hive-skills 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (238) hide show
  1. package/LICENSE +28 -0
  2. package/README.md +235 -0
  3. package/assets/LICENSE +32 -0
  4. package/assets/THIRD_PARTY_NOTICES.md +72 -0
  5. package/assets/manifest.json +1290 -0
  6. package/assets/skills/authored/code-review/composable/BUNDLE.md +192 -0
  7. package/assets/skills/authored/code-review/composable/INDEX.md +13 -0
  8. package/assets/skills/authored/code-review/composable/VERSION +1 -0
  9. package/assets/skills/authored/code-review/composable/mini/01-review-method.md +34 -0
  10. package/assets/skills/authored/code-review/composable/mini/02-security-review.md +20 -0
  11. package/assets/skills/authored/code-review/composable/mini/03-correctness-bugs.md +19 -0
  12. package/assets/skills/authored/code-review/composable/mini/04-concurrency.md +16 -0
  13. package/assets/skills/authored/code-review/composable/mini/05-error-handling.md +12 -0
  14. package/assets/skills/authored/code-review/composable/mini/06-performance.md +11 -0
  15. package/assets/skills/authored/code-review/composable/mini/07-api-design.md +20 -0
  16. package/assets/skills/authored/code-review/composable/mini/08-missing-tests.md +25 -0
  17. package/assets/skills/authored/code-review/composable/mini/09-refactoring-and-communication.md +32 -0
  18. package/assets/skills/authored/data-analysis/composable/BUNDLE.md +186 -0
  19. package/assets/skills/authored/data-analysis/composable/INDEX.md +13 -0
  20. package/assets/skills/authored/data-analysis/composable/VERSION +1 -0
  21. package/assets/skills/authored/data-analysis/composable/mini/01-data-quality-profiling.md +26 -0
  22. package/assets/skills/authored/data-analysis/composable/mini/02-aggregation-pitfalls.md +21 -0
  23. package/assets/skills/authored/data-analysis/composable/mini/03-time-series.md +19 -0
  24. package/assets/skills/authored/data-analysis/composable/mini/04-segmentation.md +23 -0
  25. package/assets/skills/authored/data-analysis/composable/mini/05-discount-pricing.md +17 -0
  26. package/assets/skills/authored/data-analysis/composable/mini/06-insight-generation.md +25 -0
  27. package/assets/skills/authored/data-analysis/composable/mini/07-executive-writing.md +26 -0
  28. package/assets/skills/authored/data-analysis/composable/mini/08-recommendations.md +20 -0
  29. package/assets/skills/authored/data-analysis/composable/mini/09-reproducibility-assumptions.md +20 -0
  30. package/assets/skills/authored/financial-analysis/composable/BUNDLE.md +1293 -0
  31. package/assets/skills/authored/financial-analysis/composable/INDEX.md +17 -0
  32. package/assets/skills/authored/financial-analysis/composable/VERSION +1 -0
  33. package/assets/skills/authored/financial-analysis/composable/mini/00-core.md +69 -0
  34. package/assets/skills/authored/financial-analysis/composable/mini/01-profitability-efficiency-ratios.md +173 -0
  35. package/assets/skills/authored/financial-analysis/composable/mini/02-liquidity-leverage-ratios.md +120 -0
  36. package/assets/skills/authored/financial-analysis/composable/mini/03-valuation-ratios-interpretation.md +107 -0
  37. package/assets/skills/authored/financial-analysis/composable/mini/04-dcf-projection-wacc.md +122 -0
  38. package/assets/skills/authored/financial-analysis/composable/mini/05-dcf-terminal-value-sensitivity.md +75 -0
  39. package/assets/skills/authored/financial-analysis/composable/mini/06-comparables-precedents.md +78 -0
  40. package/assets/skills/authored/financial-analysis/composable/mini/07-budget-variance-analysis.md +47 -0
  41. package/assets/skills/authored/financial-analysis/composable/mini/08-driver-based-forecasting-scenarios.md +111 -0
  42. package/assets/skills/authored/financial-analysis/composable/mini/09-rolling-forecasts-accuracy.md +114 -0
  43. package/assets/skills/authored/financial-analysis/composable/mini/10-reporting-exec-summary.md +58 -0
  44. package/assets/skills/authored/financial-analysis/composable/mini/11-industry-adaptations.md +130 -0
  45. package/assets/skills/authored/financial-analysis/composable/mini/12-toolkit-scripts-io.md +102 -0
  46. package/assets/skills/authored/python-api/composable/BUNDLE.md +389 -0
  47. package/assets/skills/authored/python-api/composable/INDEX.md +13 -0
  48. package/assets/skills/authored/python-api/composable/VERSION +1 -0
  49. package/assets/skills/authored/python-api/composable/mini/01-project-structure.md +44 -0
  50. package/assets/skills/authored/python-api/composable/mini/02-routing-and-app.md +38 -0
  51. package/assets/skills/authored/python-api/composable/mini/03-pydantic-models.md +45 -0
  52. package/assets/skills/authored/python-api/composable/mini/04-validation-and-errors.md +59 -0
  53. package/assets/skills/authored/python-api/composable/mini/05-dependencies-and-auth.md +60 -0
  54. package/assets/skills/authored/python-api/composable/mini/06-pagination-filtering.md +44 -0
  55. package/assets/skills/authored/python-api/composable/mini/07-async-performance.md +30 -0
  56. package/assets/skills/authored/python-api/composable/mini/08-testing.md +45 -0
  57. package/assets/skills/authored/python-api/composable/mini/09-middleware-observability.md +29 -0
  58. package/assets/skills/authored/tech-writing/composable/BUNDLE.md +220 -0
  59. package/assets/skills/authored/tech-writing/composable/INDEX.md +12 -0
  60. package/assets/skills/authored/tech-writing/composable/VERSION +1 -0
  61. package/assets/skills/authored/tech-writing/composable/mini/01-audience-analysis.md +26 -0
  62. package/assets/skills/authored/tech-writing/composable/mini/02-document-types.md +27 -0
  63. package/assets/skills/authored/tech-writing/composable/mini/03-readme-quickstart-changelog.md +22 -0
  64. package/assets/skills/authored/tech-writing/composable/mini/04-information-architecture.md +21 -0
  65. package/assets/skills/authored/tech-writing/composable/mini/05-style-clarity.md +29 -0
  66. package/assets/skills/authored/tech-writing/composable/mini/06-breaking-changes-migrations.md +33 -0
  67. package/assets/skills/authored/tech-writing/composable/mini/07-troubleshooting-security.md +30 -0
  68. package/assets/skills/authored/tech-writing/composable/mini/08-faq-voice-tone.md +32 -0
  69. package/assets/skills/converted/claude-api/composable/BUNDLE.md +14996 -0
  70. package/assets/skills/converted/claude-api/composable/INDEX.md +98 -0
  71. package/assets/skills/converted/claude-api/composable/VERSION +1 -0
  72. package/assets/skills/converted/claude-api/composable/mini/00-core.md +235 -0
  73. package/assets/skills/converted/claude-api/composable/mini/01-model-api-quick-reference.md +258 -0
  74. package/assets/skills/converted/claude-api/composable/mini/02-common-pitfalls.md +42 -0
  75. package/assets/skills/converted/claude-api/composable/mini/10-models.md +135 -0
  76. package/assets/skills/converted/claude-api/composable/mini/11-platform-availability.md +96 -0
  77. package/assets/skills/converted/claude-api/composable/mini/12-claude-platform-on-aws.md +59 -0
  78. package/assets/skills/converted/claude-api/composable/mini/13-live-sources.md +143 -0
  79. package/assets/skills/converted/claude-api/composable/mini/14-error-codes.md +256 -0
  80. package/assets/skills/converted/claude-api/composable/mini/15-prompt-caching.md +223 -0
  81. package/assets/skills/converted/claude-api/composable/mini/16-token-counting.md +56 -0
  82. package/assets/skills/converted/claude-api/composable/mini/17-tool-use-concepts.md +444 -0
  83. package/assets/skills/converted/claude-api/composable/mini/18-agent-design.md +101 -0
  84. package/assets/skills/converted/claude-api/composable/mini/19-anthropic-cli.md +246 -0
  85. package/assets/skills/converted/claude-api/composable/mini/20-model-migration.md +1301 -0
  86. package/assets/skills/converted/claude-api/composable/mini/30-managed-agents-overview.md +71 -0
  87. package/assets/skills/converted/claude-api/composable/mini/31-managed-agents-core.md +278 -0
  88. package/assets/skills/converted/claude-api/composable/mini/32-managed-agents-environments.md +219 -0
