Jeden Skill in Manus ausführen
mit einem Klick

Jeden Skill in Manus mit einem Klick ausführen

dependency-discipline

Sterne1

Forks0

Aktualisiert30. Mai 2026 um 02:39

The "no invaders" gate for Synthex. The ship already carries everything it needs. NEVER add a new npm dependency, external SaaS, framework, datastore, or auth system to solve a problem an existing system already solves — adding one is a CEO-gated decision. ALWAYS prove the capability isn't already present (grep package.json, lib/, the skills list, Vercel env) before integrating anything new. Activate on ANY request to "add a package / install / npm i / integrate X / we need a tool / use library Y / add a provider / new database".

Installation

Mit Codex oder Claude installieren Kopieren Sie diesen Prompt, fügen Sie ihn in Codex, Claude oder einen anderen Assistant ein und lassen Sie die Skill-Seite prüfen und installieren.

In Manus ausführen

Quelle

CleanExpo

CleanExpo/Synthex

GitHub-Repository öffnen Creator-Repositorys ansehen

Download

In Manus ausführen

Verwandte BerufeSOC

Basierend auf der SOC-Berufsklassifikation

SoftwareentwicklerInformatik- und Mathematikberufe·SOC 15-1252

SKILL.md

readonly

name	dependency-discipline
description	The "no invaders" gate for Synthex. The ship already carries everything it needs. NEVER add a new npm dependency, external SaaS, framework, datastore, or auth system to solve a problem an existing system already solves — adding one is a CEO-gated decision. ALWAYS prove the capability isn't already present (grep package.json, lib/, the skills list, Vercel env) before integrating anything new. Activate on ANY request to "add a package / install / npm i / integrate X / we need a tool / use library Y / add a provider / new database".
metadata	{"author":"synthex","version":"1.0","type":"governance-skill","triggers":["add a package","npm install","npm i","install a library","new dependency","integrate","we need a tool","add a provider","new database","new framework"],"requires":[],"context":"fork"}

Dependency Discipline — no invaders board this ship

A new dependency is a passenger you feed forever: bundle size, serverless cold-starts, a CVE surface, a migration tax, and one more thing that can break a paying client's product. The default answer to "let's add X" is NO — because the ship almost certainly already carries something that does it.

The rule

Before adding ANY new npm package, external SaaS, framework, datastore, or auth system:

Prove it isn't already here (the checklist below). If it is — use it.
If a wired-up capability is close, extend it rather than add a rival.
If it is genuinely new and necessary, it is a CEO-gated decision — surface the trade-off (what it buys, bundle/cold-start cost, the maintenance tax, the alternative we already own) and wait for explicit human approval. Log the decision.

There is exactly one auth system (Supabase), one ORM (Prisma), one deploy target (Vercel + Railway). Do not add a second of anything that already exists.

What the ship already carries (check here first)

Need	Already wired — use this
Auth / sessions	Supabase (only auth — never NextAuth/Clerk/Auth0/custom)
Database / ORM	Supabase Postgres + Prisma 7 (+ pgvector for embeddings)
Hosting / cron / OG / ISR	Vercel; long-running services on Railway
LLMs	Anthropic, OpenAI, OpenRouter, Google/Gemini, Perplexity (keys in Vercel env)
AI voice (TTS / clone)	ElevenLabs (`lib/services/ai/voice-generation.ts`)
AI avatar video	HeyGen (`lib/marketing-agency/heygen`, `heygen-avatar` skill)
Video render / assembly	Remotion + FFmpeg + Playwright (`lib/video`, `video-engine`)
Web scrape	Firecrawl (`@mendable/firecrawl-js`) → native fetch fallback
Email	Resend + SendGrid (`lib/email/queue.ts`)
Billing	Stripe
Cache / queue / rate-limit	Redis / Upstash + BullMQ (`lib/rate-limit`, `lib/email/queue`)
Social distribution	9 platforms wired (`lib/social`) — twitter, linkedin, instagram, facebook, tiktok, youtube, pinterest, reddit, threads
Search / local SEO	GSC + GBP integrations (`lib/google`, `google-*` skills)
Errors	Sentry (client-side; server-side capture is intentionally off — use structured logging via `serializeError`)
State (frontend)	React hooks + Server Components — never Redux/Zustand
Data fetching (client)	SWR with `credentials:'include'`
Validation	Zod
UI	Radix + shadcn/ui + Tailwind

Before-you-add checklist

grep -i "<capability>" package.json            # already a dependency?
grep -rli "<capability>" lib app                # already wired in code?
npx vercel env ls | grep -i "<provider>"        # already have the keys/account?
# and scan the skill list — a specialist skill may already own this domain

If any hit → the capability exists. Use it. Stop.

