Code Quality Audit
Run quality and security audits for Drupal and Next.js projects with consistent tooling and reporting.
Quick Commands
For direct access, use these commands:
- /code-quality:setup - First-time setup wizard (install and configure tools)
- /code-quality:audit - Run full audit (all 22 operations)
- /code-quality:coverage - Check test coverage
- /code-quality:security - Security scan (10 layers for Drupal, 7 for Next.js)
- /code-quality:lint - Code standards check
- /code-quality:solid - Architecture and SOLID principles check
- /code-quality:dry - Find code duplication
- /code-quality:tdd - Start TDD workflow (test watcher mode)
For conversational workflows, continue reading...
When to Use
Drupal projects:
- "Setup quality tools" / "Install PHPStan"
- "Run code audit" / "Check code quality"
- "Check coverage" / "What's my coverage?"
- "Find SOLID violations" / "Check complexity"
- "Check duplication" / "DRY check"
- "Lint code" / "Check coding standards"
- "Fix deprecations" / "Run rector"
- "Start TDD" / "RED-GREEN-REFACTOR"
- "Check security" / "Find vulnerabilities" / "OWASP audit"
Next.js projects:
- "Setup quality tools" / "Install ESLint"
- "Run code audit" / "Check code quality"
- "Check coverage" / "Run Jest coverage"
- "Find SOLID violations" / "Check complexity" / "Check circular deps"
- "Lint code" / "Run ESLint"
- "Check duplication" / "DRY check"
- "Start TDD" / "Jest watch mode"
- "Check security" / "Find vulnerabilities" / "OWASP audit"
Quick Reference
Drupal Scripts
| Task | Script | Details |
|---|---|---|
| Setup tools | scripts/core/install-tools.sh | See Drupal Setup |
| Full audit | scripts/core/full-audit.sh | See Full Audit |
| Coverage | scripts/drupal/coverage-report.sh | See Coverage Check |
| SOLID check | scripts/drupal/solid-check.sh | See SOLID Check |
| DRY check | scripts/drupal/dry-check.sh | See DRY Check |
| Lint check | scripts/drupal/lint-check.sh | See Lint Check |
| Fix deprecations | scripts/drupal/rector-fix.sh | See Rector Fix |
| TDD cycle | scripts/drupal/tdd-workflow.sh | See TDD Workflow |
| Security audit | scripts/drupal/security-check.sh | See Security Audit (10 layers) |
Next.js Scripts
| Task | Script | Details |
|---|---|---|
| Setup tools | scripts/core/install-tools.sh | See Next.js Setup |
| Full audit | scripts/core/full-audit.sh | See Full Audit |
| Coverage | scripts/nextjs/coverage-report.sh | See Coverage Check |
| SOLID check | scripts/nextjs/solid-check.sh | See SOLID Check |
| Lint check | scripts/nextjs/lint-check.sh | See Lint Check |
| DRY check | scripts/nextjs/dry-check.sh | See DRY Check |
| TDD cycle | scripts/nextjs/tdd-workflow.sh | See TDD Workflow |
| Security audit | scripts/nextjs/security-check.sh | See Security Audit (7 layers) |
Before Any Operation
Drupal:
- Locate Drupal root: check web/core/lib/Drupal.php or docroot/core/lib/Drupal.php
- Verify DDEV: ddev describe
- Create reports directory: mkdir -p .reports && echo ".reports/" >> .gitignore
Next.js:
- Verify npm: npm --version
- Create reports directory: mkdir -p .reports && echo ".reports/" >> .gitignore
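The pre-flight checks above, as an added POSIX shell example that is not one of the plugin's own scripts. It makes the .gitignore step idempotent (a bare echo >> .gitignore appends a duplicate line on every run) and takes an optional project root argument, which is an assumption for testing rather than something the page's scripts do.

```shell
#!/bin/sh
# Added example, not part of the code-quality plugin. Assumes it is run from
# the project root unless a root path is passed as the first argument.

# Locate the Drupal root: look for core/lib/Drupal.php under the two
# conventional docroots named on the page. Prints the docroot, returns 1 if
# neither exists.
find_drupal_root() {
  root="${1:-.}"
  for candidate in web docroot; do
    if [ -f "$root/$candidate/core/lib/Drupal.php" ]; then
      echo "$candidate"
      return 0
    fi
  done
  return 1
}

# Verify DDEV is installed and the project is configured (ddev describe).
check_ddev() {
  command -v ddev >/dev/null 2>&1 || { echo "ddev not installed" >&2; return 1; }
  ddev describe >/dev/null 2>&1 || { echo "ddev project not configured" >&2; return 1; }
}

# Verify npm for Next.js projects.
check_npm() {
  command -v npm >/dev/null 2>&1 && npm --version >/dev/null 2>&1
}

# Create the reports directory and ignore it in git. grep -qx matches the
# whole line, so the ignore rule is appended only once across repeated runs.
prepare_reports_dir() {
  root="${1:-.}"
  mkdir -p "$root/.reports"
  if ! grep -qx '.reports/' "$root/.gitignore" 2>/dev/null; then
    printf '%s\n' '.reports/' >> "$root/.gitignore"
  fi
}
```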
When to Run What
Read decision-guides/quality-audit-checklist.md for detailed guidance.
| Context | What to Run | Time |
|---|---|---|
| Pre-commit | quality:cs only | ~5s |
| Pre-push | PHPStan + Unit/Kernel tests | ~2min |
| Pre-merge | Full audit | ~10min |
| Weekly | Full audit + HTML reports | ~15min |
Scope Targeting
To audit specific modules or components instead of the entire project:
See Scope Targeting for three approaches:
- Change directory (recommended): cd web/modules/custom/my_module
- Environment variables: DRUPAL_MODULES_PATH=path/to/module
- Full scan (default): run from project root
Intelligent detection: Claude detects current directory and user intent.
Operations
All detailed operation instructions have been moved to reference files for better organization.
Drupal Operations
Setup & Configuration
- Operation 1: Setup Tools - Install PHPStan, PHPMD, PHPCPD, Coder
- Operation 6: Module-Specific Audit - Scope audit to one module
- Operation 7: Add Composer Scripts - Configure quality scripts
- Operation 8: CI Integration - Setup GitHub Actions
Quality Audits
- Operation 2: Full Audit - Run all quality checks
- Operation 3: Coverage Check - Measure test coverage
- Operation 4: SOLID Check - Find principle violations
- Operation 5: DRY Check - Detect code duplication
- Operation 11: Lint Check - Coding standards
- Operation 12: Rector Fix - Auto-fix deprecations
Development Workflows
- Operation 10: TDD Workflow - RED-GREEN-REFACTOR cycle
Security
- Operation 20: Security Audit - 10 security layers (v2.0.0)
  - Drush pm:security, Composer audit
  - yousha/php-security-linter, Psalm taint analysis
  - Custom Drupal patterns, Security Review module
  - Semgrep SAST, Trivy scanner, Gitleaks (v1.8.0)
  - Roave Security Advisories (v2.0.0)
Next.js Operations
Setup & Configuration
- Operation 13: Setup Tools - Install ESLint, Jest, security tools
Quality Audits
- Operation 14: Full Audit - Run all quality checks
- Operation 15: Lint Check - ESLint + TypeScript
- Operation 16: Coverage Check - Jest coverage
- Operation 17: DRY Check - Detect duplication
- Operation 19: SOLID Check - Circular deps, complexity
Development Workflows
- Operation 18: TDD Workflow - RED-GREEN-REFACTOR with Jest
Security
- Operation 21: Security Audit - 7 security layers (v2.0.0)
  - npm audit, ESLint security plugins
  - Semgrep SAST, Trivy scanner, Gitleaks (v1.8.0)
  - Custom React/Next.js patterns (XSS, eval, navigation)
  - Socket CLI (v2.0.0)
Optional: DAST (Dynamic Testing)
Pre-production security testing for staging environments
- Operation 22: DAST Tools - Dynamic security testing (v2.1.0)
  - OWASP ZAP (full DAST scanner)
  - Nuclei (template-based CVE scanning)
  - Requires a running application
  - Use before releases on staging/pre-production
Saving Reports
All reports must follow schemas/audit-report.schema.json:
```json
{
  "meta": {
    "project_type": "drupal|nextjs|monorepo",
    "timestamp": "2025-12-19T12:00:00Z",
    "thresholds": { "coverage_minimum": 70, "duplication_max": 5 }
  },
  "summary": {
    "overall_score": "pass|warning|fail",
    "coverage_score": "pass|warning|fail",
    "solid_score": "pass|warning|fail",
    "dry_score": "pass|warning|fail",
    "security_score": "pass|warning|fail"
  },
  "coverage": { "line_coverage": 75.5, "files_analyzed": 45 },
  "solid": { "violations": [] },
  "dry": { "duplication_percentage": 3.2, "clones": [] },
  "security": { "critical": 0, "high": 0, "medium": 3, "low": 5, "issues": [] },
  "recommendations": []
}
```
References
Core Guidance
- references/tdd-workflow.md - RED-GREEN-REFACTOR patterns, test naming, cycle targets
- references/coverage-metrics.md - Coverage targets by code type, PCOV vs Xdebug
- references/dry-detection.md - Rule of Three, when duplication is OK
- references/solid-detection.md - SOLID detection patterns and fixes
- references/composer-scripts.md - Ready-to-use composer scripts
- references/scope-targeting.md - Target specific modules/components (NEW in v1.8.0)
Operations
- references/operations/drupal-setup.md - Drupal setup operations
- references/operations/drupal-audits.md - Drupal quality audit operations
- references/operations/drupal-security.md - Drupal security (10 layers, v2.0.0)
- references/operations/drupal-tdd.md - Drupal TDD workflow
- references/operations/nextjs-setup.md - Next.js setup operations
- references/operations/nextjs-audits.md - Next.js quality audit operations
- references/operations/nextjs-security.md - Next.js security (7 layers, v2.0.0)
- references/operations/nextjs-tdd.md - Next.js TDD workflow
Online Dev-Guides (Drupal Domain)
For deeper Drupal-specific patterns beyond tool commands, WebFetch from https://camoa.github.io/dev-guides/. Use when explaining violations, suggesting fixes, or providing architectural context.
| Topic | URL | Use when |
|---|---|---|
| SOLID principles | drupal/solid-principles/ | Explaining SOLID violations with Drupal patterns |
| SRP — controllers & forms | drupal/solid-principles/controllers-srp/ | SRP violations in controllers or forms |
| OCP — config overrides | drupal/solid-principles/config-overrides-ocp/ | OCP violations in configuration |
| LSP — entity hierarchy | drupal/solid-principles/entity-hierarchy-lsp/ | LSP violations in entity types |
| ISP — entity interfaces | drupal/solid-principles/entity-interfaces-isp/ | ISP violations in interfaces |
| DIP — dependency injection | drupal/solid-principles/dependency-injection-patterns-dip/ | DIP violations, static calls |
| DIP — anti-patterns | drupal/solid-principles/anti-patterns-dip/ | Common DI anti-patterns |
| SOLID common mistakes | drupal/solid-principles/common-mistakes/ | Recurring SOLID violation patterns |
| SOLID best practices | drupal/solid-principles/best-practices-checklist/ | Checklist for SOLID compliance |
| DRY principles | drupal/dry-principles/ | Explaining DRY violations with Drupal patterns |
| Services for shared logic | drupal/dry-principles/services-shared-logic/ | Extracting duplicated logic to services |
| Traits for cross-cutting | drupal/dry-principles/traits-cross-cutting/ | Using traits to reduce duplication |
| Base classes | drupal/dry-principles/base-classes-inheritance/ | Extracting common base classes |
| Plugin reuse | drupal/dry-principles/plugin-reuse/ | DRY patterns in plugin system |
| Over-DRY anti-patterns | drupal/dry-principles/over-dry-anti-patterns/ | When NOT to DRY (wrong abstraction) |
| DRY decision framework | drupal/dry-principles/best-practices-decision-framework/ | When to extract vs duplicate |
| Security overview | drupal/security/ | Drupal security patterns and practices |
| OWASP Top 10 in Drupal | drupal/security/owasp-top-10-in-drupal/ | OWASP mapping to Drupal context |
| XSS prevention | drupal/security/xss-prevention/ | XSS findings context |
| SQL injection prevention | drupal/security/sql-injection-prevention/ | SQLi findings context |
| CSRF protection | drupal/security/csrf-protection/ | CSRF findings context |
| Input validation | drupal/security/input-validation-and-sanitization/ | Input validation findings |
| Access control | drupal/security/entity-access-control/ | Access control findings |
| Route access checks | drupal/security/route-access-checks/ | Route security findings |
| Twig autoescape | drupal/security/twig-autoescape-and-safe-markup/ | Template security findings |
| Testing overview | drupal/testing/ | Test frameworks, setup, progressive strategy |
| Test type selection | drupal/testing/framework-selection-decision-matrix/ | Unit vs Kernel vs Functional decision |
| Unit tests | drupal/testing/phpunit-unit-tests/ | PHPUnit unit test patterns |
| Kernel tests | drupal/testing/phpunit-kernel-tests/ | Kernel test patterns with services/DB |
| Functional tests | drupal/testing/phpunit-functional-tests/ | Browser test patterns |
| Progressive testing | drupal/testing/progressive-testing-strategy/ | Test coverage planning for new modules |
| Testing best practices | drupal/testing/best-practices-anti-patterns/ | Testing anti-patterns and standards |
| TDD overview | drupal/tdd/ | RED-GREEN-REFACTOR, spec-driven development |
| TDD workflow | drupal/tdd/tdd-workflow-red-green-refactor/ | RED-GREEN-REFACTOR cycle details |
| Coverage metrics | drupal/tdd/coverage-metrics-strategy/ | Coverage targets, metrics interpretation |
| Quality gates | drupal/tdd/quality-gates-audit-checklist/ | Pre-commit/push/merge gate definitions |
| Test type decision | drupal/tdd/test-type-decision-matrix/ | When to use which test type |
| Spec-driven dev | drupal/tdd/spec-driven-drupal-development/ | Writing specs before code |
| Testing services | drupal/tdd/testing-services/ | Service testing patterns |
| Testing forms | drupal/tdd/testing-forms/ | Form testing patterns |
| Testing entities | drupal/tdd/testing-entities/ | Entity testing patterns |
| Testing plugins | drupal/tdd/testing-plugins/ | Plugin testing patterns |
| Testing (GitHub Actions) | drupal/github-actions/ | CI/CD quality pipeline context |
| JS security | drupal/js-development/security/ | JavaScript security findings |
| JS testing | drupal/js-development/testing-javascript/ | JavaScript testing context |
How to use: When analyzing violations or providing remediation guidance for Drupal projects, WebFetch the relevant topic URL (prefix with https://camoa.github.io/dev-guides/) to get comprehensive Drupal-specific patterns and examples.
Decision Guides
- decision-guides/test-type-selection.md - Unit vs Kernel vs Functional decision tree
- decision-guides/quality-audit-checklist.md - When to run what (pre-commit vs pre-merge)
Templates
Drupal
- templates/drupal/phpstan.neon - PHPStan 2.x config (extensions auto-load)
- templates/drupal/phpmd.xml - PHPMD ruleset for Drupal
- templates/drupal/phpunit.xml - PHPUnit config with testsuites
- templates/ci/github-drupal.yml - GitHub Actions workflow with security tools
Next.js
- templates/nextjs/eslint.config.js - ESLint v9 flat config with TypeScript + security
- templates/nextjs/jest.config.js - Jest config with coverage thresholds
- templates/nextjs/jest.setup.js - Jest setup with Testing Library
- templates/nextjs/.prettierrc - Prettier config with Tailwind plugin
What's New in v2.1.0
Phase 3 - Optional DAST Tools (NEW!):
- ✅ OWASP ZAP (full DAST scanner for pre-production)
- ✅ Nuclei (template-based CVE and misconfiguration scanning)
- ✅ Comprehensive documentation with usage examples
- ✅ CI/CD integration guides (GitHub Actions, GitLab)
- ✅ Pre-release checklist script
DAST Coverage:
- Pre-production security testing
- Runtime vulnerability detection
- OWASP Top 10 dynamic testing
- 1000+ CVE templates (Nuclei)
See references/operations/dast-tools.md for full documentation.
What's New in v2.0.0
Progressive Disclosure Refactoring:
- ✅ SKILL.md: 632 → 234 lines (63% reduction)
- ✅ 9 reference files created with full documentation
- ✅ Plugin-creation-tools compliance (16/16 criteria)
Phase 1 - Cross-Stack Security Tools:
- ✅ Semgrep SAST (20,000+ security rules for PHP, React, JS, TS)
- ✅ Trivy scanner (dependency/container/secret scanner)
- ✅ Gitleaks (secret detection with 800+ patterns)
Phase 2 - Enhancement Tools:
- ✅ Roave Security Advisories (Drupal - Composer prevention layer)
- ✅ Socket CLI (Next.js - supply chain attack detection)
Security Coverage:
- Drupal: 40% → 90% (10 security layers)
- Next.js: 0% → 85% (7 security layers)
See .work-in-progress-v2.0.0.md for full implementation details.