@geraldmaron/construct 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (352) hide show
  1. package/.env.example +69 -0
  2. package/LICENSE +21 -0
  3. package/README.md +344 -0
  4. package/agents/prompts/cx-accessibility.md +29 -0
  5. package/agents/prompts/cx-ai-engineer.md +31 -0
  6. package/agents/prompts/cx-architect.md +40 -0
  7. package/agents/prompts/cx-business-strategist.md +25 -0
  8. package/agents/prompts/cx-data-analyst.md +30 -0
  9. package/agents/prompts/cx-data-engineer.md +32 -0
  10. package/agents/prompts/cx-debugger.md +27 -0
  11. package/agents/prompts/cx-designer.md +33 -0
  12. package/agents/prompts/cx-devil-advocate.md +36 -0
  13. package/agents/prompts/cx-docs-keeper.md +50 -0
  14. package/agents/prompts/cx-engineer.md +36 -0
  15. package/agents/prompts/cx-evaluator.md +26 -0
  16. package/agents/prompts/cx-explorer.md +38 -0
  17. package/agents/prompts/cx-legal-compliance.md +25 -0
  18. package/agents/prompts/cx-operations.md +28 -0
  19. package/agents/prompts/cx-orchestrator.md +30 -0
  20. package/agents/prompts/cx-platform-engineer.md +25 -0
  21. package/agents/prompts/cx-product-manager.md +30 -0
  22. package/agents/prompts/cx-qa.md +42 -0
  23. package/agents/prompts/cx-rd-lead.md +25 -0
  24. package/agents/prompts/cx-release-manager.md +31 -0
  25. package/agents/prompts/cx-researcher.md +31 -0
  26. package/agents/prompts/cx-reviewer.md +36 -0
  27. package/agents/prompts/cx-security.md +37 -0
  28. package/agents/prompts/cx-sre.md +26 -0
  29. package/agents/prompts/cx-test-automation.md +35 -0
  30. package/agents/prompts/cx-trace-reviewer.md +76 -0
  31. package/agents/prompts/cx-ux-researcher.md +30 -0
  32. package/agents/registry.json +879 -0
  33. package/agents/teams.json +94 -0
  34. package/bin/construct +613 -0
  35. package/commands/build/feature.md +21 -0
  36. package/commands/build/fix.md +20 -0
  37. package/commands/design/access.md +19 -0
  38. package/commands/design/flow.md +16 -0
  39. package/commands/design/ui.md +18 -0
  40. package/commands/measure/experiment.md +18 -0
  41. package/commands/measure/metrics.md +18 -0
  42. package/commands/measure/results.md +18 -0
  43. package/commands/plan/api.md +19 -0
  44. package/commands/plan/challenge.md +18 -0
  45. package/commands/plan/decide.md +20 -0
  46. package/commands/plan/feature.md +49 -0
  47. package/commands/plan/requirements.md +24 -0
  48. package/commands/remember/context.md +26 -0
  49. package/commands/remember/handoff.md +19 -0
  50. package/commands/remember/runbook.md +20 -0
  51. package/commands/review/code.md +21 -0
  52. package/commands/review/quality.md +19 -0
  53. package/commands/review/security.md +16 -0
  54. package/commands/ship/ready.md +19 -0
  55. package/commands/ship/release.md +19 -0
  56. package/commands/ship/status.md +18 -0
  57. package/commands/understand/docs.md +22 -0
  58. package/commands/understand/research.md +22 -0
  59. package/commands/understand/this.md +23 -0
  60. package/commands/understand/why.md +18 -0
  61. package/commands/work/clean.md +32 -0
  62. package/commands/work/drive.md +69 -0
  63. package/commands/work/optimize-prompts.md +46 -0
  64. package/commands/work/parallel-review.md +40 -0
  65. package/db/migrations/001_init.sql +38 -0
  66. package/langfuse/docker-compose.yml +82 -0
  67. package/lib/audit-skills.mjs +118 -0
  68. package/lib/auto-docs.mjs +293 -0
  69. package/lib/cli-commands.mjs +409 -0
  70. package/lib/codex-config.mjs +114 -0
  71. package/lib/comment-lint.mjs +191 -0
  72. package/lib/completions.mjs +170 -0
  73. package/lib/context-state.mjs +99 -0
  74. package/lib/cost.mjs +213 -0
  75. package/lib/distill.mjs +403 -0
  76. package/lib/efficiency.mjs +139 -0
  77. package/lib/env-config.mjs +53 -0
  78. package/lib/eval-harness.mjs +59 -0
  79. package/lib/features.mjs +209 -0
  80. package/lib/headhunt.mjs +597 -0
  81. package/lib/hooks/adaptive-lint.mjs +112 -0
  82. package/lib/hooks/agent-tracker.mjs +50 -0
  83. package/lib/hooks/bootstrap-guard.mjs +90 -0
  84. package/lib/hooks/comment-lint.mjs +26 -0
  85. package/lib/hooks/config-protection.mjs +52 -0
  86. package/lib/hooks/console-warn.mjs +43 -0
  87. package/lib/hooks/context-window-recovery.mjs +90 -0
  88. package/lib/hooks/continuation-enforcer.mjs +72 -0
  89. package/lib/hooks/dep-audit.mjs +155 -0
  90. package/lib/hooks/drive-guard.mjs +89 -0
  91. package/lib/hooks/edit-accumulator.mjs +36 -0
  92. package/lib/hooks/edit-error-recovery.mjs +46 -0
  93. package/lib/hooks/edit-guard.mjs +109 -0
  94. package/lib/hooks/env-check.mjs +80 -0
  95. package/lib/hooks/guard-bash.mjs +83 -0
  96. package/lib/hooks/mcp-audit.mjs +57 -0
  97. package/lib/hooks/mcp-health-check.mjs +51 -0
  98. package/lib/hooks/mcp-task-scope.mjs +47 -0
  99. package/lib/hooks/model-fallback.mjs +105 -0
  100. package/lib/hooks/pre-compact.mjs +212 -0
  101. package/lib/hooks/pre-push-gate.mjs +129 -0
  102. package/lib/hooks/read-tracker.mjs +129 -0
  103. package/lib/hooks/registry-sync.mjs +23 -0
  104. package/lib/hooks/scan-secrets.mjs +76 -0
  105. package/lib/hooks/session-start.mjs +95 -0
  106. package/lib/hooks/stop-notify.mjs +191 -0
  107. package/lib/hooks/stop-typecheck.mjs +83 -0
  108. package/lib/hooks/task-completed-guard.mjs +43 -0
  109. package/lib/hooks/teammate-idle-guard.mjs +54 -0
  110. package/lib/hooks/workflow-guard.mjs +62 -0
  111. package/lib/host-capabilities.mjs +123 -0
  112. package/lib/init-docs.mjs +382 -0
  113. package/lib/mcp/server.mjs +1123 -0
  114. package/lib/mcp-catalog.json +243 -0
  115. package/lib/mcp-manager.mjs +433 -0
  116. package/lib/mcp-platform-config.mjs +104 -0
  117. package/lib/model-router.mjs +810 -0
  118. package/lib/opencode-config.mjs +44 -0
  119. package/lib/opencode-runtime-plugin.mjs +909 -0
  120. package/lib/opencode-telemetry.mjs +433 -0
  121. package/lib/orchestration-policy.mjs +258 -0
  122. package/lib/prompt-composer.mjs +196 -0
  123. package/lib/prompt-metadata.mjs +68 -0
  124. package/lib/review.mjs +429 -0
