product-playbook 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (291)
  1. package/LICENSE +21 -0
  2. package/README.es.md +518 -0
  3. package/README.ja.md +519 -0
  4. package/README.ko.md +518 -0
  5. package/README.md +520 -0
  6. package/README.zh-CN.md +518 -0
  7. package/README.zh-TW.md +518 -0
  8. package/SKILL.md +244 -0
  9. package/commands/product-build.md +13 -0
  10. package/commands/product-dev.md +21 -0
  11. package/commands/product-full.md +13 -0
  12. package/commands/product-prd.md +14 -0
  13. package/commands/product-quick.md +13 -0
  14. package/commands/product-report.md +12 -0
  15. package/commands/product-revision.md +13 -0
  16. package/i18n/en/SKILL.md +245 -0
  17. package/i18n/en/commands/product-build.md +13 -0
  18. package/i18n/en/commands/product-dev.md +21 -0
  19. package/i18n/en/commands/product-full.md +13 -0
  20. package/i18n/en/commands/product-prd.md +14 -0
  21. package/i18n/en/commands/product-quick.md +13 -0
  22. package/i18n/en/commands/product-report.md +12 -0
  23. package/i18n/en/commands/product-revision.md +13 -0
  24. package/i18n/en/references/00-opportunity-check.md +44 -0
  25. package/i18n/en/references/01-strategy.md +90 -0
  26. package/i18n/en/references/02a-persona.md +57 -0
  27. package/i18n/en/references/02b-jtbd.md +125 -0
  28. package/i18n/en/references/02c-ost-journey.md +65 -0
  29. package/i18n/en/references/03-define.md +118 -0
  30. package/i18n/en/references/04a-prfaq.md +112 -0
  31. package/i18n/en/references/04b-solutions.md +269 -0
  32. package/i18n/en/references/04c-mvp.md +21 -0
  33. package/i18n/en/references/05a-northstar-aha.md +93 -0
  34. package/i18n/en/references/05b-pmf-gtm.md +102 -0
  35. package/i18n/en/references/05c-validation-spec.md +117 -0
  36. package/i18n/en/references/06-html-report.md +128 -0
  37. package/i18n/en/references/07a-handoff-core.md +152 -0
  38. package/i18n/en/references/07b-tasks-tickets.md +215 -0
  39. package/i18n/en/references/07c-architecture-setup.md +197 -0
  40. package/i18n/en/references/08-security-checklist.md +221 -0
  41. package/i18n/en/references/rules-build.md +152 -0
  42. package/i18n/en/references/rules-change-propagation.md +74 -0
  43. package/i18n/en/references/rules-commands.md +98 -0
  44. package/i18n/en/references/rules-context.md +291 -0
  45. package/i18n/en/references/rules-custom.md +63 -0
  46. package/i18n/en/references/rules-document-tools.md +126 -0
  47. package/i18n/en/references/rules-end-of-flow.md +150 -0
  48. package/i18n/en/references/rules-export-document.md +346 -0
  49. package/i18n/en/references/rules-file-integration.md +65 -0
  50. package/i18n/en/references/rules-full.md +66 -0
  51. package/i18n/en/references/rules-import-document.md +261 -0
  52. package/i18n/en/references/rules-product-type.md +14 -0
  53. package/i18n/en/references/rules-progress.md +60 -0
  54. package/i18n/en/references/rules-quick.md +29 -0
  55. package/i18n/en/references/rules-revision.md +64 -0
  56. package/i18n/es/SKILL.md +245 -0
  57. package/i18n/es/commands/product-build.md +13 -0
  58. package/i18n/es/commands/product-dev.md +21 -0
  59. package/i18n/es/commands/product-full.md +13 -0
  60. package/i18n/es/commands/product-prd.md +14 -0
  61. package/i18n/es/commands/product-quick.md +13 -0
  62. package/i18n/es/commands/product-report.md +12 -0
  63. package/i18n/es/commands/product-revision.md +13 -0
  64. package/i18n/es/references/00-opportunity-check.md +44 -0
  65. package/i18n/es/references/01-strategy.md +90 -0
  66. package/i18n/es/references/02a-persona.md +57 -0
  67. package/i18n/es/references/02b-jtbd.md +125 -0
  68. package/i18n/es/references/02c-ost-journey.md +65 -0
  69. package/i18n/es/references/03-define.md +118 -0
  70. package/i18n/es/references/04a-prfaq.md +114 -0
  71. package/i18n/es/references/04b-solutions.md +269 -0
  72. package/i18n/es/references/04c-mvp.md +21 -0
  73. package/i18n/es/references/05a-northstar-aha.md +93 -0
  74. package/i18n/es/references/05b-pmf-gtm.md +102 -0
  75. package/i18n/es/references/05c-validation-spec.md +117 -0
  76. package/i18n/es/references/06-html-report.md +138 -0
  77. package/i18n/es/references/07a-handoff-core.md +152 -0
  78. package/i18n/es/references/07b-tasks-tickets.md +215 -0
  79. package/i18n/es/references/07c-architecture-setup.md +197 -0
  80. package/i18n/es/references/08-security-checklist.md +221 -0
  81. package/i18n/es/references/rules-build.md +152 -0
  82. package/i18n/es/references/rules-change-propagation.md +74 -0
  83. package/i18n/es/references/rules-commands.md +98 -0
  84. package/i18n/es/references/rules-context.md +291 -0
  85. package/i18n/es/references/rules-custom.md +63 -0
  86. package/i18n/es/references/rules-document-tools.md +126 -0
  87. package/i18n/es/references/rules-end-of-flow.md +150 -0
  88. package/i18n/es/references/rules-export-document.md +346 -0
  89. package/i18n/es/references/rules-file-integration.md +65 -0
  90. package/i18n/es/references/rules-full.md +66 -0
  91. package/i18n/es/references/rules-import-document.md +261 -0
  92. package/i18n/es/references/rules-product-type.md +14 -0
  93. package/i18n/es/references/rules-progress.md +60 -0
  94. package/i18n/es/references/rules-quick.md +29 -0
  95. package/i18n/es/references/rules-revision.md +64 -0
  96. package/i18n/ja/SKILL.md +245 -0
  97. package/i18n/ja/commands/product-build.md +13 -0
  98. package/i18n/ja/commands/product-dev.md +21 -0
  99. package/i18n/ja/commands/product-full.md +13 -0
  100. package/i18n/ja/commands/product-prd.md +14 -0
  101. package/i18n/ja/commands/product-quick.md +13 -0
  102. package/i18n/ja/commands/product-report.md +12 -0
  103. package/i18n/ja/commands/product-revision.md +13 -0
  104. package/i18n/ja/references/00-opportunity-check.md +44 -0
  105. package/i18n/ja/references/01-strategy.md +90 -0
  106. package/i18n/ja/references/02a-persona.md +57 -0
  107. package/i18n/ja/references/02b-jtbd.md +125 -0
  108. package/i18n/ja/references/02c-ost-journey.md +65 -0
  109. package/i18n/ja/references/03-define.md +118 -0
  110. package/i18n/ja/references/04a-prfaq.md +111 -0
  111. package/i18n/ja/references/04b-solutions.md +269 -0
  112. package/i18n/ja/references/04c-mvp.md +21 -0
  113. package/i18n/ja/references/05a-northstar-aha.md +93 -0
  114. package/i18n/ja/references/05b-pmf-gtm.md +102 -0
  115. package/i18n/ja/references/05c-validation-spec.md +117 -0
  116. package/i18n/ja/references/06-html-report.md +126 -0
  117. package/i18n/ja/references/07a-handoff-core.md +152 -0
  118. package/i18n/ja/references/07b-tasks-tickets.md +215 -0
  119. package/i18n/ja/references/07c-architecture-setup.md +197 -0
  120. package/i18n/ja/references/08-security-checklist.md +221 -0
  121. package/i18n/ja/references/rules-build.md +152 -0
  122. package/i18n/ja/references/rules-change-propagation.md +74 -0
  123. package/i18n/ja/references/rules-commands.md +98 -0
  124. package/i18n/ja/references/rules-context.md +291 -0
  125. package/i18n/ja/references/rules-custom.md +63 -0
  126. package/i18n/ja/references/rules-document-tools.md +126 -0
  127. package/i18n/ja/references/rules-end-of-flow.md +150 -0
  128. package/i18n/ja/references/rules-export-document.md +346 -0
  129. package/i18n/ja/references/rules-file-integration.md +65 -0
  130. package/i18n/ja/references/rules-full.md +66 -0
  131. package/i18n/ja/references/rules-import-document.md +261 -0
  132. package/i18n/ja/references/rules-product-type.md +14 -0
  133. package/i18n/ja/references/rules-progress.md +60 -0
  134. package/i18n/ja/references/rules-quick.md +29 -0
  135. package/i18n/ja/references/rules-revision.md +64 -0
  136. package/i18n/ko/SKILL.md +245 -0
  137. package/i18n/ko/commands/product-build.md +13 -0
  138. package/i18n/ko/commands/product-dev.md +21 -0
  139. package/i18n/ko/commands/product-full.md +13 -0
  140. package/i18n/ko/commands/product-prd.md +14 -0
  141. package/i18n/ko/commands/product-quick.md +13 -0
  142. package/i18n/ko/commands/product-report.md +12 -0
  143. package/i18n/ko/commands/product-revision.md +13 -0
  144. package/i18n/ko/references/00-opportunity-check.md +44 -0
  145. package/i18n/ko/references/01-strategy.md +90 -0
  146. package/i18n/ko/references/02a-persona.md +57 -0
  147. package/i18n/ko/references/02b-jtbd.md +125 -0
  148. package/i18n/ko/references/02c-ost-journey.md +65 -0
  149. package/i18n/ko/references/03-define.md +118 -0
  150. package/i18n/ko/references/04a-prfaq.md +112 -0
  151. package/i18n/ko/references/04b-solutions.md +269 -0
  152. package/i18n/ko/references/04c-mvp.md +21 -0
  153. package/i18n/ko/references/05a-northstar-aha.md +93 -0
  154. package/i18n/ko/references/05b-pmf-gtm.md +102 -0
  155. package/i18n/ko/references/05c-validation-spec.md +117 -0
  156. package/i18n/ko/references/06-html-report.md +126 -0
  157. package/i18n/ko/references/07a-handoff-core.md +152 -0
  158. package/i18n/ko/references/07b-tasks-tickets.md +215 -0
  159. package/i18n/ko/references/07c-architecture-setup.md +197 -0
  160. package/i18n/ko/references/08-security-checklist.md +221 -0
  161. package/i18n/ko/references/rules-build.md +152 -0
  162. package/i18n/ko/references/rules-change-propagation.md +74 -0
  163. package/i18n/ko/references/rules-commands.md +98 -0
  164. package/i18n/ko/references/rules-context.md +291 -0
  165. package/i18n/ko/references/rules-custom.md +63 -0
  166. package/i18n/ko/references/rules-document-tools.md +126 -0
  167. package/i18n/ko/references/rules-end-of-flow.md +150 -0
  168. package/i18n/ko/references/rules-export-document.md +346 -0
  169. package/i18n/ko/references/rules-file-integration.md +65 -0
  170. package/i18n/ko/references/rules-full.md +66 -0
  171. package/i18n/ko/references/rules-import-document.md +261 -0
  172. package/i18n/ko/references/rules-product-type.md +14 -0
  173. package/i18n/ko/references/rules-progress.md +60 -0
  174. package/i18n/ko/references/rules-quick.md +29 -0
  175. package/i18n/ko/references/rules-revision.md +64 -0
  176. package/i18n/zh-CN/SKILL.md +245 -0
  177. package/i18n/zh-CN/commands/product-build.md +13 -0
  178. package/i18n/zh-CN/commands/product-dev.md +21 -0
  179. package/i18n/zh-CN/commands/product-full.md +13 -0
  180. package/i18n/zh-CN/commands/product-prd.md +14 -0
  181. package/i18n/zh-CN/commands/product-quick.md +13 -0
  182. package/i18n/zh-CN/commands/product-report.md +12 -0
  183. package/i18n/zh-CN/commands/product-revision.md +13 -0
  184. package/i18n/zh-CN/references/00-opportunity-check.md +44 -0
  185. package/i18n/zh-CN/references/01-strategy.md +90 -0
  186. package/i18n/zh-CN/references/02a-persona.md +57 -0
  187. package/i18n/zh-CN/references/02b-jtbd.md +125 -0
  188. package/i18n/zh-CN/references/02c-ost-journey.md +65 -0
  189. package/i18n/zh-CN/references/03-define.md +118 -0
  190. package/i18n/zh-CN/references/04a-prfaq.md +106 -0
  191. package/i18n/zh-CN/references/04b-solutions.md +269 -0
  192. package/i18n/zh-CN/references/04c-mvp.md +21 -0
  193. package/i18n/zh-CN/references/05a-northstar-aha.md +93 -0
  194. package/i18n/zh-CN/references/05b-pmf-gtm.md +102 -0
  195. package/i18n/zh-CN/references/05c-validation-spec.md +117 -0
  196. package/i18n/zh-CN/references/06-html-report.md +123 -0
  197. package/i18n/zh-CN/references/07a-handoff-core.md +152 -0
  198. package/i18n/zh-CN/references/07b-tasks-tickets.md +215 -0
  199. package/i18n/zh-CN/references/07c-architecture-setup.md +197 -0
  200. package/i18n/zh-CN/references/08-security-checklist.md +221 -0
  201. package/i18n/zh-CN/references/rules-build.md +152 -0
  202. package/i18n/zh-CN/references/rules-change-propagation.md +74 -0
  203. package/i18n/zh-CN/references/rules-commands.md +98 -0
  204. package/i18n/zh-CN/references/rules-context.md +291 -0
  205. package/i18n/zh-CN/references/rules-custom.md +63 -0
  206. package/i18n/zh-CN/references/rules-document-tools.md +126 -0
  207. package/i18n/zh-CN/references/rules-end-of-flow.md +150 -0
  208. package/i18n/zh-CN/references/rules-export-document.md +346 -0
  209. package/i18n/zh-CN/references/rules-file-integration.md +65 -0
  210. package/i18n/zh-CN/references/rules-full.md +66 -0
  211. package/i18n/zh-CN/references/rules-import-document.md +261 -0
  212. package/i18n/zh-CN/references/rules-product-type.md +14 -0
  213. package/i18n/zh-CN/references/rules-progress.md +60 -0
  214. package/i18n/zh-CN/references/rules-quick.md +29 -0
  215. package/i18n/zh-CN/references/rules-revision.md +64 -0
  216. package/i18n/zh-TW/SKILL.md +244 -0
  217. package/i18n/zh-TW/commands/product-build.md +13 -0
  218. package/i18n/zh-TW/commands/product-dev.md +21 -0
  219. package/i18n/zh-TW/commands/product-full.md +13 -0
  220. package/i18n/zh-TW/commands/product-prd.md +14 -0
  221. package/i18n/zh-TW/commands/product-quick.md +13 -0
  222. package/i18n/zh-TW/commands/product-report.md +12 -0
  223. package/i18n/zh-TW/commands/product-revision.md +13 -0
  224. package/i18n/zh-TW/references/00-opportunity-check.md +44 -0
  225. package/i18n/zh-TW/references/01-strategy.md +90 -0
  226. package/i18n/zh-TW/references/02a-persona.md +57 -0
  227. package/i18n/zh-TW/references/02b-jtbd.md +125 -0
  228. package/i18n/zh-TW/references/02c-ost-journey.md +65 -0
  229. package/i18n/zh-TW/references/03-define.md +118 -0
  230. package/i18n/zh-TW/references/04a-prfaq.md +106 -0
  231. package/i18n/zh-TW/references/04b-solutions.md +269 -0
  232. package/i18n/zh-TW/references/04c-mvp.md +21 -0
  233. package/i18n/zh-TW/references/05a-northstar-aha.md +93 -0
  234. package/i18n/zh-TW/references/05b-pmf-gtm.md +102 -0
  235. package/i18n/zh-TW/references/05c-validation-spec.md +117 -0
  236. package/i18n/zh-TW/references/06-html-report.md +123 -0
  237. package/i18n/zh-TW/references/07a-handoff-core.md +152 -0
  238. package/i18n/zh-TW/references/07b-tasks-tickets.md +215 -0
  239. package/i18n/zh-TW/references/07c-architecture-setup.md +197 -0
  240. package/i18n/zh-TW/references/08-security-checklist.md +221 -0
  241. package/i18n/zh-TW/references/rules-build.md +152 -0
  242. package/i18n/zh-TW/references/rules-change-propagation.md +74 -0
  243. package/i18n/zh-TW/references/rules-commands.md +98 -0
  244. package/i18n/zh-TW/references/rules-context.md +291 -0
  245. package/i18n/zh-TW/references/rules-custom.md +63 -0
  246. package/i18n/zh-TW/references/rules-document-tools.md +126 -0
  247. package/i18n/zh-TW/references/rules-end-of-flow.md +150 -0
  248. package/i18n/zh-TW/references/rules-export-document.md +346 -0
  249. package/i18n/zh-TW/references/rules-file-integration.md +65 -0
  250. package/i18n/zh-TW/references/rules-full.md +66 -0
  251. package/i18n/zh-TW/references/rules-import-document.md +261 -0
  252. package/i18n/zh-TW/references/rules-product-type.md +14 -0
  253. package/i18n/zh-TW/references/rules-progress.md +60 -0
  254. package/i18n/zh-TW/references/rules-quick.md +29 -0
  255. package/i18n/zh-TW/references/rules-revision.md +64 -0
  256. package/install.sh +418 -0
  257. package/package.json +41 -0
  258. package/references/00-opportunity-check.md +44 -0
  259. package/references/01-strategy.md +90 -0
  260. package/references/02a-persona.md +57 -0
  261. package/references/02b-jtbd.md +125 -0
  262. package/references/02c-ost-journey.md +65 -0
  263. package/references/03-define.md +118 -0
  264. package/references/04a-prfaq.md +106 -0
  265. package/references/04b-solutions.md +269 -0
  266. package/references/04c-mvp.md +21 -0
  267. package/references/05a-northstar-aha.md +93 -0
  268. package/references/05b-pmf-gtm.md +102 -0
  269. package/references/05c-validation-spec.md +117 -0
  270. package/references/06-html-report.md +123 -0
  271. package/references/07a-handoff-core.md +152 -0
  272. package/references/07b-tasks-tickets.md +215 -0
  273. package/references/07c-architecture-setup.md +197 -0
  274. package/references/08-security-checklist.md +221 -0
  275. package/references/rules-build.md +152 -0
  276. package/references/rules-change-propagation.md +74 -0
  277. package/references/rules-commands.md +98 -0
  278. package/references/rules-context.md +291 -0
  279. package/references/rules-custom.md +63 -0
  280. package/references/rules-document-tools.md +126 -0
  281. package/references/rules-end-of-flow.md +150 -0
  282. package/references/rules-export-document.md +346 -0
  283. package/references/rules-file-integration.md +65 -0
  284. package/references/rules-full.md +66 -0
  285. package/references/rules-import-document.md +261 -0
  286. package/references/rules-product-type.md +14 -0
  287. package/references/rules-progress.md +60 -0
  288. package/references/rules-quick.md +29 -0
  289. package/references/rules-revision.md +64 -0
  290. package/references/templates/prd-style.css +464 -0
  291. package/references/templates/report-style.css +114 -0
@@ -0,0 +1,197 @@
1
+ # Development Handoff — ARCHITECTURE.md + setup.sh
2
+
3
+ ## 📄 ARCHITECTURE.md Template
4
+
5
+ ```markdown
6
+ # [Product Name] — Technical Architecture
7
+
8
+ ## Directory Structure
9
+
10
+ [Generate the corresponding directory structure based on the tech stack]
11
+
12
+ ## Database Design
13
+
14
+ [Consolidate from the PRD's DB Schema — convert to CREATE TABLE SQL or ORM model definitions]
15
+
16
+ ### ER Diagram
17
+
18
+ [Mermaid erDiagram]
19
+
20
+ ### Key Table Descriptions
21
+
22
+ | Table | Description | Key Fields | Index Recommendations |
23
+ |-------|------------|------------|----------------------|
24
+ | | | | |
25
+
26
+ ## API Design
27
+
28
+ [Define RESTful API endpoints or GraphQL schema based on User Stories and feature specs]
29
+
30
+ ### Endpoints List
31
+
32
+ | Method | Path | Description | Corresponding Task |
33
+ |--------|------|------------|-------------------|
34
+ | GET | /api/v1/[resource] | [Description] | T1.1 |
35
+ | POST | /api/v1/[resource] | [Description] | T1.2 |
36
+
37
+ ### Authentication
38
+
39
+ [JWT / Session / OAuth, etc.]
40
+
41
+ ## Third-Party Services
42
+
43
+ | Service | Purpose | Corresponding Feature |
44
+ |---------|---------|----------------------|
45
+ | | | |
46
+
47
+ ## Security Architecture
48
+
49
+ ### CORS Configuration
50
+
51
+ | Setting | Value | Notes |
52
+ |---------|-------|-------|
53
+ | Allowed Origins | [Production domain, localhost:port] | Do not use wildcard * |
54
+ | Allowed Methods | GET, POST, PUT, DELETE | Based on actual API needs |
55
+ | Allowed Headers | Content-Type, Authorization | |
56
+ | Credentials | true/false | Depends on authentication method |
57
+
58
+ ### Security Headers
59
+
60
+ [Select applicable headers from references/08-security-checklist.md §5 based on product requirements]
61
+
62
+ ### Rate Limiting Strategy
63
+
64
+ | Endpoint Type | Limit | Identification Method |
65
+ |--------------|-------|----------------------|
66
+ | General API | [X] req/min | IP + User ID |
67
+ | Login/Register | [X] req/min | IP |
68
+ | File Upload | [X] req/min | User ID |
69
+
70
+ ### Sensitive Data Handling
71
+
72
+ - Secret management: [.env + platform env vars / Secrets Manager]
73
+ - Logging rules: Never log passwords, tokens, or personal data
74
+ - Data encryption: [TLS in transit / encryption at rest requirements]
75
+
76
+ > Full security checklist at `references/08-security-checklist.md`
77
+ ```
78
+
79
+ ---
80
+
81
+ ## 📄 .gitignore Template
82
+
83
+ ```gitignore
84
+ # Environment variables and secrets
85
+ .env
86
+ .env.local
87
+ .env.*.local
88
+ *.pem
89
+ *.key
90
+
91
+ # Product planning progress (may contain sensitive business information)
92
+ .product-playbook-progress.md
93
+
94
+ # IDE and OS
95
+ .idea/
96
+ .vscode/
97
+ *.swp
98
+ .DS_Store
99
+ Thumbs.db
100
+
101
+ # Dependencies
102
+ node_modules/
103
+ __pycache__/
104
+ *.pyc
105
+ venv/
106
+
107
+ # Build output
108
+ dist/
109
+ build/
110
+ .next/
111
+ ```
112
+
113
+ ---
114
+
115
+ ## 📄 setup.sh Template
116
+
117
+ ```bash
118
+ #!/bin/bash
119
+ # [Product Name] — Project Initialization Script
120
+ # Usage: chmod +x scripts/setup.sh && ./scripts/setup.sh
121
+
122
+ set -e
123
+
124
+ echo "🚀 Initializing [Product Name]..."
125
+
126
+ # ===== Check prerequisites =====
127
+ command -v [node/python/etc] >/dev/null 2>&1 || { echo "❌ [runtime] is required"; exit 1; }
128
+
129
+ # ===== Install dependencies =====
130
+ echo "📦 Installing dependencies..."
131
+ [npm install / pip install -r requirements.txt / etc]
132
+
133
+ # ===== Environment setup =====
134
+ if [ ! -f .env ]; then
135
+ echo "📝 Creating .env file..."
136
+ cp .env.example .env
137
+ echo "⚠️ Please edit .env and fill in the required environment variables"
138
+ fi
139
+
140
+ # ===== Database initialization =====
141
+ echo "🗄️ Initializing database..."
142
+ [migration commands]
143
+
144
+ echo ""
145
+ echo "✅ Initialization complete!"
146
+ echo ""
147
+ echo "Next steps:"
148
+ echo " 1. Edit .env to fill in environment variables"
149
+ echo " 2. Start the dev server: [start command]"
150
+ echo " 3. Start developing: claude \"Read CLAUDE.md and TASKS.md, then start executing Phase 1\""
151
+ ```
152
+
153
+ ---
154
+
155
+ ## User Guidance Text
156
+
157
+ ### In Claude Chat / Cowork
158
+
159
+ After producing the handoff package, display the following guidance:
160
+
161
+ ```
162
+ 📦 Development handoff package is ready! It includes the following files:
163
+
164
+ CLAUDE.md → Claude Code's project memory (product context + tech specs)
165
+ TASKS.md → Development task list (4 Phases, [N] Tasks total)
166
+ TICKETS.md → Ticket list ([N] tickets, ready to create in Jira/Asana/Linear)
167
+ docs/PRD.md → Full PRD
168
+ docs/ARCHITECTURE.md → Technical architecture (DB schema + API + directory structure)
169
+ docs/PRODUCT-SPEC.md → Product Spec Summary
170
+ scripts/setup.sh → One-click initialization script
171
+
172
+ 🔗 How to start developing:
173
+
174
+ 1. Download and extract to your project folder
175
+ 2. Open a terminal and navigate to the project folder
176
+ 3. Launch Claude Code:
177
+ $ claude
178
+ 4. Tell Claude Code to begin:
179
+ > Read CLAUDE.md and TASKS.md, then start executing Phase 0
180
+
181
+ 💡 Tips:
182
+ - Claude Code automatically reads CLAUDE.md, so it already knows the full product context
183
+ - After each Phase is complete, it will ask whether to proceed to the next Phase
184
+ - To adjust feature scope, just edit TASKS.md directly
185
+ - The "Explicitly Not Doing" list in CLAUDE.md prevents Claude Code from building out of scope
186
+ ```
187
+
188
+ ### Pre-Output Final Confirmation
189
+
190
+ ```
191
+ Before producing the development handoff package, I need to confirm a few things:
192
+
193
+ 1. Tech stack: [Confirmed / Needs confirmation]
194
+ 2. Product name (for the project folder name): [Confirmed / Needs confirmation]
195
+ 3. Any other technical constraints or preferences?
196
+ - e.g., Must use a specific ORM, need to support specific browsers, existing CI/CD, etc.
197
+ ```
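Review bot: In the setup.sh template, the "Database initialization" step runs in the same pass that has just copied `.env.example` to `.env`, so `[migration commands]` execute against placeholder values before the user has edited anything. Suggest exiting after the copy with a message to fill in `.env` and re-run, and creating the file under `umask 077` so the secrets later written to it are not group- or world-readable. In the .gitignore template, `.env`, `.env.local` and `.env.*.local` do not match names such as `.env.production`; `.env.*` followed by `!.env.example` would cover them while keeping the example file tracked.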
@@ -0,0 +1,221 @@
1
+ # Security Checklist
2
+
3
+ > Loaded before producing the development handoff package. Ensures that critical security requirements are considered during the product planning phase, preventing security from becoming an afterthought.
4
+
5
+ ## 🔐 Security Architecture Quick Check
6
+
7
+ Before producing the development handoff package, verify each of the following security aspects. Mark each as ✅ (covered in planning) or ❌ (needs to be added).
8
+
9
+ ### 1. Authentication & Authorization
10
+
11
+ ```
12
+ | Check Item | Status | Notes |
13
+ |-----------|--------|-------|
14
+ | Authentication method determined (JWT / Session / OAuth / Passkey) | | |
15
+ | Token storage is secure (HttpOnly Cookie, not localStorage) | | |
16
+ | Token expiration and refresh mechanism designed | | |
17
+ | Password storage uses bcrypt / argon2 (not MD5/SHA) | | |
18
+ | Permission model defined (RBAC / ABAC / simple roles) | | |
19
+ | All API endpoints have corresponding authorization checks | | |
20
+ | Login failures have brute-force protection (lockout / progressive delay) | | |
21
+ ```
22
+
23
+ **JWT Best Practices (if using JWT):**
24
+ - Use short-lived Access Tokens (15-30 minutes) + long-lived Refresh Tokens
25
+ - Store Refresh Tokens in HttpOnly Secure Cookies
26
+ - Implement Token Revocation (invalidate Refresh Token on logout)
27
+ - Do not store sensitive information in the JWT payload
28
+
29
+ ### 2. CORS Policy (Cross-Origin Resource Sharing)
30
+
31
+ ```
32
+ | Check Item | Status | Notes |
33
+ |-----------|--------|-------|
34
+ | Allowed Origin list defined (no wildcard *) | | |
35
+ | Only necessary HTTP methods are allowed | | |
36
+ | Access-Control-Allow-Credentials configured | | |
37
+ | Preflight cache duration is reasonable (Access-Control-Max-Age) | | |
38
+ ```
39
+
40
+ **CORS Configuration Template:**
41
+ ```
42
+ Allowed Origins:
43
+ - Production: https://[your-domain.com]
44
+ - Development: http://localhost:[port]
45
+
46
+ Allowed Methods: GET, POST, PUT, DELETE, PATCH
47
+ Allowed Headers: Content-Type, Authorization
48
+ Credentials: true (if using cookie-based auth)
49
+ Max-Age: 86400 (24 hours)
50
+ ```
51
+
52
+ ### 3. Input Validation & Sanitization
53
+
54
+ ```
55
+ | Check Item | Status | Notes |
56
+ |-----------|--------|-------|
57
+ | All API inputs have server-side validation | | |
58
+ | Parameterized queries used to prevent SQL Injection | | |
59
+ | User input is output-encoded before rendering to HTML (XSS prevention) | | |
60
+ | File uploads have type / size restrictions | | |
61
+ | URL / redirect targets have whitelist validation (Open Redirect prevention) | | |
62
+ ```
63
+
64
+ **Validation Principles:**
65
+ - Frontend validation is UX; backend validation is security — both are needed, but backend validation is non-negotiable
66
+ - Use a Schema Validation Library (e.g., Zod, Joi, Pydantic) for unified validation logic
67
+ - Reject inputs that don't match expected formats — don't try to "fix" user input
68
+
69
+ ### 4. CSRF Protection (Cross-Site Request Forgery)
70
+
71
+ ```
72
+ | Check Item | Status | Notes |
73
+ |-----------|--------|-------|
74
+ | State-changing operations use POST/PUT/DELETE (not GET) | | |
75
+ | CSRF Token implemented or SameSite Cookie used | | |
76
+ | Critical operations have secondary confirmation | | |
77
+ ```
78
+
79
+ ### 5. Security Headers
80
+
81
+ ```
82
+ | Header | Purpose | Recommended Value |
83
+ |--------|---------|-------------------|
84
+ | Content-Security-Policy (CSP) | Prevent XSS, data injection | default-src 'self'; script-src 'self' |
85
+ | X-Content-Type-Options | Prevent MIME sniffing | nosniff |
86
+ | X-Frame-Options | Prevent clickjacking | DENY or SAMEORIGIN |
87
+ | Strict-Transport-Security (HSTS) | Enforce HTTPS | max-age=31536000; includeSubDomains |
88
+ | X-XSS-Protection | Browser XSS filter | 0 (relying on CSP is more reliable) |
89
+ | Referrer-Policy | Control referrer information | strict-origin-when-cross-origin |
90
+ | Permissions-Policy | Restrict browser features | camera=(), microphone=(), geolocation=() |
91
+ ```
92
+
93
+ ### 6. API Security & Rate Limiting
94
+
95
+ ```
96
+ | Check Item | Status | Notes |
97
+ |-----------|--------|-------|
98
+ | API has global rate limiting (e.g., 100 req/min/IP) | | |
99
+ | Sensitive endpoints have stricter limits (login 5 req/min, register 3 req/min) | | |
100
+ | API error responses don't leak internal details (stack traces, SQL statements) | | |
101
+ | API versioning strategy determined (/api/v1/) | | |
102
+ | Bulk data endpoints have pagination limits | | |
103
+ ```
104
+
105
+ **Rate Limiting Design Recommendations:**
106
+ ```
107
+ | Endpoint Type | Recommended Limit | Identification Method |
108
+ |--------------|-------------------|----------------------|
109
+ | General API | 100 req/min | IP + User ID |
110
+ | Login/Register | 5 req/min | IP |
111
+ | Password Reset | 3 req/hour | IP + Email |
112
+ | File Upload | 10 req/min | User ID |
113
+ | Search/Query | 30 req/min | IP + User ID |
114
+ ```
115
+
116
+ ### 7. Anti-Scraping & Bot Protection
117
+
118
+ ```
119
+ | Check Item | Status | Notes |
120
+ |-----------|--------|-------|
121
+ | robots.txt configured (restrict sensitive paths) | | |
122
+ | Critical forms have bot protection (reCAPTCHA / hCaptcha / Honeypot) | | |
123
+ | API has User-Agent checks (optional) | | |
124
+ | Sensitive operations have behavioral analysis (optional, advanced) | | |
125
+ ```
126
+
127
+ **Layered Protection Strategy:**
128
+ 1. **Basic layer**: Rate Limiting + robots.txt — Every product should have this
129
+ 2. **Standard layer**: + CAPTCHA (registration/login) + Honeypot fields — Recommended for B2C products
130
+ 3. **Advanced layer**: + Behavioral analysis + IP reputation + Device Fingerprint — High-risk products
131
+
132
+ ### 8. Sensitive Data Protection
133
+
134
+ ```
135
+ | Check Item | Status | Notes |
136
+ |-----------|--------|-------|
137
+ | Sensitive data encrypted in transit (HTTPS/TLS) | | |
138
+ | Sensitive data encrypted at rest (if required) | | |
139
+ | Secrets and keys not stored in code | | |
140
+ | .env and sensitive files added to .gitignore | | |
141
+ | Logs don't record passwords, tokens, credit card numbers, etc. | | |
142
+ | Clear data retention and deletion policy (GDPR if applicable) | | |
143
+ ```
144
+
145
+ **Secrets Management Recommendations:**
146
+ - Development: `.env` file (not in version control) + `.env.example` (key names only, no values)
147
+ - Production: Use platform-provided env var management (Vercel Environment Variables / Railway Variables / AWS Secrets Manager)
148
+ - Never mention secrets in commit messages, PR descriptions, or issues
149
+
150
+ ### 9. .gitignore Security Template
151
+
152
+ ```gitignore
153
+ # Environment variables and secrets
154
+ .env
155
+ .env.local
156
+ .env.*.local
157
+ *.pem
158
+ *.key
159
+
160
+ # Product planning progress (may contain sensitive business information)
161
+ .product-playbook-progress.md
162
+
163
+ # IDE and OS
164
+ .idea/
165
+ .vscode/
166
+ *.swp
167
+ .DS_Store
168
+ Thumbs.db
169
+
170
+ # Dependencies
171
+ node_modules/
172
+ __pycache__/
173
+ *.pyc
174
+ venv/
175
+
176
+ # Build output
177
+ dist/
178
+ build/
179
+ .next/
180
+ ```
181
+
182
+ ---
183
+
184
+ ## 🏷️ OWASP Top 10 Quick Reference
185
+
186
+ | # | Risk | Relevant to This Product? | Corresponding Check |
187
+ |---|------|--------------------------|-------------------|
188
+ | A01 | Broken Access Control | [Yes/No] | §1 Authentication & Authorization |
189
+ | A02 | Cryptographic Failures | [Yes/No] | §8 Sensitive Data Protection |
190
+ | A03 | Injection (SQL / XSS / Command) | [Yes/No] | §3 Input Validation |
191
+ | A04 | Insecure Design | [Yes/No] | Overall architecture design |
192
+ | A05 | Security Misconfiguration | [Yes/No] | §5 Headers + §2 CORS |
193
+ | A06 | Vulnerable Components | [Yes/No] | Dependency management (npm audit / pip audit) |
194
+ | A07 | Authentication Failures | [Yes/No] | §1 Authentication & Authorization |
195
+ | A08 | Data Integrity Failures | [Yes/No] | §3 Input Validation + §8 Data Protection |
196
+ | A09 | Logging & Monitoring Failures | [Yes/No] | §8 Logging rules |
197
+ | A10 | SSRF (Server-Side Request Forgery) | [Yes/No] | §3 URL whitelist validation |
198
+
199
+ ---
200
+
201
+ ## 📎 Integration Timing
202
+
203
+ | Trigger | Integration Action |
204
+ |---------|-------------------|
205
+ | Before producing the dev handoff package | Run the security quick check, integrate results into CLAUDE.md "Risk Alerts" and ARCHITECTURE.md "Security Architecture" sections |
206
+ | When producing the PRD | Integrate security check results into PRD §6 "Technical Considerations → Security Requirements" |
207
+ | Pre-mortem step | Prompt the user to consider security failure scenarios |
208
+ | Revision mode S1 | Prompt the user to provide the existing product's current security posture |
209
+
210
+ ## Quality Self-Check
211
+
212
+ ```
213
+ | Check Item | ✅/❌ |
214
+ |-----------|------|
215
+ | Authentication method explicitly chosen, not left as "TBD" | |
216
+ | At least 3 security headers planned | |
217
+ | Rate limiting strategy tailored to product characteristics (not just copied from template) | |
218
+ | .gitignore includes all sensitive files | |
219
+ | All OWASP Top 10 items marked "relevant" have corresponding measures | |
220
+ | Security measure complexity matches the product stage (MVP doesn't need perfect security, but the basics are non-negotiable) | |
221
+ ```
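Review bot: In the §9 `.gitignore` template, the patterns `.env`, `.env.local` and `.env.*.local` do not match per-environment files such as `.env.production` or `.env.staging`, so the Quality Self-Check item ".gitignore includes all sensitive files" can be ticked while those files are still tracked. Consider `.env.*` with an explicit `!.env.example` exception, and extend the key patterns beyond `*.pem` / `*.key` to keystore formats such as `*.p12` and `*.pfx`. A sentence noting that `.gitignore` does not untrack files that are already committed would also help. Separately, the A06 row of the OWASP table writes `pip audit`, but the tool is invoked as `pip-audit`. The table also does not say which Top 10 edition the A01 to A10 labels follow.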
@@ -0,0 +1,152 @@
1
+ # ⚡ Build Mode Step Sequence (7 Steps + Final Output)
2
+
3
+ > This file is the authoritative step definition for Build Mode. Loaded by the SKILL.md core dispatcher.
4
+
5
+ > ⚠️ Required reminder: "Skipping the user research phase means your solution is built on assumptions. We recommend conducting Continuous Discovery as soon as possible after execution to validate."
6
+
7
+ ## Step Sequence
8
+
9
+ ```
10
+ S1. Confirm problem statement (one sentence)
11
+ S2. PR-FAQ → Read references/04a-prfaq.md
12
+ S3. Parallel solutions → Read references/04b-solutions.md → 3.2
13
+ S4. Pre-mortem → Read references/04b-solutions.md → 3.3
14
+ S5. GEM + RICE Prioritization → Read references/04b-solutions.md → 3.4 + 3.5
15
+ S6. MVP + Not Doing List → Read references/04c-mvp.md
16
+ S7. North Star + Aha Moment → Read references/05a-northstar-aha.md
17
+ ────
18
+ Final Output → Engineer-oriented execution summary
19
+ ```
20
+
21
+ ## Reference Loading Instructions
22
+
23
+ | Step | Reference File |
24
+ |------|---------------|
25
+ | S1 | No external reference needed (directly guide the user to state the problem) |
26
+ | S2 | `references/04a-prfaq.md` |
27
+ | S3-S5 | `references/04b-solutions.md` |
28
+ | S6 | `references/04c-mvp.md` |
29
+ | S7 | `references/05a-northstar-aha.md` |
30
+
31
+ ## Final Output Format
32
+
33
+ **Engineer-oriented execution summary**: Solution decisions → MVP boundary → Success metrics → Key risks
34
+
35
+ After completion, follow `references/rules-end-of-flow.md` to execute the end-of-flow rules.
36
+
37
+ ---
38
+
39
+ ## 🔧 Feature Extension Quick Path (4 Steps)
40
+
41
+ > Automatically switches to this path when the user is **adding a single feature to an existing product**.
42
+ > Trigger conditions: User description includes phrases like "add a feature," "new feature," "add XX functionality," "on the existing system," "existing product needs," etc.
43
+
44
+ **Differences from the full Build Mode (7 steps)**: An existing product already has a North Star, Aha Moment, and product positioning — no need to redefine them. A single feature does not require a PR-FAQ press release or full GEM+RICE re-prioritization. The focus is on "what to add, how to add it, and whether it will break existing functionality."
45
+
46
+ ### Feature Extension Step Sequence
47
+
48
+ ```
49
+ S1. Problem + existing system context
50
+ S2. Three parallel solutions + pros/cons + AI recommendation → Read references/04b-solutions.md → 3.2
51
+ S3. Risk assessment (regression + compatibility) → Read references/04b-solutions.md → 3.3
52
+ S4. Execution scope (what to do / what not to touch / acceptance criteria) → Read references/04c-mvp.md
53
+ ────
54
+ Final Output → Feature development spec
55
+ ```
56
+
57
+ ### S1 Pre-step: Product Context Loading
58
+
59
+ Before entering S1, read `references/rules-context.md` and check `.product-context.md`:
60
+
61
+ - **Complete context available (Scenario 1)**: Automatically bring in product name, tech stack, key modules, and the 3 most recent Decision History entries. Change S1 guidance to **confirmation-style**: "Your product is [name], using [tech stack], with key modules including [module list]. What feature do you want to add? Which modules will be affected?" (Questions 2 and part of question 3 are pre-filled — just needs confirmation)
62
+ - **No context (Scenario 2)**: Trigger Context Bootstrap (`rules-context.md` Section 4), then proceed to the standard S1 below
63
+ - **Partial context (Scenario 3)**: Bring in known tech stack and modules (merged from Decision History), and collect the missing parts. For example: "Besides [known modules], are there other modules that might be affected?"
64
+
65
+ ### S1 Guidance Content (Problem + Existing System Context)
66
+
67
+ Claude needs to collect the following information (guide step by step — do not ask all questions at once. If context has pre-filled some answers, confirm rather than re-collect):
68
+
69
+ ```
70
+ 1. What feature do you want to add? What problem does it solve?
71
+ 2. Current product architecture overview (tech stack, key modules) ← context can pre-fill
72
+ 3. Which existing modules will this feature affect? ← context can partially pre-fill
73
+ 4. Is there any user feedback or data supporting this requirement?
74
+ ```
75
+
76
+ ### S2 Guidance Content (Three Parallel Solutions + AI Recommendation)
77
+
78
+ ```
79
+ | HMW | Solution A (Conservative / minimal change) | Solution B (Balanced) | Solution C (Bold / refactor) |
80
+ |-----|-------------------------------------------|----------------------|----------------------------|
81
+ | [Problem] | | | |
82
+
83
+ | Solution | Pros | Cons | Impact Scope | Implementation Complexity |
84
+ |----------|------|------|-------------|--------------------------|
85
+ | A | | | | |
86
+ | B | | | | |
87
+ | C | | | | |
88
+
89
+ 🤖 AI Recommendation: Solution [X]
90
+ Rationale: [Comprehensive judgment based on impact scope, complexity, and risk]
91
+ ```
92
+
93
+ ### S3 Guidance Content (Risk Assessment — Focused on Regression & Compatibility)
94
+
95
+ ```
96
+ | Risk Type | Specific Risk | Likelihood | Mitigation |
97
+ |-----------|--------------|------------|------------|
98
+ | Regression risk | [Areas where existing features may be affected] | | |
99
+ | Compatibility risk | [Conflicts with existing architecture/data/APIs] | | |
100
+ | Performance risk | [Impact of the new feature on system performance] | | |
101
+ | Security risk | [Security considerations introduced by the new feature] | | |
102
+ ```
103
+
104
+ ### S4 Guidance Content (Execution Scope)
105
+
106
+ ```
107
+ **What to do (Scope)**:
108
+ - [Specific feature items to add]
109
+ - [Existing modules that need modification]
110
+
111
+ **Do Not Touch**:
112
+ - [Modules and features explicitly not to modify]
113
+ - [Reason for not touching them]
114
+
115
+ **Acceptance Criteria**:
116
+ - [ ] [Specific testable condition]
117
+ - [ ] [Regression test: confirm existing features are unaffected]
118
+ ```
119
+
120
+ ### Feature Extension Final Output Format
121
+
122
+ **Feature development spec**: Problem statement → Selected solution + rationale → Impact scope → Execution scope + acceptance criteria → Risk list
123
+
124
+ ### Incremental Document Output (when source document is available)
125
+
126
+ If the user uploaded a source document (PRD, spec, etc.) during the process:
127
+
128
+ 1. **Incremental version** (default when source document exists):
129
+ - Insert/modify sections in the original document structure
130
+ - Maintain the original file's format, style, and naming conventions
131
+ - New content marked with `[NEW]`
132
+ - Modified content marked with `[UPDATED]` with original preserved as reference
133
+ - Sections unrelated to the new feature remain completely untouched
134
+
135
+ 2. **Standalone version** (when no source document):
136
+ - Use the standard Feature development spec format (as defined above)
137
+
138
+ 3. **Ask the user before generating**:
139
+ "I detected that you uploaded a [document type]. How would you like the output?
140
+ A) Incremental update on the original document (recommended)
141
+ B) Standalone feature development spec"
142
+
143
+ ### Reference Loading Instructions
144
+
145
+ | Step | Reference File |
146
+ |------|---------------|
147
+ | S1 | No external reference needed |
148
+ | S2 | `references/04b-solutions.md` → 3.2 |
149
+ | S3 | `references/04b-solutions.md` → 3.3 |
150
+ | S4 | `references/04c-mvp.md` |
151
+
152
+ After completion, follow `references/rules-end-of-flow.md` to execute the end-of-flow rules.
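Review bot: The Feature Extension Quick Path (lines 41-42 of the new file) switches automatically on phrases as broad as "new feature" and "add a feature", with no confirmation step, so a request that merely contains one of them drops the PR-FAQ, GEM + RICE prioritization and North Star steps without the user being told. Suggest asking the user to confirm the switch, as the Incremental Document Output section already does with "Ask the user before generating". Also, the S1 pre-step loads tech stack, key modules and Decision History from `.product-context.md`, while the `.gitignore` template earlier in this diff flags only `.product-playbook-progress.md` as possibly sensitive. Please state whether `.product-context.md` is meant to be committed.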
@@ -0,0 +1,74 @@
1
+ # 🔄 Change Propagation Rules
2
+
3
+ > Loaded when the user modifies a previously completed step.
4
+
5
+ ## 📍 Progress Indicator (must be displayed at every step)
6
+
7
+ When executing any step, Claude must display a progress bar at the very beginning of the response, in this format:
8
+
9
+ ```
10
+ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
11
+ 📍 [Execution Mode] | Progress S[current step number] / S[total steps]
12
+ ✅ S1: [Step name] (completed)
13
+ ✅ S2: [Step name] (completed)
14
+ ▶️ S3: [Step name] (in progress)
15
+ ⬜ S4: [Step name] (pending)
16
+ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
17
+ ```
18
+
19
+ This progress indicator must appear in the following situations:
20
+ - When entering a new step
21
+ - When the user goes back to a step to make modifications
22
+ - When completing a step and prompting the user for confirmation before moving to the next step
23
+
24
+ ## Trigger Methods
25
+ - "Go back to Persona," "Go back to JTBD," "Go back to HMW," "Go back to PR-FAQ," or any other step name
26
+ - "I want to modify [step name]," "[step name] — I want to change something"
27
+ - Directly referencing an already-produced table or content with "change this to..."
28
+
29
+ ## Required Actions After Modification
30
+
31
+ When any step is modified, Claude **must proactively perform the following checks**:
32
+
33
+ ```
34
+ Modified Layer Affected Downstream (must re-confirm or update)
35
+ ─────────────────────────────────────────────────────
36
+ Persona / JTBD → HMW, Opportunity Assessment Table, Positioning, PR-FAQ, North Star, Product Spec Summary
37
+ HMW / Opportunity Assessment → PR-FAQ, Parallel Solutions, MVP, North Star, Product Spec Summary
38
+ Positioning → PR-FAQ, Product Spec Summary
39
+ PR-FAQ / Solutions → Pre-mortem, GEM/RICE, MVP, Aha Moment, Product Spec Summary
40
+ MVP / Not Doing List → User Story, DB schema (if already generated), Product Spec Summary
41
+ North Star / Metrics → Hypothesis Validation Plan, Product Spec Summary
42
+ Product Spec Summary → HTML Report, PRD (if already generated)
43
+ ```
44
+
45
+ ### Feature Extension dependency:
46
+ ```
47
+ Feature Extension dependency:
48
+ ─────────────────────────────────────────────────────
49
+ S1 (Problem + Context) → S2 (Solutions), S3 (Risks), S4 (Execution Scope)
50
+ S2 (Selected Solution) → S3 (Risks), S4 (Execution Scope)
51
+ S3 (Risk Assessment) → S4 (Execution Scope)
52
+ ```
53
+
54
+ ## Execution Process
55
+
56
+ 1. **Inform the user of the impact scope**: "You modified [step]. This affects [list of downstream steps]. I will update each one."
57
+ 2. **Confirm or auto-update downstream items**:
58
+ - If the downstream change is minor (wording adjustments) → Update directly and explain what changed
59
+ - If the downstream change is significant (directional shift) → Prompt the user to confirm the new direction before updating
60
+ 3. **Re-integrate the Product Spec Summary**
61
+ 4. **If an HTML report or PRD has already been generated**: Re-generate it directly and output a version snapshot:
62
+
63
+ ```
64
+ 📋 Version Snapshot v[old version] → v[new version]
65
+ Modified step: [Step name]
66
+ Key content before modification: [1-3 sentences]
67
+ Key content after modification: [1-3 sentences]
68
+ Downstream updates triggered: [Which steps were also adjusted]
69
+ ```
70
+
71
+ ## Principles
72
+ - No modification happens silently — the impact scope must always be explicitly communicated
73
+ - The user has the right to choose "only modify this step, leave downstream as-is for now." Claude must mark which parts are outdated (add a ⚠️ Needs Update label)
74
+ - Modification history remains traceable within the conversation
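Review bot: The downstream table under "Required Actions After Modification" never lists the security check, so a change to "PR-FAQ / Solutions" or "MVP / Not Doing List" reaches the PRD through the Product Spec Summary while the security results that the Integration Timing table places in PRD §6 stay as they were. Add the security quick check as a downstream item for those rows. Execution Process step 2 also has no branch for the opt-out granted under Principles ("only modify this step, leave downstream as-is for now"), and step 4 says to re-generate the HTML report or PRD "directly", which conflicts with that opt-out. Minor: the `### Feature Extension dependency:` heading is repeated as the first line of its own code block.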