codyswanngt/parity-code-review
plugins/lisa-agy/skills/parity-code-review/SKILL.md
Lisa-native code review of the current git diff. Walks every changed hunk and reports correctness bugs, security issues, and obvious defects as severity-ranked findings with file:line references. Vendor-neutral — the cross-agent equivalent of the upstream code-review command, runnable on Codex, agy, Copilot, Cursor, and Claude.
$ install --global
skillsauthnpx skillsauth add codyswanngt/lisa parity-code-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 31, 2026, 3:19 AM97.1s1 file scanned
SKILL.md
- name:
- parity-code-review
- description:
- Lisa-native code review of the current git diff. Walks every changed hunk and reports correctness bugs, security issues, and obvious defects as severity-ranked findings with file:line references. Vendor-neutral — the cross-agent equivalent of the upstream code-review command, runnable on Codex, agy, Copilot, Cursor, and Claude.
- allowed-tools:
- ["Read", "Bash", "Grep", "Glob"]
Parity Code Review
Review the code that is about to ship — the current uncommitted/branch diff — for defects a reviewer would block on. This is a focused defect hunt: correctness, security, and obvious mistakes. It is not a style audit and not a refactor pass (use parity-code-simplifier for quality-only cleanup).
Not drift-trackable. This skill intentionally carries no
synced-frompin. The upstreamcode-review@claude-plugins-officialplugin publishes no semver (its cache version resolves tounknown), so a pin would be unparseable and meaningless toscripts/plugin-parity-drift.mjs. Drift is tracked manually — re-review the upstream command by hand when the curated plugin set is refreshed. This is a Lisa-native reimplementation, not a port of upstream code.
Step 1: Establish the diff
Determine exactly what changed. Prefer the broadest accurate view of the work-in-progress:
# Branch changes vs the merge base (preferred for a PR-style review)
git merge-base HEAD origin/main 2>/dev/null && \
git diff "$(git merge-base HEAD origin/main)"...HEAD
# Plus anything still uncommitted in the working tree
git diff HEAD
git status --short
If there is no diff at all, say so plainly and stop — do not invent findings. If the diff is enormous, review in full but prioritize the files with the most logic changes; never silently skip files (note any you deprioritized).
Step 2: Read for real context
Do not review hunks in isolation. For each changed file, open enough surrounding code to understand:
- What the function/module is supposed to do and who calls it.
- Invariants and preconditions the change might violate.
- Error/edge paths touched by the change.
Use Read, Grep, and Glob to follow call sites and trace data flow. A finding you can't ground in the actual code is a guess — drop it.
Step 3: Hunt for defects
For every changed hunk, evaluate against these lenses:
- Correctness — Off-by-one errors, inverted conditions, wrong operator, missing
await, unhandlednull/undefined, incorrect default, broken control flow, type coercion bugs, mutation of shared state, race conditions. - Security — Unsanitized input at trust boundaries; injection (SQL/shell/template); secrets, tokens, or keys committed or logged; missing authn/authz on new endpoints; unsafe deserialization; path traversal; overly broad permissions; SSRF.
- Edge cases & failure modes — Empty collections, zero, negative numbers, very large input, concurrent calls, partial failures, timeouts, retries that aren't idempotent.
- Obvious defects — Dead code paths, unreachable branches, swallowed errors, resource leaks (unclosed handles/connections),
TODO/FIXMEleft in shipping code, debug logging left on, broken or missing tests for the new behavior. - Contract & API — Breaking changes to public signatures, changed return shapes, altered error semantics callers depend on.
Step 4: Output — severity-ranked findings
Group findings by severity. Within each group, list the most impactful first. Every finding must carry a file:line reference.
Critical (must fix before merge)
Bugs that break correctness, leak/expose data, or introduce a security hole.
Warning (should fix)
Likely to cause problems later, or a real defect with limited blast radius.
Suggestion (nice to have)
Minor correctness nits or defensive improvements.
Finding format
For each finding:
- What — precise description of the defect.
- Where —
path/to/file.ts:42(and a span if it covers multiple lines). - Why — the concrete failure it causes, with an example input or sequence that triggers it.
- Fix — a specific, actionable suggestion (or a short code sketch).
Example:
Critical — Unhandled null dereference Where:
src/auth/session.ts:88Why:findUser()returnsnullwhen the id is unknown, but line 88 readsuser.rolesdirectly. An unknown session id (expired token replay) throws and 500s instead of returning 401. Fix: Guardif (!user) return unauthorized()before readinguser.roles.
Rules
- Ground every finding in the diff. No speculative findings, no generic best-practice lectures unrelated to the change.
- Be honest about coverage. If you deprioritized files or couldn't fully trace a path, say so.
- If the diff is clean, say so clearly — "No blocking issues found across N changed files" — do not manufacture problems.
- This is review-only: report findings, do not edit files. Apply fixes via the normal implementation flow or
parity-code-simplifier(quality) after triage.
Related Skills
codyswanngt/lisa-wiki-onboard-me
documentation
VerifiedTrustedCommunity
Onboard a user to the project via its LLM Wiki. Interviews the user about themselves in relation to the project, captures that to project-scoped memory only, then gives a guided tour of what the project is and sample questions they can ask. Use when someone is new to the project or asks to be onboarded. Read-mostly — it does not open PRs or write PII into the wiki.
1SKILL.mdUpdated Jun 5, 2026
codyswanngt/lisa-wiki-migrate
documentation
VerifiedTrustedCommunity
Migrate an existing, hand-rolled wiki implementation onto the lisa-wiki kernel — phased and compatibility-first, with a strict no-loss guarantee. Use when adopting lisa-wiki in a repo that already has its own wiki/, ingest skills, docs, or roles. Renaming things into the canonical shape is fine; losing functionality or data is not. Ends by running /doctor.
1SKILL.mdUpdated Jun 5, 2026
codyswanngt/lisa-wiki-lint
development
VerifiedTrustedCommunity
Health-check the LLM Wiki. Reports orphan pages, contradictions, stale claims, broken internal links, missing index/log coverage, structure-manifest violations, and secret/tenant leaks. Use periodically or before hardening a wiki. Read-only — it reports findings, it does not fix them.
1SKILL.mdUpdated Jun 5, 2026
codyswanngt/lisa-wiki-ingest
testing
VerifiedTrustedCommunity
Ingest source material into the LLM Wiki. With an argument (URL, file path, or prompt) it ingests that one source; with no argument it runs a full ingest across every enabled non-external-write source. Routes to the right connector, then runs the ordered pipeline (source note → synthesis → index → log → verify → state → commit/PR). Use whenever new knowledge should enter the wiki.
1SKILL.mdUpdated Jun 5, 2026