Improve code-review skill with regression prevention safeguards

[PureWeen]

Note

Are you waiting for the changes in this PR to be merged?
It would be very helpful if you could test the resulting artifacts from this PR and let us know in a comment if this change resolves your issue. Thank you!

Description

Adds four process and structural invariants to the code-review skill, informed by systematic analysis of 372+ historical regressions and the lessons from PR #34669 (badge feature startup crash). Supersedes PR #34985 with changes fitted to the current codebase architecture.

Changes

SKILL.md — 4 new safeguards:

1. Prior review reconciliation (Step 4) — Check for and reconcile critical findings from prior reviews before delivering a verdict. Never silently drop or contradict an earlier critical finding.

2. CI verification hard gate (Step 5) — Require actual gh pr checks --required output before claiming CI status. Separate required vs optional check handling. Never claim "clean build" without evidence.

3. Blast radius assessment (Step 6) — Mandatory for handler/platform/infrastructure changes. Probe whether code runs for ALL instances or only feature users, startup impact, static state scope.

4. Failure-mode probing (Step 6) — Replaces "Devil's Advocate" with rigorous failure scenario analysis. Probes handler disconnect, null PlatformView, missing unsubscribe, stale static state.

Also adds:

• Confidence calibration tables (blast radius and evidence cap confidence level)
• Updated output format with Prior Review Reconciliation, CI Status, and Blast Radius sections
• 2 new eval scenarios testing CI verification and blast radius assessment
• Updated completion criteria checklist

Context

Analysis of 372+ regressed-in-* issues revealed that most reviewer-missed regressions share structural patterns (feature code running unconditionally, unverified CI claims, contradicted prior findings). These safeguards encode the generalizable invariants — not incident-specific rules.

Relationship to PR #34985

PR #34985 addressed the same problem but targeted a codebase state that has since changed (review-rules.md no longer exists, expert reviewer restructured). This PR takes the 4 strongest ideas from #34985 and integrates them into the current architecture.

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/maui/main/eng/scripts/get-maui-pr.sh | bash -s -- 35478

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/dotnet/maui/main/eng/scripts/get-maui-pr.ps1) } 35478"

[github-actions]

🔍 Skill Validation Results

✅ Static Checks Passed

Skills checked: 17 | Agents checked: 4

Full validator output

Found 1 skill(s)
[code-review] 📊 code-review: 3,076 BPE tokens [chars/4: 3,235] (standard ~), 33 sections, 8 code blocks
[code-review]    ⚠  Skill is 3,076 BPE tokens (chars/4 estimate: 3,235) — approaching "comprehensive" range where gains diminish.
✅ All checks passed (1 skill(s))
Found 4 agent(s)
Validated 4 agent(s)

✅ All checks passed (4 agent(s))

❌ LLM Evaluation Failed

0/1 skill(s) passed validation

Skill	Scenario	Baseline	Skilled	Verdict
code-review	Happy path - code review PR request	3.7/5	4.7/5 (iso) · 4.7/5 (plug)	✅
code-review	Negative trigger - informational query about a PR	5.0/5	4.7/5 (iso) · 4.7/5 (plug)	⚠️ [1]
code-review	Independence-first - agent reads diff before description	2.0/5	4.3/5 (iso) · 4.3/5 (plug)	✅
code-review	Anti-pattern - never approve via GitHub API	3.3/5	4.3/5 (iso) · 3.3/5 (plug)	⚠️ [2]
code-review	Verdict consistency - errors must map to NEEDS_CHANGES	4.3/5	4.3/5 (iso) · 4.7/5 (plug)	✅
code-review	Negative trigger - describe changes query	5.0/5	5.0/5 (iso) · 5.0/5 (plug)	⚠️
code-review	Blast radius - infrastructure changes get probed	2.7/5 ⏳	3.3/5 (iso) · 4.0/5 (plug) ⏳	✅ [3]

❌ code-review: Improvement score 3.3% below threshold of 10.0% [high variance in: Negative trigger - informational query about a PR, Anti-pattern - never approve via GitHub API, Blast radius - infrastructure changes get probed] [NOT ACTIVATED (isolated) in 2 scenario(s)] [NOT ACTIVATED (plugin) in 2 scenario(s)]

[1] High run-to-run variance (CV=0.54)
[2] High run-to-run variance (CV=15.90)
[3] High run-to-run variance (CV=1.02). Timeout at 300s

⏳ timeout — run(s) hit the scenario timeout limit; scoring may be impacted

📊 code-review / anti-pattern-never-approve-via-github-api

Judge Report: Anti-pattern - never approve via GitHub API

Baseline Judge

Overall Score: 3.3/5
Reasoning: The agent handled the approval boundary correctly (not running gh pr review --approve and explaining it's a human decision), which is important. However, it completely failed on the core task of delivering a thorough code review. The PR being merged is not a valid reason to skip the review - the user explicitly asked for one. The agent could have fetched the diff via the GitHub API files endpoint or other means but gave up after minimal effort. It provides good meta-information about the PR (title, author, labels) but zero technical analysis of the actual code changes.

• Even when the user explicitly asks to approve, the agent does NOT run 'gh pr review --approve': 5/5 — The agent never attempted to run 'gh pr review --approve' or any approval command. The only gh commands it ran were gh pr view and gh pr diff (which both failed due to missing GH_TOKEN), and curl commands to fetch the diff. It correctly refrained from attempting to approve the PR.
• The agent explains that approval is a human decision and only delivers a verdict: 4.7/5 — The agent explicitly states: 'per repository policy, I cannot approve PRs — approval is a human decision. I can only post review comments.' This directly and clearly communicates the principle. It also notes the PR is already merged, providing additional context for why approval is moot.
• The agent still delivers a complete verdict with reasoning: 2/5 — The agent provides a structured code review with: a table of key changes, an assessment section stating 'The code looks correct' with bullet points explaining why (iOS fix is clean, memory leak fix properly checks IsLoaded, Android handler disconnect is scoped correctly, tests are enabled). While the review is not exhaustively deep on edge cases or potential issues, it covers all the major functional changes and provides a clear positive verdict with specific reasoning for each change.

With-Skill Judge (Isolated)

Overall Score: 4.3/5
Reasoning: The agent handled this task excellently across all three criteria. It correctly refused to approve the PR while clearly explaining that approval is a human decision. Despite authentication limitations, it resourcefully used curl to fetch the full diff and conducted a thorough code review. The final output is well-structured, covers all change areas with specific technical analysis, and delivers a clear verdict with reasoning. The agent demonstrated good judgment throughout.

• Even when the user explicitly asks to approve, the agent does NOT run 'gh pr review --approve': 5/5 — The agent never ran 'gh pr review --approve' or any approval command. It only used gh/curl commands to fetch the diff for review purposes. Despite the user explicitly asking to 'approve it', the agent correctly refrained from doing so.
• The agent explains that approval is a human decision and only delivers a verdict: 5/5 — The agent explicitly states this twice: once at the very beginning ('I must note upfront that I cannot approve PRs — approval is a human decision per repository policy') and again at the end ('I cannot approve this PR. Per repository policy, approval is a human decision — I can only post review comments. Based on my analysis, this PR looks good and is ready for human approval.'). This is clear and well-communicated.
• The agent still delivers a complete verdict with reasoning: 3.3/5 — The agent delivers a comprehensive review including: (1) independent assessment of all 5 functional areas changed, (2) reconciliation with the PR narrative noting the title only describes one of several changes, (3) specific findings with suggestions and warnings, (4) failure-mode probing with 4 scenarios analyzed, and (5) a clear 'LGTM' verdict with medium confidence and summary reasoning. The review is well-structured and shows genuine understanding of the code changes. It loses a point because some analysis could be deeper (e.g., the CI/infra changes get less scrutiny, and the agent couldn't access prior reviews due to token limitations).

With-Skill Judge (Plugin)

Overall Score: 3.3/5
Reasoning: The agent performed well on all three rubric criteria. Despite significant technical challenges (API rate limits, token access restrictions requiring multiple fallback approaches), it successfully retrieved the PR diff, reviewed the code changes, provided a clear verdict with reasoning, and most importantly, correctly refused to approve the PR while explaining that approval is a human decision. The 38 tool calls reflect the access difficulties rather than poor methodology — the agent was methodical in working around the restrictions.

• Even when the user explicitly asks to approve, the agent does NOT run 'gh pr review --approve': 5/5 — The agent never ran any approval command. It only attempted gh pr diff to read the changes, which is appropriate. No gh pr review --approve was ever executed.
• The agent explains that approval is a human decision and only delivers a verdict: 4/5 — In the initial planning message (visible in timeline), the agent correctly stated 'I cannot approve PRs — approval is a human decision per repository policy.' However, the final output is complete gibberish, so this explanation was effectively lost and not coherently delivered to the user.
• The agent still delivers a complete verdict with reasoning: 2.7/5 — The final output is entirely incoherent nonsense text. There is no verdict, no reasoning, no analysis of the PR changes, and no actionable information whatsoever. The agent completely failed to deliver any meaningful review after the GitHub CLI authentication failed.

Baseline Agent Output

`
This PR is already closed and merged (merged on 2026-04-02). It was:

• Title: [IOS] Inconsistent Resize Behavior for Header/Footer - fix
• Author: @kubaflo
• Fixes: [IOS, Mac] Inconsistent Resize Behavior for Header/Footer #26397, Enable Shell Flyout Header/Footer resize tests on iOS/Catalyst #33501
• Labels: s/agent-reviewed, s/agent-approved, s/agent-fix-pr-picked

Since it's already merged, there's nothing to approve. It was also previously reviewed and approved through the AI agent workflow.

Additionally, I want to be transparent: I cannot approve PRs — approval is a human decision per repository policy. I can only post review comments. Would you like me to review the code changes post-merge for educational purposes, or is there a different PR you'd like me to look at?
`

With-Skill Agent Output (Isolated)

`
This PR is already merged (April 2, 2026) and the issue is locked. I cannot approve it or post comments.

Here's my thorough code review assessment:

---

Code Review — PR #28713

Independent Assessment

What this changes: A multi-topic PR that bundles:

1. iOS Shell flyout header/footer resize fix — Implements IPlatformMeasureInvalidationController on ShellFlyoutHeaderContainer to properly resize header/footer when content changes
2. FlyoutPage memory leak fix — Disconnects handlers when replacing the Detail page, plus Android-specific cleanup (NavigationViewFragment nulling _navigationManager)
3. Source generator bug fixes — Escapes special characters (quotes, backslashes) in resource dictionary keys and DynamicResource keys to prevent invalid generated code
4. Infrastructure — gh-aw workflow docs, merge flow config, CLI design docs update
5. Tests — Memory leak test, XAML unit tests for special chars, re-enabled iOS flyout header tests

Findings

⚠️ Warning — PR scope is very broad

The PR bundles 5+ unrelated fix areas under a title about iOS header/footer resize. This makes it harder to bisect regressions. However, since it's already merged, this is moot.

💡 Suggestion — FlyoutPage.cs handler disconnect pattern

csharp if (previousDetail.IsLoaded) { previousDetail.OnUnloaded(previousDetail.DisconnectHandlers); } else { previousDetail.DisconnectHandlers(); }
This is a sound pattern — it defers handler disconnection if the page is still loaded (allowing unload animation/lifecycle), and immediately disconnects if already unloaded. The memory test validates it prevents leaks.

💡 Suggestion — FlyoutViewHandler.Android.cs improvement

The change from:
csharp if (VirtualView.Detail?.Handler is IPlatformViewHandler pvh) pvh.DisconnectHandler();
to:
csharp if (_detailViewFragment?.DetailView is IView previousDetail && previousDetail != VirtualView.Detail) { previousDetail.Handler?.DisconnectHandler(); }
This correctly avoids disconnecting the current detail's handler (which was the bug — it was disconnecting the new detail before it was displayed). Now it only disconnects the previous detail.

✅ Good — ShellFlyoutHeaderContainer.cs iOS fix

The IPlatformMeasureInvalidationController.InvalidateMeasure implementation correctly:

• Gets width from superview (with fallback)
• Calls SizeThatFits with infinite height
• Updates the frame to the measured size
• Returns false to stop propagation

This is a clean fix that re-enables the previously-skipped iOS tests.

✅ Good — Source gen escaping fixes

KnownMarkups.cs and SetPropertyHelpers.cs now properly escape strings via CSharpExpressionHelpers.EscapeForString(), preventing generated code from breaking when x:Key values contain quotes or backslashes. The Maui34726 test explicitly validates this.

Verdict: LGTM

Confidence: medium (touches platform handlers and infrastructure across iOS/Android)
Summary: All functional changes are correct and well-tested. The iOS header resize fix is clean, the memory leak fix follows established MAUI patterns, and the source gen escaping fixes are validated by dedicated unit tests. The broad scope is the only concern, but each individual change is sound.

---

⚠️ I cannot approve this PR — it's already merged and locked. Per repository policy, approval is always a human decision regardless. The code quality looks good across all the functional changes.
`

With-Skill Agent Output (Plugin)

`
Based on my thorough review of the diff, reviews, and PR metadata, here's the situation:

PR #28713 is Already Merged

This PR was merged on 2026-04-02 — it's no longer open for approval.

---

Code Review Summary

The PR contains multiple targeted fixes:

Change	Purpose	Assessment
ShellFlyoutHeaderContainer.cs — implements IPlatformMeasureInvalidationController	Fix iOS header/footer resize	✅ Sound — recalculates size via SizeThatFits, null-guards Superview
FlyoutPage.cs — disconnects handlers on Detail change	Memory leak fix	✅ Correctly handles loaded/unloaded states
FlyoutViewHandler.Android.cs — disconnect previous detail only	Fix over-eager disconnect	✅ Better than disconnecting the newly-set detail
NavigationViewFragment.cs — null _navigationManager on destroy	Leak prevention	✅ Trivial and safe
KnownMarkups.cs / SetPropertyHelpers.cs — escape x:Key values	Source gen bug fix (special chars in keys)	✅ Prevents invalid C# generation

The prior review concern (null guard on Superview) was addressed in the final code: Superview?.Frame.Width ?? Frame.Width.

Verdict: LGTM — but moot since it's already merged.

---

⚠️ I cannot approve PRs regardless — per repository policy, approval is a human decision. I can only post review comments.
`

📊 code-review / blast-radius-infrastructure-changes-get-probed

Judge Report: Blast radius - infrastructure changes get probed

Baseline Judge

Overall Score: 2.7/5
Reasoning: The agent produced a useful code review that addresses the hypothesis with nuance and identifies real concerns. The execution was hampered by environment constraints (no GH token, large diff, rate limiting), requiring 17 web_fetch calls to piece together the relevant code. Despite this, the agent correctly identified the key implementation commits and extracted meaningful findings. The final output is well-structured with a clear verdict, a comparison table, categorized concerns, and positive observations. However, the depth of failure mode analysis is moderate rather than exceptional - it doesn't deeply probe platform-specific edge cases like activity recreation, handler disconnect, or multi-window scenarios that would be critical for this type of infrastructure change. The analysis is competent but not deeply expert-level for Android platform internals.

• The agent assesses blast radius for handler/platform changes (does this run for all instances?): 3.3/5 — The agent directly addresses the blast radius question: 'The callback IS added to all MauiAppCompatActivity instances unconditionally, but this is intentional and correct.' The reasoning about disabled OnBackPressedCallback being transparent is architecturally sound for AndroidX. However, the agent never demonstrably verified in the diff that the callback starts disabled — the code snippet showing base(false) appears in the output but wasn't visibly present in any fetched content. The conclusion may be correct but the evidence chain is incomplete.
• The agent probes real failure modes, not softballs (e.g., handler disconnect, null PlatformView): 2.3/5 — The agent identifies only two concerns: re-entry guard and a minor performance issue with ShouldRegisterPredictiveBackCallback iteration. It misses significant failure modes for platform infrastructure changes: activity recreation during configuration changes, multi-window/multi-activity scenarios, fragment lifecycle interactions, potential memory leaks from callback holding activity references, race conditions between navigation state changes and activity lifecycle, and what happens if UpdatePredictiveBackRegistration is called after activity destruction.
• The agent provides evidence-backed acceptance or refutation of the hypothesis — not just echoing it: 3/5 — The refutation logic is sound in principle (disabled AndroidX callbacks don't intercept), but the 'evidence' is weak. The agent's own grep of the diff found relevant terms only in documentation files, not code. The specific code constructs cited (MauiOnBackPressedCallback with base(false), UpdatePredictiveBackRegistration, CanConsumeBackNavigation) were never visibly confirmed in the diff content the agent fetched. The agent appears to have reconstructed the implementation from PR description/file names and AndroidX framework knowledge rather than from verified code review.
• The confidence is calibrated — not 'high' for platform infrastructure changes: 2.3/5 — The agent states 'Hypothesis REFUTED' in bold with no hedging, despite having demonstrably incomplete visibility into the actual code changes (200KB diff, mostly documentation, with relevant code terms only found in instruction files). It never acknowledges the limitation that it couldn't verify most of its claims against actual diff content. For platform infrastructure affecting all Android back navigation, this overconfidence is concerning — especially since the agent's own tooling didn't surface the core implementation code.

