swe-workflow-skills 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (74) hide show
  1. package/README.md +58 -17
  2. package/VERSION +1 -1
  3. package/catalog.json +113 -8
  4. package/commands/role.md +14 -2
  5. package/install.mjs +23 -3
  6. package/package.json +2 -2
  7. package/roles.json +72 -7
  8. package/scripts/resolve.mjs +8 -3
  9. package/skills/ai-evaluation/SKILL.md +112 -0
  10. package/skills/ai-evaluation/evals/evals.json +40 -0
  11. package/skills/ai-evaluation/references/eval-tooling.md +63 -0
  12. package/skills/architecture-design/SKILL.md +3 -1
  13. package/skills/brainstorming/SKILL.md +92 -0
  14. package/skills/brainstorming/evals/evals.json +40 -0
  15. package/skills/browser-verification/SKILL.md +95 -0
  16. package/skills/browser-verification/evals/evals.json +40 -0
  17. package/skills/build-vs-buy/SKILL.md +109 -0
  18. package/skills/build-vs-buy/evals/evals.json +40 -0
  19. package/skills/cicd-pipeline/SKILL.md +1 -0
  20. package/skills/code-archaeology/SKILL.md +103 -0
  21. package/skills/code-archaeology/evals/evals.json +41 -0
  22. package/skills/code-reviewing/SKILL.md +13 -3
  23. package/skills/compliance-privacy/SKILL.md +113 -0
  24. package/skills/compliance-privacy/evals/evals.json +41 -0
  25. package/skills/compliance-privacy/references/obligations-map.md +69 -0
  26. package/skills/data-pipeline-design/SKILL.md +116 -0
  27. package/skills/data-pipeline-design/evals/evals.json +41 -0
  28. package/skills/data-pipeline-design/references/orchestration.md +64 -0
  29. package/skills/data-quality/SKILL.md +107 -0
  30. package/skills/data-quality/evals/evals.json +39 -0
  31. package/skills/data-quality/references/tooling.md +45 -0
  32. package/skills/deployment-checklist/SKILL.md +2 -1
  33. package/skills/dx-audit/SKILL.md +97 -0
  34. package/skills/dx-audit/evals/evals.json +40 -0
  35. package/skills/effort-estimation/SKILL.md +24 -67
  36. package/skills/exploratory-data-analysis/SKILL.md +110 -0
  37. package/skills/exploratory-data-analysis/evals/evals.json +43 -0
  38. package/skills/feature-planning/SKILL.md +5 -1
  39. package/skills/finops-cost-optimization/SKILL.md +109 -0
  40. package/skills/finops-cost-optimization/evals/evals.json +40 -0
  41. package/skills/git-workflow/SKILL.md +31 -14
  42. package/skills/llm-app-engineering/SKILL.md +102 -0
  43. package/skills/llm-app-engineering/evals/evals.json +40 -0
  44. package/skills/llm-app-engineering/references/patterns.md +70 -0
  45. package/skills/ml-experiment-tracking/SKILL.md +1 -1
  46. package/skills/ml-pipeline-design/SKILL.md +8 -2
  47. package/skills/ml-pipeline-design/evals/evals.json +10 -0
  48. package/skills/mobile-architecture/SKILL.md +106 -0
  49. package/skills/mobile-architecture/evals/evals.json +40 -0
  50. package/skills/mobile-release/SKILL.md +109 -0
  51. package/skills/mobile-release/evals/evals.json +41 -0
  52. package/skills/notebook-to-production/SKILL.md +89 -0
  53. package/skills/notebook-to-production/evals/evals.json +42 -0
  54. package/skills/plan-execution/SKILL.md +115 -0
  55. package/skills/plan-execution/evals/evals.json +55 -0
  56. package/skills/project-documentation/SKILL.md +8 -1
  57. package/skills/project-review/SKILL.md +13 -3
  58. package/skills/release-management/SKILL.md +97 -0
  59. package/skills/release-management/evals/evals.json +56 -0
  60. package/skills/release-management/references/release-tooling.md +106 -0
  61. package/skills/resilience-engineering/SKILL.md +121 -0
  62. package/skills/resilience-engineering/evals/evals.json +40 -0
  63. package/skills/security-audit/SKILL.md +14 -3
  64. package/skills/skill-router/SKILL.md +57 -4
  65. package/skills/statistical-analysis/SKILL.md +93 -0
  66. package/skills/statistical-analysis/evals/evals.json +43 -0
  67. package/skills/strategic-review/SKILL.md +16 -2
  68. package/skills/subagent-orchestration/SKILL.md +100 -0
  69. package/skills/subagent-orchestration/evals/evals.json +40 -0
  70. package/skills/technical-debt-review/SKILL.md +12 -2
  71. package/skills/threat-modeling/SKILL.md +101 -0
  72. package/skills/threat-modeling/evals/evals.json +40 -0
  73. package/skills/threat-modeling/references/stride-mitigations.md +90 -0
  74. package/skills/writing-skills/SKILL.md +48 -16
package/README.md CHANGED
@@ -1,10 +1,10 @@
1
1
  # SWE Workflow Skills for Claude Code
2
2
 
3
3
  [![roles-check](https://github.com/SWEStash/swe-workflow-skills/actions/workflows/roles-check.yml/badge.svg)](https://github.com/SWEStash/swe-workflow-skills/actions/workflows/roles-check.yml)
4
- ![skills](https://img.shields.io/badge/skills-44-blue)
5
- [![license](https://img.shields.io/github/license/SWEStash/swe-workflow-skills)](LICENSE)
4
+ ![skills](https://img.shields.io/badge/skills-65-blue)
5
+ [![license: MIT](https://img.shields.io/badge/license-MIT-yellow.svg)](LICENSE)
6
6
 
7
- A curated library of **44 Claude Code Agent Skills** that walk Claude through the
7
+ A curated library of **65 Claude Code Agent Skills** that walk Claude through the
8
8
  software lifecycle the way a disciplined senior engineer would — planning, design,
9
9
  TDD, review, security, deployment, incidents, and the project-management work around
10
10
  them.
@@ -17,21 +17,37 @@ LLM-as-judge eval harness.
17
17
 
