@rrgarciach/flow-spec 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (31) hide show
  1. package/bin/init.js +91 -0
  2. package/package.json +28 -0
  3. package/template/.cursor/rules/use-base-rules.mdc +37 -0
  4. package/template/ai-specs/agents/backend-developer.md +121 -0
  5. package/template/ai-specs/agents/frontend-developer.md +134 -0
  6. package/template/ai-specs/agents/product-strategy-analyst.md +53 -0
  7. package/template/ai-specs/flow-spec-instructions.md +389 -0
  8. package/template/ai-specs/scripts/code_review.sh +35 -0
  9. package/template/ai-specs/skills/code-auditing/SKILL.md +155 -0
  10. package/template/ai-specs/skills/code-auditing/references/audit-methodology.md +371 -0
  11. package/template/ai-specs/skills/code-auditing/references/dead-code-methodology.md +261 -0
  12. package/template/ai-specs/skills/commit/SKILL.md +101 -0
  13. package/template/ai-specs/skills/enrich-us/SKILL.md +42 -0
  14. package/template/ai-specs/skills/explain/SKILL.md +84 -0
  15. package/template/ai-specs/skills/meta-prompt/SKILL.md +19 -0
  16. package/template/ai-specs/skills/update-docs/SKILL.md +13 -0
  17. package/template/ai-specs/skills/using-git-worktrees/SKILL.md +375 -0
  18. package/template/ai-specs/skills/writing-skills/SKILL.md +655 -0
  19. package/template/ai-specs/skills/writing-skills/anthropic-best-practices.md +1150 -0
  20. package/template/ai-specs/skills/writing-skills/examples/CLAUDE_MD_TESTING.md +189 -0
  21. package/template/ai-specs/skills/writing-skills/graphviz-conventions.dot +172 -0
  22. package/template/ai-specs/skills/writing-skills/persuasion-principles.md +187 -0
  23. package/template/ai-specs/skills/writing-skills/render-graphs.js +168 -0
  24. package/template/ai-specs/skills/writing-skills/testing-skills-with-subagents.md +384 -0
  25. package/template/docs/api-spec.yml +29 -0
  26. package/template/docs/backend-standards.md +53 -0
  27. package/template/docs/base-standards.md +114 -0
  28. package/template/docs/data-model.md +26 -0
  29. package/template/docs/development_guide.md +36 -0
  30. package/template/docs/documentation-standards.md +49 -0
  31. package/template/docs/frontend-standards.md +45 -0
@@ -0,0 +1,371 @@
1
+ # Code Audit Methodology
2
+
3
+ This document provides a comprehensive, systematic approach to code quality auditing. Follow these phases for thorough analysis.
4
+
5
+ ## Phase 0: Pre-Analysis Setup
6
+
7
+ Before analyzing code, establish the context:
8
+
9
+ ### 1. Project Configuration
10
+ - **Package files**: package.json, requirements.txt, go.mod, pom.xml, etc.
11
+ - **Tech stack**: Identify languages, frameworks, and core libraries
12
+ - **Linting configs**: eslint, prettier, black, golint, etc.
13
+ - **Project docs**: CLAUDE.md, README.md for project-specific guidelines
14
+
15
+ ### 2. Baseline Checks
16
+ Run existing linting and testing:
17
+ ```bash
18
+ # JavaScript/TypeScript
19
+ npm run lint
20
+ npm run typecheck
21
+ npm test
22
+
23
+ # Python
24
+ black --check .
25
+ flake8
26
+ pytest
27
+
28
+ # Go
29
+ go vet ./...
30
+ golint ./...
31
+ ```
32
+
33
+ Document existing errors/warnings as baseline.
