Documentation Portfolio Skill
Purpose
This skill defines the complete set of architecture documentation required for Hack23 projects. It ensures comprehensive documentation that supports both current operations and future planning, following best practices for technical documentation.
Rules
Required Documentation Files
MUST CREATE for each project:
Current State Documentation
-
ARCHITECTURE.md
-
C4 model diagrams (Context, Container, Component)
-
DATA_MODEL.md
-
Database schema, entity relationships
-
FLOWCHART.md
-
Process flows and workflows
-
STATEDIAGRAM.md
-
State machines and transitions
-
MINDMAP.md
-
System concepts and relationships
-
SWOT.md
-
Strengths, Weaknesses, Opportunities, Threats analysis
Future State Documentation
-
FUTURE_ARCHITECTURE.md
-
Planned architecture changes
-
FUTURE_DATA_MODEL.md
-
Planned data model evolution
-
FUTURE_FLOWCHART.md
-
Planned process improvements
-
FUTURE_STATEDIAGRAM.md
-
Planned state machine changes
-
FUTURE_MINDMAP.md
-
Future vision and concepts
-
FUTURE_SWOT.md
-
Future state SWOT analysis
Security Documentation
-
SECURITY_ARCHITECTURE.md
-
Security controls and architecture
-
FUTURE_SECURITY_ARCHITECTURE.md
-
Planned security improvements
-
THREAT_MODEL.md
-
Threat analysis and mitigations
Supplementary Documentation
-
README.md
-
Project overview, getting started
-
.github/SECURITY.md
-
Vulnerability reporting
-
CONTRIBUTING.md
-
Contribution guidelines
-
CLASSIFICATION.md
-
Data classification guidance (if applicable)
-
ADR/ directory - Architecture Decision Records
Documentation Standards
MUST:
-
Write in Markdown format
-
Use Mermaid for all diagrams
-
Include table of contents for documents > 500 lines
-
Add last updated date at top of document
-
Link related documents
-
Version documents (use git for versioning)
-
Keep diagrams up-to-date with code
-
Review documentation quarterly
MUST NOT:
-
Include sensitive information (secrets, credentials)
-
Create stale documentation (update or delete)
-
Duplicate information across documents (link instead)
-
Use proprietary diagram formats (use Mermaid)
ARCHITECTURE.md Structure
MUST INCLUDE:
-
Overview - System purpose and scope
-
System Context Diagram - C4 Level 1
-
Container Diagram - C4 Level 2
-
Component Diagrams - C4 Level 3 (for key containers)
-
Technology Stack - Languages, frameworks, services
-
Deployment Architecture - How system is deployed
-
Integration Points - External systems and APIs
-
Architecture Decision Records - Links to ADRs
DATA_MODEL.md Structure
MUST INCLUDE:
-
Overview - Data model purpose
-
Entity Relationship Diagram - Mermaid ER diagram
-
Entity Descriptions - Each entity with attributes
-
Relationships - Cardinality and constraints
-
Indexes - Performance-critical indexes
-
Data Classification - Sensitivity of each entity/attribute
-
Data Retention - How long data is kept
FLOWCHART.md Structure
MUST INCLUDE:
-
Overview - Processes documented
-
Key Workflows - Main user/system flows
-
Flowchart Diagrams - Mermaid flowcharts
-
Decision Points - Logic branches explained
-
Error Handling - Exception flows
-
Performance Considerations - Bottlenecks, optimizations
STATEDIAGRAM.md Structure
MUST INCLUDE:
-
Overview - State machines in system
-
State Diagrams - Mermaid state diagrams
-
States - Description of each state
-
Transitions - Events that trigger transitions
-
State Invariants - What must be true in each state
-
Terminal States - End states and cleanup
MINDMAP.md Structure
MUST INCLUDE:
-
Overview - Purpose of mindmap
-
Core Concepts - Central ideas
-
Mindmap Diagram - Mermaid mindmap
-
Concept Descriptions - Explanation of each node
-
Relationships - How concepts connect
-
Use Cases - How mindmap aids understanding
SWOT.md Structure
MUST INCLUDE:
-
Overview - Context for SWOT analysis
-
Strengths - Internal positive attributes
-
Weaknesses - Internal limitations
-
Opportunities - External favorable factors
-
Threats - External risks
-
Strategy Matrix - How to leverage/address SWOT
-
Action Items - Concrete next steps
Examples
Example 1: DATA_MODEL.md Structure
Data Model - Hack23 CIA Platform
Last Updated: 2025-01-24
Overview
This document describes the data model for the Citizen Intelligence Agency platform, which stores political data including politicians, parties, votes, and documents.
