From 04c68e483af8c2cc2717ad4b8013c3673124836c Mon Sep 17 00:00:00 2001 From: Alexis Le Dain <47504664+Alexsky347@users.noreply.github.com> Date: Thu, 28 May 2026 13:32:52 +0200 Subject: [PATCH] Add React language track with agents, skills, rules, and commands (#2024) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat(rules): add rules/react/ track Five rule files mirroring per-language convention (coding-style, hooks, patterns, security, testing). Each has `paths:` glob frontmatter for auto-activation when editing matching files. - coding-style.md: file extensions, naming, JSX, RSC boundary - hooks.md: React hooks (NOT Claude Code hooks) — rules-of-hooks, dep arrays, cleanup, memoization, React 19 additions - patterns.md: container/presentational split, state location decision tree, Suspense + error boundaries, forms, data fetching - security.md: dangerouslySetInnerHTML, unsafe URL schemes, server-action validation, env-var leaks, CSP - testing.md: RTL queries, userEvent, async, MSW, axe, anti-patterns Each file extends typescript/* and common/* rules. * feat(skills): add react-patterns, react-testing, react-performance Three new skills under skills/ following the SKILL.md convention. - react-patterns: React 18/19 idioms — hooks discipline, state location decision tree, server/client component boundary, Suspense + error boundaries, form actions (React 19), data fetching matrix, composition recipes, accessibility-first. - react-testing: React Testing Library + Vitest/Jest, query priority order, userEvent, MSW network mocking, axe a11y assertions, RTL vs Playwright CT boundary, TDD workflow. - react-performance: 70-rule performance ruleset adapted from Vercel Labs react-best-practices (MIT) across 8 priority categories — waterfalls, bundle size, server-side, client fetch, re-render, rendering, JS micro, advanced patterns. Includes Lighthouse / Web Vitals mapping and attribution to upstream. Cross-links between the three skills and out to frontend-patterns, accessibility, e2e-testing, tdd-workflow. * feat(agents): add react-reviewer and react-build-resolver Two new agents covering React-specific code review and build error resolution, plus matching .kiro/ mirrors and a routing pointer edit on typescript-reviewer. - react-reviewer: slim React-only lanes (hooks rules, dangerouslySetInnerHTML, unsafe URL schemes, key prop, state mutation, derived-state-in-effect, server/client component boundary, accessibility, render performance, Server Action validation, env-var leaks). Explicitly delegates generic TypeScript/async/Node concerns to typescript-reviewer. Both agents should be invoked together on .tsx/.jsx PRs. - react-build-resolver: React build/bundler/runtime hydration failures across Vite, webpack, Next.js, CRA, Parcel, esbuild, Bun, Rsbuild. Handles JSX/TSX compile errors, tsconfig fixes, Next.js App Router server/client boundary errors, hydration mismatches, duplicated React copies, Tailwind/PostCSS pipeline. - .kiro/agents/react-reviewer.json + react-build-resolver.json: Kiro IDE format mirrors following the per-language precedent. - typescript-reviewer: routing pointer added to its MEDIUM React block — defers to /react-review for React-specific concerns while keeping its block as fallback for repos that only invoke typescript-reviewer. All agents carry the standard Prompt Defense Baseline stanza. * feat(commands): add /react-review /react-build /react-test Three new slash commands invoking the React agents. - /react-review: invokes react-reviewer. Documents the routing rule with typescript-reviewer — both should run together on TSX/JSX PRs. Lists CRITICAL/HIGH/MEDIUM rule categories and the automated checks (eslint with react-hooks + jsx-a11y, tsc --noEmit, npm audit). - /react-build: invokes react-build-resolver. Documents bundler detection, common failure patterns, fix strategy, and stop conditions. - /react-test: enforces TDD with React Testing Library + Vitest or Jest, behavior-focused queries, userEvent + MSW patterns, axe accessibility assertions, coverage targets. Each command file has the required description: frontmatter and follows the per-language command convention (cpp-test, go-test, kotlin-test, etc.). * chore: wire react track into manifests and stack mappings - agent.yaml: add react-patterns, react-performance, react-testing to the skills array; add react-build, react-review, react-test to the commands array (alphabetically inserted to satisfy the ci/agent-yaml-surface sync test). - config/project-stack-mappings.json: extend the `react` stack entry — add "react" to rules array (was ["common","typescript", "web"]); add react-patterns, react-performance, react-testing, accessibility to the skills array. - docs/COMMAND-REGISTRY.json: bump totalCommands 75 -> 78; add three new entries (react-build, react-review, react-test) with primaryAgents / allAgents / skills wiring. react-review's allAgents includes typescript-reviewer to reflect the dual-agent routing convention. - CLAUDE.md: add Skills-table row mapping *.tsx / *.jsx / components/** to react-patterns + react-testing skills and the /react-review, /react-build, /react-test commands. * chore(catalog): sync counts to 62 agents / 78 commands / 235 skills Auto-generated via `node scripts/ci/catalog.js --write --text` after the react track additions: - 2 new agents: react-reviewer, react-build-resolver (60 -> 62) - 3 new commands: react-build, react-review, react-test (75 -> 78) - 3 new skills: react-patterns, react-performance, react-testing (232 -> 235) Files updated by the catalog sync: - .claude-plugin/plugin.json description string - .claude-plugin/marketplace.json plugin description - README.md quick-start summary, project tree, feature parity tables - README.zh-CN.md quick-start summary - AGENTS.md project structure summary - docs/zh-CN/README.md parity table - docs/zh-CN/AGENTS.md project structure summary All counts now match the filesystem catalog (verified by ci/catalog.test.js). * feat(kiro): add react agent markdown companions to JSON entries * feat(kiro): add react skills into manifests * fix(ci): sync catalog counts, registry, and package files for react track - .claude-plugin/{plugin,marketplace}.json: bump description counts to 62/235/78 - docs/COMMAND-REGISTRY.json: regenerate to include quality-gate and react commands - package.json: add skills/react-{patterns,performance,testing}/ to files allowlist so npm-publish-surface aligns with install-modules manifest * fix(react): address PR #2024 review feedback Critical: - Remove undefined/.claude/session-aliases.json containing __proto__ prototype-pollution fixture committed by accident in a7333c14 High: - agents/react-build-resolver.md: replace brittle `test -o $(grep -l ...)` and `test -a -n $(grep ...)` detection with explicit `{ ... || grep -q ...; }` so bundler detection no longer breaks when grep returns empty - agents/react-build-resolver.md: drop hardcoded `npm i react@^19 react-dom@^19` remediation; replace with version-agnostic pair-upgrade note that honors the project's installed major (17/18/19) — surgical fix principle - commands/react-review.md: guard `tsc --noEmit -p tsconfig.json` with `[ -f tsconfig.json ] &&` so the review skips cleanly on JS-only projects Medium: - rules/react/security.md: correct the React-18-blocks-javascript-URL claim (React only warns in dev; production navigation is not blocked) - rules/react/security.md: correct CRA env-var exposure row (CRA exposes REACT_APP_*, NODE_ENV, PUBLIC_URL — not 'all' variables) - skills/react-testing/SKILL.md: instantiate QueryClient once outside the wrapper closure so React Query cache survives re-renders (flaky-test fix) - skills/react-testing/SKILL.md: restore console.error spy with mockRestore() in a try/finally so the mock does not leak across tests - commands/react-test.md: switch outer example-session fence to 4 backticks so the inner ```tsx/```bash blocks don't prematurely terminate it * fix(kiro): mirror react-build-resolver react 19 conditional remediation Discussion r3272907106 flagged the kiro json variant still carrying the hardcoded 'npm i react@^19 react-dom@^19' line that the .md companion already dropped. Replace with the same conditional, version-agnostic guidance so both variants stay in sync. * fix(react): bump react-build example session fence to 4 backticks Discussion r3272907144 flagged the same nested-fence issue in commands/react-build.md that we fixed earlier in commands/react-test.md. The outer triple-backtick text block was being prematurely terminated by the inner bash/tsx fences inside the Example Session. * fix(react): bump react-review example usage fence to 4 backticks Discussion r3272907201 flagged the same nested-fence issue in commands/react-review.md. The outer triple-backtick text block was being prematurely terminated by the inner tsx/ts fences inside the Example Usage transcript. * fix(docs): clarify commands row as legacy shims in feature parity table Discussion r3272912003: README comparison table said 'PASS: 78 commands' while the install-section and quick-start prose use 'legacy command shims'. Aligned the comparison-table cell to 'PASS: 78 commands (legacy shims)' so the count word survives the catalog-validator regex while making the legacy nature explicit. Widened the catalog comparison-table commands regex to tolerate an optional parenthetical after the count word, so both the existing 'X commands' and the new 'X commands (legacy shims)' phrasings validate without breaking older READMEs/translations. * Update rules/react/security.md Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com> * fix(react): guard tsc in react-build-resolver diagnostic commands Discussion r3288910205: the agent prompt instructed an unconditional 'tsc --noEmit -p tsconfig.json', which adds noise (or hard-fails) on JavaScript-only projects with no tsconfig.json or no installed TypeScript. Replaced with 'test -f tsconfig.json && npx --yes tsc --noEmit -p tsconfig.json' in both variants: - agents/react-build-resolver.md - .kiro/agents/react-build-resolver.json (prompt string mirrored) Mirrors the same guard already applied to commands/react-review.md in de135f61. * fix(react): pin tsc resolution to local install in build resolver Discussion r3289054157: previous fix used 'npx --yes tsc' which auto-installs the latest TypeScript from npm when none is local, producing version drift and non-reproducible typecheck results across machines. Switched to 