Skip to main content
Jeden Skill in Manus ausführen
mit einem Klick
GitHub-Repository

grc_library

grc_library enthält 19 gesammelte Skills von jposluns, mit Repository-Berufsabdeckung und Skill-Detailseiten auf SkillsMP.

gesammelte Skills
19
Stars
2
aktualisiert
2026-07-12
Forks
0
Berufsabdeckung
4 Berufskategorien · 100% klassifiziert
Repository-Explorer

Skills in diesem Repository

guardrail-review
Sonstige Computerberufe

When the governance machinery itself (the rules, skills, and audit gates that keep a governed codebase honest, plus their wiring surfaces) needs a structural-integrity review, run this skill. It is the periodic guard-rail review: a judgment-based pass over the machinery for overlap (two rules or gates covering the same ground), gap (a stated discipline no gate enforces, a recurring failure mode no rule names), and drift (a rule, skill, or gate whose intent has diverged across its wiring surfaces in a way the mechanical parity gates cannot detect, because they check identity and count, not meaning). Maintainer-triggered, and auto-prompted after any PR that adds, removes, or renames a rule, skill, or gate. Catches the architectural erosion the per-PR and corpus-content sweeps are not built to see. Slash command `/guardrails`.

2026-07-12
change-tracking-write-entry
Softwareentwickler

Composes a CHANGELOG entry (substantive or terse form) for a PR. Use when about to commit, open a PR, or finalize a change. Every PR carries an entry, even if terse; there is no skip path. The entry's required parts (date-and-version header, structured Keep a Changelog sections for substantive entries, file references as markdown links, the "why" not just the "what", verification evidence, phase context) are walked step by step so an entry that would fail the link-coverage gate, the version-monotonicity audit, or the D1 delta gate is caught at the draft stage rather than at CI.

2026-07-11
deep-assessment
Softwarequalitätssicherungsanalysten und -tester

Maintainer-invoked, rare-cadence whole-project deep assessment. Runs the full layered examination of the library and its own quality machinery from a fresh session, composing the existing semantic instruments (/validate, /full-qa, /fitness, /matrix-fit, /claim-fit, /reference-audit, /screen-publications, /guardrails) by invocation and adding the lenses the routine cadence does not apply to itself, gate-efficacy probing (mutation and blind-spot analysis), ground-truth citation sampling, adoptability and pipeline-integrity review, and a QA-ledger meta-audit. Multi-session and re-entrant: a durable register carries phase state across session boundaries, every confirmed finding is routed tiered with none dropped, and the pass terminates only on explicit maintainer sign-off, never on an empty finding set.

2026-07-10
deep-qa-review
Softwarequalitätssicherungsanalysten und -tester

Trust-recovery deep quality-assurance pass. A six-subagent forensic review specialized for AI-failure-pattern classes, run over a defined PR window plus the files those PRs reference, when an AI coding assistant's discipline failures (abbreviated QA, skipped post-commit audits, wrong-cadence timers, inferred-not-validated premises) call for a white-box re-examination beyond the routine per-PR and periodic sweeps. Slash command `/full-qa`. Pairs with `library-fitness-review` (`/fitness`): deep-qa-review is one deeply-contextualized lens tuned to how AI assistants fail; fitness is ten context-stripped persona lenses. Together they form the trust-recovery escalation tier. Findings route to the project backlog tiered by severity (High[critical]/High to the top-priority tier, Medium/Low to the next tier), none dropped, for maintainer triage; the pass terminates on explicit maintainer sign-off, not on an empty finding-set.

2026-07-09
library-fitness-review
Softwarequalitätssicherungsanalysten und -tester

Trigger a comprehensive whole-corpus library-fitness review with ten persona reviewers when a governance/security documentation library undergoes a major change (new domain dir, new document type, multiple governance rule additions, major restructure) or quarterly minimum. Each invocation dispatches a fan-out of independent persona subagents (executive, security practitioner, GRC practitioner, auditor, policy editor, process owner, skeptical reader, adoption practitioner, privacy officer, newcomer) who review every page from a fresh-reader perspective without inheriting maintainer mental models. Catches comprehensibility, usability, logical-structure, standardization, governance/security quality, auditability, maintainability, and reader-experience gaps that per-PR validation sweeps and mechanical audit gates do not detect. Surfaces prioritized recommendations and a discrete remediation backlog the maintainer drives through subsequent PRs.

