eggai-tech · Codesleuth · Mar 12, 2026 · Mar 12, 2026 · valdis · Mar 17, 2026
diff --git a/.qualops/examples/typescript-quality/typescript-quality.qualopsrc.json b/.qualops/examples/typescript-quality/typescript-quality.qualopsrc.json
@@ -0,0 +1,247 @@
+{
+  "ai": {
+    "reviewStage": {
+      "provider": "anthropic",
+      "model": "claude-sonnet-4-5-20250929",
+      "inputPerMillion": 3.0,
+      "outputPerMillion": 15.0,
+      "temperature": 0.1
+    },
+    "fixStage": {
+      "provider": "anthropic",
+      "model": "claude-sonnet-4-5-20250929",
+      "inputPerMillion": 3.0,
+      "outputPerMillion": 15.0,
+      "temperature": 0
+    },
+    "judgeStage": {
+      "provider": "anthropic",
+      "model": "claude-sonnet-4-5-20250929",
+      "inputPerMillion": 3.0,
+      "outputPerMillion": 15.0,
+      "temperature": 0
+    }
+  },
+  "performance": {
+    "maxFileSizeKB": 500,
+    "maxFilesPerBatch": 15,
+    "maxTokensPerFile": 4000,
+    "timeoutSeconds": 300,
+    "throttling": {
+      "enabled": true,
+      "maxRequestsPerMinute": 15
+    }
+  },
+  "review": {
+    "minConfidence": 7,
+    "maxConcurrentFiles": 3,
+    "validation": {
+      "enabled": true,
+      "minConfidence": 7,
+      "prompt": "typescript-quality/validation.md"
+    },
+    "deduplication": {
+      "enabled": true,
+      "prompt": "deduplication.md"
+    },
+    "pipeline": [
+      {
+        "name": "typescriptQualityReview",
+        "enabled": true,
+        "validation": {
+          "enabled": true,
+          "minConfidence": 7,
+          "prompt": "typescript-quality/validation.md"
+        },
+        "passes": [
+          {
+            "name": "Error Handling & Exceptions",
+            "enabled": true,
+            "prompt": "typescript-quality/review-system-message.md",
+            "filters": {
+              "detectionTriggers": [
+                "try\\s*\\{",
+                "catch\\s*\\(",
+                "throw\\s+new",
+                "Promise\\.reject",
+                "process\\.exit",
+                "Error",
+                "logger\\.error",
+                "logger\\.warn"
+              ],
+              "filePatterns": ["**/*.{ts,tsx,js,mjs,cjs}"],
+              "excludePatterns": ["**/*.spec.*", "**/*.test.*", "**/__tests__/**"]
+            }
+          },
+          {
+            "name": "Async/Await Patterns",
+            "enabled": true,
+            "prompt": "typescript-quality/review-system-message.md",
+            "filters": {
+              "detectionTriggers": [
+                "async\\s+function",
+                "await ",
+                "Promise\\.",
+                "new\\s+Promise",
+                "Promise\\.all",
+                "setTimeout",
+                "AbortController",
+                "for\\s+await"
+              ],
+              "filePatterns": ["**/*.{ts,tsx,js,mjs,cjs}"],
+              "excludePatterns": ["**/*.spec.*", "**/*.test.*", "**/__tests__/**"]
+            }
+          },
+          {
+            "name": "HTTP Endpoints & Middleware",
+            "enabled": true,
+            "prompt": "typescript-quality/review-system-message.md",
+            "filters": {
+              "detectionTriggers": [
+                "express\\(",
+                "Router\\(",
+                "app\\.(get|post|put|patch|delete)",
+                "router\\.(get|post|put|patch|delete)",
+                "Request",
+                "Response",
+                "NextFunction",
+                "res\\.status",
+                "req\\.(params|query|body)",
+                "zod"
+              ],
+              "filePatterns": [
+                "**/api/**/*.{ts,tsx,js,mjs,cjs}",
+                "**/routes/**/*.{ts,tsx,js,mjs,cjs}",
+                "**/*router*.{ts,tsx,js,mjs,cjs}",
+                "**/*controller*.{ts,tsx,js,mjs,cjs}",
+                "**/server.{ts,js}",
+                "**/main.{ts,js}"
+              ],
+              "excludePatterns": ["**/*.spec.*", "**/*.test.*", "**/__tests__/**"]
+            }
+          },
+          {
+            "name": "Type Safety & Validation",
+            "enabled": true,
+            "prompt": "typescript-quality/review-system-message.md",
+            "filters": {
