@hdwebsoft/hdcode-ai-darwin-x64 0.0.6 → 0.0.8

package/resources/skills/hd-code-review/reference/stacks/flutter.md

@@ -0,0 +1,48 @@
+# Stack: Flutter — Additional Review Checks
+
+Injected into Phase 4 aspects when `.dart` or `pubspec.yaml` files are detected in the diff (or `tech_stack: flutter` declared).
+Apply these checks IN ADDITION TO the universal checklist items for each aspect.
+
+---
+
+## Aspect 2 — Correctness (additional)
+
+- `BuildContext` used across an `async` gap without a `mounted` check — after any `await`, the widget may have been disposed; accessing `context` after the gap causes "use of BuildContext after async gap" errors. Guard with `if (!mounted) return;`.
+- `initState` launching async operations without `mounted` checks on completion — the async callback may call `setState` after the widget is disposed.
+- `setState` called after `dispose()` — any async operation started in `initState` or a callback that completes after navigation away causes a framework error.
+- `late` variable accessed before initialization — `LateInitializationError` at runtime; ensure assignment happens before first use, or use nullable type.
+
+---
+
+## Aspect 3 — Possible Breakage (additional)
+
+- `StreamSubscription` not cancelled in `dispose()` — memory leak; the stream keeps a reference to the widget after it is removed from the tree.
+- `AnimationController`, `TextEditingController`, `FocusNode`, `ScrollController`, `PageController` not disposed — each holds native resources; must call `.dispose()` in the widget's `dispose()` override.
+- `Timer` / `Timer.periodic` not cancelled in `dispose()` — fires callbacks on a disposed widget.
+- `GlobalKey` reused across different widget types or subtrees — causes framework assertion errors and incorrect state transfer.
+
+---
+
+## Aspect 7 — Security (additional)
+
+- Sensitive data (tokens, passwords, PII) stored with `SharedPreferences` — stored as plain text; use `flutter_secure_storage` for sensitive values.
+- API keys or secrets hardcoded in Dart source or `pubspec.yaml` — Dart code and assets are extractable from the APK/IPA; use server-side secrets or secure environment injection via `--dart-define`.
+- `WebView` loading user-supplied URLs without validation — XSS or phishing risk; validate scheme and domain before loading.
+
+---
+
+## Aspect 10 — Code Quality (additional)
+
+- Missing `const` constructor on widgets that could be `const` — non-const widgets are rebuilt on every parent rebuild; `const` widgets are only built once and reused.
+- `build()` method longer than ~50 lines — extract into smaller private widget methods or separate `StatelessWidget` classes; large `build()` is a maintenance and rebuild-scope problem.
+- Complex business logic inside `build()` — computed values, data transformations, and conditionals belong in the widget state, a controller, or a dedicated model; `build()` should be declarative.
+- `print()` in production code — use a proper logging package (`logger`, `talker`) with level filtering so debug output does not reach production.
+
+---
+
+## Aspect 12 — Architecture & Design (additional)
+
+- Business logic directly in `StatefulWidget` or `StatelessWidget` — use a state management solution (BLoC/Cubit, Riverpod, Provider, GetX per project convention) to separate UI from logic.
+- Deep widget nesting (> 5–6 levels without extraction) — leads to the "pyramid of doom"; extract subtrees into named widget classes for readability and testability.
+- `setState` used in a widget that is also shared across routes or has complex state — indicates the state belongs at a higher level or in a dedicated state management class.
+- Platform channel calls (`MethodChannel`) not abstracted behind an interface — makes testing difficult; wrap in a repository or service class that can be mocked.

