swe-workflow-skills 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +57 -17
- package/VERSION +1 -1
- package/catalog.json +95 -5
- package/package.json +1 -1
- package/roles.json +58 -7
- package/skills/ai-evaluation/SKILL.md +111 -0
- package/skills/ai-evaluation/evals/evals.json +40 -0
- package/skills/ai-evaluation/references/eval-tooling.md +63 -0
- package/skills/architecture-design/SKILL.md +3 -1
- package/skills/brainstorming/SKILL.md +92 -0
- package/skills/brainstorming/evals/evals.json +40 -0
- package/skills/browser-verification/SKILL.md +95 -0
- package/skills/browser-verification/evals/evals.json +40 -0
- package/skills/build-vs-buy/SKILL.md +109 -0
- package/skills/build-vs-buy/evals/evals.json +40 -0
- package/skills/cicd-pipeline/SKILL.md +1 -0
- package/skills/code-archaeology/SKILL.md +103 -0
- package/skills/code-archaeology/evals/evals.json +41 -0
- package/skills/compliance-privacy/SKILL.md +113 -0
- package/skills/compliance-privacy/evals/evals.json +41 -0
- package/skills/compliance-privacy/references/obligations-map.md +69 -0
- package/skills/data-pipeline-design/SKILL.md +116 -0
- package/skills/data-pipeline-design/evals/evals.json +41 -0
- package/skills/data-pipeline-design/references/orchestration.md +64 -0
- package/skills/data-quality/SKILL.md +107 -0
- package/skills/data-quality/evals/evals.json +39 -0
- package/skills/data-quality/references/tooling.md +45 -0
- package/skills/deployment-checklist/SKILL.md +2 -1
- package/skills/dx-audit/SKILL.md +97 -0
- package/skills/dx-audit/evals/evals.json +40 -0
- package/skills/feature-planning/SKILL.md +5 -1
- package/skills/finops-cost-optimization/SKILL.md +109 -0
- package/skills/finops-cost-optimization/evals/evals.json +40 -0
- package/skills/git-workflow/SKILL.md +10 -0
- package/skills/llm-app-engineering/SKILL.md +102 -0
- package/skills/llm-app-engineering/evals/evals.json +40 -0
- package/skills/llm-app-engineering/references/patterns.md +70 -0
- package/skills/ml-experiment-tracking/SKILL.md +1 -1
- package/skills/ml-pipeline-design/SKILL.md +1 -1
- package/skills/mobile-architecture/SKILL.md +106 -0
- package/skills/mobile-architecture/evals/evals.json +40 -0
- package/skills/mobile-release/SKILL.md +109 -0
- package/skills/mobile-release/evals/evals.json +41 -0
- package/skills/plan-execution/SKILL.md +115 -0
- package/skills/plan-execution/evals/evals.json +55 -0
- package/skills/project-documentation/SKILL.md +4 -0
- package/skills/release-management/SKILL.md +97 -0
- package/skills/release-management/evals/evals.json +56 -0
- package/skills/release-management/references/release-tooling.md +106 -0
- package/skills/resilience-engineering/SKILL.md +121 -0
- package/skills/resilience-engineering/evals/evals.json +40 -0
- package/skills/security-audit/SKILL.md +2 -2
- package/skills/skill-router/SKILL.md +46 -3
- package/skills/subagent-orchestration/SKILL.md +100 -0
- package/skills/subagent-orchestration/evals/evals.json +40 -0
- package/skills/threat-modeling/SKILL.md +101 -0
- package/skills/threat-modeling/evals/evals.json +40 -0
- package/skills/threat-modeling/references/stride-mitigations.md +90 -0
- package/skills/writing-skills/SKILL.md +27 -11
|
@@ -0,0 +1,100 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: subagent-orchestration
|
|
3
|
+
description: "Decompose big or parallelizable work across subagents — when to fan out vs stay solo, scoping self-contained sub-tasks, prompting agents that don't share your context, isolating parallel edits (git worktrees), skeptically verifying and synthesizing results you didn't produce. Triggers: use subagents, parallelize this, fan out, orchestrate agents, multi-agent, spawn agents, worktree, delegate to agents, split this across agents, agent team. Sequencing checkpoints of an approved plan → plan-execution (orchestration parallelizes within its batches)."
|
|
4
|
+
model: sonnet
|
|
5
|
+
allowed-tools: Read, Grep, Glob, Write, Edit, Bash
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Subagent Orchestration
|
|
9
|
+
|
|
10
|
+
Structure work across multiple agents so the result is *more* trustworthy than
|
|
11
|
+
one agent's pass — not just faster. The two failure modes this skill counters:
|
|
12
|
+
fanning out work that needed shared context (agents produce incompatible
|
|
13
|
+
pieces), and trusting subagent reports as if they were evidence (they're
|
|
14
|
+
claims). Exact tool names and mechanics vary by harness and move fast — apply
|
|
15
|
+
these principles through whatever agent-spawning surface is available.
