code-quality-setup

Use when setting up or configuring code quality tools (formatters, linters, type checkers, dependency scanners) for a repository. Also use when adding visual accessibility automation or security baseline scanning. Do not use for general coding or when tools are already configured.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "code-quality-setup" with this command: npx skills add metyatech/skill-code-quality-setup/metyatech-skill-code-quality-setup-code-quality-setup

Code quality setup

Per-language toolchain

Use the standard toolchain for each language in the repository.

JavaScript / TypeScript (incl. React/Next)

  • Format+lint: ESLint + Prettier.
  • When configuring Prettier, always add and maintain .prettierignore so generated/build outputs and composed files are not formatted/linted as source (e.g., dist/, build artifacts, and AGENTS.md when generated by compose-agentsmd).
  • Typecheck: tsc with strict settings for TS projects.
  • Dependency scan: osv-scanner. If unsupported, use the package manager's audit tooling.

Python

  • Format+lint: Ruff.
  • Typecheck: Pyright.
  • Dependency scan: pip-audit.

Go

  • Format: gofmt.
  • Lint/static analysis: golangci-lint (includes staticcheck).
  • Dependency scan: govulncheck.

Rust

  • Format: cargo fmt.
  • Lint/static analysis: cargo clippy with warnings as errors.
  • Dependency scan: cargo audit.

Java

  • Format: Spotless + google-java-format.
  • Lint/static analysis: Checkstyle + SpotBugs.
  • Dependency scan: OWASP Dependency-Check.

Kotlin

  • Format: Spotless + ktlint.
  • Lint/static analysis: detekt.
  • Compiler: enable warnings-as-errors in CI; if impractical, get explicit user approval before relaxing.

C#

  • Format: dotnet format (run with --verify-no-changes in CI).
  • Lint/static analysis: enable .NET analyzers; treat warnings as errors; enable nullable reference types.
  • Dependency scan: dotnet list package --vulnerable.

C++

  • Format: clang-format.
  • Lint/static analysis: clang-tidy.
  • Build: enable strong warnings and treat them as errors; run sanitizers (ASan/UBSan) in CI where supported.

PowerShell

  • Format+lint: PSScriptAnalyzer (Invoke-Formatter + Invoke-ScriptAnalyzer).
  • Runtime: Set-StrictMode -Version Latest; fail fast on errors.
  • Tests: Pester when tests exist.
  • Enforce PSScriptAnalyzer via the repo's standard verify command/script when PowerShell is used; treat findings as errors.

Shell (sh/bash)

  • Format: shfmt.
  • Lint: shellcheck.

Dockerfile

  • Lint: hadolint.

Terraform

  • Format: terraform fmt -check.
  • Validate: terraform validate.
  • Lint: tflint.
  • Security scan: trivy config.

YAML

  • Lint: yamllint.

Markdown

  • Lint: markdownlint.

Design and visual accessibility automation

Apply this section to projects with web UI components only.

  • Enforce automated visual accessibility checks as part of the repo-standard verify command and CI.
  • Use route discovery (sitemap, generated route lists, or framework route manifests) so newly added pages are automatically included.
  • Validate both light and dark themes when theme switching is supported.
  • Validate at least default, hover, and focus states for interactive elements.
  • Enforce non-text boundary contrast checks across all visible UI elements that present boundaries (including interactive controls and container-like elements), not only predefined component classes.
  • Use broad DOM discovery with only minimal technical exclusions (hidden/zero-size/non-rendered nodes).
  • Fail CI on violations; do not silently ignore design regressions.
  • If temporary exclusions are unavoidable, keep them narrowly scoped, documented with rationale, and remove them promptly.

Security baseline

  • Require dependency vulnerability scanning appropriate to the ecosystem (SCA) for merges. If unavailable, report the limitation and get explicit user approval.
  • Enable GitHub secret scanning and remediate findings; never commit secrets. If unavailable, add a repo-local secret scanner.
  • Enable CodeQL code scanning for supported languages. If unavailable, use the best alternative for that ecosystem.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