package/resources/skills/hd-code-review/reference/stacks/go.md

@@ -0,0 +1,51 @@
+# Stack: Go — Additional Review Checks
+
+Injected into Phase 4 aspects when `.go` or `go.mod` files are detected in the diff (or `tech_stack: go` declared).
+Apply these checks IN ADDITION TO the universal checklist items for each aspect.
+
+---
+
+## Aspect 2 — Correctness (additional)
+
+- Goroutine started but never terminates — no quit channel, context cancellation, or `WaitGroup` tracking; goroutine leaks accumulate over time in long-running services.
+- `defer` inside a loop — deferred calls execute when the **function** returns, not at the end of each iteration; resource handles (files, locks) accumulate until the outer function exits.
+- Value receiver on a method that modifies state — only pointer receivers mutate the original; value receivers get a copy. Check consistency across the method set.
+- Nil pointer dereference on interface — a non-nil interface variable holding a nil pointer is NOT nil (`var p *T; var i I = p; i == nil` is `false`); guard with the concrete type check.
+- Integer overflow — `int` is platform-width (32-bit on 32-bit targets); use `int64` / `uint64` explicitly for values that may exceed 2³¹.
+
+---
+
+## Aspect 3 — Possible Breakage (additional)
+
+- `sync.WaitGroup.Add()` called inside the goroutine instead of before launching it — race condition; the main goroutine may call `Wait()` before `Add()` is reached.
+- Unbounded channel send or receive without a `select + timeout` or context deadline — potential deadlock if the other side is never ready.
+- `sync.Mutex` (or `sync.RWMutex`) copied by value — passing by value creates an independent copy that is unlocked; always use a pointer (`*sync.Mutex`).
+- `http.Response.Body` not closed, or not fully drained before closing — keep-alive connections are not returned to the pool, causing connection leaks.
+- Context not threaded through I/O calls — functions making DB queries or HTTP requests should accept and forward `context.Context` to support cancellation and timeout propagation.
+
+---
+
+## Aspect 7 — Security (additional)
+
+- SQL built with `fmt.Sprintf` or string concatenation — SQL injection. Use parameterized queries (`db.QueryContext(ctx, "SELECT ... WHERE id=$1", id)`).
+- `exec.Command` with user-controlled arguments and `shell`-like expansion — command injection. Pass arguments as separate strings, never via `sh -c`.
+- `http.Get(userURL)` or outbound HTTP to a user-supplied URL without validation — SSRF (Server-Side Request Forgery). Validate scheme, host, and port against an allowlist.
+- Sensitive values (tokens, passwords) passed as command-line arguments — appear in `ps` output and process env; use environment variables or files with restricted permissions.
+
+---
+
+## Aspect 10 — Code Quality (additional)
+
+- Error wrapped without `%w` verb — `fmt.Errorf("context: %v", err)` breaks `errors.Is` / `errors.As`; use `fmt.Errorf("context: %w", err)`.
+- Errors ignored with `_` in non-trivial cases — `_, err = ...` without checking `err`; or return values discarded silently.
+- Naked return in a function longer than ~10 lines — hard to reason about what is being returned; use explicit return values.
+- `init()` function with complex logic or side effects — runs at package load time, order is non-deterministic across packages; keep `init()` minimal.
+
+---
+
+## Aspect 12 — Architecture & Design (additional)
+
+- Business logic directly in `http.Handler` or `http.HandlerFunc` — separate transport (HTTP) from domain logic using handler → service → repository layers.
+- Circular package dependency — Go forbids this at compile time, but circular `_test` package imports or subtle import paths can introduce it; check import graph.
+- `interface{}` / `any` used where a specific type or generic would be clearer — loses compile-time safety; prefer typed parameters or generics (Go 1.18+).
+- Package-level mutable state (package-level `var`) in non-main packages — makes packages non-reentrant and hard to test; use dependency injection.

package/resources/skills/hd-code-review/reference/stacks/laravel.md

@@ -0,0 +1,56 @@
+# Stack: Laravel — Additional Review Checks
+
+Injected IN ADDITION to `php` preset when Laravel signals are detected:
+- `artisan` file in the diff or repo root
+- `app/Http/Controllers/` paths in the diff
+- `routes/web.php` or `routes/api.php` in the diff
+- `"laravel/framework"` in `composer.json`
+
+Contains Laravel-specific checks only — PHP-level checks are in `php.md`.
+
+---
+
+## Aspect 2 — Correctness (additional)
+
+- `Model::find($id)` without null check — returns `null` if not found; chaining methods directly causes `Call to a member function on null`. Use `findOrFail()` or explicit null guard.
+- N+1 query: accessing a relationship in a loop without `with()` eager loading — `foreach ($users as $u) { $u->posts; }` fires N+1 queries. Use `User::with('posts')->get()`.
+- `$request->input()` vs `$request->validated()` — using unvalidated `input()` data directly in models bypasses Form Request validation rules that were written for that purpose.
+- Eloquent `where` with column name from user input — `->where($column, $value)` allows column injection if `$column` is user-controlled. Validate column against an allowlist.
+
+---
+
+## Aspect 3 — Possible Breakage (additional)
+
+- Missing database transaction around multiple related writes — partial failure leaves data in an inconsistent state. Wrap with `DB::transaction()` or `DB::beginTransaction()` / `commit()` / `rollBack()`.
+- Queue job without `tries` limit or failed job handler — a failing job retries indefinitely, filling the queue; define `$tries`, `$backoff`, and a `failed()` method or `$failOnTimeout`.
+- `Storage::disk()->put()` without checking available disk space in long-running file processing.
+- Scheduled command (`$schedule->command()`) overlapping itself — use `->withoutOverlapping()` for commands that should not run concurrently.
+
+---
+
+## Aspect 7 — Security (additional)
+
+- Raw query via `DB::statement()` / `DB::select()` with string interpolation — SQL injection. Use binding: `DB::select('SELECT * FROM t WHERE id = ?', [$id])`.
+- Missing `$fillable` or over-broad `$guarded = []` on Eloquent models — mass assignment vulnerability; `Model::create($request->all())` with `$guarded = []` allows setting any column.
+- Route missing `auth` / `auth:sanctum` / `auth:api` middleware — endpoint accessible without authentication.
+- Missing CSRF protection on state-changing web routes — ensure `VerifyCsrfToken` middleware is active; `api` routes are exempt and should use token-based auth instead.
+- `Response::make()` or `return response($userContent)` with `Content-Type: text/html` and user-controlled content — XSS.
+- Sensitive data logged via `Log::info($request->all())` — passwords, tokens, and PII in log files.
+
+---
+
+## Aspect 10 — Code Quality (additional)
+
+- Fat controller: complex business logic, multiple model queries, or conditional branching directly in controller methods — extract to Service classes, Action classes, or Eloquent scopes.
+- Direct `Mail::send()` / `Notification::send()` in controller without queuing — blocks the HTTP response for the duration of the send; use `Mail::queue()` or `->delay()`.
+- Eloquent model with no `$casts` for JSON columns, booleans, or dates — accessing uncasted columns returns raw strings, causing type bugs.
+- `dd()` / `dump()` / `var_dump()` committed to non-test code.
+
+---
+
+## Aspect 12 — Architecture & Design (additional)
+
+- Business logic in Blade templates — templates should only render data, not compute or fetch it; move logic to controllers, view composers, or view models.
+- Direct `Model::` static calls deep in service or domain classes — tight coupling to Eloquent; inject a repository or use the model through a service boundary.
+- Event listeners doing synchronous heavy work — use `ShouldQueue` on listeners to push work to the queue and avoid blocking the request.
+- `config()` / `env()` called outside of service providers or config files at request time — `env()` always returns null after config is cached (`php artisan config:cache`); use `config()` everywhere except config files themselves.

