review-policy-builder
Create and maintain the project-specific review policy consumed by
.
This skill is interview-first and evidence-grounded:
- derive what is already true from repo docs and ADRs
- mine high-confidence implementation conventions from the repository
- capture missing project/domain constraints from the user
- write structured policy artifacts in
<docs-dir>/review/policies/
- define review audit governance in for specialist attestation and completion rules
Read references/policy-contract.md before writing policy files. It is the canonical schema and includes onion/clean-architecture templates.
Phase 1 — Verify prerequisites and locate
- Read root .
- Discover from contract paths.
- Fallback: find and use its parent directory as .
- Confirm required files:
<docs-dir>/ENGINEERING.md
<docs-dir>/AGENTS_CONTEXT.md
- at least one
- Optional but strongly preferred:
<docs-dir>/CONTEXT-MAP.md
If required files are missing, fail fast with actionable remediation: run/fix
first.
Phase 2 — Load baseline truth before asking questions
Read these sources first, then summarize extracted constraints:
- for global workflow and non-negotiables
<docs-dir>/ENGINEERING.md
<docs-dir>/CONTEXT-MAP.md
- for architecture decisions and constraints
Extract candidate rules from those files into a working list tagged
or
.
Do not ask the user to restate anything already explicit in these files.
Phase 3 — Mine repository convention candidates (inheritance v1)
Before interviewing, mine code-level conventions that can become automatable review checks.
Scope (v1):
- inheritance conventions only (
check_type: inheritance_suffix
Mining workflow:
- Scan repository code (prioritize module-owned subtrees from /) for class declarations and inheritance/base-type relationships.
- Detect suffix-based inheritance candidates (for example extending , extending ).
- Build candidate evidence:
- class suffix
- expected base suffix
- sample count
- adoption ratio (
matching_samples / total_samples
- representative file+line evidence for matching and violating samples
- Candidate promotion defaults:
min_adoption_ratio = 0.85
- Classify candidates:
- : meets both thresholds
- : below threshold (show to user only when useful)
Scoping defaults:
- module-first by subtree ownership
- if the same candidate is confirmed across multiple modules, promote to a global rule
Never persist mined conventions automatically. They must be explicitly confirmed in the interview.
Phase 4 — Structured interview for missing policy
Run a focused interview to capture project-specific review checks not present in baseline docs. Use
and resolve one decision at a time.
Target gaps:
- architecture integrity rules (onion/clean/hexagonal)
- allowed dependency direction and forbidden layer crossings
- call-flow restrictions (for example controller -> application -> domain -> infrastructure)
- inherited code conventions discovered in Phase 3 (candidate confirmation, severity, exceptions)
- module exceptions (allowed boundary breaks and justification)
- transaction/data integrity rules
- security/business-risk hotspots that deserve stricter scrutiny
Rules for the interview:
- propose concrete options with recommended defaults
- for each promoted convention candidate, request explicit confirm/reject
- when confirmed, capture severity and explicit allowed exceptions
- capture explicit exceptions and evidence requirements
- resolve ambiguities immediately; do not leave vague prose
- when user input conflicts with ADRs, mark conflict as in output artifacts
Phase 5 — Write policy artifacts under <docs-dir>/review/policies/
Produce this contract:
- — cross-project rules and global constraints
- — one per module/context
- multi-context: derive from context rows in
- single-context: write one module file for the single context
- — index and routing map:
- module/context -> policy file
- primary subtree ownership
- policy version/updated metadata
- review audit contract for
Use the schema from
references/policy-contract.md
. Each rule must include required metadata fields:
- ( or )
- ()
- (
derived|user-specified|adr
- (optional)
Automation metadata (optional, recommended for deterministic checks):
- Add machine-usable metadata for confirmed inheritance conventions.
- For inheritance checks, set:
check_type: inheritance_suffix
apply_scope: changed-files
- selector and expectation fields defined by the policy contract
Convention rule scoping:
- default to module policy files ()
- promote to only when the same convention is confirmed across modules
- keep module-specific exceptions local unless explicitly approved as global
completion_mode: fail-closed
- required attestation fields:
- required specialist categories:
- module specialists always required
- cross-cut specialists required when routed by file semantics
- transparency mode:
Phase 6 — Update/merge behavior on reruns
If policy files already exist:
- merge/update in place; do not overwrite blindly
- preserve stable values for unchanged rules
- update metadata and content for modified rules
- mark obsolete rules as deprecated; do not silently delete history
- keep synchronized with current module list
Conflict handling:
- if a new/updated rule contradicts ADR constraints, mark it as and document the conflict in both impacted policy file and
Phase 7 — Integration contract for
This skill must produce artifacts that
can consume deterministically:
- policy location:
<docs-dir>/review/policies/
- expected files:
- each rule has machine-usable metadata fields (no prose-only rules)
- inheritance convention rules that should run automatically include
automation.check_type: inheritance_suffix
- includes a machine-readable section
- which modules have policy coverage
- which rules are global vs module-scoped
- which rules are automatable (, scope, and owning policy file)
- review audit contract values (, , required attestation fields, required specialist categories, transparency mode)
- any conflicts unresolved at authoring time
Phase 8 — Report back
Tell the user:
- which files were created/updated
- which rules were derived vs user-specified
- which mined convention candidates were confirmed, rejected, or deferred
- which review audit contract values were set in
- unresolved conflicts
- which modules still need policy refinement
- artifact hygiene outcome (what entries were added, or that no changes were applied)
At the end of every run, add an artifact-hygiene decision step before finishing:
- Explain that produces multiple generated artifacts under :
- (plan)
- (full scoped diffs)
review-result-*.specialists/
- (human-readable summary)
- (machine-readable manifest)
- Explain the tradeoff explicitly:
- keeping these files tracked preserves review/audit history
- ignoring some or all reduces repository noise
- Ask the user to choose one ignore strategy with :
yaml
questions:
- question: "Would you like me to update `.gitignore` for generated `agentic-review` artifacts?"
header: "Review Artifacts"
multiSelect: false
options:
- label: "Ignore all review artifacts (Recommended)"
description: "Add ignore patterns for plans, diff directories, specialist outputs, result summaries, and manifests."
- label: "Ignore diff files only"
description: "Ignore only `review-plan-*.diffs/` directories and keep other review artifacts tracked."
- label: "Keep review artifacts tracked"
description: "Do not modify `.gitignore`."
Apply deterministic mapping to root
:
Ignore all review artifacts (Recommended)
<docs-dir>/review/review-plan-*.md
<docs-dir>/review/review-plan-*.diffs/
<docs-dir>/review/review-result-*.specialists/
<docs-dir>/review/review-result-*.md
<docs-dir>/review/review-manifest-*.json
- :
<docs-dir>/review/review-plan-*.diffs/
Keep review artifacts tracked
Idempotency requirements:
- never add duplicate lines
- preserve existing content order except for appended new lines when needed
- if all required lines already exist for the chosen option, report instead of rewriting
Do not commit changes. The user reviews policy artifacts first.