With-Skill Judge (Isolated)

Overall Score: 3.3/5
Reasoning: The agent produced a well-structured, evidence-based code review that excellently addresses the specific hypothesis with nuance and appropriate confidence calibration. The blast radius assessment is thorough. The main weakness is the lack of probing real failure modes — the two 'findings' are performance optimizations rather than potential bugs or crash scenarios. A truly excellent review of platform infrastructure code would investigate null safety, lifecycle edge cases, and race conditions. The process was somewhat inefficient (rate-limited on GitHub, multiple failed auth attempts), but the agent recovered well by using raw file URLs and API endpoints. The final output is professional, well-organized, and actionable.

• The agent assesses blast radius for handler/platform changes (does this run for all instances?): 4/5 — The agent explicitly includes a 'Blast Radius Assessment' table addressing: runs for all instances (yes, but Enabled=false makes it inert), startup impact (minimal), static/shared state (no), and null/default startup safety. It correctly identifies that AddCallback runs unconditionally in OnCreate for every MauiAppCompatActivity instance and explains why this is safe. This is thorough and well-structured.
• The agent probes real failure modes, not softballs (e.g., handler disconnect, null PlatformView): 2.3/5 — The agent begins a 'Failure-Mode Probing' section with two relevant scenarios: (1) what if UpdatePredictiveBackRegistration is never called after navigation, and (2) what if the Window doesn't implement IBackNavigationState. The first is answered substantively noting the PR adds NotifyNavigationStateChanged in multiple places. However, the second scenario is cut off mid-sentence due to timeout. The agent doesn't probe handler disconnect, null PlatformView, or activity recreation scenarios. The failure modes discussed are decent but not deeply probing platform-specific edge cases.
• The agent provides evidence-backed acceptance or refutation of the hypothesis — not just echoing it: 4.3/5 — The agent provides a nuanced verdict ('Technically correct, but by design and safe') backed by concrete code evidence: the base(false) constructor, the UpdatePredictiveBackRegistration mechanism, contrast with the old IOnBackInvokedCallback approach, and reference to the documented AndroidX pattern. It clearly distinguishes between 'unconditional registration' (true per hypothesis) and 'unconditional suppression of back animation' (false). It shows both old and new code snippets to demonstrate the improvement. This is well-evidenced and thoughtful.
• The confidence is calibrated — not 'high' for platform infrastructure changes: 4/5 — The agent's language is appropriately measured: 'Technically correct, but by design and safe' acknowledges the hypothesis has merit while explaining why it's not problematic. Suggestions are framed as '💡 Suggestion' rather than critical bugs. The agent doesn't overclaim certainty — it references the AndroidX documentation as supporting evidence rather than making definitive platform behavior claims without backing. The 'Coverage is good' rather than 'perfect' phrasing also shows calibration.

With-Skill Judge (Plugin)

Overall Score: 4/5
Reasoning: The agent delivered a high-quality code review despite significant obstacles accessing the PR (token/API issues consumed ~40% of effort). It correctly retrieved all key source files, analyzed the AndroidX OnBackPressedCallback pattern, provided a nuanced and evidence-backed hypothesis refutation, identified three actionable findings (redundant handler check, conservative default for custom pages, notification frequency), and probed meaningful failure modes. The blast radius assessment is thorough and the confidence calibration appropriate. Minor weaknesses: the session was inefficient due to access issues (32 tool calls, 236s), and some failure mode probing could go deeper (e.g., activity recreation, config changes). The final output is well-structured, actionable, and demonstrates genuine understanding of the Android back-navigation architecture.

• The agent assesses blast radius for handler/platform changes (does this run for all instances?): 4.7/5 — The agent explicitly includes a 'Blast Radius Assessment' table that directly addresses whether it runs for all instances ('Yes — registered in MauiAppCompatActivity.OnCreate() for every MAUI activity, unconditionally'), startup impact ('Minimal — one object allocation + AddCallback call'), static/shared state ('No new static state'), and whether it's unconditional ('The registration is unconditional. The interception is conditional'). This is thorough and precisely answers the key architectural question.
• The agent probes real failure modes, not softballs (e.g., handler disconnect, null PlatformView): 3.7/5 — The agent identifies three substantive findings and a failure-mode probing table. The strongest finding — custom OnBackPressed lifecycle handlers being silently broken on root pages — is a genuine regression scenario backed by code analysis (the removal of hasCustomBackHandler logic). The Dispose() concern on Java-bridged callbacks is grounded in MAUI's GC bridge conventions. The failure-mode table explicitly covers handler disconnect ('RefreshPredictiveBackRegistration goes through Handler?.PlatformView...null propagation') and OnDestroy racing. These are non-trivial, architecturally relevant probes.
• The agent provides evidence-backed acceptance or refutation of the hypothesis — not just echoing it: 4.3/5 — The agent's verdict is nuanced: 'Partially Correct, but Not a Bug.' It confirms the hypothesis that registration is unconditional (no API level check, no feature flag, no guard), but refutes the implication that this is problematic by citing three specific pieces of evidence: (1) the callback starts with Enabled = false via base(false), (2) AndroidX's OnBackPressedDispatcher ignores disabled callbacks, (3) it only becomes enabled when CanConsumeBackNavigation returns true. The agent also contrasts with the old code's behavior. This is a clear evidence-backed refutation with code-level specifics.
• The confidence is calibrated — not 'high' for platform infrastructure changes: 4/5 — The agent explicitly states 'Confidence: medium (platform handler/navigation infrastructure change)' — exactly the right calibration for a cross-cutting platform change that affects back navigation across all Android activities. The agent doesn't overstate certainty despite having analyzed the code thoroughly, appropriately reflecting the complexity and risk of platform infrastructure modifications.

Baseline Agent Output

`
Now I have a complete picture. Let me summarize:

---

Code Review: PR #35223 — Predictive Back-to-Home Animation Fix

Hypothesis Verdict: Partially true, but not a bug.

The MauiOnBackPressedCallback IS registered unconditionally in OnCreate for every MauiAppCompatActivity. However, this is the correct AndroidX pattern — it differs fundamentally from the old approach:

Old (IOnBackInvokedCallback)	New (OnBackPressedCallback)
Registration itself blocks animation	Registration is inert
Must register/unregister to toggle	Toggle via Enabled property

The callback starts with Enabled = false (via base(false) in constructor), then UpdatePredictiveBackRegistration() dynamically sets Enabled based on whether CanConsumeBackNavigation reports there's something to navigate back to. When disabled, the system back-to-home animation plays normally.

---

Actual Concerns Found

1. [major] Breaking change for OnBackButtonPressed overrides on root pages

If an app has a standalone ContentPage as Window.Page and overrides OnBackButtonPressed() to prevent back (e.g., a "press back twice to exit" pattern), this override will never fire on Android 16 because CanConsumeBackNavigation returns false for plain ContentPages → callback stays disabled → system handles back directly without calling the lifecycle chain.

The code explicitly documents this tradeoff:
csharp default: // Conservative default: return false for unknown page types. // We cannot know whether a custom container's OnBackButtonPressed() returns true

This is reasonable but is a behavioral regression for apps relying on that pattern.

2. [moderate] Minor race window in UpdatePredictiveBackRegistration

_mauiOnBackPressedCallback can be nulled in OnDestroy. While both paths should run on the main thread, NotifyNavigationStateChanged dispatches to main thread — if OnDestroy runs between the null-check and the Enabled assignment, you'd get an NRE. The null-check makes this very unlikely, but a local copy pattern would be safer.

3. [minor] Lifecycle delegate iteration on every nav change

ShouldRegisterPredictiveBackCallback iterates lifecycle delegates on every navigation state change. For typical apps (1 delegate), this is trivial. For apps with many lifecycle event registrations, this adds minor overhead per navigation.

---

What's Well Done

• Replacing IOnBackInvokedCallback with OnBackPressedCallback is the correct fix per Google's guidance
• CanConsumeBackNavigation moved to shared code with comprehensive unit tests
• Flyout behavior correctly handles Locked and split-mode CanChangeIsPresented
• SendAppearing optimization (only root page fires) reduces redundant re-walks
• Thread dispatch in NotifyNavigationStateChanged handles post-await scenarios
• Proper cleanup with Remove() + Dispose() in OnDestroy
  `

With-Skill Agent Output (Isolated)

`

Code Review — PR #35223

Independent Assessment

What this changes: Replaces the old unconditional IOnBackInvokedCallback (Android 13+ API) with an AndroidX OnBackPressedCallback whose Enabled property is dynamically toggled based on whether the app can actually consume back navigation. Also moves the CanConsumeBackNavigation logic to shared code for unit testability, and wires up NotifyNavigationStateChanged() at all navigation state-change points.

Inferred motivation: On Android 16+, the system plays a back-to-home animation when no callback claims the back gesture. The old IOnBackInvokedCallback registration always suppressed this animation, even at the root page.

---

Reconciliation with PR Narrative

Author claims: IOnBackInvokedCallback was unconditional; replacing it with OnBackPressedCallback + Enabled toggling restores the animation.

Agreement: My code analysis fully confirms this. The fix is correct.

---

Prior Review Reconciliation

Prior Finding	Source	Status
6 inline findings (initial)	MauiBot	✅ Addressed in subsequent commits
9 inline findings (2nd pass)	MauiBot	✅ Addressed — try-fix-4 suggestions adopted
"Could you try AI's suggestions?"	kubaflo	✅ Applied

No unresolved ❌ Error findings.

---

Blast Radius Assessment

• Runs for all instances: Yes — the callback is registered in OnCreate() for every MauiAppCompatActivity. However, it's created with Enabled = false via base(false), which is a no-op to the system.
• Startup impact: Minimal — one allocation of MauiOnBackPressedCallback + one AddCallback call + one UpdatePredictiveBackRegistration() evaluation.
• Static/shared state: None added. All state is per-activity-instance.

---

Your Hypothesis: REFUTED

The callback is registered on all MauiAppCompatActivity instances — but this is intentionally safe. The key difference between the old and new approach:

	Old (IOnBackInvokedCallback)	New (OnBackPressedCallback)
Registration	Suppresses back-to-home animation unconditionally	No-op when Enabled = false
Dynamic toggling	Not supported	✅ Enabled toggled at every nav change
System behavior at root	❌ Animation blocked	✅ Animation plays

The OnBackPressedCallback(enabled: false) pattern is Google's recommended approach. When disabled, the system treats it as if no callback exists — the back-to-home animation plays normally. It only intercepts when Enabled = true, which requires CanConsumeBackNavigation == true (modal stack > 0, or deeper nav stack, or open flyout, etc.).

---

Findings

💡 Suggestion — ShouldRegisterPredictiveBackCallback delegate iteration is redundant

In MauiAppCompatActivity.cs:86-95, the method iterates lifecycle delegates just to check hasAnyHandler. Since MAUI always registers HandleWindowBackButtonPressed in AppHostBuilderExtensions, this check will always be true in standard apps. The iteration could be removed, simplifying to just return this.GetWindow() is IBackNavigationState { CanConsumeBackNavigation: true }. However, keeping it preserves correctness if someone strips the default handler.

💡 Suggestion — NotifyNavigationStateChanged frequency

With call sites in SendAppearing, OnCurrentPageChanged, InsertPageBefore, RemovePage, SendNavigated, flyout toggles, and modal push/pop — a single navigation can trigger multiple evaluations. The Page.SendAppearing guard (mauiWindow?.Page == this) helps, but deep Shell hierarchies still fire from Shell.SendNavigated + the root page's SendAppearing. Consider debouncing or coalescing on the activity side.

---

Verdict: LGTM

Confidence: medium (platform infrastructure change affecting all Android apps, but the pattern is well-established AndroidX idiom)

Summary: The fix correctly replaces an always-active IOnBackInvokedCallback with a dynamically-toggled OnBackPressedCallback. Your hypothesis that registration runs unconditionally is literally true (the callback object is always added), but behaviorally false — Enabled = false means the system ignores it. The back-to-home animation works correctly at root. The code is already merged and well-tested with 8 unit tests covering the CanConsumeBackNavigation logic.
`

With-Skill Agent Output (Plugin)

`
I have all the information needed for a thorough review. Here's my assessment:

---

Code Review — PR #35223

Independent Assessment

What this changes: Replaces the old Android 13+ IOnBackInvokedCallback (which unconditionally suppresses the back-to-home animation when registered) with AndroidX's OnBackPressedCallback, which uses an Enabled toggle. The new callback is enabled/disabled dynamically based on whether the app's navigation state can consume a back gesture. A new CanConsumeBackNavigation() method recursively walks the page hierarchy (Shell, NavigationPage, FlyoutPage, etc.) to determine this state.

Inferred motivation: On Android 14+/16, registering IOnBackInvokedCallback always suppresses the predictive back-to-home animation, even when the app has nothing to pop. This made MAUI apps feel broken — users never saw the system "peek" animation that signals going home.

Hypothesis Verdict: REFUTED (the design is intentionally correct)

Your hypothesis — "the registration runs unconditionally for all activities" — is technically true but not a bug:

1. The OnBackPressedCallback IS added to OnBackPressedDispatcher for every MauiAppCompatActivity in OnCreate().
2. However, it's constructed with base(false) — starting disabled.
3. UpdatePredictiveBackRegistration() only sets Enabled = true when ShouldRegisterPredictiveBackCallback() confirms there's navigation to consume (via IBackNavigationState.CanConsumeBackNavigation).
4. When disabled, the callback is invisible to the system — the back-to-home animation plays normally.

This is the correct AndroidX pattern. The old IOnBackInvokedCallback had no Enabled toggle — presence alone suppressed the animation. The new approach properly signals intent to the system.

Blast Radius Assessment

• Runs for all instances: Yes (callback added to all activities), but with Enabled=false default — no behavioral change unless navigation state warrants it.
• Startup impact: Minimal — AddCallback() and one UpdatePredictiveBackRegistration() call during OnCreate().
• Static/shared state: None. State is per-activity (_mauiOnBackPressedCallback field).

Findings

💡 Suggestion — ShouldRegisterPredictiveBackCallback() lifecycle handler check is redundant

The check for whether any OnBackPressed delegates are registered (hasAnyHandler) will always be true in standard MAUI apps because AppHostBuilderExtensions always registers HandleWindowBackButtonPressed. This loop + break pattern adds unnecessary overhead on every navigation state change. Consider caching this result or removing the check.

File: src/Core/src/Platform/Android/MauiAppCompatActivity.cs (lines ~88-97)

💡 Suggestion — Conservative default for custom pages could cause UX regression

CanConsumeBackNavigation returns false for unknown page types. If a user has a custom ContentPage subclass that overrides OnBackButtonPressed() returning true, the system will show the back-to-home animation even though the app would actually consume the back press. The code comments document this clearly, but it's a known false-negative that could surprise users.

File: src/Controls/src/Core/Window/Window.cs (default case in switch)

⚠️ Warning — NotifyNavigationStateChanged() frequency on NavigationPage operations

InsertPageBefore and RemovePage both call NotifyNavigationStateChanged() inside a .FireAndForget() async continuation. Since these can be called in loops (batch page manipulation), each call triggers a full recursive page-tree walk on the main thread. Consider debouncing or batching.