  89. package/assets/skills/converted/claude-api/composable/mini/33-managed-agents-tools.md +366 -0
  90. package/assets/skills/converted/claude-api/composable/mini/34-managed-agents-events.md +252 -0
  91. package/assets/skills/converted/claude-api/composable/mini/35-managed-agents-outcomes.md +106 -0
  92. package/assets/skills/converted/claude-api/composable/mini/36-managed-agents-multiagent.md +101 -0
  93. package/assets/skills/converted/claude-api/composable/mini/37-managed-agents-webhooks.md +123 -0
  94. package/assets/skills/converted/claude-api/composable/mini/38-managed-agents-memory.md +197 -0
  95. package/assets/skills/converted/claude-api/composable/mini/39-managed-agents-scheduled-deployments.md +146 -0
  96. package/assets/skills/converted/claude-api/composable/mini/40-managed-agents-client-patterns.md +211 -0
  97. package/assets/skills/converted/claude-api/composable/mini/41-managed-agents-onboarding.md +82 -0
  98. package/assets/skills/converted/claude-api/composable/mini/42-managed-agents-api-reference.md +441 -0
  99. package/assets/skills/converted/claude-api/composable/mini/43-managed-agents-self-hosted-sandboxes.md +174 -0
  100. package/assets/skills/converted/claude-api/composable/mini/50-python-readme.md +564 -0
  101. package/assets/skills/converted/claude-api/composable/mini/51-python-tool-use.md +590 -0
  102. package/assets/skills/converted/claude-api/composable/mini/52-python-streaming-batches-files.md +549 -0
  103. package/assets/skills/converted/claude-api/composable/mini/53-python-managed-agents.md +335 -0
  104. package/assets/skills/converted/claude-api/composable/mini/55-typescript-readme.md +404 -0
  105. package/assets/skills/converted/claude-api/composable/mini/56-typescript-tool-use.md +548 -0
  106. package/assets/skills/converted/claude-api/composable/mini/57-typescript-streaming-batches-files.md +384 -0
  107. package/assets/skills/converted/claude-api/composable/mini/58-typescript-managed-agents.md +358 -0
  108. package/assets/skills/converted/claude-api/composable/mini/60-csharp-readme.md +361 -0
  109. package/assets/skills/converted/claude-api/composable/mini/61-csharp-tool-use.md +163 -0
  110. package/assets/skills/converted/claude-api/composable/mini/62-csharp-streaming-batches-files.md +64 -0
  111. package/assets/skills/converted/claude-api/composable/mini/65-go-readme.md +185 -0
  112. package/assets/skills/converted/claude-api/composable/mini/66-go-tool-use.md +219 -0
  113. package/assets/skills/converted/claude-api/composable/mini/67-go-streaming-files.md +63 -0
  114. package/assets/skills/converted/claude-api/composable/mini/68-go-managed-agents.md +564 -0
  115. package/assets/skills/converted/claude-api/composable/mini/70-java-readme.md +237 -0
  116. package/assets/skills/converted/claude-api/composable/mini/71-java-tool-use.md +227 -0
  117. package/assets/skills/converted/claude-api/composable/mini/72-java-streaming-files.md +49 -0
  118. package/assets/skills/converted/claude-api/composable/mini/73-java-managed-agents.md +443 -0
  119. package/assets/skills/converted/claude-api/composable/mini/75-php-readme.md +173 -0
  120. package/assets/skills/converted/claude-api/composable/mini/76-php-tool-use.md +252 -0
  121. package/assets/skills/converted/claude-api/composable/mini/77-php-streaming-batches-files.md +53 -0
  122. package/assets/skills/converted/claude-api/composable/mini/78-php-managed-agents.md +443 -0
  123. package/assets/skills/converted/claude-api/composable/mini/80-ruby-readme.md +133 -0
  124. package/assets/skills/converted/claude-api/composable/mini/81-ruby-tool-use-streaming.md +56 -0
  125. package/assets/skills/converted/claude-api/composable/mini/82-ruby-managed-agents.md +394 -0
  126. package/assets/skills/converted/claude-api/composable/mini/85-curl-examples.md +255 -0
  127. package/assets/skills/converted/claude-api/composable/mini/86-curl-managed-agents.md +340 -0
  128. package/assets/skills/converted/claude-api/composable/presets/csharp.md +1151 -0
  129. package/assets/skills/converted/claude-api/composable/presets/curl.md +1154 -0
  130. package/assets/skills/converted/claude-api/composable/presets/go.md +1598 -0
  131. package/assets/skills/converted/claude-api/composable/presets/java.md +1523 -0
  132. package/assets/skills/converted/claude-api/composable/presets/php.md +1488 -0
  133. package/assets/skills/converted/claude-api/composable/presets/python.md +2605 -0
  134. package/assets/skills/converted/claude-api/composable/presets/ruby.md +1146 -0
  135. package/assets/skills/converted/claude-api/composable/presets/shared.md +6478 -0
  136. package/assets/skills/converted/claude-api/composable/presets/typescript.md +2261 -0
  137. package/assets/skills/converted/docx/composable/BUNDLE.md +617 -0
  138. package/assets/skills/converted/docx/composable/INDEX.md +12 -0
  139. package/assets/skills/converted/docx/composable/VERSION +1 -0
  140. package/assets/skills/converted/docx/composable/mini/00-core.md +26 -0
  141. package/assets/skills/converted/docx/composable/mini/01-reading-converting.md +36 -0
  142. package/assets/skills/converted/docx/composable/mini/02-creating-setup-layout.md +85 -0
  143. package/assets/skills/converted/docx/composable/mini/03-creating-elements.md +257 -0
  144. package/assets/skills/converted/docx/composable/mini/04-editing-existing.md +57 -0
  145. package/assets/skills/converted/docx/composable/mini/05-xml-reference.md +128 -0
  146. package/assets/skills/converted/internal-comms/composable/BUNDLE.md +220 -0
  147. package/assets/skills/converted/internal-comms/composable/INDEX.md +11 -0
  148. package/assets/skills/converted/internal-comms/composable/VERSION +1 -0
  149. package/assets/skills/converted/internal-comms/composable/mini/00-core.md +30 -0
  150. package/assets/skills/converted/internal-comms/composable/mini/01-3p-updates.md +49 -0
  151. package/assets/skills/converted/internal-comms/composable/mini/02-company-newsletter.md +67 -0
  152. package/assets/skills/converted/internal-comms/composable/mini/03-faq-answers.md +32 -0
  153. package/assets/skills/converted/internal-comms/composable/mini/04-general-comms.md +18 -0
  154. package/assets/skills/converted/mcp-builder/composable/BUNDLE.md +2460 -0
  155. package/assets/skills/converted/mcp-builder/composable/INDEX.md +23 -0
  156. package/assets/skills/converted/mcp-builder/composable/VERSION +1 -0
  157. package/assets/skills/converted/mcp-builder/composable/mini/00-core.md +43 -0
  158. package/assets/skills/converted/mcp-builder/composable/mini/01-workflow-research-planning.md +54 -0
  159. package/assets/skills/converted/mcp-builder/composable/mini/02-implementation-process.md +78 -0
  160. package/assets/skills/converted/mcp-builder/composable/mini/03-naming-conventions.md +33 -0
  161. package/assets/skills/converted/mcp-builder/composable/mini/04-response-formats.md +21 -0
  162. package/assets/skills/converted/mcp-builder/composable/mini/05-pagination.md +24 -0
  163. package/assets/skills/converted/mcp-builder/composable/mini/06-transport.md +47 -0
  164. package/assets/skills/converted/mcp-builder/composable/mini/07-annotations.md +20 -0
  165. package/assets/skills/converted/mcp-builder/composable/mini/08-security.md +35 -0
  166. package/assets/skills/converted/mcp-builder/composable/mini/09-error-handling.md +32 -0
  167. package/assets/skills/converted/mcp-builder/composable/mini/10-testing-and-documentation.md +21 -0
  168. package/assets/skills/converted/mcp-builder/composable/mini/11-python-implementation.md +432 -0
  169. package/assets/skills/converted/mcp-builder/composable/mini/12-python-advanced-and-checklist.md +233 -0
  170. package/assets/skills/converted/mcp-builder/composable/mini/13-node-implementation.md +717 -0
  171. package/assets/skills/converted/mcp-builder/composable/mini/14-node-advanced-and-checklist.md +200 -0
  172. package/assets/skills/converted/mcp-builder/composable/mini/15-evaluation-design.md +200 -0
