@bfirestone45/opencode-slop-review 0.5.0

package/skills/ai-slop-review/references/rust.md

@@ -0,0 +1,296 @@
+# Rust AI Slop Signals
+
+Language-specific signals for Rust codebases. These supplement the universal signals
+in SKILL.md -- apply both.
+
+## What idiomatic Rust looks like
+
+### At version 1.94+ (Edition 2024)
+- `async fn` in traits -- no more `async-trait` crate for simple cases
+- `impl Trait` in more return positions
+- `LazyLock`/`LazyCell` from stdlib over `once_cell`/`lazy_static` crates
+- Let chains for cleaner pattern matching
+- `#[must_use]` on fallible functions and important return values
+- `#[diagnostic::on_unimplemented]` for better error messages on traits
+
+### Stdlib preferences
+- Lazy init: `std::sync::LazyLock` over `once_cell::sync::Lazy`
+- Error types: `thiserror` for library errors, `anyhow`/`eyre` for application errors
+- Async runtime: `tokio` (check project convention)
+- Serialization: `serde` with derive macros
+- CLI: `clap` with derive macros
+
+### Error handling convention
+- `?` propagation, never manual `match Ok/Err` for simple forwarding
+- Typed error enums with `thiserror` in library code
+- `anyhow::Result` acceptable in binary/CLI code, not libraries
+- `expect()` only in `main()` or provably unreachable paths
+- `unwrap()` only in tests
+
+### Type system usage
+- Enums over bools for state/mode parameters
+- Newtype pattern for domain values (UserId, OrderId)
+- `From`/`Into` implementations for error conversion
+- `Default` derive when obvious default exists
+- Private fields with public constructors for invariant enforcement
+
+### Project adaptation
+Before flagging any idiom violation, check if the project's baseline uses different conventions.
+
+---
+
+## Priority order for Rust
+
+1. Error handling -- unwrap/expect abuse, missing ? propagation
+2. Ownership and borrowing -- clone storms, RefCell overuse
+3. Type system usage -- enums vs. bools, newtypes, trait implementations
+4. Unsafe and panic safety -- library code that panics or uses unsafe carelessly
+5. Clippy and tooling -- suppressed warnings, unnecessary pub visibility
+
+---
+
+## Error handling (highest priority)
+
+**unwrap() outside of tests:**
+```rust
+// SLOP -- panics in production on any failure
+let config = read_config().unwrap();
+let conn = db.connect().unwrap();
+
+// IDIOMATIC -- propagate with ?
+let config = read_config()?;
+let conn = db.connect().context("connecting to database")?;
+```
+
+**expect() as a substitute for error propagation:**
+```rust
+// SLOP -- slightly better than unwrap but still panics
+let user = find_user(id).expect("user should exist");
+
+// expect() is OK for genuinely unrecoverable cases in main() or bootstrap
+// but not in library code or request handlers
+```
+
+**Box<dyn Error> in library code:**
+```rust
+// SLOP -- erases the error type, consumers cannot match on it
+fn process(data: &[u8]) -> Result<Output, Box<dyn Error>> {
+
+// IDIOMATIC -- typed error enum (thiserror)
+#[derive(Debug, thiserror::Error)]
+enum ProcessError {
+    #[error("invalid format: {0}")]
+    InvalidFormat(String),
+    #[error("io error")]
+    Io(#[from] std::io::Error),
+}
+
+fn process(data: &[u8]) -> Result<Output, ProcessError> {
+```
+
+**Not using ? propagation:**
+```rust
+// SLOP -- manual match on every Result
+let data = match read_file(path) {
+    Ok(d) => d,
+    Err(e) => return Err(e.into()),
+};
+
+// IDIOMATIC
+let data = read_file(path)?;
+```
+
+---
+
+## Borrow checker fights
+
+**Excessive .clone() -- the #1 Rust slop signal:**
+```rust
+// SLOP -- cloning to avoid borrow checker errors
+fn process(items: &[Item]) -> Vec<Output> {
+    let cloned = items.to_vec();  // unnecessary clone
+    cloned.iter().map(|item| {
+        let name = item.name.clone();  // another unnecessary clone
+        transform(name)
+    }).collect()
+}
+```
+
+When you see `.clone()` more than once or twice in a function, check whether
+ownership could be restructured instead. Some clones are necessary and correct --
+the signal is *pervasive* cloning as a pattern.
