Research
Bluetemberg packs are evidence-backed where the guidance is checkable. Any claim in a rule or skill that goes beyond plain convention is verified against primary sources — official documentation, IETF RFCs, vendor security advisories, and peer-reviewed or standards material — using an adversarial, default-refute methodology: each claim survives only on a majority of independent checks, and overstated claims are downgraded to "nuanced" rather than accepted.
The full LLM best-practices research log (82 agents, three-lens verification) lives in research/2026-06-llm-best-practices-pass-2.md. The rule packs bluetemberg-rules-context-engineering, bluetemberg-rules-agent-memory, bluetemberg-rules-llm-api-product, and bluetemberg-rules-security are built from those verified survivors.
Legend: ✅ confirmed · 🔸 confirmed with an important nuance (the pack wording is hedged accordingly).
| Claim | Pack(s) | Verdict | Primary source |
|---|---|---|---|
| In PostgreSQL 11+, ADD COLUMN with a NOT NULL non-volatile default is metadata-only (no rewrite); a volatile default (clock_timestamp(), random()) forces a full table+index rewrite. | migration-safety | ✅ | PostgreSQL 11 — ALTER TABLE Notes, §5.5 Modifying Tables |
| Plain CREATE INDEX takes a SHARE lock — it blocks writes but allows reads (not ACCESS EXCLUSIVE); CREATE INDEX CONCURRENTLY does not block writes but is slower, cannot run in a transaction block, and can leave an INVALID index on failure. | migration-safety | ✅ | PostgreSQL — CREATE INDEX (Building Indexes Concurrently) |
| 422 Unprocessable Content is the precise code for a well-formed request that fails semantic/field validation, but 400 Bad Request is also spec-compliant — RFC 9110 scopes 400 to any "perceived client error", not only malformed syntax. | api-design | 🔸 | RFC 9110 §15.5.21 / §15.5.1, MDN 422 |
| API versioning is context-dependent — URL path, query string, and headers are all valid; there is no settled "version must be in the URL path" rule. | api-design | ✅ | GitHub REST API versions (header), Azure API Guidelines (query param), Fielding — REST must be hypertext-driven |
| Cursor/keyset pagination suits large, append-only, or monotonically-ordered data; offset/page suits random-page access; a deep SQL OFFSET still computes and discards every skipped row. | api-design | ✅ | PostgreSQL — LIMIT and OFFSET, Google AIP-158: Pagination, Markus Winand — No Offset |
| Verify passwords by re-hashing with a slow KDF (argon2id / bcrypt / scrypt) and the library's constant-time verify; raw constant-time compare (timingSafeEqual, compare_digest) is for fixed-length tokens/keys/HMACs, not passwords. | security-audit | ✅ | OWASP Authentication Cheat Sheet, OWASP Password Storage Cheat Sheet, Node crypto.timingSafeEqual |
| Pin GitHub Actions to a full commit SHA — tags are mutable and were weaponized in the March 2025 tj-actions/changed-files compromise. GitHub scopes the recommendation to third-party actions; pinning all actions (incl. first-party) is the OpenSSF/community extension. Pair with least-privilege GITHUB_TOKEN and OIDC. | ci-cd-best-practices | 🔸 | GitHub — Secure use reference, CVE-2025-30066 / GHSA-mrrh-fwg8-r2c3, CISA alert |
| Multi-agent systems: prefer an orchestrator that mediates communication (no agent-to-agent calls), give each subagent an explicit task spec, isolate context, separate retrieval from synthesis, and retry with exponential backoff + jitter + a max-retry cap. Reserve multi-agent for genuinely parallel work — it is token-expensive. | sub-agent-design | 🔸 | Anthropic — multi-agent research system, AWS Well-Architected REL05-BP03, AWS — Exponential Backoff and Jitter |
| Line/row thresholds (≈10k rows to batch, ≈150-line components, ≈30-line functions, ≈15-min rollback) are informed heuristics, not proven constants — calibrate to context. The packs phrase them as tunable defaults. | migration-safety, react-patterns, patterns, rollback-plan | ✅ | GitLab — batching best practices, ESLint max-lines-per-function |
Every claim above was re-checked by an independent agent instructed to refute by default and to cite only authoritative/primary sources. A claim was accepted as ✅ only when the source clearly supported the full statement, and marked 🔸 when the source supported the substance but the original wording overstated scope or attribution (those skills were then reworded to match the source). This mirrors the methodology in the research log.