@tinkcarlos/skillora 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude/skills/.temp-skill-index.md +245 -0
- package/.claude/skills/SKILL.md +264 -0
- package/.claude/skills/api-scaffolding/SKILL.md +431 -0
- package/.claude/skills/api-scaffolding/agents/backend-architect.md +282 -0
- package/.claude/skills/api-scaffolding/agents/django-pro.md +144 -0
- package/.claude/skills/api-scaffolding/agents/fastapi-pro.md +156 -0
- package/.claude/skills/api-scaffolding/agents/graphql-architect.md +146 -0
- package/.claude/skills/api-scaffolding/skills/fastapi-templates/SKILL.md +171 -0
- package/.claude/skills/api-testing-observability/SKILL.md +583 -0
- package/.claude/skills/api-testing-observability/agents/api-documenter.md +146 -0
- package/.claude/skills/api-testing-observability/commands/api-mock.md +1320 -0
- package/.claude/skills/brainstorming/SKILL.md +283 -0
- package/.claude/skills/bug-fixing/SKILL.md +382 -0
- package/.claude/skills/bug-fixing/references/backend-guide.md +132 -0
- package/.claude/skills/bug-fixing/references/bug-guide.md +354 -0
- package/.claude/skills/bug-fixing/references/bug-record-template.md +134 -0
- package/.claude/skills/bug-fixing/references/bug-records.md +88 -0
- package/.claude/skills/bug-fixing/references/code-review-gate.md +81 -0
- package/.claude/skills/bug-fixing/references/common-bugs.md +140 -0
- package/.claude/skills/bug-fixing/references/complete-workflow.md +361 -0
- package/.claude/skills/bug-fixing/references/config-driven-fixes.md +136 -0
- package/.claude/skills/bug-fixing/references/context-isolation-protocol.md +268 -0
- package/.claude/skills/bug-fixing/references/cross-surface-regression.md +120 -0
- package/.claude/skills/bug-fixing/references/database-investigation.md +129 -0
- package/.claude/skills/bug-fixing/references/dependency-and-integrity-protocol.md +369 -0
- package/.claude/skills/bug-fixing/references/fix-completeness-checklist.md +239 -0
- package/.claude/skills/bug-fixing/references/frontend-guide.md +219 -0
- package/.claude/skills/bug-fixing/references/fullstack-joint-guide.md +123 -0
- package/.claude/skills/bug-fixing/references/functional-breakage.md +117 -0
- package/.claude/skills/bug-fixing/references/ide-lint-errors-guide.md +176 -0
- package/.claude/skills/bug-fixing/references/impact-analysis.md +511 -0
- package/.claude/skills/bug-fixing/references/investigation-checklist.md +263 -0
- package/.claude/skills/bug-fixing/references/knowledge-extraction-guide.md +531 -0
- package/.claude/skills/bug-fixing/references/knowledge-workflow.md +212 -0
- package/.claude/skills/bug-fixing/references/post-edit-quality-gate.md +30 -0
- package/.claude/skills/bug-fixing/references/python-env-and-testing.md +126 -0
- package/.claude/skills/bug-fixing/references/rca-guide.md +428 -0
- package/.claude/skills/bug-fixing/references/similar-bug-patterns.md +113 -0
- package/.claude/skills/bug-fixing/references/skill-delegation-guide.md +350 -0
- package/.claude/skills/bug-fixing/references/skill-orchestration.md +155 -0
- package/.claude/skills/bug-fixing/references/testing-strategy.md +350 -0
- package/.claude/skills/bug-fixing/references/tooling-build-scripts.md +162 -0
- package/.claude/skills/bug-fixing/references/user-input-validation.md +77 -0
- package/.claude/skills/bug-fixing/references/ux-patterns.md +158 -0
- package/.claude/skills/bug-fixing/references/windows-terminal-hygiene.md +106 -0
- package/.claude/skills/bug-fixing/references/zero-regression-matrix.md +239 -0
- package/.claude/skills/bug-fixing/references/zero-risk-protocol.md +102 -0
- package/.claude/skills/bug-fixing/scripts/format_code.py +611 -0
- package/.claude/skills/bug-fixing/scripts/generate_report_template.py +74 -0
- package/.claude/skills/bug-fixing/scripts/lint_check.py +816 -0
- package/.claude/skills/bug-fixing/scripts/requirements.txt +36 -0
- package/.claude/skills/cicd-pipeline/SKILL.md +300 -0
- package/.claude/skills/code-review/SKILL.md +535 -0
- package/.claude/skills/code-review/references/anti-pattern-scan.md +102 -0
- package/.claude/skills/code-review/references/automated-analysis.md +456 -0
- package/.claude/skills/code-review/references/backend-common-issues.md +589 -0
- package/.claude/skills/code-review/references/backend-expert-guide.md +415 -0
- package/.claude/skills/code-review/references/backend-review.md +868 -0
- package/.claude/skills/code-review/references/batch-processing-strategy.md +198 -0
- package/.claude/skills/code-review/references/call-chain-analysis-protocol.md +166 -0
- package/.claude/skills/code-review/references/common-patterns.md +321 -0
- package/.claude/skills/code-review/references/configuration-review.md +425 -0
- package/.claude/skills/code-review/references/control-flow-completeness.md +114 -0
- package/.claude/skills/code-review/references/database-review.md +298 -0
- package/.claude/skills/code-review/references/dependency-and-integrity-protocol.md +313 -0
- package/.claude/skills/code-review/references/external-standards.md +51 -0
- package/.claude/skills/code-review/references/feature-review.md +329 -0
- package/.claude/skills/code-review/references/file-review-template.md +326 -0
- package/.claude/skills/code-review/references/frontend-advanced.md +654 -0
- package/.claude/skills/code-review/references/frontend-common-issues.md +482 -0
- package/.claude/skills/code-review/references/frontend-expert-guide.md +342 -0
- package/.claude/skills/code-review/references/frontend-review.md +783 -0
- package/.claude/skills/code-review/references/fullstack-consistency.md +418 -0
- package/.claude/skills/code-review/references/fullstack-review.md +477 -0
- package/.claude/skills/code-review/references/functional-completeness.md +386 -0
- package/.claude/skills/code-review/references/hidden-bugs-detection.md +473 -0
- package/.claude/skills/code-review/references/ide-lint-errors-guide.md +173 -0
- package/.claude/skills/code-review/references/infrastructure-review.md +453 -0
- package/.claude/skills/code-review/references/iteration-review.md +264 -0
- package/.claude/skills/code-review/references/job-review.md +335 -0
- package/.claude/skills/code-review/references/layered-checklist-protocol.md +157 -0
- package/.claude/skills/code-review/references/logic-completeness.md +535 -0
