codeforge-dev 1.5.7 → 1.7.0

package/.devcontainer/plugins/devs-marketplace/plugins/code-directive/skills/refactoring-patterns/references/smell-catalog.md

@@ -0,0 +1,332 @@
+# Code Smell Catalog
+
+Complete catalog of code smells with detection heuristics and before/after examples.
+
+## Contents
+
+- [Long Method](#long-method)
+- [Feature Envy](#feature-envy)
+- [Data Clump](#data-clump)
+- [Primitive Obsession](#primitive-obsession)
+- [God Class](#god-class)
+- [Shotgun Surgery](#shotgun-surgery)
+- [Divergent Change and Message Chain](#divergent-change-and-message-chain)
+
+---
+
+## Long Method
+
+**Detection heuristics:**
+- Method body exceeds ~20 lines
+- You need to scroll to see the entire function
+- Comments separate logical sections within the method
+- Multiple levels of indentation (3+ nesting levels)
+
+### Before
+
+```python
+def process_order(order, db, mailer):
+    # Validate order
+    if not order.items:
+        raise ValueError("Order has no items")
+    if order.total <= 0:
+        raise ValueError("Order total must be positive")
+    for item in order.items:
+        stock = db.get_stock(item.product_id)
+        if stock < item.quantity:
+            raise ValueError(f"Insufficient stock for {item.product_id}")
+
+    # Calculate totals
+    subtotal = sum(item.price * item.quantity for item in order.items)
+    tax = subtotal * 0.08
+    if order.customer.is_tax_exempt:
+        tax = 0
+    shipping = 5.99 if subtotal < 50 else 0
+    total = subtotal + tax + shipping
+
+    # Save to database
+    order.subtotal = subtotal
+    order.tax = tax
+    order.shipping = shipping
+    order.total = total
+    order.status = "confirmed"
+    db.save_order(order)
+
+    # Send confirmation
+    subject = f"Order #{order.id} Confirmed"
+    body = f"Your order total is ${total:.2f}"
+    mailer.send(order.customer.email, subject, body)
+
+    return order
+```
+
+### After
+
+```python
+def process_order(order, db, mailer):
+    validate_order(order, db)
+    totals = calculate_totals(order)
+    save_order(order, totals, db)
+    send_confirmation(order, totals, mailer)
+    return order
+
+def validate_order(order, db):
+    if not order.items:
+        raise ValueError("Order has no items")
+    if order.total <= 0:
+        raise ValueError("Order total must be positive")
+    for item in order.items:
+        stock = db.get_stock(item.product_id)
+        if stock < item.quantity:
+            raise ValueError(f"Insufficient stock for {item.product_id}")
+
+def calculate_totals(order):
+    subtotal = sum(item.price * item.quantity for item in order.items)
+    tax = 0 if order.customer.is_tax_exempt else subtotal * 0.08
+    shipping = 5.99 if subtotal < 50 else 0
+    return {"subtotal": subtotal, "tax": tax, "shipping": shipping, "total": subtotal + tax + shipping}
+
+def save_order(order, totals, db):
+    order.subtotal = totals["subtotal"]
+    order.tax = totals["tax"]
+    order.shipping = totals["shipping"]
+    order.total = totals["total"]
+    order.status = "confirmed"
+    db.save_order(order)
+
+def send_confirmation(order, totals, mailer):
+    subject = f"Order #{order.id} Confirmed"
+    body = f"Your order total is ${totals['total']:.2f}"
+    mailer.send(order.customer.email, subject, body)
+```
+
+---
+
+## Feature Envy
+
+**Detection heuristics:**
+- A method accesses more fields/methods from another object than from its own
+- Multiple chained attribute accesses (`obj.a.b.c`)
+- The method could be moved to the other class and would need fewer parameters
+
+### Before
+
+```python
+class Order:
+    def calculate_shipping(self):
+        # Envies Customer's data
+        if self.customer.address.country == "US":
+            if self.customer.address.state in ("AK", "HI"):
+                return self.total * 0.15
+            return self.total * 0.05
+        elif self.customer.address.country == "CA":
+            return self.total * 0.10
+        return self.total * 0.20
+```
+
+### After
+
+```python
+class Address:
+    def shipping_rate(self):
+        if self.country == "US":
+            if self.state in ("AK", "HI"):
+                return 0.15
+            return 0.05
+        elif self.country == "CA":
+            return 0.10
+        return 0.20
+
+class Order:
+    def calculate_shipping(self):
+        return self.total * self.customer.address.shipping_rate()
+```
+
+---
+
+## Data Clump
+
+**Detection heuristics:**
+- The same 3+ parameters appear together in multiple function signatures
+- You find yourself passing the same group of variables through several functions
+- Parameters have a logical relationship (e.g., `start_date, end_date` or `host, port, protocol`)
+
+### Before
+
+```python
+def connect(host: str, port: int, protocol: str, timeout: int): ...
