Code quality tools for reviewing changes, understanding architecture, performing focused appsec reviews, and maintaining projects.
```
/plugin install devx-qa@devx-plugins
```
Analyzes project architecture and generates ASCII state machine and sequence diagrams. Triggers automatically when you ask to explain a project, analyze architecture, or trace an entrypoint.
```
explain this project
explain the auth-flow feature
show me the architecture
```
What happens:
- Detects your stack (language, framework, tools)
- Finds the entrypoint for the feature you specify
- Generates ASCII state machine diagram
- Generates ASCII sequence diagram
- Lists key files with their roles
Output:
```text
┌─────────────┐   success   ┌──────────────┐
│   PENDING   │────────────►│  AUTHORIZED  │
└─────────────┘             └──────────────┘
       │                           │
       │ failure                   │ logout
       ▼                           ▼
┌─────────────┐             ┌──────────────┐
│   FAILED    │             │   EXPIRED    │
└─────────────┘             └──────────────┘
```
No mermaid. No external tools. Just ASCII that works everywhere.
Reviews pull requests and code changes for correctness, conventions, maintainability, performance, tests, and security. Triggers when you ask for a code review, PR review, feedback on a diff, or to check code quality.
```
review this PR 42
review my staged changes
check code quality in src/auth
```
What happens:
- Resolves the review target (PR, local diff, commit range, or path)
- Uses `gh pr list`, `gh pr view`, and `gh pr diff` for GitHub PR reviews when relevant
- Reads the changed files with surrounding context
- Checks correctness, conventions, performance, tests, and security
- Returns findings-first feedback grouped by: Must fix, Should fix, Nit
Performs a focused application security review of pull requests and branch diffs. Triggers when you ask for a security review of a PR, diff, or branch, or want only exploitable auth, injection, data exposure, and trust-boundary issues.
```
security review this PR
audit this branch for vulnerabilities
check this diff for auth or injection bugs
```
What happens:
- Resolves the review scope from a PR, local branch, or commit range
- Reads nearby auth, validation, tenant, rendering, and data-flow code for context
- Generates candidate vulnerabilities, then filters false positives with a second pass
- Reports only HIGH and MEDIUM findings with confidence `>= 8/10`
- Returns markdown only, or states that no high-confidence appsec findings were found
Includes a playbook for TypeScript/Node, Python, Rust, and modern web app attack surfaces.
Evaluates and improves a plugin's skills by applying Anthropic's skill authoring best practices. Triggers when you ask to fix, improve, or review skills.
Audits React codebases for anti-patterns (useEffect misuse, missing cleanup, stale closures, memory leaks) and produces a scored gap analysis table with severity ratings. Applies prioritized fixes on request.
```
audit react code
fix react anti-patterns
check useEffect cleanup in src/components/
```
What happens:
- Runs `scan-antipatterns.sh` to inventory suspect patterns
- Reads flagged files and classifies findings by category and severity
- Produces a gap analysis table grouped by: useEffect rules, state management, component architecture, cleanup & memory safety, navigation & DOM
- Applies fixes in priority order (if requested)
- Verifies with lint
Includes three reference files with authoritative rules and before/after fix examples.
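As an added illustration of the two categories above that are easiest to check mechanically (cleanup & memory safety, and the useEffect dependency-array rule), here is a small Python scanner. It is example code written for this page, not the plugin's own `scan-antipatterns.sh` or its reference rules. The TSX component it scans is constructed inline; the list of leak-prone calls, the category names and the severity ratings are assumptions chosen to match the table groupings described above, and the detection is deliberately heuristic (regex header match, brace matching that does not tokenise strings or comments, any `return` in the body counted as a cleanup).

```python
"""Added example: a heuristic scanner for useEffect cleanup and dependency-array
anti-patterns. Not the devx-qa plugin's own scanner; see the lead-in for assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Calls that register something the effect must tear down in its cleanup.
# Constructed list for this example; extend it with your project's subscription APIs.
LEAK_SOURCES = {
    "addEventListener": "event listener",
    "setInterval": "interval",
    "setTimeout": "timeout",
    ".subscribe(": "subscription",
}
SEVERITY_RANK = {"HIGH": 2, "MEDIUM": 1, "LOW": 0}

# Opening of a block-bodied effect callback:
#   useEffect(() => {   useEffect(async () => {   useEffect(function () {
# Expression-bodied callbacks such as useEffect(() => load(), []) are skipped.
EFFECT_HEADER = re.compile(
    r"\buseEffect\s*\(\s*(?:async\s+)?(?:\(\s*\)|function\s*\(\s*\))\s*(?:=>\s*)?\{"
)


@dataclass
class Finding:
    line: int
    category: str
    severity: str
    message: str


def _match_brace(src: str, open_idx: int) -> int:
    """Index of the '}' that closes the '{' at open_idx, or -1 if unbalanced."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    return -1


def scan(src: str) -> list[Finding]:
    """Return findings for every block-bodied useEffect in a JS/TSX source string."""
    findings: list[Finding] = []
    for m in EFFECT_HEADER.finditer(src):
        open_idx = m.end() - 1
        close_idx = _match_brace(src, open_idx)
        if close_idx == -1:
            continue
        body = src[open_idx + 1 : close_idx]
        line = src.count("\n", 0, m.start()) + 1
        # Heuristic: any return statement in the body is treated as the cleanup function.
        has_cleanup = re.search(r"\breturn\b", body) is not None
        # Cleanup & memory safety: a registration with no cleanup leaks on unmount.
        for needle, what in LEAK_SOURCES.items():
            if needle in body and not has_cleanup:
                findings.append(Finding(line, "cleanup & memory safety", "HIGH",
                    f"useEffect registers {what} via {needle.strip('.(')} but returns no cleanup"))
        # useEffect rules: no second argument means the effect re-runs after every render.
        if src[close_idx + 1 :].lstrip().startswith(")"):
            findings.append(Finding(line, "useEffect rules", "MEDIUM",
                "useEffect has no dependency array; it re-runs after every render"))
    return findings


def gap_table(findings: list[Finding]) -> str:
    """Render the findings as a per-category markdown gap table with worst severity."""
    rows: dict[str, tuple[int, str]] = {}
    for f in findings:
        count, worst = rows.get(f.category, (0, "LOW"))
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[worst]:
            worst = f.severity
        rows[f.category] = (count + 1, worst)
    lines = ["| Category | Findings | Worst severity |", "|---|---|---|"]
    for category, (count, worst) in sorted(rows.items()):
        lines.append(f"| {category} | {count} | {worst} |")
    return "\n".join(lines)


# Constructed sample: a leaked interval, a correctly cleaned-up listener, and an
# effect that both lacks a dependency array and never unsubscribes.
SAMPLE_TSX = """
import { useEffect, useState } from "react";

export function Ticker({ source }) {
  const [count, setCount] = useState(0);

  // leaks: interval is never cleared
  useEffect(() => {
    setInterval(() => setCount(c => c + 1), 1000);
  }, []);

  // fine: listener removed in the cleanup function
  useEffect(() => {
    const onResize = () => setCount(0);
    window.addEventListener("resize", onResize);
    return () => window.removeEventListener("resize", onResize);
  }, []);

  // runs every render and never unsubscribes
  useEffect(() => {
    const sub = source.subscribe(setCount);
  });

  return <div>{count}</div>;
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_TSX):
        print(f"line {f.line}: [{f.severity}] {f.category}: {f.message}")
    print(gap_table(scan(SAMPLE_TSX)))
```

On the sample it reports two HIGH cleanup findings (lines 8 and 20) and one MEDIUM dependency-array finding (line 20); the correctly written effect at line 13 produces nothing. A real inventory pass would need a proper JS/TS parser to avoid false positives from braces in strings and from `return` statements inside nested callbacks, which is why the plugin's second classification pass over flagged files matters.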
Keeps CLAUDE.md in sync with codebase evolution. Triggers when you ask to update or sync CLAUDE.md.
What happens:
- Finds your CLAUDE.md (or creates one)
- Analyzes commits since last update
- Detects new patterns, stack changes, architecture shifts
- Proposes additions and removals in diff format
- Asks for confirmation before applying
Your project memory stays current without manual maintenance.