azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
75ce1c2fd5d6d49e863d30f4a16056c49c04e982
claudetools/.claude/agents/CODE_REVIEW_ST_TESTING.md
Mike Swanson 75ce1c2fd5 feat: Add Sequential Thinking to Code Review + Frontend Validation 
Enhanced code review and frontend validation with intelligent triggers:

Code Review Agent Enhancement:
- Added Sequential Thinking MCP integration for complex issues
- Triggers on 2+ rejections or 3+ critical issues
- New escalation format with root cause analysis
- Comprehensive solution strategies with trade-off evaluation
- Educational feedback to break rejection cycles
- Files: .claude/agents/code-review.md (+308 lines)
- Docs: CODE_REVIEW_ST_ENHANCEMENT.md, CODE_REVIEW_ST_TESTING.md

Frontend Design Skill Enhancement:
- Automatic invocation for ANY UI change
- Comprehensive validation checklist (200+ checkpoints)
- 8 validation categories (visual, interactive, responsive, a11y, etc.)
- 3 validation levels (quick, standard, comprehensive)
- Integration with code review workflow
- Files: .claude/skills/frontend-design/SKILL.md (+120 lines)
- Docs: UI_VALIDATION_CHECKLIST.md (462 lines), AUTOMATIC_VALIDATION_ENHANCEMENT.md (587 lines)

Settings Optimization:
- Repaired .claude/settings.local.json (fixed m365 pattern)
- Reduced permissions from 49 to 33 (33% reduction)
- Removed duplicates, sorted alphabetically
- Created SETTINGS_PERMISSIONS.md documentation

Checkpoint Command Enhancement:
- Dual checkpoint system (git + database)
- Saves session context to API for cross-machine recall
- Includes git metadata in database context
- Files: .claude/commands/checkpoint.md (+139 lines)

Decision Rationale:
- Sequential Thinking MCP breaks rejection cycles by identifying root causes
- Automatic frontend validation catches UI issues before code review
- Dual checkpoints enable complete project memory across machines
- Settings optimization improves maintainability

