For developers, fast-moving teams & OSS maintainers

The reviewer shouldn’t be the onewho finds the console.log.

Six Codex skills that guard the code you ship — writing the PR description from the real diff, catching security smells and breaking changes, normalizing commits, drafting review comments — plus a real script that returns PASS or BLOCK on the diff before it ever becomes a PR.

Get the Pack — $79one-time · instant delivery · 30-day refund
Six skills · One runnable gate
PR Description Writer
Diff-grounded PRs
Security Smell Scanner
Smells, pre-flight
Breaking-Change Detector
No silent breaks
Commit Message Normalizer
Bisectable history
Review Comment Drafter
Severity-sorted
PR Hygiene Gate
PASS or BLOCK
Works alongside
Codex · Claude Code · Cursor · Gemini CLI · Copilot
01.The Problem

Code review dies by a thousand small misses.

The expensive part of a pull request isn’t the logic — it’s everything around it. The reviewer opens the diff and spends the first ten minutes on a stray console.log, a conflict marker that survived a bad merge, a commit message that just says “updates,” and a description that doesn’t match the code. By the time they reach the actual change, their attention is spent.

Worse are the misses that get through: the it.only that quietly disabled half the suite, the hardcoded key now living in git history forever, the renamed parameter that just broke every consumer of your package.

The first 10 min

The most expensive minutes of a review go to mechanical junk — a stray console.log, a leftover conflict marker, a commit that just says 'updates' — before the reviewer ever reaches the logic.

git history forever

A hardcoded key committed once lives in history forever. The careless secret is the miss that turns a code-review slip into an incident — and it's exactly the kind a fast pass catches.

it.only

The focused test that silently disabled half the suite, the renamed parameter that broke every consumer — the quiet ones that compile, pass review, and surface in production.

02.What This Is — And Isn't

Clear about the lane. No inflated promises.

What this is
  • Six production-grade SKILL.md skills with NEVER/ALWAYS guardrails and worked examples.
  • A real, runnable pr-hygiene-gate.py — stdlib + git, PASS/BLOCK, non-zero exit for a pre-push hook or CI.
  • An AGENTS.md companion for repo-wide Codex review discipline, every session.
  • Reference docs per skill: checks reference, smell catalog, contract surfaces, review rubric, conventional-commits.
  • Cross-tool by the Agent Skills open standard: Codex, Claude Code, Cursor, Gemini CLI, Copilot.
What this isn't
  • Not a SAST tool — it's the fast pre-flight that Codex Security / Snyk / SonarQube run after.
  • Never claims a smell is an exploitable vuln — it flags patterns and defers validation.
  • Not a linter or formatter — it catches what those miss, and recommends them for style.
  • No auto-rewriting of your code or commits — every change is proposed and approved.
  • No SaaS, no monthly fee, no telemetry — your code never leaves your environment.
03.The Six Skills

Six skills + a gate that runs.

Clean the diff, write the description, catch the breaks, draft the review. Every skill is single-purpose and composes with the others — tight skills beat one bloated mega-skill.

Diff-grounded PRs
PR Description Writer
pr-description-writer
Triggers

“write the PR description,” “describe this PR,” “draft the pull request”

Writes the PR description from the actual diff — summary, why, how-to-test, risk/rollback, breaking changes. Grounded in what the code does, not what the ticket hoped for.

Smells, pre-flight
Security Smell Scanner
security-smell-scanner
Triggers

“any security issues,” “check for vulnerabilities,” “is this safe”

Fast, diff-scoped pass for injection, unsafe sinks, secrets, and weak crypto. Pairs each smell with the secure pattern — and defers to Codex Security / SAST for validated depth. Never claims exploitability.

No silent breaks
Breaking-Change Detector
breaking-change-detector
Triggers

“is this a breaking change,” “will this break consumers,” “need a major?”

Classifies each change as breaking, behavioral, or safe — separating public contract from internal code. HOLDs when it can't tell if a surface is public, and never hands out a false all-clear.

Bisectable history
Commit Message Normalizer
commit-message-normalizer
Triggers

“fix my commit message,” “conventional commits,” “clean up my commits”

Rewrites messages to Conventional Commits and splits a mixed staged blob into logical, bisectable commits. Derives type/scope from the diff — never fabricates meaning to sound right.

Severity-sorted
Review Comment Drafter
review-comment-drafter
Triggers

“review this PR,” “leave review comments,” “code review this diff”

Drafts review comments sorted into BLOCKING / SUGGESTION / NIT, each with a reason and a concrete fix. Kind in tone, honest in substance — no nitpick storms, no vague 'this seems off.'

PASS or BLOCK
PR Hygiene Gate
pr-hygiene-gate
Triggers

“check my PR,” “ready to push,” runs in a pre-push hook / CI

A real, runnable script that scans the diff and returns PASS or BLOCK with file-and-line proof — debug statements, secrets, conflict markers, focused tests. Exits non-zero so it gates CI.

04.The Gate, Live

The gate actually runs. Here’s real output.

