Testing & Security

Homeostatic actuator that tags code, tests, and commits with REQ-* keys for traceability. Adds "# Implements:" tags to code and "# Validates:" tags to tests. Use when code or tests are missing requirement tags.

Diagnose errors and failing tests in Laravel + React applications. Use when encountering bugs, exceptions,stack traces, 500 errors, TypeErrors, failing Pest/Vitest tests, or unexpected behavior. EXCLUSIVE to debugger agent.

Design pre-assessments, placement tests, and diagnostic instruments to identify learner starting points, knowledge gaps, and optimal entry points for personalized pathways. Use when determining where learners should start. Activates on "placement test", "diagnostic assessment", "pre-test", or "skill assessment".

Elevate projects to production quality using proven patterns. Use when starting a project, reviewing architecture, auditing code, or when user mentions "elevate-code", "production ready", "patterns", "make it production grade".

FastAPI patterns for building high-performance Python APIs. Covers routing, dependency injection, Pydantic models, background tasks, WebSockets, testing, and production deployment.

R 4.4+ best practices with testthat 3.2, lintr 3.2, and data analysis patterns.

Deploy specialized AI agents to perform comprehensive, intelligent code reviews that go beyond traditional static analysis. Use for automated multi-agent review, security vulnerability analysis, performance bottleneck detection, and architecture pattern validation.

Guide for integrating Gemini AI models with Firebase using Firebase AI Logic SDK. This skill should be used when implementing Gemini features (chat, content generation, structured JSON output), configuring security (App Check), or troubleshooting issues (rate limits, schema errors).

Performs interactive rebases with smart commit management and conflict resolution. Use when rebasing branches, cleaning up commit history, resolving conflicts, or when the user mentions "rebase", "interactive rebase", "squash commits", or wants to update their branch with latest changes from main/develop.

Expert guidance for debugging Next.js, React, and Playwright applications with modern tools and best practices.

Manage and consolidate tags. Use when asked to "clean up tags", "consolidate tags", "tag audit", "merge tags", or "rename tag".

Follow development best practices including consistent project structure, clear documentation with README files, version control best practices with clear commit messages, environment configuration using environment variables, minimal dependency management, code review processes, testing requirements, feature flags for incomplete features, and changelog maintenance. Use this skill when organizing project files and directories, writing commit messages, managing dependencies, setting up environment configurations, establishing code review processes, or maintaining project documentation. This skill applies when working on project organization, git workflows, dependency management, or any project-level conventions.

Follow strict TDD methodology using Sherpa's workflow enforcement. Activates when implementing new features, adding functionality, or building code that requires tests. Ensures RED-GREEN-REFACTOR discipline with guide check/done tracking.

Test GitHub Actions workflows locally using act, including installation, configuration, debugging, and troubleshooting local workflow execution

This skill should be used when developing with the Hono web framework, including CLI tool usage, project scaffolding, routing, middleware configuration, testing, optimization, and deployment across multiple JavaScript runtimes (Cloudflare Workers, Deno, Bun, Vercel, AWS Lambda, Node.js)

Bash/Shell scripting standards including shellcheck, shfmt, and bats testing. Use when working with shell scripts (.sh, .bash).

Performs comprehensive code reviews following industry best practices. Use when reviewing pull requests, code changes, or when asked to analyze code quality, security, performance, or maintainability. Checks for common bugs, security vulnerabilities, code smells, and adherence to coding standards.

Browser automation for NHS Nervecentre EPR systems using local MCP servers. Use when asked to scrape, extract, or interact with Nervecentre patient data, worklists, clinical notes, or any NHS EPR system that requires local network access. Supports browser-use MCP (primary), Playwright MCP (fallback), and Browser MCP extension. Handles OAuth 2.0 authentication, dynamic SPA content, and FHIR-compliant data extraction. IMPORTANT - Requires local network access (hospital WiFi) - cloud browser services will not work.

Operates local Kubernetes clusters with Minikube for development and testing.Use when setting up local K8s, deploying applications locally, or debugging K8s issues.Covers Minikube, kubectl essentials, local image loading, and networking.

Run Bandit security analysis to find common security issues and vulnerabilities in Python code. Use when the user mentions Bandit, security analysis, vulnerability scanning, security audit, software composition analysis (SCA), or wants to check for security issues in Python code.