|
|
16
|
+
Boundary: `plan-execution` sequences an approved plan's checkpoints;
|
|
17
|
+
orchestration is *how a batch* gets executed when it parallelizes.
|
|
18
|
+
|
|
19
|
+
## Workflow
|
|
20
|
+
|
|
21
|
+
### Step 1: Decide Fan-Out vs Solo — Honestly
|
|
22
|
+
|
|
23
|
+
Fan out when the work is **divisible into independent pieces** (per-file
|
|
24
|
+
migration, multi-angle research, review dimensions), when you need
|
|
25
|
+
**independent perspectives** (adversarial verification, judge panels), or when
|
|
26
|
+
the reading wouldn't fit one context (broad audits). Stay solo when the task
|
|
27
|
+
needs **one coherent design voice** (an API's shape, a refactor's structure),
|
|
28
|
+
when pieces are tightly coupled, or when the task is small — orchestration has
|
|
29
|
+
overhead, and a fleet of agents building a feature without shared design
|
|
30
|
+
produces expensive incoherence. Sub-agents also can't ask you clarifying
|
|
31
|
+
questions mid-flight: ambiguity you'd resolve interactively must be resolved
|
|
32
|
+
*before* the fan-out.
|
|
33
|
+
|
|
34
|
+
### Step 2: Decompose into Self-Contained Tasks
|
|
35
|
+
|
|
36
|
+
Each sub-task needs: a **crisp goal** with a definition of done, **explicit
|
|
37
|
+
inputs** (files, constraints, conventions), **no shared mutable state** with
|
|
38
|
+
its siblings, and an **output contract** (exactly what to return, in what
|
|
39
|
+
form). If two tasks keep needing to talk to each other, they're one task —
|
|
40
|
+
re-cut the boundaries. Interfaces first: when pieces must fit together, fix
|
|
41
|
+
the contract between them *yourself, up front*, and hand each agent the
|
|
42
|
+
contract rather than hoping parallel guesses converge.
|
|
43
|
+
|
|
44
|
+
### Step 3: Prompt for a Cold Start
|
|
45
|
+
|
|
46
|
+
The subagent knows nothing you don't say — none of your conversation, your
|
|
47
|
+
constraints, or your taste. State the context it needs (or say exactly which
|
|
48
|
+
files to read first), the conventions to follow, the boundaries ("do NOT touch
|
|
49
|
+
X"), and the output contract. Ask for **raw findings and artifacts** (data,
|
|
50
|
+
diffs, file paths, failure output) rather than summaries — you need material
|
|
51
|
+
you can verify, not reassurance. A vague prompt costs a full agent-run to
|
|
52
|
+
discover; read your prompt as a stranger before sending it.
|
|
53
|
+
|
|
54
|
+
### Step 4: Isolate Parallel Writers
|
|
55
|
+
|
|
56
|
+
Agents editing the same working tree concurrently corrupt each other. Reads
|
|
57
|
+
parallelize freely; **writes need isolation** — one writer per area, or git
|
|
58
|
+
worktrees (each agent on its own branch/copy, merged deliberately afterward).
|
|
59
|
+
Budget for the merge: parallel edits that touch shared files turn saved
|
|
60
|
+
wall-clock into conflict resolution. If the merge looks expensive, re-cut
|
|
61
|
+
Step 2 along file boundaries instead.
|
|
62
|
+
|
|
63
|
+
### Step 5: Verify Like You Didn't Write It — Because You Didn't
|
|
64
|
+
|
|
65
|
+
A subagent's "done, tests pass" is a report, not evidence
|
|
66
|
+
(`verification-before-completion` applies with extra force). Run the proving
|
|
67
|
+
command on their artifact yourself; spot-read the diff (`code-reviewing` for
|
|
68
|
+
substantial changes). For *findings* (bugs, research claims), use structure:
|
|
69
|
+
**adversarial verification** (a second agent prompted to *refute* each
|
|
70
|
+
finding), **diverse lenses** (verifiers checking different failure modes beat
|
|
71
|
+
N identical passes), and majority voting where individual judgments are noisy.
|
|
72
|
+
Expect and discard duplicates and false positives from parallel finders —
|
|
73
|
+
that's normal yield, not failure.
