Testing & Security

Auditar segredos e variáveis na esteira CI/CD (GitHub Actions) e no runtime (Docker Swarm), verificando integração via OIDC com Azure Key Vault e paridade de ambientes. Use quando houver falhas por falta de segredos, variáveis ausentes, “id-token: write” ausente, ou inconsistência entre Key Vault, Swarm e workflows.

Code review best practices including review checklists (functionality, tests, documentation, security, performance), providing constructive feedback, automated checks integration, and handling review comments. Use when reviewing pull requests, providing code feedback, responding to review comments, or setting up review processes.

Comprehensive REST and GraphQL API design patterns, best practices, OpenAPI specifications, versioning, authentication, error handling, pagination, rate limiting, and security. Use when designing APIs, creating endpoints, reviewing specifications, implementing authentication, or building scalable backend services.

This skill should be used when the user asks to "write tests first", "use TDD", "test-driven development", "red green refactor", "test first", "add unit tests before code", "write regression test first", "safe refactor with tests", or when TDD mode is active and the user makes any coding request that affects behavior (features, bugs, refactors).

Research latest library documentation, industry best practices, and technical knowledge to automatically generate project-level skills. Use when asked to: (1) Research and create a skill for a library/framework, (2) Build a skill based on architectural patterns, (3) Generate skills from technical research, (4) Create domain-specific technical skills from web research, or (5) Any request combining research with skill creation.

Run Flutter tests and analyze results. Use when implementing game logic, fixing bugs, or validating changes. Triggers on "run tests", "test this", "verify", "check if it works".

Performs Firebase Firestore operations. Use when querying collections, creating/updating/deleting documents, using batch writes, or working with Timestamps. Includes pagination, transactions, and security rules patterns.

Upgrade React applications to latest versions, migrate from class components to hooks, and adopt concurrent features. Use when modernizing React codebases, migrating to React Hooks, or upgrading to latest React versions.

A test skill for validation

Securely upload GitHub Actions secrets via gh CLI. Stdin pipe (preferred) or temp script fallback. NEVER commits secrets.

ドキュメント・テスト品質レビュー - コメント品質、API仕様、テストの意味、カバレッジを統合評価

Use when writing or changing tests, adding mocks, or tempted to add test-only methods to production code - prevents testing mock behavior and production pollution

Patterns for testing pure functions using Deno's test framework. Covers unit tests, property-based testing, test organization, and assertion patterns. Use when writing tests. Includes script for generating test boilerplate.

Skill for PHP/Laravel backend development following project conventions. Use when creating or editing PHP code, models, services, controllers, tests, or any backend logic. Loads all backend rules from .claude/rules/backend/ and .claude/rules/dataclasses/.

Comprehensive project health auditor that compares original plans, requirements, and architecture against current implementation to identify gaps, deviations, and technical debt. Use when users ask to audit a project, review project status, compare plans vs reality, identify what's missing or incomplete, assess project health, find scope creep, detect architectural drift, or get back on track. Acts as a trusted advisor providing actionable recommendations based on industry best practices.

Use when: making a mistake, breaking build/tests, realizing wrong approach, misunderstanding requirements, using wrong patterns, forgetting conventions, receiving correction from user, unexpected behavior, or any error situation

Validate backend development environment and authentication status. Use when (1) new backend developer onboarding, (2) checking required tools (gh CLI, Git, Node, pnpm, Supabase), (3) verifying GitHub auth and repo access, (4) orchestrator auto-runs at work start.

Validates n8n workflow JSON files, tests APIs with real credentials, auto-fixes common issues, and learns new problems. Use when you need to CHECK, VALIDATE, FIX, TEST, PREFLIGHT, or REPAIR n8n workflow JSON files before importing them.

Comprehensive purple team security assessment skill that analyzes codebases like a skilled penetration tester, identifies attack vectors, and provides remediation guidance. Use this skill when: (1) Performing security audits or code reviews, (2) Identifying vulnerabilities before deployment, (3) Running purple team exercises (offensive analysis + defensive remediation), (4) Checking for OWASP Top 10 vulnerabilities, (5) Scanning for hardcoded secrets, API keys, or credentials, (6) Analyzing authentication/authorization flaws, (7) Reviewing cryptographic implementations, (8) Auditing infrastructure-as-code (Terraform, K8s, Docker), (9) Generating security reports in Markdown, HTML, or JSON format. Triggers: "security audit", "purple team", "penetration test", "find vulnerabilities", "security review", "attack vectors", "remediate vulnerabilities", "OWASP", "security scan".

Guidance for configuring MCP servers in Claude Code projects. Covers transport selection, scopes, authentication, and security patterns. Use whenever adding MCP servers - projects, plugins, or any context.