codeforge-dev 1.7.0 → 1.8.0

package/.devcontainer/plugins/devs-marketplace/plugins/code-directive/skills/ast-grep-patterns/references/language-patterns.md

@@ -0,0 +1,327 @@
+# Language-Specific AST-Grep Patterns
+
+Complete pattern reference organized by language. Each pattern includes the `sg` command and example matches.
+
+---
+
+## Python
+
+### Function Definitions
+
+```bash
+# All functions
+sg run -p 'def $NAME($$$PARAMS): $$$BODY' -l python
+
+# Async functions
+sg run -p 'async def $NAME($$$PARAMS): $$$BODY' -l python
+
+# Functions with return type annotation
+sg run -p 'def $NAME($$$PARAMS) -> $RET: $$$BODY' -l python
+
+# Functions with specific decorator
+sg run -p '@staticmethod
+def $NAME($$$PARAMS): $$$BODY' -l python
+```
+
+### Class Definitions
+
+```bash
+# Any class
+sg run -p 'class $NAME: $$$BODY' -l python
+
+# Class with base classes
+sg run -p 'class $NAME($$$BASES): $$$BODY' -l python
+
+# Dataclass
+sg run -p '@dataclass
+class $NAME: $$$BODY' -l python
+
+# Pydantic model
+sg run -p 'class $NAME(BaseModel): $$$BODY' -l python
+```
+
+### Decorators
+
+```bash
+# Any decorated function
+sg run -p '@$DEC
+def $NAME($$$P): $$$B' -l python
+
+# FastAPI/Flask route
+sg run -p '@app.route($$$ARGS)
+def $NAME($$$P): $$$B' -l python
+
+# pytest fixture
+sg run -p '@pytest.fixture
+def $NAME($$$P): $$$B' -l python
+
+# Property
+sg run -p '@property
+def $NAME(self): $$$B' -l python
+```
+
+### Imports
+
+```bash
+# From imports
+sg run -p 'from $MOD import $$$NAMES' -l python
+
+# Star import
+sg run -p 'from $MOD import *' -l python
+
+# Aliased import
+sg run -p 'import $MOD as $ALIAS' -l python
+```
+
+### Try/Except
+
+```bash
+# Basic try/except
+sg run -p 'try:
+    $$$TRY
+except $EXC:
+    $$$HANDLER' -l python
+
+# Bare except (code smell)
+sg run -p 'try:
+    $$$TRY
+except:
+    $$$HANDLER' -l python
+```
+
+### Comprehensions
+
+```bash
+# List comprehension
+sg run -p '[$EXPR for $VAR in $ITER]' -l python
+
+# Dict comprehension
+sg run -p '{$KEY: $VAL for $VAR in $ITER}' -l python
+
+# Generator with condition
+sg run -p '($EXPR for $VAR in $ITER if $COND)' -l python
+```
+
+### Async Patterns
+
+```bash
+# Async with
+sg run -p 'async with $CTX as $VAR: $$$BODY' -l python
+
+# Await expression
+sg run -p 'await $EXPR' -l python
+
+# Async for
+sg run -p 'async for $VAR in $ITER: $$$BODY' -l python
+```
+
+---
+
+## TypeScript / JavaScript
+
+### Function Calls
+
+```bash
+# Specific function call
+sg run -p 'fetch($$$ARGS)' -l typescript
+
+# Method call
+sg run -p '$OBJ.addEventListener($$$ARGS)' -l typescript
+
+# Console methods
+sg run -p 'console.$METHOD($$$ARGS)' -l javascript
+
+# React hook
+sg run -p 'useState($$$ARGS)' -l typescript
+sg run -p 'useEffect($$$ARGS)' -l typescript
+```
+
+### JSX / React Components
+
+```bash
+# Component usage
+sg run -p '<$Component $$$PROPS />' -l typescript
+
+# Component with children
+sg run -p '<$Component $$$PROPS>$$$CHILDREN</$Component>' -l typescript
+
+# Specific component
+sg run -p '<Button $$$PROPS>$$$CHILDREN</Button>' -l typescript
+```
+
+### Imports / Exports
+
+```bash
+# Named import
+sg run -p 'import { $$$NAMES } from "$MOD"' -l typescript
+
+# Default import
+sg run -p 'import $NAME from "$MOD"' -l typescript
+
+# Dynamic import
+sg run -p 'import($PATH)' -l typescript
+
+# Named export
