[ PACK LIBRARY / PACK 03 ]
Software Development
Architecture to shipped code, reviewed and tested.
45 PLAYBOOKS — 3 OPEN AS FREE SAMPLES
The sample playbooks below are open in full. Unlock the pack once and every playbook here becomes readable, updates included.
BLUEPRINTS/ 6
- BLUEPRINTLOCKED
Scaffold, auth, bill, and deploy a SaaS in coordinated waves
Theo, Idris, Root, Jason, Jerry, and Torque take a product from empty repo to a running, authenticated, billed, deployed, tested, and security-reviewed skeleton, with auth handed to a named specialist and a review step, since auth and billing are exactly where scaffolding agents make the costliest mistakes.
- BLUEPRINTLOCKED
Stand up a self-iterating build loop with a real verification gate
Root, Satchmo, Jason, and Kayle wire an unattended build-verify-ship loop scoped to a real blast radius, with a stop condition and cost tracking so it keeps shipping verified work within a budget. Directly answers the 2026 finding that teams wiring up agent loops without a verification gate are the ones that spend without shipping.
- BLUEPRINTLOCKED
Rescue a legacy codebase: audit, refactor plan, staged migration
Kayle, Jerry, Jason, and Root build a real map of a brownfield repo with systematic debugging and differential review, then produce a prioritized, staged detangling plan that sequences the risky changes behind the safe ones.
- BLUEPRINTLOCKED
Launch web and native builds sharing one backend and test suite
Theo, Kira, Idris, and Jason build synchronized Next.js and React Native surfaces against one backend and one Playwright suite, so the two clients never drift into separate codebases.
- BLUEPRINTLOCKED
Launch a product that is a web app and an MCP server on day one
Orbit, Theo, Root, and Jason ship a product usable both as a normal web app and as a tool inside Claude Desktop, ChatGPT, Cursor, and VS Code from day one, published and CI-gated so the MCP surface ships and stays tested alongside the web app.
- BLUEPRINTLOCKED
Bootstrap a multi-agent dev org: coordinator, worker lanes, advisor gate
Satchmo, Kayle, Root, and Zack set up a main-seat/worker-lane split with a second-opinion advisor gate, so cheaper and specialized executors each run under an explicit spec while the main seat keeps planning, review, verification, and git.
FEATURES/ 12
- FEATURELOCKED
Add passkey + Bitcoin wallet auth to an existing Next.js app
Theo and Jerry add modern auth without hand-rolling session or token handling, security-reviewed before merge. Siggy's Sigma Identity patterns give wallet-native sign-in alongside passkeys.
- FEATURELOCKED
Add 2FA / passkey step-up to existing auth
Jerry and Theo close an account-takeover gap with tested step-up auth and a device-authorization flow for CLI and desktop, security-reviewed before it ships so the new factor doesn't open a fresh hole of its own.
- FEATURELOCKED
Expose an existing app's core actions as an MCP server
Orbit makes the product callable by any MCP host — Claude Desktop, ChatGPT, Cursor, VS Code — without a second integration effort, with the tool contract designed to be safe and discoverable.
- FEATURELOCKED
Add an AI-rendered dashboard or form surface, safely
Theo and Orbit build a generative-UI surface that renders from model output via json-render without raw HTML injection, so users get dashboards and forms that recompose around whatever data the model returns.
- FEATURELOCKED
Add an e2e suite and a merge-blocking coverage gate
Jason and Root add Playwright end-to-end coverage and wire it as a CI gate that blocks merges, replacing we-will-add-tests-later with an enforced bar.
- FEATURELOCKED
Migrate a feature to Next.js 16 async APIs without breaking it
Theo runs a codemod-driven migration to Turbopack and async APIs, with a react-doctor pass to catch re-render and hook regressions, so a feature keeps working across the platform major.
- FEATURELOCKED
Add Stripe billing and signature-verified webhooks to an app
Theo builds subscription billing with idempotent, signature-verified webhook handling, Jason covers the event matrix with test cards, and Jerry security-reviews it, so retries and out-of-order events resolve to exactly one fulfillment.
