feat(audit): add Navigation 3 detection and audit patterns#9
Conversation
Add section 2b to the jetpack-compose-audit search-playbook covering: - Nav3 detection (rememberNavBackStack, NavDisplay, entryProvider, NavKey) - Backstack ownership violation (feature VM holds backStack) - entryDecorators without rememberSaveableStateHolderNavEntryDecorator - Navigation triggered in composition body - Missing dropUnlessResumed click guard - Anonymous/non-top-level destination keys - NavController/NavHost mixed with Nav3 code - String routes in Nav3 code - @composable inside destination data class - ResultEventBus result assumed to survive process death - Positive signals and scoring notes Also adds Nav3 + nav3-recipes to canonical-sources.md.
- Fix broken rg alternation: remove backslash-escaping from | in two patterns (ViewModel|viewModel and conflateAsState|ResultEffect were matching literal |) - Fix destination-key scan: use rg -B1 ': NavKey' instead of same-line @serializable grep - Broaden lambda check in NavKey destinations: cover (T) -> Unit, suspend, not just () -> and scope search to NavKey files to reduce noise - Add high-false-positive warning to ViewModel+backStack heuristic - Downgrade string-route Blocker to Should-fix: NavBackStack<NavKey> makes strings a compile error in practice; scope navigate() check to Nav3 files only - Add Nav3 scoring entries to scoring.md: State (backstack state) and Side Effects (nav side effects) sections with canonical source links
- Align State vs Side Effects categorization: ViewModel/backstack ownership → State Management in both playbook and scoring.md (was Side Effects in playbook) - Add xargs -r to all three pipeline commands (empty input was searching whole repo) - Fix anonymous-key grep: filter sealed/interface base types, note valid patterns - Fix intro: soften 'silent at compile time' — string routes are often compile errors - Add -U (multiline) to dropUnlessResumed rg commands + fallback -B3 context scan - Add read-the-hit note to @Composable/lambda check (whole-file scan, not field scan) - Add Nav3 pointer to SKILL.md step 5 so auditors don't skip section 2b - Clarify string-route search scope comment (not actually file-scoped, just method-scoped)
🟢 Codex review (automated cross-review)Blocker Should-fix
Nit
via pr-review-relay · author: claude |
🔵 Cursor review (automated cross-review)PR #9 Review — Nav3 audit patternsSolid addition: section 2b mirrors 2a’s shape, aligns with BlockerNone that block merge outright. The nested-key detection gap (Should-fix) is the closest to a correctness bug. Should-fix
Nit
Verdict: Direction and content look good and well grounded in via pr-review-relay · author: claude |
🟠 Antigravity review (automated cross-review)Here is the review for PR #9, grouped by severity: Blocker
Nit
via pr-review-relay · author: claude |
Summary
Adds section 2b — Navigation 3 Detection & Audit to
jetpack-compose-audit/references/search-playbook.md.Previously, Nav3 support in the suite was limited to
compose-agent(guidance/decision table). Thejetpack-compose-auditskill had no Nav3 detection or diagnostic patterns — it only covered Nav2 (NavHost,navController.navigate). This PR closes that gap.Patterns added
entryDecoratorswithoutrememberSaveableStateHolderNavEntryDecorator@Composableor lambda inside destination data classdropUnlessResumedclick guardResultEventBusresult assumed to survive process deathNavControllermixed with Nav3 codeAlso
canonical-sources.mdAll patterns verified against the official nav3-recipes sample repo and the
compose-agent/references/navigation.mdguardrails (already in the suite).🤖 Generated with Claude Code