swe-workflow-skills 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (177) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +144 -0
  3. package/VERSION +1 -0
  4. package/bin/cli.mjs +44 -0
  5. package/catalog.json +225 -0
  6. package/commands/role.md +34 -0
  7. package/hooks/session-start.mjs +118 -0
  8. package/install.mjs +318 -0
  9. package/package.json +47 -0
  10. package/roles.json +194 -0
  11. package/scripts/resolve.mjs +296 -0
  12. package/skills/accessibility-design/SKILL.md +128 -0
  13. package/skills/accessibility-design/evals/evals.json +51 -0
  14. package/skills/accessibility-design/references/accessibility-patterns.md +321 -0
  15. package/skills/api-design/SKILL.md +144 -0
  16. package/skills/api-design/evals/evals.json +48 -0
  17. package/skills/api-design/references/rest-conventions.md +147 -0
  18. package/skills/api-design/templates/api-spec.md +156 -0
  19. package/skills/architecture-design/SKILL.md +86 -0
  20. package/skills/architecture-design/evals/evals.json +44 -0
  21. package/skills/architecture-design/references/clean-architecture.md +147 -0
  22. package/skills/architecture-design/references/component-principles.md +129 -0
  23. package/skills/architecture-design/references/principles.md +81 -0
  24. package/skills/architecture-design/references/solid-principles.md +106 -0
  25. package/skills/architecture-design/templates/adr.md +63 -0
  26. package/skills/architecture-documentation/SKILL.md +126 -0
  27. package/skills/architecture-documentation/evals/evals.json +44 -0
  28. package/skills/architecture-documentation/references/abstraction-levels.md +91 -0
  29. package/skills/architecture-documentation/references/diagram-tooling.md +141 -0
  30. package/skills/architecture-documentation/templates/architecture-doc.md +171 -0
  31. package/skills/bug-investigating/SKILL.md +133 -0
  32. package/skills/bug-investigating/evals/evals.json +56 -0
  33. package/skills/bug-investigating/references/common-bugs.md +62 -0
  34. package/skills/bug-investigating/references/debugging-patterns.md +94 -0
  35. package/skills/cicd-pipeline/SKILL.md +87 -0
  36. package/skills/cicd-pipeline/evals/evals.json +34 -0
  37. package/skills/cicd-pipeline/references/pipeline-patterns.md +206 -0
  38. package/skills/cicd-pipeline/templates/github-actions.md +206 -0
  39. package/skills/code-reviewing/SKILL.md +92 -0
  40. package/skills/code-reviewing/evals/evals.json +62 -0
  41. package/skills/code-reviewing/references/error-handling.md +108 -0
  42. package/skills/code-reviewing/references/review-checklist.md +144 -0
  43. package/skills/configuration-strategy/SKILL.md +109 -0
  44. package/skills/configuration-strategy/evals/evals.json +41 -0
  45. package/skills/configuration-strategy/references/config-patterns.md +161 -0
  46. package/skills/containerization/SKILL.md +90 -0
  47. package/skills/containerization/evals/evals.json +36 -0
  48. package/skills/containerization/references/dockerfile-patterns.md +168 -0
  49. package/skills/containerization/templates/dockerfile.md +154 -0
  50. package/skills/data-modeling/SKILL.md +83 -0
  51. package/skills/data-modeling/evals/evals.json +43 -0
  52. package/skills/data-modeling/references/conventions.md +57 -0
  53. package/skills/data-modeling/templates/schema.md +120 -0
  54. package/skills/dependency-impact-analysis/SKILL.md +113 -0
  55. package/skills/dependency-impact-analysis/evals/evals.json +41 -0
  56. package/skills/dependency-impact-analysis/references/impact-patterns.md +150 -0
  57. package/skills/dependency-management/SKILL.md +161 -0
  58. package/skills/dependency-management/evals/evals.json +48 -0
  59. package/skills/dependency-management/references/evaluation-checklist.md +127 -0
  60. package/skills/deployment-checklist/SKILL.md +132 -0
  61. package/skills/deployment-checklist/evals/evals.json +58 -0
  62. package/skills/deployment-checklist/references/pre-deploy-gates.md +91 -0
  63. package/skills/deployment-repo/SKILL.md +190 -0
  64. package/skills/deployment-repo/evals/evals.json +44 -0
  65. package/skills/deployment-repo/references/deployment-repo-patterns.md +258 -0
  66. package/skills/deployment-repo/references/version-compatibility.md +227 -0
  67. package/skills/deployment-repo/templates/deployment-repo-structure.md +226 -0
  68. package/skills/effort-estimation/SKILL.md +95 -0
  69. package/skills/effort-estimation/evals/evals.json +32 -0
  70. package/skills/effort-estimation/references/estimation-methods.md +154 -0
  71. package/skills/feature-planning/SKILL.md +84 -0
  72. package/skills/feature-planning/evals/evals.json +44 -0
  73. package/skills/feature-planning/templates/plan.md +55 -0
  74. package/skills/feature-planning/templates/task.md +26 -0
  75. package/skills/frontend-architecture/SKILL.md +154 -0
  76. package/skills/frontend-architecture/evals/evals.json +34 -0
  77. package/skills/frontend-architecture/references/component-patterns.md +264 -0
  78. package/skills/frontend-architecture/templates/folder-structure.md +203 -0
  79. package/skills/git-workflow/SKILL.md +127 -0
  80. package/skills/git-workflow/evals/evals.json +44 -0
  81. package/skills/git-workflow/references/conventions.md +142 -0
  82. package/skills/git-workflow/templates/pull-request.md +57 -0
  83. package/skills/gitops-delivery/SKILL.md +319 -0
  84. package/skills/gitops-delivery/evals/evals.json +44 -0
  85. package/skills/gitops-delivery/references/gitops-patterns.md +478 -0
  86. package/skills/gitops-delivery/templates/gitops-config.md +196 -0
  87. package/skills/incident-response/SKILL.md +130 -0
  88. package/skills/incident-response/evals/evals.json +55 -0
  89. package/skills/incident-response/references/communication-templates.md +134 -0
  90. package/skills/incident-response/references/severity-levels.md +77 -0
  91. package/skills/incident-response/templates/incident-timeline.md +57 -0
  92. package/skills/infrastructure-as-code/SKILL.md +86 -0
  93. package/skills/infrastructure-as-code/evals/evals.json +33 -0
