codeforge-dev 1.14.2 → 2.0.0

package/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/pr-review/SKILL.md

@@ -0,0 +1,325 @@
+---
+description: Review an existing pull request without merging — post findings as PR comment
+argument-hint: [PR number, URL, or omit for current branch]
+disable-model-invocation: true
+allowed-tools: Bash(gh:*), Bash(git:*), Read, Grep, Glob, AskUserQuestion
+---
+
+# /pr:review - Review Existing PR
+
+Review an existing pull request and post findings as a PR comment. NEVER approve or merge.
+
+## Input
+
+`$ARGUMENTS` - PR number (e.g., `42`), URL (e.g., `https://github.com/owner/repo/pull/42`), or empty to auto-detect from current branch.
+
+## Process
+
+### Phase 1: Identify Target PR
+
+**With argument:**
+```bash
+gh pr view $1 --json number,title,body,baseRefName,headRefName,additions,deletions,commits,files
+```
+
+**Without argument (auto-detect):**
+```bash
+gh pr view --json number,title,body,baseRefName,headRefName,additions,deletions,commits,files
+```
+
+**If both fail:** Use AskUserQuestion to prompt for PR number.
+
+Capture PR number for subsequent operations.
+
+Fetch the full diff:
+```bash
+gh pr diff $PR
+```
+
+### Phase 2: Gather Additional Context
+
+- Read changed files in full (not just diff) for deeper understanding of surrounding code
+- Discover project rules:
+  ```bash
+  ls -la CLAUDE.md .claude/CLAUDE.md CLAUDE.local.md 2>/dev/null
+  ls -la .claude/rules/*.md 2>/dev/null
+  ```
+- Check if PR body references a ticket (parse for `#N`, `Closes #N`, `Refs #N`, `Fixes #N`)
+- If ticket found, fetch it for requirements verification:
+  ```bash
+  gh issue view $TICKET --json number,title,body
+  ```
+
+### Phase 3: Aggressive Analysis
+
+This review is DEEPER than a commit review — it is the final gate before merge.
+
+#### Attack Surface Analysis
+
+| Check | Look For |
+|-------|----------|
+| New Endpoints | Every new route/handler exposed |
+| New Inputs | Every new user input vector |
+| Permission Changes | Any auth/authz modifications |
+| Data Flow | How data moves through new code |
+| External Integrations | New API calls, webhooks, services |
+
+#### Threat Modeling (per feature)
+
+For each significant feature in the PR:
+- What could an attacker exploit?
+- What data could be exfiltrated?
+- What operations could be abused?
+- What rate limiting is needed?
+- What audit logging is needed?
+
+#### Dependency Security
+
+```bash
+# Check for new dependencies (adapt patterns to project)
+gh pr diff $PR | grep -E '^\+.*"(dependencies|devDependencies)"' -A 50
+gh pr diff $PR | grep -E '^\+' | grep -E 'requirements.*\.txt|package.*\.json|Cargo\.toml|go\.mod|Gemfile'
+```
+
+| Check | Look For |
+|-------|----------|
+| New Dependencies | List all new packages + versions |
+| Known CVEs | Check against vulnerability databases |
+| Supply Chain | Typosquatting, maintainer reputation |
+| License Compliance | License compatibility issues |
+
+#### Project Rules Adherence
+
+Check compliance with project-specific rules (deeper than commit review):
+
+1. **Discover rules**:
+   - Read `CLAUDE.md` or `.claude/CLAUDE.md` if present
+   - Read all files in `.claude/rules/*.md`
+   - Check `CLAUDE.local.md` for user-specific rules
+
+2. **Full diff review for compliance**:
+   - Check EVERY change against stated rules
+   - Note architectural patterns that should be followed
+   - Flag ALL deviations from documented conventions
+
+| Rule Source | Compliance | Notes |
+|-------------|------------|-------|
+| CLAUDE.md | OK / VIOLATION | [specifics] |
+| rules/[name].md | OK / VIOLATION | [specifics] |
+
+#### Architecture Deep Dive
+
+| Check | Look For |
+|-------|----------|
+| Pattern Compliance | Full diff against established patterns |
+| Coupling Analysis | New dependencies between modules |
+| Scalability | O(n) analysis, potential bottlenecks |
+| Error Propagation | How errors flow through new code |
+| Recovery Strategies | Graceful degradation, retry logic |
+| State Management | Race conditions, consistency issues |
+
+#### Code Quality Review
+
+| Check | Look For |
+|-------|----------|
+| Complexity | Nesting depth > 3, high cyclomatic complexity |
+| Duplication | Copy-paste code, extractable shared logic |
+| Naming | Unclear names, inconsistent conventions |