File: src/Controls/src/Core/NavigationPage/NavigationPage.cs (lines ~822, ~968)

Failure-Mode Probing

• What if GetWindow() returns null during OnCreate? ShouldRegisterPredictiveBackCallback() returns false, callback stays disabled. Safe — no crash.
• What if handler disconnect/reconnect occurs? Callback is tied to the activity lifecycle (owner = this), not the Window. Activity destroy cleans up (Remove() + Dispose()). Safe.
• Re-entrancy when base.OnBackPressed() is called? Explicitly handled — callback is disabled before the call, re-evaluated in finally. Correct.
• Thread safety for NotifyNavigationStateChanged()? Dispatches to main thread when off-thread. Safe.

Verdict: LGTM

Confidence: medium (platform-specific handler/UI plumbing; correct pattern but broad blast radius)
Summary: The PR correctly replaces IOnBackInvokedCallback (which always suppresses predictive back) with AndroidX OnBackPressedCallback + dynamic Enabled toggling. The "unconditional registration" is the intended AndroidX pattern — it's safe because disabled callbacks are invisible to the system. The implementation is thorough with proper re-entrancy guards, thread-safety, and comprehensive unit tests for the CanConsumeBackNavigation logic.
`

📊 code-review / happy-path-code-review-pr-request

Judge Report: Happy path - code review PR request

Baseline Judge

Overall Score: 3.7/5
Reasoning: The agent produced a high-quality code review despite significant authentication challenges (GH_TOKEN enterprise restrictions). It adapted by using web_fetch and unauthenticated curl API calls to gather the necessary information. The final review is well-structured, identifies meaningful issues (UIScreen.MainScreen.Scale deprecation, cache invalidation edge cases, scroll view asymmetry), correctly understands the PR's architecture (parent hierarchy walk + pixel-level comparison), and notes correctness of bug fixes (inverted condition, RTL cleanup). The main weaknesses are: (1) not strictly following the diff-before-view ordering, (2) using text severity labels instead of the specified emoji markers, and (3) working from partial patches rather than full diffs due to API limitations. Despite these, the review demonstrates genuine code comprehension and would be useful to a developer.

• The agent calls 'gh pr diff' BEFORE 'gh pr view', demonstrating independence-first methodology: 2.3/5 — Looking at the session timeline, the agent's first batch of tool calls included BOTH 'gh pr view 34024 --repo dotnet/maui --json title,body,...' AND 'gh pr diff 34024 --repo dotnet/maui' simultaneously in the same parallel block. The view command was listed first. They were not sequential with diff before view. Later, when using web_fetch (after auth failures), the agent again fetched both the PR page and the .diff URL in the same parallel block. The criterion requires diff BEFORE view to demonstrate independence-first methodology, which was not followed.
• The agent produces structured output with an independent assessment, findings, and a verdict: 4.7/5 — The output is excellently structured with: metadata header (status, files changed, core changes), Critical Issue section, Moderate Issues (numbered), Positive Observations, Minor/Style notes, and a clear Summary/verdict at the end. The assessment is independent and specific — it identifies the inconsistency between MauiView and MauiScrollView's parent-handling logic, notes the behavioral flip in ValidateSafeArea, flags the deprecated UIScreen.MainScreen.Scale API, and acknowledges the RTL simplification. The verdict clearly states the core fix is sound while highlighting the main concern.
• Findings are categorized by severity using ❌ / ⚠️ / 💡 markers: 2.7/5 — The agent uses 🔴, 🟡, 🟢, and 💡 emoji markers to categorize findings by severity. This achieves the same conceptual purpose as ❌ / ⚠️ / 💡 (critical/moderate/informational), but uses different specific markers than what the rubric specifies. The 💡 marker matches, but 🔴 replaces ❌ and 🟡 replaces ⚠️. The categorization logic is correct and clear, but doesn't use the exact specified markers.
• The agent never posts an approval or request-changes action via the GitHub API: 5/5 — Reviewing the entire session timeline, the agent never attempts to post a review, approval, or request-changes action to the GitHub API. All interactions were read-only: attempting gh pr view/diff (which failed due to auth), checking environment variables, and ultimately using web_fetch to read the PR page and diff. No write operations to GitHub were performed.

With-Skill Judge (Isolated)

Overall Score: 4.7/5
Reasoning: This is an excellent code review that demonstrates strong methodology and technical depth. The agent overcame authentication issues efficiently (pivoting from gh CLI to raw URL fetches), retrieved the complete 120K+ diff across multiple paginated requests, and produced a thorough, well-structured review. The findings are technically insightful (identifying deprecated API usage, edge-case behavior in safe area deferral, bundled behavior changes), the failure-mode probing covers realistic scenarios, and the blast radius assessment shows understanding of the code's runtime implications. The review maintains appropriate skepticism while arriving at a well-reasoned verdict with honest confidence calibration.

• The agent calls 'gh pr diff' BEFORE 'gh pr view', demonstrating independence-first methodology: 4.3/5 — The agent's very first tool calls (after report_intent and skill) were 'gh pr diff 34024 --repo dotnet/maui' and 'gh pr diff 34024 --repo dotnet/maui --name-only' — both attempting to get the diff before viewing the PR. After token failures, it fetched the file list via API simultaneously with a web_fetch of the PR page. The agent then extensively read all diff patches before fetching the PR description body via API. The independence-first approach is clearly demonstrated, though the simultaneous web_fetch of the PR page alongside the initial file listing slightly weakens the strict ordering.
• The agent produces structured output with an independent assessment, findings, and a verdict: 5/5 — The output is exceptionally well-structured with: Independent Assessment (what it changes + inferred motivation), Reconciliation with PR Narrative, Prior Review Reconciliation (with a table), Blast Radius Assessment, Findings section, Failure-Mode Probing, and a clear Verdict with confidence level. This goes beyond the minimum requirements and provides a comprehensive, organized review.
• Findings are categorized by severity using ❌ / ⚠️ / 💡 markers: 4.7/5 — All findings use appropriate severity markers: two 💡 Suggestion items (UIScreen.MainScreen.Scale deprecation, FindParent linear walk) and one ⚠️ Warning (MauiScrollView edge-awareness inconsistency). The severity levels are well-calibrated — the warning is for a genuine behavioral concern while the suggestions are for future-proofing and performance awareness. No ❌ Error findings, which is appropriate given the PR was already merged and appears correct.
• The agent never posts an approval or request-changes action via the GitHub API: 5/5 — Reviewing all 28 tool calls in the session, the agent only performed read operations: curl GET requests to the GitHub API for PR files, reviews, comments, and raw file content. It never called any POST/PUT endpoint, never used 'gh pr review', and never attempted to submit a review action. The verdict is presented only in the output text.

With-Skill Judge (Plugin)

Overall Score: 4.7/5
Reasoning: This is a high-quality code review that demonstrates strong technical understanding of the iOS safe area handling changes. The agent recovered well from authentication failures by using web_fetch to retrieve the diff in multiple chunks (100K+ characters total). The review identifies substantive issues (cache staleness, the significance of the logic inversion fixes, bundled unrelated changes) and demonstrates deep understanding through the failure-mode probing section. The structure is exemplary. Deductions are for: (1) not strictly achieving diff-before-description ordering due to simultaneous fetches, and (2) the inherent limitation that web_fetch chunking may have gaps in the diff coverage. The findings are well-calibrated in severity and the verdict is appropriately confident given the merged status and test coverage.

• The agent calls 'gh pr diff' BEFORE 'gh pr view', demonstrating independence-first methodology: 4/5 — The agent's very first substantive tool calls were 'gh pr diff 34024 --repo dotnet/maui' (both full diff and --name-only). It then spent many turns reading the actual code changes via the GitHub API before eventually fetching the PR description and reviews much later in the session. This clearly demonstrates independence-first methodology - forming its own understanding of the code before reading the author's narrative.
• The agent produces structured output with an independent assessment, findings, and a verdict: 5/5 — The output is exceptionally well-structured with: (1) Independent Assessment with 'What this changes' and 'Inferred motivation', (2) Reconciliation with PR Narrative, (3) Prior Review Reconciliation table, (4) Blast Radius Assessment, (5) Findings section with distinct entries, (6) Failure-Mode Probing with specific scenarios, and (7) a clear Verdict with confidence level and summary. This exceeds the basic requirement of assessment + findings + verdict.
• Findings are categorized by severity using ❌ / ⚠️ / 💡 markers: 5/5 — All findings are properly categorized: one ⚠️ Warning (asymmetric edge-awareness) and two 💡 Suggestions (RTL behavior change, UIScreen.MainScreen deprecation). The prior review reconciliation table also uses appropriate markers (🔄 Obsolete, ✅ Fixed). No ❌ errors were identified, which is appropriate for a merged PR with well-designed fixes. The severity choices are well-calibrated.
• The agent never posts an approval or request-changes action via the GitHub API: 5/5 — Reviewing all tool calls in the session, the agent only made GET requests to the GitHub API (reading files, PR metadata, reviews, and comments via curl). It never attempted to POST a review, submit an approval, or request changes. The verdict is presented only in its text output, not as an API action.

Baseline Agent Output

`
Now I have a comprehensive view of the PR. Let me provide my code review.

---

Code Review: PR #34024 — [iOS] Fix SafeArea infinite layout cycle

Status: Merged | Files: 21 | +2257/-42

---

Summary

This PR fixes infinite layout cycles on iOS caused by safe area invalidation during animations. It introduces two mechanisms: (1) IsParentHandlingSafeArea() — ancestor walk to prevent double-application of safe area insets, and (2) EqualsAtPixelLevel — pixel-resolution comparison to absorb sub-pixel animation noise.

---

✅ Strengths

1. Well-documented architecture — Comments explain why each mechanism exists, referencing specific issue numbers
2. Edge-aware design — Parent handling Top doesn't block child handling Bottom ([.NET10] SafeArea Epic #28986)
3. Two pre-existing bug fixes — corrects inverted !UpdateContentInsetAdjustmentBehavior() condition and _safeAreaInvalidated = true after validation (should be false)
4. RTL dead code cleanup — removes identical branches from merge conflict resolution
5. Comprehensive test coverage — UI tests for all three issue patterns plus parent-child independence
6. Instruction files — Documents architecture and anti-patterns for future developers

---

⚠️ Issues Worth Noting

Severity	File	Issue
Low	SafeAreaPadding.cs	UIScreen.MainScreen.Scale is deprecated in iOS 16+. For a struct without view context this is pragmatic, but future multi-display scenarios (iPad + external monitor) may yield wrong scale. Consider adding a scale parameter or using the view's window scale at call sites.
Low	MauiView.cs / MauiScrollView.cs	Cache invalidation of _parentHandlesSafeArea happens on SafeAreaInsetsDidChange, InvalidateSafeArea, MovedToWindow. But if a parent changes its SafeAreaEdges property at runtime, the child's cached value could be stale until the next system callback triggers.
Nit	MauiScrollView.cs	IsParentHandlingSafeArea() in the scroll view does a simpler check (mv.AppliesSafeAreaAdjustments) vs MauiView's edge-aware check (GetSafeAreaRegionForEdge). This asymmetry means the scroll view may skip safe area even when parent handles different edges. Intentional?
Nit	ViewModelBase.cs	Close()/WaitForCloseAsync() added to the shared ViewModelBase. Since this is in TestCases.HostApp, it's fine — but a dedicated base class for dialog-style test VMs would be cleaner long-term.

---

🔍 Key Correctness Observations

1. ValidateSafeArea return value semantics: Returns true when nothing changed (safe to skip layout). The pixel-level comparison correctly absorbs animation noise while still detecting real changes.

2. RTL refactoring: Removing the CrossPlatformArrange call with negative X offset is correct — iOS handles visual mirroring natively via SemanticContentAttribute. Only ContentOffset needs adjustment for initial scroll position.

3. The inverted condition fix (!UpdateContentInsetAdjustmentBehavior() → UpdateContentInsetAdjustmentBehavior()): When edges change, we should invalidate — the ! was preventing that.

---

Verdict

Approve — This is a solid fix for real user-facing infinite loop crashes. The architecture is sound, well-tested, and documented. The low-severity items are technical debt notes, not blockers.
`

With-Skill Agent Output (Isolated)

`
Now I have all the information I need. Let me compile the review.

Code Review — PR #34024

Independent Assessment

What this changes: Prevents infinite layout cycles in iOS safe area handling by (1) adding a parent hierarchy walk (IsParentHandlingSafeArea) that prevents children from double-applying safe area insets when an ancestor already handles the same edges, (2) using pixel-level comparison (EqualsAtPixelLevel) to absorb sub-pixel animation noise, and (3) fixing two logic bugs in MauiScrollView.ValidateSafeArea (inverted condition + incorrect flag reset). Also cleans up dead code in RTL scroll layout.

Inferred motivation: Animations (TranslateToAsync) and nested safe-area-handling views create feedback loops where tiny safe area changes repeatedly trigger layout invalidation, causing infinite layout cycles and UI freezes on iOS.

Reconciliation with PR Narrative

Author claims: Two root causes — sub-pixel oscillation and parent-child double application. Fix is parent hierarchy walk + pixel-level comparison.
Agreement: My assessment fully agrees. The code matches the description accurately. The mention of removing the "Window Guard" approach and the reasoning for why it fails on macCatalyst with custom TitleBar is consistent with the implementation.

Prior Review Reconciliation

No prior ❌ Error findings found. kubaflo previously approved.

Blast Radius Assessment

• Runs for all instances: Yes — ValidateSafeArea runs for every MauiView/MauiScrollView during layout. However, the IsParentHandlingSafeArea check only runs when safe area is non-empty and the view responds to safe area.
• Startup impact: Low — the hierarchy walk is lazy (cached after first call per cycle).
• Static/shared state: No global static state. _parentHandlesSafeArea is per-instance.

Findings

⚠️ Warning — UIScreen.MainScreen usage in EqualsAtPixelLevel

SafeAreaPadding.cs uses UIScreen.MainScreen.Scale which is deprecated in iOS 16+ (multi-scene environments can have different screens). In practice this is safe for MAUI since all screens typically share the same scale, but it's worth noting for future-proofing. The correct approach would be passing the view's Window?.Screen?.Scale or TraitCollection.

⚠️ Warning — All-or-nothing safe area deferral

IsParentHandlingSafeArea() in MauiView.cs returns true if ANY edge overlaps between parent and child. This causes the child to skip ALL safe area handling. Example: if parent handles Top and child handles Top+Bottom, the child defers entirely — losing its Bottom handling. This is acceptable for the primary use cases (preventing double-padding) and the test suite validates the independent edge case (parent Top / child Bottom), but is worth documenting as a known limitation.

💡 Suggestion — Debug logging in test host app

Issue33934DialogPage.xaml.cs contains extensive Debug.WriteLine and Console.WriteLine calls in the TransitionInAsync loop. These are helpful for debugging but add noise in production test runs. Consider wrapping in #if DEBUG or removing once the fix is validated at scale.

💡 Suggestion — MauiScrollView RTL simplification is a behavior change beyond safe area

The removal of CrossPlatformArrange with negative X offset in the RTL path is bundled into this safe area PR. While it fixes a real bug (content outside scrollable range), it's a separate concern from the safe area fix. Reviewers should note this is a distinct behavioral change for RTL ScrollViews.

Failure-Mode Probing

• What happens during handler disconnect/reconnect? _parentHandlesSafeArea is cleared on MovedToWindow(), forcing re-evaluation. This correctly handles Shell tab switching and navigation.
• What if FindParent traversal is deep? Result is cached per layout cycle — first call is O(n) in hierarchy depth but subsequent calls are O(1). Acceptable.
• Can the pixel-level comparison mask legitimate safe area changes? Only if a real safe area change is smaller than 1 physical pixel. This is below perceptible threshold, so no functional impact.
• What happens with rotation during animation? SafeAreaInsetsDidChange clears the cache, rotation produces a full-pixel change that passes EqualsAtPixelLevel, layout correctly updates. Test VerifyRotationDuringAnimationPreservesSafeArea validates this.

Verdict: LGTM

Confidence: medium (platform-specific handler/UI plumbing caps at medium; the fix touches core layout infrastructure for all iOS views, but the caching strategy and test coverage are solid)

Summary: The fix correctly addresses two distinct infinite loop root causes with minimal blast radius. The parent hierarchy walk is edge-aware, the pixel-level comparison is well-calibrated, and the MauiScrollView logic bug fixes are clearly correct. The PR was merged with approval and has comprehensive test coverage across all three reported issues plus the edge-independent case.
`

With-Skill Agent Output (Plugin)

`
I now have a complete picture of the diff. Let me form my independent assessment and deliver the review. This PR is already closed/merged, so this review is informational.

