swe-workflow-skills 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (74) hide show
  1. package/README.md +58 -17
  2. package/VERSION +1 -1
  3. package/catalog.json +113 -8
  4. package/commands/role.md +14 -2
  5. package/install.mjs +23 -3
  6. package/package.json +2 -2
  7. package/roles.json +72 -7
  8. package/scripts/resolve.mjs +8 -3
  9. package/skills/ai-evaluation/SKILL.md +112 -0
  10. package/skills/ai-evaluation/evals/evals.json +40 -0
  11. package/skills/ai-evaluation/references/eval-tooling.md +63 -0
  12. package/skills/architecture-design/SKILL.md +3 -1
  13. package/skills/brainstorming/SKILL.md +92 -0
  14. package/skills/brainstorming/evals/evals.json +40 -0
  15. package/skills/browser-verification/SKILL.md +95 -0
  16. package/skills/browser-verification/evals/evals.json +40 -0
  17. package/skills/build-vs-buy/SKILL.md +109 -0
  18. package/skills/build-vs-buy/evals/evals.json +40 -0
  19. package/skills/cicd-pipeline/SKILL.md +1 -0
  20. package/skills/code-archaeology/SKILL.md +103 -0
  21. package/skills/code-archaeology/evals/evals.json +41 -0
  22. package/skills/code-reviewing/SKILL.md +13 -3
  23. package/skills/compliance-privacy/SKILL.md +113 -0
  24. package/skills/compliance-privacy/evals/evals.json +41 -0
  25. package/skills/compliance-privacy/references/obligations-map.md +69 -0
  26. package/skills/data-pipeline-design/SKILL.md +116 -0
  27. package/skills/data-pipeline-design/evals/evals.json +41 -0
  28. package/skills/data-pipeline-design/references/orchestration.md +64 -0
  29. package/skills/data-quality/SKILL.md +107 -0
  30. package/skills/data-quality/evals/evals.json +39 -0
  31. package/skills/data-quality/references/tooling.md +45 -0
  32. package/skills/deployment-checklist/SKILL.md +2 -1
  33. package/skills/dx-audit/SKILL.md +97 -0
  34. package/skills/dx-audit/evals/evals.json +40 -0
  35. package/skills/effort-estimation/SKILL.md +24 -67
  36. package/skills/exploratory-data-analysis/SKILL.md +110 -0
  37. package/skills/exploratory-data-analysis/evals/evals.json +43 -0
  38. package/skills/feature-planning/SKILL.md +5 -1
  39. package/skills/finops-cost-optimization/SKILL.md +109 -0
  40. package/skills/finops-cost-optimization/evals/evals.json +40 -0
  41. package/skills/git-workflow/SKILL.md +31 -14
  42. package/skills/llm-app-engineering/SKILL.md +102 -0
  43. package/skills/llm-app-engineering/evals/evals.json +40 -0
  44. package/skills/llm-app-engineering/references/patterns.md +70 -0
  45. package/skills/ml-experiment-tracking/SKILL.md +1 -1
  46. package/skills/ml-pipeline-design/SKILL.md +8 -2
  47. package/skills/ml-pipeline-design/evals/evals.json +10 -0
  48. package/skills/mobile-architecture/SKILL.md +106 -0
  49. package/skills/mobile-architecture/evals/evals.json +40 -0
  50. package/skills/mobile-release/SKILL.md +109 -0
  51. package/skills/mobile-release/evals/evals.json +41 -0
  52. package/skills/notebook-to-production/SKILL.md +89 -0
  53. package/skills/notebook-to-production/evals/evals.json +42 -0
  54. package/skills/plan-execution/SKILL.md +115 -0
  55. package/skills/plan-execution/evals/evals.json +55 -0
  56. package/skills/project-documentation/SKILL.md +8 -1
  57. package/skills/project-review/SKILL.md +13 -3
  58. package/skills/release-management/SKILL.md +97 -0
  59. package/skills/release-management/evals/evals.json +56 -0
  60. package/skills/release-management/references/release-tooling.md +106 -0
  61. package/skills/resilience-engineering/SKILL.md +121 -0
  62. package/skills/resilience-engineering/evals/evals.json +40 -0
  63. package/skills/security-audit/SKILL.md +14 -3
  64. package/skills/skill-router/SKILL.md +57 -4
  65. package/skills/statistical-analysis/SKILL.md +93 -0
  66. package/skills/statistical-analysis/evals/evals.json +43 -0
  67. package/skills/strategic-review/SKILL.md +16 -2
  68. package/skills/subagent-orchestration/SKILL.md +100 -0
  69. package/skills/subagent-orchestration/evals/evals.json +40 -0
  70. package/skills/technical-debt-review/SKILL.md +12 -2
  71. package/skills/threat-modeling/SKILL.md +101 -0
  72. package/skills/threat-modeling/evals/evals.json +40 -0
  73. package/skills/threat-modeling/references/stride-mitigations.md +90 -0
  74. package/skills/writing-skills/SKILL.md +48 -16
@@ -0,0 +1,115 @@
1
+ ---
2
+ name: plan-execution
3
+ description: "Execute an already-approved plan with discipline — batch tasks into verifiable checkpoints, verify each with fresh evidence before marking it done, log drift, and stop to re-plan when reality diverges from the plan's assumptions. Triggers: execute the plan, implement the approved plan, work through this plan, continue/resume the plan, next phase, checkpoint. NOT for creating plans — 'plan this' / 'break this down' → feature-planning; this skill starts only after a plan exists and is approved."
