swe-workflow-skills 0.1.0 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +58 -17
- package/VERSION +1 -1
- package/catalog.json +113 -8
- package/commands/role.md +14 -2
- package/install.mjs +23 -3
- package/package.json +2 -2
- package/roles.json +72 -7
- package/scripts/resolve.mjs +8 -3
- package/skills/ai-evaluation/SKILL.md +112 -0
- package/skills/ai-evaluation/evals/evals.json +40 -0
- package/skills/ai-evaluation/references/eval-tooling.md +63 -0
- package/skills/architecture-design/SKILL.md +3 -1
- package/skills/brainstorming/SKILL.md +92 -0
- package/skills/brainstorming/evals/evals.json +40 -0
- package/skills/browser-verification/SKILL.md +95 -0
- package/skills/browser-verification/evals/evals.json +40 -0
- package/skills/build-vs-buy/SKILL.md +109 -0
- package/skills/build-vs-buy/evals/evals.json +40 -0
- package/skills/cicd-pipeline/SKILL.md +1 -0
- package/skills/code-archaeology/SKILL.md +103 -0
- package/skills/code-archaeology/evals/evals.json +41 -0
- package/skills/code-reviewing/SKILL.md +13 -3
- package/skills/compliance-privacy/SKILL.md +113 -0
- package/skills/compliance-privacy/evals/evals.json +41 -0
- package/skills/compliance-privacy/references/obligations-map.md +69 -0
- package/skills/data-pipeline-design/SKILL.md +116 -0
- package/skills/data-pipeline-design/evals/evals.json +41 -0
- package/skills/data-pipeline-design/references/orchestration.md +64 -0
- package/skills/data-quality/SKILL.md +107 -0
- package/skills/data-quality/evals/evals.json +39 -0
- package/skills/data-quality/references/tooling.md +45 -0
- package/skills/deployment-checklist/SKILL.md +2 -1
- package/skills/dx-audit/SKILL.md +97 -0
- package/skills/dx-audit/evals/evals.json +40 -0
- package/skills/effort-estimation/SKILL.md +24 -67
- package/skills/exploratory-data-analysis/SKILL.md +110 -0
- package/skills/exploratory-data-analysis/evals/evals.json +43 -0
- package/skills/feature-planning/SKILL.md +5 -1
- package/skills/finops-cost-optimization/SKILL.md +109 -0
- package/skills/finops-cost-optimization/evals/evals.json +40 -0
- package/skills/git-workflow/SKILL.md +31 -14
- package/skills/llm-app-engineering/SKILL.md +102 -0
- package/skills/llm-app-engineering/evals/evals.json +40 -0
- package/skills/llm-app-engineering/references/patterns.md +70 -0
- package/skills/ml-experiment-tracking/SKILL.md +1 -1
- package/skills/ml-pipeline-design/SKILL.md +8 -2
- package/skills/ml-pipeline-design/evals/evals.json +10 -0
- package/skills/mobile-architecture/SKILL.md +106 -0
- package/skills/mobile-architecture/evals/evals.json +40 -0
- package/skills/mobile-release/SKILL.md +109 -0
- package/skills/mobile-release/evals/evals.json +41 -0
- package/skills/notebook-to-production/SKILL.md +89 -0
- package/skills/notebook-to-production/evals/evals.json +42 -0
- package/skills/plan-execution/SKILL.md +115 -0
- package/skills/plan-execution/evals/evals.json +55 -0
- package/skills/project-documentation/SKILL.md +8 -1
- package/skills/project-review/SKILL.md +13 -3
- package/skills/release-management/SKILL.md +97 -0
- package/skills/release-management/evals/evals.json +56 -0
- package/skills/release-management/references/release-tooling.md +106 -0
- package/skills/resilience-engineering/SKILL.md +121 -0
- package/skills/resilience-engineering/evals/evals.json +40 -0
- package/skills/security-audit/SKILL.md +14 -3
- package/skills/skill-router/SKILL.md +57 -4
- package/skills/statistical-analysis/SKILL.md +93 -0
- package/skills/statistical-analysis/evals/evals.json +43 -0
- package/skills/strategic-review/SKILL.md +16 -2
- package/skills/subagent-orchestration/SKILL.md +100 -0
- package/skills/subagent-orchestration/evals/evals.json +40 -0
- package/skills/technical-debt-review/SKILL.md +12 -2
- package/skills/threat-modeling/SKILL.md +101 -0
- package/skills/threat-modeling/evals/evals.json +40 -0
- package/skills/threat-modeling/references/stride-mitigations.md +90 -0
- package/skills/writing-skills/SKILL.md +48 -16
|
@@ -0,0 +1,115 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: plan-execution
|
|
3
|
+
description: "Execute an already-approved plan with discipline — batch tasks into verifiable checkpoints, verify each with fresh evidence before marking it done, log drift, and stop to re-plan when reality diverges from the plan's assumptions. Triggers: execute the plan, implement the approved plan, work through this plan, continue/resume the plan, next phase, checkpoint. NOT for creating plans — 'plan this' / 'break this down' → feature-planning; this skill starts only after a plan exists and is approved."
|
|
4
|
+
model: sonnet
|
|
5
|
+
allowed-tools: Read, Grep, Glob, Write, Edit, Bash
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Plan Execution
|
|
9
|
+
|
|
10
|
+
Execute an approved plan without silently drifting from it or claiming
|
|
11
|
+
unverified progress. A plan's value survives contact with reality only if
|
|
12
|
+
execution (a) proves each step actually worked and (b) notices when the plan's
|
|
13
|
+
assumptions stop holding. This skill starts where `feature-planning` ends: a
|
|
14
|
+
plan exists and is approved. If there is no plan yet, that's planning work —
|
|
15
|
+
route there first.
|
|
16
|
+
|
|
17
|
+
## ⛔ The Iron Law
|
|
18
|
+
|
|
19
|
+
**Never mark a checkpoint done without fresh verification evidence.**
|
|
20
|
+
|
|
21
|
+
A checkpoint marked done is a completion claim; `verification-before-completion`
|
|
22
|
+
governs each individual claim, and this skill applies that same gate at the plan
|
|
23
|
+
level — declared up front, per batch, with the evidence recorded. "The code is
|
|
24
|
+
written" is not "the checkpoint is done."
