⚠️

重要前提

安装AI Skills的关键前提是：必须科学上网，且开启TUN模式，这一点至关重要，直接决定安装能否顺利完成，在此郑重提醒三遍：科学上网，科学上网，科学上网。查看完整安装教程 →

预发布审查 (Pre-Ship Review) - AI代码集成边界质量检查与自动化测试指南

pre-ship-review by terrylica/cc-skills

56 周安装量

28 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/terrylica/cc-skills --skill pre-ship-review

软件工程自动化代码质量

🇨🇳中文介绍

预发布审查

在任何检查点（如 PR、发布、里程碑）提交代码前进行的结构化质量审查。捕获发生在集成边界的失败——即合约、示例、常量和测试必须全部一致的地方。

核心论点：AI 生成的代码在独立组件方面表现出色，但在组件之间的边界处会系统性失败。此技能系统地检查这些边界。

何时使用此技能

在任何重要的代码提交前使用：

涉及多个新模块连接在一起的拉取请求
合并了多位贡献者或多个分支工作的发布
在继续推进前必须通过质量门的里程碑
任何检查点，其中包含跨文件的示例、常量或接口扩展的代码需要验证

不需要用于：单文件的表面更改、仅文档更新、依赖项升级。

TodoWrite 任务模板

强制要求：在开始审查前，选择并加载适当的模板。

模板 A：新功能发布

1. 检测更改的文件和范围（针对基础分支运行 `git diff --name-only`）
2. 运行阶段 1 - 外部工具检查（Pyright, Vulture, import-linter, deptry, Semgrep, Griffe）
3. 运行阶段 2 - cc-skills 编排（code-hardcode-audit, dead-code-detector, pr-gfm-validator）
4. 根据更改的文件类型运行阶段 2 的条件检查
5. 阶段 3 - 验证每个函数参数至少有一个调用者通过名称传递它
6. 阶段 3 - 验证每个配置/示例参数映射到实际的函数关键字参数
7. 阶段 3 - 检查架构边界违规（硬编码的功能列表、跨层耦合）
8. 阶段 3 - 验证领域常量和公式正确（交叉引用引用的来源）
9. 阶段 3 - 审计测试质量 - 测试是否测试了它们声称的内容（而非副作用）？
10. 阶段 3 - 检查新组件之间的隐式依赖关系
11. 阶段 3 - 寻找 O(n^2) 模式，其中 O(n) 就足够了
12. 阶段 3 - 验证错误消息提供了可操作的指导
13. 阶段 3 - 确认示例反映了实际行为，而非期望行为
14. 编译包含严重性和建议修复的发现报告

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

模板 B：Bug 修复发布

1. 验证修复是否针对根本原因，而非症状
2. 验证修复是否没有掩盖信息流
3. 检查新测试是否重现了原始错误（在没有修复的情况下失败）
4. 在更改的文件上运行阶段 1 - 外部工具检查
5. 在更改的文件上运行阶段 2 - cc-skills 检查
6. 如果任何值发生更改，验证常量一致性
7. 编译发现报告

模板 C：重构发布

1. 验证所有调用者已更新以匹配新签名
2. 运行阶段 1 - 外部工具检查（特别是 Griffe 用于 API 漂移）
3. 运行阶段 2 - cc-skills 检查（特别是 dead-code-detector）
4. 验证示例/文档已更新以匹配新参数名称
5. 验证没有因移除功能而产生的死导入
6. 检查是否引入了跨边界耦合
7. 编译发现报告

阶段 1：外部工具检查（约 15 秒，可并行）

在更改的文件上运行静态分析工具。跳过任何未安装的工具（优雅降级）。

Detect scope:
  git diff --name-only $(git merge-base HEAD main)...HEAD

Run in parallel:
  pyright --outputjson <changed_py_files>          # Type contracts
  vulture <changed_py_files> --min-confidence 80   # Dead code / YAGNI
  lint-imports                                      # Architecture boundaries
  deptry .                                          # Dependency hygiene
  semgrep --config .semgrep/ <changed_files>        # Custom pattern rules
  griffe check --against main <package>             # API signature drift

