jamie-bitflight/forensic-review
plugins/development-harness/skills/forensic-review/SKILL.md
Use when SAM Stage 5 Execution has completed and task results need independent verification against acceptance criteria. Dispatches a separate reviewer agent to fact-check implementation outputs and returns COMPLETE or NEEDS_WORK with specific findings and remediation tasks.
$ install --global
skillsauthnpx skillsauth add jamie-bitflight/claude_skills forensic-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 19, 2026, 5:07 AM8.1s1 file scanned
SKILL.md
- name:
- forensic-review
- description:
- Use when SAM Stage 5 Execution has completed and task results need independent verification against acceptance criteria. Dispatches a separate reviewer agent to fact-check implementation outputs and returns COMPLETE or NEEDS_WORK with specific findings and remediation tasks.
- user-invocable:
- false
SAM Stage 6 — Forensic Review
Role
SAM Stage 6 delegates the concrete review work to @dh:code-reviewer. This skill is the
orchestration wrapper: it resolves the task context, dispatches the agent, and maps its
structured output back to the SAM pipeline verdict.
Producer and reviewer must always be different agents — never invoke this skill from the same agent that executed the task.
Core Principle
AI cannot reliably self-evaluate. The agent that wrote the code cannot objectively assess its own work. Forensic review uses a separate agent with fresh context to verify claims against observable evidence.
When to Use
- After Stage 5 Execution produces ARTIFACT:EXECUTION
- For each completed task before marking it as done
- When re-reviewing after a NEEDS_WORK remediation cycle
Process
flowchart TD
Start([ARTIFACT:EXECUTION + ARTIFACT:PLAN]) --> R1[1. Resolve task context]
R1 --> R2[2. Dispatch @dh:code-reviewer]
R2 --> R3[3. Consume verdict from STATUS output]
R3 --> R4[4. Read codebase-analysis artifact]
R4 --> Decide{Verdict?}
Decide -->|PASS| Complete[Verdict — COMPLETE]
Decide -->|NEEDS-WORK or FAIL| NeedsWork[Verdict — NEEDS_WORK]
Complete --> Done([ARTIFACT:REVIEW registered by agent])
NeedsWork --> Remediate[Create remediation tasks from blocking findings]
Remediate --> Done
Step 1 — Resolve Task Context
Read the task via MCP:
sam_task(plan="{plan_id}", task="{task_id}", config={"action": "read"})
Extract:
task_file_path— the path to the task YAML file (e.g.,plan/P{id}-{slug}.yaml)issue_number— required for artifact registration; if absent, BLOCK immediatelyexpected_outputs— the implementation files produced by Stage 5 (listed in the task's "Files Changed" or "Expected Outputs" section)acceptance_criteria— the explicit success conditions to verify
Step 2 — Dispatch @dh:code-reviewer
Delegate the concrete S6 review work with subagent_type="dh:code-reviewer".
Context to include in the prompt:
task_file_path— path to the SAM task fileimplementation_files— the files from the task's Expected Outputsissue_number— required forartifact_registerinside the agent
Task is S6 forensic review with subagent_type="dh:code-reviewer"
Context: task_file_path={task_file_path}, issue_number={issue_number},
implementation_files={expected_outputs}
Output: STATUS block containing Verdict (PASS / FAIL / NEEDS-WORK) and ARTIFACTS
section confirming codebase-analysis artifact registered on issue #{issue_number}
The agent independently reads the task, detects the stack, verifies acceptance criteria,
applies universal and stack-specific quality dimensions, and registers the review report
as a codebase-analysis artifact via artifact_register.
Step 3 — Consume Verdict
Parse the agent's STATUS output:
Verdict: PASS→ map to SAM verdict COMPLETEVerdict: NEEDS-WORKorVerdict: FAIL→ map to SAM verdict NEEDS_WORK
If the agent returns STATUS: BLOCKED, propagate the block upstream with the agent's NEEDED section as the reason.
Step 4 — Read codebase-analysis Artifact
Retrieve the registered review report:
artifact_read(issue_number={issue_number}, artifact_type="codebase-analysis")
Use this to populate the SAM task's Review Results section and to extract blocking findings for remediation task creation.