Entity Relationship Diagram
erDiagram
POLITICIAN ||--o{ POLITICIAN_ROLE : has
POLITICIAN ||--o{ VOTE : casts
POLITICIAN }|--|| PARTY : "member of"
PARTY ||--o{ VOTE : "party line"
PARTY ||--o{ DOCUMENT : publishes
BALLOT ||--o{ VOTE : contains
BALLOT }|--|| COMMITTEE : "voted in"
DOCUMENT }|--o| POLITICIAN : authored
DOCUMENT }|--o| PARTY : published
POLITICIAN {
uuid id PK
string personId UK "Unique ID from Riksdagen"
string firstName
string lastName
date birthDate
string gender
timestamp createdAt
timestamp updatedAt
}
PARTY {
uuid id PK
string partyId UK
string name
string abbreviation
string website
timestamp createdAt
}
POLITICIAN_ROLE {
uuid id PK
uuid politicianId FK
string roleType "MP, Minister, etc"
date fromDate
date toDate
string details
}
VOTE {
uuid id PK
uuid ballotId FK
uuid politicianId FK
string voteOption "Yes, No, Abstain, Absent"
timestamp voteTime
}
BALLOT {
uuid id PK
string ballotId UK
string title
string description
date voteDate
uuid committeeId FK
timestamp createdAt
}
DOCUMENT {
uuid id PK
string documentId UK
string title
string documentType
string status
date publishedDate
uuid authorId FK
uuid partyId FK
}
COMMITTEE {
uuid id PK
string committeeId UK
string name
string abbreviation
}
Entity Descriptions
POLITICIAN
Stores information about Swedish politicians.
Attribute
Type
Classification
Description
id
UUID
INTERNAL
Primary key
personId
String
PUBLIC
Unique ID from Riksdagen API
firstName
String
PUBLIC
First name
lastName
String
PUBLIC
Last name
birthDate
Date
PUBLIC
Date of birth
gender
String
PUBLIC
Gender (M/F)
createdAt
Timestamp
INTERNAL
Record creation time
updatedAt
Timestamp
INTERNAL
Last update time
Indexes:
- idx_politician_person_id
(UNIQUE) on personId
- idx_politician_name
on lastName, firstName
Data Retention: Indefinite (historical political data)
VOTE
Records individual votes cast by politicians.
Attribute
Type
Classification
Description
id
UUID
INTERNAL
Primary key
ballotId
UUID
INTERNAL
Foreign key to BALLOT
politicianId
UUID
INTERNAL
Foreign key to POLITICIAN
voteOption
String
PUBLIC
Yes/No/Abstain/Absent
voteTime
Timestamp
PUBLIC
When vote was cast
Indexes:
- idx_vote_ballot
on ballotId
- idx_vote_politician
on politicianId
- idx_vote_time
on voteTime
Data Retention: Indefinite (historical voting records)
Relationships
- POLITICIAN to PARTY: Many-to-One (politician belongs to one party at a time)
- POLITICIAN to VOTE: One-to-Many (politician casts many votes)
- BALLOT to VOTE: One-to-Many (ballot contains many votes)
- POLITICIAN to POLITICIAN_ROLE: One-to-Many (politician has multiple roles over time)
Data Classification Summary
- PUBLIC: Politician names, votes, documents (public record)
- INTERNAL: System IDs, timestamps, technical metadata
- CONFIDENTIAL: None
- RESTRICTED: None
Performance Considerations
- Votes table will grow large (millions of records), requires partitioning by year
- Full-text search on DOCUMENT requires Elasticsearch integration
- POLITICIAN queries often join with PARTY, consider denormalization for read performance
Migration Strategy
See FUTURE_DATA_MODEL.md
for planned schema changes.
