一键导入
running-a-proof-of-concept
Phase 3 (Proof of Concept) deep-dive playbook — validates the Research recommendation in real Bitwarden code and drafts the ADR.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Phase 3 (Proof of Concept) deep-dive playbook — validates the Research recommendation in real Bitwarden code and drafts the ADR.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Remediate GitHub Actions action findings identified by the action-audit skill. Applies the appropriate fix per action type — `@main` ref for internal `bitwarden/` actions, full SHA with inline version comment for external actions, or full replacement — across selected repos and creates draft PRs. Run the action-audit skill first to identify findings before using this skill. <example> User: Go ahead and fix the unpinned actions from the audit Action: Trigger action-remediate to apply fixes and create PRs </example> <example> User: Replace tj-actions/changed-files with the safe version across those repos Action: Trigger action-remediate to swap the action and create PRs </example>
Apply fixes for workflow linter findings identified by the workflow-audit skill. Applies mechanical fixes automatically, pauses for judgment calls, verifies with a re-lint, and creates draft PRs. Run the workflow-audit skill first to identify findings before using this skill. <example> User: Go ahead and fix the linter findings from the audit Action: Trigger workflow-fix to apply fixes and create PRs </example> <example> User: Fix the workflow linter issues in server and clients Action: Trigger workflow-fix for those repos </example>
Use this skill when a PR diff contains changes to dependency manifest files (package.json, .csproj, Cargo.toml, go.mod, requirements.txt, etc.) or when reviewing Renovate/Dependabot bot PRs. Evaluates new dependencies for AppSec approval process compliance, major version bump significance, lock file hygiene, and dependency removal completeness. Does NOT perform deep security or license analysis — that is handled by the bitwarden-security-engineer plugin's reviewing-dependencies skill.
Perform a rigorous, multi-agent code review with architecture-compliance, parallel quality/security analysis, finding validation, and severity audit. Use when the user asks for a structured, deep, thorough, multi-pass, or multi-agent code review — or a review that includes architecture/pattern compliance, confidence-scored findings, or a severity audit. Use when the user asks for a code review across a commit range, time window, or N most recent commits in a locally checked-out repo.
Decompose a breakdown Plan into a tasks.md document with one entry per future Jira work item. Also handles resumption against a partly-drafted task list. Triggers: "decompose into tasks", "draft the tasks section", "break this into stories", "split into Jira tickets", "fill in the tasks table", "continue task decomposition".
Resolve open design questions, then capture what's being built into the Specification section of a Bitwarden Tech Breakdown. Use after a breakdown document has been created in its empty state or resuming a partly-resolved specification. Triggered by phrasings such as "understand the work", "define breakdown scope", "write the breakdown spec", "develop the specification", "continue the breakdown spec".
| name | running-a-proof-of-concept |
| description | Phase 3 (Proof of Concept) deep-dive playbook — validates the Research recommendation in real Bitwarden code and drafts the ADR. |
| when_to_use | Use when Research has produced an approved recommendation and the shepherd is validating it in real code before Scoping. Triggers — "PoC time", "building the PoC", "drafting the ADR". Not for the High-Level Architecture Plan (use `scoping-and-handing-off-to-teams`) or cross-team coordination (use `coordinating-implementation-across-teams`). |
| allowed-tools | Skill, mcp__plugin_bitwarden-atlassian-tools_bitwarden-atlassian__get_issue, mcp__plugin_bitwarden-atlassian-tools_bitwarden-atlassian__get_issue_comments, mcp__plugin_bitwarden-atlassian-tools_bitwarden-atlassian__get_issue_remote_links, mcp__plugin_bitwarden-atlassian-tools_bitwarden-atlassian__search_issues, mcp__plugin_bitwarden-atlassian-tools_bitwarden-atlassian__get_confluence_page, mcp__plugin_bitwarden-atlassian-tools_bitwarden-atlassian__get_confluence_page_comments, mcp__plugin_bitwarden-atlassian-tools_bitwarden-atlassian__search_confluence, mcp__plugin_bitwarden-atlassian-tools_bitwarden-atlassian__search_confluence_cql |
Phase 3 (Proof of Concept) deep-dive playbook for an initiative shepherd. Deliverables: one or more PRs that demonstrate the recommended pattern in real Bitwarden code, Architecture Council review, and a draft ADR in the centralized contributing-docs repository (not per-repo). Time budget: 2–4 weeks, 40–80 hours of shepherd time. PoCs that stretch past 4 weeks usually signal either the wrong scope (too ambitious) or the wrong approach (the recommendation isn't working).
