michaelalber/qraspi-skeleton
skills/team/qraspi-skeleton/SKILL.md
QRASPI Skeleton phase -- stand up a RUNNABLE walking skeleton for a NEW system: scaffold the repo from the accepted ADRs, walk one vertical slice end-to-end through every layer, land the specified fitness functions as CI gates, and prove it with a real CI run (exit 0). Use for "/qraspi-skeleton <project>", "scaffold the walking skeleton for X", "stand up V0 of X with CI", "make the architecture executable". The exit gate is CI green, not a claim. Do NOT use to scaffold a single feature slice in an existing repo (use the *-feature-slice scaffolders). Do NOT use for QRSPI (an existing codebase). Do NOT use for the deprecated RPI workflow.
development
Updated Jun 4, 2026
$ install --global
skillsauthnpx skillsauth add michaelalber/ai-toolkit qraspi-skeletonInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 4, 2026, 8:48 AM265.1s7 files scanned
SKILL.md
- name:
- qraspi-skeleton
- audience:
- team
- description:
- >
- QRASPI Skeleton phase -- stand up a RUNNABLE walking skeleton for a NEW system:
- scaffold the repo
QRASPI Skeleton
"A walking skeleton is a tiny implementation of the system that performs a small end-to-end function. It need not use the final architecture, but it should link the main components." -- Adapted from Alistair Cockburn
Core Philosophy
The Skeleton phase makes the architecture executable. A walking skeleton is a tiny end-to-end
implementation that exercises every architectural layer and carries the build/test/deploy harness --
runnable from day one, grown rather than thrown away (this is what distinguishes it from a spike).
This phase consumes the accepted ADRs + architecture.md, selects the matching archetype recipe,
scaffolds a runnable repo around the one vertical slice that walks end-to-end, lands the specified
fitness functions as CI gates, and proves it with a real command: CI green, or the phase is not done.
The failure this prevents is the aspirational skeleton -- a scaffold that "should run" but was
never executed. ci_green is a captured command result, never a claim. This is why Skeleton runs on
the builder agent (edit access), on the far side of the alignment phases' edit boundary.
Non-Negotiable Constraints:
- ARCHITECTURE-GATED -- never start without
architecture.md(status: complete) + the accepteddocs/adr/NNNN-*.mdon disk; the stack comes from the ADRs, never invented - EXECUTABLE, NOT ASPIRATIONAL -- the exit gate is a real CI/test run with exit 0;
ci_greenis a captured command result; you CANNOT report COMPLETE withci_green: false - ONE WALKING SLICE -- scaffold exactly one vertical slice end-to-end through every layer (delegate
to a
*-feature-slice/*-scaffoldskill); breadth is later slices, not now - FITNESS FUNCTIONS ARE GATES -- every fitness function
architecture.mdspecified is wired into CI as merge-blocking (delegate tofitness-functions); their passing is PART OF CI green - RECIPE, NOT RIGID REPO -- archetype recipes are instructions you adapt to the ADRs, never copy-paste templates; over-constraint re-introduces the magic-words trap QRASPI exists to avoid
- CONTEXT BUDGET: keep utilization under 40%. At 60%, write
skeleton.mdwith progress and tell the user to start a fresh session.
Workflow
PRE-FLIGHT
[ ] Locate the project folder thoughts/shared/qraspi/YYYY-MM-DD-{slug}/
[ ] Read architecture.md (status: complete) + the accepted docs/adr/NNNN-*.md.
If absent -> STOP; route the user to /qraspi-architecture
[ ] Read the fitness-function spec table from architecture.md
[ ] DETECT archetype: match the ADR stack declaration to references/archetypes/<archetype>.md by
name; no match -> the generic "declare-stack-and-generate" recipe
SCAFFOLD (archetype recipe (+) feature-slice scaffolder)
Repo layer (archetype recipe): project layout, CI workflow, health check, observability hook,
secure-by-default config -- the repo+CI scaffold the feature-slice tools do NOT supply
Slice layer: invoke the matching *-feature-slice / *-scaffold skill for the ONE vertical slice
that walks every layer end-to-end
GATE (land the fitness functions)
For each fitness function specified in architecture.md: invoke fitness-functions to author it and
wire it into CI as a merge-blocking gate, traced to its ADR id.
VERIFY (the exit gate -- a real command, not a claim)
Run the scaffolded project's CI / test suite via Bash. Require exit 0 (build + unit + lint +
fitness gates all green). HARDWARE archetype: CI-green covers build+unit+lint+fitness; the
device-deploy step is a DOCUMENTED MANUAL gate, not auto-run. ci_green is the captured result.
If non-zero -> fix and re-run; never report COMPLETE with ci_green: false.
WRITE
thoughts/shared/qraspi/YYYY-MM-DD-{slug}/skeleton.md (status: complete): what the skeleton
instantiates, which layers it walks, CI status, the landed fitness gates, and the SLICE BACKLOG
for /qraspi-plan.
REPORT
skeleton.md path · archetype used · layers walked · CI status (green) · fitness gates landed ·
slice backlog count · "Review, then start a NEW session and run /qraspi-plan"
Exit criteria: a runnable repo scaffolded from the ADR stack; the one walking slice exercises
every architectural layer; every specified fitness function wired as a merge-blocking CI gate; the
CI/test suite RAN and exited 0 (ci_green: true); skeleton.md written with the slice backlog; user
told to review before /qraspi-plan.
