✍️ ライティングコミュニティ

✍️ Simplify And Harden

simplify-and-harden

??ーディングエージェントが完了したコード変更に対し、簡素化、堅牢化、マイクロドキュメント化のレビューを自動で行い、品質とセキュリティを向上させるためのSkillです。

📜 元の英語説明(参考)

Post-completion self-review for coding agents that runs simplify, harden, and micro-documentation passes on non-trivial code changes. Use when: a coding task is complete in a general agent session and you want a bounded quality and security sweep before signaling done. For CI pipeline execution, use simplify-and-harden-ci.

🇯🇵 日本人クリエイター向け解説

一言でいうと

※ jpskill.com 編集部が日本のビジネス現場向けに補足した解説です。Skill本体の挙動とは独立した参考情報です。

⚡ おすすめ: コマンド1行でインストール(60秒)

下記のコマンドをコピーしてターミナル(Mac/Linux)または PowerShell(Windows)に貼り付けてください。ダウンロード → 解凍 → 配置まで全自動。

🍎 Mac / 🐧 Linux

mkdir -p ~/.claude/skills && cd ~/.claude/skills && curl -L -o simplify-and-harden.zip https://jpskill.com/download/5383.zip && unzip -o simplify-and-harden.zip && rm simplify-and-harden.zip

🪟 Windows (PowerShell)

$d = "$env:USERPROFILE\.claude\skills"; ni -Force -ItemType Directory $d | Out-Null; iwr https://jpskill.com/download/5383.zip -OutFile "$d\simplify-and-harden.zip"; Expand-Archive "$d\simplify-and-harden.zip" -DestinationPath $d -Force; ri "$d\simplify-and-harden.zip"

完了後、Claude Code を再起動 → 普通に「動画プロンプト作って」のように話しかけるだけで自動発動します。

💾 手動でダウンロードしたい(コマンドが難しい人向け)

1. 下の青いボタンを押して simplify-and-harden.zip をダウンロード
2. ZIPファイルをダブルクリックで解凍 → simplify-and-harden フォルダができる
3. そのフォルダを C:\Users\あなたの名前\.claude\skills\(Win)または ~/.claude/skills/(Mac)へ移動
4. Claude Code を再起動

⬇ .zip でダウンロード(推奨) ⬇ .skill 形式(上級者用) 元のソース ↗

⚠️ ダウンロード・利用は自己責任でお願いします。当サイトは内容・動作・安全性について責任を負いません。

🎯 このSkillでできること

下記の説明文を読むと、このSkillがあなたに何をしてくれるかが分かります。Claudeにこの分野の依頼をすると、自動で発動します。

📦 インストール方法 (3ステップ)

1. 上の「ダウンロード」ボタンを押して .skill ファイルを取得
2. ファイル名の拡張子を .skill から .zip に変えて展開(macは自動展開可)
3. 展開してできたフォルダを、ホームフォルダの .claude/skills/ に置く
- · macOS / Linux: ~/.claude/skills/
- · Windows: %USERPROFILE%\.claude\skills\

Claude Code を再起動すれば完了。「このSkillを使って…」と話しかけなくても、関連する依頼で自動的に呼び出されます。

詳しい使い方ガイドを見る →

最終更新: 2026-05-17
取得日時: 2026-05-17
同梱ファイル: 2

📖 Skill本文(日本語訳)

※ 原文(英語/中国語)を Gemini で日本語化したものです。Claude 自身は原文を読みます。誤訳がある場合は原文をご確認ください。

[スキル名] simplify-and-harden

エージェントスキル: Simplify & Harden

インストール

npx skills add pskoett/pskoett-ai-skills/simplify-and-harden

CI専用の実行には、以下を使用してください。

npx skills add pskoett/pskoett-ai-skills/simplify-and-harden-ci

メタデータ

フィールド	値
スキルID	`simplify-and-harden`
バージョン	0.1.0
トリガー	完了後フック
作者	Peter Skøtt Pedersen
カテゴリ	コード品質 / セキュリティ
優先度	推奨

