Add code-review agent skill for Workers code validation

[elithrar]

Adds a reusable agent skill at .agents/skills/code-review/ that teaches agents how to review Workers and Cloudflare Developer Platform code for correctness.

The skill is retrieval-biased — it tells agents how to fetch and validate against the latest published types and schemas rather than baking in code examples, type definitions, or config snippets that go stale.

Structure

.agents/skills/code-review/
├── SKILL.md                     # 129 lines — review process, rules, anti-patterns, output format
└── references/
    ├── workers-types.md         #  87 lines — type retrieval, integrity rules, common mistakes
    ├── wrangler-config.md       #  80 lines — schema retrieval, validation checks, config mistakes
    └── common-patterns.md       # 135 lines — what to verify, mechanical checks, serialization, security

What it covers

• Retrieval of latest @cloudflare/workers-types and wrangler config schema via npm pack (not pinned to the docs repo's outdated dependencies)
• Code categorization (Illustrative / Demonstrative / Executable) with expectations per category
• Type system integrity: no any, no double-casting, no unjustified @ts-ignore, prefer satisfies over as
• Binding access validation (env.X vs this.env.X) with mechanical grep checks
• Floating promise detection, including oxlint --type-aware --deny typescript/no-floating-promises and manual search patterns for step.do/step.sleep/fetch
• Serialization boundary enforcement (Queue messages, Workflow step returns, DO storage) — flags Response, Error, and other non-structured-clone types
• Stale class/API pattern detection (implements vs extends, renamed properties, wrong import paths)
• Security logic escalation for crypto/auth code where correct API usage masks incorrect surrounding logic
• Config-code consistency, DO migration requirements, streaming vs buffering, conciseness

Design decisions

• No baked-in code examples, types, or config shapes — these rot. The skill instructs agents to fetch the latest published packages and read the actual type definitions and schema.
• Mechanical checks where possible (grep for binding access, oxlint for floating promises) rather than relying on visual inspection alone.
• Rules derived from actual PR history: Fix Queues docs code examples & types #28192 (Queues types), Fix DO docs indentation & code errors #28156 (DO indentation/API), Fix timing attack length leak in examples #28135 (timing attack), [Workflows] Fix docs using code review #28208/Fix Workflows docs code & API errors #28188 (Workflows), Fix syntax errors and improve documentation in D1 Worker API #27635 (D1 syntax), Remove .end() calls, add handler notes #28160 (Hyperdrive).

Supersedes the inline rules in .opencode/agent/review-code-examples.md (updating that agent to load this skill is a separate follow-up).

[github-actions]

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern	Owners
*	@cloudflare/pcx-technical-writing

[github-actions]

Preview URL: https://1774fe74.preview.developers.cloudflare.com
Preview Branch URL: https://code-review-skill.preview.developers.cloudflare.com