code-review-forge 2.0.0a1__py3-none-any.whl

code_forge/skills/qodo-review/SKILL.md

@@ -0,0 +1,135 @@
+---
+name: qodo-review
+description: Change-aware pre-review with feature-grouped walkthrough and structured suggestions. Inspired by Qodo's review prompt, runs locally with no Qodo dependency. Replaces code-reviewer as pass 1 in three-cycle review.
+---
+
+# When to Use
+
+- **Pass 1** in the three-cycle static review (before `/code-review-expert` and `/adversarial-qe`)
+- Quick pre-review of uncommitted local changes before diving into deeper architectural review
+- When you want a structured walkthrough grouped by feature/behavior, not just file-by-file
+
+# When NOT to Use
+
+- Not a substitute for `/code-review-expert` (architecture, SOLID, P0-P3 severity)
+- Not a substitute for `/adversarial-qe` (adversarial testing gaps, edge case hunting)
+- Not for reviewing committed branch changes in the three-cycle flow (use the full cycle for that)
+
+# Arguments
+
+- No argument: review uncommitted changes (staged + unstaged)
+- `committed`: review current branch vs merge-base
+- `<path>`: review a specific patch file (argument contains `/` or `.`)
+- Other text: passed as context hint to focus the review
+
+# How It Works
+
+## Step 1: Gather Changes
+
+Determine the diff source based on arguments:
+
+**Default (uncommitted):**
+```bash
+git diff --name-only | wc -l        # file count
+git diff | wc -l                     # line count
+git diff --no-binary                 # actual diff
+```
+
+**committed mode:**
+```bash
+BASE=$(git merge-base HEAD $(git rev-parse --abbrev-ref @{upstream} 2>/dev/null || git remote show origin | grep 'HEAD branch' | awk '{print $NF}'))
+git diff --no-binary $BASE...HEAD
+```
+
+**Patch file mode:**
+```bash
+cat <path>
+```
+
+### Edge Cases
+
+- **Empty diff**: if `git diff --stat` produces no output, respond "No changes to review" and stop
+- **Large diff**: if file count >10 OR line count >500, split into batches of <=5 files. Review each batch serially. Output each batch's results before starting the next. Use `git diff --no-binary -- <file1> <file2> ...` per batch.
+- **Binary files**: always use `--no-binary` to exclude
+
+## Step 2: Output the Review
+
+Follow this exact structure. Do not write any text between sections  --  only headings and structured entries. Do not include internal reasoning or thinking steps.
+
+### Output Format
+
+```
+# Changes Summary
+<1-3 sentence summary: what was changed, which components affected, the intent>
+
+# Files Walkthrough
+
+#### <Feature or Behavior Group 1>
+
+**<file_path>** (`Changes` | `New file` | `Removed file`)  --  <theme>
+<1 sentence: why this file changed>
+
+\`\`\`diff
+- <relevant code before>
++ <relevant code after>
+\`\`\`
++<linesAdded> / -<linesRemoved>
+
+**<file_path_2>** (...)
+...
+
+#### <Feature or Behavior Group 2>
+...
+
+# Code Suggestions
+
+## 🔴 Security Vulnerabilities (<N> issues)
+
+### [🔴 High] <title>
+
+**File:** <filePath>
+**Description:** <description of the issue and why it matters>
+
+Suggested fix:
+\`\`\`<lang>
+<code suggestion>
+\`\`\`
+
+### [🔴 High] <title>
+...
+
+## 🔴 Potential Bugs (<N> issues)
+
+### [🔴 High | 🟡 Medium] <title>
+...
+
+## 🟡 Best Practice Violations (<N> issues)
+
+### [🟡 Medium] <title>
+...
+
+## 🟢 Minor Issues (<N> issues)
+
+### [🟢 Low] <title>
+...
+```
+
+### Anti-hallucination gate (mandatory per finding)
+
+Before reporting any finding, you MUST:
+1. Re-read the actual file at the cited line (use Read tool, not memory).
+2. Confirm the code you are analyzing matches what is actually in the file.
+3. If the finding references a function, variable, or constant by name, grep to confirm it exists.
+
+Findings that fail this gate are false positives. Do not report them.
+
+### Rules
+
+- Only include a category if issues were found in that category. If zero issues in a category, omit the entire section.
