@geraldmaron/construct 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (352) hide show
  1. package/.env.example +69 -0
  2. package/LICENSE +21 -0
  3. package/README.md +344 -0
  4. package/agents/prompts/cx-accessibility.md +29 -0
  5. package/agents/prompts/cx-ai-engineer.md +31 -0
  6. package/agents/prompts/cx-architect.md +40 -0
  7. package/agents/prompts/cx-business-strategist.md +25 -0
  8. package/agents/prompts/cx-data-analyst.md +30 -0
  9. package/agents/prompts/cx-data-engineer.md +32 -0
  10. package/agents/prompts/cx-debugger.md +27 -0
  11. package/agents/prompts/cx-designer.md +33 -0
  12. package/agents/prompts/cx-devil-advocate.md +36 -0
  13. package/agents/prompts/cx-docs-keeper.md +50 -0
  14. package/agents/prompts/cx-engineer.md +36 -0
  15. package/agents/prompts/cx-evaluator.md +26 -0
  16. package/agents/prompts/cx-explorer.md +38 -0
  17. package/agents/prompts/cx-legal-compliance.md +25 -0
  18. package/agents/prompts/cx-operations.md +28 -0
  19. package/agents/prompts/cx-orchestrator.md +30 -0
  20. package/agents/prompts/cx-platform-engineer.md +25 -0
  21. package/agents/prompts/cx-product-manager.md +30 -0
  22. package/agents/prompts/cx-qa.md +42 -0
  23. package/agents/prompts/cx-rd-lead.md +25 -0
  24. package/agents/prompts/cx-release-manager.md +31 -0
  25. package/agents/prompts/cx-researcher.md +31 -0
  26. package/agents/prompts/cx-reviewer.md +36 -0
  27. package/agents/prompts/cx-security.md +37 -0
  28. package/agents/prompts/cx-sre.md +26 -0
  29. package/agents/prompts/cx-test-automation.md +35 -0
  30. package/agents/prompts/cx-trace-reviewer.md +76 -0
  31. package/agents/prompts/cx-ux-researcher.md +30 -0
  32. package/agents/registry.json +879 -0
  33. package/agents/teams.json +94 -0
  34. package/bin/construct +613 -0
  35. package/commands/build/feature.md +21 -0
  36. package/commands/build/fix.md +20 -0
  37. package/commands/design/access.md +19 -0
  38. package/commands/design/flow.md +16 -0
  39. package/commands/design/ui.md +18 -0
  40. package/commands/measure/experiment.md +18 -0
  41. package/commands/measure/metrics.md +18 -0
  42. package/commands/measure/results.md +18 -0
  43. package/commands/plan/api.md +19 -0
  44. package/commands/plan/challenge.md +18 -0
  45. package/commands/plan/decide.md +20 -0
  46. package/commands/plan/feature.md +49 -0
  47. package/commands/plan/requirements.md +24 -0
  48. package/commands/remember/context.md +26 -0
  49. package/commands/remember/handoff.md +19 -0
  50. package/commands/remember/runbook.md +20 -0
  51. package/commands/review/code.md +21 -0
  52. package/commands/review/quality.md +19 -0
  53. package/commands/review/security.md +16 -0
  54. package/commands/ship/ready.md +19 -0
  55. package/commands/ship/release.md +19 -0
  56. package/commands/ship/status.md +18 -0
  57. package/commands/understand/docs.md +22 -0
  58. package/commands/understand/research.md +22 -0
  59. package/commands/understand/this.md +23 -0
  60. package/commands/understand/why.md +18 -0
  61. package/commands/work/clean.md +32 -0
  62. package/commands/work/drive.md +69 -0
  63. package/commands/work/optimize-prompts.md +46 -0
  64. package/commands/work/parallel-review.md +40 -0
  65. package/db/migrations/001_init.sql +38 -0
  66. package/langfuse/docker-compose.yml +82 -0
  67. package/lib/audit-skills.mjs +118 -0
  68. package/lib/auto-docs.mjs +293 -0
  69. package/lib/cli-commands.mjs +409 -0
  70. package/lib/codex-config.mjs +114 -0
  71. package/lib/comment-lint.mjs +191 -0
  72. package/lib/completions.mjs +170 -0
  73. package/lib/context-state.mjs +99 -0
  74. package/lib/cost.mjs +213 -0
  75. package/lib/distill.mjs +403 -0
  76. package/lib/efficiency.mjs +139 -0
  77. package/lib/env-config.mjs +53 -0
  78. package/lib/eval-harness.mjs +59 -0
  79. package/lib/features.mjs +209 -0
  80. package/lib/headhunt.mjs +597 -0
  81. package/lib/hooks/adaptive-lint.mjs +112 -0
  82. package/lib/hooks/agent-tracker.mjs +50 -0
  83. package/lib/hooks/bootstrap-guard.mjs +90 -0
  84. package/lib/hooks/comment-lint.mjs +26 -0
  85. package/lib/hooks/config-protection.mjs +52 -0
  86. package/lib/hooks/console-warn.mjs +43 -0
  87. package/lib/hooks/context-window-recovery.mjs +90 -0
  88. package/lib/hooks/continuation-enforcer.mjs +72 -0
  89. package/lib/hooks/dep-audit.mjs +155 -0
  90. package/lib/hooks/drive-guard.mjs +89 -0
  91. package/lib/hooks/edit-accumulator.mjs +36 -0
  92. package/lib/hooks/edit-error-recovery.mjs +46 -0
  93. package/lib/hooks/edit-guard.mjs +109 -0
  94. package/lib/hooks/env-check.mjs +80 -0
  95. package/lib/hooks/guard-bash.mjs +83 -0
  96. package/lib/hooks/mcp-audit.mjs +57 -0
  97. package/lib/hooks/mcp-health-check.mjs +51 -0
  98. package/lib/hooks/mcp-task-scope.mjs +47 -0
  99. package/lib/hooks/model-fallback.mjs +105 -0
  100. package/lib/hooks/pre-compact.mjs +212 -0
  101. package/lib/hooks/pre-push-gate.mjs +129 -0
  102. package/lib/hooks/read-tracker.mjs +129 -0
  103. package/lib/hooks/registry-sync.mjs +23 -0
  104. package/lib/hooks/scan-secrets.mjs +76 -0
  105. package/lib/hooks/session-start.mjs +95 -0
  106. package/lib/hooks/stop-notify.mjs +191 -0
  107. package/lib/hooks/stop-typecheck.mjs +83 -0
  108. package/lib/hooks/task-completed-guard.mjs +43 -0
  109. package/lib/hooks/teammate-idle-guard.mjs +54 -0
  110. package/lib/hooks/workflow-guard.mjs +62 -0
  111. package/lib/host-capabilities.mjs +123 -0
  112. package/lib/init-docs.mjs +382 -0
  113. package/lib/mcp/server.mjs +1123 -0
  114. package/lib/mcp-catalog.json +243 -0
  115. package/lib/mcp-manager.mjs +433 -0
  116. package/lib/mcp-platform-config.mjs +104 -0
  117. package/lib/model-router.mjs +810 -0
  118. package/lib/opencode-config.mjs +44 -0
  119. package/lib/opencode-runtime-plugin.mjs +909 -0
  120. package/lib/opencode-telemetry.mjs +433 -0
  121. package/lib/orchestration-policy.mjs +258 -0
  122. package/lib/prompt-composer.mjs +196 -0
  123. package/lib/prompt-metadata.mjs +68 -0
  124. package/lib/review.mjs +429 -0
  125. package/lib/role-preload.mjs +52 -0