'npx --no-install tsc' in both variants so the diagnostic uses only the project's pinned TypeScript and fails fast if it isn't installed: - agents/react-build-resolver.md - .kiro/agents/react-build-resolver.json (prompt string mirrored) * feat(counts): resolve counts for agents, skills... * fix(ci): regen command registry for golang-testing entry Removes stale kotlin-patterns entry to satisfy command-registry:check. * fix: keep local Claude settings out of React track PR --------- Co-authored-by: AlexisLeDain Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com> Co-authored-by: Affaan Mustafa --- .claude-plugin/marketplace.json | 2 +- .claude-plugin/plugin.json | 2 +- .gitignore | 1 + .kiro/agents/react-build-resolver.json | 17 + .kiro/agents/react-build-resolver.md | 143 ++++++ .kiro/agents/react-reviewer.json | 16 + .kiro/agents/react-reviewer.md | 108 +++++ AGENTS.md | 8 +- CLAUDE.md | 1 + README.md | 48 +-- README.zh-CN.md | 2 +- agent.yaml | 6 + agents/react-build-resolver.md | 215 +++++++++ agents/react-reviewer.md | 167 +++++++ agents/typescript-reviewer.md | 3 + commands/react-build.md | 187 ++++++++ commands/react-review.md | 170 ++++++++ commands/react-test.md | 265 ++++++++++++ config/project-stack-mappings.json | 6 +- docs/COMMAND-REGISTRY.json | 69 ++- docs/zh-CN/AGENTS.md | 8 +- docs/zh-CN/README.md | 44 +- manifests/install-modules.json | 3 + package.json | 3 + rules/react/coding-style.md | 109 +++++ rules/react/hooks.md | 187 ++++++++ rules/react/patterns.md | 194 +++++++++ rules/react/security.md | 180 ++++++++ rules/react/testing.md | 208 +++++++++ scripts/ci/catalog.js | 2 +- skills/react-patterns/SKILL.md | 341 +++++++++++++++ skills/react-performance/SKILL.md | 574 +++++++++++++++++++++++++ skills/react-testing/SKILL.md | 423 ++++++++++++++++++ 33 files changed, 3643 insertions(+), 69 deletions(-) create mode 100644 .kiro/agents/react-build-resolver.json create mode 100644 .kiro/agents/react-build-resolver.md create mode 100644 .kiro/agents/react-reviewer.json create mode 100644 .kiro/agents/react-reviewer.md create mode 100644 agents/react-build-resolver.md create mode 100644 agents/react-reviewer.md create mode 100644 commands/react-build.md create mode 100644 commands/react-review.md create mode 100644 commands/react-test.md create mode 100644 rules/react/coding-style.md create mode 100644 rules/react/hooks.md create mode 100644 rules/react/patterns.md create mode 100644 rules/react/security.md create mode 100644 rules/react/testing.md create mode 100644 skills/react-patterns/SKILL.md create mode 100644 skills/react-performance/SKILL.md create mode 100644 skills/react-testing/SKILL.md diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json index 62db81a8..ff0278fb 100644 --- a/.claude-plugin/marketplace.json +++ b/.claude-plugin/marketplace.json @@ -11,7 +11,7 @@ { "name": "ecc", "source": "./", - "description": "Harness-native ECC operator layer - 61 agents, 246 skills, 76 legacy command shims, reusable hooks, rules, selective install profiles, and production-ready workflows for Claude Code, Codex, OpenCode, Cursor, and related agent harnesses", + "description": "Harness-native ECC operator layer - 63 agents, 249 skills, 79 legacy command shims, reusable hooks, rules, selective install profiles, and production-ready workflows for Claude Code, Codex, OpenCode, Cursor, and related agent harnesses", "version": "2.0.0-rc.1", "author": { "name": "Affaan Mustafa", diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json index a4aee757..4fb284ff 100644 --- a/.claude-plugin/plugin.json +++ b/.claude-plugin/plugin.json @@ -1,7 +1,7 @@ { "name": "ecc", "version": "2.0.0-rc.1", - "description": "Harness-native ECC plugin for engineering teams - 61 agents, 246 skills, 76 legacy command shims, reusable hooks, rules, MCP conventions, and operator workflows for Claude Code plus adjacent agent harnesses", + "description": "Harness-native ECC plugin for engineering teams - 63 agents, 249 skills, 79 legacy command shims, reusable hooks, rules, MCP conventions, and operator workflows for Claude Code plus adjacent agent harnesses", "author": { "name": "Affaan Mustafa", "url": "https://x.com/affaanmustafa" diff --git a/.gitignore b/.gitignore index b19ca72c..46e46443 100644 --- a/.gitignore +++ b/.gitignore @@ -77,6 +77,7 @@ examples/sessions/*.tmp marketing/ .dmux/ .dmux-hooks/ +.claude/settings.local.json .claude/worktrees/ .claude/scheduled_tasks.lock diff --git a/.kiro/agents/react-build-resolver.json b/.kiro/agents/react-build-resolver.json new file mode 100644 index 00000000..4b26f045 --- /dev/null +++ b/.kiro/agents/react-build-resolver.json @@ -0,0 +1,17 @@ +{ + "name": "react-build-resolver", + "description": "Diagnose and fix React build failures across Vite, webpack, Next.js, CRA, Parcel, esbuild, and Bun. Handles JSX/TSX compile errors, hydration mismatches, server/client component boundary failures, missing types, and bundler-specific configuration issues with minimal, surgical changes. MUST BE USED when a React build fails.", + "mcpServers": {}, + "tools": [ + "@builtin" + ], + "allowedTools": [ + "fs_read", + "fs_write", + "shell" + ], + "resources": [], + "hooks": {}, + "useLegacyMcpJson": false, + "prompt": "# React Build Resolver\n\nYou are an expert React build error resolution specialist. Fix React build failures across Vite, webpack, Next.js, CRA, Parcel, esbuild, and Bun with minimal, surgical changes.\n\n## Scope\n\nThis agent owns React build/bundler/runtime hydration failures. Pure TypeScript type errors with no React involvement are out of scope — fix inline only if blocking the React build.\n\n## Core Responsibilities\n\n1. Detect the project's React build system (Vite, webpack, Next.js, CRA, Parcel, esbuild, Bun, Rsbuild)\n2. Parse build, transform, and runtime errors\n3. Fix JSX/TSX compile errors (missing `@types/react`, wrong JSX transform, missing imports)\n4. Resolve bundler configuration issues\n5. Diagnose hydration mismatches (server output != client output)\n6. Fix server/client component boundary errors in Next.js App Router\n7. Handle missing dependencies (`@types/react`, `@types/react-dom`, `react-dom/client`)\n8. Resolve PostCSS / Tailwind / CSS-in-JS pipeline failures\n\n## Diagnostic Commands\n\n```bash\nnpm run build --if-present\nnpm run typecheck --if-present\n# Run only if TypeScript is configured in this repo (tsconfig.json present\n# and typescript available as local dep or via npx fallback).\ntest -f tsconfig.json && npx --no-install tsc --noEmit -p tsconfig.json\nnext build\nvite build\nreact-scripts build\nwebpack --mode=production\nparcel build src/index.html\nbun run build\n```\n\n## Resolution Workflow\n\n1. Run build -> capture full error output\n2. Identify the layer -> TypeScript / bundler config / runtime / hydration\n3. Read affected file -> understand context\n4. Apply minimal fix -> only what the error demands\n5. Re-run build -> verify; treat any new error as a fresh diagnosis\n6. Run tests if present -> ensure fix did not regress behavior\n\n## Common Failure Patterns\n\n### JSX / TSX Compile\n\n- `'React' is not defined` -> set `\"jsx\": \"react-jsx\"` in tsconfig (React 17+) or add `import React`\n- Missing `@types/react` / `@types/react-dom` -> `npm i -D @types/react @types/react-dom`\n- `JSX element type 'X' does not have any construct or call signatures` -> default-vs-named import mismatch\n- `Module '\"react\"' has no exported member 'X'` -> match `@types/react` major to installed `react`\n- `Unexpected token '<'` -> missing `@vitejs/plugin-react`, `babel-loader` with `@babel/preset-react`, or equivalent\n- Adjacent JSX siblings -> wrap in fragment `<>...`\n\n### tsconfig\n\n- Missing `\"jsx\"` -> `\"react-jsx\"` for React 17+\n- Missing `\"esModuleInterop\": true` for `import React from 'react'`\n- Outdated `\"moduleResolution\"` -> `\"bundler\"` for Vite/Next 13+\n- Path aliases mismatch between tsconfig and bundler\n\n### Vite\n\n- Missing `@vitejs/plugin-react` in plugins array\n- `optimizeDeps.include` needed for CJS-only deps\n- `define: { 'process.env.NODE_ENV': '\"production\"' }` for libs expecting Node env\n\n### Next.js App Router\n\n- `You're importing a component that needs useState` -> add `\"use client\"` or move hook to a Client Component child\n- `Module not found: Can't resolve 'fs'` in a client file -> remove `fs` or move logic into a Server Component / API route\n- `Functions cannot be passed directly to Client Components` -> wrap in a Server Action\n- `Hydration failed because the initial UI does not match` -> non-deterministic render (`Date.now()`, `Math.random()`, `typeof window`, `localStorage`); move to `useEffect`\n\n### webpack\n\n- Missing babel-loader rule for `.jsx`/`.tsx`\n- `resolve.extensions` missing `.tsx`/`.jsx`\n- `IgnorePlugin` regex too broad\n- Source map plugin OOM\n\n### CRA\n\n- Unmaintained — recommend migrating to Vite or Next.js for new projects\n- `react-scripts` version drift vs `react` major\n- Missing `browserslist` config\n\n### Hydration Mismatches\n\n1. Non-deterministic render values -> move to `useEffect`\n2. Browser-only APIs (window, document, localStorage) -> gate with `typeof window !== 'undefined'` or `useEffect`\n3. CSS-in-JS without SSR setup -> `ServerStyleSheet` for styled-components, `extractCritical` for emotion\n4. Invalid HTML nesting (`

` containing `

