swe-workflow-skills 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (177) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +144 -0
  3. package/VERSION +1 -0
  4. package/bin/cli.mjs +44 -0
  5. package/catalog.json +225 -0
  6. package/commands/role.md +34 -0
  7. package/hooks/session-start.mjs +118 -0
  8. package/install.mjs +318 -0
  9. package/package.json +47 -0
  10. package/roles.json +194 -0
  11. package/scripts/resolve.mjs +296 -0
  12. package/skills/accessibility-design/SKILL.md +128 -0
  13. package/skills/accessibility-design/evals/evals.json +51 -0
  14. package/skills/accessibility-design/references/accessibility-patterns.md +321 -0
  15. package/skills/api-design/SKILL.md +144 -0
  16. package/skills/api-design/evals/evals.json +48 -0
  17. package/skills/api-design/references/rest-conventions.md +147 -0
  18. package/skills/api-design/templates/api-spec.md +156 -0
  19. package/skills/architecture-design/SKILL.md +86 -0
  20. package/skills/architecture-design/evals/evals.json +44 -0
  21. package/skills/architecture-design/references/clean-architecture.md +147 -0
  22. package/skills/architecture-design/references/component-principles.md +129 -0
  23. package/skills/architecture-design/references/principles.md +81 -0
  24. package/skills/architecture-design/references/solid-principles.md +106 -0
  25. package/skills/architecture-design/templates/adr.md +63 -0
  26. package/skills/architecture-documentation/SKILL.md +126 -0
  27. package/skills/architecture-documentation/evals/evals.json +44 -0
  28. package/skills/architecture-documentation/references/abstraction-levels.md +91 -0
  29. package/skills/architecture-documentation/references/diagram-tooling.md +141 -0
  30. package/skills/architecture-documentation/templates/architecture-doc.md +171 -0
  31. package/skills/bug-investigating/SKILL.md +133 -0
  32. package/skills/bug-investigating/evals/evals.json +56 -0
  33. package/skills/bug-investigating/references/common-bugs.md +62 -0
  34. package/skills/bug-investigating/references/debugging-patterns.md +94 -0
  35. package/skills/cicd-pipeline/SKILL.md +87 -0
  36. package/skills/cicd-pipeline/evals/evals.json +34 -0
  37. package/skills/cicd-pipeline/references/pipeline-patterns.md +206 -0
  38. package/skills/cicd-pipeline/templates/github-actions.md +206 -0
  39. package/skills/code-reviewing/SKILL.md +92 -0
  40. package/skills/code-reviewing/evals/evals.json +62 -0
  41. package/skills/code-reviewing/references/error-handling.md +108 -0
  42. package/skills/code-reviewing/references/review-checklist.md +144 -0
  43. package/skills/configuration-strategy/SKILL.md +109 -0
  44. package/skills/configuration-strategy/evals/evals.json +41 -0
  45. package/skills/configuration-strategy/references/config-patterns.md +161 -0
  46. package/skills/containerization/SKILL.md +90 -0
  47. package/skills/containerization/evals/evals.json +36 -0
  48. package/skills/containerization/references/dockerfile-patterns.md +168 -0
  49. package/skills/containerization/templates/dockerfile.md +154 -0
  50. package/skills/data-modeling/SKILL.md +83 -0
  51. package/skills/data-modeling/evals/evals.json +43 -0
  52. package/skills/data-modeling/references/conventions.md +57 -0
  53. package/skills/data-modeling/templates/schema.md +120 -0
  54. package/skills/dependency-impact-analysis/SKILL.md +113 -0
  55. package/skills/dependency-impact-analysis/evals/evals.json +41 -0
  56. package/skills/dependency-impact-analysis/references/impact-patterns.md +150 -0
  57. package/skills/dependency-management/SKILL.md +161 -0
  58. package/skills/dependency-management/evals/evals.json +48 -0
  59. package/skills/dependency-management/references/evaluation-checklist.md +127 -0
  60. package/skills/deployment-checklist/SKILL.md +132 -0
  61. package/skills/deployment-checklist/evals/evals.json +58 -0
  62. package/skills/deployment-checklist/references/pre-deploy-gates.md +91 -0
  63. package/skills/deployment-repo/SKILL.md +190 -0
  64. package/skills/deployment-repo/evals/evals.json +44 -0
  65. package/skills/deployment-repo/references/deployment-repo-patterns.md +258 -0
  66. package/skills/deployment-repo/references/version-compatibility.md +227 -0
  67. package/skills/deployment-repo/templates/deployment-repo-structure.md +226 -0
  68. package/skills/effort-estimation/SKILL.md +95 -0
  69. package/skills/effort-estimation/evals/evals.json +32 -0
  70. package/skills/effort-estimation/references/estimation-methods.md +154 -0
  71. package/skills/feature-planning/SKILL.md +84 -0
  72. package/skills/feature-planning/evals/evals.json +44 -0
  73. package/skills/feature-planning/templates/plan.md +55 -0
  74. package/skills/feature-planning/templates/task.md +26 -0
  75. package/skills/frontend-architecture/SKILL.md +154 -0
  76. package/skills/frontend-architecture/evals/evals.json +34 -0
  77. package/skills/frontend-architecture/references/component-patterns.md +264 -0
  78. package/skills/frontend-architecture/templates/folder-structure.md +203 -0
  79. package/skills/git-workflow/SKILL.md +127 -0
  80. package/skills/git-workflow/evals/evals.json +44 -0
  81. package/skills/git-workflow/references/conventions.md +142 -0
  82. package/skills/git-workflow/templates/pull-request.md +57 -0
  83. package/skills/gitops-delivery/SKILL.md +319 -0
  84. package/skills/gitops-delivery/evals/evals.json +44 -0
