swe-workflow-skills 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (59) hide show
  1. package/README.md +57 -17
  2. package/VERSION +1 -1
  3. package/catalog.json +95 -5
  4. package/package.json +1 -1
  5. package/roles.json +58 -7
  6. package/skills/ai-evaluation/SKILL.md +111 -0
  7. package/skills/ai-evaluation/evals/evals.json +40 -0
  8. package/skills/ai-evaluation/references/eval-tooling.md +63 -0
  9. package/skills/architecture-design/SKILL.md +3 -1
  10. package/skills/brainstorming/SKILL.md +92 -0
  11. package/skills/brainstorming/evals/evals.json +40 -0
  12. package/skills/browser-verification/SKILL.md +95 -0
  13. package/skills/browser-verification/evals/evals.json +40 -0
  14. package/skills/build-vs-buy/SKILL.md +109 -0
  15. package/skills/build-vs-buy/evals/evals.json +40 -0
  16. package/skills/cicd-pipeline/SKILL.md +1 -0
  17. package/skills/code-archaeology/SKILL.md +103 -0
  18. package/skills/code-archaeology/evals/evals.json +41 -0
  19. package/skills/compliance-privacy/SKILL.md +113 -0
  20. package/skills/compliance-privacy/evals/evals.json +41 -0
  21. package/skills/compliance-privacy/references/obligations-map.md +69 -0
  22. package/skills/data-pipeline-design/SKILL.md +116 -0
  23. package/skills/data-pipeline-design/evals/evals.json +41 -0
  24. package/skills/data-pipeline-design/references/orchestration.md +64 -0
  25. package/skills/data-quality/SKILL.md +107 -0
  26. package/skills/data-quality/evals/evals.json +39 -0
  27. package/skills/data-quality/references/tooling.md +45 -0
  28. package/skills/deployment-checklist/SKILL.md +2 -1
  29. package/skills/dx-audit/SKILL.md +97 -0
  30. package/skills/dx-audit/evals/evals.json +40 -0
  31. package/skills/feature-planning/SKILL.md +5 -1
  32. package/skills/finops-cost-optimization/SKILL.md +109 -0
  33. package/skills/finops-cost-optimization/evals/evals.json +40 -0
  34. package/skills/git-workflow/SKILL.md +10 -0
  35. package/skills/llm-app-engineering/SKILL.md +102 -0
  36. package/skills/llm-app-engineering/evals/evals.json +40 -0
  37. package/skills/llm-app-engineering/references/patterns.md +70 -0
  38. package/skills/ml-experiment-tracking/SKILL.md +1 -1
  39. package/skills/ml-pipeline-design/SKILL.md +1 -1
  40. package/skills/mobile-architecture/SKILL.md +106 -0
  41. package/skills/mobile-architecture/evals/evals.json +40 -0
  42. package/skills/mobile-release/SKILL.md +109 -0
  43. package/skills/mobile-release/evals/evals.json +41 -0
  44. package/skills/plan-execution/SKILL.md +115 -0
  45. package/skills/plan-execution/evals/evals.json +55 -0
  46. package/skills/project-documentation/SKILL.md +4 -0
  47. package/skills/release-management/SKILL.md +97 -0
  48. package/skills/release-management/evals/evals.json +56 -0
  49. package/skills/release-management/references/release-tooling.md +106 -0
  50. package/skills/resilience-engineering/SKILL.md +121 -0
  51. package/skills/resilience-engineering/evals/evals.json +40 -0
  52. package/skills/security-audit/SKILL.md +2 -2
  53. package/skills/skill-router/SKILL.md +46 -3
  54. package/skills/subagent-orchestration/SKILL.md +100 -0
  55. package/skills/subagent-orchestration/evals/evals.json +40 -0
  56. package/skills/threat-modeling/SKILL.md +101 -0
  57. package/skills/threat-modeling/evals/evals.json +40 -0
  58. package/skills/threat-modeling/references/stride-mitigations.md +90 -0
  59. package/skills/writing-skills/SKILL.md +27 -11
@@ -0,0 +1,97 @@
1
+ ---
2
+ name: release-management
3
+ description: "Cut and publish software releases right-sized to the project — semver decisions, changelogs, tagging, automated version bumps (release-please, changesets, semantic-release), publishing gates, npm/PyPI/container registry publishing, pre-release channels, monorepo versioning. Triggers: cut a release, release this, publish to npm, publish to PyPI, publish this package, version bump, what version should this be, semver, changelog, tag a release, release notes, GitHub release, prerelease, release automation, release PR. Deploy-time safety → deployment-checklist; commit/PR hygiene → git-workflow."
4
+ model: sonnet
5
+ allowed-tools: Read, Grep, Glob, Write, Edit, Bash
6
+ ---
7
+
8
+ # Release Management
9
+
10
+ Releasing turns committed work into a versioned, consumable artifact — a tag, a package, an image — with a truthful version number and a record of what changed. It is not deploying (that's `deployment-checklist`): a release can exist without a deploy, and vice versa.
11
+
12
+ ## ⛔ The Iron Law
13
+
14
+ **Never publish without a fresh verification gate — and never impose more release process than the project warrants.**
15
+
16
+ Registry publishes are effectively irreversible: a version number, once published, is burned even if you yank it, and whatever shipped inside it is already on users' machines. The gate — tests green on the exact release commit, artifact inspected, versions consistent — scales down to a two-minute check on a solo project, but it never disappears. Ceremony scales with the project; the gate doesn't.
17
+
18
+ ## Step 1: Detect Existing Conventions — Never Assume Greenfield
19
+
20
+ Before proposing anything, find what the project already does:
21
+
22
+ - **Release config**: `.changeset/`, `release-please-config.json`, `.releaserc*` / `release` key in package.json, `cliff.toml`, `.goreleaser.yml`
23
+ - **Docs**: `RELEASING.md`, release sections in `CONTRIBUTING.md`
24
+ - **CI**: publish/release jobs in workflow files (tag triggers, `npm publish`, `twine upload`)
25
+ - **History**: `git tag --list` (scheme and cadence), `CHANGELOG.md` format, commit-message style
26
+
27
+ If conventions exist, follow them for this release; propose improvements as a separate change. An org's release process usually encodes constraints you can't see from the repo.