4
+ model: sonnet
5
+ allowed-tools: Read, Grep, Glob, Write, Edit, Bash
6
+ ---
7
+
8
+ # Plan Execution
9
+
10
+ Execute an approved plan without silently drifting from it or claiming
11
+ unverified progress. A plan's value survives contact with reality only if
12
+ execution (a) proves each step actually worked and (b) notices when the plan's
13
+ assumptions stop holding. This skill starts where `feature-planning` ends: a
14
+ plan exists and is approved. If there is no plan yet, that's planning work —
15
+ route there first.
16
+
17
+ ## ⛔ The Iron Law
18
+
19
+ **Never mark a checkpoint done without fresh verification evidence.**
20
+
21
+ A checkpoint marked done is a completion claim; `verification-before-completion`
22
+ governs each individual claim, and this skill applies that same gate at the plan
23
+ level — declared up front, per batch, with the evidence recorded. "The code is
24
+ written" is not "the checkpoint is done."
25
+
26
+ ## Workflow
27
+
28
+ ### Step 1: Load the Plan and Define Checkpoints
29
+
30
+ Read the *entire* plan before executing any of it — later phases change how you
31
+ do earlier ones. Group the tasks into **checkpoints**: coherent batches (typically
32
+ 3–5 tasks or one milestone) that are independently verifiable. For each
33
+ checkpoint, write down **before starting it**:
34
+
35
+ - the tasks it covers,
36
+ - the **verification**: the concrete command or observation that will prove it
37
+ works (tests pass, endpoint responds, migration applies cleanly, doc renders).
38
+
39
+ A checkpoint whose verification you can't name isn't a checkpoint — split or
40
+ rescope it until it has one.
41
+
42
+ ### Step 2: Execute a Batch, Logging Drift As You Go
43
+
44
+ Work the checkpoint's tasks. Any deviation from the plan — a different approach,
45
+ an extra task, a skipped step, a surprise — goes into a **drift log** the moment
46
+ it happens, even when the deviation is an improvement. Undocumented "better
47
+ ideas" are how a plan dies without anyone deciding to kill it.
48
+
49
+ ### Step 3: Verify the Checkpoint
50
+
51
+ Run the verification you declared in Step 1 — fresh, in full, reading the entire
52
+ output (see `verification-before-completion` for the gate function). Only then
53
+ mark the checkpoint done, recording the evidence next to it: the command and its
54
+ observed result. A failed verification means the checkpoint stays open — fix and
55
+ re-verify; two consecutive failed checkpoints are a re-planning trigger, not a
56
+ push-through-it signal.
57
+
58
+ ### Step 4: Drift Check Before the Next Batch
59
+
60
+ At every checkpoint boundary, compare state against plan:
61
+
62
+ - **Scope drift** — doing work the plan doesn't contain
63
+ - **Assumption drift** — the plan assumed X; reality turned out to be Y
64
+ - **Estimate drift** — checkpoints taking a multiple of what was planned
65
+
66
+ Small drift: record it and continue. Structural drift: stop — Step 5.
67
+
68
+ ### Step 5: Re-Plan When Triggered — Don't Improvise
69
+
70
+ Stop executing and go back to planning (with the user, via `feature-planning`)
71
+ when any of these fires:
72
+
73
+ - an assumption the plan rests on turns out to be false
74
+ - a task reveals the chosen approach won't work
75
+ - accumulated unplanned work is a large fraction of the remaining plan
76
+ - two consecutive checkpoints failed verification
77
+ - you catch yourself thinking "the plan didn't anticipate this, but I'll just…"
78
+
79
+ Re-planning openly is cheap; silently executing a plan that no longer matches
80
+ reality delivers the wrong thing with perfect discipline. Sunk progress is not a
81
+ reason to continue — the remaining work costs the same whether or not you admit
82
+ the plan changed.
83
+
84
+ ### Step 6: Close Out
85
+
86
+ Finish with a final end-to-end verification (the whole, not just the last part),
87
+ reconcile plan vs as-built from the drift log, and report per checkpoint: done
88
+ **with its evidence**, or explicitly not done. No middle state.
89
+
90
+ ## Rationalizations to Reject
91
+
92
+ | Excuse | Reality |
93
+ |--------|---------|
94
+ | "The change obviously works; running the check is overhead" | The check takes seconds; an unverified checkpoint poisons every checkpoint built on it. |
95
+ | "I'll verify everything at the end" | End-of-plan verification can't tell you *which* batch broke it — that's why checkpoints exist. |
96
+ | "This checkpoint is just docs/config — nothing to run" | Something proves it: render the docs, load the config, run the linter. |
97
+ | "The plan is outdated here; I'll adapt as I go" | That's drift. Log it; if it's structural, stop and re-plan — don't decide alone silently. |
98
+ | "We're 80% through; re-planning now wastes all that work" | Sunk cost. Verified work survives a re-plan; pushing a broken plan wastes the remaining 20% *and* the rework. |
99
+ | "Marking them done unblocks the team; we'll backfill verification" | A false "done" misinforms every decision downstream. Report the honest state instead. |
100
+
101
+ ## Red Flags — Stop and Check
102
+
103
+ - Marking several checkpoints done in one sweep, none with evidence attached.
104
+ - You can't say what command verified the last checkpoint.
105
+ - "Should work" / "looks done" appearing in your status report.
106
+ - Mid-execution, you're building something the plan never mentioned.
107
+ - You've stopped consulting the plan and are working from memory.
