@h1dr0n/skill-pool 0.1.0

package/skills/django/skills/django-verification.md

@@ -0,0 +1,469 @@
+---
+name: django-verification
+description: "Verification loop for Django projects: migrations, linting, tests with coverage, security scans, and deployment readiness checks before release or PR."
+origin: ECC
+---
+
+# Django Verification Loop
+
+Run before PRs, after major changes, and pre-deploy to ensure Django application quality and security.
+
+## When to Activate
+
+- Before opening a pull request for a Django project
+- After major model changes, migration updates, or dependency upgrades
+- Pre-deployment verification for staging or production
+- Running full environment → lint → test → security → deploy readiness pipeline
+- Validating migration safety and test coverage
+
+## Phase 1: Environment Check
+
+```bash
+# Verify Python version
+python --version  # Should match project requirements
+
+# Check virtual environment
+which python
+pip list --outdated
+
+# Verify environment variables
+python -c "import os; import environ; print('DJANGO_SECRET_KEY set' if os.environ.get('DJANGO_SECRET_KEY') else 'MISSING: DJANGO_SECRET_KEY')"
+```
+
+If environment is misconfigured, stop and fix.
+
+## Phase 2: Code Quality & Formatting
+
+```bash
+# Type checking
+mypy . --config-file pyproject.toml
+
+# Linting with ruff
+ruff check . --fix
+
+# Formatting with black
+black . --check
+black .  # Auto-fix
+
+# Import sorting
+isort . --check-only
+isort .  # Auto-fix
+
+# Django-specific checks
+python manage.py check --deploy
+```
+
+Common issues:
+- Missing type hints on public functions
+- PEP 8 formatting violations
+- Unsorted imports
+- Debug settings left in production configuration
+
+## Phase 3: Migrations
+
+```bash
+# Check for unapplied migrations
+python manage.py showmigrations
+
+# Create missing migrations
+python manage.py makemigrations --check
+
+# Dry-run migration application
+python manage.py migrate --plan
+
+# Apply migrations (test environment)
+python manage.py migrate
+
+# Check for migration conflicts
+python manage.py makemigrations --merge  # Only if conflicts exist
+```
+
+Report:
+- Number of pending migrations
+- Any migration conflicts
+- Model changes without migrations
+
+## Phase 4: Tests + Coverage
+
+```bash
+# Run all tests with pytest
+pytest --cov=apps --cov-report=html --cov-report=term-missing --reuse-db
+
+# Run specific app tests
+pytest apps/users/tests/
+
+# Run with markers
+pytest -m "not slow"  # Skip slow tests
+pytest -m integration  # Only integration tests
+
+# Coverage report
+open htmlcov/index.html
+```
+
+Report:
+- Total tests: X passed, Y failed, Z skipped
+- Overall coverage: XX%
+- Per-app coverage breakdown
+
+Coverage targets:
+
+| Component | Target |
+|-----------|--------|
+| Models | 90%+ |
+| Serializers | 85%+ |
+| Views | 80%+ |
+| Services | 90%+ |
+| Overall | 80%+ |
+
+## Phase 5: Security Scan
+
+```bash
+# Dependency vulnerabilities
+pip-audit
+safety check --full-report
+
+# Django security checks
+python manage.py check --deploy
+
+# Bandit security linter
+bandit -r . -f json -o bandit-report.json
+
+# Secret scanning (if gitleaks is installed)
+gitleaks detect --source . --verbose
+
+# Environment variable check
+python -c "from django.core.exceptions import ImproperlyConfigured; from django.conf import settings; settings.DEBUG"
+```
+
+Report:
+- Vulnerable dependencies found
+- Security configuration issues
+- Hardcoded secrets detected
+- DEBUG mode status (should be False in production)
+
+## Phase 6: Django Management Commands
+
+```bash
+# Check for model issues
+python manage.py check
+
+# Collect static files
+python manage.py collectstatic --noinput --clear
+
+# Create superuser (if needed for tests)
+echo "from apps.users.models import User; User.objects.create_superuser('admin@example.com', 'admin')" | python manage.py shell
+
+# Database integrity
+python manage.py check --database default
+
+# Cache verification (if using Redis)
