Testing & Security
Testing frameworks, security tools, and best practices
9063 skills in this category
kamal-deploy
Deploy Docker applications using Kamal 2 with zero-downtime and automatic SSL. Use this skill when (1) setting up new Kamal deployments, (2) generating deploy.yml configuration, (3) deploying apps that lack health endpoints (using Caddy workaround).
security
Proactive security engineering for PAI projects. USE WHEN user needs threat modeling, CMMC compliance baseline, security requirements, vulnerability analysis, or security-first design. Prevents security issues during design, not after deployment.
auto-animate
Production-tested setup for AutoAnimate (@formkit/auto-animate) - a zero-config, drop-in animation library that automatically adds smooth transitions when DOM elements are added, removed, or moved. This skill should be used when building UIs that need simple, automatic animations for lists, accordions, toasts, or form validation messages without the complexity of full animation libraries. Use when: Adding smooth animations to dynamic lists, building filter/sort interfaces, creating accordion components, implementing toast notifications, animating form validation messages, needing simple transitions without animation code, working with Vite + React + Tailwind, deploying to Cloudflare Workers Static Assets, or encountering SSR errors with animation libraries. Keywords: auto-animate, @formkit/auto-animate, formkit, zero-config animation, automatic animations, drop-in animation, list animations, accordion animation, toast animation, form validation animation, lightweight animation, 2kb animation, prefers-reduce
supabase-rls
Supabase Row Level Security policies. Use when creating RLS policies, securing tables, or implementing multi-tenant data isolation.
pytest-patterns
Automatically applies when writing pytest tests. Ensures proper use of fixtures, parametrize, marks, mocking, async tests, and follows testing best practices.
sast-runner
Runs Static Application Security Testing (SAST) using Semgrep. Scans source code for vulnerabilities, security anti-patterns, and OWASP Top 10 issues. Use when user asks to "run SAST", "scan for vulnerabilities", "static analysis", "code security scan", "静的解析", "脆弱性スキャン".
accessibility-audit
Audit code for WCAG 2.1 AA and EN 301 549 compliance. Checks keyboard navigation, ARIA usage, color contrast, forms, and media accessibility.
github-actions
Comprehensive guide for building robust, secure, and efficient CI/CD pipelines using GitHub Actions. Covers workflow structure, jobs, steps, environment variables, secret management, caching, matrix strategies, testing, and deployment strategies.
test-writer
Writes comprehensive unit, integration, and end-to-end tests. Use when user needs help writing tests, improving test coverage, or creating test suites.
security-architect
Expert security architecture including threat modeling, authentication, encryption, and compliance
discoveryrisk-assessment
Identify potential quality, security, and delivery risks early in discovery to inform mitigation planning.
wpf-mvvm
Build and maintain WPF MVVM patterns using CommunityToolkit.Mvvm for a .NET 8 widget-host app. Use when creating ViewModels, commands, observable state, validation, view bindings, and viewmodel-first navigation behaviors. Avoid Prism and heavy region managers; keep ViewModels testable and UI-agnostic.
security-audit
Perform security audits detecting OWASP Top 10 vulnerabilities, insecure dependencies, and security misconfigurations. Use when auditing applications for security vulnerabilities.
api-testing
This skill teaches the agent how to write and manage tests in the API project. MANDATORY - You MUST read this skill before modifying any test files.
testing-workflows
Run, debug, and structure tests for this Go project (unit + integration), including generation prerequisites. Use when changing domain logic, repositories, HTTP handlers, or migrations.
prerelease-versions
Alpha/beta/RC tagging patterns and GitHub pre-release workflows for managing pre-production releases. Use when creating alpha releases, beta releases, release candidates, managing pre-release branches, testing release workflows, or when user mentions pre-release, alpha, beta, RC, release candidate, or pre-production versioning.
sca-runner
Runs Software Composition Analysis (SCA) to detect vulnerable dependencies. Wraps npm audit and Trivy fs. Use when user asks to "scan dependencies", "check npm vulnerabilities", "SCA scan", "dependency audit", "依存関係スキャン", "脆弱性チェック".
openwebf-app
DEPRECATED umbrella Skill (backward compatibility). Use only for cross-cutting orchestration across multiple WebF app tasks when a request spans several capabilities (dev loop + debugging + testing + release). Prefer focused openwebf-app-* Skills.
middleware-protection
Route protection and authorization patterns for Clerk middleware. Use when implementing route guards, protecting API routes, configuring middleware matchers, setting up role-based access control, creating auth boundaries, or when user mentions middleware, route protection, auth guards, protected routes, public routes, matcher patterns, or authorization middleware.
tdd
Use when implementing code during ant-act execution. Enforces RED-GREEN-REFACTOR cycle. Triggers: writing code, fixing bugs, adding features, any implementation. Do NOT skip - no production code without failing test first.