swe-workflow-skills 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (177) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +144 -0
  3. package/VERSION +1 -0
  4. package/bin/cli.mjs +44 -0
  5. package/catalog.json +225 -0
  6. package/commands/role.md +34 -0
  7. package/hooks/session-start.mjs +118 -0
  8. package/install.mjs +318 -0
  9. package/package.json +47 -0
  10. package/roles.json +194 -0
  11. package/scripts/resolve.mjs +296 -0
  12. package/skills/accessibility-design/SKILL.md +128 -0
  13. package/skills/accessibility-design/evals/evals.json +51 -0
  14. package/skills/accessibility-design/references/accessibility-patterns.md +321 -0
  15. package/skills/api-design/SKILL.md +144 -0
  16. package/skills/api-design/evals/evals.json +48 -0
  17. package/skills/api-design/references/rest-conventions.md +147 -0
  18. package/skills/api-design/templates/api-spec.md +156 -0
  19. package/skills/architecture-design/SKILL.md +86 -0
  20. package/skills/architecture-design/evals/evals.json +44 -0
  21. package/skills/architecture-design/references/clean-architecture.md +147 -0
  22. package/skills/architecture-design/references/component-principles.md +129 -0
  23. package/skills/architecture-design/references/principles.md +81 -0
  24. package/skills/architecture-design/references/solid-principles.md +106 -0
  25. package/skills/architecture-design/templates/adr.md +63 -0
  26. package/skills/architecture-documentation/SKILL.md +126 -0
  27. package/skills/architecture-documentation/evals/evals.json +44 -0
  28. package/skills/architecture-documentation/references/abstraction-levels.md +91 -0
  29. package/skills/architecture-documentation/references/diagram-tooling.md +141 -0
  30. package/skills/architecture-documentation/templates/architecture-doc.md +171 -0
  31. package/skills/bug-investigating/SKILL.md +133 -0
  32. package/skills/bug-investigating/evals/evals.json +56 -0
  33. package/skills/bug-investigating/references/common-bugs.md +62 -0
  34. package/skills/bug-investigating/references/debugging-patterns.md +94 -0
  35. package/skills/cicd-pipeline/SKILL.md +87 -0
  36. package/skills/cicd-pipeline/evals/evals.json +34 -0
  37. package/skills/cicd-pipeline/references/pipeline-patterns.md +206 -0
  38. package/skills/cicd-pipeline/templates/github-actions.md +206 -0
  39. package/skills/code-reviewing/SKILL.md +92 -0
  40. package/skills/code-reviewing/evals/evals.json +62 -0
  41. package/skills/code-reviewing/references/error-handling.md +108 -0
  42. package/skills/code-reviewing/references/review-checklist.md +144 -0
  43. package/skills/configuration-strategy/SKILL.md +109 -0
  44. package/skills/configuration-strategy/evals/evals.json +41 -0
  45. package/skills/configuration-strategy/references/config-patterns.md +161 -0
  46. package/skills/containerization/SKILL.md +90 -0
  47. package/skills/containerization/evals/evals.json +36 -0
  48. package/skills/containerization/references/dockerfile-patterns.md +168 -0
  49. package/skills/containerization/templates/dockerfile.md +154 -0
  50. package/skills/data-modeling/SKILL.md +83 -0
  51. package/skills/data-modeling/evals/evals.json +43 -0
  52. package/skills/data-modeling/references/conventions.md +57 -0
  53. package/skills/data-modeling/templates/schema.md +120 -0
  54. package/skills/dependency-impact-analysis/SKILL.md +113 -0
  55. package/skills/dependency-impact-analysis/evals/evals.json +41 -0
  56. package/skills/dependency-impact-analysis/references/impact-patterns.md +150 -0
  57. package/skills/dependency-management/SKILL.md +161 -0
  58. package/skills/dependency-management/evals/evals.json +48 -0
  59. package/skills/dependency-management/references/evaluation-checklist.md +127 -0
  60. package/skills/deployment-checklist/SKILL.md +132 -0
  61. package/skills/deployment-checklist/evals/evals.json +58 -0
  62. package/skills/deployment-checklist/references/pre-deploy-gates.md +91 -0
  63. package/skills/deployment-repo/SKILL.md +190 -0
  64. package/skills/deployment-repo/evals/evals.json +44 -0
  65. package/skills/deployment-repo/references/deployment-repo-patterns.md +258 -0
  66. package/skills/deployment-repo/references/version-compatibility.md +227 -0
  67. package/skills/deployment-repo/templates/deployment-repo-structure.md +226 -0
  68. package/skills/effort-estimation/SKILL.md +95 -0
  69. package/skills/effort-estimation/evals/evals.json +32 -0
