Add standalone code-review skill with maintainer-sourced review rules

[PureWeen]

Note

Are you waiting for the changes in this PR to be merged?
It would be very helpful if you could test the resulting artifacts from this PR and let us know in a comment if this change resolves your issue. Thank you!

Summary

Adds a standalone code-review skill for reviewing PR code changes with MAUI-specific domain knowledge, modeled after dotnet/android's android-reviewer skill.

What's included

.github/skills/code-review/SKILL.md (196 lines) — Review workflow:

• Independence-first methodology (read code before PR description to avoid anchoring bias)
• 6-step workflow: gather context → load rules → independent assessment → reconcile with PR narrative → check CI → devil's advocate verdict
• Three verdicts: LGTM, NEEDS_CHANGES, NEEDS_DISCUSSION
• Optional multi-model review for diverse perspectives
• Output constraints: don't pile on, don't flag what CI catches

.github/skills/code-review/references/review-rules.md (345 lines) — Domain knowledge:

• 22 sections of review rules distilled from real FTE code reviews
• 138 PR citations linking each rule to the PR where the pattern was identified
• Sourced from 366 PRs: top 142 most-discussed PRs (2,883 review comments), 30 reverted PRs, 50 candidate-branch failures, 64 regression fixes
• Covers: handler lifecycle, memory leaks, safe area, layout, platform code, Android/iOS/Windows specifics, navigation, CollectionView, threading, XAML, testing, performance, error handling, API design, images, gestures, build, accessibility
• §21 Regression Prevention — lessons from reverts and candidate failures
• §22 Component Risk Table — ranking the most regression-prone components

Design decisions

• Separation of concerns: SKILL.md = workflow, review-rules.md = knowledge (follows Android's pattern)
• Standalone: Can be invoked directly by users or by other agents. No coupling to the PR agent pipeline.
• Data-driven: Every rule traces to a real PR where a senior maintainer flagged the pattern. No generic advice.

Changes to copilot-instructions.md

• Added "Opening PRs" section with required NOTE block template
• Added code-review skill to the skills listing
• Minor reformatting of existing documentation sections

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/maui/main/eng/scripts/get-maui-pr.sh | bash -s -- 34265

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/dotnet/maui/main/eng/scripts/get-maui-pr.ps1) } 34265"

[Copilot]

Pull request overview

Adds a new code-review skill and wires it into the PR agent’s post-gate workflow to qualitatively assess fix quality (to potentially skip expensive try-fix exploration) and to rank multiple passing fix candidates beyond simple pass/fail.

Changes:

• Introduces .github/skills/code-review/SKILL.md with two modes: pre-fix triage and post-fix comparison.
• Updates PR agent workflow docs to add Phase 2.5 (triage) and Phase 3.5 (comparison).
• Updates .github/copilot-instructions.md to list the new skill and fixes skill numbering.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

File	Description
.github/skills/code-review/SKILL.md	New skill definition for qualitative code review (triage + compare).
.github/agents/pr/post-gate.md	Inserts the new code-review phases into the post-gate workflow and guidance.
.github/agents/pr.md	Updates the workflow diagram to reflect new post-gate steps.
.github/copilot-instructions.md	Documents the new skill in the skills list and corrects numbering.

[Copilot]

The Outputs table lists verdict values (LGTM, NEEDS_REVIEW, NEEDS_CHANGES, SKIP_FIX_PHASE) but the rest of the skill (triage workflow + output format) only defines SKIP_FIX_PHASE/NEEDS_REVIEW, and compare mode doesn’t define how LGTM/NEEDS_CHANGES apply. Please align the documented verdict values with the two modes (e.g., triage: SKIP_FIX_PHASE|NEEDS_REVIEW; compare: omit verdict and require a ranking + selection), to avoid ambiguous invocations/outputs.