|
|
74
|
+
|
|
75
|
+
### Step 6: Synthesize — the Step That Makes It One Answer
|
|
76
|
+
|
|
77
|
+
Merging results is real work you own: dedup overlapping findings, reconcile
|
|
78
|
+
contradictions (two agents asserting opposite things means *you* investigate,
|
|
79
|
+
not average), integrate parallel diffs and re-run the full suite on the
|
|
80
|
+
combined result, and write the coherent summary. The whole was your task; the
|
|
81
|
+
agents only did the parts. Close with a completeness check: did every
|
|
82
|
+
sub-task actually complete, and what fell between the cracks of the
|
|
83
|
+
decomposition?
|
|
84
|
+
|
|
85
|
+
## Principles Applied
|
|
86
|
+
|
|
87
|
+
- **Decomposition quality bounds output quality**: bad task boundaries can't
|
|
88
|
+
be fixed by more agents.
|
|
89
|
+
- **Reports aren't evidence**: verify artifacts, adversarially where stakes
|
|
90
|
+
warrant — trust is for people, not processes.
|
|
91
|
+
- **Parallelize reads freely, writes deliberately**: isolation is cheap before
|
|
92
|
+
the fan-out and expensive after.
|
|
93
|
+
|
|
94
|
+
## Cross-Skill References
|
|
95
|
+
|
|
96
|
+
- `plan-execution` — the checkpoint discipline; orchestration executes its batches
|
|
97
|
+
- `feature-planning` — producing the task breakdown worth parallelizing
|
|
98
|
+
- `verification-before-completion` — the evidence gate applied to every agent's claim
|
|
99
|
+
- `code-reviewing` — reviewing substantial subagent diffs before integration
|
|
100
|
+
- `git-workflow` — branch/merge hygiene for worktree-isolated work
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
{
|
|
2
|
+
"skill_name": "subagent-orchestration",
|
|
3
|
+
"evals": [
|
|
4
|
+
{
|
|
5
|
+
"id": 1,
|
|
6
|
+
"prompt": "I need to migrate 40 API endpoint files from our old error-handling pattern to the new Result-type pattern. The transformation is mechanical but each file has quirks. Can we parallelize this across subagents?",
|
|
7
|
+
"expected_output": "Confirms good fan-out shape (divisible, independent files, mechanical core), decomposes with an explicit output contract and conventions per agent, fixes the shared pattern/contract up front (an exemplar transformation), prompts for cold start (files to read, boundaries, exact return format), isolates parallel writers (per-file ownership or worktrees), then verifies the combined result itself — running the full suite on the merged output and spot-reviewing diffs — rather than trusting per-agent 'done' reports",
|
|
8
|
+
"assertions": [
|
|
9
|
+
"Evaluates the task's fan-out fitness (independent per-file work, mechanical transformation) rather than parallelizing by default",
|
|
10
|
+
"Fixes the shared contract up front — an exemplar of the new pattern/conventions each agent receives — so parallel results converge",
|
|
11
|
+
"Prompts agents for a cold start: explicit inputs, boundaries (files they own, what not to touch), and an exact output contract",
|
|
12
|
+
"Isolates parallel writes (one agent per file/area or git worktrees) to avoid corrupting the shared working tree",
|
|
13
|
+
"Verifies the merged result directly (full test suite on the combined diff, spot-reading changes) instead of trusting subagent completion reports"
|
|
14
|
+
]
|
|
15
|
+
},
|
|
16
|
+
{
|
|
17
|
+
"id": 2,
|
|
18
|
+
"prompt": "Designing our new public API is taking long. Let's speed it up: spawn 6 subagents — one designs the auth endpoints, one the user endpoints, one the billing endpoints, one picks the pagination style, one the error format, one versioning. Then we'll glue their outputs together.",
|
|
19
|
+
"expected_output": "Pushes back on the decomposition: an API's shape needs one coherent design voice — pagination, error format, versioning, and resource conventions are cross-cutting decisions that must be fixed once, not designed in parallel and glued; recommends deciding the cross-cutting contract first (solo or via api-design), then fanning out only genuinely independent work (e.g. drafting per-resource specs against the fixed contract, or independent reviews of a draft), warning that parallel guesses produce incompatible pieces and expensive reconciliation",
|
|
20
|
+
"assertions": [
|
|
21
|
+
"Identifies that the proposed decomposition splits tightly-coupled, cross-cutting design decisions (pagination, errors, versioning, conventions) that need a single coherent voice",
|
|
22
|
+
"Recommends fixing the shared contract/conventions first, before any fan-out, rather than gluing independently-designed pieces afterward",
|
|
23
|
+
"Explains the failure mode: parallel agents without a shared contract produce incompatible outputs and costly reconciliation",
|
|
24
|
+
"Offers a legitimate parallel structure instead — e.g. per-resource spec drafting against the fixed contract, or a multi-perspective review/judge panel of a single draft",
|
|
25
|
+
