npm - @tinkcarlos/skillora - Versions diffs - 0.2.0 - Mend

@tinkcarlos/skillora 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (234) hide show

package/.claude/skills/code-review/references/multi-language-guide.md ADDED Viewed

@@ -0,0 +1,800 @@
+# Multi-Language Code Review Best Practices Guide
+> Based on the latest code review standards and tools from major language communities (2024-2025)
+## Table of Contents
+- [Universal Review Principles](#universal-review-principles)
+- [Python](#python)
+- [TypeScript / JavaScript](#typescript--javascript)
+- [React](#react)
+- [Vue.js](#vuejs)
+- [Angular](#angular)
+- [Go](#go)
+- [Java / Spring Boot](#java--spring-boot)
+- [Rust](#rust)
+- [C# / .NET](#c--net)
+- [Multi-Language Security Checklist](#multi-language-security-checklist)
+---
+## Universal Review Principles
+### OWASP Top 10 Security Checks (Applicable to All Languages)
+| Vulnerability Type | Check Points | Tools |
+|-------------------|--------------|-------|
+| **Injection Attacks** | SQL/Command/LDAP injection, parameterized queries | Bandit, ESLint-security |
+| **Authentication Failure** | Password storage, session management, token expiry | Security scanners |
+| **Sensitive Data Exposure** | Encryption algorithms, TLS config, log scrubbing | Code search |
+| **XXE** | XML parser config, disable external entities | SAST tools |
+| **Access Control** | Permission checks, least privilege principle | Manual review |
+| **Security Config** | Default config, error message leakage | Config scan |
+| **XSS** | Output encoding, CSP policy | ESLint, DOMPurify |
+| **Deserialization** | Deserialization of untrusted data | Static analysis |
+| **Component Vulnerabilities** | Dependency versions, known vulnerabilities | npm audit, Snyk |
+| **Logging & Monitoring** | Audit logs, anomaly detection | Log audit |
+---
+## Python
+### Tool Stack
+```bash
+# Install complete toolchain
+pip install pylint flake8 bandit mypy black isort
+# Run checks
+pylint src/
+flake8 src/
+mypy src/
+bandit -r src/  # Security scan
+black --check src/  # Format check
+```
+### Key Checklist
+| Category | Check Item | Incorrect Example | Correct Example |
+|----------|------------|-------------------|-----------------|
+| **Readability** | PEP 8 naming conventions | `def Calc_Area(r):` | `def calculate_area(radius):` |
+| **Type Safety** | Type annotations | `def add(a, b):` | `def add(a: int, b: int) -> int:` |
+| **Security** | SQL injection | `f"SELECT * FROM users WHERE id={id}"` | `cursor.execute("SELECT * FROM users WHERE id=?", (id,))` |
+| **Security** | Hardcoded credentials | `API_KEY = "sk-123..."` | `API_KEY = os.environ.get("API_KEY")` |
+| **Error Handling** | Exception catching | `except Exception: pass` | `except FileNotFoundError: logger.error(...); raise` |
+| **Resource Management** | Context managers | `file = open("data.txt")` | `with open("data.txt") as file:` |
+### Common Pitfalls
+```python
+# ❌ Mutable default arguments - Most common Python bug
+def append_to(element, to=[]):  # Default list created once at function definition
+    to.append(element)
+    return to
+# ✅ Correct approach
+def append_to(element, to=None):
+    if to is None:
+        to = []
+    to.append(element)
+    return to
+# ❌ Late binding in closures
+funcs = [lambda x: x * i for i in range(3)]
+# funcs[0](1), funcs[1](1), funcs[2](1) all return 2
+# ✅ Correct approach
+funcs = [lambda x, i=i: x * i for i in range(3)]
+# ❌ Modifying list while iterating
+items = [1, 2, 3, 4, 5]
+for item in items:
+    if item % 2 == 0:
+        items.remove(item)  # Skips elements
+# ✅ Correct approach
+items = [item for item in items if item % 2 != 0]
+```
+### FastAPI/Django Specific Checks
+| Framework | Check Item | Risk |
+|-----------|------------|------|
+| **FastAPI** | Blocking calls in async functions | Event loop blocking |
+| **FastAPI** | Dependency injection order | Resources not properly cleaned |
+| **Django** | `select_related` / `prefetch_related` | N+1 queries |
