Initial commit

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: dguido

.claude/commands/trailofbits/config.md

@@ -0,0 +1,47 @@
+You are installing or updating Trail of Bits' Claude Code configuration into the user's `~/.claude/` directory.
+
+## Source files
+
+Fetch each file from GitHub using WebFetch. The base URL is:
+
+```
+https://raw.githubusercontent.com/trailofbits/claude-code-config/main/
+```
+
+Files to fetch when needed:
+- `settings.json`
+- `claude-md-template.md`
+- `mcp-template.json`
+- `scripts/statusline.sh`
+- `commands/review-pr.md`
+- `commands/fix-issue.md`
+
+## Steps
+
+1. **Inventory what exists.** Read `~/.claude/settings.json`, `~/.claude/CLAUDE.md`, `~/.mcp.json`, `~/.claude/statusline.sh`, and check for `~/.claude/commands/review-pr.md` and `~/.claude/commands/fix-issue.md`. Note which files exist and which don't.
+
+2. **Ask the user what to install.** Use AskUserQuestion with a single multi-select question. List each component with a short description. Pre-label components that are missing from `~/.claude/` as recommended. Components:
+   - **settings.json** — permissions, hooks, telemetry, statusline config
+   - **CLAUDE.md** — global development standards and tool preferences
+   - **MCP servers** — Context7, Exa, Granola
+   - **Statusline script** — two-line status bar with context/cost tracking
+   - **review-pr command** — multi-agent PR review workflow
+   - **fix-issue command** — end-to-end issue fixing workflow
+
+3. **Fetch selected files.** Use WebFetch to download only the files needed for the user's selections from the GitHub URLs above. Extract the raw file content from each response.
+
+4. **For each selected component, install it:**
+
+   - **settings.json**: If `~/.claude/settings.json` doesn't exist, write it directly. If it does exist, read both files and merge the repo's keys into the existing file — preserve any user keys that don't conflict. Show the user the merged result and ask for confirmation before writing.
+
+   - **CLAUDE.md**: If `~/.claude/CLAUDE.md` doesn't exist, write the fetched `claude-md-template.md` content to `~/.claude/CLAUDE.md`. If it already exists, tell the user it exists and ask whether to overwrite, skip, or show a diff. Never silently overwrite CLAUDE.md — it likely has personal customizations.
+
+   - **MCP servers**: If `~/.mcp.json` doesn't exist, write the fetched template to `~/.mcp.json` and remind the user to replace `your-exa-api-key-here`. If it exists, read it, merge any missing server entries from the template, and show the result before writing.
+
+   - **Statusline script**: Write to `~/.claude/statusline.sh` and `chmod +x` it. Safe to overwrite — it has no user customization.
+
+   - **Commands**: Write to `~/.claude/commands/review-pr.md` and/or `~/.claude/commands/fix-issue.md`. Create the directory if needed. Safe to overwrite.
+
+5. **Self-install.** After completing the user's selections, also install this setup command itself to `~/.claude/commands/trailofbits/config.md` so the user can run `/trailofbits:config` from any directory in the future without needing the repo cloned.
+
+6. **Post-install.** Summarize what was installed/updated. If MCP servers were installed, remind the user about the Exa API key. If CLAUDE.md was installed, suggest they review and customize it.

