swe-workflow-skills 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (177) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +144 -0
  3. package/VERSION +1 -0
  4. package/bin/cli.mjs +44 -0
  5. package/catalog.json +225 -0
  6. package/commands/role.md +34 -0
  7. package/hooks/session-start.mjs +118 -0
  8. package/install.mjs +318 -0
  9. package/package.json +47 -0
  10. package/roles.json +194 -0
  11. package/scripts/resolve.mjs +296 -0
  12. package/skills/accessibility-design/SKILL.md +128 -0
  13. package/skills/accessibility-design/evals/evals.json +51 -0
  14. package/skills/accessibility-design/references/accessibility-patterns.md +321 -0
  15. package/skills/api-design/SKILL.md +144 -0
  16. package/skills/api-design/evals/evals.json +48 -0
  17. package/skills/api-design/references/rest-conventions.md +147 -0
  18. package/skills/api-design/templates/api-spec.md +156 -0
  19. package/skills/architecture-design/SKILL.md +86 -0
  20. package/skills/architecture-design/evals/evals.json +44 -0
  21. package/skills/architecture-design/references/clean-architecture.md +147 -0
  22. package/skills/architecture-design/references/component-principles.md +129 -0
  23. package/skills/architecture-design/references/principles.md +81 -0
  24. package/skills/architecture-design/references/solid-principles.md +106 -0
  25. package/skills/architecture-design/templates/adr.md +63 -0
  26. package/skills/architecture-documentation/SKILL.md +126 -0
  27. package/skills/architecture-documentation/evals/evals.json +44 -0
  28. package/skills/architecture-documentation/references/abstraction-levels.md +91 -0
  29. package/skills/architecture-documentation/references/diagram-tooling.md +141 -0
  30. package/skills/architecture-documentation/templates/architecture-doc.md +171 -0
  31. package/skills/bug-investigating/SKILL.md +133 -0
  32. package/skills/bug-investigating/evals/evals.json +56 -0
  33. package/skills/bug-investigating/references/common-bugs.md +62 -0
  34. package/skills/bug-investigating/references/debugging-patterns.md +94 -0
  35. package/skills/cicd-pipeline/SKILL.md +87 -0
  36. package/skills/cicd-pipeline/evals/evals.json +34 -0
  37. package/skills/cicd-pipeline/references/pipeline-patterns.md +206 -0
  38. package/skills/cicd-pipeline/templates/github-actions.md +206 -0
  39. package/skills/code-reviewing/SKILL.md +92 -0
  40. package/skills/code-reviewing/evals/evals.json +62 -0
  41. package/skills/code-reviewing/references/error-handling.md +108 -0
  42. package/skills/code-reviewing/references/review-checklist.md +144 -0
  43. package/skills/configuration-strategy/SKILL.md +109 -0
  44. package/skills/configuration-strategy/evals/evals.json +41 -0
  45. package/skills/configuration-strategy/references/config-patterns.md +161 -0
  46. package/skills/containerization/SKILL.md +90 -0
  47. package/skills/containerization/evals/evals.json +36 -0
  48. package/skills/containerization/references/dockerfile-patterns.md +168 -0
  49. package/skills/containerization/templates/dockerfile.md +154 -0
  50. package/skills/data-modeling/SKILL.md +83 -0
  51. package/skills/data-modeling/evals/evals.json +43 -0
  52. package/skills/data-modeling/references/conventions.md +57 -0
  53. package/skills/data-modeling/templates/schema.md +120 -0
  54. package/skills/dependency-impact-analysis/SKILL.md +113 -0
  55. package/skills/dependency-impact-analysis/evals/evals.json +41 -0
  56. package/skills/dependency-impact-analysis/references/impact-patterns.md +150 -0
  57. package/skills/dependency-management/SKILL.md +161 -0
  58. package/skills/dependency-management/evals/evals.json +48 -0
  59. package/skills/dependency-management/references/evaluation-checklist.md +127 -0
  60. package/skills/deployment-checklist/SKILL.md +132 -0
  61. package/skills/deployment-checklist/evals/evals.json +58 -0
  62. package/skills/deployment-checklist/references/pre-deploy-gates.md +91 -0
  63. package/skills/deployment-repo/SKILL.md +190 -0
  64. package/skills/deployment-repo/evals/evals.json +44 -0
  65. package/skills/deployment-repo/references/deployment-repo-patterns.md +258 -0
  66. package/skills/deployment-repo/references/version-compatibility.md +227 -0
  67. package/skills/deployment-repo/templates/deployment-repo-structure.md +226 -0
  68. package/skills/effort-estimation/SKILL.md +95 -0
  69. package/skills/effort-estimation/evals/evals.json +32 -0
  70. package/skills/effort-estimation/references/estimation-methods.md +154 -0
  71. package/skills/feature-planning/SKILL.md +84 -0
  72. package/skills/feature-planning/evals/evals.json +44 -0
  73. package/skills/feature-planning/templates/plan.md +55 -0
  74. package/skills/feature-planning/templates/task.md +26 -0
  75. package/skills/frontend-architecture/SKILL.md +154 -0
  76. package/skills/frontend-architecture/evals/evals.json +34 -0
  77. package/skills/frontend-architecture/references/component-patterns.md +264 -0
  78. package/skills/frontend-architecture/templates/folder-structure.md +203 -0
  79. package/skills/git-workflow/SKILL.md +127 -0
  80. package/skills/git-workflow/evals/evals.json +44 -0
  81. package/skills/git-workflow/references/conventions.md +142 -0
