Supabase
CloudCommonly used with
Skills using Supabase (479)
drizzle-orm-expert
Expert in Drizzle ORM for TypeScript — schema design, relational queries, migrations, and serverless database integration. Use when building type-safe database layers with Drizzle.
clerk-migration-deep-dive
Migrate from other authentication providers to Clerk. Use when migrating from Auth0, Firebase, Supabase Auth, NextAuth, or custom authentication solutions. Trigger with phrases like "migrate to clerk", "clerk migration", "switch to clerk", "auth0 to clerk", "firebase auth to clerk".
shipwright-pipeline
Autonomous app builder that converts plain-English descriptions into fully built, tested applications. Use when the user wants to build a new app, scaffold a project, generate a full-stack application, or create an app from a description. Trigger with "build me an app", "create a new app", "shipwright build", "scaffold a project", "generate an application".
supabase-advanced-troubleshooting
Deep Supabase diagnostics: pg_stat_statements for slow queries, lock debugging with pg_locks, connection leak detection, RLS policy conflicts, Edge Function cold starts, and Realtime connection drop analysis. Use when standard troubleshooting fails, investigating performance regressions, debugging race conditions, or building evidence for Supabase support escalation. Trigger: "supabase deep debug", "supabase slow query", "supabase lock contention", "supabase connection leak", "supabase RLS conflict", "supabase cold start".
supabase-architecture-variants
Implement Supabase across different app architectures: Next.js SSR with server components using service_role and client components with anon key, SPA (React/Vue), mobile (React Native), serverless (Edge Functions), and multi-tenant with schema-per-tenant or RLS isolation. Use when choosing how to integrate Supabase into your specific stack, setting up SSR auth flows, configuring mobile deep links, or designing multi-tenant data isolation. Trigger with phrases like "supabase next.js", "supabase SSR", "supabase react native", "supabase SPA", "supabase serverless", "supabase multi-tenant", "supabase server component", "supabase architecture", "supabase service_role server".
supabase-auth-storage-realtime-core
Implement Supabase Auth (signUp, signIn, OAuth, session management), Storage (upload, download, signed URLs, bucket policies), and Realtime (Postgres changes, broadcast, presence). Use when building user auth flows, file upload features, or live-updating UIs with Supabase. Trigger with phrases like "supabase auth", "supabase storage upload", "supabase realtime subscribe", "supabase oauth", "supabase file upload", "supabase presence", "supabase rls storage".
supabase-ci-integration
Configure Supabase CI/CD pipelines with GitHub Actions: link projects, push migrations, deploy Edge Functions, generate types, and run tests against local Supabase instances. Use when setting up CI pipelines for Supabase, automating database migrations, deploying Edge Functions in CI, or running integration tests. Trigger with phrases like "supabase CI", "supabase GitHub Actions", "supabase deploy pipeline", "CI supabase migrations", "supabase preview branches".
supabase-common-errors
Diagnose and fix Supabase errors across PostgREST, PostgreSQL, Auth, Storage, and Realtime. Use when encountering error codes like PGRST301, 42501, 23505, or auth failures. Use when debugging failed queries, RLS policy violations, or HTTP 4xx/5xx responses. Trigger with "supabase error", "fix supabase", "PGRST", "supabase 403", "RLS not working", "supabase auth error", "unique constraint", "foreign key violation".
supabase-cost-tuning
Optimize Supabase costs through plan selection, database tuning, storage cleanup, connection pooling, and Edge Function optimization. Use when analyzing Supabase billing, reducing costs, right-sizing compute, or implementing usage tracking and budget alerts. Trigger with phrases like "supabase cost", "supabase billing", "reduce supabase costs", "supabase pricing", "supabase expensive", "supabase budget".
supabase-data-handling
Implement GDPR/CCPA compliance with Supabase: RLS for data isolation, user deletion via auth.admin.deleteUser(), data export via SQL, PII column management, backup/restore workflows, and retention policies. Use when handling sensitive data, implementing right-to-deletion, configuring data retention, or auditing PII in Supabase database columns. Trigger: "supabase GDPR", "supabase data handling", "supabase PII", "supabase compliance", "supabase data retention", "supabase delete user", "supabase data export".
supabase-debug-bundle
Collect Supabase diagnostic info for troubleshooting and support tickets. Use when debugging connection failures, auth issues, Realtime drops, Storage errors, RLS misconfigurations, or preparing a support escalation. Trigger: "supabase debug", "supabase diagnostics", "supabase support bundle", "collect supabase logs", "debug supabase connection".
supabase-deploy-integration
Deploy and manage Supabase projects in production. Covers database migrations, Edge Functions deployment, secrets management, zero-downtime rollouts, blue/green branching, rollback procedures, and post-deploy health checks. Use when deploying Supabase to production, running migrations, deploying Edge Functions, managing secrets, or implementing zero-downtime deployments. Trigger: "deploy supabase", "supabase migration push", "deploy edge function", "supabase rollback", "supabase blue green", "supabase health check".
supabase-enterprise-rbac
Implement custom role-based access control via JWT claims in Supabase: app_metadata.role, RLS policies with auth.jwt() ->> 'role', organization-scoped access, and API key scoping. Use when implementing role-based permissions, configuring organization-level access, building admin/member/viewer hierarchies, or scoping API keys per role. Trigger: "supabase RBAC", "supabase roles", "supabase permissions", "supabase JWT claims", "supabase organization access", "supabase custom roles", "supabase app_metadata".
supabase-hello-world
Run your first Supabase query — insert a row and read it back. Use when starting a new Supabase project, verifying your connection works, or learning the basic insert-then-select pattern with @supabase/supabase-js. Trigger with phrases like "supabase hello world", "first supabase query", "supabase quick start", "test supabase connection", "supabase insert and select".
supabase-incident-runbook
Execute Supabase incident response: dashboard health checks, connection pool status, pg_stat_activity queries, RLS debugging, Edge Function logs, storage health, and escalation. Use when responding to Supabase outages, investigating production errors, debugging connection issues, or preparing evidence for Supabase support escalation. Trigger: "supabase incident", "supabase outage", "supabase down", "supabase on-call", "supabase emergency", "supabase broken", "supabase connection issues".
supabase-install-auth
Install and configure Supabase SDK, CLI, and project authentication. Use when setting up a new Supabase project, installing @supabase/supabase-js, configuring environment variables, or initializing the Supabase client. Trigger with "install supabase", "setup supabase", "supabase auth config", "configure supabase", "supabase init", "add supabase to project".
supabase-known-pitfalls
Avoid and fix the most common Supabase mistakes: exposing service_role key in client bundles, forgetting to enable RLS, not using connection pooling in serverless, .single() throwing on empty results, missing .select() after insert/update, not destructuring { data, error }, creating multiple client instances, and not using generated types. Use when reviewing Supabase code, onboarding developers, auditing an existing project, or debugging unexpected behavior. Trigger with phrases like "supabase mistakes", "supabase anti-patterns", "supabase pitfalls", "supabase code review", "supabase gotchas", "supabase debugging", "what not to do supabase", "supabase common errors".
supabase-load-scale
Scale Supabase projects for production load: read replicas, connection pooling tuning via Supavisor, compute size upgrades, CDN caching for Storage, Edge Function regional deployment, and database table partitioning. Use when preparing for traffic spikes, optimizing connection limits, setting up read replicas for analytics queries, or partitioning large tables. Trigger with phrases like "supabase scale", "supabase read replica", "supabase connection pooling", "supabase compute upgrade", "supabase CDN storage", "supabase edge function regions", "supabase partitioning", "supavisor", "supabase pool mode".
supabase-local-dev-loop
Configure Supabase local development with the CLI, Docker, and migration workflow. Use when initializing a Supabase project locally, starting the local stack, writing migrations, seeding data, or iterating on schema changes. Trigger with phrases like "supabase local dev", "supabase start", "supabase init", "supabase db reset", "supabase local setup".
supabase-migration-deep-dive
Database migration patterns with Supabase CLI: npx supabase migration new, zero-downtime migrations, data backfill strategies, schema versioning, rollback strategies, and type generation. Use when creating database migrations, performing zero-downtime schema changes, backfilling data in production, managing schema versions, or planning rollback strategies. Trigger: "supabase migration", "supabase schema change", "supabase zero downtime", "supabase rollback", "supabase db push", "supabase migration new".
supabase-multi-env-setup
Configure Supabase across development, staging, and production with separate projects, environment-specific secrets, and safe migration promotion. Use when setting up multi-environment deployments, isolating dev from prod data, configuring per-environment Supabase projects, or promoting migrations through environments. Trigger: "supabase environments", "supabase staging", "supabase dev prod", "supabase multi-project", "supabase env config", "database branching".
supabase-observability
Set up monitoring and observability for Supabase projects using Dashboard reports, CLI inspect commands, pg_stat_statements, log drains, and alerting. Use when implementing monitoring, diagnosing slow queries, forwarding logs, or configuring alerts for Supabase project health. Trigger with phrases like "supabase monitoring", "supabase metrics", "supabase observability", "supabase logs", "supabase alerts", "supabase inspect", "supabase log drain".
supabase-performance-tuning
Optimize Supabase query performance with indexes, EXPLAIN ANALYZE, connection pooling, column selection, pagination, RPC functions, materialized views, and diagnostics. Use when queries are slow, connections are exhausted, response payloads are bloated, or when preparing a Supabase project for production-scale traffic. Trigger with phrases like "supabase performance", "supabase slow queries", "optimize supabase", "supabase index", "supabase connection pool", "supabase pagination", "supabase explain analyze".
supabase-policy-guardrails
Enforce organizational governance for Supabase projects: shared RLS policy library with reusable templates, table and column naming conventions, migration review process with CI checks, cost alert thresholds, and security audit scripts scanning for common misconfigurations. Use when establishing Supabase standards across teams, creating RLS policy templates, setting up migration review workflows, or auditing existing projects for security and cost issues. Trigger with phrases like "supabase governance", "supabase policy library", "supabase naming convention", "supabase migration review", "supabase cost alert", "supabase security audit", "supabase RLS template".
supabase-prod-checklist
Execute Supabase production deployment checklist covering RLS, key hygiene, connection pooling, backups, monitoring, Edge Functions, and Storage policies. Use when deploying to production, preparing for launch, or auditing a live Supabase project for security and performance gaps. Trigger with "supabase production", "supabase go-live", "supabase launch checklist", "supabase prod ready", "deploy supabase", "supabase production readiness".
supabase-rate-limits
Manage Supabase rate limits and quotas across all plan tiers. Use when hitting 429 errors, configuring connection pooling, optimizing API throughput, or understanding tier-specific quotas for Auth, Storage, Realtime, and Edge Functions. Trigger: "supabase rate limit", "supabase 429", "supabase throttle", "supabase quota", "supabase connection pool", "supabase too many requests".
supabase-reference-architecture
Implement enterprise Supabase reference architectures — monorepo layout, multi-tenant RLS, microservices with cross-project access, framework integration, edge functions, caching, queue patterns, and audit logging. Use when designing a new Supabase project from scratch, reviewing project structure for production readiness, planning multi-tenant isolation, or establishing team architecture standards. Trigger with phrases like "supabase architecture", "supabase project structure", "supabase monorepo", "supabase multi-tenant", "supabase reference design", "how to organize supabase at scale".
supabase-reliability-patterns
Build resilient Supabase integrations: circuit breakers wrapping createClient calls, offline queue with IndexedDB, graceful degradation with cached fallbacks, health check endpoints, retry with exponential backoff and jitter, and dual-write patterns for critical data. Use when building fault-tolerant apps, handling Supabase outages gracefully, implementing offline-first patterns, or adding retry logic to SDK calls. Trigger with phrases like "supabase circuit breaker", "supabase offline", "supabase retry", "supabase health check", "supabase fallback", "supabase resilience", "supabase dual write", "supabase outage".
supabase-schema-from-requirements
Design Supabase Postgres schema from business requirements with migrations, RLS, and types. Use when translating specifications into database tables, creating migration files, adding Row Level Security policies, or generating TypeScript types from schema. Trigger with phrases like "supabase schema", "design database supabase", "schema from requirements", "supabase migration", "supabase tables from spec".
supabase-sdk-patterns
Apply production-ready Supabase SDK patterns for TypeScript and Python projects. Use when implementing queries, auth, realtime, storage, or RPC calls with @supabase/supabase-js or supabase-py. Trigger with phrases like "supabase SDK patterns", "supabase query", "supabase typescript", "supabase python", "supabase client setup", "supabase realtime", "supabase auth", "supabase storage".
supabase-security-basics
Apply Supabase security best practices: anon vs service_role key separation, RLS enforcement, policy patterns, JWT verification, and API hardening. Use when securing a Supabase project, auditing API key usage, implementing Row Level Security, or running a production security checklist. Trigger with phrases like "supabase security", "supabase RLS", "secure supabase", "supabase API key", "supabase hardening", "row level security", "service role key".
supabase-upgrade-migration
Upgrade Supabase SDK and CLI versions with breaking-change detection and automated code migration. Use when upgrading @supabase/supabase-js (v1→v2 or minor bumps), migrating auth/realtime/storage APIs, or updating the Supabase CLI. Trigger with phrases like "upgrade supabase", "supabase breaking changes", "migrate supabase v2", "update supabase SDK".