package/resources/skills/hd-code-review/reference/stacks/lwc.md

@@ -0,0 +1,49 @@
+# Stack: LWC (Lightning Web Components) — Additional Review Checks
+
+Injected when `.html` or `.js` files under a `lwc/` path segment are detected in the diff
+(or `tech_stack: lwc` declared). Combines with `apex` preset when `.cls` files are also present.
+Apply these checks IN ADDITION TO the universal checklist items.
+
+---
+
+## Aspect 2 — Correctness (additional)
+
+- Imperative Apex call result not re-fetched when `@wire` reactive property changes — stale data displayed until hard reload; use `@wire` with reactive `$property` syntax or re-call imperatively in a `@wire` handler.
+- `this.template.querySelector()` called in `constructor()` — DOM not yet attached; move to `connectedCallback()` or `renderedCallback()`.
+- `renderedCallback()` modifying a tracked property unconditionally — triggers re-render → re-runs `renderedCallback()` → infinite loop; guard with a `_rendered` boolean flag.
+- `@track` decorator applied to a primitive (`string`, `number`, `boolean`) — primitives are automatically reactive; `@track` is only needed for nested object/array mutation detection.
+
+---
+
+## Aspect 3 — Possible Breakage (additional)
+
+- Custom event dispatched before `connectedCallback()` completes — parent component not yet listening; dispatch after the component is fully connected.
+- Manual event listener added in `connectedCallback()` without a matching `removeEventListener()` in `disconnectedCallback()` — memory leak on SPA navigation.
+- `@api` property value mutated directly inside the child component — violates one-way data flow; raises framework warnings and produces unpredictable state; emit an event instead.
+
+---
+
+## Aspect 7 — Security (additional)
+
+- `innerHTML` assignment using user-controlled data — XSS vector; use `lwc:inner-html` with a sanitized string or bind via template expressions only.
+- Direct access to `window`, `document`, or `eval()` — blocked by Lightning Web Security (LWS) and will throw at runtime; use `this.template` APIs and LWC-approved patterns.
+- Sensitive data (tokens, session IDs, PII) stored in `@track` / `@api` component state — readable via browser DevTools; keep sensitive data server-side.
+- External JS or CSS hotlinked from a CDN or external URL instead of bundled as a Static Resource — AppExchange auto-fail; all third-party assets must be versioned static resources within the package.
+- Third-party npm package with known CVEs shipped to the org — run `npm audit` or Snyk on the LWC project; outdated libraries bundled into component JS are in scope for the AppExchange security review.
+- `LightningMessageChannel` component with `isExposed: true` — exposes the channel to all subscriber orgs; leave `false` unless intentional cross-cloud messaging is documented.
+
+---
+
+## Aspect 10 — Code Quality (additional)
+
+- Business logic (calculations, data transformations, conditional rules) placed in component JS — move to Apex or a shared LWC utility module; components should orchestrate, not compute.
+- `@wire` adapter result used without handling the `error` property — silent failures invisible to the user; always check `if (error)` and surface a message.
+- Layout built without SLDS utility classes — produces inconsistent spacing and theming across Experience Cloud, App Builder, and standard Salesforce UI contexts.
+
+---
+
+## Aspect 12 — Architecture & Design (additional)
+
+- Parent-to-child communication via direct method calls on the child element reference instead of reactive `@api` property bindings — tight coupling; method calls are harder to test and break declarative data flow.
+- Child-to-parent communication by holding a direct reference to the parent instead of dispatching custom events — breaks component encapsulation and makes reuse impossible.
+- `@wire` result destructured into multiple separate tracked properties — verbose and fragile when the wire shape changes; bind to a single object and access properties in the template.

