athola/safety-critical-patterns
plugins/pensive/skills/safety-critical-patterns/SKILL.md
Applies NASA Power of 10 rules for safety-critical verifiable code. Use when auditing financial, medical, or high-reliability system code.
$ install --global
skillsauthnpx skillsauth add athola/claude-night-market safety-critical-patternsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 8, 2026, 3:35 AM248.2s1 file scanned
SKILL.md
- name:
- safety-critical-patterns
- description:
- Applies NASA Power of 10 rules for safety-critical verifiable code. Use when auditing financial, medical, or high-reliability system code.
- alwaysApply:
- false
- category:
- code-quality
- tools:
- []
- complexity:
- intermediate
- model_hint:
- standard
- estimated_tokens:
- 600
- - pensive:
- code-refinement
- - imbue:
- structured-output
Safety-Critical Coding Patterns
Guidelines adapted from NASA's Power of 10 rules for safety-critical software.
When to Apply
Full rigor: Safety-critical systems, financial transactions, data integrity code Selective application: Business logic, API handlers, core algorithms Light touch: Scripts, prototypes, non-critical utilities
"Match rigor to consequence" - The real engineering principle
The 10 Rules (Adapted)
1. Restrict Control Flow
Avoid goto, setjmp/longjmp, and limit recursion.
Why: Ensures acyclic call graphs that tools can verify. Adaptation: Recursion acceptable with provable termination (tail recursion, bounded depth).
2. Fixed Loop Bounds
All loops should have verifiable upper bounds.
# Good - bound is clear
for i in range(min(len(items), MAX_ITEMS)):
process(item)
# Risky - unbounded
while not_done: # When does this end?
process_next()
Adaptation: Document expected bounds; add safety limits on potentially unbounded loops.
3. No Dynamic Memory After Initialization
Avoid heap allocation in critical paths after startup.
Why: Prevents allocation failures at runtime. Adaptation: Pre-allocate pools; use object reuse patterns in hot paths.
4. Function Length ~60 Lines
Functions should fit on one screen/page.
Why: Cognitive limits on comprehension remain valid. Adaptation: Flexible for declarative code; strict for complex logic.
5. Assertion Density
Include defensive assertions documenting expectations.
def transfer_funds(from_acct, to_acct, amount):
assert from_acct != to_acct, "Cannot transfer to same account"
assert amount > 0, "Transfer amount must be positive"
assert from_acct.balance >= amount, "Insufficient funds"
# ... implementation
Adaptation: Focus on boundary conditions and invariants, not arbitrary quotas.
6. Minimal Variable Scope
Declare variables at narrowest possible scope.
# Good - scoped tightly
for item in items:
total = calculate(item) # Only exists in loop
results.append(total)
# Avoid - unnecessarily broad
total = 0 # Why is this outside?
for item in items:
total = calculate(item)
results.append(total)
7. Check Return Values and Parameters
Validate inputs; never ignore return values.
# Good
result = parse_config(path)
if result is None:
raise ConfigError(f"Failed to parse {path}")
# Bad
parse_config(path) # Ignored return
8. Limited Preprocessor/Metaprogramming
Restrict macros, decorators, and code generation.
Why: Makes static analysis possible. Adaptation: Document metaprogramming thoroughly; prefer explicit over magic.
9. Pointer/Reference Discipline
Limit indirection levels; be explicit about ownership.
Adaptation: Use type hints, avoid deep nesting of optionals, prefer immutable data.
10. Enable All Warnings
Compile/lint with strictest settings from day one.
# Python
ruff check --select=ALL
mypy --strict
# TypeScript
tsc --strict --noImplicitAny
Rules That May Not Apply
| Rule | When to Relax | |------|---------------| | No recursion | Tree traversal, parser combinators with bounded depth | | No dynamic memory | GC languages, short-lived processes | | 60-line functions | Declarative configs, state machines | | No function pointers | Callbacks, event handlers, strategies |
Integration
Reference this skill from:
pensive:code-refinement- Clean code and quality dimensionsanctum:pr-review- Code quality phase/harden- composed in the hardening pipeline/full-review safety-critical- focused entry point, and an auto-detection row when assertion density is low, loops are unbounded, or recursion lacks a termination proof
Violation Output Format
For each rule violation, report:
Rule N: <rule name>
Location: file.py:42
Anchor: `<verbatim source text at line 42>`
Issue: <what violates the rule>
Fix: <concrete remediation>
Verify Findings Are Grounded (safety-critical:findings-verified)
Every finding must cite a real location and a verbatim anchor. Write
findings to .review/findings.json and confirm each citation resolves:
python plugins/imbue/scripts/citation_verifier.py \
--findings .review/findings.json --repo-root .
Drop or label UNVERIFIED any finding the verifier fails (exit 1); only
verified findings enter the report. See Skill(imbue:review-core) Step 5
and Skill(imbue:structured-output) for the schema.
Exit Criteria
- [ ] Each of the 10 rules has an explicit verdict for the target (applies / violated / not applicable), not a silent skip
- [ ] Every reported violation cites a concrete
file:lineand the rule number it breaks - [ ] Rules deemed not applicable name the reason (e.g. "no dynamic allocation in this module") rather than being omitted
- [ ] Loops flagged under Rule 2 are checked for a statically provable upper bound; unbounded loops are reported
- [ ] Recursion flagged under Rule 1 is reported when it lacks a termination argument
- [ ] A summary states whether the target is suitable for safety-critical use, or which rules block that judgment
- [ ] Every reported violation carries a
Location+ verbatimAnchorconfirmed bycitation_verifier.py(exit0), or unverified violations were dropped or labeledUNVERIFIED.
Sources
- NASA JPL Power of 10 Rules (Gerard Holzmann, 2006)
- MISRA C Guidelines
- HN discussion insights on practical application
Related Skills
athola/ideate
research
VerifiedTrustedCommunity
Generate diverse solution candidates with category-spanning ideation methods and rotation. Use when stuck on a design or fighting repetitive LLM output.
304SKILL.mdUpdated Jun 8, 2026
athola/plugins/sanctum/skills/validate-pr
tools
VerifiedTrustedCommunity
--- name: validate-pr description: Use when you need a diff-derived test plan for a PR: reads the diff, groups changes by area, runs targeted verifications, and proves revert-tests are genuine guards, not dead assertions. alwaysApply: false category: validation tags: - pr - validation - test-plan - diff - revert-test - evidence tools: [] usage_patterns: - diff-derived-test-plan - revert-test-quality-check - evidence-capture complexity: intermediate model_hint: standard estimated_tokens: 650
304SKILL.mdUpdated Jun 8, 2026
athola/decision-journal
development
VerifiedTrustedCommunity
Contract for the project decision journal (tradeoffs and lessons-learned logs). Use when recording a decision, tradeoff, or lesson, or building a consumer hook.
304SKILL.mdUpdated Jun 8, 2026
athola/graduated-implementation
development
VerifiedTrustedCommunity
Ramps implementation ambition a notch only after the prior increment is understood. Use when building a feature you must understand, not just ship.
304SKILL.mdUpdated Jun 8, 2026