  125. package/lib/role-preload.mjs +52 -0
  126. package/lib/schemas/decision.json +50 -0
  127. package/lib/schemas/implementation.json +51 -0
  128. package/lib/schemas/review-report.json +32 -0
  129. package/lib/schemas/test-report.json +43 -0
  130. package/lib/server/index.mjs +334 -0
  131. package/lib/server/static/app.js +841 -0
  132. package/lib/server/static/index.html +820 -0
  133. package/lib/service-manager.mjs +225 -0
  134. package/lib/setup.mjs +319 -0
  135. package/lib/status.mjs +707 -0
  136. package/lib/storage/backend.mjs +44 -0
  137. package/lib/storage/embeddings.mjs +70 -0
  138. package/lib/storage/hybrid-query.mjs +184 -0
  139. package/lib/storage/sql-store.mjs +55 -0
  140. package/lib/storage/state-source.mjs +101 -0
  141. package/lib/storage/sync.mjs +164 -0
  142. package/lib/storage/vector-store.mjs +59 -0
  143. package/lib/telemetry/backends/langfuse.mjs +58 -0
  144. package/lib/telemetry/backends/noop.mjs +16 -0
  145. package/lib/telemetry/langfuse-ingest.mjs +108 -0
  146. package/lib/telemetry/langfuse-model-sync.mjs +270 -0
  147. package/lib/telemetry/team-rollup.mjs +143 -0
  148. package/lib/toolkit-env.mjs +30 -0
  149. package/lib/validator.mjs +181 -0
  150. package/lib/workflow-state.mjs +794 -0
  151. package/package.json +53 -0
  152. package/personas/construct.md +94 -0
  153. package/platforms/claude/CLAUDE.md +30 -0
  154. package/platforms/claude/settings.template.json +472 -0
  155. package/platforms/opencode/config.template.json +65 -0
  156. package/platforms/opencode/plugins/construct-fallback.js +5 -0
  157. package/platforms/opencode/sync-config.mjs +69 -0
  158. package/rules/common/agents.md +55 -0
  159. package/rules/common/code-review.md +129 -0
  160. package/rules/common/coding-style.md +95 -0
  161. package/rules/common/comments.md +139 -0
  162. package/rules/common/cx-agent-routing.md +61 -0
  163. package/rules/common/cx-skill-routing.md +11 -0
  164. package/rules/common/development-workflow.md +49 -0
  165. package/rules/common/git-workflow.md +29 -0
  166. package/rules/common/hooks.md +35 -0
  167. package/rules/common/patterns.md +36 -0
  168. package/rules/common/performance.md +71 -0
  169. package/rules/common/security.md +34 -0
  170. package/rules/common/testing.md +62 -0
  171. package/rules/golang/coding-style.md +37 -0
  172. package/rules/golang/hooks.md +22 -0
  173. package/rules/golang/patterns.md +50 -0
  174. package/rules/golang/security.md +39 -0
  175. package/rules/golang/testing.md +36 -0
  176. package/rules/python/coding-style.md +47 -0
  177. package/rules/python/hooks.md +24 -0
  178. package/rules/python/patterns.md +44 -0
  179. package/rules/python/security.md +35 -0
  180. package/rules/python/testing.md +43 -0
  181. package/rules/swift/coding-style.md +52 -0
  182. package/rules/swift/hooks.md +25 -0
  183. package/rules/swift/patterns.md +71 -0
  184. package/rules/swift/security.md +38 -0
  185. package/rules/swift/testing.md +50 -0
  186. package/rules/typescript/coding-style.md +204 -0
  187. package/rules/typescript/hooks.md +27 -0
  188. package/rules/typescript/patterns.md +57 -0
  189. package/rules/typescript/security.md +33 -0
  190. package/rules/typescript/testing.md +23 -0
  191. package/rules/web/coding-style.md +101 -0
  192. package/rules/web/design-quality.md +68 -0
  193. package/rules/web/hooks.md +125 -0
  194. package/rules/web/patterns.md +84 -0
  195. package/rules/web/performance.md +69 -0
  196. package/rules/web/security.md +62 -0
  197. package/rules/web/testing.md +60 -0
  198. package/rules/zh/README.md +113 -0
  199. package/rules/zh/agents.md +55 -0
  200. package/rules/zh/code-review.md +129 -0
  201. package/rules/zh/coding-style.md +53 -0
  202. package/rules/zh/development-workflow.md +49 -0
  203. package/rules/zh/git-workflow.md +29 -0
  204. package/rules/zh/hooks.md +35 -0
  205. package/rules/zh/patterns.md +36 -0
  206. package/rules/zh/performance.md +60 -0
  207. package/rules/zh/security.md +34 -0
  208. package/rules/zh/testing.md +34 -0
  209. package/skills/ai/agent-dev.md +102 -0
  210. package/skills/ai/llm-security.md +105 -0
  211. package/skills/ai/ml-ops.md +169 -0
  212. package/skills/ai/orchestration-workflow.md +87 -0
  213. package/skills/ai/prompt-and-eval.md +114 -0
  214. package/skills/ai/prompt-optimizer.md +114 -0
  215. package/skills/ai/rag-system.md +104 -0
  216. package/skills/architecture/api-design.md +100 -0
  217. package/skills/architecture/caching.md +101 -0
  218. package/skills/architecture/cloud-native.md +97 -0
  219. package/skills/architecture/message-queue.md +100 -0
  220. package/skills/architecture/security-arch.md +105 -0
  221. package/skills/development/cpp.md +127 -0
  222. package/skills/development/go.md +129 -0
  223. package/skills/development/java.md +134 -0
  224. package/skills/development/kotlin.md +140 -0
  225. package/skills/development/mobile-crossplatform.md +144 -0
  226. package/skills/development/python.md +109 -0
  227. package/skills/development/rust.md +127 -0
  228. package/skills/development/shell.md +127 -0
  229. package/skills/development/swift.md +129 -0
  230. package/skills/development/typescript.md +129 -0
  231. package/skills/devops/ci-cd.md +108 -0
  232. package/skills/devops/containerization.md +106 -0
  233. package/skills/devops/cost-optimization.md +105 -0
  234. package/skills/devops/data-engineering.md +181 -0
  235. package/skills/devops/database.md +95 -0
  236. package/skills/devops/dependency-management.md +91 -0
  237. package/skills/devops/devsecops.md +96 -0
  238. package/skills/devops/git-workflow.md +100 -0
  239. package/skills/devops/incident-response.md +167 -0
  240. package/skills/devops/monorepo.md +87 -0
  241. package/skills/devops/observability.md +103 -0
  242. package/skills/devops/performance.md +104 -0
  243. package/skills/devops/testing.md +104 -0
  244. package/skills/docs/adr-workflow.md +32 -0
  245. package/skills/docs/backlog-proposal-workflow.md +19 -0
  246. package/skills/docs/customer-profile-workflow.md +22 -0
