@geraldmaron/construct 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.env.example +69 -0
- package/LICENSE +21 -0
- package/README.md +344 -0
- package/agents/prompts/cx-accessibility.md +29 -0
- package/agents/prompts/cx-ai-engineer.md +31 -0
- package/agents/prompts/cx-architect.md +40 -0
- package/agents/prompts/cx-business-strategist.md +25 -0
- package/agents/prompts/cx-data-analyst.md +30 -0
- package/agents/prompts/cx-data-engineer.md +32 -0
- package/agents/prompts/cx-debugger.md +27 -0
- package/agents/prompts/cx-designer.md +33 -0
- package/agents/prompts/cx-devil-advocate.md +36 -0
- package/agents/prompts/cx-docs-keeper.md +50 -0
- package/agents/prompts/cx-engineer.md +36 -0
- package/agents/prompts/cx-evaluator.md +26 -0
- package/agents/prompts/cx-explorer.md +38 -0
- package/agents/prompts/cx-legal-compliance.md +25 -0
- package/agents/prompts/cx-operations.md +28 -0
- package/agents/prompts/cx-orchestrator.md +30 -0
- package/agents/prompts/cx-platform-engineer.md +25 -0
- package/agents/prompts/cx-product-manager.md +30 -0
- package/agents/prompts/cx-qa.md +42 -0
- package/agents/prompts/cx-rd-lead.md +25 -0
- package/agents/prompts/cx-release-manager.md +31 -0
- package/agents/prompts/cx-researcher.md +31 -0
- package/agents/prompts/cx-reviewer.md +36 -0
- package/agents/prompts/cx-security.md +37 -0
- package/agents/prompts/cx-sre.md +26 -0
- package/agents/prompts/cx-test-automation.md +35 -0
- package/agents/prompts/cx-trace-reviewer.md +76 -0
- package/agents/prompts/cx-ux-researcher.md +30 -0
- package/agents/registry.json +879 -0
- package/agents/teams.json +94 -0
- package/bin/construct +613 -0
- package/commands/build/feature.md +21 -0
- package/commands/build/fix.md +20 -0
- package/commands/design/access.md +19 -0
- package/commands/design/flow.md +16 -0
- package/commands/design/ui.md +18 -0
- package/commands/measure/experiment.md +18 -0
- package/commands/measure/metrics.md +18 -0
- package/commands/measure/results.md +18 -0
- package/commands/plan/api.md +19 -0
- package/commands/plan/challenge.md +18 -0
- package/commands/plan/decide.md +20 -0
- package/commands/plan/feature.md +49 -0
- package/commands/plan/requirements.md +24 -0
- package/commands/remember/context.md +26 -0
- package/commands/remember/handoff.md +19 -0
- package/commands/remember/runbook.md +20 -0
- package/commands/review/code.md +21 -0
- package/commands/review/quality.md +19 -0
- package/commands/review/security.md +16 -0
- package/commands/ship/ready.md +19 -0
- package/commands/ship/release.md +19 -0
- package/commands/ship/status.md +18 -0
- package/commands/understand/docs.md +22 -0
- package/commands/understand/research.md +22 -0
- package/commands/understand/this.md +23 -0
- package/commands/understand/why.md +18 -0
- package/commands/work/clean.md +32 -0
- package/commands/work/drive.md +69 -0
- package/commands/work/optimize-prompts.md +46 -0
- package/commands/work/parallel-review.md +40 -0
- package/db/migrations/001_init.sql +38 -0
- package/langfuse/docker-compose.yml +82 -0
- package/lib/audit-skills.mjs +118 -0
- package/lib/auto-docs.mjs +293 -0
- package/lib/cli-commands.mjs +409 -0
- package/lib/codex-config.mjs +114 -0
- package/lib/comment-lint.mjs +191 -0
- package/lib/completions.mjs +170 -0
- package/lib/context-state.mjs +99 -0
- package/lib/cost.mjs +213 -0
- package/lib/distill.mjs +403 -0
- package/lib/efficiency.mjs +139 -0
- package/lib/env-config.mjs +53 -0
- package/lib/eval-harness.mjs +59 -0
- package/lib/features.mjs +209 -0
- package/lib/headhunt.mjs +597 -0
- package/lib/hooks/adaptive-lint.mjs +112 -0
- package/lib/hooks/agent-tracker.mjs +50 -0
- package/lib/hooks/bootstrap-guard.mjs +90 -0
- package/lib/hooks/comment-lint.mjs +26 -0
- package/lib/hooks/config-protection.mjs +52 -0
- package/lib/hooks/console-warn.mjs +43 -0
- package/lib/hooks/context-window-recovery.mjs +90 -0
- package/lib/hooks/continuation-enforcer.mjs +72 -0
- package/lib/hooks/dep-audit.mjs +155 -0
- package/lib/hooks/drive-guard.mjs +89 -0
- package/lib/hooks/edit-accumulator.mjs +36 -0
- package/lib/hooks/edit-error-recovery.mjs +46 -0
- package/lib/hooks/edit-guard.mjs +109 -0
- package/lib/hooks/env-check.mjs +80 -0
- package/lib/hooks/guard-bash.mjs +83 -0
- package/lib/hooks/mcp-audit.mjs +57 -0
- package/lib/hooks/mcp-health-check.mjs +51 -0
- package/lib/hooks/mcp-task-scope.mjs +47 -0
- package/lib/hooks/model-fallback.mjs +105 -0
- package/lib/hooks/pre-compact.mjs +212 -0
- package/lib/hooks/pre-push-gate.mjs +129 -0
- package/lib/hooks/read-tracker.mjs +129 -0
- package/lib/hooks/registry-sync.mjs +23 -0
- package/lib/hooks/scan-secrets.mjs +76 -0
- package/lib/hooks/session-start.mjs +95 -0
- package/lib/hooks/stop-notify.mjs +191 -0
- package/lib/hooks/stop-typecheck.mjs +83 -0
- package/lib/hooks/task-completed-guard.mjs +43 -0
- package/lib/hooks/teammate-idle-guard.mjs +54 -0
- package/lib/hooks/workflow-guard.mjs +62 -0
- package/lib/host-capabilities.mjs +123 -0
- package/lib/init-docs.mjs +382 -0
- package/lib/mcp/server.mjs +1123 -0
- package/lib/mcp-catalog.json +243 -0
- package/lib/mcp-manager.mjs +433 -0
- package/lib/mcp-platform-config.mjs +104 -0
- package/lib/model-router.mjs +810 -0
- package/lib/opencode-config.mjs +44 -0
- package/lib/opencode-runtime-plugin.mjs +909 -0
- package/lib/opencode-telemetry.mjs +433 -0
- package/lib/orchestration-policy.mjs +258 -0
- package/lib/prompt-composer.mjs +196 -0
- package/lib/prompt-metadata.mjs +68 -0
- package/lib/review.mjs +429 -0
- package/lib/role-preload.mjs +52 -0
- package/lib/schemas/decision.json +50 -0
- package/lib/schemas/implementation.json +51 -0
- package/lib/schemas/review-report.json +32 -0
- package/lib/schemas/test-report.json +43 -0
- package/lib/server/index.mjs +334 -0
- package/lib/server/static/app.js +841 -0
- package/lib/server/static/index.html +820 -0
- package/lib/service-manager.mjs +225 -0
- package/lib/setup.mjs +319 -0
- package/lib/status.mjs +707 -0
- package/lib/storage/backend.mjs +44 -0
- package/lib/storage/embeddings.mjs +70 -0
- package/lib/storage/hybrid-query.mjs +184 -0
