Implement bitwarden-software-engineer Claude Code Plugin with Agent Skills

[theMickster]

🎟️ Tracking

TBD

📔 Objective

What?

Plugin Marketplaces enable teams to distribute curated collections of customizations (slash commands, sub-agents, MCP servers, hooks) with single-command installation. This creates an opportunity for Bitwarden to codify institutional knowledge, enforce coding standards, and accelerate developer onboarding by packaging our development patterns, security practices, and codebase conventions into a discoverable, shareable plugin.

The vision for the bitwarden-software-engineer plugin is to bundle Skills that understand our Angular architecture, Tailwind CSS (tw-) conventions, FusionCache adoption (ADR-0028), Signals/RxJS best practices and migration (ADR-0029), the Rust SDK, and so many more — enabling Claude to auto-invoke relevant expertise based on conversational context without manual commands.

Why?

Skills operate through prompt expansion and context modification — Claude automatically detects when a skill is relevant and loads only the minimal information needed.
This means:

1. Zero manual activation: Claude reads skill descriptions and invokes them based on intent
2. Composable expertise: Multiple skills stack together (Angular + Security + Tailwind)
3. Portable knowledge: Build once, share via marketplace across the entire clients team
4. Scoped permissions: Skills define exactly which tools they can use (Read, Write, Bash)

References

Highly encourage reading before code reviewing this PR

• Anthropic: "Introducing Agent Skills"
• Anthropic: "Customize Claude Code with plugins"
• Build with Claude Code -> Plugins
• Equipping agents for the real world with Agent Skills
• Han Lee: "Claude Agent Skills: A First Principles Deep Dive"
• Understanding Claude Code: Skills vs Commands vs Subagents vs Plugins

[github-actions]

Checkmarx One – Scan Summary & Details – 1b3369ed-357c-4091-be2c-e2689cdf0da5

Great job! No new security vulnerabilities introduced in this pull request

[withinfocus]

Few thoughts. Here's a list of other Claude skills I've built elsewhere that may be worthy of inclusion in a first pass:

• dapper-implementation
• ef-core-implementation
• dotnet-api-development
• unit-testing
• authentication-implementation
• authorization-implementation
• query-optimization
• responsive-design

Also, do we not need to have a skills.json that organizes all of these? I haven't maintained a marketplace but when it's in a repo you should.

[withinfocus]

🎨 I think it would be advisable to open this up to all SQL variants. T-SQL is our primary language but we are also responsible for our other RDBMSes.

[theMickster]

I did that at first and the skill got overblown real fast. I also don't know enough about the internals of the other RDBMS yet. I'll try to find some other good examples for us to consider and we can see what works best; one SQL skill or multiple

[SaintPatrck]

🌱 🤔 This might be a good place to leverage Progressive Disclosure. Define general SQL guidelines directly in SKILL.md then have variant specific guidelines in /skills/sql-dev/guides/{sql-variant}.md.

That will result in Claude always consuming the general rules, then conditionally loading the specific variant rules relevant to the changes being reviewed. Irrelevant guidelines are never loaded into context.

P.S.
Obviously out of scope for this PR, but something to consider for later.

[theMickster]

I thought that it was a good idea; gave it a shot.
I know very little about what we're trying / not trying to do in these particular areas so I did rely on Claude Code to craft the wording after having it scan the repo & read our contributing docs.

[withinfocus]

Some fundamental questions about structure and design of this plugin and how it relates to monorepo development as well as work as a whole across many repos.

[withinfocus]

ℹ️ We must be mindful of what's in the various repos instructing and defining these approaches, and eliminate that content in favor of this one at the right time. Have to have one single source of truth, as a skill, here.

[withinfocus]

🎨 Per your other guide, this is meant to be ORM-focused right? So we'd write this with a Dapper mindset, but still include the T-SQL references which it uses.

[withinfocus]

⚠️ In the case of SQL at least we have some really good coverage of this at https://contributing.bitwarden.com/contributing/code-style/sql. This plus any other skills / guides here would benefit from reaching out to the relevant page to get the implementation details, as we need the style guides there for engineering in general. Will that be an issue? I don't want to duplicate content.

This comment applies in several other places. My understanding is these guides document approach and rationale, but we should have the actual "how" in close-to-code or the docs site; traditionally I'd want just the former but these are company-wide and can't be just in individual repos.

[withinfocus]

⚠️ See my other comment, but I see this as a skill for a ".NET backend".

[withinfocus]

⚠️ Same comment again, but the docs site or in-repo code should have these things. The two monorepos for frontend and backend do take on a lot of what a "Bitwarden software engineer" does on many days and something like a migration is specific to the latter, so it should be there. Generally though, such as literally" writing database queries" is more open-ended and could apply to many repositories.

[withinfocus]

❌ Just found out while experimenting that this should be named AGENT.md.

[SaintPatrck]

That's not technically required. I'm for making it a Bitwarden practice though. We just need to document it somewhere. By default, when using Claude Code to generate a new agent it does not name the file AGENT.md. It uses a descriptive name like pr-knowledge-extractor.md or test-forge-engineer.md, so devs would have to manually rename them when created this way.

