code-quality-audit
Code Quality Audit
Run quality and security audits for Drupal and Next.js projects with consistent tooling and reporting.
Quick Commands
For direct access, use these commands:
- /code-quality:setup - First-time setup wizard (install and configure tools)
- /code-quality:audit - Run full audit (all 22 operations)
- /code-quality:coverage - Check test coverage
- /code-quality:security - Security scan (10 layers for Drupal, 7 for Next.js)
- /code-quality:lint - Code standards check
- /code-quality:solid - Architecture and SOLID principles check
- /code-quality:dry - Find code duplication
- /code-quality:tdd - Start TDD workflow (test watcher mode)
For conversational workflows, continue reading...
When to Use
Drupal projects:
- "Setup quality tools" / "Install PHPStan"
- "Run code audit" / "Check code quality"
- "Check coverage" / "What's my coverage?"
- "Find SOLID violations" / "Check complexity"
- "Check duplication" / "DRY check"
- "Lint code" / "Check coding standards"
- "Fix deprecations" / "Run rector"
- "Start TDD" / "RED-GREEN-REFACTOR"
- "Check security" / "Find vulnerabilities" / "OWASP audit"
Next.js projects:
- "Setup quality tools" / "Install ESLint"
- "Run code audit" / "Check code quality"
- "Check coverage" / "Run Jest coverage"
- "Find SOLID violations" / "Check complexity" / "Check circular deps"
- "Lint code" / "Run ESLint"
- "Check duplication" / "DRY check"
- "Start TDD" / "Jest watch mode"
- "Check security" / "Find vulnerabilities" / "OWASP audit"
Quick Reference
Drupal Scripts
| Task | Script | Details |
|---|---|---|
| Setup tools | | See Drupal Setup |
| Full audit | | See Full Audit |
| Coverage | | See Coverage Check |
| SOLID check | | See SOLID Check |
| DRY check | | See DRY Check |
| Lint check | | See Lint Check |
| Fix deprecations | | See Rector Fix |
| TDD cycle | | See TDD Workflow |
| Security audit | | See Security Audit (10 layers) |
Next.js Scripts
| Task | Script | Details |
|---|---|---|
| Setup tools | | See Next.js Setup |
| Full audit | | See Full Audit |
| Coverage | | See Coverage Check |
| SOLID check | | See SOLID Check |
| Lint check | | See Lint Check |
| DRY check | | See DRY Check |
| TDD cycle | | See TDD Workflow |
| Security audit | | See Security Audit (7 layers) |
Before Any Operation
Drupal:
- Locate Drupal root: check web/core/lib/Drupal.php or docroot/core/lib/Drupal.php
- Verify DDEV: ddev describe
- Create reports directory: mkdir -p .reports && echo ".reports/" >> .gitignore
Next.js:
- Verify npm: npm --version
- Create reports directory: mkdir -p .reports && echo ".reports/" >> .gitignore
When to Run What
Read decision-guides/quality-audit-checklist.md for detailed guidance.
| Context | What to Run | Time |
|---|---|---|
| Pre-commit | | ~5s |
| Pre-push | PHPStan + Unit/Kernel tests | ~2min |
| Pre-merge | Full audit | ~10min |
| Weekly | Full audit + HTML reports | ~15min |
Scope Targeting
To audit specific modules or components instead of the entire project, see Scope Targeting for three approaches:
- Change directory (recommended): cd web/modules/custom/my_module
- Environment variable: DRUPAL_MODULES_PATH=path/to/module
- Full scan (default): run from the project root
Intelligent detection: Claude detects the current directory and user intent.
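The pre-flight checks from "Before Any Operation" and the three scope-targeting approaches above, written as an added Python example rather than the skill's own code. It takes the two Drupal root layouts (web/ and docroot/) and the DRUPAL_MODULES_PATH variable from the page; the function names, the precedence order between the three approaches, and the refusal of a path that resolves outside the project are my assumptions. The DDEV and npm checks stay in the shell as the page shows them, and the project layout used to exercise the functions is constructed, not a real site.

```python
"""Added example (not the skill's own code): pre-flight checks and scope
resolution for the audit, as plain functions so they can be unit-tested.
Precedence between the scope approaches is an assumption; the page lists
them without one."""
from __future__ import annotations

from pathlib import Path

# The two layouts the skill probes for the Drupal root.
DRUPAL_ROOT_CANDIDATES = ("web", "docroot")


def find_drupal_root(project: Path) -> Path | None:
    """Return <project>/web or <project>/docroot, whichever holds core/lib/Drupal.php."""
    for candidate in DRUPAL_ROOT_CANDIDATES:
        root = project / candidate
        if (root / "core" / "lib" / "Drupal.php").is_file():
            return root
    return None


def ensure_reports_dir(project: Path) -> Path:
    """Create .reports/ and list it in .gitignore exactly once.

    The page's `echo ".reports/" >> .gitignore` appends a new line on every
    run; checking first keeps the ignore file clean when the audit repeats.
    """
    reports = project / ".reports"
    reports.mkdir(exist_ok=True)
    gitignore = project / ".gitignore"
    existing = gitignore.read_text().splitlines() if gitignore.exists() else []
    if ".reports/" not in existing:
        with gitignore.open("a") as fh:
            fh.write(".reports/\n")
    return reports


def resolve_scope(project: Path, cwd: Path, env: dict[str, str]) -> Path:
    """Pick the directory to audit using the three approaches on the page.

    Assumed precedence:
      1. DRUPAL_MODULES_PATH environment variable
      2. current directory, when it lies under <root>/modules/custom/<module>
      3. the project root (full scan)
    An explicit path must resolve inside the project: "../../etc" or a
    symlink out of the tree is refused rather than handed to the scanners.
    """
    project = project.resolve()
    drupal_root = find_drupal_root(project)

    def inside_project(path: Path) -> Path | None:
        resolved = path.resolve()
        return resolved if resolved.is_relative_to(project) and resolved.is_dir() else None

    if env.get("DRUPAL_MODULES_PATH"):
        chosen = inside_project(project / env["DRUPAL_MODULES_PATH"])
        if chosen is None:
            raise ValueError("DRUPAL_MODULES_PATH must be a directory inside the project")
        return chosen

    if drupal_root is not None:
        custom = (drupal_root / "modules" / "custom").resolve()
        cwd = inside_project(cwd) or project
        if cwd != custom and cwd.is_relative_to(custom):
            # cwd is <root>/modules/custom/<module>[/sub/dir]: audit that module.
            return custom / cwd.relative_to(custom).parts[0]

    return project
```

Resolving the chosen path before comparing it with the project root is the check worth keeping: the scanners run with whatever directory they are given, so an environment variable pointing outside the tree should be refused, not scanned.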
Operations
All detailed operation instructions have been moved to reference files for better organization.
Drupal Operations
Setup & Configuration
- Operation 1: Setup Tools - Install PHPStan, PHPMD, PHPCPD, Coder
- Operation 6: Module-Specific Audit - Scope audit to one module
- Operation 7: Add Composer Scripts - Configure quality scripts
- Operation 8: CI Integration - Setup GitHub Actions
Quality Audits
- Operation 2: Full Audit - Run all quality checks
- Operation 3: Coverage Check - Measure test coverage
- Operation 4: SOLID Check - Find principle violations
- Operation 5: DRY Check - Detect code duplication
- Operation 11: Lint Check - Coding standards
- Operation 12: Rector Fix - Auto-fix deprecations
Development Workflows
- Operation 10: TDD Workflow - RED-GREEN-REFACTOR cycle
Security
- Operation 20: Security Audit - 10 security layers (v2.0.0)
- Drush pm:security, Composer audit
- yousha/php-security-linter, Psalm taint analysis
- Custom Drupal patterns, Security Review module
- Semgrep SAST, Trivy scanner, Gitleaks (v1.8.0)
- Roave Security Advisories (v2.0.0)
Next.js Operations
Setup & Configuration
- Operation 13: Setup Tools - Install ESLint, Jest, security tools
Quality Audits
- Operation 14: Full Audit - Run all quality checks
- Operation 15: Lint Check - ESLint + TypeScript
- Operation 16: Coverage Check - Jest coverage
- Operation 17: DRY Check - Detect duplication
- Operation 19: SOLID Check - Circular deps, complexity
Development Workflows
- Operation 18: TDD Workflow - RED-GREEN-REFACTOR with Jest
Security
- Operation 21: Security Audit - 7 security layers (v2.0.0)
- npm audit, ESLint security plugins
- Semgrep SAST, Trivy scanner, Gitleaks (v1.8.0)
- Custom React/Next.js patterns (XSS, eval, navigation)
- Socket CLI (v2.0.0)
Optional: DAST (Dynamic Testing)
Pre-production security testing for staging environments
- Operation 22: DAST Tools - Dynamic security testing (v2.1.0)
- OWASP ZAP (full DAST scanner)
- Nuclei (template-based CVE scanning)
- Requires running application
- Use before releases on staging/pre-production
Saving Reports
All reports must follow schemas/audit-report.schema.json:

```json
{
  "meta": {
    "project_type": "drupal|nextjs|monorepo",
    "timestamp": "2025-12-19T12:00:00Z",
    "thresholds": { "coverage_minimum": 70, "duplication_max": 5 }
  },
  "summary": {
    "overall_score": "pass|warning|fail",
    "coverage_score": "pass|warning|fail",
    "solid_score": "pass|warning|fail",
    "dry_score": "pass|warning|fail",
    "security_score": "pass|warning|fail"
  },
  "coverage": { "line_coverage": 75.5, "files_analyzed": 45 },
  "solid": { "violations": [] },
  "dry": { "duplication_percentage": 3.2, "clones": [] },
  "security": { "critical": 0, "high": 0, "medium": 3, "low": 5, "issues": [] },
  "recommendations": []
}
```
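An added Python example, not code from the skill, showing how an audit driver can fill in the summary block of a report shaped like the one above and turn it into a CI exit status. The report shape and the two thresholds come from the page; the scoring rules (coverage warns within 10 points of the minimum, any critical or high finding fails, a missing section fails closed) and the function names are assumptions, and SAMPLE_REPORT is constructed for the example.

```python
"""Added example (not the skill's own code): derive the summary scores of an
audit-report.schema.json report from its measurements and thresholds, and
turn the result into a CI exit status. The scoring rules are assumptions;
the page shows the report shape but not how pass/warning/fail is decided."""
from __future__ import annotations

import json

# Constructed sample input in the shape shown on the page, summary omitted
# because this script computes it.
SAMPLE_REPORT = json.loads("""
{
  "meta": {
    "project_type": "drupal",
    "timestamp": "2025-12-19T12:00:00Z",
    "thresholds": { "coverage_minimum": 70, "duplication_max": 5 }
  },
  "coverage": { "line_coverage": 75.5, "files_analyzed": 45 },
  "solid": { "violations": [] },
  "dry": { "duplication_percentage": 3.2, "clones": [] },
  "security": { "critical": 0, "high": 0, "medium": 3, "low": 5, "issues": [] },
  "recommendations": []
}
""")

RANK = {"pass": 0, "warning": 1, "fail": 2}
COVERAGE_WARNING_MARGIN = 10.0  # points above coverage_minimum that still warn (assumed)
SOLID_FAIL_COUNT = 10           # violations at or above this fail outright (assumed)
SCORE_KEYS = ("coverage_score", "solid_score", "dry_score", "security_score")


def worst(*scores: str) -> str:
    return max(scores, key=RANK.__getitem__)


def score_coverage(coverage: dict, thresholds: dict) -> str:
    line = float(coverage["line_coverage"])
    minimum = float(thresholds["coverage_minimum"])
    if line < minimum:
        return "fail"
    return "warning" if line < minimum + COVERAGE_WARNING_MARGIN else "pass"


def score_dry(dry: dict, thresholds: dict) -> str:
    pct = float(dry["duplication_percentage"])
    maximum = float(thresholds["duplication_max"])
    if pct > maximum:
        return "fail"
    return "warning" if pct > 0.8 * maximum else "pass"


def score_solid(solid: dict) -> str:
    count = len(solid["violations"])
    if count >= SOLID_FAIL_COUNT:
        return "fail"
    return "warning" if count else "pass"


def score_security(security: dict) -> str:
    # Any critical or high finding blocks; mediums warn; lows are informational.
    if security["critical"] or security["high"]:
        return "fail"
    return "warning" if security["medium"] else "pass"


def summarize(report: dict) -> dict:
    """Return the summary block for a report.

    Fails closed: a missing or malformed section (for example, a scanner that
    crashed and wrote nothing) scores "fail" instead of passing silently.
    """
    try:
        thresholds = report["meta"]["thresholds"]
        summary = {
            "coverage_score": score_coverage(report["coverage"], thresholds),
            "solid_score": score_solid(report["solid"]),
            "dry_score": score_dry(report["dry"], thresholds),
            "security_score": score_security(report["security"]),
        }
    except (KeyError, TypeError, ValueError):
        summary = {key: "fail" for key in SCORE_KEYS}
    summary["overall_score"] = worst(*summary.values())
    return summary


def ci_exit_code(report: dict, fail_on: str = "fail") -> int:
    """0 when the report is acceptable, 1 otherwise."""
    return 1 if RANK[summarize(report)["overall_score"]] >= RANK[fail_on] else 0


if __name__ == "__main__":
    print(json.dumps({**SAMPLE_REPORT, "summary": summarize(SAMPLE_REPORT)}, indent=2))
    raise SystemExit(ci_exit_code(SAMPLE_REPORT))
```

Use fail_on="fail" for the pre-push gate and fail_on="warning" for pre-merge, where the page calls for the full audit. The fail-closed branch is the part worth keeping: a scanner that crashed leaves no section behind, and an absent section must block the merge rather than count as clean.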
References
Core Guidance
- references/tdd-workflow.md - RED-GREEN-REFACTOR patterns, test naming, cycle targets
- references/coverage-metrics.md - Coverage targets by code type, PCOV vs Xdebug
- references/dry-detection.md - Rule of Three, when duplication is OK
- references/solid-detection.md - SOLID detection patterns and fixes
- references/composer-scripts.md - Ready-to-use composer scripts
- references/scope-targeting.md - Target specific modules/components (NEW in v1.8.0)
Operations
- references/operations/drupal-setup.md - Drupal setup operations
- references/operations/drupal-audits.md - Drupal quality audit operations
- references/operations/drupal-security.md - Drupal security (10 layers, v2.0.0)
- references/operations/drupal-tdd.md - Drupal TDD workflow
- references/operations/nextjs-setup.md - Next.js setup operations
- references/operations/nextjs-audits.md - Next.js quality audit operations
- references/operations/nextjs-security.md - Next.js security (7 layers, v2.0.0)
- references/operations/nextjs-tdd.md - Next.js TDD workflow
Online Dev-Guides (Drupal Domain)
For deeper Drupal-specific patterns beyond tool commands, fetch the guide index:
Index: https://camoa.github.io/dev-guides/llms.txt
Likely relevant topics: solid-principles, dry-principles, security, testing, tdd, js-development, github-actions
Usage: WebFetch the index to discover available topics, then fetch specific topic pages when explaining violations, suggesting fixes, or providing architectural context.
Decision Guides
- decision-guides/test-type-selection.md - Unit vs Kernel vs Functional decision tree
- decision-guides/quality-audit-checklist.md - When to run what (pre-commit vs pre-merge)
Templates
Drupal
- templates/drupal/phpstan.neon - PHPStan 2.x config (extensions auto-load)
- templates/drupal/phpmd.xml - PHPMD ruleset for Drupal
- templates/drupal/phpunit.xml - PHPUnit config with testsuites
- templates/ci/github-drupal.yml - GitHub Actions workflow with security tools
Next.js
- templates/nextjs/eslint.config.js - ESLint v9 flat config with TypeScript + security
- templates/nextjs/jest.config.js - Jest config with coverage thresholds
- templates/nextjs/jest.setup.js - Jest setup with Testing Library
- templates/nextjs/.prettierrc - Prettier config with Tailwind plugin
What's New in v2.1.0
Phase 3 - Optional DAST Tools (NEW!):
- ✅ OWASP ZAP (full DAST scanner for pre-production)
- ✅ Nuclei (template-based CVE and misconfiguration scanning)
- ✅ Comprehensive documentation with usage examples
- ✅ CI/CD integration guides (GitHub Actions, GitLab)
- ✅ Pre-release checklist script
DAST Coverage:
- Pre-production security testing
- Runtime vulnerability detection
- OWASP Top 10 dynamic testing
- 1000+ CVE templates (Nuclei)
See references/operations/dast-tools.md for full documentation.
What's New in v2.0.0
Progressive Disclosure Refactoring:
- ✅ SKILL.md: 632 → 234 lines (63% reduction)
- ✅ 9 reference files created with full documentation
- ✅ Plugin-creation-tools compliance (16/16 criteria)
Phase 1 - Cross-Stack Security Tools:
- ✅ Semgrep SAST (20,000+ security rules for PHP, React, JS, TS)
- ✅ Trivy scanner (dependency/container/secret scanner)
- ✅ Gitleaks (secret detection with 800+ patterns)
Phase 2 - Enhancement Tools:
- ✅ Roave Security Advisories (Drupal - Composer prevention layer)
- ✅ Socket CLI (Next.js - supply chain attack detection)
Security Coverage:
- Drupal: 40% → 90% (10 security layers)
- Next.js: 0% → 85% (7 security layers)
See .work-in-progress-v2.0.0.md for full implementation details.