michaelalber
211 verified skills
tdd-verify
Verify AI-generated code follows TDD discipline. Use when auditing commits for TDD discipline, checking test coverage quality, detecting TDD anti-patterns, or generating compliance scorecards. Do NOT use when reviewing legacy code written before TDD was applied without first establishing a baseline; Do NOT use when you have not reviewed project history.
development
rpi-research
RPI Research phase -- parallel codebase exploration using subagents to produce a compact, objective research artifact. Use for "/rpi-research topic", "research the codebase for X", "understand how X works before planning", "document what exists for topic".
development
evaluate-tests
Audits existing tests in two modes: (1) test-file quality — evaluates tests against Beck's behavioral and structure-insensitive criteria, flagging implementation-coupled, fragile, and theater tests with a prioritized rewrite list; (2) TDD compliance — analyzes git commit history for test-first discipline and produces a 0–25 compliance scorecard with AI anti-pattern findings. Use when auditing inherited test suites, checking AI-generated tests before merge, preparing code for safe refactoring, or verifying that TDD discipline was actually followed. Triggers on "evaluate tests", "audit test quality", "test coupling", "are these tests behavioral", "check my tests", "tdd compliance", "did we follow tdd", "tdd scorecard", "audit commits for tdd", "tdd anti-patterns". Do NOT use to write new tests — use tdd for that. Do NOT use when the codebase has no tests yet.
development
tdd-refactor
Safely refactor code while keeping tests green (REFACTOR phase). Use when tests pass and you want to improve code structure without changing behavior. Do NOT use when tests are red; do NOT use to fix bugs or add new behavior — return to RED phase first.
development
zoom-out
Zooms out from the current code to map callers, dependents, and module relationships before continuing. Use when entering unfamiliar code, debugging a confusing call chain, or asked to "zoom out", "map the context", or "show me the bigger picture". Ported from https://github.com/mattpocock/skills (Matt Pocock).
development
spec-implement
Spec-driven TDD implementation for greenfield features and well-understood changes. Takes an existing spec (PRD, user stories, requirements doc, or acceptance criteria) and drives test-first implementation to verified completion. The unique step is translating the spec into binary, verifiable acceptance criteria before any code starts. Use when implementing a greenfield feature from a spec, PRD, or acceptance criteria. Trigger phrases: "/spec-implement path/to/spec.md", "implement this spec", "implement from requirements", "turn this PRD into code", "greenfield feature from spec", "acceptance criteria to implementation". Do NOT use when the codebase is complex, unfamiliar, or requires research before planning — use /rpi-research instead.
development
system-design-kata
Domain-calibrated system design exercises — security workflows, edge fleet management, hybrid cloud, and real-world scenarios. Use when practicing system design, developing distributed systems trade-off judgment, or improving design skills through domain-specific scenarios covering edge AI, security workflows, and hybrid cloud. Distinct from generic interview prep.
development
dotnet-vertical-slice
Scaffold vertical slice architecture with CQRS + FreeMediator, including optional Telerik Blazor UI generation. Use when creating feature-based .NET projects with command/query separation and pipeline behaviors. Triggers on "scaffold feature", "create slice", "new feature", "generate cqrs", "add command", "add query", "create handler", "vertical slice". Do NOT use when the project uses layer-based (N-tier) architecture — this skill enforces feature folder structure and will conflict with existing layer conventions.
devops
nuget-package-scaffold
NuGet package creation with CI/CD pipeline setup and test harness. Use when creating new NuGet packages, configuring package metadata, or setting up publish workflows. Do NOT use when the library is internal-only and not intended for NuGet publication; Do NOT use when the target is an application project.
development
rust-feature-slice
Feature-based vertical slice architecture for Rust using Axum routers, handler functions, and service traits. No DI framework — dependencies are wired manually via Arc<dyn Trait> in Axum State. CQRS via trait separation: reader traits for queries, writer traits for commands. Use when scaffolding Rust features, creating Axum feature modules, implementing vertical slice architecture in Rust, adding Rust service layers, or organizing Rust code by feature rather than technical layer. Triggers on: "scaffold rust feature", "axum feature folder", "rust vertical slice", "add rust endpoint", "rust service layer", "rust feature module", "rust cqrs". Do NOT use when designing microservice boundaries or inter-process architecture — this skill scopes to module organization within a single Rust binary.
development
rust-migration-analyzer
Analyzes Rust migration paths: C/C++ to Rust rewrites using incremental FFI-based strangler fig, and Rust modernization (edition upgrades 2015→2018→2021, deprecated crate replacement, sync-to-async migration). Assesses risk, quantifies effort, and produces a phased migration plan. Does NOT perform the migration — assesses, plans, and guides. Use when migrating C or C++ code to Rust, upgrading Rust editions, modernizing legacy Rust codebases, replacing deprecated crates, or planning sync-to-async migrations. Triggers on: "rust migration", "c to rust", "c++ to rust", "rust edition upgrade", "modernize rust", "rust legacy migration", "rust rewrite", "cargo fix edition". Do NOT use when you want to execute the migration — this skill produces an assessment artifact only; Do NOT use when the codebase is already on current stable Rust with no legacy patterns.
development
task-decomposition
Goal decomposition heuristics, dependency DAG construction, sub-agent assignment protocols, and multi-agent orchestration patterns. Use when breaking complex goals into sub-tasks, constructing execution plans, or coordinating work across multiple specialized agents.
development
python-arch-review
Architecture review for Python 3 projects enforcing TDD (Red->Green->Refactor->Quality Check), YAGNI principles, and code quality gates. Use when (1) writing new Python code, (2) reviewing existing Python code, (3) refactoring Python modules, (4) adding tests to Python projects, (5) checking code quality metrics, (6) running quality gates before merging, or (7) improving Python architecture with type safety and clean design. Integrates Ruff, mypy, radon, bandit, pip-audit, and pytest-cov.
development
tdd-implementer
Implement minimal code to make failing tests pass (GREEN phase). Use when you have a failing test and need to write just enough code to make it pass. Do NOT use when no failing test exists; do NOT use for refactoring — use tdd-refactor instead.
development
to-prd
Converts meeting notes, feature requests, or conversation context into a structured Product Requirements Document (PRD) with goals, user stories, and binary acceptance criteria. Use when asked to "write a PRD", "turn this into a product spec", "create requirements", or "document this feature". Ported from https://github.com/mattpocock/skills (Matt Pocock).
development
tdd-verify
Verify AI-generated code follows TDD discipline. Use when auditing commits for TDD discipline, checking test coverage quality, detecting TDD anti-patterns, or generating compliance scorecards. Do NOT use when reviewing legacy code written before TDD was applied without first establishing a baseline; Do NOT use when you have not reviewed project history.
development
to-issues
Converts a PRD or feature spec into a set of atomic GitHub Issues ready to open, each covering one independently-deliverable slice ordered by dependency. Use when asked to "create issues", "break this into GitHub issues", "turn this PRD into issues", or "decompose this feature into tickets". Ported from https://github.com/mattpocock/skills (Matt Pocock).
tools
ubiquitous-language
Extracts and formalizes the ubiquitous language from a conversation or codebase. Flags ambiguous terms, resolves contradictions, and saves the glossary to UBIQUITOUS_LANGUAGE.md. Use when establishing shared vocabulary for a domain, after a domain-model session, or asked to "extract the ubiquitous language", "build a glossary", or "document the domain terms". Ported from https://github.com/mattpocock/skills (Matt Pocock).
development
spec-coach
Interactive spec design coach. Guides through vision, PRD structure, three-tier boundary definition, user story quality (INVEST), specification by example, and measurable success criteria to produce a complete, deployable spec. Use when designing a new skill, agent, feature, or any AI system that needs explicit behavioral boundaries. Use for "spec coach", "write agent spec", "create agent spec", "spec for ai agent", "agent specification", "define agent", "new skill spec", "new agent spec", "design agent behavior", "agent boundaries", "spec kit", "spec.md", "plan.md", "github spec kit", "specify workflow", "write a spec", "software requirements spec", "SRS", "write requirements", "design spec".
testing
edge-cv-pipeline
Build OpenCV + TFLite computer vision pipelines for Jetson and Raspberry Pi. Use when deploying real-time inference on edge devices with camera capture, model optimization, and result publishing. Do NOT use when the inference pipeline runs on cloud infrastructure; Do NOT use when the target hardware is a general-purpose server rather than an edge device.
development
automated-code-review
Systematic review execution engine -- transforms structured human review coaching patterns into autonomous review checklists with pass/fail gates, convention detection, and structured finding production. Use when running autonomous code reviews to ensure systematic coverage and consistent quality.
development
jira-review
Automatically review Jira issues for implementation readiness. Detects complexity signals, parses acceptance criteria, and recommends clarification or planning mode when needed. Use when asked to review a Jira issue for readiness, check if a ticket has enough detail to implement, assess acceptance criteria completeness, or evaluate a story before sprint planning. Do NOT use when implementation is already complete — this skill reviews for readiness, not post-implementation accuracy; Do NOT use when the issue tracker is not Jira.
testing
rag-pipeline-python
Scaffold RAG pipelines with Ollama or cloud embeddings. Use when building retrieval-augmented generation systems with local or cloud LLMs, vector stores, and document processing. Do NOT use when the application stack is .NET — use rag-pipeline-dotnet instead; do NOT use for full-text search without semantic retrieval requirements.
development
alembic-migration-manager
Manages the full Alembic migration lifecycle with safety checks and rollback planning. Python analog of ef-migration-manager. Use when creating, reviewing, or applying database migrations in Python projects using SQLAlchemy and Alembic. Triggers on phrases like "alembic migration", "create migration", "apply migration python", "database migration python", "sqlalchemy migration", "alembic revision", "alembic upgrade", "alembic downgrade".
development
caveman
Switches to caveman communication mode: terse, keyword-driven responses with no pleasantries and minimal formatting. Cuts response token usage ~75% while keeping accuracy. Persistent for the rest of the session once triggered. Use when the user says "caveman mode", "go caveman", "be terse", or "short answers only". Ported from https://github.com/mattpocock/skills (Matt Pocock).
development
confluence-guide-writer
Reads Confluence spec pages and/or source code and generates well-formatted tutorial and user guide content for a Confluence space's user guide section. Targets client/end-user/stakeholder audiences. Use when writing Confluence user guides, generating tutorial or how-to pages for clients or end users, or producing stakeholder documentation from Confluence spec pages or source code. Trigger phrases: "write user guide", "generate confluence page", "create tutorial", "confluence docs for clients". Do NOT use when the goal is to detect or reconcile stale pages — use doc-sync instead.