  94. package/skills/infrastructure-as-code/references/iac-patterns.md +179 -0
  95. package/skills/infrastructure-as-code/templates/terraform-module.md +158 -0
  96. package/skills/metrics-and-okrs/SKILL.md +113 -0
  97. package/skills/metrics-and-okrs/evals/evals.json +33 -0
  98. package/skills/metrics-and-okrs/references/metric-catalog.md +90 -0
  99. package/skills/metrics-and-okrs/templates/okr-document.md +61 -0
  100. package/skills/ml-experiment-tracking/SKILL.md +96 -0
  101. package/skills/ml-experiment-tracking/evals/evals.json +32 -0
  102. package/skills/ml-experiment-tracking/references/tracking-tools.md +127 -0
  103. package/skills/ml-model-deployment/SKILL.md +106 -0
  104. package/skills/ml-model-deployment/evals/evals.json +34 -0
  105. package/skills/ml-model-deployment/references/serving-patterns.md +162 -0
  106. package/skills/ml-pipeline-design/SKILL.md +162 -0
  107. package/skills/ml-pipeline-design/evals/evals.json +34 -0
  108. package/skills/ml-pipeline-design/references/pipeline-components.md +174 -0
  109. package/skills/observability-design/SKILL.md +162 -0
  110. package/skills/observability-design/evals/evals.json +52 -0
  111. package/skills/observability-design/references/logging-patterns.md +229 -0
  112. package/skills/observability-design/references/slo-framework.md +151 -0
  113. package/skills/observability-design/templates/slo-document.md +80 -0
  114. package/skills/performance-optimization/SKILL.md +83 -0
  115. package/skills/performance-optimization/evals/evals.json +47 -0
  116. package/skills/performance-optimization/references/bottleneck-patterns.md +256 -0
  117. package/skills/performance-optimization/references/concurrency.md +101 -0
  118. package/skills/prd-writing/SKILL.md +109 -0
  119. package/skills/prd-writing/evals/evals.json +33 -0
  120. package/skills/prd-writing/references/prd-examples.md +132 -0
  121. package/skills/prd-writing/templates/prd.md +71 -0
  122. package/skills/prd-writing/templates/rfc.md +79 -0
  123. package/skills/project-documentation/SKILL.md +104 -0
  124. package/skills/project-documentation/evals/evals.json +48 -0
  125. package/skills/project-documentation/references/contributing-guide.md +100 -0
  126. package/skills/project-documentation/templates/changelog.md +59 -0
  127. package/skills/project-documentation/templates/readme.md +121 -0
  128. package/skills/project-proposal/SKILL.md +90 -0
  129. package/skills/project-proposal/evals/evals.json +31 -0
  130. package/skills/project-proposal/references/proposal-examples.md +140 -0
  131. package/skills/project-proposal/templates/proposal.md +76 -0
  132. package/skills/project-review/SKILL.md +111 -0
  133. package/skills/project-review/evals/evals.json +42 -0
  134. package/skills/refactoring/SKILL.md +90 -0
  135. package/skills/refactoring/evals/evals.json +44 -0
  136. package/skills/refactoring/references/transformations.md +132 -0
  137. package/skills/retrospective/SKILL.md +157 -0
  138. package/skills/retrospective/evals/evals.json +34 -0
  139. package/skills/retrospective/references/facilitation-guide.md +130 -0
  140. package/skills/retrospective/templates/post-mortem.md +121 -0
  141. package/skills/rollback-strategy/SKILL.md +116 -0
  142. package/skills/rollback-strategy/evals/evals.json +55 -0
  143. package/skills/rollback-strategy/references/rollback-patterns.md +125 -0
  144. package/skills/rollback-strategy/templates/rollback-plan.md +69 -0
  145. package/skills/security-audit/SKILL.md +146 -0
  146. package/skills/security-audit/evals/evals.json +66 -0
  147. package/skills/security-audit/references/owasp-top-10.md +167 -0
  148. package/skills/security-audit/templates/security-report.md +79 -0
  149. package/skills/skill-router/SKILL.md +171 -0
  150. package/skills/skill-router/evals/evals.json +39 -0
  151. package/skills/strategic-review/SKILL.md +106 -0
  152. package/skills/strategic-review/evals/evals.json +42 -0
  153. package/skills/strategic-review/templates/full-review-prompt.md +84 -0
  154. package/skills/tdd-workflow/SKILL.md +147 -0
  155. package/skills/tdd-workflow/evals/evals.json +58 -0
  156. package/skills/tdd-workflow/references/test-quality.md +71 -0
  157. package/skills/technical-debt-review/SKILL.md +113 -0
  158. package/skills/technical-debt-review/evals/evals.json +41 -0
  159. package/skills/technical-debt-review/references/debt-taxonomy.md +124 -0
  160. package/skills/technical-debt-review/templates/debt-audit.md +85 -0
  161. package/skills/test-data-strategy/SKILL.md +129 -0
  162. package/skills/test-data-strategy/evals/evals.json +49 -0
  163. package/skills/test-data-strategy/references/data-generation-patterns.md +341 -0
  164. package/skills/test-suite-design/SKILL.md +137 -0
  165. package/skills/test-suite-design/evals/evals.json +69 -0
  166. package/skills/test-suite-design/references/test-infrastructure.md +175 -0
  167. package/skills/test-suite-design/references/testing-pyramid.md +140 -0
  168. package/skills/ui-ux-design/SKILL.md +117 -0
  169. package/skills/ui-ux-design/evals/evals.json +35 -0
  170. package/skills/ui-ux-design/references/interaction-patterns.md +145 -0
  171. package/skills/ui-ux-design/templates/screen-spec.md +97 -0
  172. package/skills/verification-before-completion/SKILL.md +85 -0
  173. package/skills/verification-before-completion/evals/evals.json +53 -0
  174. package/skills/writing-skills/SKILL.md +87 -0
  175. package/skills/writing-skills/evals/evals.json +41 -0
  176. package/skills/writing-skills/references/pressure-testing.md +69 -0
  177. package/uninstall.mjs +182 -0
@@ -0,0 +1,113 @@
1
+ ---
2
+ name: dependency-impact-analysis
3
+ description: "Map the blast radius of a change before implementing — find dependents, classify breaking vs additive, identify coordination needs, produce a propagation plan. Triggers: what will break if I change this, blast radius, impact analysis, breaking change, who depends on this, downstream impact, safe to rename, shared schema change, dependency graph."