Suggested change

	| `verdict` | `LGTM`, `NEEDS_REVIEW`, `NEEDS_CHANGES`, or `SKIP_FIX_PHASE` |
	| `verdict` | **Triage mode only.** Either `SKIP_FIX_PHASE` or `NEEDS_REVIEW`. Compare mode omits `verdict` and instead uses `recommendation` for ranking/selection. |

[Copilot]

This section recommends running a multi-model review “in parallel”, but the PR agent shared rules strongly emphasize “SEQUENTIAL ONLY” for multi-model workflows (to avoid confusion with try-fix). Consider adding an explicit note that parallelism here is OK because code-review is read-only, and that the sequential-only restriction still applies to try-fix executions.

Suggested change

	> **Note:** Parallelism is allowed here because code review is a **read-only** workflow and does **not** invoke `try-fix` or modify the PR. The global **"SEQUENTIAL ONLY"** rule for multi-model workflows still applies to `try-fix` executions and any mutating workflows. Never run multiple `try-fix` attempts in parallel.

[Copilot]

This file is titled "Post-Gate Phases (3-4)", but the workflow overview now includes phases 2.5 and 3.5. To keep the doc self-consistent (and easier to search/reference), update the header/intro to reflect the new phase range (e.g., “2.5–4” or “Post-Gate Phases (2.5, 3, 3.5, 4)”).

[Copilot]

The “Common Mistakes” bullet says to “Always run triage before Fix phase”, but earlier in Phase 2.5 you note triage applies only when starting from an existing PR (and should be skipped when starting from an issue with no PR). Please reword this bullet to be conditional (e.g., “When reviewing an existing PR, don’t skip triage”) so the guidance isn’t contradictory.

Suggested change

	- ❌ **Skipping Code Review Triage** - Always run triage before Fix phase (saves compute when PR is already good)
	- ❌ **Skipping Code Review Triage** - When reviewing an existing PR, don't skip triage before the Fix phase (saves compute when the PR is already good)

[Copilot]

The diagram now shows post-gate includes phases 2.5 and 3.5, but the preceding sentence still says post-gate covers “Phases 3-4”. Please update that reference to match the new workflow (e.g., “Phases 2.5–4”), so readers don’t miss the Code Review phases.

[jonathanpeppers]

You can also define any lamdbas as static as a way to force no captured variables. (slightly mentioned above)

[jonathanpeppers]

This won't 100% leak if you forgot this. If a handler is GC'd, the _listener should be as well. It's good guidance, but with too strong wording.

It actually might be more important that you need to do view.SetListener(null), so Java doesn't have a reference to _listener.

[jonathanpeppers]

This was talking about something in a *.cake file, maybe we should remove this.

I don't know when .NET MAUI would need to call Process.Kill() from inside an app.

[PureWeen]

Skill Validator Consensus Report: code-review

Summary

Dimension	Result
Eval Generation	🆕 Generated (5 scenarios, validated)
Anthropic Verdict	IMPROVE (7/10)
Consensus	IMPROVE

Strengths (High Confidence)

• Independence-first assessment is the standout feature -- explicitly forbidding the agent from reading PR descriptions until Step 3 prevents anchoring bias
• review-rules.md is exceptionally rich -- 22 categories, 80+ checks, real PR numbers as evidence, plus a "What NOT to Flag" noise-reduction section
• Verdict consistency rules are unambiguous: NEEDS_CHANGES if any ❌ Error -- removes judgment calls
• Output format precisely specified with a literal markdown template

Recommended Improvements

#	Suggestion	Rationale
1	Expand trigger phrases in description to include "analyze code changes", "check PR code quality", "look at what changed in PR"	Trigger recall is low (5/10) -- common phrasings won't fire the skill
2	Add disambiguation note distinguishing code-review from pr-review and pr-finalize at top of SKILL.md	Both do "code review" -- users won't know which to invoke
3	Use absolute path .github/skills/code-review/references/review-rules.md in Step 2	Agent won't reliably know skill directory at runtime
4	Add explicit comment-posting policy -- output to terminal only, never gh pr review --comment unless orchestrated	pr-finalize has this rule; code-review should match for consistency
5	✅ eval.yaml committed with this review (5 scenarios)	Enables future automated regression detection

Verdict

IMPROVE and merge. The skill is well-structured with a genuinely valuable independence-first approach and rich review rules. Address items 1-4 above before merging for best results.

