Testing & Security

Develop and test API routes in the Next.js App Router. Use this when the user asks to create, modify, test, or debug API endpoints, handle API responses, validate request parameters, or work with the /api directory.

Design and implement visual regression testing for UI changes. Definesscreenshot coverage, rendering stabilization, baseline management, and CIintegration (e.g., Playwright screenshots, Percy/Chromatic). Use whenUI/styling/layout changes need protection against regressions, or when addingscreenshot-based tests to a web/WASM/desktop UI.

Validate security findings from commit-security-scan by assessing exploitability, filtering false positives, and generating proof-of-concept exploits. Use after running commit-security-scan to confirm vulnerabilities.

FastAPI Python backend in api/. Covers routes, models, Supabase integration, authentication, R2 storage, and Cloudflare Workers deployment. Port 9999 for local dev. OpenAPI docs at /docs.

This skill should be used when estimating development time for Jira tickets. It provides both manual and AI-assisted estimates with T-shirt sizes, story points, and phase-by-phase time breakdowns based on task type classification, complexity scoring, and project architecture (monolithic/serverless/frontend/fullstack/mobile/test_automation).

Test Nuxt 3 / Nitro API handlers with real PostgreSQL, transaction rollback isolation, and typed factories. No mocks, real SQL.

Automatically troubleshoot unexpected results OR command/script errors without user request. Triggers when: (1) unexpected behavior - command succeeded but expected effect didn't happen, missing expected errors, wrong output, silent failures; (2) explicit failures - stderr, exceptions, non-zero exit, SDK/API errors. Applies systematic diagnosis using error templates, hypothesis testing, and web research for any Stack Overflow-worthy issue.

WHEN: Rust project review, ownership/borrowing, error handling, unsafe code, performanceWHAT: Ownership patterns + Lifetime analysis + Error handling (Result/Option) + Unsafe audit + Idiomatic RustWHEN NOT: Rust API → rust-api-reviewer, Go → go-reviewer

Guides test creation for Polibase following strict testing standards. Activates when writing tests or creating test files. Enforces external service mocking (no real API calls), async/await patterns, test independence, and proper use of pytest-asyncio to prevent CI failures and API costs.

Guides on analyzing and improving test coverage for Python (pytest-cov) and JavaScript (c8) projects. Use when a user asks to set up test coverage, generate coverage reports, understand why coverage is low, or improve their test coverage.

Invoke IMMEDIATELY via python script when user requests codebase analysis, architecture review, security assessment, or quality evaluation. Do NOT explore first - the script orchestrates exploration.

Test n8n nodes using Jest, nock for HTTP mocking, and local testing workflows with npm link. Use this skill when writing test files in __tests__ folders, mocking HTTP requests with nock, creating mock IExecuteFunctions contexts, testing helper functions, setting up golden file tests, running the linter before publishing, or locally testing nodes in the n8n UI. Apply when organizing test files, mocking external APIs, validating node execution output, or following the pre-publish checklist.

Run ruff + pytest and fix issues minimally.

Guide for building robust API integration layers in React/TypeScript applications. Use when implementing HTTP clients (axios/fetch), request/response interceptors, authentication token handling, error handling strategies, retry logic, request cancellation, or organizing API services. Triggers on questions about API client setup, custom hooks for data fetching, React Query/SWR integration, or service layer patterns.

Security patterns for Astro lead generation websites on Cloudflare. Forms, headers, bot protection, GDPR. Use for any production lead gen site.

Clean Architecture and SOLID principles implementation including dependency injection, layer separation, domain-driven design, hexagonal architecture, and code quality patterns

Implement secure, consistent input validation on both client and server sides. Use this skill when validating form inputs, API request bodies, or user-provided data. When sanitizing input to prevent injection attacks (SQL, XSS, command injection). When writing allowlist-based validation, type checking, or business rule validation. When providing field-specific error messages to users.

Best practices for writing Python tests - use when creating or improving test coverage

Vitest setup and best practices. Use when configuring Vitest for TypeScript projects.

Data import/export and validation pipeline for MyDetailArea. Handles bulk operations, CSV/Excel processing, data migration, validation rules, error handling, and audit trails. Supports vehicle inventory import, order batch updates, contact imports, and custom data transformations. Use when implementing bulk data operations, migration from legacy systems, or scheduled exports.