tech-hub-skills 1.2.0 → 1.5.2

package/{tech_hub_skills → .claude}/roles/code-review/skills/01-automated-code-review/README.md

@@ -1,394 +1,394 @@
-# cr-01: Automated Code Review
-
-AI-powered automated code analysis for consistent quality enforcement.
-
-## Overview
-
-Automated code review integrates static analysis, security scanning, and AI-powered suggestions to catch issues before human review. This reduces review burden and ensures consistent quality standards.
-
-## Capabilities
-
-### Static Analysis
-- **Linting**: ESLint, Pylint, RuboCop, golangci-lint
-- **Formatting**: Prettier, Black, gofmt
-- **Type checking**: TypeScript, mypy, Pyright
-- **Complexity**: Cyclomatic, cognitive complexity metrics
-
-### Security Scanning
-- **SAST**: SonarQube, Semgrep, CodeQL
-- **Dependency scanning**: Snyk, Dependabot, npm audit
-- **Secret detection**: GitLeaks, TruffleHog
-- **Container scanning**: Trivy, Grype
-
-### AI-Powered Analysis
-- Code suggestions and improvements
-- Bug prediction and detection
-- Performance anti-pattern identification
-- Documentation gap detection
-
-## Implementation
-
-### GitHub Actions Workflow
-
-```yaml
-name: Automated Code Review
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-
-permissions:
-  contents: read
-  pull-requests: write
-  security-events: write
-
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-          cache: 'npm'
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Run ESLint
-        run: |
-          npx eslint . --format=json --output-file=eslint-report.json || true
-
-      - name: Annotate PR with ESLint results
-        uses: ataylorme/eslint-annotate-action@v2
-        with:
-          report-json: "eslint-report.json"
-
-  security:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Run Semgrep
-        uses: returntocorp/semgrep-action@v1
-        with:
-          config: p/security-audit p/secrets
-
-      - name: Run Snyk
-        uses: snyk/actions/node@master
-        continue-on-error: true
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
-      - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: snyk.sarif
-
-  complexity:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Check complexity
-        run: |
-          npx complexity-report --format json --output complexity.json src/
-
-      - name: Comment complexity report
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const report = JSON.parse(fs.readFileSync('complexity.json'));
-            const high = report.filter(f => f.complexity > 15);
-            if (high.length > 0) {
-              const body = '## Complexity Warning\n\n' +
-                high.map(f => `- \`${f.file}\`: ${f.complexity}`).join('\n');
-              github.rest.issues.createComment({
-                issue_number: context.issue.number,
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                body
-              });
-            }
-```
-
-### Azure DevOps Pipeline
-
-```yaml
-trigger: none
-pr:
-  branches:
-    include:
-      - main
-      - develop
-
-pool:
-  vmImage: 'ubuntu-latest'
-
-stages:
-  - stage: AutomatedReview
-    displayName: 'Automated Code Review'
-    jobs:
-      - job: StaticAnalysis
-        displayName: 'Static Analysis'
-        steps:
-          - task: NodeTool@0
-            inputs:
-              versionSpec: '20.x'
-
-          - script: npm ci
-            displayName: 'Install dependencies'
-
-          - script: |
-              npx eslint . --format stylish --output-file $(Build.ArtifactStagingDirectory)/eslint.txt
-            displayName: 'Run ESLint'
-            continueOnError: true
-
-          - task: PublishBuildArtifacts@1
-            inputs:
-              pathToPublish: '$(Build.ArtifactStagingDirectory)'
-              artifactName: 'code-review'
-
-      - job: SecurityScan
-        displayName: 'Security Scanning'
-        steps:
-          - task: SonarQubePrepare@5
-            inputs:
-              SonarQube: 'SonarQube-Connection'
-              scannerMode: 'CLI'
-              configMode: 'manual'
-              cliProjectKey: '$(Build.Repository.Name)'
-
-          - task: SonarQubeAnalyze@5
-
-          - task: SonarQubePublish@5
-            inputs:
-              pollingTimeoutSec: '300'
-
-          - task: sonar-buildbreaker@8
-            inputs:
-              SonarQube: 'SonarQube-Connection'
-```
-
-### Python Analysis Script
-
-```python
-#!/usr/bin/env python3
-"""Automated code review analyzer."""
-
-import json
-import subprocess
-from dataclasses import dataclass
-from pathlib import Path
-from typing import List, Dict, Any
-
-@dataclass
-class ReviewFinding:
-    """Represents a code review finding."""