+def health_check(host: str, port: int, protocol: str): ...
+def send_request(host: str, port: int, protocol: str, payload: bytes): ...
+```
+
+### After
+
+```python
+from dataclasses import dataclass
+
+@dataclass
+class ServerConfig:
+    host: str
+    port: int
+    protocol: str = "https"
+    timeout: int = 30
+
+def connect(config: ServerConfig): ...
+def health_check(config: ServerConfig): ...
+def send_request(config: ServerConfig, payload: bytes): ...
+```
+
+---
+
+## Primitive Obsession
+
+**Detection heuristics:**
+- Business validation logic scattered across multiple call sites
+- `str` used for structured values (emails, URLs, phone numbers)
+- `int` or `float` used for money, percentages, or quantities with constraints
+- `dict` used where a typed structure is needed
+
+### Before
+
+```python
+def create_user(email: str, age: int):
+    if "@" not in email or "." not in email.split("@")[1]:
+        raise ValueError("Invalid email")
+    if age < 0 or age > 150:
+        raise ValueError("Invalid age")
+    # ... same validation repeated in update_user, send_invite, etc.
+```
+
+### After
+
+```python
+class Email:
+    def __init__(self, value: str):
+        if "@" not in value or "." not in value.split("@")[1]:
+            raise ValueError(f"Invalid email: {value}")
+        self.value = value
+
+    def __str__(self):
+        return self.value
+
+class Age:
+    def __init__(self, value: int):
+        if value < 0 or value > 150:
+            raise ValueError(f"Invalid age: {value}")
+        self.value = value
+
+def create_user(email: Email, age: Age):
+    # Validation is guaranteed by construction
+    ...
+```
+
+---
+
+## God Class
+
+**Detection heuristics:**
+- Class has 500+ lines or 20+ methods
+- Class name is vague: `Manager`, `Handler`, `Processor`, `Utils`, `Helper`
+- Class imports from many unrelated modules
+- Methods cluster into groups that don't share instance state
+
+### Before
+
+```python
+class UserManager:
+    def create_user(self, ...): ...
+    def update_user(self, ...): ...
+    def delete_user(self, ...): ...
+    def authenticate(self, ...): ...
+    def reset_password(self, ...): ...
+    def send_welcome_email(self, ...): ...
+    def send_password_reset_email(self, ...): ...
+    def generate_report(self, ...): ...
+    def export_to_csv(self, ...): ...
+```
+
+### After
+
+```python
+class UserRepository:
+    def create(self, ...): ...
+    def update(self, ...): ...
+    def delete(self, ...): ...
+
+class AuthService:
+    def authenticate(self, ...): ...
+    def reset_password(self, ...): ...
+
+class UserNotifier:
+    def send_welcome_email(self, ...): ...
+    def send_password_reset_email(self, ...): ...
+
+class UserReporter:
+    def generate_report(self, ...): ...
+    def export_to_csv(self, ...): ...
