MartinKChen
UserAn opinionated Claude Code harness: lock specs & contracts as the source of truth, then drive a team of agents to implement against them with outside-in TDD and adversarial multi-agent review.
Categories
Indexed Skills (50)
create-bug-issue
Create one kind:bug GitHub issue with a Zone-A (symptom) body — the reporter's record of what's broken: Summary, Environment, Steps to reproduce, Expected vs. actual, Evidence, Severity, Regression anchor. Helps the user fill the bug-issue.md template (without inventing facts), confirms it, then creates the issue (kind:bug, NO status, NO branch) via create-bug.sh so /ship analyze picks it up. Activate on '/create-bug-issue', 'file/report a bug', or 'create a bug issue for <x>'.
create-enhancement-issue
Create one kind:enhancement GitHub issue against an EXISTING codebase — the lightweight single-issue analog of /deep-dive-feature (no interview, no doc-lock). Reads context read-only to draft a feature-shaped body, guards that the change needs NO contract/data-model edit (if it does, it's a feature — stop), confirms with the user, then creates it via create-enhancement.sh. Activate on '/create-enhancement-issue', 'create/file an enhancement issue for <x>', or 'enhance <existing behavior>'.
create-feature-issues
Decompose a locked-in feature's PRD into release-safe vertical-slice GitHub issues — ONE issue per slice, whose body inlines the typed task breakdown (e2e → backend → frontend) as a static-ID checklist. Reads the merged `feature-lockin` PRD and contracts; on approval opens slice issues labeled `kind:feature` + `status:ready-to-review` with `feature/<slice#>-<intent>` branches and `Blocked by` chains, then archives the spent PRD. Activate on 'create/slice issues for <feature-name>'.
dream-summary-memory
The 'dreaming' pass over a consuming project's recent history. Reads GitHub issues and PRs closed since the last dream run — review/fix threads, CI failures, merge conflicts — distills the recurring mistakes engineers and reviewers keep making and writes them as additive rule overlays under `.claude/memory/patterns/<skill>.md`. Writes autonomously; never edits baseline pattern skills. Activate on '/dream-summary-memory', 'dream the memory', or 'summarize recent issues into memory'.
memory-convention
How agents consume per-project summarized memory: durable improvement overlays at `$MAIN_ROOT/.claude/memory/patterns/<skill>.md`, written by the `dream-summary-memory` pass and loaded additively by every pattern skill. Defines where the overlays live, their file shape, and the precedence rules for applying overlay rules on top of a baseline pattern skill. (Runtime telemetry signals are written and owned entirely by the plugin's `hooks/runtime-telemetry/` scripts — not this skill's concern.)
operation-git
Single source of truth for every git / GitHub operation the workflow-* skills and the implement-slice Workflow perform. Owns the shared `gh` + `git` scripts (worktree setup, slice-branch resolve, issue listing, task-finder stages, label flips, comment posting, draft-PR creation, PR-status checks), the shared templates, and the gh-command / versioning / release references. Activate whenever the user works with git or GitHub directly, or from inside any workflow that mutates GitHub state.
pattern-architect-api-endpoint
Resource-oriented REST design — the single authority for API endpoint shape decisions (paths, verbs, request / response body, status codes, error envelope, pagination, sorting, filtering, versioning, idempotency policy, rate-limit policy, trailing-slash spelling). Activate when designing, adding, or refactoring an HTTP endpoint, controller, or handler. Every decision lands in the api contract at `docs/api-contract/<entity>.yaml` which engineers implement against and reviewers verify.
pattern-architect-deep-module
Deep-module design guidance (Ousterhout, A Philosophy of Software Design): narrow interface, deep implementation, hidden complexity, no shallow wrappers or pass-throughs. Activate when designing or reviewing the shape of a module, class, package, service, library, or API. Skip for implementation inside an already-agreed seam, bug fixes that don't change the interface, or general software-philosophy questions without an actual module to design.