  126. package/lib/schemas/decision.json +50 -0
  127. package/lib/schemas/implementation.json +51 -0
  128. package/lib/schemas/review-report.json +32 -0
  129. package/lib/schemas/test-report.json +43 -0
  130. package/lib/server/index.mjs +334 -0
  131. package/lib/server/static/app.js +841 -0
  132. package/lib/server/static/index.html +820 -0
  133. package/lib/service-manager.mjs +225 -0
  134. package/lib/setup.mjs +319 -0
  135. package/lib/status.mjs +707 -0
  136. package/lib/storage/backend.mjs +44 -0
  137. package/lib/storage/embeddings.mjs +70 -0
  138. package/lib/storage/hybrid-query.mjs +184 -0
  139. package/lib/storage/sql-store.mjs +55 -0
  140. package/lib/storage/state-source.mjs +101 -0
  141. package/lib/storage/sync.mjs +164 -0
  142. package/lib/storage/vector-store.mjs +59 -0
  143. package/lib/telemetry/backends/langfuse.mjs +58 -0
  144. package/lib/telemetry/backends/noop.mjs +16 -0
  145. package/lib/telemetry/langfuse-ingest.mjs +108 -0
  146. package/lib/telemetry/langfuse-model-sync.mjs +270 -0
  147. package/lib/telemetry/team-rollup.mjs +143 -0
  148. package/lib/toolkit-env.mjs +30 -0
  149. package/lib/validator.mjs +181 -0
  150. package/lib/workflow-state.mjs +794 -0
  151. package/package.json +53 -0
  152. package/personas/construct.md +94 -0
  153. package/platforms/claude/CLAUDE.md +30 -0
  154. package/platforms/claude/settings.template.json +472 -0
  155. package/platforms/opencode/config.template.json +65 -0
  156. package/platforms/opencode/plugins/construct-fallback.js +5 -0
  157. package/platforms/opencode/sync-config.mjs +69 -0
  158. package/rules/common/agents.md +55 -0
  159. package/rules/common/code-review.md +129 -0
  160. package/rules/common/coding-style.md +95 -0
  161. package/rules/common/comments.md +139 -0
  162. package/rules/common/cx-agent-routing.md +61 -0
  163. package/rules/common/cx-skill-routing.md +11 -0
  164. package/rules/common/development-workflow.md +49 -0
  165. package/rules/common/git-workflow.md +29 -0
  166. package/rules/common/hooks.md +35 -0
  167. package/rules/common/patterns.md +36 -0
  168. package/rules/common/performance.md +71 -0
  169. package/rules/common/security.md +34 -0
  170. package/rules/common/testing.md +62 -0
  171. package/rules/golang/coding-style.md +37 -0
  172. package/rules/golang/hooks.md +22 -0
  173. package/rules/golang/patterns.md +50 -0
  174. package/rules/golang/security.md +39 -0
  175. package/rules/golang/testing.md +36 -0
  176. package/rules/python/coding-style.md +47 -0
  177. package/rules/python/hooks.md +24 -0
  178. package/rules/python/patterns.md +44 -0
  179. package/rules/python/security.md +35 -0
  180. package/rules/python/testing.md +43 -0
  181. package/rules/swift/coding-style.md +52 -0
  182. package/rules/swift/hooks.md +25 -0
  183. package/rules/swift/patterns.md +71 -0
  184. package/rules/swift/security.md +38 -0
  185. package/rules/swift/testing.md +50 -0
  186. package/rules/typescript/coding-style.md +204 -0
  187. package/rules/typescript/hooks.md +27 -0
  188. package/rules/typescript/patterns.md +57 -0
  189. package/rules/typescript/security.md +33 -0
  190. package/rules/typescript/testing.md +23 -0
  191. package/rules/web/coding-style.md +101 -0
  192. package/rules/web/design-quality.md +68 -0
  193. package/rules/web/hooks.md +125 -0
  194. package/rules/web/patterns.md +84 -0
  195. package/rules/web/performance.md +69 -0
  196. package/rules/web/security.md +62 -0
  197. package/rules/web/testing.md +60 -0
  198. package/rules/zh/README.md +113 -0
  199. package/rules/zh/agents.md +55 -0
  200. package/rules/zh/code-review.md +129 -0
  201. package/rules/zh/coding-style.md +53 -0
  202. package/rules/zh/development-workflow.md +49 -0
  203. package/rules/zh/git-workflow.md +29 -0
  204. package/rules/zh/hooks.md +35 -0
  205. package/rules/zh/patterns.md +36 -0
  206. package/rules/zh/performance.md +60 -0
  207. package/rules/zh/security.md +34 -0
  208. package/rules/zh/testing.md +34 -0
  209. package/skills/ai/agent-dev.md +102 -0
  210. package/skills/ai/llm-security.md +105 -0
  211. package/skills/ai/ml-ops.md +169 -0
  212. package/skills/ai/orchestration-workflow.md +87 -0
  213. package/skills/ai/prompt-and-eval.md +114 -0
  214. package/skills/ai/prompt-optimizer.md +114 -0
  215. package/skills/ai/rag-system.md +104 -0
  216. package/skills/architecture/api-design.md +100 -0
  217. package/skills/architecture/caching.md +101 -0
  218. package/skills/architecture/cloud-native.md +97 -0
  219. package/skills/architecture/message-queue.md +100 -0
  220. package/skills/architecture/security-arch.md +105 -0
  221. package/skills/development/cpp.md +127 -0
  222. package/skills/development/go.md +129 -0
  223. package/skills/development/java.md +134 -0
  224. package/skills/development/kotlin.md +140 -0
  225. package/skills/development/mobile-crossplatform.md +144 -0
  226. package/skills/development/python.md +109 -0
  227. package/skills/development/rust.md +127 -0
  228. package/skills/development/shell.md +127 -0
  229. package/skills/development/swift.md +129 -0
  230. package/skills/development/typescript.md +129 -0
  231. package/skills/devops/ci-cd.md +108 -0
  232. package/skills/devops/containerization.md +106 -0
  233. package/skills/devops/cost-optimization.md +105 -0
  234. package/skills/devops/data-engineering.md +181 -0
  235. package/skills/devops/database.md +95 -0
  236. package/skills/devops/dependency-management.md +91 -0
  237. package/skills/devops/devsecops.md +96 -0
  238. package/skills/devops/git-workflow.md +100 -0
  239. package/skills/devops/incident-response.md +167 -0
  240. package/skills/devops/monorepo.md +87 -0
  241. package/skills/devops/observability.md +103 -0
  242. package/skills/devops/performance.md +104 -0
  243. package/skills/devops/testing.md +104 -0
  244. package/skills/docs/adr-workflow.md +32 -0
  245. package/skills/docs/backlog-proposal-workflow.md +19 -0
  246. package/skills/docs/customer-profile-workflow.md +22 -0
  247. package/skills/docs/evidence-ingest-workflow.md +23 -0
  248. package/skills/docs/init-docs.md +160 -0