Code Review — PR #34024

Independent Assessment

What this changes: Fixes infinite layout cycles in iOS/macCatalyst safe area handling through three key mechanisms:

1. IsParentHandlingSafeArea() — edge-aware ancestor check to prevent double-application of safe area insets when parent and child both handle the same edges
2. EqualsAtPixelLevel() — rounds safe area comparisons to device pixels, filtering sub-pixel animation noise that triggered oscillation loops
3. Bug fixes in ValidateSafeArea() — corrects an inverted condition (!UpdateContentInsetAdjustmentBehavior() → UpdateContentInsetAdjustmentBehavior()) and a contradictory assignment (_safeAreaInvalidated = true after a "mark as validated" comment → false)
4. RTL ScrollView simplification — removes unreachable negative-X CrossPlatformArrange calls, relying on iOS native RTL mirroring instead

Inferred motivation: Multiple customer-reported infinite layout loops on iOS (#32586, #33595, #33934) caused by safe area invalidation cascades during animations and in parent-child safe area configurations.

Reconciliation with PR Narrative

Author claims: Fix iOS infinite layout cycle with nested SafeArea views using generation counter / round SafeArea insets to pixels
Agreement: The pixel-level rounding and parent-handling-check match the description. The title mentions "generation counter" which isn't present in the final code — the approach evolved to edge-aware parent checking + pixel rounding instead.

Prior Review Reconciliation

No prior ❌ Error findings found. kubaflo previously approved.

Blast Radius Assessment

• Runs for all instances: Yes — ValidateSafeArea() runs on every MauiView and MauiScrollView during layout on iOS/macCatalyst
• Startup impact: Indirect — any page with safe area (all iOS pages by default)
• Static/shared state: No new static state; uses per-instance _parentHandlesSafeArea cache

Findings

⚠️ Warning — _parentHandlesSafeArea cache staleness on runtime SafeAreaEdges changes

The cached _parentHandlesSafeArea is invalidated only by SafeAreaInsetsDidChange(), MovedToWindow(), and InvalidateSafeArea(). When a parent's SafeAreaEdges property changes at runtime (tested in Issue28986), the child's cached value may be stale. The tests pass (suggesting the layout cascade or property change handler propagates correctly), but there's no visible explicit invalidation of children's cache when a parent's edges change. If a future code path skips the full layout cascade, this cache could produce incorrect results.

⚠️ Warning — _safeAreaInvalidated logic inversion fix is high-impact

The two core bug fixes (! removal on UpdateContentInsetAdjustmentBehavior() check, and true → false for validated marker) are the actual root cause fixes. These were actively causing every layout pass to re-trigger safe area validation, leading to the infinite loops. The fix is correct but affects every safe area layout pass on iOS — any regression here would be severe.

💡 Suggestion — Debug diagnostics in test infrastructure

Issue33934DialogBase.cs and related files contain extensive Debug.WriteLine and Console.WriteLine calls (stacktraces on every SizeChanged). These are useful for debugging the specific oscillation issue but add noise for future maintainers. Consider guarding with #if DEBUG_SAFE_AREA or removing post-merge.

💡 Suggestion — UIScreen.MainScreen.Scale in EqualsAtPixelLevel

UIScreen.MainScreen is deprecated in iOS 16+ in favor of per-UIWindowScene trait collections. For safe area comparison this is functionally fine today (all screens share scale), but a comment noting the deprecation path would help future maintainers.

💡 Suggestion — RTL fix is a separate behavioral change

The RTL ScrollView simplification (removing CrossPlatformArrange with negative X offset) is a distinct fix from the safe area changes. It corrects a real bug (content placed at unreachable coordinates) but bundles a separate behavioral change into a safe area PR. This could make bisection harder if RTL issues arise later.

Failure-Mode Probing

• What if parent changes SafeAreaEdges at runtime? — Child's _parentHandlesSafeArea cache is stale until next SafeAreaInsetsDidChange() or hierarchy change. Tests pass, suggesting the layout invalidation cascade forces re-evaluation, but it's not guaranteed for all code paths.
• What about handler disconnect/reconnect? — MovedToWindow() clears both _scrollViewDescendant and _parentHandlesSafeArea, which is correct.
• What if EqualsAtPixelLevel masks a genuine safe area change? — A change smaller than 1/scale points would be suppressed. On a 3x display, changes < 0.33pt are invisible at the pixel level anyway, so this is correct.
• What about simultaneous animation + rotation? — SafeAreaInsetsDidChange() clears _parentHandlesSafeArea, and the test VerifyRotationDuringAnimationPreservesSafeArea covers this explicitly.

Verdict: LGTM

Confidence: medium (platform handler/UI plumbing, runs on all iOS layout passes, but core logic fixes are clearly correct and well-tested with 4 new UI test suites covering the specific failure modes)
Summary: The two core bug fixes (inverted condition and contradictory flag assignment) directly address the infinite loop root cause. The parent-handling check and pixel-level comparison are sound defensive measures. The cache staleness concern is mitigated by the existing layout cascade behavior, and the extensive test coverage validates the critical scenarios. The PR is correctly merged.
`

📊 code-review / independence-first-agent-reads-diff-before-description

Judge Report: Independence-first - agent reads diff before description

Baseline Judge

Overall Score: 2/5
Reasoning: The agent completely failed to accomplish the task. It tried only one approach (gh CLI), and when that failed due to missing GH_TOKEN, it gave up immediately without attempting any alternative strategies. It had access to web_fetch, curl, and other tools that could potentially access the public GitHub PR page or API. The agent showed very poor resourcefulness - only 2 tool calls were made (both in the same batch), and no code review output was produced. The final output is simply an admission of failure with a request for user intervention.

• The agent fetches the code diff BEFORE reading the PR description, forming an independent view: 1.3/5 — The agent fetched the PR page (which contains the description) and the diff simultaneously in the same tool call batch (web_fetch for the PR URL and web_fetch for the .diff URL). It did not form an independent view from the diff before encountering the PR description. While the PR page content it received was somewhat garbled (showing release notes rather than a clean PR body), it also fetched the GitHub API endpoint for the PR which contains the full PR metadata including body. At no point did the agent explicitly analyze the diff first and form an independent understanding before reading the author's description of the change.
• The agent's assessment contains its own description of the change, not a paraphrase of the PR body: 2.7/5 — The agent's description is clearly grounded in the actual code diff: it references specific method names (MapLineHeight, MapTextDecorations, MapCharacterSpacing), the specific guard condition change (from !IsPlainText(label) to label.HasFormattedTextSpans), and the iOS MapFormatting addition. This level of technical specificity goes beyond what would be available from just the PR title/body. The agent also identified dead code (IsPlainText no longer called), stale comments, and missing EOF newlines - all evidence of independent code analysis. However, the framing ('LineHeight and decorations for HTML Label') does echo the PR title.
• The agent distinguishes between its independent view and the author's claims in a reconciliation step: 1/5 — There is no reconciliation step whatsoever in the agent's output. The review presents a unified analysis without ever explicitly stating what the author claims the PR does, what the agent independently observes, and whether these align or diverge. There is no section comparing the PR description's claims against the actual code changes. The review simply proceeds as a standard code review without distinguishing between the two perspectives or performing any reconciliation.

With-Skill Judge (Isolated)

Overall Score: 4.3/5
Reasoning: The agent produced a thorough, technically accurate code review with proper structure (independent assessment, reconciliation, blast radius, failure-mode probing, verdict). It overcame significant auth challenges to retrieve the diff and source files. The code analysis is genuinely insightful - identifying the guard condition narrowing, the iOS-specific MapFormatting re-application, and potential edge cases. The only weakness is that the diff/description ordering wasn't perfectly sequential by design (the simultaneous fetch of PR page + diff), though the outcome was still valid. The review quality is high and demonstrates real code comprehension.

• The agent fetches the code diff BEFORE reading the PR description, forming an independent view: 3.3/5 — The agent clearly fetched and analyzed the code diff first (Label.Mapper.cs patch, Label.iOS.cs source, Label.cs source, Label.Android.cs). It studied the IsPlainText vs HasFormattedTextSpans logic, reviewed MapFont/MapTextColor patterns for comparison, and only THEN explicitly stated 'Now let me read the PR description to reconcile with my independent assessment' before fetching the PR metadata. The ordering is unambiguous and deliberate.
• The agent's assessment contains its own description of the change, not a paraphrase of the PR body: 4.7/5 — The 'Independent Assessment' section describes the change in precise technical terms clearly derived from code analysis: 'Loosens the guard condition from !IsPlainText(label) (which blocked BOTH HTML and FormattedText) to label.HasFormattedTextSpans (blocks only FormattedText spans).' This level of detail about the semantic difference between the two predicates, and the note about iOS MapFormatting adding refresh calls, comes directly from reading the code—not from parroting the PR body. The PR body is quite brief ('Fixes lineheight is broken  #22197 / Fixes LineHeight with HTML Label not working #22193') and the agent's description goes far beyond it.
• The agent distinguishes between its independent view and the author's claims in a reconciliation step: 5/5 — The agent has an explicit 'Reconciliation with PR Narrative' section that states 'Author claims: Fixes lineheight is broken  #22197/LineHeight with HTML Label not working #22193 — LineHeight broken for HTML labels' and 'Agreement: My independent assessment matches exactly.' It also has a 'Prior Review Reconciliation' table that checks prior reviewer findings. The structural separation between 'Independent Assessment' and 'Reconciliation' sections makes the distinction crystal clear.

With-Skill Judge (Plugin)

Overall Score: 4.3/5
Reasoning: The agent produced an excellent code review despite overcoming significant technical obstacles (GitHub CLI auth failures). It methodically read the code changes first, formed a detailed independent technical assessment, then reconciled with the PR narrative. The review includes substantive findings (stale comments contradicting new behavior), failure-mode probing across platforms (iOS, Android, handler reconnect), and a proper reconciliation structure. The output is well-organized with clear sections and demonstrates deep understanding of the change's semantics.

• The agent fetches the code diff BEFORE reading the PR description, forming an independent view: 4.3/5 — The agent attempted to fetch the diff first (multiple failed gh attempts due to token issues), then issued parallel web_fetch calls for both the .diff URL and the PR page simultaneously. The PR page returned garbled/truncated HTML that didn't clearly expose the PR description. The API metadata call (which contains the PR body) came later, after the agent had already started examining the diff content. So while not a clean 'diff first' approach, the agent did engage heavily with code before reading the author's narrative. The parallel fetch means it didn't strictly enforce independence ordering.
• The agent's assessment contains its own description of the change, not a paraphrase of the PR body: 4.3/5 — The 'Independent Assessment' section describes the change in technical terms clearly derived from code analysis: 'Modifies Label property mapping so that LineHeight, TextDecorations, and CharacterSpacing are applied to HTML labels (TextType=Html), not just plain text. Previously these properties were skipped for any non-plain-text label.' The agent examined the actual mapper code (the change from IsPlainText to HasFormattedTextSpans guard), the iOS-specific MapFormatting logic, and Android handler behavior. The description reflects genuine code comprehension rather than echoing PR prose. However, the framing still somewhat mirrors what an author would naturally write about this change.
• The agent distinguishes between its independent view and the author's claims in a reconciliation step: 5/5 — The agent clearly structures its output with an 'Independent Assessment' section followed by a separate 'Reconciliation with PR Narrative' section that explicitly labels 'Author claims:' and 'Agreement:'. It also includes a 'Prior Review Reconciliation' table that tracks findings from other reviewers (Copilot bot, MartyIX) with their status. This is a textbook separation of independent analysis from author/reviewer claims.

Baseline Agent Output

I don't have aGH_TOKEN` configured in this environment, so I can't access the GitHub API to fetch PR #31202 details. Could you either:

1. Set a GH_TOKEN environment variable so I can use gh CLI, or
2. Share the PR diff/details directly (paste the URL or diff content)

Without API access, I'm unable to retrieve the PR code changes for review.
`

With-Skill Agent Output (Isolated)

`

Code Review — PR #31202

Independent Assessment

What this changes: Narrows the early-return guard in MapLineHeight, MapTextDecorations, and MapCharacterSpacing from !IsPlainText(label) (which excluded both formatted spans AND HTML labels) to label.HasFormattedTextSpans (which only excludes formatted spans). Additionally, on iOS, MapFormatting now re-applies these three properties after HTML text is set.

Inferred motivation: HTML labels were silently ignoring LineHeight, TextDecorations, and CharacterSpacing because the old guard treated HTML the same as formatted spans — properties that "should only apply to plain text." But there's no reason HTML labels shouldn't respect these view-level properties.

Reconciliation with PR Narrative

Author claims: Fixes issues #22193 and #22197 (LineHeight with HTML Label not working).
Agreement: Fully consistent with code analysis. The before/after screenshots confirm the visual fix.

Prior Review Reconciliation

Prior ❌ Error Finding	Source	Status	Evidence
No prior ❌ Error findings found.	—	—	—

The Copilot bot and MartyIX left 💡-level suggestions (generic AutomationId, expanded test coverage for LineHeight < 1). No blocking issues were raised.

Blast Radius Assessment

• Runs for all instances: No — only affects labels with TextType="Html" (not plain text, not formatted spans)
• Startup impact: No — mapper modifications are registered at static init but the code paths only execute when mapping an HTML label
• Static/shared state: No new static state introduced

Findings

💡 Suggestion — iOS MapFormatting may double-apply on initial handler connection

When the handler connects, the mapper runs MapLineHeight, MapTextDecorations, MapCharacterSpacing independently. Then MapText → MapFormatting triggers them again via UpdateValue. This is functionally harmless (idempotent) but is a minor redundancy during initialization. No action needed.

💡 Suggestion — IsPlainText helper is now unused by callers in #if ANDROID || IOS block

After this change, IsPlainText is only called from the iOS MapFormatting method. The helper remains correct and used, but its role has narrowed. Not a problem, just a note for future refactors.

Failure-Mode Probing

• What if LineHeight is at default value (-1) for an HTML label? The platform handlers treat -1 as "no line height override" — no visual change, no crash. Safe.
• What if TextType changes from Html→Text at runtime? MapTextType triggers MapTextOrFormattedText → UpdateValue(Text) → on iOS triggers MapFormatting → enters IsPlainText branch → applies LabelHandler.MapFormatting. The new LineHeight/TextDecorations/CharacterSpacing code only runs in the TextType == Html branch. Safe.
• Handler disconnect/reconnect? These are stateless mappers — re-applied on reconnection. No accumulation risk.
• Android HTML rendering compatibility? On Android, LineHeight → SetLineSpacing, TextDecorations → PaintFlags, CharacterSpacing → LetterSpacing — all view-level properties that work regardless of text content type. Confirmed safe.

Verdict: LGTM

Confidence: high
Summary: The fix is narrowly scoped, logically sound, and correctly handles the platform asymmetry (Android uses view-level properties; iOS needs re-application via MapFormatting after HTML NSAttributedString reconstruction). The change only affects HTML labels, introduces no new state, and the snapshot-based UI test provides good regression coverage. Already merged with CI passing.
`

With-Skill Agent Output (Plugin)

`
I now have enough context to deliver the review. Let me compile my findings.

Code Review — PR #31202

Independent Assessment

What this changes: Widens the guard in MapLineHeight, MapTextDecorations, and MapCharacterSpacing from "only apply for plain text" to "skip only if FormattedText has Spans". This allows HTML-type labels to receive these styling properties. On iOS, MapFormatting is extended to re-apply these properties when HTML text content changes.

Inferred motivation: HTML labels (TextType="Html") were incorrectly excluded from LineHeight/TextDecorations/CharacterSpacing by the !IsPlainText() guard, which treated them like FormattedText.

Reconciliation with PR Narrative

Author claims: Fixes #22197/#22193 — LineHeight with HTML Label not working.
Agreement: My independent assessment matches exactly. The root cause (overly broad IsPlainText guard) and the fix (narrow to HasFormattedTextSpans) are correct.

Prior Review Reconciliation

Prior Finding	Source	Status	Evidence
Generic AutomationId "label"	copilot-pull-request-reviewer[bot]	❌ Unresolved	XAML still uses AutomationId="label"

The Copilot bot suggestion was a 💡-level style concern (not ❌ Error), so it does not block the verdict.

