api-rate-limiting
Implements API rate limiting using token bucket, sliding window, and Redis-based algorithms to protect against abuse. Use when securing public APIs, implementing tiered access, or preventing denial-of-service attacks.
Configures HTTP security headers to protect against XSS, clickjacking, and MIME sniffing attacks. Use when hardening web applications, passing security audits, or implementing Content Security Policy.
Implements secure session management with JWT tokens, Redis storage, refresh flows, and proper cookie configuration. Use when building authentication systems, managing user sessions, or implementing secure logout functionality.
XSS attack prevention with input sanitization, output encoding, Content Security Policy. Use for user-generated content, rich text editors, web application security, or encountering stored XSS, reflected XSS, DOM manipulation, script injection errors.
This skill should be used when the user asks to "add turnstile", "implement bot protection", "validate turnstile token", "fix turnstile error", "setup captcha alternative", or encounters error codes 100*/300*/600*, CSP errors, or token validation failures. Provides CAPTCHA-alternative protection for Cloudflare Workers, React, Next.js, and Hono.
OAuth 2.0 and OpenID Connect authentication with secure flows. Use for third-party integrations, SSO systems, token-based API access, or encountering authorization code flow, PKCE, token refresh, scope management errors.
Implements CSRF protection using synchronizer tokens, double-submit cookies, and SameSite attributes. Use when securing web forms, protecting state-changing endpoints, or implementing defense-in-depth authentication.
Use when writing unit tests for Angular components, services, pipes, or directives. Triggers on requests to "write tests", "add tests", "create spec", "test this component", or when test files need to be created/modified.
Validate at every layer data passes through to make bugs impossible. Use when invalid data causes failures deep in execution, requiring validation at multiple system layers.
Use for test coverage with Bun, --coverage flag, lcov reports, thresholds, and CI integration.
Validate Spectr specifications and change proposals without requiring the spectr binary. USE WHEN you're in a sandboxed or restricted execution context and spectr is not available in your path. DO NOT USE WHEN you need a lightweight alternative for task acceptance, but have the spectr binary available. DO NOT USE when you have the spectr binary available.
Use for bun:test syntax, assertions, describe/it, test.skip/only/each, and basic patterns.
Use for test lifecycle hooks: beforeAll, afterAll, beforeEach, afterEach, fixtures, preload.
Use when migrating from Jest to Bun's test runner, import compatibility, mocks, and config.
Use for mock functions in Bun tests, spyOn, mock.module, implementations, and test doubles.
Generate Jest unit tests for JavaScript/TypeScript with mocking, coverage. Use for JS/TS modules, React components, test generation, or encountering missing coverage, improper mocking, test structure errors.
Browser automation and E2E testing with Playwright. Auto-detects dev servers, writes clean test scripts. Test pages, fill forms, take screenshots, check responsive design, validate UX, test login flows, check links, automate any browser task. Use for cross-browser testing, visual regression, API testing, component testing in TypeScript/JavaScript and Python projects.
Create minimal subtests to isolate and fix complex bugs. Use when a test fails and the issue is buried in complexity.
Run all validation checks before tagging a new release
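Systematic code review checklist and pre-commit quality gates. Use when: reviewing pull requests, checking code quality, before committing code. Keywords: review, PR, pull request, checklist, quality, commit, code review, inspection, check-in.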
Pre-release integrity check. Verify package consistency for API changes and spec updates. Use for release check, version update, documentation consistency, pre-release verification.
General development rules including comment length, testing protocol, and command aliasing (puro).