- package/.claude/skills/code-review/references/mandatory-checklist.md +288 -0
- package/.claude/skills/code-review/references/multi-language-guide.md +800 -0
- package/.claude/skills/code-review/references/new-project-review.md +226 -0
- package/.claude/skills/code-review/references/non-code-files-review.md +451 -0
- package/.claude/skills/code-review/references/overlooked-issues.md +657 -0
- package/.claude/skills/code-review/references/platform-specific-review.md +195 -0
- package/.claude/skills/code-review/references/precision-analysis-protocol.md +260 -0
- package/.claude/skills/code-review/references/python-patterns.md +494 -0
- package/.claude/skills/code-review/references/rca-techniques.md +362 -0
- package/.claude/skills/code-review/references/report-template.md +430 -0
- package/.claude/skills/code-review/references/resource-limits-and-degradation.md +137 -0
- package/.claude/skills/code-review/references/review-dimensions.md +311 -0
- package/.claude/skills/code-review/references/review-guide.md +202 -0
- package/.claude/skills/code-review/references/review-knowledge-workflow.md +257 -0
- package/.claude/skills/code-review/references/review-progress-tracker-protocol.md +172 -0
- package/.claude/skills/code-review/references/review-record-template.md +195 -0
- package/.claude/skills/code-review/references/skill-orchestration.md +143 -0
- package/.claude/skills/code-review/references/ui-ux-review.md +470 -0
- package/.claude/skills/containerization/SKILL.md +313 -0
- package/.claude/skills/database-migrations/agents/database-admin.md +142 -0
- package/.claude/skills/database-migrations/agents/database-optimizer.md +144 -0
- package/.claude/skills/database-migrations/commands/migration-observability.md +408 -0
- package/.claude/skills/database-migrations/commands/sql-migrations.md +492 -0
- package/.claude/skills/finishing-a-development-branch/SKILL.md +319 -0
- package/.claude/skills/frontend-design/LICENSE.txt +177 -0
- package/.claude/skills/frontend-design/SKILL.md +587 -0
- package/.claude/skills/frontend-design/references/color-consistency.md +487 -0
- package/.claude/skills/frontend-design/references/color-palettes-full.md +657 -0
- package/.claude/skills/frontend-design/references/design-system-generator.md +285 -0
- package/.claude/skills/frontend-design/references/font-pairings-full.md +705 -0
- package/.claude/skills/frontend-design/references/industry-anti-patterns.md +281 -0
- package/.claude/skills/frontend-design/references/layout-anti-patterns.md +582 -0
- package/.claude/skills/frontend-design/references/motion-patterns.md +659 -0
- package/.claude/skills/frontend-design/references/pre-delivery-checklist.md +153 -0
- package/.claude/skills/frontend-design/references/responsive-design.md +555 -0
- package/.claude/skills/frontend-design/references/style-modification-rules.md +335 -0
- package/.claude/skills/frontend-design/references/ui-styles-full.md +383 -0
- package/.claude/skills/frontend-design/references/ui-styles-rating.md +191 -0
- package/.claude/skills/frontend-design/references/ux-guidelines.md +640 -0
- package/.claude/skills/fullstack-developer/SKILL.md +512 -0
- package/.claude/skills/fullstack-developer/references/api-contract-guide.md +312 -0
- package/.claude/skills/fullstack-developer/references/api-response-patterns.md +223 -0
- package/.claude/skills/fullstack-developer/references/async-patterns.md +220 -0
- package/.claude/skills/fullstack-developer/references/bug-prevention.md +914 -0
- package/.claude/skills/fullstack-developer/references/code-quality-checklist.md +271 -0
- package/.claude/skills/fullstack-developer/references/complete-development-workflow.md +278 -0
- package/.claude/skills/fullstack-developer/references/context-isolation-protocol.md +256 -0
- package/.claude/skills/fullstack-developer/references/database-migration.md +331 -0
- package/.claude/skills/fullstack-developer/references/dependency-and-integrity-protocol.md +390 -0
- package/.claude/skills/fullstack-developer/references/development-phases.md +333 -0
- package/.claude/skills/fullstack-developer/references/expert-guide.md +214 -0
- package/.claude/skills/fullstack-developer/references/file-import-patterns.md +114 -0
- package/.claude/skills/fullstack-developer/references/graceful-degradation-patterns.md +78 -0
- package/.claude/skills/fullstack-developer/references/ide-lint-errors-guide.md +183 -0
- package/.claude/skills/fullstack-developer/references/integration-testing.md +301 -0
- package/.claude/skills/fullstack-developer/references/mock-api-patterns.md +307 -0
- package/.claude/skills/fullstack-developer/references/phase-gate-template.md +249 -0
- package/.claude/skills/fullstack-developer/references/post-edit-quality-gate.md +30 -0
- package/.claude/skills/fullstack-developer/references/python-engineering.md +79 -0
- package/.claude/skills/fullstack-developer/references/skill-orchestration.md +214 -0
- package/.claude/skills/fullstack-developer/references/skill-router-table.md +304 -0
- package/.claude/skills/fullstack-developer/references/state-sync.md +217 -0
- package/.claude/skills/fullstack-developer/references/ui-testing-checklist.md +292 -0
- package/.claude/skills/fullstack-developer/scripts/format_code.py +611 -0
- package/.claude/skills/fullstack-developer/scripts/lint_check.py +816 -0
- package/.claude/skills/fullstack-developer/scripts/requirements.txt +36 -0
- package/.claude/skills/performance-optimization/SKILL.md +250 -0
- package/.claude/skills/product-requirements/SKILL.md +357 -0
- package/.claude/skills/product-requirements/references/acceptance-criteria.md +335 -0
- package/.claude/skills/product-requirements/references/answer-first-questioning-protocol.md +299 -0
- package/.claude/skills/product-requirements/references/competitive-analysis-guide.md +183 -0
- package/.claude/skills/product-requirements/references/document-accuracy-protocol.md +253 -0
- package/.claude/skills/product-requirements/references/document-management-protocol.md +278 -0
- package/.claude/skills/product-requirements/references/external-standards.md +62 -0
- package/.claude/skills/product-requirements/references/feature-spec-template.md +359 -0
- package/.claude/skills/product-requirements/references/knowledge-acquisition-protocol.md +251 -0
