| name | project-bootstrapper |
| description | Universal meta-skill that bootstraps ANY software project regardless of programming language. Auto-generates 15-30+ hyper-detailed, project-specific coding skills BEFORE writing code. Language-agnostic: works with TypeScript, Python, Go, Rust, Java, C#, Swift, Kotlin, PHP, Ruby, and polyglot projects. AGGRESSIVE version enforcement: EVERY technology version MUST be verified via real-time lookup ā never use memorized versions. Generates skills for architecture, security, performance, privacy, testing, error handling, accessibility, observability, data modeling, API design, DevOps. Each skill enforces zero-bug standards with concrete code examples, anti-patterns, and measurable budgets. Triggers on: "bootstrap", "new project", "start project", "create project", "set up", "generate skills" ā use BEFORE any code exists.
|
Project Bootstrapper
Philosophy: Define how code must be written before writing any code. Bugs are prevented at design time, not discovered at runtime.
This is a meta-skill ā it does not write application code. It generates the rules, patterns, guardrails, and quality standards that govern all code written afterward, by any developer or AI assistant.
How It Works
[Idea] ā [Interview] ā [Tech Stack] ā [Skill Map] ā [Generate Skills] ā [Validate] ā [Code]
Activation
This skill activates when:
- User describes a new software project idea
- User says "bootstrap", "new project", "start from scratch", "set up project"
- User wants to generate a skill suite for an existing codebase
- User asks for coding standards, project scaffolding, or development guardrails
- Any context where skills should be created before development begins
Important: Read References First
Before generating ANY skills, you MUST read these reference files in order:
references/skill-catalog.md ā Full catalog of 40+ skill domainsreferences/skill-template.md ā Universal template every skill must followreferences/generation-guide.md ā Domain-specific generation instructions with codereferences/quality-standards.md ā Quality checklist for generated skillsreferences/cross-cutting-concerns.md ā Rules that span all skills
Phase 1: Project Intelligence Gathering
1.1 ā Understand the Idea
Extract or ask about:
What (Product):
- What does this project do? (one sentence)
- What type is it? (web app, mobile app, desktop app, CLI, library/SDK, API service, browser extension, IoT, embedded, game, data pipeline, ML platform, monorepo with multiple products)
- Who is the end user? (developers, consumers, enterprise, internal team)
- What is the revenue model? (open-source, freemium, SaaS subscription, one-time purchase, marketplace, ad-supported, enterprise license)
How Big (Scale):
- Expected users at launch? At 12 months?
- Data volume? (records, files, events/sec, storage)
- Geographic scope? (single region, continental, global)
- Availability requirement? (99.9%, 99.95%, 99.99%)
How (Constraints):
- Required technologies? (must use React, must deploy on AWS, etc.)
- Existing codebase? (greenfield vs brownfield)
- Team size? (solo, small team 2-5, medium 5-15, large 15+)
- Timeline? (hackathon/weekend, MVP in weeks, production in months)
- Budget constraints? (free tier only, moderate, enterprise)
- Compliance requirements? (GDPR, HIPAA, SOC2, PCI-DSS, COPPA, CCPA)
If the user already provided details, extract answers from their message instead of asking. Only ask what's missing and genuinely needed to make tech stack decisions.
1.2 ā Determine Tech Stack
Based on the answers, recommend a complete tech stack.
š MANDATORY: Version Research (Latest Stable) ā ZERO TOLERANCE
This is NON-NEGOTIABLE. Before proposing ANY technology, you MUST verify its latest stable version via real-time lookup.
ā ļø CRITICAL: AI models have knowledge cutoffs. Package ecosystems evolve daily. A skill generated with outdated versions will produce vulnerable, deprecated code.