  247. package/skills/docs/evidence-ingest-workflow.md +23 -0
  248. package/skills/docs/init-docs.md +160 -0
  249. package/skills/docs/init-project.md +50 -0
  250. package/skills/docs/prd-workflow.md +57 -0
  251. package/skills/docs/prfaq-workflow.md +25 -0
  252. package/skills/docs/product-intelligence-review.md +22 -0
  253. package/skills/docs/product-intelligence-workflow.md +62 -0
  254. package/skills/docs/product-signal-workflow.md +27 -0
  255. package/skills/docs/research-workflow.md +28 -0
  256. package/skills/docs/runbook-workflow.md +24 -0
  257. package/skills/exploration/repo-map.md +297 -0
  258. package/skills/frameworks/django.md +159 -0
  259. package/skills/frameworks/nextjs.md +148 -0
  260. package/skills/frameworks/react.md +132 -0
  261. package/skills/frameworks/spring-boot.md +165 -0
  262. package/skills/frontend-design/accessibility.md +153 -0
  263. package/skills/frontend-design/component-patterns.md +111 -0
  264. package/skills/frontend-design/engineering.md +122 -0
  265. package/skills/frontend-design/state-management.md +118 -0
  266. package/skills/frontend-design/ui-aesthetics.md +102 -0
  267. package/skills/frontend-design/ux-principles.md +126 -0
  268. package/skills/quality-gates/review-work.md +90 -0
  269. package/skills/quality-gates/verify-change.md +94 -0
  270. package/skills/quality-gates/verify-module.md +96 -0
  271. package/skills/quality-gates/verify-quality.md +93 -0
  272. package/skills/quality-gates/verify-security.md +95 -0
  273. package/skills/roles/architect.ai-systems.md +37 -0
  274. package/skills/roles/architect.data.md +37 -0
  275. package/skills/roles/architect.enterprise.md +37 -0
  276. package/skills/roles/architect.integration.md +37 -0
  277. package/skills/roles/architect.md +68 -0
  278. package/skills/roles/architect.platform.md +37 -0
  279. package/skills/roles/data-analyst.experiment.md +37 -0
  280. package/skills/roles/data-analyst.md +68 -0
  281. package/skills/roles/data-analyst.product-intelligence.md +37 -0
  282. package/skills/roles/data-analyst.product.md +37 -0
  283. package/skills/roles/data-analyst.telemetry.md +37 -0
  284. package/skills/roles/data-engineer.pipeline.md +37 -0
  285. package/skills/roles/data-engineer.vector-retrieval.md +37 -0
  286. package/skills/roles/data-engineer.warehouse.md +37 -0
  287. package/skills/roles/debugger.md +68 -0
  288. package/skills/roles/designer.accessibility.md +43 -0
  289. package/skills/roles/designer.md +68 -0
  290. package/skills/roles/engineer.ai.md +49 -0
  291. package/skills/roles/engineer.data.md +49 -0
  292. package/skills/roles/engineer.md +85 -0
  293. package/skills/roles/engineer.platform.md +49 -0
  294. package/skills/roles/operator.docs.md +43 -0
  295. package/skills/roles/operator.md +68 -0
  296. package/skills/roles/operator.release.md +43 -0
  297. package/skills/roles/operator.sre.md +43 -0
  298. package/skills/roles/orchestrator.md +66 -0
  299. package/skills/roles/product-manager.ai-product.md +37 -0
  300. package/skills/roles/product-manager.business-strategy.md +43 -0
  301. package/skills/roles/product-manager.enterprise.md +37 -0
  302. package/skills/roles/product-manager.growth.md +37 -0
  303. package/skills/roles/product-manager.md +67 -0
  304. package/skills/roles/product-manager.platform.md +37 -0
  305. package/skills/roles/product-manager.product.md +37 -0
  306. package/skills/roles/qa.ai-eval.md +37 -0
  307. package/skills/roles/qa.api-contract.md +37 -0
  308. package/skills/roles/qa.data-pipeline.md +37 -0
  309. package/skills/roles/qa.md +68 -0
  310. package/skills/roles/qa.test-automation.md +49 -0
  311. package/skills/roles/qa.web-ui.md +37 -0
  312. package/skills/roles/researcher.explorer.md +43 -0
  313. package/skills/roles/researcher.md +68 -0
  314. package/skills/roles/researcher.ux.md +43 -0
  315. package/skills/roles/reviewer.devil-advocate.md +43 -0
  316. package/skills/roles/reviewer.evaluator.md +43 -0
  317. package/skills/roles/reviewer.md +68 -0
  318. package/skills/roles/reviewer.trace.md +43 -0
  319. package/skills/roles/security.ai.md +37 -0
  320. package/skills/roles/security.appsec.md +37 -0
  321. package/skills/roles/security.cloud.md +37 -0
  322. package/skills/roles/security.legal-compliance.md +49 -0
  323. package/skills/roles/security.md +68 -0
  324. package/skills/roles/security.privacy.md +37 -0
  325. package/skills/roles/security.supply-chain.md +37 -0
  326. package/skills/routing.md +139 -0
  327. package/skills/security/blue-team.md +83 -0
  328. package/skills/security/code-audit.md +94 -0
  329. package/skills/security/pentest.md +84 -0
  330. package/skills/security/red-team.md +81 -0
  331. package/skills/security/threat-intel.md +89 -0
  332. package/skills/security/vuln-research.md +87 -0
  333. package/skills/utility/clean-code.md +165 -0
  334. package/sync-agents.mjs +899 -0
  335. package/templates/docs/adr.md +27 -0
  336. package/templates/docs/backlog-proposal.md +26 -0
  337. package/templates/docs/customer-profile.md +34 -0
  338. package/templates/docs/evidence-brief.md +37 -0
  339. package/templates/docs/incident-report.md +46 -0
  340. package/templates/docs/memo.md +27 -0
  341. package/templates/docs/meta-prd.md +56 -0
  342. package/templates/docs/one-pager.md +24 -0
  343. package/templates/docs/prd-business.md +61 -0
  344. package/templates/docs/prd-platform.md +62 -0
  345. package/templates/docs/prd.md +47 -0
  346. package/templates/docs/prfaq.md +31 -0
  347. package/templates/docs/product-intelligence-report.md +31 -0
  348. package/templates/docs/research-brief.md +29 -0
  349. package/templates/docs/rfc-platform.md +60 -0
  350. package/templates/docs/rfc.md +46 -0
  351. package/templates/docs/runbook.md +33 -0
  352. package/templates/docs/signal-brief.md +25 -0
@@ -0,0 +1,49 @@
1
+ <!--
2
+ skills/roles/qa.test-automation.md — Anti-pattern guidance for the Qa.test-automation (test automation) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the qa.test-automation (test automation) domain and counter-moves to avoid them.
