Files
pm-skills/pm-ai-shipping
Claude 18468a95b4 Release v2.1.0: Opus 4.8-tuned pm-ai-shipping audits + CHANGELOG-driven release automation
pm-ai-shipping: mandatory Evidence citations verified before reporting,
concrete subagent fan-out contract, read-only allowed-tools on both audits,
N+1/waterfall detection and a refute pass in the performance audit,
untrusted-input hardening across the kit, parallel audits in /ship-check,
severity anchors + report consolidation, repo-relative paths.

Repo: CHANGELOG.md as release source of truth with auto-tag-and-release on
merge to main (adapted from phuryn/claude-usage, minus the .vsix build),
Tests workflow on every PR/push, unit + docs-consistency test suite,
contributor-credit conventions in CONTRIBUTING, all manifests synced at 2.1.0.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011URgT9hYuNrXeCvzjnqRxJ
2026-07-03 13:34:34 +02:00
..

pm-ai-shipping — AI Shipping Kit

For PMs and founders accountable for AI-built code. Document a vibe-coded app, audit it for intended-vs-implemented security gaps and performance issues, and produce a reviewer-ready shipping packet.

Overview

AI agents write code fast but leave no record of intent — what the system should do, who may do what, where the secrets live. Without that record, no human and no auditing agent can tell whether the code is safe to ship. This kit restores reviewability: it documents the system, then audits the gap between what the docs say and what the code does — the class of bug generic scanners miss because they have no model of intent.

Start with /ship-check for the full sequence, or run a single stage with the specialist commands.

Install

Install from the pm-skills marketplace and enable the pm-ai-shipping plugin. Each command can be triggered with /pm-ai-shipping:<command> or its short /<command> form; skills auto-load when the topic matches.

Skills (2)

  • shipping-artifacts — The durable documentation set that makes an AI-built app reviewable: a core every app needs (architecture, user/permission flows, permissions, variables/secrets, test-coverage map) plus conditional docs added only when they apply (emails, cron, SEO, embedded agents/automation). Defines what each doc must capture and how a reviewer uses it.
  • intended-vs-implemented — The method for finding the gap between what a system is documented to do and what the code actually does, with cited evidence on both sides and without hand-wavy findings.

Commands (5)

  • /pm-ai-shipping:ship-check — Turn a vibe-coded repo into a reviewer-ready shipping packet: document, wire agent context, run security and performance audits, map test coverage, and compile the results.
  • /pm-ai-shipping:document-app — Reverse-engineer a codebase into the system documents reviewers and auditors need — a core set (architecture, flows, permissions, variables) plus conditional docs (emails, cron, SEO, automation) when they apply.
  • /pm-ai-shipping:derive-tests — Turn documented intent into a test-coverage map: inventory the tests that exist today, separate them from proposed tests and unverified gaps, mark each unit / guarded-live / manual, and recommend a green-before-merge CI gate.
  • /pm-ai-shipping:security-audit-static — Static security audit: map trust boundaries, cross-reference documented intent, self-refute every finding, and report only evidence-backed risks.
  • /pm-ai-shipping:performance-audit-static — Static performance audit: find N+1 queries and request waterfalls, over-fetching, missing indexes, and caching opportunities, ranked by effort and impact.

Author

Paweł Huryn — The Product Compass Newsletter

License

MIT