create-integration

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

create-integration

When to use

使用场景

Use this skill when tasks include:

creating a new integration package from scratch
scaffolding data streams and applying post-scaffold edits
understanding package topology, file placement, and manifest patterns
running the end-to-end build workflow (scaffold → data collection setup → pipeline → system tests → review)
questions about package structure, layout, or
```
manifest.yml
```
shape

当你有以下任务时，可使用本技能：

从零开始创建新的集成包
搭建数据流脚手架并进行搭建后的编辑操作
理解包拓扑结构、文件放置规则以及manifest.yml的格式
运行端到端构建工作流（脚手架搭建 → 数据收集设置 → 管道配置 → 系统测试 → 审核）
咨询包结构、布局或manifest.yml格式相关问题

IMPORTANT: Loading references

重要提示：加载参考文件

This skill has four reference files. Load the appropriate one(s) based on your task:

When creating a full integration (end-to-end): → MUST read
references/create-workflow.md
fully before starting. This contains the complete orchestration workflow, all phases, subagent delegation instructions, and guardrails.

When adding data streams to an existing package: → MUST read
references/add-datastream-workflow.md
fully before starting. This covers verifying the package, scaffolding streams, and the CEL → pipeline → system-test sequence.

When scaffolding a package or data stream, or applying post-scaffold edits: → Read

references/scaffold-commands.md

for the scaffold commands, post-scaffold checklist, and common pitfalls.

When reviewing or understanding package topology and file layout: → Read

references/package-layout.md

for canonical trees, manifest patterns, and review checklists for both integration and input packages.

本技能包含四个参考文件，请根据你的任务加载对应的文件：

创建完整集成包（端到端）时： → 开始前必须完整阅读
references/create-workflow.md
。该文件包含完整的编排工作流、所有阶段、子代理委派说明以及约束规则。

为现有包添加数据流时： → 开始前必须完整阅读
references/add-datastream-workflow.md
。内容涵盖包验证、数据流搭建以及CEL → 管道 → 系统测试的流程。

搭建包或数据流脚手架，或进行搭建后的编辑操作时： → 阅读

references/scaffold-commands.md

获取脚手架命令、搭建后检查清单以及常见问题。

审核或理解包拓扑结构与文件布局时： → 阅读

references/package-layout.md

获取标准目录结构、manifest.yml格式以及集成包和输入包的审核检查清单。

What to provide when creating an integration

创建集成包时需提供的信息

Include any combination of the following:

Input	How to provide	Examples
Package name	free text	`my_vendor`
Product / vendor	free text	"Acme Firewall appliance"
Data delivery method	free text	"REST API with pagination", "syslog over TCP/UDP", "S3 bucket"
API / log documentation	paste URLs	`https://docs.acme.com/api/v2`
Sample data	`@` -mention files	`@samples/acme_event.json`
Research brief	`@` -mention file	`@notes/acme-research-brief.md`
Constraints	free text	"CEL input only", "single data stream"

可提供以下任意组合的信息：

输入项	提供方式	示例
包名称	自由文本	`my_vendor`
产品/供应商	自由文本	"Acme防火墙设备"
数据交付方式	自由文本	"带分页的REST API"、"基于TCP/UDP的syslog"、"S3存储桶"
API/日志文档	粘贴URL	`https://docs.acme.com/api/v2`
示例数据	使用 `@` 引用文件	`@samples/acme_event.json`
研究简报	使用 `@` 引用文件	`@notes/acme-research-brief.md`
约束条件	自由文本	"仅支持CEL输入"、"单一数据流"

Example invocations

调用示例

Create a new "acme_firewall" integration for Acme Firewall appliance.
  API docs: https://docs.acme.com/api/v2/events
  Auth: Bearer token header. Pagination: offset-based with total_count.
  @samples/acme_events.json. Single data stream "event" using cel input.

New syslog integration "my_appliance" with tcp,udp inputs.
  @notes/research-brief.md. Two streams: "log" (syslog) and "traffic" (syslog).