每个工具捕获的内容：

工具	反模式	安装
Pyright (严格模式)	接口合约、返回类型、跨文件类型错误	`pip install pyright`
Vulture	死代码、未使用的常量/导入 (YAGNI)	`pip install vulture`
import-linter	架构边界违规、禁止的导入	`pip install import-linter`
deptry	未使用/缺失/传递依赖项	`pip install deptry`
Semgrep	非确定性、静默参数吸收、禁止的模式	`brew install semgrep`
Griffe	破坏性 API 更改、与基础分支的签名漂移	`pip install griffe`

优雅降级：如果某个工具未安装，记录警告并跳过它。绝不因为一个可选工具缺失而使整个审查失败。

有关详细工具程序，请参阅自动化检查参考。有关安装说明，请参阅工具安装指南。

阶段 2：cc-skills 编排（约 30 秒，可子代理并行）

调用补充外部工具的现有 cc-skills。

code-hardcode-audit -- 硬编码值、魔数、泄露的秘密
dead-code-detector -- 多语言死代码检测（Python, TypeScript, Rust）
pr-gfm-validator -- PR 描述链接有效性（如果创建 PR）

根据更改的文件类型有条件地运行：

条件	要调用的技能
Python 文件更改	impl-standards（错误处理、常量、日志记录）
500+ 行更改	code-clone-assistant（重复代码检测）
插件/钩子文件更改	plugin-validator（结构、静默失败）
Markdown/文档更改	link-validation（损坏的链接、路径策略）

阶段 3：人工判断审查（Claude 辅助）

这些检查需要理解意图、领域正确性和架构适用性。手动检查每一项。

检查 1：架构边界

"核心"层中的新代码是否引用了"插件"或"能力"层的名称？
是否存在硬编码的功能/插件名称列表？（边界违规）
添加此功能类型的另一个实例是否需要修改核心代码？

检查 2：领域正确性

数学公式是否正确？与引用的论文交叉引用。
常量标记是否正确？（例如，"每日"常量应使用每日值）
单位和时间段是否匹配？（年利率与日利率，季度与月度 lambda）

检查 3：测试质量

每个测试是否都测试了它声称要测试的特定函数？
还是它测试了一个副作用？（函数 A 测试函数 B，而 B 内部调用了 A）
是否涵盖了边界情况？（空输入、NaN、单个元素、除以零）

检查 4：依赖透明度

如果组件 A 需要组件 B 先运行，这一点是否有文档记录？
顺序要求是否在接口中明确说明，而不仅仅是在示例中？

检查 5：性能

是否存在对同一数据的嵌套循环？（潜在的 O(n^2)）
是否存在可以改为滚动或全样本操作的扩展窗口操作？
是否存在可以向量化的逐元素操作？

检查 6：错误消息质量

错误是否告诉用户要做什么，而不仅仅是哪里出错了？
验证错误是否引用了失败的具体参数/值？

检查 7：示例准确性

示例是否演示了代码中实际有效的功能？
示例中是否存在被 **kwargs 或 **_ 静默吸收的参数？

有关详细检查程序，请参阅判断检查参考。

通用预发布清单

Phase 1 (Tools):
- [ ] Pyright strict passes on changed files (no type errors)
- [ ] Vulture finds no unused code in new files (or allowlisted)
- [ ] import-linter passes (no architecture boundary violations)
- [ ] deptry passes (no unused/missing dependencies)
- [ ] Semgrep custom rules pass (no non-determinism, no silent param absorption)
- [ ] Griffe shows no unintended API breaking changes vs base branch

Phase 2 (cc-skills):
- [ ] code-hardcode-audit passes (no magic numbers or secrets)
- [ ] dead-code-detector passes (no unused code)
- [ ] PR description links valid (pr-gfm-validator)

Phase 3 (Judgment):
- [ ] No new cross-boundary coupling introduced
- [ ] Domain constants and formulas are mathematically correct
- [ ] Tests actually test what they claim (not side effects)
- [ ] Implicit dependencies between components are documented
- [ ] No O(n^2) where O(n) suffices
- [ ] Error messages give actionable guidance
- [ ] Examples reflect actual behavior, not aspirational behavior

