feat(#67): /handover generates a stub C4 L2 container diagram

[atlas-apex]

Summary

Extends /handover with a new step that writes a projects/<name>/architecture/container.md stub alongside the existing handover assessment. Detection covers six slots (web / api / worker / db / cache / queue) plus five external-system families (auth / payments / email / storage / LLM), with docker-compose.yml overriding package.json when both exist.

What changed

• .claude/skills/handover/SKILL.md — adds step 6 "Write the L2 container diagram stub (if missing)" between "Synthesise the assessment" and "Append to the portfolio registry". Subsequent steps renumbered (7 = registry, 8 = summary). Existing cross-refs updated.
• Output-location preamble now documents both emitted files (assessment always rewritten; architecture stub written once, never overwritten).
• Summary format in step 8 includes architecture/container.md: <written | preserved | skipped>.
• Rules [Feat] require explicit per-merge CEO approval — never infer from plan-level "go" #11 + feat(#11): require explicit per-merge CEO approval — never infer from "go" #12 added — never overwrite, never claim the detector is authoritative.

Testing

Doc-only change to the SKILL.md. No executable code; no unit tests.

Validation comes from the next real /handover invocation on a JS/TS project (the detection tables are richest there; Python / Go / Rust / Ruby are covered but not as deeply as Node). The generated file should:

• Render on GitHub immediately (Mermaid inline)
• Match the c4-container.md template shape
• Have a top note explicitly calling out "auto-generated on YYYY-MM-DD — refine me"
• Skip gracefully if projects/<name>/architecture/container.md already exists

Non-goals / deferred

• L1 context stub — L1 requires external-system knowledge the repo signals don't always expose reliably. If added later, it becomes step 6a.
• Automatic rel/edge inference from code (e.g. parse fetch() calls to infer "api → llm-api") — too much false-positive risk. The skill emits a reasonable first-pass wiring and lets the team refine.
• Non-Mermaid formats — see [Feature] Structurizr DSL as escape hatch for L3+ C4 diagrams #68 (deferred Structurizr DSL for L3+).

Glossary

Term	Definition
C4 L2 container	Deployable / runnable unit inside the system boundary (web app, API, worker, database)
detection signal	A file or package that reveals a container's existence (e.g. prisma/schema.prisma → ContainerDb)
slot	A category in the detection table (web / api / worker / db / cache / queue / external) — each slot emits at most one container unless multiple services fit (workers, caches)
override	When docker-compose.yml exists, it supersedes package.json for composition — compose describes the actual deployment shape
stub	A starting-point file meant to be refined by the team, with an explicit "auto-generated — review me" header

Related

• Closes [Feature] /handover skill generates a stub C4 L2 container diagram #67
• Depends on templates shipped in feat: architecture diagram support in documentation — C4 model #50 (templates/architecture/c4-container.md)
• Complements [Feature] Structurizr DSL as escape hatch for L3+ C4 diagrams #68 (Structurizr DSL for L3+) — L1 / L2 stays Mermaid

[atlas-apex]

Code Review: PR #70

Commit: 1df34e5f8a645cb63ee6b3d958892c5016bf2b73

Summary

Doc-only extension of /handover SKILL.md adding step 6 that emits a stub C4 L2 container diagram from repo signals. Six slots (web / api / worker / db / cache / queue) plus five external families, with docker-compose.yml overriding package.json. Skip-if-exists, summary distinguishes written | preserved | skipped, rules #11/#12 protect the stub from overwrite.

Checklist Results

• Architecture & Design: Pass (doc-only)
• Code Quality: Pass
• Testing: N/A (process doc)
• Security: Pass (rule #8 .env never-read preserved)
• Performance: N/A
• PR Description & Glossary: Pass (5 terms)
• Technical Decisions (AgDR): N/A — implements earlier decision (#67, template from #50); no new tech choice

Findings

Detection table (spot-checked):

• @auth0/* → Auth0 — correct (@auth0/nextjs-auth0, @auth0/auth0-react)
• prisma/schema.prisma with provider = "postgresql" → PostgreSQL — correct Prisma datasource syntax
• ioredis / redis / @upstash/redis → Redis — correct
• @aws-sdk/client-sqs → SQS queue — correct

Next.js web+api collapse logic: Actionable. "Collapse web + api into one container labelled Web App + API" is explicit. The api-row qualifier "same container as web, or split if clearly separate service" is slightly soft — a naive read could emit two — but the dedicated monolith paragraph plus rule #12 disambiguate. Acceptable.

docker-compose precedence: Clear — "When compose and package.json conflict, trust compose."

Skip-if-exists vs skipped: Unambiguous. preserved = file exists, skipped = zero signals. Rule #11 enforces never-overwrite.

Step renumbering integrity: Clean. All internal refs checked (line 181 "step 7", line 250 "step 3", line 457 "step 8", line 493 "step 3"). No stale pointers.

Non-goals boundary: Confirmed — no L1 context stub, no edge inference from code, no Structurizr DSL. Scope discipline held.

Suggestions (non-blocking)

• drizzle.config.ts row leaves <driver> to be filled — consider noting the config uses a dialect: field as the hint source.

Verdict

APPROVED (posted as comment — cannot self-approve via GitHub review API)

---

Reviewed by Rex (Code Reviewer Agent)
Reviewed commit: `1df34e5f8a645cb63ee6b3d958892c5016bf2b73`