swe-workflow-skills 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (59) hide show
  1. package/README.md +57 -17
  2. package/VERSION +1 -1
  3. package/catalog.json +95 -5
  4. package/package.json +1 -1
  5. package/roles.json +58 -7
  6. package/skills/ai-evaluation/SKILL.md +111 -0
  7. package/skills/ai-evaluation/evals/evals.json +40 -0
  8. package/skills/ai-evaluation/references/eval-tooling.md +63 -0
  9. package/skills/architecture-design/SKILL.md +3 -1
  10. package/skills/brainstorming/SKILL.md +92 -0
  11. package/skills/brainstorming/evals/evals.json +40 -0
  12. package/skills/browser-verification/SKILL.md +95 -0
  13. package/skills/browser-verification/evals/evals.json +40 -0
  14. package/skills/build-vs-buy/SKILL.md +109 -0
  15. package/skills/build-vs-buy/evals/evals.json +40 -0
  16. package/skills/cicd-pipeline/SKILL.md +1 -0
  17. package/skills/code-archaeology/SKILL.md +103 -0
  18. package/skills/code-archaeology/evals/evals.json +41 -0
  19. package/skills/compliance-privacy/SKILL.md +113 -0
  20. package/skills/compliance-privacy/evals/evals.json +41 -0
  21. package/skills/compliance-privacy/references/obligations-map.md +69 -0
  22. package/skills/data-pipeline-design/SKILL.md +116 -0
  23. package/skills/data-pipeline-design/evals/evals.json +41 -0
  24. package/skills/data-pipeline-design/references/orchestration.md +64 -0
  25. package/skills/data-quality/SKILL.md +107 -0
  26. package/skills/data-quality/evals/evals.json +39 -0
  27. package/skills/data-quality/references/tooling.md +45 -0
  28. package/skills/deployment-checklist/SKILL.md +2 -1
  29. package/skills/dx-audit/SKILL.md +97 -0
  30. package/skills/dx-audit/evals/evals.json +40 -0
  31. package/skills/feature-planning/SKILL.md +5 -1
  32. package/skills/finops-cost-optimization/SKILL.md +109 -0
  33. package/skills/finops-cost-optimization/evals/evals.json +40 -0
  34. package/skills/git-workflow/SKILL.md +10 -0
  35. package/skills/llm-app-engineering/SKILL.md +102 -0
  36. package/skills/llm-app-engineering/evals/evals.json +40 -0
  37. package/skills/llm-app-engineering/references/patterns.md +70 -0
  38. package/skills/ml-experiment-tracking/SKILL.md +1 -1
  39. package/skills/ml-pipeline-design/SKILL.md +1 -1
  40. package/skills/mobile-architecture/SKILL.md +106 -0
  41. package/skills/mobile-architecture/evals/evals.json +40 -0
  42. package/skills/mobile-release/SKILL.md +109 -0
  43. package/skills/mobile-release/evals/evals.json +41 -0
  44. package/skills/plan-execution/SKILL.md +115 -0
  45. package/skills/plan-execution/evals/evals.json +55 -0
  46. package/skills/project-documentation/SKILL.md +4 -0
  47. package/skills/release-management/SKILL.md +97 -0
  48. package/skills/release-management/evals/evals.json +56 -0
  49. package/skills/release-management/references/release-tooling.md +106 -0
  50. package/skills/resilience-engineering/SKILL.md +121 -0
  51. package/skills/resilience-engineering/evals/evals.json +40 -0
  52. package/skills/security-audit/SKILL.md +2 -2
  53. package/skills/skill-router/SKILL.md +46 -3
  54. package/skills/subagent-orchestration/SKILL.md +100 -0
  55. package/skills/subagent-orchestration/evals/evals.json +40 -0
  56. package/skills/threat-modeling/SKILL.md +101 -0
  57. package/skills/threat-modeling/evals/evals.json +40 -0
  58. package/skills/threat-modeling/references/stride-mitigations.md +90 -0
  59. package/skills/writing-skills/SKILL.md +27 -11
@@ -0,0 +1,103 @@
1
+ ---
2
+ name: code-archaeology
3
+ description: "Understand unfamiliar or legacy code before changing it — map entry points, mine git history (blame, churn, log -S), trace data flow, recover the why behind odd code, pin current behavior with characterization tests, find seams for safe change. Triggers: understand this codebase, legacy code, inherited this project, what does this code do, why is it written this way, nobody knows how this works, onboard to this repo, is it safe to change this. Prioritizing debt → technical-debt-review; improving code you already understand → refactoring."
4
+ model: sonnet
5
+ allowed-tools: Read, Grep, Glob, Write, Edit, Bash
6
+ ---
7
+
8
+ # Code Archaeology
9
+
10
+ Build a working model of code nobody fully understands — *before* changing it.
11
+ The cardinal rule: **the code is the way it is for reasons; find them before
12
+ overriding them.** Chesterton's fence applies — weird code is usually a bug fix
13
+ whose bug report is lost, and "cleaning it up" reintroduces the bug. Boundary
14
+ with siblings: `technical-debt-review` assesses and prioritizes what to fix;
15
+ `refactoring` improves code you already understand; this skill produces the
16
+ understanding both depend on.
