@tinkcarlos/skillora 0.2.0

package/.claude/skills/code-review/references/python-patterns.md

@@ -0,0 +1,494 @@
+# Python-Specific Review Patterns
+
+Comprehensive Python code review patterns covering Django, Flask, FastAPI, and core Python.
+
+## Core Python Issues
+
+### Type Hints & Mypy
+
+```python
+# 🚫 Missing type hints
+def process(data):
+    return data['value'] * 2
+
+# ✅ Proper type hints
+from typing import TypedDict
+
+class DataInput(TypedDict):
+    value: int
+
+def process(data: DataInput) -> int:
+    return data['value'] * 2
+```
+
+```python
+# 🚫 Using Any unnecessarily
+from typing import Any
+def handler(event: Any) -> Any: ...
+
+# ✅ Proper typing with generics
+from typing import TypeVar, Generic
+T = TypeVar('T')
+def handler(event: Event[T]) -> Response[T]: ...
+```
+
+### Context Managers
+
+```python
+# 🚫 Resource leak
+file = open('data.txt')
+data = file.read()
+# file never closed if exception
+
+# ✅ Proper context manager
+with open('data.txt') as file:
+    data = file.read()
+```
+
+```python
+# 🚫 Manual lock management
+lock.acquire()
+try:
+    do_work()
+finally:
+    lock.release()
+
+# ✅ Context manager
+with lock:
+    do_work()
+```
+
+### Generators & Memory
+
+```python
+# 🚫 Loading all into memory
+def get_users():
+    return [process(u) for u in db.query_all_users()]  # Millions of users!
+
+# ✅ Generator for streaming
+def get_users():
+    for user in db.query_users_cursor():
+        yield process(user)
+```
+
+```python
+# 🚫 String concatenation in loop
+result = ""
+for item in large_list:
+    result += str(item)  # O(n²) memory copies
+
+# ✅ Join pattern
+result = "".join(str(item) for item in large_list)
+```
+
+### Mutable Default Arguments
+
+```python
+# 🚫 CRITICAL BUG: Mutable default
+def add_item(item, items=[]):
+    items.append(item)
+    return items
+# add_item(1) → [1]
+# add_item(2) → [1, 2]  # Shared state!
+
+# ✅ None default
+def add_item(item, items=None):
+    if items is None:
+        items = []
+    items.append(item)
+    return items
+```
+
+### Mutable Class Attributes (Critical Hidden Bug)
+
+```python
+# 🚫 CRITICAL BUG: Class attribute shared across ALL instances
+class User:
+    permissions = []  # 💀 Shared across all instances!
+    tags = {}         # 💀 Same problem with dict
+
+user1 = User()
+user2 = User()
+user1.permissions.append("admin")
+print(user2.permissions)  # ['admin'] - user2 also has admin!
+
+# ✅ Initialize in __init__
+class User:
+    def __init__(self):
+        self.permissions = []  # Each instance gets its own list
+        self.tags = {}
+
+# ✅ Or use dataclasses with field()
+from dataclasses import dataclass, field
+
+@dataclass
+class User:
+    permissions: list = field(default_factory=list)
+    tags: dict = field(default_factory=dict)
+```
+
+**Detection command**:
+```bash
+# Search for class-level mutable attributes
+grep -rn "class.*:" --include="*.py" -A 10 | grep -E "^\s+\w+\s*=\s*(\[\]|\{\}|set\(\))"
+```
+
+### Exception Handling
+
+```python
+# 🚫 Bare except
+try:
+    risky_operation()
+except:  # Catches KeyboardInterrupt, SystemExit!
+    pass
+
+# ✅ Specific exceptions
+try:
+    risky_operation()
+except (ValueError, TypeError) as e:
+    logger.error(f"Operation failed: {e}")
+    raise
+```
+
+```python
+# 🚫 Lost traceback
+try:
+    risky_operation()
+except Exception as e:
+    raise CustomError(str(e))  # Loses original traceback
+
+# ✅ Chain exceptions
+try:
+    risky_operation()
+except Exception as e:
+    raise CustomError(f"Operation failed") from e
+```
+
+### Asyncio Issues
+
+```python
+# 🚫 Blocking in async code
+async def fetch_data():
+    response = requests.get(url)  # Blocks event loop!