  249. package/skills/docs/init-project.md +50 -0
  250. package/skills/docs/prd-workflow.md +57 -0
  251. package/skills/docs/prfaq-workflow.md +25 -0
  252. package/skills/docs/product-intelligence-review.md +22 -0
  253. package/skills/docs/product-intelligence-workflow.md +62 -0
  254. package/skills/docs/product-signal-workflow.md +27 -0
  255. package/skills/docs/research-workflow.md +28 -0
  256. package/skills/docs/runbook-workflow.md +24 -0
  257. package/skills/exploration/repo-map.md +297 -0
  258. package/skills/frameworks/django.md +159 -0
  259. package/skills/frameworks/nextjs.md +148 -0
  260. package/skills/frameworks/react.md +132 -0
  261. package/skills/frameworks/spring-boot.md +165 -0
  262. package/skills/frontend-design/accessibility.md +153 -0
  263. package/skills/frontend-design/component-patterns.md +111 -0
  264. package/skills/frontend-design/engineering.md +122 -0
  265. package/skills/frontend-design/state-management.md +118 -0
  266. package/skills/frontend-design/ui-aesthetics.md +102 -0
  267. package/skills/frontend-design/ux-principles.md +126 -0
  268. package/skills/quality-gates/review-work.md +90 -0
  269. package/skills/quality-gates/verify-change.md +94 -0
  270. package/skills/quality-gates/verify-module.md +96 -0
  271. package/skills/quality-gates/verify-quality.md +93 -0
  272. package/skills/quality-gates/verify-security.md +95 -0
  273. package/skills/roles/architect.ai-systems.md +37 -0
  274. package/skills/roles/architect.data.md +37 -0
  275. package/skills/roles/architect.enterprise.md +37 -0
  276. package/skills/roles/architect.integration.md +37 -0
  277. package/skills/roles/architect.md +68 -0
  278. package/skills/roles/architect.platform.md +37 -0
  279. package/skills/roles/data-analyst.experiment.md +37 -0
  280. package/skills/roles/data-analyst.md +68 -0
  281. package/skills/roles/data-analyst.product-intelligence.md +37 -0
  282. package/skills/roles/data-analyst.product.md +37 -0
  283. package/skills/roles/data-analyst.telemetry.md +37 -0
  284. package/skills/roles/data-engineer.pipeline.md +37 -0
  285. package/skills/roles/data-engineer.vector-retrieval.md +37 -0
  286. package/skills/roles/data-engineer.warehouse.md +37 -0
  287. package/skills/roles/debugger.md +68 -0
  288. package/skills/roles/designer.accessibility.md +43 -0
  289. package/skills/roles/designer.md +68 -0
  290. package/skills/roles/engineer.ai.md +49 -0
  291. package/skills/roles/engineer.data.md +49 -0
  292. package/skills/roles/engineer.md +85 -0
  293. package/skills/roles/engineer.platform.md +49 -0
  294. package/skills/roles/operator.docs.md +43 -0
  295. package/skills/roles/operator.md +68 -0
  296. package/skills/roles/operator.release.md +43 -0
  297. package/skills/roles/operator.sre.md +43 -0
  298. package/skills/roles/orchestrator.md +66 -0
  299. package/skills/roles/product-manager.ai-product.md +37 -0
  300. package/skills/roles/product-manager.business-strategy.md +43 -0
  301. package/skills/roles/product-manager.enterprise.md +37 -0
  302. package/skills/roles/product-manager.growth.md +37 -0
  303. package/skills/roles/product-manager.md +67 -0
  304. package/skills/roles/product-manager.platform.md +37 -0
  305. package/skills/roles/product-manager.product.md +37 -0
  306. package/skills/roles/qa.ai-eval.md +37 -0
  307. package/skills/roles/qa.api-contract.md +37 -0
  308. package/skills/roles/qa.data-pipeline.md +37 -0
  309. package/skills/roles/qa.md +68 -0
  310. package/skills/roles/qa.test-automation.md +49 -0
  311. package/skills/roles/qa.web-ui.md +37 -0
  312. package/skills/roles/researcher.explorer.md +43 -0
  313. package/skills/roles/researcher.md +68 -0
  314. package/skills/roles/researcher.ux.md +43 -0
  315. package/skills/roles/reviewer.devil-advocate.md +43 -0
  316. package/skills/roles/reviewer.evaluator.md +43 -0
  317. package/skills/roles/reviewer.md +68 -0
  318. package/skills/roles/reviewer.trace.md +43 -0
  319. package/skills/roles/security.ai.md +37 -0
  320. package/skills/roles/security.appsec.md +37 -0
  321. package/skills/roles/security.cloud.md +37 -0
  322. package/skills/roles/security.legal-compliance.md +49 -0
  323. package/skills/roles/security.md +68 -0
  324. package/skills/roles/security.privacy.md +37 -0
  325. package/skills/roles/security.supply-chain.md +37 -0
  326. package/skills/routing.md +139 -0
  327. package/skills/security/blue-team.md +83 -0
  328. package/skills/security/code-audit.md +94 -0
  329. package/skills/security/pentest.md +84 -0
  330. package/skills/security/red-team.md +81 -0
  331. package/skills/security/threat-intel.md +89 -0
  332. package/skills/security/vuln-research.md +87 -0
  333. package/skills/utility/clean-code.md +165 -0
  334. package/sync-agents.mjs +899 -0
  335. package/templates/docs/adr.md +27 -0
  336. package/templates/docs/backlog-proposal.md +26 -0
  337. package/templates/docs/customer-profile.md +34 -0
  338. package/templates/docs/evidence-brief.md +37 -0
  339. package/templates/docs/incident-report.md +46 -0
  340. package/templates/docs/memo.md +27 -0
  341. package/templates/docs/meta-prd.md +56 -0
  342. package/templates/docs/one-pager.md +24 -0
  343. package/templates/docs/prd-business.md +61 -0
  344. package/templates/docs/prd-platform.md +62 -0
  345. package/templates/docs/prd.md +47 -0
  346. package/templates/docs/prfaq.md +31 -0
  347. package/templates/docs/product-intelligence-report.md +31 -0
  348. package/templates/docs/research-brief.md +29 -0
  349. package/templates/docs/rfc-platform.md +60 -0
  350. package/templates/docs/rfc.md +46 -0
  351. package/templates/docs/runbook.md +33 -0
  352. package/templates/docs/signal-brief.md +25 -0
@@ -0,0 +1,93 @@
1
+ <!--
2
+ skills/quality-gates/verify-quality.md — Verify Quality — Use this skill to check code quality, complexity, and maintainability after chan
3
+
4
+ Use this skill to check code quality, complexity, and maintainability after changes. ## Complexity
5
+ -->
6
+ # Verify Quality
7
+
8
+ Use this skill to check code quality, complexity, and maintainability after changes.