- package/.claude/skills/product-requirements/references/plan-execution-protocol.md +334 -0
- package/.claude/skills/product-requirements/references/plan-generation-protocol.md +264 -0
- package/.claude/skills/product-requirements/references/prioritization-frameworks.md +80 -0
- package/.claude/skills/product-requirements/references/requirement-decomposition-protocol.md +291 -0
- package/.claude/skills/product-requirements/references/user-story-examples.md +297 -0
- package/.claude/skills/product-requirements/references/workflow-templates.md +266 -0
- package/.claude/skills/react-best-practices/SKILL.md +198 -0
- package/.claude/skills/react-best-practices/references/advanced-patterns.md +94 -0
- package/.claude/skills/react-best-practices/references/bundle-optimization.md +182 -0
- package/.claude/skills/react-best-practices/references/client-data-fetching.md +112 -0
- package/.claude/skills/react-best-practices/references/complete-guide.md +2249 -0
- package/.claude/skills/react-best-practices/references/eliminating-waterfalls.md +169 -0
- package/.claude/skills/react-best-practices/references/javascript-performance.md +256 -0
- package/.claude/skills/react-best-practices/references/rendering-performance.md +230 -0
- package/.claude/skills/react-best-practices/references/rerender-optimization.md +214 -0
- package/.claude/skills/react-best-practices/references/server-performance.md +182 -0
- package/.claude/skills/security-audit/SKILL.md +226 -0
- package/.claude/skills/shared-references/advanced-debugging-techniques.md +186 -0
- package/.claude/skills/shared-references/code-quality-checklist.md +218 -0
- package/.claude/skills/shared-references/code-review-efficiency-guide.md +125 -0
- package/.claude/skills/shared-references/mcp-dependency-compatibility-protocol.md +276 -0
- package/.claude/skills/shared-references/skill-call-graph.md +230 -0
- package/.claude/skills/shared-references/skill-orchestration-protocol.md +281 -0
- package/.claude/skills/shared-references/subagent-dispatch-templates.md +199 -0
- package/.claude/skills/skill-expert-skills/LICENSE.txt +204 -0
- package/.claude/skills/skill-expert-skills/QUICK_NAVIGATION.md +374 -0
- package/.claude/skills/skill-expert-skills/SKILL.md +247 -0
- package/.claude/skills/skill-expert-skills/docs/_index.md +91 -0
- package/.claude/skills/skill-expert-skills/references/deep-research-methodology.md +389 -0
- package/.claude/skills/skill-expert-skills/references/docs-generation-workflow.md +398 -0
- package/.claude/skills/skill-expert-skills/references/domain-expertise-protocol.md +343 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/_index.md +54 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/backend-expertise.md +517 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/bug-fixing-expertise.md +363 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/code-review-expertise.md +392 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/frontend-expertise.md +410 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge-template.md +503 -0
- package/.claude/skills/skill-expert-skills/references/examples.md +782 -0
- package/.claude/skills/skill-expert-skills/references/integration-examples.md +655 -0
- package/.claude/skills/skill-expert-skills/references/knowledge-validation-checklist.md +246 -0
- package/.claude/skills/skill-expert-skills/references/latest-knowledge-acquisition.md +461 -0
- package/.claude/skills/skill-expert-skills/references/mcp-tools-guide.md +439 -0
- package/.claude/skills/skill-expert-skills/references/official-best-practices.md +616 -0
- package/.claude/skills/skill-expert-skills/references/patterns.md +218 -0
- package/.claude/skills/skill-expert-skills/references/plugin-skills-guide.md +432 -0
- package/.claude/skills/skill-expert-skills/references/requirement-elicitation-protocol.md +290 -0
- package/.claude/skills/skill-expert-skills/references/skill-creator-SKILL.md +353 -0
- package/.claude/skills/skill-expert-skills/references/skill-templates.md +583 -0
- package/.claude/skills/skill-expert-skills/references/skills-knowledge-base.md +561 -0
- package/.claude/skills/skill-expert-skills/references/tools-guide.md +379 -0
- package/.claude/skills/skill-expert-skills/references/troubleshooting.md +378 -0
- package/.claude/skills/skill-expert-skills/references/universality-guide.md +205 -0
- package/.claude/skills/skill-expert-skills/references/writing-style-guide.md +466 -0
- package/.claude/skills/skill-expert-skills/scripts/__pycache__/quick_validate.cpython-313.pyc +0 -0
- package/.claude/skills/skill-expert-skills/scripts/__pycache__/universal_validate.cpython-313.pyc +0 -0
- package/.claude/skills/skill-expert-skills/scripts/analyze_trigger.py +425 -0
- package/.claude/skills/skill-expert-skills/scripts/diff_with_official.py +188 -0
- package/.claude/skills/skill-expert-skills/scripts/init_skill.py +349 -0
- package/.claude/skills/skill-expert-skills/scripts/package_skill.py +156 -0
- package/.claude/skills/skill-expert-skills/scripts/quick_validate.py +493 -0
- package/.claude/skills/skill-expert-skills/scripts/requirements.txt +2 -0
- package/.claude/skills/skill-expert-skills/scripts/universal_validate.py +182 -0
- package/.claude/skills/skill-expert-skills/scripts/upgrade_skill.py +431 -0
- package/.claude/skills/subagent-driven-development/SKILL.md +268 -0
- package/.claude/skills/test-driven-development/SKILL.md +246 -0
- package/.claude/skills/test-driven-development/references/testing-anti-patterns.md +192 -0
- package/.claude/skills/using-git-worktrees/SKILL.md +266 -0
- package/.claude/skills/using-skillstack/SKILL.md +127 -0
- package/.claude/skills/vercel-deploy/SKILL.md +166 -0
- package/.claude/skills/vercel-deploy/scripts/deploy.sh +249 -0
- package/.claude/skills/verification-before-completion/SKILL.md +305 -0
- package/.claude/skills/writing-plans/SKILL.md +259 -0
- package/README.md +69 -0
- package/bin/cli.js +468 -0
- package/lib/init.js +333 -0
- package/package.json +29 -0
|
@@ -0,0 +1,214 @@
|
|
|
1
|
+
# Re-render Optimization
|
|
2
|
+
|
|
3
|
+
**Impact: MEDIUM**
|
|
4
|
+
|
|
5
|
+
Reducing unnecessary re-renders minimizes wasted computation and improves UI responsiveness.
