@geraldmaron/construct 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.env.example +69 -0
- package/LICENSE +21 -0
- package/README.md +344 -0
- package/agents/prompts/cx-accessibility.md +29 -0
- package/agents/prompts/cx-ai-engineer.md +31 -0
- package/agents/prompts/cx-architect.md +40 -0
- package/agents/prompts/cx-business-strategist.md +25 -0
- package/agents/prompts/cx-data-analyst.md +30 -0
- package/agents/prompts/cx-data-engineer.md +32 -0
- package/agents/prompts/cx-debugger.md +27 -0
- package/agents/prompts/cx-designer.md +33 -0
- package/agents/prompts/cx-devil-advocate.md +36 -0
- package/agents/prompts/cx-docs-keeper.md +50 -0
- package/agents/prompts/cx-engineer.md +36 -0
- package/agents/prompts/cx-evaluator.md +26 -0
- package/agents/prompts/cx-explorer.md +38 -0
- package/agents/prompts/cx-legal-compliance.md +25 -0
- package/agents/prompts/cx-operations.md +28 -0
- package/agents/prompts/cx-orchestrator.md +30 -0
- package/agents/prompts/cx-platform-engineer.md +25 -0
- package/agents/prompts/cx-product-manager.md +30 -0
- package/agents/prompts/cx-qa.md +42 -0
- package/agents/prompts/cx-rd-lead.md +25 -0
- package/agents/prompts/cx-release-manager.md +31 -0
- package/agents/prompts/cx-researcher.md +31 -0
- package/agents/prompts/cx-reviewer.md +36 -0
- package/agents/prompts/cx-security.md +37 -0
- package/agents/prompts/cx-sre.md +26 -0
- package/agents/prompts/cx-test-automation.md +35 -0
- package/agents/prompts/cx-trace-reviewer.md +76 -0
- package/agents/prompts/cx-ux-researcher.md +30 -0
- package/agents/registry.json +879 -0
- package/agents/teams.json +94 -0
- package/bin/construct +613 -0
- package/commands/build/feature.md +21 -0
- package/commands/build/fix.md +20 -0
- package/commands/design/access.md +19 -0
- package/commands/design/flow.md +16 -0
- package/commands/design/ui.md +18 -0
- package/commands/measure/experiment.md +18 -0
- package/commands/measure/metrics.md +18 -0
- package/commands/measure/results.md +18 -0
- package/commands/plan/api.md +19 -0
- package/commands/plan/challenge.md +18 -0
- package/commands/plan/decide.md +20 -0
- package/commands/plan/feature.md +49 -0
- package/commands/plan/requirements.md +24 -0
- package/commands/remember/context.md +26 -0
- package/commands/remember/handoff.md +19 -0
- package/commands/remember/runbook.md +20 -0
- package/commands/review/code.md +21 -0
- package/commands/review/quality.md +19 -0
- package/commands/review/security.md +16 -0
- package/commands/ship/ready.md +19 -0
- package/commands/ship/release.md +19 -0
- package/commands/ship/status.md +18 -0
- package/commands/understand/docs.md +22 -0
- package/commands/understand/research.md +22 -0
- package/commands/understand/this.md +23 -0
- package/commands/understand/why.md +18 -0
- package/commands/work/clean.md +32 -0
- package/commands/work/drive.md +69 -0
- package/commands/work/optimize-prompts.md +46 -0
- package/commands/work/parallel-review.md +40 -0
- package/db/migrations/001_init.sql +38 -0
- package/langfuse/docker-compose.yml +82 -0
- package/lib/audit-skills.mjs +118 -0
- package/lib/auto-docs.mjs +293 -0
- package/lib/cli-commands.mjs +409 -0
- package/lib/codex-config.mjs +114 -0
- package/lib/comment-lint.mjs +191 -0
- package/lib/completions.mjs +170 -0
- package/lib/context-state.mjs +99 -0
- package/lib/cost.mjs +213 -0
- package/lib/distill.mjs +403 -0
- package/lib/efficiency.mjs +139 -0
- package/lib/env-config.mjs +53 -0
- package/lib/eval-harness.mjs +59 -0
- package/lib/features.mjs +209 -0
- package/lib/headhunt.mjs +597 -0
- package/lib/hooks/adaptive-lint.mjs +112 -0
- package/lib/hooks/agent-tracker.mjs +50 -0
- package/lib/hooks/bootstrap-guard.mjs +90 -0
- package/lib/hooks/comment-lint.mjs +26 -0
- package/lib/hooks/config-protection.mjs +52 -0
- package/lib/hooks/console-warn.mjs +43 -0
- package/lib/hooks/context-window-recovery.mjs +90 -0
- package/lib/hooks/continuation-enforcer.mjs +72 -0
- package/lib/hooks/dep-audit.mjs +155 -0
- package/lib/hooks/drive-guard.mjs +89 -0
- package/lib/hooks/edit-accumulator.mjs +36 -0
- package/lib/hooks/edit-error-recovery.mjs +46 -0
- package/lib/hooks/edit-guard.mjs +109 -0
- package/lib/hooks/env-check.mjs +80 -0
- package/lib/hooks/guard-bash.mjs +83 -0
- package/lib/hooks/mcp-audit.mjs +57 -0
- package/lib/hooks/mcp-health-check.mjs +51 -0
- package/lib/hooks/mcp-task-scope.mjs +47 -0
- package/lib/hooks/model-fallback.mjs +105 -0
- package/lib/hooks/pre-compact.mjs +212 -0
- package/lib/hooks/pre-push-gate.mjs +129 -0
- package/lib/hooks/read-tracker.mjs +129 -0
- package/lib/hooks/registry-sync.mjs +23 -0
- package/lib/hooks/scan-secrets.mjs +76 -0
- package/lib/hooks/session-start.mjs +95 -0
- package/lib/hooks/stop-notify.mjs +191 -0
- package/lib/hooks/stop-typecheck.mjs +83 -0
- package/lib/hooks/task-completed-guard.mjs +43 -0
- package/lib/hooks/teammate-idle-guard.mjs +54 -0
- package/lib/hooks/workflow-guard.mjs +62 -0
- package/lib/host-capabilities.mjs +123 -0
- package/lib/init-docs.mjs +382 -0
- package/lib/mcp/server.mjs +1123 -0
- package/lib/mcp-catalog.json +243 -0
- package/lib/mcp-manager.mjs +433 -0
- package/lib/mcp-platform-config.mjs +104 -0
- package/lib/model-router.mjs +810 -0
- package/lib/opencode-config.mjs +44 -0
- package/lib/opencode-runtime-plugin.mjs +909 -0
- package/lib/opencode-telemetry.mjs +433 -0
- package/lib/orchestration-policy.mjs +258 -0
- package/lib/prompt-composer.mjs +196 -0
- package/lib/prompt-metadata.mjs +68 -0
- package/lib/review.mjs +429 -0
- package/lib/role-preload.mjs +52 -0
- package/lib/schemas/decision.json +50 -0
- package/lib/schemas/implementation.json +51 -0