  85. package/skills/gitops-delivery/references/gitops-patterns.md +478 -0
  86. package/skills/gitops-delivery/templates/gitops-config.md +196 -0
  87. package/skills/incident-response/SKILL.md +130 -0
  88. package/skills/incident-response/evals/evals.json +55 -0
  89. package/skills/incident-response/references/communication-templates.md +134 -0
  90. package/skills/incident-response/references/severity-levels.md +77 -0
  91. package/skills/incident-response/templates/incident-timeline.md +57 -0
  92. package/skills/infrastructure-as-code/SKILL.md +86 -0
  93. package/skills/infrastructure-as-code/evals/evals.json +33 -0
  94. package/skills/infrastructure-as-code/references/iac-patterns.md +179 -0
  95. package/skills/infrastructure-as-code/templates/terraform-module.md +158 -0
  96. package/skills/metrics-and-okrs/SKILL.md +113 -0
  97. package/skills/metrics-and-okrs/evals/evals.json +33 -0
  98. package/skills/metrics-and-okrs/references/metric-catalog.md +90 -0
  99. package/skills/metrics-and-okrs/templates/okr-document.md +61 -0
  100. package/skills/ml-experiment-tracking/SKILL.md +96 -0
  101. package/skills/ml-experiment-tracking/evals/evals.json +32 -0
  102. package/skills/ml-experiment-tracking/references/tracking-tools.md +127 -0
  103. package/skills/ml-model-deployment/SKILL.md +106 -0
  104. package/skills/ml-model-deployment/evals/evals.json +34 -0
  105. package/skills/ml-model-deployment/references/serving-patterns.md +162 -0
  106. package/skills/ml-pipeline-design/SKILL.md +162 -0
  107. package/skills/ml-pipeline-design/evals/evals.json +34 -0
  108. package/skills/ml-pipeline-design/references/pipeline-components.md +174 -0
  109. package/skills/observability-design/SKILL.md +162 -0
  110. package/skills/observability-design/evals/evals.json +52 -0
  111. package/skills/observability-design/references/logging-patterns.md +229 -0
  112. package/skills/observability-design/references/slo-framework.md +151 -0
  113. package/skills/observability-design/templates/slo-document.md +80 -0
  114. package/skills/performance-optimization/SKILL.md +83 -0
  115. package/skills/performance-optimization/evals/evals.json +47 -0
  116. package/skills/performance-optimization/references/bottleneck-patterns.md +256 -0
  117. package/skills/performance-optimization/references/concurrency.md +101 -0
  118. package/skills/prd-writing/SKILL.md +109 -0
  119. package/skills/prd-writing/evals/evals.json +33 -0
  120. package/skills/prd-writing/references/prd-examples.md +132 -0
  121. package/skills/prd-writing/templates/prd.md +71 -0
  122. package/skills/prd-writing/templates/rfc.md +79 -0
  123. package/skills/project-documentation/SKILL.md +104 -0
  124. package/skills/project-documentation/evals/evals.json +48 -0
  125. package/skills/project-documentation/references/contributing-guide.md +100 -0
  126. package/skills/project-documentation/templates/changelog.md +59 -0
  127. package/skills/project-documentation/templates/readme.md +121 -0
  128. package/skills/project-proposal/SKILL.md +90 -0
  129. package/skills/project-proposal/evals/evals.json +31 -0
  130. package/skills/project-proposal/references/proposal-examples.md +140 -0
  131. package/skills/project-proposal/templates/proposal.md +76 -0
  132. package/skills/project-review/SKILL.md +111 -0
  133. package/skills/project-review/evals/evals.json +42 -0
  134. package/skills/refactoring/SKILL.md +90 -0
  135. package/skills/refactoring/evals/evals.json +44 -0
  136. package/skills/refactoring/references/transformations.md +132 -0
  137. package/skills/retrospective/SKILL.md +157 -0
  138. package/skills/retrospective/evals/evals.json +34 -0
  139. package/skills/retrospective/references/facilitation-guide.md +130 -0
  140. package/skills/retrospective/templates/post-mortem.md +121 -0
  141. package/skills/rollback-strategy/SKILL.md +116 -0
  142. package/skills/rollback-strategy/evals/evals.json +55 -0
  143. package/skills/rollback-strategy/references/rollback-patterns.md +125 -0
  144. package/skills/rollback-strategy/templates/rollback-plan.md +69 -0
  145. package/skills/security-audit/SKILL.md +146 -0
  146. package/skills/security-audit/evals/evals.json +66 -0
  147. package/skills/security-audit/references/owasp-top-10.md +167 -0
  148. package/skills/security-audit/templates/security-report.md +79 -0
  149. package/skills/skill-router/SKILL.md +171 -0
  150. package/skills/skill-router/evals/evals.json +39 -0
  151. package/skills/strategic-review/SKILL.md +106 -0
  152. package/skills/strategic-review/evals/evals.json +42 -0
  153. package/skills/strategic-review/templates/full-review-prompt.md +84 -0
  154. package/skills/tdd-workflow/SKILL.md +147 -0
  155. package/skills/tdd-workflow/evals/evals.json +58 -0
  156. package/skills/tdd-workflow/references/test-quality.md +71 -0
  157. package/skills/technical-debt-review/SKILL.md +113 -0
  158. package/skills/technical-debt-review/evals/evals.json +41 -0
  159. package/skills/technical-debt-review/references/debt-taxonomy.md +124 -0
  160. package/skills/technical-debt-review/templates/debt-audit.md +85 -0
  161. package/skills/test-data-strategy/SKILL.md +129 -0
  162. package/skills/test-data-strategy/evals/evals.json +49 -0
  163. package/skills/test-data-strategy/references/data-generation-patterns.md +341 -0
  164. package/skills/test-suite-design/SKILL.md +137 -0