|
|
6
|
+
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
## 1. Defer State Reads to Usage Point
|
|
10
|
+
|
|
11
|
+
**Impact: MEDIUM (avoids unnecessary subscriptions)**
|
|
12
|
+
|
|
13
|
+
Don't subscribe to dynamic state if you only read it inside callbacks.
|
|
14
|
+
|
|
15
|
+
```tsx
|
|
16
|
+
// ❌ Incorrect: subscribes to all searchParams changes
|
|
17
|
+
function ShareButton({ chatId }: { chatId: string }) {
|
|
18
|
+
const searchParams = useSearchParams()
|
|
19
|
+
|
|
20
|
+
const handleShare = () => {
|
|
21
|
+
const ref = searchParams.get('ref')
|
|
22
|
+
shareChat(chatId, { ref })
|
|
23
|
+
}
|
|
24
|
+
|
|
25
|
+
return <button onClick={handleShare}>Share</button>
|
|
26
|
+
}
|
|
27
|
+
|
|
28
|
+
// ✅ Correct: reads on demand, no subscription
|
|
29
|
+
function ShareButton({ chatId }: { chatId: string }) {
|
|
30
|
+
const handleShare = () => {
|
|
31
|
+
const params = new URLSearchParams(window.location.search)
|
|
32
|
+
const ref = params.get('ref')
|
|
33
|
+
shareChat(chatId, { ref })
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
return <button onClick={handleShare}>Share</button>
|
|
37
|
+
}
|
|
38
|
+
```
|
|
39
|
+
|
|
40
|
+
---
|
|
41
|
+
|
|
42
|
+
## 2. Extract to Memoized Components
|
|
43
|
+
|
|
44
|
+
**Impact: MEDIUM (enables early returns)**
|
|
45
|
+
|
|
46
|
+
```tsx
|
|
47
|
+
// ❌ Incorrect: computes avatar even when loading
|
|
48
|
+
function Profile({ user, loading }: Props) {
|
|
49
|
+
const avatar = useMemo(() => {
|
|
50
|
+
const id = computeAvatarId(user)
|
|
51
|
+
return <Avatar id={id} />
|
|
52
|
+
}, [user])
|
|
53
|
+
|
|
54
|
+
if (loading) return <Skeleton />
|
|
55
|
+
return <div>{avatar}</div>
|
|
56
|
+
}
|
|
57
|
+
|
|
58
|
+
// ✅ Correct: skips computation when loading
|
|
59
|
+
const UserAvatar = memo(function UserAvatar({ user }: { user: User }) {
|
|
60
|
+
const id = useMemo(() => computeAvatarId(user), [user])
|
|
61
|
+
return <Avatar id={id} />
|
|
62
|
+
})
|
|
63
|
+
|
|
64
|
+
function Profile({ user, loading }: Props) {
|
|
65
|
+
if (loading) return <Skeleton />
|
|
66
|
+
return (
|
|
67
|
+
<div>
|
|
68
|
+
<UserAvatar user={user} />
|
|
69
|
+
</div>
|
|
70
|
+
)
|
|
71
|
+
}
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
**Note:** If React Compiler is enabled, manual memoization is not necessary.
|
|
75
|
+
|
|
76
|
+
---
|
|
77
|
+
|
|
78
|
+
## 3. Narrow Effect Dependencies
|
|
79
|
+
|
|
80
|
+
**Impact: LOW (minimizes effect re-runs)**
|
|
81
|
+
|
|
82
|
+
```tsx
|
|
83
|
+
// ❌ Incorrect: re-runs on any user field change
|
|
84
|
+
useEffect(() => {
|
|
85
|
+
console.log(user.id)
|
|
86
|
+
}, [user])
|
|
87
|
+
|
|
88
|
+
// ✅ Correct: re-runs only when id changes
|
|
89
|
+
useEffect(() => {
|
|
90
|
+
console.log(user.id)
|
|
91
|
+
}, [user.id])
|
|
92
|
+
```
|
|
93
|
+
|
|
94
|
+
**For derived state:**
|
|
95
|
+
|
|
96
|
+
```tsx
|
|
97
|
+
// ❌ Incorrect: runs on width=767, 766, 765...