- package/lib/schemas/review-report.json +32 -0
- package/lib/schemas/test-report.json +43 -0
- package/lib/server/index.mjs +334 -0
- package/lib/server/static/app.js +841 -0
- package/lib/server/static/index.html +820 -0
- package/lib/service-manager.mjs +225 -0
- package/lib/setup.mjs +319 -0
- package/lib/status.mjs +707 -0
- package/lib/storage/backend.mjs +44 -0
- package/lib/storage/embeddings.mjs +70 -0
- package/lib/storage/hybrid-query.mjs +184 -0
- package/lib/storage/sql-store.mjs +55 -0
- package/lib/storage/state-source.mjs +101 -0
- package/lib/storage/sync.mjs +164 -0
- package/lib/storage/vector-store.mjs +59 -0
- package/lib/telemetry/backends/langfuse.mjs +58 -0
- package/lib/telemetry/backends/noop.mjs +16 -0
- package/lib/telemetry/langfuse-ingest.mjs +108 -0
- package/lib/telemetry/langfuse-model-sync.mjs +270 -0
- package/lib/telemetry/team-rollup.mjs +143 -0
- package/lib/toolkit-env.mjs +30 -0
- package/lib/validator.mjs +181 -0
- package/lib/workflow-state.mjs +794 -0
- package/package.json +53 -0
- package/personas/construct.md +94 -0
- package/platforms/claude/CLAUDE.md +30 -0
- package/platforms/claude/settings.template.json +472 -0
- package/platforms/opencode/config.template.json +65 -0
- package/platforms/opencode/plugins/construct-fallback.js +5 -0
- package/platforms/opencode/sync-config.mjs +69 -0
- package/rules/common/agents.md +55 -0
- package/rules/common/code-review.md +129 -0
- package/rules/common/coding-style.md +95 -0
- package/rules/common/comments.md +139 -0
- package/rules/common/cx-agent-routing.md +61 -0
- package/rules/common/cx-skill-routing.md +11 -0
- package/rules/common/development-workflow.md +49 -0
- package/rules/common/git-workflow.md +29 -0
- package/rules/common/hooks.md +35 -0
- package/rules/common/patterns.md +36 -0
- package/rules/common/performance.md +71 -0
- package/rules/common/security.md +34 -0
- package/rules/common/testing.md +62 -0
- package/rules/golang/coding-style.md +37 -0
- package/rules/golang/hooks.md +22 -0
- package/rules/golang/patterns.md +50 -0
- package/rules/golang/security.md +39 -0
- package/rules/golang/testing.md +36 -0
- package/rules/python/coding-style.md +47 -0
- package/rules/python/hooks.md +24 -0
- package/rules/python/patterns.md +44 -0
- package/rules/python/security.md +35 -0
- package/rules/python/testing.md +43 -0
- package/rules/swift/coding-style.md +52 -0
- package/rules/swift/hooks.md +25 -0
- package/rules/swift/patterns.md +71 -0
- package/rules/swift/security.md +38 -0
- package/rules/swift/testing.md +50 -0
- package/rules/typescript/coding-style.md +204 -0
- package/rules/typescript/hooks.md +27 -0
- package/rules/typescript/patterns.md +57 -0
- package/rules/typescript/security.md +33 -0
- package/rules/typescript/testing.md +23 -0
- package/rules/web/coding-style.md +101 -0
- package/rules/web/design-quality.md +68 -0
- package/rules/web/hooks.md +125 -0
- package/rules/web/patterns.md +84 -0
- package/rules/web/performance.md +69 -0
- package/rules/web/security.md +62 -0
- package/rules/web/testing.md +60 -0
- package/rules/zh/README.md +113 -0
- package/rules/zh/agents.md +55 -0
- package/rules/zh/code-review.md +129 -0
- package/rules/zh/coding-style.md +53 -0
- package/rules/zh/development-workflow.md +49 -0
- package/rules/zh/git-workflow.md +29 -0
- package/rules/zh/hooks.md +35 -0
- package/rules/zh/patterns.md +36 -0
- package/rules/zh/performance.md +60 -0
- package/rules/zh/security.md +34 -0
- package/rules/zh/testing.md +34 -0
- package/skills/ai/agent-dev.md +102 -0
- package/skills/ai/llm-security.md +105 -0
- package/skills/ai/ml-ops.md +169 -0
- package/skills/ai/orchestration-workflow.md +87 -0
- package/skills/ai/prompt-and-eval.md +114 -0
- package/skills/ai/prompt-optimizer.md +114 -0
- package/skills/ai/rag-system.md +104 -0
- package/skills/architecture/api-design.md +100 -0
- package/skills/architecture/caching.md +101 -0
- package/skills/architecture/cloud-native.md +97 -0
- package/skills/architecture/message-queue.md +100 -0
- package/skills/architecture/security-arch.md +105 -0
- package/skills/development/cpp.md +127 -0
- package/skills/development/go.md +129 -0
- package/skills/development/java.md +134 -0
- package/skills/development/kotlin.md +140 -0
- package/skills/development/mobile-crossplatform.md +144 -0
- package/skills/development/python.md +109 -0
- package/skills/development/rust.md +127 -0
- package/skills/development/shell.md +127 -0
- package/skills/development/swift.md +129 -0
- package/skills/development/typescript.md +129 -0
- package/skills/devops/ci-cd.md +108 -0
- package/skills/devops/containerization.md +106 -0
- package/skills/devops/cost-optimization.md +105 -0
- package/skills/devops/data-engineering.md +181 -0
- package/skills/devops/database.md +95 -0
- package/skills/devops/dependency-management.md +91 -0
- package/skills/devops/devsecops.md +96 -0
- package/skills/devops/git-workflow.md +100 -0
- package/skills/devops/incident-response.md +167 -0
- package/skills/devops/monorepo.md +87 -0
- package/skills/devops/observability.md +103 -0
- package/skills/devops/performance.md +104 -0
- package/skills/devops/testing.md +104 -0
- package/skills/docs/adr-workflow.md +32 -0
- package/skills/docs/backlog-proposal-workflow.md +19 -0
- package/skills/docs/customer-profile-workflow.md +22 -0
- package/skills/docs/evidence-ingest-workflow.md +23 -0
- package/skills/docs/init-docs.md +160 -0
- package/skills/docs/init-project.md +50 -0
- package/skills/docs/prd-workflow.md +57 -0
- package/skills/docs/prfaq-workflow.md +25 -0
- package/skills/docs/product-intelligence-review.md +22 -0
