Staged Changes Review
Checklist-driven, deterministic review of Git staged changes. Produces reproducible findings by combining grep-based scanning with closed-question semantic analysis.
输出要求
重要:本技能必须使用中文输出所有分析结果和建议。
- 语言: 始终使用中文回复
- 编码: UTF-8
- 风格: 专业、简洁,发现必须附带代码证据
Workflow (8 Steps)
Execute steps in strict order: 0 → 0.5 → 1 → 2 → 2.5 → 3 → 4 → 5. Do not skip or reorder any step.
Step 0: Collect Changes
git diff --cached
git diff --cached --stat
git diff --cached --name-status
If no staged changes exist, output "无暂存变更,审查终止。" and stop.
Step 0.5: Detect Project Profile
Detect the project type once to determine which rule categories to activate.
# Detect framework
python3 -c "
import json, sys
try:
with open('package.json') as f:
d = json.load(f)
deps = {**d.get('dependencies', {}), **d.get('devDependencies', {})}
if 'next' in deps:
print('react-nextjs')
elif 'react' in deps:
print('react-app')
else:
print('generic')
except:
print('generic')
" 2>/dev/null || echo "generic"
# Count staged file types
git diff --cached --name-only | grep -cE '\.(tsx|jsx)$' || echo 0
git diff --cached --name-only | grep -cE '\.py$' || echo 0
Record the detected profile — it determines active rule categories:
| Profile | Condition | Active Rule Categories |
|---|---|---|
| react-nextjs | next in dependencies | SEC + REACT + PERF + ASYNC + STR + LOGIC/BREAK + BIZ + REPO |
| react-app | react but no next | SEC + REACT + ASYNC + STR + LOGIC/BREAK + BIZ + REPO (001-007) |
| python-generic | Python files majority, no package.json | SEC + STR + LOGIC/BREAK + BIZ + REPO (001-006) |
| generic | No package.json or detection failed | SEC + STR + LOGIC/BREAK + BIZ + REPO (001-006) |
REACT-* and PERF-* rules are skipped entirely for python-generic or generic profiles. REPO-007 requires react-nextjs or react-app; REPO-008 requires react-nextjs only. If detection fails, default to generic.
Step 1: Classify Files
Classify every staged file into priority tiers using the rules in references/review-rules.md §1.
- Assign each file exactly one priority (P0–P4).
- Skip P4 files entirely — do not read or scan them.
- Sort remaining files by priority (P0 first, P3 last).
- Record the file list for the report's "审查范围" section.
Step 2: Deterministic Scan
For each file (P0 → P3 order), execute every applicable deterministic rule from references/review-rules.md §2.
Execution method:
- Use grep patterns from
references/language-patterns.mdmatching the file's language. - Run each grep against the staged diff (
git diff --cached -- <file>) or the file itself. - If a pattern matches, record a finding immediately — no subjective filtering.
- Use the severity from
references/review-rules.md§4 — do NOT modify severity.
MANDATORY: Every rule × file combination must be executed or explicitly marked N/A (wrong file type or inactive profile). Do not skip rules because "they seem unlikely."
Step 2.5: Impact Scope Analysis
For P0/P1 files, run a one-time impact scope assessment and record results for the "影响范围" section.
# 1. New/modified exported symbols in staged diff
git diff --cached -U0 -- "*.ts" "*.tsx" | grep -E "^\+export (function|const|class|interface|type)"
# 2. API route changes
git diff --cached --name-only | grep -E "app/api/|pages/api/"
# 3. Server Action changes (security impact)
git diff --cached -- "*.ts" "*.tsx" | grep -E '^[+-].*("use server"|'"'"'use server'"'"')'
# 4. Environment variable changes
git diff --cached -- ".env*" 2>/dev/null | grep -E "^[+-][A-Z_]+" | head -10
For each exported symbol found (up to 5 symbols), check reference count:
# Replace SYMBOL_NAME with actual symbol
grep -rl "SYMBOL_NAME" --include="*.ts" --include="*.tsx" src/ 2>/dev/null | wc -l
If no impact scope items are detected, note "无显著影响范围变更" in the report.
Step 3: Semantic Review
For each file (P0 → P3 order), answer every applicable semantic question from references/review-rules.md §3 and §3b.