+| **Django** | CSRF protection | CSRF attacks |
+---
+## TypeScript / JavaScript
+### Tool Stack
+```bash
+# Install toolchain
+npm install -D eslint typescript @typescript-eslint/parser @typescript-eslint/eslint-plugin
+# ESLint config (eslint.config.js)
+import js from "@eslint/js";
+import tseslint from "typescript-eslint";
+export default tseslint.config({
+  files: ["**/*.ts", "**/*.tsx"],
+  extends: [
+    js.configs.recommended,
+    tseslint.configs.recommended,
+  ],
+  rules: {
+    "@typescript-eslint/no-explicit-any": "error",
+    "@typescript-eslint/explicit-function-return-type": "warn",
+  },
+});
+```
+### Key Checklist
+| Category | Check Item | Incorrect Example | Correct Example |
+|----------|------------|-------------------|-----------------|
+| **Type Safety** | Avoid any | `function process(data: any)` | `function process(data: UserData)` |
+| **Null Handling** | Optional chaining | `user.profile.name` | `user?.profile?.name` |
+| **Equality** | Strict equality | `if (a == b)` | `if (a === b)` |
+| **Promise** | Error handling | `promise.then(...)` | `promise.then(...).catch(...)` |
+| **Async** | await usage | `async function f() { return promise }` | `async function f() { return await promise }` |
+### Common Pitfalls
+```typescript
+// ❌ Closure trap - this context lost
+class Counter {
+  count = 0;
+  increment() {
+    setTimeout(function() {
+      this.count++;  // this is undefined or window
+    }, 100);
+  }
+}
+// ✅ Correct approach
+class Counter {
+  count = 0;
+  increment() {
+    setTimeout(() => {
+      this.count++;  // Arrow function preserves this context
+    }, 100);
+  }
+}
+// ❌ Unhandled Promise rejection
+async function fetchData() {
+  const response = await fetch('/api/data');
+  return response.json();  // Didn't check response.ok
+}
+// ✅ Correct approach
+async function fetchData() {
+  const response = await fetch('/api/data');
+  if (!response.ok) {
+    throw new Error(`HTTP error! status: ${response.status}`);
+  }
+  return response.json();
+}
+// ❌ Array mutation method misuse
+const original = [3, 1, 2];
+const sorted = original.sort();  // original is also modified!
+// ✅ Correct approach
+const sorted = [...original].sort();
+```
+---
+## React
+### Tool Stack
+```bash
+# Install React Hooks ESLint plugin
+npm install -D eslint-plugin-react-hooks
+# ESLint configuration
+{
+  "plugins": ["react-hooks"],
+  "rules": {
+    "react-hooks/rules-of-hooks": "error",
+    "react-hooks/exhaustive-deps": "warn"
+  }
+}
+```
+### Hooks Rules Check (Most Important)
+| Rule | Incorrect Example | Explanation |
+|------|-------------------|-------------|
+| **Hook in condition** | `if (cond) { const [x] = useState(0) }` | Hooks must be called at top level |
+| **Hook in loop** | `for (...) { useEffect(...) }` | Hook call order must be consistent |
+| **Hook in nested function** | `function handler() { useState(0) }` | Hooks can only be called in components or custom hooks |
+| **Hook in class component** | `class C { render() { useEffect() } }` | Hooks cannot be used in class components |
+### Performance Pitfalls
+```tsx
+// ❌ useMemo vs useEffect misuse - Most common React performance issue
+const Component = ({ items }) => {
+  const [computedValue, setComputedValue] = useState(0);
+  // Wrong: Using useEffect to set derived state
+  useEffect(() => {
+    setComputedValue(items.reduce((sum, item) => sum + item.value, 0));
+  }, [items]);
+  return <div>{computedValue}</div>;
+};
+// ✅ Correct: Use useMemo for derived values
+const Component = ({ items }) => {
+  const computedValue = useMemo(() => {
+    return items.reduce((sum, item) => sum + item.value, 0);
+  }, [items]);
+  return <div>{computedValue}</div>;
+};
+// ❌ Incomplete useEffect dependencies
+useEffect(() => {
+  const options = createOptions();  // Changes every render
+  const connection = createConnection(options);
+  connection.connect();
+  return () => connection.disconnect();
+}, [createOptions]);  // Dependency changes every time!
