langwatch/code-review
.claude/skills/code-review/SKILL.md
Project-level code review: check changed files against LangWatch codebase rules (IDs, multitenancy, layering, naming, SRP).
$ install --global
skillsauthnpx skillsauth add langwatch/langwatch code-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 15, 2026, 1:21 PM4.8s1 file scanned
SKILL.md
- name:
- code-review
- description:
- Project-level code review: check changed files against LangWatch codebase rules (IDs, multitenancy, layering, naming, SRP).
- user-invocable:
- true
- argument-hint:
- [diff, branch, or commit range]
Review code changes and sign off on each rule below.
What to diff: If $ARGUMENTS is provided, use it as the diff target (a branch, commit range, or raw diff). Otherwise diff against origin/main, or the PR base branch if on a PR branch. If ambiguous, ask.
For each rule: PASS if no violations, or FAIL with every violation listed — one per line with file:line.
Rules
-
KSUID only — no uuid/nanoid. The project uses
@langwatch/ksuid. No imports ofuuid,nanoid, orcrypto.randomUUID. -
No foreign keys in Prisma migrations. Prisma relations handle referential integrity. No
REFERENCES,FOREIGN KEY, orADD CONSTRAINT.*FOREIGNin.sqlmigration files. -
Prisma queries include projectId. Every
findMany/findFirst/findUnique/update/deleteon project-scoped models must haveprojectIdin thewhereclause. Skip:User,Organization,OrganizationUser,Session,Account,VerificationToken. -
ClickHouse queries include TenantId. Every ClickHouse query must filter by
TenantIdin the WHERE clause. -
No TypeScript
any. No: any,as any,<any>, orany[]in added code. Ignore comments and eslint-disable lines. -
No hardcoded schema names in migrations. No
"langwatch_db".or other schema prefixes in.sqlfiles. Use unqualified table names. -
Hooks don't return JSX. Files matching
use*.ts(not.tsx) must not return JSX. Hooks return state/callbacks only. -
No re-exports for backwards compatibility.
export { X } fromorexport * fromshims are not allowed — update consumers directly. (New public API re-exports are fine.) -
Layer violations (route → service → repository). Routes must not import from repositories. Services must not import another domain's repositories directly. Repositories must not import from services. See
src/server/app-layer/. -
Repository/service method naming. Repositories use
findAll/findById(notlist*/get*). Services usegetAll/getById(notfind*). -
Single Responsibility. New files should not mix concerns (e.g. HTTP + business logic, data fetching + rendering). One primary export per file. Flag functions over ~100 lines.
-
Skills must have scenario tests. Any PR that adds or modifies a skill (
skills/*/SKILL.md) or MCP tools (mcp-server/src/tools/) must include corresponding scenario tests inspecs/skills/skills-testing.feature. New tool handlers need at least one@integrationscenario covering the happy path.
Output format
### 1. KSUID only (no uuid/nanoid) — PASS
### 2. No FK in migrations — FAIL
- FOREIGN KEY in `migrations/001_init.sql:45`
- ADD CONSTRAINT FOREIGN in `migrations/002_add.sql:12`
### 3. projectId in Prisma queries — FAIL
- `findMany` without projectId in `src/api.ts:33`
### 4. TenantId in ClickHouse queries — PASS
...
Related Skills
langwatch/tracing
development
VerifiedTrustedCommunity
Add LangWatch tracing and observability to your code. Use for both onboarding (instrument an entire codebase) and targeted operations (add tracing to a specific function or module). Supports Python and TypeScript with all major frameworks.
3,203SKILL.mdUpdated Apr 15, 2026
langwatch/scenarios
tools
VerifiedTrustedCommunity
Test your AI agent with simulation-based scenarios. Covers writing scenario test code (Scenario SDK), creating platform scenarios (CLI or MCP), and red teaming for security vulnerabilities. Auto-detects whether to use code or platform approach based on context.
3,203SKILL.mdUpdated Apr 15, 2026
langwatch/test-compliance
testing
VerifiedTrustedCommunity
Test that your AI agent stays observational and doesn't give prescriptive advice in regulated domains (healthcare, finance, legal). Creates scenario tests for boundary enforcement and red team tests for adversarial probing. Use when your agent advises but must not prescribe.
3,203SKILL.mdUpdated Apr 15, 2026
langwatch/test-cli-usability
tools
VerifiedTrustedCommunity
Write scenario tests that verify your CLI tool is usable by AI agents. Ensures commands work non-interactively, provide clear output, and don't hang on prompts. Use when you want to prove your CLI is agent-friendly.
3,203SKILL.mdUpdated Apr 15, 2026