adaptive-enforcement-lab/strangler-fig
plugins/patterns/skills/strangler-fig/SKILL.md
Incremental migration from legacy systems. Run old and new in parallel, gradually shift traffic, rollback at any point. Zero downtime, production-validated.
testing
Updated Mar 27, 2026
$ install --global
skillsauthnpx skillsauth add adaptive-enforcement-lab/claude-skills strangler-figInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 29, 2026, 11:05 AM36.7s4 files scanned
SKILL.md
- name:
- strangler-fig
- description:
- >-
Strangler Fig
When to Use This Skill
Use when:
- Replacing critical production systems
- High risk of downtime
- Need gradual validation
- Rollback must be instant
Don't use when:
- Small, non-critical systems (just replace)
- No production traffic yet
- Resource cost of running both systems is prohibitive
Implementation
Traffic Routing Approach
- Implementation Strategies - Feature flags, parallel run validation, database migration strategies
- Traffic Routing - Percentage-based, user-based, and canary deployment patterns
- Monitoring and Rollback - Track both systems, compare metrics, instant rollback
Component Replacement Approach
- Platform Component Replacement - Build-replace-remove pattern for infrastructure, zero downtime component swaps
Migration Process
- Migration Guide - Eight-phase checklist, common pitfalls, real-world timeline
Techniques
Two Approaches to Strangler Fig
The strangler fig pattern has two distinct implementation approaches depending on what you're replacing:
Approach 1: Traffic Routing (User-Facing Systems)
Gradually shift user traffic from old to new system using percentage-based routing.
Use for:
- API migrations (REST v1 → v2)
- Feature rollouts (old checkout → new checkout)
- UI rewrites (legacy frontend → modern frontend)
- Application logic changes
How it works: Router/proxy directs percentage of traffic to new system. Start at 1%, increase gradually to 100%.
Approach 2: Component Replacement (Infrastructure)
Replace entire components without routing traffic, including databases, service meshes, operators, and storage.
Use for:
- Database migrations (single instance → HA cluster)
- Service mesh replacement (Linkerd → Istio)
- Operator upgrades (CRD v1alpha1 → v1)
- Storage backend changes (EBS → EFS)
How it works: Build new component, ensure compatibility, swap references, remove old component. No routing layer needed.
Key distinction: Traffic routing = gradual user migration. Component replacement = infrastructure swap with compatibility layer.
Examples
See examples.md for code examples.
Related Patterns
- Separation of Concerns
- Graceful Degradation
- Environment Progression
References
- Source Documentation
- AEL Patterns
Related Skills
adaptive-enforcement-lab/workload-identity-federation-implementation
documentation
VerifiedTrustedCommunity
Workload Identity Federation implementation guide. GKE setup, IAM bindings, ServiceAccount configuration, migration from service account keys, and troubleshooting patterns.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/workflow-trigger-security
development
VerifiedTrustedCommunity
Secure GitHub Actions trigger patterns for pull requests, forks, and reusable workflows. Preventing privilege escalation and code injection through trigger misconfiguration.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/third-party-action-risk-assessment
development
VerifiedTrustedCommunity
Structured framework for evaluating GitHub Actions security before adoption. Trust tiers, risk assessment checklist, and decision tree for action evaluation.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/storing-credentials
testing
VerifiedTrustedCommunity
Securely store GitHub App credentials across different environments. GitHub Actions secrets, external CI, Kubernetes, and automated rotation patterns.
SKILL.mdUpdated Mar 27, 2026