chore(skills): add superpowers plugin + vendor performance-audit skill bundle #117
Closed
scarson wants to merge 29 commits into
…l bundle Install superpowers@claude-plugins-official (v5.1.0) and enable it in repo settings. Vendor the non-colliding skills from the attached bundle into .claude/skills/ (superpowers-plus perf-audit/bug-hunter/build/handoff family, project-setup init skills, url-to-markdown). Project-customized colliding skills (writing-plans-enhanced, plan-review-cycle, bug-hunt-cycle, health-review-cycle, project-health-review) are preserved, not overwritten. Scaffold docs/perf-audits/ and record setup decisions in DECISIONS.md. https://claude.ai/code/session_01B2SLSJ6PN3tJaUDEE8SqTe
Survey (42k Go + 9.2k Vue prod LOC, one deployable), hot-path map, 10-slice disjoint partition + O1 overlay, cross-slice frequency calibration, depth tiers, verification mode, and the resumable progress ledger. Partition passed a 3-round adversarial review (sizing, hot-path accuracy, partition-design lens). https://claude.ai/code/session_01B2SLSJ6PN3tJaUDEE8SqTe
… 5 major, 5 minor) Six lanes (blind, cross-validated against source). Dominant findings: EPSS per-row advisory-locked transactions (~250k/run), merge child tables rewritten row-by-row per source write, archive adapters materialize the whole feed, and redundant 2x material_hash reads on the realtime-alert ingest path. 3 suspected bugs handed off (EPSS partial-run-as-complete). Adds shared lane preamble. https://claude.ai/code/session_01B2SLSJ6PN3tJaUDEE8SqTe
… 5 minor) Merge recomputes the canonical row from scratch per source write (re-reads + re-unmarshals all sources), issues ~12 un-pipelined round-trips with child tables rewritten row-by-row, writes an unguarded duplicate raw-payload row, and runs a redundant JCS pass per hash. Notes cross-slice agreement with S3 and corrects the FTS-GIN write-amplification concern (already guarded). 2 suspected bugs handed off. https://claude.ai/code/session_01B2SLSJ6PN3tJaUDEE8SqTe
… major, 5 minor) Realtime eval re-loads the entire active rule set per changed CVE and runs one candidate query per CVE x rule (O(CVEs x rules)), inline on the serial ingest loop; batch sweep buffers the whole window. Cross-validation confirmed a likely missed-alerts bug (cap+cursor) and refuted a flagged keyset bug as a false positive. 4 suspected bugs handed off (1 security-relevant). https://claude.ai/code/session_01B2SLSJ6PN3tJaUDEE8SqTe
…major, 6 minor) Missing composite keyset index on (date_modified_canonical, cve_id) is the marquee quick win; non-sargable CVSS/EPSS filters; serial 4-RTT detail fetch; database/sql vs pgx-native on the hot read path; required http.TimeoutHandler is absent everywhere. Lanes correctly refuted the scope brief's facet-aggregation region (not implemented). 3 suspected bugs handed off. https://claude.ai/code/session_01B2SLSJ6PN3tJaUDEE8SqTe
… 4 FULL slices) Tagged running feedback per the skill's feedback-template: blind-discovery and anti-padding both held; cross-validation caught a real missed-alerts bug and refuted a false positive; documents workarounds invented (shared-preamble file, autonomous whole-repo mode, wc-based LOC survey) and a sibling-file dispatch defect. Living doc — extended after each remaining slice. https://claude.ai/code/session_01B2SLSJ6PN3tJaUDEE8SqTe
…or, 8 minor) Fan-out is N+1 per matched CVE (invariant channel re-query + per-channel tx) — the canonical owner of S2's cross-slice ref; worker pool admits 1 job/tick; webhook MaxIdleConnsPerHost defaults to 2; security-event writer is tx-per-event and sheds under burst. Lanes corrected the scope brief (limiter is auth-only, not every-request) and cleared the delivery policies. 2 suspected bugs handed off. https://claude.ai/code/session_01B2SLSJ6PN3tJaUDEE8SqTe