+
+**Rc<RefCell<T>> when ownership could be restructured:**
+```rust
+// SLOP -- interior mutability as a crutch
+let shared_state = Rc::new(RefCell::new(State::new()));
+
+// Often the real fix is restructuring so one owner holds the state
+// and others get references or communicate via channels
+```
+
+Note: with Edition 2024, `async fn` in traits eliminates some cases where
+`Rc<RefCell<T>>` was used as a workaround for trait object limitations in
+async code. If you see this pattern in async trait implementations, check
+whether native `async fn` in traits makes it unnecessary.
+
+**Arc<Mutex<T>> overuse:**
+Same pattern as Rc<RefCell<T>> but in async or threaded code. If every piece of
+shared state is behind Arc<Mutex<T>>, the author likely fought the borrow checker
+rather than designing for ownership.
+
+---
+
+## Type system underuse
+
+**Bool flags instead of enums:**
+```rust
+// SLOP -- what does (true, false) mean?
+fn create_user(name: &str, is_admin: bool, is_active: bool) -> User {
+
+// IDIOMATIC -- illegal states unrepresentable
+enum Role { Admin, User }
+enum Status { Active, Inactive }
+fn create_user(name: &str, role: Role, status: Status) -> User {
+```
+
+**Stringly-typed state:**
+```rust
+// SLOP
+fn set_status(status: &str) {
+    match status {
+        "active" | "inactive" | "pending" => { ... }
+        _ => panic!("invalid status"),  // runtime error for a compile-time problem
+    }
+}
+
+// IDIOMATIC
+enum Status { Active, Inactive, Pending }
+fn set_status(status: Status) { ... }
+```
+
+**Missing standard trait implementations:**
+- `Debug` derived but `Display` not implemented (users see `MyError { kind: ... }` instead of a message)
+- No `From`/`Into` implementations for error types (forces manual conversion everywhere)
+- No `Default` when there is an obvious default configuration
+- Missing `Clone`, `PartialEq`, `Hash` on types that clearly need them
+
+**Raw primitives for domain values:**
+```rust
+// SLOP -- easy to pass user_id where order_id is expected
+fn get_order(user_id: u64, order_id: u64) -> Order {
+
+// IDIOMATIC -- newtype pattern
+struct UserId(u64);
+struct OrderId(u64);
+fn get_order(user_id: UserId, order_id: OrderId) -> Order {
+```
+
+---
+
+## Unsafe and panic safety
+
+**Unsafe without SAFETY comment:**
+```rust
+// SLOP
+unsafe {
+    ptr::write(dest, value);
+}
+
+// REQUIRED
+// SAFETY: dest is guaranteed to be valid and aligned because
+// it was allocated by Vec::with_capacity and index < len.
+unsafe {
+    ptr::write(dest, value);
+}
+```
+
+**Panicking in library code:**
+- `panic!()`, `unreachable!()`, `todo!()` in non-test code
+- `.unwrap()` on user-influenced data paths
+- `assert!()` for input validation (use `Result` instead)
+- Array indexing without bounds checks where the index comes from external input
+
+**transmute without justification:**
+`std::mem::transmute` should be extremely rare and always documented. If AI generated
+a transmute, it almost certainly found a Stack Overflow answer from 2016 and
+copy-pasted it.
+
+---
+
+## Build and tooling signals
+
+**`lazy_static!` or `once_cell` for lazy initialization (Edition 2024+):**
+```rust
+// SLOP -- unnecessary third-party crate since Rust 1.80+
+use lazy_static::lazy_static;
+lazy_static! {
+    static ref CONFIG: Config = load_config();
+}
+
+// SLOP -- same issue with once_cell
+use once_cell::sync::Lazy;
+static CONFIG: Lazy<Config> = Lazy::new(|| load_config());
+
+// IDIOMATIC -- stdlib LazyLock (stable since 1.80, preferred in Edition 2024)
+use std::sync::LazyLock;
+static CONFIG: LazyLock<Config> = LazyLock::new(|| load_config());
+```
+
+If you see `lazy_static` or `once_cell::sync::Lazy` in new code targeting
+Rust 1.80+, flag it. For `once_cell::sync::OnceCell`, the stdlib equivalent
+is `std::sync::OnceLock`. Existing projects may still use the crates for MSRV
+reasons -- check `Cargo.toml` for `rust-version` before flagging.