  165. package/skills/test-suite-design/evals/evals.json +69 -0
  166. package/skills/test-suite-design/references/test-infrastructure.md +175 -0
  167. package/skills/test-suite-design/references/testing-pyramid.md +140 -0
  168. package/skills/ui-ux-design/SKILL.md +117 -0
  169. package/skills/ui-ux-design/evals/evals.json +35 -0
  170. package/skills/ui-ux-design/references/interaction-patterns.md +145 -0
  171. package/skills/ui-ux-design/templates/screen-spec.md +97 -0
  172. package/skills/verification-before-completion/SKILL.md +85 -0
  173. package/skills/verification-before-completion/evals/evals.json +53 -0
  174. package/skills/writing-skills/SKILL.md +87 -0
  175. package/skills/writing-skills/evals/evals.json +41 -0
  176. package/skills/writing-skills/references/pressure-testing.md +69 -0
  177. package/uninstall.mjs +182 -0
@@ -0,0 +1,171 @@
1
+ # Architecture Documentation — Repository Structure Template
2
+
3
+ ## Recommended Directory Layout
4
+
5
+ ```
6
+ docs/
7
+ architecture/
8
+ README.md # Index: what's here, how to navigate, conventions used
9
+ glossary.md # Shared vocabulary — authoritative names for all systems
10
+
11
+ canonical/ # Source-of-truth structural diagrams (C4 model)
12
+ system-context.{puml|dsl|mmd} # Level 1: system + users + external dependencies
13
+ container-{system-name}.{ext} # Level 2: services, data stores, message brokers
14
+ component-{service-name}.{ext} # Level 3: internal structure (only if needed)
15
+
16
+ runtime/ # Operational behavior diagrams
17
+ flows/ # Data and request flows
18
+ {flow-name}.{d2|mmd|puml} # e.g., checkout-flow.d2, rag-pipeline.d2
19
+ infra/ # Deployment and infrastructure topology
20
+ {environment}-topology.{d2|mmd} # e.g., production-topology.d2
21
+ sequences/ # Sequence diagrams for key interactions
22
+ {interaction-name}.{ext} # e.g., auth-handshake.puml
23
+
24
+ conceptual/ # Communication and onboarding diagrams
25
+ overview-{audience}.md # e.g., overview-new-hires.md (with Mermaid)
26
+ {topic}.md # e.g., data-flow-simplified.md
27
+
28
+ decisions/ # ADRs (managed by architecture-design skill)
29
+ ADR-001-{title}.md
30
+ ADR-002-{title}.md
31
+ ```
32
+
33
+ ### Multi-Repo Variant
34
+
35
+ For systems spanning multiple repositories, either:
36
+
37
+ **A) Central docs repo** — One repo holds all architecture docs. Services reference it.
38
+ ```
39
+ architecture-docs/ # Dedicated repo
40
+ canonical/ # Cross-system C4 diagrams
41
+ runtime/ # Cross-service flows
42
+ decisions/ # Cross-cutting ADRs
43
+ ```
44
+
45
+ **B) Co-located per service** — Each repo has its own `docs/architecture/` with service-scoped diagrams. A top-level repo or wiki holds the system context and cross-service views.
46
+
47
+ Choose A when: a single team owns architecture docs, or the system context is the primary audience.
48
+ Choose B when: teams own their services end-to-end and update docs alongside code.
49
+
50
+ ---
51
+
52
+ ## Glossary Template
53
+
54
+ The glossary is the single source of truth for system element names. Every diagram must use these names exactly.
55
+
56
+ ```yaml
57
+ # docs/architecture/glossary.md (or glossary.yaml)
58
+
59
+ systems:
60
+ payments-platform:
61
+ description: Processes payments and manages billing
62
+ owner: team-payments
63
+ repo: github.com/org/payments
64
+
65
+ services:
66
+ payments-api:
67
+ system: payments-platform
68
+ description: REST API for payment operations
69
+ tech: Node.js / Express
70
+
71
+ payment-worker:
72
+ system: payments-platform
73
+ description: Async payment processing
74
+ tech: Node.js
75
+
76
+ data-stores:
77
+ payments-db:
78
+ system: payments-platform
79
+ description: Transaction and billing storage
80
+ tech: PostgreSQL
81
+
82
+ payment-queue:
83
+ system: payments-platform
84
+ description: Job queue for async payment processing
85
+ tech: Redis
86
+
87
+ external-systems:
88
+ stripe:
89
+ description: Payment gateway provider
90
+ integration: REST API
91
+
92
+ bank-api:
93
+ description: Account verification service
94
+ integration: REST API
95
+ ```
96
+
97
+ **Rules:**
98
+ - Same names used in C4, runtime, and conceptual diagrams — no aliasing
99
+ - New services must be added to the glossary before appearing in any diagram
100
+ - The glossary is the authority — if a name isn't here, it shouldn't be in a diagram
101
+
102
+ ---
103
+
104
+ ## Architecture README Template
105
+
106
+ ```markdown
107
+ # Architecture Documentation
108
+
109
+ ## How to Read These Docs
110
+
111
+ This directory contains architecture documentation at three abstraction levels:
112
+
113
+ - **`canonical/`** — Source of truth for system structure (C4 model). Start here.
114
+ - **`runtime/`** — How the system behaves: data flows, deployment topology, key interactions.
115
+ - **`conceptual/`** — Simplified overviews for onboarding and communication. Not authoritative.
116
+ - **`../decisions/`** — Architecture Decision Records (ADRs) explaining why the architecture looks this way.
117
+
118
+ ## Conventions
119
+
120
+ - **Naming**: All diagrams use names from `glossary.md`. No aliases or renames.
121
+ - **Tools**: [List your chosen tools, e.g., "C4-PlantUML for canonical, D2 for runtime, Mermaid for conceptual"]
122
+ - **Rendering**: [How to render diagrams, e.g., "Mermaid renders in GitHub. Run `make diagrams` for PlantUML/D2."]
