Testing & Security
Testing frameworks, security tools, and best practices
9063 skills in this category
test-driven-development
Use when implementing any feature or bugfix, before writing implementation code
preview-phase
Standard Operating Procedure for /preview phase. Covers manual UI/UX testing on local dev server before shipping.
multi-system-sso-authentication
Implement enterprise Single Sign-On (SSO) authentication supporting multiple identity providers with JWT RS256 tokens, backwards verification, session management, and cross-system permission mapping. Use this skill when building authentication systems that integrate with multiple enterprise SSO providers or when implementing secure token validation with session verification.
firebase-deployer
Deploy Firebase Firestore security rules and indexes automatically. Use when Firestore query errors mention "requires an index", when firestore.rules or firestore.indexes.json are modified, or when user requests Firebase deployment.
Backend Queries
Write efficient and secure database queries following best practices for SQL injection prevention, N+1 query optimization, and performance for PostgreSQL (Bun.sql, Prisma, Supabase) and Firestore. Use this skill when writing or modifying database queries, implementing data fetching logic, working with ORMs (Prisma, TypeORM, Entity Framework), using Bun.sql native driver, querying Firestore collections, or implementing caching strategies. Apply when working on service files (services/*.ts, repositories/*.ts, *Service.cs), query builder implementations, data access layers, or any code that fetches or manipulates data. This skill ensures parameterized queries to prevent SQL injection (never interpolate user input), eager loading to prevent N+1 problems, selective column fetching (no SELECT *), strategic indexing on WHERE/JOIN/ORDER BY columns, transactions for related operations, query timeouts for performance, caching expensive queries, prepared statements with Bun.sql for repeated queries, and query-driven modeling for Firestore to avoid complex OR queries.
commitlint-config
Commitlint configuration and GitHub Copilot commit message instruction templates with validation logic for conventional commit enforcement. Includes 6 required standards (conventional format, relaxed subject rules for Copilot compatibility, optional scope, Husky integration, required dependencies, Copilot instruction consistency). Use when creating or auditing commitlint.config.js and .copilot-commit-message-instructions.md files.
dev
Orchestrate KB development workflow from request to completion. Coordinates skills in sequence: kb → plan → test → validate → complete → reflect → inbox. WORKFLOW: 1. LOOKUP - /pmc:kb (check existing PRDs, patterns, code maps) 2. PLAN - /pmc:plan + /pmc:plan-validation + /pmc:lint-kb 3. IMPLEMENT - /pmc:test (TDD cycle: RED → GREEN → REFACTOR) 4. VALIDATE - /pmc:validate + /pmc:ticket-status 5. COMPLETE - /pmc:complete (write 5-final.md, commit) 6. REFLECT - /pmc:reflect + /pmc:lint-kb 7. INBOX - /pmc:inbox (process pending items) Use when: - User says "implement", "build", "develop", "work on" - Starting new feature or phase work - Need guided workflow from start to finish - User says "dev workflow", "full cycle"
unit-testing
Write unit tests for JavaScript files using Node.js native test runner. Use when creating new scripts, fixing bugs, or when prompted about missing tests.
security-guidelines
Use when auditing Claude Code plugin security or implementing secure practices - security guidelines with credential handling, hook safety, and MCP security for November 2025 specifications
semantic-code-hunter
Use when you need to find code by concept (not just text). Uses Serena MCP for semantic code search across the codebase with minimal token usage. Ideal for understanding architecture, finding authentication flows, or multi-file refactoring.
authentication-authorization-patterns
Master authentication and authorization patterns including OAuth 2.0, OpenID Connect, JWT tokens, refresh tokens, role-based access control (RBAC), claims-based authorization, and secure token storage for .NET applications with OpenIddict and ABP Framework.
update-readme
Autonomously audit the entire repository and update the main README with comprehensive, accurate documentation of the current codebase
jmespath-for-kyverno
Master JMESPath for Kyverno policies. Query nested resources, build complex conditions, and validate Kubernetes workloads with production-tested patterns.
entrypoint
Generates entrypoint.sh script for Docker container runtime environment variable injection. Replaces placeholder values in built assets with actual environment variables at container startup.
frontend-patterns
Frontend development patterns for React, Vue, and TypeScript including component composition, state management (Redux, Zustand, Pinia), hooks patterns, performance optimization, testing with Jest/Vitest, and build tools (Vite, webpack). Use when building frontend applications, optimizing performance, managing state, or setting up testing.
ci-pipeline-setup
Set up CI/CD pipelines with GitHub Actions. Use when creating new projects, adding automation, or when manual verification becomes a bottleneck. Covers lint, test, build, and deploy automation.
emergency-release-workflow
Emergency release workflow for critical bug fixes and security patches. Use when production issues require fast-track deployment.
implementer-agent-skill
Complete TDD workflow for implementing business logic (use cases) and API endpoints that make tests pass. Covers Zod safeParse validation, async/await patterns, Next.js API routes, service orchestration, and Clean Architecture compliance.
Dev Tools
Run CLI dev tools for game development (world inspection, benchmarks, assets, simulation). Use when user wants to 'check performance', 'inspect world', 'validate assets', 'stress test', or asks about new CLI features.
amazon-writing
Use when writing narrative memos, 6-pagers, 1-pagers, press releases, or PRFAQs in Amazon style. Applies Amazon's no-PowerPoint writing standards with data over adjectives, active voice, and the "so what" test.