@ranimontagna/agent-toolkit 0.1.6 → 0.1.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +83 -10
- package/package.json +1 -1
- package/skills/backend/database/postgres-patterns/LICENSE.ANTIGRAVITY +21 -0
- package/skills/backend/database/postgres-patterns/LICENSE.ECC +21 -0
- package/skills/backend/database/postgres-patterns/NOTICE.md +11 -0
- package/skills/backend/database/postgres-patterns/SKILL.md +180 -0
- package/skills/backend/go/golang-patterns/LICENSE +21 -0
- package/skills/backend/go/golang-patterns/NOTICE.md +10 -0
- package/skills/backend/go/golang-patterns/SKILL.md +674 -0
- package/skills/backend/go/golang-testing/LICENSE +21 -0
- package/skills/backend/go/golang-testing/NOTICE.md +10 -0
- package/skills/backend/go/golang-testing/SKILL.md +329 -0
- package/skills/backend/java/java-coding-standards/LICENSE +21 -0
- package/skills/backend/java/java-coding-standards/NOTICE.md +10 -0
- package/skills/backend/java/java-coding-standards/SKILL.md +383 -0
- package/skills/backend/java/java-junit/LICENSE +21 -0
- package/skills/backend/java/java-junit/NOTICE.md +10 -0
- package/skills/backend/java/java-junit/SKILL.md +64 -0
- package/skills/backend/kotlin/kotlin-patterns/LICENSE +21 -0
- package/skills/backend/kotlin/kotlin-patterns/NOTICE.md +7 -0
- package/skills/backend/kotlin/kotlin-patterns/SKILL.md +711 -0
- package/skills/backend/kotlin/kotlin-testing/LICENSE +21 -0
- package/skills/backend/kotlin/kotlin-testing/NOTICE.md +7 -0
- package/skills/backend/kotlin/kotlin-testing/SKILL.md +824 -0
- package/skills/backend/python/python-patterns/LICENSE +21 -0
- package/skills/backend/python/python-patterns/NOTICE.md +7 -0
- package/skills/backend/python/python-patterns/SKILL.md +424 -0
- package/skills/backend/python/python-testing/LICENSE +21 -0
- package/skills/backend/python/python-testing/NOTICE.md +7 -0
- package/skills/backend/python/python-testing/SKILL.md +494 -0
- package/skills/devops/docker-patterns/LICENSE.ANTIGRAVITY +21 -0
- package/skills/devops/docker-patterns/LICENSE.ECC +21 -0
- package/skills/devops/docker-patterns/NOTICE.md +11 -0
- package/skills/devops/docker-patterns/SKILL.md +397 -0
- package/skills/frontend/accessibility/LICENSE +21 -0
- package/skills/frontend/accessibility/NOTICE.md +10 -0
- package/skills/frontend/accessibility/SKILL.md +145 -0
- package/skills/frontend/design/ui-ux-pro-max/LICENSE +21 -0
- package/skills/frontend/design/ui-ux-pro-max/NOTICE.md +12 -0
- package/skills/frontend/design/ui-ux-pro-max/SKILL.md +672 -0
- package/skills/frontend/design/ui-ux-pro-max/data/_sync_all.py +414 -0
- package/skills/frontend/design/ui-ux-pro-max/data/app-interface.csv +31 -0
- package/skills/frontend/design/ui-ux-pro-max/data/charts.csv +26 -0
- package/skills/frontend/design/ui-ux-pro-max/data/colors.csv +162 -0
- package/skills/frontend/design/ui-ux-pro-max/data/design.csv +1776 -0
- package/skills/frontend/design/ui-ux-pro-max/data/draft.csv +1779 -0
- package/skills/frontend/design/ui-ux-pro-max/data/google-fonts.csv +1924 -0
- package/skills/frontend/design/ui-ux-pro-max/data/icons.csv +106 -0
- package/skills/frontend/design/ui-ux-pro-max/data/landing.csv +35 -0
- package/skills/frontend/design/ui-ux-pro-max/data/products.csv +162 -0
- package/skills/frontend/design/ui-ux-pro-max/data/react-performance.csv +45 -0
- package/skills/frontend/design/ui-ux-pro-max/data/stacks/angular.csv +51 -0
- package/skills/frontend/design/ui-ux-pro-max/data/stacks/astro.csv +54 -0
- package/skills/frontend/design/ui-ux-pro-max/data/stacks/flutter.csv +53 -0
- package/skills/frontend/design/ui-ux-pro-max/data/stacks/html-tailwind.csv +56 -0
- package/skills/frontend/design/ui-ux-pro-max/data/stacks/jetpack-compose.csv +53 -0
- package/skills/frontend/design/ui-ux-pro-max/data/stacks/laravel.csv +51 -0
- package/skills/frontend/design/ui-ux-pro-max/data/stacks/nextjs.csv +53 -0
- package/skills/frontend/design/ui-ux-pro-max/data/stacks/nuxt-ui.csv +51 -0
- package/skills/frontend/design/ui-ux-pro-max/data/stacks/nuxtjs.csv +59 -0
- package/skills/frontend/design/ui-ux-pro-max/data/stacks/react-native.csv +52 -0