+- Severity markers: 🔴 High (must fix before merge), 🟡 Medium (problematic but non-critical), 🟢 Low (minor/stylistic)
+- Group files into features/behaviors in the walkthrough (e.g., "VLAN pop/push test rework", "Parser extension for push_vlan")
+- Use `diff` code blocks for before/after in walkthrough
+- Use language-specific code blocks for suggestions
+- Every suggestion must include file path and a concrete code fix
+- Categories in order: Security -> Bugs -> Best Practices -> Debug/Leftover Code -> Linting -> Other
+- This is a **read-only review**  --  do not modify any files, only output suggestions

code_forge/skills/smoke-test/SKILL.md

@@ -0,0 +1,253 @@
+---
+name: smoke-test
+description: Post-review smoke testing  --  verify code works by assembling assertions from a reusable shell primitive library
+allowed-tools:
+  - Shell
+  - ReadFile
+  - WriteFile
+---
+
+# Smoke Test (Step 4 of Review Pipeline)
+
+## Purpose
+
+Execute AFTER three-cycle static review (coder -> code-review-expert -> adversarial-qe) with zero findings.
+Verify code actually works at runtime using a reusable assertion primitive library.
+
+Static analysis catches design issues; smoke tests catch runtime issues.
+
+## When to Use
+
+- **Mandatory**: After three-cycle review shows zero findings and before final commit
+- **Optional**: When user asks "确定没问题么？" or similar verification questions
+- **Skip**: Documentation-only changes (pure markdown/comments with no executable code)
+
+## Workflow (4 Steps)
+
+### Step A: Analyze the Change
+
+Read the code diff. Identify:
+- What changed (new CLI param? error handling? file I/O? concurrency? security fix?)
+- The primary execution path (what command to run)
+- Expected outputs, side effects, and edge cases
+
+### Step B: Select Primitives
+
+Source the library and consult the decision table:
+
+```bash
+source ~/.claude/skills/smoke-test/test-library/shell/primitives.sh
+```
+
+| Change Type | Required Primitives | Optional |
+|------------|-------------------|----------|
+| New CLI parameter | `assert_success`, `assert_output_contains` | `assert_stderr_empty` |
+| Error handling | `assert_failure`, `assert_stderr_contains` | `assert_exit_code` |
+| File operations | `assert_file_exists`, `assert_file_contains` | `assert_file_not_exists` |
+| Concurrency | `assert_success` (xN), `assert_no_zombie` | `assert_temp_clean`, `assert_file_contains` (race check) |
+| Security patch | `assert_no_command_exec`, `assert_no_path_traversal` | `assert_output_not_contains` |
+| API response | `assert_json_valid`, `assert_output_contains` |  --  |
+| Config parsing | `assert_success`, `assert_file_contains` |  --  |
+| Log output | `assert_output_contains` | `assert_stderr_empty` |
+| Cleanup logic | `assert_file_not_exists` |  --  |
+
+Full primitive reference: `test-library/shell/README.md`  --  includes signatures, safety usage guide, combination rules, and zombie race constraints.
+
+### Step C: Assemble Test Script
+
+Act before Assert. One assertion per line. Values through parameters.
+
+**Standard pattern**:
+
+```bash
+run_and_capture ./script.sh --flag value
+output=$(cat "$SMOKE_LAST_STDOUT")
+assert_success "$SMOKE_LAST_STATUS" "script.sh --flag"
+assert_output_contains "$output" "expected text" "flag output"
+```
+
+**Error handling pattern**:
+
+```bash
+run_and_capture ./script.sh --bad-flag
+assert_failure "$SMOKE_LAST_STATUS" "script.sh --bad-flag"
+assert_stderr_contains "$(cat "$SMOKE_LAST_STDERR")" "error:" "bad flag error"
+```
+
+**Concurrency pattern (zombie detection before reap)**:
+
+```bash
+run_concurrent 5 ./script.sh
+sleep 0.5                              # wait for child exits, zombie forms
+assert_no_zombie $$ "concurrent run"    # detect BEFORE reap
+concurrent_wait; cw_status=$?
+assert_success "$cw_status" "concurrent execution"
+# Per-instance diagnostics on failure
+if [[ $cw_status -ne 0 ]]; then
+    for ((i=0; i<5; i++)); do
+        s=$(cat "$CONCURRENT_RESULT_DIR/$i.status" 2>/dev/null || echo unknown)
+        (( s != 0 )) && echo "  instance $i FAIL: exit=$s"
+    done
+fi
+```
+
+**Security pattern**:
+
+```bash
+# Test injection payloads
+for payload in '$(id)' '`whoami`' '; rm -rf /' '../../etc/passwd'; do
+    assert_no_command_exec "$payload" "payload: $payload"
+    assert_no_path_traversal "$payload" "payload: $payload"
+done
+
+# Test actual script input handling
+run_and_capture ./script.sh '$(id)'
+output=$(cat "$SMOKE_LAST_STDOUT")
+assert_output_not_contains "$output" "uid=" "injection not executed"
+```
+
+### Step D: Execute and Record
+
+Run the assembled test script. Count results:
+
+```bash
+PASS_COUNT=$(grep -c '^PASS: ' test_output.txt)
+FAIL_COUNT=$(grep -c '^FAIL: ' test_output.txt)
+```
+
+**Exit criteria**:
+- `FAIL_COUNT == 0`, all test categories covered (normal + boundary + security + concurrency if applicable)
+- Any FAIL -> fix the code, restart from Step 0 (syntax pre-check) of the review pipeline
+
+Record results in `REVIEW.md` Section 5 (Smoke Test Results):
+- The assembled test script
+- PASS/FAIL counts
+- Any FAIL details with debug context
+
+## Assembly Rules
+
+1. **One assertion per expected behavior**  --  don't combine checks into one `[[ ... ]]`
+2. **Act before Assert**  --  run the command first (via `run_and_capture`), then assert on the captured state
+3. **Values through parameters**  --  captured stdout/stderr/status go directly into assertion parameters, not global regex
+4. **Every test starts with `source primitives.sh`**  --  one line, all 19 functions (16 primitives + 3 helpers) available
+5. **No gaps in coverage**  --  decision table required primitives are non-negotiable
+
+## Prohibited Patterns
+
+- Do NOT modify tested code  --  smoke test is read-only verification
+- Do NOT depend on network  --  tests must pass offline
+- Do NOT include syntax checks (`bash -n`, `shellcheck`, `py_compile`, `go vet`)  --  these belong in Step 0 (syntax pre-check), before review cycles begin
+
+## Non-Shell File Strategy
+
+Shell primitives exist because bash has no standard test framework. Python, Go, and C already have mature frameworks  --  use them.
+
+| Language | Smoke Test Tool | Pattern |
+|----------|----------------|---------|
+| Shell | `source primitives.sh` | Decision table (Step B), standard patterns (Step C) |
+| Python | `pytest` | `subprocess.run(cmd, capture_output=True, text=True)` + `assert r.returncode == 0` |
+| Go | `go test` / `testing.T` | `exec.Command(...).CombinedOutput()` + `if err != nil { t.Fatal(...) }` |
+| Kernel C | `primitives.sh` (build) + `runtest -n` (job XML) | See "Kernel C Changes" below |
+
+Rationale: Python's `pytest` and Go's `testing` are industry standards that AI already knows. Replacing them with custom assertion functions provides no benefit and adds learning cost. Shell is the exception  --  it has no native test framework, so `primitives.sh` fills that gap. Kernel C is shell-adjacent: the verification targets (kbuild, runtest) are shell processes, so `primitives.sh` applies even though the source language is C.
+
+### Kernel C Changes (CentOS Stream / RHEL)
+
+Kernel smoke tests cannot achieve full functional verification within the 5-minute pre-commit window (Beaker runs take 30 min - 2 hr). Step 4 validates what's reachable locally; Step 5 handles Beaker.
+
+For kernel C commits, the CLAUDE.md commit marker rule has an explicit exception: `# post-review-c3` in kernel context means Step 4 complete (build passes + test plan exists). Step 5 (Beaker) is a separate pre-merge gate, not a pre-commit requirement.
+
+**Step 4 (pre-commit)**:
+
+```bash
+source ~/.claude/skills/smoke-test/test-library/shell/primitives.sh
+
+# 1. Build affected subsystem
+# In-tree (from kernel source dir):
+run_and_capture make M=net/openvswitch -j$(nproc)
+assert_success "$SMOKE_LAST_STATUS" "kbuild net/openvswitch"
+# Out-of-tree (external module):
+# run_and_capture make -C /lib/modules/$(uname -r)/build M=$PWD -j$(nproc)
+# assert_success "$SMOKE_LAST_STATUS" "kbuild external module"
+
+# 2. Identify corresponding kernel-qe test
+ls code/kernel/networking/openvswitch/ovs_kernel_socketmap/
+# If no existing test: note in REVIEW.md, plan follow-up
+
+# 3. Verify Beaker job XML can be generated (dry-run, do NOT submit)
+run_and_capture runtest -n --task=code/kernel/networking/openvswitch/ovs_kernel_socketmap
+assert_success "$SMOKE_LAST_STATUS" "runtest dry-run  --  job XML generated"
+```
+
+**Step 5 (pre-merge, separate from Step 4)**:
+
+```bash
+runtest -B <build-id> --task=code/kernel/networking/openvswitch/ovs_kernel_socketmap
+# Results on Beaker job page.
+```
+
+**Bug reproducer rules** (per CLAUDE.md):
+- Reproducer MUST trigger on buggy kernels and NOT trigger on fixed kernels
+- Manual reproduction insufficient -> escalate to kprobe/kretprobe kernel module
+- IBT constraint (`CONFIG_X86_KERNEL_IBT=y`): function-pointer calls to static symbols fail CET  --  trigger through kernel's own code paths
+
+## Output Format
+
+Smoke test results go into `REVIEW.md` Section 5:
+
+```
+## 5. Smoke Test Results
+
+**Date**: YYYY-MM-DD HH:MM
+**Files tested**: <list>
+**Primitives sourced**: ~/.claude/skills/smoke-test/test-library/shell/primitives.sh
+
+### Test Script
+\```bash
+source ~/.claude/skills/smoke-test/test-library/shell/primitives.sh
+run_and_capture ./script.sh --flag
+output=$(cat "$SMOKE_LAST_STDOUT")
+assert_success "$SMOKE_LAST_STATUS" "script.sh --flag"
+assert_output_contains "$output" "expected" "output check"
+\```
+
+### Results
+PASS: N  FAIL: 0
+
+### Categories
+- [x] Normal Path: PASS
+- [x] Boundary: PASS
+- [x] Security: PASS
+- [x] Concurrency: PASS (or N/A)
+```
+
+## Integration with Three-Cycle Review
+
+```
+Code Change -> Step 0: Syntax Pre-Check -> Cycle 1 (coder/expert/adversarial)
+  -> Any finding? -> Fix -> Cycle 1 restart
+  -> Zero findings? -> Cycle 2 (repeat 3 passes)
+  -> Any finding? -> Fix -> Cycle 1 restart
+  -> Zero findings? -> Cycle 3 (repeat 3 passes)
+  -> Any finding? -> Fix -> Cycle 1 restart
+  -> Zero findings? -> Step 4: Smoke Test (THIS SKILL)
+  -> Any FAIL? -> Fix -> Step 0 restart
+  -> All PASS? -> Commit with # post-review-c3
+```
+
+## Common Pitfalls
+
+1. **Skipping Act and going straight to Assert**: primitives need captured state  --  always `run_and_capture` first
+2. **Checking zombie AFTER wait**: `assert_no_zombie` must run before `concurrent_wait` reaps processes
+3. **Using `$?` instead of `$SMOKE_LAST_STATUS`**: `$?` changes on every command; `$SMOKE_LAST_STATUS` is stable
+4. **Not sourcing primitives.sh**: every test script must start with `source primitives.sh`
+5. **Writing custom assertion libraries for Python/Go/C**: use the language's standard test framework (pytest, go test). Shell is the only language that needs `primitives.sh`
+
+## References
+
+- `test-library/shell/primitives.sh`  --  15 assertion primitives + 3 helper functions
+- `test-library/shell/primitives_test.sh`  --  self-tests for every primitive
+- `test-library/shell/README.md`  --  decision table, safety guide, combination rules, dependencies
+- `references/injection-payloads.md`  --  common injection attack vectors
+- `references/boundary-cases.md`  --  edge cases by data type
+- `references/concurrency-patterns.md`  --  race condition test scenarios

code_forge/skills/smoke-test/references/boundary-cases.md

@@ -0,0 +1,114 @@
+# Boundary Cases by Data Type
+
+Edge cases that commonly cause bugs in production.