  70. package/skills/effort-estimation/references/estimation-methods.md +154 -0
  71. package/skills/feature-planning/SKILL.md +84 -0
  72. package/skills/feature-planning/evals/evals.json +44 -0
  73. package/skills/feature-planning/templates/plan.md +55 -0
  74. package/skills/feature-planning/templates/task.md +26 -0
  75. package/skills/frontend-architecture/SKILL.md +154 -0
  76. package/skills/frontend-architecture/evals/evals.json +34 -0
  77. package/skills/frontend-architecture/references/component-patterns.md +264 -0
  78. package/skills/frontend-architecture/templates/folder-structure.md +203 -0
  79. package/skills/git-workflow/SKILL.md +127 -0
  80. package/skills/git-workflow/evals/evals.json +44 -0
  81. package/skills/git-workflow/references/conventions.md +142 -0
  82. package/skills/git-workflow/templates/pull-request.md +57 -0
  83. package/skills/gitops-delivery/SKILL.md +319 -0
  84. package/skills/gitops-delivery/evals/evals.json +44 -0
  85. package/skills/gitops-delivery/references/gitops-patterns.md +478 -0
  86. package/skills/gitops-delivery/templates/gitops-config.md +196 -0
  87. package/skills/incident-response/SKILL.md +130 -0
  88. package/skills/incident-response/evals/evals.json +55 -0
  89. package/skills/incident-response/references/communication-templates.md +134 -0
  90. package/skills/incident-response/references/severity-levels.md +77 -0
  91. package/skills/incident-response/templates/incident-timeline.md +57 -0
  92. package/skills/infrastructure-as-code/SKILL.md +86 -0
  93. package/skills/infrastructure-as-code/evals/evals.json +33 -0
  94. package/skills/infrastructure-as-code/references/iac-patterns.md +179 -0
  95. package/skills/infrastructure-as-code/templates/terraform-module.md +158 -0
  96. package/skills/metrics-and-okrs/SKILL.md +113 -0
  97. package/skills/metrics-and-okrs/evals/evals.json +33 -0
  98. package/skills/metrics-and-okrs/references/metric-catalog.md +90 -0
  99. package/skills/metrics-and-okrs/templates/okr-document.md +61 -0
  100. package/skills/ml-experiment-tracking/SKILL.md +96 -0
  101. package/skills/ml-experiment-tracking/evals/evals.json +32 -0
  102. package/skills/ml-experiment-tracking/references/tracking-tools.md +127 -0
  103. package/skills/ml-model-deployment/SKILL.md +106 -0
  104. package/skills/ml-model-deployment/evals/evals.json +34 -0
  105. package/skills/ml-model-deployment/references/serving-patterns.md +162 -0
  106. package/skills/ml-pipeline-design/SKILL.md +162 -0
  107. package/skills/ml-pipeline-design/evals/evals.json +34 -0
  108. package/skills/ml-pipeline-design/references/pipeline-components.md +174 -0
  109. package/skills/observability-design/SKILL.md +162 -0
  110. package/skills/observability-design/evals/evals.json +52 -0
  111. package/skills/observability-design/references/logging-patterns.md +229 -0
  112. package/skills/observability-design/references/slo-framework.md +151 -0
  113. package/skills/observability-design/templates/slo-document.md +80 -0
  114. package/skills/performance-optimization/SKILL.md +83 -0
  115. package/skills/performance-optimization/evals/evals.json +47 -0
  116. package/skills/performance-optimization/references/bottleneck-patterns.md +256 -0
  117. package/skills/performance-optimization/references/concurrency.md +101 -0
  118. package/skills/prd-writing/SKILL.md +109 -0
  119. package/skills/prd-writing/evals/evals.json +33 -0
  120. package/skills/prd-writing/references/prd-examples.md +132 -0
  121. package/skills/prd-writing/templates/prd.md +71 -0
  122. package/skills/prd-writing/templates/rfc.md +79 -0
  123. package/skills/project-documentation/SKILL.md +104 -0
  124. package/skills/project-documentation/evals/evals.json +48 -0
  125. package/skills/project-documentation/references/contributing-guide.md +100 -0
  126. package/skills/project-documentation/templates/changelog.md +59 -0
  127. package/skills/project-documentation/templates/readme.md +121 -0
  128. package/skills/project-proposal/SKILL.md +90 -0
  129. package/skills/project-proposal/evals/evals.json +31 -0
  130. package/skills/project-proposal/references/proposal-examples.md +140 -0
  131. package/skills/project-proposal/templates/proposal.md +76 -0
  132. package/skills/project-review/SKILL.md +111 -0
  133. package/skills/project-review/evals/evals.json +42 -0
  134. package/skills/refactoring/SKILL.md +90 -0
  135. package/skills/refactoring/evals/evals.json +44 -0