17
+
18
+ ## Workflow
19
+
20
+ ### Step 1: Survey Before Digging
21
+
22
+ Get the shape of the territory without reading line-by-line: entry points
23
+ (main, routes, handlers, cron, consumers), the dependency skeleton (what are
24
+ the load-bearing modules — imported by everything), build/run/test commands
25
+ (does the test suite even pass? that's data), and the directory map with sizes.
26
+ Resist starting at file one and reading forward — comprehension follows the
27
+ call graph, not the alphabet.
28
+
29
+ ### Step 2: Mine the History — the Code's Memory
30
+
31
+ Git knows what the docs forgot. The high-yield digs:
32
+
33
+ - `git log --follow -p -- <file>` — a file's life story; the commit that
34
+ introduced the odd code usually says why (and links a ticket).
35
+ - `git log -S '<string>'` (pickaxe) — when a magic value or weird guard
36
+ appeared, and what else changed with it.
37
+ - **Churn analysis** — files with the most commits are the active organs
38
+ (`git log --format= --name-only | sort | uniq -c | sort -rn | head`);
39
+ high-churn + large = where understanding pays most (same hotspot logic as
40
+ `technical-debt-review`).
41
+ - `git blame -w -C` (ignore whitespace, follow copies) — who last touched this
42
+ line *and in what commit context*; blame the commit, then read its message
43
+ and siblings.
44
+ - Merge/PR references in messages — the review thread often holds the design
45
+ discussion that never made it into the code.
46
+
47
+ ### Step 3: Trace, Don't Guess
48
+
49
+ For the specific behavior you need to understand, follow the data: pick one
50
+ concrete input (a request, an event, a row) and trace it end to end — through
51
+ handlers, transformations, side effects, and persistence. Use the debugger or
52
+ strategic log statements over static reading when the control flow is dynamic
53
+ (dispatch tables, DI containers, metaprogramming). Write the trace down as you
54
+ go; a data-flow narrative ("the order enters here, gets enriched here, forks
55
+ here") is worth ten class diagrams.
56
+
57
+ ### Step 4: Interrogate the Oddities
58
+
59
+ For each "why on earth" you hit, run the checklist before concluding it's
60
+ senseless: What does history say (Step 2)? Does a test encode it as intended
61
+ behavior? Do comments/tickets/ADRs reference it? Does production data depend on
62
+ it (that dead-looking branch may handle the 2019 records)? Only after all four
63
+ come up empty may you *suspect* it's vestigial — and even then you prove it
64
+ (logging/telemetry on the branch) rather than assume it.
65
+
66
+ ### Step 5: Pin Behavior with Characterization Tests
67
+
68
+ Before changing anything you don't fully understand, write tests that capture
69
+ what the code **currently does** — not what it should do. Feed it
70
+ representative inputs (including the weird ones from production), assert the
71
+ observed outputs, and lock in today's behavior as the baseline. These tests
72
+ are your tripwire: if a "safe cleanup" changes an output, you learn it in CI,
73
+ not in production. Golden-master/snapshot testing works well when outputs are
74
+ large or numerous. (For designing the suite around them long-term:
75
+ `test-suite-design`.)
76
+
77
+ ### Step 6: Leave the Map Better Than You Found It
78
+
79
+ Record what you learned where the next archaeologist will find it: a short
80
+ architecture note or README-in-the-directory (the data-flow narrative from
81
+ Step 3, the load-bearing oddities from Step 4 and *why they exist*), backfilled
82
+ ADRs for the big recovered decisions (`architecture-design`), and comments only
83
+ on the genuinely non-obvious constraints. Then, with understanding and
84
+ characterization tests in place, changes proceed via `refactoring` (seams,
85
+ safe transformations) or `dependency-impact-analysis` (blast radius) as normal.
86
+
87
+ ## Principles Applied
88
+
89
+ - **Chesterton's fence**: understand why the fence is there before removing
90
+ it; lost context is not absent context.
91
+ - **Evidence over inference**: history, traces, and tests beat reading-and-
92
+ guessing — the code's actual behavior outranks anyone's model of it.
93
+ - **Capture as you go**: understanding that lives in one head (or one session)
94
+ is re-excavated at full cost next time.