2026-07-09
pr-retrospective
Softwareentwickler

Post-merge retrospective on each successful PR. Surfaces what went well, what caused friction, recurring patterns, and proposed improvements. Output is one entry per PR in the improvement-log register; recurring patterns become candidates for pack-rule updates, worker-brief template additions, or new audit gates. Invoke after `/validate-pr` returns and before the next-PR planning step.

2026-07-09
claim-fit
Softwareentwickler

Cadenced citation-precision audit of normative-attribution claims. Catches the gate-blind FR-120 class, "attributed value, silent source": a sentence ties a specific value (a retention period, a clock, a threshold) to a named normative source, the source exists and the citation is well-formed (so the existence and citation gates pass), but the source does not actually prescribe the attributed value. Run the one-time full Tier-A pass at adoption, then ad-hoc when a claim is in doubt and after any batch that adds or edits normative-value claims. It dispatches a semantic judge over the tiered worklist that `tools/audit-claim-precision.py` produces, adjudicating each claim against the held source TEXT in the reference base, then routes confirmed misattributions. It catches what the existence gates structurally cannot: claim precision needs a read of the source clause, not a source-exists check.

2026-07-09
matrix-fit
Projektmanagementspezialisten

Cadenced semantic-fit audit of the compliance matrix and per-document framework-alignment tables. Catches the gate-blind "valid code, wrong control" class: a control identifier that EXISTS in its catalogue (so the existence gates 48/49/54/58/61 pass it) but is the WRONG control for the row's document. Run after each FR-167 matrix-expansion batch, once at matrix completion, and ad-hoc when a control-code citation is in doubt. It dispatches a semantic judge over the recall-oriented worklist that `tools/audit-matrix-semantic-fit.py` produces, adjudicating each cited code against the source control TITLE in the reference base, then routes confirmed mismatches. It catches what the existence-and-membership gates structurally cannot: semantic fit needs a read of the source title, not a catalogue-membership check.

2026-07-07
fresh-reader-validation
Softwareentwickler

Before declaring a new or substantively-revised governance document complete, dispatch a fresh subagent with no session context to read the document and surface tacit-context gaps (ambiguous terms, missing definitions, implicit assumptions, unresolved references that the author knows but did not write down). Catches the failure mode the author cannot catch directly: the "I know what I meant" blind spot that fills the document's gaps invisibly during authoring.

2026-07-04
validation-sweep-pr-scoped
Softwarequalitätssicherungsanalysten und -tester

PR-scoped validation sweep. Runs after every successful PR merge to catch issues the merge introduced before they compound across subsequent PRs. Dispatches Subagent A (recent-PR deep review) scoped to the just-merged PR's diff plus a lightweight cross-reference check for files cited by other documents. Complements the corpus-wide `validation-sweep` skill (`/validate`): `/validate-pr` is fast and runs after every merge; `/validate` is comprehensive and runs every 10 merges or maintainer-triggered. The two skills together cover both per-PR drift (caught fast) and corpus-wide drift (caught broadly).

2026-07-04
validation-sweep
Softwarequalitätssicherungsanalysten und -tester

Corpus-wide regression sweep run as a follow-up after any issue is identified and corrected, to confirm no sibling issue remains anywhere in the repository. Invoke after fixes that touch multi-surface artefacts, gate inventories, prose claims about repo state, AI-inferred citations, or generated artefacts. Combines the mechanical audit suite with a structured semantic fan-out, and loops until clean.