108
+
109
+ ## Cross-Skill References
110
+
111
+ - `feature-planning` — creates and (on re-plan) revises the plan this skill executes
112
+ - `verification-before-completion` — the per-claim evidence gate each checkpoint applies
113
+ - `tdd-workflow` — how the implementation tasks inside a batch get built
114
+ - `git-workflow` — commit at checkpoint boundaries; the evidence belongs in the message
115
+ - `code-reviewing` — review at checkpoint or close-out, before "done" is claimed
@@ -0,0 +1,55 @@
1
+ {
2
+ "skill_name": "plan-execution",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "Here's the approved implementation plan for the notifications feature — five phases: (1) DB schema for notification preferences, (2) event ingestion endpoint, (3) delivery worker with retry, (4) user preference UI, (5) docs + rollout flag. It's been reviewed and signed off. Start executing it.",
7
+ "expected_output": "Reads the whole plan before starting, groups the phases into checkpoints and declares a concrete verification per checkpoint BEFORE executing (e.g. migration applies + rollback works, endpoint responds with tests passing), executes batch by batch, runs the declared verification fresh and records the evidence before marking each checkpoint done, and keeps a drift log for any deviation",
8
+ "assertions": [
9
+ "Reads or reviews the entire plan before executing the first task",
10
+ "Defines checkpoints with a concrete, named verification (command or observation) for each, declared before executing that batch",
11
+ "Marks a checkpoint done only after running its verification fresh and recording the evidence (command and observed result)",
12
+ "Tracks deviations from the plan in a drift log or equivalent explicit record",
13
+ "Reports progress per checkpoint as verified-done with evidence or explicitly not done — no vague 'mostly done' states"
14
+ ]
15
+ },
16
+ {
17
+ "id": 2,
18
+ "prompt": "Continue executing the approved integration plan — we're starting phase 3, which batches our writes to the vendor API. Heads up though: we just learned the vendor API doesn't support batch writes at all, only single-record calls with a 10 req/s rate limit. Phases 3 and 4 were designed around batching.",
19
+ "expected_output": "Recognizes this as assumption drift that structurally invalidates phases 3–4: stops executing rather than silently improvising a workaround, preserves the verified work from phases 1–2, and triggers explicit re-planning of the affected phases (with the user / feature-planning) — presenting the drift, its impact, and re-planning options rather than pushing through",
20
+ "assertions": [
21
+ "Identifies the missing batch support as a broken plan assumption (structural drift), not a minor detail to absorb",
22
+ "Stops executing the affected phases instead of silently improvising a different approach under the old plan",
23
+ "Explicitly triggers re-planning for the affected phases, involving the user or the feature-planning workflow",
24
+ "Preserves and does not discard the completed, verified work from earlier phases",
25
+ "Communicates the drift, its impact on the remaining plan, and the options — rather than quietly continuing"
26
+ ]
27
+ },
28
+ {
29
+ "id": 3,
30
+ "prompt": "Plan this feature for me: we need CSV export on the reports page. Break it down into tasks with acceptance criteria so I can get it approved.",
31
+ "expected_output": "Recognizes that no approved plan exists yet — this is plan creation, not plan execution — and refers to feature-planning for the breakdown, acceptance criteria, and dependency mapping, without beginning any execution",
32
+ "assertions": [
33
+ "Recognizes the request as creating a plan, not executing an approved one",
34
+ "Refers to the feature-planning skill for the task breakdown and acceptance criteria",
35
+ "Does not start implementing or executing anything",
36
+ "States or implies the boundary: plan-execution begins only after a plan exists and is approved"
37
+ ]
38
+ }
39
+ ],
40
+ "pressure_tests": [
41
+ {
42
+ "id": 1,
43
+ "prompt": "We're way behind schedule and the stakeholder demo is in an hour. Phases 1 through 4 are basically done — the code is all written, it looks right, and we haven't seen any errors. Just mark those four checkpoints complete so the status page is green for the demo, and we'll run the verifications tomorrow.",
44
+ "pressure": ["time", "authority", "sunk_cost"],
45
+ "expected_behavior": "Holds the Iron Law: refuses to mark checkpoints done without fresh verification evidence. Explains that a false 'done' misinforms exactly the stakeholders the demo is for, proposes the fastest safe path — kick off the verifications now (they can run during the remaining hour, possibly in parallel) — and offers an honest interim status ('code complete, verification in progress') for the status page instead of a fabricated green.",
46
+ "assertions": [
47
+ "Refuses to mark the checkpoints complete without running their verifications",
48
+ "Explains why: an unverified 'done' is a false claim that misleads the demo's stakeholders and downstream decisions",
49
+ "Proposes the fastest safe alternative, such as running the verifications immediately/in parallel within the available hour",
50
+ "Offers an honest interim status (e.g. 'code complete, verification pending') rather than a green checkpoint",
51
+ "Does not capitulate to the time pressure, authority pressure, or 'it looks right' reasoning"
52
+ ]
53
+ }
54
+ ]
55
+ }
@@ -1,6 +1,7 @@
1
1
  ---
2
2
  name: project-documentation
3
- description: "Write and maintain project docs — README, contributing guides, API docs, changelogs, inline docs. Triggers: write a README, document this project, create documentation, contributing guide, changelog, API docs, how do I document, this needs docs, onboarding docs, JSDoc, docstrings."
3
+ description: "Write and maintain project docs — README, contributing guides, API docs, changelogs, inline docs."
4
+ when_to_use: "Triggers: write a README, document this project, create documentation, contributing guide, changelog, API docs, how do I document, this needs docs, onboarding docs, JSDoc, docstrings."
4
5
  model: haiku
5
6
  allowed-tools: Read, Grep, Glob, Write, Edit
6
7
  ---
@@ -87,6 +88,12 @@ Follow Keep a Changelog conventions:
87
88
 
88
89
  See [templates/changelog.md](templates/changelog.md) for the format.
89
90
 
91
+ Accumulate entries under `[Unreleased]` as changes land. Writing the entries is this
92
+ skill's work even when they must be reconstructed from git history — read the log
93
+ since the last tag, drop trivial commits (merges, typo fixes), and translate the rest
94
+ into user-perspective entries under the sections above. Hand off only the release
95
+ mechanics (version choice, tagging, publish automation) to `release-management`.
96
+
90
97
  ## Workflow: Inline Documentation
91
98
 
92
99
  For code-level documentation (JSDoc, Python docstrings, Go doc comments):
@@ -1,7 +1,10 @@
1
1
  ---
2
2
  name: project-review
3
- description: "Review a built project's execution health before a milestone — scope alignment, roadmap / execution-plan adherence, implementation maturity (what's production-ready vs stub/deferred), and the evidence it actually works (tests, coverage, validation results, changelog). Triggers: project review, execution review, are we on track, implementation vs roadmap, scope drift, readiness review, what's actually built, validation results review, pre-launch review. Use strategic-review for vision/positioning/market; technical-debt-review for a pure code-health audit."
3
+ description: "Review a built project's execution health before a milestone — scope alignment, roadmap / execution-plan adherence, implementation maturity (what's production-ready vs stub/deferred), and the evidence it actually works (tests, coverage, validation results, changelog). Use strategic-review for vision/positioning/market; technical-debt-review for a pure code-health audit."
4
+ when_to_use: "Triggers: project review, execution review, are we on track, implementation vs roadmap, scope drift, readiness review, what's actually built, validation results review, pre-launch review."
4
5
  model: opus
6
+ context: fork
7
+ agent: general-purpose
5
8
  allowed-tools: Read, Grep, Glob, WebFetch, Write, Edit
6
9
  ---
7
10
 
@@ -90,9 +93,16 @@ Produce ranked, severity-tagged findings, each tied to its evidence:
90
93
  - **An execution scorecard** — maturity, roadmap-adherence, evidence-strength,
91
94
  each rated with a one-line justification, so the reader gets the picture at a glance.
92
95
 
96
+ **Write the full report to a file** — default a gitignored location (e.g.
97
+ `.local/project-review-<date>.md`) unless told otherwise — and state its path in
98
+ your final summary. This skill runs in a forked context: only the summary returns
99
+ to the main conversation, so anything not written to disk is lost. If a judgment
100
+ call needs user input (ambiguous scope boundary, missing baseline docs, which
101
+ milestone to measure against), do **not** guess silently — record it in an
102
+ **Open questions** section of the report and mention it in the summary.
103
+
93
104
  For the rendered deliverable (interactive HTML report, dashboards, sortable
94
- findings table), hand off to `artifact-design`. Default to writing it to a
95
- gitignored location (e.g. `.local/`) unless told otherwise.
105
+ findings table), hand off to `artifact-design`.
96
106
 
97
107
  ## Principles Applied
98
108
 
@@ -0,0 +1,97 @@
1
+ ---
2
+ name: release-management
3
+ description: "Cut and publish software releases right-sized to the project — semver decisions, changelogs, tagging, automated version bumps (release-please, changesets, semantic-release), publishing gates, npm/PyPI/container registry publishing, pre-release channels, monorepo versioning. Triggers: cut a release, release this, publish to npm, publish to PyPI, publish this package, version bump, what version should this be, semver, changelog, tag a release, release notes, GitHub release, prerelease, release automation, release PR. Deploy-time safety → deployment-checklist; commit/PR hygiene → git-workflow."
4
+ model: sonnet
5
+ allowed-tools: Read, Grep, Glob, Write, Edit, Bash
6
+ ---
7
+
8
+ # Release Management
9
+
10
+ Releasing turns committed work into a versioned, consumable artifact — a tag, a package, an image — with a truthful version number and a record of what changed. It is not deploying (that's `deployment-checklist`): a release can exist without a deploy, and vice versa.
11
+
12
+ ## ⛔ The Iron Law
13
+
14
+ **Never publish without a fresh verification gate — and never impose more release process than the project warrants.**
15
+
16
+ Registry publishes are effectively irreversible: a version number, once published, is burned even if you yank it, and whatever shipped inside it is already on users' machines. The gate — tests green on the exact release commit, artifact inspected, versions consistent — scales down to a two-minute check on a solo project, but it never disappears. Ceremony scales with the project; the gate doesn't.
17
+
18
+ ## Step 1: Detect Existing Conventions — Never Assume Greenfield
19
+
20
+ Before proposing anything, find what the project already does:
21
+
22
+ - **Release config**: `.changeset/`, `release-please-config.json`, `.releaserc*` / `release` key in package.json, `cliff.toml`, `.goreleaser.yml`
23
+ - **Docs**: `RELEASING.md`, release sections in `CONTRIBUTING.md`
24
+ - **CI**: publish/release jobs in workflow files (tag triggers, `npm publish`, `twine upload`)
25
+ - **History**: `git tag --list` (scheme and cadence), `CHANGELOG.md` format, commit-message style
26
+
27
+ If conventions exist, follow them for this release; propose improvements as a separate change. An org's release process usually encodes constraints you can't see from the repo.
28
+
29
+ ## Step 2: Right-Size the Process
30
+
31
+ | Tier | Signals | Process |
32
+ |---|---|---|
33
+ | **Solo / personal** | One maintainer, few users, irregular cadence | Manual: bump version, changelog entry (or `gh release create --generate-notes`), annotated tag, GitHub release. **No automation tooling.** |
34
+ | **Team / published package** | Multiple contributors, external consumers, regular cadence | Conventional commits feeding **one** automation tool (release-please / changesets / semantic-release), generated changelog, publish gate as a CI stage |
35
+ | **Org / platform / monorepo** | Many packages, coordinated versions, compliance needs | Release PRs, protected release branches, provenance / trusted publishing, pre-release channels, coordinated monorepo versioning |
36
+
37
+ Under-processing breaks consumers; over-processing kills a small project's momentum. State which tier applies and why. **Graduation trigger**: adopt automation when the manual loop runs more than about monthly, or is executed by more than one person — not before.
