Code Quality Audit

Run quality and security audits for Drupal and Next.js projects with consistent tooling and reporting.

Quick Commands

For direct access, use these commands:

• /code-quality:setup

• First-time setup wizard (install and configure tools)

• /code-quality:audit

• Run full audit (all 22 operations)

• /code-quality:coverage

• Check test coverage

• /code-quality:security

• Security scan (10 layers for Drupal, 7 for Next.js)

• /code-quality:lint

• Code standards check

• /code-quality:solid

• Architecture and SOLID principles check

• /code-quality:dry

• Find code duplication

• /code-quality:tdd

• Start TDD workflow (test watcher mode)

For conversational workflows, continue reading...

When to Use

Drupal projects:

• "Setup quality tools" / "Install PHPStan"

• "Run code audit" / "Check code quality"

• "Check coverage" / "What's my coverage?"

• "Find SOLID violations" / "Check complexity"

• "Check duplication" / "DRY check"

• "Lint code" / "Check coding standards"

• "Fix deprecations" / "Run rector"

• "Start TDD" / "RED-GREEN-REFACTOR"

• "Check security" / "Find vulnerabilities" / "OWASP audit"

Next.js projects:

• "Setup quality tools" / "Install ESLint"

• "Run code audit" / "Check code quality"

• "Check coverage" / "Run Jest coverage"

• "Find SOLID violations" / "Check complexity" / "Check circular deps"

• "Lint code" / "Run ESLint"

• "Check duplication" / "DRY check"

• "Start TDD" / "Jest watch mode"

• "Check security" / "Find vulnerabilities" / "OWASP audit"

Quick Reference

Drupal Scripts

Task Script Details

Setup tools scripts/core/install-tools.sh

See Drupal Setup

Full audit scripts/core/full-audit.sh

See Full Audit

Coverage scripts/drupal/coverage-report.sh

See Coverage Check

SOLID check scripts/drupal/solid-check.sh

See SOLID Check

DRY check scripts/drupal/dry-check.sh

See DRY Check

Lint check scripts/drupal/lint-check.sh

See Lint Check

Fix deprecations scripts/drupal/rector-fix.sh

See Rector Fix

TDD cycle scripts/drupal/tdd-workflow.sh

See TDD Workflow

Security audit scripts/drupal/security-check.sh

See Security Audit (10 layers)

Next.js Scripts

Task Script Details

Setup tools scripts/core/install-tools.sh

See Next.js Setup

Full audit scripts/core/full-audit.sh

See Full Audit

Coverage scripts/nextjs/coverage-report.sh

See Coverage Check

SOLID check scripts/nextjs/solid-check.sh

See SOLID Check

Lint check scripts/nextjs/lint-check.sh

See Lint Check

DRY check scripts/nextjs/dry-check.sh

See DRY Check

TDD cycle scripts/nextjs/tdd-workflow.sh

See TDD Workflow

Security audit scripts/nextjs/security-check.sh

See Security Audit (7 layers)

Before Any Operation

Drupal:

• Locate Drupal root: check web/core/lib/Drupal.php or docroot/core/lib/Drupal.php

• Verify DDEV: ddev describe

• Create reports directory: mkdir -p .reports && echo ".reports/" >> .gitignore

Next.js:

• Verify npm: npm --version

• Create reports directory: mkdir -p .reports && echo ".reports/" >> .gitignore

When to Run What

Read decision-guides/quality-audit-checklist.md for detailed guidance.

Context What to Run Time

Pre-commit quality:cs only ~5s

Pre-push PHPStan + Unit/Kernel tests ~2min

Pre-merge Full audit ~10min

Weekly Full audit + HTML reports ~15min

Scope Targeting

To audit specific modules or components instead of the entire project:

See Scope Targeting for three approaches:

• Change directory (recommended) - cd web/modules/custom/my_module

• Environment variables - DRUPAL_MODULES_PATH=path/to/module

• Full scan (default) - Run from project root

Intelligent detection: Claude detects current directory and user intent.

Operations

All detailed operation instructions have been moved to reference files for better organization.

Drupal Operations

Setup & Configuration

• Operation 1: Setup Tools - Install PHPStan, PHPMD, PHPCPD, Coder

• Operation 6: Module-Specific Audit - Scope audit to one module

• Operation 7: Add Composer Scripts - Configure quality scripts

• Operation 8: CI Integration - Setup GitHub Actions

Quality Audits

• Operation 2: Full Audit - Run all quality checks

• Operation 3: Coverage Check - Measure test coverage

• Operation 4: SOLID Check - Find principle violations

• Operation 5: DRY Check - Detect code duplication

• Operation 11: Lint Check - Coding standards

• Operation 12: Rector Fix - Auto-fix deprecations

Development Workflows

• Operation 10: TDD Workflow - RED-GREEN-REFACTOR cycle

Security

• Operation 20: Security Audit - 10 security layers (v2.0.0)

• Drush pm:security, Composer audit

• yousha/php-security-linter, Psalm taint analysis

• Custom Drupal patterns, Security Review module

• Semgrep SAST, Trivy scanner, Gitleaks (v1.8.0)

• Roave Security Advisories (v2.0.0)

Next.js Operations

Setup & Configuration

• Operation 13: Setup Tools - Install ESLint, Jest, security tools

Quality Audits

• Operation 14: Full Audit - Run all quality checks

• Operation 15: Lint Check - ESLint + TypeScript

• Operation 16: Coverage Check - Jest coverage

• Operation 17: DRY Check - Detect duplication

• Operation 19: SOLID Check - Circular deps, complexity

Development Workflows

• Operation 18: TDD Workflow - RED-GREEN-REFACTOR with Jest

Security

• Operation 21: Security Audit - 7 security layers (v2.0.0)