Research Protocol (execute for EVERY technology):
-
Use available tools (in priority order):
WebSearch: "{package} latest stable version {current_year}"WebFetch: Official docs site (e.g., nextjs.org, python.org, go.dev)- Context7:
resolve-library-id ā query-docs for changelog
- Package registry: npmjs.com, pypi.org, crates.io, pkg.go.dev, maven.apache.org
-
Extract exact version:
- Format:
Major.Minor.Patch (e.g., Next.js 16.1.0)
- Verify it's STABLE (not alpha, beta, RC, canary, nightly)
- Note release date ā reject if >6 months old without updates
-
Document verification:
Technology: Next.js
Version: 16.1.0
Verified via: nextjs.org/blog
Verification date: 2026-03-09
Release date: 2026-02-15
Node requirement: >= 22.0.0
HARDCORE RULES:
- ā
MUST: Verify EVERY dependency, not just frameworks
- ā
MUST: Pin exact versions in all configs (
package.json, requirements.txt, Cargo.toml, etc.)
- ā
MUST: Use latest APIs/syntax from verified version in ALL code examples
- ā NEVER: Use memorized versions under ANY circumstance
- ā NEVER: Skip verification even for "well-known" packages
- ā NEVER: Use deprecated APIs from older versions
- ā ļø WARN: If verification fails, mark clearly:
ā ļø VERSION UNVERIFIED ā MUST CONFIRM
Abandonment Detection:
- Last commit/release >12 months = investigate alternatives
- No maintainer response to issues >6 months = red flag
- Security advisories unpatched >30 days = DO NOT USE
Example research queries:
"next.js latest version" ā nextjs.org or npm"postgresql latest stable release" ā postgresql.org"tailwind css latest version" ā tailwindcss.com or npm- Context7: resolve library ID ā query docs for version/changelog
Tech Stack Decision Table
Organize as a layered decision table:
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā TECH STACK PROPOSAL (versions verified: {date}) ā
āāāāāāāāāāāāāāāāāā¬āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¬āāāāāāāāāāāāāāāāāāāā¤
ā Category ā Choice ā Rationale ā
āāāāāāāāāāāāāāāāāā¼āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¼āāāāāāāāāāāāāāāāāāāā¤
ā Language ā {name} {verified latest version} ā ā
ā Runtime ā {name} {verified latest version} ā ā
ā Framework ā {name} {verified latest version} ā ā
ā Database ā {name} {verified latest version} ā ā
ā ORM/Query ā {name} {verified latest version} ā ā
ā Cache ā {name} {verified latest version} ā ā
ā Auth ā {name} {verified latest version} ā ā
ā UI Library ā {name} {verified latest version} ā ā
ā CSS/Styling ā {name} {verified latest version} ā ā
ā State Mgmt ā {name} {verified latest version} ā ā
ā API Style ā {name} {verified latest version} ā ā
ā Validation ā {name} {verified latest version} ā ā
ā Testing ā {name} {verified latest version} ā ā
ā CI/CD ā {name} {verified latest version} ā ā
ā Hosting ā {name} ā ā
ā Monitoring ā {name} {verified latest version} ā ā
ā Email ā {name} {verified latest version} ā ā
ā File Storage ā {name} ā ā
ā Search ā {name} {verified latest version} ā ā
ā Queue/Jobs ā {name} {verified latest version} ā ā
ā Analytics ā {name} {verified latest version} ā ā
āāāāāāāāāāāāāāāāāā“āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā“āāāāāāāāāāāāāāāāāāāā
Only include rows relevant to the project. Each choice gets a one-line rationale.
Wait for user confirmation before proceeding. The tech stack determines everything that follows.