123
+
124
+ ## Diagram Index
125
+
126
+ | Diagram | Level | Description | Last Updated |
127
+ |---------|-------|-------------|--------------|
128
+ | [System Context](canonical/system-context.puml) | Canonical | Top-level system view | YYYY-MM-DD |
129
+ | [Containers](canonical/container-payments.puml) | Canonical | Services and data stores | YYYY-MM-DD |
130
+ | [Checkout Flow](runtime/flows/checkout-flow.d2) | Runtime | End-to-end checkout sequence | YYYY-MM-DD |
131
+ | [Production Topology](runtime/infra/production-topology.d2) | Runtime | K8s cluster layout | YYYY-MM-DD |
132
+ | [New Hire Overview](conceptual/overview-new-hires.md) | Conceptual | Simplified system map | YYYY-MM-DD |
133
+ ```
134
+
135
+ ---
136
+
137
+ ## Validation Checklist
138
+
139
+ Use this checklist when reviewing architecture documentation for completeness:
140
+
141
+ ### Structure
142
+ - [ ] `docs/architecture/` directory exists with canonical/, runtime/, and conceptual/ subdirectories (as needed)
143
+ - [ ] `glossary.md` exists with all system element names
144
+ - [ ] `README.md` exists with navigation guide and diagram index
145
+
146
+ ### Canonical Diagrams
147
+ - [ ] System context diagram exists showing users and external dependencies
148
+ - [ ] Container diagram exists for each system with multiple services
149
+ - [ ] All services and data stores in the codebase appear in canonical diagrams
150
+ - [ ] Each canonical diagram has a title and last-updated date
151
+
152
+ ### Runtime Diagrams (if applicable)
153
+ - [ ] Runtime diagrams reference only elements from canonical diagrams (infrastructure-only components excepted)
154
+ - [ ] Key data flows and interactions are documented
155
+ - [ ] Deployment topology matches actual infrastructure
156
+
157
+ ### Naming Consistency
158
+ - [ ] All element names match the glossary exactly
159
+ - [ ] No diagram introduces new system names not in the glossary
160
+ - [ ] File names follow the established convention
161
+
162
+ ### Traceability
163
+ - [ ] ADRs that changed architecture reference affected diagrams
164
+ - [ ] Canonical diagrams link to relevant ADRs in annotations or comments
165
+ - [ ] Runtime diagrams are traceable to canonical elements
166
+
167
+ ### Maintenance
168
+ - [ ] Diagrams are version-controlled as text files
169
+ - [ ] Diagrams render correctly (manually verified or CI-checked)
170
+ - [ ] Conceptual diagrams are labeled as non-canonical
171
+ - [ ] Review cadence is documented (e.g., quarterly for canonical)
@@ -0,0 +1,133 @@
1
+ ---
2
+ name: bug-investigating
3
+ description: "Systematic debugging and root cause analysis using structured methodology — reproduce, isolate, hypothesize, verify. Triggers: this doesn't work, I'm getting an error, something is broken, bug, debug this, why is this happening, unexpected behavior, regression, root cause, stack trace, error message."
4
+ model: opus
5
+ allowed-tools: Read, Grep, Glob, Write, Edit, Bash
6
+ ---
7
+
8
+ # Bug Investigating
9
+
10
+ Guide systematic debugging to find root causes, not just symptoms. Good debugging is methodical — form hypotheses, test them, narrow down, and verify the fix.
11
+
12
+ ## ⛔ The Iron Law
13
+
14
+ **No fix without a confirmed root cause and a failing test that reproduces the bug.**
15
+
16
+ A change that makes the symptom disappear without an explanation of *why* it worked is a guess, not a fix — and guesses regress. If you can't articulate the mechanism that produced the wrong behavior, you have not found the root cause yet.
17
+
18
+ ## Workflow
19
+
20
+ ### Step 1: Gather Evidence
21
+
22
+ Before guessing at causes, collect information:
23
+
24
+ - **What is the expected behavior?** What should happen?
25
+ - **What is the actual behavior?** What happens instead?
26
+ - **When did it start?** Did it work before? What changed?
27
+ - **Is it reproducible?** Always, sometimes, only under certain conditions?
28
+ - **Error messages and stack traces?** Read them carefully — they usually point to the right area.
29
+
30
+ If the user provides a vague report ("it's broken"), ask these questions before investigating. A well-defined bug is half-solved.
31
+
32
+ ### Step 2: Reproduce the Bug
33
+
34
+ Reproduction is the most important step. If you can't reproduce it, you can't verify the fix.
35
+
36
+ 1. Follow the user's steps to trigger the bug
37
+ 2. Identify the minimum reproduction case — strip away everything irrelevant
38
+ 3. Document the exact steps to reproduce
39
+
40
+ If it's intermittent, look for:
41
+ - Race conditions (timing-dependent)
42
+ - State-dependent bugs (order of operations)
43
+ - Environment-dependent bugs (config, versions, OS)
44
+
45
+ ### Step 3: Form Hypotheses
46
+
47
+ Based on the evidence, list 2-5 likely causes, ordered by probability. For each hypothesis:
48
+
49
+ - What would be true if this hypothesis is correct?
50
+ - What quick test can confirm or eliminate it?
51
+
52
+ Good hypotheses come from:
53
+ - Reading the error message and stack trace carefully
54
+ - Checking what changed recently (`git log`, `git diff`)
55
+ - Examining the code path the failing scenario exercises
56
+ - Looking at similar past bugs
57
+
58
+ ### Step 4: Binary Search for the Cause
59
+
60
+ Narrow down systematically:
61
+
62
+ **In code**: Add logging/breakpoints at the midpoint of the suspected code path. Is the state correct at that point? If yes, the bug is in the second half. If no, the first half.
63
+
64
+ **In time**: If it worked before, use `git bisect` to find the commit that introduced the regression:
65
+ ```bash
66
+ git bisect start
67
+ git bisect bad # current state is broken
68
+ git bisect good <hash> # this commit was working
69
+ # Git checks out the midpoint — test and report good/bad
70
+ ```
71
+
72
+ **In data**: If the bug depends on input, narrow down which input triggers it. Test boundary values, null/empty cases, and special characters.
