docs: add ECC cross-analysis for specforge workflow improvements#5
docs: add ECC cross-analysis for specforge workflow improvements#5Censseo wants to merge 4 commits into
Conversation
Analyze everything-claude-code repo to identify actionable improvements for specforge across hooks, security, quality gates, context management, MCP servers, multi-agent orchestration, and CI/CD integration. https://claude.ai/code/session_01EZoFj6PGoyHEZkLhJvj6x3
Add section 12 covering sequential phase orchestration, two-instance kickoff, git worktrees parallelization, model routing by complexity, dynamic context injection, and security-as-system-design patterns. https://claude.ai/code/session_01EZoFj6PGoyHEZkLhJvj6x3
Add 3 categories of improvements based on ECC cross-analysis: Hooks system: - New /specforge.setup-hooks command with 3 profiles (minimal/standard/strict) - PreToolUse hooks: secret detection, linter config protection - PostToolUse hooks: auto-format, TypeScript typecheck - SessionStart/Stop hooks: context loading, coverage reminders - Integrated into setup-skills.md (Phase 3) and setup.md orchestrator New commands: - /specforge.verify: sequential technical quality gates (build → test → lint → typecheck → security → coverage) with tool auto-detection - /specforge.security: OWASP Top 10 audit, secret scanning (12+ patterns), dependency vulnerabilities, auth/authz coverage mapping Framework implementation skills (SKILL.md + references/): - python-django: models, services, DRF, managers, testing with factory_boy - typescript-nextjs: App Router, server/client components, data fetching, MSW - java-springboot: DI, REST controllers, JPA, security, slice testing - golang-api: interfaces, error handling, middleware, table-driven tests https://claude.ai/code/session_01EZoFj6PGoyHEZkLhJvj6x3
…hooks commands - Add /specforge.verify (quality gates) and /specforge.security (security audit) to README and workflows.md - Add /specforge.setup-hooks to setup commands in both files - Update Full Workflow flow diagram to include verify step before validate - Fix Quick Reference: replace incorrect setup-bootstrap with setup-constitution - Add all missing setup sub-commands to Quick Reference (setup-docs, setup-skills, setup-mcp, setup-hooks) - Add breakdown and taskstoissues to Quick Reference - Renumber phases: verify becomes Phase 7, validate becomes Phase 8, fix Phase 9 - Add verify and security to Supporting Workflows quality analysis section https://claude.ai/code/session_01EZoFj6PGoyHEZkLhJvj6x3
There was a problem hiding this comment.
Pull request overview
Adds ECC (Everything Claude Code) cross-analysis takeaways into SpecForge by expanding the setup/workflow docs and introducing new operational commands (verify/security/hooks) plus framework-specific implementation skills.
Changes:
- Add new
/specforge.verify,/specforge.security, and/specforge.setup-hookscommand templates and wire hooks into setup guidance. - Introduce new framework “SKILL.md” packages + reference docs for Next.js, Django, Spring Boot, and Go (testing/data/JPA/errors patterns).
- Update user-facing docs/README workflow diagrams to include the new verification + security steps.
Reviewed changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
| templates/skills/typescript-nextjs/references/testing-patterns.md | Adds Next.js testing reference patterns (Vitest/TL/MSW/Playwright). |
| templates/skills/typescript-nextjs/references/data-fetching.md | Adds Next.js data fetching reference patterns (RSC, caching, actions, errors). |
| templates/skills/typescript-nextjs/SKILL.md | Adds Next.js App Router patterns skill (API routes, validation, security checklist). |
| templates/skills/python-django/references/testing-patterns.md | Adds Django testing reference patterns (factories, DRF, service tests). |
| templates/skills/python-django/references/models-patterns.md | Adds Django model patterns reference (inheritance, validation, migrations, soft delete). |
| templates/skills/python-django/SKILL.md | Adds Django implementation patterns skill (models/views/services/security/testing). |
| templates/skills/java-springboot/references/testing-patterns.md | Adds Spring Boot testing reference patterns (web/repo/integration/unit). |
| templates/skills/java-springboot/references/jpa-patterns.md | Adds Spring Boot JPA patterns reference (relationships, N+1, specs, auditing). |
| templates/skills/java-springboot/SKILL.md | Adds Spring Boot implementation patterns skill (DI, REST, JPA, security, testing). |
| templates/skills/golang-api/references/testing-patterns.md | Adds Go testing reference patterns (table-driven, httptest, testcontainers). |
| templates/skills/golang-api/references/error-patterns.md | Adds Go error-handling reference patterns (wrapping, AppError, handler mapping). |
| templates/skills/golang-api/SKILL.md | Adds Go API implementation patterns skill (structure, errors, handlers, middleware). |
| templates/commands/verify.md | New “quality gates” command definition (build/test/lint/typecheck/security/coverage). |
| templates/commands/security.md | New security audit command definition (OWASP, secrets, deps, auth coverage). |
| templates/commands/setup-hooks.md | New hook generator command definition (profiles, pre/post hooks, write/merge). |
| templates/commands/setup.md | Updates setup orchestrator docs to include “Skills & Hooks”. |
| templates/commands/setup-skills.md | Extends setup-skills docs to invoke setup-hooks and report hook status. |
| docs/workflows.md | Updates workflows to insert verify/security steps and adds command reference rows. |
| docs/ecc-analysis-improvements.md | Adds ECC cross-analysis improvements document. |
| README.md | Updates command list and workflow diagram to include verify/security/hooks. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - If `--dry-run`: display the JSON and stop | ||
| - If `__AGENT_DIR__/settings.local.json` exists: read it, merge the `hooks` key (preserve other settings), write back | ||
| - If it doesn't exist: create it with the hooks structure | ||
|
|
There was a problem hiding this comment.