Language-Agnostic Version Verification Matrix
For EVERY language, verify these tool versions:
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā LANGUAGE ā CORE VERSION ā PACKAGE MANAGER ā LINTER ā TESTER ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā TypeScript ā Latest Node ā npm/pnpm 10+ ā ESLint 9+ ā Vitest 3+ ā
ā Python ā 3.12+ ā pip/uv ā Ruff 0.9+ ā pytest 8+ ā
ā Go ā 1.24+ ā go modules ā golangci ā go test ā
ā Rust ā Latest ā cargo ā clippy ā cargo test ā
ā Java ā 21 LTS ā Maven/Gradle ā checkstyle ā JUnit 5 ā
ā Kotlin ā 2.1+ ā Gradle ā ktlint ā Kotest ā
ā C# ā .NET 9+ ā NuGet ā analyzers ā xUnit ā
ā Swift ā 6.0+ ā SwiftPM ā swiftlint ā XCTest ā
ā PHP ā 8.4+ ā Composer 2+ ā PHPStan 2+ ā PHPUnit 11+ ā
ā Ruby ā 3.4+ ā Bundler ā RuboCop ā RSpec ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
Polyglot Projects: Generate separate {language}-standards skills for each language.
1.3 ā Generate Skill Map
Based on confirmed tech stack, produce a skill map ā the complete list of skills to generate. Read references/skill-catalog.md for the full domain catalog.
Mandatory skills (generated for every project):
project-architecture ā folder structure, module boundaries, naming{language}-standards ā language-level coding rulessecurity-hardening ā defense in depth, input/output, secrets, depserror-handling ā error hierarchy, propagation, recoverydata-validation ā schema validation, sanitization, boundariestesting-strategy ā test types, coverage, mocking, fixturesperformance-optimization ā budgets, profiling, caching, lazy loadinggit-workflow ā branches, commits, PRs, releasesdocumentation-standards ā code docs, API docs, READMs, ADRsprivacy-compliance ā PII handling, data lifecycle, consent, GDPR/CCPAdependency-management ā versioning, auditing, update policy, lockfiles
Conditional skills (generated when the project needs them):
{framework}-patterns ā framework-specific conventionsdatabase-design ā schema, migrations, indexing, queriesapi-design ā endpoints, versioning, pagination, rate limitingui-engineering ā components, styling, responsive, a11ystate-management ā client/server/URL/form state patternsauth-patterns ā authn, authz, sessions, tokens, MFAdevops-pipeline ā CI/CD, environments, deployment, rollbackobservability ā logging, metrics, tracing, alertingaccessibility-standards ā WCAG compliance, ARIA, keyboard navinternationalization ā i18n, l10n, RTL, pluralizationpayment-integration ā billing, subscriptions, webhooks, PCIfile-handling ā uploads, storage, processing, CDNrealtime-system ā WebSocket, SSE, pub/sub, presenceemail-system ā transactional, templates, queue, compliancesearch-implementation ā engine, indexing, relevance, autocompletebackground-jobs ā queues, scheduling, retry, dead lettermobile-patterns ā navigation, offline, push, deep linksdesktop-patterns ā window mgmt, tray, IPC, auto-updatecli-design ā commands, args, output, config, shell completionmonorepo-management ā workspaces, boundaries, versioningai-integration ā LLM calls, prompts, streaming, cost, safetycaching-strategy ā layers, invalidation, CDN, stale-while-revalidaterate-limiting ā algorithms, tiers, headers, distributed limitingfeature-flags ā rollout, targeting, kill switches, cleanupmigration-strategy ā zero-downtime, data migrations, backward compatcontainer-orchestration ā Docker, K8s, health checks, resourcesinfrastructure-as-code ā Terraform/Pulumi, state, modulesevent-driven-architecture ā event sourcing, CQRS, sagasgraphql-patterns ā schema design, resolvers, N+1, batchingwebsocket-patterns ā connection management, rooms, reconnectionmicroservice-patterns ā service boundaries, communication, discovery
Present the skill map organized by generation layer. Wait for user confirmation.