6
+ Applies to: cx-test-automation.
7
+ -->
8
+ ---
9
+ role: qa.test-automation
10
+ applies_to: [cx-test-automation]
11
+ inherits: qa
12
+ version: 1
13
+ ---
14
+ # Test Automation Overlay
15
+
16
+ Additional failure modes on top of the qa core.
17
+
18
+
19
+ ### 1. Flaky tests tolerated
20
+ **Symptom**: tests retried until green; flakes treated as "environmental noise."
21
+ **Why it fails**: signal erodes — real regressions hide among the flakes. Developers stop trusting the suite.
22
+ **Counter-move**: quarantine flakes immediately with a tracking ticket. Target zero retries for trusted tests.
23
+
24
+ ### 2. E2E-heavy pyramid
25
+ **Symptom**: test suite dominated by slow, wide end-to-end tests with few unit tests.
26
+ **Why it fails**: feedback loops get slow; debug surface is huge; CI time balloons.
27
+ **Counter-move**: push coverage down the pyramid: unit > integration > e2e. Each layer tests what the one below can't.
28
+
29
+ ### 3. Shared state between tests
30
+ **Symptom**: tests that must run in a specific order or share a database row.
31
+ **Why it fails**: parallelization breaks; reordering breaks; failures become non-reproducible.
32
+ **Counter-move**: every test sets up and tears down its own fixtures. Parallelize-safe by default.
33
+
34
+ ### 4. Assertions on implementation
35
+ **Symptom**: tests that snapshot internal state or spy on private methods.
36
+ **Why it fails**: refactors break the suite without changing behavior; test trust drops, tests get deleted.
37
+ **Counter-move**: assert on observable behavior (outputs, side effects at boundaries). Treat internals as off-limits.
38
+
39
+ ### 5. CI as the only runner
40
+ **Symptom**: tests only pass in CI; developers can't run them locally.
41
+ **Why it fails**: debug cycles are 10x slower; test health decays between CI runs.
42
+ **Counter-move**: every test runnable locally with one command. Fixtures and mocks self-contained.
43
+
44
+ ## Self-check before shipping
45
+ - [ ] Zero flakes in the trusted suite
46
+ - [ ] Pyramid shape: mostly unit, some integration, few e2e
47
+ - [ ] Tests isolated; no shared state
48
+ - [ ] Assertions on behavior, not internals
49
+ - [ ] Suite runs locally with one command
@@ -0,0 +1,37 @@
1
+ <!--
2
+ skills/roles/qa.web-ui.md — Anti-pattern guidance for the Qa.web-ui (web ui) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the qa.web-ui (web ui) domain and counter-moves to avoid them.
6
+ Applies to: cx-qa, cx-test-automation.
7
+ -->
8
+ ---
9
+ role: qa.web-ui
10
+ applies_to: [cx-qa, cx-test-automation]
11
+ inherits: qa
12
+ version: 1
13
+ ---
14
+ # Web UI QA Overlay
15
+
16
+ Additional failure modes on top of the QA core.
17
+
18
+ ### 1. Testing screens instead of user flows
19
+ **Symptom**: tests assert that elements exist but not that the user can complete the job.
20
+ **Why it fails**: visual presence is not behavioral confidence.
21
+ **Counter-move**: cover critical flows across loading, empty, error, keyboard, and responsive states.
22
+
23
+ ### 2. Accessibility left to a separate pass
24
+ **Symptom**: keyboard navigation, focus management, labels, and contrast are not acceptance criteria.
25
+ **Why it fails**: accessibility defects are product defects and often break automation too.
26
+ **Counter-move**: include keyboard-only and screen-reader-relevant checks in the test plan.
27
+
28
+ ### 3. Fragile selectors
29
+ **Symptom**: tests depend on CSS classes, animation timing, or arbitrary sleeps.
30
+ **Why it fails**: automation becomes flaky and loses trust.
31
+ **Counter-move**: use stable roles, labels, test IDs, and deterministic waits.
32
+
33
+ ## Self-check before shipping
34
+ - [ ] Critical flows include loading, empty, error, and responsive states
35
+ - [ ] Keyboard and accessible-name checks are included
36
+ - [ ] Selectors are stable and waits are deterministic
37
+ - [ ] Visual regressions cover states that users actually encounter
@@ -0,0 +1,43 @@
1
+ <!--
2
+ skills/roles/researcher.explorer.md — Anti-pattern guidance for the Researcher.explorer (explorer) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the researcher.explorer (explorer) domain and counter-moves to avoid them.
6
+ Applies to: cx-explorer.
7
+ -->
8
+ ---
9
+ role: researcher.explorer
10
+ applies_to: [cx-explorer]
11
+ inherits: researcher
12
+ version: 1
13
+ ---
14
+ # Codebase Explorer Overlay
15
+
16
+ Additional failure modes on top of the researcher core.
17
+
18
+
19
+ ### 1. Summarizing without paths
20
+ **Symptom**: "there's a validation layer in the auth module" with no file or line reference.
21
+ **Why it fails**: the reader can't verify or act on the claim. The next session re-does the search.
22
+ **Counter-move**: cite every finding with `path:line` or at minimum `path`. No claim without a pointer.
23
+
24
+ ### 2. Pattern-match by name
25
+ **Symptom**: assuming `validateUser()` does what its name suggests without reading the body.