  82. package/skills/git-workflow/templates/pull-request.md +57 -0
  83. package/skills/gitops-delivery/SKILL.md +319 -0
  84. package/skills/gitops-delivery/evals/evals.json +44 -0
  85. package/skills/gitops-delivery/references/gitops-patterns.md +478 -0
  86. package/skills/gitops-delivery/templates/gitops-config.md +196 -0
  87. package/skills/incident-response/SKILL.md +130 -0
  88. package/skills/incident-response/evals/evals.json +55 -0
  89. package/skills/incident-response/references/communication-templates.md +134 -0
  90. package/skills/incident-response/references/severity-levels.md +77 -0
  91. package/skills/incident-response/templates/incident-timeline.md +57 -0
  92. package/skills/infrastructure-as-code/SKILL.md +86 -0
  93. package/skills/infrastructure-as-code/evals/evals.json +33 -0
  94. package/skills/infrastructure-as-code/references/iac-patterns.md +179 -0
  95. package/skills/infrastructure-as-code/templates/terraform-module.md +158 -0
  96. package/skills/metrics-and-okrs/SKILL.md +113 -0
  97. package/skills/metrics-and-okrs/evals/evals.json +33 -0
  98. package/skills/metrics-and-okrs/references/metric-catalog.md +90 -0
  99. package/skills/metrics-and-okrs/templates/okr-document.md +61 -0
  100. package/skills/ml-experiment-tracking/SKILL.md +96 -0
  101. package/skills/ml-experiment-tracking/evals/evals.json +32 -0
  102. package/skills/ml-experiment-tracking/references/tracking-tools.md +127 -0
  103. package/skills/ml-model-deployment/SKILL.md +106 -0
  104. package/skills/ml-model-deployment/evals/evals.json +34 -0
  105. package/skills/ml-model-deployment/references/serving-patterns.md +162 -0
  106. package/skills/ml-pipeline-design/SKILL.md +162 -0
  107. package/skills/ml-pipeline-design/evals/evals.json +34 -0
  108. package/skills/ml-pipeline-design/references/pipeline-components.md +174 -0
  109. package/skills/observability-design/SKILL.md +162 -0
  110. package/skills/observability-design/evals/evals.json +52 -0
  111. package/skills/observability-design/references/logging-patterns.md +229 -0
  112. package/skills/observability-design/references/slo-framework.md +151 -0
  113. package/skills/observability-design/templates/slo-document.md +80 -0
  114. package/skills/performance-optimization/SKILL.md +83 -0
  115. package/skills/performance-optimization/evals/evals.json +47 -0
  116. package/skills/performance-optimization/references/bottleneck-patterns.md +256 -0
  117. package/skills/performance-optimization/references/concurrency.md +101 -0
  118. package/skills/prd-writing/SKILL.md +109 -0
  119. package/skills/prd-writing/evals/evals.json +33 -0
  120. package/skills/prd-writing/references/prd-examples.md +132 -0
  121. package/skills/prd-writing/templates/prd.md +71 -0
  122. package/skills/prd-writing/templates/rfc.md +79 -0
  123. package/skills/project-documentation/SKILL.md +104 -0
  124. package/skills/project-documentation/evals/evals.json +48 -0
  125. package/skills/project-documentation/references/contributing-guide.md +100 -0
  126. package/skills/project-documentation/templates/changelog.md +59 -0
  127. package/skills/project-documentation/templates/readme.md +121 -0
  128. package/skills/project-proposal/SKILL.md +90 -0
  129. package/skills/project-proposal/evals/evals.json +31 -0
  130. package/skills/project-proposal/references/proposal-examples.md +140 -0
  131. package/skills/project-proposal/templates/proposal.md +76 -0
  132. package/skills/project-review/SKILL.md +111 -0
  133. package/skills/project-review/evals/evals.json +42 -0
  134. package/skills/refactoring/SKILL.md +90 -0
  135. package/skills/refactoring/evals/evals.json +44 -0
  136. package/skills/refactoring/references/transformations.md +132 -0
  137. package/skills/retrospective/SKILL.md +157 -0
  138. package/skills/retrospective/evals/evals.json +34 -0
  139. package/skills/retrospective/references/facilitation-guide.md +130 -0
  140. package/skills/retrospective/templates/post-mortem.md +121 -0
  141. package/skills/rollback-strategy/SKILL.md +116 -0
  142. package/skills/rollback-strategy/evals/evals.json +55 -0
  143. package/skills/rollback-strategy/references/rollback-patterns.md +125 -0
  144. package/skills/rollback-strategy/templates/rollback-plan.md +69 -0
  145. package/skills/security-audit/SKILL.md +146 -0
  146. package/skills/security-audit/evals/evals.json +66 -0
  147. package/skills/security-audit/references/owasp-top-10.md +167 -0
  148. package/skills/security-audit/templates/security-report.md +79 -0
  149. package/skills/skill-router/SKILL.md +171 -0
  150. package/skills/skill-router/evals/evals.json +39 -0
  151. package/skills/strategic-review/SKILL.md +106 -0
  152. package/skills/strategic-review/evals/evals.json +42 -0
  153. package/skills/strategic-review/templates/full-review-prompt.md +84 -0
  154. package/skills/tdd-workflow/SKILL.md +147 -0
  155. package/skills/tdd-workflow/evals/evals.json +58 -0
  156. package/skills/tdd-workflow/references/test-quality.md +71 -0
  157. package/skills/technical-debt-review/SKILL.md +113 -0
  158. package/skills/technical-debt-review/evals/evals.json +41 -0
  159. package/skills/technical-debt-review/references/debt-taxonomy.md +124 -0