supabase-webhooks-events
Implement Supabase database webhooks, pg_net async HTTP, LISTEN/NOTIFY, and Edge Function event handlers with signature verification. Use when setting up database webhooks for INSERT/UPDATE/DELETE events, sending HTTP requests from PostgreSQL triggers, handling Realtime postgres_changes as an event source, or building event-driven architectures. Trigger with phrases like "supabase webhook", "database events", "pg_net trigger", "supabase LISTEN NOTIFY", "webhook signature verify", "supabase event-driven", "supabase_functions.http_request".
moai-domain-database
Database specialist covering PostgreSQL, MongoDB, Redis, Oracle, and cloud database platforms (Neon, Supabase, Firestore). Use for schema design, query optimization, indexing strategies, data modeling, or cloud database selection. Cloud vendor guide absorbed from moai-platform-database-cloud.
moai-platform-database-cloud
Cloud database platform specialist covering Neon (serverless PostgreSQL), Supabase (PostgreSQL 16 with real-time), and Firebase Firestore (NoSQL with offline sync). Use when choosing or setting up cloud databases.
cc-skill-backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
clarvia-aeo-check
Score any MCP server, API, or CLI for agent-readiness using Clarvia AEO (Agent Experience Optimization). Search 15,400+ indexed tools before adding them to your workflow.
comfyui-gateway
REST API gateway for ComfyUI servers. Workflow management, job queuing, webhooks, caching, auth, rate limiting, and image delivery (URL + base64).
drizzle-orm-expert
Expert in Drizzle ORM for TypeScript — schema design, relational queries, migrations, and serverless database integration. Use when building type-safe database layers with Drizzle.
expo-api-routes
Guidelines for creating API routes in Expo Router with EAS Hosting
nextjs-supabase-auth
Expert integration of Supabase Auth with Next.js App Router
supabase-automation
Automate Supabase database queries, table management, project administration, storage, edge functions, and SQL execution via Rube MCP (Composio). Always search tools first for current schemas.
trigger-dev
Trigger.dev expert for background jobs, AI workflows, and reliable async execution with excellent developer experience and TypeScript-first design.
vercel-deployment
Expert knowledge for deploying to Vercel with Next.js
database-schema
Schema awareness - read before coding, type generation, prevent column errors
project-tooling
gh, vercel, supabase, render CLI and deployment platform setup
security
OWASP security patterns, secrets management, security testing
cc-skill-project-guidelines-example
Project Guidelines Skill (Example)
credentials
Centralized API key management from Access.txt
postgres-best-practices
Postgres performance optimization and best practices from Supabase. Use this skill when writing, reviewing, or optimizing Postgres queries, schema designs, or database configurations.
context-budget
Audits Claude Code context window consumption across agents, skills, MCP servers, and rules. Identifies bloat, redundant components, and produces prioritized token-savings recommendations.
data-scraper-agent
Build a fully automated AI-powered data collection agent for any public source — job boards, prices, news, GitHub, sports, anything. Scrapes on a schedule, enriches data with a free LLM (Gemini Flash), stores results in Notion/Sheets/Supabase, and learns from user feedback. Runs 100% free on GitHub Actions. Use when the user wants to monitor, collect, or track any public data automatically.
documentation-lookup
Use up-to-date library and framework docs via Context7 MCP instead of training data. Activates for setup questions, API references, code examples, or when the user names a framework (e.g. React, Next.js, Prisma).
knowledge-ops
Knowledge base management, ingestion, sync, and retrieval across multiple storage layers (local files, MCP memory, vector stores, Git repos). Use when the user wants to save, organize, sync, deduplicate, or search across their knowledge systems.
auth-patterns
This skill should be used when the user asks about "authentication in Next.js", "NextAuth", "Auth.js", "middleware auth", "protected routes", "session management", "JWT", "login flow", or needs guidance on implementing authentication and authorization in Next.js applications.
supabase-automation
Automate Supabase database queries, table management, project administration, storage, edge functions, and SQL execution via Rube MCP (Composio). Always search tools first for current schemas.
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
stripe-integration
Get paid from day one. Payments, subscriptions, billing portal, webhooks, metered billing, Stripe Connect. The complete guide to implementing Stripe correctly, including all the edge cases that will bite you at 3am. This isn't just API calls - it's the full payment system: handling failures, managing subscriptions, dealing with dunning, and keeping revenue flowing. Use when: stripe, payments, subscription, billing, checkout.
cc-skill-project-guidelines-example
Project Guidelines Skill (Example)
agent-recall
Persistent compounding memory for AI agents. 10 MCP tools: session_start, remember, recall, session_end, check, digest, project_board, project_status, bootstrap_scan, bootstrap_import. Correction-first memory with decision trail tracking, watch_for warnings, palace rooms with salience scoring, cross-project insight matching, same-day journal merging, ambient recall hooks. Local markdown only. Zero cloud, zero telemetry, Obsidian-compatible. Optional Supabase backend: when configured via `ar setup supabase`, recall() uses pgvector cosine similarity on OpenAI/Voyage embeddings instead of keyword search — same API, semantic understanding. Gracefully degrades to local search if not configured.
inngest
Inngest expert for serverless-first background jobs, event-driven workflows, and durable execution without managing queues or workers. Use when: inngest, serverless background job, event-driven workflow, step function, durable execution.
nextjs-supabase-auth
Expert integration of Supabase Auth with Next.js App Router Use when: supabase auth next, authentication next.js, login supabase, auth middleware, protected route.
supabase-postgres-best-practices
Postgres performance optimization and best practices from Supabase. Use this skill when writing, reviewing, or optimizing Postgres queries, schema designs, or database configurations.
find-skills
Discovers, searches, and installs skills from multiple AI agent skill marketplaces (400K+ skills) using the SkillKit CLI. Supports browsing official partner collections (Anthropic, Vercel, Supabase, Stripe, and more) and community repositories, searching by domain or technology, and installing specific skills from GitHub. Use when the user wants to find, browse, or install new agent skills, plugins, extensions, or add-ons; asks 'is there a skill for X' or 'find a skill for X'; wants to explore a skill store or marketplace; needs to extend agent capabilities in areas like React, testing, DevOps, security, or APIs; or says 'browse skills', 'search skill marketplace', 'install a skill', or 'what skills are available'.
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
documentation-lookup
Use up-to-date library and framework docs via Context7 MCP instead of training data. Activates for setup questions, API references, code examples, or when the user names a framework (e.g. React, Next.js, Prisma).
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
postgres-patterns
PostgreSQL database patterns for query optimization, schema design, indexing, and security. Based on Supabase best practices.
saas-scaffolder
Generates complete, production-ready SaaS project boilerplate including authentication, database schemas, billing integration, API routes, and a working dashboard using Next.js 14+ App Router, TypeScript, Tailwind CSS, shadcn/ui, Drizzle ORM, and Stripe. Use when the user wants to create a new SaaS app, start a subscription-based web project, scaffold a Next.js application, or mentions terms like starter template, boilerplate, new project, or wiring up auth and payments.
supabase-cli
This skill should be used when user asks to "use supabase CLI", "supabase init", "supabase start", "run migrations", "deploy edge functions", "manage Supabase project", or works with the supabase command-line tool for local development and project management.
supabase-js
This skill should be used when user asks to "use supabase-js", "query Supabase database", "supabase auth", "supabase storage", "supabase realtime", "supabase edge functions", or works with the @supabase/supabase-js JavaScript/TypeScript SDK.
supabase-postgres-best-practices
Postgres performance optimization and best practices from Supabase. Use this skill when writing, reviewing, or optimizing Postgres queries, schema designs, or database configurations.
portfolio-auto
Auto-sync GitHub repos to portfolio website. Scans GitHub repos, captures screenshots with Playwright, generates project entries, and updates projects-data.js or Supabase DB. Use when user asks to "update portfolio", "sync projects", "add my repos to portfolio", or "refresh portfolio projects". Do NOT use for one-time project additions — batch sync only.
database-migrator
Migrates databases between providers (Postgres, MySQL, Supabase, PlanetScale, MongoDB). Reads source schema, generates migration scripts, handles data type mapping, foreign keys, indexes, triggers, stored procedures. Validates migration with row counts and checksums. Generates migration-plan.md with step-by-step execution guide, rollback procedures, estimated downtime.
supabase-postgres-best-practices
Postgres performance optimization and best practices from Supabase. Use this skill when writing, reviewing, or optimizing Postgres queries, schema designs, or database configurations.
jat-onboard
Onboard a new client project — analyze client docs, create knowledge bases, write Supabase migration, generate PRD and tasktree. Run after jst-new has set up the mechanical scaffolding.
prd-v05-technical-stack-selection
Determine technologies needed to build the product, making build/buy/integrate decisions during PRD v0.5 Red Team Review. Handles both greenfield and brownfield contexts. Triggers on requests to select tech stack, evaluate technologies, make build vs. buy decisions, discover existing assets, or when user asks "what technologies?", "select tech stack", "build or buy?", "what do we reuse?", "existing stack", "technical decisions", "what tools do we need?", "evaluate solutions". Consumes FEA- (features), SCR- (screens), RISK- (constraints). Outputs TECH- entries with decisions, rationale, and trade-offs. Feeds v0.6 Architecture Design.
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
postgres-patterns
PostgreSQL database patterns for query optimization, schema design, indexing, and security. Based on Supabase best practices.
project-guidelines-example
Example template for project-specific skill files covering architecture, patterns, testing, and deployment.
adapt
Adapt designs to work across different screen sizes, devices, contexts, or platforms. Implements breakpoints, fluid layouts, and touch targets. Use when the user mentions responsive design, mobile layouts, breakpoints, viewport adaptation, or cross-device compatibility.
animate
Review a feature and enhance it with purposeful animations, micro-interactions, and motion effects that improve usability and delight. Use when the user mentions adding animation, transitions, micro-interactions, motion design, hover effects, or making the UI feel more alive.
audit
Run technical quality checks across accessibility, performance, theming, responsive design, and anti-patterns. Generates a scored report with P0-P3 severity ratings and actionable plan. Use when the user wants an accessibility check, performance audit, or technical quality review.
bolder
Amplify safe or boring designs to make them more visually interesting and stimulating. Increases impact while maintaining usability. Use when the user says the design looks bland, generic, too safe, lacks personality, or wants more visual impact and character.
clarify
Improve unclear UX copy, error messages, microcopy, labels, and instructions to make interfaces easier to understand. Use when the user mentions confusing text, unclear labels, bad error messages, hard-to-follow instructions, or wanting better UX writing.
colorize
Add strategic color to features that are too monochromatic or lack visual interest, making interfaces more engaging and expressive. Use when the user mentions the design looking gray, dull, lacking warmth, needing more color, or wanting a more vibrant or expressive palette.
critique
Evaluate design from a UX perspective, assessing visual hierarchy, information architecture, emotional resonance, cognitive load, and overall quality with quantitative scoring, persona-based testing, automated anti-pattern detection, and actionable feedback. Use when the user asks to review, critique, evaluate, or give feedback on a design or component.
delight
Add moments of joy, personality, and unexpected touches that make interfaces memorable and enjoyable to use. Elevates functional to delightful. Use when the user asks to add polish, personality, animations, micro-interactions, delight, or make an interface feel fun or memorable.
distill
Strip designs to their essence by removing unnecessary complexity. Great design is simple, powerful, and clean. Use when the user asks to simplify, declutter, reduce noise, remove elements, or make a UI cleaner and more focused.
layout
Improve layout, spacing, and visual rhythm. Fixes monotonous grids, inconsistent spacing, and weak visual hierarchy. Use when the user mentions layout feeling off, spacing issues, visual hierarchy, crowded UI, alignment problems, or wanting better composition.
optimize
Diagnoses and fixes UI performance across loading speed, rendering, animations, images, and bundle size. Use when the user mentions slow, laggy, janky, performance, bundle size, load time, or wants a faster, smoother experience.
overdrive
Pushes interfaces past conventional limits with technically ambitious implementations — shaders, spring physics, scroll-driven reveals, 60fps animations. Use when the user wants to wow, impress, go all-out, or make something that feels extraordinary.
polish
Performs a final quality pass fixing alignment, spacing, consistency, and micro-detail issues before shipping. Use when the user mentions polish, finishing touches, pre-launch review, something looks off, or wants to go from good to great.
quieter
Tones down visually aggressive or overstimulating designs, reducing intensity while preserving quality. Use when the user mentions too bold, too loud, overwhelming, aggressive, garish, or wants a calmer, more refined aesthetic.
aios-data-engineer
Database Architect & Operations Engineer (Dara). Use for database design, schema architecture, Supabase configuration, RLS policies, migrations, query optimization, data modelin...
documentation-lookup
This skill should be used when the user asks about libraries, frameworks, API references, or needs code examples. Activates for setup questions, code generation involving libraries, or mentions of specific frameworks like React, Vue, Next.js, Prisma, Supabase, etc.