18
18
  ## Why this library
19
19
 
20
- - **An orchestrator, not a pile of skills.** A `skill-router` skill maps your intent to
21
- the right skill(s) and chains them across phases. Activation is *routed and
22
- deterministic*, not left to fuzzy auto-triggering.
20
+ Not just a pile of skills an activation architecture, an eval discipline, and
21
+ full-SDLC breadth that popular collections don't cover:
22
+
23
+ - **An orchestrator, not auto-trigger roulette.** A `skill-router` skill maps your
24
+ intent to the right skill(s) and chains them across phases. Activation is *routed and
25
+ deterministic*, not left to fuzzy auto-triggering — the routing eval harness measures
26
+ it (top-1 accuracy 1.00, zero misroutes on the current baseline, regression-gated in
27
+ CI).
23
28
  - **Scales past Claude's skill-listing budget.** Claude Code only injects skill
24
29
  descriptions up to ~1% of context, so large libraries silently stop triggering past
25
30
  ~20–40 skills. This library keeps only the router + safety skills "loud" and lists the
26
- rest **name-only** — so the router can invoke all 44 by name, with no cropping and
27
- without making you pre-pick a subset ([how it works](docs/ROLES.md)).
28
- - **Role-scoped.** `/role backend` (or `frontend`, `devops`, `ml`, `security`,
29
- `architect`, `em`, `pm`, `qa`, `designer`) promotes a working set to auto-trigger; the
30
- rest stay one route away.
31
+ rest **name-only** — the mechanism Claude Code's own docs now recommend for large
32
+ installs so the router can invoke every skill by name, with no cropping and without
33
+ making you pre-pick a subset ([how it works](docs/ROLES.md)).
34
+ - **Tested like code, not prose.** Every skill ships 3 evals; two LLM-as-judge
35
+ harnesses (content quality and routing accuracy) replay them with skill loaded vs
36
+ absent and gate regressions in CI. Safety-critical skills (deploys, releases, tests,
37
+ incidents, security) are **hardened**: an Iron Law, a rationalization table distilled
38
+ from real baseline failures, and pressure tests that try to talk the agent out of it.
39
+ - **Full-SDLC breadth.** Planning, architecture/ADRs, API and data design, TDD, review,
40
+ security, releases, deploys, GitOps, observability, incidents, MLOps, LLM apps
41
+ and AI evaluation, data pipelines and data quality, and the PM/strategy work
42
+ around them — a wider slice of the lifecycle than the community collections we
43
+ know of aim for (they tend to go deep on the coding inner loop; see
44
+ [Acknowledgements](#acknowledgements)).
45
+ - **Role-scoped.** `/role backend` (or `frontend`, `devops`, `ml`, `ai`, `data`,
46
+ `data-scientist`, `security`, `architect`, `em`, `pm`, `strategy`, `qa`, `mobile`,
47
+ `designer`) promotes a working set to auto-trigger; the rest stay one route away.
31
48
  - **Cross-platform install.** The installer and SessionStart hook are **pure Node** — the
32
49
  one runtime Claude Code already requires — so they run identically on Linux, macOS, and
33
50
  Windows (no bash, Python, or `sed`).
34
- - **Tested.** Every skill ships 3 evals; safety/discipline skills add pressure tests.
35
51
 
36
52
  ## Quick Start
37
53
 
@@ -46,7 +62,7 @@ web, claude.ai chat, and Cowork):
46
62
  **Want the whole library with the orchestrator** (CLI) — no clone needed:
47
63
 
48
64
  ```bash
49
- npx swe-workflow-skills install --global # all 44 skills + router + /role + the SessionStart hook
65
+ npx swe-workflow-skills install --global # all 65 skills + router + /role + the SessionStart hook
50
66
  ```
51
67
 
52
68
  Or from a clone: `node install.mjs --global`.
@@ -104,15 +120,19 @@ review) live in the `skill-router` skill and **[ROLES.md](docs/ROLES.md)**.
104
120
 
105
121
  ## What's included
106
122
 
107
- 44 skills — **[full catalog → SKILLS.md](docs/SKILLS.md)**:
123
+ 65 skills — **[full catalog → SKILLS.md](docs/SKILLS.md)**:
108
124
 
109
125
  | Area | Count | Examples |
110
126
  |------|-------|----------|
111
- | Software Engineering | 23 | feature-planning, architecture-design, tdd-workflow, code-reviewing, security-audit, refactoring, incident-response |
112
- | Project Management | 6 | prd-writing, effort-estimation, metrics-and-okrs, retrospective, strategic-review |
113
- | DevOps | 5 | containerization, cicd-pipeline, infrastructure-as-code, gitops-delivery |
127
+ | Software Engineering | 30 | feature-planning, plan-execution, architecture-design, threat-modeling, compliance-privacy, code-archaeology, tdd-workflow, security-audit, browser-verification, subagent-orchestration |
128
+ | Project Management | 8 | brainstorming, prd-writing, effort-estimation, build-vs-buy, metrics-and-okrs, retrospective, strategic-review |
129
+ | DevOps | 8 | containerization, cicd-pipeline, release-management, gitops-delivery, resilience-engineering, finops-cost-optimization |
114
130
  | Design | 3 | ui-ux-design, frontend-architecture, accessibility-design |
115
131
  | MLOps | 3 | ml-pipeline-design, ml-experiment-tracking, ml-model-deployment |
132
+ | AI Engineering | 2 | llm-app-engineering, ai-evaluation |
133
+ | Data Science | 3 | exploratory-data-analysis, statistical-analysis, notebook-to-production |
134
+ | Data Engineering | 2 | data-pipeline-design, data-quality |
135
+ | Mobile | 2 | mobile-architecture, mobile-release |
116
136
  | Evaluation & Monitoring | 2 | observability-design, test-data-strategy |
117
137
  | Meta | 2 | skill-router, writing-skills |
118
138
 