- package/lib/storage/sql-store.mjs +55 -0
- package/lib/storage/state-source.mjs +101 -0
- package/lib/storage/sync.mjs +164 -0
- package/lib/storage/vector-store.mjs +59 -0
- package/lib/telemetry/backends/langfuse.mjs +58 -0
- package/lib/telemetry/backends/noop.mjs +16 -0
- package/lib/telemetry/langfuse-ingest.mjs +108 -0
- package/lib/telemetry/langfuse-model-sync.mjs +270 -0
- package/lib/telemetry/team-rollup.mjs +143 -0
- package/lib/toolkit-env.mjs +30 -0
- package/lib/validator.mjs +181 -0
- package/lib/workflow-state.mjs +794 -0
- package/package.json +53 -0
- package/personas/construct.md +94 -0
- package/platforms/claude/CLAUDE.md +30 -0
- package/platforms/claude/settings.template.json +472 -0
- package/platforms/opencode/config.template.json +65 -0
- package/platforms/opencode/plugins/construct-fallback.js +5 -0
- package/platforms/opencode/sync-config.mjs +69 -0
- package/rules/common/agents.md +55 -0
- package/rules/common/code-review.md +129 -0
- package/rules/common/coding-style.md +95 -0
- package/rules/common/comments.md +139 -0
- package/rules/common/cx-agent-routing.md +61 -0
- package/rules/common/cx-skill-routing.md +11 -0
- package/rules/common/development-workflow.md +49 -0
- package/rules/common/git-workflow.md +29 -0
- package/rules/common/hooks.md +35 -0
- package/rules/common/patterns.md +36 -0
- package/rules/common/performance.md +71 -0
- package/rules/common/security.md +34 -0
- package/rules/common/testing.md +62 -0
- package/rules/golang/coding-style.md +37 -0
- package/rules/golang/hooks.md +22 -0
- package/rules/golang/patterns.md +50 -0
- package/rules/golang/security.md +39 -0
- package/rules/golang/testing.md +36 -0
- package/rules/python/coding-style.md +47 -0
- package/rules/python/hooks.md +24 -0
- package/rules/python/patterns.md +44 -0
- package/rules/python/security.md +35 -0
- package/rules/python/testing.md +43 -0
- package/rules/swift/coding-style.md +52 -0
- package/rules/swift/hooks.md +25 -0
- package/rules/swift/patterns.md +71 -0
- package/rules/swift/security.md +38 -0
- package/rules/swift/testing.md +50 -0
- package/rules/typescript/coding-style.md +204 -0
- package/rules/typescript/hooks.md +27 -0
- package/rules/typescript/patterns.md +57 -0
- package/rules/typescript/security.md +33 -0
- package/rules/typescript/testing.md +23 -0
- package/rules/web/coding-style.md +101 -0
- package/rules/web/design-quality.md +68 -0
- package/rules/web/hooks.md +125 -0
- package/rules/web/patterns.md +84 -0
- package/rules/web/performance.md +69 -0
- package/rules/web/security.md +62 -0
- package/rules/web/testing.md +60 -0
- package/rules/zh/README.md +113 -0
- package/rules/zh/agents.md +55 -0
- package/rules/zh/code-review.md +129 -0
- package/rules/zh/coding-style.md +53 -0
- package/rules/zh/development-workflow.md +49 -0
- package/rules/zh/git-workflow.md +29 -0
- package/rules/zh/hooks.md +35 -0
- package/rules/zh/patterns.md +36 -0
- package/rules/zh/performance.md +60 -0
- package/rules/zh/security.md +34 -0
- package/rules/zh/testing.md +34 -0
- package/skills/ai/agent-dev.md +102 -0
- package/skills/ai/llm-security.md +105 -0
- package/skills/ai/ml-ops.md +169 -0
- package/skills/ai/orchestration-workflow.md +87 -0
- package/skills/ai/prompt-and-eval.md +114 -0
- package/skills/ai/prompt-optimizer.md +114 -0
- package/skills/ai/rag-system.md +104 -0
- package/skills/architecture/api-design.md +100 -0
- package/skills/architecture/caching.md +101 -0
- package/skills/architecture/cloud-native.md +97 -0
- package/skills/architecture/message-queue.md +100 -0
- package/skills/architecture/security-arch.md +105 -0
- package/skills/development/cpp.md +127 -0
- package/skills/development/go.md +129 -0
- package/skills/development/java.md +134 -0
- package/skills/development/kotlin.md +140 -0
- package/skills/development/mobile-crossplatform.md +144 -0
- package/skills/development/python.md +109 -0
- package/skills/development/rust.md +127 -0
- package/skills/development/shell.md +127 -0
- package/skills/development/swift.md +129 -0
- package/skills/development/typescript.md +129 -0
- package/skills/devops/ci-cd.md +108 -0
- package/skills/devops/containerization.md +106 -0
- package/skills/devops/cost-optimization.md +105 -0
- package/skills/devops/data-engineering.md +181 -0
- package/skills/devops/database.md +95 -0
- package/skills/devops/dependency-management.md +91 -0
- package/skills/devops/devsecops.md +96 -0
- package/skills/devops/git-workflow.md +100 -0
- package/skills/devops/incident-response.md +167 -0
- package/skills/devops/monorepo.md +87 -0
- package/skills/devops/observability.md +103 -0
- package/skills/devops/performance.md +104 -0
- package/skills/devops/testing.md +104 -0
- package/skills/docs/adr-workflow.md +32 -0
- package/skills/docs/backlog-proposal-workflow.md +19 -0
- package/skills/docs/customer-profile-workflow.md +22 -0
- package/skills/docs/evidence-ingest-workflow.md +23 -0
- package/skills/docs/init-docs.md +160 -0
- package/skills/docs/init-project.md +50 -0
- package/skills/docs/prd-workflow.md +57 -0
- package/skills/docs/prfaq-workflow.md +25 -0
- package/skills/docs/product-intelligence-review.md +22 -0
- package/skills/docs/product-intelligence-workflow.md +62 -0
- package/skills/docs/product-signal-workflow.md +27 -0
- package/skills/docs/research-workflow.md +28 -0
- package/skills/docs/runbook-workflow.md +24 -0
- package/skills/exploration/repo-map.md +297 -0
- package/skills/frameworks/django.md +159 -0
- package/skills/frameworks/nextjs.md +148 -0
- package/skills/frameworks/react.md +132 -0
- package/skills/frameworks/spring-boot.md +165 -0
- package/skills/frontend-design/accessibility.md +153 -0
- package/skills/frontend-design/component-patterns.md +111 -0
- package/skills/frontend-design/engineering.md +122 -0
- package/skills/frontend-design/state-management.md +118 -0
- package/skills/frontend-design/ui-aesthetics.md +102 -0
- package/skills/frontend-design/ux-principles.md +126 -0
- package/skills/quality-gates/review-work.md +90 -0
- package/skills/quality-gates/verify-change.md +94 -0
- package/skills/quality-gates/verify-module.md +96 -0
