michaelalber/qraspi-graduate
skills/team/qraspi-graduate/SKILL.md
QRASPI Graduation -- the terminal handoff from greenfield (QRASPI) to brownfield (QRSPI). Once the walking skeleton is green and V0/V1 is shipped, capture the repo + accepted ADRs + skeleton state + fitness functions + stack into graduation.md and hand new feature work to QRSPI. Use for "/qraspi-graduate <project>", "graduate this to QRSPI", "the V1 is done, hand off to the feature workflow". Do NOT fire mid-workflow or on a generic "we're done" / "ship it" -- this is the END of QRASPI for a system. Do NOT use for the deprecated RPI workflow.
tools
Updated Jun 4, 2026
$ install --global
skillsauthnpx skillsauth add michaelalber/ai-toolkit qraspi-graduateInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 4, 2026, 8:45 AM128.7s2 files scanned
SKILL.md
- name:
- qraspi-graduate
- audience:
- team
- description:
- >
QRASPI Graduate
"A walking skeleton is grown, not thrown away. Once it walks and carries real features, it is just... the codebase."
Core Philosophy
QRASPI is V0/V1 only. Once the walking skeleton is green and the first real slices are shipped,
new features stop being greenfield -- they are additions to an existing codebase, which is QRSPI's
job. Graduation is the explicit seam: a single markdown artifact, graduation.md, that bootstraps the
first QRSPI feature with everything QRASPI produced -- the repo, the accepted ADRs, the layers the
skeleton exercises, the live fitness gates, and the stack declaration. Both workflows already share
tdd, vertical slices, and the read-only research-* subagents, so the seam is state capture +
documentation, not new machinery. This phase is terminal: it captures, hands off, and stops; it
never fires mid-workflow.
Non-Negotiable Constraints:
- SKELETON-GATED + TERMINAL -- never graduate without
skeleton.md(status: complete,ci_green: true); never fire mid-workflow. V0/V1 must be shipped (the skeleton stands green AND the first slices are built, or the human explicitly confirms V1 is done) - CAPTURE, DON'T RE-DERIVE --
graduation.mdindexes what already exists (the repo,docs/adr/,skeleton.md, the fitness gates, the stack); it adds no new decisions and re-opens nothing - NO NEW MACHINERY -- the seam is documentation; QRSPI already shares
tdd, vertical slices, and theresearch-*subagents. Write one artifact, hand off, stop - EXPLICIT HANDOFF --
graduation.mdends with the QRSPI bootstrap instruction (run /qrspi-questions in this repo); after it, QRASPI is complete for this system - CONTEXT BUDGET: keep utilization under 40%. At 60%, write
graduation.mdwith progress and tell the user to start a fresh session.
Workflow
PRE-FLIGHT
[ ] Locate the project folder thoughts/shared/qraspi/YYYY-MM-DD-{slug}/
[ ] Read skeleton.md (status: complete, ci_green: true). If absent / not green -> STOP; route to /qraspi-skeleton
[ ] Confirm V0/V1 is shipped: implementation-log-{slice}.md present for the built slices, or the
human explicitly confirms V1 is done. If nothing is built yet -> STOP; this is mid-workflow, not graduation
[ ] Read the accepted docs/adr/, the live fitness gates, and the stack declaration
CAPTURE (index what exists -- no new decisions)
Assemble graduation.md (references/graduation-template.md) from:
1. Target repo pointer + docs/adr/ (the accepted ADRs QRSPI will read)
2. Skeleton state -- the layers the walking skeleton exercises + current CI status
3. The landed fitness functions + where each gates
4. The stack declaration
5. The QRSPI handoff instruction
WRITE
thoughts/shared/qraspi/YYYY-MM-DD-{slug}/graduation.md (status: complete)
REPORT
graduation.md path · what was captured · "V0/V1 is shipped. New features now use QRSPI --
run /qrspi-questions in this repo." QRASPI is complete for this system.
Exit criteria: graduation.md written capturing the repo + accepted ADRs + skeleton state +
landed fitness functions + stack; it ends with the QRSPI handoff instruction; the user is told QRASPI
is complete for this system and to run /qrspi-questions for the next feature.