@@ -139,6 +159,27 @@ New or improved skills are welcome — start with **[AUTHORING.md](docs/AUTHORIN
139
159
  install the `writing-skills` skill). The short version: descriptions are everything, keep
140
160
  SKILL.md concise with detail in `references/`, and ship exactly 3 evals.
141
161
 
162
+ ## Acknowledgements
163
+
164
+ This library stands on ideas from projects we found genuinely useful:
165
+
166
+ - **[obra/superpowers](https://github.com/obra/superpowers)** — the guardrail pattern
167
+ our hardened safety skills adopt (an Iron Law, a rationalization table distilled from
168
+ real failures, and pressure tests that try to talk the agent out of it) comes from
169
+ Jesse Vincent's work here, as does the idea of a Socratic brainstorming skill as the
170
+ entry point to a feature. Superpowers goes deeper on the coding inner loop than we do;
171
+ if that's what you want, use it.
172
+ - **[anthropics/skills](https://github.com/anthropics/skills)** — Anthropic's official
173
+ skills (and `skill-creator` in particular) are the authoring practice we benchmark
174
+ ours against; the eval-first loop in [AUTHORING.md](docs/AUTHORING.md) follows the
175
+ same instinct.
176
+ - **The [Agent Skills docs](https://code.claude.com/docs/en/skills) and Anthropic's
177
+ engineering posts** — progressive disclosure, the listing budget, and the
178
+ `name-only` + `skillOverrides` activation surface this library's routing model is
179
+ built on.
180
+ - **The awesome-claude-skills community lists** — the ecosystem survey that shaped our
181
+ gap analysis of what a full-SDLC library should cover.
182
+
142
183
  ## License
143
184
 