根拠と哲学

コーディングエージェントがタスクを完了すると、問題、解決策、およびその過程で行ったトレードオフについて、最高のコンテキスト理解を保持しています。このコンテキストはすぐに劣化し、次のタスクで一掃されます。Simplify & Harden は、エージェントが次に進む前に、この最高のコンテキストウィンドウを利用して、2つの集中的なレビューパスを実行します。

ほとんどのエージェントはチケットを解決して停止します。このスキルは、「完了」を「うまく完了」に変えます。

運用哲学は、次に進む前の意図的な「新鮮な目」による自己レビューです。新しく書かれたすべてのコードと、タスクで変更された既存のすべてのコードを注意深く読み直し、明らかなバグ、エラー、混乱を招くロジック、脆い仮定、命名の問題、見落とされた強化の機会を熱心に探します。目標は、スコープを拡大したり、ソリューションを書き直したりすることではありません。エージェントがすべての変更の意図をまだ覚えている間に、最高のコンテキストを使用して、規律ある最初のレビューパスを実行することです。

独立したレビューとの最適な使用法

このスキルは完了後の自己パスであり、独立したレビューパスに代わるものではありません。

推奨されるフロー:

タスクを実装します。
Simplify & Harden を実行して、非自明な決定をクリーンアップ、強化、文書化します。
独立したレビューパスを実行して、重要度順に発見事項を特定します。
両方のパスが対処された後にのみマージします。

両者が意見を異にする場合、独立したレビューの発見事項を外部ゲートとして扱い、発見事項を修正するか、明示的に免除してください。

トリガー条件

以下のすべてが真の場合、スキルは自動的にアクティブになります。

エージェントが主要なコーディングタスクを完了している
エージェントがタスク完了を通知している（終了コード0、PR準備完了、または同等）
差分に非自明なコード変更が含まれている（以下の定義を参照）
スキルがこのタスクでまだ実行されていない（再入ループなし）

非自明なコード変更の定義

以下の両方を満たす場合、差分を非自明と見なします。

少なくとも1つの実行可能なソースファイルに触れている（例: *.ts、*.tsx、*.js、*.jsx、*.py、*.go、*.rs、*.java、*.cs、*.rb、*.php、*.swift、*.kt、*.scala、*.sh）。
以下のいずれかを含んでいる:
- 実行可能なソースファイルで、コメントや空白以外の変更された行が少なくとも10行、または
- 少なくとも1つの影響の大きいロジック変更（認証/認可チェック、入力検証、データアクセス/クエリロジック、外部コマンド実行、ファイルパス処理、ネットワークリクエスト処理、または並行性制御）。

差分がドキュメントのみ、設定のみ、コメントのみ、書式設定のみ、生成された成果物のみ、またはテストのみの場合、非自明 = false と見なします。

以下の場合はスキルはアクティブになりません。

エージェントが失敗したか中断された
変更がドキュメントのみである
変更がテストのみである
変更が生成されたファイルである（ロックファイル、ビルド成果物）
ユーザーが --no-review または同等のフラグで明示的にスキップした

スコープの制約

厳格なルール: このタスクで変更されたコードのみに触れること。

エージェントは以下を行ってはなりません。

変更していない隣接するコードをリファクタリングする
差分外の「ついでに」改善を追求する
新しい依存関係やアーキテクチャの変更を導入する
他で気づいたパターンに基づいて投機的な修正を行う

エージェントは、スコープ外の懸念事項を要約出力でフラグ付けすべきであり、それらに対処すべきではありません。

予算制限:

最大追加変更: 元の差分サイズ（変更された行数で測定）の20%
最大実行時間: 60秒（設定可能）
いずれかの制限に達した場合、エージェントは停止し、budget_exceeded フラグとともに現在の出力を出力します。

