init
52
.opencode/skills/code-review/references/checklists/api.md
Normal file
@@ -0,0 +1,52 @@
# API Review Checklist (Overlay)

Additive to `base.md`. Apply when project exposes REST/GraphQL/gRPC APIs.

## Detection

Apply this overlay when any of these are true:
- Project has route definitions (Express, FastAPI, NestJS, Django, Rails, Go chi/gin)
- OpenAPI/Swagger spec file exists
- `src/routes/`, `src/api/`, `src/controllers/` directories
- GraphQL schema files in the diff

---

## Pass 1 — CRITICAL (additions to base)

### Auth & Rate Limiting
- Public endpoints missing rate limiting (login, registration, password reset)
- API keys or tokens exposed in URL query parameters (use headers)
- Missing auth middleware on new routes
- Batch/bulk endpoints without per-item authorization checks

### Input Validation
- Request body accepted without schema validation (missing Zod, Joi, Pydantic, etc.)
- Mass assignment: entire request body spread into database model
- File upload without size/type restrictions
- Array inputs without length limits (DoS via large payloads)

### Data Exposure
- Sensitive fields in API responses (password hashes, internal IDs, tokens)
- Stack traces or internal error details in production error responses
- Verbose error messages that leak schema/implementation details

---

## Pass 2 — INFORMATIONAL (additions to base)

### API Design
- List endpoints without pagination (LIMIT/OFFSET or cursor-based)
- Missing consistent error response format across endpoints
- Inconsistent naming conventions (camelCase vs snake_case in same API)
- Missing request/response content-type headers

### Observability
- New endpoints without logging/metrics
- Error paths that swallow exceptions silently
- Missing correlation/request IDs for tracing

### Versioning & Compatibility
- Breaking changes to existing response shapes without version bump
- Removed fields without deprecation notice
- Changed field types (string → number) in existing responses
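Review bot: the `## Detection` rules fire on `- GraphQL schema files in the diff` and the intro names gRPC, but every Pass 1 item is REST-shaped (routes, request bodies, URL query parameters, file uploads), so a GraphQL-only change passes this overlay with nothing actually checked. Add GraphQL-specific CRITICAL items under `### Input Validation` and `### Auth & Rate Limiting`, for example query depth/complexity limits, introspection disabled in production, and per-resolver authorization (the `- Batch/bulk endpoints without per-item authorization checks` item maps naturally onto list fields and bulk mutations), or narrow the detection rules to what the checklist covers.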
100
.opencode/skills/code-review/references/checklists/base.md
Normal file
@@ -0,0 +1,100 @@
# Base Review Checklist

Universal checklist for all project types. Two-pass model: critical (blocking) + informational (non-blocking).

## Instructions

Review `git diff origin/main` for the issues below. Be specific — cite `file:line` and suggest fixes. Skip anything that's fine. Only flag real problems.

**Output format:**

```
Pre-Landing Review: N issues (X critical, Y informational)

**CRITICAL** (blocking):
- [file:line] Problem description
Fix: suggested fix

**Issues** (non-blocking):
- [file:line] Problem description
Fix: suggested fix
```

If no issues: `Pre-Landing Review: No issues found.`

Be terse. One line problem, one line fix. No preamble.

---

## Pass 1 — CRITICAL (blocking)

### Injection & Data Safety
- String interpolation in SQL/database queries (even with type casting — use parameterized queries)
- Unsanitized user input written to database or rendered in HTML
- Raw HTML output from user-controlled data (`innerHTML`, `dangerouslySetInnerHTML`, `html_safe`, `raw()`, `| safe`)
- Command injection via string concatenation in shell commands (use argument arrays)
- Path traversal via user input in file operations

### Race Conditions & Concurrency
- Read-check-write without atomic operations (check-then-set should be atomic WHERE + UPDATE)
- Find-or-create without unique database constraint (concurrent calls create duplicates)
- Status transitions without atomic WHERE old_status + UPDATE new_status
- Shared mutable state accessed without synchronization

### Security Boundaries
- Missing authentication checks on new endpoints/routes
- Privilege escalation paths (user can access/modify another user's data — IDOR)
- Secrets in logs, error responses, or client-side code
- LLM/AI output written to database or used in queries without validation
- JWT/token comparison using `==` instead of constant-time comparison

### Auth & Access Control
- New API endpoints without auth middleware
- Missing authorization check (authenticated but not authorized)
- Admin-only operations accessible to regular users
- Session fixation or token reuse vulnerabilities

---

## Pass 2 — INFORMATIONAL (non-blocking)

### Conditional Side Effects
- Code branches on condition but forgets side effect on one branch (e.g., sets status but not associated data)
- Log messages claiming action happened but action was conditionally skipped

### Magic Numbers & String Coupling
- Bare numeric literals used in multiple files — should be named constants
- Error message strings used as query filters elsewhere (grep for the string)

### Dead Code & Consistency
- Variables assigned but never read
- Stale comments describing old behavior after code changed
- Import/require statements for unused modules

### Test Gaps
- Missing negative-path tests (error cases, validation failures)
- Assertions on type/status but not side effects (e.g., checks status but not that email was sent)
- Missing integration tests for security enforcement (auth, rate limiting, access control)

### Type Coercion at Boundaries
- Values crossing language/system boundaries where type could change (string vs number)
- Hash/digest inputs that don't normalize types before serialization

### Performance
- O(n*m) lookups in views/templates (array search inside loops — use hash/map lookup)
- Missing pagination on list endpoints returning unbounded results
- N+1 queries: loading associations inside loops without eager loading
- Unbounded queries without LIMIT

---

## Suppressions — DO NOT flag these

- Redundancy that aids readability (e.g., `present?` redundant with length check)
- "Add comment explaining why this threshold was chosen" — thresholds change, comments rot
- "This assertion could be tighter" when assertion already covers the behavior
- Consistency-only changes (wrapping a value to match how another constant is guarded)
- Harmless no-ops (e.g., `.filter()` on array that never contains the filtered value)
- ANYTHING already addressed in the diff being reviewed — read the FULL diff before commenting
- Style/formatting issues (use a linter for that)
- "Consider using X instead of Y" when Y works fine
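Review bot: `### Security Boundaries` and `### Auth & Access Control` overlap, so one omission in a diff gets reported twice: `- Missing authentication checks on new endpoints/routes` and `- New API endpoints without auth middleware` are the same finding, and the IDOR item is a special case of `- Missing authorization check (authenticated but not authorized)`. Merge the two sections under one heading, keeping the distinct items (IDOR, admin-only operations, secrets in logs/responses/client code, unvalidated LLM output, constant-time token comparison). While there, replace `- Session fixation or token reuse vulnerabilities` with patterns a reviewer can actually spot in a diff (session ID not regenerated on login, refresh tokens not invalidated after use), since the current wording is too vague to act on. The reviewer instruction to read the FULL diff before commenting is good and deserves a place in `## Instructions` rather than only in the suppression list.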
@@ -0,0 +1,54 @@
# Web App Review Checklist (Overlay)

Additive to `base.md`. Apply when project has frontend framework (React, Vue, Svelte, Next.js, etc.).

## Detection

Apply this overlay when any of these are true:
- `package.json` has `react`, `vue`, `svelte`, `next`, `nuxt`, `angular` dependency
- Project has `src/pages/`, `src/app/`, `src/components/`, `src/views/` directories
- HTML/JSX/TSX/Vue files in the diff

---

## Pass 1 — CRITICAL (additions to base)

### XSS
- `innerHTML` assignment from any non-static source
- Template literals interpolated into DOM without escaping
- URL parameters rendered without sanitization
- `<a href={userInput}>` without protocol validation (javascript: protocol)
- Server-rendered user content without HTML entity encoding

### CSRF
- State-changing endpoints (POST/PUT/DELETE) without CSRF token verification
- Cookie-based auth without SameSite attribute
- Form submissions to external URLs

### N+1 Queries (server-rendered views)
- Database queries inside loops rendering lists
- Missing eager loading for associations rendered in views/pages
- Sequential API calls that could be batched

---

## Pass 2 — INFORMATIONAL (additions to base)

### Frontend Performance
- Inline `<style>` blocks in components re-parsed every render
- Missing `key` prop on list items
- Large bundle imports that could be lazy-loaded (e.g., full lodash instead of lodash/get)
- Images without width/height causing layout shift
- Missing `loading="lazy"` on below-fold images

### Accessibility
- Interactive elements without keyboard support (onClick without onKeyDown)
- Missing `alt` text on images
- Form inputs without associated labels
- Color-only indicators (no text/icon fallback)
- Missing ARIA attributes on custom interactive components

### Responsive / Layout
- Fixed pixel widths that break on mobile
- Missing viewport meta tag
- Overflow hidden cutting off content on small screens
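Review bot: `- Form submissions to external URLs` is misfiled under `### CSRF`: a form posting user data to a third-party origin is a data-exposure concern, not a cross-site request forgery against this app, so a reviewer following the section title will look for a token that does not apply. Move it to a data-exposure heading (the API overlay already has `### Data Exposure`) and tighten `- Cookie-based auth without SameSite attribute` to also flag `SameSite=None` cookies on state-changing endpoints that have no CSRF token, since the attribute alone is not a complete defence. Separately, `### N+1 Queries (server-rendered views)` restates `- N+1 queries: loading associations inside loops without eager loading` from `base.md`, but at a different severity (CRITICAL here, INFORMATIONAL there); pick one severity and reference the base item rather than duplicating it.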