Stats
Actions
Tags
From bsky
Structured design process for software projects. Produces specification artifacts (problem space, requirements, architecture, threat model, test plan) in docs/design/ before implementation begins. Scales from lightweight to full ceremony based on scope.
How this skill is triggered — by the user, by Claude, or both
Slash command
/bsky:designThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Produce design artifacts before implementation. The output lives in `docs/design/` and
Produce design artifacts before implementation. The output lives in docs/design/ and
becomes the source of truth that /develop works from.
If a required-environment-variables memory exists (scope: global), read and apply it.
Also load any project-scoped memories (use list filtered by project scope) if not already
loaded this session.
$ARGUMENTS describes what to design. It can be:
| Form | Meaning |
|---|---|
| Free text | Describe the thing to design — run from Phase 0 |
problem <text> | Phase 1 only — define the problem space |
requirements <text> | Phases 1-2 — problem space through requirements |
architecture <text> | Phases 1-3 — through architecture |
threat-model | Phase 4 only — threat model existing architecture in docs/design/ |
test-plan | Phase 5 only — derive test plan from existing SRTM |
review | Re-read docs/design/, check effectiveness signals, suggest revisions |
<component>: <text> | Component-scoped — artifacts go in docs/design/<component>/ |
When a specific phase is requested, check that prerequisite artifacts exist. If
docs/design/architecture.md doesn't exist and the user asks for threat-model,
say so and offer to run the earlier phases first.
You are the facilitator. Your job:
docs/design/ after user approval at each gatedocs/design/README.md)You do NOT: make design decisions unilaterally, skip human gates, or treat any phase as mandatory without discussing scope with the user first.
Before starting the design process, establish how much ceremony this work needs.
Read the task description and any existing docs/design/ artifacts. Also check for a global design-effectiveness memory via memory-mcp recall — if it
exists, read it. Previous patterns inform the depth recommendation (e.g., "lightweight
has been the right call for most designs so far" or "code review found security gaps
last time threat modeling was skipped").
Then assess:
docs/design/ exists, this may be
an iteration rather than a fresh design.Propose a depth to the user:
| Depth | When | Phases |
|---|---|---|
| Lightweight | Small feature, well-understood domain, low risk | 1 (abbreviated) -> 2 (key requirements only) -> skip to 5 |
| Standard | New component, moderate complexity, some unknowns | 1 -> 2 -> 3 -> discuss 4 -> 5 |
| Full | Greenfield system, security-critical, public API, regulatory | 1 -> 2 -> 3 -> 4 -> 5 |
State your recommendation and why. Wait for the user to confirm or adjust before proceeding. The user may override in either direction.
This phase is collaborative — no sub-agent. Work through these questions with the user, drafting as you go:
Draft the problem space document as you discuss. When the conversation converges:
Artifact: Write docs/design/problem.md
Gate: Present the draft to the user. Always wait for explicit approval
before proceeding to Phase 2.
Work through use cases and requirements with the user. This phase builds the foundation that architecture and testing are derived from.
For each actor identified in Phase 1, enumerate:
Present use cases in a structured table:
| ID | Actor | Use Case | Type | Priority |
|----|-------|----------|------|----------|
| UC-01 | User | Upload document for processing | Normal | Must |
| AC-01 | Attacker | Upload malicious payload | Abuse | Must-mitigate |
| SC-01 | System | Validate file type before processing | Security | Must |
Derive requirements from use cases. Each requirement should be:
For requirements that touch security, authentication, session management, access control, or data protection: reference the relevant OWASP ASVS category as a "have we considered this?" prompt. The ASVS categories:
Do NOT apply all categories mechanically. Flag the ones relevant to this project's domain and ask the user which merit deeper analysis. Record which categories were reviewed and which were deemed not applicable, with a one-line rationale.
Build a traceability matrix linking:
Use Case -> Requirement -> ASVS Category (if applicable) -> Test Case (placeholder)
The test case column starts as placeholders (e.g., "TC-01: verify...") — Phase 5 fills these in as a concrete test plan.
| Req ID | Requirement | Source UC | ASVS | Test Case |
|--------|-------------|-----------|------|-----------|
| R-01 | System shall validate file type | UC-01, AC-01 | V12.1 | TC-01 (pending) |
Artifact: Write docs/design/requirements.md (includes use case table, requirements,
ASVS review notes, and SRTM)
Gate: Present to user. Always wait for explicit approval before proceeding
to Phase 3.
Design the system architecture. This phase uses a sub-agent for diagram generation after the user approves the architectural decisions.
Work through these with the user collaboratively:
For each significant decision, note it for an ADR (written during /develop Phase 1.5,
or written here if the user prefers — ask).
