Runs code quality audits, security scans, test coverage, SOLID/DRY checks, and lints for Drupal (PHPStan, PHPMD, Psalm, Semgrep, Trivy, Gitleaks) and Next.js (ESLint, Jest, Semgrep, Trivy, Gitleaks) projects.
From code-quality-tools

`npx claudepluginhub camoa/claude-skills --plugin code-quality-tools`

This skill is limited to using the following tools:

- decision-guides/quality-audit-checklist.md
- decision-guides/test-type-selection.md
- references/composer-scripts.md
- references/coverage-metrics.md
- references/dry-detection.md
- references/json-schemas.md
- references/operations/dast-tools.md
- references/operations/drupal-audits.md
- references/operations/drupal-security.md
- references/operations/drupal-setup.md
- references/operations/drupal-tdd.md
- references/operations/nextjs-audits.md
- references/operations/nextjs-security.md
- references/operations/nextjs-setup.md
- references/operations/nextjs-tdd.md
- references/scope-targeting.md
- references/solid-detection.md
- references/tdd-workflow.md
- references/tool-comparison.md
- references/troubleshooting.md
Run quality and security audits for Drupal and Next.js projects with consistent tooling and reporting.
For direct access, use these commands:
- `/code-quality:setup` - First-time setup wizard (install and configure tools)
- `/code-quality:audit` - Run full audit (all 22 operations)
- `/code-quality:coverage` - Check test coverage
- `/code-quality:security` - Security scan (10 layers for Drupal, 7 for Next.js)
- `/code-quality:lint` - Code standards check
- `/code-quality:solid` - Architecture and SOLID principles check
- `/code-quality:dry` - Find code duplication
- `/code-quality:tdd` - Start TDD workflow (test watcher mode)
- `/code-quality:review` - Rubric-scored code review (/50 scale with quality gate)
- `/code-quality:generate-review-md` - Generate REVIEW.md for Claude Code's managed Code Review
- `/code-quality:architecture-debate` - Architecture debate (Pragmatist + Purist + Maintainer)

For conversational workflows, continue reading...

Note on Claude Code's built-in `/simplify`: Claude Code ships a built-in `/simplify` skill for quick single-pass code review. `/code-quality:review` is different: it runs automated tools (PHPStan/ESLint), scores across 10 rubric categories with a /50 scale, enforces a quality gate (PASS 35+/FAIL), and writes a persisted report. Use `/simplify` for fast ad-hoc feedback; use `/code-quality:review` when you need a structured, scored, and documented assessment.
Drupal projects:

| Task | Script | Details |
|---|---|---|
| Setup tools | scripts/core/install-tools.sh | See Drupal Setup |
| Full audit | scripts/core/full-audit.sh | See Full Audit |
| Coverage | scripts/drupal/coverage-report.sh | See Coverage Check |
| SOLID check | scripts/drupal/solid-check.sh | See SOLID Check |
| DRY check | scripts/drupal/dry-check.sh | See DRY Check |
| Lint check | scripts/drupal/lint-check.sh | See Lint Check |
| Fix deprecations | scripts/drupal/rector-fix.sh | See Rector Fix |
| TDD cycle | scripts/drupal/tdd-workflow.sh | See TDD Workflow |
| Security audit | scripts/drupal/security-check.sh | See Security Audit (10 layers) |

Next.js projects:

| Task | Script | Details |
|---|---|---|
| Setup tools | scripts/core/install-tools.sh | See Next.js Setup |
| Full audit | scripts/core/full-audit.sh | See Full Audit |
| Coverage | scripts/nextjs/coverage-report.sh | See Coverage Check |
| SOLID check | scripts/nextjs/solid-check.sh | See SOLID Check |
| Lint check | scripts/nextjs/lint-check.sh | See Lint Check |
| DRY check | scripts/nextjs/dry-check.sh | See DRY Check |
| TDD cycle | scripts/nextjs/tdd-workflow.sh | See TDD Workflow |
| Security audit | scripts/nextjs/security-check.sh | See Security Audit (7 layers) |
Drupal:

- `web/core/lib/Drupal.php` or `docroot/core/lib/Drupal.php`
- `ddev describe`
- `mkdir -p .reports && echo ".reports/" >> .gitignore`

Next.js:

- `npm --version`
- `mkdir -p .reports && echo ".reports/" >> .gitignore`

Sandbox users: If Claude Code sandbox mode is enabled, bash scripts that invoke linters (PHPStan, ESLint, Semgrep, Trivy, Gitleaks) require their binary paths to be whitelisted. Add the tool binaries to your `allowedPaths` in `claude_code_config.json` (e.g., `vendor/bin/phpstan`, `/usr/local/bin/semgrep`). DDEV-proxied commands run inside the container and are unaffected.
Read decision-guides/quality-audit-checklist.md for detailed guidance.
| Context | What to Run | Time |
|---|---|---|
| Pre-commit | quality:cs only | ~5s |
| Pre-push | PHPStan + Unit/Kernel tests | ~2min |
| Pre-merge | Full audit | ~10min |
| Weekly | Full audit + HTML reports | ~15min |
To audit specific modules or components instead of the entire project:
See Scope Targeting for three approaches:
- `cd web/modules/custom/my_module`
- `DRUPAL_MODULES_PATH=path/to/module`
- Intelligent detection: Claude detects current directory and user intent.
All detailed operation instructions have been moved to reference files for better organization.
Pre-production security testing for staging environments
All reports must follow schemas/audit-report.schema.json:
```json
{
  "meta": {
    "project_type": "drupal|nextjs|monorepo",
    "timestamp": "2025-12-19T12:00:00Z",
    "thresholds": { "coverage_minimum": 70, "duplication_max": 5 }
  },
  "summary": {
    "overall_score": "pass|warning|fail",
    "coverage_score": "pass|warning|fail",
    "solid_score": "pass|warning|fail",
    "dry_score": "pass|warning|fail",
    "security_score": "pass|warning|fail"
  },
  "coverage": { "line_coverage": 75.5, "files_analyzed": 45 },
  "solid": { "violations": [] },
  "dry": { "duplication_percentage": 3.2, "clones": [] },
  "security": { "critical": 0, "high": 0, "medium": 3, "low": 5, "issues": [] },
  "recommendations": []
}
```
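
An added example (not one of the plugin's own scripts): a CI gate that reads a report with the fields shown above and recomputes the result from the raw numbers instead of trusting `summary.overall_score`. The blocking policy (any critical or high finding, coverage below `coverage_minimum`, duplication above `duplication_max`) and the name `gate` are assumptions; the sample report is constructed.

```python
import json

ALLOWED = ("pass", "warning", "fail")
SCORE_KEYS = ("overall_score", "coverage_score", "solid_score",
              "dry_score", "security_score")

# Constructed sample report using the field names from the page's JSON.
SAMPLE_REPORT = json.loads("""
{
  "meta": {"project_type": "drupal", "timestamp": "2025-12-19T12:00:00Z",
           "thresholds": {"coverage_minimum": 70, "duplication_max": 5}},
  "summary": {"overall_score": "pass", "coverage_score": "pass",
              "solid_score": "pass", "dry_score": "pass", "security_score": "pass"},
  "coverage": {"line_coverage": 64.0, "files_analyzed": 45},
  "solid": {"violations": []},
  "dry": {"duplication_percentage": 3.2, "clones": []},
  "security": {"critical": 0, "high": 1, "medium": 3, "low": 5, "issues": []},
  "recommendations": []
}
""")


def gate(report):
    """Return the list of blocking problems; an empty list means the gate passes."""
    summary = report.get("summary") if isinstance(report, dict) else None
    if not isinstance(summary, dict):
        summary = {}
    problems = [f"summary.{key} is missing or not pass|warning|fail"
                for key in SCORE_KEYS if summary.get(key) not in ALLOWED]
    try:
        limits = report["meta"]["thresholds"]
        cov_min = float(limits["coverage_minimum"])
        dup_max = float(limits["duplication_max"])
        coverage = float(report["coverage"]["line_coverage"])
        duplication = float(report["dry"]["duplication_percentage"])
        blocking = int(report["security"]["critical"]) + int(report["security"]["high"])
    except (KeyError, TypeError, ValueError) as exc:
        return problems + [f"malformed report: {exc!r}"]
    # Assumed policy: decide from the raw numbers, not from the summary strings.
    if coverage < cov_min:
        problems.append(f"line coverage {coverage} below minimum {cov_min}")
    if duplication > dup_max:
        problems.append(f"duplication {duplication} above maximum {dup_max}")
    if blocking > 0:
        problems.append(f"{blocking} critical/high security finding(s)")
    if problems and summary.get("overall_score") == "pass":
        problems.append("summary.overall_score says pass but the details do not")
    return problems
```

In a pipeline, call `gate()` on the parsed report file and exit non-zero when the returned list is not empty.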
- references/tdd-workflow.md - RED-GREEN-REFACTOR patterns, test naming, cycle targets
- references/coverage-metrics.md - Coverage targets by code type, PCOV vs Xdebug
- references/dry-detection.md - Rule of Three, when duplication is OK
- references/solid-detection.md - SOLID detection patterns and fixes
- references/composer-scripts.md - Ready-to-use composer scripts
- references/scope-targeting.md - Target specific modules/components (NEW in v1.8.0)
- references/operations/drupal-setup.md - Drupal setup operations
- references/operations/drupal-audits.md - Drupal quality audit operations
- references/operations/drupal-security.md - Drupal security (10 layers, v2.0.0)
- references/operations/drupal-tdd.md - Drupal TDD workflow
- references/operations/nextjs-setup.md - Next.js setup operations
- references/operations/nextjs-audits.md - Next.js quality audit operations
- references/operations/nextjs-security.md - Next.js security (7 layers, v2.0.0)
- references/operations/nextjs-tdd.md - Next.js TDD workflow

For deeper Drupal-specific patterns beyond tool commands, fetch the guide index:
Index: https://camoa.github.io/dev-guides/llms.txt
Likely relevant topics: solid-principles, dry-principles, security, testing, tdd, js-development, github-actions
Usage: WebFetch the index to discover available topics, then fetch specific topic pages when explaining violations, suggesting fixes, or providing architectural context.
- decision-guides/test-type-selection.md - Unit vs Kernel vs Functional decision tree
- decision-guides/quality-audit-checklist.md - When to run what (pre-commit vs pre-merge)
- templates/drupal/phpstan.neon - PHPStan 2.x config (extensions auto-load)
- templates/drupal/phpmd.xml - PHPMD ruleset for Drupal
- templates/drupal/phpunit.xml - PHPUnit config with testsuites
- templates/ci/github-drupal.yml - GitHub Actions workflow with security tools
- templates/nextjs/eslint.config.js - ESLint v9 flat config with TypeScript + security
- templates/nextjs/jest.config.js - Jest config with coverage thresholds
- templates/nextjs/jest.setup.js - Jest setup with Testing Library
- templates/nextjs/.prettierrc - Prettier config with Tailwind plugin

Phase 3 - Optional DAST Tools (NEW!):
DAST Coverage:
See references/operations/dast-tools.md for full documentation.
Progressive Disclosure Refactoring:
Phase 1 - Cross-Stack Security Tools:
Phase 2 - Enhancement Tools:
Security Coverage:
See .work-in-progress-v2.0.0.md for full implementation details.