9
+
10
+ ## Complexity
11
+
12
+ - [ ] Cyclomatic complexity per function stays below 15
13
+ - [ ] Cognitive complexity per function stays below 20
14
+ - [ ] No function exceeds 50 lines (excluding comments and blank lines)
15
+ - [ ] No file exceeds 800 lines
16
+ - [ ] No nesting deeper than 4 levels; use early returns to flatten
17
+
18
+ **Severity**: Function >80 lines = High. File >800 lines = High. Nesting >5 = Medium.
19
+
20
+ ## Naming
21
+
22
+ - [ ] Variables and functions use descriptive, intention-revealing names
23
+ - [ ] Boolean variables use `is`, `has`, `should`, or `can` prefixes
24
+ - [ ] No single-letter variables outside tiny loop counters
25
+ - [ ] No abbreviations unless universally understood (id, url, http)
26
+ - [ ] Types, interfaces, and components use PascalCase
27
+ - [ ] Constants use UPPER_SNAKE_CASE
28
+
29
+ **Severity**: Misleading name = High. Ambiguous abbreviation = Medium.
30
+
31
+ ## Code Smells
32
+
33
+ - [ ] No dead code (unreachable branches, unused imports, commented-out blocks)
34
+ - [ ] No magic numbers or strings; extract to named constants
35
+ - [ ] No god objects or god functions that do everything
36
+ - [ ] No feature envy (function that uses another module's data more than its own)
37
+ - [ ] No shotgun surgery pattern (one change requires edits across many files)
38
+ - [ ] No primitive obsession (use domain types instead of raw strings/numbers)
39
+
40
+ **Severity**: Dead code = Medium. God function = High. Magic number = Low.
41
+
42
+ ## DRY Violations
43
+
44
+ - [ ] No duplicated logic blocks (3+ lines repeated 2+ times)
45
+ - [ ] Shared patterns extracted into utility functions or modules
46
+ - [ ] No copy-paste drift where cloned code diverged silently
47
+ - [ ] Configuration values defined once and referenced
48
+
49
+ **Severity**: Exact duplication = Medium. Diverged clone = High.
50
+
51
+ ## Error Handling
52
+
53
+ - [ ] All error paths handled explicitly; no silent swallowing
54
+ - [ ] Errors include context for debugging (what failed, with what input)
55
+ - [ ] User-facing errors are friendly; developer-facing errors are detailed
56
+ - [ ] Async errors caught (unhandled promise rejections, goroutine panics)
57
+ - [ ] Resource cleanup in finally/defer blocks
58
+
59
+ **Severity**: Silent swallow = High. Missing async catch = High. No context = Medium.
60
+
61
+ ## Immutability
62
+
63
+ - [ ] Functions return new values instead of mutating inputs
64
+ - [ ] Collections updated via spread/copy, not in-place mutation
65
+ - [ ] Shared state minimized; prefer local scope
66
+
67
+ **Severity**: Mutation of shared state = High. Local mutation = Low.
68
+
69
+ ## Type Safety
70
+
71
+ - [ ] No use of `any` or equivalent escape hatches without justification
72
+ - [ ] Null/undefined handled with type narrowing or optional chaining
73
+ - [ ] Generic types used where they reduce duplication without obscuring intent
74
+
75
+ **Severity**: Unchecked `any` = Medium. Missing null check = High.
76
+
77
+ ## Readability
78
+
79
+ - [ ] Functions do one thing and are named for what they do
80
+ - [ ] Control flow is linear and predictable (no spaghetti)
81
+ - [ ] Related code is colocated; unrelated code is separated
82
+ - [ ] Abstractions are justified by actual reuse, not speculation
83
+
84
+ **Severity**: Tangled control flow = High. Speculative abstraction = Medium.
85
+
86
+ ## Severity Reference
87
+
88
+ | Level | Meaning | Action |
89
+ |---|---|---|
90
+ | Critical | Correctness risk or architectural violation | Must fix |
91
+ | High | Significant maintainability problem | Should fix |
92
+ | Medium | Quality concern worth addressing | Fix when practical |
93
+ | Low | Style preference or minor suggestion | Optional |
@@ -0,0 +1,95 @@
1
+ <!--
2
+ skills/quality-gates/verify-security.md — Verify Security — Use this skill to scan code for security vulnerabilities before commits or relea
3
+
4
+ Use this skill to scan code for security vulnerabilities before commits or releases. ## Scan Scope
5
+ -->
6
+ # Verify Security
7
+
8
+ Use this skill to scan code for security vulnerabilities before commits or releases.
9
+
10
+ ## Scan Scope
11
+
12
+ Analyze all changed files plus their direct dependencies for the categories below.
13
+
14
+ ## Secrets and Credentials
15
+
16
+ - [ ] No hardcoded API keys, passwords, tokens, or connection strings
17
+ - [ ] No private keys or certificates committed
18
+ - [ ] `.env` files excluded from version control
19
+ - [ ] Secrets loaded from environment variables or a secret manager
20
+ - [ ] No secrets in logs, error messages, or stack traces
21
+
22
+ **Severity**: Hardcoded secret = Critical. Secret in logs = High.
23
+
24
+ ## Authentication and Authorization
25
+
26
+ - [ ] Authentication required on all protected endpoints
27
+ - [ ] Authorization checks enforce least privilege
28
+ - [ ] Session tokens are cryptographically random and expire
29
+ - [ ] Password storage uses bcrypt, scrypt, or argon2 with sufficient rounds
30
+ - [ ] Multi-factor authentication supported where appropriate
31
+ - [ ] No authentication bypass via parameter tampering or path traversal
32
+
33
+ **Severity**: Auth bypass = Critical. Missing authz check = High. Weak hash = High.
34
+
35
+ ## Injection
36
+
37
+ - [ ] SQL queries use parameterized statements or an ORM
38
+ - [ ] No string concatenation in queries, commands, or templates
39
+ - [ ] OS command execution uses allowlists, never user input directly
40
+ - [ ] LDAP, XML, and template injection vectors reviewed
41
+
42
+ **Severity**: SQL/OS injection = Critical. Template injection = High.