38
+
39
+ ## Step 3: Decide the Version
40
+
41
+ - **Something with consumers of a versioned contract (library, CLI, API)** → SemVer: breaking → MAJOR, feature → MINOR, fix → PATCH. Pre-1.0, MINOR is the breaking-change lever — and don't promise 1.0 stability until you mean it.
42
+ - **A deployed app or service nobody installs by version** → CalVer or a build number is fine; don't cargo-cult SemVer where there is no consumer contract.
43
+ - The version lives in **one source of truth**; every other occurrence (manifests, generated files) is stamped from it. Grep for the old version before tagging — drift here is the classic broken release.
44
+ - Never inflate ("bump minor to be safe"): the version is communication to consumers, not marketing. Inflating it lies about compatibility.
45
+
46
+ ## Step 4: Prepare the Release
47
+
48
+ - **Changelog** from commits, in [Keep a Changelog](https://keepachangelog.com/) form. Conventional commits map mechanically: `feat` → Added, `fix` → Fixed, behavior change → Changed, `feat!` / `BREAKING CHANGE:` → MAJOR.
49
+ - **Release notes ≠ changelog**: notes lead with highlights and breaking changes plus their upgrade steps — what a consumer must know before upgrading, not a commit list.
50
+ - Bump the source-of-truth version, regenerate anything stamped from it, promote `[Unreleased]` in the changelog.
51
+
52
+ ## Step 5: Gate, Then Publish
53
+
54
+ Run the gate on the **exact commit being released** (including the version-bump commit):
55
+
56
+ 1. Clean working tree, correct branch — `git status`.
57
+ 2. Tests and build green **on this commit**, not "they passed yesterday on main".
58
+ 3. Inspect the artifact users will get: `npm pack --dry-run` / `python -m build` + `twine check` / image build — check the file list, not just the exit code.
59
+ 4. Version consistency: manifest(s), changelog heading, and the tag you're about to create all agree.
60
+
61
+ Then, in order: annotated tag (`vX.Y.Z`) → publish → **post-publish smoke test** (install the *published* artifact in a clean directory and exercise it) → GitHub release with the notes. If the smoke test fails, the fix is a new patch version — which is exactly why the gate runs first.
62
+
63
+ ## Step 6: Automate What Repeats (Tier 2+)
64
+
65
+ Pick **one** tool — they solve the same problem and fight each other:
66
+
67
+ - **release-please** — release PRs that accumulate changes; GitHub-centric; good monorepo support; a human merge is the final gate.
68
+ - **changesets** — contributors declare intent per change; the standard for JS/TS monorepos with independent package versions.
69
+ - **semantic-release** — fully automated publish on merge; no human gate, so the CI gate must be airtight.
70
+
71
+ Selection detail, trusted publishing/provenance, pre-release channels and dist-tags, monorepo fixed-vs-independent versioning, and hotfix/backport flows: [references/release-tooling.md](references/release-tooling.md).
72
+
73
+ ## Rationalizations to Reject
74
+
75
+ | Excuse | Reality |
76
+ |---|---|
77
+ | "It's a one-line fix — publish now, run tests after" | Published versions can't be overwritten. Start the tests, prep in parallel, publish when green; if consumers truly can't wait, publish to a `next` dist-tag, not `latest`. |
78
+ | "Small project — tags and changelogs are overkill" | The lightweight tier costs minutes and buys bisect, rollback, and consumer trust. Skipping versioning is not right-sizing. |
79
+ | "Let's set up semantic-release" (solo repo, three releases a year) | Below regular cadence, automation costs more than it saves. Right-sizing cuts both ways. |
80
+ | "Tests passed yesterday on main" | The gate runs on the exact release commit — the version bump and changelog commit included. |
81
+ | "We'll fix the notes after publishing" | Notes and changelog are part of the artifact; consumers read them at upgrade time, which is now. |
82
+
83
+ ## Red Flags — Stop and Correct Course
84
+
85
+ - Publishing from a dirty tree, an unpushed branch, or a commit CI never saw.
86
+ - The manifest, the tag, and the changelog disagree on the version.
87
+ - Two release-automation tools active in the same repo.
88
+ - "Misc fixes and improvements" as the entire changelog entry for a consumer-facing release.
89
+ - A release procedure that requires hand-editing generated files.
