swe-workflow-skills 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (74) hide show
  1. package/README.md +58 -17
  2. package/VERSION +1 -1
  3. package/catalog.json +113 -8
  4. package/commands/role.md +14 -2
  5. package/install.mjs +23 -3
  6. package/package.json +2 -2
  7. package/roles.json +72 -7
  8. package/scripts/resolve.mjs +8 -3
  9. package/skills/ai-evaluation/SKILL.md +112 -0
  10. package/skills/ai-evaluation/evals/evals.json +40 -0
  11. package/skills/ai-evaluation/references/eval-tooling.md +63 -0
  12. package/skills/architecture-design/SKILL.md +3 -1
  13. package/skills/brainstorming/SKILL.md +92 -0
  14. package/skills/brainstorming/evals/evals.json +40 -0
  15. package/skills/browser-verification/SKILL.md +95 -0
  16. package/skills/browser-verification/evals/evals.json +40 -0
  17. package/skills/build-vs-buy/SKILL.md +109 -0
  18. package/skills/build-vs-buy/evals/evals.json +40 -0
  19. package/skills/cicd-pipeline/SKILL.md +1 -0
  20. package/skills/code-archaeology/SKILL.md +103 -0
  21. package/skills/code-archaeology/evals/evals.json +41 -0
  22. package/skills/code-reviewing/SKILL.md +13 -3
  23. package/skills/compliance-privacy/SKILL.md +113 -0
  24. package/skills/compliance-privacy/evals/evals.json +41 -0
  25. package/skills/compliance-privacy/references/obligations-map.md +69 -0
  26. package/skills/data-pipeline-design/SKILL.md +116 -0
  27. package/skills/data-pipeline-design/evals/evals.json +41 -0
  28. package/skills/data-pipeline-design/references/orchestration.md +64 -0
  29. package/skills/data-quality/SKILL.md +107 -0
  30. package/skills/data-quality/evals/evals.json +39 -0
  31. package/skills/data-quality/references/tooling.md +45 -0
  32. package/skills/deployment-checklist/SKILL.md +2 -1
  33. package/skills/dx-audit/SKILL.md +97 -0
  34. package/skills/dx-audit/evals/evals.json +40 -0
  35. package/skills/effort-estimation/SKILL.md +24 -67
  36. package/skills/exploratory-data-analysis/SKILL.md +110 -0
  37. package/skills/exploratory-data-analysis/evals/evals.json +43 -0
  38. package/skills/feature-planning/SKILL.md +5 -1
  39. package/skills/finops-cost-optimization/SKILL.md +109 -0
  40. package/skills/finops-cost-optimization/evals/evals.json +40 -0
  41. package/skills/git-workflow/SKILL.md +31 -14
  42. package/skills/llm-app-engineering/SKILL.md +102 -0
  43. package/skills/llm-app-engineering/evals/evals.json +40 -0
  44. package/skills/llm-app-engineering/references/patterns.md +70 -0
  45. package/skills/ml-experiment-tracking/SKILL.md +1 -1
  46. package/skills/ml-pipeline-design/SKILL.md +8 -2
  47. package/skills/ml-pipeline-design/evals/evals.json +10 -0
  48. package/skills/mobile-architecture/SKILL.md +106 -0
  49. package/skills/mobile-architecture/evals/evals.json +40 -0
  50. package/skills/mobile-release/SKILL.md +109 -0
  51. package/skills/mobile-release/evals/evals.json +41 -0
  52. package/skills/notebook-to-production/SKILL.md +89 -0
  53. package/skills/notebook-to-production/evals/evals.json +42 -0
  54. package/skills/plan-execution/SKILL.md +115 -0
  55. package/skills/plan-execution/evals/evals.json +55 -0
  56. package/skills/project-documentation/SKILL.md +8 -1
  57. package/skills/project-review/SKILL.md +13 -3
  58. package/skills/release-management/SKILL.md +97 -0
  59. package/skills/release-management/evals/evals.json +56 -0
  60. package/skills/release-management/references/release-tooling.md +106 -0
  61. package/skills/resilience-engineering/SKILL.md +121 -0
  62. package/skills/resilience-engineering/evals/evals.json +40 -0
  63. package/skills/security-audit/SKILL.md +14 -3
  64. package/skills/skill-router/SKILL.md +57 -4
  65. package/skills/statistical-analysis/SKILL.md +93 -0
  66. package/skills/statistical-analysis/evals/evals.json +43 -0
  67. package/skills/strategic-review/SKILL.md +16 -2
  68. package/skills/subagent-orchestration/SKILL.md +100 -0
  69. package/skills/subagent-orchestration/evals/evals.json +40 -0
  70. package/skills/technical-debt-review/SKILL.md +12 -2
  71. package/skills/threat-modeling/SKILL.md +101 -0
  72. package/skills/threat-modeling/evals/evals.json +40 -0
  73. package/skills/threat-modeling/references/stride-mitigations.md +90 -0
  74. package/skills/writing-skills/SKILL.md +48 -16
@@ -0,0 +1,40 @@
1
+ {
2
+ "skill_name": "browser-verification",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "I just finished implementing the new signup form (client validation + POST to /api/users + success toast). Unit tests pass. Can you verify it actually works in the browser before I open the PR?",
7
+ "expected_output": "Defines the proving flow (fill form → submit → 201 → toast → user exists), runs the real stack with seeded/realistic state, drives the flow interactively (typing, submitting — not just loading the page), watches console errors, network requests (endpoint, payload, status), and UI state, exercises validation errors and double-submit, and reports with evidence (screenshots, zero-console-errors statement, observed network results) rather than 'looks good'",
8
+ "assertions": [
9
+ "Defines the user-visible flow that proves the change (form fill → submit → success), not just that the page loads",
10
+ "Runs the actual app stack with realistic state and drives the flow interactively — typing into fields and submitting, via automation or manual clicking",
11
+ "Checks all three evidence channels: console errors, network requests (endpoint/payload/status), and the rendered UI outcome",
