feat(skills): add advanced recipes and persona skills#9
Conversation
Add 5 skills completing the AI agent skills milestone: - a6-recipe-multi-tenant: Multi-tenant gateway patterns (consumer groups, host/path/header routing, per-tenant rate limiting) - a6-recipe-api-versioning: API versioning strategies (URI path, header-based, query param, gradual migration, deprecation) - a6-recipe-graphql-proxy: GraphQL proxying (operation-based routing, per-operation rate limiting, degraphql REST conversion) - a6-persona-operator: Platform operator persona (deployment, monitoring, troubleshooting, security hardening) - a6-persona-developer: API developer persona (API design, plugin selection, local dev setup, CI/CD integration) Update README.md: - Update skill count from 35+ to 40 - Add Advanced Recipes and Personas rows to skills table
There was a problem hiding this comment.
Pull request overview
Adds the final set of AI agent skills to complete the Phase 4 “AI Agent Skills” milestone, expanding the skills library to 40 total entries and updating the README taxonomy accordingly.
Changes:
- Added 3 new advanced recipe skills: multi-tenant, API versioning, GraphQL proxying
- Added 2 new persona skills: operator and developer
- Updated README skill count and added “Advanced Recipes” + “Personas” rows in the skills category table
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| skills/a6-recipe-multi-tenant/SKILL.md | New recipe covering multi-tenant patterns (consumer groups, routing, rate limits, proxy-rewrite, declarative sync). |
| skills/a6-recipe-api-versioning/SKILL.md | New recipe covering path/header/query versioning, migration via traffic-split, and deprecation redirects. |
| skills/a6-recipe-graphql-proxy/SKILL.md | New recipe covering GraphQL operation-aware routing, rate limiting, restriction, and REST-to-GraphQL via degraphql. |
| skills/a6-persona-operator/SKILL.md | New operator persona playbook for context mgmt, deployment/rollback, troubleshooting, security, monitoring. |
| skills/a6-persona-developer/SKILL.md | New developer persona guide for building/testing routes, plugin selection, local dev, CI/CD workflows. |
| README.md | Updates skill count to 40 and expands the skills category table with new rows. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
| `upstream` field means "use the route's default upstream". Weight `9` + weight | ||
| `1` = 90%/10%. | ||
| - **`~~` operator** — regex match in vars expressions. Must double-escape backslashes | ||
| in JSON: `"application/vnd\\\\.api\\\\.v2\\\\+json"`. |
There was a problem hiding this comment.
In this file, the header-based versioning example uses the JSON string application/vnd\\.api\\.v2\\+json (escaped as application/vnd\.api\.v2\+json), but this gotcha claims JSON requires "application/vnd\\\\.api\\\\.v2\\\\+json". These two are inconsistent, and the latter appears to over-escape compared to the working example. Align the gotcha with the example (and clarify the intended escaping level).
| in JSON: `"application/vnd\\\\.api\\\\.v2\\\\+json"`. | |
| in JSON: `"application/vnd\\.api\\.v2\\+json"` (JSON string literal for regex | |
| `application/vnd\.api\.v2\+json`). |
| Use a custom header (e.g., `X-Tenant-ID`) to route to different upstreams | ||
| via `traffic-split`. | ||
|
|
||
| ```bash | ||
| a6 route create -f - <<'EOF' | ||
| { | ||
| "uri": "/api/*", | ||
| "plugins": { | ||
| "key-auth": {}, | ||
| "traffic-split": { | ||
| "rules": [ | ||
| { | ||
| "match": [{ "vars": [["http_x_tenant_id", "==", "tenant-a"]] }], | ||
| "weighted_upstreams": [ | ||
| { "upstream": { "type": "roundrobin", "nodes": { "tenant-a-backend:8080": 1 } }, "weight": 1 } | ||
| ] | ||
| }, | ||
| { | ||
| "match": [{ "vars": [["http_x_tenant_id", "==", "tenant-b"]] }], | ||
| "weighted_upstreams": [ | ||
| { "upstream": { "type": "roundrobin", "nodes": { "tenant-b-backend:8080": 1 } }, "weight": 1 } | ||
| ] |
There was a problem hiding this comment.
X-Tenant-ID header-based routing uses a client-controlled header to select tenant-specific upstreams without binding it to the authenticated consumer identity. Any authenticated consumer can forge X-Tenant-ID (e.g., send X-Tenant-ID: tenant-a while belonging to another tenant) to route traffic to another tenant’s backend, potentially leading to cross-tenant data access. To avoid this, derive the tenant identifier from the authenticated consumer (e.g., via consumer_group_id) or enforce a mapping using consumer-restriction/similar checks rather than trusting a raw request header for tenant selection.
Summary
Final PR in the AI Agent Skills milestone (Phase 4). Adds 3 advanced recipe skills and 2 persona skills, completing all 40 planned skills.
New Skills (5)
a6-recipe-multi-tenanta6-recipe-api-versioninga6-recipe-graphql-proxya6-persona-operatora6-persona-developerREADME Update
Validation
make validate-skills— 40/40 skills pass ✅CGO_ENABLED=0 go test ./...— all tests pass ✅Phase 4 Milestone Complete 🎉
Total: 40 skills across 10 categories.
PR-36 of 36 — final PR in the complete a6 roadmap.