Dev tools for the
independent builder.

Prevents v3 hallucinations. 5 rule files, migration skill, validation skill, and a review subagent.

• Anti-pattern detection for 12 common AI mistakes
• /tw-migrate -- v3 to v4 project migration
• /tw-validate -- version mixing detector

Django 5.x + DRF patterns. N+1 query prevention, model scaffolding, settings management, and 14 anti-pattern rules.

• N+1 query detection as a first-class rule
• /django-model -- full vertical slice scaffold
• /django-validate -- project anti-pattern audit

Solid Stack, Hotwire, params.expect, built-in auth, Kamal 2. Stops Cursor from generating Rails 7 patterns.

• Hotwire decision tree: Frames vs Streams vs Stimulus
• /rails-auth -- built-in auth, no Devise
• /rails-validate -- Rails 7 pattern detector

Pydantic v2 migration, async event loop safety, SQLAlchemy patterns, and 13 anti-pattern rules for FastAPI.

• Complete Pydantic v1-to-v2 migration rules
• /fastapi-endpoint -- async CRUD scaffold
• /fastapi-validate -- v1 + async audit

Cache Components, proxy.ts (renamed from middleware), async-only request APIs, the Data Access Layer pattern, Server Actions with Zod + ownership re-check, three-layer auth. React 19.2.

• 34 anti-patterns with BAD/CORRECT pairs (10 finely-globbed rules)
• /nextjs-dal -- scaffold the Data Access Layer
• /nextjs-migrate-v15-to-v16 -- codemod sequence

log/slog, errors.Is/As + %w wrapping, context-first APIs, http.ServeMux method routing (1.22+), range-over-func iterators (1.23).

• Catches io/ioutil, interface{}, panic(err), time.After leaks
• /go-modernize -- older Go to 1.24 migration
• /go-error-wrap -- %v to %w + errors.Is conversion

jakarta.* imports, constructor injection, SecurityFilterChain, RestClient, records as DTOs, virtual threads, Testcontainers @ServiceConnection.

• Catches 20 Boot 2-era patterns LLMs still produce
• /spring-boot-migrate-to-3 -- 2.x to 3.x in 10 steps
• /spring-boot-testcontainers -- @ServiceConnection wiring

Top-level Program.cs, Minimal APIs with TypedResults, IHttpClientFactory, EF Core AsNoTracking + projection, HybridCache, built-in OpenAPI.

• Catches Startup.cs, sync-over-async, new HttpClient, Newtonsoft
• /aspnet-migrate-to-9 -- older .NET to .NET 9
• /aspnet-testing-setup -- WebApplicationFactory + Testcontainers

Kotlin 2.x with the kotlin-compose plugin, StateFlow + collectAsStateWithLifecycle, Hilt, type-safe Navigation, Material 3, Version Catalogs.

• Catches findViewById, GlobalScope, LiveData, Material 2, !!
• /compose-migrate-views-to-compose -- per-screen migration
• /compose-modernize-build -- libs.versions.toml + KSP + BOM

for_each over count, remote backend + locking, moved/import/removed blocks, ephemeral resources, OpenTofu state encryption, OIDC for CI.

• Catches 0.0.0.0/0 ingress, unpinned providers, plaintext secrets
• /terraform-refactor-with-moved -- safe rename + restructure
• /terraform-migrate-secrets -- HCL to Secrets Manager

Schema-first design, sql template tag for parameter binding, drizzle-zod pairing, Postgres RLS, Testcontainers transaction-rollback tests. Covers 0.45.x stable + 1.0-rc next.

• Catches Prisma include/select leakage, removed casing API, SQL injection via execute
• /drizzle-migrate-to-v1 -- 0.x to 1.0-rc with codemods
• /drizzle-rls -- Postgres RLS scaffold + isolation tests

Semantic locators (getByRole over CSS), web-first assertions, test.extend fixtures, setup-project + storageState auth, sharded CI with merge-reports.