The hook generator describes writing to __AGENT_DIR__/settings.local.json, but the detection script used by this command outputs SETTINGS_FILE as <AGENT_DIR>/settings.json (see scripts/bash/setup-hooks.sh). To avoid generating hooks into a file the agent may never read, align the docs/behavior to use the detected SETTINGS_FILE (or clearly explain why settings.local.json is preferred and how it’s loaded).
| ### Next Steps | ||
| - Review generated skills | ||
| - Add project-specific conventions | ||
| - Review hooks in __AGENT_DIR__/settings.local.json |
There was a problem hiding this comment.
This file points users to review hooks in __AGENT_DIR__/settings.local.json, but the tool detection script used across setup commands reports the settings path as <AGENT_DIR>/settings.json. For consistency (and to ensure Claude Code actually loads the hooks), consider referencing the detected SETTINGS_FILE path or settings.json here.
| - Review hooks in __AGENT_DIR__/settings.local.json | |
| - Review hooks in __AGENT_DIR__/settings.json |
| // __tests__/api/users.test.ts | ||
| import { GET, POST } from "@/app/api/users/route"; | ||
| import { NextRequest } from "next/server"; | ||
|
|
||
| describe("GET /api/users", () => { | ||
| it("returns users list", async () => { | ||
| const request = new NextRequest("http://localhost/api/users"); | ||
| const response = await GET(request); | ||
| const data = await response.json(); | ||
|
|
||
| expect(response.status).toBe(200); | ||
| expect(data.data).toBeInstanceOf(Array); | ||
| }); | ||
|
|
||
| it("returns 401 without auth", async () => { | ||
| // mock auth to return null | ||
| vi.mocked(auth).mockResolvedValueOnce(null); | ||
| const request = new NextRequest("http://localhost/api/users"); | ||
| const response = await GET(request); |
There was a problem hiding this comment.
The API route testing example uses vi.mocked(auth) but never imports vi (unless relying on Vitest globals) and never imports/mocks auth from the module under test. As written, readers copying this will get runtime/type errors; consider adding the missing imports and showing the module mock setup for auth() explicitly.
| { params }: { params: Promise<{ id: string }> }, | ||
| ) { | ||
| const { id } = await params; |
There was a problem hiding this comment.
These examples type params as Promise<{ id: string }> and then await params. For Next.js App Router route handlers, params is provided as a plain object (e.g. { params: { id: string } }), and treating it as a Promise will confuse readers and lead to incorrect typings. Adjust the signature and remove the await to match Next.js 14+ conventions stated at the top of this skill.
| { params }: { params: Promise<{ id: string }> }, | |
| ) { | |
| const { id } = await params; | |
| { params }: { params: { id: string } }, | |
| ) { | |
| const { id } = params; |
| export default async function UserPage({ params }: { params: Promise<{ id: string }> }) { | ||
| const { id } = await params; | ||
| const user = await getUser(id); | ||
| if (!user) notFound(); | ||
| return <UserProfile user={user} />; | ||
| } |
There was a problem hiding this comment.
This UserPage example types params as Promise<{ id: string }> and then awaits it. In Next.js App Router pages, params is passed as a plain object, so this typing/pattern is misleading for Next.js 14+ and will cause incorrect types in real code. Update the signature to ({ params }: { params: { id: string } }) and drop the await.
| # Analyse ECC (Everything Claude Code) — Recommandations pour SpecForge | ||
|
|
There was a problem hiding this comment.
