@rrgarciach/flow-spec 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (31) hide show
  1. package/bin/init.js +91 -0
  2. package/package.json +28 -0
  3. package/template/.cursor/rules/use-base-rules.mdc +37 -0
  4. package/template/ai-specs/agents/backend-developer.md +121 -0
  5. package/template/ai-specs/agents/frontend-developer.md +134 -0
  6. package/template/ai-specs/agents/product-strategy-analyst.md +53 -0
  7. package/template/ai-specs/flow-spec-instructions.md +389 -0
  8. package/template/ai-specs/scripts/code_review.sh +35 -0
  9. package/template/ai-specs/skills/code-auditing/SKILL.md +155 -0
  10. package/template/ai-specs/skills/code-auditing/references/audit-methodology.md +371 -0
  11. package/template/ai-specs/skills/code-auditing/references/dead-code-methodology.md +261 -0
  12. package/template/ai-specs/skills/commit/SKILL.md +101 -0
  13. package/template/ai-specs/skills/enrich-us/SKILL.md +42 -0
  14. package/template/ai-specs/skills/explain/SKILL.md +84 -0
  15. package/template/ai-specs/skills/meta-prompt/SKILL.md +19 -0
  16. package/template/ai-specs/skills/update-docs/SKILL.md +13 -0
  17. package/template/ai-specs/skills/using-git-worktrees/SKILL.md +375 -0
  18. package/template/ai-specs/skills/writing-skills/SKILL.md +655 -0
  19. package/template/ai-specs/skills/writing-skills/anthropic-best-practices.md +1150 -0
  20. package/template/ai-specs/skills/writing-skills/examples/CLAUDE_MD_TESTING.md +189 -0
  21. package/template/ai-specs/skills/writing-skills/graphviz-conventions.dot +172 -0
  22. package/template/ai-specs/skills/writing-skills/persuasion-principles.md +187 -0
  23. package/template/ai-specs/skills/writing-skills/render-graphs.js +168 -0
  24. package/template/ai-specs/skills/writing-skills/testing-skills-with-subagents.md +384 -0
  25. package/template/docs/api-spec.yml +29 -0
  26. package/template/docs/backend-standards.md +53 -0
  27. package/template/docs/base-standards.md +114 -0
  28. package/template/docs/data-model.md +26 -0
  29. package/template/docs/development_guide.md +36 -0
  30. package/template/docs/documentation-standards.md +49 -0
  31. package/template/docs/frontend-standards.md +45 -0
@@ -0,0 +1,389 @@
1
+ # Flow Spec: a spec-driven toolkit for AI coding agents
2
+
3
+ <!-- TODO: add a project logo/banner here -->
4
+
5
+ Bring OpenSpec's spec-driven discipline into any codebase and hand your coding agent a full toolkit to work with.
6
+
7
+ This repository bundles a curated set of engineering rules, technical standards, and AI agent configuration meant to run consistently across several coding copilots. Drop the whole structure into a project and it starts producing AI-assisted work that follows the same conventions every time.
8
+
9
+ Pairs naturally with spec-driven frameworks such as [OpenSpec](https://github.com/Fission-AI/OpenSpec).
10
+
11
+ ## 📁 Repository Structure
12
+
13
+ ```
14
+ .
15
+ ├── docs/ # Development standards and specifications
16
+ │ ├── base-standards.md # Core development rules (single source of truth)
17
+ │ ├── backend-standards.md
18
+ │ ├── frontend-standards.md
19
+ │ ├── documentation-standards.md
20
+ │ ├── api-spec.yml # OpenAPI specification
21
+ │ ├── data-model.md # Database and domain models
22
+ │ ├── development_guide.md
23
+ ├── ai-specs/
24
+ │ ├── agents/ # Agent role definitions (backend, frontend, analyst, etc.)
25
+ │ └── skills/ # Reusable skill prompts/workflows
26
+
27
+ ├── AGENTS.md # Generic agent configuration
28
+ ├── CLAUDE.md # Claude-specific configuration
29
+ ├── codex.md # GitHub Copilot/Codex configuration
30
+ └── GEMINI.md # Gemini-specific configuration
31
+ ```
32
+
33
+ ## 🤖 Multi-Copilot Support
34
+
35
+ Rather than maintaining separate rule sets per tool, this repo relies on **symlinks and file-naming conventions** so multiple AI copilots can share one source of truth:
36
+
37
+ - **`AGENTS.md`** → generic instructions most copilots pick up
38
+ - **`CLAUDE.md`** → the file Claude Code / Cursor look for
39
+ - **`codex.md`** → the file GitHub Copilot / Codex look for
40
+ - **`GEMINI.md`** → the file Google Gemini looks for
41
+
42
+ Every one of these is a symlink pointing at `docs/base-standards.md`, so editing the rules once updates every tool at the same time.