  173. package/assets/skills/converted/mcp-builder/composable/mini/16-evaluation-running.md +198 -0
  174. package/assets/skills/converted/mcp-builder/composable/presets/node-server.md +1381 -0
  175. package/assets/skills/converted/mcp-builder/composable/presets/python-server.md +1129 -0
  176. package/assets/skills/converted/pdf/composable/BUNDLE.md +1284 -0
  177. package/assets/skills/converted/pdf/composable/INDEX.md +14 -0
  178. package/assets/skills/converted/pdf/composable/VERSION +1 -0
  179. package/assets/skills/converted/pdf/composable/mini/00-core.md +46 -0
  180. package/assets/skills/converted/pdf/composable/mini/01-creation.md +176 -0
  181. package/assets/skills/converted/pdf/composable/mini/02-extraction.md +178 -0
  182. package/assets/skills/converted/pdf/composable/mini/03-merge-split-manipulate.md +240 -0
  183. package/assets/skills/converted/pdf/composable/mini/04-images-ocr.md +168 -0
  184. package/assets/skills/converted/pdf/composable/mini/05-encryption.md +51 -0
  185. package/assets/skills/converted/pdf/composable/mini/06-forms.md +300 -0
  186. package/assets/skills/converted/pdf/composable/mini/07-libraries-reference.md +89 -0
  187. package/assets/skills/converted/pptx/composable/BUNDLE.md +911 -0
  188. package/assets/skills/converted/pptx/composable/INDEX.md +12 -0
  189. package/assets/skills/converted/pptx/composable/VERSION +1 -0
  190. package/assets/skills/converted/pptx/composable/mini/00-core.md +37 -0
  191. package/assets/skills/converted/pptx/composable/mini/01-reading.md +37 -0
  192. package/assets/skills/converted/pptx/composable/mini/02-creating-from-scratch.md +422 -0
  193. package/assets/skills/converted/pptx/composable/mini/03-editing-templates.md +207 -0
  194. package/assets/skills/converted/pptx/composable/mini/04-design.md +89 -0
  195. package/assets/skills/converted/pptx/composable/mini/05-qa-and-rendering.md +91 -0
  196. package/assets/skills/converted/pptx/composable/presets/creating.md +659 -0
  197. package/assets/skills/converted/pptx/composable/presets/editing.md +485 -0
  198. package/assets/skills/converted/skill-creator/composable/BUNDLE.md +1681 -0
  199. package/assets/skills/converted/skill-creator/composable/INDEX.md +21 -0
  200. package/assets/skills/converted/skill-creator/composable/VERSION +1 -0
  201. package/assets/skills/converted/skill-creator/composable/mini/00-core.md +59 -0
  202. package/assets/skills/converted/skill-creator/composable/mini/01-creating-a-skill.md +27 -0
  203. package/assets/skills/converted/skill-creator/composable/mini/02-skill-writing-guide.md +71 -0
  204. package/assets/skills/converted/skill-creator/composable/mini/03-test-cases.md +21 -0
  205. package/assets/skills/converted/skill-creator/composable/mini/04-running-and-evaluating.md +128 -0
  206. package/assets/skills/converted/skill-creator/composable/mini/05-improving-the-skill.md +30 -0
  207. package/assets/skills/converted/skill-creator/composable/mini/06-blind-comparison.md +5 -0
  208. package/assets/skills/converted/skill-creator/composable/mini/07-description-optimization.md +74 -0
  209. package/assets/skills/converted/skill-creator/composable/mini/08-packaging.md +11 -0
  210. package/assets/skills/converted/skill-creator/composable/mini/09-environment-specific.md +38 -0
  211. package/assets/skills/converted/skill-creator/composable/mini/10-scripts-and-references.md +34 -0
  212. package/assets/skills/converted/skill-creator/composable/mini/11-json-schemas.md +414 -0
  213. package/assets/skills/converted/skill-creator/composable/mini/12-agent-grader.md +225 -0
  214. package/assets/skills/converted/skill-creator/composable/mini/13-agent-comparator.md +204 -0
  215. package/assets/skills/converted/skill-creator/composable/mini/14-agent-analyzer.md +276 -0
  216. package/assets/skills/converted/skill-creator/composable/presets/authoring.md +198 -0
  217. package/assets/skills/converted/skill-creator/composable/presets/evaluating.md +1334 -0
  218. package/assets/skills/converted/skill-creator/composable/presets/optimizing.md +160 -0
  219. package/assets/skills/converted/skill-creator/composable/presets.json +5 -0
  220. package/assets/skills/meta/ccs-skill-creator/composable/BUNDLE.md +465 -0
  221. package/assets/skills/meta/ccs-skill-creator/composable/INDEX.md +8 -0
  222. package/assets/skills/meta/ccs-skill-creator/composable/VERSION +1 -0
  223. package/assets/skills/meta/ccs-skill-creator/composable/mini/00-core.md +46 -0
  224. package/assets/skills/meta/ccs-skill-creator/composable/mini/01-create-new-skill.md +167 -0
  225. package/assets/skills/meta/ccs-skill-creator/composable/mini/02-convert-existing-skill.md +120 -0
  226. package/assets/skills/meta/ccs-skill-creator/composable/mini/03-review-and-maintain.md +112 -0
  227. package/assets/skills/sources/anthropic/PROVENANCE.md +3 -0
  228. package/assets/skills/sources/anthropic/claude-api/LICENSE.txt +202 -0
  229. package/assets/skills/sources/anthropic/docx/LICENSE.txt +30 -0
  230. package/assets/skills/sources/anthropic/internal-comms/LICENSE.txt +202 -0
  231. package/assets/skills/sources/anthropic/mcp-builder/LICENSE.txt +202 -0
  232. package/assets/skills/sources/anthropic/pdf/LICENSE.txt +30 -0
  233. package/assets/skills/sources/anthropic/pptx/LICENSE.txt +30 -0
  234. package/assets/skills/sources/anthropic/skill-creator/LICENSE.txt +202 -0
  235. package/assets/skills/sources/financial-analyst/PROVENANCE.md +1 -0
  236. package/assets/tools/hive.py +728 -0
  237. package/dist/cli.js +7494 -0
  238. package/package.json +40 -0
@@ -0,0 +1,44 @@
1
+ ---
2
+ pairs-with:
3
+ - code-review/02-security-review.md
4
+ ---
5
+
6
+ # Pagination, Filtering & Sorting
7
+
8
+ Never return an unbounded collection. Offer limit/offset for simple cases, keyset (cursor) for large or fast-changing data.
9
+
10
+ **Limit/offset:**
11
+ ```python
12
+ class Page(BaseModel):
13
+ limit: int = Field(20, ge=1, le=100)
14
+ offset: int = Field(0, ge=0)
15
+
16
+ @router.get("", response_model=PageOut[UserOut])
17
+ def list_users(p: Page = Depends(), db: Session = Depends(get_db)):
18
+ q = select(User).order_by(User.id)
19
+ total = db.scalar(select(func.count()).select_from(User))
20
+ rows = db.scalars(q.limit(p.limit).offset(p.offset)).all()
21
+ return {"items": rows, "total": total, "limit": p.limit, "offset": p.offset}
22
+ ```
23
+
24
+ Note the `le=100` cap: clients can't request unbounded pages.
25
+
26
+ **Keyset pagination** avoids the deep-offset performance cliff (offset scans and discards skipped rows): `WHERE id > :cursor ORDER BY id LIMIT :n`, returning the last id as the next cursor. Use it for large tables and infinite scroll.
27
+
28
+ **Deterministic ordering is mandatory.** Always apply an `ORDER BY` with a unique tiebreaker (e.g. `ORDER BY created_at, id`). Without it, rows can shift between pages and clients see duplicates or gaps.
29
+
30
+ **Safe filtering & sorting** (the security-critical part):
31
+ - Expose an explicit allowlist of filter fields as typed query params. Never build SQL from raw client strings and never `eval` a filter expression.
32
+ - Map sort keys through a whitelist dict to columns:
33
+
34
+ ```python
35
+ SORTABLE = {"email": User.email, "created": User.created_at}
36
+ col = SORTABLE.get(sort_key)
37
+ if col is None:
38
+ raise HTTPException(400, "invalid sort field")
39
+ q = q.order_by(col.desc() if descending else col.asc())
40
+ ```
41
+
42
+ This prevents SQL injection and stops clients sorting by or filtering on private columns. Always use parameterized queries / the ORM, never string interpolation.
43
+
44
+ **Response metadata.** Return enough for the client to navigate: the items plus `limit`/`offset` (or a `next_cursor`), and a `total` only when it's cheap: a `COUNT(*)` over a huge filtered table can cost as much as the page query itself, so for large datasets prefer cursor pagination with a `has_more` flag and omit the total. Cap the maximum page size server-side (`le=100`) regardless of what the client asks for, so no single request can pull the whole table.