- package/skills/frontend/design/ui-ux-pro-max/data/stacks/react.csv +54 -0
- package/skills/frontend/design/ui-ux-pro-max/data/stacks/shadcn.csv +61 -0
- package/skills/frontend/design/ui-ux-pro-max/data/stacks/svelte.csv +54 -0
- package/skills/frontend/design/ui-ux-pro-max/data/stacks/swiftui.csv +51 -0
- package/skills/frontend/design/ui-ux-pro-max/data/stacks/threejs.csv +54 -0
- package/skills/frontend/design/ui-ux-pro-max/data/stacks/vue.csv +50 -0
- package/skills/frontend/design/ui-ux-pro-max/data/styles.csv +85 -0
- package/skills/frontend/design/ui-ux-pro-max/data/typography.csv +74 -0
- package/skills/frontend/design/ui-ux-pro-max/data/ui-reasoning.csv +162 -0
- package/skills/frontend/design/ui-ux-pro-max/data/ux-guidelines.csv +100 -0
- package/skills/frontend/design/ui-ux-pro-max/scripts/core.py +262 -0
- package/skills/frontend/design/ui-ux-pro-max/scripts/design_system.py +1148 -0
- package/skills/frontend/design/ui-ux-pro-max/scripts/search.py +114 -0
- package/skills/frontend/react/react-patterns/SKILL.md +4 -4
- package/skills/frontend/react/react-patterns/rules/react/LICENSE +21 -0
- package/skills/frontend/react/react-patterns/rules/react/NOTICE.md +11 -0
- package/skills/frontend/react/react-patterns/rules/react/coding-style.md +109 -0
- package/skills/frontend/react/react-patterns/rules/react/hooks.md +187 -0
- package/skills/frontend/react/react-patterns/rules/react/patterns.md +194 -0
- package/skills/frontend/react/react-patterns/rules/react/security.md +180 -0
- package/skills/frontend/react/react-patterns/rules/react/testing.md +208 -0
- package/skills/frontend/react/react-performance/SKILL.md +2 -2
- package/skills/frontend/react/react-performance/rules/react/LICENSE +21 -0
- package/skills/frontend/react/react-performance/rules/react/NOTICE.md +11 -0
- package/skills/frontend/react/react-performance/rules/react/coding-style.md +109 -0
- package/skills/frontend/react/react-performance/rules/react/hooks.md +187 -0
- package/skills/frontend/react/react-performance/rules/react/patterns.md +194 -0
- package/skills/frontend/react/react-performance/rules/react/security.md +180 -0
- package/skills/frontend/react/react-performance/rules/react/testing.md +208 -0
- package/skills/frontend/react/react-testing/SKILL.md +4 -4
- package/skills/frontend/react/react-testing/rules/react/LICENSE +21 -0
- package/skills/frontend/react/react-testing/rules/react/NOTICE.md +11 -0
- package/skills/frontend/react/react-testing/rules/react/coding-style.md +109 -0
- package/skills/frontend/react/react-testing/rules/react/hooks.md +187 -0
- package/skills/frontend/react/react-testing/rules/react/patterns.md +194 -0
- package/skills/frontend/react/react-testing/rules/react/security.md +180 -0
- package/skills/frontend/react/react-testing/rules/react/testing.md +208 -0
- package/skills/general/code-reviewer/AGENTS.md +292 -0
- package/skills/general/code-reviewer/LICENSE +201 -0
- package/skills/general/code-reviewer/NOTICE.md +10 -0
- package/skills/general/code-reviewer/SKILL.md +132 -0
- package/skills/general/code-reviewer/rules/correctness-error-handling.md +279 -0
- package/skills/general/code-reviewer/rules/maintainability-naming.md +149 -0
- package/skills/general/code-reviewer/rules/maintainability-type-hints.md +93 -0
- package/skills/general/code-reviewer/rules/performance-n-plus-one.md +250 -0
- package/skills/general/code-reviewer/rules/security-sql-injection.md +142 -0
- package/skills/general/code-reviewer/rules/security-xss-prevention.md +225 -0
|
@@ -0,0 +1,180 @@
|
|
|
1
|
+
---
|
|
2
|
+
paths:
|
|
3
|
+
- "**/*.tsx"
|
|
4
|
+
- "**/*.jsx"
|
|
5
|
+
- "**/components/**/*.ts"
|
|
6
|
+
- "**/app/**/*.ts"
|
|
7
|
+
- "**/pages/**/*.ts"
|
|
8
|
+
---
|
|
9
|
+
# React Security
|
|
10
|
+
|
|
11
|
+
> This file extends the upstream `typescript/security.md` and `common/security.md` rules with React specific content.
|
|
12
|
+
|
|
13
|
+
## XSS via `dangerouslySetInnerHTML`
|
|
14
|
+
|
|
15
|
+
CRITICAL. The prop name is deliberately scary — treat every usage as a code review halt.
