rad-claude-skills

A council of cognitive-framework advisors that debates any decision — repo plans, website designs, product/codebase critiques, marketing plans, anything — then votes and returns one ranked, confidence-rated recommendation with dissent preserved and a single concrete next step. Diversity comes from incompatible *reasoning lenses* (The Contrarian, First Principles, The Vulcan, The Metric, The Storyteller, The Outsider, The Executor, The Orator, The Expansionist, The Growth Catalyst), not personas — research shows cognitive frameworks beat roleplay, and that perspective diversity (not debate depth) is the dominant driver of quality. One skill, `convene`, with two modes: `standard` (independent drafts → one blind peer-review round + dot-vote → rigor-weighted synthesis) and `quick` (parallel critics → synthesis, no review round). A Blue Hat orchestrator auto-selects 3–5 seats for any topic by engineering natural tension between opposing lenses (hard cap 5). Synthesis weights by empirical rigor and logical consistency — never headcount — preserves genuine clashes, rates confidence 1–10, and commits to exactly one next step (disagree-and-commit). Guardrails are baked in against the documented failure modes of multi-agent debate: conformity drift (independent generation), sycophancy (framework constraints, not personas), false consensus (preserved dissent), and runaway cost (hard agent/round caps + effort scaling). Claude-only — no external API keys. Output is one self-contained markdown report, delivered where you choose, never auto-committed. Pairs with rad-brainstormer (diverge → converge) and rad-planner (decide → sequence); recommends rad-code-review for deep code passes rather than duplicating it.

3-role adversarial code review for Claude Code — Opus default, Sonnet/Haiku compatible. Parallel tool-call pipeline, JSON-first subagent output, compaction-safe checkpointing with `--resume`, and `--non-interactive` mode for agents/CI. Blame-aware diff scoping, 14-pattern AI slop detection (hallucinated imports, fake error handling, ghost type assertions, mock-shaped fallbacks, etc.), framework-specific IDOR for Next.js / Express / Fastify / Django / Rails / Go, WCAG 2.2 + dynamic ARIA state detection, performance heuristics, severity-ranked findings with release verdict, and accepted-risk expiry enforcement. Includes a `code-reviewer` agent for proactive autonomous review. v5.0: finding IDs shortened to `CR-NNN` (config/state paths unchanged); the hallucinated-imports validator is now wired into the automated-checks phase (offline, lockfile-verified, runs even in --local-only); history comparison matches findings across runs by fingerprint (category+file+title) instead of per-run IDs, making "show new findings only" trustworthy; the never-implemented `--engine claude|codex|both` flag removed in favor of the real `--adversarial-model <name>` cross-model challenge pass; reports save to `.radcr/history/` only (no loose root-level report file). Backed by `check-hallucinated-imports.py` — a pure-stdlib Python 3.8+ script that parses 9 lockfile formats (package-lock.json, yarn.lock, pnpm-lock.yaml, package.json deps, requirements.txt, pyproject.toml, Pipfile.lock, poetry.lock, uv.lock), extracts imports via Python `ast` + JS/TS regex, and flags packages not declared in any lockfile (slopsquatting risk). Runs standalone or in the orchestrator's Step 5g.

MV3 Chrome extension development standards (WXT, React, TypeScript) with two pure-stdlib Python validators that catch what LLM eyeballing misses. Skills cover architecture, MV3 security (CSP, remote code ban, content script isolation), permission minimization and CWS compliance, typed messaging, storage selection, service worker lifecycle, React UI patterns, testing, and Chrome Web Store troubleshooting. The chrome-ext-reviewer agent runs two validators before LLM judgment: `audit-manifest.py` (manifest.json audit for MV3 compliance, permission overreach, weak CSP, web_accessible_resources scoping, MV2 leftovers, CWS-rejection causes; auto-discovers WXT `.output/` build manifests) and `scan-mv3-violations.py` (greps source for CSP-banned `eval` / `new Function` / `setTimeout('string')`, remote `<script src="http">` and dynamic imports of remote URLs, MV2-only `chrome.tabs.executeScript` / `chrome.browserAction` / `chrome.extension.getBackgroundPage`, blocking webRequest listeners, optional DOM-risk `innerHTML` / `document.write`). Both emit findings with severity and specific fix recommendations. Pure stdlib Python 3.8+.