independent-developer-micro-saas-master
独立开发者与微型 SaaS — 单人或极小团队 (≤3 人) 构建可持续订阅收入的软件产品商业, 有别于自由职业/咨询、企业级 SaaS 和开源维护: (a) 产品发现与验证 (自己的痒 vs 市场优先 Nugent/Walling; 着陆页冒烟测试; 先接 Stripe 再写代码; JTBD 访谈适配独立开发者场景; Reddit/HN/X/社区痛点挖掘; Mom Test 验证框架; 公开构建作为验证机制); (b) 独立开发者技术架构 (无聊技术论 McKinley; 单体优先; serverless vs VPS 在 ≤$100/月预算下的取舍; Rails/Django/Laravel/Next.js 等框架的出货速度选型; 托管服务优先于自建; Supabase/PlanetScale/Neon 数据库即服务; Clerk/Auth0 认证即服务; Stripe/Paddle/LemonSqueezy 支付; Vercel/Fly.io/Railway 部署; AI 辅助编码 Cursor/Copilot 作为力量倍增器); (c) 无营销团队的分发与增长 (SEO 作为微型 SaaS 护城河; Product Hunt 发布; AppSumo 终身授权利弊; 冷邮件; Twitter/X 公开构建; IndieHackers 社区分发; 集成市场 Shopify/WordPress/Zapier/Slack 应用目录; 联盟计划; 一人内容营销); (d) 定价与变现 (SaaS 定价心理学; freemium vs 免费试用 vs 纯付费; 按席位 vs 按用量 vs 固定费率; 年付折扣; 老用户保价; 微型 SaaS 流失率控制; MRR/ARR/LTV/CAC 在微型规模的含义; $10K MRR 里程碑心理学); (e) 独立创始人心智模型与生活设计 (default alive vs default dead Graham; 拉面盈利 Levels; 生活方式生意 vs 增长生意的光谱; 独立开发者倦怠预防; 时间管理与上下文切换成本; 地理套利与远程优先; 一次构建反复销售的资产思维; 社区作为支持网络 IndieHackers/WIP/MicroConf); (f) 法务与运营基础 (公司注册地选择 LLC/Ltd/GmbH 税效; Stripe Atlas vs Firstbase
light-system-design
后端系统设计与数据库能力。当任务涉及系统架构、数据库设计、接口设计、权限/日志/异常/性能/部署时使用。设计 ER 图、数据表结构、接口文档、用户权限、数据流转、模块划分、API 规范、数据库索引、安全策略、部署方案,尤其适合科研系统、管理系统、数据分析平台、可视化平台、竞赛作品与软著项目。
vibe-build
Build your MVP following the AGENTS.md plan. Use when the user wants to start building, implement features, or says "build my MVP", "start coding", or "implement the project".
supabase-postgres-best-practices
Postgres performance optimization and best practices from Supabase. Use this skill when writing, reviewing, or optimizing Postgres queries, schema designs, or database configurations.
analyze-logs
Analyze application logs from the .evlog/logs/ directory. Use when debugging errors, investigating slow requests, understanding request patterns, or answering questions about application behavior. Reads structured NDJSON wide events written by evlog's file system drain.
data-sanity
Layer C of spectra pre-handoff quality gates. Static audit for the data-shape failure class where a client query param literal violates the server zod schema bound (e.g. perPage: 200 vs max(100)) → silent 4xx → lookup map empties → admin list column collapses to a uniform fallback. Use during /spectra-apply Design Review and before /spectra-archive, or ad-hoc on any change that touches paginated queries + lookup-resolved columns.
document-writer
Use when writing blog posts or documentation markdown files - provides writing style guide (active voice, present tense), content structure patterns, and MDC component usage. Overrides brevity rules for proper grammar. Use nuxt-content for MDC syntax, nuxt-ui for component props.
handoff
Session 交接管理。雙模:(A) 當前 chat session 有 in-progress 工作時,只做交接寫入(升級未完項到 HANDOFF.md / tech-debt / ROADMAP / spectra change)。(B) 當前 chat session 沒有要交辦的時,整理現有 HANDOFF.md + 評估剩餘 outstanding 工作適合串行還是並行,推薦並讓使用者用 request_user_input 選擇下一步。「Session」指當前 chat session,**不是** working tree / git state — user 並行多 session 工作,git 髒污可能來自別 session。Use when user types /handoff.
harden
Improve interface resilience through better error handling, i18n support, text overflow handling, and edge case management. Makes interfaces robust and production-ready.
motion
Use when adding animations with Motion Vue (motion-v) - provides motion component API, gesture animations, scroll-linked effects, layout transitions, and composables for Vue 3/Nuxt
nuxt
Use when working on Nuxt 4+ projects — server routes, routing, middleware, composables, h3 v1 helpers, nitropack v2. Updated for Nuxt 4.3+.
nuxt-better-auth
Use when implementing auth in Nuxt apps with @onmax/nuxt-better-auth - provides useUserSession composable, server auth helpers, route protection, and Better Auth plugins integration.
nuxt-content
Use when working with Nuxt Content v3, markdown content, or CMS features in Nuxt - provides collections (local/remote/API sources), queryCollection API, MDC rendering, database configuration, NuxtStudio integration, hooks, i18n patterns, and LLMs integration
nuxt-modules
Use when creating Nuxt modules: (1) Published npm modules (@nuxtjs/, nuxt-), (2) Local project modules (modules/ directory), (3) Runtime extensions (components, composables, plugins), (4) Server extensions (API routes, middleware), (5) Releasing/publishing modules to npm, (6) Setting up CI/CD workflows for modules. Provides defineNuxtModule patterns, Kit utilities, hooks, E2E testing, and release automation.
nuxthub
Use when building NuxtHub v0.10.6 applications - provides database (Drizzle ORM with sqlite/postgresql/mysql), KV storage, blob storage, and cache APIs. Covers configuration, schema definition, migrations, multi-cloud deployment (Cloudflare, Vercel), and the new hub:db, hub:kv, hub:blob virtual module imports.
pinia
Pinia official Vue state management library, type-safe and extensible. Use when defining stores, working with state/getters/actions, or implementing store patterns in Vue apps.
reka-ui
Use when building with Reka UI (headless Vue components) - provides component API, accessibility patterns, composition (asChild), controlled/uncontrolled state, virtualization, and styling integration. Formerly Radix Vue.
review-logging-patterns
Review code for logging patterns and suggest evlog adoption. Guides setup on Nuxt, Next.js, SvelteKit, Nitro, TanStack Start, React Router, NestJS, Express, Hono, Fastify, Elysia, Cloudflare Workers, and standalone TypeScript. Detects console.log spam, unstructured errors, and missing context. Covers wide events, structured errors, drain adapters (Axiom, OTLP, HyperDX, PostHog, Sentry, Better Stack, Datadog), sampling, enrichers, and AI SDK integration (token usage, tool calls, streaming metrics, telemetry integration, cost estimation, embedding metadata).
review-readiness-scan
掃描 openspec/changes/ 各 change 的 manual-review 區塊,判斷哪些已 ready for 人工檢查、哪些被 Pre-Review Data Readiness pattern 命中(alert)尚未 ready,並把結果登記到 HANDOFF.md。Use when 使用者說「掃 review readiness」「review:ui 哪些 ready」「scan manual review alerts」「批次人工檢查前先看哪些 ready」「找出 review:ui 的 alert」。不適用於單一 change 內逐項 review(那走 `pnpm review` GUI,從 clade home 跑)。
cc-skill-backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
session-memory
Manages cross-session learning and memory persistence. Use when user mentions 前回何をした, 履歴, 過去の作業, セッション記録, continue from before, session history. Do NOT load for: 実装作業, レビュー, 一時的な情報.
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
supabase-postgres-best-practices
Postgres performance optimization and best practices from Supabase. Use this skill when writing, reviewing, or optimizing Postgres queries, schema designs, or database configurations.
commit
依功能分類變更並逐步完成 commit,遵循 commitlint 規範
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
postgres-patterns
PostgreSQL database patterns for query optimization, schema design, indexing, and security. Based on Supabase best practices.
postgres-best-practices
Postgres performance optimization and best practices from Supabase. Use this skill when writing, reviewing, or optimizing Postgres queries, schema designs, or database configurations.
security-engineer
SEOcrawler security vulnerability scanner and hardening specialist covering code analysis, dependency audits, and infrastructure review.
build-audit-logs
Build or review audit trails in TypeScript/JavaScript apps using evlog (pipelines, typed actions, denials, retention, compliance-style reviews). For application code, not for extending the evlog package.
cf-crawl
Crawl entire websites using Cloudflare Browser Rendering /crawl API. Initiates async crawl jobs, polls for completion, and saves results as markdown files. Useful for ingesting documentation sites, knowledge bases, or any web content into your project context. Requires CLOUDFLARE_ACCOUNT_ID and CLOUDFLARE_API_TOKEN environment variables.
dep-upgrade
統一 dep 升級入口 — 依輸入分兩個 mode。(1) 在 consumer cwd 無參數觸發 → § Outdated batch mode:跑 pnpm outdated 後逐 pkg 派 codex 在 worktree 升版 + 驗證 + commit + 失敗升 high research。(2) 在 clade home 給 release URL / `<pkg>@<ver>` / 純 pkg name → § Fleet mode:跨 consumer 對單一 pkg sweep,自動 fetch + 解析 BC、用 dep-fleet-scan 掃命中 consumer、用 codebase-memory-mcp 定位 callsites、並行 fan-out 長駐 subagent。Use when 使用者說「升 deps」、「pnpm outdated 處理」、「處理過期套件」、「跟上 release」、「跨 consumer 升 X」、「全部 consumer 升 @xxx」、「無腦升 @xxx」、「升級套件」。**不適用於**單套件 ad-hoc 升(`pnpm add <pkg>@latest` 更快)、framework major migration(Nuxt 3→4 / Next 14→15 需專屬 plan)。Fleet mode **MUST run from clade home (`~/offline/clade`)**,受 [[clade-role-and-todo-discipline]] § upstream-driven dep migration carve-out 約束。
design
UI/UX design orchestrator — coordinates multiple design skills into plans. Use for /design new, /design improve, /design iterate. NOT for coding UI or single-skill tasks.
design-retro
分析 docs/design-review-findings.md 歷史,識別跨 spec 的重複 UI 問題模式,提出流程改善建議。spectra-archive 完成或 findings 累積 5 倍數時主動觸發。
impeccable
Use when the user wants to design, redesign, shape, critique, audit, polish, clarify, distill, harden, optimize, adapt, animate, colorize, extract, or otherwise improve a frontend interface. Covers websites, landing pages, dashboards, product UI, app shells, components, forms, settings, onboarding, and empty states. Handles UX review, visual hierarchy, information architecture, cognitive load, accessibility, performance, responsive behavior, theming, anti-patterns, typography, fonts, spacing, layout, alignment, color, motion, micro-interactions, UX copy, error states, edge cases, i18n, and reusable design systems or tokens. Also use for bland designs that need to become bolder or more delightful, loud designs that should become quieter, live browser iteration on UI elements, or ambitious visual effects that should feel technically extraordinary. Not for backend-only or non-UI tasks.
nuxt-auth-utils
Use when implementing auth in Nuxt apps with nuxt-auth-utils - provides useUserSession composable, OAuth handlers, cookie-based sessions, and route protection. Works on all deployment targets without DB dependency.
nuxt-ui
Use when building styled UI with @nuxt/ui v4 components — forms, data tables, modals, theming. Use vue for raw patterns, reka-ui for headless.
pinia-store
Pinia Store 架構規範。Use when creating app/stores/**/*.ts files, working with defineStore, managing global state, or building Pinia stores. Always use this skill for store design patterns, naming conventions, and state management architecture.
review-archive
將已完成的人工檢查項目從 tasks artifact 遷移到 docs/manual-review-archive.md,保留追溯資訊。
review-screenshot
截圖、看畫面、確認 UI、看一下頁面、幫我看 UI、review screenshot、跑檢查清單 — 統一截圖入口,派遣 screenshot-review agent(Sonnet)執行。
rls-performance
Postgres + Supabase RLS 效能診斷與優化手冊。Use when 寫/改 RLS policy、 跑 EXPLAIN ANALYZE、排查 PGRST003 pool timeout、設計 index、 優化 pagination、使用者抱怨 API 變慢、或需要診斷 connection pool 問題時。涵蓋 pg_stat_activity 診斷、角色對照、self-hosted LXC 責任模型、效能基準與事故恢復 SOP。
screenshots-archive
將已收錄到 docs/manual-review-archive.md 的 change,把對應截圖資料夾從 screenshots/<env>/<topic>/ 搬到 screenshots/<env>/_archive/YYYY-MM/<topic>/。讓 screenshots/<env>/ 頂層只剩 current pending review。觸發詞:歸檔截圖、sweep screenshots、清掉舊的截圖資料夾、screenshots archive。
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
cursor-mem
Cursorでclaude-memのMCPサーバーにアクセスし、過去のセッション記録を検索・新しい観測を記録。トリガー: 'メモリ検索', 'claude-mem', '過去の判断', '記録して', 'memory search', 'past decisions'. Do NOT load for: 通常のコーディング、一時的なメモ、実装作業。
deployment-audit-skill
Use DigitalOcean MCP and related tools to check deployment health, crash logs, environment consistency, and runtime issues for Unite-Hub / Synthex. Use when diagnosing deployment failures or verifying readiness.
expo-api-routes
Guidelines for creating API routes in Expo Router with EAS Hosting
supabase-automation
Automate Supabase database queries, table management, project administration, storage, edge functions, and SQL execution via Rube MCP (Composio). Always search tools first for current schemas.
