adaptive-enforcement-lab/implementation-patterns
plugins/patterns/skills/implementation-patterns/SKILL.md
Five idempotency patterns for automation: check-before-act, upsert, force overwrite, unique identifiers, and tombstones. Choose based on constraints and APIs.
tools
Updated Mar 27, 2026
$ install --global
skillsauthnpx skillsauth add adaptive-enforcement-lab/claude-skills implementation-patternsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 29, 2026, 10:57 AM36.5s8 files scanned
SKILL.md
- name:
- implementation-patterns
- description:
- >-
- Five idempotency patterns for automation:
- check-before-act, upsert, force overwrite, unique identifiers, and tombstones. Choose based on constraints and APIs.
Implementation Patterns
When to Use This Skill
| Pattern | Best For | Tradeoff | | --------- | ---------- | ---------- | | Check-Before-Act | Creating resources | Race conditions possible | | Upsert | APIs with atomic operations | Not universally available | | Force Overwrite | Content that can be safely replaced | Destructive if misused | | Unique Identifiers | Natural deduplication | ID logic can be complex | | Tombstone Markers | Multi-step operations | Markers need cleanup |
Implementation
Five patterns for making operations idempotent. Each has tradeoffs; choose based on your constraints.
Pattern Overview
| Pattern | Best For | Tradeoff | | --------- | ---------- | ---------- | | Check-Before-Act | Creating resources | Race conditions possible | | Upsert | APIs with atomic operations | Not universally available | | Force Overwrite | Content that can be safely replaced | Destructive if misused | | Unique Identifiers | Natural deduplication | ID logic can be complex | | Tombstone Markers | Multi-step operations | Markers need cleanup |
Quick Reference
Check-Before-Act
The most common pattern. Check if the target state exists before attempting to create it.
if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
git checkout -B "$BRANCH" "origin/$BRANCH"
else
git checkout -b "$BRANCH"
fi
Create-or-Update (Upsert)
Use APIs or commands that handle both cases atomically.
gh release create v1.0.0 --notes "Release" || gh release edit v1.0.0 --notes "Release"
Force Overwrite
Don't check, just overwrite. Safe when overwriting with identical content is acceptable.
git push --force-with-lease origin "$BRANCH"
Unique Identifiers
Generate deterministic IDs so duplicate operations target the same resource.
BRANCH="update-$(sha256sum file.txt | cut -c1-8)"
Tombstone/Marker Files
Leave markers indicating operations completed.
MARKER=".completed-$RUN_ID"
[ -f "$MARKER" ] && exit 0
# Do work...
touch "$MARKER"
Choosing a Pattern
See examples.md for detailed code examples.
| Scenario | Recommended Pattern | | ---------- | ------------------- | | Creating resources (PRs, branches, files) | Check-Before-Act | | Updating existing resources | Upsert or Force Overwrite | | Operations with natural keys | Unique Identifiers | | Complex multi-step operations | Tombstone Markers | | API supports atomic operations | Upsert |
Combine Patterns
Real-world automation often combines multiple patterns. A workflow might use Check-Before-Act for PR creation, Force Overwrite for branch updates, and Unique Identifiers for naming.
Pattern Overview
| Pattern | Best For | Tradeoff | | --------- | ---------- | ---------- | | Check-Before-Act | Creating resources | Race conditions possible | | Upsert | APIs with atomic operations | Not universally available | | Force Overwrite | Content that can be safely replaced | Destructive if misused | | Unique Identifiers | Natural deduplication | ID logic can be complex | | Tombstone Markers | Multi-step operations | Markers need cleanup |
Quick Reference
Check-Before-Act
The most common pattern. Check if the target state exists before attempting to create it.
if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
git checkout -B "$BRANCH" "origin/$BRANCH"
else
git checkout -b "$BRANCH"
fi
Create-or-Update (Upsert)
Use APIs or commands that handle both cases atomically.
gh release create v1.0.0 --notes "Release" || gh release edit v1.0.0 --notes "Release"
Force Overwrite
Don't check, just overwrite. Safe when overwriting with identical content is acceptable.
git push --force-with-lease origin "$BRANCH"
Unique Identifiers
Generate deterministic IDs so duplicate operations target the same resource.
BRANCH="update-$(sha256sum file.txt | cut -c1-8)"
Tombstone/Marker Files
Leave markers indicating operations completed.