- package/skills/docs/product-intelligence-workflow.md +62 -0
- package/skills/docs/product-signal-workflow.md +27 -0
- package/skills/docs/research-workflow.md +28 -0
- package/skills/docs/runbook-workflow.md +24 -0
- package/skills/exploration/repo-map.md +297 -0
- package/skills/frameworks/django.md +159 -0
- package/skills/frameworks/nextjs.md +148 -0
- package/skills/frameworks/react.md +132 -0
- package/skills/frameworks/spring-boot.md +165 -0
- package/skills/frontend-design/accessibility.md +153 -0
- package/skills/frontend-design/component-patterns.md +111 -0
- package/skills/frontend-design/engineering.md +122 -0
- package/skills/frontend-design/state-management.md +118 -0
- package/skills/frontend-design/ui-aesthetics.md +102 -0
- package/skills/frontend-design/ux-principles.md +126 -0
- package/skills/quality-gates/review-work.md +90 -0
- package/skills/quality-gates/verify-change.md +94 -0
- package/skills/quality-gates/verify-module.md +96 -0
- package/skills/quality-gates/verify-quality.md +93 -0
- package/skills/quality-gates/verify-security.md +95 -0
- package/skills/roles/architect.ai-systems.md +37 -0
- package/skills/roles/architect.data.md +37 -0
- package/skills/roles/architect.enterprise.md +37 -0
- package/skills/roles/architect.integration.md +37 -0
- package/skills/roles/architect.md +68 -0
- package/skills/roles/architect.platform.md +37 -0
- package/skills/roles/data-analyst.experiment.md +37 -0
- package/skills/roles/data-analyst.md +68 -0
- package/skills/roles/data-analyst.product-intelligence.md +37 -0
- package/skills/roles/data-analyst.product.md +37 -0
- package/skills/roles/data-analyst.telemetry.md +37 -0
- package/skills/roles/data-engineer.pipeline.md +37 -0
- package/skills/roles/data-engineer.vector-retrieval.md +37 -0
- package/skills/roles/data-engineer.warehouse.md +37 -0
- package/skills/roles/debugger.md +68 -0
- package/skills/roles/designer.accessibility.md +43 -0
- package/skills/roles/designer.md +68 -0
- package/skills/roles/engineer.ai.md +49 -0
- package/skills/roles/engineer.data.md +49 -0
- package/skills/roles/engineer.md +85 -0
- package/skills/roles/engineer.platform.md +49 -0
- package/skills/roles/operator.docs.md +43 -0
- package/skills/roles/operator.md +68 -0
- package/skills/roles/operator.release.md +43 -0
- package/skills/roles/operator.sre.md +43 -0
- package/skills/roles/orchestrator.md +66 -0
- package/skills/roles/product-manager.ai-product.md +37 -0
- package/skills/roles/product-manager.business-strategy.md +43 -0
- package/skills/roles/product-manager.enterprise.md +37 -0
- package/skills/roles/product-manager.growth.md +37 -0
- package/skills/roles/product-manager.md +67 -0
- package/skills/roles/product-manager.platform.md +37 -0
- package/skills/roles/product-manager.product.md +37 -0
- package/skills/roles/qa.ai-eval.md +37 -0
- package/skills/roles/qa.api-contract.md +37 -0
- package/skills/roles/qa.data-pipeline.md +37 -0
- package/skills/roles/qa.md +68 -0
- package/skills/roles/qa.test-automation.md +49 -0
- package/skills/roles/qa.web-ui.md +37 -0
- package/skills/roles/researcher.explorer.md +43 -0
- package/skills/roles/researcher.md +68 -0
- package/skills/roles/researcher.ux.md +43 -0
- package/skills/roles/reviewer.devil-advocate.md +43 -0
- package/skills/roles/reviewer.evaluator.md +43 -0
- package/skills/roles/reviewer.md +68 -0
- package/skills/roles/reviewer.trace.md +43 -0
- package/skills/roles/security.ai.md +37 -0
- package/skills/roles/security.appsec.md +37 -0
- package/skills/roles/security.cloud.md +37 -0
- package/skills/roles/security.legal-compliance.md +49 -0
- package/skills/roles/security.md +68 -0
- package/skills/roles/security.privacy.md +37 -0
- package/skills/roles/security.supply-chain.md +37 -0
- package/skills/routing.md +139 -0
- package/skills/security/blue-team.md +83 -0
- package/skills/security/code-audit.md +94 -0
- package/skills/security/pentest.md +84 -0
- package/skills/security/red-team.md +81 -0
- package/skills/security/threat-intel.md +89 -0
- package/skills/security/vuln-research.md +87 -0
- package/skills/utility/clean-code.md +165 -0
- package/sync-agents.mjs +899 -0
- package/templates/docs/adr.md +27 -0
- package/templates/docs/backlog-proposal.md +26 -0
- package/templates/docs/customer-profile.md +34 -0
- package/templates/docs/evidence-brief.md +37 -0
- package/templates/docs/incident-report.md +46 -0
- package/templates/docs/memo.md +27 -0
- package/templates/docs/meta-prd.md +56 -0
- package/templates/docs/one-pager.md +24 -0
- package/templates/docs/prd-business.md +61 -0
- package/templates/docs/prd-platform.md +62 -0
- package/templates/docs/prd.md +47 -0
- package/templates/docs/prfaq.md +31 -0
- package/templates/docs/product-intelligence-report.md +31 -0
- package/templates/docs/research-brief.md +29 -0
- package/templates/docs/rfc-platform.md +60 -0
- package/templates/docs/rfc.md +46 -0
- package/templates/docs/runbook.md +33 -0
- package/templates/docs/signal-brief.md +25 -0
|
@@ -0,0 +1,49 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/qa.test-automation.md — Anti-pattern guidance for the Qa.test-automation (test automation) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the qa.test-automation (test automation) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-test-automation.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: qa.test-automation
|
|
10
|
+
applies_to: [cx-test-automation]
|
|
11
|
+
inherits: qa
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Test Automation Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the qa core.