orchestrationgencreator-stack
Catalogs, scaffolds, and audits the per-repo tech stack across every brand (Arcanea, FrankX, Business, Starlight, verticals). Four verbs — audit (walk repos + emit constellation), scaffold (drop STACK.md template into a target repo), assign (bind tools to substrate/reasoning/coding/research/ops tiers), diff (surface drift between STACK.md intent and reality from .mcp.json + .claude/ + settings.json + installed CLIs). Use this skill whenever the user mentions stack architecture, repo inventory, "which AI assistant for which repo", custom GPTs, MCP routing across brands, browser workspaces per project, or asks "do we have a clean view of our tech stack". Default skill for the Starlight Architect when the question spans repos rather than a single one.
typescript
Patterns and conventions for all TypeScript code. Use this skill whenever writing or reviewing TypeScript, naming identifiers, typing exports, choosing between type and interface, using Zod schemas, structuring function parameters, or enforcing code patterns like avoiding switch statements and enums.
building-saas
Build a SaaS company from idea to scale — product development, architecture decisions, pricing, hiring sequence, fundraising stages, and operational infrastructure. Use when starting a SaaS, scaling from $0 to $10M ARR, making build-vs-buy decisions, or designing the technical and operational foundation of a software business. Triggers on: "build a SaaS", "start a SaaS", "SaaS architecture", "SaaS startup", "build software business", "SaaS from scratch", "tech stack for SaaS", or any request about building a software company.
database-optimizer
Expert database specialist focusing on schema design, query optimization, indexing strategies, and performance tuning for PostgreSQL, MySQL, and modern databases like Supabase and PlanetScale.
cc-skill-project-guidelines-example
Project Guidelines Skill (Example)
business-data-model-designer
Design complete Supabase/PostgreSQL data models with ERD, SQL migrations, RLS policies, indexes, and triggers for business applications
erd-generator
Generate an ERD as Mermaid + DBML from domain narrative or live Supabase schema, with cardinality, optionality, FKs, and a notation legend.
index-strategy-planner
Index recommendations from query patterns, EXPLAIN ANALYZE excerpts, and table sizes. Includes partial / covering / GIN / BRIN guidance for Postgres / Supabase.
migration-plan-builder
Staged migration plan (additive → backfill → dual-write → cutover → cleanup) for Postgres / Supabase, with rollback gates, observability checkpoints, and db-reviewer agent review.
plan-completion-audit
Audit a project plan against the actual implementation — verifying code, types, security, and Supabase backend alignment.
postgres-schema-audit
Audit any Postgres schema (Supabase via MCP or any Postgres 13+ via read-only connection) for structural and relational design quality. Produces a markdown report, ER diagram, JSON sidecar, and draft migrations-suggested.sql. Use for database design, schema audit, FK/constraint/trigger/RPC review, or pre-migration cleanup.
rls-policy-designer
Generate a Supabase Row-Level-Security policy bundle from an access-model description. Outputs SQL + test queries + admin-impersonation patterns.
supabase-schema-bootstrap
Bootstrap a complete Supabase schema from a domain spec — tables, RLS, triggers, indexes, seeds, type generation. Wraps erd / rls / index skills for new-project setup.
write-path-mapping
Map the write path of a project across multiple frameworks — entry points, validation, auth, persistence, side-effects. Outputs report, Mermaid diagrams, JSON sidecar. Flags unauth writes, missing RLS, cache gaps. Use for write path, mutation audit, RLS audit.
docs-seeker
Fetch up-to-date library and framework documentation into AI context. Use when looking up docs, finding feature-specific references, or discovering documentation sources for any library, framework, or tool.
disqualification-handling
Handles disqualified and near-miss inbound leads gracefully. Drafts polite rejection emails, referral requests (right company wrong person), and nurture routing (future fit). Ensures no inbound lead gets ignored and every disqualification preserves the relationship. Tool-agnostic.
linkedin-outreach
End-to-end LinkedIn outreach campaign builder. Takes leads from Supabase, upstream skills, or CSV. Aligns on campaign goal and tone, writes personalized LinkedIn message sequences (connection request + follow-ups + optional InMail), presents for review, and exports for the user's outreach tool (Dripify, Botdog, Expandi, or manual CSV). Logs to Supabase outreach_log.
pipeline-review
Pipeline analysis composite. Pulls deal/meeting data from any CRM or tracking system, analyzes the pipeline over a user-defined period (weekly, fortnightly, monthly, quarterly), and produces both an executive summary and a detailed diagnostic report. Covers volume, qualification rates, source effectiveness, stage velocity, stuck deals, and actionable recommendations. Tool-agnostic — works with any CRM (Salesforce, HubSpot, Pipedrive, Close, Supabase, CSV).
signal-scanner
Detect buying signals across TAM companies and watchlist personas. Three-phase architecture: (1) free diff-based signals from existing data (headcount growth, tech stack changes, funding rounds), (2) Apify-powered signals (job postings, LinkedIn content analysis, profile changes), and (3) post-processing with dedup, scoring, and lead status updates. Writes signals to Supabase signals table for downstream activation.
learning-analyzer
Analyze collected learning data from Supabase to identify success patterns, failure patterns, optimization opportunities, and agent performance trends.
supabase-skill
Configure and manage Supabase projects using MCP (Model Context Protocol). Use this skill when working with Supabase databases, setting up MCP servers, designing database schemas, implementing Row Level Security, managing migrations, or building modern data architectures with PostgreSQL. Essential for Supabase development, database design, and AI-powered database operations.
supabase-expert
Supabase database optimization specialist
inngest
Inngest expert for serverless-first background jobs, event-driven workflows, and durable execution without managing queues or workers. Use when: inngest, serverless background job, event-driven workflow, step function, durable execution.
nextjs-supabase-auth
Expert integration of Supabase Auth with Next.js App Router Use when: supabase auth next, authentication next.js, login supabase, auth middleware, protected route.
supabase-postgres-best-practices
Postgres performance optimization and best practices from Supabase. Use this skill when writing, reviewing, or optimizing Postgres queries, schema designs, or database configurations.
codex-review
Have OpenAI Codex review the current branch with documentation research. Use for second-opinion code reviews or when you want cross-AI verification.
create-auth-skill
Scaffold and implement authentication in TypeScript/JavaScript apps using Better Auth. Detect frameworks, configure database adapters, set up route handlers, add OAuth providers, and create auth UI pages. Use when users want to add login, sign-up, or authentication to a new or existing project with Better Auth.
payuni-webhook
Implements PAYUNi webhook handling including signature verification, replay attack prevention, and payment status updates. Use when building payment notification endpoints for 統一金流.
data-analyst
SEO data analysis, pattern identification, and actionable insights generation
api-endpoint-creation
Next.js 15+ API endpoint creation patterns with Supabase and workspace validation
architecture-reference
Quick reference for Portfolio Buddy 2 project structure. Use when: adding new features, modifying existing components, understanding data flow, or onboarding to the codebase. Contains component hierarchy, hook patterns, and utility functions.
auth
Authentication and access control skill for Next.js 15 + Supabase applications. Use when implementing user authentication, protecting routes, managing user sessions, enforcing role-based access control (admin/member), or working with multi-tenant family-based data isolation. Covers login/logout, registration with email verification, OAuth (GitHub), route protection for Server Components and Server Actions, admin-only features, and multi-tenant data access patterns.
backend-agent
Handles backend/API/database work for Unite-Hub. Implements Next.js API routes, Supabase database operations, RLS policies, authentication, and third-party integrations (Gmail, Stripe).
codebase-explorer
Explore and understand the Empathy Ledger codebase architecture, data flows, database schema, services, and how components connect. Use when you need to understand where things are, how data flows, or how different parts of the system relate to each other.
cookmode-v2-source-of-truth
Documents and explains the CookMode V2 codebase as it exists. Use this when the user needs factual information about the current implementation, architecture, file locations, or how components work. DOES NOT suggest improvements unless explicitly asked.
database-manager
Manages Supabase database schema, migrations, and queries for CookMode V2. Use this when the user needs to create/modify tables, write migrations, update RLS policies, or troubleshoot database issues.
empathy-ledger-dev
Invoke this skill when: - Starting work on any Empathy Ledger feature - Need quick reference to project patterns
lovable
Integration skill for Lovable.dev projects. Activates when working with: - Lovable.dev projects with GitHub sync - Supabase Edge Functions that need deployment - Database migrations for Lovable Cloud - Projects with supabase/ directory structure - Any mention of "Lovable", "deploy edge function", "apply migration" Provides exact Lovable prompts for backend operations that can't be done via GitHub alone.
migration-tracker
Context for ongoing migration from old Portfolio Buddy app. Use when: fixing bugs, adding migrated features, checking feature parity, or understanding why certain code exists. Contains list of 40 features being migrated and known issues.
portfolio-context
Auto-loaded context for Portfolio Buddy 2 development. Use for ANY task involving: React 19 development, TypeScript, portfolio analysis features, metrics calculations, trading strategy comparison, or working with the Portfolio Buddy 2 codebase. Contains tech stack, known issues, and architectural constraints.
project-scaffolding
IDE-grade project scaffolding wizard for creating new projects with comprehensive configuration. Supports 70+ project types: HTML/CSS websites, React, Next.js, Vue, Astro, Remix, React Native, Flutter, Expo, FastAPI, Django, Express, NestJS, Go/Gin, Rust/Axum, Spring Boot, Hono, Elysia, Chrome Extensions, VS Code Extensions, Tauri desktop apps, serverless functions, and more. Provides WebStorm/PyCharm-level project creation with interactive SDK selection, framework configuration, database setup, and DevOps tooling. Use when: creating a new project, setting up a framework application, initializing a codebase, scaffolding boilerplate, building extensions, creating mobile/desktop/web apps, setting up monorepos, or making static websites/landing pages.
stack-analyzer
Analyze project stack and recommend skills. Auto-detects frameworks, activates generic ai-dev-kit skills, and optionally scaffolds project-specific skills in the target repo.
supabase
Manage Supabase projects, databases, migrations, Edge Functions, and storage using the `supabase` CLI.
supabase-patterns
Generic Supabase best practices for Row Level Security, realtime subscriptions, storage, and edge functions. Framework-agnostic.
techdoc-search-and-orchestrate
【强制】所有技术文档查询必须使用本技能,禁止在主对话中直接使用 mcp__context7-mcp 工具。触发关键词:查询/学习/了解某个库或框架的文档、API用法、配置参数、错误解释、版本差异、代码示例、最佳实践。本技能通过 context7-researcher agent 执行查询,避免大量文档内容污染主对话上下文,保持 token 效率。
dev-auth
Modern web auth implementation (better-auth, Lucia, NextAuth/Auth.js, Clerk, Supabase Auth). Trigger when the user wants to add login, signup, sessions, OAuth, magic links, 2FA, or when existing auth code is detected to audit or migrate.
dev-supabase
Backend development with Supabase. Trigger when the user wants to configure auth, the database, or Supabase storage.
build-feature
Implement one vertical slice (UI → server action/route handler → DB) for a single PRD user story. Obeys path-scoped rules. Ends by invoking /code-review. Draft/approve at every boundary.
code-review
Review the current diff against path-scoped rules (secrets, RLS/tenant scoping, Stripe webhook verification, input validation, scope), flag changed code lacking tests, and run a quick security pass. Reports findings; nothing auto-fixed without approval.
design-pricing
Define plans/tiers, metered units, trial period, and upgrade/downgrade rules using the pricing template. Map each plan to Stripe products and prices. Drafts pricing.md then awaits approval.
design-schema
Design Postgres tables, relations, RLS policies, and tenant scoping using the data-model template. Produce a draft Supabase migration. Get approval before applying anything.
launch-checklist
Run the pre-launch gate: verify secrets not committed, RLS enforced, Stripe in live mode with webhooks, error monitoring configured, and legal stubs present. Outputs PASS or BLOCK with blocking items.
setup-billing
Implement Stripe billing end-to-end: products/prices from config, checkout session, webhook handler with signature verification and idempotency, and customer portal. Present plan then implement.
setup-deploy
Set up the Vercel project, wire environment variables across environments, and add a GitHub Actions CI workflow (lint, typecheck, build). Presents the full config plan before touching anything.
setup-stack
Scaffold the Next.js + TypeScript + Tailwind + shadcn + Supabase + Stripe project. Presents exact commands and config for approval BEFORE running anything. Writes .env.example with required keys.
test-setup
Scaffold the test stack for the SaaS app: install and configure Vitest + Testing Library, Playwright, and a CI test step. Run after qa-plan is approved. Produces a runnable test harness.
threat-model
Produce a STRIDE-lite threat model for the SaaS app: enumerate assets, trust boundaries, and entry points, then name the top threat and mitigation for each STRIDE category, focused on multi-tenant SaaS.
write-tests
Author tests for one PRD user story: unit, integration, and e2e cases plus any RLS policy or Stripe webhook fixture tests required. Run after test-setup is complete. Produces passing test files.
backend-db-performance
Optimize database queries, schemas, and performance. Use when fixing slow queries, adding indexes, N+1 problems, schema design, RLS policies, or when user mentions "slow query", "database performance", "timeout", "index", "query optimization", "Prisma", "Supabase", or "PostgreSQL".
backend-error-handling
Implement solid error handling patterns. Use when adding error handling, improving error UX, debugging error flows, standardizing error responses, or when user mentions "error boundary", "try/catch", "error state", "toast notification", "form validation error", or "API error handling".
backend-observability
Instrument features so errors, traces, and logs are correlated from the first line. Use when adding logging, tracing, or monitoring; wiring Sentry, Langfuse, or structured logs; or when asked "add logging", "instrument this", "why can't I debug prod", "correlate the error to the trace", "redact PII from logs", "set up alerts/SLOs".