Total: 1,200+ lines of documentation and enhancements

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-17 16:23:52 -07:00

390 lines
11 KiB
Markdown
Raw Blame History

# Code Review Agent - Sequential Thinking Testing
This document demonstrates the enhanced Code Review Agent with Sequential Thinking MCP integration.
**Last Updated:** 2026-01-17
---
## Test Scenarios
### Scenario 1: Simple Issue (No ST Required)
**Code Submitted:**
```python
def calculate_tax(amount):
return amount * 0.08
```
**Issues:**
- Missing type hints
- No docstring
- Magic number (0.08)
**Expected Behavior:** Code reviewer fixes directly, approves
**ST Triggered:** NO (simple, first review)
**Review Result:**
```python
def calculate_tax(amount: Decimal) -> Decimal:
"""Calculate sales tax on given amount.
Args:
amount: Pre-tax amount
Returns:
Tax amount (8% rate)
"""
TAX_RATE = Decimal("0.08")
return amount * TAX_RATE
```
**Status:** APPROVED (after minor fixes)
---
### Scenario 2: First Rejection (Standard Escalation)
**Code Submitted:**
```python
def login(username, password):
user = db.query(f"SELECT * FROM users WHERE name='{username}'")
if user and user.password == password:
return True
return False
```
**Issues:**
- SQL injection vulnerability
- Plaintext password comparison
**Expected Behavior:** Standard escalation format
**ST Triggered:** NO (only 1 critical issue per category, first review)
**Review Result:**
```markdown
## Code Review - Requires Revision
**Specification Compliance:** FAIL
**Security:** CRITICAL ISSUES
### CRITICAL: SQL Injection
- **Location:** login function, line 2
- **Problem:** String interpolation in SQL query
- **Impact:** Database compromise possible
- **Required Fix:** Use parameterized queries
### CRITICAL: Plaintext Password
- **Location:** login function, line 3
- **Problem:** Direct password comparison
- **Impact:** Passwords should be hashed (bcrypt)
- **Required Fix:** Hash passwords, use secure comparison
**Checklist:**
- [ ] Parameterized SQL queries
- [ ] Bcrypt password hashing
```
**Status:** ESCALATED (standard format)
---
### Scenario 3: Second Rejection (ST TRIGGERED)
**Code Resubmitted After Fix:**
```python
def login(username, password):
user = db.query("SELECT * FROM users WHERE name=?", username)
if user and bcrypt.checkpw(password, user.password):
session['user'] = username
return True
return False
```
**Issues:**
- Session management insecure (no token, no expiry)
- No rate limiting (brute force possible)
- Username might not exist (error handling)
**Expected Behavior:** ST TRIGGERED (2nd rejection)
**ST Analysis:**
```
Thought 1: This is the second rejection. First was SQL injection + plaintext
passwords. Now session management issues. Pattern: treating authentication
as simple data retrieval rather than security-critical component.
Thought 2: Root cause is mental model problem. Coding Agent fixing surface
issues but missing the security-first mindset required for authentication.
Thought 3: Need comprehensive authentication pattern, not incremental fixes.
Thought 4: Should provide complete example with security threat model
explanation to shift mental model.
Thought 5: Include: parameterized queries (done), bcrypt (done), session
tokens (missing), rate limiting (missing), input validation (missing),
timing-safe comparison (missing).
Thought 6: Enhanced escalation format with educational context needed.
```
**Review Result:**
```markdown
## Code Review - Requires Revision (Complex Issues Analyzed)
**Review Iteration:** 2 (USING SEQUENTIAL THINKING ANALYSIS)
**Reason:** 2nd rejection - pattern indicates mental model mismatch
## Root Cause Analysis
**Surface Issues:**
- Insecure session management
- No brute force protection
- Missing input validation
**Root Cause:**
Authentication is being treated as a CRUD operation (create/read user)
rather than a security-critical component with an active threat model.
**Why Previous Attempts Failed:**
Incremental security fixes without understanding the holistic security
requirements for authentication systems.
## Comprehensive Solution Strategy
**Recommended Approach:**
Implement complete authentication system with defense-in-depth:
- JWT tokens (not simple sessions)
- Rate limiting (prevent brute force)
- Input validation (prevent injection beyond SQL)
- Timing-safe comparison (prevent timing attacks)
- Audit logging (security monitoring)
**Why This Approach:**
- Addresses all OWASP authentication risks
- Provides defense-in-depth
- Industry standard pattern
**Complete Example:**
```python
from datetime import datetime, timedelta
import jwt
import bcrypt
from functools import wraps
from typing import Optional
# Rate limiting decorator
def rate_limit(max_attempts=5, window_minutes=15):
attempts = {}
def decorator(func):
@wraps(func)
def wrapper(username, *args, **kwargs):
now = datetime.now()
if username in attempts:
count, first = attempts[username]
if (now - first) < timedelta(minutes=window_minutes):
if count >= max_attempts:
raise Exception("Rate limit exceeded")
attempts[username] = (count + 1, first)
else:
attempts[username] = (1, now)
else:
attempts[username] = (1, now)
return func(username, *args, **kwargs)
return wrapper
return decorator
@rate_limit(max_attempts=5, window_minutes=15)
def login(username: str, password: str) -> Optional[str]:
"""Authenticate user and return JWT token.
Security measures:
- Parameterized queries (SQL injection prevention)
- Bcrypt password hashing (credential theft protection)
- Rate limiting (brute force prevention)
