Identifies error-prone APIs, dangerous configurations, and footgun designs that enable security mistakes. Use when reviewing API designs, configuration schemas, cryptographic library ergonomics, or evaluating whether code follows 'secure by default' and 'pit of success' principles. Triggers: footgun, misuse-resistant, secure defaults, API usability, dangerous configuration.
Enterprise SSRF Security Protection with AI-powered request validation, Context7 integration, and intelligent URL filtering for web application security
Scans git repositories for hardcoded secrets, credentials, and API keys using Gitleaks. Returns findings with severity, location, and remediation steps. Use when user asks to "scan for secrets", "detect credentials", "find API keys", "check for leaks", "シークレット検出", "認証情報スキャン".
Use when configuring ALTO settings including arbiter thresholds, permissions, or verification hooks. Applies during setup orchestrator "Configure ALTO" selection, build orchestrator checkpoints, or when user requests configuration changes.
Complete 1Password CLI (op) for managing secrets, credentials, and secure storage. Use when working with: (1) Retrieving passwords, API keys, and secrets from vaults, (2) Managing items, documents, and secure notes, (3) Injecting secrets into environment variables and config files, (4) Automating credential rotation and management, (5) Accessing SSH keys and certificates, (6) Vault and item CRUD operations, (7) Secret references for CI/CD pipelines, (8) User and group management.
Autonomous validation of authentication security. Checks password hashing, cookie configuration, CSRF protection, and session management for OWASP compliance.
Comprehensive guide for implementing Fullstory's User Identification API (setIdentity) across web applications. Teaches proper uid handling, property passing, re-identification behavior, and session management. Includes detailed good/bad examples for login flows, multi-account scenarios, and SPA applications to help developers correctly identify users for analytics and session replay.
Validates PopKit security posture using concrete vulnerability patterns, automated secret scanning, and OWASP-aligned checklists
Mandatory session close-out with IG audit, AAR, HISTORIAN, and RELEASE_MANAGER. Enforces clean session handoff.
macOS MDM with auth manifolds as cobordisms for credential derivation
API security hardening patterns. Use when implementing rate limiting, input validation, CORS configuration, API key management, request throttling, or protecting endpoints from abuse. Covers defense-in-depth strategies for REST APIs with practical implementations for Express, FastAPI, and serverless.
Meticulous Matt is the Auditor and Security Consultant. Reports ALL issues, no matter how small. Scopes out security risks a mile away - reviews plans and implementations for vulnerabilities. Compulsively honest, documents everything in beads. Can audit skills and user code. Invoke: "Matt, review this" or "Matt, security review this plan".
Analyzes SMACK policy files for correctness, label conflicts, and access control issues. Verifies mandatory access control rules.
Implement authentication and authorization with Better Auth - a framework-agnostic TypeScript authentication framework. Features include email/password authentication with verification, OAuth providers (Google, GitHub, Discord, etc.), two-factor authentication (TOTP, SMS), passkeys/WebAuthn support, session management, role-based access control (RBAC), rate limiting, and database adapters. Use when adding authentication to applications, implementing OAuth flows, setting up 2FA/MFA, managing user sessions, configuring authorization rules, or building secure authentication systems for web applications.
Maps security requirements to implementation. Coordinates compliance against FIPS 140-3, OCF, CommonCriteria, and Tizen specification.
セキュリティ脆弱性を自動検出する。認証情報のハードコード、コマンドインジェクション、危険なシェル構文などをチェック。
Implement client-side security measures including Content Security Policy, input sanitization, XSS prevention, and secure data handling. Use when handling user input, displaying dynamic content, or storing sensitive data.
Validates OSCAL System Security Plan documents against NIST 800-18 Rev 1 requirements and FedRAMP baselines. Identifies missing elements, quality issues, and provides remediation guidance for achieving ATO compliance.
Validate security findings from commit-security-scan by assessing exploitability, filtering false positives, and generating proof-of-concept exploits. Use after running commit-security-scan to confirm vulnerabilities.
Open a headless browser authenticated with Aircall staging credentials for localhost development
Implement secure authentication systems including signup, signin, password hashing, JWT tokens, and Better Auth integration.