+| Error Handling | Missing boundaries, generic catches, no recovery |
+| SOLID Violations | God classes, tight coupling, leaky abstractions |
+| Dead Code | Unreachable code, unused imports/variables |
+
+#### Test Analysis
+
+Evaluate against testing standards:
+
+| Check | Assess |
+|-------|--------|
+| Behavior Coverage | Are key behaviors tested? (not line count) |
+| Test Quality | Do tests verify outcomes, not implementation? |
+| Brittleness | Any tests that will break on refactor? |
+| Over-testing | Trivial code with unnecessary tests? |
+| Under-testing | Critical paths without tests? |
+| Manual Test Plan | What cannot be automated |
+
+**AI testing pitfalls to flag**:
+- Tests for trivial getters/setters
+- Excessive edge cases (>5 per function)
+- Tests asserting on implementation details
+- Over-mocked tests that verify nothing
+
+#### Breaking Changes
+
+| Check | Look For |
+|-------|----------|
+| API Contracts | Changed request/response schemas |
+| Database Schema | Migration requirements |
+| Configuration | New env vars, changed defaults |
+| Dependencies | Version bumps affecting consumers |
+
+#### Requirements Verification (if ticket found)
+
+Cross-reference each requirement from the linked ticket:
+
+| Requirement | Status | Evidence |
+|-------------|--------|----------|
+| [REQ text] | SATISFIED / PARTIAL / NOT MET | [file:line or explanation] |
+
+All acceptance criteria must be verified.
+
+### Phase 4: Present Findings
+
+Organize by severity:
+
+```markdown
+## PR Review Findings
+
+### Critical (Must Fix Before Merge)
+- [Finding]: [file:line] - [Impact]
+
+### High (Should Fix Before Merge)
+- [Finding]: [file:line] - [Impact]
+
+### Medium (Fix Soon)
+- [Finding]: [file:line] - [Impact]
+
+### Low (Nice to Have)
+- [Finding]: [file:line] - [Impact]
+
+### Info (Observations)
+- [Observation]
+
+### Project Rules Compliance
+| Rule Source | Status | Details |
+|-------------|--------|---------|
+| ... | ... | ... |
+
+### Requirements Status (if ticket linked)
+| Requirement | Status | Evidence |
+|-------------|--------|----------|
+| ... | ... | ... |
+
+### Threat Model Summary
+| Feature | Primary Risks | Mitigations Present |
+|---------|---------------|---------------------|
+| ... | ... | ... |
+```
+
+If no findings in a severity level, omit that section.
+
+### Phase 5: User Decisions
+
+Use AskUserQuestion:
+
+```
+For each finding, select handling:
+- NOTE: Include in PR review comment
+- ISSUE: Create separate GitHub issue
+- IGNORE: Don't include in review
+```
+
+### Phase 6: Create Issues (if selected)
+
+Group by category, include:
+- PR number
+- Branch name
+- Link to original ticket (if found)
+
+```bash
+gh issue create --title "[Category] findings from PR #[PR]" --body "$(cat <<'EOF'
+## [Category] Findings from PR #[PR]
+
+**PR**: #[PR_NUMBER]
+**Branch**: [branch]
+[**Related Ticket**: #[TICKET] — only if ticket found]
+
+### Findings
+
+- [ ] [Finding 1] - `file:line`
+- [ ] [Finding 2] - `file:line`
+
+### Context
+
+[Brief context about the PR's purpose]
+EOF
+)"
+```
+
+### Phase 7: Post Review Comment (NEVER APPROVE)
+
+```bash
+gh pr review $PR --comment --body "$(cat <<'EOF'
+## Automated Review
+
+**Status**: Requires human approval
+
+### Summary
+
+[Overall assessment - 2-3 sentences]
+
+### Critical Issues (Must Address)
+- [Issue with file:line]
+
+### Required Changes
+- [Specific change needed]
+
+### Suggestions
+- [Nice-to-have improvements]
+
+### Project Rules Compliance
+- [Summary of rules adherence]
+
+### Security Considerations
+- [Key security points for human reviewer]
+
+### Test Coverage
+- [Coverage assessment]
+- [Manual test recommendations if applicable]
+
+### Requirements Status (if ticket linked)
+| Requirement | Status |
+|-------------|--------|
+| ... | ... |
+
+### Related Issues Created
+- #[N]: [Description]
+
+---
+*Automated review by Claude. Human approval required before merge.*
+EOF
+)"
+```
+
+### Phase 8: Report
+
+Output summary:
+
+```markdown
+## Review Summary
+
+- **PR**: #[N] — [title]
+- **Findings**: [Critical: N, High: N, Medium: N, Low: N, Info: N]
+- **Review**: Posted as comment
+- **Issues Created**: #[N]: [category] — or "None"
+- **Ticket**: #[TICKET] requirements verified — or "No linked ticket"
