skills/estimation/SKILL.md
Guides the user through risk-based task estimation using decomposition, three-point estimates, and PERT formula. ALWAYS trigger on "estimate", "how long will this take", "time to complete", "sizing", "scope this", "effort estimate", "how many hours", "story points", "project timeline", "when will this be done", "cost estimate", "level of effort". Use when sizing any work item, feature, or project.
npx skillsauth add aj-geddes/unicorn-team estimation
Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Break tasks until each piece is < 8 hours and estimatable with confidence.
Task: "Add user authentication"
├─ Database schema (2h)
├─ API endpoints (16h) → decompose further
├─ Password handling (8h)
├─ JWT tokens (19h) → decompose further
├─ Middleware (14h) → decompose further
├─ Testing (23h) → decompose further
└─ Integration (22h) → decompose further
Rule: If you can't estimate confidently, decompose further.
unknowns:
  technical: ["Never used bcrypt", "Don't know JWT refresh pattern"]
  domain: ["Password rules unspecified", "SSO needed later?"]
  external: ["DBA review has 2-day SLA"]
  resource: ["Frontend dev availability uncertain"]
Every unknown adds risk. Quantify it.
For each atomic task:
| Estimate | Meaning |
|----------|---------|
| Optimistic (O) | Everything goes perfectly |
| Realistic (R) | Normal conditions, typical hiccups |
| Pessimistic (P) | Murphy's Law applies |
"Implement password hashing"
O: 1h (copy existing pattern)
R: 3h (read docs, test, handle edge cases)
P: 8h (version issues, need alternatives)
Rule: If P > 3x R, decompose further.
Expected = (O + 4*R + P) / 6
Example: (1 + 4*3 + 8) / 6 = 3.5h
| Risk Level | Multiplier | When |
|------------|------------|------|
| Low | 1.0-1.2x | Well-understood, clear requirements |
| Medium | 1.2-1.5x | Some unknowns, moderate complexity |
| High | 1.5-2.0x | New tech, unclear requirements |
| Critical | 2.0-3.0x | Multiple unknowns, bleeding-edge |
Risk categories:
| Category | Multiplier | Triggers |
|----------|------------|----------|
| Technical | 1.3-2.0x | New lang/framework, complex algorithms, perf requirements |
| Domain | 1.4-2.5x | Unclear requirements, regulatory, stakeholder disagreement |
| External | 1.5-3.0x | Third-party deps, vendor timelines, cross-team |
| Resource | 1.2-2.0x | Availability uncertain, skills gap, access issues |
Integration is where 50% of bugs live. Always add 20-30%.
Subtasks total: 40h
Integration buffer (25%): 10h
Final: 50h
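The steps above (three-point estimate, PERT, risk multiplier, integration buffer) chained into one calculation. This is an added example, not the skill's own `estimate.sh`; the task list is constructed, and applying the risk-level range per task and checking the 8-hour limit against the PERT value are assumptions.

```python
from dataclasses import dataclass

# Multiplier ranges copied from the risk-level table above.
RISK = {"low": (1.0, 1.2), "medium": (1.2, 1.5),
        "high": (1.5, 2.0), "critical": (2.0, 3.0)}

@dataclass
class Task:
    name: str
    o: float  # optimistic hours
    r: float  # realistic hours
    p: float  # pessimistic hours
    risk: str = "low"

    def __post_init__(self):
        if not 0 < self.o <= self.r <= self.p:
            raise ValueError(f"{self.name}: need 0 < O <= R <= P")
        if self.risk not in RISK:
            raise ValueError(f"{self.name}: unknown risk level {self.risk!r}")

    def pert(self):
        return (self.o + 4 * self.r + self.p) / 6

    def needs_decomposition(self):
        # Page rules: P > 3x R, or the piece is not under 8 hours.
        # Assumption: the 8-hour limit is checked against the PERT value.
        return self.p > 3 * self.r or self.pert() >= 8

def estimate(tasks, integration=0.25):
    """Return a low/high hour range plus the tasks to split further."""
    if not 0.20 <= integration <= 0.30:
        raise ValueError("integration buffer must be 20-30%")
    low = sum(t.pert() * RISK[t.risk][0] for t in tasks)
    high = sum(t.pert() * RISK[t.risk][1] for t in tasks)
    return {"low": round(low * (1 + integration), 1),
            "high": round(high * (1 + integration), 1),
            "decompose": [t.name for t in tasks if t.needs_decomposition()]}

# Constructed sample input; hours and risk levels are illustrative.
SAMPLE = [
    Task("Implement password hashing", 1, 3, 8, "medium"),
    Task("Database schema", 1, 2, 4, "low"),
    Task("JWT refresh flow", 2, 4, 16, "high"),
]

if __name__ == "__main__":
    print(estimate(SAMPLE))
```

Reporting the low/high pair rather than a single number follows the "use ranges" fix in the anti-pattern table.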
| Anti-Pattern | Problem | Fix |
|-------------|---------|-----|
| "2 Hours" | "I have no idea" | Use three-point + PERT |
| Secret Padding | Destroys trust | State explicit buffer: "5h + 5h buffer" |
| Ignoring Integration | Underestimate 30-50% | Always add integration buffer |
| Forgetting Testing | "Done" != done | Include test time (often 1:1 with dev) |
| No Confidence Level | False precision | Use ranges: "45h +/- 5h" |
[ESTIMATE] (+/-[UNCERTAINTY]) assuming [ASSUMPTIONS]
Breakdown:
- Component 1: Xh
- Component 2: Yh
- Integration: Zh
Confidence: [High/Medium/Low] (XX%)
Assumptions:
1. [Critical assumption]
Risks:
- [Risk]: [impact] / [mitigation]
Dependencies:
- [External dependency]
Unknowns:
- [Unknown] - [how to resolve]
Before finalizing any estimate:
Run the interactive PERT estimation helper:
skills/estimation/scripts/estimate.sh
# or
./scripts/estimate.sh [--output filename]
- references/decomposition-examples.md -- full worked examples
- references/risk-analysis.md -- risk assessment framework
- references/communication-guide.md -- stakeholder communication patterns
- scripts/estimate.sh -- interactive PERT estimation script