Skip to content

feat: add twelve-factor app skill and compliance audit agent#93

Merged
citypaul merged 5 commits into
mainfrom
feat/twelve-factor-skill
Mar 15, 2026
Merged

feat: add twelve-factor app skill and compliance audit agent#93
citypaul merged 5 commits into
mainfrom
feat/twelve-factor-skill

Conversation

@citypaul

@citypaul citypaul commented Mar 15, 2026

Copy link
Copy Markdown
Owner

Summary

  • New twelve-factor skill (377 lines) with actionable TypeScript patterns for building 12-factor compliant applications — covers all 12 factors with code examples, anti-patterns, and a verification checklist
  • New twelve-factor-audit agent (330 lines) for auditing existing Node.js/TypeScript codebases against the 12-factor methodology — produces structured compliance reports with file/line citations, code suggestions, and prioritized action plans
  • All 12 factors addressed: Factors I-XII with full code treatment for code-affecting factors and brief guidance for operational factors
  • Greenfield projects must follow all factors; brownfield projects get a prioritized 5-step adoption order
  • Integrated with /setup command for automatic detection of 12-factor patterns (Dockerfile, docker-compose, Procfile, .env.example, Kubernetes manifests)
  • Updated install-claude.sh (16 skills, 10 agents), README.md, and agents/README.md with all counts, tables, and listings

Key design decisions

  • Scope: Core factors (config, deps, backing services, logs) apply to any deployed app including frontends. Server-specific factors (port binding, concurrency, disposability) apply only to backend services.
  • Code examples: All follow the repo's TypeScript conventions — factory functions, options objects, Zod schemas at trust boundaries, Pick<Config> for minimal surface, no any types
  • Logging: Prescriptive on semantics (structured, stdout, levels, correlation IDs) but flexible on implementation (any library is fine)
  • TDD integration: Dedicated section on how to test 12-factor patterns (config validation, shutdown, backing services) through behavior-driven tests
  • Agent: Covers all 12 factors with Grep/Glob search patterns, false-positive guidance per factor, three response modes (full audit, quick health check, specific factor)

Files changed

File Change
claude/.claude/skills/twelve-factor/SKILL.md New (377 lines)
claude/.claude/agents/twelve-factor-audit.md New (330 lines)
claude/.claude/CLAUDE.md Skill catalog + workflow reference
claude/.claude/commands/setup.md 12-factor detection step
claude/.claude/agents/README.md Agent entry, decision table, summary
README.md Counts, tables, agent section, curl commands
install-claude.sh mkdir, arrays, summary counts
.changeset/twelve-factor-skill.md Minor bump

Test plan

  • stow claude succeeds, ~/.claude/skills/twelve-factor/SKILL.md is symlinked
  • grep twelve-factor ~/.claude/CLAUDE.md shows catalog entry and workflow reference
  • ./install-claude.sh --skills-only includes the new skill
  • Run twelve-factor-audit agent against an existing service project
  • Run /setup on a project with a Dockerfile to verify 12-factor detection
  • Verify all counts in README.md match actual file counts (16 skills, 10 agents)

🤖 Generated with Claude Code

citypaul and others added 4 commits March 15, 2026 11:56
Add a new `twelve-factor` skill with actionable TypeScript patterns for
building 12-factor compliant services (config, dependencies, backing
services, stateless processes, disposability, logging). Includes a
`twelve-factor-audit` agent for auditing existing codebases against the
methodology with compliance reports and prioritized suggestions.

Greenfield projects must follow all factors; brownfield projects adopt
incrementally with a prioritized adoption order.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Skill fixes:
- Fix response.json() returning any — now validates through schema
- Fix config.QUEUE_URL compile error — removed undefined field
- Fix server.close() not awaited — now promisified
- Fix JSON.stringify(error) producing {} — proper error serialization
- Fix process.exit(0) after errors — exits non-zero on failure
- Add drain timeout to prevent hung shutdown processes
- Add health check endpoint pattern (/health, /ready)
- Add Factor VIII (Concurrency) — separate entry points, process types
- Add optional config and complex config examples (SENTRY_DSN, ALLOWED_ORIGINS)
- Add startup fail-fast with clear error message on invalid config
- Add request correlation ID to logging requirements
- Add setInterval/node-cron as stateless anti-pattern
- Expand brownfield adoption order (swap backing services before stateless)
- Broaden scope — applies to any deployed app, not just backend services
- Add code example to Dependencies section

Agent fixes:
- Scope explicitly to Node.js/TypeScript in description
- Add all 12 factors (was missing I, V, VIII)
- Add ORM detection patterns (Prisma, TypeORM, Drizzle, Sequelize)
- Add response patterns (full audit, quick health check, specific factor)
- Use Grep tool parameters instead of bash grep
- Add instruction to write report to file
- Improve false-positive guidance for statelessness checks

