測試與安全

Manage Rust and Node.js dependencies including adding, updating, auditing, and resolving conflicts. Use when updating dependencies or resolving version conflicts.

Go coding standards following idiomatic Go patterns, error handling, concurrency best practices, and modern Go tooling. Use for Go projects requiring clean, efficient, production-ready code with comprehensive testing.

Expert guidance for Talon voice control development. Use when creating voice commands, defining actions, writing .talon files, testing Talon config, or debugging Talon issues.

Systematic error diagnosis and debugging workflow for Rust code. Use when code isn't working, tests fail, or runtime errors occur.

Authentication security standards covering OAuth2 flows (authorization code, PKCE), JWT best practices (RS256, expiration), MFA (TOTP, WebAuthn), session management, and NIST 800-63B compliance for production systems

Review code for best practices, bugs, security issues, and improvements. Use when reviewing code, checking PRs, or analyzing code quality.

Performance testing standards for load, stress, spike, and soak testing. Covers k6 and JMeter implementation, SLI/SLO definitions, CI/CD integration, and bottleneck analysis. Use when validating system behavior under load, establishing baselines, or capacity planning.

Analyzes HTTP security headers for a given URL and provides a comprehensive security score. Checks for critical headers like HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Returns detailed scoring and recommendations.

Implement robust E2E tests with Playwright or Cypress using Page Object Model, proper waits, and CI/CD integration. Covers selector strategies, flaky test prevention, and cross-browser testing patterns.

Unit testing standards following TDD methodology, test pyramid principles, and comprehensive coverage practices. Covers pytest, Jest, mocking, fixtures, and CI integration for reliable test suites.

Test and validate the dotfiles setup process for this repository. Use when the user wants to test the setup script, validate the installation, verify symlinks, troubleshoot setup issues, or check that dotfiles are properly configured. Triggers include "test setup", "validate installation", "check dotfiles", "verify setup", or troubleshooting requests.

Generate comprehensive unit tests for code. Use when creating tests, improving test coverage, or setting up testing frameworks.

Comprehensive testing standards including unit, integration, security, and property-based testing with TDD methodology

Validates test suite quality through mutation testing. Generates intelligent code mutations, runs tests to verify they catch the changes, and identifies gaps in test coverage. Use when evaluating test effectiveness, validating newly written tests, or improving test quality for mission-critical code.

Use for bugs, test failures, or unexpected behavior needing root cause

1. Broken Object Level Authorization (BOLA) - API fails to validate user access to objects 2. Broken Authentication - Weak or missing authentication mechanisms 3. Broken Object Property Level Authorization - Missing field-level access control 4. Unrestricted Resource Consumption - No rate limiting or throttling 5. Broken Function Level Authorization - Missing authorization checks on endpoints 6. Unrestricted Access to Sensitive Business Flows - Automated abuse of legitimate workflows 7. Server Side Request Forgery (SSRF) - API accepts URLs without validation 8. Security Misconfiguration - Insecure default configs, verbose errors 9. Improper Inventory Management - Undocumented/deprecated APIs in production 10. Unsafe Consumption of APIs - Trusting third-party API data without validation

Use before implementing UI changes or frontend PRs. Enforces TodoWrite with 18+ items. Triggers: "accessibility audit", "WCAG", "Lighthouse", "screen reader", "a11y", "NVDA", "VoiceOver", "keyboard navigation", "focus indicator". For "Core Web Vitals" in frontend/UI context, use this skill. For pure backend/API performance optimization, use performance-optimization instead. If thinking "WIP doesn't need this" - use it anyway.

Best practices for writing R package tests using testthat version 3+. Use when writing, organizing, or improving tests for R packages. Covers test structure, expectations, fixtures, snapshots, mocking, and modern testthat 3 patterns including self-sufficient tests, proper cleanup with withr, and snapshot testing.

CI/CD pipeline standards for GitHub Actions, GitLab CI, and deployment automation. Covers testing gates, security scanning, artifact management, and deployment strategies for reliable software delivery.

Security Operations Center (SOC) practices, incident response, SIEM management, and threat hunting following NIST 800-61