|
|
17
|
+
|
|
18
|
+
|
|
19
|
+
### 1. Flaky tests tolerated
|
|
20
|
+
**Symptom**: tests retried until green; flakes treated as "environmental noise."
|
|
21
|
+
**Why it fails**: signal erodes — real regressions hide among the flakes. Developers stop trusting the suite.
|
|
22
|
+
**Counter-move**: quarantine flakes immediately with a tracking ticket. Target zero retries for trusted tests.
|
|
23
|
+
|
|
24
|
+
### 2. E2E-heavy pyramid
|
|
25
|
+
**Symptom**: test suite dominated by slow, wide end-to-end tests with few unit tests.
|
|
26
|
+
**Why it fails**: feedback loops get slow; debug surface is huge; CI time balloons.
|
|
27
|
+
**Counter-move**: push coverage down the pyramid: unit > integration > e2e. Each layer tests what the one below can't.
|
|
28
|
+
|
|
29
|
+
### 3. Shared state between tests
|
|
30
|
+
**Symptom**: tests that must run in a specific order or share a database row.
|
|
31
|
+
**Why it fails**: parallelization breaks; reordering breaks; failures become non-reproducible.
|
|
32
|
+
**Counter-move**: every test sets up and tears down its own fixtures. Parallelize-safe by default.
|
|
33
|
+
|
|
34
|
+
### 4. Assertions on implementation
|
|
35
|
+
**Symptom**: tests that snapshot internal state or spy on private methods.
|
|
36
|
+
**Why it fails**: refactors break the suite without changing behavior; test trust drops, tests get deleted.
|
|
37
|
+
**Counter-move**: assert on observable behavior (outputs, side effects at boundaries). Treat internals as off-limits.
|
|
38
|
+
|
|
39
|
+
### 5. CI as the only runner
|
|
40
|
+
**Symptom**: tests only pass in CI; developers can't run them locally.
|
|
41
|
+
**Why it fails**: debug cycles are 10x slower; test health decays between CI runs.
|
|
42
|
+
**Counter-move**: every test runnable locally with one command. Fixtures and mocks self-contained.
|
|
43
|
+
|
|
44
|
+
## Self-check before shipping
|
|
45
|
+
- [ ] Zero flakes in the trusted suite
|
|
46
|
+
- [ ] Pyramid shape: mostly unit, some integration, few e2e
|
|
47
|
+
- [ ] Tests isolated; no shared state
|
|
48
|
+
- [ ] Assertions on behavior, not internals
|
|
49
|
+
- [ ] Suite runs locally with one command
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/qa.web-ui.md — Anti-pattern guidance for the Qa.web-ui (web ui) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the qa.web-ui (web ui) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-qa, cx-test-automation.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: qa.web-ui
|
|
10
|
+
applies_to: [cx-qa, cx-test-automation]
|
|
11
|
+
inherits: qa
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Web UI QA Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the QA core.
|
|
17
|
+
|
|
18
|
+
### 1. Testing screens instead of user flows
|
|
19
|
+
**Symptom**: tests assert that elements exist but not that the user can complete the job.
|
|
20
|
+
**Why it fails**: visual presence is not behavioral confidence.
|
|
21
|
+
**Counter-move**: cover critical flows across loading, empty, error, keyboard, and responsive states.
|
|
22
|
+
|
|
23
|
+
### 2. Accessibility left to a separate pass
|
|
24
|
+
**Symptom**: keyboard navigation, focus management, labels, and contrast are not acceptance criteria.
|
|
25
|
+
**Why it fails**: accessibility defects are product defects and often break automation too.
|
|
26
|
+
**Counter-move**: include keyboard-only and screen-reader-relevant checks in the test plan.
|
|
27
|
+
|
|
28
|
+
### 3. Fragile selectors
|
|
29
|
+
**Symptom**: tests depend on CSS classes, animation timing, or arbitrary sleeps.
|
|
30
|
+
**Why it fails**: automation becomes flaky and loses trust.
|
|
31
|
+
**Counter-move**: use stable roles, labels, test IDs, and deterministic waits.
|
|
32
|
+
|
|
33
|
+
## Self-check before shipping
|
|
34
|
+
- [ ] Critical flows include loading, empty, error, and responsive states
|
|
35
|
+
- [ ] Keyboard and accessible-name checks are included
|
|
36
|
+
- [ ] Selectors are stable and waits are deterministic
|
|
37
|
+
- [ ] Visual regressions cover states that users actually encounter
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/researcher.explorer.md — Anti-pattern guidance for the Researcher.explorer (explorer) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the researcher.explorer (explorer) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-explorer.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: researcher.explorer
|
|
10
|
+
applies_to: [cx-explorer]
|
|
11
|
+
inherits: researcher
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Codebase Explorer Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the researcher core.
|
|
17
|
+
|
|
18
|
+
|
|
19
|
+
### 1. Summarizing without paths
|
|
20
|
+
**Symptom**: "there's a validation layer in the auth module" with no file or line reference.
|
|
21
|
+
**Why it fails**: the reader can't verify or act on the claim. The next session re-does the search.
|
|
22
|
+
**Counter-move**: cite every finding with `path:line` or at minimum `path`. No claim without a pointer.
|
|
23
|
+
|
|
24
|
+
### 2. Pattern-match by name
|
|
25
|
+
**Symptom**: assuming `validateUser()` does what its name suggests without reading the body.
|
|
26
|
+
**Why it fails**: names lie. The function may wrap, delegate, or do something unrelated.
|
|
27
|
+
**Counter-move**: read the function body and its callers before asserting what it does.
|
|
28
|
+
|
|
29
|
+
### 3. Shallow single-grep conclusions
|
|
30
|
+
**Symptom**: one grep returns nothing, conclude "feature doesn't exist."
|
|
31
|
+
**Why it fails**: the feature may use a different term, be split across files, or be dynamically dispatched.
|
|
32
|
+
**Counter-move**: try 3+ naming variations. Check adjacent directories. Read the entry points.
|
|
33
|
+
|
|
34
|
+
### 4. Over-scoping the exploration
|
|
35
|
+
**Symptom**: producing a 5-page architecture tour for a question that only needed one file.
|
|
36
|
+
**Why it fails**: burns the consumer's time and context window; the answer drowns in tangent.
|
|
37
|
+
**Counter-move**: answer the question asked. Link supporting material; don't inline it unless asked.
|
|
38
|
+
|
|
39
|
+
## Self-check before shipping
|
|
40
|
+
- [ ] Every claim cites a path, ideally with a line
|
|
41
|
+
- [ ] Function behavior verified from the body, not the name
|
|
42
|
+
- [ ] Searched multiple naming variants and entry points
|
|
43
|
+
- [ ] Response scoped to the question asked
|
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/researcher.md — Anti-pattern guidance for the Researcher role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the researcher domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-researcher, cx-ux-researcher, cx-explorer.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: researcher
|
|
10
|
+
applies_to: [cx-researcher, cx-ux-researcher, cx-explorer]
|
|
11
|
+
inherits: null
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Researcher — Role guidance
|
|
15
|
+
|
|
16
|
+
Load this before drafting. These are the failure modes that separate strong role output from weak role output — check your draft against each.