`) -> fix markup\n\n### Bundler-Independent Runtime\n\n- `Invalid hook call. Hooks can only be called inside of the body of a function component` -> multiple React copies; `npm ls react`, use `resolutions`/`overrides` to dedupe\n- `Element type is invalid: expected a string or class/function but got: undefined` -> default vs named import mismatch\n- `Functions are not valid as a React child` -> missing call `()` or wrong wrap\n\n### Dependency Issues\n\n```bash\nnpm ls react\nnpm ls @types/react\nnpm dedupe\n# Only when npm ls react reports duplicates or a version mismatch with @types/react.\n# Upgrade react and react-dom as a pair (matching the major already in use) — never independently.\n# Replace with the project React major (17 / 18 / 19); jumping majors is a separate, deliberate change.\n# npm i react@^ react-dom@^\n```\n\n## Key Principles\n\n- Surgical fixes only — don't refactor\n- Never disable type-checking or lint rules to make it green\n- Never add `// @ts-ignore` without an inline explanation and a TODO\n- Always re-run the build after each fix — do not stack changes\n- Fix root cause over suppressing symptoms\n- If the error indicates a real architectural problem, stop and report\n\n## Stop Conditions\n\n- Same error persists after 3 fix attempts\n- Fix introduces more errors than it resolves\n- Error requires architectural changes beyond build resolution\n- Bundler version no longer supports the installed React major\n\n## Output Format\n\n```text\n[FIXED] src/components/UserCard.tsx\nError: 'React' is not defined\nFix: tsconfig.json -> set \"jsx\": \"react-jsx\"; removed obsolete import\nRemaining errors: 2\n```\n\nFinal: `Build Status: SUCCESS | Errors Fixed: N | Files Modified: `" +} diff --git a/.kiro/agents/react-build-resolver.md b/.kiro/agents/react-build-resolver.md new file mode 100644 index 00000000..458c7bd9 --- /dev/null +++ b/.kiro/agents/react-build-resolver.md @@ -0,0 +1,143 @@ +--- +name: react-build-resolver +description: Diagnose and fix React build failures across Vite, webpack, Next.js, CRA, Parcel, esbuild, and Bun. Handles JSX/TSX compile errors, hydration mismatches, server/client component boundary failures, missing types, and bundler-specific configuration issues with minimal, surgical changes. MUST BE USED when a React build fails. +allowedTools: + - read + - write + - shell +--- + +# React Build Resolver + +You are an expert React build error resolution specialist. Fix React build failures across Vite, webpack, Next.js, CRA, Parcel, esbuild, and Bun with minimal, surgical changes. + +## Scope + +This agent owns React build/bundler/runtime hydration failures. Pure TypeScript type errors with no React involvement are out of scope -- fix inline only if blocking the React build. + +## Core Responsibilities + +1. Detect the project's React build system (Vite, webpack, Next.js, CRA, Parcel, esbuild, Bun, Rsbuild) +2. Parse build, transform, and runtime errors +3. Fix JSX/TSX compile errors (missing `@types/react`, wrong JSX transform, missing imports) +4. Resolve bundler configuration issues +5. Diagnose hydration mismatches (server output != client output) +6. Fix server/client component boundary errors in Next.js App Router +7. Handle missing dependencies (`@types/react`, `@types/react-dom`, `react-dom/client`) +8. Resolve PostCSS / Tailwind / CSS-in-JS pipeline failures + +## Diagnostic Commands + +```bash +npm run build --if-present +npm run typecheck --if-present +tsc --noEmit -p tsconfig.json +next build +vite build +react-scripts build +webpack --mode=production +parcel build src/index.html +bun run build +``` + +## Resolution Workflow + +1. Run build -> capture full error output +2. Identify the layer -> TypeScript / bundler config / runtime / hydration +3. Read affected file -> understand context +4. Apply minimal fix -> only what the error demands +5. Re-run build -> verify; treat any new error as a fresh diagnosis +6. Run tests if present -> ensure fix did not regress behavior + +## Common Failure Patterns + +### JSX / TSX Compile + +- `'React' is not defined` -> set `"jsx": "react-jsx"` in tsconfig (React 17+) or add `import React` +- Missing `@types/react` / `@types/react-dom` -> `npm i -D @types/react @types/react-dom` +- `JSX element type 'X' does not have any construct or call signatures` -> default-vs-named import mismatch +- `Module '"react"' has no exported member 'X'` -> match `@types/react` major to installed `react` +- `Unexpected token '<'` -> missing `@vitejs/plugin-react`, `babel-loader` with `@babel/preset-react`, or equivalent +- Adjacent JSX siblings -> wrap in fragment `<>...` + +### tsconfig + +- Missing `"jsx"` -> `"react-jsx"` for React 17+ +- Missing `"esModuleInterop": true` for `import React from 'react'` +- Outdated `"moduleResolution"` -> `"bundler"` for Vite/Next 13+ +- Path aliases mismatch between tsconfig and bundler + +### Vite + +- Missing `@vitejs/plugin-react` in plugins array +- `optimizeDeps.include` needed for CJS-only deps +- `define: { 'process.env.NODE_ENV': '"production"' }` for libs expecting Node env + +### Next.js App Router + +- `You're importing a component that needs useState` -> add `"use client"` or move hook to a Client Component child +- `Module not found: Can't resolve 'fs'` in a client file -> remove `fs` or move logic into a Server Component / API route +- `Functions cannot be passed directly to Client Components` -> wrap in a Server Action +- `Hydration failed because the initial UI does not match` -> non-deterministic render (`Date.now()`, `Math.random()`, `typeof window`, `localStorage`); move to `useEffect` + +### webpack + +- Missing babel-loader rule for `.jsx`/`.tsx` +- `resolve.extensions` missing `.tsx`/`.jsx` +- `IgnorePlugin` regex too broad +- Source map plugin OOM + +### CRA + +- Unmaintained -- recommend migrating to Vite or Next.js for new projects +- `react-scripts` version drift vs `react` major +- Missing `browserslist` config + +### Hydration Mismatches + +1. Non-deterministic render values -> move to `useEffect` +2. Browser-only APIs (window, document, localStorage) -> gate with `typeof window !== 'undefined'` or `useEffect` +3. CSS-in-JS without SSR setup -> `ServerStyleSheet` for styled-components, `extractCritical` for emotion +4. Invalid HTML nesting (`

` containing `

`) -> fix markup + +### Bundler-Independent Runtime + +- `Invalid hook call. Hooks can only be called inside of the body of a function component` -> multiple React copies; `npm ls react`, use `resolutions`/`overrides` to dedupe +- `Element type is invalid: expected a string or class/function but got: undefined` -> default vs named import mismatch +- `Functions are not valid as a React child` -> missing call `()` or wrong wrap + +### Dependency Issues + +```bash +npm ls react +npm ls @types/react +npm dedupe +npm i react@^19 react-dom@^19 +``` + +## Key Principles + +- Surgical fixes only -- don't refactor +- Never disable type-checking or lint rules to make it green +- Never add `// @ts-ignore` without an inline explanation and a TODO +- Always re-run the build after each fix -- do not stack changes +- Fix root cause over suppressing symptoms +- If the error indicates a real architectural problem, stop and report + +## Stop Conditions + +- Same error persists after 3 fix attempts +- Fix introduces more errors than it resolves +- Error requires architectural changes beyond build resolution +- Bundler version no longer supports the installed React major + +## Output Format + +```text +[FIXED] src/components/UserCard.tsx +Error: 'React' is not defined +Fix: tsconfig.json -> set "jsx": "react-jsx"; removed obsolete import +Remaining errors: 2 +``` + +Final: `Build Status: SUCCESS | Errors Fixed: N | Files Modified: ` diff --git a/.kiro/agents/react-reviewer.json b/.kiro/agents/react-reviewer.json new file mode 100644 index 00000000..c7f05948 --- /dev/null +++ b/.kiro/agents/react-reviewer.json @@ -0,0 +1,16 @@ +{ + "name": "react-reviewer", + "description": "Expert React/JSX code reviewer specializing in hook correctness, render performance, server/client component boundaries, accessibility, and React-specific security. Use for any change touching .tsx/.jsx files or React component logic. MUST BE USED for React projects.", + "mcpServers": {}, + "tools": [ + "@builtin" + ], + "allowedTools": [ + "fs_read", + "shell" + ], + "resources": [], + "hooks": {}, + "useLegacyMcpJson": false, + "prompt": "You are a senior React engineer reviewing React component code for correctness, accessibility, performance, and React-specific security. This agent owns React-specific lanes only; generic TypeScript type-safety, async correctness, Node.js security, and non-React code style are owned by the `typescript-reviewer` agent. Both should be invoked together on PRs that touch `.tsx`/`.jsx`.\n\n## Scope vs typescript-reviewer\n\n- typescript-reviewer owns: `any` abuse, `as` casts, async correctness, Node.js security, generic XSS.\n- react-reviewer owns: hooks rules, `dangerouslySetInnerHTML` audit, unsafe URL schemes, key prop, state mutation, derived-state-in-effect, server/client component boundary, accessibility, render performance, memo discipline, Suspense placement, Server Action input validation, env var leaks via `NEXT_PUBLIC_*` / `VITE_*` / `REACT_APP_*`.\n\nFor a JSX/TSX PR, invoke both agents. For a pure `.ts` change with no React imports, invoke only `typescript-reviewer`.\n\n## When invoked\n\n1. Establish review scope from the actual base branch (do not hard-code `main`). Prefer `git diff --staged -- '*.tsx' '*.jsx'` for local review.\n2. Inspect PR merge readiness when metadata is available; stop and report if checks are red or conflicts exist.\n3. Run the project's lint command; require `eslint-plugin-react-hooks` (rules-of-hooks + exhaustive-deps). Flag missing config as HIGH.\n4. Run the project's typecheck command. Skip cleanly for JS-only projects.\n5. If no JSX/TSX changes in the diff, defer to `typescript-reviewer` and stop.\n6. Focus on modified `.tsx`/`.jsx` files; read surrounding context before commenting. Begin review.\n\nYou DO NOT refactor or rewrite code — you report findings only.\n\n## Review Priorities (React-specific only)\n\n### CRITICAL -- React Security\n- `dangerouslySetInnerHTML` with unsanitized input — halt review until source documented and sanitizer at the call site\n- `href`/`src` with unvalidated user URLs — `javascript:` / `data:` schemes execute code; require scheme validation\n- Server Action without input validation — `\"use server\"` functions accepting FormData without zod/yup/valibot schema\n- Secret in client bundle — `NEXT_PUBLIC_*`, `VITE_*`, `REACT_APP_*` holding a private key/token\n- `localStorage`/`sessionStorage` for session tokens — accessible to any XSS; require httpOnly cookies\n\n### CRITICAL -- Hook Rules\n- Conditional hook call (if/for/&&/ternary/after early return)\n- Hook called outside a component or custom hook\n- Mutating state directly (`state.push`, `obj.foo = 1; setObj(obj)`)\n\n### HIGH -- Hook Correctness\n- Missing dependency in `useEffect`/`useMemo`/`useCallback` (flag every disabled `exhaustive-deps` without justification)\n- Effect used for derived state (compute during render instead)\n- Effect missing cleanup (subscriptions, intervals, listeners, `AbortController`)\n- Stale closure in async handler or interval\n- Custom hook not prefixed `use`\n\n### HIGH -- Server/Client Boundary (Next.js App Router / RSC)\n- Server-only import in Client Component (DB client, secrets module)\n- `\"use client\"` over-propagation\n- Sensitive data leaked via props to a Client Component\n- Server Action without auth/authorization check\n\n### HIGH -- Accessibility\n- `