  160. package/skills/technical-debt-review/templates/debt-audit.md +85 -0
  161. package/skills/test-data-strategy/SKILL.md +129 -0
  162. package/skills/test-data-strategy/evals/evals.json +49 -0
  163. package/skills/test-data-strategy/references/data-generation-patterns.md +341 -0
  164. package/skills/test-suite-design/SKILL.md +137 -0
  165. package/skills/test-suite-design/evals/evals.json +69 -0
  166. package/skills/test-suite-design/references/test-infrastructure.md +175 -0
  167. package/skills/test-suite-design/references/testing-pyramid.md +140 -0
  168. package/skills/ui-ux-design/SKILL.md +117 -0
  169. package/skills/ui-ux-design/evals/evals.json +35 -0
  170. package/skills/ui-ux-design/references/interaction-patterns.md +145 -0
  171. package/skills/ui-ux-design/templates/screen-spec.md +97 -0
  172. package/skills/verification-before-completion/SKILL.md +85 -0
  173. package/skills/verification-before-completion/evals/evals.json +53 -0
  174. package/skills/writing-skills/SKILL.md +87 -0
  175. package/skills/writing-skills/evals/evals.json +41 -0
  176. package/skills/writing-skills/references/pressure-testing.md +69 -0
  177. package/uninstall.mjs +182 -0
@@ -0,0 +1,167 @@
1
+ # OWASP Top 10 Security Checklist
2
+
3
+ ## Contents
4
+ - A01: Broken Access Control
5
+ - A02: Cryptographic Failures
6
+ - A03: Injection
7
+ - A04: Insecure Design
8
+ - A05: Security Misconfiguration
9
+ - A06: Vulnerable and Outdated Components
10
+ - A07: Identification and Authentication Failures
11
+ - A08: Software and Data Integrity Failures
12
+ - A09: Security Logging and Monitoring Failures
13
+ - A10: Server-Side Request Forgery (SSRF)
14
+
15
+ ## A01: Broken Access Control
16
+
17
+ The #1 vulnerability. Access control means enforcing that users can only act within their intended permissions.
18
+
19
+ **What to check:**
20
+ - [ ] Every API endpoint enforces authentication (not just the frontend)
21
+ - [ ] Authorization is checked server-side for every protected operation
22
+ - [ ] Users cannot access other users' data by changing IDs in URLs (IDOR)
23
+ - [ ] Directory traversal is prevented (no `../` in file paths from user input)
24
+ - [ ] CORS is configured to allow only specific trusted origins (not `*`)
25
+ - [ ] JWT tokens are validated properly (algorithm, signature, expiry, issuer)
26
+ - [ ] API rate limiting prevents enumeration attacks
27
+ - [ ] Metadata manipulation is blocked (tampering with JWT, cookies, hidden fields)
28
+
29
+ **Common patterns to flag:**
30
+ ```javascript
31
+ // BAD: Only checks if logged in, not if authorized for THIS resource
32
+ app.get('/orders/:id', authenticate, async (req, res) => {
33
+ const order = await db.orders.findById(req.params.id);
34
+ res.json(order); // Any authenticated user can see ANY order
35
+ });
36
+
37
+ // GOOD: Checks ownership
38
+ app.get('/orders/:id', authenticate, async (req, res) => {
39
+ const order = await db.orders.findOne({
40
+ id: req.params.id,
41
+ userId: req.user.id // Scoped to the authenticated user
42
+ });
43
+ if (!order) return res.status(404).json({ error: 'Not found' });
44
+ res.json(order);
45
+ });
46
+ ```
47
+
48
+ ## A02: Cryptographic Failures
49
+
50
+ Sensitive data exposure through weak or missing cryptography.
51
+
52
+ **What to check:**
53
+ - [ ] Passwords hashed with bcrypt, argon2, or scrypt (never MD5, SHA-1, or SHA-256 alone)
54
+ - [ ] Sufficient work factor (bcrypt rounds >= 12, argon2 with recommended params)
55
+ - [ ] TLS 1.2+ enforced for all connections
56
+ - [ ] Sensitive data encrypted at rest (PII, financial data, health data)
57
+ - [ ] Encryption keys managed properly (not hardcoded, rotated periodically)
58
+ - [ ] No sensitive data in URLs (tokens, passwords in query strings)
59
+ - [ ] Proper random number generation (crypto.randomBytes, not Math.random)
60
+
61
+ ## A03: Injection
62
+
63
+ Untrusted data sent to an interpreter as part of a command or query.
64
+
65
+ **What to check:**
66
+ - [ ] SQL queries use parameterized statements (never string concatenation)
67
+ - [ ] NoSQL queries use typed parameters (not raw user input in operators)
68
+ - [ ] OS commands use parameterized execution (never shell interpolation)
69
+ - [ ] LDAP queries are parameterized
70
+ - [ ] XPath/XML queries are parameterized
71
+ - [ ] HTML output is escaped to prevent XSS (use framework auto-escaping)
72
+ - [ ] User input in `eval()`, `Function()`, or template literals is blocked
73
+ - [ ] GraphQL queries are depth-limited and complexity-bounded
74
+
75
+ **Injection types and their signatures:**
76
+
77
+ | Type | Dangerous Pattern | Safe Pattern |
78
+ |------|------------------|-------------|
79
+ | SQL | `"SELECT * FROM users WHERE id = " + userId` | `db.query("SELECT * FROM users WHERE id = $1", [userId])` |
80
+ | XSS | `innerHTML = userInput` | `textContent = userInput` or framework escaping |
81
+ | Command | `exec("ls " + userPath)` | `execFile("ls", [userPath])` |
82
+ | NoSQL | `{ $where: userInput }` | `{ field: { $eq: userInput } }` |
83
+ | Template | `` `Hello ${userInput}` `` in template engine | Template engine with auto-escaping |
84
+
85
+ ## A04: Insecure Design
86
+
87
+ Flaws in the design itself, not just the implementation.