package/resources/skills/hd-code-review/reference/stacks/nodejs.md

@@ -0,0 +1,51 @@
+# Stack: Node.js — Additional Review Checks
+
+Injected into Phase 4 aspects when `tech_stack: nodejs` is declared in `docs/REVIEW_STANDARDS.md`.
+Apply these checks IN ADDITION TO the universal checklist items for each aspect.
+
+---
+
+## Aspect 2 — Correctness (additional)
+
+- `==` / `!=` instead of `===` / `!==` — type coercion produces unexpected results (e.g., `0 == false`, `null == undefined`).
+- Callback error argument silently ignored — `callback(err, data)` where `err` is not checked before using `data`.
+- Missing `await` on an async function call — promise is created but result is lost; errors are swallowed.
+- `parseInt` without explicit radix — `parseInt("08")` was `0` in legacy engines; always pass `10`.
+- `typeof null === 'object'` trap — null checks must use `=== null`, not `typeof`.
+
+---
+
+## Aspect 3 — Possible Breakage (additional)
+
+- CPU-intensive synchronous operation inside an async handler — blocks the event loop for all concurrent requests. Offload to worker threads or use async alternatives (`fs.promises.*`, `crypto.subtle`).
+- `fs.readFileSync` / `execSync` / `spawnSync` in request handlers or hot paths.
+- Unhandled `EventEmitter` `'error'` event — crashes the process if no listener is registered. Always attach `.on('error', handler)`.
+- `process.nextTick` in a tight loop — starves I/O callbacks; prefer `setImmediate` for deferring to next iteration.
+- `JSON.parse` on arbitrarily large request bodies without size guard — OOM risk.
+
+---
+
+## Aspect 7 — Security (additional)
+
+- `eval()` / `new Function(code)` with any user-controlled input — arbitrary code execution.
+- `require()` with user-controlled path — path traversal / arbitrary module load.
+- RegEx with catastrophic backtracking (ReDoS) on untrusted input — nested quantifiers like `(a+)+`, `(a|aa)+`. Test with abnormal input.
+- `Buffer.allocUnsafe()` — allocates uninitialized memory; may expose prior memory contents. Use `Buffer.alloc()`.
+- `child_process.exec` / `execFile` / `spawn` with shell: true and user input — shell injection.
+
+---
+
+## Aspect 9 — Implication Assessment (additional)
+
+- `JSON.parse` / `JSON.stringify` on large payloads in request handlers — consider streaming parsers (e.g., `stream-json`).
+- Synchronous crypto (`crypto.createHash(...).update(...).digest(...)`) in a hot request path — non-trivial CPU cost; evaluate if async or worker thread is needed.
+- `setInterval` without a corresponding `clearInterval` — memory/CPU leak in long-running processes.
+
+---
+
+## Aspect 10 — Code Quality (additional)
+
+- Callback hell (> 3 levels of nesting) when `async/await` or `Promise` chains are available.
+- Sequential `await` in a loop where `Promise.all` would parallelize independent async ops.
+- `console.log` / `console.error` in production code paths — use structured logger (pino, winston, etc.).
+- Catching and re-throwing without adding context — `catch (e) { throw e; }` loses stack augmentation opportunity.

package/resources/skills/hd-code-review/reference/stacks/php.md

@@ -0,0 +1,52 @@
+# Stack: PHP — Additional Review Checks
+
+Injected into Phase 4 aspects when `.php` files are detected in the diff (or `tech_stack: php` declared).
+When Laravel signals are present, `laravel` preset is loaded IN ADDITION to this one.
+When CakePHP signals are present, `cakephp` preset is loaded IN ADDITION to this one.
+Apply these checks IN ADDITION TO the universal checklist items for each aspect.
+
+---
+
+## Aspect 2 — Correctness (additional)
+
+- Loose comparison (`==`) with type-juggling surprises — `0 == "foo"` is `true` in PHP ≤7; `"1" == "01"` is `true`. Use strict comparison (`===`) unless type coercion is explicitly intended.
+- `isset()` vs `empty()` vs `null` check confusion — `empty("")`, `empty(0)`, `empty([])` all return `true`; use explicit type checks when zero or empty string is a valid value.
+- Integer overflow on 32-bit PHP — `PHP_INT_MAX` is 2³¹−1 on 32-bit; use `bcmath` or `GMP` for large integer arithmetic.
+- Array functions that return `false` on failure vs. an empty array — e.g., `preg_match()` returns `false` on error, not `0`; check with `=== false`.
+
+---
+
+## Aspect 3 — Possible Breakage (additional)
+
+- Database connection or PDO statement not closed in long-running scripts (CLI / workers) — connection pool exhaustion; use `null`-ing the PDO instance or explicit `$pdo = null`.
+- `preg_replace` with `/e` modifier (PHP 5) — executes matched content as PHP code (removed in PHP 7; if seen in a legacy codebase, critical security issue).
+- `@` error-suppression operator hiding actual errors — masks failures silently; remove and handle errors explicitly.
+- Session started after output sent — `session_start()` after any echo/print causes `Cannot send session cookie - headers already sent`.
+
+---
+
+## Aspect 7 — Security (additional)
+
+- SQL built with string concatenation or `sprintf` without prepared statements — SQL injection. Use PDO prepared statements or a query builder.
+- `$_GET` / `$_POST` / `$_COOKIE` values echoed directly into HTML — XSS. Escape with `htmlspecialchars($val, ENT_QUOTES, 'UTF-8')` or use a templating engine with auto-escaping.
+- `eval()` with any user-controlled input — arbitrary code execution.
+- `include` / `require` with user-controlled path — Local File Inclusion (LFI) / Remote File Inclusion (RFI). Validate against an allowlist.
+- `system()` / `exec()` / `shell_exec()` / `passthru()` with user input — OS command injection. Use `escapeshellarg()` or avoid shell entirely.
+- File upload handler not validating MIME type and extension server-side — never trust `$_FILES['type']`; validate with `finfo_file()`.
+- `unserialize()` on untrusted input — PHP object injection / arbitrary code execution. Use JSON instead.
+
+---
+
+## Aspect 10 — Code Quality (additional)
+
+- Missing strict types declaration — `declare(strict_types=1)` at top of file catches type coercion bugs at call sites; recommended for all new files.
+- Mixed `echo` and `return` in functions — functions should return values; presentation logic should echo; mixing makes code untestable.
+- Global variables accessed via `global $var` inside functions — avoid shared mutable global state; pass dependencies explicitly.
+
+---
+
+## Aspect 12 — Architecture & Design (additional)
+
+- Business logic in view templates (`.php` files directly rendered) — separate presentation from logic; use a controller or service layer.
+- Direct `$_POST` / `$_GET` access deep in the application stack — input should be validated and bound at the HTTP boundary (controller/request class), not accessed in services or models.
+- `die()` / `exit()` in library or service code — terminates the entire process; throw an exception instead to allow callers to handle errors.

