cloudbase-code-review
This CloudBase code review skill validates implementation work across web, miniprogram, CloudRun, and cloud-function projects by detecting common mistakes in authentication, database setup, security rules, and SDK usage. Use it after completing CloudBase features to catch issues before automated grading through both deterministic regex-based linting and semantic LLM review of auth guards, database configurations, RLS policies, storage domain setup, and API calls.
git clone --depth 1 https://github.com/TencentCloudBase/CloudBase-MCP /tmp/cloudbase-code-review && cp -r /tmp/cloudbase-code-review/miniprogram/cloudbase-ai-video/.codebuddy/skills/cloudbase-code-review ~/.claude/skills/cloudbase-code-reviewSKILL.md
## Standalone Install Note If this environment only installed the current skill, start from the CloudBase main entry and use the published `cloudbase/references/...` paths for sibling skills. - CloudBase main entry: `https://cnb.cool/tencent/cloud/cloudbase/cloudbase-skills/-/git/raw/main/skills/cloudbase/SKILL.md` - Current skill raw source: `https://cnb.cool/tencent/cloud/cloudbase/cloudbase-skills/-/git/raw/main/skills/cloudbase/references/cloudbase-code-review/SKILL.md` Keep local `references/...` paths for files that ship with the current skill directory. When this file points to a sibling skill, use the standalone fallback URL shown next to that reference. # CloudBase Code Review > **One-liner**: After implementing CloudBase features, call this skill to catch common mistakes before the grader does. ## When to use Call this skill **after** completing a CloudBase implementation task, before declaring done: - You implemented auth (login / register / route guard) - You created database tables or wrote CRUD (NoSQL / PostgreSQL / MySQL) - You set up CloudBase Storage (file upload, hosting) - You configured security rules or RLS policies - You wrote MCP-dependent code ## How it works The skill runs in two layers: | Layer | Method | Speed | What it catches | |-------|--------|-------|-----------------| | **Lint (optional)** | No executable script is shipped. If the user approves running lint, review the code block in `references/lint-rules/README.md`, copy it to a temporary local `cloudbase-lint.mjs`, then run `node cloudbase-lint.mjs --project-dir <path>` | Seconds | Deterministic regex checks — wrong API calls, missing configs, pattern mismatches | | **LLM review** | Read each rule's "LLM 检查" section, inspect code semantically | Variable | Semantic issues — route guard logic, RLS completeness, architecture-level problems | ## Rule index See `references/RULES_INDEX.md` for the full matrix (module × frontend type → applicable rules). ## Rule boundary Do not promote a single failed run or case-specific workaround into a hard rule. A rule should be backed by stable SDK/API documentation, repeated failures, or deterministic runtime behavior. Case-specific observations belong in attribution reports; only broadly applicable constraints should enter `RULES_INDEX.md` or the optional lint checklist. ## Quick start ```bash # Step 1: Read relevant rules for identified modules # references/rules/cross-cutting/AUTH001.md # references/rules/postgresql/PG-CR001.md # ... # Optional: if the user approves running lint, review the script code block in # references/lint-rules/README.md, copy it to a temporary cloudbase-lint.mjs, # then run: node cloudbase-lint.mjs --project-dir . # Step 2: For each applicable rule, read the "LLM 检查" section # and manually inspect your code before claiming done. ``` ## Rule format Each rule `.md` file follows this structure: ```markdown # RULE-ID Rule Name - **Module**: which module (auth / postgresql / storage / ...) - **Severity**: error | warning - **Stage**: code-generation | deployment | config ## 正则检查 (Lint) The condition checked by the optional script code block in `references/lint-rules/README.md`. ## LLM 检查 Semantic review prompt for human or LLM to evaluate. ## 修复指引 How to fix the issue. ```
Use this skill for Node.js backend AI via @cloudbase/node-sdk (>=3.16.0) — cloud functions, CloudRun, Express, Koa, NestJS, serverless APIs, scheduled jobs, LLM proxies. Only SDK supporting image generation (ai.createImageModel + generateImage). Text models via ai.createModel with groups cloudbase, hunyuan-exp, or custom-*. Model IDs (deepseek-v4-flash, deepseek-v3.2, hunyuan-2.0-instruct-20251111, glm-5, kimi-k2.6) go in the model field of generateText/streamText. MUST run two-step preflight before code — see body. Keywords: backend, 云函数, 云托管, serverless, LLM proxy, agent orchestration, generateText, streamText, generateImage, createModel, hunyuan-image, Token Credits, TokenHub, Hunyuan, DeepSeek, GLM, Kimi, MiniMax. NOT for browser/Web (use ai-model-web) or Mini Program (use ai-model-wechat).