|
|
17
|
+
|
|
18
|
+
|
|
19
|
+
### 1. Confirmation bias
|
|
20
|
+
**Symptom**: the research converges on the answer the author already suspected, using sources selected to support it.
|
|
21
|
+
**Why it fails**: the reader learns nothing new; decisions rest on motivated reasoning.
|
|
22
|
+
**Counter-move**: actively search for disconfirming evidence. Name the strongest counter-finding and address it.
|
|
23
|
+
|
|
24
|
+
### 2. Single-source conclusions
|
|
25
|
+
**Symptom**: a finding rests on one blog post, one vendor page, or one paper.
|
|
26
|
+
**Why it fails**: any single source can be wrong, outdated, or biased. Confidence is borrowed from the source's authority, not the evidence.
|
|
27
|
+
**Counter-move**: require at least two independent sources for each load-bearing claim. Note when they disagree.
|
|
28
|
+
|
|
29
|
+
### 3. Freshness blindness
|
|
30
|
+
**Symptom**: cited source dated 2019 used as current for a fast-moving topic — AI capabilities, framework APIs, security advisories.
|
|
31
|
+
**Why it fails**: the reader assumes the finding is current; acts on stale information.
|
|
32
|
+
**Counter-move**: check and record the publication date of every source. For fast-moving topics, prefer sources within the last 12 months.
|
|
33
|
+
|
|
34
|
+
### 4. Findings without confidence
|
|
35
|
+
**Symptom**: all findings presented flatly, with no distinction between what is well-established and what is speculative.
|
|
36
|
+
**Why it fails**: the reader cannot decide how much weight to place on each claim.
|
|
37
|
+
**Counter-move**: label each finding high / medium / low confidence, with a one-line reason.
|
|
38
|
+
|
|
39
|
+
### 5. Observation confused with inference
|
|
40
|
+
**Symptom**: the doc presents what the author concluded as what the source said.
|
|
41
|
+
**Why it fails**: the conclusion cannot be audited. Reviewers who disagree cannot find the step where the logic turned.
|
|
42
|
+
**Counter-move**: separate "what the source said" from "what I infer from this". Label them.
|
|
43
|
+
|
|
44
|
+
### 6. Secondary sources passed as primary
|
|
45
|
+
**Symptom**: citations point to summaries, listicles, or syntheses instead of the underlying paper, spec, or changelog.
|
|
46
|
+
**Why it fails**: the summary may misrepresent the primary source. The chain of error is invisible.
|
|
47
|
+
**Counter-move**: cite primary sources — the actual paper, spec, commit, or dataset. Use secondary sources only to discover primary ones.
|
|
48
|
+
|
|
49
|
+
### 7. Scope creep
|
|
50
|
+
**Symptom**: the research question was about X but the brief covers X, Y, and Z because they came up.
|
|
51
|
+
**Why it fails**: the original question does not get answered well; reviewers cannot tell which findings are load-bearing.
|
|
52
|
+
**Counter-move**: answer the original question first and completely. Tangential findings go into a separate section or a follow-up.
|
|
53
|
+
|
|
54
|
+
### 8. Action without evidence threshold
|
|
55
|
+
**Symptom**: the implications section recommends a change without stating what evidence would have led to a different recommendation.
|
|
56
|
+
**Why it fails**: the research is unfalsifiable. Any finding leads to the same recommendation.
|
|
57
|
+
**Counter-move**: state up-front what evidence would cause the recommendation to flip. Verify the actual evidence meets the threshold.
|
|
58
|
+
|
|
59
|
+
## Self-check before shipping
|
|
60
|
+
|
|
61
|
+
- [ ] Strongest counter-finding is named and addressed
|
|
62
|
+
- [ ] Each load-bearing claim has at least two independent sources
|
|
63
|
+
- [ ] Source dates recorded; fast-moving topics use recent sources
|
|
64
|
+
- [ ] Each finding labeled with confidence and reason
|
|
65
|
+
- [ ] Observation separated from inference
|
|
66
|
+
- [ ] Citations point to primary sources
|
|
67
|
+
- [ ] Original question is answered first; tangents are separate
|
|
68
|
+
- [ ] Evidence threshold for the recommendation is stated
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/researcher.ux.md — Anti-pattern guidance for the Researcher.ux (ux) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the researcher.ux (ux) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-ux-researcher.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: researcher.ux
|
|
10
|
+
applies_to: [cx-ux-researcher]
|
|
11
|
+
inherits: researcher
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# UX Researcher Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the researcher core.
|
|
17
|
+
|
|
18
|
+
|
|
19
|
+
### 1. Leading questions
|
|
20
|
+
**Symptom**: asking "do you like X?" or "would this feature be useful?"
|
|
21
|
+
**Why it fails**: social desirability bias; users say yes to things they'd never actually use.
|
|
22
|
+
**Counter-move**: ask about past behavior, not future preference. "When did you last do X? Walk me through it."
|
|
23
|
+
|
|
24
|
+
### 2. Confusing opinion with evidence
|
|
25
|
+
**Symptom**: reporting "users said they want Y" as a finding.
|
|
26
|
+
**Why it fails**: stated preference diverges from revealed preference. Features built on asked-for wants often go unused.
|
|
27
|
+
**Counter-move**: separate self-report from observed behavior. Weight observed behavior higher.
|
|
28
|
+
|
|
29
|
+
### 3. Sample of one
|
|
30
|
+
**Symptom**: quoting a single interviewee as representative of the user base.
|
|
31
|
+
**Why it fails**: any one user is an outlier on some axis. Decisions built on N=1 encode that person's quirks.
|
|
32
|
+
**Counter-move**: aim for 5+ on any behavioral claim. Flag "from 1 of 5 participants" explicitly.
|
|
33
|
+
|
|
34
|
+
### 4. Prescribing solutions in findings
|
|
35
|
+
**Symptom**: findings document recommending specific UI changes.
|
|
36
|
+
**Why it fails**: collapses the problem-space exploration into a solution bias; design has less room to iterate.
|
|
37
|
+
**Counter-move**: report the problem (friction, confusion, unmet need). Let design own the solution.
|
|
38
|
+
|
|
39
|
+
## Self-check before shipping
|
|
40
|
+
- [ ] Questions focus on past behavior, not hypothetical future
|
|
41
|
+
- [ ] Observed behavior weighted over self-report
|
|
42
|
+
- [ ] Sample size stated for every claim
|
|
43
|
+
- [ ] Findings describe problems, not prescribe solutions
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/reviewer.devil-advocate.md — Anti-pattern guidance for the Reviewer.devil-advocate (devil advocate) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the reviewer.devil-advocate (devil advocate) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-devil-advocate.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: reviewer.devil-advocate
|
|
10
|
+
applies_to: [cx-devil-advocate]
|
|
11
|
+
inherits: reviewer
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Devil's Advocate Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the reviewer core.