+              "detectionTriggers": [
+                "interface\\s+",
+                "type\\s+",
+                "enum\\s+",
+                ": ",
+                "as\\s+",
+                "any",
+                "unknown",
+                "z\\.object",
+                "Joi\\.",
+                "class-validator"
+              ],
+              "filePatterns": ["**/*.{ts,tsx}"],
+              "excludePatterns": ["**/*.spec.*", "**/*.test.*", "**/__tests__/**"]
+            }
+          },
+          {
+            "name": "Logging & Observability",
+            "enabled": true,
+            "prompt": "typescript-quality/review-system-message.md",
+            "filters": {
+              "detectionTriggers": [
+                "logger\\.",
+                "console\\.",
+                "debug",
+                "pino",
+                "winston",
+                "traceId",
+                "requestId"
+              ],
+              "filePatterns": ["**/*.{ts,tsx,js,mjs,cjs}"],
+              "excludePatterns": ["**/*.spec.*", "**/*.test.*", "**/__tests__/**"]
+            }
+          },
+          {
+            "name": "Database & Persistence",
+            "enabled": true,
+            "prompt": "typescript-quality/review-system-message.md",
+            "filters": {
+              "detectionTriggers": [
+                "execute\\(",
+                "executemany\\(",
+                "query\\(",
+                "findOne",
+                "findMany",
+                "save\\(",
+                "transaction",
+                "prisma\\.",
+                "typeorm",
+                "SELECT",
+                "INSERT",
+                "UPDATE",
+                "DELETE",
+                "WHERE",
+                "connection",
+                "knex"
+              ],
+              "filePatterns": [
+                "**/repository/**/*.{ts,tsx,js,mjs,cjs}",
+                "**/persistence/**/*.{ts,tsx,js,mjs,cjs}",
+                "**/database/**/*.{ts,tsx,js,mjs,cjs}",
+                "**/db/**/*.{ts,tsx,js,mjs,cjs}",
+                "**/models/**/*.{ts,tsx,js,mjs,cjs}",
+                "**/*repository*.{ts,tsx,js,mjs,cjs}"
+              ],
+              "excludePatterns": [
+                "**/*.spec.*",
+                "**/*.test.*",
+                "**/__tests__/**",
+                "**/migrations/**"
+              ]
+            }
+          },
+          {
+            "name": "Configuration & Settings",
+            "enabled": true,
+            "prompt": "typescript-quality/review-system-message.md",
+            "filters": {
+              "detectionTriggers": [
+                "process\\.env",
+                "dotenv",
+                "import\\.meta\\.env",
+                "settings",
+                "config",
+                "SECRET",
+                "API_KEY",
+                "PASSWORD",
+                "TOKEN"
+              ],
+              "filePatterns": [
+                "**/config/**/*.{ts,tsx,js,mjs,cjs}",
+                "**/settings/**/*.{ts,tsx,js,mjs,cjs}",
+                "**/*config*.{ts,tsx,js,mjs,cjs}",
+                "**/*settings*.{ts,tsx,js,mjs,cjs}"
+              ],
+              "excludePatterns": ["**/*.spec.*", "**/*.test.*", "**/__tests__/**"]
+            }
+          }
+        ]
+      }
+    ]
+  },
+  "fix": {
+    "enabled": true,
+    "prompt": "fix-system-message.md",
+    "severities": ["high", "medium"],
+    "minConfidence": 8,
+    "maxConcurrentFixes": 5
+  },
+  "gitlab": {
+    "enabled": false,
+    "postComments": false,
+    "skipOnDraft": false,
+    "blockPipeline": false
+  },
+  "report": {
+    "includedSeverities": ["critical", "high", "medium"],
+    "enableRootCauseExtraction": false
+  }
+}
diff --git a/.qualops/prompts/typescript-quality/review-system-message.md b/.qualops/prompts/typescript-quality/review-system-message.md
@@ -0,0 +1,140 @@
+# TypeScript Code Quality Review System
+
+You are an expert TypeScript reviewer with strong knowledge of Node.js services, modern async patterns, API design, and secure coding practices.
+
+Your task is to review TypeScript/JavaScript code for real quality issues that affect correctness, security, maintainability, and production reliability.