Execution method:
- Read the file's staged diff and surrounding context (use
Readtool for full file when needed). - For each semantic rule, answer the closed question with exactly one of:
- YES — issue found. MUST provide: file:line + evidence snippet.
- NO — reviewed, no issue found.
- N/A — rule does not apply to this file type or change.
- Only YES answers produce findings. Use the severity from §4.
BIZ 规则执行说明:
- 对 P1 文件,使用
git show HEAD:<path>获取变更前版本,与暂存版本对比进行 before/after 行为分析。 - BIZ findings 必须包含"变更前行为"、"变更后行为"和"影响场景"字段。
- 纯重构(逻辑等价变换)不应报为行为变更。
- 采样限制: P1 文件超过 10 个时,BIZ 规则仅分析前 5 个文件,并注明"剩余 N 个文件未进行 BIZ 分析(采样限制)"。
MANDATORY: Answer every question. Do not skip questions because context seems insufficient — answer N/A with a brief reason instead.
Step 4: Merge & Deduplicate
- Collect all findings from Steps 2 and 3.
- Generate a fingerprint for each finding:
{ruleId}:{file}:{line}. - Deduplicate by fingerprint — if the same fingerprint appears from both a deterministic and semantic rule, keep the one with higher severity.
- Group findings by severity: CRITICAL → HIGH → MEDIUM → LOW.
- Apply output budget limits from
references/report-template.md§3.
Step 5: Generate Report
Output the report using the exact structure from references/report-template.md §2.
- 审查范围: file counts and rule counts.
- 影响范围: impact scope analysis results.
- 业务影响分析: BIZ findings 的摘要表格(变更文件 / BIZ 规则 / 行为变更摘要)。若无 BIZ 发现,输出"未检测到用户可感知的业务行为变更"。
- 发现总览: severity summary table.
- 结论: auto-select from
references/review-rules.md§5 based on highest severity found. - 分级发现: findings in
references/report-template.md§1 format, grouped by severity. BIZ findings 按 severity 归入对应级别。 - 文件审查矩阵: per-file summary table.
Execution Constraints (MANDATORY)
These constraints are non-negotiable. Violating any constraint invalidates the review.
- No skipping: Every rule must be evaluated against every applicable file. Document N/A explicitly.
- No free-form analysis: Only report findings that match a defined rule ID. Do not invent new categories.
- Forced answers: Every semantic question must receive YES, NO, or N/A. Leaving a question unanswered is forbidden.
- Evidence lock: Every YES finding must cite a specific file:line and include a code snippet. Findings without evidence are invalid.
- Severity is immutable: Use the severity from the mapping table. Do not upgrade or downgrade based on subjective judgment.
- Conclusion is templated: The conclusion must be one of the four templates in review-rules.md §5. Do not write a custom conclusion.
- Fingerprint required: Every finding must include a fingerprint in
{ruleId}:{file}:{line}format.
Context Budget Strategy
When staged changes are large (>500 lines or >15 files):
- P0 files: Always read full content — security-critical.
- P1 files: Read full diff. If a single file diff >200 lines, focus on: function signatures, exported symbols, error handling blocks, and security-sensitive patterns.
- P2 files: Read diff only. Focus on SEC rules and BREAK-003/BREAK-004.
- P3 files: Scan diff headers only. Apply STR rules only.
- If total context would exceed capacity, process files strictly by priority and stop at capacity with a note: "剩余 N 个低优先级文件未审查".
REACT/ASYNC rule sampling limit: For rules that require Read tool for semantic verification (REACT-001, REACT-003, ASYNC-001, ASYNC-002), if grep returns more than 5 matches, take the first 5 matches only and note "N 处未验证(采样限制)". This prevents excessive Read tool calls.
Validator Interface Contract
This skill's output is consumed by staged-review-validator. The following fields are required for compatibility:
- Finding title must include
[ruleId]prefix (e.g.,[SEC-003] SQL 拼接风险) - Each finding must include a
指纹(Fingerprint) field - Severity uses 4 levels: CRITICAL / HIGH / MEDIUM / LOW
- Report structure follows
references/report-template.md§2 BIZ-*findings 使用 before/after 格式(含"变更前行为"、"变更后行为"、"影响场景"字段),详见references/report-template.md§1
References
references/review-rules.md— Rule definitions, file classification, severity mappingreferences/report-template.md— Finding format, report structure, output budgetreferences/language-patterns.md— Language-specific grep patterns by rule ID