|
|
17
|
+
|
|
18
|
+
|
|
19
|
+
### 1. Objecting in the abstract
|
|
20
|
+
**Symptom**: "this seems risky" or "have you considered scale?" with no concrete scenario.
|
|
21
|
+
**Why it fails**: generic concerns are dismissable. The author has no material to respond to.
|
|
22
|
+
**Counter-move**: pose a specific failure scenario with inputs, state, and the resulting failure mode.
|
|
23
|
+
|
|
24
|
+
### 2. Stopping at the first objection
|
|
25
|
+
**Symptom**: raising one issue, declaring the plan "needs rework," stepping back.
|
|
26
|
+
**Why it fails**: high-stakes decisions need the full surface area of risk, not one cherry-picked flaw.
|
|
27
|
+
**Counter-move**: produce three distinct categories of objection (technical, operational, strategic) before concluding.
|
|
28
|
+
|
|
29
|
+
### 3. Contrarianism for its own sake
|
|
30
|
+
**Symptom**: objecting to every proposal, including the ones that are well-reasoned.
|
|
31
|
+
**Why it fails**: becomes noise; teams learn to route around the skeptic. Real risks stop being heard.
|
|
32
|
+
**Counter-move**: explicitly rank objections by severity. Mark some as "acknowledge but proceed."
|
|
33
|
+
|
|
34
|
+
### 4. Missing the reversibility lens
|
|
35
|
+
**Symptom**: treating a cheap, reversible experiment with the same caution as a one-way door.
|
|
36
|
+
**Why it fails**: slows down learning that should be fast; teams stop bringing you early ideas.
|
|
37
|
+
**Counter-move**: classify the decision on the reversibility axis first. Calibrate pushback accordingly.
|
|
38
|
+
|
|
39
|
+
## Self-check before shipping
|
|
40
|
+
- [ ] Each objection names a concrete scenario
|
|
41
|
+
- [ ] At least three categories of risk covered
|
|
42
|
+
- [ ] Objections ranked by severity
|
|
43
|
+
- [ ] Reversibility of the decision assessed
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/reviewer.evaluator.md — Anti-pattern guidance for the Reviewer.evaluator (evaluator) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the reviewer.evaluator (evaluator) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-evaluator.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: reviewer.evaluator
|
|
10
|
+
applies_to: [cx-evaluator]
|
|
11
|
+
inherits: reviewer
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Evaluator Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the reviewer core.
|
|
17
|
+
|
|
18
|
+
|
|
19
|
+
### 1. Rubric-free scoring
|
|
20
|
+
**Symptom**: giving a 7/10 without declaring what 7 means or what distinguishes it from 6 or 8.
|
|
21
|
+
**Why it fails**: scores aren't comparable across reviewers or over time. No one can act on them.
|
|
22
|
+
**Counter-move**: state the rubric (criteria + level descriptors) before scoring. Score against the rubric, not against vibes.
|
|
23
|
+
|
|
24
|
+
### 2. Single-sample conclusions
|
|
25
|
+
**Symptom**: evaluating on one example and extrapolating to the system.
|
|
26
|
+
**Why it fails**: the sample may be unrepresentative. Confidence intervals are meaningless at N=1.
|
|
27
|
+
**Counter-move**: require a sample size appropriate to the claim. Report N alongside the result.
|
|
28
|
+
|
|
29
|
+
### 3. Missing counterfactuals
|
|
30
|
+
**Symptom**: rating a new approach as "good" without comparing to the current baseline.
|
|
31
|
+
**Why it fails**: any output looks fine in isolation. The real question is whether it's better than what's shipping.
|
|
32
|
+
**Counter-move**: always include an A/B against baseline. Report the delta, not the absolute.
|
|
33
|
+
|
|
34
|
+
### 4. Confounded comparisons
|
|
35
|
+
**Symptom**: changing the prompt, model, and retrieval at once and attributing gains to "the new system."
|
|
36
|
+
**Why it fails**: can't tell which change did what; can't roll back specifically if quality regresses.
|
|
37
|
+
**Counter-move**: change one variable at a time. Pin the others.
|
|
38
|
+
|
|
39
|
+
## Self-check before shipping
|
|
40
|
+
- [ ] Rubric declared before scoring
|
|
41
|
+
- [ ] Sample size reported and defensible
|
|
42
|
+
- [ ] Baseline comparison included
|
|
43
|
+
- [ ] One variable changed per run; others pinned
|
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/reviewer.md — Anti-pattern guidance for the Reviewer role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the reviewer domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-reviewer, cx-devil-advocate, cx-evaluator, cx-trace-reviewer.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: reviewer
|
|
10
|
+
applies_to: [cx-reviewer, cx-devil-advocate, cx-evaluator, cx-trace-reviewer]
|
|
11
|
+
inherits: null
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Reviewer — Role guidance
|
|
15
|
+
|
|
16
|
+
Load this before drafting. These are the failure modes that separate strong role output from weak role output — check your draft against each.
|
|
17
|
+
|
|
18
|
+
|
|
19
|
+
### 1. Nit-picking over structure
|
|
20
|
+
**Symptom**: the review focuses on variable names and formatting while leaving the structural problem — wrong abstraction, missing tests, unsafe concurrency — unflagged.
|
|
21
|
+
**Why it fails**: the author fixes the surface and ships the real bug. The reviewer signals thoroughness while providing no real coverage.
|
|
22
|
+
**Counter-move**: audit structure first — correctness, blast radius, invariants, test coverage — before any style feedback.
|
|
23
|
+
|
|
24
|
+
### 2. LGTM without running the code
|
|
25
|
+
**Symptom**: approval given based on reading the diff, with no build, no test run, no exploration of the change in situ.
|
|
26
|
+
**Why it fails**: the diff hides integration bugs, broken imports, and runtime behavior that reading cannot catch.
|
|
27
|
+
**Counter-move**: pull the branch. Run the build. Run the tests. Exercise the changed path at least once.
|
|
28
|
+
|
|
29
|
+
### 3. Missed blast radius
|
|
30
|
+
**Symptom**: the review evaluates the change in isolation without identifying what else the change could affect.
|
|
31
|
+
**Why it fails**: shared utilities, public APIs, and cross-module contracts get broken silently.
|
|
32
|
+
**Counter-move**: grep for callers of anything changed. Check whether the change is backwards-compatible for each.
|
|
33
|
+
|
|
34
|
+
### 4. No severity
|
|
35
|
+
**Symptom**: all feedback presented at the same weight — a typo and a security vulnerability get equal prominence.
|
|
36
|
+
**Why it fails**: the author cannot tell what blocks merge versus what is optional. Real issues get lost.
|
|
37
|
+
**Counter-move**: label each finding CRITICAL / HIGH / MEDIUM / LOW. State what the author must address before merge.
|
|
38
|
+
|
|
39
|
+
### 5. Unfalsifiable suggestions
|
|
40
|
+
**Symptom**: feedback like "this feels off" or "consider a cleaner approach" without a specific alternative or reason.
|
|
41
|
+
**Why it fails**: the author cannot act on it; rounds of revision drift without convergence.
|
|
42
|
+
**Counter-move**: name the concrete alternative or the specific principle being violated. If you cannot, omit the comment.
