The reviewer shouldn’t be the onewho finds the console.log.
Six Codex skills that guard the code you ship — writing the PR description from the real diff, catching security smells and breaking changes, normalizing commits, drafting review comments — plus a real script that returns PASS or BLOCK on the diff before it ever becomes a PR.
Code review dies by a thousand small misses.
The expensive part of a pull request isn’t the logic — it’s everything around it. The reviewer opens the diff and spends the first ten minutes on a stray console.log, a conflict marker that survived a bad merge, a commit message that just says “updates,” and a description that doesn’t match the code. By the time they reach the actual change, their attention is spent.
Worse are the misses that get through: the it.only that quietly disabled half the suite, the hardcoded key now living in git history forever, the renamed parameter that just broke every consumer of your package.
The most expensive minutes of a review go to mechanical junk — a stray console.log, a leftover conflict marker, a commit that just says 'updates' — before the reviewer ever reaches the logic.
A hardcoded key committed once lives in history forever. The careless secret is the miss that turns a code-review slip into an incident — and it's exactly the kind a fast pass catches.
The focused test that silently disabled half the suite, the renamed parameter that broke every consumer — the quiet ones that compile, pass review, and surface in production.
Clear about the lane. No inflated promises.
- Six production-grade SKILL.md skills with NEVER/ALWAYS guardrails and worked examples.
- A real, runnable pr-hygiene-gate.py — stdlib + git, PASS/BLOCK, non-zero exit for a pre-push hook or CI.
- An AGENTS.md companion for repo-wide Codex review discipline, every session.
- Reference docs per skill: checks reference, smell catalog, contract surfaces, review rubric, conventional-commits.
- Cross-tool by the Agent Skills open standard: Codex, Claude Code, Cursor, Gemini CLI, Copilot.
- Not a SAST tool — it's the fast pre-flight that Codex Security / Snyk / SonarQube run after.
- Never claims a smell is an exploitable vuln — it flags patterns and defers validation.
- Not a linter or formatter — it catches what those miss, and recommends them for style.
- No auto-rewriting of your code or commits — every change is proposed and approved.
- No SaaS, no monthly fee, no telemetry — your code never leaves your environment.
Six skills + a gate that runs.
Clean the diff, write the description, catch the breaks, draft the review. Every skill is single-purpose and composes with the others — tight skills beat one bloated mega-skill.
“write the PR description,” “describe this PR,” “draft the pull request”
Writes the PR description from the actual diff — summary, why, how-to-test, risk/rollback, breaking changes. Grounded in what the code does, not what the ticket hoped for.
“any security issues,” “check for vulnerabilities,” “is this safe”
Fast, diff-scoped pass for injection, unsafe sinks, secrets, and weak crypto. Pairs each smell with the secure pattern — and defers to Codex Security / SAST for validated depth. Never claims exploitability.
“is this a breaking change,” “will this break consumers,” “need a major?”
Classifies each change as breaking, behavioral, or safe — separating public contract from internal code. HOLDs when it can't tell if a surface is public, and never hands out a false all-clear.
“fix my commit message,” “conventional commits,” “clean up my commits”
Rewrites messages to Conventional Commits and splits a mixed staged blob into logical, bisectable commits. Derives type/scope from the diff — never fabricates meaning to sound right.
“review this PR,” “leave review comments,” “code review this diff”
Drafts review comments sorted into BLOCKING / SUGGESTION / NIT, each with a reason and a concrete fix. Kind in tone, honest in substance — no nitpick storms, no vague 'this seems off.'
“check my PR,” “ready to push,” runs in a pre-push hook / CI
A real, runnable script that scans the diff and returns PASS or BLOCK with file-and-line proof — debug statements, secrets, conflict markers, focused tests. Exits non-zero so it gates CI.
The gate actually runs. Here’s real output.
This is pr-hygiene-gate.py against a deliberately dirty diff — not a screenshot of a promise. It found five blocking issues, exited non-zero, and refused to let the PR open. That’s the honesty spine, executable.
$ python scripts/pr-hygiene-gate.py --base main
BLOCK files=3 added_lines=12 critical=5 warning=1
------------------------------------------------------------------------
BLOCKING (fix before opening the PR) (5)
• [debug-statement] src/auth.ts:12
Debug statement left in. Remove before opening the PR.
› console.log('debug login', u)
• [hardcoded-secret] src/auth.ts:13
Possible hardcoded secret. Move to an env var / secret store.
› const api_key = "sk-live-..."
• [merge-conflict-marker] src/checkout.ts:6
• [merge-conflict-marker] src/checkout.ts:8
• [focused-or-skipped-test] src/payments.test.ts:4
Focused/skipped test (.only/.skip) — silently disables the suite.
WARNINGS (review, non-blocking) (1)
• [untracked-todo] src/auth.ts:14
Verdict: BLOCK. Resolve the blocking items, then re-run.
$ echo $?
1Stdlib + git, no install. Reads --base, --staged, or a piped diff. JSON mode for CI, --allow to scope, and it only ever reads.
In front of Codex Security — not against it.
OpenAI’s Codex Security is the deep, repo-wide, sandbox-validated audit. This pack is the fast local pass before the PR exists. They’re complementary, and the pack says so out loud — the security-smell-scanner explicitly defers to Codex Security and SAST for validated findings.
Fast, local, diff-scoped. Runs in seconds on the lines you're about to push. Catches the obvious smells and the mechanical junk so they never reach a reviewer — or a deep scanner's queue. Flags patterns; never claims exploitability.
Repository-wide threat modeling, sandbox validation, remediation PRs (Codex Security); compliance-grade scanning (Snyk, SonarQube). The pack defers to these for validated, whole-system findings — and keeps them from wasting cycles on careless mistakes.