• npm audit, ESLint security plugins

• Semgrep SAST, Trivy scanner, Gitleaks (v1.8.0)

• Custom React/Next.js patterns (XSS, eval, navigation)

• Socket CLI (v2.0.0)

Optional: DAST (Dynamic Testing)

Pre-production security testing for staging environments

• Operation 22: DAST Tools - Dynamic security testing (v2.1.0)

• OWASP ZAP (full DAST scanner)

• Nuclei (template-based CVE scanning)

• Requires running application

• Use before releases on staging/pre-production

Saving Reports

All reports must follow schemas/audit-report.schema.json :

{ "meta": { "project_type": "drupal|nextjs|monorepo", "timestamp": "2025-12-19T12:00:00Z", "thresholds": { "coverage_minimum": 70, "duplication_max": 5 } }, "summary": { "overall_score": "pass|warning|fail", "coverage_score": "pass|warning|fail", "solid_score": "pass|warning|fail", "dry_score": "pass|warning|fail", "security_score": "pass|warning|fail" }, "coverage": { "line_coverage": 75.5, "files_analyzed": 45 }, "solid": { "violations": [] }, "dry": { "duplication_percentage": 3.2, "clones": [] }, "security": { "critical": 0, "high": 0, "medium": 3, "low": 5, "issues": [] }, "recommendations": [] }

References

Core Guidance

• references/tdd-workflow.md

• RED-GREEN-REFACTOR patterns, test naming, cycle targets

• references/coverage-metrics.md

• Coverage targets by code type, PCOV vs Xdebug

• references/dry-detection.md

• Rule of Three, when duplication is OK

• references/solid-detection.md

• SOLID detection patterns and fixes

• references/composer-scripts.md

• Ready-to-use composer scripts

• references/scope-targeting.md

• Target specific modules/components (NEW in v1.8.0)

Operations

• references/operations/drupal-setup.md

• Drupal setup operations

• references/operations/drupal-audits.md

• Drupal quality audit operations

• references/operations/drupal-security.md

• Drupal security (10 layers, v2.0.0)

• references/operations/drupal-tdd.md

• Drupal TDD workflow

• references/operations/nextjs-setup.md

• Next.js setup operations

• references/operations/nextjs-audits.md

• Next.js quality audit operations

• references/operations/nextjs-security.md

• Next.js security (7 layers, v2.0.0)

• references/operations/nextjs-tdd.md

• Next.js TDD workflow

Online Dev-Guides (Drupal Domain)

For deeper Drupal-specific patterns beyond tool commands, fetch the guide index:

Index: https://camoa.github.io/dev-guides/llms.txt

Likely relevant topics: solid-principles, dry-principles, security, testing, tdd, js-development, github-actions

Usage: WebFetch the index to discover available topics, then fetch specific topic pages when explaining violations, suggesting fixes, or providing architectural context.

Decision Guides

• decision-guides/test-type-selection.md

• Unit vs Kernel vs Functional decision tree

• decision-guides/quality-audit-checklist.md

• When to run what (pre-commit vs pre-merge)

Templates

Drupal

• templates/drupal/phpstan.neon

• PHPStan 2.x config (extensions auto-load)

• templates/drupal/phpmd.xml

• PHPMD ruleset for Drupal

• templates/drupal/phpunit.xml

• PHPUnit config with testsuites

• templates/ci/github-drupal.yml

• GitHub Actions workflow with security tools

Next.js

• templates/nextjs/eslint.config.js

• ESLint v9 flat config with TypeScript + security

• templates/nextjs/jest.config.js

• Jest config with coverage thresholds

• templates/nextjs/jest.setup.js

• Jest setup with Testing Library

• templates/nextjs/.prettierrc

• Prettier config with Tailwind plugin

What's New in v2.1.0

Phase 3 - Optional DAST Tools (NEW!):

• ✅ OWASP ZAP (full DAST scanner for pre-production)

• ✅ Nuclei (template-based CVE and misconfiguration scanning)

• ✅ Comprehensive documentation with usage examples

• ✅ CI/CD integration guides (GitHub Actions, GitLab)

• ✅ Pre-release checklist script

DAST Coverage:

• Pre-production security testing

• Runtime vulnerability detection

• OWASP Top 10 dynamic testing

• 1000+ CVE templates (Nuclei)

See references/operations/dast-tools.md for full documentation.

What's New in v2.0.0

Progressive Disclosure Refactoring:

• ✅ SKILL.md: 632 → 234 lines (63% reduction)

• ✅ 9 reference files created with full documentation

• ✅ Plugin-creation-tools compliance (16/16 criteria)

Phase 1 - Cross-Stack Security Tools:

• ✅ Semgrep SAST (20,000+ security rules for PHP, React, JS, TS)

• ✅ Trivy scanner (dependency/container/secret scanner)

• ✅ Gitleaks (secret detection with 800+ patterns)

Phase 2 - Enhancement Tools:

• ✅ Roave Security Advisories (Drupal - Composer prevention layer)

• ✅ Socket CLI (Next.js - supply chain attack detection)

Security Coverage:

• Drupal: 40% → 90% (10 security layers)

• Next.js: 0% → 85% (7 security layers)

See .work-in-progress-v2.0.0.md for full implementation details.