swe-workflow-skills 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +144 -0
- package/VERSION +1 -0
- package/bin/cli.mjs +44 -0
- package/catalog.json +225 -0
- package/commands/role.md +34 -0
- package/hooks/session-start.mjs +118 -0
- package/install.mjs +318 -0
- package/package.json +47 -0
- package/roles.json +194 -0
- package/scripts/resolve.mjs +296 -0
- package/skills/accessibility-design/SKILL.md +128 -0
- package/skills/accessibility-design/evals/evals.json +51 -0
- package/skills/accessibility-design/references/accessibility-patterns.md +321 -0
- package/skills/api-design/SKILL.md +144 -0
- package/skills/api-design/evals/evals.json +48 -0
- package/skills/api-design/references/rest-conventions.md +147 -0
- package/skills/api-design/templates/api-spec.md +156 -0
- package/skills/architecture-design/SKILL.md +86 -0
- package/skills/architecture-design/evals/evals.json +44 -0
- package/skills/architecture-design/references/clean-architecture.md +147 -0
- package/skills/architecture-design/references/component-principles.md +129 -0
- package/skills/architecture-design/references/principles.md +81 -0
- package/skills/architecture-design/references/solid-principles.md +106 -0
- package/skills/architecture-design/templates/adr.md +63 -0
- package/skills/architecture-documentation/SKILL.md +126 -0
- package/skills/architecture-documentation/evals/evals.json +44 -0
- package/skills/architecture-documentation/references/abstraction-levels.md +91 -0
- package/skills/architecture-documentation/references/diagram-tooling.md +141 -0
- package/skills/architecture-documentation/templates/architecture-doc.md +171 -0
- package/skills/bug-investigating/SKILL.md +133 -0
- package/skills/bug-investigating/evals/evals.json +56 -0
- package/skills/bug-investigating/references/common-bugs.md +62 -0
- package/skills/bug-investigating/references/debugging-patterns.md +94 -0
- package/skills/cicd-pipeline/SKILL.md +87 -0
- package/skills/cicd-pipeline/evals/evals.json +34 -0
- package/skills/cicd-pipeline/references/pipeline-patterns.md +206 -0
- package/skills/cicd-pipeline/templates/github-actions.md +206 -0
- package/skills/code-reviewing/SKILL.md +92 -0
- package/skills/code-reviewing/evals/evals.json +62 -0
- package/skills/code-reviewing/references/error-handling.md +108 -0
- package/skills/code-reviewing/references/review-checklist.md +144 -0
- package/skills/configuration-strategy/SKILL.md +109 -0
- package/skills/configuration-strategy/evals/evals.json +41 -0
- package/skills/configuration-strategy/references/config-patterns.md +161 -0
- package/skills/containerization/SKILL.md +90 -0
- package/skills/containerization/evals/evals.json +36 -0
- package/skills/containerization/references/dockerfile-patterns.md +168 -0
- package/skills/containerization/templates/dockerfile.md +154 -0
- package/skills/data-modeling/SKILL.md +83 -0
- package/skills/data-modeling/evals/evals.json +43 -0
- package/skills/data-modeling/references/conventions.md +57 -0
- package/skills/data-modeling/templates/schema.md +120 -0
- package/skills/dependency-impact-analysis/SKILL.md +113 -0
- package/skills/dependency-impact-analysis/evals/evals.json +41 -0
- package/skills/dependency-impact-analysis/references/impact-patterns.md +150 -0
- package/skills/dependency-management/SKILL.md +161 -0
- package/skills/dependency-management/evals/evals.json +48 -0
- package/skills/dependency-management/references/evaluation-checklist.md +127 -0
- package/skills/deployment-checklist/SKILL.md +132 -0
- package/skills/deployment-checklist/evals/evals.json +58 -0
- package/skills/deployment-checklist/references/pre-deploy-gates.md +91 -0
- package/skills/deployment-repo/SKILL.md +190 -0
- package/skills/deployment-repo/evals/evals.json +44 -0
- package/skills/deployment-repo/references/deployment-repo-patterns.md +258 -0
- package/skills/deployment-repo/references/version-compatibility.md +227 -0
- package/skills/deployment-repo/templates/deployment-repo-structure.md +226 -0
- package/skills/effort-estimation/SKILL.md +95 -0
- package/skills/effort-estimation/evals/evals.json +32 -0
- package/skills/effort-estimation/references/estimation-methods.md +154 -0
- package/skills/feature-planning/SKILL.md +84 -0
- package/skills/feature-planning/evals/evals.json +44 -0
- package/skills/feature-planning/templates/plan.md +55 -0
- package/skills/feature-planning/templates/task.md +26 -0
- package/skills/frontend-architecture/SKILL.md +154 -0
- package/skills/frontend-architecture/evals/evals.json +34 -0
- package/skills/frontend-architecture/references/component-patterns.md +264 -0
- package/skills/frontend-architecture/templates/folder-structure.md +203 -0
- package/skills/git-workflow/SKILL.md +127 -0
- package/skills/git-workflow/evals/evals.json +44 -0
- package/skills/git-workflow/references/conventions.md +142 -0
- package/skills/git-workflow/templates/pull-request.md +57 -0
- package/skills/gitops-delivery/SKILL.md +319 -0
- package/skills/gitops-delivery/evals/evals.json +44 -0
- package/skills/gitops-delivery/references/gitops-patterns.md +478 -0
- package/skills/gitops-delivery/templates/gitops-config.md +196 -0
- package/skills/incident-response/SKILL.md +130 -0
- package/skills/incident-response/evals/evals.json +55 -0
- package/skills/incident-response/references/communication-templates.md +134 -0
- package/skills/incident-response/references/severity-levels.md +77 -0
- package/skills/incident-response/templates/incident-timeline.md +57 -0
- package/skills/infrastructure-as-code/SKILL.md +86 -0
- package/skills/infrastructure-as-code/evals/evals.json +33 -0
- package/skills/infrastructure-as-code/references/iac-patterns.md +179 -0
- package/skills/infrastructure-as-code/templates/terraform-module.md +158 -0
