michaelalber/qrspi-plan
skills/team/qrspi-plan/SKILL.md
QRSPI Plan phase -- converts an approved spec.md into a mechanically executable, vertically sliced plan.md with exact file paths and per-phase verification. Use for "/qrspi-plan <feature>", "qrspi plan X", "turn the spec into an implementation plan". Do NOT use for the deprecated RPI workflow (use /rpi-plan) or to plan without a spec; this phase consumes spec.md and REFUSES horizontal-layer plans.
tools
Updated Jun 4, 2026
$ install --global
skillsauthnpx skillsauth add michaelalber/ai-toolkit qrspi-planInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 4, 2026, 8:49 AM265.0s2 files scanned
SKILL.md
- name:
- qrspi-plan
- audience:
- team
- description:
- >
QRSPI Plan
"A plan precise enough to execute mechanically is the goal. If the implementer has to invent anything, the plan failed." -- Adapted from Dwight D. Eisenhower
Core Philosophy
The Plan phase turns the approved spec into an implementation contract the Implement phase can execute WITHOUT judgment, invention, or discovery. The spec already settled the design and the vertical slices; Plan makes each slice mechanical -- exact file paths, exact changes, a test-first step, and an automated verification command. Its one hard gate is vertical, not horizontal: a plan organized by technical layer (all models, then all services, then all UI) is rejected before it is written. Each phase must deliver an end-to-end testable increment, inherited from the spec's slices.
Non-Negotiable Constraints:
- SPEC-GATED -- never plan without an approved
spec.mdon disk; never plan from memory - VERTICAL OR REFUSE -- if phases organize by horizontal layer, STOP and re-slice before writing
- MECHANICAL EXECUTION -- every change names an exact file path; "the service layer" is not a path
- TESTS FIRST -- any phase adding behavior opens with a failing-test step (RED) before the code step
- EVERY PHASE VERIFIABLE -- each phase carries an automated command (build / test / lint) and a rollback
- NO SOURCE CODE -- change descriptions and illustrative snippets only, never full implementations
- CONTEXT BUDGET: keep utilization under 40%. At 60%, write
plan.mdwith progress and tell the user to start a fresh session.
Workflow
PRE-FLIGHT
[ ] Locate the feature folder thoughts/shared/qrspi/YYYY-MM-DD-{slug}/
[ ] Read spec.md. If absent -> STOP; route the user to /qrspi-spec
[ ] Confirm spec.md status: approved AND design_approved: true.
If only ready-for-review -> STOP; ask the human to approve the spec design first
[ ] Carry the spec's Structure Outline slices forward as the phase skeleton
RE-SLICE GATE (the vertical-not-horizontal refusal)
Inspect the intended phases. If any phase completes a whole layer (all models, then all
services, then all UI), STOP and re-slice so each phase is an end-to-end increment.
Do NOT proceed to WRITE until every phase is a vertical slice.
WRITE (only after the gate passes)
For each slice/phase: exact file paths · REMOVE/ADD change descriptions · a RED test step
before the code step · an automated verification command · a rollback line.
Add "What we're NOT doing" (scope boundaries) and a rollback plan.
Write plan.md, status: ready-for-review.
REPORT
Artifact path · phase list (one line each) · "Review/approve, then start a NEW session and run /qrspi-implement"
Exit criteria: plan.md holds vertically sliced phases, each with exact paths, a test-first
step, an automated verification command, and a rollback; a "What we're NOT doing" list is present;
status: ready-for-review; user told to review/approve before /qrspi-implement.
State Block
<qrspi-plan-state>
phase: PRE-FLIGHT | RE-SLICE-GATE | WRITE | REPORT | COMPLETE
feature_folder: thoughts/shared/qrspi/YYYY-MM-DD-{slug}/
spec_present: true | false # MUST be true to proceed
spec_approved: true | false # MUST be true to proceed
phases_planned: [count]
vertical_check: pass | re-slice-needed # MUST be pass before WRITE
tests_first_phases: [count]
rollback_documented: true | false
context_budget: under-40 | approaching-60 | checkpoint-now
status: draft | ready-for-review | approved
</qrspi-plan-state>
Output Template
See references/plan-template.md for the full plan.md structure, frontmatter, per-phase shape
(exact paths, RED/GREEN test steps, verification commands, rollback), and the horizontal-vs-vertical
worked example.
Integration with Other Skills
| Skill | Relationship |
|-------|-------------|
| qrspi-spec | Prior phase. Its approved spec.md (vertical slices + signatures) is the contract this phase makes mechanical. |
| qrspi-implement | Next phase. Consumes the approved plan.md; refuses to execute without status: approved. |
| tdd | The inner loop the Implement phase runs per phase; Plan's test-first steps map onto RED-GREEN-REFACTOR. |
| dotnet-vertical-slice / python-feature-slice / rust-feature-slice | Stack scaffolders for the vertical slices each phase implements. |
| rpi-plan | DEPRECATED sibling that folds design into planning. Route here for QRSPI's spec-gated, refuses-horizontal plan. |
Related Skills
michaelalber/security-review-federal
development
VerifiedTrustedCommunity
Federal / government security overlay applied ON TOP OF a base language security review (dotnet/python/php/rust/react). Language-agnostic: adds NIST SP 800-53 control mapping, FIPS 140-2/3 cryptographic compliance (with a per-language crypto table), CUI handling, EO 14028 supply-chain requirements, and DOE Order 205.1B, and emits POA&M-ready findings with FIPS 199 impact levels. Use for federal/DOE/DOD/national-laboratory systems. Triggers on "federal security review", "NIST compliance", "NIST 800-53", "FISMA", "CUI", "FIPS audit", "DOE security", "POA&M", "ATO review". Do NOT use alone — run the matching <lang>-security-review FIRST; this overlay maps and extends it.
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-security-review
tools
VerifiedTrustedCommunity
OWASP-based security review of React / TypeScript front-end applications. Detects the framework (Vite/CRA/Next), entry points, and data flows, scans against the OWASP Top 10 (2025) mapped to React client-side patterns (XSS via raw HTML, URL/protocol injection, secrets in the bundle, insecure token storage, dependency CVEs, missing CSP, open redirects), and produces a manager-friendly executive summary plus a graded technical findings table. Use to audit React code for vulnerabilities. Triggers on "react security review", "frontend security audit", "audit react for vulnerabilities", "owasp react", "react xss", "react security posture", "npm audit review". For federal / gov / DOE / NIST / FIPS / CUI context, run security-review-federal after this base review. Do NOT use to grade architecture/structure — use react-architecture-checklist.
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-modernization-analyzer
tools
VerifiedTrustedCommunity
Analyzes legacy React codebases and produces actionable modernization plans. Primary migration paths include class components to function components + hooks, Create React App to Vite, React 16/17 to 18 to 19, JavaScript to TypeScript, Enzyme to React Testing Library, legacy Redux to Redux Toolkit / Zustand / Context, and deprecated lifecycle/API removal. Does NOT perform the migration — assesses, quantifies risk, and plans. Triggers on phrases like "modernize react", "class to hooks", "upgrade react", "migrate CRA to vite", "react legacy migration", "react 17 to 18", "react js to typescript", "react technical debt", "enzyme to RTL".
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-feature-slice
development
VerifiedTrustedCommunity
Scaffolds feature-based React / TypeScript architecture using feature folders, presentational + container components, custom hooks, a typed data layer, and structural CQRS (query hooks vs mutation hooks). React analog of dotnet-vertical-slice and python-feature-slice — no DI framework; uses props/context for dependency injection and a query cache for server state. Use when creating feature-based React projects, adding React features, organizing components by feature rather than by technical type, or scaffolding a feature's data layer. Triggers on phrases like "scaffold react feature", "create react slice", "react feature folder", "react vertical slice", "add react feature", "react feature architecture", "organize react by feature".
SKILL.mdUpdated Jun 4, 2026