一键导入
MAINFRAME
MAINFRAME 收录了来自 CATWILLgh 的 19 个 skills,并提供仓库级职业覆盖和站内 skill 详情页。
这个仓库中的 skills
Run a structured, multi-aspect code and quality audit of a module, directory, or diff. Splits the audit into independent dimensions (security, architecture, performance, business logic, testing) run as parallel subagents, then deduplicates, verifies high-severity findings, and produces one prioritized report with a precise location per finding. Calibrates severity via the `severity-calibration` skill.
Stack-adaptive Node.js / TypeScript backend patterns — recon-driven dispatch across NestJS / Express / Fastify with cross-cutting concerns (TypeORM / Prisma / Drizzle ORMs, class-validator / Zod validation, multitenancy via AsyncLocalStorage + PostgreSQL RLS, pino + OpenTelemetry observability, jest + supertest + testcontainers-node testing, NestJS DI scopes discipline, TypeScript strict mode). Loaded by `nestjs-backend-engineer` agent only; closed to main-context auto-invocation.
Next.js App Router server-layer patterns — recon-driven dispatch across Route Handlers, Server Actions, RSC data fetching, caching / revalidation, middleware, server-side auth (Auth.js / NextAuth v5, the Data Access Layer pattern), and ORM access in serverless (Prisma singleton / connection pooling, Drizzle HTTP drivers). Cross-cutting: server-as-canonical, authorize-in-the-DAL-not-middleware-alone, `NEXT_PUBLIC_` secret-leak ban, `server-only` boundary, Zod at every boundary, TypeScript strict. Covers what is DISTINCT to Next's server model — defers generic Node/ORM depth to the standalone backend skill. Loaded by `nextjs-backend-engineer` agent only; closed to main-context auto-invocation.
Verify a coding change introduced no placeholder or suppression markers without explicit user permission. Covers TODO/FIXME/HACK/XXX, commented-out code, skipped or focused tests (.skip/.only/xit/fit), and silenced type/lint checks (@ts-ignore, @ts-nocheck, eslint-disable,
Prevent duplicate instances of long-running development processes (dev servers, application processes, Docker Compose stacks). Run a preflight check before launching to detect an already-running instance by port or process name; if already running, do not start a second one. Handle restarts by stopping the current instance gracefully (SIGTERM, escalate to SIGKILL only on timeout) before launching once.
Stack-adaptive Python backend patterns — recon-driven dispatch across FastAPI / Django / Flask with cross-cutting concerns (SQLAlchemy 2.0 + Pydantic 2 / Marshmallow / DRF, multitenancy via PostgreSQL RLS, structlog + OpenTelemetry observability, pytest + testcontainers testing, typed exceptions, eager loading discipline). Loaded by `python-backend-engineer` agent only; closed to main-context auto-invocation.
Stack-adaptive React frontend patterns — recon-driven dispatch for the Vite + React 19 + TypeScript + Tailwind v4 + TanStack Query 5 + Zod + React Hook Form stack, with FSD (Feature-Sliced Design) as the named architectural default and Boy Scout / Strangler Fig discipline for legacy. Cross-cutting: typed data boundaries (Zod), discriminated request states, server-state vs client-state separation, form-state vs server-state separation, XSS / secrets / dangerouslySetInnerHTML discipline, TypeScript strict mode. Loaded by `react-frontend-engineer` agent only; closed to main-context auto-invocation.
Methodology for rigorous, evidence-grounded validation of a proposed decision, design, or approach. Covers pre-mortem failure-scenario generation, disconfirmation testing, counter-model construction, evidence-grounding of every objection, and honest severity ranking — with the hard discipline that an objection which cannot be grounded is reported as ungrounded, never manufactured or inflated. Loaded by the `decision-reviewer` agent only; closed to main-context auto-invocation.
Operate a Dokploy instance through its HTTP API (self-hosted PaaS on Docker + Traefik): authentication via the `x-api-key` header, the tRPC-over-OpenAPI call convention (GET = flat query params, POST = JSON body, bare-JSON responses, `{message,code,issues}` errors), the resource hierarchy Project -> Environment -> {Application | Compose | Database}, and canonical workflows for deploying applications and Compose stacks, provisioning databases, attaching domains/TLS, and managing servers and backups. Includes destructive-operation safety and a live-spec navigation technique for any endpoint beyond the cookbook.
Design / visual-quality layer for the React frontend engineer — the third layer beside `shadcn` (which component / markup) and `react-frontend-patterns` (state / data / architecture). Owns the decisions those two defer: what the semantic colour tokens resolve to (WCAG-safe palettes on shadcn's token names, OKLCH), type scale and pairing, accessibility beyond what Radix enforces (contrast, target size, labels, focus order, custom-widget ARIA), motion (reduced-motion, compositor-only, duration budget), and layout (8pt spacing, responsive, visual hierarchy, density). Authored from primary sources (WCAG 2.2, Material 3, Apple HIG, shadcn theming, Tailwind).
