by DevOtts
The QA front door of the DevOtts lifecycle family — plan-it plans, fable-it builds, review-it verifies. Runs the plan-phase Test Contract against the build and enforces an 11-rule gate catalog that makes false-VERIFIED claims un-shippable.
# Add to your Claude Code skills
git clone https://github.com/DevOtts/review-itreview-it is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by DevOtts. The QA front door of the DevOtts lifecycle family — plan-it plans, fable-it builds, review-it verifies. Runs the plan-phase Test Contract against the build and enforces an 11-rule gate catalog that makes false-VERIFIED claims un-shippable. It has 0 GitHub stars.
review-it's catalog security scan is still queued. You can run an instant dependency and prompt-injection check now with the "Scan for vulnerabilities" button above.
Clone the repository with "git clone https://github.com/DevOtts/review-it" and add it to your Claude Code skills directory (see the Installation section above). review-it ships a SKILL.md manifest, so compatible agents can discover and load it automatically.
review-it is primarily written in HTML. It is open-source under DevOtts on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh review-it against similar tools.
No comments yet. Be the first to share your thoughts!
Unlocks once the catalog security scan passes (runs nightly).
The deep catalog scan for this skill is still queued. Run an instant dependency check now instead.
You are the verification leg of the lifecycle triangle: plan-it plans → fable-it builds → you verify. Your primary job is to take the Test Contract authored at plan phase and prove — with evidence, not narration — that the build obeys it. Everything else (side-effects, deploy verification, PR review) orbits that core.
Two failures define your reason to exist (the Airtable postmortem): a "VERIFIED" UI with 4 operability bugs no test ever exercised, and a third-party write whose record rendered empty in the target system's own UI — both caught by a human, after the report said green. Your gate catalog makes those, and nine sibling failure classes, mechanically un-shippable.
You are a front door, not a re-implementation. Execution belongs to the routed specialists (see the routing table). Your added value is mode dispatch, the gates, the oracle-provenance discipline, and one honest report format. If a behavior exists in a routed skill, call it by name — never paste a worse copy (CB-3).
/review-it <target> # target: contract path | feature dir | PR ref | "staging"/"prod"
│
├─ MODE contract-qa → PRIMARY: run the plan-phase Test Contract against the build
├─ MODE side-effects → third-party write verification (skills/side-effects/SKILL.md)
├─ MODE deploy-verify → staging/prod verification (skills/deploy-verify/SKILL.md)
└─ MODE pr-review → SECONDARY: severity-tiered review (skills/pr-review/SKILL.md)
▼
GATES — references/gate-catalog.md (R1–R11), applied in EVERY mode
▼
REPORT — references/report-format.md (one format, shared with fable-it's evidence ledger)
Shared vocabulary (statuses, tiers, TYPE×PERSISTENCE, skip taxonomy, AUTHORED/DERIVED) lives in references/vocabularies.md. Test-authoring standards in references/authoring-standards.md. CI-gate wiring guidance (reference only, not an executable mode) in references/ci-gate-guidance.md.
Before any verdict, assert WHICH app / checkout / branch you are about to test, and record it as the report's preflight line:
git branch --show-current, git rev-parse --short HEAD, dirty/clean.parallel-lifecycle's .env.worktree contract (ports, app identity) — never assume :3000 is the app you think it is.origin/<branch>:<path> — a stale local checkout contaminated by parallel sessions is never the verification surface.| Target looks like | Mode |
|---|---|
A test-plan/Test Contract path (qa/test-plan*.md, a plan-it package) |
contract-qa |
| A PR ref / branch / diff | pr-review |
staging / prod / a deploy or release ask |
deploy-verify |
| A DoD or feature dir whose criteria include third-party writes (Airtable, Slack, Shopify, CRM…) | side-effects |
| Mixed | run the modes in sequence: contract-qa → side-effects → deploy-verify; pr-review only when a PR is the object |
State the detected mode in one line and proceed — no menu, no confirmation.