tools
design-an-interface
Applies "Design It Twice" from APOSD: generates two radically different interface designs for the same problem, then compares them on information hiding, complexity, and cohesion before recommending one. Use when designing a new API, module boundary, or class interface, or asked to "design the interface", "apply design it twice", or "compare interface designs". Ported from https://github.com/mattpocock/skills (Matt Pocock).
development
dotnet-architecture-checklist
Checklist executor for .NET Blazor architecture reviews using CQRS patterns (FreeMediator/Mapster). Use when asked to review architecture, audit code quality, assess technical debt, evaluate Blazor projects, check for anti-patterns, review .NET solutions, validate FreeMediator/Mapster usage, run architecture checklist, or grade a .NET project. Triggers on phrases like "review this project", "architecture checklist", "audit this code", "check for issues", "evaluate this solution", "review CQRS patterns", "check handlers", "check framework version", "shared kernel review", "run checklist", "grade this architecture".
development
fastapi-scaffolder
Scaffolds FastAPI endpoints with OpenAPI documentation, Pydantic v2 request/response models, JWT authentication, rate limiting, and health checks. Python analog of minimal-api-scaffolder. Use when creating REST APIs, adding endpoints, setting up FastAPI projects, or configuring API infrastructure. Triggers on phrases like "scaffold fastapi", "create fastapi endpoint", "fastapi router", "add fastapi route", "fastapi api", "python rest api", "fastapi project setup", "fastapi authentication", "fastapi openapi".
development
improve-codebase-architecture
Deep module refactoring using APOSD vocabulary: eliminates shallow modules, reduces information leakage, resolves temporal coupling, and aligns naming with the ubiquitous language. Use when asked to "improve the architecture", "refactor this module", "apply APOSD", or "clean up the design". Works best after domain-model is established. Ported from https://github.com/mattpocock/skills (Matt Pocock).
development
jira-comment-writer
Plain-language Jira comment drafter for project managers and clients. Translates technical progress, blockers, and decisions into clear, jargon-free updates. Use when adding a comment to a Jira issue that a non-technical stakeholder will read. Do NOT use when the audience is engineers or technical peers — use pr-feedback-writer instead; this skill targets non-technical stakeholders only.
tools
model-optimization
Optimize ML models for edge deployment through quantization, pruning, format conversion (TensorRT/TFLite/ONNX), and accuracy/latency benchmarking. Use when preparing models for resource-constrained devices.
development
pattern-tradeoff-analyzer
Pattern selection coach -- presents 2-3 patterns with explicit tradeoffs for your problem, challenges golden hammer tendencies, and builds pattern selection judgment. Use when choosing between design patterns, architectural approaches, or implementation strategies.
development
picar-x-behavior
Build composable robot behaviors for SunFounder Picar-X. Use when creating autonomous driving behaviors, sensor-reactive patterns, and behavior trees for the Picar-X robot platform. Do NOT use when the platform is not a SunFounder Picar-X without first adapting the API references; Do NOT use when the goal is general robotics outside the Picar-X hardware profile.
development
pypi-package-scaffold
Scaffolds production-ready PyPI packages with pyproject.toml, hatch/flit/build tooling, GitHub Actions publish workflow, test harness, and documentation. Python analog of nuget-package-scaffold. Use when creating Python packages, setting up PyPI publishing, configuring package metadata, or building Python libraries. Triggers on phrases like "create python package", "scaffold pypi", "publish python package", "pyproject.toml setup", "python library scaffold", "python package setup", "pypi publish", "python package metadata".
tools
python-feature-slice
Scaffolds feature-based Python architecture using FastAPI routers, Pydantic v2 models, and a service layer. Python analog of dotnet-vertical-slice — no mediator library, uses FastAPI Depends() for dependency injection and structural CQRS conventions. Use when creating feature-based Python projects, adding FastAPI features, scaffolding service layers, or organizing Python code by feature. Triggers on phrases like "scaffold python feature", "create python slice", "fastapi feature folder", "python vertical slice", "add python endpoint", "python feature architecture", "python service layer".
development
python-modernization-analyzer
Analyzes legacy Python codebases and produces actionable modernization plans. Primary migration paths include Python 2 to 3.12+, sync to async, Flask/Django monolith to FastAPI, requirements.txt to pyproject.toml, and bare classes to Pydantic/dataclasses. Does NOT perform the migration — assesses, quantifies risk, and plans. Triggers on phrases like "modernize python", "python 2 to 3", "upgrade python", "migrate flask to fastapi", "python legacy migration", "async migration python", "python modernization", "upgrade python codebase", "python technical debt".
development
python-security-review
Conducts OWASP-based security reviews of Python applications (FastAPI, Django, Flask) with bandit/pip-audit tooling. Identifies vulnerabilities, insecure patterns, and compliance gaps across all OWASP Top 10 categories. Generates manager-friendly reports with risk explanations and remediation priorities. Use when asked to review security, audit python code, check python vulnerabilities, OWASP python, bandit scan, pip-audit, or evaluate python application security posture. Triggers on phrases like "python security review", "audit python code", "check python vulnerabilities", "OWASP python", "bandit scan", "pip-audit", "python security posture", "fastapi security", "django security", "flask security".
tools
skills/python-security-review-federal
--- name: python-security-review-federal description: Conducts security reviews of Python applications for federal/DOE/DOD environments. Extends python-security-review with NIST SP 800-53 control mapping, DOE Order 205.1B compliance, FIPS 140-2/3 cryptographic requirements, and CUI handling. Generates federal-compliant reports with impact levels and POA&M-ready findings. Trigger phrases: "federal python security", "NIST python", "FISMA python", "DOE python security", "python ATO review", "python
development
qa
Performs structured QA review of a feature, PR, or implementation: verifies acceptance criteria coverage, generates edge case test cases, and flags gaps before shipping. Use when asked to "QA this", "review for quality", "write QA test cases", "find edge cases", or before marking a feature done. Ported from https://github.com/mattpocock/skills (Matt Pocock).
testing
rag-pipeline-dotnet
Implements RAG (Retrieval-Augmented Generation) pipelines using Microsoft Semantic Kernel for .NET applications with federal compliance and air-gapped deployment support. Use when building RAG .NET, Semantic Kernel RAG, vector search .NET, document QA .NET, knowledge base .NET, AI search .NET, embedding pipeline, or retrieval-augmented generation in C#. Do NOT use when the application stack is Python — use rag-pipeline-python instead; do NOT use outside federal or .NET-primary environments.
development
refactor-challenger
Refactoring prioritization coach — distinguishes "bothers me aesthetically" from "will cause a production incident." Use when deciding which refactoring to prioritize, building a business case for technical improvements, or practicing the distinction between aesthetic preferences and production-risk code smells.
development
research-synthesis
Multi-source cross-referencing, source credibility scoring, and structured briefing formats. Use when synthesizing research findings from multiple sources into evidence-based deliverables with confidence levels and citations.
development
rpi-implement
RPI Implement phase -- executes a phased implementation plan mechanically with verification after each phase and checkpoint-based context management. Use when executing an approved implementation plan. Trigger phrases: "/rpi-implement path/to/plan.md", "execute the plan", "implement the changes from the plan", "run the implementation".
testing
rpi-iterate
RPI Iterate phase -- surgically updates an existing implementation plan based on feedback without starting over. Use when updating an existing plan based on new feedback or constraints. Trigger phrases: "/rpi-iterate feedback", "update the plan", "the plan needs to change because X", "adjust the plan for Y", "add Z to the plan".
data-ai
rpi-plan
RPI Plan phase -- converts a research artifact into a phased implementation plan with exact file paths, change descriptions, and per-phase verification steps. Use when converting a research artifact into a phased implementation plan. Trigger phrases: "/rpi-plan feature", "create implementation plan", "plan the changes for X", "design the implementation".
content-media
rust-architecture-checklist
Checklist executor for Rust architecture reviews. Detects Rust edition, async runtime, and workspace structure, then runs a systematic checklist covering ownership discipline, trait design, error handling conventions, unsafe block justification, and crate boundary hygiene. Use when asked to review a Rust project, audit Rust code quality, check for anti-patterns, evaluate Rust architecture, run Clippy checks, or grade a Rust codebase. Triggers on phrases like "review rust project", "rust architecture checklist", "audit rust code", "check rust patterns", "evaluate rust codebase", "rust code review", "clippy review", "rust ownership review". Do NOT use when a security review is the goal — use rust-security-review; this checklist covers correctness and structure, not security implications.
tools
rust-feature-slice
Feature-based vertical slice architecture for Rust using Axum routers, handler functions, and service traits. No DI framework — dependencies are wired manually via Arc<dyn Trait> in Axum State. CQRS via trait separation: reader traits for queries, writer traits for commands. Use when scaffolding Rust features, creating Axum feature modules, implementing vertical slice architecture in Rust, adding Rust service layers, or organizing Rust code by feature rather than technical layer. Triggers on: "scaffold rust feature", "axum feature folder", "rust vertical slice", "add rust endpoint", "rust service layer", "rust feature module", "rust cqrs". Do NOT use when designing microservice boundaries or inter-process architecture — this skill scopes to module organization within a single Rust binary.
development
rust-migration-analyzer
Analyzes Rust migration paths: C/C++ to Rust rewrites using incremental FFI-based strangler fig, and Rust modernization (edition upgrades 2015→2018→2021, deprecated crate replacement, sync-to-async migration). Assesses risk, quantifies effort, and produces a phased migration plan. Does NOT perform the migration — assesses, plans, and guides. Use when migrating C or C++ code to Rust, upgrading Rust editions, modernizing legacy Rust codebases, replacing deprecated crates, or planning sync-to-async migrations. Triggers on: "rust migration", "c to rust", "c++ to rust", "rust edition upgrade", "modernize rust", "rust legacy migration", "rust rewrite", "cargo fix edition". Do NOT use when you want to execute the migration — this skill produces an assessment artifact only; Do NOT use when the codebase is already on current stable Rust with no legacy patterns.
development
rust-security-review
OWASP-based security review for Rust applications. Rust eliminates memory safety vulnerabilities at compile time, but logic flaws, injection attacks, cryptographic misuse, unsafe block vulnerabilities, and dependency CVEs remain real attack surfaces. Generates manager-friendly reports with risk explanations and remediation priorities. Use when asked to review Rust security, audit Rust code for vulnerabilities, check OWASP compliance in Rust, assess Rust security risks, find Rust security issues, scan for CVEs in Rust dependencies, or audit unsafe blocks for security implications. Triggers on: "rust security review", "audit rust code security", "cargo audit", "rust vulnerabilities", "unsafe audit rust", "OWASP rust", "rust security scan". Do NOT use when the goal is architectural review — use rust-architecture-checklist for ownership patterns, module structure, and API design.