12
+ "Exercises non-happy paths relevant to the change, such as validation errors and double-submit or backend failure",
13
+ "Reports in evidence terms — screenshots and observed results (e.g. 'POST /api/users returned 201, toast rendered, zero console errors') — before declaring it works"
14
+ ]
15
+ },
16
+ {
17
+ "id": 2,
18
+ "prompt": "QA says the orders dashboard 'sometimes shows nothing' but every time I open it, it looks fine and there are no errors in our logs. Verify whether the page is actually broken.",
19
+ "expected_output": "Recognizes 'works on my visit' isn't verification of the failure condition: reproduces the states where lists show nothing — empty data, slow API (throttled loading state), failed request (5xx/CORS with the error swallowed client-side), auth/role differences, race on refresh/back — while watching the browser console and network tab (server logs won't show client-side failures), and either reproduces it with evidence or reports precisely which states were exercised and ruled out",
20
+ "assertions": [
21
+ "Recognizes that the page rendering fine on one visit does not rule out state-dependent failure, and enumerates candidate states: empty data, slow/failed API responses, auth/role differences, or refresh/back races",
22
+ "Uses browser-side evidence (console, network tab) explicitly noting that server logs miss client-side failures like swallowed errors or CORS",
23
+ "Manipulates state to reproduce — seeding empty data, throttling, or forcing API failure — rather than only reloading the page",
24
+ "Checks the loading and empty states specifically (infinite spinner or blank-on-empty are classic 'shows nothing' causes)",
25
+ "Concludes with evidence: either a reproduced failure with its trigger, or a precise list of exercised-and-passing states — not 'seems fine'"
26
+ ]
27
+ },
28
+ {
29
+ "id": 3,
30
+ "prompt": "We need proper automated e2e coverage for our whole checkout funnel — browse, cart, payment, confirmation — running in CI on every PR. Set up the test strategy.",
31
+ "expected_output": "Recognizes this as designing a persistent automated test suite — refers to test-suite-design for the e2e strategy/infrastructure (and cicd-pipeline for the CI wiring), stating the boundary: browser-verification is the one-off evidence pass on the change in front of you; persistent suites are test-suite-design's domain",
32
+ "assertions": [
33
+ "Recognizes the request as persistent automated e2e suite design, not a one-off verification pass",
34
+ "Refers to the test-suite-design skill for the suite strategy (optionally cicd-pipeline for CI integration)",
35
+ "Does not respond with a single manual/ad-hoc browser verification session as the answer",
36
+ "States or implies the boundary: browser-verification verifies the change at hand; test-suite-design builds the lasting coverage"
37
+ ]
38
+ }
39
+ ]
40
+ }
@@ -0,0 +1,109 @@
1
+ ---
2
+ name: build-vs-buy
3
+ description: "Decide whether to build in-house, buy a vendor/SaaS product, or adopt OSS — core-vs-commodity framing, multi-year total cost of ownership, integration and maintenance burden, vendor viability, lock-in and exit costs. Triggers: build vs buy, build or buy, vendor evaluation, SaaS vs in-house, should we adopt this open source, TCO, total cost of ownership, lock-in, exit cost, make or buy, off the shelf. Internal-structure decisions (patterns, service boundaries, ADRs for your own code) → architecture-design."
4
+ model: opus
5
+ allowed-tools: Read, Grep, Glob, Write, Edit, WebFetch, WebSearch
6
+ ---
7
+
8
+ # Build vs Buy
9
+
10
+ Make the build/buy/adopt decision on total cost and strategic fit, not on
11
+ whichever option the room already favors. The two systematic errors this skill
12
+ exists to counter: engineers underestimate the *ongoing* cost of building
13
+ (maintenance routinely exceeds the initial build within a few years), and
14
+ everyone underestimates the *exit* cost of buying (discovered only when
15
+ leaving). Boundary: this skill decides whether the capability comes from
16
+ outside; how you structure your own code is `architecture-design`'s ADR
17
+ territory, and vetting an individual library is `dependency-management`.
18
+
19
+ ## Workflow
20
+
21
+ ### Step 1: Frame the Capability — Core or Commodity?
22
+
23
+ Name the capability precisely, then ask the question that dominates the whole
24
+ decision: **does doing this better than anyone else win you customers?** If yes
25
+ (core differentiator), building earns strategic control; if it's commodity
26
+ plumbing (auth, feature flags, payments, analytics infra, CRUD admin), every
27
+ engineer-month spent building it is a month not spent on what differentiates
28
+ you. Then split requirements into *must-have* and *nice-to-have* — a vendor
29
+ covering 90% of must-haves usually beats a build covering 100% of a wishlist.
30
+
31
+ ### Step 2: Inventory the Real Options
32
+
33
+ There are usually more than two:
34
+
35
+ - **Build** in-house
36
+ - **Buy** a vendor/SaaS product
37
+ - **Adopt** OSS self-hosted (you're not buying — you're taking an operations job)
38
+ - **Hybrid** — buy/adopt the commodity core, build the thin differentiating layer
39
+ - **Defer** — do nothing yet; a legitimate option when the need is unproven
40
+
41
+ Verify current facts (pricing, licensing, maintenance status) with live sources
42
+ — vendor pricing pages and OSS repos, not memory.
