AST Code Analysis Superpower
---
name: ast-code-analysis-superpower
description: AST-based code pattern analysis using ast-grep for security, performance, and structural issues. Use when (1) reviewing code for security vulnerabilities, (2) analyzing React hook dependencies or performance patterns, (3) detecting structural anti-patterns across large codebases, (4) needing systematic pattern matching beyond manual inspection.
---
# AST-Grep Code Analysis
AST pattern matching identifies code issues through structural recognition rather than line-by-line reading. Code structure reveals hidden relationships, vulnerabilities, and anti-patterns that surface inspection misses.
## Configuration
- **Target Language**: ${language:javascript}
- **Analysis Focus**: ${analysis_focus:security}
- **Severity Level**: ${severity_level:error} (ast-grep accepts `hint`, `info`, `warning`, `error`, `off`, lowercase)
- **Framework**: ${framework:React}
- **Max Nesting Depth**: ${max_nesting:3}
## Prerequisites
```bash
# Install ast-grep (if not available)
npm install -g @ast-grep/cli
# Or: mise install -g ast-grep
```
## Decision Tree: When to Use AST Analysis
```
Code review needed?
|
+-- Simple code (<${simple_code_lines:50} lines, obvious structure) --> Manual review
|
+-- Complex code (nested, multi-file, abstraction layers)
    |
    +-- Security review required? --> Use security patterns
    +-- Performance analysis? --> Use performance patterns
    +-- Structural quality? --> Use structure patterns
    +-- Cross-file patterns? --> Run with --globs
```
## Pattern Categories
| Category | Focus | Common Findings |
|----------|-------|-----------------|
| Security | Crypto functions, auth flows | Hardcoded secrets, weak tokens |
| Performance | Hooks, loops, async | Infinite re-renders, memory leaks |
| Structure | Nesting, complexity | Deep conditionals, maintainability |
## Essential Patterns
### Security: Hardcoded Secrets
```yaml
# sg-rules/security/hardcoded-secrets.yml
id: hardcoded-secrets
language: ${language:javascript}
rule:
  # A metavariable cannot sit inside a quoted string ('$LITERAL' would only
  # match that literal text), so match the whole literal and constrain its
  # node kind below. A pattern should be a single AST node; to require a
  # later `$FUNC($VAR, ...)` call use the `precedes`/`follows` relational rules.
  pattern: const $VAR = $LITERAL;
constraints:
  LITERAL:
    kind: string
  VAR:
    regex: '(?i)(secret|token|password|passwd|api[_-]?key|private[_-]?key)'
# message and severity are top-level fields in ast-grep rule files, not under meta
severity: ${severity_level:error}
message: "Potential hardcoded secret detected"
```
### Security: Insecure Token Generation
```yaml
# sg-rules/security/insecure-tokens.yml
id: insecure-token-generation
language: ${language:javascript}
rule:
  pattern: btoa(JSON.stringify($OBJ) + '.' + $SECRET)
severity: ${severity_level:error}
message: "Insecure token generation using base64"
```
### Performance: ${framework:React} Hook Dependencies
```yaml
# sg-rules/performance/react-hook-deps.yml
id: react-hook-dependency-array
# .tsx files are parsed with the tsx grammar, so a `typescript` rule would not
# run on them; keep a separate copy with `language: typescript` for plain .ts files.
language: tsx
rule:
  pattern: |
    useEffect(() => {
      $$$BODY
    }, [$FUNC])
severity: warning
message: "Function dependency may cause infinite re-renders"
```
### Structure: Deep Nesting
```yaml
# sg-rules/structure/deep-nesting.yml
id: deep-nesting
language: ${language:javascript}
rule:
  any:
    # Three directly nested if blocks; $$$BODY allows any number of statements
    - pattern: |
        if ($COND1) {
          if ($COND2) {
            if ($COND3) {
              $$$BODY
            }
          }
        }
    # `for ($INIT)` is not valid syntax, so match the loop by node kind and
    # walk up the ancestors (stopBy: end) for two more enclosing for loops
    - kind: for_statement
      inside:
        kind: for_statement
        stopBy: end
        inside:
          kind: for_statement
          stopBy: end
severity: warning
message: "Deep nesting (>${max_nesting:3} levels) - consider refactoring"
```
## Running Analysis
```bash
# Rule-based scanning is `ast-grep scan`; `ast-grep run` is for ad-hoc -p patterns.
# Rule directories come from sgconfig.yml (see Project Setup):
#   ruleDirs:
#     - sg-rules/security
#     - sg-rules/performance
#     - sg-rules/structure

# Security scan: a single rule file is run with -r
ast-grep scan -r sg-rules/security/hardcoded-secrets.yml
ast-grep scan -r sg-rules/security/insecure-tokens.yml
# Performance scan on ${framework:React} files
ast-grep scan -r sg-rules/performance/react-hook-deps.yml --globs '*.tsx' --globs '*.jsx'
# Full scan with JSON output
ast-grep scan -c sgconfig.yml --json > analysis-report.json
# Interactive mode for investigation
ast-grep scan -c sgconfig.yml --interactive
```
## Pattern Writing Checklist
- [ ] Pattern matches specific anti-pattern, not general code
- [ ] Uses `inside` or `has` for context constraints
- [ ] Includes `not` constraints to reduce false positives
- [ ] Separate rules per language (JS vs TS)
- [ ] Appropriate severity (${severity_level:error}/warning/info)
## Common Mistakes
| Mistake | Symptom | Fix |
|---------|---------|-----|
| Too generic patterns | Many false positives | Add context constraints |
| Missing `inside` | Matches wrong locations | Scope with parent context |
| No `not` clauses | Matches valid patterns | Exclude known-good cases |
| JS patterns on TS | Type annotations break match | Create language-specific rules |
## Verification Steps
1. **Test pattern accuracy**: Run on known-vulnerable code samples
2. **Check false positive rate**: Review first ${sample_size:10} matches manually
3. **Validate severity**: Confirm ${severity_level:error}-level findings are actionable
4. **Cross-file coverage**: Verify pattern runs across intended scope
## Example Output
```
$ ast-grep scan -c sgconfig.yml
src/components/UserProfile.jsx:15: ${severity_level:error} [insecure-token-generation] Insecure token generation
src/hooks/useAuth.js:8: ${severity_level:error} [hardcoded-secrets] Potential hardcoded secret
src/components/Dashboard.tsx:23: warning [react-hook-dependency-array] Function dependency
src/utils/processData.js:45: warning [deep-nesting] Deep nesting detected
Found 4 issues (2 errors, 2 warnings)
```
## Project Setup
```bash
# Initialize an ast-grep project (creates sgconfig.yml)
ast-grep new project
# Create rule directories
mkdir -p sg-rules/{security,performance,structure}
# Point sgconfig.yml at them:
#   ruleDirs:
#     - sg-rules/security
#     - sg-rules/performance
#     - sg-rules/structure
# Add to CI pipeline
# .github/workflows/lint.yml
# - run: ast-grep scan -c sgconfig.yml --json
```
## Custom Pattern Templates
### ${framework:React} Specific Patterns
```yaml
# Missing key in list rendering
id: missing-list-key
language: tsx   # JSX needs the tsx (or javascript) grammar, not typescript
rule:
  pattern: '$ARRAY.map(($ITEM) => <$COMPONENT $$$PROPS />)'
  # constraints apply to single metavariables, not to $$$PROPS, so look for a
  # key attribute anywhere under the matched element instead
  not:
    has:
      kind: jsx_attribute
      regex: '^key='
      stopBy: end
severity: warning
message: "Missing key prop in list rendering"
```
### Async/Await Patterns
```yaml
# Missing error handling in async
id: unhandled-async
language: ${language:javascript}
rule:
  pattern: |
    async function $NAME($$$) {
      $$$BODY
    }
  # `try { $$$ } catch` is not a complete statement and will not parse;
  # match a try_statement node anywhere in the body instead
  not:
    has:
      kind: try_statement
      stopBy: end
severity: warning
message: "Async function without try-catch error handling"
```
## Integration with CI/CD
```yaml
# GitHub Actions example
name: AST Analysis
on: [push, pull_request]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install ast-grep
        run: npm install -g @ast-grep/cli
      - name: Run analysis
        run: |
          # `|| true` keeps a non-zero exit from ast-grep from skipping the explicit check below
          ast-grep scan -c sgconfig.yml --json > report.json || true
          # ast-grep writes severities in lowercase; tolerate both pretty and compact JSON
          if grep -q '"severity": *"error"' report.json; then
            echo "Critical issues found!"
            exit 1
          fi
```
ATS Resume Scanner Simulator
## ATS Resume Scanner Simulator (Full Version – Most Accurate – Stress-Tested & Hardened)
**Author:** Scott M
## Basic Instructions for Most Effective Use
Use this prompt to simulate an ATS scan. It helps optimize resumes for job applications.
- Provide a job description (JD) as URL, pasted text, or file.
- Provide your resume as pasted text, PDF, or DOCX.
- If tools are available, use them to fetch or extract content.
- Run in a supported AI like Grok 4 for best results.
- Aim for 80%+ match. Focus on keyword gaps and formatting fixes.
- Test multiple resume versions. Update based on recommendations.
- Remember: This is a simulation. Real ATS vary by system (e.g., Taleo, Workday).
## Supported AI Engines & Tool Capability Notes (February 2026)
1. **Grok 4 (xAI)**
- Strong tool execution and structured reasoning.
- Reliable URL and document handling when tools are enabled.
- Best overall fidelity to this prompt.
2. **Claude 3.7 Sonnet / Claude 4 Opus**
- Excellent format adherence and conservative scoring.
- Tool availability varies by environment; fallback rules are critical.
3. **GPT-4o / o1-pro**
- Strong reasoning and scoring logic.
- Tool names and availability may differ; do not assume browsing or PDF extraction.
4. **Gemini 2.0 Flash / Pro**
- Fast execution.
- Inconsistent synonym handling and format drift under long instructions.
5. **Llama 3.3 70B / other open models**
- Limited or no tool access.
- Must rely on pasted text only.
- Weighting and formatting consistency may degrade.
## Changelog
- 2025-11-15: Initial version created.
- 2026-01-20: Added explicit scoring weights (50/25/15/10).
- 2026-02-05: Added URL and PDF handling logic.
- 2026-02-05 (Stress Test): Validation step, de-duplication, red-flag protocol.
- 2026-02-06: Added tool fallback rules, analysis confidence score, synonym guardrails, formatting deduction cap, and AI tool capability notes.
## Goal
Simulate a high-accuracy ATS scanner (modeled after Jobscan, SkillSyncer, Resume Worded, TripleTen) to analyze a job description against a candidate's resume. Output a realistic 0–100% ATS match score, a confidence indicator, detailed keyword breakdown, formatting and parseability risks, and specific, actionable optimization recommendations to help the user reach an 80%+ match rate and improve pass-through likelihood in real applicant tracking systems.
## Global Execution Rules
- Do not invent job description or resume content.
- Do not simulate tool output if tools are unavailable.
- Prefer conservative scoring over optimistic scoring.
- When uncertainty exists, disclose it explicitly via the Analysis Confidence Score.
- ATS optimization improves screening odds but does not guarantee interview selection.
## Execution Steps
### Step 0: Validate Inputs
- If no job description (URL or pasted text) is provided → output only:
  "Error: Job description (URL or pasted text) is required. Please provide it."
  Then stop.
- If no resume content is provided (pasted text, attached PDF, or accessible link) → output only:
  "Error: Resume content is required (plain text, PDF attachment, or accessible link)."
  Then stop.
- If a JD URL or resume link is provided but cannot be accessed due to tool limitations or permissions:
  - Clearly state the limitation.
  - Request that the user paste the text instead.
  - Do not simulate or infer missing content.
- Proceed only if both inputs are usable.
### Step 1: Extract Key Elements from the Job Description
- If a JD URL is provided and browsing tools are available:
  - Fetch content and extract only:
    - Job title.
    - Required qualifications.
    - Preferred qualifications.
    - Hard skills / tools / technologies / certifications.
    - Soft skills / behaviors.
    - Years of experience.
    - Key responsibilities and repeated phrases.
  - Ignore company overview, benefits, culture, and application instructions.
- If browsing tools are unavailable:
  - State this explicitly.
  - Require pasted job description text.
- Identify 15–25 high-importance keywords/phrases.
  - De-duplicate aggressively.
  - Required > Preferred.
  - Avoid marketing language unless clearly evaluative.
- Group and rank keywords into:
  - Hard Skills / Tools.
  - Soft Skills / Behaviors.
  - Qualifications (education, certs, years of experience).
  - Responsibilities / Key Phrases.
### Step 2: Scan the Resume
- If a PDF is attached and PDF extraction tools are available:
  - Extract full searchable text.
  - Note presence of non-text or visually structured elements.
- If PDF extraction tools are unavailable:
  - State the limitation.
  - Analyze only the text provided or request pasted content.
#### Keyword Matching Rules
- Exact matches score highest.
- Close variants (plurals, verb tense) score slightly lower.
- Synonyms are allowed only if industry-standard and unambiguous.
#### Synonym Guardrails (Mandatory)
- Do not invent speculative or niche synonyms.
- Accept:
  - Acronyms ↔ full names (e.g., AWS ↔ Amazon Web Services).
  - Common tool naming variants (e.g., Excel ↔ Microsoft Excel).
- Reject:
  - Broad conceptual matches (e.g., "data analysis" ≠ "business intelligence").
  - Soft-skill reinterpretations without explicit wording.
- Provide a short list of synonyms used, if any.
- Slight keyword weighting bonus if found in:
  - Skills section.
  - Summary / Objective.
  - Recent job titles.
  - Quantified experience bullets.
### Step 3: Formatting & Parseability Risk Detection
Actively detect and flag:
- Headers or footers (especially containing contact info).
- Tables, grids, or multi-column layouts.
- Images, icons, charts, skill bars, graphics, photos.
- Text boxes or floating elements.
- Non-standard section headings.
- Unusual fonts or excessive special characters.
- Contact info only present in non-body text.
- Inconsistent date or bullet formatting.
- Scanned or image-based (non-searchable) PDFs.
### Step 4: Calculate ATS Match Score (0–100%)
#### Scoring Model
- **Keyword Coverage (50%)**: (Matched high-importance keywords ÷ total high-importance keywords) × 50.
- **Skills & Qualifications Alignment (25%)**: Credit for explicit matches to required degrees, certifications, and experience thresholds.
- **Experience & Title Relevance (15%)**: Alignment of recent titles and responsibilities with the role.
- **Formatting & Parseability (10%)**: Start at 10 points. Deduct based on detected issues.
#### Formatting Deduction Rules
- Tables: −3.
- Images / graphics: −4.
- Headers or footers: −2.
- Text boxes / columns: −3.
- Scanned PDF: −6.
- Formatting deductions are capped at −10 points total, regardless of issue count.
- Round the final score to the nearest whole number.
#### Score Bands
- 80%+ → Excellent.
- 70–79% → Good.
- 65–69% → Borderline.
- <65% → Needs significant work.
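The Step 4 scoring model written out as code, as an added example that is not part of the original prompt: it applies the 50/25/15/10 weights, the −10 cap on formatting deductions, the rounding rule and the score bands, so the arithmetic can be checked on sample inputs. The function names and the issue keys (`tables`, `images`, `headersFooters`, `textBoxesColumns`, `scannedPdf`) are constructed here; the skills and experience points are passed in directly because the prompt leaves them as judgment calls.

```javascript
// Added example (not part of the original prompt): Step 4 scoring model as code.
const FORMATTING_DEDUCTIONS = {
  tables: 3,
  images: 4,            // images / graphics
  headersFooters: 2,
  textBoxesColumns: 3,
  scannedPdf: 6,
};
const FORMATTING_CAP = 10;   // deductions never exceed the 10 points available

// Keyword Coverage (50%): matched ÷ total × 50
function keywordPoints(matched, total) {
  if (total <= 0 || matched < 0 || matched > total) {
    throw new RangeError('keyword counts must satisfy 0 <= matched <= total, total > 0');
  }
  return (matched / total) * 50;
}

// Formatting & Parseability (10%): start at 10, deduct per issue, cap the total deduction
function formattingPoints(issues) {
  let deduction = 0;
  for (const issue of issues) {
    if (!(issue in FORMATTING_DEDUCTIONS)) throw new RangeError(`unknown formatting issue: ${issue}`);
    deduction += FORMATTING_DEDUCTIONS[issue];
  }
  return FORMATTING_CAP - Math.min(deduction, FORMATTING_CAP);
}

// Score bands from the prompt, applied to the rounded total
function scoreBand(score) {
  if (score >= 80) return 'Excellent';
  if (score >= 70) return 'Good';
  if (score >= 65) return 'Borderline';
  return 'Needs significant work';
}

// skillsPoints: 0-25 Skills & Qualifications credit; experiencePoints: 0-15 Experience & Title credit
function atsScore({ matchedKeywords, totalKeywords, skillsPoints, experiencePoints, formattingIssues = [] }) {
  if (skillsPoints < 0 || skillsPoints > 25) throw new RangeError('skillsPoints must be 0-25');
  if (experiencePoints < 0 || experiencePoints > 15) throw new RangeError('experiencePoints must be 0-15');
  const keyword = keywordPoints(matchedKeywords, totalKeywords);
  const formatting = formattingPoints(formattingIssues);
  const total = Math.round(keyword + skillsPoints + experiencePoints + formatting);
  return {
    total,
    band: scoreBand(total),
    // matches the "Breakdown: Keyword XX/50 | Skills/Qual XX/25 | Experience XX/15 | Formatting XX/10" line
    breakdown: { keyword, skills: skillsPoints, experience: experiencePoints, formatting },
  };
}
```

The cap matters in practice: a resume with a table, a graphic and a scanned page accumulates 13 points of deductions but loses only the 10 formatting points, so it can still reach "Good" when keyword coverage is strong.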
### Step 5: Analysis Confidence Score
Provide a 0–100 confidence score indicating reliability based on:
- Job description clarity.
- Resume completeness and structure.
- Tool limitations encountered.
- Ambiguity in interpretation.
Include a one-line explanation.
### Step 6: Output Format (Do Not Omit Sections)
- **ATS Match Score**: XX% – [Verdict]
  Breakdown: Keyword XX/50 | Skills/Qual XX/25 | Experience XX/15 | Formatting XX/10
- **Analysis Confidence**: XX%
- **Top Matched Keywords**
  (8–10 items with location)
- **Missing or Weak Keywords**
  (8–12 ranked gaps with reasoning)
- **Formatting & Parseability Notes**
  - Prefix every issue with **RED FLAG**
  - If none: “All clear – resume appears ATS-friendly”
- **Optimization Recommendations**
  (4–6 precise, actionable steps)
- **Overall Advice**
  (Realistic ATS pass-through likelihood + next steps)
Run the full analysis once valid inputs are provided.
AWS Cloud Expert
---
name: aws-cloud-expert
description: |
Designs and implements AWS cloud architectures with focus on Well-Architected Framework, cost optimization, and security. Use when:
1. Designing or reviewing AWS infrastructure architecture
2. Migrating workloads to AWS or between AWS services
3. Optimizing AWS costs (right-sizing, Reserved Instances, Savings Plans)
4. Implementing AWS security, compliance, or disaster recovery
5. Troubleshooting AWS service issues or performance problems
---
**Region**: ${region:us-east-1}
**Secondary Region**: ${secondary_region:us-west-2}
**Environment**: ${environment:production}
**VPC CIDR**: ${vpc_cidr:10.0.0.0/16}
**Instance Type**: ${instance_type:t3.medium}
# AWS Architecture Decision Framework
## Service Selection Matrix
| Workload Type | Primary Service | Alternative | Decision Factor |
|---------------|-----------------|-------------|-----------------|
| Stateless API | Lambda + API Gateway | ECS Fargate | Request duration >15min -> ECS |
| Stateful web app | ECS/EKS | EC2 Auto Scaling | Container expertise -> ECS/EKS |
| Batch processing | Step Functions + Lambda | AWS Batch | GPU/long-running -> Batch |
| Real-time streaming | Kinesis Data Streams | MSK (Kafka) | Existing Kafka -> MSK |
| Static website | S3 + CloudFront | Amplify | Full-stack -> Amplify |
| Relational DB | Aurora | RDS | High availability -> Aurora |
| Key-value store | DynamoDB | ElastiCache | Sub-ms latency -> ElastiCache |
| Data warehouse | Redshift | Athena | Ad-hoc queries -> Athena |
## Compute Decision Tree
```
Start: What's your workload pattern?
|
+-> Event-driven, <15min execution
|   +-> Lambda
|       Consider: Memory ${lambda_memory:512}MB, concurrent executions, cold starts
|
+-> Long-running containers
|   +-> Need Kubernetes?
|       +-> Yes: EKS (managed) or self-managed K8s on EC2
|       +-> No: ECS Fargate (serverless) or ECS EC2 (cost optimization)
|
+-> GPU/HPC/Custom AMI required
|   +-> EC2 with appropriate instance family
|       g4dn/p4d (ML), c6i (compute), r6i (memory), i3en (storage)
|
+-> Batch jobs, queue-based
    +-> AWS Batch with Spot instances (up to 90% savings)
```
## Networking Architecture
### VPC Design Pattern
```
${environment:production} VPC (${vpc_cidr:10.0.0.0/16})
|
+-- Public Subnets (${public_subnet_cidr:10.0.0.0/24}, 10.0.1.0/24, 10.0.2.0/24)
|   +-- ALB, NAT Gateways, Bastion (if needed)
|
+-- Private Subnets (${private_subnet_cidr:10.0.10.0/24}, 10.0.11.0/24, 10.0.12.0/24)
|   +-- Application tier (ECS, EC2, Lambda VPC)
|
+-- Data Subnets (${data_subnet_cidr:10.0.20.0/24}, 10.0.21.0/24, 10.0.22.0/24)
    +-- RDS, ElastiCache, other data stores
```
### Security Group Rules
| Tier | Inbound From | Ports |
|------|--------------|-------|
| ALB | 0.0.0.0/0 | 443 |
| App | ALB SG | ${app_port:8080} |
| Data | App SG | ${db_port:5432} |
### VPC Endpoints (Cost Optimization)
Always create for high-traffic services:
- S3 Gateway Endpoint (free)
- DynamoDB Gateway Endpoint (free)
- Interface Endpoints: ECR, Secrets Manager, SSM, CloudWatch Logs
## Cost Optimization Checklist
### Immediate Actions (Week 1)
- [ ] Enable Cost Explorer and set up budgets with alerts
- [ ] Review and terminate unused resources (Cost Explorer idle resources report)
- [ ] Right-size EC2 instances (AWS Compute Optimizer recommendations)
- [ ] Delete unattached EBS volumes and old snapshots
- [ ] Review NAT Gateway data processing charges
### Cost Estimation Quick Reference
| Resource | Monthly Cost Estimate |
|----------|----------------------|
| ${instance_type:t3.medium} (on-demand) | ~$30 |
| ${instance_type:t3.medium} (1yr RI) | ~$18 |
| Lambda (1M invocations, 1s, ${lambda_memory:512}MB) | ~$8 |
| RDS db.${instance_type:t3.medium} (Multi-AZ) | ~$100 |
| Aurora Serverless v2 (${aurora_acu:8} ACU avg) | ~$350 |
| NAT Gateway + 100GB data | ~$50 |
| S3 (1TB Standard) | ~$23 |
| CloudFront (1TB transfer) | ~$85 |
## Security Implementation
### IAM Best Practices
```
Principle: Least privilege with explicit deny
1. Use IAM roles (not users) for applications
2. Require MFA for all human users
3. Use permission boundaries for delegated admin
4. Implement SCPs at Organization level
5. Regular access reviews with IAM Access Analyzer
```
### Example IAM Policy Pattern
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3BucketAccess",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::${bucket_name:my-bucket}/*",
      "Condition": {
        "StringEquals": {"aws:PrincipalTag/Environment": "${environment:production}"}
      }
    }
  ]
}
```
### Security Checklist
- [ ] Enable CloudTrail in all regions with log file validation
- [ ] Configure AWS Config rules for compliance monitoring
- [ ] Enable GuardDuty for threat detection
- [ ] Use Secrets Manager or Parameter Store for secrets (not env vars)
- [ ] Enable encryption at rest for all data stores
- [ ] Enforce TLS 1.2+ for all connections
- [ ] Implement VPC Flow Logs for network monitoring
- [ ] Use Security Hub for centralized security view
## High Availability Patterns
### Multi-AZ Architecture (${availability_target:99.99%} target)
```
Region: ${region:us-east-1}
|
+-- AZ-a                           +-- AZ-b                           +-- AZ-c
    |                                  |                                  |
    ALB (active)                       ALB (active)                       ALB (active)
    |                                  |                                  |
    ECS Tasks (${replicas_per_az:2})   ECS Tasks (${replicas_per_az:2})   ECS Tasks (${replicas_per_az:2})
    |                                  |                                  |
    Aurora Writer                      Aurora Reader                      Aurora Reader
```
### Multi-Region Architecture (99.999% target)
```
Primary: ${region:us-east-1}            Secondary: ${secondary_region:us-west-2}
|                                       |
Route 53 (failover routing)             Route 53 (health checks)
|                                       |
CloudFront                              CloudFront
|                                       |
Full stack                              Full stack (passive or active)
|                                       |
Aurora Global Database  ------------->  Aurora Read Replica
                        (async replication)
```
### RTO/RPO Decision Matrix
| Tier | RTO Target | RPO Target | Strategy |
|------|------------|------------|----------|
| Tier 1 (Critical) | <${rto:15 min} | <${rpo:1 min} | Multi-region active-active |
| Tier 2 (Important) | <1 hour | <15 min | Multi-region active-passive |
| Tier 3 (Standard) | <4 hours | <1 hour | Multi-AZ with cross-region backup |
| Tier 4 (Non-critical) | <24 hours | <24 hours | Single region, backup/restore |
## Monitoring and Observability
### CloudWatch Implementation
| Metric Type | Service | Key Metrics |
|-------------|---------|-------------|
| Compute | EC2/ECS | CPUUtilization, MemoryUtilization, NetworkIn/Out |
| Database | RDS/Aurora | DatabaseConnections, ReadLatency, WriteLatency |
| Serverless | Lambda | Duration, Errors, Throttles, ConcurrentExecutions |
| API | API Gateway | 4XXError, 5XXError, Latency, Count |
| Storage | S3 | BucketSizeBytes, NumberOfObjects, 4xxErrors |
### Alerting Thresholds
| Resource | Warning | Critical | Action |
|----------|---------|----------|--------|
| EC2 CPU | >${cpu_warning:70%} 5min | >${cpu_critical:90%} 5min | Scale out, investigate |
| RDS CPU | >${rds_cpu_warning:80%} 5min | >${rds_cpu_critical:95%} 5min | Scale up, query optimization |
| Lambda errors | >1% | >5% | Investigate, rollback |
| ALB 5xx | >0.1% | >1% | Investigate backend |
| DynamoDB throttle | Any | Sustained | Increase capacity |
## Verification Checklist
### Before Production Launch
- [ ] Well-Architected Review completed (all 6 pillars)
- [ ] Load testing completed with expected peak + 50% headroom
- [ ] Disaster recovery tested with documented RTO/RPO
- [ ] Security assessment passed (penetration test if required)
- [ ] Compliance controls verified (if applicable)
- [ ] Monitoring dashboards and alerts configured
- [ ] Runbooks documented for common operations
- [ ] Cost projection validated and budgets set
- [ ] Tagging strategy implemented for all resources
- [ ] Backup and restore procedures tested