73
+
74
+ ### Step 5: Verify the Root Cause
75
+
76
+ Before fixing, confirm you've found the actual root cause, not a symptom:
77
+
78
+ - Can you explain *why* this code produces the wrong behavior?
79
+ - Does the explanation account for all observed symptoms?
80
+ - If you remove/change the suspected cause, does the bug disappear?
81
+
82
+ If you can't explain why, you haven't found the root cause yet.
83
+
84
+ ### Step 6: Fix and Verify
85
+
86
+ 1. **Write a failing test** that reproduces the bug (this is your regression test)
87
+ 2. **Apply the minimal fix** — change as little as possible
88
+ 3. **Run the test** — it should now pass
89
+ 4. **Run the full test suite** — the fix shouldn't break anything else
90
+ 5. **Document** what caused the bug and why the fix works
91
+
92
+ See [references/common-bugs.md](references/common-bugs.md) for patterns of frequently encountered bugs by language/framework.
93
+
94
+ ## Principles Applied
95
+
96
+ - **Methodical over intuition**: Resist the urge to guess and change things. Every action is a test of a hypothesis.
97
+ - **Binary search mindset**: Always cut the problem space in half. Don't narrow from the edges — bisect from the middle.
98
+ - **Root cause vs. symptom**: A null check that masks a null isn't a fix. Understand *why* the unexpected state exists.
99
+ - **Reproducibility before fixes**: If you can't reproduce the bug reliably, you can't verify the fix. Spend time here first.
100
+ - **Minimal fix**: Change the least amount of code that fixes the root cause. Broad changes introduce new bugs.
101
+
102
+ ## Anti-patterns in Debugging
103
+
104
+ - **Shotgun debugging**: Changing random things and hoping. Always have a hypothesis.
105
+ - **Blame debugging**: Assuming the bug is in someone else's code (library, framework, OS). Start with your code.
106
+ - **Printf-only debugging**: Print statements are fine, but use a debugger for complex state issues.
107
+ - **Fix the symptom**: Adding a null check instead of understanding why the value is null.
108
+ - **Fixing without a test**: You'll be back here in a month.
109
+
110
+ See [references/debugging-patterns.md](references/debugging-patterns.md) for hypothesis-driven debugging technique and language-specific tips.
111
+
112
+ ## Rationalizations to reject
113
+
114
+ | Excuse | Reality |
115
+ |--------|---------|
116
+ | "This null check will probably fix it" | If you can't explain why the value is null, you're masking a symptom — it will resurface elsewhere. |
117
+ | "It's probably flaky / the library's fault" | Start in your own code. Blame is not a diagnosis. |
118
+ | "I can't reproduce it, but this should help" | Unreproduced means unverifiable — you won't know if the change actually worked. |
119
+ | "Let me just try a few things" | Shotgun debugging. Every change must test a stated hypothesis. |
120
+ | "The fix is obvious, no need for a test" | Without a regression test, the bug comes back and nobody notices. |
121
+
122
+ ## Red flags — stop and correct course
123
+
124
+ - Changing code without a written hypothesis.
125
+ - Proposing a fix before you've reproduced the bug.
126
+ - The fix works but you can't explain the mechanism.
127
+ - Adding defensive checks at the symptom instead of the source.
128
+
129
+ ## Cross-Skill References
130
+
131
+ - `incident-response` — use instead when production is actively down and users are impacted (time-pressured response)
132
+ - `tdd-workflow` — write the regression test (Step 6) using the TDD workflow
133
+ - `verification-before-completion` — confirm the reproducing test passes before claiming the fix
@@ -0,0 +1,56 @@
1
+ {
2
+ "skill_name": "bug-investigating",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "My API endpoint returns 200 but the data is wrong. The user's email shows as null even though it's in the database. Here's the endpoint:\n\napp.get('/users/:id', async (req, res) => {\n const user = await db.users.findUnique({\n where: { id: req.params.id },\n select: { name: true, createdAt: true }\n });\n res.json(user);\n});",
7
+ "expected_output": "Should identify the root cause: the select clause explicitly omits email. Should not suggest database fixes or complex debugging when the code clearly shows the issue.",
8
+ "assertions": [
9
+ "Identifies the root cause: select clause doesn't include email",
10
+ "Does not suggest database investigation as first step",
11
+ "Explains why the bug manifests as null (field not selected)",
12
+ "Suggests adding email to the select clause or removing select to return all fields",
13
+ "Recommends writing a regression test"
14
+ ]
15
+ },
16
+ {
17
+ "id": 2,
18
+ "prompt": "something broke in production, users are complaining about slow loading. it was fine yesterday. help!",
19
+ "expected_output": "Should systematically gather evidence before jumping to conclusions. Ask what changed, check recent deployments, look at metrics.",
20
+ "assertions": [
21
+ "Asks clarifying questions (what changed, recent deploys, error messages)",
22
+ "Suggests checking recent git commits/deploys",
23
+ "Recommends looking at metrics/monitoring before code",
24
+ "Does not immediately suggest code fixes without evidence",
25
+ "Suggests checking for N+1 queries or new external calls as common causes of sudden slowness"
26
+ ]
27
+ },
28
+ {
29
+ "id": 3,
30
+ "prompt": "I'm getting this error intermittently: 'SequelizeConnectionError: Connection pool exhausted'. It happens about 10 times a day, always during peak hours. Restarting the server fixes it temporarily.",
31
+ "expected_output": "Should recognize this as a connection leak pattern, not suggest increasing pool size as the primary fix, and guide toward finding the code that doesn't return connections.",
32
+ "assertions": [
33
+ "Identifies this as a connection leak (not just a pool size issue)",
34
+ "Does NOT primarily recommend just increasing pool size",
35
+ "Suggests searching for database calls that might not close connections (missing finally blocks, unhandled promise rejections)",
36
+ "Recommends checking for transactions that aren't committed/rolled back",
37
+ "Explains why restart temporarily fixes it (pool is recreated)",
38
+ "Suggests adding connection pool monitoring"
39
+ ]
40
+ }
41
+ ],
42
+ "pressure_tests": [
43
+ {
44
+ "id": 1,
45
+ "prompt": "Production throws a NullPointerException sometimes. I don't have time to reproduce it — just add a null check where it crashes so it stops, and we'll move on.",
46
+ "pressure": ["time"],
47
+ "expected_behavior": "Holds the Iron Law: no fix without a confirmed root cause. Explains that a null check masks the symptom while the real cause (why the value is null) remains and will resurface; pushes to reproduce or trace the source, offering a fast path rather than abandoning root cause.",
48
+ "assertions": [
49
+ "Does NOT simply add the null check and move on",
50
+ "Explains masking the symptom vs fixing the root cause",
51
+ "Pushes to reproduce the bug or find why the value is null",
52
+ "Offers a fast route to root cause under time pressure rather than skipping it"
53
+ ]
54
+ }
55
+ ]
56
+ }
@@ -0,0 +1,62 @@
1
+ # Common Bug Patterns
2
+
3
+ ## Contents
4
+ - Universal patterns
5
+ - Async and concurrency bugs
6
+ - Data and state bugs
7
+ - Integration bugs
8
+ - Environment bugs
9
+
10
+ ## Universal Patterns
11
+
12
+ **Off-by-one errors**: Loops that iterate one too many or too few times. Check `<` vs `<=`, `0` vs `1` starting indexes, and fence-post problems.
