@dennisrongo/skills 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -103,6 +103,7 @@ node bin/claude-skills.js list
103
103
  | [`nextjs-app-router`](./skills/nextjs-app-router/SKILL.md) | Scaffold a new Next.js (App Router) **fullstack** app — TypeScript, **NextAuth (Auth.js v5)**, **Prisma + PostgreSQL**, Route Handlers as the backend, Redux Toolkit + RTK Query, Tailwind + shadcn/ui (Radix), React Hook Form + Zod. **API-driven by deliberate choice**: pages are `'use client'`, all data flows UI → RTK Query → `/api/**` Route Handlers → Prisma. No `fetch()` in server components, no Server Actions, no async `page.tsx`. Confirms the database (Postgres + Prisma) and NextAuth providers with the user before writing files. Forbids the usual pitfalls (custom JWT cookies alongside NextAuth, multiple `createApi`/`PrismaClient` instances, `serializableCheck: false`, `@ts-ignore`, mixed `moment`/`date-fns`, `styled-components` alongside Tailwind, case-sensitive folder dupes, `dangerouslySetInnerHTML` without sanitization, Route Handlers that skip `requireSession()` or trust client-sent user IDs, `prisma db push` in CI). Three modes — full project scaffold, add-a-feature slice (page + form + Route Handler + Zod schema + RTK Query endpoints + Prisma model), add-an-API-slice. Resolves package versions at scaffold time (not hard-coded). |
104
104
  | [`plan-and-build`](./skills/plan-and-build/SKILL.md) | Plan-first feature builder. Grills the user about the feature (à la `grill-with-docs`) until the design is unambiguous, detects the project's stack and conventions, presents a plan, and gates on `ExitPlanMode` approval before writing any code. When Phase 3 hits a genuine design fork (service-layer vs. CQRS, new table vs. nullable columns, sync vs. background job, etc.) and Phase 2 didn't settle it, runs **Design It Twice**: two parallel sub-agents each draft the BEST plan for one side of the named axis, then an inline debate names three wins for each and recommends one — the user sees a single recommended plan with a one-line "considered alternative" note so they can redirect with one sentence. Skipped when an existing pattern in the repo already dictates the approach. Builds TDD-first with NUnit when a .NET API changes — appending to the matching test class if one already exists rather than forking a parallel one — reuses existing patterns, keeps comments minimal, and generates EF Core / migration files **without ever** running `dotnet ef database update` or any DDL/SQL against the user's database. Triggers on "build/add/implement a feature", "/plan-and-build", or a pasted feature spec. |
105
105
  | [`pr-review`](./skills/pr-review/SKILL.md) | Structured review of a local branch, **grouped per `#NNN` task** referenced in commit messages, prioritized correctness → design → tests → security → performance → readability, with categorized feedback (`blocking` / `suggestion` / `question` / `nit` / `praise`). On non-trivial tasks, convenes a **per-task lens council**: parallel `Explore` sub-agents through distinct lenses (correctness / design / security / tests) on that task's diff only, followed by an **adversarial critique round** that demotes false-positive blockers when another lens defuses them, surfaces contradictions as `question` items for the user, and promotes findings raised by multiple lenses independently. Small tasks skip the council. The council never crosses task boundaries — each `#NNN` gets its own verdict. Triggers on "review my PR", "review the diff", "review my branch", or `/pr-review`. |
106