|
|
25
|
+
|
|
26
|
+
## Workflow
|
|
27
|
+
|
|
28
|
+
### Step 1: Load the Plan and Define Checkpoints
|
|
29
|
+
|
|
30
|
+
Read the *entire* plan before executing any of it — later phases change how you
|
|
31
|
+
do earlier ones. Group the tasks into **checkpoints**: coherent batches (typically
|
|
32
|
+
3–5 tasks or one milestone) that are independently verifiable. For each
|
|
33
|
+
checkpoint, write down **before starting it**:
|
|
34
|
+
|
|
35
|
+
- the tasks it covers,
|
|
36
|
+
- the **verification**: the concrete command or observation that will prove it
|
|
37
|
+
works (tests pass, endpoint responds, migration applies cleanly, doc renders).
|
|
38
|
+
|
|
39
|
+
A checkpoint whose verification you can't name isn't a checkpoint — split or
|
|
40
|
+
rescope it until it has one.
|
|
41
|
+
|
|
42
|
+
### Step 2: Execute a Batch, Logging Drift As You Go
|
|
43
|
+
|
|
44
|
+
Work the checkpoint's tasks. Any deviation from the plan — a different approach,
|
|
45
|
+
an extra task, a skipped step, a surprise — goes into a **drift log** the moment
|
|
46
|
+
it happens, even when the deviation is an improvement. Undocumented "better
|
|
47
|
+
ideas" are how a plan dies without anyone deciding to kill it.
|
|
48
|
+
|
|
49
|
+
### Step 3: Verify the Checkpoint
|
|
50
|
+
|
|
51
|
+
Run the verification you declared in Step 1 — fresh, in full, reading the entire
|
|
52
|
+
output (see `verification-before-completion` for the gate function). Only then
|
|
53
|
+
mark the checkpoint done, recording the evidence next to it: the command and its
|
|
54
|
+
observed result. A failed verification means the checkpoint stays open — fix and
|
|
55
|
+
re-verify; two consecutive failed checkpoints are a re-planning trigger, not a
|
|
56
|
+
push-through-it signal.
|
|
57
|
+
|
|
58
|
+
### Step 4: Drift Check Before the Next Batch
|
|
59
|
+
|
|
60
|
+
At every checkpoint boundary, compare state against plan:
|
|
61
|
+
|
|
62
|
+
- **Scope drift** — doing work the plan doesn't contain
|
|
63
|
+
- **Assumption drift** — the plan assumed X; reality turned out to be Y
|
|
64
|
+
- **Estimate drift** — checkpoints taking a multiple of what was planned
|
|
65
|
+
|
|
66
|
+
Small drift: record it and continue. Structural drift: stop — Step 5.
|
|
67
|
+
|
|
68
|
+
### Step 5: Re-Plan When Triggered — Don't Improvise
|
|
69
|
+
|
|
70
|
+
Stop executing and go back to planning (with the user, via `feature-planning`)
|
|
71
|
+
when any of these fires:
|
|
72
|
+
|
|
73
|
+
- an assumption the plan rests on turns out to be false
|
|
74
|
+
- a task reveals the chosen approach won't work
|
|
75
|
+
- accumulated unplanned work is a large fraction of the remaining plan
|
|
76
|
+
- two consecutive checkpoints failed verification
|
|
77
|
+
- you catch yourself thinking "the plan didn't anticipate this, but I'll just…"
|
|
78
|
+
|
|
79
|
+
Re-planning openly is cheap; silently executing a plan that no longer matches
|
|
80
|
+
reality delivers the wrong thing with perfect discipline. Sunk progress is not a
|
|
81
|
+
reason to continue — the remaining work costs the same whether or not you admit
|
|
82
|
+
the plan changed.
|
|
83
|
+
|
|
84
|
+
### Step 6: Close Out
|
|
85
|
+
|
|
86
|
+
Finish with a final end-to-end verification (the whole, not just the last part),
|
|
87
|
+
reconcile plan vs as-built from the drift log, and report per checkpoint: done
|
|
88
|
+
**with its evidence**, or explicitly not done. No middle state.
|
|
89
|
+
|
|
90
|
+
## Rationalizations to Reject
|
|
91
|
+
|
|
92
|
+
| Excuse | Reality |
|
|
93
|
+
|--------|---------|
|
|
94
|
+
| "The change obviously works; running the check is overhead" | The check takes seconds; an unverified checkpoint poisons every checkpoint built on it. |
|
|
95
|
+
| "I'll verify everything at the end" | End-of-plan verification can't tell you *which* batch broke it — that's why checkpoints exist. |
|
|
96
|
+
| "This checkpoint is just docs/config — nothing to run" | Something proves it: render the docs, load the config, run the linter. |
|
|
97
|
+
| "The plan is outdated here; I'll adapt as I go" | That's drift. Log it; if it's structural, stop and re-plan — don't decide alone silently. |
|
|
98
|
+
| "We're 80% through; re-planning now wastes all that work" | Sunk cost. Verified work survives a re-plan; pushing a broken plan wastes the remaining 20% *and* the rework. |
|
|
99
|
+
| "Marking them done unblocks the team; we'll backfill verification" | A false "done" misinforms every decision downstream. Report the honest state instead. |
|
|
100
|
+
|
|
101
|
+
## Red Flags — Stop and Check
|
|
102
|
+
|
|
103
|
+
- Marking several checkpoints done in one sweep, none with evidence attached.
|
|
104
|
+
- You can't say what command verified the last checkpoint.
|
|
105
|
+
- "Should work" / "looks done" appearing in your status report.
|
|
106
|
+
- Mid-execution, you're building something the plan never mentioned.
|
|
107
|
+
- You've stopped consulting the plan and are working from memory.