State Block
<qraspi-graduate-state>
phase: PRE-FLIGHT | CAPTURE | WRITE | REPORT | COMPLETE
project_folder: thoughts/shared/qraspi/YYYY-MM-DD-{slug}/
skeleton_present: true | false # MUST be true to proceed
skeleton_ci_green: true | false # MUST be true to proceed
v1_shipped: true | false # MUST be true -- the terminal guard, not mid-workflow
adrs_captured: [count]
fitness_gates_captured: [count]
stack_declared: [stack | unknown]
handoff_written: true | false # the /qrspi-questions instruction is in graduation.md
context_budget: under-40 | approaching-60 | checkpoint-now
status: in_progress | complete
</qraspi-graduate-state>
Output Template
See references/graduation-template.md for the graduation.md structure -- the repo + ADR pointer,
the skeleton state, the landed fitness functions, the stack declaration, and the QRSPI handoff block.
Integration with Other Skills
| Skill | Relationship |
|-------|-------------|
| qraspi-skeleton | Source of the skeleton state + the live fitness gates graduation.md captures. |
| qraspi-implement | Its implementation-log-{slice}.md files are the evidence that V0/V1 is shipped (the terminal precondition). |
| qraspi-architecture | The accepted ADRs graduation.md points QRSPI at -- QRSPI reads them to understand the locked decisions. |
| qrspi-questions | The QRSPI entry point this phase hands off to -- new features run /qrspi-questions in the same repo. |
| research-file-locator / research-code-analyzer / research-pattern-finder | The read-only subagents QRSPI's Research uses (inherited-repo mode) to map the now-existing codebase QRASPI produced. |
Related Skills
michaelalber/security-review-federal
development
VerifiedTrustedCommunity
Federal / government security overlay applied ON TOP OF a base language security review (dotnet/python/php/rust/react). Language-agnostic: adds NIST SP 800-53 control mapping, FIPS 140-2/3 cryptographic compliance (with a per-language crypto table), CUI handling, EO 14028 supply-chain requirements, and DOE Order 205.1B, and emits POA&M-ready findings with FIPS 199 impact levels. Use for federal/DOE/DOD/national-laboratory systems. Triggers on "federal security review", "NIST compliance", "NIST 800-53", "FISMA", "CUI", "FIPS audit", "DOE security", "POA&M", "ATO review". Do NOT use alone — run the matching <lang>-security-review FIRST; this overlay maps and extends it.
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-security-review
tools
VerifiedTrustedCommunity
OWASP-based security review of React / TypeScript front-end applications. Detects the framework (Vite/CRA/Next), entry points, and data flows, scans against the OWASP Top 10 (2025) mapped to React client-side patterns (XSS via raw HTML, URL/protocol injection, secrets in the bundle, insecure token storage, dependency CVEs, missing CSP, open redirects), and produces a manager-friendly executive summary plus a graded technical findings table. Use to audit React code for vulnerabilities. Triggers on "react security review", "frontend security audit", "audit react for vulnerabilities", "owasp react", "react xss", "react security posture", "npm audit review". For federal / gov / DOE / NIST / FIPS / CUI context, run security-review-federal after this base review. Do NOT use to grade architecture/structure — use react-architecture-checklist.
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-modernization-analyzer
tools
VerifiedTrustedCommunity
Analyzes legacy React codebases and produces actionable modernization plans. Primary migration paths include class components to function components + hooks, Create React App to Vite, React 16/17 to 18 to 19, JavaScript to TypeScript, Enzyme to React Testing Library, legacy Redux to Redux Toolkit / Zustand / Context, and deprecated lifecycle/API removal. Does NOT perform the migration — assesses, quantifies risk, and plans. Triggers on phrases like "modernize react", "class to hooks", "upgrade react", "migrate CRA to vite", "react legacy migration", "react 17 to 18", "react js to typescript", "react technical debt", "enzyme to RTL".
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-feature-slice
development
VerifiedTrustedCommunity
Scaffolds feature-based React / TypeScript architecture using feature folders, presentational + container components, custom hooks, a typed data layer, and structural CQRS (query hooks vs mutation hooks). React analog of dotnet-vertical-slice and python-feature-slice — no DI framework; uses props/context for dependency injection and a query cache for server state. Use when creating feature-based React projects, adding React features, organizing components by feature rather than by technical type, or scaffolding a feature's data layer. Triggers on phrases like "scaffold react feature", "create react slice", "react feature folder", "react vertical slice", "add react feature", "react feature architecture", "organize react by feature".
SKILL.mdUpdated Jun 4, 2026