development
security-review-trainer
Progressive security review challenges -- intentional vulnerabilities embedded in clean code, scored findings, and increasing subtlety. Use when building security review skills, practicing vulnerability identification, developing severity judgment, or training to detect subtle security flaws in progressively harder code samples.
development
sensor-integration
Build sensor data pipelines with I2C, SPI, UART, and GPIO protocols. Use when integrating sensors with Raspberry Pi, Jetson, or other SBCs for data collection, calibration, and anomaly detection. Do NOT use when there is no physical sensor hardware involved; Do NOT use when the goal is cloud telemetry ingestion.
development
skills/supply-chain-audit
--- name: supply-chain-audit description: Software supply chain vulnerability scanning, license compliance analysis, and CVE correlation across NuGet, npm, and pip ecosystems. Provides vulnerability database references, scanning tool guidance, CVSS severity interpretation, and license compatibility matrices for dependency audits. Also performs NuGet package security reviews with manager-friendly executive summaries. Use when asked to audit package dependencies, scan for vulnerabilities, check li
tools
tdd-agent
Fully autonomous TDD with strict guardrails. Use when you want the AI to drive the entire RED-GREEN-REFACTOR cycle independently while maintaining TDD discipline.
development
tdd-cycle
Orchestrate RED-GREEN-REFACTOR TDD phases. Use when starting TDD, managing phase transitions, or maintaining TDD discipline across a development session. Do NOT use when TDD discipline is optional or exploratory; do NOT use when a failing test does not yet exist — create the test first.
development
tdd-implementer
Implement minimal code to make failing tests pass (GREEN phase). Use when you have a failing test and need to write just enough code to make it pass. Do NOT use when no failing test exists; do NOT use for refactoring — use tdd-refactor instead.
development
tdd-pair
AI as TDD pair programmer with role-based collaboration. Use when you want to collaborate on TDD with the AI taking a specific role (driver, navigator, or alternating). Do NOT use when the goal is autonomous solo work; Do NOT use when no human partner is actively present in the session.
development
tdd-refactor
Safely refactor code while keeping tests green (REFACTOR phase). Use when tests pass and you want to improve code structure without changing behavior. Do NOT use when tests are red; do NOT use to fix bugs or add new behavior — return to RED phase first.
development
technical-debt-assessor
Technical debt quantification practice — deliberate vs accidental debt, cost-to-fix vs cost-to-carry analysis, interest rate estimation, and business case building. Use when developing judgment about which technical debt to pay down, building a business case for improvements, or deciding whether to accept or address identified debt.
development
test-scaffold
Test generation conventions, naming patterns, mock strategies, and project structure for .NET test suites. Use when generating tests for C#/.NET projects with xUnit, FluentAssertions, and NSubstitute.
testing
to-prd
Converts meeting notes, feature requests, or conversation context into a structured Product Requirements Document (PRD) with goals, user stories, and binary acceptance criteria. Use when asked to "write a PRD", "turn this into a product spec", "create requirements", or "document this feature". Ported from https://github.com/mattpocock/skills (Matt Pocock).
development
transcript-capture
Converts raw Zoom/Slack AI-generated transcripts into structured capture documents for spec-driven development. Uses per-block human review to filter small talk and off-topic content. The PM guides what is in scope; the skill structures that judgment. Use when given a raw Zoom transcript, Slack AI-generated meeting summary, or pasted meeting notes that need to be converted into a structured capture document for spec-driven development.
development
task-decomposition
Goal decomposition heuristics, dependency DAG construction, sub-agent assignment protocols, and multi-agent orchestration patterns. Use when breaking complex goals into sub-tasks, constructing execution plans, or coordinating work across multiple specialized agents.
development
doc-sync
Documentation staleness detection, XML doc comment generation, and README synchronization -- keeps documentation accurate and in sync with code changes. Use when auditing documentation coverage, generating XML doc comments, or syncing READMEs after code changes.
development
agent-spec-writer
Interactive spec design for AI agents from first principles. Guides through vision, PRD structure, three-tier boundary definition, and measurable success criteria to produce a complete, deployable spec. Use when designing a new skill, agent, or any AI system that needs explicit behavioral boundaries. Triggers on "write agent spec", "create agent spec", "spec for ai agent", "agent specification", "define agent", "new skill spec", "new agent spec", "design agent behavior", "agent boundaries", "spec kit", "spec.md", "plan.md", "github spec kit", "specify workflow", "write a spec", "software requirements spec", "SRS", "write requirements".
testing
mcp-server-scaffold
Custom MCP server creation with FastMCP pattern and testing. Use when building MCP servers to expose tools, resources, or prompts to AI assistants. Do NOT use when the integration is synchronous REST-only; Do NOT use when the tool surface is a single function that does not benefit from the MCP protocol.
tools
anomaly-detection
Statistical anomaly detection for sensor data streams. Use when implementing outlier detection, drift monitoring, anomaly classification, and alert/recalibration decision trees for time-series sensor data.
testing
axum-scaffolder
Scaffolds Axum HTTP endpoints with OpenAPI documentation (utoipa), Tower middleware, JWT authentication, rate limiting, CORS, health checks, and versioning. Axum-first approach: typed extractors, typed responses, and compile-time route verification. Use when creating Rust REST APIs, scaffolding Axum endpoints, setting up Axum projects, configuring Tower middleware, adding OpenAPI documentation to Axum, or implementing JWT authentication in Axum. Triggers on: "scaffold axum", "create axum endpoint", "axum router", "add axum route", "rust rest api", "axum api", "axum openapi", "axum jwt", "axum middleware". Do NOT use when the existing codebase uses Actix-web — scaffolding Axum into an Actix project requires manual integration not covered here.
development
sqlx-migration-manager
SQLx migration lifecycle management with safety checks and rollback planning. Manages plain SQL migration files, compile-time query verification via sqlx prepare, and the offline query cache. Use when creating, reviewing, or applying database migrations in Rust/SQLx projects, managing sqlx migrate run/revert, regenerating the sqlx offline cache after schema changes, or planning zero-downtime migrations. Triggers on: "sqlx migration", "rust database migration", "create migration rust", "sqlx migrate", "sqlx schema change", "sqlx prepare", "sqlx offline cache".
development
zoom-out
Zooms out from the current code to map callers, dependents, and module relationships before continuing. Use when entering unfamiliar code, debugging a confusing call chain, or asked to "zoom out", "map the context", or "show me the bigger picture". Ported from https://github.com/mattpocock/skills (Matt Pocock).
development
to-issues
Converts a PRD or feature spec into a set of atomic GitHub Issues ready to open, each covering one independently-deliverable slice ordered by dependency. Use when asked to "create issues", "break this into GitHub issues", "turn this PRD into issues", or "decompose this feature into tickets". Ported from https://github.com/mattpocock/skills (Matt Pocock).
tools
grill-me
Interview the user relentlessly about a plan or design until reaching shared understanding, resolving each branch of the decision tree. Use when the user wants to stress-test a plan, get grilled on their design, or mentions "grill me". Source: https://github.com/mattpocock/skills/tree/main/grill-me (Matt Pocock)
testing
triage-issue
Triages a GitHub Issue or bug report: classifies severity, identifies the likely root cause area, suggests reproduction steps, and recommends priority and owner. Use when asked to "triage this issue", "assess this bug", "classify this report", or given a bug report to evaluate. Ported from https://github.com/mattpocock/skills (Matt Pocock).
business
supply-chain-audit
Software supply chain vulnerability scanning, license compliance analysis, and CVE correlation across NuGet, npm, and pip ecosystems. Provides vulnerability database references, scanning tool guidance, CVSS severity interpretation, and license compatibility matrices for dependency audits. Also performs NuGet package security reviews with manager-friendly executive summaries. Use when asked to audit package dependencies, scan for vulnerabilities, check license compliance, or assess supply chain security. Trigger phrases: "review nuget", "package security", "nuget audit", "outdated packages", "vulnerability scan", "check dependencies", "supply chain audit".
tools
edge-cv-pipeline
Build OpenCV + TFLite computer vision pipelines for Jetson and Raspberry Pi. Use when deploying real-time inference on edge devices with camera capture, model optimization, and result publishing. Do NOT use when the inference pipeline runs on cloud infrastructure; Do NOT use when the target hardware is a general-purpose server rather than an edge device.
development
anomaly-detection
Statistical anomaly detection for sensor data streams. Use when implementing outlier detection, drift monitoring, anomaly classification, and alert/recalibration decision trees for time-series sensor data.
testing
model-optimization
Optimize ML models for edge deployment through quantization, pruning, format conversion (TensorRT/TFLite/ONNX), and accuracy/latency benchmarking. Use when preparing models for resource-constrained devices.
development
spec-coach
Interactive spec design coach. Guides through vision, PRD structure, three-tier boundary definition, user story quality (INVEST), specification by example, and measurable success criteria to produce a complete, deployable spec. Use when designing a new skill, agent, feature, or any AI system that needs explicit behavioral boundaries. Use for "spec coach", "write agent spec", "create agent spec", "spec for ai agent", "agent specification", "define agent", "new skill spec", "new agent spec", "design agent behavior", "agent boundaries", "spec kit", "spec.md", "plan.md", "github spec kit", "specify workflow", "write a spec", "software requirements spec", "SRS", "write requirements", "design spec".
testing
alembic-migration-manager
Manages the full Alembic migration lifecycle with safety checks and rollback planning. Python analog of ef-migration-manager. Use when creating, reviewing, or applying database migrations in Python projects using SQLAlchemy and Alembic. Triggers on phrases like "alembic migration", "create migration", "apply migration python", "database migration python", "sqlalchemy migration", "alembic revision", "alembic upgrade", "alembic downgrade".
development
php-api-scaffolder
Scaffolds Laravel API endpoints with API Resource responses, Form Request validation, Sanctum authentication, throttle-based rate limiting, URI versioning, OpenAPI documentation, and health checks. PHP analog of fastapi-scaffolder, minimal-api-scaffolder, and axum-scaffolder. Use when creating REST APIs in Laravel, adding API endpoints, setting up API routing and middleware, or configuring API infrastructure. Triggers on phrases like "scaffold laravel api", "create laravel endpoint", "laravel api resource", "add api route php", "laravel rest api", "php api versioning", "laravel sanctum endpoint", "laravel openapi".
development
php-architecture-checklist
Checklist executor for PHP / Laravel architecture reviews. Detects the PHP version, framework (Laravel/Symfony/plain), and autoloading layout, then runs a systematic checklist covering service-layer boundaries, strict typing, input validation, query safety, and config/secrets hygiene — producing a graded report with file:line evidence. Use to review or grade an existing PHP codebase. Triggers on "review this php project", "php architecture checklist", "audit php code", "laravel architecture review", "evaluate php codebase", "php code review", "grade this php architecture". Do NOT use for a Socratic design critique — use architecture-review. Do NOT use for a security audit — use php-security-review. Do NOT use to write new code test-first — use tdd.
