michaelalber/doc-sync
skills/team/doc-sync/SKILL.md
Documentation staleness detection, XML doc comment generation, and README synchronization -- keeps documentation accurate and in sync with code changes. Use when auditing documentation coverage, generating XML doc comments, or syncing READMEs after code changes.
development
Updated Jun 4, 2026
$ install --global
skillsauthnpx skillsauth add michaelalber/ai-toolkit doc-syncInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 4, 2026, 8:42 AM139.3s5 files scanned
SKILL.md
- name:
- doc-sync
- audience:
- team
- description:
- Documentation staleness detection, XML doc comment generation, and README synchronization -- keeps documentation accurate and in sync with code changes. Use when auditing documentation coverage, generating XML doc comments, or syncing READMEs after code changes.
Doc Sync
"The only thing worse than no documentation is wrong documentation — someone will trust it and make a bad decision." -- adapted from Steve McConnell, "Code Complete"
Core Philosophy
Documentation decays the moment code changes. This skill detects when documentation has drifted from code, generates accurate XML doc comments from implementation analysis, and keeps READMEs synchronized with the project's actual state. The goal is not comprehensive documentation — it is accurate documentation. A perfectly documented codebase that was accurate six months ago is a liability; a minimally documented one verified this morning is an asset. Freshness and accuracy always beat completeness. Documentation is a derived artifact of code: when they diverge, the code is always right and the docs must change to match.
Non-Negotiable Constraints:
- CODE IS TRUTH — when docs and code disagree, update the docs to match; never the reverse.
- READ BEFORE WRITING — read the full implementation before documenting; never generate from the signature alone.
- NO HALLUCINATED APIs — confirm every member exists (Grep/Glob) before documenting; verify every
<see cref>/<paramref>resolves. - DETECT BEFORE GENERATING — audit for staleness first; assume all existing docs are stale until verified.
- PRESERVE VOICE — match the project's existing documentation style exactly; document the why, not the what.
Full principle table, discipline rules, anti-patterns, and error recovery live in
references/conventions.md.
Workflow
STALENESS DETECTION
SCAN Identify scope: target dir/namespace, file types (.cs/.md/.xml), doc types.
COMPARE Per documented file: code vs. doc modification dates (git log); signatures vs. doc
content; new public members without docs; removed members still in docs.
CLASSIFY CURRENT | STALE (code changed after doc) | MISSING (public API, no doc) |
ORPHANED (doc references gone code) | DRIFT (doc ≠ current signatures).
PRIORITIZE ORPHANED → DRIFT → STALE → MISSING-on-public → CURRENT.
(Heuristics: references/staleness-detection.md.)
XML DOC GENERATION
READ Full implementation; exact signature; throwing paths; edge cases; existing docs.
GENERATE <summary> WHAT+WHY not HOW · <param> each param + constraints · <returns> each
non-void · <exception> each throw + condition · <remarks> edge/threading/perf ·
<example> only when non-obvious · <see cref> related members.
VERIFY Every <param name> matches a real param; every <exception cref> is actually thrown;
every <see cref> resolves; no <returns> on void; examples compile; summary ≠ name.
(C# tag patterns: references/xml-doc-patterns.md.)
README SYNC
INVENTORY What the README covers (description, setup, config, usage, API, deps, contributing).
DIFF Each section vs. current state: setup vs. build files; deps vs. manifests; examples
vs. current signatures; description vs. current capabilities.
UPDATE Read the current code/config; update to match; preserve existing style/format; don't
add sections without an obvious gap; note anything you cannot verify.
VALIDATE All paths exist; commands valid; dep versions match manifests; API refs current.
Exit criteria: every in-scope item classified; updated docs match the implementation; every reference verified to resolve; unverifiable items flagged with a note; README sections validated against manifests and build files.