パス 1: 簡素化

目的: 実装中に導入された不必要な複雑さを軽減します。

デフォルトの姿勢: 簡素化し、再構築しないこと。 このパスの主な目標は、軽量なクリーンアップです。ノイズの除去、命名の引き締め、デッドコードの削除などです。エージェントは、コードの構造を変更せずにコードをよりクリーンにする表面的な修正に大きく偏るべきです。リファクタリングは例外であり、ルールではありません。

新鮮な目での開始（必須）: このパスで編集を行う前に、このタスクで追加または変更されたすべてのコードを「新鮮な目」で読み直し、明らかなバグ、エラー、混乱を招くロジック、脆い仮定、命名の問題、見落とされた強化の機会を積極的に探します。

エージェントは自身の作業をレビューし、次のように問いかけます。

「完全な解決策を理解した今、これを表現するもっと簡単な方法はないだろうか？」

レビューチェックリスト

デッドコードと足場 -- デバッグログ、コメントアウトされた試み、未使用のインポート、イテレーションループからの仮変数などを残していないか？それらを削除します。
命名の明確さ -- 関数名、変数、パラメーターは、新鮮な目で読んだときに意味が通じるか？実装中に意味があった名前が、後から見ると分かりにくい場合があります。それらをリネームします。
制御フロー -- 入れ子になった条件文を平坦化できないか？早期リターンで深いネストを置き換えられないか？簡素化できるブール式はないか？それらを引き締めます。
APIサーフェス -- 必要以上に公開していないか？公開メソッド/関数をプライベートにできないか？可視性を減らします。
過剰な抽象化 -- 現在のスコープで正当化されないクラス、インターフェース、またはラッパー関数を作成していないか？エージェントは過剰設計しがちです。フラグを立てますが、大きなメリットがない限り再構築しないでください。
統合の機会 -- ロジックを複数の関数やファイルに分散させていないか、1か所にまとめられないか？フラグを立てますが、リファクタリングを提案するだけにとどめます。

📜 原文 SKILL.md(Claudeが読む英語/中国語)を展開

Agent Skill: Simplify & Harden

Install

npx skills add pskoett/pskoett-ai-skills/simplify-and-harden

For CI-only execution, use:

npx skills add pskoett/pskoett-ai-skills/simplify-and-harden-ci

Metadata

Field	Value
Skill ID	`simplify-and-harden`
Version	0.1.0
Trigger	Post-completion hook
Author	Peter Skøtt Pedersen
Category	Code Quality / Security
Priority	Recommended

Rationale and Philosophy

When a coding agent completes a task, it holds peak contextual understanding of the problem, the solution, and the tradeoffs it made along the way. This context degrades immediately -- the next task wipes the slate. Simplify & Harden exploits that peak context window to perform two focused review passes before the agent moves on.

Most agents solve the ticket and stop. This skill turns "done" into "done well."

The operating philosophy is a deliberate "fresh eyes" self-review before moving on: carefully re-read all newly written code and all existing code modified in the task, and look hard for obvious bugs, errors, confusing logic, brittle assumptions, naming issues, and missed hardening opportunities. The goal is not to expand scope or rewrite the solution -- it is to use peak context to perform a disciplined first review pass while the agent still remembers the intent behind every change.

Best Use with Independent Review

This skill is a post-completion self-pass and does not replace an independent review pass.

Recommended flow:

Implement the task.
Run Simplify & Harden to clean, harden, and document non-obvious decisions.
Run an independent review pass for severity-ordered findings.
Merge only after both passes are addressed.

If the two disagree, treat the independent review findings as the external gate and either fix or explicitly waive findings.

