devflow-kit 1.1.0 → 1.3.0

package/plugins/devflow-python/skills/python/references/violations.md

@@ -0,0 +1,204 @@
+# Python Violation Examples
+
+Extended violation patterns for Python reviews. Reference from main SKILL.md.
+
+## Type Safety Violations
+
+### Missing Type Hints
+
+```python
+# VIOLATION: No type annotations
+def process(data, config):
+    result = transform(data)
+    return result
+
+# VIOLATION: Partial annotations (inconsistent)
+def save(user: User, db):  # db missing type
+    return db.insert(user)
+
+# VIOLATION: Missing return type
+def calculate_total(items: list[Item]):
+    return sum(item.price for item in items)
+```
+
+### Bare Except Clauses
+
+```python
+# VIOLATION: Catches everything including SystemExit and KeyboardInterrupt
+try:
+    process_data()
+except:
+    pass
+
+# VIOLATION: Catches too broadly and silences
+try:
+    user = fetch_user(user_id)
+except Exception:
+    user = None  # Hides real errors (network, auth, parsing)
+
+# VIOLATION: Bare except with logging but no re-raise
+try:
+    critical_operation()
+except:
+    logger.error("Something failed")
+    # Swallows the error — caller never knows
+```
+
+## Data Modeling Violations
+
+### Raw Dicts Instead of Dataclasses
+
+```python
+# VIOLATION: Untyped dict — no IDE support, no validation
+user = {
+    "name": "Alice",
+    "email": "alice@example.com",
+    "age": 30,
+}
+
+# VIOLATION: Accessing dict keys without safety
+def get_display_name(user: dict) -> str:
+    return f"{user['first_name']} {user['last_name']}"  # KeyError risk
+
+# VIOLATION: Nested untyped dicts
+config = {
+    "database": {
+        "host": "localhost",
+        "port": 5432,
+    },
+    "cache": {
+        "ttl": 300,
+    },
+}
+```
+
+### Mutable Default Arguments
+
+```python
+# VIOLATION: Mutable default shared across calls
+def add_item(item: str, items: list[str] = []) -> list[str]:
+    items.append(item)
+    return items
+
+# VIOLATION: Dict default mutated in place
+def register(name: str, registry: dict[str, bool] = {}) -> None:
+    registry[name] = True
+
+# VIOLATION: Set default
+def collect(value: int, seen: set[int] = set()) -> set[int]:
+    seen.add(value)
+    return seen
+```
+
+## String Formatting Violations
+
+### Percent Formatting
+
+```python
+# VIOLATION: Old-style % formatting
+message = "Hello %s, you have %d messages" % (name, count)
+
+# VIOLATION: % formatting with dict — hard to read, error-prone
+log = "%(timestamp)s - %(level)s - %(message)s" % log_data
+```
+
+### String Concatenation in Loops
+
+```python
+# VIOLATION: O(n^2) string building
+result = ""
+for line in lines:
+    result += line + "\n"
+
+# CORRECT: Use join
+result = "\n".join(lines)
+```
+
+## Global State Violations
+
+### Module-Level Mutable State
+
+```python
+# VIOLATION: Global mutable state
+_cache = {}
+_connections = []
+
+def get_cached(key: str) -> Any:
+    return _cache.get(key)
+
+def add_connection(conn: Connection) -> None:
+    _connections.append(conn)
+
+# VIOLATION: Global variable modified by functions
+current_user = None
+
+def login(username: str) -> None:
+    global current_user
+    current_user = authenticate(username)
+```
+
+### Singleton via Module Import
+
+```python
+# VIOLATION: Hard-to-test singleton
+# db.py
+connection = create_connection(os.environ["DATABASE_URL"])
+
+# service.py
+from db import connection  # Cannot mock or swap for tests
+```
+
+## Import Violations
+
+### Wildcard Imports
+
+```python
+# VIOLATION: Pollutes namespace, hides dependencies
+from os.path import *
+from utils import *
+
+# VIOLATION: Star import in __init__.py
+# mypackage/__init__.py
+from .models import *
+from .services import *
+```
+
+### Circular Imports
+
+```python
+# VIOLATION: Circular dependency
+# models.py
+from services import UserService  # services imports models too
+
+# services.py
+from models import User  # Circular!
+```
+
+## Testing Violations
+
+### Assert in Production Code
+
+```python
+# VIOLATION: assert is stripped with -O flag
+def withdraw(account: Account, amount: float) -> None:
+    assert amount > 0, "Amount must be positive"  # Disabled in production!
+    assert account.balance >= amount, "Insufficient funds"
+    account.balance -= amount
+```
+
+### No pytest Fixtures
+
+```python
+# VIOLATION: Repeated setup in every test
+def test_create_user():
+    db = Database(":memory:")
+    db.create_tables()
+    service = UserService(db)
+    # ... test logic
+
+def test_update_user():
+    db = Database(":memory:")  # Duplicated setup
+    db.create_tables()
+    service = UserService(db)
+    # ... test logic
+```