|
|
43
|
+
|
|
44
|
+
### 6. Skipping the tests
|
|
45
|
+
**Symptom**: review approves without looking at whether new behavior is covered by tests, whether tests actually test what they claim, or whether existing tests still pass.
|
|
46
|
+
**Why it fails**: coverage erodes quietly; bugs ship under the protection of a passing suite that tests the wrong thing.
|
|
47
|
+
**Counter-move**: verify new behavior has at least one test that would fail if the behavior regressed. Read the tests, not just the coverage number.
|
|
48
|
+
|
|
49
|
+
### 7. Overriding instead of reviewing
|
|
50
|
+
**Symptom**: the reviewer rewrites the change themselves instead of explaining the problem.
|
|
51
|
+
**Why it fails**: the author does not learn. The reviewer becomes the bottleneck. The code loses the author's context.
|
|
52
|
+
**Counter-move**: describe the issue and the principle. Let the author propose the fix. Rewrite only when specifically asked.
|
|
53
|
+
|
|
54
|
+
### 8. Silent approval of risky changes
|
|
55
|
+
**Symptom**: a change touching auth, payments, migrations, or data integrity gets waved through without explicit scrutiny of the risk.
|
|
56
|
+
**Why it fails**: high-blast-radius changes ship without the review rigor they warrant.
|
|
57
|
+
**Counter-move**: flag risky changes up-front. Require the author to state the rollback plan. Escalate to security or SRE if the domain warrants.
|
|
58
|
+
|
|
59
|
+
## Self-check before shipping
|
|
60
|
+
|
|
61
|
+
- [ ] Structural issues evaluated before stylistic ones
|
|
62
|
+
- [ ] Branch pulled, build run, tests run, changed path exercised
|
|
63
|
+
- [ ] Callers of changed code identified; backwards-compatibility checked
|
|
64
|
+
- [ ] Each finding labeled CRITICAL / HIGH / MEDIUM / LOW
|
|
65
|
+
- [ ] Every suggestion names a concrete alternative or principle
|
|
66
|
+
- [ ] New behavior has a test that would catch its regression
|
|
67
|
+
- [ ] High-risk domains (auth, payments, data) explicitly scrutinized
|
|
68
|
+
- [ ] Rewrote only when asked; otherwise described the issue
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/reviewer.trace.md — Anti-pattern guidance for the Reviewer.trace (trace) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the reviewer.trace (trace) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-trace-reviewer.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: reviewer.trace
|
|
10
|
+
applies_to: [cx-trace-reviewer]
|
|
11
|
+
inherits: reviewer
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Trace Reviewer Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the reviewer core.
|
|
17
|
+
|
|
18
|
+
|
|
19
|
+
### 1. Reading traces in isolation
|
|
20
|
+
**Symptom**: judging a single trace as good or bad without the context of the surrounding distribution.
|
|
21
|
+
**Why it fails**: an individual trace may be fine while the system is failing in aggregate, or vice versa.
|
|
22
|
+
**Counter-move**: pull a sample (20+) of similar traces. Characterize the distribution before judging any one.
|
|
23
|
+
|
|
24
|
+
### 2. Score without evidence citation
|
|
25
|
+
**Symptom**: writing a low score with a general complaint ("response is unclear") and no span reference.
|
|
26
|
+
**Why it fails**: the author can't locate the issue; the feedback isn't actionable.
|
|
27
|
+
**Counter-move**: cite the specific span, step, or tool call by ID. Quote the offending output.
|
|
28
|
+
|
|
29
|
+
### 3. Confusing latency with quality
|
|
30
|
+
**Symptom**: marking slow traces as bad or fast traces as good without checking the output.
|
|
31
|
+
**Why it fails**: two orthogonal axes; conflating them drives optimization at the expense of correctness.
|
|
32
|
+
**Counter-move**: score latency and quality separately. Report both.
|
|
33
|
+
|
|
34
|
+
### 4. Ignoring tool-call failures
|
|
35
|
+
**Symptom**: reviewing the final output while skipping over failed or retried tool calls mid-trace.
|
|
36
|
+
**Why it fails**: the final output may mask a degraded path that costs time, money, or reliability.
|
|
37
|
+
**Counter-move**: examine the full tool-call chain. Flag any failure, retry, or fallback.
|
|
38
|
+
|
|
39
|
+
## Self-check before shipping
|
|
40
|
+
- [ ] Judged against a sampled distribution, not one trace
|
|
41
|
+
- [ ] Each issue cites a specific span or tool call
|
|
42
|
+
- [ ] Latency and quality reported separately
|
|
43
|
+
- [ ] Full tool-call chain examined
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/security.ai.md — Anti-pattern guidance for the Security.ai (ai) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the security.ai (ai) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-security, cx-ai-engineer.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: security.ai
|
|
10
|
+
applies_to: [cx-security, cx-ai-engineer]
|
|
11
|
+
inherits: security
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# AI Security Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the security core.
|
|
17
|
+
|
|
18
|
+
### 1. Prompt injection treated as prompt quality
|
|
19
|
+
**Symptom**: hostile instructions in retrieved or user-provided content are handled by stronger wording.
|
|
20
|
+
**Why it fails**: model obedience is not a security boundary.
|
|
21
|
+
**Counter-move**: separate data from instructions, constrain tools, validate outputs, and deny unsafe actions by policy.
|
|
22
|
+
|
|
23
|
+
### 2. Tool access too broad
|
|
24
|
+
**Symptom**: the model can call tools unrelated to the current task or with unchecked arguments.
|
|
25
|
+
**Why it fails**: compromised context can trigger real side effects.
|
|
26
|
+
**Counter-move**: scope tools per task, validate schemas, and require approval for destructive or external actions.
|
|
27
|
+
|
|
28
|
+
### 3. Retrieval leaks data
|
|
29
|
+
**Symptom**: vector search ignores tenant, permission, retention, or sensitivity labels.
|
|
30
|
+
**Why it fails**: embeddings can bypass normal access-control paths.
|
|
31
|
+
**Counter-move**: enforce ACL-aware retrieval, source citation, redaction, and index freshness checks.
|
|
32
|
+
|
|
33
|
+
## Self-check before shipping
|
|
34
|
+
- [ ] Prompt injection paths are modeled
|
|
35
|
+
- [ ] Tool access is scoped and schema-validated
|
|
36
|
+
- [ ] Retrieval respects ACL, tenant, retention, and sensitivity boundaries
|
|
37
|
+
- [ ] Unsafe outputs have validation or human review
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/security.appsec.md — Anti-pattern guidance for the Security.appsec (appsec) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the security.appsec (appsec) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-security.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: security.appsec
|
|
10
|
+
applies_to: [cx-security]
|
|
11
|
+
inherits: security
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# AppSec Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the security core.
