skills/team/qraspi-research/SKILL.md
QRASPI Research phase -- map the solution LANDSCAPE for a new system, factual only, no recommendations. Use for "/qraspi-research <project>", "research the solution landscape for new X", "what libraries / prior art exist for X", "survey the options before architecting X". Mode switch: external-domain (no codebase) or inherited-repo. Do NOT use for QRSPI (an EXISTING codebase / adding a feature) -- that routes to qrspi-research. Do NOT use for the deprecated RPI workflow.
npx skillsauth add michaelalber/ai-toolkit qraspi-research
Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
3 of 9 scanners reported clean
"The map is not the territory." -- Alfred Korzybski
The Research phase produces a factual landscape map of the solution space -- never a recommendation. Greenfield has no ticket to hide and (in the default mode) no codebase to map; the failure mode shifts from QRSPI's "biased map" to premature solution -- the agent quietly picking FastAPI + Postgres before the Architecture phase has weighed a single trade-off. Recommendations are Architecture's job, gated behind ADRs. This phase catalogs what EXISTS in the solution space -- libraries, prior art, patterns, constraints -- and converts every comparative judgment into an open question for Architecture to decide.
The phase runs in one of two modes, detected at pre-flight (references/landscape-vs-codebase.md):
external-domain (default; pure greenfield) maps the problem domain and solution landscape via
research-synthesis and the web; inherited-repo (greenfield component inside an existing repo)
maps the host repo's conventions via the read-only research-* subagents.
Non-Negotiable Constraints:
recommendations_made MUST stay false; do not pick a stack, framework, or library here
research-synthesis); inherited-repo: file:line. An uncited claim is dropped.
research.md with progress and tell the user to start a fresh session.
PRE-FLIGHT
[ ] Locate the project folder thoughts/shared/qraspi/YYYY-MM-DD-{slug}/
[ ] Read the ANSWERED questions.md to scope the landscape (areas/constraints only)
-> If no questions.md exists, scope from the argument and note the gap
[ ] DETECT research_mode (see references/landscape-vs-codebase.md):
populated source tree at the target?
no -> external-domain (default)
yes -> inherited-repo
GATHER
external-domain: invoke research-synthesis; survey libraries, prior art, patterns, and
constraints via WebSearch/WebFetch; score source credibility; facts + citations
inherited-repo: derive a NEUTRAL topic string; spawn in PARALLEL via the Task tool, passing
ONLY that string:
@research-file-locator "Find all files related to: {neutral topic}"
@research-code-analyzer "Analyze the implementation of: {neutral topic}"
@research-pattern-finder "Find patterns and conventions related to: {neutral topic}"
wait for ALL THREE before synthesizing
SYNTHESIZE
Organize into overview, landscape findings, options-on-the-table, constraints, open questions.
Convert EVERY comparative judgment ("X is faster than Y") into an open question for Architecture.
Compact to <= ~200 lines.
WRITE
thoughts/shared/qraspi/YYYY-MM-DD-{slug}/research.md (references/research-template.md)
Set status: complete
REPORT
Artifact path · 3-5 landscape facts · the options surfaced (NOT a pick) · open questions ·
"Review, then start a NEW session and run /qraspi-architecture"
Exit criteria: research.md written as a factual landscape map; mode recorded; every claim
cited; every comparative judgment converted to an open question; recommendations_made: false;
user told to review before /qraspi-architecture.
<qraspi-research-state>
phase: PRE-FLIGHT | GATHER | SYNTHESIZE | WRITE | REPORT | COMPLETE
project_folder: thoughts/shared/qraspi/YYYY-MM-DD-{slug}/
research_mode: external-domain | inherited-repo
recommendations_made: false # MUST remain false -- the no-premature-solution firewall
neutral_topic: [ticket-free topic string | n/a for external-domain]
subagents_spawned: 0 | 1 | 2 | 3 # inherited-repo only
subagents_complete: 0 | 1 | 2 | 3 # inherited-repo only
open_questions: [count]
context_budget: under-40 | approaching-60 | checkpoint-now
status: in_progress | complete
</qraspi-research-state>
See references/research-template.md for the full research.md structure and frontmatter, and
references/landscape-vs-codebase.md for mode detection and the per-mode evidence rules.
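A gate check over the state block above, as an added example (not part of the skill or the ai-toolkit project): it parses `<qraspi-research-state>` and lists every violation of the exit criteria before the hand-off to /qraspi-architecture. The function names and the sample state are constructed for illustration.

```python
import re

# Field names and allowed values are taken from the <qraspi-research-state> block.
MODES = {"external-domain", "inherited-repo"}
BLOCK = re.compile(r"<qraspi-research-state>(.*?)</qraspi-research-state>", re.S)

def parse_state(text):
    """Return the key: value pairs of the state block; '#' starts a comment."""
    match = BLOCK.search(text)
    if match is None:
        raise ValueError("no <qraspi-research-state> block found")
    state = {}
    for line in match.group(1).splitlines():
        key, sep, value = line.split("#", 1)[0].partition(":")
        if sep:
            state[key.strip()] = value.strip()
    return state

def gate_violations(state):
    """List every reason this state must not be handed to /qraspi-architecture."""
    problems = []
    if state.get("recommendations_made") != "false":
        problems.append("recommendations_made must remain false")
    mode = state.get("research_mode")
    if mode not in MODES:
        problems.append("research_mode not recorded")
    elif mode == "inherited-repo":
        if state.get("subagents_complete") != "3":
            problems.append("all three subagents must complete before synthesis")
        if state.get("neutral_topic", "n/a") in ("", "n/a"):
            problems.append("inherited-repo needs a neutral topic string")
    if state.get("status") != "complete":
        problems.append("status is not complete")
    return problems

# Constructed sample: an inherited-repo run that synthesized early and picked a stack.
SAMPLE = """<qraspi-research-state>
phase: SYNTHESIZE
research_mode: inherited-repo
recommendations_made: true # violates the firewall
neutral_topic: background job scheduling
subagents_complete: 2
status: in_progress
</qraspi-research-state>"""

if __name__ == "__main__":
    for problem in gate_violations(parse_state(SAMPLE)):
        print("BLOCK:", problem)
```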
| Skill | Relationship |
|-------|-------------|
| qraspi-questions | Prior phase. Its answered questions.md scopes the landscape. |
| qraspi-architecture | Next phase. Consumes research.md; it -- not this phase -- makes the picks via ADRs. |
| research-synthesis | The external-domain engine: source-credibility scoring and cross-referencing for the landscape map. |
| qrspi-research | Brownfield sibling. Use it instead when the system EXISTS and you are mapping it to add a feature. |
development
Federal / government security overlay applied ON TOP OF a base language security review (dotnet/python/php/rust/react). Language-agnostic: adds NIST SP 800-53 control mapping, FIPS 140-2/3 cryptographic compliance (with a per-language crypto table), CUI handling, EO 14028 supply-chain requirements, and DOE Order 205.1B, and emits POA&M-ready findings with FIPS 199 impact levels. Use for federal/DOE/DOD/national-laboratory systems. Triggers on "federal security review", "NIST compliance", "NIST 800-53", "FISMA", "CUI", "FIPS audit", "DOE security", "POA&M", "ATO review". Do NOT use alone — run the matching <lang>-security-review FIRST; this overlay maps and extends it.
tools
OWASP-based security review of React / TypeScript front-end applications. Detects the framework (Vite/CRA/Next), entry points, and data flows, scans against the OWASP Top 10 (2025) mapped to React client-side patterns (XSS via raw HTML, URL/protocol injection, secrets in the bundle, insecure token storage, dependency CVEs, missing CSP, open redirects), and produces a manager-friendly executive summary plus a graded technical findings table. Use to audit React code for vulnerabilities. Triggers on "react security review", "frontend security audit", "audit react for vulnerabilities", "owasp react", "react xss", "react security posture", "npm audit review". For federal / gov / DOE / NIST / FIPS / CUI context, run security-review-federal after this base review. Do NOT use to grade architecture/structure — use react-architecture-checklist.
tools
Analyzes legacy React codebases and produces actionable modernization plans. Primary migration paths include class components to function components + hooks, Create React App to Vite, React 16/17 to 18 to 19, JavaScript to TypeScript, Enzyme to React Testing Library, legacy Redux to Redux Toolkit / Zustand / Context, and deprecated lifecycle/API removal. Does NOT perform the migration — assesses, quantifies risk, and plans. Triggers on phrases like "modernize react", "class to hooks", "upgrade react", "migrate CRA to vite", "react legacy migration", "react 17 to 18", "react js to typescript", "react technical debt", "enzyme to RTL".
development
Scaffolds feature-based React / TypeScript architecture using feature folders, presentational + container components, custom hooks, a typed data layer, and structural CQRS (query hooks vs mutation hooks). React analog of dotnet-vertical-slice and python-feature-slice — no DI framework; uses props/context for dependency injection and a query cache for server state. Use when creating feature-based React projects, adding React features, organizing components by feature rather than by technical type, or scaffolding a feature's data layer. Triggers on phrases like "scaffold react feature", "create react slice", "react feature folder", "react vertical slice", "add react feature", "react feature architecture", "organize react by feature".