26
+ **Why it fails**: names lie. The function may wrap, delegate, or do something unrelated.
27
+ **Counter-move**: read the function body and its callers before asserting what it does.
28
+
29
+ ### 3. Shallow single-grep conclusions
30
+ **Symptom**: one grep returns nothing, conclude "feature doesn't exist."
31
+ **Why it fails**: the feature may use a different term, be split across files, or be dynamically dispatched.
32
+ **Counter-move**: try 3+ naming variations. Check adjacent directories. Read the entry points.
33
+
34
+ ### 4. Over-scoping the exploration
35
+ **Symptom**: producing a 5-page architecture tour for a question that only needed one file.
36
+ **Why it fails**: burns the consumer's time and context window; the answer drowns in tangent.
37
+ **Counter-move**: answer the question asked. Link supporting material; don't inline it unless asked.
38
+
39
+ ## Self-check before shipping
40
+ - [ ] Every claim cites a path, ideally with a line
41
+ - [ ] Function behavior verified from the body, not the name
42
+ - [ ] Searched multiple naming variants and entry points
43
+ - [ ] Response scoped to the question asked
@@ -0,0 +1,68 @@
1
+ <!--
2
+ skills/roles/researcher.md — Anti-pattern guidance for the Researcher role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the researcher domain and counter-moves to avoid them.
6
+ Applies to: cx-researcher, cx-ux-researcher, cx-explorer.
7
+ -->
8
+ ---
9
+ role: researcher
10
+ applies_to: [cx-researcher, cx-ux-researcher, cx-explorer]
11
+ inherits: null
12
+ version: 1
13
+ ---
14
+ # Researcher — Role guidance
15
+
16
+ Load this before drafting. These are the failure modes that separate strong role output from weak role output — check your draft against each.
17
+
18
+
19
+ ### 1. Confirmation bias
20
+ **Symptom**: the research converges on the answer the author already suspected, using sources selected to support it.
21
+ **Why it fails**: the reader learns nothing new; decisions rest on motivated reasoning.
22
+ **Counter-move**: actively search for disconfirming evidence. Name the strongest counter-finding and address it.
23
+
24
+ ### 2. Single-source conclusions
25
+ **Symptom**: a finding rests on one blog post, one vendor page, or one paper.
26
+ **Why it fails**: any single source can be wrong, outdated, or biased. Confidence is borrowed from the source's authority, not the evidence.
27
+ **Counter-move**: require at least two independent sources for each load-bearing claim. Note when they disagree.
28
+
29
+ ### 3. Freshness blindness
30
+ **Symptom**: cited source dated 2019 used as current for a fast-moving topic — AI capabilities, framework APIs, security advisories.
31
+ **Why it fails**: the reader assumes the finding is current; acts on stale information.
32
+ **Counter-move**: check and record the publication date of every source. For fast-moving topics, prefer sources within the last 12 months.
33
+
34
+ ### 4. Findings without confidence
35
+ **Symptom**: all findings presented flatly, with no distinction between what is well-established and what is speculative.
36
+ **Why it fails**: the reader cannot decide how much weight to place on each claim.
37
+ **Counter-move**: label each finding high / medium / low confidence, with a one-line reason.
38
+
39
+ ### 5. Observation confused with inference
40
+ **Symptom**: the doc presents what the author concluded as what the source said.
41
+ **Why it fails**: the conclusion cannot be audited. Reviewers who disagree cannot find the step where the logic turned.
42
+ **Counter-move**: separate "what the source said" from "what I infer from this". Label them.
43
+
44
+ ### 6. Secondary sources passed as primary
45
+ **Symptom**: citations point to summaries, listicles, or syntheses instead of the underlying paper, spec, or changelog.
46
+ **Why it fails**: the summary may misrepresent the primary source. The chain of error is invisible.
47
+ **Counter-move**: cite primary sources — the actual paper, spec, commit, or dataset. Use secondary sources only to discover primary ones.
48
+
49
+ ### 7. Scope creep
50
+ **Symptom**: the research question was about X but the brief covers X, Y, and Z because they came up.
51
+ **Why it fails**: the original question does not get answered well; reviewers cannot tell which findings are load-bearing.
52
+ **Counter-move**: answer the original question first and completely. Tangential findings go into a separate section or a follow-up.
53
+
54
+ ### 8. Action without evidence threshold
55
+ **Symptom**: the implications section recommends a change without stating what evidence would have led to a different recommendation.
56
+ **Why it fails**: the research is unfalsifiable. Any finding leads to the same recommendation.
57
+ **Counter-move**: state up-front what evidence would cause the recommendation to flip. Verify the actual evidence meets the threshold.
58
+
59
+ ## Self-check before shipping
60
+
61
+ - [ ] Strongest counter-finding is named and addressed
62
+ - [ ] Each load-bearing claim has at least two independent sources
63
+ - [ ] Source dates recorded; fast-moving topics use recent sources
64
+ - [ ] Each finding labeled with confidence and reason
65
+ - [ ] Observation separated from inference
66
+ - [ ] Citations point to primary sources
67
+ - [ ] Original question is answered first; tangents are separate
68
+ - [ ] Evidence threshold for the recommendation is stated
@@ -0,0 +1,43 @@
1
+ <!--
2
+ skills/roles/researcher.ux.md — Anti-pattern guidance for the Researcher.ux (ux) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the researcher.ux (ux) domain and counter-moves to avoid them.
6
+ Applies to: cx-ux-researcher.
7
+ -->
8
+ ---
9
+ role: researcher.ux
10
+ applies_to: [cx-ux-researcher]
11
+ inherits: researcher
12
+ version: 1
13
+ ---
14
+ # UX Researcher Overlay
15
+
16
+ Additional failure modes on top of the researcher core.
17
+
18
+
19
+ ### 1. Leading questions
20
+ **Symptom**: asking "do you like X?" or "would this feature be useful?"
21
+ **Why it fails**: social desirability bias; users say yes to things they'd never actually use.
22
+ **Counter-move**: ask about past behavior, not future preference. "When did you last do X? Walk me through it."
23
+
24
+ ### 2. Confusing opinion with evidence
25
+ **Symptom**: reporting "users said they want Y" as a finding.
26
+ **Why it fails**: stated preference diverges from revealed preference. Features built on asked-for wants often go unused.
27
+ **Counter-move**: separate self-report from observed behavior. Weight observed behavior higher.
28
+
29
+ ### 3. Sample of one
30
+ **Symptom**: quoting a single interviewee as representative of the user base.
31
+ **Why it fails**: any one user is an outlier on some axis. Decisions built on N=1 encode that person's quirks.