|
|
16
|
+
|
|
17
|
+
```tsx
|
|
18
|
+
// CRITICAL: unsanitized user input
|
|
19
|
+
<div dangerouslySetInnerHTML={{ __html: userBio }} />
|
|
20
|
+
|
|
21
|
+
// CORRECT options:
|
|
22
|
+
// 1. Render as text
|
|
23
|
+
<div>{userBio}</div>
|
|
24
|
+
|
|
25
|
+
// 2. Render parsed markdown via a library that sanitizes
|
|
26
|
+
<ReactMarkdown>{userBio}</ReactMarkdown>
|
|
27
|
+
|
|
28
|
+
// 3. If raw HTML is required, sanitize first with DOMPurify
|
|
29
|
+
import DOMPurify from "isomorphic-dompurify";
|
|
30
|
+
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userBio) }} />
|
|
31
|
+
```
|
|
32
|
+
|
|
33
|
+
Audit checklist for every `dangerouslySetInnerHTML` call:
|
|
34
|
+
|
|
35
|
+
- Is the input always under our control? Document the source.
|
|
36
|
+
- If user-derived: is it sanitized at the **same call site**? (Sanitization at the API boundary is acceptable only if every consumer is verified.)
|
|
37
|
+
- Is the sanitizer config allowlisting tags, not denylisting?
|
|
38
|
+
|
|
39
|
+
## Unsafe URL Schemes
|
|
40
|
+
|
|
41
|
+
`javascript:` and `data:` URLs in `href`, `src`, and `xlink:href` execute arbitrary code.
|
|
42
|
+
|
|
43
|
+
```tsx
|
|
44
|
+
// CRITICAL: javascript: URL injection
|
|
45
|
+
<a href={user.website}>Visit</a> // if user.website = "javascript:alert(1)"
|
|
46
|
+
|
|
47
|
+
// CORRECT: validate scheme
|
|
48
|
+
function safeUrl(url: string): string | undefined {
|
|
49
|
+
try {
|
|
50
|
+
const parsed = new URL(url);
|
|
51
|
+
if (["http:", "https:", "mailto:"].includes(parsed.protocol)) return url;
|
|
52
|
+
} catch {
|
|
53
|
+
return undefined;
|
|
54
|
+
}
|
|
55
|
+
return undefined;
|
|
56
|
+
}
|
|
57
|
+
<a href={safeUrl(user.website)}>Visit</a>
|
|
58
|
+
```
|
|
59
|
+
|
|
60
|
+
React warns about `javascript:` URLs in `href` in development mode, but does not block them at runtime. `data:` URLs and other schemes also slip through. Always validate.
|
|
61
|
+
|
|
62
|
+
## `target="_blank"` Without `rel`
|
|
63
|
+
|
|
64
|
+
`<a target="_blank">` without `rel="noopener noreferrer"` lets the target page access `window.opener` and run navigation hijacks.
|
|
65
|
+
|
|
66
|
+
```tsx
|
|
67
|
+
// WRONG
|
|
68
|
+
<a href={externalUrl} target="_blank">External</a>
|
|
69
|
+
|
|
70
|
+
// CORRECT
|
|
71
|
+
<a href={externalUrl} target="_blank" rel="noopener noreferrer">External</a>
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
Modern browsers default to `noopener` when `target="_blank"`, but do not rely on browser defaults — be explicit.
|
|
75
|
+
|
|
76
|
+
## Server Action Input Validation
|
|
77
|
+
|
|
78
|
+
Server Actions (`"use server"`) run with the same trust level as a public API endpoint. Validate every input.
|
|
79
|
+
|
|
80
|
+
```tsx
|
|
81
|
+
"use server";
|
|
82
|
+
import { z } from "zod";
|
|
83
|
+
|
|
84
|
+
const Input = z.object({
|
|
85
|
+
email: z.string().email(),
|
|
86
|
+
age: z.number().int().min(0).max(120),
|
|
87
|
+
});
|
|
88
|
+
|
|
89
|
+
export async function updateUser(_state: unknown, formData: FormData) {
|
|
90
|
+
const parsed = Input.safeParse({
|
|
91
|
+
email: formData.get("email"),
|
|
92
|
+
age: Number(formData.get("age")),
|
|
93
|
+
});
|
|
94
|
+
if (!parsed.success) return { error: parsed.error.flatten() };
|
|
95
|
+
// ...
|
|
96
|
+
}
|
|
97
|
+
```
|
|
98
|
+
|
|
99
|
+
- Authenticate inside the action — do not trust the client-side route gate
|
|
100
|
+
- Authorize: confirm the current user has permission for the specific record they are mutating
|
|
101
|
+
- Rate limit sensitive actions
|
|
102
|
+
|
|
103
|
+
## Secret Exposure via Env Vars
|
|
104
|
+
|
|
105
|
+
Prefixed env vars are bundled into the client. Treat them as public.
