General
PromptBeginner5 minmarkdown
Untitled Skill
193
Guidance for reviewing pull requests on this repository. The first three sections are
Loading actions...
Main instructions and any bundled files for this skill.
Guidance for reviewing pull requests on this repository. The first three sections are stable principles; the Recurring Catches section is auto-maintained from past human review rounds and grows over time.
Protocol & spec
schema.ts exactly (optional vs required fields)ProtocolError codes (enum ProtocolErrorCode); HTTP status codes match spec (e.g., 404 vs 410)python-sdk does for the same featureAPI surface
Correctness
awaitany, no unsafe as assertionsTests & docs
docs/migration.md and docs/migration-SKILL.mddocs/**/*.md describes the old behavior and needs updating; flag prose that now contradicts the implementationexamples/ needs a new or updated exampleexamples/ still compile and demonstrate the current APIWhen verifying spec compliance, consult the spec directly rather than relying on memory:
https://modelcontextprotocol.io/mcphttps://modelcontextprotocol.io/llms-full.txt — fetch to a temp file and grep for the relevant sectionschema.tsMcp-Session-Id, return 400 for a missing header and 404 for an unknown/expired session — never conflate !sessionId || !transports[sessionId] into one status, because the client needs to distinguish "fix your request" from "start a new session". Flag any diff that branches on session-id presence/lookup with a single 4xx. (#1707, #1770)catch blocks must not emit client-fault JSON-RPC codes (-32700 ParseError, -32602 InvalidParams) for server-internal failures like stream setup, task-store misses, or polling errors — map those to -32603 InternalError so clients don't retry/reformat pointlessly. Flag any catch-all that hard-codes ParseError/InvalidParams without discriminating the thrown cause. (#1752, #1769)schemas.ts, verify unknown-key handling matches the spec schema.ts: if the spec type has no additionalProperties: false, the SDK schema must use z.looseObject() / .catchall(z.unknown()) rather than implicit strict — over-strict Zod (incl. z.literal('object') on type) rejects spec-valid payloads from other SDKs. Also confirm the spec.types.*.test.ts comparisons still pass bidirectionally. (#1768, #1849, #1169)close() / shutdown paths, wrap user-supplied or chained callbacks (onclose?.(), cancel fns) in try/finally so a throw can't skip the remaining teardown (abort(), _onclose(), map clears) — otherwise the transport is left half-open. (#1735, #1763)setTimeout, .finally(), reconnect closures) must check closed/aborted state before mutating this._* or starting I/O — a callback scheduled pre-close can fire after close/reconnect and corrupt the new connection's state (e.g., delete the new request's AbortController). (#1735, #1763).changeset/*.md text and new inline comments against the implementation in the same diff — prose that promises behavior the code no longer ships misleads consumers and contradicts stated intent. Flag any claim the diff doesn't back. (#1718, #1838)pnpm publish delegates to the system npm CLI (so npm OIDC works), and changesets/action in publish mode has no PR-comment step requiring pull-requests: write. For diffs under .github/workflows/, confirm claimed behavior in the action's README/source before flagging. (#1838, #1836)TypeScript and ESLint rules that MUST be followed when creating, modifying, or reviewing any file under apps/frontend/, including .ts, .tsx, .js, and .jsx files. Also apply when discussing frontend li...
risks