Add safe URL construction rules to agent guides #1100

Merged
gearnode merged 1 commit into main from gearnode/safe-url-building-guide
Apr 24, 2026

@gearnode gearnode commented Apr 24, 2026

Summary

  • Add a "URL and query parameter construction" section to contrib/claude/go-style.md requiring net/url (url.URL, url.Values) instead of fmt.Sprintf or string concatenation
  • Add a matching TypeScript section to contrib/claude/httpclient.md requiring URL and URLSearchParams instead of template literals or string concatenation
  • Update CLAUDE.md index descriptions to reference the new sections

Test plan

  • Verify the guide renders correctly on GitHub
  • Confirm cross-references between Go and TypeScript sections link properly

Summary by cubic

Add safe URL construction rules to the Go style guide and add a new TypeScript style guide. Uses structured URL APIs and fixes Go examples to avoid double-encoding and parse errors.

  • New Features

    • Go: Added “URL and query parameter construction” requiring net/url (url.URL, url.Values); prefer url.JoinPath; recommend pkg/baseurl.URLBuilder; forbid fmt.Sprintf/concat.
    • TypeScript: New contrib/claude/ts-style.md; require URL and URLSearchParams; escape path segments with encodeURIComponent.
    • Index: Updated AGENTS.md to note Go rules and link ts-style.md.
  • Bug Fixes

    • Go examples now use url.Values + RawQuery and url.JoinPath to avoid double-encoding and query concat errors.
    • Added error handling around url.Parse.

Written for commit f82d76b. Summary will update on new commits.

@gearnode gearnode requested a review from a team April 24, 2026 08:29

@cubic-dev-ai cubic-dev-ai Bot left a comment

3 issues found across 3 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="contrib/claude/httpclient.md">

<violation number="1" location="contrib/claude/httpclient.md:57">
P2: The “good” example should encode dynamic path segments; raw interpolation into `pathname` can break path structure when values contain reserved characters like `/`.</violation>
</file>

<file name="contrib/claude/go-style.md">

<violation number="1" location="contrib/claude/go-style.md:198">
P2: Escape dynamic path segments in the “Good” example; joining raw `userID` can change URL path semantics.</violation>

<violation number="2" location="contrib/claude/go-style.md:221">
P2: The “Good” example still constructs a URL by concatenating strings; parse the base URL and set `RawQuery` instead.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.


@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 2 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="contrib/claude/go-style.md">

<violation number="1" location="contrib/claude/go-style.md:198">
P2: This example double-encodes path segments by putting `url.PathEscape(...)` directly into `url.URL.Path`. Use `Path` with the unescaped value and `RawPath` with the escaped value.</violation>
</file>


@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="contrib/claude/go-style.md">

<violation number="1" location="contrib/claude/go-style.md:200">
P2: Do not ignore `url.Parse` errors in the “Good” example; handle and wrap the error consistently.</violation>
</file>

Add a URL and query parameter construction section to
contrib/claude/go-style.md requiring net/url (url.JoinPath,
url.Values, url.Parse) instead of fmt.Sprintf or string
concatenation.

Create contrib/claude/ts-style.md with matching TypeScript
rules requiring URL and URLSearchParams instead of template
literals or string concatenation.

Signed-off-by: Bryan Frimin <bryan@getprobo.com>
@gearnode gearnode force-pushed the gearnode/safe-url-building-guide branch from cb86d75 to f82d76b April 24, 2026 14:12
@gearnode gearnode merged commit f82d76b into main Apr 24, 2026
17 checks passed
@gearnode gearnode deleted the gearnode/safe-url-building-guide branch April 24, 2026 14:16
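
The review points raised in this thread (escape dynamic path segments, set `RawQuery` from `url.Values`, do not store escaped text in `url.URL.Path`, handle parse errors), shown together in one added Go example. It is not code from this pull request or from the project's guides; the helper names, the host `api.example.test` and the sample values are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// buildUserURL (hypothetical helper) builds <base>/users/<id>?<query>.
func buildUserURL(base, userID string, query url.Values) (string, error) {
	// url.JoinPath treats its elements as already-escaped path text, so the
	// dynamic segment is escaped first; a "/" inside userID becomes %2F.
	joined, err := url.JoinPath(base, "users", url.PathEscape(userID))
	if err != nil {
		return "", fmt.Errorf("cannot join URL path: %w", err)
	}
	u, err := url.Parse(joined)
	if err != nil {
		return "", fmt.Errorf("cannot parse URL: %w", err)
	}
	u.RawQuery = query.Encode() // escapes keys and values, sorted by key
	return u.String(), nil
}

// doubleEncoded reproduces the defect from the review: escaped text stored in
// URL.Path is escaped a second time by String(), so %2F becomes %252F.
func doubleEncoded(userID string) string {
	u := url.URL{Scheme: "https", Host: "api.example.test",
		Path: "/v1/users/" + url.PathEscape(userID)}
	return u.String()
}

// pathAndRawPath is the corrected form: decoded value in Path, escaped in RawPath.
func pathAndRawPath(userID string) string {
	u := url.URL{Scheme: "https", Host: "api.example.test",
		Path:    "/v1/users/" + userID,
		RawPath: "/v1/users/" + url.PathEscape(userID)}
	return u.String()
}

func main() {
	q := url.Values{}
	q.Set("filter", "a&b=c") // constructed sample value with reserved characters
	good, err := buildUserURL("https://api.example.test/v1", "acme/42", q)
	fmt.Println(good, err)
	fmt.Println(doubleEncoded("acme/42"))
	fmt.Println(pathAndRawPath("acme/42"))
}
```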