43
+
44
+ ### Step 3: TCO Over 3 Years — Not the Sticker Price
45
+
46
+ Cost each finalist over a 3-year horizon; year-1 comparisons systematically
47
+ favor building (the build cost is visible, the ownership cost isn't):
48
+
49
+ - **Build**: initial engineering + **ongoing ownership** (maintenance, on-call,
50
+ security patching, feature parity as needs grow — commonly comparable to the
51
+ initial build per year for actively-used systems) + **opportunity cost** (what
52
+ those engineers would otherwise ship — usually the largest and least-counted line).
53
+ - **Buy**: subscription *at projected usage*, not today's (model the pricing
54
+ curve at 3× growth — usage-based pricing is where vendors recover their
55
+ discounts) + integration + admin.
56
+ - **Adopt (OSS)**: hosting + operations + upgrades + security response + the
57
+ expertise to run it; "free" describes the license, not the ownership.
58
+ - **Everyone forgets**: migration of existing data/flows, training, compliance
59
+ and security review, vendor management overhead.
60
+
61
+ ### Step 4: Risk — Lock-in, Exit, and Viability
62
+
63
+ Write the **exit plan now**, while you have leverage — the exit cost you can't
64
+ estimate is the one that traps you:
65
+
66
+ - What does leaving take? Data export (format? completeness? egress fees?),
67
+ proprietary APIs/features you'd re-implement, contract terms (lock-in period,
68
+ auto-renewal, price-increase caps).
69
+ - **Vendor viability**: funding/profitability, roadmap alignment, acquisition
70
+ risk, what happens to your data if they fold.
71
+ - **OSS health**: maintainer bus factor, release cadence, CVE responsiveness,
72
+ license (copyleft implications, and watch relicensing-to-source-available
73
+ history in the space) — delegate a deep package-level check to `dependency-management`.
74
+ - **Build risk** is real too: key-person dependency, and the "internal vendor"
75
+ failure mode — a team obligated to maintain a product nobody funds.
76
+
77
+ ### Step 5: Decide and Record
78
+
79
+ Score the finalists in a weighted matrix — criteria and weights fixed *before*
80
+ scoring (after, the matrix just rationalizes the favorite). State a clear
81
+ recommendation with the dominant reasons, name the runner-up and what would
82
+ have flipped the decision, and set a **revisit trigger** ("revisit if usage
83
+ exceeds X / pricing changes >Y% / the maintainer goes dark"). Record it like an
84
+ ADR — decision, context, alternatives, consequences — so the next team
85
+ understands *why*, not just *what*.
86
+
87
+ ### Step 6: De-risk Before Committing
88
+
89
+ For close calls or large commitments, run a time-boxed pilot against your top
90
+ must-haves and your real data volumes before signing multi-year terms or
91
+ staffing a build. A two-week PoC is the cheapest insurance in this workflow —
92
+ and pilot the *exit* too (run the data export once and look at what comes out).
93
+
94
+ ## Principles Applied
95
+
96
+ - **Commodity → buy bias; differentiator → build bias** — most wrong decisions
97
+ invert this because building is more fun than integrating.
98
+ - **Compare TCO, not sticker price** — the build's cost is mostly after launch;
99
+ the vendor's is mostly at renewal and exit.
100
+ - **A decision without a revisit trigger is dogma** — pricing, vendors, and
101
+ your scale all change.
102
+
103
+ ## Cross-Skill References
104
+
105
+ - `architecture-design` — internal-structure decisions and the ADR format
106
+ - `dependency-management` — deep evaluation of a specific library/package
107
+ - `project-proposal` — wrap the decision in a business case for approval
108
+ - `effort-estimation` — sizing the build option honestly
109
+ - `strategic-review` — when the decision touches positioning or the moat
@@ -0,0 +1,40 @@
1
+ {
2
+ "skill_name": "build-vs-buy",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "We need feature flags for our product (SaaS, ~15 engineers, growing fast). Should we build our own flag service, buy LaunchDarkly, or self-host an open-source option like Unleash? Help me decide.",
7
+ "expected_output": "Frames feature flags as commodity infrastructure (core-vs-differentiator test), compares all three options on a multi-year TCO including ongoing ownership for build, projected-usage pricing for buy, and operations burden for self-hosted OSS, examines lock-in and exit costs plus vendor/OSS health, and lands on a clear recommendation recorded like an ADR with a revisit trigger",
8
+ "assertions": [
9
+ "Applies the core-vs-commodity framing — asks or determines whether feature flags differentiate this product (they don't) and lets that bias the decision",
10
+ "Compares build, buy, and OSS-adopt on total cost of ownership over a multi-year horizon, including ongoing maintenance/ownership for build and operations burden for self-hosted OSS — not just sticker price",
11
+ "Models the buy option at projected usage/growth, not only today's seat or flag count",
12
+ "Addresses lock-in and exit costs (data/config export, proprietary features, contract terms) and vendor or OSS project health",
13
+ "Concludes with a clear recommendation, the runner-up and what would flip it, and a revisit trigger — recorded in an ADR-like decision format"
14
+ ]
15
+ },
16
+ {
17
+ "id": 2,
18
+ "prompt": "Our data team already spent two quarters building about 60% of an in-house analytics pipeline (ingestion works, transformation layer is half done). Meanwhile Fivetran + Snowflake + dbt Cloud would cover everything we planned for roughly $8k/month. Do we finish the build or switch? Leadership hates the idea of throwing away six months of work.",
19
+ "expected_output": "Treats the six months as sunk cost and evaluates only forward-looking costs: remaining build effort plus perpetual ownership (maintenance, on-call, feature parity) and the team's opportunity cost, versus migration effort plus the subscription at projected data volumes — including the vendor stack's lock-in/exit profile — and gives a clear recommendation with reasoning rather than an 'it depends' hedge",