• Catches text= selectors, page.$ ElementHandles, waitForTimeout, missing await on assertions
• /playwright-setup-auth -- per-worker, multi-role, JWT bypass
• /playwright-visual-regression -- macOS-vs-Linux baseline trap

Laravel 13.x on PHP 8.3+. The L11 skeleton (bootstrap/app.php, deleted Kernel.php), L12/L13 deltas (Carbon 3, casts() method, #[Scope], Cache::flexible, automatic eager loading, UUIDv7), Livewire 4 SFC without Volt, Inertia 3.1 deferred props, Pest 4 browser testing.

• 37 anti-patterns with BAD/CORRECT pairs. Catches Repository pattern, $casts array, scopeXxx, wire:model.lazy, Carbon 2 calls, Volt-for-Livewire-4
• Anti-Repository wedge with Otwell, Freek, Spatie citations
• /laravel-migrate-v10-to-v13 -- Kernel.php to bootstrap, $casts to casts()

Vue 3.5.34 + Nuxt 4.4.5. Leads with the Vue 3.5 trio LLMs miss (useTemplateRef, useId, reactive props destructure) and the Nuxt 4 app/ srcDir layout. Pinia 3 setup stores, Vue Router 5, useAsyncData singleton-by-key + shallowRef defaults, server/api with method-suffixed handlers, VueUse 14, Vitest 4.

• 38 anti-patterns with BAD/CORRECT pairs. Catches Options API in new code, ref(null) template refs, toRefs/withDefaults boilerplate, Vuex, module-scope ref SSR leaks, readBody in GET, store/ vs app/stores/
• Pinned to Vue 3.5 + Nuxt 4. Canonical Cursor entries pre-date both releases.
• /vue-nuxt-migrate-to-3-5-and-4 -- pages/components to app/, store/ to stores/, Vuex to Pinia 3

Svelte 5.55.7 + SvelteKit 2.60.1. Leads with the Runes shape LLMs still miss ($state, $derived, $effect, $props), the Snippet replacement for slots, callback-prop events, and the SvelteKit 2 deltas (no-throw error/redirect, mandatory cookies path, $app/state). Vite 8, TypeScript 6, Vitest 4, Playwright 1.60, bits-ui, sveltekit-superforms + formsnap + zod.

• 40 anti-patterns with BAD/GOOD pairs. Catches on:click directives, $: reactive blocks, export let, <slot>, createEventDispatcher, throw redirect, cookies.set without path, $app/stores in new code, $effect infinite loops
• Reactivity-trap rules no other plugin encodes: $effect SSR-only, untrack for read-write loops, $state.raw for >1000 elements, deep-proxy destructure
• /sveltekit-migrate-to-runes -- Svelte 4 to Svelte 5 + SvelteKit 1 to 2 in stages

Astro 6.3.3. Targets the post-October-2024 surface area LLMs lag on: Server Islands (server:defer + fallback), the Content Layer API (loader: glob/file, render(entry), getEntry), Actions with zod via astro:schema, Sessions, astro:env, and the Tailwind 4 + @tailwindcss/vite move. Vite 7, TypeScript 6, Zod 4, Node 22.12 floor.

• 48 anti-patterns with BAD/GOOD pairs. Catches output: 'hybrid', <ViewTransitions />, getEntryBySlug, entry.render(), entry.slug, Astro.glob, type: 'content' collections, src/content/config.ts, @astrojs/tailwind, lowercase endpoint exports, client:only without framework name, middleware without return next()
• Rules no other Astro plugin encodes: Astro.callAction vs Astro.getActionResult on prerendered pages, server-island prop serialization + Astro.url trap, astro:env secret/client leak, Cloudflare bare-node imports, partytown + ClientRouter analytics break
• /astro-migrate-to-content-layer -- src/content/config.ts to src/content.config.ts, type:'content' to loader:glob, entry.render() to render(entry), entry.slug to entry.id in stages

React Router 7.15.1 Framework Mode (formerly Remix, merged Nov 2024). Targets the surface LLMs trained pre-Nov-2024 still get wrong: per-route Route namespace types from ./+types/, plain-object loader returns, data() for status, ServerRouter/HydratedRouter, clientLoader + HydrateFallback pairing, react-router.config.ts, @react-router/dev/vite. React 19.2, Vite 8, TypeScript 6, Zod 4, Node 20.19 floor.

