troykelly/review-gate
skills/review-gate/SKILL.md
HARD GATE before PR creation - verifies review artifact exists in issue comments, all findings addressed or tracked, blocks PR creation if requirements not met
$ install --global
skillsauthnpx skillsauth add troykelly/codex-skills review-gateInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 8:48 PM2.0s1 file scanned
SKILL.md
- name:
- review-gate
- description:
- HARD GATE before PR creation - verifies review artifact exists in issue comments, all findings addressed or tracked, blocks PR creation if requirements not met
Review Gate
Overview
Hard compliance gate that BLOCKS PR creation until review requirements are satisfied.
Core principle: No PR without proof of review. No exceptions.
This is enforced by hooks. Even if you attempt to skip this skill, the PreToolUse hook on gh pr create will block the action.
Gate Requirements
ALL must be satisfied to create a PR:
┌──────────────────────────────────────────────────────────────────────────┐
│ REVIEW GATE │
├──────────────────────────────────────────────────────────────────────────┤
│ [ ] Review artifact posted to issue (<!-- REVIEW:START --> format) │
│ [ ] Review status is COMPLETE (not BLOCKED or IN_PROGRESS) │
│ [ ] Unaddressed findings = 0 │
│ [ ] All deferred findings have tracking issues (linked in artifact) │
│ [ ] Security review complete (if security-sensitive code changed) │
├──────────────────────────────────────────────────────────────────────────┤
│ ALL SATISFIED → PR CREATION ALLOWED │
│ ANY MISSING → PR CREATION BLOCKED │
└──────────────────────────────────────────────────────────────────────────┘
Verification Process
Step 1: Check Review Artifact Exists
# Query issue comments for review artifact
ISSUE_NUMBER=123
REPO=$(gh repo view --json nameWithOwner --jq '.nameWithOwner')
REVIEW_EXISTS=$(gh api "/repos/$REPO/issues/$ISSUE_NUMBER/comments" \
--jq '[.[] | select(.body | contains("<!-- REVIEW:START -->"))] | length')
if [ "$REVIEW_EXISTS" -eq 0 ]; then
echo "BLOCKED: No review artifact found"
fi
Step 2: Parse Review Status
Extract from the latest review artifact:
# Get latest review comment
REVIEW_BODY=$(gh api "/repos/$REPO/issues/$ISSUE_NUMBER/comments" \
--jq '[.[] | select(.body | contains("<!-- REVIEW:START -->"))] | last | .body')
# Check status
if echo "$REVIEW_BODY" | grep -q "Review Status.*COMPLETE"; then
echo "Review status: COMPLETE"
elif echo "$REVIEW_BODY" | grep -q "Review Status.*BLOCKED"; then
echo "BLOCKED: Review status is BLOCKED_ON_DEPENDENCIES"
fi
Step 3: Verify No Unaddressed Findings
# Extract unaddressed count
UNADDRESSED=$(echo "$REVIEW_BODY" | grep -oP 'Unaddressed[:\s|]+\K\d+' | head -1)
if [ "$UNADDRESSED" != "0" ]; then
echo "BLOCKED: $UNADDRESSED unaddressed findings"
fi
Step 4: Verify Deferred Findings Have Tracking Issues
For each deferred finding, verify a tracking issue exists and is linked:
# Each deferred finding must have format: | Finding | ... | #NNN | ...
DEFERRED_WITHOUT_ISSUE=$(echo "$REVIEW_BODY" | grep -i "DEFERRED" | grep -cv "#[0-9]" || echo "0")
if [ "$DEFERRED_WITHOUT_ISSUE" -gt 0 ]; then
echo "BLOCKED: $DEFERRED_WITHOUT_ISSUE deferred findings without tracking issues"
fi
Step 5: Security Review (Conditional)
If files matching security-sensitive patterns were changed:
# Check if security-sensitive files changed
SECURITY_FILES=$(git diff --name-only HEAD~1 | grep -E '(auth|security|middleware|api|password|token|secret)')
if [ -n "$SECURITY_FILES" ]; then
# Verify security review section exists in artifact
if ! echo "$REVIEW_BODY" | grep -q "Security-Sensitive.*YES"; then
echo "BLOCKED: Security-sensitive files changed but no security review"
fi
fi
Review Artifact Format
The review artifact MUST follow this exact format for machine parsing:
<!-- REVIEW:START -->
## Code Review Complete
| Property | Value |
|----------|-------|
| Worker | `[WORKER_ID]` |
| Issue | #[ISSUE_NUMBER] |
| Scope | [MINOR|MAJOR] |
| Security-Sensitive | [YES|NO] |
| Reviewed | [ISO_TIMESTAMP] |
### Criteria Results
| # | Criterion | Status | Findings |
|---|-----------|--------|----------|
| 1 | Blindspots | [✅ PASS|✅ FIXED|⚠️ DEFERRED] | [N] |
| 2 | Clarity | [✅ PASS|✅ FIXED|⚠️ DEFERRED] | [N] |
| 3 | Maintainability | [✅ PASS|✅ FIXED|⚠️ DEFERRED] | [N] |
| 4 | Security | [✅ PASS|✅ FIXED|⚠️ DEFERRED|N/A] | [N] |
| 5 | Performance | [✅ PASS|✅ FIXED|⚠️ DEFERRED] | [N] |
| 6 | Documentation | [✅ PASS|✅ FIXED|⚠️ DEFERRED] | [N] |
| 7 | Style | [✅ PASS|✅ FIXED|⚠️ DEFERRED] | [N] |
### Findings Fixed in This PR
| # | Severity | Finding | Resolution |
|---|----------|---------|------------|
| 1 | [SEVERITY] | [DESCRIPTION] | [HOW_FIXED] |
### Findings Deferred (With Tracking Issues)
| # | Severity | Finding | Tracking Issue | Justification |
|---|----------|---------|----------------|---------------|
| 1 | [SEVERITY] | [DESCRIPTION] | #[ISSUE] | [WHY] |
### Summary
| Category | Count |
|----------|-------|
| Fixed in PR | [N] |
| Deferred (with tracking) | [N] |
| Unaddressed | 0 |
**Review Status:** [✅ COMPLETE|⏸️ BLOCKED_ON_DEPENDENCIES]
<!-- REVIEW:END -->
Blocked Scenarios
Missing Review Artifact
REVIEW GATE BLOCKED
Reason: No review artifact found in issue #123
Required Action:
1. Perform comprehensive-review
2. Post review artifact to issue #123 using standard format
3. Address all findings or create tracking issues
4. Retry PR creation
Hint: Run `codex-subagent code-reviewer` to perform the review.
Unaddressed Findings
REVIEW GATE BLOCKED
Reason: 3 unaddressed findings in review artifact
Required Action:
1. Fix the unaddressed findings, OR
2. Create tracking issues and update artifact with links
3. Ensure "Unaddressed: 0" in artifact summary
4. Retry PR creation
Missing Security Review
REVIEW GATE BLOCKED
Reason: Security-sensitive files changed without security review
Files detected:
- src/auth/login.ts
- src/middleware/authenticate.ts
Required Action:
1. Run `codex-subagent security-reviewer`
2. Update review artifact with "Security-Sensitive: YES"
3. Document security review findings
4. Retry PR creation
Checklist
Before attempting PR creation:
- [ ]
comprehensive-reviewskill completed - [ ] Review artifact posted to issue (exact format)
- [ ] All findings either FIXED or DEFERRED
- [ ] All DEFERRED findings have tracking issues created
- [ ] Tracking issue numbers in artifact
- [ ] Security review if security-sensitive files changed
- [ ] "Unaddressed: 0" in summary
- [ ] "Review Status: COMPLETE"
Integration
This skill is enforced by:
PreToolUsehook onBash(filtersgh pr create)
This skill is called after:
comprehensive-reviewapply-all-findingssecurity-review(if applicable)
This skill precedes:
pr-creation
Related Skills
troykelly/worker-protocol
data-ai
VerifiedTrustedCommunity
Defines behavior protocol for spawned worker agents. Injected into worker prompts. Covers startup, progress reporting, exit conditions, and handover preparation.
6SKILL.mdUpdated Apr 15, 2026
troykelly/worker-handover
development
VerifiedTrustedCommunity
Defines context handover format when workers hit turn limit. Posts structured handover to GitHub issue comments enabling replacement workers to continue seamlessly.
6SKILL.mdUpdated Apr 15, 2026
troykelly/worker-dispatch
data-ai
VerifiedTrustedCommunity
Use to spawn isolated worker processes for autonomous issue work. Creates git worktrees, constructs worker prompts, and handles worker lifecycle.
6SKILL.mdUpdated Apr 15, 2026
troykelly/work-intake
tools
VerifiedTrustedCommunity
Entry point for ALL work requests - triages scope from trivial to massive, asks clarifying questions, and routes to appropriate planning skills. Use this when receiving any new work request.
6SKILL.mdUpdated Apr 15, 2026