AgentSkillsCN

system-design

系统设计、软件架构、API设计、网络安全和威胁建模。构建安全、可扩展的系统。

SKILL.md
--- frontmatter
# ═══════════════════════════════════════════════════════════════════════════
# SKILL: System Design
# Version: 2.0.0 | Updated: 2025-01
# ═══════════════════════════════════════════════════════════════════════════
name: system-design
description: System design, software architecture, API design, cybersecurity, and threat modeling. Build secure, scalable systems.

# ACTIVATION TRIGGERS
triggers:
  - architecture
  - system design
  - security
  - api
  - scalability
  - owasp
  - threat modeling
  - compliance

# SKILL PARAMETERS
parameters:
  system_type:
    type: string
    required: true
    description: Type of system (web app, API, data platform)
  scale:
    type: string
    enum: [startup, growth, enterprise]
    required: false
  security_level:
    type: string
    enum: [standard, high, compliance]
    required: false

# OUTPUT SPECIFICATION
outputs:
  architecture:
    type: object
  security_measures:
    type: array
  trade_offs:
    type: array

# RELIABILITY
retry:
  max_attempts: 3
  backoff: exponential

# OBSERVABILITY
observability:
  log_level: info

level: advanced
prerequisites:
  - core-development
  - data-structures

sasmp_version: "1.3.0"
bonded_agent: 01-core-paths
bond_type: PRIMARY_BOND

System Design Skill

Quick Reference

PatternBest ForComplexityScaling
MonolithStartups, MVPsLowLimited
MicroservicesLarge teamsHighExcellent
ServerlessEvent-drivenMediumAuto
Event-DrivenHigh throughputHighExcellent

Scalability Progression

code
Level 1: Single Server
    │
    ▼ Bottleneck: CPU/Memory
Level 2: Load Balancer + Multiple Servers
    │
    ▼ Bottleneck: Database reads
Level 3: Caching Layer (Redis)
    │
    ▼ Bottleneck: Database writes
Level 4: Read Replicas
    │
    ▼ Bottleneck: Single DB limits
Level 5: Sharding / Partitioning
    │
    ▼ Bottleneck: Cross-shard queries
Level 6: CQRS + Event Sourcing

Architecture Decision Tree

code
What's your team size and product stage?
│
├─► Team < 10, product unclear
│   └─► Monolith (start simple)
│
├─► Team > 10, clear domain boundaries
│   └─► Microservices
│
├─► Variable workloads, pay-per-use
│   └─► Serverless
│
└─► High throughput, async workflows
    └─► Event-Driven

API Design

REST Best Practices

code
GET    /api/v1/users              # List
GET    /api/v1/users/{id}         # Get
POST   /api/v1/users              # Create
PUT    /api/v1/users/{id}         # Replace
PATCH  /api/v1/users/{id}         # Update
DELETE /api/v1/users/{id}         # Delete

GET    /api/v1/users/{id}/orders  # Nested

HTTP Status Codes

CodeMeaningUse When
200OKGET/PUT/PATCH success
201CreatedPOST success
204No ContentDELETE success
400Bad RequestInvalid input
401UnauthorizedNo/invalid auth
403ForbiddenNo permission
404Not FoundResource missing
429Too Many RequestsRate limited
500Server ErrorServer failure

Database Selection

Use CaseBest ChoiceNotes
TransactionsPostgreSQLACID, most versatile
High writeCassandraWrite-optimized
CachingRedisSub-millisecond
SearchElasticsearchFull-text search
AnalyticsBigQueryColumn-store
Time-seriesTimescaleDBTime-based data
GraphNeo4jRelationships

Security: OWASP Top 10 (2025)

#VulnerabilityPrevention
1Broken Access ControlVerify auth on every request
2Cryptographic FailuresTLS 1.3, AES-256, Argon2
3InjectionParameterized queries
4Insecure DesignThreat modeling
5Security MisconfigurationHarden defaults
6Vulnerable ComponentsDependency scanning
7Auth FailuresMFA, rate limiting
8Data IntegritySign data, verify sources
9Logging FailuresComprehensive logging
10SSRFAllowlist URLs

Encryption Standards

LayerStandardNotes
In TransitTLS 1.3HTTPS everywhere
At RestAES-256Encrypt sensitive data
PasswordsArgon2idbcrypt acceptable
API KeysSHA-256Store hashed

Threat Modeling: STRIDE

code
┌─────────────────────────────────────────┐
│              STRIDE MODEL                │
├─────────────────────────────────────────┤
│  S - Spoofing                           │
│      → Strong auth, MFA                 │
│                                         │
│  T - Tampering                          │
│      → Integrity checks, signatures     │
│                                         │
│  R - Repudiation                        │
│      → Audit logging                    │
│                                         │
│  I - Information Disclosure             │
│      → Encryption, access control       │
│                                         │
│  D - Denial of Service                  │
│      → Rate limiting, DDoS protection   │
│                                         │
│  E - Elevation of Privilege             │
│      → Least privilege, RBAC            │
└─────────────────────────────────────────┘

Compliance Requirements

StandardDomainKey Requirements
GDPREU DataConsent, right to delete
HIPAAHealthcarePHI encryption, audit logs
SOC 2ServicesSecurity controls
PCI DSSPaymentsCard data protection
CCPACA PrivacyConsumer rights

Disaster Recovery

StrategyRTORPOCost
Backup/RestoreHoursHoursLow
Pilot Light10s minMinutesMedium
Warm StandbyMinutesSecondsHigh
Active-ActiveSecondsZeroVery High

Troubleshooting

code
System not scaling?
├─► Database bottleneck? → Add caching, replicas
├─► Single point of failure? → Add redundancy
├─► Stateful services? → Make stateless
└─► Network limits? → CDN, optimize payloads

Security incident response?
├─► 1. CONTAIN: Isolate affected systems
├─► 2. IDENTIFY: Scope and entry point
├─► 3. ERADICATE: Remove threat, patch
├─► 4. RECOVER: Restore from clean backup
└─► 5. LEARN: Post-mortem, improve

Common Failure Modes

SymptomRoot CauseRecovery
Cascading failuresTight couplingCircuit breakers
Works locallyEnv differencesContainers, IaC
Data breachMissing controlsAudit, RBAC
Audit failedMissing complianceGap analysis

Next Actions

Describe your system requirements for architecture recommendations.