@@ -0,0 +1,30 @@
1
+ ---
2
+ pairs-with:
3
+ - code-review/06-performance.md
4
+ - code-review/04-concurrency.md
5
+ ---
6
+
7
+ # Async, Performance & the Event Loop
8
+
9
+ FastAPI runs `async def` handlers on the event loop and plain `def` handlers in a threadpool. Understanding this split is essential for performance.
10
+
11
+ **The cardinal sin:** calling blocking I/O inside an `async def` handler (a sync DB driver, `requests`, `time.sleep`, or any CPU-heavy loop). It stalls the entire event loop, so every concurrent request stalls with it. Fixes:
12
+ - Make the handler plain `def` (FastAPI runs it in a threadpool), **or**
13
+ - Use async libraries: `httpx.AsyncClient` instead of `requests`, async SQLAlchemy / async drivers, `asyncio.sleep` instead of `time.sleep`.
14
+
15
+ Don't mix them: a `def` handler calling async code, or an `async def` handler calling blocking code, are both wrong.
16
+
17
+ **Database performance:**
18
+ - Use connection pooling (configure pool size to match worker count).
19
+ - Prevent N+1 queries with eager loading (`selectinload`, `joinedload`) when you access relationships in a loop.
20
+ - Push filtering/aggregation into SQL rather than loading rows and processing in Python.
21
+
22
+ **Outbound calls:**
23
+ - Reuse a single HTTP client with connection pooling; don't create a client per request.
24
+ - **Set timeouts on every outbound call**: a hung dependency without a timeout ties up a worker indefinitely.
25
+
26
+ **Caching:** add caching for hot read paths, using HTTP `ETag`/`Cache-Control` headers for client/proxy caching, or Redis for shared server-side caching. Cache computed or expensive-to-fetch data with a sensible TTL and clear invalidation rules.
27
+
28
+ **General:** avoid mutable default arguments and shared global mutable state across requests (each request should get its own state). Profile before optimizing; most latency is I/O (DB and downstream calls), not Python CPU.
29
+
30
+ **Production concurrency model:** run multiple worker processes (`uvicorn`/`gunicorn`, sized roughly to cores for CPU-bound apps, higher for I/O-bound) behind a process manager. Each worker has its own event loop; scaling out processes is how you use multiple cores, since one Python process is GIL-bound for CPU work. Offload genuinely heavy or long-running work (report generation, image processing, third-party fan-out) to a background task queue (Celery, RQ, `arq`) and return `202 Accepted` with a status URL, rather than blocking a request worker for seconds.
@@ -0,0 +1,45 @@
1
+ ---
2
+ pairs-with:
3
+ - code-review/08-missing-tests.md
4
+ ---
5
+
6
+ # Testing with pytest + TestClient
7
+
8
+ Test through the API with `TestClient` (sync) or `httpx.AsyncClient` (async). Override dependencies to inject a test DB and fake auth: this is the payoff of dependency injection.
9
+
10
+ ```python
11
+ from fastapi.testclient import TestClient
12
+
13
+ @pytest.fixture
14
+ def client():
15
+ app.dependency_overrides[get_db] = lambda: test_session
16
+ with TestClient(app) as c:
17
+ yield c
18
+ app.dependency_overrides.clear()
19
+
20
+ def test_create_user(client):
21
+ r = client.post("/api/v1/users", json={"email": "a@b.com",
22
+ "password": "s3cret!!", "full_name": "A"})
23
+ assert r.status_code == 201
24
+ assert "password" not in r.json() # sensitive field must not leak
25
+
26
+ def test_rejects_short_password(client):
27
+ r = client.post("/api/v1/users", json={"email": "a@b.com",
28
+ "password": "x", "full_name": "A"})
29
+ assert r.status_code == 422
30
+ ```
31
+
32
+ **Test the contract, not the implementation:**
33
+ - Status codes for success and each error path.
34
+ - Response shape, and that sensitive fields (password hashes, internal ids) are absent.
35
+ - Auth enforced: unauthenticated returns `401`, wrong-user/role returns `403`.
36
+ - Validation rejects bad input (`422`); pagination bounds hold (`limit` cap respected).
37
+
38
+ **Isolation & data:**
39
+ - Use a fresh transactional DB per test: create schema then wrap each test in a rollback, or use a disposable SQLite / testcontainers Postgres.
40
+ - `pytest.fixture` for setup/teardown; `parametrize` for edge cases.
41
+ - Build test data with factories (`factory_boy` or plain builder functions), not copy-pasted dicts.
42
+
43
+ Keep tests fast and isolated. Mock only external services (payment gateways, third-party APIs); never mock your own code, or you test the mock instead of the behavior. A test that passes against a mock of your service proves nothing about the service.
44
+
45
+ Cover the full contract deliberately: a happy-path test per endpoint, plus one test per error branch (404, 409, 422), an auth test (401 unauthenticated, 403 wrong role/owner), and a pagination test asserting the `limit` cap is enforced. Prefer many small focused tests over a few sprawling ones: when a focused test fails, its name tells you what broke.
@@ -0,0 +1,29 @@
1
+ ---
2
+ pairs-with:
3
+ - code-review/02-security-review.md
4
+ ---
5
+
6
+ # Middleware, CORS, Observability & Rate Limiting
7
+
8
+ Cross-cutting concerns belong in middleware and app-level config, not scattered through individual handlers.
9
+
10
+ **CORS.** If a browser front-end on another origin calls the API, configure `CORSMiddleware` with an explicit allowlist of origins. Never combine `allow_origins=["*"]` with `allow_credentials=True`: it is both insecure and rejected by browsers. List the exact front-end origins, methods, and headers you actually need.
11
+
12
+ ```python
13
+ from fastapi.middleware.cors import CORSMiddleware
14
+ app.add_middleware(
15
+ CORSMiddleware,
16
+ allow_origins=settings.cors_origins,
17
+ allow_credentials=True,
18
+ allow_methods=["*"],
19
+ allow_headers=["*"],
20
+ )
21
+ ```
22
+
23
+ **Request logging & correlation.** Add middleware that assigns each request a correlation id (from an incoming `X-Request-ID` header or a freshly generated UUID), binds it to the logger, and logs method, path, status code, and duration. Structured JSON logs make a request traceable across services. Never log request bodies that may carry secrets or PII.
24
+
25
+ **Rate limiting.** Protect auth and expensive endpoints with rate limits (a library like `slowapi`, or an upstream API gateway). Limit by client identity or IP, return `429` with a `Retry-After` header when a caller exceeds the limit, and apply stricter limits to login/token endpoints to blunt credential-stuffing attacks.
26
+
27
+ **Health & readiness.** Expose a lightweight `/health` (the process is up) and a `/ready` (dependencies are reachable) endpoint for orchestrators and load balancers. Keep `/health` dependency-free so a slow database doesn't make the instance look dead and get killed. Emit basic metrics (request count, latency, error rate) for monitoring dashboards and alerts.
28
+
29
+ **Timeouts everywhere.** Set request and outbound-call timeouts so a slow client or hung downstream can't hold a worker indefinitely. Combined with rate limiting, this is your first line of defense against both accidental overload and abuse.
@@ -0,0 +1,220 @@
1
+ <!-- GENERATED by tools/hive.py compile. Do not hand-edit. -->
2
+ # tech-writing: Compiled Skill Bundle (v1.0.0)
3
+
4
+ All composable mini-skills for `tech-writing` concatenated in index order, frontmatter stripped. Regenerate with `tools/hive.py compile <skill-dir>`. Do not edit by hand.
5
+
6
+ ---
7
+ <!-- module: 01-audience-analysis.md -->
8
+
9
+ # Audience Analysis & Job-to-be-Done
10
+
11
+ Never write a doc until you can name three things: (a) the reader, (b) the task they are mid-way through, and (c) what "done" looks like for them. Documentation is read by people under load (mid-incident, mid-integration, mid-evaluation), not studied at leisure.
12
+
13
+ Segment readers on three axes:
14
+
15
+ - **Expertise**: novice vs. expert. Novices need concepts and orientation; experts need a searchable reference and copy-paste snippets. Do not force an expert through a tutorial to find one flag name.
16
+ - **Goal**: evaluating (should I adopt this?), integrating (make it work now), operating (keep it running), debugging (why did it break?). Each goal wants a different document type and depth.
17
+ - **Context of use**: at a terminal, on a phone mid-incident, in a procurement meeting. Context dictates length, scannability, and where the answer must appear.