- package/skills/metrics-and-okrs/SKILL.md +113 -0
- package/skills/metrics-and-okrs/evals/evals.json +33 -0
- package/skills/metrics-and-okrs/references/metric-catalog.md +90 -0
- package/skills/metrics-and-okrs/templates/okr-document.md +61 -0
- package/skills/ml-experiment-tracking/SKILL.md +96 -0
- package/skills/ml-experiment-tracking/evals/evals.json +32 -0
- package/skills/ml-experiment-tracking/references/tracking-tools.md +127 -0
- package/skills/ml-model-deployment/SKILL.md +106 -0
- package/skills/ml-model-deployment/evals/evals.json +34 -0
- package/skills/ml-model-deployment/references/serving-patterns.md +162 -0
- package/skills/ml-pipeline-design/SKILL.md +162 -0
- package/skills/ml-pipeline-design/evals/evals.json +34 -0
- package/skills/ml-pipeline-design/references/pipeline-components.md +174 -0
- package/skills/observability-design/SKILL.md +162 -0
- package/skills/observability-design/evals/evals.json +52 -0
- package/skills/observability-design/references/logging-patterns.md +229 -0
- package/skills/observability-design/references/slo-framework.md +151 -0
- package/skills/observability-design/templates/slo-document.md +80 -0
- package/skills/performance-optimization/SKILL.md +83 -0
- package/skills/performance-optimization/evals/evals.json +47 -0
- package/skills/performance-optimization/references/bottleneck-patterns.md +256 -0
- package/skills/performance-optimization/references/concurrency.md +101 -0
- package/skills/prd-writing/SKILL.md +109 -0
- package/skills/prd-writing/evals/evals.json +33 -0
- package/skills/prd-writing/references/prd-examples.md +132 -0
- package/skills/prd-writing/templates/prd.md +71 -0
- package/skills/prd-writing/templates/rfc.md +79 -0
- package/skills/project-documentation/SKILL.md +104 -0
- package/skills/project-documentation/evals/evals.json +48 -0
- package/skills/project-documentation/references/contributing-guide.md +100 -0
- package/skills/project-documentation/templates/changelog.md +59 -0
- package/skills/project-documentation/templates/readme.md +121 -0
- package/skills/project-proposal/SKILL.md +90 -0
- package/skills/project-proposal/evals/evals.json +31 -0
- package/skills/project-proposal/references/proposal-examples.md +140 -0
- package/skills/project-proposal/templates/proposal.md +76 -0
- package/skills/project-review/SKILL.md +111 -0
- package/skills/project-review/evals/evals.json +42 -0
- package/skills/refactoring/SKILL.md +90 -0
- package/skills/refactoring/evals/evals.json +44 -0
- package/skills/refactoring/references/transformations.md +132 -0
- package/skills/retrospective/SKILL.md +157 -0
- package/skills/retrospective/evals/evals.json +34 -0
- package/skills/retrospective/references/facilitation-guide.md +130 -0
- package/skills/retrospective/templates/post-mortem.md +121 -0
- package/skills/rollback-strategy/SKILL.md +116 -0
- package/skills/rollback-strategy/evals/evals.json +55 -0
- package/skills/rollback-strategy/references/rollback-patterns.md +125 -0
- package/skills/rollback-strategy/templates/rollback-plan.md +69 -0
- package/skills/security-audit/SKILL.md +146 -0
- package/skills/security-audit/evals/evals.json +66 -0
- package/skills/security-audit/references/owasp-top-10.md +167 -0
- package/skills/security-audit/templates/security-report.md +79 -0
- package/skills/skill-router/SKILL.md +171 -0
- package/skills/skill-router/evals/evals.json +39 -0
- package/skills/strategic-review/SKILL.md +106 -0
- package/skills/strategic-review/evals/evals.json +42 -0
- package/skills/strategic-review/templates/full-review-prompt.md +84 -0
- package/skills/tdd-workflow/SKILL.md +147 -0
- package/skills/tdd-workflow/evals/evals.json +58 -0
- package/skills/tdd-workflow/references/test-quality.md +71 -0
- package/skills/technical-debt-review/SKILL.md +113 -0
- package/skills/technical-debt-review/evals/evals.json +41 -0
- package/skills/technical-debt-review/references/debt-taxonomy.md +124 -0
- package/skills/technical-debt-review/templates/debt-audit.md +85 -0
- package/skills/test-data-strategy/SKILL.md +129 -0
- package/skills/test-data-strategy/evals/evals.json +49 -0
- package/skills/test-data-strategy/references/data-generation-patterns.md +341 -0
- package/skills/test-suite-design/SKILL.md +137 -0
- package/skills/test-suite-design/evals/evals.json +69 -0
- package/skills/test-suite-design/references/test-infrastructure.md +175 -0
- package/skills/test-suite-design/references/testing-pyramid.md +140 -0
- package/skills/ui-ux-design/SKILL.md +117 -0
- package/skills/ui-ux-design/evals/evals.json +35 -0
- package/skills/ui-ux-design/references/interaction-patterns.md +145 -0
- package/skills/ui-ux-design/templates/screen-spec.md +97 -0
- package/skills/verification-before-completion/SKILL.md +85 -0
- package/skills/verification-before-completion/evals/evals.json +53 -0
- package/skills/writing-skills/SKILL.md +87 -0
- package/skills/writing-skills/evals/evals.json +41 -0
- package/skills/writing-skills/references/pressure-testing.md +69 -0
- package/uninstall.mjs +182 -0
|
@@ -0,0 +1,167 @@
|
|
|
1
|
+
# OWASP Top 10 Security Checklist
|
|
2
|
+
|
|
3
|
+
## Contents
|
|
4
|
+
- A01: Broken Access Control
|
|
5
|
+
- A02: Cryptographic Failures
|
|
6
|
+
- A03: Injection
|
|
7
|
+
- A04: Insecure Design
|
|
8
|
+
- A05: Security Misconfiguration
|
|
9
|
+
- A06: Vulnerable and Outdated Components
|
|
10
|
+
- A07: Identification and Authentication Failures
|
|
11
|
+
- A08: Software and Data Integrity Failures
|
|
12
|
+
- A09: Security Logging and Monitoring Failures
|
|
13
|
+
- A10: Server-Side Request Forgery (SSRF)
|
|
14
|
+
|
|
15
|
+
## A01: Broken Access Control
|
|
16
|
+
|
|
17
|
+
The #1 vulnerability. Access control means enforcing that users can only act within their intended permissions.