Phase 2: Skill Generation Engine
2.1 ā Generation Order (Dependency Layers)
Generate skills in strict dependency order ā later skills can reference earlier ones:
Layer 0: project-architecture
(defines folder structure, module boundaries, naming ā everything else references this)
Layer 1: {language}-standards, git-workflow, documentation-standards
(foundational coding and process standards)
Layer 2: security-hardening, error-handling, data-validation, privacy-compliance,
dependency-management
(cross-cutting safety and quality concerns)
Layer 3: database-design, api-design, auth-patterns, caching-strategy
(data and communication layer)
Layer 4: {framework}-patterns, ui-engineering, state-management,
accessibility-standards
(presentation and interaction layer)
Layer 5: testing-strategy, performance-optimization
(quality assurance ā needs all other skills to exist first)
Layer 6: devops-pipeline, observability, container-orchestration,
infrastructure-as-code
(operations layer)
Layer 7: Domain-specific skills (payments, i18n, email, search, realtime,
background-jobs, feature-flags, AI, etc.)
(only relevant domains)
2.2 ā Skill File Structure
Every generated skill MUST produce this file tree:
{skill-name}/
āāā SKILL.md # Main instructions (< 500 lines)
āāā references/
ā āāā patterns.md # Approved patterns with full code examples
ā āāā anti-patterns.md # Forbidden patterns with severity + explanation
ā āāā checklist.md # Pre-commit/pre-merge verification checklist
āāā templates/ # (optional) Code templates, configs
āāā *.template.*
2.3 ā Content Requirements
Read references/skill-template.md for the exact skeleton. Read references/generation-guide.md for domain-specific content requirements.
Every generated skill MUST contain:
- YAML frontmatter ā name + aggressive description for reliable triggering
- Activation conditions ā exact triggers (file types, directories, user phrases)
- Project context ā references to actual project tech, paths, decisions
- Numbered core rules (15-40 per skill) ā each with rationale + code examples
- Approved patterns ā copy-pasteable code showing the right way
- Anti-patterns with severity (š“ CRITICAL / š HIGH / š” MEDIUM / š¢ LOW)
- Performance budgets ā concrete measurable numbers, not vague goals
- Security checklist ā domain-specific security verification items
- Error scenarios table ā what fails, how to detect, how to recover
- Edge cases ā documented with handling instructions
- Integration points ā how this skill connects to other generated skills
- Pre-commit checklist ā verification items before code can be committed
2.4 ā Writing Principles
- Explain the WHY: Claude and developers are smart ā reasoning > rigid commands
- Concrete over abstract: Real code examples > descriptions of code
- Project-specific: Reference actual tech choices, paths, and decisions ā never generic
- Opinionated: Pick one best approach and enforce it, don't offer menus
- Testable: Every rule must be verifiable (lint rule, test, code review check)
- Examples compile: All code examples must work if copy-pasted, no pseudocode
- Both sides: Show correct AND incorrect for every critical rule
2.5 ā Cross-Skill Consistency
After generating all skills, verify:
Phase 3: Output
3.1 ā Directory Layout
{project-root}/
āāā .claude/
ā āāā skills/
ā āāā project-architecture/
ā ā āāā SKILL.md
ā ā āāā references/
ā āāā {language}-standards/
ā ā āāā SKILL.md
ā ā āāā references/
ā ā āāā templates/
ā āāā security-hardening/
ā ā āāā SKILL.md
ā ā āāā references/
ā āāā ... (all generated skills)
ā āāā _bootstrap-manifest.json
āāā .gitignore
āāā ... (application code comes AFTER bootstrap)
3.2 ā Bootstrap Manifest
Generate _bootstrap-manifest.json:
{
"project": "{name}",
"bootstrapped_at": "{ISO-8601}",
"tech_stack": {},
"skills_generated": [
{
"name": "{skill-name}",
"path": ".claude/skills/{skill-name}/",
"layer": 0,
"depends_on": [],
"domains_covered": ["architecture", "folder-structure", "naming"]
}
],
"total_skills": 0,
"total_rules": 0,
"total_anti_patterns": 0,
"coverage": {
"security": true,
"performance": true,
"privacy": true,
"testing": true,
"accessibility": true,
"error_handling": true,
"documentation": true,
"observability": true
}
}
Phase 4: Validation