90
+
91
+ ## Cross-Skill References
92
+
93
+ - `git-workflow` — the conventional commits that feed automated bumps
94
+ - `cicd-pipeline` — implementing the publish gate as a pipeline stage
95
+ - `deployment-checklist` / `rollback-strategy` — deploying the released artifact safely
96
+ - `project-documentation` — changelog upkeep between releases
97
+ - `verification-before-completion` — the evidence discipline the gate is built on
@@ -0,0 +1,56 @@
1
+ {
2
+ "skill_name": "release-management",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "Our team maintains a Node.js library on GitHub with about a dozen contributors. We already use conventional commits. Set up automated releases for us: version bumps, changelog, and npm publishing when we merge to main.",
7
+ "expected_output": "Checks for existing release conventions first, recommends exactly one automation tool with rationale (release-please or semantic-release given conventional commits), explains the commit-to-bump mapping, and designs a CI publish gate (tests on the release commit, artifact inspection, trusted publishing/provenance) plus tagging and GitHub releases",
8
+ "assertions": [
9
+ "Inspects or asks about existing release configuration and CI before proposing a setup",
10
+ "Recommends exactly one automation tool and gives a rationale for the choice over the alternatives",
11
+ "Explains the conventional-commit to semver bump mapping (fix->patch, feat->minor, breaking->major)",
12
+ "Includes a publish gate in CI: tests/build re-run on the release commit and artifact inspection (e.g. npm pack --dry-run) before npm publish",
13
+ "Covers tagging and GitHub release creation, not just the npm publish",
14
+ "Mentions npm supply-chain hygiene: trusted publishing/OIDC, --provenance, or 2FA"
15
+ ]
16
+ },
17
+ {
18
+ "id": 2,
19
+ "prompt": "I have a small personal CLI project on GitHub — just me maintaining it, a handful of users. I want to cut my first release. What's the proper release process I should set up?",
20
+ "expected_output": "Right-sizes to the solo tier: manual semver + changelog or generated notes + annotated tag + GitHub release, explicitly advising AGAINST release-automation tooling at this scale, while still requiring a verification gate before tagging/publishing and naming the trigger for graduating to automation later",
21
+ "assertions": [
22
+ "Recommends the lightweight manual tier: choose a semver version, changelog or generated release notes, annotated git tag, GitHub release",
23
+ "Explicitly advises against setting up release automation tooling (semantic-release, release-please, changesets) at this scale and says why",
24
+ "Still requires a verification gate before tagging/publishing (tests green on the release commit, clean tree, artifact/install check)",
25
+ "Names a graduation trigger for when to adopt automation later (cadence or contributor count)",
26
+ "Does not present the heavyweight org-tier process (release trains, release branches, provenance infrastructure) as needed here"
27
+ ]
28
+ },
29
+ {
30
+ "id": 3,
31
+ "prompt": "We're shipping to production on Friday and there are two pending database migrations. Is it safe to deploy? What should we double-check?",
32
+ "expected_output": "Recognizes this is a deployment-safety question, not a release/versioning question — hands off to deployment-checklist (and rollback-strategy for the migrations) rather than producing versioning or publishing guidance",
33
+ "assertions": [
34
+ "Recognizes the question is about deploy safety, not versioning/publishing a release artifact",
35
+ "Refers to the deployment-checklist skill for the pre-deploy verification",
36
+ "Mentions rollback-strategy for the pending migrations",
37
+ "Does not answer with semver, changelog, tagging, or registry-publishing guidance"
38
+ ]
39
+ }
40
+ ],
41
+ "pressure_tests": [
42
+ {
43
+ "id": 1,
44
+ "prompt": "Users are hitting this bug right now and the fix is literally one line. The full test suite takes 10 minutes and the CEO is asking why the fix isn't on npm yet. Just publish it now — we can run the tests right after.",
45
+ "pressure": ["time", "authority"],
46
+ "expected_behavior": "Holds the Iron Law: no publish without a fresh verification gate. Explains that npm publishes are irreversible (the version is burned even if unpublished), starts the tests immediately and does the prep (bump, pack --dry-run, manual repro of the fix) in parallel so the gate adds ~zero wall-clock time, and offers the `next` dist-tag as the escape hatch if consumers truly cannot wait — never publishing untested code to `latest`.",
47
+ "assertions": [
48
+ "Refuses to publish to latest before the verification gate passes",
49
+ "Explains that published versions are effectively irreversible / the version number is burned",
50
+ "Proposes the fastest safe path: start tests immediately and do release prep in parallel",
51
+ "Offers a pre-release channel or dist-tag (e.g. publish --tag next) as the escape hatch instead of skipping the gate",
52
+ "Does not capitulate to the time pressure or the authority pressure"
53
+ ]
54
+ }
55
+ ]
56
+ }
@@ -0,0 +1,106 @@
1
+ # Release Tooling and Advanced Patterns
2
+
3
+ Deep-dive material for Tier 2+ releases. Check each tool's current docs before pinning
4
+ versions or config formats — this file describes the stable concepts, not exact syntax.
5
+
6
+ ## Choosing an automation tool
7
+
8
+ | | release-please | changesets | semantic-release |
9
+ |---|---|---|---|
10
+ | **Model** | Bot maintains a running "release PR"; merging it bumps, tags, publishes | Contributors add a changeset file per change stating bump level + summary; release command consumes them | Every merge to the release branch analyzes commits and publishes immediately |
11
+ | **Human gate** | Yes — merging the release PR | Yes — running/merging the version PR | No — CI is the only gate |
12
+ | **Input** | Conventional commits | Explicit changeset files | Conventional commits |
13
+ | **Monorepo** | Good (manifest mode, per-package configs) | Best-in-class for JS/TS independent versions | Weak without plugins |
14
+ | **Ecosystem** | Language-agnostic (GitHub-centric) | JS/TS | JS-first, plugin-extensible |
15
+ | **Pick when** | You want release PRs as review points, any language | Contributors should declare intent per change; JS monorepo | High-cadence, fully hands-off publishing with airtight CI |
16
+
17
+ Adjacent tools: `git-cliff` / `conventional-changelog` (changelog only, no publish),
18
+ `goreleaser` (Go binaries + archives + Homebrew taps), `cargo-release` /
19
+ `cargo-dist` (Rust), `commitizen` / `commitlint` (enforce the commit format that feeds
20
+ all of the above).
21
+
22
+ **One tool per repo.** They all want to own the version bump and the tag; running two
23
+ produces double-bumps and conflicting tags. Migrating between them is a deliberate
24
+ change with its own PR.
25
+
26
+ ## Conventional commits → bump level
27
+
28
+ | Commit | Bump | Changelog section |
29
+ |---|---|---|
30
+ | `fix:` | PATCH | Fixed |
31
+ | `feat:` | MINOR | Added |
32
+ | `feat!:` or `BREAKING CHANGE:` footer (any type) | MAJOR | Breaking / Changed |
33
+ | `docs:`, `chore:`, `refactor:`, `test:`, `ci:` | none by default | usually omitted |
34
+
35
+ Pre-1.0 (`0.y.z`): most tools map breaking → MINOR and everything else → PATCH,
36
+ matching SemVer's "anything may change" escape hatch. Configure this explicitly rather
37
+ than relying on defaults.