+// ✅ Correct: Use useCallback to stabilize function reference
+const createOptions = useCallback(() => {
+  return { serverUrl, roomId };
+}, [serverUrl, roomId]);
+// ❌ Missing cleanup function - Memory leak
+useEffect(() => {
+  const subscription = eventSource.subscribe(handler);
+  // No cleanup!
+}, []);
+// ✅ Correct: Return cleanup function
+useEffect(() => {
+  const subscription = eventSource.subscribe(handler);
+  return () => subscription.unsubscribe();
+}, []);
+// ❌ Non-unique key or using index as key
+{items.map((item, index) => (
+  <Item key={index} data={item} />  // Problems with reordering
+))}
+// ✅ Correct: Use stable unique key
+{items.map((item) => (
+  <Item key={item.id} data={item} />
+))}
+```
+### Security Checks
+```tsx
+// ❌ XSS risk - dangerouslySetInnerHTML
+const MarkdownPreview = ({ content }) => {
+  // User-provided content may contain malicious scripts
+  return <div dangerouslySetInnerHTML={{ __html: content }} />;
+};
+// ✅ Correct: Use DOMPurify to sanitize
+import DOMPurify from 'dompurify';
+const MarkdownPreview = ({ content }) => {
+  const sanitizedHtml = DOMPurify.sanitize(content);
+  return <div dangerouslySetInnerHTML={{ __html: sanitizedHtml }} />;
+};
+```
+---
+## Vue.js
+### XSS Protection Check (Most Important)
+```vue
+<!-- ❌ XSS risk - v-html with user input -->
+<template>
+  <span v-html="userInput" />  <!-- Dangerous! -->
+</template>
+<!-- ✅ Correct: Use DOMPurify or v-dompurify-html -->
+<template>
+  <div v-dompurify-html="userInput"></div>
+</template>
+<script setup>
+import { ref } from 'vue';
+// npm install vue-dompurify-html
+const userInput = ref('<span style="color: red">Safe</span>');
+</script>
+```
+### Key Checklist
+| Category | Check Item | Risk |
+|----------|------------|------|
+| **XSS** | `v-html` with user input | XSS attack |
+| **URL Injection** | `:href="userProvidedUrl"` | javascript: protocol attack |
+| **Style Injection** | `:style="userProvidedStyle"` | CSS injection attack |
+| **Template Injection** | Server-side rendering of user input | Template injection attack |
+| **v-if/v-for** | Using both on same element | Performance issues, priority issues |
+| **Reactivity Loss** | Destructuring props or reactive objects | Reactivity loss |
+### Common Pitfalls
+```vue
+<script setup>
+import { reactive, toRefs } from 'vue';
+// ❌ Reactivity loss
+const state = reactive({ count: 0 });
+const { count } = state;  // count is no longer reactive
+// ✅ Correct: Use toRefs
+const { count } = toRefs(state);  // count is reactive
+// ❌ Lifecycle cleanup omission
+onMounted(() => {
+  window.addEventListener('resize', handleResize);
+  // No cleanup!