+ | [`ship-it`](./skills/ship-it/SKILL.md) | Pre-launch **operational-readiness** gate for a feature, release, or branch — the complement to [`code-review`](./skills/code-review/SKILL.md). Walks a fixed 10-category checklist (logging, error handling, telemetry, feature flags, migrations, rollback strategy, secrets, local-first storage, auth, update strategy) against the named scope and produces a structured report with PASS / GAP / N/A per item — every PASS backed by a `file:line` citation, every GAP labelled `no evidence found at <path>`, every N/A justified in one line. The final verdict groups findings as **Blocking** (secrets in code, missing authz on a new endpoint, destructive migration without rollback, no way to disable the change in prod) / **Should-fix** / **N/A with reason** / **Passing**, then asks per-blocker whether to draft a fix. **Never edits code unprompted** and **forces scope before auditing** — a PR, a flag, a release tag, or a module — so the output stays actionable. Distinct from `code-review` (diff quality) and `pr-review` (branch / per-task review): `ship-it` is the operational gate that catches what diff-level reviews don't surface. Triggers on "is this ready to ship?", "ship-it check", "production checklist", "pre-launch checklist", "release readiness", or `/ship-it`. |
106
107
  | [`tauri-2-app`](./skills/tauri-2-app/SKILL.md) | Scaffold a new Tauri 2 desktop app (Rust backend + TypeScript/React frontend) using a thin-frontend / rich-Rust-backend architecture with modular `commands/`, `state/`, `storage/`, `platform/` traits, `error/` macros, single-instance + updater plugins wired correctly, capability JSON per window, encrypted secrets at rest, `spawn_blocking` for sync work, and typed frontend command hooks — while forbidding common pitfalls (committed `.backup`/`.orig`/`.temp` files, plaintext API keys in `settings.json`, tokens in `localStorage`, `cfg!(target_os)` in command bodies instead of trait-based platform code, hand-rolled date math instead of `chrono`, raw `std::fs` bypassing capability checks, blocking I/O inside async commands, missing `windows_subsystem = "windows"` in `main.rs`, `devtools: true` in release, hardcoded bundle identifiers / updater pubkeys / CDN URLs). Three modes — full project scaffold, add-a-command end-to-end, add-a-Rust-module slice. Resolves Cargo + npm versions at scaffold time (not hard-coded). |
107
108
  | [`write-a-skill`](./skills/write-a-skill/SKILL.md) | Author a new Claude Code skill — interview-driven scaffolding that produces a properly-structured `SKILL.md` (trigger-rich YAML description, "When to use", workflow, examples, anti-patterns), drops it in the right location (library `skills/`, project `./.claude/skills/`, or global `~/.claude/skills/`), updates the README skills table when extending this library, and runs a review checklist focused on the failure mode that matters most — under-triggering descriptions. Triggers on "create/write/add a skill", "/write-a-skill", or a pasted SKILL.md URL with "one like this". |
108
109
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@dennisrongo/skills",
3
- "version": "0.3.0",
3
+ "version": "0.4.0",
4
4
  "description": "A curated, fine-tunable library of Claude Code skills. Install globally or per-project via npx.",
5
5
  "bin": {
6
6
  "skills": "bin/claude-skills.js"
@@ -0,0 +1,180 @@
1
+ ---
2
+ name: ship-it
3
+ description: Pre-launch operational-readiness checklist for a feature, release, or branch. Walks a fixed 10-category gate (logging, error handling, telemetry, feature flags, migrations, rollback, secrets, local-first storage, auth, update strategy), produces a structured report with PASS / GAP / N/A per item, every PASS backed by `file:line` evidence and every GAP cited as `no evidence found at <path>`. Final verdict groups findings as **Blocking** / **Should-fix** / **N/A with reason** / **Passing**. Use this skill whenever the user says "is this ready to ship?", "ship-it check", "/ship-it", "production checklist", "pre-launch checklist", "production readiness", "release readiness", "launch checklist", or asks whether a release is operationally safe — even if they don't explicitly say "ship-it skill". Use [`code-review`](../code-review/SKILL.md) for diff-level code quality (DRY, dead code, tests). Use `ship-it` for cross-cutting operational readiness. Never edits code unprompted — recommendation first, ask, then fix.
4
+ ---
5
+
6
+ # Ship It
7
+
8
+ The operational gate I run before calling something done. Code review tells me the diff is clean; `ship-it` tells me the thing won't page me at 3am.