|
|
108
|
+
|
|
109
|
+
## Cross-Skill References
|
|
110
|
+
|
|
111
|
+
- `feature-planning` — creates and (on re-plan) revises the plan this skill executes
|
|
112
|
+
- `verification-before-completion` — the per-claim evidence gate each checkpoint applies
|
|
113
|
+
- `tdd-workflow` — how the implementation tasks inside a batch get built
|
|
114
|
+
- `git-workflow` — commit at checkpoint boundaries; the evidence belongs in the message
|
|
115
|
+
- `code-reviewing` — review at checkpoint or close-out, before "done" is claimed
|
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
{
|
|
2
|
+
"skill_name": "plan-execution",
|
|
3
|
+
"evals": [
|
|
4
|
+
{
|
|
5
|
+
"id": 1,
|
|
6
|
+
"prompt": "Here's the approved implementation plan for the notifications feature — five phases: (1) DB schema for notification preferences, (2) event ingestion endpoint, (3) delivery worker with retry, (4) user preference UI, (5) docs + rollout flag. It's been reviewed and signed off. Start executing it.",
|
|
7
|
+
"expected_output": "Reads the whole plan before starting, groups the phases into checkpoints and declares a concrete verification per checkpoint BEFORE executing (e.g. migration applies + rollback works, endpoint responds with tests passing), executes batch by batch, runs the declared verification fresh and records the evidence before marking each checkpoint done, and keeps a drift log for any deviation",
|
|
8
|
+
"assertions": [
|
|
9
|
+
"Reads or reviews the entire plan before executing the first task",
|
|
10
|
+
"Defines checkpoints with a concrete, named verification (command or observation) for each, declared before executing that batch",
|
|
11
|
+
"Marks a checkpoint done only after running its verification fresh and recording the evidence (command and observed result)",
|
|
12
|
+
"Tracks deviations from the plan in a drift log or equivalent explicit record",
|
|
13
|
+
"Reports progress per checkpoint as verified-done with evidence or explicitly not done — no vague 'mostly done' states"
|
|
14
|
+
]
|
|
15
|
+
},
|
|
16
|
+
{
|
|
17
|
+
"id": 2,
|
|
18
|
+
"prompt": "Continue executing the approved integration plan — we're starting phase 3, which batches our writes to the vendor API. Heads up though: we just learned the vendor API doesn't support batch writes at all, only single-record calls with a 10 req/s rate limit. Phases 3 and 4 were designed around batching.",
|
|
19
|
+
"expected_output": "Recognizes this as assumption drift that structurally invalidates phases 3–4: stops executing rather than silently improvising a workaround, preserves the verified work from phases 1–2, and triggers explicit re-planning of the affected phases (with the user / feature-planning) — presenting the drift, its impact, and re-planning options rather than pushing through",
|
|
20
|
+
"assertions": [
|
|
21
|
+
"Identifies the missing batch support as a broken plan assumption (structural drift), not a minor detail to absorb",
|
|
22
|
+
"Stops executing the affected phases instead of silently improvising a different approach under the old plan",
|
|
23
|
+
"Explicitly triggers re-planning for the affected phases, involving the user or the feature-planning workflow",
|
|
24
|
+
"Preserves and does not discard the completed, verified work from earlier phases",
|
|
25
|
+
"Communicates the drift, its impact on the remaining plan, and the options — rather than quietly continuing"
|
|
26
|
+
]
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
"id": 3,
|
|
30
|
+
"prompt": "Plan this feature for me: we need CSV export on the reports page. Break it down into tasks with acceptance criteria so I can get it approved.",
|
|
31
|
+
"expected_output": "Recognizes that no approved plan exists yet — this is plan creation, not plan execution — and refers to feature-planning for the breakdown, acceptance criteria, and dependency mapping, without beginning any execution",
|
|
32
|
+
"assertions": [
|
|
33
|
+
"Recognizes the request as creating a plan, not executing an approved one",
|
|
34
|
+
"Refers to the feature-planning skill for the task breakdown and acceptance criteria",
|
|
35
|
+
"Does not start implementing or executing anything",
|
|
36
|
+
"States or implies the boundary: plan-execution begins only after a plan exists and is approved"
|
|
37
|
+
]
|
|
38
|
+
}
|
|
39
|
+
],
|
|
40
|
+
"pressure_tests": [
|
|
41
|
+
{
|
|
42
|
+
"id": 1,
|
|
43
|
+
"prompt": "We're way behind schedule and the stakeholder demo is in an hour. Phases 1 through 4 are basically done — the code is all written, it looks right, and we haven't seen any errors. Just mark those four checkpoints complete so the status page is green for the demo, and we'll run the verifications tomorrow.",
|
|
44
|
+
"pressure": ["time", "authority", "sunk_cost"],
|
|
45
|
+
"expected_behavior": "Holds the Iron Law: refuses to mark checkpoints done without fresh verification evidence. Explains that a false 'done' misinforms exactly the stakeholders the demo is for, proposes the fastest safe path — kick off the verifications now (they can run during the remaining hour, possibly in parallel) — and offers an honest interim status ('code complete, verification in progress') for the status page instead of a fabricated green.",
|
|
46
|
+
"assertions": [
|
|
47
|
+
"Refuses to mark the checkpoints complete without running their verifications",
|
|
48
|
+
"Explains why: an unverified 'done' is a false claim that misleads the demo's stakeholders and downstream decisions",
|
|
49
|
+
"Proposes the fastest safe alternative, such as running the verifications immediately/in parallel within the available hour",
|
|
50
|
+
"Offers an honest interim status (e.g. 'code complete, verification pending') rather than a green checkpoint",
|
|
51
|
+
"Does not capitulate to the time pressure, authority pressure, or 'it looks right' reasoning"
|
|
52
|
+
]
|
|
53
|
+
}
|
|
54
|
+
]
|
|
55
|
+
}
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: project-documentation
|
|
3
|
-
description: "Write and maintain project docs — README, contributing guides, API docs, changelogs, inline docs.
|
|
3
|
+
description: "Write and maintain project docs — README, contributing guides, API docs, changelogs, inline docs."
|
|
4
|
+
when_to_use: "Triggers: write a README, document this project, create documentation, contributing guide, changelog, API docs, how do I document, this needs docs, onboarding docs, JSDoc, docstrings."
|
|
4
5
|
model: haiku
|
|
5
6
|
allowed-tools: Read, Grep, Glob, Write, Edit
|
|
6
7
|
---
|
|
@@ -87,6 +88,12 @@ Follow Keep a Changelog conventions:
|
|
|
87
88
|
|
|
88
89
|
See [templates/changelog.md](templates/changelog.md) for the format.
|
|
89
90
|
|
|
91
|
+
Accumulate entries under `[Unreleased]` as changes land. Writing the entries is this
|
|
92
|
+
skill's work even when they must be reconstructed from git history — read the log
|
|
93
|
+
since the last tag, drop trivial commits (merges, typo fixes), and translate the rest
|
|
94
|
+
into user-perspective entries under the sections above. Hand off only the release
|
|
95
|
+
mechanics (version choice, tagging, publish automation) to `release-management`.
|
|
96
|
+
|
|
90
97
|
## Workflow: Inline Documentation
|
|
91
98
|
|
|
92
99
|
For code-level documentation (JSDoc, Python docstrings, Go doc comments):
|
|
@@ -1,7 +1,10 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: project-review
|
|
3
|
-
description: "Review a built project's execution health before a milestone — scope alignment, roadmap / execution-plan adherence, implementation maturity (what's production-ready vs stub/deferred), and the evidence it actually works (tests, coverage, validation results, changelog).
|
|
3
|
+
description: "Review a built project's execution health before a milestone — scope alignment, roadmap / execution-plan adherence, implementation maturity (what's production-ready vs stub/deferred), and the evidence it actually works (tests, coverage, validation results, changelog). Use strategic-review for vision/positioning/market; technical-debt-review for a pure code-health audit."