The skills chain into the review lifecycle.
A generic AI tool is a one-shot. A skill is a step in a workflow. Here’s how the six run together across the moments a PR passes through.
The PR a reviewer opens is already worth their time — the mechanical junk never reaches them.
Blocks the mechanical junk first — debug statements, conflict markers, secrets, focused tests — exiting non-zero until the diff is clean.
Flags the obvious injection, secret, and weak-crypto smells in the lines you're about to push, deferring to Codex Security / SAST for validated depth.
Drafts the writeup from the now-clean diff — summary, why, how-to-test, risk, breaking changes. The reviewer starts on the logic, not the noise.
No consumer gets surprised by a silent break.
Classifies every contract change as breaking, behavioral, or safe, and drafts the migration note — HOLDing when it can't tell if a surface is public.
Drops the classified breaking changes straight into the PR's Breaking changes section, with the migration guidance attached.
Reviewable commits in, actionable review out.
Splits a mixed staged blob and relabels it to Conventional Commits — a bisectable history derived from the diff, never invented.
Reviews the diff with feedback sorted BLOCKING / SUGGESTION / NIT, each with a reason and a concrete fix. No nitpick storms.
This pack guards new code. Two siblings cover the rest.
Exactly what you get for $79, and what you don’t: six skills and a gate that keep every PR clean — not a tool that fixes the old code or documents it. Those are the jobs of the two Codex siblings below; together they’re the dev-team trio.
Codex Migration & Refactor Pack
$99Framework upgrades, dependency sweeps, monolith extraction, dead-code removal — with its own runnable verifier. Fix the old code, then use this pack to guard every PR after.
Technical Documentation Engine
$99README, API reference, ADRs, onboarding, changelogs (Diátaxis) + a runnable coverage auditor. Guard the new code, then document all of it — coverage proven, not assumed.
The questions developers actually ask before installing.
They operate at different depths and they're complementary. Codex Security is OpenAI's heavyweight application-security agent — it builds a repository-wide threat model, validates findings in a sandbox, and proposes remediation PRs. It's the deep, asynchronous, whole-system audit. This pack is the fast, local, diff-scoped pass you run before the PR even exists: the security-smell-scanner catches the obvious injection, secret, and weak-crypto smells in the lines you're about to push, and the PR-hygiene gate blocks debug statements and conflict markers. The pack explicitly defers to Codex Security and to SAST tools like Snyk and SonarQube for validated, repo-wide analysis. The two together mean the heavyweight tools (and your reviewers) aren't wasting cycles on careless mistakes.
A dependency-free Python script (stdlib + git, no install) that reads your diff and returns PASS or BLOCK with file-and-line locations. It blocks leftover merge-conflict markers, debug statements (console.log, debugger, pdb.set_trace), hardcoded secrets, and focused/skipped tests (.only/.skip) that silently disable your suite. It warns on untracked TODOs, oversized diffs, and source changed without a test. It exits non-zero on BLOCK, so it drops straight into a pre-push hook or CI. It's genuinely executable — it reads only, never edits your code.
Each skill is a standard SKILL.md folder. Codex loads skills from your skills directory (commonly ~/.agents/skills/ or ~/.codex/skills/) and discovers them automatically when your task matches the description, or you invoke one with /skills. The PR-hygiene-gate skill ships a scripts/ folder Codex runs natively. The pack also includes an AGENTS.md companion you drop in your repo root so Codex enforces review discipline — gate-before-PR, conventional commits, no secrets — on every session. Codex skill support has been GA since December 2025.
No. The skills follow the Agent Skills open standard, so the SKILL.md files also work in Claude Code, Cursor, Gemini CLI, and Copilot's agent mode. The AGENTS.md companion is Codex-and-Cursor-native. The hygiene-gate script is plain Python and runs anywhere — in a skill, a git hook, or CI. We built and named it for Codex because its terminal-first, repo-editing workflow is the natural home for pre-PR checks, but nothing is locked to one tool.
No. The gate and the detectors read only. The skills propose — a PR description, a commit grouping, review comments, a list of breaking changes — and you approve before anything is applied. The commit-message-normalizer suggests how to split and label commits; it doesn't silently rewrite your history. Every action that touches the repo is explicit and reversible by design.
A linter catches style; it doesn't write a PR description from your diff, classify a signature change as a breaking change, or draft review comments sorted by severity. A junior reviewer catches some of it, inconsistently, and burns senior time doing so. This pack encodes the senior-engineer reflexes — the ones that separate a blocking bug from a nit, spot the new required parameter that breaks consumers, and refuse to let a hardcoded secret reach git history — and applies them the same way every time, before the PR is opened.
They're the two halves of the dev-team pair. This pack guards the new code you ship — it gates every PR, catches secrets and breaking changes, and keeps review focused. The Migration & Refactor Pack ($99) fixes the old code you inherited — framework upgrades, dependency rot, monolith seams, dead code — with its own runnable verifier. Buy both for the full lifecycle: migrate safely, then guard every PR after. The third sibling, the Technical Documentation Engine, documents all of it.
Thirty days, no questions. Run the hygiene gate against a branch you think is clean — if it comes back PASS, you lost nothing; if it BLOCKs on a secret or a stray console.log you'd have shipped, the pack already paid for itself. If it doesn't earn its price in the first 30 days, email us and we refund in full.
Catch it before the reviewer does.
Run the gate against a branch you think is clean. If it PASSes, you lost nothing. If it BLOCKs on a secret or a stray console.log, the pack just paid for itself. Thirty-day refund either way.
Sold by RedHub AI LLC · Secured by Stripe · redhub.ai