[kubaflo]

Tested here:
#22208 - 🟡 Changes Suggested
#26851 - 🟢 Approved
#28321 - 🟡 Changes Suggested
#28713 - 🟢 Approved
#29996 - 🟢 Approved
#31056 - 🟡 Changes Suggested
#31202 🟢 Approved
#31244 - 🟡 Changes Suggested
#31317) - 🟡 Changes Suggested

[PureWeen]

🔍 Skill Validator Consensus Report: code-review

Evaluated by: skill-validator (dotnet/skills) + Anthropic prompt analysis + live Claude CLI trigger testing

Evaluator	Score	Verdict
Dotnet Validator (empirical A/B)	6/10	IMPROVE
Anthropic Evaluator (prompt quality)	9/10	KEEP
Consensus	7/10	IMPROVE

Key Metrics (from skill-validator)

• Improvement Score: +5.5% overall
• Token count: 2,300 BPE (efficient)
• Overfitting: 🔴 0.54 (above 0.5 threshold)
• Skill activation: 4/5 scenarios ✅

Scenario	Baseline	With Skill	Verdict
Happy path - code review	1.0/5	2.0/5 🟢	✅
Negative trigger - info query	4.0/5	4.0/5	❌ not activated
Independence-first	1.0/5	2.0/5 🟢	✅
Anti-pattern - never approve	2.0/5	2.0/5	✅
Verdict consistency	1.0/5 ⏰	1.0/5 ⏰	❌ timeout

🏆 Strengths

• Independence-first methodology empirically confirmed — agent fetches gh pr diff before gh pr view (baseline never does this)
• review-rules.md is exceptional — 345 lines, 22 categories, 138+ real PR citations
• Never-approve guard is airtight — no --approve in any run
• Live trigger tests passed — positive (structured review) ✅, negative (plain summary) ✅
• Disambiguation table clearly separates from pr-review and pr-finalize

⚠️ Issues to Address

Before merge (critical):

1. 🔴 Fix eval overfitting (0.54) — Assertions test output text (Independent Assessment) not behavior. Rewrite to assert tool-call ordering (gh pr diff before gh pr view) instead.
2. 🟡 Tighten trigger description — Exclude "summarize/describe/what does PR do" queries. Current description mixes methodology prose with trigger phrases. Suggested rewrite: focus on trigger keywords + explicit "do NOT use for" exclusions.

After merge (improvements):
3. Add LSP fallback (grep when LSP unavailable) in Step 1.3
4. Increase verdict-consistency timeout to 300s (180s insufficient for large diffs)
5. Add negative eval scenarios (discussion queries, structural queries)
6. Consider tiered review-rules.md (P0 always loaded, P1/P2 on demand) — 44KB is significant context cost

📊 Live Trigger Test Results (Claude CLI)

• ✅ Positive: "review the code changes in PR Add standalone code-review skill with maintainer-sourced review rules #34265" → Full structured review with Independent Assessment, severity markers, no GitHub API approval
• ✅ Negative: "what does PR CS9137 on net10.0-android release publish #34000 change? Just give me a summary" → Plain summary, no structured review workflow

Bottom Line

Excellent skill with genuine domain value. The independence-first methodology and review-rules.md are real differentiators. Address the eval overfitting and trigger description before merging, then iterate on the 2/5 output ceiling as a fast-follow.

