aj-geddes/self-verification
skills/self-verification/SKILL.md
Guides the user through systematic pre-commit quality verification. ALWAYS trigger on "review my code", "check my work", "before commit", "self-review", "quality check", "am I ready to commit", "pre-commit review", "code quality", "verify my changes", "sanity check", "review before merge", "is this ready". Use before any commit, merge, or code review submission.
$ install --global
skillsauthnpx skillsauth add aj-geddes/unicorn-team self-verificationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 25, 2026, 4:46 PM53.0s4 files scanned
SKILL.md
- name:
- self-verification
- description:
- >-
<!-- Last reviewed: 2026-03 -->
Self-Verification
Run scripts/self-review.sh or execute these 6 steps manually before every commit.
1. Review Staged Changes
git diff --staged
- [ ] Would I approve this in code review?
- [ ] Does this change do ONE thing well?
- [ ] Is the change focused or sprawling?
2. Completeness Check
- [ ] Functionality does what was requested
- [ ] Edge cases handled or documented as out-of-scope
- [ ] All failure paths covered with clear error messages
- [ ] Key operations logged at appropriate level
- [ ] All inputs validated at boundaries
- [ ] Outputs properly encoded/sanitized
3. Quality Check
- [ ] No TODOs/FIXMEs/HACKs (resolve or file tickets)
- [ ] No debug code (print, console.log, breakpoint, pdb)
- [ ] No commented-out code (it's in git history)
- [ ] Variables/functions/classes are self-documenting
- [ ] Functions each do one thing well (< 50 lines ideal)
- [ ] No magic numbers (extract to named constants)
- [ ] Follows project style conventions
# Automated scan for debug artifacts
git diff --cached | grep -E "breakpoint|pdb|console\.log|debugger|TODO|FIXME|HACK"
4. Test Verification
- [ ] All tests pass
- [ ] Coverage >= 80% on new code
- [ ] Edge cases tested (not just happy path)
- [ ] Error paths tested
- [ ] Test names describe what they verify
- [ ] No flaky tests
# Python
pytest --cov=. --cov-report=term-missing --cov-fail-under=80
# JavaScript
npm test -- --coverage --coverageThreshold='{"global":{"lines":80}}'
# Go
go test -cover ./...
5. Security Check
- [ ] No secrets (API keys, passwords, tokens) in code
- [ ] No PII or credentials in logs
- [ ] All external inputs validated
- [ ] SQL params parameterized, HTML escaped, URLs encoded
- [ ] Protected endpoints enforce auth
- [ ] Code runs with minimum required permissions
# Scan for leaked secrets
git diff --cached | grep -iE "api[_-]?key|password|secret|token"
# Python security scan
bandit -r . -q
# JavaScript
npm audit
Security questions to answer:
| # | Question | |---|----------| | 1 | Who can call this? (Authentication) | | 2 | Are they allowed to? (Authorization) | | 3 | What if they send malicious input? (Validation) | | 4 | What if they send huge input? (Resource limits) | | 5 | Can they see data they shouldn't? (Data exposure) | | 6 | Will we know if they try? (Audit logging) |
6. Documentation Check
- [ ] Public APIs/functions have docstrings
- [ ] Complex logic has comments explaining WHY
- [ ] Usage examples for complex APIs
- [ ] README updated if external behavior changed
- [ ] CHANGELOG updated for user-visible changes
- [ ] Migration guide if breaking changes exist
Fresh Eyes Techniques
Use these to break the "see what you intended" bias:
- Time Gap (10+ min) -- let your brain forget what you meant
- Context Switch -- work on something else, then return
- Read Aloud -- speaking forces slower processing
- Rubber Duck -- explain code to an imaginary colleague
- Reverse Review -- read diff from last line to first
See references/fresh-eyes-techniques.md for detailed guides.
Common Self-Review Failures
| Failure | Symptom | Prevention | |---------|---------|------------| | "Works on My Machine" | Fails in CI/production | Test in clean environment | | Missing Edge Cases | Breaks with unexpected input | Test null, empty, negative, huge | | Unclear Intent | Can't explain without reading | Extract to well-named functions | | Incomplete Error Handling | Crashes on first error | Identify all failure points |
See references/self-review-failures.md for detailed prevention strategies.
Script
Run the interactive self-review protocol:
skills/self-verification/scripts/self-review.sh
# or
./scripts/self-review.sh && git commit -m "your message"
References
references/fresh-eyes-techniques.md-- detailed technique guidesreferences/self-review-failures.md-- prevention strategies with examplesscripts/self-review.sh-- interactive self-review script
Related Skills
aj-geddes/testing
development
VerifiedTrustedCommunity
Guides the user through test-first development and test strategy decisions. ALWAYS trigger on "write tests", "TDD", "test coverage", "mock", "test fails", "flaky test", "how to test", "unit test", "integration test", "e2e test", "test structure", "what to test", "test organization", "coverage report", "testing strategy", "arrange act assert". Use when writing new tests, choosing test types, setting up mocking, debugging flaky tests, improving coverage, or designing testable code. Different from qa-security agent which focuses on code review and security audits rather than test authoring.
7SKILL.mdUpdated Apr 25, 2026
aj-geddes/technical-debt
development
VerifiedTrustedCommunity
Guides deliberate management of technical debt: recognition, tracking, prioritization, and paydown. ALWAYS trigger on "technical debt", "code shortcut", "pay down debt", "debt tracking", "just for now", "temporary hack", "hardcoded value", "copy-paste code", "missing tests", "TODO cleanup", "refactor plan", "debt priority", "interest cost", "boy scout rule", "code quality backlog". Use when taking a shortcut, discovering suboptimal code, planning debt paydown, or quantifying ongoing cost of compromises.
7SKILL.mdUpdated Apr 25, 2026
aj-geddes/security
development
VerifiedTrustedCommunity
Guides secure development using defense-in-depth and attacker's mindset. ALWAYS trigger on "security review", "vulnerability", "authentication", "authorization", "input validation", "XSS", "SQL injection", "CSRF", "secrets management", "OWASP", "threat model", "security scan", "path traversal", "mass assignment", "privilege escalation", "security headers", "bandit", "dependency audit", "hardening". Use when implementing auth, handling user input, storing secrets, reviewing code for vulnerabilities, or preparing for production deployment. Different from devops skill which covers infrastructure; this covers application-level security patterns.
7SKILL.mdUpdated Apr 25, 2026
aj-geddes/python
tools
VerifiedTrustedCommunity
Guides Python development with modern idioms, tooling, and project structure. ALWAYS trigger on "python project", "pyproject.toml", "ruff", "mypy", "pytest", "poetry", "python setup", "type hints", "pydantic", "dataclass", "async python", "asyncio", "python anti-pattern", "python best practices", "python tooling", "python lint". Use when setting up Python projects, configuring tooling, choosing data modeling approaches, or writing tests. Different from testing skill which covers general test strategy; this covers Python-specific pytest patterns and tooling configs.
7SKILL.mdUpdated Apr 25, 2026