.gitignore

@@ -0,0 +1,6 @@
+.DS_Store
+*.swp
+*.swo
+*~
+.env
+.env.*

README.md

@@ -0,0 +1,207 @@
+# Global Development Standards
+
+Global instructions for all projects. Project-specific CLAUDE.md files override these defaults.
+
+- Prefer Exa AI (`mcp__exa__web_search_exa`) over `WebSearch` for all web searches
+- Use skills proactively when they match the task — suggest relevant ones, don't block on them
+
+## Philosophy
+
+- **No speculative features** - Don't add features, flags, or configuration unless users actively need them
+- **No premature abstraction** - Don't create utilities until you've written the same code three times
+- **Clarity over cleverness** - Prefer explicit, readable code over dense one-liners
+- **Justify new dependencies** - Each dependency is attack surface and maintenance burden
+- **No phantom features** - Don't document or validate features that aren't implemented
+- **Replace, don't deprecate** - When a new implementation replaces an old one, remove the old one entirely. No backward-compatible shims, dual config formats, or migration paths. Proactively flag dead code — it adds maintenance burden and misleads both developers and LLMs.
+- **Verify at every level** - Set up automated guardrails (linters, type checkers, pre-commit hooks, tests) as the first step, not an afterthought. Prefer structure-aware tools (ast-grep, LSPs, compilers) over text pattern matching. Review your own output critically. Every layer catches what the others miss.
+- **Bias toward action** - Decide and move for anything easily reversed; state your assumption so the reasoning is visible. Ask before committing to interfaces, data models, architecture, or destructive/write operations on external services.
+- **Finish the job** - Don't stop at the minimum that technically satisfies the request. Handle the edge cases you can see. Clean up what you touched. If something is broken adjacent to your change, flag it. But don't invent new scope — there's a difference between thoroughness and gold-plating.
+- **Agent-native by default** - Design so agents can achieve any outcome users can. Tools are atomic primitives; features are outcomes described in prompts. Prefer file-based state for transparency and portability. When adding UI capability, ask: can an agent achieve this outcome too?
+
+## Code Quality
+
+### Hard limits
+
+1. ≤100 lines/function, cyclomatic complexity ≤8
+2. ≤5 positional params
+3. 100-char line length
+4. Absolute imports only — no relative (`..`) paths
+5. Google-style docstrings on non-trivial public APIs
+
+### Zero warnings policy
+
+Fix every warning from every tool — linters, type checkers, compilers, tests. If a warning truly can't be fixed, add an inline ignore with a justification comment. Never leave warnings unaddressed; a clean output is the baseline, not the goal.
+
+### Comments
+
+Code should be self-documenting. No commented-out code—delete it. If you need a comment to explain WHAT the code does, refactor the code instead.
+
+### Error handling
+
+- Fail fast with clear, actionable messages
+- Never swallow exceptions silently
+- Include context (what operation, what input, suggested fix)
+
+### Reviewing code
+
+Evaluate in order: architecture → code quality → tests → performance. Before reviewing, sync to latest remote (`git fetch origin`).
+
+For each issue: describe concretely with file:line references, present options with tradeoffs when the fix isn't obvious, recommend one, and ask before proceeding.
+
+### Testing
+
+**Test behavior, not implementation.** Tests should verify what code does, not how. If a refactor breaks your tests but not your code, the tests were wrong.
+
+**Test edges and errors, not just the happy path.** Empty inputs, boundaries, malformed data, missing files, network failures — bugs live in edges. Every error path the code handles should have a test that triggers it.
+
+**Mock boundaries, not logic.** Only mock things that are slow (network, filesystem), non-deterministic (time, randomness), or external services you don't control.
+
+**Verify tests catch failures.** Break the code, confirm the test fails, then fix. Use mutation testing (`cargo-mutants`, `mutmut`) to verify systematically. Use property-based testing (`proptest`, `hypothesis`) for parsers, serialization, and algorithms.
+
+## Development
+
+When adding dependencies, CI actions, or tool versions, always look up the current stable version — never assume from memory unless the user provides one.
+
+### CLI tools
+
+| tool | replaces | usage |
+|------|----------|-------|
+| `rg` (ripgrep) | grep | `rg "pattern"` - 10x faster regex search |
+| `fd` | find | `fd "*.py"` - fast file finder |
+| `ast-grep` | - | `ast-grep --pattern '$FUNC($$$)' --lang py` - AST-based code search |
+| `shellcheck` | - | `shellcheck script.sh` - shell script linter |
+| `shfmt` | - | `shfmt -i 2 -w script.sh` - shell formatter |
+| `actionlint` | - | `actionlint .github/workflows/` - GitHub Actions linter |
+| `zizmor` | - | `zizmor .github/workflows/` - Actions security audit |
+| `prek` | pre-commit | `prek run` - fast git hooks (Rust, no Python) |
+| `wt` | git worktree | `wt switch branch` - manage parallel worktrees |