backend-patterns
Design solid backend architectures with modern patterns. Use when user wants "API design", "database schema", "authentication", "caching", "queues", "background jobs", "microservices", "serverless", or "backend architecture".
backend-realtime
Implement real-time features using WebSockets, Supabase Realtime, Server-Sent Events, and live data. Use when user wants "real-time", "live updates", "WebSocket", "notifications", "chat", "collaborative", "presence", "live data", or "instant sync".
canvas
A Cursor Canvas is a live React app the user opens beside the chat. MUST use a canvas for standalone analytical artifacts — quantitative analyses, billing investigations, security audits, architecture reviews, data-heavy content, timelines, charts, tables, interactive explorations, repeatable tools, or any response that benefits from visual layout. Prefer canvas for MCP tool results (Datadog, Databricks, Linear, Sentry, Slack) over markdown tables or code blocks. MUST also read this skill when creating, editing, or debugging any .canvas.tsx file.
create-subagent
Create custom subagents for specialized AI tasks. Use when the user wants to create a new type of subagent, set up task-specific agents, configure code reviewers, debuggers, or domain-specific assistants with custom prompts.
data-pipeline
Wire ETL, ingestion, cron, edge-function, and queue jobs correctly. Use for "build a pipeline", "sync X into Y", "nightly aggregation", "cron double-counts", "dedupe", "backfill", "the numbers are wrong after a retry". Bakes in idempotency, atomic writes, data contracts, dead-letter, and observability.
data-visualization
Create interactive charts, graphs, and data visualizations. Use when user wants "chart", "graph", "visualization", "dashboard", "analytics", "D3", "Recharts", "data display", "metrics", or "statistics".
debug-error
Systematic debugging workflow for errors and bugs. Use when debugging errors, investigating bugs, troubleshooting issues, or when something isn't working as expected. Integrates Sentry MCP for production error context, Firecrawl for researching fix patterns, and Sequential Thinking for complex multi-step diagnosis.
debug-fe-be-integration
Debug frontend-backend integration issues for any project by analyzing backend logs, identifying incorrect API calls, and fixing both sides. Auto-detects FE/BE frameworks, API style (REST/GraphQL/tRPC), and validation library. Uses Sentry MCP for production error context, Firecrawl for debugging pattern research, and Supabase MCP for data verification. Replaces hardcoded paths with auto-detected patterns. Use when diagnosing API errors, mismatched requests, integration issues between frontend and backend, or when the user mentions API 4xx/5xx errors, validation failures, or FE-BE contract mismatches.
debug-sentry-monitor
Monitor, triage, fix, and proactively enhance Sentry error monitoring for any project. Use when asked to: check Sentry, fix Sentry errors, triage Sentry issues, run post-deploy monitoring, review production errors, clean up Sentry noise, audit Sentry setup, improve monitoring coverage, enhance error tracking, or "run sentry check". Works with any GitHub repo — auto-detects org, project, framework, and config. Fetches issues via Sentry MCP, triages them, performs root cause analysis, fixes code bugs, updates noise filters, audits the monitoring architecture, and resolves issues only after verified fixes.
deploy-npm
Release a Changesets + GitHub Actions + npm OIDC (trusted publisher) monorepo end-to-end. Use when asked to "release", "publish to npm", "ship a new version", "cut a release", "update the changelog and publish", or any package name + release verb.
deploy-verify
Post-deploy smoke test combining all 5 MCPs (Sentry + Supabase + Langfuse CLI + Playwright + Firecrawl) into one workflow. Auto-detects deployment context, checks Sentry for new errors (with Seer AI root-cause on P0s), verifies Supabase migration health and logs, confirms Langfuse trace pipeline, runs Playwright smoke test on critical paths, and produces a ship-or-rollback verdict. Works with any project. Use when asked to: "verify deploy", "post-deploy check", "smoke test production", "check if deploy is healthy", "ship or rollback", "post-release check", "verify release", "deploy health check", or "run post-deploy".
design-api
Design RESTful and GraphQL APIs following best practices. Use when designing APIs, creating endpoints, structuring responses, or planning API architecture.
design-canvas
Create museum-quality visual art in .png and .pdf formats using design philosophy. Use when user asks for poster, visual design, infographic, certificate, badge, banner, social media graphic, print design, or mentions "create artwork", "design graphic", "visual identity", or "print material".
design-email
Design and implement transactional and marketing email templates. Detects email framework (React Email, MJML, or plain HTML), mail provider (Resend, SendGrid, Postmark, AWS SES, Nodemailer), and delivery setup (SPF/DKIM/DMARC). Builds mobile-first templates with dark mode support, 600px max-width, inline styles for client compatibility, and accessible alt text. Reviews copy for natural, conversational tone — no jargon, no passive voice, no corporate formality. Checks deliverability config. Tests rendering across major email clients. Generic across any stack. Use when asked to "build an email template", "transactional email", "welcome email", "password reset email", "email design", "React Email", "MJML", "dark mode email", "deliverability", "SPF DKIM", "email copy review", or "why is my email in spam".
design-frontend
Create distinctive, production-grade frontend interfaces. Use when building web components, pages, dashboards, or beautifying UI. Avoids generic AI aesthetics.
design-generative-art
Create algorithmic art using p5.js, Canvas API, or SVG with seeded randomness and interactive parameters. Use when user requests generative art, procedural art, flow fields, particle systems, creative coding, noise patterns, mathematical visualizations, or asks for "art from code", "generate visuals", or "interactive animation".
design-mobile-first
Design design-mobile-first responsive interfaces with touch optimization. Use when user mentions "mobile", "responsive", "touch", "PWA", "design-mobile-first", "small screen", "tablet", "swipe", or "gesture".
design-motion
Create delightful animations and micro-interactions using Framer Motion, CSS animations, and GSAP. Use when user mentions "animation", "transition", "micro-interaction", "motion", "animate", "hover effect", "scroll animation", "page transition", or "make it interactive".
design-prd
Generate Product Requirements Documents through structured conversation for any project. Auto-detects tech stack, existing features, and data model from the codebase. Uses Firecrawl to research competitor products and UX patterns, Context7 to check framework capabilities for feasibility, and Supabase MCP to verify data model feasibility. Produces actionable PRDs with technical feasibility sections informed by real codebase analysis. Use when starting a new feature, documenting requirements, creating specs before implementation, or needing clarity on scope and success criteria.
design-system
Build and maintain cohesive design systems and component libraries. Use when creating component libraries, design tokens, theming systems, or when user mentions "design system", "component library", "tokens", "variants", "consistent styling", or "reusable components".
design-theme
Apply cohesive visual themes to artifacts (slides, docs, landing pages). Provides 11 pre-set themes with colors/fonts. Use when user mentions "apply theme", "color palette", "brand colors", "styling slides", "presentation design", "visual identity", or wants consistent styling across artifacts.
docs-writer
Write clear, helpful documentation including READMEs, API docs, and code comments. Use when writing documentation, creating READMEs, documenting APIs, or when the user needs help with docs.
enhance-capacitor-ui
Cross-surface UIUX separation skill for hybrid web apps that ship as PWA + iOS + Android via Capacitor (or Tauri / Expo Web / Ionic / RN-Web). Use when a previous UI/UX sweep "improved one surface and broke the other" — desktop polished but mobile cramped, or mobile native but desktop wastes space. Also use when the project has ad-hoc useIsMobile / isNative branches scattered across components, a single md: breakpoint doing double duty as "is desktop" and "wider slot", or per-component platform styling instead of mode tokens. Establishes three orthogonal axes — form factor (compact/medium/expanded), platform (web/ios/android), pointer (fine/coarse) — and a three-layer architecture (context hook, mode tokens, container-query primitives) so one sweep can enhance one axis without degrading the others. Catches axis conflation in a single boolean, hover-only affordances on native shells, and SSR/Capacitor first-paint mismatch. For pure visual polish on a single surface, use enhance-web-ui first.
enhance-pwa
Add or upgrade PWA features to any web app: service worker, offline mode, install prompt, push notifications, and background sync. Detects existing manifest and service worker setup. Installs and configures the right tooling for the framework (Vite PWA plugin, next-pwa, Workbox). Runs a Playwright Lighthouse audit to measure the PWA score before and after. Compatible with Capacitor hybrid apps — bridges PWA web layer with native shell without conflicts. Generic across any web framework. Use when asked to "make it a PWA", "offline support", "install prompt", "push notifications", "service worker", "add to home screen", "background sync", "Lighthouse PWA score", "app-like experience", "installable", or "works offline".
enhance-readme
Turn a plain-text README into a visually rich showcase with a theme-aware hero image, a feature tour grid, an optional animated guided-tour GIF, and updated tech badges. Captures live screenshots via Playwright MCP in both dark and light mode at hero-quality 1600x1000, pairs them with `<picture>` for auto theme-swap, and inlines them into the README using GitHub-supported HTML. Optionally records a guided-tour `.gif` (autoplays inline on github.com via `record-readme-tour.mjs`) for an animated demo above the static screenshots. Works with any web app that has a live URL or local dev server. Use when asked to "enhance README", "make README prettier", "add screenshots to README", "showcase the app in README", "design the README", "add hero image", "spice up README", "make README more fun", "add animated demo to README", "record a tour GIF", or "make a README GIF".
enhance-web-landing
Build landing pages, portfolios, and marketing sites that don't look AI-generated. Use when asked for "landing page", "portfolio", "marketing site", "anti-slop", "Awwwards-style", "premium frontend", or when design needs a strong point of view.
enhance-web-redesign
Upgrades existing websites and apps to premium quality. Audits current design, identifies generic AI patterns, and applies high-end design standards without breaking functionality. Use when redesigning existing projects, upgrading UI to premium quality, removing AI slop patterns, or when the user asks for a redesign audit. Works with any CSS framework or vanilla CSS.
enhance-web-ui
Artistic, research-grounded UI enhancement skill for making an existing page feel intentional, spacious, and human-crafted. Use when the user asks to make a page nicer, more polished, more premium, more editorial, less crowded, less AI-generated, better laid out or balanced, or mentions typography, visual hierarchy, spacing, empty/dead space, motion, hover states, cards, grids, or density — especially vague-but-visceral feedback ("clunky", "heavy", "incoherent", "wasted space", "feels AI-generated", "monochromatic", "everything stacked left"). Catches hard-to-spot failures: active-state mass mismatch, chrome tautology, card-on-card layering, brand-color competition, full-cell wash where a micro-indicator belongs, wrapper-collapsed tiles, conditional slots reserving space for absent content, and the same datum repeated 3× in one fold. General across web repos. Focuses on content choreography, hierarchy, spacing, and motion; for task-flow usability/data correctness use enhance-web-ux first or alongside it.
migrate-to-skills
Convert 'Applied intelligently' Cursor rules (.cursor/rules/*.mdc) and slash commands (.cursor/commands/*.md) to Agent Skills format (.cursor/skills/). Use when the user wants to migrate rules or commands to skills, convert .mdc rules to SKILL.md format, or consolidate commands into the skills directory.
update-cli-config
View and modify Cursor CLI configuration in ~/.cursor/cli-config.json. Use to change CLI settings, configure permissions, switch approval mode, enable vim mode, toggle display options, configure sandbox, or manage any CLI preferences.
ccc-connect
Opt-in MCP connector setup — click-connect Notion, Slack, GitHub, Supabase, Figma, Linear, Vercel, Neon, Fly.io, Upstash, Sentry, Stripe, Browserbase, Postgres,…
powersync
Guided onboarding and best practices for building applications with PowerSync — Cloud and self-hosted setup, sync configuration, client SDK usage, backend integration (Supabase, custom Postgres, MongoDB, MySQL, MSSQL), and debugging. Use this skill whenever the user mentions PowerSync, offline-first sync, local-first architecture, sync rules, sync streams, uploadData, fetchCredentials, real-time data replication, or wants to add offline-capable sync to a mobile or web app — even if they don't explicitly name PowerSync.
health
Cal.com Commander health check across all subsystems. TRIGGERS - calcom health, calendar bot status, cal.com diagnostics, booking bot check.
infra-deploy
Cal.com self-hosted deployment to GCP Cloud Run with Supabase PostgreSQL. Docker Compose for local dev.
setup
Full Cal.com Commander setup wizard - Cal.com API, Telegram bot, Supabase DB, GCP project, launchd services. Discovers 1Password.
context7
Fetch up-to-date library documentation via Context7 API. Use PROACTIVELY when: (1) Working with ANY external library (React, Next.js, Supabase, etc.) (2) User asks about library APIs, patterns, or best practices (3) Implementing features that rely on third-party packages (4) Debugging library-specific issues (5) Need current documentation beyond training data cutoff (6) AND MOST IMPORTANTLY, when you are installing dependencies, libraries, or frameworks you should ALWAYS check the docs to see what the latest versions are. Do not rely on outdated knowledge. Always prefer this over guessing library APIs or using outdated knowledge.
elite-mvp-master
Top 1% development standard for OC Pipeline and federal-grade construction software. Use when Bill asks to build features, fix bugs, write code, create components, or do any software development work. Activates for requests involving Supabase, Vercel, React, Node.js, database work, API development, or any coding tasks for OC Pipeline or related projects.