|
|
98
|
+
useEffect(() => {
|
|
99
|
+
if (width < 768) {
|
|
100
|
+
enableMobileMode()
|
|
101
|
+
}
|
|
102
|
+
}, [width])
|
|
103
|
+
|
|
104
|
+
// ✅ Correct: runs only on boolean transition
|
|
105
|
+
const isMobile = width < 768
|
|
106
|
+
useEffect(() => {
|
|
107
|
+
if (isMobile) {
|
|
108
|
+
enableMobileMode()
|
|
109
|
+
}
|
|
110
|
+
}, [isMobile])
|
|
111
|
+
```
|
|
112
|
+
|
|
113
|
+
---
|
|
114
|
+
|
|
115
|
+
## 4. Subscribe to Derived State
|
|
116
|
+
|
|
117
|
+
**Impact: MEDIUM (reduces re-render frequency)**
|
|
118
|
+
|
|
119
|
+
```tsx
|
|
120
|
+
// ❌ Incorrect: re-renders on every pixel change
|
|
121
|
+
function Sidebar() {
|
|
122
|
+
const width = useWindowWidth() // updates continuously
|
|
123
|
+
const isMobile = width < 768
|
|
124
|
+
return <nav className={isMobile ? 'mobile' : 'desktop'}>
|
|
125
|
+
}
|
|
126
|
+
|
|
127
|
+
// ✅ Correct: re-renders only when boolean changes
|
|
128
|
+
function Sidebar() {
|
|
129
|
+
const isMobile = useMediaQuery('(max-width: 767px)')
|
|
130
|
+
return <nav className={isMobile ? 'mobile' : 'desktop'}>
|
|
131
|
+
}
|
|
132
|
+
```
|
|
133
|
+
|
|
134
|
+
---
|
|
135
|
+
|
|
136
|
+
## 5. Use Functional setState Updates
|
|
137
|
+
|
|
138
|
+
**Impact: MEDIUM (prevents stale closures)**
|
|
139
|
+
|
|
140
|
+
```tsx
|
|
141
|
+
// ❌ Incorrect: requires state as dependency
|
|
142
|
+
function TodoList() {
|
|
143
|
+
const [items, setItems] = useState(initialItems)
|
|
144
|
+
|
|
145
|
+
const addItems = useCallback((newItems: Item[]) => {
|
|
146
|
+
setItems([...items, ...newItems])
|
|
147
|
+
}, [items]) // ❌ items dependency causes recreations
|
|
148
|
+
|
|
149
|
+
return <ItemsEditor items={items} onAdd={addItems} />
|
|
150
|
+
}
|
|
151
|
+
|
|
152
|
+
// ✅ Correct: stable callbacks, no stale closures
|
|
153
|
+
function TodoList() {
|
|
154
|
+
const [items, setItems] = useState(initialItems)
|
|
155
|
+
|
|
156
|
+
const addItems = useCallback((newItems: Item[]) => {
|
|
157
|
+
setItems(curr => [...curr, ...newItems])
|
|
158
|
+
}, []) // ✅ No dependencies needed
|
|
159
|
+
|
|
160
|
+
return <ItemsEditor items={items} onAdd={addItems} />
|
|
161
|
+
}
|
|
162
|
+
```
|
|
163
|
+
|
|
164
|
+
---
|
|
165
|
+
|
|
166
|
+
## 6. Use Lazy State Initialization
|
|
167
|
+
|
|
168
|
+
**Impact: MEDIUM (wasted computation on every render)**
|
|
169
|
+
|
|
170
|
+
```tsx
|
|
171
|
+
// ❌ Incorrect: runs on every render
|
|
172
|
+
function FilteredList({ items }: { items: Item[] }) {
|
|
173
|
+
const [searchIndex, setSearchIndex] = useState(buildSearchIndex(items))
|
|
174
|
+
// ...
|
|
175
|
+
}
|
|
176
|
+
|
|
177
|
+
// ✅ Correct: runs only once
|
|
178
|
+
function FilteredList({ items }: { items: Item[] }) {
|
|
179
|
+
const [searchIndex, setSearchIndex] = useState(() => buildSearchIndex(items))
|
|
180
|
+
// ...
|
|
181
|
+
}
|
|
182
|
+
```
|
|
183
|
+
|
|
184
|
+
---
|
|
185
|
+
|
|
186
|
+
## 7. Use Transitions for Non-Urgent Updates
|
|
187
|
+
|
|
188
|
+
**Impact: MEDIUM (maintains UI responsiveness)**
|
|
189
|
+
|
|
190
|
+
```tsx
|
|
191
|
+
// ❌ Incorrect: blocks UI on every scroll
|
|
192
|
+
function ScrollTracker() {
|
|
193
|
+
const [scrollY, setScrollY] = useState(0)
|
|
194
|
+
useEffect(() => {
|
|
195
|
+
const handler = () => setScrollY(window.scrollY)
|
|
196
|
+
window.addEventListener('scroll', handler, { passive: true })
|
|
197
|
+
return () => window.removeEventListener('scroll', handler)
|
|
198
|
+
}, [])
|
|
199
|
+
}
|
|
200
|
+
|
|
201
|
+
// ✅ Correct: non-blocking updates
|
|
202
|
+
import { startTransition } from 'react'
|
|
203
|
+
|
|
204
|
+
function ScrollTracker() {
|
|
205
|
+
const [scrollY, setScrollY] = useState(0)
|
|
206
|
+
useEffect(() => {
|
|
207
|
+
const handler = () => {
|
|
208
|
+
startTransition(() => setScrollY(window.scrollY))
|
|
209
|
+
}
|
|
210
|
+
window.addEventListener('scroll', handler, { passive: true })
|
|
211
|
+
return () => window.removeEventListener('scroll', handler)
|
|
212
|
+
}, [])
|
|
213
|
+
}
|
|
214
|
+
```
|
|
@@ -0,0 +1,182 @@
|
|
|
1
|
+
# Server-Side Performance
|
|
2
|
+
|
|
3
|
+
**Impact: HIGH**
|
|
4
|
+
|
|
5
|
+
Optimizing server-side rendering and data fetching eliminates server-side waterfalls and reduces response times.
|
|
6
|
+
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
## 1. Cross-Request LRU Caching
|
|
10
|
+
|
|
11
|
+
**Impact: HIGH (caches across requests)**
|
|
12
|
+
|
|
13
|
+
`React.cache()` only works within one request. For data shared across sequential requests, use an LRU cache.
|
|
14
|
+
|
|
15
|
+
```typescript
|
|
16
|
+
import { LRUCache } from 'lru-cache'
|
|
17
|
+
|
|
18
|
+
const cache = new LRUCache<string, any>({
|
|
19
|
+
max: 1000,
|
|
20
|
+
ttl: 5 * 60 * 1000 // 5 minutes
|
|
21
|
+
})
|
|
22
|
+
|
|
23
|
+
export async function getUser(id: string) {
|
|
24
|
+
const cached = cache.get(id)
|
|
25
|
+
if (cached) return cached
|
|
26
|
+
|
|
27
|
+
const user = await db.user.findUnique({ where: { id } })
|
|
28
|
+
cache.set(id, user)
|
|
29
|
+
return user
|
|
30
|
+
}
|
|
31
|
+
|
|
32
|
+
// Request 1: DB query, result cached
|
|
33
|
+
// Request 2: cache hit, no DB query
|
|
34
|
+
```
|
|
35
|
+
|
|
36
|
+
**With Vercel's Fluid Compute:** LRU caching is especially effective because multiple concurrent requests can share the same function instance and cache.