13
+
14
+ **Null/undefined reference**: Accessing a property of something that doesn't exist. Check: is the variable initialized? Could the query return no results? Is the API response missing a field?
15
+
16
+ **Type coercion**: Implicit conversions producing unexpected results. JavaScript `"5" + 3 === "53"`, Python `"5" * 3 === "555"`. Use strict equality and explicit conversions.
17
+
18
+ **Operator precedence**: `a || b && c` doesn't evaluate left-to-right in most languages. When in doubt, use parentheses.
19
+
20
+ **Mutable default arguments**: In Python, `def fn(items=[])` shares the same list across all calls. Use `None` as default and create inside the function.
21
+
22
+ ## Async and Concurrency Bugs
23
+
24
+ **Unhandled promise rejection**: An async function throws, but nothing catches it. In Node.js, this can crash the process. Always add `.catch()` or use try/catch with await.
25
+
26
+ **Race condition**: Two operations depend on shared state, and the result varies based on timing. Signs: intermittent failures, works in debugger but fails at full speed. Fix: use locks, queues, or redesign to eliminate shared mutable state.
27
+
28
+ **Deadlock**: Two processes each wait for a resource the other holds. Signs: system hangs, no errors, no progress. Fix: consistent lock ordering, timeouts.
29
+
30
+ **Stale closure**: A callback captures a variable that changes before the callback runs. Common in loops with async operations. Fix: use block scoping (`let` in JS) or pass the value explicitly.
31
+
32
+ **N+1 query**: A loop makes one database query per item instead of a batch query. Signs: slow page load that scales with data size. Fix: eager loading, batch queries.
33
+
34
+ ## Data and State Bugs
35
+
36
+ **State mutation side effect**: A function modifies an object that the caller didn't expect to change. Signs: object has wrong values "mysteriously". Fix: clone inputs or use immutable data structures.
37
+
38
+ **Timezone confusion**: Storing or comparing dates without consistent timezone handling. Signs: off-by-one-day errors, times shifted by a few hours. Fix: store everything in UTC, convert only for display.
39
+
40
+ **Encoding issues**: Characters display as garbage or question marks. Signs: works with ASCII, breaks with accented or CJK characters. Fix: use UTF-8 everywhere, specify encoding explicitly.
41
+
42
+ **Floating point precision**: `0.1 + 0.2 !== 0.3` in most languages. Fix: use integer arithmetic (cents instead of dollars), decimal libraries, or epsilon comparison.
43
+
44
+ **Cache staleness**: Application shows outdated data because a cache wasn't invalidated. Signs: data updates "eventually" or "after restart". Fix: explicit cache invalidation on writes.
45
+
46
+ ## Integration Bugs
47
+
48
+ **API contract mismatch**: The client sends/expects data in a different format than the server provides. Signs: null fields, 400 errors, missing data. Fix: check the actual request/response (not the docs — they may be wrong).
49
+
50
+ **Connection pooling exhaustion**: Database connections aren't returned to the pool. Signs: app works fine, then suddenly can't connect to DB after running for a while. Fix: ensure connections are closed in finally blocks.
51
+
52
+ **Retry without idempotency**: A failed request is retried, but the original request actually succeeded. Signs: duplicate records, double charges. Fix: use idempotency keys.
53
+
54
+ **CORS**: Browser blocks a cross-origin request. Signs: works in Postman/curl, fails in browser. Fix: configure CORS headers on the server, not by disabling browser security.
55
+
56
+ ## Environment Bugs
57
+
58
+ **Works on my machine**: Code behaves differently across environments. Common causes: different dependency versions, environment variable differences, OS-specific behavior (file paths, line endings).
59
+
60
+ **Missing environment variable**: App crashes or behaves unexpectedly because a config value isn't set. Fix: fail fast at startup with clear error messages for required config.
61
+
62
+ **Dependency version conflict**: Two packages require incompatible versions of a shared dependency. Signs: strange runtime errors that don't match the code. Fix: use lockfiles, check `node_modules` or `site-packages` for unexpected versions.