+sg run -p 'export const $NAME = $VAL' -l typescript
+
+# Export function
+sg run -p 'export function $NAME($$$P) { $$$B }' -l typescript
+```
+
+### Class Methods
+
+```bash
+# Method definition
+sg run -p 'class $C { $$$B1 $METHOD($$$P) { $$$B2 } $$$B3 }' -l typescript
+
+# Async method
+sg run -p 'async $METHOD($$$P) { $$$BODY }' -l typescript
+
+# Constructor
+sg run -p 'constructor($$$PARAMS) { $$$BODY }' -l typescript
+```
+
+### Arrow Functions
+
+```bash
+# Arrow with body
+sg run -p 'const $NAME = ($$$P) => { $$$BODY }' -l typescript
+
+# Arrow with expression
+sg run -p 'const $NAME = ($$$P) => $EXPR' -l typescript
+
+# Callback arrow
+sg run -p '($$$P) => $EXPR' -l typescript
+```
+
+---
+
+## Go
+
+### Function Signatures
+
+```bash
+# Function definition
+sg run -p 'func $NAME($$$PARAMS) $$$RETURN { $$$BODY }' -l go
+
+# Method (with receiver)
+sg run -p 'func ($RECV $TYPE) $NAME($$$PARAMS) $$$RETURN { $$$BODY }' -l go
+
+# Function returning error
+sg run -p 'func $NAME($$$P) ($$$R, error) { $$$B }' -l go
+```
+
+### Struct Definitions
+
+```bash
+# Struct
+sg run -p 'type $NAME struct { $$$FIELDS }' -l go
+
+# Interface
+sg run -p 'type $NAME interface { $$$METHODS }' -l go
+```
+
+### Goroutines and Concurrency
+
+```bash
+# Goroutine launch
+sg run -p 'go $FUNC($$$ARGS)' -l go
+
+# Defer statement
+sg run -p 'defer $FUNC($$$ARGS)' -l go
+
+# Channel send
+sg run -p '$CH <- $VAL' -l go
+
+# Channel receive
+sg run -p '$VAR := <-$CH' -l go
+
+# Select statement
+sg run -p 'select { $$$CASES }' -l go
+```
+
+### Error Handling
+
+```bash
+# Error check pattern
+sg run -p 'if err != nil { $$$BODY }' -l go
+
+# Error wrapping
+sg run -p 'fmt.Errorf($$$ARGS)' -l go
+```
+
+---
+
+## Rust
+
+### Function and Impl Blocks
+
+```bash
+# Function
+sg run -p 'fn $NAME($$$PARAMS) -> $RET { $$$BODY }' -l rust
+
+# Impl block
+sg run -p 'impl $TYPE { $$$METHODS }' -l rust
+
+# Trait implementation
+sg run -p 'impl $TRAIT for $TYPE { $$$METHODS }' -l rust
+
+# Public function
+sg run -p 'pub fn $NAME($$$PARAMS) -> $RET { $$$BODY }' -l rust
+```
+
+### Match Arms
+
+```bash
+# Match statement
+sg run -p 'match $EXPR { $$$ARMS }' -l rust
+
+# Specific match arm (harder — ast-grep matches full expressions better)
+```
+
+### Macro Invocations
+
+```bash
+# println! macro
+sg run -p 'println!($$$ARGS)' -l rust
+
+# vec! macro
+sg run -p 'vec![$$$ITEMS]' -l rust
+
+# Any macro
+sg run -p '$MACRO!($$$ARGS)' -l rust
+```
+
+### Error Handling
+
+```bash
+# unwrap calls (potential panics)
+sg run -p '$EXPR.unwrap()' -l rust
+
+# expect calls
+sg run -p '$EXPR.expect($MSG)' -l rust
+
+# ? operator (harder to match as standalone — use in function context)
+```
+
+### Async Patterns
+
+```bash
+# Async function
+sg run -p 'async fn $NAME($$$P) -> $RET { $$$B }' -l rust
+
+# .await
+sg run -p '$EXPR.await' -l rust
+
+# tokio::spawn
+sg run -p 'tokio::spawn($$$ARGS)' -l rust
+```
+
+---
+
+## Tips
+
+- **Pattern doesn't match?** Use `tree-sitter parse file.ext` to see the actual syntax tree structure. ast-grep patterns must match the tree structure, which sometimes differs from how code appears visually.
+- **Too many results?** Add more context to the pattern (surrounding code) or search within a specific directory.
+- **Cross-language search?** Run separate `sg` commands per language — ast-grep requires a language specification.