144
185
  MIT — see [LICENSE](LICENSE).
package/VERSION CHANGED
@@ -1 +1 @@
1
- 0.1.0
1
+ 0.3.0
package/catalog.json CHANGED
@@ -6,6 +6,11 @@
6
6
  "description": "Design and implement accessible web/mobile apps to WCAG 2.1/2.2 — semantic HTML, ARIA patterns, keyboard navigation, focus management, color contrast, screen readers, accessible forms. Triggers: accessibility, a11y, WCAG, screen reader, keyboard navigation, ARIA, focus management, color contrast, alt text, semantic HTML, tab order, focus trap, skip link, announce. Build it in, don't bolt it on.",
7
7
  "path": "accessibility-design/SKILL.md"
8
8
  },
9
+ {
10
+ "name": "ai-evaluation",
11
+ "description": "Define how to evaluate ML models and GenAI/LLM apps — golden datasets, offline metrics, RAG evaluation (faithfulness, relevance, context precision/recall) with ragas/deepeval/promptfoo, LLM-as-judge design and calibration, eval regression gates in CI, online A/B and human feedback. Logging/comparing runs → ml-experiment-tracking; building the app → llm-app-engineering; general experiment statistics → statistical-analysis. Triggers: evaluate the model, eval my chatbot, RAG evals, ragas, LLM as judge, golden dataset, eval suite, is the new prompt better, hallucination rate, benchmark our AI app.",
12
+ "path": "ai-evaluation/SKILL.md"
13
+ },
9
14
  {
10
15
  "name": "api-design",
11
16
  "description": "Design RESTful and GraphQL APIs — endpoint naming, request/response contracts, error handling, pagination, versioning, auth patterns, OpenAPI specs. Triggers: design the API, API contract, REST API, GraphQL schema, error response format, pagination, API versioning, OpenAPI, swagger, endpoints. Use architecture-design for REST-vs-GraphQL or monolith-vs-microservices decisions.",
@@ -13,7 +18,7 @@
13
18
  },
14
19
  {
15
20
  "name": "architecture-design",
16
- "description": "Guide architectural and structural decisions using Architecture Decision Records (ADRs) — new services, pattern choices, database selection, component boundaries, state management, costly-to-reverse decisions. Triggers: how should I architect, which pattern, design decision, should I use X or Y, system design, ADR, component design, architectural trade-off.",
21
+ "description": "Guide architectural and structural decisions using Architecture Decision Records (ADRs) — new services, pattern choices, database selection, component boundaries, state management, costly-to-reverse decisions. Triggers: how should I architect, which pattern, design decision, should I use X or Y, system design, ADR, component design, architectural trade-off. Owns internal-structure decisions — build vs buy/adopt a vendor or OSS capability → build-vs-buy.",
17
22
  "path": "architecture-design/SKILL.md"
18
23
  },
19
24
  {
@@ -21,21 +26,46 @@
21
26
  "description": "Design and maintain architecture documentation with multi-level diagrams (C4) and docs-as-code. Triggers: architecture diagram, document the architecture, C4 diagram, system context, container diagram, component diagram, architecture docs, docs-as-code, PlantUML, Structurizr, D2, Mermaid architecture, infrastructure diagram, runtime flow. Use architecture-design for ADRs.",
22
27
  "path": "architecture-documentation/SKILL.md"
23
28
  },
29
+ {
30
+ "name": "brainstorming",
31
+ "description": "Facilitate divergent ideation before committing to a spec — Socratic questioning, widening the option space, challenging assumptions and inherited constraints, then converging on candidates. Triggers: brainstorm, let's explore ideas, what are our options, help me think through, generate ideas, what could we build, not sure what I want, explore approaches, ideate. Once ideas converge, hand off to prd-writing (WHAT/WHY) or feature-planning (breakdown) — this skill opens options; those close them.",
32
+ "path": "brainstorming/SKILL.md"
33
+ },
34
+ {
35
+ "name": "browser-verification",
36
+ "description": "Verify a web app change by driving the real UI in a browser — reproduce the user flow end to end, watch console errors and network failures, exercise loading/error/empty states, capture screenshots as evidence. Use before claiming a UI change works. Triggers: check it in the browser, verify the UI, click through the flow, console errors, test it like a user, smoke test the frontend. Designing persistent test suites → test-suite-design; the generic done-gate → verification-before-completion (this is its browser-specific practice).",
37
+ "path": "browser-verification/SKILL.md"
38
+ },
24
39
  {
25
40
  "name": "bug-investigating",
26
41
  "description": "Systematic debugging and root cause analysis using structured methodology — reproduce, isolate, hypothesize, verify. Triggers: this doesn't work, I'm getting an error, something is broken, bug, debug this, why is this happening, unexpected behavior, regression, root cause, stack trace, error message.",
27
42
  "path": "bug-investigating/SKILL.md"
28
43
  },
44
+ {
45
+ "name": "build-vs-buy",
46
+ "description": "Decide whether to build in-house, buy a vendor/SaaS product, or adopt OSS — core-vs-commodity framing, multi-year total cost of ownership, integration and maintenance burden, vendor viability, lock-in and exit costs. Triggers: build vs buy, build or buy, vendor evaluation, SaaS vs in-house, should we adopt this open source, TCO, total cost of ownership, lock-in, exit cost, make or buy, off the shelf. Internal-structure decisions (patterns, service boundaries, ADRs for your own code) → architecture-design.",
47
+ "path": "build-vs-buy/SKILL.md"
48
+ },
29
49
  {
30
50
  "name": "cicd-pipeline",
31
51
  "description": "Design CI/CD pipelines for automated build, test, deploy — GitHub Actions, GitLab CI, quality gates. Triggers: CI/CD, pipeline, GitHub Actions, GitLab CI, workflow, automated deployment, build pipeline, continuous integration, continuous deployment, automate tests on PR, deploy automatically, quality gate.",
32
52
  "path": "cicd-pipeline/SKILL.md"
33
53
  },
54
+ {
55
+ "name": "code-archaeology",
56
+ "description": "Understand unfamiliar or legacy code before changing it — map entry points, mine git history (blame, churn, log -S), trace data flow, recover the why behind odd code, pin current behavior with characterization tests, find seams for safe change. Triggers: understand this codebase, legacy code, inherited this project, what does this code do, why is it written this way, nobody knows how this works, onboard to this repo, is it safe to change this. Prioritizing debt → technical-debt-review; improving code you already understand → refactoring.",
57
+ "path": "code-archaeology/SKILL.md"
58
+ },
34
59
  {
35
60
  "name": "code-reviewing",
36
61
  "description": "Structured code reviews enforcing DRY, KISS, YAGNI, SRP, best practices, and project conventions. Triggers: review this code, code review, check my code, what do you think of this implementation, review this PR, is this code good, feedback on my code, review staged changes before commit.",
37
62
  "path": "code-reviewing/SKILL.md"
38
63
  },
64
+ {
65
+ "name": "compliance-privacy",
66
+ "description": "Engineer for regulatory and privacy obligations — GDPR/CCPA privacy-by-design, PII data mapping and minimization, retention and deletion (right to erasure), data subject requests, consent, SOC 2 controls (access, change management, audit logging). Triggers: GDPR, CCPA, SOC 2, HIPAA, compliance, privacy review, PII, personal data, data retention, right to be forgotten, DSR, audit requirements, are we compliant. Vulnerabilities in code → security-audit; attack analysis of a design → threat-modeling.",
67
+ "path": "compliance-privacy/SKILL.md"
68
+ },
39
69
  {
40
70
  "name": "configuration-strategy",
41
71
  "description": "Design environment configuration, secrets management, and feature-flag hierarchy for a service or feature. Triggers: config strategy, environment variables, .env, secrets management, feature flag, config hierarchy, config precedence, twelve-factor config, environment-specific settings.",