After architectural decisions are agreed, dispatch an architecture sub-agent (model: sonnet) to generate Mermaid diagrams.
Sub-agent prompt template:
You are a technical documentation agent. Generate Mermaid diagrams based on
the architectural decisions provided. Produce clean, readable diagrams — not
exhaustive detail.
Architectural decisions:
<decisions from 3a>
Requirements:
<from docs/design/requirements.md>
Generate these diagrams in Mermaid syntax:
1. **System context diagram** — the system as a box, external actors and systems
around it, showing data flows. Use a C4-style approach.
2. **Component diagram** — internal components, their responsibilities, and
how they communicate. Include data stores.
3. **Data flow diagram with trust boundaries** — show where data crosses trust
boundaries (user <-> API, API <-> database, internal <-> external service).
Mark trust boundaries explicitly with subgraph labels.
This diagram is the primary input for threat modeling in Phase 4.
4. **Data schema** — entity-relationship diagram for the core data model.
Include key fields only, not every column.
5. **Key sequence diagrams** — for the 2-3 most important or complex
interactions identified in the use cases. Not every use case needs one.
For each diagram, include a brief prose description (2-3 sentences) explaining
what the diagram shows and any notable design choices visible in it.
Output format: markdown with ```mermaid code blocks, each preceded by an H3
heading and the prose description.
Present the generated diagrams to the user. Diagrams frequently need iteration — components may be misnamed, flows may be wrong, trust boundaries may be misplaced.
Critical: AI-generated architecture diagrams often contain subtle but significant flaws — missing trust boundaries, inappropriate data flows, wrong component responsibilities. The human review gate here is load-bearing. Your job: present the diagrams, flag anything you're uncertain about, and iterate until the user is satisfied.
Re-dispatch the sub-agent for significant changes; make minor edits directly.
Artifact: Write docs/design/architecture.md (prose decisions + Mermaid diagrams)
Gate: Present final architecture to user. Always wait for explicit approval
before proceeding to Phase 4.
This phase is the heaviest. Before starting, have an explicit conversation with the user about whether to proceed.
Present this to the user:
Threat modeling checkpoint.
Based on the architecture, I've identified these trust boundaries and data flows:
- [list trust boundaries from the data flow diagram]
- [list external-facing data flows]
A STRIDE analysis would systematically evaluate each data flow crossing a trust boundary for: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
This is the most time-intensive phase of the design process. It's most valuable for:
- Systems with external-facing APIs or user authentication
- Systems that handle sensitive data
- Systems where a security incident would have significant impact
Options:
- Proceed with full STRIDE analysis — thorough, takes time
- Lightweight review — I'll flag the most obvious concerns without systematic enumeration
- Defer — capture the trust boundaries now, do the analysis later (you can run
/design threat-modelwhen ready)- Skip — not needed for this scope
If a design-effectiveness memory exists and contains relevant signals (e.g.,
"code review found security gaps last time threat modeling was skipped"), mention
this in the discussion — it's a data point, not a mandate.
Wait for the user's choice. Do not default to any option.
Dispatch a threat modeling sub-agent (model: opus) to analyze the architecture.
Sub-agent prompt template:
You are a threat modeling agent performing STRIDE analysis. You are methodical
and precise. You do not invent threats that don't apply — false positives waste
the engineer's time and erode trust in the process. You do find threats that a
developer might overlook.
Architecture:
<from docs/design/architecture.md — include all diagrams>
Requirements:
<from docs/design/requirements.md>
Data flow diagram with trust boundaries:
<extract specifically from architecture.md>
For each data flow that crosses a trust boundary, analyze:
| Threat | Question |
|--------|----------|
| **Spoofing** | Can an entity be impersonated on this flow? |
| **Tampering** | Can data be modified in transit or at rest? |
| **Repudiation** | Can actions on this flow occur without accountability? |
| **Information Disclosure** | Can data leak via this flow (logs, errors, side channels)? |
| **Denial of Service** | Can this flow be used to exhaust resources? |
| **Elevation of Privilege** | Can this flow be used to gain unauthorized access? |
For each identified threat:
1. Describe the threat concretely (not "tampering is possible" but "an attacker
could modify the JWT payload because...")