[claude]

Claude finished @theMickster's task in 2m 20s —— View job

---

Plugin Review Complete

I've completed a comprehensive review of the bitwarden-software-engineer plugin. Here are my findings:

---

✅ Component Validation: PASSED

Agent File

plugins/bitwarden-software-engineer/agents/bitwarden-software-engineer.md

Structure: ✅ Valid

• YAML frontmatter present and valid
• Required fields (name, description) present
• Optional fields (model, tools, color) properly configured

Tool Access: ✅ Appropriate

• Tools: Read, Write, Edit, Bash, Glob, Grep
• Scoping is justified for a full-stack development agent
• Bash access appropriate for running builds, tests, migrations

Description: ⚠️ Needs Minor Improvement

• The description includes activation context ("feature implementation, cross-language refactoring")
• Suggested: Add more specific activation triggers. Consider:

  description: Full-stack software engineer specializing in C#, JavaScript, TypeScript, Rust, and SQL. Coordinates complex development tasks across languages. Use for feature implementation spanning multiple repos, cross-language refactoring, or tasks requiring full-stack reasoning across frontend, backend, and database.

System Prompt: ✅ Well-Structured

• Clear role definition
• Explicit working approach
• Focused on avoiding over-engineering (good!)
• Concise and actionable

Model Selection: ✅ Appropriate

• Using sonnet - appropriate for complex engineering tasks

---

Skills Files

All three skills validated:

• writing-client-code/SKILL.md (81 lines) ✅
• writing-database-queries/SKILL.md (86 lines) ✅
• writing-server-code/SKILL.md (90 lines) ✅

Structure: ✅ Valid

• All YAML frontmatter present and valid
• Required fields (name, description) present
• Names follow kebab-case convention
• All under 500-line guideline (well within limits)

Descriptions: ✅ Excellent
All descriptions include clear activation triggers:

• "Use when working in the clients mono-repo..."
• "Use when working with .sql files, stored procedures..."
• "Use when working in the server repo, creating commands..."

Tool Access: ✅ Appropriate
All skills specify: Read, Write, Edit, Bash, Glob, Grep

• Appropriate for code generation and modification tasks
• Bash access justified for running migrations, builds, tests

Content Quality: ✅ Strong

• Clear, specific instructions
• Good use of tables for reference information
• Appropriate examples (✅/❌ patterns)
• Repository-specific guidance
• Progressive disclosure with guide files (tsql.md, entity-framework.md)

---

🔒 Security Validation: PASSED

Critical Security Checks:

• ✅ No settings.local.json committed
• ✅ No hardcoded API keys, tokens, or passwords
• ✅ No credentials in configuration files
• ✅ Tool permissions appropriately scoped
• ✅ Bash access justified for engineering workflows

Tool Access Security: ✅ Appropriate

• Agent and skills grant necessary tools for their purpose
• No overly broad access patterns
• Follows principle of least privilege for full-stack dev work

---

📋 Best Practices Review

✅ Strengths

1. Well-organized skill structure - Clear separation between client, server, and database concerns
2. Progressive disclosure implemented - Database queries skill properly uses guide files
3. Repository-specific guidance - Skills contain Bitwarden-specific patterns (tw- prefix, no enums, GenerateComb, etc.)
4. Practical examples - Good use of ✅/❌ patterns throughout
5. Token-efficient - All skills well under 500-line guideline
6. Clear activation triggers - Descriptions specify when to invoke each skill

📝 Recommendations (Optional Improvements)

1. Agent Naming Convention (from review comments)

• Current filename: bitwarden-software-engineer.md
• Alternative: Consider renaming to AGENT.md for consistency
• Note: This is not required by Claude Code spec, but may become a Bitwarden convention

2. Progressive Disclosure Enhancement (writing-database-queries)

• Current guide files: tsql.md, entity-framework.md
• Consider: Add PostgreSQL, MySQL, SQLite-specific guides as variants evolve
• The current approach references contributing docs which is appropriate

3. Marketplace.json Entry

• Plugin not yet added to .claude-plugin/marketplace.json
• Per PR description: Intentionally marked as "not-ready-for-primetime"
• When ready, add entry following existing pattern

4. Skills Organization Consideration
From review comments, consider these additional skills for future iterations:

• dapper-implementation
• ef-core-implementation
• unit-testing
• authentication-implementation
• authorization-implementation
• query-optimization
• responsive-design

---

🎯 Verdict

Status: ✅ APPROVED with optional recommendations

The bitwarden-software-engineer plugin follows Claude Code standards and implements security best practices correctly. All validation checks pass:

• ✅ Component structure valid (agents, skills, YAML frontmatter)
• ✅ Security requirements met (no secrets, appropriate permissions)
• ✅ Progressive disclosure implemented
• ✅ Clear activation triggers
• ✅ Token-efficient organization
• ✅ Repository-specific guidance included

The optional recommendations above are enhancements, not blockers. The plugin is well-structured and ready for internal testing.

---

Related Review Comments

Several thoughtful review comments from the team touch on important architectural considerations:

1. Skill vs Agent scope - The hybrid "super-role" approach vs. specialized agents
2. Security skills - Need for OWASP, secure development, auth/authz skills
3. Single source of truth - Balance between plugin skills and contributing docs
4. Monorepo considerations - Skills should focus on rationale, reference docs for implementation details

These are excellent points for the next iteration and align with the PR's stated goal of building foundational patterns.

---