Three things, in order:
If the PoC doesn't accomplish all three, the next phase will pay for it.
This is the highest-leverage decision in the phase. The funnel doc's guidance: representative but contained, ideally ~1–5 files or one module that demonstrates the key patterns.
How to choose:
Once selected, identify a point-of-contact on the owning team (usually a senior engineer, sometimes the tech lead) who will pair with you or review your work. They are not adopting the work — they are your partner in surfacing where it doesn't fit.
This is also a good moment to consult Skill(architecting-solutions) in bitwarden-tech-lead for the team-scope architectural constraints that will shape your PoC (security mindset, multi-client reality, V+/-2 compatibility, etc.). The PoC ships against those constraints from the start, not retrofitted.
If the approach requires shared scaffolding — middleware, base classes, type definitions, shared libraries — build it first. This is the reusable piece that broader rollout depends on. The framework itself is part of what the PoC is validating.
Two principles:
Implement 1–3 examples demonstrating the new pattern in the chosen area. Each example should be self-contained enough that a reviewer can see the pattern in action, but realistic enough that it tests real-world complexity. Examples from the funnel doc: migrate one API endpoint, one UI component, or one service module.
For each example, capture:
The funnel doc strongly recommends presenting the PoC to Architecture Council at this phase. Format:
What the Council provides: pattern-level guidance, cross-initiative awareness (is this approach in conflict with something else underway?), validation of the proposed direction, and surface concerns about rollout.
What the Council does not provide: a green light independent of engineering leadership's go/no-go at the end of the phase. The Council recommends; leadership decides.
If the PoC validates the approach, draft an Architecture Decision Record following the Bitwarden ADR template. ADRs live in the centralized bitwarden/contributing-docs repository under docs/architecture/adr/ (rendered at contributing.bitwarden.com/architecture/adr/). There is no per-repo ADR directory — Bitwarden's architectural decisions are intentionally centralized so they're discoverable across all codebases the decision touches.
Open a PR against contributing-docs with the new ADR file, numbered sequentially after the latest accepted ADR. Example for reference: 0020-observability-with-opentelemetry.md.
The ADR is not the architecture plan — that comes in Scoping. The ADR is the decision artifact. Sections per the template:
The ADR is the durable artifact that survives the shepherd's departure. Six months from now, someone will hit a related decision and read this ADR to understand why the codebase is shaped the way it is. Write for that reader.
The ADR captures the decision. The PoC is also the moment to establish the functional documentation that the new pattern needs to be discoverable and usable by the teams who will adopt it during Phase 5. Per Documentation Patterns, Bitwarden splits documentation into two homes that you should land in deliberately:
README.md files automatically when engineers navigate, which is the discovery path that actually works. Use Mermaid for diagrams so they render in-place.bitwarden/contributing-docs repository, rendered at contributing.bitwarden.com. ADRs, setup guides, feature-flag operating procedures, and cross-cutting architectural references go here.What the PoC should ship in each home:
README.md explaining what the framework is, its interface, how to extend or apply it, and what trade-offs were deliberately made. Reference the ADR for the decision rationale. Examples to model on: EventIntegrations, DbSeederUtility, EmergencyAccess.contributing-docs as covered above.rustdoc and crate/module-level README for Rust. The Documentation Patterns page has the per-stack rubric.CLAUDE.md — link the README.md via @ syntax and the ADR by URL. The bitwarden-init and claude-config-validator plugins help bootstrap and review these.The shape of the documentation matters because the PoC is what the receiving teams in Phase 4 will react to. A PoC PR + a framework README + an ADR is far more legible than a PoC PR alone — and the difference shows up as faster handoff meetings and less "wait, what was the intended pattern here?" during Implementation.
During PoC (see Idea-Based Initiatives):
Per the funnel doc:
For the leadership review, bring:
bitwarden/contributing-docs repository.Skill(shepherding-an-initiative) for the umbrella playbook, Skill(running-an-architectural-assessment) for the upstream Research-phase work the PoC validates, Skill(scoping-and-handing-off-to-teams) for what the PoC feeds into, Skill(architecting-solutions) (in bitwarden-tech-lead) for team-scope architectural constraints that shape PoC design.