20
+ "assertions": [
21
+ "Explicitly identifies the completed 60% as sunk cost and excludes it from the forward-looking comparison",
22
+ "Compares remaining-build-plus-ongoing-ownership cost (maintenance, on-call, opportunity cost of the data team) against migration-plus-subscription cost",
23
+ "Models the managed stack's subscription at projected data growth and examines its lock-in and exit costs, not just the $8k/month figure",
24
+ "Considers what the team would work on instead (opportunity cost) as a first-class factor in the decision",
25
+ "Delivers a clear, justified recommendation with a revisit trigger instead of an evasive 'it depends'"
26
+ ]
27
+ },
28
+ {
29
+ "id": 3,
30
+ "prompt": "Should our order service use event sourcing or a plain CRUD model, and is it time to split it out of the monolith into its own microservice?",
31
+ "expected_output": "Recognizes these as internal-structure architectural decisions about the team's own code — pattern choice and service boundaries — and refers to architecture-design for an ADR-driven trade-off analysis, without running a vendor/TCO evaluation",
32
+ "assertions": [
33
+ "Recognizes the request as internal architecture (pattern choice, service boundaries), not a build/buy/adopt sourcing decision",
34
+ "Refers to the architecture-design skill and its ADR workflow for the decision",
35
+ "Does not produce a vendor evaluation, TCO analysis, or lock-in assessment for this request",
36
+ "States or implies the boundary: build-vs-buy decides where a capability comes from; architecture-design decides how your own system is structured"
37
+ ]
38
+ }
39
+ ]
40
+ }
@@ -83,5 +83,6 @@ Quality gates prevent bad code from advancing:
83
83
  - `deployment-repo` — for multi-service systems, the deployment repo handles system-level CI (contract tests, E2E, promotion)
84
84
  - `gitops-delivery` — pull-based delivery as an alternative to CI-driven `kubectl apply` / `helm upgrade`
85
85
  - `deployment-checklist` — pre-deployment verification gates to incorporate into the pipeline
86
+ - `release-management` — the release stage itself: version bumps, changelog, tagging, publish gates, registry publishing (the pipeline automates what that skill decides)
86
87
  - `security-audit` — security scanning stages and SAST/DAST integration
87
88
  - `verification-before-completion` — run the proving commands locally before relying on the pipeline to catch failures
@@ -0,0 +1,103 @@
1
+ ---
2
+ name: code-archaeology
3
+ description: "Understand unfamiliar or legacy code before changing it — map entry points, mine git history (blame, churn, log -S), trace data flow, recover the why behind odd code, pin current behavior with characterization tests, find seams for safe change. Triggers: understand this codebase, legacy code, inherited this project, what does this code do, why is it written this way, nobody knows how this works, onboard to this repo, is it safe to change this. Prioritizing debt → technical-debt-review; improving code you already understand → refactoring."
4
+ model: sonnet
5
+ allowed-tools: Read, Grep, Glob, Write, Edit, Bash
6
+ ---
7
+
8
+ # Code Archaeology
9
+
10
+ Build a working model of code nobody fully understands — *before* changing it.
11
+ The cardinal rule: **the code is the way it is for reasons; find them before
12
+ overriding them.** Chesterton's fence applies — weird code is usually a bug fix
13
+ whose bug report is lost, and "cleaning it up" reintroduces the bug. Boundary
14
+ with siblings: `technical-debt-review` assesses and prioritizes what to fix;
15
+ `refactoring` improves code you already understand; this skill produces the
16
+ understanding both depend on.
17
+
18
+ ## Workflow
19
+
20
+ ### Step 1: Survey Before Digging
21
+
22
+ Get the shape of the territory without reading line-by-line: entry points
23
+ (main, routes, handlers, cron, consumers), the dependency skeleton (what are
24
+ the load-bearing modules — imported by everything), build/run/test commands
25
+ (does the test suite even pass? that's data), and the directory map with sizes.
26
+ Resist starting at file one and reading forward — comprehension follows the
27
+ call graph, not the alphabet.
28
+
29
+ ### Step 2: Mine the History — the Code's Memory
30
+
31
+ Git knows what the docs forgot. The high-yield digs:
32
+
33
+ - `git log --follow -p -- <file>` — a file's life story; the commit that
34
+ introduced the odd code usually says why (and links a ticket).
35
+ - `git log -S '<string>'` (pickaxe) — when a magic value or weird guard
36
+ appeared, and what else changed with it.
37
+ - **Churn analysis** — files with the most commits are the active organs
38
+ (`git log --format= --name-only | sort | uniq -c | sort -rn | head`);
39
+ high-churn + large = where understanding pays most (same hotspot logic as
40
+ `technical-debt-review`).
41
+ - `git blame -w -C` (ignore whitespace, follow copies) — who last touched this
42
+ line *and in what commit context*; blame the commit, then read its message
43
+ and siblings.
44
+ - Merge/PR references in messages — the review thread often holds the design
45
+ discussion that never made it into the code.
46
+
47
+ ### Step 3: Trace, Don't Guess
48
+
49
+ For the specific behavior you need to understand, follow the data: pick one
50
+ concrete input (a request, an event, a row) and trace it end to end — through
51
+ handlers, transformations, side effects, and persistence. Use the debugger or
52
+ strategic log statements over static reading when the control flow is dynamic
53
+ (dispatch tables, DI containers, metaprogramming). Write the trace down as you
54
+ go; a data-flow narrative ("the order enters here, gets enriched here, forks
55
+ here") is worth ten class diagrams.
56
+
57
+ ### Step 4: Interrogate the Oddities
58
+
59
+ For each "why on earth" you hit, run the checklist before concluding it's
60
+ senseless: What does history say (Step 2)? Does a test encode it as intended
61
+ behavior? Do comments/tickets/ADRs reference it? Does production data depend on
62
+ it (that dead-looking branch may handle the 2019 records)? Only after all four
63
+ come up empty may you *suspect* it's vestigial — and even then you prove it
64
+ (logging/telemetry on the branch) rather than assume it.
65
+
66
+ ### Step 5: Pin Behavior with Characterization Tests
67
+
68
+ Before changing anything you don't fully understand, write tests that capture
69
+ what the code **currently does** — not what it should do. Feed it
70
+ representative inputs (including the weird ones from production), assert the
71
+ observed outputs, and lock in today's behavior as the baseline. These tests
72
+ are your tripwire: if a "safe cleanup" changes an output, you learn it in CI,
73
+ not in production. Golden-master/snapshot testing works well when outputs are
74
+ large or numerous. (For designing the suite around them long-term:
75
+ `test-suite-design`.)
76
+
77
+ ### Step 6: Leave the Map Better Than You Found It
78
+
79
+ Record what you learned where the next archaeologist will find it: a short
80
+ architecture note or README-in-the-directory (the data-flow narrative from
81
+ Step 3, the load-bearing oddities from Step 4 and *why they exist*), backfilled
82
+ ADRs for the big recovered decisions (`architecture-design`), and comments only
83
+ on the genuinely non-obvious constraints. Then, with understanding and
84
+ characterization tests in place, changes proceed via `refactoring` (seams,
85
+ safe transformations) or `dependency-impact-analysis` (blast radius) as normal.
86
+
87
+ ## Principles Applied
88
+
89
+ - **Chesterton's fence**: understand why the fence is there before removing
90
+ it; lost context is not absent context.
91
+ - **Evidence over inference**: history, traces, and tests beat reading-and-
92
+ guessing — the code's actual behavior outranks anyone's model of it.
93
+ - **Capture as you go**: understanding that lives in one head (or one session)
94
+ is re-excavated at full cost next time.
95
+
96
+ ## Cross-Skill References
97
+
98
+ - `technical-debt-review` — assess and prioritize what to fix once understood
99
+ - `refactoring` — the safe-change patterns applied after comprehension
100
+ - `test-suite-design` — growing characterization tests into a real suite
101
+ - `dependency-impact-analysis` — blast radius before changing a shared piece
102
+ - `architecture-documentation` — recording the recovered architecture (C4, flows)
103
+ - `bug-investigating` — when the goal narrows to one specific misbehavior
@@ -0,0 +1,41 @@
1
+ {
2
+ "skill_name": "code-archaeology",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "I just inherited a 8-year-old Django billing service. The original team is gone, there are no docs, and I need to change how proration is calculated. Help me understand it before I touch anything.",
7
+ "expected_output": "Surveys structure first (entry points, load-bearing modules, does the test suite pass), mines git history for the proration code specifically (log --follow, pickaxe for magic values, blame with commit context, churn hotspots), traces one concrete billing case end to end, interrogates oddities against history/tests/production data before judging them, writes characterization tests pinning current proration outputs before any change, and records the recovered understanding",
8
+ "assertions": [
9
+ "Surveys the codebase shape first (entry points, dependency skeleton, whether tests run) instead of reading files linearly",
10
+ "Uses git history as a primary source — git log --follow, pickaxe (log -S), or blame with commit context — to recover why the proration code is the way it is",
11
+ "Traces at least one concrete billing input end to end through the code rather than only reading statically",
12
+ "Writes characterization tests that pin the CURRENT proration behavior (including odd cases) before making any change",
13
+ "Treats odd code as potentially load-bearing (Chesterton's fence) — checks history, tests, and production data before deeming anything vestigial",
14
+ "Records the recovered understanding (data-flow narrative, architecture note, or backfilled ADR) for the next person"
15
+ ]
16
+ },
17
+ {
18
+ "id": 2,
19
+ "prompt": "There's a bizarre guard clause in our payment processor: `if amount == 999999: amount = amount - 1`. No comment, no test, git blame just shows a 'fixes' commit from 2019 by someone who left. Everyone's afraid to delete it. Should I?",
20
+ "expected_output": "Does not say 'yes, delete it' outright: digs into the 2019 commit's full context (message, sibling changes, linked ticket, the PR discussion), searches for related production data or downstream systems that might depend on the cap, and if all sources come up empty, proposes proving it's dead (logging/telemetry on the branch for a period) plus a characterization test — removal only with evidence and a safety net, not on vibes",
21
+ "assertions": [
22
+ "Investigates the 2019 commit's full context (message, other files in the same commit, linked ticket/PR discussion) rather than accepting blame's surface result",
23
+ "Considers that production data or a downstream system may depend on the behavior before judging it vestigial",
24
+ "Proposes gathering runtime evidence (logging/telemetry on the branch) to prove the code path is dead rather than assuming it",
25
+ "Recommends a characterization test or equivalent safety net around the behavior before/when removing it",
26
+ "Does not recommend immediate deletion based on the code looking senseless"
27
+ ]
28
+ },
29
+ {
30
+ "id": 3,
31
+ "prompt": "Our codebase is a mess of tech debt — give me a prioritized assessment of what we should fix first and a remediation roadmap for the quarter.",
32
+ "expected_output": "Recognizes this as a debt assessment/prioritization request — refers to technical-debt-review for the hotspot analysis and remediation roadmap, noting the boundary: code-archaeology builds understanding of unfamiliar code; technical-debt-review assesses health and prioritizes fixes",
33
+ "assertions": [
34
+ "Recognizes the request as debt assessment and prioritization, not comprehension of unfamiliar code",
35
+ "Refers to the technical-debt-review skill for the hotspot analysis and roadmap",
36
+ "Does not produce an archaeology workflow (history mining, characterization tests) as the primary answer",
37
+ "States or implies the boundary: code-archaeology produces understanding; technical-debt-review assesses and prioritizes what to fix"
38
+ ]
39
+ }
40
+ ]
41
+ }
@@ -1,6 +1,7 @@
1
1
  ---
2
2
  name: code-reviewing
3
- description: "Structured code reviews enforcing DRY, KISS, YAGNI, SRP, best practices, and project conventions. Triggers: review this code, code review, check my code, what do you think of this implementation, review this PR, is this code good, feedback on my code, review staged changes before commit."
