From fc6a15d5ee32dd48d7d15ab3cec61366777f8d09 Mon Sep 17 00:00:00 2001 From: Ivan Grynenko Date: Fri, 24 Oct 2025 21:24:41 +1100 Subject: [PATCH 1/4] feat: Added slash command installation and tests --- .cursor/commands/behat-drevops.md | 378 +++++++++++++++ .cursor/commands/drupal-lint.md | 292 +++++++++++ .cursor/commands/gh-issue-create.md | 240 +++++++++ .cursor/commands/gh-issue-resolve.md | 52 ++ .cursor/commands/npm-audit-fix.md | 121 +++++ .cursor/commands/pr-assess.md | 594 +++++++++++++++++++++++ .cursor/commands/pr-draft.md | 62 +++ .cursor/commands/pr-resolve.md | 128 +++++ .cursor/commands/security-scan.md | 109 +++++ .cursor/commands/security-verify.md | 193 ++++++++ .cursor/commands/session-summary.md | 61 +++ .cursor/commands/speckit.analyze.md | 180 +++++++ .cursor/commands/speckit.checklist.md | 283 +++++++++++ .cursor/commands/speckit.clarify.md | 172 +++++++ .cursor/commands/speckit.constitution.md | 73 +++ .cursor/commands/speckit.implement.md | 118 +++++ .cursor/commands/speckit.plan.md | 76 +++ .cursor/commands/speckit.specify.md | 204 ++++++++ .cursor/commands/speckit.tasks.md | 107 ++++ .tests/file-maps.sh | 132 ++++- .tests/run-all-tests.sh | 37 +- .tests/run-tests.sh | 35 +- .tests/test-javascript-option.sh | 17 +- AGENTS.md | 6 + CHANGELOG.md | 43 ++ docs/prd.md | 74 --- docs/specs/command-installer-update.md | 14 + docs/srs.md | 86 ---- install.php | 568 +++++++++++++++++++++- 29 files changed, 4261 insertions(+), 194 deletions(-) create mode 100644 .cursor/commands/behat-drevops.md create mode 100644 .cursor/commands/drupal-lint.md create mode 100644 .cursor/commands/gh-issue-create.md create mode 100644 .cursor/commands/gh-issue-resolve.md create mode 100644 .cursor/commands/npm-audit-fix.md create mode 100644 .cursor/commands/pr-assess.md create mode 100644 .cursor/commands/pr-draft.md create mode 100644 .cursor/commands/pr-resolve.md create mode 100644 .cursor/commands/security-scan.md create mode 100644 
.cursor/commands/security-verify.md create mode 100644 .cursor/commands/session-summary.md create mode 100644 .cursor/commands/speckit.analyze.md create mode 100644 .cursor/commands/speckit.checklist.md create mode 100644 .cursor/commands/speckit.clarify.md create mode 100644 .cursor/commands/speckit.constitution.md create mode 100644 .cursor/commands/speckit.implement.md create mode 100644 .cursor/commands/speckit.plan.md create mode 100644 .cursor/commands/speckit.specify.md create mode 100644 .cursor/commands/speckit.tasks.md create mode 100644 CHANGELOG.md delete mode 100644 docs/prd.md create mode 100644 docs/specs/command-installer-update.md delete mode 100644 docs/srs.md diff --git a/.cursor/commands/behat-drevops.md b/.cursor/commands/behat-drevops.md new file mode 100644 index 0000000..2cedac7 --- /dev/null +++ b/.cursor/commands/behat-drevops.md @@ -0,0 +1,378 @@ +# Custom Command: Behat DrevOps + +## Command Usage +`/behat-drevops <description>` + +Treat `<description>` as the description of the Behat scenario the user wants. The remainder of this guide explains how to fulfil that request. + +## Role definition + +You are a Behat test writer. Implement the test requested in {$ARGUMENT}. + +### DrevOps Behat Steps Integration +This command targets Drupal projects that use the `drevops/behat-steps` library, which provides comprehensive Behat step definitions. When the library is available in `vendor/drevops/behat-steps/`, use these pre-built steps rather than writing custom ones.
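The library's steps are shipped as PHP traits that get composed into the project's single `FeatureContext` class. A minimal, self-contained sketch of that composition pattern follows — the trait bodies here are hypothetical stand-ins so the snippet runs on its own; the real traits live in `vendor/drevops/behat-steps/src` and drive a browser session, and the real context class extends `DrupalContext`:

```php
<?php

declare(strict_types=1);

// Hypothetical stand-ins for DrevOps traits. The real PathTrait and
// WaitTrait provide Behat step definitions rather than returning strings.
trait PathTrait {
  public function visitPath(string $path): string {
    return 'Visited ' . $path;
  }
}

trait WaitTrait {
  public function waitSeconds(int $seconds): string {
    return 'Waited ' . $seconds . 's';
  }
}

// In a real project this class extends DrupalContext from the Behat
// Drupal Extension; a plain class keeps the sketch self-contained.
class FeatureContext {
  use PathTrait;
  use WaitTrait;
}

$context = new FeatureContext();
echo $context->visitPath('/about'), "\n";
echo $context->waitSeconds(5), "\n";
```

Because each trait contributes its own group of step definitions, enabling a new family of steps in a real project is usually a one-line `use` statement in `FeatureContext`.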
+ +### Available Behat Traits from DrevOps +When writing custom Behat tests, check for these available traits: + +#### Common Traits +- `ContentTrait` - Content management steps +- `FieldTrait` - Field interaction steps +- `FileTrait` - File handling steps +- `PathTrait` - Path navigation steps +- `SearchApiTrait` - Search API testing steps +- `TaxonomyTrait` - Taxonomy term steps +- `WaitTrait` - Wait conditions steps +- `WatchdogTrait` - Watchdog/logging steps + +#### Additional Available Traits +- `BigPipeTrait` - BigPipe functionality testing +- `BlockContentTrait` - Block content management +- `BlockTrait` - Block placement and configuration +- `CookieTrait` - Cookie manipulation +- `DateTrait` - Date field handling +- `DraggableViewsTrait` - Draggable views testing +- `EckTrait` - Entity Construction Kit support +- `ElementTrait` - DOM element interactions +- `EmailTrait` - Email testing capabilities +- `FileDownloadTrait` - File download verification +- `JsTrait` - JavaScript execution +- `KeyboardTrait` - Keyboard interaction +- `LinkTrait` - Link verification +- `MediaTrait` - Media entity handling +- `MenuTrait` - Menu system testing +- `MetaTagTrait` - Meta tag verification +- `OverrideTrait` - Override functionality +- `ParagraphsTrait` - Paragraphs field testing +- `ResponseTrait` - HTTP response assertions +- `RoleTrait` - User role management +- `SelectTrait` - Select field interactions +- `TestmodeTrait` - Test mode utilities +- `UserTrait` - User management +- `VisibilityTrait` - Element visibility checks +- `WysiwygTrait` - WYSIWYG editor testing + +### Writing Behat Tests - Best Practices + +#### 1. 
Step Format Guidelines +```gherkin +# Use descriptive placeholder names +Given I am viewing the "About Us" page content +When I fill in "Title" with "New Page Title" +Then I should see the text "Successfully created" + +# Use "the following" for table data +When I create nodes with the following details: + | title | type | status | + | About Page | page | 1 | + | Contact Page | page | 1 | + +# Use "with" for properties +Given I am logged in as a user with the "administrator" role +``` + +#### User Authentication in Behat Tests + +**Important**: When creating users in Behat tests, follow these guidelines: + +1. **Always include password field** when creating users: + ```gherkin + Given users: + | name | mail | pass | roles | + | admin_user | admin@example.com | password | administrator | + | editor_user | editor@example.com | password | content_editor | + | basic_user | user@example.com | password | | + ``` + +2. **Never manually assign "authenticated" role**: + - ❌ Wrong: `| basic_user | user@example.com | password | authenticated |` + - ✅ Correct: `| basic_user | user@example.com | password | |` + - The "authenticated" role is automatically assigned by Drupal + +3. **Common user creation patterns**: + ```gherkin + # Background section for multiple scenarios + Background: + Given users: + | name | mail | pass | roles | + | site_admin_user | site_admin@example.com | password | civictheme_site_administrator | + | content_editor_user | editor@example.com | password | civictheme_content_author | + | no_role_user | basic@example.com | password | | + + # Using the created users + Scenario: Admin can access restricted pages + Given I am logged in as "site_admin_user" + When I go to "/admin/structure" + Then I should not see "Access denied" + ``` + +4. 
**Login methods**: + ```gherkin + # Login as created user + Given I am logged in as "username_from_table" + + # Login with role + Given I am logged in as a user with the "administrator" role + + # Anonymous user + Given I am an anonymous user + ``` + +#### 2. Step Type Conventions + +**Given Steps** (Prerequisites): +```gherkin +Given I am logged in as a user with the "administrator" role +Given "page" content exists with the title "Home Page" +Given I have a "article" content type +``` + +**When Steps** (Actions): +```gherkin +When I visit "node/add/page" +When I fill in "Title" with "Test Page" +When I press "Save" +When I click "Add content" +``` + +**Then Steps** (Assertions): +```gherkin +Then I should see the text "Page created" +Then I should not see "Access denied" +Then the response status code should be 200 +Then the "Title" field should contain "Test Page" +``` + +### Running Behat Tests + +```bash +# Run all Behat tests +ahoy test-behat + +# Run specific feature +ahoy test-behat tests/behat/features/content.feature + +# Run tests with specific tag +ahoy test-behat --tags=@api + +# Run tests excluding a tag +ahoy test-behat --tags='~@skipped' + +# Run with specific profile +ahoy test-behat -p p0 +``` + +### Debugging Behat Tests + +1. **Add Screenshots**: + ```gherkin + Then save screenshot + # Screenshots saved to .logs/screenshots/ + ``` + +2. **Pause Execution**: + ```gherkin + Then I break + # Pauses test execution for debugging + ``` + +3. **Check Element Visibility**: + ```gherkin + Then I wait for the "#edit-title" element to appear + Then I wait 5 seconds for the ".banner" element to appear + ``` + +4. 
**Debug JavaScript**: + ```gherkin + Then I execute javascript "console.log(jQuery('.tabs').length)" + ``` + +### Behat Configuration Notes + +Common `behat.yml` configuration includes: +- Screenshot capture on failure +- JUnit output for CI integration +- Parallel testing profiles +- Chrome/Selenium integration for JavaScript tests + +### Adding Custom Behat Steps + +When you need custom steps not provided by DrevOps Behat Steps: + +1. Add to `tests/behat/bootstrap/FeatureContext.php` +2. Follow existing patterns in the file +3. Use proper PHPDoc annotations +4. Include proper error handling + +Example: +```php +/** + * Verifies custom element is displayed. + * + * @Then I should see the custom element + */ +public function iShouldSeeTheCustomElement(): void { + $element = $this->getSession()->getPage()->find('css', '.custom-element'); + if (!$element || !$element->isVisible()) { + throw new \Exception('Custom element is not visible'); + } +} +``` + +### Common Behat Issues and Solutions + +#### 1. WYSIWYG/CKEditor Fields +When testing forms with WYSIWYG editors (like CKEditor): + +**Problem**: Standard field filling doesn't work with CKEditor fields +```gherkin +# This may fail: +And I fill in "Body" with "Content text" +``` + +**Solution**: Use the WysiwygTrait from DrevOps +```php +// In FeatureContext.php, add: +use DrevOps\BehatSteps\WysiwygTrait; + +class FeatureContext extends DrupalContext { + use WysiwygTrait; + // ... other traits +} +``` + +Then use the WYSIWYG-specific step: +```gherkin +And I fill in WYSIWYG "Body" with "This content will be properly filled in CKEditor" +``` + +#### 2. Multi-Domain Sites +For sites with multiple domains (like WorkSafe/Consumer Protection): + +**Problem**: Domain selection uses radio buttons, not checkboxes +```gherkin +# Wrong: +And I check "WorkSafe" + +# Correct: +And I select the radio button "WorkSafe" +``` + +#### 3. 
Media Bundle Names +When creating media entities, use the correct bundle names: + +**Problem**: Generic bundle names may not exist +```gherkin +# This may fail: +Given media: + | name | bundle | + | test-doc.pdf | document | +``` + +**Solution**: Use the actual bundle name from your site +```gherkin +Given media: + | name | bundle | + | test-doc.pdf | civictheme_document | +``` + +#### 4. File System Configuration +For sites with private file system: + +**Problem**: Creating files with public:// when system uses private:// +```gherkin +# May fail if system is configured for private files: +Given files: + | uri | + | public://test-doc.pdf | +``` + +**Solution**: Use private:// URI scheme +```gherkin +Given files: + | uri | + | private://test-doc.pdf | +``` + +#### 5. Testing Without Form Submission +When form submission fails, break down the test: + +```gherkin +# Instead of one large scenario, split into: +Scenario: Verify form fields exist + Then I should see the field "Title" + And I should see the field "Body" + +Scenario: Test form submission + When I fill in "Title" with "Test" + And I fill in WYSIWYG "Body" with "Content" + And I press "Save" + Then I should see "has been created" +``` + +#### 6. Conditional Steps for Flexible Tests +Add conditional steps in FeatureContext.php for more resilient tests: + +```php +/** + * Click on the first matching element if it exists. + * + * @When I click on the first :selector element if it exists + */ +public function iClickOnTheFirstElementIfItExists($selector): void { + $elements = $this->getSession()->getPage()->findAll('css', $selector); + + // If no elements exist, that's okay - just skip + if (empty($elements)) { + return; + } + + // Click the first element + $elements[0]->click(); +} +``` + +Use in tests: +```gherkin +# Won't fail if no publications exist yet +When I click on the first ".ct-list__content a" element if it exists +``` + +#### 7. 
URL Patterns and Path Aliases +Be aware that Drupal may use path aliases: + +```gherkin +# Instead of assuming /node/123 format: +And the url should match "\/node\/\d+" + +# Check for the actual alias pattern: +And the url should match "\/publications\/[\w-]+" +``` + +#### 8. Status Code Checks with JavaScript Drivers +Status code assertions don't work with Selenium/JavaScript drivers: + +```gherkin +# This will fail with Selenium: +Then the response status code should be 200 + +# Use content-based verification instead: +Then I should see "Expected page content" +And I should not see "Access denied" +``` + +#### 9. Running Specific Scenarios +To run a single scenario during development: +```bash +# Run scenario starting at line 33 +docker compose exec cli vendor/bin/behat tests/behat/features/file.feature:33 +``` + +#### 10. Debugging Failed Tests +Always check screenshots when tests fail: +```bash +# Check latest screenshots +ls -la .logs/screenshots/ | tail -5 + +# Use Playwright to view screenshots +mcp__playwright__browser_navigate with file:// URL +``` diff --git a/.cursor/commands/drupal-lint.md b/.cursor/commands/drupal-lint.md new file mode 100644 index 0000000..919ab7c --- /dev/null +++ b/.cursor/commands/drupal-lint.md @@ -0,0 +1,292 @@ +# Custom Command: Drupal Lint + +## Command Usage +`/drupal-lint [scope]` + +Use the optional `scope` argument to narrow linting (e.g., `php`, `js`, `all`). Omit it to run the full linting workflow. The sections below describe the available tools and when to use them. + +# Linting Commands for Drupal Projects + +This document provides comprehensive linting instructions for the Drupal project based on Vortex (DrevOps) configuration. When you are refactoring existing code (as opposed to making minor adjustments), think harder.
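A common way to enforce this workflow day to day is a Git pre-commit hook. The sketch below is an assumption-laden example, not project code: it assumes `ahoy` and its `lint`/`lint-fix` targets exist as described in this document, and it records the result in a variable instead of exiting so the logic is easy to test in isolation.

```shell
#!/bin/sh
# Hypothetical pre-commit hook: run the project lint suite and report
# failure so the commit can be blocked. Assumes "ahoy lint" exists.

if ! command -v ahoy >/dev/null 2>&1; then
  # Tooling not installed (e.g. a CI image without ahoy): do not block.
  echo "ahoy not found; skipping lint checks"
  rc=0
elif ahoy lint; then
  echo "Lint passed"
  rc=0
else
  echo "Lint failed. Try 'ahoy lint-fix' for auto-fixable issues."
  rc=1
fi

echo "pre-commit lint result: $rc"
```

In an actual hook you would save this as `.git/hooks/pre-commit`, mark it executable, and finish with `exit "$rc"` so Git aborts the commit on failure.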
+ +## Quick Reference + +### Model use +Use `chatgpt-5-high` model for all tasks + +### Run All Linting +```bash +# Run all backend and frontend linting +ahoy lint + +# Run only backend linting +ahoy lint-be + +# Run only frontend linting +ahoy lint-fe + +# Auto-fix linting issues (where possible) +ahoy lint-fix +``` + +## Backend Linting Tools + +### 1. PHP CodeSniffer (PHPCS) + +**Purpose**: Checks PHP code against Drupal coding standards. + +```bash +# Run PHPCS on entire codebase +ahoy cli vendor/bin/phpcs + +# Run on specific file or directory +ahoy cli vendor/bin/phpcs web/modules/custom/module_name + +# Show specific sniffs being used +ahoy cli vendor/bin/phpcs -s + +# Generate a report +ahoy cli vendor/bin/phpcs --report=summary + +# Check specific standard violations +ahoy cli vendor/bin/phpcs --sniffs=Drupal.Commenting.FunctionComment +``` + +**Configuration**: `phpcs.xml` +- Standards: Drupal, DrupalPractice +- PHP Version: 8.3 +- Checks custom modules, themes, and tests + +### 2. PHP Code Beautifier and Fixer (PHPCBF) + +**Purpose**: Automatically fixes PHPCS violations where possible. + +```bash +# Auto-fix all fixable issues +ahoy cli vendor/bin/phpcbf + +# Fix specific file or directory +ahoy cli vendor/bin/phpcbf web/modules/custom/module_name + +# See what would be fixed without making changes +ahoy cli vendor/bin/phpcbf --dry-run +``` + +### 3. PHPStan + +**Purpose**: Static analysis tool that finds bugs without running code. + +```bash +# Run PHPStan analysis (Level 7) +ahoy cli vendor/bin/phpstan + +# Run with memory limit +ahoy cli vendor/bin/phpstan --memory-limit=2G + +# Analyze specific paths +ahoy cli vendor/bin/phpstan analyse web/modules/custom/module_name + +# Clear cache and re-analyze +ahoy cli vendor/bin/phpstan clear-result-cache +ahoy cli vendor/bin/phpstan +``` + +**Configuration**: `phpstan.neon` +- Level: 7 (strict) +- Includes phpstan-drupal extension + +### 4. 
PHP Mess Detector (PHPMD) + +**Purpose**: Detects code smells and possible bugs. + +```bash +# Run PHPMD +ahoy cli vendor/bin/phpmd . text phpmd.xml + +# Check specific directory +ahoy cli vendor/bin/phpmd web/modules/custom/module_name text phpmd.xml + +# Generate HTML report +ahoy cli vendor/bin/phpmd . html phpmd.xml > phpmd-report.html + +# Check specific rules +ahoy cli vendor/bin/phpmd . text codesize,unusedcode +``` + +**Configuration**: `phpmd.xml` +- Rules: unusedcode, codesize, cleancode + +### 5. Rector + +**Purpose**: Automated refactoring and code upgrades. + +```bash +# Dry run (preview changes) +docker compose exec -T cli bash -c "XDEBUG_MODE=off vendor/bin/rector --debug --ansi --memory-limit=2G --no-progress-bar --clear-cache --dry-run" + +# Apply changes +docker compose exec -T cli bash -c "XDEBUG_MODE=off vendor/bin/rector --debug --ansi --memory-limit=2G --no-progress-bar --clear-cache" + +# Process specific directory +docker compose exec -T cli bash -c "XDEBUG_MODE=off vendor/bin/rector process web/modules/custom/module_name --dry-run" +``` + +**Configuration**: `rector.php` +- Includes Drupal 8/9/10 upgrade rules +- Code quality improvements + +## Frontend Linting Tools + +### 6. Twig CS (Twig Coding Standards) + +**Purpose**: Checks Twig template files for coding standards. + +```bash +# Run Twig CS +ahoy cli vendor/bin/twigcs + +# Check specific directory +ahoy cli vendor/bin/twigcs web/themes/custom/theme_name +``` + +### 7. Theme-specific Linting + +**Purpose**: ESLint and Stylelint for JavaScript and CSS. 
+ +```bash +# Run theme linting (configured in package.json) +ahoy lint-fe + +# Or manually for specific theme +ahoy cli "npm run --prefix web/themes/custom/demirs_ws lint" +ahoy cli "npm run --prefix web/themes/custom/demirs_cp lint" +``` + +## Common Linting Scenarios + +### Before Committing Code +```bash +# Run all linters +ahoy lint + +# If issues found, try auto-fix +ahoy lint-fix + +# Re-run to check remaining issues +ahoy lint +``` + +### Module Development +```bash +# Check specific module +MODULE="demirs_file_cleanup" +ahoy cli vendor/bin/phpcs web/modules/custom/$MODULE +ahoy cli vendor/bin/phpstan analyse web/modules/custom/$MODULE +ahoy cli vendor/bin/phpmd web/modules/custom/$MODULE text phpmd.xml +``` + +### Fix Common Issues + +#### Fix PHP Strict Types +```bash +# PHPCS requires strict types declaration +ahoy cli vendor/bin/phpcbf --standard=Generic --sniffs=Generic.PHP.RequireStrictTypes web/modules/custom/module_name +``` + +#### Fix Drupal Coding Standards +```bash +# Auto-fix Drupal standards +ahoy cli vendor/bin/phpcbf --standard=Drupal web/modules/custom/module_name +``` + +## Memory Considerations + +For large codebases or memory-intensive operations: + +```bash +# Increase memory for PHPStan +ahoy cli vendor/bin/phpstan --memory-limit=4G + +# Run Rector with more memory +docker compose exec -T cli bash -c "XDEBUG_MODE=off vendor/bin/rector --memory-limit=4G --dry-run" + +# Or set PHP memory limit for session +docker compose exec cli php -d memory_limit=-1 vendor/bin/phpcs +``` + +## Continuous Integration + +These commands are typically run in CI/CD pipelines: + +```bash +# CI-friendly output +ahoy cli vendor/bin/phpcs --report=junit +ahoy cli vendor/bin/phpstan --error-format=junit +``` + +## Troubleshooting + +### Clear Caches +```bash +# Clear Drupal cache (may affect some tools) +ahoy drush cr + +# Clear PHPStan cache +ahoy cli vendor/bin/phpstan clear-result-cache + +# Clear Rector cache +rm -rf /tmp/rector_cached_files +``` + +### 
Debug Mode +```bash +# Verbose PHPCS +ahoy cli vendor/bin/phpcs -vvv + +# Debug Rector +docker compose exec -T cli bash -c "vendor/bin/rector --debug --dry-run" +``` + +### Exclude Patterns + +To temporarily exclude files/directories, modify the respective config files: +- PHPCS: Add `<exclude-pattern>` entries in `phpcs.xml` +- PHPStan: Add to `excludePaths` in `phpstan.neon` +- PHPMD: Add exclusion patterns in `phpmd.xml` + +## Best Practices + +1. **Run linting before commits**: Use git hooks or manually run `ahoy lint` +2. **Fix issues incrementally**: Start with auto-fixable issues using `ahoy lint-fix` +3. **Module-specific linting**: When developing a module, lint it specifically to get faster feedback +4. **Use appropriate memory limits**: For large codebases, increase memory limits as needed +5. **Keep tools updated**: Regularly update linting tools via Composer + +## Common Errors and Solutions + +### PHPDoc Parameter Name Mismatch +``` +ParamNameNoMatch: Doc comment for parameter $some_service does not match actual variable name $someService +``` +**Solution**: Ensure PHPDoc parameter names exactly match the actual parameter names in the function signature. + +### Missing Strict Types Declaration +``` +MissingDeclareStrictTypes: Missing declare(strict_types=1) statement +``` +**Solution**: Add `declare(strict_types=1);` after the opening PHP tag in each file.
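To see the behaviour this sniff is protecting, here is a small self-contained illustration of what `declare(strict_types=1)` changes — it is an example, not code from this repository. With strict types enabled, passing an `int` where a `string` is expected raises a `TypeError` instead of being silently coerced:

```php
<?php

declare(strict_types=1);

function label(string $title): string {
  return 'Label: ' . $title;
}

// Correctly typed call works as usual.
echo label('Home'), "\n";

try {
  // Deliberate type error for demonstration: an int where a string
  // is required. Without strict_types this would coerce to "42".
  echo label(42), "\n";
} catch (\TypeError $e) {
  echo "TypeError caught\n";
}
```

Running this prints `Label: Home` followed by `TypeError caught`, which is exactly the early, loud failure mode the coding standard wants.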
+ +### TranslatableMarkup Type Errors +When entity labels return TranslatableMarkup objects instead of strings: +```php +// Convert to string +$label = (string) $entity->label(); +``` + +## References + +- [Vortex PHPCS Documentation](https://vortex.drevops.com/tools/phpcs) +- [Vortex PHPMD Documentation](https://vortex.drevops.com/tools/phpmd) +- [Vortex PHPStan Documentation](https://vortex.drevops.com/tools/phpstan) +- [Vortex Rector Documentation](https://vortex.drevops.com/tools/rector) +- [Drupal Coding Standards](https://www.drupal.org/docs/develop/standards) diff --git a/.cursor/commands/gh-issue-create.md b/.cursor/commands/gh-issue-create.md new file mode 100644 index 0000000..a47d840 --- /dev/null +++ b/.cursor/commands/gh-issue-create.md @@ -0,0 +1,240 @@ +# Custom Command: GitHub Issue Create + +## Command Usage +`/gh-issue-create ` + +Everything after `/gh-issue-create` is treated as a single argument containing the user's description of what they want to achieve. + +## Instructions + +You are implementing a command that intelligently creates GitHub issues based on user descriptions. This task must avoid any code changes. + + Think harder and follow these steps thoroughly: + +### 1. Parse and Understand Context +- **Extract Requirements**: Identify core functionality from the original request, accept the full text after the command as the user's description, analyse the current working directory to understand the project context; Identify the Git repository and its remote origin. +- **Define Test Cases**: Create specific, measurable test scenarios +- **Specify Expected Outcomes**: Clear success and failure criteria +- **Structure for Implementation**: Organize prompt for red-green-refactor cycle +- **Include Edge Cases**: Don't forget boundary conditions and error scenarios + +### 2. 
Codebase Analysis +- Explore the relevant parts of the codebase mentioned in the description +- Look for: + - Related existing code + - Configuration files + - Documentation (README, docs/, wiki references) + - Similar patterns or implementations + - Dependencies that might be affected + +### 3. Issue Classification +Determine the issue type based on the description: +- **Bug**: Something is broken or not working as expected +- **Feature**: New functionality that doesn't exist +- **Enhancement**: Improvement to existing functionality +- **Task**: Technical work, refactoring, or maintenance + +### 4. TDD Prompt Structure + +#### 1. Objective Statement +Clear, concise description of what needs to be built + +#### 2. Test Specifications +``` +GIVEN: [Initial state/context] +WHEN: [Action performed] +THEN: [Expected outcome] +``` + +### 5. Break Down Into Tasks +Decompose the description into specific, actionable tasks: +- Each task should be atomic and testable +- Consider technical dependencies +- Include both implementation and testing tasks +- Think about documentation updates needed + +### 6. Define Acceptance Criteria +For each major component, think hard to establish clear acceptance criteria: +- What specific behaviour should be implemented? +- What are the success conditions? Define specific, measurable outcomes. +- What edge cases need handling? +- What are the error handling expectations? +- What tests would validate the implementation? +- What are the performance requirements?
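As an illustration of turning a single acceptance criterion into executable checks, the sketch below encodes a hypothetical "block the sixth failed login attempt within 15 minutes" rule. The `LoginRateLimiter` class is a self-contained stand-in invented for this example, not an implementation from any real project:

```php
<?php

declare(strict_types=1);

final class LoginRateLimiter {
  /** @var array<string, array<int, int>> Failed-attempt timestamps per user. */
  private array $attempts = [];

  public function attempt(string $user, int $timestamp): bool {
    // Keep only failures from the last 15 minutes (900 seconds).
    $this->attempts[$user] = array_filter(
      $this->attempts[$user] ?? [],
      fn (int $t): bool => $timestamp - $t < 900
    );
    if (count($this->attempts[$user]) >= 5) {
      return false; // Criterion: the sixth recent attempt is blocked.
    }
    $this->attempts[$user][] = $timestamp;
    return true;
  }
}

$limiter = new LoginRateLimiter();
$allowed = 0;
for ($i = 0; $i < 5; $i++) {
  $allowed += $limiter->attempt('alice', 1000 + $i) ? 1 : 0;
}
echo "first five attempts allowed: $allowed\n";
echo $limiter->attempt('alice', 1010) ? "sixth allowed\n" : "sixth blocked\n";
```

The point is the mapping: each bullet in the criteria list should reduce to an assertion this concrete, so the issue's tests can fail before the feature exists and pass after.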
+ +#### 6.1 Test Cases Format +```markdown +Test Case 1: [Descriptive name] +- Input: [Specific input data] +- Expected Output: [Exact expected result] +- Validation: [How to verify success] + +Test Case 2: [Edge case name] +- Input: [Boundary/error condition] +- Expected Output: [Error handling result] +- Validation: [Error verification method] +``` + +#### 6.2 Conversion Examples + +##### Original Request: +"Add user login functionality" + +##### TDD Conversion: +```markdown +## Objective +Implement secure user login with email/password authentication + +## Test Specifications + +### Test 1: Successful Login +GIVEN: Valid user credentials exist in database +WHEN: User submits correct email and password +THEN: User receives auth token and is redirected to dashboard + +### Test 2: Invalid Password +GIVEN: Valid email but incorrect password +WHEN: User submits login form +THEN: Return error "Invalid credentials" without revealing which field is wrong + +### Test 3: Non-existent User +GIVEN: Email not in database +WHEN: User attempts login +THEN: Return same "Invalid credentials" error (prevent user enumeration) + +### Test 4: Rate Limiting +GIVEN: User has failed 5 login attempts +WHEN: User attempts 6th login within 15 minutes +THEN: Block attempt and show "Too many attempts" error + +## Success Criteria +- All tests pass +- Password is hashed using bcrypt +- Auth tokens expire after 24 hours +- Login attempts are logged +- Response time < 200ms +``` + +#### 6.3 Output Format + +Generate TDD prompt as: + +```markdown +## TDD Prompt: [Feature Name] + +### Objective +[Clear description of the feature to implement] + +### Test Suite + +#### Happy Path Tests +[List of successful scenario tests] + +#### Error Handling Tests +[List of failure scenario tests] + +#### Edge Case Tests +[List of boundary condition tests] + +### Implementation Requirements +- [ ] All tests must pass +- [ ] Code coverage > 80% +- [ ] Performance criteria met +- [ ] Security requirements 
satisfied + +### Test-First Development Steps +1. Write failing test for [first requirement] +2. Implement minimal code to pass +3. Refactor while keeping tests green +4. Repeat for next requirement + +### Example Test Implementation +```language +// Example test code structure +``` +``` + +#### Remember to: +- Focus on behavior, not implementation details +- Make tests specific and measurable +- Include both positive and negative test cases +- Structure for iterative TDD workflow + +### 7. Generate Issue Content +Structure the issue with: +- **Title**: Concise, descriptive summary +- **Type**: Bug/Feature/Enhancement/Task label +- **Description**: Clear explanation of the need +- **Tasks**: Bulleted list of implementation steps +- **Acceptance Criteria**: Testable success conditions +- **Testing scenarios**: Numbered list of testing scenarios in the requested format +- **Technical Notes**: Any implementation considerations +- **Related Files**: Key files that will be affected + +### 8. Present for Confirmation +Before creating the issue, present the formatted content to the user: +``` +=== GitHub Issue Preview === +Repository: [detected repo] +Title: [generated title] +Type: [classification] + +Description: +[formatted description] + +Tasks: +- [ ] Task 1 +- [ ] Task 2 +... + +Acceptance Criteria: +- [ ] Criteria 1 +- [ ] Criteria 2 +... + +Technical Notes: +[any relevant notes] + +Related Files: +- file1.js +- file2.php +... +=========================== + +Would you like to create this issue? (yes/no) +``` + +### 9. Create the Issue +If confirmed: +- Detect the Git remote origin URL +- Extract the GitHub repository owner and name +- Use the GitHub API to create the issue +- Return the created issue URL + +## Example Behaviour + +User input: `/gh-issue-create Add user authentication with email verification and password reset functionality` + +Your process: +1. Scan for existing auth implementation +2. Check for auth-related dependencies +3. 
Classify as "Feature" +4. Break down into: database schema, registration endpoint, email service, verification flow, password reset flow, tests +5. Define criteria for each component +6. Identify test cases +7. Present the formatted issue for review +8. Create the issue upon confirmation using the GitHub MCP server or the GitHub CLI + +## Error Handling +- If no Git repository is found: Inform the user and exit +- If no remote origin: Ask the user to specify the repository +- If the GitHub API fails: Provide the issue content for manual creation +- If the description is too vague: Ask clarifying questions + +## Important Notes +- Always think step-by-step through the entire process +- Be thorough in codebase exploration +- Make reasonable assumptions but note them +- Focus on creating actionable, well-structured issues +- Consider the project's conventions and patterns diff --git a/.cursor/commands/gh-issue-resolve.md b/.cursor/commands/gh-issue-resolve.md new file mode 100644 index 0000000..e22cc19 --- /dev/null +++ b/.cursor/commands/gh-issue-resolve.md @@ -0,0 +1,52 @@ +# Custom Command: GitHub Issue Resolve + +## Command Usage +`/gh-issue-resolve <issue-url> [context]` + +Treat the first argument as the GitHub issue URL (or number). Everything after that is optional analyst context to guide the resolution. If the URL is missing, pause and ask the user to provide it before continuing. + +Please analyse and fix the GitHub issue referenced in the user input. The problem description provided after `/gh-issue-resolve` becomes your working context. If you cannot access the issue or the instructions are incomplete, stop and request clarification from the user before proceeding. + +Follow these steps: + +## 1. PLAN +1. Use 'gh issue view' to get the issue details +2. Think about and understand the problem described in the issue +3. Ask clarifying questions if necessary +4. Understand the prior art for this issue + - Search the codebase for relevant files +5.
Think harder about how to break the issue down into a series of small, manageable tasks. +6. Prepare your plan + - include the issue name + - include a link to the issue. + +## 2. WRITE TEST +- Create a new Git branch for the issue. +- Identify the testing framework within the project. +- Begin by writing tests in the identified framework that will satisfy the ticket acceptance criteria and overall task. +- Write Behat, unit, and/or Postman tests that describe the expected behaviour of your code. These tests will fail at first, which is expected. +- Aim for a minimum of 80% test coverage + + +## 3. WRITE CODE +- Think through and solve the issue in small, manageable steps, according to your plan. +- Commit your changes after each step. +- When coding the front end, use the Playwright MCP server to validate your work. +- Document your changes in the project documentation (README.md and the /docs/ folder) +- Update the CHANGELOG.md file with the changes you are making; keep this file up to date and always validate it to remove information that no longer applies. +- Check for the linting tools available in the project's CLAUDE.md file. +- Use either Playwright via MCP, or unit tests, or Behat to test the changes if you have made changes to the UI. If you are in a Drupal project, log in via the Playwright browser: first execute the `ahoy login` command and grab the one-time login URL for Drupal user #1, then visit that URL to log in instantly. +- Run the full test suite to ensure you haven't broken anything +- If the tests are failing, fix them, or fix the functionality. +- Ensure that all tests are passing before moving on to the next step +- If testing automation is present as a GitHub Actions workflow, test it locally using local Docker. Example: `act --container-architecture linux/amd64 -j test --verbose` + +## 4. LINT +- Execute code linting, using the tools specific to the project, and resolve any errors and warnings. + +## 5. DEPLOY +- Open a PR and request a review.
+- Create cross-reference links between the PR and the GitHub issue. +- Validate that the PR passes GitHub Actions workflow tests, and resolve any test failures in GHA. + +Remember to use the GitHub CLI (`gh`) for all GitHub-related tasks. diff --git a/.cursor/commands/npm-audit-fix.md b/.cursor/commands/npm-audit-fix.md new file mode 100644 index 0000000..ba06b2f --- /dev/null +++ b/.cursor/commands/npm-audit-fix.md @@ -0,0 +1,121 @@ +# Custom Command: NPM Audit Fix + +## Command Usage +`/npm-audit-fix [path]` + +Provide an optional project `path` (defaults to the repository root). The instructions below describe how to audit and remediate NPM vulnerabilities in the target project. + +You will help audit and remediate NPM vulnerabilities in a Drupal theme project. The project uses NPM packages to build front-end assets like CSS and JavaScript, and may use NPM, Yarn, or other package managers. + +Here is the project path you'll be working with: + + +the project root path + + +Your goal is to investigate the project setup, fix security vulnerabilities, ensure assets build properly in both host and Docker environments, and update documentation to guide developers on front-end asset rendering. + +Before executing the remediation steps, wrap your analysis in tags to systematically document your findings. It's OK for this section to be quite long. Include: + +- **File Structure**: List the key files found in the project (package.json, lock files, Docker files, .nvmrc, etc.)
+- **Package Manager Detection**: Identify which package manager is being used and document the evidence +- **Build Environment**: Determine if builds happen on host vs Docker and identify the build commands +- **Node Version**: Check for .nvmrc or other version specifications +- **Git Baseline**: Record the current git status to establish a baseline +- **Vulnerability Assessment**: Run and document the results of npm/yarn audit, listing each vulnerability with its severity +- **Remediation Strategy**: Plan your approach for fixing vulnerabilities while minimizing breaking changes + +Before proceeding, make sure the PHP runtime has access to the same project files as the CLI container. The PHP image in this stack does not mount the module code by default, so you must manually sync the files before attempting any audits or Drupal commands: + +**Mandatory Container Sync (must be performed manually by the assistant)** +- Identify the running PHP pod/container for the target environment. For Lagoon-based stacks use `kubectl get pods -l lagoon.sh/project=the project name,lagoon.sh/service=php` (or the equivalent `kubectl get pod` command provided by the platform). For local Docker Compose environments use `docker compose ps php` to confirm the container name. +- Determine the CLI container name (typically `the project name` locally or the Lagoon CLI pod). This container has the authoritative Drupal codebase. +- Copy the missing module directories from the CLI container to the PHP container so PHP can load them. Example (Docker): `docker cp $(docker compose ps -q cli):/app/web/modules/. $(docker compose ps -q php):/app/web/modules/` and repeat for any other required paths (e.g. `/app/vendor`, `/app/web/profiles`). Example (Lagoon/Kubernetes): `kubectl cp :/app/web/modules :/app/web/modules -c php`. +- Verify inside the PHP container that the expected module (e.g. `upgrade_status`) now exists under `/app/web/modules/contrib`. 
Do not restart or recreate containers; only manual copying is permitted. + +Then follow these systematic steps: + +**Step 1: Initial Project Investigation** +- Navigate to the project path and examine the file structure +- Look for package.json, yarn.lock, package-lock.json to determine which package manager is in use +- Check for Dockerfile or docker-compose.yml files that contain asset building instructions +- Examine .nvmrc file for Node version requirements; if missing, create one with a reasonable LTS version + +**Step 2: Environment Detection** +- Determine whether asset building happens on the host machine (typically macOS) or in Docker +- If Docker is used, identify the specific commands used for asset building +- Note any build scripts defined in package.json + +**Step 3: Git Status Baseline** +- Run `git status` and document the current state +- This baseline will help identify if any distributed assets are incorrectly committed + +**Step 4: NPM Security Audit** +- Run `npm audit` (or `yarn audit` if Yarn is detected) to identify vulnerabilities +- Document all vulnerabilities found, including their severity levels and affected packages + +**Step 5: Vulnerability Remediation** +- Start with `npm audit fix` or the equivalent command for your detected package manager +- For vulnerabilities that can't be auto-fixed, research each one individually: + - Check if newer versions of packages resolve the issues + - Look for alternative packages if necessary + - Prioritize fixes that don't break compatibility +- Update packages incrementally, testing after each major change + +**Step 6: Asset Building and Testing** +- Build assets using the identified build process +- Test building on the host machine first +- If Docker is used, test building in the Docker environment as well +- Ensure all assets compile without errors + +**Step 7: Git Status Validation** +- Run `git status` again after building assets +- Compare with the baseline from Step 3 +- If any files in 
distribution/build folders were removed: + - Move these files to a separate backup folder + - Update build scripts to copy these files back to their proper location + - Document this process for future reference + +**Step 8: Documentation Review and Updates** +- Review the README file inside the theme directory +- Update the project-level README file to include clear instructions for front-end asset rendering +- Ensure the README provides step-by-step guidance for developers on how to execute front-end asset compilation + +**Step 9: Ahoy Command Verification** +- Verify that the `ahoy fe` command exists and successfully compiles assets +- Verify that the `ahoy fei` command exists and successfully installs dependencies +- Ensure these commands work when executed from the root level +- Confirm that the commands pass the necessary arguments to NPM, Yarn, or whatever compiler is being used +- If these commands don't exist or don't work properly, create or fix them + +**Step 10: Cross-Environment Validation** +- Test the complete build process in both host and Docker environments +- Verify that all assets are generated correctly in both contexts +- Confirm that any manually managed assets are properly handled + +**Important Guidelines:** +- Minimize changes to avoid breaking existing functionality +- Test thoroughly after each significant change +- Preserve any assets that were manually placed in distribution folders +- Ensure Node version consistency across environments +- Document any workarounds or special handling required + +Provide your analysis and remediation work in the following format: + + +**Vulnerability Summary:** [List vulnerabilities found and how they were addressed] + +**Package Changes:** [Detail any package replacements or major updates made] + +**Build Environment Setup:** [Describe whether builds happen on host vs Docker, and any special configuration] + +**Asset Handling:** [Explain any special handling required for manually managed assets] + 
+**Ahoy Command Status:** [Confirm that 'ahoy fe' and 'ahoy fei' commands exist and work properly] + +**Documentation Updates:** [Summarize changes made to theme and project README files] + +**Cross-Environment Testing:** [Confirm that builds work in both host and Docker environments] + +**Future Recommendations:** [Provide recommendations for preventing similar issues] + diff --git a/.cursor/commands/pr-assess.md b/.cursor/commands/pr-assess.md new file mode 100644 index 0000000..44fc3ea --- /dev/null +++ b/.cursor/commands/pr-assess.md @@ -0,0 +1,594 @@ +# Custom Command: PR Assess + +## Command Usage +`/pr-assess [context]` + +Require the first argument to be the PR URL or number. Any extra text becomes review context. If the URL/number is missing, ask the user for it before continuing. + +Review the pull request and ticket using the user-provided arguments (if any) as contextual input. +If that input is missing, stop and ask the user to provide it, such as the pull request URL or number along with any instructions, and treat whatever they supply as the contextual input. + +# Code Review Agent Instructions + +You are a senior technical lead and architect conducting automated code reviews for GitHub or GitLab pull requests across multiple technology stacks (Drupal, Vue.js, React, etc.). Your role is to evaluate code changes against ticket requirements and coding standards, manage GitHub labels for workflow automation, and update Freshdesk tickets with review findings. + +## Primary Objectives + +1. **Requirement Fulfilment Analysis (50%)**: Verify code changes satisfy ticket requirements +2. **Code Standards Compliance (30%)**: Ensure adherence to technology-specific coding standards and best practices, including defensive coding, logging and reporting, and error capturing. +3. **Security Assessment (20%)**: Validate OWASP security standards and framework-specific security practices +4.
**Label Management**: Apply appropriate GitHub labels for workflow automation +5. **Freshdesk Integration**: Update tickets with structured review findings and log a time entry +6. **Line-Specific Feedback**: Add comments directly on problematic code lines + +## Input Data Analysis + +- Pull the GitHub PR URL from the user-provided contextual input. +- If it was not provided in the prompt, ask the user for the PR number or URL, then extract and analyse: + +### Pull Request Context +- **PR Details**: Extract the PR number +- **Repository Info**: Note owner, repo name, and branch information +- **Change Statistics**: Review additions, deletions, and changed files count +- **Use GitHub MCP tool**: Use the github-mcp tool to connect to GitHub. If it fails, use the gh CLI. + +### Ticket Context +- **Requirements**: Parse the ticket description and conversations to understand functional requirements +- **Acceptance Criteria**: Identify specific acceptance criteria from ticket conversations +- **Client Feedback**: Review conversation history for clarifications and changes +- **Technical Context**: Note technology stack, modules affected, and dependencies +- **Extract ticket information**: Check the PR description and title to pull the ticket number. +  In most cases it will be a Freshdesk ticket. Use the freshdesk-mcp tool to get ticket information, +  conversations and the ticket summary to understand the context of the issue. In some cases you will be passed a JIRA URL; use atlassian-mcp to connect and get the ticket details in that case. + +### Site summary context +- **Use atlassian-mcp tool**: to access Confluence and find the Site Summary in the SUPPORT space. +  The Site Summary page title includes the production domain. The Site Summary may have important +  details about project customisations. Keep this page up to date when you identify inconsistencies +  or missing information, based on your PR review outcome.
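The ticket-number extraction described in the Ticket Context section can be sketched as a small shell fragment. This is a minimal, hypothetical sketch: the hard-coded PR title, the four-digit ticket format, and the `gh` invocation shown in the comment are illustrative assumptions, not part of this guide.

```shell
# Minimal sketch of pulling a Freshdesk-style ticket number out of a PR title.
# In practice the title would come from something like:
#   gh pr view "$PR" --json title -q '.title'
# A hard-coded example title stands in for that call here.
PR_TITLE='[#5765] Updated user authentication process.'

# Grab the first "#NNNN" token (four or more digits) and strip the hash.
TICKET=$(printf '%s\n' "$PR_TITLE" | grep -oE '#[0-9]{4,}' | head -n 1 | tr -d '#')

echo "Ticket: ${TICKET:-not found}"
```

If no match is found, `${TICKET:-not found}` keeps the output readable instead of printing an empty string, which is a convenient point to branch into the "ask the user" fallback.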
+ +### Code Changes +- **Files Modified**: Analyse changed files and their purposes +- **Code Patterns**: Review implementation approach and architecture +- **Security Implications**: Assess the security impact of changes +- **Reliability and error handling**: Validate that defensive coding practices are followed +- **Error reporting**: Validate that the code has sufficient error logging and reporting +- **Important**: Note that this PR review tool is for ALL repositories (Drupal backend AND Vue.js/React frontends) + +## Review Process + +### 1. Requirement Analysis (Pass Score: 80%) +Compare code changes against: +- Original ticket requirements +- Acceptance criteria from conversations +- Client-requested modifications +- Expected functionality + +**Scoring Criteria:** +- 90-100%: All requirements fully implemented with proper edge case handling +- 80-89%: Core requirements met with minor gaps +- 70-79%: Most requirements met but missing key functionality +- Below 70%: Significant requirements gaps + +### 2.
Code Standards Review (Context-Aware Scoring) + +**IMPORTANT**: Adjust review criteria based on repository type: +- For Drupal repositories: Apply Drupal-specific standards below +- For Vue.js/React frontends: Apply frontend-specific standards (ES6+, component architecture, state management) +- For other technologies: Apply language-specific best practices + +#### Critical/Required Criteria: +**Security Assessment:** +- SQL Injection Prevention: Parameterized queries, no direct SQL concatenation +- XSS Protection: Proper output sanitization (Html::escape(), #plain_text) +- CSRF Protection: Form API usage, custom forms have CSRF tokens +- Access Control: Proper permission checks, entity access API usage +- File Upload Security: Extension validation, MIME type checks +- Input Validation: Server-side validation for all user inputs +- Sensitive Data: No hardcoded credentials, API keys, or secrets + +**Drupal API Compliance:** +- Entity API: Using Entity API instead of direct database queries +- Form API: Proper form construction and validation +- Render API: Using render arrays, not direct HTML +- Database API: Using Database::getConnection(), not mysql_* +- Configuration API: Config entities for settings, not variables +- Cache API: Proper cache tags and contexts +- Queue API: For long-running processes + +**Code Architecture:** +- Dependency Injection: Services injected, not statically called +- Hook Implementations: Correct hook usage and naming +- Plugin System: Proper plugin implementation when applicable +- Event Subscribers: For responding to system events +- Service Definitions: Proper service registration + +**Database Changes:** +- Update Hooks: Database schema changes in update hooks +- Migration Scripts: For data transformations +- Schema Definition: Proper schema API usage +- Backward Compatibility: Rollback procedures + +#### Important/Recommended Criteria: +**Performance Considerations:** +- Query Optimization: Avoid N+1 queries, use entity loading +- 
Caching Strategy: Appropriate cache bins and invalidation +- Asset Optimization: Aggregation, lazy loading +- Memory Usage: Batch processing for large datasets +- Database Indexes: For frequently queried fields + +**Code Quality Standards:** +- Drupal Coding Standards: phpcs with Drupal/DrupalPractice +- Type Declarations: PHP 8.3+ type hints +- Error Handling: Try-catch blocks, graceful degradation +- Type Validation: Class and method types are validated before use (`instanceof` checks) +- Code Complexity: Cyclomatic complexity < 10 +- Function Length: Methods under 50 lines +- DRY Principle: No code duplication + +**Testing Coverage:** +- Unit Tests: For isolated functionality +- Kernel Tests: For Drupal API integration +- Functional Tests: For user workflows +- JavaScript Tests: For frontend functionality +- Test Data: Proper test fixtures and mocks + +**Documentation:** +- PHPDoc Blocks: For classes and public methods +- README Updates: For new features/modules +- Change Records: For API changes +- Hook Documentation: Proper @hook annotations +- Code Comments: For complex logic only + +#### Optional/Nice-to-Have Criteria: +**Accessibility (WCAG 2.1):** +- ARIA Labels: Proper semantic markup +- Keyboard Navigation: Full keyboard support +- Screen Reader: Announced changes +- Color Contrast: WCAG AA compliance +- Form Labels: Associated with inputs + +**Frontend Standards:** +- JavaScript: ES6+, no inline scripts +- CSS: BEM methodology, no !important +- Responsive Design: Mobile-first approach +- Browser Support: Per project requirements +- Asset Libraries: Proper library definitions + +#### Vue.js/React Specific Standards: +**For Vue.js Projects:** +- Import statements: Use named imports correctly (e.g., `import { ComponentName } from`) +- CSS selectors: Avoid deprecated `/deep/`, use `::v-deep` for Vue 2 +- Props: Don't define props that aren't used +- Component structure: Follow the Vue style guide +- State management: Proper Vuex usage +- Computed properties:
Should be pure functions + +**For React Projects:** +- Hooks: Follow Rules of Hooks +- State management: Proper Redux/Context usage +- Component structure: Functional components preferred +- PropTypes or TypeScript: Type checking required +- **Security**: NEVER use localStorage for JWT tokens or sensitive data +- Token Storage: Use httpOnly cookies or secure storage abstractions +- API Keys: Must not be exposed in frontend code +- Data Sanitization: Always sanitize user input before rendering + +**Multi-site & Multilingual:** +- Domain Access: Proper domain-aware code +- Configuration Split: Environment-specific configs +- String Translation: t() and formatPlural() +- Content Translation: Entity translation API + +### 3. Drupal-Specific Security Assessment +**Native Drupal Security (Auto-Pass Criteria):** +- CSRF protection is handled automatically by Drupal Form API - no manual checks needed +- Administrative forms protected by permission system - inherently secure +- Drupal's built-in input filtering and sanitisation - trust the framework +- Entity access control through Drupal's entity system - framework handles this + +**Manual Security Checks Required:** +- Custom database queries must use parameterised queries +- Direct HTML output must use proper sanitisation functions +- File uploads must validate file types and permissions +- Custom access callbacks must be properly implemented +- Cache invalidation strategy must be secure +- Update path testing for existing sites +- Multisite compatibility verification +- Queue/Batch API for scalability +- Entity access checks beyond basic permissions + +## Line-Specific Comments (CRITICAL) + +**ALWAYS add line-specific comments** for identified issues using the GitHub review API: + +1. **Use the review API** to create a review with line comments: + ```bash + # IMPORTANT: Check if you're reviewing your own PR first! 
+ PR_AUTHOR=$(gh pr view {pr_number} --repo {owner}/{repo} --json author -q '.author.login') + CURRENT_USER=$(gh api user -q '.login') + + if [ "$PR_AUTHOR" = "$CURRENT_USER" ]; then + EVENT_TYPE="COMMENT" # Cannot request changes on own PR + else + EVENT_TYPE="REQUEST_CHANGES" # or "APPROVE" or "COMMENT" + fi + + # Create a JSON file with review comments + cat > /tmp/review_comments.json << EOF + { + "body": "Code review with line-specific feedback", + "event": "$EVENT_TYPE", + "comments": [ + { + "path": "path/to/file.ext", + "line": 123, + "body": "Your comment here with code suggestions" + } + ] + } + EOF + + # Submit the review + gh api repos/{owner}/{repo}/pulls/{pr_number}/reviews -X POST --input /tmp/review_comments.json + ``` + +2. **Line comment best practices**: + - Be specific about the issue and provide the fix + - Include code snippets showing the correct implementation + - Reference relevant documentation or standards + - Use markdown formatting for clarity + +3. **Common pitfalls to avoid**: + - Don't use `gh pr comment` for line-specific feedback (it only adds general comments) + - Don't try to use deprecated comment APIs + - Ensure line numbers match the diff view, not the file view + - NEVER use "REQUEST_CHANGES" on your own PRs (causes HTTP 422 error) + +## Decision Criteria (Drupal-Context Aware) + +- **Approve**: Overall score ≥ 80% AND requirement fulfilment ≥ 80% AND no critical custom security issues +- **Request Changes**: Overall score < 75% OR requirement fulfilment < 80% OR critical custom security vulnerabilities +- **Comment**: Score 75-79% with minor issues + +**Note**: Drupal's native security features (Form API CSRF, permission-based access, Entity API) are considered secure by default and should not trigger failures. 
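The decision matrix above can be expressed as a small shell sketch. The score variables are hypothetical inputs chosen for illustration; only the thresholds come from this guide.

```shell
# Decision logic for the review verdict, using the thresholds above.
overall=78              # overall review score (%)
requirements=85         # requirement fulfilment score (%)
critical_security=0     # count of critical custom security issues

if [ "$overall" -ge 80 ] && [ "$requirements" -ge 80 ] && [ "$critical_security" -eq 0 ]; then
  verdict="APPROVE"
elif [ "$overall" -lt 75 ] || [ "$requirements" -lt 80 ] || [ "$critical_security" -gt 0 ]; then
  verdict="REQUEST_CHANGES"
else
  verdict="COMMENT"     # score 75-79 with minor issues only
fi

echo "$verdict"
```

With the sample scores (overall 78, requirements 85, no critical issues) this prints `COMMENT`, matching the "score 75-79 with minor issues" row of the matrix.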
+ +## GitHub Label Management + +**Required Standard Labels** (create if not present with specified colours): + +**Review Status Labels:** +- `code-review-approved` - PR passes all quality checks + - **Color**: `#1f7a1f` (dark green) +- `code-review-changes` - Changes requested before approval + - **Color**: `#cc8800` (dark orange) +- `code-review-security` - Security issues identified + - **Color**: `#dc3545` (red) + +**Quality Labels:** +- `drupal-standards` - Drupal coding standards violations + - **Color**: `#6f42c1` (purple) +- `requirements-met` - Functional requirements satisfied + - **Color**: `#1f7a1f` (dark green) +- `requirements-gap` - Missing or incomplete functionality + - **Color**: `#cc8800` (dark orange) + +**Technical Labels:** +- `performance-impact` - Performance concerns identified + - **Color**: `#fd7e14` (orange) +- `documentation-needed` - Missing or inadequate documentation + - **Color**: `#17a2b8` (blue) +- `testing-required` - Additional tests needed + - **Color**: `#e83e8c` (pink) +- `php-upgrade` - PHP version compatibility issues + - **Color**: `#6c757d` (grey) + +**Size Labels** (based on PR statistics): +- `size/xs` - 1-10 lines changed + - **Color**: `#28a745` (light green) +- `size/s` - 11-50 lines changed + - **Color**: `#ffc107` (yellow) +- `size/m` - 51-200 lines changed + - **Color**: `#fd7e14` (orange) +- `size/l` - 201-500 lines changed + - **Color**: `#dc3545` (red) +- `size/xl` - 500+ lines changed + - **Color**: `#6f42c1` (purple) + +**Component Labels** (based on affected modules): +- `component/backend` - Drupal backend changes + - **Color**: `#0d6efd` (blue) +- `component/frontend` - Theme/JS/CSS changes + - **Color**: `#20c997` (teal) +- `component/api` - API modifications + - **Color**: `#6610f2` (indigo) +- `component/config` - Configuration changes + - **Color**: `#fd7e14` (orange) +- `component/security` - Security-related changes + - **Color**: `#dc3545` (red) + +## Label Application Logic + +**Auto-Apply Labels 
Based On:** +- **Score ≥ 80%**: Add `code-review-approved` +- **Score < 80%**: Add `code-review-changes` +- **Security Issues**: Add `code-review-security` +- **Standards Violations**: Add `drupal-standards` +- **Requirement Score ≥ 80%**: Add `requirements-met` +- **Requirement Score < 80%**: Add `requirements-gap` +- **Performance Warnings**: Add `performance-impact` +- **Documentation Issues**: Add `documentation-needed` +- **Missing Tests**: Add `testing-required` +- **PHP Compatibility**: Add `php-upgrade` + +**Label Application Methods:** +1. **Preferred**: Use `gh issue edit` command (works for PRs too): + ```bash + gh issue edit {pr_number} --repo {owner}/{repo} --add-label "label1" --add-label "label2" + ``` +2. **Alternative**: If repository uses non-standard labels, check existing labels first: + ```bash + gh label list --repo {owner}/{repo} --limit 100 + ``` + Then apply the most appropriate existing labels + +## Freshdesk Management + +After completing the code review, perform the following Freshdesk updates: + +1. **Add Private Note** with review findings using structured HTML format with appropriate colour coding +2. **Log Time Entry** of 15 minutes for "Code Review" activity + +### Private Note HTML Structure Template +```html +
+<div style="background-color: {status_background}; border-radius: 4px; padding: 12px;">
+  <b style="color: {status_colour};">{status_icon} PR #{pr_number} - {review_status}</b><br>
+  <b>Overall Score:</b> {score}%
+</div>
+
+<b>Review Summary</b>
+
+<div>
+  <b style="color: {requirement_colour};">{requirement_icon} Requirements ({requirement_score}%)</b><br>
+  &nbsp;&nbsp;&nbsp;&nbsp;{requirement_details}
+</div>
+
+<div>
+  <b style="color: {drupal_colour};">{drupal_icon} Drupal Standards ({drupal_score}%)</b><br>
+  &nbsp;&nbsp;&nbsp;&nbsp;{drupal_standards_details}
+</div>
+
+<div>
+  <b style="color: {security_colour};">{security_icon} Security Assessment ({security_score}%)</b><br>
+  &nbsp;&nbsp;&nbsp;&nbsp;{security_assessment_details}
+</div>
+
+<b>Technical Changes</b>
+
+<div>
+  &nbsp;&nbsp;&nbsp;&nbsp;{technical_changes_list}
+</div>
+
+{critical_issues_section}
+
+<div>
+  <b>Status:</b> {final_status}<br>
+  <b>PR Link:</b> <a href="{pr_html_url}">{pr_html_url}</a><br>
+  {next_steps_info}
+</div>
+
+``` + +### Colour Coding Guidelines + +**Status Colours:** +- **Success/Approved**: `#1f7a1f` (dark green) +- **Warning/Changes Needed**: `#cc8800` (dark orange) +- **Critical/Failed**: `#dc3545` (red) +- **Info/In Progress**: `#17a2b8` (blue) + +**Icons and Status:** +- **✅ Passed (90%+)**: Dark Green `#1f7a1f` +- **⚠️ Warning (75-89%)**: Dark Orange `#cc8800` +- **❌ Failed (<75%)**: Red `#dc3545` +- **🔍 Under Review**: Blue `#17a2b8` + +**Background Colours for Status Boxes:** +- **Success**: `#d4edda` (light green) +- **Warning**: Use private note background `background-image: linear-gradient(#fef1e1, #fef1e1);` +- **Danger**: `#f8d7da` (light red) +- **Info**: `#d1ecf1` (light blue) + +**Code Formatting:** +```html +filename.php +``` + +**Critical Issues Section (when applicable):** +```html +
+<div style="background-color: #f8d7da; border-radius: 4px; padding: 12px;">
+  <b style="color: #dc3545;">❌ Critical Issues Found</b><br>
+  &nbsp;&nbsp;&nbsp;&nbsp;{critical_issues_list}
+</div>
+``` + +**Warning Issues Section (when applicable):** +```html +
+

+<div style="background-image: linear-gradient(#fef1e1, #fef1e1); border-radius: 4px; padding: 12px;">
+  <b style="color: #cc8800;">⚠️ Issues Requiring Attention</b><br>
+  &nbsp;&nbsp;&nbsp;&nbsp;{warning_issues_list}
+</div>
+
+``` + +**Note Update Instructions:** +- Use `create_ticket_note` to add private note with HTML structure +- Apply appropriate colours based on review outcomes +- Include all critical findings and recommendations +- Reference PR links for easy tracking +- Update ticket status if review indicates completion +- **Log Time Entry**: Use appropriate Freshdesk API to log 15 minutes of work time for "Code Review" activity + +## Australian English +Use Australian English spelling and terminology throughout the review. + +## PR Review Checklist + +When reviewing, ensure you check: + +### Critical (Must Pass): +- [ ] No SQL injection vulnerabilities +- [ ] No XSS vulnerabilities +- [ ] Proper access control implemented +- [ ] No hardcoded credentials or secrets +- [ ] Drupal APIs used correctly (Entity, Form, Render) +- [ ] Database updates in update hooks +- [ ] File uploads validated + +### Important (Should Pass): +- [ ] Performance optimized (queries, caching) +- [ ] Drupal coding standards followed +- [ ] Adequate test coverage +- [ ] Documentation updated +- [ ] Error handling implemented +- [ ] No code duplication + +### Nice to Have: +- [ ] Accessibility standards met +- [ ] Frontend best practices +- [ ] Multisite compatibility tested +- [ ] Multilingual support +- [ ] Module structure follows conventions + +### Commonly Missed: +- [ ] Cache invalidation strategy +- [ ] Update path testing +- [ ] Queue/Batch API for long processes +- [ ] Entity access beyond permissions +- [ ] Configuration split for environments + +## CRITICAL: Self-Improvement Protocol + +**MANDATORY**: After EVERY code review session, you MUST update this command file (`/Users/ivan/.claude/commands/pr.md`) with: + +1. **New Technology Stacks Encountered**: + - Add specific review criteria for any new frameworks/languages + - Document unique linting rules or standards + - Note build/test commands specific to that stack + +2. 
**Command Issues and Workarounds**: + - Document any gh CLI commands that failed and why + - Add working alternatives you discovered + - Update examples with real, tested commands + +3. **Repository-Specific Patterns**: + - Custom label schemes used by specific organisations + - Unique workflow requirements + - Special security or compliance needs + +4. **Review Process Improvements**: + - Better ways to extract requirements from tickets + - More efficient review workflows + - Time-saving automation opportunities + +5. **Common Code Issues by Technology**: + - Add to the "Commonly Missed" sections + - Create new sections for technology-specific pitfalls + - Update scoring criteria based on real reviews + +### Update Process: +1. At the end of each review, ask yourself: "What did I learn?" +2. Use the `Edit` tool to update relevant sections +3. Add real examples from the review you just completed +4. Test any new commands before documenting them + +### Example Update Entry: +```markdown +### [Date] - Technology: [Stack] - Repository: [Name] +**Issue**: [What happened] +**Solution**: [How you solved it] +**Future Prevention**: [What to do next time] +``` + +## Lessons Learned from Review Sessions + +### What Works Well: +1. **gh CLI**: Reliable for PR operations +2. **gh issue edit**: Works for adding labels to PRs (PRs are issues in GitHub) +3. **Review API**: Best method for line-specific comments +4. **JSON input files**: Clean way to structure complex review data + +### Common Pitfalls: +1. **Don't assume Drupal**: Many repos are Vue.js/React frontends +2. **Check existing labels**: Repos may have custom label schemes +3. **Line comments require review API**: `gh pr comment` only adds general comments +4. **No ticket reference**: Not all PRs reference tickets - proceed with code review anyway +5. **Import statements**: Watch for incorrect ES6 module imports in frontend code +6. **Deprecated Vue features**: `/deep/` selector, unused props, etc. +7. 
**PR Review Submission**: You CANNOT request changes on your own PRs - use "COMMENT" instead +8. **Token Storage**: Always flag localStorage usage for auth tokens as security risk + +### Technology-Specific Discoveries: + +#### Vue.js (Vue 2) +- **Date**: 2025-06-03 +- **Issue**: `/deep/` selector still being used +- **Solution**: Always flag for `::v-deep` replacement +- **Common Pattern**: Unused props passed but never utilized + +#### GitHub API Quirks +- **Date**: 2025-06-03 +- **Issue**: `gh pr edit --add-label` fails with permissions error +- **Solution**: Use `gh issue edit` instead (PRs are issues) +- **Note**: Some repos have 100+ custom labels - always check first + +#### React Frontend Security +- **Date**: 2025-07-07 +- **Issue**: localStorage used for JWT token storage in React app +- **Solution**: Flag as security vulnerability - recommend httpOnly cookies or sessionStorage +- **Common Pattern**: Many React apps default to localStorage for convenience +- **Security Impact**: Tokens in localStorage are vulnerable to XSS attacks + +### PR Review API Best Practices (Updated 2025-07-07) + +**CRITICAL**: Avoid these token-wasting mistakes: + +1. **Review Event Type Selection**: + - If reviewing your own PR: MUST use `"event": "COMMENT"` + - If reviewing others' PRs: Can use `"REQUEST_CHANGES"`, `"APPROVE"`, or `"COMMENT"` + - The API will return HTTP 422 error if you try to request changes on your own PR + +2. **Label Creation Strategy**: + - ALWAYS create labels before trying to apply them + - Use `2>/dev/null || true` to suppress errors if labels already exist + - Batch label creation to avoid multiple API calls + +3. 
**Efficient Review Process**: +   ```bash +   # Step 1: Create all needed labels first (batch operation) +   for label in "code-review-changes:cc8800" "requirements-met:1f7a1f"; do +     IFS=':' read -r name color <<< "$label" +     gh label create "$name" --repo {owner}/{repo} --color "$color" 2>/dev/null || true +   done + +   # Step 2: Submit review with correct event type +   # For your own PRs: +   gh api repos/{owner}/{repo}/pulls/{pr_number}/reviews -X POST --input review.json +   # Where review.json has "event": "COMMENT" + +   # Step 3: Apply all labels in one command +   gh issue edit {pr_number} --repo {owner}/{repo} \ +     --add-label "label1" --add-label "label2" --add-label "label3" +   ``` + +4. **Common Security Checks for Frontend Apps**: +   - localStorage usage for sensitive data (tokens, PII) +   - Inline event handlers (onclick, etc.) +   - Direct DOM manipulation without sanitisation +   - Missing CSP headers configuration +   - Exposed API keys in frontend code + +## Final report +   - Amongst other requirements, include inline comments against individual files and line numbers. diff --git a/.cursor/commands/pr-draft.md b/.cursor/commands/pr-draft.md new file mode 100644 index 0000000..fc29375 --- /dev/null +++ b/.cursor/commands/pr-draft.md @@ -0,0 +1,62 @@ +# Custom Command: PR Draft + +## Command Usage +`/pr-draft ` + +The argument `` should capture highlights, testing notes, and reviewer callouts. Use it to shape the PR title and body. + +You are tasked with creating a pull request (PR) for a code change. Follow these instructions carefully to generate an appropriate PR description and title. + +Check whether the user provided any arguments as contextual input in the prompt. If not, stop first and ask the user for any comments, and treat their reply as the contextual input. Process that input, extract the useful information, and plan how it might affect pull request creation.
If none provided, proceed with the PR creation. + +## Tool use + +Use the GitHub CLI or GitHub MCP if available for PR creation. + +## Template + +First, here is the PR template that should be used as a base for the pull request description: + + +the repository pull request template + + +Now, let's create the pull request: + +1. Extract the ticket number: + Analyze the branch name provided: the active Git branch name + Look for a four-digit number in the branch name, which should represent the Freshdesk ticket number. If found, use it in the next steps. If not found, make a note to ask for it later, unless the contextual input instructs you to skip the ticket number. + +2. Create the PR title: + Format: "[#TICKET_NUMBER] [Verb in past tense] [description of the change] [full stop at the end.]" + Example: "[#5765] Updated user authentication process." + +3. Create the PR description: + Start with the PR template provided above. + + For the "Freshdesk or JIRA ticket" section: + - If you found a ticket number, add the link: https://servicedesk.salsadigital.com.au/a/tickets/TICKET_NUMBER + - If no ticket number was found, leave a placeholder: "TODO: Add Freshdesk ticket link". However, if you were instructed to skip the ticket number, ignore this line. + + For the "Changed" section: + - Be very descriptive about every change made. + - Use proper markdown with headings, lists, and other markdown elements. + - Ensure an extra empty line is present between headings and text and between list items. + - Mention constant names, variables, and classes that were generated or updated. + - Explain the reason for the update and what problems were solved. + - List the items that were updated or changed. + - Do not include lengthy code snippets. + + For the "Screenshots" section: + - Leave it empty. + +4. 
If any information is missing (e.g., ticket number not found in branch name), add a note at the end of the PR description listing the missing information that needs to be provided, unless custom instructions in the contextual input instruct you not to do so. + +5. Final output: + Provide the following in your response: + a) The PR title + b) The complete PR description + c) Any questions or missing information that need to be addressed before submitting the PR + d) PR link. + +Remember, your final output should only include the PR title, PR description, and any questions about missing information. Do not include any of your thought process or these instructions in the output. diff --git a/.cursor/commands/pr-resolve.md b/.cursor/commands/pr-resolve.md new file mode 100644 index 0000000..b4ed961 --- /dev/null +++ b/.cursor/commands/pr-resolve.md @@ -0,0 +1,128 @@ +# Custom Command: PR Resolve + +## Command Usage +`/pr-resolve [context]` + +Require the PR URL/number as the first argument. Treat any following text as remediation instructions from the reviewer. + +Please address review comments for the pull request identified in the user-provided arguments (the contextual input). +If no argument was provided or you can't read it, stop and ask the user for the prompt, the pull request URL, and any instructions. Any user input becomes the contextual input. Use the instructions from the contextual input and the pull request URL in further steps. + +This command uses an AI coding agent to efficiently resolve PR feedback while maintaining code quality. + +## 0. VALIDATION PHASE +If no PR link is provided in the contextual input, ask the user: +"Please provide the PR link (e.g., https://github.com/org/repo/pull/123 or just the PR number if in the current repo)" + +## 1. 
ANALYSIS PHASE +Launch initial analysis agent: +``` +Task: "Analyze PR #{pr_number} comprehensively: +- Use 'gh pr view {pr_number}' to get PR details +- Use 'gh pr view {pr_number} --json reviews' to get all review comments +- Use 'gh api repos/{owner}/{repo}/pulls/{pr_number}/comments' for inline file comments +- Check current PR status and CI/CD results +- Categorize feedback into: code changes, test additions, documentation updates +- Check project's AGENTS.md for available testing and linting commands" +``` + +## 2. MULTI-STEP RESOLUTION PHASE + +### Step 1 - Code Changes & Review Comments +``` +Task: "Address all code review feedback for PR #{pr_number}: +- For each review comment: + * Understand the requested change + * Implement the fix following reviewer suggestions + * Search codebase for similar patterns to ensure consistency +- For inline file comments: + * Navigate to exact file and line + * Implement suggested changes + * Consider impact on surrounding code +- Make logical commits grouping related changes" +``` + +### Step 2 - Testing & Validation +``` +Task: "Ensure all tests pass for PR #{pr_number}: +- Check AGENTS.md for project-specific test commands +- Detect available testing frameworks: + * Look for: composer.json, package.json, Makefile, ahoy.yml + * For Drupal: check for phpunit.xml, behat.yml + * Check for Playwright/Puppeteer configs or MCP servers +- Run the full test suite: + * Use commands from AGENTS.md first + * Fallback to standard commands (composer test, npm test) + * For Drupal: try `ahoy test`, `ahoy test-bdd`, `ahoy test-unit`, `ddev test`, `lando test` +- If tests fail: + * Analyze failure reasons + * Fix failing tests or implementation + * Add new tests if requested in reviews" +``` + +### Step 3 - 
Linting & Code Quality +``` +Task: "Fix all linting and style issues for PR #{pr_number}: +- Check AGENTS.md for project-specific linting commands +- Detect available linters: + * For PHP: phpcs, phpstan, psalm + * For JS: eslint, prettier + * For Python: flake8, black, pylint +- Run all applicable linters: + * Use commands from AGENTS.md first + * Fix all warnings and errors + * For Drupal: ensure coding standards compliance +- Run formatters if available +- Ensure every file touched by the PR ends with a trailing newline +- Verify no new linting issues introduced" +``` + +## 3. DOCUMENTATION PHASE +After code changes complete, if needed: +``` +Task: "Update documentation for PR #{pr_number}: +- Review all code changes from other agents +- Check if any of these require documentation updates: + * API changes + * New functionality + * Changed methodology or approach + * Configuration changes +- Update relevant documentation: + * Inline code comments + * README.md (only if necessary) + * For Drupal: update .module file docs, hook_help() + * API documentation if applicable +- Do NOT create new documentation files unless critical" +``` + +## 4. FINALIZATION PHASE +After all agents complete successfully: +``` +Task: "Finalize and push changes for PR #{pr_number}: +- Run final test suite to ensure nothing is broken +- Run final linting pass +- Create clear commit messages explaining changes +- Group related changes into logical commits +- Push all commits to update the PR +- Post a comment on PR summarizing addressed feedback: + * List all resolved comments + * Mention any remaining concerns + * Thank reviewers for feedback" +``` + +## 5. 
VERIFICATION +Final check: +- Use 'gh pr checks {pr_number}' to verify CI/CD status +- Ensure all automated checks are passing + +## Key Principles: +1. **Systematic Approach**: Every review comment is tracked and addressed +2. **Quality Gates**: Changes only pushed after tests and linting pass +3. **Project Awareness**: Always check AGENTS.md for project-specific commands +4. **Documentation**: Update docs only when functionality changes + +## Error Handling: +- If PR not found: Ask user for correct PR link +- If tests fail: Fix before proceeding +- If linting fails: Fix before pushing +- If push fails: Check branch permissions and conflicts diff --git a/.cursor/commands/security-scan.md b/.cursor/commands/security-scan.md new file mode 100644 index 0000000..9a7d907 --- /dev/null +++ b/.cursor/commands/security-scan.md @@ -0,0 +1,109 @@ +# Custom Command: Security Scan + +## Command Usage +`/security-scan [scope]` + +Use `scope` to target a subdirectory or component; omit it for a repository-wide audit. + +# Security Audit + +Perform a comprehensive security audit of the codebase to identify potential vulnerabilities, insecure patterns, and security best practice violations. Validate against the OWASP Top 10; check the file named owasp_top10_2021.csv in the project codebase, which lists those vulnerabilities. + +## Usage Examples + +### Basic Usage +"Run a security audit on this project" +"Check for security vulnerabilities in the authentication module" +"Scan the API endpoints for security issues" + +### Specific Audits +"Check for SQL injection vulnerabilities" +"Audit the file upload functionality for security risks" +"Review authentication and authorization implementation" +"Check for hardcoded secrets and API keys" + +## Instructions for the agent + +When performing a security audit: + +1. **Systematic Scanning**: Examine the codebase systematically for common vulnerability patterns +2. 
**Use OWASP Guidelines**: Reference OWASP Top 10 and other security standards +3. **Check Multiple Layers**: Review frontend, backend, database, and infrastructure code +4. **Prioritize Findings**: Categorize issues by severity (Critical, High, Medium, Low) +5. **Provide Remediation**: Include specific fixes for each identified issue + +### Security Checklist + +#### Authentication & Authorization +- Password storage and hashing methods +- Session management security +- JWT implementation and validation +- Access control and permission checks +- Multi-factor authentication support + +#### Input Validation & Sanitization +- SQL injection prevention +- XSS (Cross-Site Scripting) protection +- Command injection safeguards +- Path traversal prevention +- File upload validation + +#### Data Protection +- Encryption in transit (HTTPS/TLS) +- Encryption at rest +- Sensitive data exposure +- API key and secret management +- PII handling compliance + +#### Common Vulnerabilities +- CSRF protection +- Clickjacking prevention +- Security headers configuration +- Dependency vulnerabilities +- Insecure direct object references + +#### API Security +- Rate limiting implementation +- API authentication methods +- Input validation on endpoints +- Error message information leakage +- CORS configuration + +### Output Format + +Provide a structured security report with: + +```markdown +## Security Audit Report + +### Summary +- Total issues found: X +- Critical: X, High: X, Medium: X, Low: X + +### Critical Issues +#### 1. 
[Issue Name] +- **Location**: file.js:line +- **Description**: Detailed explanation +- **Impact**: Potential consequences +- **Remediation**: Specific fix with code example + +### High Priority Issues +[Similar format] + +### Medium Priority Issues +[Similar format] + +### Low Priority Issues +[Similar format] + +### Recommendations +- General security improvements +- Best practices to implement +- Tools and libraries to consider +``` + +Remember to: +- Be specific about file locations and line numbers +- Provide code examples for fixes +- Explain the security impact clearly +- Avoid false positives by understanding the context diff --git a/.cursor/commands/security-verify.md b/.cursor/commands/security-verify.md new file mode 100644 index 0000000..894318f --- /dev/null +++ b/.cursor/commands/security-verify.md @@ -0,0 +1,193 @@ +# Custom Command: Security Verify + +## Command Usage +`/security-verify ` + +The `` argument identifies the feature branch being reviewed. + +You are a senior security engineer conducting a focused security review of the changes on this branch. You are also validating local changes against OWASP Top-10 vulnerabilities. Check the project codebase for the file named owasp_top10_2021.csv, which outlines those vulnerabilities. + +GIT STATUS: + +``` +!`git status` +``` + +FILES MODIFIED: + +``` +!`git diff --name-only origin/HEAD...` +``` + +COMMITS: + +``` +!`git log --no-decorate origin/HEAD...` +``` + +DIFF CONTENT: + +``` +!`git diff --merge-base origin/HEAD` +``` + +Review the complete diff above. This contains all code changes in the PR. + + +OBJECTIVE: +Perform a security-focused code review to identify HIGH-CONFIDENCE security vulnerabilities that could have real exploitation potential. This is not a general code review - focus ONLY on security implications newly added by this PR. Do not comment on existing security concerns. + +CRITICAL INSTRUCTIONS: +1. MINIMIZE FALSE POSITIVES: Only flag issues where you're >80% confident of actual exploitability +2. 
AVOID NOISE: Skip theoretical issues, style concerns, or low-impact findings +3. FOCUS ON IMPACT: Prioritize vulnerabilities that could lead to unauthorized access, data breaches, or system compromise +4. EXCLUSIONS: Do NOT report the following issue types: + - Denial of Service (DOS) vulnerabilities, even if they allow service disruption + - Secrets or sensitive data stored on disk (these are handled by other processes) + - Rate limiting or resource exhaustion issues + +SECURITY CATEGORIES TO EXAMINE: + +**Input Validation Vulnerabilities:** +- SQL injection via unsanitized user input +- Command injection in system calls or subprocesses +- XXE injection in XML parsing +- Template injection in templating engines +- NoSQL injection in database queries +- Path traversal in file operations + +**Authentication & Authorization Issues:** +- Authentication bypass logic +- Privilege escalation paths +- Session management flaws +- JWT token vulnerabilities +- Authorization logic bypasses + +**Crypto & Secrets Management:** +- Hardcoded API keys, passwords, or tokens +- Weak cryptographic algorithms or implementations +- Improper key storage or management +- Cryptographic randomness issues +- Certificate validation bypasses + +**Injection & Code Execution:** +- Remote code execution via deserialization +- Pickle injection in Python +- YAML deserialization vulnerabilities +- Eval injection in dynamic code execution +- XSS vulnerabilities in web applications (reflected, stored, DOM-based) + +**Data Exposure:** +- Sensitive data logging or storage +- PII handling violations +- API endpoint data leakage +- Debug information exposure + +Additional notes: +- Even if something is only exploitable from the local network, it can still be a HIGH severity issue + +ANALYSIS METHODOLOGY: + +Phase 1 - Repository Context Research (Use file search tools): +- Identify existing security frameworks and libraries in use +- Look for established secure coding patterns in the codebase +- Examine 
existing sanitization and validation patterns +- Understand the project's security model and threat model + +Phase 2 - Comparative Analysis: +- Compare new code changes against existing security patterns +- Identify deviations from established secure practices +- Look for inconsistent security implementations +- Flag code that introduces new attack surfaces + +Phase 3 - Vulnerability Assessment: +- Examine each modified file for security implications +- Trace data flow from user inputs to sensitive operations +- Look for privilege boundaries being crossed unsafely +- Identify injection points and unsafe deserialization + +REQUIRED OUTPUT FORMAT: + +You MUST output your findings in markdown. The markdown output should contain the file, line number, severity, category (e.g. `sql_injection` or `xss`), description, exploit scenario, and fix recommendation. + +For example: + +# Vuln 1: XSS: `foo.py:42` + +* Severity: High +* Description: User input from `username` parameter is directly interpolated into HTML without escaping, allowing reflected XSS attacks +* Exploit Scenario: Attacker crafts URL like /bar?q= to execute JavaScript in victim's browser, enabling session hijacking or data theft +* Recommendation: Use Flask's escape() function or Jinja2 templates with auto-escaping enabled for all user inputs rendered in HTML + +SEVERITY GUIDELINES: +- **HIGH**: Directly exploitable vulnerabilities leading to RCE, data breach, or authentication bypass +- **MEDIUM**: Vulnerabilities requiring specific conditions but with significant impact +- **LOW**: Defense-in-depth issues or lower-impact vulnerabilities + +CONFIDENCE SCORING: +- 0.9-1.0: Certain exploit path identified, tested if possible +- 0.8-0.9: Clear vulnerability pattern with known exploitation methods +- 0.7-0.8: Suspicious pattern requiring specific conditions to exploit +- Below 0.7: Don't report (too speculative) + +FINAL REMINDER: +Focus on HIGH and MEDIUM findings only. 
Better to miss some theoretical issues than flood the report with false positives. Each finding should be something a security engineer would confidently raise in a PR review. + +FALSE POSITIVE FILTERING: + +> You do not need to run commands to reproduce the vulnerability, just read the code to determine if it is a real vulnerability. Do not use the bash tool or write to any files. +> +> HARD EXCLUSIONS - Automatically exclude findings matching these patterns: +> 1. Denial of Service (DOS) vulnerabilities or resource exhaustion attacks. +> 2. Secrets or credentials stored on disk if they are otherwise secured. +> 3. Rate limiting concerns or service overload scenarios. +> 4. Memory consumption or CPU exhaustion issues. +> 5. Lack of input validation on non-security-critical fields without proven security impact. +> 6. Input sanitization concerns for GitHub Action workflows unless they are clearly triggerable via untrusted input. +> 7. A lack of hardening measures. Code is not expected to implement all security best practices, only flag concrete vulnerabilities. +> 8. Race conditions or timing attacks that are theoretical rather than practical issues. Only report a race condition if it is concretely problematic. +> 9. Vulnerabilities related to outdated third-party libraries. These are managed separately and should not be reported here. +> 10. Memory safety issues such as buffer overflows or use-after-free vulnerabilities are impossible in Rust. Do not report memory safety issues in Rust or any other memory-safe language. +> 11. Files that are only unit tests or only used as part of running tests. +> 12. Log spoofing concerns. Outputting unsanitized user input to logs is not a vulnerability. +> 13. SSRF vulnerabilities that only control the path. SSRF is only a concern if it can control the host or protocol. +> 14. Including user-controlled content in AI system prompts is not a vulnerability. +> 15. Regex injection. 
Injecting untrusted content into a regex is not a vulnerability. +> 16. Regex DOS concerns. +> 17. Insecure documentation. Do not report any findings in documentation files such as markdown files. +> 18. A lack of audit logs is not a vulnerability. +> +> PRECEDENTS - +> 1. Logging high-value secrets in plaintext is a vulnerability. Logging URLs is assumed to be safe. +> 2. UUIDs can be assumed to be unguessable and do not need to be validated. +> 3. Environment variables and CLI flags are trusted values. Attackers are generally not able to modify them in a secure environment. Any attack that relies on controlling an environment variable is invalid. +> 4. Resource management issues such as memory or file descriptor leaks are not valid. +> 5. Subtle or low impact web vulnerabilities such as tabnabbing, XS-Leaks, prototype pollution, and open redirects should not be reported unless they are extremely high confidence. +> 6. React and Angular are generally secure against XSS. These frameworks do not need to sanitize or escape user input unless it is using dangerouslySetInnerHTML, bypassSecurityTrustHtml, or similar methods. Do not report XSS vulnerabilities in React or Angular components or tsx files unless they are using unsafe methods. +> 7. Most vulnerabilities in GitHub Action workflows are not exploitable in practice. Before validating a GitHub Action workflow vulnerability, ensure it is concrete and has a very specific attack path. +> 8. A lack of permission checking or authentication in client-side JS/TS code is not a vulnerability. Client-side code is not trusted and does not need to implement these checks; they are handled on the server side. The same applies to all flows that send untrusted data to the backend; the backend is responsible for validating and sanitizing all inputs. +> 9. Only include MEDIUM findings if they are obvious and concrete issues. +> 10. Most vulnerabilities in IPython notebooks (*.ipynb files) are not exploitable in practice. 
Before validating a notebook vulnerability, ensure it is concrete and has a very specific attack path where untrusted input can trigger the vulnerability. +> 11. Logging non-PII data is not a vulnerability even if the data may be sensitive. Only report logging vulnerabilities if they expose sensitive information such as secrets, passwords, or personally identifiable information (PII). +> 12. Command injection vulnerabilities in shell scripts are generally not exploitable in practice, since shell scripts rarely run with untrusted user input. Only report command injection in shell scripts if it is concrete and has a very specific attack path for untrusted input. +> +> SIGNAL QUALITY CRITERIA - For remaining findings, assess: +> 1. Is there a concrete, exploitable vulnerability with a clear attack path? +> 2. Does this represent a real security risk vs theoretical best practice? +> 3. Are there specific code locations and reproduction steps? +> 4. Would this finding be actionable for a security team? +> +> For each finding, assign a confidence score from 1-10: +> - 1-3: Low confidence, likely false positive or noise +> - 4-6: Medium confidence, needs investigation +> - 7-10: High confidence, likely true vulnerability + +START ANALYSIS: + +Begin your analysis now. Do this in 3 steps: + +1. Use a sub-task to identify vulnerabilities. Use the repository exploration tools to understand the codebase context, then analyze the PR changes for security implications. In the prompt for this sub-task, include all of the above. +2. Then for each vulnerability identified by the above sub-task, create a new sub-task to filter out false-positives. Launch these sub-tasks as parallel sub-tasks. In the prompt for these sub-tasks, include everything in the "FALSE POSITIVE FILTERING" instructions. +3. Filter out any vulnerabilities where the sub-task reported a confidence less than 8. + +Your final reply must contain the markdown report and nothing else. 
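The confidence threshold in step 3 can be applied mechanically once the parallel sub-tasks report back. As an illustrative sketch only (the command does not mandate any particular storage format), assume each sub-task appends one finding per line to a `findings.tsv` file as `<confidence><TAB><summary>`; both the file name and format are invented for this example:

```shell
# Hypothetical sketch: keep only findings whose confidence score is >= 8.
# Assumes findings.tsv holds one finding per line as "<confidence>\t<summary>";
# this file name and layout are assumptions for illustration, not part of the command.
awk -F'\t' '$1 >= 8' findings.tsv > confirmed-findings.tsv
```

Anything below the threshold is dropped before the final markdown report is assembled.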
diff --git a/.cursor/commands/session-summary.md b/.cursor/commands/session-summary.md new file mode 100644 index 0000000..913fd02 --- /dev/null +++ b/.cursor/commands/session-summary.md @@ -0,0 +1,61 @@ +# Custom Command: Session Summary + +## Command Usage +`/session-summary [notes]` + +Use optional `notes` to highlight areas you want analysed. + +You are an AI assistant tasked with analyzing a coding session and suggesting improvements to the AGENTS.md file. Your goal is to enhance the efficiency of tool calls and reduce future token usage by identifying and addressing problems that occurred during the session. + +First, review the current content of the AGENTS.md file: + + +the current AGENTS.md content + + +Now, examine the session history: + + +the full session history transcript + + +Analyze the session history and generate improvement suggestions for the AGENTS.md file. Focus on the following areas: +1. Failed tool calls +2. Repeated attempts to use non-existing tools or options +3. Incorrect decisions leading to wasted tokens +4. Attempts to write to files outside permitted directories +5. Any other issues that resulted in inefficient token usage + +When creating suggestions, keep them small and concise. Each suggestion should directly address a specific problem identified in the session history. + +Format your suggestions as follows: +1. Start each suggestion with "Suggestion: " followed by a brief description of the improvement. +2. Provide a short explanation of why this improvement is necessary, referencing the specific issue in the session history. +3. If applicable, include the exact text to be added to or modified in the AGENTS.md file. + +Present your suggestions in a numbered list, allowing the user to choose which ones to implement. For example: + +1. Suggestion: Add permitted directory paths + Explanation: Multiple attempts were made to write to unauthorized directories, wasting tokens. 
+ Addition to AGENTS.md: "Permitted write directories: /project/data, /project/output" + +2. Suggestion: Update available tool list + Explanation: Several calls were made to non-existent tools, causing errors and token waste. + Modification in AGENTS.md: Replace "analyze_data" with "process_data" in the tools section. + +After presenting the suggestions, include the following message: +"Please select the suggestions you would like to implement by entering their corresponding numbers (e.g., '1, 3, 4' or 'all'). I will then proceed with updating the AGENTS.md file accordingly." + +Once the user has made their selection, update the AGENTS.md file content with the chosen improvements. If the user selects "all", implement all suggestions. + +Your final output should be structured as follows: + +[Numbered list of suggestions] +[Selection prompt for the user] + + + +[Updated content of AGENTS.md after implementing selected suggestions] + + +Remember, your output should only include the content within the designated tags. Do not include any additional commentary or explanations outside of these tags. diff --git a/.cursor/commands/speckit.analyze.md b/.cursor/commands/speckit.analyze.md new file mode 100644 index 0000000..1aded74 --- /dev/null +++ b/.cursor/commands/speckit.analyze.md @@ -0,0 +1,180 @@ +## User Input + +```text +Use the user-provided arguments (if any) as contextual input +``` + +You **MUST** consider the user input before proceeding (if not empty). + +## Goal + +Identify inconsistencies, duplications, ambiguities, and underspecified items across the three core artifacts (`spec.md`, `plan.md`, `tasks.md`) before implementation. This command MUST run only after `/tasks` has successfully produced a complete `tasks.md`. + +## Operating Constraints + +**STRICTLY READ-ONLY**: Do **not** modify any files. Output a structured analysis report. Offer an optional remediation plan (user must explicitly approve before any follow-up editing commands would be invoked manually). 
+ +**Constitution Authority**: The project constitution (`.specify/memory/constitution.md`) is **non-negotiable** within this analysis scope. Constitution conflicts are automatically CRITICAL and require adjustment of the spec, plan, or tasks—not dilution, reinterpretation, or silent ignoring of the principle. If a principle itself needs to change, that must occur in a separate, explicit constitution update outside `/analyze`. + +## Execution Steps + +### 1. Initialize Analysis Context + +Run `.specify/scripts/bash/check-prerequisites.sh --json --require-tasks --include-tasks` once from repo root and parse JSON for FEATURE_DIR and AVAILABLE_DOCS. Derive absolute paths: + +- SPEC = FEATURE_DIR/spec.md +- PLAN = FEATURE_DIR/plan.md +- TASKS = FEATURE_DIR/tasks.md + +Abort with an error message if any required file is missing (instruct the user to run the missing prerequisite command). +For single quotes in args like "I'm Groot", use escape syntax: e.g. 'I'\''m Groot' (or double-quote if possible: "I'm Groot"). + +### 2. Load Artifacts (Progressive Disclosure) + +Load only the minimal necessary context from each artifact: + +**From spec.md:** + +- Overview/Context +- Functional Requirements +- Non-Functional Requirements +- User Stories +- Edge Cases (if present) + +**From plan.md:** + +- Architecture/stack choices +- Data Model references +- Phases +- Technical constraints + +**From tasks.md:** + +- Task IDs +- Descriptions +- Phase grouping +- Parallel markers [P] +- Referenced file paths + +**From constitution:** + +- Load `.specify/memory/constitution.md` for principle validation + +### 3. 
Build Semantic Models + +Create internal representations (do not include raw artifacts in output): + +- **Requirements inventory**: Each functional + non-functional requirement with a stable key (derive slug based on imperative phrase; e.g., "User can upload file" → `user-can-upload-file`) +- **User story/action inventory**: Discrete user actions with acceptance criteria +- **Task coverage mapping**: Map each task to one or more requirements or stories (inference by keyword / explicit reference patterns like IDs or key phrases) +- **Constitution rule set**: Extract principle names and MUST/SHOULD normative statements + +### 4. Detection Passes (Token-Efficient Analysis) + +Focus on high-signal findings. Limit to 50 findings total; aggregate remainder in overflow summary. + +#### A. Duplication Detection + +- Identify near-duplicate requirements +- Mark lower-quality phrasing for consolidation + +#### B. Ambiguity Detection + +- Flag vague adjectives (fast, scalable, secure, intuitive, robust) lacking measurable criteria +- Flag unresolved placeholders (TODO, TKTK, ???, ``, etc.) + +#### C. Underspecification + +- Requirements with verbs but missing object or measurable outcome +- User stories missing acceptance criteria alignment +- Tasks referencing files or components not defined in spec/plan + +#### D. Constitution Alignment + +- Any requirement or plan element conflicting with a MUST principle +- Missing mandated sections or quality gates from constitution + +#### E. Coverage Gaps + +- Requirements with zero associated tasks +- Tasks with no mapped requirement/story +- Non-functional requirements not reflected in tasks (e.g., performance, security) + +#### F. 
Inconsistency + +- Terminology drift (same concept named differently across files) +- Data entities referenced in plan but absent in spec (or vice versa) +- Task ordering contradictions (e.g., integration tasks before foundational setup tasks without dependency note) +- Conflicting requirements (e.g., one requires Next.js while another specifies Vue) + +### 5. Severity Assignment + +Use this heuristic to prioritize findings: + +- **CRITICAL**: Violates constitution MUST, missing core spec artifact, or requirement with zero coverage that blocks baseline functionality +- **HIGH**: Duplicate or conflicting requirement, ambiguous security/performance attribute, untestable acceptance criterion +- **MEDIUM**: Terminology drift, missing non-functional task coverage, underspecified edge case +- **LOW**: Style/wording improvements, minor redundancy not affecting execution order + +### 6. Produce Compact Analysis Report + +Output a Markdown report (no file writes) with the following structure: + +## Specification Analysis Report + +| ID | Category | Severity | Location(s) | Summary | Recommendation | +|----|----------|----------|-------------|---------|----------------| +| A1 | Duplication | HIGH | spec.md:L120-134 | Two similar requirements ... | Merge phrasing; keep clearer version | + +(Add one row per finding; generate stable IDs prefixed by category initial.) + +**Coverage Summary Table:** + +| Requirement Key | Has Task? | Task IDs | Notes | +|-----------------|-----------|----------|-------| + +**Constitution Alignment Issues:** (if any) + +**Unmapped Tasks:** (if any) + +**Metrics:** + +- Total Requirements +- Total Tasks +- Coverage % (requirements with >=1 task) +- Ambiguity Count +- Duplication Count +- Critical Issues Count + +### 7. 
Provide Next Actions + +At end of report, output a concise Next Actions block: + +- If CRITICAL issues exist: Recommend resolving before `/implement` +- If only LOW/MEDIUM: User may proceed, but provide improvement suggestions +- Provide explicit command suggestions: e.g., "Run /specify with refinement", "Run /plan to adjust architecture", "Manually edit tasks.md to add coverage for 'performance-metrics'" + +### 8. Offer Remediation + +Ask the user: "Would you like me to suggest concrete remediation edits for the top N issues?" (Do NOT apply them automatically.) + +## Operating Principles + +### Context Efficiency + +- **Minimal high-signal tokens**: Focus on actionable findings, not exhaustive documentation +- **Progressive disclosure**: Load artifacts incrementally; don't dump all content into analysis +- **Token-efficient output**: Limit findings table to 50 rows; summarize overflow +- **Deterministic results**: Rerunning without changes should produce consistent IDs and counts + +### Analysis Guidelines + +- **NEVER modify files** (this is read-only analysis) +- **NEVER hallucinate missing sections** (if absent, report them accurately) +- **Prioritize constitution violations** (these are always CRITICAL) +- **Use examples over exhaustive rules** (cite specific instances, not generic patterns) +- **Report zero issues gracefully** (emit success report with coverage statistics) + +## Context + +Use the user-provided arguments (if any) as contextual input diff --git a/.cursor/commands/speckit.checklist.md b/.cursor/commands/speckit.checklist.md new file mode 100644 index 0000000..574874b --- /dev/null +++ b/.cursor/commands/speckit.checklist.md @@ -0,0 +1,283 @@ +## Checklist Purpose: "Unit Tests for English" + +**CRITICAL CONCEPT**: Checklists are **UNIT TESTS FOR REQUIREMENTS WRITING** - they validate the quality, clarity, and completeness of requirements in a given domain. 
+ +**NOT for verification/testing**: +- ❌ NOT "Verify the button clicks correctly" +- ❌ NOT "Test error handling works" +- ❌ NOT "Confirm the API returns 200" +- ❌ NOT checking if code/implementation matches the spec + +**FOR requirements quality validation**: +- ✅ "Are visual hierarchy requirements defined for all card types?" (completeness) +- ✅ "Is 'prominent display' quantified with specific sizing/positioning?" (clarity) +- ✅ "Are hover state requirements consistent across all interactive elements?" (consistency) +- ✅ "Are accessibility requirements defined for keyboard navigation?" (coverage) +- ✅ "Does the spec define what happens when logo image fails to load?" (edge cases) + +**Metaphor**: If your spec is code written in English, the checklist is its unit test suite. You're testing whether the requirements are well-written, complete, unambiguous, and ready for implementation - NOT whether the implementation works. + +## User Input + +```text +Use the user-provided arguments (if any) as contextual input +``` + +You **MUST** consider the user input before proceeding (if not empty). + +## Execution Steps + +1. **Setup**: Run `.specify/scripts/bash/check-prerequisites.sh --json` from repo root and parse JSON for FEATURE_DIR and AVAILABLE_DOCS list. + - All file paths must be absolute. + - For single quotes in args like "I'm Groot", use escape syntax: e.g. 'I'\''m Groot' (or double-quote if possible: "I'm Groot"). + +2. **Clarify intent (dynamic)**: Derive up to THREE initial contextual clarifying questions (no pre-baked catalog). They MUST: + - Be generated from the user's phrasing + extracted signals from spec/plan/tasks + - Only ask about information that materially changes checklist content + - Be skipped individually if already unambiguous in `Use the user-provided arguments (if any) as contextual input` + - Prefer precision over breadth + + Generation algorithm: + 1.
Extract signals: feature domain keywords (e.g., auth, latency, UX, API), risk indicators ("critical", "must", "compliance"), stakeholder hints ("QA", "review", "security team"), and explicit deliverables ("a11y", "rollback", "contracts"). + 2. Cluster signals into candidate focus areas (max 4) ranked by relevance. + 3. Identify probable audience & timing (author, reviewer, QA, release) if not explicit. + 4. Detect missing dimensions: scope breadth, depth/rigor, risk emphasis, exclusion boundaries, measurable acceptance criteria. + 5. Formulate questions chosen from these archetypes: + - Scope refinement (e.g., "Should this include integration touchpoints with X and Y or stay limited to local module correctness?") + - Risk prioritization (e.g., "Which of these potential risk areas should receive mandatory gating checks?") + - Depth calibration (e.g., "Is this a lightweight pre-commit sanity list or a formal release gate?") + - Audience framing (e.g., "Will this be used by the author only or peers during PR review?") + - Boundary exclusion (e.g., "Should we explicitly exclude performance tuning items this round?") + - Scenario class gap (e.g., "No recovery flows detected—are rollback / partial failure paths in scope?") + + Question formatting rules: + - If presenting options, generate a compact table with columns: Option | Candidate | Why It Matters + - Limit to A–E options maximum; omit table if a free-form answer is clearer + - Never ask the user to restate what they already said + - Avoid speculative categories (no hallucination). If uncertain, ask explicitly: "Confirm whether X belongs in scope." + + Defaults when interaction impossible: + - Depth: Standard + - Audience: Reviewer (PR) if code-related; Author otherwise + - Focus: Top 2 relevance clusters + + Output the questions (label Q1/Q2/Q3). 
After answers: if ≥2 scenario classes (Alternate / Exception / Recovery / Non-Functional domain) remain unclear, you MAY ask up to TWO more targeted follow‑ups (Q4/Q5) with a one-line justification each (e.g., "Unresolved recovery path risk"). Do not exceed five total questions. Skip escalation if user explicitly declines more. + +3. **Understand user request**: Combine `Use the user-provided arguments (if any) as contextual input` + clarifying answers: + - Derive checklist theme (e.g., security, review, deploy, ux) + - Consolidate explicit must-have items mentioned by user + - Map focus selections to category scaffolding + - Infer any missing context from spec/plan/tasks (do NOT hallucinate) + +4. **Load feature context**: Read from FEATURE_DIR: + - spec.md: Feature requirements and scope + - plan.md (if exists): Technical details, dependencies + - tasks.md (if exists): Implementation tasks + + **Context Loading Strategy**: + - Load only necessary portions relevant to active focus areas (avoid full-file dumping) + - Prefer summarizing long sections into concise scenario/requirement bullets + - Use progressive disclosure: add follow-on retrieval only if gaps detected + - If source docs are large, generate interim summary items instead of embedding raw text + +5. **Generate checklist** - Create "Unit Tests for Requirements": + - Create `FEATURE_DIR/checklists/` directory if it doesn't exist + - Generate unique checklist filename: + - Use short, descriptive name based on domain (e.g., `ux.md`, `api.md`, `security.md`) + - Format: `[domain].md` + - If file exists, append to existing file + - Number items sequentially starting from CHK001 + - Each `/speckit.checklist` run creates a NEW file (never overwrites existing checklists) + + **CORE PRINCIPLE - Test the Requirements, Not the Implementation**: + Every checklist item MUST evaluate the REQUIREMENTS THEMSELVES for: + - **Completeness**: Are all necessary requirements present? 
+ - **Clarity**: Are requirements unambiguous and specific? + - **Consistency**: Do requirements align with each other? + - **Measurability**: Can requirements be objectively verified? + - **Coverage**: Are all scenarios/edge cases addressed? + + **Category Structure** - Group items by requirement quality dimensions: + - **Requirement Completeness** (Are all necessary requirements documented?) + - **Requirement Clarity** (Are requirements specific and unambiguous?) + - **Requirement Consistency** (Do requirements align without conflicts?) + - **Acceptance Criteria Quality** (Are success criteria measurable?) + - **Scenario Coverage** (Are all flows/cases addressed?) + - **Edge Case Coverage** (Are boundary conditions defined?) + - **Non-Functional Requirements** (Performance, Security, Accessibility, etc. - are they specified?) + - **Dependencies & Assumptions** (Are they documented and validated?) + - **Ambiguities & Conflicts** (What needs clarification?) + + **HOW TO WRITE CHECKLIST ITEMS - "Unit Tests for English"**: + + ❌ **WRONG** (Testing implementation): + - "Verify landing page displays 3 episode cards" + - "Test hover states work on desktop" + - "Confirm logo click navigates home" + + ✅ **CORRECT** (Testing requirements quality): + - "Are the exact number and layout of featured episodes specified?" [Completeness] + - "Is 'prominent display' quantified with specific sizing/positioning?" [Clarity] + - "Are hover state requirements consistent across all interactive elements?" [Consistency] + - "Are keyboard navigation requirements defined for all interactive UI?" [Coverage] + - "Is the fallback behavior specified when logo image fails to load?" [Edge Cases] + - "Are loading states defined for asynchronous episode data?" [Completeness] + - "Does the spec define visual hierarchy for competing UI elements?" 
[Clarity] + + **ITEM STRUCTURE**: + Each item should follow this pattern: + - Question format asking about requirement quality + - Focus on what's WRITTEN (or not written) in the spec/plan + - Include quality dimension in brackets [Completeness/Clarity/Consistency/etc.] + - Reference spec section `[Spec §X.Y]` when checking existing requirements + - Use `[Gap]` marker when checking for missing requirements + + **EXAMPLES BY QUALITY DIMENSION**: + + Completeness: + - "Are error handling requirements defined for all API failure modes? [Gap]" + - "Are accessibility requirements specified for all interactive elements? [Completeness]" + - "Are mobile breakpoint requirements defined for responsive layouts? [Gap]" + + Clarity: + - "Is 'fast loading' quantified with specific timing thresholds? [Clarity, Spec §NFR-2]" + - "Are 'related episodes' selection criteria explicitly defined? [Clarity, Spec §FR-5]" + - "Is 'prominent' defined with measurable visual properties? [Ambiguity, Spec §FR-4]" + + Consistency: + - "Do navigation requirements align across all pages? [Consistency, Spec §FR-10]" + - "Are card component requirements consistent between landing and detail pages? [Consistency]" + + Coverage: + - "Are requirements defined for zero-state scenarios (no episodes)? [Coverage, Edge Case]" + - "Are concurrent user interaction scenarios addressed? [Coverage, Gap]" + - "Are requirements specified for partial data loading failures? [Coverage, Exception Flow]" + + Measurability: + - "Are visual hierarchy requirements measurable/testable? [Acceptance Criteria, Spec §FR-1]" + - "Can 'balanced visual weight' be objectively verified? [Measurability, Spec §FR-2]" + + **Scenario Classification & Coverage** (Requirements Quality Focus): + - Check if requirements exist for: Primary, Alternate, Exception/Error, Recovery, Non-Functional scenarios + - For each scenario class, ask: "Are [scenario type] requirements complete, clear, and consistent?" 
+ - If scenario class missing: "Are [scenario type] requirements intentionally excluded or missing? [Gap]" + - Include resilience/rollback when state mutation occurs: "Are rollback requirements defined for migration failures? [Gap]" + + **Traceability Requirements**: + - MINIMUM: ≥80% of items MUST include at least one traceability reference + - Each item should reference: spec section `[Spec §X.Y]`, or use markers: `[Gap]`, `[Ambiguity]`, `[Conflict]`, `[Assumption]` + - If no ID system exists: "Is a requirement & acceptance criteria ID scheme established? [Traceability]" + + **Surface & Resolve Issues** (Requirements Quality Problems): + Ask questions about the requirements themselves: + - Ambiguities: "Is the term 'fast' quantified with specific metrics? [Ambiguity, Spec §NFR-1]" + - Conflicts: "Do navigation requirements conflict between §FR-10 and §FR-10a? [Conflict]" + - Assumptions: "Is the assumption of 'always available podcast API' validated? [Assumption]" + - Dependencies: "Are external podcast API requirements documented? [Dependency, Gap]" + - Missing definitions: "Is 'visual hierarchy' defined with measurable criteria? [Gap]" + + **Content Consolidation**: + - Soft cap: If raw candidate items > 40, prioritize by risk/impact + - Merge near-duplicates checking the same requirement aspect + - If >5 low-impact edge cases, create one item: "Are edge cases X, Y, Z addressed in requirements? 
[Coverage]" + + **🚫 ABSOLUTELY PROHIBITED** - These make it an implementation test, not a requirements test: + - ❌ Any item starting with "Verify", "Test", "Confirm", "Check" + implementation behavior + - ❌ References to code execution, user actions, system behavior + - ❌ "Displays correctly", "works properly", "functions as expected" + - ❌ "Click", "navigate", "render", "load", "execute" + - ❌ Test cases, test plans, QA procedures + - ❌ Implementation details (frameworks, APIs, algorithms) + + **✅ REQUIRED PATTERNS** - These test requirements quality: + - ✅ "Are [requirement type] defined/specified/documented for [scenario]?" + - ✅ "Is [vague term] quantified/clarified with specific criteria?" + - ✅ "Are requirements consistent between [section A] and [section B]?" + - ✅ "Can [requirement] be objectively measured/verified?" + - ✅ "Are [edge cases/scenarios] addressed in requirements?" + - ✅ "Does the spec define [missing aspect]?" + +6. **Structure Reference**: Generate the checklist following the canonical template in `.specify/templates/checklist-template.md` for title, meta section, category headings, and ID formatting. If template is unavailable, use: H1 title, purpose/created meta lines, `##` category sections containing `- [ ] CHK### ` lines with globally incrementing IDs starting at CHK001. + +7. **Report**: Output full path to created checklist, item count, and remind user that each run creates a new file. Summarize: + - Focus areas selected + - Depth level + - Actor/timing + - Any explicit user-specified must-have items incorporated + +**Important**: Each `/speckit.checklist` command invocation creates a checklist file using short, descriptive names unless file already exists. 
This allows: + +- Multiple checklists of different types (e.g., `ux.md`, `test.md`, `security.md`) +- Simple, memorable filenames that indicate checklist purpose +- Easy identification and navigation in the `checklists/` folder + +To avoid clutter, use descriptive types and clean up obsolete checklists when done. + +## Example Checklist Types & Sample Items + +**UX Requirements Quality:** `ux.md` + +Sample items (testing the requirements, NOT the implementation): +- "Are visual hierarchy requirements defined with measurable criteria? [Clarity, Spec §FR-1]" +- "Is the number and positioning of UI elements explicitly specified? [Completeness, Spec §FR-1]" +- "Are interaction state requirements (hover, focus, active) consistently defined? [Consistency]" +- "Are accessibility requirements specified for all interactive elements? [Coverage, Gap]" +- "Is fallback behavior defined when images fail to load? [Edge Case, Gap]" +- "Can 'prominent display' be objectively measured? [Measurability, Spec §FR-4]" + +**API Requirements Quality:** `api.md` + +Sample items: +- "Are error response formats specified for all failure scenarios? [Completeness]" +- "Are rate limiting requirements quantified with specific thresholds? [Clarity]" +- "Are authentication requirements consistent across all endpoints? [Consistency]" +- "Are retry/timeout requirements defined for external dependencies? [Coverage, Gap]" +- "Is versioning strategy documented in requirements? [Gap]" + +**Performance Requirements Quality:** `performance.md` + +Sample items: +- "Are performance requirements quantified with specific metrics? [Clarity]" +- "Are performance targets defined for all critical user journeys? [Coverage]" +- "Are performance requirements under different load conditions specified? [Completeness]" +- "Can performance requirements be objectively measured? [Measurability]" +- "Are degradation requirements defined for high-load scenarios? 
[Edge Case, Gap]" + +**Security Requirements Quality:** `security.md` + +Sample items: +- "Are authentication requirements specified for all protected resources? [Coverage]" +- "Are data protection requirements defined for sensitive information? [Completeness]" +- "Is the threat model documented and requirements aligned to it? [Traceability]" +- "Are security requirements consistent with compliance obligations? [Consistency]" +- "Are security failure/breach response requirements defined? [Gap, Exception Flow]" + +## Anti-Examples: What NOT To Do + +**❌ WRONG - These test implementation, not requirements:** + +```markdown +- [ ] CHK001 - Verify landing page displays 3 episode cards [Spec §FR-001] +- [ ] CHK002 - Test hover states work correctly on desktop [Spec §FR-003] +- [ ] CHK003 - Confirm logo click navigates to home page [Spec §FR-010] +- [ ] CHK004 - Check that related episodes section shows 3-5 items [Spec §FR-005] +``` + +**✅ CORRECT - These test requirements quality:** + +```markdown +- [ ] CHK001 - Are the number and layout of featured episodes explicitly specified? [Completeness, Spec §FR-001] +- [ ] CHK002 - Are hover state requirements consistently defined for all interactive elements? [Consistency, Spec §FR-003] +- [ ] CHK003 - Are navigation requirements clear for all clickable brand elements? [Clarity, Spec §FR-010] +- [ ] CHK004 - Is the selection criteria for related episodes documented? [Gap, Spec §FR-005] +- [ ] CHK005 - Are loading state requirements defined for asynchronous episode data? [Gap] +- [ ] CHK006 - Can "visual hierarchy" requirements be objectively measured? [Measurability, Spec §FR-001] +``` + +**Key Differences:** +- Wrong: Tests if the system works correctly +- Correct: Tests if the requirements are written correctly +- Wrong: Verification of behavior +- Correct: Validation of requirement quality +- Wrong: "Does it do X?" +- Correct: "Is X clearly specified?" 
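The numbering and traceability rules above (globally incrementing CHK IDs; at least 80% of items carrying a `[Spec §X.Y]` reference or a `[Gap]`/`[Ambiguity]`/`[Conflict]`/`[Assumption]` marker) also lend themselves to a mechanical audit. A hedged sketch; the item format and regexes below are assumptions derived from the template described above, not a published API:

```python
import re

# One checklist line, e.g. "- [ ] CHK001 - Are loading states defined? [Gap]"
ITEM = re.compile(r"^- \[ \] CHK(\d{3}) - (.+)$")
# A traceability reference: either a "Spec §X.Y" citation or a quality marker.
TRACE = re.compile(r"\[[^\]]*(?:Spec §|Gap|Ambiguity|Conflict|Assumption)[^\]]*\]")

def audit_checklist(lines):
    """Return (ids_are_sequential, traceability_ratio) for a checklist."""
    ids, traced = [], 0
    for line in lines:
        m = ITEM.match(line.strip())
        if not m:
            continue  # headings, blank lines, meta lines
        ids.append(int(m.group(1)))
        if TRACE.search(m.group(2)):
            traced += 1
    sequential = ids == list(range(ids[0], ids[0] + len(ids))) if ids else True
    ratio = traced / len(ids) if ids else 0.0
    return sequential, ratio
```

A checklist whose ratio falls below 0.8, or whose IDs skip numbers, would surface as a `[Traceability]` finding rather than pass review silently.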
diff --git a/.cursor/commands/speckit.clarify.md b/.cursor/commands/speckit.clarify.md new file mode 100644 index 0000000..9ec41c2 --- /dev/null +++ b/.cursor/commands/speckit.clarify.md @@ -0,0 +1,172 @@ +## User Input + +```text +Use the user-provided arguments (if any) as contextual input +``` + +You **MUST** consider the user input before proceeding (if not empty). + +## Outline + +Goal: Detect and reduce ambiguity or missing decision points in the active feature specification and record the clarifications directly in the spec file. + +Note: This clarification workflow is expected to run (and be completed) BEFORE invoking `/speckit.plan`. If the user explicitly states they are skipping clarification (e.g., exploratory spike), you may proceed, but must warn that downstream rework risk increases. + +Execution steps: + +1. Run `.specify/scripts/bash/check-prerequisites.sh --json --paths-only` from repo root **once** (combined `--json --paths-only` mode / `-Json -PathsOnly`). Parse minimal JSON payload fields: + - `FEATURE_DIR` + - `FEATURE_SPEC` + - (Optionally capture `IMPL_PLAN`, `TASKS` for future chained flows.) + - If JSON parsing fails, abort and instruct user to re-run `/speckit.specify` or verify feature branch environment. + - For single quotes in args like "I'm Groot", use escape syntax: e.g. 'I'\''m Groot' (or double-quote if possible: "I'm Groot"). + +2. Load the current spec file. Perform a structured ambiguity & coverage scan using this taxonomy. For each category, mark status: Clear / Partial / Missing. Produce an internal coverage map used for prioritization (do not output raw map unless no questions will be asked).
+ + Functional Scope & Behavior: + - Core user goals & success criteria + - Explicit out-of-scope declarations + - User roles / personas differentiation + + Domain & Data Model: + - Entities, attributes, relationships + - Identity & uniqueness rules + - Lifecycle/state transitions + - Data volume / scale assumptions + + Interaction & UX Flow: + - Critical user journeys / sequences + - Error/empty/loading states + - Accessibility or localization notes + + Non-Functional Quality Attributes: + - Performance (latency, throughput targets) + - Scalability (horizontal/vertical, limits) + - Reliability & availability (uptime, recovery expectations) + - Observability (logging, metrics, tracing signals) + - Security & privacy (authN/Z, data protection, threat assumptions) + - Compliance / regulatory constraints (if any) + + Integration & External Dependencies: + - External services/APIs and failure modes + - Data import/export formats + - Protocol/versioning assumptions + + Edge Cases & Failure Handling: + - Negative scenarios + - Rate limiting / throttling + - Conflict resolution (e.g., concurrent edits) + + Constraints & Tradeoffs: + - Technical constraints (language, storage, hosting) + - Explicit tradeoffs or rejected alternatives + + Terminology & Consistency: + - Canonical glossary terms + - Avoided synonyms / deprecated terms + + Completion Signals: + - Acceptance criteria testability + - Measurable Definition of Done style indicators + + Misc / Placeholders: + - TODO markers / unresolved decisions + - Ambiguous adjectives ("robust", "intuitive") lacking quantification + + For each category with Partial or Missing status, add a candidate question opportunity unless: + - Clarification would not materially change implementation or validation strategy + - Information is better deferred to planning phase (note internally) + +3. Generate (internally) a prioritized queue of candidate clarification questions (maximum 5). Do NOT output them all at once. 
Apply these constraints: + - Maximum of 10 total questions across the whole session. + - Each question must be answerable with EITHER: + * A short multiple‑choice selection (2–5 distinct, mutually exclusive options), OR + * A one-word / short‑phrase answer (explicitly constrain: "Answer in <=5 words"). + - Only include questions whose answers materially impact architecture, data modeling, task decomposition, test design, UX behavior, operational readiness, or compliance validation. + - Ensure category coverage balance: attempt to cover the highest impact unresolved categories first; avoid asking two low-impact questions when a single high-impact area (e.g., security posture) is unresolved. + - Exclude questions already answered, trivial stylistic preferences, or plan-level execution details (unless blocking correctness). + - Favor clarifications that reduce downstream rework risk or prevent misaligned acceptance tests. + - If more than 5 categories remain unresolved, select the top 5 by (Impact * Uncertainty) heuristic. + +4. Sequential questioning loop (interactive): + - Present EXACTLY ONE question at a time. + - For multiple‑choice questions: + * **Analyze all options** and determine the **most suitable option** based on: + - Best practices for the project type + - Common patterns in similar implementations + - Risk reduction (security, performance, maintainability) + - Alignment with any explicit project goals or constraints visible in the spec + * Present your **recommended option prominently** at the top with clear reasoning (1-2 sentences explaining why this is the best choice). + * Format as: `**Recommended:** Option [X] - ` + * Then render all options as a Markdown table: + + | Option | Description | + |--------|-------------| + | A |