Ensures TUI+CLI+Documentation parity for all feature changes. CRITICAL - Use this for EVERY change that affects commands, screens, shortcuts, or settings. Validates that changes are reflected in TUI implementation, CLI commands, docs/cli/, docs/tui/, docs/tui/shortcuts.md, CLAUDE.md, and feature registry. Prevents documentation drift and missing implementations.
Fix Python code formatting issues using the Ruff formatter. Use when: (1) Formatting errors are detected by ruff format --check, (2) Python files need to be formatted to match project style, (3) Pre-commit hooks or CI fail due to formatting issues.
Systematic code maturity assessment using Trail of Bits' 9-category framework. Analyzes codebase for arithmetic safety, auditing practices, access controls, complexity, decentralization, documentation, MEV risks, low-level code, and testing. Produces professional scorecard with evidence-based ratings and actionable recommendations. (project, gitignored)
Pre-commit security validation and secret detection. Runs detect-secrets scan and audit workflow, validates secrets baseline, and integrates with pre-commit hooks to prevent credential leaks. Use when user mentions scanning for secrets, detect-secrets, secret detection, credential scanning, pre-commit security, or .secrets.baseline.
Use before code review - determine if change is minor (review new code only) or major (review impacted code too)
Use when writing code - follow Google style guides where available, otherwise follow established best practices for the language
TypeScript type safety guidelines. Use this when writing TypeScript code, especially when handling errors or unknown data types.
Review specifications for soundness, completeness, and implementability - validates structure, identifies ambiguities, checks for gaps before implementation
Conducts comprehensive backend code reviews including API design (REST/GraphQL/gRPC), database patterns, authentication/authorization, caching strategies, message queues, microservices architecture, security vulnerabilities, and performance optimization for Node.js, Python, Java, Go, and C#. Produces detailed review reports with specific issues, severity ratings, and actionable recommendations. Use when reviewing server-side code, analyzing API implementations, checking database queries, validating authentication flows, assessing microservices architecture, or when users mention "review backend code", "check API design", "analyze server code", "validate database patterns", "security audit", "performance review", or "backend code quality".
Verify specification quality and completeness. Use after writing spec.md to ensure it meets standards before task breakdown - checks for clarity, feasibility, testability, and completeness.
Runs pre-render-validation.py and systematically fixes all detected errors. Use before rendering or committing to catch LaTeX, link, variable, citation, and import issues.
コード品質の問題を積極的に検出し改善する。以下を検出した際に自動発動: (1) 長いメソッド/クラス、(2) 重複コードパターン、(3) 深いネスト、(4) 不適切な命名、(5) マジックナンバー/文字列、(6) N+1 クエリパターン、(7) 未使用コード、(8) Feature Envy や God クラス。言語非依存のリファクタリングガイダンスを提供。
Use when writing or modifying code. Enforces production-quality standards, prohibits common shortcuts, and ensures pre-existing issues are addressed. Invoked automatically by implementing-features and test-driven-development.
Style guidelines for justfile recipe documentation. Use when writing or editing justfiles to ensure consistent and concise documentation.
Master type safety patterns - fix type errors at source, never use type: ignore or any, prefer Pydantic models, use type stubs for external libraries
TypeScript best practices, type system usage, and code quality standards
Domain specialist for security operations, vulnerability management, compliance, and secure coding practices. Scope: OWASP Top 10, authentication (OAuth2, JWT, SAML, OIDC), input validation (SQLi, XSS, CSRF), secrets management, security headers, file upload security, vulnerability scanning, compliance (SOC2, GDPR, PCI-DSS). Excludes: code-level design patterns, infrastructure security, database design, performance optimization. Triggers: "security", "OWASP", "authentication", "authorization", "OAuth", "JWT", "SAML", "OIDC", "SQL injection", "XSS", "CSRF", "input validation", "secrets management", "vulnerability scan", "compliance", "SOC2", "GDPR", "security headers".
Access configured sidecar providers (health, banking, government) via WebFetch.
Deletes or archives secrets in 1Password using the op CLI. Use when the user needs to permanently remove items, archive deprecated credentials, or clean up unused secrets from 1Password vaults. Supports both permanent deletion and archiving for later recovery.
Expert knowledge in implementing secure web applications and protecting against common vulnerabilities. Covers OWASP Top 10, authentication and authorization, data protection, Content Security Policy (CSP), HTTPS/TLS, input validation, secure dependencies, and API security. Use when implementing security features or addressing security vulnerabilities.
