Review Skills

code-reviewer, council-review, design-reviewer, and pr-creator

Fulcrum Opinion: The Agent Council catches issues that solo review misses—always use for non-trivial work. Two perspectives are better than one, and three catch what two miss.

code-reviewer

The code-reviewer skill reviews code changes against quality, security, and performance standards. It analyzes pull requests, git diffs, or uncommitted changes and provides structured feedback with approval decisions.

Review Categories

Category	Severity	Must Fix Before Merge?
Critical	🔴 High	Yes — security, data loss, crashes
Important	🟡 Medium	Yes — bugs, performance, maintainability
Suggestions	🟢 Low	No — style, naming, minor improvements

Invocation

# Review current branch against main
/code-reviewer

# Review specific PR
/code-reviewer --pr 142

# Review uncommitted changes
/code-reviewer --staged

# Review with specific focus
/code-reviewer --focus security

Review Output

Code Review: feature/oauth-integration
══════════════════════════════════════════════════════════

🔴 CRITICAL (1)
───────────────
auth.ts:47 — SQL Injection vulnerability
  Problem: User input directly concatenated into query
  Fix: Use parameterized queries
  
  - const query = `SELECT * FROM users WHERE id = '${userId}'`;
  + const query = 'SELECT * FROM users WHERE id = $1';
  + const result = await db.query(query, [userId]);

🟡 IMPORTANT (2)
────────────────
api.ts:23 — Missing error handling
  Problem: Promise rejection unhandled, will crash on network failure
  Fix: Add try/catch or .catch() handler

oauth.ts:89 — Token stored in localStorage
  Problem: XSS vulnerability if localStorage is compromised
  Fix: Use httpOnly cookies for token storage

🟢 SUGGESTIONS (3)
──────────────────
auth.ts:12 — Consider extracting magic number
auth.ts:34 — Variable name 'x' is not descriptive
oauth.ts:15 — Unused import 'axios'

══════════════════════════════════════════════════════════
Decision: ❌ REQUEST CHANGES

1 critical issue must be resolved before approval.

council-review

The council-review skill facilitates synchronous peer review dialogue between multiple agents. It orchestrates discussion, builds consensus, and escalates to the Tech Lead when agents disagree.

How the Council Works

┌───────────────────────────────────────────────────────────┐
│                     COUNCIL SESSION                       │
├───────────────────────────────────────────────────────────┤
│                                                           │
│  Implementer: @backend-engineer                           │
│  "I've implemented the caching layer using Redis..."      │
│                                                           │
│  Peer 1: @frontend-engineer                               │
│  "Cache invalidation looks correct, but consider..."      │
│                                                           │
│  Peer 2: @devops-engineer                                 │
│  "Redis config needs connection pooling for production"   │
│                                                           │
│  ─────────────────────────────────────────────────────── │
│  Consensus: Changes needed (2 agree, 0 disagree)          │
│                                                           │
│  Action Items:                                            │
│  1. Add connection pooling                                │
│  2. Document cache TTL strategy                           │
└───────────────────────────────────────────────────────────┘

Escalation Path

Peer Review
     │
     ├─► Consensus reached ──────► Approve / Request Changes
     │
     └─► Disagreement ───────────► Escalate to @tech-lead
                                        │
                                        ▼
                                  Final decision
                                  with rationale

Invocation

# Start council review for current changes
/council-review

# Council review with specific peers
/council-review --peers "@frontend-engineer, @devops-engineer"

# Review specific scope
/council-review --scope "security implications"

When to use council-review: Always for non-trivial work—architectural changes, security-sensitive code, cross-team integrations, or anything where you'd want a second opinion. Skip for typo fixes and config updates.

design-reviewer

The design-reviewer skill reviews technical design documents for architectural alignment, security, performance, and testability. It provides structured feedback with approve/conditions/reject decisions.

Review Dimensions

Architectural Alignment — Does it fit existing patterns?
Security Posture — Are threats addressed?
Performance Impact — Will it scale?
Testability — Can it be verified?
Operational Readiness — Can we deploy and monitor it?

Invocation

# Review a design document
/design-reviewer docs/designs/oauth-integration.md

# Review with specific focus
/design-reviewer --focus "security, scalability"

# Quick review for smaller designs
/design-reviewer --quick

Decision Framework

Decision	Meaning	Next Step
✅ Approve	Design is sound, proceed to implementation	Start coding
⚠️ Approve with Conditions	Minor issues that can be fixed during implementation	Note conditions, start coding
❌ Reject	Fundamental issues that require redesign	Revise design, re-submit

pr-creator

The pr-creator skill creates comprehensive pull requests from git changes. It analyzes commits, generates PR descriptions, recommends reviewers, suggests labels, and uses GitHub CLI to create PRs automatically.

What It Generates

Title — Conventional commit format, descriptive
Description — What, why, and how
Testing Notes — How to verify the changes
Reviewers — Based on code ownership and expertise
Labels — Type, scope, priority
Linked Issues — Auto-detected from commit messages

Invocation

# Create PR from current branch
/pr-creator

# Create with specific base branch
/pr-creator --base develop

# Draft PR (not ready for review)
/pr-creator --draft

# Create and auto-assign reviewers
/pr-creator --auto-reviewers

Generated PR Example

Title: feat(auth): Add OAuth 2.0 integration with Google

## Summary
Implements OAuth 2.0 authentication flow with Google as the identity provider.
Users can now sign in with their Google accounts in addition to email/password.

## Changes
- Added OAuth callback handler in `/api/auth/callback`
- Created Google OAuth configuration in `lib/oauth.ts`
- Updated login page with "Sign in with Google" button
- Added token refresh mechanism

## Testing
1. Click "Sign in with Google" on login page
2. Complete Google authentication
3. Verify redirect back to app with session active
4. Test token refresh after 1 hour

## Screenshots
[Login page with new button]

## Checklist
- [x] Tests added/updated
- [x] Documentation updated
- [x] No breaking changes

Closes #142

---
Reviewers: @security-team, @frontend-team
Labels: feature, auth, needs-review

Review Workflow

Implementation Complete
         │
         ▼
┌─────────────────────┐
│ /quality-gate-      │◄── Ensure gates pass first
│    checker          │
└──────────┬──────────┘
           │
           ▼
┌─────────────────────┐
│ /code-reviewer      │◄── Self-review before peers
└──────────┬──────────┘
           │
    Critical issues?
           │
    ├─── Yes ──► Fix, re-review
    │
    └─── No
           │
           ▼
┌─────────────────────┐
│ /council-review     │◄── Peer review (for non-trivial)
└──────────┬──────────┘
           │
    Consensus?
           │
    ├─── No ──► Escalate to @tech-lead
    │
    └─── Yes
           │
           ▼
┌─────────────────────┐
│ /pr-creator         │◄── Generate and submit PR
└─────────────────────┘

Pro tip: Run /code-reviewer on your own changes before asking for peer review. Catching obvious issues yourself shows respect for reviewers' time and results in more meaningful feedback on the harder problems.