Testing & Security

QA, penetration testing, and code quality.

security
0

system-security

This skill should be used when implementing authentication, authorization, API security, or securing systems. It provides guidance on authentication methods (JWT, OAuth 2.0), authorization models (RBAC, ABAC, ACL), and API security techniques (rate limiting, CORS, injection prevention).

thependalorian
testing-security
open
security
0

moai-core-env-security

Environment variable security, secrets management, and secure credential handling for MoAI-ADK projects

jg-chalk-io
testing-security
open
security
0

security-scanner

Comprehensive security scanning for SAST, secrets, OWASP vulnerabilities, container and IaC security

nikhillinit
testing-security
open
security
0

using-loaded-knowledge

MANDATORY protocol enforcing knowledge check before EVERY response - prevents explaining systems without reading docs, claiming without verification, and ignoring auto-loaded context

adilkalam
testing-security
open
security
0

security-audit-checklist

Provides exhaustive security vulnerability checklists with severity classifications, point deductions, and detection commands. Use when performing security audits, code reviews, penetration testing preparation, or checking OWASP compliance.

mgd34msu
testing-security
open
security
0

token-usage

Check token/context usage in the session. Triggers: token usage, ile tokenów, ile zostało

kmylpenter
testing-security
open
security
0

security-scanning

Security scanning tools (gosec, govulncheck). Use when running security analysis.

IvanTorresEdge
testing-security
open
security
0

log-entity-actions

Security pattern for implementing security logging and audit trails. Use when designing logging systems for security events, implementing non-repudiation, creating audit trails, or addressing security monitoring and incident response needs. Addresses "Entity repudiates action request" problem.

igbuend
testing-security
open
security
0

injection-hunter

Hunt for injection vulnerabilities including SQL injection, command injection, XSS, SSTI, path traversal, LDAP injection, and other input validation flaws. Use when auditing code that processes user input.

MAF2414
testing-security
open
security
0

random-hash

Generate salted hash URLs with QR codes displayed in terminal. Use when user wants to create a unique URL with a random salt appended to an identifier, or needs a QR code linking to a user profile page. Triggers on /random-hash commands.

erikdrouhard
testing-security
open
security
0

dos-resource-exhaustion

Find denial of service vulnerabilities through resource exhaustion, algorithmic complexity, memory exhaustion, and file/network resource abuse. Use when auditing code for availability issues.

MAF2414
testing-security
open
security
0

secure

Find and fix security issues before they become incidents. Vulnerability scanning, SBOM generation, supply chain security, and secure authentication workflows.

adaptive-enforcement-lab
testing-security
open
security marketplace
0

quantum-signing

Use when implementing quantum-resistant cryptographic signing. Triggers: "quantum signing", "ML-DSA", "post-quantum", "operation signing", "quantum-resistant". NOT for: Standard encryption or non-cryptographic integrity checks.

pagerguild
testing-security
open
security
0

iam-migration-validation

Automated post-migration validation for iam-migration (ETBC to IAM). Use when designing or executing verification that legacy ETBC users can log in to the portal, permissions are consistent, and app/menu mappings are correct across iam-management-service, iam-auth-center-service, APISIX, and portal-front.

LLLLimbo
testing-security
open
security
0

macos-security

Security review for macOS apps. Checks Notarization, Hardened Runtime, Sandbox, and code signing. Use when: asked about macOS, notarization (公証), Notarization, Sandbox, or signing (署名).

miyakawa2449
testing-security
open
security
0

security

Security and data protection guidelines for RawDrive. Use when implementing authentication, handling user data, validating inputs, or reviewing security-sensitive code.

veerababumanyam
testing-security
open
security
0

security-auth

Authentication and security patterns for EFT-Tracker using NextAuth. Covers password reset, session management, CSRF protection, and security reviews. Activates when user mentions: auth, authentication, password, NextAuth, session, security, login, logout, CSRF, rate limit, token, JWT.

tuckerandrew21
testing-security
open
security
0

rpt-permissions

Configure RPT token exchange and permission-based authorization for affolterNET.Web.Bff. Use when setting up Keycloak permissions, resource policies, or fine-grained access control.

Mcafee123
testing-security
open
security
0

1password

Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.

HarleyCoops
testing-security
open
security
0

authentication

Authentication patterns for JWT, sessions, OAuth, MFA, and secure auth flows. Trigger: When implementing authentication, when setting up JWT tokens, when building login flows, when integrating OAuth providers, when implementing password reset, when adding MFA.

Dsantiagomj
testing-security
open
security
0

wa-security-review

Conduct a focused security audit based on the Well-Architected Framework Security pillar. Use when user says "security review", "wa security", or "security audit". Analyzes authentication, authorization, data protection, input validation, and secrets management.

brendankowitz
testing-security
open
security
0

security-stance-analyzer

Analyzes the security posture of systems, codebases, and infrastructure. Examines authentication, authorization, data protection, network security, dependency vulnerabilities, secrets management, and compliance. Use when assessing security risks, performing security audits, or evaluating defensive measures.

gurdiga
testing-security
open
security
0

keycloak-administration

Provides comprehensive KeyCloak administration guidance including realm management, user/group administration, client configuration, authentication flows, identity brokering, authorization policies, security hardening, and troubleshooting. Covers SSO configuration, SAML/OIDC setup, role-based access control (RBAC), user federation (LDAP/AD), social login integration, multi-factor authentication (MFA), and high availability deployments. Use when configuring KeyCloak, setting up SSO, managing realms and clients, troubleshooting authentication issues, implementing RBAC, or when users mention "KeyCloak", "SSO", "OIDC", "SAML", "identity provider", "IAM", "authentication flow", "user federation", "realm configuration", or "access management".

DauQuangThanh
testing-security
open
security
0

draconian-rls-audit

Default-Deny security posture for Supabase. Mandates strict RLS and 'WITH CHECK' clauses.

cityfish91159
testing-security
open