Remediation Plan¶
Use this skill to convert a gap analysis, audit report, or target state comparison into a structured, phased execution plan with dependencies, effort estimates, and risk management.
Problem¶
Gap analyses identify what's wrong. Teams need a plan that tells them what to do, in what order, with what effort, and what risks to watch for. Without structure, remediation becomes ad hoc — critical paths are missed, parallelisable work is serialised, and decisions block progress silently.
This skill produces a plan that:
- organises work into phases with clear dependencies
- sizes each task for sprint planning
- identifies decisions that block progress and forces them to the surface
- maps the critical path and parallelisable work
- registers risks with mitigations so they don't surprise the team mid-execution
When To Use It¶
- A gap analysis has been completed and needs to be turned into an execution plan.
- A prototype needs a production readiness roadmap.
- A decoupling, migration, or modernisation initiative needs phased planning.
- Audit findings (security, design, operational) need a remediation sequence.
- The user asks for a "remediation plan", "production readiness plan", "migration plan", "execution plan", or "roadmap".
Inputs¶
The skill needs one or more of:
- A gap analysis report (from the
gap-analysisskill or equivalent) - A target state description (architecture diagram, standards doc, or verbal description)
- An audit report with findings and recommendations
- Constraints: team size, timeline, external dependencies, blocked decisions
If no gap analysis exists, run the gap-analysis skill first or ask the user for the input findings.
Workflow¶
-
Inventory the gaps. Read the input findings. Group them by domain (deployment, auth, observability, security, testing, operations). Use references/phase-patterns.md for common phase groupings.
-
Identify dependencies. Map which gaps depend on others:
- Infrastructure must exist before deployment pipelines can target it
- Auth must work before security hardening makes sense
- Observability should be wired before production promotion
-
Testing gaps can often be addressed in parallel with other phases Build a dependency graph. Identify the critical path.
-
Group into phases. Each phase should:
- Have a clear entry condition (what must be done before it starts)
- Have a clear exit condition / deliverable list
- Be completable in 1–5 days by 1–2 people
-
Contain tasks that are internally independent (parallelisable within the phase) Use references/phase-patterns.md for typical phase structures.
-
Size each task. Use the effort scale from references/task-sizing.md. Include:
- Task description (action-oriented, specific)
- Effort estimate (Trivial / Small / Medium / Large)
- Issue/Jira ticket reference (if known, otherwise
—) -
Status (⬜ Not started / 🔶 In progress / ✅ Complete)
-
Surface decisions. List decisions that block one or more phases. For each:
- State the decision clearly
- List options with pros/cons
- Make a recommendation
-
Note which phases are blocked until the decision is made
-
Register risks. Use references/risk-template.md. For each risk:
- Impact (what goes wrong)
- Likelihood (Low / Medium / High)
-
Mitigation (what to do about it)
-
Define success criteria. For each major milestone (e.g., dev deployment, tst promotion, prd go-live), state the concrete criteria that must be met.
-
Produce the plan. Use references/plan-template.md for the output structure.
-
Hand off to WIP tracking (when execution starts). When the plan moves from draft to active execution, create a
*.effort.jsonsidecar per plan-effort-estimate. Re-size steps with the Fibonacci scale — see the handoff rules in effort-scales.yaml.
Branching Rules¶
- If the input is a gap analysis, map P0 gaps → early phases, P1 → middle phases, P2/P3 → later phases.
- If the input is a decoupling/migration plan, organise phases around code movement: copy → wire → migrate consumers → validate → clean up.
- If the input is an audit report, organise by severity: critical findings first, then high, then medium.
- If the plan has more than 10 phases, consolidate. Most plans should have 5–8 phases.
- If team size is 1, serialise all phases. If team size is 2+, show what can be parallelised.
- If external dependencies exist (Azure subscription, Entra ID registration, security review), call them out as blockers with lead time estimates.
Execution Rules¶
- Every task must be action-oriented and specific enough to create a Jira ticket from. "Improve observability" is too vague. "Add
azure-monitor-opentelemetrydependency toservices/api/pyproject.toml" is specific. - Include deliverables for each phase — concrete artifacts (files, configs, ADRs) that prove the phase is done.
- Show the dependency map visually (ASCII diagram) so the critical path is obvious.
- Include an effort summary table with total estimate and team size assumption.
- Preserve architecture strengths from the gap analysis — do not plan work that would regress quality.
- If the plan involves code vendoring or migration, include parity testing in the validation phase.
- Keep decision tables separate from task tables — decisions are for leadership, tasks are for engineers.
References¶
- Effort scales taxonomy (router): ../../taxonomy/effort-scales.yaml
- Plan status crosswalk: ../../taxonomy/plan-status.yaml
- Common phase groupings: references/phase-patterns.md
- Task sizing guide: references/task-sizing.md
- WIP progress tracking: ../plan-effort-estimate/SKILL.md
- Risk register format: references/risk-template.md
- Plan output structure: references/plan-template.md
Required Output¶
- Current state summary (what exists, what's missing — brief).
- Target architecture (diagram if applicable).
- Phased execution plan with task tables per phase.
- Dependency map (ASCII diagram showing phase ordering and parallelism).
- Key decisions table (options, recommendations, which phases are blocked).
- Risk register (impact, likelihood, mitigation).
- Effort summary table (phase, effort, dependencies, status).
- Success criteria per milestone.
Troubleshooting¶
Error: Plan has too many phases (10+) and feels overwhelming. Cause: Gaps were not consolidated by domain; each gap became its own phase. Solution: Merge related gaps into domain-based phases (see references/phase-patterns.md). Most plans should have 5–8 phases.
Error: Tasks are too vague to create tickets from. Cause: Task descriptions use abstract language ("improve", "set up") instead of specific actions. Solution: Each task must start with a verb and name the file, module, or endpoint affected. See task description rules in references/task-sizing.md.
Error: Plan stalls because decisions were not surfaced early. Cause: Decisions were embedded in task descriptions instead of tracked separately. Solution: Extract all blocking decisions into the Key Decisions table with options, recommendations, and which phases they block.
Completion Bar¶
- Every gap from the input is addressed in at least one phase.
- Phases have clear entry/exit conditions and deliverables.
- The critical path is identified and the dependency map is consistent with phase ordering.
- Decisions are separated from tasks and include actionable recommendations.
- Risks have concrete mitigations, not just "monitor".
- Effort estimates are realistic and team-size-aware.
- The plan is directly convertible to Issues/Jira epics and stories.