88
+
89
+ **What to check:**
90
+ - [ ] Business logic has server-side enforcement (not just client-side validation)
91
+ - [ ] Rate limiting on resource-intensive operations
92
+ - [ ] Transaction limits enforced server-side
93
+ - [ ] Multi-step processes can't skip steps
94
+ - [ ] File upload validates type, size, and content (not just extension)
95
+ - [ ] No mass assignment vulnerabilities (user can't set `role: 'admin'` by adding fields)
96
+
97
+ ## A05: Security Misconfiguration
98
+
99
+ Default or incomplete configurations that leave openings.
100
+
101
+ **What to check:**
102
+ - [ ] No default credentials in any environment
103
+ - [ ] Error messages don't expose stack traces or internal details to users
104
+ - [ ] Unnecessary HTTP methods disabled (TRACE, OPTIONS where not needed)
105
+ - [ ] Security headers configured: CSP, X-Frame-Options, X-Content-Type-Options, HSTS
106
+ - [ ] Directory listing disabled on web servers
107
+ - [ ] Debug mode disabled in production
108
+ - [ ] Cloud storage buckets/blobs are not publicly accessible by default
109
+ - [ ] Database ports not exposed to the internet
110
+
111
+ ## A06: Vulnerable and Outdated Components
112
+
113
+ Using components with known vulnerabilities.
114
+
115
+ **What to check:**
116
+ - [ ] `npm audit` / `pip audit` / `govulncheck` shows no critical vulnerabilities
117
+ - [ ] Dependencies are reasonably up to date (no major versions behind)
118
+ - [ ] Unused dependencies are removed (reduce attack surface)
119
+ - [ ] Lock files are committed and used for deterministic builds
120
+ - [ ] Sub-dependencies (transitive) are also checked
121
+
122
+ ## A07: Identification and Authentication Failures
123
+
124
+ Weaknesses in the authentication mechanism itself.
125
+
126
+ **What to check:**
127
+ - [ ] Brute force protection (rate limiting, account lockout, CAPTCHA)
128
+ - [ ] No credential stuffing vulnerability (breached password checking)
129
+ - [ ] Session IDs regenerated after login (session fixation prevention)
130
+ - [ ] Session timeout is appropriate (not infinite)
131
+ - [ ] Password reset tokens expire and are single-use
132
+ - [ ] MFA bypass resistance (recovery codes handled securely)
133
+ - [ ] OAuth state parameter used to prevent CSRF
134
+
135
+ ## A08: Software and Data Integrity Failures
136
+
137
+ Trusting data or code without verification.
138
+
139
+ **What to check:**
140
+ - [ ] CI/CD pipeline integrity (no unsigned code deployments)
141
+ - [ ] Deserialization of untrusted data is avoided or secured
142
+ - [ ] Software updates verified with signatures
143
+ - [ ] Subresource Integrity (SRI) used for CDN-loaded scripts
144
+ - [ ] Webhook payloads verified with signatures
145
+
146
+ ## A09: Security Logging and Monitoring Failures
147
+
148
+ Insufficient detection capability.
149
+
150
+ **What to check:**
151
+ - [ ] Authentication events are logged (login, failed login, logout)
152
+ - [ ] Authorization failures are logged
153
+ - [ ] Input validation failures are logged (potential attack probing)
154
+ - [ ] Sensitive data NOT logged (passwords, tokens, PII)
155
+ - [ ] Logs are tamper-proof (centralized, append-only)
156
+ - [ ] Alerting on anomalous patterns (burst of failures, unusual access patterns)
157
+
158
+ ## A10: Server-Side Request Forgery (SSRF)
159
+
160
+ The application fetches a remote resource based on user input without validation.
161
+
162
+ **What to check:**
163
+ - [ ] User-supplied URLs are validated against an allowlist
164
+ - [ ] Internal/private IP ranges are blocked (127.0.0.1, 10.x, 172.16.x, 192.168.x)
165
+ - [ ] URL scheme is restricted (https only, no file://, gopher://, etc.)
166
+ - [ ] Redirects from user-supplied URLs are not followed blindly
167
+ - [ ] DNS rebinding attacks are considered (re-resolve after initial check)
@@ -0,0 +1,79 @@
1
+ # Security Audit Report Template
2
+
3
+ ```markdown
4
+ # Security Audit Report: [Project Name]
5
+
6
+ **Date**: [YYYY-MM-DD]
7
+ **Auditor**: [Name / Claude Code]
8
+ **Scope**: [What was reviewed — codebase, specific modules, infrastructure config]
9
+ **Commit**: [Git hash at time of audit]
10
+
11
+ ## Executive Summary
12
+
13
+ [2-3 sentences: Overall security posture, number of findings by severity,
14
+ most critical issue found.]
15
+
16
+ **Finding Summary:**
17
+ | Severity | Count |
18
+ |----------|-------|
19
+ | Critical | [N] |
20
+ | High | [N] |
21
+ | Medium | [N] |
22
+ | Low | [N] |
23
+
24
+ ## Attack Surface
25
+
26
+ [Brief description of entry points, authentication boundaries, and data flows analyzed.]
27
+
28
+ ## Findings
29
+
30
+ ### [SEVERITY]-[NNN]: [Short Title]
31
+
32
+ **Severity**: Critical / High / Medium / Low
33
+ **Category**: [OWASP category, e.g., A03: Injection]
34
+ **Location**: `[file:line]` or `[endpoint]`
35
+
36
+ **Description:**
37
+ [What the vulnerability is.]
38
+
39
+ **Exploit Scenario:**
40
+ [How an attacker could exploit this. Be specific — show a curl command,
41
+ a malicious input, or a sequence of actions.]