+python -c "from django.core.cache import cache; cache.set('test', 'value', 10); print(cache.get('test'))"
+```
+
+## Phase 7: Performance Checks
+
+```bash
+# Django Debug Toolbar output (check for N+1 queries)
+# Run in dev mode with DEBUG=True and access a page
+# Look for duplicate queries in SQL panel
+
+# Query count analysis
+django-admin debugsqlshell  # If django-debug-sqlshell installed
+
+# Check for missing indexes
+python manage.py shell << EOF
+from django.db import connection
+with connection.cursor() as cursor:
+    cursor.execute("SELECT table_name, index_name FROM information_schema.statistics WHERE table_schema = 'public'")
+    print(cursor.fetchall())
+EOF
+```
+
+Report:
+- Number of queries per page (should be < 50 for typical pages)
+- Missing database indexes
+- Duplicate queries detected
+
+## Phase 8: Static Assets
+
+```bash
+# Check for npm dependencies (if using npm)
+npm audit
+npm audit fix
+
+# Build static files (if using webpack/vite)
+npm run build
+
+# Verify static files
+ls -la staticfiles/
+python manage.py findstatic css/style.css
+```
+
+## Phase 9: Configuration Review
+
+```python
+# Run in Python shell to verify settings
+python manage.py shell << EOF
+from django.conf import settings
+import os
+
+# Critical checks
+checks = {
+    'DEBUG is False': not settings.DEBUG,
+    'SECRET_KEY set': bool(settings.SECRET_KEY and len(settings.SECRET_KEY) > 30),
+    'ALLOWED_HOSTS set': len(settings.ALLOWED_HOSTS) > 0,
+    'HTTPS enabled': getattr(settings, 'SECURE_SSL_REDIRECT', False),
+    'HSTS enabled': getattr(settings, 'SECURE_HSTS_SECONDS', 0) > 0,
+    'Database configured': settings.DATABASES['default']['ENGINE'] != 'django.db.backends.sqlite3',
+}
+
+for check, result in checks.items():
+    status = '✓' if result else '✗'
+    print(f"{status} {check}")
+EOF
+```
+
+## Phase 10: Logging Configuration
+
+```bash
+# Test logging output
+python manage.py shell << EOF
+import logging
+logger = logging.getLogger('django')
+logger.warning('Test warning message')
+logger.error('Test error message')
+EOF
+
+# Check log files (if configured)
+tail -f /var/log/django/django.log
+```
+
+## Phase 11: API Documentation (if DRF)
+
+```bash
+# Generate schema
+python manage.py generateschema --format openapi-json > schema.json
+
+# Validate schema
+# Check if schema.json is valid JSON
+python -c "import json; json.load(open('schema.json'))"
+
+# Access Swagger UI (if using drf-yasg)
+# Visit http://localhost:8000/swagger/ in browser
+```
+
+## Phase 12: Diff Review
+
+```bash
+# Show diff statistics
+git diff --stat
+
+# Show actual changes
+git diff
+
+# Show changed files
+git diff --name-only
+
+# Check for common issues
+git diff | grep -i "todo\|fixme\|hack\|xxx"
+git diff | grep "print("  # Debug statements
+git diff | grep "DEBUG = True"  # Debug mode
+git diff | grep "import pdb"  # Debugger
+```
+
+Checklist:
+- No debugging statements (print, pdb, breakpoint())
+- No TODO/FIXME comments in critical code
+- No hardcoded secrets or credentials
+- Database migrations included for model changes
+- Configuration changes documented
+- Error handling present for external calls
+- Transaction management where needed
+
+## Output Template
+
+```
+DJANGO VERIFICATION REPORT
+==========================
+
+Phase 1: Environment Check
+  ✓ Python 3.11.5
+  ✓ Virtual environment active
+  ✓ All environment variables set
+
+Phase 2: Code Quality
+  ✓ mypy: No type errors
+  ✗ ruff: 3 issues found (auto-fixed)
+  ✓ black: No formatting issues
+  ✓ isort: Imports properly sorted
+  ✓ manage.py check: No issues
+
+Phase 3: Migrations
+  ✓ No unapplied migrations
+  ✓ No migration conflicts
+  ✓ All models have migrations
+
+Phase 4: Tests + Coverage
+  Tests: 247 passed, 0 failed, 5 skipped
+  Coverage:
+    Overall: 87%
+    users: 92%
+    products: 89%
+    orders: 85%
+    payments: 91%
+
+Phase 5: Security Scan
+  ✗ pip-audit: 2 vulnerabilities found (fix required)
+  ✓ safety check: No issues
+  ✓ bandit: No security issues