|
|
106
|
+
|
|
107
|
+
| Framework | Public prefix | Private |
|
|
108
|
+
|---|---|---|
|
|
109
|
+
| Next.js | `NEXT_PUBLIC_*` | All others |
|
|
110
|
+
| Vite | `VITE_*` | `.env` server-side only |
|
|
111
|
+
| Create React App | `REACT_APP_*`, plus `NODE_ENV` and `PUBLIC_URL` | All others (anything without the `REACT_APP_` prefix is server-side only) |
|
|
112
|
+
| Remix | `process.env` access in `loader`/`action` only | Same |
|
|
113
|
+
|
|
114
|
+
```ts
|
|
115
|
+
// CRITICAL: secret leaked to client bundle
|
|
116
|
+
const apiKey = process.env.NEXT_PUBLIC_STRIPE_SECRET_KEY;
|
|
117
|
+
```
|
|
118
|
+
|
|
119
|
+
Audit on every PR that touches env vars: would this string in the public bundle be a problem?
|
|
120
|
+
|
|
121
|
+
## Authentication / Authorization
|
|
122
|
+
|
|
123
|
+
- Never store sessions in `localStorage` — accessible to any XSS. Use httpOnly secure cookies.
|
|
124
|
+
- Never trust client-set state to gate sensitive UI. Render-gating in JSX prevents display, not access — the API must enforce.
|
|
125
|
+
- CSRF: cookie-based auth requires CSRF tokens or `SameSite=Strict`/`Lax` cookies
|
|
126
|
+
- Use double-submit cookies or origin verification for form actions when not using framework defaults
|
|
127
|
+
|
|
128
|
+
## Content Security Policy (CSP)
|
|
129
|
+
|
|
130
|
+
Configure server-side. The minimum acceptable CSP for a React app:
|
|
131
|
+
|
|
132
|
+
```
|
|
133
|
+
default-src 'self';
|
|
134
|
+
script-src 'self' 'nonce-{REQUEST_NONCE}';
|
|
135
|
+
style-src 'self' 'unsafe-inline';
|
|
136
|
+
img-src 'self' data: https:;
|
|
137
|
+
connect-src 'self' https://api.example.com;
|
|
138
|
+
frame-ancestors 'none';
|
|
139
|
+
```
|
|
140
|
+
|
|
141
|
+
- Avoid `unsafe-inline` and `unsafe-eval` in `script-src`
|
|
142
|
+
- For SSR with inline scripts (Next.js streaming, hydration data), use per-request nonces — both Next.js and Remix support nonce injection
|
|
143
|
+
- `style-src 'unsafe-inline'` is often unavoidable for CSS-in-JS libraries — document the tradeoff
|
|
144
|
+
|
|
145
|
+
## Prototype Pollution via Object Spread
|
|
146
|
+
|
|
147
|
+
```tsx
|
|
148
|
+
// WRONG: untrusted JSON spread directly into state
|
|
149
|
+
const update = await req.json();
|
|
150
|
+
setState({ ...state, ...update }); // attacker controls __proto__
|
|
151
|
+
|
|
152
|
+
// CORRECT: parse with a schema, or guard keys
|
|
153
|
+
const Allowed = z.object({ name: z.string(), email: z.string().email() });
|
|
154
|
+
const parsed = Allowed.parse(await req.json());
|
|
155
|
+
setState({ ...state, ...parsed });
|
|
156
|
+
```
|
|
157
|
+
|
|
158
|
+
## SSR Template Injection
|
|
159
|
+
|
|
160
|
+
When using `renderToString` or `renderToPipeableStream`:
|
|
161
|
+
|
|
162
|
+
- All values rendered inside JSX are escaped by React — safe
|
|
163
|
+
- Values passed to `dangerouslySetInnerHTML` are NOT escaped — same rules as client
|
|
164
|
+
- Manually constructed HTML wrappers around the React output must be escaped or sanitized — never concatenate user input into the surrounding HTML template
|
|
165
|
+
|
|
166
|
+
## Third-Party Components
|
|
167
|
+
|
|
168
|
+
- Audit `npm audit` before adding any UI library
|
|
169
|
+
- Check that the library does not internally use `dangerouslySetInnerHTML` on its input (e.g., rich text editors)
|
|
170
|
+
- Pin versions, review changelogs before major upgrades
|
|
171
|
+
- Be wary of components that accept HTML strings as props
|
|
172
|
+
|
|
173
|
+
## Source Map Exposure in Production
|
|
174
|
+
|
|
175
|
+
Production builds should ship without source maps, or with sourcemaps uploaded to an error tracker (Sentry) and stripped from the public bundle. Public source maps leak internal logic and file structure.
