Merge branch 'main' into chore/update-ci

Author: ryzizub

.claude-plugin/plugin.json

@@ -47,6 +47,9 @@
     "theming",
     "very-good-cli",
     "wcag",
-    "widget-testing"
+    "widget-testing",
+    "sdk-upgrade",
+    "dart-sdk",
+    "flutter-sdk"
   ]
 }

CLAUDE.md

@@ -26,6 +26,7 @@ skills/
   bloc/SKILL.md
   bloc/reference.md
   create-project/SKILL.md
+  dart-flutter-sdk-upgrade/SKILL.md
   internationalization/SKILL.md
   layered-architecture/SKILL.md
   layered-architecture/reference.md

README.md

@@ -38,6 +38,7 @@ For more details, see the [Very Good Claude Marketplace][marketplace_link].
 | [**Layered Architecture**](skills/layered-architecture/SKILL.md) | VGV layered architecture — four-layer package structure (Data, Repository, Business Logic, Presentation), dependency rules, data flow, and bootstrap wiring |
 | [**Security**](skills/static-security/SKILL.md) | Flutter-specific static security review — secrets management, `flutter_secure_storage`, certificate pinning, `Random.secure()`, `formz` validation, dependency vulnerability scanning with `osv-scanner`, and OWASP Mobile Top 10 guidance |
 | [**License Compliance**](skills/license-compliance/SKILL.md) | Dependency license auditing — categorizes licenses (permissive, weak/strong copyleft, unknown), flags non-compliant or missing licenses, and produces a structured compliance report using Very Good CLI |
+| [**Dart/Flutter SDK Upgrade**](skills/dart-flutter-sdk-upgrade/SKILL.md) | Bump Dart and Flutter SDK constraints across packages — CI workflow versions, pubspec.yaml environment constraints, and PR preparation for SDK upgrades |
 