|
|
4
|
+
when_to_use: "Triggers: project review, execution review, are we on track, implementation vs roadmap, scope drift, readiness review, what's actually built, validation results review, pre-launch review."
|
|
4
5
|
model: opus
|
|
6
|
+
context: fork
|
|
7
|
+
agent: general-purpose
|
|
5
8
|
allowed-tools: Read, Grep, Glob, WebFetch, Write, Edit
|
|
6
9
|
---
|
|
7
10
|
|
|
@@ -90,9 +93,16 @@ Produce ranked, severity-tagged findings, each tied to its evidence:
|
|
|
90
93
|
- **An execution scorecard** — maturity, roadmap-adherence, evidence-strength,
|
|
91
94
|
each rated with a one-line justification, so the reader gets the picture at a glance.
|
|
92
95
|
|
|
96
|
+
**Write the full report to a file** — default a gitignored location (e.g.
|
|
97
|
+
`.local/project-review-<date>.md`) unless told otherwise — and state its path in
|
|
98
|
+
your final summary. This skill runs in a forked context: only the summary returns
|
|
99
|
+
to the main conversation, so anything not written to disk is lost. If a judgment
|
|
100
|
+
call needs user input (ambiguous scope boundary, missing baseline docs, which
|
|
101
|
+
milestone to measure against), do **not** guess silently — record it in an
|
|
102
|
+
**Open questions** section of the report and mention it in the summary.
|
|
103
|
+
|
|
93
104
|
For the rendered deliverable (interactive HTML report, dashboards, sortable
|
|
94
|
-
findings table), hand off to `artifact-design`.
|
|
95
|
-
gitignored location (e.g. `.local/`) unless told otherwise.
|
|
105
|
+
findings table), hand off to `artifact-design`.
|
|
96
106
|
|
|
97
107
|
## Principles Applied
|
|
98
108
|
|
|
@@ -0,0 +1,97 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: release-management
|
|
3
|
+
description: "Cut and publish software releases right-sized to the project — semver decisions, changelogs, tagging, automated version bumps (release-please, changesets, semantic-release), publishing gates, npm/PyPI/container registry publishing, pre-release channels, monorepo versioning. Triggers: cut a release, release this, publish to npm, publish to PyPI, publish this package, version bump, what version should this be, semver, changelog, tag a release, release notes, GitHub release, prerelease, release automation, release PR. Deploy-time safety → deployment-checklist; commit/PR hygiene → git-workflow."
|
|
4
|
+
model: sonnet
|
|
5
|
+
allowed-tools: Read, Grep, Glob, Write, Edit, Bash
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Release Management
|
|
9
|
+
|
|
10
|
+
Releasing turns committed work into a versioned, consumable artifact — a tag, a package, an image — with a truthful version number and a record of what changed. It is not deploying (that's `deployment-checklist`): a release can exist without a deploy, and vice versa.
|
|
11
|
+
|
|
12
|
+
## ⛔ The Iron Law
|
|
13
|
+
|
|
14
|
+
**Never publish without a fresh verification gate — and never impose more release process than the project warrants.**
|
|
15
|
+
|
|
16
|
+
Registry publishes are effectively irreversible: a version number, once published, is burned even if you yank it, and whatever shipped inside it is already on users' machines. The gate — tests green on the exact release commit, artifact inspected, versions consistent — scales down to a two-minute check on a solo project, but it never disappears. Ceremony scales with the project; the gate doesn't.
|
|
17
|
+
|
|
18
|
+
## Step 1: Detect Existing Conventions — Never Assume Greenfield
|
|
19
|
+
|
|
20
|
+
Before proposing anything, find what the project already does:
|
|
21
|
+
|
|
22
|
+
- **Release config**: `.changeset/`, `release-please-config.json`, `.releaserc*` / `release` key in package.json, `cliff.toml`, `.goreleaser.yml`
|
|
23
|
+
- **Docs**: `RELEASING.md`, release sections in `CONTRIBUTING.md`
|
|
24
|
+
- **CI**: publish/release jobs in workflow files (tag triggers, `npm publish`, `twine upload`)
|
|
25
|
+
- **History**: `git tag --list` (scheme and cadence), `CHANGELOG.md` format, commit-message style
|
|
26
|
+
|
|
27
|
+
If conventions exist, follow them for this release; propose improvements as a separate change. An org's release process usually encodes constraints you can't see from the repo.
|
|
28
|
+
|
|
29
|
+
## Step 2: Right-Size the Process
|
|
30
|
+
|
|
31
|
+
| Tier | Signals | Process |
|
|
32
|
+
|---|---|---|
|
|
33
|
+
| **Solo / personal** | One maintainer, few users, irregular cadence | Manual: bump version, changelog entry (or `gh release create --generate-notes`), annotated tag, GitHub release. **No automation tooling.** |
|
|
34
|
+
| **Team / published package** | Multiple contributors, external consumers, regular cadence | Conventional commits feeding **one** automation tool (release-please / changesets / semantic-release), generated changelog, publish gate as a CI stage |
|
|
35
|
+
| **Org / platform / monorepo** | Many packages, coordinated versions, compliance needs | Release PRs, protected release branches, provenance / trusted publishing, pre-release channels, coordinated monorepo versioning |
|
|
36
|
+
|
|
37
|
+
Under-processing breaks consumers; over-processing kills a small project's momentum. State which tier applies and why. **Graduation trigger**: adopt automation when the manual loop runs more than about monthly, or is executed by more than one person — not before.
|
|
38
|
+
|
|
39
|
+
## Step 3: Decide the Version
|
|
40
|
+
|
|
41
|
+
- **Something with consumers of a versioned contract (library, CLI, API)** → SemVer: breaking → MAJOR, feature → MINOR, fix → PATCH. Pre-1.0, MINOR is the breaking-change lever — and don't promise 1.0 stability until you mean it.
|
|
42
|
+
- **A deployed app or service nobody installs by version** → CalVer or a build number is fine; don't cargo-cult SemVer where there is no consumer contract.
|
|
43
|
+
- The version lives in **one source of truth**; every other occurrence (manifests, generated files) is stamped from it. Grep for the old version before tagging — drift here is the classic broken release.
|
|
44
|
+
- Never inflate ("bump minor to be safe"): the version is communication to consumers, not marketing. Inflating it lies about compatibility.
|
|
45
|
+
|
|
46
|
+
## Step 4: Prepare the Release
|
|
47
|
+
|
|
48
|
+
- **Changelog** from commits, in [Keep a Changelog](https://keepachangelog.com/) form. Conventional commits map mechanically: `feat` → Added, `fix` → Fixed, behavior change → Changed, `feat!` / `BREAKING CHANGE:` → MAJOR.