4
+ model: opus
5
+ allowed-tools: Read, Grep, Glob, Write, Edit
6
+ ---
7
+
8
+ # Dependency Impact Analysis
9
+
10
+ Understand what will break before breaking it. Changing a shared component without mapping its dependents leads to cascading failures — often discovered in production.
11
+
12
+ ## Step 1: Define the Change
13
+
14
+ Be precise about what is changing:
15
+
16
+ - **What is the component?** (API endpoint, database table/column, library function, event schema, shared module)
17
+ - **What specifically is changing?** (Field renamed, parameter added, type changed, behavior changed, endpoint removed)
18
+ - **What is the deployment boundary?** (Single service, multiple services, public API accessible by external clients)
19
+
20
+ A vague "I'm changing the user model" is too broad. "I'm renaming the `email` field to `email_address` in the users table and the User API response" is specific enough to analyze.
21
+
22
+ ## Step 2: Map All Dependents
23
+
24
+ Find everything that depends on the component being changed.
25
+
26
+ **For API endpoints:**
27
+ - Search for the endpoint path across all service repositories
28
+ - Check API gateway logs for callers (especially for public APIs)
29
+ - Review API documentation and SDKs for external consumers
30
+ - Check internal service-to-service call graphs or service mesh metrics
31
+
32
+ **For database tables/columns:**
33
+ - Search all codebases for table name and column name references
34
+ - Check ORM models, raw SQL queries, stored procedures, migration files
35
+ - Look for database views, triggers, or materialized views that reference the column
36
+ - Check reporting tools and data pipelines that read from the table directly
37
+
38
+ **For shared libraries/packages:**
39
+ - Check the package registry or dependency graph for what imports this library
40
+ - Search for the specific function/class/type being changed across all consumers
41
+ - Check version constraints — which consumers would receive this change automatically?
42
+
43
+ **For event schemas:**
44
+ - Find all producers of this event type
45
+ - Find all consumers (subscribers) of this event type
46
+ - Check event replay systems or data warehouses that store these events
47
+
48
+ **For shared modules/types:**
49
+ - Search the codebase for all import statements referencing the module
50
+ - Check generated clients (OpenAPI codegen, gRPC stubs) that depend on the schema
51
+
52
+ ## Step 3: Classify Impact by Dependent
53
+
54
+ For each dependent found, classify the impact:
55
+
56
+ | Impact type | Definition | Action required |
57
+ |-------------|-----------|----------------|
58
+ | **Breaking** | Dependent will fail or produce wrong results without modification | Must coordinate: update before or simultaneously |
59
+ | **Additive** | Change adds capability but doesn't break existing behavior | No action required; dependent can opt in |
60
+ | **Internal** | Change is within a single service, no external interface changes | No coordination needed |
61
+ | **Latent** | Dependent doesn't use the changed part yet, but may assume current behavior | Monitor; communicate the change |
62
+
63
+ **Breaking change examples:**
64
+ - Renaming a required request field
65
+ - Changing a field type
66
+ - Removing an endpoint
67
+ - Adding a required (non-nullable, no default) column to a table
68
+ - Changing event schema to remove a field
69
+
70
+ **Additive change examples:**
71
+ - Adding a new optional field to a response
72
+ - Adding a new endpoint
73
+ - Adding a nullable column with a default
74
+ - Deprecating (but not removing) a field
75
+
76
+ ## Step 4: Produce the Change Propagation Plan
77
+
78
+ For each breaking change, define the coordination plan:
79
+
80
+ **Option A: Simultaneous deploy** (for small, closely-coupled services under one team)
81
+ - Update all dependents in the same deployment window
82
+ - Risk: all services must be deployed together — failure in one blocks all
83
+
84
+ **Option B: Versioned transition** (recommended for shared APIs)
85
+ 1. Deploy v2 of the interface alongside v1 (both exist simultaneously)
86
+ 2. Migrate consumers to v2 one by one
87
+ 3. Remove v1 once all consumers have migrated
88
+
89
+ **Option C: Expand-contract** (recommended for database and event schema changes)
90
+ 1. Expand: add new field/column alongside old (both exist, old still works)
91
+ 2. Migrate: update consumers to use new field
92
+ 3. Contract: remove old field after all consumers are migrated
93
+
94
+ **Communication plan:**
95
+ - Which teams own dependent services?
