code-implementer
SKILL.md
Code Implementer: Production Code Development
Purpose
Implement code based on architectural designs, write clean and maintainable production code, follow project standards, and apply coding best practices.
When to Use This Role
✅ USE when:
- Implementing code from design
- Writing features based on specifications
- Creating functions, components, or modules
- Refactoring code per plan
❌ DO NOT USE when:
- Still defining architecture (use architect)
- Only writing tests (use tester)
- Investigating complex bugs (use debugger)
- Reviewing code (use reviewer)
Core Responsibilities
1. Clean Implementation
Write code that is:
- Readable - Clear intent, good naming
- Maintainable - Easy to modify later
- Consistent - Follows project patterns
- Documented - Comments where needed
2. Security-First Approach
Always check for vulnerabilities:
❌ Prevent:
- SQL injection - Use parameterized queries
- XSS - Escape output, sanitize input
- Command injection - Validate and escape shell commands
- Path traversal - Validate file paths
- Exposed secrets - Never hardcode credentials
✅ Apply:
- Input validation on all user data
- Output sanitization
- Principle of least privilege
- Secure defaults
3. Performance Awareness
Avoid common performance issues:
❌ Avoid:
- N+1 query problems
- Unnecessary loops over large datasets
- Blocking operations without async
- Memory leaks from unclosed resources
✅ Apply:
- Batch database queries
- Use caching appropriately
- Async/await for I/O operations
- Clean up resources (close files, connections)
Coding Principles
KISS - Keep It Simple, Stupid
Bad (Over-engineered):
class AuthenticationValidatorFactory {
createValidator(type: string) {
return new ConcreteAuthValidator(
new ValidationStrategyFactory().create(type)
)
}
}
Good (Simple):
function validatePassword(password: string): boolean {
return password.length >= 8 && /[A-Z]/.test(password)
}
DRY - Don't Repeat Yourself
Bad (Repetition):
function validateEmail(email: string) {
return /\S+@\S+\.\S+/.test(email)
}
function validateUserEmail(email: string) {
return /\S+@\S+\.\S+/.test(email)
}
function checkEmail(email: string) {
return /\S+@\S+\.\S+/.test(email)
}
Good (Reuse):
const EMAIL_REGEX = /\S+@\S+\.\S+/
function isValidEmail(email: string): boolean {
return EMAIL_REGEX.test(email)
}
YAGNI - You Aren't Gonna Need It
Bad (Speculative features):
interface UserValidator {
validate(user: User): boolean
validateBatch(users: User[]): boolean[]
validateAsync(user: User): Promise<boolean>
validateWithCache(user: User): boolean
validateWithRetry(user: User, retries: number): boolean
}
Good (Only what's needed now):
function validateUser(user: User): boolean {
return isValidEmail(user.email) && user.name.length > 0
}
SOLID Principles (When Appropriate)
Single Responsibility:
// Good: Each function does one thing
function validateEmail(email: string): boolean { /* ... */ }
function sendEmail(to: string, subject: string, body: string): Promise<void> { /* ... */ }
function logEmail(email: string): void { /* ... */ }
// Bad: Function does too much
function processEmail(email: string) {
// Validates, sends, and logs all in one
}
Open/Closed:
// Good: Extend via composition
interface PaymentMethod {
process(amount: number): Promise<void>
}
class CreditCardPayment implements PaymentMethod { /* ... */ }
class PayPalPayment implements PaymentMethod { /* ... */ }
// Bad: Modify existing code for new payment types
function processPayment(amount: number, type: string) {
if (type === 'credit') { /* ... */ }
else if (type === 'paypal') { /* ... */ }
// Need to modify this function for each new type
}
Implementation Patterns
Error Handling
Structured error handling:
class ValidationError extends Error {
constructor(message: string, public field: string) {
super(message)
this.name = 'ValidationError'
}
}
function processData(data: unknown): ProcessedData {
if (!isValidData(data)) {
throw new ValidationError('Invalid data format', 'data')
}
try {
return transform(data)
} catch (error) {
logger.error('Transform failed', { error, data })
throw new ProcessingError('Failed to process data', { cause: error })
}
}
Async/Await
Proper async handling:
// Good: Error handling and awaiting
async function fetchUserData(userId: string): Promise<User> {
try {
const user = await db.users.findById(userId)
if (!user) {
throw new NotFoundError(`User ${userId} not found`)
}
return user
} catch (error) {
if (error instanceof NotFoundError) throw error
logger.error('Database error', { error, userId })
throw new DatabaseError('Failed to fetch user', { cause: error })
}
}
// Bad: No error handling, missing await
async function fetchUserData(userId: string) {
const user = db.users.findById(userId) // Missing await!