pattern-e2e-coding-standard
E2E coding standard. Contract is iron on two axes. SEEDING: via API (Playwright `request` fixture, raw HTTP) respect `docs/api-contract/<entity>.yaml` — path, verb, status codes, request/response body; direct-to-DB (SQL fixtures, ORM helpers, factory scripts) respect `docs/data-model/<entity>.yaml` — table, column types, constraints, defaults, FKs. DRIVING/ASSERTING: respect `docs/ui-contract/<screen>.yaml` — query by the declared role + accessible name, scoped to the declared regions, and assert on the declared outcome states. Halt on missing/contradictory contracts; never invent shape or selectors. Activate on any E2E spec / fixture / seed helper.
pattern-engineer-backend-standard
Backend implementation bullets — what the contract doesn't say. Follow the contract verbatim (paths, verbs, status codes, body, envelope, idempotency, rate-limit policy). Covers input-validation mechanics, atomic mutations, RequestId middleware position, `/healthz` + `/readyz` shape, log redaction, SSRF safety, webhook HMAC verify, `.env.example` lockstep, locked deps, SIGTERM, migrations as compose service. Activate on backend code.
pattern-engineer-coding-standard
Language-agnostic coding standards. Contract is iron: implement the task's `Done criteria`, `docs/api-contract/*`, `docs/data-model/*`, and binding ADRs verbatim — halt on ambiguity, never invent. Priority: Readability → KISS → DRY → YAGNI. Verb-noun names; immutable data by default; narrow error handling at boundaries; parallel-by-default async; strongest types (no `any`); AAA tests; files 200–400 lines; feature/refactor in separate commits. Activate when writing or reviewing source code.
pattern-engineer-container
Containerized setups: every Dockerfile is multi-stage (`base`/`build`/`final`), pinned (no `:latest`) and vetted via `docker scout`, non-root with writable paths redirected, no in-image virtualenvs, `.dockerignore` required. Backends `alembic upgrade head` in entrypoint before exec'ing the server; expose fast `/healthz`. Frontend nginx puts API `location` blocks ABOVE the SPA `try_files` fallback. Secrets are runtime env vars. Activate on Dockerfile, compose, `.dockerignore`.
pattern-engineer-database
Ship migrations safely. Models are the source of truth; generate with `alembic revision --autogenerate`; test each via `pytest-alembic` (round-trip + post-state assertions); run in a `migrate` compose service before the backend, never the entrypoint; commit model + migration together. Plus runtime DB patterns: index FKs + RLS columns; RLS with `(SELECT auth.uid())`; project columns; cursor pagination; `SKIP LOCKED` queues. Activate on `alembic/versions/*`, the `migrate` service, or query work.
pattern-engineer-fastapi
FastAPI bullets — wire what the contract already decided. `APIRouter` with explicit prefix; `Depends()` injection; Pydantic at the boundary only; app-level exception handlers mapping to the contracted envelope; `RequestIdMiddleware` registered last; named path constants shared by route + tests; `Depends`-based auth guards; async-by-default; lifespan for startup/shutdown; `dependency_overrides` + per-test factory in tests. Activate on FastAPI routes, deps, middleware, handlers, wiring.
pattern-engineer-frontend-standard
React frontend bullets: composition-first components, custom hooks, route registration + entry-source reachability (a real inbound path, not just a passing URL-render test) in one slice, render to the surface's `docs/ui-contract/<screen>.yaml` (declared role+accessible-name interface; extend its `states` per slice), route-param queries gated by `enabled: !!param`, `onSuccess` cache invalidation, idempotency-key rotation on 4xx, API via `src/lib/api`, Context+Reducer state, RHF+Zod forms, per-route error boundaries, native a11y elements, Tailwind ↔ `docs/design-system/tokens.md`. Activate on frontend `.tsx`/`.ts`.
pattern-engineer-non-functional
Engineer-facing non-functional guardrails for production code (ISO-25010 quality characteristics). A thin always-build floor — bounded reads, no N+1, hot-predicate indexes, upload caps, outbound timeouts, no event-loop-blocking sync calls — plus heavier spec-gated targets (latency / throughput / capacity / availability) built only when the slice declares a matching non-functional AC. Security is out of scope. Activate on a query, list, upload, outbound, or async surface.
pattern-engineer-observability
OpenTelemetry is the only instrumentation API in source; vendor SDKs only behind the Collector. Services emit traces + metrics + logs through OTel with shared resource attributes, W3C `tracecontext` propagation, auto-instrumentation for boilerplate, RED/USE metrics with bounded label cardinality, structured JSON logs gated at source. Activate when touching instrumentation or `OTEL_*` env vars.