2. Assess likelihood (low/medium/high) and impact (low/medium/high)
3. Propose a mitigation — either a new requirement or an architectural change
4. If the mitigation is a new requirement, format it as: "NEW-REQ: <requirement text>"
with a suggested ASVS category
Also check for:
- Injection vectors at each input boundary
- Authentication/authorization gaps in the flow
- Sensitive data exposure in logs, errors, or API responses
- Resource exhaustion vectors (unbounded queues, connections, memory)
- Supply chain concerns (dependencies with excessive privilege)
Output format:
## Trust Boundary: <name>
### Data Flow: <source -> destination>
| STRIDE | Threat | Likelihood | Impact | Mitigation |
|--------|--------|------------|--------|------------|
| S | ... | ... | ... | ... |
## New Requirements from Threat Model
- NEW-REQ-01: <text> (ASVS: <category>)
- ...
## Architectural Changes Recommended
- <change and rationale>
After the threat model sub-agent returns, present findings to the user. Then:
docs/design/requirements.md and
update the SRTM. These get traced like any other requirement.docs/design/architecture.md. Re-generate
affected diagrams if needed.This iteration — where threat modeling surfaces issues that change requirements and architecture — is where real engineering happens. It's the process working, not failing.
Artifact: Write docs/design/threat-model.md
Gate: Present threat model and any resulting requirement/architecture changes
to user. Always wait for explicit approval before proceeding to Phase 5.
Derive a test strategy from the SRTM. This phase bridges design into implementation —
the output is what /develop's planning agent uses to ensure tests are written.
For each requirement in the SRTM:
For requirements derived from threat modeling (NEW-REQ items):
| Test ID | Requirement | Type | Description | Automated? |
|---------|-------------|------|-------------|------------|
| TC-01 | R-01 | Unit | Upload handler rejects non-whitelisted MIME types | Yes |
| TC-02 | NEW-REQ-01 | Integration | Expired JWT returns 401, not partial data | Yes |
Artifact: Write docs/design/test-plan.md
Artifact: Update docs/design/requirements.md SRTM with final test case IDs
Artifact: Write/update docs/design/README.md — index linking all artifacts
with a brief status note for each
Gate: Present the complete design package to the user. Confirm it's ready to
hand off to /develop.
When invoked with review, this mode synthesizes effectiveness signals and checks
design health. No sub-agent needed.
docs/design/ for all files, check metadata
status and last-updated datesrecall for design-effectiveness
scoped to this project. If observations exist, summarize patterns.code-review-patterns memory exists,
check whether security findings in this project map to gaps in the design
(threat classes not covered, trust boundaries not enumerated).All artifacts live in docs/design/ (or docs/design/<component>/ for scoped designs).
docs/design/
README.md — index, status, scope summary
problem.md — problem space definition
requirements.md — use cases, requirements, SRTM, ASVS notes
architecture.md — decisions, Mermaid diagrams
threat-model.md — STRIDE analysis (if performed)
test-plan.md — verification strategy from SRTM
[requirements](requirements.md)<!-- design-meta
status: draft | review | approved
last-updated: YYYY-MM-DD
phase: 1 | 2 | 3 | 4 | 5
-->
When /develop starts, its planning agent should check for docs/design/README.md.
If it exists:
(This is a follow-on edit to /develop — the /design skill writes artifacts in
a format that makes this discovery straightforward.)
This skill participates in a distributed feedback loop across the skill system. The goal: automatically track whether design work is utilized effectively and surface signals for revision.
design-effectiveness memory if it exists. Previous patterns
inform the depth recommendation./code-review Phase 6: when docs/design/ exists, notes whether security
findings map to threat model coverage or represent gaps. Appends to
design-effectiveness memory./land Phase 1: when design artifacts exist, notes whether they were referenced
during the session. Appends./develop Phase 1: notes whether design artifacts informed the plan. Appends.Global memory design-effectiveness (scope: global). This tracks how the design
process itself is working across all projects — it's about the methodology, not any
single project's design. Each observation is a dated one-liner with project context:
2026-04-15 [elfin]: /code-review found auth bypass (P1) — threat model covered auth
flows but missed the /admin path. Gap in trust boundary enumeration.
2026-04-18 [memory-mcp]: /develop planning agent used requirements.md as plan
foundation — utilization confirmed.
2026-04-22: Phase 0 chose "lightweight" for the third consecutive design — full
process may be over-specified for typical task size.
| Sub-agent | Model | Rationale |
|---|---|---|
| Architecture diagrams (Phase 3b) | sonnet | Mechanical generation from agreed decisions |
| Threat modeling (Phase 4) | opus | Judgment-heavy — must distinguish real threats from noise |
Phases 0, 1, 2, and 5 are coordinator-led (collaborative with the user). The coordinator inherits the session model. No sub-agents needed — the value is in the conversation, not parallel analysis.
npx claudepluginhub butterflyskies/claude-marketplace --plugin bskyCreates bite-sized, testable implementation plans from specs or requirements, with file structure and task decomposition. Activates before coding multi-step tasks.