Use this skill when a browser/Web app (React, Vue, Angular, Next, Nuxt, static sites, SPAs, dashboards, AI chat UI) needs AI models via @cloudbase/js-sdk. Default routing for page/页面/Web/前端/frontend/网页/H5 AI — call directly from browser, do NOT propose a Node.js proxy. Covers generateText and streamText. Models via ai.createModel with groups cloudbase, hunyuan-exp, or custom-*. Model IDs (deepseek-v4-flash, deepseek-v3.2, hunyuan-2.0-instruct-20251111, glm-5, kimi-k2.6) go in the model field. MUST run two-step preflight before code — see body. Keywords: 页面, Web, 前端, React, Vue, Next, Nuxt, SPA, AI chat UI, generateText, streamText, createModel, hunyuan-exp, Token Credits, TokenHub, Hunyuan, DeepSeek, GLM, Kimi, MiniMax. NOT for Node.js backend (use ai-model-nodejs), Mini Program (use ai-model-wechat), or image generation (Node SDK only).
Use this skill for WeChat Mini Program AI via wx.cloud.extend.AI (小程序, 企业微信小程序, wx.cloud apps). Features generateText and streamText with callbacks (onText, onEvent, onFinish). Models via wx.cloud.extend.AI.createModel with groups hunyuan-exp (小程序成长计划), cloudbase (main managed), or custom-*. Model IDs (deepseek-v4-flash, deepseek-v3.2, hunyuan-2.0-instruct-20251111, glm-5, kimi-k2.6) go in the data wrapper model field. API differs from JS/Node SDK — streamText needs data wrapper, generateText returns raw response. MUST run two-step preflight before code — see body. Keywords: Mini Program AI, wx.cloud.extend.AI, 小程序成长计划, ai_miniprogram_inspire_plan, Token Credits 资源包, generateText, streamText, createModel, hunyuan-exp, TokenHub, Hunyuan, DeepSeek, GLM, Kimi, MiniMax. NOT for browser/Web (use ai-model-web), Node.js backend (use ai-model-nodejs), or image generation (use ai-model-nodejs).
CloudBase Node SDK auth guide for server-side identity, user lookup, and custom login tickets. This skill should be used when Node.js code must read caller identity, inspect end users, or bridge an existing user system into CloudBase; not when configuring providers or building client login UI.
CloudBase auth provider configuration and login-readiness guide. This skill should be used when users need to inspect, enable, disable, or configure auth providers, publishable-key prerequisites, login methods, SMS/email sender setup, or other provider-side readiness before implementing a client or backend auth flow.
CloudBase Web Authentication Quick Guide for frontend integration after auth-tool has already been checked. Provides concise and practical Web authentication solutions with multiple login methods and complete user management.
CloudBase WeChat Mini Program native authentication guide. This skill should be used when users need mini program identity handling, OPENID/UNIONID access, or `wx.cloud` auth behavior in projects where login is native and automatic.
CloudBase function runtime guide for building, deploying, and debugging your own Event Functions or HTTP Functions. This skill should be used when users need application runtime code on CloudBase, not when they are merely calling CloudBase official platform APIs.