3
+ description: "Structured code reviews enforcing DRY, KISS, YAGNI, SRP, best practices, and project conventions."
4
+ when_to_use: "Triggers: review this code, code review, check my code, what do you think of this implementation, review this PR, is this code good, feedback on my code, review staged changes before commit."
4
5
  model: sonnet
5
6
  allowed-tools: Read, Grep, Glob, Write, Edit
6
7
  ---
@@ -13,10 +14,19 @@ Perform thorough, constructive code reviews that catch bugs, enforce principles,
13
14
 
14
15
  ### Step 1: Understand the Context
15
16
 
16
- Before reviewing line-by-line, understand the big picture:
17
+ Working-tree changes right now (live at skill load; empty when the tree is clean,
18
+ this isn't a git repo, or the review targets something else — e.g. pasted code or
19
+ a PR):
20
+
21
+ !`git diff --stat 2>/dev/null || true`
22
+
23
+ If the summary above is empty or irrelevant to what you were asked to review,
24
+ proceed with the code as provided. Before reviewing line-by-line, understand the
25
+ big picture:
17
26
 
18
27
  - **What is this code supposed to do?** Read the PR description, linked issue, or ask the user.
19
- - **What changed?** If reviewing a diff, understand the scope of changes.
28
+ - **What changed?** If reviewing a diff, understand the scope of changes — run the
29
+ full `git diff` (or `git diff --staged`) when the stat summary isn't enough.
20
30
  - **What's the surrounding code like?** Read adjacent files for conventions and patterns.
21
31
 
22
32
  ### Step 2: First Pass — Structural Review
@@ -0,0 +1,113 @@
1
+ ---
2
+ name: compliance-privacy
3
+ description: "Engineer for regulatory and privacy obligations — GDPR/CCPA privacy-by-design, PII data mapping and minimization, retention and deletion (right to erasure), data subject requests, consent, SOC 2 controls (access, change management, audit logging). Triggers: GDPR, CCPA, SOC 2, HIPAA, compliance, privacy review, PII, personal data, data retention, right to be forgotten, DSR, audit requirements, are we compliant. Vulnerabilities in code → security-audit; attack analysis of a design → threat-modeling."
4
+ model: opus
5
+ allowed-tools: Read, Grep, Glob, Write, Edit, WebFetch, WebSearch
6
+ ---
7
+
8
+ # Compliance & Privacy Engineering
9
+
10
+ Turn regulatory obligations into engineering requirements — before an auditor,
11
+ a regulator, or a deletion request does it for you. This skill covers the
12
+ *engineering* of compliance (what to build and how); it is not legal advice, and
13
+ material decisions (lawful basis, DPAs, breach notification) need counsel —
14
+ flag them explicitly rather than silently deciding. Boundary with its siblings:
15
+ `security-audit` finds technical vulnerabilities, `threat-modeling` analyzes
16
+ attacker paths in a design; this skill handles what regulations *oblige* you to
17
+ do with data regardless of attackers.
18
+
19
+ ## Workflow
20
+
21
+ ### Step 1: Map the Data — You Can't Comply with What You Can't Find
22
+
23
+ Build the data inventory first; every obligation hangs off it:
24
+
25
+ - **What personal data exists** — direct identifiers (name, email, phone),
26
+ indirect (IP, device IDs, location), sensitive categories (health, biometrics,
27
+ children's data — these carry stricter rules).
28
+ - **Where it lives** — every store, including the ones people forget: logs,
29
+ analytics, backups, data warehouses, third-party processors, caches, error
30
+ trackers.
31
+ - **Where it flows** — which services touch it, which vendors receive it
32
+ (each is a processor needing a DPA), and whether it crosses borders.
33
+
34
+ Grep the codebase and schemas for it; the inventory that only reflects the
35
+ architecture diagram misses the PII in logs and analytics events.
36
+
37
+ ### Step 2: Determine What Applies
38
+
39
+ Which regimes govern you follows from the data and the users, not the company's
40
+ location: EU/UK users → GDPR/UK-GDPR; California residents → CCPA/CPRA; health
41
+ data in the US → HIPAA; card data → PCI-DSS; enterprise customers asking for
42
+ audits → SOC 2. Verify specifics against current official sources — regulations
43
+ and thresholds change; don't answer from memory. Then extract the engineering
44
+ obligations (see [references/obligations-map.md](references/obligations-map.md)
45
+ for the regulation → engineering-requirement mapping).
46
+
47
+ ### Step 3: Design for Minimization and Purpose
48
+
49
+ The cheapest data to protect is data you don't have:
50
+
51
+ - **Collect less**: challenge every field — what breaks if we don't collect it?
52
+ - **Retain less**: every data class gets a retention period and an *automated*
53
+ deletion path; "keep forever by default" is a finding, not a policy.