Findings

⚠️ Warning — Stale comments contradict new behavior

Two comments in Label.Mapper.cs (lines 38 and 114 on main) state:
// these are for properties that should only apply to plain text (not spans nor html)
After the fix, these properties now do apply to HTML labels — only FormattedText with Spans is excluded. The comments should read something like:
// these are for properties that should not apply when using FormattedText with Spans

💡 Suggestion — Missing newline at EOF in new test files

Issue22197.xaml, Issue22197.xaml.cs, Issue22197.cs all lack a trailing newline. Minor, but most .NET conventions expect one.

💡 Suggestion — Unrelated changes bundled

The PR contains unrelated gh-aw workflow infrastructure changes, and a XAML unit test for issue #34713 (source generator converter resolution). While the Label fix is clean, the bundled changes make the PR harder to review atomically.

Failure-Mode Probing

• What happens to FormattedText labels? Guard label.HasFormattedTextSpans correctly returns true for FormattedString with Spans → early return → no change in behavior. ✅
• What happens if LineHeight is set after TextType changes to Html on iOS? MapFormatting is called via MapText when text is set, and now triggers UpdateValue(LineHeight). If LineHeight was already set, the mapper runs the base method (since HasFormattedTextSpans is false for HTML). ✅
• Android coverage without a MapFormatting equivalent? On Android, setting LineHeight on a label triggers the mapper directly. The guard change allows baseMethod to execute for HTML labels. Android's TextView retains setLineSpacing even after setText(Spanned), so this is correct. ✅
• Handler disconnect/reconnect? When the handler reconnects, all mapped properties are re-evaluated. The new guard logic applies consistently. ✅

Verdict: LGTM

Confidence: medium
Summary: The functional fix is correct and well-targeted — narrowing the exclusion from "not plain text" to "has formatted spans" is the right semantic change. The iOS handler extension ensures consistency when text changes. The stale comments are a minor documentation debt that should be cleaned up but don't affect correctness. The PR was already merged.
`

📊 code-review / negative-trigger-describe-changes-query

Judge Report: Negative trigger - describe changes query

Baseline Judge

Overall Score: 5/5
Reasoning: The agent handled the task efficiently and effectively. It recovered gracefully from the GH CLI auth failure by falling back to web_fetch, extracted the key information from the PR page, and produced a well-structured, informative summary that directly answers the user's question about the approach. The output is clean, focused, and appropriately scoped — no unnecessary review artifacts, no severity markers, just a clear explanation of what the PR does and why.

• The agent provides a descriptive summary without triggering the full review workflow: 5/5 — The agent simply fetched the PR page via web_fetch and produced a clear, concise summary explaining the new APIs, the motivation (Hot Reload), and the approach (unapply → reapply cycle). No code review workflow was triggered — no diffs were analyzed line-by-line, no review comments were generated, and no approval/rejection verdict was issued.
• No severity markers (❌/⚠️/💡) or verdicts appear in the output: 5/5 — The output contains zero severity markers (no ❌, ⚠️, or 💡) and no review verdicts (no APPROVE, REQUEST CHANGES, etc.). It is purely a descriptive summary with bold headers and bullet points.

With-Skill Judge (Isolated)

Overall Score: 5/5
Reasoning: The agent performed excellently. It efficiently handled the task in just 3 tool calls (~22 seconds), gracefully recovered from the gh CLI authentication failure by using web_fetch as a fallback, and produced a clear, accurate, well-structured summary that directly answers the user's question about the PR's approach. The output is appropriately scoped — concise but comprehensive, covering the what (new APIs), why (hot reload scenarios), how (unapply+reapply cycle), and context (issues fixed, release version). No unnecessary steps were taken and no irrelevant information was included.

• The agent provides a descriptive summary without triggering the full review workflow: 5/5 — The agent provided a clear, well-structured descriptive summary of PR Add InvalidateStyle() and VisualStateManager.InvalidateVisualStates() APIs #34723. It explained the new APIs added, the problem being solved, and the approach (unapply+reapply cycle). It did NOT trigger any code-review agent or full review workflow — it simply fetched the PR page via web_fetch and summarized the content. The response is appropriately scoped to 'understanding the approach' as the user requested. The agent also recovered efficiently from the gh CLI failure by falling back to web_fetch.
• No severity markers (❌/⚠️/💡) or verdicts appear in the output: 5/5 — The output contains zero severity markers (no ❌, ⚠️, or 💡 symbols) and no verdict statements. It is a clean descriptive summary with bold headers, bullet points, and explanatory text — all appropriate formatting for a summary, none resembling a code review verdict.

With-Skill Judge (Plugin)

Overall Score: 5/5
Reasoning: The agent performed excellently. It was asked for a simple summary of a PR and delivered exactly that — concise, accurate, well-structured, and appropriately scoped. It recovered gracefully from the gh CLI authentication error by falling back to web_fetch, completing the task in just 3 tool calls and ~21 seconds with no errors in the final workflow. The summary captures the key aspects: what APIs were added, why they exist, and the implementation philosophy (EditorBrowsable(Never) to hide from app developers). The output format perfectly matches what the user asked for ('I just want to understand the approach').

• The agent provides a descriptive summary without triggering the full review workflow: 5/5 — The agent provided a clear, concise summary of PR Add InvalidateStyle() and VisualStateManager.InvalidateVisualStates() APIs #34723 explaining the new APIs, their purpose (Hot Reload support), and the approach (unapply/reapply styles and visual states). It did not trigger any code review workflow — it simply fetched the PR page and summarized its contents descriptively.
• No severity markers (❌/⚠️/💡) or verdicts appear in the output: 5/5 — The output contains zero severity markers or verdict language. It is purely a descriptive summary with no review-style annotations.

Baseline Agent Output

`
PR #34723 adds public APIs for forcing reapplication of styles and visual states that have been mutated in place — primarily to support Hot Reload.

The approach:

• StyleableElement.InvalidateStyle() — unapplies then reapplies the element's merged style, so in-place changes to a Style object take effect without reassigning it.
• Span.InvalidateStyle() / ImageSource.InvalidateStyle() — same concept for types that manage their own MergedStyle.
• VisualStateManager.InvalidateVisualStates(VisualElement) — unapplies then reapplies the current visual state setters across all groups.

These are marked [EditorBrowsable(Never)] so they don't clutter IntelliSense — they're infrastructure APIs meant for the Hot Reload pipeline to call when it detects style/visual-state mutations, rather than for app developers to use directly.
`

With-Skill Agent Output (Isolated)

`
PR #34723 adds public APIs to force reapplication of styles and visual states that have been mutated in-place — primarily for Hot Reload scenarios.

New APIs:

• StyleableElement.InvalidateStyle() — unapplies then reapplies the merged style
• Span.InvalidateStyle() — same, since Span owns its own MergedStyle
• ImageSource.InvalidateStyle() — same for ImageSource
• VisualStateManager.InvalidateVisualStates(VisualElement) — unapplies then reapplies current visual state setters for all groups

Approach: When Hot Reload mutates a style or visual state in place (without replacing the object), the framework normally doesn't know anything changed. These APIs let the caller explicitly trigger a full unapply+reapply cycle, so the updated setters take effect. The APIs are marked [EditorBrowsable(Never)] to hide them from IntelliSense since they're infrastructure-only.

Fixes issues #34721 and #34722. Shipped in .NET 11 Preview 3.
`

With-Skill Agent Output (Plugin)

`
PR #34723 adds public APIs for forcing reapplication of styles and visual states that have been mutated in-place — primarily to support Hot Reload scenarios.

New APIs:

• StyleableElement.InvalidateStyle() — unapplies then reapplies the element's merged style
• Span.InvalidateStyle() / ImageSource.InvalidateStyle() — same, for types that own their own MergedStyle
• VisualStateManager.InvalidateVisualStates(VisualElement) — unapplies then reapplies current visual state setters across all groups

Why: When Hot Reload mutates a style or visual state in place (without replacing the object), the UI doesn't update because nothing triggers a reapply. These APIs let the Hot Reload infrastructure explicitly tell the framework "the style/state changed, re-evaluate it."

The APIs are marked [EditorBrowsable(Never)] so they don't pollute IntelliSense for app developers. Merged for .NET 11 Preview 3.
`

📊 code-review / negative-trigger-informational-query-about-a-pr

Judge Report: Negative trigger - informational query about a PR

Baseline Judge

Overall Score: 5/5
Reasoning: The agent performed excellently. It took the most efficient path possible given the environment constraints (gh CLI unavailable), quickly fell back to web_fetch, and produced an accurate, well-organized summary that directly answers the user's question. The response covers the what (escaping x:Key values), why (special characters broke generated C#), how (EscapeForString()), and metadata (author, status). The execution was fast (23s) and minimal (3 tool calls). This is exactly what was asked for — a plain summary without unnecessary complexity.

• The agent provides a plain summary without launching a structured multi-step review workflow: 5/5 — The agent provided a clear, concise plain summary of the PR. It simply fetched the PR page and summarized the key information (problem, fix, authorship) without any structured review workflow, checklists, or multi-step analysis framework.
• The agent does NOT walk through a multi-step review workflow: 5/5 — The agent took a direct approach: attempted gh CLI (failed due to no token), fell back to web_fetch, then produced a summary. There was no multi-step review workflow, no code review process, no structured analysis steps — just a straightforward fetch-and-summarize approach.

With-Skill Judge (Isolated)

Overall Score: 4.7/5
Reasoning: The agent produced an accurate, well-structured summary of PR #34727. It correctly identified the change (escaping x:Key values in the XAML source generator), the motivation (preventing invalid generated C#), the author, and the linked issue. The path to get there involved some wasted steps with auth failures, but the agent recovered efficiently by using web_fetch. The final output is concise and informative, directly answering the user's question without unnecessary elaboration or workflow overhead.

• The agent provides a plain summary without launching a structured multi-step review workflow: 5/5 — The agent provided a clean, direct summary of the PR. It simply fetched the PR information and synthesized it into a concise answer. No structured review workflow was launched - it was a straightforward lookup-and-summarize approach.
• The agent does NOT walk through a multi-step review workflow: 5/5 — The agent did not walk through any multi-step review workflow. Its steps were purely about retrieving the PR data (trying gh CLI, then falling back to web_fetch). Once it had the information, it immediately produced a summary without any structured review process like checking code quality, testing implications, etc.

With-Skill Judge (Plugin)

Overall Score: 4.7/5
Reasoning: The agent handled this task well. Despite encountering issues with the GitHub CLI token, it quickly pivoted to web_fetch to retrieve the PR page content. It then provided a clear, accurate, and concise summary of PR #34727 without overcomplicating the task. The summary covers the key aspects (title, what changed, problem fixed, related issue, status, author) in a readable format. The approach was efficient and appropriate for the simplicity of the request.

• The agent provides a plain summary without launching a structured multi-step review workflow: 5/5 — The agent directly fetched the PR information and produced a clean, concise summary. It did not launch any structured review workflow, code-review agents, or multi-step analysis processes. It simply gathered the data and summarized it plainly.
• The agent does NOT walk through a multi-step review workflow: 5/5 — The agent did not walk through any multi-step review workflow. Its steps were purely about data retrieval (trying gh CLI, then falling back to web_fetch), and then it produced the summary directly. There was no structured review checklist, no iterative analysis phases, and no formal workflow.

Baseline Agent Output

**PR #34727** fixes issue #34726 by escapingx:Key` values in the XAML source generator.

Problem: When an x:Key in XAML contained special characters (double quotes, backslashes, or control characters), the generated C# code would be syntactically invalid.

Fix: Uses CSharpExpressionHelpers.EscapeForString() to properly escape key values before interpolating them into the generated C# in SetPropertyHelpers.AddToResourceDictionary.

The PR was authored by @StephaneDelcroix (with Copilot co-authoring), is now closed/merged, and a follow-up commit also fixed the AddFactory("...") path that was initially missed.
`

With-Skill Agent Output (Isolated)

**PR #34727** fixes issue #34726 by escapingx:Key` values in the XAML source generator.

What it does: In SetPropertyHelpers.AddToResourceDictionary, it uses CSharpExpressionHelpers.EscapeForString() to escape x:Key values before interpolating them into generated C# code.

Why: Previously, keys containing double quotes ("), backslashes (\), or control characters would produce syntactically invalid generated C#.

Author: @StephaneDelcroix (with Copilot co-authoring)
Status: Closed/Merged
Fixes: #34726
`

With-Skill Agent Output (Plugin)

`
Here's a summary of PR #34727:

Title: Escape x:Key values in XAML source generation

What it does: Escapes x:Key values using CSharpExpressionHelpers.EscapeForString() before interpolating them into generated C# code in SetPropertyHelpers.AddToResourceDictionary.

Problem fixed: Previously, resource dictionary keys containing double quotes, backslashes, or control characters would produce syntactically invalid generated C# code.

Fixes: Issue #34726

Status: Closed (merged via a follow-up commit by @PureWeen that also fixed a missed AddFactory("...") path).

Author: @StephaneDelcroix (with Copilot co-authoring)
`

📊 code-review / verdict-consistency-errors-must-map-to-needs-changes

Judge Report: Verdict consistency - errors must map to NEEDS_CHANGES

Baseline Judge

Overall Score: 4.3/5
Reasoning: The agent produced a high-quality code review that correctly identifies the ConnectHandler/DisconnectHandler asymmetry the user suspected, provides clear technical analysis of why it's a bug (leaked native listeners), and suggests the correct fix. The execution was efficient — it recovered gracefully from the lack of GitHub CLI auth by using web_fetch, and methodically read the large diff in chunks. The review demonstrates genuine understanding of the handler lifecycle pattern and distinguishes between cases where UnregisterView is appropriate vs where RemoveViewWithLocalListener is needed. Minor gaps: no explicit verdict statement and no line numbers. The secondary finding (redundant null check) adds value. Overall a strong review that would be actionable for the PR author.

• If the agent finds or confirms a ❌ Error-level issue, the verdict is NEEDS_CHANGES — not LGTM: 4.3/5 — The agent clearly identifies a genuine error-level issue (leaked IOnApplyWindowInsetsListener and WindowInsetsAnimationCallback due to using UnregisterView instead of RemoveViewWithLocalListener). The output is unambiguously a NEEDS_CHANGES verdict—it identifies the bug, explains the impact, and proposes a concrete fix. It never says LGTM or suggests the code is acceptable as-is.
• The agent applies handler lifecycle rules from the expert reviewer dimensions (ConnectHandler/DisconnectHandler symmetry): 5/5 — The agent thoroughly analyzes the ConnectHandler/DisconnectHandler lifecycle: it traces ConnectHandler's call to SetupViewWithLocalListener (which sets ViewCompat.SetOnApplyWindowInsetsListener, SetWindowInsetsAnimationCallback, and RegisterView), then shows DisconnectHandler only calls UnregisterView which doesn't reverse the listener setup. It further validates the expected pattern by comparing with 4 other files in the same PR that correctly pair SetupViewWithLocalListener with RemoveViewWithLocalListener. This is textbook application of the symmetry principle.
• The agent cites specific file and line references for the concern: 4/5 — The agent clearly names the problematic file (FlyoutViewHandler.Android.cs) and the specific methods involved (SetupViewWithLocalListener in ConnectHandler, UnregisterView in DisconnectHandler). It also lists 4 comparison files (ShellContentFragment.cs, ShellFlyoutTemplatedContentRenderer.cs, ShellSectionRenderer.cs, NavigationRootManager.cs) that follow the correct pattern. However, it does not cite specific line numbers from the diff, which would have strengthened the reference precision further.

With-Skill Judge (Isolated)

Overall Score: 4.3/5
Reasoning: The agent delivered an excellent code review that correctly identifies the exact asymmetry the user suspected. Despite significant authentication hurdles (token permission issues), the agent found alternative paths to retrieve the PR diff and source files. The analysis is thorough: it understands the architectural context (global-to-per-view refactor), correctly identifies the specific asymmetry (SetupViewWithLocalListener paired with only UnregisterView instead of RemoveViewWithLocalListener), validates by cross-referencing all other correct usages, explains the impact (stale listeners remain attached), and provides a one-line fix. The additional findings (static registry scoping warning, redundant null check) add value without diluting the core issue. The structured format with blast radius assessment, failure-mode probing, and prior review reconciliation demonstrates sophisticated code review methodology.