- package/skills/quality-gates/verify-quality.md +93 -0
- package/skills/quality-gates/verify-security.md +95 -0
- package/skills/roles/architect.ai-systems.md +37 -0
- package/skills/roles/architect.data.md +37 -0
- package/skills/roles/architect.enterprise.md +37 -0
- package/skills/roles/architect.integration.md +37 -0
- package/skills/roles/architect.md +68 -0
- package/skills/roles/architect.platform.md +37 -0
- package/skills/roles/data-analyst.experiment.md +37 -0
- package/skills/roles/data-analyst.md +68 -0
- package/skills/roles/data-analyst.product-intelligence.md +37 -0
- package/skills/roles/data-analyst.product.md +37 -0
- package/skills/roles/data-analyst.telemetry.md +37 -0
- package/skills/roles/data-engineer.pipeline.md +37 -0
- package/skills/roles/data-engineer.vector-retrieval.md +37 -0
- package/skills/roles/data-engineer.warehouse.md +37 -0
- package/skills/roles/debugger.md +68 -0
- package/skills/roles/designer.accessibility.md +43 -0
- package/skills/roles/designer.md +68 -0
- package/skills/roles/engineer.ai.md +49 -0
- package/skills/roles/engineer.data.md +49 -0
- package/skills/roles/engineer.md +85 -0
- package/skills/roles/engineer.platform.md +49 -0
- package/skills/roles/operator.docs.md +43 -0
- package/skills/roles/operator.md +68 -0
- package/skills/roles/operator.release.md +43 -0
- package/skills/roles/operator.sre.md +43 -0
- package/skills/roles/orchestrator.md +66 -0
- package/skills/roles/product-manager.ai-product.md +37 -0
- package/skills/roles/product-manager.business-strategy.md +43 -0
- package/skills/roles/product-manager.enterprise.md +37 -0
- package/skills/roles/product-manager.growth.md +37 -0
- package/skills/roles/product-manager.md +67 -0
- package/skills/roles/product-manager.platform.md +37 -0
- package/skills/roles/product-manager.product.md +37 -0
- package/skills/roles/qa.ai-eval.md +37 -0
- package/skills/roles/qa.api-contract.md +37 -0
- package/skills/roles/qa.data-pipeline.md +37 -0
- package/skills/roles/qa.md +68 -0
- package/skills/roles/qa.test-automation.md +49 -0
- package/skills/roles/qa.web-ui.md +37 -0
- package/skills/roles/researcher.explorer.md +43 -0
- package/skills/roles/researcher.md +68 -0
- package/skills/roles/researcher.ux.md +43 -0
- package/skills/roles/reviewer.devil-advocate.md +43 -0
- package/skills/roles/reviewer.evaluator.md +43 -0
- package/skills/roles/reviewer.md +68 -0
- package/skills/roles/reviewer.trace.md +43 -0
- package/skills/roles/security.ai.md +37 -0
- package/skills/roles/security.appsec.md +37 -0
- package/skills/roles/security.cloud.md +37 -0
- package/skills/roles/security.legal-compliance.md +49 -0
- package/skills/roles/security.md +68 -0
- package/skills/roles/security.privacy.md +37 -0
- package/skills/roles/security.supply-chain.md +37 -0
- package/skills/routing.md +139 -0
- package/skills/security/blue-team.md +83 -0
- package/skills/security/code-audit.md +94 -0
- package/skills/security/pentest.md +84 -0
- package/skills/security/red-team.md +81 -0
- package/skills/security/threat-intel.md +89 -0
- package/skills/security/vuln-research.md +87 -0
- package/skills/utility/clean-code.md +165 -0
- package/sync-agents.mjs +899 -0
- package/templates/docs/adr.md +27 -0
- package/templates/docs/backlog-proposal.md +26 -0
- package/templates/docs/customer-profile.md +34 -0
- package/templates/docs/evidence-brief.md +37 -0
- package/templates/docs/incident-report.md +46 -0
- package/templates/docs/memo.md +27 -0
- package/templates/docs/meta-prd.md +56 -0
- package/templates/docs/one-pager.md +24 -0
- package/templates/docs/prd-business.md +61 -0
- package/templates/docs/prd-platform.md +62 -0
- package/templates/docs/prd.md +47 -0
- package/templates/docs/prfaq.md +31 -0
- package/templates/docs/product-intelligence-report.md +31 -0
- package/templates/docs/research-brief.md +29 -0
- package/templates/docs/rfc-platform.md +60 -0
- package/templates/docs/rfc.md +46 -0
- package/templates/docs/runbook.md +33 -0
- package/templates/docs/signal-brief.md +25 -0
|
@@ -0,0 +1,93 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/quality-gates/verify-quality.md — Verify Quality — Use this skill to check code quality, complexity, and maintainability after chan
|
|
3
|
+
|
|
4
|
+
Use this skill to check code quality, complexity, and maintainability after changes. ## Complexity
|
|
5
|
+
-->
|
|
6
|
+
# Verify Quality
|
|
7
|
+
|
|
8
|
+
Use this skill to check code quality, complexity, and maintainability after changes.
|
|
9
|
+
|
|
10
|
+
## Complexity
|
|
11
|
+
|
|
12
|
+
- [ ] Cyclomatic complexity per function stays below 15
|
|
13
|
+
- [ ] Cognitive complexity per function stays below 20
|
|
14
|
+
- [ ] No function exceeds 50 lines (excluding comments and blank lines)
|
|
15
|
+
- [ ] No file exceeds 800 lines
|
|
16
|
+
- [ ] No nesting deeper than 4 levels; use early returns to flatten
|
|
17
|
+
|
|
18
|
+
**Severity**: Function >80 lines = High. File >800 lines = High. Nesting >5 = Medium.
|
|
19
|
+
|
|
20
|
+
## Naming
|
|
21
|
+
|
|
22
|
+
- [ ] Variables and functions use descriptive, intention-revealing names
|
|
23
|
+
- [ ] Boolean variables use `is`, `has`, `should`, or `can` prefixes
|
|
24
|
+
- [ ] No single-letter variables outside tiny loop counters
|
|
25
|
+
- [ ] No abbreviations unless universally understood (id, url, http)
|
|
26
|
+
- [ ] Types, interfaces, and components use PascalCase
|
|
27
|
+
- [ ] Constants use UPPER_SNAKE_CASE
|
|
28
|
+
|
|
29
|
+
**Severity**: Misleading name = High. Ambiguous abbreviation = Medium.
|
|
30
|
+
|
|
31
|
+
## Code Smells
|
|
32
|
+
|
|
33
|
+
- [ ] No dead code (unreachable branches, unused imports, commented-out blocks)
|
|
34
|
+
- [ ] No magic numbers or strings; extract to named constants
|
|
35
|
+
- [ ] No god objects or god functions that do everything
|
|
36
|
+
- [ ] No feature envy (function that uses another module's data more than its own)
|
|
37
|
+
- [ ] No shotgun surgery pattern (one change requires edits across many files)
|
|
38
|
+
- [ ] No primitive obsession (use domain types instead of raw strings/numbers)