` instead of ` + ); +} +``` + +- Prefer `type Props = {}` for closed component prop shapes +- Use `interface` only when the prop type is extended via declaration merging or exported as a public API extension point +- Always destructure props in the parameter list — no `props.user` access inside the body +- Type the return implicitly through JSX (`function Foo(): JSX.Element` only when the function returns conditionally and the union confuses inference) + +## JSX + +- Self-close tags with no children: ``, `` +- Use fragments `<>...` over wrapper `
` when no DOM element is needed +- Conditional rendering: `{condition && }` for booleans, ternary for either/or, early return for guard clauses +- Never put logic inline in JSX when it reads as multi-line — extract to a const above the return or a function + +```tsx +// Prefer +const greeting = user.isAdmin ? "Welcome, admin" : `Hello ${user.name}`; +return

{greeting}

; + +// Over +return

{user.isAdmin ? "Welcome, admin" : `Hello ${user.name}`}

; +``` + +## Server / Client Boundary (Next.js App Router, RSC) + +- Default a new file to Server Component — only add `"use client"` when the file uses state, effects, refs, browser APIs, or event handlers +- Place the `"use client"` directive on line 1, before any imports +- Never import a Client Component file from inside a `"use server"` action file +- Never re-export server-only code through a client module — the bundler will silently include it + +## Imports + +- React imports first: `import { useState } from "react"` +- Then third-party libs, then absolute project imports, then relative +- Type-only imports: `import type { ReactNode } from "react"` — never mix runtime and type imports in one statement when ESLint's `consistent-type-imports` is configured + +## Hooks Discipline + +See [hooks.md](./hooks.md) for the full ruleset. Style highlights: + +- Custom hooks must start with `use` — enforced by `eslint-plugin-react-hooks` +- Group all hook calls at the top of the component, before any conditional logic +- Avoid creating ad-hoc hooks for one-line wrappers — inline the call instead + +## State + +- Local first (`useState`), lift only when shared +- Context for cross-cutting state read by many components (theme, auth, i18n) — not for high-frequency updates +- External store (Zustand, Jotai, Redux Toolkit) when state must persist across route changes, sync across tabs, or be debugged via devtools +- Never duplicate state that can be derived — compute during render + +## Class Components + +Forbidden in new code. Convert legacy class components to function components when touching them for non-trivial changes. + +## File Layout per Component + +``` +components/UserCard/ + UserCard.tsx + UserCard.module.css # or styled-components, or Tailwind classes inline + UserCard.test.tsx + index.ts # re-export only +``` + +Inline single-file components are fine for trivial presentational pieces. diff --git a/rules/react/hooks.md b/rules/react/hooks.md new file mode 100644 index 00000000..a9b9d5a0 --- /dev/null +++ b/rules/react/hooks.md @@ -0,0 +1,187 @@ +--- +paths: + - "**/*.tsx" + - "**/*.jsx" + - "**/hooks/**/*.ts" + - "**/hooks/**/*.js" + - "**/use-*.ts" + - "**/use-*.tsx" +--- +# React Hooks + +> This file covers **React hooks** (`useState`, `useEffect`, `useMemo`, `useCallback`, custom hooks) — NOT the Claude Code `hooks/` runtime system. Naming matches the per-language convention `rules//hooks.md` used across this repo. +> +> Extends [typescript/patterns.md](../typescript/patterns.md) and [common/patterns.md](../common/patterns.md). + +## Rules of Hooks + +Enforce `eslint-plugin-react-hooks` with `react-hooks/rules-of-hooks` set to error. + +1. Hooks only at the top level of a function component or another hook +2. Never in loops, conditionals, nested functions, or after early returns +3. Always called in the same order on every render +4. Only inside React function components or custom hooks (functions starting with `use`) + +```tsx +// WRONG: conditional hook +function Foo({ enabled }: { enabled: boolean }) { + if (enabled) { + const [x, setX] = useState(0); // rule violation + } +} + +// CORRECT: hook unconditional, condition inside +function Foo({ enabled }: { enabled: boolean }) { + const [x, setX] = useState(0); + if (!enabled) return null; + return {x}; +} +``` + +## `useEffect` — When NOT to Use + +`useEffect` is for synchronizing with external systems (subscriptions, browser APIs, third-party libraries). It is **not** the right tool for: + +- Derived state — compute it during render +- Transforming data for rendering — compute it during render +- Resetting state when a prop changes — use a `key` on the parent or derive from props +- Notifying parents of state changes — call the callback in the event handler +- Initializing app-level singletons — call the function module-side or in `main.tsx` + +```tsx +// WRONG: effect for derived state +const [fullName, setFullName] = useState(""); +useEffect(() => { + setFullName(`${first} ${last}`); +}, [first, last]); + +// CORRECT: derive during render +const fullName = `${first} ${last}`; +``` + +## Dependency Arrays + +- Always include every reactive value referenced inside the effect/callback +- Enable `react-hooks/exhaustive-deps` lint rule — never silence it without a comment explaining why +- If the dep array grows unwieldy, the effect is doing too much — split it +- Stable identity for functions passed in deps: wrap in `useCallback` only when the function is itself a dependency of another hook or passed to a memoized child + +## Cleanup + +Every subscription, interval, listener, or in-flight request must clean up. + +```tsx +useEffect(() => { + const controller = new AbortController(); + fetch(url, { signal: controller.signal }).then(handleResponse); + return () => controller.abort(); +}, [url]); +``` + +```tsx +useEffect(() => { + const id = setInterval(tick, 1000); + return () => clearInterval(id); +}, []); +``` + +Missing cleanup = race conditions when deps change, memory leaks on unmount. + +## `useMemo` and `useCallback` — When Worth It + +Default position: **do not memoize**. Add `useMemo` / `useCallback` only when: + +1. The value is passed to a `React.memo`-wrapped child as a prop, and identity matters +2. The value is a dependency of another `useEffect` / `useMemo` / `useCallback` +3. The computation is measurably expensive (profile before assuming) + +Premature memoization adds noise, hides bugs, and can be slower than the recompute it replaces. + +## Custom Hooks + +Extract a custom hook when: + +- The same hook sequence (state + effect + computed) appears in 2+ components +- The logic has a clear, nameable purpose (`useDebounce`, `useOnClickOutside`, `useLocalStorage`) +- You want to test the logic independently of any component + +Do NOT extract when: + +- It would have a single caller — inline it +- The "hook" is just `useState` with a different name — adds indirection, no value + +```tsx +export function useDebounce(value: T, delay: number): T { + const [debounced, setDebounced] = useState(value); + useEffect(() => { + const id = setTimeout(() => setDebounced(value), delay); + return () => clearTimeout(id); + }, [value, delay]); + return debounced; +} +``` + +## `useState` Patterns + +- Initial state from prop only at mount: pass a function `useState(() => computeInitial(prop))` when computation is expensive +- Functional updater when the new state depends on the old: `setCount(c => c + 1)` — never `setCount(count + 1)` inside async or batched contexts +- Group related state into one object only when they always change together; otherwise split into multiple `useState` calls +- Use `useReducer` once state transitions are conditional on the previous state or there are 3+ related values + +## `useRef` Patterns + +- DOM refs for imperative APIs (focus, scroll, third-party libs) +- Mutable container that does not trigger re-render (timer ids, previous values, "is mounted" flags) +- Never read or write `ref.current` during render — only inside effects or event handlers +- `useImperativeHandle` only when exposing a child API to a parent ref — last-resort escape hatch + +## `useSyncExternalStore` + +Use this hook to subscribe to any external store (browser API, third-party state lib, custom event emitter). It is the supported way to make external state safe with concurrent rendering. + +```tsx +const isOnline = useSyncExternalStore( + (cb) => { + window.addEventListener("online", cb); + window.addEventListener("offline", cb); + return () => { + window.removeEventListener("online", cb); + window.removeEventListener("offline", cb); + }; + }, + () => navigator.onLine, + () => true, +); +``` + +## React 19 Additions + +- `use()` — unwrap promises and contexts inline; usable conditionally (only hook with that property) +- `useFormStatus()` / `useFormState()` (or `useActionState`) — form submission state without prop drilling +- `useOptimistic()` — optimistic UI updates while a server action is pending +- `useTransition()` — mark non-urgent state updates so urgent ones stay responsive + +When the project targets React 19+, prefer these over hand-rolled equivalents. + +## Stale Closure Trap + +Async handlers and intervals capture the values from the render where they were created. Fix by: + +1. Using the functional updater form of `setState` +2. Putting the changing value in the dep array of `useEffect` and rebuilding the handler +3. Reading from a ref that is kept in sync + +## Lint Configuration + +Required rules: + +```json +{ + "rules": { + "react-hooks/rules-of-hooks": "error", + "react-hooks/exhaustive-deps": "warn" + } +} +``` + +Treat `exhaustive-deps` warnings as errors in CI for new code. diff --git a/rules/react/patterns.md b/rules/react/patterns.md new file mode 100644 index 00000000..8a412939 --- /dev/null +++ b/rules/react/patterns.md @@ -0,0 +1,194 @@ +--- +paths: + - "**/*.tsx" + - "**/*.jsx" + - "**/components/**/*.ts" + - "**/components/**/*.js" + - "**/app/**/*.tsx" + - "**/pages/**/*.tsx" +--- +# React Patterns + +> This file extends [typescript/patterns.md](../typescript/patterns.md) and [common/patterns.md](../common/patterns.md) with React specific content. For hook-specific rules see [hooks.md](./hooks.md). + +## Container / Presentational