32
+ **Counter-move**: aim for 5+ on any behavioral claim. Flag "from 1 of 5 participants" explicitly.
33
+
34
+ ### 4. Prescribing solutions in findings
35
+ **Symptom**: findings document recommending specific UI changes.
36
+ **Why it fails**: collapses the problem-space exploration into a solution bias; design has less room to iterate.
37
+ **Counter-move**: report the problem (friction, confusion, unmet need). Let design own the solution.
38
+
39
+ ## Self-check before shipping
40
+ - [ ] Questions focus on past behavior, not hypothetical future
41
+ - [ ] Observed behavior weighted over self-report
42
+ - [ ] Sample size stated for every claim
43
+ - [ ] Findings describe problems, not prescribe solutions
@@ -0,0 +1,43 @@
1
+ <!--
2
+ skills/roles/reviewer.devil-advocate.md — Anti-pattern guidance for the Reviewer.devil-advocate (devil advocate) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the reviewer.devil-advocate (devil advocate) domain and counter-moves to avoid them.
6
+ Applies to: cx-devil-advocate.
7
+ -->
8
+ ---
9
+ role: reviewer.devil-advocate
10
+ applies_to: [cx-devil-advocate]
11
+ inherits: reviewer
12
+ version: 1
13
+ ---
14
+ # Devil's Advocate Overlay
15
+
16
+ Additional failure modes on top of the reviewer core.
17
+
18
+
19
+ ### 1. Objecting in the abstract
20
+ **Symptom**: "this seems risky" or "have you considered scale?" with no concrete scenario.
21
+ **Why it fails**: generic concerns are dismissable. The author has no material to respond to.
22
+ **Counter-move**: pose a specific failure scenario with inputs, state, and the resulting failure mode.
23
+
24
+ ### 2. Stopping at the first objection
25
+ **Symptom**: raising one issue, declaring the plan "needs rework," stepping back.
26
+ **Why it fails**: high-stakes decisions need the full surface area of risk, not one cherry-picked flaw.
27
+ **Counter-move**: produce three distinct categories of objection (technical, operational, strategic) before concluding.
28
+
29
+ ### 3. Contrarianism for its own sake
30
+ **Symptom**: objecting to every proposal, including the ones that are well-reasoned.
31
+ **Why it fails**: becomes noise; teams learn to route around the skeptic. Real risks stop being heard.
32
+ **Counter-move**: explicitly rank objections by severity. Mark some as "acknowledge but proceed."
33
+
34
+ ### 4. Missing the reversibility lens
35
+ **Symptom**: treating a cheap, reversible experiment with the same caution as a one-way door.
36
+ **Why it fails**: slows down learning that should be fast; teams stop bringing you early ideas.
37
+ **Counter-move**: classify the decision on the reversibility axis first. Calibrate pushback accordingly.
38
+
39
+ ## Self-check before shipping
40
+ - [ ] Each objection names a concrete scenario
41
+ - [ ] At least three categories of risk covered
42
+ - [ ] Objections ranked by severity
43
+ - [ ] Reversibility of the decision assessed
@@ -0,0 +1,43 @@
1
+ <!--
2
+ skills/roles/reviewer.evaluator.md — Anti-pattern guidance for the Reviewer.evaluator (evaluator) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the reviewer.evaluator (evaluator) domain and counter-moves to avoid them.
6
+ Applies to: cx-evaluator.
7
+ -->
8
+ ---
9
+ role: reviewer.evaluator
10
+ applies_to: [cx-evaluator]
11
+ inherits: reviewer
12
+ version: 1
13
+ ---
14
+ # Evaluator Overlay
15
+
16
+ Additional failure modes on top of the reviewer core.
17
+
18
+
19
+ ### 1. Rubric-free scoring
20
+ **Symptom**: giving a 7/10 without declaring what 7 means or what distinguishes it from 6 or 8.
21
+ **Why it fails**: scores aren't comparable across reviewers or over time. No one can act on them.
22
+ **Counter-move**: state the rubric (criteria + level descriptors) before scoring. Score against the rubric, not against vibes.
23
+
24
+ ### 2. Single-sample conclusions
25
+ **Symptom**: evaluating on one example and extrapolating to the system.
26
+ **Why it fails**: the sample may be unrepresentative. Confidence intervals are meaningless at N=1.
27
+ **Counter-move**: require a sample size appropriate to the claim. Report N alongside the result.
28
+
29
+ ### 3. Missing counterfactuals
30
+ **Symptom**: rating a new approach as "good" without comparing to the current baseline.
31
+ **Why it fails**: any output looks fine in isolation. The real question is whether it's better than what's shipping.
32
+ **Counter-move**: always include an A/B against baseline. Report the delta, not the absolute.
33
+
34
+ ### 4. Confounded comparisons
35
+ **Symptom**: changing the prompt, model, and retrieval at once and attributing gains to "the new system."
36
+ **Why it fails**: can't tell which change did what; can't roll back specifically if quality regresses.
37
+ **Counter-move**: change one variable at a time. Pin the others.
38
+
39
+ ## Self-check before shipping
40
+ - [ ] Rubric declared before scoring
41
+ - [ ] Sample size reported and defensible
42
+ - [ ] Baseline comparison included
43
+ - [ ] One variable changed per run; others pinned
@@ -0,0 +1,68 @@
1
+ <!--
2
+ skills/roles/reviewer.md — Anti-pattern guidance for the Reviewer role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the reviewer domain and counter-moves to avoid them.
6
+ Applies to: cx-reviewer, cx-devil-advocate, cx-evaluator, cx-trace-reviewer.
7
+ -->
8
+ ---
9
+ role: reviewer
10
+ applies_to: [cx-reviewer, cx-devil-advocate, cx-evaluator, cx-trace-reviewer]
11
+ inherits: null
12
+ version: 1
13
+ ---
14
+ # Reviewer — Role guidance
15
+
16
+ Load this before drafting. These are the failure modes that separate strong role output from weak role output — check your draft against each.
17
+
18
+
19
+ ### 1. Nit-picking over structure
20
+ **Symptom**: the review focuses on variable names and formatting while leaving the structural problem — wrong abstraction, missing tests, unsafe concurrency — unflagged.
21
+ **Why it fails**: the author fixes the surface and ships the real bug. The reviewer signals thoroughness while providing no real coverage.
22
+ **Counter-move**: audit structure first — correctness, blast radius, invariants, test coverage — before any style feedback.
23
+
24
+ ### 2. LGTM without running the code
25
+ **Symptom**: approval given based on reading the diff, with no build, no test run, no exploration of the change in situ.
26
+ **Why it fails**: the diff hides integration bugs, broken imports, and runtime behavior that reading cannot catch.