42
+
43
+ **Evidence:**
44
+ ```[language]
45
+ // The vulnerable code
46
+ ```
47
+
48
+ **Remediation:**
49
+ ```[language]
50
+ // The fixed code
51
+ ```
52
+
53
+ **Effort**: [Low / Medium / High]
54
+
55
+ ---
56
+
57
+ [Repeat for each finding, ordered by severity]
58
+
59
+ ## Recommendations Summary
60
+
61
+ ### Immediate (fix before next deploy)
62
+ 1. [Critical/High finding references]
63
+
64
+ ### Short-term (fix within 1-2 sprints)
65
+ 1. [Medium finding references]
66
+
67
+ ### Long-term (address in roadmap)
68
+ 1. [Low findings, architectural improvements]
69
+
70
+ ## Out of Scope
71
+
72
+ [What was NOT reviewed and why — runtime testing, infrastructure, etc.]
73
+
74
+ ## Next Steps
75
+
76
+ - [ ] Fix Critical and High findings
77
+ - [ ] Schedule follow-up audit after fixes
78
+ - [ ] Consider penetration testing for [specific areas]
79
+ ```
@@ -0,0 +1,171 @@
1
+ ---
2
+ name: skill-router
3
+ description: "Orchestrator and entry point for the swe-workflow skills library — consult FIRST when starting any non-trivial software task; most skills load name-only and only activate when invoked here. Triggers: starting a feature, planning, an architecture or design decision, implementing, debugging, reviewing, refactoring, testing, security, deployment, an incident, shipping, or unsure which skill fits. Routes intent to the right skill(s) and invokes them by name; shows the Golden Path chains."
4
+ model: haiku
5
+ allowed-tools: Read, Grep, Glob, Skill
6
+ ---
7
+
8
+ # Skill Router
9
+
10
+ This project installs the **swe-workflow skills library** — a set of structured
11
+ SDLC workflows. This skill is the **orchestrator**: most skills are loaded
12
+ **name-only** (listed but not auto-triggering), so they activate by being
13
+ invoked. Use this router to pick the right skill — or skills — quickly and invoke them,
14
+ then hand off and get out of the way. A task that spans several domains or phases
15
+ needs several skills; invoke all that apply, not just the first.
16
+
17
+ ## Activation model (why this skill matters)
18
+
19
+ To keep the context listing small, only a pinned set auto-triggers (this router
20
+ plus the safety skills: `verification-before-completion`, `tdd-workflow`,
21
+ `bug-investigating`, `incident-response`, `code-reviewing`). Every other skill is
22
+ **name-only** — invocable, but it will not fire on its own. Routing through this
23
+ orchestrator is how those skills get activated. A **role** can promote a working
24
+ set back to auto-triggering; switch roles with the `/role <name>` command
25
+ (`/role` to see options, `/role all` to reset to baseline).
26
+
27
+ ## The rule
28
+
29
+ Before substantial software work — planning a feature, making a structural or
30
+ data decision, implementing, debugging, reviewing, refactoring, or shipping —
31
+ **check whether a dedicated skill applies, and invoke it.** This is the default,
32
+ not an optional extra. The skills encode the *how* and *why* of doing each
33
+ activity well, so you don't have to re-derive them.
34
+
35
+ Routing is **not a once-per-session gate.** Re-route whenever the *kind* of work
36
+ changes — analysis → implementation → writing tests → review → shipping — because
37
+ each phase's skill is loaded only when invoked, and the one you need for the new
38
+ phase almost certainly isn't loaded yet. A session that routed for analysis and
39
+ then writes tests an hour later without re-routing silently drops the testing
40
+ skills' guidance.
41
+
42
+ Do **not** talk yourself out of it because the task "looks like a one-liner,"
43
+ touches only one file, or seems obvious. Small structural changes (renames,
44
+ config edits, dependency bumps) and anything that matches a specific skill's
45
+ domain (accessibility, API design, security, data modeling, migrations,
46
+ performance…) are exactly what the skills are for. When in doubt, route.
47
+
48
+ Skip **only** for genuinely trivial, conversational, or information-lookup
49
+ requests where no workflow adds value, or when the user tells you not to use a
50
+ skill or to "just do X". **The user's explicit instructions always take
51
+ precedence** over any skill.
52
+
53
+ ## How to route
54
+
55
+ 1. **Get the full catalog.** Read `.catalog.json` from the installed skills
56
+ directory (the parent of this skill — e.g. `.claude/skills/.catalog.json` or
57
+ `~/.claude/skills/.catalog.json`). It holds every skill's full description, so
58
+ you can match precisely even though their descriptions aren't in the listing.
59
+ If it's absent (e.g. a plugin install), use the phase index below.
60
+ 2. **Match** the user's intent to **every** skill that applies — not just the
61
+ single best fit. A request often spans more than one domain (e.g. "review for
62
+ accessibility *and* UX" → both `accessibility-design` and `ui-ux-design`) or
63
+ more than one phase (a feature → planning, then data model, then API, …).
64
+ 3. **Invoke them by name** via the Skill tool — name-only skills are fully
65
+ invocable; the listing just doesn't show their description. When several skills
66
+ apply, **invoke them all, in workflow order, and integrate each one's guidance
67
+ — do not stop after the first.** Stating "I'll use both" is not enough; you
68
+ must actually call each one (invoke the next applicable skill before you finish
69
+ — e.g. load the UX skill before writing a combined a11y+UX review, and on a
70
+ Golden Path chain invoke each phase's skill as you reach it). "Hand off" means
71
+ stop narrating the routing and start the work, NOT "one skill is enough." Route
72
+ to a single skill only when the task genuinely maps to exactly one.
73
+ 4. If a matched skill isn't installed (a subset/plugin install), read its
74
+ `SKILL.md` inline if present, or tell the user which skill/role to add.