Create a new "acme_firewall" integration for Acme Firewall appliance.
  API docs: https://docs.acme.com/api/v2/events
  Auth: Bearer token header. Pagination: offset-based with total_count.
  @samples/acme_events.json. Single data stream "event" using cel input.

New syslog integration "my_appliance" with tcp,udp inputs.
  @notes/research-brief.md. Two streams: "log" (syslog) and "traffic" (syslog).

What to provide when adding data streams to an existing package

为现有包添加数据流时需提供的信息

Use

-mentions for files/folders and paste links inline.

Input	How to provide	Examples
Target package	free text or `@` -mention	`acme_firewall` , `@packages/acme_firewall`
Stream name	free text	`audit` , `traffic` , `alert`
Stream type	free text	`logs` (default) or `metrics`
Input type(s)	free text	`cel` , `tcp,udp` , `filestream` , `http_endpoint` , `aws-s3`
API / log docs	paste URLs	`https://docs.acme.com/api/audit`
Sample data	`@` -mention files	`@samples/audit_event.json` , `@samples/traffic.log`
Research brief	`@` -mention file	`@notes/acme-audit-brief.md`
Constraints	free text	"reuse package-level auth vars", "separate pipeline per event type"
Acceptance criteria	free text	"parse all syslog fields, map to ECS"

使用

引用文件/文件夹，并直接粘贴链接。

输入项	提供方式	示例
目标包	自由文本或 `@` 引用	`acme_firewall` , `@packages/acme_firewall`
数据流名称	自由文本	`audit` , `traffic` , `alert`
数据流类型	自由文本	`logs` （默认）或 `metrics`
输入类型	自由文本	`cel` , `tcp,udp` , `filestream` , `http_endpoint` , `aws-s3`
API/日志文档	粘贴URL	`https://docs.acme.com/api/audit`
示例数据	使用 `@` 引用文件	`@samples/audit_event.json` , `@samples/traffic.log`
研究简报	使用 `@` 引用文件	`@notes/acme-audit-brief.md`
约束条件	自由文本	"复用包级别的认证变量"、"按事件类型分离管道"
验收标准	自由文本	"解析所有syslog字段，映射至ECS"

Example invocations

调用示例

Add "audit" stream to @packages/acme_firewall using cel input.
  API endpoint: /api/v2/audit_logs
  Pagination: timestamp cursor.
  @samples/acme_audit.json

Add "traffic" and "threat" streams to acme_firewall.
  Both use tcp,udp inputs (syslog).
  @samples/traffic.log @samples/threat.log

Add "audit" stream to @packages/acme_firewall using cel input.
  API endpoint: /api/v2/audit_logs
  Pagination: timestamp cursor.
  @samples/acme_audit.json

Add "traffic" and "threat" streams to acme_firewall.
  Both use tcp,udp inputs (syslog).
  @samples/traffic.log @samples/threat.log

Subagents overview

子代理概述

Do not load CEL, pipeline, ECS, or field-mapping skills yourself. Delegate to subagents that load their own domain skills.

All specialised work is delegated to the platform's generic / general-purpose subagent (Cursor:

generalPurpose

Task agent; Claude Code:

general-purpose

Task agent; or the equivalent on other platforms). Each task prompt must point the subagent at the relevant
*-subagent-guidance.md
file by path and instruct it to read that file (plus the skill SKILL.md it lists in "First steps") end-to-end before doing any other work. Do NOT read the guidance file yourself or paste its contents into the task prompt — that doubles its context cost. Pass only the path plus the task-specific context. The subagent will load the manual itself in its own fresh context. Full dispatch rules and per-step detail live in