Split + +Container components own data fetching, state, and side effects. Presentational components receive props and render — no service calls, no hooks beyond local UI state. + +```tsx +// Container — owns data +export function UserPage({ userId }: { userId: string }) { + const { data: user, isLoading } = useUser(userId); + if (isLoading) return ; + if (!user) return ; + return ; +} + +// Presentational — pure +export function UserCard({ user, onSelect }: { user: User; onSelect: (id: string) => void }) { + return ; +} +``` + +## State Location Decision Tree + +1. Used by one component → `useState` inside it +2. Used by parent + a few children → lift to nearest common ancestor, pass via props +3. Used across distant branches → React Context **for low-frequency reads only** (theme, auth, locale) +4. High-frequency updates shared across the tree → external store (Zustand, Jotai, Redux Toolkit) +5. Server-derived data → server-state library (TanStack Query, SWR, RSC fetch) — not application state + +Context misused for frequently changing values causes every consumer to re-render on every update. + +## Server / Client Component Boundary (RSC, Next.js App Router) + +- Server Components are the default — they run on the server, do not ship to the client, and can `await` directly +- Client Components opt in with `"use client"` at the top of the file +- Data flows down: a Server Component can render a Client Component and pass serializable props +- A Client Component cannot import a Server Component, but it can receive one via `children` or named slots + +```tsx +// Server (default) +export default async function Page() { + const user = await fetchUser(); + return ; +} + +// Client +"use client"; +export function UserClient({ user }: { user: User }) { + const [tab, setTab] = useState("profile"); + return {user.name}; +} +``` + +- Never import `"server-only"` packages (DB clients, secrets) from a Client Component file — wrap them in a Server Component or Server Action +- Mark sensitive modules with `import "server-only"` so the bundler errors if a client file imports them + +## Suspense + Error Boundaries + +Every Suspense boundary needs an Error Boundary above it. The pair handles both states. + +```tsx +}> + }> + + + +``` + +- Place Suspense boundaries close to where data is needed, not at the route root +- Multiple narrower boundaries reveal loaded content progressively +- Error Boundary must be a Class Component (React 19 has no functional equivalent yet) OR use a library wrapper such as `react-error-boundary` + +## Forms + +### Uncontrolled (React 19 + form actions) + +Prefer uncontrolled inputs with form actions when the form has a clear submit step. The browser owns the value; React reads it via `FormData` on submit. + +```tsx +async function action(formData: FormData) { + "use server"; + await saveUser({ name: String(formData.get("name")) }); +} + +export function UserForm() { + return ( + + + + + ); +} +``` + +### Controlled + +Use controlled inputs when the value drives other UI, requires real-time validation, or formatting. + +```tsx +const [email, setEmail] = useState(""); +return setEmail(e.target.value)} />; +``` + +### Form Libraries + +For complex forms (multi-step, dynamic field arrays, cross-field validation), use a library: + +- React Hook Form — minimal re-renders, uncontrolled-first +- TanStack Form — typed, framework-agnostic +- Final Form — when subscription-based re-renders matter + +## Data Fetching + +| Strategy | When | +|---|---| +| RSC fetch (`await` in Server Component) | Per-request data in Next.js App Router, no client-side cache needed | +| TanStack Query | Client-side cache, mutations, optimistic updates, polling | +| SWR | Lightweight cache + revalidation, simpler than TanStack Query | +| `fetch` in `useEffect` | Avoid — race conditions, no cache, no retry. Only acceptable for one-off fire-and-forget | + +Never fetch in a `useEffect` when a real cache library is available — they handle deduping, cache invalidation, error retry, and Suspense integration. + +## Lists and Keys + +- `key` must be stable across renders — never `index` for any list that can reorder, insert, or delete +- `key` must be unique among siblings, not globally +- A reordered list with index keys causes state in child components to attach to the wrong row + +## Composition over Inheritance + +- Pass `children` for slot-style composition +- Pass render-prop functions for parameterized rendering +- Pass component types for plug-in points: `renderItem={UserRow}` +- Never extend a component class to specialize behavior + +## Compound Components + +For related controls (Tabs, Accordion, Menu), use compound components sharing state via Context: + +```tsx + + + Profile + Settings + + + + +``` + +## Portals + +Use `createPortal` for modals, tooltips, toast containers — anything that must escape the parent's `overflow: hidden` or `z-index` stacking context. Render to a stable DOM node mounted in `index.html`. + +## Refs and Forwarding (React 19+) + +React 19 lets function components accept `ref` as a regular prop — `forwardRef` is no longer required. + +```tsx +export function Input({ ref, ...rest }: { ref?: React.Ref } & InputProps) { + return ; +} +``` + +Older codebases on React 18 still need `forwardRef`. + +## Out of Scope (Pointer Sections) + +### Next.js (App Router) + +- Server Actions, Route Handlers, Middleware, Parallel/Intercepted Routes, streaming Metadata +- Treated as a separate framework concern — when adding deep Next-specific patterns, propose a dedicated `rules/nextjs/` track +- For now follow Next.js official docs for App Router specifics + +### React Native + +- Platform-specific imports (`Platform.OS`, `.ios.tsx` / `.android.tsx`), `StyleSheet`, navigation libraries (React Navigation, Expo Router) +- Treated as a separate track — `rules/react-native/` is not yet present +- React core hooks/patterns from this file still apply + +## Skill Reference + +For React-specific deep dives see `skills/react-patterns/SKILL.md`. For cross-framework frontend concerns see `skills/frontend-patterns/SKILL.md`. For accessibility see `skills/accessibility/SKILL.md`. diff --git a/rules/react/security.md b/rules/react/security.md new file mode 100644 index 00000000..1e3553eb --- /dev/null +++ b/rules/react/security.md @@ -0,0 +1,180 @@ +--- +paths: + - "**/*.tsx" + - "**/*.jsx" + - "**/components/**/*.ts" + - "**/app/**/*.ts" + - "**/pages/**/*.ts" +--- +# React Security + +> This file extends [typescript/security.md](../typescript/security.md) and [common/security.md](../common/security.md) with React specific content. + +## XSS via `dangerouslySetInnerHTML` + +CRITICAL. The prop name is deliberately scary — treat every usage as a code review halt. + +```tsx +// CRITICAL: unsanitized user input +
+ +// CORRECT options: +// 1. Render as text +
{userBio}
+ +// 2. Render parsed markdown via a library that sanitizes +{userBio} + +// 3. If raw HTML is required, sanitize first with DOMPurify +import DOMPurify from "isomorphic-dompurify"; +
+``` + +Audit checklist for every `dangerouslySetInnerHTML` call: + +- Is the input always under our control? Document the source. +- If user-derived: is it sanitized at the **same call site**? (Sanitization at the API boundary is acceptable only if every consumer is verified.) +- Is the sanitizer config allowlisting tags, not denylisting? + +## Unsafe URL Schemes + +`javascript:` and `data:` URLs in `href`, `src`, and `xlink:href` execute arbitrary code. + +```tsx +// CRITICAL: javascript: URL injection +Visit // if user.website = "javascript:alert(1)" + +// CORRECT: validate scheme +function safeUrl(url: string): string | undefined { + try { + const parsed = new URL(url); + if (["http:", "https:", "mailto:"].includes(parsed.protocol)) return url; + } catch { + return undefined; + } + return undefined; +} +Visit +``` + +React warns about `javascript:` URLs in `href` in development mode, but does not block them at runtime. `data:` URLs and other schemes also slip through. Always validate. + +## `target="_blank"` Without `rel` + +`` without `rel="noopener noreferrer"` lets the target page access `window.opener` and run navigation hijacks. + +```tsx +// WRONG +External + +// CORRECT +External +``` + +Modern browsers default to `noopener` when `target="_blank"`, but do not rely on browser defaults — be explicit. + +## Server Action Input Validation + +Server Actions (`"use server"`) run with the same trust level as a public API endpoint. Validate every input. + +```tsx +"use server"; +import { z } from "zod"; + +const Input = z.object({ + email: z.string().email(), + age: z.number().int().min(0).max(120), +}); + +export async function updateUser(_state: unknown, formData: FormData) { + const parsed = Input.safeParse({ + email: formData.get("email"), + age: Number(formData.get("age")), + }); + if (!parsed.success) return { error: parsed.error.flatten() }; + // ... +} +``` + +- Authenticate inside the action — do not trust the client-side route gate +- Authorize: confirm the current user has permission for the specific record they are mutating +- Rate limit sensitive actions + +## Secret Exposure via Env Vars + +Prefixed env vars are bundled into the client. Treat them as public. + +| Framework | Public prefix | Private | +|---|---|---| +| Next.js | `NEXT_PUBLIC_*` | All others | +| Vite | `VITE_*` | `.env` server-side only | +| Create React App | `REACT_APP_*`, plus `NODE_ENV` and `PUBLIC_URL` | All others (anything without the `REACT_APP_` prefix is server-side only) | +| Remix | `process.env` access in `loader`/`action` only | Same | + +```ts +// CRITICAL: secret leaked to client bundle +const apiKey = process.env.NEXT_PUBLIC_STRIPE_SECRET_KEY; +``` + +Audit on every PR that touches env vars: would this string in the public bundle be a problem? + +## Authentication / Authorization + +- Never store sessions in `localStorage` — accessible to any XSS. Use httpOnly secure cookies. +- Never trust client-set state to gate sensitive UI. Render-gating in JSX prevents display, not access — the API must enforce. +- CSRF: cookie-based auth requires CSRF tokens or `SameSite=Strict`/`Lax` cookies +- Use double-submit cookies or origin verification for form actions when not using framework defaults + +## Content Security Policy (CSP) + +Configure server-side. The minimum acceptable CSP for a React app: + +``` +default-src 'self'; +script-src 'self' 