This new doc is entirely in French while the rest of the public docs under docs/ are written in English (e.g., docs/index.md, docs/workflows.md). To keep documentation consistent and accessible to the primary audience, consider translating this to English or adding an English summary at the top and linking to it from an appropriate index/toc.
| # Analyse ECC (Everything Claude Code) — Recommandations pour SpecForge | |
| # ECC Analysis (Everything Claude Code) — Recommendations for SpecForge | |
| > This document cross-analyzes the repository [affaan-m/everything-claude-code](https://github.com/affaan-m/everything-claude-code) against the current SpecForge workflow. | |
| > It identifies concrete improvements from ECC that can be applied to SpecForge (e.g., setup, automation, quality gates, context management, security, MCP servers, CI/CD, and continuous learning). | |
| --- | |
| ## Analyse ECC (Everything Claude Code) — Recommandations pour SpecForge |
| | Command | Description | | ||
| | -------------------------- | -------------------------------------------------------------------------------- | | ||
| | `/specforge.analyze` | Cross-artifact consistency & coverage analysis | | ||
| | `/specforge.review` | Code quality analysis, technical debt detection, actionable recommendations | | ||
| | `/specforge.verify` | Run sequential quality gates (build, test, lint, typecheck, security, coverage) | | ||
| | `/specforge.security` | Comprehensive security audit (OWASP Top 10, secrets, dependencies, auth) | | ||
| | `/specforge.checklist` | Generate quality checklists ("unit tests for English") | | ||
| | `/specforge.learn` | Analyze codebase to update architecture registry + module CLAUDE.md files | | ||
| | `/specforge.merge` | Merge feature branch to main, consolidate docs to /docs | | ||
|
|
||
| #### Setup & Configuration Commands | ||
|
|
||
| | Command | Description | | ||
| | ----------------------------- | --------------------------------------------------------------------------- | | ||
| | `/specforge.setup` | **Orchestrator** - runs all setup-xxx sub-commands | | ||
| | `/specforge.setup-constitution` | Create/update project constitution | | ||
| | `/specforge.setup-docs` | Initialize /docs domain structure (from-code/from-docs/from-specs) | | ||
| | `/specforge.setup-skills` | Configure skills based on detected frameworks | | ||
| | `/specforge.setup-agents` | Generate specialized subagents | | ||
| | `/specforge.setup-mcp` | Configure MCP server for testing/automation | | ||
| | `/specforge.setup-hooks` | Generate Claude Code hooks (secret detection, auto-format, quality gates) | |
There was a problem hiding this comment.
The PR title is scoped as docs: but the changes add new command templates and multiple new skill/reference templates under templates/ (functional behavior for generated agents), not just documentation. Consider updating the PR title/type (and/or splitting into separate PRs) so reviewers and release tooling don’t treat this as documentation-only.
| - **SessionStart**: Load project constitution and architecture context | ||
| - **Stop**: Coverage and test reminders | ||
|
|
||
| **Skip if**: User passed `--skip-hooks` or agent does not support hooks (hooks are Claude Code specific). |
There was a problem hiding this comment.
/specforge.setup-skills references a --skip-hooks flag in Phase 3, but the command’s Options section doesn’t document this flag. Either document --skip-hooks alongside the other skip flags, or remove the reference so users aren’t instructed to use an unknown option.
| **Skip if**: User passed `--skip-hooks` or agent does not support hooks (hooks are Claude Code specific). | |
| **Skip if**: Agent does not support hooks (hooks are Claude Code specific). |
| vi.mock("next/cache", () => ({ | ||
| revalidatePath: vi.fn(), | ||
| })); | ||
|
|
||
| vi.mock("next/navigation", () => ({ | ||
| redirect: vi.fn(), | ||
| })); | ||
|
|
||
| describe("createPost", () => { | ||
| it("creates a post and redirects", async () => { | ||
| const formData = new FormData(); | ||
| formData.set("title", "Test Post"); | ||
| formData.set("content", "Content here"); | ||
|
|
||
| await createPost(formData); | ||
|
|
||
| expect(redirect).toHaveBeenCalledWith(expect.stringContaining("/posts/")); | ||
| expect(revalidatePath).toHaveBeenCalledWith("/posts"); | ||
| }); |
There was a problem hiding this comment.
In the Server Actions test example, redirect and revalidatePath are asserted but never imported from next/navigation and next/cache (only mocked). Without importing them, those identifiers are undefined, so the snippet won’t work as-is. Import the mocked functions (or access them via the mocked module) before asserting.
Analyze everything-claude-code repo to identify actionable improvements
for specforge across hooks, security, quality gates, context management,
MCP servers, multi-agent orchestration, and CI/CD integration.
https://claude.ai/code/session_01EZoFj6PGoyHEZkLhJvj6x3