pattern-engineer-python
Modern idiomatic Python: `uv` only for env/deps; PEP 8 + 88-char lines; full type annotations on every signature; EAFP with narrow `except` + `raise ... from e`; modern type hints (PEP 604/695); `Protocol` for duck-typed seams; frozen-slots `@dataclass` DTOs (Pydantic only at boundaries); `with` for resources; no mutable default args; comprehensions over C-style loops; no `import *`; no MD5/SHA1 for security; Alembic chained to head + `pytest-alembic` round-trip. Activate on `.py` files.
pattern-engineer-security
Engineer-facing security guardrails for production code. The non-negotiables — env-only secrets, schema-validated input at the boundary, parameterized queries, HttpOnly+Secure+SameSite cookies, authorize-before-act + ownership checks, sanitized output + security headers, CSRF + per-route rate limits, redacted logs, locked dependencies, SSRF allowlists, locked-down CORS, HMAC webhook verification, OAuth state + PKCE. A quick-lookup catalogue keyed by the surface touched. Activate on code.
pattern-engineer-typescript
TypeScript bullets: `strict` + `noUncheckedIndexedAccess` + `exactOptionalPropertyTypes` + the no-implicit/no-fallthrough flags; no `any` (use `unknown` at boundaries, narrow); no `!` without a documented invariant; `type` for unions, `interface` for extendable shapes; discriminated unions; wrap `JSON.parse`; never `forEach(async)`; schema-validate untrusted objects before merge; explicit return types on public exports. Activate when editing TypeScript or `tsconfig.json`.
pattern-engineer-vite
Vite implementation bullets: pick Vite for pure CSR (no SSR/SSG/SEO); env vars via `import.meta.env` with `VITE_` prefix (NOT a security boundary); `vite-plugin-checker` or `tsc --noEmit` in CI — `vite build` does not type-check; `vite-tsconfig-paths` over hand-rolled aliases; `build.sourcemap: false` in prod; `server.host: true` for containerized dev; avoid barrel files; route-boundary splitting via `lazy()` + `<Suspense>`. Activate when editing `vite.config.*` or scaffolding a Vite React app.
pattern-exploratory-testing
Role-neutral catalogue for chartered, time-boxed exploratory testing of a running build — the risk-steered investigation scripted AC/Gherkin coverage can't reach. Covers the session shape (charter + time-box + ship/no-ship readout), the steering tours, and the consistency oracles for bugs with no spec line. Built for a pre-release gate agent recommending SHIP / NO-SHIP — not part of the review fan-out, never blocks on a missing AC. Activate for an exploratory or release-readiness session.
pattern-reviewer-backend-standard
Language-agnostic backend best-practice audit — input-validation mechanics, unbounded queries (`SELECT *` / no `LIMIT`), N+1, missing outbound timeouts, error-message leakage on 5xx, atomic-mutation discipline, `/healthz` no-DB shape, `RequestIdMiddleware` registration order, log redaction key match, sensitive-value single-layer logging, `.env.example` ↔ code lockstep, locked lock files, CORS lock-down. Each finding cites `file:line` with BAD/GOOD snippets.
pattern-reviewer-coding-standard
Language-agnostic code-quality review patterns: Pre-Report Gate (cite line, name failure mode, read context, defend severity); HIGH/CRITICAL require proof; zero findings is valid; common-false-positives list; code-quality bars (large functions/files, deep nesting, missing error handling, mutation, dead code); plus performance, best-practices, and AI-code checks. Each finding is confidence-filtered, severity-graded, cited as `file:line`. Activate when reviewing source code; skip `type:e2e`.
pattern-reviewer-container
Docker / compose audit: Dockerfile is multi-stage (`base`/`build`/`final`); tags pinned (no `:latest`) with `docker scout` clean of fixable MEDIUM+ CVEs; non-root user with writable paths redirected; `.dockerignore` excludes secrets/build outputs; backend entrypoint runs `alembic upgrade head` before the server; no-dep `/healthz` exists; frontend nginx puts API `location` blocks ABOVE the SPA `try_files` fallback. Activate on Dockerfile, compose, or `.dockerignore` diffs.