Hard NO (these are settled — do not re-litigate)

❌ A second auth / email / voice / video / LLM-gateway provider when one is wired.
❌ Redux, Zustand, tRPC, GraphQL, Server Actions for mutations — absent by design; mutations go through API routes (architecture-enforcer).
❌ Any non-Supabase auth (NextAuth, Clerk, Auth0, custom JWT issuance).
❌ A new ORM / query builder / migration tool alongside Prisma.
❌ pnpm/yarn — this project uses npm.
❌ Heavy deps that blow the 50 MB serverless function limit or the cold-start budget.

When new genuinely IS justified

Rare, and always: (1) the checklist confirms nothing existing fits, (2) the cost is named (bundle, cold-start, CVE surface, maintenance), (3) the alternative-we-own is named and rejected for a concrete reason, (4) explicit CEO approval, (5) pinned exact version, (6) the decision logged. Then — and only then — it boards.

A comprehensive, advanced system isn't the one with the most packages. It's the one that does the most with the fewest moving parts it already trusts.

Mehr aus diesem Repository

gleiches Repository

north-star

CleanExpo/Synthex

The engineering navigation layer for Synthex — holds the mission, the current course, the rules of the ship, and routes work to the right existing specialist. Load at the START of any planning, prioritisation, "what's next", roadmap, scope, or new-feature decision. NEVER let work drift off the critical path or add capabilities the ship already carries (see dependency-discipline). NEVER claim done without the verification gate. NEVER merge to production or change prod data without a human gate. ALWAYS trace a task to the NorthStar, the live Linear epic, and an existing system before writing code.

2026-06-241

playwright-cli

CleanExpo/Synthex

Authenticated browser automation for Synthex — drive real Chrome to log in, screenshot, and audit dashboard/integration surfaces. Use for live visual verification, "audit the dashboard", "check what's connected", or closing the verification gate on /dashboard/* routes. Two backends: the Playwright MCP server (interactive, in-session tools) and the committed CLI scripts (scripts/browser/*.mjs, reliable + headless). RUNS WHERE THE BROWSER + NETWORK + AUTH EXIST — i.e. a local machine, not a network-restricted sandbox.

2026-06-241

api-testing

CleanExpo/Synthex

Synthex API testing enforcer. NEVER mock the database in integration tests — use real Supabase. NEVER skip the 401 (unauthenticated) or 403 (wrong org) test cases. NEVER use pnpm. ALWAYS structure tests as: 401 → 403 → 400 → 200/201 happy path. Activate on ANY request to write API tests, validate endpoints, add test coverage, or check test quality.

2026-06-231

database-prisma

CleanExpo/Synthex

Synthex database operations enforcer. NEVER use prisma db push for schema changes — use migrate diff + db execute. NEVER add non-nullable columns without defaults. NEVER write Prisma queries without organizationId scope. ALWAYS use backward-compatible migrations and validate with prisma validate first. Activate on ANY request to change schema, write a query, create a migration, add a model, or modify database operations.

2026-06-231

design

CleanExpo/Synthex

Synthex design system enforcer. NEVER use Inter as a heading font, purple (#8B5CF6) gradients on white, or generic glassmorphism without Synthex tokens. ALWAYS use Space Grotesk headings, #f97316 brand orange, #0f172a slate background, and the Synthex glass token set. Activate on ANY request involving UI, components, styling, layout, visual design, colour, typography, spacing, shadows, animations, or anything a user will see on screen.

2026-06-231

security-hardener

CleanExpo/Synthex

Synthex security posture enforcer. NEVER apply generic OWASP checklists without grounding in Synthex's specific threat model. NEVER suggest any auth system other than Supabase. ALWAYS audit: SSRF via validateExternalUrl, JWT tier elevation via resolveVerifiedTier, CORS via CORS_ORIGIN exact-match, org-scope bypass in Prisma. Activate on ANY request to harden security, audit vulnerabilities, review auth patterns, check for injection risks, or assess an attack surface.