+```
+
+## Rules
+
+- **NEVER approve or merge** — post review as comment only
+- **Deeper than commit review** — this is the final gate before merge
+- **Active threat modeling** required for each significant feature
+- **All findings** categorized by severity with `file:line` references
+- **User decides** what goes in the review comment
+- **Check project rules** (CLAUDE.md, .claude/rules/*.md) thoroughly
+- **Auto-detect ticket** from PR body if possible — never prompt for one
+- **Read full files** for changed code, not just the diff
+- Batch all GitHub operations
+
+## Severity Guide
+
+**Critical**: Active vulnerability, data exposure, auth bypass, breaking production
+**High**: Security weakness, significant bug, major pattern violation
+**Medium**: Code smell, minor vulnerability, missing validation
+**Low**: Style, optimization, minor improvements
+**Info**: Observations, questions, future considerations

package/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/ship/SKILL.md

@@ -0,0 +1,314 @@
+---
+description: Review changes, commit with detailed message, push, and optionally create pull request
+argument-hint: [commit message hint]
+disable-model-invocation: true
+allowed-tools: Bash(gh:*), Bash(git:*), Read, Grep, Glob, Edit, Write, AskUserQuestion
+---
+
+# /ship - Review, Commit, Push & Optional PR
+
+Review all changes, commit with a detailed message, push, and optionally create a pull request. Optionally links to tickets if context exists from `/ticket:work`.
+
+## Input
+
+`$ARGUMENTS` - Optional commit message hint or summary of changes. May be empty.
+
+## Process
+
+### Phase 1: Gather Context
+
+```bash
+# Working tree state
+git status
+git diff HEAD
+git diff --staged
+
+# Branch info
+git branch --show-current
+git log main..HEAD --oneline
+git diff main...HEAD --stat
+
+# Discover project rules
+ls -la CLAUDE.md .claude/CLAUDE.md CLAUDE.local.md 2>/dev/null
+ls -la .claude/rules/*.md 2>/dev/null
+```
+
+Check for ticket context in the current session. If a ticket number is available from a prior `/ticket:work` call, note it for linking in later phases. Do NOT prompt for a ticket — this command works standalone.
+
+### Phase 2: Full Review
+
+Review ALL changes (staged + unstaged) with `file:line` references.
+
+#### Security Review
+
+| Check | Look For |
+|-------|----------|
+| Secrets | API keys, passwords, tokens, connection strings in code |
+| Injection | SQL injection, command injection, XSS, CSRF |
+| Auth/Authz | Missing auth checks, privilege escalation paths |
+| Data Exposure | PII in logs, sensitive data in error messages |
+| Dependencies | New dependencies with known vulnerabilities |
+| Input Validation | Unvalidated user input, missing sanitization |
+
+#### Project Rules Adherence
+
+Check compliance with project-specific rules:
+
+1. **Discover rules**:
+   - Read `CLAUDE.md` or `.claude/CLAUDE.md` if present
+   - Read all files in `.claude/rules/*.md`
+   - Check `CLAUDE.local.md` for user-specific rules
+
+2. **Review for compliance**:
+   - Check if changes violate any stated rules
+   - Note architectural patterns that should be followed
+   - Flag deviations from documented conventions
+
+| Rule Source | Compliance | Notes |
+|-------------|------------|-------|
+| CLAUDE.md | OK / VIOLATION | [specifics] |
+| rules/[name].md | OK / VIOLATION | [specifics] |
+
+#### Code Quality Review
+
+| Check | Look For |
+|-------|----------|
+| Complexity | Nesting depth > 3, high cyclomatic complexity |
+| Duplication | Copy-paste code, extractable shared logic |
+| Naming | Unclear names, inconsistent conventions |
+| Error Handling | Missing boundaries, generic catches, no recovery |
+| SOLID Violations | God classes, tight coupling, leaky abstractions |
+| Dead Code | Unreachable code, unused imports/variables |
+
+#### Architecture Review
+
+| Check | Look For |
+|-------|----------|
+| Pattern Compliance | Deviations from established patterns |
+| Coupling | Inappropriate dependencies, circular imports |
+| API Contracts | Breaking changes, missing versioning |
+| Cohesion | Mixed responsibilities, scattered logic |
+
+#### Test Review
+
+**Note**: If user indicates tests are not applicable or opts out, skip this section entirely and note "Tests: Skipped per user preference."