96
+ - How will they be notified?
97
+ - What is the migration deadline?
98
+ - Is there a deprecation period?
99
+
100
+ ## Principles Applied
101
+
102
+ - **Functional independence**: Minimize blast radius — prefer additive changes over breaking changes when both achieve the same goal
103
+ - **KISS**: The simplest propagation plan is the one with the fewest simultaneous moving parts. Prefer sequential migration over big-bang deploys.
104
+ - **YAGNI**: Don't change more than necessary. If the change can be made additive (old behavior still works), prefer that over a breaking change.
105
+ - **Explicit over implicit**: Undocumented contracts are the most dangerous dependencies — they're discovered when broken, not before
106
+
107
+ ## Cross-Skill References
108
+
109
+ - `api-design` — design the new API contract after impact is understood
110
+ - `feature-planning` — incorporate the dependency coordination into the implementation plan
111
+ - `architecture-design` — if analysis reveals excessive coupling, document an ADR for reducing it
112
+ - `data-modeling` — use for schema change design once impact is mapped
113
+ - `deployment-repo` — when impact crosses repo boundaries in a polyrepo, use the deployment repo's compatibility matrix and contract tests to validate migration paths
@@ -0,0 +1,41 @@
1
+ {
2
+ "skill_name": "dependency-impact-analysis",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "I want to rename the 'user_id' field to 'account_id' in our REST API response for GET /api/users. We have a mobile app, a web app, and two internal microservices that call this endpoint. What's the impact?",
7
+ "expected_output": "Dependency impact analysis identifying all four consumers, classifying the rename as breaking for all of them, recommending a versioning strategy, and producing a migration plan with coordination steps",
8
+ "assertions": [
9
+ "Identifies all four consumers (mobile app, web app, two microservices) as affected",
10
+ "Classifies this as a breaking change for all consumers (field rename, not additive)",
11
+ "Flags mobile app as highest risk (users may not update; old app versions still call the API)",
12
+ "Recommends API versioning (v1 keeps user_id, v2 uses account_id) for the mobile app case",
13
+ "Produces a migration sequence: add v2, migrate internal consumers, migrate web, sunset v1 after mobile migration window",
14
+ "Does not suggest a simultaneous big-bang rename as the only option"
15
+ ]
16
+ },
17
+ {
18
+ "id": 2,
19
+ "prompt": "I'm adding a new optional 'metadata' JSON column to the orders table. Is this safe to deploy?",
20
+ "expected_output": "Classifies this as an additive/backwards-compatible change requiring minimal coordination, confirms it's safe to deploy without consumer updates, and notes any edge cases",
21
+ "assertions": [
22
+ "Confirms this is a backwards-compatible (additive) change",
23
+ "Notes that existing code ignores the new column and remains safe",
24
+ "May mention that ORM models should be updated to avoid unexpected behavior when they serialize full rows",
25
+ "Does not require complex coordination or versioning",
26
+ "Gives a clear 'safe to proceed' verdict with any minor caveats"
27
+ ]
28
+ },
29
+ {
30
+ "id": 3,
31
+ "prompt": "How do I add authentication to this endpoint?",
32
+ "expected_output": "Recognizes this is an API design or security question, not a dependency impact analysis request — redirects to the appropriate skill",
33
+ "assertions": [
34
+ "Recognizes this is not a dependency impact analysis request",
35
+ "Does not perform a blast radius analysis for adding auth",
36
+ "May note that adding required auth to an existing endpoint is a breaking change for current consumers (brief impact observation)",
37
+ "Directs to security-audit or api-design skill for the actual implementation guidance"
38
+ ]
39
+ }
40
+ ]
41
+ }
@@ -0,0 +1,150 @@
1
+ # Impact Patterns
2
+
3
+ ## API Versioning Strategies
4
+
5
+ ### URL versioning
6
+ ```
7
+ /api/v1/users/{id}
8
+ /api/v2/users/{id}
9
+ ```
10
+ Simplest to implement. Consumers explicitly opt into the new version. Old version remains accessible until deprecated.
11
+
12
+ **When to use**: Public APIs with external consumers. Breaking changes are unavoidable.
13
+
14
+ **Deprecation process**:
15
+ 1. Announce deprecation with sunset date (minimum 6 months for external consumers)
16
+ 2. Add `Deprecation` header to responses: `Deprecation: Sat, 01 Jan 2026 00:00:00 GMT`
17
+ 3. Monitor v1 traffic to track migration progress
18
+ 4. Sunset v1 after deadline
19
+
20
+ ### Header versioning
21
+ ```
22
+ Accept: application/vnd.myapi.v2+json
23
+ ```
24
+ Cleaner URLs. More complex routing. Use when URL versioning breaks REST resource semantics.
25
+
26
+ ### Query parameter versioning
27
+ ```
28
+ GET /api/users/{id}?version=2
29
+ ```
30
+ Easy to test in browser. Explicit but verbose. Common for internal APIs with few consumers.
31
+
32
+ ### No versioning (evolve in place)
33
+ Only works if all changes are additive. Works well for internal services where you control all consumers and can coordinate deploys.
34
+
35
+ ---
36
+
37
+ ## Database Migration Coordination
38
+
39
+ ### Single-service database
40
+ All reads and writes go through one service that owns the schema. Migration coordination is just within that service.