+| `trash` | rm | `trash file` - moves to macOS Trash (recoverable). **Never use `rm -rf`** |
+
+Prefer `ast-grep` over ripgrep when searching for code structure (function calls, class definitions, imports, pattern matching across arguments). Use ripgrep for literal strings and log messages.
+
+### Python
+
+**Runtime:** 3.13 with `uv venv`
+
+| purpose | tool |
+|---------|------|
+| deps & venv | `uv` |
+| lint & format | `ruff check` · `ruff format` |
+| static types | `ty check` |
+| tests | `pytest -q` |
+
+**Always use uv, ruff, and ty** over pip/poetry, black/pylint/flake8, and mypy/pyright — they're faster and stricter. Configure `ty` strictness via `[tool.ty.rules]` in pyproject.toml. Use `uv_build` for pure Python, `hatchling` for extensions.
+
+Tests in `tests/` directory mirroring package structure. Supply chain: `pip-audit` before deploying, pin exact versions (`==` not `>=`), verify hashes with `uv pip install --require-hashes`.
+
+### Node/TypeScript
+
+**Runtime:** Node 22 LTS, ESM only (`"type": "module"`)
+
+| purpose | tool |
+|---------|------|
+| lint | `oxlint` |
+| format | `oxfmt` |
+| test | `vitest` |
+| types | `tsc --noEmit` |
+
+**Always use oxlint and oxfmt** over eslint/prettier — they're faster and stricter. Enable `typescript`, `import`, `unicorn` plugins.
+
+**tsconfig.json strictness** — enable all of these:
+```jsonc
+"strict": true,
+"noUncheckedIndexedAccess": true,
+"exactOptionalPropertyTypes": true,
+"noImplicitOverride": true,
+"noPropertyAccessFromIndexSignature": true,
+"verbatimModuleSyntax": true,
+"isolatedModules": true
+```
+
+Colocated `*.test.ts` files. Supply chain: `pnpm audit --audit-level=moderate` before installing, pin exact versions (no `^` or `~`), enforce 24-hour publish delay (`pnpm config set minimumReleaseAge 1440`), block postinstall scripts (`pnpm config set ignore-scripts true`).
+
+### Rust
+
+**Runtime:** Latest stable via `rustup`
+
+| purpose | tool |
+|---------|------|
+| build & deps | `cargo` |
+| lint | `cargo clippy --all-targets --all-features -- -D warnings` |
+| format | `cargo fmt` |
+| test | `cargo test` |
+| supply chain | `cargo deny check` (advisories, licenses, bans) |
+| safety check | `cargo careful test` (stdlib debug assertions + UB checks) |
+
+**Style:**
+- Prefer `for` loops with mutable accumulators over iterator chains
+- Shadow variables through transformations (no `raw_x`/`parsed_x` prefixes)
+- No wildcard matches; avoid `matches!` macro—explicit destructuring catches field changes
+- Use `let...else` for early returns; keep happy path unindented
+
+**Type design:**
+- Newtypes over primitives (`UserId(u64)` not `u64`)
+- Enums for state machines, not boolean flags
+- `thiserror` for libraries, `anyhow` for applications
+- `tracing` for logging (`error!`/`warn!`/`info!`/`debug!`), not println
+
+**Optimization:**
+- Write efficient code by default — correct algorithm, appropriate data structures, no unnecessary allocations
+- Profile before micro-optimizing; measure after
+
+**Cargo.toml lints:**
+```toml
+[lints.clippy]
+pedantic = { level = "warn", priority = -1 }
+# Panic prevention
+unwrap_used = "deny"
+expect_used = "warn"
+panic = "deny"
+panic_in_result_fn = "deny"
+unimplemented = "deny"
+# No cheating
+allow_attributes = "deny"
+# Code hygiene
+dbg_macro = "deny"
+todo = "deny"
+print_stdout = "deny"
+print_stderr = "deny"
+# Safety
+await_holding_lock = "deny"
+large_futures = "deny"
+exit = "deny"
+mem_forget = "deny"
+# Pedantic relaxations (too noisy)
+module_name_repetitions = "allow"
+similar_names = "allow"
+```
+
+### Bash
+
+All scripts must start with `set -euo pipefail`. Lint: `shellcheck script.sh && shfmt -d script.sh`
+
+### GitHub Actions
+
+Pin actions to SHA hashes with version comments: `actions/checkout@<full-sha>  # vX.Y.Z` (use `persist-credentials: false`). Scan workflows with `zizmor` before committing. Configure Dependabot with 7-day cooldowns and grouped updates.
+
+## Workflow
+
+**Before committing:**
+1. Re-read your changes for unnecessary complexity, redundant code, and unclear naming
+2. Run relevant tests — not the full suite
+3. Run linters and type checker — fix everything before committing
+
+**Commits:**
+- Imperative mood, ≤72 char subject line, one logical change per commit
+- Never amend/rebase commits already pushed to shared branches
+- Never push directly to main — use feature branches and PRs
+- Never commit secrets, API keys, or credentials — use `.env` files (gitignored) and environment variables
+
+**Hooks and worktrees:**
+- Install prek in every repo (`prek install`). Run `prek run` before committing. Configure auto-updates: `prek auto-update --cooldown-days 7`
+- Parallel subagents require worktrees. Each subagent MUST work in its own worktree (`wt switch <branch>`), not the main repo. Never share working directories.
+
+**Pull requests:**
+Describe what the code does now — not discarded approaches, prior iterations, or alternatives. Only describe what's in the diff.
+
+Use plain, factual language. A bug fix is a bug fix, not a "critical stability improvement." Avoid: critical, crucial, essential, significant, comprehensive, robust, elegant.