95
+
96
+ ## Cross-Skill References
97
+
98
+ - `technical-debt-review` — assess and prioritize what to fix once understood
99
+ - `refactoring` — the safe-change patterns applied after comprehension
100
+ - `test-suite-design` — growing characterization tests into a real suite
101
+ - `dependency-impact-analysis` — blast radius before changing a shared piece
102
+ - `architecture-documentation` — recording the recovered architecture (C4, flows)
103
+ - `bug-investigating` — when the goal narrows to one specific misbehavior
@@ -0,0 +1,41 @@
1
+ {
2
+ "skill_name": "code-archaeology",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "I just inherited a 8-year-old Django billing service. The original team is gone, there are no docs, and I need to change how proration is calculated. Help me understand it before I touch anything.",
7
+ "expected_output": "Surveys structure first (entry points, load-bearing modules, does the test suite pass), mines git history for the proration code specifically (log --follow, pickaxe for magic values, blame with commit context, churn hotspots), traces one concrete billing case end to end, interrogates oddities against history/tests/production data before judging them, writes characterization tests pinning current proration outputs before any change, and records the recovered understanding",
8
+ "assertions": [
9
+ "Surveys the codebase shape first (entry points, dependency skeleton, whether tests run) instead of reading files linearly",
10
+ "Uses git history as a primary source — git log --follow, pickaxe (log -S), or blame with commit context — to recover why the proration code is the way it is",
11
+ "Traces at least one concrete billing input end to end through the code rather than only reading statically",
12
+ "Writes characterization tests that pin the CURRENT proration behavior (including odd cases) before making any change",
13
+ "Treats odd code as potentially load-bearing (Chesterton's fence) — checks history, tests, and production data before deeming anything vestigial",
14
+ "Records the recovered understanding (data-flow narrative, architecture note, or backfilled ADR) for the next person"
15
+ ]
16
+ },
17
+ {
18
+ "id": 2,
19
+ "prompt": "There's a bizarre guard clause in our payment processor: `if amount == 999999: amount = amount - 1`. No comment, no test, git blame just shows a 'fixes' commit from 2019 by someone who left. Everyone's afraid to delete it. Should I?",
20
+ "expected_output": "Does not say 'yes, delete it' outright: digs into the 2019 commit's full context (message, sibling changes, linked ticket, the PR discussion), searches for related production data or downstream systems that might depend on the cap, and if all sources come up empty, proposes proving it's dead (logging/telemetry on the branch for a period) plus a characterization test — removal only with evidence and a safety net, not on vibes",
21
+ "assertions": [
22
+ "Investigates the 2019 commit's full context (message, other files in the same commit, linked ticket/PR discussion) rather than accepting blame's surface result",
23
+ "Considers that production data or a downstream system may depend on the behavior before judging it vestigial",
24
+ "Proposes gathering runtime evidence (logging/telemetry on the branch) to prove the code path is dead rather than assuming it",
25
+ "Recommends a characterization test or equivalent safety net around the behavior before/when removing it",
26
+ "Does not recommend immediate deletion based on the code looking senseless"
27
+ ]
28
+ },
29
+ {
30
+ "id": 3,
31
+ "prompt": "Our codebase is a mess of tech debt — give me a prioritized assessment of what we should fix first and a remediation roadmap for the quarter.",
32
+ "expected_output": "Recognizes this as a debt assessment/prioritization request — refers to technical-debt-review for the hotspot analysis and remediation roadmap, noting the boundary: code-archaeology builds understanding of unfamiliar code; technical-debt-review assesses health and prioritizes fixes",
33
+ "assertions": [
34
+ "Recognizes the request as debt assessment and prioritization, not comprehension of unfamiliar code",
35
+ "Refers to the technical-debt-review skill for the hotspot analysis and roadmap",
36
+ "Does not produce an archaeology workflow (history mining, characterization tests) as the primary answer",
37
+ "States or implies the boundary: code-archaeology produces understanding; technical-debt-review assesses and prioritizes what to fix"
38
+ ]
39
+ }
40
+ ]
41
+ }
@@ -0,0 +1,113 @@
1
+ ---
2
+ name: compliance-privacy
3
+ description: "Engineer for regulatory and privacy obligations — GDPR/CCPA privacy-by-design, PII data mapping and minimization, retention and deletion (right to erasure), data subject requests, consent, SOC 2 controls (access, change management, audit logging). Triggers: GDPR, CCPA, SOC 2, HIPAA, compliance, privacy review, PII, personal data, data retention, right to be forgotten, DSR, audit requirements, are we compliant. Vulnerabilities in code → security-audit; attack analysis of a design → threat-modeling."
4
+ model: opus
5
+ allowed-tools: Read, Grep, Glob, Write, Edit, WebFetch, WebSearch
6
+ ---
7
+
8
+ # Compliance & Privacy Engineering
9
+
10
+ Turn regulatory obligations into engineering requirements — before an auditor,
11
+ a regulator, or a deletion request does it for you. This skill covers the
12
+ *engineering* of compliance (what to build and how); it is not legal advice, and
13
+ material decisions (lawful basis, DPAs, breach notification) need counsel —
14
+ flag them explicitly rather than silently deciding. Boundary with its siblings:
15
+ `security-audit` finds technical vulnerabilities, `threat-modeling` analyzes
16
+ attacker paths in a design; this skill handles what regulations *oblige* you to
17
+ do with data regardless of attackers.
18
+
19
+ ## Workflow
20
+
21
+ ### Step 1: Map the Data — You Can't Comply with What You Can't Find
22
+
23
+ Build the data inventory first; every obligation hangs off it:
24
+
25
+ - **What personal data exists** — direct identifiers (name, email, phone),
26
+ indirect (IP, device IDs, location), sensitive categories (health, biometrics,
27
+ children's data — these carry stricter rules).
28
+ - **Where it lives** — every store, including the ones people forget: logs,
29
+ analytics, backups, data warehouses, third-party processors, caches, error
30
+ trackers.
31
+ - **Where it flows** — which services touch it, which vendors receive it
32
+ (each is a processor needing a DPA), and whether it crosses borders.
33
+
34
+ Grep the codebase and schemas for it; the inventory that only reflects the
35
+ architecture diagram misses the PII in logs and analytics events.