…major, 7 minor) Both hypothesized criticals refuted from source (AI cache TTL-evicted; digest is LIMIT 500). Real findings: missing date index on ai_usage retention DELETE; AI call tx fan-out; digest runs inline on the worker loop and serial per-report. Calibration working (low-finding WARM slice). 2 suspected bugs handed off, including a user-facing digest watchlist-scoping bug. https://claude.ai/code/session_01B2SLSJ6PN3tJaUDEE8SqTe
Vue 3 SPA: unbounded deeply-reactive admin Load-More tables with per-row Intl formatting; no Vite vendor chunk split; template JSON.stringify; two independent-fetch waterfalls. Strong calibration — CVE table capped at 25 rows, no cross-nav leaks, all routes lazy, versions current. 6 suspected bugs handed off. https://claude.ai/code/session_01B2SLSJ6PN3tJaUDEE8SqTe
…5 major) Cold sweeps surfaced one systemic theme: withBypassTx 3-4 round-trips for single-row reads on non-RLS tables on every authenticated request (auth path runs 2x, login 3-5x). SCIM provisioning is the hot under-optimized part of S9 (list materialization, group N+1, per-member remap txns, uncached tier/config) plus an audit_log missing-index echoing S4. Strong confirmed-cold calibration elsewhere. https://claude.ai/code/session_01B2SLSJ6PN3tJaUDEE8SqTe
/readyz does two uncached DB round-trips per probe (the one operational finding); rest is per-request middleware micro-allocations + admin N+1s. Verified clean: metrics cardinality bounded, no per-request DB in middleware, SPA served from embedded FS, pool config sensible. All 10 coverage slices now complete. https://claude.ai/code/session_01B2SLSJ6PN3tJaUDEE8SqTe
Overlay reassembles the per-record ingest->merge->alert->notify cost (additive per-item transactions across 4 slices, serial at 3 choke points). Roll-up groups ~98 findings into 5 systemic themes (per-item transactions; SET LOCAL + simple-protocol multiplier; missing composite indexes; invariant re-computation in hot loops; whole-collection materialization) + frontend, with a prioritized fix list and a slice x severity heat map. No assume-hot findings outstanding. https://claude.ai/code/session_01B2SLSJ6PN3tJaUDEE8SqTe
All confirmed findings scheduled (default-FIX, no severity deferral), organized into 7 workstreams by systemic theme — indexes first (no-code quick win), then the ingest-pipeline round-trip reductions, alert/notify, auth/SCIM transactions, frontend, and the grouped minor tail. Each task carries a baseline + post-change demonstration + correctness guard (static-only: round-trip/complexity arguments, no fabricated numbers). 3 design decisions flagged for Sam in the deferred appendix. https://claude.ai/code/session_01B2SLSJ6PN3tJaUDEE8SqTe
…ddenda Folds in subagent-readiness fixes (migration 000046, NoTransaction concurrent indexes, ambiguity), cross-task ordering (W1 sequential same-file edits; bypass-read helper ownership; W0->W2->W3), and verification/security gates (EXPLAIN needs a seeded DB; T4.1/T2.1 require security-review; guards are real-data tests). https://claude.ai/code/session_01B2SLSJ6PN3tJaUDEE8SqTe
… + verdict) Part 2 covers REDUCED/COLD/frontend slices, the autonomous whole-repo mode I had to invent, the model-independent sibling-file dispatch defect (confirmed on opus and sonnet), rate-limit resumability, and the roll-up/overlay as highest-value artifacts. Final ranked top-3 skill changes + verdict: it found real, well-calibrated work with blind discovery and held anti-padding across all slices. https://claude.ai/code/session_01B2SLSJ6PN3tJaUDEE8SqTe
…e run Evidence-based, anti-sycophantic assessment against the eval rubric (covariates, naive-recovery counterfactual, D1-D10, pack evidence-map, open reflection). Headline: ~35% naive-recovery of crit+major; real margin was cold-tail discovery + cross-slice synthesis, not the packs (mostly sharpening); D8 autonomous-fit=2 (had to improvise headless mode); D3 bug/perf separation=5. Severity labels on static-only arguments flagged as the main false-authority risk. https://claude.ai/code/session_01B2SLSJ6PN3tJaUDEE8SqTe