- FEATURELOCKED
Add realtime sync: live updates, presence, collaborative state
Idris and Theo add live-updating UI with presence and shared state on Convex, without hand-rolling WebSocket plumbing.
- FEATURELOCKED
Add a validated, optimized file upload and storage pipeline
Idris, Theo, and Torque add size-limited, validated file handling on Convex storage with images optimized on the way in, so uploads stay bounded and every stored image is already compressed for delivery.
- FEATURELOCKED
Add a monitored background job / cron pipeline
Idris and Root add scheduled, monitored work with real observability on Convex cron, replacing fire-and-forget setTimeout calls that silently fail.
- FEATURELOCKED
Add cost/token tracking and budget guardrails to an agentic feature
Satchmo and Root instrument an agent workflow with per-request cost tracking and a budget ceiling, so monthly bills stop swinging 2-3x quarter over quarter. Cost volatility is the top 2026 pain point for teams running agentic workflows.
- FEATURELOCKED
Wire up repo guardrails with Claude Code hooks
Zack and Root add enforced pre-commit checks — lint, secret scans, format, type-check — that run automatically on every commit, so the repo's rules hold even when someone's rushing a fix under deadline.
TASKS/ 16
- TASKLOCKED
Run a dependency + secrets audit before a release
Paul produces a go/no-go release gate with known CVEs and leaked secrets caught before ship, so a release doesn't carry a supply-chain or credential-exposure surprise into production.
- TASKFREE SAMPLE
Run a full performance audit: Lighthouse, bundle, images
Torque returns a scored, prioritized fix list covering blocking scripts, oversized bundles, unoptimized images, and render-blocking CSS, ranked so you can act on the biggest wins the same day.
- TASKLOCKED
Security-scan a single PR before merge
Jerry runs a severity-rated Semgrep and CodeQL scan of one diff, catching injection, auth, and data-flow issues before they merge. Routing pattern-detectable issues to an agent reserves human attention for the critical logic.
- TASKLOCKED
Differential review of a risky diff before merge
Kayle runs a structured before/after risk read on a change too big to eyeball, so the review doesn't degrade into generic feedback the way a single big prompt does past 200 lines.
- TASKLOCKED
Run a three-phase adversarial bug hunt
Jerry, Kayle, and Jason run a Hunter-Skeptic-Referee pass that produces high-fidelity bug reports without single-model sycophancy — the multi-agent review pattern that outperforms one-prompt review on anything non-trivial.
- TASKLOCKED
Backfill unit and integration coverage for an untested module
Jason puts a safety net around code nobody dares touch, using property-based testing to cover the happy path, the edge cases, the error conditions, and the invariants that must always hold, so the module can finally be refactored safely.
- TASKLOCKED
Run a free-roam exploratory bug-discovery session on staging
Jason explores staging like a real user and surfaces the bugs a scripted suite never thinks to try, returning a reproducible list before those defects reach production.
- TASKLOCKED
Verify CI is green before proceeding
Root turns CI status into a blocking gate that holds every downstream step until the pipeline is green, so nothing builds on a broken commit.
- TASKLOCKED
Publish an npm package: version bump, changelog, release
Root and Orbit run a clean, reproducible release with the version bumped, changelog written, and tag pushed in one pass, so the published package matches exactly what's in the repo.
- TASKLOCKED
Publish an MCP server that installs cleanly for other teams
Orbit runs the MCP publish checklist — npx compatibility, package.json fields, discovery metadata, install docs — so the server installs cleanly on a teammate's machine the first time they run it.
- TASKLOCKED
Build a codebase context map before a big audit
Kayle produces a map of the codebase — module boundaries, data flow, entry points, external dependencies — so the next audit or refactor starts from a shared reference every reviewer can read.
- TASKLOCKED
Cut page weight with an image and bundle optimization pass
Torque compresses images and trims the largest bundle contributors, cutting page weight and JavaScript payload without a redesign or any change to how the product behaves.