State Block
<qraspi-skeleton-state>
phase: PRE-FLIGHT | SCAFFOLD | GATE | VERIFY | WRITE | REPORT | COMPLETE
project_folder: thoughts/shared/qraspi/YYYY-MM-DD-{slug}/
architecture_present: true | false # MUST be true to proceed
archetype: python-mcp-server | dotnet-blazor-vertical-slice | python-fastapi-service | edge-ai-device | eval-harness | generic
walking_slice: [the one end-to-end slice scaffolded]
fitness_gates_wired: [count] # every spec'd fitness fn wired as a CI gate
ci_command: [the exact CI/test command run]
ci_green: true | false # MUST be true to COMPLETE -- a captured command result
hardware_manual_gate: none | [documented device-deploy step]
slice_backlog: [count] # slices enumerated for /qraspi-plan
context_budget: under-40 | approaching-60 | checkpoint-now
status: in_progress | complete
</qraspi-skeleton-state>
Output Template
See references/skeleton-template.md for the skeleton.md structure (what the skeleton instantiates,
CI status, landed gates, slice backlog) and the recipe-not-rigid-repo principle, and
references/archetypes/<archetype>.md for the per-archetype repo+CI recipe: python-mcp-server.md,
dotnet-blazor-vertical-slice.md, python-fastapi-service.md, edge-ai-device.md, eval-harness.md.
Integration with Other Skills
| Skill | Relationship |
|-------|-------------|
| qraspi-architecture | Prior phase. Its architecture.md + accepted ADRs declare the stack and the fitness-function spec this phase instantiates. |
| fitness-functions | Authors and wires each specified fitness function as a merge-blocking CI gate; their passing is part of CI green. |
| qraspi-plan | Next phase. Consumes the slice backlog in skeleton.md to plan the next vertical increment on the skeleton. |
| dotnet-vertical-slice / python-feature-slice / rust-feature-slice / mcp-server-scaffold | The feature-slice scaffolders invoked for the one walking slice; the archetype recipe supplies the repo+CI layer they do not. |
| tdd | Used from /qraspi-implement when growing later slices; the skeleton itself is scaffolded, not TDD'd into existence. |
| qrspi-implement | Brownfield sibling's execution phase. Skeleton is greenfield-only -- it stands V0 up once, then features graduate to QRSPI. |
Related Skills
michaelalber/security-review-federal
development
VerifiedTrustedCommunity
Federal / government security overlay applied ON TOP OF a base language security review (dotnet/python/php/rust/react). Language-agnostic: adds NIST SP 800-53 control mapping, FIPS 140-2/3 cryptographic compliance (with a per-language crypto table), CUI handling, EO 14028 supply-chain requirements, and DOE Order 205.1B, and emits POA&M-ready findings with FIPS 199 impact levels. Use for federal/DOE/DOD/national-laboratory systems. Triggers on "federal security review", "NIST compliance", "NIST 800-53", "FISMA", "CUI", "FIPS audit", "DOE security", "POA&M", "ATO review". Do NOT use alone — run the matching <lang>-security-review FIRST; this overlay maps and extends it.
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-security-review
tools
VerifiedTrustedCommunity
OWASP-based security review of React / TypeScript front-end applications. Detects the framework (Vite/CRA/Next), entry points, and data flows, scans against the OWASP Top 10 (2025) mapped to React client-side patterns (XSS via raw HTML, URL/protocol injection, secrets in the bundle, insecure token storage, dependency CVEs, missing CSP, open redirects), and produces a manager-friendly executive summary plus a graded technical findings table. Use to audit React code for vulnerabilities. Triggers on "react security review", "frontend security audit", "audit react for vulnerabilities", "owasp react", "react xss", "react security posture", "npm audit review". For federal / gov / DOE / NIST / FIPS / CUI context, run security-review-federal after this base review. Do NOT use to grade architecture/structure — use react-architecture-checklist.
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-modernization-analyzer
tools
VerifiedTrustedCommunity
Analyzes legacy React codebases and produces actionable modernization plans. Primary migration paths include class components to function components + hooks, Create React App to Vite, React 16/17 to 18 to 19, JavaScript to TypeScript, Enzyme to React Testing Library, legacy Redux to Redux Toolkit / Zustand / Context, and deprecated lifecycle/API removal. Does NOT perform the migration — assesses, quantifies risk, and plans. Triggers on phrases like "modernize react", "class to hooks", "upgrade react", "migrate CRA to vite", "react legacy migration", "react 17 to 18", "react js to typescript", "react technical debt", "enzyme to RTL".
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-feature-slice
development
VerifiedTrustedCommunity
Scaffolds feature-based React / TypeScript architecture using feature folders, presentational + container components, custom hooks, a typed data layer, and structural CQRS (query hooks vs mutation hooks). React analog of dotnet-vertical-slice and python-feature-slice — no DI framework; uses props/context for dependency injection and a query cache for server state. Use when creating feature-based React projects, adding React features, organizing components by feature rather than by technical type, or scaffolding a feature's data layer. Triggers on phrases like "scaffold react feature", "create react slice", "react feature folder", "react vertical slice", "add react feature", "react feature architecture", "organize react by feature".
SKILL.mdUpdated Jun 4, 2026