+});
+// ✅ Correct: Clean up in onUnmounted
+onMounted(() => {
+  window.addEventListener('resize', handleResize);
+});
+onUnmounted(() => {
+  window.removeEventListener('resize', handleResize);
+});
+</script>
+```
+---
+## Angular
+### Security Configuration Check
+```typescript
+// ✅ XSRF protection configuration
+import { provideHttpClient, withXsrfConfiguration } from '@angular/common/http';
+export const appConfig: ApplicationConfig = {
+  providers: [
+    provideHttpClient(
+      withXsrfConfiguration({
+        cookieName: 'XSRF-TOKEN',
+        headerName: 'X-XSRF-TOKEN'
+      })
+    ),
+  ]
+};
+// ✅ Secure HTTP interceptor
+@Injectable()
+export class AuthInterceptor implements HttpInterceptor {
+  intercept(req: HttpRequest<any>, next: HttpHandler) {
+    const token = localStorage.getItem('authToken');
+    const clonedReq = token
+      ? req.clone({
+          setHeaders: { Authorization: `Bearer ${token}` },
+        })
+      : req;
+    return next.handle(clonedReq);
+  }
+}
+```
+### XSS Protection
+```typescript
+// Angular escapes HTML by default for bound values
+// ❌ Dangerous: Bypassing security check
+import { DomSanitizer } from '@angular/platform-browser';
+@Component({...})
+export class MyComponent {
+  constructor(private sanitizer: DomSanitizer) {}
+  // Dangerous! Only use when content is guaranteed safe
+  trustedHtml = this.sanitizer.bypassSecurityTrustHtml(userInput);
+}
+// ✅ Correct: Let Angular handle escaping
+@Component({
+  template: `<div>{{ userInput }}</div>`  // Auto-escaped
+})
+```
+---
+## Go
+### Tool Stack
+```bash
+# Install golangci-lint
+go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+# Run checks
+golangci-lint run ./...
+# Data race detection (Most Important)
+go test -race ./...
+go run -race main.go
+go build -race
+```
+### Concurrency Safety Check (Most Important)
+```go
+// ❌ Data race - Go's most dangerous hidden bug
+package main
+import (
+    "fmt"
+    "sync"
+)
+var counter int  // Shared state
+func main() {
+    var wg sync.WaitGroup
+    for i := 0; i < 1000; i++ {
+        wg.Add(1)
+        go func() {
+            counter++  // Data race!
+            wg.Done()
+        }()
+    }
+    wg.Wait()
+    fmt.Println(counter)  // Result is non-deterministic
+}
+// ✅ Correct: Use Mutex
+var (
+    counter int
+    mu      sync.Mutex
+)
+func increment() {
+    mu.Lock()
+    counter++
+    mu.Unlock()
+}
+// ✅ Or use atomic operations
+import "sync/atomic"
+var counter int64
+func increment() {
+    atomic.AddInt64(&counter, 1)
+}
+// ❌ Concurrent map access - fatal error
+m := make(map[int]int)
+go func() { m[1] = 1 }()  // Write
+go func() { _ = m[1] }()  // Read
+// fatal error: concurrent map read and map write
+// ✅ Correct: Use sync.Map
+var m sync.Map
+m.Store(1, 1)
+v, _ := m.Load(1)
+```
+### Key Checklist
+| Category | Check Item | Detection Method |
+|----------|------------|------------------|
+| **Data Race** | Shared variable concurrent access | `go test -race` |
+| **Goroutine Leak** | Unclosed channels | Code review |
+| **Deadlock** | Mutex nested locking | go-deadlock library |
+| **Map Concurrency** | Non-thread-safe map | `go build -race` |
+| **Error Handling** | Ignored returned errors | golangci-lint |
+---
+## Java / Spring Boot
+### Tool Stack
+```xml
+<!-- Maven configuration -->
+<plugin>
+    <groupId>com.github.spotbugs</groupId>
+    <artifactId>spotbugs-maven-plugin</artifactId>
+    <version>4.8.3</version>
+</plugin>
+<plugin>
+    <groupId>org.apache.maven.plugins</groupId>
+    <artifactId>maven-checkstyle-plugin</artifactId>
+    <version>3.3.0</version>
+</plugin>
+<!-- Dependency vulnerability check -->
+<plugin>
+    <groupId>org.owasp</groupId>
+    <artifactId>dependency-check-maven</artifactId>
+    <version>9.0.0</version>
+</plugin>
+```
+```bash
+# Run checks
+mvn spotbugs:check
+mvn checkstyle:check
+mvn org.owasp:dependency-check-maven:check
+```
+### Key Checklist
+| Category | Check Item | SpotBugs Rule |
+|----------|------------|---------------|
+| **Null Pointer** | NPE risk | NP_NULL_ON_SOME_PATH |
+| **Resource Leak** | Unclosed streams/connections | OBL_UNSATISFIED_OBLIGATION |