- Input validation (injection prevention)
- JWT tokens (secure session management)
- Timing-safe comparison (timing attack prevention)
Args:
username: User's username (validated)
password: User's plaintext password
Returns:
JWT token string if authenticated, None otherwise
Raises:
ValueError: If inputs are invalid
Exception: If rate limit exceeded
"""
# Input validation
if not username or not isinstance(username, str):
raise ValueError("Invalid username")
if len(username) > 50:
raise ValueError("Username too long")
if not password or len(password) < 8:
raise ValueError("Invalid password")
# Parameterized query (SQL injection prevention)
user = db.query(
"SELECT id, username, password_hash FROM users WHERE username = ?",
params=(username,)
)
# Timing-safe comparison to prevent timing attacks
if not user:
# Run bcrypt anyway to prevent timing leak
bcrypt.checkpw(b"dummy", bcrypt.hashpw(b"dummy", bcrypt.gensalt()))
return None
# Bcrypt comparison (secure password verification)
if not bcrypt.checkpw(password.encode(), user.password_hash):
return None
# Generate JWT token (secure session management)
token = jwt.encode({
'user_id': user.id,
'username': user.username,
'exp': datetime.utcnow() + timedelta(hours=24),
'iat': datetime.utcnow()
}, SECRET_KEY, algorithm='HS256')
# Audit logging (security monitoring)
audit_log.info(f"User {username} logged in", extra={
'user_id': user.id,
'ip': request.remote_addr,
'timestamp': datetime.utcnow()
})
return token
```
## Educational Context
**Key Concept: Defense in Depth**
Authentication is an attack surface. Every decision has security implications.
Multiple layers of defense ensure that if one fails, others protect the system.
**Security Threat Model for Authentication:**
1. SQL Injection → Parameterized queries
2. Credential theft → Password hashing
3. Brute force → Rate limiting
4. Session hijacking → JWT with expiry
5. Timing attacks → Constant-time comparison
6. Injection attacks → Input validation
7. Forensics → Audit logging
**Why It Matters:**
Authentication failures lead to complete system compromise. A single
vulnerability can bypass all other security measures.
**Reference Patterns:**
- OWASP Authentication Cheatsheet
- JWT Best Practices
- Bcrypt/Argon2 for password hashing
```
**Status:** ESCALATED (enhanced format with ST analysis)
---
### Scenario 4: Complex Multiple Issues (ST TRIGGERED)
**Code Submitted:**
```python
def process_orders(user_id):
orders = []
user = db.query(f"SELECT * FROM users WHERE id={user_id}")
for order in db.query("SELECT * FROM orders"):
if order.user_id == user_id:
items = []
for item in db.query("SELECT * FROM items"):
if item.order_id == order.id:
items.append(item)
orders.append({'order': order, 'items': items})
return orders
```
**Issues:**
- SQL injection (user_id)
- N+1 query problem (orders loop)
- N+1 query problem (items loop)
- Missing indexes implied
- Inefficient filtering in Python
- No error handling
- No type hints
**Expected Behavior:** ST TRIGGERED (3+ critical issues, interrelated)
**ST Analysis:**
```
Thought 1: Multiple issues: SQL injection + N+1 queries (2 levels) +
inefficient filtering. These are interrelated - fixing one affects others.
Thought 2: Root cause: fundamental misunderstanding of database query
optimization. Treating database like in-memory collection.
Thought 3: Can't fix incrementally. Need to teach JOIN queries and
query optimization principles.
Thought 4: If I just say "use JOIN", they might not understand why or
how to structure it properly.
Thought 5: Need to show the performance impact (N+1 = 1000 orders * 100 items
= 100,000 queries vs 1 JOIN query), explain query planning, and provide
complete rewrite.
Thought 6: Also opportunity to teach about ORM vs raw SQL trade-offs.
```
**Review Result:** [Enhanced escalation format with performance analysis,
query optimization education, and complete JOIN example]
**Status:** ESCALATED (enhanced format with ST analysis)
---
## Testing Checklist
When testing the enhanced code reviewer:
- [ ] Test simple issues (no ST, direct fix)
- [ ] Test first rejection (standard escalation)
- [ ] Test second rejection (ST triggered, enhanced format)
- [ ] Test 3+ critical issues (ST triggered, complexity)
- [ ] Test architectural issues (ST for trade-off analysis)
- [ ] Verify enhanced format includes root cause analysis
- [ ] Verify comprehensive examples in feedback
- [ ] Verify educational context in complex cases
---
## Expected Behavior Summary
| Scenario | Rejection Count | Issue Complexity | ST Triggered? | Format Used |
|----------|----------------|------------------|---------------|-------------|
| Simple formatting | 0 | Low | NO | Direct fix |
| First security issue | 0 | Medium | NO | Standard escalation |
| Second rejection | 2 | Medium | YES | Enhanced escalation |
| 3+ critical issues | 0-1 | High | YES | Enhanced escalation |
| Architectural trade-offs | 0-1 | High | YES | Enhanced escalation |
| Complex interrelated | 0-1 | Very High | YES | Enhanced escalation |
---
## Success Metrics
Enhanced code reviewer should:
1. **Reduce rejection cycles** - ST analysis breaks patterns faster
2. **Provide better education** - Comprehensive examples teach patterns
3. **Identify root causes** - Not just symptoms
4. **Make better architectural decisions** - Trade-off analysis with ST
5. **Save tokens overall** - Fewer rejections = less total token usage
---
**Last Updated:** 2026-01-17
**Status:** Ready for Testing
Reference in New Issue View Git Blame Copy Permalink