kry-system
Act 3 — Dữ liệu + Kiến trúc (cửa 1 chiều). Trigger khi user gõ /kry-system, hoặc nói 'thiết kế data model', 'schema cho app', 'kiến trúc hệ thống', 'dựng nền kỹ thuật', 'chốt stack + database', 'auth thế nào', sau khi đã có UX spec từ /kry-ux. Skill define TƯƠI cho app này: entity→bảng→field→ràng buộc + state machine + boundary/contract + auth/role (RLS) + stack + host. Spawn agent challenger-system (giọng phản biện sắc bén (nguyên lý + gu)) để bới security/race/integrity/edge mà nocode không biết hỏi. Đây là cửa 1 chiều — sai = migration trên data thật, đắt 10-100x. Output: ERD + schema + DECISIONS. Hand off /kry-ui.
design-architecture
Define system structure, module boundaries, and data flow for the SaaS app. Record significant decisions as ADRs. Drafts architecture.md then awaits approval.
design-ui
For each screen in flows.md, select shadcn/ui components and layout, note empty/loading/error states, and document basic accessibility. Drafts ui.md then awaits approval.
help
List all 23 studio skills grouped by phase, each with a one-line description. Run any time you need a map of what the studio can do.
map-flows
Derive key user journeys and the full screen list from the PRD. Confirm primary flows with the user, then produce flows.md as the UX contract for design-ui and build-feature.
qa-plan
Define the test strategy and tooling for the SaaS app before writing tests: the test pyramid, what to cover at each layer, and the security-critical seams. Run after the first feature exists. Produces a qa-plan doc.
scope-check
Compare current or proposed work against the PRD's non-goals and scope boundaries. Flag scope creep early, recommend cut or keep, and get a user decision before work continues.
security-audit
Audit the SaaS codebase (or a diff) against the path-scoped rules and an OWASP-style SaaS checklist: auth/session, RLS/tenant isolation, secrets, input validation, Stripe webhook verification, dependency vulnerabilities. Produces a severity-ranked findings report.
start
Detect the project's current stage and route to the right first skill. Run at the very beginning of any new session. Shows the studio map and recommends the next action.
studio-status
Report where the project stands: which spec artifacts exist, what's missing, and which skill to run next. Run at the start of any session to re-orient.
validate-idea
Pressure-test a SaaS idea before any PRD: problem, target user, market, willingness to pay. Run right after /start. Produces an idea-validation doc and a PROCEED/PIVOT/KILL verdict.
write-prd
Turn a validated idea into a full PRD: goals, target users, user stories with acceptance criteria, non-goals, and success metrics. Requires idea-validation.md. Drafts then awaits approval.
cyberseguranca
Skill ROBUSTA de cybersegurança full-spectrum para arquitetar, auditar e responder. Usar SEMPRE que o usuário quiser projetar segurança, auditar projeto, garantir hardening, defender contra invasão, mitigar vulnerabilidades, ou tratar incident. Também aciona quando mencionar 'cybersegurança', 'cyber', 'segurança do projeto', 'hackeado', 'invadido', 'invasão', 'ataque', 'breach', 'vazamento', 'pentest', 'red team', 'blue team', 'audit de segurança', 'OWASP', 'LGPD', 'ISO 27001', 'SOC 2', 'PCI', 'NIST', 'CIS Controls', 'STRIDE', 'threat modeling', 'modelagem de ameaças', 'MFA', 'FIDO2', 'WebAuthn', 'passkey', 'JWT seguro', 'RLS', 'row-level security', 'CSP', 'security headers', 'WAF', 'Cloudflare Access', 'Zero Trust', 'BeyondCorp', 'SSRF', 'XSS', 'CSRF', 'BOLA', 'IDOR', 'injection', 'SQLi', 'prompt injection', 'LLM security', 'AI security', 'agent security', 'supply chain', 'SBOM', 'SLSA', 'Sigstore', 'cosign', 'gitleaks', 'secret scanning', 'rotação de chave', 'data breach', 'incident response', 'IR plan', 'N
shipkit-get-mcps
Discover and install MCP servers for enhanced Claude capabilities
create-hook
Create Cursor hooks. Use to create a hook, write hooks.json, add hook scripts, or automate behavior around agent events.
create-rule
Create Cursor rules for persistent AI guidance. Use when user wants to create a rule, add coding standards, project conventions, file-specific patterns, or mentions ".cursor/rules", "AGENTS.md", "cursor rule", "coding standard", "convention", or "AI guidance".
create-skill
Guide users through creating effective Agent Skills for Cursor. Use when user wants to create, write, update, or debug a skill, or asks about SKILL.md format, skill structure, ~/.cursor/skills/, or skill best practices.
shell
Run the rest of a /shell request as a literal shell command. Use only when the user explicitly invokes /shell and wants the following text executed directly in the terminal.
statusline
Configure a custom status line in the CLI. Use when the user mentions status line, statusline, statusLine, CLI status bar, prompt footer customization, or wants to add session context above the prompt.
update-cursor-settings
Modify Cursor/VSCode user settings in settings.json. Use when user wants to change editor settings, preferences, themes, font size, tab size, keybindings, or mentions "settings", "preferences", "theme", "font", "format on save", "auto save", or "cursor config".
systematic-debugging
Use when a bug, test failure, or unexpected behaviour appears, to find the root cause before changing code instead of guessing fixes. A four-phase process that stops the hallucinated-fix loop and the token waste of trying patches at random.
think-before-coding
Use before writing or changing code on any non-trivial task, to surface hidden assumptions, keep the change minimal and surgical, and define how you will verify success. The discipline that stops over-engineering and wasted tokens before they happen.
data-export
Use when the user wants to export marketing data to BigQuery, Google Sheets, or Supabase for analysis, reporting, or integration with other tools.
db-migration
建立 Supabase migration,確保符合安全規範
init-project
Quick-start Claude Code configuration. Auto-detects stack, asks 4 questions to understand the project, generates complete config.
saas-preflight
Audit a vibe-coded or AI-generated SaaS for security and payment failures before it ships, focused on the Next.js + Supabase + Stripe stack. Use this whenever the user is about to deploy, launch, or "ship" a web app that handles authentication, user data, or payments. Trigger on phrases like "is my app secure", "can someone read other users' data", "is my Stripe integration safe", "will someone get a free subscription", "review my SaaS before launch", "I'm going to production", or any review of API routes, server actions, Supabase RLS policies, Stripe webhooks, or middleware in a SaaS, even if the user never says the word "audit". Prefer this skill over an ad-hoc code read whenever real users or real money are about to touch the code.
gdpr
Use when building, shipping, or auditing one of my B2C apps for GDPR/privacy — classify the data posture (offline / Supabase-backed / ships-to-AI-processor), run the decision gates (personal data? lawful basis? processor DPA? transfer? minimization? DSR/erasure?), add a privacy notice, and add privacy-first cookieless analytics without triggering consent. EU GDPR; references security-bar for the controls.
vibe-proof
Security-focused hardening for vibe-coded full-stack apps. Runs parallel audits across frontend, backend, and config layers, then fixes issues systematically by severity. Covers injection, PII exposure, missing headers, error leakage, dead code, and credential hygiene.
db-feature
Plan and fine-tune a Supabase database feature for the WorldCup 2026 app. Covers schema, RLS, CRUD, SDK patterns, and keys before any implementation. Use when the user says "plan feature", "db feature", "design table", or asks to build a specific feature.
verify-ef-sync
Read-only audit of all WorldCup 2026 Edge Functions, pg_cron jobs, and DB triggers. Verifies the data-sync + scheduling + notification pipeline is correctly wired for the real tournament and flags gaps (unmapped WC games, missing sync crons, leftover test data, stale EF versions). Use when the user says "verify EF", "check the sync", "audit edge functions", "are the crons ready for the World Cup", or before go-live.
devops
Deploy to Vercel (frontends, serverless), Railway (backends, services), Supabase (database, auth, storage), GitHub Actions CI/CD. Use for deployments, infrastructure, monitoring, CI/CD.
supabase
Supabase / PostgREST Row-Level-Security playbook — pull the anon (or leaked service_role) key out of the frontend JS, map tables from the auto-generated OpenAPI spec, test anonymous RLS READ disclosures (PII/secret leaks), and anonymous RLS WRITE abuse (insert/update/delete — e.g. forging "certificate"/verification/entitlement rows the app trusts). Use when the target's frontend talks to *.supabase.co, ships an anon JWT, or you see /rest/v1/, /auth/v1/, /storage/v1/ requests.
context-budget
Audits Claude Code context window consumption across agents, skills, MCP servers, and rules. Identifies bloat, redundant components, and produces prioritized token-savings recommendations.
cost-analysis
Use this skill when the user asks for a cost audit, margin analysis, unit economics, "how much does this cost to run", "what's our margin", "are we losing money on X plan", "compare top-up packs", pricing health-check, or any variant of "is this priced right". Inventories every paid API call, SDK invocation, scraper, render provider, and managed service (Vercel, Resend, Supabase, Stripe, Replicate, Fal, Apify, Upstash, Anthropic, OpenAI, Gemini, etc.), pulls per-unit rates from canonical sources, then compares against the project's pricing model (subscription tiers, top-up packs, usage-based, free). Computes margins for redlining / average / power users, surfaces loss-making paths, and diffs against prior snapshots stored in memory. Optionally writes a COSTS.md to the repo. Also invocable as `/cost-analysis`.
preprod-check
Use this skill when the user asks for a pre-production readiness check, launch checklist, "is this safe to ship", "go-live review", "prod audit", or any variant of "what should I check before deploying". Performs a structured audit covering auth/multi-tenancy, input validation, billing & credit integrity, rate limiting, cost containment, external-request safety (SSRF, uploads), secrets/env, security headers/cookies, error handling, CORS, database (indexes/backups), logging & monitoring, email/password flows, legal/compliance, and operations. Adapts checks to the detected stack (Next.js, Auth.js, Stripe, Supabase, Drizzle, AI SDKs, blob storage, etc.). Produces a severity-grouped findings report and drafts patches for trivial fixes. Also invocable as `/preprod-check`.
pmcontext
Context for the pmcontext PM-Claude workflow plugin. Use this skill whenever any /pmcontext:* command is invoked, when explaining how the tiers or phase gates work, when the user asks which command to run next, or when helping someone set up or troubleshoot pmcontext. Also load this skill if the user references CONTEXT.md, PROJECT_BRIEF.md, ROADMAP.md, or the PM–Claude Workflow block in their project's CLAUDE.md — those files are all scaffolded by this plugin.
brainstorm-spec
Use at the start of a non-trivial feature or change, before planning or coding, to refine a vague request into a short written spec through focused questions. Turns "build me X" into an agreed scope, so the plan and the code that follow do not chase a moving target.
compact-and-offload
Use when the context budget is near full (level compact) or before a planned compaction, to summarise the session and offload durable facts to slipstream memory so nothing important is lost when context is trimmed.
context-budget
Use periodically during a long session to check the approximate context budget and decide whether to keep going, switch to scoped reads, or compact, so you rarely hit the context limit.
finishing-a-branch
Use when implementation is complete and verified and the work needs to land, to choose how to integrate it. Walks the close-out from a clean green suite to a recorded memory of what changed, then merge, pull request or cleanup as the situation calls for.
frontend-design-system
Use when a site needs to look designed rather than defaulted, before building sections: establish a cohesive design system of type scale, spacing, colour, radius and shadow tokens so every component shares one premium visual language.
frontend-hero-section
Use when building the top of a landing page, to produce a high-impact hero with confident display type, a clear single call to action and balanced composition, the kind of opening a polished marketing site leads with.
frontend-marketing-sections
Use when filling out a landing page below the hero, to build the polished marketing sections a premium site is made of: a feature grid, a logo or social-proof strip, a testimonial and a closing call to action.
frontend-motion
Use when a site needs the smooth entrance and scroll-reveal animations that make a page feel alive and crafted, to add tasteful motion with a real animation library rather than ad-hoc transitions.
receiving-code-review
Use when acting on code-review feedback, especially when a comment seems unclear or wrong. Requires verifying each point technically before changing anything, so you fix real issues and push back on mistaken ones instead of agreeing performatively.
requesting-code-review
Use when a feature or fix is complete and verified, before merging, to get a focused review. Prepares a tight diff and the context a reviewer needs so the review finds real problems instead of drowning in noise.
scoped-read
Use before opening any source file in a project that has a slipstream map, to read the compact index and pull a single symbol or line range instead of the whole file, protecting the context budget.
subagent-driven-development
Use when executing a multi-step plan whose tasks are independent, to dispatch a fresh agent per task and review between tasks. Keeps each task in a clean context, parallelises independent work, and gates each result before the next begins.
test-driven-development
Use before writing or changing any feature or bugfix code, to drive the change with a failing test first. Red, green, refactor. The discipline that proves the code does what was asked and keeps it proven as the project grows.
using-slipstream
Use whenever the user says "use slipstream", "use superpowers", or starts any task in a project that has slipstream. A hard, always-on discipline that forces scoped reads over whole-file reads to save tokens, recalls memory before acting, and records what is durable every turn so memory grows constantly.
verification-before-completion
Use before claiming any work is done, fixed, passing or shipped, and before committing or opening a pull request. Requires running the real checks and quoting the real output, so a success claim is backed by evidence rather than hope.
write-plan
Use after a spec is agreed and before coding a multi-step change, to break the work into small, independently verifiable tasks with exact files and a check per task. A plan an agent can execute without re-deciding scope, and that survives compaction.