34
+
35
+ ### 3. Documentation Loading
36
+ Use Context7 to pre-load documentation for identified core libraries:
37
+ ```
38
+ mcp__context7__resolve-library-id → Get library ID
39
+ mcp__context7__query-docs → Load current best practices
40
+ ```
41
+
42
+ ## Phase 1: Discovery
43
+
44
+ ### File Identification
45
+ Find all code files by type:
46
+ ```
47
+ *.js, *.ts, *.jsx, *.tsx (JavaScript/TypeScript)
48
+ *.py (Python)
49
+ *.java (Java)
50
+ *.go (Go)
51
+ *.rs (Rust)
52
+ *.rb (Ruby)
53
+ ```
54
+
55
+ ### Organization
56
+ - Group files by module/feature for contextual analysis
57
+ - Create a tracking list for systematic progress
58
+ - Prioritize core business logic over utilities
59
+
60
+ ## Phase 2: File-by-File Analysis
61
+
62
+ For each file, analyze for the following categories:
63
+
64
+ ### Dead Code
65
+ - Unused functions and methods
66
+ - Unused variables and imports
67
+ - Unreachable code blocks
68
+ - Commented-out code
69
+ - Deprecated features still present
70
+
71
+ ### Code Smells & Anti-Patterns
72
+ - Functions longer than 50 lines
73
+ - High cyclomatic complexity (> 10)
74
+ - Deeply nested conditionals (> 3 levels)
75
+ - Magic numbers without constants
76
+ - Copy-paste code duplication
77
+ - God objects/functions doing too much
78
+ - Long parameter lists (> 5 params)
79
+
80
+ ### Security Vulnerabilities
81
+ - Hardcoded secrets, API keys, passwords
82
+ - SQL injection vulnerabilities
83
+ - XSS (Cross-Site Scripting) risks
84
+ - Command injection risks
85
+ - Insecure deserialization
86
+ - Missing input validation
87
+ - Information disclosure in errors
88
+
89
+ ### Performance Issues
90
+ - O(n²) or worse algorithms in hot paths
91
+ - Missing database indexes
92
+ - N+1 query patterns
93
+ - Unnecessary synchronous operations
94
+ - Missing caching for expensive operations
95
+ - Large memory allocations in loops
96
+ - Blocking I/O in async contexts
97
+
98
+ ### TypeScript/Type Safety Issues
99
+ - Missing type annotations
100
+ - Excessive use of `any` type
101
+ - Type assertions that could be avoided
102
+ - Custom types duplicating official @types/* packages
103
+ - Missing null/undefined checks
104
+
105
+ ### Async/Promise Issues
106
+ - Missing `await` keywords
107
+ - Unhandled promise rejections
108
+ - Callback hell that should use async/await
109
+ - Fire-and-forget promises without error handling
110
+
111
+ ### Memory Leaks
112
+ - Event listeners not removed on cleanup
113
+ - Timers (setInterval, setTimeout) not cleared
114
+ - Large objects retained unnecessarily
115
+ - Closures holding references too long
116
+ - DOM references kept after element removal
117
+
118
+ ### Error Handling
119
+ - Empty catch blocks
120
+ - Catch-and-ignore patterns
121
+ - Missing try/catch in async code
122
+ - Inconsistent error types
123
+ - Generic error messages hiding root cause
124
+
125
+ ## Phase 3: Best Practices Verification
126
+
127
+ ### Context7 Documentation Check
128
+ For every major library identified:
129
+
130
+ 1. **Resolve library ID**:
131
+ ```
132
+ mcp__context7__resolve-library-id: "react"
133
+ ```
134
+
135
+ 2. **Get current best practices**:
136
+ ```
137
+ mcp__context7__query-docs: {
138
+ "context7CompatibleLibraryID": "/facebook/react",
139
+ "topic": "hooks best practices"
140
+ }
141
+ ```
142
+
143
+ 3. **Focus areas**:
144
+ - Migration guides between versions
145
+ - Deprecated features and replacements
146
+ - Performance best practices
147
+ - Security considerations
148
+ - Common pitfalls and anti-patterns
149
+
150
+ ### GitHub Research
151
+ Use `gh` CLI to research real-world usage:
152
+
153
+ ```bash
154
+ # Search for patterns
155
+ gh search code "useEffect cleanup" --language=typescript
156
+
157
+ # Check repository health
158
+ gh repo view [library] --json stargazersCount,updatedAt,openIssues
159
+
160
+ # Look for security advisories
161
+ gh api /repos/{owner}/{repo}/security-advisories
162
+ ```
163
+
164
+ ### Cross-Reference Findings
165
+ - Compare actual implementation vs official documentation
166
+ - Identify deviations from recommended patterns
167
+ - Note outdated patterns that need modernization
168
+ - Flag anti-patterns explicitly discouraged in docs
169
+
170
+ ## Phase 3.5: TypeScript Types Verification
171
+
172
+ For TypeScript projects, perform additional type analysis:
173
+
174
+ ### Check for Duplicate Types
175
+ Search for custom interfaces that mirror official types:
176
+ - React types (React.FC, React.Component, event types)
177
+ - Node.js types (Buffer, Process, Global)
178
+ - DOM types (HTMLElement, Event types)
179
+ - Express types (Request, Response)
180
+ - Popular library types (lodash, axios, etc.)