43
+
44
+ ### Why This Approach?
45
+
46
+ ✅ **One source of truth**: rules live only in `base-standards.md`
47
+ ✅ **No per-tool duplication**: each copilot just finds its expected filename
48
+ ✅ **Works out of the box**: drop it into a project and it's already wired up
49
+ ✅ **Cheap to maintain**: one edit propagates to every copilot
50
+ ✅ **Fully portable**: reuse the same structure across any number of projects
51
+
52
+ ## 🚀 Quick Start
53
+
54
+ ### 1) Install and Initialize OpenSpec
55
+
56
+ This setup is designed to sit on top of OpenSpec, so install it first.
57
+
58
+ Requirement from OpenSpec's own docs:
59
+
60
+ - Node.js `20.19.0` or higher
61
+
62
+ Install the CLI globally:
63
+
64
+ ```bash
65
+ npm install -g @fission-ai/openspec@latest
66
+ ```
67
+
68
+ Then, from your project root:
69
+
70
+ ```bash
71
+ cd your-project
72
+ openspec init
73
+ ```
74
+
75
+ ### 2) Bring Flow Spec Into Your Project
76
+
77
+ Copy this repo's contents into your project so `docs/` and `ai-specs/` exist before you touch OpenSpec's config:
78
+
79
+ ```bash
80
+ # Clone or copy this repository into your project (`-n`: do not overwrite existing files so you keep project's original README)
81
+ cp -rn flow-spec/* your-project/
82
+ ```
83
+
84
+ Claude Code users have a second option for this step:
85
+
86
+ - Install the Claude plugin and let it perform the import for you.
87
+ - Note this only changes **how the files get copied in** — it won't install OpenSpec, touch its config, or fill in `docs/` for you.
88
+
89
+ Or just run the installer directly:
90
+
91
+ ```bash
92
+ npx @rrgarciach/flow-spec
93
+ ```
94
+
95
+ It writes every template file into place and rebuilds the symlink layout automatically. Re-running it is harmless — it never clobbers files that already exist.
96
+
97
+ ### 3) Fill In `docs/` With Your Own Context (Mandatory)
98
+
99
+ Don't skip this. Without it, your AI copilot keeps reasoning from placeholder context instead of your actual project.
100
+
101
+ Rewrite the files under `docs/` so they describe your real stack, architecture, domain vocabulary, API contracts, and data model.
102
+
103
+ See the [Customization](#-customization) section below for a ready-to-use prompt.
104
+
105
+ ### 4) Wire OpenSpec's Config to Your `docs/` and `ai-specs/`
106
+
107
+ Once `openspec init` has run and the repo has been copied in, point your project's `config.yml` at the technical context living in `docs/`.
108
+
109
+ A prompt you can hand your copilot to do this automatically:
110
+
111
+ ```text
112
+ Update my openspec config.yml context to reference this repository's docs and ai-specs structure.
113
+
114
+ Requirements:
115
+ - Use docs/base-standards.md as the single source of truth.
116
+ - Include docs/backend-standards.md, docs/frontend-standards.md, docs/documentation-standards.md.
117
+ - Include docs/api-spec.yml and docs/data-model.md.
118
+ - Tell the agent to adopt ai-specs/agents/backend-developer.md for backend work and ai-specs/agents/frontend-developer.md for frontend work.
119
+ - Mention ai-specs/skills as workflow guidance.
120
+ - Keep all paths relative to the project root.