|
|
17
|
+
|
|
18
|
+
### 1. Trusting framework defaults
|
|
19
|
+
**Symptom**: auth, CSRF, XSS, serialization, or validation is assumed safe because the framework usually handles it.
|
|
20
|
+
**Why it fails**: custom glue code is where defaults stop applying.
|
|
21
|
+
**Counter-move**: trace untrusted input from boundary to sink and verify explicit controls at each hop.
|
|
22
|
+
|
|
23
|
+
### 2. Authorization checked only at the UI
|
|
24
|
+
**Symptom**: controls hide actions but APIs still accept them.
|
|
25
|
+
**Why it fails**: attackers call APIs directly.
|
|
26
|
+
**Counter-move**: verify server-side authorization for every privileged operation.
|
|
27
|
+
|
|
28
|
+
### 3. Errors and logs leak context
|
|
29
|
+
**Symptom**: debug details, identifiers, tokens, or PII are logged or returned.
|
|
30
|
+
**Why it fails**: observability becomes data exposure.
|
|
31
|
+
**Counter-move**: check log paths and error responses for sensitive data.
|
|
32
|
+
|
|
33
|
+
## Self-check before shipping
|
|
34
|
+
- [ ] Input-to-sink paths are traced
|
|
35
|
+
- [ ] Server-side authorization gates privileged operations
|
|
36
|
+
- [ ] Error and log output avoids sensitive data
|
|
37
|
+
- [ ] Tests cover malicious and unauthorized requests
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/security.cloud.md — Anti-pattern guidance for the Security.cloud (cloud) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the security.cloud (cloud) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-security.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: security.cloud
|
|
10
|
+
applies_to: [cx-security]
|
|
11
|
+
inherits: security
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Cloud Security Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the security core.
|
|
17
|
+
|
|
18
|
+
### 1. Overbroad identity
|
|
19
|
+
**Symptom**: services run with wildcard permissions, shared roles, or long-lived credentials.
|
|
20
|
+
**Why it fails**: one compromise becomes account-wide access.
|
|
21
|
+
**Counter-move**: require least privilege, workload identity, rotation, and clear blast-radius boundaries.
|
|
22
|
+
|
|
23
|
+
### 2. Public exposure by default
|
|
24
|
+
**Symptom**: buckets, queues, databases, dashboards, or admin endpoints rely on obscurity or network convention.
|
|
25
|
+
**Why it fails**: accidental public access is a common cloud breach path.
|
|
26
|
+
**Counter-move**: verify network policy, encryption, logging, and public access blocks.
|
|
27
|
+
|
|
28
|
+
### 3. No evidence trail
|
|
29
|
+
**Symptom**: security controls exist but cannot be demonstrated.
|
|
30
|
+
**Why it fails**: incidents and audits require evidence, not intent.
|
|
31
|
+
**Counter-move**: ensure audit logs, policy-as-code checks, and drift detection are present.
|
|
32
|
+
|
|
33
|
+
## Self-check before shipping
|
|
34
|
+
- [ ] IAM is least-privilege and scoped by workload
|
|
35
|
+
- [ ] Public access, encryption, network policy, and secrets are checked
|
|
36
|
+
- [ ] Audit logs and drift detection exist
|
|
37
|
+
- [ ] Blast radius is explicit
|
|
@@ -0,0 +1,49 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/security.legal-compliance.md — Anti-pattern guidance for the Security.legal-compliance (legal compliance) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the security.legal-compliance (legal compliance) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-legal-compliance.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: security.legal-compliance
|
|
10
|
+
applies_to: [cx-legal-compliance]
|
|
11
|
+
inherits: security
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Legal & Compliance Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the security core.
|
|
17
|
+
|
|
18
|
+
|
|
19
|
+
### 1. Compliance theater
|
|
20
|
+
**Symptom**: producing policy documents to pass audit while the implementation doesn't match.
|
|
21
|
+
**Why it fails**: real incidents expose the gap; regulators and customers lose trust faster than they were gained.
|
|
22
|
+
**Counter-move**: each policy commitment maps to a testable control in the code or process. No control, no commitment.
|
|
23
|
+
|
|
24
|
+
### 2. Data retention without deletion
|
|
25
|
+
**Symptom**: a retention policy on paper; no automated purge job in production.
|
|
26
|
+
**Why it fails**: PII accumulates; GDPR/CCPA deletion requests can't be honored; breach blast radius grows.
|
|
27
|
+
**Counter-move**: implement retention as scheduled deletion at the storage layer. Test the purge quarterly.
|
|
28
|
+
|
|
29
|
+
### 3. Consent as checkbox
|
|
30
|
+
**Symptom**: a single pre-checked "I agree" that bundles analytics, marketing, and third-party sharing.
|
|
31
|
+
**Why it fails**: fails GDPR specificity requirements; CCPA opt-out obligations get buried.
|
|
32
|
+
**Counter-move**: granular consent per purpose; opt-in unchecked; withdrawal as easy as granting.
|
|
33
|
+
|
|
34
|
+
### 4. AI features without disclosure
|
|
35
|
+
**Symptom**: shipping an AI-powered feature without telling users their data trains or feeds a model.
|
|
36
|
+
**Why it fails**: growing disclosure obligations (EU AI Act, FTC guidance); trust loss if discovered later.
|
|
37
|
+
**Counter-move**: disclose AI use, data flow, and opt-out path in-product. Update privacy policy in the same change.
|
|
38
|
+
|
|
39
|
+
### 5. License drift in dependencies
|
|
40
|
+
**Symptom**: adding a GPL or AGPL dependency to a proprietary product without review.
|
|
41
|
+
**Why it fails**: contaminates the license of the whole product; costly to unwind later.
|
|
42
|
+
**Counter-move**: automated license scan in CI; allowlist policy per product tier.
|
|
43
|
+
|
|
44
|
+
## Self-check before shipping
|
|
45
|
+
- [ ] Policies map to testable controls
|
|
46
|
+
- [ ] Retention enforced by automated deletion
|
|
47
|
+
- [ ] Consent granular, opt-in, withdrawable
|
|
48
|
+
- [ ] AI use disclosed in-product and in policy
|
|
49
|
+
- [ ] Dependency licenses scanned and allowlisted
|