writing-skills
Use when creating or editing a slipstream skill, to produce one that loads cleanly and earns its place. Covers the frontmatter contract, the trigger-shaped description, the required body sections and the verification gate, so the skill validator passes and the skill is actually useful.
super-claudiosoftware-development
Software development skill. Use when the user wants to build, code, automate, or deploy anything technical. Covers backend APIs, databases, workflow automation, scripts, free public APIs, and hosting/deployment. Trigger on backend: "build an API", "REST API", "database schema", "Supabase", "Firebase", "PostgreSQL", "MongoDB", "FastAPI", "Express", "Fastify", "GraphQL", "Node.js server", "Python API", "Prisma", "ORM", "authentication backend", "serverless functions". Trigger on automation: "automate this", "connect these apps", "n8n", "Make.com", "Zapier", "when X happens do Y", "no-code automation", "schedule a script", "webhook", "automate posting", "IFTTT", "auto-post to Instagram", "batch processing", "automate email". Trigger on free APIs: "free API for X", "public API", "build a weather app", "NASA API", "real-time data", "open data", "free data source", "API without credit card", "government API". Trigger on deployment: "deploy my app", "Docker", "Railway", "GitHub Actions", "CI/CD", "hosting", "go live
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
auth
This skill should be used when adding authentication or authorization to an app or SaaS — login, signup, sessions, tokens, roles, permissions, multi-tenant access, SSO, or social login. Trigger phrases include "add login", "add auth", "sign in with Google", "protect this route", "user roles", "admin permissions", "JWT or sessions", "which auth provider", "RBAC", "multi-tenant access", "who can see what", "magic link", "SSO". It picks the right provider and pattern instead of rolling auth from scratch.
data-modeling
This skill should be used when designing a database schema, modeling data, choosing a database, planning migrations, or setting up multi-tenancy for a SaaS. Trigger phrases include "design the database", "model this data", "what database should I use", "schema for", "multi-tenant", "tenant isolation", "add an index", "how do I migrate", "SQL or NoSQL", "Postgres schema", "row level security", "RLS". It defaults to Postgres, models multi-tenancy safely, and enforces migration and indexing discipline.
secure-coding
This skill should be used while WRITING any backend, API, auth, or data-handling code for a web app or SaaS — to prevent vulnerabilities before they ship, not to audit them after. Trigger phrases include "add an endpoint", "handle user input", "store user data", "is this secure", "build the API", "save to the database", "handle the form", "user uploads", "process payment", "handle secrets", "set up CORS", "rate limit". It applies OWASP Top 10 prevention, input validation, secrets hygiene, and GDPR basics as you build.
repo-performance-guard
Enforce performance-safe query and rendering patterns across this Nx monorepo. Use when working on Vite freezes, Supabase overfetching, pagination, caching, CPU hotspots, memory pressure, or large seeded datasets.
readiness-check
Verify all OpenCode plugin services are healthy and ready. Use when diagnosing plugin issues, after deployment, or when services like Whisper, TTS, Supabase, or Telegram aren't working.
babysit
Keep a PR merge-ready by triaging comments, resolving clear conflicts, and fixing CI in a loop.
split-to-prs
Split current work into small reviewable PRs. Use when the user asks to split a chat, set of changes, branch, or PR.
mcp-tools
MCP tool decision tree and MCP-first fallback strategy. TRIGGER when: choosing whether to use an MCP tool versus a built-in, or an MCP tool is available for a task. SKIP: semantic-memory MCP usage specifically (use semantic-memory-mcp).
010115-supabase-platform
Supabase platform — Row Level Security, Edge Functions, Realtime patterns, Storage signed URLs, PostgreSQL schema design, and anti-patterns.
saas-scaffolder
Materialize a full-stack SaaS project skeleton with Ulak OS governance pre-wired (Next.js + TypeScript + Supabase + optional payment + i18n + RLS + CI + tests + Traefik deploy). Generates a shippable starter that embeds 23 sector packs + 8 rule packs + 79 anti-patterns from commit 1. Use when starting a new SaaS product OR when /ulak-scaffold command dispatches.
saas-analytics
SaaS uygulaması için PostHog analytics ve ürün analizi kur. Event tracking, kullanıcı tanımlama, feature flag, session replay, funnel analizi ve gizlilik uyumlu yapılandırma. Bu skill'i kullanıcı analytics, PostHog, event tracking, kullanıcı davranışı, feature flag, A/B test, dönüşüm analizi veya metrik takibi ile ilgili bir şey istediğinde kullan. "Analytics kur", "kullanıcıları takip et", "PostHog ekle", "feature flag yap" gibi ifadeler tetikler.
saas-api-security
SaaS uygulaması için API güvenlik katmanı kur. Rate limiting, plan bazlı erişim kontrolü, input validation, hata yönetimi, CORS ve health check. Bu skill'i kullanıcı API güvenliği, rate limiting, yetkilendirme, input doğrulama, hata yönetimi veya API koruması ile ilgili bir şey istediğinde kullan. "API'yi koru", "rate limit ekle", "plan kontrolü yap", "input validation" gibi ifadeler tetikler.
saas-auth
SaaS uygulaması için kimlik doğrulama ve oturum yönetimi kur. Google OAuth, Magic Link, e-posta/şifre veya bunların kombinasyonlarını yapılandır. Bu skill'i kullanıcı login sistemi, kayıt akışı, oturum yönetimi, korumalı route'lar veya kullanıcı profili ile ilgili bir şey istediğinde kullan. "Giriş sayfası yap", "auth ekle", "kullanıcı sistemi kur", "login/register" gibi ifadeler tetikler.
saas-database
SaaS uygulaması için Supabase veritabanı altyapısını kur. Proje oluşturma, şema tasarımı, Row Level Security (RLS), migration, connection pooling, realtime ve edge function yapılandırması. Bu skill'i kullanıcı veritabanı, Supabase, tablo, migration, RLS, şema veya veri modeli ile ilgili bir şey istediğinde kullan. "Veritabanı kur", "tablo oluştur", "Supabase ayarla", "migration yap" gibi ifadeler tetikler.
saas-deployment
SaaS uygulamasını production'a taşı. Vercel, Railway veya Fly.io ile deployment, domain yapılandırması, SSL, ortam değişkenleri, CI/CD, izleme ve operasyonel hazırlık. Bu skill'i kullanıcı deploy, yayınlama, production, hosting, domain, SSL, CI/CD, monitoring veya "siteyi canlıya al" ile ilgili bir şey istediğinde kullan. "Deploy et", "yayınla", "canlıya al", "Vercel'e koy", "domain bağla" gibi ifadeler tetikler.
saas-email
SaaS uygulaması için transactional e-posta altyapısı kur. Resend veya Mailgun yapılandırması, DNS kayıtları (SPF, DKIM, DMARC), e-posta şablonları ve spam'dan kaçınma stratejisi. Bu skill'i kullanıcı e-posta gönderimi, DNS ayarları, spam sorunu, magic link, e-posta şablonu veya e-posta servisi ile ilgili bir şey istediğinde kullan. "E-postalar spam'a düşüyor", "DNS ayarla", "hoş geldin e-postası yap" gibi ifadeler tetikler.
saas-landing-seo
SaaS uygulaması için dönüşüm odaklı landing page tasarla ve arama motoru optimizasyonu (SEO) kur. Hero, pricing, FAQ, testimonials gibi bileşenler, metadata, sitemap, robots.txt, Open Graph, yapısal veri ve blog sistemi. Bu skill'i kullanıcı landing page, ana sayfa, fiyatlandırma sayfası, SEO, sitemap, Open Graph, blog veya "daha fazla müşteri çekmek" istediğinde kullan. "Güzel bir ana sayfa yap", "SEO ayarla", "pricing section ekle", "blog kur" gibi ifadeler tetikler.
saas-launcher
Sıfırdan production-ready bir SaaS uygulaması kur. Ödeme, kimlik doğrulama, veritabanı, e-posta, landing page, SEO ve API güvenliği dahil tüm katmanları kapsar. Kullanıcı SaaS kurmak, web uygulaması başlatmak, AI aracı oluşturmak veya online ürün çıkarmak istediğinde bu skill'i kullan — "startup kur", "proje başlat", "uygulama yap" gibi ifadeler dahil. Mevcut bir projeye tek bir katman eklemek (sadece ödeme, sadece auth vb.) için ilgili alt skill'e yönlendir.
saas-legal
SaaS uygulaması için yasal uyumluluk altyapısı kur. KVKK ve GDPR uyumluluğu, gizlilik politikası, kullanım koşulları, çerez onayı, aydınlatma metni ve veri işleme süreçleri. Bu skill'i kullanıcı yasal gereklilikler, KVKK, GDPR, gizlilik politikası, kullanım koşulları, çerez onayı, kişisel veri veya uyumluluk ile ilgili bir şey istediğinde kullan. "Gizlilik politikası yaz", "KVKK uyumlu yap", "çerez onayı ekle", "yasal sayfaları hazırla" gibi ifadeler tetikler.
saas-payments
SaaS uygulaması için ödeme ve abonelik sistemi kur. Stripe veya Lemon Squeezy ile checkout, webhook, abonelik yönetimi, fiyatlandırma planları ve müşteri portalı yapılandır. Bu skill'i kullanıcı ödeme, abonelik, fiyatlandırma, Stripe, gelir, plan, subscription veya checkout ile ilgili bir şey istediğinde kullan. "Para al", "ödeme sistemi kur", "pricing yap", "abonelik ekle" gibi ifadeler tetikler.
saas-storage
SaaS uygulaması için Supabase Storage ile dosya depolama altyapısı kur. Bucket yapılandırması, RLS ile dosya güvenliği, dosya yükleme, görsel optimizasyonu ve plan bazlı depolama limitleri. Bu skill'i kullanıcı dosya yükleme, görsel, depolama, storage, upload veya profil fotoğrafı ile ilgili bir şey istediğinde kullan. "Dosya yükleme ekle", "profil fotoğrafı yükle", "storage kur" gibi ifadeler tetikler.
saas-testing
SaaS uygulaması için test stratejisi kur. Vitest ile birim test, Playwright ile E2E test, API route testi, webhook mock, Stripe test modu ve CI entegrasyonu. Bu skill'i kullanıcı test, test yazma, E2E, birim test, Playwright, Vitest, coverage veya kalite güvencesi ile ilgili bir şey istediğinde kullan. "Test yaz", "test kur", "E2E ekle", "CI'da test çalıştır" gibi ifadeler tetikler.
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
postgres-patterns
PostgreSQL database patterns for query optimization, schema design, indexing, and security. Based on Supabase best practices.
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
beforemerge-fullstack-architecture-review
Code review rules for DRY/SOLID layered architecture in fullstack TypeScript applications. Covers dependency direction, service/repository patterns, factory injection, domain entities, security hardening, performance optimization, and code quality patterns. Use this skill when reviewing, writing, or refactoring fullstack TypeScript code with layered architecture — especially before merging pull requests. Triggers on tasks involving code review, architecture review, SOLID principles, clean architecture, or quality checks for fullstack TypeScript projects.
beforemerge-nextjs-review
Comprehensive code review rules for Next.js, React, and TypeScript applications. Covers security anti-patterns, performance pitfalls, architecture mistakes, and code quality issues. Use this skill when reviewing, writing, or refactoring Next.js/React code — especially before merging pull requests. Triggers on tasks involving code review, PR review, security audit, performance review, or quality checks for React/Next.js/TypeScript projects.
beforemerge-react-review
Comprehensive code review rules for React applications (framework-agnostic). Covers security anti-patterns, performance pitfalls, architecture mistakes, and code quality issues. Use this skill when reviewing, writing, or refactoring React code — especially before merging pull requests. Triggers on tasks involving code review, PR review, security audit, performance review, or quality checks for React/TypeScript projects. Does not cover Next.js-specific patterns (see nextjs-review for that).
beforemerge-supabase-review
Comprehensive code review rules for Supabase applications including RLS security, auth patterns, query performance, migration workflows, and type safety. Use this skill when reviewing, writing, or refactoring Supabase-backed code — especially before merging pull requests. Triggers on tasks involving code review, PR review, security audit, performance review, or quality checks for Supabase/PostgreSQL projects.
beforemerge-wordpress-review
Comprehensive code review rules for WordPress plugin and theme development. Covers security anti-patterns, performance pitfalls, architecture mistakes, and code quality issues. Use this skill when reviewing, writing, or refactoring WordPress/PHP code — especially before merging pull requests. Triggers on tasks involving code review, PR review, security audit, performance review, or quality checks for WordPress projects.
lictor-fix-it
Applies the fixes recommended by /lictor-security-check, with the user's explicit permission for each change. Walks through findings one at a time, shows the proposed change, gets approval, applies, runs tests if available, and moves on. Some fixes (rotating leaked credentials) require the user to act outside Claude — surface those clearly.
lictor-rotate
Walks the user through rotating a leaked API key — step by step, provider-specific. Knows the exact URL to visit, the exact button to click, and how to verify the rotation worked. Supports Stripe, OpenAI, Anthropic, Google Cloud / AI Studio, GitHub, AWS, Slack, Supabase, Firebase, Postmark, and generic OAuth providers.
lictor-security-check
Pre-release security audit for AI-built web apps. Scans the user's project for 7 common bugs that get vibe-coded SaaS apps embarrassed in public — leaked API keys, unprotected user-data endpoints, open databases, the wrong kind of admin-page lock, exposed config files, dangerous AI chat setups, and over-permissive cross-origin settings. Writes a plain-English markdown report. No jargon.
