A-F code grading

A blunt verdict on whether code is ready to ship.

Suede Code Grader gives any diff, PR, file, or release a direct A-F grade across seven evidence-backed lanes. The output is a grade with evidence and a required upgrade, not a lint score and not a pile of style notes. Use it when you need the ship decision, not the full line-by-line review.

Install the skill View skill folder

Public install command

This is the public route. It installs from GitHub as a standard Codex skill folder.

python3 ~/.codex/skills/.system/skill-installer/scripts/install-skill-from-github.py \
  --repo JasonColapietro/suede-creator-skills \
  --path skills/suede-code-grader

Restart Codex after installing the skill.

The seven lanes

  • Correctness: behavior, edge cases, error paths, async, routing, data flow, and regression risk.
  • Security and permissions: auth, secrets, payment, injection, path, SSRF, and data exposure fail closed.
  • Data and state: schemas, migrations, caches, jobs, queues, webhooks, retries, and idempotency stay consistent.
  • Domain truth: public claims, rights, provenance, royalty routing, and product claims match the implementation.
  • UX and release behavior: loading, empty, error, success, mobile, screenshot, and route states hold together.
  • Tests and verification: changed behavior has meaningful tests, builds, runs, readbacks, or named caveats.
  • Deploy readiness: env vars, flags, configs, migrations, rollback notes, and release sequencing are clear.

Where it fits

Run it as the gate between "done" and "shipped." It reads the actual source and the evidence that exercises the change, not the PR description, then returns one overall grade with the single biggest reason and the upgrade that would move it.

Pair it with the full code review when you want findings and fix briefs too. The grader answers one question fast: does this ship, and if not, what is the smallest thing that changes the answer.

Instant-F triggers

Any single match is an automatic F. The grade stops there and names the file and line. No other lane can raise it.

Secrets in sourceA hardcoded API key, token, password, private key, or signing secret committed to a real file.
InjectionSQL built by string concatenation with user input, a shell command from user input, or unescaped user input rendered where XSS is reachable.
Auth bypassA path that skips the auth check, a permission check bypassable by a request param, or a token accepted with no real verification.
Payment and walletA handler that swallows errors silently, a webhook with no signature check, or an amount or recipient taken from untrusted input.
Data destructionA destructive migration with no rollback, a bulk delete with no guard, or a cache wipe with no restore path.
Plaintext sensitive dataA password stored or logged in plaintext, or PII and payment or health data in an unencrypted field or log.

Grade caps by surface

Certain surfaces cannot earn an A or B on a passing build alone. The cap is stated in the output when it applies.

  • Auth changes need the bypass and escalation path tested, not just the happy path, or the grade caps at C.
  • Payment and wallet flows need error paths tested and server-side amount and recipient validation, or they cap at C.
  • Data migrations need a documented, tested rollback; no rollback plan caps at D.
  • Breaking public API changes need verified backward compatibility or a versioned migration path, or they cap at C.

Output format

It opens with a plain-language summary a non-coder can follow, then the seven lane grades, the overall grade, any cap, the evidence-backed why, and the ranked required upgrades.

Correctness: A-F
Security and permissions: A-F
Data and state: A-F
Domain truth: A-F
UX and release behavior: A-F
Tests and verification: A-F
Deploy readiness: A-F
Overall: A-F

Best prompts

Use $suede-code-grader to give this PR a blunt A-F ship verdict with evidence and the one required upgrade.
Use $suede-code-grader on this auth change. Apply the surface grade cap and tell me what evidence would lift it.
Use $suede-code-grader on this release build. I want the ship decision, not a full review.

Safety boundary

The grade is a working review, not an audited guarantee. The skill does not invent tests, screenshots, live checks, or deploy status, and it does not raise a grade because the work was hard or because CI passed without exercising the change.

It never ships a C, D, or F without naming the upgrade that would move it.

Cue Suede

Feedback can happen mid-workflow or at the end. Say Cue Suede to ask for choices: change something, preserve what worked so the agent can mimic it later, or keep as-is by saying nothing.