development
php-security-review
OWASP-based security review of PHP / Laravel applications. Detects the framework and entry points, scans against the OWASP Top 10 (2025) mapped to PHP/Laravel patterns (mass-assignment, query injection, Blade XSS, auth/session, file uploads, secrets), and produces a manager-friendly executive summary plus a graded technical findings table. Use to audit PHP code for vulnerabilities. Triggers on "php security review", "laravel security audit", "audit php for vulnerabilities", "owasp php", "php security posture", "check php vulnerabilities", "composer audit". For federal / gov / DOE / NIST / FIPS / CUI context, run security-review-federal after this base review. Do NOT use to grade architecture/structure — use php-architecture-checklist.
development
python-architecture-checklist
Checklist executor for Python 3 architecture reviews. Detects the Python version, framework (FastAPI/Django/Flask), and package layout, then runs a systematic checklist covering clean-architecture boundaries, type-safety discipline, complexity, dependency direction, and config/secrets hygiene — producing a graded report with file:line evidence. Use to review or grade an existing Python codebase. Triggers on "review this python project", "python architecture checklist", "audit python code", "evaluate python codebase", "python code review", "grade this python architecture", "check python patterns". Do NOT use for a Socratic design critique — use architecture-review. Do NOT use for a security audit — use python-security-review. Do NOT use to write new code test-first — use tdd.
development
qraspi-architecture
QRASPI Architecture phase -- lock the path-dependent decisions for a NEW system as MADR ADRs with alternatives, draw the C4 Context + Container in Mermaid, and specify the required fitness functions. Use for "/qraspi-architecture <project>", "write the ADRs for new X", "what architecture for new X", "C4 for new system X", "lock the stack decisions for X". This is where the picks happen, behind ADRs the human aligns on. Do NOT use to review or critique an EXISTING system's architecture (use architecture-review). Do NOT use for retrospective ADR journaling (use architecture-journal). Do NOT use to design a feature in an existing codebase (use qrspi-spec). Do NOT use for the deprecated RPI workflow.
development
qrspi-plan
QRSPI Plan phase -- converts an approved spec.md into a mechanically executable, vertically sliced plan.md with exact file paths and per-phase verification. Use for "/qrspi-plan <feature>", "qrspi plan X", "turn the spec into an implementation plan". Do NOT use for the deprecated RPI workflow (use /rpi-plan) or to plan without a spec; this phase consumes spec.md and REFUSES horizontal-layer plans.
tools
qrspi-questions
QRSPI Questions phase -- surface what the agent does not know before any research or design begins. Use for "/qrspi-questions <feature>", "what don't we know about X", "surface unknowns for X", "open technical questions for X". Do NOT use to answer a question or for general Q&A -- this phase ASKS questions, it does not answer them. Do NOT use for the deprecated RPI workflow.
data-ai
react-security-review
OWASP-based security review of React / TypeScript front-end applications. Detects the framework (Vite/CRA/Next), entry points, and data flows, scans against the OWASP Top 10 (2025) mapped to React client-side patterns (XSS via raw HTML, URL/protocol injection, secrets in the bundle, insecure token storage, dependency CVEs, missing CSP, open redirects), and produces a manager-friendly executive summary plus a graded technical findings table. Use to audit React code for vulnerabilities. Triggers on "react security review", "frontend security audit", "audit react for vulnerabilities", "owasp react", "react xss", "react security posture", "npm audit review". For federal / gov / DOE / NIST / FIPS / CUI context, run security-review-federal after this base review. Do NOT use to grade architecture/structure — use react-architecture-checklist.
tools
rust-architecture-checklist
Checklist executor for Rust architecture reviews. Detects the Rust edition, async runtime, and workspace structure, then runs a systematic checklist covering ownership discipline, trait coherence, error-handling conventions, unsafe-block justification, and crate-boundary hygiene — producing a graded report with file:line evidence. Use to review or grade an existing Rust codebase. Triggers on "review rust project", "rust architecture checklist", "audit rust code", "evaluate rust codebase", "rust code review", "clippy review", "grade this rust architecture", "rust ownership review". Do NOT use for a Socratic design critique — use architecture-review. Do NOT use for a security audit — use rust-security-review. Do NOT use to write new code test-first — use tdd.
tools
rust-security-review
OWASP-based security review of Rust applications with a memory-safety `unsafe` audit. Detects the crates, async runtime, and entry points, scans against the OWASP Top 10 (2025) mapped to Rust patterns (injection, unsafe-block memory safety, panic/DoS, deserialization, crypto, secrets), runs cargo-audit and cargo-deny for evidence, and produces a manager-friendly executive summary plus a graded technical findings table. Use to audit Rust code for vulnerabilities. Triggers on "rust security review", "audit rust vulnerabilities", "cargo audit", "unsafe audit rust", "OWASP rust", "rust security scan". For federal / gov / DOE / NIST / FIPS / CUI context, run security-review-federal after this base review. Do NOT use to grade architecture/structure — use rust-architecture-checklist.
development
security-review-federal
Federal / government security overlay applied ON TOP OF a base language security review (dotnet/python/php/rust/react). Language-agnostic: adds NIST SP 800-53 control mapping, FIPS 140-2/3 cryptographic compliance (with a per-language crypto table), CUI handling, EO 14028 supply-chain requirements, and DOE Order 205.1B, and emits POA&M-ready findings with FIPS 199 impact levels. Use for federal/DOE/DOD/national-laboratory systems. Triggers on "federal security review", "NIST compliance", "NIST 800-53", "FISMA", "CUI", "FIPS audit", "DOE security", "POA&M", "ATO review". Do NOT use alone — run the matching <lang>-security-review FIRST; this overlay maps and extends it.
development
architecture-journal
Lightweight ADR templates with retrospective prompts at 30/90/180 days — converts experience into transferable expertise. Use when making architecture decisions, recording technical choices, or reviewing past decisions to extract lessons.
testing
architecture-review
Devil's advocate architecture critic -- challenges designs via Socratic questioning against SOLID, coupling, failure modes, scalability, and operational complexity. Use when stress-testing an architecture decision, evaluating a proposed system design, reviewing architecture before implementation, or asked to critique a technical approach.
development
code-review-coach
Deliberate practice for code review — review code yourself first, then compare against expert analysis with category-based scoring. Use when practicing code review skills, improving review quality, calibrating finding severity, or building more systematic review habits through deliberate practice.
development
pattern-tradeoff-analyzer
Pattern selection coach -- presents 2-3 patterns with explicit tradeoffs for your problem, challenges golden hammer tendencies, and builds pattern selection judgment. Use when choosing between design patterns, architectural approaches, or implementation strategies.
development
jetson-deploy
Deploy and optimize applications on Jetson Orin Nano with TensorRT. Use when setting up Jetson environments, converting models to TensorRT, managing power modes, and containerizing edge AI applications. Do NOT use when the target hardware is not a Jetson device; Do NOT use when deploying to Raspberry Pi — use edge-cv-pipeline and sensor-integration instead.
development
system-design-kata
Domain-calibrated system design exercises — security workflows, edge fleet management, hybrid cloud, and real-world scenarios. Use when practicing system design, developing distributed systems trade-off judgment, or improving design skills through domain-specific scenarios covering edge AI, security workflows, and hybrid cloud. Distinct from generic interview prep.
development
refactor-challenger
Refactoring prioritization coach — distinguishes "bothers me aesthetically" from "will cause a production incident." Use when deciding which refactoring to prioritize, building a business case for technical improvements, or practicing the distinction between aesthetic preferences and production-risk code smells.
development
picar-x-behavior
Build composable robot behaviors for SunFounder Picar-X. Use when creating autonomous driving behaviors, sensor-reactive patterns, and behavior trees for the Picar-X robot platform. Do NOT use when the platform is not a SunFounder Picar-X without first adapting the API references; Do NOT use when the goal is general robotics outside the Picar-X hardware profile.
development
pr-feedback-writer
Review communication coach — practice writing constructive PR feedback with proper blocking/suggestion/nit classification, empathetic framing, and clear explanations. Use when writing PR review comments, practicing constructive feedback, improving how code review findings are communicated, or learning to classify findings as blocking, suggestion, or nit.
development
fleet-management
Rolling deployment strategies, multi-device coordination, and rollback triggers for edge device fleets. Use when managing fleet-wide deployments, configuring rollout strategies, building device registries, or implementing rollback automation.
tools
sensor-integration
Build sensor data pipelines with I2C, SPI, UART, and GPIO protocols. Use when integrating sensors with Raspberry Pi, Jetson, or other SBCs for data collection, calibration, and anomaly detection. Do NOT use when there is no physical sensor hardware involved; Do NOT use when the goal is cloud telemetry ingestion.
development
security-review-trainer
Progressive security review challenges -- intentional vulnerabilities embedded in clean code, scored findings, and increasing subtlety. Use when building security review skills, practicing vulnerability identification, developing severity judgment, or training to detect subtle security flaws in progressively harder code samples.
development
dependency-mapper
Coupling visualization with Robert C. Martin stability metrics — makes architectural decisions visible as dependency patterns. Use when analyzing module dependencies, detecting circular references, visualizing coupling, or assessing architectural health through Robert C. Martin stability metrics.
testing
fastapi-scaffolder
Scaffolds FastAPI endpoints with OpenAPI documentation, Pydantic v2 request/response models, JWT authentication, rate limiting, and health checks. Python analog of minimal-api-scaffolder. Use when creating REST APIs, adding endpoints, setting up FastAPI projects, or configuring API infrastructure. Triggers on phrases like "scaffold fastapi", "create fastapi endpoint", "fastapi router", "add fastapi route", "fastapi api", "python rest api", "fastapi project setup", "fastapi authentication", "fastapi openapi".
development
dotnet-architecture-checklist
Checklist executor for .NET architecture reviews across BOTH styles — controller-based layered/N-tier Web APIs AND vertical-slice CQRS (FreeMediator/Mapster) / Blazor. Detects the target framework, hosting model, and architecture style FIRST, then grades against the style the project actually uses (a layered controller API is not penalized for not being vertical-slice). Covers architectural coherence, controller/handler discipline, EF Core lifetime, framework health, and config/secrets hygiene — producing a graded report with file:line evidence. Use to review or grade an existing .NET solution. Triggers on "review this .net project", "architecture checklist", "audit this solution", "evaluate blazor project", "review web api controllers", "review cqrs patterns", "check handlers", "grade this architecture", "shared kernel review". Do NOT use for a Socratic design critique — use architecture-review. Do NOT use for a security audit — use dotnet-security-review. Do NOT use to write new code test-first — use tdd.
