Create Architecture Decision Records (ADRs) documenting strategic technical decisions while acknowledging ecosystem E(t) constraints. Use when choosing cloud providers, languages, frameworks, databases, or architectural patterns.
/plugin marketplace add foolishimp/ai_sdlc_method/plugin install aisdlc-methodology@aisdlcThis skill is limited to using the following tools:
Skill Type: Actuator (Design Documentation) Purpose: Document architecture decisions acknowledging ecosystem E(t) Prerequisites: Strategic technical decision needed
You are creating Architecture Decision Records (ADRs) that acknowledge ecosystem E(t) constraints.
Critical: ADRs document GIVEN constraints (E(t)), not just CHOSEN solutions.
Format: "Given E(t), we chose X" (not "we chose X")
# ADR-{ID}: {Decision Title}
**Date**: {YYYY-MM-DD}
**Status**: Accepted | Rejected | Superseded | Deprecated
**Deciders**: {Who made this decision}
---
## Context
**Requirements**:
- <REQ-ID>: User authentication
- REQ-NFR-SEC-001: Secure password storage
**Problem**:
We need to choose a password hashing algorithm that is secure
against brute force attacks while maintaining acceptable performance.
**Ecosystem E(t) Constraints**:
- Team Experience: Team familiar with bcrypt
- Infrastructure: Running on AWS (bcrypt supported)
- Compliance: PCI-DSS recommends strong hashing
- Performance: Login response must be < 500ms (REQ-NFR-PERF-001)
- Libraries Available: bcrypt, argon2, scrypt available
---
## Decision
**Selected**: bcrypt with cost factor 12
**Rejected Alternatives**:
- SHA256: ❌ Too fast (vulnerable to brute force)
- MD5: ❌ Cryptographically broken
- Argon2: ⚠️ Better security but team unfamiliar, migration risk
- scrypt: ⚠️ Good security but less widely supported
**Rationale**:
1. bcrypt is industry standard (acknowledged E(t))
2. Team has experience with bcrypt (acknowledge E(t) - team capabilities)
3. Cost factor 12 balances security and performance
4. Meets PCI-DSS requirements (acknowledge E(t) - compliance)
5. Login tests show 200ms average (well within 500ms SLA)
---
## Ecosystem Constraints Acknowledged
**Team** (E(t)):
- Team knows: bcrypt, SHA256
- Team doesn't know: Argon2 implementation
- Risk: Learning curve with Argon2
**Infrastructure** (E(t)):
- Platform: AWS Lambda + RDS PostgreSQL
- bcrypt: Native support, no additional dependencies
- Argon2: Would need custom layer
**Compliance** (E(t)):
- PCI-DSS: Requires strong, salted hashing
- bcrypt: Explicitly mentioned in PCI guidelines
- Audit: External auditors familiar with bcrypt
**Performance** (E(t)):
- Requirement: Login < 500ms (REQ-NFR-PERF-001)
- bcrypt (cost 12): ~200ms (acceptable)
- Argon2: ~250ms (acceptable but no experience)
**Timeline** (E(t)):
- Sprint: 2 weeks
- bcrypt: No learning curve (immediate)
- Argon2: 2-3 days research + testing
---
## Constraints Imposed Downstream
**Code Stage** (constraints for implementation):
- MUST use bcrypt library (not custom hashing)
- MUST use cost factor 12 (not lower)
- MUST salt passwords (bcrypt does this automatically)
**Runtime Stage** (constraints for deployment):
- Infrastructure: bcrypt library must be available
- Performance monitoring: Track hash time (should be ~200ms)
**Testing Stage**:
- Test hash time (ensure < 500ms)
- Test bcrypt version (security updates)
---
## Consequences
**Positive**:
- ✅ Team productive immediately (no learning curve)
- ✅ Proven security (industry standard)
- ✅ PCI-DSS compliant (audit-friendly)
- ✅ Performance acceptable (< 500ms)
**Negative**:
- ⚠️ Not latest algorithm (Argon2 is newer)
- ⚠️ Vendor lock-in to bcrypt (migration costly)
**Neutral**:
- Cost factor 12 is balance (could be 10 for faster, 14 for stronger)
---
## Related Decisions
- ADR-001: Database selection (PostgreSQL)
- ADR-003: Session management (JWT)
**Supersedes**: None
**Superseded By**: None
---
## References
- PCI-DSS Password Requirements: https://www.pcisecuritystandards.org/
- bcrypt Documentation: https://en.wikipedia.org/wiki/Bcrypt
- OWASP Password Storage: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
Sequential: ADR-001, ADR-002, ADR-003, ...
Categories:
Create ADR for:
Don't create ADR for:
[CREATE ADR - bcrypt Password Hashing]
Decision: Use bcrypt for password hashing
Context:
Requirements: <REQ-ID>, REQ-NFR-SEC-001
Problem: Need secure password hashing
Ecosystem E(t): Team knows bcrypt, PCI-DSS compliant, AWS supported
Decision:
Selected: bcrypt (cost factor 12)
Rejected: SHA256 (too fast), Argon2 (team unfamiliar)
Ecosystem Constraints Acknowledged:
- Team capabilities: knows bcrypt ✓
- Compliance: PCI-DSS requires strong hashing ✓
- Performance: Must be < 500ms ✓
- Infrastructure: AWS supports bcrypt ✓
Constraints Imposed:
- Code must use bcrypt library
- Code must use cost factor 12
- Runtime must have bcrypt available
Created: docs/adrs/ADR-002-password-hashing.md
✅ ADR Created!
Architecture decision documented
Ecosystem E(t) acknowledged
Downstream constraints clear
Why ADRs?
ADRs vs Constraints (C-*):
Example:
C-001: PCI-DSS requires strong password hashing (GIVEN)
ADR-002: We chose bcrypt (GIVEN C-001 and team skills)
Homeostasis Goal:
desired_state:
all_strategic_decisions_documented: true
ecosystem_constraints_acknowledged: true
rationale_clear: true
"Excellence or nothing" 🔥
Creating algorithmic art using p5.js with seeded randomness and interactive parameter exploration. Use this when users request creating art using code, generative art, algorithmic art, flow fields, or particle systems. Create original algorithmic art rather than copying existing artists' work to avoid copyright violations.
Applies Anthropic's official brand colors and typography to any sort of artifact that may benefit from having Anthropic's look-and-feel. Use it when brand colors or style guidelines, visual formatting, or company design standards apply.
Create beautiful visual art in .png and .pdf documents using design philosophy. You should use this skill when the user asks to create a poster, piece of art, design, or other static piece. Create original visual designs, never copying existing artists' work to avoid copyright violations.