+
+**`async-trait` crate in Edition 2024 code:**
+```rust
+// SLOP -- unnecessary with native async fn in traits (Edition 2024)
+#[async_trait]
+trait MyService {
+    async fn handle(&self) -> Result<()>;
+}
+
+// IDIOMATIC -- native async fn in traits
+trait MyService {
+    async fn handle(&self) -> Result<()>;
+}
+```
+
+The `async-trait` crate is still needed for `dyn Trait` usage or when trait
+objects require `Send` bounds that native async traits do not yet handle well.
+Flag it only when the trait is used with static dispatch (generics/`impl Trait`).
+
+**Suppressed warnings:**
+```rust
+// SLOP -- hiding problems instead of fixing them
+#[allow(unused_variables)]
+#[allow(dead_code)]
+#[allow(unused_imports)]
+```
+
+A few `#[allow]` annotations are normal. Dozens scattered across a file means the
+code was generated and then warnings were suppressed to make it compile.
+
+**Over-broad pub visibility:**
+```rust
+// SLOP -- everything public for no reason
+pub struct Config {
+    pub db_url: String,
+    pub db_pool_size: u32,
+    pub secret_key: String,  // this should NOT be pub
+}
+```
+
+In idiomatic Rust, items are private by default and only made `pub` when needed
+by the module's public API. If every struct, field, function, and module is `pub`,
+it is likely AI-generated with no thought about encapsulation.
+
+---
+
+## Rust-specific test signals
+
+- No `#[should_panic]` or explicit error matching on tests for error paths
+- `assert!(result.is_ok())` instead of `let value = result.unwrap()` + assertions on value
+- Tests that do not use `#[test]` helper patterns (common setup extracted to functions)
+- Integration tests in `src/` instead of `tests/` directory
+- No `proptest` or `quickcheck` where the function has clear algebraic properties

package/skills/ai-slop-review/references/svelte-ts.md

@@ -0,0 +1,384 @@
+# Svelte / TypeScript AI Slop Signals
+
+Language-specific signals for Svelte and TypeScript codebases. These supplement the
+universal signals in SKILL.md -- apply both.
+
+## What idiomatic Svelte/TypeScript looks like
+
+### Svelte 24.x LTS (Svelte 5)
+- Runes: `$state`, `$derived`, `$effect` -- no more `$:` reactive declarations
+- `$props()` with typed interface -- no more `export let`
+- `$bindable()` for two-way binding props
+- Snippets over slots for content composition
+- `$inspect()` for debugging (dev-only)
+- Fine-grained reactivity -- no more immutable assignment patterns needed for arrays/objects
+
+### TypeScript 5.9+
+- `satisfies` operator for type narrowing without widening
+- `using` declarations for resource management (Explicit Resource Management)
+- `const` type parameters for literal inference
+- `NoInfer<T>` utility type
+- Discriminated unions over optional fields
+- `readonly` on config/prop interfaces
+- Template literal types for string validation
+
+### SvelteKit patterns
+- `+page.server.ts` load functions over `onMount` fetching
+- Form actions over manual fetch POST
+- `$page.data` for layout-shared data
+- SvelteKit's `fetch` (not axios/node-fetch) -- handles cookies, SSR, relative URLs
+- `$env/static/private` for secrets (never in `+page.ts`)
+
+### Project adaptation
+Before flagging any idiom violation, check the project's baseline conventions.