|
|
37
|
+
|
|
38
|
+
**In traditional serverless:** Consider Redis for cross-process caching.
|
|
39
|
+
|
|
40
|
+
---
|
|
41
|
+
|
|
42
|
+
## 2. Minimize Serialization at RSC Boundaries
|
|
43
|
+
|
|
44
|
+
**Impact: HIGH (reduces data transfer size)**
|
|
45
|
+
|
|
46
|
+
Only pass fields that the client actually uses.
|
|
47
|
+
|
|
48
|
+
```tsx
|
|
49
|
+
// ❌ Incorrect: serializes all 50 fields
|
|
50
|
+
async function Page() {
|
|
51
|
+
const user = await fetchUser() // 50 fields
|
|
52
|
+
return <Profile user={user} />
|
|
53
|
+
}
|
|
54
|
+
|
|
55
|
+
'use client'
|
|
56
|
+
function Profile({ user }: { user: User }) {
|
|
57
|
+
return <div>{user.name}</div> // uses 1 field
|
|
58
|
+
}
|
|
59
|
+
|
|
60
|
+
// ✅ Correct: serializes only 1 field
|
|
61
|
+
async function Page() {
|
|
62
|
+
const user = await fetchUser()
|
|
63
|
+
return <Profile name={user.name} />
|
|
64
|
+
}
|
|
65
|
+
|
|
66
|
+
'use client'
|
|
67
|
+
function Profile({ name }: { name: string }) {
|
|
68
|
+
return <div>{name}</div>
|
|
69
|
+
}
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
---
|
|
73
|
+
|
|
74
|
+
## 3. Parallel Data Fetching with Component Composition
|
|
75
|
+
|
|
76
|
+
**Impact: CRITICAL (eliminates server-side waterfalls)**
|
|
77
|
+
|
|
78
|
+
React Server Components execute sequentially within a tree. Restructure with composition to parallelize.
|
|
79
|
+
|
|
80
|
+
```tsx
|
|
81
|
+
// ❌ Incorrect: Sidebar waits for Page's fetch to complete
|
|
82
|
+
export default async function Page() {
|
|
83
|
+
const header = await fetchHeader()
|
|
84
|
+
return (
|
|
85
|
+
<div>
|
|
86
|
+
<div>{header}</div>
|
|
87
|
+
<Sidebar />
|
|
88
|
+
</div>
|
|
89
|
+
)
|
|
90
|
+
}
|
|
91
|
+
|
|
92
|
+
async function Sidebar() {
|
|
93
|
+
const items = await fetchSidebarItems()
|
|
94
|
+
return <nav>{items.map(renderItem)}</nav>
|
|
95
|
+
}
|
|
96
|
+
|
|
97
|
+
// ✅ Correct: both fetch simultaneously
|
|
98
|
+
async function Header() {
|
|
99
|
+
const data = await fetchHeader()
|
|
100
|
+
return <div>{data}</div>
|
|
101
|
+
}
|
|
102
|
+
|
|
103
|
+
async function Sidebar() {
|
|
104
|
+
const items = await fetchSidebarItems()
|
|
105
|
+
return <nav>{items.map(renderItem)}</nav>
|
|
106
|
+
}
|
|
107
|
+
|
|
108
|
+
export default function Page() {
|
|
109
|
+
return (
|
|
110
|
+
<div>
|
|
111
|
+
<Header />
|
|
112
|
+
<Sidebar />
|
|
113
|
+
</div>
|
|
114
|
+
)
|
|
115
|
+
}
|
|
116
|
+
```
|
|
117
|
+
|
|
118
|
+
---
|
|
119
|
+
|
|
120
|
+
## 4. Per-Request Deduplication with React.cache()
|
|
121
|
+
|
|
122
|
+
**Impact: MEDIUM (deduplicates within request)**
|
|
123
|
+
|
|
124
|
+
```typescript
|
|
125
|
+
import { cache } from 'react'
|
|
126
|
+
|
|
127
|
+
export const getCurrentUser = cache(async () => {
|
|
128
|
+
const session = await auth()
|
|
129
|
+
if (!session?.user?.id) return null
|
|
130
|
+
return await db.user.findUnique({
|
|
131
|
+
where: { id: session.user.id }
|
|
132
|
+
})
|
|
133
|
+
})
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
Within a single request, multiple calls to `getCurrentUser()` execute the query only once.
|
|
137
|
+
|
|
138
|
+
---
|
|
139
|
+
|
|
140
|
+
## 5. Use after() for Non-Blocking Operations
|
|
141
|
+
|
|
142
|
+
**Impact: MEDIUM (faster response times)**
|
|
143
|
+
|
|
144
|
+
Use Next.js's `after()` to schedule work that should execute after a response is sent.
|
|
145
|
+
|
|
146
|
+
```tsx
|
|
147
|
+
// ❌ Incorrect: blocks response
|
|
148
|
+
export async function POST(request: Request) {
|
|
149
|
+
await updateDatabase(request)
|
|
150
|
+
|
|
151
|
+
// Logging blocks the response
|
|
152
|
+
const userAgent = request.headers.get('user-agent') || 'unknown'
|
|
153
|
+
await logUserAction({ userAgent })
|
|
154
|
+
|
|
155
|
+
return new Response(JSON.stringify({ status: 'success' }))
|
|
156
|
+
}
|
|
157
|
+
|
|
158
|
+
// ✅ Correct: non-blocking
|
|
159
|
+
import { after } from 'next/server'
|
|
160
|
+
import { headers, cookies } from 'next/headers'
|
|
161
|
+
|
|
162
|
+
export async function POST(request: Request) {
|
|
163
|
+
await updateDatabase(request)
|
|
164
|
+
|
|
165
|
+
// Log after response is sent
|
|
166
|
+
after(async () => {
|
|
167
|
+
const userAgent = (await headers()).get('user-agent') || 'unknown'
|
|
168
|
+
const sessionCookie = (await cookies()).get('session-id')?.value || 'anonymous'
|
|
169
|
+
|
|
170
|
+
logUserAction({ sessionCookie, userAgent })
|
|
171
|
+
})
|
|
172
|
+
|
|
173
|
+
return new Response(JSON.stringify({ status: 'success' }))
|
|
174
|
+
}
|
|
175
|
+
```
|
|
176
|
+
|
|
177
|
+
**Common use cases:**
|
|
178
|
+
- Analytics tracking
|
|
179
|
+
- Audit logging
|
|
180
|
+
- Sending notifications
|
|
181
|
+
- Cache invalidation
|
|
182
|
+
- Cleanup tasks
|
|
@@ -0,0 +1,226 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: security-audit
|
|
3
|
+
description: |
|
|
4
|
+
Security audit with OWASP Top 10, SAST/DAST, and dependency scanning.