development
dotnet-security-review
OWASP-based security review of .NET / .NET Framework applications with Telerik UI specialization. Detects the framework and entry points, scans against the OWASP Top 10 (2025) mapped to .NET patterns (deserialization, injection, auth, Telerik, crypto, secrets), and produces a manager-friendly executive summary plus a graded technical findings table. Use to audit .NET code for vulnerabilities. Triggers on "dotnet security review", "OWASP audit", "check for vulnerabilities", "Telerik security", ".net security posture", "security scan", "vulnerability assessment". For federal / gov / DOE / NIST / FIPS / CUI context, run security-review-federal after this base review. Do NOT use to grade architecture/structure — use dotnet-architecture-checklist.
development
cargo-package-scaffold
Cargo crate creation with CI/CD pipeline setup, test harness, and crates.io publish workflow. Use when creating new Rust crates, configuring Cargo.toml metadata, setting up GitHub Actions for Rust CI, or publishing to crates.io. Triggers on: "scaffold cargo crate", "create rust crate", "new rust library", "publish to crates.io", "cargo package", "rust ci pipeline", "cargo workspace", "rust crate metadata", "cargo publish workflow". Do NOT use when the crate is internal-only and not intended for crates.io publication; Do NOT use when the target is a binary application — this skill targets library crates.
development
dotnet-controller-api-scaffolder
Scaffolds controller-based ASP.NET Core Web API endpoints ([ApiController] / ControllerBase) that CONFORM to an existing codebase's conventions — base controller, validation approach (DataAnnotations or FluentValidation), service layer vs. mediator, response envelope, routing, versioning, and DI registration. Detect-and-match, never impose. Use when adding controllers or actions to an existing controller-based Web API, or joining a team that ships controller APIs. Triggers on "add controller", "scaffold controller", "web api controller", "new api controller", "controller endpoint", "[ApiController]", "ControllerBase", "add action to controller", "controller-based api". Do NOT use for greenfield Minimal APIs — use minimal-api-scaffolder. Do NOT use to introduce CQRS/vertical-slice into a layered project — use dotnet-vertical-slice only when the team has chosen that style.
development
mcp-server-scaffold
Custom MCP server creation with FastMCP pattern and testing. Use when building MCP servers to expose tools, resources, or prompts to AI assistants. Do NOT use when the integration is synchronous REST-only; Do NOT use when the tool surface is a single function that does not benefit from the MCP protocol.
tools
axum-scaffolder
Scaffolds Axum HTTP endpoints with OpenAPI documentation (utoipa), Tower middleware, JWT authentication, rate limiting, CORS, health checks, and versioning. Axum-first approach: typed extractors, typed responses, and compile-time route verification. Use when creating Rust REST APIs, scaffolding Axum endpoints, setting up Axum projects, configuring Tower middleware, adding OpenAPI documentation to Axum, or implementing JWT authentication in Axum. Triggers on: "scaffold axum", "create axum endpoint", "axum router", "add axum route", "rust rest api", "axum api", "axum openapi", "axum jwt", "axum middleware". Do NOT use when the existing codebase uses Actix-web — scaffolding Axum into an Actix project requires manual integration not covered here.
development
automated-code-review
Systematic review execution engine -- transforms structured human review coaching patterns into autonomous review checklists with pass/fail gates, convention detection, and structured finding production. Use when running autonomous code reviews to ensure systematic coverage and consistent quality.
development
python-security-review
OWASP-based security review of Python applications (FastAPI, Django, Flask). Detects the framework and entry points, scans against the OWASP Top 10 (2025) mapped to Python patterns (injection, insecure deserialization, SSTI, secrets, auth), runs bandit and pip-audit for evidence, and produces a manager-friendly executive summary plus a graded technical findings table. Use to audit Python code for vulnerabilities. Triggers on "python security review", "audit python code", "check python vulnerabilities", "OWASP python", "bandit scan", "pip-audit", "fastapi security", "django security", "flask security". For federal / gov / DOE / NIST / FIPS / CUI context, run security-review-federal after this base review. Do NOT use to grade architecture/structure — use python-architecture-checklist.
development
jira-review
Automatically review Jira issues for implementation readiness. Detects complexity signals, parses acceptance criteria, and recommends clarification or planning mode when needed. Use when asked to review a Jira issue for readiness, check if a ticket has enough detail to implement, assess acceptance criteria completeness, or evaluate a story before sprint planning. Do NOT use when implementation is already complete — this skill reviews for readiness, not post-implementation accuracy; Do NOT use when the issue tracker is not Jira.
testing
fitness-functions
Author architectural fitness functions and wire them into a target project's CI as gatekeepers. Use for "add a fitness function", "wire an arch test as a CI gate", "enforce layering in CI", "fail the build when the dependency rule is violated". Per-stack tool selection (NetArchTest, import-linter, cargo-deny, Conftest). Do NOT use to run an existing test suite -- that is tdd. Do NOT use to analyze coupling for insight without gating -- that is dependency-mapper.
tools
pypi-package-scaffold
Scaffolds production-ready PyPI packages with pyproject.toml, hatch/flit/build tooling, GitHub Actions publish workflow, test harness, and documentation. Python analog of nuget-package-scaffold. Use when creating Python packages, setting up PyPI publishing, configuring package metadata, or building Python libraries. Triggers on phrases like "create python package", "scaffold pypi", "publish python package", "pyproject.toml setup", "python library scaffold", "python package setup", "pypi publish", "python package metadata".
tools
php-migration-manager
Manages the full Laravel database migration lifecycle with safety checks and rollback planning. PHP analog of ef-migration-manager, alembic-migration-manager, and sqlx-migration-manager. Covers creating, reviewing, applying, and rolling back migrations; enforces a reversible down() method, expand-contract for zero-downtime changes, and guards against destructive operations in production. Use when creating or reviewing Laravel migrations, planning a schema change, applying or rolling back migrations, or designing a zero-downtime migration. Triggers on phrases like "laravel migration", "php database migration", "create migration laravel", "migrate rollback", "laravel schema change", "artisan migrate", "zero downtime migration laravel".
testing
technical-debt-assessor
Technical debt quantification practice — deliberate vs accidental debt, cost-to-fix vs cost-to-carry analysis, interest rate estimation, and business case building. Use when developing judgment about which technical debt to pay down, building a business case for improvements, or deciding whether to accept or address identified debt.
development
php-package-scaffold
Scaffolds production-ready Composer packages for Packagist with a complete composer.json, PSR-4 autoloading, a Pest/PHPUnit test harness, GitHub Actions CI (PHP version matrix, PHPStan, PHP-CS-Fixer), and a semver tag-based publish workflow. PHP analog of nuget-package-scaffold, pypi-package-scaffold, and cargo-package-scaffold. Use when creating a reusable PHP library, configuring composer.json metadata, setting up Composer/Packagist publishing, or building a PHP package CI pipeline. Triggers on phrases like "scaffold php package", "create composer package", "publish to packagist", "composer.json setup", "php library scaffold", "php package metadata", "packagist publish workflow".
development
php-feature-slice
Scaffolds feature-based PHP / Laravel architecture using feature folders, thin controllers, Form Requests, a service/action layer, and API Resources. PHP analog of dotnet-vertical-slice and python-feature-slice — no mediator library; uses the Laravel service container for dependency injection and structural CQRS conventions. Use when creating feature-based PHP projects, adding Laravel features, scaffolding service layers, or organizing PHP code by feature rather than by technical layer. Triggers on phrases like "scaffold php feature", "create laravel slice", "laravel feature folder", "php vertical slice", "add laravel endpoint", "php feature architecture", "laravel service layer".
development
qraspi-graduate
QRASPI Graduation -- the terminal handoff from greenfield (QRASPI) to brownfield (QRSPI). Once the walking skeleton is green and V0/V1 is shipped, capture the repo + accepted ADRs + skeleton state + fitness functions + stack into graduation.md and hand new feature work to QRSPI. Use for "/qraspi-graduate <project>", "graduate this to QRSPI", "the V1 is done, hand off to the feature workflow". Do NOT fire mid-workflow or on a generic "we're done" / "ship it" -- this is the END of QRASPI for a system. Do NOT use for the deprecated RPI workflow.
tools
python-feature-slice
Scaffolds feature-based Python architecture using FastAPI routers, Pydantic v2 models, and a service layer. Python analog of dotnet-vertical-slice — no mediator library, uses FastAPI Depends() for dependency injection and structural CQRS conventions. Use when creating feature-based Python projects, adding FastAPI features, scaffolding service layers, or organizing Python code by feature. Triggers on phrases like "scaffold python feature", "create python slice", "fastapi feature folder", "python vertical slice", "add python endpoint", "python feature architecture", "python service layer".
development
qraspi-research
QRASPI Research phase -- map the solution LANDSCAPE for a new system, factual only, no recommendations. Use for "/qraspi-research <project>", "research the solution landscape for new X", "what libraries / prior art exist for X", "survey the options before architecting X". Mode switch: external-domain (no codebase) or inherited-repo. Do NOT use for QRSPI (an EXISTING codebase / adding a feature) -- that routes to qrspi-research. Do NOT use for the deprecated RPI workflow.
development
rag-pipeline-dotnet
Implements RAG (Retrieval-Augmented Generation) pipelines using Microsoft Semantic Kernel for .NET applications with federal compliance and air-gapped deployment support. Use when building RAG .NET, Semantic Kernel RAG, vector search .NET, document QA .NET, knowledge base .NET, AI search .NET, embedding pipeline, or retrieval-augmented generation in C#. Do NOT use when the application stack is Python — use rag-pipeline-python instead; do NOT use outside federal or .NET-primary environments.
development
qraspi-questions
QRASPI Questions phase -- surface what is unknown about a NEW system before any research, architecture, or skeleton begins. Use for "/qraspi-questions <project>", "new project from scratch", "greenfield X", "questions for a brand-new system". Do NOT use for QRSPI (an EXISTING codebase / adding a feature) -- that routes to qrspi-questions. Do NOT use for the deprecated RPI workflow.
development
qrspi-spec
QRSPI Spec phase -- a Design Brain-Dump the human redirects ("brain surgery"), followed by a vertically-sliced Structure Outline. Use for "/qrspi-spec <feature>", "design discussion for X", "structure outline for X", "spec out X from the research". Do NOT use to write a product PRD (use to-prd) or for an open-ended design chat (use spec-coach); this phase consumes research.md and produces an approved spec.md. Do NOT use for the deprecated RPI workflow.