121
+ ```
122
+
123
+ Example (`config.yml`):
124
+
125
+ ```yml
126
+ context: |
127
+ Tech stack: TODO - your languages, frameworks, and key infrastructure (e.g. AWS)
128
+ Architecture: TODO - your architectural style (e.g. layered, hexagonal, serverless)
129
+ We use conventional commits
130
+ Domain: TODO - one line describing what this project does and for whom
131
+ All code, comments, documentation, and technical artifacts must be in English
132
+
133
+ Project specs (single source of truth): All artifact creation and implementation MUST follow the project's technical context in ai-specs/. Read and apply these when creating or implementing:
134
+ - docs/base-standards.md — core principles, TDD, language standards, links to backend/frontend/docs standards
135
+ - docs/backend-standards.md — API, database, testing, security (backend changes)
136
+ - docs/frontend-standards.md — React, UI/UX (frontend changes)
137
+ - docs/api-spec.yml — API contracts and endpoint definitions
138
+ - docs/data-model.md — domain and data model
139
+ - docs/documentation-standards.md — docs structure and maintenance
140
+ For implementation: adopt the relevant agent from ai-specs/agents/ (e.g. backend-developer.md for backend, frontend-developer.md for frontend). Use ai-specs/skills/ for workflow guidance when applicable.
141
+
142
+ # Per-artifact rules (optional)
143
+ # Add custom rules for specific artifacts.
144
+ rules:
145
+ # Global: apply ai-specs when creating any artifact
146
+ _global:
147
+ - Before creating any artifact, read and apply docs/base-standards.md
148
+ - For backend-related artifacts, read docs/backend-standards.md and adopt guidelines from ai-specs/agents/backend-developer.md
149
+ - For frontend-related artifacts, read docs/frontend-standards.md and adopt guidelines from ai-specs/agents/frontend-developer.md
150
+ - Use docs/api-spec.yml and docs/data-model.md for API and data consistency in specs and tasks
151
+ ```
152
+
153
+ ## ✅ Verify Configuration (Required)
154
+
155
+ Once the steps above are done, check that your copilot is actually picking things up.
156
+
157
+ It should automatically resolve:
158
+
159
+ - **Claude/Cursor**: `CLAUDE.md` → `docs/base-standards.md`
160
+ - **GitHub Copilot**: `codex.md` → `docs/base-standards.md`
161
+ - **Gemini**: `GEMINI.md` → `docs/base-standards.md`
162
+
163
+ No manual wiring needed beyond what's already in place.
164
+
165
+ ## 💡 Usage: Official OpenSpec Workflow
166
+
167
+ This repo leans on OpenSpec's own commands to drive the day-to-day loop:
168
+
169
+ 1. **`/enrich-us`** (optional): turn a rough idea or ticket into a well-specified user story
170
+ 2. **`/new`**: start a new OpenSpec change (currently just an alias for `/ff`)
171
+ 3. **`/ff`**: generate every required OpenSpec artifact (proposal, tasks, etc.)
172
+ - `/new` followed by `/ff` is functionally the same as the newer `/propose` command
173
+ 4. **`/apply`**: work through the tasks one at a time
174
+ 5. **`/verify`**: check the implementation against what the change actually specified
175
+ 6. **`/adversarial-review`**: an independent, red-team-style pass before anything gets archived
176
+ 7. **`/archive`**: close out the finished change
177
+ 8. **`/commit`**: produce a focused commit and handle the Pull Request once verification is done
178
+
179
+ Workflow reference:
180
+
181
+ ```mermaid
182
+ flowchart TB
183
+ subgraph TOP[" "]
184
+ direction LR
185
+ US["User Story"] -->|"/enrich-us"| RUS["Refined User Story"] -->|"/new + /ff"| PA["Proposal Artifacts"]
186
+ end
187
+
188
+ subgraph MID["/apply output"]
189
+ direction TB
190
+ BR["Branch"] --> TE["Tests"] --> DOC["Documentation"] --> CODE["Code"] --> TR["Testing Report"] --> PU["Proposal Update"]
191
+ end
192
+
193
+ subgraph BOTTOM[" "]
194
+ direction LR
195
+ READY["Feature Ready"] -->|"/archive + /commit"| PRFEAT["Feature for PR"] --> PUB["Feature Published"]
196
+ end
197
+
198
+ PA -->|"/apply"| BR
199
+ PU -.->|"/verify + /adversarial-review: implement changes"| BR
200
+ PU -->|"/verify + /adversarial-review: passes"| READY
201
+ ```
202
+
203
+ ### Optional: MCP Integrations (monday.com + Playwright)
204
+
205
+ A couple of MCP servers make parts of this workflow smoother. Both are optional — skip either one, or swap in whatever equivalent tool you already use.