  136. package/skills/refactoring/references/transformations.md +132 -0
  137. package/skills/retrospective/SKILL.md +157 -0
  138. package/skills/retrospective/evals/evals.json +34 -0
  139. package/skills/retrospective/references/facilitation-guide.md +130 -0
  140. package/skills/retrospective/templates/post-mortem.md +121 -0
  141. package/skills/rollback-strategy/SKILL.md +116 -0
  142. package/skills/rollback-strategy/evals/evals.json +55 -0
  143. package/skills/rollback-strategy/references/rollback-patterns.md +125 -0
  144. package/skills/rollback-strategy/templates/rollback-plan.md +69 -0
  145. package/skills/security-audit/SKILL.md +146 -0
  146. package/skills/security-audit/evals/evals.json +66 -0
  147. package/skills/security-audit/references/owasp-top-10.md +167 -0
  148. package/skills/security-audit/templates/security-report.md +79 -0
  149. package/skills/skill-router/SKILL.md +171 -0
  150. package/skills/skill-router/evals/evals.json +39 -0
  151. package/skills/strategic-review/SKILL.md +106 -0
  152. package/skills/strategic-review/evals/evals.json +42 -0
  153. package/skills/strategic-review/templates/full-review-prompt.md +84 -0
  154. package/skills/tdd-workflow/SKILL.md +147 -0
  155. package/skills/tdd-workflow/evals/evals.json +58 -0
  156. package/skills/tdd-workflow/references/test-quality.md +71 -0
  157. package/skills/technical-debt-review/SKILL.md +113 -0
  158. package/skills/technical-debt-review/evals/evals.json +41 -0
  159. package/skills/technical-debt-review/references/debt-taxonomy.md +124 -0
  160. package/skills/technical-debt-review/templates/debt-audit.md +85 -0
  161. package/skills/test-data-strategy/SKILL.md +129 -0
  162. package/skills/test-data-strategy/evals/evals.json +49 -0
  163. package/skills/test-data-strategy/references/data-generation-patterns.md +341 -0
  164. package/skills/test-suite-design/SKILL.md +137 -0
  165. package/skills/test-suite-design/evals/evals.json +69 -0
  166. package/skills/test-suite-design/references/test-infrastructure.md +175 -0
  167. package/skills/test-suite-design/references/testing-pyramid.md +140 -0
  168. package/skills/ui-ux-design/SKILL.md +117 -0
  169. package/skills/ui-ux-design/evals/evals.json +35 -0
  170. package/skills/ui-ux-design/references/interaction-patterns.md +145 -0
  171. package/skills/ui-ux-design/templates/screen-spec.md +97 -0
  172. package/skills/verification-before-completion/SKILL.md +85 -0
  173. package/skills/verification-before-completion/evals/evals.json +53 -0
  174. package/skills/writing-skills/SKILL.md +87 -0
  175. package/skills/writing-skills/evals/evals.json +41 -0
  176. package/skills/writing-skills/references/pressure-testing.md +69 -0
  177. package/uninstall.mjs +182 -0
@@ -0,0 +1,132 @@
1
+ ---
2
+ name: deployment-checklist
3
+ description: "Pre-deploy verification and release safety checks — config, migrations, monitoring, rollback readiness, comms. Triggers: deployment checklist, ready to deploy, pre-deploy, release checklist, go-live, ship checklist, deploy safety, is this safe to ship, release readiness."
4
+ model: haiku
5
+ allowed-tools: Read, Grep, Glob, Write, Edit
6
+ ---
7
+
8
+ # Deployment Checklist
9
+
10
+ Ensure code is production-ready before deploying. This skill runs through a structured verification process that catches common deployment failures before they reach users.
11
+
12
+ ## ⛔ The Iron Law
13
+
14
+ **Don't check a box you haven't verified.**
15
+
16
+ Every checked item is backed by evidence — a command you ran in this session or code you read — not memory or assumption. "Should be fine" is not a verification. A blocked deploy is far cheaper than a production incident, so when a gate fails, stop and fix it before proceeding.
17
+
18
+ ## Workflow
19
+
20
+ ### Step 1: Assess the Change
21
+
22
+ Understand the scope and risk of what's being deployed:
23
+
24
+ - **What changed?** Review the diff against the deployment target branch
25
+ - **Change type?** Feature / bugfix / hotfix / infrastructure / dependency update
26
+ - **Risk level?** Low (cosmetic), Medium (logic change), High (data migration, auth, payments)
27
+ - **Rollback plan?** Can this be reverted with a simple deploy, or does it require data migration reversal?
28
+
29
+ ### Step 2: Run the Checklist
30
+
31
+ Walk through each section. Check items by reading code, running commands, and verifying artifacts.