documentation
react-app-scaffolder
Scaffolds a production-ready React + TypeScript application skeleton with Vite, a router, strict TypeScript, Vitest + React Testing Library, ESLint (hooks + jsx-a11y), Prettier, environment handling, an error boundary, and a feature-folder layout. React analog of an app/project scaffolder. Use when starting a new React app, bootstrapping a Vite + React + TypeScript project, setting up the testing/lint toolchain, or establishing the base folder structure and app shell. Triggers on phrases like "scaffold react app", "new react project", "bootstrap react typescript", "create vite react app", "set up react project", "react app skeleton", "react project structure".
tools
qrspi-research
QRSPI Research phase -- objective, ticket-hidden codebase mapping via parallel read-only subagents. Use for "/qrspi-research <feature>", "qrspi research X", "ticket-hidden research", "map what exists for X before designing". Do NOT use for the deprecated RPI workflow ("/rpi-research", "rpi research X") -- that routes to rpi-research, a different workflow.
development
react-architecture-checklist
Checklist executor for React architecture reviews. Detects the React version, bundler (Vite/CRA/Next), TypeScript usage, state-management library, and router, then runs a systematic checklist covering hooks discipline, component cohesion, effect correctness, render performance, state-management boundaries, accessibility, and type safety — producing a graded report with file:line evidence. Use to review or grade an existing React/TypeScript codebase. Triggers on "review react project", "react architecture checklist", "audit react code", "evaluate react codebase", "react code review", "check hooks", "react component review", "grade this react architecture". Do NOT use for a Socratic design critique — use architecture-review. Do NOT use for a security audit — use react-security-review. Do NOT use to write new code test-first — use tdd.
development
react-component-scaffolder
Scaffolds a single React / TypeScript component or route with a typed props interface, a co-located React Testing Library test, an accessibility baseline, and an optional Storybook story. React analog of fastapi-scaffolder — the component/route is the front-end "unit". Use when creating a new React component, adding a route/page, generating a typed presentational or container component, or standing up a component with its test and story. Triggers on phrases like "scaffold react component", "create react component", "new react component", "add react route", "react page component", "react component with test", "react storybook component".
development
react-feature-slice
Scaffolds feature-based React / TypeScript architecture using feature folders, presentational + container components, custom hooks, a typed data layer, and structural CQRS (query hooks vs mutation hooks). React analog of dotnet-vertical-slice and python-feature-slice — no DI framework; uses props/context for dependency injection and a query cache for server state. Use when creating feature-based React projects, adding React features, organizing components by feature rather than by technical type, or scaffolding a feature's data layer. Triggers on phrases like "scaffold react feature", "create react slice", "react feature folder", "react vertical slice", "add react feature", "react feature architecture", "organize react by feature".
development
react-modernization-analyzer
Analyzes legacy React codebases and produces actionable modernization plans. Primary migration paths include class components to function components + hooks, Create React App to Vite, React 16/17 to 18 to 19, JavaScript to TypeScript, Enzyme to React Testing Library, legacy Redux to Redux Toolkit / Zustand / Context, and deprecated lifecycle/API removal. Does NOT perform the migration — assesses, quantifies risk, and plans. Triggers on phrases like "modernize react", "class to hooks", "upgrade react", "migrate CRA to vite", "react legacy migration", "react 17 to 18", "react js to typescript", "react technical debt", "enzyme to RTL".
tools
qrspi-implement
QRSPI Implement phase -- executes an approved plan.md slice-by-slice with strict Red-Green-Refactor per slice and a fresh-session checkpoint after each. Use for "/qrspi-implement <feature>", "execute the qrspi plan", "build the approved plan slice by slice". Do NOT use for the deprecated RPI workflow (use /rpi-implement) or to run a bare TDD cycle with no plan (use tdd); this phase requires plan.md status: approved and writes per-slice logs.
development
qraspi-skeleton
QRASPI Skeleton phase -- stand up a RUNNABLE walking skeleton for a NEW system: scaffold the repo from the accepted ADRs, walk one vertical slice end-to-end through every layer, land the specified fitness functions as CI gates, and prove it with a real CI run (exit 0). Use for "/qraspi-skeleton <project>", "scaffold the walking skeleton for X", "stand up V0 of X with CI", "make the architecture executable". The exit gate is CI green, not a claim. Do NOT use to scaffold a single feature slice in an existing repo (use the *-feature-slice scaffolders). Do NOT use for QRSPI (an existing codebase). Do NOT use for the deprecated RPI workflow.
development
qraspi-plan
QRASPI Plan phase -- converts the next slice from the skeleton's backlog into a mechanically executable, vertically-sliced plan-{slice}.md with exact file paths and per-phase verification, grown on top of the green walking skeleton. Use for "/qraspi-plan <project>", "plan the first slice of new X", "plan the next increment on the skeleton". Do NOT use to plan a feature in an EXISTING codebase (use qrspi-plan). Do NOT use for the deprecated RPI workflow. This phase consumes skeleton.md and REFUSES horizontal-layer plans.
development
rpi-implement
**DEPRECATED — use QRSPI (qrspi-implement) instead.** RPI Implement phase -- executes a phased implementation plan mechanically with verification after each phase and checkpoint-based context management. Use when executing an approved implementation plan. Trigger phrases: "/rpi-implement path/to/plan.md", "execute the plan", "implement the changes from the plan", "run the implementation".
testing
rpi-research
**DEPRECATED — use QRSPI (qrspi-research) instead.** RPI Research phase -- parallel codebase exploration using subagents to produce a compact, objective research artifact. Use for "/rpi-research topic", "research the codebase for X", "understand how X works before planning", "document what exists for topic".
development
qraspi-implement
QRASPI Implement phase -- grows the green walking skeleton ONE approved slice at a time with strict Red-Green-Refactor per phase, keeping the skeleton's fitness gates green, and writes a per-slice proof log. Use for "/qraspi-implement <project>", "implement the slice on the skeleton", "build the approved plan-{slice} with RGR". Do NOT use to implement a feature in an EXISTING codebase (use qrspi-implement). Do NOT use for the deprecated RPI workflow (use /rpi-implement) or a bare TDD cycle with no plan (use tdd); this phase requires plan-{slice}.md status: approved and a green skeleton.
development
rpi-plan
**DEPRECATED — use QRSPI (qrspi-plan) instead.** RPI Plan phase -- converts a research artifact into a phased implementation plan with exact file paths, change descriptions, and per-phase verification steps. Use when converting a research artifact into a phased implementation plan. Trigger phrases: "/rpi-plan feature", "create implementation plan", "plan the changes for X", "design the implementation".
content-media
rpi-iterate
**DEPRECATED — QRSPI has no iterate phase; edit spec.md and re-run /qrspi-plan instead.** RPI Iterate phase -- surgically updates an existing implementation plan based on feedback without starting over. Use when updating an existing plan based on new feedback or constraints. Trigger phrases: "/rpi-iterate feedback", "update the plan", "the plan needs to change because X", "adjust the plan for Y", "add Z to the plan".
data-ai
session-context
Git change summarization, ADR relevance matching, and pattern applicability for building session context. Provides techniques for analyzing recent project activity, scoring context relevance, and detecting patterns that accelerate AI coding session starts. Use when building context for a new coding session, analyzing recent changes, or matching project decisions to current work.
development
4d-schema-migration
Parses 4D application exports and generates SQL Server DDL, EF Core entities, and Blazor UI guidance. Use when migrating from 4th Dimension (4D) platform to .NET/SQL Server. Triggers on phrases like "migrate 4D", "4D to SQL Server", "4D database conversion", "4D schema", "4th dimension", "convert 4D", "4D application", "4D database", "4D to .NET", "4D to EF Core", "4D forms to Blazor".
data-ai
pattern-tradeoff-analyzer
Pattern selection coach -- presents 2-3 patterns with explicit tradeoffs for your problem, challenges golden hammer tendencies, and builds pattern selection judgment. Use when choosing between design patterns, architectural approaches, or implementation strategies.
development
pr-feedback-writer
Review communication coach — practice writing constructive PR feedback with proper blocking/suggestion/nit classification, empathetic framing, and clear explanations. Use when writing PR review comments, practicing constructive feedback, improving how code review findings are communicated, or learning to classify findings as blocking, suggestion, or nit.
development
security-review-trainer
Progressive security review challenges -- intentional vulnerabilities embedded in clean code, scored findings, and increasing subtlety. Use when building security review skills, practicing vulnerability identification, developing severity judgment, or training to detect subtle security flaws in progressively harder code samples.
development
sensor-integration
Build sensor data pipelines with I2C, SPI, UART, and GPIO protocols. Use when integrating sensors with Raspberry Pi, Jetson, or other SBCs for data collection, calibration, and anomaly detection. Do NOT use when there is no physical sensor hardware involved; Do NOT use when the goal is cloud telemetry ingestion.
development
caveman
Switches to caveman communication mode: terse, keyword-driven responses with no pleasantries and minimal formatting. Cuts response token usage ~75% while keeping accuracy. Persistent for the rest of the session once triggered. Use when the user says "caveman mode", "go caveman", "be terse", or "short answers only". Ported from https://github.com/mattpocock/skills (Matt Pocock).
development
doc-sync
Documentation staleness detection, XML doc comment generation, and README synchronization -- keeps documentation accurate and in sync with code changes. Use when auditing documentation coverage, generating XML doc comments, or syncing READMEs after code changes.
development
technical-debt-assessor
Technical debt quantification practice — deliberate vs accidental debt, cost-to-fix vs cost-to-carry analysis, interest rate estimation, and business case building. Use when developing judgment about which technical debt to pay down, building a business case for improvements, or deciding whether to accept or address identified debt.
development
minimal-api-scaffolder
Scaffolds .NET 10 Minimal API endpoints with OpenAPI documentation, versioning strategies, and security patterns. Use when creating REST APIs, adding endpoints, setting up API projects, or configuring API infrastructure. Triggers on phrases like "scaffold API", "minimal API", "create endpoint", "API versioning", "api endpoint", "rest endpoint", "add route", "openapi", "create api". Do NOT use when the project is controller-based MVC — use dotnet-vertical-slice for handler architecture instead.
development
legacy-migration-analyzer
Analyze .NET Framework to .NET 10 migration paths. Use when assessing legacy codebases for modernization, identifying breaking changes, and planning incremental migration strategies. Also triggers on "upgrade framework", "migrate to .net 10", "framework to core", "legacy .net", ".net framework upgrade", "modernize .net", "upgrade .net framework project", "convert csproj to sdk-style".
development
system-design-kata
Domain-calibrated system design exercises — security workflows, edge fleet management, hybrid cloud, and real-world scenarios. Use when practicing system design, developing distributed systems trade-off judgment, or improving design skills through domain-specific scenarios covering edge AI, security workflows, and hybrid cloud. Distinct from generic interview prep.
