⚠️

重要前提

安装AI Skills的关键前提是：必须科学上网，且开启TUN模式，这一点至关重要，直接决定安装能否顺利完成，在此郑重提醒三遍：科学上网，科学上网，科学上网。查看完整安装教程 →

Diffity Review：AI代码审查工具，自动化安全、性能与逻辑分析

diffity-review by kamranahmedse/diffity

305 周安装量

533 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/kamranahmedse/diffity --skill diffity-review

自动化代码质量命令行工具

🇨🇳中文介绍

Diffity Review Skill

你正在使用 diffity agent CLI 审查代码差异并留下行内评论。

参数

ref (可选): 要审查的 Git 引用 (例如 main..feature, HEAD~3)。默认为工作区更改。当同时提供 ref 和 focus 时，两者都使用 (例如 /diffity-review main..feature security)。
focus (可选): 将审查重点放在特定领域。可选值: security, , , , , 。如果省略，则审查所有内容。

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

步骤 1: 确保 diffity 为正确的引用运行 (无需打开浏览器)

审查需要一个运行中的会话，其引用与请求的引用匹配。引用不匹配会导致添加评论时出现"文件不在当前差异中"的错误。

运行 diffity list --json 获取所有正在运行的实例。解析 JSON 输出，并找到其 repoRoot 与当前仓库匹配的条目。
如果存在匹配的条目，将其 ref 字段与请求的引用进行比较:
- 注册表为工作区会话存储 "work"，为命名引用存储用户提供的引用字符串 (例如 "main", "HEAD~3)。
- 如果引用匹配 → 重用该会话，记下端口，并继续步骤 2。
- 如果引用不匹配 → 重新启动: 运行 diffity <ref> --no-open --new (如果没有 ref，则运行 diffity --no-open --new)。--new 标志会终止旧会话并启动一个新会话。使用带有 run_in_background: true 的 Bash 工具。等待 2 秒，然后使用 diffity list --json 验证并记下端口。
- 如果未请求引用且正在运行的会话的引用不是 "work" → 使用 diffity --no-open --new 重新启动 (正在运行的会话是针对命名引用的，但我们需要工作区)。
如果此仓库没有会话正在运行，则在后台启动一个:
- 命令: diffity <ref> --no-open (如果没有 ref，则使用 diffity --no-open)
- 使用带有 run_in_background: true 的 Bash 工具
- 等待 2 秒，然后使用 diffity list --json 验证并记下端口。

步骤 2: 审查差异

从 diffity 的 API 获取解析后的差异参数，然后自己运行 git diff — 不要手动构造差异引用，因为 diffity 使用合并基准解析:
```
curl -s 'http://localhost:<port>/api/diff/ref?ref=<ref>'
```
如果未提供 ref，请省略 ref 查询参数。响应是带有 args 字段 (例如 "abc123def") 的 JSON。运行 git diff <args> 获取统一差异。行号在 @@ 块头中。
查找并阅读所有相关的 CLAUDE.md 文件 — 根目录的 CLAUDE.md 以及包含修改文件的任何目录中的 CLAUDE.md 文件。这些文件定义了差异必须遵循的特定于项目的规则。

在审查前理解变更

首先总结变更。 在寻找问题之前，构建一个关于差异的心智模型:
- 此变更试图实现什么？ (新功能、错误修复、重构、配置更改)
- 哪些文件是结构更改，哪些是核心逻辑更改？
- 作者的意图是什么？阅读提交信息 (git log --oneline <args>) 以及任何链接的问题或 PR 描述以获取上下文。
- 作者做出了哪些关键决策，他们在什么约束条件下工作？
理解意图有助于你区分有意行为和真正的错误。
对于每个更改的文件，阅读整个文件 (不仅仅是差异块) 以理解完整上下文。
交叉引用调用者和依赖项。 对于任何更改的函数签名、重命名的导出、修改的返回类型或更改的行为: 在整个代码库中 grep 查找使用情况。一个孤立看起来正确的函数可能会破坏每个调用者。检查:
- 谁调用了这个函数？他们会处理新的返回值/错误/null 情况吗？
- 谁导入了这个模块？更改后的导出名称能解析吗？
- 这种类型更改是否正确传播到消费者？
使用以下技术分析代码更改。如果提供了 focus 参数，请集中在该领域。否则，应用所有分析流程和信号阈值。

差异告诉你什么改变了；周围的代码告诉你这个改变是否正确。应用这些分析流程:

数据流分析 — 跟踪更改代码中的值。每个变量从哪里来？它去哪里？检查:

在更改后的代码假设其不为空/未定义的地方，值是否可能为 null/undefined？
更改后的代码是否处理了上游条件的所有分支？
如果函数的返回类型改变了，所有调用者是否都处理了新的结构？
是否存在差异意外移出的缩小检查 (例如 if (x))？

状态和生命周期分析 — 对于有状态的代码 (React 状态、数据库事务、流、事件监听器):

更改是否创建了一个无法到达或无法退出的状态？
资源 (监听器、订阅、文件句柄) 是否在所有路径上都被清理了？
并发访问是否会破坏共享状态？
操作的顺序是否仍然满足不变量 (例如先初始化再使用)？

契约分析 — 根据必须满足的契约检查更改后的代码:

函数是否仍然满足其调用者的期望？ (阅读调用者，不要猜测。)
如果它实现了一个接口或覆盖了一个基类方法，它是否仍然符合？
前置条件和后置条件是否得到保留？
对于 API 端点: 响应结构是否与客户端发送/期望的匹配？

边界分析 — 对于系统边界处的代码 (用户输入、网络、文件 I/O、IPC):

用户控制的输入在使用前是否经过验证？
格式错误的外部数据是否会崩溃进程或破坏状态？
是否存在注入向量 (SQL、shell、XSS、路径遍历)？

边界情况分析 — 仅针对实际中会发生的情况，而非理论上的情况:

空数组/字符串、零、负数 — 代码能处理它们吗？
循环、切片或索引运算中的差一错误
整数溢出、除零 (其中除数来自输入)

标记会影响正确性、安全性或可靠性的真正问题:

将无法编译、解析或运行的代码 (语法错误、类型错误、缺少导入、未解析的引用)
会产生错误结果的逻辑错误 (明显的错误、差一错误、条件错误)
更改代码中的安全漏洞 (注入、XSS、身份验证绕过、数据暴露)
你可以用具体场景演示的竞争条件或数据丢失风险
CLAUDE.md 违规，你可以引用被违反的确切规则
破坏的契约 — 一个不再满足其调用者期望的更改函数

跳过风格问题、linter 可捕获的问题以及未更改代码中预先存在的问题。专注于差异，而不是整个文件。

对于每个发现，在发布前验证它是真实的:

重新阅读周围的代码 — 许多明显的错误在完整上下文中会消失
对于"缺少导入"或"未定义变量"的断言，使用 grep 确认
对于破坏的调用者，阅读实际的调用点
对于 CLAUDE.md 违规，确认规则适用于此文件

如果跨文件出现重复模式，请评论第一次出现，并在总体摘要中提及该模式，而不是重复评论。

步骤 3: 留下评论

在评论正文中使用严重性前缀对每个发现进行分类:
- [must-fix] — 错误、安全问题、数据丢失风险。将导致中断或产生错误结果的代码。
- [suggestion] — 具有明确理由的具体改进。不是风格偏好 — 真正的改进。
- [question] — 需要作者澄清的不明确之处。
对于每个发现，使用以下命令留下行内评论:
```
diffity agent comment --file <path> --line <n> [--end-line <n>] [--side new] --body "<comment>"
```
- 对添加/修改的代码使用 --side new (默认)
- 对已删除的代码使用 --side old
- 当问题跨越多行时使用 --end-line
- 以问题开头，而不是背景。要具体且可操作。
- 对于小的、自包含的修复，包含一个显示修复的代码建议
- 对于较大的修复 (结构更改、多位置)，描述问题和建议的方法，无需完整的代码块
- 如果标记 CLAUDE.md 违规，请引用被违反的确切规则
留下所有行内评论后，决定是否需要一般评论:
- 没有发现 → 留下一般评论: "未发现问题。已检查错误和 CLAUDE.md 合规性。"
- 1-2 个发现 → 跳过一般评论，除非存在行内评论未涵盖的跨领域问题。
- 3+ 个发现 → 留下一般评论 总结主题。
- 不要在一般评论中使用严重性前缀 — 前缀仅用于行内发现。
- 以结论开头，直接且简洁 — 不要恭维，不要填充，不要叙述代码的作用。
  
  diffity agent general-comment --body "<overall review summary>"

步骤 4: 打开浏览器

现在评论已准备就绪，打开浏览器:
```
diffity open <ref>
```
如果提供了 ref 参数，请传递它 (例如 diffity open HEAD~3)。省略它以打开默认视图。
告诉用户审查已完成，他们可以检查浏览器。示例:

审查完成 — 请检查您的浏览器。

发现: 2 个必须修复, 1 个建议

准备就绪后，运行 /diffity-resolve 来修复它们。

🇺🇸English

Diffity Review Skill

You are reviewing a diff and leaving inline comments using the diffity agent CLI.