+- **Combine with Grep:** Use ast-grep to find structural patterns, then Grep to filter results by specific strings within matches.

package/.devcontainer/plugins/devs-marketplace/plugins/code-directive/skills/dependency-management/SKILL.md

@@ -0,0 +1,134 @@
+---
+name: dependency-management
+description: >-
+  This skill should be used when the user asks to "check dependencies",
+  "audit dependencies", "find outdated packages", "check dependency health",
+  "scan for vulnerabilities", "find unused dependencies", "license check",
+  "npm audit", "pip audit", "cargo audit", or discusses dependency analysis,
+  supply chain security, package version gaps, or license compliance.
+version: 0.1.0
+---
+
+# Dependency Management
+
+## Mental Model
+
+Dependency health is **ongoing hygiene**, not a one-time audit. Every dependency is a trust relationship — you inherit its bugs, vulnerabilities, and license obligations. Healthy projects monitor five dimensions continuously:
+
+1. **Currency** — How far behind are you? Major gaps accumulate breaking changes; patch gaps leave security holes open.
+2. **Security** — Are there known vulnerabilities? Severity × exploitability × exposure = actual risk.
+3. **Unused** — Dead dependencies increase attack surface and slow installs for zero value.
+4. **Conflicts** — Version mismatches cause subtle runtime bugs that are expensive to diagnose.
+5. **Licensing** — License obligations propagate transitively. One GPL dependency can change your distribution obligations.
+
+Treat dependency updates like any other code change: assess, plan, execute, verify.
+
+---
+
+## Ecosystem Detection
+
+Identify which package managers are in use before running any analysis. A project may span multiple ecosystems (e.g., Python backend + Node.js frontend).
+
+| Ecosystem | Manifest Files | Lock Files |
+|-----------|---------------|------------|
+| **Node.js** | `package.json` | `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml` |
+| **Python** | `pyproject.toml`, `setup.py`, `requirements*.txt`, `Pipfile` | `poetry.lock`, `uv.lock`, `Pipfile.lock` |
+| **Rust** | `Cargo.toml` | `Cargo.lock` |
+| **Go** | `go.mod` | `go.sum` |
+
+Use `Glob` to discover manifests. Read each manifest to count direct dependencies before running analysis commands.
+
+For monorepos, identify each workspace/package separately and analyze independently.
+
+---
+
+## Analysis Workflow
+
+### Phase 1: Outdated Packages
+
+Check currency across all detected ecosystems. Categorize findings by version gap:
+
+- **Major** — Likely breaking changes. Review changelog before upgrading.
+- **Minor** — New features, generally low risk.
+- **Patch** — Bug fixes and security patches. Upgrade promptly.
+
+Prioritize patch-level upgrades first — they carry the least risk and often fix security issues.
+
+### Phase 2: Security Vulnerabilities
+
+Run ecosystem-specific audit tools. For each finding, report:
+- Package name and installed version
+- Vulnerability ID (CVE, GHSA)
+- Severity (critical / high / medium / low)
+- Fixed version (if available)
+- Whether it is a **direct** or **transitive** dependency
+
+Direct dependencies are simpler to fix. Transitive vulnerabilities may require upgrading an intermediary package.
+
+### Phase 3: Unused Dependencies
+
+Cross-reference manifest declarations with source imports:
+1. Read the manifest to list declared dependencies.
+2. Search for import/require statements across all source files.
+3. Flag packages with zero import matches as potentially unused.
+
+Mark known implicit-use categories separately: plugins, CLI tools, type packages (`@types/*`), test frameworks in `devDependencies`, build tools, and runtime-loaded modules. These get a "verify manually" note rather than a definitive "unused" label.
+
+### Phase 4: Version Conflicts
+
+Check for conflicting version requirements in the dependency tree. Peer dependency issues in Node.js, version resolution conflicts in Python, and duplicate packages at different versions all indicate problems.
+
+### Phase 5: License Compliance
+
+Classify all dependency licenses and flag risk:
+- **Permissive** (MIT, BSD, Apache-2.0, ISC) — Safe for all use.
+- **Weak copyleft** (LGPL, MPL) — Safe as library, restrictions on modifications.
+- **Strong copyleft** (GPL, AGPL) — May require source disclosure. Flag for commercial projects.
+- **Unknown/Missing** — Flag for manual review. Unlicensed code carries legal risk.