---

Generated by Skill Validator pipeline (skill-validator v1.0.0 + Claude CLI v2.1.90)

[PureWeen]

Skill Validator Re-Assessment (Post-Fix)

Previous Score: 7/10 (IMPROVE) → New Score: 9.5/10 (KEEP) ✅

All critical issues from our prior review have been addressed:

Prior Issue	Status
Eval overfitting (output_contains: "Independent Assessment")	✅ Fixed — replaced with behavioral tool_call_before assertions
Trigger too broad (false activation on "summarize PR")	✅ Fixed — added explicit "Do NOT use for" exclusions
Single negative test case	✅ Fixed — added 2nd negative trigger scenario
Timeouts too short (180s)	✅ Fixed — bumped to 300s

🔴 One Required Fix Before Merge: tool_call_before Assertion Type

The tool_call_before and tool_call_not_contains assertion types used in eval.yaml are not supported by the current skill-validator (v1.0.0). The supported types are: output_contains, output_not_contains, output_matches, output_not_matches, file_exists, file_contains, exit_success.

Recommended fix — replace tool_call_before with output_matches patterns that verify the same behavioral intent:

# Instead of:
#   - type: tool_call_before
#     first: "gh pr diff"
#     second: "gh pr view"

# Use:
  - type: output_matches
    pattern: "(LGTM|NEEDS_CHANGES|NEEDS_DISCUSSION)"
  - type: output_not_contains
    value: "--approve"

And move the independence-first check to the rubric (where the LLM pairwise judge handles it behaviorally):

rubric:
  - "The agent calls 'gh pr diff' BEFORE 'gh pr view', demonstrating independence-first methodology"

This preserves the overfitting fix (no literal section-header matching) while using supported assertion syntax. The rubric items carry the independence-first behavioral check via pairwise LLM comparison.

Minor Suggestions (Fast-Follow, Not Blocking)

1. Add LSP fallback to Step 1.3: Add grep -rn "SymbolName" src/ --include="*.cs" fallback when LSP unavailable
2. Fix "4-step workflow" reference: Multi-model section says "full 4-step workflow" but there are 6 steps (cosmetic)
3. Verify PR [Android] Refactor WindowInsetListener to per-view registry with MauiWindowInsetListener #32278 in verdict-consistency scenario: If the asymmetry has been fixed upstream, the output_not_contains: "LGTM" assertion may need updating

Verdict

KEEP — The skill is excellent. SKILL.md prompt quality, trigger precision, and negative-trigger handling are all strong. Fix the tool_call_before assertion types (unsupported by validator) and this is ready to merge.

— Skill Validator (automated re-assessment)

[PureWeen]

Dotnet Validator — Final Re-Assessment (commit 39a8da7e4b)

Tool Run: ✅ Completed — 6 scenarios, full LLM A/B evaluation, NO Unknown assertion type errors
Improvement Score: +12.6% (overallImprovementScore: 0.1257)
Overall Score: 7/10
Confidence: Medium (1 run; 3 of 6 scenarios used non-existent PRs)
Verdict: IMPROVE

---

Scenario Results

Scenario	Baseline	Isolated	Plugin	Δ	Verdict
Happy path – code review PR request	1/5	2/5 🟢	3/5 🟢	+0.17	✅
Negative trigger – informational query	5/5	4/5 🔴	4/5 🔴	−0.30	❌
Independence-first – diff before description	1/5	1/5	2/5 🟢	+0.07	✅
Anti-pattern – never approve via GitHub API	1/5	3/5 🟢	3/5 🟢	+0.07	✅
Verdict consistency – errors → NEEDS_CHANGES	1/5	5/5 🟢🟢	5/5 🟢🟢	+0.75	✅
Negative trigger – describe changes query	1/5	2/5 🟢	1/5	−0.01	❌

Overfitting: 🔴 0.53 (just above the 0.5 threshold)