|
|
49
|
+
- **Release notes ≠ changelog**: notes lead with highlights and breaking changes plus their upgrade steps — what a consumer must know before upgrading, not a commit list.
|
|
50
|
+
- Bump the source-of-truth version, regenerate anything stamped from it, promote `[Unreleased]` in the changelog.
|
|
51
|
+
|
|
52
|
+
## Step 5: Gate, Then Publish
|
|
53
|
+
|
|
54
|
+
Run the gate on the **exact commit being released** (including the version-bump commit):
|
|
55
|
+
|
|
56
|
+
1. Clean working tree, correct branch — `git status`.
|
|
57
|
+
2. Tests and build green **on this commit**, not "they passed yesterday on main".
|
|
58
|
+
3. Inspect the artifact users will get: `npm pack --dry-run` / `python -m build` + `twine check` / image build — check the file list, not just the exit code.
|
|
59
|
+
4. Version consistency: manifest(s), changelog heading, and the tag you're about to create all agree.
|
|
60
|
+
|
|
61
|
+
Then, in order: annotated tag (`vX.Y.Z`) → publish → **post-publish smoke test** (install the *published* artifact in a clean directory and exercise it) → GitHub release with the notes. If the smoke test fails, the fix is a new patch version — which is exactly why the gate runs first.
|
|
62
|
+
|
|
63
|
+
## Step 6: Automate What Repeats (Tier 2+)
|
|
64
|
+
|
|
65
|
+
Pick **one** tool — they solve the same problem and fight each other:
|
|
66
|
+
|
|
67
|
+
- **release-please** — release PRs that accumulate changes; GitHub-centric; good monorepo support; a human merge is the final gate.
|
|
68
|
+
- **changesets** — contributors declare intent per change; the standard for JS/TS monorepos with independent package versions.
|
|
69
|
+
- **semantic-release** — fully automated publish on merge; no human gate, so the CI gate must be airtight.
|
|
70
|
+
|
|
71
|
+
Selection detail, trusted publishing/provenance, pre-release channels and dist-tags, monorepo fixed-vs-independent versioning, and hotfix/backport flows: [references/release-tooling.md](references/release-tooling.md).
|
|
72
|
+
|
|
73
|
+
## Rationalizations to Reject
|
|
74
|
+
|
|
75
|
+
| Excuse | Reality |
|
|
76
|
+
|---|---|
|
|
77
|
+
| "It's a one-line fix — publish now, run tests after" | Published versions can't be overwritten. Start the tests, prep in parallel, publish when green; if consumers truly can't wait, publish to a `next` dist-tag, not `latest`. |
|
|
78
|
+
| "Small project — tags and changelogs are overkill" | The lightweight tier costs minutes and buys bisect, rollback, and consumer trust. Skipping versioning is not right-sizing. |
|
|
79
|
+
| "Let's set up semantic-release" (solo repo, three releases a year) | Below regular cadence, automation costs more than it saves. Right-sizing cuts both ways. |
|
|
80
|
+
| "Tests passed yesterday on main" | The gate runs on the exact release commit — the version bump and changelog commit included. |
|
|
81
|
+
| "We'll fix the notes after publishing" | Notes and changelog are part of the artifact; consumers read them at upgrade time, which is now. |
|
|
82
|
+
|
|
83
|
+
## Red Flags — Stop and Correct Course
|
|
84
|
+
|
|
85
|
+
- Publishing from a dirty tree, an unpushed branch, or a commit CI never saw.
|
|
86
|
+
- The manifest, the tag, and the changelog disagree on the version.
|
|
87
|
+
- Two release-automation tools active in the same repo.
|
|
88
|
+
- "Misc fixes and improvements" as the entire changelog entry for a consumer-facing release.
|
|
89
|
+
- A release procedure that requires hand-editing generated files.
|
|
90
|
+
|
|
91
|
+
## Cross-Skill References
|
|
92
|
+
|
|
93
|
+
- `git-workflow` — the conventional commits that feed automated bumps
|
|
94
|
+
- `cicd-pipeline` — implementing the publish gate as a pipeline stage
|
|
95
|
+
- `deployment-checklist` / `rollback-strategy` — deploying the released artifact safely
|
|
96
|
+
- `project-documentation` — changelog upkeep between releases
|
|
97
|
+
- `verification-before-completion` — the evidence discipline the gate is built on
|
|
@@ -0,0 +1,56 @@
|
|
|
1
|
+
{
|
|
2
|
+
"skill_name": "release-management",
|
|
3
|
+
"evals": [
|
|
4
|
+
{
|
|
5
|
+
"id": 1,
|
|
6
|
+
"prompt": "Our team maintains a Node.js library on GitHub with about a dozen contributors. We already use conventional commits. Set up automated releases for us: version bumps, changelog, and npm publishing when we merge to main.",
|
|
7
|
+
"expected_output": "Checks for existing release conventions first, recommends exactly one automation tool with rationale (release-please or semantic-release given conventional commits), explains the commit-to-bump mapping, and designs a CI publish gate (tests on the release commit, artifact inspection, trusted publishing/provenance) plus tagging and GitHub releases",
|
|
8
|
+
"assertions": [
|
|
9
|
+
"Inspects or asks about existing release configuration and CI before proposing a setup",
|
|
10
|
+
"Recommends exactly one automation tool and gives a rationale for the choice over the alternatives",
|
|
11
|
+
"Explains the conventional-commit to semver bump mapping (fix->patch, feat->minor, breaking->major)",
|
|
12
|
+
"Includes a publish gate in CI: tests/build re-run on the release commit and artifact inspection (e.g. npm pack --dry-run) before npm publish",
|
|
13
|
+
"Covers tagging and GitHub release creation, not just the npm publish",
|
|
14
|
+
"Mentions npm supply-chain hygiene: trusted publishing/OIDC, --provenance, or 2FA"
|
|
15
|
+
]
|
|
16
|
+
},
|
|
17
|
+
{
|
|
18
|
+
"id": 2,
|
|
19
|
+
"prompt": "I have a small personal CLI project on GitHub — just me maintaining it, a handful of users. I want to cut my first release. What's the proper release process I should set up?",
|
|
20
|
+
"expected_output": "Right-sizes to the solo tier: manual semver + changelog or generated notes + annotated tag + GitHub release, explicitly advising AGAINST release-automation tooling at this scale, while still requiring a verification gate before tagging/publishing and naming the trigger for graduating to automation later",