"Does not simply execute the 6-way split as requested"
|
|
26
|
+
]
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
"id": 3,
|
|
30
|
+
"prompt": "Here's our approved 5-phase implementation plan for the billing feature. Execute it phase by phase, verifying each phase before moving to the next.",
|
|
31
|
+
"expected_output": "Recognizes this as sequential checkpointed execution of an approved plan — refers to plan-execution for the checkpoint/verification/drift discipline, noting orchestration only enters if a batch inside the plan parallelizes; states the boundary between sequencing a plan and fanning out sub-tasks",
|
|
32
|
+
"assertions": [
|
|
33
|
+
"Recognizes the request as checkpointed sequential execution of an approved plan, not a parallelization problem",
|
|
34
|
+
"Refers to the plan-execution skill for the checkpoint, verification-evidence, and drift discipline",
|
|
35
|
+
"Does not spawn subagents or propose a fan-out as the primary answer",
|
|
36
|
+
"States or implies the boundary: plan-execution sequences the plan's checkpoints; subagent-orchestration is how an individual batch runs when it genuinely parallelizes"
|
|
37
|
+
]
|
|
38
|
+
}
|
|
39
|
+
]
|
|
40
|
+
}
|
|
@@ -0,0 +1,101 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: threat-modeling
|
|
3
|
+
description: "Design-time security analysis of a system or feature before it's built — trust boundaries, attack surface, STRIDE per element, abuse cases, prioritized mitigations that become security requirements. Triggers: threat model, STRIDE, trust boundary, attack surface, what could go wrong security-wise, security design review, abuse case, secure this design, security requirements. Reviewing EXISTING code/config for vulnerabilities → security-audit; use this skill while the design is still on the whiteboard."
|
|
4
|
+
model: opus
|
|
5
|
+
allowed-tools: Read, Grep, Glob, Write, Edit
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Threat Modeling
|
|
9
|
+
|
|
10
|
+
Find the security flaws while they're still cheap — in the design, before the
|
|
11
|
+
code exists. A missing authorization check found here is a requirement; found by
|
|
12
|
+
`security-audit` it's a rework ticket; found by an attacker it's an incident.
|
|
13
|
+
The frame is Shostack's four questions: **what are we building, what can go
|
|
14
|
+
wrong, what are we doing about it, did we do a good job?**
|
|
15
|
+
|
|
16
|
+
Boundary: this skill is proactive and design-time. Once code exists, verify it
|
|
17
|
+
against this model with `security-audit` — the two are complements, not
|
|
18
|
+
alternatives.
|
|
19
|
+
|
|
20
|
+
## Workflow
|
|
21
|
+
|
|
22
|
+
### Step 1: Model the System
|
|
23
|
+
|
|
24
|
+
Sketch a data-flow view of what's being built: components (processes, stores,
|
|
25
|
+
external services), the data flowing between them, and **classification** of
|
|
26
|
+
that data (what here is worth stealing or corrupting — credentials, PII,
|
|
27
|
+
payment data, tokens?). Then draw the **trust boundaries**: every place data
|
|
28
|
+
crosses a privilege, ownership, or network line — internet → load balancer,
|
|
29
|
+
app → database, user → admin, your service → a third party, webhook → your
|
|
30
|
+
endpoint. Threats cluster at these crossings; a model without explicit
|
|
31
|
+
boundaries finds only generic threats.
|
|
32
|
+
|
|
33
|
+
### Step 2: Enumerate the Attack Surface
|
|
34
|
+
|
|
35
|
+
List the entry points ranked by exposure — unauthenticated internet-facing
|
|
36
|
+
first, then authenticated user, then internal/partner, then admin. Name the
|
|
37
|
+
assets an attacker actually wants (from Step 1's classification) and the
|
|
38
|
+
realistic attackers: opportunist with a scanner, malicious or curious insider,
|
|
39
|
+
targeted attacker after your data specifically. Effort should follow exposure ×
|
|
40
|
+
asset value, not enumeration order.
|
|
41
|
+
|
|
42
|
+
### Step 3: STRIDE Each Boundary Crossing
|
|
43
|
+
|
|
44
|
+
Apply STRIDE **per element and boundary crossing**, not once globally — that's
|
|
45
|
+
what makes it systematic rather than a vibes checklist:
|
|
46
|
+
|
|
47
|
+
| Category | The question at each crossing |
|
|
48
|
+
|---|---|
|
|
49
|
+
| **S**poofing | Can the caller pretend to be someone/something else? |
|
|
50
|
+
| **T**ampering | Can data or code be modified in transit or at rest? |
|
|
51
|
+
| **R**epudiation | Could an actor deny an action with no way to prove it? |
|
|
52
|
+
| **I**nformation disclosure | Can data leak to someone unauthorized? |
|
|
53
|
+
| **D**enial of service | Can this element be exhausted or made unavailable? |
|
|
54
|
+
| **E**levation of privilege | Can a lower-privilege actor gain higher privilege? |
|
|
55
|
+
|
|
56
|
+
Per-category threat patterns and standard mitigations:
|
|
57
|
+
[references/stride-mitigations.md](references/stride-mitigations.md).