• 45 anti-patterns with BAD/GOOD pairs. Catches @remix-run/* imports, remix.config.js, RemixServer/Browser, vitePlugin as remix, useLoaderData<typeof loader>(), LoaderFunction/MetaFunction generics, json()/defer() returns, <BrowserRouter><Routes>, useTransition from react-router, unstable_viewTransition, file naming traps ($id vs [id], _index.tsx vs index.tsx)
• Rules no other RR7 plugin encodes: +types/<file> sibling-of-file convention, clientLoader.hydrate without HydrateFallback, VITE_*_SECRET leak detection, .server module discipline, isRouteErrorResponse vs manual narrowing, Route.ShouldRevalidateFunctionArgs not the v6 generic
• /rr7-migrate-from-remix -- @remix-run/* to react-router and @react-router/* in stages, with the codemod pointer

Expo SDK 55 (May 2026) with the legacy architecture fully removed. Targets the SDK 51-54 idioms LLMs still emit: Reanimated 4 worklets (with the react-native-worklets/plugin babel move), FlashList 2.x without estimatedItemSize, CameraView, expo-video / expo-audio split, expo-sqlite/kv-store as the AsyncStorage drop-in, Stack.Protected for auth, file-based +api routes. React 19.2, RN 0.83.6, Node 20.19 multi-LTS floor.

• 45 anti-patterns with BAD/GOOD pairs. Catches @react-navigation/native + NavigationContainer in Expo Router projects, useAnimatedGestureHandler (removed), Camera legacy import, react-native-reanimated/plugin in babel (must be react-native-worklets/plugin), AsyncStorage for JWT, EXPO_PUBLIC_*_SECRET bundle leaks, expo-cli + expo install, expo-av imports, FlashList 1.x estimatedItemSize carryover
• Rules no other Expo plugin encodes: useFonts without render gate, splash never hidden, CNG-incompatible manual ios/android edits, runtimeVersion as string vs fingerprint policy, package.json exports CJS/ESM dual hazard, edge-to-edge StatusBar overlap, useLocalSearchParams generic typing
• /expo-migrate-from-rn-cli -- bare RN or older Expo SDK to SDK 55 stage by stage; Reanimated 3 to 4 + worklets plugin swap; FlashList 1.x to 2.x; classic FileSystem to new File/Directory API

Hono v4 (TypeScript edge web framework). Targets the v3-era APIs LLMs still emit because v4.0.0 shipped Feb 2024 and stripped a long tail: c.jsonT, c.stream as Context method, c.env() function form, c.req.cookie, app.showRoutes, app.handleEvent, hono/middleware barrel, app.head. Pin floors enforced: >= 4.9.7 (CVE-2025-59139 bodyLimit bypass), >= 4.12.18 if rendering JSX SSR. Runs unchanged on Cloudflare Workers, Bun, Deno, Node 20+, Vercel Edge, AWS Lambda.

• 59 anti-patterns with BAD/CORRECT pairs. Catches Express leakage (res.json, (req,res,next), npm cors, supertest, missing return), v3 removed APIs, RPC inference traps (unchained routes, Rails-style controllers, zValidator placement, value-import server bundle in browser), Workers gotchas (process.env, deprecated serveStatic from hono/cloudflare-workers, unawaited D1, executionCtx truthy-check on Bun), security gaps (no secureHeaders/csrf/bodyLimit, insecure cookies, hard-coded JWT secret)
• Rules no other Hono plugin encodes: CVE-2025-59139 pin-floor enforcement, @hono/sentry deprecated by Sentry warning (use @sentry/hono), Lucia auth deprecated March 2025 flag, hono/cache no-op on workers.dev subdomains, Prisma + Hyperdrive requires @prisma/adapter-pg, RPC at 30+ routes IDE-slowdown mitigation via TypeScript project references, JSR @hono/hono on Deno (deno.land/x stale since v4.4.0)
• /hono-migrate-to-v4 -- stage-by-stage v3 to v4 migration with the validator-throws change; /hono-rpc-setup -- hc<AppType> with the load-bearing import-type rule (the #1 RPC bundle-bloat pitfall)