From 74336101055c92a4c264d84fb09b657c39e5d3d8 Mon Sep 17 00:00:00 2001 From: Affaan Mustafa Date: Tue, 10 Mar 2026 20:50:34 -0700 Subject: [PATCH] docs: tighten kotlin support examples --- agents/kotlin-reviewer.md | 19 +++++++++++++++++++ rules/kotlin/coding-style.md | 2 +- rules/kotlin/patterns.md | 2 +- rules/kotlin/security.md | 2 +- rules/kotlin/testing.md | 2 +- .../compose-multiplatform-patterns/SKILL.md | 7 ++++--- skills/kotlin-coroutines-flows/SKILL.md | 2 +- 7 files changed, 28 insertions(+), 8 deletions(-) diff --git a/agents/kotlin-reviewer.md b/agents/kotlin-reviewer.md index 1a728b5d..84ac896b 100644 --- a/agents/kotlin-reviewer.md +++ b/agents/kotlin-reviewer.md @@ -28,6 +28,16 @@ Check for: - `CLAUDE.md` for project-specific conventions - Whether this is Android-only, KMP, or Compose Multiplatform +### Step 2b: Security Review + +Apply the Kotlin/Android security guidance before continuing: +- exported Android components, deep links, and intent filters +- insecure crypto, WebView, and network configuration usage +- keystore, token, and credential handling +- platform-specific storage and permission risks + +If you find a CRITICAL security issue, stop the review and hand off to `security-reviewer` before doing any further analysis. + ### Step 3: Read and Review Read changed files fully. Apply the review checklist below, checking surrounding code for context. 
@@ -97,6 +107,15 @@ Button(onClick = onClick) - **Hardcoded strings** — User-facing strings not in `strings.xml` or Compose resources - **Missing lifecycle handling** — Collecting Flows in Activities without `repeatOnLifecycle` +### Security (CRITICAL) + +- **Exported component exposure** — Activities, services, or receivers exported without proper guards +- **Insecure crypto/storage** — Homegrown crypto, plaintext secrets, or weak keystore usage +- **Unsafe WebView/network config** — JavaScript bridges, cleartext traffic, permissive trust settings +- **Sensitive logging** — Tokens, credentials, PII, or secrets emitted to logs + +If any CRITICAL security issue is present, stop and escalate to `security-reviewer`. + ### Gradle & Build (LOW) - **Version catalog not used** — Hardcoded versions instead of `libs.versions.toml` diff --git a/rules/kotlin/coding-style.md b/rules/kotlin/coding-style.md index f9703cf9..5c5ee30c 100644 --- a/rules/kotlin/coding-style.md +++ b/rules/kotlin/coding-style.md @@ -5,7 +5,7 @@ paths: --- # Kotlin Coding Style -> This file extends [common/coding-style.md](../common/coding-style.md) with Kotlin specific content. +> This file extends [common/coding-style.md](../common/coding-style.md) with Kotlin-specific content. ## Formatting diff --git a/rules/kotlin/patterns.md b/rules/kotlin/patterns.md index 23071cde..1a09e6b7 100644 --- a/rules/kotlin/patterns.md +++ b/rules/kotlin/patterns.md @@ -5,7 +5,7 @@ paths: --- # Kotlin Patterns -> This file extends [common/patterns.md](../common/patterns.md) with Kotlin and Android/KMP specific content. +> This file extends [common/patterns.md](../common/patterns.md) with Kotlin and Android/KMP-specific content. ## Dependency Injection diff --git a/rules/kotlin/security.md b/rules/kotlin/security.md index a94bdde8..a212211d 100644 --- a/rules/kotlin/security.md +++ b/rules/kotlin/security.md 
@@ -5,7 +5,7 @@ paths: --- # Kotlin Security -> This file extends [common/security.md](../common/security.md) with Kotlin and Android/KMP specific content. +> This file extends [common/security.md](../common/security.md) with Kotlin and Android/KMP-specific content. ## Secrets Management diff --git a/rules/kotlin/testing.md b/rules/kotlin/testing.md index 98a2e38d..cdf97334 100644 --- a/rules/kotlin/testing.md +++ b/rules/kotlin/testing.md @@ -5,7 +5,7 @@ paths: --- # Kotlin Testing -> This file extends [common/testing.md](../common/testing.md) with Kotlin and Android/KMP specific content. +> This file extends [common/testing.md](../common/testing.md) with Kotlin and Android/KMP-specific content. ## Test Framework diff --git a/skills/compose-multiplatform-patterns/SKILL.md b/skills/compose-multiplatform-patterns/SKILL.md index 70e4ac65..f4caec1e 100644 --- a/skills/compose-multiplatform-patterns/SKILL.md +++ b/skills/compose-multiplatform-patterns/SKILL.md @@ -252,11 +252,12 @@ val showScrollToTop by remember { // BAD — new lambda and list every recomposition items.filter { it.isActive }.forEach { ActiveItem(it, onClick = { handle(it) }) } -// GOOD — remember filtered list, stable lambda with key +// GOOD — key each item so callbacks stay attached to the right row val activeItems = remember(items) { items.filter { it.isActive } } activeItems.forEach { item -> - val onClick = remember(item.id) { { handle(item) } } - ActiveItem(item, onClick = onClick) + key(item.id) { + ActiveItem(item, onClick = { handle(item) }) + } } ``` diff --git a/skills/kotlin-coroutines-flows/SKILL.md b/skills/kotlin-coroutines-flows/SKILL.md index 6650b0b7..4108aacc 100644 --- a/skills/kotlin-coroutines-flows/SKILL.md +++ b/skills/kotlin-coroutines-flows/SKILL.md 
@@ -217,7 +217,7 @@ viewModelScope.launch { ```kotlin @Test fun `search updates item list`() = runTest { - val fakeRepository = FakeItemRepository(items = testItems) + val fakeRepository = FakeItemRepository().apply { emit(testItems) } val viewModel = ItemListViewModel(GetItemsUseCase(fakeRepository)) viewModel.state.test {
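Review bot: The hand-off sentence added in Step 2b of `agents/kotlin-reviewer.md` ("stop the review and hand off to `security-reviewer`") says when to escalate but not what to pass along; suggest stating that the hand-off carries the file, the finding and the checklist item it matched, so `security-reviewer` does not have to rediscover it, and pointing Step 2b at the `### Security (CRITICAL)` checklist, since within this patch that checklist is the only place CRITICAL is defined.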
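Review bot: The `**Exported component exposure**` bullet in the new `### Security (CRITICAL)` section lists activities, services and receivers but omits content providers, which are the fourth exported component type on Android and a frequent source of data exposure; suggest `- **Exported component exposure** — Activities, services, receivers, or content providers exported without proper guards`. The closing escalation sentence repeats the one added in Step 2b; keeping it in one place avoids the two drifting apart later.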
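Review bot: The hyphenation fix in `rules/kotlin/patterns.md` is only half done: `Kotlin and Android/KMP-specific content` still reads as "Kotlin" plus "Android/KMP-specific", whereas the sentence means both are qualifiers of "content", which calls for the suspended hyphen `Kotlin- and Android/KMP-specific content`. The same line appears in the `rules/kotlin/security.md` and `rules/kotlin/testing.md` hunks and wants the same correction.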
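Review bot: After this change the BAD and GOOD comments in `skills/compose-multiplatform-patterns/SKILL.md` disagree: `// BAD — new lambda and list every recomposition` flags the lambda allocation, yet the GOOD block still creates `onClick = { handle(item) }` on every recomposition; what actually differs is the remembered filtered list and the `key(item.id)` scoping. Suggest rewording the BAD comment to match (e.g. `// BAD — re-filters the list every recomposition and gives items no stable key`) or adding one sentence on why the inline lambda is acceptable here. Dropping `remember(item.id) { { handle(item) } }` is the right call: a lambda remembered by `item.id` alone keeps capturing the old `item` instance after a same-id item's contents change, so the old GOOD example was subtly stale.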
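Review bot: The new fixture line `val fakeRepository = FakeItemRepository().apply { emit(testItems) }` in `skills/kotlin-coroutines-flows/SKILL.md` relies on the fake exposing a no-argument constructor and an `emit` method, neither of which this hunk shows; if the fake is defined elsewhere in the skill with the old `items = ...` constructor, that definition and any other `FakeItemRepository(items = ...)` call sites need the matching update or the skill's examples no longer agree with each other. A short comment stating how items passed to `emit` reach `viewModel.state` would also make the test read on its own.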