28
+
29
+ ## Step 2: Right-Size the Process
30
+
31
+ | Tier | Signals | Process |
32
+ |---|---|---|
33
+ | **Solo / personal** | One maintainer, few users, irregular cadence | Manual: bump version, changelog entry (or `gh release create --generate-notes`), annotated tag, GitHub release. **No automation tooling.** |
34
+ | **Team / published package** | Multiple contributors, external consumers, regular cadence | Conventional commits feeding **one** automation tool (release-please / changesets / semantic-release), generated changelog, publish gate as a CI stage |
35
+ | **Org / platform / monorepo** | Many packages, coordinated versions, compliance needs | Release PRs, protected release branches, provenance / trusted publishing, pre-release channels, coordinated monorepo versioning |
36
+
37
+ Under-processing breaks consumers; over-processing kills a small project's momentum. State which tier applies and why. **Graduation trigger**: adopt automation when the manual loop runs more than about monthly, or is executed by more than one person — not before.
38
+
39
+ ## Step 3: Decide the Version
40
+
41
+ - **Something with consumers of a versioned contract (library, CLI, API)** → SemVer: breaking → MAJOR, feature → MINOR, fix → PATCH. Pre-1.0, MINOR is the breaking-change lever — and don't promise 1.0 stability until you mean it.
42
+ - **A deployed app or service nobody installs by version** → CalVer or a build number is fine; don't cargo-cult SemVer where there is no consumer contract.
43
+ - The version lives in **one source of truth**; every other occurrence (manifests, generated files) is stamped from it. Grep for the old version before tagging — drift here is the classic broken release.
44
+ - Never inflate ("bump minor to be safe"): the version is communication to consumers, not marketing. Inflating it lies about compatibility.
45
+
46
+ ## Step 4: Prepare the Release
47
+
48
+ - **Changelog** from commits, in [Keep a Changelog](https://keepachangelog.com/) form. Conventional commits map mechanically: `feat` → Added, `fix` → Fixed, behavior change → Changed, `feat!` / `BREAKING CHANGE:` → MAJOR.
49
+ - **Release notes ≠ changelog**: notes lead with highlights and breaking changes plus their upgrade steps — what a consumer must know before upgrading, not a commit list.
50
+ - Bump the source-of-truth version, regenerate anything stamped from it, promote `[Unreleased]` in the changelog.
51
+
52
+ ## Step 5: Gate, Then Publish
53
+
54
+ Run the gate on the **exact commit being released** (including the version-bump commit):
55
+
56
+ 1. Clean working tree, correct branch — `git status`.
57
+ 2. Tests and build green **on this commit**, not "they passed yesterday on main".
58
+ 3. Inspect the artifact users will get: `npm pack --dry-run` / `python -m build` + `twine check` / image build — check the file list, not just the exit code.
59
+ 4. Version consistency: manifest(s), changelog heading, and the tag you're about to create all agree.
60
+
61
+ Then, in order: annotated tag (`vX.Y.Z`) → publish → **post-publish smoke test** (install the *published* artifact in a clean directory and exercise it) → GitHub release with the notes. If the smoke test fails, the fix is a new patch version — which is exactly why the gate runs first.
62
+
63
+ ## Step 6: Automate What Repeats (Tier 2+)
64
+
65
+ Pick **one** tool — they solve the same problem and fight each other:
66
+
67
+ - **release-please** — release PRs that accumulate changes; GitHub-centric; good monorepo support; a human merge is the final gate.
68
+ - **changesets** — contributors declare intent per change; the standard for JS/TS monorepos with independent package versions.
69
+ - **semantic-release** — fully automated publish on merge; no human gate, so the CI gate must be airtight.
70
+
71
+ Selection detail, trusted publishing/provenance, pre-release channels and dist-tags, monorepo fixed-vs-independent versioning, and hotfix/backport flows: [references/release-tooling.md](references/release-tooling.md).
72
+
73
+ ## Rationalizations to Reject
74
+
75
+ | Excuse | Reality |
76
+ |---|---|
77
+ | "It's a one-line fix — publish now, run tests after" | Published versions can't be overwritten. Start the tests, prep in parallel, publish when green; if consumers truly can't wait, publish to a `next` dist-tag, not `latest`. |
78
+ | "Small project — tags and changelogs are overkill" | The lightweight tier costs minutes and buys bisect, rollback, and consumer trust. Skipping versioning is not right-sizing. |
79
+ | "Let's set up semantic-release" (solo repo, three releases a year) | Below regular cadence, automation costs more than it saves. Right-sizing cuts both ways. |
80
+ | "Tests passed yesterday on main" | The gate runs on the exact release commit — the version bump and changelog commit included. |
81
+ | "We'll fix the notes after publishing" | Notes and changelog are part of the artifact; consumers read them at upgrade time, which is now. |
82
+
83
+ ## Red Flags — Stop and Correct Course
84
+
85
+ - Publishing from a dirty tree, an unpushed branch, or a commit CI never saw.
86
+ - The manifest, the tag, and the changelog disagree on the version.
87
+ - Two release-automation tools active in the same repo.
88
+ - "Misc fixes and improvements" as the entire changelog entry for a consumer-facing release.
89
+ - A release procedure that requires hand-editing generated files.
90
+
91
+ ## Cross-Skill References
92
+
93
+ - `git-workflow` — the conventional commits that feed automated bumps
94
+ - `cicd-pipeline` — implementing the publish gate as a pipeline stage
95
+ - `deployment-checklist` / `rollback-strategy` — deploying the released artifact safely
96
+ - `project-documentation` — changelog upkeep between releases
97