@@ -51,6 +81,16 @@
51
81
  "description": "Design database schemas, relationships, indexes, and migration strategies — relational and document stores. Triggers: data model, schema design, ER diagram, database schema, table design, foreign key, index strategy, normalization, denormalization, migration plan, document model, partition key.",
52
82
  "path": "data-modeling/SKILL.md"
53
83
  },
84
+ {
85
+ "name": "data-pipeline-design",
86
+ "description": "Design batch and streaming data pipelines — ELT into a warehouse/lakehouse, dbt and analytics engineering (staging/intermediate/marts layers), orchestration with Airflow or Dagster, idempotent loads, incremental models, backfills, CDC ingestion. Triggers: data pipeline, ELT, ETL, dbt models, data warehouse, Snowflake, BigQuery, ingest into the warehouse, Airflow DAG, Dagster, Kafka streaming, backfill, incremental load, nightly job duplicates rows. ML training/feature pipelines → ml-pipeline-design; validating the data → data-quality.",
87
+ "path": "data-pipeline-design/SKILL.md"
88
+ },
89
+ {
90
+ "name": "data-quality",
91
+ "description": "Keep warehouse and pipeline data trustworthy — dbt tests, expectations (Great Expectations/Soda), data contracts with upstream producers, source freshness, schema-drift and volume anomaly detection, lineage and blast radius, severity and alerting. Triggers: data quality, bad data in dashboards, data validation, dbt tests, data contract, schema drift, stale data, freshness check, duplicate rows, nulls in the warehouse, data lineage, data SLA, upstream schema change broke us. Generating test/synthetic data → test-data-strategy; schema design → data-modeling.",
92
+ "path": "data-quality/SKILL.md"
93
+ },
54
94
  {
55
95
  "name": "dependency-impact-analysis",
56
96
  "description": "Map the blast radius of a change before implementing — find dependents, classify breaking vs additive, identify coordination needs, produce a propagation plan. Triggers: what will break if I change this, blast radius, impact analysis, breaking change, who depends on this, downstream impact, safe to rename, shared schema change, dependency graph.",
@@ -71,16 +111,31 @@
71
111
  "description": "Design a deployment (GitOps) repo that orchestrates multiple services in a polyrepo — version pinning, environment promotion, compatibility matrices, system config. Triggers: deployment repo, GitOps repo, polyrepo, multi-repo, version pinning, compatibility matrix, environment promotion, multi-service deployment, orchestration repo, which versions work together.",
72
112
  "path": "deployment-repo/SKILL.md"
73
113
  },
114
+ {
115
+ "name": "dx-audit",
116
+ "description": "Audit and improve developer experience — inner-loop feedback (build/test/reload times), CI wait and queue times, flaky tests, local environment setup, onboarding time-to-first-PR, tooling friction, docs discoverability; produce a prioritized remediation plan. Triggers: developer experience, DX audit, devex, builds are slow, CI takes forever, flaky tests, onboarding takes weeks, tooling friction, developer productivity, engineers are frustrated. Code health/debt hotspots → technical-debt-review; designing one pipeline → cicd-pipeline.",
117
+ "path": "dx-audit/SKILL.md"
118
+ },
74
119
  {
75
120
  "name": "effort-estimation",
76
121
  "description": "Estimate engineering effort with agile techniques — story points, t-shirt sizing, three-point estimation, capacity planning. Triggers: estimate this, how long will this take, story points, t-shirt sizing, effort estimation, capacity planning, sprint planning, budget estimate, forecast, velocity, when will this be done.",
77
122
  "path": "effort-estimation/SKILL.md"
78
123
  },
124
+ {
125
+ "name": "exploratory-data-analysis",
126
+ "description": "Explore and profile an unfamiliar dataset before modeling or analysis — structural profiling, missingness structure, distributions and outliers, feature–target relationships, leakage awareness, and explicit hypothesis generation. Pipeline-level data trust (broken dashboards, tests, contracts, freshness) → data-quality; formal inference on the hypotheses → statistical-analysis. Triggers: explore this dataset, EDA, profile the data, what's in this data, first look at the data, understand this CSV, distributions, outliers, missing values, correlation, data leakage.",
127
+ "path": "exploratory-data-analysis/SKILL.md"
128
+ },
79
129
  {
80
130
  "name": "feature-planning",
81
- "description": "Break features into well-scoped tasks with acceptance criteria, risk assessment, and dependency mapping. Triggers: plan this, break this down, scope this feature, create tasks for, sprint planning, how should I implement this feature, user stories, acceptance criteria, dependency mapping, feature breakdown.",
131
+ "description": "Break features into well-scoped tasks with acceptance criteria, risk assessment, and dependency mapping. Triggers: plan this, break this down, scope this feature, create tasks for, sprint planning, how should I implement this feature, user stories, acceptance criteria, dependency mapping, feature breakdown. Creates the plan — executing an already-approved plan checkpoint by checkpoint → plan-execution.",
82
132
  "path": "feature-planning/SKILL.md"
83
133
  },
134
+ {
135
+ "name": "finops-cost-optimization",
136
+ "description": "Understand and reduce cloud spend — cost visibility and allocation (tagging, ownership), unit economics, rightsizing, autoscaling, commitment discounts (reserved instances, savings plans), storage/egress traps, architecture cost review, budgets and anomaly alerts. Triggers: cloud costs, AWS bill, cut costs, cost optimization, FinOps, why is our bill so high, rightsizing, reserved instances, savings plan, egress fees, cost per customer. Whether to build or buy a capability → build-vs-buy; making code faster → performance-optimization.",
137
+ "path": "finops-cost-optimization/SKILL.md"
138
+ },
84
139
  {
85
140
  "name": "frontend-architecture",
86
141
  "description": "Design frontend architecture — React component hierarchy, state management, design tokens, data fetching, routing, error boundaries, code organization. Triggers: component architecture, state management, design system, design tokens, component library, React structure, folder structure, Zustand vs Redux, React Query, code splitting, error boundary, compound component.",
@@ -106,6 +161,11 @@
106
161
  "description": "Write and review IaC with Terraform, CloudFormation, Pulumi, or CDK — modularity, security, state management. Triggers: Terraform, CloudFormation, Pulumi, infrastructure as code, IaC, provision, cloud resources, terraform module, state management, terraform plan, CDK, drift, remote state.",
107
162
  "path": "infrastructure-as-code/SKILL.md"
108
163
  },
164
+ {
165
+ "name": "llm-app-engineering",
166
+ "description": "Design and build LLM-powered applications — prompt and context engineering, RAG architecture (chunking, hybrid retrieval, reranking, grounded prompts), agent design (tool surfaces, planning, sub-agents), and memory. Triggers: build a chatbot, LLM app, AI assistant, prompt engineering, system prompt, RAG design, chunking, embeddings, vector database, semantic search, AI agent, tool calling, agent memory, context window, hallucinations. Measuring quality → ai-evaluation; model serving/inference infra → ml-model-deployment.",
167
+ "path": "llm-app-engineering/SKILL.md"
168
+ },
109
169
  {
110
170
  "name": "metrics-and-okrs",
111
171
  "description": "Define OKRs, KPIs, success metrics, and engineering health metrics (DORA). Triggers: OKR, KPI, metrics, success metrics, key results, objectives, measure success, DORA metrics, engineering metrics, velocity, cycle time, deployment frequency, how do we measure, what should we track.",
@@ -113,7 +173,7 @@
113
173
  },
114
174
  {
115
175
  "name": "ml-experiment-tracking",
116