206
+
207
+ - **monday.com MCP (used by `/enrich-us`)**: lets the agent pull item details straight from a board instead of you copy-pasting them in. Keep a custom text column on the board holding a readable key (e.g. `PROJ-123`) so items can be looked up by that value rather than the internal numeric item id.
208
+ - **Playwright MCP (for E2E checks)**: gives the agent a real browser to drive when validating user-facing flows.
209
+
210
+ To set these up:
211
+
212
+ - **Cursor**: register the MCP servers under Cursor's settings, then supply the credentials each one needs (e.g. a monday.com API token).
213
+ - **Other tools/IDEs**: follow that tool's own MCP setup docs to add the monday.com and Playwright servers.
214
+
215
+ Not using monday.com, or don't want automated E2E checks? Just adjust the affected skills and the rest of the OpenSpec flow keeps working as-is.
216
+
217
+ ### Example: End-to-End Flow
218
+
219
+ A typical run through the commands, in order:
220
+
221
+ It's worth spinning up a dedicated worktree first (the `using-git-worktrees` skill handles this) and tearing it down once you're done.
222
+
223
+ ```bash
224
+ /enrich-us SCRUM-10
225
+ /ff SCRUM-10
226
+ /apply SCRUM-10
227
+ /verify SCRUM-10
228
+ /adversarial-review SCRUM-10
229
+ /archive SCRUM-10
230
+ /commit
231
+ ```
232
+
233
+ OpenSpec's own directories track every artifact produced along the way, including the testing reports generated during the run.
234
+
235
+ ### Useful Skills
236
+
237
+ Skills are defined once under `ai-specs/skills/` and exposed to every copilot via relative symlinks in `.claude/skills/` and `.cursor/skills/`. Whichever agent you're running, it picks up a skill automatically once a request matches that skill's description (see `AGENTS.md` §4). The ones you'll reach for most often are **`enrich-us`**, **`using-git-worktrees`**, **`writing-skills`**, and **`code-auditing`**:
238
+
239
+ - **`enrich-us`** — Turns a thin user story (pulled from monday.com, or just an idea typed in chat) into something implementation-ready: acceptance criteria, technical detail, edge cases. Run this **before** planning so the team and the agent start from the same understanding of scope.
240
+ - **`using-git-worktrees`** — Spins up an isolated workspace before you start a feature or run a plan: safe creation, baseline checks, copying over local Claude settings, and a full teardown once the work is merged.
241
+ - **`writing-skills`** — Guides you through authoring or refactoring a skill with TDD-style validation before it ships. Reach for this whenever you're touching `ai-specs/skills/`.
242
+ - **`code-auditing`** — Walks a codebase through a 6-phase quality pass (security, performance, type safety, dead code, library health) and ends with a ranked action list. Good fit for pre-release checks or a technical-debt sweep.
243
+
244
+ The repo also ships `commit`, `explain`, `meta-prompt`, and `update-docs` as active skills — check each `ai-specs/skills/<name>/SKILL.md` for specifics.
245
+
246
+ ## 📖 Core Development Rules
247
+
248
+ Everything here flows from the principles in `docs/base-standards.md`:
249
+
250
+ ### Key Principles
251
+
252
+ 1. **Small Tasks, One at a Time**: move in small, reviewable steps — never several stages ahead
253
+ 2. **Test-Driven Development (TDD)**: red before green, every time
254
+ 3. **Type Safety**: no untyped code paths (TypeScript throughout)
255
+ 4. **Clear Naming**: names should explain themselves
256
+ 5. **English Only**: code, comments, docs, and commit messages, no exceptions
257
+ 6. **90%+ Test Coverage**: across every layer, not just the happy path
258
+ 7. **Incremental Changes**: keep diffs small and easy to review
259
+
260
+ ### Specific Standards
261
+
262