package/resources/skills/hd-code-review/reference/stacks/python.md

@@ -0,0 +1,50 @@
+# Stack: Python — Additional Review Checks
+
+Injected into Phase 4 aspects when `.py` files are detected in the diff (or `tech_stack: python` declared).
+When Django path signals are also present (views.py, models.py, urls.py, migrations/), the `django` preset is loaded IN ADDITION to this one.
+Apply these checks IN ADDITION TO the universal checklist items for each aspect.
+
+---
+
+## Aspect 2 — Correctness (additional)
+
+- Mutable default argument — `def f(items=[])` or `def f(config={})`: the default object is created once and shared across all calls; subsequent calls mutate the same object. Use `None` and initialize inside the function.
+- `is` used for value comparison — `if x is "hello"` or `if x is 42`: identity check, not equality. Use `==` for value comparison. (`is None` / `is not None` are correct.)
+- Float equality without tolerance — `if result == 0.1 + 0.2` is almost always `False`; use `math.isclose()` or `abs(a - b) < epsilon`.
+- Broad `except Exception` with no logging or re-raise — silently swallows unexpected errors and hides bugs.
+
+---
+
+## Aspect 3 — Possible Breakage (additional)
+
+- File or resource not closed — `open()`, database cursors, network connections must use `with` (context manager); explicit `.close()` is skipped on exception.
+- Bare `except:` clause — catches `BaseException`, including `KeyboardInterrupt`, `SystemExit`, and `GeneratorExit`. Almost always wrong; use `except Exception:` at minimum.
+- Generator or iterator consumed after the underlying collection was modified — results are undefined.
+- `threading` without proper synchronization on shared mutable state — GIL does not protect compound operations (`dict[k] += 1` is not atomic).
+
+---
+
+## Aspect 7 — Security (additional)
+
+- `eval()` / `exec()` with any user-controlled input — arbitrary code execution.
+- `subprocess.run(..., shell=True)` with user-controlled arguments — shell injection. Pass arguments as a list instead.
+- `pickle.loads()` / `yaml.load()` (not `yaml.safe_load()`) from untrusted input — arbitrary code execution during deserialization.
+- SQL via string formatting — `f"SELECT * FROM {table}"` or `"SELECT * FROM " + table` — SQL injection. Use parameterized queries (`cursor.execute("SELECT * FROM t WHERE id = %s", [id])`).
+- Hardcoded secrets or API keys in source files — use environment variables or secrets manager.
+
+---
+
+## Aspect 10 — Code Quality (additional)
+
+- Inconsistent string formatting style in the same file — mixing `f"..."`, `"...".format()`, and `%s` formatting without a reason.
+- Missing type hints on new public functions / methods — hurts readability, IDE support, and static analysis.
+- `from module import *` — pollutes the namespace, makes it impossible to know where names come from, and breaks refactoring tools.
+- Shadowing a built-in name — `list = []`, `id = ...`, `input = ...` silently breaks later uses of the built-in.
+
+---
+
+## Aspect 12 — Architecture & Design (additional)
+
+- Circular imports — `module A` imports `module B` which imports `module A`; causes `ImportError` or partial initialization bugs. Restructure or use late imports.
+- Heavy computation or I/O at module top-level — code outside functions/classes runs on every `import`; slows startup, causes issues in tests, and runs in unexpected contexts.
+- `global` statement modifying module-level state — use class attributes, return values, or dependency injection instead.

