Implement authentication with Scalekit for web applications, APIs, and MCP servers. Supports full-stack auth, modular SSO (SAML/OIDC), and MCP OAuth 2.1. Handles login, SSO, session management, token validation, and enterprise identity providers. Works with Node.js, Express, Next.js, Python, FastAPI, and MCP servers. Use when implementing authentication, adding SSO, securing APIs, or protecting MCP servers.
Secure credential handling using macOS Keychain. Use when working with API keys, passwords, tokens, or any sensitive data. Triggers: 'API key', 'credentials', 'secret', 'password', 'token', 'authenticate'.
Scan code for security vulnerabilities. Use after implementation changes.
OAuth 2.1 compliance checklist for authorization servers. Use when implementing OAuth 2.1 beyond OpenID Connect Basic OP requirements, verifying OAuth 2.1 specific features, or understanding differences from OAuth 2.0. Covers all OAuth 2.1 draft-ietf-oauth-v2-1-14 requirements not in Basic OP.
Use when OAuth tokens expire frequently, need automatic token refresh, YouTube/Google API integration, or when workflows fail due to expired credentials
Apply the Agent OS standard for global validation.
iOSアプリのコード署名・プロビジョニング支援。証明書管理、Provisioning Profile管理、Keychain設定、CI/CD環境での署名設定など、コード署名に関する包括的なサポートを提供する。「署名エラーを解決したい」「証明書を更新したい」「CIで署名を設定したい」と言った時に使用する。
OAuth 2.1 Token Endpoint implementation guide. Use when implementing token endpoint requirements beyond OpenID Connect, including grant types, token response format, Cache-Control headers, CORS support, and error handling. Covers OAuth 2.1 Section 3.2 and Section 4 requirements.
Security pattern for implementing access control and authorization. Use when designing permission systems, implementing RBAC/ABAC, preventing unauthorized access, addressing privilege escalation, or ensuring users can only perform allowed actions on permitted resources. Addresses "Entity performs disallowed action" problem.
Validate workflows and node requests against Genfeed OSS core scope. Ensures only OSS-included nodes are used and flags Cloud-only features. Use before implementing workflows or when users request new nodes.
SSO integration guidance for fort-nix services. Use when adding authentication to a service, choosing an SSO mode, configuring oauth2-proxy, or troubleshooting auth issues. Triggers on fort.cluster.services sso config, oauth2-proxy setup, OIDC integration, or auth header injection.
Authenticate to web app and verify session state with Chrome DevTools session sharing
Security pattern for delegating cryptographic operations and key management to an external service. Use when designing systems that should not possess cryptographic keys directly. Implementation of Cryptographic Key Management pattern. Examples include Android Keystore, iOS KeyChain, AWS KMS, Azure Key Vault, Google Cloud KMS. Reduces risk of key leakage and cipher misconfiguration.
validation audit quality check startup initialization integrity
CROSS-CUTTING: Security patterns and best practices for ALL PACT phases. Provides OWASP Top 10 guidance, authentication/authorization patterns, input validation, secure coding practices, secrets management, and security testing checklists. Use when: implementing authentication, handling user input, storing secrets, designing authorization, reviewing code for vulnerabilities, planning security tests.
Automatically refresh AWS SSO authentication tokens when encountering expiration errors. Use when AWS MCP tools fail due to expired SSO sessions.
Debug CSRF token issues and authentication problems including 403 Forbidden errors, cookie issues, JWT tokens, OAuth flows, and session management. Use when troubleshooting CSRF verification failed, 403 errors on POST requests, login not working, or token refresh issues.
Design and implement secure admin APIs in Next.js 16 with hardened security, RBAC, CSRF protection, tenant isolation, and audit logging. Use when creating new admin API routes, implementing security controls, or ensuring API compliance with corporate security standards.
Create security zones and assign rights to profiles. Use when registering controllers.
Use this skill when working with the 1Password CLI (`op` command) for secrets management, retrieving API keys, injecting secrets into development environments, or any task involving 1Password vault operations. Triggers on: "1password", "op command", "secrets management", "api keys from vault", "op run", "op read", "service account token".