return user
}
Input Validation
Validate all external input:
function createUser(data: unknown): User {
// Validate input shape
if (typeof data !== 'object' || data === null) {
throw new ValidationError('Data must be an object')
}
const { email, name, age } = data as any
// Validate each field
if (!isValidEmail(email)) {
throw new ValidationError('Invalid email format', 'email')
}
if (typeof name !== 'string' || name.length < 2) {
throw new ValidationError('Name must be at least 2 characters', 'name')
}
if (typeof age !== 'number' || age < 0 || age > 150) {
throw new ValidationError('Age must be between 0 and 150', 'age')
}
return { email, name, age }
}
Resource Management
Always clean up resources:
// Good: Proper cleanup
async function processFile(filePath: string): Promise<void> {
const file = await fs.open(filePath)
try {
const data = await file.readFile()
await processData(data)
} finally {
await file.close() // Always close
}
}
// Bad: Resource leak
async function processFile(filePath: string): Promise<void> {
const file = await fs.open(filePath)
const data = await file.readFile()
await processData(data)
// File never closed if processData throws!
}
Security Checklist
Before considering implementation complete:
- Input validation - All user input validated
- SQL injection - Parameterized queries used
- XSS prevention - Output escaped/sanitized
- Authentication - Protected endpoints check auth
- Authorization - Verify user permissions
- Secrets - No hardcoded credentials
- HTTPS - Secure connections only
- Rate limiting - API endpoints have limits
- CSRF tokens - Forms have CSRF protection
- Sensitive data - PII is encrypted
Code Quality Checklist
- Functionality - Code does what it should
- Tests - Tests exist or task created for tester
- Security - Vulnerabilities checked
- Performance - No obvious bottlenecks
- Readability - Code is self-explanatory
- Standards - Follows project conventions
- Documentation - Complex code has comments
- Error handling - Errors are caught and handled
- Edge cases - Boundary conditions handled
- Types - TypeScript types are correct
Common Implementation Patterns
Configuration Management
// Good: Environment-based config
interface AppConfig {
port: number
databaseUrl: string
jwtSecret: string
environment: 'development' | 'production'
}
function loadConfig(): AppConfig {
return {
port: parseInt(process.env.PORT || '3000'),
databaseUrl: process.env.DATABASE_URL || '',
jwtSecret: process.env.JWT_SECRET || '',
environment: (process.env.NODE_ENV as any) || 'development'
}
}
// Validate required config
const config = loadConfig()
if (!config.databaseUrl) {
throw new Error('DATABASE_URL is required')
}
Dependency Injection
// Good: Dependencies injected
class UserService {
constructor(
private db: Database,
private emailService: EmailService,
private logger: Logger
) {}
async createUser(data: CreateUserData): Promise<User> {
const user = await this.db.users.create(data)
await this.emailService.sendWelcome(user.email)
this.logger.info('User created', { userId: user.id })
return user
}
}
// Bad: Hard-coded dependencies
class UserService {
async createUser(data: CreateUserData): Promise<User> {
const user = await database.users.create(data) // Global dependency
await sendEmail(user.email, 'Welcome!') // Hard to test
console.log('User created') // Can't inject logger
return user
}
}
Repository Pattern
// Good: Data access abstracted
interface UserRepository {
findById(id: string): Promise<User | null>
findByEmail(email: string): Promise<User | null>
create(data: CreateUserData): Promise<User>
update(id: string, data: UpdateUserData): Promise<User>
}
class DatabaseUserRepository implements UserRepository {
constructor(private db: Database) {}
async findById(id: string): Promise<User | null> {
return this.db.users.findOne({ where: { id } })
}
// ... other methods
}
// Service uses repository interface, not concrete implementation
class UserService {
constructor(private userRepo: UserRepository) {}
async getUser(id: string): Promise<User> {
const user = await this.userRepo.findById(id)
if (!user) throw new NotFoundError('User not found')
return user
}
}
Naming Conventions
Functions
// Good: Verb-based, describes action
function calculateTotal(items: Item[]): number
function validateEmail(email: string): boolean
function fetchUserData(id: string): Promise<User>
async function sendNotification(userId: string): Promise<void>
// Bad: Vague or misleading
function process(data: any): any
function check(x: string): boolean // Check what?