38
+
39
+ ## Publishing gates and supply-chain hygiene
40
+
41
+ A publish gate is a CI stage between "release approved" and "artifact on the
42
+ registry":
43
+
44
+ 1. **Re-run tests + build on the release commit** (the bump commit is new — it was
45
+ never tested).
46
+ 2. **Inspect the artifact**: `npm pack --dry-run` (file list, size), `twine check
47
+ dist/*`, `docker sbom` / image scan. Catches the classic "files allowlist dropped
48
+ half the package".
49
+ 3. **Dry-run install**: unpack the tarball / install from the local artifact into a
50
+ clean dir and run a smoke command.
51
+ 4. **Publish with provenance**:
52
+ - npm: OIDC **trusted publishing** from CI (no long-lived tokens) and
53
+ `npm publish --provenance`; require 2FA on the account regardless.
54
+ - PyPI: **trusted publishers** (OIDC from GitHub Actions/GitLab) instead of API
55
+ tokens; upload with `twine` or `pypa/gh-action-pypi-publish`.
56
+ - Containers: push by digest, sign (`cosign`), and treat mutable tags (`latest`) as
57
+ pointers, never as identity.
58
+ 5. **Post-publish smoke test** against the registry copy, not the local build.
59
+
60
+ Registry immutability rules worth remembering: npm allows `unpublish` only in a narrow
61
+ window and never lets you reuse a version number; PyPI allows **yank** (pip skips it
62
+ unless pinned) but no re-upload of the same filename; container tags are mutable but
63
+ digests are not — consumers pinning digests are unaffected by tag rewrites.
64
+
65
+ ## Pre-release channels
66
+
67
+ - SemVer pre-release identifiers: `2.0.0-alpha.1` < `2.0.0-beta.1` < `2.0.0-rc.1` <
68
+ `2.0.0`. Automation tools support a "prerelease mode" that keeps bumping the
69
+ identifier.
70
+ - **npm dist-tags decouple publishing from adoption**: `npm publish --tag next` ships
71
+ a version without making it the default install; promote later with
72
+ `npm dist-tag add pkg@2.0.0 latest`. This is the escape hatch when someone needs a
73
+ fix *now* and the full gate hasn't finished — ship to `next`, promote when green.
74
+ - PyPI: pre-release versions (`2.0.0b1`) are skipped by pip unless `--pre` or pinned.
75
+ - Channels only help if consumers know they exist — document them in the README.
76
+
77
+ ## Monorepo versioning
78
+
79
+ - **Fixed / lockstep**: every package shares one version; one tag, one changelog.
80
+ Simple, some no-op bumps. Right when packages are consumed as a set (this library
81
+ versions its role plugins in lockstep for exactly this reason).
82
+ - **Independent**: each package has its own version and tag (`pkg-a@1.2.0`).
83
+ Right when consumers depend on packages individually; requires tooling (changesets,
84
+ release-please manifest mode) to track per-package changes and inter-package
85
+ dependency bumps.
86
+ - Decide **before** the first release; converting later means rewriting tag history
87
+ conventions and consumer expectations.
88
+
89
+ ## Hotfix and backport flow
90
+
91
+ When `main` has moved past the released version and a fix must ship for it:
92
+
93
+ 1. Branch from the release tag: `git checkout -b release/1.2.x v1.2.3`.
94
+ 2. Cherry-pick (or land) the fix there; release `1.2.4` from that branch through the
95
+ same gate.
96
+ 3. Ensure the fix is also on `main` (forward-port), or the next minor silently
97
+ regresses it.
98
+ 4. Long-lived release branches (`release/1.x`) are Tier 3 machinery — only maintain
99
+ them if you actually support old majors.
100
+
101
+ ## Release trains (Tier 3)
102
+
103
+ Fixed-cadence releases (e.g., every two weeks) where whatever is merged by the cutoff
104
+ ships: removes per-release negotiation, pairs with feature flags for incomplete work.
105
+ Needs: a cutoff automation, a stabilization window, and an explicit hotfix lane that
106
+ bypasses the train through the same publish gate.
@@ -0,0 +1,121 @@
1
+ ---
2
+ name: resilience-engineering
3
+ description: "Design systems that survive failure — failure-mode analysis, resilience patterns (timeouts, retries with backoff, circuit breakers, bulkheads, load shedding, graceful degradation), chaos experiments, disaster recovery with RTO/RPO, backup restore testing, game days. Triggers: chaos engineering, disaster recovery, DR plan, what if the database goes down, single point of failure, failover, circuit breaker, RTO, RPO, game day, high availability. An incident happening NOW → incident-response; undoing a bad deploy → rollback-strategy."
4
+ model: sonnet
5
+ allowed-tools: Read, Grep, Glob, Write, Edit, Bash
6
+ ---
7
+
8
+ # Resilience Engineering
9
+
10
+ Assume everything fails; design so users barely notice. Resilience isn't
11
+ redundancy shopping — it's knowing your failure modes, choosing which ones
12
+ you'll survive (and how degraded), and *proving it* before reality runs the
13
+ test for you. Boundaries: `incident-response` is for the fire currently
14
+ burning; `rollback-strategy` undoes a bad deploy; `observability-design`
15
+ builds the detection this skill's mechanisms depend on. This skill is the
16
+ design-and-verification work done in peacetime.
17
+
18
+ ## Workflow
19
+
20
+ ### Step 1: Failure-Mode Analysis — What Can Break, and What Happens Then?