|
|
176
|
+
|
|
177
|
+
## Agent Support
|
|
178
|
+
|
|
179
|
+
- Use `security-reviewer` agent for comprehensive security audits across the codebase
|
|
180
|
+
- Use `react-reviewer` agent for React-specific patterns and the above rules in active code review
|
|
@@ -0,0 +1,208 @@
|
|
|
1
|
+
---
|
|
2
|
+
paths:
|
|
3
|
+
- "**/*.test.tsx"
|
|
4
|
+
- "**/*.test.jsx"
|
|
5
|
+
- "**/*.spec.tsx"
|
|
6
|
+
- "**/*.spec.jsx"
|
|
7
|
+
- "**/__tests__/**/*.ts"
|
|
8
|
+
- "**/__tests__/**/*.tsx"
|
|
9
|
+
---
|
|
10
|
+
# React Testing
|
|
11
|
+
|
|
12
|
+
> This file extends the upstream `typescript/testing.md` and `common/testing.md` rules with React specific content.
|
|
13
|
+
|
|
14
|
+
## Library Choice
|
|
15
|
+
|
|
16
|
+
- **React Testing Library (RTL)** — the standard for component testing. Tests behavior through the rendered DOM.
|
|
17
|
+
- **Vitest** — preferred runner for new Vite-based projects. Faster than Jest, native ESM, same API.
|
|
18
|
+
- **Jest** — still the default for Next.js / CRA projects. RTL works identically.
|
|
19
|
+
- **Playwright Component Testing** — when component tests need a real browser engine (animation, layout, complex events)
|
|
20
|
+
- **Cypress Component Testing** — alternative real-browser component runner
|
|
21
|
+
|
|
22
|
+
Pick one component test runner per project — do not mix RTL + Playwright CT in the same repo.
|
|
23
|
+
|
|
24
|
+
## Core Principle
|
|
25
|
+
|
|
26
|
+
Test what the user sees and does, not implementation details.
|
|
27
|
+
|
|
28
|
+
- Query by accessible role first, then label, then text — fall back to `data-testid` only when nothing else fits
|
|
29
|
+
- Never assert on internal state, props passed to children, or which hooks were called
|
|
30
|
+
- Refactor without breaking tests = the test was testing behavior; that is the goal
|
|
31
|
+
|
|
32
|
+
## Query Priority
|
|
33
|
+
|
|
34
|
+
RTL exposes queries in three families. Use this priority order top-down:
|
|
35
|
+
|
|
36
|
+
1. **Accessible to everyone**
|
|
37
|
+
- `getByRole(role, { name })` — primary choice
|
|
38
|
+
- `getByLabelText` — for form inputs
|
|
39
|
+
- `getByPlaceholderText` — when no label is available (and add a label)
|
|
40
|
+
- `getByText` — for non-interactive text
|
|
41
|
+
- `getByDisplayValue` — for form fields with a current value
|
|
42
|
+
|
|
43
|
+
2. **Semantic queries**
|
|
44
|
+
- `getByAltText` — for images
|
|
45
|
+
- `getByTitle` — last resort, low accessibility value
|
|
46
|
+
|
|
47
|
+
3. **Test IDs**
|
|
48
|
+
- `getByTestId("some-id")` — escape hatch only, when none of the above work
|
|
49
|
+
|
|
50
|
+
`getBy*` throws when no match. `queryBy*` returns null (use for asserting absence). `findBy*` returns a promise (use for async).
|
|
51
|
+
|
|
52
|
+
## User Interaction
|
|
53
|
+
|
|
54
|
+
Prefer `userEvent` over `fireEvent`. `userEvent` simulates real browser sequences (focus, keydown, beforeinput, input, keyup) — `fireEvent` dispatches a single synthetic event.
|
|
55
|
+
|
|
56
|
+
```tsx
|
|
57
|
+
import userEvent from "@testing-library/user-event";
|
|
58
|
+
|
|
59
|
+
test("submits the form", async () => {
|
|
60
|
+
const user = userEvent.setup();
|
|
61
|
+
render(<UserForm onSubmit={handleSubmit} />);
|
|
62
|
+
|
|
63
|
+
await user.type(screen.getByLabelText("Email"), "user@example.com");
|
|
64
|
+
await user.click(screen.getByRole("button", { name: /save/i }));
|
|
65
|
+
|
|
66
|
+
expect(handleSubmit).toHaveBeenCalledWith({ email: "user@example.com" });
|
|
67
|
+
});
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
- Always `await` `userEvent` calls — they are async
|
|
71
|
+
- Call `userEvent.setup()` once at the top of each test, then reuse the returned `user`
|
|
72
|
+
|
|
73
|
+
## Async Assertions
|
|
74
|
+
|
|
75
|
+
```tsx
|
|
76
|
+
// WRONG: synchronous query for async-rendered content
|
|
77
|
+
expect(screen.getByText("Loaded")).toBeInTheDocument(); // throws — not in DOM yet
|
|
78
|
+
|
|
79
|
+
// CORRECT: findBy* (returns a promise, retries)
|
|
80
|
+
expect(await screen.findByText("Loaded")).toBeInTheDocument();
|
|
81
|
+
|
|
82
|
+
// CORRECT: waitFor for non-element assertions
|
|
83
|
+
await waitFor(() => expect(saveSpy).toHaveBeenCalled());
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
- `findBy*` for async element appearance
|
|
87
|
+
- `waitFor` for async expectations on side effects or other matchers
|
|
88
|
+
- Never `setTimeout` + assertion — flaky
|
|
89
|
+
|
|
90
|
+
## Network Mocking with MSW
|
|
91
|
+
|
|
92
|
+
Use Mock Service Worker for any test that hits a network boundary. MSW runs at the network layer, so the component, hooks, and fetch library all behave as in production.