|
|
39
|
+
|
|
40
|
+
**Severity**: Dead code = Medium. God function = High. Magic number = Low.
|
|
41
|
+
|
|
42
|
+
## DRY Violations
|
|
43
|
+
|
|
44
|
+
- [ ] No duplicated logic blocks (3+ lines repeated 2+ times)
|
|
45
|
+
- [ ] Shared patterns extracted into utility functions or modules
|
|
46
|
+
- [ ] No copy-paste drift where cloned code diverged silently
|
|
47
|
+
- [ ] Configuration values defined once and referenced
|
|
48
|
+
|
|
49
|
+
**Severity**: Exact duplication = Medium. Diverged clone = High.
|
|
50
|
+
|
|
51
|
+
## Error Handling
|
|
52
|
+
|
|
53
|
+
- [ ] All error paths handled explicitly; no silent swallowing
|
|
54
|
+
- [ ] Errors include context for debugging (what failed, with what input)
|
|
55
|
+
- [ ] User-facing errors are friendly; developer-facing errors are detailed
|
|
56
|
+
- [ ] Async errors caught (unhandled promise rejections, goroutine panics)
|
|
57
|
+
- [ ] Resource cleanup in finally/defer blocks
|
|
58
|
+
|
|
59
|
+
**Severity**: Silent swallow = High. Missing async catch = High. No context = Medium.
|
|
60
|
+
|
|
61
|
+
## Immutability
|
|
62
|
+
|
|
63
|
+
- [ ] Functions return new values instead of mutating inputs
|
|
64
|
+
- [ ] Collections updated via spread/copy, not in-place mutation
|
|
65
|
+
- [ ] Shared state minimized; prefer local scope
|
|
66
|
+
|
|
67
|
+
**Severity**: Mutation of shared state = High. Local mutation = Low.
|
|
68
|
+
|
|
69
|
+
## Type Safety
|
|
70
|
+
|
|
71
|
+
- [ ] No use of `any` or equivalent escape hatches without justification
|
|
72
|
+
- [ ] Null/undefined handled with type narrowing or optional chaining
|
|
73
|
+
- [ ] Generic types used where they reduce duplication without obscuring intent
|
|
74
|
+
|
|
75
|
+
**Severity**: Unchecked `any` = Medium. Missing null check = High.
|
|
76
|
+
|
|
77
|
+
## Readability
|
|
78
|
+
|
|
79
|
+
- [ ] Functions do one thing and are named for what they do
|
|
80
|
+
- [ ] Control flow is linear and predictable (no spaghetti)
|
|
81
|
+
- [ ] Related code is colocated; unrelated code is separated
|
|
82
|
+
- [ ] Abstractions are justified by actual reuse, not speculation
|
|
83
|
+
|
|
84
|
+
**Severity**: Tangled control flow = High. Speculative abstraction = Medium.
|
|
85
|
+
|
|
86
|
+
## Severity Reference
|
|
87
|
+
|
|
88
|
+
| Level | Meaning | Action |
|
|
89
|
+
|---|---|---|
|
|
90
|
+
| Critical | Correctness risk or architectural violation | Must fix |
|
|
91
|
+
| High | Significant maintainability problem | Should fix |
|
|
92
|
+
| Medium | Quality concern worth addressing | Fix when practical |
|
|
93
|
+
| Low | Style preference or minor suggestion | Optional |
|
|
@@ -0,0 +1,95 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/quality-gates/verify-security.md — Verify Security — Use this skill to scan code for security vulnerabilities before commits or relea
|
|
3
|
+
|
|
4
|
+
Use this skill to scan code for security vulnerabilities before commits or releases. ## Scan Scope
|
|
5
|
+
-->
|
|
6
|
+
# Verify Security
|
|
7
|
+
|
|
8
|
+
Use this skill to scan code for security vulnerabilities before commits or releases.
|
|
9
|
+
|
|
10
|
+
## Scan Scope
|
|
11
|
+
|
|
12
|
+
Analyze all changed files plus their direct dependencies for the categories below.
|
|
13
|
+
|
|
14
|
+
## Secrets and Credentials
|
|
15
|
+
|
|
16
|
+
- [ ] No hardcoded API keys, passwords, tokens, or connection strings
|
|
17
|
+
- [ ] No private keys or certificates committed
|
|
18
|
+
- [ ] `.env` files excluded from version control
|
|
19
|
+
- [ ] Secrets loaded from environment variables or a secret manager
|
|
20
|
+
- [ ] No secrets in logs, error messages, or stack traces
|
|
21
|
+
|
|
22
|
+
**Severity**: Hardcoded secret = Critical. Secret in logs = High.
|
|
23
|
+
|
|
24
|
+
## Authentication and Authorization
|
|
25
|
+
|
|
26
|
+
- [ ] Authentication required on all protected endpoints
|
|
27
|
+
- [ ] Authorization checks enforce least privilege
|
|
28
|
+
- [ ] Session tokens are cryptographically random and expire
|
|
29
|
+
- [ ] Password storage uses bcrypt, scrypt, or argon2 with sufficient rounds
|
|
30
|
+
- [ ] Multi-factor authentication supported where appropriate
|
|
31
|
+
- [ ] No authentication bypass via parameter tampering or path traversal
|
|
32
|
+
|
|
33
|
+
**Severity**: Auth bypass = Critical. Missing authz check = High. Weak hash = High.
|
|
34
|
+
|
|
35
|
+
## Injection
|
|
36
|
+
|
|
37
|
+
- [ ] SQL queries use parameterized statements or an ORM
|
|
38
|
+
- [ ] No string concatenation in queries, commands, or templates
|
|
39
|
+
- [ ] OS command execution uses allowlists, never user input directly
|
|
40
|
+
- [ ] LDAP, XML, and template injection vectors reviewed
|
|
41
|
+
|
|
42
|
+
**Severity**: SQL/OS injection = Critical. Template injection = High.
|
|
43
|
+
|
|
44
|
+
## Cross-Site Scripting (XSS)
|
|
45
|
+
|
|
46
|
+
- [ ] All user-supplied data escaped before rendering in HTML
|
|
47
|
+
- [ ] No use of `innerHTML`, `dangerouslySetInnerHTML`, or `v-html` without sanitization