- "description": "Design reproducible ML experiments — tracking, versioning, run comparison with MLflow, W&B, or DVC. Triggers: experiment tracking, MLflow, wandb, weights and biases, DVC, track experiments, compare models, hyperparameter, reproducibility, model registry, which model is better, experiment results, log metrics.",
176
+ "description": "Design reproducible ML experiments — tracking, versioning, run comparison with MLflow, W&B, or DVC. Triggers: experiment tracking, MLflow, wandb, weights and biases, DVC, track experiments, compare models, hyperparameter, reproducibility, model registry, which model is better, experiment results, log metrics. Defining WHAT to measure (metrics, golden datasets, judges) → ai-evaluation; this skill records and compares the runs.",
117
177
  "path": "ml-experiment-tracking/SKILL.md"
118
178
  },
119
179
  {
@@ -123,9 +183,24 @@
123
183
  },
124
184
  {
125
185
  "name": "ml-pipeline-design",
126
- "description": "Design reproducible ML training and data pipelines — ingestion, validation, feature engineering, training, evaluation, continuous training orchestration. Triggers: training pipeline, data pipeline, feature engineering, ETL for ML, continuous training, data validation, feature store, preprocessing, notebook to pipeline, orchestrate training, Airflow, Kubeflow, pipeline DAG.",
186
+ "description": "Design reproducible ML training and data pipelines — ingestion, validation, feature engineering, training, evaluation, continuous training orchestration. Analytics/BI ELT and dbt warehouse pipelines → data-pipeline-design; refactoring general analysis/reporting notebooks (no model training) to production code → notebook-to-production. Triggers: training pipeline, ML data pipeline, feature engineering, ETL for ML, continuous training, data validation, feature store, preprocessing, notebook to training pipeline, orchestrate training, Kubeflow, pipeline DAG, point-in-time features.",
127
187
  "path": "ml-pipeline-design/SKILL.md"
128
188
  },
189
+ {
190
+ "name": "mobile-architecture",
191
+ "description": "Design mobile app architecture — native (Swift/Kotlin) vs cross-platform (React Native/Flutter) selection, navigation and deep linking, state management, offline-first design and data sync, local persistence, push notifications, platform constraints (background work, battery, permissions). Triggers: mobile app architecture, iOS app, Android app, React Native or Flutter, offline first, data sync, mobile state management, deep linking, push notifications, app structure. Web SPA component architecture → frontend-architecture.",
192
+ "path": "mobile-architecture/SKILL.md"
193
+ },
194
+ {
195
+ "name": "mobile-release",
196
+ "description": "Ship mobile apps through the app stores — signing and provisioning, store review and rejection handling, phased/staged rollouts with halt criteria, crash monitoring, versioning and build numbers, beta channels (TestFlight, Play tracks), forced updates, and the no-instant-rollback reality of mobile. Triggers: app store release, publish to App Store, Play Store, TestFlight, staged rollout, app review rejected, code signing, provisioning profile, mobile release, hotfix a mobile bug. General semver/registry/library publishing → release-management.",
197
+ "path": "mobile-release/SKILL.md"
198
+ },
199
+ {
200
+ "name": "notebook-to-production",
201
+ "description": "Refactor analysis notebooks into production-grade code — triage what deserves productionizing, extract modules with tests, parameterize hardcoded values, pin environments for reproducibility, and schedule unattended runs with alerting. Owns general analysis/reporting notebooks; notebooks that feed model TRAINING (feature engineering + training DAGs, scheduled retraining) → ml-pipeline-design. Triggers: productionize this notebook, notebook to script, notebook to module, refactor my notebook, parameterize notebook, papermill, schedule this analysis, reproducible analysis, notebook is a mess.",
202
+ "path": "notebook-to-production/SKILL.md"
203
+ },
129
204
  {
130
205
  "name": "observability-design",
131
206
  "description": "Design production observability — SLIs, SLOs, SLAs, error budgets, OpenTelemetry traces/metrics/logs, structured logging, alerting, dashboards. Triggers: SLO, SLI, SLA, error budget, observability, monitoring, OpenTelemetry, OTel, tracing, distributed tracing, structured logging, alerting, dashboard, metrics, correlation ID, alert fatigue.",
@@ -136,6 +211,11 @@
136
211
  "description": "Identify and resolve performance bottlenecks via static analysis — N+1 queries, algorithmic complexity, query optimization, caching, memory leaks, bundle size, connection management. Triggers: this is slow, optimize, performance, N+1, query optimization, caching, bundle size, memory leak, latency, response time, scale, bottleneck.",
137
212
  "path": "performance-optimization/SKILL.md"
138
213
  },
214
+ {
215
+ "name": "plan-execution",
216
+ "description": "Execute an already-approved plan with discipline — batch tasks into verifiable checkpoints, verify each with fresh evidence before marking it done, log drift, and stop to re-plan when reality diverges from the plan's assumptions. Triggers: execute the plan, implement the approved plan, work through this plan, continue/resume the plan, next phase, checkpoint. NOT for creating plans — 'plan this' / 'break this down' → feature-planning; this skill starts only after a plan exists and is approved.",
217
+ "path": "plan-execution/SKILL.md"
218
+ },
139
219
  {
140
220
  "name": "prd-writing",
141
221
  "description": "Write lightweight agile PRDs and technical RFCs that align stakeholders before implementation. Triggers: PRD, product requirements, RFC, request for comments, technical design doc, design document, tech spec, write requirements, what are we building, spec this out. Produces the WHAT and WHY — feature-planning handles HOW.",
@@ -153,7 +233,7 @@
153
233
  },
154
234
  {
155
235
  "name": "project-review",
156
- "description": "Review a built project's execution health before a milestone — scope alignment, roadmap / execution-plan adherence, implementation maturity (what's production-ready vs stub/deferred), and the evidence it actually works (tests, coverage, validation results, changelog). Triggers: project review, execution review, are we on track, implementation vs roadmap, scope drift, readiness review, what's actually built, validation results review, pre-launch review. Use strategic-review for vision/positioning/market; technical-debt-review for a pure code-health audit.",
236
+ "description": "Review a built project's execution health before a milestone — scope alignment, roadmap / execution-plan adherence, implementation maturity (what's production-ready vs stub/deferred), and the evidence it actually works (tests, coverage, validation results, changelog). Use strategic-review for vision/positioning/market; technical-debt-review for a pure code-health audit. Triggers: project review, execution review, are we on track, implementation vs roadmap, scope drift, readiness review, what's actually built, validation results review, pre-launch review.",
157
237
  "path": "project-review/SKILL.md"
158
238
  },
159
239
  {
@@ -161,6 +241,16 @@
161
241
  "description": "Systematic code improvement via design principles, smell detection, and safe transformation patterns. Triggers: refactor this, clean this up, simplify this code, reduce complexity, extract this, this code is messy, tech debt, improve this code, code smell, rename, extract function, dead code.",
162
242
  "path": "refactoring/SKILL.md"
163
243
  },
244
+ {
245
+ "name": "release-management",
246
+ "description": "Cut and publish software releases right-sized to the project — semver decisions, changelogs, tagging, automated version bumps (release-please, changesets, semantic-release), publishing gates, npm/PyPI/container registry publishing, pre-release channels, monorepo versioning. Triggers: cut a release, release this, publish to npm, publish to PyPI, publish this package, version bump, what version should this be, semver, changelog, tag a release, release notes, GitHub release, prerelease, release automation, release PR. Deploy-time safety → deployment-checklist; commit/PR hygiene → git-workflow.",