32
+
33
+ #### Code Quality
34
+ - [ ] All tests pass (`npm test`, `pytest`, or project-specific command)
35
+ - [ ] No linting errors or warnings
36
+ - [ ] No `TODO` or `FIXME` items related to this change left unaddressed
37
+ - [ ] No debugging code (console.log, debugger, print statements) left in
38
+ - [ ] No commented-out code blocks
39
+
40
+ #### Testing
41
+ - [ ] New behavior has corresponding tests
42
+ - [ ] Edge cases and error paths are tested
43
+ - [ ] Integration tests pass against a clean environment
44
+ - [ ] If applicable: manual testing completed on staging
45
+
46
+ #### Security
47
+ - [ ] No hardcoded secrets, API keys, or credentials
48
+ - [ ] No new endpoints without authentication/authorization
49
+ - [ ] User input is validated and sanitized
50
+ - [ ] Dependencies have no known critical vulnerabilities (`npm audit`, `pip audit`)
51
+
52
+ #### Database & Data
53
+ - [ ] Migrations are forwards-compatible (old code works with new schema)
54
+ - [ ] Migrations are reversible
55
+ - [ ] Large data changes have been tested on production-sized data
56
+ - [ ] No destructive operations without confirmation (DROP, DELETE without WHERE)
57
+ - [ ] Backfill scripts are idempotent (safe to run multiple times)
58
+
59
+ #### Configuration & Environment
60
+ - [ ] New environment variables are documented and set in all target environments
61
+ - [ ] Feature flags are in the correct state for this release
62
+ - [ ] No environment-specific hardcoding (localhost URLs, test credentials)
63
+
64
+ #### Observability
65
+ - [ ] Errors are logged with sufficient context for debugging
66
+ - [ ] New endpoints/operations have appropriate metrics or monitoring
67
+ - [ ] Alert thresholds are reviewed for new functionality
68
+
69
+ #### Documentation
70
+ - [ ] README updated if setup steps changed
71
+ - [ ] API documentation updated for new/changed endpoints
72
+ - [ ] CHANGELOG updated (if project uses one)
73
+ - [ ] Breaking changes are clearly communicated
74
+
75
+ ### Step 3: Report
76
+
77
+ Summarize the checklist results:
78
+
79
+ - **Ready to deploy**: All checks pass
80
+ - **Needs attention**: List specific items that need fixing
81
+ - **Blocked**: Critical issues that must be resolved (data loss risk, security gap, failing tests)
82
+
83
+ ### Step 4: Deploy Safely
84
+
85
+ Based on the change risk level:
86
+
87
+ - **Low risk**: Deploy directly, monitor for 15 minutes
88
+ - **Medium risk**: Deploy to staging first, verify, then production. Monitor for 1 hour
89
+ - **High risk**: Deploy behind a feature flag, canary to a small percentage, monitor, then roll out gradually
90
+
91
+ ## Quick Reference
92
+
93
+ For urgent hotfixes where the full checklist feels heavy, run at minimum:
94
+ 1. Tests pass
95
+ 2. No secrets in code
96
+ 3. Migrations are reversible
97
+ 4. Rollback plan exists
98
+
99
+ Everything else can be addressed in a follow-up, but these four prevent the worst outcomes.
100
+
101
+ ## Principles Applied
102
+
103
+ - **KISS**: The simplest deploy that can safely reach production. Avoid adding complexity (new flags, new services) in the same deployment as the feature.
104
+ - **Defense in depth**: Validate at every gate — tests, staging, canary — not just once. Each gate catches a different class of failure.
105
+ - **Fail fast**: If a check fails, stop and fix before proceeding. A blocked deploy is far cheaper than a production incident.
106
+ - **YAGNI**: Don't deploy speculative configuration or unused feature flags. Unused config is future confusion.
107
+
108
+ See [references/pre-deploy-gates.md](references/pre-deploy-gates.md) for environment-specific checklists, schema migration safety, and rollback trigger criteria.
109
+
110
+ ## Rationalizations to reject
111
+
112
+ | Excuse | Reality |
113
+ |--------|---------|
114
+ | "Tests passed in CI yesterday" | Verify against the exact commit being deployed, now — not a stale run. |
115
+ | "It's a tiny change, skip the checklist" | Tiny changes cause outages too. Run at least the four-item minimum. |
116
+ | "Migrations are probably reversible" | "Probably" is not verified. Confirm the down-path exists and runs. |
117
+ | "We'll add monitoring after launch" | You can't observe an incident you never instrumented. |
118
+ | "No time for staging" | Skipping staging on a high-risk change is how data-loss incidents start. |
119
+
120
+ ## Red flags — stop and correct course
121
+
122
+ - Marking items complete from memory rather than checking.
123
+ - "Should be fine" / "probably works" language about any gate.
124
+ - Deploying a High-risk change with no rollback plan.
125
+ - Bundling a risky migration and a feature in the same deploy.