package/plugins/devflow-react/.claude-plugin/plugin.json

@@ -0,0 +1,22 @@
+{
+  "name": "devflow-react",
+  "description": "React framework patterns - hooks, state management, composition, performance",
+  "author": {
+    "name": "DevFlow Contributors",
+    "email": "dean@keren.dev"
+  },
+  "version": "1.3.0",
+  "homepage": "https://github.com/dean0x/devflow",
+  "repository": "https://github.com/dean0x/devflow",
+  "license": "MIT",
+  "keywords": [
+    "react",
+    "hooks",
+    "state",
+    "components"
+  ],
+  "agents": [],
+  "skills": [
+    "react"
+  ]
+}

package/plugins/{devflow-core-skills → devflow-react}/skills/react/SKILL.md

@@ -95,7 +95,7 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
   const [user, setUser] = useState<User | null>(null);
   const login = async (creds: Credentials) => setUser(await authApi.login(creds));
   const logout = () => { authApi.logout(); setUser(null); };
-  return <AuthContext.Provider value={{ user, login, logout }}>{children}</AuthContext.Provider>;
+  return <AuthContext value={{ user, login, logout }}>{children}</AuthContext>;
 }
 
 export function useAuth() {

package/plugins/{devflow-core-skills → devflow-react}/skills/react/references/patterns.md

@@ -429,9 +429,9 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
   };
 
   return (
-    <AuthContext.Provider value={{ user, login, logout, isLoading }}>
+    <AuthContext value={{ user, login, logout, isLoading }}>
       {children}
-    </AuthContext.Provider>
+    </AuthContext>
   );
 }
 