247
+ "path": "release-management/SKILL.md"
248
+ },
249
+ {
250
+ "name": "resilience-engineering",
251
+ "description": "Design systems that survive failure — failure-mode analysis, resilience patterns (timeouts, retries with backoff, circuit breakers, bulkheads, load shedding, graceful degradation), chaos experiments, disaster recovery with RTO/RPO, backup restore testing, game days. Triggers: chaos engineering, disaster recovery, DR plan, what if the database goes down, single point of failure, failover, circuit breaker, RTO, RPO, game day, high availability. An incident happening NOW → incident-response; undoing a bad deploy → rollback-strategy.",
252
+ "path": "resilience-engineering/SKILL.md"
253
+ },
164
254
  {
165
255
  "name": "retrospective",
166
256
  "description": "Facilitate sprint retros, project post-mortems, and incident post-mortems with actionable, owned improvements. Triggers: retrospective, retro, post-mortem, postmortem, lessons learned, what went wrong, what went well, incident review, blameless, action items, sprint review, after action review.",
@@ -173,19 +263,29 @@
173
263
  },
174
264
  {
175
265
  "name": "security-audit",
176
- "description": "Comprehensive security analysis — OWASP Top 10, auth/authz flows, injection vulnerabilities, data exposure, secrets detection, dependency CVEs, hardening recommendations. Triggers: security audit, vulnerability, is this secure, security review, pentest prep, OWASP, harden this, check for vulnerabilities, injection, XSS, CSRF, auth security.",
266
+ "description": "Comprehensive security analysis — OWASP Top 10, auth/authz flows, injection vulnerabilities, data exposure, secrets detection, dependency CVEs, hardening recommendations. Reviews EXISTING code/config — design-time analysis of a system not yet built → threat-modeling. Triggers: security audit, vulnerability, is this secure, security review, pentest prep, OWASP, harden this, check for vulnerabilities, injection, XSS, CSRF, auth security.",
177
267
  "path": "security-audit/SKILL.md"
178
268
  },
179
269
  {
180
270
  "name": "skill-router",
181
- "description": "Orchestrator and entry point for the swe-workflow skills library — consult FIRST when starting any non-trivial software task; most skills load name-only and only activate when invoked here. Triggers: starting a feature, planning, an architecture or design decision, implementing, debugging, reviewing, refactoring, testing, security, deployment, an incident, shipping, or unsure which skill fits. Routes intent to the right skill(s) and invokes them by name; shows the Golden Path chains.",
271
+ "description": "Orchestrator and entry point for the swe-workflow skills library — consult FIRST when starting any non-trivial software task; most skills load name-only and only activate when invoked here. Routes intent to the right skill(s) and invokes them by name; shows the Golden Path chains. Triggers: starting a feature, planning, an architecture or design decision, implementing, debugging, reviewing, refactoring, testing, security, deployment, an incident, shipping, or unsure which skill fits.",
182
272
  "path": "skill-router/SKILL.md"
183
273
  },
274
+ {
275
+ "name": "statistical-analysis",
276
+ "description": "Design and analyze experiments and statistical tests — test selection with stated assumptions, sample size and power, effect sizes and confidence intervals over bare p-values, and pitfall discipline (multiple comparisons, p-hacking, peeking/optional stopping). Owns experiment statistics generally; live A/B evaluation of AI/LLM apps (quality metrics, judges, feedback) → ai-evaluation. Triggers: hypothesis test, t-test, chi-square, p-value, statistical significance, confidence interval, sample size, power analysis, design an experiment, A/B test, multiple comparisons, is this difference real.",
277
+ "path": "statistical-analysis/SKILL.md"
278
+ },
184
279
  {
185
280
  "name": "strategic-review",
186
- "description": "Review a project's strategic position before going public, launching, or raising — vision, mission, value proposition, scope positioning, the defensible wedge, and a live competitive / market comparative analysis. Triggers: strategic review, positioning, go public, go-to-market, market analysis, competitive landscape, value proposition, is there a moat, who are our competitors, platform absorption risk, market positioning, comparable products. Use project-review for execution/roadmap/implementation health; delegates deep market scans to deep-research.",
281
+ "description": "Review a project's strategic position before going public, launching, or raising — vision, mission, value proposition, scope positioning, the defensible wedge, and a live competitive / market comparative analysis. Use project-review for execution/roadmap/implementation health; delegates deep market scans to deep-research. Triggers: strategic review, positioning, go public, go-to-market, market analysis, competitive landscape, value proposition, is there a moat, who are our competitors, platform absorption risk, market positioning, comparable products.",
187
282
  "path": "strategic-review/SKILL.md"
188
283
  },
284
+ {
285
+ "name": "subagent-orchestration",
286
+ "description": "Decompose big or parallelizable work across subagents — when to fan out vs stay solo, scoping self-contained sub-tasks, prompting agents that don't share your context, isolating parallel edits (git worktrees), skeptically verifying and synthesizing results you didn't produce. Triggers: use subagents, parallelize this, fan out, orchestrate agents, multi-agent, spawn agents, worktree, delegate to agents, split this across agents, agent team. Sequencing checkpoints of an approved plan → plan-execution (orchestration parallelizes within its batches).",
287
+ "path": "subagent-orchestration/SKILL.md"
288
+ },
189
289
  {
190
290
  "name": "tdd-workflow",
191
291
  "description": "Guide test-driven development with red-green-refactor. Triggers: use tdd, test first, write the tests, red green refactor, test-driven, what should I test, write tests before code, failing test, implement using TDD. For NEW code via test-first — use test-suite-design for adding tests to existing code.",
@@ -206,6 +306,11 @@
206
306
  "description": "Design comprehensive test suites for existing code — strategy across unit/integration/e2e, fixtures, factories, helpers. Triggers: add tests, write tests for, increase coverage, test this module, testing strategy, test plan, what tests do I need, test infrastructure, test helpers, this has no tests. Not for TDD — use tdd-workflow.",
207
307
  "path": "test-suite-design/SKILL.md"
208
308
  },
309
+ {
310
+ "name": "threat-modeling",
311
+ "description": "Design-time security analysis of a system or feature before it's built — trust boundaries, attack surface, STRIDE per element, abuse cases, prioritized mitigations that become security requirements. Triggers: threat model, STRIDE, trust boundary, attack surface, what could go wrong security-wise, security design review, abuse case, secure this design, security requirements. Reviewing EXISTING code/config for vulnerabilities → security-audit; use this skill while the design is still on the whiteboard.",
312
+ "path": "threat-modeling/SKILL.md"
313
+ },
209
314
  {
210
315
  "name": "ui-ux-design",
211
316
  "description": "Design user experiences from an engineer's perspective — user flows, wireframes, interaction patterns, responsive strategy, navigation, loading/error/empty states. Triggers: design the UI, user flow, wireframe, how should this screen look, loading state, error state, empty state, responsive design, navigation, page layout, form design, mockup.",
package/commands/role.md CHANGED
@@ -8,10 +8,21 @@ disable-model-invocation: true
8
8
 