-    file: str
-    line: int
-    severity: str  # critical, high, medium, low, info
-    category: str  # security, quality, performance, style
-    message: str
-    rule: str
-    suggestion: str = ""
-
-class AutomatedReviewer:
-    """Enterprise automated code reviewer."""
-
-    def __init__(self, project_path: str = "."):
-        self.project_path = Path(project_path)
-        self.findings: List[ReviewFinding] = []
-
-    def run_eslint(self) -> List[ReviewFinding]:
-        """Run ESLint for JavaScript/TypeScript."""
-        result = subprocess.run(
-            ["npx", "eslint", ".", "--format=json"],
-            capture_output=True,
-            text=True,
-            cwd=self.project_path
-        )
-
-        findings = []
-        if result.stdout:
-            data = json.loads(result.stdout)
-            for file_result in data:
-                for msg in file_result.get("messages", []):
-                    findings.append(ReviewFinding(
-                        file=file_result["filePath"],
-                        line=msg.get("line", 0),
-                        severity=self._map_severity(msg.get("severity", 1)),
-                        category="style" if "style" in msg.get("ruleId", "") else "quality",
-                        message=msg.get("message", ""),
-                        rule=msg.get("ruleId", ""),
-                        suggestion=msg.get("fix", {}).get("text", "") if msg.get("fix") else ""
-                    ))
-        return findings
-
-    def run_semgrep(self) -> List[ReviewFinding]:
-        """Run Semgrep for security analysis."""
-        result = subprocess.run(
-            ["semgrep", "--config=auto", "--json", "."],
-            capture_output=True,
-            text=True,
-            cwd=self.project_path
-        )
-
-        findings = []
-        if result.stdout:
-            data = json.loads(result.stdout)
-            for finding in data.get("results", []):
-                findings.append(ReviewFinding(
-                    file=finding["path"],
-                    line=finding["start"]["line"],
-                    severity=finding.get("extra", {}).get("severity", "medium"),
-                    category="security",
-                    message=finding["extra"].get("message", ""),
-                    rule=finding["check_id"],
-                    suggestion=finding.get("extra", {}).get("fix", "")
-                ))
-        return findings
-
-    def run_complexity_check(self) -> List[ReviewFinding]:
-        """Check code complexity."""
-        # Implementation depends on language
-        # This is a placeholder for complexity analysis
-        return []
-
-    def _map_severity(self, eslint_severity: int) -> str:
-        """Map ESLint severity to standard levels."""
-        return {1: "low", 2: "medium"}.get(eslint_severity, "info")
-
-    def run_all_checks(self) -> Dict[str, Any]:
-        """Run all automated checks."""
-        self.findings.extend(self.run_eslint())
-        self.findings.extend(self.run_semgrep())
-        self.findings.extend(self.run_complexity_check())
-
-        return {
-            "total_findings": len(self.findings),
-            "by_severity": self._count_by_severity(),
-            "by_category": self._count_by_category(),
-            "blocking": self._get_blocking_issues(),
-            "findings": [f.__dict__ for f in self.findings]
-        }
-
-    def _count_by_severity(self) -> Dict[str, int]:
-        """Count findings by severity."""
-        counts = {"critical": 0, "high": 0, "medium": 0, "low": 0, "info": 0}
-        for f in self.findings:
-            counts[f.severity] = counts.get(f.severity, 0) + 1
-        return counts
-
-    def _count_by_category(self) -> Dict[str, int]:
-        """Count findings by category."""
-        counts = {}
-        for f in self.findings:
-            counts[f.category] = counts.get(f.category, 0) + 1
-        return counts
-
-    def _get_blocking_issues(self) -> List[Dict]:
-        """Get issues that should block merge."""
-        blocking = [f for f in self.findings
-                   if f.severity in ("critical", "high") or f.category == "security"]
-        return [f.__dict__ for f in blocking]
-
-    def generate_pr_comment(self) -> str:
-        """Generate a PR comment with findings."""
