devflow-kit 1.1.0 → 1.2.0

package/plugins/devflow-rust/skills/rust/references/violations.md

@@ -0,0 +1,191 @@
+# Rust Violation Examples
+
+Extended violation patterns for Rust reviews. Reference from main SKILL.md.
+
+## Unwrap Abuse
+
+### Unwrap in Library Code
+
+```rust
+// VIOLATION: Panics on None — caller has no way to handle failure
+pub fn get_username(users: &HashMap<u64, String>, id: u64) -> &str {
+    users.get(&id).unwrap() // Panics if id not found
+}
+
+// VIOLATION: Unwrap on parse without context
+let port: u16 = std::env::var("PORT").unwrap().parse().unwrap();
+```
+
+### Expect Without Useful Message
+
+```rust
+// VIOLATION: Message doesn't help diagnose the problem
+let config = load_config().expect("failed");
+
+// CORRECT: Actionable message
+let config = load_config().expect("failed to load config from config.toml — does file exist?");
+```
+
+---
+
+## Unnecessary Cloning
+
+### Clone to Satisfy Borrow Checker
+
+```rust
+// VIOLATION: Cloning to work around borrow issues
+fn process_items(items: &Vec<Item>) {
+    let cloned = items.clone(); // Entire Vec cloned
+    for item in &cloned {
+        println!("{}", item.name);
+    }
+}
+
+// CORRECT: Just borrow
+fn process_items(items: &[Item]) {
+    for item in items {
+        println!("{}", item.name);
+    }
+}
+```
+
+### Clone in Hot Loop
+
+```rust
+// VIOLATION: Allocating on every iteration
+for record in &records {
+    let key = record.id.clone(); // String allocation per iteration
+    map.insert(key, record);
+}
+
+// CORRECT: Borrow or use references
+for record in &records {
+    map.insert(&record.id, record);
+}
+```
+
+---
+
+## Stringly-Typed APIs
+
+### String Where Enum Belongs
+
+```rust
+// VIOLATION: Any typo compiles and fails at runtime
+fn set_status(status: &str) {
+    match status {
+        "active" => { /* ... */ }
+        "inactive" => { /* ... */ }
+        _ => panic!("unknown status"), // Runtime failure
+    }
+}
+
+// CORRECT: Compiler enforces valid values
+enum Status { Active, Inactive }
+
+fn set_status(status: Status) {
+    match status {
+        Status::Active => { /* ... */ }
+        Status::Inactive => { /* ... */ }
+    } // Exhaustive — no default needed
+}
+```
+
+---
+
+## Unsafe Without Justification
+
+### Bare Unsafe Block
+
+```rust
+// VIOLATION: No safety comment explaining invariants
+unsafe {
+    let ptr = data.as_ptr();
+    std::ptr::copy_nonoverlapping(ptr, dest, len);
+}
+
+// CORRECT: Document why this is safe
+// SAFETY: `data` is guaranteed to be valid for `len` bytes because
+// it was allocated by `Vec::with_capacity(len)` and filled by `read_exact`.
+// `dest` is a valid pointer from `alloc::alloc(layout)` with matching size.
+unsafe {
+    std::ptr::copy_nonoverlapping(data.as_ptr(), dest, len);
+}
+```
+
+### Unnecessary Unsafe
+
+```rust
+// VIOLATION: Using unsafe when safe alternative exists
+unsafe fn get_element(slice: &[u8], index: usize) -> u8 {
+    *slice.get_unchecked(index)
+}
+
+// CORRECT: Safe indexing with bounds check
+fn get_element(slice: &[u8], index: usize) -> Option<u8> {
+    slice.get(index).copied()
+}
+```
+
+---
+
+## Ignoring Results
+
+### Discarding Write Errors
+
+```rust
+// VIOLATION: Write failure silently ignored
+let _ = file.write_all(data);
+let _ = file.flush();
+
+// CORRECT: Propagate errors
+file.write_all(data)?;
+file.flush()?;
+```
+
+### Ignoring Lock Poisoning
+
+```rust
+// VIOLATION: Silently ignoring poisoned mutex
+let guard = mutex.lock().unwrap_or_else(|e| e.into_inner());
+
+// CORRECT: Handle or propagate the poison
+let guard = mutex.lock().map_err(|_| AppError::LockPoisoned)?;
+```
+
+---
+
+## Concurrency Violations
+
+### Shared Mutable State Without Synchronization
+
+```rust
+// VIOLATION: Data race potential — no synchronization
+static mut COUNTER: u64 = 0;
+
+fn increment() {
+    unsafe { COUNTER += 1; } // Undefined behavior under concurrency
+}
+
+// CORRECT: Use atomic or mutex
+use std::sync::atomic::{AtomicU64, Ordering};
+static COUNTER: AtomicU64 = AtomicU64::new(0);
+
+fn increment() {
+    COUNTER.fetch_add(1, Ordering::Relaxed);
+}
+```
+
+### Blocking in Async Context
+
+```rust
+// VIOLATION: Blocks the async runtime thread
+async fn read_file(path: &str) -> Result<String, io::Error> {
+    std::fs::read_to_string(path) // Blocking call in async fn
+}
+
+// CORRECT: Use async file I/O or spawn_blocking
+async fn read_file(path: &str) -> Result<String, io::Error> {
+    tokio::fs::read_to_string(path).await
+}
+```