75
+ 5. If the work spans several phases, follow the relevant **Golden Path** chain,
76
+ invoking each skill in the chain as you reach its phase.
77
+ 6. If nothing fits, proceed normally — not everything needs a skill.
78
+
79
+ ## Role-scoped routing (optional)
80
+
81
+ If a role is active (a `.active-role` marker sits beside the skills, or the
82
+ SessionStart hook named one), lead with that role's working set — read
83
+ `.roles.json` for it — then fall back to the rest of the catalog. The user can
84
+ change the promoted set with `/role <name>`. Either way you can invoke any
85
+ installed skill by name, regardless of role.
86
+
87
+ ## Catalog by SDLC phase
88
+
89
+ ### Plan & Define
90
+ - **feature-planning** — break a feature into scoped tasks, acceptance criteria, dependencies
91
+ - **prd-writing** — write a PRD / RFC / tech spec to align on the WHAT and WHY
92
+ - **project-proposal** — business case / budget / go-no-go before a project starts
93
+ - **strategic-review** — vision, positioning, defensible wedge, live competitive/market analysis before going public
94
+ - **effort-estimation** — story points, t-shirt sizing, three-point estimates, capacity
95
+ - **metrics-and-okrs** — define OKRs, KPIs, success metrics, DORA / engineering health
96
+
97
+ ### Design & Architecture
98
+ - **architecture-design** — costly-to-reverse structural decisions, pattern choice, ADRs
99
+ - **architecture-documentation** — C4 diagrams, docs-as-code, runtime/infra views
100
+ - **api-design** — REST/GraphQL contracts, endpoints, errors, pagination, versioning
101
+ - **data-modeling** — schema, relationships, indexes, migration strategy
102
+ - **ui-ux-design** — user flows, wireframes, loading/error/empty states, responsive
103
+ - **frontend-architecture** — component hierarchy, state management, design tokens
104
+ - **accessibility-design** — WCAG, ARIA, keyboard nav, focus, screen readers
105
+ - **configuration-strategy** — env config, secrets management, feature-flag hierarchy
106
+ - **dependency-impact-analysis** — blast radius of a change *before* implementing
107
+ - **dependency-management** — evaluate, audit (CVEs), and upgrade libraries
108
+
109
+ ### Build & Test
110
+ - **tdd-workflow** — NEW code, test-first, red-green-refactor
111
+ - **test-suite-design** — add tests to EXISTING code, coverage strategy
112
+ - **test-data-strategy** — factories, synthetic data, property-based, contract testing
113
+ - **git-workflow** — commit messages, PR descriptions, branching strategy
114
+ - **project-documentation** — README, contributing guide, changelog, docstrings
115
+
116
+ ### Review & Improve
117
+ - **code-reviewing** — structured review enforcing DRY/KISS/YAGNI/SRP & conventions
118
+ - **security-audit** — OWASP Top 10, auth/authz, injection, secrets, dependency CVEs
119
+ - **performance-optimization** — N+1, algorithmic complexity, caching, bundle size
120
+ - **refactoring** — systematic, test-protected code improvement
121
+ - **technical-debt-review** — codebase health, hotspots, remediation roadmap
122
+ - **project-review** — whole-project execution health: scope alignment, roadmap adherence, implementation maturity, evidence-it-works
123
+
124
+ ### Diagnose & Fix
125
+ - **bug-investigating** — systematic debugging, reproduce → isolate → hypothesize → verify
126
+
127
+ ### Ship & Operate
128
+ - **deployment-checklist** — pre-deploy verification and release safety
129
+ - **rollback-strategy** — safe rollback plans, irreversible-change detection
130
+ - **containerization** — Dockerfiles, docker-compose, Kubernetes manifests
131
+ - **cicd-pipeline** — CI/CD pipelines, quality gates (GitHub Actions, GitLab CI)
132
+ - **infrastructure-as-code** — Terraform, CloudFormation, Pulumi, CDK
133
+ - **deployment-repo** — GitOps polyrepo orchestration, version pinning, promotion
134
+ - **gitops-delivery** — ArgoCD / Flux declarative delivery, drift detection
135
+ - **observability-design** — SLI/SLO/SLA, OpenTelemetry, structured logging, alerting
136
+ - **incident-response** — ACTIVE production incident: triage, mitigate, communicate
137
+
138
+ ### Reflect
139
+ - **retrospective** — sprint retros, project / incident post-mortems, action items
140
+
141
+ ### MLOps
142
+ - **ml-pipeline-design** — training & data pipelines, feature engineering, orchestration
143
+ - **ml-experiment-tracking** — MLflow / W&B / DVC, run comparison, reproducibility
144
+ - **ml-model-deployment** — serving, monitoring, drift detection, safe rollouts
145
+
146
+ ## Golden Path workflow chains
147
+
148
+ When work spans phases, chain skills rather than improvising:
149
+
150
+ **New feature**
151
+ `feature-planning` → `architecture-design` (if structural) → `data-modeling`
152
+ (if schema) → `tdd-workflow` → `code-reviewing` → `deployment-checklist`
153
+
154
+ **Bug / incident**
155
+ `incident-response` (if prod is down) → `bug-investigating` → `tdd-workflow`
156
+ (regression test) → `deployment-checklist`
157
+
158
+ **Continuous improvement**
159
+ `technical-debt-review` → `refactoring` → `dependency-impact-analysis`
160
+ (blast radius) → `test-suite-design` (if coverage is thin)
161
+
162
+ **Pre-public / pre-milestone review**
163
+ `strategic-review` (vision, positioning, market) → `project-review` (scope,
164
+ roadmap, implementation, evidence) → synthesis → `artifact-design` (interactive
165
+ report). See `strategic-review/templates/full-review-prompt.md` for the combined brief.