'nonce-{REQUEST_NONCE}'; +style-src 'self' 'unsafe-inline'; +img-src 'self' data: https:; +connect-src 'self' https://api.example.com; +frame-ancestors 'none'; +``` + +- Avoid `unsafe-inline` and `unsafe-eval` in `script-src` +- For SSR with inline scripts (Next.js streaming, hydration data), use per-request nonces — both Next.js and Remix support nonce injection +- `style-src 'unsafe-inline'` is often unavoidable for CSS-in-JS libraries — document the tradeoff + +## Prototype Pollution via Object Spread + +```tsx +// WRONG: untrusted JSON spread directly into state +const update = await req.json(); +setState({ ...state, ...update }); // attacker controls __proto__ + +// CORRECT: parse with a schema, or guard keys +const Allowed = z.object({ name: z.string(), email: z.string().email() }); +const parsed = Allowed.parse(await req.json()); +setState({ ...state, ...parsed }); +``` + +## SSR Template Injection + +When using `renderToString` or `renderToPipeableStream`: + +- All values rendered inside JSX are escaped by React — safe +- Values passed to `dangerouslySetInnerHTML` are NOT escaped — same rules as client +- Manually constructed HTML wrappers around the React output must be escaped or sanitized — never concatenate user input into the surrounding HTML template + +## Third-Party Components + +- Audit `npm audit` before adding any UI library +- Check that the library does not internally use `dangerouslySetInnerHTML` on its input (e.g., rich text editors) +- Pin versions, review changelogs before major upgrades +- Be wary of components that accept HTML strings as props + +## Source Map Exposure in Production + +Production builds should ship without source maps, or with sourcemaps uploaded to an error tracker (Sentry) and stripped from the public bundle. Public source maps leak internal logic and file structure. + +## Agent Support + +- Use `security-reviewer` agent for comprehensive security audits across the codebase +- Use `react-reviewer` agent for React-specific patterns and the above rules in active code review diff --git a/rules/react/testing.md b/rules/react/testing.md new file mode 100644 index 00000000..fa8da66c --- /dev/null +++ b/rules/react/testing.md @@ -0,0 +1,208 @@ +--- +paths: + - "**/*.test.tsx" + - "**/*.test.jsx" + - "**/*.spec.tsx" + - "**/*.spec.jsx" + - "**/__tests__/**/*.ts" + - "**/__tests__/**/*.tsx" +--- +# React Testing + +> This file extends [typescript/testing.md](../typescript/testing.md) and [common/testing.md](../common/testing.md) with React specific content. + +## Library Choice + +- **React Testing Library (RTL)** — the standard for component testing. Tests behavior through the rendered DOM. +- **Vitest** — preferred runner for new Vite-based projects. Faster than Jest, native ESM, same API. +- **Jest** — still the default for Next.js / CRA projects. RTL works identically. +- **Playwright Component Testing** — when component tests need a real browser engine (animation, layout, complex events) +- **Cypress Component Testing** — alternative real-browser component runner + +Pick one component test runner per project — do not mix RTL + Playwright CT in the same repo. + +## Core Principle + +Test what the user sees and does, not implementation details. + +- Query by accessible role first, then label, then text — fall back to `data-testid` only when nothing else fits +- Never assert on internal state, props passed to children, or which hooks were called +- Refactor without breaking tests = the test was testing behavior; that is the goal + +## Query Priority + +RTL exposes queries in three families. Use this priority order top-down: + +1. **Accessible to everyone** + - `getByRole(role, { name })` — primary choice + - `getByLabelText` — for form inputs + - `getByPlaceholderText` — when no label is available (and add a label) + - `getByText` — for non-interactive text + - `getByDisplayValue` — for form fields with a current value + +2. **Semantic queries** + - `getByAltText` — for images + - `getByTitle` — last resort, low accessibility value + +3. **Test IDs** + - `getByTestId("some-id")` — escape hatch only, when none of the above work + +`getBy*` throws when no match. `queryBy*` returns null (use for asserting absence). `findBy*` returns a promise (use for async). + +## User Interaction + +Prefer `userEvent` over `fireEvent`. `userEvent` simulates real browser sequences (focus, keydown, beforeinput, input, keyup) — `fireEvent` dispatches a single synthetic event. + +```tsx +import userEvent from "@testing-library/user-event"; + +test("submits the form", async () => { + const user = userEvent.setup(); + render(); + + await user.type(screen.getByLabelText("Email"), "user@example.com"); + await user.click(screen.getByRole("button", { name: /save/i })); + + expect(handleSubmit).toHaveBeenCalledWith({ email: "user@example.com" }); +}); +``` + +- Always `await` `userEvent` calls — they are async +- Call `userEvent.setup()` once at the top of each test, then reuse the returned `user` + +## Async Assertions + +```tsx +// WRONG: synchronous query for async-rendered content +expect(screen.getByText("Loaded")).toBeInTheDocument(); // throws — not in DOM yet + +// CORRECT: findBy* (returns a promise, retries) +expect(await screen.findByText("Loaded")).toBeInTheDocument(); + +// CORRECT: waitFor for non-element assertions +await waitFor(() => expect(saveSpy).toHaveBeenCalled()); +``` + +- `findBy*` for async element appearance +- `waitFor` for async expectations on side effects or other matchers +- Never `setTimeout` + assertion — flaky + +## Network Mocking with MSW + +Use Mock Service Worker for any test that hits a network boundary. MSW runs at the network layer, so the component, hooks, and fetch library all behave as in production. + +```tsx +// test setup +import { setupServer } from "msw/node"; +import { http, HttpResponse } from "msw"; + +const server = setupServer( + http.get("/api/users/:id", ({ params }) => + HttpResponse.json({ id: params.id, name: "Alice" }), + ), +); + +beforeAll(() => server.listen()); +afterEach(() => server.resetHandlers()); +afterAll(() => server.close()); +``` + +Per-test override: + +```tsx +test("renders error on 500", async () => { + server.use(http.get("/api/users/:id", () => new HttpResponse(null, { status: 500 }))); + render(); + expect(await screen.findByText(/something went wrong/i)).toBeInTheDocument(); +}); +``` + +## Avoid Snapshot Tests for Components + +Snapshots of rendered output are brittle, hard to review, and rubber-stamped by reviewers. Use them only for: + +- Pure data serialization (e.g., a transformer that produces a stable string) +- Catching unintended regressions in non-visual output + +For component visual regression, use Playwright / Cypress / Percy screenshots — actual visual diffs, not DOM diffs. + +## Test Setup Helpers + +Wrap providers once: + +```tsx +function renderWithProviders(ui: React.ReactElement) { + return render( + + + {ui} + + , + ); +} +``` + +Export from `test-utils.tsx` and use everywhere. + +## Custom Hook Testing + +Use `renderHook` from RTL: + +```tsx +import { renderHook, act } from "@testing-library/react"; + +test("useCounter increments", () => { + const { result } = renderHook(() => useCounter()); + act(() => result.current.increment()); + expect(result.current.count).toBe(1); +}); +``` + +- Always wrap state-changing calls in `act` +- Always test through the public hook API, not internal implementation + +## Accessibility Assertions + +```tsx +import { axe } from "vitest-axe"; // or jest-axe + +test("UserCard has no a11y violations", async () => { + const { container } = render(); + expect(await axe(container)).toHaveNoViolations(); +}); +``` + +Run axe assertions in component tests — catches missing labels, ARIA misuse, color contrast (limited). + +## When to Reach for Playwright / Cypress + +Component test with RTL + JSDOM cannot: + +- Test real layout (flexbox, grid, viewport-dependent rendering) +- Test scrolling, drag-and-drop, paste from clipboard +- Test browser-native animation, CSS transitions +- Test cross-frame interactions (iframes, popups) + +For those, use Playwright Component Testing or end-to-end Playwright/Cypress runs. See [e2e-testing skill](../../skills/e2e-testing/SKILL.md). + +## Coverage Targets + +| Layer | Target | +|---|---| +| Pure utility functions | ≥90% | +| Custom hooks | ≥85% | +| Components (presentational) | ≥80% — behavior, not lines | +| Container components | ≥70% — golden paths + error states | +| Pages (E2E covered separately) | Smoke test per route minimum | + +## Anti-Patterns + +- Asserting on `container.querySelector` — bypasses accessibility queries +- Asserting on number of renders — implementation detail +- Mocking React hooks (`jest.mock("react", ...)`) — refactor the component instead +- Mocking child components by default — tests the integration, not the parent in isolation +- Manual `act()` warnings ignored — they indicate real bugs + +## Skill Reference + +See `skills/react-testing/SKILL.md` for end-to-end test examples, MSW patterns, and accessibility test scaffolding. diff --git a/scripts/ci/catalog.js b/scripts/ci/catalog.js index e5fac994..a36df0a5 100644 --- a/scripts/ci/catalog.js +++ b/scripts/ci/catalog.js @@ -128,7 +128,7 @@ function parseReadmeExpectations(readmeContent) { const tablePatterns = [ { category: 'agents', regex: /\|\s*(?:\*\*)?Agents(?:\*\*)?\s*\|\s*(?:(?:PASS:|\u2705)\s*)?(\d+)\s+agents\s*\|/i, source: 'README.md comparison table' }, - { category: 'commands', regex: /\|\s*(?:\*\*)?Commands(?:\*\*)?\s*\|\s*(?:(?:PASS:|\u2705)\s*)?(\d+)\s+commands\s*\|/i, source: 'README.md comparison table' }, + { category: 'commands', regex: /\|\s*(?:\*\*)?Commands(?:\*\*)?\s*\|\s*(?:(?:PASS:|\u2705)\s*)?(\d+)\s+commands(?:\s*\([^)]*\))?\s*\|/i, source: 'README.md comparison table' }, { category: 'skills', regex: /\|\s*(?:\*\*)?Skills(?:\*\*)?\s*\|\s*(?:(?:PASS:|\u2705)\s*)?