@@ -590,7 +590,7 @@ function SearchInput() {
 ```tsx
 // CORRECT: Track previous value for comparisons
 function usePrevious<T>(value: T): T | undefined {
-  const ref = useRef<T>();
+  const ref = useRef<T | undefined>(undefined);
 
   useEffect(() => {
     ref.current = value;

package/plugins/devflow-resolve/.claude-plugin/plugin.json

@@ -5,12 +5,22 @@
     "name": "DevFlow Contributors",
     "email": "dean@keren.dev"
   },
-  "version": "1.1.0",
+  "version": "1.3.0",
   "homepage": "https://github.com/dean0x/devflow",
   "repository": "https://github.com/dean0x/devflow",
   "license": "MIT",
-  "keywords": ["issues", "fixes", "tech-debt", "resolution", "review"],
-  "agents": ["git", "resolver", "simplifier"],
+  "keywords": [
+    "issues",
+    "fixes",
+    "tech-debt",
+    "resolution",
+    "review"
+  ],
+  "agents": [
+    "git",
+    "resolver",
+    "simplifier"
+  ],
   "skills": [
     "implementation-patterns",
     "security-patterns",

package/plugins/devflow-resolve/skills/security-patterns/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: security-patterns
-description: Security vulnerability analysis patterns for code review. Detects injection flaws, authentication bypasses, insecure cryptography, hardcoded secrets, and missing input sanitization. Loaded by Reviewer agent when focus=security.
+description: This skill should be used when reviewing code for injection flaws, auth bypasses, or hardcoded secrets.
 user-invocable: false
 allowed-tools: Read, Grep, Glob
 ---

package/plugins/devflow-rust/.claude-plugin/plugin.json

@@ -0,0 +1,22 @@
+{
+  "name": "devflow-rust",
+  "description": "Rust language patterns - ownership, borrowing, error handling, type-driven design",
+  "author": {
+    "name": "DevFlow Contributors",
+    "email": "dean@keren.dev"
+  },
+  "version": "1.3.0",
+  "homepage": "https://github.com/dean0x/devflow",
+  "repository": "https://github.com/dean0x/devflow",
+  "license": "MIT",
+  "keywords": [
+    "rust",
+    "ownership",
+    "borrowing",
+    "type-safety"
+  ],
+  "agents": [],
+  "skills": [
+    "rust"
+  ]
+}

package/plugins/devflow-rust/skills/rust/SKILL.md

@@ -0,0 +1,193 @@
+---
+name: rust
+description: This skill should be used when the user works with Rust files (.rs), asks about "ownership", "borrowing", "lifetimes", "Result/Option", "traits", or discusses memory safety and type-driven design. Provides patterns for ownership, error handling, type system usage, and safe concurrency.
+user-invocable: false
+allowed-tools: Read, Grep, Glob
+activation:
+  file-patterns:
+    - "**/*.rs"
+  exclude:
+    - "**/target/**"
+---
+
+# Rust Patterns
+
+Reference for Rust-specific patterns, ownership model, and type-driven design.
+
+## Iron Law
+
+> **MAKE ILLEGAL STATES UNREPRESENTABLE**
+>
+> Encode invariants in the type system. If a function can fail, return `Result`. If a value
+> might be absent, return `Option`. If a state transition is invalid, make it uncompilable.
+> Runtime checks are a fallback, not a strategy.
+
+## When This Skill Activates
+
+- Working with Rust codebases
+- Designing type-safe APIs
+- Managing ownership and borrowing
+- Implementing error handling
+- Writing concurrent code
+
+---
+
+## Ownership & Borrowing
+
+### Prefer Borrowing Over Cloning
+
+```rust
+// BAD: fn process(data: String) — takes ownership unnecessarily
+// GOOD: fn process(data: &str) — borrows, caller keeps ownership
+
+fn process(data: &str) -> usize {
+    data.len()
+}
+```
+
+### Lifetime Annotations When Needed
+
+```rust
+// Return reference tied to input lifetime
+fn first_word(s: &str) -> &str {
+    s.split_whitespace().next().unwrap_or("")
+}
+
+// Explicit when compiler can't infer
+struct Excerpt<'a> {
+    text: &'a str,
+}
+```
+
+---
+
+## Error Handling
+
+### Use Result and the ? Operator
+
+```rust
+use std::fs;
+use std::io;
+
+fn read_config(path: &str) -> Result<Config, AppError> {
+    let content = fs::read_to_string(path)
+        .map_err(|e| AppError::Io { path: path.into(), source: e })?;
+    let config: Config = toml::from_str(&content)
+        .map_err(|e| AppError::Parse { source: e })?;
+    Ok(config)
+}
+```
+
+### Custom Error Types with thiserror
+
+```rust
+use thiserror::Error;
+
+#[derive(Error, Debug)]
+pub enum AppError {
+    #[error("IO error reading {path}")]
+    Io { path: String, #[source] source: io::Error },
+    #[error("parse error")]
+    Parse { #[from] source: toml::de::Error },
+    #[error("{entity} with id {id} not found")]
+    NotFound { entity: String, id: String },
+}
+```
+
+---
+
+## Type System
+
+### Newtype Pattern
+
+```rust
+// Prevent mixing up IDs
+struct UserId(String);
+struct OrderId(String);
+
+fn get_order(user_id: &UserId, order_id: &OrderId) -> Result<Order, AppError> {
+    // Can't accidentally swap parameters
+    todo!()
+}
+```
+
+### Enums for State Machines
+
+```rust
+enum Connection {
+    Disconnected,
+    Connecting { attempt: u32 },
+    Connected { session: Session },
+}
+
+// Each state carries only its relevant data
+// Invalid transitions are uncompilable
+```
+
+---
+
+## Patterns
+
+### Builder Pattern
+
+```rust
+pub struct ServerBuilder {
+    port: u16,
+    host: String,
+}
+
+impl ServerBuilder {
+    pub fn new() -> Self { Self { port: 8080, host: "localhost".into() } }