9
+
10
+ ## When to use this skill
11
+
12
+ - "is this ready to ship?" / "ship-it check" / "/ship-it"
13
+ - "production checklist" / "pre-launch checklist" / "production readiness" / "release readiness" / "launch checklist"
14
+ - "can we deploy this?" / "anything missing before we ship?"
15
+ - The user names a branch, PR, release tag, or module and asks whether it's safe to release.
16
+
17
+ Do **not** auto-trigger when the user is asking about diff-level code quality, DRY, dead code, or test coverage — that's [`code-review`](../code-review/SKILL.md)'s job. If the trigger is ambiguous (e.g. bare "ready to ship?" with a working tree full of uncommitted edits), ask once whether they want the diff review or the operational checklist.
18
+
19
+ ## Hard rules
20
+
21
+ - **Recommend, don't refactor.** This is an audit. Never edit code unprompted. After the report, ask per-blocker whether the user wants a fix drafted.
22
+ - **Evidence is mandatory.** Every PASS must cite `file:line`. "I checked, it looks fine" is not a PASS — that's a GAP labelled `couldn't verify`.
23
+ - **N/A needs a reason.** Mark a category N/A only with a one-line justification (e.g. *"server-only service, no local storage layer"*). Don't fabricate gaps for categories that don't apply.
24
+ - **Stay in your lane.** Don't re-do `code-review`'s work. If the user asks about DRY / dead code / test coverage, defer.
25
+
26
+ ## Workflow
27
+
28
+ ### Phase 1 — Name the unit being shipped
29
+
30
+ Don't proceed until scope is named. Ask the user with `AskUserQuestion` if it isn't obvious:
31
+
32
+ - A specific PR / branch? → `git diff` against the base; scope the audit to changed files + their direct call graph.
33
+ - A feature flag? → grep the flag key; scope to gated code paths.
34
+ - A release tag / version bump? → `git diff <prev-tag>..HEAD`.
35
+ - A module / directory? → scope to that path.
36
+
37
+ Echo the scope back in one line before starting Phase 2 (*"Auditing branch `feat/billing-v2` against base `main` — 14 files changed."*).
38
+
39
+ ### Phase 2 — Walk the 10 categories
40
+
41
+ For each category: state the criterion in one line, search the codebase for evidence, mark PASS / GAP / N/A. Use `Grep` and `Read` aggressively; spawn an `Explore` sub-agent for any category where the search would take more than 3 queries.
42
+
43
+ #### 1. Logging
44
+
45
+ **What good looks like:** Structured logs (JSON or key=value), correlation / request IDs propagated, levels used correctly (`error` ≠ `info`), no secrets / tokens / PII in log output, errors logged with stack + context, not just the message.
46
+
47
+ **How to check:** Grep for the logger import and inspect call sites in changed files. Confirm a request-ID middleware exists upstream and that the new code paths inherit it. Grep for known secret-shaped variables being passed to log calls.
48
+
49
+ #### 2. Error handling
50
+
51
+ **What good looks like:** Each failure mode named (network, validation, auth, downstream 5xx), no `catch {}` / `except: pass` / `_ = ...` silent swallows, user-facing errors mapped to safe messages, retry / backoff on external-boundary calls (HTTP, DB, queues).
52
+
53
+ **How to check:** Grep for empty catches, bare `except`, error-swallowing patterns. Trace each new external call to see how failures propagate. Confirm idempotency where retries exist.
54
+
55
+ #### 3. Telemetry
56
+
57
+ **What good looks like:** New code paths emit metrics (counts, latencies, error rates), traces propagate (OpenTelemetry / equivalent context passed through), dashboards / alerts updated to include the new signal.
58
+
59
+ **How to check:** Grep for the metrics client in changed files. Confirm at least one counter and one latency histogram per significant code path. Ask the user whether the dashboards / alerts were updated — that's usually out-of-tree.
60
+
61
+ #### 4. Feature flags
62
+
63
+ **What good looks like:** New behavior gated behind a flag with a clear owner, documented default state for prod (almost always `off`), and a written ramp / cleanup plan (when does the flag get removed?).
