skills/team/fitness-functions/SKILL.md
Author architectural fitness functions and wire them into a target project's CI as gatekeepers. Use for "add a fitness function", "wire an arch test as a CI gate", "enforce layering in CI", "fail the build when the dependency rule is violated". Per-stack tool selection (NetArchTest, import-linter, cargo-deny, Conftest). Do NOT use to run an existing test suite -- that is tdd. Do NOT use to analyze coupling for insight without gating -- that is dependency-mapper.
npx skillsauth add michaelalber/ai-toolkit fitness-functions
Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
"An architectural fitness function provides an objective integrity assessment of some architectural characteristic(s)." -- Neal Ford, Rebecca Parsons & Patrick Kua, Building Evolutionary Architectures
A fitness function turns an architectural intention into an automated, objective check that the CI pipeline enforces on every push. It is the executable memory of an ADR: the ADR records why a boundary exists; the fitness function makes crossing that boundary fail the build. Without the gate, architectural decisions decay silently between reviews. The mechanism is uniform across stacks -- a check wired into CI as a gatekeeper -- but the tool is per-stack.
Non-Negotiable Constraints:
references/<stack>.md; never hardcode a stack's tooling into the gate-wiring logic
architecture.md fitness section and tell the user to start a fresh session.
PRE-FLIGHT
[ ] Identify the target stack (dotnet|python|rust|policy) from architecture.md/the ADRs, or ASK
[ ] Locate the CI workflow file (.github/workflows/*, .gitlab-ci.yml, etc.)
[ ] Identify the ADR or quality attribute each fitness function will enforce
SELECT
Load references/<stack>.md and choose the tool for the rule category (layering/dependency
direction · coupling · dependency policy · coverage · package rules). For coupling-as-metric,
reference dependency-mapper (Martin Ca/Ce/I/A/D) rather than re-deriving the math.
AUTHOR
Write the check as an executable artifact in the target repo (a test, a contract, a policy
file). It must read the real source/build graph and exit non-zero on violation.
WIRE
Add the check to the CI workflow as a required step/job that blocks merge on failure.
Comment the step with the ADR id / quality attribute it gates.
VERIFY
1. Run it against current code -- must PASS (green)
2. Introduce a deliberate violation -- must FAIL (non-zero) -- then revert. Observe both.
REPORT
Each fitness function · the ADR/attribute it gates · CI step location · the violation proof.
Exit criteria: >= 1 fitness function authored in the target repo; wired into CI as a merge-blocking gate; verified GREEN today and verified to FAIL on a deliberate violation; each gate traces to a named ADR or quality attribute.
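An added example, not part of the skill or its references: a minimal layering check for the python stack that covers the AUTHOR and VERIFY steps, written with the standard-library `ast` module rather than import-linter. The layer names (`domain`, `application`, `infrastructure`), the `src` default and all function names are assumptions made for illustration.

```python
import ast
import sys
import tempfile
from pathlib import Path

# Hypothetical layers for a placeholder ADR: each layer may import only the layers listed.
ALLOWED = {"domain": set(), "application": {"domain"},
           "infrastructure": {"domain", "application"}}


def imported_roots(source: str) -> set:
    """Top-level package names a module imports (absolute imports only)."""
    roots = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            roots.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            roots.add(node.module.split(".")[0])
    return roots


def violations(src_root: Path) -> list:
    """Read the real source tree; list each import that crosses a layer illegally."""
    found = []
    for layer, allowed in ALLOWED.items():
        for path in sorted((src_root / layer).rglob("*.py")):
            deps = imported_roots(path.read_text(encoding="utf-8")) & set(ALLOWED)
            for dep in sorted(deps - allowed - {layer}):
                found.append(f"{path.relative_to(src_root)}: {layer} -> {dep}")
    return found


def prove_gate() -> tuple:
    """VERIFY step on a constructed tree: green first, then a deliberate violation."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for layer in ALLOWED:
            (root / layer).mkdir()
        (root / "application" / "orders.py").write_text("from domain import model\n")
        green = violations(root)
        (root / "domain" / "model.py").write_text("import infrastructure.db\n")
        return green, violations(root)


if __name__ == "__main__":  # CI entry point: a non-zero exit status blocks the merge
    bad = violations(Path(sys.argv[1] if len(sys.argv) > 1 else "src"))
    for line in bad:
        print(f"layering violation: {line}", file=sys.stderr)
    sys.exit(1 if bad else 0)
```

For the WIRE step, the script runs as a required CI step against the repository's source root, so that its exit status decides whether the merge is allowed.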
<fitness-functions-state>
phase: PRE-FLIGHT | SELECT | AUTHOR | WIRE | VERIFY | REPORT | COMPLETE
target_stack: dotnet | python | rust | policy
ci_workflow: [path to the CI file the gate is wired into]
fitness_functions: [count]
gates_on: [ADR ids / quality attributes enforced]
wired_as_ci_gate: true | false # MUST be true to COMPLETE
verified_fails_on_violation: true | false # MUST be true to COMPLETE
context_budget: under-40 | approaching-60 | checkpoint-now
status: in_progress | complete
</fitness-functions-state>
See references/<stack>.md for the per-stack tool, a minimal check, the CI-wiring snippet, and the
deliberate-violation proof: dotnet.md (NetArchTest), python.md (import-linter), rust.md
(cargo-deny + dependency-direction test), policy.md (Conftest/OPA Rego).
| Skill | Relationship |
|-------|-------------|
| qraspi-architecture | Specifies which fitness functions each ADR requires; this skill authors them. |
| qraspi-skeleton | Lands these fitness functions as CI gates when the walking skeleton stands up. |
| dependency-mapper | The ready-made coupling fitness function -- Martin Ca/Ce/I/A/D metrics. Reference it for coupling rules rather than re-deriving the math. |
| tdd | Different layer: tdd gates behavior (does the code do the right thing); a fitness function gates architecture (is the structure still legal). Do not conflate. |