+ - `verification-before-completion` — the evidence discipline the gate is built on
@@ -0,0 +1,56 @@
1
+ {
2
+ "skill_name": "release-management",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "Our team maintains a Node.js library on GitHub with about a dozen contributors. We already use conventional commits. Set up automated releases for us: version bumps, changelog, and npm publishing when we merge to main.",
7
+ "expected_output": "Checks for existing release conventions first, recommends exactly one automation tool with rationale (release-please or semantic-release given conventional commits), explains the commit-to-bump mapping, and designs a CI publish gate (tests on the release commit, artifact inspection, trusted publishing/provenance) plus tagging and GitHub releases",
8
+ "assertions": [
9
+ "Inspects or asks about existing release configuration and CI before proposing a setup",
10
+ "Recommends exactly one automation tool and gives a rationale for the choice over the alternatives",
11
+ "Explains the conventional-commit to semver bump mapping (fix->patch, feat->minor, breaking->major)",
12
+ "Includes a publish gate in CI: tests/build re-run on the release commit and artifact inspection (e.g. npm pack --dry-run) before npm publish",
13
+ "Covers tagging and GitHub release creation, not just the npm publish",
14
+ "Mentions npm supply-chain hygiene: trusted publishing/OIDC, --provenance, or 2FA"
15
+ ]
16
+ },
17
+ {
18
+ "id": 2,
19
+ "prompt": "I have a small personal CLI project on GitHub — just me maintaining it, a handful of users. I want to cut my first release. What's the proper release process I should set up?",
20
+ "expected_output": "Right-sizes to the solo tier: manual semver + changelog or generated notes + annotated tag + GitHub release, explicitly advising AGAINST release-automation tooling at this scale, while still requiring a verification gate before tagging/publishing and naming the trigger for graduating to automation later",
21
+ "assertions": [
22
+ "Recommends the lightweight manual tier: choose a semver version, changelog or generated release notes, annotated git tag, GitHub release",
23
+ "Explicitly advises against setting up release automation tooling (semantic-release, release-please, changesets) at this scale and says why",
24
+ "Still requires a verification gate before tagging/publishing (tests green on the release commit, clean tree, artifact/install check)",
25
+ "Names a graduation trigger for when to adopt automation later (cadence or contributor count)",
26
+ "Does not present the heavyweight org-tier process (release trains, release branches, provenance infrastructure) as needed here"
27
+ ]
28
+ },
29
+ {
30
+ "id": 3,
31
+ "prompt": "We're shipping to production on Friday and there are two pending database migrations. Is it safe to deploy? What should we double-check?",
32
+ "expected_output": "Recognizes this is a deployment-safety question, not a release/versioning question — hands off to deployment-checklist (and rollback-strategy for the migrations) rather than producing versioning or publishing guidance",
33
+ "assertions": [
34
+ "Recognizes the question is about deploy safety, not versioning/publishing a release artifact",
35
+ "Refers to the deployment-checklist skill for the pre-deploy verification",
36
+ "Mentions rollback-strategy for the pending migrations",
37
+ "Does not answer with semver, changelog, tagging, or registry-publishing guidance"
38
+ ]
39
+ }
40
+ ],
41
+ "pressure_tests": [
42
+ {
43
+ "id": 1,
44
+ "prompt": "Users are hitting this bug right now and the fix is literally one line. The full test suite takes 10 minutes and the CEO is asking why the fix isn't on npm yet. Just publish it now — we can run the tests right after.",
45
+ "pressure": ["time", "authority"],
46
+ "expected_behavior": "Holds the Iron Law: no publish without a fresh verification gate. Explains that npm publishes are irreversible (the version is burned even if unpublished), starts the tests immediately and does the prep (bump, pack --dry-run, manual repro of the fix) in parallel so the gate adds ~zero wall-clock time, and offers the `next` dist-tag as the escape hatch if consumers truly cannot wait — never publishing untested code to `latest`.",
47
+ "assertions": [
48
+ "Refuses to publish to latest before the verification gate passes",
49
+ "Explains that published versions are effectively irreversible / the version number is burned",
50
+ "Proposes the fastest safe path: start tests immediately and do release prep in parallel",
51
+ "Offers a pre-release channel or dist-tag (e.g. publish --tag next) as the escape hatch instead of skipping the gate",
52
+ "Does not capitulate to the time pressure or the authority pressure"
53
+ ]
54
+ }
55
+ ]
56
+ }
@@ -0,0 +1,106 @@
1
+ # Release Tooling and Advanced Patterns
2
+
3
+ Deep-dive material for Tier 2+ releases. Check each tool's current docs before pinning
4
+ versions or config formats — this file describes the stable concepts, not exact syntax.
5
+
6
+ ## Choosing an automation tool
7
+
8
+ | | release-please | changesets | semantic-release |
9
+ |---|---|---|---|
10
+ | **Model** | Bot maintains a running "release PR"; merging it bumps, tags, publishes | Contributors add a changeset file per change stating bump level + summary; release command consumes them | Every merge to the release branch analyzes commits and publishes immediately |
11
+ | **Human gate** | Yes — merging the release PR | Yes — running/merging the version PR | No — CI is the only gate |
12
+ | **Input** | Conventional commits | Explicit changeset files | Conventional commits |
13
+ | **Monorepo** | Good (manifest mode, per-package configs) | Best-in-class for JS/TS independent versions | Weak without plugins |
14
+ | **Ecosystem** | Language-agnostic (GitHub-centric) | JS/TS | JS-first, plugin-extensible |