+| **Concurrency** | Non-thread-safe usage | IS2_INCONSISTENT_SYNC |
+| **Security** | SQL injection | SQL_INJECTION_* |
+| **Performance** | Inefficient loops | WMI_WRONG_MAP_ITERATOR |
+### Spring Boot Security Check
+```java
+// ❌ SQL injection risk
+@Repository
+public class UserRepository {
+    public User findByUsername(String username) {
+        String sql = "SELECT * FROM users WHERE username = '" + username + "'";
+        return jdbcTemplate.queryForObject(sql, new UserRowMapper());
+    }
+}
+// ✅ Correct: Use parameterized queries
+@Repository
+public class UserRepository {
+    public User findByUsername(String username) {
+        String sql = "SELECT * FROM users WHERE username = ?";
+        return jdbcTemplate.queryForObject(sql, new UserRowMapper(), username);
+    }
+}
+// ✅ Or use JPA
+@Repository
+public interface UserRepository extends JpaRepository<User, Long> {
+    @Query("SELECT u FROM User u WHERE u.username = :username")
+    User findByUsername(@Param("username") String username);
+}
+```
+---
+## Rust
+### Tool Stack
+```bash
+# Clippy - Rust official linter
+cargo clippy --all-targets --all-features -- -D warnings
+# Auto-fix
+cargo clippy --fix --all-targets --all-features
+# Security audit
+cargo audit
+```
+### Clippy Configuration (Recommended to Enable)
+```rust
+// Cargo.toml or top of lib.rs
+#![warn(
+    // Arithmetic safety
+    clippy::cast_possible_truncation,
+    clippy::cast_sign_loss,
+    clippy::cast_possible_wrap,
+    clippy::arithmetic_side_effects,
+    // Error handling
+    clippy::unwrap_used,
+    clippy::expect_used,
+    clippy::panicking_unwrap,
+    // Array index safety
+    clippy::indexing_slicing,
+)]
+// ❌ Dangerous: Using unwrap directly
+fn get_user(id: u64) -> User {
+    users.get(&id).unwrap()  // May panic
+}
+// ✅ Correct: Return Option or Result
+fn get_user(id: u64) -> Option<&User> {
+    users.get(&id)
+}
+// ✅ Or use ? operator
+fn get_user(id: u64) -> Result<&User, Error> {
+    users.get(&id).ok_or(Error::NotFound)
+}
+```
+### Unsafe Code Review
+```rust
+// Unsafe code review checklist:
+// 1. Necessity: Is unsafe really needed? Are there safe alternatives?
+// 2. Minimal scope: Is the unsafe block as small as possible?
+// 3. Documentation: Is there # Safety documentation explaining preconditions?
+// 4. Testing: Is there Miri testing?
+// ✅ Correct unsafe usage pattern
+/// # Safety
+///
+/// - `ptr` must be a valid pointer to initialized memory
+/// - The memory must not be mutably aliased
+unsafe fn dereference(ptr: *const i32) -> i32 {
+    // SAFETY: Caller guarantees ptr is valid and not aliased
+    *ptr
+}
+```
+---
+## C# / .NET
+### Tool Stack
+```xml
+<!-- .csproj configuration -->
+<PropertyGroup>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    <EnforceCodeStyleInBuild>true</EnforceCodeStyleInBuild>
+</PropertyGroup>
+<ItemGroup>
+    <PackageReference Include="Microsoft.CodeAnalysis.NetAnalyzers" Version="8.0.0">
+        <PrivateAssets>all</PrivateAssets>
+        <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
+    </PackageReference>
+    <PackageReference Include="StyleCop.Analyzers" Version="1.2.0-beta.556">
+        <PrivateAssets>all</PrivateAssets>
+        <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
+    </PackageReference>
+    <PackageReference Include="Roslynator.Analyzers" Version="4.14.1">
+        <PrivateAssets>all</PrivateAssets>
+        <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
+    </PackageReference>
+</ItemGroup>
+```
+```bash
+# Run analysis
+dotnet build
+# Security audit
+dotnet list package --vulnerable
+# Roslynator CLI
+roslynator analyze MyProject.csproj
+```
+### .editorconfig Configuration
+```ini
+[*.cs]
+# Enable all .NET analyzers
+dotnet_analyzer_diagnostic.severity = warning
+# Set security rules as errors
+dotnet_diagnostic.CA2100.severity = error  # SQL injection
+dotnet_diagnostic.CA3001.severity = error  # SQL injection
+dotnet_diagnostic.CA3002.severity = error  # XSS
+dotnet_diagnostic.CA3003.severity = error  # File path injection
+dotnet_diagnostic.CA3004.severity = error  # Information disclosure
+# Code quality
+dotnet_diagnostic.IDE0090.severity = warning  # Use new(...)