@@ -0,0 +1,94 @@
1
+ # Debugging Patterns
2
+
3
+ ## Hypothesis-Driven Debugging
4
+
5
+ The scientific method applied to bugs:
6
+
7
+ 1. **Observe**: Collect all available evidence (error messages, logs, stack traces, reproduction steps)
8
+ 2. **Hypothesize**: Form a falsifiable explanation — "I think X is happening because Y"
9
+ 3. **Predict**: "If my hypothesis is correct, then when I do Z, I should see W"
10
+ 4. **Test**: Run the experiment — add a log, check a value, change an input
11
+ 5. **Conclude**: If the prediction was wrong, update or discard the hypothesis
12
+
13
+ Never skip step 3. A test without a prediction teaches you nothing useful — you don't know what result would confirm or deny the hypothesis.
14
+
15
+ ## Narrowing Techniques
16
+
17
+ ### Binary search in code
18
+ Add an assertion or log at the midpoint of the suspected code path. If state is correct there, the bug is downstream. If wrong, upstream. Repeat until the exact line is isolated.
19
+
20
+ ### Git bisect (regression bugs)
21
+ ```bash
22
+ git bisect start
23
+ git bisect bad # current commit is broken
24
+ git bisect good <hash> # this commit was known-good
25
+ # git checks out midpoint — test it, then:
26
+ git bisect good # or: git bisect bad
27
+ # Repeat until git identifies the culprit commit
28
+ git bisect reset # return to HEAD
29
+ ```
30
+
31
+ ### Input reduction (data-dependent bugs)
32
+ Start with the full failing input. Remove half of it. Still fails? Remove another half. When it passes, the removed part was essential. Binary search until you have the minimum failing case.
33
+
34
+ ## Bug Categories and Where to Look
35
+
36
+ ### Off-by-one errors
37
+ - Loop bounds: `< len` vs `<= len`, `0` vs `1` as starting index
38
+ - String/array slicing: `[0:n]` vs `[0:n+1]`
39
+ - Fence-post problems: n items need n-1 gaps, or n+1 fences
40
+ - Symptom: Wrong count, missing last element, processing one extra item
41
+
42
+ ### Null / undefined reference
43
+ - Cause: Assuming a value exists when it can be absent
44
+ - Check: Where does this value come from? Can that source ever return null?
45
+ - Fix: Validate at the boundary where data enters, not at every use site
46
+
47
+ ### Type coercion / comparison bugs
48
+ - JavaScript `==` vs `===`, Python `is` vs `==`
49
+ - Integer vs float comparison (`0.1 + 0.2 != 0.3`)
50
+ - String-to-number coercion in dynamic languages
51
+
52
+ ### Race conditions
53
+ - Symptom: Intermittent failure, passes when you add logging (logging adds timing)
54
+ - Look for: Shared mutable state accessed from multiple threads/async contexts
55
+ - Tools: Thread sanitizers, sleep injection to exaggerate timing windows
56
+
57
+ ### State mutation bugs
58
+ - Symptom: Correct result first call, wrong result on second call
59
+ - Look for: Global state, cached values that aren't invalidated, objects mutated in place
60
+
61
+ ### N+1 query bugs
62
+ - Symptom: Slow with many records, fast with few
63
+ - Look for: Database queries inside loops
64
+ - Tool: Query logging (`EXPLAIN ANALYZE`, ORM query counting in tests)
65
+
66
+ ### Async / Promise bugs (JavaScript/TypeScript)
67
+ - Unhandled promise rejection: Missing `await` or `.catch()`
68
+ - Stale closure: `async` callback captures variable value at creation time, not call time
69
+ - Fire-and-forget: `async` function called without `await`, caller proceeds before it completes
70
+
71
+ ## Language-Specific Tips
72
+
73
+ ### JavaScript / TypeScript
74
+ - `console.dir(obj, {depth: null})` — print nested objects fully
75
+ - `debugger` statement + Chrome DevTools or Node `--inspect`
76
+ - `JSON.stringify(obj, null, 2)` for serializable objects
77
+ - TypeScript: Read the type error message carefully — it tells you exactly what's wrong
78
+
79
+ ### Python
80
+ - `import pdb; pdb.set_trace()` — interactive debugger
81
+ - `breakpoint()` — Python 3.7+ shorthand
82
+ - `print(repr(value))` — shows exact type and value, including whitespace
83
+ - `traceback.print_exc()` — print exception from except block
84
+
85
+ ### Go
86
+ - `fmt.Printf("%+v\n", struct)` — print struct with field names
87
+ - `fmt.Printf("%T\n", value)` — print type
88
+ - Delve debugger: `dlv debug ./cmd/myapp`
89
+ - Race detector: `go test -race ./...`
90
+
91
+ ### SQL
92
+ - `EXPLAIN ANALYZE <query>` — shows actual execution plan and row counts
93
+ - Check for sequential scans on large tables (missing index)
94
+ - Check for `N+1` by counting queries in test logs
@@ -0,0 +1,87 @@
1
+ ---
2
+ name: cicd-pipeline
3
+ description: "Design CI/CD pipelines for automated build, test, deploy — GitHub Actions, GitLab CI, quality gates. Triggers: CI/CD, pipeline, GitHub Actions, GitLab CI, workflow, automated deployment, build pipeline, continuous integration, continuous deployment, automate tests on PR, deploy automatically, quality gate."
4
+ model: sonnet
5
+ allowed-tools: Read, Grep, Glob, Write, Edit, Bash
6
+ ---
7
+
8
+ # CI/CD Pipeline Design
9
+
10
+ Design and write CI/CD pipelines that automate build, test, and deployment with appropriate quality gates. Good pipelines are fast, reliable, and catch problems before they reach production.
11
+
12
+ ## Workflow
13
+
14
+ ### Step 1: Understand the Requirements
15
+
16
+ Before writing pipeline configuration, establish:
17
+
18
+ - **Platform**: GitHub Actions, GitLab CI, Jenkins, CircleCI, etc.
19
+ - **Triggers**: On push, on PR, on tag, on schedule, manual?
20
+ - **Stages needed**: Lint → Test → Build → Deploy? Security scan? Performance test?
21
+ - **Environments**: Staging, production? Approval gates between them?
22
+ - **Artifacts**: Docker images, npm packages, binaries? Where do they go?