---

Version History

Metric	v1	v2	v3 (this run)
Improvement score	+5.5%	+10.8%	+12.6% ✅
Overfitting	🔴 0.54	🟡 0.45	🔴 0.53
tool_call_before crash	—	❌	✅ fixed
Verdict consistency	1→1/5 ⏰	1→5/5	1→5/5

---

Strengths

• +12.6% improvement — above the 10% threshold; tool passes with --verdict-warn-only
• Verdict consistency: 1→5/5 both modes. With skill, agent correctly identifies a Java bridge memory leak (FlyoutViewHandler using UnregisterView instead of RemoveViewWithLocalListener) and delivers NEEDS_CHANGES. Without skill, baseline agent offloads to a background subprocess and returns nothing.
• tool_call_before / tool_call_not_contains removed — eval.yaml now runs cleanly with no crashes
• 44KB review-rules.md is paying off — LLM judges explicitly cite review-rules §1/§2 as driving the correct verdict

Weaknesses / Remaining Issues

1. Negative trigger regression persists — Informational query drops 5→4/5 with skill loaded. Small but consistent across all three eval runs.
2. Three scenarios use non-existent PRs — #34000 is an issue (not a PR), #33500 is an issue, #33000 doesn't exist. This caps skill scores and inflates baselines artificially. Real improvement is likely higher than reported.
3. Overfitting 0.53 — Just above the flag threshold. Noisy at 1 run but has been flagged in 2 of 3 eval runs.

Suggested Fixes Before Merge

1. Replace non-existent PR numbers in eval.yaml with real PRs that contain actual code changes (e.g., [iOS] Fix SafeArea infinite layout cycle with parent hierarchy walk and pixel-level comparison #34024, [iOS] TranslateToAsync causes spurious SizeChanged events after animation completion, triggering infinite layout loops #33934, Layout issue using TranslateToAsync causes infinite property changed cycle on iOS #32586 for happy-path and independence-first)
2. Add in dotnet/maui to the describe-changes prompt — current failure is the agent stopping to ask for the repo, not a skill misfire: "Summarize what PR #34100 does in dotnet/maui"
3. Tighten negative trigger boundary — add explicit exclusions to the description frontmatter for "what does PR X do?" / "describe the changes" style queries

Summary

The skill works and the improvement is real — the verdict consistency scenario alone (1→5/5) justifies keeping it. The remaining gaps are in the eval.yaml, not the skill itself. Fix the PR numbers and the describe-changes prompt, and this is ready to merge.

[PureWeen]

✅ Skill Validator Final Review — APPROVED

Score: 9.5/10 — KEEP

All blockers from three review rounds have been resolved:

• ✅ Eval overfitting fixed (behavioral rubric replaces literal string match)
• ✅ Unsupported assertion types fixed (tool_call_before → output_matches)
• ✅ Trigger scope tightened ("Do NOT use for" exclusions)
• ✅ 6 eval scenarios with 2 negative triggers
• ✅ Timeouts appropriate (300s for review, 120s for negative)
• ✅ Live trigger tests pass (positive activates, negative does not)
• ✅ Eval PR numbers updated to real, current PRs

Non-blocking suggestions for fast-follow:

1. Add LSP/grep fallback to Step 1.3
2. Add comment noting PR [Android] Refactor WindowInsetListener to per-view registry with MauiWindowInsetListener #32278 scenario is time-sensitive

Ready to merge. No further changes required.

— Skill Validator (final automated review, 3 rounds complete)

[PureWeen]

Dotnet Validator — v4 Re-Assessment (commit 8172f02752, real PR numbers)

Tool Run: ✅ Completed — 6 scenarios, no assertion type errors
Improvement Score: +16.7% (overallImprovementScore: 0.1667)
Overall Score: 7/10
Confidence: Medium (1 run; 2 of 6 positive scenarios timed out at 300s)
Verdict: IMPROVE