package/plugins/devflow-self-review/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "devflow-self-review",
   "description": "Self-review workflow: Simplifier + Scrutinizer for code quality",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "agents": ["simplifier", "scrutinizer", "validator"],
   "skills": ["self-review", "core-patterns"]
 }

package/plugins/devflow-specify/.claude-plugin/plugin.json

@@ -5,7 +5,7 @@
     "name": "DevFlow Contributors",
     "email": "dean@keren.dev"
   },
-  "version": "1.1.0",
+  "version": "1.2.0",
   "homepage": "https://github.com/dean0x/devflow",
   "repository": "https://github.com/dean0x/devflow",
   "license": "MIT",

package/plugins/devflow-typescript/.claude-plugin/plugin.json

@@ -0,0 +1,15 @@
+{
+  "name": "devflow-typescript",
+  "description": "TypeScript language patterns - type safety, generics, utility types, type guards",
+  "author": {
+    "name": "DevFlow Contributors",
+    "email": "dean@keren.dev"
+  },
+  "version": "1.2.0",
+  "homepage": "https://github.com/dean0x/devflow",
+  "repository": "https://github.com/dean0x/devflow",
+  "license": "MIT",
+  "keywords": ["typescript", "types", "generics", "type-safety"],
+  "agents": [],
+  "skills": ["typescript"]
+}

package/plugins/{devflow-core-skills → devflow-typescript}/skills/typescript/references/patterns.md

@@ -137,7 +137,7 @@ const isUndefined = (value: unknown): value is undefined =>
 const isNullish = (value: unknown): value is null | undefined =>
   value === null || value === undefined;
 
-const isFunction = (value: unknown): value is Function =>
+const isFunction = (value: unknown): value is (...args: unknown[]) => unknown =>
   typeof value === 'function';
 
 const isObject = (value: unknown): value is object =>
@@ -760,7 +760,7 @@ function debounce<T extends (...args: any[]) => any>(
   fn: T,
   delayMs: number
 ): (...args: Parameters<T>) => void {
-  let timeoutId: NodeJS.Timeout | null = null;
+  let timeoutId: ReturnType<typeof setTimeout> | null = null;
 
   return (...args: Parameters<T>) => {
     if (timeoutId) clearTimeout(timeoutId);
@@ -774,7 +774,7 @@ function throttle<T extends (...args: any[]) => any>(
   limitMs: number
 ): (...args: Parameters<T>) => void {
   let lastRun = 0;
-  let timeoutId: NodeJS.Timeout | null = null;
+  let timeoutId: ReturnType<typeof setTimeout> | null = null;
 
   return (...args: Parameters<T>) => {
     const now = Date.now();

package/shared/agents/coder.md

@@ -2,7 +2,7 @@
 name: Coder
 description: Autonomous task implementation on feature branch. Implements, tests, and commits.
 model: inherit
-skills: core-patterns, git-safety, implementation-patterns, git-workflow, typescript, react, test-patterns, input-validation, accessibility, frontend-design
+skills: core-patterns, git-safety, implementation-patterns, git-workflow, test-patterns, input-validation
 ---
 
 # Coder Agent
@@ -33,11 +33,16 @@ You receive from orchestrator:
 
 2. **Reference handoff** (if PRIOR_PHASE_SUMMARY provided): Use summary to validate your understanding of prior work, not as the sole source of truth. The actual code is authoritative.
 