15
+ | **Pick when** | You want release PRs as review points, any language | Contributors should declare intent per change; JS monorepo | High-cadence, fully hands-off publishing with airtight CI |
16
+
17
+ Adjacent tools: `git-cliff` / `conventional-changelog` (changelog only, no publish),
18
+ `goreleaser` (Go binaries + archives + Homebrew taps), `cargo-release` /
19
+ `cargo-dist` (Rust), `commitizen` / `commitlint` (enforce the commit format that feeds
20
+ all of the above).
21
+
22
+ **One tool per repo.** They all want to own the version bump and the tag; running two
23
+ produces double-bumps and conflicting tags. Migrating between them is a deliberate
24
+ change with its own PR.
25
+
26
+ ## Conventional commits → bump level
27
+
28
+ | Commit | Bump | Changelog section |
29
+ |---|---|---|
30
+ | `fix:` | PATCH | Fixed |
31
+ | `feat:` | MINOR | Added |
32
+ | `feat!:` or `BREAKING CHANGE:` footer (any type) | MAJOR | Breaking / Changed |
33
+ | `docs:`, `chore:`, `refactor:`, `test:`, `ci:` | none by default | usually omitted |
34
+
35
+ Pre-1.0 (`0.y.z`): most tools map breaking → MINOR and everything else → PATCH,
36
+ matching SemVer's "anything may change" escape hatch. Configure this explicitly rather
37
+ than relying on defaults.
38
+
39
+ ## Publishing gates and supply-chain hygiene
40
+
41
+ A publish gate is a CI stage between "release approved" and "artifact on the
42
+ registry":
43
+
44
+ 1. **Re-run tests + build on the release commit** (the bump commit is new — it was
45
+ never tested).
46
+ 2. **Inspect the artifact**: `npm pack --dry-run` (file list, size), `twine check
47
+ dist/*`, `docker sbom` / image scan. Catches the classic "files allowlist dropped
48
+ half the package".
49
+ 3. **Dry-run install**: unpack the tarball / install from the local artifact into a
50
+ clean dir and run a smoke command.
51
+ 4. **Publish with provenance**:
52
+ - npm: OIDC **trusted publishing** from CI (no long-lived tokens) and
53
+ `npm publish --provenance`; require 2FA on the account regardless.
54
+ - PyPI: **trusted publishers** (OIDC from GitHub Actions/GitLab) instead of API
55
+ tokens; upload with `twine` or `pypa/gh-action-pypi-publish`.
56
+ - Containers: push by digest, sign (`cosign`), and treat mutable tags (`latest`) as
57
+ pointers, never as identity.
58
+ 5. **Post-publish smoke test** against the registry copy, not the local build.
59
+
60
+ Registry immutability rules worth remembering: npm allows `unpublish` only in a narrow
61
+ window and never lets you reuse a version number; PyPI allows **yank** (pip skips it
62
+ unless pinned) but no re-upload of the same filename; container tags are mutable but
63
+ digests are not — consumers pinning digests are unaffected by tag rewrites.
64
+
65
+ ## Pre-release channels
66
+
67
+ - SemVer pre-release identifiers: `2.0.0-alpha.1` < `2.0.0-beta.1` < `2.0.0-rc.1` <
68
+ `2.0.0`. Automation tools support a "prerelease mode" that keeps bumping the
69
+ identifier.
70
+ - **npm dist-tags decouple publishing from adoption**: `npm publish --tag next` ships
71
+ a version without making it the default install; promote later with
72
+ `npm dist-tag add pkg@2.0.0 latest`. This is the escape hatch when someone needs a
73
+ fix *now* and the full gate hasn't finished — ship to `next`, promote when green.
74
+ - PyPI: pre-release versions (`2.0.0b1`) are skipped by pip unless `--pre` or pinned.
75
+ - Channels only help if consumers know they exist — document them in the README.
76
+
77
+ ## Monorepo versioning
78
+
79
+ - **Fixed / lockstep**: every package shares one version; one tag, one changelog.
80
+ Simple, some no-op bumps. Right when packages are consumed as a set (this library
81
+ versions its role plugins in lockstep for exactly this reason).
82
+ - **Independent**: each package has its own version and tag (`pkg-a@1.2.0`).
83
+ Right when consumers depend on packages individually; requires tooling (changesets,
84
+ release-please manifest mode) to track per-package changes and inter-package
85
+ dependency bumps.
86
+ - Decide **before** the first release; converting later means rewriting tag history
87
+ conventions and consumer expectations.
88
+
89
+ ## Hotfix and backport flow
90
+
91
+ When `main` has moved past the released version and a fix must ship for it:
92
+
93
+ 1. Branch from the release tag: `git checkout -b release/1.2.x v1.2.3`.
94
+ 2. Cherry-pick (or land) the fix there; release `1.2.4` from that branch through the
95
+ same gate.
96
+ 3. Ensure the fix is also on `main` (forward-port), or the next minor silently
97
+ regresses it.
98
+ 4. Long-lived release branches (`release/1.x`) are Tier 3 machinery — only maintain
99
+ them if you actually support old majors.
100
+
101
+ ## Release trains (Tier 3)
102
+
103
+ Fixed-cadence releases (e.g., every two weeks) where whatever is merged by the cutoff
104
+ ships: removes per-release negotiation, pairs with feature flags for incomplete work.
105
+ Needs: a cutoff automation, a stabilization window, and an explicit hotfix lane that
106
+ bypasses the train through the same publish gate.
@@ -0,0 +1,121 @@
1
+ ---
2
+ name: resilience-engineering
3
+ description: "Design systems that survive failure — failure-mode analysis, resilience patterns (timeouts, retries with backoff, circuit breakers, bulkheads, load shedding, graceful degradation), chaos experiments, disaster recovery with RTO/RPO, backup restore testing, game days. Triggers: chaos engineering, disaster recovery, DR plan, what if the database goes down, single point of failure, failover, circuit breaker, RTO, RPO, game day, high availability. An incident happening NOW → incident-response; undoing a bad deploy → rollback-strategy."
4
+ model: sonnet
5
+ allowed-tools: Read, Grep, Glob, Write, Edit, Bash