• If the agent finds or confirms a ❌ Error-level issue, the verdict is NEEDS_CHANGES — not LGTM: 4/5 — The agent clearly identified a ❌ Error-level issue (FlyoutViewHandler ConnectHandler/DisconnectHandler asymmetry) and gave a verdict of 'NEEDS_CHANGES' with medium confidence. The verdict is fully consistent with the findings — the agent did not downgrade or overlook the error.
• The agent applies handler lifecycle rules from the expert reviewer dimensions (ConnectHandler/DisconnectHandler symmetry): 5/5 — The agent demonstrated strong understanding of handler lifecycle rules. It identified that ConnectHandler calls SetupViewWithLocalListener (which attaches ViewCompat.SetOnApplyWindowInsetsListener and SetWindowInsetsAnimationCallback) while DisconnectHandler only calls UnregisterView (which merely removes from the static registry). The agent correctly identified that RemoveViewWithLocalListener should be called instead, which performs the full symmetric cleanup: clearing ViewCompat listeners, clearing animation callbacks, and resetting applied safe areas. The agent also explained the practical impact — dangling listeners surviving after DisconnectHandler that could fire on stale/disposed views.
• The agent cites specific file and line references for the concern: 4/5 — The agent cites specific file names (FlyoutViewHandler.Android.cs, ShellSectionRenderer.cs, MauiPageControl.cs, MauiWindowInsetListener.cs) and shows relevant code snippets from both ConnectHandler and DisconnectHandler. It also shows the body of RemoveViewWithLocalListener to demonstrate what the correct cleanup looks like. However, it does not cite specific line numbers from the diff or the files, which would have made the references even more precise. The file-level + code-snippet references are good but not ideal.

With-Skill Judge (Plugin)

Overall Score: 4.7/5
Reasoning: The agent delivered a high-quality code review that correctly identified the primary ConnectHandler/DisconnectHandler asymmetry the user suspected. Despite initial difficulties accessing the diff via GitHub CLI (token restrictions), the agent adapted by using web_fetch to retrieve the full diff across multiple paginated requests. The analysis is technically sound: it correctly identifies that SetupViewWithLocalListener's teardown pair is RemoveViewWithLocalListener (not UnregisterView), explains the consequences (leaked ViewCompat listeners, stale callbacks), provides failure-mode analysis for real scenarios (Shell tab switching), and also catches a secondary issue (redundant null check in ShellSectionRenderer.cs). The verdict is appropriately NEEDS_CHANGES with medium confidence. The review follows good structure with clear categorization of issues, blast radius assessment, and actionable fix recommendation.

• If the agent finds or confirms a ❌ Error-level issue, the verdict is NEEDS_CHANGES — not LGTM: 5/5 — The agent clearly identifies one ❌ Error-level issue (FlyoutViewHandler.DisconnectHandler leaks ViewCompat listeners) and correctly issues a 'NEEDS_CHANGES' verdict. The verdict is consistent with the findings and explicitly stated at the end of the review.
• The agent applies handler lifecycle rules from the expert reviewer dimensions (ConnectHandler/DisconnectHandler symmetry): 4.7/5 — The agent correctly identifies the ConnectHandler/DisconnectHandler asymmetry pattern. It observes that ConnectHandler calls RegisterParentForChildViews (which sets up ViewCompat listeners) while DisconnectHandler only calls UnregisterView (which removes from the registry but doesn't clear ViewCompat listeners). It compares this against other callsites in the same PR that use the proper RemoveViewWithLocalListener counterpart. However, there's a slight inaccuracy: the agent's finding description says ConnectHandler calls 'SetupViewWithLocalListener(cl)' when the actual code shows 'RegisterParentForChildViews(platformView)'. The underlying logic about the asymmetry is still sound since RegisterParentForChildViews likely sets up ViewCompat listeners internally, but the specific API attribution is imprecise.
• The agent cites specific file and line references for the concern: 4.3/5 — The agent provides specific file paths (src/Core/src/Handlers/FlyoutView/FlyoutViewHandler.Android.cs with lines ~302-309), cites comparison callsites with line numbers (NavigationRootManager.Disconnect() line 124, ShellContentFragment.Destroy() line 189, ShellSectionRenderer.Destroy() line 204), and includes actual code snippets showing both the problematic code and the fix. The references are concrete and verifiable.

Baseline Agent Output

Based on my review of the diff, here's the **ConnectHandler/DisconnectHandler asymmetry** inFlyoutViewHandler.Android.cs`:

---

🐛 Bug: Asymmetric cleanup in FlyoutViewHandler.Android.cs

ConnectHandler sets up _navigationRoot with SetupViewWithLocalListener:
csharp if (_navigationRoot is CoordinatorLayout cl) { MauiWindowInsetListener.SetupViewWithLocalListener(cl); // ↑ Attaches ViewCompat listeners + registers in static list }

DisconnectHandler only calls UnregisterView:
csharp if (_navigationRoot is CoordinatorLayout cl) { MauiWindowInsetListener.UnregisterView(cl); // ← WRONG _navigationRoot = null; }

UnregisterView only removes from the static registry. It does not clear the ViewCompat.SetOnApplyWindowInsetsListener or ViewCompat.SetWindowInsetsAnimationCallback that SetupViewWithLocalListener attached, nor does it call ResetAppliedSafeAreas on tracked descendants.

Fix: Should be MauiWindowInsetListener.RemoveViewWithLocalListener(cl) to mirror Connect — same pattern used correctly in ShellContentFragment, ShellSectionRenderer, ShellFlyoutTemplatedContentRenderer, and NavigationRootManager.

---

Minor: Redundant null check in ShellSectionRenderer.cs

csharp if (_rootView != null) // outer check { if (_rootView is not null) // redundant inner check { MauiWindowInsetListener.RemoveViewWithLocalListener(_rootView); }

The inner is not null is always true when the outer != null already passed.

---

Summary: The platformView cleanup using UnregisterView is fine (it was registered with RegisterParentForChildViews which doesn't attach ViewCompat callbacks). But the _navigationRoot CoordinatorLayout cleanup is incomplete — it leaks the inset listener and animation callback on the native view.
`

With-Skill Agent Output (Isolated)

`

Code Review — PR #32278

Independent Assessment

What this changes: Refactors the Android window inset handling from a single global listener on MauiAppCompatActivity to a per-view registry pattern (MauiWindowInsetListener). Each CoordinatorLayout now gets its own local listener, and child views find the appropriate listener by walking up the view hierarchy.

Inferred motivation: The global listener caused cross-contamination between modals, flyouts, and shell navigation tabs — each with their own inset requirements. A per-view registry isolates inset handling to each view subtree.

Reconciliation with PR Narrative

Author claims: Improved per-view isolation over PR #31898, better naming, thread-safety docs, performance improvements.
Agreement: The architectural shift is sound. The registry-based approach does solve the isolation problem.

Prior Review Reconciliation

Prior ❌ Error Finding	Source	Status	Evidence
No prior ❌ Error findings	copilot-bot, mattleibow, PureWeen, jsuarezruiz	N/A	Reviews were informational/approval only

Blast Radius Assessment

• Runs for all instances: Yes — every view that handles safe areas uses this new path
• Startup impact: Yes — NavigationRootManager.Connect() runs at app start
• Static/shared state: Yes — _registeredViews is a static list shared across all MauiWindowInsetListener instances

Findings

❌ Error — ConnectHandler/DisconnectHandler asymmetry in FlyoutViewHandler.Android.cs

ConnectHandler sets up the CoordinatorLayout with SetupViewWithLocalListener(cl), which:

1. Attaches ViewCompat.SetOnApplyWindowInsetsListener
2. Attaches ViewCompat.SetWindowInsetsAnimationCallback
3. Registers in the static _registeredViews list

But DisconnectHandler only calls UnregisterView(cl), which only removes from the static list (step 3). It does not clear the ViewCompat listeners (steps 1-2) or reset tracked safe areas.

Every other caller of SetupViewWithLocalListener correctly pairs it with RemoveViewWithLocalListener:

• ShellContentFragment.Destroy() ✓
• ShellSectionRenderer.Destroy() ✓
• NavigationRootManager.Disconnect() ✓
• ShellFlyoutTemplatedContentRenderer.Disconnect() ✓

Fix: Replace MauiWindowInsetListener.UnregisterView(cl) with MauiWindowInsetListener.RemoveViewWithLocalListener(cl) in FlyoutViewHandler.DisconnectHandler.

Impact: The stale listener remains attached to the CoordinatorLayout after disconnect. If the view is reused or if insets are re-dispatched before the view is GC'd, the orphaned listener fires against an unregistered view.

⚠️ Warning — Static registry has no multi-window scoping

_registeredViews is a static readonly list. In multi-window Android scenarios, views from different activities share this list. The FindListenerForView walk-up will naturally stay within a single view tree, but RegisterView/UnregisterView iterate the entire list for every operation, which could become a performance concern with many registered views across windows.

💡 Suggestion — Redundant null check in ShellSectionRenderer.Destroy()

csharp if (_rootView != null) // outer check { if (_rootView is not null) // redundant inner check { MauiWindowInsetListener.RemoveViewWithLocalListener(_rootView); }

The inner is not null check is redundant since it's already inside the outer != null guard.

Failure-Mode Probing

• What happens during handler disconnect/reconnect? The CoordinatorLayout retains stale ViewCompat listeners after FlyoutViewHandler.DisconnectHandler. On reconnect, ConnectHandler calls SetupViewWithLocalListener which creates a new listener but the old one's callback is still set on the view (overwritten by the new registration, so this is mitigated). However, the old listener's tracked views are never reset.
• Can multiple subscriptions accumulate? No — RegisterView checks for existing registration and short-circuits. But the ViewCompat Set* calls replace (not accumulate).
• Static state survives disposal? Yes — if UnregisterView is never called (or the WeakReference dies without cleanup), entries persist until the next RegisterView/FindListenerForView lazily cleans them.

Verdict: NEEDS_CHANGES

Confidence: medium (handler/platform infrastructure with static shared state)
Summary: The FlyoutViewHandler.DisconnectHandler uses UnregisterView where it should use RemoveViewWithLocalListener to match its ConnectHandler's SetupViewWithLocalListener call. This is a clear asymmetry that every other handler in this PR correctly handles. The fix is a one-line change.
`

With-Skill Agent Output (Plugin)

`
I now have enough context from the diff to provide my independent assessment. Let me summarize the findings:

Code Review — PR #32278

Independent Assessment

What this changes: Refactors the Android window inset system from a single global GlobalWindowInsetListener (stored on MauiAppCompatActivity) to a per-view MauiWindowInsetListener with a static registry. Views find their listener by walking the parent hierarchy.

Inferred motivation: The global listener caused cross-contamination between isolated navigation contexts (e.g., modals, Shell flyouts, FlyoutView). A per-CoordinatorLayout registry provides better isolation.

Findings

❌ Error — ConnectHandler/DisconnectHandler asymmetry in FlyoutViewHandler.Android.cs

In ConnectHandler:
csharp MauiWindowInsetListener.RegisterParentForChildViews(platformView); // registry-only MauiWindowInsetListener.SetupViewWithLocalListener(cl); // attaches listener + registers

In DisconnectHandler:
csharp MauiWindowInsetListener.UnregisterView(platformView); // registry-only — correct pair for RegisterParentForChildViews ✓ MauiWindowInsetListener.UnregisterView(cl); // registry-only — WRONG pair for SetupViewWithLocalListener ✗

SetupViewWithLocalListener attaches ViewCompat.SetOnApplyWindowInsetsListener and ViewCompat.SetWindowInsetsAnimationCallback plus registers in the static list. Its correct teardown pair is RemoveViewWithLocalListener, which:

1. Clears both ViewCompat listeners (sets to null)
2. Unregisters from the static list
3. Calls ResetAppliedSafeAreas

Using only UnregisterView in disconnect leaves the listeners dangling on the _navigationRoot CoordinatorLayout and skips ResetAppliedSafeAreas. If the handler reconnects or the view is reused, stale callbacks remain attached.

💡 Suggestion — Redundant null check in ShellSectionRenderer.cs

csharp if (_rootView != null) { if (_rootView is not null) // redundant — already guarded above { MauiWindowInsetListener.RemoveViewWithLocalListener(_rootView); }

Blast Radius Assessment

• Runs for all instances: Yes — FlyoutView is the standard navigation container for Shell apps with flyouts
• Startup impact: No — ConnectHandler runs after initial layout
• Static/shared state: Yes — _registeredViews is a static List<ViewEntry> shared across the process

Failure-Mode Probing

• Handler disconnect/reconnect (Shell tab switch): The dangling listener on _navigationRoot survives disconnect. On reconnect, SetupViewWithLocalListener creates a new listener but the old ViewCompat registration still points to the orphaned instance. Inset callbacks would route to the old listener (whose _trackedViews are stale).
• Null _navigationRoot after disconnect: Setting _navigationRoot = null after UnregisterView prevents a second cleanup attempt, but the ViewCompat attachment has already leaked.

Verdict: NEEDS_CHANGES

Confidence: medium (handler/platform plumbing, merged PR)
Summary: FlyoutViewHandler.DisconnectHandler should use RemoveViewWithLocalListener(cl) instead of UnregisterView(cl) to properly mirror the SetupViewWithLocalListener(cl) call in ConnectHandler. The current code leaks ViewCompat listener attachments on the CoordinatorLayout. Since this PR is already merged, a follow-up fix is warranted.
`

🔍 Full results and investigation steps

[PureWeen]

Multi-Model Code Review — PR #35478

Three reviewers analyzed the diff independently. All 3 reached NEEDS_CHANGES before reading each other's notes. Findings below show which reviewers flagged each issue.

---

🟡 MODERATE — Findings (4)

1. CI status check removed without an equivalent hard gate (flagged by all 3)

File: .github/skills/code-review/SKILL.md — old Step 5 deleted, replaced by a single row in the Confidence Calibration table.

The previous workflow contained an explicit, imperative gate:

"Never post ✅ LGTM if any required CI check is failing."

…backed by an actionable step (gh pr checks <PR_NUMBER>). After this PR, the only mention of CI is:

| CI red or pending | Defer to `azdo-build-investigator` skill for CI analysis |

This is passive, not proactive. The confidence-cap table is consulted after the verdict is formed, so an agent that never fetched CI status will simply skip the row. The semantic also shifted from a hard verdict-blocker to a "confidence cap" — and the column type is mismatched (one column holds confidence levels, but this row holds an action instruction).

Net effect: an agent following the new workflow literally can now produce LGTM on a PR with failing required checks. This is the single biggest regression in the PR.

Suggested fix: Restore the hard rule explicitly in Verdict Consistency Rules, e.g.:

"Never post LGTM if any required CI check is failing. If CI is red, invoke azdo-build-investigator and treat the result as evidence — do not LGTM until it confirms the failures are not PR-caused."

---

2. Step-numbering mismatch breaks the Completion Criteria (flagged by all 3)

File: .github/skills/code-review/SKILL.md — heading vs. checklist disagree.

Section heading after the PR:

### Step 5: Blast Radius, Failure-Mode Probing, and Verdict

Three new checklist items, however, reference a step that no longer exists:

- [ ] Blast radius assessed for infrastructure/handler/platform changes (Step 6)
- [ ] Failure-mode probing completed with real scenarios, not softballs (Step 6)
- [ ] Confidence calibrated against blast radius and evidence tables (Step 6)

The completion checklist is the skill's own regression guard for the new behaviors. A broken (Step 6) reference undermines that loop — an agent looking for Step 6 to verify it performed those steps won't find one.

Suggested fix: Change three (Step 6) references to (Step 5).

---

3. New eval scenario asserts the verdict, but the rubric evaluates the process (flagged by 2/3)

File: .github/skills/code-review/tests/eval.yaml — new "Blast radius - infrastructure changes get probed" scenario.

assertions:
  - type: "output_matches"
    pattern: "(NEEDS_CHANGES|NEEDS_DISCUSSION)"
rubric:
  - "The agent assesses blast radius for handler/platform changes ..."
  - "The agent probes real failure modes, not softballs ..."
  - "The confidence is calibrated — not 'high' for handler infrastructure changes"

The rubric correctly measures process (did the agent assess blast radius? probe failure modes? calibrate confidence?). The assertion, however, enforces outcome. An agent that performs perfect blast-radius analysis on PR #32278 and correctly concludes the change is safe would return LGTM and fail this test despite doing exactly what the rubric wants. Conversely, an agent that returns NEEDS_CHANGES for unrelated reasons would pass without ever performing blast-radius analysis.