package/resources/skills/hd-code-review/reference/stacks/react.md

@@ -0,0 +1,51 @@
+# Stack: React / Next.js — Additional Review Checks
+
+Injected into Phase 4 aspects when `.tsx` or `.jsx` files are detected in the diff (or `tech_stack: react` declared).
+Covers React and Next.js (Next.js is React with SSR — same checks apply).
+Apply these checks IN ADDITION TO the universal checklist items for each aspect.
+
+---
+
+## Aspect 2 — Correctness (additional)
+
+- `v-for`-equivalent: rendering a list without a stable `key` prop, or using array index as key when the list can be reordered/filtered — causes incorrect DOM reconciliation and stale state.
+- Stale closure in `useState` setter — `setCount(count + 1)` inside an async callback or interval captures the stale `count`; use `setCount(prev => prev + 1)` instead.
+- `async` function passed directly as `useEffect` callback — `useEffect(async () => {...})` returns a Promise, not a cleanup function; wrap in an inner async fn.
+- Hook called conditionally — hooks must be called in the same order on every render (no early returns, no hooks inside `if`, loops, or callbacks).
+- `useRef` value mutated during render — `.current` mutations must happen in effects or event handlers, not during the render phase.
+
+---
+
+## Aspect 3 — Possible Breakage (additional)
+
+- Missing `useEffect` cleanup — subscriptions, event listeners, `setInterval`/`setTimeout`, WebSocket connections, and Observables must be cleaned up in the return function; omitting causes memory leaks and state updates on unmounted components.
+- Infinite render loop — object literal, array literal, or inline function in `useEffect`/`useCallback`/`useMemo` dependency array creates a new reference on every render, triggering the effect infinitely. Use `useMemo`/`useCallback` or stable references.
+- `setState` called on unmounted component — async operation completes after unmount and calls `setState`; guard with an `isMounted` ref or abort signal.
+- `React.StrictMode` double-invocation exposing non-idempotent side effects — effects run twice in development; ensure effects are safe to re-run.
+
+---
+
+## Aspect 7 — Security (additional)
+
+- `dangerouslySetInnerHTML={{ __html: userInput }}` without sanitization — direct XSS vector. Sanitize with DOMPurify or equivalent before setting.
+- Secrets / API keys in component code or `.env` files with `NEXT_PUBLIC_` prefix — `NEXT_PUBLIC_` variables are bundled into the client build and visible to all users. Backend secrets must never use this prefix.
+- Next.js Server Actions missing authentication check — `use server` functions are exposed as HTTP endpoints; verify session/user before performing privileged operations.
+- `href` or `src` set from user input without validation — `javascript:` URLs in `href` are an XSS vector.
+
+---
+
+## Aspect 10 — Code Quality (additional)
+
+- Component with more than one primary responsibility — split into smaller, focused components.
+- Prop drilling deeper than 3 levels — consider React Context or a state management solution.
+- Inline arrow functions or object literals as props on frequently-rendered list items — creates new reference on every render, prevents `React.memo` optimization.
+- `useEffect` with an empty dependency array `[]` doing complex async work that depends on props — silent bug when props change; re-evaluate dependencies.
+
+---
+
+## Aspect 12 — Architecture & Design (additional)
+
+- Business logic inside component bodies — extract to custom hooks or service modules; components should orchestrate rendering, not implement domain logic.
+- Direct API calls (`fetch`, `axios`) inside a component body — wrap in a custom hook (`useUserData`, `useProducts`) to enable reuse, testing, and loading/error state management.
+- Missing error boundaries around async data-fetching subtrees — unhandled promise rejection in a child component crashes the entire tree; add `<ErrorBoundary>`.
+- `useContext` used for high-frequency updates (e.g., mouse position, scroll offset) — every context consumer re-renders on any context change; use a more granular state solution.

package/resources/skills/hd-code-review/reference/stacks/reactnative.md

@@ -0,0 +1,54 @@
+# Stack: React Native — Additional Review Checks
+
+Injected into Phase 4 aspects when React Native signals are detected in the diff:
+- `react-native` dependency in `package.json`
+- `.native.ts` / `.native.tsx` / `.native.js` platform-specific files
+- Paths containing `android/` or `ios/` Java/Kotlin/Swift/ObjC files alongside JS/TS
+
+When Expo signals are also present (`expo` in `package.json`, `app.json`, `app.config.js`),
+the `expo` preset is loaded IN ADDITION to this one.
+
+React Native inherits all `react` checks. Apply these IN ADDITION to `react.md` and the universal checklist.
+
+---
+
+## Aspect 2 — Correctness (additional)
+
+- `FlatList` / `SectionList` missing `keyExtractor` — React Native uses it for reconciliation and scroll position restoration; without it, list re-renders are incorrect.
+- `renderItem` in `FlatList` not wrapped in `useCallback` — creates a new function reference on every parent render, causing all list items to re-render regardless of data changes.
+- `Platform.OS` check used where `Platform.select` or platform-specific file (`.ios.tsx` / `.android.tsx`) would be clearer and more maintainable.
+- `Dimensions.get('window')` called once at module level — does not update on orientation change or window resize (foldables, tablets); use `useWindowDimensions()` hook or subscribe to `Dimensions.addEventListener`.
+
+---
+
+## Aspect 3 — Possible Breakage (additional)
+
+- `AppState`, `BackHandler`, `Keyboard`, `Linking` event listeners added without removal in a cleanup function / `useEffect` return — duplicate handlers accumulate across navigations and cause memory leaks.
+- Navigation `navigate()` or `goBack()` called after the component is unmounted (e.g., in an async callback after a network request) — `setState on unmounted component` warning and potential crash.
+- `InteractionManager.runAfterInteractions()` callbacks not cancelled on unmount — runs after the component is gone.
+- Deep linking / universal link handler not guarded — unvalidated route parameters passed directly to navigation can cause crashes on unexpected input.
+
+---
+
+## Aspect 7 — Security (additional)
+
+- Sensitive data (tokens, passwords, PII) stored in `AsyncStorage` — stores plain text on-disk, readable by other apps on rooted/jailbroken devices. Use `expo-secure-store` (Expo) or `react-native-keychain` (bare).
+- API keys or secrets hardcoded in JS source — React Native bundles are extractable from APK/IPA; use environment variables (via `react-native-config` or Expo's `app.config.js`) and never embed secrets in the bundle.
+- Deep link URL parameters used without validation — user or attacker-controlled URLs should be validated before use in navigation or API calls.
+- `WebView` with `javaScriptEnabled` + `onMessage` / `postMessage` handling user-controlled URLs — XSS in the WebView can exfiltrate data via the bridge.
+
+---
+
+## Aspect 9 — Implication Assessment (additional)
+
+- `StyleSheet.create()` vs inline style objects — inline styles create new objects on every render; `StyleSheet.create()` optimizes by sending IDs over the bridge. Use `StyleSheet.create()` for static styles.
+- JavaScript thread blocked by heavy computation — RN has a single JS thread; synchronous CPU work (large JSON parse, sorting, image processing) causes frame drops. Offload to a worker or native module.
+- `console.log` in production builds — each log crosses the JS bridge and has measurable overhead; ensure logs are stripped in production (Babel plugin or conditional).
+
+---
+
+## Aspect 12 — Architecture & Design (additional)
+
+- Business logic in screen components — extract to hooks, stores (Zustand, Redux, MobX), or service modules; screens should handle rendering and navigation only.
+- Platform-specific code scattered via `if (Platform.OS === 'ios')` throughout business logic — consolidate platform differences in a single abstraction layer or platform-specific files.
+- Missing error boundary around screens loaded via deep link or navigation — a crash in one screen should not bring down the entire navigator stack.

