skills/team/cargo-package-scaffold/SKILL.md
Cargo crate creation with CI/CD pipeline setup, test harness, and crates.io publish workflow. Use when creating new Rust crates, configuring Cargo.toml metadata, setting up GitHub Actions for Rust CI, or publishing to crates.io. Triggers on: "scaffold cargo crate", "create rust crate", "new rust library", "publish to crates.io", "cargo package", "rust ci pipeline", "cargo workspace", "rust crate metadata", "cargo publish workflow". Do NOT use when the crate is internal-only and not intended for crates.io publication; Do NOT use when the target is a binary application — this skill targets library crates.
Install: `npx skillsauth add michaelalber/ai-toolkit cargo-package-scaffold` (works with Claude Code, Cursor, and Windsurf).
"A crate is a promise. Its Cargo.toml is the contract. Its tests are the proof. Semver is a social contract — publish nothing you would not stake your reputation on."
Publishing a Rust crate is a commitment. Once a version is on crates.io, it cannot be deleted —
only yanked. This skill enforces the practices that make crates trustworthy: complete metadata,
semver discipline, a CI gate that blocks broken publishes, and a test harness that covers the
public API surface. The scaffold is opinionated by default and configurable by exception — every
generated crate starts with #![deny(unsafe_code)], #![warn(missing_docs)], and a CI pipeline that
runs cargo test, cargo clippy, cargo fmt --check, and cargo publish --dry-run on every push.
Non-Negotiable Constraints:
- cargo semver-checks in CI. For a 0.x crate, Cargo treats a minor bump as the breaking boundary, and cargo semver-checks applies the same rule, so pre-1.0 does not relax the discipline.
- cargo publish --dry-run must pass in CI before any release.
- #![warn(missing_docs)] + cargo doc in CI.
- #![deny(unsafe_code)]; unsafe requires explicit justification and a // SAFETY: comment.
- default = [] features and an explicit include list; users opt in, and the published package never ships .github/ or target/. Once include is set, Cargo ignores exclude, so the include list is the only thing that decides what ships; cargo package --list shows the result.

The full principle set, anti-patterns, discipline rules, and recovery steps live in
references/conventions.md.
DETECT Read workspace Cargo.toml (inherit [workspace.package] if present), existing
.github/workflows/, and deny.toml. Report findings. No files written.
SCAFFOLD Create the crate skeleton:
```
<crate-root>/
├── Cargo.toml           # complete metadata (see cargo-metadata-reference.md)
├── src/lib.rs           # deny(unsafe_code), warn(missing_docs), module structure
├── tests/integration.rs # integration stubs for the public API
├── examples/basic.rs    # minimal working example
├── CHANGELOG.md         # Keep a Changelog format
└── README.md            # description, install, quick start
```
Exit: cargo build / test / doc --no-deps all pass.
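The manifest rules above (explicit include list that never ships .github/ or target/, default = [] features) and the Cargo.toml the skeleton generates are the pieces a publish most often gets wrong, and cargo publish --dry-run reports them only after the whole build. The following is an added example, not the skill's own template or code: a pre-flight check that reads a Cargo.toml and reports violations of those rules plus the metadata crates.io itself refuses a publish without (name, version, description, license or license-file). It assumes the flat, one-key-per-line Cargo.toml the scaffold emits; workspace-inherited keys (`description.workspace = true`) are not resolved, and the two sample manifests, the crate name and the URL are constructed for the example. A real tool would use the `toml` crate; the minimal reader here keeps the example dependency-free.

```rust
// Added example, not the skill's own template: a pre-flight check for the
// manifest rules above plus the metadata crates.io refuses a publish without.
// Assumes the flat one-key-per-line Cargo.toml the scaffold emits; workspace
// inherited keys (`description.workspace = true`) are not resolved.
use std::collections::BTreeMap;

/// One TOML table: raw text right of `=` per key, decoded on demand.
type Table = BTreeMap<String, String>;

/// Minimal reader: `[table]` headers, `key = value`, `#` comments. No `#` inside
/// strings and no multi-line values (the sample manifests need neither).
fn read_manifest(src: &str) -> BTreeMap<String, Table> {
    let mut tables: BTreeMap<String, Table> = BTreeMap::new();
    let mut current = String::new();
    for raw in src.lines() {
        let line = raw.split('#').next().unwrap_or("").trim();
        if line.starts_with('[') && line.ends_with(']') {
            current = line[1..line.len() - 1].trim().to_string();
        } else if let Some((k, v)) = line.split_once('=') {
            tables.entry(current.clone()).or_default().insert(k.trim().into(), v.trim().into());
        }
    }
    tables
}

/// TOML basic string `"..."` -> its contents; anything else -> None.
fn as_str(v: &str) -> Option<&str> {
    v.strip_prefix('"')?.strip_suffix('"')
}

/// Single-line array of basic strings `["a", "b"]` -> its items.
fn as_str_array(v: &str) -> Option<Vec<&str>> {
    let inner = v.strip_prefix('[')?.strip_suffix(']')?;
    inner.split(',').map(str::trim).filter(|s| !s.is_empty()).map(as_str).collect()
}

/// Returns the violations found; an empty Vec means the manifest passes these rules.
pub fn preflight(manifest: &str) -> Vec<String> {
    let tables = read_manifest(manifest);
    let empty = Table::new();
    let pkg = tables.get("package").unwrap_or(&empty);
    let mut findings: Vec<String> = Vec::new();
    // crates.io rejects the upload without name, version, description and a license.
    for key in ["name", "version", "description"] {
        if pkg.get(key).and_then(|v| as_str(v)).map_or(true, str::is_empty) {
            findings.push(format!("[package] {key} is missing or empty"));
        }
    }
    if !pkg.contains_key("license") && !pkg.contains_key("license-file") {
        findings.push("[package] needs license or license-file".into());
    }
    // Page rule: explicit include list that never ships .github/ or target/.
    // Cargo ignores `exclude` once `include` is set, so this is the list that counts.
    match pkg.get("include").and_then(|v| as_str_array(v)) {
        None => findings.push("[package] include list is missing".into()),
        Some(items) => {
            for entry in items {
                let top = entry.trim_start_matches("./").split('/').next().unwrap_or("");
                if top == ".github" || top == "target" {
                    findings.push(format!("[package] include ships {entry}"));
                }
            }
        }
    }
    // Page rule: features are opt-in, so `default` must stay the empty list.
    let default = tables.get("features").and_then(|f| f.get("default")).and_then(|v| as_str_array(v));
    if let Some(list) = default.filter(|l| !l.is_empty()) {
        findings.push(format!("[features] default enables {} feature(s); must be []", list.len()));
    }
    findings
}

/// Constructed sample shaped the way the scaffold describes; name and URL are hypothetical.
pub const GOOD_MANIFEST: &str = r##"
[package]
name = "example-crate"
version = "0.1.0"
edition = "2021"
description = "Example library crate used to exercise the pre-flight check"
license = "MIT OR Apache-2.0"
repository = "https://example.invalid/example-crate"
include = ["src/**/*.rs", "Cargo.toml", "README.md", "CHANGELOG.md", "LICENSE-*"]

[features]
default = []
"##;

/// Constructed counter-example: empty description, no license, CI files and build
/// output packaged, an optional feature forced on.
pub const BAD_MANIFEST: &str = r##"
[package]
name = "example-crate"
version = "0.1.0"
description = ""
include = ["src/**/*.rs", ".github/workflows/ci.yml", "target/doc"]

[features]
default = ["extra-checks"]
extra-checks = []
"##;
```

Run it with `cargo test` (the checks are plain functions, so a `#[test]` that asserts `preflight(GOOD_MANIFEST).is_empty()` is enough) or wire `preflight` into a pre-publish step; the authoritative answer on what actually ships is still `cargo package --list`, and `cargo publish --dry-run` remains the gate this check merely front-loads.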
CI Create .github/workflows/ci.yml with jobs: test (stable + MSRV matrix),
lint (clippy -D warnings + fmt --check), docs, semver (PRs only), publish-dry-run.
RELEASE Create release.yml triggered on v* tags: full CI gate, then publish to crates.io via
CARGO_REGISTRY_TOKEN secret, then a GitHub Release with the CHANGELOG excerpt.
(release.yml + secret documented in release-checklist.md.)
VERIFY Run and require pass: cargo build · test · clippy -- -D warnings · fmt --check ·
doc --no-deps · publish --dry-run. A captured command result, never a claim.
Exit criteria: crate builds, tests pass, lints clean, docs complete, publish --dry-run passes;
CI and release workflows created; CARGO_REGISTRY_TOKEN documented for the user to add.
```
<cargo-package-scaffold-state>
phase: DETECT | SCAFFOLD | CI | RELEASE | VERIFY | COMPLETE
crate_name: [name]
crate_type: lib | bin | proc-macro
workspace: true | false
workspace_metadata_inherited: true | false
msrv: [version]
unsafe_allowed: true | false
features: [comma-separated]
ci_created: true | false
release_workflow_created: true | false
build_status: pass | fail | not-run
last_action: [description]
next_action: [description]
</cargo-package-scaffold-state>
```
- references/cargo-metadata-reference.md (required + recommended fields, include/exclude).
- references/scaffold-templates.md.
- references/release-checklist.md.

| Skill | Relationship |
|-------|-------------|
| rust-architecture-checklist | Run after scaffold to verify the crate's internal architecture. |
| rust-security-review | Run before first publish to audit for security issues. |
| rust-migration-analyzer | Use when migrating an existing crate to a new Rust edition. |
| supply-chain-audit | Audit crate dependencies for CVEs and license compliance before publish. |