166
+
167
+ ## When NOT to route
168
+
169
+ - Pure questions, explanations, or conversation with no workflow component.
170
+ - The user named a specific skill or explicitly opted out — follow them.
171
+ - Tiny mechanical edits (typo, rename) where a workflow is overhead.
@@ -0,0 +1,39 @@
1
+ {
2
+ "skill_name": "skill-router",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "We want to add multi-tenant support to our SaaS app. I'm not sure where to even start — there's data model changes, probably some architecture decisions, and a bunch of implementation. How should I approach this?",
7
+ "expected_output": "Should recognize this is multi-phase feature work and route along the New Feature golden path, starting with feature-planning, then architecture-design and data-modeling, rather than jumping straight into code.",
8
+ "assertions": [
9
+ "Identifies that a dedicated skill / chain applies instead of improvising",
10
+ "Routes to feature-planning as the entry point",
11
+ "Names the relevant downstream skills (architecture-design, data-modeling) as next steps",
12
+ "References the New Feature golden path chain",
13
+ "Hands off to the chosen skill rather than narrating the routing at length"
14
+ ]
15
+ },
16
+ {
17
+ "id": 2,
18
+ "prompt": "What's the difference between a stub and a mock?",
19
+ "expected_output": "A pure conceptual question with no workflow component. The router should NOT force a skill — it should just answer (optionally noting tdd-workflow/test-suite-design exist if the user later wants to apply it).",
20
+ "assertions": [
21
+ "Does NOT invoke a workflow skill for a pure question",
22
+ "Answers the question directly",
23
+ "Does not over-route or insist on a workflow",
24
+ "At most lightly mentions relevant skills as optional"
25
+ ]
26
+ },
27
+ {
28
+ "id": 3,
29
+ "prompt": "Just write me a quick Dockerfile for a Node app — don't bother with any of your skill workflows, I'm in a hurry.",
30
+ "expected_output": "User explicitly opted out of the workflow. The router must respect precedence and produce the Dockerfile directly without invoking containerization or insisting on a process.",
31
+ "assertions": [
32
+ "Respects the user's explicit opt-out (does not force the containerization skill)",
33
+ "Produces the requested Dockerfile directly",
34
+ "Does not lecture about following the workflow",
35
+ "Treats user instructions as taking precedence over the soft routing rule"
36
+ ]
37
+ }
38
+ ]
39
+ }
@@ -0,0 +1,106 @@
1
+ ---
2
+ name: strategic-review
3
+ description: "Review a project's strategic position before going public, launching, or raising — vision, mission, value proposition, scope positioning, the defensible wedge, and a live competitive / market comparative analysis. Triggers: strategic review, positioning, go public, go-to-market, market analysis, competitive landscape, value proposition, is there a moat, who are our competitors, platform absorption risk, market positioning, comparable products. Use project-review for execution/roadmap/implementation health; delegates deep market scans to deep-research."
4
+ model: opus
5
+ allowed-tools: Read, Grep, Glob, WebFetch, WebSearch, Write, Edit
6
+ ---
7
+
8
+ # Strategic Review
9
+
10
+ Pressure-test whether a project has a defensible strategic position before it goes
11
+ public. The output is an honest read on vision, positioning, and market — what's
12
+ strong, what rests on unproven assumptions, and where the wedge is closing — ending
13
+ in **strategic options with trade-offs and a recommendation** (not flattery, and
14
+ not a single forced verdict unless asked).
15
+
16
+ This is the **strategy lens**. For what's actually built and whether it works, run
17
+ `project-review`; the two compose into a full pre-public review (see
18
+ [templates/full-review-prompt.md](templates/full-review-prompt.md)).
19
+
20
+ ## Ground rule: a thesis is a claim, not a fact
21
+
22
+ State the project's strategic thesis in one sentence, then treat every load-bearing
23
+ assumption inside it as a claim to be tested, not granted. The most valuable thing
24
+ this review produces is naming the assumption the whole strategy rests on — and
25
+ whether there's evidence for it. Mark every market finding **confirmed** (cited
26
+ source, dated) or **inferred**, and date-bound everything ("as of <date>") because
27
+ the competitive landscape moves.
28
+
29
+ ## Step 1: Articulate and critique the vision
30
+
31
+ Extract, from the project's own materials, the core narrative:
32
+
33
+ - **Vision / mission** — what change in the world, for whom.
34
+ - **Value proposition** — the specific job it does and why someone switches to it.
35
+ - **The thesis** — the one-sentence bet (e.g. "developers will adopt a neutral
36
+ standard layer because they run multiple tools and feel the lock-in pain").
37
+
38
+ Then critique it: Is the value proposition concrete or aspirational? Is the target
39
+ user real and reachable? **Which assumption is load-bearing, and is it proven?**
40
+ (How many users actually have the pain? Would they pay / switch / adopt?)
41
+
42
+ ## Step 2: Scope and positioning
43
+
44
+ - **Positioning** — what band does this compete in, and against what? Where does it
45
+ sit relative to incumbents and to the platforms it runs on?
46
+ - **The defensible wedge** — what can this do that the obvious larger players
47
+ won't or can't, and how durable is that? Separate a real moat (standard,
48
+ network, data, switching cost) from a temporary head start.
49
+ - **Where positioning is strong vs. where it leans on unproven assumptions** — be
50
+ explicit about the difference.
51
+
52
+ ## Step 3: Market comparative analysis (live)
53
+
54
+ Survey the field with current evidence, not memory:
55
+
56
+ - **Refresh the known bands** — for each established competitor band, who's in it
57
+ now and what shipped recently.
58
+ - **Hunt for new entrants** — date-bound searches for products that appeared
59
+ recently in this space, adjacent standards, and platform features that may
60
+ absorb the category.