+
+| Check | Assess |
+|-------|--------|
+| Behavior Coverage | Are key behaviors tested? (not line count) |
+| Test Quality | Do tests verify outcomes, not implementation? |
+| Brittleness | Any tests that will break on refactor? |
+| Over-testing | Trivial code with unnecessary tests? |
+| Under-testing | Critical paths without tests? |
+
+### Phase 3: Present Findings
+
+Organize ALL findings by severity:
+
+```markdown
+## Review Findings
+
+### Critical (Must Fix Before Commit)
+- [Finding]: [file:line] - [Impact]
+
+### High (Should Fix Before Commit)
+- [Finding]: [file:line] - [Impact]
+
+### Medium (Fix Soon)
+- [Finding]: [file:line] - [Impact]
+
+### Low (Nice to Have)
+- [Finding]: [file:line] - [Impact]
+
+### Info (Observations)
+- [Observation]
+
+### Project Rules Compliance
+| Rule Source | Status | Details |
+|-------------|--------|---------|
+| ... | ... | ... |
+```
+
+If no findings in a severity level, omit that section.
+
+### Phase 4: User Decisions on Findings
+
+Use AskUserQuestion to batch decisions:
+
+```
+For each category of findings, select handling:
+- FIX: Address before commit
+- ISSUE: Create GitHub issue for later
+- IGNORE: Acknowledge and proceed
+```
+
+Allow multi-select within categories.
+
+### Phase 5: Fix Selected Items
+
+Address all items marked FIX. Re-run relevant checks after fixes.
+
+### Phase 6: Create Issues (if selected)
+
+For findings marked ISSUE, group by category:
+
+```bash
+gh issue create --title "[Category] findings from [branch]" --body "$(cat <<'EOF'
+## [Category] Findings
+
+**Source**: Branch `[branch]`, commit `[hash]`
+[**Related Ticket**: #[TICKET] — only if ticket context exists]
+
+### Findings
+
+- [ ] [Finding 1] - `file:line`
+- [ ] [Finding 2] - `file:line`
+
+### Context
+
+[Brief context about what was being implemented]
+EOF
+)"
+```
+
+Link to ticket if context exists.
+
+### Phase 7: Draft Commit Message
+
+```markdown
+<type>(<scope>): <summary>
+
+<Business context>
+- [Change description]
+- [User-facing impact]
+
+<Technical changes>
+- [File/component changed]
+- [Pattern used]
+
+<Review findings>
+- Addressed: [list]
+- Deferred to #[issue]: [list]
+- Acknowledged: [list]
+
+Closes #[TICKET] (if completing all requirements — only if ticket context)
+Refs #[TICKET] (if partial — only if ticket context)
+```
+
+Types: `feat`, `fix`, `refactor`, `test`, `docs`, `chore`
+
+If `$ARGUMENTS` provided a commit message hint, use it to inform the summary line.
+
+### Phase 8: User Sign-Off on Commit Message
+
+Present commit message for approval via AskUserQuestion. Allow edits. Do not proceed without explicit approval.
+
+### Phase 9: Commit & Push
+
+```bash
+git add [specific files — never git add -A]
+git commit -m "$(cat <<'EOF'
+[approved message]
+EOF
+)"
+git push -u origin $(git branch --show-current)
+```
+
+Stage specific files by name. Never use `git add .` or `git add -A`.
+
+### Phase 10: Ask About PR
+
+Use AskUserQuestion:
+
+```
+Changes committed and pushed to [branch].
+
+Would you like to create a pull request?
+- Yes: Create PR targeting main
+- No: Done — just commit and push
+```
+
+If **No** → skip to Phase 12.
