From code-quality-tools
Runs code quality audits, security scans, test coverage, SOLID/DRY checks, and lints for Drupal (PHPStan, PHPMD, Psalm, Semgrep, Trivy, Gitleaks) and Next.js (ESLint, Jest, Semgrep, Trivy, Gitleaks) projects.
How this skill is triggered — by the user, by Claude, or both
Slash command
`/code-quality-tools:code-quality-audit`
This skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Run quality and security audits for **Drupal** and **Next.js** projects with consistent tooling and reporting.
- decision-guides/quality-audit-checklist.md
- decision-guides/test-type-selection.md
- references/composer-scripts.md
- references/coverage-metrics.md
- references/dry-detection.md
- references/json-schemas.md
- references/operations/dast-tools.md
- references/operations/drupal-audits.md
- references/operations/drupal-security.md
- references/operations/drupal-setup.md
- references/operations/drupal-tdd.md
- references/operations/nextjs-audits.md
- references/operations/nextjs-security.md
- references/operations/nextjs-setup.md
- references/operations/nextjs-tdd.md
- references/scope-targeting.md
- references/solid-detection.md
- references/tdd-workflow.md
- references/tool-comparison.md
- references/troubleshooting.md
For direct access, use these commands:
- `/code-quality:setup` - First-time setup wizard (install and configure tools)
- `/code-quality:audit` - Run full audit (all 22 operations)
- `/code-quality:coverage` - Check test coverage
- `/code-quality:security` - Security scan (10 layers for Drupal, 7 for Next.js)
- `/code-quality:lint` - Code standards check
- `/code-quality:solid` - Architecture and SOLID principles check
- `/code-quality:dry` - Find code duplication
- `/code-quality:tdd` - Start TDD workflow (test watcher mode)
- `/code-quality:review` - Rubric-scored code review (/50 scale with quality gate)
- `/code-quality:generate-review-md` - Generate REVIEW.md for Claude Code's managed Code Review
- `/code-quality:architecture-debate` - Architecture debate (Pragmatist + Purist + Maintainer)

For conversational workflows, continue reading...
Note — Claude Code's built-in `/simplify`: Claude Code ships a built-in `/simplify` skill for quick single-pass code review. `/code-quality:review` is different: it runs automated tools (PHPStan/ESLint), scores across 10 rubric categories with a /50 scale, enforces a quality gate (PASS 35+/FAIL), and writes a persisted report. Use `/simplify` for fast ad-hoc feedback; use `/code-quality:review` when you need a structured, scored, and documented assessment.
Drupal projects:

| Task | Script | Details |
|---|---|---|
| Setup tools | scripts/core/install-tools.sh | See Drupal Setup |
| Full audit | scripts/core/full-audit.sh | See Full Audit |
| Coverage | scripts/drupal/coverage-report.sh | See Coverage Check |
| SOLID check | scripts/drupal/solid-check.sh | See SOLID Check |
| DRY check | scripts/drupal/dry-check.sh | See DRY Check |
| Lint check | scripts/drupal/lint-check.sh | See Lint Check |
| Fix deprecations | scripts/drupal/rector-fix.sh | See Rector Fix |
| TDD cycle | scripts/drupal/tdd-workflow.sh | See TDD Workflow |
| Security audit | scripts/drupal/security-check.sh | See Security Audit (10 layers) |

Next.js projects:

| Task | Script | Details |
|---|---|---|
| Setup tools | scripts/core/install-tools.sh | See Next.js Setup |
| Full audit | scripts/core/full-audit.sh | See Full Audit |
| Coverage | scripts/nextjs/coverage-report.sh | See Coverage Check |
| SOLID check | scripts/nextjs/solid-check.sh | See SOLID Check |
| Lint check | scripts/nextjs/lint-check.sh | See Lint Check |
| DRY check | scripts/nextjs/dry-check.sh | See DRY Check |
| TDD cycle | scripts/nextjs/tdd-workflow.sh | See TDD Workflow |
| Security audit | scripts/nextjs/security-check.sh | See Security Audit (7 layers) |
Drupal:

- `web/core/lib/Drupal.php` or `docroot/core/lib/Drupal.php`
- `ddev describe`
- `mkdir -p .reports && echo ".reports/" >> .gitignore`

Next.js:

- `npm --version`
- `mkdir -p .reports && echo ".reports/" >> .gitignore`

Sandbox users: If Claude Code sandbox mode is enabled, bash scripts that invoke linters (PHPStan, ESLint, Semgrep, Trivy, Gitleaks) require their binary paths to be whitelisted. Add the tool binaries to your `allowedPaths` in `claude_code_config.json` (e.g., `vendor/bin/phpstan`, `/usr/local/bin/semgrep`). DDEV-proxied commands run inside the container and are unaffected.
Read decision-guides/quality-audit-checklist.md for detailed guidance.
| Context | What to Run | Time |
|---|---|---|
| Pre-commit | quality:cs only | ~5s |
| Pre-push | PHPStan + Unit/Kernel tests | ~2min |
| Pre-merge | Full audit | ~10min |
| Weekly | Full audit + HTML reports | ~15min |
To audit specific modules or components instead of the entire project:
See Scope Targeting for three approaches:
- `cd web/modules/custom/my_module`
- `DRUPAL_MODULES_PATH=path/to/module`
- Intelligent detection: Claude detects current directory and user intent.
All detailed operation instructions have been moved to reference files for better organization.
Pre-production security testing for staging environments
All reports must follow schemas/audit-report.schema.json:
```json
{
  "meta": {
    "project_type": "drupal|nextjs|monorepo",
    "timestamp": "2025-12-19T12:00:00Z",
    "thresholds": { "coverage_minimum": 70, "duplication_max": 5 }
  },
  "summary": {
    "overall_score": "pass|warning|fail",
    "coverage_score": "pass|warning|fail",
    "solid_score": "pass|warning|fail",
    "dry_score": "pass|warning|fail",
    "security_score": "pass|warning|fail"
  },
  "coverage": { "line_coverage": 75.5, "files_analyzed": 45 },
  "solid": { "violations": [] },
  "dry": { "duplication_percentage": 3.2, "clones": [] },
  "security": { "critical": 0, "high": 0, "medium": 3, "low": 5, "issues": [] },
  "recommendations": []
}
```
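
A merge gate over a report in this shape, as an added example that is not part of the skill's own scripts. It assumes a policy the page does not state (block on any `fail` score, any critical or high finding, coverage below `coverage_minimum`, or duplication above `duplication_max`); `gate`, `SAMPLE_REPORT` and the other names are hypothetical.

```python
import json

SCORES = ("pass", "warning", "fail")
SCORE_KEYS = ("overall_score", "coverage_score", "solid_score",
              "dry_score", "security_score")
SEVERITIES = ("critical", "high", "medium", "low")
BLOCKING = ("critical", "high")  # assumed policy, not stated on the page

# Constructed sample report using the field names from the page's example.
SAMPLE_REPORT = json.loads("""{
  "meta": {"project_type": "drupal", "timestamp": "2025-12-19T12:00:00Z",
           "thresholds": {"coverage_minimum": 70, "duplication_max": 5}},
  "summary": {"overall_score": "warning", "coverage_score": "pass",
              "solid_score": "pass", "dry_score": "pass",
              "security_score": "warning"},
  "coverage": {"line_coverage": 75.5, "files_analyzed": 45},
  "solid": {"violations": []},
  "dry": {"duplication_percentage": 3.2, "clones": []},
  "security": {"critical": 0, "high": 0, "medium": 3, "low": 5, "issues": []},
  "recommendations": []
}""")


def gate(report):
    """Return blocking reasons ([] = pass); malformed reports fail closed."""
    try:
        summary, security = dict(report["summary"]), dict(report["security"])
        line_cov = float(report["coverage"]["line_coverage"])
        dup = float(report["dry"]["duplication_percentage"])
        cov_min = float(report["meta"]["thresholds"]["coverage_minimum"])
        dup_max = float(report["meta"]["thresholds"]["duplication_max"])
    except (KeyError, TypeError, ValueError) as exc:
        return [f"malformed report: {exc!r}"]
    reasons = []
    for key in SCORE_KEYS:
        if summary.get(key) not in SCORES:
            reasons.append(f"summary.{key} is not pass|warning|fail")
        elif summary[key] == "fail":
            reasons.append(f"summary.{key} is fail")
    for sev in SEVERITIES:
        count = security.get(sev)
        if type(count) is not int or count < 0:
            reasons.append(f"security.{sev} is not a non-negative integer")
        elif count > 0 and sev in BLOCKING:
            reasons.append(f"{count} {sev} security finding(s)")
    if line_cov < cov_min:
        reasons.append(f"line coverage {line_cov} below minimum {cov_min}")
    if dup > dup_max:
        reasons.append(f"duplication {dup} above maximum {dup_max}")
    return reasons
```

A report with a missing section or a non-integer severity count is rejected rather than treated as zero findings, so a scanner that crashed mid-run cannot produce a passing gate.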
- references/tdd-workflow.md - RED-GREEN-REFACTOR patterns, test naming, cycle targets
- references/coverage-metrics.md - Coverage targets by code type, PCOV vs Xdebug
- references/dry-detection.md - Rule of Three, when duplication is OK
- references/solid-detection.md - SOLID detection patterns and fixes
- references/composer-scripts.md - Ready-to-use composer scripts
- references/scope-targeting.md - Target specific modules/components (NEW in v1.8.0)
- references/operations/drupal-setup.md - Drupal setup operations
- references/operations/drupal-audits.md - Drupal quality audit operations
- references/operations/drupal-security.md - Drupal security (10 layers, v2.0.0)
- references/operations/drupal-tdd.md - Drupal TDD workflow
- references/operations/nextjs-setup.md - Next.js setup operations
- references/operations/nextjs-audits.md - Next.js quality audit operations
- references/operations/nextjs-security.md - Next.js security (7 layers, v2.0.0)
- references/operations/nextjs-tdd.md - Next.js TDD workflow

For deeper Drupal-specific patterns beyond tool commands, fetch the guide index:
Index: https://camoa.github.io/dev-guides/llms.txt
Likely relevant topics: solid-principles, dry-principles, security, testing, tdd, js-development, github-actions
Usage: WebFetch the index to discover available topics, then fetch specific topic pages when explaining violations, suggesting fixes, or providing architectural context.
- decision-guides/test-type-selection.md - Unit vs Kernel vs Functional decision tree
- decision-guides/quality-audit-checklist.md - When to run what (pre-commit vs pre-merge)
- templates/drupal/phpstan.neon - PHPStan 2.x config (extensions auto-load)
- templates/drupal/phpmd.xml - PHPMD ruleset for Drupal
- templates/drupal/phpunit.xml - PHPUnit config with testsuites
- templates/ci/github-drupal.yml - GitHub Actions workflow with security tools
- templates/nextjs/eslint.config.js - ESLint v9 flat config with TypeScript + security
- templates/nextjs/jest.config.js - Jest config with coverage thresholds
- templates/nextjs/jest.setup.js - Jest setup with Testing Library
- templates/nextjs/.prettierrc - Prettier config with Tailwind plugin

Phase 3 - Optional DAST Tools (NEW!):
DAST Coverage:
See references/operations/dast-tools.md for full documentation.
Progressive Disclosure Refactoring:
Phase 1 - Cross-Stack Security Tools:
Phase 2 - Enhancement Tools:
Security Coverage:
See .work-in-progress-v2.0.0.md for full implementation details.
`npx claudepluginhub camoa/claude-skills --plugin code-quality-tools`