|
|
58
|
+
|
|
59
|
+
### Step 4: Write Abuse Cases
|
|
60
|
+
|
|
61
|
+
For each key user story, write the attacker's version: "As a malicious user, I
|
|
62
|
+
can share a link that grants more than I have", "As a former employee, I can
|
|
63
|
+
still call the API with my cached token." Abuse cases catch the logic-level
|
|
64
|
+
threats STRIDE's element-by-element pass misses — especially authorization
|
|
65
|
+
logic, workflow bypasses, and quota/limit abuse.
|
|
66
|
+
|
|
67
|
+
### Step 5: Rank and Decide
|
|
68
|
+
|
|
69
|
+
Score each threat roughly by likelihood × impact — precision theater (long
|
|
70
|
+
DREAD decimals) wastes the room's time; high/medium/low is enough to order the
|
|
71
|
+
work. For each threat, record an explicit decision: **mitigate** (name the
|
|
72
|
+
control), **eliminate** (remove the feature/flow), **transfer** (vendor,
|
|
73
|
+
insurance), or **accept** (documented, with an owner — silent acceptance is the
|
|
74
|
+
only wrong answer). Mitigations become **security requirements with acceptance
|
|
75
|
+
criteria** — feed them into `feature-planning` so they ship with the feature
|
|
76
|
+
instead of after it.
|
|
77
|
+
|
|
78
|
+
### Step 6: Validate and Keep It Alive
|
|
79
|
+
|
|
80
|
+
Check coverage: every trust boundary STRIDE'd, every entry point owned, every
|
|
81
|
+
threat decided. Then treat the model as living documentation — revisit when the
|
|
82
|
+
architecture changes (new integration, new entry point, new data class), and
|
|
83
|
+
hand it to `security-audit` as the checklist when the built system gets
|
|
84
|
+
reviewed.
|
|
85
|
+
|
|
86
|
+
## Principles Applied
|
|
87
|
+
|
|
88
|
+
- **Threats cluster at trust boundaries** — model the boundaries first and the
|
|
89
|
+
threats enumerate themselves; skip them and you get a generic list.
|
|
90
|
+
- **A decision per threat, even "accept"** — an undocumented accepted risk is
|
|
91
|
+
indistinguishable from an unnoticed one.
|
|
92
|
+
- **KISS on scoring**: rank to order the work, not to defend the numbers.
|
|
93
|
+
|
|
94
|
+
## Cross-Skill References
|
|
95
|
+
|
|
96
|
+
- `security-audit` — reactive review of the *built* system; consumes this model
|
|
97
|
+
- `architecture-design` — record structural security decisions as ADRs
|
|
98
|
+
- `api-design` — authn/authz contracts for the boundaries identified here
|
|
99
|
+
- `data-modeling` — where the classified data actually lives
|
|
100
|
+
- `configuration-strategy` — secrets handling for the credentials in the model
|
|
101
|
+
- `feature-planning` — turns the mitigations into scheduled, testable tasks
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
{
|
|
2
|
+
"skill_name": "threat-modeling",
|
|
3
|
+
"evals": [
|
|
4
|
+
{
|
|
5
|
+
"id": 1,
|
|
6
|
+
"prompt": "We're designing a new file-sharing feature: users upload documents and can share them via public links, with optional password protection and expiry. Nothing is built yet. Can you threat model it before we start?",
|
|
7
|
+
"expected_output": "Models the system and data flows with explicit trust boundaries (internet → app, app → storage, anonymous link-holder → protected document), classifies the data at stake, enumerates the attack surface ranked by exposure, applies STRIDE per element/boundary crossing (e.g. link enumeration/guessing as information disclosure, password brute force as spoofing, upload abuse as DoS/tampering), writes abuse cases, and outputs prioritized mitigations framed as security requirements to feed into planning",
|
|
8
|
+
"assertions": [
|
|
9
|
+
"Models the system's components and data flows and identifies explicit trust boundaries before enumerating threats",
|
|
10
|
+
"Classifies the data at stake and enumerates entry points / attack surface ranked by exposure (unauthenticated public links first)",
|
|
11
|
+
"Applies STRIDE categories systematically per element or boundary crossing, naming the categories, rather than producing an unstructured threat list",
|
|
12
|
+
"Includes threats specific to this design, such as public-link guessing/enumeration, password brute-forcing, expired-link enforcement, and malicious file upload",
|
|
13
|