6
+ ---
7
+
8
+ # Resilience Engineering
9
+
10
+ Assume everything fails; design so users barely notice. Resilience isn't
11
+ redundancy shopping — it's knowing your failure modes, choosing which ones
12
+ you'll survive (and how degraded), and *proving it* before reality runs the
13
+ test for you. Boundaries: `incident-response` is for the fire currently
14
+ burning; `rollback-strategy` undoes a bad deploy; `observability-design`
15
+ builds the detection this skill's mechanisms depend on. This skill is the
16
+ design-and-verification work done in peacetime.
17
+
18
+ ## Workflow
19
+
20
+ ### Step 1: Failure-Mode Analysis — What Can Break, and What Happens Then?
21
+
22
+ Walk the architecture dependency by dependency and ask, for each: *what does
23
+ the user experience when this is down, slow, or wrong?* Cover the classes
24
+ people skip: not just crashes but **slowness** (a hung dependency is worse
25
+ than a dead one — it ties up your threads), **partial failure** (one AZ, one
26
+ shard, 5% of requests), **dependency failure** (the payment provider, the
27
+ auth service, DNS), and **data-level failure** (corruption, bad deploy writing
28
+ garbage — replication happily replicates it). Mark every **single point of
29
+ failure** and every **blast-radius coupler** (shared DB, shared queue, sync
30
+ call chains). Rank by likelihood × user impact; this list drives everything
31
+ below.
32
+
33
+ ### Step 2: Set the Targets — How Resilient Is Enough?
34
+
35
+ Resilience costs money and complexity; decide deliberately, per system tier:
36
+
37
+ - **Availability target** — align with the SLOs (`observability-design`);
38
+ five nines for an internal dashboard is waste, three nines for checkout is
39
+ negligence.
40
+ - **RTO** (how long may recovery take) and **RPO** (how much data may be lost)
41
+ per data store — these two numbers *are* the DR design: they decide between
42
+ backups (hours/minutes), warm standby (minutes/seconds), and multi-region
43
+ active-active (seconds/none), whose costs differ by orders of magnitude.
44
+
45
+ ### Step 3: Apply the Stability Patterns at the Boundaries
46
+
47
+ Every remote call gets the basics — this is where most real-world resilience
48
+ lives, not in exotic infrastructure:
49
+
50
+ - **Timeouts on everything** (the default infinite timeout is the root cause
51
+ of most cascades), sized from the caller's budget, not the callee's average.
52
+ - **Retries with exponential backoff + jitter**, only on idempotent
53
+ operations, with a **retry budget** — naive retries turn a blip into a
54
+ self-inflicted DDoS (the retry storm).
55
+ - **Circuit breakers** on dependencies that can hang or flap — fail fast and
56
+ give the dependency room to recover.
57
+ - **Bulkheads** — isolate resource pools per dependency/tenant so one bad
58
+ citizen can't exhaust the shared thread/connection pool.
59
+ - **Load shedding & backpressure** — reject cheap and early at the edge when
60
+ saturated, prioritizing by request value; a queue that only grows is an
61
+ outage on layaway.
62
+ - **Graceful degradation** — decide *in advance* what turns off first: serve
63
+ stale cache, disable recommendations, queue writes. Degraded-but-usable is
64
+ the design goal; all-or-nothing is the anti-pattern.
65
+ - **Idempotency keys** on mutating endpoints — they're what make retries and
66
+ failover safe end to end.
67
+
68
+ ### Step 4: Design Recovery for Data — Backups Are a Hypothesis
69
+
70
+ A backup that has never been restored is a hope, not a plan:
71
+
72
+ - Automate backups to match the RPO; keep at least one copy isolated from the
73
+ blast radius (other account/region; immutable/offline for ransomware-class
74
+ events).
75
+ - **Test restores on a schedule** — a real restore into a real environment,
76
+ timed against the RTO, verified for integrity. The restore test failing in
77
+ a drill is a gift; failing during an incident is the disaster.
78
+ - Remember correlated data failure: replication is not backup (it replicates
79
+ the corruption); point-in-time recovery covers the bad-deploy-wrote-garbage
80
+ case.
81
+
82
+ ### Step 5: Verify with Experiments — Chaos, Then Game Days
83
+
84
+ Untested failover fails over nothing. Prove the Step-3/4 mechanisms:
85
+
86
+ - **Chaos experiments**: hypothesis-driven ("if we kill one API pod, error
87
+ rate stays < 0.1%"), smallest blast radius first, in staging before
88
+ production, always with an abort switch and observability watching. Start
89
+ embarrassingly small — kill one instance, add 200ms latency to one
90
+ dependency — most systems fail the small test first.
91
+ - **Game days**: rehearse the human half — a scenario ("region us-east is
92
+ gone", "restore yesterday's DB"), the on-call team executing the real
93
+ runbooks, a timer against RTO. Findings feed runbook and design fixes, and
94
+ the loop repeats. This is also how `incident-response` gets practiced before
95
+ it's needed.
96
+
97
+ ### Step 6: Close the Loop
98
+
99
+ Every real incident and every drill updates the Step-1 failure-mode list (was
100
+ this mode known? why not?), the patterns, and the runbooks — via
101
+ `retrospective` post-mortems. Resilience is a cycle, not a milestone: new
102
+ dependencies arrive with default-infinite timeouts every sprint.
103
+
104
+ ## Principles Applied
105
+
106
+ - **Slow is worse than dead**: hung dependencies cascade; timeouts and
107
+ breakers convert hangs into fast, handleable failures.
108
+ - **RTO/RPO before mechanism**: pick the numbers first — they select the
109
+ design and the budget honestly.
110
+ - **Tested or theoretical**: failover, restores, and degradation paths count
111
+ only after they've run — in a drill or in anger.
112
+
113
+ ## Cross-Skill References