+
+---
+
+## Version Gap Classification
+
+| Gap | Risk | Action |
+|-----|------|--------|
+| Patch (0.0.x) | Low | Upgrade promptly — bug fixes and security patches |
+| Minor (0.x.0) | Low–Medium | Review changelog, usually safe to upgrade |
+| Major (x.0.0) | Medium–High | Review migration guide, test thoroughly |
+| Multiple majors behind | High | Plan incremental upgrade path, one major at a time |
+
+---
+
+## Vulnerability Severity
+
+CVSS scores provide a starting point but need context:
+
+| CVSS Range | Label | Typical Action |
+|------------|-------|---------------|
+| 9.0–10.0 | Critical | Patch immediately. These often have active exploits. |
+| 7.0–8.9 | High | Patch within days. Check if your usage triggers the vulnerability. |
+| 4.0–6.9 | Medium | Patch within weeks. Assess exploitability in your context. |
+| 0.1–3.9 | Low | Patch during regular maintenance. Low exploitability. |
+
+A critical vulnerability in a transitive dependency used only in tests has lower effective risk than a medium vulnerability in a direct dependency exposed to user input. Always assess exploitability in context.
+
+---
+
+## Ambiguity Policy
+
+| Ambiguity | Default |
+|-----------|---------|
+| **Scope not specified** | Run all five phases (outdated, security, unused, conflicts, licenses) |
+| **Ecosystem not specified** | Analyze all detected ecosystems |
+| **Severity threshold** | Report all severities, highlight critical and high |
+| **Update recommendations** | Advisory only — never modify manifests or lock files |
+| **Direct vs transitive** | Always distinguish; prioritize direct dependencies |
+
+---
+
+## Reference Files
+
+| File | Contents |
+|------|----------|
+| [Ecosystem Commands](references/ecosystem-commands.md) | Per-ecosystem command tables for npm, pip/uv, cargo, and go — outdated checks, audits, unused detection, conflict checks, and license listing |
+| [License Compliance](references/license-compliance.md) | License classification table, SPDX identifiers, commercial implications, common conflicts, and recommended actions per risk level |

package/.devcontainer/plugins/devs-marketplace/plugins/code-directive/skills/dependency-management/references/ecosystem-commands.md

@@ -0,0 +1,264 @@
+# Ecosystem Commands Reference
+
+Per-ecosystem command reference for dependency analysis. All commands are **read-only** — they inspect but never modify the project.
+
+If a command is not found, note it as unavailable and skip. Do not attempt to install tools.
+
+---
+
+## Node.js (npm / yarn / pnpm)
+
+### Outdated Packages
+
+```bash
+# npm
+npm outdated 2>/dev/null || true
+
+# yarn
+yarn outdated 2>/dev/null || true
+
+# pnpm
+pnpm outdated 2>/dev/null || true
+```
+
+Output columns: Package, Current, Wanted (semver-compatible), Latest (newest).
+
+### Security Audit
+
+```bash
+# npm — structured output for parsing
+npm audit --json 2>/dev/null || true
+
+# npm — human-readable summary
+npm audit 2>/dev/null || true
+
+# yarn
+yarn audit 2>/dev/null || true
+
+# pnpm
+pnpm audit 2>/dev/null || true
+```
+
+### Unused Detection
+
+No built-in command. Cross-reference `package.json` dependencies with source imports:
+
+```bash
+# List declared dependencies
+node -e "const p=require('./package.json'); console.log(Object.keys(p.dependencies||{}).join('\n'))"
+
+# Search for imports (use Grep tool, not bash grep)
+# Pattern: require('pkg') or import ... from 'pkg'
+```
+
+Known exceptions to flag as "verify manually":
+- `@types/*` packages — TypeScript type definitions, no runtime import
+- Packages in `devDependencies` used only by build/test tooling
+- Babel/ESLint/Prettier plugins loaded by configuration
+- `dotenv` and similar packages loaded via `-r` flag or preload
+
+### Version Conflicts
+
+```bash
+# Check for peer dependency issues
+npm ls 2>&1 | head -100 || true
+
+# Check for duplicated packages
+npm ls --all 2>/dev/null | head -200 || true
+```
+
+### License Listing
+
+```bash
+# Using npx (no install needed)
+npx license-checker --summary 2>/dev/null || true
+
+# Detailed per-package
+npx license-checker --json 2>/dev/null || true
+```
+
+---
+
+## Python (pip / uv / poetry)
+
+### Outdated Packages
+
+```bash
+# pip
+pip list --outdated 2>/dev/null || true
+
+# uv
+uv pip list --outdated 2>/dev/null || true
+
+# poetry
+poetry show --outdated 2>/dev/null || true
+```
+
+### Security Audit
+
+```bash
+# pip-audit (preferred)
+pip-audit 2>/dev/null || true
+
+# pip-audit with JSON output
+pip-audit --format json 2>/dev/null || true
+
+# safety (alternative)
+safety check 2>/dev/null || true
+```
+
+### Unused Detection
+
+Cross-reference manifest with source imports:
+
+```bash
+# List declared dependencies from pyproject.toml
+python3 -c "
+import tomllib, pathlib
+data = tomllib.loads(pathlib.Path('pyproject.toml').read_text())
+deps = data.get('project', {}).get('dependencies', [])
+for d in deps:
+    print(d.split('>=')[0].split('==')[0].split('<')[0].split('>')[0].split('~=')[0].strip())
+" 2>/dev/null || true
+```
+
+Then use Grep to search for `import pkg` or `from pkg import` across `.py` files.