+ - **Backend Standards**: `docs/backend-standards.md`
263
+ - API development patterns
264
+ - Database best practices
265
+ - Security guidelines
266
+ - Testing requirements
267
+ - **Frontend Standards**: `docs/frontend-standards.md`
268
+ - React component patterns
269
+ - UI/UX guidelines
270
+ - State management
271
+ - Component testing
272
+ - **Documentation Standards**: `docs/documentation-standards.md`
273
+ - Technical documentation structure
274
+ - API documentation (OpenAPI)
275
+ - Code documentation
276
+ - Maintenance guidelines
277
+
278
+ ## 🎯 Benefits
279
+
280
+ ### For Developers
281
+
282
+ - ✅ **Consistent Code Quality**: the agent applies the same rules run after run
283
+ - ✅ **Comprehensive Testing**: 90%+ coverage across layers, without chasing it manually
284
+ - ✅ **Complete Documentation**: API specs stay current as part of the flow
285
+ - ✅ **Faster Onboarding**: newcomers read the same rules the agent already follows
286
+ - ✅ **Reduced Review Time**: output already matches established patterns
287
+
288
+ ### For Teams
289
+
290
+ - ✅ **Copilot Flexibility**: everyone keeps using the AI tool they prefer
291
+ - ✅ **Knowledge Preservation**: standards live in files, not in someone's head
292
+ - ✅ **Quality Consistency**: the same bar applies no matter who — or what — wrote the code
293
+ - ✅ **Easier Code Reviews**: expectations are explicit going in
294
+ - ✅ **Scalable Practices**: the rules scale with headcount, the docs don't need to
295
+
296
+ ### For Projects
297
+
298
+ - ✅ **Maintainable Codebase**: clean architecture, clear layering
299
+ - ✅ **Production-Ready Code**: TDD, error handling, and validation baked in from the start
300
+ - ✅ **Living Documentation**: specs and data models stay in sync with reality
301
+ - ✅ **Faster Feature Development**: the agent can implement autonomously from a plan
302
+ - ✅ **Lower Technical Debt**: good practices are the default, not an afterthought
303
+
304
+ ## 🔧 Customization
305
+
306
+ ### Adapting to Your Project
307
+
308
+ 1. **Rewrite the technical context**: go through everything under `docs/` and replace the principles, conventions, business rules, and reference material with your project's own:
309
+ - backend/frontend/testing/documentation standards
310
+ - installation guide
311
+ - data model
312
+ - API docs
313
+ - ...
314
+ 2. **Adjust the agent roles in `ai-specs/agents`**: match them to how your team actually splits responsibilities
315
+ 3. **Grow the skill library in `ai-specs/skills`**: capture proven prompts and workflows as reusable skills
316
+ 4. **Wire up external resources**: connect project docs or ticket systems through MCPs
317
+ 5. **Preserve the symlink layout**: keep `.claude` and `.cursor` pointing at `ai-specs/agents` and `ai-specs/skills` via relative symlinks so nothing drifts out of sync
318
+
319
+ ### Prompt Example: Adapt Technical Context
320
+
321
+ A prompt you can hand your copilot to rewrite `docs/` while keeping the same layout:
322
+
323
+ ```text
324
+ Following the same base structure already present in docs/, update all technical context documents according to this project's specifics.
325
+
326
+ Requirements:
327
+ - Keep the same document set and file names in docs/.
328
+ - Replace generic content with this project's real stack, architecture patterns, coding conventions, and domain terminology.
329
+ - Update backend, frontend, and documentation standards to reflect actual practices used by this team.
330
+ - Update docs/api-spec.yml and docs/data-model.md so they match the real endpoints and entities of this project.
331
+ - Ensure all references are internally consistent and aligned across docs/.
332
+ - Keep everything in English and make guidance implementation-ready for AI agents.