State Block
<doc-sync-state>
phase: SCAN | COMPARE | CLASSIFY | GENERATE | VALIDATE
scope: [directory, namespace, or file]
files_scanned: [count]
gaps_found: [count]
stale_docs: [count]
items_updated: [count]
items_validated: [count]
last_verified: [description of last action]
</doc-sync-state>
Output Template
- Staleness report, XML doc coverage report —
references/output-templates.md. - C# XML tag patterns, when to use each tag, quality examples —
references/xml-doc-patterns.md. - Staleness heuristics (git-blame compare, signature drift, coverage, broken examples) —
references/staleness-detection.md. - Principle table, discipline rules, anti-patterns, error recovery —
references/conventions.md.
Integration with Other Skills
| Skill | Relationship |
|-------|-------------|
| architecture-journal | When an audit reveals undocumented architecture decisions, record them as ADRs there — documentation gaps often indicate decision gaps. Typical flow: doc-sync audit → discover an undocumented API redesign → architecture-journal records the decision → return to doc-sync to update XML docs + README. |
Related Skills
michaelalber/security-review-federal
development
VerifiedTrustedCommunity
Federal / government security overlay applied ON TOP OF a base language security review (dotnet/python/php/rust/react). Language-agnostic: adds NIST SP 800-53 control mapping, FIPS 140-2/3 cryptographic compliance (with a per-language crypto table), CUI handling, EO 14028 supply-chain requirements, and DOE Order 205.1B, and emits POA&M-ready findings with FIPS 199 impact levels. Use for federal/DOE/DOD/national-laboratory systems. Triggers on "federal security review", "NIST compliance", "NIST 800-53", "FISMA", "CUI", "FIPS audit", "DOE security", "POA&M", "ATO review". Do NOT use alone — run the matching <lang>-security-review FIRST; this overlay maps and extends it.
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-security-review
tools
VerifiedTrustedCommunity
OWASP-based security review of React / TypeScript front-end applications. Detects the framework (Vite/CRA/Next), entry points, and data flows, scans against the OWASP Top 10 (2025) mapped to React client-side patterns (XSS via raw HTML, URL/protocol injection, secrets in the bundle, insecure token storage, dependency CVEs, missing CSP, open redirects), and produces a manager-friendly executive summary plus a graded technical findings table. Use to audit React code for vulnerabilities. Triggers on "react security review", "frontend security audit", "audit react for vulnerabilities", "owasp react", "react xss", "react security posture", "npm audit review". For federal / gov / DOE / NIST / FIPS / CUI context, run security-review-federal after this base review. Do NOT use to grade architecture/structure — use react-architecture-checklist.
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-modernization-analyzer
tools
VerifiedTrustedCommunity
Analyzes legacy React codebases and produces actionable modernization plans. Primary migration paths include class components to function components + hooks, Create React App to Vite, React 16/17 to 18 to 19, JavaScript to TypeScript, Enzyme to React Testing Library, legacy Redux to Redux Toolkit / Zustand / Context, and deprecated lifecycle/API removal. Does NOT perform the migration — assesses, quantifies risk, and plans. Triggers on phrases like "modernize react", "class to hooks", "upgrade react", "migrate CRA to vite", "react legacy migration", "react 17 to 18", "react js to typescript", "react technical debt", "enzyme to RTL".
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-feature-slice
development
VerifiedTrustedCommunity
Scaffolds feature-based React / TypeScript architecture using feature folders, presentational + container components, custom hooks, a typed data layer, and structural CQRS (query hooks vs mutation hooks). React analog of dotnet-vertical-slice and python-feature-slice — no DI framework; uses props/context for dependency injection and a query cache for server state. Use when creating feature-based React projects, adding React features, organizing components by feature rather than by technical type, or scaffolding a feature's data layer. Triggers on phrases like "scaffold react feature", "create react slice", "react feature folder", "react vertical slice", "add react feature", "react feature architecture", "organize react by feature".
SKILL.mdUpdated Jun 4, 2026