此技能基于 9 种集成边界反模式的分类法构建。有关完整目录（包含示例、检测启发式方法和修复方法），请参阅反模式目录。

| 反模式 | 检测方法

---|---|---
1 | 接口合约违规 | Pyright + Griffe + 手动追踪
2 | 误导性示例 | Semgrep + 手动配置到代码比较
3 | 架构边界违规 | import-linter + 手动审查
4 | 不正确的领域常量 | Semgrep + 领域专业知识
5 | 测试覆盖缺口 | mutmut + 手动测试审计
6 | 非确定性 | Semgrep 自定义规则
7 | YAGNI | Vulture + dead-code-detector
8 | 隐藏的依赖关系 | 手动依赖关系追踪
9 | 性能反模式 | 手动复杂度分析

修改此技能后：

反模式目录反映了真实世界的发现
工具安装指南包含当前版本和命令
TodoWrite 模板涵盖了三种发布类型
通用清单完整且无冗余
所有 references/ 链接解析正确
将更改追加到 references/evolution-log.md

此技能完成后，在关闭任务前进行反思：

定位自己。 — 在编辑前找到此 SKILL.md 的规范路径（全局搜索此技能名称）。所有更正都针对此文件及其同级 references/ 目录——绝不针对其他文档。
什么失败了？ — 修复导致失败的指令。如果可能再次发生，将其添加为反模式。
什么比预期效果更好？ — 将其提升为推荐实践。记录原因。
什么发生了漂移？ — 任何不再符合现实的脚本、参考或外部依赖项立即修复。
记录它。 — 每次更改都会在 evolution-log 中添加一条记录，包含触发原因、修复方法和证据。

不要推迟。下一次调用将继承你留下的任何内容。

问题	原因	解决方案
工具未找到	外部工具未安装	按照 tool-install-guide.md 安装或跳过（优雅降级）
Vulture 误报过多	框架入口点看起来未使用	创建允许列表：`vulture --make-whitelist > whitelist.py`
Semgrep 太慢	大型代码库扫描	仅限定在更改的文件：`semgrep --include=<changed>`
import-linter 没有合约	项目未配置	在 `pyproject.toml` 中添加 `[importlinter]` 部分
Griffe 报告错误的破坏性更改	故意的 API 更改	使用 `griffe check --against main --allow-breaking`
阶段 3 未发现问题但审查者发现问题	新的反模式类别	添加到目录和 evolution-log.md
cc-skill 未触发	技能未在市场中安装	使用 `/plugin list` 验证

有关详细信息，请参阅：

自动化检查参考 -- 阶段 1 外部工具程序
判断检查参考 -- 阶段 3 人工判断程序
反模式目录 -- 包含示例的完整 9 类别分类法
工具安装指南 -- 所有外部工具的安装和设置
演进日志 -- 变更历史

🇺🇸English

Pre-Ship Review

Structured quality review before shipping code at any checkpoint: PRs, releases, milestones. Catches the failures that occur at integration boundaries -- where contracts, examples, constants, and tests must all agree.

Core thesis : AI-generated code excels at isolated components but fails systematically at boundaries between components. This skill systematically checks those boundaries.

When to Use This Skill

Use before any significant code shipment:

Pull requests with multiple new modules that wire together
Releases combining work from multiple contributors or branches
Milestones where quality gates must pass before proceeding
Any checkpoint where code with examples, constants across files, or interface extensions needs validation

NOT needed for: single-file cosmetic changes, documentation-only updates, dependency bumps.

TodoWrite Task Templates

MANDATORY : Select and load the appropriate template before starting review.

Template A: New Feature Ship

1. Detect changed files and scope (git diff --name-only against base branch)
2. Run Phase 1 - External tool checks (Pyright, Vulture, import-linter, deptry, Semgrep, Griffe)
3. Run Phase 2 - cc-skills orchestration (code-hardcode-audit, dead-code-detector, pr-gfm-validator)
4. Run Phase 2 conditional checks based on file types changed
5. Phase 3 - Verify every function parameter has at least one caller passing it by name
6. Phase 3 - Verify every config/example parameter maps to an actual function kwarg
7. Phase 3 - Check for architecture boundary violations (hardcoded feature lists, cross-layer coupling)
8. Phase 3 - Verify domain constants and formulas are correct (cross-reference cited sources)
9. Phase 3 - Audit test quality - do tests test what they claim (not side effects)?
10. Phase 3 - Check for implicit dependencies between new components
11. Phase 3 - Look for O(n^2) patterns where O(n) suffices
12. Phase 3 - Verify error messages give actionable guidance
13. Phase 3 - Confirm examples reflect actual behavior, not aspirational behavior
14. Compile findings report with severity and suggested fixes