(\d+)\s+skills\s*\|/i, source: 'README.md comparison table' } ]; diff --git a/skills/react-patterns/SKILL.md b/skills/react-patterns/SKILL.md new file mode 100644 index 00000000..f1340c8c --- /dev/null +++ b/skills/react-patterns/SKILL.md @@ -0,0 +1,341 @@ +--- +name: react-patterns +description: React 18/19 patterns including hooks discipline, server/client component boundaries, Suspense + error boundaries, form actions, data fetching, state management decision trees, and accessibility-first composition. Use when writing or reviewing React components. +origin: ECC +--- + +# React Patterns + +Idiomatic React 18/19 patterns for building robust, accessible, performant component trees. + +## When to Activate + +- Writing or modifying React function components, custom hooks, or component trees +- Reviewing JSX/TSX files +- Designing state shape or component composition +- Migrating class components or older `forwardRef`/`useEffect`-heavy code +- Choosing between local state, lifted state, context, and external stores +- Working with Server Components / Client Components (Next.js App Router, RSC) +- Implementing forms with React 19 actions or controlled inputs +- Wiring data fetching with TanStack Query / SWR / RSC + +## Core Principles + +### 1. Render is a Pure Function of Props and State + +```tsx +// Good: derive during render +function Cart({ items }: { items: CartItem[] }) { + const total = items.reduce((sum, i) => sum + i.price * i.qty, 0); + return {formatMoney(total)}; +} + +// Bad: derived state stored separately +function Cart({ items }: { items: CartItem[] }) { + const [total, setTotal] = useState(0); + useEffect(() => { + setTotal(items.reduce((sum, i) => sum + i.price * i.qty, 0)); + }, [items]); + return {formatMoney(total)}; +} +``` + +Derived state in `useEffect` adds a render cycle, can desync, and obscures the data flow. + +### 2. Side Effects Outside Render + +Effects, mutations, network calls, and subscriptions live in event handlers or `useEffect` — never in the render body. + +### 3. Composition Over Inheritance + +React has no inheritance model for components. Compose with `children`, render props, or component props. + +## Hooks Discipline + +See [rules/react/hooks.md](../../rules/react/hooks.md) for the full ruleset. Highlights: + +- Top-level only, never conditional +- Cleanup every subscription, interval, listener +- Functional updater (`setX(prev => prev + 1)`) when new state depends on old +- Default position: do not memoize — add `useMemo`/`useCallback` only when a profiler or a dependency chain proves it matters +- Extract a custom hook only when the same hook sequence appears in 2+ components + +## State Location Decision Tree + +``` +Used by one component? + -> useState inside it + +Used by parent + a few descendants? + -> lift to nearest common ancestor + +Used across distant branches AND low-frequency reads (theme, auth, locale)? + -> React Context + +High-frequency updates shared across the tree? + -> external store (Zustand, Jotai, Redux Toolkit) + +Derived from a server? + -> server-state library (TanStack Query, SWR, RSC fetch) +``` + +Most pages do not need context or a global store. Resist abstraction until duplicated lifting becomes painful. + +## Server / Client Components (RSC) + +```tsx +// Server Component - default, async, never ships JS for itself +export default async function ProductPage({ params }: { params: { id: string } }) { + const product = await db.product.findUnique({ where: { id: params.id } }); + if (!product) notFound(); + return ; +} + +// Client Component - opt in with "use client" +"use client"; +export function AddToCartButton({ productId }: { productId: string }) { + const [pending, startTransition] = useTransition(); + return ( + + ); +} +``` + +Boundaries: + +- Server -> Client: pass serializable props or `children` +- Client -> Server: invoke Server Actions via `
` or imperatively from event handlers +- Never `import` a Server Component from a Client Component file — compose them via `children` instead + +## Suspense + Error Boundaries + +```tsx +}> + }> + + + +``` + +- Place Suspense boundaries close to the data, not at the route root — progressively reveal content +- Error Boundary remains a class API; use `react-error-boundary` for a hook-friendly wrapper +- A boundary catches errors thrown during render, lifecycle, and constructors of its children — NOT in event handlers or async code + +## Forms + +### React 19 form actions (preferred for new code) + +```tsx +"use client"; +import { useActionState } from "react"; + +const initial = { error: null as string | null }; + +async function updateUserAction(_prev: typeof initial, formData: FormData) { + "use server"; + const parsed = UserSchema.safeParse(Object.fromEntries(formData)); + if (!parsed.success) return { error: "Invalid input" }; + await db.user.update({ where: { id: parsed.data.id }, data: parsed.data }); + return { error: null }; +} + +export function UserForm() { + const [state, formAction, pending] = useActionState(updateUserAction, initial); + return ( + + + + {state.error &&

{state.error}

} +
+ ); +} +``` + +### Controlled inputs + +Use controlled when the value drives other UI, formats on every keystroke, or implements real-time validation. + +### Complex forms + +For multi-step forms, dynamic field arrays, or cross-field validation: use a library (React Hook Form, TanStack Form). Roll-your-own state management for forms past trivial complexity is a maintenance trap. + +## Data Fetching Decision Matrix + +| Need | Tool | +|---|---| +| Per-request data in Next.js App Router | RSC `await fetch()` | +| Client-side cache + mutations + invalidation | TanStack Query | +| Lightweight client cache + revalidation | SWR | +| Real-time subscriptions | Server-Sent Events, WebSockets, or the lib's subscription API | +| One-off fire-and-forget | `fetch()` in an event handler | + +Avoid `useEffect` + `fetch` for application data — race conditions, no cache, no retry, no Suspense integration. + +## Composition Recipes + +### Slot via `children` + +```tsx + +
+
{content}
+ +``` + +### Named slots + +```tsx +} sidebar={}> + + +``` + +### Compound components (shared state via Context) + +```tsx + + + Profile + Settings + + + + +``` + +### Render prop / function-as-child + +Useful when the parent needs to pass parameters to the rendered output: + +```tsx + + {({ data, isLoading }) => isLoading ? : } + +``` + +Modern alternative: a hook (`useData(id)`) returning the same shape — usually cleaner. + +## Performance + +### When `React.memo` Actually Helps + +Wrap a component in `React.memo` only when: + +1. It re-renders frequently +2. Its props are usually the same between renders +3. Its render is measurably expensive + +`React.memo` adds an equality check on every render. If props differ on most renders, the check is pure overhead. + +### Avoiding Render Cascades + +- Lift state down rather than up where possible +- Split context: one context per concern, so a change to `themeContext` does not re-render auth consumers +- Use `useSyncExternalStore` for external state libraries — required for safe concurrent rendering + +### Lists + +- Provide stable `key` props (database id, not array index) +- Virtualize long lists with `@tanstack/react-virtual` or `react-window` once visible item count exceeds ~50 with non-trivial rows + +## Accessibility-First Composition + +- Always render semantic HTML (` + + + ); +} +``` + +### Splitting context to avoid render cascades + +```tsx +// Two contexts: one rarely changes, one frequently +const ThemeContext = createContext("light"); +const NotificationsContext = createContext([]); + +// A component that only consumes ThemeContext does NOT re-render when notifications change +``` diff --git a/skills/react-performance/SKILL.md b/skills/react-performance/SKILL.md new file mode 100644 index 00000000..91ccf8f7 --- /dev/null +++ b/skills/react-performance/SKILL.md @@ -0,0 +1,574 @@ +--- +name: react-performance +description: React and Next.js performance optimization patterns adapted from Vercel Engineering's React Best Practices (https://github.com/vercel-labs/agent-skills). Organizes 70+ rules across 8 priority categories — waterfalls, bundle size, server-side, client fetching, re-render, rendering, JS micro-perf, advanced. Use when writing, reviewing, or refactoring React/Next.js code for performance. +origin: ECC +--- + +# React Performance + +Performance optimization patterns for React 18/19 and Next.js, adapted from [Vercel Labs `react-best-practices`](https://github.com/vercel-labs/agent-skills/tree/main/skills/react-best-practices) (MIT, v1.0.0). This skill organizes rules by priority and provides decision-tree guidance for active code review and refactoring. + +## When to Activate + +- Writing or reviewing React/Next.js code for performance +- Diagnosing slow page loads, slow interactions, or high CPU on the client +- Auditing bundle size or Lighthouse Core Web Vitals regressions +- Removing waterfalls in Server Components / API routes +- Reducing client-side re-renders +- Optimizing long lists, animations, or hydration +- Auditing optimization choices in PRs touching `app/`, `pages/`, `components/`, or data layers + +## Priority Index + +| Priority | Category | Prefix | When it matters | +|---|---|---|---| +| 1 — CRITICAL | Eliminating Waterfalls | `async-` | Anytime `await` is followed by independent `await` | +| 2 — CRITICAL | Bundle Size Optimization | `bundle-` | First-load JS, route-level imports, third-party libs | +| 3 — HIGH | Server-Side Performance | `server-` | RSC, Server Actions, API routes, SSR | +| 4 — MEDIUM-HIGH | Client-Side Data Fetching | `client-` | SWR / TanStack Query / raw `fetch` in hooks | +| 5 — MEDIUM | Re-render Optimization | `rerender-` | High-frequency state updates, parent-child fan-out | +| 6 — MEDIUM | Rendering Performance | `rendering-` | Long lists, animations, hydration | +| 7 — LOW-MEDIUM | JavaScript Performance | `js-` | Hot loops, frequent allocations | +| 8 — LOW | Advanced Patterns | `advanced-` | Effect-event integration, stable refs | + +## 1. Eliminating Waterfalls (CRITICAL) + +> "Waterfalls are the #1 performance killer" — every sequential `await` adds full network latency. + +### Cheap conditions before await + +Check sync conditions (props, env, hardcoded flags) before awaiting remote data. + +```ts +// INCORRECT +async function Page({ id }: { id: string }) { + const flag = await getFlag("show-page"); + if (!flag || !id) return null; + const data = await getData(id); + // ... +} + +// CORRECT — short-circuit on cheap sync condition first +async function Page({ id }: { id: string }) { + if (!id) return null; + const flag = await getFlag("show-page"); + if (!flag) return null; + const data = await getData(id); +} +``` + +### Defer awaits until used + +Move `await` into the branch that uses it. + +```ts +// INCORRECT — awaits before deciding it needs the data +const user = await getUser(id); +if (mode === "guest") return