package/resources/skills/hd-code-review/reference/stacks/scala.md

@@ -0,0 +1,48 @@
+# Stack: Scala — Additional Review Checks
+
+Injected into Phase 4 aspects when `.scala` or `build.sbt` files are detected in the diff (or `tech_stack: scala` declared).
+Apply these checks IN ADDITION TO the universal checklist items for each aspect.
+
+---
+
+## Aspect 2 — Correctness (additional)
+
+- `.get` called on `Option` without prior `isDefined` check — throws `NoSuchElementException` on `None`; use `getOrElse`, `fold`, pattern match, or `map`/`flatMap`.
+- `Await.result()` / `Await.ready()` with `Duration.Inf` on a Future — blocks the calling thread indefinitely; always set a finite timeout.
+- Mutable shared state in an `Actor` accessed from outside the actor — Akka actors must only be interacted with via messages; direct field access breaks the concurrency model.
+- `==` on case classes vs reference types — works correctly for case classes (structural equality), but reference-type instances use reference equality unless `equals` is overridden; verify intent.
+- `flatMap` / `map` on `Future` that swallows exceptions — unhandled `Future` failures silently disappear; use `.recover` or `.recoverWith` to handle failures explicitly.
+
+---
+
+## Aspect 3 — Possible Breakage (additional)
+
+- `Future` started outside an `ExecutionContext` passed as implicit — missing implicit `ec` causes compilation error or picks up an unintended global context (e.g., `scala.concurrent.ExecutionContext.global` for blocking I/O, which exhausts the thread pool).
+- Blocking I/O (`Await`, JDBC, file reads) on the default `ExecutionContext` — the global EC is sized for CPU-bound work; blocking on it starves other Futures. Use a dedicated blocking EC (`ExecutionContext.fromExecutor(Executors.newCachedThreadPool())`).
+- `var` in a class shared across Futures without synchronization — race condition; prefer immutable vals, `Atomic` references, or actor-based state.
+- Pattern match not exhaustive on a sealed trait — `MatchError` at runtime; the compiler warns but it can be suppressed; verify all cases are handled.
+
+---
+
+## Aspect 7 — Security (additional)
+
+- String interpolation in SQL queries (`s"SELECT * FROM t WHERE id=$id"`) — SQL injection. Use prepared statements or a type-safe query library (Doobie, Slick, Quill).
+- Deserialization of untrusted Java-serialized objects (`ObjectInputStream`) — arbitrary code execution; avoid Java serialization for external data; use JSON/Protobuf instead.
+- Scala `xml.XML.loadString(userInput)` without entity expansion disabled — XXE (XML External Entity) attack. Use a secure XML parser configuration.
+
+---
+
+## Aspect 10 — Code Quality (additional)
+
+- Overuse of `asInstanceOf` casts — defeats the type system; use pattern matching or type-safe abstractions.
+- `null` returned or accepted instead of `Option` — null references in Scala are idiomatic Java but break functional composition; prefer `Option[T]`.
+- Implicit conversions that are not obviously scoped — wide-scope implicits cause surprising behavior; prefer explicit conversions or type classes.
+- `throw` in a for-comprehension or `map` — breaks the monadic chain; return `Try`, `Either`, or `Option` to represent failure.
+
+---
+
+## Aspect 12 — Architecture & Design (additional)
+
+- Business logic in Akka Actor `receive` handlers directly — complex logic in receive makes actors untestable; delegate to pure functions or services called from the actor.
+- Mixing `Future`-based and blocking code in the same layer — inconsistent async model creates thread pool starvation and unpredictable behavior.
+- Type class instances defined in a non-companion object or non-package-object scope — may not be picked up by implicit resolution; place in companion objects or import explicitly.