+    return response.json()
+
+# ✅ Use async libraries
+async def fetch_data():
+    async with aiohttp.ClientSession() as session:
+        async with session.get(url) as response:
+            return await response.json()
+```
+
+```python
+# 🚫 Creating tasks without awaiting
+async def handler():
+    asyncio.create_task(background_job())  # Fire and forget, errors lost
+
+# ✅ Track tasks
+async def handler():
+    task = asyncio.create_task(background_job())
+    # Either await or add error handler
+    task.add_done_callback(handle_task_result)
+```
+
+```python
+# 🚫 Sequential async calls
+async def fetch_all():
+    user = await get_user()
+    posts = await get_posts()  # Waits for user first
+
+# ✅ Concurrent execution
+async def fetch_all():
+    user, posts = await asyncio.gather(
+        get_user(),
+        get_posts()
+    )
+```
+
+## Django Patterns
+
+### ORM Issues
+
+```python
+# 🚫 N+1 Query
+def get_posts():
+    posts = Post.objects.all()
+    for post in posts:
+        print(post.author.name)  # Query per iteration!
+
+# ✅ Select related
+def get_posts():
+    posts = Post.objects.select_related('author').all()
+    for post in posts:
+        print(post.author.name)  # Single query
+```
+
+```python
+# 🚫 Prefetch without optimization
+posts = Post.objects.prefetch_related('comments').all()
+for post in posts:
+    recent = post.comments.filter(created__gt=cutoff)  # New query!
+
+# ✅ Prefetch with filter
+from django.db.models import Prefetch
+posts = Post.objects.prefetch_related(
+    Prefetch('comments', queryset=Comment.objects.filter(created__gt=cutoff))
+).all()
+```
+
+```python
+# 🚫 Counting with len()
+count = len(Post.objects.all())  # Fetches all objects!
+
+# ✅ Use count()
+count = Post.objects.count()  # COUNT(*) query
+```
+
+### Security
+
+```python
+# 🚫 Raw SQL injection
+Post.objects.raw(f"SELECT * FROM posts WHERE title = '{user_input}'")
+
+# ✅ Parameterized query
+Post.objects.raw("SELECT * FROM posts WHERE title = %s", [user_input])
+```
+
+```python
+# 🚫 Missing CSRF protection
+@csrf_exempt  # Why?
+def update_profile(request): ...
+
+# ✅ Only exempt when necessary (e.g., API with token auth)
+@csrf_exempt
+@require_api_key  # Alternative protection
+def api_webhook(request): ...
+```
+
+### Views
+
+```python
+# 🚫 Business logic in views
+def create_order(request):
+    order = Order.objects.create(user=request.user)
+    order.total = sum(item.price for item in cart)
+    # Send email
+    # Update inventory
+    # 200 lines later...
+
+# ✅ Service layer
+def create_order(request):
+    order = OrderService.create_from_cart(request.user, cart)
+    return JsonResponse(OrderSerializer(order).data)
+```
+
+## FastAPI Patterns
+
+### Dependency Injection
+
+```python
+# 🚫 Hardcoded dependencies
+@app.get("/users")
+async def get_users():
+    db = Database()  # Created every request
+    return await db.get_users()
+
+# ✅ Dependency injection
+async def get_db():
+    async with AsyncSession() as session:
+        yield session
+
+@app.get("/users")
+async def get_users(db: AsyncSession = Depends(get_db)):
+    return await db.execute(select(User))
+```
+
+### Validation
+
+```python
+# 🚫 Manual validation
+@app.post("/users")
+async def create_user(request: Request):
+    data = await request.json()
+    if 'email' not in data:
+        raise HTTPException(400, "Email required")
+
+# ✅ Pydantic models
+class UserCreate(BaseModel):
+    email: EmailStr
+    name: str = Field(min_length=1, max_length=100)
+
+@app.post("/users")
+async def create_user(user: UserCreate):
+    # Validated automatically
+    return await UserService.create(user)
+```
+
+### Background Tasks
+
+```python
+# 🚫 Long operation in request
+@app.post("/reports")
+async def generate_report():
+    report = await heavy_computation()  # Client timeout!