renderGuest(); +return renderUser(user); + +// CORRECT +if (mode === "guest") return renderGuest(); +const user = await getUser(id); +return renderUser(user); +``` + +### Promise.all for independent work + +```ts +// INCORRECT — sequential +const user = await getUser(id); +const posts = await getPosts(id); +const followers = await getFollowers(id); + +// CORRECT — parallel +const [user, posts, followers] = await Promise.all([ + getUser(id), + getPosts(id), + getFollowers(id), +]); +``` + +### Partial dependencies — start early, await late + +```ts +// CORRECT — kick off all promises, await only when each result is needed +const userP = getUser(id); +const postsP = getPosts(id); +const profile = await getProfile(id); +if (profile.private) return null; +const [user, posts] = await Promise.all([userP, postsP]); +``` + +### Suspense for streaming + +Push `` boundaries close to the data so the page paints what it can while slower sub-trees stream in. The trade-off: layout shift when content arrives — reserve space (skeleton or `min-height`). + +### Server Components: parallel through composition + +```tsx +// INCORRECT — sibling awaits run sequentially inside one component +export default async function Page() { + const user = await getUser(); + const cart = await getCart(); + return ; +} + +// CORRECT — split into children, React runs them in parallel +export default async function Page() { + return ( + + + + + ); +} +``` + +## 2. Bundle Size Optimization (CRITICAL) + +### Direct imports, not barrels + +Barrel `index.ts` files force the bundler to walk the entire module graph even when tree-shaking removes most of it. Direct imports save 200-800ms of first-load JS in many real-world apps. + +```ts +// INCORRECT +import { Button, Card, Modal } from "@/components"; + +// CORRECT +import { Button } from "@/components/Button"; +import { Card } from "@/components/Card"; +import { Modal } from "@/components/Modal"; +``` + +Next.js 13.5+ has [Optimize Package Imports](https://nextjs.org/docs/app/api-reference/next-config-js/optimizePackageImports) that automates this for listed packages — use it; manual direct imports still required for non-listed libs. + +### Statically analyzable paths + +```ts +// INCORRECT — defeats bundler/trace analysis +const mod = await import(`./pages/${name}`); + +// CORRECT — explicit per branch +const mod = name === "home" ? await import("./pages/home") : await import("./pages/about"); +``` + +### Dynamic imports for heavy components + +```tsx +import dynamic from "next/dynamic"; + +const HeavyChart = dynamic(() => import("./HeavyChart"), { + loading: () => , + ssr: false, // when client-only +}); +``` + +### Defer third-party scripts + +Load analytics, logging, support widgets AFTER hydration. Use `next/script` with `strategy="afterInteractive"` (default) or `"lazyOnload"`. + +### Conditional module loading + +```tsx +if (user.role === "admin") { + const { AdminPanel } = await import("./admin/AdminPanel"); + // ... +} +``` + +### Preload on hover/focus + +Trigger `` or `import()` on hover so the bundle is in cache by the time the user clicks. + +## 3. Server-Side Performance (HIGH) + +### Authenticate Server Actions like API routes + +Every `"use server"` function is a public endpoint. Authenticate AND authorize inside the action — never rely on the calling Client Component's gating. + +```ts +"use server"; +export async function deleteUser(formData: FormData) { + const session = await getSession(); + if (!session?.user) throw new Error("Unauthorized"); + const targetId = String(formData.get("id")); + if (session.user.role !== "admin" && session.user.id !== targetId) { + throw new Error("Forbidden"); + } + await db.user.delete({ where: { id: targetId } }); +} +``` + +### `React.cache()` for per-request deduplication + +```ts +import { cache } from "react"; + +export const getUser = cache(async (id: string) => { + return db.user.findUnique({ where: { id } }); +}); +``` + +`React.cache` dedupes within a single request. Calling `getUser("1")` from three Server Components in the same render = one DB query. + +### LRU cache for cross-request data + +For data that does NOT change per request (config, lookup tables), cache outside React with an LRU cache or `unstable_cache`. + +### Avoid duplicate serialization in RSC props + +When a Server Component renders the same data into multiple Client Components, the data is serialized once per consumer. Lift the Client Component up and pass children. + +### Hoist static I/O to module scope + +```ts +// CORRECT — runs once at module load +const fontData = readFileSync(fontPath); + +export async function Page() { + return ; +} +``` + +### No mutable module-level state in RSC/SSR + +Module state on the server is shared across all requests — a race condition between users. Use request-scoped storage (`headers()`, `cookies()`, async context) instead. + +### Minimize data passed to Client Components + +Only serialize what the Client needs. Strip fields, paginate, project columns at the DB layer. + +### Parallelize nested fetches with Promise.all per item + +```ts +const users = await getUsers(); +const enriched = await Promise.all( + users.map(async (u) => ({ ...u, posts: await getPostsFor(u.id) })), +); +``` + +### Use `after()` for non-blocking work + +Next.js 15 `after()` runs work after the response is sent — logging, cache warming, analytics. + +```ts +import { after } from "next/server"; +export async function GET() { + const data = await getData(); + after(() => logAnalytics(data)); + return Response.json(data); +} +``` + +## 4. Client-Side Data Fetching (MEDIUM-HIGH) + +### SWR / TanStack Query for deduplication + +Multiple components calling `useUser(id)` should share one network request and one cache entry. Use SWR or TanStack Query — never roll your own `useEffect` + `fetch` for shared data. + +### Deduplicate global event listeners + +```tsx +// INCORRECT — every component adds its own +useEffect(() => { + window.addEventListener("scroll", handler); + return () => window.removeEventListener("scroll", handler); +}, []); + +// CORRECT — single shared listener via a hook + global subject +const useScroll = createScrollHook(); // singleton subject under the hood +``` + +### Passive listeners for scroll + +```ts +window.addEventListener("scroll", handler, { passive: true }); +``` + +Improves scrolling smoothness; the listener cannot `preventDefault()`. + +### localStorage: version + minimize + +- Always store a `version` field; bump on schema change and migrate or discard old data +- Keep payloads small — `localStorage` is synchronous and blocks main thread + +## 5. Re-render Optimization (MEDIUM) + +### Don't subscribe to state used only in callbacks + +```tsx +// INCORRECT — re-renders every time count changes +const count = useStore((s) => s.count); +const handler = () => doSomething(count); + +// CORRECT — read once on call +const handler = () => { + const count = useStore.getState().count; + doSomething(count); +}; +``` + +### Extract expensive work into memoized components + +```tsx +// CORRECT — child re-renders only when `items` changes +const Heavy = memo(function Heavy({ items }: { items: Item[] }) { + return ; +}); +``` + +### Hoist default non-primitive props + +```tsx +// INCORRECT — new array each render breaks memo + + +// CORRECT +const EMPTY: Item[] = []; + +``` + +### Primitive dependencies in effects + +```tsx +// INCORRECT — new object identity every render +useEffect(() => {}, [{ id, name }]); + +// CORRECT — primitives +useEffect(() => {}, [id, name]); +``` + +### Subscribe to derived booleans, not raw values + +```tsx +// INCORRECT — re-renders for any cart change +const cart = useStore((s) => s.cart); +const hasItems = cart.length > 0; + +// CORRECT — re-renders only when emptiness flips +const hasItems = useStore((s) => s.cart.length > 0); +``` + +### Derive during render, never via `useEffect` + +```tsx +// INCORRECT +const [full, setFull] = useState(""); +useEffect(() => setFull(`${first} ${last}`), [first, last]); + +// CORRECT +const full = `${first} ${last}`; +``` + +### Functional `setState` for stable callbacks + +```tsx +// CORRECT +const increment = useCallback(() => setCount((c) => c + 1), []); +``` + +### Lazy state initializer for expensive values + +```tsx +const [tree] = useState(() => parseTree(largeInput)); +``` + +### Avoid memo for simple primitives + +`useMemo(() => x + 1, [x])` is overhead. Memo earns its keep on object identity and expensive computation. + +### Split hooks with independent deps + +```tsx +// INCORRECT — both selectors re-run if either source changes +const { a, b } = useSomething(source1, source2); + +// CORRECT +const a = useA(source1); +const b = useB(source2); +``` + +### Move interaction logic into event handlers + +Event handlers run only on the user action — `useEffect` re-runs whenever deps change. + +### `startTransition` for non-urgent updates + +```tsx +const [pending, startTransition] = useTransition(); +startTransition(() => setFilters(newFilters)); +``` + +### `useDeferredValue` for expensive renders + +```tsx +const deferredQuery = useDeferredValue(query); +const results = useMemo(() => expensiveSearch(deferredQuery), [deferredQuery]); +``` + +### `useRef` for transient frequent values + +For values that change often but should not trigger re-render (timestamps, last-key, accumulators). + +### Don't define components inside components + +```tsx +// INCORRECT — Inner is a new component on every Outer render +function Outer() { + const Inner = () => ; + return ; +} +``` + +Each render makes a new `Inner` type, defeating reconciliation and unmounting children. + +## 6. Rendering Performance (MEDIUM) + +### Animate the wrapper, not the SVG + +Transforming a `
` wrapper around an SVG is GPU-accelerated; transforming the SVG itself triggers paint. + +### `content-visibility: auto` for long lists + +```css +.row { content-visibility: auto; contain-intrinsic-size: auto 80px; } +``` + +Browser skips offscreen rendering — major win for lists with hundreds of rows. + +### Hoist static JSX + +```tsx +const STATIC_HEADER =

Title

; +function Page() { + return <>{STATIC_HEADER}; +} +``` + +### SVG: reduce coordinate precision + +`d="M10.123456,20.654321"` → `d="M10.12,20.65"`. Each digit costs bytes; the visual difference is sub-pixel. + +### Hydration no-flicker via inline script + +For values needed before hydration (theme, locale), inline a `