curiositech/state-machine-designer
skills/state-machine-designer/SKILL.md
Design and implement finite state machines and statecharts for complex UI flows using XState v5 and Zustand. Activate on: multi-step forms, complex UI state, wizard flows, auth flows, statechart, XState. NOT for: simple boolean toggles (use React useState), server state (use data-fetching-strategist).
development
Updated Apr 4, 2026
$ install --global
skillsauthnpx skillsauth add curiositech/windags-skills state-machine-designerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 4, 2026, 2:54 PM6.0s1 file scanned
SKILL.md
- license:
- Apache-2.0
- name:
- state-machine-designer
- description:
- Design and implement finite state machines and statecharts for complex UI flows using XState v5 and Zustand. Activate on: multi-step forms, complex UI state, wizard flows, auth flows, statechart, XState. NOT for: simple boolean toggles (use React useState), server state (use data-fetching-strategist).
- allowed-tools:
- Read,Write,Edit,Bash(npm:*,npx:*)
- category:
- Frontend & UI
- - skill:
- error-boundary-strategist
- reason:
- Error states in machines map to recovery UI via error boundaries
State Machine Designer
Model complex UI flows as finite state machines and statecharts using XState v5, eliminating impossible states and race conditions.
Activation Triggers
Activate on: multi-step wizards, authentication flows, payment checkout, complex form state, drag-and-drop orchestration, media player controls, XState, statechart, createMachine.
NOT for: simple boolean toggles (use useState). Server/async data caching -- use data-fetching-strategist. Global app state without transitions -- use Zustand directly.
Quick Start
- Map states -- list every discrete state the UI can be in (idle, loading, error, success, etc.).
- Define events -- list every user action or system event that triggers transitions.
- Draw the statechart -- use Stately.ai visual editor or ASCII diagram to verify no impossible transitions.
- Implement with XState v5 --
setup()+createMachine()with@xstate/reactuseMachinehook. - Test transitions -- use
createActorin unit tests to verify every path.
Core Capabilities
| Domain | Technologies | Key Patterns |
|--------|-------------|--------------|
| State Machines | XState v5, setup() API | Flat machines for simple flows |
| Statecharts | XState hierarchical/parallel states | Nested states, history states |
| UI Binding | @xstate/react useMachine, useSelector | React integration, selective re-renders |
| Lightweight State | Zustand with state enum pattern | When XState overhead is too much |
| Visualization | Stately.ai editor, @stately-ai/inspect | Visual debugging of live machines |
| Testing | createActor, getSnapshot | Deterministic transition testing |
Architecture Patterns
Pattern 1: XState v5 Machine with setup()
import { setup, assign } from 'xstate';
const checkoutMachine = setup({
types: {
context: {} as {
items: CartItem[];
address: Address | null;
paymentMethod: PaymentMethod | null;
error: string | null;
},
events: {} as
| { type: 'SET_ADDRESS'; address: Address }
| { type: 'SET_PAYMENT'; method: PaymentMethod }
| { type: 'SUBMIT' }
| { type: 'BACK' }
| { type: 'RETRY' },
},
guards: {
hasAddress: ({ context }) => context.address !== null,
hasPayment: ({ context }) => context.paymentMethod !== null,
},
}).createMachine({
id: 'checkout',
initial: 'cart',
context: { items: [], address: null, paymentMethod: null, error: null },
states: {
cart: { on: { SUBMIT: { target: 'address', guard: 'hasItems' } } },
address: { on: { SET_ADDRESS: { actions: assign({ address: (_, e) => e.address }), target: 'payment' }, BACK: 'cart' } },
payment: { on: { SET_PAYMENT: { actions: assign({ paymentMethod: (_, e) => e.method }), target: 'review' }, BACK: 'address' } },
review: { on: { SUBMIT: 'processing', BACK: 'payment' } },
processing: {
invoke: { src: 'processPayment', onDone: 'success', onError: { target: 'error', actions: assign({ error: (_, e) => e.data.message }) } },
},
success: { type: 'final' },
error: { on: { RETRY: 'processing', BACK: 'review' } },
},
});
Pattern 2: Zustand State Enum (Lightweight Alternative)
When XState is overkill but useState booleans create impossible states:
import { create } from 'zustand';
type AuthState = 'idle' | 'authenticating' | 'authenticated' | 'error' | 'mfa_required';
interface AuthStore {
state: AuthState;
user: User | null;
error: string | null;
login: (creds: Credentials) => Promise<void>;
submitMfa: (code: string) => Promise<void>;
logout: () => void;
}
const useAuthStore = create<AuthStore>((set, get) => ({
state: 'idle',
user: null,
error: null,
login: async (creds) => {
if (get().state !== 'idle' && get().state !== 'error') return; // guard
set({ state: 'authenticating', error: null });
try {
const res = await api.login(creds);
if (res.mfaRequired) set({ state: 'mfa_required' });
else set({ state: 'authenticated', user: res.user });
} catch (e) {
set({ state: 'error', error: e.message });
}
},
logout: () => set({ state: 'idle', user: null }),
}));
Pattern 3: Statechart Visualization
┌────────────────────────────────────────────────┐
│ checkout │
│ │
│ [cart] ──SUBMIT──> [address] ──SET_ADDR──> │
│ ^ │ │
│ └───BACK───────────┘ │
│ │
│ [payment] ──SET_PAY──> [review] ──SUBMIT──> │
│ ^ │ │
│ └───BACK───────────────┘ │
│ │
│ [processing] ──onDone──> [success] (final) │
│ │ │
│ └──onError──> [error] ──RETRY──> │
│ │ (back to processing)│
│ └──BACK──> [review] │
└────────────────────────────────────────────────┘
Anti-Patterns
- Boolean soup --
isLoading && !isError && isSubmittedcreates impossible state combinations. Use a single state enum or machine instead. - Skipping the statechart diagram -- jumping to code without visualizing transitions guarantees missing edge cases. Draw first, code second.