36
+
37
+ ### Step 2: Determine What Applies
38
+
39
+ Which regimes govern you follows from the data and the users, not the company's
40
+ location: EU/UK users → GDPR/UK-GDPR; California residents → CCPA/CPRA; health
41
+ data in the US → HIPAA; card data → PCI-DSS; enterprise customers asking for
42
+ audits → SOC 2. Verify specifics against current official sources — regulations
43
+ and thresholds change; don't answer from memory. Then extract the engineering
44
+ obligations (see [references/obligations-map.md](references/obligations-map.md)
45
+ for the regulation → engineering-requirement mapping).
46
+
47
+ ### Step 3: Design for Minimization and Purpose
48
+
49
+ The cheapest data to protect is data you don't have:
50
+
51
+ - **Collect less**: challenge every field — what breaks if we don't collect it?
52
+ - **Retain less**: every data class gets a retention period and an *automated*
53
+ deletion path; "keep forever by default" is a finding, not a policy.
54
+ - **Expose less**: pseudonymize/tokenize where full identity isn't needed
55
+ (analytics, testing — see `test-data-strategy` for GDPR-safe test data);
56
+ scope access per purpose.
57
+ - **Log less**: PII in logs inherits none of your database's controls and all
58
+ of its obligations — scrub at the logging layer, not in post-processing.
59
+
60
+ ### Step 4: Build the Rights Machinery
61
+
62
+ Data-subject rights are engineering features with deadlines (typically ~30
63
+ days), not support tickets to improvise:
64
+
65
+ - **Access/export**: produce all of a person's data across every Step-1 store.
66
+ - **Deletion**: erase or anonymize across primary stores, caches, search
67
+ indexes, analytics, and a documented stance on backups (usually: excluded
68
+ from immediate erasure, purged on backup expiry — state it in the policy).
69
+ Deletion that misses a store the inventory forgot is the classic failure.
70
+ - **Consent**: record what was consented to, when, and which version; make
71
+ withdrawal as easy as granting; gate the relevant processing on it.
72
+
73
+ Test the deletion path like a feature — run it against a seeded user and verify
74
+ every store — because the first real request is a terrible time to discover it
75
+ doesn't work.
76
+
77
+ ### Step 5: Implement the Control Layer (SOC 2 lens)
78
+
79
+ The controls auditors verify are mostly good engineering hygiene made
80
+ demonstrable: least-privilege access with a review cadence, change management
81
+ (PRs + reviews + CI — which you likely have; the gap is usually *evidence*),
82
+ append-only audit logging of sensitive-data access and admin actions
83
+ (overlaps `threat-modeling`'s repudiation counters), encryption in transit and
84
+ at rest, offboarding that provably revokes access, and vendor review for every
85
+ processor in the Step-1 flow map. Wire evidence collection into the systems
86
+ themselves — screenshots gathered the week before an audit don't scale.
87
+
88
+ ### Step 6: Make It Continuous
89
+
90
+ Compliance decays with every feature that adds a data flow. Add a lightweight
91
+ privacy check to the definition of done for features touching personal data
92
+ (new data collected? new vendor? retention set? deletion path covers it?), keep
93
+ the data inventory in version control next to the code, and re-run the Step-1
94
+ mapping when architecture changes — same living-document discipline as a threat
95
+ model.
96
+
97
+ ## Principles Applied
98
+
99
+ - **Minimization is the master control**: every other obligation scales with
100
+ how much data you hold.
101
+ - **Rights are features**: access, deletion, and consent need designs, tests,
102
+ and deadlines — not runbooks of manual SQL.
103
+ - **Evidence or it didn't happen**: an undocumented control fails the audit
104
+ even when it works.
105
+
106
+ ## Cross-Skill References
107
+
108
+ - `security-audit` — technical vulnerability review (confidentiality controls overlap)
109
+ - `threat-modeling` — design-time attack analysis; shares the data-classification step
110
+ - `data-modeling` — schema-level retention, soft-delete vs erasure, PII isolation
111
+ - `test-data-strategy` — GDPR-safe test data, anonymization
112
+ - `configuration-strategy` — secrets and access to production data
113
+ - `observability-design` — keeping PII out of logs, traces, and metrics
@@ -0,0 +1,41 @@
1
+ {
2
+ "skill_name": "compliance-privacy",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "We're a B2B SaaS with EU customers and we just got our first GDPR deletion request. We honestly don't know where all the user data lives. What do we need to build to handle this properly?",
7
+ "expected_output": "Starts with a data inventory across ALL stores (databases, logs, analytics, backups, third-party processors, caches), then designs deletion machinery: erasure/anonymization across every store, a documented stance on backups, the ~30-day deadline, and testing the deletion path against a seeded user; frames rights handling as an engineered feature and adds minimization/retention so the problem shrinks over time",
8
+ "assertions": [
9
+ "Begins with a data inventory/mapping across all stores — explicitly including the commonly-missed ones (logs, analytics, backups, third-party processors, caches)",
10
+ "Designs deletion as an engineered, testable feature spanning every store, not a manual SQL runbook against the primary database",
11
+ "Addresses backups explicitly with a documented stance (e.g. excluded from immediate erasure, purged on backup expiry)",
12
+ "Mentions the response deadline for data subject requests (about 30 days) and/or verifying the deletion path against a seeded test user before a real request",
13
+ "Recommends minimization and retention policies (automated deletion, collect less, PII out of logs) so future obligations shrink",
14