181
+
182
+ ### Verify @types Packages
183
+ ```bash
184
+ # Check if official types exist
185
+ npm view @types/[library] types
186
+
187
+ # Verify installed @types versions
188
+ npm ls @types/*
189
+ ```
190
+
191
+ ### Common Issues
192
+ - Custom `IRequest` when `express.Request` exists
193
+ - Custom event types when React provides them
194
+ - Duplicating `@types/node` built-in types
195
+
196
+ ## Phase 4: Pattern Detection
197
+
198
+ Look for recurring issues across the codebase:
199
+
200
+ ### Cross-File Patterns
201
+ - Same anti-pattern repeated in multiple files
202
+ - Duplicated utility functions
203
+ - Inconsistent error handling approaches
204
+ - Different coding styles in different modules
205
+
206
+ ### Abstraction Opportunities
207
+ - Repeated code that could be a utility function
208
+ - Common patterns that could be hooks (React)
209
+ - Cross-cutting concerns needing middleware
210
+
211
+ ### Inconsistencies
212
+ - Mixed async styles (callbacks, promises, async/await)
213
+ - Inconsistent naming conventions
214
+ - Different error handling strategies
215
+ - Varying code organization patterns
216
+
217
+ ## Phase 5: Library Recommendations
218
+
219
+ For custom implementations, find mature replacements:
220
+
221
+ ### Discovery Process
222
+ 1. **Check existing libraries first** - Use Context7 to see if current libraries already provide needed functionality
223
+ 2. **Search package registries** - npm, PyPI, crates.io, etc.
224
+ 3. **Verify library health**:
225
+ - Recent commits (active development)
226
+ - Open issues (responsiveness)
227
+ - Download stats (community adoption)
228
+ - Security advisories (vulnerability history)
229
+
230
+ ### Evaluation Criteria
231
+ - **Maintenance**: Last commit < 6 months
232
+ - **Adoption**: Significant download/star count
233
+ - **Security**: No unaddressed vulnerabilities
234
+ - **Bundle size**: Important for frontend code
235
+ - **API stability**: Semantic versioning, migration guides
236
+ - **Documentation**: Clear examples and API docs
237
+
238
+ ### Common Replacements
239
+ | Custom Implementation | Recommended Library |
240
+ |----------------------|---------------------|
241
+ | Date manipulation | date-fns, dayjs |
242
+ | HTTP client | axios, ky |
243
+ | Form validation | zod, yup |
244
+ | State management | zustand, jotai |
245
+ | Deep cloning | lodash/cloneDeep, structuredClone |
246
+ | UUID generation | uuid, nanoid |
247
+ | Retry logic | p-retry, async-retry |
248
+
249
+ ## Phase 6: Report Generation
250
+
251
+ ### Report Structure
252
+
253
+ #### Executive Summary (2-3 paragraphs)
254
+ - Total files analyzed
255
+ - High-level findings overview
256
+ - Key risks and recommendations
257
+
258
+ #### Critical Issues (Immediate Action)
259
+ For each:
260
+ - File path and line number
261
+ - Issue description
262
+ - Security/stability impact
263
+ - Fix example
264
+ - Effort estimate
265
+
266
+ #### High Priority Issues
267
+ - Performance bottlenecks
268
+ - Maintainability problems
269
+ - Missing error handling
270
+
271
+ #### Medium Priority Issues
272
+ - Best practices violations
273
+ - Code quality concerns
274
+ - Type safety improvements
275
+
276
+ #### Low Priority Issues
277
+ - Style inconsistencies
278
+ - Minor improvements
279
+ - Documentation gaps
280
+
281
+ #### Library Recommendations
282
+ For each suggested replacement:
283
+ - Current custom code location
284
+ - Recommended library
285
+ - Migration effort
286
+ - Bundle size impact
287
+
288
+ #### Quick Wins
289
+ Low-effort, high-value fixes:
290
+ - < 30 minutes to implement
291
+ - High impact on quality/security
292
+
293
+ #### Action Plan
294
+ Prioritized steps with:
295
+ - Effort estimates (S/M/L/XL)
296
+ - Dependencies between tasks
297
+ - Suggested sprint allocation
298
+
299
+ ### Report Format Requirements
300
+
301
+ Each issue should include:
302
+ ```markdown
303
+ ### [PRIORITY] Issue Title
304
+ **Location:** `src/auth/login.js:42`
305
+
306
+ **Problem:**
307
+ Description of the issue and why it matters.