18
+
19
+ **Worked example.** "How do I authenticate?" comes from at least two readers. The evaluator wants to know *which* auth methods exist and their tradeoffs: one paragraph and a table. The integrator wants a working request *right now*: a labeled code block with a real-looking token. Answer both, in that order, and label each so readers skip to their part.
20
+
21
+ **State assumed prior knowledge explicitly at the top**: "This guide assumes a running cluster and kubectl configured." Unstated assumptions are the single largest cause of doc failure: the reader hits an undocumented prerequisite, gets stuck, and blames the product.
22
+
23
+ Practical habits:
24
+ - Write a one-line reader statement before drafting: "For an integrator who already has an API key and wants their first successful call."
25
+ - List prerequisites as an up-front checklist, not scattered inline.
26
+ - When a page must serve two audiences, split it into clearly labeled sections rather than blending. Blended docs frustrate both readers at once.
27
+ - Prefer specifics the reader can check ("you need Node 18+") over vague reassurance ("recent Node").
28
+
29
+ The audience decision drives every later choice: document type, structure, tone, and how much you explain versus assume. Get it wrong and even flawless prose fails, because it answers a question the reader did not ask.
30
+
31
+ ---
32
+ <!-- module: 02-document-types.md -->
33
+
34
+ # Choosing the Right Document Type
35
+
36
+ Reader goals map to four distinct, non-interchangeable document types. Mixing them in one page is the most common structural mistake in documentation.
37
+
38
+ - **Tutorial** (learning-oriented): a guided, guaranteed-to-succeed lesson for a newcomer. Linear, opinionated, one happy path, no alternatives, no error branches. Success = the reader built something and feels competent.
39
+ - **How-to / task guide** (problem-oriented): steps to accomplish a specific real-world task the reader already knows they need. Assumes competence. May list variations. Success = task completed.
40
+ - **Reference** (information-oriented): exhaustive, accurate description of the machinery: every parameter, return value, error code, config key. Dry, consistent, austere. Success = the reader found the exact fact and trusts it.
41
+ - **Explanation / concept** (understanding-oriented): the *why*: architecture, tradeoffs, mental models. Read away from the keyboard. Success = the reader can reason about edge cases.
42
+
43
+ Keep these separate. A reference page cluttered with tutorial hand-holding frustrates experts; a tutorial padded with reference tables loses novices. When a page feels muddled, it is usually two types fighting. Split it.
44
+
45
+ **How to tell them apart in practice.** Ask what the reader is doing:
46
+ - Learning the tool for the first time → tutorial.
47
+ - Has a specific job to finish → how-to.
48
+ - Needs a precise fact mid-work → reference.
49
+ - Wants to understand tradeoffs before deciding → explanation.
50
+
51
+ **Worked example.** "Authentication" often needs three pages, not one: a *tutorial* that walks a newcomer through their first authenticated call; a *reference* listing every auth method, scope, token lifetime, and error code; and an *explanation* of the auth model and its threat assumptions. One page trying to be all three serves none well.
52
+
53
+ Signs you have mixed types: a tutorial with a giant parameter table; a reference page with encouraging asides ("Great, now let's..."); a how-to that pauses to explain architecture. Move the mismatched content to the page whose type it fits, and link between them.
54
+
55
+ Parallel structure within a type helps: every API method reference page should share one shape (Description → Parameters → Returns → Errors → Example) so readers navigate by muscle memory.
56
+
57
+ ---
58
+ <!-- module: 03-readme-quickstart-changelog.md -->
59
+
60
+ # README, Quickstart, Changelog & Release Notes
61
+
62
+ **README**: a landing page and router, not a manual. Order: one-sentence description of what this is and who it is for; a short "why/what" paragraph; minimal install; a **60-second quickstart** that produces a visible result; then links out to deeper docs. Put the single most impressive working example above the fold. Badges and tables of contents come *after* value is demonstrated, not before. A reader should learn what the thing is and see it work within the first screen.
63
+
64
+ **Quickstart**: the shortest path from zero to a first success, ideally under 5 minutes. List prerequisites up front as a checklist. Every step is copy-pasteable and idempotent where possible. End with a concrete checkpoint ("you should now see X") and exactly one clear next step. Cut every optional detail and link it instead; a quickstart that branches has failed at being quick.
65
+
66
+ **Changelog vs release notes**: two artifacts for two audiences; do not conflate them.
67
+ - A **changelog** is terse, chronological, developer-facing. Group entries per version as Added / Changed / Deprecated / Removed / Fixed / Security (the Keep a Changelog convention). Each entry is one line stating what changed.
68
+ - **Release notes** are narrative and user-facing. Lead with the headline value ("Exports are now 10x faster"), explain impact, and call out breaking changes prominently.
69
+
70
+ Both must be **newest first, dated, with a stable version identifier**. Never make a reader diff two versions to discover what changed. That is the changelog's entire job.
71
+
72
+ **Worked example (a changelog entry vs a release note for the same change):**
73
+ - Changelog: `### Changed` / `- \`export()\` now streams results instead of buffering (#412).`
74
+ - Release note: "Large exports no longer run out of memory. `export()` now streams, so multi-gigabyte reports complete reliably. No code change needed unless you relied on the full result being in memory at once (see [migration])."
75
+
76
+ Common failures: a README that explains philosophy before showing the tool work; a quickstart padded with configuration options; release notes that bury a breaking change in a bullet list. Fix each by ruthlessly front-loading the reader's payoff and pushing detail to linked reference pages.
77
+
78
+ ---
79
+ <!-- module: 04-information-architecture.md -->
80
+
81
+ # Information Architecture
82
+
83
+ How to structure pages and doc sets so readers find and consume the right thing fast.
84
+
85
+ - **One page, one job.** If a page answers more than one reader question, split it. Competing half-answers on multiple pages are worse than one canonical page. Ensure exactly one authoritative page per topic.
86
+ - **Front-load the answer.** Use the inverted pyramid: conclusion or result first, then detail, then background. Readers scan the first line of each section and bail early, so the payoff must come first. "To reset your password, open Settings" beats "Open Settings, which you can find in order to reset your password."
87
+ - **Make it scannable.** Write descriptive, task-stating headings ("Rotate an API key") not vague nouns ("Keys"). A reader scanning the table of contents should predict exactly what each page contains.
88
+ - **Progressive disclosure.** Keep the common case in the main flow; push rare cases, flags, and caveats into collapsible sections, footnotes, or linked pages. Don't tax the 90% to serve the 10%.
89
+ - **Parallel structure.** Sibling sections should share shape. Every API method page: Description → Parameters → Returns → Errors → Example. Predictability lets readers navigate by muscle memory.
90
+ - **Link deliberately.** Link the first mention of a concept to its explanation. Don't bury a required prerequisite as an inline mid-sentence link: call it out as a prerequisite block so it cannot be missed.
91
+
92
+ **Worked example.** A page titled "Configuration" that dumps 40 settings alphabetically forces every reader to scan all of them. Restructure: lead with the 3 settings 90% of users change, in a short "Common configuration" section; move the full list to a reference table below or on a linked page; give each setting a task-oriented sub-heading where relevant ("Increase the request timeout").
93
+
94
+ **Checklist for a doc set:**
95
+ - Can a reader find the right page in one guess from the nav?
96
+ - Does each page declare its audience and prerequisites?
97
+ - Is there exactly one canonical page per topic (no competing half-answers)?
98
+ - Does every page front-load its most important information?
99
+ - Are sibling pages structurally parallel?
100
+
101
+ Good architecture is invisible: the reader lands on the right page, sees the answer at the top, and leaves. Bad architecture makes readers hunt, and hunting readers file support tickets or give up.
102
+
103
+ ---
104
+ <!-- module: 05-style-clarity.md -->
105
+
106
+ # Style & Clarity Rules
107
+
108
+ Concrete, enforceable rules, not "write clearly."
109
+
110
+ 1. **Second person, imperative, active voice.** "Run `npm install`," not "The user should run" or "npm install is run." Address the reader as "you."
111
+ 2. **Present tense** for behavior. "The endpoint returns 200," not "will return."
112
+ 3. **One instruction per numbered step.** If a step contains "and," consider splitting. Number sequential actions; bullet unordered options.
113
+ 4. **Lead sentences with the point.** Put the keyword first so scanners catch it: "To reset your password, open Settings" beats the reverse.
114
+ 5. **Cut hedges and filler.** Delete "simply," "just," "easy," "obviously," "of course": they shame stuck readers and add nothing. Replace "in order to" → "to," "at this point in time" → "now," "utilize" → "use."