Produce Conventional Commits v1.0.0 messages for the staged change. `type(scope)[!]:` and footer tokens are always English; the description and body are written in the repo's commit language (resolved per the rule below — default English). File / function / identifier names go in backticks. Body is a bullet list of why / what to verify / trade-offs. Splits a mixed change into atomic commits by type and independent scope (feat / fix / docs / refactor / test / ci / chore / perf / build / style). Always commits via `git commit -F /dev/stdin` heredoc — `-m "…"` breaks on non-ASCII, newlines, and backticks. Never emits Claude / AI attribution trailers (`Co-Authored-By: Claude …`, `Generated with Claude Code`).
A personal-machine credentials layout for the terminal: SSH host/auth and HTTP Basic via native mechanisms (`~/.ssh/config`, `~/.netrc`, `gh auth login`); generic API tokens and passwords in `~/.config/credentials/secrets.env` (mode 0600) read only through the `secret` helper or as shell env-vars; descriptions and server short-names in `~/.claude/credentials-index.md` (no values inside). Direct reads of the credentials store are denied by `settings.json` patterns. Credential values reach the subprocess through `$VAR` or `$(secret get NAME)` shell substitution, never through the response transcript. A pre-reply scan checks the draft against shape regexes for GitHub / AWS / OpenAI / Anthropic / Slack / Stripe / SSH key blocks / generic high-entropy strings.
shadcn/ui composition layer — when, what, and how to compose shadcn components in a Vite + React project. Provides the CLI workflow (search → view → add → docs), the corrected `info --json` schema fields needed for project-aware decisions (framework, Tailwind version, aliases, base, RSC flag), critical composition rules (Field / InputGroup / asChild / variants / icon discipline), and the strict no-MCP, npx-only invocation model. Defers per-component detail to live `npx shadcn@latest docs <component>` so it never goes stale.
Capture any problem you choose not to fix right now — adjacent bug discovered out of scope, in-scope issue you postpone, deliberately deferred refactor, partial implementation, "quick fix" or hack left in place — as a structured ticket in the project's docs/tickets/ folder. Uses a stable template with YAML frontmatter (id/title/status/priority/component/discovered/discovered-from/tags) and a fixed body structure (what observed, why it matters, why not a duplicate, what to do, acceptance criteria, sources). Supports a 5-state audit lifecycle Open / Needs Refinement / In Progress / Closed / Approved with reopen-in-the-same-file when audit fails or when an approved ticket's bug recurs.
Universal cycle for any task that modifies code, configuration, documentation, or infrastructure — feature, bugfix, refactor, migration, ops work. Cycle: triage → recon → plan (file when ≥ 3 phases) → parallel dispatch → synthesis → advisor → execution → verification → out-of-scope tickets → edge-case sweep → advisor → git safety → commit → report. Plan files land in `~/.claude/plans/<basename(cwd)>/<YYYY-MM-DD>-<topic>.md` — outside the project, not tracked by git, persistent across sessions. Adapts to both interactive sessions (uses `EnterPlanMode` / `ExitPlanMode` when present) and unattended auto-runs (writes the plan file directly, no blocking gate). Size and urgency do not bypass the cycle; they only change which conditional steps activate.
Apply infra-need tiers (what an autonomous run can self-verify — no-env / local / test-prod), the nested testing pyramid, and a maximal-but-not-excessive coverage rule to choose which test(s) to write for any non-trivial code change, bug fix, or new behaviour. Triages by what the change touches and what it must stand up to run, names the right tier and level, and flags anti-patterns (testing implementation, flaky e2e, weakening assertions, slow suites). Tests are part of the change itself, not a follow-up. Pairs with the CLAUDE.md TDD bullets — bug-fix failing test first, Red→Green→Refactor, Tier-1-first.
File a structured feedback report about friction caused by the mainframe harness itself — a hook gate block that looks like a false positive, a permission rule that denied legitimate work, a skill or rule instruction that proved unclear or contradictory, or a capability the harness lacks. Writes one Markdown file with YAML frontmatter (date/project/session/artifact/type/severity/title) and a mandatory `## Trigger` section into the global `~/.claude/mainframe/feedback/` queue via the bundled `feedback.py` receiver; the hub processes the queue as candidates and tunes the harness. Friction-only channel — not for praise, not for problems in the project's own code (that is `surface-ticket`), and filing feedback never replaces fixing a gate finding.
HTTP(S) request templates and safe-defaults for `curl`: Bearer / Basic / `.netrc` auth, JSON GET/POST, multipart upload, healthcheck. Diagnostics — redirects, timeout (`--connect-timeout` + `--max-time`), retry whitelist (`--retry` covers HTTP 408 / 429 / 500-504 / 522 / 524 + connection timeouts, NOT arbitrary 4xx), header-only inspection (`-I` actually changes method to HEAD; `-i` keeps GET and just includes headers in output). Anti-patterns: hardcoded secrets, missing `--fail` / `--fail-with-body`, `-k` outside explicit debug, no `--max-time` on healthcheck, Basic over plain HTTP (cleartext), `--location` forwarding `Authorization` header to a cross-host redirect.
Assign a calibrated severity level (Critical/High/Medium/Low) to a finding, risk, bug, or audit result by real impact rather than drama. Provides the rubric for each level and the discipline against severity inflation, which devalues genuinely critical findings.