For each case/criterion about to run, confirm its verification target is actually reachable this session (service up, data real, env exists). Unreachable target → route that row straight to IMPLEMENTED-NOT-VERIFIED with a named blocker tagged temporary|structural — and move on. Never spin an executor against a mock to manufacture a green (that is the exact theater this skill exists to kill). [REAL]-tagged cases are never VERIFIED on a mock, full stop.
Every verdict needs an oracle — the source of the expected outcome. Where the oracle comes from determines what a green means. Never refuse for lack of a contract; never invent-and-grade silently.
Run the ladder in order; stop at the first hit:
make-eval for LLM boundaries. Anchor every expected value to an external source where one exists; where the only available oracle is the implementation itself, tag the case DERIVED and flag it.qa/test-plan-derived.md in the consumer repo, so this review becomes durable, promotable coverage plan-it can absorb.contract-qa (PRIMARY). Consume the plan-it Test Contract 1:1 — no translation layer. Tally declared vs counted cases before running (mismatch = stop and reconcile). Flag [REAL] rows for tier-2 handling. Delegate execution by row shape via the routing table below; apply the gate catalog to every row before accepting a PASS; fix loops go through iterate. DoD = 100% PASS or honest INV — nothing between.
side-effects / deploy-verify / pr-review. Dispatch to the bundled skill (skills/side-effects/SKILL.md, skills/deploy-verify/SKILL.md, skills/pr-review/SKILL.md). Each applies the same gates and returns rows in the same report format.
| Work | Route to |
|---|---|
| Functional / CDP UI QA against a test plan | fable-it:full-qa |
| Authenticated real-Chrome action (user's logged-in browser) | fable-it:chrome-cdp-control |
| Diagnose → fix → test loops | fable-it:iterate |
| LLM-function evals (closed-label classifiers, rubric outputs) | make-eval |
| Worktree / port / browser isolation for parallel runs | parallel-lifecycle (hard dependency — assumed installed, never absorbed) |
If a routed skill is missing in the host, perform that phase inline following the same principle it would have applied, and say so in the report — degrade, never break, and never claim the specialist ran.
The full protocol and prompts live in references/report-format.md.
Emit exactly one report in the references/report-format.md schema, to the consumer repo's .review-it/ (or .fable-it-reports/ when conducted by fable-it — in that case feed rows into fable-it's evidence ledger instead of issuing a competing verdict).
Closed status vocabulary (CB-1) — no other states may appear:
PASS / FAIL / IMPLEMENTED-NOT-VERIFIED (+named blocker, temporary|structural) · skips: SKIP-no-script / SKIP-out-of-scope / BLOCK.
Every row carries its oracle-provenance tag (AUTHORED | DERIVED). INV rows are re-tested when their blocker lifts; PASS rows are demoted on challenge — fake-green and lazy-INV are the same sin (CB-2). Close with the R10 debrief question: "did any row get a false VERIFIED, and which verification primitive would have caught it earlier?"
.secrets/.full.credentials, LOCAL-CREDENTIALS.md) and quote the incumbent ruling back (gate R5). Default to the incumbent pattern.fable-it:chrome-cdp-control with its per-write confirmation gate; autonomous QA never touches an authenticated session.full-qa, iterate, chrome-cdp-control, make-eval or parallel-lifecycle — route by name (CB-3).# As a Claude Code plugin (recommended)
/plugin marketplace add DevOtts/review-it
/plugin install review-it@devotts
# Or as a standalone skill package
npx skills add DevOtts/review-it
Getting started: /review-it qa/test-plan-master.md runs a plan-phase Test Contract against your build; /review-it PR #42 reviews a PR; /review-it prod verifies a deploy. See docs/usage.md.
.review-it/, qa/test-plan-derived.md) — never code, never config (CB-8).Authored by DevOtts.
Two real incidents define this plugin (the Airtable postmortem):
Both were caught by a human, after the report said green. review-it makes those two failures — and nine sibling classes — mechanically un-shippable, with a gate catalog where every rule is written as trigger → test → action and every verdict is a lookup into an evidence ledger, not a judgment call.