development
domain-model
Interrogates a plan or codebase using Domain-Driven Design vocabulary. Enforces CONTEXT.md terminology, surfaces code/plan contradictions, and records domain decisions as ADRs sparingly. Use when designing a bounded context, reviewing a domain model, or asked to "apply DDD", "model the domain", or "review the domain model". Requires CONTEXT.md or creates one from CONTEXT-FORMAT.md. Ported from https://github.com/mattpocock/skills (Matt Pocock).
development
jetson-deploy
Deploy and optimize applications on Jetson Orin Nano with TensorRT. Use when setting up Jetson environments, converting models to TensorRT, managing power modes, and containerizing edge AI applications. Do NOT use when the target hardware is not a Jetson device; Do NOT use when deploying to Raspberry Pi — use edge-cv-pipeline and sensor-integration instead.
development
4d-schema-migration
Parses 4D application exports and generates SQL Server DDL, EF Core entities, and Blazor UI guidance. Use when migrating from 4th Dimension (4D) platform to .NET/SQL Server. Triggers on phrases like "migrate 4D", "4D to SQL Server", "4D database conversion", "4D schema", "4th dimension", "convert 4D", "4D application", "4D database", "4D to .NET", "4D to EF Core", "4D forms to Blazor".
data-ai
architecture-journal
Lightweight ADR templates with retrospective prompts at 30/90/180 days — converts experience into transferable expertise. Use when making architecture decisions, recording technical choices, or reviewing past decisions to extract lessons.
testing
anomaly-detection
Statistical anomaly detection for sensor data streams. Use when implementing outlier detection, drift monitoring, anomaly classification, and alert/recalibration decision trees for time-series sensor data.
testing
code-review-coach
Deliberate practice for code review — review code yourself first, then compare against expert analysis with category-based scoring. Use when practicing code review skills, improving review quality, calibrating finding severity, or building more systematic review habits through deliberate practice.
development
edge-cv-pipeline
Build OpenCV + TFLite computer vision pipelines for Jetson and Raspberry Pi. Use when deploying real-time inference on edge devices with camera capture, model optimization, and result publishing. Do NOT use when the inference pipeline runs on cloud infrastructure; Do NOT use when the target hardware is a general-purpose server rather than an edge device.
development
dependency-mapper
Coupling visualization with Robert C. Martin stability metrics — makes architectural decisions visible as dependency patterns. Use when analyzing module dependencies, detecting circular references, visualizing coupling, or assessing architectural health through Robert C. Martin stability metrics.
testing
fleet-management
Rolling deployment strategies, multi-device coordination, and rollback triggers for edge device fleets. Use when managing fleet-wide deployments, configuring rollout strategies, building device registries, or implementing rollback automation.
tools
model-optimization
Optimize ML models for edge deployment through quantization, pruning, format conversion (TensorRT/TFLite/ONNX), and accuracy/latency benchmarking. Use when preparing models for resource-constrained devices.
development
refactor-challenger
Refactoring prioritization coach — distinguishes "bothers me aesthetically" from "will cause a production incident." Use when deciding which refactoring to prioritize, building a business case for technical improvements, or practicing the distinction between aesthetic preferences and production-risk code smells.
development
email-capture
Converts email threads, SOWs, change requests, and pasted documents into structured capture documents for spec-driven development. Extracts requirements, decisions, commitments, and open questions with source attribution to sender and message date. Use when given an email thread, SOW, change request, or pasted document that needs to be converted into structured requirements with per-message source attribution.
development
dotnet-security-review-federal
Conducts security reviews of .NET applications for federal/DOE/DOD environments. Extends the base dotnet-security-review with NIST SP 800-53 control mapping, DOE Order 205.1B compliance, FIPS 140-2/3 cryptographic requirements, and CUI handling. Generates federal-compliant reports with impact levels and POA&M-ready findings. Trigger phrases: "federal security review", "NIST compliance", "DOE security", "FISMA", "CUI", "FIPS audit", "federal compliance", "federal agency security", "ATO review", "POA&M generation".
testing
sqlx-migration-manager
SQLx migration lifecycle management with safety checks and rollback planning. Manages plain SQL migration files, compile-time query verification via sqlx prepare, and the offline query cache. Use when creating, reviewing, or applying database migrations in Rust/SQLx projects, managing sqlx migrate run/revert, regenerating the sqlx offline cache after schema changes, or planning zero-downtime migrations. Triggers on: "sqlx migration", "rust database migration", "create migration rust", "sqlx migrate", "sqlx schema change", "sqlx prepare", "sqlx offline cache".
development
test-scaffold
Test generation conventions, naming patterns, mock strategies, and project structure for .NET test suites. Use when generating tests for C#/.NET projects with xUnit, FluentAssertions, and NSubstitute.
testing
tdd-pair
AI as TDD pair programmer with role-based collaboration. Use when you want to collaborate on TDD with the AI taking a specific role (driver, navigator, or alternating). Do NOT use when the goal is autonomous solo work; Do NOT use when no human partner is actively present in the session.
development
tdd
The canonical RED-GREEN-REFACTOR inner loop. Enforces behavioral, structure-insensitive tests and prohibits horizontal slicing. Use when writing any new code test-first, managing TDD phase transitions, or as the inner loop for qrspi-implement, qraspi-implement, or any other implementation skill. Triggers on "tdd", "red green refactor", "write a failing test", "test-first", "tdd cycle". Do NOT use to audit existing test suites — use evaluate-tests instead.
development
spec-implement
**DEPRECATED — use QRSPI (brownfield) or QRASPI (greenfield) instead.** Spec-driven TDD implementation for greenfield features and well-understood changes. Takes an existing spec (PRD, user stories, requirements doc, or acceptance criteria) and drives test-first implementation to verified completion. The unique step is translating the spec into binary, verifiable acceptance criteria before any code starts. Use when implementing a greenfield feature from a spec, PRD, or acceptance criteria. Trigger phrases: "/spec-implement path/to/spec.md", "implement this spec", "implement from requirements", "turn this PRD into code", "greenfield feature from spec", "acceptance criteria to implementation". Do NOT use when the codebase is complex, unfamiliar, or requires research before planning — use QRSPI (/qrspi-questions) instead.
development
tdd-agent
Fully autonomous TDD with strict guardrails. Use when you want the AI to drive the entire RED-GREEN-REFACTOR cycle independently while maintaining TDD discipline.
development
skill-creator
Create, modify, and audit AI agent skills in this toolkit. Use when scaffolding a new SKILL.md from the 5-section lean layout, revising an existing skill to fix structural defects, or scoring a skill against the 10-dimension rubric. Trigger phrases: "create skill", "new skill", "scaffold skill", "write skill", "revise skill", "update skill", "score skill", "audit skill quality". Do NOT use when the goal is to run a skill (invoke the skill directly); do NOT use when the goal is to create an agent definition (use AGENTS.md conventions).
tools
architecture-review
Devil's advocate architecture critic -- challenges designs via Socratic questioning against SOLID, coupling, failure modes, scalability, and operational complexity. Use when stress-testing an architecture decision, evaluating a proposed system design, reviewing architecture before implementation, or asked to critique a technical approach.
development
confluence-guide-writer
Reads Confluence spec pages and/or source code and generates well-formatted tutorial and user guide content for a Confluence space's user guide section. Targets client/end-user/stakeholder audiences. Use when writing Confluence user guides, generating tutorial or how-to pages for clients or end users, or producing stakeholder documentation from Confluence spec pages or source code. Trigger phrases: "write user guide", "generate confluence page", "create tutorial", "confluence docs for clients". Do NOT use when the goal is to detect or reconcile stale pages — use doc-sync instead.
tools
spec-coach
Interactive spec design coach. Guides through vision, PRD structure, three-tier boundary definition, user story quality (INVEST), specification by example, and measurable success criteria to produce a complete, deployable spec. Use when designing a new skill, agent, feature, or any AI system that needs explicit behavioral boundaries. Use for "spec coach", "write agent spec", "create agent spec", "spec for ai agent", "agent specification", "define agent", "new skill spec", "new agent spec", "design agent behavior", "agent boundaries", "spec kit", "spec.md", "plan.md", "github spec kit", "specify workflow", "write a spec", "software requirements spec", "SRS", "write requirements", "design spec".
testing
capture-consolidate
Merges multiple capture documents from transcript-capture and email-capture into a unified intake bundle. Assigns canonical per-project REQ-XXX IDs, deduplicates overlapping requirements, surfaces cross-document contradictions for PM resolution, and produces a final capture bundle ready for spec generation. Use when two or more capture documents from transcript-capture or email-capture need to be merged into a single intake bundle for spec generation.
documentation
environment-health
Docker health checks, service monitoring, container lifecycle management, connection validation, and environment diagnostics. Use when troubleshooting dev environment issues or performing health audits.
development
grill-me
Interview the user relentlessly about a plan or design until reaching shared understanding, resolving each branch of the decision tree. Use when the user wants to stress-test a plan, get grilled on their design, or mentions "grill me". Source: https://github.com/mattpocock/skills/tree/main/grill-me (Matt Pocock)
testing
jira-comment-writer
Plain-language Jira comment drafter for project managers and clients. Translates technical progress, blockers, and decisions into clear, jargon-free updates. Use when adding a comment to a Jira issue that a non-technical stakeholder will read. Do NOT use when the audience is engineers or technical peers — use pr-feedback-writer instead; this skill targets non-technical stakeholders only.
tools
improve-codebase-architecture
Deep module refactoring using APOSD vocabulary: eliminates shallow modules, reduces information leakage, resolves temporal coupling, and aligns naming with the ubiquitous language. Use when asked to "improve the architecture", "refactor this module", "apply APOSD", or "clean up the design". Works best after domain-model is established. Ported from https://github.com/mattpocock/skills (Matt Pocock).
development
dependency-mapper
Coupling visualization with Robert C. Martin stability metrics — makes architectural decisions visible as dependency patterns. Use when analyzing module dependencies, detecting circular references, visualizing coupling, or assessing architectural health through Robert C. Martin stability metrics.
testing
dotnet-security-review-federal
Conducts security reviews of .NET applications for federal/DOE/DOD environments. Extends the base dotnet-security-review with NIST SP 800-53 control mapping, DOE Order 205.1B compliance, FIPS 140-2/3 cryptographic requirements, and CUI handling. Generates federal-compliant reports with impact levels and POA&M-ready findings. Trigger phrases: "federal security review", "NIST compliance", "DOE security", "FISMA", "CUI", "FIPS audit", "federal compliance", "federal agency security", "ATO review", "POA&M generation".