- Putting side effects in guards -- guards must be pure predicates. Use
actionsorinvokefor side effects. - Over-engineering simple toggles -- a modal open/close does not need XState. Use
useState<boolean>for trivially simple state. - Forgetting to handle the error-to-retry path -- users get stuck in error states with no way back. Always define recovery transitions.
Quality Checklist
- [ ] Every UI state is an explicit named state (no derived boolean combinations)
- [ ] Statechart visualized (Stately.ai or ASCII diagram) before implementation
- [ ] No impossible state transitions (e.g., cannot go from
successtocart) - [ ] Guards are pure functions with no side effects
- [ ] Every error state has a recovery transition (
RETRYorBACK) - [ ] Machine tested with
createActorcovering happy path + error path + edge cases - [ ] Context types fully specified with TypeScript
- [ ] React binding uses
useSelectorfor selective re-renders (not full context subscription) - [ ] Parallel states used where independent concerns overlap (e.g., form validity + network status)
Related Skills
curiositech/circuit-breakers-and-retries
tools
VerifiedTrustedCommunity
Building resilient distributed systems with circuit breakers, retries with full-jitter exponential backoff, retry budgets (per-request 3-attempt + per-client 10% ratio per Google SRE), deadline propagation, and the cascading-failure math (4 layers × 3 retries = 64x amplification). Grounded in Resilience4j, Microsoft Cloud Patterns, AWS Architecture Blog (Marc Brooker), and Google SRE Book.
4SKILL.mdUpdated May 6, 2026
curiositech/cdn-cache-control-headers
testing
VerifiedTrustedCommunity
Designing HTTP cache headers that work correctly across browsers, CDNs, and shared proxies — `Cache-Control` directives per RFC 9111, `stale-while-revalidate` and `stale-if-error` per RFC 5861, the Vary header for varying responses, and surrogate keys for tag-based purging. Grounded in IETF RFCs and Cloudflare/Fastly docs.
4SKILL.mdUpdated May 5, 2026
curiositech/content-security-policy-headers
development
VerifiedTrustedCommunity
Use when designing or fixing a Content Security Policy on a real site, choosing between nonce-based and hash-based CSP, adding strict-dynamic, debugging "Refused to execute inline script" errors, deploying CSP in report-only mode first, configuring report-to / report-uri, or auditing an existing policy for unsafe-inline / unsafe-eval / wildcards. Triggers: "CSP blocks legitimate inline script", strict-dynamic, nonce-{RANDOM}, sha256-{HASH}, object-src none, base-uri none, frame-ancestors, Trusted Types, X-Content-Security-Policy obsolete, report-only vs enforced. NOT for general HTTP security headers (HSTS, COOP/COEP), Trusted Types deep dive, CORS configuration, or building a WAF.
3SKILL.mdUpdated May 4, 2026
curiositech/api-versioning-strategy
tools
VerifiedTrustedCommunity
Choosing and operating an HTTP API versioning strategy that doesn't break clients — Stripe's date-based pinned versions, the Deprecation/Sunset header pair (RFC 9745 + RFC 8594), URI vs header vs media-type approaches, and the version-transformer pattern. Grounded in Stripe's published architecture and IETF RFCs.
3SKILL.mdUpdated May 4, 2026