+
+## Priority order for Svelte/TypeScript
+
+1. TypeScript type safety -- any abuse, type assertions, missing discriminated unions
+2. Svelte reactivity model -- correct reactive updates, cleanup, binding usage
+3. SvelteKit patterns -- load functions, form actions, data flow
+4. Component design -- prop drilling, store usage, composition
+5. Security -- XSS via {@html}, client-side secrets
+
+---
+
+## TypeScript misuse
+
+**`any` as an escape hatch:**
+```typescript
+// SLOP -- gives up type safety entirely
+const response: any = await fetch('/api/users');
+const data: any = await response.json();
+
+// IDIOMATIC -- define the shape
+interface User {
+  id: string;
+  name: string;
+  email: string;
+}
+const response = await fetch('/api/users');
+const data: User[] = await response.json();
+
+// EVEN BETTER -- runtime validation
+const data = UserArraySchema.parse(await response.json());
+```
+
+**@ts-ignore without explanation:**
+```typescript
+// SLOP
+// @ts-ignore
+const result = thing.method();
+
+// IF NECESSARY -- explain why
+// @ts-expect-error: library types are wrong, see https://github.com/lib/issues/123
+const result = thing.method();
+```
+
+**Type assertions without runtime validation:**
+```typescript
+// SLOP -- trusts external data blindly
+const user = JSON.parse(body) as User;
+
+// IDIOMATIC -- validate at the boundary
+const user = userSchema.parse(JSON.parse(body));
+```
+
+**Optionals everywhere instead of discriminated unions:**
+```typescript
+// SLOP -- which combinations are valid? Who knows
+interface ApiResponse {
+  data?: User[];
+  error?: string;
+  loading?: boolean;
+  total?: number;
+}
+
+// IDIOMATIC -- each state is explicit
+type ApiResponse =
+  | { status: 'loading' }
+  | { status: 'error'; error: string }
+  | { status: 'success'; data: User[]; total: number };
+```
+
+**Missing readonly:**
+```typescript
+// SLOP -- props and config objects should be immutable
+interface Config {
+  apiUrl: string;
+  timeout: number;
+}
+
+// IDIOMATIC
+interface Config {
+  readonly apiUrl: string;
+  readonly timeout: number;
+}
+```
+
+---
+
+## Svelte reactivity model violations
+
+**Using Svelte 4 reactive declarations instead of runes:**
+```svelte
+<script lang="ts">
+// SLOP -- Svelte 4 syntax, no longer idiomatic
+export let count = 0;
+$: doubled = count * 2;
+$: if (count > 10) {
+  console.log('count is big');
+}
+
+// IDIOMATIC -- Svelte 5 runes
+interface Props {
+  count: number;
+}
+let { count }: Props = $props();
+let doubled = $derived(count * 2);
+$effect(() => {
+  if (count > 10) {
+    console.log('count is big');
+  }
+});
+</script>
+```
+
+**Imperative mutation instead of reactive state:**
+```svelte
+<script lang="ts">
+// SLOP -- using $state but mutating without Svelte detecting it
+let items: string[] = $state([]);
+function addItem(item: string) {
+  // In Svelte 5, $state makes arrays/objects deeply reactive,
+  // so .push() DOES work. But creating new references is still
+  // clearer for complex transformations.
+  items = [...items, item];
+}
+</script>
+```
+
+**Missing $effect cleanup:**
+```svelte
+<script lang="ts">
+// SLOP -- interval never cleared, memory leak
+$effect(() => {
+  setInterval(pollData, 5000);
+});
+
+// IDIOMATIC -- $effect return value is the cleanup function
+$effect(() => {
+  const interval = setInterval(pollData, 5000);
+  return () => clearInterval(interval);
+});
+</script>
+```
+
+**Direct DOM manipulation bypassing Svelte:**
+```svelte
+<script lang="ts">
+// SLOP -- fighting the framework
+import { onMount } from 'svelte';
+onMount(() => {
+  document.querySelector('.header')?.classList.add('active');
+});
+
+// IDIOMATIC -- use Svelte bindings and class directives
+let isActive = $state(false);
+</script>
+<div class="header" class:active={isActive}>
+```
+
+**Missing UI states -- the classic AI tell:**
+```svelte
+<!-- SLOP -- only shows data, no loading/error/empty states -->
+{#if data}
+  {#each data as item}
+    <Card {item} />
+  {/each}
+{/if}
+
+<!-- IDIOMATIC -- handles all states -->
+{#if loading}
+  <Spinner />
+{:else if error}
+  <ErrorMessage {error} />
+{:else if data.length === 0}
+  <EmptyState />
+{:else}
+  {#each data as item}
+    <Card {item} />
+  {/each}
+{/if}
+```
+
+---
+
+## SvelteKit patterns
+
+**Data fetching in onMount instead of load function:**
+```svelte
+<script lang="ts">
+// SLOP -- data fetched client-side only, no SSR, no loading state from SvelteKit