41
+
42
+ **Safe upgrade sequence**:
43
+ 1. Deploy migration (schema change)
44
+ 2. Deploy application code that uses new schema
45
+
46
+ **Rollback**: reverse migration + revert code deploy.
47
+
48
+ ### Shared database (multiple services read the same tables)
49
+ The most dangerous architecture for migrations. Any schema change can break other services.
50
+
51
+ **Rules for shared database migrations**:
52
+ 1. **Never drop a column** without verifying no other service reads it
53
+ 2. **Never rename a column** without an expand-contract migration
54
+ 3. **Adding NOT NULL constraints** on existing columns requires a default value or coordinated deploy
55
+ 4. Always search all service codebases for references to the table/column before migrating
56
+
57
+ **Migrate shared tables using expand-contract**:
58
+ ```
59
+ Step 1: Add new_column alongside old_column (both present)
60
+ Step 2: Deploy service A to write to both columns, read from old_column
61
+ Step 3: Deploy all other services to read from new_column
62
+ Step 4: Deploy service A to write only to new_column
63
+ Step 5: Drop old_column
64
+ ```
65
+
66
+ ### Zero-downtime migrations
67
+ For large tables where schema changes lock the table:
68
+
69
+ **Postgres**: Use `ALTER TABLE ... ADD COLUMN ... DEFAULT NULL` (instant) then backfill asynchronously. Adding a default value to a new column in Postgres 11+ is instant.
70
+
71
+ **Avoid in production**:
72
+ - `ALTER TABLE ... ADD COLUMN ... NOT NULL` (requires table scan + lock pre-Postgres 11)
73
+ - `CREATE INDEX` without `CONCURRENTLY` (locks entire table)
74
+ - `ALTER TABLE ... SET NOT NULL` on a column that may contain nulls
75
+
76
+ ---
77
+
78
+ ## Event Schema Evolution
79
+
80
+ ### Backwards-compatible event changes
81
+ - Adding new optional fields
82
+ - Adding new event types (consumers ignore unknown types)
83
+ - Loosening validation (accepting more values)
84
+
85
+ ### Breaking event changes
86
+ - Removing fields consumers depend on
87
+ - Changing field semantics (same name, different meaning)
88
+ - Tightening validation (rejecting previously-valid values)
89
+ - Changing the primary identifier field
90
+
91
+ ### Schema registry approach (for Kafka/event streaming)
92
+ Use a schema registry (Confluent Schema Registry, AWS Glue) to enforce compatibility:
93
+
94
+ - **BACKWARD**: New schema can read data written by old schema (consumer can be updated first)
95
+ - **FORWARD**: Old schema can read data written by new schema (producer can be updated first)
96
+ - **FULL**: Both backward and forward compatible (safest; most restrictive)
97
+
98
+ ### Consumer-first pattern (no schema registry)
99
+ For breaking changes without a schema registry:
100
+ 1. Deploy consumers that handle both old and new schema (check for field presence before using it)
101
+ 2. Deploy producers using new schema
102
+ 3. Remove old schema handling from consumers once all producers are updated
103
+
104
+ ---
105
+
106
+ ## Shared Library Change Coordination
107
+
108
+ ### Semantic versioning
109
+ - **PATCH** (1.0.x): Bug fixes, no API changes. Consumers upgrade safely.
110
+ - **MINOR** (1.x.0): New additive features. Old code still works. Consumers can upgrade when ready.
111
+ - **MAJOR** (x.0.0): Breaking changes. Consumers must update their code to use the new version.
112
+
113
+ ### Monorepo vs. multi-repo impact
114
+ **Monorepo**: All dependents are visible. Tooling (Nx, Turborepo, Bazel) can identify which services are affected. Breaking library change requires updating all consumers in the same PR/release.
115
+
116
+ **Multi-repo**: Consumers are on different release cycles. Use semantic versioning + deprecation period. Old major version must be maintained until all consumers migrate.
117
+
118
+ ### Lock files and version pinning
119
+ Consumers with pinned versions won't receive the change automatically. Must explicitly update their dependency. This provides safety (can choose when to migrate) but also means old versions can persist indefinitely.
120
+
121
+ ---
122
+
123
+ ## Finding Dependents Quickly
124
+
125
+ ### Grep patterns for common dependency types
126
+
127
+ **REST endpoint consumers:**
128
+ ```bash
129
+ grep -r "GET /api/users" --include="*.{ts,js,py,go,rb}" .
130
+ grep -r "POST /api/orders" --include="*.{ts,js,py,go,rb}" .
131
+ ```
132
+
133
+ **Database column references:**
134
+ ```bash
135
+ grep -r "\.email\b" --include="*.{ts,js,py,go}" .
136
+ grep -r "\"email\"" --include="*.{ts,js,py,go}" .
137
+ grep -r "users\.email" --include="*.{sql}" .
138
+ ```
139
+
140
+ **Function/class references (TypeScript/JavaScript):**
141
+ ```bash
142
+ grep -r "import.*UserService" --include="*.ts" .
143
+ grep -r "from.*user-service" --include="*.ts" .
144
+ ```
145
+
146
+ **Package imports:**
147
+ ```bash
148
+ grep -r "require.*my-shared-lib" --include="*.js" .
149
+ grep -r "from my_shared_lib" --include="*.py" .
150
+ ```
@@ -0,0 +1,161 @@
1
+ ---
2
+ name: dependency-management
3
+ description: "Evaluate, audit, and upgrade project dependencies — assess libraries before adoption, audit CVEs, plan major upgrades, resolve conflicts. Triggers: should I use this library, npm audit, upgrade dependencies, dependency vulnerability, outdated packages, evaluate this package, is this library maintained, dependency conflict, lock file, breaking changes in upgrade."