+    return report
+
+# ✅ Background task
+@app.post("/reports")
+async def generate_report(background_tasks: BackgroundTasks):
+    task_id = str(uuid4())
+    background_tasks.add_task(generate_report_task, task_id)
+    return {"task_id": task_id, "status": "processing"}
+```
+
+## Python Security
+
+### Dangerous Functions
+
+```python
+# 🚫 CRITICAL: eval/exec with user input
+result = eval(user_expression)  # Remote code execution!
+
+# ✅ Use safe alternatives
+import ast
+result = ast.literal_eval(user_expression)  # Only literals
+
+# Or use a proper expression parser
+from simpleeval import simple_eval
+result = simple_eval(user_expression)
+```
+
+```python
+# 🚫 Pickle with untrusted data
+import pickle
+data = pickle.loads(user_data)  # Arbitrary code execution!
+
+# ✅ Use JSON or safe formats
+import json
+data = json.loads(user_data)
+```
+
+```python
+# 🚫 Subprocess with shell=True
+import subprocess
+subprocess.run(f"ls {user_path}", shell=True)  # Command injection!
+
+# ✅ Pass args as list
+subprocess.run(["ls", user_path])
+```
+
+### Path Traversal
+
+```python
+# 🚫 Path traversal vulnerability
+def read_file(filename):
+    with open(f"/data/{filename}") as f:  # ../../../etc/passwd
+        return f.read()
+
+# ✅ Validate and resolve path
+from pathlib import Path
+
+def read_file(filename):
+    base = Path("/data").resolve()
+    file_path = (base / filename).resolve()
+    if not file_path.is_relative_to(base):
+        raise ValueError("Invalid path")
+    return file_path.read_text()
+```
+
+## Performance Patterns
+
+### List Comprehensions vs Loops
+
+```python
+# 🚫 Slow loop with append
+result = []
+for item in items:
+    if item.active:
+        result.append(item.value)
+
+# ✅ List comprehension (faster)
+result = [item.value for item in items if item.active]
+
+# ✅ Generator for large data
+result = (item.value for item in items if item.active)
+```
+
+### Dictionary Operations
+
+```python
+# 🚫 Checking then getting
+if key in dictionary:
+    value = dictionary[key]
+else:
+    value = default
+
+# ✅ get() method
+value = dictionary.get(key, default)
+
+# 🚫 Multiple key lookups
+for key in keys:
+    if key in large_dict:
+        process(large_dict[key])
+
+# ✅ Use items() or single lookup
+for key in keys:
+    value = large_dict.get(key)
+    if value is not None:
+        process(value)
+```
+
+### Caching
+
+```python
+# 🚫 Repeated expensive computation
+def get_expensive_result(user_id):
+    return expensive_computation(user_id)  # Called every time
+
+# ✅ Use functools.lru_cache
+from functools import lru_cache
+
+@lru_cache(maxsize=1000)
+def get_expensive_result(user_id):
+    return expensive_computation(user_id)
+```
+
+## Testing Patterns
+
+### Fixtures
+
+```python
+# 🚫 Test database pollution
+def test_create_user():
+    user = User.objects.create(email="test@test.com")
+    # Persists after test!
+
+# ✅ Use pytest fixtures with cleanup
+@pytest.fixture
+def user(db):
+    user = User.objects.create(email="test@test.com")
+    yield user
+    user.delete()
+
+# Or use transactional tests
+@pytest.mark.django_db(transaction=True)
+def test_create_user():
+    # Rolled back after test
+```
+
+### Mocking
+
+```python
+# 🚫 Mocking too deep
+@patch('myapp.services.user.repository.db.session')
+def test_create_user(mock_session):
+    # Testing implementation, not behavior
+
+# ✅ Mock at boundaries
+@patch('myapp.services.user.external_api.verify_email')
+def test_create_user(mock_verify):
+    mock_verify.return_value = True
+    result = UserService.create(user_data)
+    assert result.verified
+```
+