WCAG 2.2 AA accessibility toolkit for Claude Code. Six skills covering semantic HTML, ARIA patterns, keyboard/focus, forms, automated testing setup, and a static-analysis review pass; one autonomous reviewer agent. **Four pure-stdlib Python validators** (scan-jsx-patterns, check-tailwind-contrast with real WCAG sRGB math, check-target-size for WCAG 2.5.8, lint-aria wrapping eslint-plugin-jsx-a11y when installed) run in parallel before LLM judgment. **Stack-aware phase routing** detects React, Next.js, Astro, Tailwind, Radix, Headless UI from package.json + config files; framework-specific Phase 8 slices only execute when the stack matches. **Cross-model**: Opus 4.7 and Sonnet 4.6 issue Phase 0 + Phase 1 as a single parallel tool-call burst; Haiku 4.5 falls back to sequential phases if parallel batching misbehaves — final report is identical. The /a11y-review skill performs static pattern matching over JSX/HTML/CSS source — it is not an audit and does not run axe-core, does not test runtime focus behavior, does not test with screen readers. Findings tagged [STATIC] / [HEURISTIC] / [NEEDS-MANUAL] by detection confidence; no Pass/Fail compliance verdict is issued because static analysis cannot defensibly produce one. Pair with the a11y-testing skill for real axe runtime via jest-axe / Playwright, and manual screen reader testing for full coverage.

End-to-end Coolify self-hosted PaaS management — 9 skills covering deployments (Nixpacks/Dockerfile/Compose), databases, security, CI/CD, troubleshooting, observability, multi-server infrastructure, live MCP-backed actions, and a read-only status dashboard; coolify-reviewer agent (Opus default) with 4 Python validators (lint-dockerfile, lint-compose, check-coolify-env, audit-cicd) that catch the patterns LLM eyeballing misses; PostToolUse hook that auto-lints Dockerfile/compose edits; bundled @radoriginllc/coolify-mcp (36 tools, endpoints verified against the OpenAPI spec) for live operations against your Coolify instance. Covers Coolify v4 self-hosted (rolling beta — version-specific advice grounded via coolify_version). Honest about what's experimental (Sentinel, Swarm, Caddy proxy, Railpack-NOT-yet-shipped) and what's production-ready.

End-to-end 1Password CLI (`op`) coverage with a hardcoded-secrets scanner. Skills cover secret references (`op://...`), `op inject` / `op run` / `op read` for keeping secrets out of code and shell history, item CRUD with assignment statements and JSON templates, vault and user provisioning with granular permissions, SSH key generation and use, third-party CLI auth via `op plugin run`, and service-account / Connect-server patterns for CI/CD and headless servers. One router skill, ten topical sub-skills, four slash commands. Bundled `scripts/scan-hardcoded-secrets.py` is a pure-stdlib Python scanner that finds provider-prefixed tokens (OpenAI, Anthropic, GitHub PAT, Stripe, AWS, Slack, Google, Twilio, SendGrid, Mailgun, Supabase JWT), URL-embedded passwords (postgres / mongodb / mysql / redis / https / etc.), and assignment-shaped credentials (`api_key = "..."`, `password: "..."`). For each finding, suggests a concrete `op://<vault>/<item>/<field>` reference shape for replacement. Skips `.env*` files, lockfiles, test fixtures, and obvious placeholders. Not a replacement for gitleaks/trufflehog — it's for in-editor use during development with explicit op:// migration suggestions. Cross-checked against `op` v2.34.0.

