Testing & Security
Testing frameworks, security tools, and best practices
9063 skills in this category
kadoppe-constitution
ALWAYS apply this skill for ANY software development task. Triggers: implement, create, build, add, write, code, function, class, component, API, feature, fix, bug, debug, refactor, improve, clean, review, check, design, architect, structure, test, endpoint, module, service, handler, controller, model, schema, migration, deploy, configure. This skill enforces kadoppe's development principles for all coding work.
run-tests
Run tests for the Nomos provider project with comprehensive coverage reporting. Use this when asked to run tests, check code quality, or verify test coverage.
managing-sops-secrets
Manages SOPS-encrypted Kubernetes secrets for Flux GitOps deployments using age encryption
gitignore-config
Git ignore configuration patterns for MetaSaver monorepos. Includes 10 required pattern categories (dependencies, build outputs, environment files with security-critical .env and .npmrc exclusions, logs, testing, IDE, OS, database, cache, temporary files). Use when creating or auditing .gitignore files to prevent secret leakage and repository pollution.
api-generator
Generate complete CRUD API endpoints with async patterns, Pydantic validation, JWT authentication, and proper error handling. Activates when creating new API resources or routes.
fastapi-patterns
FastAPI 0.121+ production patterns with async SQLAlchemy 2.0.44, Pydantic V2.12.4, dependency injection, and enterprise architecture. Use for REST API development.
mastering-aws-cli
AWS CLI v2 quick-reference for experienced developers. Covers compute (Lambda, ECS, EKS), storage (S3, DynamoDB, Aurora), networking (VPC, SSM tunneling), security (IAM, Secrets Manager), and GitHub Actions CI/CD. Use when asked to "write aws commands", "debug aws access", "set up cross-account roles", "configure aws cli", "assume role", "S3 bucket operations", or "deploy to ECS".
tic-tac-toe-tests
Create or update pytest coverage for the tic-tac-toe project, including win/draw detection, move validation, bot legality/optimality, and mixed human/bot turn flow. Use when adding or editing tests under the tests/ directory.
error-handling-reviewer
Review test cases for OAuth/OIDC error handling. Covers authorization endpoint errors, token endpoint errors, error response formats, HTTP status codes, and all error codes per OAuth 2.1 and OIDC Core 1.0.
test-driven-development
Use when implementing any feature or bugfix, before writing implementation code
preview-phase
Standard Operating Procedure for /preview phase. Covers manual UI/UX testing on local dev server before shipping.
multi-system-sso-authentication
Implement enterprise Single Sign-On (SSO) authentication supporting multiple identity providers with JWT RS256 tokens, backwards verification, session management, and cross-system permission mapping. Use this skill when building authentication systems that integrate with multiple enterprise SSO providers or when implementing secure token validation with session verification.
firebase-deployer
Deploy Firebase Firestore security rules and indexes automatically. Use when Firestore query errors mention "requires an index", when firestore.rules or firestore.indexes.json are modified, or when user requests Firebase deployment.
backend-queries
Write efficient and secure database queries following best practices for SQL injection prevention, N+1 query optimization, and performance for PostgreSQL (Bun.sql, Prisma, Supabase) and Firestore. Use this skill when writing or modifying database queries, implementing data fetching logic, working with ORMs (Prisma, TypeORM, Entity Framework), using Bun.sql native driver, querying Firestore collections, or implementing caching strategies. Apply when working on service files (services/*.ts, repositories/*.ts, *Service.cs), query builder implementations, data access layers, or any code that fetches or manipulates data. This skill ensures parameterized queries to prevent SQL injection (never interpolate user input), eager loading to prevent N+1 problems, selective column fetching (no SELECT *), strategic indexing on WHERE/JOIN/ORDER BY columns, transactions for related operations, query timeouts for performance, caching expensive queries, prepared statements with Bun.sql for repeated queries, and query-driven mod
commitlint-config
Commitlint configuration and GitHub Copilot commit message instruction templates with validation logic for conventional commit enforcement. Includes 6 required standards (conventional format, relaxed subject rules for Copilot compatibility, optional scope, Husky integration, required dependencies, Copilot instruction consistency). Use when creating or auditing commitlint.config.js and .copilot-commit-message-instructions.md files.
dev
Orchestrate KB development workflow from request to completion. Coordinates skills in sequence: kb → plan → test → validate → complete → reflect → inbox.
WORKFLOW:
1. LOOKUP - /pmc:kb (check existing PRDs, patterns, code maps)
2. PLAN - /pmc:plan + /pmc:plan-validation + /pmc:lint-kb
3. IMPLEMENT - /pmc:test (TDD cycle: RED → GREEN → REFACTOR)
4. VALIDATE - /pmc:validate + /pmc:ticket-status
5. COMPLETE - /pmc:complete (write 5-final.md, commit)
6. REFLECT - /pmc:reflect + /pmc:lint-kb
7. INBOX - /pmc:inbox (process pending items)
Use when:
- User says "implement", "build", "develop", "work on"
- Starting new feature or phase work
- Need guided workflow from start to finish
- User says "dev workflow", "full cycle"
unit-testing
Write unit tests for JavaScript files using Node.js native test runner. Use when creating new scripts, fixing bugs, or when prompted about missing tests.
security-guidelines
Use when auditing Claude Code plugin security or implementing secure practices - security guidelines with credential handling, hook safety, and MCP security for November 2025 specifications
semantic-code-hunter
Use when you need to find code by concept (not just text). Uses Serena MCP for semantic code search across the codebase with minimal token usage. Ideal for understanding architecture, finding authentication flows, or multi-file refactoring.
authentication-authorization-patterns
Master authentication and authorization patterns including OAuth 2.0, OpenID Connect, JWT tokens, refresh tokens, role-based access control (RBAC), claims-based authorization, and secure token storage for .NET applications with OpenIddict and ABP Framework.