|
|
48
|
+
- [ ] Content-Security-Policy header configured
|
|
49
|
+
- [ ] Reflected, stored, and DOM-based XSS vectors checked
|
|
50
|
+
|
|
51
|
+
**Severity**: Stored XSS = Critical. Reflected XSS = High. DOM XSS = High.
|
|
52
|
+
|
|
53
|
+
## Cross-Site Request Forgery (CSRF)
|
|
54
|
+
|
|
55
|
+
- [ ] State-changing requests require CSRF tokens
|
|
56
|
+
- [ ] SameSite cookie attribute set to Lax or Strict
|
|
57
|
+
- [ ] Custom headers validated for API endpoints
|
|
58
|
+
|
|
59
|
+
**Severity**: Missing CSRF on state change = High.
|
|
60
|
+
|
|
61
|
+
## Dependencies
|
|
62
|
+
|
|
63
|
+
- [ ] No known CVEs in direct or transitive dependencies
|
|
64
|
+
- [ ] Lock file committed and up to date
|
|
65
|
+
- [ ] No unnecessary dependencies
|
|
66
|
+
- [ ] Audit command run: `npm audit`, `pip audit`, `cargo audit`, or equivalent
|
|
67
|
+
|
|
68
|
+
**Severity**: Critical CVE = Critical. High CVE = High. Outdated dep = Medium.
|
|
69
|
+
|
|
70
|
+
## Cryptography
|
|
71
|
+
|
|
72
|
+
- [ ] TLS 1.2+ enforced for all network communication
|
|
73
|
+
- [ ] No use of MD5, SHA1, DES, or RC4 for security purposes
|
|
74
|
+
- [ ] Random values generated with cryptographic PRNG
|
|
75
|
+
- [ ] Key lengths meet current standards (RSA 2048+, AES 256)
|
|
76
|
+
|
|
77
|
+
**Severity**: Broken crypto = High. Weak random = High. Deprecated algo = Medium.
|
|
78
|
+
|
|
79
|
+
## Data Exposure
|
|
80
|
+
|
|
81
|
+
- [ ] Sensitive fields excluded from API responses and logs
|
|
82
|
+
- [ ] Error messages do not leak internal paths, stack traces, or versions
|
|
83
|
+
- [ ] Debug endpoints disabled in production
|
|
84
|
+
- [ ] Rate limiting on authentication and sensitive endpoints
|
|
85
|
+
|
|
86
|
+
**Severity**: PII leak = Critical. Stack trace in prod = Medium. Missing rate limit = Medium.
|
|
87
|
+
|
|
88
|
+
## Severity Reference
|
|
89
|
+
|
|
90
|
+
| Level | Meaning | Action |
|
|
91
|
+
|---|---|---|
|
|
92
|
+
| Critical | Exploitable vulnerability or data breach risk | Must fix before merge |
|
|
93
|
+
| High | Significant security weakness | Should fix before merge |
|
|
94
|
+
| Medium | Defense-in-depth gap | Fix when practical |
|
|
95
|
+
| Low | Hardening suggestion | Optional |
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/architect.ai-systems.md — Anti-pattern guidance for the Architect.ai-systems (ai systems) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the architect.ai-systems (ai systems) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-architect.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: architect.ai-systems
|
|
10
|
+
applies_to: [cx-architect]
|
|
11
|
+
inherits: architect
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# AI Systems Architect Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the architect core.
|
|
17
|
+
|
|
18
|
+
### 1. Model behavior as an implicit dependency
|
|
19
|
+
**Symptom**: the design depends on a model always following instructions or returning one exact shape.
|
|
20
|
+
**Why it fails**: model behavior changes across versions, providers, prompts, and context.
|
|
21
|
+
**Counter-move**: define output schemas, validation, retries, fallback behavior, and human review boundaries.
|
|
22
|
+
|
|
23
|
+
### 2. Retrieval without provenance
|
|
24
|
+
**Symptom**: vector search is treated as truth without source attribution, freshness, or permission boundaries.
|
|
25
|
+
**Why it fails**: stale or unauthorized context can become generated output.
|
|
26
|
+
**Counter-move**: design citation, freshness, access control, and re-indexing paths.
|
|
27
|
+
|
|
28
|
+
### 3. Evals postponed until after launch
|
|
29
|
+
**Symptom**: the ADR names model choice but not the evaluation gate.
|
|
30
|
+
**Why it fails**: quality becomes subjective and regressions become invisible.
|
|
31
|
+
**Counter-move**: require eval suites, golden traces, failure cases, and promotion criteria as part of the architecture.
|
|
32
|
+
|
|
33
|
+
## Self-check before shipping
|
|
34
|
+
- [ ] Model output schemas and validation paths are explicit
|
|
35
|
+
- [ ] Retrieval has provenance, freshness, ACL, and re-indexing rules
|
|
36
|
+
- [ ] Human review and fallback boundaries are named
|
|
37
|
+
- [ ] Evals and promotion gates are architecture requirements
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/architect.data.md — Anti-pattern guidance for the Architect.data (data) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the architect.data (data) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-architect.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: architect.data
|
|
10
|
+
applies_to: [cx-architect]
|
|
11
|
+
inherits: architect
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Data Architect Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the architect core.
|
|
17
|
+
|
|
18
|
+
### 1. Schema now, migration later
|
|
19
|
+
**Symptom**: the model fits the first implementation but has no migration or backfill plan.
|
|
20
|
+
**Why it fails**: data shape changes are harder to unwind than code shape changes.
|
|
21
|
+
**Counter-move**: define forward/backward migration, backfill safety, and compatibility windows before implementation.
|
|
22
|
+
|
|
23
|
+
### 2. Query patterns guessed instead of designed
|
|
24
|
+
**Symptom**: indexes, partitions, and materialized views are deferred until performance hurts.
|
|
25
|
+
**Why it fails**: production data volume exposes assumptions hidden by test fixtures.
|
|
26
|
+
**Counter-move**: document expected cardinality, access paths, retention, and latency targets.
|
|
27
|
+
|
|
28
|
+
### 3. Data quality treated as downstream work
|
|
29
|
+
**Symptom**: contracts cover types but not nullability, freshness, uniqueness, or lineage.
|
|
30
|
+
**Why it fails**: bad data silently becomes product behavior.
|
|
31
|
+
**Counter-move**: include data contracts, quality checks, lineage, and incident response ownership.
|
|
32
|
+
|
|
33
|
+
## Self-check before shipping
|
|
34
|
+
- [ ] Schema evolution, migrations, and backfills are covered
|
|
35
|
+
- [ ] Cardinality, indexing, retention, and latency assumptions are explicit
|
|
36
|
+
- [ ] Quality checks, lineage, and data ownership are defined
|
|
37
|
+
- [ ] Rollback and repair paths exist for corrupted state
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/architect.enterprise.md — Anti-pattern guidance for the Architect.enterprise (enterprise) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the architect.enterprise (enterprise) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-architect.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: architect.enterprise
|
|
10
|
+
applies_to: [cx-architect]
|
|
11
|
+
inherits: architect
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Enterprise Architect Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the architect core.
|
|
17
|
+
|
|
18
|
+
### 1. Enterprise controls bolted on late
|
|
19
|
+
**Symptom**: SSO, RBAC, audit, retention, and tenant isolation are listed as future work.
|
|
20
|
+
**Why it fails**: enterprise controls change data models, APIs, and operational workflows.
|
|
21
|
+
**Counter-move**: include identity, access, audit, retention, and tenancy in the first architecture pass.
|
|
22
|
+
|
|
23
|
+
### 2. Procurement requirements treated as non-technical
|
|
24
|
+
**Symptom**: compliance evidence, data residency, SLAs, and admin reporting are not reflected in system design.
|
|
25
|
+
**Why it fails**: sales commitments become engineering emergencies.
|
|
26
|
+
**Counter-move**: translate procurement and compliance needs into explicit technical contracts.
|
|
27
|
+
|
|
28
|
+
### 3. Single-tenant assumptions hidden in code
|
|
29
|
+
**Symptom**: tenant IDs, limits, and isolation rules are missing from interfaces.
|
|
30
|
+
**Why it fails**: retrofitting tenancy after launch creates security and migration risk.
|
|
31
|
+
**Counter-move**: make tenant context, authorization, quotas, and isolation visible at every boundary.
|
|
32
|
+
|
|
33
|
+
## Self-check before shipping
|
|
34
|
+
- [ ] SSO, RBAC, audit, retention, and tenant isolation are designed
|
|
35
|
+
- [ ] Data residency, SLA, and evidence requirements are translated into system contracts
|
|
36
|
+
- [ ] Tenant context and authorization are visible in interfaces
|
|
37
|
+
- [ ] Admin reporting and support diagnostics are included
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/architect.integration.md — Anti-pattern guidance for the Architect.integration (integration) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the architect.integration (integration) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-architect.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: architect.integration
|
|
10
|
+
applies_to: [cx-architect]
|
|
11
|
+
inherits: architect
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Integration Architect Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the architect core.
