# Code Quality Audit

Run quality and security audits for Drupal and Next.js projects with consistent tooling and reporting.

## Quick Commands

For direct access, use these commands:

- `/code-quality:setup` - First-time setup wizard (install and configure tools)
- `/code-quality:audit` - Run full audit (all 22 operations)
- `/code-quality:coverage` - Check test coverage
- `/code-quality:security` - Security scan (10 layers for Drupal, 7 for Next.js)
- `/code-quality:lint` - Code standards check
- `/code-quality:solid` - Architecture and SOLID principles check
- `/code-quality:dry` - Find code duplication
- `/code-quality:tdd` - Start TDD workflow (test watcher mode)

For conversational workflows, continue reading...
## When to Use

Drupal projects:

- "Setup quality tools" / "Install PHPStan"
- "Run code audit" / "Check code quality"
- "Check coverage" / "What's my coverage?"
- "Find SOLID violations" / "Check complexity"
- "Check duplication" / "DRY check"
- "Lint code" / "Check coding standards"
- "Fix deprecations" / "Run rector"
- "Start TDD" / "RED-GREEN-REFACTOR"
- "Check security" / "Find vulnerabilities" / "OWASP audit"

Next.js projects:

- "Setup quality tools" / "Install ESLint"
- "Run code audit" / "Check code quality"
- "Check coverage" / "Run Jest coverage"
- "Find SOLID violations" / "Check complexity" / "Check circular deps"
- "Lint code" / "Run ESLint"
- "Check duplication" / "DRY check"
- "Start TDD" / "Jest watch mode"
- "Check security" / "Find vulnerabilities" / "OWASP audit"
## Quick Reference

### Drupal Scripts

| Task | Script | Details |
|------|--------|---------|
| Setup tools | `scripts/core/install-tools.sh` | See Drupal Setup |
| Full audit | `scripts/core/full-audit.sh` | See Full Audit |
| Coverage | `scripts/drupal/coverage-report.sh` | See Coverage Check |
| SOLID check | `scripts/drupal/solid-check.sh` | See SOLID Check |
| DRY check | `scripts/drupal/dry-check.sh` | See DRY Check |
| Lint check | `scripts/drupal/lint-check.sh` | See Lint Check |
| Fix deprecations | `scripts/drupal/rector-fix.sh` | See Rector Fix |
| TDD cycle | `scripts/drupal/tdd-workflow.sh` | See TDD Workflow |
| Security audit | `scripts/drupal/security-check.sh` | See Security Audit (10 layers) |

### Next.js Scripts

| Task | Script | Details |
|------|--------|---------|
| Setup tools | `scripts/core/install-tools.sh` | See Next.js Setup |
| Full audit | `scripts/core/full-audit.sh` | See Full Audit |
| Coverage | `scripts/nextjs/coverage-report.sh` | See Coverage Check |
| SOLID check | `scripts/nextjs/solid-check.sh` | See SOLID Check |
| Lint check | `scripts/nextjs/lint-check.sh` | See Lint Check |
| DRY check | `scripts/nextjs/dry-check.sh` | See DRY Check |
| TDD cycle | `scripts/nextjs/tdd-workflow.sh` | See TDD Workflow |
| Security audit | `scripts/nextjs/security-check.sh` | See Security Audit (7 layers) |
## Before Any Operation

Drupal:

- Locate Drupal root: check `web/core/lib/Drupal.php` or `docroot/core/lib/Drupal.php`
- Verify DDEV: `ddev describe`
- Create reports directory: `mkdir -p .reports && echo ".reports/" >> .gitignore`

Next.js:

- Verify npm: `npm --version`
- Create reports directory: `mkdir -p .reports && echo ".reports/" >> .gitignore`
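The Drupal preflight steps above, combined into one Python helper as an added example (this is not one of the plugin's scripts). It assumes the two core marker paths listed above and the `.reports/` directory name from the page; unlike the `echo ... >> .gitignore` form, it adds the ignore entry only when it is not already present, so repeated runs do not accumulate duplicate lines.

```python
"""Preflight helpers for the Drupal checks above (added example, not plugin code).

Assumptions: the Drupal root is the directory holding core/lib/Drupal.php under
web/ or docroot/, and the reports directory is .reports/ as on the page.
"""
import os
import subprocess

# Candidate core locations relative to a project root, as listed on the page.
DRUPAL_CORE_MARKERS = ("web/core/lib/Drupal.php", "docroot/core/lib/Drupal.php")


def find_drupal_root(start):
    """Walk upward from `start` looking for a core marker.

    Returns the Drupal root (the web/ or docroot/ directory), or None.
    """
    current = os.path.abspath(start)
    while True:
        for marker in DRUPAL_CORE_MARKERS:
            candidate = os.path.join(current, marker)
            if os.path.isfile(candidate):
                # candidate is <root>/core/lib/Drupal.php: strip three components
                return os.path.dirname(os.path.dirname(os.path.dirname(candidate)))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root without a match
            return None
        current = parent


def ddev_available():
    """Return True when `ddev describe` exits 0, i.e. a DDEV project is configured."""
    try:
        result = subprocess.run(["ddev", "describe"], capture_output=True, check=False)
    except FileNotFoundError:  # ddev binary not installed
        return False
    return result.returncode == 0


def ensure_reports_dir(project_root, reports_dir=".reports"):
    """Create the reports directory and ignore it in git exactly once.

    Returns (path, added); `added` is True only when a .gitignore line was written.
    """
    path = os.path.join(project_root, reports_dir)
    os.makedirs(path, exist_ok=True)

    gitignore = os.path.join(project_root, ".gitignore")
    entry = reports_dir.rstrip("/") + "/"
    content = ""
    if os.path.exists(gitignore):
        with open(gitignore, encoding="utf-8") as fh:
            content = fh.read()
    # Accept either ".reports/" or ".reports" as an existing ignore rule.
    existing = {line.strip() for line in content.splitlines()}
    if entry in existing or entry.rstrip("/") in existing:
        return path, False
    with open(gitignore, "a", encoding="utf-8") as fh:
        if content and not content.endswith("\n"):
            fh.write("\n")  # do not glue onto a last line lacking a newline
        fh.write(entry + "\n")
    return path, True


if __name__ == "__main__":
    root = find_drupal_root(os.getcwd())
    print("Drupal root:", root or "not found")
    print("DDEV available:", ddev_available())
    print("Reports dir:", ensure_reports_dir(os.getcwd()))
```

Run it from anywhere inside the project; `find_drupal_root` walks up the tree, so it also works from `web/modules/custom/my_module` when using the scope-targeting approach described later on this page.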
## When to Run What

Read `decision-guides/quality-audit-checklist.md` for detailed guidance.

| Context | What to Run | Time |
|---------|-------------|------|
| Pre-commit | `quality:cs` only | ~5s |
| Pre-push | PHPStan + Unit/Kernel tests | ~2min |
| Pre-merge | Full audit | ~10min |
| Weekly | Full audit + HTML reports | ~15min |
## Scope Targeting

To audit specific modules or components instead of the entire project, see Scope Targeting for three approaches:

- Change directory (recommended) - `cd web/modules/custom/my_module`
- Environment variables - `DRUPAL_MODULES_PATH=path/to/module`
- Full scan (default) - Run from project root

Intelligent detection: Claude detects the current directory and user intent.
## Operations

All detailed operation instructions have been moved to reference files for better organization.

### Drupal Operations

#### Setup & Configuration

- Operation 1: Setup Tools - Install PHPStan, PHPMD, PHPCPD, Coder
- Operation 6: Module-Specific Audit - Scope audit to one module
- Operation 7: Add Composer Scripts - Configure quality scripts
- Operation 8: CI Integration - Setup GitHub Actions

#### Quality Audits

- Operation 2: Full Audit - Run all quality checks
- Operation 3: Coverage Check - Measure test coverage
- Operation 4: SOLID Check - Find principle violations
- Operation 5: DRY Check - Detect code duplication
- Operation 11: Lint Check - Coding standards
- Operation 12: Rector Fix - Auto-fix deprecations

#### Development Workflows

- Operation 10: TDD Workflow - RED-GREEN-REFACTOR cycle

#### Security

- Operation 20: Security Audit - 10 security layers (v2.0.0)
  - Drush `pm:security`, Composer audit
  - yousha/php-security-linter, Psalm taint analysis
  - Custom Drupal patterns, Security Review module
  - Semgrep SAST, Trivy scanner, Gitleaks (v1.8.0)
  - Roave Security Advisories (v2.0.0)

### Next.js Operations

#### Setup & Configuration

- Operation 13: Setup Tools - Install ESLint, Jest, security tools

#### Quality Audits

- Operation 14: Full Audit - Run all quality checks
- Operation 15: Lint Check - ESLint + TypeScript
- Operation 16: Coverage Check - Jest coverage
- Operation 17: DRY Check - Detect duplication
- Operation 19: SOLID Check - Circular deps, complexity

#### Development Workflows

- Operation 18: TDD Workflow - RED-GREEN-REFACTOR with Jest

#### Security

- Operation 21: Security Audit - 7 security layers (v2.0.0)
  - npm audit, ESLint security plugins
  - Semgrep SAST, Trivy scanner, Gitleaks (v1.8.0)
  - Custom React/Next.js patterns (XSS, eval, navigation)
  - Socket CLI (v2.0.0)

### Optional: DAST (Dynamic Testing)

Pre-production security testing for staging environments:

- Operation 22: DAST Tools - Dynamic security testing (v2.1.0)
  - OWASP ZAP (full DAST scanner)
  - Nuclei (template-based CVE scanning)
  - Requires a running application
  - Use before releases on staging/pre-production
## Saving Reports

All reports must follow `schemas/audit-report.schema.json`:

```json
{
  "meta": {
    "project_type": "drupal|nextjs|monorepo",
    "timestamp": "2025-12-19T12:00:00Z",
    "thresholds": { "coverage_minimum": 70, "duplication_max": 5 }
  },
  "summary": {
    "overall_score": "pass|warning|fail",
    "coverage_score": "pass|warning|fail",
    "solid_score": "pass|warning|fail",
    "dry_score": "pass|warning|fail",
    "security_score": "pass|warning|fail"
  },
  "coverage": { "line_coverage": 75.5, "files_analyzed": 45 },
  "solid": { "violations": [] },
  "dry": { "duplication_percentage": 3.2, "clones": [] },
  "security": { "critical": 0, "high": 0, "medium": 3, "low": 5, "issues": [] },
  "recommendations": []
}
```
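A checker for reports in this shape, as an added example (it is not part of the plugin and does not read `schemas/audit-report.schema.json` itself): it verifies that every section and key from the example above is present, that `project_type` and the summary scores use the allowed vocabulary, and then recomputes the summary scores from the raw numbers and the embedded thresholds so a report whose summary disagrees with its own data is caught. The scoring rules in `derive_scores` (the 10-point coverage warning band, the 2x duplication band, critical/high as fail) are assumptions made for this example; the page only fixes the `pass|warning|fail` vocabulary. The sample report is constructed from the example values above.

```python
"""Check an audit report against the shape of schemas/audit-report.schema.json and
derive the summary scores from its thresholds (added example, not plugin code).

The structural checks mirror the example report on the page. The scoring rules in
derive_scores() are assumptions for this example; the schema itself only fixes the
pass|warning|fail vocabulary, not how a score is computed.
"""
import json

SCORES = ("pass", "warning", "fail")  # ordered from best to worst
PROJECT_TYPES = ("drupal", "nextjs", "monorepo")

# Sections and the keys each must carry, taken from the example report above.
REQUIRED = {
    "meta": ("project_type", "timestamp", "thresholds"),
    "summary": ("overall_score", "coverage_score", "solid_score", "dry_score", "security_score"),
    "coverage": ("line_coverage", "files_analyzed"),
    "solid": ("violations",),
    "dry": ("duplication_percentage", "clones"),
    "security": ("critical", "high", "medium", "low", "issues"),
}


def validate_report(report):
    """Return a list of structural problems; an empty list means the report is well-formed."""
    problems = []
    for section, keys in REQUIRED.items():
        if not isinstance(report.get(section), dict):
            problems.append(f"missing section: {section}")
            continue
        problems.extend(f"missing key: {section}.{k}" for k in keys if k not in report[section])
    if not isinstance(report.get("recommendations"), list):
        problems.append("missing section: recommendations")
    if problems:
        return problems
    if report["meta"]["project_type"] not in PROJECT_TYPES:
        problems.append("meta.project_type must be one of " + "|".join(PROJECT_TYPES))
    for key in REQUIRED["summary"]:
        if report["summary"][key] not in SCORES:
            problems.append(f"summary.{key} must be one of " + "|".join(SCORES))
    return problems


def derive_scores(report):
    """Compute summary scores from the raw sections (assumed rules, see module docstring).

    coverage: pass at or above coverage_minimum, warning within 10 points below, else fail
    dry:      pass at or below duplication_max, warning up to twice it, else fail
    solid:    pass with no violations, otherwise warning
    security: fail on any critical/high finding, warning on any medium/low, else pass
    overall:  the worst of the four
    """
    t = report["meta"]["thresholds"]
    cov, dup = report["coverage"]["line_coverage"], report["dry"]["duplication_percentage"]
    sec = report["security"]
    scores = {
        "coverage_score": "pass" if cov >= t["coverage_minimum"]
        else "warning" if cov >= t["coverage_minimum"] - 10 else "fail",
        "solid_score": "pass" if not report["solid"]["violations"] else "warning",
        "dry_score": "pass" if dup <= t["duplication_max"]
        else "warning" if dup <= 2 * t["duplication_max"] else "fail",
        "security_score": "fail" if sec["critical"] or sec["high"]
        else "warning" if sec["medium"] or sec["low"] else "pass",
    }
    scores["overall_score"] = max(scores.values(), key=SCORES.index)
    return scores


def summary_mismatches(report):
    """Return the summary keys whose recorded score differs from the derived one."""
    derived = derive_scores(report)
    return sorted(k for k, v in derived.items() if report["summary"].get(k) != v)


# Constructed sample built from the page's example report, with a concrete summary.
SAMPLE_REPORT = {
    "meta": {
        "project_type": "drupal",
        "timestamp": "2025-12-19T12:00:00Z",
        "thresholds": {"coverage_minimum": 70, "duplication_max": 5},
    },
    "summary": {
        "overall_score": "warning", "coverage_score": "pass", "solid_score": "pass",
        "dry_score": "pass", "security_score": "warning",
    },
    "coverage": {"line_coverage": 75.5, "files_analyzed": 45},
    "solid": {"violations": []},
    "dry": {"duplication_percentage": 3.2, "clones": []},
    "security": {"critical": 0, "high": 0, "medium": 3, "low": 5, "issues": []},
    "recommendations": [],
}


def check_report_file(path):
    """Load a JSON report from disk and return (problems, mismatches)."""
    with open(path, encoding="utf-8") as fh:
        report = json.load(fh)
    problems = validate_report(report)
    return problems, ([] if problems else summary_mismatches(report))


if __name__ == "__main__":
    print("problems:", validate_report(SAMPLE_REPORT))
    print("derived:", derive_scores(SAMPLE_REPORT))
    print("mismatches:", summary_mismatches(SAMPLE_REPORT))
```

For the sample values the derived result is `security_score: warning` (three medium and five low findings, no critical or high) and therefore `overall_score: warning`; a report that records `pass` there would show up in `summary_mismatches`. Point `check_report_file` at a file under `.reports/` to apply the same checks to real output.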
## References

### Core Guidance

- `references/tdd-workflow.md` - RED-GREEN-REFACTOR patterns, test naming, cycle targets
- `references/coverage-metrics.md` - Coverage targets by code type, PCOV vs Xdebug
- `references/dry-detection.md` - Rule of Three, when duplication is OK
- `references/solid-detection.md` - SOLID detection patterns and fixes
- `references/composer-scripts.md` - Ready-to-use composer scripts
- `references/scope-targeting.md` - Target specific modules/components (NEW in v1.8.0)

### Operations

- `references/operations/drupal-setup.md` - Drupal setup operations
- `references/operations/drupal-audits.md` - Drupal quality audit operations
- `references/operations/drupal-security.md` - Drupal security (10 layers, v2.0.0)
- `references/operations/drupal-tdd.md` - Drupal TDD workflow
- `references/operations/nextjs-setup.md` - Next.js setup operations
- `references/operations/nextjs-audits.md` - Next.js quality audit operations
- `references/operations/nextjs-security.md` - Next.js security (7 layers, v2.0.0)
- `references/operations/nextjs-tdd.md` - Next.js TDD workflow

### Online Dev-Guides (Drupal Domain)

For deeper Drupal-specific patterns beyond tool commands, fetch the guide index:

- Index: https://camoa.github.io/dev-guides/llms.txt
- Likely relevant topics: solid-principles, dry-principles, security, testing, tdd, js-development, github-actions
- Usage: WebFetch the index to discover available topics, then fetch specific topic pages when explaining violations, suggesting fixes, or providing architectural context.
### Decision Guides

- `decision-guides/test-type-selection.md` - Unit vs Kernel vs Functional decision tree
- `decision-guides/quality-audit-checklist.md` - When to run what (pre-commit vs pre-merge)

## Templates

### Drupal

- `templates/drupal/phpstan.neon` - PHPStan 2.x config (extensions auto-load)
- `templates/drupal/phpmd.xml` - PHPMD ruleset for Drupal
- `templates/drupal/phpunit.xml` - PHPUnit config with testsuites
- `templates/ci/github-drupal.yml` - GitHub Actions workflow with security tools

### Next.js

- `templates/nextjs/eslint.config.js` - ESLint v9 flat config with TypeScript + security
- `templates/nextjs/jest.config.js` - Jest config with coverage thresholds
- `templates/nextjs/jest.setup.js` - Jest setup with Testing Library
- `templates/nextjs/.prettierrc` - Prettier config with Tailwind plugin
## What's New in v2.1.0

Phase 3 - Optional DAST Tools (NEW!):

- ✅ OWASP ZAP (full DAST scanner for pre-production)
- ✅ Nuclei (template-based CVE and misconfiguration scanning)
- ✅ Comprehensive documentation with usage examples
- ✅ CI/CD integration guides (GitHub Actions, GitLab)
- ✅ Pre-release checklist script

DAST Coverage:

- Pre-production security testing
- Runtime vulnerability detection
- OWASP Top 10 dynamic testing
- 1000+ CVE templates (Nuclei)

See `references/operations/dast-tools.md` for full documentation.

## What's New in v2.0.0

Progressive Disclosure Refactoring:

- ✅ SKILL.md: 632 → 234 lines (63% reduction)
- ✅ 9 reference files created with full documentation
- ✅ Plugin-creation-tools compliance (16/16 criteria)

Phase 1 - Cross-Stack Security Tools:

- ✅ Semgrep SAST (20,000+ security rules for PHP, React, JS, TS)
- ✅ Trivy scanner (dependency/container/secret scanner)
- ✅ Gitleaks (secret detection with 800+ patterns)

Phase 2 - Enhancement Tools:

- ✅ Roave Security Advisories (Drupal - Composer prevention layer)
- ✅ Socket CLI (Next.js - supply chain attack detection)

Security Coverage:

- Drupal: 40% → 90% (10 security layers)
- Next.js: 0% → 85% (7 security layers)

See `.work-in-progress-v2.0.0.md` for full implementation details.