- TASKLOCKED
Wire Claude Code hooks for a repo's guardrails
Zack and Root configure repo hooks so lint, secret, and format checks run automatically on every change, turning a convention nobody follows into an enforced guardrail.
- TASKLOCKED
Map the attack surface of a new service before a pentest
Paul enumerates every externally reachable input for a service before a pentest, so the review starts from a complete surface map with each endpoint, header, parameter, and upload path accounted for.
- TASKLOCKED
Scaffold a correctly structured internal Claude Code plugin
Zack scaffolds a plugin with the directory layout that auto-discovery expects for skills, agents, hooks, and commands, so every component registers the first time the plugin loads.
- TASKLOCKED
Organize technical-control evidence for a SOC 2 audit
Paul assembles and structures the technical-control evidence an auditor will ask for, so the audit opens with an organized evidence set mapped to each control in scope.
CHAINS/ 6
- CHAINFREE SAMPLE
Delivery chain: architecture plan to build to test to security audit
Kayle plans the architecture, Theo builds, Jason tests, and Jerry security-audits — one feature carried end to end through four named specialists with a clean handoff at each stage, the maker-checker pattern that outperforms one big review prompt. The canonical Kayle-to-Theo-to-Jason-to-Jerry chain.
- CHAINLOCKED
Ship-a-feature-safely chain: build to perf audit to test to deploy
Theo builds, Torque runs a perf audit, Jason tests, and Root deploys, with each handoff blocking the next, so a feature is measured for speed and covered by tests before it ever reaches a user.
- CHAINLOCKED
Security incident response chain: sweep to audit to risk call to patch
Paul sweeps for exposure, Jerry audits the affected code, Kayle makes the risk call, and Root ships the patch, so an incident moves through one ordered path with a single owner at each step.
- CHAINLOCKED
Platform upgrade chain: impact assessment to codemod to regression to verify
Kayle assesses impact, Theo runs the codemod, Jason regression-tests, and Root verifies CI — so a major-version upgrade lands without a surprise outage.
- CHAINLOCKED
MCP productization chain: build to package to test contract to publish
Orbit builds the MCP server, Zack shapes the command surface, Jason tests the tool contract, and Root publishes — turning an internal tool into an installable, tested, published MCP server.
- CHAINLOCKED
Agent system bootstrap chain: design to author to review to benchmark
Satchmo architects the agent, Zack authors it, Kayle reviews, and Jason benchmarks — so a new agent is designed, built, reviewed, and measured before it's trusted with real work.
FOUNDATIONS/ 5
- FOUNDATIONFREE SAMPLE
Tech-stack manifest: languages, frameworks, infra, and who owns what
A machine-readable manifest of the buyer's real stack so every other playbook in this pack starts from documented facts about the languages, frameworks, infra, and ownership in play — the AGENTS.md-style onboarding doc that agent-compatible codebases now depend on.
- FOUNDATIONLOCKED
CI/CD baseline doc: provider, required checks, deploy targets, secrets policy
Root documents the pipeline provider, required checks, deploy targets, and secrets policy, so deploy and CI playbooks plug into the buyer's actual pipeline on their first run.
- FOUNDATIONLOCKED
Coding conventions and review-bar doc: lint rules, commit style, merge blockers
A fill-in-the-blank doc capturing lint rules, commit style, PR size limits, and merge blockers, so review and test playbooks enforce the buyer's actual bar on every change they touch.
- FOUNDATIONLOCKED
Security and compliance profile: sensitive-data map, controls, sign-off owner
Paul maps the sensitive data, applicable controls, sign-off owner, and residual risk via a gap analysis, so security tasks scope to what actually matters for this buyer's risk profile.
- FOUNDATIONLOCKED
Agent operating charter: installed staff, model tier, escalation path
Satchmo and Root document which staff are installed, their budget and model tier, and the escalation path, so blueprint and chain playbooks know which agents exist in this org and when to escalate to a human.