 ## Hooks
 
@@ -76,6 +77,7 @@ You can also invoke skills directly as slash commands:
 /vgv-static-security
 /vgv-testing
 /vgv-license-compliance
+/vgv-dart-flutter-sdk-upgrade
 ```
 
 ## What Each Skill Provides

skills/dart-flutter-sdk-upgrade/SKILL.md

@@ -0,0 +1,143 @@
+---
+name: vgv-dart-flutter-sdk-upgrade
+description: >
+  VGV-specific reference for bumping Dart and Flutter SDK constraints across packages.
+  Use when upgrading the Flutter or Dart SDK version in any VGV repository — bumping
+  pubspec.yaml environment constraints, updating CI workflow Flutter versions, or preparing
+  an SDK upgrade PR. CI uses ^MAJOR.MINOR.x to resolve to the latest patch; pubspec pins
+  the exact patch version (e.g., ^3.50.1). Trigger on phrases like "bump Flutter to 3.x",
+  "update SDK constraints", "upgrade Dart SDK", "update CI Flutter version",
+  "bump SDK version", or "prep the SDK upgrade PR".
+allowed-tools: Read,Glob,Grep,Edit,Write,Bash
+---
+
+# VGV Flutter/Dart SDK Upgrade — Quick Reference
+
+One PR per project. Only CI workflow and `pubspec.yaml` changes — no logic, no dependency
+version bumps, no test changes.
+
+---
+
+## Core Standards
+
+Apply these standards to ALL SDK upgrade work:
+
+- **Flutter and Dart versions differ** — always look up the Dart version bundled with the target Flutter release from https://docs.flutter.dev/install/archive
+- **CI uses `^MAJOR.MINOR.x`** — wildcard patch so CI always gets the latest patch
+- **pubspec pins exact patch** — use `^MAJOR.MINOR.PATCH` with the specific patch version
+- **Pure Dart packages** — use the Dart version directly, no Flutter mapping needed
+- **Verify with `pub get` and `analyze`** — don't silently resolve conflicts
+
+---
+
+## 0. Resolve target version
+
+Flutter bundles a specific Dart release — their version numbers do **not** match. For
+example, Flutter 3.41.0 ships with Dart 3.11.0. You must look up the correct Dart version
+for the target Flutter release before editing any files.
+
+**How to find the Dart version:**
+
+1. Open https://docs.flutter.dev/install/archive
+2. Find the target Flutter stable release
+3. Note the Dart version listed alongside it
+
+If the user has not specified a Flutter version, look up the latest Flutter stable release
+from that same page. For pure Dart packages (no Flutter dependency), the Dart version is
+whatever the user specifies or the latest stable — no Flutter mapping needed.
+
+Confirm both resolved versions with the user before editing files.
+
+---
+
+## 1. CI workflows — `.github/workflows/`
+
+VGV packages use `VeryGoodOpenSource/very_good_workflows` reusable workflows. Leave the
+`@v1` tag untouched. Use `^MAJOR.MINOR.x` — caret with literal `x` as the patch wildcard
+so CI always resolves to the latest release patch automatically. When bumping versions,
+update MAJOR and/or MINOR as appropriate (e.g., `^3.41.x` → `^3.42.x` or `^4.0.x`):
+
+**Flutter package:**
+
+```yaml
+uses: VeryGoodOpenSource/very_good_workflows/.github/workflows/flutter_package.yml@v1
+with:
+  flutter_version: "^3.41.x" # ← caret + MAJOR.MINOR.x, resolves to latest patch
+```
+
+**Pure Dart package** — note the key is `dart_sdk`, not `flutter_version`. Use the Dart
+version, not the Flutter version:
+
+```yaml
+uses: VeryGoodOpenSource/very_good_workflows/.github/workflows/dart_package.yml@v1
+with:
+  dart_sdk: "^3.11.x" # ← Dart version (not Flutter version)
+```
+
+If a file uses `flutter_channel: stable` instead of a pinned version,
+pin the version — VGV always pins Flutter versions in CI workflows.
+
+---
+
+## 2. `pubspec.yaml` environment constraints
+
+Format is `^MAJOR.MINOR.PATCH` (caret, exact patch). Unlike CI, pubspec pins a specific
+patch version — the one the user specifies or the current stable at the time of the bump.
+
+**Flutter package** (has `flutter:` under `dependencies`):
+
+```yaml
+environment:
+  sdk: ^3.11.0 # ← Dart version bundled with the target Flutter release
+  flutter: ^3.41.0 # ← Flutter version
+```
+
+**Pure Dart package** (no Flutter SDK dependency):
+
+```yaml
+environment:
+  sdk: ^3.11.0 # ← Dart version only
+  # no flutter: line
+```
+
+In a monorepo, update each package's `pubspec.yaml` individually. The shared CI workflow
+only needs updating once.
+
+---
+
+## 3. Verify
+
+Run from each package directory. **Use Dart/Flutter MCP tools if available; otherwise Bash.**
+
+```bash
+flutter pub get   # or: dart pub get  (for pure Dart packages)
+flutter analyze   # or: dart analyze
+```
+
+If `pub get` fails with dependency conflicts, report them — don't silently resolve by
+upgrading packages. If `analyze` surfaces new errors introduced by the SDK bump, report
+them rather than fixing them in this PR.
+
+---
+
+## 4. PR scope check
+
+Before committing, confirm the diff contains only:
+
+- `.github/workflows/*.yml`
+- `pubspec.yaml` (one or more)
+
+```bash
+git diff HEAD --name-only
+```
+
+Suggested commit/PR message:
+
+```
+chore: bump Flutter to 3.41.0 / Dart to 3.11.0
+
+- Update flutter_version in .github/workflows/ to ^3.41.x (CI resolves latest patch)
+- Update environment sdk/flutter constraints in pubspec.yaml
+
+No logic or code changes.
+```

skills/very-good-analysis-upgrade/SKILL.md

@@ -0,0 +1,164 @@
+---
+name: vgv-very-good-analysis-upgrade
+description: Upgrade very_good_analysis lint package to new version across Dart/Flutter projects. Handles version bump, lint fixes, and PR creation.
+allowed-tools: Read,Glob,Grep,Bash
+---
+
+# Upgrade very_good_analysis
+
+This skill guides the full upgrade of `very_good_analysis` in a Dart or Flutter project.
+The goal is a clean, focused PR: nothing more than the version bump in `pubspec.yaml` plus
+the minimal code changes needed to satisfy any new lint rules introduced in that version.
+
+---
+
+## Core Standards
+
+These standards apply to every `very_good_analysis` upgrade.
+
+- **Keep the PR focused** — include only the version bump and required lint fixes