2026-06-231

name	dependency-discipline
description	The "no invaders" gate for Synthex. The ship already carries everything it needs. NEVER add a new npm dependency, external SaaS, framework, datastore, or auth system to solve a problem an existing system already solves — adding one is a CEO-gated decision. ALWAYS prove the capability isn't already present (grep package.json, lib/, the skills list, Vercel env) before integrating anything new. Activate on ANY request to "add a package / install / npm i / integrate X / we need a tool / use library Y / add a provider / new database".
metadata	{"author":"synthex","version":"1.0","type":"governance-skill","triggers":["add a package","npm install","npm i","install a library","new dependency","integrate","we need a tool","add a provider","new database","new framework"],"requires":[],"context":"fork"}

Dependency Discipline — no invaders board this ship

The rule

Before adding ANY new npm package, external SaaS, framework, datastore, or auth system:

Prove it isn't already here (the checklist below). If it is — use it.
If a wired-up capability is close, extend it rather than add a rival.
If it is genuinely new and necessary, it is a CEO-gated decision — surface the trade-off (what it buys, bundle/cold-start cost, the maintenance tax, the alternative we already own) and wait for explicit human approval. Log the decision.

There is exactly one auth system (Supabase), one ORM (Prisma), one deploy target (Vercel + Railway). Do not add a second of anything that already exists.

What the ship already carries (check here first)

Need	Already wired — use this
Auth / sessions	Supabase (only auth — never NextAuth/Clerk/Auth0/custom)
Database / ORM	Supabase Postgres + Prisma 7 (+ pgvector for embeddings)
Hosting / cron / OG / ISR	Vercel; long-running services on Railway
LLMs	Anthropic, OpenAI, OpenRouter, Google/Gemini, Perplexity (keys in Vercel env)
AI voice (TTS / clone)	ElevenLabs (`lib/services/ai/voice-generation.ts`)
AI avatar video	HeyGen (`lib/marketing-agency/heygen`, `heygen-avatar` skill)
Video render / assembly	Remotion + FFmpeg + Playwright (`lib/video`, `video-engine`)
Web scrape	Firecrawl (`@mendable/firecrawl-js`) → native fetch fallback
Email	Resend + SendGrid (`lib/email/queue.ts`)
Billing	Stripe
Cache / queue / rate-limit	Redis / Upstash + BullMQ (`lib/rate-limit`, `lib/email/queue`)
Social distribution	9 platforms wired (`lib/social`) — twitter, linkedin, instagram, facebook, tiktok, youtube, pinterest, reddit, threads
Search / local SEO	GSC + GBP integrations (`lib/google`, `google-*` skills)
Errors	Sentry (client-side; server-side capture is intentionally off — use structured logging via `serializeError`)
State (frontend)	React hooks + Server Components — never Redux/Zustand
Data fetching (client)	SWR with `credentials:'include'`
Validation	Zod
UI	Radix + shadcn/ui + Tailwind

Before-you-add checklist

grep -i "<capability>" package.json            # already a dependency?
grep -rli "<capability>" lib app                # already wired in code?
npx vercel env ls | grep -i "<provider>"        # already have the keys/account?
# and scan the skill list — a specialist skill may already own this domain

If any hit → the capability exists. Use it. Stop.

Hard NO (these are settled — do not re-litigate)

❌ A second auth / email / voice / video / LLM-gateway provider when one is wired.
❌ Redux, Zustand, tRPC, GraphQL, Server Actions for mutations — absent by design; mutations go through API routes (architecture-enforcer).
❌ Any non-Supabase auth (NextAuth, Clerk, Auth0, custom JWT issuance).
❌ A new ORM / query builder / migration tool alongside Prisma.
❌ pnpm/yarn — this project uses npm.
❌ Heavy deps that blow the 50 MB serverless function limit or the cold-start budget.

When new genuinely IS justified

A comprehensive, advanced system isn't the one with the most packages. It's the one that does the most with the fewest moving parts it already trusts.