+
+Known exceptions: pytest plugins, mypy/ruff extensions, ASGI/WSGI servers (uvicorn, gunicorn), and packages used only in configuration files.
+
+### Version Conflicts
+
+```bash
+# pip check for broken dependencies
+pip check 2>/dev/null || true
+```
+
+### License Listing
+
+```bash
+# pip-licenses
+pip-licenses 2>/dev/null || true
+
+# pip-licenses with format
+pip-licenses --format=json 2>/dev/null || true
+```
+
+---
+
+## Rust (cargo)
+
+### Outdated Packages
+
+```bash
+# Requires cargo-outdated
+cargo outdated 2>/dev/null || true
+
+# Alternative: check Cargo.toml against crates.io manually
+cargo search <crate_name> 2>/dev/null || true
+```
+
+### Security Audit
+
+```bash
+# Requires cargo-audit
+cargo audit 2>/dev/null || true
+
+# JSON output
+cargo audit --json 2>/dev/null || true
+```
+
+### Unused Detection
+
+```bash
+# Requires cargo-udeps (nightly)
+cargo +nightly udeps 2>/dev/null || true
+```
+
+If `cargo-udeps` is unavailable, cross-reference `Cargo.toml` `[dependencies]` with `use` statements in `src/**/*.rs`.
+
+### Version Conflicts
+
+```bash
+# Check dependency tree for duplicates
+cargo tree --duplicates 2>/dev/null || true
+```
+
+### License Listing
+
+```bash
+# Requires cargo-license
+cargo license 2>/dev/null || true
+
+# Alternative: cargo-deny
+cargo deny check licenses 2>/dev/null || true
+```
+
+---
+
+## Go
+
+### Outdated Packages
+
+```bash
+# List all dependencies with available updates
+go list -u -m all 2>/dev/null || true
+```
+
+### Security Audit
+
+```bash
+# Official Go vulnerability checker
+govulncheck ./... 2>/dev/null || true
+```
+
+### Unused Detection
+
+Go modules are imported explicitly. Check for modules in `go.mod` not imported in any `.go` file:
+
+```bash
+# List declared modules
+go list -m all 2>/dev/null | tail -n +2 || true
+
+# Tidy check (would remove unused, but don't run with -v to avoid modifications)
+# Instead, compare go.mod with actual imports via Grep
+```
+
+### Version Conflicts
+
+Go uses minimum version selection — conflicts are rare. Check for replace directives that may mask issues:
+
+```bash
+# Show replace directives
+grep -n "replace" go.mod 2>/dev/null || true
+
+# Verify module graph consistency
+go mod verify 2>/dev/null || true
+```
+
+### License Listing
+
+```bash
+# Requires go-licenses
+go-licenses csv ./... 2>/dev/null || true
+
+# Alternative: manual check via go.sum and module proxy
+```
+
+---
+
+## Error Handling
+
+When a tool is not installed:
+- Note it as **unavailable** in the report.
+- Skip that check and proceed to the next.
+- Suggest installation if the tool would provide significant value.
+- Never attempt to install tools — that changes system state.
+
+Common missing tools and alternatives:
+| Tool | Ecosystem | Alternative |
+|------|-----------|-------------|
+| `cargo-audit` | Rust | Check RustSec advisory DB manually |
+| `cargo-outdated` | Rust | `cargo search` per crate |
+| `pip-audit` | Python | `safety check` |
+| `govulncheck` | Go | Check Go vulnerability DB manually |
+| `license-checker` | Node.js | Read `license` field from each `node_modules/*/package.json` |