Template B: Bug Fix Ship

1. Verify the fix addresses root cause, not symptom
2. Verify the fix does not mask information flow
3. Check that new test reproduces the original bug (fails without fix)
4. Run Phase 1 - External tool checks on changed files
5. Run Phase 2 - cc-skills checks on changed files
6. Verify constants consistency if any values changed
7. Compile findings report

Template C: Refactoring Ship

1. Verify all callers updated to match new signatures
2. Run Phase 1 - External tool checks (especially Griffe for API drift)
3. Run Phase 2 - cc-skills checks (especially dead-code-detector)
4. Verify examples/docs updated to match new parameter names
5. Verify no dead imports from removed features
6. Check for introduced cross-boundary coupling
7. Compile findings report

Three-Phase Workflow

Phase 1: External Tool Checks (~15s, parallelizable)

Run static analysis tools on changed files. Skip any tool that is not installed (graceful degradation).

Detect scope:
  git diff --name-only $(git merge-base HEAD main)...HEAD

Run in parallel:
  pyright --outputjson <changed_py_files>          # Type contracts
  vulture <changed_py_files> --min-confidence 80   # Dead code / YAGNI
  lint-imports                                      # Architecture boundaries
  deptry .                                          # Dependency hygiene
  semgrep --config .semgrep/ <changed_files>        # Custom pattern rules
  griffe check --against main <package>             # API signature drift

What each tool catches:

Tool	Anti-Pattern	Install
Pyright (strict)	Interface contracts, return types, cross-file type errors	`pip install pyright`
Vulture	Dead code, unused constants/imports (YAGNI)	`pip install vulture`
import-linter	Architecture boundary violations, forbidden imports	`pip install import-linter`
deptry	Unused/missing/transitive dependencies	`pip install deptry`
Semgrep	Non-determinism, silent param absorption, banned patterns

Graceful degradation : If a tool is not installed, log a warning and skip it. Never fail the entire review because one optional tool is missing.

For detailed tool procedures, see Automated Checks Reference. For installation instructions, see Tool Install Guide.

Phase 2: cc-skills Orchestration (~30s, subagent-parallelizable)

Invoke existing cc-skills that complement external tools.

Always run:

code-hardcode-audit -- Hardcoded values, magic numbers, leaked secrets
dead-code-detector -- Polyglot dead code detection (Python, TypeScript, Rust)
pr-gfm-validator -- PR description link validity (if creating a PR)

Run conditionally based on changed file types:

Condition	Skill to invoke
Python files changed	impl-standards (error handling, constants, logging)
500+ lines changed	code-clone-assistant (duplicate code detection)
Plugin/hook files changed	plugin-validator (structure, silent failures)
Markdown/docs changed	link-validation (broken links, path policy)

Phase 3: Human Judgment Review (Claude-assisted)

These checks require understanding intent, domain correctness, and architectural fitness. Go through each one manually.

Check 1: Architecture Boundaries

Does new code in a "core" layer reference names from a "plugin" or "capability" layer?
Are there hardcoded lists of feature/plugin names? (Boundary violation)
Would adding another instance of this feature type require modifying core code?

Check 2: Domain Correctness

Are mathematical formulas correct? Cross-reference with cited papers.
Are constants labeled correctly? (e.g., a "daily" constant should use the daily value)
Do units and time periods match? (annual vs daily rates, quarterly vs monthly lambdas)

Check 3: Test Quality

Does each test exercise the specific function it claims to test?
Or does it test a side-effect? (Function A tests function B which internally calls A)
Are edge cases covered? (Empty input, NaN, single element, division by zero)

Check 4: Dependency Transparency

If component A requires component B to run first, is this documented?
Are ordering requirements explicit in interfaces, not just in examples?

Check 5: Performance

Any nested loops over the same data? (Potential O(n^2))
Any expanding-window operations that could be rolling or full-sample?
Any per-element operations that could be vectorized?