126
+
127
+ ## Cross-Skill References
128
+
129
+ - `rollback-strategy` — design the rollback plan before deploying (required for High-risk changes)
130
+ - `configuration-strategy` — verify all environment variables and feature flags are configured correctly
131
+ - `incident-response` — use if the deployment causes a production incident
132
+ - `verification-before-completion` — the evidence gate behind every checked box
@@ -0,0 +1,58 @@
1
+ {
2
+ "skill_name": "deployment-checklist",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "I've finished implementing the payment integration feature. It adds Stripe webhook handling and stores payment events in the database. I'm ready to deploy to production. Can you run through the deployment checklist?",
7
+ "expected_output": "Should run the full checklist with emphasis on security (webhook signature verification), database (migration review), and high-risk assessment. Should classify this as high-risk due to payment handling.",
8
+ "assertions": [
9
+ "Classifies this as high-risk (payments)",
10
+ "Checks for webhook signature verification",
11
+ "Reviews database migrations for reversibility",
12
+ "Checks for hardcoded API keys/secrets",
13
+ "Recommends feature flag or canary deployment",
14
+ "Asks about rollback plan for the data migration",
15
+ "Runs or requests test suite execution"
16
+ ]
17
+ },
18
+ {
19
+ "id": 2,
20
+ "prompt": "quick fix for a typo in the About page. can I just deploy this?",
21
+ "expected_output": "Should classify as low-risk, run a minimal checklist, and give a quick green light if checks pass.",
22
+ "assertions": [
23
+ "Classifies as low-risk (cosmetic change)",
24
+ "Runs abbreviated checklist, not the full thing",
25
+ "Still checks that tests pass",
26
+ "Does not over-process a simple change",
27
+ "Gives clear go/no-go recommendation"
28
+ ]
29
+ },
30
+ {
31
+ "id": 3,
32
+ "prompt": "We need to deploy a database migration that renames a column used by 3 services. We can't have downtime. Is this safe to deploy?",
33
+ "expected_output": "Should flag this as high-risk, recommend expand-contract pattern, and block a direct column rename. Should reference data-modeling skill for migration strategy.",
34
+ "assertions": [
35
+ "Flags column rename as dangerous in production",
36
+ "Recommends expand-contract migration pattern",
37
+ "Identifies that 3 services mean coordinated deployment is needed",
38
+ "Does NOT give a green light for a direct rename",
39
+ "Considers zero-downtime requirement",
40
+ "Suggests referencing the data-modeling skill for migration strategy"
41
+ ]
42
+ }
43
+ ],
44
+ "pressure_tests": [
45
+ {
46
+ "id": 1,
47
+ "prompt": "It's a one-line copy change and CI was green yesterday. I'm checking every box as done and deploying right now.",
48
+ "pressure": ["time", "sunk_cost"],
49
+ "expected_behavior": "Holds the Iron Law: don't check a box you haven't verified. Treats yesterday's CI as stale, re-runs at least the minimum gates against the current commit, and refuses to rubber-stamp the checklist from memory.",
50
+ "assertions": [
51
+ "Does NOT accept boxes checked from memory or from yesterday's CI",
52
+ "Re-runs verification against the exact current commit",
53
+ "Runs at least the four-item minimum",
54
+ "Does not rubber-stamp on 'it's only one line'"
55
+ ]
56
+ }
57
+ ]
58
+ }
@@ -0,0 +1,91 @@
1
+ # Pre-Deploy Gates
2
+
3
+ ## Gate 1: Code Review Complete
4
+
5
+ Before any deployment, the code must have been reviewed by at least one other engineer. For high-risk changes (auth, payments, data migrations), require two reviewers.
6
+
7
+ **What reviewers look for:**
8
+ - Logic correctness and edge cases
9
+ - Security issues (injection, auth gaps, secret exposure)
10
+ - Test coverage for new behavior
11
+ - Migration safety (see below)
12
+
13
+ ## Gate 2: Schema Migration Safety
14
+
15
+ Database migrations are the most common source of deployment failures. Verify before deploying:
16
+
17
+ **Safe migrations (backwards-compatible):**
18
+ - Adding a nullable column
19
+ - Adding a new table
20
+ - Adding an index (use `CREATE INDEX CONCURRENTLY` in Postgres)
21
+ - Renaming a column in a phased approach (add new → backfill → remove old)
22
+
23
+ **Unsafe migrations (require coordination):**
24
+ - Dropping a column that old code still reads
25
+ - Renaming a column in a single migration
26
+ - Adding a NOT NULL constraint without a default on an existing table
27
+ - Changing a column type (may lock table)
28
+
29
+ **Migration checklist:**
30
+ - [ ] Migration is reversible (has a `down` method or equivalent)
31
+ - [ ] Migration runs in under 30 seconds on production-sized data (or is marked non-locking)
32
+ - [ ] Old application code is compatible with the new schema
33
+ - [ ] Migration has been tested on a recent production data snapshot
34
+
35
+ ## Gate 3: Secrets and Configuration
36
+
37
+ **Verify:**
38
+ - [ ] All new environment variables are set in target environment(s) before deploying
39
+ - [ ] New secrets are stored in the secrets manager (not in `.env` files checked in)
40
+ - [ ] No credentials appear in code diff, logs, or error messages
41
+ - [ ] Feature flags required for this release are in the correct state
42
+
43
+ **Common failure mode:** Deploying code that reads a new env var before the var is set. This causes the application to crash on startup or produce silent failures. Always set the variable first, then deploy the code that reads it.
44
+
45
+ ## Gate 4: Rollback Triggers
46
+
47
+ Define these before deploying. If any trigger fires, roll back immediately without waiting for investigation:
48
+
49
+ | Metric | Rollback threshold |
50
+ |--------|-------------------|
51
+ | Error rate | > 1% of requests (or 2x baseline, whichever is lower) |
52
+ | P99 latency | > 3x baseline |
53
+ | 5xx rate | Any spike above noise floor |
54
+ | Queue depth | Backlog growing for > 5 minutes |
55
+ | Business metric | Checkout rate, signup rate drops > 10% |
56
+
57
+ Set up monitoring dashboards before deploying. If you can't see the metrics, you can't detect the trigger.