|
|
5
|
+
|
|
6
|
+
Use when:
|
|
7
|
+
- Auditing code for security vulnerabilities
|
|
8
|
+
- Checking OWASP Top 10 compliance
|
|
9
|
+
- Scanning dependencies for CVEs
|
|
10
|
+
- Reviewing authentication/authorization logic
|
|
11
|
+
|
|
12
|
+
Key Features:
|
|
13
|
+
- OWASP Top 10 checklist
|
|
14
|
+
- SAST: Static code analysis
|
|
15
|
+
- Dependency vulnerability scanning
|
|
16
|
+
- Auth/AuthZ review patterns
|
|
17
|
+
allowed-tools: [read, execute, grep, glob, mcp__serena__find_symbol, mcp__serena__get_symbols_overview]
|
|
18
|
+
---
|
|
19
|
+
|
|
20
|
+
# Security Audit
|
|
21
|
+
|
|
22
|
+
Find vulnerabilities before attackers do.
|
|
23
|
+
|
|
24
|
+
## The Iron Law
|
|
25
|
+
|
|
26
|
+
```
|
|
27
|
+
NO DEPLOY WITHOUT SECURITY REVIEW. NO USER INPUT WITHOUT VALIDATION. NO SECRET IN CODE.
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
---
|
|
31
|
+
|
|
32
|
+
## Quick Start
|
|
33
|
+
|
|
34
|
+
```
|
|
35
|
+
安全审计请求
|
|
36
|
+
│
|
|
37
|
+
▼
|
|
38
|
+
┌─────────────────────────────────────────────────────────────┐
|
|
39
|
+
│ Step 1: 确定审计范围 │
|
|
40
|
+
│ ─────────────────────────────────────────────────────────── │
|
|
41
|
+
│ 全量审计 → 完整 OWASP Top 10 检查 │
|
|
42
|
+
│ 增量审计 → 仅审查变更代码 │
|
|
43
|
+
│ 专项审计 → 特定漏洞类型 (如 SQL 注入) │
|
|
44
|
+
└─────────────────────────────────────────────────────────────┘
|
|
45
|
+
│
|
|
46
|
+
▼
|
|
47
|
+
┌─────────────────────────────────────────────────────────────┐
|
|
48
|
+
│ Step 2: 执行检查 │
|
|
49
|
+
│ ─────────────────────────────────────────────────────────── │
|
|
50
|
+
│ 1. OWASP Top 10 检查清单 │
|
|
51
|
+
│ 2. 依赖漏洞扫描 │
|
|
52
|
+
│ 3. 敏感信息泄露检查 │
|
|
53
|
+
│ 4. 认证/授权逻辑审查 │
|
|
54
|
+
└─────────────────────────────────────────────────────────────┘
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
---
|
|
58
|
+
|
|
59
|
+
## 🔴 OWASP Top 10 (2021) 检查清单
|
|
60
|
+
|
|
61
|
+
| # | 漏洞类型 | 检查要点 | 严重等级 |
|
|
62
|
+
|---|----------|----------|----------|
|
|
63
|
+
| A01 | Broken Access Control | 越权访问、IDOR、路径遍历 | **P0** |
|
|
64
|
+
| A02 | Cryptographic Failures | 弱加密、明文传输、硬编码密钥 | **P0** |
|
|
65
|
+
| A03 | Injection | SQL/NoSQL/OS/LDAP 注入 | **P0** |
|
|
66
|
+
| A04 | Insecure Design | 业务逻辑漏洞、缺少威胁建模 | **P1** |
|
|
67
|
+
| A05 | Security Misconfiguration | 默认配置、错误信息泄露 | **P1** |
|
|
68
|
+
| A06 | Vulnerable Components | 已知漏洞依赖、过期组件 | **P0** |
|
|
69
|
+
| A07 | Auth Failures | 弱密码、会话固定、暴力破解 | **P0** |
|
|
70
|
+
| A08 | Data Integrity Failures | 不安全反序列化、CI/CD 污染 | **P1** |
|
|
71
|
+
| A09 | Logging Failures | 日志不足、敏感信息记录 | **P2** |
|
|
72
|
+
| A10 | SSRF | 服务端请求伪造 | **P1** |
|
|
73
|
+
|
|
74
|
+
→ 详细检查清单: `references/owasp-top10-checklist.md`
|
|
75
|
+
|
|
76
|
+
---
|
|
77
|
+
|
|
78
|
+
## 🔴 代码审查模式
|
|
79
|
+
|
|
80
|
+
### Injection 检查
|
|
81
|
+
|
|
82
|
+
```python
|
|
83
|
+
# ❌ 危险模式
|
|
84
|
+
query = f"SELECT * FROM users WHERE id = {user_id}" # SQL 注入
|
|
85
|
+
os.system(f"ping {host}") # 命令注入
|
|
86
|
+
eval(user_input) # 代码注入
|
|
87
|
+
|
|
88
|
+
# ✅ 安全模式
|
|
89
|
+
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,)) # 参数化
|
|
90
|
+
subprocess.run(["ping", host], shell=False) # 避免 shell
|
|
91
|
+
ast.literal_eval(user_input) # 安全解析
|
|
92
|
+
```
|
|
93
|
+
|
|
94
|
+
### XSS 检查
|
|
95
|
+
|
|
96
|
+
```javascript
|
|
97
|
+
// ❌ 危险模式
|
|
98
|
+
element.innerHTML = userInput; // DOM XSS
|
|
99
|
+
document.write(data); // 反射 XSS
|
|
100
|
+
|
|
101
|
+
// ✅ 安全模式
|
|
102
|
+
element.textContent = userInput; // 自动转义
|
|
103
|
+
DOMPurify.sanitize(data); // 显式清理
|
|
104
|
+
```
|
|
105
|
+
|
|
106
|
+
### 认证检查
|
|
107
|
+
|
|
108
|
+
| 检查项 | 通过标准 |
|
|
109
|
+
|--------|----------|
|
|
110
|
+
| 密码存储 | bcrypt/argon2,cost ≥ 10 |
|
|
111
|
+
| 会话管理 | HttpOnly + Secure + SameSite |
|
|
112
|
+
| Token | JWT 签名验证 + 过期检查 |
|
|
113
|
+
| 暴力破解 | 速率限制 + 账户锁定 |
|
|
114
|
+
|
|
115
|
+
---
|
|
116
|
+
|
|
117
|
+
## 🔴 依赖漏洞扫描
|
|
118
|
+
|
|
119
|
+
### 扫描命令
|
|
120
|
+
|
|
121
|
+
```bash
|
|
122
|
+
# Python
|
|
123
|
+
pip-audit
|
|
124
|
+
safety check
|
|
125
|
+
|
|
126
|
+
# Node.js
|
|
127
|
+
npm audit
|
|
128
|
+
yarn audit
|
|
129
|
+
|
|
130
|
+
# 通用
|
|
131
|
+
snyk test
|
|
132
|
+
trivy fs .