54
+ - **Expose less**: pseudonymize/tokenize where full identity isn't needed
55
+ (analytics, testing — see `test-data-strategy` for GDPR-safe test data);
56
+ scope access per purpose.
57
+ - **Log less**: PII in logs inherits none of your database's controls and all
58
+ of its obligations — scrub at the logging layer, not in post-processing.
59
+
60
+ ### Step 4: Build the Rights Machinery
61
+
62
+ Data-subject rights are engineering features with deadlines (typically ~30
63
+ days), not support tickets to improvise:
64
+
65
+ - **Access/export**: produce all of a person's data across every Step-1 store.
66
+ - **Deletion**: erase or anonymize across primary stores, caches, search
67
+ indexes, analytics, and a documented stance on backups (usually: excluded
68
+ from immediate erasure, purged on backup expiry — state it in the policy).
69
+ Deletion that misses a store the inventory forgot is the classic failure.
70
+ - **Consent**: record what was consented to, when, and which version; make
71
+ withdrawal as easy as granting; gate the relevant processing on it.
72
+
73
+ Test the deletion path like a feature — run it against a seeded user and verify
74
+ every store — because the first real request is a terrible time to discover it
75
+ doesn't work.
76
+
77
+ ### Step 5: Implement the Control Layer (SOC 2 lens)
78
+
79
+ The controls auditors verify are mostly good engineering hygiene made
80
+ demonstrable: least-privilege access with a review cadence, change management
81
+ (PRs + reviews + CI — which you likely have; the gap is usually *evidence*),
82
+ append-only audit logging of sensitive-data access and admin actions
83
+ (overlaps `threat-modeling`'s repudiation counters), encryption in transit and
84
+ at rest, offboarding that provably revokes access, and vendor review for every
85
+ processor in the Step-1 flow map. Wire evidence collection into the systems
86
+ themselves — screenshots gathered the week before an audit don't scale.
87
+
88
+ ### Step 6: Make It Continuous
89
+
90
+ Compliance decays with every feature that adds a data flow. Add a lightweight
91
+ privacy check to the definition of done for features touching personal data
92
+ (new data collected? new vendor? retention set? deletion path covers it?), keep
93
+ the data inventory in version control next to the code, and re-run the Step-1
94
+ mapping when architecture changes — same living-document discipline as a threat
95
+ model.
96
+
97
+ ## Principles Applied
98
+
99
+ - **Minimization is the master control**: every other obligation scales with
100
+ how much data you hold.
101
+ - **Rights are features**: access, deletion, and consent need designs, tests,
102
+ and deadlines — not runbooks of manual SQL.
103
+ - **Evidence or it didn't happen**: an undocumented control fails the audit
104
+ even when it works.
105
+
106
+ ## Cross-Skill References
107
+
108
+ - `security-audit` — technical vulnerability review (confidentiality controls overlap)
109
+ - `threat-modeling` — design-time attack analysis; shares the data-classification step
110
+ - `data-modeling` — schema-level retention, soft-delete vs erasure, PII isolation
111
+ - `test-data-strategy` — GDPR-safe test data, anonymization
112
+ - `configuration-strategy` — secrets and access to production data
113
+ - `observability-design` — keeping PII out of logs, traces, and metrics
@@ -0,0 +1,41 @@
1
+ {
2
+ "skill_name": "compliance-privacy",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "We're a B2B SaaS with EU customers and we just got our first GDPR deletion request. We honestly don't know where all the user data lives. What do we need to build to handle this properly?",
7
+ "expected_output": "Starts with a data inventory across ALL stores (databases, logs, analytics, backups, third-party processors, caches), then designs deletion machinery: erasure/anonymization across every store, a documented stance on backups, the ~30-day deadline, and testing the deletion path against a seeded user; frames rights handling as an engineered feature and adds minimization/retention so the problem shrinks over time",
8
+ "assertions": [
9
+ "Begins with a data inventory/mapping across all stores — explicitly including the commonly-missed ones (logs, analytics, backups, third-party processors, caches)",
10
+ "Designs deletion as an engineered, testable feature spanning every store, not a manual SQL runbook against the primary database",
11
+ "Addresses backups explicitly with a documented stance (e.g. excluded from immediate erasure, purged on backup expiry)",
12
+ "Mentions the response deadline for data subject requests (about 30 days) and/or verifying the deletion path against a seeded test user before a real request",
13
+ "Recommends minimization and retention policies (automated deletion, collect less, PII out of logs) so future obligations shrink",
14
+ "Flags that material legal decisions (lawful basis, DPAs, breach specifics) need counsel rather than deciding them itself"
15
+ ]
16
+ },
17
+ {
18
+ "id": 2,
19
+ "prompt": "An enterprise prospect just sent us a security questionnaire asking if we're SOC 2 compliant. We're a 10-person startup with decent engineering hygiene (PRs, CI, SSO) but zero formal compliance work. What does getting there actually involve on the engineering side?",
20
+ "expected_output": "Explains SOC 2 as an audit of controls operating over time (Type I vs II), maps their existing hygiene (PR review, CI, SSO) onto trust-criteria controls and identifies the real gap as demonstrable evidence — access reviews, offboarding proof, audit logging, vendor review — recommending evidence automation over screenshot scrambles, scoping to the Security criterion first, and being realistic about timeline/audit-window",
21
+ "assertions": [
22
+ "Explains that SOC 2 audits controls operating over time (Type II observation window), not a one-time checklist",
23
+ "Maps existing engineering hygiene (PR reviews, CI, SSO) onto SOC 2 controls and identifies evidence/demonstrability as the actual gap",
24
+ "Covers the core control areas: logical access (least privilege, access reviews, offboarding), change management, audit logging, and vendor management",
25
+ "Recommends starting with the Security criterion and adding other trust criteria only when customers demand them",
26
+ "Recommends automating evidence collection rather than gathering screenshots before the audit"
27
+ ]
28
+ },
29
+ {
30
+ "id": 3,
31
+ "prompt": "Can you review our Express API code for injection vulnerabilities and check whether our JWT auth implementation is secure?",
32
+ "expected_output": "Recognizes this as a technical vulnerability review of existing code — refers to security-audit for the injection/auth analysis, stating the boundary: compliance-privacy handles regulatory and privacy obligations (GDPR/SOC 2, data rights, retention); security-audit finds technical vulnerabilities",
33
+ "assertions": [
34
+ "Recognizes the request as a technical security review of code, not a regulatory/privacy obligation question",
35
+ "Refers to the security-audit skill for the injection and auth review",
36
+ "Does not produce a compliance workflow (data mapping, DSR machinery, SOC 2 controls) as the answer",
37
+ "States the boundary: compliance-privacy covers regulatory/privacy obligations; security-audit covers technical vulnerabilities"
38
+ ]
39
+ }
40
+ ]
41
+ }
@@ -0,0 +1,69 @@
1
+ # Regulation → Engineering Obligation Map
2
+
3
+ What each regime actually demands from the engineering side. Verify thresholds
4
+ and details against current official sources before relying on them — this map
5
+ orients; it doesn't replace the regulation text or counsel.