+  ✓ No secrets detected
+  ✓ DEBUG = False
+
+Phase 6: Django Commands
+  ✓ collectstatic completed
+  ✓ Database integrity OK
+  ✓ Cache backend reachable
+
+Phase 7: Performance
+  ✓ No N+1 queries detected
+  ✓ Database indexes configured
+  ✓ Query count acceptable
+
+Phase 8: Static Assets
+  ✓ npm audit: No vulnerabilities
+  ✓ Assets built successfully
+  ✓ Static files collected
+
+Phase 9: Configuration
+  ✓ DEBUG = False
+  ✓ SECRET_KEY configured
+  ✓ ALLOWED_HOSTS set
+  ✓ HTTPS enabled
+  ✓ HSTS enabled
+  ✓ Database configured
+
+Phase 10: Logging
+  ✓ Logging configured
+  ✓ Log files writable
+
+Phase 11: API Documentation
+  ✓ Schema generated
+  ✓ Swagger UI accessible
+
+Phase 12: Diff Review
+  Files changed: 12
+  +450, -120 lines
+  ✓ No debug statements
+  ✓ No hardcoded secrets
+  ✓ Migrations included
+
+RECOMMENDATION: WARNING: Fix pip-audit vulnerabilities before deploying
+
+NEXT STEPS:
+1. Update vulnerable dependencies
+2. Re-run security scan
+3. Deploy to staging for final testing
+```
+
+## Pre-Deployment Checklist
+
+- [ ] All tests passing
+- [ ] Coverage ≥ 80%
+- [ ] No security vulnerabilities
+- [ ] No unapplied migrations
+- [ ] DEBUG = False in production settings
+- [ ] SECRET_KEY properly configured
+- [ ] ALLOWED_HOSTS set correctly
+- [ ] Database backups enabled
+- [ ] Static files collected and served
+- [ ] Logging configured and working
+- [ ] Error monitoring (Sentry, etc.) configured
+- [ ] CDN configured (if applicable)
+- [ ] Redis/cache backend configured
+- [ ] Celery workers running (if applicable)
+- [ ] HTTPS/SSL configured
+- [ ] Environment variables documented
+
+## Continuous Integration
+
+### GitHub Actions Example
+
+```yaml
+# .github/workflows/django-verification.yml
+name: Django Verification
+
+on: [push, pull_request]
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres:14
+        env:
+          POSTGRES_PASSWORD: postgres
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.11'
+
+      - name: Cache pip
+        uses: actions/cache@v3
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+
+      - name: Install dependencies
+        run: |
+          pip install -r requirements.txt
+          pip install ruff black mypy pytest pytest-django pytest-cov bandit safety pip-audit
+
+      - name: Code quality checks
+        run: |
+          ruff check .
+          black . --check
+          isort . --check-only
+          mypy .
+
+      - name: Security scan
+        run: |
+          bandit -r . -f json -o bandit-report.json
+          safety check --full-report
+          pip-audit
+
+      - name: Run tests
+        env:
+          DATABASE_URL: postgres://postgres:postgres@localhost:5432/test
+          DJANGO_SECRET_KEY: test-secret-key
+        run: |
+          pytest --cov=apps --cov-report=xml --cov-report=term-missing
+
+      - name: Upload coverage
+        uses: codecov/codecov-action@v3
+```
+
+## Quick Reference
+
+| Check | Command |
+|-------|---------|
+| Environment | `python --version` |
+| Type checking | `mypy .` |
+| Linting | `ruff check .` |
+| Formatting | `black . --check` |
+| Migrations | `python manage.py makemigrations --check` |
+| Tests | `pytest --cov=apps` |
+| Security | `pip-audit && bandit -r .` |
+| Django check | `python manage.py check --deploy` |
+| Collectstatic | `python manage.py collectstatic --noinput` |
+| Diff stats | `git diff --stat` |
+
+Remember: Automated verification catches common issues but doesn't replace manual code review and testing in staging environment.

package/skills/dotnet/agents/csharp-reviewer.md

@@ -0,0 +1,101 @@
+---
+name: csharp-reviewer
+description: Expert C# code reviewer specializing in .NET conventions, async patterns, security, nullable reference types, and performance. Use for all C# code changes. MUST BE USED for C# projects.
+tools: ["Read", "Grep", "Glob", "Bash"]
+model: sonnet
+---
+
+You are a senior C# code reviewer ensuring high standards of idiomatic .NET code and best practices.