|
|
133
|
+
```
|
|
134
|
+
|
|
135
|
+
### 漏洞处理优先级
|
|
136
|
+
|
|
137
|
+
| CVSS 分数 | 严重等级 | 处理时限 |
|
|
138
|
+
|-----------|----------|----------|
|
|
139
|
+
| 9.0-10.0 | Critical | 立即修复 |
|
|
140
|
+
| 7.0-8.9 | High | 24 小时内 |
|
|
141
|
+
| 4.0-6.9 | Medium | 1 周内 |
|
|
142
|
+
| 0.1-3.9 | Low | 下个版本 |
|
|
143
|
+
|
|
144
|
+
---
|
|
145
|
+
|
|
146
|
+
## 🔴 敏感信息检查
|
|
147
|
+
|
|
148
|
+
### 禁止出现在代码中
|
|
149
|
+
|
|
150
|
+
```
|
|
151
|
+
# 正则模式
|
|
152
|
+
API[_-]?KEY.*=.*['"][a-zA-Z0-9]{20,}['"]
|
|
153
|
+
SECRET.*=.*['"][a-zA-Z0-9]{20,}['"]
|
|
154
|
+
PASSWORD.*=.*['"].+['"]
|
|
155
|
+
-----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY-----
|
|
156
|
+
```
|
|
157
|
+
|
|
158
|
+
### 检查位置
|
|
159
|
+
|
|
160
|
+
| 位置 | 检查内容 |
|
|
161
|
+
|------|----------|
|
|
162
|
+
| 源代码 | 硬编码密钥、密码 |
|
|
163
|
+
| 配置文件 | .env 是否在 .gitignore |
|
|
164
|
+
| Git 历史 | 历史提交中的敏感信息 |
|
|
165
|
+
| 日志 | 是否记录敏感数据 |
|
|
166
|
+
|
|
167
|
+
---
|
|
168
|
+
|
|
169
|
+
## 输出契约
|
|
170
|
+
|
|
171
|
+
```markdown
|
|
172
|
+
## Security Audit Report
|
|
173
|
+
|
|
174
|
+
### 审计范围
|
|
175
|
+
- 文件数: X
|
|
176
|
+
- 代码行数: Y
|
|
177
|
+
|
|
178
|
+
### 发现汇总
|
|
179
|
+
| 严重等级 | 数量 |
|
|
180
|
+
|----------|------|
|
|
181
|
+
| P0 (Critical) | X |
|
|
182
|
+
| P1 (High) | Y |
|
|
183
|
+
| P2 (Medium) | Z |
|
|
184
|
+
|
|
185
|
+
### 详细发现
|
|
186
|
+
#### [SEC-001] SQL 注入 (P0)
|
|
187
|
+
- **位置**: `src/api/users.py:45`
|
|
188
|
+
- **问题**: 字符串拼接构造 SQL
|
|
189
|
+
- **修复**: 使用参数化查询
|
|
190
|
+
|
|
191
|
+
### 依赖漏洞
|
|
192
|
+
| 包名 | 版本 | CVE | 严重等级 | 修复版本 |
|
|
193
|
+
|------|------|-----|----------|----------|
|
|
194
|
+
|
|
195
|
+
### 建议
|
|
196
|
+
1. ...
|
|
197
|
+
```
|
|
198
|
+
|
|
199
|
+
---
|
|
200
|
+
|
|
201
|
+
## 与 fullstack-developer 集成
|
|
202
|
+
|
|
203
|
+
```
|
|
204
|
+
fullstack-developer Phase 6 (code-review)
|
|
205
|
+
│
|
|
206
|
+
├── 涉及安全敏感代码?
|
|
207
|
+
│ ↓
|
|
208
|
+
│ security-audit
|
|
209
|
+
│ │
|
|
210
|
+
│ ├── OWASP Top 10 检查
|
|
211
|
+
│ ├── 依赖漏洞扫描
|
|
212
|
+
│ └── 返回: 安全审计报告
|
|
213
|
+
│
|
|
214
|
+
└── 继续 code-review
|
|
215
|
+
```
|
|
216
|
+
|
|
217
|
+
---
|
|
218
|
+
|
|
219
|
+
## Reference Navigation
|
|
220
|
+
|
|
221
|
+
| Situation | Read This |
|
|
222
|
+
|-----------|-----------|
|
|
223
|
+
| OWASP 详细检查 | `references/owasp-top10-checklist.md` |
|
|
224
|
+
| 注入防护 | `references/injection-prevention.md` |
|
|
225
|
+
| 认证安全 | `references/auth-security-patterns.md` |
|
|
226
|
+
| 依赖扫描 | `references/dependency-scanning.md` |
|