Testing & Security

Orchestrate and run appropriate pensive review skills based on codebase analysis and context. Triggers: code review, unified review, full review, review orchestration, multi-domain review, intelligent review, auto-detect review Use when: general review needed without knowing which specific skill applies, full multi-domain review desired, integrated reporting needed DO NOT use when: specific review type known - use bug-review, test-review, etc. DO NOT use when: architecture-only focus - use architecture-review. Use this skill when orchestrating multiple review types.

Session-aware usage logging for audit trails, cost tracking, and analytics with JSONL format. Triggers: usage logging, audit trails, cost tracking, session logging, analytics, structured logging, JSONL Use when: implementing audit trails, tracking costs, collecting usage analytics, managing session logging DO NOT use when: simple operations without logging needs. Consult this skill when implementing usage logging and audit trails.

Create clear, testable specifications with user stories and acceptance criteria. Triggers: spec writing, feature specification, requirements, user stories Use when: creating new specifications or writing acceptance criteria DO NOT use when: generating implementation tasks - use task-planning.

Reusable patterns and templates for Claude Code skill and hook development. Triggers: validation patterns, error handling, testing templates, workflow patterns, shared patterns, reusable templates, DRY patterns, common workflows Use when: creating new skills or hooks that need consistent patterns, implementing validation logic, setting up error handling, creating test scaffolding, referencing standard workflow structures DO NOT use when: pattern is specific to one skill only. DO NOT use when: pattern is still evolving - wait for stability. DO NOT use when: pattern is context-dependent requiring variations. Reference these patterns to validate consistency across the ecosystem.

Compose processing stages using a pipes-and-filters model for ETL, media processing, or compiler-like workloads. Triggers: pipeline architecture, pipes and filters, ETL, data transformation, stream processing, CI/CD pipeline, media processing, batch processing Use when: data flows through fixed sequence of transformations, stages can be independently developed and tested, parallel processing of stages is beneficial DO NOT use when: selecting from multiple paradigms - use architecture-paradigms first. DO NOT use when: data flow isn't sequential or predictable. DO NOT use when: complex branching/merging logic dominates. Consult this skill when designing data pipelines or transformation workflows.

Orchestrate tutorial generation from VHS tapes and Playwright specs to dual-tone markdown with GIF recording. Triggers: tutorial update, gif generation, tape recording, update tutorial, regenerate gifs, tutorial manifest Use when: regenerating tutorial GIFs, updating documentation demos, creating tutorials from tape files DO NOT use when: only updating text - use doc-updates. DO NOT use when: only capturing browser - use scry:browser-recording directly.

detailed hook evaluation framework for Claude Code and Agent SDK hooks. Triggers: hook audit, hook security, hook performance, hook compliance, SDK hooks, hook evaluation, hook benchmarking, hook vulnerability Use when: auditing existing hooks for security vulnerabilities, benchmarking hook performance, implementing hooks using Python SDK, understanding hook callback signatures, validating hooks against compliance standards DO NOT use when: deciding hook placement - use hook-scope-guide instead. DO NOT use when: writing hook rules from scratch - use hookify instead. DO NOT use when: validating plugin structure - use validate-plugin instead. Use this skill BEFORE deploying hooks to production.

Complete guide for writing Claude Code and SDK hooks with security-first design. Triggers: hook creation, hook writing, PreToolUse, PostToolUse, UserPromptSubmit, tool validation, logging hooks, context injection, workflow automation Use when: creating new hooks for tool validation, logging operations for audit, injecting context before prompts, enforcing project-specific workflows, preventing dangerous operations in production DO NOT use when: logic belongs in core skill - use Skills instead. DO NOT use when: complex multi-step workflows needed - use Agents instead. DO NOT use when: behavior better suited for custom tool. Use this skill BEFORE writing any hook. Check even if unsure.

Employ the Hexagonal (Ports & Adapters) pattern to decouple domain logic from infrastructure, maximizing flexibility and testability. Triggers: hexagonal architecture, ports and adapters, infrastructure independence, dependency inversion, clean architecture, domain isolation, adapter pattern, infrastructure abstraction, database independence, framework independence Use when: designing systems with strong business logic separation, anticipating infrastructure changes, needing easy mocking for tests, building portable domain code DO NOT use when: selecting from multiple paradigms - use architecture-paradigms first. DO NOT use when: building simple CRUD apps without complex domain logic. Consult this skill when implementing hexagonal patterns or migrating to port-based design.