115
+ 6. **Define each term on first use, then use it consistently.** Never call one thing "app," "service," and "instance" across three paragraphs. One term per concept.
116
+ 7. **Format for meaning.** Code, filenames, commands, and literal UI labels in monospace; UI navigation in **bold**. Never wrap prose in code font for emphasis.
117
+ 8. **Show, then tell.** Pair every abstract instruction with a concrete example. A working snippet is worth three sentences of description.
118
+ 9. **Prefer specifics over vagueness.** "Wait about 30 seconds" beats "wait a while." "Returns up to 100 items" beats "returns several."
119
+
120
+ **Before/after:** *"It should be noted that in order to utilize the API, users will need to first obtain an authentication token."* → *"To use the API, first get an auth token."* (24 words → 9, identical meaning.)
121
+
122
+ **More edits:**
123
+ - "This functionality provides users with the ability to filter." → "You can filter results."
124
+ - "The system will automatically perform validation of the input." → "The system validates the input."
125
+ - "In the event that the request fails..." → "If the request fails..."
126
+
127
+ **Write for a global audience.** Short sentences, common words, no region-specific slang or idioms. Spell out ambiguous dates (2026-07-05, not 07/05/26). Enforce one style guide (capitalization, Oxford comma, product name) so the whole doc set reads as one voice.
128
+
129
+ Above all: **accuracy beats polish.** An inaccurate doc is worse than none: it destroys trust in the entire doc set. Test every command and code sample before publishing.
130
+
131
+ ---
132
+ <!-- module: 06-breaking-changes-migrations.md -->
133
+
134
+ # Writing About Breaking Changes & Migrations
135
+
136
+ This is where docs most often fail users, and where care matters most. A breaking change poorly documented turns into hours of user debugging and a flood of support requests.
137
+
138
+ **Rules:**
139
+ - **Announce loudly and early.** Breaking changes get a prominent, unmissable callout in release notes, not a buried bullet. State the exact version where the break lands.
140
+ - **Say what breaks, and for whom.** "If you call `parse()` with a string, it now throws": name the exact API, the exact condition, and who is affected. A reader should determine in seconds whether they are impacted.
141
+ - **Always give the migration path.** A breaking change without a migration guide is a broken promise. Provide before/after code side by side. If migration can be automated (codemod, script), lead with that.
142
+ - **Explain the why, briefly.** One sentence of rationale reduces anger and support load: "We changed this to prevent silent data loss."
143
+ - **State deprecation timelines.** Deprecated ≠ removed. Give the deprecation version, the planned removal version, and the recommended replacement. Keep deprecation warnings in the docs until removal is complete.
144
+
145
+ **Migration guide skeleton:**
146
+ 1. *What changed*
147
+ 2. *Who is affected*
148
+ 3. *Before / after examples*
149
+ 4. *Step-by-step migration*
150
+ 5. *How to verify you migrated correctly*
151
+ 6. *Rollback / fallback if it goes wrong*
152
+
153
+ **Worked micro-example (a release-note callout):**
154
+ > **Breaking (v3.0):** `client.fetch()` no longer accepts a callback. Passing a function as the second argument now throws `TypeError`.
155
+ > **Migrate:** `client.fetch(url, cb)` → `client.fetch(url).then(cb)`. See the [async migration guide].
156
+
157
+ **Deprecation example:**
158
+ > **Deprecated (v2.4):** `config.legacyMode` is deprecated and will be removed in v4.0. Use `config.compatibility` instead. Calls still work in v2.x and v3.x but log a warning.
159
+
160
+ Common failures to avoid: listing a breaking change with no fix; using vague language ("some APIs have changed") instead of naming them; removing something that was never formally deprecated; or hiding the break inside a long changelog where impacted users scroll past it. Every breaking change should be findable, understandable, and actionable within a minute of a reader landing on the release notes.
161
+
162
+ ---
163
+ <!-- module: 07-troubleshooting-security.md -->
164
+
165
+ # Troubleshooting & Security Docs
166
+
167
+ **Troubleshooting** is organized by *symptom*, not by cause: the reader knows what they see, not why it happens. Structure each entry:
168
+
169
+ 1. **Symptom**: the exact error message or observed behavior, quoted verbatim so it is searchable.
170
+ 2. **Cause**: what produces it.
171
+ 3. **Fix**: the steps to resolve it.
172
+ 4. **Confirm**: how to verify it is actually fixed.
173
+
174
+ Include the literal error text; users paste error strings into search engines and your page's search box. Order entries by frequency (most common first). Add a "still stuck?" escape hatch: where to file an issue and which diagnostics (logs, version, config) to attach.
175
+
176
+ **Worked example:**
177
+ > **Symptom:** `Error: ECONNREFUSED 127.0.0.1:5432`
178
+ > **Cause:** The database isn't running, or the port is wrong.
179
+ > **Fix:** Start the database (`docker compose up db`) and confirm `DB_PORT` matches. **Confirm:** `psql -h localhost -p 5432` connects.
180
+
181
+ **Security documentation** demands extra precision, because mistakes here are costly:
182
+ - Be explicit and unambiguous: no "should probably." State exactly what is and isn't protected.
183
+ - **Never show real secrets, tokens, or private keys.** Use obvious placeholders (`YOUR_API_KEY`, `sk_test_...`). Warn readers against committing secrets to version control.
184
+ - Document the secure default, and clearly flag any insecure convenience option ("do not use in production").
185
+ - Separate "how to configure securely" (a how-to) from "our security model / threat model" (an explanation).
186
+ - Give a responsible-disclosure contact and a supported-versions policy.
187
+ - State the blast radius of permissions and tokens: their scope, lifetime, and how to revoke them.
188
+
189
+ **Common failures:** troubleshooting organized by internal component instead of user-visible symptom (readers can't map their error to your architecture); paraphrased error messages that don't match what users actually see; security examples containing real-looking keys that get copy-pasted into production; and vague hedging ("this is generally secure") that leaves the reader unable to make a safe decision. Precision and searchability are the whole game in both doc types.
190
+
191
+ ---
192
+ <!-- module: 08-faq-voice-tone.md -->
193
+
194
+ # FAQ Design, Voice & Tone
195
+
196
+ ## FAQ design
197
+
198
+ FAQs are a last resort and a symptom, not a strategy. A "frequently asked question" usually means the primary docs failed to answer it in the right place: the durable fix is to answer it *there*, on the relevant page. Use an FAQ only for genuinely cross-cutting questions that don't belong to any single page: licensing, pricing, "is X supported," "how does this compare to Y."
199
+
200
+ Rules:
201
+ - Phrase each entry as the reader's *actual question in their words* ("Can I use this offline?"), not marketing framing ("Does our robust platform support disconnected operation?").
202
+ - Keep answers short and link to the authoritative page rather than duplicating content.
203
+ - Group by theme; order by frequency.
204
+ - Prune ruthlessly. If an FAQ grows past ~15 entries, the underlying docs need restructuring, not a longer FAQ.
205
+ - Never let the FAQ become the only place a fact lives: that fact belongs on a real page.
206
+
207
+ ## Voice and tone
208
+
209
+ **Voice** is constant: your product's personality. **Tone** flexes with the reader's emotional state. Calibrate tone to context:
210
+ - Routine how-to: neutral, efficient, confident.
211
+ - Error messages and troubleshooting: calm, blame-free, helpful, never cute when a user is frustrated. No jokes on error pages.
212
+ - Onboarding: warmer, more encouraging.
213
+
214
+ **Worked example (same information, tone tuned to context):**
215
+ - Success/onboarding: "Nice. Your first deploy is live. Next, add a custom domain."
216
+ - Error state: "The deploy failed because the build step exited with code 1. Check the build log below, then retry." (No "oops!", no exclamation, no blame on the user.)
217
+
218
+ Universal rules: be respectful and inclusive (avoid "simply/just," avoid idioms that don't translate, avoid ableist or exclusionary metaphors). Be consistent: pick and enforce conventions in a style guide (capitalization, Oxford comma, "email" vs "e-mail," how you name the product). Write for a global audience with short sentences and common words, and spell out ambiguous dates (2026-07-05).
219
+
220
+ The test: read your error and troubleshooting copy imagining the reader is stressed and behind schedule. If any word would irritate that reader (a "simply," a joke, a shrug), cut it. Tone failures do the most damage exactly when the reader most needs help.
@@ -0,0 +1,12 @@
1
+ # Technical & Product Writing: Composable Index
2
+
3
+ Loading policy: read this menu, then load 00-core (if present) plus the minis relevant to your task. If most of this skill is relevant, load BUNDLE.md (or a matching presets/*.md) in one read instead.