43
+
44
+ ## Cross-Site Scripting (XSS)
45
+
46
+ - [ ] All user-supplied data escaped before rendering in HTML
47
+ - [ ] No use of `innerHTML`, `dangerouslySetInnerHTML`, or `v-html` without sanitization
48
+ - [ ] Content-Security-Policy header configured
49
+ - [ ] Reflected, stored, and DOM-based XSS vectors checked
50
+
51
+ **Severity**: Stored XSS = Critical. Reflected XSS = High. DOM XSS = High.
52
+
53
+ ## Cross-Site Request Forgery (CSRF)
54
+
55
+ - [ ] State-changing requests require CSRF tokens
56
+ - [ ] SameSite cookie attribute set to Lax or Strict
57
+ - [ ] Custom headers validated for API endpoints
58
+
59
+ **Severity**: Missing CSRF on state change = High.
60
+
61
+ ## Dependencies
62
+
63
+ - [ ] No known CVEs in direct or transitive dependencies
64
+ - [ ] Lock file committed and up to date
65
+ - [ ] No unnecessary dependencies
66
+ - [ ] Audit command run: `npm audit`, `pip audit`, `cargo audit`, or equivalent
67
+
68
+ **Severity**: Critical CVE = Critical. High CVE = High. Outdated dep = Medium.
69
+
70
+ ## Cryptography
71
+
72
+ - [ ] TLS 1.2+ enforced for all network communication
73
+ - [ ] No use of MD5, SHA1, DES, or RC4 for security purposes
74
+ - [ ] Random values generated with cryptographic PRNG
75
+ - [ ] Key lengths meet current standards (RSA 2048+, AES 256)
76
+
77
+ **Severity**: Broken crypto = High. Weak random = High. Deprecated algo = Medium.
78
+
79
+ ## Data Exposure
80
+
81
+ - [ ] Sensitive fields excluded from API responses and logs
82
+ - [ ] Error messages do not leak internal paths, stack traces, or versions
83
+ - [ ] Debug endpoints disabled in production
84
+ - [ ] Rate limiting on authentication and sensitive endpoints
85
+
86
+ **Severity**: PII leak = Critical. Stack trace in prod = Medium. Missing rate limit = Medium.
87
+
88
+ ## Severity Reference
89
+
90
+ | Level | Meaning | Action |
91
+ |---|---|---|
92
+ | Critical | Exploitable vulnerability or data breach risk | Must fix before merge |
93
+ | High | Significant security weakness | Should fix before merge |
94
+ | Medium | Defense-in-depth gap | Fix when practical |
95
+ | Low | Hardening suggestion | Optional |
@@ -0,0 +1,37 @@
1
+ <!--
2
+ skills/roles/architect.ai-systems.md — Anti-pattern guidance for the Architect.ai-systems (ai systems) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the architect.ai-systems (ai systems) domain and counter-moves to avoid them.
6
+ Applies to: cx-architect.
7
+ -->
8
+ ---
9
+ role: architect.ai-systems
10
+ applies_to: [cx-architect]
11
+ inherits: architect
12
+ version: 1
13
+ ---
14
+ # AI Systems Architect Overlay
15
+
16
+ Additional failure modes on top of the architect core.
17
+
18
+ ### 1. Model behavior as an implicit dependency
19
+ **Symptom**: the design depends on a model always following instructions or returning one exact shape.
20
+ **Why it fails**: model behavior changes across versions, providers, prompts, and context.
21
+ **Counter-move**: define output schemas, validation, retries, fallback behavior, and human review boundaries.
22
+
23
+ ### 2. Retrieval without provenance
24
+ **Symptom**: vector search is treated as truth without source attribution, freshness, or permission boundaries.
25
+ **Why it fails**: stale or unauthorized context can become generated output.
26
+ **Counter-move**: design citation, freshness, access control, and re-indexing paths.
27
+
28
+ ### 3. Evals postponed until after launch
29
+ **Symptom**: the ADR names model choice but not the evaluation gate.
30
+ **Why it fails**: quality becomes subjective and regressions become invisible.
31
+ **Counter-move**: require eval suites, golden traces, failure cases, and promotion criteria as part of the architecture.
32
+
33
+ ## Self-check before shipping
34
+ - [ ] Model output schemas and validation paths are explicit
35
+ - [ ] Retrieval has provenance, freshness, ACL, and re-indexing rules
36
+ - [ ] Human review and fallback boundaries are named
37
+ - [ ] Evals and promotion gates are architecture requirements
@@ -0,0 +1,37 @@
1
+ <!--
2
+ skills/roles/architect.data.md — Anti-pattern guidance for the Architect.data (data) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the architect.data (data) domain and counter-moves to avoid them.
6
+ Applies to: cx-architect.
7
+ -->
8
+ ---
9
+ role: architect.data
10
+ applies_to: [cx-architect]
11
+ inherits: architect
12
+ version: 1
13
+ ---
14
+ # Data Architect Overlay
15
+
16
+ Additional failure modes on top of the architect core.
17
+
18
+ ### 1. Schema now, migration later
19
+ **Symptom**: the model fits the first implementation but has no migration or backfill plan.
20
+ **Why it fails**: data shape changes are harder to unwind than code shape changes.
21
+ **Counter-move**: define forward/backward migration, backfill safety, and compatibility windows before implementation.
22
+
23
+ ### 2. Query patterns guessed instead of designed
24
+ **Symptom**: indexes, partitions, and materialized views are deferred until performance hurts.
25
+ **Why it fails**: production data volume exposes assumptions hidden by test fixtures.
26
+ **Counter-move**: document expected cardinality, access paths, retention, and latency targets.
27
+
28
+ ### 3. Data quality treated as downstream work
29
+ **Symptom**: contracts cover types but not nullability, freshness, uniqueness, or lineage.
30
+ **Why it fails**: bad data silently becomes product behavior.
31
+ **Counter-move**: include data contracts, quality checks, lineage, and incident response ownership.
32
+
33
+ ## Self-check before shipping
34
+ - [ ] Schema evolution, migrations, and backfills are covered
35
+ - [ ] Cardinality, indexing, retention, and latency assumptions are explicit
36
+ - [ ] Quality checks, lineage, and data ownership are defined
37
+ - [ ] Rollback and repair paths exist for corrupted state
@@ -0,0 +1,37 @@
1
+ <!--
2
+ skills/roles/architect.enterprise.md — Anti-pattern guidance for the Architect.enterprise (enterprise) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the architect.enterprise (enterprise) domain and counter-moves to avoid them.
6
+ Applies to: cx-architect.
7
+ -->
8
+ ---
9
+ role: architect.enterprise
10
+ applies_to: [cx-architect]
11
+ inherits: architect
12
+ version: 1
13
+ ---
14
+ # Enterprise Architect Overlay
15
+
16
+ Additional failure modes on top of the architect core.
17
+
18
+ ### 1. Enterprise controls bolted on late
19
+ **Symptom**: SSO, RBAC, audit, retention, and tenant isolation are listed as future work.
20
+ **Why it fails**: enterprise controls change data models, APIs, and operational workflows.