+
+## Review Focus Areas
+
+### 1. Error Handling & Exceptions
+
+- Missing or weak try/catch around risky operations
+- Catch blocks that swallow errors or remove useful context
+- Throwing generic errors where domain-specific errors are needed
+- Returning raw internal errors to users
+- Missing cleanup in `finally` blocks
+
+**Look for:**
+
+- `catch (err) {}` with no logging or rethrow
+- `throw new Error("...")` without original cause when needed
+- API handlers exposing stack traces
+
+### 2. Async/Await Patterns
+
+- Missing `await` on promise-returning calls
+- Unhandled promises (`no-floating-promises` style issues)
+- Sequential awaits that should be parallelized
+- Missing timeout/cancellation handling
+- Blocking or CPU-heavy work in request paths
+
+**Look for:**
+
+- Promise-returning calls not awaited
+- `Promise.all` without failure strategy in critical workflows
+- No abort/timeout strategy for network calls
+
+### 3. HTTP Endpoints & Middleware
+
+- Missing input validation for `params`, `query`, and `body`
+- Inconsistent status codes and error response shape
+- Missing authz/authn checks in protected handlers
+- Missing defensive checks on user-controlled input
+- Middleware order bugs (auth/logging/error handling)
+
+**Look for:**
+
+- Route handlers trusting `req.body` directly
+- Inconsistent `res.status(...)` behavior
+- Missing centralized error normalization
+
+### 4. Type Safety & Validation
+
+- Excessive `any` usage
+- Unsafe type assertions (`as`) without runtime checks
+- Missing null/undefined guards
+- Weakly typed external API responses
+- Missing runtime schema validation at boundaries
+
+**Look for:**
+
+- `any` in critical paths
+- `as SomeType` on unvalidated input
+- Missing `zod`/Joi/class-validator style checks for external data
+
+### 5. Logging & Observability
+
+- Sensitive data in logs (tokens, passwords, PII)
+- Missing context (`requestId`, correlation IDs)
+- Wrong log levels for failures vs expected conditions
+- Excessive noisy logs in hot paths
+
+**Look for:**
+
+- `console.log` in production server paths
+- Logging full request bodies with secrets
+- Errors logged without enough context to debug
+
+### 6. Database & Persistence
+
+- SQL injection risks in raw queries
+- Missing transaction boundaries
+- N+1 query patterns
+- Missing pagination/limits on list queries
+- Incomplete rollback/error handling
+
+**Look for:**
+
+- String interpolation in SQL statements
+- Unbounded reads in API endpoints
+- Multi-step writes without transaction guards
+
+### 7. Configuration & Secrets
+
+- Unvalidated environment variables
+- Hardcoded secrets or credentials
+- Unsafe defaults for security-sensitive config
+- Missing fail-fast behavior for required config
+
+**Look for:**
+
+- `process.env.*` values used without validation
+- Secrets included in source or logs
+- Optional config silently falling back to insecure behavior
+
+## Severity Guidance
+
+- `critical`: clear security vulnerabilities, data corruption/loss, severe availability risks
+- `high`: likely production failures, major logic bugs, significant reliability/security concerns
+- `medium`: maintainability and correctness risks with meaningful impact
+- `low`: minor quality issues or non-critical improvements
+- `info`: useful suggestions with low immediate impact
+
- `low`: minor quality issues or non-critical improvements
- `info`: useful suggestions with low immediate impact
+- `low`: minor quality issues, non-critical improvements, or informational suggestions with low immediate impact
- `low`: minor quality issues or non-critical improvements
- `info`: useful suggestions with low immediate impact
+- `low`: minor quality issues, non-critical improvements, or informational suggestions with low immediate impact
+## Confidence Guidance
+
+- `8-10`: strong evidence of a real defect/anti-pattern
+- `5-7`: likely issue, somewhat context dependent
+- `1-4`: weak evidence or preference-level suggestion
+
+## Output Requirements
+
+For every issue, provide:
+
+- `title`
+- `severity`
+- `confidence` (1-10)
+- `category`
+- `line` (exact line or range)
+- `description`
+- `impact`
+- `recommendation` (with concrete fix direction)
+- `references` (TypeScript/Node.js/security best-practice sources)
-For every issue, provide:
-
- `title`
- `severity`
- `confidence` (1-10)
- `category`
- `line` (exact line or range)
- `description`
- `impact`
- `recommendation` (with concrete fix direction)
- `references` (TypeScript/Node.js/security best-practice sources)
+Follow the JSON schema provided by the reviewing tool (FileReviewer). Do not invent your own top-level keys or structure.
+
+Populate all required fields in that schema (for example: `type`, `description`, `location`, `reasoning`, `context`, `suggestion`, `severity`, `confidence`), and ensure severity and confidence values are consistent with the guidance above.
-For every issue, provide:
-
- `title`
- `severity`
- `confidence` (1-10)
- `category`
- `line` (exact line or range)
- `description`
- `impact`
- `recommendation` (with concrete fix direction)
- `references` (TypeScript/Node.js/security best-practice sources)
+Follow the JSON schema provided by the reviewing tool (FileReviewer). Do not invent your own top-level keys or structure.
+
+Populate all required fields in that schema (for example: `type`, `description`, `location`, `reasoning`, `context`, `suggestion`, `severity`, `confidence`), and ensure severity and confidence values are consistent with the guidance above.
+
+## What Not to Flag
+
+- Pure formatting/style concerns covered by formatter/linter
+- Test-only simplifications unless they create real production risk
+- Framework-standard patterns used correctly
+- Speculative issues without evidence
+
+Prioritize actionable findings that developers can fix quickly and safely.