### Example 2: FLOWCHART.md Structure
```markdown
# Flowcharts - Hack23 Homepage Deployment
**Last Updated:** 2025-01-24
## Overview
This document describes the key workflows and processes for the Hack23 Homepage, focusing on content updates, deployment, and monitoring.
## Content Update Workflow
```mermaid
flowchart TD
Start([Developer creates PR]) --> Validate{Validation checks pass?}
Validate -->|No| Fix[Fix errors]
Fix --> Start
Validate -->|Yes| Review[Code review]
Review --> Approved{Approved?}
Approved -->|No| RequestChanges[Request changes]
RequestChanges --> Start
Approved -->|Yes| Merge[Merge to main]
Merge --> Build[Build & Minify]
Build --> Security[Security scan - ZAP]
Security --> SecurityPass{Vulnerabilities found?}
SecurityPass -->|Yes| Alert[Create security issue]
Alert --> Block[Block deployment]
Block --> End1([End - Deployment blocked])
SecurityPass -->|No| Lighthouse[Lighthouse audit]
Lighthouse --> LighthousePass{Meets budget?}
LighthousePass -->|No| Warning[Warning - below threshold]
Warning --> DeployAnyway{Deploy anyway?}
DeployAnyway -->|No| End2([End - Deployment cancelled])
DeployAnyway -->|Yes| Deploy[Deploy to S3]
LighthousePass -->|Yes| Deploy
Deploy --> Invalidate[Invalidate CloudFront cache]
Invalidate --> Verify[Verify deployment]
Verify --> Success{Deployment successful?}
Success -->|Yes| Notify[Notify team - Success]
Success -->|No| Rollback[Rollback deployment]
Rollback --> NotifyFail[Notify team - Failure]
NotifyFail --> End3([End - Rolled back])
Notify --> End4([End - Deployed successfully])
Translation Workflow
flowchart TD
Start([New content in English]) --> Detect[Detect languages to translate]
Detect --> Generate[Generate translations]
Generate --> Review{Translation quality check}
Review -->|Low quality| Manual[Manual translation]
Manual --> Validate
Review -->|Good quality| Validate[Validate HTML structure]
Validate --> ValidPass{Valid HTML?}
ValidPass -->|No| Fix[Fix validation errors]
Fix --> Validate
ValidPass -->|Yes| Hreflang[Update hreflang tags]
Hreflang --> Sitemap[Update sitemap.xml]
Sitemap --> Test[Test translated pages]
Test --> TestPass{All tests pass?}
TestPass -->|No| Debug[Debug issues]
Debug --> Fix
TestPass -->|Yes| Commit[Commit translations]
Commit --> End([End - Translations complete])
Security Incident Response
flowchart TD
Start([Security incident detected]) --> Assess[Assess severity]
Assess --> Critical{Critical incident?}
Critical -->|Yes| Immediate[Immediate response team]
Immediate --> Block[Block attack vector]
Block --> Contain[Contain incident]
Critical -->|No| Standard[Standard response]
Standard --> Investigate[Investigate incident]
Contain --> Investigate
Investigate --> Determine{Cause identified?}
Determine -->|No| Escalate[Escalate to security team]
Escalate --> Investigate
Determine -->|Yes| Remediate[Implement fix]
Remediate --> Test[Test remediation]
Test --> TestPass{Incident resolved?}
TestPass -->|No| Remediate
TestPass -->|Yes| Deploy[Deploy fix]
Deploy --> Monitor[Monitor for recurrence]
Monitor --> Document[Document incident]
Document --> Review[Post-incident review]
Review --> Improve[Improve security controls]
Improve --> End([End - Incident resolved])
Decision Points
Validation Checks
- HTML validation
- CSS validation
- JavaScript linting
- Accessibility checks (WCAG 2.1 AA)
- Link validation
- Security header validation
Security Scan Thresholds
- Block deployment: Critical vulnerabilities
- Warning: High vulnerabilities (review required)
- Pass: Medium or lower vulnerabilities
Lighthouse Budget
- Performance: ≥ 90
- Accessibility: ≥ 95
- Best Practices: ≥ 95
- SEO: ≥ 95
Error Handling
All workflows include error handling:
- Detect error - Automated checks or manual report
- Log error - CloudWatch, GitHub Actions logs