21
+ **Counter-move**: include identity, access, audit, retention, and tenancy in the first architecture pass.
22
+
23
+ ### 2. Procurement requirements treated as non-technical
24
+ **Symptom**: compliance evidence, data residency, SLAs, and admin reporting are not reflected in system design.
25
+ **Why it fails**: sales commitments become engineering emergencies.
26
+ **Counter-move**: translate procurement and compliance needs into explicit technical contracts.
27
+
28
+ ### 3. Single-tenant assumptions hidden in code
29
+ **Symptom**: tenant IDs, limits, and isolation rules are missing from interfaces.
30
+ **Why it fails**: retrofitting tenancy after launch creates security and migration risk.
31
+ **Counter-move**: make tenant context, authorization, quotas, and isolation visible at every boundary.
32
+
33
+ ## Self-check before shipping
34
+ - [ ] SSO, RBAC, audit, retention, and tenant isolation are designed
35
+ - [ ] Data residency, SLA, and evidence requirements are translated into system contracts
36
+ - [ ] Tenant context and authorization are visible in interfaces
37
+ - [ ] Admin reporting and support diagnostics are included
@@ -0,0 +1,37 @@
1
+ <!--
2
+ skills/roles/architect.integration.md — Anti-pattern guidance for the Architect.integration (integration) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the architect.integration (integration) domain and counter-moves to avoid them.
6
+ Applies to: cx-architect.
7
+ -->
8
+ ---
9
+ role: architect.integration
10
+ applies_to: [cx-architect]
11
+ inherits: architect
12
+ version: 1
13
+ ---
14
+ # Integration Architect Overlay
15
+
16
+ Additional failure modes on top of the architect core.
17
+
18
+ ### 1. Designing only the successful exchange
19
+ **Symptom**: the sequence diagram stops after a 200 response.
20
+ **Why it fails**: real integrations fail through retries, partial writes, timeouts, duplicate deliveries, and stale credentials.
21
+ **Counter-move**: document idempotency keys, retry/backoff policy, dead-letter paths, and reconciliation flows.
22
+
23
+ ### 2. Unclear source of truth
24
+ **Symptom**: two systems can update the same entity without conflict rules.
25
+ **Why it fails**: data divergence becomes a support problem that cannot be diagnosed from logs.
26
+ **Counter-move**: name the system of record, conflict strategy, sync direction, and repair workflow.
27
+
28
+ ### 3. Credentials as an implementation detail
29
+ **Symptom**: auth setup, rotation, scopes, and revocation are left to engineering.
30
+ **Why it fails**: integrations become fragile and over-privileged.
31
+ **Counter-move**: define credential lifecycle, least-privilege scopes, secret storage, and audit events.
32
+
33
+ ## Self-check before shipping
34
+ - [ ] Failure modes include retries, duplicates, partial failure, and reconciliation
35
+ - [ ] System of record and conflict resolution are explicit
36
+ - [ ] Credential lifecycle and scopes are designed
37
+ - [ ] Observability covers cross-system correlation IDs
@@ -0,0 +1,68 @@
1
+ <!--
2
+ skills/roles/architect.md — Anti-pattern guidance for the Architect role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the architect domain and counter-moves to avoid them.
6
+ Applies to: cx-architect, cx-rd-lead.
7
+ -->
8
+ ---
9
+ role: architect
10
+ applies_to: [cx-architect, cx-rd-lead]
11
+ inherits: null
12
+ version: 1
13
+ ---
14
+ # Architect — Role guidance
15
+
16
+ Load this before drafting. These are the failure modes that separate strong role output from weak role output — check your draft against each.
17
+
18
+
19
+ ### 1. Premature tech choice
20
+ **Symptom**: the design names a specific database, framework, or cloud service before the requirements have been stated.
21
+ **Why it fails**: anchors the team on a tool the problem may not need. Alternatives go unexplored.
22
+ **Counter-move**: state requirements first. Name candidates second. Pick last, with the reason tied to the requirements.
23
+
24
+ ### 2. Decisions without alternatives
25
+ **Symptom**: the doc presents one option as the recommendation with no serious comparison.
26
+ **Why it fails**: reviewers cannot tell whether the decision was made or merely assumed.
27
+ **Counter-move**: document at least two real alternatives with specific reasons each was rejected. A straw-man alternative is worse than none.
28
+
29
+ ### 3. Ignoring operational burden
30
+ **Symptom**: the design optimizes for build-time elegance and ignores who operates the system at 3am.
31
+ **Why it fails**: elegant systems become unmaintainable once they have real users; on-call pays the cost forever.
32
+ **Counter-move**: include an operations section. Who pages, what breaks, how it is observed, how it is rolled back.
33
+
34
+ ### 4. Reversibility blindness
35
+ **Symptom**: no statement of whether the decision is a one-way door (irreversible) or a two-way door (cheap to undo).
36
+ **Why it fails**: one-way doors get the same debate-depth as two-way doors; teams over-deliberate on the reversible and under-deliberate on the permanent.
37
+ **Counter-move**: label every major decision as one-way or two-way and match the evidence burden to it.
38
+
39
+ ### 5. Boundary vagueness
40
+ **Symptom**: modules, services, or teams are drawn with arrows but the contracts — inputs, outputs, failure modes — are not specified.
41
+ **Why it fails**: each team implements its own interpretation; the integration surfaces the gaps in production.
42
+ **Counter-move**: every boundary has a contract. Every contract names its failure modes.
43
+
44
+ ### 6. Scaling for the fantasy case
45
+ **Symptom**: the design is sized for a load that requires 100x of current users, which the business has no plan to reach.
46
+ **Why it fails**: pays today's cost for tomorrow's hypothetical. The hypothetical never arrives, or arrives in a different shape.
47
+ **Counter-move**: size for current load plus the one-year plan. Note the scaling assumption. Revisit when reality deviates.
48
+
49
+ ### 7. Ignoring the migration
50
+ **Symptom**: the design describes the end state but not the path from here to there.
51
+ **Why it fails**: migration is where projects die. "Cut over the weekend" rarely works.
52
+ **Counter-move**: include a migration plan with phases, dual-run strategy, rollback points, and the failure modes of each phase.
53
+
54
+ ### 8. Reinventing over reusing
55
+ **Symptom**: a custom solution for a problem a mature tool already solves, justified by thin differentiation.
56
+ **Why it fails**: the team now owns the maintenance of both the product and a worse version of an existing tool.
57
+ **Counter-move**: survey existing tools honestly. If building, articulate exactly what the existing tools fail to do.