|
|
17
|
+
|
|
18
|
+
### 1. Designing only the successful exchange
|
|
19
|
+
**Symptom**: the sequence diagram stops after a 200 response.
|
|
20
|
+
**Why it fails**: real integrations fail through retries, partial writes, timeouts, duplicate deliveries, and stale credentials.
|
|
21
|
+
**Counter-move**: document idempotency keys, retry/backoff policy, dead-letter paths, and reconciliation flows.
|
|
22
|
+
|
|
23
|
+
### 2. Unclear source of truth
|
|
24
|
+
**Symptom**: two systems can update the same entity without conflict rules.
|
|
25
|
+
**Why it fails**: data divergence becomes a support problem that cannot be diagnosed from logs.
|
|
26
|
+
**Counter-move**: name the system of record, conflict strategy, sync direction, and repair workflow.
|
|
27
|
+
|
|
28
|
+
### 3. Credentials as an implementation detail
|
|
29
|
+
**Symptom**: auth setup, rotation, scopes, and revocation are left to engineering.
|
|
30
|
+
**Why it fails**: integrations become fragile and over-privileged.
|
|
31
|
+
**Counter-move**: define credential lifecycle, least-privilege scopes, secret storage, and audit events.
|
|
32
|
+
|
|
33
|
+
## Self-check before shipping
|
|
34
|
+
- [ ] Failure modes include retries, duplicates, partial failure, and reconciliation
|
|
35
|
+
- [ ] System of record and conflict resolution are explicit
|
|
36
|
+
- [ ] Credential lifecycle and scopes are designed
|
|
37
|
+
- [ ] Observability covers cross-system correlation IDs
|
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/architect.md — Anti-pattern guidance for the Architect role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the architect domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-architect, cx-rd-lead.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: architect
|
|
10
|
+
applies_to: [cx-architect, cx-rd-lead]
|
|
11
|
+
inherits: null
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Architect — Role guidance
|
|
15
|
+
|
|
16
|
+
Load this before drafting. These are the failure modes that separate strong role output from weak role output — check your draft against each.
|
|
17
|
+
|
|
18
|
+
|
|
19
|
+
### 1. Premature tech choice
|
|
20
|
+
**Symptom**: the design names a specific database, framework, or cloud service before the requirements have been stated.
|
|
21
|
+
**Why it fails**: anchors the team on a tool the problem may not need. Alternatives go unexplored.
|
|
22
|
+
**Counter-move**: state requirements first. Name candidates second. Pick last, with the reason tied to the requirements.
|
|
23
|
+
|
|
24
|
+
### 2. Decisions without alternatives
|
|
25
|
+
**Symptom**: the doc presents one option as the recommendation with no serious comparison.
|
|
26
|
+
**Why it fails**: reviewers cannot tell whether the decision was made or merely assumed.
|
|
27
|
+
**Counter-move**: document at least two real alternatives with specific reasons each was rejected. A straw-man alternative is worse than none.
|
|
28
|
+
|
|
29
|
+
### 3. Ignoring operational burden
|
|
30
|
+
**Symptom**: the design optimizes for build-time elegance and ignores who operates the system at 3am.
|
|
31
|
+
**Why it fails**: elegant systems become unmaintainable once they have real users; on-call pays the cost forever.
|
|
32
|
+
**Counter-move**: include an operations section. Who pages, what breaks, how it is observed, how it is rolled back.
|
|
33
|
+
|
|
34
|
+
### 4. Reversibility blindness
|
|
35
|
+
**Symptom**: no statement of whether the decision is a one-way door (irreversible) or a two-way door (cheap to undo).
|
|
36
|
+
**Why it fails**: one-way doors get the same debate-depth as two-way doors; teams over-deliberate on the reversible and under-deliberate on the permanent.
|
|
37
|
+
**Counter-move**: label every major decision as one-way or two-way and match the evidence burden to it.
|
|
38
|
+
|
|
39
|
+
### 5. Boundary vagueness
|
|
40
|
+
**Symptom**: modules, services, or teams are drawn with arrows but the contracts — inputs, outputs, failure modes — are not specified.
|
|
41
|
+
**Why it fails**: each team implements its own interpretation; the integration surfaces the gaps in production.
|
|
42
|
+
**Counter-move**: every boundary has a contract. Every contract names its failure modes.
|
|
43
|
+
|
|
44
|
+
### 6. Scaling for the fantasy case
|
|
45
|
+
**Symptom**: the design is sized for a load that requires 100x of current users, which the business has no plan to reach.
|
|
46
|
+
**Why it fails**: pays today's cost for tomorrow's hypothetical. The hypothetical never arrives, or arrives in a different shape.
|
|
47
|
+
**Counter-move**: size for current load plus the one-year plan. Note the scaling assumption. Revisit when reality deviates.
|
|
48
|
+
|
|
49
|
+
### 7. Ignoring the migration
|
|
50
|
+
**Symptom**: the design describes the end state but not the path from here to there.
|
|
51
|
+
**Why it fails**: migration is where projects die. "Cut over the weekend" rarely works.
|
|
52
|
+
**Counter-move**: include a migration plan with phases, dual-run strategy, rollback points, and the failure modes of each phase.
|
|
53
|
+
|
|
54
|
+
### 8. Reinventing over reusing
|
|
55
|
+
**Symptom**: a custom solution for a problem a mature tool already solves, justified by thin differentiation.
|
|
56
|
+
**Why it fails**: the team now owns the maintenance of both the product and a worse version of an existing tool.
|
|
57
|
+
**Counter-move**: survey existing tools honestly. If building, articulate exactly what the existing tools fail to do.
|
|
58
|
+
|
|
59
|
+
## Self-check before shipping
|
|
60
|
+
|
|
61
|
+
- [ ] Requirements are stated before tech choices
|
|
62
|
+
- [ ] At least two real alternatives considered and rejected with reasons
|
|
63
|
+
- [ ] Operations section names on-call, observability, rollback
|
|
64
|
+
- [ ] Every major decision labeled one-way or two-way
|
|
65
|
+
- [ ] Every boundary has a specified contract, including failure modes
|
|
66
|
+
- [ ] Scaling assumptions are named and tied to the business plan
|
|
67
|
+
- [ ] Migration path is explicit with phases and rollback points
|
|
68
|
+
- [ ] Build-vs-buy is justified when building
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/architect.platform.md — Anti-pattern guidance for the Architect.platform (platform) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the architect.platform (platform) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-architect.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: architect.platform
|
|
10
|
+
applies_to: [cx-architect]
|
|
11
|
+
inherits: architect
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Platform Architect Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the architect core.