- Notify - Slack/email notification
- Rollback (if deployed) - Revert to previous version
- Fix - Implement correction
- Verify - Test fix before re-deploying
Performance Considerations
- Parallel processing: Run security scan and Lighthouse audit in parallel
- Caching: Cache CloudFront invalidation to avoid rate limits
- Incremental builds: Only process changed files
### Example 3: SWOT.md Template
```markdown
# SWOT Analysis - Hack23 Homepage
**Last Updated:** 2025-01-24
**Context:** Strategic planning for homepage evolution (2025-2026)
## Overview
This SWOT analysis evaluates the current state of the Hack23 Homepage and identifies strategic opportunities for improvement.
## Strengths (Internal Positive Factors)
### Technical Excellence
- ✅ **100% static** - No server-side processing, ultra-fast load times
- ✅ **Highly secure** - Minimal attack surface, no backend vulnerabilities
- ✅ **Excellent performance** - Lighthouse scores consistently above 90
- ✅ **Global CDN** - CloudFront provides worldwide low-latency access
- ✅ **Automated CI/CD** - GitHub Actions provides reliable deployment
### Content & Messaging
- ✅ **Clear value proposition** - Security-focused, transparent approach
- ✅ **Multilingual** - 14 languages supported (English + 13 translations)
- ✅ **Accessibility** - WCAG 2.1 AA compliant
- ✅ **Open-source** - Builds trust, demonstrates transparency
- ✅ **Public ISMS** - Unique differentiator in market
### Cost Efficiency
- ✅ **Low operational cost** - S3 + CloudFront = minimal hosting fees
- ✅ **No maintenance** - Static site requires minimal upkeep
- ✅ **Free CI/CD** - GitHub Actions free tier sufficient
## Weaknesses (Internal Negative Factors)
### Technical Limitations
- ❌ **No dynamic content** - Can't personalize for users
- ❌ **No user accounts** - No way to track returning visitors
- ❌ **No analytics** - Privacy-first means no visitor insights
- ❌ **Manual translations** - Time-consuming, potential quality issues
- ❌ **No search** - Difficult to find specific content
### Content Gaps
- ❌ **Limited interactivity** - No contact forms, no demos
- ❌ **No case studies** - Lack of customer success stories
- ❌ **Few examples** - Need more concrete use cases
- ❌ **Static blog** - No comment system, limited engagement
### Marketing & Growth
- ❌ **Low SEO maturity** - Needs optimization
- ❌ **No lead capture** - Can't build email list
- ❌ **Limited conversion tracking** - Hard to measure effectiveness
## Opportunities (External Positive Factors)
### Market Trends
- 📈 **Growing cybersecurity demand** - Increased awareness post-breaches
- 📈 **Compliance requirements** - NIS2, GDPR driving demand
- 📈 **Open-source adoption** - More companies embracing transparency
- 📈 **Remote work security** - Distributed teams need better security
- 📈 **AI/LLM security** - Emerging need for AI security consulting
### Technology Evolution
- 📈 **Jamstack maturity** - Static sites with dynamic features via APIs
- 📈 **Serverless functions** - Add backend functionality without servers
- 📈 **Web3 integration** - Potential for blockchain-based transparency
- 📈 **Progressive Web Apps** - Enhanced mobile experience
### Business Opportunities
- 📈 **Strategic partnerships** - Integrate with complementary services
- 📈 **Content marketing** - Leverage blog for SEO and thought leadership
- 📈 **Community building** - Open-source projects attract contributors
- 📈 **Training & certification** - Offer security training programs
## Threats (External Negative Factors)
### Competition
- ⚠️ **Established players** - Large consultancies have brand recognition
- ⚠️ **Price competition** - Offshore providers offer lower rates
- ⚠️ **Feature parity** - Competitors may copy open-source approach
