Add comprehensive code review specifications and templates

- Introduced best practices requirements specification covering code quality, performance, maintainability, error handling, and documentation standards.
- Established quality standards with overall quality metrics and mandatory checks for security, code quality, performance, and maintainability.
- Created security requirements specification aligned with OWASP Top 10 and CWE Top 25, detailing checks and patterns for common vulnerabilities.
- Developed templates for documenting best practice findings, security findings, and generating reports, including structured markdown and JSON formats.
- Updated dependencies in the project, ensuring compatibility and stability.
- Added test files and README documentation for vector indexing tests.

.claude/skills/code-reviewer/specs/security-requirements.md

@@ -0,0 +1,243 @@
+# Security Requirements Specification
+
+## OWASP Top 10 Coverage
+
+### A01:2021 - Broken Access Control
+
+**Checks**:
+- Missing authorization checks on protected routes
+- Insecure direct object references (IDOR)
+- Path traversal vulnerabilities
+- Missing CSRF protection
+- Elevation of privilege
+
+**Patterns**:
+```javascript
+// Missing auth middleware
+router.get('/admin/*', handler);  // ❌ No auth check
+
+// Insecure direct object reference
+router.get('/user/:id', async (req, res) => {
+  const user = await User.findById(req.params.id);  // ❌ No ownership check
+  res.json(user);
+});
+```
+
+### A02:2021 - Cryptographic Failures
+
+**Checks**:
+- Sensitive data transmitted without encryption
+- Weak cryptographic algorithms (MD5, SHA1)
+- Hardcoded secrets/keys
+- Insecure random number generation
+
+**Patterns**:
+```javascript
+// Weak hashing
+const hash = crypto.createHash('md5').update(password);  // ❌ MD5 is weak
+
+// Hardcoded secret
+const token = jwt.sign(payload, 'secret123');  // ❌ Hardcoded secret
+```
+
+### A03:2021 - Injection
+
+**Checks**:
+- SQL injection
+- NoSQL injection
+- Command injection
+- LDAP injection
+- XPath injection
+
+**Patterns**:
+```javascript
+// SQL injection
+const query = `SELECT * FROM users WHERE id = ${userId}`;  // ❌
+
+// Command injection
+exec(`git clone ${userRepo}`);  // ❌
+```
+
+### A04:2021 - Insecure Design
+
+**Checks**:
+- Missing rate limiting
+- Lack of input validation
+- Business logic flaws
+- Missing security requirements
+
+### A05:2021 - Security Misconfiguration
+
+**Checks**:
+- Default credentials
+- Overly permissive CORS
+- Verbose error messages
+- Unnecessary features enabled
+- Missing security headers
+
+**Patterns**:
+```javascript
+// Overly permissive CORS
+app.use(cors({ origin: '*' }));  // ❌
+
+// Verbose error
+res.status(500).json({ error: err.stack });  // ❌
+```
+
+### A06:2021 - Vulnerable and Outdated Components
+
+**Checks**:
+- Dependencies with known vulnerabilities
+- Unmaintained dependencies
+- Using deprecated APIs
+
+### A07:2021 - Identification and Authentication Failures
+
+**Checks**:
+- Weak password requirements
+- Permits brute force attacks
+- Exposed session IDs
+- Weak JWT implementation
+
+**Patterns**:
+```javascript
+// Weak bcrypt rounds
+bcrypt.hash(password, 4);  // ❌ Too low (min: 10)
+
+// Session ID in URL
+res.redirect(`/dashboard?sessionId=${sessionId}`);  // ❌
+```
+
+### A08:2021 - Software and Data Integrity Failures
+
+**Checks**:
+- Insecure deserialization
+- Unsigned/unverified updates
+- CI/CD pipeline vulnerabilities
+
+**Patterns**:
+```javascript
+// Insecure deserialization
+const obj = eval(userInput);  // ❌
+
+// Pickle vulnerability (Python)
+data = pickle.loads(untrusted_data)  # ❌
+```
+
+### A09:2021 - Security Logging and Monitoring Failures
+
+**Checks**:
+- Missing audit logs
+- Sensitive data in logs
+- Insufficient monitoring
+
+**Patterns**:
+```javascript
+// Password in logs
+console.log(`Login attempt: ${username}:${password}`);  // ❌
+```
+
+### A10:2021 - Server-Side Request Forgery (SSRF)
+
+**Checks**:
+- Unvalidated URLs in requests
+- Internal network access
+- Cloud metadata exposure
+
+**Patterns**:
+```javascript
+// SSRF vulnerability
+const response = await fetch(userProvidedUrl);  // ❌
+```
+
+## CWE Top 25 Coverage
+
+### CWE-79: Cross-site Scripting (XSS)
+
+**Patterns**:
+```javascript
+element.innerHTML = userInput;  // ❌
+document.write(userInput);  // ❌
+```
+
+### CWE-89: SQL Injection
+
+**Patterns**:
+```javascript
+query = `SELECT * FROM users WHERE name = '${name}'`;  // ❌
+```
+
+### CWE-20: Improper Input Validation
+
+**Checks**:
+- Missing input sanitization
+- No input length limits
+- Unvalidated file uploads
+
+### CWE-78: OS Command Injection
+
+**Patterns**:
+```javascript
+exec(`ping ${userInput}`);  // ❌
+```
+
+### CWE-190: Integer Overflow
+
+**Checks**:
+- Large number operations without bounds checking
+- Array allocation with user-controlled size
+
+## Language-Specific Security Rules
+
+### TypeScript/JavaScript
+
+- Prototype pollution
+- eval() usage
+- Unsafe regex (ReDoS)
+- require() with dynamic input
+
+### Python
+
+- pickle vulnerabilities
+- yaml.unsafe_load()
+- SQL injection in SQLAlchemy
+- Command injection in subprocess
+
+### Java
+
+- Deserialization vulnerabilities
+- XXE in XML parsers
+- Path traversal
+- SQL injection in JDBC
+
+### Go
+
+- Race conditions
+- SQL injection
+- Path traversal
+- Weak cryptography
+
+## Severity Classification
+
+### Critical
+- Remote code execution
+- SQL injection with write access
+- Authentication bypass
+- Hardcoded credentials in production
+
+### High
+- XSS in sensitive contexts
+- Missing authorization checks
+- Sensitive data exposure
+- Insecure cryptography
+
+### Medium
+- Missing rate limiting
+- Weak password policy
+- Security misconfiguration
+- Information disclosure
+
+### Low
+- Missing security headers
+- Verbose error messages
+- Outdated dependencies (no known exploits)