|
|
93
|
+
|
|
94
|
+
```tsx
|
|
95
|
+
// test setup
|
|
96
|
+
import { setupServer } from "msw/node";
|
|
97
|
+
import { http, HttpResponse } from "msw";
|
|
98
|
+
|
|
99
|
+
const server = setupServer(
|
|
100
|
+
http.get("/api/users/:id", ({ params }) =>
|
|
101
|
+
HttpResponse.json({ id: params.id, name: "Alice" }),
|
|
102
|
+
),
|
|
103
|
+
);
|
|
104
|
+
|
|
105
|
+
beforeAll(() => server.listen());
|
|
106
|
+
afterEach(() => server.resetHandlers());
|
|
107
|
+
afterAll(() => server.close());
|
|
108
|
+
```
|
|
109
|
+
|
|
110
|
+
Per-test override:
|
|
111
|
+
|
|
112
|
+
```tsx
|
|
113
|
+
test("renders error on 500", async () => {
|
|
114
|
+
server.use(http.get("/api/users/:id", () => new HttpResponse(null, { status: 500 })));
|
|
115
|
+
render(<UserPage id="1" />);
|
|
116
|
+
expect(await screen.findByText(/something went wrong/i)).toBeInTheDocument();
|
|
117
|
+
});
|
|
118
|
+
```
|
|
119
|
+
|
|
120
|
+
## Avoid Snapshot Tests for Components
|
|
121
|
+
|
|
122
|
+
Snapshots of rendered output are brittle, hard to review, and rubber-stamped by reviewers. Use them only for:
|
|
123
|
+
|
|
124
|
+
- Pure data serialization (e.g., a transformer that produces a stable string)
|
|
125
|
+
- Catching unintended regressions in non-visual output
|
|
126
|
+
|
|
127
|
+
For component visual regression, use Playwright / Cypress / Percy screenshots — actual visual diffs, not DOM diffs.
|
|
128
|
+
|
|
129
|
+
## Test Setup Helpers
|
|
130
|
+
|
|
131
|
+
Wrap providers once:
|
|
132
|
+
|
|
133
|
+
```tsx
|
|
134
|
+
function renderWithProviders(ui: React.ReactElement) {
|
|
135
|
+
return render(
|
|
136
|
+
<QueryClientProvider client={new QueryClient()}>
|
|
137
|
+
<ThemeProvider theme={lightTheme}>
|
|
138
|
+
<Router>{ui}</Router>
|
|
139
|
+
</ThemeProvider>
|
|
140
|
+
</QueryClientProvider>,
|
|
141
|
+
);
|
|
142
|
+
}
|
|
143
|
+
```
|
|
144
|
+
|
|
145
|
+
Export from `test-utils.tsx` and use everywhere.
|
|
146
|
+
|
|
147
|
+
## Custom Hook Testing
|
|
148
|
+
|
|
149
|
+
Use `renderHook` from RTL:
|
|
150
|
+
|
|
151
|
+
```tsx
|
|
152
|
+
import { renderHook, act } from "@testing-library/react";
|
|
153
|
+
|
|
154
|
+
test("useCounter increments", () => {
|
|
155
|
+
const { result } = renderHook(() => useCounter());
|
|
156
|
+
act(() => result.current.increment());
|
|
157
|
+
expect(result.current.count).toBe(1);
|
|
158
|
+
});
|
|
159
|
+
```
|
|
160
|
+
|
|
161
|
+
- Always wrap state-changing calls in `act`
|
|
162
|
+
- Always test through the public hook API, not internal implementation
|
|
163
|
+
|
|
164
|
+
## Accessibility Assertions
|
|
165
|
+
|
|
166
|
+
```tsx
|
|
167
|
+
import { axe } from "vitest-axe"; // or jest-axe
|
|
168
|
+
|
|
169
|
+
test("UserCard has no a11y violations", async () => {
|
|
170
|
+
const { container } = render(<UserCard user={mockUser} />);
|
|
171
|
+
expect(await axe(container)).toHaveNoViolations();
|
|
172
|
+
});
|
|
173
|
+
```
|
|
174
|
+
|
|
175
|
+
Run axe assertions in component tests — catches missing labels, ARIA misuse, color contrast (limited).
|
|
176
|
+
|
|
177
|
+
## When to Reach for Playwright / Cypress
|
|
178
|
+
|
|
179
|
+
Component test with RTL + JSDOM cannot:
|
|
180
|
+
|
|
181
|
+
- Test real layout (flexbox, grid, viewport-dependent rendering)
|
|
182
|
+
- Test scrolling, drag-and-drop, paste from clipboard
|
|
183
|
+
- Test browser-native animation, CSS transitions
|
|
184
|
+
- Test cross-frame interactions (iframes, popups)
|
|
185
|
+
|
|
186
|
+
For those, use Playwright Component Testing or end-to-end Playwright/Cypress runs. See the e2e-testing skill when it is installed.