+
+When invoked:
+1. Run `git diff -- '*.cs'` to see recent C# file changes
+2. Run `dotnet build` and `dotnet format --verify-no-changes` if available
+3. Focus on modified `.cs` files
+4. Begin review immediately
+
+## Review Priorities
+
+### CRITICAL — Security
+- **SQL Injection**: String concatenation/interpolation in queries — use parameterized queries or EF Core
+- **Command Injection**: Unvalidated input in `Process.Start` — validate and sanitize
+- **Path Traversal**: User-controlled file paths — use `Path.GetFullPath` + prefix check
+- **Insecure Deserialization**: `BinaryFormatter`, `JsonSerializer` with `TypeNameHandling.All`
+- **Hardcoded secrets**: API keys, connection strings in source — use configuration/secret manager
+- **CSRF/XSS**: Missing `[ValidateAntiForgeryToken]`, unencoded output in Razor
+
+### CRITICAL — Error Handling
+- **Empty catch blocks**: `catch { }` or `catch (Exception) { }` — handle or rethrow
+- **Swallowed exceptions**: `catch { return null; }` — log context, throw specific
+- **Missing `using`/`await using`**: Manual disposal of `IDisposable`/`IAsyncDisposable`
+- **Blocking async**: `.Result`, `.Wait()`, `.GetAwaiter().GetResult()` — use `await`
+
+### HIGH — Async Patterns
+- **Missing CancellationToken**: Public async APIs without cancellation support
+- **Fire-and-forget**: `async void` except event handlers — return `Task`
+- **ConfigureAwait misuse**: Library code missing `ConfigureAwait(false)`
+- **Sync-over-async**: Blocking calls in async context causing deadlocks
+
+### HIGH — Type Safety
+- **Nullable reference types**: Nullable warnings ignored or suppressed with `!`
+- **Unsafe casts**: `(T)obj` without type check — use `obj is T t` or `obj as T`
+- **Raw strings as identifiers**: Magic strings for config keys, routes — use constants or `nameof`
+- **`dynamic` usage**: Avoid `dynamic` in application code — use generics or explicit models
+
+### HIGH — Code Quality
+- **Large methods**: Over 50 lines — extract helper methods
+- **Deep nesting**: More than 4 levels — use early returns, guard clauses
+- **God classes**: Classes with too many responsibilities — apply SRP
+- **Mutable shared state**: Static mutable fields — use `ConcurrentDictionary`, `Interlocked`, or DI scoping
+
+### MEDIUM — Performance
+- **String concatenation in loops**: Use `StringBuilder` or `string.Join`
+- **LINQ in hot paths**: Excessive allocations — consider `for` loops with pre-allocated buffers
+- **N+1 queries**: EF Core lazy loading in loops — use `Include`/`ThenInclude`
+- **Missing `AsNoTracking`**: Read-only queries tracking entities unnecessarily
+
+### MEDIUM — Best Practices
+- **Naming conventions**: PascalCase for public members, `_camelCase` for private fields
+- **Record vs class**: Value-like immutable models should be `record` or `record struct`
+- **Dependency injection**: `new`-ing services instead of injecting — use constructor injection
+- **`IEnumerable` multiple enumeration**: Materialize with `.ToList()` when enumerated more than once
+- **Missing `sealed`**: Non-inherited classes should be `sealed` for clarity and performance
+
+## Diagnostic Commands
+
+```bash
+dotnet build                                          # Compilation check
+dotnet format --verify-no-changes                     # Format check
+dotnet test --no-build                                # Run tests
+dotnet test --collect:"XPlat Code Coverage"           # Coverage
+```
+
+## Review Output Format
+
+```text
+[SEVERITY] Issue title
+File: path/to/File.cs:42
+Issue: Description
+Fix: What to change
+```
+
+## Approval Criteria
+
+- **Approve**: No CRITICAL or HIGH issues
+- **Warning**: MEDIUM issues only (can merge with caution)
+- **Block**: CRITICAL or HIGH issues found
+
+## Framework Checks
+
+- **ASP.NET Core**: Model validation, auth policies, middleware order, `IOptions<T>` pattern
+- **EF Core**: Migration safety, `Include` for eager loading, `AsNoTracking` for reads
+- **Minimal APIs**: Route grouping, endpoint filters, proper `TypedResults`
+- **Blazor**: Component lifecycle, `StateHasChanged` usage, JS interop disposal
+
+## Reference
+
+For detailed C# patterns, see skill: `dotnet-patterns`.
+For testing guidelines, see skill: `csharp-testing`.
+
+---
+
+Review with the mindset: "Would this code pass review at a top .NET shop or open-source project?"

package/skills/dotnet/manifest.yaml

@@ -0,0 +1,14 @@
+name: dotnet
+version: 0.1.0
+description: Idiomatic C# and .NET patterns, testing with xUnit, and expert code review for building robust, maintainable .NET applications.
+depends:
+  - common
+tags:
+  - csharp
+  - dotnet
+rules: []
+skills:
+  - skills/dotnet-patterns.md
+  - skills/csharp-testing.md
+agents:
+  - agents/csharp-reviewer.md