64
+
65
+ **How to check:** Grep for the flag client; confirm new branches are gated. Read the flag definition file / dashboard config for owner + default. Ask the user for the cleanup plan if it isn't in the PR description.
66
+
67
+ #### 5. Migrations
68
+
69
+ **What good looks like:** Forward-compatible — the deployed code tolerates BOTH old and new schema for at least one release. Backfill plan named if columns are added. Runtime estimated against prod-size data (not just dev).
70
+
71
+ **How to check:** Read the migration files. Look for `ALTER TABLE` against large tables — flag any that take exclusive locks. Confirm the matching code reads `column ?? fallback` rather than assuming the new shape exists. Ask about backfill strategy.
72
+
73
+ #### 6. Rollback strategy
74
+
75
+ **What good looks like:** The change can be reverted by redeploying the previous artifact. Flag-on / flag-off is the rollback path where possible. Migrations are split from code deploys so revert never requires a DB rollback. There's a one-liner in the runbook.
76
+
77
+ **How to check:** Look for the runbook entry. Confirm migrations were merged in a separate commit / PR from the feature code (the "expand / migrate / contract" pattern). If a migration is destructive (DROP, NOT NULL added) call it out as blocking unless a rollback plan exists.
78
+
79
+ #### 7. Secrets
80
+
81
+ **What good looks like:** No secrets in code, config files, or logs. Rotation path documented. New env vars added to the secret store (Vault / AWS SM / Doppler / etc.), not just `.env.example`.
82
+
83
+ **How to check:** Grep changed files for high-entropy strings, common key shapes (`AKIA…`, `sk_live_`, `xoxb-`), and `.env*` diffs. Confirm any new env var also exists in the secret-store config (Terraform / Helm values / etc.).
84
+
85
+ #### 8. Local-first storage *(skip with N/A for pure server services)*
86
+
87
+ **What good looks like:** Offline behavior defined (queue + replay, or fail-fast), conflict resolution rule named for sync (last-writer-wins, CRDT, merge UI), schema version in the local DB, migration handles users upgrading from an older client.
88
+
89
+ **How to check:** Find the local store (IndexedDB / SQLite / Realm / AsyncStorage). Read its schema-version handling and migration code. If the PR changes the local schema, confirm the upgrade path exists.
90
+
91
+ #### 9. Auth
92
+
93
+ **What good looks like:** New endpoints / screens have **authorization** checks (not just authentication), tenant / org scoping enforced server-side (never trust client-sent IDs), no IDOR — `GET /orders/:id` verifies the order belongs to the caller — session / token handling unchanged or explicitly reviewed.
94
+
95
+ **How to check:** For each new route, read the handler top-to-bottom. Confirm: caller identity comes from the session, the resource is loaded scoped to that identity, no `where: { id: req.params.id }` without a tenant predicate. Missing authz on a new route is **blocking**.
96
+
97
+ #### 10. Update strategy
98
+
99
+ **What good looks like:** How users get the new version is named and tested.
100
+ - **Web:** deploy + cache-bust (hashed assets, SW update flow if applicable).
101
+ - **Desktop (Tauri / Electron):** auto-update channel signed and pointed at the right manifest.
102
+ - **Mobile:** store review window accounted for, forced-update path for breaking API changes.
103
+ - **CLI / SDK:** version pinning respected, breaking changes major-bumped.
104
+
105
+ **How to check:** Identify the artifact type and ask the user how the rollout happens. For desktop, read the updater config. For mobile + breaking changes, confirm there's a min-version-supported check on the backend.
106
+
107
+ ### Phase 3 — Produce the report
108
+
109
+ Group findings into four buckets. Order matters — blocking first.