|
|
18
|
+
|
|
19
|
+
**What to check:**
|
|
20
|
+
- [ ] Every API endpoint enforces authentication (not just the frontend)
|
|
21
|
+
- [ ] Authorization is checked server-side for every protected operation
|
|
22
|
+
- [ ] Users cannot access other users' data by changing IDs in URLs (IDOR)
|
|
23
|
+
- [ ] Directory traversal is prevented (no `../` in file paths from user input)
|
|
24
|
+
- [ ] CORS is configured to allow only specific trusted origins (not `*`)
|
|
25
|
+
- [ ] JWT tokens are validated properly (algorithm, signature, expiry, issuer)
|
|
26
|
+
- [ ] API rate limiting prevents enumeration attacks
|
|
27
|
+
- [ ] Metadata manipulation is blocked (tampering with JWT, cookies, hidden fields)
|
|
28
|
+
|
|
29
|
+
**Common patterns to flag:**
|
|
30
|
+
```javascript
|
|
31
|
+
// BAD: Only checks if logged in, not if authorized for THIS resource
|
|
32
|
+
app.get('/orders/:id', authenticate, async (req, res) => {
|
|
33
|
+
const order = await db.orders.findById(req.params.id);
|
|
34
|
+
res.json(order); // Any authenticated user can see ANY order
|
|
35
|
+
});
|
|
36
|
+
|
|
37
|
+
// GOOD: Checks ownership
|
|
38
|
+
app.get('/orders/:id', authenticate, async (req, res) => {
|
|
39
|
+
const order = await db.orders.findOne({
|
|
40
|
+
id: req.params.id,
|
|
41
|
+
userId: req.user.id // Scoped to the authenticated user
|
|
42
|
+
});
|
|
43
|
+
if (!order) return res.status(404).json({ error: 'Not found' });
|
|
44
|
+
res.json(order);
|
|
45
|
+
});
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
## A02: Cryptographic Failures
|
|
49
|
+
|
|
50
|
+
Sensitive data exposure through weak or missing cryptography.
|
|
51
|
+
|
|
52
|
+
**What to check:**
|
|
53
|
+
- [ ] Passwords hashed with bcrypt, argon2, or scrypt (never MD5, SHA-1, or SHA-256 alone)
|
|
54
|
+
- [ ] Sufficient work factor (bcrypt rounds >= 12, argon2 with recommended params)
|
|
55
|
+
- [ ] TLS 1.2+ enforced for all connections
|
|
56
|
+
- [ ] Sensitive data encrypted at rest (PII, financial data, health data)
|
|
57
|
+
- [ ] Encryption keys managed properly (not hardcoded, rotated periodically)
|
|
58
|
+
- [ ] No sensitive data in URLs (tokens, passwords in query strings)
|
|
59
|
+
- [ ] Proper random number generation (crypto.randomBytes, not Math.random)
|
|
60
|
+
|
|
61
|
+
## A03: Injection
|
|
62
|
+
|
|
63
|
+
Untrusted data sent to an interpreter as part of a command or query.
|
|
64
|
+
|
|
65
|
+
**What to check:**
|
|
66
|
+
- [ ] SQL queries use parameterized statements (never string concatenation)
|
|
67
|
+
- [ ] NoSQL queries use typed parameters (not raw user input in operators)
|
|
68
|
+
- [ ] OS commands use parameterized execution (never shell interpolation)
|
|
69
|
+
- [ ] LDAP queries are parameterized
|
|
70
|
+
- [ ] XPath/XML queries are parameterized
|
|
71
|
+
- [ ] HTML output is escaped to prevent XSS (use framework auto-escaping)
|
|
72
|
+
- [ ] User input in `eval()`, `Function()`, or template literals is blocked
|
|
73
|
+
- [ ] GraphQL queries are depth-limited and complexity-bounded
|
|
74
|
+
|
|
75
|
+
**Injection types and their signatures:**
|
|
76
|
+
|
|
77
|
+
| Type | Dangerous Pattern | Safe Pattern |
|
|
78
|
+
|------|------------------|-------------|
|
|
79
|
+
| SQL | `"SELECT * FROM users WHERE id = " + userId` | `db.query("SELECT * FROM users WHERE id = $1", [userId])` |
|
|
80
|
+
| XSS | `innerHTML = userInput` | `textContent = userInput` or framework escaping |
|
|
81
|
+
| Command | `exec("ls " + userPath)` | `execFile("ls", [userPath])` |
|
|
82
|
+
| NoSQL | `{ $where: userInput }` | `{ field: { $eq: userInput } }` |
|
|
83
|
+
| Template | `` `Hello ${userInput}` `` in template engine | Template engine with auto-escaping |
|
|
84
|
+
|
|
85
|
+
## A04: Insecure Design
|
|
86
|
+
|
|
87
|
+
Flaws in the design itself, not just the implementation.
|
|
88
|
+
|
|
89
|
+
**What to check:**
|
|
90
|
+
- [ ] Business logic has server-side enforcement (not just client-side validation)
|
|
91
|
+
- [ ] Rate limiting on resource-intensive operations
|
|
92
|
+
- [ ] Transaction limits enforced server-side
|
|
93
|
+
- [ ] Multi-step processes can't skip steps
|
|
94
|
+
- [ ] File upload validates type, size, and content (not just extension)
|
|
95
|
+
- [ ] No mass assignment vulnerabilities (user can't set `role: 'admin'` by adding fields)
|
|
96
|
+
|
|
97
|
+
## A05: Security Misconfiguration
|
|
98
|
+
|
|
99
|
+
Default or incomplete configurations that leave openings.
|
|
100
|
+
|
|
101
|
+
**What to check:**
|
|
102
|
+
- [ ] No default credentials in any environment
|
|
103
|
+
- [ ] Error messages don't expose stack traces or internal details to users
|
|
104
|
+
- [ ] Unnecessary HTTP methods disabled (TRACE, OPTIONS where not needed)
|
|
105
|
+
- [ ] Security headers configured: CSP, X-Frame-Options, X-Content-Type-Options, HSTS
|
|
106
|
+
- [ ] Directory listing disabled on web servers
|
|
107
|
+
- [ ] Debug mode disabled in production
|
|
108
|
+
- [ ] Cloud storage buckets/blobs are not publicly accessible by default
|
|
109
|
+
- [ ] Database ports not exposed to the internet
|
|
110
|
+
|
|
111
|
+
## A06: Vulnerable and Outdated Components
|
|
112
|
+
|
|
113
|
+
Using components with known vulnerabilities.
|
|
114
|
+
|
|
115
|
+
**What to check:**
|
|
116
|
+
- [ ] `npm audit` / `pip audit` / `govulncheck` shows no critical vulnerabilities
|
|
117
|
+
- [ ] Dependencies are reasonably up to date (no major versions behind)
|
|
118
|
+
- [ ] Unused dependencies are removed (reduce attack surface)
|
|
119
|
+
- [ ] Lock files are committed and used for deterministic builds
|
|
120
|
+
- [ ] Sub-dependencies (transitive) are also checked
|
|
121
|
+
|
|
122
|
+
## A07: Identification and Authentication Failures
|
|
123
|
+
|
|
124
|
+
Weaknesses in the authentication mechanism itself.