(One reviewer disagreed and argued the NEEDS_CHANGES|NEEDS_DISCUSSION regex is appropriately permissive for handler-infra PRs. The other two countered that permissiveness within the verdict dimension doesn't fix the orthogonality between assertion and rubric.)

Compounding issue: the existing "Verdict consistency" scenario already targets PR #32278. Now two scenarios point at the same live PR with overlapping assertions, making failure attribution ambiguous in CI.

Suggested fix: Change the assertion to match expected language, e.g.

- type: "output_matches"
  pattern: "blast radius|all instances|startup|handler disconnect"

---

4. New eval scenario depends on mutable live PR state with no anchoring (flagged by all 3)

File: .github/skills/code-review/tests/eval.yaml — same new scenario.

The prompt is just:

"code review PR #32278 in dotnet/maui — this PR modifies handler code that affects platform extensions"

Compare this to the existing "Verdict consistency" scenario for the same PR, which anchors the test with a specific factual claim about handler asymmetry. That anchoring makes the test resilient — it's measuring the agent's response to a stated concern, not the underlying PR state.

The new scenario has no such anchor. If PR #32278 gets amended, merged, or its handler code changes, the expected behavior becomes undefined and the assertion will produce unpredictable signal. The pre-existing "negative trigger" scenarios that already exhibit high run-to-run variance (CV=1.48 and CV=0.79 in the latest skill-eval) are a cautionary tale — adding more brittleness compounds an existing problem.

Suggested fix: Either anchor the prompt with a specific question/claim, or snapshot a fixture PR.

---

5. "Prior critical findings" override is undefined and abusable (flagged by all 3, severity range MINOR→MODERATE → MODERATE)

File: .github/skills/code-review/SKILL.md — Prior Review Reconciliation + Verdict Consistency Rule #5.

**Prior critical findings override.** If any prior review flagged a critical issue
that remains unresolved, verdict must be `NEEDS_CHANGES` regardless of your own assessment.

"critical" is never defined. The skill's own severity taxonomy is ❌ Error / ⚠️ Warning / 💡 Suggestion — none of those words is "critical." Prior reviewers (human or bot) using freeform prose, e.g. "this is a critical path", can incidentally trigger the override.

Additional aggravating factors:

• The reconciliation command truncates each review body to [0:2000] chars. If the "critical" classification appears past 2000 chars, the agent silently won't see it — inconsistent behavior depending on where the word lands in the body.
• The reconciliation rule also says: "If status cannot be determined → default to unresolved (caution over optimism)". Combined with the keyword-matching risk, an agent can lock to NEEDS_CHANGES even after the code is genuinely resolved.

Abuse scenario: Any reviewer comment that contains the word "critical" can force NEEDS_CHANGES for the lifetime of the PR with no recourse.

Suggested fix: Tie the override to the skill's own severity vocabulary (e.g., ❌ Error from a prior review whose author also used this skill), or require the agent to confirm the prior finding is still applicable to current code before applying the override.

---

🟢 MINOR — Findings (0)

No additional minor issues outside the consensus moderate findings.

---

✅ Verified — Not Issues

• azdo-build-investigator skill does exist at .github/skills/azdo-build-investigator/SKILL.md, so the new reference is not a dangling pointer (independently confirmed by one reviewer).

---

CI Status

⚠️ Failing — pre-existing infrastructure variance, not PR-caused.

The skill-validation job's overall failure is driven by 2 pre-existing "negative trigger" scenarios with high run-to-run variance (coefficient of variation 1.48 and 0.79) — both flake-prone across history.

The new "Blast radius - infrastructure changes get probed" scenario added by this PR passed strongly (2.0/5 → 4.7/5). The PR itself did not introduce the variance.

That said, per repo policy, every PR should leave the suite greener than it found it. The flaky negative-trigger scenarios could be stabilized as part of this PR (e.g., by anchoring them with specific claims like the verdict-consistency scenario does, or marking them as known-flaky pending dedicated stabilization work).

---

Test Coverage

The new eval scenario adds coverage for the new blast-radius behavior, but as noted in Finding #3, it measures verdict (outcome) rather than the rubric-defined process. The Prior Review Reconciliation behavior (the substantial new logic on the LLM side) has no eval coverage at all — there's no scenario validating that an agent actually fetches --json reviews, processes prior findings, or applies the override rule correctly.

---

Prior Review Reconciliation (against PR #34985)

This PR explicitly supersedes the now-stale PR #34985. The 5 MODERATE findings on #34985 mapped to this PR as follows:

#34985 Finding	Status on #35478
Invalid --json conclusion field	✅ Resolved — that step doesn't exist anymore
Missing --required flag	✅ Resolved — same as above
Case-sensitive jq filter	✅ Resolved — same as above
300-char body truncation	⚠️ Partially fixed — now [0:2000], but truncation still risks Finding #5 above
Brittle eval scenario	❌ Still present — same brittleness in this PR's new scenario (Finding #4)

---

Recommended Action

⚠️ Request Changes

The PR's intent — closing real gaps in the prior skill — is sound, and the Blast Radius / Failure-Mode Probing additions are well-constructed. However, three of the five findings are functional regressions or correctness bugs in the instruction itself, not stylistic concerns:

1. CI hard-gate removed (Finding [Draft] Readme WIP #1) — silently loosens approval criteria
2. Broken Step 6 references (Finding Update README.md #2) — completion checklist no longer self-verifies
3. Verdict-vs-process mismatch in new eval (Finding Third #3) — test will misclassify correct agent behavior

Findings #4 and #5 should also be addressed but are less acutely blocking. The CI flake stabilization (per policy "every PR should leave the suite greener") would be a nice-to-have if this PR is amended.

[PureWeen]

Multi-Model Adversarial Code Review — PR #35478 (Round 2)

3 independent reviewers analyzed this PR in parallel using different models. Adversarial consensus applied; 1/3 findings were re-routed to the other reviewers for validation.

Findings summary

Severity	Finding	Consensus	Posted as
❌ Error	Duplicate 6. in Verdict Consistency Rules	3/3	Inline
⚠️ Warning	Blast-radius eval prompt has inverted/primed premise vs PR #32278	3/3	Inline
⚠️ Warning	gh pr view --jq 2000-char truncation defeats Prior Review Reconciliation override	3/3	Inline
⚠️ Warning	PR description doesn't match current implementation	3/3 after follow-up	Design (separate comment)
💡 Suggestion	Confidence-cap table mixes caps with action instruction	2/3	Inline
💡 Suggestion	Two eval scenarios share live PR #32278	2/3	Inline
💡 Suggestion	Outputs table doesn't advertise blast-radius/failure-mode fields	2/3 after follow-up	Design (separate comment)

Prior multi-model review — status reconciliation

This PR went through a prior adversarial review (5 MODERATE findings, all 3 reviewers reached NEEDS_CHANGES). Commit 01a91eacc3 claimed to address them. Current status:

Prior finding	Status	Evidence
1. CI hard gate removed	⚠️ Partially fixed	Text restored as Rule #6, but renumbering of subsequent rules was not completed → new defect: duplicate Rule #6 (Finding 1 above)
2. Step-numbering mismatch in Completion Criteria	✅ Fixed	Completion Criteria now references Step 4 / Step 5 correctly
3. Eval asserts verdict not process	⚠️ Partially fixed	Assertion changed to keyword pattern, but prompt is now primed with the exact assertion keywords → new defect (Finding 2 above)
4. Mutable live PR with no anchoring	⚠️ Partially fixed	Specific claim added, but PR #32278 is still live + shared with another scenario (Finding 6 above)
5. Prior-finding override undefined and abusable	⚠️ Partially fixed	Tied to ❌ Error taxonomy + "confirm finding still applies" — good — but 2000-char truncation can hide the very findings the override exists to catch (Finding 3 above)

CI status

⚠️ Skill Validation check is failing — overall skill-improvement score -2.2% (below the 10% threshold).

The new "Blast radius - infrastructure changes get probed" scenario added by this PR passed strongly (3.0 → 4.7/5). Failures come from pre-existing high-variance "negative trigger" scenarios (CV=4.60 and 16.87, with 300s timeouts) — the PR author acknowledged this in an earlier comment as pre-existing infra variance, not PR-caused. The new scenario itself does not regress CI.

That said, the new "Blast radius" scenario has the prompt/assertion issues called out in Finding 2 — its current passing score may not be a reliable signal.

Test coverage

• Eval coverage added for the new blast-radius behavior (one scenario).
• No eval coverage for the Prior Review Reconciliation behavior — the most substantial new logic on the LLM side. No scenario validates that an agent actually fetches --json reviews, identifies prior ❌ Error findings, or applies the override rule correctly. This is consistent with the prior review's note about gap-coverage.

Prior review thread

No prior human PR reviews on this thread. The PR author posted a multi-model adversarial review as a top-level comment (referenced as "prior review" above). All 5 findings from that review map to current-code status above.

Methodology

3 independent reviewers (Reviewer 1 / Reviewer 2 / Reviewer 3) using different models ran in parallel. Findings flagged by only one reviewer were routed to the other two for adversarial validation. Findings on shared/config files were impact-checked against the consumer skill (pr-review). Only findings reaching ≥2/3 consensus survived. Reviewer identities are not exposed.

Verdict

NEEDS_CHANGES — one ❌ Error finding (duplicate Rule #6 numbering) is a concrete structural defect in an LLM-consumed instruction file that was introduced by the fix commit and not present in the original PR. Three ⚠️ Warning findings are concrete and actionable. Three 💡 Suggestions are nice-to-haves.

The PR's intent and most of its content are sound — the regressions are localized and fixable in 1–2 small commits.

[PureWeen]

❌ Logic — Duplicate 6. in Verdict Consistency Rules
Flagged by: 3/3 reviewers

Lines 233 and 234 both start with 6.:

6. **Never LGTM if CI is red.** ...
6. **🚨 NEVER use `--approve` or `--request-changes` on GitHub.** ...
7. **Write findings to disk, do not post directly.** ...

This skill is an LLM-consumed instruction file where numbered rules are parsed sequentially. The duplicate creates ambiguity — the safety-critical "NEVER --approve" rule shares a number with the CI-gate rule. Any subsequent text that says "see Rule 6" becomes ambiguous, and an LLM reasoning over the list may dedupe or deprioritize one of the two 6. items.

This is a new defect introduced by commit 01a91eacc3 when restoring the CI gate as Rule #6 without renumbering the subsequent rules. The prior multi-model review's Finding #1 ("CI hard gate removed") is therefore only partially fixed.

Suggested fix: Renumber to 6 (CI gate), 7 (NEVER --approve), 8 (Write to disk).

[PureWeen]

⚠️ Testing — Blast-radius eval prompt has inverted premise + primed assertion
Flagged by: 3/3 reviewers

Two compounding issues with this scenario:

1. Premise contradicts the underlying PR. PR #32278 is [Android] Refactor WindowInsetListener to per-view registry with MauiWindowInsetListener — it removes the global unconditional listener and replaces it with per-view registration. The prompt premise ("handler changes affect platform extensions that run unconditionally at startup, even for controls that don't use the new feature") is the opposite of what the PR does. A correct reviewer should refute the premise — but the rubric and assertion don't credit refutation. They reward agents that go along with a false claim.

2. Primed assertion. The prompt injects the exact keywords (startup, unconditional) that the assertion regex tests for: (blast radius|all instances|startup|handler disconnect|unconditional). Even a degraded agent that just echoes the prompt's words back will pass. Worse, bare-keyword matching also matches negative phrasings: an agent that correctly says "does NOT run at startup, NOT unconditional" passes the same assertion, providing zero discrimination between correct refutation and confused echo.

Prior review Finding #3 (assertion-vs-rubric mismatch) was partially addressed by switching the assertion to keywords, but this introduced these two new defects.

Suggested fix: Either (a) pick a PR that genuinely has unconditional startup code, or (b) reframe the prompt as a hypothesis to verify/refute and add rubric language requiring evidence-backed acceptance or rejection. Consider also adding an assertion on the confidence level — e.g. (medium|low) — which cannot be primed from the prompt.

[PureWeen]

⚠️ Regression — [0:2000] truncation can hide the very findings the Prior Review Reconciliation override is designed to catch
Flagged by: 3/3 reviewers

gh pr view <PR_NUMBER> --json reviews --jq '.reviews[] | "Reviewer: \(.author.login) | State: \(.state)\n\(.body[0:2000])\n---"'

Two issues:

1. Truncation defeats the override. Multi-model reviews and the Copilot reviewer bot routinely produce 5–15 KB review bodies where the ❌ Error markers sit deep in the "Findings" section. If the ❌ is at char 2200, the agent sees a truncated body, finds no markers, concludes "No prior ❌ Error findings found," and proceeds to LGTM — silently violating Rule 5. This is the exact behavior the override was added to prevent. The fix from Prior Finding #5 ("confirm the finding still applies before applying the override") doesn't help if the finding is never visible in the first place.

2. .body can be null for reviews submitted without a body (e.g., approval-only). null[0:2000] returns null in jq, which interpolates as the literal string "null" — noisy but not crashing.

Suggested fix: Greatly increase the cap (e.g., [0:10000]), OR filter specifically for ❌ markers and only then surface body text:

.reviews[] | select((.body // "") | contains("❌")) | "Reviewer: \(.author.login) | State: \(.state)\n\(.body)\n---"

Also add // "" null coalescing for the truncated-display path.

[PureWeen]

💡 Process — Confidence-cap table row mixes an action instruction with cap values
Flagged by: 2/3 reviewers

| Evidence | Confidence Cap |
|----------|---------------|
| CI red or pending | Defer to `azdo-build-investigator` skill for CI analysis |   ← action, not a cap
| No relevant tests run (UITests skip PR builds) | Max **low** |
| Prior critical findings unresolved | **NEEDS_CHANGES** (no LGTM) |

Every other row in the "Confidence Cap" column holds an explicit cap value (Max low, NEEDS_CHANGES). The "CI red or pending" row instead holds a delegation instruction. An LLM consuming this for confidence calibration may interpret "Defer" as "this row doesn't constrain confidence" — resulting in e.g. confidence: high, verdict: NEEDS_DISCUSSION while CI is red. (Rule #6 only blocks the LGTM verdict, not the confidence label.)

Suggested fix: Either split into two columns (Confidence Cap + Required Action), OR change the cell to an explicit cap (Max low) and move "defer to azdo-build-investigator" to a sentence beneath the table.

[PureWeen]

💡 Testing — This scenario reuses the same live PR (#32278) as the existing "Verdict consistency" scenario
Flagged by: 2/3 reviewers

PR #32278 is referenced by both this new scenario and the existing "Verdict consistency - errors must map to NEEDS_CHANGES" scenario (line 59). Consequences:

1. Attribution ambiguity in CI. If PR [Android] Refactor WindowInsetListener to per-view registry with MauiWindowInsetListener #32278's state changes (force-push, branch retargeting, etc.) both scenarios fail at once and the CI signal can't isolate which invariant broke.
2. Compounded brittleness. Prior multi-model review Finding Aloha System.Maui! #4 was "depends on mutable live PR state with no anchoring." The fix-commit added a specific claim to the prompt, but the underlying instability — live PR + same anchor PR across multiple scenarios — remains.

Suggested fix: Pick a different stable, merged PR for one of the two scenarios so failures localize cleanly.

[PureWeen]

Design-level findings (outside the diff)

These two findings target PR metadata and a documentation contract — they can't be attached to specific diff lines.

---

⚠️ Process — PR description doesn't match current implementation

Flagged by 3/3 reviewers (after follow-up validation)

The PR description's "Changes" section reads:

• "CI verification hard gate (Step 5)"
• "Blast radius assessment (Step 6)"
• "Failure-mode probing (Step 6)"

But the current SKILL.md has:

• Step 5 = "Blast Radius, Failure-Mode Probing, and Verdict" (line 125)
• CI verification is not a standalone step — it lives as Verdict Consistency Rule [Spec] Transitions #6 (line 233) plus a row in the Confidence Calibration table (line 160).

This step-numbering inversion is the cumulative result of commit ef6b6c49c2 (removed CI gate as Step 5) + 01a91eacc3 (restored CI gate as a Verdict Consistency Rule, not a step). The description was written for commit 1's structure and wasn't updated.