58
+
59
+ ## Per-Environment Checklist
60
+
61
+ ### Development / Local
62
+ - Tests pass
63
+ - No lint errors
64
+ - Feature works manually
65
+
66
+ ### Staging
67
+ All development checks, plus:
68
+ - Integration tests pass against staging services
69
+ - Migration runs successfully on staging database
70
+ - New env vars are configured in staging
71
+ - Manual smoke test of critical paths
72
+
73
+ ### Production
74
+ All staging checks, plus:
75
+ - Rollback plan documented and tested
76
+ - On-call engineer aware of deployment
77
+ - Monitoring dashboard open
78
+ - Deployment window appropriate (avoid Friday afternoon, peak traffic hours)
79
+ - Runbook updated if operational behavior changed
80
+
81
+ ## Secrets Rotation Procedures
82
+
83
+ When rotating a secret that is actively used:
84
+
85
+ 1. **Generate new secret** — create the new value without deleting the old one
86
+ 2. **Add to application** — update the application to accept both old and new values (if possible) or to use the new value
87
+ 3. **Deploy** — deploy the application update
88
+ 4. **Verify** — confirm the application is using the new secret correctly
89
+ 5. **Revoke old secret** — only after confirming new secret works
90
+
91
+ For API keys that can't be dual-accepted: schedule a maintenance window, update key and redeploy atomically, verify immediately, keep old key available for 24 hours before revoking.
@@ -0,0 +1,190 @@
1
+ ---
2
+ name: deployment-repo
3
+ description: "Design a deployment (GitOps) repo that orchestrates multiple services in a polyrepo — version pinning, environment promotion, compatibility matrices, system config. Triggers: deployment repo, GitOps repo, polyrepo, multi-repo, version pinning, compatibility matrix, environment promotion, multi-service deployment, orchestration repo, which versions work together."
4
+ model: sonnet
5
+ allowed-tools: Read, Grep, Glob, Write, Edit, Bash
6
+ ---
7
+
8
+ # Deployment Repository Design
9
+
10
+ The deployment repo is the single source of truth for how a distributed system is composed. Individual app repos answer "where does service X live?" — the deployment repo answers "where does the system live?"
11
+
12
+ ## Step 1: Assess the System
13
+
14
+ Before designing the repo, map the landscape:
15
+
16
+ - **Services**: How many repos, what each service does, what language/framework
17
+ - **Communication**: How services talk (REST, gRPC, events/queues, shared database)
18
+ - **Team structure**: One team owns everything vs. multiple teams with service ownership
19
+ - **Current deployment**: How are services deployed today? Manual, CI-driven, ad hoc?
20
+ - **Environments**: Local dev, staging, production? More?
21
+
22
+ **Determine scale tier:**
23
+
24
+ | Tier | Team size | Services | Recommended tooling |
25
+ |------|-----------|----------|-------------------|
26
+ | **Lightweight** | 1 team | 2-5 | docker-compose, Makefile, `.env` files |
27
+ | **Standard** | 2-3 teams | 5-15 | Helm or Kustomize, CI-driven promotion |
28
+ | **Enterprise** | Many teams | 15+ | Helm + ArgoCD/Flux, automated promotion, audit trails |
29
+
30
+ Start at the lightest tier that fits. You can graduate up — premature complexity is worse than growing into it.
31
+
32
+ ## Step 2: Design the Repo Structure
33
+
34
+ The deployment repo contains everything needed to compose, deploy, and validate the full system. See [references/deployment-repo-patterns.md](references/deployment-repo-patterns.md) for detailed structures per tier and [templates/deployment-repo-structure.md](templates/deployment-repo-structure.md) for scaffolding.
35
+
36
+ **Core directories (all tiers):**
37
+
38
+ ```
39
+ deployment-repo/
40
+ ├── versions.yaml # Compatible service versions (the compatibility lock)
41
+ ├── docker-compose.yml # Local dev orchestration
42
+ ├── .env.example # Environment template
43
+ ├── Makefile # Developer-friendly commands (make up, make test)
44
+ ├── environments/ # Per-environment overrides
45
+ │ ├── dev/
46
+ │ ├── staging/
47
+ │ └── production/
48
+ ├── tests/
49
+ │ └── e2e/ # Cross-service E2E tests
50
+ ├── docs/
51
+ │ ├── architecture/ # ADRs, system diagrams
52
+ │ └── runbooks/ # Operational procedures
53
+ └── scripts/ # Utility scripts (setup, seed, health checks)
54
+ ```
55
+
56
+ **Standard/Enterprise additions:**
57
+
58
+ ```
59
+ ├── infrastructure/ # Shared IaC (Terraform modules, network config)
60
+ ├── helm/ # Helm umbrella chart or per-service charts
61
+ │ ├── Chart.yaml # Dependencies with pinned versions
62
+ │ └── values/
63
+ │ ├── dev.yaml
64
+ │ ├── staging.yaml
65
+ │ └── production.yaml
66
+ ├── contracts/ # API contracts (OpenAPI specs, Pact contracts)
67
+ └── ci/ # System-level CI/CD pipelines
68
+ ```
69
+
70
+ **Choose the manifest format based on tier:**
71
+ - **Lightweight**: `docker-compose.yml` with image tags pinned in `versions.yaml` or `.env`
72
+ - **Standard**: Helm charts with `values-<env>.yaml` overrides, or Kustomize with base + overlays
73
+ - **Enterprise**: Helm umbrella chart with sub-charts per service, or Kustomize with ApplicationSets
74
+
75
+ ## Step 3: Define the Version Pinning Strategy
76
+
77
+ This is the core mechanism. The deployment repo acts as a **compatibility lock** — analogous to `package-lock.json` but at the system level.