Trigger Conditions

The skill activates automatically when ALL of the following are true:

The agent has completed its primary coding task
The agent signals task completion (exit code 0, PR ready, or equivalent)
The diff contains a non-trivial code change (see definition below)
The skill has not already run on this task (no re-entry loops)

Non-trivial code change definition

Treat a diff as non-trivial when it satisfies BOTH of the following:

It touches at least one executable source file (for example: *.ts, *.tsx, *.js, *.jsx, *.py, *.go, *.rs, *.java, *.cs, *.rb, *.php, *.swift, *.kt, *.scala, *.sh).
It includes either:
- At least 10 changed non-comment, non-whitespace lines in executable source files, OR
- At least one high-impact logic change (auth/authz checks, input validation, data access/query logic, external command execution, file path handling, network request handling, or concurrency control).

Treat the diff as non-trivial = false when it is docs-only, config-only, comments-only, formatting-only, generated artifacts only, or tests-only.

The skill does NOT activate when:

The agent failed or was interrupted
The change is documentation-only
The change is tests-only
The change is a generated file (lockfiles, build artifacts)
The user explicitly skips it via --no-review or equivalent flag

Scope Constraints

Hard rule: Only touch code modified in this task.

The agent MUST NOT:

Refactor adjacent code it did not modify
Pursue "while I'm here" improvements outside the diff
Introduce new dependencies or architectural changes
Make speculative fixes based on patterns it noticed elsewhere

The agent SHOULD flag out-of-scope concerns in the summary output rather than acting on them.

Budget limits:

Maximum additional changes: 20% of the original diff size (measured in lines changed)
Maximum execution time: 60 seconds (configurable)
If either limit is hit, the agent stops and outputs what it has with a budget_exceeded flag

Pass 1: Simplify

Objective: Reduce unnecessary complexity introduced during implementation.

Default posture: simplify, don't restructure. The primary goal of this pass is lightweight cleanup -- removing noise, tightening naming, killing dead code. The agent should bias heavily toward cosmetic fixes that make the code cleaner without changing its structure. Refactoring is the exception, not the rule.

Fresh-eyes start (mandatory): Before making any edits in this pass, re-read all code added or modified in this task with "fresh eyes" and actively look for obvious bugs, errors, confusing logic, brittle assumptions, naming issues, and missed hardening opportunities.

The agent reviews its own work and asks:

"Now that I understand the full solution, is there a simpler way to express this?"

Review Checklist

Dead code and scaffolding -- Did I leave behind debug logs, commented-out attempts, unused imports, or temporary variables from my iteration loop? Remove them.
Naming clarity -- Do function names, variables, and parameters make sense when read fresh? Names that made sense mid-implementation often read poorly after the fact. Rename them.
Control flow -- Can any nested conditionals be flattened? Can early returns replace deep nesting? Are there boolean expressions that could be simplified? Tighten them.
API surface -- Did I expose more than necessary? Could any public methods/functions be private? Reduce visibility.
Over-abstraction -- Did I create classes, interfaces, or wrapper functions that aren't justified by the current scope? Agents tend to over-engineer. Flag it, but don't restructure unless the win is significant.
Consolidation opportunities -- Did I spread logic across multiple functions or files when it could live in one place? Flag it, but only propose a refactor if the duplication is egregious and the consolidation is clean.

Simplify Actions

For each finding, the agent categorizes it as:

Cosmetic fix (dead code removal, unused imports, naming, control flow tightening, visibility reduction) -- applied automatically if within budget. This is the bread and butter of the skill.
Refactor (consolidation, restructuring, abstraction changes) -- proposed ONLY when the agent determines it is genuinely necessary or the benefit is substantial. A refactor is not the default action. The bar is: "Would a senior engineer look at this and say the current state is clearly wrong, not just imperfect?"

Refactor Stop Hook (mandatory):

Any change the agent classifies as a refactor triggers an interactive prompt. The agent MUST:

Describe what it wants to change and why
Show the before/after (or a clear description of the structural change)
Wait for explicit human approval before applying

The agent does not batch refactor proposals. Each refactor is presented individually so the human can approve, reject, or modify on a case-by-case basis.