pattern-reviewer-contract
Contract-conformance audit. Every API endpoint matches its api contract at `docs/api-contract/<entity>.yaml` — path, verb, request/response schema, status codes, error envelope, Idempotency-Key + rate-limit policy. Every ORM model matches its data-model contract at `docs/data-model/<entity>.yaml` — table name, columns, constraint names (`pk_*`, `fk_*`, `uq_*`, `idx_*`, `ck_*`), relationships. Every routed surface + E2E spec matches its UI contract at `docs/ui-contract/<screen>.yaml` — declared regions, role+accessible-name actions, outcome states; specs query only the declared surface. Activate when the diff includes API routes, ORM models, frontend pages/components, or E2E specs AND a sibling contract file exists.
pattern-reviewer-database
Migration audit: code-first (models drive migration); autogenerate review; `pytest-alembic` round-trip; post-state assertions by **name** (`pk_*`, `fk_*`, `uq_*`, `idx_*`, `ck_*`); extensions dropped by downgrade; migration in a `migrate` compose service. Runtime DB audit: column types; FK + RLS-policy indexing; `OFFSET`; `SKIP LOCKED` queues; lock order; `EXPLAIN ANALYZE`. Activate when the diff touches `alembic/versions/*`, ORM models, the `migrate` service, or `pytest-alembic`.
pattern-reviewer-fastapi
FastAPI best-practice audit — router-mount prefix discipline, `Depends()` injection (no inline auth in handlers), Pydantic at boundary only (not deep in domain), app-level exception handlers (every project exception class registered), middleware registration order (`RequestIdMiddleware` last so it runs first), named path constants shared by route + tests, `Settings()` instantiation footgun in `create_app()`, `dependency_overrides` in tests (not `monkeypatch`), per-test app factory.
pattern-reviewer-frontend-standard
React-specific code-quality audit for a frontend diff: component design, hook correctness, route registration + entry-source reachability (a real inbound path from the shell or parent), TanStack Query route-param guards, mutation `onSuccess` invalidation + return stability, idempotency-key rotation on 4xx, API access through `src/lib/api`, per-route error boundaries, native a11y elements, Tailwind ↔ tokens. Each finding cites `file:line`. Activate on frontend diffs.
pattern-reviewer-non-functional
Reviewer lens for the non-functional dimension of a production-code review (performance, reliability, scalability, resource use). Grades each gap under a strict spec-gated rule: HIGH (blocks) ONLY when it maps to a declared non-functional AC on a touched surface; floor gaps with no NFR AC (unbounded read, N+1, missing timeout) are Defer/Nit, never HIGH — so a slice with no NFR ACs is never blocked, only advised. Security is out of scope. Activate on a backend/frontend production-code review.
pattern-reviewer-observability
OTel instrumentation audit: vendor SDKs (Datadog/Sentry/etc.) in `src/` → CRITICAL (Collector-only); `print`/`console.log` in committed paths → HIGH; high-cardinality span names or metric labels → HIGH; logs without trace_id/span_id under an active span → MEDIUM; synchronous exporters → HIGH; app-level fixed-ratio head-sampling → HIGH (Collector's job). Holds the architectural background so audits are grounded in the why. Activate when reviewing instrumentation or `OTEL_*` env vars.
pattern-reviewer-python
Python audit: f-string SQL injection (CRITICAL); pickle/yaml.load deserialization (CRITICAL); bandit-banned APIs (shell=True, yaml.load, urlopen); mutable default args (HIGH); MD5/SHA1 for security (HIGH); sync-blocking calls in async funcs; full type annotations; EAFP (narrow except, `raise ... from e`); modern type hints (PEP 604/695); `Protocol` seams; frozen-slots DTOs; `with` for resources; `is None`. Cites `file:line`. Activate when the diff includes `.py` files.
pattern-reviewer-security
Security-review catalogue + iteration flow for a scoped diff and a freshly built container image. Walks fourteen patterns across backend / frontend / deps / image (never test files): container CVEs, secrets, schema-validated input, parameterized queries, auth / cookies / IDOR / JWT, XSS + headers, CSRF, rate limits, redaction, dependency hygiene, SSRF, CORS, webhook + OAuth, race conditions. Each carries an exact bar. Activate on a security-gate review; skip for `type:e2e`.