+
"Produces prioritized mitigations with an explicit decision per threat, framed as security requirements/acceptance criteria for implementation planning"
|
|
14
|
+
]
|
|
15
|
+
},
|
|
16
|
+
{
|
|
17
|
+
"id": 2,
|
|
18
|
+
"prompt": "New design to review before we build: we're adding inbound webhooks from a payment provider (they POST us payment events) plus an internal admin panel where support staff can issue refunds. Threat model this.",
|
|
19
|
+
"expected_output": "Treats the third-party webhook and the admin privilege line as distinct trust boundaries: webhook threats include spoofed/forged events (signature verification), replay (timestamp/nonce), and DoS/flooding; admin-panel threats center on elevation of privilege (function-level authz on refunds), repudiation (audit trail for refund actions), and insider abuse cases; ranks by exposure and emits concrete mitigations",
|
|
20
|
+
"assertions": [
|
|
21
|
+
"Identifies the inbound webhook from the payment provider as a trust boundary crossing and covers spoofed/forged events with signature verification as a mitigation",
|
|
22
|
+
"Covers replay of webhook events (timestamp, nonce, or idempotency handling) and denial of service on the webhook endpoint",
|
|
23
|
+
"Treats the admin/support refund capability as a privilege boundary — covering elevation of privilege and server-side function-level authorization",
|
|
24
|
+
"Addresses repudiation for refund actions (audit logging of who refunded what) and includes an insider/abuse-case perspective",
|
|
25
|
+
"Prioritizes threats by exposure and impact and records an explicit decision or mitigation per threat"
|
|
26
|
+
]
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
"id": 3,
|
|
30
|
+
"prompt": "Here's our Express API that's been in production for a year — can you go through the code and check it for vulnerabilities like SQL injection, XSS, and broken auth?",
|
|
31
|
+
"expected_output": "Recognizes this as a reactive security review of existing code, not design-time threat modeling — refers to security-audit for the OWASP-style code review, stating the boundary: threat-modeling analyzes designs before they're built; security-audit reviews built systems",
|
|
32
|
+
"assertions": [
|
|
33
|
+
"Recognizes the request as a security review of existing, deployed code rather than design-time analysis",
|
|
34
|
+
"Refers to the security-audit skill for the vulnerability review",
|
|
35
|
+
"Does not produce a design-time threat model (DFDs, STRIDE-per-boundary of a not-yet-built system) as the answer",
|
|
36
|
+
"States the boundary: threat-modeling is proactive/design-time, security-audit is the reactive review of built code"
|
|
37
|
+
]
|
|
38
|
+
}
|
|
39
|
+
]
|
|
40
|
+
}
|
|
@@ -0,0 +1,90 @@
|
|
|
1
|
+
# STRIDE: Threat Patterns and Standard Mitigations
|
|
2
|
+
|
|
3
|
+
Per-category catalog for Step 3. For each boundary crossing, scan the category's
|
|
4
|
+
typical threats and pick from the standard controls — invent a custom control
|
|
5
|
+
only when a standard one genuinely doesn't fit (custom security controls are
|
|
6
|
+
where vulnerabilities live).
|
|
7
|
+
|
|
8
|
+
## Spoofing (authentication)
|
|
9
|
+
|
|
10
|
+
**Typical threats**: credential stuffing/phishing at login; forged webhook or
|
|
11
|
+
callback calls; service-to-service calls with no caller identity; DNS/ARP
|
|
12
|
+
spoofing on internal traffic; replayed tokens or signed URLs.
|
|
13
|
+
|
|
14
|
+
**Standard mitigations**: strong auth (MFA for humans, mTLS or signed requests
|
|
15
|
+
for services); webhook signature verification **plus** timestamp/nonce to block
|
|
16
|
+
replay; short-lived tokens over long-lived API keys; OIDC/OAuth flows instead of
|
|
17
|
+
home-grown login; certificate pinning only where the threat justifies its
|
|
18
|
+
operational cost.
|
|
19
|
+
|
|
20
|
+
## Tampering (integrity)
|
|
21
|
+
|
|
22
|
+
**Typical threats**: parameter/payload manipulation (IDs, prices, quantities);
|
|
23
|
+
modification of data in transit; direct writes to a shared store bypassing the
|
|
24
|
+
app's rules; CI/CD or dependency supply-chain injection; unsigned mobile/desktop
|
|
25
|
+
update channels.
