Testing & Security

Use this when you have completed some feature implementation and have written passing tests, and you are ready to create a PR.

Use this skill to build features or debug anything that uses a webapp frontend.

Use when writing or changing tests, adding mocks, or tempted to add test-only methods to production code - prevents testing mock behaviour, production pollution with test-only methods, and mocking without understanding dependencies

Applies current Go testing best practices. Use when writing or modifying Go test files or advising on Go testing strategies.

Analyzes web performance using Chrome DevTools MCP. Measures Core Web Vitals (FCP, LCP, TBT, CLS, Speed Index), identifies render-blocking resources, network dependency chains, layout shifts, caching issues, and accessibility gaps. Use when asked to audit, profile, debug, or optimize page load performance, Lighthouse scores, or site speed.

Use narsil-mcp code intelligence tools effectively. Use when searching code, finding symbols, analyzing call graphs, scanning for security vulnerabilities, exploring dependencies, or performing static analysis on indexed repositories.

Guide for testing and verifying code changes in this TUI application. Use this skill after making ANY code changes to main.go or main.md to verify they work correctly.

Specialized in reverse-engineering compiled binaries (JARs, DLLs). Use this when the user asks to compare versions, find security fixes, or analyze binary patches.

Comprehensive security code audit using multi-phase analysis (Assessment → STRIDE Threat Modeling → Code Review → Report). Use when asked to perform security review, vulnerability assessment, code audit, pentest code review, find security bugs, or analyze code for vulnerabilities. Optimized for bug bounty hunting with concrete evidence and exploitability validation.

Designs comprehensive testing strategies for any codebase. Use when adding tests, improving coverage, setting up testing infrastructure, or when asked about testing approaches.

Create comprehensive implementation plans with detailed file-level changes and test strategies

Instructs AI agents on documentation standards for design docs, folder READMEs, source code interfaces, and test cases

Use when tests have race conditions, timing dependencies, or inconsistent pass/fail behavior - replaces arbitrary timeouts with condition polling to wait for actual state changes, eliminating flaky tests from timing guesses

Use when writing or changing tests, adding mocks, or tempted to add test-only methods to production code - prevents testing mock behavior, production pollution with test-only methods, and mocking without understanding dependencies

Use when encountering any bug, test failure, or unexpected behavior, before proposing fixes - four-phase framework (root cause investigation, pattern analysis, hypothesis testing, implementation) that ensures understanding before attempting solutions

Test-Driven Development workflow principles. RED-GREEN-REFACTOR cycle.

Use when creating new skills, editing existing skills, or verifying skills work before deployment - applies TDD to process documentation by testing with subagents before writing, iterating until bulletproof against rationalization

API security testing principles. OWASP API Top 10, authentication, authorization testing.

Security audit checklist covering OWASP Top 10, authentication, and secure coding practices.

Use when creating or editing skills, before deployment, to verify they work under pressure and resist rationalization - applies RED-GREEN-REFACTOR cycle to process documentation by running baseline without skill, writing to address failures, iterating to close loopholes