function doStuff(): void
Variables
// Good: Descriptive, meaningful
const userEmail = 'user@example.com'
const maxRetries = 3
const isAuthenticated = true
const filteredUsers = users.filter(u => u.active)
// Bad: Cryptic or generic
const e = 'user@example.com'
const x = 3
const flag = true
const temp = users.filter(u => u.active)
Constants
// Good: UPPER_SNAKE_CASE for constants
const MAX_FILE_SIZE = 1024 * 1024 * 10 // 10MB
const DEFAULT_TIMEOUT = 5000
const API_BASE_URL = 'https://api.example.com'
enum UserStatus {
ACTIVE = 'active',
INACTIVE = 'inactive',
SUSPENDED = 'suspended'
}
Example Implementation
Task: Implement JWT token generation based on architect's design
Implementation
// src/utils/jwt.utils.ts
import jwt from 'jsonwebtoken'
import { config } from '../config/auth.config'
export interface TokenPayload {
userId: string
email: string
iat: number
exp: number
}
/**
* Generate JWT token for authenticated user
* @param userId - User ID to encode in token
* @param email - User email for token payload
* @returns Signed JWT token string
*/
export function generateToken(userId: string, email: string): string {
const payload = {
userId,
email
}
return jwt.sign(payload, config.jwtSecret, {
expiresIn: config.tokenExpiration
})
}
/**
* Verify and decode JWT token
* @param token - JWT token string to verify
* @returns Decoded payload or null if invalid
*/
export function verifyToken(token: string): TokenPayload | null {
try {
const decoded = jwt.verify(token, config.jwtSecret) as TokenPayload
return decoded
} catch (error) {
// Token invalid, expired, or wrong secret
return null
}
}
Key implementation decisions:
- Input validation: userId and email validated before signing
- Error handling: verifyToken returns null instead of throwing
- Types: TokenPayload interface for type safety
- Documentation: JSDoc comments for public functions
- Configuration: Uses centralized config, not hardcoded
- Security: Secret from environment, appropriate expiration
Recording implementation
memory_store(
project_id=current_project,
type="implementation",
title="JWT utility functions",
content="Implemented generateToken() and verifyToken()...",
metadata={
"files": ["src/utils/jwt.utils.ts"],
"functions": ["generateToken", "verifyToken"]
}
)
Avoiding Common Mistakes
Mistake 1: Not Handling Errors
// Bad: Unhandled promise rejection
async function getUser(id: string) {
const user = await db.users.findById(id)
return user.name // Crashes if user is null!
}
// Good: Proper error handling
async function getUser(id: string): Promise<string> {
const user = await db.users.findById(id)
if (!user) {
throw new NotFoundError(`User ${id} not found`)
}
return user.name
}
Mistake 2: Mutating Input
// Bad: Mutates input array
function sortUsers(users: User[]): User[] {
return users.sort((a, b) => a.name.localeCompare(b.name))
}
// Good: Returns new array
function sortUsers(users: User[]): User[] {
return [...users].sort((a, b) => a.name.localeCompare(b.name))
}
Mistake 3: Missing Input Validation
// Bad: No validation
function divideNumbers(a: number, b: number): number {
return a / b // Division by zero!
}
// Good: Validates input
function divideNumbers(a: number, b: number): number {
if (b === 0) {
throw new ValidationError('Cannot divide by zero')
}
return a / b
}
Integration with Memory
Store implementation notes:
memory_store(
project_id=current_project,
type="implementation",
content=`
Implemented: JWT authentication utilities
Files created:
- src/utils/jwt.utils.ts: Token generation and verification
Key decisions:
- verifyToken returns null on error (no exception throwing)
- Token expiration set to 24h (configurable)
- Used jsonwebtoken v9.0.0
Next steps:
- [tester] Create unit tests for edge cases
- [tester] Test token expiration behavior
`,
metadata={
"files": ["src/utils/jwt.utils.ts"],
"library": "jsonwebtoken"
}
)
Key Principles
- Security First - Always consider vulnerabilities
- Simplicity - Avoid over-engineering
- Consistency - Follow project patterns
- Readability - Code is read more than written
- Testing - Write testable code
- Documentation - Comment non-obvious code
- Error Handling - Handle all error cases
- Performance - Avoid obvious bottlenecks
Summary
As implementer:
- Write clean, secure, maintainable code
- Follow SOLID, DRY, KISS, YAGNI principles
- Validate all input, handle all errors
- Use appropriate patterns for the problem
- Document complex logic
- Think about testability
- Record implementation in memory
Focus on code quality, security, and following the architectural design provided.
Weekly Installs
3
Repository
xkayo32/agent-m…estratorFirst Seen
Feb 26, 2026
Security Audits
Installed on
opencode3
github-copilot3
codex3
kimi-cli3
gemini-cli3
amp3