|
|
17
|
+
|
|
18
|
+
### 1. Treating platform APIs as feature internals
|
|
19
|
+
**Symptom**: the design describes a service boundary but not the public contract, compatibility policy, or owner.
|
|
20
|
+
**Why it fails**: downstream teams build against accidental behavior and the platform becomes impossible to change.
|
|
21
|
+
**Counter-move**: specify API versioning, compatibility guarantees, migration paths, tenant boundaries, and contract tests.
|
|
22
|
+
|
|
23
|
+
### 2. Omitting operational interfaces
|
|
24
|
+
**Symptom**: the ADR covers the happy-path API but not admin actions, audit logs, rate limits, quotas, or diagnostics.
|
|
25
|
+
**Why it fails**: platforms fail through support burden as often as runtime defects.
|
|
26
|
+
**Counter-move**: design the operator surface alongside the developer surface.
|
|
27
|
+
|
|
28
|
+
### 3. Local optimization over ecosystem fit
|
|
29
|
+
**Symptom**: the solution is clean for one product team but inconsistent with existing platform conventions.
|
|
30
|
+
**Why it fails**: every exception becomes another integration tax.
|
|
31
|
+
**Counter-move**: compare against current platform patterns before introducing a new one.
|
|
32
|
+
|
|
33
|
+
## Self-check before shipping
|
|
34
|
+
- [ ] Public contracts, owners, versioning, and compatibility guarantees are explicit
|
|
35
|
+
- [ ] Migration, deprecation, and rollback behavior are documented
|
|
36
|
+
- [ ] Admin, audit, quota, and diagnostic surfaces are included
|
|
37
|
+
- [ ] Contract tests and integration acceptance criteria exist
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/data-analyst.experiment.md — Anti-pattern guidance for the Data-analyst.experiment (experiment) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the data-analyst.experiment (experiment) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-data-analyst.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: data-analyst.experiment
|
|
10
|
+
applies_to: [cx-data-analyst]
|
|
11
|
+
inherits: data-analyst
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Experiment Analyst Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the data-analyst core.
|
|
17
|
+
|
|
18
|
+
### 1. Experiment without a decision rule
|
|
19
|
+
**Symptom**: the team plans to "see what happens" after launch.
|
|
20
|
+
**Why it fails**: ambiguous outcomes become arguments instead of decisions.
|
|
21
|
+
**Counter-move**: define hypothesis, primary metric, guardrails, minimum detectable effect, and stop rule.
|
|
22
|
+
|
|
23
|
+
### 2. Randomization mismatch
|
|
24
|
+
**Symptom**: randomization unit does not match how users experience the product.
|
|
25
|
+
**Why it fails**: contamination and repeated exposure distort the result.
|
|
26
|
+
**Counter-move**: choose user, account, workspace, session, or request-level assignment deliberately.
|
|
27
|
+
|
|
28
|
+
### 3. Reading results too early
|
|
29
|
+
**Symptom**: decisions are made on partial data because the chart looks convincing.
|
|
30
|
+
**Why it fails**: early peeking inflates false positives.
|
|
31
|
+
**Counter-move**: specify duration, sample size, and analysis plan before the experiment starts.
|
|
32
|
+
|
|
33
|
+
## Self-check before shipping
|
|
34
|
+
- [ ] Hypothesis, primary metric, guardrails, and stop rule are explicit
|
|
35
|
+
- [ ] Randomization unit matches the product behavior
|
|
36
|
+
- [ ] Sample size and duration are justified
|
|
37
|
+
- [ ] Segmentation and novelty effects are considered
|
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/data-analyst.md — Anti-pattern guidance for the Data-analyst role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the data-analyst domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-data-analyst.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: data-analyst
|
|
10
|
+
applies_to: [cx-data-analyst]
|
|
11
|
+
inherits: null
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Data Analyst — Role guidance
|
|
15
|
+
|
|
16
|
+
Load this before drafting. These are the failure modes that separate strong role output from weak role output — check your draft against each.
|
|
17
|
+
|
|
18
|
+
|
|
19
|
+
### 1. Metric without definition
|
|
20
|
+
**Symptom**: a metric cited without its precise definition — which events, what time window, deduplication rules, filters.
|
|
21
|
+
**Why it fails**: two teams compute "active users" differently. Decisions rest on numbers nobody can reproduce.
|
|
22
|
+
**Counter-move**: name the metric and its SQL-level or event-level definition before any number. Version the definition.
|
|
23
|
+
|
|
24
|
+
### 2. Vanity over outcome
|
|
25
|
+
**Symptom**: reports lead with impressions, pageviews, clicks — activity disconnected from whether users got value.
|
|
26
|
+
**Why it fails**: rewards teams for moving activity numbers while outcomes stagnate.
|
|
27
|
+
**Counter-move**: tie every vanity metric to an outcome metric. Report both. Lead with the outcome.
|
|
28
|
+
|
|
29
|
+
### 3. Ignoring data quality
|
|
30
|
+
**Symptom**: analysis assumes the underlying events fire correctly, are deduped, and have consistent schemas.
|
|
31
|
+
**Why it fails**: real pipelines drop, duplicate, and malform events. Analysis without QA produces confident wrong numbers.
|
|
32
|
+
**Counter-move**: run sanity checks — row counts, null rates, distribution shape, schema checks — before analysis. Report data quality alongside findings.
|
|
33
|
+
|
|
34
|
+
### 4. Correlation as causation
|
|
35
|
+
**Symptom**: "users who did X had higher retention" presented as a reason to make everyone do X.
|
|
36
|
+
**Why it fails**: selection bias, reverse causation, and confounders produce the same pattern. Actions based on it rarely work.
|
|
37
|
+
**Counter-move**: name the alternative explanations. If you want to claim causation, the answer is an experiment.
|
|
38
|
+
|
|
39
|
+
### 5. p-hacking and post-hoc slicing
|
|
40
|
+
**Symptom**: after seeing the results, the analyst carves the data until a significant effect appears somewhere.
|
|
41
|
+
**Why it fails**: guaranteed to find "effects" that are noise. Decisions based on them do not replicate.
|
|
42
|
+
**Counter-move**: register hypotheses before looking at the data. Distinguish confirmatory from exploratory findings.
|
|
43
|
+
|
|
44
|
+
### 6. Missing funnel context
|
|
45
|
+
**Symptom**: a conversion rate reported without the volume at each step, or a step-change reported without the broader funnel.
|
|
46
|
+
**Why it fails**: a "20% lift" on a step that 1% of users reach moves nothing. Context collapses.
|
|
47
|
+
**Counter-move**: every rate comes with its denominator and its place in the funnel. Report absolute as well as relative.
|
|
48
|
+
|
|
49
|
+
### 7. Dashboard as deliverable
|
|
50
|
+
**Symptom**: the analyst builds a dashboard and stops. No interpretation, no recommendation, no action.
|
|
51
|
+
**Why it fails**: stakeholders read numbers without knowing what to do with them; dashboards accumulate but decisions do not.
