Reviewing

All components MUST integrate with platform accessibility APIs from initial implementation:

After any operation touching 5+ files, run a verification pass for stale references before marking complete.

When you replace or refactor code, delete what it supersedes. Leave no dead code, orphaned files, or commented-out blocks behind.

Constructor injection via `Microsoft.Extensions.DependencyInjection`. Use interface types for dependencies, not concr...

Use `pathlib.Path`, not `os.path`. All path manipulation should go through `pathlib`.

Talk only to immediate collaborators and tell objects to act rather than asking for their internals, except across documented boundary, builder, and pipeline cases.

- `PascalCase` for types, methods, properties, public fields, constants, namespaces

`roadmap_lib` uses the standard library only. Do not add PyYAML, requests, or other third-party packages to core libr...

Only modify what was requested. State the goal before starting. Note but do not fix adjacent issues.

Shell script `main()` functions must only call other functions — no inline logic. Keep scripts composable and testable.

Type hints are welcome but not required. Maintain Python 3.9 compatibility — use `from __future__ import annotations`...

Use functions from `roadmap_lib` for all roadmap operations (reading state, parsing frontmatter, finding steps, etc.)...

Parse YAML frontmatter with the built-in frontmatter parser in `roadmap_lib`. Do not add a PyYAML dependency. The par...

Query review checklist: anti-patterns to flag, EXPLAIN QUERY PLAN red flags, and common performance issues in SQLite queries.

Scan, pin, sign, and slim container images so they ship without known-exploited vulnerabilities, embedded secrets, or root runtimes.

All user-facing strings MUST be localizable — no hardcoded strings:

All layouts MUST support right-to-left languages:

Treat every observable behavior of an interface as a contract a consumer may depend on: document guarantees, constrain incidental behavior, and never depend on the unspecified.

Pre-merge checklist a reviewer runs over an MCP server's primitive design, tool contracts, and authorization.

Respect server rate limits. Handle 429 responses gracefully.

Always set both connection and read timeouts. Never use infinite timeouts.

All significant user actions MUST be instrumented via an `AnalyticsProvider` interface (`track(event, properties)`). ...

Every component and flow must be instrumented with structured logging using the platform's best-in-class framework:

All significant feature points and views MUST be deep linkable using the platform's native URL/deep link mechanism:

Use AppKit (macOS) and UIKit (iOS) for all UI. Use SwiftUI only where Apple requires it.

Use OAuth 2.0 / OpenID Connect with PKCE for all public clients. The Implicit flow is

**Server-side authorization is the only real authorization.** Client-side checks (hiding

Prevent XSS and injection with a strict CSP. Web apps only.

Cross-Origin Resource Sharing — get it right or don't enable it.

Your dependencies are your attack surface. Manage them actively.

**Never trust client input.** Client-side validation is a UX feature, not a security control.

Adversarially test LLM and agent systems against the OWASP LLM Top 10 and gate releases on a tracked attack-success-rate threshold.

Collect only what is needed. Prefer on-device processing.

Tokens, credentials, and any sensitive data MUST use platform secure storage. Never store secrets in plaintext config...

Every web application should set these response headers:

Minimize what you collect, encrypt what you keep, never log what you shouldn't.

Short-lived (5-15 min). Include only necessary claims — no PII in JWTs

**TLS 1.2 minimum**, prefer TLS 1.3. Disable TLS 1.0 and 1.1 entirely.

Triage CVEs by exploitability — CISA KEV and high EPSS first, deprioritize unreachable transitive findings — not raw CVSS.

Comprehensive lint checklist for validating Claude Code agent structure, content quality, and best practices

Optimize Claude Code extensions for speed and token efficiency through shell scripts, model selection, and progressive disclosure.

Comprehensive lint checklist for validating Claude Code rule file content quality, best practices, and optimization

Comprehensive lint checklist for validating Claude Code skill structure, content quality, and best practices

Flaky tests destroy confidence. Quarantine them immediately — fix or delete, never ignore.

Every generated artifact MUST be verified:

Run security scans as part of post-generation verification (agenticdevelopercookbook://guidelines/testing/post-generation-verification). These a...

Use color with intention — never as the sole means of conveying information.

Interactive elements MUST be large enough to tap or click accurately. Defer to the platform