pattern-reviewer-test-coverage
Reviewer lens for the test-coverage gate on any `type:*` task or slice. The catalogue of *what counts as a complete test set* lives in `pattern-test-coverage` (shared with the engineer); this skill adds the reviewer's verb — turning a gap into a finding: a gap mapping to a declared AC / Gherkin / contract clause on a touched surface is HIGH and blocks the gate, while edge breadth no spec names is a non-blocking Defer/Nit. Activate on every code-gate review.
pattern-reviewer-typescript
TypeScript audit: `tsconfig.json` strictness (`strict`, `noUncheckedIndexedAccess`, `exactOptionalPropertyTypes`); `any` / `as any` laundering; `!` non-null without documented invariant; `interface` vs `type`; together-optional fields that should be discriminated unions; `eval` / `child_process` on user input (CRITICAL); prototype pollution; unguarded `JSON.parse`; `==` vs `===`; `forEach(async)`; return types on exports. Activate when the diff includes `.ts` / `.tsx` / `tsconfig.json`.
pattern-reviewer-vite
Vite audit: stack choice (Vite for CSR, Next for SSR/SSG/SEO); `VITE_` prefix on every client-exposed `import.meta.env` read; `VITE_` is NOT a security boundary (secret-shaped `VITE_*` is HIGH); `loadEnv(..., '')` leaks server secrets; `.env.example` mirrors every `VITE_*`; type-check gap (no `tsc --noEmit`); prod sourcemap without Sentry; route-boundary lazy-load. Activate when the diff touches `vite.config.*`, `vitest.config.*`, or `import.meta.env` reads.
pattern-test-coverage
Role-neutral catalogue of what makes a test set *complete* — the shared substance both the engineer (authoring tests in the TDD red phase) and the reviewer (gating the code) judge against. Every EARS criterion is discharged by the cheapest durable proof at its owning layer (backend / frontend / E2E); new code paths cover edge breadth. The spine is the deletable-code lens: complete only when deleting any single production branch makes a test fail. Activate when writing or reviewing tests.
principle-engineer-tdd
Strictly enforce outside-in TDD on every implementation task. Acceptance test first from the issue's EARS/Gherkin scenarios; modules grown via one-behavior RED → GREEN → REFACTOR loops with fake adapters at seams; real adapters earn contract tests; wiring proved by the acceptance test going green. Each step is its own commit per the caller's commit-message template. Encodes scaffold-vs-production boundaries, mandatory edge-case coverage, banned test anti-patterns, and the iron rules.
scaffold-project
Bootstrap a greenfield project to a bootable stack. Reads `docs/architecture-decision-record/` for stack + topology, creates a scaffold branch, materializes backend, frontend, e2e, and `docker-compose.yaml` from templates, verifies the stack boots end-to-end, asserts the upstream-locked design system exists and seeds its tokens into the frontend, then pushes and opens a PR. Activate on '/scaffold-project', 'scaffold the project'. Do NOT activate if any scaffold surface already exists.
workflow-architect-interview
Drive a depth-first architectural design interview against a single requirement. Read `docs/product-requirement-document/<feature-name>/requirement.md` and the existing architecture context, walk a one-question-per-turn conversation with a recommendation plus alternatives and a trade-off block, surface unstated assumptions, request approval, partition decisions into ADR IDs, then emit a dispatch prompt for a separate publisher agent. Writes nothing. Activate on '/workflow-architect-interview'.
workflow-design-interview
Drive a depth-first design discovery interview against a single requirement. Read `docs/product-requirement-document/<feature-name>/requirement.md` and any existing `docs/design-system/`, walk a one-question-per-turn conversation, lock the product's visual language, platform priority, accessibility targets, a surface + navigation inventory, and a per-surface UI interaction contract skeleton (the semantic interface E2E specs drive against), request approval, then compose a dispatch prompt for a separate publisher agent. Writes nothing. Activate on '/workflow-design-interview'.
