AgentSkillsCN

foundations

涵盖 Schema 设计、优化与数据库管理。包括主键选择(UUID/ULID/序列号)、安全迁移、借助 EXPLAIN ANALYZE 进行查询优化、索引策略(B 树、部分索引、复合索引),以及规范化权衡。在设计表结构、编写迁移脚本,或当用户询问“我应该选用哪种主键?”或“如何优化这条查询?”时,可加以运用。

SKILL.md
--- frontmatter
name: foundations
description: >-
  Establishes code quality and engineering standards. Covers code style conventions, conventional
  commit messages, documentation standards (ADRs, API docs, changelogs), and security patterns
  (input validation, secrets management, OWASP). Use when reviewing code, preparing commits,
  writing documentation, or when the user asks "how should I format this commit?" or "what's
  the security best practice for X?"

Code Standards

Engineering foundations for consistent, secure, and well-documented code.

Philosophy

Code speaks first. Well-structured code with clear names needs fewer comments. When comments are necessary, they explain WHY, not WHAT. Documentation lives close to code but separate from implementation details.

Commits tell a story. Each commit represents one coherent change. Messages use imperative mood and focus on intent. The git log should read like a narrative of the project's evolution.

Security by default. Every input is untrusted. Every error is generic to users. Every secret is externalized. Defense in depth, not security theater.

Quick Reference

StandardKey RuleExample
Code StyleType hints required, structured loggingasync def fetch(id: UUID) -> Result
Commits<type>: <description>, imperative moodfeat: add thermal rating API
DocumentationDocument after shipping, not beforeAPI docs reflect implemented endpoints only
SecurityValidate all inputs at trust boundariesPydantic models at API layer

Topics

TopicReferenceUse When
Code Stylereferences/code-style.mdWriting Python/TypeScript code, naming variables
Commitsreferences/commits.mdWriting commit messages, creating PRs, branching
Diagramsreferences/diagrams.mdCreating Mermaid diagrams, visualizing architecture
Documentationreferences/documentation.mdWriting ADRs, API docs, changelogs
Securityreferences/security.mdThreat modeling, managing secrets, compliance checks
Debuggingreferences/debugging.mdSystematically debugging issues with hypotheses
Hypothesis Trackingreferences/hypothesis-tracking.mdManaging multiple hypotheses during investigation
Test Debuggingreferences/test-debugging.mdFixing flaky tests, isolation issues, state pollution
TDDreferences/tdd.mdWriting tests first, red/green/refactor cycle
Verificationreferences/verification.mdVerifying work before claiming done
Code Reviewreferences/code-review.mdRequesting or receiving code reviews
Permissionsreferences/permissions.mdConfiguring tool allowlists, sandbox, agent permissions

Available Scripts

ScriptUsageDescription
scripts/check-commit-msg.shcheck-commit-msg.sh <file>Validate commit message format
scripts/check-python-style.pycheck-python-style.py <dir>Check Python style (type hints, docstrings)
scripts/check-test-naming.shcheck-test-naming.sh <dir>Check test file/function naming
scripts/validate-adr.pyvalidate-adr.py <file>Validate ADR structure
scripts/check-changelog-format.shcheck-changelog-format.sh <file>Check micro-changelog format
scripts/check-secrets.shcheck-secrets.sh <dir>Scan for hardcoded secrets
scripts/validate-compliance.pyvalidate-compliance.py <file>Validate security checklist completion

Critical Rules

Always

  • Use type hints on all public functions
  • Write atomic commits (one logical change)
  • Use imperative mood in commit messages
  • Validate inputs at trust boundaries
  • Log security events (without secrets)
  • Include micro-changelog at document bottom

Never

  • Commit secrets, passwords, or API keys
  • Document APIs before they ship
  • Use bare except: clauses
  • Force push to main/master
  • Log sensitive data or stack traces to users
  • Skip commit signing without explicit permission

Naming Conventions

ContextPythonTypeScript
Filessnake_case.pyPascalCase.tsx (components)
Functionssnake_casecamelCase
ClassesPascalCasePascalCase
ConstantsUPPER_SNAKEUPPER_SNAKE
Teststest_<unit>_<scenario>_<result>describe/it blocks

Commit Types

TypeUse ForVersion Impact
featNew featuresMinor bump
fixBug fixesPatch bump
refactorCode restructuringNone
docsDocumentation onlyNone
testTest additions/updatesNone
choreMaintenance, depsNone
perfPerformance improvementsPatch bump

Test Patterns

Follow AAA (Arrange-Act-Assert) and scenario-based fixture naming:

  • *_perfect - Complete, valid data (happy path)
  • *_degraded - Partial data, quality issues
  • *_chaos - Edge cases, malformed data

Coverage target: 70% minimum across all components.

Security Mindset

For every feature, ask:

  1. How could this be exploited?
  2. What happens if input is malicious?
  3. What if authenticated but not authorized?
  4. What if the system is partially compromised?

Related Skills

  • infrastructure-patterns - Container security, deployment hardening
  • database-patterns - SQL injection prevention, connection security