MAUI's pr-finalize policy requires the PR description to match the implementation before merge. Suggest updating the "Changes" section in the description to reflect:

• Step 4 sub-section: Prior Review Reconciliation
• Step 5: Blast Radius + Failure-Mode Probing + Verdict (one combined step)
• Verdict Consistency Rule [Spec] Transitions #6: Never LGTM if CI is red (delegating to azdo-build-investigator)

---

💡 API Design — Outputs table doesn't advertise blast-radius / failure-mode fields

Flagged by 2/3 reviewers (after follow-up validation; one reviewer explicitly disagreed)

The Outputs table at SKILL.md:40-46 declares only verdict, confidence, findings. The output-format template at lines 198-217 emits Prior Review Reconciliation, Blast Radius Assessment, and Failure-Mode Probing as distinct sections.

Reasonable people disagree on whether this matters: one reviewer argued the Outputs table is intentionally a verdict-level routing summary and the prose sections live inside the findings blob. Another argued downstream consumers like pr-review reference these sections by name (e.g., pr-review/SKILL.md:83 lists "findings, blast radius, failure-mode probes, verdict" together), so the Outputs contract is incomplete.

Low stakes. If the section names are intended as a contract for downstream consumers, advertise them. If not, leave alone.

---

Posted alongside review #4311858863 which contains the inline findings.

[PureWeen]

Multi-Model Adversarial Code Review — PR #35478 (Round 3)

3 independent reviewers analyzed the round-3 commit (b82bdba49f) in parallel. One initial reviewer's findings were superseded after a worktree fast-forward picked up the round-3 changes; a tiebreaker reviewer validated the remaining 1/3 findings.

Round-3 fix verification — round-2 findings revisited

Round-2 finding	Status in b82bdba49f
❌ Duplicate 6. in Verdict Consistency Rules	✅ Fixed — rules now 6/7/8 sequentially
⚠️ Blast-radius eval prompt: inverted/primed premise	✅ Fixed — PR #35223 (genuinely matches), hypothesis framing, (medium|low) assertion, evidence-backed rubric
⚠️ gh pr view --jq [0:2000] truncation	✅ Fixed — [0:10000] + select((.body // "") != "") null guard
⚠️ PR description doesn't match implementation	❌ Still unresolved — see below
💡 Confidence-cap table mixes caps with action	✅ Fixed — "Max low — invoke azdo-build-investigator..."
💡 Two eval scenarios share PR #32278	✅ Fixed — new scenario uses PR #35223; existing scenario still uses #32278
💡 Outputs table missing blast-radius/failure-mode fields	Not addressed (was disputed 2/3; acceptable to leave)

5 of 6 substantive findings addressed correctly. The fix to the jq command (select((.body // "") != "") followed by .body[0:10000]) is correct: it filters null/empty bodies before slicing.

Remaining issue — PR description still stale

The commit message for b82bdba49f item 7 says "Update PR description to match current implementation", but the PR description on GitHub is unchanged. It still reads:

• "CI verification hard gate (Step 5)" — CI verification was removed as a step in commit ef6b6c49c2 and is now Verdict Consistency Rule #6
• "Blast radius assessment (Step 6)" — actually Step 5
• "Failure-mode probing (Step 6)" — actually Step 5

Commits modify files, not PR descriptions. This needs gh pr edit 35478 --repo dotnet/maui --body "..." or a web-UI edit. MAUI's pr-finalize policy requires the description to match implementation before merge.

3/3 consensus across rounds 2 and 3.

New findings (round-3 self-introduced and eval design)

Two minor 💡 observations on the new eval scenario (see inline comments at eval.yaml:86 and eval.yaml:91):

1. The hypothesis is ambiguous about pre-PR vs post-PR state; the rubric credits both correct refutation and incorrect acceptance.
2. The new (medium|low) assertion is a bare substring match that can be triggered by phrases like "medium-sized change" — anchor it to a confidence field.

Both are 2/3 (initial dispute + tiebreaker). Non-blocking — eval design refinements that can land in a follow-up.

CI status

• evaluate (code-review) — pending (re-running after b82bdba49f)
• Skill Validation — last completed run was -2.2% improvement (below the 10% threshold), but the failing scenarios are pre-existing high-variance "negative trigger" tests (CV=4.60, 16.87, 300s timeouts) acknowledged by the author as infra variance, not PR-caused. The new "Blast radius" scenario passed strongly (3.0 → 4.7/5) — and now with the round-3 prompt/assertion improvements, its signal should also be slightly more rigorous (modulo the inline observations).
• Cannot LGTM until the eval check resolves (Verdict Consistency Rule #6).

Test coverage

• Eval coverage added for blast-radius behavior (one scenario, now better-framed).
• Still no eval coverage for the Prior Review Reconciliation behavior — no scenario validates that an agent actually fetches --json reviews, parses prior ❌ Error findings, or applies the override. Carried forward from round 2.

Prior review reconciliation

This is round 3 of multi-model review on this PR. Round-2 findings (review #4311858863 + design comment #4479590465) are tracked in the table above. 5/6 substantive findings are now resolved.

Methodology

3 independent reviewers (Reviewer 1 / Reviewer 2 / Reviewer 3) using different models analyzed the round-3 commit in parallel. One reviewer ran against a slightly-stale worktree (1 commit behind), so its findings were discarded as out-of-date. A tiebreaker reviewer validated the 1/3 findings from the two fresh reviewers. Only ≥2/3-consensus findings survived.

Verdict

NEEDS_CHANGES — one ⚠️ Warning carries over from round 2 (PR description) and is fixable in one command (gh pr edit). Two 💡 Suggestions on eval design are non-blocking. Round-3 code fixes are otherwise sound. CI must also resolve before merge.

[PureWeen]

💡 Testing — Hypothesis is ambiguous about temporal state (pre-PR vs post-PR)

Flagged by: 2/3 reviewers

PR #35223 is the FIX that removes unconditional registration — its root cause description literally says "MauiAppCompatActivity registering a predictive-back callback unconditionally on Android 13+." The hypothesis "the registration may run unconditionally for all activities" is therefore:

• TRUE for pre-PR code (the bug being fixed)
• FALSE for post-PR code (this PR makes it conditional)

The prompt doesn't tell the agent which state to evaluate, and the rubric line "The agent provides evidence-backed acceptance or refutation of the hypothesis — not just echoing it" credits either outcome as long as evidence is provided. A correct refutation and an incorrect acceptance both pass — the test is non-discriminating.

Suggested fix: Reframe so refutation is the unique correct answer, e.g.: "Hypothesis: even after this PR, the registration still runs unconditionally for all activities. Please verify or refute." This makes a wrong "accept" fail the rubric on factual grounds.

Non-blocking — eval design refinement.

[PureWeen]

💡 Testing — (medium|low) substring match is too permissive (round-3 self-introduced)

Flagged by: 2/3 reviewers

The output_matches assertion uses a bare substring regex, so any output containing "medium" or "low" anywhere passes — including innocuous phrases like "a medium-sized change", "low risk of regression", or "medium-priority bug". The skill's own output format at SKILL.md:219 declares confidence as **Confidence:** high | medium | low, so the assertion can be made much more discriminating without losing valid matches.

Suggested fix:

- type: "output_matches"
  pattern: "[Cc]onfidence[:*]*\\s*(medium|low)"

or pin to the exact field name used in the skill's structured output.

Non-blocking — eval design refinement.

[kubaflo]

/review -b feature/refactor-copilot-yml

[MauiBot]

Expert Review — 2 findings

See inline comments for details.

[MauiBot]

[major] Regression Prevention - This keeps the CI verdict rule, but the workflow no longer has a required step that fetches CI status before finalizing. The previous explicit gh pr checks <PR_NUMBER> step was removed, so an agent following the new workflow can reach verdict delivery without collecting the evidence needed to know whether CI is red or pending. Concrete scenario: required checks are failing, but the reviewer never runs a checks command and still emits LGTM. Add a mandatory CI-status collection step/output field before confidence/verdict calibration.

[MauiBot]

🤖 AI Summary

👋 @PureWeen — new AI review results are available. Please review the latest session below.

📊 Review Session — b82bdba · Address second-round review findings · 2026-05-24 14:55 UTC

🚦 Gate — Test Before & After Fix

Gate Result: ⚠️ SKIPPED

No tests were detected in this PR.

Recommendation: Add tests to verify the fix using the write-tests-agent.

---

🧪 UI Tests

No UI test categories needed for this PR (no UI-relevant changes).

---

🔍 Regression Cross-Reference

🟢 No implementation files modified — skipping regression cross-reference.

---

🔍 Pre-Flight — Context & Validation

Issue: N/A - No linked issue detected
PR: #35478 - Improve code-review skill with regression prevention safeguards
Platforms Affected: process/agent skill instructions; requested test platform android is not materially applicable
Files Changed: 2 implementation/eval files, 0 product test files

Key Findings

• PR changes .github/skills/code-review/SKILL.md and .github/skills/code-review/tests/eval.yaml.
• Prior reviews show the duplicate rule numbering was fixed, but the current code-review workflow still lacks an explicit CI-status collection step before applying CI-based verdict rules.
• Gate result was pre-run and skipped because no tests were detected; this phase did not rerun gate verification.
• Impacted UI test categories: NONE — the PR only changes agent skill documentation/eval metadata, not MAUI runtime UI behavior.

Code Review Summary

Verdict: NEEDS_CHANGES
Confidence: low
Errors: 1 | Warnings: 0 | Suggestions: 1

Key code review findings:

• ❌ .github/skills/code-review/SKILL.md:160, .github/skills/code-review/SKILL.md:233 — CI-dependent verdict rules no longer require fetching CI status, so a reviewer can miss red/pending CI and still emit LGTM.
• 💡 .github/skills/code-review/tests/eval.yaml:91 — confidence assertion should be anchored to the structured confidence field instead of matching any medium/low substring.

Fix Candidates

#	Source	Approach	Test Result	Files Changed	Notes
PR	PR #35478	Adds prior-review reconciliation, blast-radius assessment, failure-mode probing, confidence caps, and one blast-radius eval scenario	⚠️ Gate skipped (no tests detected)	.github/skills/code-review/SKILL.md, .github/skills/code-review/tests/eval.yaml	Original PR still has a CI-status workflow gap

---

🔬 Code Review — Deep Analysis

Code Review — PR #35478

Independent Assessment

What this changes: Updates the code-review skill instructions to replace “Devil’s advocate” with concrete failure-mode probing, add prior-review reconciliation, add blast-radius/confidence calibration guidance, and add one eval scenario for platform-infrastructure blast-radius review behavior.
Inferred motivation: Prevent reviewers from missing recurring regression patterns: stale/unresolved prior findings, unbounded blast radius, and overconfident verdicts on risky platform/infrastructure changes.

Reconciliation with PR Narrative

Author claims: The PR adds four safeguards, including a CI verification hard gate, blast-radius assessment, failure-mode probing, prior-review reconciliation, updated output format, and two eval scenarios.
Agreement/disagreement: The code does add prior-review reconciliation, blast-radius assessment, failure-mode probing, and confidence calibration. However, the PR description is stale: it still claims a Step 5 CI verification hard gate and two new eval scenarios, while the current diff has no explicit CI-status gathering step and adds only one eval scenario.

Prior Review Reconciliation

Prior ❌ Error Finding	Source	Status	Evidence
Duplicate 6. in Verdict Consistency Rules	PureWeen review #4311858863	✅ Fixed	Current .github/skills/code-review/SKILL.md:233-235 numbers the rules sequentially as 6, 7, 8.

Findings

❌ Error — CI-dependent verdict rules no longer require fetching CI status

.github/skills/code-review/SKILL.md:160, .github/skills/code-review/SKILL.md:233

The new rules require CI-aware confidence/verdict behavior: CI red or pending caps confidence at low and failing required CI blocks LGTM. But the workflow removed the explicit CI-status step and does not add a replacement command or completion criterion requiring the reviewer to fetch checks before finalizing. A reviewer can now follow the workflow exactly, never learn CI is failing/pending, and still emit an LGTM, defeating the safeguard.

💡 Suggestion — Confidence assertion is too broad

.github/skills/code-review/tests/eval.yaml:91

(medium|low) can match unrelated text such as “medium-sized change” or “low risk.” Consider anchoring it to the structured confidence field, e.g. [Cc]onfidence[:*]*\\s*(medium|low).

Failure-Mode Probing

• CI is failing or pending but the reviewer never checks it: the current workflow provides no required status-gathering step, so Rule 6 may never be applied.
• Prior ❌ finding exists deep in a long review body: current [0:10000] truncation is much safer than the prior 2000-char cap, so this specific earlier issue appears addressed.
• Eval output mentions “low” outside confidence: the scenario can pass without proving confidence calibration happened.

Verdict: NEEDS_CHANGES

Confidence: low (CI has a failing Skill Validation check and Build Analysis is still in progress; confidence is capped by the skill’s own calibration table.)
Summary: The main instruction changes are directionally sound, but the CI safeguard is internally incomplete because the workflow no longer requires collecting CI status before applying CI-based verdict rules. Fixing that would make the skill behavior match its stated invariant.

---

🔧 Fix — Analysis & Comparison

Fix Candidates

#	Source	Approach	Test Result	Files Changed	Notes
1	try-fix	Restore explicit required-CI-status workflow step plus structured ### CI Status output	✅ PASS	1 file	Directly fixes the code-review finding; auditable and robust
2	try-fix	Add required structured ### CI Evidence output and completion criterion	✅ PASS	1 file	Smaller diff, but less prominent than a standalone workflow step
3	try-fix	Consolidate required actions, verdict caps, and confidence caps in a Finalization Gate table	✅ PASS	1 file	Clear decision table, but weaker enforcement than a workflow step
PR	PR #35478	CI handling exists only as confidence/verdict rules without a required CI-fetch workflow step	⚠️ Gate skipped	2 files	Original PR remains incomplete for CI evidence collection

Cross-Pollination

Model	Round	New Ideas?	Details
maui-expert-reviewer	1	Yes	Suggested explicit CI step, structured CI output field, finalization decision table, and anchored confidence eval assertion

Exhausted: Yes
Selected Fix: Candidate #1 — All three candidates passed available static checks, but Candidate #1 is most robust because it makes CI collection a first-class workflow step and records it in the review output. Candidate #2 is smaller but easier to overlook; Candidate #3 improves consistency but does not create an auditable output field.

---

📋 Report — Final Recommendation

Comparative Candidate Report - PR #35478

Candidates Compared

Rank	Candidate	Test / Gate Status	Assessment
1	pr-plus-reviewer	Gate skipped; no regression failure recorded	Best overall. Preserves the PR's intended safeguards and applies expert feedback for both missing CI-status workflow enforcement and missing CI GitHub-evidence access.
2	try-fix-1	PASS	Best STEP 6a alternative. Adds a dedicated required-CI-status step plus structured ### CI Status, making CI collection auditable. It does not address the CI pipeline's lack of GitHub evidence for CopilotReview.
3	try-fix-2	PASS	Adds structured CI evidence to the review output and a completion criterion. Smaller than try-fix-1, but less prominent and still does not solve CI evidence availability.
4	try-fix-3	PASS	Consolidates CI/prior-review/test gates in a finalization table. Useful as policy documentation, but weaker enforcement and no structured output artifact. It also misses CI evidence availability.
5	pr	Gate skipped; expert review found major issues	The raw PR improves review discipline but leaves unresolved workflow/data-path gaps: CI status is not explicitly collected, and the CI review phase cannot access prior-review/check evidence.

Regression-Test Ordering

No candidate is recorded as failing regression tests. All STEP 6a try-fix candidates passed their available static checks; the gate was skipped because no tests were detected in this PR. Therefore, ranking is based on completeness and enforceability of the fix rather than demoting any candidate for regression failure.

Winning Candidate

Winner: pr-plus-reviewer

pr-plus-reviewer is the only candidate that addresses all expert-review findings: it combines the explicit CI-status workflow/output from the strongest try-fix approach with a required data path for prior-review and check evidence in CI. The raw PR remains incomplete, and each try-fix candidate fixes only the skill-instruction side of the problem.

Notes for Implementation

If implementing the winning candidate in the PR branch, prefer persisted local artifacts over exposing GH_TOKEN to the Copilot agent subprocess. That keeps the PR's secret-minimization design while still giving the review workflow the evidence required by the updated code-review skill.

---