4
+ model: sonnet
5
+ allowed-tools: Read, Grep, Glob, Write, Edit, WebFetch, WebSearch
6
+ ---
7
+
8
+ # Dependency Management
9
+
10
+ Help make disciplined decisions about project dependencies. Every dependency is a trade-off: functionality gained vs. maintenance burden, security surface, and coupling accepted.
11
+
12
+ ## Core Rule
13
+
14
+ **Every dependency should earn its place.** Before adding a dependency, ask: "Is this worth the ongoing cost of maintaining, updating, and trusting someone else's code in my project?"
15
+
16
+ ## Workflow: Evaluating a New Dependency
17
+
18
+ ### Step 1: Do You Need It?
19
+
20
+ Before evaluating any library, check if the need can be met without one:
21
+
22
+ - **Is this a few lines of code?** Writing `leftPad` yourself is better than importing it.
23
+ - **Does the language/framework already provide this?** Check built-in APIs first.
24
+ - **Is this a one-time use?** Copy-paste a small utility function instead of adding a dependency.
25
+
26
+ A dependency is justified when it provides substantial, maintained functionality that would be costly and error-prone to build yourself (e.g., cryptography, date handling with timezones, database drivers, authentication).
27
+
28
+ ### Step 2: Evaluate the Library
29
+
30
+ For any library under consideration, assess these dimensions:
31
+
32
+ **Maintenance health:**
33
+ - Last commit date (stale > 1 year is a yellow flag)
34
+ - Open issues and PR response time
35
+ - Number of maintainers (bus factor — 1 maintainer is risky)
36
+ - Release frequency and changelog quality
37
+
38
+ **Adoption signals:**
39
+ - Weekly downloads / GitHub stars (not definitive, but signals community trust)
40
+ - Used by known projects (check dependents)
41
+ - Ecosystem maturity (plugins, integrations, documentation)
42
+
43
+ **Technical fit:**
44
+ - TypeScript support (if applicable)
45
+ - Bundle size impact — check on bundlephobia.com or similar
46
+ - API quality — is it intuitive, well-documented, consistent?
47
+ - Compatibility with your runtime, framework version, and other dependencies
48
+
49
+ **Security and legal:**
50
+ - License compatibility with your project (MIT, Apache-2.0 are permissive; GPL is viral)
51
+ - Known vulnerabilities (check npm audit advisory, Snyk, or GitHub advisories)
52
+ - Does it have excessive transitive dependencies?
53
+
54
+ **Alternatives comparison:**
55
+ - Identify 2-3 alternatives and compare on the dimensions above
56
+ - A slightly less popular library that's better maintained may be the better choice
57
+
58
+ See [references/evaluation-checklist.md](references/evaluation-checklist.md) for the structured assessment template.
59
+
60
+ ### Step 3: Present the Recommendation
61
+
62
+ For the user, summarize:
63
+ - **Recommendation**: Use / Don't use / Consider alternative
64
+ - **Primary reason**: The most compelling argument
65
+ - **Risks accepted**: What you're trading off
66
+ - **Alternatives considered**: Brief comparison
67
+
68
+ ## Workflow: Auditing Existing Dependencies
69
+
70
+ ### Step 1: Run Vulnerability Scanners
71
+
72
+ ```bash
73
+ # JavaScript/TypeScript
74
+ npm audit
75
+ # For more detail:
76
+ npx better-npm-audit audit
77
+
78
+ # Python
79
+ pip audit
80
+ # or
81
+ safety check
82
+
83
+ # Go
84
+ govulncheck ./...
85
+
86
+ # Ruby
87
+ bundle audit check --update
88
+ ```
89
+
90
+ ### Step 2: Triage Results
91
+
92
+ Not all vulnerabilities require action. For each finding:
93
+
94
+ 1. **Is the vulnerable code path actually used in your project?** Many CVEs affect specific features you may not use.
95
+ 2. **What's the severity?** Critical and High need immediate action. Medium within a sprint. Low can be tracked.
96
+ 3. **Is a patched version available?** If yes, upgrade. If no, assess mitigation or replacement.
97
+ 4. **Is it a transitive dependency?** You may need to upgrade the parent package, or use overrides/resolutions.
98
+
99
+ ### Step 3: Find Unused Dependencies
100
+
101
+ Dead dependencies add attack surface and bloat for zero value.
102
+
103
+ ```bash
104
+ # JavaScript — find unused packages
105
+ npx depcheck
106
+
107
+ # Python — find unused imports (suggests unused packages)
108
+ pip install vulture
109
+ vulture src/ --min-confidence 80
110
+ ```
111
+
112
+ Remove unused dependencies. If unsure, comment it out, run tests, and deploy to staging.
113
+
114
+ ### Step 4: Produce the Report
115
+
116
+ Summarize: N vulnerabilities found (X critical, Y high), N unused packages, N significantly outdated.
117
+
118
+ ## Workflow: Major Version Upgrades
119
+
120
+ ### Step 1: Read the Changelog
121
+
122
+ Read the changelog and migration guide for the new major version. Identify:
123
+ - **Breaking changes**: What will break in your code?
124
+ - **Deprecations resolved**: What deprecated APIs were removed?
125
+ - **New features**: Anything that simplifies your code?
126
+ - **Peer dependency changes**: Does this force other upgrades?
127
+
128
+ ### Step 2: Plan the Upgrade
129
+
130
+ For low-risk upgrades (well-documented, small surface area):
131
+ - Create a branch, bump the version, run tests, fix failures.
