Name: Code Review
Author: hiroshiyui

name	code-review
description	Perform a project-wide code review covering security, correctness, code quality, tests, documentation, and style.

When performing a project-wide code review of bypass, always follow these steps:

Survey recent changes — Run git log --oneline -20 and skim the corresponding diffs to understand the scope of work before examining individual files. Cross-reference against doc/ROADMAP.md to confirm the change belongs to the current phase/milestone.
Security audit — Apply the security-audit skill. Give particular attention to:
- Plaintext handling: decrypted secrets must live in zeroize'd buffers and never reach println!, dbg!, log, panic messages, or any non-tempfile path. Tempfiles used by edit must live on a tmpfs / O_TMPFILE path where possible and be unlinked before the editor exits.
- GPG subprocess invocation: arguments must be passed as a Vec<&str> (never a shell string); stdin is the only acceptable channel for plaintext entering gpg; environment must respect GNUPGHOME and not leak through to child processes that don't need it.
- Path traversal: every entry name from the user must be resolved against the store root and rejected if it escapes (.., absolute paths, symlinks pointing outside the store).
- Recipient resolution: .gpg-id lookup must walk up from the entry path and stop at the store root — never silently fall through to a default key.
- Clipboard auto-clear: the clear path must run even on SIGINT / panic; the prior clipboard contents must be restored, not blanked.
Correctness and logic — Review the Rust implementation for:
- Pass compatibility: on-disk layout must match pass — <path>/<name>.gpg, .gpg-id files, optional .gpg-id.sig. A store created by pass must be readable by bypass and vice-versa.
- Error propagation: anyhow::Result at command boundaries, typed thiserror errors for library modules (gpg, store, git). No unwrap() / expect() in non-test code where a meaningful error could be propagated.
- Git integration: every mutation (insert, edit, rm, cp, mv, generate) must produce exactly one commit with a meaningful message; failures must leave the working tree in a consistent state (no half-written .gpg file without a matching commit).
- 2024 edition idioms: the crate targets edition 2024 — flag any patterns copied from older examples that won't compile (e.g., outdated gen keyword usage, lifetime elision changes).
Code smells — Flag any of the following:
- Duplicated logic that should be extracted into a shared helper.
- Functions exceeding roughly 60 lines without clear justification.
- Magic numbers (clipboard clear timeout, generated password length, etc.) appearing in multiple places without a named constant.
- Hard-coded paths instead of dirs::home_dir() / PASSWORD_STORE_DIR resolution.
- Dead code or stale commented-out blocks.
Test coverage — Verify that:
- New logic has unit tests co-located in the same file under #[cfg(test)] mod tests.
- Tests touching GPG set a throwaway GNUPGHOME via tempfile::TempDir and never read or write the user's real keyring.
- Tests touching the store set PASSWORD_STORE_DIR to a tempdir, not ~/.password-store.
- Integration tests live under tests/ and exercise full command flows (e.g., init → insert → show round-trip).
Documentation quality — Confirm that:
- Public items in store, gpg, git, and entry modules carry /// doc comments.
- CLAUDE.md is updated for any new locked-in decision or gotcha.
- doc/ROADMAP.md checkboxes are ticked for completed milestone items.
CLI UX — Review clap definitions for:
- Subcommand names and flags matching pass where the semantics match (-c for clipboard, --in-place for generate, etc.) — divergence requires a written reason.
- Help text that names the entry path argument consistently (e.g., always <path>, never sometimes <name>).
- Confirmation prompts on destructive operations (rm, overwrite on insert).
Code style — Confirm that formatting rules are observed:
- Code must be cargo fmt-clean.
- cargo clippy --all-targets -- -D warnings must pass.
- Any #[allow(clippy::...)] suppression must be accompanied by a comment explaining why the lint is a false positive in that context.
Report findings — Present all identified issues grouped by category: Security, Correctness, Code Smell, Tests, Documentation, CLI UX, and Style. Assign each a severity of Critical, High, Medium, or Low. For every finding, include the file path and line number, a clear description of the problem, and a concrete recommendation for how to fix it.

name	code-review
description	Perform a project-wide code review covering security, correctness, code quality, tests, documentation, and style.