|
|
125
|
+
|
|
126
|
+
**What to check:**
|
|
127
|
+
- [ ] Brute force protection (rate limiting, account lockout, CAPTCHA)
|
|
128
|
+
- [ ] No credential stuffing vulnerability (breached password checking)
|
|
129
|
+
- [ ] Session IDs regenerated after login (session fixation prevention)
|
|
130
|
+
- [ ] Session timeout is appropriate (not infinite)
|
|
131
|
+
- [ ] Password reset tokens expire and are single-use
|
|
132
|
+
- [ ] MFA bypass resistance (recovery codes handled securely)
|
|
133
|
+
- [ ] OAuth state parameter used to prevent CSRF
|
|
134
|
+
|
|
135
|
+
## A08: Software and Data Integrity Failures
|
|
136
|
+
|
|
137
|
+
Trusting data or code without verification.
|
|
138
|
+
|
|
139
|
+
**What to check:**
|
|
140
|
+
- [ ] CI/CD pipeline integrity (no unsigned code deployments)
|
|
141
|
+
- [ ] Deserialization of untrusted data is avoided or secured
|
|
142
|
+
- [ ] Software updates verified with signatures
|
|
143
|
+
- [ ] Subresource Integrity (SRI) used for CDN-loaded scripts
|
|
144
|
+
- [ ] Webhook payloads verified with signatures
|
|
145
|
+
|
|
146
|
+
## A09: Security Logging and Monitoring Failures
|
|
147
|
+
|
|
148
|
+
Insufficient detection capability.
|
|
149
|
+
|
|
150
|
+
**What to check:**
|
|
151
|
+
- [ ] Authentication events are logged (login, failed login, logout)
|
|
152
|
+
- [ ] Authorization failures are logged
|
|
153
|
+
- [ ] Input validation failures are logged (potential attack probing)
|
|
154
|
+
- [ ] Sensitive data NOT logged (passwords, tokens, PII)
|
|
155
|
+
- [ ] Logs are tamper-proof (centralized, append-only)
|
|
156
|
+
- [ ] Alerting on anomalous patterns (burst of failures, unusual access patterns)
|
|
157
|
+
|
|
158
|
+
## A10: Server-Side Request Forgery (SSRF)
|
|
159
|
+
|
|
160
|
+
The application fetches a remote resource based on user input without validation.
|
|
161
|
+
|
|
162
|
+
**What to check:**
|
|
163
|
+
- [ ] User-supplied URLs are validated against an allowlist
|
|
164
|
+
- [ ] Internal/private IP ranges are blocked (127.0.0.1, 10.x, 172.16.x, 192.168.x)
|
|
165
|
+
- [ ] URL scheme is restricted (https only, no file://, gopher://, etc.)
|
|
166
|
+
- [ ] Redirects from user-supplied URLs are not followed blindly
|
|
167
|
+
- [ ] DNS rebinding attacks are considered (re-resolve after initial check)
|
|
@@ -0,0 +1,79 @@
|
|
|
1
|
+
# Security Audit Report Template
|
|
2
|
+
|
|
3
|
+
```markdown
|
|
4
|
+
# Security Audit Report: [Project Name]
|
|
5
|
+
|
|
6
|
+
**Date**: [YYYY-MM-DD]
|
|
7
|
+
**Auditor**: [Name / Claude Code]
|
|
8
|
+
**Scope**: [What was reviewed — codebase, specific modules, infrastructure config]
|
|
9
|
+
**Commit**: [Git hash at time of audit]
|
|
10
|
+
|
|
11
|
+
## Executive Summary
|
|
12
|
+
|
|
13
|
+
[2-3 sentences: Overall security posture, number of findings by severity,
|
|
14
|
+
most critical issue found.]
|
|
15
|
+
|
|
16
|
+
**Finding Summary:**
|
|
17
|
+
| Severity | Count |
|
|
18
|
+
|----------|-------|
|
|
19
|
+
| Critical | [N] |
|
|
20
|
+
| High | [N] |
|
|
21
|
+
| Medium | [N] |
|
|
22
|
+
| Low | [N] |
|
|
23
|
+
|
|
24
|
+
## Attack Surface
|
|
25
|
+
|
|
26
|
+
[Brief description of entry points, authentication boundaries, and data flows analyzed.]
|
|
27
|
+
|
|
28
|
+
## Findings
|
|
29
|
+
|
|
30
|
+
### [SEVERITY]-[NNN]: [Short Title]
|
|
31
|
+
|
|
32
|
+
**Severity**: Critical / High / Medium / Low
|
|
33
|
+
**Category**: [OWASP category, e.g., A03: Injection]
|
|
34
|
+
**Location**: `[file:line]` or `[endpoint]`
|
|
35
|
+
|
|
36
|
+
**Description:**
|
|
37
|
+
[What the vulnerability is.]
|
|
38
|
+
|
|
39
|
+
**Exploit Scenario:**
|
|
40
|
+
[How an attacker could exploit this. Be specific — show a curl command,
|
|
41
|
+
a malicious input, or a sequence of actions.]
|
|
42
|
+
|
|
43
|
+
**Evidence:**
|
|
44
|
+
```[language]
|
|
45
|
+
// The vulnerable code
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
**Remediation:**
|
|
49
|
+
```[language]
|
|
50
|
+
// The fixed code
|
|
51
|
+
```
|
|
52
|
+
|
|
53
|
+
**Effort**: [Low / Medium / High]
|
|
54
|
+
|
|
55
|
+
---
|
|
56
|
+
|
|
57
|
+
[Repeat for each finding, ordered by severity]
|
|
58
|
+
|
|
59
|
+
## Recommendations Summary
|
|
60
|
+
|
|
61
|
+
### Immediate (fix before next deploy)
|
|
62
|
+
1. [Critical/High finding references]
|
|
63
|
+
|
|
64
|
+
### Short-term (fix within 1-2 sprints)
|
|
65
|
+
1. [Medium finding references]
|
|
66
|
+
|
|
67
|
+
### Long-term (address in roadmap)
|
|
68
|
+
1. [Low findings, architectural improvements]
|
|
69
|
+
|
|
70
|
+
## Out of Scope
|
|
71
|
+
|
|
72
|
+
[What was NOT reviewed and why — runtime testing, infrastructure, etc.]
|
|
73
|
+
|
|
74
|
+
## Next Steps
|
|
75
|
+
|
|
76
|
+
- [ ] Fix Critical and High findings
|
|
77
|
+
- [ ] Schedule follow-up audit after fixes
|
|
78
|
+
- [ ] Consider penetration testing for [specific areas]
|
|
79
|
+
```
|
|
@@ -0,0 +1,171 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: skill-router
|
|
3
|
+
description: "Orchestrator and entry point for the swe-workflow skills library — consult FIRST when starting any non-trivial software task; most skills load name-only and only activate when invoked here. Triggers: starting a feature, planning, an architecture or design decision, implementing, debugging, reviewing, refactoring, testing, security, deployment, an incident, shipping, or unsure which skill fits. Routes intent to the right skill(s) and invokes them by name; shows the Golden Path chains."