308
+
309
+ **Before:**
310
+ ```javascript
311
+ // problematic code
312
+ ```
313
+
314
+ **After:**
315
+ ```javascript
316
+ // fixed code
317
+ ```
318
+
319
+ **Effort:** S (< 30 min) | M (1-4 hours) | L (4-8 hours) | XL (> 8 hours)
320
+ ```
321
+
322
+ ## Tool Usage Reference
323
+
324
+ ### Context7
325
+ ```
326
+ # Resolve library ID first
327
+ mcp__context7__resolve-library-id: "express"
328
+
329
+ # Then get documentation
330
+ mcp__context7__query-docs: {
331
+ "context7CompatibleLibraryID": "/expressjs/express",
332
+ "topic": "middleware"
333
+ }
334
+ ```
335
+
336
+ ### GitHub CLI
337
+ ```bash
338
+ # Repository health
339
+ gh repo view owner/repo --json stargazersCount,updatedAt
340
+
341
+ # Code search
342
+ gh search code "pattern" --language=javascript
343
+
344
+ # Issues search
345
+ gh search issues "memory leak" --repo=owner/repo
346
+ ```
347
+
348
+ ### Package Research
349
+ Use `mcp__fetch__fetch` for package registry pages:
350
+ - npmjs.com/package/[name]
351
+ - pypi.org/project/[name]
352
+
353
+ ## Common Pitfalls to Avoid
354
+
355
+ 1. **Don't rely on assumptions** - Always verify with documentation
356
+ 2. **Don't suggest outdated patterns** - Check current best practices
357
+ 3. **Don't recommend unmaintained libraries** - Verify activity
358
+ 4. **Don't ignore project conventions** - Respect CLAUDE.md guidelines
359
+ 5. **Don't break functionality** - Ensure fixes are safe
360
+ 6. **Don't over-engineer** - Consider cost/benefit ratio
361
+ 7. **Don't skip TypeScript type checks** - Types are documentation
362
+ 8. **Don't ignore bundle size** - Frontend performance matters
363
+
364
+ ## Performance Optimization
365
+
366
+ For large codebases:
367
+ - **Parallel processing**: Analyze multiple files simultaneously
368
+ - **Batch operations**: Group similar checks together
369
+ - **Selective scanning**: Focus on changed files first
370
+ - **Cache documentation**: Reuse Context7 lookups
371
+ - **Progressive reporting**: Provide interim results
@@ -0,0 +1,261 @@
1
+ # Dead Code Detection Methodology
2
+
3
+ This document provides guidance on detecting and removing dead code using automated tools and manual verification.
4
+
5
+ ## Overview
6
+
7
+ Dead code is code that exists in the codebase but is never executed. It increases maintenance burden, bundle size, and cognitive load. This methodology uses specialized tools combined with agent verification to filter false positives.