The brainstormer that doesn't anchor you. Most AI brainstorming dumps fifteen ideas at you immediately — and research on human–AI ideation shows you then anchor on them, producing fewer, less varied, less original ideas of your own. rad-brainstormer draws out YOUR thinking first, every time, then builds on it with proven facilitation methods under enforced divergent/convergent discipline (idea generation and evaluation are never mixed). It brainstorms anything — software, business strategy, content, travel, creative projects, life decisions — not just code. Four skills (v3.0 consolidated from ten — the standalone technique skills are now modes of the session): - `brainstorm-session` — the facilitated session: anti-anchoring first, divergent → convergent, live domain research when useful. Techniques selectable by name: scamper, six-hats, reverse, hmw, starburst, unblock. - `idea-evaluation` — you already have the ideas; structured prioritization (Impact/Effort, Assumption Mapping, Pre-Mortem, JTBD, Dot Voting). - `five-whys` — root-cause analysis (a different job than ideation, kept separate). - `design-sprint` — post-decision: chosen software approach → reviewable spec → hand-off to /rad-planner:plan, whose discovery interview pre-fills from the spec. Three agents: domain-researcher (live web research woven into the questions, not dumped as a report), idea-challenger (pre-mortem stress-test of top candidates), spec-reviewer (iterative completeness review, capped). Output is one self-contained markdown file and the skill asks where to deliver it: a personal folder (default for non-project topics; surfaced for download on Desktop/Cowork/claude.ai), into the current project as an explicitly transient doc (consumed by the planner, archived after — never docs/design.md, which is your brand/UI design direction), or no file at all. Never auto-committed. Pairs with rad-planner (ideation → design → plan); works standalone on any topic.

Codebase-scoped SEO/AEO tooling for Claude Code with four pure-stdlib Python validators that turn the plugin's static-analysis claims into deterministic checks: `audit-ai-access.py` (per-AI-bot robots.txt allow/block matrix classed training vs citation — GPTBot, ClaudeBot, Google-Extended, CCBot vs OAI-SearchBot, ChatGPT-User, Claude-SearchBot/User, PerplexityBot/User, Bingbot, Googlebot — plus llms.txt existence/format check, Content-Signal/RSL/noai detection, JS-dependence heuristic, and optional CDN-block UA probing), `validate-jsonld.py` (extracts JSON-LD from HTML and framework source including dangerouslySetInnerHTML/set:html/template-literal forms, validates against ~20 SEO-impactful schema.org types, honest dynamic_jsonld findings for unverifiable JS-built blocks), `audit-meta-tags.py` (title/description lengths, canonical shape, charset, viewport, robots sanity, Open Graph 5-prop + Twitter Card 4-prop coverage, hreflang x-default), `check-broken-links.py` (parallel HEAD scanner with GET-Range fallback; URL list / sitemap / HTML-root inputs). Plus knowledge skills for AEO/GEO content optimization (with AI crawl-access gate and Lighthouse Agentic Browsing awareness), keyword ideation, content strategy, schema generation with 2026 rich-result deprecation awareness (FAQ/HowTo retired), E-E-A-T, and observable competitive research. Honest scope: does NOT measure numerical Core Web Vitals, keyword volumes, backlink profiles, or actual AI citation rates — those require Path B MCP integrations documented in references/CAPABILITIES.md.

Write, debug, reverse-engineer, and migrate AI prompts — now including agentic loops and goal conditions. The prompt-engineering skill covers writing patterns and platform-specific shape (Claude, GPT, Gemini, Claude Code, OpenAI Codex/AGENTS.md, image generators, agentic tools). The loop-goal-engineering skill authors loop prompts (Ralph-style, one-task-per-iteration), goal/completion conditions (Claude Code /goal, Codex Goal Mode, Stop hooks), and the four-file long-horizon scaffold — hardened against documented reward-hacking exploits. The prompt-decompiler skill routes between six modes — anatomize, translate, compress, decompose, forensics, diagnose. An autonomous prompt-debugger agent handles prompt-output failure analysis with an F1-F8 taxonomy (44 patterns, F8 = loop/goal failures). Two bundled pure-stdlib validators, wired into the skills and agent: `scripts/lint-prompt.py` (missing role frame, vague instructions, unbounded length adjectives, conflicting formats, excessive emphasis, superhuman framing, imperative collisions) and `scripts/check-goal.py` (goal anatomy: named check, scope guard, bound, evidence display; gameability signatures G1-G7: unprotected tests, grep-only success, existence-only checks, absence-only checks, self-judged completion, skip-counting, effort-based success — G8 revert-satisfiability needs semantic judgment and stays with the skill; loop discipline: one task per iteration, file-based state, idempotent start, done signal). Both read file or stdin; emit JSON or human-readable findings.