[simplify-and-harden] Refactor proposal (1 of 2):

  I want to merge duplicated validation logic from handleCreate() and 
  handleUpdate() into a shared validatePayload() function.

  Why: Both functions validate the same fields with identical rules.
  The duplication was introduced because I built handleUpdate as a 
  copy of handleCreate during implementation.

  Files affected: src/api/handler.ts (lines 34-67)
  Estimated diff: -22 lines, +14 lines

  [approve] [reject] [show diff] [skip all refactors]

If the human selects skip all refactors, the agent skips remaining refactor proposals and moves to the Harden pass. Skipped refactors still appear in the output summary as flagged with status skipped_by_user.

Cosmetic fixes do not trigger the stop hook. They are applied silently (and reported in the output summary). The rationale: removing an unused import is not a judgment call. Restructuring code is.

Pass 2: Harden

Objective: Close security and resilience gaps while the agent still understands the code's intent.

The agent reviews its own work and asks:

"If someone malicious saw this code, what would they try?"

Review Checklist

Input validation -- Are all external inputs (user input, API params, file paths, environment variables) validated before use? Check for type coercion issues, missing bounds checks, and unconstrained string lengths.
Error handling -- Are catch blocks specific? Are errors logged with context but without leaking sensitive data? Are there any swallowed exceptions?
Injection vectors -- Check for SQL injection, XSS, command injection, path traversal, and template injection in any code that builds strings from external input.
Authentication and authorization -- Do new endpoints or functions enforce auth? Are permission checks present and correct? Is there any privilege escalation risk?
Secrets and credentials -- Are there hardcoded secrets, API keys, tokens, or passwords? Are connection strings parameterized? Check for credentials in log output.
Data exposure -- Does error output, logging, or API responses leak internal state, stack traces, database schemas, or PII?
Dependency risk -- Did the agent introduce new dependencies? If so, are they well-maintained, properly versioned, and free of known vulnerabilities?
Race conditions and state -- For concurrent code: are shared resources properly synchronized? Are there TOCTOU (time-of-check-to-time-of-use) vulnerabilities?

Harden Actions

For each finding, the agent categorizes it as:

Patch (adding a validation check, escaping output, removing a hardcoded secret) -- applied automatically if within budget
Security refactor (restructuring auth flow, replacing a vulnerable pattern with a new approach, changing data handling architecture) -- ALWAYS requires human approval before proceeding

The same Refactor Stop Hook from the Simplify pass applies here. Security refactors are presented individually with the added context of severity and attack vector:

[simplify-and-harden] Security refactor proposal:

  The new /admin/export endpoint inherits base authentication but has 
  no role-based access check. Any authenticated user can trigger a 
  full data export.

  Severity: HIGH
  Vector: Privilege escalation

  Proposed fix: Add role guard requiring 'admin' role before the 
  handler executes. This changes the middleware chain for this route.

  Files affected: src/api/routes/admin.ts (line 12)
  Estimated diff: +8 lines

  [approve] [reject] [show diff] [skip all security refactors]

Flagged as critical -- findings the agent cannot safely patch without human input (noted in output regardless of approval)
Flagged as advisory -- hardening opportunities that are not active vulnerabilities

Security patches (not refactors) are prioritized over simplification changes when budget is constrained.

Pass 3: Document (Micro-pass)

Objective: Capture non-obvious decisions while the agent still remembers why it made them.

This is deliberately lightweight -- not a documentation pass, just decision capture.

Rules

For any logic that requires more than 5 seconds of "why does this exist?" thought: add a single-line comment explaining the decision
For any workaround or hack: add a comment with context and ideally a TODO with conditions for removal
For any performance-sensitive choice: note why the current approach was chosen over the obvious alternative
Maximum: 5 comments added per task. This is not a documentation sprint.