testing
fleet-management
Rolling deployment strategies, multi-device coordination, and rollback triggers for edge device fleets. Use when managing fleet-wide deployments, configuring rollout strategies, building device registries, or implementing rollback automation.
tools
code-review-coach
Deliberate practice for code review — review code yourself first, then compare against expert analysis with category-based scoring. Use when practicing code review skills, improving review quality, calibrating finding severity, or building more systematic review habits through deliberate practice.
development
pr-feedback-writer
Review communication coach — practice writing constructive PR feedback with proper blocking/suggestion/nit classification, empathetic framing, and clear explanations. Use when writing PR review comments, practicing constructive feedback, improving how code review findings are communicated, or learning to classify findings as blocking, suggestion, or nit.
development
architecture-journal
Lightweight ADR templates with retrospective prompts at 30/90/180 days — converts experience into transferable expertise. Use when making architecture decisions, recording technical choices, or reviewing past decisions to extract lessons.
testing
architecture-review
Devil's advocate architecture critic -- challenges designs via Socratic questioning against SOLID, coupling, failure modes, scalability, and operational complexity. Use when stress-testing an architecture decision, evaluating a proposed system design, reviewing architecture before implementation, or asked to critique a technical approach.
development
ef-migration-manager
EF Core migration lifecycle with safety checks and rollback planning. Use when creating, reviewing, or applying database migrations in .NET projects. Do NOT use when the goal is initial schema design or ad-hoc SQL management; Do NOT use when the project uses Dapper or raw SQL without an EF Core DbContext.
development
email-capture
Converts email threads, SOWs, change requests, and pasted documents into structured capture documents for spec-driven development. Extracts requirements, decisions, commitments, and open questions with source attribution to sender and message date. Use when given an email thread, SOW, change request, or pasted document that needs to be converted into structured requirements with per-message source attribution.
development
capture-consolidate
Merges multiple capture documents from transcript-capture and email-capture into a unified intake bundle. Assigns canonical per-project REQ-XXX IDs, deduplicates overlapping requirements, surfaces cross-document contradictions for PM resolution, and produces a final capture bundle ready for spec generation. Use when two or more capture documents from transcript-capture or email-capture need to be merged into a single intake bundle for spec generation.
documentation
jetson-deploy
Deploy and optimize applications on Jetson Orin Nano with TensorRT. Use when setting up Jetson environments, converting models to TensorRT, managing power modes, and containerizing edge AI applications. Do NOT use when the target hardware is not a Jetson device; Do NOT use when deploying to Raspberry Pi — use edge-cv-pipeline and sensor-integration instead.
development
dotnet-security-review
Conducts OWASP-based security reviews of .NET and .NET Framework applications with Telerik UI specialization. Identifies vulnerabilities, insecure patterns, and compliance gaps across all OWASP Top 10 categories. Generates manager-friendly reports with risk explanations and remediation priorities. Use when asked to review security, audit code for vulnerabilities, check OWASP compliance, assess security risks, find security issues, scan for CVEs, review Telerik security, or evaluate application security posture. Triggers on phrases like "security review", "OWASP audit", "vulnerability assessment", "security scan", "check for vulnerabilities", "security compliance", "Telerik security", "security posture", "penetration test prep".
development
nuget-package-scaffold
NuGet package creation with CI/CD pipeline setup and test harness. Use when creating new NuGet packages, configuring package metadata, or setting up publish workflows. Do NOT use when the library is internal-only and not intended for NuGet publication; Do NOT use when the target is an application project.
development
environment-health
Docker health checks, service monitoring, container lifecycle management, connection validation, and environment diagnostics. Use when troubleshooting dev environment issues or performing health audits.
development
python-arch-review
Architecture review for Python 3 projects enforcing TDD (Red->Green->Refactor->Quality Check), YAGNI principles, and code quality gates. Use when (1) writing new Python code, (2) reviewing existing Python code, (3) refactoring Python modules, (4) adding tests to Python projects, (5) checking code quality metrics, (6) running quality gates before merging, or (7) improving Python architecture with type safety and clean design. Integrates Ruff, mypy, radon, bandit, pip-audit, and pytest-cov.
development
legacy-migration-analyzer
Analyze .NET Framework to .NET 10 migration paths. Use when assessing legacy codebases for modernization, identifying breaking changes, and planning incremental migration strategies. Also triggers on "upgrade framework", "migrate to .net 10", "framework to core", "legacy .net", ".net framework upgrade", "modernize .net", "upgrade .net framework project", "convert csproj to sdk-style".
development
python-modernization-analyzer
Analyzes legacy Python codebases and produces actionable modernization plans. Primary migration paths include Python 2 to 3.12+, sync to async, Flask/Django monolith to FastAPI, requirements.txt to pyproject.toml, and bare classes to Pydantic/dataclasses. Does NOT perform the migration — assesses, quantifies risk, and plans. Triggers on phrases like "modernize python", "python 2 to 3", "upgrade python", "migrate flask to fastapi", "python legacy migration", "async migration python", "python modernization", "upgrade python codebase", "python technical debt".
development
skills/team/python-security-review-federal
--- name: python-security-review-federal audience: team description: Conducts security reviews of Python applications for federal/DOE/DOD environments. Extends python-security-review with NIST SP 800-53 control mapping, DOE Order 205.1B compliance, FIPS 140-2/3 cryptographic requirements, and CUI handling. Generates federal-compliant reports with impact levels and POA&M-ready findings. Trigger phrases: "federal python security", "NIST python", "FISMA python", "DOE python security", "python ATO r
development
ollama-model-workflow
Local LLM management with Ollama, Modelfile creation, and benchmarking. Use when pulling models, creating custom Modelfiles, or evaluating model performance locally. Do NOT use when the target runtime is a cloud provider API (OpenAI, Anthropic, Azure OpenAI); do NOT use when VRAM is unavailable on the target machine.
development
ef-migration-manager
EF Core migration lifecycle with safety checks and rollback planning. Use when creating, reviewing, or applying database migrations in .NET projects. Do NOT use when the goal is initial schema design or ad-hoc SQL management; Do NOT use when the project uses Dapper or raw SQL without an EF Core DbContext.
development
minimal-api-scaffolder
Scaffolds .NET 10 Minimal API endpoints with OpenAPI documentation, versioning strategies, and security patterns. Use when creating REST APIs, adding endpoints, setting up API projects, or configuring API infrastructure. Triggers on phrases like "scaffold API", "minimal API", "create endpoint", "API versioning", "api endpoint", "rest endpoint", "add route", "openapi", "create api". Do NOT use when the project is controller-based MVC — use dotnet-vertical-slice for handler architecture instead.
development
research-synthesis
Multi-source cross-referencing, source credibility scoring, and structured briefing formats. Use when synthesizing research findings from multiple sources into evidence-based deliverables with confidence levels and citations.
development
rag-pipeline-python
Scaffold RAG pipelines with Ollama or cloud embeddings. Use when building retrieval-augmented generation systems with local or cloud LLMs, vector stores, and document processing. Do NOT use when the application stack is .NET — use rag-pipeline-dotnet instead; do NOT use for full-text search without semantic retrieval requirements.
development
picar-x-behavior
Build composable robot behaviors for SunFounder Picar-X. Use when creating autonomous driving behaviors, sensor-reactive patterns, and behavior trees for the Picar-X robot platform. Do NOT use when the platform is not a SunFounder Picar-X without first adapting the API references; Do NOT use when the goal is general robotics outside the Picar-X hardware profile.
development
cargo-package-scaffold
Cargo crate creation with CI/CD pipeline setup, test harness, and crates.io publish workflow. Use when creating new Rust crates, configuring Cargo.toml metadata, setting up GitHub Actions for Rust CI, or publishing to crates.io. Triggers on: "scaffold cargo crate", "create rust crate", "new rust library", "publish to crates.io", "cargo package", "rust ci pipeline", "cargo workspace", "rust crate metadata", "cargo publish workflow". Do NOT use when the crate is internal-only and not intended for crates.io publication; Do NOT use when the target is a binary application — this skill targets library crates.
development
ollama-model-workflow
Local LLM management with Ollama, Modelfile creation, and benchmarking. Use when pulling models, creating custom Modelfiles, or evaluating model performance locally. Do NOT use when the target runtime is a cloud provider API (OpenAI, Anthropic, Azure OpenAI); do NOT use when VRAM is unavailable on the target machine.
development
session-context
Git change summarization, ADR relevance matching, and pattern applicability for building session context. Provides techniques for analyzing recent project activity, scoring context relevance, and detecting patterns that accelerate AI coding session starts. Use when building context for a new coding session, analyzing recent changes, or matching project decisions to current work.
development
skill-creator
Create, modify, and audit AI agent skills in this toolkit. Use when scaffolding a new SKILL.md from the 10-section template, revising an existing skill to fix structural defects, or scoring a skill against the 10-dimension rubric. Trigger phrases: "create skill", "new skill", "scaffold skill", "write skill", "revise skill", "update skill", "score skill", "audit skill quality". Do NOT use when the goal is to run a skill (invoke the skill directly); do NOT use when the goal is to create an agent definition (use AGENTS.md conventions).
tools
dotnet-vertical-slice
Scaffold vertical slice architecture with CQRS + FreeMediator, including optional Telerik Blazor UI generation. Use when creating feature-based .NET projects with command/query separation and pipeline behaviors. Triggers on "scaffold feature", "create slice", "new feature", "generate cqrs", "add command", "add query", "create handler", "vertical slice". Do NOT use when the project uses layer-based (N-tier) architecture — this skill enforces feature folder structure and will conflict with existing layer conventions.
devops
domain-model
Interrogates a plan or codebase using Domain-Driven Design vocabulary. Enforces CONTEXT.md terminology, surfaces code/plan contradictions, and records domain decisions as ADRs sparingly. Use when designing a bounded context, reviewing a domain model, or asked to "apply DDD", "model the domain", or "review the domain model". Requires CONTEXT.md or runs ubiquitous-language first. Ported from https://github.com/mattpocock/skills (Matt Pocock).
development
transcript-capture
Converts raw Zoom/Slack AI-generated transcripts into structured capture documents for spec-driven development. Uses per-block human review to filter small talk and off-topic content. The PM guides what is in scope; the skill structures that judgment. Use when given a raw Zoom transcript, Slack AI-generated meeting summary, or pasted meeting notes that need to be converted into a structured capture document for spec-driven development.
development
triage-issue
Triages a GitHub Issue or bug report: classifies severity, identifies the likely root cause area, suggests reproduction steps, and recommends priority and owner. Use when asked to "triage this issue", "assess this bug", "classify this report", or given a bug report to evaluate. Ported from https://github.com/mattpocock/skills (Matt Pocock).
business