+ "Flags that material legal decisions (lawful basis, DPAs, breach specifics) need counsel rather than deciding them itself"
15
+ ]
16
+ },
17
+ {
18
+ "id": 2,
19
+ "prompt": "An enterprise prospect just sent us a security questionnaire asking if we're SOC 2 compliant. We're a 10-person startup with decent engineering hygiene (PRs, CI, SSO) but zero formal compliance work. What does getting there actually involve on the engineering side?",
20
+ "expected_output": "Explains SOC 2 as an audit of controls operating over time (Type I vs II), maps their existing hygiene (PR review, CI, SSO) onto trust-criteria controls and identifies the real gap as demonstrable evidence — access reviews, offboarding proof, audit logging, vendor review — recommending evidence automation over screenshot scrambles, scoping to the Security criterion first, and being realistic about timeline/audit-window",
21
+ "assertions": [
22
+ "Explains that SOC 2 audits controls operating over time (Type II observation window), not a one-time checklist",
23
+ "Maps existing engineering hygiene (PR reviews, CI, SSO) onto SOC 2 controls and identifies evidence/demonstrability as the actual gap",
24
+ "Covers the core control areas: logical access (least privilege, access reviews, offboarding), change management, audit logging, and vendor management",
25
+ "Recommends starting with the Security criterion and adding other trust criteria only when customers demand them",
26
+ "Recommends automating evidence collection rather than gathering screenshots before the audit"
27
+ ]
28
+ },
29
+ {
30
+ "id": 3,
31
+ "prompt": "Can you review our Express API code for injection vulnerabilities and check whether our JWT auth implementation is secure?",
32
+ "expected_output": "Recognizes this as a technical vulnerability review of existing code — refers to security-audit for the injection/auth analysis, stating the boundary: compliance-privacy handles regulatory and privacy obligations (GDPR/SOC 2, data rights, retention); security-audit finds technical vulnerabilities",
33
+ "assertions": [
34
+ "Recognizes the request as a technical security review of code, not a regulatory/privacy obligation question",
35
+ "Refers to the security-audit skill for the injection and auth review",
36
+ "Does not produce a compliance workflow (data mapping, DSR machinery, SOC 2 controls) as the answer",
37
+ "States the boundary: compliance-privacy covers regulatory/privacy obligations; security-audit covers technical vulnerabilities"
38
+ ]
39
+ }
40
+ ]
41
+ }
@@ -0,0 +1,69 @@
1
+ # Regulation → Engineering Obligation Map
2
+
3
+ What each regime actually demands from the engineering side. Verify thresholds
4
+ and details against current official sources before relying on them — this map
5
+ orients; it doesn't replace the regulation text or counsel.
6
+
7
+ ## GDPR / UK-GDPR (EU/UK personal data)
8
+
9
+ | Obligation | Engineering requirement |
10
+ |---|---|
11
+ | Lawful basis per processing purpose (Art. 6) | Record which basis covers each data flow; consent flows need capture + withdrawal machinery |
12
+ | Data minimization & purpose limitation (Art. 5) | Field-level justification; no reuse of data for new purposes without a new basis |
13
+ | Right of access / portability (Art. 15, 20) | Export of all of a subject's data, machine-readable, across every store |
14
+ | Right to erasure (Art. 17) | Deletion/anonymization across primary stores, caches, indexes, analytics; documented backup stance |
15
+ | Privacy by design & default (Art. 25) | Privacy review in the feature workflow; most-protective defaults |
16
+ | Records of processing (Art. 30) | The data inventory (SKILL.md Step 1), kept current |
17
+ | Security of processing (Art. 32) | Encryption in transit/at rest, access control, pseudonymization where feasible |
18
+ | Breach notification (Art. 33) | Detection + escalation path that can meet 72-hour notification — needs `observability-design`-grade alerting |
19
+ | Processors & transfers (Art. 28, Ch. V) | DPA with every vendor receiving personal data; transfer mechanism (SCCs/adequacy) for cross-border flows |
20
+ | DPIA for high-risk processing (Art. 35) | Formal assessment before launching high-risk features (large-scale profiling, sensitive categories) — pairs with `threat-modeling` |
21
+
22
+ ## CCPA / CPRA (California residents)
23
+
24
+ Similar rights machinery to GDPR (know/access, delete, correct) plus two deltas
25
+ worth engineering attention: **opt-out of sale/sharing** (honor Global Privacy
26
+ Control signals; maintain a "Do Not Sell or Share" path) and **service-provider
27
+ contracts** (the CCPA analog of DPAs). Thresholds determine applicability
28
+ (revenue / volume of consumers' data / share of revenue from selling data) —
29
+ check current numbers.
30
+
31
+ ## SOC 2 (Trust Services Criteria — what enterprise customers ask for)
32
+
33
+ SOC 2 is an audit of *your controls operating over time* (Type II), not a
34
+ checklist you pass once. The Security criterion (always in scope):
35
+
36
+ | Control area | Typical evidence engineering owns |
37
+ |---|---|
38
+ | Logical access | SSO/MFA, least-privilege roles, quarterly access reviews, provably-executed offboarding |
39
+ | Change management | PR review required on protected branches, CI gates, deploy audit trail |
40
+ | System operations | Monitoring/alerting, incident-response process with records (`incident-response`, `observability-design`) |
41
+ | Risk & vendor management | Vendor list with security review per processor; risk assessment cadence |
42
+ | Data handling | Encryption at rest/in transit, backup + restore testing (`resilience-engineering`), retention/disposal execution |
43
+
44
+ Availability, Confidentiality, Processing Integrity, and Privacy criteria are
45
+ opt-in scope — add them when customers demand them, not preemptively.