+dotnet_diagnostic.IDE0028.severity = warning  # Simplify collection initialization
+```
+### Key Checklist
+```csharp
+// ❌ IDisposable not properly handled
+public void ProcessFile(string path) {
+    var stream = File.OpenRead(path);
+    var data = stream.ReadByte();
+    // stream not closed!
+}
+// ✅ Correct: Use using statement
+public void ProcessFile(string path) {
+    using var stream = File.OpenRead(path);
+    var data = stream.ReadByte();
+}
+// ❌ Async method blocking call
+public void BadAsync() {
+    var result = GetDataAsync().Result;  // Deadlock risk!
+}
+// ✅ Correct: Async all the way
+public async Task GoodAsync() {
+    var result = await GetDataAsync();
+}
+// ❌ Null reference exception risk
+public string GetName(User user) {
+    return user.Profile.Name;  // NRE risk
+}
+// ✅ Correct: Null check
+public string? GetName(User? user) {
+    return user?.Profile?.Name;
+}
+```
+---
+## Multi-Language Security Checklist
+### 10-Point Security Review Checklist (Applicable to All Languages)
+| # | Check Item | Description | Tools |
+|---|------------|-------------|-------|
+| 1 | **Input Validation** | Type, length, format, range validation | Static analysis |
+| 2 | **Authentication & Authorization** | Session management, password storage, permission checks | Security scan |
+| 3 | **Data Encryption** | TLS, encryption algorithms, key management | Config review |
+| 4 | **Exception Handling** | Error message leakage, resource cleanup | Code review |
+| 5 | **Dependency Management** | Known vulnerabilities, version compatibility | npm audit / pip-audit |
+| 6 | **API Security** | Authentication, rate limiting, data validation | API testing |
+| 7 | **CSRF Protection** | Token validation, SameSite Cookie | Framework config |
+| 8 | **Code Execution** | Don't execute user input, template injection | Static analysis |
+| 9 | **Business Logic** | Permission bypass, payment flow vulnerabilities | Manual review |
+| 10 | **Code Quality** | Readability, documentation, test coverage | Linter |
+### Quick Check Commands Summary for Each Language
+```bash
+# Python
+pylint src/ && mypy src/ && bandit -r src/ && pip-audit
+# TypeScript/JavaScript
+npx eslint . && npx tsc --noEmit && npm audit
+# Go
+golangci-lint run && go test -race ./...
+# Java
+mvn spotbugs:check && mvn checkstyle:check && mvn dependency-check:check
+# Rust
+cargo clippy -- -D warnings && cargo audit && cargo +nightly miri test
+# C#
+dotnet build /warnaserror && dotnet list package --vulnerable
+```
+---
+## Reference Resources
+- [OWASP Code Review Guide](https://owasp.org/www-project-code-review-guide/)
+- [Google Style Guides](https://google.github.io/styleguide/)
+- [Airbnb JavaScript Style Guide](https://github.com/airbnb/javascript)
+- [PEP 8 - Python Style Guide](https://peps.python.org/pep-0008/)
+- [Effective Rust](https://effective-rust.com/)
+- [Go Code Review Comments](https://github.com/golang/go/wiki/CodeReviewComments)
+- [Microsoft C# Coding Conventions](https://docs.microsoft.com/en-us/dotnet/csharp/fundamentals/coding-style/coding-conventions)