create-integration

When to use

Use this skill when tasks include:

creating a new integration package from scratch
scaffolding data streams and applying post-scaffold edits
understanding package topology, file placement, and manifest patterns
running the end-to-end build workflow (scaffold → data collection setup → pipeline → system tests → review)
questions about package structure, layout, or
```
manifest.yml
```
shape

IMPORTANT: Loading references

This skill has four reference files. Load the appropriate one(s) based on your task:

When creating a full integration (end-to-end): → MUST read
references/create-workflow.md
fully before starting. This contains the complete orchestration workflow, all phases, subagent delegation instructions, and guardrails.

When adding data streams to an existing package: → MUST read
references/add-datastream-workflow.md
fully before starting. This covers verifying the package, scaffolding streams, and the CEL → pipeline → system-test sequence.

When scaffolding a package or data stream, or applying post-scaffold edits: → Read

references/scaffold-commands.md

for the scaffold commands, post-scaffold checklist, and common pitfalls.

When reviewing or understanding package topology and file layout: → Read

references/package-layout.md

for canonical trees, manifest patterns, and review checklists for both integration and input packages.

What to provide when creating an integration

Include any combination of the following:

Input	How to provide	Examples
Package name	free text	`my_vendor`
Product / vendor	free text	"Acme Firewall appliance"
Data delivery method	free text	"REST API with pagination", "syslog over TCP/UDP", "S3 bucket"
API / log documentation	paste URLs	`https://docs.acme.com/api/v2`
Sample data	`@` -mention files	`@samples/acme_event.json`
Research brief	`@` -mention file	`@notes/acme-research-brief.md`
Constraints	free text	"CEL input only", "single data stream"

Example invocations

Create a new "acme_firewall" integration for Acme Firewall appliance.
  API docs: https://docs.acme.com/api/v2/events
  Auth: Bearer token header. Pagination: offset-based with total_count.
  @samples/acme_events.json. Single data stream "event" using cel input.

New syslog integration "my_appliance" with tcp,udp inputs.
  @notes/research-brief.md. Two streams: "log" (syslog) and "traffic" (syslog).

What to provide when adding data streams to an existing package

Use

-mentions for files/folders and paste links inline.

Input	How to provide	Examples
Target package	free text or `@` -mention	`acme_firewall` , `@packages/acme_firewall`
Stream name	free text	`audit` , `traffic` , `alert`
Stream type	free text	`logs` (default) or `metrics`
Input type(s)	free text	`cel` , `tcp,udp` , `filestream` , `http_endpoint` , `aws-s3`
API / log docs	paste URLs	`https://docs.acme.com/api/audit`
Sample data	`@` -mention files	`@samples/audit_event.json` , `@samples/traffic.log`
Research brief	`@` -mention file	`@notes/acme-audit-brief.md`
Constraints	free text	"reuse package-level auth vars", "separate pipeline per event type"
Acceptance criteria	free text	"parse all syslog fields, map to ECS"

Example invocations

Add "audit" stream to @packages/acme_firewall using cel input.
  API endpoint: /api/v2/audit_logs
  Pagination: timestamp cursor.
  @samples/acme_audit.json

Add "traffic" and "threat" streams to acme_firewall.
  Both use tcp,udp inputs (syslog).
  @samples/traffic.log @samples/threat.log

Subagents overview

Do not load CEL, pipeline, ECS, or field-mapping skills yourself. Delegate to subagents that load their own domain skills.

All specialised work is delegated to the platform's generic / general-purpose subagent (Cursor:

generalPurpose

Task agent; Claude Code:

general-purpose

Task agent; or the equivalent on other platforms). Each task prompt must point the subagent at the relevant
*-subagent-guidance.md
file by path and instruct it to read that file (plus the skill SKILL.md it lists in "First steps") end-to-end before doing any other work. Do NOT read the guidance file yourself or paste its contents into the task prompt — that doubles its context cost. Pass only the path plus the task-specific context. The subagent will load the manual itself in its own fresh context. Full dispatch rules and per-step detail live in

references/create-workflow.md

and

references/add-datastream-workflow.md

Subagent guidance file	When to use
`/research-integration` skill (orchestrates its own research subagents)	Vendor/API research before building, when no research brief is provided
`cel-programs/references/builder-subagent-guidance.md`	Each CEL data stream — mock API, CEL program (incremental mito build), `cel.yml.hbs` template, manifest vars, initial field mappings
`integration-testing/references/builder-setup-subagent-guidance.md`	Each non-CEL data stream — data collection setup (docker-compose, sample logs, agent stream template, system test config, manifest var cleanup)
`ingest-pipelines/references/builder-subagent-guidance.md`	Each data stream's pipeline and field definitions
`integration-testing/references/builder-system-test-subagent-guidance.md`	System test execution after pipeline work completes, for any testable input (CEL, tcp, udp, http_endpoint, logfile, kafka, pubsub)
`review-integration/references/reviewer-subagent-guidance.md`	Quality review after all streams are built — classifies files by domain, loads relevant domain skills and checklists via the `review-integration` skill, returns severity-ranked, domain-tagged findings

For cloud storage inputs (aws-s3, gcs, azure-blob-storage, azure-eventhub): skip data collection setup and system tests. The scaffold provides a usable template; trim vars to match needs. See

references/create-workflow.md

for details.

References

```
references/create-workflow.md
```
— full phases 1–8 for creating a new integration, subagent instructions, guardrails, data anonymization
```
references/add-datastream-workflow.md
```
— phases 1–4 for adding data streams to an existing package, CEL/pipeline/system-test sequence
```
references/scaffold-commands.md
```
— scaffold commands, post-scaffold edits, base-fields.yml format
```
references/package-layout.md
```
— integration and input package topology, manifest patterns

create-integration

NPX Install

Tags

SKILL.md Content

create-integration

When to use

IMPORTANT: Loading references

What to provide when creating an integration

Example invocations

What to provide when adding data streams to an existing package

Example invocations

Subagents overview

References