And the quiet failure underneath them all: a QA run with no authored test contract that quietly reverse-engineers its expectations from the code it is testing — and then grades itself green. review-it tags every verdict's oracle AUTHORED or DERIVED; a DERIVED green means "self-consistent," never "obeys the plan." No self-graded green.
# 1. Add the DevOtts marketplace (once — shared with fable-it / plan-it)
/plugin marketplace add DevOtts/review-it
# 2. Install
/plugin install review-it@devotts
# Or as a standalone skill package
npx skills add DevOtts/review-it
Then hand it a target:
/review-it qa/test-plan-master.md # contract-qa: run the plan-phase Test Contract
/review-it PR #42 # pr-review: severity-tiered, evidence-cited
/review-it prod # deploy-verify: is it ACTUALLY live + ready?
/review-it <feature dir with third-party writes> # side-effects verification
/review-it <target>
│
├─ MODE contract-qa → PRIMARY: run the plan-phase Test Contract against the build
├─ MODE side-effects → third-party writes read back from the target's OWN API + UI
├─ MODE deploy-verify → deployed-code ladder + [REAL] re-runs + release checklist
└─ MODE pr-review → SECONDARY: severity-tiered findings, blocking vs advisory
▼
GATES — 11 rules, applied in every mode
▼
REPORT — one format, shared with fable-it's evidence ledger
IMPLEMENTED-NOT-VERIFIED
with a named blocker, never a manufactured green. [REAL] cases are never verified on
a mock.full-qa (functional/CDP QA), iterate (fix loops), chrome-cdp-control
(authenticated real Chrome), make-eval (LLM evals), parallel-lifecycle (isolation).| # | Gate | Kills |
|---|---|---|
| R1 | wrong-layer | third-party writes "verified" without reading the target's own API and UI |
| R2 | operability | "shows a value" passed off as "is operable" |
| R3 | read-stability | verdicts off a single read; false regressions off read-after-write lag |
| R4 | first-look | the human becoming the un-instrumented first tester |
| R5 | directive-lookup | credential/mechanism proposals that ignore standing rulings |
| R6 | narration≠evidence | subagent self-reports accepted without record-of-truth re-derivation |
| R7 | pixels-over-prose | reports whose screenshots contradict their claims |
| R8 | deploy-truth | MERGED / "Ready" / green-cached-build treated as deploy evidence |
| R9 | environment-identity | verdicts issued against the wrong app/branch/checkout |
| R10 | debrief-methodology | postmortems that log bugs but never the methodology hole |
| R11 | oracle-provenance | the self-grading trap — expectations derived from the code under test reported as "obeys the plan" |
Full specs (each trigger → test → action):
plugins/review-it/skills/references/gate-catalog.md.
| Piece | Path | Job |
|---|---|---|
| Front door | plugins/review-it/skills/review-it/ |
mode detection, preflight, oracle ladder, routing, report |
| side-effects | plugins/review-it/skills/side-effects/ |
third-party write verification (the Airtable class) |
| deploy-verify | plugins/review-it/skills/deploy-verify/ |
staging/prod: deployed-code ladder → READY / NOT-READY |
| pr-review | plugins/review-it/skills/pr-review/ |
severity-tiered review process, loads .claude/review-config.md |
| references | plugins/review-it/skills/references/ |
gate catalog · report format (shared with fable-it) · vocabularies · authoring standards · CI guidance |
plan-it |
fable-it |
review-it |
|
|---|---|---|---|
| Job | discovery → spec → agile split | goal + DoD → delivery | contract → verified verdicts |
| The bridge | authors the Test Contract | adopts it as its DoD | runs it against the build |
review-it consumes plan-it's Test Contract 1:1 and feeds its verdict rows into fable-it's evidence ledger — one report format, hosted here, both plugins point at it.
review-it is read-mostly by design: it writes only its report/ledger conventions in consumer repos, never proposes credential storage, human-gates credential operations and destructive steps (safety ladder), and routes authenticated browser work to chrome-cdp-control's per-write confirmation gate. Details in SKILL.md.
MIT — see LICENSE.
Authored by DevOtts.