|
|
4
|
+
model: haiku
|
|
5
|
+
allowed-tools: Read, Grep, Glob, Skill
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Skill Router
|
|
9
|
+
|
|
10
|
+
This project installs the **swe-workflow skills library** — a set of structured
|
|
11
|
+
SDLC workflows. This skill is the **orchestrator**: most skills are loaded
|
|
12
|
+
**name-only** (listed but not auto-triggering), so they activate by being
|
|
13
|
+
invoked. Use this router to pick the right skill — or skills — quickly and invoke them,
|
|
14
|
+
then hand off and get out of the way. A task that spans several domains or phases
|
|
15
|
+
needs several skills; invoke all that apply, not just the first.
|
|
16
|
+
|
|
17
|
+
## Activation model (why this skill matters)
|
|
18
|
+
|
|
19
|
+
To keep the context listing small, only a pinned set auto-triggers (this router
|
|
20
|
+
plus the safety skills: `verification-before-completion`, `tdd-workflow`,
|
|
21
|
+
`bug-investigating`, `incident-response`, `code-reviewing`). Every other skill is
|
|
22
|
+
**name-only** — invocable, but it will not fire on its own. Routing through this
|
|
23
|
+
orchestrator is how those skills get activated. A **role** can promote a working
|
|
24
|
+
set back to auto-triggering; switch roles with the `/role <name>` command
|
|
25
|
+
(`/role` to see options, `/role all` to reset to baseline).
|
|
26
|
+
|
|
27
|
+
## The rule
|
|
28
|
+
|
|
29
|
+
Before substantial software work — planning a feature, making a structural or
|
|
30
|
+
data decision, implementing, debugging, reviewing, refactoring, or shipping —
|
|
31
|
+
**check whether a dedicated skill applies, and invoke it.** This is the default,
|
|
32
|
+
not an optional extra. The skills encode the *how* and *why* of doing each
|
|
33
|
+
activity well, so you don't have to re-derive them.
|
|
34
|
+
|
|
35
|
+
Routing is **not a once-per-session gate.** Re-route whenever the *kind* of work
|
|
36
|
+
changes — analysis → implementation → writing tests → review → shipping — because
|
|
37
|
+
each phase's skill is loaded only when invoked, and the one you need for the new
|
|
38
|
+
phase almost certainly isn't loaded yet. A session that routed for analysis and
|
|
39
|
+
then writes tests an hour later without re-routing silently drops the testing
|
|
40
|
+
skills' guidance.
|
|
41
|
+
|
|
42
|
+
Do **not** talk yourself out of it because the task "looks like a one-liner,"
|
|
43
|
+
touches only one file, or seems obvious. Small structural changes (renames,
|
|
44
|
+
config edits, dependency bumps) and anything that matches a specific skill's
|
|
45
|
+
domain (accessibility, API design, security, data modeling, migrations,
|
|
46
|
+
performance…) are exactly what the skills are for. When in doubt, route.
|
|
47
|
+
|
|
48
|
+
Skip **only** for genuinely trivial, conversational, or information-lookup
|
|
49
|
+
requests where no workflow adds value, or when the user tells you not to use a
|
|
50
|
+
skill or to "just do X". **The user's explicit instructions always take
|
|
51
|
+
precedence** over any skill.
|
|
52
|
+
|
|
53
|
+
## How to route
|
|
54
|
+
|
|
55
|
+
1. **Get the full catalog.** Read `.catalog.json` from the installed skills
|
|
56
|
+
directory (the parent of this skill — e.g. `.claude/skills/.catalog.json` or
|
|
57
|
+
`~/.claude/skills/.catalog.json`). It holds every skill's full description, so
|
|
58
|
+
you can match precisely even though their descriptions aren't in the listing.
|
|
59
|
+
If it's absent (e.g. a plugin install), use the phase index below.
|
|
60
|
+
2. **Match** the user's intent to **every** skill that applies — not just the
|
|
61
|
+
single best fit. A request often spans more than one domain (e.g. "review for
|
|
62
|
+
accessibility *and* UX" → both `accessibility-design` and `ui-ux-design`) or
|
|
63
|
+
more than one phase (a feature → planning, then data model, then API, …).
|
|
64
|
+
3. **Invoke them by name** via the Skill tool — name-only skills are fully
|
|
65
|
+
invocable; the listing just doesn't show their description. When several skills
|
|
66
|
+
apply, **invoke them all, in workflow order, and integrate each one's guidance
|
|
67
|
+
— do not stop after the first.** Stating "I'll use both" is not enough; you
|
|
68
|
+
must actually call each one (invoke the next applicable skill before you finish
|
|
69
|
+
— e.g. load the UX skill before writing a combined a11y+UX review, and on a
|
|
70
|
+
Golden Path chain invoke each phase's skill as you reach it). "Hand off" means
|
|
71
|
+
stop narrating the routing and start the work, NOT "one skill is enough." Route
|
|
72
|
+
to a single skill only when the task genuinely maps to exactly one.
|
|
73
|
+
4. If a matched skill isn't installed (a subset/plugin install), read its
|
|
74
|
+
`SKILL.md` inline if present, or tell the user which skill/role to add.
|
|
75
|
+
5. If the work spans several phases, follow the relevant **Golden Path** chain,
|
|
76
|
+
invoking each skill in the chain as you reach its phase.
|
|
77
|
+
6. If nothing fits, proceed normally — not everything needs a skill.
|
|
78
|
+
|
|
79
|
+
## Role-scoped routing (optional)
|
|
80
|
+
|
|
81
|
+
If a role is active (a `.active-role` marker sits beside the skills, or the
|
|
82
|
+
SessionStart hook named one), lead with that role's working set — read
|
|
83
|
+
`.roles.json` for it — then fall back to the rest of the catalog. The user can
|
|
84
|
+
change the promoted set with `/role <name>`. Either way you can invoke any
|
|
85
|
+
installed skill by name, regardless of role.