-3. **Load domain skills**: Based on DOMAIN hint, apply relevant patterns:
-   - `backend`: typescript, implementation-patterns, input-validation
-   - `frontend`: react, typescript, accessibility, frontend-design
-   - `tests`: test-patterns, typescript
-   - `fullstack`: all of the above
+3. **Load domain skills**: Based on DOMAIN hint and files in scope, dynamically load relevant language/ecosystem skills by reading their SKILL.md. Only load skills that are installed:
+   - `backend` (TypeScript): Read `~/.claude/skills/typescript/SKILL.md`, `~/.claude/skills/input-validation/SKILL.md`
+   - `backend` (Go): Read `~/.claude/skills/go/SKILL.md`
+   - `backend` (Java): Read `~/.claude/skills/java/SKILL.md`
+   - `backend` (Python): Read `~/.claude/skills/python/SKILL.md`
+   - `backend` (Rust): Read `~/.claude/skills/rust/SKILL.md`
+   - `frontend`: Read `~/.claude/skills/react/SKILL.md`, `~/.claude/skills/typescript/SKILL.md`, `~/.claude/skills/accessibility/SKILL.md`, `~/.claude/skills/frontend-design/SKILL.md`
+   - `tests`: Read `~/.claude/skills/test-patterns/SKILL.md`, `~/.claude/skills/typescript/SKILL.md`
+   - `fullstack`: Combine backend + frontend skills
+   - If a Read fails (skill not installed), skip it silently and continue.
 
 4. **Implement the plan**: Work through execution steps systematically, creating and modifying files. Follow existing patterns. Type everything. Use Result types if codebase uses them.
 

package/shared/agents/reviewer.md

@@ -34,6 +34,10 @@ The orchestrator provides:
 | `react` | `~/.claude/skills/react/SKILL.md` |
 | `accessibility` | `~/.claude/skills/accessibility/SKILL.md` |
 | `frontend-design` | `~/.claude/skills/frontend-design/SKILL.md` |
+| `go` | `~/.claude/skills/go/SKILL.md` |
+| `java` | `~/.claude/skills/java/SKILL.md` |
+| `python` | `~/.claude/skills/python/SKILL.md` |
+| `rust` | `~/.claude/skills/rust/SKILL.md` |
 
 ## Responsibilities
 
@@ -117,3 +121,7 @@ Report format for `{output_path}`:
 | react | If .tsx/.jsx files changed |
 | accessibility | If .tsx/.jsx files changed |
 | frontend-design | If .tsx/.jsx/.css/.scss files changed |
+| go | If .go files changed |
+| java | If .java files changed |
+| python | If .py files changed |
+| rust | If .rs files changed |

package/shared/skills/ambient-router/SKILL.md

@@ -54,7 +54,7 @@ Based on classified intent, read the following skills to inform your response.
 
 | Intent | Primary Skills | Secondary (if file type matches) |
 |--------|---------------|----------------------------------|
-| **BUILD** | test-driven-development, implementation-patterns | typescript (.ts), react (.tsx/.jsx), frontend-design (CSS/UI), input-validation (forms/API), security-patterns (auth/crypto) |
+| **BUILD** | test-driven-development, implementation-patterns | typescript (.ts), react (.tsx/.jsx), go (.go), java (.java), python (.py), rust (.rs), frontend-design (CSS/UI), input-validation (forms/API), security-patterns (auth/crypto) |
 | **DEBUG** | test-patterns, core-patterns | git-safety (if git operations involved) |
 | **REVIEW** | self-review, core-patterns | test-patterns |
 | **PLAN** | implementation-patterns | core-patterns |

package/shared/skills/ambient-router/references/skill-catalog.md

@@ -16,6 +16,10 @@ These skills may be loaded during STANDARD-depth ambient routing.
 | react | React components in scope | `*.tsx`, `*.jsx` |
 | frontend-design | UI/styling work | `*.css`, `*.scss`, `*.tsx` with styling keywords |
 | input-validation | Forms, APIs, user input | Files with form/input/validation keywords |
+| go | Go files in scope | `*.go` |
+| java | Java files in scope | `*.java` |
+| python | Python files in scope | `*.py` |
+| rust | Rust files in scope | `*.rs` |
 | security-patterns | Auth, crypto, secrets | Files with auth/token/crypto/password keywords |
 