|
|
52
|
+
**Counter-move**: every analysis ends with interpretation and a recommended action. Dashboards support that, they do not replace it.
|
|
53
|
+
|
|
54
|
+
### 8. Unreproducible analysis
|
|
55
|
+
**Symptom**: the number came from a notebook on someone's laptop; the query is not saved; the result cannot be regenerated.
|
|
56
|
+
**Why it fails**: the analysis cannot be audited, extended, or re-run against fresh data. Trust erodes when numbers cannot be reproduced.
|
|
57
|
+
**Counter-move**: code in a repo, queries in version control, inputs and outputs documented. A colleague can re-run the analysis tomorrow.
|
|
58
|
+
|
|
59
|
+
## Self-check before shipping
|
|
60
|
+
|
|
61
|
+
- [ ] Every metric has a precise, versioned definition
|
|
62
|
+
- [ ] Outcome metrics lead; vanity metrics support or are omitted
|
|
63
|
+
- [ ] Data quality checks run; quality reported with findings
|
|
64
|
+
- [ ] Correlations explicitly separated from causal claims
|
|
65
|
+
- [ ] Hypotheses registered before seeing the data
|
|
66
|
+
- [ ] Rates include denominators and funnel context
|
|
67
|
+
- [ ] Interpretation and recommended action accompany numbers
|
|
68
|
+
- [ ] Analysis is reproducible from version-controlled artifacts
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/data-analyst.product-intelligence.md — Anti-pattern guidance for the Data-analyst.product-intelligence (product intelligence) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the data-analyst.product-intelligence (product intelligence) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-data-analyst, cx-product-manager.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: data-analyst.product-intelligence
|
|
10
|
+
applies_to: [cx-data-analyst, cx-product-manager]
|
|
11
|
+
inherits: data-analyst
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Product Intelligence Analyst Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the data-analyst core.
|
|
17
|
+
|
|
18
|
+
### 1. Anecdotes counted as evidence
|
|
19
|
+
**Symptom**: customer notes are summarized without source count, confidence, or contradiction.
|
|
20
|
+
**Why it fails**: loud examples masquerade as trends.
|
|
21
|
+
**Counter-move**: separate signal, evidence, confidence, counter-evidence, and unresolved questions.
|
|
22
|
+
|
|
23
|
+
### 2. Qualitative and quantitative data never meet
|
|
24
|
+
**Symptom**: support themes, interviews, telemetry, and roadmap work remain separate artifacts.
|
|
25
|
+
**Why it fails**: PM decisions lack a durable evidence trail.
|
|
26
|
+
**Counter-move**: link customer signals to metrics, segments, affected workflows, and backlog proposals.
|
|
27
|
+
|
|
28
|
+
### 3. Evidence store ignored
|
|
29
|
+
**Symptom**: new briefs are written without checking prior Product Intelligence artifacts.
|
|
30
|
+
**Why it fails**: teams rediscover the same signal and lose longitudinal context.
|
|
31
|
+
**Counter-move**: query `.cx/product-intel`, `docs/prd`, and `docs/meta-prd` through hybrid search before drafting.
|
|
32
|
+
|
|
33
|
+
## Self-check before shipping
|
|
34
|
+
- [ ] Evidence count, confidence, and counter-evidence are explicit
|
|
35
|
+
- [ ] Signals link to metrics, segments, and backlog implications
|
|
36
|
+
- [ ] Prior Product Intelligence artifacts were checked
|
|
37
|
+
- [ ] Open questions and collection plan are recorded
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/data-analyst.product.md — Anti-pattern guidance for the Data-analyst.product (product) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the data-analyst.product (product) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-data-analyst.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: data-analyst.product
|
|
10
|
+
applies_to: [cx-data-analyst]
|
|
11
|
+
inherits: data-analyst
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Product Analytics Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the data-analyst core.
|
|
17
|
+
|
|
18
|
+
### 1. Measuring usage instead of value
|
|
19
|
+
**Symptom**: success is defined as clicks, visits, or feature usage.
|
|
20
|
+
**Why it fails**: users can use a feature without getting value from it.
|
|
21
|
+
**Counter-move**: connect metrics to the user behavior or business outcome the product is meant to change.
|
|
22
|
+
|
|
23
|
+
### 2. Funnel averages hide segments
|
|
24
|
+
**Symptom**: aggregate conversion improves while an important user segment regresses.
|
|
25
|
+
**Why it fails**: product decisions often affect cohorts differently.
|
|
26
|
+
**Counter-move**: require segmentation by persona, plan, acquisition source, geography, device, or maturity where relevant.
|
|
27
|
+
|
|
28
|
+
### 3. Instrumentation after launch
|
|
29
|
+
**Symptom**: events are added after users start flowing through the feature.
|
|
30
|
+
**Why it fails**: there is no baseline and no clean before/after comparison.
|
|
31
|
+
**Counter-move**: define event schema, baseline window, and success threshold before release.
|
|
32
|
+
|
|
33
|
+
## Self-check before shipping
|
|
34
|
+
- [ ] Metrics connect to user value, not raw activity
|
|
35
|
+
- [ ] Baselines and segments are defined
|
|
36
|
+
- [ ] Event schema and properties are specified
|
|
37
|
+
- [ ] Guardrail metrics are included
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/data-analyst.telemetry.md — Anti-pattern guidance for the Data-analyst.telemetry (telemetry) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the data-analyst.telemetry (telemetry) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-data-analyst, cx-sre.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: data-analyst.telemetry
|
|
10
|
+
applies_to: [cx-data-analyst, cx-sre]
|
|
11
|
+
inherits: data-analyst
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Telemetry Analyst Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the data-analyst core.
|
|
17
|
+
|
|
18
|
+
### 1. Observability without an answer path
|
|
19
|
+
**Symptom**: dashboards exist but cannot answer whether a user-facing behavior improved or regressed.
|
|
20
|
+
**Why it fails**: telemetry becomes decorative instead of operational.
|
|
21
|
+
**Counter-move**: tie traces, metrics, logs, and events to concrete questions and decisions.
|
|
22
|
+
|
|
23
|
+
### 2. Missing denominator
|
|
24
|
+
**Symptom**: counts are reported without exposure, attempts, population, or eligibility.
|
|
25
|
+
**Why it fails**: raw counts move with traffic and hide rate changes.
|
|
26
|
+
**Counter-move**: define numerator, denominator, sampling, and exclusions for every metric.
|
|
27
|
+
|
|
28
|
+
### 3. Data quality not monitored
|
|
29
|
+
**Symptom**: teams monitor the product but not the telemetry pipeline.
|
|
30
|
+
**Why it fails**: broken instrumentation can look like product behavior.
|
|
31
|
+
**Counter-move**: add freshness, volume, schema, and drop-rate checks.
|
|
32
|
+
|
|
33
|
+
## Self-check before shipping
|
|
34
|
+
- [ ] Telemetry answers named product or operational questions
|
|
35
|
+
- [ ] Numerators, denominators, and exclusions are defined
|
|
36
|
+
- [ ] Freshness, volume, schema, and drop-rate checks exist
|
|
37
|
+
- [ ] Alerts distinguish product failure from telemetry failure
|