8
+
9
+ ## Types of Dead Code
10
+
11
+ ### 1. Unused Imports
12
+ Import statements for modules/symbols that are never used:
13
+ ```javascript
14
+ import { unused } from './utils'; // Never referenced
15
+ ```
16
+
17
+ ### 2. Unused Exports
18
+ Functions, classes, variables exported but never imported elsewhere:
19
+ ```javascript
20
+ export function formatDate() { ... } // Not imported anywhere
21
+ ```
22
+
23
+ ### 3. Unused Variables
24
+ Variables declared but never read:
25
+ ```python
26
+ result = compute() # Never used after assignment
27
+ ```
28
+
29
+ ### 4. Unused Functions/Methods
30
+ Functions defined but never called:
31
+ ```typescript
32
+ function legacyHelper() { ... } // Never invoked
33
+ ```
34
+
35
+ ### 5. Unused Files
36
+ Entire files not imported anywhere in the codebase.
37
+
38
+ ### 6. Unused Dependencies
39
+ Packages in package.json/requirements.txt not used in code.
40
+
41
+ ### 7. Unreachable Code
42
+ Code after return/throw statements or in dead branches:
43
+ ```javascript
44
+ function foo() {
45
+ return 42;
46
+ console.log('never runs'); // Unreachable
47
+ }
48
+ ```
49
+
50
+ ## Detection Tools
51
+
52
+ ### Knip (JavaScript/TypeScript)
53
+
54
+ **Installation:**
55
+ ```bash
56
+ npm install -g knip
57
+ # or use via npx (no install required)
58
+ ```
59
+
60
+ **Commands:**
61
+ ```bash
62
+ # Detection (default output)
63
+ npx knip
64
+
65
+ # JSON output for parsing
66
+ npx knip --reporter json
67
+
68
+ # Fix automatically (use with caution)
69
+ npx knip --fix
70
+
71
+ # Specific workspace
72
+ npx knip --workspace packages/core
73
+
74
+ # Include/exclude patterns
75
+ npx knip --include files --exclude dependencies
76
+ ```
77
+
78
+ **Configuration (`knip.json`):**
79
+ ```json
80
+ {
81
+ "$schema": "https://unpkg.com/knip@latest/schema.json",
82
+ "entry": ["src/index.ts"],
83
+ "project": ["src/**/*.ts"],
84
+ "ignore": ["**/*.test.ts"],
85
+ "ignoreDependencies": ["@types/*"]
86
+ }
87
+ ```
88
+
89
+ **Categories detected:**
90
+ - files, dependencies, devDependencies
91
+ - exports, nsExports, classMembers
92
+ - types, nsTypes, enumMembers
93
+ - unlisted, binaries, unresolved, duplicates
94
+
95
+ ### Deadcode (Python)
96
+
97
+ **Installation:**
98
+ ```bash
99
+ pip install deadcode
100
+ ```
101
+
102
+ **Commands:**
103
+ ```bash
104
+ # Detection
105
+ deadcode .
106
+
107
+ # With verbose output
108
+ deadcode . --verbose
109
+
110
+ # Fix automatically
111
+ deadcode . --fix
112
+
113
+ # Dry run (show what would be fixed)
114
+ deadcode . --dry
115
+
116
+ # Specific path
117
+ deadcode src/
118
+
119
+ # Exclude patterns
120
+ deadcode . --exclude tests/
121
+ ```
122
+
123
+ **Detection capabilities:**
124
+ - Unused imports (DC01)
125
+ - Unused variables (DC02)
126
+ - Unused functions (DC03)
127
+ - Unused classes (DC04)
128
+ - Unused methods (DC05)
129
+
130
+ ## False Positive Detection
131
+
132
+ **CRITICAL: Always verify findings before reporting to the user.**
133
+
134
+ ### Common False Positives
135
+
136
+ #### 1. Dynamic Imports
137
+ ```javascript
138
+ // These imports appear unused but are loaded at runtime
139
+ const module = await import(modulePath);
140
+ require(variableName);
141
+ ```
142
+
143
+ #### 2. Framework Magic
144
+ ```typescript
145
+ // React components used in JSX
146
+ export const Button = () => <button />; // Used as <Button />
147
+
148
+ // Decorators in TypeScript/Python
149
+ @decorator
150
+ export class Controller {}
151
+
152
+ // Vue setup functions
153
+ export function useCounter() { ... } // Used in <script setup>
154
+ ```
155
+
156
+ #### 3. Re-exports for Public API
157
+ ```typescript
158
+ // index.ts barrel file - exports ARE the purpose
159
+ export { Helper } from './helper'; // Re-exported for external use
160
+ ```
161
+
162
+ #### 4. Entry Points
163
+ ```javascript
164
+ // CLI scripts, serverless handlers, etc.