Output Schema

The skill produces a structured summary appended to the task output:

simplify_and_harden:
  version: "0.1.0"
  task_id: "<original task ID>"
  execution:
    mode: "interactive"
    mode_source: "auto_detected"  # "auto_detected", "config", "env_override"
    human_present: true
  scope:
    files_reviewed: ["src/api/handler.ts", "src/utils/validate.ts"]
    original_diff_lines: 142
    additional_changes_lines: 18
    budget_exceeded: false

  simplify:
    applied:
      - file: "src/api/handler.ts"
        line: 45
        type: "consolidation"
        category: "refactor"
        approval: "approved_by_user"
        description: "Merged duplicated validation logic from handleCreate and handleUpdate into shared validatePayload function"
    flagged:
      - file: "src/utils/validate.ts"
        type: "over-abstraction"
        category: "refactor"
        approval: "skipped_by_user"
        description: "ValidationStrategy interface may be unnecessary -- only one implementation exists. Consider inlining if no additional strategies are planned."
        confidence: "medium"
    cosmetic_applied:
      - file: "src/api/handler.ts"
        line: 12
        type: "dead_code"
        description: "Removed unused import of deprecated AuthHelper"

  harden:
    applied:
      - file: "src/api/handler.ts"
        line: 62
        type: "input_validation"
        severity: "high"
        description: "Added bounds check on pageSize parameter -- previously accepted arbitrary integers"
    flagged_critical:
      - file: "src/api/handler.ts"
        type: "authorization"
        description: "New /admin/export endpoint inherits base auth but no role check -- any authenticated user can access it. Requires human decision on role policy."
    flagged_advisory:
      - file: "src/utils/validate.ts"
        type: "error_handling"
        description: "Catch block on L31 logs full request body which may contain PII in production"

  document:
    comments_added: 2
    locations:
      - file: "src/api/handler.ts"
        line: 78
        comment: "// Pagination uses cursor-based approach instead of offset -- offset breaks when items are deleted between pages"
      - file: "src/api/handler.ts" 
        line: 93
        comment: "// WORKAROUND: Legacy API returns dates as strings without timezone. Assuming UTC until migration completes (see TICKET-1234)"

  learning_loop:
    target_skill: "self-improvement"
    log_file: ".learnings/LEARNINGS.md"
    candidates:
      - pattern_key: "simplify.dead_code"
        pass: "simplify"
        finding_type: "dead_code"
        severity: "low"
        source_file: "src/api/handler.ts"
        source_line: 12
        suggested_rule: "Remove dead code and unused imports before finalizing a task."
      - pattern_key: "harden.input_validation"
        pass: "harden"
        finding_type: "input_validation"
        severity: "high"
        source_file: "src/api/handler.ts"
        source_line: 62
        suggested_rule: "Validate and bound-check external inputs before use."
    recurrence_window_days: 30
    promotion_threshold:
      min_occurrences: 3
      min_distinct_tasks: 2

  summary:
    simplify_applied: 1
    simplify_cosmetic_applied: 1
    simplify_flagged: 1
    simplify_rejected_by_user: 0
    simplify_skipped_by_user: 1
    harden_applied: 1
    harden_flagged_critical: 1
    harden_flagged_advisory: 1
    harden_rejected_by_user: 0
    comments_added: 2
    total_additional_lines: 18
    budget_utilization: "12.7%"
    human_prompts_shown: 3
    human_prompts_approved: 1
    human_prompts_rejected: 0
    human_prompts_skipped: 1
    human_prompts_timed_out: 1
    learning_candidates: 2
    learning_promotions_recommended: 1
    review_followup_required: true

Set review_followup_required to true when any unresolved finding remains (critical/advisory flags, skipped or timed-out refactor proposals), or when budget_exceeded is true. Set it to false only when no follow-up is required.

Self-Improvement Integration (Learning Loop)

Simplify & Harden feeds its recurring quality/security findings into the self-improvement skill so repeated issues can become durable prompt rules.