claude-md-template.md

@@ -0,0 +1,97 @@
+# Fix GitHub Issue
+
+@description End-to-end: plan, implement, test, PR, review, fix findings, and comment on a GitHub issue.
+@arguments $ISSUE_NUMBER: GitHub issue number to fix
+
+Read GitHub Issue #$ISSUE_NUMBER thoroughly. Understand the full
+context: problem description, acceptance criteria, linked PRs,
+and any discussion. Follow linked issues, referenced PRs, and
+external documentation to build complete understanding before
+planning.
+
+Execute every step below sequentially. Do not stop or ask for
+confirmation at any step.
+
+## 1. Plan
+
+Write a detailed implementation plan to `plan-issue-$ISSUE_NUMBER.md`
+in the repo root. The plan must:
+
+- Summarize the issue requirements
+- List every file to create or modify
+- Describe the approach and key design decisions
+- Call out risks or open questions
+- Reference relevant code paths by file:line
+
+## 2. Implement
+
+Implement the plan across all necessary files. Follow the
+project's CLAUDE.md standards. Keep changes minimal and focused
+on the issue requirements -- no speculative features.
+
+## 3. Build, test, lint
+
+Run the project's full quality pipeline in this order:
+
+1. Build (compile/bundle if the project has a build step)
+2. Run the full test suite -- iterate on failures until green
+3. Add new tests for the changed behavior
+4. Run linting, formatting, and type-checking -- fix any issues
+
+Refer to the project's CLAUDE.md or package.json/Makefile/etc.
+for the correct commands.
+
+## 4. Branch, commit, and push
+
+- Determine the branch prefix from the issue type: `fix/` for
+  bugs, `feat/` for features, `refactor/` for refactors, `docs/`
+  for documentation. When ambiguous, use `fix/`.
+- Create a branch named `{prefix}issue-$ISSUE_NUMBER`
+- Delete the plan file (`plan-issue-$ISSUE_NUMBER.md`) -- it was a
+  working artifact and should not be committed
+- Commit all changes with a conventional commit message referencing
+  the issue
+- Push the branch
+
+## 5. Create PR
+
+Create a PR with:
+
+- A concise title (under 70 chars)
+- A description that maps changes back to the issue requirements
+- Link to the issue with "Closes #$ISSUE_NUMBER" (or "Refs" if it
+  doesn't fully close it)
+
+## 6. Self-review
+
+Use `/compound-engineering:workflows:review` to perform a full
+multi-agent code review of the PR. Produce a list of findings
+ranked by severity (P1 = blocks merge, P2 = important, P3 = nice
+to have).
+
+## 7. Fix findings
+
+Address all P1-P3 findings. For each finding, either:
+
+- **Fix it** -- apply the change, or
+- **Dismiss it** -- explain why it's a false positive or not worth
+  the churn (e.g. a stylistic disagreement or an impossible edge
+  case). Document the reasoning inline.
+
+After addressing all findings:
+
+1. Re-run the full quality pipeline (build, test, lint)
+2. Commit the fixes as a separate commit (do not squash into the
+   original -- preserve review history)
+3. Push the branch (regular push, not force-push)
+4. Delete any todo files in `todos/` that were created by the
+   review and are now resolved
+
+## 8. Comment on issue
+
+Post a summary comment on Issue #$ISSUE_NUMBER linking to the PR.
+Include:
+
+- What was implemented (1-3 bullet points)
+- Key design decisions
+- Link to the PR