claude-code-pilot 3.2.0 → 3.3.1
- package/CHANGELOG.md +67 -0
- package/README.md +14 -9
- package/bin/install.js +124 -16
- package/manifest.json +18 -3
- package/package.json +3 -2
- package/src/agents/django-build-resolver.md +252 -0
- package/src/agents/django-reviewer.md +169 -0
- package/src/agents/fastapi-reviewer.md +79 -0
- package/src/agents/fsharp-reviewer.md +109 -0
- package/src/agents/swift-build-resolver.md +170 -0
- package/src/agents/swift-reviewer.md +116 -0
- package/src/commands/ccp/cost-report.md +107 -0
- package/src/commands/ccp/intel.md +3 -3
- package/src/commands/ccp/mvp-phase.md +45 -0
- package/src/commands/ccp/plan-prd.md +160 -0
- package/src/commands/ccp/pr-ecc.md +184 -0
- package/src/commands/ccp/security-scan.md +74 -0
- package/src/hooks/ccp-bash-hook-dispatcher.js +96 -0
- package/src/hooks/ccp-context-monitor.js +23 -0
- package/src/hooks/ccp-doc-file-warning.js +93 -0
- package/src/hooks/ccp-pre-bash-dispatcher.js +24 -0
- package/src/hooks/ccp-write-gateguard.js +868 -0
- package/src/lib/project-detect.js +0 -2
- package/src/lib/shell-substitution.js +499 -0
- package/src/pilot/references/execute-mvp-tdd.md +81 -0
- package/src/pilot/references/mvp-concepts.md +49 -0
- package/src/pilot/references/planner-graphify-auto-update.md +67 -0
- package/src/pilot/references/planner-human-verify-mode.md +57 -0
- package/src/pilot/references/planner-mvp-mode.md +53 -0
- package/src/pilot/references/skeleton-template.md +48 -0
- package/src/pilot/references/spidr-splitting.md +69 -0
- package/src/pilot/references/user-story-template.md +58 -0
- package/src/pilot/references/verify-mvp-mode.md +85 -0
- package/src/pilot/references/worktree-path-safety.md +89 -0
- package/src/pilot/workflows/help.md +5 -0
- package/src/pilot/workflows/mvp-phase.md +199 -0
- package/src/skills/agent-architecture-audit/SKILL.md +256 -0
- package/src/skills/agent-harness-design/SKILL.md +73 -0
- package/src/skills/angular-developer/SKILL.md +154 -0
- package/src/skills/angular-developer/references/angular-animations.md +160 -0
- package/src/skills/angular-developer/references/angular-aria.md +410 -0
- package/src/skills/angular-developer/references/cli.md +86 -0
- package/src/skills/angular-developer/references/component-harnesses.md +59 -0
- package/src/skills/angular-developer/references/component-styling.md +91 -0
- package/src/skills/angular-developer/references/components.md +117 -0
- package/src/skills/angular-developer/references/creating-services.md +97 -0
- package/src/skills/angular-developer/references/data-resolvers.md +69 -0
- package/src/skills/angular-developer/references/define-routes.md +67 -0
- package/src/skills/angular-developer/references/defining-providers.md +72 -0
- package/src/skills/angular-developer/references/di-fundamentals.md +120 -0
- package/src/skills/angular-developer/references/e2e-testing.md +56 -0
- package/src/skills/angular-developer/references/effects.md +83 -0
- package/src/skills/angular-developer/references/hierarchical-injectors.md +43 -0
- package/src/skills/angular-developer/references/host-elements.md +80 -0
- package/src/skills/angular-developer/references/injection-context.md +63 -0
- package/src/skills/angular-developer/references/inputs.md +101 -0
- package/src/skills/angular-developer/references/linked-signal.md +59 -0
- package/src/skills/angular-developer/references/loading-strategies.md +61 -0
- package/src/skills/angular-developer/references/mcp.md +108 -0
- package/src/skills/angular-developer/references/navigate-to-routes.md +69 -0
- package/src/skills/angular-developer/references/outputs.md +86 -0
- package/src/skills/angular-developer/references/reactive-forms.md +122 -0
- package/src/skills/angular-developer/references/rendering-strategies.md +44 -0
- package/src/skills/angular-developer/references/resource.md +77 -0
- package/src/skills/angular-developer/references/route-animations.md +56 -0
- package/src/skills/angular-developer/references/route-guards.md +52 -0
- package/src/skills/angular-developer/references/router-lifecycle.md +45 -0
- package/src/skills/angular-developer/references/router-testing.md +87 -0
- package/src/skills/angular-developer/references/show-routes-with-outlets.md +68 -0
- package/src/skills/angular-developer/references/signal-forms.md +795 -0
- package/src/skills/angular-developer/references/signals-overview.md +94 -0
- package/src/skills/angular-developer/references/tailwind-css.md +69 -0
- package/src/skills/angular-developer/references/template-driven-forms.md +114 -0
- package/src/skills/angular-developer/references/testing-fundamentals.md +65 -0
- package/src/skills/error-handling/SKILL.md +376 -0
- package/src/skills/fastapi-patterns/SKILL.md +327 -0
- package/src/skills/flox-environments/SKILL.md +496 -0
- package/src/skills/fsharp-testing/SKILL.md +280 -0
- package/src/skills/ios-icon-gen/SKILL.md +157 -0
- package/src/skills/ios-icon-gen/scripts/generate_icons.swift +258 -0
- package/src/skills/ios-icon-gen/scripts/iconify_gen.sh +235 -0
- package/src/skills/make-interfaces-feel-better/SKILL.md +151 -0
- package/src/skills/mysql-patterns/SKILL.md +412 -0
- package/src/skills/plan-orchestrate/SKILL.md +220 -0
- package/src/skills/prisma-patterns/SKILL.md +371 -0
- package/src/skills/production-audit/SKILL.md +206 -0
- package/src/skills/security-scan/references/agentshield-policy-exception/candidate-playbook.md +49 -0
- package/src/skills/security-scan/references/agentshield-policy-exception/report.json +35 -0
- package/src/skills/security-scan/references/agentshield-policy-exception/scenario.json +62 -0
- package/src/skills/security-scan/references/agentshield-policy-exception/trace.json +45 -0
- package/src/skills/security-scan/references/agentshield-policy-exception/verifier-result.json +35 -0
- package/src/skills/vite-patterns/SKILL.md +449 -0
- package/src/skills/windows-desktop-e2e/SKILL.md +887 -0
|
@@ -0,0 +1,412 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: mysql-patterns
|
|
3
|
+
description: MySQL and MariaDB schema, query, indexing, transaction, replication, and connection-pool patterns for production backends.
|
|
4
|
+
origin: ECC
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# MySQL Patterns
|
|
8
|
+
|
|
9
|
+
Use this skill when working on MySQL or MariaDB schema design, migrations,
|
|
10
|
+
slow-query investigation, queue-style transactions, connection pools, or
|
|
11
|
+
production database configuration. Prefer exact version checks before applying a
|
|
12
|
+
feature-specific pattern because MySQL and MariaDB have diverged in several SQL
|
|
13
|
+
details.
|
|
14
|
+
|
|
15
|
+
## Activation
|
|
16
|
+
|
|
17
|
+
- Designing MySQL or MariaDB tables, indexes, and constraints
|
|
18
|
+
- Reviewing migrations before they run on large production tables
|
|
19
|
+
- Debugging slow queries, lock waits, deadlocks, or connection exhaustion
|
|
20
|
+
- Adding keyset pagination, upserts, full-text search, JSON columns, or queues
|
|
21
|
+
- Configuring application connection pools, read replicas, TLS, or slow logs
|
|
22
|
+
|
|
23
|
+
## Version Check
|
|
24
|
+
|
|
25
|
+
Start by identifying the engine and version:
|
|
26
|
+
|
|
27
|
+
```sql
|
|
28
|
+
SELECT VERSION();
|
|
29
|
+
SHOW VARIABLES LIKE 'version_comment';
|
|
30
|
+
```
|
|
31
|
+
|
|
32
|
+
Keep MySQL and MariaDB guidance separate when syntax differs:
|
|
33
|
+
|
|
34
|
+
- MySQL documents row aliases as the replacement for `VALUES(col)` in
|
|
35
|
+
`ON DUPLICATE KEY UPDATE`; `VALUES(col)` is deprecated there.
|
|
36
|
+
- MariaDB documents `VALUES(col)` as the supported way to reference inserted
|
|
37
|
+
values in `ON DUPLICATE KEY UPDATE`; use it for cross-engine compatibility.
|
|
38
|
+
- `SKIP LOCKED` is appropriate for queue-like work only. It skips locked rows
|
|
39
|
+
and can return an inconsistent view, so do not use it for general accounting
|
|
40
|
+
or integrity-sensitive reads.
|
|
41
|
+
|
|
42
|
+
## Schema Defaults
|
|
43
|
+
|
|
44
|
+
```sql
|
|
45
|
+
CREATE TABLE orders (
|
|
46
|
+
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
|
|
47
|
+
account_id BIGINT UNSIGNED NOT NULL,
|
|
48
|
+
status VARCHAR(32) NOT NULL,
|
|
49
|
+
total DECIMAL(15, 2) NOT NULL,
|
|
50
|
+
created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
|
51
|
+
updated_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
|
|
52
|
+
deleted_at DATETIME NULL,
|
|
53
|
+
PRIMARY KEY (id),
|
|
54
|
+
KEY idx_orders_account_status_created (account_id, status, created_at),
|
|
55
|
+
KEY idx_orders_active (account_id, deleted_at)
|
|
56
|
+
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
Default choices:
|
|
60
|
+
|
|
61
|
+
| Use Case | Prefer | Avoid |
|
|
62
|
+
| --- | --- | --- |
|
|
63
|
+
| Surrogate primary keys | `BIGINT UNSIGNED AUTO_INCREMENT` | `INT` for tables that can grow beyond 2B rows |
|
|
64
|
+
| UUID lookup keys | `BINARY(16)` with conversion helpers | `VARCHAR(36)` primary keys on hot tables |
|
|
65
|
+
| Money and exact quantities | `DECIMAL(p, s)` | `FLOAT` or `DOUBLE` |
|
|
66
|
+
| User-facing text | `utf8mb4` tables and indexes | MySQL `utf8` / `utf8mb3` defaults |
|
|
67
|
+
| Application timestamps | `DATETIME` with UTC managed by the app | Assuming `DATETIME` stores time zone metadata |
|
|
68
|
+
| Soft deletes | `deleted_at DATETIME NULL` plus scoped indexes | Filtering soft-deleted rows without an index |
|
|
69
|
+
| Extensible status values | lookup table or constrained `VARCHAR` | `ENUM` when values change often |
|
|
70
|
+
|
|
71
|
+
## Indexing
|
|
72
|
+
|
|
73
|
+
Composite index order usually follows equality predicates first, then range or
|
|
74
|
+
sort columns:
|
|
75
|
+
|
|
76
|
+
```sql
|
|
77
|
+
CREATE INDEX idx_orders_account_status_created
|
|
78
|
+
ON orders (account_id, status, created_at);
|
|
79
|
+
|
|
80
|
+
SELECT id, total
|
|
81
|
+
FROM orders
|
|
82
|
+
WHERE account_id = ?
|
|
83
|
+
AND status = 'pending'
|
|
84
|
+
AND created_at >= ?
|
|
85
|
+
ORDER BY created_at DESC
|
|
86
|
+
LIMIT 50;
|
|
87
|
+
```
|
|
88
|
+
|
|
89
|
+
Use `EXPLAIN` before adding or changing an index:
|
|
90
|
+
|
|
91
|
+
```sql
|
|
92
|
+
EXPLAIN
|
|
93
|
+
SELECT id, total
|
|
94
|
+
FROM orders
|
|
95
|
+
WHERE account_id = 123 AND status = 'pending'
|
|
96
|
+
ORDER BY created_at DESC
|
|
97
|
+
LIMIT 50;
|
|
98
|
+
```
|
|
99
|
+
|
|
100
|
+
Signals to investigate:
|
|
101
|
+
|
|
102
|
+
| Field | Risk Signal |
|
|
103
|
+
| --- | --- |
|
|
104
|
+
| `type` | `ALL` on a large table |
|
|
105
|
+
| `key` | `NULL` when a selective predicate exists |
|
|
106
|
+
| `rows` | Very high row estimate for an interactive path |
|
|
107
|
+
| `Extra` | `Using temporary`, `Using filesort`, or broad `Using where` |
|
|
108
|
+
|
|
109
|
+
Avoid adding indexes blindly. Each index increases write cost, migration time,
|
|
110
|
+
backup size, and buffer-pool pressure.
|
|
111
|
+
|
|
112
|
+
## Query Patterns
|
|
113
|
+
|
|
114
|
+
### Upsert
|
|
115
|
+
|
|
116
|
+
Cross-engine-compatible form:
|
|
117
|
+
|
|
118
|
+
```sql
|
|
119
|
+
INSERT INTO user_settings (user_id, setting_key, setting_value)
|
|
120
|
+
VALUES (?, ?, ?)
|
|
121
|
+
ON DUPLICATE KEY UPDATE
|
|
122
|
+
setting_value = VALUES(setting_value),
|
|
123
|
+
updated_at = CURRENT_TIMESTAMP;
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
MySQL row-alias form:
|
|
127
|
+
|
|
128
|
+
```sql
|
|
129
|
+
INSERT INTO user_settings (user_id, setting_key, setting_value)
|
|
130
|
+
VALUES (?, ?, ?) AS new
|
|
131
|
+
ON DUPLICATE KEY UPDATE
|
|
132
|
+
setting_value = new.setting_value,
|
|
133
|
+
updated_at = CURRENT_TIMESTAMP;
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
Use the row-alias form only after confirming the target is MySQL. Use
|
|
137
|
+
`VALUES(col)` for MariaDB or mixed MySQL/MariaDB fleets.
|
|
138
|
+
|
|
139
|
+
### Keyset Pagination
|
|
140
|
+
|
|
141
|
+
```sql
|
|
142
|
+
SELECT id, name, created_at
|
|
143
|
+
FROM products
|
|
144
|
+
WHERE (created_at, id) < (?, ?)
|
|
145
|
+
ORDER BY created_at DESC, id DESC
|
|
146
|
+
LIMIT 50;
|
|
147
|
+
```
|
|
148
|
+
|
|
149
|
+
Back it with an index that matches the cursor:
|
|
150
|
+
|
|
151
|
+
```sql
|
|
152
|
+
CREATE INDEX idx_products_created_id ON products (created_at, id);
|
|
153
|
+
```
|
|
154
|
+
|
|
155
|
+
Do not use deep `OFFSET` pagination on large tables; it makes the server scan
|
|
156
|
+
and discard rows before returning the page.
|
|
157
|
+
|
|
158
|
+
### JSON Fields
|
|
159
|
+
|
|
160
|
+
Use JSON columns for extension data, not for fields that need heavy relational
|
|
161
|
+
filtering or constraints.
|
|
162
|
+
|
|
163
|
+
```sql
|
|
164
|
+
CREATE TABLE events (
|
|
165
|
+
id BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
|
|
166
|
+
payload JSON NOT NULL,
|
|
167
|
+
event_type VARCHAR(64)
|
|
168
|
+
GENERATED ALWAYS AS (JSON_UNQUOTE(JSON_EXTRACT(payload, '$.type'))) STORED,
|
|
169
|
+
KEY idx_events_type (event_type)
|
|
170
|
+
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
|
|
171
|
+
```
|
|
172
|
+
|
|
173
|
+
For frequently queried JSON paths, expose a generated column and index that
|
|
174
|
+
column. Keep foreign keys, ownership, tenancy, and lifecycle fields relational.
|
|
175
|
+
|
|
176
|
+
### Full-Text Search
|
|
177
|
+
|
|
178
|
+
```sql
|
|
179
|
+
ALTER TABLE articles ADD FULLTEXT KEY ft_articles_title_body (title, body);
|
|
180
|
+
|
|
181
|
+
SELECT id, title, MATCH(title, body) AGAINST (? IN NATURAL LANGUAGE MODE) AS score
|
|
182
|
+
FROM articles
|
|
183
|
+
WHERE MATCH(title, body) AGAINST (? IN NATURAL LANGUAGE MODE)
|
|
184
|
+
ORDER BY score DESC
|
|
185
|
+
LIMIT 20;
|
|
186
|
+
```
|
|
187
|
+
|
|
188
|
+
Use external search when you need typo tolerance, complex ranking, cross-table
|
|
189
|
+
facets, or language-specific analysis beyond built-in full-text behavior.
|
|
190
|
+
|
|
191
|
+
## Transactions
|
|
192
|
+
|
|
193
|
+
Keep transactions short and lock rows in a consistent order:
|
|
194
|
+
|
|
195
|
+
```sql
|
|
196
|
+
START TRANSACTION;
|
|
197
|
+
|
|
198
|
+
SELECT id, balance
|
|
199
|
+
FROM accounts
|
|
200
|
+
WHERE id IN (?, ?)
|
|
201
|
+
ORDER BY id
|
|
202
|
+
FOR UPDATE;
|
|
203
|
+
|
|
204
|
+
UPDATE accounts SET balance = balance - ? WHERE id = ?;
|
|
205
|
+
UPDATE accounts SET balance = balance + ? WHERE id = ?;
|
|
206
|
+
|
|
207
|
+
COMMIT;
|
|
208
|
+
```
|
|
209
|
+
|
|
210
|
+
Deadlock and lock-wait checklist:
|
|
211
|
+
|
|
212
|
+
- Lock rows in a deterministic order across code paths.
|
|
213
|
+
- Do external API calls before opening the transaction, not inside it.
|
|
214
|
+
- Add indexes for predicates used in `UPDATE`, `DELETE`, and locking reads.
|
|
215
|
+
- On deadlock, roll back and retry the whole transaction with a bounded retry
|
|
216
|
+
budget.
|
|
217
|
+
- Capture `SHOW ENGINE INNODB STATUS\G` soon after a deadlock; it is overwritten
|
|
218
|
+
by later events.
|
|
219
|
+
|
|
220
|
+
Queue-style worker claim:
|
|
221
|
+
|
|
222
|
+
```sql
|
|
223
|
+
START TRANSACTION;
|
|
224
|
+
|
|
225
|
+
SELECT id
|
|
226
|
+
FROM jobs
|
|
227
|
+
WHERE status = 'pending'
|
|
228
|
+
ORDER BY created_at
|
|
229
|
+
LIMIT 1
|
|
230
|
+
FOR UPDATE SKIP LOCKED;
|
|
231
|
+
|
|
232
|
+
UPDATE jobs
|
|
233
|
+
SET status = 'processing', started_at = CURRENT_TIMESTAMP
|
|
234
|
+
WHERE id = ?;
|
|
235
|
+
|
|
236
|
+
COMMIT;
|
|
237
|
+
```
|
|
238
|
+
|
|
239
|
+
Use `SKIP LOCKED` only for queue-like workloads where skipping a locked row is
|
|
240
|
+
acceptable. It is not a replacement for normal transactional consistency.
|
|
241
|
+
|
|
242
|
+
## Connection Pools
|
|
243
|
+
|
|
244
|
+
SQLAlchemy example:
|
|
245
|
+
|
|
246
|
+
```python
|
|
247
|
+
from sqlalchemy import create_engine
|
|
248
|
+
|
|
249
|
+
engine = create_engine(
|
|
250
|
+
"mysql+mysqlconnector://app:secret@db.internal/app",
|
|
251
|
+
pool_size=10,
|
|
252
|
+
max_overflow=5,
|
|
253
|
+
pool_timeout=30,
|
|
254
|
+
pool_recycle=240,
|
|
255
|
+
pool_pre_ping=True,
|
|
256
|
+
connect_args={"connect_timeout": 5},
|
|
257
|
+
)
|
|
258
|
+
```
|
|
259
|
+
|
|
260
|
+
Node.js `mysql2` example:
|
|
261
|
+
|
|
262
|
+
```javascript
|
|
263
|
+
import mysql from 'mysql2/promise';
|
|
264
|
+
|
|
265
|
+
const pool = mysql.createPool({
|
|
266
|
+
host: process.env.DB_HOST,
|
|
267
|
+
user: process.env.DB_USER,
|
|
268
|
+
password: process.env.DB_PASSWORD,
|
|
269
|
+
database: process.env.DB_NAME,
|
|
270
|
+
waitForConnections: true,
|
|
271
|
+
connectionLimit: 10,
|
|
272
|
+
queueLimit: 0,
|
|
273
|
+
enableKeepAlive: true,
|
|
274
|
+
keepAliveInitialDelay: 30000,
|
|
275
|
+
});
|
|
276
|
+
|
|
277
|
+
const [rows] = await pool.execute(
|
|
278
|
+
'SELECT id, total FROM orders WHERE account_id = ? LIMIT 50',
|
|
279
|
+
[accountId],
|
|
280
|
+
);
|
|
281
|
+
```
|
|
282
|
+
|
|
283
|
+
Keep application pool recycling below the server `wait_timeout`. If the server
|
|
284
|
+
uses `wait_timeout = 300`, a `pool_recycle` around 240 seconds is coherent;
|
|
285
|
+
`pool_pre_ping` still helps recover from network and failover events.
|
|
286
|
+
|
|
287
|
+
## Diagnostics
|
|
288
|
+
|
|
289
|
+
Useful first-pass commands:
|
|
290
|
+
|
|
291
|
+
```sql
|
|
292
|
+
SHOW FULL PROCESSLIST;
|
|
293
|
+
SHOW ENGINE INNODB STATUS\G;
|
|
294
|
+
SHOW VARIABLES LIKE 'slow_query_log';
|
|
295
|
+
SHOW VARIABLES LIKE 'long_query_time';
|
|
296
|
+
```
|
|
297
|
+
|
|
298
|
+
Enable the slow log in a controlled environment:
|
|
299
|
+
|
|
300
|
+
```sql
|
|
301
|
+
SET GLOBAL slow_query_log = 'ON';
|
|
302
|
+
SET GLOBAL long_query_time = 1;
|
|
303
|
+
SET GLOBAL log_queries_not_using_indexes = 'ON';
|
|
304
|
+
```
|
|
305
|
+
|
|
306
|
+
Use `EXPLAIN ANALYZE` only when it is safe to execute the query. It runs the
|
|
307
|
+
statement and can be expensive on production-sized data.
|
|
308
|
+
|
|
309
|
+
## Replication
|
|
310
|
+
|
|
311
|
+
Read replicas can lag. Do not route read-your-own-write paths, checkout flows,
|
|
312
|
+
permission checks, or idempotency-key reads to a replica immediately after a
|
|
313
|
+
write.
|
|
314
|
+
|
|
315
|
+
```sql
|
|
316
|
+
-- MySQL legacy terminology, still common in existing fleets
|
|
317
|
+
SHOW SLAVE STATUS\G;
|
|
318
|
+
|
|
319
|
+
-- Newer terminology where supported
|
|
320
|
+
SHOW REPLICA STATUS\G;
|
|
321
|
+
```
|
|
322
|
+
|
|
323
|
+
Check the engine/version before standardizing on one command. Monitor replica
|
|
324
|
+
SQL thread health, IO thread health, and lag, not just whether the TCP
|
|
325
|
+
connection is alive.
|
|
326
|
+
|
|
327
|
+
## Security
|
|
328
|
+
|
|
329
|
+
```sql
|
|
330
|
+
CREATE USER 'app'@'%' IDENTIFIED BY 'use-a-secret-manager';
|
|
331
|
+
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'%';
|
|
332
|
+
|
|
333
|
+
ALTER USER 'app'@'%' REQUIRE SSL;
|
|
334
|
+
|
|
335
|
+
SELECT user, host
|
|
336
|
+
FROM mysql.user
|
|
337
|
+
WHERE user = '';
|
|
338
|
+
|
|
339
|
+
DROP USER IF EXISTS ''@'localhost';
|
|
340
|
+
DROP USER IF EXISTS ''@'%';
|
|
341
|
+
```
|
|
342
|
+
|
|
343
|
+
Security review points:
|
|
344
|
+
|
|
345
|
+
- Do not grant `ALL PRIVILEGES` or `*.*` to application users.
|
|
346
|
+
- Require TLS for application users when traffic crosses hosts or networks.
|
|
347
|
+
- Store credentials in the platform secret manager, not in examples, scripts, or
|
|
348
|
+
repository files.
|
|
349
|
+
- Separate migration/admin users from runtime application users.
|
|
350
|
+
- Audit public network exposure and bind addresses before tuning performance.
|
|
351
|
+
|
|
352
|
+
## Configuration
|
|
353
|
+
|
|
354
|
+
Example starting point for a dedicated database host:
|
|
355
|
+
|
|
356
|
+
```ini
|
|
357
|
+
[mysqld]
|
|
358
|
+
innodb_buffer_pool_size = 4G
|
|
359
|
+
innodb_flush_log_at_trx_commit = 1
|
|
360
|
+
sync_binlog = 1
|
|
361
|
+
|
|
362
|
+
max_connections = 300
|
|
363
|
+
thread_cache_size = 50
|
|
364
|
+
|
|
365
|
+
wait_timeout = 300
|
|
366
|
+
interactive_timeout = 300
|
|
367
|
+
innodb_lock_wait_timeout = 10
|
|
368
|
+
|
|
369
|
+
slow_query_log = ON
|
|
370
|
+
long_query_time = 1
|
|
371
|
+
log_queries_not_using_indexes = ON
|
|
372
|
+
|
|
373
|
+
log_bin = mysql-bin
|
|
374
|
+
binlog_format = ROW
|
|
375
|
+
binlog_expire_logs_seconds = 604800
|
|
376
|
+
```
|
|
377
|
+
|
|
378
|
+
Treat configuration values as a prompt for review, not a universal preset. Size
|
|
379
|
+
memory, connections, log retention, and durability settings from workload,
|
|
380
|
+
hardware, backup policy, and recovery objectives.
|
|
381
|
+
|
|
382
|
+
## Anti-Patterns
|
|
383
|
+
|
|
384
|
+
| Anti-Pattern | Risk | Better Pattern |
|
|
385
|
+
| --- | --- | --- |
|
|
386
|
+
| `SELECT *` in hot paths | Over-fetching and brittle clients | Select explicit columns |
|
|
387
|
+
| Deep `OFFSET` pagination | Linear scans and slow pages | Keyset pagination |
|
|
388
|
+
| No index on foreign-key joins | Slow joins and lock-heavy deletes | Index FK columns intentionally |
|
|
389
|
+
| Long transactions | Lock waits and large undo history | Commit small units of work |
|
|
390
|
+
| Direct DML against `mysql.user` | Grant-table corruption risk | Use `CREATE USER`, `ALTER USER`, `DROP USER` |
|
|
391
|
+
| Application user with admin grants | High blast radius | Least-privilege runtime user |
|
|
392
|
+
| Pool recycle above `wait_timeout` | Stale pooled connections | Recycle below timeout and pre-ping |
|
|
393
|
+
| Replica reads after writes | Stale user-facing state | Pin read-after-write flows to primary |
|
|
394
|
+
|
|
395
|
+
## Output Expectations
|
|
396
|
+
|
|
397
|
+
When this skill is used for review, return:
|
|
398
|
+
|
|
399
|
+
1. Engine/version assumptions.
|
|
400
|
+
2. Highest-risk correctness, lock, security, and migration issues.
|
|
401
|
+
3. Exact SQL or code changes for the safe path.
|
|
402
|
+
4. Validation plan: `EXPLAIN`, migration dry run, lock/deadlock check, and
|
|
403
|
+
rollback criteria.
|
|
404
|
+
5. Any MySQL/MariaDB syntax differences that affect the recommendation.
|
|
405
|
+
|
|
406
|
+
## Related
|
|
407
|
+
|
|
408
|
+
- Skill: `postgres-patterns` - PostgreSQL-specific schema and query patterns
|
|
409
|
+
- Skill: `database-migrations` - migration planning and rollout safety
|
|
410
|
+
- Skill: `backend-patterns` - API and service-layer patterns
|
|
411
|
+
- Skill: `security-review` - secret handling, auth, and least privilege
|
|
412
|
+
- Agent: `database-reviewer` - broader database review workflow
|
|
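Review bot: The SQLAlchemy example under "Connection Pools" embeds the password in the connection URL (`"mysql+mysqlconnector://app:secret@db.internal/app"`), which contradicts this file's own Security review point to keep credentials out of examples, scripts, and repository files. Build the URL from environment or secret-manager values, the way the `mysql2` example reads `process.env.DB_PASSWORD`. Neither pool example shows any TLS setting, although the Security block runs `ALTER USER 'app'@'%' REQUIRE SSL`; make the client-side TLS configuration explicit in both so the examples match that requirement. Two smaller points: `SHOW ENGINE INNODB STATUS\G;`, `SHOW SLAVE STATUS\G;` and `SHOW REPLICA STATUS\G;` carry both terminators, and in the mysql client the `;` after `\G` is read as an empty statement and reports "No query specified", so keep only one. The Security block also creates the runtime user as `'app'@'%'` while the review points ask to audit network exposure; a narrower host pattern, or a sentence saying `%` is a placeholder, would keep the example in line with the least-privilege guidance.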
@@ -0,0 +1,220 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: plan-orchestrate
|
|
3
|
+
description: Read a plan document, decompose it into steps, design a per-step agent chain from the CCP catalogue, and emit ready-to-paste /orchestrate custom prompts. Generative only — never invokes /orchestrate itself. Use when the user has a multi-step plan and wants to drive it through orchestrate without composing chains by hand.
|
|
4
|
+
origin: ECC
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Plan Orchestrate
|
|
8
|
+
|
|
9
|
+
Bridge a plan document to `/orchestrate custom` by emitting one ready-to-paste invocation per step. The skill is generative only — it never executes `/orchestrate`. The user pastes each line when ready.
|
|
10
|
+
|
|
11
|
+
## When to Activate
|
|
12
|
+
|
|
13
|
+
- User has a multi-step plan document (PRD, RFC, implementation plan) and wants to drive it through `/orchestrate`.
|
|
14
|
+
- User says "orchestrate this plan", "give me orchestrate prompts for each step", "compose chains for this plan".
|
|
15
|
+
- A step-by-step plan exists but the user does not want to manually pick agents per step.
|
|
16
|
+
|
|
17
|
+
Skip when:
|
|
18
|
+
- The work is one ad-hoc step → call `/orchestrate custom` directly.
|
|
19
|
+
- The plan is unreadable or empty. Lack of explicit numbering alone is not a skip condition — see the "No clear steps" edge case below.
|
|
20
|
+
|
|
21
|
+
## Inputs
|
|
22
|
+
|
|
23
|
+
```
|
|
24
|
+
<plan-doc-path> [--lang=python|typescript|go|rust|cpp|java|kotlin|flutter|auto] [--scope=all|step:<n>|range:<a>-<b>] [--dry-run]
|
|
25
|
+
```
|
|
26
|
+
|
|
27
|
+
- `<plan-doc-path>` — required; relative or absolute path (`@docs/...` accepted).
|
|
28
|
+
- `--lang` — reviewer language variant; defaults to `auto` (detected from project).
|
|
29
|
+
- `--scope` — limits emitted steps; defaults to `all`.
|
|
30
|
+
- `--dry-run` — print decomposition + chain rationale only; do not emit final prompts.
|
|
31
|
+
|
|
32
|
+
## Authoritative `/orchestrate` shape (do not deviate)
|
|
33
|
+
|
|
34
|
+
```
|
|
35
|
+
/orchestrate custom "<agent1>,<agent2>,...,<agentN>" "<task description>"
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
- `custom` is a sequential chain; each agent's HANDOFF feeds the next.
|
|
39
|
+
- Comma-separated agent list. No spaces preferred; one space tolerated.
|
|
40
|
+
- No `--mode` / `--gate` / `--agents=...` flags exist — never invent them.
|
|
41
|
+
- Agent names come from the catalogue in this skill. Embedded double quotes in the task description are escaped as `\"`.
|
|
42
|
+
- Agent names are bare (`<name>`), matching how CCP installs them into `<claude-home>/agents/`.
|
|
43
|
+
|
|
44
|
+
## Available agent catalogue (must pick from these)
|
|
45
|
+
|
|
46
|
+
General:
|
|
47
|
+
- `planner` — requirement restatement, risk decomposition, step planning
|
|
48
|
+
- `architect` — architecture, system design, refactor proposals
|
|
49
|
+
- `tdd-guide` — write tests → implement → 80%+ coverage
|
|
50
|
+
- `code-reviewer` — generic code review
|
|
51
|
+
- `security-reviewer` — security audit, OWASP, secret leakage
|
|
52
|
+
- `refactor-cleaner` — dead code, duplicates, knip-class cleanup
|
|
53
|
+
- `doc-updater` — documentation, codemap, README
|
|
54
|
+
- `docs-lookup` — third-party library API lookups (Context7)
|
|
55
|
+
- `e2e-runner` — end-to-end test orchestration
|
|
56
|
+
- `database-reviewer` — PostgreSQL schema, migration, performance
|
|
57
|
+
- `harness-optimizer` — local agent harness configuration
|
|
58
|
+
- `loop-operator` — long-running autonomous loops
|
|
59
|
+
- `chief-of-staff` — multi-channel triage (rarely a fit for plan steps)
|
|
60
|
+
|
|
61
|
+
Build error resolvers:
|
|
62
|
+
- `build-error-resolver` (generic) / `cpp-build-resolver` / `go-build-resolver` / `java-build-resolver` / `kotlin-build-resolver` / `rust-build-resolver` / `pytorch-build-resolver`
|
|
63
|
+
|
|
64
|
+
Code reviewers:
|
|
65
|
+
- `python-reviewer` / `typescript-reviewer` / `go-reviewer` / `rust-reviewer` / `cpp-reviewer` / `java-reviewer` / `kotlin-reviewer` / `flutter-reviewer`
|
|
66
|
+
|
|
67
|
+
A misspelled agent name fails `/orchestrate`. Cross-check against this list before emitting.
|
|
68
|
+
|
|
69
|
+
## How It Works
|
|
70
|
+
|
|
71
|
+
### Phase 0 — Detect language
|
|
72
|
+
|
|
73
|
+
1. Read `<plan-doc-path>`. If missing or empty, report and stop.
|
|
74
|
+
2. Resolve `--lang`. When `auto`, run a polyglot-aware detection:
|
|
75
|
+
- Probe markers: `pyproject.toml` / `uv.lock` / `requirements.txt` → python; `package.json` → typescript; `go.mod` → go; `Cargo.toml` → rust; `CMakeLists.txt` or top-level `*.cpp` → cpp; `pom.xml` / `build.gradle` (Java) → java; `build.gradle.kts` or top-level Kotlin → kotlin; `pubspec.yaml` → flutter.
|
|
76
|
+
- **Polyglot tie-break**: if more than one marker matches, pick the language whose source files outnumber the others (count via `git ls-files`, excluding `vendor/`, `node_modules/`, `dist/`, `build/`, `.venv/`, generated files, and obvious test fixtures). On a tie or when no language exceeds 60% of source files, set `lang=unknown`.
|
|
77
|
+
- No marker matched → set `lang=unknown`.
|
|
78
|
+
- `lang=unknown` is a sentinel — it is **not** an agent name. Phase 2 rules 4 and 5 turn it into `code-reviewer` / `build-error-resolver` at chain composition time.
|
|
79
|
+
4. Detect a **PyTorch sub-profile**: when `lang=python` and any of `pyproject.toml` / `requirements.txt` / `uv.lock` declares a dependency on `torch`, set `pytorch=true`. This only affects `build` chain selection (Phase 2 rule below); the reviewer remains `python-reviewer`.
|
|
80
|
+
5. **Normalize any agent names declared in the plan**: if the plan text references agents by a plugin-prefixed form (e.g. `<namespace>:tdd-guide`), strip the prefix to get the bare catalogue name before validating or composing chains. CCP emits bare names only; never let a pre-prefixed name flow into the output.
|
|
81
|
+
|
|
82
|
+
### Phase 1 — Decompose steps
|
|
83
|
+
|
|
84
|
+
Identify "step units" in priority order:
|
|
85
|
+
|
|
86
|
+
1. Explicit numbering: `## Step N` / `### Phase N` / `## N. ...` / top-level ordered list.
|
|
87
|
+
2. A "Step" column in a table.
|
|
88
|
+
3. `---`-separated blocks with verb-led headings.
|
|
89
|
+
4. Otherwise treat each H2 as one step.
|
|
90
|
+
|
|
91
|
+
Per step extract `id` (1-based), `title` (≤ 80 chars), `intent` (1–3 sentences), `tags`.
|
|
92
|
+
|
|
93
|
+
### Phase 2 — Tag and pick chain
|
|
94
|
+
|
|
95
|
+
Tag by intent (multi-tag allowed; chain built from primary + stacked secondaries):
|
|
96
|
+
|
|
97
|
+
Trigger words below are matched case-insensitively. Multilingual plans are supported by matching the word stems in any language as long as the meaning aligns with the listed English trigger words.
|
|
98
|
+
|
|
99
|
+
| Tag | Trigger words | Default chain |
|
|
100
|
+
|---|---|---|
|
|
101
|
+
| `design` | architecture, design, choose, evaluate, RFC | `planner,architect` |
|
|
102
|
+
| `plan` | plan, breakdown, milestone | `planner` |
|
|
103
|
+
| `impl` | implement, build, add, create, port | `tdd-guide,<lang>-reviewer` |
|
|
104
|
+
| `test` | test, coverage, e2e, integration | `tdd-guide,e2e-runner` |
|
|
105
|
+
| `refactor` | refactor, cleanup, dedupe, split | `architect,refactor-cleaner,<lang>-reviewer` |
|
|
106
|
+
| `migration` | migrate, upgrade, rewrite, port | `architect,tdd-guide,<lang>-reviewer` |
|
|
107
|
+
| `db` | schema, migration, index, SQL, Postgres, alembic, sqlmodel | `database-reviewer,<lang>-reviewer` |
|
|
108
|
+
| `security` | encrypt, auth, secret, OWASP, PII | `security-reviewer,<lang>-reviewer` |
|
|
109
|
+
| `build` | build, compile, lint failure, CI | `<lang>-build-resolver` (falls back to `build-error-resolver`) |
|
|
110
|
+
| `docs` | docs, readme, codemap, changelog | `doc-updater` |
|
|
111
|
+
| `lookup` | lookup, reference, API usage | `docs-lookup` |
|
|
112
|
+
| `review` | review, audit, verify | `<lang>-reviewer,code-reviewer` |
|
|
113
|
+
| `loop` | loop, autonomous, watchdog | `loop-operator` |
|
|
114
|
+
|
|
115
|
+
Chain composition rules:
|
|
116
|
+
1. **Primary tag selection**: when a step matches multiple tags, the **first one in table order** (top of the table = highest priority) is the primary; the rest are secondaries. Composition rules 2 and 3 below handle specific multi-tag combinations explicitly; otherwise, append secondary chains in tag table order.
|
|
117
|
+
2. `impl` + `security` → `tdd-guide,<lang>-reviewer,security-reviewer`.
|
|
118
|
+
3. `impl` + `db` → `tdd-guide,database-reviewer,<lang>-reviewer`.
|
|
119
|
+
4. **Deduplicate** the resulting chain (preserve first occurrence). E.g. `review` + `lang=unknown` would yield `code-reviewer,code-reviewer` after rule 5; deduplication collapses it to `code-reviewer`.
|
|
120
|
+
5. `<lang>-reviewer` resolves to `code-reviewer` when `lang=unknown`.
|
|
121
|
+
6. `<lang>-build-resolver` resolves to `build-error-resolver` when `lang=unknown`. **Special case**: if Phase 0 set `pytorch=true`, use `pytorch-build-resolver` for `build` chains regardless of `<lang>`. There is no `python-build-resolver`; `--lang=python` without `pytorch=true` resolves to `build-error-resolver`.
|
|
122
|
+
7. **Zero-tag steps**: if no trigger word matches, set chain to `code-reviewer` and write `no tag matched; default review-only chain` under "Chain rationale".
|
|
123
|
+
8. Chain length ≤ 4 after deduplication. If exceeded, drop weakest tag (`lookup` and `docs` first).
|
|
124
|
+
9. Do not pair `planner` and `architect` in an `impl` chain (token waste). Pair them only on `design` steps.
|
|
125
|
+
10. Steps tagged `impl`, `refactor`, or `migration` end with a **reviewer-class** agent — any of `<lang>-reviewer`, `code-reviewer`, `security-reviewer`, or `database-reviewer`. The most domain-specific reviewer wins the tail position (e.g. rule 2's `impl+security` ends with `security-reviewer`; rule 3's `impl+db` ends with `<lang>-reviewer` because `database-reviewer` already gates the migration earlier in the chain). `test` and `build` steps are gated by their own validators (`e2e-runner` and the build resolver respectively) and do not require an additional reviewer.
|
|
126
|
+
|
|
127
|
+
### Phase 3 — Compress task description
|
|
128
|
+
|
|
129
|
+
Each emitted `<task description>` must:
|
|
130
|
+
- Be self-contained (the first agent does not need the plan document open).
|
|
131
|
+
- Start with `[Plan: <path>#step-<id>]`.
|
|
132
|
+
- Include 1–3 verifiable Acceptance criteria.
|
|
133
|
+
- Include a Scope guard (`Out of scope: ...`) **only if the plan declares one for this step**. Inherit verbatim. If the plan has no out-of-scope statement, omit the clause entirely — do not invent one.
|
|
134
|
+
- Be 200–600 characters; one line; embedded `"` escaped as `\"`; no literal newlines.
|
|
135
|
+
|
|
136
|
+
### Phase 4 — Output
|
|
137
|
+
|
|
138
|
+
Emit Markdown using the bare-name form. The slash command is always `/orchestrate` and every agent name is rendered as a bare catalogue name (no namespace prefix).
|
|
139
|
+
|
|
140
|
+
Output structure:
|
|
141
|
+
|
|
142
|
+
````markdown
|
|
143
|
+
# Plan-Orchestrate Result
|
|
144
|
+
|
|
145
|
+
**Plan**: `<path>`
|
|
146
|
+
**Lang**: `<detected-or-given>`
|
|
147
|
+
**Steps**: <N>
|
|
148
|
+
**Scope**: <all | step:n | range:a-b>
|
|
149
|
+
|
|
150
|
+
## Steps overview
|
|
151
|
+
|
|
152
|
+
| # | Title | Tags | Chain |
|
|
153
|
+
|---|---|---|---|
|
|
154
|
+
| 1 | ... | impl, db | `tdd-guide,database-reviewer,python-reviewer` |
|
|
155
|
+
| ... | | | |
|
|
156
|
+
|
|
157
|
+
---
|
|
158
|
+
|
|
159
|
+
## Step 1 — <title>
|
|
160
|
+
|
|
161
|
+
**Intent**: <1–3 sentences>
|
|
162
|
+
**Tags**: <a, b>
|
|
163
|
+
**Chain rationale**: <why this chain; which agent closes the loop>
|
|
164
|
+
|
|
165
|
+
```bash
|
|
166
|
+
/orchestrate custom "tdd-guide,database-reviewer,python-reviewer" "[Plan: docs/foo.md#step-1] <compressed task description>; Acceptance: <1–3 items>; Out of scope: <…>"
|
|
167
|
+
```
|
|
168
|
+
````
|
|
169
|
+
|
|
170
|
+
Append a final "Batch execution" block aggregating every step's command in order so the user can paste them all at once. **Skip the Batch block in overview-only mode** (see "Large plan" edge case): when only the overview table is being emitted, there are no per-step commands to aggregate.
|
|
171
|
+
|
|
172
|
+
### Phase 5 — Self-check (run before emitting)
|
|
173
|
+
|
|
174
|
+
- [ ] Every agent in every chain comes from the catalogue (after stripping any plugin namespace prefix that appeared in the plan; see Phase 0 step 5).
|
|
175
|
+
- [ ] All emitted agent names are bare (no namespace prefix) and the slash command is `/orchestrate`.
|
|
176
|
+
- [ ] No invented `--mode` / `--gate` / `--agents=...` fields.
|
|
177
|
+
- [ ] Each task description is single-line, double-quoted, with embedded `"` escaped.
|
|
178
|
+
- [ ] Each task description begins with `[Plan: <path>#step-<id>]` and includes Acceptance (1–3 items). The `Out of scope:` clause is present only when inherited from the plan.
|
|
179
|
+
- [ ] No duplicate agent in any chain after Phase 2 dedup.
|
|
180
|
+
- [ ] Chain length ≤ 4.
|
|
181
|
+
- [ ] Steps tagged `impl`/`refactor`/`migration` end with a reviewer-class agent (`<lang>-reviewer`, `code-reviewer`, `security-reviewer`, or `database-reviewer`). `test` and `build` are exempt — see Phase 2 rule 10.
|
|
182
|
+
- [ ] Zero-tag steps emit `code-reviewer` with the rationale `no tag matched; default review-only chain`.
|
|
183
|
+
- [ ] Overview table lists every step in the plan, regardless of `--scope`.
|
|
184
|
+
- [ ] Per-step detail block count matches the resolved `--scope` (full plan when `--scope=all`; one block for `step:n`; range size for `range:a-b`). In overview-only mode, no per-step blocks and no Batch block are emitted.
|
|
185
|
+
|
|
186
|
+
## Edge cases
|
|
187
|
+
|
|
188
|
+
- **No clear steps**: prefer H2/H3 splitting; if still ambiguous, report "no structured steps detected" with the document outline and ask the user to confirm running by outline.
|
|
189
|
+
- **Large plan (>1500 lines)**: enter **overview-only mode** — emit only the overview table and ask the user to narrow with `--scope` before re-running for details. In this mode, skip per-step detail blocks and skip the Batch execution block.
|
|
190
|
+
- **Step too broad** (e.g. "complete all backend work"): do not force a single chain. Suggest splitting into N.a and N.b and propose a split.
|
|
191
|
+
- **Plan declares agents** (rare): first **strip any plugin namespace prefix** (e.g. `<namespace>:tdd-guide`) to get the bare catalogue name (Phase 0 step 5), then validate against the catalogue. Replace invalid agents and explain under "Chain rationale".
|
|
192
|
+
- **Polyglot project where `--lang=auto` cannot pick a winner**: set `lang=unknown`; reviewer resolves to `code-reviewer` and build resolver to `build-error-resolver`. Mention the fallback under "Chain rationale".
|
|
193
|
+
|
|
194
|
+
## Examples
|
|
195
|
+
|
|
196
|
+
### Example — Python plan
|
|
197
|
+
|
|
198
|
+
Input:
|
|
199
|
+
```
|
|
200
|
+
plan-orchestrate @docs/plan/example-feature.md --lang=python
|
|
201
|
+
```
|
|
202
|
+
|
|
203
|
+
Excerpt of expected output:
|
|
204
|
+
````markdown
|
|
205
|
+
## Step 2 — Encrypt sensitive UserProfile fields
|
|
206
|
+
|
|
207
|
+
**Intent**: Introduce an `EncryptedString` SQLAlchemy type and AES-GCM encrypt `birth_datetime` / `location` before persistence; load the key from an environment variable.
|
|
208
|
+
**Tags**: impl, security, db
|
|
209
|
+
**Chain rationale**: Security-sensitive write path, so `security-reviewer` closes the chain; `database-reviewer` validates the alembic migration; `python-reviewer` covers typing and PEP 8.
|
|
210
|
+
|
|
211
|
+
```bash
|
|
212
|
+
/orchestrate custom "tdd-guide,database-reviewer,python-reviewer,security-reviewer" "[Plan: docs/plan/example-feature.md#step-2] Implement EncryptedString SQLAlchemy type and migrate UserProfile.birth_datetime/location columns; key from ENV APP_DB_KEY; Acceptance: encrypt/decrypt roundtrip tests pass; alembic upgrade/downgrade clean on empty DB; no plaintext in DB after migrate; Out of scope: cross-tenant profile sharing logic"
|
|
213
|
+
```
|
|
214
|
+
````
|
|
215
|
+
|
|
216
|
+
## Notes
|
|
217
|
+
|
|
218
|
+
- Generative only. Never invoke `/orchestrate` from inside this skill.
|
|
219
|
+
- Match the language of the plan document for task descriptions (agent names always remain English).
|
|
220
|
+
- Do not insert "Co-Authored-By" lines or emoji in the output unless the user explicitly asks.
|
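Review bot: The quoting rule in Phase 3 (`embedded " escaped as \"`, repeated in the Phase 5 self-check) covers only the double quote, yet the task description is built from plan-document text and emitted inside a double-quoted argument in a `bash`-tagged fence that the Batch execution block invites the user to paste in one go. A backslash at the end of the description, a backtick or a `$(` carried over verbatim from the plan is not addressed by that rule. I would specify handling for `\`, backtick and `$` as well, or require single-quoting with a defined escape. I would also add the 200–600 character limit to the self-check, which currently verifies single-line and quoting but not length. Separately, the chain composition rules do not say what happens when a step matches `impl`, `security` and `db` together: rules 2 and 3 each cover one pair, while the Python example emits `tdd-guide,database-reviewer,python-reviewer,security-reviewer`, so that merge order should be written down as its own rule. Rule 4 (deduplicate) is also numbered before rules 5 and 6 although its own example depends on rule 5 having already run; moving it after the `<lang>` resolution rules would make the order of application match the numbering.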