Active PARA system management. Five skills cover folder organization, weekly review automation, Progressive Summarization, Hemingway Bridge session handoffs (integrates with rad-session), and the 12 Favorite Problems workshop. Two autonomous agents: para-auditor (structure validation) and para-weekly-reviewer (review briefings). One pure-stdlib Python validator (`audit-para-structure.py`) that mechanically enforces the four-canonical-folder rule (Projects/Areas/Resources/Archive), detects false projects (topic-shaped names instead of project-shaped), flags non-PARA anti-pattern folders (Inbox/Notes/Misc/etc.), counts active projects (warn >10, info >20, PARA recommends 5-10), and finds orphaned root files. Based on Tiago Forte's Building a Second Brain methodology.

Plan a project before you write code — and re-plan it as reality unfolds. Built for solo developers who aren't formally trained engineers: it interrogates you until it actually understands what you're building, then produces a plan a moderately experienced vibe coder can read AND a coding agent can execute. Strictly a planner — it never writes implementation code. The method is interview-driven, risk-first, adversarially-reviewed, and mechanically-validated: - The grilling: a structured discovery interview — eight coverage areas (end goal, users, MVP, success criteria, constraints, assets, exclusions, danger zones), each driven to settled-or-explicitly-unknown; the project mirrored back for correction; assumptions proposed for confirm/deny. Capped at 3 rounds so it stays fast. - The release ladder: every plan anchors to your end goal via a Now / Next / Later release map — Now (MVP/Beta, fully specced tasks), Next (V1 milestone outline), Later (end-goal themes). Detail decays with distance by design; pulling the next horizon into detail is a /replan event. - Written for two readers: a plain-language layer (how-to-read note, release map, 'After this ships' lines) for you; six-field task blocks (objective, files, dependencies, done-when, validation, rollback) for the coding agent. - Codegen-aware stack evaluation (AI-native Golden Path matrix), goal-backward decomposition, risk-first sequencing with size discipline. - Mechanical validation via `plan-lint.py` (required sections incl. the release map, per-task fields, dependency resolution + cycles, vague language) — a real pass/fail check, not the model grading itself. - Adversarial review via the `risk-assessor` agent against 14 documented anti-patterns (APPROVE / REVISE / RETHINK; iterative on the full path, single-pass on the quick path you can choose at discovery). Four skills — two doors in, one maintained plan: - `/plan` — greenfield or a clear next effort: the six-phase conversation → `docs/plan.md`. - `/rescue` — a project in an unclear state: read-only archaeology (code + git evidence), evidence-led interview (keep/cut/unknown per piece), then a fresh release-map plan from where the project actually is. Assesses and plans; never fixes, runs, or deletes code. - `/replan` — evidence-based plan update: marks shipped work from git + handoff (moved to a `## Shipped` section — history preserved, never deleted), re-baselines the rest, pulls the next horizon into detail when Now ships. - `/review-plan` — two-layer quality audit of an existing plan (mechanical lint + adversarial risk review). The PRD exception: when `docs/prd.md` is missing or skeletal, the planner offers to draft it — each section written from your own interview answers, applied only on per-section confirmation. After that birth the PRD is yours (rad-repo-manager keeps it fresh); the planner never edits an existing PRD. Other durable-doc changes go into a paste-ready `docs/[date]-update-prompt.md` for you to apply — durable docs stay under your control. Pairs with rad-repo-manager (which maintains plan.md status and PRD freshness between plans); works standalone. Two agents: `stack-advisor`, `risk-assessor`.