This is pr-hygiene-gate.py against a deliberately dirty diff — not a screenshot of a promise. It found five blocking issues, exited non-zero, and refused to let the PR open. That’s the honesty spine, executable.

skills/pr-hygiene-gate/scripts/pr-hygiene-gate.py
stdlib + git · no install
$ python scripts/pr-hygiene-gate.py --base main

  BLOCK   files=3  added_lines=12  critical=5  warning=1
------------------------------------------------------------------------

BLOCKING (fix before opening the PR) (5)
  • [debug-statement] src/auth.ts:12
      Debug statement left in. Remove before opening the PR.
      › console.log('debug login', u)
  • [hardcoded-secret] src/auth.ts:13
      Possible hardcoded secret. Move to an env var / secret store.
      › const api_key = "sk-live-..."
  • [merge-conflict-marker] src/checkout.ts:6
  • [merge-conflict-marker] src/checkout.ts:8
  • [focused-or-skipped-test] src/payments.test.ts:4
      Focused/skipped test (.only/.skip) — silently disables the suite.

WARNINGS (review, non-blocking) (1)
  • [untracked-todo] src/auth.ts:14

Verdict: BLOCK. Resolve the blocking items, then re-run.
$ echo $?
1

Stdlib + git, no install. Reads --base, --staged, or a piped diff. JSON mode for CI, --allow to scope, and it only ever reads.

05.Where It Fits

In front of Codex Security — not against it.

OpenAI’s Codex Security is the deep, repo-wide, sandbox-validated audit. This pack is the fast local pass before the PR exists. They’re complementary, and the pack says so out loud — the security-smell-scanner explicitly defers to Codex Security and SAST for validated findings.

This pack — the pre-flight

Fast, local, diff-scoped. Runs in seconds on the lines you're about to push. Catches the obvious smells and the mechanical junk so they never reach a reviewer — or a deep scanner's queue. Flags patterns; never claims exploitability.

Codex Security / SAST — the deep audit

Repository-wide threat modeling, sandbox validation, remediation PRs (Codex Security); compliance-grade scanning (Snyk, SonarQube). The pack defers to these for validated, whole-system findings — and keeps them from wasting cycles on careless mistakes.

06.Composition

The skills chain into the review lifecycle.

A generic AI tool is a one-shot. A skill is a step in a workflow. Here’s how the six run together across the moments a PR passes through.

Composition 01 · The pre-PR pass

The PR a reviewer opens is already worth their time — the mechanical junk never reaches them.

pr-hygiene-gate

Blocks the mechanical junk first — debug statements, conflict markers, secrets, focused tests — exiting non-zero until the diff is clean.

security-smell-scanner

Flags the obvious injection, secret, and weak-crypto smells in the lines you're about to push, deferring to Codex Security / SAST for validated depth.

pr-description-writer

Drafts the writeup from the now-clean diff — summary, why, how-to-test, risk, breaking changes. The reviewer starts on the logic, not the noise.

Composition 02 · The release check

No consumer gets surprised by a silent break.

breaking-change-detector

Classifies every contract change as breaking, behavioral, or safe, and drafts the migration note — HOLDing when it can't tell if a surface is public.

pr-description-writer

Drops the classified breaking changes straight into the PR's Breaking changes section, with the migration guidance attached.

Composition 03 · Clean history, fast review

Reviewable commits in, actionable review out.

commit-message-normalizer

Splits a mixed staged blob and relabels it to Conventional Commits — a bisectable history derived from the diff, never invented.

review-comment-drafter

Reviews the diff with feedback sorted BLOCKING / SUGGESTION / NIT, each with a reason and a concrete fix. No nitpick storms.

07.Composes With Your RedHub Stack

This pack guards new code. Two siblings cover the rest.

Exactly what you get for $79, and what you don’t: six skills and a gate that keep every PR clean — not a tool that fixes the old code or documents it. Those are the jobs of the two Codex siblings below; together they’re the dev-team trio.

08.Common Questions

The questions developers actually ask before installing.

They operate at different depths and they're complementary. Codex Security is OpenAI's heavyweight application-security agent — it builds a repository-wide threat model, validates findings in a sandbox, and proposes remediation PRs. It's the deep, asynchronous, whole-system audit. This pack is the fast, local, diff-scoped pass you run before the PR even exists: the security-smell-scanner catches the obvious injection, secret, and weak-crypto smells in the lines you're about to push, and the PR-hygiene gate blocks debug statements and conflict markers. The pack explicitly defers to Codex Security and to SAST tools like Snyk and SonarQube for validated, repo-wide analysis. The two together mean the heavyweight tools (and your reviewers) aren't wasting cycles on careless mistakes.

6 skills · runnable gate · CI gate · $79

Catch it before the reviewer does.

Run the gate against a branch you think is clean. If it PASSes, you lost nothing. If it BLOCKs on a secret or a stray console.log, the pack just paid for itself. Thirty-day refund either way.

Sold by RedHub AI LLC · Secured by Stripe · redhub.ai