|
|
86
|
+
|
|
87
|
+
## Catalog by SDLC phase
|
|
88
|
+
|
|
89
|
+
### Plan & Define
|
|
90
|
+
- **feature-planning** — break a feature into scoped tasks, acceptance criteria, dependencies
|
|
91
|
+
- **prd-writing** — write a PRD / RFC / tech spec to align on the WHAT and WHY
|
|
92
|
+
- **project-proposal** — business case / budget / go-no-go before a project starts
|
|
93
|
+
- **strategic-review** — vision, positioning, defensible wedge, live competitive/market analysis before going public
|
|
94
|
+
- **effort-estimation** — story points, t-shirt sizing, three-point estimates, capacity
|
|
95
|
+
- **metrics-and-okrs** — define OKRs, KPIs, success metrics, DORA / engineering health
|
|
96
|
+
|
|
97
|
+
### Design & Architecture
|
|
98
|
+
- **architecture-design** — costly-to-reverse structural decisions, pattern choice, ADRs
|
|
99
|
+
- **architecture-documentation** — C4 diagrams, docs-as-code, runtime/infra views
|
|
100
|
+
- **api-design** — REST/GraphQL contracts, endpoints, errors, pagination, versioning
|
|
101
|
+
- **data-modeling** — schema, relationships, indexes, migration strategy
|
|
102
|
+
- **ui-ux-design** — user flows, wireframes, loading/error/empty states, responsive
|
|
103
|
+
- **frontend-architecture** — component hierarchy, state management, design tokens
|
|
104
|
+
- **accessibility-design** — WCAG, ARIA, keyboard nav, focus, screen readers
|
|
105
|
+
- **configuration-strategy** — env config, secrets management, feature-flag hierarchy
|
|
106
|
+
- **dependency-impact-analysis** — blast radius of a change *before* implementing
|
|
107
|
+
- **dependency-management** — evaluate, audit (CVEs), and upgrade libraries
|
|
108
|
+
|
|
109
|
+
### Build & Test
|
|
110
|
+
- **tdd-workflow** — NEW code, test-first, red-green-refactor
|
|
111
|
+
- **test-suite-design** — add tests to EXISTING code, coverage strategy
|
|
112
|
+
- **test-data-strategy** — factories, synthetic data, property-based, contract testing
|
|
113
|
+
- **git-workflow** — commit messages, PR descriptions, branching strategy
|
|
114
|
+
- **project-documentation** — README, contributing guide, changelog, docstrings
|
|
115
|
+
|
|
116
|
+
### Review & Improve
|
|
117
|
+
- **code-reviewing** — structured review enforcing DRY/KISS/YAGNI/SRP & conventions
|
|
118
|
+
- **security-audit** — OWASP Top 10, auth/authz, injection, secrets, dependency CVEs
|
|
119
|
+
- **performance-optimization** — N+1, algorithmic complexity, caching, bundle size
|
|
120
|
+
- **refactoring** — systematic, test-protected code improvement
|
|
121
|
+
- **technical-debt-review** — codebase health, hotspots, remediation roadmap
|
|
122
|
+
- **project-review** — whole-project execution health: scope alignment, roadmap adherence, implementation maturity, evidence-it-works
|
|
123
|
+
|
|
124
|
+
### Diagnose & Fix
|
|
125
|
+
- **bug-investigating** — systematic debugging, reproduce → isolate → hypothesize → verify
|
|
126
|
+
|
|
127
|
+
### Ship & Operate
|
|
128
|
+
- **deployment-checklist** — pre-deploy verification and release safety
|
|
129
|
+
- **rollback-strategy** — safe rollback plans, irreversible-change detection
|
|
130
|
+
- **containerization** — Dockerfiles, docker-compose, Kubernetes manifests
|
|
131
|
+
- **cicd-pipeline** — CI/CD pipelines, quality gates (GitHub Actions, GitLab CI)
|
|
132
|
+
- **infrastructure-as-code** — Terraform, CloudFormation, Pulumi, CDK
|
|
133
|
+
- **deployment-repo** — GitOps polyrepo orchestration, version pinning, promotion
|
|
134
|
+
- **gitops-delivery** — ArgoCD / Flux declarative delivery, drift detection
|
|
135
|
+
- **observability-design** — SLI/SLO/SLA, OpenTelemetry, structured logging, alerting
|
|
136
|
+
- **incident-response** — ACTIVE production incident: triage, mitigate, communicate
|
|
137
|
+
|
|
138
|
+
### Reflect
|
|
139
|
+
- **retrospective** — sprint retros, project / incident post-mortems, action items
|
|
140
|
+
|
|
141
|
+
### MLOps
|
|
142
|
+
- **ml-pipeline-design** — training & data pipelines, feature engineering, orchestration
|
|
143
|
+
- **ml-experiment-tracking** — MLflow / W&B / DVC, run comparison, reproducibility
|
|
144
|
+
- **ml-model-deployment** — serving, monitoring, drift detection, safe rollouts
|
|
145
|
+
|
|
146
|
+
## Golden Path workflow chains
|
|
147
|
+
|
|
148
|
+
When work spans phases, chain skills rather than improvising:
|
|
149
|
+
|
|
150
|
+
**New feature**
|
|
151
|
+
`feature-planning` → `architecture-design` (if structural) → `data-modeling`
|
|
152
|
+
(if schema) → `tdd-workflow` → `code-reviewing` → `deployment-checklist`
|
|
153
|
+
|
|
154
|
+
**Bug / incident**
|
|
155
|
+
`incident-response` (if prod is down) → `bug-investigating` → `tdd-workflow`
|
|
156
|
+
(regression test) → `deployment-checklist`
|
|
157
|
+
|
|
158
|
+
**Continuous improvement**
|
|
159
|
+
`technical-debt-review` → `refactoring` → `dependency-impact-analysis`
|
|
160
|
+
(blast radius) → `test-suite-design` (if coverage is thin)
|
|
161
|
+
|
|
162
|
+
**Pre-public / pre-milestone review**
|
|
163
|
+
`strategic-review` (vision, positioning, market) → `project-review` (scope,
|
|
164
|
+
roadmap, implementation, evidence) → synthesis → `artifact-design` (interactive
|
|
165
|
+
report). See `strategic-review/templates/full-review-prompt.md` for the combined brief.
|
|
166
|
+
|
|
167
|
+
## When NOT to route
|
|
168
|
+
|
|
169
|
+
- Pure questions, explanations, or conversation with no workflow component.
|
|
170
|
+
- The user named a specific skill or explicitly opted out — follow them.
|
|
171
|
+
- Tiny mechanical edits (typo, rename) where a workflow is overhead.