46
+
47
+ ## HIPAA (US health data)
48
+
49
+ Applies to covered entities and their **business associates** (a BAA makes you
50
+ one). Engineering core: PHI inventory and isolation, access controls + audit
51
+ logs on every PHI touch, encryption, minimum-necessary access, breach
52
+ notification machinery. PHI in logs/analytics is the recurring violation.
53
+
54
+ ## PCI-DSS (card data)
55
+
56
+ The dominant engineering decision is **scope reduction**: use a tokenizing
57
+ payment processor (Stripe/Adyen-style) so raw PANs never transit your systems —
58
+ this collapses most requirements to the lowest self-assessment tier. Storing
59
+ raw card data puts your whole environment in scope; treat that as a
60
+ `build-vs-buy` decision with a strong buy bias.
61
+
62
+ ## Choosing what to tackle first
63
+
64
+ 1. Data inventory (everything depends on it).
65
+ 2. Kill the involuntary violations: PII in logs, forever-retention, missing
66
+ deletion path.
67
+ 3. Rights machinery (access + deletion) — deadline-bound once requests arrive.
68
+ 4. Evidence automation for the controls you already operate.
69
+ 5. Formal frameworks (SOC 2 audit, DPIAs) when customers or scale demand.
@@ -0,0 +1,116 @@
1
+ ---
2
+ name: data-pipeline-design
3
+ description: "Design batch and streaming data pipelines — ELT into a warehouse/lakehouse, dbt and analytics engineering (staging/intermediate/marts layers), orchestration with Airflow or Dagster, idempotent loads, incremental models, backfills, CDC ingestion. Triggers: data pipeline, ELT, ETL, dbt models, data warehouse, Snowflake, BigQuery, ingest into the warehouse, Airflow DAG, Dagster, Kafka streaming, backfill, incremental load, nightly job duplicates rows. ML training/feature pipelines → ml-pipeline-design; validating the data → data-quality."
4
+ model: opus
5
+ allowed-tools: Read, Grep, Glob, Write, Edit, Bash
6
+ ---
7
+
8
+ # Data Pipeline Design
9
+
10
+ Design pipelines that move and transform data for analytics — and stay correct
11
+ when they fail, rerun, and backfill, because they will. The two design
12
+ properties that separate a pipeline from a script: **idempotency** (any run can
13
+ be repeated safely) and **parameterization** (any time window can be processed
14
+ by the same code). Boundaries: pipelines feeding *model training* (features,
15
+ point-in-time correctness) belong to `ml-pipeline-design`; *validating* the
16
+ data this pipeline moves belongs to `data-quality`.
17
+
18
+ ## Workflow
19
+
20
+ ### Step 1: Map Sources, Consumers, and Freshness
21
+
22
+ List each source (databases, SaaS APIs, event streams), each consumer
23
+ (dashboards, reverse ETL, downstream teams), and the freshness each consumer
24
+ actually needs. Freshness drives everything: daily batch is an order of
25
+ magnitude cheaper to build and operate than streaming — don't buy streaming
26
+ because "real-time" sounds better; buy it when a consumer decision genuinely
27
+ changes within minutes.
28
+
29
+ ### Step 2: Choose ELT (and Say Why)
30
+
31
+ For a cloud warehouse (Snowflake, BigQuery, Redshift, Databricks), default to
32
+ **ELT**: land raw data unchanged, transform inside the warehouse with SQL/dbt.
33
+ The reasons are operational, not fashionable — raw history means transform bugs
34
+ are fixed by *re-running transforms*, not re-extracting from sources; the
35
+ warehouse scales the compute; transformations become versioned, testable SQL.
36
+ Classic ETL survives where data must be cleaned/redacted before it may land
37
+ (PII, compliance) or the target isn't a warehouse.
38
+
39
+ ### Step 3: Don't Hand-Roll Extraction
40
+
41
+ Ingestion is undifferentiated heavy lifting with long tail of pain (API
42
+ pagination, rate limits, schema changes, backpressure):
43
+
44
+ - **SaaS/DB sources**: managed or open connectors first — Fivetran/Airbyte/dlt.
45
+ Hand-write only when no connector exists or volume/cost forces it.
46
+ - **Operational DBs at scale**: CDC (Debezium or the warehouse-native
47
+ equivalent) instead of daily full dumps or fragile `updated_at` queries.
48
+ - **Events**: land the stream (Kafka → object storage/warehouse) raw; process
49
+ micro-batch unless Step 1 proved sub-minute freshness is needed.
50
+
51
+ ### Step 4: Layer the Transforms (dbt)
52
+
53
+ - **Staging** — 1:1 with sources: rename, cast, deduplicate. No business logic.
54
+ - **Intermediate** — joins and business logic, composable, not exposed to BI.
55
+ - **Marts** — consumer-facing facts/dimensions, one per business domain.
56
+
57
+ Each layer only reads from the one below; BI tools read only marts. This is
58
+ SRP for SQL: when a number is wrong, the layer tells you where to look. Schema
59
+ design for the marts themselves is `data-modeling`'s domain.
