Security

Multi-tenant architecture patterns including org_id claim management, JWT token structure with organization context, database isolation strategies for MongoDB and PostgreSQL, theme switching per organization, tenant provisioning workflows, data isolation patterns, and cross-tenant security. Activate for multi-tenancy implementation, tenant isolation, and organization-scoped data access.

Progressive audit and cleanup of GitHub accounts - stale forks, orphaned secrets, failing workflows, security configs. Audit-first with user approval before destructive actions. Triggers on 'clean up GitHub', 'audit my repos', 'GitHub hygiene', 'stale forks', 'orphaned secrets'. Requires gh CLI. (user)

Query and manage local Convex documentation mirror (42 docs). Search Convex topics for real-time database, serverless functions, authentication, file storage, and React hooks. Use when implementing Convex backend features or answering Convex-related questions. (user)

Complete Wasp authentication setup and user management. Use when implementing auth, setting up login/signup, or working with user authentication. Includes minimal User model, auth configuration, helper functions, and protected routes.

Write efficient and secure database queries using parameterized statements, preventing SQL injection, and optimizing performance through proper indexing and eager loading. Use this skill when writing database queries, ORM query methods, SQL statements, or repository pattern implementations. Use this skill when optimizing query performance, preventing N+1 query problems, implementing transactions for data consistency, or adding query timeouts and caching strategies. Use this skill when working with SELECT statements, JOIN operations, WHERE clauses, or any code that interacts with the database to fetch or manipulate data. Use this skill when working with files in repositories/, queries/, services/, or data access layers that contain database query logic.

Follow project-wide development conventions for project structure, documentation, version control, code review, environment configuration, dependency management, and security practices. Use this skill when setting up new projects, organizing file structures, writing project documentation, creating Git branches and commits, configuring environment variables, managing dependencies, setting up CI/CD pipelines, or implementing security practices. Apply when working on project setup tasks, creating documentation files (README.md, ARCHITECTURE.md, DATABASE_SCHEMA.md, API_REFERENCE.md, SETUP.md), Git workflow operations, .env files, package.json/bun.lockb, Docker configurations, or any cross-cutting project concerns. This skill ensures hybrid code organization (global shared code by type + feature-specific code with nested subdirectories), required documentation (README, ARCHITECTURE, DATABASE_SCHEMA, API_REFERENCE, SETUP - written before coding then updated), GitHub Flow workflow (main branch production-ready, feat

Audits RLS policies, validates security implementations, and identifies vulnerabilities

Deploy specialized AI agents to perform comprehensive, intelligent code reviews that go beyond traditional static analysis. Use for automated multi-agent review, security vulnerability analysis, performance bottleneck detection, and architecture pattern validation.

Guide for integrating Gemini AI models with Firebase using Firebase AI Logic SDK. This skill should be used when implementing Gemini features (chat, content generation, structured JSON output), configuring security (App Check), or troubleshooting issues (rate limits, schema errors).

Performs comprehensive code reviews following industry best practices. Use when reviewing pull requests, code changes, or when asked to analyze code quality, security, performance, or maintainability. Checks for common bugs, security vulnerabilities, code smells, and adherence to coding standards.

Browser automation for NHS Nervecentre EPR systems using local MCP servers. Use when asked to scrape, extract, or interact with Nervecentre patient data, worklists, clinical notes, or any NHS EPR system that requires local network access. Supports browser-use MCP (primary), Playwright MCP (fallback), and Browser MCP extension. Handles OAuth 2.0 authentication, dynamic SPA content, and FHIR-compliant data extraction. IMPORTANT - Requires local network access (hospital WiFi) - cloud browser services will not work.

Run Bandit security analysis to find common security issues and vulnerabilities in Python code. Use when the user mentions Bandit, security analysis, vulnerability scanning, security audit, software composition analysis (SCA), or wants to check for security issues in Python code.

Audits code for security vulnerabilities, performance issues, accessibility, complexity metrics, and infrastructure security. Use when reviewing code quality, performing security audits, checking OWASP compliance, analyzing complexity, auditing IaC, or finding dead code.

Use this skill when working with Decap CMS (formerly Netlify CMS) configuration, OAuth authentication, collection setup, or editorial workflow. Triggers include CMS configuration issues, GitHub backend authentication problems, collection schema design, field widget configuration, or media library integration. Critical for Triunghi.md's headless CMS architecture.

Comprehensive Claude Code conversation analysis skill for deep-diving into CC session logs.Use when analyzing exported Claude Code conversations to understand: project patterns, error rates,command failures, security risks, session duration, tool usage, and workflow efficiency.Triggers: "analyze conversation", "CC analysis", "conversation analysis", "session review","Claude Code logs", "analyze my sessions", "review CC usage", "conversation insights","what went wrong in my session", "session forensics", "CC forensics"

Implement comprehensive security for shared library. Use when working with security audits, dependency vulnerabilities, API security, token encryption, or secure coding practices for library consumers. Library security impacts all consuming plugins.

Detects logic bypass vulnerabilities including authentication bypass, authorization bypass, and business logic flaws. Use when analyzing authentication mechanisms, access controls, or investigating security control bypasses.

Use the 1Password CLI (`op`) to securely retrieve secrets. Load this skill when users ask to 'get a password from 1Password', 'retrieve a secret', 'fetch credentials from the vault', 'use op to read', or need to pass secrets to commands, environment variables, or files. CRITICAL: Never display secret values in conversation - always consume them inline with redirection or command substitution.

Comprehensive code review knowledge including security, performance, accessibility, and quality standards across multiple languages and frameworks

PAI (Personal AI Infrastructure) - Your AI system core. AUTO-LOADS at session start. USE WHEN any session begins OR user asks about PAI identity, response format, stack preferences, security protocols, or delegation patterns.