---
name: code-quality-setup
description: Use when setting up or configuring code quality tools (formatters, linters, type checkers, dependency scanners) for a repository. Also use when adding visual accessibility automation or security baseline scanning. Do not use for general coding or when tools are already configured.
---

# Code quality setup

## Per-language toolchain

Use the standard toolchain for each language in the repository.

### JavaScript / TypeScript (incl. React/Next)

- Format+lint: ESLint + Prettier.
- When configuring Prettier, always add and maintain `.prettierignore` so generated/build outputs and composed files are not formatted/linted as source (e.g., `dist/`, build artifacts, and `AGENTS.md` when generated by compose-agentsmd).
- Typecheck: `tsc` with strict settings for TS projects.
- Dependency scan: `osv-scanner`. If unsupported, use the package manager's audit tooling.

### Python

- Format+lint: Ruff.
- Typecheck: Pyright.
- Dependency scan: pip-audit.

### Go

- Format: gofmt.
- Lint/static analysis: golangci-lint (includes staticcheck).
- Dependency scan: govulncheck.

### Rust

- Format: cargo fmt.
- Lint/static analysis: cargo clippy with warnings as errors.
- Dependency scan: cargo audit.

### Java

- Format: Spotless + google-java-format.
- Lint/static analysis: Checkstyle + SpotBugs.
- Dependency scan: OWASP Dependency-Check.

### Kotlin

- Format: Spotless + ktlint.
- Lint/static analysis: detekt.
- Compiler: enable warnings-as-errors in CI; if impractical, get explicit user approval before relaxing.

### C#

- Format: dotnet format (verify-no-changes in CI).
- Lint/static analysis: enable .NET analyzers; treat warnings as errors; enable nullable reference types.
- Dependency scan: `dotnet list package --vulnerable`.

### C++

- Format: clang-format.
- Lint/static analysis: clang-tidy.
- Build: enable strong warnings and treat as errors; run sanitizers (ASan/UBSan) in CI where supported.

### PowerShell

- Format+lint: PSScriptAnalyzer (Invoke-Formatter + Invoke-ScriptAnalyzer).
- Runtime: Set-StrictMode -Version Latest; fail fast on errors.
- Tests: Pester when tests exist.
- Enforce PSScriptAnalyzer via the repo's standard `verify` command/script when PowerShell is used; treat findings as errors.

### Shell (sh/bash)

- Format: shfmt.
- Lint: shellcheck.

### Dockerfile

- Lint: hadolint.

### Terraform

- Format: terraform fmt -check.
- Validate: terraform validate.
- Lint: tflint.
- Security scan: trivy config.

### YAML

- Lint: yamllint.

### Markdown

- Lint: markdownlint.

## Design and visual accessibility automation

Apply this section to projects with web UI components only.

- Enforce automated visual accessibility checks as part of the repo-standard `verify` command and CI.
- Use route discovery (sitemap, generated route lists, or framework route manifests) so newly added pages are automatically included.
- Validate both light and dark themes when theme switching is supported.
- Validate at least default, hover, and focus states for interactive elements.
- Enforce non-text boundary contrast checks across all visible UI elements that present boundaries (including interactive controls and container-like elements), not only predefined component classes.
- Use broad DOM discovery with only minimal technical exclusions (hidden/zero-size/non-rendered nodes).
- Fail CI on violations; do not silently ignore design regressions.
- If temporary exclusions are unavoidable, keep them narrowly scoped, documented with rationale, and remove them promptly.

## Security baseline

- Require dependency vulnerability scanning appropriate to the ecosystem (SCA) for merges. If unavailable, report the limitation and get explicit user approval.
- Enable GitHub secret scanning and remediate findings; never commit secrets. If unavailable, add a repo-local secret scanner.
- Enable CodeQL code scanning for supported languages. If unavailable, use the best alternative for that ecosystem.
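As an added example (not part of this skill file), a minimal POSIX shell `verify` runner that maps manifest files to the toolchain above and applies the security-baseline rule that a missing scanner is reported as a limitation rather than silently skipped. The manifest names and the exact tool invocations are assumptions to adjust per repository.

```shell
#!/bin/sh
# Added example (not from the skill file): a minimal repo-standard `verify`
# runner mapping manifest files to the toolchain above. A missing tool is
# reported as a limitation and fails the run. Assumptions: the manifest
# names mark each ecosystem; tool invocations are defaults to adjust per repo.

# Print one "tool|command" line per check that applies to the repo at $1.
plan_checks() {
  r="$1"
  if [ -f "$r/package.json" ]; then
    printf '%s\n' "eslint|npx eslint ." "prettier|npx prettier --check ." \
      "osv-scanner|osv-scanner -r ."
  fi
  [ -f "$r/tsconfig.json" ] && printf '%s\n' "tsc|npx tsc --noEmit"
  if [ -f "$r/pyproject.toml" ]; then
    printf '%s\n' "ruff|ruff format --check . && ruff check ." \
      "pyright|pyright" "pip-audit|pip-audit"
  fi
  if [ -f "$r/go.mod" ]; then
    printf '%s\n' "gofmt|test -z \"\$(gofmt -l .)\"" \
      "golangci-lint|golangci-lint run" "govulncheck|govulncheck ./..."
  fi
  if [ -f "$r/Cargo.toml" ]; then
    printf '%s\n' "cargo fmt|cargo fmt --check" \
      "cargo clippy|cargo clippy -- -D warnings" "cargo audit|cargo audit"
  fi
  [ -f "$r/Dockerfile" ] && printf '%s\n' "hadolint|hadolint Dockerfile"
  return 0
}

# Run every planned check from inside the repo. Returns non-zero if any
# check fails or any required tool is absent (a limitation, never a skip).
run_checks() {
  r="$1"; status=0
  checks=$(plan_checks "$r")
  while IFS='|' read -r tool cmd; do
    [ -n "$cmd" ] || continue
    if ! command -v "${cmd%% *}" >/dev/null 2>&1; then
      echo "LIMITATION: $tool is not installed; install it or get explicit approval to skip" >&2
      status=1; continue
    fi
    echo "RUN: $cmd"
    (cd "$r" && sh -c "$cmd") || { echo "FAIL: $tool" >&2; status=1; }
  done <<EOF
$checks
EOF
  return "$status"
}
if [ "$#" -gt 0 ]; then run_checks "$1"; fi   # usage: sh verify.sh /path/to/repo
```

Wire `sh verify.sh .` into CI so its exit status gates merges; the LIMITATION lines are the evidence to attach when asking for explicit approval to skip a scanner.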