+```
+
+---
+
+## Shotgun Surgery
+
+**Detection heuristics:**
+- Adding a new enum value requires changes in 5+ files
+- A conceptual change (e.g., "add a new user role") touches model, serializer, validator, template, and tests in a scattered pattern
+- Developers frequently forget to update one of the locations
+
+### Before
+
+```python
+# models.py
+STATUSES = ["draft", "published", "archived"]
+
+# serializer.py
+if status not in ["draft", "published", "archived"]:
+    raise ValidationError("Invalid status")
+
+# template.html
+# {% if article.status == "draft" or article.status == "published" or ... %}
+
+# admin.py
+list_filter = ["draft", "published", "archived"]
+```
+
+### After
+
+```python
+import enum
+
+# models.py — single source of truth
+class ArticleStatus(enum.Enum):
+    DRAFT = "draft"
+    PUBLISHED = "published"
+    ARCHIVED = "archived"
+
+# All other files reference ArticleStatus
+# serializer.py
+if status not in ArticleStatus.__members__: ...
+
+# admin.py
+list_filter = [s.value for s in ArticleStatus]
+```
+
+---
+
+## Divergent Change and Message Chain
+
+**Divergent Change:** One class changes for unrelated reasons. Split responsibilities.
+
+**Message Chain:** Long chains like `a.getB().getC().getD()`. Introduce delegate methods:
+
+```python
+# Before
+city = order.customer.address.city
+
+# After — Order provides the method
+class Order:
+    def shipping_city(self):
+        return self.customer.address.city
+```
+
+Each of these smells is a signal, not a verdict. Investigate the context before applying transformations mechanically.

package/.devcontainer/plugins/devs-marketplace/plugins/code-directive/skills/security-checklist/SKILL.md

@@ -0,0 +1,277 @@
+---
+name: security-checklist
+description: >-
+  This skill should be used when the user asks to "check for security issues",
+  "audit this code for vulnerabilities", "scan for secrets", "review for
+  injection attacks", "check OWASP compliance", "find security bugs",
+  "detect hardcoded credentials", "review authentication logic",
+  "check for XSS", "audit dependencies for vulnerabilities",
+  or discusses security review, vulnerability scanning, OWASP Top 10,
+  secrets detection, SQL injection, command injection, or dependency auditing.
+version: 0.1.0
+---
+
+# Security Checklist
+
+## Mental Model
+
+Security is **defense in depth** -- no single layer protects you. Assume every input is hostile, every dependency is compromised, every network boundary is breached. Then build layers so that when (not if) one fails, the next catches the attack.
+
+The practical consequence: validate at every boundary, not just the outermost one. A function that accepts user input should validate it even if the caller "should have" validated it. Database queries should use parameterized statements even if the application layer "should have" sanitized the input. This redundancy is not waste -- it's the safety net.
+
+Security review has three phases:
+1. **Input boundaries** -- Where does external data enter the system? (HTTP requests, file uploads, CLI args, environment variables, database reads, message queues)
+2. **Trust transitions** -- Where does data cross from untrusted to trusted? (Deserialization, template rendering, shell execution, SQL queries)
+3. **Output boundaries** -- Where does data leave the system? (Logs, error messages, API responses, HTML rendering)
+
+Every vulnerability exists at a boundary where untrusted data is treated as trusted.
+
+---
+
+## OWASP Top 10 Quick Reference (2021)
+
+### A01: Broken Access Control
+Users act outside their intended permissions. Check: Can user A access user B's resources by changing an ID in the URL? Are admin endpoints protected by role checks, not just authentication?
+
+### A02: Cryptographic Failures
+Sensitive data transmitted or stored without proper encryption. Check: Is TLS enforced? Are passwords hashed with bcrypt/argon2 (not MD5/SHA1)? Are API keys in environment variables (not source code)?
+
+### A03: Injection
+Untrusted data sent to an interpreter as part of a command or query. Covers SQL injection, NoSQL injection, OS command injection, LDAP injection. Check: Are all database queries parameterized? Is user input ever passed to `eval()`, `exec()`, or shell commands?
+
+### A04: Insecure Design
+Missing or ineffective security controls at the design level. Check: Is there rate limiting on authentication endpoints? Are business logic constraints enforced server-side?
+
+### A05: Security Misconfiguration
+Default credentials, unnecessary features enabled, overly permissive CORS, verbose error messages in production. Check: Are stack traces hidden in production? Is directory listing disabled? Are default accounts removed?
+
+### A06: Vulnerable and Outdated Components
+Using libraries with known vulnerabilities. Check: When were dependencies last updated? Are there known CVEs in the dependency tree?