MARKER=".completed-$RUN_ID"
[ -f "$MARKER" ] && exit 0
# Do work...
touch "$MARKER"
Choosing a Pattern
See examples.md for detailed code examples.
| Scenario | Recommended Pattern | | ---------- | ------------------- | | Creating resources (PRs, branches, files) | Check-Before-Act | | Updating existing resources | Upsert or Force Overwrite | | Operations with natural keys | Unique Identifiers | | Complex multi-step operations | Tombstone Markers | | API supports atomic operations | Upsert |
Combine Patterns
Real-world automation often combines multiple patterns. A workflow might use Check-Before-Act for PR creation, Force Overwrite for branch updates, and Unique Identifiers for naming.
Techniques
Pattern Overview
| Pattern | Best For | Tradeoff | | --------- | ---------- | ---------- | | Check-Before-Act | Creating resources | Race conditions possible | | Upsert | APIs with atomic operations | Not universally available | | Force Overwrite | Content that can be safely replaced | Destructive if misused | | Unique Identifiers | Natural deduplication | ID logic can be complex | | Tombstone Markers | Multi-step operations | Markers need cleanup |
Quick Reference
Check-Before-Act
The most common pattern. Check if the target state exists before attempting to create it.
if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
git checkout -B "$BRANCH" "origin/$BRANCH"
else
git checkout -b "$BRANCH"
fi
Create-or-Update (Upsert)
Use APIs or commands that handle both cases atomically.
gh release create v1.0.0 --notes "Release" || gh release edit v1.0.0 --notes "Release"
Force Overwrite
Don't check, just overwrite. Safe when overwriting with identical content is acceptable.
git push --force-with-lease origin "$BRANCH"
Unique Identifiers
Generate deterministic IDs so duplicate operations target the same resource.
BRANCH="update-$(sha256sum file.txt | cut -c1-8)"
Tombstone/Marker Files
Leave markers indicating operations completed.
MARKER=".completed-$RUN_ID"
[ -f "$MARKER" ] && exit 0
# Do work...
touch "$MARKER"
Choosing a Pattern
flowchart TD
A[Need idempotency] --> B{API has upsert?}
B -->|Yes| C[Use Upsert]
B -->|No| D{Safe to overwrite?}
D -->|Yes| E[Use Force Overwrite]
D -->|No| F{Natural unique key?}
F -->|Yes| G[Use Unique Identifiers]
F -->|No| H{Multi-step operation?}
H -->|Yes| I[Use Tombstone Markers]
H -->|No| J[Use Check-Before-Act]
%% Ghostty Hardcore Theme
style A fill:#5e7175,color:#f8f8f3
style B fill:#fd971e,color:#1b1d1e
style C fill:#a7e22e,color:#1b1d1e
style D fill:#fd971e,color:#1b1d1e
style E fill:#e6db74,color:#1b1d1e
style F fill:#fd971e,color:#1b1d1e
style G fill:#65d9ef,color:#1b1d1e
style H fill:#fd971e,color:#1b1d1e
style I fill:#9e6ffe,color:#1b1d1e
style J fill:#65d9ef,color:#1b1d1e
| Scenario | Recommended Pattern | | ---------- | ------------------- | | Creating resources (PRs, branches, files) | Check-Before-Act | | Updating existing resources | Upsert or Force Overwrite | | Operations with natural keys | Unique Identifiers | | Complex multi-step operations | Tombstone Markers | | API supports atomic operations | Upsert |
Combine Patterns
Real-world automation often combines multiple patterns. A workflow might use Check-Before-Act for PR creation, Force Overwrite for branch updates, and Unique Identifiers for naming.
Examples
See examples.md for code examples.
References
- Source Documentation
- AEL Patterns
Related Skills
adaptive-enforcement-lab/workload-identity-federation-implementation
documentation
VerifiedTrustedCommunity
Workload Identity Federation implementation guide. GKE setup, IAM bindings, ServiceAccount configuration, migration from service account keys, and troubleshooting patterns.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/workflow-trigger-security
development
VerifiedTrustedCommunity
Secure GitHub Actions trigger patterns for pull requests, forks, and reusable workflows. Preventing privilege escalation and code injection through trigger misconfiguration.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/third-party-action-risk-assessment
development
VerifiedTrustedCommunity
Structured framework for evaluating GitHub Actions security before adoption. Trust tiers, risk assessment checklist, and decision tree for action evaluation.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/storing-credentials
testing
VerifiedTrustedCommunity
Securely store GitHub App credentials across different environments. GitHub Actions secrets, external CI, Kubernetes, and automated rotation patterns.
SKILL.mdUpdated Mar 27, 2026