6
+
7
+ ## GDPR / UK-GDPR (EU/UK personal data)
8
+
9
+ | Obligation | Engineering requirement |
10
+ |---|---|
11
+ | Lawful basis per processing purpose (Art. 6) | Record which basis covers each data flow; consent flows need capture + withdrawal machinery |
12
+ | Data minimization & purpose limitation (Art. 5) | Field-level justification; no reuse of data for new purposes without a new basis |
13
+ | Right of access / portability (Art. 15, 20) | Export of all of a subject's data, machine-readable, across every store |
14
+ | Right to erasure (Art. 17) | Deletion/anonymization across primary stores, caches, indexes, analytics; documented backup stance |
15
+ | Privacy by design & default (Art. 25) | Privacy review in the feature workflow; most-protective defaults |
16
+ | Records of processing (Art. 30) | The data inventory (SKILL.md Step 1), kept current |
17
+ | Security of processing (Art. 32) | Encryption in transit/at rest, access control, pseudonymization where feasible |
18
+ | Breach notification (Art. 33) | Detection + escalation path that can meet 72-hour notification — needs `observability-design`-grade alerting |
19
+ | Processors & transfers (Art. 28, Ch. V) | DPA with every vendor receiving personal data; transfer mechanism (SCCs/adequacy) for cross-border flows |
20
+ | DPIA for high-risk processing (Art. 35) | Formal assessment before launching high-risk features (large-scale profiling, sensitive categories) — pairs with `threat-modeling` |
21
+
22
+ ## CCPA / CPRA (California residents)
23
+
24
+ Similar rights machinery to GDPR (know/access, delete, correct) plus two deltas
25
+ worth engineering attention: **opt-out of sale/sharing** (honor Global Privacy
26
+ Control signals; maintain a "Do Not Sell or Share" path) and **service-provider
27
+ contracts** (the CCPA analog of DPAs). Thresholds determine applicability
28
+ (revenue / volume of consumers' data / share of revenue from selling data) —
29
+ check current numbers.
30
+
31
+ ## SOC 2 (Trust Services Criteria — what enterprise customers ask for)
32
+
33
+ SOC 2 is an audit of *your controls operating over time* (Type II), not a
34
+ checklist you pass once. The Security criterion (always in scope):
35
+
36
+ | Control area | Typical evidence engineering owns |
37
+ |---|---|
38
+ | Logical access | SSO/MFA, least-privilege roles, quarterly access reviews, provably-executed offboarding |
39
+ | Change management | PR review required on protected branches, CI gates, deploy audit trail |
40
+ | System operations | Monitoring/alerting, incident-response process with records (`incident-response`, `observability-design`) |
41
+ | Risk & vendor management | Vendor list with security review per processor; risk assessment cadence |
42
+ | Data handling | Encryption at rest/in transit, backup + restore testing (`resilience-engineering`), retention/disposal execution |
43
+
44
+ Availability, Confidentiality, Processing Integrity, and Privacy criteria are
45
+ opt-in scope — add them when customers demand them, not preemptively.
46
+
47
+ ## HIPAA (US health data)
48
+
49
+ Applies to covered entities and their **business associates** (a BAA makes you
50
+ one). Engineering core: PHI inventory and isolation, access controls + audit
51
+ logs on every PHI touch, encryption, minimum-necessary access, breach
52
+ notification machinery. PHI in logs/analytics is the recurring violation.
53
+
54
+ ## PCI-DSS (card data)
55
+
56
+ The dominant engineering decision is **scope reduction**: use a tokenizing
57
+ payment processor (Stripe/Adyen-style) so raw PANs never transit your systems —
58
+ this collapses most requirements to the lowest self-assessment tier. Storing
59
+ raw card data puts your whole environment in scope; treat that as a
60
+ `build-vs-buy` decision with a strong buy bias.
61
+
62
+ ## Choosing what to tackle first
63
+
64
+ 1. Data inventory (everything depends on it).
65
+ 2. Kill the involuntary violations: PII in logs, forever-retention, missing
66
+ deletion path.
67
+ 3. Rights machinery (access + deletion) — deadline-bound once requests arrive.
68
+ 4. Evidence automation for the controls you already operate.
69
+ 5. Formal frameworks (SOC 2 audit, DPIAs) when customers or scale demand.