+
+## Strings
+
+| Case | Value | Common Bug |
+|------|-------|------------|
+| Empty | `""` | Unhandled empty check, division by zero on length |
+| Whitespace only | `"   "` | Treated as non-empty, fails validation |
+| Single char | `"a"` | Off-by-one in substring operations |
+| Very long | 10MB+ string | Memory exhaustion, buffer overflow |
+| Unicode | `"你好🎉"` | Byte vs character length mismatch |
+| Newlines | `"line1\nline2"` | Breaks line-based parsing |
+| Null bytes | `"foo\x00bar"` | String truncation in C-style APIs |
+| Control chars | `"\r\n\t\b"` | Terminal escape injection |
+
+## Numbers
+
+| Case | Value | Common Bug |
+|------|-------|------------|
+| Zero | `0` | Division by zero, empty array index |
+| Negative | `-1`, `-999` | Unsigned overflow, invalid array index |
+| Max int | `2147483647` (32-bit) | Overflow on +1 |
+| Min int | `-2147483648` (32-bit) | Overflow on negation |
+| Float precision | `0.1 + 0.2` | Not equal to `0.3` |
+| Infinity | `float('inf')` | Breaks comparisons |
+| NaN | `float('nan')` | Breaks equality checks |
+| Scientific notation | `1e10` | Parsing as string fails |
+
+## Collections
+
+| Case | Value | Common Bug |
+|------|-------|------------|
+| Empty array | `[]` | Index out of bounds on `arr[0]` |
+| Single element | `[1]` | Loop assumes multiple elements |
+| Duplicates | `[1, 1, 1]` | Set conversion loses data |
+| Very large | 1M+ elements | Memory exhaustion, O(n^2) algorithms |
+| Nested empty | `[[]]` | Depth check fails |
+| Mixed types | `[1, "two", None]` | Type assumptions break |
+
+## Files
+
+| Case | Value | Common Bug |
+|------|-------|------------|
+| Non-existent | `/no/such/file` | Unhandled FileNotFoundError |
+| Empty file | 0 bytes | Read returns empty, breaks parsing |
+| Permission denied | `chmod 000 file` | Unhandled PermissionError |
+| Directory not file | `/tmp/` | IsADirectoryError |
+| Symlink | `ln -s target link` | Follows link unexpectedly |
+| Very large | 10GB+ | Memory exhaustion on read() |
+| Binary data | Non-UTF8 bytes | UnicodeDecodeError |
+
+## Network
+
+| Case | Scenario | Common Bug |
+|------|----------|------------|
+| Timeout | Server doesn't respond | Hangs forever without timeout |
+| Connection refused | Port closed | Unhandled ConnectionRefusedError |
+| DNS failure | Invalid hostname | Unhandled socket.gaierror |
+| Partial response | Server closes mid-stream | Incomplete data treated as valid |
+| Malformed JSON | `{"key": "value"` | json.JSONDecodeError |
+| HTTP 429 | Rate limit | Retry loop without backoff |
+| HTTP 500 | Server error | Treated as success |
+
+## Dates/Times
+
+| Case | Value | Common Bug |
+|------|-------|------------|
+| Epoch | `1970-01-01 00:00:00` | Treated as null/unset |
+| Leap year | `2024-02-29` | Invalid date in non-leap year |
+| DST transition | `2024-03-10 02:30` | Non-existent time |
+| Timezone edge | `UTC+14` vs `UTC-12` | Date changes across zones |
+| Far future | `9999-12-31` | Overflow in timestamp conversion |
+
+## Concurrency
+
+| Case | Scenario | Common Bug |
+|------|----------|------------|
+| Race condition | Two threads write same file | Corrupted data |
+| Deadlock | A waits for B, B waits for A | Infinite hang |
+| Lock timeout | Lock held too long | Fallback not implemented |
+| Signal interruption | SIGINT during I/O | Partial write |
+
+## Testing Strategy
+
+1. **Identify data types**: What inputs does the code accept?
+2. **Select relevant cases**: Match boundary cases to data types
+3. **Execute with boundary input**: Replace normal input with edge case
+4. **Verify graceful handling**: No crashes, clear error messages
+5. **Check side effects**: Files/logs/state not corrupted
+
+## Example Test Script
+
+```bash
+#!/bin/bash
+# Boundary test for kimi-balance.sh
+
+echo "=== Empty key ==="
+KIMI_API_KEY="" ./kimi-balance.sh
+echo "Exit code: $?"
+
+echo "=== Whitespace key ==="
+KIMI_API_KEY="   " ./kimi-balance.sh
+echo "Exit code: $?"
+
+echo "=== Invalid JSON response ==="
+response='{"invalid json' ./kimi-balance.sh
+echo "Exit code: $?"
+
+echo "=== Very long key (10KB) ==="
+KIMI_API_KEY=$(python3 -c "print('x' * 10000)") ./kimi-balance.sh
+echo "Exit code: $?"
+```