60
+
61
+ ### Step 5: Make Every Run Idempotent
62
+
63
+ The Iron Rule of pipelines: **a rerun must produce the same result as one
64
+ run.** Append-only loads fail this and produce the classic duplicate-rows-
65
+ after-retry incident. Choose a write pattern per table:
66
+
67
+ - **Delete + insert by partition** (or `INSERT OVERWRITE`): simplest, right
68
+ default for date-partitioned facts.
69
+ - **Merge/upsert on a unique key**: for mutable entities and late updates —
70
+ requires a true unique key (enforce it via `data-quality` tests).
71
+ - **Full refresh**: fine while small; flip to incremental on cost, not pride.
72
+
73
+ In dbt: `incremental` materialization with `unique_key` set — and always define
74
+ the full-refresh path (`--full-refresh` must work, or you can't recover from a
75
+ logic bug).
76
+
77
+ ### Step 6: Parameterize Time — Backfill Is a First-Class Case
78
+
79
+ Every run processes an explicit **logical window** passed in by the
80
+ orchestrator (`WHERE event_date = {{ ds }}`) — never `CURRENT_DATE - 1` inside
81
+ the SQL, which makes yesterday's failure unreproducible today. Then backfill is
82
+ not a special script: it's the same job over a range, natively supported by
83
+ the orchestrator (Airflow `backfill`, Dagster partitioned assets). If
84
+ backfilling means hand-editing dates, Steps 5–6 were skipped.
85
+
86
+ Handle **late-arriving data** explicitly: reprocess a trailing lookback window
87
+ (e.g. the last 3 days) each run, or track a watermark — pick per source based
88
+ on how late its data actually arrives.
89
+
90
+ ### Step 7: Orchestrate and Operate
91
+
92
+ Pick **one** orchestrator and make a recommendation, not a brochure: Dagster
93
+ for a dbt-centric greenfield stack (asset/partition model matches warehouse
94
+ thinking, first-class dbt integration); Airflow where the org already runs it
95
+ or needs its ecosystem breadth (comparison and managed options:
96
+ [references/orchestration.md](references/orchestration.md)). Then wire in
97
+ operations: retries with alerting on final failure (`observability-design`),
98
+ quality checks between layers (`data-quality`), and cost visibility per model —
99
+ warehouses make it very easy to spend quietly.
100
+
101
+ ## Principles Applied
102
+
103
+ - **KISS**: batch over streaming, connectors over custom extractors, SQL over
104
+ a framework — until a measured requirement says otherwise.
105
+ - **DRY**: one parameterized job for daily runs *and* backfills; logic lives
106
+ once, in the transform layer, not copied into extraction scripts.
107
+ - **YAGNI**: no lakehouse/streaming/metadata-platform buildout for a stack
108
+ whose consumers refresh dashboards daily.
109
+
110
+ ## Cross-Skill References
111
+
112
+ - `data-quality` — tests, contracts, and freshness checks between the layers
113
+ - `data-modeling` — the schema design of the marts this pipeline produces
114
+ - `ml-pipeline-design` — when the consumer is model training, not BI
115
+ - `observability-design` — pipeline SLOs, alerting, run-level monitoring
116
+ - `architecture-design` — ADRs for the costly-to-reverse platform choices
@@ -0,0 +1,41 @@
1
+ {
2
+ "skill_name": "data-pipeline-design",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "We need to get data from Postgres and Stripe into Snowflake for BI dashboards. Design the pipeline — the team is considering dbt plus Airflow or Dagster.",
7
+ "expected_output": "Designs an ELT pipeline: extraction/connector choice for both sources, raw load into Snowflake, dbt layering (staging → intermediate → marts), a reasoned Airflow-vs-Dagster recommendation, idempotent incremental models, and a backfill story — not just the initial full load",
8
+ "assertions": [
9
+ "Recommends ELT (load raw, transform in-warehouse) and explains why it fits a Snowflake + dbt stack",
10
+ "Designs dbt layering: raw/staging models, intermediate transformations, and marts for BI consumption",
11
+ "Makes a reasoned orchestrator recommendation (Airflow vs Dagster) instead of listing both neutrally",
12
+ "Designs for idempotency: reruns must not duplicate or corrupt data (incremental models with unique keys, merge or delete+insert patterns)",
13
+ "Covers incremental loading and a backfill strategy (parameterized date ranges or partitions), not just the initial full load",
14
+ "Addresses extraction from the sources concretely (managed connector such as Fivetran/Airbyte/dlt, or CDC) rather than hand-waving ingestion"
15
+ ]
16
+ },
17
+ {
18
+ "id": 2,
19
+ "prompt": "Our nightly job loads yesterday's orders into the warehouse. When it fails midway and we rerun it, we get duplicate rows — and backfilling last month means manually editing the date in the script 30 times. Fix the design.",
20
+ "expected_output": "Identifies the non-idempotent append-only load as the root cause; converts the job to an idempotent write pattern (delete+insert by partition, merge/upsert on a key, or partition overwrite) parameterized over a logical date, so backfill becomes running the same job over a range via the orchestrator — with a lookback window for late-arriving data",
21
+ "assertions": [
22
+ "Identifies the root cause as a non-idempotent, append-only load",
23
+ "Proposes an idempotent write pattern: delete+insert by partition, merge/upsert on a unique key, or partition-overwrite semantics",
24
+ "Parameterizes the run over a logical date/window so any day can be run or re-run identically (backfill = the same job over a range)",
25
+ "Recommends orchestrator-native backfill (or an equivalent parameterized range run) over hand-edited scripts",
26
+ "Considers late-arriving or corrected data (lookback window, watermark, or reprocessing policy), not just the happy path"
27
+ ]
28
+ },
29
+ {
30
+ "id": 3,
31
+ "prompt": "Design the data pipeline that produces training features for our churn model — we need point-in-time correct features and a training set refreshed weekly.",
32
+ "expected_output": "Recognizes this as an ML training/feature pipeline, not analytics ELT — hands off to ml-pipeline-design, flagging point-in-time correctness/leakage as the ML-specific concern that a BI-oriented warehouse design does not address",
33
+ "assertions": [
34
+ "Recognizes this is an ML training/feature pipeline, not an analytics/BI ELT pipeline",
35
+ "Refers to the ml-pipeline-design skill for feature engineering and training orchestration",
36
+ "Flags point-in-time correctness / data leakage as the ML-specific concern that distinguishes this from BI work",
37
+ "Does not answer with a BI-oriented warehouse/dbt marts design as the primary solution"
38
+ ]
39
+ }
40
+ ]
41
+ }
@@ -0,0 +1,64 @@
1
+ # Orchestration — Choosing and Using the Scheduler
2
+
3
+ Versions and managed offerings change; check current docs before committing.