Arguments

ref (optional): Git ref to review (e.g. main..feature, HEAD~3). Defaults to working tree changes. When both ref and focus are provided, use both (e.g. /diffity-review main..feature security).
focus (optional): Focus the review on a specific area. One of: security, performance, naming, errors, types, logic. If omitted, review everything.

CLI Reference

diffity agent list [--status open|resolved|dismissed] [--json]
diffity agent comment --file <path> --line <n> [--end-line <n>] [--side new|old] --body "<text>"
diffity agent general-comment --body "<text>"
diffity agent resolve <id> [--summary "<text>"]
diffity agent dismiss <id> [--reason "<text>"]
diffity agent reply <id> --body "<text>"

--file, --line, --body are required for comment
--end-line defaults to --line (single-line comment)
--side defaults to new
general-comment creates a diff-level comment not tied to any file or line
<id> accepts full UUID or 8-char prefix

Prerequisites

Check that diffity is available: run which diffity. If not found, install it with npm install -g diffity.

Instructions

Step 1: Ensure diffity is running for the correct ref (without opening browser)

The review needs a running session whose ref matches the requested ref. A ref mismatch causes "file not in current diff" errors when adding comments.

Run diffity list --json to get all running instances. Parse the JSON output and find the entry whose repoRoot matches the current repo.
If a matching entry exists, compare its ref field against the requested ref:
- The registry stores "work" for working-tree sessions and the user-provided ref string (e.g. "main", "HEAD~3") for named refs.
- If refs match → reuse the session, note the port, and continue to Step 2.
- If refs don't match → restart: run diffity <ref> --no-open --new (or diffity --no-open --new if no ref). The --new flag kills the old session and starts a fresh one. Use Bash tool with . Wait 2 seconds, then verify with and note the port.

Step 2: Review the diff

Get the resolved diff args from diffity's API , then run git diff yourself — do NOT construct the diff ref manually, as diffity uses merge-base resolution:

curl -s 'http://localhost:<port>/api/diff/ref?ref=<ref>'

If no ref was provided, omit the ref query parameter. The response is JSON with an args field (e.g. "abc123def"). Run git diff <args> to get the unified diff. Line numbers are in the @@ hunk headers. 2. Find and read all relevant CLAUDE.md files — the root CLAUDE.md and any CLAUDE.md files in directories containing modified files. These define project-specific rules that the diff must follow.

Understand the change before reviewing it

Summarize the change first. Before looking for problems, build a mental model of the diff:
- What is this change trying to accomplish? (new feature, bug fix, refactor, config change)
- Which files are structural changes vs. the core logic change?
- What is the author's intent? Read commit messages (git log --oneline <args>) and any linked issues or PR descriptions for context.
- What are the key decisions the author made, and what constraints were they working within?

Understanding intent helps you distinguish intentional behavior from real bugs.

For each changed file, read the entire file (not just the diff hunks) to understand the full context.
Cross-reference callers and dependents. For any changed function signature, renamed export, modified return type, or altered behavior: grep for usages across the codebase. A function that looks correct in isolation can break every caller. Check:
- Who calls this function? Will they handle the new return value / error / null case?
- Who imports this module? Will the changed export name resolve?
- Does this type change propagate correctly to consumers?
Analyze the code changes using the techniques below. If a focus argument was provided, concentrate on that area. Otherwise, apply all analysis passes and the signal threshold.

How to analyze

The diff tells you what changed; the surrounding code tells you whether the change is correct. Apply these analysis passes:

Data flow analysis — Trace values through the changed code. Where does each variable come from? Where does it go? Check:

Can a value be null/undefined where the changed code assumes it isn't?
Does the changed code handle all branches of an upstream conditional?
If a function's return type changed, do all callers handle the new shape?
Are there narrowing checks (e.g. if (x)) that the diff accidentally moved outside of?

State and lifecycle analysis — For stateful code (React state, database transactions, streams, event listeners):

Does the change create a state that can't be reached or can't be exited?
Are resources (listeners, subscriptions, file handles) still cleaned up on all paths?
Can concurrent access corrupt shared state?
Does the ordering of operations still satisfy invariants (e.g. init before use)?

Contract analysis — Check the changed code against the contracts it must satisfy:

Does the function still satisfy what its callers expect? (Read the callers, don't guess.)
If it implements an interface or overrides a base method, does it still conform?
Are pre-conditions and post-conditions preserved?
For API endpoints: does the response shape match what clients send/expect?

Boundary analysis — For code at system boundaries (user input, network, file I/O, IPC):

Is user-controlled input validated before use?
Can malformed external data crash the process or corrupt state?
Are there injection vectors (SQL, shell, XSS, path traversal)?

