Testing & Security
Testing frameworks, security tools, and best practices
9063 skills in this category
incremental-tdd
Use when implementing features or refactoring with TDD. Enforces writing ONE test at a time, implementing minimal code to pass, then repeating, which prevents batch test writing that defeats incremental design discovery.
qa-validation
Validate implementation against test cases and acceptance criteria. Use when checking if code works correctly, validating against user-provided test cases, or verifying acceptance criteria are met. Gets test cases from user input or previous workflow stages.
kompliance-x
Performs intelligent compliance audits for software projects. Automatically detects which regulatory frameworks (GDPR, HIPAA, PCI-DSS, CCPA, SOC 2) apply based on project analysis and user context. Provides tiered reports with executive summaries and detailed technical findings. Use when the user asks about compliance, regulatory requirements, security standards, data protection, or wants to audit their codebase for legal/regulatory adherence.
ios-reactive-list-generator
Generate reactive iOS list screens with RxSwift MVVM Input/Output pattern. Creates complete list features with reactive bindings, pagination (date range/page number), ViewModel, ViewController, Navigator, and tests for iOS reactive projects. Use when "create reactive list", "generate reactive list", "new reactive list screen", "create rxswift list", or "generate list with rxswift".
express
Express.js server best practices including middleware, error handling, and security.
risk-prioritization-framework-for-engineers
Risk prioritization framework for engineers. CVSS interpretation, exploitability analysis, blast radius calculation, and decision trees for patch management and vulnerability remediation.
manage-skills
Manage and maintain VRP Toolkit skills through compliance checking, audit tracking, and documentation synchronization. Use when (1) adding or modifying skills, (2) checking skill compliance with project standards, (3) auditing SKILLS.md vs skills directory consistency, (4) recording skill changes to SKILLS_LOG.md, or (5) performing periodic skill health checks. Ensures skills stay independent, under 500 lines, properly structured, and well-documented.
android-emulator-skill
Production-ready scripts for Android app testing, building, and automation. Provides semantic UI navigation, build automation, accessibility testing, and emulator lifecycle management. Optimized for AI agents with minimal token output. Android equivalent of ios-simulator-skill.
ca-django-linters
ALWAYS use this skill proactively for Consumer Affairs Django repositories (located in ../ca/ directory) when ANY of these occur - (1) After writing or modifying ANY Python code files in CA repos (2) After tests pass and before telling user work is complete (3) User mentions linting, formatting, ruff, code style, or code quality (4) After using the ca-django-tests skill successfully (5) Before preparing to commit code. This skill runs 'ca exec ruff format' and 'ca exec ruff check --fix' to ensure code quality. CRITICAL - Always run this automatically after code changes and before declaring work complete.
ci-images
Work with this repo’s GitHub Actions CI and GHCR Docker image publishing workflow. Use when changing generation checks, tests, formatting, or when preparing a release and validating image tags.
manage-commands
MUST INVOKE this skill when creating custom slash commands, standardizing workflows, or adding reusable operations. Secondary: understanding command structure, learning YAML configuration, or optimizing existing commands. Create, audit, and maintain custom slash commands.
endpoint-exploration
Document REST API endpoints through systematic empirical testing. Analyzes URL structure, generates minimal test cases, executes requests, and produces concise API documentation. Use when exploring undocumented APIs, reverse-engineering endpoints, or creating integration documentation.
tdd
Test-Driven Development following Kent Beck's TDD and Tidy First principles. Use when implementing features with a test-first approach, following the Red-Green-Refactor cycle, or separating structural changes from behavioral changes in commits.
playwright-page-objects
Playwright Page Object Model including page classes, fixtures, helpers, and test organization. Use when structuring Playwright E2E tests or organizing test code.
openwebf-security-remote-content
Review security risks and mitigations for remote WebF content (untrusted bundles, URL allowlists, HTTPS, trust boundaries, clickjacking). Use when the user mentions untrusted remote bundles, bundle URL validation/allowlists, or remote updates risk.
subagent-rules
Proper delegation patterns for Task() invocations with governance context injection.
api-client-generator
Use when creating REST API clients, SDK wrappers, or HTTP service integrations. Generates type-safe client code with retry logic, error handling, rate limiting, and comprehensive tests. Triggered by requests to integrate external APIs, build SDK clients, or create service wrappers.
cljr-feature-dev
Develop features for the Cljr Clojure-to-.NET compiler. Use when adding emitter features, expression types, analyzer support, or testing features. Guides the complete workflow from Expr.cs to C# tests to NRepl verification. Critical for REPL-oriented development.
iotnet
IoT network traffic analyzer for detecting IoT protocols and identifying security vulnerabilities in network communications. Use when you need to analyze network traffic, identify IoT protocols, or assess network security of IoT devices.
web3-testing
Test smart contracts comprehensively using Hardhat and Foundry with unit tests, integration tests, and mainnet forking. Use when testing Solidity contracts, setting up blockchain test suites, or validating DeFi protocols.