Secrets management standards for API keys, passwords, certificates, and sensitive data. Covers HashiCorp Vault, environment variables, rotation policies, and detection tools with NIST 800-53r5 SC-12 compliance.
Validate, format, and minify JSON files when users request JSON validation, formatting, or ask to validate their JSONs
Expert code reviewer specializing in code quality, security vulnerabilities, and best practices across multiple languages. Masters static analysis, design patterns, and performance optimization with focus on maintainability and technical debt reduction.
Enforce KISS, Purity, SOLID, and Let It Crash principles through mandatory validation gates. Detects complexity violations, impure functions, design anti-patterns, and error handling issues.
Activate when analyzing code quality through linting, formatting, testing, coverage analysis, and maintainability metrics
JavaScript/ES6+ coding standards following Airbnb guidelines, modern patterns, React best practices, and comprehensive Jest testing. Use for JavaScript projects requiring clean, maintainable, production-ready code with modern tooling.
Final code/plan review using Codex. Use as the last review step after sonnet and opus.
Input-Validation standards for input validation in Security environments.
Authorization security standards covering RBAC, ABAC, policy enforcement, OAuth2 scopes, resource-based access control, and NIST 800-53 compliance (AC-3, AC-4, AC-6) for production systems
Expert penetration tester specializing in ethical hacking, vulnerability assessment, and security testing. Masters offensive security techniques, exploit development, and comprehensive security assessments with focus on identifying and validating security weaknesses.
1. Broken Object Level Authorization (BOLA) - API fails to validate user access to objects 2. Broken Authentication - Weak or missing authentication mechanisms 3. Broken Object Property Level Authorization - Missing field-level access control 4. Unrestricted Resource Consumption - No rate limiting or throttling 5. Broken Function Level Authorization - Missing authorization checks on endpoints 6. Unrestricted Access to Sensitive Business Flows - Automated abuse of legitimate workflows 7. Server Side Request Forgery (SSRF) - API accepts URLs without validation 8. Security Misconfiguration - Insecure default configs, verbose errors 9. Improper Inventory Management - Undocumented/deprecated APIs in production 10. Unsafe Consumption of APIs - Trusting third-party API data without validation
Authentication security standards covering OAuth2 flows (authorization code, PKCE), JWT best practices (RS256, expiration), MFA (TOTP, WebAuthn), session management, and NIST 800-63B compliance for production systems
Specialized CVE and vulnerability management for morphir-dotnet. Use when user asks to scan for vulnerabilities, fix CVEs, suppress false positives, review security reports, or manage dependency-check. Triggers include "CVE", "vulnerability", "security scan", "dependency-check", "suppress", "false positive", "CVSS", "security fix".
Review checkpoint specs and tests to identify tests that encode ambiguous interpretations rather than explicit requirements. Use when asked to check checkpoint_N.md against test_checkpoint_N.py, when auditing tests for ambiguity, or when reviewing snapshot eval failures for interpretive issues.
Analyze checkpoint tests and suggest missing edge cases. Use after writing tests or when reviewing test coverage. Invoke with /edge-cases <problem> <checkpoint>.
Expert test automation engineer specializing in building robust test frameworks, CI/CD integration, and comprehensive test coverage. Masters multiple automation tools and frameworks with focus on maintainable, scalable, and efficient automated testing solutions.
Use when user requests exhaustive edge case analysis. Enforces TodoWrite with 15+ items (5 categories). Triggers: "all edge cases", "what could break", "bulletproof", "failure modes". If thinking "main path is sufficient" - use this.
Analyze test cases against specifications to find ambiguous assumptions. Use when tests might be making assumptions not explicitly defined in the spec. Invoke with /test-ambiguity-detector <problem> <checkpoint>.
Use when design is complete and you need detailed implementation tasks - breaks epics into coarse-grained Beans issues with TDD guidance, exact file paths, and verification steps
Reclassify tests by adding @pytest.mark.functionality to tests not explicitly shown in the spec. Invoke with /reclassify-tests <problem> <checkpoint>.
Continually test and repair solutions to benchmark problems until they pass. Use when a solution has failing tests. Invoke with /fix-solution <snapshot_path> <problem_name> <checkpoint_index>.