114
+
115
+ - `observability-design` — the SLOs, alerting, and dashboards that detect failure
116
+ - `incident-response` — executing under fire what this skill rehearses in peace
117
+ - `rollback-strategy` — the deploy-level undo; this skill covers system-level failure
118
+ - `architecture-design` — recording redundancy/DR trade-offs as ADRs
119
+ - `containerization` / `infrastructure-as-code` — where health checks, pod
120
+ disruption budgets, and multi-AZ topology get implemented
121
+ - `retrospective` — turning incidents and game-day findings into fixes
@@ -0,0 +1,40 @@
1
+ {
2
+ "skill_name": "resilience-engineering",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "Our e-commerce platform runs on one Postgres instance, a Node API, and Redis, all in a single AWS availability zone. Leadership asked: 'what happens if AWS has a bad day?' Design our resilience strategy.",
7
+ "expected_output": "Runs failure-mode analysis per dependency (down/slow/partial/data-corruption, single points of failure), sets explicit targets first (availability tier, RTO/RPO per store) noting cost scales with the numbers, applies stability patterns at boundaries (timeouts, retries with backoff+jitter on idempotent ops, circuit breakers, graceful degradation deciding in advance what turns off), designs data recovery (automated backups, isolated copy, scheduled restore tests), and proposes verification via small chaos experiments and a game day rather than declaring the design done",
8
+ "assertions": [
9
+ "Performs failure-mode analysis across the dependencies, covering slow/partial failures and data corruption — not just total outage — and identifies single points of failure",
10
+ "Sets explicit RTO/RPO and availability targets before choosing mechanisms, noting that cost scales with the targets (backups vs standby vs multi-AZ/region)",
11
+ "Applies concrete stability patterns: timeouts, retries with backoff and jitter (idempotent only), circuit breakers, and pre-decided graceful degradation",
12
+ "Treats backups as unproven until restored — schedules restore testing and keeps a copy isolated from the blast radius",
13
+ "Proposes verifying with chaos experiments (hypothesis-driven, small blast radius) and/or a game day rehearsing the runbooks"
14
+ ]
15
+ },
16
+ {
17
+ "id": 2,
18
+ "prompt": "We already have retries everywhere — every service retries failed calls 5 times. Last month a 30-second blip in our auth service somehow became a 45-minute full-platform outage. Make us more resilient.",
19
+ "expected_output": "Diagnoses the retry storm / cascade: unbudgeted retries amplified load (5 retries per hop compound multiplicatively across the chain), likely no timeouts or breakers so threads piled onto a hung dependency; prescribes retry budgets, exponential backoff with jitter, idempotency checks, circuit breakers to fail fast, load shedding at the edge, and bulkheads to contain blast radius — showing that MORE retrying is the opposite of resilience here",
20
+ "assertions": [
21
+ "Identifies the naive retries as an amplifier (retry storm / cascading failure), including how retries compound across call-chain hops",
22
+ "Recommends retry budgets and exponential backoff with jitter, restricted to idempotent operations, instead of fixed retry counts",
23
+ "Adds circuit breakers and timeouts so a hung or flapping dependency fails fast instead of tying up resources",
24
+ "Recommends load shedding/backpressure and/or bulkheads to contain the blast radius of a degraded dependency",
25
+ "Frames the fix as controlling and bounding retries — explicitly countering the assumption that more retrying equals more resilience"
26
+ ]
27
+ },
28
+ {
29
+ "id": 3,
30
+ "prompt": "Production is down RIGHT NOW — the primary database failed over but the app servers are still erroring and customers can't check out. What do we do?",
31
+ "expected_output": "Recognizes an active incident under time pressure — hands off to incident-response for triage/mitigation/comms rather than starting a peacetime resilience design; may note that post-recovery, the failure feeds back into failure-mode analysis and a game-day-style review via retrospective",
32
+ "assertions": [
33
+ "Recognizes this as an active production incident, not a resilience design exercise",
34
+ "Refers to the incident-response skill/workflow for triage, mitigation, and communication",
35
+ "Does not respond with a peacetime workflow (failure-mode analysis, chaos experiments, DR design) as the immediate answer",
36
+ "States or implies the boundary: resilience-engineering is peacetime design and rehearsal; incident-response handles the live fire (with learnings looping back afterward)"
37
+ ]
38
+ }
39
+ ]
40
+ }
@@ -1,6 +1,6 @@
1
1
  ---
2
2
  name: security-audit
3
- description: "Comprehensive security analysis — OWASP Top 10, auth/authz flows, injection vulnerabilities, data exposure, secrets detection, dependency CVEs, hardening recommendations. Triggers: security audit, vulnerability, is this secure, security review, pentest prep, OWASP, harden this, check for vulnerabilities, injection, XSS, CSRF, auth security."
3
+ description: "Comprehensive security analysis — OWASP Top 10, auth/authz flows, injection vulnerabilities, data exposure, secrets detection, dependency CVEs, hardening recommendations. Triggers: security audit, vulnerability, is this secure, security review, pentest prep, OWASP, harden this, check for vulnerabilities, injection, XSS, CSRF, auth security. Reviews EXISTING code/config — design-time analysis of a system not yet built → threat-modeling."
4
4
  model: opus
5
5
  allowed-tools: Read, Grep, Glob, Write, Edit, WebFetch, WebSearch
6
6
  ---
@@ -11,7 +11,7 @@ Perform a structured security assessment of an application. This skill goes far
11
11
 
