Security

WHEN: GraphQL schema review, resolver patterns, N+1 detection, query complexity, API securityWHAT: Schema design + N+1 detection + Query complexity + Input validation + Error handling + DataLoader patternsWHEN NOT: REST API → api-documenter, Database schema → schema-reviewer, ORM → orm-reviewer

Implement OAuth 2.1 / OIDC authentication using Better Auth with MCP assistance. Use when settingup a centralized auth server (SSO provider), implementing SSO clients in Next.js apps, configuringPKCE flows, or managing tokens with JWKS verification. Uses Better Auth MCP for guided setup.NOT when using simple session-only auth without OAuth/OIDC requirements.

Implement secure file uploads with validation, size limits, type checking, virus scanning, and UUID naming. Use when handling file uploads like profile photos, documents, or resources.

Azure AD OAuth2/OIDC SSO integration for Kubernetes applications. Use when implementing Single Sign-On, configuring Azure AD App Registrations, restricting access by groups, or integrating tools (DefectDojo, Grafana, ArgoCD, Harbor, SonarQube) with Azure AD authentication.

Guide for implementing DefectDojo - an open-source DevSecOps, ASPM, and vulnerability management platform. Use when querying vulnerabilities, managing findings, configuring CI/CD pipeline imports, or working with security scan data. Includes MCP tools for direct API interaction.

Comprehensive code review assistant that analyzes code for security vulnerabilities, performance issues, and code quality. Use when reviewing pull requests, conducting code audits, or analyzing code changes. Supports Python, JavaScript/TypeScript, and general code patterns. Includes automated analysis scripts and structured checklists.

Structured framework for evaluating GitHub Actions security before adoption. Trust tiers, risk assessment checklist, and decision tree for action evaluation.

Intelligence-first code analysis for bugs, architecture, performance, and security. Use proactively when investigating code issues, tracing dependencies, or understanding system behavior. MUST query project-intel.mjs before reading files.

Generate detailed control implementation guidance, technical steps, and implementation plans for OSCAL security controls. Use this skill to create implementation narratives, technical procedures, and deployment plans.

Security and privacy engineering

Configure Traefik labels for routing, SSL/TLS with LetsEncrypt, and advanced routing patterns including Cloudflare DNS challenge. Use when adding web access to Dokploy services.

Unified login wizard combining Claude API authentication with CIPS identity setup. Use when /login invoked, first-run detected, or identity reset requested. Follows @asking-users PARAMOUNT patterns.

Review implementation for security vulnerabilities and best practices. Checks input validation, injection prevention, auth/authz, secrets handling. Use after implementation before merge.

Use when working with Expo SDK modules for camera, location, notifications, file system, secure storage, and other device APIs. Covers permissions, configurations, and best practices.

Write secure, optimized database queries using parameterized statements, proper indexing, and efficient data fetching patterns. Use this skill when writing database queries, ORM query methods, SQL statements, or data access layer code. When working on files containing Prisma queries, TypeORM query builders, raw SQL statements, database transaction logic, eager loading and joins, query optimization code, files implementing data pagination or filtering, cache strategies for expensive queries, or files handling database connection pooling and query timeouts.

DEPRECATED umbrella Skill (backward compatibility). Use only for cross-cutting security reviews spanning remote content + XSS/sanitization + store compliance. Prefer focused openwebf-security-* Skills.

Validate PM environment and authentication status. Use when (1) new PM onboarding, (2) checking required tools (gh CLI, Git, GitHub Projects access), (3) verifying GitHub auth and project permissions, (4) orchestrator auto-runs at work start.

Use when you need to plan technical solutions that are scalable, secure, and maintainable.

Research Maven dependency updates with breaking changes, release notes, and security information

Provides architecture knowledge for the dealflow-network project including tRPC router patterns, Drizzle ORM conventions, authentication flow, file organization, and collaborative contact system. Use when working on this codebase, adding features, or understanding existing patterns.