78
+
79
+ **Semantic versioning is the contract.** Each app repo tags releases with semver (`v1.2.3`). The deployment repo's `versions.yaml` records which versions have been validated together:
80
+
81
+ ```yaml
82
+ # versions.yaml — the compatibility lock
83
+ services:
84
+ api-gateway:
85
+ image: registry.example.com/api-gateway
86
+ version: v2.3.1
87
+ user-service:
88
+ image: registry.example.com/user-service
89
+ version: v1.7.0
90
+ billing-service:
91
+ image: registry.example.com/billing-service
92
+ version: v3.1.2
93
+
94
+ validated:
95
+ timestamp: "2025-01-15T14:30:00Z"
96
+ e2e_result: pass
97
+ contract_result: pass
98
+ ```
99
+
100
+ **Version pinning rules:**
101
+
102
+ 1. **Pin exact versions, not ranges** — `v1.7.0`, not `v1.x` or `latest`. The deployment repo records what was tested, not what might work.
103
+ 2. **Promote version sets, not individual services** — When staging's version set passes validation, the entire set promotes to production. This prevents "it worked in staging" failures caused by version drift.
104
+ 3. **Breaking changes require coordinated bumps** — If `api-gateway` v3.0.0 requires `user-service` v2.0.0, both versions update in the same deployment repo commit.
105
+ 4. **Every version combination that reaches an environment is recorded** — The deployment repo's git history IS the audit trail of what ran where and when.
106
+
107
+ See [references/version-compatibility.md](references/version-compatibility.md) for semver contract details, compatibility matrices, and breaking change coordination patterns.
108
+
109
+ ## Step 4: Design Contract Tests
110
+
111
+ Version pinning is only trustworthy if compatibility is actually tested. Contract tests validate that pinned versions can talk to each other.
112
+
113
+ **Consumer-driven contracts (recommended for HTTP APIs):**
114
+ - Each consumer service defines its expectations of a provider's API (a "contract")
115
+ - Contracts live in the deployment repo's `contracts/` directory or are published to a Pact Broker
116
+ - The deployment repo CI runs contract verification: for each service pair, verify that the pinned provider version satisfies the pinned consumer's contract
117
+ - The **`can-i-deploy`** check (Pact Broker) answers: "are these specific versions compatible?"
118
+
119
+ **Schema validation (recommended for event-driven systems):**
120
+ - Event schemas (Avro, Protobuf, JSON Schema) live in the deployment repo or a schema registry
121
+ - CI validates that producer schemas are backward-compatible with what consumers expect
122
+ - Schema evolution rules: additive changes are safe, field removal/rename is breaking
123
+
124
+ **What to test in the deployment repo CI:**
125
+ 1. Contract compatibility between all pinned service versions
126
+ 2. E2E smoke tests against the composed system (docker-compose up + test suite)
127
+ 3. Database migration compatibility (if services share a database)
128
+
129
+ ## Step 5: Set Up Environment Promotion
130
+
131
+ The deployment repo PR is the promotion mechanism. No version reaches any environment without going through it.
132
+
133
+ **Promotion flow:**
134
+
135
+ ```
136
+ App repo tags v1.8.0
137
+ → Automated PR to deployment repo: "bump user-service to v1.8.0 in dev"
138
+ → CI runs contract tests + E2E in dev
139
+ → Merge → dev deploys automatically
140
+ → Manual PR: "promote dev version set to staging"
141
+ → CI runs full E2E in staging
142
+ → Merge → staging deploys
143
+ → Manual PR with approval gate: "promote to production"
144
+ → Merge → production deploys (canary optional)
145
+ ```
146
+
147
+ **Key design decisions:**
148
+ - **Dev**: auto-promote on merge, fast feedback
149
+ - **Staging**: manual promotion trigger, full E2E validation
150
+ - **Production**: approval gate (require N reviewers), optional canary rollout
151
+ - **Rollback**: revert the deployment repo commit — the previous version set is restored
152
+
153
+ For automated cross-repo triggers (app repo build -> deployment repo PR), see `gitops-delivery`.