165
+ export const handler = async (event) => { ... }; // AWS Lambda entry
166
+ ```
167
+
168
+ #### 5. Test Utilities
169
+ ```typescript
170
+ // Only used in test files
171
+ export class TestHelper {} // Referenced in *.test.ts
172
+ ```
173
+
174
+ #### 6. String-Based References
175
+ ```javascript
176
+ // Accessed via strings or reflection
177
+ const fn = functions['dynamicName'];
178
+ getattr(obj, 'method_name')()
179
+ ```
180
+
181
+ ### Verification Checklist
182
+
183
+ For each flagged item, the agent MUST:
184
+
185
+ 1. **Read the flagged code** to understand context
186
+ 2. **Search for dynamic references**:
187
+ - `import(` or `require(` with variables
188
+ - String interpolation with the item name
189
+ - `eval`, `getattr`, or reflection patterns
190
+ 3. **Check framework patterns**:
191
+ - React: Is it a component used in JSX?
192
+ - Angular: Is it decorated with @Component, @Injectable, etc.?
193
+ - Express: Is it middleware or route handler?
194
+ 4. **Check for re-exports**:
195
+ - Is this in an index.ts/index.js barrel file?
196
+ - Is this part of the public API?
197
+ 5. **Check entry points**:
198
+ - Is this a CLI script, serverless handler, or worker?
199
+ - Is it referenced in package.json scripts or config files?
200
+
201
+ ## Workflow
202
+
203
+ ### 1. Run Detection Tool
204
+ ```bash
205
+ # Use the helper script
206
+ ${CLAUDE_PLUGIN_ROOT}/scripts/dead-code-detect.sh --format json
207
+ ```
208
+
209
+ ### 2. Parse and Categorize
210
+ Group findings by type:
211
+ - Unused exports
212
+ - Unused files
213
+ - Unused dependencies
214
+ - Unused imports
215
+ - Unused class members
216
+
217
+ ### 3. Verify Each Finding
218
+ For each item:
219
+ 1. Read the code
220
+ 2. Check for false positive patterns
221
+ 3. Mark as "verified" or "likely false positive"
222
+
223
+ ### 4. Present Verified Report
224
+ Show user:
225
+ - Summary counts (verified items only)
226
+ - Detailed list with file:line references
227
+ - Filtered items with reasons
228
+
229
+ ### 5. Apply Fixes (After Approval)
230
+ ```bash
231
+ # Only after user confirms
232
+ npx knip --fix
233
+ # or
234
+ deadcode . --fix
235
+ ```
236
+
237
+ ## Integration with Audits
238
+
239
+ ### Quick Check Integration
240
+ - Run detection as part of automated checks
241
+ - Report findings under "Dead Code" category
242
+ - Don't auto-fix; inform user of findings
243
+
244
+ ### Deep Audit Integration
245
+ - Run as Phase 2.5: Dead Code Detection
246
+ - Include in comprehensive report
247
+ - Provide fix commands for user to run
248
+
249
+ ### Standalone `/dead-code` Command
250
+ - Focused workflow for dead code only
251
+ - Interactive cleanup with user approval
252
+ - Show verification process
253
+
254
+ ## Best Practices
255
+
256
+ 1. **Run regularly** - Include in CI/CD pipeline
257
+ 2. **Configure properly** - Set up ignore rules for framework patterns
258
+ 3. **Test after removal** - Ensure nothing breaks
259
+ 4. **Review before commit** - Manual verification recommended
260
+ 5. **Document exceptions** - Comment why certain "dead" code is intentional
261
+ 6. **Start conservative** - Better to miss some than to break things