61
+ - For a deep, multi-source, fact-checked sweep, **delegate to `deep-research`** and
62
+ fold its cited report in. For a lighter pass, use `WebSearch`/`WebFetch` directly.
63
+ - **Tag each comparable** with its relationship: **competitor**, **complement**,
64
+ or **integration target** — and what it means for this project.
65
+ - Label every finding confirmed-vs-inferred and date it.
66
+
67
+ ## Step 4: Trajectory and wedge-closure risk
68
+
69
+ The dangerous competitor is often the platform, not a peer. Assess:
70
+
71
+ - **Absorption risk** — is a larger platform shipping features that close the
72
+ wedge? What's the trajectory over the last 6–12 months?
73
+ - **Timing** — is the window opening or closing, and what evidence says so?
74
+ - **What would invalidate the thesis** — name the observable event that would mean
75
+ "stop."
76
+
77
+ ## Step 5: Synthesis — potential, weak points, strategic forks
78
+
79
+ Integrate the above into a decision instrument:
80
+
81
+ - **Potential** — the genuine strengths and the conditions under which the bet pays off.
82
+ - **Weak points, ranked** — lead with the assumption most likely to be false.
83
+ - **Strategic forks** — present 2–4 distinct paths (e.g. double down / narrow scope /
84
+ reposition / pivot), each with its trade-offs, then **name a recommended path and
85
+ why**. Configurable: if the user wants options only or a hard go/no-go, honor that —
86
+ default is options + a recommendation.
87
+ - **A readiness picture** mapped to the project's own gates, if it has them.
88
+
89
+ For the rendered deliverable (interactive HTML, scorecards, a forks comparison
90
+ panel), hand off to `artifact-design`; default to a gitignored path (e.g. `.local/`).
91
+
92
+ ## Principles Applied
93
+
94
+ - **Honesty over hype** — surface the uncomfortable finding first; a review that
95
+ validates the founder's optimism is worse than none.
96
+ - **Assumptions are the product** — the review's value is naming what must be true.
97
+ - **Current and cited** — date-bound, confirmed-vs-inferred, sourced.
98
+ - **Options with a recommendation** — give the decision-maker the forks *and* a view.
99
+
100
+ ## Cross-Skill References
101
+
102
+ - `project-review` — the execution half of a pre-public review (roadmap, implementation, evidence).
103
+ - `deep-research` — for the deep, fact-checked market fan-out; fold its report into Step 3.
104
+ - `project-proposal` — when the question is a forward-looking go/no-go business case, not a review.
105
+ - `metrics-and-okrs` — to convert the readiness picture into measurable gates.
106
+ - `artifact-design` — to render the review as a polished interactive decision instrument.
@@ -0,0 +1,42 @@
1
+ {
2
+ "skill_name": "strategic-review",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "We're considering taking our open-source developer tool public in a couple of months. Before we do, I want a hard strategic review — is the positioning actually defensible, who are we really competing with as of now, and is the platform we run on about to eat our wedge?",
7
+ "expected_output": "A strategic review that states the project's thesis and its load-bearing assumption, critiques the value proposition and positioning, runs a current/date-bound competitive analysis (delegating deep market work to deep-research) tagging each comparable as competitor/complement/integration target, assesses platform-absorption risk, and ends in strategic forks with trade-offs plus a recommended path.",
8
+ "assertions": [
9
+ "States the project's strategic thesis in one sentence and identifies the load-bearing assumption to test",
10
+ "Critiques the value proposition / positioning, separating what's strong from what rests on unproven assumptions",
11
+ "Runs a live, date-bound competitive analysis rather than relying on memory, and delegates a deep sweep to deep-research",
12
+ "Tags comparables by relationship (competitor / complement / integration target)",
13
+ "Assesses platform-absorption / wedge-closure risk and names what would invalidate the thesis",
14
+ "Ends with strategic forks (trade-offs) and a recommended path, labeling findings confirmed vs inferred and dated",
15
+ "Defers implementation/roadmap/evidence questions to project-review"
16
+ ]
17
+ },
18
+ {
19
+ "id": 2,
20
+ "prompt": "Honestly the space we're in feels crowded and I'm not sure what makes us different anymore. Big platforms keep shipping features that overlap with ours. Is there even a defensible wedge here?",
21
+ "expected_output": "Confronts the weak-wedge situation directly: tests whether a real moat exists vs a temporary head start, maps the overlapping platform features with current evidence, and presents honest forks (narrow scope / reposition / pivot) with a recommendation rather than reassurance.",
22
+ "assertions": [
23
+ "Distinguishes a durable moat (standard, network, data, switching cost) from a temporary head start",
24
+ "Examines the overlapping platform/incumbent features with current, dated evidence",
25
+ "Does not offer false reassurance — willing to conclude the wedge is thin if that's what the evidence shows",
26
+ "Presents distinct strategic forks (e.g. narrow / reposition / pivot) with trade-offs and a recommendation",
27
+ "Names the observable event that would invalidate continuing"
28
+ ]
29
+ },
30
+ {
31
+ "id": 3,
32
+ "prompt": "I'm writing the one-line tagline for our landing page. Should it say 'fast' or 'simple'?",
33
+ "expected_output": "Recognizes this is a narrow copy choice, not a strategic review — answers directly (with brief reasoning) rather than launching a full vision/market analysis.",
34
+ "assertions": [
35
+ "Recognizes this is a small copy/messaging question, not a strategic review",
36
+ "Does not launch the full strategic-review workflow (thesis, market scan, forks)",
37
+ "Answers the tagline question directly with brief, practical reasoning",
38
+ "May note that messaging should follow from positioning if a deeper review is ever wanted"
39
+ ]
40
+ }
41
+ ]
42
+ }