Explain a project to humans, honestly — without overpromising or inventing features that aren't in the repo. Five skills generate audience-targeted communications from your project's actual artifacts (code, docs, planning files): - `narrate-project` — plain-English description, audience-adaptive (non-dev / investor / future-self / new-collaborator) - `elevator-pitch` — ~150 words, ~30 seconds spoken - `draft-pitch` — one-pager / executive summary for funding, grants, partnerships - `explain-document` — interpret a specific repo file ("what does this commit me to?", "where could this go wrong?") - `ground-readme` — generate or audit a README so it stays grounded in source (two modes: audit existing, or generate new) Two pure-stdlib Python validators run on every output: `check-grounding.py` traces each substantive claim back to repo source, and `check-overpromise.py` flags superlatives, vague-quantity claims, marketing fluff, and production-readiness assertions without evidence. Works on any repo with no rad-planner dependency. Reads canonical `docs/` if present (vision.md, decisions/, planning/current.md, status.md, roadmap.md), falls back to README + project manifest + source structure when absent. The plugin's own README passes its own `check-overpromise.py`.

A repo manager for vibe coders — keeps a project's docs minimal, consistent, and honest so coding agents don't get confused or misled by contradictory information. It is the 'manager'; your coding agent is the 'employee.' Four skills, two of them deliberately lean: - `/startup` — orient at the start of a session: read the four active docs + git state, run the two cheap mechanical scans (loose docs, stale docs), surface where you are + what's next + whether the docs are trustworthy. Read-only; recommends `/repo-init` on a fresh repo or `/repo-align` when the scans show drift. - `/wrapup` — leave a clean handoff for a new chat or a post-compaction continuation. Overwrites `docs/handoff.md` from git evidence (not chat memory), then reconciles the active core docs with the session — applying scoped updates to the docs it owns (`docs/plan.md`, AGENTS.md operational sections) on your OK, and drafting exact edits to stale user-owned docs (prd/design/decisions) applied only on per-edit confirmation. Ends with a one-line hygiene pulse. No status/roadmap files, no auto-commit, never runs tests. - `/repo-init` — first-run setup: scaffold the compact doc model (core docs, thin agent shims, minimal folders) on a new or nearly empty repo. Creates only what's missing; never invents product content; never overwrites user-authored files without confirmation. - `/repo-align` — the opt-in deep clean: find drift (contradictions, redundancy, stale/loose/misplaced docs, broken read paths) and propose fixes interactively. Proposes — never auto-acts; moves tracked files with `git mv` to preserve history. Plus an ambient hook layer (Claude Code-only, silent in repos that don't use the doc model, never blocking, says nothing on green): SessionStart injects a one-line doc-health note when something is stale or loose; PreCompact preserves the handoff's raw material (validation results, files changed, next action) through compaction; Stop reminds about wrapup at most once per session when real work is uncommitted and the handoff isn't fresh. The doc model is a tiny, declared, defended core — `AGENTS.md`, `docs/prd.md`, `docs/plan.md`, `docs/handoff.md` (prd/plan/handoff carry an `**Updated:**` freshness stamp) — plus conditional `docs/design.md`, a closed `docs/reference/` catalog, and `docs/archive/` for history. The boundary that matters: `docs/plan.md` owns the durable roadmap/scope/gates/stop-conditions; `docs/handoff.md` owns only the short resume snapshot for the next chat. The plugin authors `AGENTS.md` operational sections, the `CLAUDE.md`/`GEMINI.md` shims, and `docs/handoff.md`; durable changes (prd, design, decision-log) are drafted as exact edits and applied only on your explicit per-edit confirmation. Five pure-stdlib validators: the cheap pair (`repo-scan`, `doc-freshness`) runs every session; the deep trio (`doc-contradiction`, `doc-redundancy`, `audit-user-content`) runs in `repo-align`. Replaces rad-session; Claude-side counterpart to the Codex rad-repo-manager skills. Pairs with rad-planner (which owns `docs/plan.md` content and can birth `docs/prd.md` from its discovery interview; wrapup recommends `/rad-planner:replan` when plan divergence is structural rather than restructuring it itself); works standalone.