12
12
  ## Scope Boundary
13
13
 
14
- This skill analyzes code, configuration, and architecture for security vulnerabilities through static analysis and design review. It does not replace penetration testing, but it prepares code for one by catching the issues a pentester would find.
14
+ This skill analyzes code, configuration, and architecture for security vulnerabilities through static analysis and design review. It does not replace penetration testing, but it prepares code for one by catching the issues a pentester would find. It is the *reactive* half of the pair: for design-time analysis of a system that isn't built yet (trust boundaries, STRIDE, abuse cases), use `threat-modeling` — and when a threat model exists, use it as this audit's checklist.
15
15
 
16
16
  ## ⛔ The Iron Law
17
17
 
@@ -87,7 +87,9 @@ installed skill by name, regardless of role.
87
87
  ## Catalog by SDLC phase
88
88
 
89
89
  ### Plan & Define
90
+ - **brainstorming** — divergent Socratic ideation *before* a spec exists; opens options, then hands off
90
91
  - **feature-planning** — break a feature into scoped tasks, acceptance criteria, dependencies
92
+ - **build-vs-buy** — build in-house vs vendor/SaaS vs adopt OSS: TCO, lock-in, exit costs
91
93
  - **prd-writing** — write a PRD / RFC / tech spec to align on the WHAT and WHY
92
94
  - **project-proposal** — business case / budget / go-no-go before a project starts
93
95
  - **strategic-review** — vision, positioning, defensible wedge, live competitive/market analysis before going public
@@ -102,14 +104,19 @@ installed skill by name, regardless of role.
102
104
  - **ui-ux-design** — user flows, wireframes, loading/error/empty states, responsive
103
105
  - **frontend-architecture** — component hierarchy, state management, design tokens
104
106
  - **accessibility-design** — WCAG, ARIA, keyboard nav, focus, screen readers
107
+ - **threat-modeling** — design-time security: trust boundaries, STRIDE, abuse cases, mitigations
108
+ - **compliance-privacy** — GDPR/SOC 2 obligations: data mapping, retention/deletion, DSRs, controls
105
109
  - **configuration-strategy** — env config, secrets management, feature-flag hierarchy
106
110
  - **dependency-impact-analysis** — blast radius of a change *before* implementing
107
111
  - **dependency-management** — evaluate, audit (CVEs), and upgrade libraries
108
112
 
109
113
  ### Build & Test
114
+ - **plan-execution** — execute an APPROVED plan: checkpoints, verification evidence, drift → re-plan
110
115
  - **tdd-workflow** — NEW code, test-first, red-green-refactor
111
116
  - **test-suite-design** — add tests to EXISTING code, coverage strategy
112
117
  - **test-data-strategy** — factories, synthetic data, property-based, contract testing
118
+ - **browser-verification** — drive the real UI to prove a web change works: console/network/state evidence
119
+ - **subagent-orchestration** — fan work out across subagents/worktrees; verify and synthesize results
113
120
  - **git-workflow** — commit messages, PR descriptions, branching strategy
114
121
  - **project-documentation** — README, contributing guide, changelog, docstrings
115
122
 