+- **Fix only new warnings** — do not address pre-existing issues in the same PR
+- **Avoid behavior changes** — if a lint fix alters runtime behavior, flag it for review
+- **Verify with analysis** — end with a clean `flutter analyze` or `dart analyze`
+
+---
+
+## Before You Start
+
+Confirm two things before proceeding:
+
+1. **Target version** — if the user didn't specify a version, fetch the latest from the pub.dev API
+   and use that. Don't ask — just look it up and proceed:
+
+    ```bash
+    curl -s https://pub.dev/api/packages/very_good_analysis | jq -r '.latest.version'
+    ```
+
+   Tell the user which version you're upgrading to before making any changes.
+
+2. **Project scope** — is this a single package or a monorepo? In a monorepo, each sub-package
+   with its own `pubspec.yaml` needs its own bump (and potentially its own PR).
+
+---
+
+## Step 1 — Bump the version in pubspec.yaml
+
+Locate the `pubspec.yaml` file(s) for the project. Update the `very_good_analysis` entry under
+`dev_dependencies`:
+
+```yaml
+dev_dependencies:
+  very_good_analysis: ^x.y.z # replace x.y.z with the target version
+```
+
+Keep the caret (`^`) prefix — that's the VGV convention. Don't change anything else in the file.
+
+After editing, run:
+
+```bash
+flutter pub get
+```
+
+(For a pure Dart package without Flutter, use `dart pub get` instead.)
+
+Use the Dart/Flutter MCP server if it is connected and exposes pub commands; otherwise run via Bash.
+
+---
+
+## Step 2 — Run flutter analyze
+
+```bash
+flutter analyze
+```
+
+Or for a pure Dart package:
+
+```bash
+dart analyze
+```
+
+Capture the full output. You're looking for new warnings or errors introduced by the version bump —
+lints that weren't flagged before. Ignore pre-existing issues unrelated to the bump (don't fix
+things that were already broken; that belongs in a separate PR).
+
+---
+
+## Step 3 — Fix the lint warnings
+
+Work through the warnings one by one. Keep fixes **minimal and lint-compliance-only**:
+
+- Fix only what `flutter analyze` flags
+- Don't refactor, rename, or reorganize anything beyond what's needed
+- Don't fix pre-existing lint warnings that existed before the bump
+- If a warning looks like it might require a behavioral change (not just style), flag it for
+  human review rather than silently fixing it
+
+After fixing, re-run `flutter analyze` to confirm zero warnings remain.
+
+---
+
+## Step 4 — Verify the fix is complete
+
+Run the full analyze pass one more time to make sure nothing was missed:
+
+```bash
+flutter analyze
+```
+
+Expected output: `No issues found!` (or only pre-existing issues that you haven't touched).
+
+If new warnings appear that weren't there after Step 2, address them now. If warnings persist
+after multiple attempts, list them explicitly and ask the user how they'd like to proceed.
+
+---
+
+## Step 5 — Create the PR
+
+Stage only the changed files:
+
+```bash
+git add pubspec.yaml pubspec.lock   # always include these
+# plus any .dart files you edited for lint fixes
+```
+
+Commit with a clear message following the project's conventions. A good default:
+
+```
+chore: upgrade very_good_analysis to x.y.z
+
+Bump very_good_analysis from <old> to <new> and resolve
+lint warnings introduced by newly enabled rules.
+```
+
+Then push and open a PR. The PR should contain **nothing else** — no feature work, no unrelated
+refactors, no extra cleanup. Reviewers should be able to see at a glance that this is purely
+a lint compliance update.
+
+If the project uses a PR template, fill it in. Mention specifically which rules were newly
+enabled if any warnings required code changes.
+
+---
+
+## Tips and edge cases
+
+**Monorepos**: Each package that depends on `very_good_analysis` needs its own `pubspec.yaml`
+bump. You can often run `flutter analyze` from the repo root to surface all warnings at once,
+but `pub get` must be run per-package.
+
+**analysis_options.yaml**: `very_good_analysis` ships its own `analysis_options.yaml` that is
+included by the project's own options file. You generally don't need to touch the project's
+`analysis_options.yaml` — the bump in `pubspec.yaml` is sufficient to pull in the new rules.
+
+**Breaking rule changes**: Occasionally a new version disables a rule that was previously
+enabled, or changes its severity. That might cause previously-flagged issues to disappear,
+which is fine — don't re-introduce them.
+
+**flutter pub get fails**: If dependency resolution fails after the bump (version conflicts),
+investigate the conflict before proceeding. Don't force-upgrade other dependencies just to
+make the bump work — surface the conflict to the user.
+
+---
+
+## Additional Resources
+
+See [reference.md](reference.md) for a quick-reference table of common lint rules introduced by `very_good_analysis` upgrades and their typical fixes (`prefer_const_constructors`, `use_super_parameters`, `unnecessary_late`, `avoid_dynamic_calls`, `require_trailing_commas`, `unnecessary_null_checks`).

skills/very-good-analysis-upgrade/reference.md

@@ -0,0 +1,16 @@
+# Upgrade very_good_analysis — Reference
+
+Extended examples and common lint rule fixes for the very_good_analysis upgrade skill.
+
+---
+
+## Common Lint Rule Fixes
+
+| Lint rule                   | Typical fix                                          |
+| --------------------------- | ---------------------------------------------------- |
+| `prefer_const_constructors` | Add `const` keyword                                  |
+| `use_super_parameters`      | Convert `super.param` to initializer                 |
+| `unnecessary_late`          | Remove `late` from immediately-initialized variables |
+| `avoid_dynamic_calls`       | Cast the receiver to a specific type                 |
+| `require_trailing_commas`   | Add trailing comma in argument/parameter lists       |
+| `unnecessary_null_checks`   | Remove redundant `!` operators                       |