|
|
26
|
+
|
|
27
|
+
**Standard mitigations**: TLS everywhere (internal too); server-side validation
|
|
28
|
+
of every client-supplied value (client-side checks are UX, not security);
|
|
29
|
+
integrity signatures/HMACs on anything that round-trips through the client
|
|
30
|
+
(cookies, tokens, callback params); least-privilege DB accounts per service;
|
|
31
|
+
signed artifacts and locked dependencies in the pipeline.
|
|
32
|
+
|
|
33
|
+
## Repudiation (auditability)
|
|
34
|
+
|
|
35
|
+
**Typical threats**: admin or support actions with no trail; shared/service
|
|
36
|
+
accounts hiding who acted; logs an attacker can edit or delete; missing
|
|
37
|
+
before/after values on sensitive mutations.
|
|
38
|
+
|
|
39
|
+
**Standard mitigations**: append-only or write-once audit logs, shipped off the
|
|
40
|
+
host that generates them; per-human accounts (no shared logins) with actions
|
|
41
|
+
attributed through impersonation records; log the actor, action, target, and
|
|
42
|
+
before/after for sensitive operations; clock sync so timelines reconstruct.
|
|
43
|
+
|
|
44
|
+
## Information Disclosure (confidentiality)
|
|
45
|
+
|
|
46
|
+
**Typical threats**: IDOR (guessable IDs + missing object-level authz); verbose
|
|
47
|
+
errors/stack traces leaking internals; sensitive data in logs, URLs, or
|
|
48
|
+
analytics; overly broad API responses (returning the whole object when the
|
|
49
|
+
client needs two fields); backups/exports with weaker controls than the source;
|
|
50
|
+
enumeration via timing or error differences (valid vs invalid username).
|
|
51
|
+
|
|
52
|
+
**Standard mitigations**: object-level authorization on every read (not just
|
|
53
|
+
route-level); non-enumerable IDs where exposure matters; encrypt sensitive data
|
|
54
|
+
at rest and classify what "sensitive" means (Step 1); scrub PII/secrets from
|
|
55
|
+
logs and error responses; response shaping (field allowlists); uniform errors
|
|
56
|
+
and timing for auth failures.
|
|
57
|
+
|
|
58
|
+
## Denial of Service (availability)
|
|
59
|
+
|
|
60
|
+
**Typical threats**: unauthenticated endpoints doing expensive work (search,
|
|
61
|
+
export, PDF render); unbounded request sizes/collections ("give me all
|
|
62
|
+
records"); resource exhaustion via file upload; amplification through webhooks
|
|
63
|
+
or fan-out; a single tenant starving the rest.
|
|
64
|
+
|
|
65
|
+
**Standard mitigations**: rate limiting keyed to the right identity (IP for
|
|
66
|
+
anonymous, account for authenticated); pagination and hard caps on collection
|
|
67
|
+
endpoints; size limits and timeouts on every external input; queue + backpressure
|
|
68
|
+
for expensive work instead of doing it in-request; per-tenant quotas.
|
|
69
|
+
|
|
70
|
+
## Elevation of Privilege (authorization)
|
|
71
|
+
|
|
72
|
+
**Typical threats**: missing function-level checks (the admin route trusts the
|
|
73
|
+
hidden menu); role changes that don't re-evaluate existing sessions; mass
|
|
74
|
+
assignment setting `is_admin` from a request body; confused-deputy flows (your
|
|
75
|
+
service does something *for* a caller with *its own* elevated rights); path
|
|
76
|
+
traversal / injection escalating code execution.
|
|
77
|
+
|
|
78
|
+
**Standard mitigations**: deny-by-default authorization enforced server-side at
|
|
79
|
+
the function/object level; centralized policy (one authz module, not checks
|
|
80
|
+
scattered per handler); explicit field allowlists on writes; scoped credentials
|
|
81
|
+
so a deputy can only act with the caller's authority; re-check privileges on
|
|
82
|
+
sensitive actions, not just at login.
|
|
83
|
+
|
|
84
|
+
## Using the catalog
|
|
85
|
+
|
|
86
|
+
Walk each trust-boundary crossing from SKILL.md Step 3 down this list. Most
|
|
87
|
+
crossings surface 2–4 real threats, not all six categories — a database
|
|
88
|
+
crossing rarely has a repudiation story, a webhook crossing almost always has
|
|
89
|
+
spoofing + replay + DoS. Record only threats with a plausible attacker and
|
|
90
|
+
path; padding the model with theoretical entries buries the real ones.
