Testing & Security

Dual-mode workflow issue logger. Use with mode=log to append mistakes during waves. Use with mode=summary at workflow end to review accumulated issues. Use when completing /build, /audit, or /ms workflows.

Use this skill whenever the user wants to design, implement, or refactor authentication and authorization in a NestJS TypeScript backend, including JWT, sessions, refresh tokens, guards, roles/permissions, and integration with modules/services/controllers.

Use when implementation is complete, all tests pass, and you need to decide how to integrate the work - guides completion of development work by presenting structured options for merge, PR, or cleanup

Security audit for vulnerabilities, compliance issues, and sensitive data exposure. Use before production deployments or when reviewing security-sensitive code.

Conduct thorough, constructive code reviews that improve code quality and team knowledge. Focuses on what matters - architecture, logic, security, maintainability - while avoiding bikeshedding.

Review and triage semgrep security scan results to identify true positive vulnerabilities. Use when analyzing semgrep output, triaging security findings, reviewing static analysis results, or when the user has semgrep-results directories to review. Performs deep code analysis to distinguish real vulnerabilities from false positives with high confidence.

Package entire code repositories into single AI-friendly files using Repomix. Capabilities include pack codebases with customizable include/exclude patterns, generate multiple output formats (XML, Markdown, plain text), preserve file structure and context, optimize for AI consumption with token counting, filter by file types and directories, add custom headers and summaries. Use when packaging codebases for AI analysis, creating repository snapshots for LLM context, analyzing third-party libraries, preparing for security audits, generating documentation context, or evaluating unfamiliar codebases.

Prevents RCE, SQL injection, and common vulnerabilities through validation and safe coding practices. Use when implementing or reviewing security-sensitive code involving user input, database queries, or command execution.

Use when implementing features or adding functionality - dispatches incremental-tdd-agent that enforces ONE test at a time, preventing batch test writing that defeats incremental design discovery. Maintains discipline through entire feature implementation (10+ test cycles)

Create CRPO-compliant lead magnets for therapy practices that build email lists without crossing ethical boundaries. Use when planning top-of-funnel content to capture leads. Creates concepts for guides, frameworks, and educational resources. CRITICAL: NO diagnostic assessments, NO outcome promises, NO psychological tests. Triggers on: create lead magnet, build email list, free resource ideas, content upgrade concepts. Outputs educational lead magnet concepts that provide genuine value while staying compliant.

This skill should be used when users need to evaluate course content, workshop materials, or training programs against a set of evaluation criteria (such as ICP-BAF learning outcomes). The skill audits content comprehensively, identifies gaps, and provides actionable recommendations.

Configure OAuth authentication providers for Clerk (Google, GitHub, Discord, Apple, Microsoft, Facebook, LinkedIn, Twitter, and 11+ more). Use when setting up social login, configuring OAuth providers, implementing authentication flows, generating redirect URLs, testing OAuth connections, or when user mentions Clerk OAuth, social authentication, provider setup, or multi-provider auth.

Use when verifying code is production-ready. Runs build, lint, and test commands to check compilation, code quality, and test suite. Essential validation step for /build and /audit commands.

MCPサーバー開発を支援します。プロトコル準拠、Pydanticスキーマ設計、Playwright統合のベストプラクティスを提供します。

Execute safe SELECT queries against MySQL/MariaDB databases with connection pooling, SQL injection prevention, and automatic result formatting. Activated when users mention "mysql", "mariadb", or need SQL database operations.

Guide for building Vue 3 components with NuxtUI using strict Test-Driven Development (TDD) methodology enforced by a TDD guard hook. Use this skill when implementing new UI components (atoms, molecules, organisms) for the Poche project, creating Storybook stories with interaction tests, or working within the RED-GREEN-REFACTOR cycle. Particularly useful when the user mentions "TDD", "test-first", "create a component", "build a component", "implement [ComponentName]", or when adding UI functionality.

Review code for quality, security, and best practices. Use when reviewing recent changes, PRs, or checking code quality. Proactively use after significant code modifications.

Use when writing or updating GitHub Actions workflow files (.github/workflows/*.yml) - provides latest version tags for official and popular third-party actions to avoid using outdated versions

Comprehensive guide for implementing Supabase Realtime features with best practices, scalable patterns, and migration strategies. Use when building realtime features in Supabase applications including messaging, notifications, presence, live updates, collaborative features, or migrating from postgres_changes to broadcast. Covers client setup, database triggers with realtime.broadcast_changes, RLS authorization, naming conventions, and performance optimization.

Comprehensive guide for building serverless applications with Cloudflare Workers. Use when developing Workers, configuring bindings, implementing runtime APIs, testing Workers, using Wrangler CLI, deploying to production, or building edge functions with JavaScript/TypeScript/Python/Rust.