Testing & Security

Testing strategy and test pyramid for EFT-Tracker. Guides when to write unit, integration, E2E, or smoke tests. Includes MSW patterns, Playwright best practices, and contract testing. Activates when user mentions: test, unit test, integration test, E2E, Playwright, MSW, coverage, mock, test pyramid, vitest.

Ability to plan, direct, and oversee the development, operation, and governance of information systems to meet organisational objectives. Includes aligning technology strategy with business needs, managing teams and resources, ensuring system reliability and security, overseeing budgets and vendors, and governing risk and compliance. Applies across public and private sector contexts and is independent of specific technologies or platforms, with human accountability retained for strategic decisions, assurance, and outcomes.

Analytical thinking patterns for comprehensive evaluation, code audits, security analysis, and performance reviews. Provides structured templates for thorough investigation with extended thinking support.

This skill should be used when starting any feature or bug fix, exploring unfamiliar code, making commits or PRs, or when unsure which agent or approach to use. Covers agent routing, git discipline, testing workflow, and proactive quality practices.

Provides a comprehensive guide and templates for creating integration tests for FastAPI applications. Use this skill when you need to set up or write integration tests involving a database, authentication, file uploads, or error handling. It includes patterns for pytest fixtures, test client usage, and test data factories.

This skill should be used when setting up email OTP authentication with JWT sessions, password management, rate limiting, CSRF protection, and audit logging in a Next.js application. Use this skill when implementing a production-ready authentication system that matches the reference implementation pattern with Resend email, Prisma ORM, PostgreSQL, bcrypt password hashing, and jose JWT tokens.

Build React components using @fpkit/acss library patterns. Scaffolds complete component structures (tsx, types, scss, stories, tests), validates CSS variables follow naming conventions (--component-property with rem units), enforces TypeScript patterns, accessibility standards (WCAG 2.1 AA), and Storybook documentation. Use when building new components, generating boilerplate, or refactoring to use fpkit primitives. Includes automation scripts, reference guides, and templates.

Creates a new domain following DDD architecture pattern with all 4 layers (Repository, API Client, Hooks, Components), boilerplate files, and test stubs. Use when starting a new feature domain.

Testing strategies and best practices

Create async FastAPI endpoints with proper error handling, dependency injection, service/repository patterns, and type safety. Includes async database queries, pagination, filtering, and Gemini integration.

This skill should be used when configuring Supabase Auth for server-side rendering with Next.js App Router, including secure cookie handling, middleware protection, route guards, authentication utilities, and logout flow. Apply when setting up SSR auth, adding protected routes, implementing middleware authentication, configuring secure sessions, or building login/logout flows with Supabase.

Convex Auth - authentication, user management, protected functions, and session handling

Comprehensive guide for Shopify CLI app development lifecycle. Use when working with Shopify apps - initializing projects, managing TOML configurations, running local development (shopify app dev), deploying extensions, setting up multi-environment workflows (dev/staging/prod), or automating CI/CD pipelines. Includes helper scripts for common tasks like environment setup, config validation, webhook testing, and deployment automation.

This skill should be used when the user wants to commit their work to git and push to GitHub. It guides through reviewing changes, crafting meaningful commit messages following project conventions (including Conventional Commits when detected), creating commits with security checks, and pushing to remote repositories.

Returns a simple 'Hello World' message. Use this tool for testing MCP connection.

End-to-end browser testing patterns with Playwright. Use when writing integration tests, user flow testing, or browser automation.

Visual regression testing with Playwright and Percy. Use when implementing screenshot-based testing.

Automatically runs project validation commands (linters, type checkers, tests) after file edits and blocks commits on any failure. Reads validation commands from CLAUDE.md or auto-detects from project type. Enforces strict quality gates to catch issues early. (project)

Write clear, testable requirements using User Stories and Gherkin scenarios. Capture functional and non-functional requirements with proper acceptance criteria. Use when defining new features or documenting system behavior.

Systematic refactoring with small-step discipline. Use when user says 'refactor', 'clean up', 'restructure', 'extract', 'rename', 'simplify', or mentions code smells. Enforces one change → test → commit cycle. For structural improvements, NOT style/formatting (use /lint). NOT for adding features or fixing bugs.