154
+
155
+ ## Step 6: Validate and Document
156
+
157
+ Verify the full lifecycle works:
158
+
159
+ - [ ] A version bump in an app repo triggers an update in the deployment repo (manual or automated)
160
+ - [ ] Contract tests catch an intentionally incompatible version combination
161
+ - [ ] E2E tests run against the composed system in CI
162
+ - [ ] Promotion from dev to staging works via PR
163
+ - [ ] Rollback works by reverting a deployment repo commit
164
+ - [ ] A new developer can `make up` and get the full system running locally
165
+ - [ ] Adding a new service to the deployment repo is documented
166
+
167
+ **Document for the team:**
168
+ - How to add a new service to the deployment repo
169
+ - How to bump a service version (manual process or automated trigger)
170
+ - How to promote across environments
171
+ - How to rollback
172
+ - How to run E2E tests locally
173
+
174
+ ## Principles Applied
175
+
176
+ - **Single source of truth**: The deployment repo is THE place to understand what's running where. Don't split this knowledge across wikis, Slack threads, and CI configs.
177
+ - **KISS**: Start lightweight (docker-compose + versions.yaml). Graduate to Helm/ArgoCD when the pain of the simple approach exceeds the cost of the complex one.
178
+ - **Explicit over implicit**: Pin exact versions. Record test results. Make the compatibility lock visible, not assumed.
179
+ - **YAGNI**: Don't set up Helm umbrella charts for 3 services. Don't add ArgoCD before you have multiple environments. Scale the tooling to the problem.
180
+ - **Promote sets, not services**: The fundamental principle — a validated version set moves together through environments.
181
+
182
+ ## Cross-Skill References
183
+
184
+ - `gitops-delivery` — automate delivery from the deployment repo using ArgoCD/Flux and cross-repo triggers
185
+ - `containerization` — Helm chart structure, Kustomize overlays, and Dockerfile patterns for services
186
+ - `infrastructure-as-code` — Terraform modules for shared infrastructure in the deployment repo
187
+ - `cicd-pipeline` — system-level CI pipelines and cross-repo pipeline design
188
+ - `dependency-impact-analysis` — map blast radius of breaking changes across services before updating version pins
189
+ - `rollback-strategy` — rollback in a deployment repo context is a git revert of the version set
190
+ - `architecture-design` — ADR for adopting the deployment repo pattern itself
@@ -0,0 +1,44 @@
1
+ {
2
+ "skill_name": "deployment-repo",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "We have 5 microservices in separate GitHub repos (auth-service, user-service, billing-service, notification-service, api-gateway). They communicate via REST APIs and a shared event bus (RabbitMQ). We deploy to Kubernetes with 3 environments (dev, staging, prod). How should we set up a deployment repo to coordinate them?",
7
+ "expected_output": "Should produce a standard-tier deployment repo structure with Helm or Kustomize for K8s, a versions.yaml pinning all 5 services, contract testing strategy for REST APIs and event schemas, environment promotion flow, and E2E test orchestration.",
8
+ "assertions": [
9
+ "Recommends a separate deployment repository, not embedding deployment config in app repos",
10
+ "Produces a directory structure with version pins, per-environment configs, and E2E tests",
11
+ "Designs a versions.yaml (or equivalent) pinning exact versions of all 5 services",
12
+ "Recommends Helm or Kustomize for multi-environment K8s manifests (not plain manifests)",
13
+ "Includes contract testing strategy for both REST APIs and event schemas",
14
+ "Defines environment promotion flow: dev -> staging -> prod with appropriate gates",
15
+ "Addresses how a version bump in an app repo reaches the deployment repo",
16
+ "Cross-references containerization for Helm chart details and gitops-delivery for automation"
17
+ ]
18
+ },
19
+ {
20
+ "id": 2,
21
+ "prompt": "We're a small team with 3 services (FastAPI backend, Next.js frontend, PostgreSQL), all using Docker Compose for local dev and a single staging server. Is a deployment repo overkill for us?",
22
+ "expected_output": "Should validate the lightweight tier, recommend a simple deployment repo with docker-compose and version pinning, and explain how it scales up when needed. Should NOT push Kubernetes, Helm, or ArgoCD.",
23
+ "assertions": [
24
+ "Validates that a deployment repo is NOT overkill even for small teams",
25
+ "Recommends the lightweight tier with docker-compose and a simple version manifest",
26
+ "Does NOT recommend Kubernetes, Helm, or GitOps operators for this scale",
27
+ "Shows a minimal but useful repo structure (docker-compose, versions file, Makefile, .env.example)",
28
+ "Explains the immediate value: one command to run the full system, version tracking, onboarding",
29
+ "Acknowledges the pattern scales up as the team grows without requiring a rewrite"
30
+ ]
31
+ },
32
+ {
33
+ "id": 3,
34
+ "prompt": "How do I write Pact contract tests between my frontend and backend API?",
35
+ "expected_output": "Should recognize this as a contract testing question that overlaps with but is not the core of the deployment-repo skill. Should provide brief context on how contract tests fit into the deployment repo pattern, then redirect to test-suite-design for implementation details.",
36
+ "assertions": [
37
+ "Recognizes this is primarily a testing question, not a deployment repo design question",
38
+ "Provides brief context on how contract tests relate to the deployment repo (they validate version compatibility)",
39
+ "References test-suite-design for detailed contract test implementation guidance",
40
+ "Does not attempt to be a full Pact tutorial within the deployment-repo skill"
41
+ ]
42
+ }
43
+ ]
44
+ }