From fable5-methodology
Reviews diffs and pull requests in structured passes (correctness, safety/security, design, style), reporting findings by severity.
How this skill is triggered — by the user, by Claude, or both
Slash command
/fable5-methodology:code-reviewThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Review in order of what costs most to get wrong. A style nit found while a correctness bug
Review in order of what costs most to get wrong. A style nit found while a correctness bug goes unnoticed is a review that failed. Do the passes in sequence — do not let a formatting distraction pull you off the correctness pass.
git diff <base>...HEAD, or the PR diff) — not just the latest
commit. Review the change as it will land.For each hunk ask:
< vs <=), null vs empty vs zero,
duplicates, malformed input. Walk the same edge list as verification-and-review against the
new code.Naming clarity, comment quality (why-not-what, no process narration), formatting consistency. Rule: never let Pass 4 findings crowd out or outnumber Pass 1–2 findings in the report. If the linter enforces it, don't hand-review it — say "linter covers formatting" and move on.
Rank by severity, most severe first. Each finding: file:line, what's wrong, why it matters
(the failure it causes), and a concrete fix or a specific question.
End with a one-line verdict: approve / approve-with-nits / changes-requested, and the count by severity. If there are zero substantive findings, say so plainly — don't manufacture nits to look thorough.
Same passes, plus: read it as a stranger's (you're blind to your own intent — lean on the written requirements instead), and specifically hunt your signature failure modes: unverified API calls stated as correct, requirements quietly narrowed, success implied without a run. Collect all findings in one read-through before fixing any — fixing mid-read hides structural problems.
HIGH src/auth/session.ts:88 Missing expiry check
refreshSession() issues a new token whenever the old one decodes, without checking exp.
An expired token still refreshes → sessions never actually expire (defeats the timeout the
PR's issue asks for — requirement unmet).
Fix: reject when payload.exp < now() before issuing; add a test with an expired token
asserting 401.
All four passes ran in order over the complete diff judged against its stated intent; findings are ranked by severity with file:line, impact, and a concrete fix; Pass 1–2 findings are not buried under Pass 4 nits; and the report ends with an explicit verdict and severity counts. For your own work, the signature-failure-mode hunt was done before delivery.
npx claudepluginhub unpaidattention/fable5-methodologyReviews code changes for correctness, readability, architecture, security, and performance. Checks lint, type safety, test coverage, and security issues. Use for PRs, audits, or pre-merge reviews.
Systematically evaluates pull requests for correctness, design, readability, and tests, delivering actionable and kind feedback based on Google's engineering practices.
Reviews pull requests and diffs to find unrelated changes, missing verification, behavior risks, and over-engineering. Intended for code review audits of human or AI-generated code.