333
+ ```
334
+
335
+ ### Maintaining Standards
336
+
337
+ - **Single Source of Truth**: `base-standards.md` gets updated first, always
338
+ - **Version Control**: treat standards changes like any other code change
339
+ - **Team Review**: run changes to the standards through review, same as a PR
340
+ - **Documentation**: keep the examples honest with what's actually implemented
341
+ - **Symlink Integrity**: renaming or moving a file means checking every symlink that points at it
342
+ - **Canonical Placement**: `ai-specs` stays the canonical source; `.claude`/`.cursor` only ever hold symlinks into it
343
+
344
+ ## 📚 Technical context
345
+
346
+ ### `docs/` Templates (Fill These In)
347
+
348
+ The files below ship as **empty skeletons**: the section headers show what to cover, but every `_TODO_` needs your project's real content before an agent can use it as context:
349
+
350
+ - **API Specification**: `docs/api-spec.yml` (OpenAPI 3.0 format)
351
+ - *Document your actual endpoints here instead*
352
+ - **Data Models**: `docs/data-model.md` (Database schemas, domain models)
353
+ - *Describe your real database structure and domain entities*
354
+ - **Development Guide**: `docs/development_guide.md` (Setup, workflows)
355
+ - *Write the setup steps that match your actual tech stack*
356
+
357
+ ## 🤝 Contributing
358
+
359
+ When changing the standards themselves:
360
+
361
+ 1. Update `base-standards.md` first — it's the single source of truth
362
+ 2. Confirm the change still works across the AI copilots you support
363
+ 3. Refresh any generated examples under `changes/` that are now out of date
364
+ 4. Call out breaking changes explicitly
365
+ 5. Hold the standards documents to the same bar they set for everything else
366
+
367
+ ## 📄 License
368
+
369
+ Copyright (c) 2026 Ruy Garcia
370
+ Licensed under the MIT License
371
+
372
+ ---
373
+
374
+ ## 🙏 Acknowledgements
375
+
376
+ Several workflow and skill patterns here draw on the Superpowers framework, particularly:
377
+
378
+ - `using-git-worktrees`
379
+ - `writing-skills`
380
+
381
+ Superpowers project: [obra/superpowers](https://github.com/obra/superpowers/tree/main)
382
+
383
+ Additional attribution:
384
+
385
+ - `code-auditing` skill: adapted from [jeffrigby/somepulp-agents](https://github.com/jeffrigby/somepulp-agents/tree/main)
386
+
387
+ **Made with 🤖 by Flow Spec**
388
+
389
+ Questions, issues, or suggestions? Open an issue on the Flow Spec repository.
@@ -0,0 +1,35 @@
1
+ #!/usr/bin/env bash
2
+ # code_review.sh - Basic code review report
3
+
4
+ set -euo pipefail
5
+
6
+ echo "Starting code review..."
7
+
8
+ if ! command -v agent >/dev/null 2>&1; then
9
+ echo "Error: 'agent' command not found in PATH."
10
+ exit 1
11
+ fi
12
+
13
+ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
14
+ TIMESTAMP="$(date +%Y%m%d_%H%M%S)"
15
+ OUTPUT_FILE="${SCRIPT_DIR}/review_${TIMESTAMP}.txt"
16
+
17
+ if agent -p --output-format text \
18
+ "Review the recent code changes and provide feedback on:
19
+ - Code quality and readability
20
+ - Possible bugs or issues
21
+ - Security considerations
22
+ - Best-practices compliance
23
+
24
+ Provide specific improvement suggestions." > "${OUTPUT_FILE}"; then
25
+ if [[ -s "${OUTPUT_FILE}" ]]; then
26
+ echo "Code review completed successfully."
27
+ echo "Review saved to: ${OUTPUT_FILE}"
28
+ else
29
+ echo "Code review failed: output file is empty."
30
+ exit 1
31
+ fi
32
+ else
33
+ echo "Code review failed while running 'agent'."
34
+ exit 1
35
+ fi
@@ -0,0 +1,155 @@
1
+ ---
2
+ name: code-auditing
3
+ description: Task-focused project skill.
4
+ version: 1.0.0
5
+ ---
6
+ # Code Auditing Skill
7
+
8
+ Comprehensive methodology for systematic code quality audits.
9
+
10
+ ## When to Use
11
+
12
+ - Comprehensive code quality audits
13
+ - Security vulnerability assessments
14
+ - Technical debt identification
15
+ - Pre-release code reviews
16
+ - Best practices verification
17
+ - Library and dependency audits
18
+
19
+ ## Audit Phases
20
+
21
+ ### Phase 0: Pre-Analysis Setup
22
+ 1. Check for project configuration files (package.json, tsconfig.json, etc.)