4
+
5
+ - **01-audience-analysis.md** - Identify reader, their job-to-be-done, expertise, and assumed knowledge. *Load when* starting any doc or deciding scope/depth.
6
+ - **02-document-types.md** - Tutorial vs how-to vs reference vs explanation; picking the right one. *Load when* deciding what kind of doc to write or a page feels muddled.
7
+ - **03-readme-quickstart-changelog.md** - Structure for READMEs, quickstarts, changelogs, and release notes. *Load when* writing any of these specific artifacts.
8
+ - **04-information-architecture.md** - Page scoping, front-loading, scannability, progressive disclosure, linking. *Load when* organizing a page or doc set.
9
+ - **05-style-clarity.md** - Concrete sentence-level rules; voice, tense, cutting filler, formatting. *Load when* drafting or editing prose.
10
+ - **06-breaking-changes-migrations.md** - Announcing breaks, migration guides, deprecation timelines. *Load when* documenting a breaking change, upgrade, or deprecation.
11
+ - **07-troubleshooting-security.md** - Symptom-first troubleshooting; precise, safe security docs. *Load when* writing troubleshooting, error, or security content.
12
+ - **08-faq-voice-tone.md** - When FAQs are justified; calibrating voice vs tone. *Load when* designing an FAQ or setting tone/personality.
@@ -0,0 +1,26 @@
1
+ ---
2
+ pairs-with:
3
+ - 02-document-types.md
4
+ ---
5
+
6
+ # Audience Analysis & Job-to-be-Done
7
+
8
+ Never write a doc until you can name three things: (a) the reader, (b) the task they are mid-way through, and (c) what "done" looks like for them. Documentation is read by people under load (mid-incident, mid-integration, mid-evaluation), not studied at leisure.
9
+
10
+ Segment readers on three axes:
11
+
12
+ - **Expertise**: novice vs. expert. Novices need concepts and orientation; experts need a searchable reference and copy-paste snippets. Do not force an expert through a tutorial to find one flag name.
13
+ - **Goal**: evaluating (should I adopt this?), integrating (make it work now), operating (keep it running), debugging (why did it break?). Each goal wants a different document type and depth.
14
+ - **Context of use**: at a terminal, on a phone mid-incident, in a procurement meeting. Context dictates length, scannability, and where the answer must appear.
15
+
16
+ **Worked example.** "How do I authenticate?" comes from at least two readers. The evaluator wants to know *which* auth methods exist and their tradeoffs: one paragraph and a table. The integrator wants a working request *right now*: a labeled code block with a real-looking token. Answer both, in that order, and label each so readers skip to their part.
17
+
18
+ **State assumed prior knowledge explicitly at the top**: "This guide assumes a running cluster and kubectl configured." Unstated assumptions are the single largest cause of doc failure: the reader hits an undocumented prerequisite, gets stuck, and blames the product.
19
+
20
+ Practical habits:
21
+ - Write a one-line reader statement before drafting: "For an integrator who already has an API key and wants their first successful call."
22
+ - List prerequisites as an up-front checklist, not scattered inline.
23
+ - When a page must serve two audiences, split it into clearly labeled sections rather than blending. Blended docs frustrate both readers at once.
24
+ - Prefer specifics the reader can check ("you need Node 18+") over vague reassurance ("recent Node").
25
+
26
+ The audience decision drives every later choice: document type, structure, tone, and how much you explain versus assume. Get it wrong and even flawless prose fails, because it answers a question the reader did not ask.
@@ -0,0 +1,27 @@
1
+ ---
2
+ pairs-with:
3
+ - 04-information-architecture.md
4
+ ---
5
+
6
+ # Choosing the Right Document Type
7
+
8
+ Reader goals map to four distinct, non-interchangeable document types. Mixing them in one page is the most common structural mistake in documentation.
9
+
10
+ - **Tutorial** (learning-oriented): a guided, guaranteed-to-succeed lesson for a newcomer. Linear, opinionated, one happy path, no alternatives, no error branches. Success = the reader built something and feels competent.
11
+ - **How-to / task guide** (problem-oriented): steps to accomplish a specific real-world task the reader already knows they need. Assumes competence. May list variations. Success = task completed.
12
+ - **Reference** (information-oriented): exhaustive, accurate description of the machinery: every parameter, return value, error code, config key. Dry, consistent, austere. Success = the reader found the exact fact and trusts it.
13
+ - **Explanation / concept** (understanding-oriented): the *why*: architecture, tradeoffs, mental models. Read away from the keyboard. Success = the reader can reason about edge cases.
14
+
15
+ Keep these separate. A reference page cluttered with tutorial hand-holding frustrates experts; a tutorial padded with reference tables loses novices. When a page feels muddled, it is usually two types fighting. Split it.
16
+
17
+ **How to tell them apart in practice.** Ask what the reader is doing:
18
+ - Learning the tool for the first time → tutorial.
19
+ - Has a specific job to finish → how-to.
20
+ - Needs a precise fact mid-work → reference.
21
+ - Wants to understand tradeoffs before deciding → explanation.
22
+
23
+ **Worked example.** "Authentication" often needs three pages, not one: a *tutorial* that walks a newcomer through their first authenticated call; a *reference* listing every auth method, scope, token lifetime, and error code; and an *explanation* of the auth model and its threat assumptions. One page trying to be all three serves none well.
24
+
25
+ Signs you have mixed types: a tutorial with a giant parameter table; a reference page with encouraging asides ("Great, now let's..."); a how-to that pauses to explain architecture. Move the mismatched content to the page whose type it fits, and link between them.
26
+
27
+ Parallel structure within a type helps: every API method reference page should share one shape (Description → Parameters → Returns → Errors → Example) so readers navigate by muscle memory.
@@ -0,0 +1,22 @@
1
+ ---
2
+ pairs-with:
3
+ - 06-breaking-changes-migrations.md
4
+ ---
5
+
6
+ # README, Quickstart, Changelog & Release Notes
7
+
8
+ **README**: a landing page and router, not a manual. Order: one-sentence description of what this is and who it is for; a short "why/what" paragraph; minimal install; a **60-second quickstart** that produces a visible result; then links out to deeper docs. Put the single most impressive working example above the fold. Badges and tables of contents come *after* value is demonstrated, not before. A reader should learn what the thing is and see it work within the first screen.
9
+
10
+ **Quickstart**: the shortest path from zero to a first success, ideally under 5 minutes. List prerequisites up front as a checklist. Every step is copy-pasteable and idempotent where possible. End with a concrete checkpoint ("you should now see X") and exactly one clear next step. Cut every optional detail and link it instead; a quickstart that branches has failed at being quick.
11
+
12
+ **Changelog vs release notes**: two artifacts for two audiences; do not conflate them.
13
+ - A **changelog** is terse, chronological, developer-facing. Group entries per version as Added / Changed / Deprecated / Removed / Fixed / Security (the Keep a Changelog convention). Each entry is one line stating what changed.
14
+ - **Release notes** are narrative and user-facing. Lead with the headline value ("Exports are now 10x faster"), explain impact, and call out breaking changes prominently.
15
+
16
+ Both must be **newest first, dated, with a stable version identifier**. Never make a reader diff two versions to discover what changed. That is the changelog's entire job.
17
+
18
+ **Worked example (a changelog entry vs a release note for the same change):**
19
+ - Changelog: `### Changed` / `- \`export()\` now streams results instead of buffering (#412).`
20
+ - Release note: "Large exports no longer run out of memory. `export()` now streams, so multi-gigabyte reports complete reliably. No code change needed unless you relied on the full result being in memory at once (see [migration])."
21
+
22
+ Common failures: a README that explains philosophy before showing the tool work; a quickstart padded with configuration options; release notes that bury a breaking change in a bullet list. Fix each by ruthlessly front-loading the reader's payoff and pushing detail to linked reference pages.
@@ -0,0 +1,21 @@
1
+ # Information Architecture
2
+
3
+ How to structure pages and doc sets so readers find and consume the right thing fast.
4
+
5
+ - **One page, one job.** If a page answers more than one reader question, split it. Competing half-answers on multiple pages are worse than one canonical page. Ensure exactly one authoritative page per topic.
6
+ - **Front-load the answer.** Use the inverted pyramid: conclusion or result first, then detail, then background. Readers scan the first line of each section and bail early, so the payoff must come first. "To reset your password, open Settings" beats "Open Settings, which you can find in order to reset your password."
7
+ - **Make it scannable.** Write descriptive, task-stating headings ("Rotate an API key") not vague nouns ("Keys"). A reader scanning the table of contents should predict exactly what each page contains.