110
+
111
+ ```markdown
112
+ # Ship-It Report — <scope>
113
+
114
+ ## Blocking
115
+ - **<category>:** <one-line problem> — `<file:line>` or `no evidence found at <path>`
116
+
117
+ ## Should-fix (non-blocking)
118
+ - **<category>:** <one-line problem> — `<file:line>`
119
+
120
+ ## N/A
121
+ - **<category>:** <one-line reason>
122
+
123
+ ## Passing
124
+ - **<category>:** <one-line evidence> — `<file:line>`
125
+ ```
126
+
127
+ **Blocking = any one of:**
128
+ - Secrets in code / logs / committed config.
129
+ - Missing authz on a new endpoint or screen.
130
+ - Destructive migration with no rollback plan.
131
+ - No way to disable the new behavior in prod (no flag, no quick revert).
132
+ - Update strategy genuinely absent for the artifact type.
133
+
134
+ Everything else is should-fix.
135
+
136
+ ### Phase 4 — Offer to fix
137
+
138
+ After the report, ask: *"Want me to draft fixes for the blocking items, or stop at the report?"* Wait for explicit go-ahead before editing.
139
+
140
+ ## Examples
141
+
142
+ ### Example 1: PR-scoped audit
143
+
144
+ **User:** "is this ready to ship?" *(currently on branch `feat/billing-v2` with an open PR)*
145
+
146
+ **Claude:**
147
+ 1. Echoes scope: *"Auditing `feat/billing-v2` against `main` — 14 files changed."*
148
+ 2. Walks the 10 categories, citing `file:line` per finding.
149
+ 3. Reports: 2 blocking (missing authz on `POST /api/v2/invoices`, no rollback for the `currency_code NOT NULL` migration), 4 should-fix, 1 N/A (local-first storage — server-only), 3 passing.
150
+ 4. Asks whether to draft fixes for the blockers.
151
+
152
+ ### Example 2: Module-scoped audit
153
+
154
+ **User:** "ship-it check on the billing module"
155
+
156
+ **Claude:**
157
+ 1. Scopes to `src/billing/**` (confirms the path exists first).
158
+ 2. Skips the "diff vs base" framing — runs the 10 categories against the module's current state.
159
+ 3. Marks update-strategy as N/A *("module is consumed by the web app's update flow — covered there, not here")* with a pointer to where it IS covered.
160
+
161
+ ### Example 3: Anti-pattern — wrong skill
162
+
163
+ **User:** "review my diff"
164
+
165
+ **Claude:** "That's [`code-review`](../code-review/SKILL.md)'s territory — diff-level quality, DRY, tests. `ship-it` is for the operational gate (logging, flags, migrations, rollback, auth, etc.). Want me to run `code-review` instead, or did you mean the operational checklist?"
166
+
167
+ ## Anti-patterns
168
+
169
+ - ❌ Marking a category PASS without a `file:line` citation. "Looks fine" is a GAP labelled `couldn't verify`.
170
+ - ❌ Inventing GAPs in N/A categories. A server-only service genuinely has no local-first storage layer — say so and move on.
171
+ - ❌ Reviewing diff quality (DRY, dead code, missing tests) under the ship-it banner. Defer to `code-review`.
172
+ - ❌ Editing code mid-audit. The report comes first, then the user picks what to fix.
173
+ - ❌ Blocking on every missing dashboard or runbook entry. Telemetry without a dashboard is should-fix. Telemetry with secrets in the log line is blocking. Calibrate.
174
+ - ❌ Letting Phase 1 slide. Auditing "the whole repo" produces unactionable output. Force a scope.
175
+
176
+ ## Notes
177
+
178
+ - Categories 1–7 + 9 apply to almost any service. Category 8 (local-first storage) is N/A for pure server work. Category 10 (update strategy) is where most teams underinvest — push on it.
179
+ - The 10-category list is deliberately fixed. Don't extend it ad-hoc — if you find yourself wanting to add "performance" or "i18n" as a category, that's a separate skill or a should-fix entry under the closest existing category.
180
+ - Pairs well with [`code-review`](../code-review/SKILL.md) (run code-review first for diff quality, then ship-it for operational readiness) and [`handoff`](../handoff/SKILL.md) (capture the report as the next-session pointer if shipping is deferred).