|
|
187
|
+
|
|
188
|
+
## Coverage Targets
|
|
189
|
+
|
|
190
|
+
| Layer | Target |
|
|
191
|
+
|---|---|
|
|
192
|
+
| Pure utility functions | ≥90% |
|
|
193
|
+
| Custom hooks | ≥85% |
|
|
194
|
+
| Components (presentational) | ≥80% — behavior, not lines |
|
|
195
|
+
| Container components | ≥70% — golden paths + error states |
|
|
196
|
+
| Pages (E2E covered separately) | Smoke test per route minimum |
|
|
197
|
+
|
|
198
|
+
## Anti-Patterns
|
|
199
|
+
|
|
200
|
+
- Asserting on `container.querySelector` — bypasses accessibility queries
|
|
201
|
+
- Asserting on number of renders — implementation detail
|
|
202
|
+
- Mocking React hooks (`jest.mock("react", ...)`) — refactor the component instead
|
|
203
|
+
- Mocking child components by default — tests the integration, not the parent in isolation
|
|
204
|
+
- Manual `act()` warnings ignored — they indicate real bugs
|
|
205
|
+
|
|
206
|
+
## Skill Reference
|
|
207
|
+
|
|
208
|
+
See `skills/react-testing/SKILL.md` for end-to-end test examples, MSW patterns, and accessibility test scaffolding.
|
|
@@ -562,8 +562,8 @@ When the project ships React Compiler, demote `rerender-*` manual memoization ru
|
|
|
562
562
|
|
|
563
563
|
## Related
|
|
564
564
|
|
|
565
|
-
- Skills: [react-patterns](../react-patterns/SKILL.md), [react-testing](../react-testing/SKILL.md),
|
|
566
|
-
- Rules: [rules/react/](
|
|
565
|
+
- Skills: [react-patterns](../react-patterns/SKILL.md), [react-testing](../react-testing/SKILL.md), frontend-patterns, accessibility, nextjs-turbopack
|
|
566
|
+
- Rules: [rules/react/](rules/react/)
|
|
567
567
|
- Agents: `react-reviewer` enforces these rules in code review; `react-build-resolver` handles related build failures
|
|
568
568
|
- Commands: `/react-review`, `/react-build`, `/react-test`
|
|
569
569
|
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 Affaan Mustafa
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
# Third-party notice
|
|
2
|
+
|
|
3
|
+
This directory contains React rule references copied from Affaan Mustafa's ECC
|
|
4
|
+
repository.
|
|
5
|
+
|
|
6
|
+
- Source: https://github.com/affaan-m/ECC/tree/main/rules/react
|
|
7
|
+
- Source commit: 0f84c0e2796703fbda87d577b2636351418c7442
|
|
8
|
+
- License: MIT
|
|
9
|
+
- Copyright: Copyright (c) 2026 Affaan Mustafa
|
|
10
|
+
|
|
11
|
+
The upstream MIT license is included in `LICENSE`.
|
|
@@ -0,0 +1,109 @@
|
|
|
1
|
+
---
|
|
2
|
+
paths:
|
|
3
|
+
- "**/*.tsx"
|
|
4
|
+
- "**/*.jsx"
|
|
5
|
+
- "**/components/**/*.ts"
|
|
6
|
+
- "**/components/**/*.js"
|
|
7
|
+
- "**/hooks/**/*.ts"
|
|
8
|
+
- "**/hooks/**/*.js"
|
|
9
|
+
---
|
|
10
|
+
# React Coding Style
|
|
11
|
+
|
|
12
|
+
> This file extends the upstream `typescript/coding-style.md` and `common/coding-style.md` rules with React specific content.