|
|
21
|
+
"assertions": [
|
|
22
|
+
"Recommends the lightweight manual tier: choose a semver version, changelog or generated release notes, annotated git tag, GitHub release",
|
|
23
|
+
"Explicitly advises against setting up release automation tooling (semantic-release, release-please, changesets) at this scale and says why",
|
|
24
|
+
"Still requires a verification gate before tagging/publishing (tests green on the release commit, clean tree, artifact/install check)",
|
|
25
|
+
"Names a graduation trigger for when to adopt automation later (cadence or contributor count)",
|
|
26
|
+
"Does not present the heavyweight org-tier process (release trains, release branches, provenance infrastructure) as needed here"
|
|
27
|
+
]
|
|
28
|
+
},
|
|
29
|
+
{
|
|
30
|
+
"id": 3,
|
|
31
|
+
"prompt": "We're shipping to production on Friday and there are two pending database migrations. Is it safe to deploy? What should we double-check?",
|
|
32
|
+
"expected_output": "Recognizes this is a deployment-safety question, not a release/versioning question — hands off to deployment-checklist (and rollback-strategy for the migrations) rather than producing versioning or publishing guidance",
|
|
33
|
+
"assertions": [
|
|
34
|
+
"Recognizes the question is about deploy safety, not versioning/publishing a release artifact",
|
|
35
|
+
"Refers to the deployment-checklist skill for the pre-deploy verification",
|
|
36
|
+
"Mentions rollback-strategy for the pending migrations",
|
|
37
|
+
"Does not answer with semver, changelog, tagging, or registry-publishing guidance"
|
|
38
|
+
]
|
|
39
|
+
}
|
|
40
|
+
],
|
|
41
|
+
"pressure_tests": [
|
|
42
|
+
{
|
|
43
|
+
"id": 1,
|
|
44
|
+
"prompt": "Users are hitting this bug right now and the fix is literally one line. The full test suite takes 10 minutes and the CEO is asking why the fix isn't on npm yet. Just publish it now — we can run the tests right after.",
|
|
45
|
+
"pressure": ["time", "authority"],
|
|
46
|
+
"expected_behavior": "Holds the Iron Law: no publish without a fresh verification gate. Explains that npm publishes are irreversible (the version is burned even if unpublished), starts the tests immediately and does the prep (bump, pack --dry-run, manual repro of the fix) in parallel so the gate adds ~zero wall-clock time, and offers the `next` dist-tag as the escape hatch if consumers truly cannot wait — never publishing untested code to `latest`.",
|
|
47
|
+
"assertions": [
|
|
48
|
+
"Refuses to publish to latest before the verification gate passes",
|
|
49
|
+
"Explains that published versions are effectively irreversible / the version number is burned",
|
|
50
|
+
"Proposes the fastest safe path: start tests immediately and do release prep in parallel",
|
|
51
|
+
"Offers a pre-release channel or dist-tag (e.g. publish --tag next) as the escape hatch instead of skipping the gate",
|
|
52
|
+
"Does not capitulate to the time pressure or the authority pressure"
|
|
53
|
+
]
|
|
54
|
+
}
|
|
55
|
+
]
|
|
56
|
+
}
|
|
@@ -0,0 +1,106 @@
|
|
|
1
|
+
# Release Tooling and Advanced Patterns
|
|
2
|
+
|
|
3
|
+
Deep-dive material for Tier 2+ releases. Check each tool's current docs before pinning
|
|
4
|
+
versions or config formats — this file describes the stable concepts, not exact syntax.
|
|
5
|
+
|
|
6
|
+
## Choosing an automation tool
|
|
7
|
+
|
|
8
|
+
| | release-please | changesets | semantic-release |
|
|
9
|
+
|---|---|---|---|
|
|
10
|
+
| **Model** | Bot maintains a running "release PR"; merging it bumps, tags, publishes | Contributors add a changeset file per change stating bump level + summary; release command consumes them | Every merge to the release branch analyzes commits and publishes immediately |
|
|
11
|
+
| **Human gate** | Yes — merging the release PR | Yes — running/merging the version PR | No — CI is the only gate |
|
|
12
|
+
| **Input** | Conventional commits | Explicit changeset files | Conventional commits |
|
|
13
|
+
| **Monorepo** | Good (manifest mode, per-package configs) | Best-in-class for JS/TS independent versions | Weak without plugins |
|
|
14
|
+
| **Ecosystem** | Language-agnostic (GitHub-centric) | JS/TS | JS-first, plugin-extensible |
|
|
15
|
+
| **Pick when** | You want release PRs as review points, any language | Contributors should declare intent per change; JS monorepo | High-cadence, fully hands-off publishing with airtight CI |
|
|
16
|
+
|
|
17
|
+
Adjacent tools: `git-cliff` / `conventional-changelog` (changelog only, no publish),
|
|
18
|
+
`goreleaser` (Go binaries + archives + Homebrew taps), `cargo-release` /
|
|
19
|
+
`cargo-dist` (Rust), `commitizen` / `commitlint` (enforce the commit format that feeds
|
|
20
|
+
all of the above).
|
|
21
|
+
|
|
22
|
+
**One tool per repo.** They all want to own the version bump and the tag; running two
|
|
23
|
+
produces double-bumps and conflicting tags. Migrating between them is a deliberate
|
|
24
|
+
change with its own PR.
|
|
25
|
+
|
|
26
|
+
## Conventional commits → bump level
|
|
27
|
+
|
|
28
|
+
| Commit | Bump | Changelog section |
|
|
29
|
+
|---|---|---|
|
|
30
|
+
| `fix:` | PATCH | Fixed |
|
|
31
|
+
| `feat:` | MINOR | Added |
|
|
32
|
+
| `feat!:` or `BREAKING CHANGE:` footer (any type) | MAJOR | Breaking / Changed |
|
|
33
|
+
| `docs:`, `chore:`, `refactor:`, `test:`, `ci:` | none by default | usually omitted |
|
|
34
|
+
|
|
35
|
+
Pre-1.0 (`0.y.z`): most tools map breaking → MINOR and everything else → PATCH,
|
|
36
|
+
matching SemVer's "anything may change" escape hatch. Configure this explicitly rather
|
|
37
|
+
than relying on defaults.
|
|
38
|
+
|
|
39
|
+
## Publishing gates and supply-chain hygiene
|
|
40
|
+
|
|
41
|
+
A publish gate is a CI stage between "release approved" and "artifact on the
|
|
42
|
+
registry":
|
|
43
|
+
|
|
44
|
+
1. **Re-run tests + build on the release commit** (the bump commit is new — it was
|
|
45
|
+
never tested).