132
+
133
+ For high-risk upgrades (framework major version, ORM, auth library):
134
+ - Create a detailed task list of changes needed
135
+ - Test in isolation first if possible
136
+ - Consider running old and new versions in parallel temporarily (expand-contract)
137
+ - Suggest using the `feature-planning` skill to break the upgrade into tasks
138
+
139
+ ### Step 3: Validate
140
+
141
+ - [ ] All tests pass
142
+ - [ ] No deprecation warnings from the upgraded package
143
+ - [ ] No new vulnerabilities introduced by the upgrade
144
+ - [ ] Lock file is committed and clean
145
+ - [ ] Bundle size has not increased unexpectedly
146
+
147
+ ## Quick Reference: Lock File Hygiene
148
+
149
+ - **Always commit lock files** (`package-lock.json`, `yarn.lock`, `poetry.lock`, `go.sum`)
150
+ - **Never edit lock files manually** — let the package manager manage them
151
+ - **Use `npm ci` (not `npm install`) in CI** — installs from lock file exactly
152
+ - **Review lock file diffs in PRs** — large unexpected changes signal problems
153
+ - **Regenerate periodically** if the lock file becomes stale or conflicted
154
+
155
+ ## Principles Applied
156
+
157
+ - **YAGNI**: Don't add a library for a feature you *might* need. Add it when the need is real and proven.
158
+ - **KISS**: Prefer libraries with small, focused APIs over Swiss-army-knife frameworks.
159
+ - **DRY**: A well-chosen dependency eliminates duplication across projects — but a bad choice creates maintenance debt across projects.
160
+ - **Functional Independence**: Prefer libraries that don't deeply couple to your application architecture. You should be able to swap them out.
161
+ - **Boundaries**: Wrap third-party APIs with thin adapter layers — depend on your own abstractions, not on library specifics. This limits blast radius when a dependency changes or is replaced, and keeps your business logic free of third-party types. Only skip wrapping for pervasive infrastructure (e.g., your web framework, your ORM) where the cost of wrapping exceeds the cost of coupling.
@@ -0,0 +1,48 @@
1
+ {
2
+ "skill_name": "dependency-management",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "I'm building a Node.js API and need a validation library. I'm considering zod, joi, yup, and ajv. Which should I use? Our stack is TypeScript, Express, and Prisma.",
7
+ "expected_output": "Should evaluate all four libraries across the standard dimensions (maintenance, TS support, bundle size, API quality) and make a clear recommendation based on the TypeScript stack.",
8
+ "assertions": [
9
+ "Evaluates all four options, not just recommends one without comparison",
10
+ "Considers TypeScript integration as a key differentiator",
11
+ "Notes zod's TypeScript-native schema-to-type inference as a strong fit",
12
+ "Compares bundle sizes",
13
+ "Compares API ergonomics with brief examples",
14
+ "Makes a clear recommendation with primary reason",
15
+ "Does not dismiss alternatives without explanation"
16
+ ]
17
+ },
18
+ {
19
+ "id": 2,
20
+ "prompt": "npm audit shows 47 vulnerabilities: 3 critical, 8 high, 15 moderate, 21 low. I don't know where to start. Help me triage this.",
21
+ "expected_output": "Should guide triage by severity, distinguish direct vs transitive dependencies, check if vulnerable code paths are actually used, and produce an action plan.",
22
+ "assertions": [
23
+ "Starts with critical vulnerabilities, not the full list",
24
+ "Distinguishes between direct and transitive dependencies",
25
+ "Asks about or checks whether vulnerable code paths are actually exercised",
26
+ "Suggests npm audit fix --force ONLY with caution (can introduce breaking changes)",
27
+ "Recommends overrides/resolutions for transitive deps when parent hasn't updated",
28
+ "Identifies that many moderate/low findings may be acceptable risk",
29
+ "Produces a prioritized action plan, not just 'fix everything'"
30
+ ]
31
+ },
32
+ {
33
+ "id": 3,
34
+ "prompt": "We need to upgrade React from v17 to v19. We have a large codebase with 200+ components. Some use class components and legacy context API. How should we approach this?",
35
+ "expected_output": "Should recommend a phased approach (17→18→19), identify the major breaking changes at each step, suggest using the feature-planning skill to break this into tasks, and warn about class component and legacy API issues.",
36
+ "assertions": [
37
+ "Recommends incremental upgrade (17→18 first, then 18→19), not direct 17→19",
38
+ "Identifies class components and legacy context as migration blockers",
39
+ "Lists the key breaking changes at each major version boundary",
40
+ "Suggests codemods for automated migration where available",
41
+ "Recommends comprehensive test coverage before starting",
42
+ "Suggests feature-planning skill to break into manageable tasks",
43
+ "Warns about the scope and risk — this is not a one-afternoon task",
44
+ "Recommends testing in isolation before merging to main"
45
+ ]
46
+ }
47
+ ]
48
+ }
@@ -0,0 +1,127 @@
1
+ # Dependency Evaluation Checklist
2
+
3
+ ## Contents
4
+ - Structured assessment template
5
+ - License compatibility guide
6
+ - Red flags to watch for
7
+ - Bundle size guidelines
8
+ - Common decisions by category
9
+
10
+ ## Structured Assessment Template
11
+
12
+ Use this template when evaluating a library for adoption:
13
+
14
+ ```markdown
15
+ ## Dependency Evaluation: [library-name]
16
+
17
+ **Purpose**: [What does it do? Why do we need it?]
