When is pactkit-review invoked?

It runs during PR check phase (Check Phase 4) when /project-check is provided, and during Sprint Stage B automated QA.

What do severity levels mean?

P0 is Critical and must block merge; P1 should be fixed before merge; P2 may be fixed in PR or follow-up; P3 is optional improvement.

What does the protocol analyze?

It fetches PR metadata and diff, extracts STORY-ID if present, then applies SOLID, Security, and Quality checklists and reports results in a standardized format.

pactkit-review

npx machina-cli add skill pactkit/claude-code-plugin/pactkit-review --openclaw

Files (1)

SKILL.md

1.3 KB

PactKit Review

Structured PR code review with severity-ranked findings.

When Invoked

Check Phase 4 (PR variant): When /project-check is given a PR number/URL.
Sprint Stage B: As part of automated QA in Sprint orchestration.

Severity Levels

Level	Name	Action
P0	Critical	Must block merge
P1	High	Should fix before merge
P2	Medium	Fix in PR or follow-up
P3	Low	Optional improvement

Protocol

1. PR Information

Fetch PR metadata: gh pr view $ARG --json title,body,author,baseRefName,headRefName,files
Fetch PR diff: gh pr diff $ARG
Extract STORY-ID from title/body if present.

2. Review Checklists

SOLID: SRP, OCP, LSP, ISP, DIP analysis on changed files.
Security: OWASP baseline (injection, auth, secrets, XSS, SSRF).
Quality: Error handling, performance, boundary conditions, logic correctness.

3. Report

## Code Review: PR $ARG
**Result**: APPROVE / REQUEST_CHANGES
### Issues
- [P0] [file:line] Description
- [P1] [file:line] Description
### Spec Alignment
- [x] R1: Implemented
- [ ] R2: Missing

CONSTRAINT: This skill is read-only. Do not modify code files.

Source

git clone https://github.com/pactkit/claude-code-plugin/blob/main/pactkit-plugin/skills/pactkit-review/SKILL.mdView on GitHub

Overview

PACTKit Review provides a structured PR code review using severity-ranked findings across SOLID design principles, security, and quality. It helps teams catch architectural flaws and vulnerabilities early before merging.

How This Skill Works

It fetches PR metadata and diff via gh pr commands, and extracts STORY-ID when present. It then runs SOLID, Security, and Quality checklists on changed files, assigns severity levels (P0-P3), and compiles a standardized report indicating approval status.

When to Use It

Triggered during PR checks (Check Phase 4) when /project-check is used with a PR number or URL.
Used in Sprint Stage B as part of automated QA in sprint orchestration.
Generates severity-ranked findings (P0–P3) to decide if a merge should be blocked or awaited.
Applies SOLID analysis (SRP, OCP, LSP, ISP, DIP) on changed files.
Runs OWASP-based security checks for common vulnerabilities (injection, auth, secrets, XSS, SSRF).

Quick Start

Step 1: Invoke pactkit-review on the PR (gh pr view/diff to gather data).
Step 2: Run the SOLID, Security, and Quality checklists on changed files.
Step 3: Review the generated report and set status to APPROVE or REQUEST_CHANGES.

Best Practices

Anchor findings to severity levels: P0 blocks merge, P1 requires fix before merge.
Apply SOLID checks (SRP, OCP, LSP, ISP, DIP) on touched components.
Cross-check for OWASP security risks and sensitive data exposure.
Verify error handling, performance implications, and boundary conditions.
Treat the report as read-only guidance and provide actionable next steps in PR comments.

Example Use Cases

A PR introduces a critical null pointer path; P0 blocks merge until fixed.
Security-sensitive input handling flagged for XSS risk; remediation prioritized (P1).
Refactor triggers DIP improvement opportunities; suggested optimizations (P3).
Auth flow change reviewed; potential logic flaw flagged for fixes (P2).
Performance regression detected in a loop; optimization recommended (P2/P3).

Frequently Asked Questions

Add this skill to your agents