|
|
13
|
+
|
|
14
|
+
## File Extensions
|
|
15
|
+
|
|
16
|
+
- `.tsx` for any file containing JSX, even one-liner snippets
|
|
17
|
+
- `.ts` for pure logic, custom hooks without JSX, type definitions, utilities
|
|
18
|
+
- `.test.tsx` / `.test.ts` mirroring the source file
|
|
19
|
+
- Use `.jsx` only when the project intentionally avoids TypeScript — flag every new untyped React file in review
|
|
20
|
+
|
|
21
|
+
## Naming
|
|
22
|
+
|
|
23
|
+
- Components: `PascalCase` for both the symbol and the file (`UserCard.tsx`, default export `UserCard`)
|
|
24
|
+
- Custom hooks: `useCamelCase` for the symbol, kebab-case for the file when the project convention is kebab-case (`use-debounce.ts` exports `useDebounce`)
|
|
25
|
+
- Context: `<Domain>Context` symbol, `<Domain>Provider` provider component, `use<Domain>` consumer hook
|
|
26
|
+
- Event handlers: `handleClick`, `handleSubmit` inside the component; the prop that receives it is `onClick`, `onSubmit`
|
|
27
|
+
- Boolean props: `isLoading`, `hasError`, `canSubmit` — never `loading` or `error` alone for booleans
|
|
28
|
+
|
|
29
|
+
## Component Shape
|
|
30
|
+
|
|
31
|
+
```tsx
|
|
32
|
+
type Props = {
|
|
33
|
+
user: User;
|
|
34
|
+
onSelect: (id: string) => void;
|
|
35
|
+
};
|
|
36
|
+
|
|
37
|
+
export function UserCard({ user, onSelect }: Props) {
|
|
38
|
+
return (
|
|
39
|
+
<button type="button" onClick={() => onSelect(user.id)}>
|
|
40
|
+
{user.name}
|
|
41
|
+
</button>
|
|
42
|
+
);
|
|
43
|
+
}
|
|
44
|
+
```
|
|
45
|
+
|
|
46
|
+
- Prefer `type Props = {}` for closed component prop shapes
|
|
47
|
+
- Use `interface` only when the prop type is extended via declaration merging or exported as a public API extension point
|
|
48
|
+
- Always destructure props in the parameter list — no `props.user` access inside the body
|
|
49
|
+
- Type the return implicitly through JSX (`function Foo(): JSX.Element` only when the function returns conditionally and the union confuses inference)
|
|
50
|
+
|
|
51
|
+
## JSX
|
|
52
|
+
|
|
53
|
+
- Self-close tags with no children: `<img />`, `<UserCard user={u} />`
|
|
54
|
+
- Use fragments `<>...</>` over wrapper `<div>` when no DOM element is needed
|
|
55
|
+
- Conditional rendering: `{condition && <Foo />}` for booleans, ternary for either/or, early return for guard clauses
|
|
56
|
+
- Never put logic inline in JSX when it reads as multi-line — extract to a const above the return or a function
|
|
57
|
+
|
|
58
|
+
```tsx
|
|
59
|
+
// Prefer
|
|
60
|
+
const greeting = user.isAdmin ? "Welcome, admin" : `Hello ${user.name}`;
|
|
61
|
+
return <h1>{greeting}</h1>;
|
|
62
|
+
|
|
63
|
+
// Over
|
|
64
|
+
return <h1>{user.isAdmin ? "Welcome, admin" : `Hello ${user.name}`}</h1>;
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
## Server / Client Boundary (Next.js App Router, RSC)
|
|
68
|
+
|
|
69
|
+
- Default a new file to Server Component — only add `"use client"` when the file uses state, effects, refs, browser APIs, or event handlers
|
|
70
|
+
- Place the `"use client"` directive on line 1, before any imports
|
|
71
|
+
- Never import a Client Component file from inside a `"use server"` action file
|
|
72
|
+
- Never re-export server-only code through a client module — the bundler will silently include it
|
|
73
|
+
|
|
74
|
+
## Imports
|
|
75
|
+
|
|
76
|
+
- React imports first: `import { useState } from "react"`
|
|
77
|
+
- Then third-party libs, then absolute project imports, then relative
|
|
78
|
+
- Type-only imports: `import type { ReactNode } from "react"` — never mix runtime and type imports in one statement when ESLint's `consistent-type-imports` is configured
|
|
79
|
+
|
|
80
|
+
## Hooks Discipline
|
|
81
|
+
|
|
82
|
+
See [hooks.md](./hooks.md) for the full ruleset. Style highlights:
|
|
83
|
+
|
|
84
|
+
- Custom hooks must start with `use` — enforced by `eslint-plugin-react-hooks`
|
|
85
|
+
- Group all hook calls at the top of the component, before any conditional logic
|
|
86
|
+
- Avoid creating ad-hoc hooks for one-line wrappers — inline the call instead
|
|
87
|
+
|
|
88
|
+
## State
|
|
89
|
+
|
|
90
|
+
- Local first (`useState`), lift only when shared
|
|
91
|
+
- Context for cross-cutting state read by many components (theme, auth, i18n) — not for high-frequency updates
|
|
92
|
+
- External store (Zustand, Jotai, Redux Toolkit) when state must persist across route changes, sync across tabs, or be debugged via devtools
|
|
93
|
+
- Never duplicate state that can be derived — compute during render
|
|
94
|
+
|
|
95
|
+
## Class Components
|
|
96
|
+
|
|
97
|
+
Forbidden in new code. Convert legacy class components to function components when touching them for non-trivial changes.
|
|
98
|
+
|
|
99
|
+
## File Layout per Component
|
|
100
|
+
|
|
101
|
+
```
|
|
102
|
+
components/UserCard/
|
|
103
|
+
UserCard.tsx
|
|
104
|
+
UserCard.module.css # or styled-components, or Tailwind classes inline
|
|
105
|
+
UserCard.test.tsx
|
|
106
|
+
index.ts # re-export only
|
|
107
|
+
```
|
|
108
|
+
|
|
109
|
+
Inline single-file components are fine for trivial presentational pieces.
|