18
+ **Alternative to**: [What we're using now, or "nothing — new capability"]
19
+ **Evaluated on**: [Date]
20
+
21
+ ### Maintenance Health
22
+ - Last release: [date]
23
+ - Commits in last 6 months: [number]
24
+ - Open issues / total issues: [ratio]
25
+ - Maintainers: [number, names if notable]
26
+ - Bus factor concern? [Yes/No]
27
+
28
+ ### Adoption
29
+ - Weekly downloads: [number]
30
+ - GitHub stars: [number]
31
+ - Notable dependents: [projects]
32
+ - Stack Overflow questions: [rough count]
33
+
34
+ ### Technical Fit
35
+ - TypeScript types: [built-in / @types / none]
36
+ - Bundle size (minified + gzipped): [KB]
37
+ - Transitive dependencies: [count]
38
+ - Compatible with our [framework] version? [Yes/No]
39
+ - API quality: [Good / Acceptable / Poor]
40
+
41
+ ### Security & Legal
42
+ - License: [license type]
43
+ - Compatible with our project? [Yes/No]
44
+ - Known vulnerabilities: [count / none]
45
+ - Security advisory history: [clean / concerning]
46
+
47
+ ### Alternatives Considered
48
+ | Criteria | [Library A] | [Library B] | [Library C] |
49
+ |----------|-------------|-------------|-------------|
50
+ | Bundle size | | | |
51
+ | TypeScript | | | |
52
+ | Maintenance | | | |
53
+ | API quality | | | |
54
+ | Adoption | | | |
55
+
56
+ ### Decision
57
+ **Recommendation**: [Adopt / Don't adopt / Adopt alternative X]
58
+ **Rationale**: [1-2 sentences]
59
+ **Risks accepted**: [What we're giving up]
60
+ ```
61
+
62
+ ## License Compatibility Guide
63
+
64
+ | License | Commercial Use | Can Modify | Must Disclose Source | Viral |
65
+ |---------|---------------|------------|---------------------|-------|
66
+ | MIT | ✓ | ✓ | No | No |
67
+ | Apache 2.0 | ✓ | ✓ | No (but must include license) | No |
68
+ | BSD 2/3 | ✓ | ✓ | No | No |
69
+ | ISC | ✓ | ✓ | No | No |
70
+ | GPL 2/3 | ✓ | ✓ | Yes — your code must also be GPL | **Yes** |
71
+ | LGPL | ✓ | ✓ | Only for modifications to the library | Partially |
72
+ | AGPL | ✓ | ✓ | Yes — even for SaaS/network use | **Yes** |
73
+ | BSL | Varies | ✓ | After time period | Varies |
74
+ | Unlicense | ✓ | ✓ | No | No |
75
+
76
+ **Safe for most projects**: MIT, Apache 2.0, BSD, ISC, Unlicense
77
+ **Requires legal review**: GPL, LGPL, AGPL, BSL, any custom license
78
+ **Red flag**: No license file at all — technically you have no right to use it
79
+
80
+ ## Red Flags
81
+
82
+ **Maintenance red flags:**
83
+ - No commits in 12+ months with open issues
84
+ - Single maintainer who has gone silent
85
+ - Repository archived or marked as deprecated
86
+ - No changelog or release notes for major versions
87
+
88
+ **Quality red flags:**
89
+ - No tests in the repository
90
+ - Many open issues with the "bug" label and no response
91
+ - Breaking changes in minor/patch versions (doesn't follow semver)
92
+ - Excessive transitive dependencies (a utility library with 50+ deps)
93
+
94
+ **Security red flags:**
95
+ - Known unpatched vulnerabilities
96
+ - History of supply chain attacks on this package
97
+ - Maintainer account compromise history
98
+ - Obfuscated or minified source code in the published package
99
+
100
+ ## Bundle Size Guidelines
101
+
102
+ Context for JavaScript frontend projects:
103
+
104
+ | Category | Acceptable | Concerning | Excessive |
105
+ |----------|-----------|------------|-----------|
106
+ | Utility (lodash-like) | < 5 KB | 5-20 KB | > 20 KB |
107
+ | UI component | < 15 KB | 15-50 KB | > 50 KB |
108
+ | State management | < 10 KB | 10-30 KB | > 30 KB |
109
+ | Date library | < 10 KB | 10-30 KB | > 30 KB |
110
+ | Charting | < 50 KB | 50-150 KB | > 150 KB |
111
+ | Full framework | < 50 KB | 50-100 KB | > 100 KB |
112
+
113
+ Check with: `bundlephobia.com` or `npm pack && tar -tzf *.tgz | wc -l`
114
+
115
+ For backend projects, bundle size matters less — focus on transitive dependency count and startup time impact.
116
+
117
+ ## Common Decisions by Category
118
+
119
+ | Need | Recommended Approach |
120
+ |------|---------------------|
121
+ | **Date handling** | Use `Intl.DateTimeFormat` (built-in) for formatting. Add `date-fns` only for complex date math. Avoid `moment` (deprecated, huge). |
122
+ | **HTTP client** | Use built-in `fetch` (Node 18+, all browsers). Add `ky` or `ofetch` for convenience wrappers only if needed. |
123
+ | **Validation** | `zod` for TypeScript (schema + types). `joi` for JavaScript. Built-in validators for simple cases. |
124
+ | **UUID generation** | `crypto.randomUUID()` (built-in Node 19+, all browsers). Add `uuid` only for v1/v5 or older runtimes. |
125
+ | **Cryptography** | Always use built-in `crypto` module or `bcrypt`/`argon2`. Never implement your own. |
126
+ | **Testing** | `vitest` for Vite projects, `jest` for everything else. Both are comprehensive enough to avoid extra test utilities. |
127
+ | **Linting** | `eslint` with `typescript-eslint`. `biome` as a faster alternative. Avoid stacking too many plugins. |