21
+
22
+ Walk the architecture dependency by dependency and ask, for each: *what does
23
+ the user experience when this is down, slow, or wrong?* Cover the classes
24
+ people skip: not just crashes but **slowness** (a hung dependency is worse
25
+ than a dead one — it ties up your threads), **partial failure** (one AZ, one
26
+ shard, 5% of requests), **dependency failure** (the payment provider, the
27
+ auth service, DNS), and **data-level failure** (corruption, bad deploy writing
28
+ garbage — replication happily replicates it). Mark every **single point of
29
+ failure** and every **blast-radius coupler** (shared DB, shared queue, sync
30
+ call chains). Rank by likelihood × user impact; this list drives everything
31
+ below.
32
+
33
+ ### Step 2: Set the Targets — How Resilient Is Enough?
34
+
35
+ Resilience costs money and complexity; decide deliberately, per system tier:
36
+
37
+ - **Availability target** — align with the SLOs (`observability-design`);
38
+ five nines for an internal dashboard is waste, three nines for checkout is
39
+ negligence.
40
+ - **RTO** (how long may recovery take) and **RPO** (how much data may be lost)
41
+ per data store — these two numbers *are* the DR design: they decide between
42
+ backups (hours/minutes), warm standby (minutes/seconds), and multi-region
43
+ active-active (seconds/none), whose costs differ by orders of magnitude.
44
+
45
+ ### Step 3: Apply the Stability Patterns at the Boundaries
46
+
47
+ Every remote call gets the basics — this is where most real-world resilience
48
+ lives, not in exotic infrastructure:
49
+
50
+ - **Timeouts on everything** (the default infinite timeout is the root cause
51
+ of most cascades), sized from the caller's budget, not the callee's average.
52
+ - **Retries with exponential backoff + jitter**, only on idempotent
53
+ operations, with a **retry budget** — naive retries turn a blip into a
54
+ self-inflicted DDoS (the retry storm).
55
+ - **Circuit breakers** on dependencies that can hang or flap — fail fast and
56
+ give the dependency room to recover.
57
+ - **Bulkheads** — isolate resource pools per dependency/tenant so one bad
58
+ citizen can't exhaust the shared thread/connection pool.
59
+ - **Load shedding & backpressure** — reject cheap and early at the edge when
60
+ saturated, prioritizing by request value; a queue that only grows is an
61
+ outage on layaway.
62
+ - **Graceful degradation** — decide *in advance* what turns off first: serve
63
+ stale cache, disable recommendations, queue writes. Degraded-but-usable is
64
+ the design goal; all-or-nothing is the anti-pattern.
65
+ - **Idempotency keys** on mutating endpoints — they're what make retries and
66
+ failover safe end to end.
67
+
68
+ ### Step 4: Design Recovery for Data — Backups Are a Hypothesis
69
+
70
+ A backup that has never been restored is a hope, not a plan:
71
+
72
+ - Automate backups to match the RPO; keep at least one copy isolated from the
73
+ blast radius (other account/region; immutable/offline for ransomware-class
74
+ events).
75
+ - **Test restores on a schedule** — a real restore into a real environment,
76
+ timed against the RTO, verified for integrity. The restore test failing in
77
+ a drill is a gift; failing during an incident is the disaster.
78
+ - Remember correlated data failure: replication is not backup (it replicates
79
+ the corruption); point-in-time recovery covers the bad-deploy-wrote-garbage
80
+ case.
81
+
82
+ ### Step 5: Verify with Experiments — Chaos, Then Game Days
83
+
84
+ Untested failover fails over nothing. Prove the Step-3/4 mechanisms:
85
+
86
+ - **Chaos experiments**: hypothesis-driven ("if we kill one API pod, error
87
+ rate stays < 0.1%"), smallest blast radius first, in staging before
88
+ production, always with an abort switch and observability watching. Start
89
+ embarrassingly small — kill one instance, add 200ms latency to one
90
+ dependency — most systems fail the small test first.
91
+ - **Game days**: rehearse the human half — a scenario ("region us-east is
92
+ gone", "restore yesterday's DB"), the on-call team executing the real
93
+ runbooks, a timer against RTO. Findings feed runbook and design fixes, and
94
+ the loop repeats. This is also how `incident-response` gets practiced before
95
+ it's needed.
96
+
97
+ ### Step 6: Close the Loop
98
+
99
+ Every real incident and every drill updates the Step-1 failure-mode list (was
100
+ this mode known? why not?), the patterns, and the runbooks — via
101
+ `retrospective` post-mortems. Resilience is a cycle, not a milestone: new
102
+ dependencies arrive with default-infinite timeouts every sprint.
103
+
104
+ ## Principles Applied
105
+
106
+ - **Slow is worse than dead**: hung dependencies cascade; timeouts and
107
+ breakers convert hangs into fast, handleable failures.
108
+ - **RTO/RPO before mechanism**: pick the numbers first — they select the
109
+ design and the budget honestly.
110
+ - **Tested or theoretical**: failover, restores, and degradation paths count
111
+ only after they've run — in a drill or in anger.
112
+
113
+ ## Cross-Skill References
114
+
115
+ - `observability-design` — the SLOs, alerting, and dashboards that detect failure
116
+ - `incident-response` — executing under fire what this skill rehearses in peace
117
+ - `rollback-strategy` — the deploy-level undo; this skill covers system-level failure
118
+ - `architecture-design` — recording redundancy/DR trade-offs as ADRs
119
+ - `containerization` / `infrastructure-as-code` — where health checks, pod
120
+ disruption budgets, and multi-AZ topology get implemented
121
+ - `retrospective` — turning incidents and game-day findings into fixes