-        counts = self._count_by_severity()
-        blocking = self._get_blocking_issues()
-
-        comment = "## Automated Code Review Results\n\n"
-
-        if blocking:
-            comment += "### Blocking Issues\n"
-            for issue in blocking[:10]:  # Limit to 10
-                comment += f"- **{issue['severity'].upper()}** [{issue['rule']}] "
-                comment += f"`{issue['file']}:{issue['line']}` - {issue['message']}\n"
-            comment += "\n"
-
-        comment += "### Summary\n"
-        comment += f"- Critical: {counts['critical']}\n"
-        comment += f"- High: {counts['high']}\n"
-        comment += f"- Medium: {counts['medium']}\n"
-        comment += f"- Low: {counts['low']}\n"
-
-        if not blocking:
-            comment += "\n All automated checks passed.\n"
-        else:
-            comment += "\n Please address blocking issues before merge.\n"
-
-        return comment
-
-
-if __name__ == "__main__":
-    reviewer = AutomatedReviewer()
-    results = reviewer.run_all_checks()
-    print(json.dumps(results, indent=2))
-```
-
-## Configuration
-
-### ESLint Configuration (.eslintrc.json)
-```json
-{
-  "extends": [
-    "eslint:recommended",
-    "plugin:@typescript-eslint/recommended",
-    "plugin:security/recommended"
-  ],
-  "plugins": ["security", "@typescript-eslint"],
-  "rules": {
-    "complexity": ["error", 15],
-    "max-depth": ["error", 4],
-    "max-lines-per-function": ["error", 100],
-    "no-eval": "error",
-    "security/detect-eval-with-expression": "error",
-    "security/detect-non-literal-regexp": "warn"
-  }
-}
-```
-
-### Semgrep Configuration (.semgrep.yml)
-```yaml
-rules:
-  - id: hardcoded-secret
-    patterns:
-      - pattern-regex: (password|secret|key|token)\s*=\s*["'][^"']+["']
-    message: "Potential hardcoded secret detected"
-    severity: ERROR
-    languages: [python, javascript, typescript]
-
-  - id: sql-injection
-    patterns:
-      - pattern: $QUERY = "..." + $INPUT + "..."
-      - pattern: f"SELECT ... {$INPUT} ..."
-    message: "Potential SQL injection vulnerability"
-    severity: ERROR
-    languages: [python, javascript]
-```
-
-## Metrics
-
-| Metric | Target | Description |
-|--------|--------|-------------|
-| False positive rate | < 10% | Minimize noise |
-| Detection rate | > 90% | Catch real issues |
-| Scan time | < 5 min | Fast feedback |
-| Coverage | 100% changed files | Review all changes |
-
-## Connections
-
-- **Inputs from**: Developer push, PR creation
-- **Outputs to**: PR comments, quality gates (cr-03)
-- **Integrates with**: Security Architect (sa-05), DevOps (do-09)
-
-## Best Practices
-
-1. Run automated checks on every push, not just PRs
-2. Fix tool configuration issues quickly to maintain trust
-3. Suppress false positives with inline comments, not config
-4. Review and update rules quarterly
-5. Track false positive rate and tune accordingly
+# cr-01: Automated Code Review
+
+AI-powered automated code analysis for consistent quality enforcement.
+
+## Overview
+
+Automated code review integrates static analysis, security scanning, and AI-powered suggestions to catch issues before human review. This reduces review burden and ensures consistent quality standards.
+
+## Capabilities
+
+### Static Analysis
+- **Linting**: ESLint, Pylint, RuboCop, golangci-lint
+- **Formatting**: Prettier, Black, gofmt
+- **Type checking**: TypeScript, mypy, Pyright
+- **Complexity**: Cyclomatic, cognitive complexity metrics
+
+### Security Scanning
+- **SAST**: SonarQube, Semgrep, CodeQL
+- **Dependency scanning**: Snyk, Dependabot, npm audit
+- **Secret detection**: GitLeaks, TruffleHog
+- **Container scanning**: Trivy, Grype
+
+### AI-Powered Analysis
+- Code suggestions and improvements
+- Bug prediction and detection
+- Performance anti-pattern identification
+- Documentation gap detection
+
+## Implementation
+
+### GitHub Actions Workflow
+
+```yaml
+name: Automated Code Review
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write
+  security-events: write
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run ESLint
+        run: |
+          npx eslint . --format=json --output-file=eslint-report.json || true
+
+      - name: Annotate PR with ESLint results
+        uses: ataylorme/eslint-annotate-action@v2
+        with:
+          report-json: "eslint-report.json"
+
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Semgrep
+        uses: returntocorp/semgrep-action@v1
+        with:
+          config: p/security-audit p/secrets
+
+      - name: Run Snyk
+        uses: snyk/actions/node@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: snyk.sarif
+
+  complexity:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check complexity
+        run: |
+          npx complexity-report --format json --output complexity.json src/
+
+      - name: Comment complexity report
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const report = JSON.parse(fs.readFileSync('complexity.json'));
+            const high = report.filter(f => f.complexity > 15);