58
+
59
+ ## Self-check before shipping
60
+
61
+ - [ ] Requirements are stated before tech choices
62
+ - [ ] At least two real alternatives considered and rejected with reasons
63
+ - [ ] Operations section names on-call, observability, rollback
64
+ - [ ] Every major decision labeled one-way or two-way
65
+ - [ ] Every boundary has a specified contract, including failure modes
66
+ - [ ] Scaling assumptions are named and tied to the business plan
67
+ - [ ] Migration path is explicit with phases and rollback points
68
+ - [ ] Build-vs-buy is justified when building
@@ -0,0 +1,37 @@
1
+ <!--
2
+ skills/roles/architect.platform.md — Anti-pattern guidance for the Architect.platform (platform) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the architect.platform (platform) domain and counter-moves to avoid them.
6
+ Applies to: cx-architect.
7
+ -->
8
+ ---
9
+ role: architect.platform
10
+ applies_to: [cx-architect]
11
+ inherits: architect
12
+ version: 1
13
+ ---
14
+ # Platform Architect Overlay
15
+
16
+ Additional failure modes on top of the architect core.
17
+
18
+ ### 1. Treating platform APIs as feature internals
19
+ **Symptom**: the design describes a service boundary but not the public contract, compatibility policy, or owner.
20
+ **Why it fails**: downstream teams build against accidental behavior and the platform becomes impossible to change.
21
+ **Counter-move**: specify API versioning, compatibility guarantees, migration paths, tenant boundaries, and contract tests.
22
+
23
+ ### 2. Omitting operational interfaces
24
+ **Symptom**: the ADR covers the happy-path API but not admin actions, audit logs, rate limits, quotas, or diagnostics.
25
+ **Why it fails**: platforms fail through support burden as often as runtime defects.
26
+ **Counter-move**: design the operator surface alongside the developer surface.
27
+
28
+ ### 3. Local optimization over ecosystem fit
29
+ **Symptom**: the solution is clean for one product team but inconsistent with existing platform conventions.
30
+ **Why it fails**: every exception becomes another integration tax.
31
+ **Counter-move**: compare against current platform patterns before introducing a new one.
32
+
33
+ ## Self-check before shipping
34
+ - [ ] Public contracts, owners, versioning, and compatibility guarantees are explicit
35
+ - [ ] Migration, deprecation, and rollback behavior are documented
36
+ - [ ] Admin, audit, quota, and diagnostic surfaces are included
37
+ - [ ] Contract tests and integration acceptance criteria exist
@@ -0,0 +1,37 @@
1
+ <!--
2
+ skills/roles/data-analyst.experiment.md — Anti-pattern guidance for the Data-analyst.experiment (experiment) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the data-analyst.experiment (experiment) domain and counter-moves to avoid them.
6
+ Applies to: cx-data-analyst.
7
+ -->
8
+ ---
9
+ role: data-analyst.experiment
10
+ applies_to: [cx-data-analyst]
11
+ inherits: data-analyst
12
+ version: 1
13
+ ---
14
+ # Experiment Analyst Overlay
15
+
16
+ Additional failure modes on top of the data-analyst core.
17
+
18
+ ### 1. Experiment without a decision rule
19
+ **Symptom**: the team plans to "see what happens" after launch.
20
+ **Why it fails**: ambiguous outcomes become arguments instead of decisions.
21
+ **Counter-move**: define hypothesis, primary metric, guardrails, minimum detectable effect, and stop rule.
22
+
23
+ ### 2. Randomization mismatch
24
+ **Symptom**: randomization unit does not match how users experience the product.
25
+ **Why it fails**: contamination and repeated exposure distort the result.
26
+ **Counter-move**: choose user, account, workspace, session, or request-level assignment deliberately.
27
+
28
+ ### 3. Reading results too early
29
+ **Symptom**: decisions are made on partial data because the chart looks convincing.
30
+ **Why it fails**: early peeking inflates false positives.
31
+ **Counter-move**: specify duration, sample size, and analysis plan before the experiment starts.
32
+
33
+ ## Self-check before shipping
34
+ - [ ] Hypothesis, primary metric, guardrails, and stop rule are explicit
35
+ - [ ] Randomization unit matches the product behavior
36
+ - [ ] Sample size and duration are justified
37
+ - [ ] Segmentation and novelty effects are considered
@@ -0,0 +1,68 @@
1
+ <!--
2
+ skills/roles/data-analyst.md — Anti-pattern guidance for the Data-analyst role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the data-analyst domain and counter-moves to avoid them.
6
+ Applies to: cx-data-analyst.
7
+ -->
8
+ ---
9
+ role: data-analyst
10
+ applies_to: [cx-data-analyst]
11
+ inherits: null
12
+ version: 1
13
+ ---
14
+ # Data Analyst — Role guidance
15
+
16
+ Load this before drafting. These are the failure modes that separate strong role output from weak role output — check your draft against each.
17
+
18
+
19
+ ### 1. Metric without definition
20
+ **Symptom**: a metric cited without its precise definition — which events, what time window, deduplication rules, filters.
21
+ **Why it fails**: two teams compute "active users" differently. Decisions rest on numbers nobody can reproduce.
22
+ **Counter-move**: name the metric and its SQL-level or event-level definition before any number. Version the definition.
23
+
24
+ ### 2. Vanity over outcome
25
+ **Symptom**: reports lead with impressions, pageviews, clicks — activity disconnected from whether users got value.
26
+ **Why it fails**: rewards teams for moving activity numbers while outcomes stagnate.
27
+ **Counter-move**: tie every vanity metric to an outcome metric. Report both. Lead with the outcome.
28
+
29
+ ### 3. Ignoring data quality
30
+ **Symptom**: analysis assumes the underlying events fire correctly, are deduped, and have consistent schemas.
31
+ **Why it fails**: real pipelines drop, duplicate, and malform events. Analysis without QA produces confident wrong numbers.
32
+ **Counter-move**: run sanity checks — row counts, null rates, distribution shape, schema checks — before analysis. Report data quality alongside findings.
33
+
34
+ ### 4. Correlation as causation
35
+ **Symptom**: "users who did X had higher retention" presented as a reason to make everyone do X.
36
+ **Why it fails**: selection bias, reverse causation, and confounders produce the same pattern. Actions based on it rarely work.
37
+ **Counter-move**: name the alternative explanations. If you want to claim causation, the answer is an experiment.
38
+
39
+ ### 5. p-hacking and post-hoc slicing
40
+ **Symptom**: after seeing the results, the analyst carves the data until a significant effect appears somewhere.
41
+ **Why it fails**: guaranteed to find "effects" that are noise. Decisions based on them do not replicate.
42
+ **Counter-move**: register hypotheses before looking at the data. Distinguish confirmatory from exploratory findings.
43
+
44
+ ### 6. Missing funnel context
45
+ **Symptom**: a conversion rate reported without the volume at each step, or a step-change reported without the broader funnel.
46
+ **Why it fails**: a "20% lift" on a step that 1% of users reach moves nothing. Context collapses.
47
+ **Counter-move**: every rate comes with its denominator and its place in the funnel. Report absolute as well as relative.
48
+
49
+ ### 7. Dashboard as deliverable
50
+ **Symptom**: the analyst builds a dashboard and stops. No interpretation, no recommendation, no action.