23
+ 2. Identify tech stack and main libraries
24
+ 3. Check for linting/formatting configs
25
+ 4. Run existing linting/testing commands as baseline
26
+ 5. Load documentation for identified core libraries
27
+
28
+ ### Phase 1: Discovery
29
+ 1. Find all code files by type
30
+ 2. Create tracking list for each file
31
+ 3. Group files by module/feature for contextual analysis
32
+
33
+ ### Phase 2: File-by-File Analysis
34
+ For each file, analyze for:
35
+ - Dead code (unused functions, variables, imports)
36
+ - Code smells and anti-patterns
37
+ - Custom implementations that could use established libraries
38
+ - Security vulnerabilities
39
+ - Performance issues
40
+ - Outdated patterns or deprecated APIs
41
+ - Missing error handling
42
+ - Overly complex functions
43
+ - Duplicate code
44
+
45
+ ### Phase 3: Best Practices Verification
46
+ For every library and framework:
47
+ 1. Retrieve official documentation
48
+ 2. Compare implementation against official patterns
49
+ 3. Identify deviations from recommendations
50
+ 4. Note outdated usage patterns
51
+ 5. Flag discouraged anti-patterns
52
+
53
+ ### Phase 4: Pattern Detection
54
+ Look for recurring issues:
55
+ - Common anti-patterns across files
56
+ - Duplicated logic that could be abstracted
57
+ - Inconsistent coding styles
58
+ - Missing error handling patterns
59
+
60
+ ### Phase 5: Library Recommendations
61
+ For custom implementations:
62
+ 1. Check if current libraries provide the functionality
63
+ 2. Search for mature ecosystem packages
64
+ 3. Verify library health (commits, issues, activity)
65
+ 4. Check compatibility with project setup
66
+
67
+ ### Phase 6: Comprehensive Report
68
+ Generate detailed report with:
69
+ - Executive summary
70
+ - Critical issues requiring immediate attention
71
+ - File-by-file findings
72
+ - Prioritized action plan
73
+ - Effort estimates
74
+ - Library recommendations
75
+
76
+ ## Issue Priority Levels
77
+
78
+ - **Critical** - Security vulnerabilities, broken functionality
79
+ - **High Priority** - Performance bottlenecks, unmaintainable code
80
+ - **Medium Priority** - Code quality, best practices deviations
81
+ - **Low Priority** - Style, minor improvements
82
+ - **Quick Wins** - Less than 30 minutes to fix
83
+
84
+ ## Analysis Categories
85
+
86
+ ### Security
87
+ - Hardcoded secrets
88
+ - SQL injection risks
89
+ - XSS vulnerabilities
90
+ - Missing input validation
91
+ - Exposed sensitive data
92
+
93
+ ### Performance
94
+ - Inefficient algorithms
95
+ - Blocking operations
96
+ - Memory leaks
97
+ - Missing caching opportunities
98
+ - N+1 query patterns
99
+
100
+ ### TypeScript/Type Safety
101
+ - Missing type annotations
102
+ - Use of `any` type
103
+ - Custom types duplicating official types
104
+ - Missing @types packages
105
+
106
+ ### Async/Promise Issues
107
+ - Missing await keywords
108
+ - Unhandled promise rejections
109
+ - Callback hell
110
+
111
+ ### Dead Code
112
+ - Unused imports and exports
113
+ - Unused functions, classes, and methods
114
+ - Unused variables and types
115
+ - Unreachable code blocks
116
+ - Unused files (not imported anywhere)
117
+ - Unused dependencies
118
+
119
+ **Tools:**
120
+ - JavaScript/TypeScript: `npx knip --reporter json`
121
+ - Python: `deadcode . --dry`
122
+
123
+ **Important:** Always verify tool findings before reporting. Check for:
124
+ - Dynamic imports (`import(variable)`)
125
+ - Framework patterns (React components, decorators)
126
+ - Re-exports for public API
127
+ - Entry points (CLI scripts, serverless handlers)
128
+
129
+ ## Resources
130
+
131
+ See the reference documents for complete methodologies:
132
+
133
+ - `references/audit-methodology.md` - Full 6-phase audit process with detailed checklists
134
+ - `references/dead-code-methodology.md` - Dead code detection tools, verification, and cleanup workflows
135
+
136
+ ## Quick Reference
137
+
138
+ ### Before Starting
139
+ - [ ] Read project configuration files
140
+ - [ ] Identify tech stack and libraries
141
+ - [ ] Run existing linters as baseline
142
+ - [ ] Create file tracking list
143
+
144
+ ### During Audit
145
+ - [ ] Mark files as in-progress
146
+ - [ ] Analyze each category systematically
147
+ - [ ] Note specific line numbers
148
+ - [ ] Document before/after examples
149
+ - [ ] Mark files as completed
150
+
151
+ ### After Audit
152
+ - [ ] Categorize all findings by priority
153
+ - [ ] Generate comprehensive report
154
+ - [ ] Save report to project root
155
+ - [ ] Provide brief console summary