references/create-workflow.md

and

references/add-datastream-workflow.md

Subagent guidance file	When to use
`/research-integration` skill (orchestrates its own research subagents)	Vendor/API research before building, when no research brief is provided
`cel-programs/references/builder-subagent-guidance.md`	Each CEL data stream — mock API, CEL program (incremental mito build), `cel.yml.hbs` template, manifest vars, initial field mappings
`integration-testing/references/builder-setup-subagent-guidance.md`	Each non-CEL data stream — data collection setup (docker-compose, sample logs, agent stream template, system test config, manifest var cleanup)
`ingest-pipelines/references/builder-subagent-guidance.md`	Each data stream's pipeline and field definitions
`integration-testing/references/builder-system-test-subagent-guidance.md`	System test execution after pipeline work completes, for any testable input (CEL, tcp, udp, http_endpoint, logfile, kafka, pubsub)
`review-integration/references/reviewer-subagent-guidance.md`	Quality review after all streams are built — classifies files by domain, loads relevant domain skills and checklists via the `review-integration` skill, returns severity-ranked, domain-tagged findings

For cloud storage inputs (aws-s3, gcs, azure-blob-storage, azure-eventhub): skip data collection setup and system tests. The scaffold provides a usable template; trim vars to match needs. See

references/create-workflow.md

for details.

请勿自行加载CEL、管道、ECS或字段映射相关技能。请将任务委派给会自行加载对应领域技能的子代理。

所有专业工作均需委派给平台的通用子代理（Cursor：

generalPurpose

任务代理；Claude Code：

general-purpose

任务代理；其他平台的等效代理）。每个任务提示必须通过路径指引子代理查看相关的
*-subagent-guidance.md
文件，并指示其在开展任何工作前完整阅读该文件（以及文件“第一步”中列出的SKILL.md技能文档）。请勿自行阅读指引文件或将其内容粘贴至任务提示中——这会增加双倍的上下文成本。只需传递路径以及任务特定的上下文即可。子代理会在其全新的上下文中自行加载手册。完整的调度规则和分步细节请查看

references/create-workflow.md

和

references/add-datastream-workflow.md

。

子代理指引文件	使用场景
`/research-integration` 技能（可编排自身的研究子代理）	构建前的供应商/API研究，且未提供研究简报时
`cel-programs/references/builder-subagent-guidance.md`	每个CEL数据流——模拟API、CEL程序（增量mito构建）、 `cel.yml.hbs` 模板、manifest变量、初始字段映射
`integration-testing/references/builder-setup-subagent-guidance.md`	每个非CEL数据流——数据收集设置（docker-compose、示例日志、代理流模板、系统测试配置、manifest变量清理）
`ingest-pipelines/references/builder-subagent-guidance.md`	每个数据流的管道和字段定义
`integration-testing/references/builder-system-test-subagent-guidance.md`	管道工作完成后的系统测试执行，适用于所有可测试的输入类型（CEL、tcp、udp、http_endpoint、logfile、kafka、pubsub）
`review-integration/references/reviewer-subagent-guidance.md`	所有数据流构建完成后的质量审核——按领域分类文件，通过 `review-integration` 技能加载相关领域技能和检查清单，返回按严重程度排序、带领域标签的审核结果

对于云存储输入（aws-s3、gcs、azure-blob-storage、azure-eventhub）：跳过数据收集设置和系统测试。脚手架会提供可用模板；根据需求删减变量即可。详情请查看

references/create-workflow.md

。

References

参考文件

```
references/create-workflow.md
```
— full phases 1–8 for creating a new integration, subagent instructions, guardrails, data anonymization
```
references/add-datastream-workflow.md
```
— phases 1–4 for adding data streams to an existing package, CEL/pipeline/system-test sequence
```
references/scaffold-commands.md
```
— scaffold commands, post-scaffold edits, base-fields.yml format
```
references/package-layout.md
```
— integration and input package topology, manifest patterns

```
references/create-workflow.md
```
— 创建新集成包的完整1-8阶段、子代理说明、约束规则、数据匿名化
```
references/add-datastream-workflow.md
```
— 为现有包添加数据流的1-4阶段、CEL/管道/系统测试流程
```
references/scaffold-commands.md
```
— 脚手架命令、搭建后编辑操作、base-fields.yml格式
```
references/package-layout.md
```
— 集成包和输入包的拓扑结构、manifest.yml格式