+import { onMount } from 'svelte';
+let users: User[] = $state([]);
+onMount(async () => {
+  const res = await fetch('/api/users');
+  users = await res.json();
+});
+</script>
+```
+
+```typescript
+// IDIOMATIC -- in +page.ts or +page.server.ts
+export const load = async ({ fetch }) => {
+  const res = await fetch('/api/users');
+  return { users: await res.json() };
+};
+```
+
+**Not using SvelteKit's fetch:**
+```typescript
+// SLOP -- loses cookie forwarding, SSR compatibility
+import axios from 'axios';
+const data = await axios.get('/api/data');
+
+// IDIOMATIC -- SvelteKit's fetch handles cookies, SSR, and relative URLs
+export const load = async ({ fetch }) => {
+  const res = await fetch('/api/data');
+  return { data: await res.json() };
+};
+```
+
+**Manual form handling instead of form actions:**
+```svelte
+<!-- SLOP -- reinventing what SvelteKit provides, using Svelte 4 event syntax -->
+<form onsubmit={(e) => { e.preventDefault(); handleSubmit(); }}>
+  <input bind:value={name} />
+  <button>Submit</button>
+</form>
+
+<script lang="ts">
+let name = $state('');
+async function handleSubmit() {
+  await fetch('/api/users', {
+    method: 'POST',
+    body: JSON.stringify({ name }),
+  });
+}
+</script>
+```
+
+```typescript
+// IDIOMATIC -- in +page.server.ts
+export const actions = {
+  default: async ({ request }) => {
+    const data = await request.formData();
+    const name = data.get('name');
+    // validate and save
+  }
+};
+```
+
+**Ignoring layout data and page stores:**
+- Not using `$page.data` for shared data from layout load functions
+- Not using `$navigating` for navigation state
+- Duplicating data fetching that a parent layout already provides
+
+---
+
+## Component design
+
+**Prop drilling (4+ levels):**
+```svelte
+<!-- SLOP -- passing theme through every intermediate component -->
+<App {theme}>
+  <Layout {theme}>
+    <Sidebar {theme}>
+      <NavItem {theme} />
+
+<!-- IDIOMATIC -- use Svelte context -->
+<!-- App.svelte -->
+<script lang="ts">
+import { setContext } from 'svelte';
+setContext('theme', theme);
+</script>
+
+<!-- NavItem.svelte -->
+<script lang="ts">
+import { getContext } from 'svelte';
+const theme = getContext<Theme>('theme');
+</script>
+```
+
+**One-off component duplication:**
+If a component exists that does 90% of what is needed, and AI created a new component
+with 90% identical code plus a small variation -- that is slop. The existing component
+should be extended with a prop or snippet.
+
+**Untyped props and events:**
+```svelte
+<script lang="ts">
+// SLOP -- no types on props
+let { data, onSubmit } = $props();
+
+// IDIOMATIC -- typed interface with $props()
+interface Props {
+  readonly data: User;
+  onSubmit: (user: User) => void;
+}
+let { data, onSubmit }: Props = $props();
+</script>
+```
+
+**Using `export let` (Svelte 4 legacy):**
+```svelte
+<script lang="ts">
+// SLOP -- Svelte 4 prop declaration, no longer idiomatic
+export let user: User;
+export let onSave: (user: User) => void;
+
+// IDIOMATIC -- Svelte 5 $props() with typed interface
+interface Props {
+  readonly user: User;
+  onSave: (user: User) => void;
+}
+let { user, onSave }: Props = $props();
+</script>
+```
+
+---
+
+## Security signals
+
+**XSS via {@html}:**
+```svelte
+<!-- CRITICAL -- user content rendered as raw HTML -->
+{@html userComment}
+
+<!-- SAFE -- Svelte auto-escapes by default in text content -->
+{userComment}
+```
+
+**Client-side secrets:**
+```typescript
+// SLOP -- exposed to the browser
+const API_KEY = 'sk-1234567890';
+
+// IDIOMATIC -- server-side only, in +page.server.ts or via $env/static/private
+import { API_KEY } from '$env/static/private';
+```
+
+- Any `import` from `$env/static/private` in a `+page.ts` (non-server) file
+- API keys in `.env` without the `PUBLIC_` prefix that are used client-side
+- Sensitive data in `+page.ts` load functions instead of `+page.server.ts`
+
+---
+
+## TypeScript-specific test signals
+
+- Tests that use `as any` to bypass type errors instead of providing proper test data
+- No `vitest` or `playwright` in a SvelteKit project (the default test runners)
+- Component tests that only check rendering, not interaction or state changes
+- Missing `@testing-library/svelte` patterns -- testing implementation details instead of behavior
+- No type-level tests for discriminated unions and conditional types
+- E2E tests that use `data-testid` on everything instead of accessible selectors

package/version.txt

@@ -0,0 +1 @@
+0.5.0