|
|
@@ -7,11 +7,12 @@ allowed-tools: Read, Grep, Glob, Write, Edit, Bash
|
|
|
7
7
|
|
|
8
8
|
# Writing Skills
|
|
9
9
|
|
|
10
|
-
Author and maintain skills for this library. The canonical rule set lives in
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
*applied*, not just read: how to reproduce a skill's failure before
|
|
14
|
-
how to write a description that actually triggers, and how to
|
|
10
|
+
Author and maintain skills for this library. The canonical rule set lives in
|
|
11
|
+
**docs/AUTHORING.md** — read it for descriptions, listing budget, frontmatter,
|
|
12
|
+
dynamic context injection, and common mistakes. This skill adds the parts that
|
|
13
|
+
must be *applied*, not just read: how to reproduce a skill's failure before
|
|
14
|
+
fixing it, how to write a description that actually triggers, and how to
|
|
15
|
+
pressure-test.
|
|
15
16
|
|
|
16
17
|
## ⛔ The Iron Law
|
|
17
18
|
|
|
@@ -53,16 +54,25 @@ description over the body, so get it right.
|
|
|
53
54
|
- **Our format is a compliant hybrid:** `<when/purpose>. Triggers: <keywords>. <boundary>`.
|
|
54
55
|
The `Triggers:` list *is* the when-to-use expressed as the phrases a user
|
|
55
56
|
actually types — keep casting that net wide.
|
|
56
|
-
-
|
|
57
|
-
|
|
57
|
+
- **Keep the hybrid format for now** (don't move triggers to `when_to_use` yet):
|
|
58
|
+
the catalog builder reads only `description`, so the router would lose the
|
|
59
|
+
trigger phrases. The `when_to_use` migration is a coordinated roadmap change
|
|
60
|
+
(builder + skills + routing re-baseline together).
|
|
61
|
+
- **~350 chars** for `description` (listing-budget constraint; hard cap 1024).
|
|
62
|
+
Over budget, the *least-invoked* skills' descriptions drop silently — `/doctor`
|
|
63
|
+
reports it. See AUTHORING.md "Listing Budget".
|
|
58
64
|
- **Anti-pattern:** describing mechanics/steps instead of triggering situations.
|
|
59
65
|
|
|
60
|
-
## Structure and budget (brief — see
|
|
66
|
+
## Structure and budget (brief — see AUTHORING.md for detail)
|
|
61
67
|
|
|
62
68
|
- Frontmatter: `name`, `description`, `model` (haiku/sonnet/opus by reasoning
|
|
63
|
-
need), `allowed-tools`.
|
|
69
|
+
need), `allowed-tools`. Newer fields where they fit: `when_to_use`,
|
|
70
|
+
`context: fork` + `agent` (heavy read-only skills), `paths` (file-scoped),
|
|
71
|
+
`disable-model-invocation` (deliberate-only workflows), `effort`.
|
|
64
72
|
- Progressive disclosure: keep SKILL.md tight (aim < 300 lines); push deep
|
|
65
|
-
domain knowledge to `references/`, output formats to `templates/`.
|
|
73
|
+
domain knowledge to `references/`, output formats to `templates/`. On
|
|
74
|
+
compaction only a skill's first ~5k tokens are re-attached — front-load the
|
|
75
|
+
Iron Law and workflow; write standing instructions, not one-time steps.
|
|
66
76
|
- Exactly **3 evals** (happy path / edge case / scope boundary) with specific,
|
|
67
77
|
verifiable assertions. For hardened skills, add an optional `pressure` eval
|
|
68
78
|
(see `verification-before-completion` and the safety-critical skills for the
|
|
@@ -79,9 +89,15 @@ Apply rigor where mistakes are expensive; keep freedom where judgment matters.
|
|
|
79
89
|
architecture exploration, UX, estimation, proposals. Rigidity there produces
|
|
80
90
|
worse outcomes, not better ones.
|
|
81
91
|
|
|
92
|
+
## Retiring skills
|
|
93
|
+
|
|
94
|
+
As base models improve, a skill can become pure overhead. Periodically re-run a
|
|
95
|
+
skill's evals RED (without the skill); if RED ≈ GREEN, slim or retire it rather
|
|
96
|
+
than letting it spend listing budget and re-attachment tokens.
|
|
97
|
+
|
|
82
98
|
## See also
|
|
83
99
|
|
|
84
|
-
-
|
|
100
|
+
- docs/AUTHORING.md — the canonical rules and common mistakes.
|
|
85
101
|
- [references/pressure-testing.md](references/pressure-testing.md) — running baseline scenarios and the pressure levers.
|
|
86
102
|
- `docs/EVALS.md` — the automated RED/GREEN harness that replays evals through subagents and gates regressions in CI.
|
|
87
103
|
- `verification-before-completion` — the discipline that proves a skill change works (run the eval, read the result).
|