Before declaring bootstrap complete, run validation using both JavaScript and Python validators:
Validation Checklist
- Completeness ā Every tech stack component is covered by at least one skill
- Contradictions ā No two skills give conflicting advice
- Dependencies ā Every skill's
depends_on targets exist
- Coverage ā Security, performance, privacy, testing, error handling all covered
- Specificity ā Skills reference actual project names, paths, versions
- Quality ā Run validators against the generated skills
Running Validators
JavaScript/Node.js (default):
node scripts/validate_bootstrap.js .claude/skills/
node scripts/version_checker.js .claude/skills/
node scripts/check_skill_compliance.js src/
Python (alternative):
python scripts/validate_bootstrap.py .claude/skills/
python scripts/version_checker.py .claude/skills/
python scripts/check_skill_compliance.py src/
Validation Output
Present a summary table:
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā BOOTSTRAP COMPLETE ā
ā āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā£
ā Project: {name} ā
ā Skills Generated: {N} ā
ā Total Rules: {N} ā
ā Total Anti-Patterns: {N} ā
ā Security Rules: {N} ā
ā Performance Budgets: {N} ā
ā Privacy Controls: {N} ā
ā Test Requirements: {N} ā
ā āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā£
ā ā
No contradictions found ā
ā ā
All dependencies resolved ā
ā ā
Full coverage verified ā
ā ā
Validators passed ā
ā ā
Ready to code ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
Phase 5: Continuous Compliance (project-manager skill)
CRITICAL: After bootstrap, the project-manager skill ensures ongoing compliance:
What project-manager Does
- Monitors all code changes in real-time
- Validates every modification against active skills
- Blocks commits with skill violations
- Reports compliance metrics weekly
- Guides developers back to skill compliance
- Detects skill drift automatically
Tools Available
JavaScript:
node scripts/check_skill_compliance.js src/
node scripts/analyze_skill_coverage.js src/
node scripts/generate_compliance_report.js --week
Python:
python scripts/check_skill_compliance.py src/
python scripts/analyze_skill_coverage.py src/
python scripts/generate_compliance_report.py --week
Pre-Commit Hooks
Set up automated compliance checking:
cp scripts/pre-commit.example .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit
Result: Skills become active guardrails, not just documentation.
Phase 6: Handoff
After bootstrap and validation:
- Confirm all skills are generated in
.claude/skills/
- Explain the
project-manager skill will monitor compliance
- Show how to run validators (both JS and Python options)
- Demonstrate compliance checking commands
- Transition to actual development
Every file created or edited will be governed by the relevant skills automatically, enforced by the project-manager skill.
Rules for This Skill
Core Principles
- This skill generates OTHER skills ā it never generates application code
- Generated skills must be project-specific, not generic boilerplate
- When in doubt, generate MORE skills rather than fewer
- If the user's project needs a domain not in the catalog, invent a new skill for it
- Follow the user's language preference (English by default)
- The tech stack is tech-agnostic: works for TypeScript, Python, Go, Rust, Java, C#, Swift, Kotlin, PHP, Ruby, or any combination
- For polyglot projects, generate per-language skills
- Read ALL reference files before generating ANY skills
Validation Requirements
ALWAYS run validators after generation:
node scripts/validate_bootstrap.js .claude/skills/
python scripts/validate_bootstrap.py .claude/skills/
Validation must pass before declaring bootstrap complete.
Required Skills
ALWAYS generate the project-manager skill alongside other skills. It:
- Monitors compliance throughout development
- Validates code against skills in real-time
- Generates compliance reports
- Prevents skill drift
Version Verification
CRITICAL: Every technology version MUST be verified via real-time lookup:
- Use
WebSearch, WebFetch, or Context7
- Document verification source and date
- Never use memorized versions
- Verify ALL dependencies, not just frameworks
Post-Generation Checklist
Before handoff:
