skills/team/qrspi-spec/SKILL.md
QRSPI Spec phase -- a Design Brain-Dump the human redirects ("brain surgery"), followed by a vertically-sliced Structure Outline. Use for "/qrspi-spec <feature>", "design discussion for X", "structure outline for X", "spec out X from the research". Do NOT use to write a product PRD (use to-prd) or for an open-ended design chat (use spec-coach); this phase consumes research.md and produces an approved spec.md. Do NOT use for the deprecated RPI workflow.
npx skillsauth add michaelalber/ai-toolkit qrspi-spec
Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status.
"Plans are worthless, but planning is everything." -- Adapted from Dwight D. Eisenhower
The Spec phase turns objective research into an agreed design BEFORE any plan or code exists. It
runs two movements: a Design Brain-Dump the human performs "brain surgery" on, then a
Structure Outline of signatures and vertical slices. The hard human gate between them is the
point -- catching a wrong approach here costs minutes; catching it in code costs hours. Spec maps
the source workflow's stages 3 (Design Discussion) and 4 (Structure Outline); see
references/stage-mapping.md.
Non-Negotiable Constraints:
research.md on disk; never design from memory
design_approved: true)
spec.md with progress and tell the user to start a fresh session.
PRE-FLIGHT
[ ] Locate the feature folder thoughts/shared/qrspi/YYYY-MM-DD-{slug}/
[ ] Read research.md (status: complete). If absent -> STOP; route the user to /qrspi-research
[ ] Read the answered questions.md for design intent
BRAIN-DUMP (source stage 3 -- Design Discussion)
Write ~200 lines: current state (from research) · desired end state · design decisions & tradeoffs
Write spec.md with the Brain-Dump only, status: draft, design_approved: false
STOP & LOOP (the "brain surgery" gate)
Present the Brain-Dump. WAIT. The human redirects architecture -> revise the Brain-Dump ->
re-present. Repeat until the human approves. Do NOT write the Structure Outline before approval.
STRUCTURE OUTLINE (source stage 4 -- only after design_approved: true)
Add: new/changed type signatures, public function signatures, and high-level phases sliced
VERTICALLY (mock-API -> front-end -> database), each with a verification checkpoint. No bodies.
Set status: ready-for-review
REPORT
Artifact path · slice list · "Review, then start a NEW session and run /qrspi-plan"
Exit criteria: spec.md holds an approved Brain-Dump plus a vertically-sliced Structure
Outline; status: ready-for-review; design_approved: true; user told to review before /qrspi-plan.
<qrspi-spec-state>
phase: PRE-FLIGHT | BRAIN-DUMP | STOP-LOOP | STRUCTURE-OUTLINE | REPORT | COMPLETE
feature_folder: thoughts/shared/qrspi/YYYY-MM-DD-{slug}/
research_present: true | false # MUST be true to proceed
design_approved: true | false # MUST be true before the Structure Outline
brain_dump_revisions: [count]
slices_outlined: [count]
context_budget: under-40 | approaching-60 | checkpoint-now
status: draft | ready-for-review | approved
</qrspi-spec-state>
See references/spec-template.md for the full spec.md structure and frontmatter, and
references/stage-mapping.md for the 8-stage source -> 5-phase QRSPI mapping.
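The gates written into the state block above can be checked mechanically. The following is an added example, not part of the skill or its repository: it parses a `<qrspi-spec-state>` block and reports every gate the state breaks. The function names, the sample block and its folder slug are constructed for illustration.

```python
import re

PHASES = ["PRE-FLIGHT", "BRAIN-DUMP", "STOP-LOOP",
          "STRUCTURE-OUTLINE", "REPORT", "COMPLETE"]

# Constructed sample: a state that reached the outline without approval.
SAMPLE = """<qrspi-spec-state>
phase: STRUCTURE-OUTLINE
feature_folder: thoughts/shared/qrspi/2025-01-15-example-feature/
research_present: true
design_approved: false   # gate skipped
brain_dump_revisions: 1
slices_outlined: 3
context_budget: under-40
status: ready-for-review
</qrspi-spec-state>"""


def parse_state(text):
    """Return the key/value pairs inside the <qrspi-spec-state> block."""
    m = re.search(r"<qrspi-spec-state>(.*?)</qrspi-spec-state>", text, re.S)
    if not m:
        raise ValueError("no <qrspi-spec-state> block found")
    state = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if ":" in line:
            key, value = line.split(":", 1)
            state[key.strip()] = value.strip()
    return state


def gate_violations(state):
    """List every gate from the skill text that this state breaks."""
    phase = state.get("phase")
    if phase not in PHASES:
        return [f"unknown phase: {phase!r}"]
    rank = PHASES.index(phase)
    approved = state.get("design_approved") == "true"
    slices = state.get("slices_outlined", "0")
    problems = []
    if rank > 0 and state.get("research_present") != "true":
        problems.append("research_present must be true to proceed past PRE-FLIGHT")
    if rank >= PHASES.index("STRUCTURE-OUTLINE") and not approved:
        problems.append("design_approved must be true before the Structure Outline")
    if state.get("status") == "ready-for-review" and not approved:
        problems.append("status ready-for-review requires design_approved: true")
    if not approved and slices.isdigit() and int(slices) > 0:
        problems.append("slices outlined before the Brain-Dump was approved")
    return problems
```

Running `gate_violations(parse_state(SAMPLE))` on the constructed sample flags the skipped approval gate three ways: the phase, the status, and the non-zero slice count.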
| Skill | Relationship |
|-------|-------------|
| qrspi-research | Prior phase. Its objective research.md is the factual ground for the Brain-Dump. |
| qrspi-plan | Next phase. Consumes the approved spec.md; refuses to plan without it. |
| dotnet-vertical-slice / python-feature-slice / rust-feature-slice | Stack scaffolders for the vertical slices the Structure Outline defines. |
| spec-coach | Use instead for an open-ended interactive design chat; qrspi-spec is a gated brain-dump -> outline. |
| rpi-plan | DEPRECATED sibling that folds design into planning. Route here for QRSPI's separate design gate. |
development
Federal / government security overlay applied ON TOP OF a base language security review (dotnet/python/php/rust/react). Language-agnostic: adds NIST SP 800-53 control mapping, FIPS 140-2/3 cryptographic compliance (with a per-language crypto table), CUI handling, EO 14028 supply-chain requirements, and DOE Order 205.1B, and emits POA&M-ready findings with FIPS 199 impact levels. Use for federal/DOE/DOD/national-laboratory systems. Triggers on "federal security review", "NIST compliance", "NIST 800-53", "FISMA", "CUI", "FIPS audit", "DOE security", "POA&M", "ATO review". Do NOT use alone — run the matching <lang>-security-review FIRST; this overlay maps and extends it.
tools
OWASP-based security review of React / TypeScript front-end applications. Detects the framework (Vite/CRA/Next), entry points, and data flows, scans against the OWASP Top 10 (2025) mapped to React client-side patterns (XSS via raw HTML, URL/protocol injection, secrets in the bundle, insecure token storage, dependency CVEs, missing CSP, open redirects), and produces a manager-friendly executive summary plus a graded technical findings table. Use to audit React code for vulnerabilities. Triggers on "react security review", "frontend security audit", "audit react for vulnerabilities", "owasp react", "react xss", "react security posture", "npm audit review". For federal / gov / DOE / NIST / FIPS / CUI context, run security-review-federal after this base review. Do NOT use to grade architecture/structure — use react-architecture-checklist.
tools
Analyzes legacy React codebases and produces actionable modernization plans. Primary migration paths include class components to function components + hooks, Create React App to Vite, React 16/17 to 18 to 19, JavaScript to TypeScript, Enzyme to React Testing Library, legacy Redux to Redux Toolkit / Zustand / Context, and deprecated lifecycle/API removal. Does NOT perform the migration — assesses, quantifies risk, and plans. Triggers on phrases like "modernize react", "class to hooks", "upgrade react", "migrate CRA to vite", "react legacy migration", "react 17 to 18", "react js to typescript", "react technical debt", "enzyme to RTL".
development
Scaffolds feature-based React / TypeScript architecture using feature folders, presentational + container components, custom hooks, a typed data layer, and structural CQRS (query hooks vs mutation hooks). React analog of dotnet-vertical-slice and python-feature-slice — no DI framework; uses props/context for dependency injection and a query cache for server state. Use when creating feature-based React projects, adding React features, organizing components by feature rather than by technical type, or scaffolding a feature's data layer. Triggers on phrases like "scaffold react feature", "create react slice", "react feature folder", "react vertical slice", "add react feature", "react feature architecture", "organize react by feature".