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
{
|
|
2
|
+
"skill_name": "skill-router",
|
|
3
|
+
"evals": [
|
|
4
|
+
{
|
|
5
|
+
"id": 1,
|
|
6
|
+
"prompt": "We want to add multi-tenant support to our SaaS app. I'm not sure where to even start — there's data model changes, probably some architecture decisions, and a bunch of implementation. How should I approach this?",
|
|
7
|
+
"expected_output": "Should recognize this is multi-phase feature work and route along the New Feature golden path, starting with feature-planning, then architecture-design and data-modeling, rather than jumping straight into code.",
|
|
8
|
+
"assertions": [
|
|
9
|
+
"Identifies that a dedicated skill / chain applies instead of improvising",
|
|
10
|
+
"Routes to feature-planning as the entry point",
|
|
11
|
+
"Names the relevant downstream skills (architecture-design, data-modeling) as next steps",
|
|
12
|
+
"References the New Feature golden path chain",
|
|
13
|
+
"Hands off to the chosen skill rather than narrating the routing at length"
|
|
14
|
+
]
|
|
15
|
+
},
|
|
16
|
+
{
|
|
17
|
+
"id": 2,
|
|
18
|
+
"prompt": "What's the difference between a stub and a mock?",
|
|
19
|
+
"expected_output": "A pure conceptual question with no workflow component. The router should NOT force a skill — it should just answer (optionally noting tdd-workflow/test-suite-design exist if the user later wants to apply it).",
|
|
20
|
+
"assertions": [
|
|
21
|
+
"Does NOT invoke a workflow skill for a pure question",
|
|
22
|
+
"Answers the question directly",
|
|
23
|
+
"Does not over-route or insist on a workflow",
|
|
24
|
+
"At most lightly mentions relevant skills as optional"
|
|
25
|
+
]
|
|
26
|
+
},
|
|
27
|
+
{
|
|
28
|
+
"id": 3,
|
|
29
|
+
"prompt": "Just write me a quick Dockerfile for a Node app — don't bother with any of your skill workflows, I'm in a hurry.",
|
|
30
|
+
"expected_output": "User explicitly opted out of the workflow. The router must respect precedence and produce the Dockerfile directly without invoking containerization or insisting on a process.",
|
|
31
|
+
"assertions": [
|
|
32
|
+
"Respects the user's explicit opt-out (does not force the containerization skill)",
|
|
33
|
+
"Produces the requested Dockerfile directly",
|
|
34
|
+
"Does not lecture about following the workflow",
|
|
35
|
+
"Treats user instructions as taking precedence over the soft routing rule"
|
|
36
|
+
]
|
|
37
|
+
}
|
|
38
|
+
]
|
|
39
|
+
}
|
|
@@ -0,0 +1,106 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: strategic-review
|
|
3
|
+
description: "Review a project's strategic position before going public, launching, or raising — vision, mission, value proposition, scope positioning, the defensible wedge, and a live competitive / market comparative analysis. Triggers: strategic review, positioning, go public, go-to-market, market analysis, competitive landscape, value proposition, is there a moat, who are our competitors, platform absorption risk, market positioning, comparable products. Use project-review for execution/roadmap/implementation health; delegates deep market scans to deep-research."
|
|
4
|
+
model: opus
|
|
5
|
+
allowed-tools: Read, Grep, Glob, WebFetch, WebSearch, Write, Edit
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Strategic Review
|
|
9
|
+
|
|
10
|
+
Pressure-test whether a project has a defensible strategic position before it goes
|
|
11
|
+
public. The output is an honest read on vision, positioning, and market — what's
|
|
12
|
+
strong, what rests on unproven assumptions, and where the wedge is closing — ending
|
|
13
|
+
in **strategic options with trade-offs and a recommendation** (not flattery, and
|
|
14
|
+
not a single forced verdict unless asked).
|
|
15
|
+
|
|
16
|
+
This is the **strategy lens**. For what's actually built and whether it works, run
|
|
17
|
+
`project-review`; the two compose into a full pre-public review (see
|
|
18
|
+
[templates/full-review-prompt.md](templates/full-review-prompt.md)).
|
|
19
|
+
|
|
20
|
+
## Ground rule: a thesis is a claim, not a fact
|
|
21
|
+
|
|
22
|
+
State the project's strategic thesis in one sentence, then treat every load-bearing
|
|
23
|
+
assumption inside it as a claim to be tested, not granted. The most valuable thing
|
|
24
|
+
this review produces is naming the assumption the whole strategy rests on — and
|
|
25
|
+
whether there's evidence for it. Mark every market finding **confirmed** (cited
|
|
26
|
+
source, dated) or **inferred**, and date-bound everything ("as of <date>") because
|
|
27
|
+
the competitive landscape moves.
|
|
28
|
+
|
|
29
|
+
## Step 1: Articulate and critique the vision
|
|
30
|
+
|
|
31
|
+
Extract, from the project's own materials, the core narrative:
|
|
32
|
+
|
|
33
|
+
- **Vision / mission** — what change in the world, for whom.
|
|
34
|
+
- **Value proposition** — the specific job it does and why someone switches to it.
|
|
35
|
+
- **The thesis** — the one-sentence bet (e.g. "developers will adopt a neutral
|
|
36
|
+
standard layer because they run multiple tools and feel the lock-in pain").
|
|
37
|
+
|
|
38
|
+
Then critique it: Is the value proposition concrete or aspirational? Is the target
|
|
39
|
+
user real and reachable? **Which assumption is load-bearing, and is it proven?**
|
|
40
|
+
(How many users actually have the pain? Would they pay / switch / adopt?)
|
|
41
|
+
|
|
42
|
+
## Step 2: Scope and positioning
|
|
43
|
+
|
|
44
|
+
- **Positioning** — what band does this compete in, and against what? Where does it
|
|
45
|
+
sit relative to incumbents and to the platforms it runs on?
|
|
46
|
+
- **The defensible wedge** — what can this do that the obvious larger players
|
|
47
|
+
won't or can't, and how durable is that? Separate a real moat (standard,
|
|
48
|
+
network, data, switching cost) from a temporary head start.
|
|
49
|
+
- **Where positioning is strong vs. where it leans on unproven assumptions** — be
|
|
50
|
+
explicit about the difference.
|
|
51
|
+
|
|
52
|
+
## Step 3: Market comparative analysis (live)
|
|
53
|
+
|
|
54
|
+
Survey the field with current evidence, not memory:
|
|
55
|
+
|
|
56
|
+
- **Refresh the known bands** — for each established competitor band, who's in it
|
|
57
|
+
now and what shipped recently.
|
|
58
|
+
- **Hunt for new entrants** — date-bound searches for products that appeared
|
|
59
|
+
recently in this space, adjacent standards, and platform features that may
|
|
60
|
+
absorb the category.
|
|
61
|
+
- For a deep, multi-source, fact-checked sweep, **delegate to `deep-research`** and
|
|
62
|
+
fold its cited report in. For a lighter pass, use `WebSearch`/`WebFetch` directly.
|
|
63
|
+
- **Tag each comparable** with its relationship: **competitor**, **complement**,
|
|
64
|
+
or **integration target** — and what it means for this project.