 ### DEBUG Intent

package/shared/skills/go/SKILL.md

@@ -0,0 +1,187 @@
+---
+name: go
+description: This skill should be used when the user works with Go files (.go), asks about "error handling", "interfaces", "goroutines", "channels", "packages", or discusses Go idioms and concurrency. Provides patterns for error handling, interface design, concurrency, and package organization.
+user-invocable: false
+allowed-tools: Read, Grep, Glob
+activation:
+  file-patterns:
+    - "**/*.go"
+  exclude:
+    - "vendor/**"
+---
+
+# Go Patterns
+
+Reference for Go-specific patterns, idioms, and best practices.
+
+## Iron Law
+
+> **ERRORS ARE VALUES**
+>
+> Never ignore errors. `if err != nil` is correctness, not boilerplate. Every error
+> return must be checked, wrapped with context, or explicitly documented as intentionally
+> ignored with `_ = fn()`. Silent error swallowing causes cascading failures.
+
+## When This Skill Activates
+
+- Working with Go codebases
+- Designing interfaces and packages
+- Implementing concurrent code
+- Handling errors
+- Structuring Go projects
+
+---
+
+## Error Handling
+
+### Wrap Errors with Context
+
+```go
+// BAD: return err
+// GOOD: return fmt.Errorf("reading config %s: %w", path, err)
+```
+
+### Sentinel Errors for Expected Conditions
+
+```go
+var ErrNotFound = errors.New("not found")
+
+func FindUser(id string) (*User, error) {
+    u, err := db.Get(id)
+    if err != nil {
+        return nil, fmt.Errorf("finding user %s: %w", id, err)
+    }
+    if u == nil {
+        return nil, ErrNotFound
+    }
+    return u, nil
+}
+// Caller: if errors.Is(err, ErrNotFound) { ... }
+```
+
+---
+
+## Interface Design
+
+### Accept Interfaces, Return Structs
+
+```go
+// BAD: func NewService(repo *PostgresRepo) *Service
+// GOOD: func NewService(repo Repository) *Service
+
+type Repository interface {
+    FindByID(ctx context.Context, id string) (*Entity, error)
+    Save(ctx context.Context, entity *Entity) error
+}
+```
+
+### Keep Interfaces Small
+
+```go
+// BAD: 10-method interface
+// GOOD: single-method interfaces composed as needed
+type Reader interface { Read(p []byte) (n int, err error) }
+type Writer interface { Write(p []byte) (n int, err error) }
+type ReadWriter interface { Reader; Writer }
+```
+
+---
+
+## Concurrency
+
+### Use Context for Cancellation
+
+```go
+func Process(ctx context.Context, items []Item) error {
+    g, ctx := errgroup.WithContext(ctx)
+    for _, item := range items {
+        g.Go(func() error {
+            return processItem(ctx, item)
+        })
+    }
+    return g.Wait()
+}
+```
+
+### Channel Direction
+
+```go
+// Declare direction in function signatures
+func producer(ch chan<- int) { ch <- 42 }
+func consumer(ch <-chan int) { v := <-ch; _ = v }
+```
+
+---
+
+## Package Design
+
+### Organize by Domain, Not by Type
+
+```go
+// BAD: models/, controllers/, services/
+// GOOD: user/, order/, payment/
+```
+
+### Export Only What's Needed
+
+```go
+// Internal helpers stay unexported (lowercase)
+func (s *Service) validate(u *User) error { ... }
+
+// Public API is exported (uppercase)
+func (s *Service) CreateUser(ctx context.Context, req CreateUserReq) (*User, error) { ... }
+```
+
+---
+
+## Zero Values
+
+```go
+// Use zero values as valid defaults
+var mu sync.Mutex     // Ready to use
+var buf bytes.Buffer  // Ready to use
+var wg sync.WaitGroup // Ready to use
+
+// Design types with useful zero values
+type Config struct {
+    Timeout time.Duration // zero = no timeout
+    Retries int           // zero = no retries
+}
+```
+
+---
+
+## Anti-Patterns
+
+| Pattern | Bad | Good |
+|---------|-----|------|
+| Ignoring error | `val, _ := fn()` | `val, err := fn(); if err != nil { ... }` |
+| Naked return | `return` in named returns | Explicit `return val, err` |
+| init() abuse | Complex `init()` functions | Explicit initialization in `main()` or constructors |
+| Interface pollution | Defining interfaces before use | Define interfaces at the consumer site |
+| Goroutine leak | `go fn()` without lifecycle | Use context, errgroup, or done channels |
+
+---
+
+## Extended References
+
+For additional patterns and examples:
+- `references/violations.md` - Common Go violations
+- `references/patterns.md` - Extended Go patterns
+- `references/detection.md` - Detection patterns for Go issues
+- `references/concurrency.md` - Advanced concurrency patterns
+
+---
+
+## Checklist
+
+- [ ] All errors checked or explicitly ignored with `_ =`
+- [ ] Errors wrapped with `fmt.Errorf("context: %w", err)`
+- [ ] Interfaces defined at consumer, not producer
+- [ ] Interfaces kept small (1-3 methods)
+- [ ] Context passed as first parameter
+- [ ] Goroutines have clear lifecycle/cancellation
+- [ ] Channel direction specified in signatures
+- [ ] Zero values are useful defaults
+- [ ] Packages organized by domain
+- [ ] No `init()` with side effects