Append review results to the task:
sam_task(
plan="{plan_id}",
task="{task_id}",
config={"action": "update", "append_section": "Review Results", "section_content": "{artifact_content}"}
)
Input
ARTIFACT:EXECUTION+ARTIFACT:TASKviasam_task(plan="{plan_id}", task="{task_id}", config={"action": "read"})issue_number— must be present; used by@dh:code-reviewerforartifact_registerand by this skill forartifact_read
NEEDS_WORK Remediation Loop
When the verdict is NEEDS_WORK or FAIL, extract blocking findings from the
codebase-analysis artifact's "Required changes (blocking)" or "Blocking" section.
flowchart TD
NW([NEEDS_WORK verdict]) --> Extract[Extract blocking findings from codebase-analysis artifact]
Extract --> Create[Create remediation TASK files — one per blocking finding]
Create --> Stage5[Stage 5 — Execute remediation tasks]
Stage5 --> Stage6[Stage 6 — Re-review via @dh:code-reviewer]
Stage6 --> Q{PASS?}
Q -->|Yes| Done([Proceed to next task or Stage 7])
Q -->|No| Extract
Remediation tasks follow the same CLEAR format as original tasks. They:
- Reference the specific blocking finding (file:line from the codebase-analysis artifact)
- Define acceptance criteria that directly resolve the blocking finding
Behavioral Rules
- Never review your own execution — producer and reviewer must differ
- Verdict is sourced from
@dh:code-reviewerSTATUS output — do not invent it - Blocking findings for remediation come from the
codebase-analysisartifact — do not invent them from the agent's STATUS summary - Do not add new requirements — review against the ORIGINAL acceptance criteria only
- Verification Gap findings are always BLOCKING (see
@dh:code-revieweragent for the full classification rule)
Success Criteria
@dh:code-reviewerreturns STATUS: DONE with a PASS, FAIL, or NEEDS-WORK verdictcodebase-analysisartifact is registered on issue #{issue_number}- Review Results appended to the SAM task via
sam_task(action='update') - Blocking findings (if any) have concrete remediation tasks created
Related Skills
jamie-bitflight/xdg-base-directory
development
VerifiedTrustedCommunity
When an application needs to store config, data, cache, or state files. When designing where user-specific files should live. When code writes to ~/.appname or hardcoded home paths. When implementing cross-platform file storage with platformdirs.
39SKILL.mdUpdated Apr 30, 2026
jamie-bitflight/verification-gate
testing
VerifiedTrustedCommunity
Enforce mandatory pre-action verification checkpoints to prevent pattern-matching from overriding explicit reasoning. Use this skill when about to execute implementation actions (Bash, Write, Edit) to verify hypothesis-action alignment. Blocks execution when hypothesis unverified or action targets different system than hypothesis identified. Critical for preventing cognitive dissonance where correct diagnosis leads to wrong implementation.
39SKILL.mdUpdated Apr 30, 2026
jamie-bitflight/twelve-factor-app
tools
VerifiedTrustedCommunity
Reference guide for the Twelve-Factor App methodology — 15 principles (12 original + 3 modern extensions) for building portable, resilient, cloud-native applications. Use when evaluating application architecture, designing cloud-native services, reviewing codebases for methodology compliance, advising on configuration, scaling, observability, security, and deployment patterns. Incorporates the 2025 open-source community evolution and cloud-native reinterpretations of each factor.
39SKILL.mdUpdated Apr 30, 2026
jamie-bitflight/user-docs-to-ai-skill
tools
VerifiedTrustedCommunity
Converts user-facing documentation (how-to guides, tutorials, API references, examples) in any format — Markdown, PDF, DOCX, PPTX, XLSX, AsciiDoc, RST, HTML, Jupyter notebooks, man pages, TOML/YAML/JSON configs, and plain text — into Claude Code skill directories with SKILL.md plus thematically grouped references/*.md files. Use when given a docs directory or mixed-format documentation to transform into an AI skill. Uses MCP file-reader server for binary formats.
39SKILL.mdUpdated Apr 30, 2026