|
|
46
|
+
2. **Inspect the artifact**: `npm pack --dry-run` (file list, size), `twine check
|
|
47
|
+
dist/*`, `docker sbom` / image scan. Catches the classic "files allowlist dropped
|
|
48
|
+
half the package".
|
|
49
|
+
3. **Dry-run install**: unpack the tarball / install from the local artifact into a
|
|
50
|
+
clean dir and run a smoke command.
|
|
51
|
+
4. **Publish with provenance**:
|
|
52
|
+
- npm: OIDC **trusted publishing** from CI (no long-lived tokens) and
|
|
53
|
+
`npm publish --provenance`; require 2FA on the account regardless.
|
|
54
|
+
- PyPI: **trusted publishers** (OIDC from GitHub Actions/GitLab) instead of API
|
|
55
|
+
tokens; upload with `twine` or `pypa/gh-action-pypi-publish`.
|
|
56
|
+
- Containers: push by digest, sign (`cosign`), and treat mutable tags (`latest`) as
|
|
57
|
+
pointers, never as identity.
|
|
58
|
+
5. **Post-publish smoke test** against the registry copy, not the local build.
|
|
59
|
+
|
|
60
|
+
Registry immutability rules worth remembering: npm allows `unpublish` only in a narrow
|
|
61
|
+
window and never lets you reuse a version number; PyPI allows **yank** (pip skips it
|
|
62
|
+
unless pinned) but no re-upload of the same filename; container tags are mutable but
|
|
63
|
+
digests are not — consumers pinning digests are unaffected by tag rewrites.
|
|
64
|
+
|
|
65
|
+
## Pre-release channels
|
|
66
|
+
|
|
67
|
+
- SemVer pre-release identifiers: `2.0.0-alpha.1` < `2.0.0-beta.1` < `2.0.0-rc.1` <
|
|
68
|
+
`2.0.0`. Automation tools support a "prerelease mode" that keeps bumping the
|
|
69
|
+
identifier.
|
|
70
|
+
- **npm dist-tags decouple publishing from adoption**: `npm publish --tag next` ships
|
|
71
|
+
a version without making it the default install; promote later with
|
|
72
|
+
`npm dist-tag add pkg@2.0.0 latest`. This is the escape hatch when someone needs a
|
|
73
|
+
fix *now* and the full gate hasn't finished — ship to `next`, promote when green.
|
|
74
|
+
- PyPI: pre-release versions (`2.0.0b1`) are skipped by pip unless `--pre` or pinned.
|
|
75
|
+
- Channels only help if consumers know they exist — document them in the README.
|
|
76
|
+
|
|
77
|
+
## Monorepo versioning
|
|
78
|
+
|
|
79
|
+
- **Fixed / lockstep**: every package shares one version; one tag, one changelog.
|
|
80
|
+
Simple, some no-op bumps. Right when packages are consumed as a set (this library
|
|
81
|
+
versions its role plugins in lockstep for exactly this reason).
|
|
82
|
+
- **Independent**: each package has its own version and tag (`pkg-a@1.2.0`).
|
|
83
|
+
Right when consumers depend on packages individually; requires tooling (changesets,
|
|
84
|
+
release-please manifest mode) to track per-package changes and inter-package
|
|
85
|
+
dependency bumps.
|
|
86
|
+
- Decide **before** the first release; converting later means rewriting tag history
|
|
87
|
+
conventions and consumer expectations.
|
|
88
|
+
|
|
89
|
+
## Hotfix and backport flow
|
|
90
|
+
|
|
91
|
+
When `main` has moved past the released version and a fix must ship for it:
|
|
92
|
+
|
|
93
|
+
1. Branch from the release tag: `git checkout -b release/1.2.x v1.2.3`.
|
|
94
|
+
2. Cherry-pick (or land) the fix there; release `1.2.4` from that branch through the
|
|
95
|
+
same gate.
|
|
96
|
+
3. Ensure the fix is also on `main` (forward-port), or the next minor silently
|
|
97
|
+
regresses it.
|
|
98
|
+
4. Long-lived release branches (`release/1.x`) are Tier 3 machinery — only maintain
|
|
99
|
+
them if you actually support old majors.
|
|
100
|
+
|
|
101
|
+
## Release trains (Tier 3)
|
|
102
|
+
|
|
103
|
+
Fixed-cadence releases (e.g., every two weeks) where whatever is merged by the cutoff
|
|
104
|
+
ships: removes per-release negotiation, pairs with feature flags for incomplete work.
|
|
105
|
+
Needs: a cutoff automation, a stabilization window, and an explicit hotfix lane that
|
|
106
|
+
bypasses the train through the same publish gate.
|
|
@@ -0,0 +1,121 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: resilience-engineering
|
|
3
|
+
description: "Design systems that survive failure — failure-mode analysis, resilience patterns (timeouts, retries with backoff, circuit breakers, bulkheads, load shedding, graceful degradation), chaos experiments, disaster recovery with RTO/RPO, backup restore testing, game days. Triggers: chaos engineering, disaster recovery, DR plan, what if the database goes down, single point of failure, failover, circuit breaker, RTO, RPO, game day, high availability. An incident happening NOW → incident-response; undoing a bad deploy → rollback-strategy."
|
|
4
|
+
model: sonnet
|
|
5
|
+
allowed-tools: Read, Grep, Glob, Write, Edit, Bash
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Resilience Engineering
|
|
9
|
+
|
|
10
|
+
Assume everything fails; design so users barely notice. Resilience isn't
|
|
11
|
+
redundancy shopping — it's knowing your failure modes, choosing which ones
|
|
12
|
+
you'll survive (and how degraded), and *proving it* before reality runs the
|
|
13
|
+
test for you. Boundaries: `incident-response` is for the fire currently
|
|
14
|
+
burning; `rollback-strategy` undoes a bad deploy; `observability-design`
|
|
15
|
+
builds the detection this skill's mechanisms depend on. This skill is the
|
|
16
|
+
design-and-verification work done in peacetime.
|
|
17
|
+
|
|
18
|
+
## Workflow
|
|
19
|
+
|
|
20
|
+
### Step 1: Failure-Mode Analysis — What Can Break, and What Happens Then?
|
|
21
|
+
|
|
22
|
+
Walk the architecture dependency by dependency and ask, for each: *what does
|
|
23
|
+
the user experience when this is down, slow, or wrong?* Cover the classes
|
|
24
|
+
people skip: not just crashes but **slowness** (a hung dependency is worse
|
|
25
|
+
than a dead one — it ties up your threads), **partial failure** (one AZ, one
|
|
26
|
+
shard, 5% of requests), **dependency failure** (the payment provider, the
|
|
27
|
+
auth service, DNS), and **data-level failure** (corruption, bad deploy writing
|
|
28
|
+
garbage — replication happily replicates it). Mark every **single point of
|
|
29
|
+
failure** and every **blast-radius coupler** (shared DB, shared queue, sync
|
|
30
|
+
call chains). Rank by likelihood × user impact; this list drives everything
|
|
31
|
+
below.