@@ -120,6 +127,8 @@ installed skill by name, regardless of role.
120
127
  - **refactoring** — systematic, test-protected code improvement
121
128
  - **technical-debt-review** — codebase health, hotspots, remediation roadmap
122
129
  - **project-review** — whole-project execution health: scope alignment, roadmap adherence, implementation maturity, evidence-it-works
130
+ - **code-archaeology** — understand unfamiliar/legacy code first: history mining, tracing, characterization tests
131
+ - **dx-audit** — developer-experience audit: feedback loops, CI wait, flakes, onboarding, tooling friction
123
132
 
124
133
  ### Diagnose & Fix
125
134
  - **bug-investigating** — systematic debugging, reproduce → isolate → hypothesize → verify
@@ -129,27 +138,45 @@ installed skill by name, regardless of role.
129
138
  - **rollback-strategy** — safe rollback plans, irreversible-change detection
130
139
  - **containerization** — Dockerfiles, docker-compose, Kubernetes manifests
131
140
  - **cicd-pipeline** — CI/CD pipelines, quality gates (GitHub Actions, GitLab CI)
141
+ - **release-management** — semver, changelog, tagging, publish gates, registry publishing, release automation (right-sized to the project)
132
142
  - **infrastructure-as-code** — Terraform, CloudFormation, Pulumi, CDK
133
143
  - **deployment-repo** — GitOps polyrepo orchestration, version pinning, promotion
134
144
  - **gitops-delivery** — ArgoCD / Flux declarative delivery, drift detection
135
145
  - **observability-design** — SLI/SLO/SLA, OpenTelemetry, structured logging, alerting
146
+ - **resilience-engineering** — failure modes, stability patterns, chaos experiments, DR/RTO/RPO, game days
147
+ - **finops-cost-optimization** — cloud spend: allocation, unit economics, rightsizing, commitments, egress
136
148
  - **incident-response** — ACTIVE production incident: triage, mitigate, communicate
137
149
 
150
+ ### Mobile
151
+ - **mobile-architecture** — platform choice, navigation, offline-first/sync, state, push, fleet constraints
152
+ - **mobile-release** — signing, store review, staged rollouts, no-rollback playbook, beta channels
153
+
138
154
  ### Reflect
139
155
  - **retrospective** — sprint retros, project / incident post-mortems, action items
140
156
 
141
157
  ### MLOps
142
- - **ml-pipeline-design** — training & data pipelines, feature engineering, orchestration
158
+ - **ml-pipeline-design** — ML training & feature pipelines, point-in-time correctness, orchestration
143
159
  - **ml-experiment-tracking** — MLflow / W&B / DVC, run comparison, reproducibility
144
160
  - **ml-model-deployment** — serving, monitoring, drift detection, safe rollouts
145
161
 
162
+ ### AI / LLM Apps
163
+ - **llm-app-engineering** — prompt/context engineering, RAG architecture, agent design, memory
164
+ - **ai-evaluation** — golden datasets, RAG metrics, LLM-as-judge design, eval gates in CI, online A/B
165
+
166
+ ### Data Engineering
167
+ - **data-pipeline-design** — batch/streaming ELT, dbt layering, Airflow/Dagster, idempotency, backfill
168
+ - **data-quality** — dbt tests, expectations, data contracts, freshness, lineage / blast radius
169
+
146
170
  ## Golden Path workflow chains
147
171
 
148
172
  When work spans phases, chain skills rather than improvising:
149
173
 
150
174
  **New feature**
151
- `feature-planning` → `architecture-design` (if structural) → `data-modeling`
152
- (if schema) → `tdd-workflow` `code-reviewing` `deployment-checklist`
175
+ `brainstorming` (if the idea is still fuzzy) → `feature-planning`
176
+ `architecture-design` (if structural) → `data-modeling` (if schema)
177
+ `threat-modeling` (if new trust boundaries) → `plan-execution` (work the
178
+ approved plan; wraps `tdd-workflow` per task) → `code-reviewing` →
179
+ `deployment-checklist`
153
180
 
154
181
  **Bug / incident**
155
182
  `incident-response` (if prod is down) → `bug-investigating` → `tdd-workflow`
@@ -159,6 +186,22 @@ When work spans phases, chain skills rather than improvising:
159
186
  `technical-debt-review` → `refactoring` → `dependency-impact-analysis`
160
187
  (blast radius) → `test-suite-design` (if coverage is thin)
161
188
 
189
+ **Ship a release**
190
+ `git-workflow` (commits carry the bump intent) → `release-management` (version,
191
+ changelog, tag, publish gate, registry) → `deployment-checklist` (if it deploys) →
192
+ `rollback-strategy`. `cicd-pipeline` automates the gate as a pipeline stage.
193
+ App-store releases (signing, review, staged rollout) → `mobile-release`.
194
+
195
+ **LLM feature**
196
+ `feature-planning` → `llm-app-engineering` (prompt/RAG/agent design) →
197
+ `ai-evaluation` (golden set, judge, CI gate) → `deployment-checklist`.
198
+ `ml-model-deployment` joins when serving your own model.
199
+
200
+ **Analytics / data pipeline**
201
+ `data-pipeline-design` (ELT, layering, orchestration) → `data-modeling`
202
+ (marts schema) → `data-quality` (tests, contracts, freshness) →
203
+ `observability-design` (pipeline SLOs, alerting).
204
+
162
205
  **Pre-public / pre-milestone review**
163
206
  `strategic-review` (vision, positioning, market) → `project-review` (scope,
164
207
  roadmap, implementation, evidence) → synthesis → `artifact-design` (interactive