Skip to content

Commit ca07a9b

Browse files
committed
Merge branch 'develop' v0.5.10
2 parents 58a32b7 + 9a7552e commit ca07a9b

81 files changed

Lines changed: 50113 additions & 76531 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.claude/skills/pr-review.md

Lines changed: 231 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,231 @@
1+
# PR / MR Review Skill
2+
3+
Use this skill when the user asks to **review a pull request or merge request**
4+
typically with a prompt like:
5+
6+
> `review <MR/PR URL>` (target develop branch)
7+
>
8+
> Is this a good PR?
9+
> Safe? No regressions?
10+
> Good UX?
11+
> No security issues?
12+
> Well documented?
13+
> Safe to merge?
14+
15+
This skill is for reviewing **someone else's** PR/MR at a URL. It is distinct
16+
from `.claude/skills/code-review.md`, which is the pre-commit self-review
17+
checklist applied to my own changes before returning them to the user.
18+
19+
## Ground Rules
20+
21+
1. **Never push, merge, approve, or comment on the PR** from this skill unless
22+
the user explicitly asks. Produce a written review for the user to act on.
23+
2. **Do not modify files** in the working copy as part of the review. Reviewing
24+
is read-only.
25+
3. Reference specific **files and line numbers** whenever citing an issue.
26+
4. If the PR targets a branch **other than `develop`**, call this out as the
27+
first finding. The expected target for this repo is `develop`.
28+
5. Keep findings factual and specific — quote the diff where useful.
29+
30+
## Step 1 — Detect the URL and fetch PR metadata
31+
32+
Identify the host from the URL.
33+
34+
### GitHub PR (`github.com/<owner>/<repo>/pull/<NN>`)
35+
36+
Prefer the `gh` CLI via Bash:
37+
38+
```bash
39+
gh pr view <NN> --repo <owner>/<repo> --json \
40+
title,body,author,state,mergeable,mergeStateStatus,baseRefName,headRefName,\
41+
additions,deletions,changedFiles,files,statusCheckRollup,reviews,comments,url
42+
43+
gh pr diff <NN> --repo <owner>/<repo>
44+
gh pr checks <NN> --repo <owner>/<repo>
45+
```
46+
47+
If a GitHub MCP server is configured, `pull_request_read` methods
48+
(`get`, `get_diff`, `get_files`, `get_status`, `get_reviews`,
49+
`get_comments`, `get_review_comments`) are equivalent.
50+
51+
### GitLab MR (`gitlab.aws.dev/<group>/<project>/-/merge_requests/<NN>`)
52+
53+
Use the `glab` CLI:
54+
55+
```bash
56+
glab mr view <NN> --repo <group>/<project>
57+
glab mr diff <NN> --repo <group>/<project>
58+
glab mr note list <NN> --repo <group>/<project>
59+
glab ci status --repo <group>/<project>
60+
```
61+
62+
Fallback — `curl` against the GitLab API:
63+
64+
```bash
65+
PROJECT=$(python3 -c "import urllib.parse,sys;print(urllib.parse.quote_plus(sys.argv[1]))" \
66+
"<group>/<project>")
67+
TOKEN="${GITLAB_TOKEN:-$(yq -r .token ~/.config/glab-cli/config.yml 2>/dev/null)}"
68+
curl -sH "PRIVATE-TOKEN: $TOKEN" \
69+
"https://gitlab.aws.dev/api/v4/projects/$PROJECT/merge_requests/<NN>"
70+
curl -sH "PRIVATE-TOKEN: $TOKEN" \
71+
"https://gitlab.aws.dev/api/v4/projects/$PROJECT/merge_requests/<NN>/changes"
72+
```
73+
74+
### Collect at minimum
75+
76+
- PR/MR title, description, author
77+
- Source branch → target branch (confirm target is `develop`)
78+
- CI / pipeline status
79+
- List of changed files with insertions / deletions
80+
- The full diff
81+
- Existing reviews and comments
82+
- Linked issues, if any
83+
84+
For larger PRs (> ~500 lines changed or touching unfamiliar modules), read key
85+
changed files in full — not just the diff — using the `Read` tool on paths at
86+
the head ref so surrounding context is captured.
87+
88+
## Step 2 — Evaluate the six review questions
89+
90+
Work through each question. Reuse project coding-standards knowledge from the
91+
other skill files (`backend-lambda.md`, `frontend-ui.md`, `infrastructure.md`,
92+
`documentation.md`, `testing-qa.md`, `code-review.md`).
93+
94+
### 1. Is this a good PR?
95+
- Scope is focused (single feature / fix / refactor; not a grab-bag)
96+
- Title is descriptive and follows convention (e.g. `feat:`, `fix:`, `docs:`)
97+
- Description explains **what** and **why**, and links to an issue when applicable
98+
- Targets `develop` (flag otherwise)
99+
- CI is green (or failures are understood)
100+
- Size is reviewable — very large PRs should be called out
101+
102+
### 2. Safe? No regressions?
103+
- New/changed logic has **unit tests**; assertions are meaningful
104+
- Existing tests are not deleted or weakened without justification
105+
- Backward compatibility maintained for shared interfaces:
106+
- `Document` model and its serialization
107+
- Config schemas under `config_library/`
108+
- GraphQL schema and generated types in `src/ui/src/graphql/generated/`
109+
- Lambda handler event/response contracts
110+
- No obvious race conditions, unbounded loops, or missing pagination
111+
- Error handling uses explicit exceptions (no bare `except:`), with `exc_info=True`
112+
- No removal of observability (X-Ray `patch_all`, structured logging)
113+
114+
### 3. Good UX?
115+
- **Frontend** (`src/ui/`):
116+