Edge case analysis — Only for cases that will happen in practice, not theoretical ones:

Empty arrays/strings, zero, negative numbers — does the code handle them?
Off-by-one in loops, slices, or index arithmetic
Integer overflow, division by zero where the divisor comes from input

What to flag

Flag real problems that would affect correctness, security, or reliability:

Code that will fail to compile, parse, or run (syntax errors, type errors, missing imports, unresolved references)
Logic errors that will produce wrong results (clear bugs, off-by-one errors, broken conditions)
Security vulnerabilities in changed code (injection, XSS, auth bypass, data exposure)
Race conditions or data loss risks you can demonstrate with a concrete scenario
CLAUDE.md violations where you can quote the exact rule being broken
Broken contracts — a changed function that no longer satisfies what its callers expect

Skip style concerns, linter-catchable issues, and pre-existing problems in unchanged code. Focus on the diff, not the whole file.

Validate before commenting

For each finding, verify it's real before posting:

Re-read the surrounding code — many apparent bugs disappear in full context
For "missing import" or "undefined variable" claims, grep to confirm
For broken callers, read the actual call sites
For CLAUDE.md violations, confirm the rule is scoped to this file

If a repeated pattern appears across files, comment on the first occurrence and mention the pattern in the general summary instead of duplicating comments.

Step 3: Leave comments

Categorize each finding with a severity prefix in the comment body:
- [must-fix] — Bugs, security issues, data loss risks. Code that will break or produce wrong results.
- [suggestion] — Concrete improvements with a clear reason. Not style preferences — real improvements.
- [question] — Something unclear that needs clarification from the author.
For each finding, leave an inline comment using:

diffity agent comment --file <path> --line <n> [--end-line <n>] [--side new] --body "<comment>"
- Use --side new (default) for comments on added/modified code
- Use --side old for comments on removed code
- Use --end-line when the issue spans multiple lines
- Lead with the problem , not background. Be specific and actionable.
- For small, self-contained fixes, include a code suggestion showing the fix

Step 4: Open the browser

Open the browser now that comments are ready:

diffity open <ref>

Pass the ref argument if one was provided (e.g. diffity open HEAD~3). Omit it to open the default view.

Tell the user the review is ready and they can check the browser. Example:

Review complete — check your browser.

Found: 2 must-fix, 1 suggestion

When you're ready, run /diffity-resolve to fix them.

Weekly Installs

Repository

kamranahmedse/diffity

GitHub Stars

280

First Seen

8 days ago

Security Audits

Gen Agent Trust HubPass SocketWarn SnykPass

Installed on

gemini-cli74

kimi-cli74

codex74

amp74

cline74

github-copilot74

通过 LiteLLM 代理让 Claude Code 对接 GitHub Copilot 运行 | 高级变通方案指南

48,700 周安装

run_in_background: true

diffity list --json

If no ref was requested and the running session's ref is not "work" → restart with diffity --no-open --new (the running session is for a named ref, but we need working-tree).

If no session is running for this repo, start one in the background:

Command: diffity <ref> --no-open (or diffity --no-open if no ref)
Use Bash tool with run_in_background: true
Wait 2 seconds, then verify with diffity list --json and note the port.

For larger fixes (structural changes, multi-location), describe the issue and suggested approach without a full code block

If flagging a CLAUDE.md violation, quote the exact rule being broken

After leaving all inline comments, decide whether a general comment is needed:

No findings → leave a general comment: "No issues found. Checked for bugs and CLAUDE.md compliance."
1-2 findings → skip the general comment unless there's a cross-cutting concern the inline comments don't cover.
3+ findings → leave a general comment summarizing the themes.
Do not use severity prefixes in the general comment — prefixes are only for inline findings.
Lead with the verdict, be direct and concise — no compliments, no filler, no narrating what the code does.

diffity agent general-comment --body "<overall review summary>"

Diffity Review：AI代码审查工具，自动化安全、性能与逻辑分析

🇨🇳中文介绍

Diffity Review Skill

参数

相关 Skills

CLI 参考

先决条件

使用说明

步骤 1: 确保 diffity 为正确的引用运行 (无需打开浏览器)

步骤 2: 审查差异

在审查前理解变更

如何分析

标记什么

评论前验证

步骤 3: 留下评论

步骤 4: 打开浏览器

🇺🇸English

Diffity Review Skill

Arguments

CLI Reference

Prerequisites

Instructions

Step 1: Ensure diffity is running for the correct ref (without opening browser)

Step 2: Review the diff

Understand the change before reviewing it

How to analyze

What to flag

Validate before commenting

Step 3: Leave comments

Step 4: Open the browser

最新 Skills