+    pub fn port(mut self, port: u16) -> Self { self.port = port; self }
+    pub fn host(mut self, host: impl Into<String>) -> Self { self.host = host.into(); self }
+    pub fn build(self) -> Server { Server { port: self.port, host: self.host } }
+}
+```
+
+### Iterator Chains Over Loops
+
+```rust
+// BAD: manual loop with push
+// GOOD:
+let active_names: Vec<&str> = users.iter()
+    .filter(|u| u.is_active)
+    .map(|u| u.name.as_str())
+    .collect();
+```
+
+---
+
+## Anti-Patterns
+
+| Pattern | Bad | Good |
+|---------|-----|------|
+| Unwrap in library | `.unwrap()` | `?` operator or `.ok_or()` |
+| Clone to satisfy borrow checker | `.clone()` everywhere | Restructure ownership |
+| String for everything | `HashMap<String, String>` | Typed structs and enums |
+| Ignoring Result | `let _ = write(...)` | Handle or propagate error |
+| Mutex<Vec> for message passing | Shared mutable state | Channels (`mpsc`) |
+
+---
+
+## Extended References
+
+For additional patterns and examples:
+- `references/violations.md` - Common Rust violations
+- `references/patterns.md` - Extended Rust patterns
+- `references/detection.md` - Detection patterns for Rust issues
+- `references/ownership.md` - Advanced ownership and lifetime patterns
+
+---
+
+## Checklist
+
+- [ ] No `.unwrap()` in library/application code (ok in tests)
+- [ ] Custom error types with `thiserror`
+- [ ] `?` operator for error propagation
+- [ ] Borrow instead of clone where possible
+- [ ] Newtype pattern for type-safe IDs
+- [ ] Enums for state machines
+- [ ] Iterator chains over manual loops
+- [ ] `#[must_use]` on Result-returning functions
+- [ ] No `unsafe` without safety comment
+- [ ] Clippy clean (`cargo clippy -- -D warnings`)

package/plugins/devflow-rust/skills/rust/references/detection.md

@@ -0,0 +1,131 @@
+# Rust Detection Patterns
+
+Grep and regex patterns for finding common Rust issues. Use with `Grep` tool.
+
+## Unwrap and Expect
+
+```bash
+# Find .unwrap() calls (exclude tests)
+grep -rn '\.unwrap()' --include='*.rs' --exclude-dir=tests --exclude='*_test.rs'
+
+# Find .expect() without descriptive message
+grep -rn '\.expect("")' --include='*.rs'
+
+# Find unwrap_or_default hiding errors
+grep -rn '\.unwrap_or_default()' --include='*.rs'
+```
+
+**Pattern**: `\.unwrap\(\)` — matches any `.unwrap()` call
+**Pattern**: `\.expect\("` — matches `.expect("` to review message quality
+
+---
+
+## Clone Abuse
+
+```bash
+# Find .clone() calls — review each for necessity
+grep -rn '\.clone()' --include='*.rs'
+
+# Find clone in loop bodies (likely hot-path waste)
+grep -rn -A2 'for.*in' --include='*.rs' | grep '\.clone()'
+
+# Find to_string() where &str would work
+grep -rn '\.to_string()' --include='*.rs'
+```
+
+**Pattern**: `\.clone\(\)` — all clone calls for manual review
+**Pattern**: `\.to_owned\(\)` — ownership transfer that may be unnecessary
+
+---
+
+## Unsafe Blocks
+
+```bash
+# Find all unsafe blocks
+grep -rn 'unsafe\s*{' --include='*.rs'
+
+# Find unsafe without SAFETY comment
+grep -rn -B2 'unsafe\s*{' --include='*.rs' | grep -v 'SAFETY'
+
+# Find unsafe functions
+grep -rn 'unsafe fn' --include='*.rs'
+```
+
+**Pattern**: `unsafe\s*\{` — unsafe blocks
+**Pattern**: `unsafe fn` — unsafe function declarations
+
+---
+
+## Incomplete Code
+
+```bash
+# Find todo! and unimplemented! macros
+grep -rn 'todo!\|unimplemented!' --include='*.rs'
+
+# Find unreachable! that may hide bugs
+grep -rn 'unreachable!' --include='*.rs'
+
+# Find panic! in non-test code
+grep -rn 'panic!' --include='*.rs' --exclude-dir=tests --exclude='*_test.rs'
+```
+
+**Pattern**: `todo!\(\)` — placeholder code
+**Pattern**: `unimplemented!\(\)` — unfinished implementations
+**Pattern**: `panic!\(` — explicit panics outside tests
+
+---
+
+## Error Handling Issues
+
+```bash
+# Find ignored Results (let _ = expr that returns Result)
+grep -rn 'let _ =' --include='*.rs'
+
+# Find empty match arms that may swallow errors
+grep -rn '=> {}' --include='*.rs'
+
+# Find catch-all match arms hiding missing cases
+grep -rn '_ =>' --include='*.rs'
+```
+
+**Pattern**: `let _ =` — potentially ignored Result or important value
+**Pattern**: `=> \{\}` — empty match arm (may swallow error)
+
+---
+
+## Concurrency Red Flags
+
+```bash
+# Find static mut (almost always wrong)
+grep -rn 'static mut' --include='*.rs'
+
+# Find blocking calls in async functions
+grep -rn 'std::fs::' --include='*.rs' | grep -v 'test'
+grep -rn 'std::thread::sleep' --include='*.rs'
+
+# Find Mutex without Arc in multi-threaded context
+grep -rn 'Mutex::new' --include='*.rs'
+```
+
+**Pattern**: `static mut` — mutable global state (data race risk)
+**Pattern**: `std::fs::` — blocking I/O that may appear in async context
+**Pattern**: `std::thread::sleep` — blocking sleep (use `tokio::time::sleep` in async)
+
+---
+
+## Clippy Lints
+
+Run Clippy for automated detection of many patterns above:
+
+```bash
+cargo clippy -- -D warnings
+cargo clippy -- -W clippy::pedantic
+cargo clippy -- -W clippy::nursery
+```
+
+Key Clippy lints that catch issues:
+- `clippy::unwrap_used` — flags unwrap calls
+- `clippy::clone_on_ref_ptr` — unnecessary Arc/Rc clone
+- `clippy::needless_pass_by_value` — should borrow instead
+- `clippy::missing_errors_doc` — public Result fn without doc
+- `clippy::wildcard_enum_match_arm` — catch-all hiding cases