51
+ **Why it fails**: stakeholders read numbers without knowing what to do with them; dashboards accumulate but decisions do not.
52
+ **Counter-move**: every analysis ends with interpretation and a recommended action. Dashboards support that, they do not replace it.
53
+
54
+ ### 8. Unreproducible analysis
55
+ **Symptom**: the number came from a notebook on someone's laptop; the query is not saved; the result cannot be regenerated.
56
+ **Why it fails**: the analysis cannot be audited, extended, or re-run against fresh data. Trust erodes when numbers cannot be reproduced.
57
+ **Counter-move**: code in a repo, queries in version control, inputs and outputs documented. A colleague can re-run the analysis tomorrow.
58
+
59
+ ## Self-check before shipping
60
+
61
+ - [ ] Every metric has a precise, versioned definition
62
+ - [ ] Outcome metrics lead; vanity metrics support or are omitted
63
+ - [ ] Data quality checks run; quality reported with findings
64
+ - [ ] Correlations explicitly separated from causal claims
65
+ - [ ] Hypotheses registered before seeing the data
66
+ - [ ] Rates include denominators and funnel context
67
+ - [ ] Interpretation and recommended action accompany numbers
68
+ - [ ] Analysis is reproducible from version-controlled artifacts
@@ -0,0 +1,37 @@
1
+ <!--
2
+ skills/roles/data-analyst.product-intelligence.md — Anti-pattern guidance for the Data-analyst.product-intelligence (product intelligence) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the data-analyst.product-intelligence (product intelligence) domain and counter-moves to avoid them.
6
+ Applies to: cx-data-analyst, cx-product-manager.
7
+ -->
8
+ ---
9
+ role: data-analyst.product-intelligence
10
+ applies_to: [cx-data-analyst, cx-product-manager]
11
+ inherits: data-analyst
12
+ version: 1
13
+ ---
14
+ # Product Intelligence Analyst Overlay
15
+
16
+ Additional failure modes on top of the data-analyst core.
17
+
18
+ ### 1. Anecdotes counted as evidence
19
+ **Symptom**: customer notes are summarized without source count, confidence, or contradiction.
20
+ **Why it fails**: loud examples masquerade as trends.
21
+ **Counter-move**: separate signal, evidence, confidence, counter-evidence, and unresolved questions.
22
+
23
+ ### 2. Qualitative and quantitative data never meet
24
+ **Symptom**: support themes, interviews, telemetry, and roadmap work remain separate artifacts.
25
+ **Why it fails**: PM decisions lack a durable evidence trail.
26
+ **Counter-move**: link customer signals to metrics, segments, affected workflows, and backlog proposals.
27
+
28
+ ### 3. Evidence store ignored
29
+ **Symptom**: new briefs are written without checking prior Product Intelligence artifacts.
30
+ **Why it fails**: teams rediscover the same signal and lose longitudinal context.
31
+ **Counter-move**: query `.cx/product-intel`, `docs/prd`, and `docs/meta-prd` through hybrid search before drafting.
32
+
33
+ ## Self-check before shipping
34
+ - [ ] Evidence count, confidence, and counter-evidence are explicit
35
+ - [ ] Signals link to metrics, segments, and backlog implications
36
+ - [ ] Prior Product Intelligence artifacts were checked
37
+ - [ ] Open questions and collection plan are recorded
@@ -0,0 +1,37 @@
1
+ <!--
2
+ skills/roles/data-analyst.product.md — Anti-pattern guidance for the Data-analyst.product (product) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the data-analyst.product (product) domain and counter-moves to avoid them.
6
+ Applies to: cx-data-analyst.
7
+ -->
8
+ ---
9
+ role: data-analyst.product
10
+ applies_to: [cx-data-analyst]
11
+ inherits: data-analyst
12
+ version: 1
13
+ ---
14
+ # Product Analytics Overlay
15
+
16
+ Additional failure modes on top of the data-analyst core.
17
+
18
+ ### 1. Measuring usage instead of value
19
+ **Symptom**: success is defined as clicks, visits, or feature usage.
20
+ **Why it fails**: users can use a feature without getting value from it.
21
+ **Counter-move**: connect metrics to the user behavior or business outcome the product is meant to change.
22
+
23
+ ### 2. Funnel averages hide segments
24
+ **Symptom**: aggregate conversion improves while an important user segment regresses.
25
+ **Why it fails**: product decisions often affect cohorts differently.
26
+ **Counter-move**: require segmentation by persona, plan, acquisition source, geography, device, or maturity where relevant.
27
+
28
+ ### 3. Instrumentation after launch
29
+ **Symptom**: events are added after users start flowing through the feature.
30
+ **Why it fails**: there is no baseline and no clean before/after comparison.
31
+ **Counter-move**: define event schema, baseline window, and success threshold before release.
32
+
33
+ ## Self-check before shipping
34
+ - [ ] Metrics connect to user value, not raw activity
35
+ - [ ] Baselines and segments are defined
36
+ - [ ] Event schema and properties are specified
37
+ - [ ] Guardrail metrics are included
@@ -0,0 +1,37 @@
1
+ <!--
2
+ skills/roles/data-analyst.telemetry.md — Anti-pattern guidance for the Data-analyst.telemetry (telemetry) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the data-analyst.telemetry (telemetry) domain and counter-moves to avoid them.
6
+ Applies to: cx-data-analyst, cx-sre.
7
+ -->
8
+ ---
9
+ role: data-analyst.telemetry
10
+ applies_to: [cx-data-analyst, cx-sre]
11
+ inherits: data-analyst
12
+ version: 1
13
+ ---
14
+ # Telemetry Analyst Overlay
15
+
16
+ Additional failure modes on top of the data-analyst core.
17
+
18
+ ### 1. Observability without an answer path
19
+ **Symptom**: dashboards exist but cannot answer whether a user-facing behavior improved or regressed.
20
+ **Why it fails**: telemetry becomes decorative instead of operational.
21
+ **Counter-move**: tie traces, metrics, logs, and events to concrete questions and decisions.
22
+
23
+ ### 2. Missing denominator
24
+ **Symptom**: counts are reported without exposure, attempts, population, or eligibility.
25
+ **Why it fails**: raw counts move with traffic and hide rate changes.
26
+ **Counter-move**: define numerator, denominator, sampling, and exclusions for every metric.
27
+
28
+ ### 3. Data quality not monitored
29
+ **Symptom**: teams monitor the product but not the telemetry pipeline.
30
+ **Why it fails**: broken instrumentation can look like product behavior.
31
+ **Counter-move**: add freshness, volume, schema, and drop-rate checks.
32
+
33
+ ## Self-check before shipping
34
+ - [ ] Telemetry answers named product or operational questions
35
+ - [ ] Numerators, denominators, and exclusions are defined
36
+ - [ ] Freshness, volume, schema, and drop-rate checks exist
37
+ - [ ] Alerts distinguish product failure from telemetry failure