8
+ - **Progressive disclosure.** Keep the common case in the main flow; push rare cases, flags, and caveats into collapsible sections, footnotes, or linked pages. Don't tax the 90% to serve the 10%.
9
+ - **Parallel structure.** Sibling sections should share shape. Every API method page: Description → Parameters → Returns → Errors → Example. Predictability lets readers navigate by muscle memory.
10
+ - **Link deliberately.** Link the first mention of a concept to its explanation. Don't bury a required prerequisite as an inline mid-sentence link: call it out as a prerequisite block so it cannot be missed.
11
+
12
+ **Worked example.** A page titled "Configuration" that dumps 40 settings alphabetically forces every reader to scan all of them. Restructure: lead with the 3 settings 90% of users change, in a short "Common configuration" section; move the full list to a reference table below or on a linked page; give each setting a task-oriented sub-heading where relevant ("Increase the request timeout").
13
+
14
+ **Checklist for a doc set:**
15
+ - Can a reader find the right page in one guess from the nav?
16
+ - Does each page declare its audience and prerequisites?
17
+ - Is there exactly one canonical page per topic (no competing half-answers)?
18
+ - Does every page front-load its most important information?
19
+ - Are sibling pages structurally parallel?
20
+
21
+ Good architecture is invisible: the reader lands on the right page, sees the answer at the top, and leaves. Bad architecture makes readers hunt, and hunting readers file support tickets or give up.
@@ -0,0 +1,29 @@
1
+ ---
2
+ pairs-with:
3
+ - 08-faq-voice-tone.md
4
+ ---
5
+
6
+ # Style & Clarity Rules
7
+
8
+ Concrete, enforceable rules, not "write clearly."
9
+
10
+ 1. **Second person, imperative, active voice.** "Run `npm install`," not "The user should run" or "npm install is run." Address the reader as "you."
11
+ 2. **Present tense** for behavior. "The endpoint returns 200," not "will return."
12
+ 3. **One instruction per numbered step.** If a step contains "and," consider splitting. Number sequential actions; bullet unordered options.
13
+ 4. **Lead sentences with the point.** Put the keyword first so scanners catch it: "To reset your password, open Settings" beats the reverse.
14
+ 5. **Cut hedges and filler.** Delete "simply," "just," "easy," "obviously," "of course": they shame stuck readers and add nothing. Replace "in order to" → "to," "at this point in time" → "now," "utilize" → "use."
15
+ 6. **Define each term on first use, then use it consistently.** Never call one thing "app," "service," and "instance" across three paragraphs. One term per concept.
16
+ 7. **Format for meaning.** Code, filenames, commands, and literal UI labels in monospace; UI navigation in **bold**. Never wrap prose in code font for emphasis.
17
+ 8. **Show, then tell.** Pair every abstract instruction with a concrete example. A working snippet is worth three sentences of description.
18
+ 9. **Prefer specifics over vagueness.** "Wait about 30 seconds" beats "wait a while." "Returns up to 100 items" beats "returns several."
19
+
20
+ **Before/after:** *"It should be noted that in order to utilize the API, users will need to first obtain an authentication token."* → *"To use the API, first get an auth token."* (24 words → 9, identical meaning.)
21
+
22
+ **More edits:**
23
+ - "This functionality provides users with the ability to filter." → "You can filter results."
24
+ - "The system will automatically perform validation of the input." → "The system validates the input."
25
+ - "In the event that the request fails..." → "If the request fails..."
26
+
27
+ **Write for a global audience.** Short sentences, common words, no region-specific slang or idioms. Spell out ambiguous dates (2026-07-05, not 07/05/26). Enforce one style guide (capitalization, Oxford comma, product name) so the whole doc set reads as one voice.
28
+
29
+ Above all: **accuracy beats polish.** An inaccurate doc is worse than none: it destroys trust in the entire doc set. Test every command and code sample before publishing.
@@ -0,0 +1,33 @@
1
+ ---
2
+ pairs-with:
3
+ - 03-readme-quickstart-changelog.md
4
+ - code-review/07-api-design.md
5
+ ---
6
+
7
+ # Writing About Breaking Changes & Migrations
8
+
9
+ This is where docs most often fail users, and where care matters most. A breaking change poorly documented turns into hours of user debugging and a flood of support requests.
10
+
11
+ **Rules:**
12
+ - **Announce loudly and early.** Breaking changes get a prominent, unmissable callout in release notes, not a buried bullet. State the exact version where the break lands.
13
+ - **Say what breaks, and for whom.** "If you call `parse()` with a string, it now throws": name the exact API, the exact condition, and who is affected. A reader should determine in seconds whether they are impacted.
14
+ - **Always give the migration path.** A breaking change without a migration guide is a broken promise. Provide before/after code side by side. If migration can be automated (codemod, script), lead with that.
15
+ - **Explain the why, briefly.** One sentence of rationale reduces anger and support load: "We changed this to prevent silent data loss."
16
+ - **State deprecation timelines.** Deprecated ≠ removed. Give the deprecation version, the planned removal version, and the recommended replacement. Keep deprecation warnings in the docs until removal is complete.
17
+
18
+ **Migration guide skeleton:**
19
+ 1. *What changed*
20
+ 2. *Who is affected*
21
+ 3. *Before / after examples*
22
+ 4. *Step-by-step migration*
23
+ 5. *How to verify you migrated correctly*
24
+ 6. *Rollback / fallback if it goes wrong*
25
+
26
+ **Worked micro-example (a release-note callout):**
27
+ > **Breaking (v3.0):** `client.fetch()` no longer accepts a callback. Passing a function as the second argument now throws `TypeError`.
28
+ > **Migrate:** `client.fetch(url, cb)` → `client.fetch(url).then(cb)`. See the [async migration guide].
29
+
30
+ **Deprecation example:**
31
+ > **Deprecated (v2.4):** `config.legacyMode` is deprecated and will be removed in v4.0. Use `config.compatibility` instead. Calls still work in v2.x and v3.x but log a warning.
32
+
33
+ Common failures to avoid: listing a breaking change with no fix; using vague language ("some APIs have changed") instead of naming them; removing something that was never formally deprecated; or hiding the break inside a long changelog where impacted users scroll past it. Every breaking change should be findable, understandable, and actionable within a minute of a reader landing on the release notes.
@@ -0,0 +1,30 @@
1
+ ---
2
+ pairs-with:
3
+ - code-review/02-security-review.md
4
+ ---
5
+
6
+ # Troubleshooting & Security Docs
7
+
8
+ **Troubleshooting** is organized by *symptom*, not by cause: the reader knows what they see, not why it happens. Structure each entry:
9
+
10
+ 1. **Symptom**: the exact error message or observed behavior, quoted verbatim so it is searchable.
11
+ 2. **Cause**: what produces it.
12
+ 3. **Fix**: the steps to resolve it.
13
+ 4. **Confirm**: how to verify it is actually fixed.
14
+
15
+ Include the literal error text; users paste error strings into search engines and your page's search box. Order entries by frequency (most common first). Add a "still stuck?" escape hatch: where to file an issue and which diagnostics (logs, version, config) to attach.
16
+
17
+ **Worked example:**
18
+ > **Symptom:** `Error: ECONNREFUSED 127.0.0.1:5432`
19
+ > **Cause:** The database isn't running, or the port is wrong.
20
+ > **Fix:** Start the database (`docker compose up db`) and confirm `DB_PORT` matches. **Confirm:** `psql -h localhost -p 5432` connects.
21
+
22
+ **Security documentation** demands extra precision, because mistakes here are costly:
23
+ - Be explicit and unambiguous: no "should probably." State exactly what is and isn't protected.
24
+ - **Never show real secrets, tokens, or private keys.** Use obvious placeholders (`YOUR_API_KEY`, `sk_test_...`). Warn readers against committing secrets to version control.
25
+ - Document the secure default, and clearly flag any insecure convenience option ("do not use in production").
26
+ - Separate "how to configure securely" (a how-to) from "our security model / threat model" (an explanation).
27
+ - Give a responsible-disclosure contact and a supported-versions policy.
28
+ - State the blast radius of permissions and tokens: their scope, lifetime, and how to revoke them.
29
+
30
+ **Common failures:** troubleshooting organized by internal component instead of user-visible symptom (readers can't map their error to your architecture); paraphrased error messages that don't match what users actually see; security examples containing real-looking keys that get copy-pasted into production; and vague hedging ("this is generally secure") that leaves the reader unable to make a safe decision. Precision and searchability are the whole game in both doc types.