|
|
65
|
+
- Label every finding confirmed-vs-inferred and date it.
|
|
66
|
+
|
|
67
|
+
## Step 4: Trajectory and wedge-closure risk
|
|
68
|
+
|
|
69
|
+
The dangerous competitor is often the platform, not a peer. Assess:
|
|
70
|
+
|
|
71
|
+
- **Absorption risk** — is a larger platform shipping features that close the
|
|
72
|
+
wedge? What's the trajectory over the last 6–12 months?
|
|
73
|
+
- **Timing** — is the window opening or closing, and what evidence says so?
|
|
74
|
+
- **What would invalidate the thesis** — name the observable event that would mean
|
|
75
|
+
"stop."
|
|
76
|
+
|
|
77
|
+
## Step 5: Synthesis — potential, weak points, strategic forks
|
|
78
|
+
|
|
79
|
+
Integrate the above into a decision instrument:
|
|
80
|
+
|
|
81
|
+
- **Potential** — the genuine strengths and the conditions under which the bet pays off.
|
|
82
|
+
- **Weak points, ranked** — lead with the assumption most likely to be false.
|
|
83
|
+
- **Strategic forks** — present 2–4 distinct paths (e.g. double down / narrow scope /
|
|
84
|
+
reposition / pivot), each with its trade-offs, then **name a recommended path and
|
|
85
|
+
why**. Configurable: if the user wants options only or a hard go/no-go, honor that —
|
|
86
|
+
default is options + a recommendation.
|
|
87
|
+
- **A readiness picture** mapped to the project's own gates, if it has them.
|
|
88
|
+
|
|
89
|
+
For the rendered deliverable (interactive HTML, scorecards, a forks comparison
|
|
90
|
+
panel), hand off to `artifact-design`; default to a gitignored path (e.g. `.local/`).
|
|
91
|
+
|
|
92
|
+
## Principles Applied
|
|
93
|
+
|
|
94
|
+
- **Honesty over hype** — surface the uncomfortable finding first; a review that
|
|
95
|
+
validates the founder's optimism is worse than none.
|
|
96
|
+
- **Assumptions are the product** — the review's value is naming what must be true.
|
|
97
|
+
- **Current and cited** — date-bound, confirmed-vs-inferred, sourced.
|
|
98
|
+
- **Options with a recommendation** — give the decision-maker the forks *and* a view.
|
|
99
|
+
|
|
100
|
+
## Cross-Skill References
|
|
101
|
+
|
|
102
|
+
- `project-review` — the execution half of a pre-public review (roadmap, implementation, evidence).
|
|
103
|
+
- `deep-research` — for the deep, fact-checked market fan-out; fold its report into Step 3.
|
|
104
|
+
- `project-proposal` — when the question is a forward-looking go/no-go business case, not a review.
|
|
105
|
+
- `metrics-and-okrs` — to convert the readiness picture into measurable gates.
|
|
106
|
+
- `artifact-design` — to render the review as a polished interactive decision instrument.
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
{
|
|
2
|
+
"skill_name": "strategic-review",
|
|
3
|
+
"evals": [
|
|
4
|
+
{
|
|
5
|
+
"id": 1,
|
|
6
|
+
"prompt": "We're considering taking our open-source developer tool public in a couple of months. Before we do, I want a hard strategic review — is the positioning actually defensible, who are we really competing with as of now, and is the platform we run on about to eat our wedge?",
|
|
7
|
+
"expected_output": "A strategic review that states the project's thesis and its load-bearing assumption, critiques the value proposition and positioning, runs a current/date-bound competitive analysis (delegating deep market work to deep-research) tagging each comparable as competitor/complement/integration target, assesses platform-absorption risk, and ends in strategic forks with trade-offs plus a recommended path.",
|
|
8
|
+
"assertions": [
|
|
9
|
+
"States the project's strategic thesis in one sentence and identifies the load-bearing assumption to test",
|
|
10
|
+
"Critiques the value proposition / positioning, separating what's strong from what rests on unproven assumptions",
|
|
11
|
+
"Runs a live, date-bound competitive analysis rather than relying on memory, and delegates a deep sweep to deep-research",
|
|
12
|
+
"Tags comparables by relationship (competitor / complement / integration target)",
|
|
13
|
+
"Assesses platform-absorption / wedge-closure risk and names what would invalidate the thesis",
|
|
14
|
+
"Ends with strategic forks (trade-offs) and a recommended path, labeling findings confirmed vs inferred and dated",
|
|
15
|
+
"Defers implementation/roadmap/evidence questions to project-review"
|
|
16
|
+
]
|
|
17
|
+
},
|
|
18
|
+
{
|
|
19
|
+
"id": 2,
|
|
20
|
+
"prompt": "Honestly the space we're in feels crowded and I'm not sure what makes us different anymore. Big platforms keep shipping features that overlap with ours. Is there even a defensible wedge here?",
|
|
21
|
+
"expected_output": "Confronts the weak-wedge situation directly: tests whether a real moat exists vs a temporary head start, maps the overlapping platform features with current evidence, and presents honest forks (narrow scope / reposition / pivot) with a recommendation rather than reassurance.",
|
|
22
|
+
"assertions": [
|
|
23
|
+
"Distinguishes a durable moat (standard, network, data, switching cost) from a temporary head start",
|
|
24
|
+
"Examines the overlapping platform/incumbent features with current, dated evidence",
|
|
25
|
+
"Does not offer false reassurance — willing to conclude the wedge is thin if that's what the evidence shows",
|
|
26
|
+
"Presents distinct strategic forks (e.g. narrow / reposition / pivot) with trade-offs and a recommendation",
|
|
27
|
+
"Names the observable event that would invalidate continuing"
|
|
28
|
+
]
|
|
29
|
+
},
|
|
30
|
+
{
|
|
31
|
+
"id": 3,
|
|
32
|
+
"prompt": "I'm writing the one-line tagline for our landing page. Should it say 'fast' or 'simple'?",
|
|
33
|
+
"expected_output": "Recognizes this is a narrow copy choice, not a strategic review — answers directly (with brief reasoning) rather than launching a full vision/market analysis.",
|
|
34
|
+
"assertions": [
|
|
35
|
+
"Recognizes this is a small copy/messaging question, not a strategic review",
|
|
36
|
+
"Does not launch the full strategic-review workflow (thesis, market scan, forks)",
|
|
37
|
+
"Answers the tagline question directly with brief, practical reasoning",
|
|
38
|
+
"May note that messaging should follow from positioning if a deeper review is ever wanted"
|
|
39
|
+
]
|
|
40
|
+
}
|
|
41
|
+
]
|
|
42
|
+
}
|