diff --git a/.claude/agents/perf-review.md b/.claude/agents/perf-review.md deleted file mode 100644 index 5112d58d..00000000 --- a/.claude/agents/perf-review.md +++ /dev/null 
@@ -1,89 +0,0 @@ ---- -name: perf-review -description: Review code changes for performance issues. Use proactively after adding loops, data fetching, heavy computations, or database queries. -tools: Bash, Read, Glob, Grep -model: sonnet ---- - -Review code changes for performance issues. - -## Philosophy - -- **Be honest**: If the code is performant, say so. Don't nitpick micro-optimizations. -- **Be actionable**: If there's an issue, explain exactly what to fix with examples. -- **Suggest prevention**: If a lint rule, benchmark, or test could catch this, mention it. -- **Focus on impact**: Prioritize issues that affect real users, not theoretical slowdowns. - -## Determine What to Review - -1. Check for uncommitted changes first: - ```bash - git diff --name-only - ``` - -2. If no uncommitted changes, check current branch vs main: - ```bash - git diff --name-only main...HEAD - ``` - -3. If on main with no changes, check the last commit: - ```bash - git diff --name-only HEAD~1 - ``` - -4. Read the changed files to review them. 
- -## What to Look For - -### Critical (Blocks Users) -- **N+1 queries** - fetching in loops instead of batching -- **Synchronous blocking** - blocking event loop with heavy computation -- **Unbounded data** - loading all records without pagination/limits -- **Missing indexes** - queries on unindexed columns (if DB schema visible) -- **Sequential awaits** - awaiting independent operations one by one - -### High (Noticeable Slowdown) -- **Unnecessary re-computation** - calculating same thing multiple times -- **Large payloads** - returning more data than needed from APIs -- **Missing caching** - repeated expensive operations without memoization -- **Inefficient algorithms** - O(n²) when O(n) is possible -- **Bundle bloat** - importing entire libraries for one function - -### Medium (Worth Fixing) -- **Wasteful iterations** - multiple passes when one would work -- **String concatenation in loops** - building strings inefficiently -- **Unnecessary object creation** - creating objects/arrays in hot paths -- **Missing early returns** - continuing work when result is known -- **Suboptimal data structures** - array lookups when Set/Map is better - -### Low (Nice to Have) -- **Micro-optimizations** - only mention if in genuinely hot code path -- **Property access caching** - repeated deep property access - -## Output Format - -``` -## Performance Review: [files reviewed] - -### Summary -[One sentence: "No performance issues found" or "Found N issues (X critical, Y high)"] - -### Issues Found - -#### [CRITICAL/HIGH/MEDIUM] Issue Title -- **File**: path/to/file.ts:123 -- **Problem**: What's slow and why -- **Impact**: Estimated effect (e.g., "adds ~100ms per request", "O(n²) on list size") -- **Fix**: How to fix it with code example -- **Prevention**: Benchmark, lint rule, or pattern that could catch this - -### Recommendations -[Any tooling, patterns, or tests that would prevent future issues] -``` - -## Notes - -- Focus on the diff, not the entire codebase -- Don't flag 
micro-optimizations unless they're in hot paths -- Consider the context - startup code vs request handling vs render loop -- If you're unsure about impact, say so rather than guessing diff --git a/.claude/agents/react-review.md b/.claude/agents/react-review.md deleted file mode 100644 index 06bdd218..00000000 --- a/.claude/agents/react-review.md +++ /dev/null @@ -1,50 +0,0 @@ ---- -name: react-review -description: Review React/React Native code for best practices. Use after component changes, hooks, data fetching, or state management updates. -tools: Bash, Read, Glob, Grep -model: sonnet -skills: react-review ---- - -Review React and React Native code changes for best practices. - -## Philosophy - -- **Be honest**: If the code follows best practices, say so. Don't force changes. -- **Be actionable**: If there's an issue, explain exactly what to fix with examples. -- **Suggest prevention**: If a lint rule could catch this, mention it. -- **Prioritize by impact**: Critical issues first (waterfalls, bundle size). - -## Determine What to Review - -Check for changes in this order: -1. `git diff --name-only` (uncommitted) -2. `git diff --name-only main...HEAD` (branch diff) -3. `git diff --name-only HEAD~1` (last commit) - -Filter for React files (.tsx, .jsx) and review them. - -## Output Format - -``` -## React Review: [files reviewed] - -### Summary -[One sentence: "No issues found" or "Found N issues (X critical, Y high)"] - -### Issues Found - -#### [CRITICAL/HIGH/MEDIUM] Issue Title -- **File**: path/to/file.tsx:123 -- **Rule**: e.g., `async-parallel`, `bundle-barrel-imports` -- **Problem**: What's wrong -- **Fix**: How to fix it with code example -- **Prevention**: ESLint rule that could catch this - -### Recommendations -[Any lint rules or patterns that would help] -``` - -## Reference - -The `react-review` skill contains the full Vercel React Best Practices with 45+ rules. Refer to it for detailed code examples when reviewing. 
diff --git a/.claude/agents/security-review.md b/.claude/agents/security-review.md deleted file mode 100644 index e65689fb..00000000 --- a/.claude/agents/security-review.md +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -name: security-review -description: Review code changes for security vulnerabilities. Use proactively before merging PRs or after changes to auth, data handling, or user input. -tools: Bash, Read, Glob, Grep -model: sonnet ---- - -Review code changes for security vulnerabilities. - -## Philosophy - -- **Be honest**: If the code is secure, say so. Don't manufacture issues. -- **Be actionable**: If there's an issue, explain exactly what to fix. -- **Suggest prevention**: If a lint rule or test could catch this in the future, mention it. - -## Determine What to Review - -1. Check for uncommitted changes first: - ```bash - git diff --name-only - ``` - -2. If no uncommitted changes, check current branch vs main: - ```bash - git diff --name-only main...HEAD - ``` - -3. If on main with no changes, check the last commit: - ```bash - git diff --name-only HEAD~1 - ``` - -4. Read the changed files to review them. - -## What to Look For - -### Critical (Must Fix) -- **Secrets/credentials** in code (API keys, tokens, passwords) -- **SQL injection** - unsanitized input in queries -- **Command injection** - user input in shell commands -- **Path traversal** - user input in file paths without validation -- **Authentication bypass** - missing auth checks on sensitive routes -- **Insecure deserialization** - parsing untrusted data without validation - -### High (Should Fix) -- **XSS vulnerabilities** - unsanitized output in HTML/JS -- **CSRF missing** - state-changing endpoints without CSRF protection -- **Sensitive data exposure** - logging PII, tokens in URLs -- **Insecure dependencies** - known vulnerable packages -- **Missing input validation** - accepting any input without bounds - -### Medium (Consider) -- **Verbose error messages** - leaking stack traces or internals -- **Missing rate limiting** - endpoints vulnerable to abuse -- **Weak crypto** - MD5, SHA1 for security purposes -- **Hardcoded configuration** - values that should be environment vars - 
-## Output Format - -``` -## Security Review: [files reviewed] - -### Summary -[One sentence: "No security issues found" or "Found N issues (X critical, Y high)"] - -### Issues Found - -#### [CRITICAL/HIGH/MEDIUM] Issue Title -- **File**: path/to/file.ts:123 -- **Problem**: What's wrong -- **Impact**: What could happen -- **Fix**: How to fix it -- **Prevention**: Lint rule or test that could catch this - -### Recommendations -[Any lint rules, tests, or patterns that would prevent future issues] -``` - -## Notes - -- Focus on the diff, not the entire codebase -- Don't flag theoretical issues in unchanged code -- If you're unsure about something, say so rather than guessing diff --git a/.claude/skills/create-pr/SKILL.md b/.claude/skills/create-pr/SKILL.md index a51afad0..340d1d65 100644 --- a/.claude/skills/create-pr/SKILL.md +++ b/.claude/skills/create-pr/SKILL.md 
@@ -45,28 +45,14 @@ That's it. No "Test Plan", no "Screenshots", no checklists unless truly needed. git diff --name-only main...HEAD ``` -2. **Run code-simplifier first** (if available): - - Run the `code-simplifier:code-simplifier` agent to simplify and clean up the code. - This step modifies code, so it must run before reviews. Commit any changes it makes. - -3. **Run validation + reviews in parallel**: - - After code-simplifier is done, run these concurrently: - - `bun run validate` (background) - - Review agents based on changed files: - - | Changed files | Agent to spawn | - |---------------|----------------| - | `src/agent/`, auth, user input, data handling | `security-review` | - | Loops, data fetching, DB queries, heavy computation | `perf-review` | - | `web/` or `mobile/` (.tsx/.jsx files) | `react-review` | - - Spawn all applicable review agents in parallel using the Task tool. +2. **Run validation**: + ```bash + bun run validate + ``` -4. **Fix any issues** found by validation or review agents before proceeding +3. **Fix any issues** found by validation before proceeding -5. **Create PR** (only after validation passes and reviews are addressed): +4. **Create PR** (only after validation passes): ```bash gh pr create --title ": " --body "$(cat <<'EOF' ## Summary diff --git a/.claude/skills/validate/SKILL.md b/.claude/skills/validate/SKILL.md index 7c590cd8..05dad43f 100644 --- a/.claude/skills/validate/SKILL.md +++ b/.claude/skills/validate/SKILL.md 
@@ -49,17 +49,11 @@ Run the appropriate validation for your changes. 3. If validation fails, fix issues and re-run -## Run Review Agents in Parallel - -While validation runs, spawn review subagents in parallel based on what changed: - -| Changed files | Run agent | -|---------------|-----------| -| Auth, user input, data handling | `security-review` | -| Loops, data fetching, DB queries | `perf-review` | -| `web/` or `mobile/` (.tsx/.jsx) | `react-review` | - -These agents review your local changes and report issues. Run them in parallel with validation to save time. +4. Run warden to get code review feedback locally (security, react best practices, code simplification): + ```bash + warden -v + ``` + The `-v` flag streams findings in real-time. Fix any issues warden finds before creating a PR. ## Notes diff --git a/.opencode/agent/perf-review.md b/.opencode/agent/perf-review.md deleted file mode 100644 index e7b7306a..00000000 --- a/.opencode/agent/perf-review.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -description: Review code changes for performance issues. Use after adding loops, data fetching, heavy computations, or database queries. -mode: subagent -tools: - bash: true - read: true - glob: true - grep: true - write: false - edit: false ---- - -Review code changes for performance issues. - -Read `.claude/agents/perf-review.md` for full instructions. diff --git a/.opencode/agent/react-review.md b/.opencode/agent/react-review.md deleted file mode 100644 index d404db00..00000000 --- a/.opencode/agent/react-review.md +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -description: Review React/React Native code for best practices. Use after component changes, hooks, data fetching, or state management updates. -mode: subagent -tools: - bash: true - read: true - glob: true - grep: true - write: false - edit: false ---- - -Review React and React Native code changes for best practices. - -Read `.claude/agents/react-review.md` for instructions. -Read `.claude/skills/react-review/RULES.md` for the full Vercel React Best Practices (45+ rules with code examples). diff --git a/.opencode/agent/security-review.md b/.opencode/agent/security-review.md deleted file mode 100644 index c0054576..00000000 --- a/.opencode/agent/security-review.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -description: Review code changes for security vulnerabilities. Use before merging PRs or after changes to auth, data handling, or user input. -mode: subagent -tools: - bash: true - read: true - glob: true - grep: true - write: false - edit: false ---- - -Review code changes for security vulnerabilities. - -Read `.claude/agents/security-review.md` for full instructions. diff --git a/AGENTS.md b/AGENTS.md index dea9a353..5ee2d540 100644 --- a/AGENTS.md +++ b/AGENTS.md 
@@ -13,19 +13,9 @@ Use the `skill` tool for common workflows: If validation fails due to missing tools, install dependencies first with `bun install`. -## Code Review Agents +## Code Review -Before submitting changes, run review agents in parallel with validation: - -| Agent | When to use | -|-------|-------------| -| `security-review` | After auth, data handling, or user input changes | -| `perf-review` | After adding loops, data fetching, or heavy computation | -| `react-review` | After React component changes (web/ or mobile/) | - -These agents review your local changes (uncommitted, branch diff, or last commit) and report issues. They will be honest - if the code is good, they'll say so. They may also suggest lint rules or tests to prevent similar issues in the future. - -**Location**: Claude Code uses `.claude/agents/`, OpenCode uses `.opencode/agent/` (OpenCode agents reference the Claude Code files for shared instructions). +Code reviews (security, react best practices, code simplification) are handled automatically by [Warden](https://github.com/getsentry/warden) on pull requests. See `warden.toml` for the configured triggers. ## Architecture
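Review bot: Deleting `.claude/agents/security-review.md` while the AGENTS.md hunk moves review to Warden "on pull requests" means the check the deleted agent listed first under Critical, "Secrets/credentials in code (API keys, tokens, passwords)", now runs only after the commit has been pushed to the remote; a leaked key is then already in PR history and needs rotation even if Warden flags it. Keep a local pre-push check in the documented workflow: the validate skill's new `warden -v` step only helps if developers run it, so either make that step mandatory before `gh pr create` or add a pre-commit/pre-push secret-detection hook and mention it in the Code Review section.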
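Review bot: The rewritten steps 2 to 4 in `.claude/skills/create-pr/SKILL.md` go straight from `bun run validate` to `gh pr create`, while the validate skill in the same diff adds "4. Run warden to get code review feedback locally" with "Fix any issues warden finds before creating a PR". The two skills now disagree on whether a local review happens before the PR is opened; add the `warden -v` step (or a pointer to the validate skill) to create-pr so the local security and React review is not silently dropped from the path that actually creates the PR.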
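Review bot: Step 4 in `.claude/skills/validate/SKILL.md` introduces `warden` as a new tool dependency without saying how it is installed or which changes it reviews. The deleted agents spelled out their scope (uncommitted changes first, then `main...HEAD`, then `HEAD~1`); the new text does not, so a reader cannot tell whether `warden -v` sees uncommitted work or only committed changes. Add an install hint (the surrounding docs say to run `bun install` for missing tools, if that applies to warden) and one sentence on the review scope, and confirm that `-v` is warden's verbose/streaming flag rather than a version flag, since the text asserts it "streams findings in real-time".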
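Review bot: The deleted `.opencode/agent/react-review.md` was the visible consumer of `.claude/skills/react-review/RULES.md` (and `.claude/agents/react-review.md` declared `skills: react-review`), but this diff leaves that skill directory untouched. Check whether `.claude/skills/react-review/` is still referenced by anything after this change; if not, remove it in the same commit so the repository does not keep an orphaned rule set that nobody runs.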
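Review bot: The new Code Review section in AGENTS.md lists "security, react best practices, code simplification", so the performance review that `perf-review` provided is dropped with no replacement or mention; either state that performance review is no longer covered or add a Warden trigger for it so the loss is deliberate rather than accidental. The section also says "See `warden.toml` for the configured triggers", but this diff neither adds nor modifies `warden.toml`; confirm the file exists on this branch, otherwise the reference dangles and the claim that reviews "are handled automatically" cannot be verified from the repo.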