Security practices including secrets management, input validation, SSRF prevention, and production hardening. Use for security-sensitive code.

Systematically uncover and fix bugs using language-specific expertise and reproducible evidence. Triggers: bug hunting, defect detection, debugging, fix verification, bug fix, regression check, error investigation, defect documentation Use when: deep bug hunting needed, documenting defects, verifying fixes, systematic debugging required DO NOT use when: test coverage audit - use test-review instead. DO NOT use when: architecture issues - use architecture-review. Use this skill for systematic bug hunting with evidence trails.

Expert-level Rust audits covering ownership, concurrency, unsafe blocks, traits, and Cargo dependencies. Triggers: Rust review, ownership analysis, borrowing, unsafe audit, concurrency, Cargo dependencies, lifetime annotations, trait bounds Use when: reviewing Rust code, auditing unsafe blocks, analyzing ownership patterns, scanning Cargo dependencies for security DO NOT use when: general code review without Rust - use unified-review. DO NOT use when: performance profiling - use parseltongue:python-performance pattern. Use this skill for Rust-specific code audits.

Detect codebase bloat through progressive analysis: dead code, duplication, complexity, and documentation bloat. Triggers: bloat detection, dead code, code cleanup, duplication, redundancy, codebase health, technical debt, unused code Use when: preparing for refactoring, context usage is high, quarterly maintenance, pre-release cleanup DO NOT use when: actively developing new features, time-sensitive bug fixes. DO NOT use when: codebase is < 1000 lines (insufficient scale for bloat). Progressive 3-tier detection: quick scan → targeted analysis → deep audit.

Audit Makefiles for duplication, portability, and idiomatic GNU Make usage. Triggers: Makefile review, build system, GNU Make, portability, deduplication, pattern rules, automatic variables, dependency graph Use when: auditing Makefiles, reviewing build system, checking portability, eliminating recipe duplication DO NOT use when: creating new Makefiles - use abstract:make-dogfood. DO NOT use when: architecture review - use architecture-review. Use this skill for Makefile audit and optimization.

Configure pre-commit hooks for code formatting, linting, and security checks

Evaluate and upgrade test suites with TDD/BDD rigor, coverage tracking, and quality assessment. Triggers: test audit, test coverage, test quality, TDD, BDD, test gaps, test improvement, coverage analysis, test remediation Use when: auditing test suites, analyzing coverage gaps, improving test quality, evaluating TDD/BDD compliance DO NOT use when: writing new tests - use parseltongue:python-testing. DO NOT use when: updating existing tests - use sanctum:test-updates. Use this skill for test suite evaluation and quality assessment.

Evaluate codebase architecture against ADRs, coupling rules, and team guardrails. Triggers: architecture review, ADR audit, coupling analysis, design review, principle checks, Law of Demeter, architecture assessment Use when: reviewing architecture decisions, auditing ADR compliance, analyzing coupling, validating design principles DO NOT use when: selecting architecture paradigms - use archetypes skills. DO NOT use when: API surface review - use api-review. Use this skill for architecture assessment and compliance.

Go conventions for hexagonal architecture, project structure, error handling, testing, and observability. Use when writing Go services.

Evaluate public API surfaces against internal guidelines and external exemplars. Triggers: API review, API design, consistency audit, API documentation, versioning, surface inventory, exemplar research Use when: reviewing API design, auditing consistency, governing documentation, researching API exemplars DO NOT use when: architecture review - use architecture-review. DO NOT use when: implementation bugs - use bug-review. Use this skill for API surface evaluation and design review.

Python testing with pytest, fixtures, mocking, and TDD workflows. Triggers: pytest, unit tests, test fixtures, mocking, TDD, test suite, coverage, test-driven development, testing patterns, parameterized tests Use when: writing unit tests, setting up test suites, implementing TDD, configuring pytest, creating fixtures, async testing DO NOT use when: evaluating test quality - use pensive:test-review instead. DO NOT use when: infrastructure test config - use leyline:pytest-config. Consult this skill for Python testing implementation and patterns.