After each run:

Normalize each finding into a pattern_key:
- Simplify examples: simplify.dead_code, simplify.naming, simplify.control_flow
- Harden examples: harden.input_validation, harden.authorization, harden.error_handling
Emit those pattern candidates in simplify_and_harden.learning_loop.candidates.
Hand off candidates to self-improvement, which logs or updates entries in .learnings/LEARNINGS.md (instead of creating duplicate one-off notes).
Mark candidates as promotion-ready when they cross the recurrence threshold: >= 3 occurrences across >= 2 distinct tasks in a 30-day window.
Promote promotion-ready patterns into the agent context/system prompt files (CLAUDE.md, AGENTS.md, .github/copilot-instructions.md, or equivalent) to reduce repeat issues.

This keeps Simplify & Harden focused on per-task cleanup/hardening while self-improvement owns cross-task memory and promotion.

Execution Model

This skill is for general coding-agent sessions where a human can approve refactors in-line.

Behavior:

Refactor proposals are shown one at a time with clear rationale
The agent pauses and waits for [approve], [reject], [show diff], or [skip all refactors]
Cosmetic fixes and straightforward security patches are applied automatically

For CI pipelines and headless automation, use simplify-and-harden-ci.

Agent Context File References

To activate this skill, reference it in your agent context file.

Agent-specific copy-paste snippets are in references/agent-context-snippets.md. Load only the snippet for your active agent to keep context lean.

Core invariants for any agent integration:

Scope lock -- only files modified in the current task
Budget cap -- 20% max additional diff
Simplify-first posture -- cleanup is the default, refactoring is the exception
Refactor stop hook -- structural changes always require human approval
Three passes -- simplify, harden, document (in that order)
Structured output -- summary of applied, approved, rejected, and flagged items

Precaution: some agents may not reliably pause for approval in high-autonomy modes. Validate this behavior before production use.

Agent Compatibility

This skill is designed to work with any coding agent that follows a task-based workflow. It is not tied to any specific agent framework or product.

Programmatic integration (agents with skill/hook APIs):

Claude Code, GitHub Copilot Workspace, Codex, Opencode, OpenClaw, Cursor Agent, Windsurf, Aider, SWE-Agent, OpenHands, Devin, and any agent exposing a task completion lifecycle event

Prompt-based integration (chat-based agents without formal skill APIs):

Any LLM-based coding assistant that accepts post-task instructions -- the skill's logic can be injected as a follow-up prompt after the agent signals completion

The output schema is agent-agnostic YAML. Consuming tools only need to parse the structured summary.

Integration Notes

This skill is agent-agnostic. It hooks into any coding agent that exposes a task completion lifecycle event. The examples below are generic -- adapt them to your agent's specific API.

Agent Integration

The skill hooks into the agent's task completion lifecycle. Suggested integration pattern:

agent.on('task:complete', async (context) => {
  if (context.diff.isNonTrivial() && !context.flags.includes('no-review')) {
    const result = await skills.run('simplify-and-harden', {
      diff: context.diff,
      files: context.modifiedFiles,
      budget: { maxLines: context.diff.linesChanged * 0.2, maxTime: 60000 }
    });
    context.appendOutput(result.summary);
  }
});

Agents that support this skill should implement the following interface:

Access to the diff produced by the completed task
A list of modified files with full content
The ability to present interactive prompts (for interactive mode)
An output channel for the structured summary (stdout, PR comment, or equivalent)

Prompt-based Integration

For agents that don't support programmatic skill hooks (e.g., chat-based coding agents like Claude Code, Cursor, Copilot Chat), this skill can be implemented as a post-task prompt injection:

After completing the task, run the Simplify & Harden review:
1. Review only the files you modified
2. Simplify: Your default action is cleanup -- remove dead code, unused 
   imports, fix naming, tighten control flow, reduce unnecessary public 
   surface. Apply these directly. Refactoring (merging functions, changing 
   abstractions, restructuring) is NOT the default. Only propose a refactor 
   when the code is genuinely wrong or the improvement is substantial. 
   If you propose one, describe it and ask for approval before applying.
3. Harden: Check for input validation gaps, injection vectors, auth issues, 
   exposed secrets, and error handling problems. Apply simple patches directly.
   For security refactors that change structure, describe the issue with
   severity and ask for approval.
4. Document: Add up to 5 comments on non-obvious decisions.
5. Output a summary of what you changed, what you flagged, and 
   what you left alone.

CI Pipeline Variant

For GitHub Actions or other CI/headless usage, run simplify-and-harden-ci.

Configuration

# Example configuration (adapt path to your agent's config format)
# e.g., .agent/skills.yaml, .claude/skills.yaml, .cursor/skills.yaml
simplify-and-harden:
  enabled: true
  budget:
    max_diff_ratio: 0.2        # Max additional changes as ratio of original diff
    max_time_seconds: 60       # Hard time limit
  simplify:
    enabled: true
    auto_apply_cosmetic: true  # Cosmetic fixes applied without prompting
    refactor_requires_approval: true  # ALWAYS true -- cannot be disabled
  harden:
    enabled: true
    auto_apply_patches: true   # Simple security patches applied without prompting
    refactor_requires_approval: true  # ALWAYS true -- cannot be disabled
  document:
    enabled: true
    max_comments: 5
  stop_hook:
    mode: "interactive"
    show_diff_preview: true
    allow_skip_all: true
    timeout_seconds: 300       # 5 min -- human is at the keyboard
    timeout_action: "flag"     # Assume they stepped away, don't discard
  skip_patterns:               # Glob patterns to exclude from review
    - "**/*.test.*"
    - "**/*.spec.*"
    - "**/migrations/**"

Design Decisions

Why post-completion and not continuous? Continuous review during implementation creates feedback loops that slow the agent down and can cause oscillation (simplify, then re-complicate, then re-simplify). Post-completion gives the agent a stable codebase to review against.

Why simplify-first, not refactor-first? Agents love to refactor. Given permission to "improve" code, they will restructure it. But most post-task improvements are cosmetic: a dead import, a bad name, a needlessly deep conditional. These account for 80%+ of the value with near-zero risk. Refactoring carries real risk -- it can introduce bugs, break tests, and bloat diffs. By making simplification the default and refactoring the exception, the skill delivers consistent value without surprise rewrites. The bar for a refactor should be "this is genuinely wrong" not "this could be slightly better."

Why a budget? Without constraints, agents will use review passes as license for unbounded refactoring. The 20% rule keeps the skill focused: improve what you built, don't rebuild it.

Why separate simplify from harden? They require different mindsets. Simplify asks "is this the clearest expression of my intent?" while Harden asks "how could this be exploited?" Conflating them leads to mediocre results on both. Running them sequentially also lets us prioritize security fixes when budget is tight.

Why the document micro-pass? Agents are terrible at documenting their reasoning unprompted. Humans reviewing agent-generated code consistently report that the biggest friction is understanding why a choice was made. Five comments is a trivial cost for enormous review-time savings.

Future Considerations

Team calibration: Allow teams to weight the review checklist (e.g., "we care more about injection vectors than naming")
Diff-aware context loading: For large codebases, intelligently load only the files and symbols relevant to the diff rather than the full project
Cross-skill composition: Simplify & Harden could feed into a "PR Description" skill that uses its summary to auto-generate meaningful PR descriptions

同梱ファイル

※ ZIPに含まれるファイル一覧。`SKILL.md` 本体に加え、参考資料・サンプル・スクリプトが入っている場合があります。

📄 SKILL.md (24,970 bytes)
📎 references/agent-context-snippets.md (11,185 bytes)