- ⚠️ **Commoditization** - Risk of security consulting becoming commodity
### Technology Risks
- ⚠️ **Browser changes** - Could break existing functionality
- ⚠️ **CDN outages** - Dependence on CloudFront availability
- ⚠️ **Security vulnerabilities** - Supply chain attacks on dependencies
- ⚠️ **Algorithm changes** - SEO rankings could drop suddenly
### Regulatory & Market
- ⚠️ **Changing regulations** - New compliance requirements add complexity
- ⚠️ **Economic downturn** - Budget cuts in security spending
- ⚠️ **Privacy regulations** - Stricter rules may limit marketing
## Strategy Matrix
### Strengths × Opportunities (Maximize)
| Strength | Opportunity | Strategy |
|----------|-------------|----------|
| Technical excellence | Growing security demand | Position as premium, high-trust provider |
| Open-source ISMS | Open-source adoption | Create community around ISMS templates |
| Multilingual | Global market | Target international markets (EU, Asia) |
| Low cost | Price competition | Offer competitive pricing with high margins |
### Strengths × Threats (Leverage)
| Strength | Threat | Strategy |
|----------|--------|----------|
| Security focus | Established players | Differentiate through transparency & innovation |
| Automated CI/CD | Security vulnerabilities | Maintain fast patching, demonstrate resilience |
| Public ISMS | Compliance changes | Quickly update ISMS, show adaptability |
### Weaknesses × Opportunities (Improve)
| Weakness | Opportunity | Strategy |
|----------|-------------|----------|
| No dynamic content | Jamstack maturity | Implement serverless functions for forms |
| No analytics | Content marketing | Add privacy-preserving analytics (Plausible) |
| No lead capture | Community building | Create newsletter via static form + Netlify |
| Manual translations | AI/LLM evolution | Explore AI-assisted translation with human review |
### Weaknesses × Threats (Monitor)
| Weakness | Threat | Strategy |
|----------|--------|----------|
| Limited interactivity | Commoditization | Maintain focus on quality and service |
| No case studies | Established players | Develop customer testimonials, success stories |
| Low SEO maturity | Algorithm changes | Invest in SEO, diversify traffic sources |
## Action Items
### Q1 2025 (Immediate)
1. Implement privacy-preserving analytics (Plausible or similar)
2. Create 3 case studies from existing customers
3. Optimize SEO (meta descriptions, structured data improvements)
4. Add simple contact form via serverless function
### Q2 2025 (Near-term)
5. Launch newsletter signup (static form + automation)
6. Create comprehensive FAQ page
7. Develop security assessment tool/quiz
8. Expand blog with weekly posts
### H2 2025 (Medium-term)
9. Build community forum for ISMS discussions
10. Launch security training module (paid)
11. Develop interactive demos for CIA/Compliance Manager
12. Partner with complementary services (penetration testing, etc.)
### 2026 (Long-term)
13. Expand to additional languages (Chinese, Portuguese)
14. Create certification program
15. Launch SaaS version of compliance tools
16. Explore strategic acquisitions or partnerships
## Review Schedule
- **Quarterly review**: Reassess SWOT based on market changes
- **Annual deep dive**: Full strategic planning session
- **Ad-hoc**: Major market events or competitive moves
**Next Review:** 2025-04-24
Related ISMS Policies
- Secure Development Policy - Documentation requirements
- Information Security Policy - Overall framework
Related Documentation
- c4-modeling SKILL.md - C4 diagram creation
- security-architecture SKILL.md - Security documentation
Documentation Tools
- Mermaid Live Editor: https://mermaid.live/
- Markdown Preview: VS Code with Markdown Preview Enhanced
- Diagram Validation: GitHub's native Mermaid rendering