27
+ **Counter-move**: pull the branch. Run the build. Run the tests. Exercise the changed path at least once.
28
+
29
+ ### 3. Missed blast radius
30
+ **Symptom**: the review evaluates the change in isolation without identifying what else the change could affect.
31
+ **Why it fails**: shared utilities, public APIs, and cross-module contracts get broken silently.
32
+ **Counter-move**: grep for callers of anything changed. Check whether the change is backwards-compatible for each.
33
+
34
+ ### 4. No severity
35
+ **Symptom**: all feedback presented at the same weight — a typo and a security vulnerability get equal prominence.
36
+ **Why it fails**: the author cannot tell what blocks merge versus what is optional. Real issues get lost.
37
+ **Counter-move**: label each finding CRITICAL / HIGH / MEDIUM / LOW. State what the author must address before merge.
38
+
39
+ ### 5. Unfalsifiable suggestions
40
+ **Symptom**: feedback like "this feels off" or "consider a cleaner approach" without a specific alternative or reason.
41
+ **Why it fails**: the author cannot act on it; rounds of revision drift without convergence.
42
+ **Counter-move**: name the concrete alternative or the specific principle being violated. If you cannot, omit the comment.
43
+
44
+ ### 6. Skipping the tests
45
+ **Symptom**: review approves without looking at whether new behavior is covered by tests, whether tests actually test what they claim, or whether existing tests still pass.
46
+ **Why it fails**: coverage erodes quietly; bugs ship under the protection of a passing suite that tests the wrong thing.
47
+ **Counter-move**: verify new behavior has at least one test that would fail if the behavior regressed. Read the tests, not just the coverage number.
48
+
49
+ ### 7. Overriding instead of reviewing
50
+ **Symptom**: the reviewer rewrites the change themselves instead of explaining the problem.
51
+ **Why it fails**: the author does not learn. The reviewer becomes the bottleneck. The code loses the author's context.
52
+ **Counter-move**: describe the issue and the principle. Let the author propose the fix. Rewrite only when specifically asked.
53
+
54
+ ### 8. Silent approval of risky changes
55
+ **Symptom**: a change touching auth, payments, migrations, or data integrity gets waved through without explicit scrutiny of the risk.
56
+ **Why it fails**: high-blast-radius changes ship without the review rigor they warrant.
57
+ **Counter-move**: flag risky changes up-front. Require the author to state the rollback plan. Escalate to security or SRE if the domain warrants.
58
+
59
+ ## Self-check before shipping
60
+
61
+ - [ ] Structural issues evaluated before stylistic ones
62
+ - [ ] Branch pulled, build run, tests run, changed path exercised
63
+ - [ ] Callers of changed code identified; backwards-compatibility checked
64
+ - [ ] Each finding labeled CRITICAL / HIGH / MEDIUM / LOW
65
+ - [ ] Every suggestion names a concrete alternative or principle
66
+ - [ ] New behavior has a test that would catch its regression
67
+ - [ ] High-risk domains (auth, payments, data) explicitly scrutinized
68
+ - [ ] Rewrote only when asked; otherwise described the issue
@@ -0,0 +1,43 @@
1
+ <!--
2
+ skills/roles/reviewer.trace.md — Anti-pattern guidance for the Reviewer.trace (trace) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the reviewer.trace (trace) domain and counter-moves to avoid them.
6
+ Applies to: cx-trace-reviewer.
7
+ -->
8
+ ---
9
+ role: reviewer.trace
10
+ applies_to: [cx-trace-reviewer]
11
+ inherits: reviewer
12
+ version: 1
13
+ ---
14
+ # Trace Reviewer Overlay
15
+
16
+ Additional failure modes on top of the reviewer core.
17
+
18
+
19
+ ### 1. Reading traces in isolation
20
+ **Symptom**: judging a single trace as good or bad without the context of the surrounding distribution.
21
+ **Why it fails**: an individual trace may be fine while the system is failing in aggregate, or vice versa.
22
+ **Counter-move**: pull a sample (20+) of similar traces. Characterize the distribution before judging any one.
23
+
24
+ ### 2. Score without evidence citation
25
+ **Symptom**: writing a low score with a general complaint ("response is unclear") and no span reference.
26
+ **Why it fails**: the author can't locate the issue; the feedback isn't actionable.
27
+ **Counter-move**: cite the specific span, step, or tool call by ID. Quote the offending output.
28
+
29
+ ### 3. Confusing latency with quality
30
+ **Symptom**: marking slow traces as bad or fast traces as good without checking the output.
31
+ **Why it fails**: two orthogonal axes; conflating them drives optimization at the expense of correctness.
32
+ **Counter-move**: score latency and quality separately. Report both.
33
+
34
+ ### 4. Ignoring tool-call failures
35
+ **Symptom**: reviewing the final output while skipping over failed or retried tool calls mid-trace.
36
+ **Why it fails**: the final output may mask a degraded path that costs time, money, or reliability.
37
+ **Counter-move**: examine the full tool-call chain. Flag any failure, retry, or fallback.
38
+
39
+ ## Self-check before shipping
40
+ - [ ] Judged against a sampled distribution, not one trace
41
+ - [ ] Each issue cites a specific span or tool call
42
+ - [ ] Latency and quality reported separately
43
+ - [ ] Full tool-call chain examined
@@ -0,0 +1,37 @@
1
+ <!--
2
+ skills/roles/security.ai.md — Anti-pattern guidance for the Security.ai (ai) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the security.ai (ai) domain and counter-moves to avoid them.
6
+ Applies to: cx-security, cx-ai-engineer.
7
+ -->
8
+ ---
9
+ role: security.ai
10
+ applies_to: [cx-security, cx-ai-engineer]
11
+ inherits: security
12
+ version: 1
13
+ ---
14
+ # AI Security Overlay
15
+
16
+ Additional failure modes on top of the security core.
17
+
18
+ ### 1. Prompt injection treated as prompt quality
19
+ **Symptom**: hostile instructions in retrieved or user-provided content are handled by stronger wording.
20
+ **Why it fails**: model obedience is not a security boundary.
21
+ **Counter-move**: separate data from instructions, constrain tools, validate outputs, and deny unsafe actions by policy.
22
+
23
+ ### 2. Tool access too broad
24
+ **Symptom**: the model can call tools unrelated to the current task or with unchecked arguments.
25
+ **Why it fails**: compromised context can trigger real side effects.
26
+ **Counter-move**: scope tools per task, validate schemas, and require approval for destructive or external actions.
27
+
28
+ ### 3. Retrieval leaks data
29
+ **Symptom**: vector search ignores tenant, permission, retention, or sensitivity labels.