+            if (high.length > 0) {
+              const body = '## Complexity Warning\n\n' +
+                high.map(f => `- \`${f.file}\`: ${f.complexity}`).join('\n');
+              github.rest.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body
+              });
+            }
+```
+
+### Azure DevOps Pipeline
+
+```yaml
+trigger: none
+pr:
+  branches:
+    include:
+      - main
+      - develop
+
+pool:
+  vmImage: 'ubuntu-latest'
+
+stages:
+  - stage: AutomatedReview
+    displayName: 'Automated Code Review'
+    jobs:
+      - job: StaticAnalysis
+        displayName: 'Static Analysis'
+        steps:
+          - task: NodeTool@0
+            inputs:
+              versionSpec: '20.x'
+
+          - script: npm ci
+            displayName: 'Install dependencies'
+
+          - script: |
+              npx eslint . --format stylish --output-file $(Build.ArtifactStagingDirectory)/eslint.txt
+            displayName: 'Run ESLint'
+            continueOnError: true
+
+          - task: PublishBuildArtifacts@1
+            inputs:
+              pathToPublish: '$(Build.ArtifactStagingDirectory)'
+              artifactName: 'code-review'
+
+      - job: SecurityScan
+        displayName: 'Security Scanning'
+        steps:
+          - task: SonarQubePrepare@5
+            inputs:
+              SonarQube: 'SonarQube-Connection'
+              scannerMode: 'CLI'
+              configMode: 'manual'
+              cliProjectKey: '$(Build.Repository.Name)'
+
+          - task: SonarQubeAnalyze@5
+
+          - task: SonarQubePublish@5
+            inputs:
+              pollingTimeoutSec: '300'
+
+          - task: sonar-buildbreaker@8
+            inputs:
+              SonarQube: 'SonarQube-Connection'
+```
+
+### Python Analysis Script
+
+```python
+#!/usr/bin/env python3
+"""Automated code review analyzer."""
+
+import json
+import subprocess
+from dataclasses import dataclass
+from pathlib import Path
+from typing import List, Dict, Any
+
+@dataclass
+class ReviewFinding:
+    """Represents a code review finding."""
+    file: str
+    line: int
+    severity: str  # critical, high, medium, low, info
+    category: str  # security, quality, performance, style
+    message: str
+    rule: str
+    suggestion: str = ""
+
+class AutomatedReviewer:
+    """Enterprise automated code reviewer."""
+
+    def __init__(self, project_path: str = "."):
+        self.project_path = Path(project_path)
+        self.findings: List[ReviewFinding] = []
+
+    def run_eslint(self) -> List[ReviewFinding]:
+        """Run ESLint for JavaScript/TypeScript."""
+        result = subprocess.run(
+            ["npx", "eslint", ".", "--format=json"],
+            capture_output=True,
+            text=True,
+            cwd=self.project_path
+        )
+
+        findings = []
+        if result.stdout:
+            data = json.loads(result.stdout)
+            for file_result in data:
+                for msg in file_result.get("messages", []):
+                    findings.append(ReviewFinding(
+                        file=file_result["filePath"],
+                        line=msg.get("line", 0),
+                        severity=self._map_severity(msg.get("severity", 1)),
+                        category="style" if "style" in msg.get("ruleId", "") else "quality",
+                        message=msg.get("message", ""),
+                        rule=msg.get("ruleId", ""),
+                        suggestion=msg.get("fix", {}).get("text", "") if msg.get("fix") else ""
+                    ))
+        return findings
+
+    def run_semgrep(self) -> List[ReviewFinding]:
+        """Run Semgrep for security analysis."""
+        result = subprocess.run(
+            ["semgrep", "--config=auto", "--json", "."],
+            capture_output=True,
+            text=True,
+            cwd=self.project_path
+        )
+
+        findings = []
+        if result.stdout:
+            data = json.loads(result.stdout)
+            for finding in data.get("results", []):
+                findings.append(ReviewFinding(
+                    file=finding["path"],
+                    line=finding["start"]["line"],
+                    severity=finding.get("extra", {}).get("severity", "medium"),
+                    category="security",
+                    message=finding["extra"].get("message", ""),
+                    rule=finding["check_id"],
+                    suggestion=finding.get("extra", {}).get("fix", "")
+                ))
+        return findings
+
+    def run_complexity_check(self) -> List[ReviewFinding]:
+        """Check code complexity."""
+        # Implementation depends on language
+        # This is a placeholder for complexity analysis
+        return []
+
+    def _map_severity(self, eslint_severity: int) -> str:
+        """Map ESLint severity to standard levels."""
+        return {1: "low", 2: "medium"}.get(eslint_severity, "info")
+
+    def run_all_checks(self) -> Dict[str, Any]:
+        """Run all automated checks."""