package/resources/skills/hd-code-review/reference/stacks/visualforce.md

@@ -0,0 +1,38 @@
+# Stack: Visualforce — Additional Review Checks
+
+Injected when `.page` files, or `.component` files under a `pages/` path segment, are detected
+in the diff (or `tech_stack: visualforce` declared). Standalone preset.
+Apply these checks IN ADDITION TO the universal checklist items.
+
+---
+
+## Aspect 2 — Correctness (additional)
+
+- Merge field rendered in HTML context without `{!HTMLENCODE(field)}` — raw output allows HTML injection; always encode user-controlled or record-sourced values in markup.
+- Merge field used inside a `<script>` block without `{!JSENCODE(field)}` — unencoded value breaks JS syntax or enables injection; use `JSENCODE()` for all script-context merge fields.
+- `<apex:commandButton>` or `<apex:actionFunction>` present on a page without an enclosing `<apex:form>` — actions silently do nothing; all action components require a parent form.
+
+---
+
+## Aspect 3 — Possible Breakage (additional)
+
+- Large record collections bound to `<apex:dataTable>`, `<apex:pageBlockTable>`, or `<apex:repeat>` without server-side pagination — view state can exceed the 170 KB limit and throw a runtime exception for end users.
+- `StandardController` extension overriding the `save()` action without calling `super.save()` — record changes are silently discarded; chain to the standard save or implement full DML explicitly.
+
+---
+
+## Aspect 7 — Security (additional)
+
+- `{!variable}` used inside a `<script>` block without `JSENCODE()` — classic Visualforce XSS vector; any user-controlled value injected into JS can execute arbitrary code.
+- `@RemoteAction` Apex method on a class without explicit `with sharing` — FLS and record-level sharing not enforced; remote actions bypass standard controller sharing automatically.
+- `<apex:includeLightning>` referencing a third-party or unreviewed Lightning component — executes in the Salesforce session context; verify the component source before including.
+- External JS loaded via `<script src="https://...">` instead of `<apex:includeScript>` with a Static Resource — AppExchange auto-fail; all third-party JS must be packaged as static resources.
+- CSS loaded via `<link href="...">` tag instead of `<apex:stylesheet>` with a Static Resource — improper CSS load, flagged as violation in AppExchange security review.
+- `OnClickJavaScript` in custom buttons or weblinks — AppExchange auto-fail; Classic mode is always in scope even if the org uses Lightning Experience exclusively.
+
+---
+
+## Aspect 10 — Code Quality (additional)
+
+- SOQL query placed in a controller property getter (`get { return [SELECT ...]; }`) — re-executes on every partial-page re-render and `<apex:actionFunction>` call; assign to an instance variable in the constructor or an `action` method.
+- `<apex:outputPanel layout="block">` used for inline or flex layout — produces an unexpected `<div>` wrapper; use `layout="none"` to emit a `<span>`, or apply CSS directly.

package/resources/skills/hd-code-review/reference/stacks/vuejs.md

@@ -0,0 +1,52 @@
+# Stack: Vue.js — Additional Review Checks
+
+Injected into Phase 4 aspects when `.vue` files are detected in the diff (or `tech_stack: vuejs` declared).
+Covers Vue 2 and Vue 3 — version-specific differences are noted inline.
+Apply these checks IN ADDITION TO the universal checklist items for each aspect.
+
+---
+
+## Aspect 2 — Correctness (additional)
+
+- `v-for` without `:key` or using array index as key when the list can be reordered/filtered — causes incorrect DOM reconciliation and stale component state.
+- `v-if` and `v-for` on the same element:
+  - **Vue 2**: `v-for` has higher priority — `v-if` runs on each iterated item (may be intentional, but often a mistake).
+  - **Vue 3**: `v-if` has higher priority — the loop variable is not accessible inside `v-if` (always a bug if the intent was to filter).
+  - Prefer `<template v-for>` with `v-if` on the inner element, or filter in `computed`.
+- Direct array index mutation in Vue 2 — `this.arr[0] = val` is NOT reactive; use `this.$set(this.arr, 0, val)` or `Vue.set`. (Vue 3 Proxy-based reactivity handles this correctly.)
+- Mutating a prop directly inside a child component — always emit an event to the parent instead.
+- `computed` property with side effects — computed getters must be pure; side effects belong in `watch` or methods.
+
+---
+
+## Aspect 3 — Possible Breakage (additional)
+
+- Event listener or DOM subscription added in `mounted`/`created` without corresponding removal in `beforeUnmount` (Vue 3) / `beforeDestroy` (Vue 2) — memory leak and duplicate handlers on re-mount.
+- `$refs` accessed in `created` or before the component is mounted — refs are only populated after `mounted`; earlier access returns `undefined`.
+- `watch` without `{ immediate: true }` when initial state needs to trigger the handler — silent miss on first load.
+- **Vue 3 Composition API**: reactive object destructured into plain variables loses reactivity — `const { count } = reactive({count: 0})` creates a plain number, not a ref.
+
+---
+
+## Aspect 7 — Security (additional)
+
+- `v-html` with user-controlled content — direct XSS vector; sanitize with DOMPurify or equivalent before binding, or avoid `v-html` entirely for user content.
+- Dynamic `<component :is="userInput">` with unvalidated values — can render arbitrary registered components.
+
+---
+
+## Aspect 10 — Code Quality (additional)
+
+- Mixing Options API and Composition API inconsistently across components in the same project without a documented convention — pick one style per codebase.
+- `this.$parent` or `this.$children` access — creates fragile parent-child coupling; use props/events or provide/inject.
+- Logic-heavy template expressions (ternaries, method chains) — extract to `computed` properties for readability and cacheability.
+- Missing prop `type` and `validator` definitions — prop validation documents the contract and catches bugs early.
+
+---
+
+## Aspect 12 — Architecture & Design (additional)
+
+- Business logic inside template expressions or inline event handlers — extract to methods or composables.
+- `this.$store.commit()` called directly in a component (Vuex / Pinia) — prefer dispatching actions, which can handle async logic and logging.
+- **Vue 3**: composable function mutating external state without returning reactive refs — composables should be self-contained and return their state explicitly.
+- Cross-component communication via `EventBus` in Vue 3 — the global event bus pattern is removed; use `mitt` explicitly or Pinia for shared state.