9
9
  The user is managing the active swe-workflow skill role. The requested role argument is: `$ARGUMENTS`
10
10
 
11
- Run this script exactly once via Bash, then report the result to the user concisely (the new active role, and that the change hot-reloads so it applies to the next prompt):
11
+ **Validate the argument before running anything.** It must be empty or match
12
+ `^[a-z0-9_-]{1,32}$` (role keys are short kebab-case names). If it does not match —
13
+ any spaces, quotes, `$`, backticks, slashes, or other characters — do NOT run the
14
+ script below with it: reply that the role name is invalid and show the available
15
+ roles by running only `node "@@RESOLVE@@" roles` (with `ROLES_JSON="@@ROLES@@"`
16
+ exported).
17
+
18
+ If the argument is valid, run this script exactly once via Bash, replacing
19
+ `__ROLE__` with the validated argument (or with nothing when no argument was
20
+ given), then report the result to the user concisely (the new active role, and
21
+ that the change hot-reloads so it applies to the next prompt):
12
22
 
13
23
  ```bash
14
- ROLE="$ARGUMENTS"
24
+ ROLE="__ROLE__"
25
+ case "$ROLE" in *[!a-zA-Z0-9_-]*) echo "invalid role name" >&2; exit 1;; esac
15
26
  RESOLVE="@@RESOLVE@@"; SKILLS="@@SKILLS@@"; SETTINGS="@@SETTINGS@@"
16
27
  ROLES="@@ROLES@@"; ACTIVE="@@ACTIVE_ROLE@@"
17
28
  export ROLES_JSON="$ROLES"
@@ -32,3 +43,4 @@ fi
32
43
  Notes:
33
44
  - `skillOverrides` and the skill listing hot-reload when `settings.local.json` changes, so the new auto-trigger set takes effect on the next prompt without a restart.
34
45
  - This command is for the full (all-skills) CLI install. Hard-subset (`--role`) installs and the per-role marketplace plugins don't need it.
46
+ - Security: the script deliberately never embeds `$ARGUMENTS` directly (slash-command templates interpolate it as text, so a crafted argument would execute in the shell). The value reaches the script only via the validated `__ROLE__` transfer above; the in-script `case` guard is defense-in-depth.
package/install.mjs CHANGED
@@ -161,6 +161,17 @@ if (role) {
161
161
  }
162
162
  }
163
163
 
164
+ // Positional args must be exact skill names, never paths: a traversal like
165
+ // `install.mjs ../..` would pass the isDir guard below and the clean-copy rmSync
166
+ // would then delete outside the destination. Reject before touching anything.
167
+ if (selected.length > 0) {
168
+ const known = new Set(listSkillDirs());
169
+ const bad = selected.filter((s) => !known.has(s));
170
+ if (bad.length > 0) {
171
+ fatal(`unknown skill(s): ${bad.join(", ")}. Run 'install.mjs --list' to see skills.`);
172
+ }
173
+ }
174
+
164
175
  // ---- resolve destination ---------------------------------------------------
165
176
 
166
177
  let claudeDir;
@@ -298,15 +309,24 @@ function copyIfExists(src, destPath) {
298
309
  if (existsSync(src)) cpSync(src, destPath);
299
310
  }
300
311
 
301
- // The SessionStart block to merge into settings.json. JSON.stringify keeps the path
302
- // correctly escaped on every OS (Windows backslashes included).
312
+ // Double-quote a path for the POSIX shell that runs the hook command, escaping the
313
+ // chars that stay active inside double quotes (\ $ ` "). Without the $/` escapes, a
314
+ // config path containing e.g. `$(cmd)` would run that command substitution at every
315
+ // session start. For \ and " this produces exactly what JSON.stringify used to (so
316
+ // Windows paths render unchanged); cmd.exe keeps the backslash before $/`, but paths
317
+ // with those chars are effectively POSIX-only.
318
+ function shellQuote(p) {
319
+ return '"' + p.replace(/[\\$`"]/g, (c) => "\\" + c) + '"';
320
+ }
321
+
322
+ // The SessionStart block to merge into settings.json.
303
323
  function hookSnippet(path) {
304
324
  const block = {
305
325
  hooks: {
306
326
  SessionStart: [
307
327
  {
308
328
  matcher: "startup|resume|clear|compact",
309
- hooks: [{ type: "command", command: `node ${JSON.stringify(path)}` }],
329
+ hooks: [{ type: "command", command: `node ${shellQuote(path)}` }],
310
330
  },
311
331
  ],
312
332
  },
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "swe-workflow-skills",
3
- "version": "0.1.0",
4
- "description": "A curated library of 44 Claude Code Agent Skills for the software lifecycle, with orchestrator-routed activation that scales past the skill-listing budget.",
3
+ "version": "0.3.0",
4
+ "description": "A curated library of Claude Code Agent Skills covering the full software lifecycle, with orchestrator-routed activation that scales past the skill-listing budget.",
5
5
  "type": "module",
6
6
  "bin": {
7
7
  "swe-workflow-skills": "bin/cli.mjs"