4
+ The selection logic is stable.
5
+
6
+ ## Airflow vs Dagster vs the rest
7
+
8
+ | | Airflow | Dagster |
9
+ |---|---|---|
10
+ | Mental model | Tasks in a DAG; scheduler runs tasks | Software-defined **assets** (tables/files) with partitions; runs materialize assets |
11
+ | dbt integration | Via operators (Cosmos et al.) — workable | First-class: each dbt model becomes an asset with its own lineage/partitions |
12
+ | Backfill | `airflow backfill` over execution dates | Partitioned assets — backfill = materialize missing partitions, UI-native |
13
+ | Ecosystem | Enormous (every provider has an operator); huge hiring pool | Younger, smaller, growing; strong local dev experience |
14
+ | Managed | MWAA (AWS), Cloud Composer (GCP), Astronomer | Dagster+ |
15
+
16
+ Recommendation logic:
17
+
18
+ - **Greenfield, warehouse/dbt-centric** → Dagster. The asset+partition model
19
+ *is* Steps 5–6 of the skill (idempotent, parameterized, backfillable) encoded
20
+ in the orchestrator; you fight the framework less.
21
+ - **Org already runs Airflow, or the pipeline is mostly "call these seven
22
+ systems in order"** → Airflow. Operational familiarity and operator breadth
23
+ beat elegance; don't run two orchestrators for one team.
24
+ - **All-in on one vendor stack** → the platform-native option (Databricks
25
+ Workflows, Snowflake Tasks) is acceptable glue; you trade portability.
26
+ - **Cron + a queue** is fine for one or two jobs — adopt an orchestrator when
27
+ you need dependencies, backfill, and retry visibility, which is usually at
28
+ the third job.
29
+
30
+ Whatever the choice: schedules trigger *logical windows*, tasks are
31
+ idempotent, retries are bounded and alert on final failure, and secrets come
32
+ from the platform's secret backend (`configuration-strategy`), never DAG code.
33
+
34
+ ## Ingestion tool notes
35
+
36
+ - **Fivetran**: managed, broadest connector catalog, per-row pricing that gets
37
+ real at volume. Buy when engineer time is the scarce resource.
38
+ - **Airbyte**: open-source + cloud; connector quality varies — test the
39
+ specific connectors you need, especially for incremental correctness.
40
+ - **dlt**: Python library, connectors-as-code, great for API sources a
41
+ framework doesn't cover; you own the runtime.
42
+ - **CDC (Debezium / native)**: when daily snapshots lose intermediate states
43
+ or full dumps are too heavy. Operationally nontrivial (snapshotting, schema
44
+ evolution, tombstones) — budget for it.
45
+
46
+ ## Streaming — only after Step 1 says so
47
+
48
+ - Micro-batch (5–15 min) covers most "real-time" dashboard asks at batch-like
49
+ complexity; genuine streaming (Flink, Spark Structured Streaming,
50
+ Materialize) is for operational decisions made in seconds-to-minutes.
51
+ - Streaming reintroduces every hard problem batch solved for you: exactly-once
52
+ vs at-least-once delivery, watermarks for late events, state management,
53
+ replay. Idempotent sinks (merge on key) make at-least-once livable — design
54
+ the sink first.
55
+ - Keep the raw stream landed to cheap storage regardless; it's your backfill
56
+ and reprocessing escape hatch.
57
+
58
+ ## Warehouse cost hygiene
59
+
60
+ - Tag/attribute compute per model or job from day one (dbt does this cheaply).
61
+ - Incremental models exist for cost as much as latency — flip when a full
62
+ refresh's bill, not its runtime, annoys you.
63
+ - Watch for accidental cross-joins and full scans in staging layers; the
64
+ warehouse will happily execute them nightly forever.