30
+ **Why it fails**: embeddings can bypass normal access-control paths.
31
+ **Counter-move**: enforce ACL-aware retrieval, source citation, redaction, and index freshness checks.
32
+
33
+ ## Self-check before shipping
34
+ - [ ] Prompt injection paths are modeled
35
+ - [ ] Tool access is scoped and schema-validated
36
+ - [ ] Retrieval respects ACL, tenant, retention, and sensitivity boundaries
37
+ - [ ] Unsafe outputs have validation or human review
@@ -0,0 +1,37 @@
1
+ <!--
2
+ skills/roles/security.appsec.md — Anti-pattern guidance for the Security.appsec (appsec) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the security.appsec (appsec) domain and counter-moves to avoid them.
6
+ Applies to: cx-security.
7
+ -->
8
+ ---
9
+ role: security.appsec
10
+ applies_to: [cx-security]
11
+ inherits: security
12
+ version: 1
13
+ ---
14
+ # AppSec Overlay
15
+
16
+ Additional failure modes on top of the security core.
17
+
18
+ ### 1. Trusting framework defaults
19
+ **Symptom**: auth, CSRF, XSS, serialization, or validation is assumed safe because the framework usually handles it.
20
+ **Why it fails**: custom glue code is where defaults stop applying.
21
+ **Counter-move**: trace untrusted input from boundary to sink and verify explicit controls at each hop.
22
+
23
+ ### 2. Authorization checked only at the UI
24
+ **Symptom**: controls hide actions but APIs still accept them.
25
+ **Why it fails**: attackers call APIs directly.
26
+ **Counter-move**: verify server-side authorization for every privileged operation.
27
+
28
+ ### 3. Errors and logs leak context
29
+ **Symptom**: debug details, identifiers, tokens, or PII are logged or returned.
30
+ **Why it fails**: observability becomes data exposure.
31
+ **Counter-move**: check log paths and error responses for sensitive data.
32
+
33
+ ## Self-check before shipping
34
+ - [ ] Input-to-sink paths are traced
35
+ - [ ] Server-side authorization gates privileged operations
36
+ - [ ] Error and log output avoids sensitive data
37
+ - [ ] Tests cover malicious and unauthorized requests
@@ -0,0 +1,37 @@
1
+ <!--
2
+ skills/roles/security.cloud.md — Anti-pattern guidance for the Security.cloud (cloud) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the security.cloud (cloud) domain and counter-moves to avoid them.
6
+ Applies to: cx-security.
7
+ -->
8
+ ---
9
+ role: security.cloud
10
+ applies_to: [cx-security]
11
+ inherits: security
12
+ version: 1
13
+ ---
14
+ # Cloud Security Overlay
15
+
16
+ Additional failure modes on top of the security core.
17
+
18
+ ### 1. Overbroad identity
19
+ **Symptom**: services run with wildcard permissions, shared roles, or long-lived credentials.
20
+ **Why it fails**: one compromise becomes account-wide access.
21
+ **Counter-move**: require least privilege, workload identity, rotation, and clear blast-radius boundaries.
22
+
23
+ ### 2. Public exposure by default
24
+ **Symptom**: buckets, queues, databases, dashboards, or admin endpoints rely on obscurity or network convention.
25
+ **Why it fails**: accidental public access is a common cloud breach path.
26
+ **Counter-move**: verify network policy, encryption, logging, and public access blocks.
27
+
28
+ ### 3. No evidence trail
29
+ **Symptom**: security controls exist but cannot be demonstrated.
30
+ **Why it fails**: incidents and audits require evidence, not intent.
31
+ **Counter-move**: ensure audit logs, policy-as-code checks, and drift detection are present.
32
+
33
+ ## Self-check before shipping
34
+ - [ ] IAM is least-privilege and scoped by workload
35
+ - [ ] Public access, encryption, network policy, and secrets are checked
36
+ - [ ] Audit logs and drift detection exist
37
+ - [ ] Blast radius is explicit
@@ -0,0 +1,49 @@
1
+ <!--
2
+ skills/roles/security.legal-compliance.md — Anti-pattern guidance for the Security.legal-compliance (legal compliance) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the security.legal-compliance (legal compliance) domain and counter-moves to avoid them.
6
+ Applies to: cx-legal-compliance.
7
+ -->
8
+ ---
9
+ role: security.legal-compliance
10
+ applies_to: [cx-legal-compliance]
11
+ inherits: security
12
+ version: 1
13
+ ---
14
+ # Legal & Compliance Overlay
15
+
16
+ Additional failure modes on top of the security core.
17
+
18
+
19
+ ### 1. Compliance theater
20
+ **Symptom**: producing policy documents to pass audit while the implementation doesn't match.
21
+ **Why it fails**: real incidents expose the gap; regulators and customers lose trust faster than they were gained.
22
+ **Counter-move**: each policy commitment maps to a testable control in the code or process. No control, no commitment.
23
+
24
+ ### 2. Data retention without deletion
25
+ **Symptom**: a retention policy on paper; no automated purge job in production.
26
+ **Why it fails**: PII accumulates; GDPR/CCPA deletion requests can't be honored; breach blast radius grows.
27
+ **Counter-move**: implement retention as scheduled deletion at the storage layer. Test the purge quarterly.
28
+
29
+ ### 3. Consent as checkbox
30
+ **Symptom**: a single pre-checked "I agree" that bundles analytics, marketing, and third-party sharing.
31
+ **Why it fails**: fails GDPR specificity requirements; CCPA opt-out obligations get buried.
32
+ **Counter-move**: granular consent per purpose; opt-in unchecked; withdrawal as easy as granting.
33
+
34
+ ### 4. AI features without disclosure
35
+ **Symptom**: shipping an AI-powered feature without telling users their data trains or feeds a model.
36
+ **Why it fails**: growing disclosure obligations (EU AI Act, FTC guidance); trust loss if discovered later.
37
+ **Counter-move**: disclose AI use, data flow, and opt-out path in-product. Update privacy policy in the same change.
38
+
39
+ ### 5. License drift in dependencies
40
+ **Symptom**: adding a GPL or AGPL dependency to a proprietary product without review.
41
+ **Why it fails**: contaminates the license of the whole product; costly to unwind later.
42
+ **Counter-move**: automated license scan in CI; allowlist policy per product tier.
43
+
44
+ ## Self-check before shipping
45
+ - [ ] Policies map to testable controls
46
+ - [ ] Retention enforced by automated deletion
47
+ - [ ] Consent granular, opt-in, withdrawable
48
+ - [ ] AI use disclosed in-product and in policy
49
+ - [ ] Dependency licenses scanned and allowlisted