23
+ - **Secrets**: What credentials are needed and how are they managed?
24
+
25
+ ### Step 2: Design the Pipeline Stages
26
+
27
+ Follow the "fail fast" principle — cheapest and fastest checks run first:
28
+
29
+ ```
30
+ 1. Lint & Format (seconds) → Catch style issues immediately
31
+ 2. Unit Tests (seconds) → Catch logic errors
32
+ 3. Build (minutes) → Confirm it compiles/bundles
33
+ 4. Integration Tests (minutes) → Catch wiring issues
34
+ 5. Security Scan (minutes) → Catch vulnerabilities
35
+ 6. Deploy to Staging (minutes) → Validate in real environment
36
+ 7. Deploy to Prod (minutes) → With approval gate
37
+ ```
38
+
39
+ Parallelize independent stages. Lint, unit tests, and security scans can run simultaneously.
40
+
41
+ **Multi-repo / deployment repo pattern:** If this service is part of a polyrepo with a deployment repo, the pipeline's deploy stages may update version pins in the deployment repo (via PR or `repository_dispatch`) rather than deploying directly to infrastructure. The deployment repo's own CI handles validation and promotion across environments. See `deployment-repo` for the orchestration pattern and `gitops-delivery` for automated cross-repo triggers.
42
+
43
+ ### Step 3: Write the Configuration
44
+
45
+ Write the pipeline config for the target platform. Use [templates/github-actions.md](templates/github-actions.md) as a starting point for GitHub Actions PR validation and production deploy workflows, plus a GitLab CI equivalent.
46
+
47
+ Key best practices:
48
+ - **Cache dependencies** — Cache node_modules, pip packages, Go modules between runs
49
+ - **Pin action/image versions** — Use SHA hashes or exact tags, not `@latest` or `@main`
50
+ - **Minimize secrets scope** — Only expose secrets to the jobs that need them
51
+ - **Use matrix builds** — Test across Node versions, OS variants, or Python versions when applicable
52
+ - **Set timeouts** — Prevent stuck jobs from consuming runner minutes indefinitely
53
+ - **Reusable workflows** — Extract common patterns into shared workflow files
54
+
55
+ ### Step 4: Add Quality Gates
56
+
57
+ Quality gates prevent bad code from advancing:
58
+
59
+ - **Required checks** — Tests and lint must pass before PR merge
60
+ - **Coverage thresholds** — Fail if coverage drops below the floor
61
+ - **Security scan** — Block deploys with critical vulnerabilities
62
+ - **Approval gates** — Require manual approval for production deploys
63
+ - **Smoke tests** — Automated health checks after deployment
64
+
65
+ ### Step 5: Validate
66
+
67
+ - [ ] Pipeline triggers correctly on the intended events
68
+ - [ ] Failing tests actually block the pipeline (not just warnings)
69
+ - [ ] Secrets are not exposed in logs
70
+ - [ ] Cache is working (second run is faster)
71
+ - [ ] Deploy steps have appropriate environment protections
72
+ - [ ] Rollback mechanism exists
73
+
74
+ ## Principles Applied
75
+
76
+ - **KISS**: Start with a single-file pipeline. Split into reusable workflows only when duplication appears.
77
+ - **DRY**: Extract repeated steps into composite actions or shared workflows.
78
+ - **Fail fast**: Order stages by speed and likelihood of failure.
79
+ - **YAGNI**: Don't add matrix builds across 5 Node versions if you only support one.
80
+
81
+ ## Cross-Skill References
82
+
83
+ - `deployment-repo` — for multi-service systems, the deployment repo handles system-level CI (contract tests, E2E, promotion)
84
+ - `gitops-delivery` — pull-based delivery as an alternative to CI-driven `kubectl apply` / `helm upgrade`
85
+ - `deployment-checklist` — pre-deployment verification gates to incorporate into the pipeline
86
+ - `security-audit` — security scanning stages and SAST/DAST integration
87
+ - `verification-before-completion` — run the proving commands locally before relying on the pipeline to catch failures
@@ -0,0 +1,34 @@
1
+ {
2
+ "skill_name": "cicd-pipeline",
3
+ "evals": [
4
+ {
5
+ "id": 1,
6
+ "prompt": "Set up a GitHub Actions CI/CD pipeline for our TypeScript Express API. We use PostgreSQL, run tests with Jest, build a Docker image, and deploy to AWS ECS. We want PR checks and auto-deploy to staging on merge to main, with manual approval for production.",
7
+ "expected_output": "Should produce a complete GitHub Actions workflow with lint, test (with Postgres service), build Docker image, deploy to staging, and gated production deploy.",
8
+ "assertions": [
9
+ "Lint and test run in parallel",
10
+ "PostgreSQL service container configured with health check",
11
+ "Dependencies are cached",
12
+ "Docker build uses multi-stage and caching",
13
+ "Staging deploys automatically on main push",
14
+ "Production deploy requires manual approval (environment protection)",
15
+ "Smoke test after each deployment",
16
+ "All jobs have timeouts",
17
+ "Action versions are pinned"
18
+ ]
19
+ },
20
+ {
21
+ "id": 2,
22
+ "prompt": "Our CI pipeline takes 35 minutes. It runs lint, unit tests, integration tests, e2e tests, security scan, build, and deploy all sequentially. How can we speed it up?",
23
+ "expected_output": "Should identify parallelization opportunities, caching improvements, and suggest restructuring. Should not suggest skipping tests.",
24
+ "assertions": [
25
+ "Identifies that lint, unit tests, and security scan can run in parallel",
26
+ "Recommends dependency caching",
27
+ "Suggests splitting integration and e2e tests from unit tests",
28
+ "Does NOT suggest removing or skipping tests",
29
+ "Recommends concurrency control to cancel outdated runs",
30
+ "Provides a restructured pipeline diagram"
31
+ ]
32
+ }
33
+ ]
34
+ }