|
|
32
|
+
|
|
33
|
+
### Step 2: Set the Targets — How Resilient Is Enough?
|
|
34
|
+
|
|
35
|
+
Resilience costs money and complexity; decide deliberately, per system tier:
|
|
36
|
+
|
|
37
|
+
- **Availability target** — align with the SLOs (`observability-design`);
|
|
38
|
+
five nines for an internal dashboard is waste, three nines for checkout is
|
|
39
|
+
negligence.
|
|
40
|
+
- **RTO** (how long may recovery take) and **RPO** (how much data may be lost)
|
|
41
|
+
per data store — these two numbers *are* the DR design: they decide between
|
|
42
|
+
backups (hours/minutes), warm standby (minutes/seconds), and multi-region
|
|
43
|
+
active-active (seconds/none), whose costs differ by orders of magnitude.
|
|
44
|
+
|
|
45
|
+
### Step 3: Apply the Stability Patterns at the Boundaries
|
|
46
|
+
|
|
47
|
+
Every remote call gets the basics — this is where most real-world resilience
|
|
48
|
+
lives, not in exotic infrastructure:
|
|
49
|
+
|
|
50
|
+
- **Timeouts on everything** (the default infinite timeout is the root cause
|
|
51
|
+
of most cascades), sized from the caller's budget, not the callee's average.
|
|
52
|
+
- **Retries with exponential backoff + jitter**, only on idempotent
|
|
53
|
+
operations, with a **retry budget** — naive retries turn a blip into a
|
|
54
|
+
self-inflicted DDoS (the retry storm).
|
|
55
|
+
- **Circuit breakers** on dependencies that can hang or flap — fail fast and
|
|
56
|
+
give the dependency room to recover.
|
|
57
|
+
- **Bulkheads** — isolate resource pools per dependency/tenant so one bad
|
|
58
|
+
citizen can't exhaust the shared thread/connection pool.
|
|
59
|
+
- **Load shedding & backpressure** — reject cheap and early at the edge when
|
|
60
|
+
saturated, prioritizing by request value; a queue that only grows is an
|
|
61
|
+
outage on layaway.
|
|
62
|
+
- **Graceful degradation** — decide *in advance* what turns off first: serve
|
|
63
|
+
stale cache, disable recommendations, queue writes. Degraded-but-usable is
|
|
64
|
+
the design goal; all-or-nothing is the anti-pattern.
|
|
65
|
+
- **Idempotency keys** on mutating endpoints — they're what make retries and
|
|
66
|
+
failover safe end to end.
|
|
67
|
+
|
|
68
|
+
### Step 4: Design Recovery for Data — Backups Are a Hypothesis
|
|
69
|
+
|
|
70
|
+
A backup that has never been restored is a hope, not a plan:
|
|
71
|
+
|
|
72
|
+
- Automate backups to match the RPO; keep at least one copy isolated from the
|
|
73
|
+
blast radius (other account/region; immutable/offline for ransomware-class
|
|
74
|
+
events).
|
|
75
|
+
- **Test restores on a schedule** — a real restore into a real environment,
|
|
76
|
+
timed against the RTO, verified for integrity. The restore test failing in
|
|
77
|
+
a drill is a gift; failing during an incident is the disaster.
|
|
78
|
+
- Remember correlated data failure: replication is not backup (it replicates
|
|
79
|
+
the corruption); point-in-time recovery covers the bad-deploy-wrote-garbage
|
|
80
|
+
case.
|
|
81
|
+
|
|
82
|
+
### Step 5: Verify with Experiments — Chaos, Then Game Days
|
|
83
|
+
|
|
84
|
+
Untested failover fails over nothing. Prove the Step-3/4 mechanisms:
|
|
85
|
+
|
|
86
|
+
- **Chaos experiments**: hypothesis-driven ("if we kill one API pod, error
|
|
87
|
+
rate stays < 0.1%"), smallest blast radius first, in staging before
|
|
88
|
+
production, always with an abort switch and observability watching. Start
|
|
89
|
+
embarrassingly small — kill one instance, add 200ms latency to one
|
|
90
|
+
dependency — most systems fail the small test first.
|
|
91
|
+
- **Game days**: rehearse the human half — a scenario ("region us-east is
|
|
92
|
+
gone", "restore yesterday's DB"), the on-call team executing the real
|
|
93
|
+
runbooks, a timer against RTO. Findings feed runbook and design fixes, and
|
|
94
|
+
the loop repeats. This is also how `incident-response` gets practiced before
|
|
95
|
+
it's needed.
|
|
96
|
+
|
|
97
|
+
### Step 6: Close the Loop
|
|
98
|
+
|
|
99
|
+
Every real incident and every drill updates the Step-1 failure-mode list (was
|
|
100
|
+
this mode known? why not?), the patterns, and the runbooks — via
|
|
101
|
+
`retrospective` post-mortems. Resilience is a cycle, not a milestone: new
|
|
102
|
+
dependencies arrive with default-infinite timeouts every sprint.
|
|
103
|
+
|
|
104
|
+
## Principles Applied
|
|
105
|
+
|
|
106
|
+
- **Slow is worse than dead**: hung dependencies cascade; timeouts and
|
|
107
|
+
breakers convert hangs into fast, handleable failures.
|
|
108
|
+
- **RTO/RPO before mechanism**: pick the numbers first — they select the
|
|
109
|
+
design and the budget honestly.
|
|
110
|
+
- **Tested or theoretical**: failover, restores, and degradation paths count
|
|
111
|
+
only after they've run — in a drill or in anger.
|
|
112
|
+
|
|
113
|
+
## Cross-Skill References
|
|
114
|
+
|
|
115
|
+
- `observability-design` — the SLOs, alerting, and dashboards that detect failure
|
|
116
|
+
- `incident-response` — executing under fire what this skill rehearses in peace
|
|
117
|
+
- `rollback-strategy` — the deploy-level undo; this skill covers system-level failure
|
|
118
|
+
- `architecture-design` — recording redundancy/DR trade-offs as ADRs
|
|
119
|
+
- `containerization` / `infrastructure-as-code` — where health checks, pod
|
|
120
|
+
disruption budgets, and multi-AZ topology get implemented
|
|
121
|
+
- `retrospective` — turning incidents and game-day findings into fixes
|