+
+### A07: Identification and Authentication Failures
+Weak passwords allowed, missing brute-force protection, session tokens in URLs. Check: Is there account lockout or rate limiting? Are session tokens regenerated after login?
+
+### A08: Software and Data Integrity Failures
+Code or data from untrusted sources without verification. Check: Are CI/CD pipelines protected? Are dependencies verified by checksum or signature?
+
+### A09: Security Logging and Monitoring Failures
+Insufficient logging of security events. Check: Are login failures logged? Are access control failures logged? Is there alerting on anomalous patterns?
+
+### A10: Server-Side Request Forgery (SSRF)
+Application fetches a URL from user input without validation. Check: Are user-supplied URLs validated against an allowlist? Is the application prevented from accessing internal services?
+
+> **Deep dive:** See `references/owasp-patterns.md` for detailed OWASP patterns with vulnerable and fixed code examples.
+
+---
+
+## Language-Specific Vulnerability Patterns
+
+### Python
+
+**Dangerous deserialization:**
+```python
+# VULNERABLE: pickle executes arbitrary code on load
+import pickle
+data = pickle.loads(user_input)  # Remote code execution
+
+# SAFE: use JSON or a schema-validated format
+import json
+data = json.loads(user_input)
+```
+
+**Code execution:**
+```python
+import ast
+from typing import Any
+
+# VULNERABLE: eval/exec on user input
+result = eval(user_expression)
+
+# SAFE: use ast.literal_eval for data, or a parser for expressions
+def safe_eval(expression: str) -> Any:
+    return ast.literal_eval(expression)  # only literals: strings, numbers, tuples, lists, dicts, bools, None
+```
+
+**Command injection:**
+```python
+# VULNERABLE: shell=True with user input
+import subprocess
+subprocess.run(f"grep {user_query} /var/log/app.log", shell=True)
+
+# SAFE: pass args as list, never use shell=True with user input
+subprocess.run(["grep", user_query, "/var/log/app.log"])
+```
+
+**SQL injection:**
+```python
+# VULNERABLE: string formatting in queries
+cursor.execute(f"SELECT * FROM users WHERE email = '{email}'")
+
+# SAFE: parameterized queries
+cursor.execute("SELECT * FROM users WHERE email = ?", (email,))
+```
+
+### JavaScript / TypeScript
+
+**Prototype pollution:**
+```javascript
+// VULNERABLE: deep merge from user input
+function merge(target, source) {
+    for (const key in source) {
+        target[key] = source[key]; // __proto__ can be overwritten
+    }
+}
+
+// SAFE: validate keys, use Object.create(null), or use structuredClone
+function safeMerge(target, source) {
+    for (const key of Object.keys(source)) {
+        if (key === "__proto__" || key === "constructor" || key === "prototype") continue;
+        target[key] = source[key];
+    }
+}
+```
+
+**ReDoS (Regular Expression Denial of Service):**
+```javascript
+// VULNERABLE: catastrophic backtracking
+const emailRegex = /^([a-zA-Z0-9]+\.)*[a-zA-Z0-9]+@([a-zA-Z0-9]+\.)+[a-zA-Z]{2,}$/;
+
+// SAFE: use linear-time regex or a dedicated validation library
+const { z } = require("zod");
+const email = z.string().email();
+```
+
+**Path traversal:**
+```javascript
+// VULNERABLE: user controls file path
+const filePath = path.join("/uploads", req.params.filename);
+
+// SAFE: resolve and verify the path stays within the allowed directory
+const safePath = path.resolve("/uploads", req.params.filename);
+if (!safePath.startsWith("/uploads/")) {
+    throw new Error("Path traversal detected");
+}
+```
+
+### Go
+
+**Integer overflow:**
+```go
+// VULNERABLE: unchecked conversion
+length := int32(userProvidedInt64) // silent truncation
+
+// SAFE: bounds check before conversion
+if userProvidedInt64 > math.MaxInt32 || userProvidedInt64 < math.MinInt32 {
+    return fmt.Errorf("value out of range")
+}
+length := int32(userProvidedInt64)
+```
+
+**Race conditions:**
+```go
+// VULNERABLE: unsynchronized map access
+var cache = make(map[string]string) // data race in concurrent use