Check 6: Error Message Quality

Do errors tell users what to DO, not just what went wrong?
Do validation errors reference the specific parameter/value that failed?

Check 7: Example Accuracy

Do examples demonstrate features that actually work in the code?
Are there parameters in examples that get silently absorbed by **kwargs or **_?

For detailed check procedures, see Judgment Checks Reference.

Universal Pre-Ship Checklist

Phase 1 (Tools):
- [ ] Pyright strict passes on changed files (no type errors)
- [ ] Vulture finds no unused code in new files (or allowlisted)
- [ ] import-linter passes (no architecture boundary violations)
- [ ] deptry passes (no unused/missing dependencies)
- [ ] Semgrep custom rules pass (no non-determinism, no silent param absorption)
- [ ] Griffe shows no unintended API breaking changes vs base branch

Phase 2 (cc-skills):
- [ ] code-hardcode-audit passes (no magic numbers or secrets)
- [ ] dead-code-detector passes (no unused code)
- [ ] PR description links valid (pr-gfm-validator)

Phase 3 (Judgment):
- [ ] No new cross-boundary coupling introduced
- [ ] Domain constants and formulas are mathematically correct
- [ ] Tests actually test what they claim (not side effects)
- [ ] Implicit dependencies between components are documented
- [ ] No O(n^2) where O(n) suffices
- [ ] Error messages give actionable guidance
- [ ] Examples reflect actual behavior, not aspirational behavior

Anti-Pattern Catalog

This skill is built on a taxonomy of 9 integration boundary anti-patterns. For the full catalog with examples, detection heuristics, and fix approaches, see Anti-Pattern Catalog.

| Anti-Pattern | Detection Method

---|---|---
1 | Interface contract violation | Pyright + Griffe + manual trace
2 | Misleading examples | Semgrep + manual config-to-code comparison
3 | Architecture boundary violation | import-linter + manual review
4 | Incorrect domain constants | Semgrep + domain expertise
5 | Testing gaps | mutmut + manual test audit
6 | Non-determinism | Semgrep custom rules
7 | YAGNI | Vulture + dead-code-detector
8 | Hidden dependencies | Manual dependency trace
9 | Performance anti-patterns | Manual complexity analysis

Post-Change Checklist

After modifying THIS skill:

Anti-pattern catalog reflects real-world findings
Tool install guide has current versions and commands
TodoWrite templates cover the three ship types
Universal checklist is complete and non-redundant
All references/ links resolve correctly
Append changes to references/evolution-log.md

Post-Execution Reflection

After this skill completes, reflect before closing the task:

Locate yourself. — Find this SKILL.md's canonical path (Glob for this skill's name) before editing. All corrections target THIS file and its sibling references/ — never other documentation.
What failed? — Fix the instruction that caused it. If it could recur, add it as an anti-pattern.
What worked better than expected? — Promote it to recommended practice. Document why.
What drifted? — Any script, reference, or external dependency that no longer matches reality gets fixed now.
Log it. — Every change gets an evolution-log entry with trigger, fix, and evidence.

Do NOT defer. The next invocation inherits whatever you leave behind.

Troubleshooting

Issue	Cause	Solution
Tool not found	External tool not installed	Install per tool-install-guide.md or skip (graceful degradation)
Too many Vulture false positives	Framework entry points look unused	Create allowlist: `vulture --make-whitelist > whitelist.py`
Semgrep too slow	Large codebase scan	Scope to changed files only: `semgrep --include=<changed>`
import-linter has no contracts	Project not configured	Add `[importlinter]` section to `pyproject.toml`
Griffe reports false breaking changes	Intentional API change

Reference Documentation

For detailed information, see:

Automated Checks Reference -- Phase 1 external tool procedures
Judgment Checks Reference -- Phase 3 human-judgment procedures
Anti-Pattern Catalog -- Full 9-category taxonomy with examples
Tool Install Guide -- Installation and setup for all external tools
Evolution Log -- Change history

Weekly Installs

Repository

terrylica/cc-skills

GitHub Stars

First Seen

Feb 13, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

opencode54

github-copilot53

codex53

kimi-cli53

gemini-cli53

amp53

GitHub Actions 官方文档查询助手 - 精准解答 CI/CD 工作流问题

49,000 周安装

brew install semgrep