workflow-e2e-author
Author Playwright E2E specs for the named E2E task ids on a slice branch. Read the slice body, locate the task block(s) in the `## Tasks` checklist, set up the slice worktree, translate the mapped Gherkin scenarios into specs, tick the authored tasks' checkboxes, commit with `Refs #<slice#>` + `Task: <id>` trailers, push, post a summary comment. Activate when dispatched with `Author E2E for slice #<n> tasks <ids>`, or on '/workflow-e2e-author'.
workflow-e2e-fix
Address coverage-gate findings on a slice's authored E2E specs. Read the newest coverage-gate review comment on the slice (the one posted after the last `Refs #<slice#>` commit), set up the slice worktree, modify the specs per the comment, commit with `Refs #<slice#>` + `Task: <id>` trailers, push, post a summary comment. Activate when dispatched with `Fix E2E coverage feedback on slice #<n>`, or on '/workflow-e2e-fix'.
workflow-engineer-analyze-bug
Diagnose one kind:bug issue read-only: reproduce it (browser MCP first, Playwright fallback, both against a booted stack), root-cause it to file:line, and post a `# Bug Analysis` comment proposing the fix + regression-test plan, then flip status → ready-to-review for a human to approve. Writes NO production code, creates NO branch, opens NO PR. Activate when dispatched with `Analyze bug #<n>` or '/workflow-engineer-analyze-bug'.
workflow-engineer-diagnose-e2e
Integrate origin/main, boot the slice's stack, run every E2E spec created or modified on the slice branch via testcontainers, and CATEGORIZE any failures into correlated production-fix groups — without writing a fix. Returns the diagnosis structurally (green | failures + groups | need-attention); the calling workflow dispatches one engineer per group. Edits no code or specs. Activate when dispatched with `Diagnose E2E acceptance for slice #<n>` or '/workflow-engineer-diagnose-e2e'.
workflow-engineer-fix-bug
Fix one approved kind:bug on its fix branch. Two dispatch verbs: `Fix bug #<n>` writes the regression test FIRST (RED per the approved # Bug Analysis comment, fails on pre-fix code), drives it GREEN, refactors, and pushes; `Fix the review feedback on bug #<n>` addresses the newest # Bug Fix Review findings via TDD. Production code only; every commit carries `Refs #<n>`. Activate when dispatched with either verb or '/workflow-engineer-fix-bug'.
workflow-engineer-fix-e2e
Fix ONE diagnosed E2E failure group on the slice branch via outside-in TDD on production code only — never the specs. The dispatch carries the group's root cause, failing tests, and fix hint. Write a failing unit/integration test mirroring the symptom, drive it green with the minimal change, propagate the class-of-bug to every sibling site, commit with a `Refs #<slice#>` trailer, and push. Activate when dispatched with `Fix E2E failures on slice #<n>` or '/workflow-engineer-fix-e2e'.
workflow-engineer-fix-pr
Fix merge-blocking issues on one open draft slice PR. Determine the scope (conflict, CI, or both) from live PR state, read every PR-issue comment newer than the slice branch's last commit, set up the slice worktree, merge main first to resolve conflicts, drive RED→GREEN for CI failures, commit with `Refs #<pr-#>` + `Refs #<slice-#>` trailers, push, remove `status:fix-in-progress`. Activate when dispatched with `Fix PR #<pr-#>` or '/workflow-engineer-fix-pr'.
workflow-engineer-fix-slice
Address slice-review findings on one slice. Read the slice body and the newest slice-review comment (newer than the last `Refs #<slice#>` commit), set up the slice worktree, drive TDD per findings (production code only — never modify E2E specs), commit with `Refs #<slice#>` + `Task: <id>` trailers, push, post a summary comment. Activate when dispatched with `Fix the review feedback on slice #<n>` or '/workflow-engineer-fix-slice'.
pattern-architect-data-model
Data-model shape and naming guidance: tables, columns, indexes, constraints, views, and the SQLAlchemy `MetaData` naming convention that emits predictable names. Activate when designing or reviewing a new table, model, or schema, or when asked 'how should I name this table/column/index/constraint?'. Skip for application-level query logic that doesn't change schema, and for code-first / migration / `migrate` compose / `alembic` mechanics.
Bio shown is the top-scored skill's repo description as a fallback — real GitHub bios land in a future update.