+
+// SAFE: use sync.Map or mutex
+var cache sync.Map
+cache.Store("key", "value")
+val, ok := cache.Load("key")
+```
+
+---
+
+## Secrets Detection
+
+Scan code for accidentally committed secrets using these regex patterns:
+
+```bash
+# AWS Access Key
+AKIA[0-9A-Z]{16}
+
+# AWS Secret Key
+(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z/+]{40}['\"]
+
+# Generic API Key patterns
+(?i)(api[_-]?key|apikey|api[_-]?secret)[\s]*[=:]\s*['\"][a-zA-Z0-9]{16,}['\"]
+
+# GitHub Token
+gh[pousr]_[A-Za-z0-9_]{36,}
+
+# Generic high-entropy strings (base64, 32+ chars)
+['\"][A-Za-z0-9+/]{32,}={0,2}['\"]
+
+# Private keys
+-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----
+
+# Connection strings with passwords
+(?i)(postgres|mysql|mongodb)://[^:]+:[^@]+@
+```
+
+**Prevention:**
+- Use `.gitignore` to exclude `.env`, `*.pem`, `credentials.*`
+- Add a pre-commit hook with tools like `gitleaks` or `detect-secrets`
+- Store secrets in environment variables or a secrets manager, never in code
+- If a secret is committed, rotate it immediately -- removing it from git history is not sufficient
+
+> **Deep dive:** See `references/secrets-patterns.md` for comprehensive regex patterns and detection strategies.
+
+---
+
+## Dependency Audit Commands
+
+Run these commands regularly and in CI/CD pipelines:
+
+```bash
+# JavaScript/TypeScript (npm)
+npm audit
+npm audit --audit-level=high    # fail only on high+ severity
+npx audit-ci --high             # CI-friendly wrapper
+
+# Python
+pip-audit                       # PyPI advisory database
+pip-audit --fix                 # auto-fix where possible
+safety check                   # alternative scanner
+
+# Rust
+cargo audit                    # RustSec advisory database
+cargo deny check advisories    # stricter policy engine
+
+# Go
+govulncheck ./...              # official Go vulnerability checker
+
+# Container images
+trivy image myapp:latest       # scan container for OS + app vulns
+grype myapp:latest             # alternative container scanner
+
+# Multi-language / CI
+trivy fs .                     # scan filesystem for all languages
+snyk test                      # commercial scanner with free tier
+```
+
+**Best practices:**
+- Run audits in CI -- fail the build on high/critical findings
+- Pin dependency versions in lock files (`package-lock.json`, `poetry.lock`, `Cargo.lock`)
+- Update dependencies weekly, not quarterly -- smaller updates are easier to review
+- Subscribe to security advisories for critical dependencies
+
+---
+
+## Ambiguity Policy
+
+These defaults apply when the user does not specify a preference. State the assumption when making a choice:
+
+- **Scan scope:** Default to the current project directory. Do not scan `node_modules`, `venv`, or other dependency directories directly -- use audit tools for those.
+- **Severity threshold:** Flag all findings but prioritize high and critical. Informational findings are reported but not treated as blockers.
+- **Secrets in tests:** Flag hardcoded credentials in test files as warnings, not errors -- but recommend using fixtures or environment variables instead.
+- **Dependency updates:** Recommend updating vulnerable dependencies to the latest patch version, not the latest major version, to minimize breaking changes.
+- **False positives:** When a finding is a false positive, explain why and suggest adding it to an ignore list rather than silently skipping it.
+- **Framework:** Default to the security patterns of the framework in use (Django ORM over raw SQL, Express middleware over manual checks).
+
+---
+
+## Reference Files
+
+| File | Contents |
+|------|----------|
+| `references/owasp-patterns.md` | Detailed OWASP Top 10 patterns with vulnerable and fixed code examples for Python, JavaScript, and Go |
+| `references/secrets-patterns.md` | Comprehensive regex patterns for detecting API keys, tokens, certificates, and connection strings, plus prevention strategies |