Documentation updates:
- README.md: Update all counts (15→16 skills, 9→10 agents, 21→22 total)
- README.md: Add twelve-factor to Key Sections table
- README.md: Add two entries to Skills Guide problem table
- README.md: Add full agent #10 section with audit table
- README.md: Add curl command for project-specific install
- README.md: Update Documentation section agent list
- agents/README.md: Add twelve-factor-audit to overview, decision table, summary
- install-claude.sh: Update summary message counts

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Skill:
- Fix ALLOWED_ORIGINS default producing [''] instead of [] on empty string
- Fix concurrency example referencing QUEUE_URL not in schema (use REDIS_URL)
- Fix logger spread overwriting reserved keys (namespace under context)
- Fix admin script missing try/finally for db cleanup
- Fix shutdown signal type to 'SIGTERM' | 'SIGINT' union
- Add Factor I (Codebase) section — one codebase per service, monorepo guidance
- Add Factor V (Build/Release/Run) section — same artifact all envs, no baked config
- Add dependency isolation rule (node_modules, not global installs)
- Add backing services Pick<Config> for minimal surface
- Add TDD integration section — how to test config, shutdown, backing services
- Add codebase and build items to checklist
- Cross-reference typescript-strict and testing skills in intro

Agent:
- Replace remaining bash grep commands with proper Bash alternatives
- Add false-positive guidance for Factors II, III, IV, VI, XI

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@citypaul citypaul changed the title feat: add twelve-factor app skill and audit agent feat: add twelve-factor app skill and compliance audit agent Mar 15, 2026
Clarify service-only scope and correct grep/lockfile instructions to avoid false audit results. Align README terminology with the agents' workflow guidance.
@citypaul

Copy link
Copy Markdown
Owner Author

Automated PR Review

Summary

Category Status Issues
TDD Compliance N/A Documentation-only PR
Testing Quality N/A No production logic to test
TypeScript Strictness PASS All code examples follow strict conventions
Functional Patterns PASS All code examples use immutable patterns
General Quality PASS 1 minor observation

Recommendation: APPROVE

CI: OpenCode Compatibility check passes.


What's Good

This is a well-structured documentation and tooling PR. The content quality is high throughout.

Skill content (SKILL.md):

  • All TypeScript examples follow repo conventions precisely — factory functions with options objects, Pick<Config, ...> for minimal surface, Zod schemas at trust boundaries, z.infer<> for derived types, readonly arrays via as const, no any types
  • The createConfig pattern is a clean reference implementation: validates at startup, logs structured JSON before process.exit(1), exports a plain Config type
  • The graceful shutdown example is thorough: drain timeout via setTimeout, awaits server.close(), cleans up backing service connections, exits with process.exit(1) on failure — all the details that get missed in real projects
  • The logging section is appropriately prescriptive on semantics (structured, stdout, levels, correlation IDs) while staying flexible on library choice — a good design decision for a reusable skill
  • The brownfield adoption order (Config -> Logs -> Disposability -> Backing Services -> Stateless) is a practical prioritisation that acknowledges real-world constraints
  • Cross-references to typescript-strict, testing, functional, and hexagonal-architecture skills are well-placed

Agent content (twelve-factor-audit.md):

  • The false-positive guidance per factor is genuinely useful — the notes on localhost in .env.example being acceptable, new Map() inside a function vs. module scope, and Winston with console transport being compliant show careful thinking about real codebases
  • The three response modes (full audit, quick health check, specific factor) follow the same pattern as other agents in the repo
  • The instruction to write the report to twelve-factor-audit.md rather than chat is consistent with the output guardrails in CLAUDE.md
  • Explicit use of Grep/Glob tools rather than bash grep is correctly enforced

Integration:

  • CLAUDE.md skill catalogue entry and workflow reference are minimal and correct
  • /setup detection heuristics (Dockerfile, docker-compose, Procfile, .env.example, PORT binding, k8s manifests) cover the common cases without being exhaustive
  • All counts updated consistently across README.md, install-claude.sh, and agents/README.md
  • Changeset file is present and correctly typed as minor

Suggestions (Nice to Have)

SKILL.md — Factor II example imports a package that may not be a standard dependency

The checkSystemDependencies example uses import which from 'which'. This is a real npm package and the example is illustrative, but a reader might add it as a dependency without realising it is only needed if their app shells out to system tools. A one-line note like "add which as a dependency if your app calls system tools" would make the example self-contained. Very minor.

twelve-factor-audit.md — Factor VI search pattern for in-process schedulers

The Grep pattern for setInterval|node-cron|schedule\.scheduleJob will match test files and utility helpers. The other factors explicitly note exclusion of test files, but Factor VI does not include the same false-positive note. Consistent to add: "False positive note: setInterval in test utilities (fake timers) and one-off scripts is acceptable. Only flag production request-handling code."


Generated by pr-reviewer agent

@citypaul citypaul merged commit 5cf7c5b into main Mar 15, 2026
1 check passed
@citypaul citypaul deleted the feat/twelve-factor-skill branch March 15, 2026 12:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant