From draft
Orchestrates multi-file code reviews at track level against spec.md or project level with uncommitted changes, file patterns, commit ranges. Runs automated validation, spec compliance, code quality stages; optional bughunt integration.
Install: `npx claudepluginhub mayurpise/draft --plugin draft`
You are conducting a code review using Draft's Context-Driven Development methodology.
Read before you review. Evidence over opinion.
This command orchestrates code review workflows at two levels:
- Track level: review a track's completed work against its spec.md
- Project level: review uncommitted changes, a file pattern, or a commit range
Optionally integrates /draft:bughunt for finding logic errors and writing regression tests.
Note: Automated static validation (OWASP secrets, dead code, dependency cycles, N+1 patterns) is natively built into Phase 1 of this review.
Extract and validate command arguments from user input.
Scope specifiers (mutually exclusive):
- track <id|name> - Review specific track (exact ID or fuzzy name match)
- project - Review uncommitted changes (git diff HEAD)
- files <pattern> - Review specific file pattern (e.g., src/**/*.ts)
- commits <range> - Review commit range (e.g., main...HEAD, abc123..def456)
Quality integration modifiers:
- with-bughunt - Include /draft:bughunt results
- full - Include bughunt results (enables with-bughunt)
Validation:
- Only one of track, project, files, commits may be given.
- If full is present, enable with-bughunt, discarding redundant individual modifiers. No error: silently normalize.
If no arguments provided:
- Look for a [~] In Progress track in draft/tracks.md
- If there is no [~] track, find the first [ ] Pending track
- Display "Auto-detected track: <id> - <name> [<status>]" and proceed
- If no track is found, report that no tracks exist and suggest /draft:new-track to create one.
Based on parsed arguments, determine review scope and load appropriate context.
Trigger: track <id|name> argument OR auto-detected track
Check if argument is exact directory match:
ls draft/tracks/<arg>/ 2>/dev/null
If exists → use this track
Parse tracks.md for fuzzy matching:
- Read draft/tracks.md; track entries are separated by --- separators
- Each entry carries a directory link (./tracks/<id>/) and a heading (### <id> - <name>)
- Match the input against each track's ID and name
Handle matches:
- Exactly one match: use that track
- Multiple matches: prompt the user to choose:
  Multiple tracks match '<input>':
  1. <id> - <name> [<status>]
  2. <id> - <name> [<status>]
  Select track (1-N):
  Validate selection is within 1-N range. Re-prompt on invalid input.
- No match: report the track as not found and show the closest matches by edit distance
Once track is resolved:
Verify track directory exists:
ls draft/tracks/<id>/ 2>/dev/null
Read spec.md:
draft/tracks/<id>/spec.md
Read plan.md:
draft/tracks/<id>/plan.md
Extract commit SHAs from [x] task lines only. Match pattern: 7+ character hex strings in parentheses, regex \(([a-f0-9]{7,})\). Example: - [x] **Task 1.1:** Description (7a7dc85). Collect SHAs in order of appearance; deduplicate keeping first occurrence. <last_SHA> is the last SHA collected.
Determine the commit range:
- Run git rev-parse <first_SHA>^ 2>/dev/null
- If it succeeds: use <first_SHA>^..<last_SHA> as the range
- If it fails (git rev-parse fails because <first_SHA> has no parent): use the empty tree SHA 4b825dc642cb6eb9a060e54bf8d69288fbee4904 as the range start, i.e., 4b825dc642cb6eb9a060e54bf8d69288fbee4904..<last_SHA>. Alternatively, for single-commit ranges, use git diff-tree --root -p <first_SHA> to obtain the diff.
Check for incomplete work:
- Count [ ], [~], [x], [!] tasks in plan.md
- If [ ] or [~] tasks exist: Display warning and proceed:
Warning: Track has N incomplete tasks (M in-progress, K pending). Reviewing completed work only.
Handle missing files:
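As an added example (not the draft plugin's own code), the SHA extraction and range derivation described above in Python; the git call is isolated behind a parameter so the range logic can be exercised without a repository, and SAMPLE_PLAN is a constructed plan.md fragment:

```python
"""Added example (not the draft plugin's own code): derive the review commit
range from plan.md as described above. SAMPLE_PLAN is a constructed fragment."""
import re
import subprocess

SHA_IN_PARENS = re.compile(r"\(([a-f0-9]{7,})\)")
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # git's empty tree

def extract_commit_shas(plan_text: str) -> list[str]:
    """SHAs from completed '[x]' task lines only, in order of appearance,
    deduplicated keeping the first occurrence."""
    shas: list[str] = []
    for line in plan_text.splitlines():
        if not line.lstrip().startswith("- [x]"):
            continue
        for sha in SHA_IN_PARENS.findall(line):
            if sha not in shas:
                shas.append(sha)
    return shas

def has_parent(sha: str) -> bool:
    """True when `git rev-parse <sha>^` succeeds, i.e. the commit is not a root."""
    proc = subprocess.run(["git", "rev-parse", f"{sha}^"], capture_output=True)
    return proc.returncode == 0

def review_range(shas: list[str], parent_check=has_parent) -> str:
    """'<first>^..<last>'; if the first completed commit is a root commit,
    the empty-tree SHA becomes the range start instead."""
    if not shas:
        raise ValueError("No commit SHAs in plan.md")
    first, last = shas[0], shas[-1]
    start = f"{first}^" if parent_check(first) else EMPTY_TREE
    return f"{start}..{last}"

SAMPLE_PLAN = """\
- [x] **Task 1.1:** Scaffold project (7a7dc85)
- [x] **Task 1.2:** Add user model (b3e9f01), fixup (7a7dc85)
- [~] **Task 2.1:** Wire endpoints (c0ffee123)
- [ ] **Task 2.2:** Write docs
"""

if __name__ == "__main__":
    shas = extract_commit_shas(SAMPLE_PLAN)
    # parent_check stubbed so the demo runs outside a git repository
    print(shas, "->", review_range(shas, parent_check=lambda _: True))
```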
Trigger: project, files <pattern>, or commits <range> argument
project argument:
- Diff: git diff HEAD
files <pattern> argument:
- Diff: git diff HEAD -- <pattern>
- Verify the pattern matches at least one tracked file: git ls-files <pattern> | head -1
- If empty: Error "No files match pattern ''"
commits <range> argument:
- Validate: git rev-parse <range> 2>/dev/null
- If fails: Error "Invalid commit range ''"
- Diff: git diff <range>
For project-level reviews (no track context):
Load Draft context (if available):
Read and follow the base procedure in core/shared/draft-context-loading.md.
Note limitations:
Generate diff output using smart chunking to avoid context overflow.
Run shortstat to check diff size:
git diff --shortstat <range>
Parse output robustly — handle both singular (1 file changed) and plural (N files changed) forms. Extract numeric values for files, insertions, and deletions. Use total lines changed (insertions + deletions) for the chunking threshold.
Small/Medium changes (<300 lines changed):
git diff <range>
Large changes (≥300 lines changed):
git diff --name-only <range>
Then, for each file, display [N/M] Reviewing <filename> and run git diff <range> -- <file>
Skip non-source files to focus review:
- Lockfiles and minified assets: *.lock, package-lock.json, yarn.lock, *.min.js, *.min.css, *.map
- Build output: dist/, build/, target/, out/, __pycache__/, *.pyc
- Vendored and VCS directories: node_modules/, vendor/, .git/
- Files carrying an @generated marker (case-insensitive, any comment syntax: /* @generated */, // @generated, # @generated)
Apply a three-stage review process (merging static validation and semantic review).
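An added example, not from the plugin, of the shortstat parsing, the 300-line chunking decision and the skip list described above; the shortstat line and file names in it are constructed:

```python
"""Added example (not the draft plugin's own code): parse `git diff --shortstat`
output, choose the chunking strategy and apply the non-source skip list above."""
import re
from fnmatch import fnmatch
from pathlib import PurePosixPath

CHUNK_THRESHOLD = 300  # total lines changed (insertions + deletions)
SKIP_GLOBS = ("*.lock", "package-lock.json", "yarn.lock",
              "*.min.js", "*.min.css", "*.map", "*.pyc")
SKIP_DIRS = {"dist", "build", "target", "out", "__pycache__",
             "node_modules", "vendor", ".git"}
GENERATED = re.compile(r"@generated", re.IGNORECASE)  # any comment syntax

def parse_shortstat(text: str) -> dict[str, int]:
    """Handles '1 file changed' and 'N files changed'; a missing insertions
    or deletions clause (pure adds or pure deletes) counts as 0."""
    stats = {"files": 0, "insertions": 0, "deletions": 0}
    for count, key in re.findall(r"(\d+) (file|insertion|deletion)", text):
        stats[key + "s"] = int(count)
    return stats

def diff_strategy(shortstat: str) -> str:
    """'single' (git diff <range>) below 300 lines changed, else 'per-file'."""
    s = parse_shortstat(shortstat)
    changed = s["insertions"] + s["deletions"]
    return "per-file" if changed >= CHUNK_THRESHOLD else "single"

def is_reviewable(path: str, head: str = "") -> bool:
    """False for lockfiles, minified assets, build output, vendored/VCS dirs
    and files whose leading lines (`head`) carry an @generated marker."""
    p = PurePosixPath(path)
    if SKIP_DIRS.intersection(p.parts[:-1]):
        return False
    if any(fnmatch(p.name, g) for g in SKIP_GLOBS):
        return False
    return GENERATED.search(head) is None

if __name__ == "__main__":
    # constructed shortstat line and file names
    print(diff_strategy(" 4 files changed, 210 insertions(+), 95 deletions(-)"))
    for f in ("src/app.ts", "dist/app.js", "yarn.lock", "src/api.gen.ts"):
        head = "/* @GENERATED by protoc */" if f.endswith(".gen.ts") else ""
        print(f, is_reviewable(f, head))
```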
Goal: Detect structural, security, and performance issues using fast, objective searches across the diff.
For the files changed in the diff, perform static checks using grep or similar tools:
Architecture Conformance: Search for pattern violations documented in draft/.ai-context.md. (e.g. import * from 'database' in a React component).
Dead Code: Check for newly exported functions/classes in the diff that have 0 references across the codebase.
Dependency Cycles: Trace the import chains for new imports to ensure no circular dependencies (e.g., A → B → C → A) are introduced.
Graph Boundary Check (if draft/graph/module-graph.jsonl exists):
- Check that new imports respect the module boundaries recorded as module-graph.jsonl edges
Security Scan (OWASP): Scan the diff for:
- Hardcoded secrets
- XSS sinks (innerHTML or raw DOM insertion)
Performance Anti-patterns: Scan the diff for:
- N+1 query patterns
Context-Specific Checks: Identify the primary domain of changed files and apply domain-specific checks:
- Security-sensitive files (auth, crypto, security, token, password, hash, encrypt):
  - Timing-unsafe comparison (== for secret comparison)
  - Weak randomness (Math.random() for security)
- Data-layer files (migration, schema, model, entity, repository):
- API files (controller, handler, route, endpoint, resolver):
- Configuration files (config, env, settings):
- UI files (component, view, page, template):
  - XSS sinks (innerHTML, dangerouslySetInnerHTML, v-html)
Breaking Change Detection: Check for public API changes in the diff:
Threat Model (STRIDE): For new endpoints or data mutations, check:
Verdict:
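As an added illustration (not the plugin's code) of the Stage 1 security scan, a small scanner that applies the checks named above (== on secret-like values, Math.random() in security code, raw DOM insertion sinks, hardcoded secrets) to the added lines of a unified diff only; the rule names and SAMPLE_DIFF are constructed:

```python
"""Added example (not the draft plugin's own code): minimal Stage 1 security
scan over the added lines of a unified diff; rules and SAMPLE_DIFF are constructed."""
import re

SECRET = r"(?:secret|token|password|hash|key)"
RULES = [
    # '==' on a secret-like identifier is not constant-time
    ("timing-unsafe-compare", re.compile(r"\b\w*" + SECRET + r"\w*\s*[!=]==?", re.I)),
    ("insecure-random", re.compile(r"Math\.random\(\)")),  # not a CSPRNG
    # raw DOM insertion sinks named in the Context-Specific Checks above
    ("raw-dom-insertion", re.compile(r"innerHTML|dangerouslySetInnerHTML|v-html")),
    # secret-like identifier assigned a long quoted literal
    ("hardcoded-secret", re.compile(SECRET + r"""\w*\s*[:=]\s*['"][^'"]{8,}['"]""", re.I)),
]
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def scan_diff(diff_text: str) -> list[tuple[str, int, str]]:
    """(file, line in new file, rule) for each added line matching a rule."""
    findings, path, line_no = [], "?", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if (m := HUNK.match(raw)):
            line_no = int(m.group(1))
            continue
        if raw.startswith(("-", "\\")):  # removed line / "\ No newline" marker
            continue
        if raw.startswith("+"):          # only added lines are flagged
            for name, pattern in RULES:
                if pattern.search(raw[1:]):
                    findings.append((path, line_no, name))
        line_no += 1  # context and added lines advance the new-file counter
    return findings

SAMPLE_DIFF = """\
--- a/src/auth/session.js
+++ b/src/auth/session.js
@@ -10,2 +10,3 @@ function verify(req) {
   const stored = load(req.user);
-  return check(req.token, stored);
+  if (req.token == stored) return true;
+  req.nonce = Math.random();
--- a/src/ui/profile.jsx
+++ b/src/ui/profile.jsx
@@ -3,2 +3,2 @@
 export function Bio({ html }) {
-  return <p>{html}</p>;
+  return <p dangerouslySetInnerHTML={{ __html: html }} />;
"""
```

Each finding is reported as file, line and rule, which maps directly onto the [File:line] issue format used in the report.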
After completing Stage 1, recommend appropriate static analysis tools based on the project's tech-stack.md. Check if these tools are already configured in CI; if not, recommend adding them.
| Language | Recommended Tools |
|---|---|
| JavaScript/TypeScript | ESLint with eslint-plugin-security, Semgrep |
| Python | Bandit, Semgrep, pylint |
| Java | Error Prone, SpotBugs, Semgrep |
| Go | gosec, staticcheck |
| Rust | cargo clippy, cargo audit |
| C/C++ | Clang Static Analyzer, cppcheck |
| Multi-language | Semgrep (https://semgrep.dev/), CodeQL (https://codeql.github.com/) |
References: Meta Infer for CI integration patterns, Google Error Prone for compile-time analysis.
Include tool recommendations in the review report under Stage 1 as a "Recommended Tooling" subsection. Only recommend tools relevant to the languages detected in the diff.
Skip for project-level reviews (no spec exists)
Load spec.md acceptance criteria and verify implementation:
For each functional requirement in spec.md:
For each criterion in spec.md:
Verdict:
Run for both track-level (if Stage 2 passes) and project-level reviews
Analyze semantic code quality across four dimensions:
- Where .ai-context.md exists, check the changes against its ## Critical Invariants section
- For each flagged function, report: file path, function name, estimated complexity, and recommended action (split, extract, simplify)
If Stage 3 produces zero findings across all four dimensions, do NOT accept "clean" without one more look. Ask these 7 questions explicitly:
- Does the change violate any pattern recorded in guardrails.md?
- Does the change break any invariant or architecture rule documented in .ai-context.md?
If still zero after this pass, document it explicitly in the review report:
"Adversarial pass completed. Zero findings confirmed: [one sentence per question explaining why each is clean]"
This prevents lazy LGTM verdicts. It only adds work when a reviewer claims "nothing to find."
Classify all findings by severity:
| Severity | Definition | Action |
|---|---|---|
| Critical | Blocks release, breaks functionality, security issue | Must fix before proceeding |
| Important | Degrades quality, technical debt | Should fix before phase complete |
| Minor | Style, optimization, nice-to-have | Note for later, don't block |
Scope-specific behavior:
- Track-level: cross-check findings against the spec.md acceptance criteria loaded in Step 2.
- Project-level: no spec is loaded; classify findings on code quality alone.
Issue format:
- [ ] [File:line] Description of issue
  - **Impact:** [what breaks/degrades]
  - **Suggested fix:** [how to address]
If with-bughunt or full modifier is set, integrate bug hunting.
Track-level:
/draft:bughunt --track <id>
Project-level:
/draft:bughunt
Parse output from draft/tracks/<id>/bughunt-report-latest.md or draft/bughunt-report-latest.md
Merge findings from:
Deduplication:
Create unified review report in markdown format.
MANDATORY: Include YAML frontmatter with git metadata. Follow the procedure in core/shared/git-report-metadata.md to gather git info, generate frontmatter, and include the report header table. Use generated_by: "draft:review".
Path: draft/tracks/<id>/review-report-<timestamp>.md (where <timestamp> is generated via date +%Y-%m-%dT%H%M, e.g., 2026-03-15T1430)
After writing the timestamped report, create a symlink pointing to it:
ln -sf review-report-<timestamp>.md draft/tracks/<id>/review-report-latest.md
[YAML frontmatter — see core/shared/git-report-metadata.md, use track_id: "<id>"]
# Review Report: <Track Title>
[Report header table — see core/shared/git-report-metadata.md]
**Track ID:** <id>
**Reviewer:** [Current model name and context window from runtime]
**Commit Range:** <first_SHA>^..<last_SHA>
**Diff Stats:** N files changed, M insertions(+), K deletions(-)
---
## Stage 1: Automated Validation
**Status:** PASS / FAIL
- **Architecture Conformance:** PASS/FAIL
- **Dead Code:** N found
- **Dependency Cycles:** PASS/FAIL
- **Security Scan:** N issues found
- **Performance:** N anti-patterns detected
[If FAIL: List critical structural issues and stop here]
---
## Stage 2: Spec Compliance
**Status:** PASS / FAIL
### Requirements Coverage
- [x] Requirement 1 - Implemented in <file:line>
- [x] Requirement 2 - Implemented in <file:line>
- [ ] Requirement 3 - **MISSING**
### Acceptance Criteria
- [x] Criterion 1 - Verified in <file:line>
- [x] Criterion 2 - Verified in <file:line>
- [ ] Criterion 3 - **NOT MET**
[If FAIL: List gaps and stop here]
---
## Stage 3: Code Quality
**Status:** PASS / PASS WITH NOTES / FAIL
### Critical Issues
[None / List with file:line]
### Important Issues
[None / List with file:line]
### Minor Notes
[None / List items]
---
[If with-bughunt or full]
## Integrations
### Bug Hunt Results
- **Critical:** N found
- **Important:** N found
- **Minor:** N found
- Full report: `./bughunt-report-latest.md`
---
## Summary
**Total Semantic Issues:** N
- Critical: N
- Important: N
- Minor: N
**Verdict:** PASS / PASS WITH NOTES / FAIL
**Required Actions:**
1. [Action item if any]
2. [Action item if any]
---
## Recommendations
[If incomplete tasks found]
⚠️ **Warning:** This track has N incomplete tasks. Consider completing all tasks before marking track as done.
[If no critical issues]
✅ **No blocking issues found.** This track is ready to merge.
[If critical issues found]
❌ **Critical issues must be resolved before proceeding.**
Path: draft/review-report-<timestamp>.md (where <timestamp> is generated via date +%Y-%m-%dT%H%M, e.g., 2026-03-15T1430)
After writing the timestamped report, create a symlink pointing to it:
ln -sf review-report-<timestamp>.md draft/review-report-latest.md
Similar format but:
Similar format but:
- project: "Scope: Uncommitted changes"
- files <pattern>: "Scope: Files matching ''"
- commits <range>: "Scope: Commits "
Report history:
- If a -latest.md symlink already exists, read its target to determine the previous report's timestamp
- Previous timestamped reports are preserved. The -latest.md symlink always points to the most recent report.
For track-level reviews, update metadata.json with review status.
Condition: Always update metadata after generating the review report, regardless of verdict. This ensures review history is tracked for all outcomes (PASS, PASS_WITH_NOTES, or FAIL).
Load draft/tracks/<id>/metadata.json
{
"id": "<track_id>",
...
"lastReviewed": "<ISO timestamp>",
"reviewCount": N,
"lastReviewVerdict": "PASS" | "PASS_WITH_NOTES" | "FAIL"
}
Increment reviewCount on each review.
Save updated metadata.json
Display summary to user with actionable next steps.
✅ Review complete: <track_id>
Report: draft/tracks/<id>/review-report-<timestamp>.md (symlink: review-report-latest.md)
Summary:
- Stage 1 (Automated Validation): PASS
- Stage 2 (Spec Compliance): PASS
- Stage 3 (Code Quality): PASS WITH NOTES
- Total semantic issues: 12 (0 Critical, 3 Important, 9 Minor)
[If full]
Additional Checks:
- Bug Hunt: 5 medium-severity findings
Verdict: PASS WITH NOTES
Recommended actions:
1. Fix 3 Important issues (see report)
2. Review 9 Minor notes for future improvements
Next: Address findings and run /draft:review again, or mark track complete.
❌ Review failed: <track_id>
Report: draft/tracks/<id>/review-report-<timestamp>.md (symlink: review-report-latest.md)
Stage 1 (Automated Validation): PASS
Stage 2 (Spec Compliance): FAIL
- 3 requirements not implemented
- 2 acceptance criteria not met
Stage 3: SKIPPED (Stage 2 must pass first)
Verdict: FAIL
Required actions:
1. Implement missing requirements (see report)
2. Meet all acceptance criteria
3. Run /draft:implement to resume work
Next: Fix gaps and run /draft:review again.
| Condition | Message |
|---|---|
| No draft/ directory | "Draft not initialized. Run /draft:init." |
| No tracks in draft/tracks.md | "No tracks found. Run /draft:new-track." |
| Track not found | Show closest matches by edit distance, suggest /draft:status |
| Multiple track matches | Display numbered list, prompt selection |
| Invalid git range | Show git error, suggest verifying with git log |
| No commit SHAs in plan.md | Suggest manual range or /draft:review project |
| Don't | Instead |
|---|---|
| Skip Stage 1 (Automated Validation) | Always run automated checks first |
| Skip Stage 2 (Spec Compliance) | Always verify spec compliance before quality checks |
| Run Stage 3 when Stage 2 fails | Fix spec gaps before quality checks |
| Ignore incomplete tasks | Warn user, suggest completing work first |
| Auto-fix issues found | Report only, let developer decide |
| Batch multiple tracks | Review one track at a time |
After generating the review report, execute the pattern learning phase from core/shared/pattern-learning.md to update draft/guardrails.md with patterns discovered during this review.
/draft:review
/draft:review track add-user-auth
/draft:review track "user authentication"
/draft:review track add-user-auth full
/draft:review project
/draft:review files "src/**/*.ts"
/draft:review commits main...feature-branch
/draft:review track my-feature with-bughunt
Optionally run /draft:coverage and include its results in the review report.
After review completion, based on findings:
If significant code quality findings:
"Review complete. Consider:
→ /draft:tech-debt — Catalog and prioritize the technical debt found"
If new public APIs lack documentation:
"→ /draft:documentation api — Document new API endpoints"
If undocumented design decisions discovered:
"→ /draft:adr — Record architectural decisions found during review"
If Jira ticket linked, sync via core/shared/jira-sync.md:
- Link review-report-latest.md to the ticket