+
+### Phase 11: Create PR (conditional)
+
+```bash
+gh pr create --title "<type>(<scope>): <summary>" --body "$(cat <<'EOF'
+## Summary
+
+- [1-3 bullet points of what this PR accomplishes]
+
+## Related Issue
+
+[Closes #TICKET / Refs #TICKET — only if ticket context exists]
+
+## Changes
+
+- [Component]: [What changed]
+
+## Testing
+
+- [ ] [How to test each change]
+
+---
+*PR created by Claude. Awaiting human review.*
+EOF
+)"
+```
+
+Capture PR number.
+
+If ticket context exists, post comment to the original issue:
+
+```bash
+gh issue comment $TICKET --body "$(cat <<'EOF'
+## Pull Request Created
+
+**PR**: #[PR_NUMBER]
+**Branch**: [branch]
+
+### Status
+- [x] PR created
+- [ ] Human review pending
+- [ ] Approved and merged
+
+---
+*PR created by Claude.*
+EOF
+)"
+```
+
+### Phase 12: Report
+
+Output summary:
+
+```markdown
+## Ship Summary
+
+- **Commit**: [hash] on `[branch]`
+- **Push**: [branch] → origin/[branch]
+- **PR**: #[N] ([URL]) — or "Not created"
+- **Issues Created**: #[N]: [category] — or "None"
+- **Ticket**: #[TICKET] linked — or "Standalone (no ticket context)"
+```
+
+## Rules
+
+- **Full review is mandatory** — no skipping phases 2-3
+- **User MUST approve** commit message before committing
+- **AskUserQuestion MUST confirm** before PR creation — never auto-create
+- **NEVER auto-approve** PRs
+- **Stage specific files** — never `git add .` or `git add -A`
+- **Optionally ticket-aware** — link to ticket if context exists, never prompt for one
+- **Batch** all GitHub operations
+- **Check project rules** (CLAUDE.md, .claude/rules/*.md) thoroughly
+- Present findings FIRST, then get decisions
+- Fix selected items BEFORE drafting commit
+
+## Finding Severity Guide
+
+**Critical**: Security vulnerability, data loss risk, breaking production
+**High**: Significant bug, major pattern violation, auth issue
+**Medium**: Code smell, minor bug, missing validation
+**Low**: Style issue, minor optimization, documentation gap
+**Info**: Observations, questions, future considerations

package/.devcontainer/plugins/devs-marketplace/plugins/prompt-snippets/.claude-plugin/plugin.json

@@ -0,0 +1,5 @@
+{
+	"name": "prompt-snippets",
+	"description": "Quick behavioral mode switches via /ps command.",
+	"author": { "name": "AnExiledDev" }
+}

package/.devcontainer/plugins/devs-marketplace/plugins/prompt-snippets/README.md

@@ -0,0 +1,52 @@
+# Prompt Snippets Plugin
+
+Quick behavioral mode switches via a single `/ps` slash command.
+
+## Usage
+
+```text
+/ps [snippet-name]
+```
+
+Type `/ps` followed by a snippet name to inject a behavioral directive for the remainder of the conversation.
+
+### Available Snippets
+
+| Snippet | What it does |
+|---------|-------------|
+| `noaction` | Investigate and report only — no edits, no commands |
+| `brief` | Concise answers, no filler |
+| `plan` | Plan first, don't implement until approved |
+| `go` | Proceed without confirmation prompts |
+| `review` | Audit only — report findings, don't modify |
+| `ship` | Commit, push, and create a PR |
+| `deep` | Thorough investigation, leave no stone unturned |
+| `hold` | Do the work but don't commit or push |
+| `recall` | Search session history with ccms for prior context |
+| `wait` | When done, stop — no suggestions or follow-ups |
+
+### Composing
+
+Combine snippets by listing multiple names:
+
+```text
+/ps noaction brief
+```
+
+## Design
+
+This plugin contains a single skill (`/ps`) that uses `$ARGUMENTS` as a lookup key into a snippet table. It is:
+
+- **Not auto-suggested** — `disable-model-invocation: true` keeps it out of the skill engine's auto-suggestion system
+- **Independently toggleable** — disable via `enabledPlugins` in `settings.json` without affecting other skills
+- **Extensible** — add a row to the table in `skills/ps/SKILL.md` to create new snippets
+
+## Adding Custom Snippets
+
+Edit `skills/ps/SKILL.md` and add a row to the "Available Snippets" table:
+
+```markdown
+| `mysnippet` | Your custom instruction here. |
+```
+
+No other files need to change.