- Cloudscape Design System components (not MUI / AntD / Bootstrap)
117+
- Loading, empty, and error states handled
118+
- Arrow-function components; hooks in kebab-case files
119+
- `ConsoleLogger` used, no stray `console.log`
120+
- Accessibility: labels on inputs, keyboard nav, focus management
121+
- `DOMPurify` used for any `dangerouslySetInnerHTML`
122+
- Responsive behavior reasonable
123+
- **Backend / API**:
124+
- Actionable error messages; failures surface to the UI (e.g. status on `Document`)
125+
- Progress / status updated at meaningful checkpoints
126+
- Sensible defaults; new required config has migration guidance
127+
128+
### 4. No security issues?
129+
- No hardcoded credentials, API keys, or tokens
130+
- No full JWTs logged in plaintext (Talos finding #10)
131+
- No hardcoded `arn:aws:` partitions — must use `${AWS::Partition}`
132+
(validated by `make check-arn-partitions`)
133+
- No hardcoded `amazonaws.com` — must use `${AWS::URLSuffix}`
134+
- IAM policies scoped — no `Resource: "*"` or wildcard S3 ARNs without
135+
written justification
136+
- `PermissionsBoundary` conditional present on new IAM roles
137+
- New Lambdas have a dedicated `AWS::Logs::LogGroup` with KMS encryption
138+
- Input validation on new API surfaces; DOMPurify on HTML render paths
139+
- New Python/npm dependencies are pinned and from trusted sources
140+
- `cfn-nag` / `checkov` suppressions include `reason:` metadata
141+
- No new public S3 buckets, public SNS topics, or open security groups
142+
143+
### 5. Well documented?
144+
- User-facing changes update `CHANGELOG.md`
145+
- Feature docs added/updated under `docs/` with:
146+
- YAML frontmatter (`title:` required)
147+
- License header after frontmatter
148+
- Cross-references to related docs added where helpful
149+
- Public functions/classes have docstrings
150+
- Complex logic has inline comments explaining *why*
151+
- If GraphQL schema changed, `make codegen` has been run and generated files
152+
are included in the PR (or a note explains why not)
153+
154+
### 6. Safe to merge?
155+
- Targets `develop`
156+
- CI / pipeline green ✅
157+
- No unresolved review comments on the latest commit
158+
- No merge conflicts
159+
- `VERSION` / version bump done if required by change scope
160+
- No leftover `TODO` / `FIXME` / debug prints / commented-out code blocks
161+
- Migration notes provided for any breaking change
162+
163+
## Step 3 — Produce the review
164+
165+
Output the review in this exact structure so the user can paste it or act on it:
166+
167+
```markdown
168+
## PR/MR Review: <title> (#<NN>)
169+
**Repo:** <owner/repo>
170+
**Author:** @<author>
171+
**Source → Target:** `<source>``<target>` <!-- ⚠️ if not develop -->
172+
**CI status:** ✅ passing | ❌ failing | ⏳ pending
173+
**Size:** +<insertions> / -<deletions> across <N> files
174+
175+
### Summary
176+
<1–3 sentence plain-English description of what this PR does.>
177+
178+
### Verdict
179+
180+
| Question | Verdict | Notes |
181+
|---|---|---|
182+
| Good PR? | ✅ / ⚠️ / ❌ ||
183+
| Safe / no regressions? |||
184+
| Good UX? | … / N/A ||
185+
| No security issues? |||
186+
| Well documented? |||
187+
| **Safe to merge?** | ✅ Approve / ⚠️ Request changes / ❌ Block ||
188+
189+
### Findings
190+
- 🔴 **Blocking** — <file>:<line> — description + suggested fix
191+
- 🟡 **Should fix** — <file>:<line> — description
192+
- 🟢 **Nice to have** — <file>:<line> — description
193+
194+
### Recommendation
195+
**Approve** / **Request changes** / **Comment**
196+
197+
<one-paragraph rationale>
198+
```
199+
200+
Legend:
201+
- ✅ pass / 🟢 nit — non-blocking
202+
- ⚠️ / 🟡 — should fix before merge
203+
- ❌ / 🔴 — blocking; must fix before merge
204+
205+
## Step 4 — After delivering the review
206+
207+
- Do **not** post the review as a PR/MR comment unless the user explicitly
208+
said "post this as a review comment" or similar.
209+
- If the user asks follow-up questions, re-use the already-fetched diff /
210+
metadata rather than re-fetching.
211+
- If the user asks you to implement the requested changes, switch context:
212+
treat it as a new implementation task following the relevant skill files.
213+
214+
## Quick Reference — Common Red Flags
215+
216+
Flag these immediately when seen in any diff:
217+
218+
- `arn:aws:` literal in a CloudFormation / SAM template
219+
- `amazonaws.com` literal (should be `${AWS::URLSuffix}`)
220+
- `Resource: "*"` in a new IAM policy statement
221+
- `Principal: "*"` in a new resource policy
222+
- `console.log(` in production UI code
223+
- `print(` used for logging in Lambda code
224+
- New Lambda without dedicated LogGroup + KMS
225+
- New IAM role without a `PermissionsBoundary` conditional
226+
- Secrets / access keys / JWTs in code, logs, or tests
227+
- Deleted tests without a replacement
228+
- Schema change in `src/ui/src/graphql/schema.graphql` without regenerated
229+
files under `src/ui/src/graphql/generated/`
230+
- `Document` model field removed or renamed without a migration path
231+
- Wildcards in S3 bucket/object ARNs without `reason:` metadata

0 commit comments

Comments
 (0)