michaelalber/tdd
skills/team/tdd/SKILL.md
The canonical RED-GREEN-REFACTOR inner loop. Enforces behavioral, structure-insensitive tests and prohibits horizontal slicing. Use when writing any new code test-first, managing TDD phase transitions, or as the inner loop for qrspi-implement, qraspi-implement, or any other implementation skill. Triggers on "tdd", "red green refactor", "write a failing test", "test-first", "tdd cycle". Do NOT use to audit existing test suites — use evaluate-tests instead.
development
Updated Jun 5, 2026
$ install --global
skillsauthnpx skillsauth add michaelalber/ai-toolkit tddInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 5, 2026, 6:27 AM128.5s11 files scanned
SKILL.md
- name:
- tdd
- audience:
- team
- description:
- >
TDD (Red-Green-Refactor)
"Write tests that are sensitive to behavior changes, insensitive to structure changes." — Kent Beck
Two Critical Properties
Every test must satisfy both before leaving RED:
| Property | A compliant test... | A violation looks like |
|----------|---------------------|------------------------|
| Behavioral | fails when the observable outcome breaks | assert repo.save.called — verifies a method was called, not what the system produced |
| Structure-insensitive | survives a rename-only or extract-method refactor | assert order._total == 100 — reads internal state; breaks on any rename |
The Failure Mode: Horizontal Slicing
The most common TDD failure in AI-generated code:
# WRONG — horizontal slice
def test_register(): ...
def test_login(): ...
def test_logout(): ...
# ... then all implementation
class Auth: ...
# RIGHT — vertical slice
def test_register(): ... # one test
class Auth: # minimal code to pass it
def register(): ...
# refactor → commit → next test
def test_login(): ...
Horizontal slicing produces tests that were never red, implementations that were never minimal, and refactoring that was never constrained by a safety net. Never accumulate unimplemented tests.
The Cycle — One test → one implementation → repeat
RED
- Write ONE failing test for the next smallest observable behavior
- Run the suite — the new test must fail for a semantic reason (not import/syntax)
- All other tests must still pass
GREEN
- Write the minimum code to pass the failing test — nothing it does not require (no unrequested error handling, config, edge cases, or "while I'm here" features)
- Prefer: Fake It (hardcode) → Obvious Implementation → Triangulation
- Run the suite — all tests must pass
- Strategies & per-language idioms (.NET/Python/PHP/TS): green idioms on demand; for .NET test structure see
test-scaffold
REFACTOR
- One structural change at a time — behavior must not change (no bug fixes, no new features; those start a new RED)
- Run tests after every change — revert immediately if red
- Smell→refactoring recipes: code smells · refactoring catalog on demand
Per-Cycle Self-Check
- [ ] This test was red before I wrote any implementation
- [ ] This test asserts an observable outcome, not a method call or internal state
- [ ] A rename-only refactor would NOT break this test
- [ ] My implementation passes this test and no others I have not written yet
- [ ] All tests are green entering REFACTOR
State Block
<tdd-state>
phase: RED | GREEN | REFACTOR
iteration: N
current_test: [test name]
failure_reason: [semantic description — not "syntax error"]
tests_passing: true | false
</tdd-state>
Modes & Companions
The one canonical loop (GREEN/REFACTOR depth in references/ above). Companions are modes and audits, not alternatives:
| Need | Skill |
|------|-------|
| AI drives all phases autonomously (defers here for mechanics) | tdd-agent |
| Human + AI pair — ping-pong / navigator / teaching (defers here) | tdd-pair |
| Audit test quality or TDD compliance after the fact | evaluate-tests |
| .NET test conventions — xUnit / AAA / mocks | test-scaffold |
| RED before/after examples | Behavioral Examples |
Related Skills
michaelalber/security-review-federal
development
VerifiedTrustedCommunity
Federal / government security overlay applied ON TOP OF a base language security review (dotnet/python/php/rust/react). Language-agnostic: adds NIST SP 800-53 control mapping, FIPS 140-2/3 cryptographic compliance (with a per-language crypto table), CUI handling, EO 14028 supply-chain requirements, and DOE Order 205.1B, and emits POA&M-ready findings with FIPS 199 impact levels. Use for federal/DOE/DOD/national-laboratory systems. Triggers on "federal security review", "NIST compliance", "NIST 800-53", "FISMA", "CUI", "FIPS audit", "DOE security", "POA&M", "ATO review". Do NOT use alone — run the matching <lang>-security-review FIRST; this overlay maps and extends it.
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-security-review
tools
VerifiedTrustedCommunity
OWASP-based security review of React / TypeScript front-end applications. Detects the framework (Vite/CRA/Next), entry points, and data flows, scans against the OWASP Top 10 (2025) mapped to React client-side patterns (XSS via raw HTML, URL/protocol injection, secrets in the bundle, insecure token storage, dependency CVEs, missing CSP, open redirects), and produces a manager-friendly executive summary plus a graded technical findings table. Use to audit React code for vulnerabilities. Triggers on "react security review", "frontend security audit", "audit react for vulnerabilities", "owasp react", "react xss", "react security posture", "npm audit review". For federal / gov / DOE / NIST / FIPS / CUI context, run security-review-federal after this base review. Do NOT use to grade architecture/structure — use react-architecture-checklist.
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-modernization-analyzer
tools
VerifiedTrustedCommunity
Analyzes legacy React codebases and produces actionable modernization plans. Primary migration paths include class components to function components + hooks, Create React App to Vite, React 16/17 to 18 to 19, JavaScript to TypeScript, Enzyme to React Testing Library, legacy Redux to Redux Toolkit / Zustand / Context, and deprecated lifecycle/API removal. Does NOT perform the migration — assesses, quantifies risk, and plans. Triggers on phrases like "modernize react", "class to hooks", "upgrade react", "migrate CRA to vite", "react legacy migration", "react 17 to 18", "react js to typescript", "react technical debt", "enzyme to RTL".
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-feature-slice
development
VerifiedTrustedCommunity
Scaffolds feature-based React / TypeScript architecture using feature folders, presentational + container components, custom hooks, a typed data layer, and structural CQRS (query hooks vs mutation hooks). React analog of dotnet-vertical-slice and python-feature-slice — no DI framework; uses props/context for dependency injection and a query cache for server state. Use when creating feature-based React projects, adding React features, organizing components by feature rather than by technical type, or scaffolding a feature's data layer. Triggers on phrases like "scaffold react feature", "create react slice", "react feature folder", "react vertical slice", "add react feature", "react feature architecture", "organize react by feature".
SKILL.mdUpdated Jun 4, 2026