AgentSkillsCN

code-quality-audit

Use when checking code quality, running security audits, measuring test coverage, finding violations, or setting up quality tools. Supports Drupal projects (PHPStan, PHPMD, PHPCPD, Psalm, Semgrep, Trivy, Gitleaks via DDEV) and Next.js projects (ESLint, Jest, jscpd, madge, Semgrep, Trivy, Gitleaks via DDEV), with TDD, SOLID, DRY and OWASP security checks.

SKILL.md
---
name: code-quality-audit
description: Use when checking code quality, running security audits, testing coverage, finding violations, or setting up quality tools - supports Drupal (PHPStan, PHPMD, PHPCPD, Psalm, Semgrep, Trivy, Gitleaks via DDEV) and Next.js (ESLint, Jest, jscpd, madge, Semgrep, Trivy, Gitleaks) projects with TDD, SOLID, DRY, and OWASP security checks
version: 2.5.0
model: sonnet
---

Code Quality Audit

Run quality and security audits for Drupal and Next.js projects with consistent tooling and reporting.

Quick Commands

For direct access, use these commands:

  • /code-quality:setup - First-time setup wizard (install and configure tools)
  • /code-quality:audit - Run full audit (all 22 operations)
  • /code-quality:coverage - Check test coverage
  • /code-quality:security - Security scan (10 layers for Drupal, 7 for Next.js)
  • /code-quality:lint - Code standards check
  • /code-quality:solid - Architecture and SOLID principles check
  • /code-quality:dry - Find code duplication
  • /code-quality:tdd - Start TDD workflow (test watcher mode)

For conversational workflows, continue reading...

When to Use

Drupal projects:

  • "Setup quality tools" / "Install PHPStan"
  • "Run code audit" / "Check code quality"
  • "Check coverage" / "What's my coverage?"
  • "Find SOLID violations" / "Check complexity"
  • "Check duplication" / "DRY check"
  • "Lint code" / "Check coding standards"
  • "Fix deprecations" / "Run rector"
  • "Start TDD" / "RED-GREEN-REFACTOR"
  • "Check security" / "Find vulnerabilities" / "OWASP audit"

Next.js projects:

  • "Setup quality tools" / "Install ESLint"
  • "Run code audit" / "Check code quality"
  • "Check coverage" / "Run Jest coverage"
  • "Find SOLID violations" / "Check complexity" / "Check circular deps"
  • "Lint code" / "Run ESLint"
  • "Check duplication" / "DRY check"
  • "Start TDD" / "Jest watch mode"
  • "Check security" / "Find vulnerabilities" / "OWASP audit"

Quick Reference

Drupal Scripts

| Task | Script | Details |
|------|--------|---------|
| Setup tools | scripts/core/install-tools.sh | See Drupal Setup |
| Full audit | scripts/core/full-audit.sh | See Full Audit |
| Coverage | scripts/drupal/coverage-report.sh | See Coverage Check |
| SOLID check | scripts/drupal/solid-check.sh | See SOLID Check |
| DRY check | scripts/drupal/dry-check.sh | See DRY Check |
| Lint check | scripts/drupal/lint-check.sh | See Lint Check |
| Fix deprecations | scripts/drupal/rector-fix.sh | See Rector Fix |
| TDD cycle | scripts/drupal/tdd-workflow.sh | See TDD Workflow |
| Security audit | scripts/drupal/security-check.sh | See Security Audit (10 layers) |

Next.js Scripts

| Task | Script | Details |
|------|--------|---------|
| Setup tools | scripts/core/install-tools.sh | See Next.js Setup |
| Full audit | scripts/core/full-audit.sh | See Full Audit |
| Coverage | scripts/nextjs/coverage-report.sh | See Coverage Check |
| SOLID check | scripts/nextjs/solid-check.sh | See SOLID Check |
| Lint check | scripts/nextjs/lint-check.sh | See Lint Check |
| DRY check | scripts/nextjs/dry-check.sh | See DRY Check |
| TDD cycle | scripts/nextjs/tdd-workflow.sh | See TDD Workflow |
| Security audit | scripts/nextjs/security-check.sh | See Security Audit (7 layers) |

Before Any Operation

Drupal:

  1. Locate Drupal root: check web/core/lib/Drupal.php or docroot/core/lib/Drupal.php
  2. Verify DDEV: ddev describe
  3. Create reports directory: mkdir -p .reports && echo ".reports/" >> .gitignore

Next.js:

  1. Verify npm: npm --version
  2. Create reports directory: mkdir -p .reports && echo ".reports/" >> .gitignore

When to Run What

Read decision-guides/quality-audit-checklist.md for detailed guidance.

| Context | What to Run | Time |
|---------|-------------|------|
| Pre-commit | quality:cs only | ~5s |
| Pre-push | PHPStan + Unit/Kernel tests | ~2min |
| Pre-merge | Full audit | ~10min |
| Weekly | Full audit + HTML reports | ~15min |

Scope Targeting

To audit specific modules or components instead of the entire project, see Scope Targeting for three approaches:

  1. Change directory (recommended) - cd web/modules/custom/my_module
  2. Environment variables - DRUPAL_MODULES_PATH=path/to/module
  3. Full scan (default) - Run from project root

Intelligent detection: Claude detects current directory and user intent.
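The Drupal pre-flight steps and the three scope-targeting approaches above, combined into one POSIX shell example that is added here and is not one of the skill's own scripts/ files. It assumes the project root is passed as the first argument, treats an explicit DRUPAL_MODULES_PATH as overriding the directory the user changed into, and skips the DDEV check when no ddev binary is on the PATH.

```shell
#!/bin/sh
# Added example (not one of the skill's scripts/): Drupal pre-flight checks plus
# scope resolution. Assumes the project root is passed as $1; ddev may be absent.
# Print the Drupal root (web or docroot) relative to the project root, detected
# by core/lib/Drupal.php as the checklist describes; fail if neither layout exists.
find_drupal_root() {
  project="${1:-.}"
  for candidate in web docroot; do
    if [ -f "$project/$candidate/core/lib/Drupal.php" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  echo "no core/lib/Drupal.php under $project/web or $project/docroot" >&2
  return 1
}

# Pick the audit scope: DRUPAL_MODULES_PATH (explicit, so it wins: an assumption),
# else the directory the user changed into, else a full scan of the Drupal root.
resolve_scope() {
  project="$1"; root="$2"; cwd="${3:-$PWD}"
  if [ -n "$DRUPAL_MODULES_PATH" ]; then
    printf '%s\n' "$DRUPAL_MODULES_PATH"
  else
    case "$cwd" in
      "$project"/*) printf '%s\n' "${cwd#"$project"/}" ;;
      *) printf '%s\n' "$root" ;;
    esac
  fi
}

# `ddev describe` must succeed when ddev is installed; skip cleanly otherwise.
verify_ddev() {
  command -v ddev >/dev/null 2>&1 || { echo "ddev not found, skipping" >&2; return 0; }
  ddev describe >/dev/null
}

# Create .reports/ and ignore it in git exactly once; a bare `echo >> .gitignore`
# as in the checklist appends a duplicate entry on every run.
ensure_reports_dir() {
  project="${1:-.}"
  mkdir -p "$project/.reports"
  grep -qx '.reports/' "$project/.gitignore" 2>/dev/null ||
    printf '.reports/\n' >> "$project/.gitignore"
}

# Direct use: sh preflight.sh /path/to/project
if [ -n "$1" ]; then
  root=$(find_drupal_root "$1") && verify_ddev && ensure_reports_dir "$1" &&
    echo "audit scope: $(resolve_scope "$1" "$root")"
fi
```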


Operations

All detailed operation instructions have been moved to reference files for better organization.

Drupal Operations

Setup & Configuration

Quality Audits

Development Workflows

Security

  • Operation 20: Security Audit - 10 security layers (v2.0.0)
    • Drush pm:security, Composer audit
    • yousha/php-security-linter, Psalm taint analysis
    • Custom Drupal patterns, Security Review module
    • Semgrep SAST, Trivy scanner, Gitleaks (v1.8.0)
    • Roave Security Advisories (v2.0.0)

Next.js Operations

Setup & Configuration

  • Operation 13: Setup Tools - Install ESLint, Jest, security tools

Quality Audits

Development Workflows

  • Operation 18: TDD Workflow - RED-GREEN-REFACTOR with Jest

Security

  • Operation 21: Security Audit - 7 security layers (v2.0.0)
    • npm audit, ESLint security plugins
    • Semgrep SAST, Trivy scanner, Gitleaks (v1.8.0)
    • Custom React/Next.js patterns (XSS, eval, navigation)
    • Socket CLI (v2.0.0)

Optional: DAST (Dynamic Testing)

Pre-production security testing for staging environments

  • Operation 22: DAST Tools - Dynamic security testing (v2.1.0)
    • OWASP ZAP (full DAST scanner)
    • Nuclei (template-based CVE scanning)
    • Requires running application
    • Use before releases on staging/pre-production

Saving Reports

All reports must follow schemas/audit-report.schema.json:

```json
{
  "meta": {
    "project_type": "drupal|nextjs|monorepo",
    "timestamp": "2025-12-19T12:00:00Z",
    "thresholds": { "coverage_minimum": 70, "duplication_max": 5 }
  },
  "summary": {
    "overall_score": "pass|warning|fail",
    "coverage_score": "pass|warning|fail",
    "solid_score": "pass|warning|fail",
    "dry_score": "pass|warning|fail",
    "security_score": "pass|warning|fail"
  },
  "coverage": { "line_coverage": 75.5, "files_analyzed": 45 },
  "solid": { "violations": [] },
  "dry": { "duplication_percentage": 3.2, "clones": [] },
  "security": { "critical": 0, "high": 0, "medium": 3, "low": 5, "issues": [] },
  "recommendations": []
}
```

References

Core Guidance

  • references/tdd-workflow.md - RED-GREEN-REFACTOR patterns, test naming, cycle targets
  • references/coverage-metrics.md - Coverage targets by code type, PCOV vs Xdebug
  • references/dry-detection.md - Rule of Three, when duplication is OK
  • references/solid-detection.md - SOLID detection patterns and fixes
  • references/composer-scripts.md - Ready-to-use composer scripts
  • references/scope-targeting.md - Target specific modules/components (NEW in v1.8.0)

Operations

  • references/operations/drupal-setup.md - Drupal setup operations
  • references/operations/drupal-audits.md - Drupal quality audit operations
  • references/operations/drupal-security.md - Drupal security (10 layers, v2.0.0)
  • references/operations/drupal-tdd.md - Drupal TDD workflow
  • references/operations/nextjs-setup.md - Next.js setup operations
  • references/operations/nextjs-audits.md - Next.js quality audit operations
  • references/operations/nextjs-security.md - Next.js security (7 layers, v2.0.0)
  • references/operations/nextjs-tdd.md - Next.js TDD workflow

Online Dev-Guides (Drupal Domain)

For deeper Drupal-specific patterns beyond tool commands, WebFetch from https://camoa.github.io/dev-guides/. Use when explaining violations, suggesting fixes, or providing architectural context.

| Topic | URL | Use when |
|-------|-----|----------|
| SOLID principles | drupal/solid-principles/ | Explaining SOLID violations with Drupal patterns |
| SRP — controllers & forms | drupal/solid-principles/controllers-srp/ | SRP violations in controllers or forms |
| OCP — config overrides | drupal/solid-principles/config-overrides-ocp/ | OCP violations in configuration |
| LSP — entity hierarchy | drupal/solid-principles/entity-hierarchy-lsp/ | LSP violations in entity types |
| ISP — entity interfaces | drupal/solid-principles/entity-interfaces-isp/ | ISP violations in interfaces |
| DIP — dependency injection | drupal/solid-principles/dependency-injection-patterns-dip/ | DIP violations, static calls |
| DIP — anti-patterns | drupal/solid-principles/anti-patterns-dip/ | Common DI anti-patterns |
| SOLID common mistakes | drupal/solid-principles/common-mistakes/ | Recurring SOLID violation patterns |
| SOLID best practices | drupal/solid-principles/best-practices-checklist/ | Checklist for SOLID compliance |
| DRY principles | drupal/dry-principles/ | Explaining DRY violations with Drupal patterns |
| Services for shared logic | drupal/dry-principles/services-shared-logic/ | Extracting duplicated logic to services |
| Traits for cross-cutting | drupal/dry-principles/traits-cross-cutting/ | Using traits to reduce duplication |
| Base classes | drupal/dry-principles/base-classes-inheritance/ | Extracting common base classes |
| Plugin reuse | drupal/dry-principles/plugin-reuse/ | DRY patterns in plugin system |
| Over-DRY anti-patterns | drupal/dry-principles/over-dry-anti-patterns/ | When NOT to DRY (wrong abstraction) |
| DRY decision framework | drupal/dry-principles/best-practices-decision-framework/ | When to extract vs duplicate |
| Security overview | drupal/security/ | Drupal security patterns and practices |
| OWASP Top 10 in Drupal | drupal/security/owasp-top-10-in-drupal/ | OWASP mapping to Drupal context |
| XSS prevention | drupal/security/xss-prevention/ | XSS findings context |
| SQL injection prevention | drupal/security/sql-injection-prevention/ | SQLi findings context |
| CSRF protection | drupal/security/csrf-protection/ | CSRF findings context |
| Input validation | drupal/security/input-validation-and-sanitization/ | Input validation findings |
| Access control | drupal/security/entity-access-control/ | Access control findings |
| Route access checks | drupal/security/route-access-checks/ | Route security findings |
| Twig autoescape | drupal/security/twig-autoescape-and-safe-markup/ | Template security findings |
| Testing overview | drupal/testing/ | Test frameworks, setup, progressive strategy |
| Test type selection | drupal/testing/framework-selection-decision-matrix/ | Unit vs Kernel vs Functional decision |
| Unit tests | drupal/testing/phpunit-unit-tests/ | PHPUnit unit test patterns |
| Kernel tests | drupal/testing/phpunit-kernel-tests/ | Kernel test patterns with services/DB |
| Functional tests | drupal/testing/phpunit-functional-tests/ | Browser test patterns |
| Progressive testing | drupal/testing/progressive-testing-strategy/ | Test coverage planning for new modules |
| Testing best practices | drupal/testing/best-practices-anti-patterns/ | Testing anti-patterns and standards |
| TDD overview | drupal/tdd/ | RED-GREEN-REFACTOR, spec-driven development |
| TDD workflow | drupal/tdd/tdd-workflow-red-green-refactor/ | RED-GREEN-REFACTOR cycle details |
| Coverage metrics | drupal/tdd/coverage-metrics-strategy/ | Coverage targets, metrics interpretation |
| Quality gates | drupal/tdd/quality-gates-audit-checklist/ | Pre-commit/push/merge gate definitions |
| Test type decision | drupal/tdd/test-type-decision-matrix/ | When to use which test type |
| Spec-driven dev | drupal/tdd/spec-driven-drupal-development/ | Writing specs before code |
| Testing services | drupal/tdd/testing-services/ | Service testing patterns |
| Testing forms | drupal/tdd/testing-forms/ | Form testing patterns |
| Testing entities | drupal/tdd/testing-entities/ | Entity testing patterns |
| Testing plugins | drupal/tdd/testing-plugins/ | Plugin testing patterns |
| Testing (GitHub Actions) | drupal/github-actions/ | CI/CD quality pipeline context |
| JS security | drupal/js-development/security/ | JavaScript security findings |
| JS testing | drupal/js-development/testing-javascript/ | JavaScript testing context |

How to use: When analyzing violations or providing remediation guidance for Drupal projects, WebFetch the relevant topic URL (prefix with https://camoa.github.io/dev-guides/) to get comprehensive Drupal-specific patterns and examples.

Decision Guides

  • decision-guides/test-type-selection.md - Unit vs Kernel vs Functional decision tree
  • decision-guides/quality-audit-checklist.md - When to run what (pre-commit vs pre-merge)

Templates

Drupal

  • templates/drupal/phpstan.neon - PHPStan 2.x config (extensions auto-load)
  • templates/drupal/phpmd.xml - PHPMD ruleset for Drupal
  • templates/drupal/phpunit.xml - PHPUnit config with testsuites
  • templates/ci/github-drupal.yml - GitHub Actions workflow with security tools

Next.js

  • templates/nextjs/eslint.config.js - ESLint v9 flat config with TypeScript + security
  • templates/nextjs/jest.config.js - Jest config with coverage thresholds
  • templates/nextjs/jest.setup.js - Jest setup with Testing Library
  • templates/nextjs/.prettierrc - Prettier config with Tailwind plugin

What's New in v2.1.0

Phase 3 - Optional DAST Tools (NEW!):

  • ✅ OWASP ZAP (full DAST scanner for pre-production)
  • ✅ Nuclei (template-based CVE and misconfiguration scanning)
  • ✅ Comprehensive documentation with usage examples
  • ✅ CI/CD integration guides (GitHub Actions, GitLab)
  • ✅ Pre-release checklist script

DAST Coverage:

  • Pre-production security testing
  • Runtime vulnerability detection
  • OWASP Top 10 dynamic testing
  • 1000+ CVE templates (Nuclei)

See references/operations/dast-tools.md for full documentation.


What's New in v2.0.0

Progressive Disclosure Refactoring:

  • ✅ SKILL.md: 632 → 234 lines (63% reduction)
  • ✅ 9 reference files created with full documentation
  • ✅ Plugin-creation-tools compliance (16/16 criteria)

Phase 1 - Cross-Stack Security Tools:

  • ✅ Semgrep SAST (20,000+ security rules for PHP, React, JS, TS)
  • ✅ Trivy scanner (dependency/container/secret scanner)
  • ✅ Gitleaks (secret detection with 800+ patterns)

Phase 2 - Enhancement Tools:

  • ✅ Roave Security Advisories (Drupal - Composer prevention layer)
  • ✅ Socket CLI (Next.js - supply chain attack detection)

Security Coverage:

  • Drupal: 40% → 90% (10 security layers)
  • Next.js: 0% → 85% (7 security layers)

See .work-in-progress-v2.0.0.md for full implementation details.