+        self.findings.extend(self.run_eslint())
+        self.findings.extend(self.run_semgrep())
+        self.findings.extend(self.run_complexity_check())
+
+        return {
+            "total_findings": len(self.findings),
+            "by_severity": self._count_by_severity(),
+            "by_category": self._count_by_category(),
+            "blocking": self._get_blocking_issues(),
+            "findings": [f.__dict__ for f in self.findings]
+        }
+
+    def _count_by_severity(self) -> Dict[str, int]:
+        """Count findings by severity."""
+        counts = {"critical": 0, "high": 0, "medium": 0, "low": 0, "info": 0}
+        for f in self.findings:
+            counts[f.severity] = counts.get(f.severity, 0) + 1
+        return counts
+
+    def _count_by_category(self) -> Dict[str, int]:
+        """Count findings by category."""
+        counts = {}
+        for f in self.findings:
+            counts[f.category] = counts.get(f.category, 0) + 1
+        return counts
+
+    def _get_blocking_issues(self) -> List[Dict]:
+        """Get issues that should block merge."""
+        blocking = [f for f in self.findings
+                   if f.severity in ("critical", "high") or f.category == "security"]
+        return [f.__dict__ for f in blocking]
+
+    def generate_pr_comment(self) -> str:
+        """Generate a PR comment with findings."""
+        counts = self._count_by_severity()
+        blocking = self._get_blocking_issues()
+
+        comment = "## Automated Code Review Results\n\n"
+
+        if blocking:
+            comment += "### Blocking Issues\n"
+            for issue in blocking[:10]:  # Limit to 10
+                comment += f"- **{issue['severity'].upper()}** [{issue['rule']}] "
+                comment += f"`{issue['file']}:{issue['line']}` - {issue['message']}\n"
+            comment += "\n"
+
+        comment += "### Summary\n"
+        comment += f"- Critical: {counts['critical']}\n"
+        comment += f"- High: {counts['high']}\n"
+        comment += f"- Medium: {counts['medium']}\n"
+        comment += f"- Low: {counts['low']}\n"
+
+        if not blocking:
+            comment += "\n All automated checks passed.\n"
+        else:
+            comment += "\n Please address blocking issues before merge.\n"
+
+        return comment
+
+
+if __name__ == "__main__":
+    reviewer = AutomatedReviewer()
+    results = reviewer.run_all_checks()
+    print(json.dumps(results, indent=2))
+```
+
+## Configuration
+
+### ESLint Configuration (.eslintrc.json)
+```json
+{
+  "extends": [
+    "eslint:recommended",
+    "plugin:@typescript-eslint/recommended",
+    "plugin:security/recommended"
+  ],
+  "plugins": ["security", "@typescript-eslint"],
+  "rules": {
+    "complexity": ["error", 15],
+    "max-depth": ["error", 4],
+    "max-lines-per-function": ["error", 100],
+    "no-eval": "error",
+    "security/detect-eval-with-expression": "error",
+    "security/detect-non-literal-regexp": "warn"
+  }
+}
+```
+
+### Semgrep Configuration (.semgrep.yml)
+```yaml
+rules:
+  - id: hardcoded-secret
+    patterns:
+      - pattern-regex: (password|secret|key|token)\s*=\s*["'][^"']+["']
+    message: "Potential hardcoded secret detected"
+    severity: ERROR
+    languages: [python, javascript, typescript]
+
+  - id: sql-injection
+    patterns:
+      - pattern: $QUERY = "..." + $INPUT + "..."
+      - pattern: f"SELECT ... {$INPUT} ..."
+    message: "Potential SQL injection vulnerability"
+    severity: ERROR
+    languages: [python, javascript]
+```
+
+## Metrics
+
+| Metric | Target | Description |
+|--------|--------|-------------|
+| False positive rate | < 10% | Minimize noise |
+| Detection rate | > 90% | Catch real issues |
+| Scan time | < 5 min | Fast feedback |
+| Coverage | 100% changed files | Review all changes |
+
+## Connections
+
+- **Inputs from**: Developer push, PR creation
+- **Outputs to**: PR comments, quality gates (cr-03)
+- **Integrates with**: Security Architect (sa-05), DevOps (do-09)
+
+## Best Practices
+
+1. Run automated checks on every push, not just PRs
+2. Fix tool configuration issues quickly to maintain trust
+3. Suppress false positives with inline comments, not config
+4. Review and update rules quarterly
+5. Track false positive rate and tune accordingly