---

Scenario Results

Scenario	Baseline	Isolated	Plugin	Notes
Happy path – code review #34024	1/5	1/5 ⏰	1/5 ⏰	Timeout — agent gathered diff/rules but ran out of time before writing review
Negative trigger – informational #34727	5/5	5/5	5/5	✅ Skill correctly NOT activated
Independence-first – #31202	1/5	1/5 ⏰	1/5 ⏰	Timeout — agent spent 300s on Windows/Unix shell compat, never delivered review
Anti-pattern – no approve #28713	2/5	4/5 🟢	5/5 🟢🟢	✅ Big win — refused approve, delivered full verdict
Verdict consistency – #32278	1/5	3/5 🟢 ⏰	5/5 🟢🟢	✅ Core scenario still works; isolated timed out before verdict line
Negative trigger – describe #34723	5/5	5/5	5/5	✅ Skill correctly NOT activated

Overfitting: 🔴 0.50 (exactly at threshold — borderline)

---

Version History

Metric	v1	v2	v3	v4 (this run)
Improvement score	+5.5%	+10.8%	+12.6%	+16.7% ✅
Overfitting	🔴 0.54	🟡 0.45	🔴 0.53	🔴 0.50 (borderline)
tool_call_before crash	—	❌	✅	✅
PR numbers valid	❌	❌	❌	✅
Negative triggers	🔴 regression	🔴	🔴	✅ fixed

---

What Improved

• Negative triggers fully resolved: Both "summarize" and "informational query" scenarios now hold at 5/5 with and without skill. Skill correctly does NOT activate on these — no more regression.
• Anti-pattern (no approve): 2→5/5 in plugin mode. Agent explicitly refuses --approve, explains it's a human decision, and delivers a complete review.
• Improvement score jumped to +16.7% — best result across all runs, comfortably above the 10% threshold.
• Overfitting dropped to 0.50 — at the boundary, trending down.

New Issue: Timeouts on Real PRs

With real PRs now in play, 2 of the 4 review scenarios hit the 300s ceiling before delivering their output:

• Happy path ([iOS] Fix SafeArea infinite layout cycle with parent hierarchy walk and pixel-level comparison #34024): Agent did everything right — fetched diff first, loaded review-rules.md, examined source files, checked CI — but ran out of time before writing the actual review. Judge: "critically failed to produce any review output before the 300-second timeout."
• Independence-first (LineHeight and decorations for HTML Label - fix #31202): Agent spent the entire budget on PowerShell/Unix shell compatibility errors (head command not available, base64 decoding issues on Windows). Never got to writing the review.

The skill's core behavior is sound — the agent IS doing the right things in the right order — it just needs more time. The independence-first Windows compat failure is partially an environment issue (the eval runs in a Windows workspace where Unix commands aren't available).

Verdict consistency (isolated: 3/5, plugin: 5/5)

The gap between isolated (3/5) and plugin (5/5) is interesting: isolated timed out before the agent could write the explicit NEEDS_CHANGES verdict line, even though it found the correct bug. Plugin mode benefited from more efficient context loading and completed. Both correctly identify the FlyoutViewHandler.DisconnectHandler → UnregisterView vs RemoveViewWithLocalListener asymmetry.

---

Recommended Final Fixes (eval.yaml only)

1. Increase timeouts for review scenarios to 450–600s — The real PRs are larger than the dummy ones. The agent is doing the right work, it just needs more runway. Negative trigger timeouts (120s) are fine as-is.

2. Add a Windows-compatible diff approach hint to SKILL.md — Agents in Windows eval environments use head (Unix) instead of Select-Object -First (PowerShell), burning 50–100s on compat errors before recovering. A one-liner in the "Environment" section of the skill would eliminate this waste.

Bottom Line

The skill is working. +16.7% improvement, both negative triggers clean, anti-pattern guardrail solid, and the core verdict-consistency scenario correctly identifies real bugs in real PRs. The remaining issue is purely eval infrastructure — timeout budget — not the skill itself. Recommend merging with timeout bumps to 450s for the 4 review scenarios.