2026-07-04
action-before-explanation-of-inaction
Softwareentwickler

Grounds explanations of why an external action cannot or will not proceed in a real tool result, not in inference. Use before writing any clause of the form "X is blocked / waiting on / requires / needs / would fail" attached to an external action you have not attempted this turn. Use when about to explain why a PR cannot merge, why CI is waiting, why a deploy is held, why a permission is missing, or why any external system step is not proceeding. The safe action is attempted before the explanation is written; destructive actions are named and asked, not guessed at.

2026-07-02
citation-quote-verification
Softwareentwickler

Before any completion claim on a change that touches a document containing external-source citations (verbatim quotes, paraphrased synthesis, or framework references with article / section / clause locators), verify each citation's text against the cited source at the cited location. Catches the failure mode where a confidently-cited quote does not actually appear in the source, or a paraphrase mis-represents the source's meaning. Catches what the mechanical citation linters (format and currency) cannot reach: quote-to-source correspondence.

2026-07-02
clarify-before-acting
Softwareentwickler

Surfaces ambiguity in one sentence and asks before acting, rather than silently picking. Use when a request supports more than one reasonable interpretation, when an external value the request does not pin down is required, when a project-specific convention must be chosen, or when an unexpected state of the world is encountered.

2026-07-02
evidence-grounded-completion
Softwareentwickler

Verifies completion claims with evidence before declaring done. Use before stating "done", "complete", "fixed", "shipped", "ready", or any synonym. Use when wrapping up a unit of work and about to summarize to the user. Use when about to acknowledge a user-reported issue with "good catch". Use also before asserting a factual property of an artefact you have not read (a state assertion in research, assessment, planning, or review), not only at completion.

2026-07-02
gate-discipline-diagnose
Softwareentwickler

Diagnoses a failing CI gate, lint, or audit and fixes the artefact rather than weakening the gate. Use when a gate fails. Use when tempted to bypass a check with --no-verify, blanket suppression, severity-threshold lowering, or exemption-list addition. Use when a pre-commit hook blocks a commit. Use when a required status check on a PR shows red.

2026-07-02
skill-authoring-discipline
Softwareentwickler

When adding a new skill to the `dev-security/claude-rules/skills/` pack, or when substantively revising an existing skill's structure or frontmatter, apply the pack's established eight-section structural template (YAML frontmatter with `derives_from`, Overview, When-to-Use, Process, Red Flags, Verification, Common Rationalizations, See Also) and validate trigger-accuracy with representative positive, negative, and boundary prompts. Catches structural drift across pack skills that accumulates silently as the pack grows: section compression, missing cross-references, missing rationalizations table, vague description wording. The mechanical gate 32 only verifies `derives_from` resolution; everything else relies on authorial discipline that this skill codifies.

2026-07-02
high-assurance-verification
Sonstige Computerberufe

Run the heavier pre-apply verification harness for a SENSITIVE change, one that is gate-blind on correctness (a fit or semantic property no existence gate can check), delicate at scale (a wide reshape or bulk mapping where a hand-edit is itself a defect risk), and costly to get wrong (a cited or downstream-relied-on artefact). Use before applying such a change, when the maintainer directs absolute-integrity rechecking, or when resuming a sensitive item left open in the register. It composes research fan-out, a mechanical signal pass over the negatives, two independent adversarial verifiers (false-negative and false-positive lenses, blind to each other and to the research), a programmatic invariant floor, and a deterministic scripted apply plus re-parse, so apply-correctness does not rest on the orchestrator's in-context precision. It catches the plausible-but-wrong value that survives every existence gate because the gate confirms the value is well-formed, not that it is right.

2026-06-29
artefact-discipline-check
Sonstige Computerberufe

Routes a change through the correct workflow when the change touches a generated artefact or a protected branch. Use before hand-editing a file that is produced by a generator (build outputs, schema dumps, taxonomies, doc portals, scorecards, lockfiles). Use before pushing directly to, force-pushing, or `reset --hard`ing a protected branch (the default branch, release branches, long-lived integration branches). Use when CI flags generated-artefact drift or a protected-branch operation. The workflow redirects to "edit source, run the generator, commit both halves" or "open a PR through the documented merge mechanism", never to "hand-edit the artefact" or "force-push past the check".

2026-06-22