sagargupta16/dev-rules
plugins/dev-rules/skills/dev-rules/SKILL.md
Use when writing code, making git operations, handling secrets, reviewing PRs, or working with dependencies. Enforces git safety, security best practices, PR workflow discipline, and context-efficient development patterns. Auto-activates as guardrails.
$ install --global
skillsauthnpx skillsauth add sagargupta16/claude-skills dev-rulesInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 23, 2026, 5:14 AM9.1s1 file scanned
SKILL.md
- name:
- dev-rules
- description:
- Use when writing code, making git operations, handling secrets, reviewing PRs, or working with dependencies. Enforces git safety, security best practices, PR workflow discipline, and context-efficient development patterns. Auto-activates as guardrails.
Development Rules and Guardrails
Git Safety
| Rule | Why |
|------|-----|
| Never force push to main/master | Destroys team history, breaks CI |
| Never git reset --hard without confirmation | Irreversible data loss |
| Never amend published commits | Creates divergent history for collaborators |
| Never skip pre-commit hooks (--no-verify) | Hooks catch real issues |
| Stage specific files by name | git add . risks committing secrets or binaries |
| Never commit .env, credentials, API keys | Secrets in git history are permanent |
| Verify current branch before pushing | Avoid pushing to wrong branch |
Security
Secrets and Credentials
- Never commit
.envfiles, API keys, tokens, passwords, or connection strings - Always use
.env.examplewith placeholder values, never real credentials - If real credentials are found in git history, flag immediately - they must be rotated
- Add secret config files to
.gitignore(e.g.,config/secrets.yml)
Code Security
- Validate all user input at system boundaries (API endpoints, form submissions)
- Use parameterized queries - never string concatenation for database queries
- Sanitize data before rendering in templates (prevent XSS)
- Use bcrypt or argon2 for password hashing, never MD5 or SHA for passwords
- Set CORS origins from environment variables, never wildcard in production
Dependency Security
- Check for known vulnerabilities before adding new packages
- Prefer well-maintained packages with active security response
- Pin dependency versions in lock files
PR Workflow
When working with pull requests:
- Always read comments first before making changes
gh api repos/{owner}/{repo}/issues/{num}/commentsgh api repos/{owner}/{repo}/pulls/{num}/comments
- Check merge readiness before acting
gh api repos/{owner}/{repo}/pulls/{num} --jq '{mergeable, mergeable_state, draft}'
- Check how far behind the base branch
gh api repos/{owner}/{repo}/compare/{base}...{head} --jq '{behind_by, ahead_by}'
- After fixing/rebasing - comment back on the PR summarizing what was done
- Before deleting a fork - verify zero open PRs from that fork
- When rebasing - squash into clean commits, match project's commit style
- Never force-push to someone else's branch - only to your own fork branches
CLAUDE.md Authoring Rules
When writing or reviewing CLAUDE.md files:
<important> Tags
Wrap must-follow rules in <important> tags so they survive long contexts:
<important>
- Never commit .env files or API keys
- Always run tests before pushing
- Never force push to main/master
</important>
Use <important if="..."> for conditional rules:
<important if="making git commits or pushing code">
- Never add Co-Authored-By trailers
- Use conventional commit format
</important>
Length and Structure
- Keep each CLAUDE.md under 200 lines -- rules get ignored beyond this
- Split detailed rules into
.claude/rules/*.mdfiles - Structure: Overview > Commands > Conventions > Architecture > Critical Rules
- Loading: ancestors load at startup, descendants lazily, siblings never
Context Optimization
Progressive Disclosure
- Load metadata first (names, descriptions) before full content
- Only read files when actually needed - don't preemptively read everything
- For long files, read specific sections rather than the entire file
Context Health
- Manual
/compactat ~50% context usage -- don't wait for auto-compaction - Use
/rewindwhen an approach fails -- don't leave failures in context - Spawn sub-agents for research tasks to keep main context clean
- New task = new session (avoid context pollution)
Scripts as Black Boxes
- Run helper scripts with
--helpfirst to understand their interface - Only read script source code if
--helpis insufficient or if debugging - Prefer calling tools over reading their implementation
Efficient Patterns
- Present quick-reference tables upfront when multiple approaches exist
- Route to specific patterns based on the task at hand
- Don't load all reference material - load what's relevant
Anti-Patterns
- Don't read every file in a directory when a targeted search suffices
- Don't duplicate work between main context and sub-agents
- Don't re-read files that were recently read in the same session
- Don't say "no try again" after bad output -- /rewind then re-prompt
- Don't wait for auto-compact -- model is least intelligent during auto-compact
Related Skills
sagargupta16/starter-session-audit
testing
VerifiedTrustedCommunity
Use when the user asks to audit a session for uncaptured learnings. Activates on "audit this session", "session audit", "what did we miss", "end of session check", or "/starter-session-audit". Scans the conversation for corrections, preferences, decisions, and new context, then proposes where to save each.
4SKILL.mdUpdated May 23, 2026
sagargupta16/repo-polish
testing
VerifiedTrustedCommunity
Use when setting up new repositories, auditing existing ones, or preparing repos for public visibility. Generates .gitignore, .env.example, README, and LICENSE files. Detects committed secrets and flags security issues.
4SKILL.mdUpdated May 23, 2026
sagargupta16/renovate-triage
tools
VerifiedTrustedCommunity
Use when triaging open Renovate PRs across your own repos into merge / close / defer. Activates on "renovate triage", "review dep PRs", "monthly deps", or on the 1st of a month if deps are grouped monthly.
4SKILL.mdUpdated May 23, 2026
sagargupta16/refactoring
development
VerifiedTrustedCommunity
Use when restructuring code without changing behavior -- extracting functions, renaming, moving files, reducing duplication, migrating between patterns (JS to TS, CJS to ESM), or addressing code smells. Covers safe refactoring workflows for any language.
4SKILL.mdUpdated May 23, 2026