renatocaliari/cali-shape-up
skills/local/cali-product-workflow/skills-workflow/cali-shape-up/SKILL.md
[Cali] Shape Up product planning skill. Use when the user wants to shape a product proposal using the Shape Up method. Produces a shaped proposal with problem, solution, scope (IN/OUT), and risks. Part of the cali-product-workflow but can be used standalone.
$ install --global
skillsauthnpx skillsauth add renatocaliari/agent-sync-public-skills cali-shape-upInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 22, 2026, 4:03 AM335.5s7 files scanned
SKILL.md
- name:
- cali-shape-up
- description:
- >
Shape Up Planning
Tools: See
references/cli-tools/subagents.mdfor subagent patterns.
Overview
This skill executes the Shape Up planning phase. It can be run:
- Standalone:
/skill:cali-shape-up— for quick shaping sessions - Via Orchestrator: Called by
/skill:cali-product-workflow
1a. Parallel Recon (optional — recommended for complex features)
Before shaping, launch subagent to map context:
subagent({
tasks: [
{
agent: "scout",
task: `Map the current code state related to: [description].
Identify relevant files, existing flows, and impact points.`,
output: ".cali-product-workflow/{YYYY-MM-DD}/{_dir}/context/current-state.md",
context: "fresh"
},
{
agent: "scout",
task: `Map technical risks, external dependencies, and
constraints for: [description].`,
output: ".cali-product-workflow/{YYYY-MM-DD}/{_dir}/context/risks.md",
context: "fresh"
}
],
concurrency: 2
})
Read the outputs before proceeding.
1b. Shaping
Read the references/ files to guide the process:
| File | Covers |
|---|---|
| references/shaping-complete.md | Context, clarification, responsibilities |
| references/shaping-principles.md | Core shaping principles |
| references/risk-analysis.md | Risk analysis and strategic alternatives |
| references/execution-guide.md | Sequencing, persistence, cross-domain adaptation |
| references/proposal-structure.md | Output structure for the shaped proposal |
| references/output-expectations.md | Strong vs weak output criteria |
Use ask_user_question for strategic questions when needed.
After shaping:
- Save to
.cali-product-workflow/{YYYY-MM-DD}/{_dir}/plans/spec-product_{v}.md - Do not ask about Interface Brainstorming — already decided in Phase 1 (Setup)
- Do NOT ask scope adjustment yet — this happens after Plan Critique and Gate approval (see workflow sequence below)
Workflow Sequence
After Shape Up, the workflow proceeds:
Shape Up
↓
Plan Critique (pre-flight check)
↓
Plannotator (Gate — visual approval)
↓
Scope Adjustment (ask) ← HERE scope happens
↓
Interface Brainstorming (if selected)
Note: Scope Adjustment comes AFTER Gate approval, not before.
Scope Adjustment (after Gate approval)
This section executes after Plannotator Gate approval (not immediately after shaping).
When triggered by the orchestrator:
Show the IN/OUT scope table. Ask:
- Remove from IN? —
ask_user_questionmultiSelect with current IN scopes - Add to IN? —
ask_user_questionmultiSelect with OUT scope items
ask_user_question({
questions: [
{
question: "What should be REMOVED from IN scope? (select none to keep current)",
header: "Remove IN",
multiSelect: true,
options: [
{ label: "{IN scope item 1}", description: "{description}" },
{ label: "{IN scope item 2}", description: "{description}" }
]
},
{
question: "What should be ADDED to IN scope? (select none to keep current)",
header: "Add to IN",
multiSelect: true,
options: [
{ label: "{OUT scope item 1}", description: "{description}" },
{ label: "{OUT scope item 2}", description: "{description}" }
]
}
]
})
If user removes items: update spec
If user adds items: create spec-product_{v+1}.md (user is aware)
If user selects nothing: proceed without changes
Note: No Plannotator re-run — ask tool already confirms selections.
Output
The shaped proposal is saved to:
.cali-product-workflow/{YYYY-MM-DD}/{_dir}/plans/spec-product_{v}.md
See references/proposal-structure.md for the expected output format.
Related Skills
- cali-product-workflow: Coordinates this skill with other phases
- cali-interface-brainstorm: Interface exploration after shaping
- cali-plan-critique: Plan review after shaping
Environment Adaptation
If a tool is unavailable, check:
../../../cali-product-workflow/references/cli-tools/
Related Skills
renatocaliari/pocketbase
development
VerifiedTrustedCommunity
PocketBase v0.39+ development - API rules, auth, collections, SDK, realtime, files, Go/JS extending, deployment, production tuning.
1SKILL.mdUpdated Jun 7, 2026
renatocaliari/cali-lat-md-seed
tools
VerifiedTrustedCommunity
Auto-initialize structured documentation for any project using lat.md (knowledge graph of markdown files with [[wiki links]], // @lat: code refs, and semantic search). Detects cali-product-workflow artifacts (spec-product.md, spec-tech.md, critiques) and uses them as seed material. Falls back to extracting business rules, architecture, and design decisions directly from the codebase. Use when a project lacks structured documentation or when lat.md/ is missing. After seeding, lat.md extension hooks keep documentation alive automatically.
1SKILL.mdUpdated Jun 2, 2026
renatocaliari/cali-ops-server-security
testing
VerifiedTrustedCommunity
[Cali] Server security audit and hardening for private servers behind Tailscale. Use when: auditing server security, hardening SSH/firewall/Docker, checking for vulnerabilities, setting up fail2ban, reviewing port exposure, or responding to security alerts. Covers 6 layers: CloudFlare, UFW, Tailscale, SSH, Docker, Application. Triggers: "server security", "security audit", "harden server", "SSH hardening", "firewall rules", "UFW config", "fail2ban", "port security", "Docker security", "vulnerability check", "security review".
1SKILL.mdUpdated May 30, 2026
renatocaliari/cali-ops-package-audit
tools
VerifiedTrustedCommunity
Run supply chain security scans before installing packages or before releases. Triggers when: user installs a package (npm, pip, go get, brew), user asks to 'scan dependencies', 'check vulnerabilities', 'supply chain', 'security audit', 'run trivy', 'run socket', or before any release/deployment. Also triggers on mentions of: socket.dev, trivy, OSV-scanner, dotenvx, CVE, dependency audit. Covers all four tools with concrete commands.
1SKILL.mdUpdated May 30, 2026