When performing a project-wide code review of bypass, always follow these steps:

Survey recent changes — Run git log --oneline -20 and skim the corresponding diffs to understand the scope of work before examining individual files. Cross-reference against doc/ROADMAP.md to confirm the change belongs to the current phase/milestone.
Security audit — Apply the security-audit skill. Give particular attention to:
- Plaintext handling: decrypted secrets must live in zeroize'd buffers and never reach println!, dbg!, log, panic messages, or any non-tempfile path. Tempfiles used by edit must live on a tmpfs / O_TMPFILE path where possible and be unlinked before the editor exits.
- GPG subprocess invocation: arguments must be passed as a Vec<&str> (never a shell string); stdin is the only acceptable channel for plaintext entering gpg; environment must respect GNUPGHOME and not leak through to child processes that don't need it.
- Path traversal: every entry name from the user must be resolved against the store root and rejected if it escapes (.., absolute paths, symlinks pointing outside the store).
- Recipient resolution: .gpg-id lookup must walk up from the entry path and stop at the store root — never silently fall through to a default key.
- Clipboard auto-clear: the clear path must run even on SIGINT / panic; the prior clipboard contents must be restored, not blanked.
Correctness and logic — Review the Rust implementation for:
- Pass compatibility: on-disk layout must match pass — <path>/<name>.gpg, .gpg-id files, optional .gpg-id.sig. A store created by pass must be readable by bypass and vice-versa.
- Error propagation: anyhow::Result at command boundaries, typed thiserror errors for library modules (gpg, store, git). No unwrap() / expect() in non-test code where a meaningful error could be propagated.
- Git integration: every mutation (insert, edit, rm, cp, mv, generate) must produce exactly one commit with a meaningful message; failures must leave the working tree in a consistent state (no half-written .gpg file without a matching commit).
- 2024 edition idioms: the crate targets edition 2024 — flag any patterns copied from older examples that won't compile (e.g., outdated gen keyword usage, lifetime elision changes).
Code smells — Flag any of the following:
- Duplicated logic that should be extracted into a shared helper.
- Functions exceeding roughly 60 lines without clear justification.
- Magic numbers (clipboard clear timeout, generated password length, etc.) appearing in multiple places without a named constant.
- Hard-coded paths instead of dirs::home_dir() / PASSWORD_STORE_DIR resolution.
- Dead code or stale commented-out blocks.
Test coverage — Verify that:
- New logic has unit tests co-located in the same file under #[cfg(test)] mod tests.
- Tests touching GPG set a throwaway GNUPGHOME via tempfile::TempDir and never read or write the user's real keyring.
- Tests touching the store set PASSWORD_STORE_DIR to a tempdir, not ~/.password-store.
- Integration tests live under tests/ and exercise full command flows (e.g., init → insert → show round-trip).
Documentation quality — Confirm that:
- Public items in store, gpg, git, and entry modules carry /// doc comments.
- CLAUDE.md is updated for any new locked-in decision or gotcha.
- doc/ROADMAP.md checkboxes are ticked for completed milestone items.
CLI UX — Review clap definitions for:
- Subcommand names and flags matching pass where the semantics match (-c for clipboard, --in-place for generate, etc.) — divergence requires a written reason.
- Help text that names the entry path argument consistently (e.g., always <path>, never sometimes <name>).
- Confirmation prompts on destructive operations (rm, overwrite on insert).
Code style — Confirm that formatting rules are observed:
- Code must be cargo fmt-clean.
- cargo clippy --all-targets -- -D warnings must pass.
- Any #[allow(clippy::...)] suppression must be accompanied by a comment explaining why the lint is a false positive in that context.
Report findings — Present all identified issues grouped by category: Security, Correctness, Code Smell, Tests, Documentation, CLI UX, and Style. Assign each a severity of Critical, High, Medium, or Low. For every finding, include the file path and line number, a clear description of the problem, and a concrete recommendation for how to fix it.

code-review

Mehr aus diesem Repository

Mehr aus diesem Repository