tylerjrbuell/recipe-code-assistant
apps/docs/skills/recipe-code-assistant/SKILL.md
Full recipe for a code assistant with shell execution, file read/write, git integration, and sandboxed code running.
$ install --global
skillsauthnpx skillsauth add tylerjrbuell/reactive-agents-ts recipe-code-assistantInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 1:58 AM112.9s1 file scanned
SKILL.md
- name:
- recipe-code-assistant
- description:
- Full recipe for a code assistant with shell execution, file read/write, git integration, and sandboxed code running.
- compatibility:
- Reactive Agents TypeScript projects using @reactive-agents/*
- author:
- reactive-agents
- version:
- 2.0
- tier:
- recipe
Recipe: Code Assistant
What this builds
A code assistant that can read and write files, run shell commands (git, build tools, tests), and execute code in a sandboxed environment. Suitable for CI/CD automation, code review, and iterative development tasks.
Skills loaded by this recipe
shell-execution-sandbox— shell tool with allowlist and opt-in build commandsreasoning-strategy-selection— plan-execute-reflect for multi-step coding taskstool-creation— tool registration and allowedToolsobservability-instrumentation— verbose live output for development
Complete implementation
import { ReactiveAgents } from "@reactive-agents/runtime";
import { shellExecuteTool, shellExecuteHandler } from "@reactive-agents/tools";
// Configure the shell tool with build commands enabled
const shellTool = {
definition: shellExecuteTool,
handler: shellExecuteHandler({
additionalCommands: ["bun", "node", "npm", "git"],
timeoutMs: 60_000, // 60s for build/test commands
maxOutputChars: 8_000, // increase for verbose test output
cwd: process.cwd(),
}),
};
const agent = await ReactiveAgents.create()
.withName("code-assistant")
.withProvider("anthropic")
.withReasoning({
defaultStrategy: "plan-execute-reflect",
maxIterations: 30,
})
.withTools({
tools: [shellTool],
allowedTools: ["shell-execute", "file-read", "file-write", "checkpoint", "final-answer"],
})
.withObservability({ verbosity: "verbose", live: true })
.withCostTracking({ perSession: 2.0, daily: 20.0 })
.withSystemPrompt(`
You are a code assistant with shell and file access.
Workflow for coding tasks:
1. Read relevant files with file-read before making changes.
2. Checkpoint your plan before starting significant edits.
3. Make targeted, focused changes — do not rewrite files unnecessarily.
4. After writing files, run tests with shell-execute to verify.
5. Use "git status" and "git diff" to review changes before finalizing.
6. Report what you changed and whether tests passed.
Allowed shell commands: git, ls, cat, grep, find, bun, node, npm, mkdir, cp, mv, touch, wc, head, tail, diff
Blocked: rm, chmod, chown (use mv to "delete" files if needed)
`)
.build();
// Example: fix a bug
const result = await agent.run(`
Fix the failing test in packages/auth/tests/login.test.ts.
The test expects validateToken to return null for expired tokens,
but the current implementation throws an error instead.
`);
console.log(result.output);
await agent.dispose();
Key variations
Read-only code review (no writes)
const reviewTool = {
definition: shellExecuteTool,
handler: shellExecuteHandler({
allowedCommands: ["git", "ls", "cat", "grep", "find", "head", "tail", "wc", "diff"],
}),
};
const reviewer = await ReactiveAgents.create()
.withProvider("anthropic")
.withTools({
tools: [reviewTool],
allowedTools: ["shell-execute", "file-read", "checkpoint"],
})
.withSystemPrompt("Review code for issues. Do not make any changes. Report findings only.")
.build();
Docker-sandboxed code execution
const sandboxTool = {
definition: shellExecuteTool,
handler: shellExecuteHandler({
additionalCommands: ["node", "python3"],
dockerEscalation: { enabled: true },
// Inline code (node --eval, python -c) runs in isolated Docker containers
}),
};
Audit logging for production
import type { ShellAuditEntry } from "@reactive-agents/tools";
const auditedTool = {
definition: shellExecuteTool,
handler: shellExecuteHandler({
additionalCommands: ["bun", "git"],
onAudit: (entry: ShellAuditEntry) => {
logger.info("shell-execute", {
command: entry.command,
exitCode: entry.exitCode,
durationMs: entry.durationMs,
});
},
}),
};
Expected output shape
const result = await agent.run("Fix the failing test...");
// result.output — description of changes made and test results
// result.steps — full trace of file reads, writes, and shell commands
// result.cost — USD cost for the session
Pitfalls
rmis hard-blocked and cannot be enabled viaadditionalCommands— usemvto archive files insteadmaxOutputChars: 4000(default) truncates long command output — increase to 8000+ forbun teston large test suitestimeoutMs: 30_000(default) is too short forbun install— set 60_000+ for package management commands- Always read files before writing them — the agent must understand the existing code structure before making changes
file-writeoverwrites the entire file — ensure the agent reads the file first and preserves non-modified sections
Related Skills
tylerjrbuell/reactive-agents
development
VerifiedTrustedCommunity
Orient to the Reactive Agents framework, understand the builder API shape, and select the right capability skills for your task.
9SKILL.mdUpdated Apr 21, 2026
tylerjrbuell/quality-assurance
testing
VerifiedTrustedCommunity
Enable output verification (hallucination detection, semantic entropy, self-consistency), add post-run verification steps, and run LLM-scored evals across 5 quality dimensions.
9SKILL.mdUpdated Apr 21, 2026
tylerjrbuell/provider-patterns
data-ai
VerifiedTrustedCommunity
Configure per-provider behavior, understand streaming quirks, and use the 7-hook adapter system for optimal performance across LLM providers.
9SKILL.mdUpdated Apr 21, 2026
tylerjrbuell/memory-patterns
data-ai
VerifiedTrustedCommunity
Configure the 4-layer memory system with SQLite/FTS5/vec storage for persistent agent knowledge that survives sessions.
9SKILL.mdUpdated Apr 21, 2026