doc-sync
同步更新 docs/verify/ 文件,確保文件反映當前系統狀態
retro
Sprint 回顧 — 分析最近的開發指標
second-opinion
獨立 code review — 從全新視角檢查
mcp-add
Install an MCP server template from dotforge into a project or global Claude Code config with a single command.
analytics-events
Use when you need product analytics: track the handful of events that actually matter, such as sign up and purchase.
analytics-plausible
Use when adding privacy-friendly site analytics: add a lightweight, cookieless analytics script that respects visitor privacy.
analytics-web-vitals
Use when you want to measure real-user performance (Core Web Vitals): measure and report Largest Contentful Paint, Interaction to Next Paint and Cumulative Layout Shift.
auth-oauth
Use when adding social or third-party sign in: add a third party OAuth provider such as GitHub or Google for social sign in.
auth-password-reset
Use when users need to reset a forgotten password: let users reset a forgotten password with a single use, time limited token sent by email.
auth-rbac
Use when routes or actions must be gated by user role: gate routes and actions behind roles so only authorised users can perform them.
auth-session
Use when issuing authenticated session cookies: issue HTTP only, secure, same site session cookies for authenticated requests.
backend-error-handling
Use when an API needs consistent error responses: catch unhandled errors centrally and return consistent JSON error envelopes.
backend-hono-api
Use when scaffolding an HTTP API that runs on Node and the edge: create a Hono based HTTP API that runs on both Node and edge runtimes.
backend-openapi
Use when consumers need an OpenAPI spec for the API: generate an OpenAPI specification from the API routes and serve it for consumers.
backend-rate-limit
Use when a public endpoint needs abuse protection: protect public endpoints with a token bucket rate limiter keyed by client identity.
backend-zod-validation
Use when API input must be validated and rejected if malformed: add schema validation middleware so every endpoint rejects malformed input with a 400.
cloudflare-d1
Use when the app needs a SQLite database on Cloudflare: create a Cloudflare D1 SQLite database and run an initial migration.
cloudflare-kv
Use when you need a low-latency edge cache or key-value store: create a Workers KV namespace and use it as a low latency cache.
cloudflare-pages
Use when deploying a static front end to Cloudflare Pages: publish a built static front end to Cloudflare Pages.
cloudflare-r2
Use when the app needs object storage on Cloudflare: create an R2 object storage bucket and bind it to a Worker.
cloudflare-secrets
Use when a Worker needs secret values kept out of source: store sensitive values as Worker secrets rather than committing them.
cloudflare-worker
Use when building an API or handler at the Cloudflare edge: create a Cloudflare Worker with Wrangler that serves an API at the edge.
frontend-component-library
Use when starting a UI and you want reusable accessible primitives: create a small set of reusable, accessible UI primitives the rest of the site composes from.
frontend-dark-mode
Use when adding a light/dark theme toggle: add a persisted light and dark theme toggle driven by a CSS class on the root element.
frontend-forms
Use when building forms that need validation and accessible errors: build forms with client side validation and accessible error messaging.
frontend-responsive-layout
Use when laying out a marketing or landing page that must work on mobile and desktop: compose a responsive hero, features and footer layout that holds up from mobile to desktop.
frontend-router
Use when a front end needs multiple pages and routing: install a router and define the page routes for a multi page front end.
frontend-tailwind
Use when adding Tailwind CSS to a Vite project: wire Tailwind CSS into a Vite project for utility first styling.
frontend-vite-react
Use when starting a new React single-page front end: create a Vite single page app with React and TypeScript as the front end foundation.
git-conventional-commit
Use when committing work and you want a clean, changelog-shaped history: record work as small conventional commits so history reads as a changelog.
git-feature-branch
Use when starting a new unit of work that should not land on the default branch: create a focused feature branch off the default branch for each unit of work.
git-init-repo
Use when starting version control in a new project: initialise a Git repository with a sensible default branch and ignore file.
analyze
Deep cross-layer consistency audit for any codebase. Traces every feature from UI to database, finds broken wiring, missing handlers, model mismatches, and security gaps. Auto-fixes critical and warning issues. Use this after building features, before releases, or whenever something feels off. Works with any tech stack.
context-budget
Use when context feels heavy or you've added skills, agents, MCP servers, or memory and want a token-consumption audit of the whole setup with a prioritized trim list.
perf-bar
Use when assessing performance or algorithmic soundness — Big-O on hot paths, N+1 queries, Supabase egress, and benchmarking hard challenges; feeds the SPIKE sub-phase and per-task review.
security-bar
Use when reviewing changes for security to apply my checklist on top of security-review — input handling, secrets, authz, Supabase RLS, egress limits, server-side PIN enforcement, and the agent-harness surface (config secrets, hook injection, MCP risk, over-broad permissions).
stack-gotchas
Use when hitting a known failure in my stack — release-please rate-limit or auto-merge loop, GitHub Pages env branch-policy, Supabase egress/RLS/stale-client-blob, a Flipper FAP release/build/version-triad failure or a FAP whose UI won't refresh when launched from favourites/quick-buttons, or verifying mobile/responsive rendering in WSL — for a direct diagnose-and-recover recipe.
stacks
Use when building or maintaining a project in one of my non-default stacks — Flipper Zero FAP in C now, Django / Flask / FastAPI coming — for its architecture, build, test, formatting and release conventions. Routes to references/<stack>/. The web stack (TS / Supabase / PWA) is the pack's implicit default and has no entry here.
edinet-document-fetch
Download a single EDINET disclosure document binary (PDF / XBRL ZIP / CSV) by docID. Returns a time-limited signed URL from Kokai's private storage proxy. Use after `edinet-document-search` to retrieve the actual filing for citation or analysis.
agent-inbox
Create temporary email inboxes and receive emails for testing auth flows, email verification, account confirmation, and any scenario where an AI agent needs to receive an email. Uses the agent-inbox MCP server with mail.tm + 1secmail fallback.
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes. USE WHEN building or refactoring Node/Express/Next.js backend code, API routes, or data-access and server-side logic.
design-system-reference
Provides structured DESIGN.md schema and curated brand references for AI-native visual design specification. Use when user asks about design system, DESIGN.md, visual design, UI design language, design tokens, color palette, typography system, 디자인 시스템, 비주얼 디자인, 디자인 토큰, or UI 디자인.
ship-it
Set up or fix a deploy pipeline. Picks a platform that fits the app, writes the config (Dockerfile, vercel.json, railway.toml, fly.toml, GitHub Actions), and ships a first deploy. Knows Vercel, Railway, Fly.io, Render, AWS basics (ECS, Lambda, Amplify), Docker, Kubernetes essentials, and GitHub Actions. Use when the user says "deploy this", "ship it", "set up vercel", "dockerize this", "write the GitHub Actions for deploy", or has working local code that needs to be live.
ship-it
Set up or fix a deploy pipeline. Picks a platform that fits the app, writes the config (Dockerfile, vercel.json, railway.toml, fly.toml, GitHub Actions), and ships a first deploy. Knows Vercel, Railway, Fly.io, Render, AWS basics (ECS, Lambda, Amplify), Docker, Kubernetes essentials, and GitHub Actions. Use when the user says "deploy this", "ship it", "set up vercel", "dockerize this", "write the GitHub Actions for deploy", or has working local code that needs to be live.
deploy-planner
Deployment and DevOps agent that generates Dockerfiles, CI/CD configs, and step-by-step deployment guides for free hosting platforms. Triggers on: deploy, launch, hosting, Docker, CI/CD, production, go live, ship it.
system-architect
System architecture agent that designs tech stack, folder structure, API contracts, and external service integrations. Triggers on: system design, tech stack, architecture, API design, folder structure, choose framework.
migration-guide
Create and manage database migrations safely. Use when adding tables, columns, indexes, RLS policies, or making any database schema change.
generating-programmatic-seo
Use when generating hundreds or thousands of unique landing pages from a structured data source (Supabase table, CSV, Sanity collection) — city pages, category pages, "[X] for [Y]" matrices, integration pages, directory listings. Wires data + template + LLM enrichment + per-page schema + sitemap inclusion + internal-link graph, with quality gates that keep output on the Tripadvisor/Zapier side and away from Google's scaled-content-abuse policy. Auto-triggers on "programmatic SEO", "generate landing pages from data", "scale content", "city pages", "category pages", "[X] for [Y] pages", or "directory site SEO".
api-contract-reviewer
Review Supabase RPC/PostgREST API contracts for DTO correctness, response consistency, validation quality, and backward-compatibility risk. Use when changing libs/api/*, shared response types, or API-facing behavior.
database-schema-reviewer
Review PostgreSQL schema design for integrity, performance, and migration safety. Use when modifying supabase/migrations/* or supabase/functions/*.
security-reviewer
Review LenserFight security for selected modules or scopes using architecture-aware, low-coupling, high-cohesion rules. Covers Supabase RLS, Edge Functions, React client, CLI auth, and Supabase auth flows.
deliberato
Skill in italiano per decisioni strategiche complesse. Council di advisor AI specializzati, peer review anonima, sintesi del chairman. Per founder, manager e professionisti italiani. Due velocità: Full Council (5 advisor + peer review) e Fast Council (3 advisor, risposta rapida). TRIGGER FULL COUNCIL: "delibera questa decisione", "convoca il council", "council questa decisione", "fai partire il council", "passa al council", "delibera questa scelta", "metti alla prova questa decisione", "stresstest questa scelta", "demolisci questa idea", "trova i buchi in questo piano". TRIGGER FAST COUNCIL: "check questa decisione", "parere rapido", "analisi rapida", "check rapido", "quick council", "parere veloce". TRIGGER CONTESTUALI (Full Council, solo con decisione reale e trade-off significativi): "devo decidere se X o Y", "non so se conviene Z", "vale la pena W", "mi conviene", "che faccio tra A e B", "sono convinto di fare X ma voglio un contraddittorio", "ho già deciso, dimmi dove sbaglio". NON TRIGGERARE su: domande
expo-api-routes
Guidelines for creating API routes in Expo Router with EAS Hosting
config-settings
Claude Code configuration and settings management guide. Covers the settings hierarchy (Enterprise managed > project local > project > user), permission evaluation order (Deny > Ask > Allow), CLAUDE.md best practices, settings.json schema, settings.local.json personal overrides, memory management, and context optimization strategies. Use when configuring Claude Code, updating settings, writing CLAUDE.md, managing permissions, or optimizing context window usage.
doc-workflows
Documentation workflow assistant for code and product documentation. Generates READMEs, API docs, knowledge base articles, and maintains doc-code sync. Use when asked to write documentation, update docs, generate a README, create API docs, build a knowledge base article, or document code changes.
automation-feasibility
手動で行っている作業・プロセスを自動化できるか、すべきかを判断する。自動化コストと人的コストを比較し、ROI・リスク・依存性を整理する。自動化を検討し始めた段階で使う。
change-impact-scan
コード・DB・設定の変更が波及する範囲を洗い出す。意図しない副作用・破壊的変更・依存箇所を実装前に特定する。
failure-point-review
自動化フロー・システム統合の障害点を体系的に列挙し、影響度・検知可能性・対応方針を整理する。実装前・リリース前の最終チェックで使う。
patch-readiness
既存システムへのパッチ・ホットフィックス・緊急修正を安全に適用できる状態かを確認する。テスト・バックアップ・ロールバック手段が揃っているかをチェックする。パッチ・ホットフィックスを適用する前に使う。
repo-structure-review
リポジトリのディレクトリ構造・命名規則・ファイル配置が設計原則と整合しているかをレビューする。構造の崩れを早期に検出し、保守コストの増加を防ぐ。リポジトリ構造をレビューするときに使う。
retry-idempotency-check
自動化フロー・API 呼び出しのリトライ設計とべき等性を確認する。同���処理が複数回実行された場合に、データ破損・二重決済・重複挿入が起きないかを検証する。リトライ・再実行を伴う処理の設計時に使う。
rollback-plan
実装・デプロイ・マイグレーションが失敗した場合に元の状態に戻すための手順を設計する。何を・どの順序で・誰が・どこまで戻すかを事前に定義する。
cm-identity-guard
Verify and lock project identity before ANY git push, Cloudflare deploy, or Supabase operation. Essential when working with multiple GitHub accounts (personal + work), multiple Cloudflare accounts, or multiple Supabase/Neon projects. Prevents wrong-account deploys, cross-project secret leaks, and git history contamination.
cm-safe-deploy
Use when setting up deployment infrastructure for any project - establishes multi-gate deploy pipeline with test gates, build verification, frontend safety checks, and rollback strategy before code reaches production
implementing-next.js-with-supabase
Guides implementation of Next.js 15 App Router features with Supabase SSR. Helps choose between Server/Client Components, select correct Supabase client, and follow security patterns. Use when building pages, components, or API routes.
managing-supabase-schema-migrations
Guides creation, validation, and application of Supabase database migrations with RLS policy checks and type generation. Use when adding tables, modifying schema, or updating database structure.
pre-commit-quality-checking
Runs mandatory quality checks before commits. Executes build, tests, and pattern validation from code-review-standards.md. Use when ready to commit code or when asked to verify code quality meets project standards.
test-driven-development
Use when implementing any feature or bugfix in the Culinary Advisor Next.js project - write the test first, watch it fail, write minimal code to pass; ensures tests actually verify behavior by requiring failure first
cortex-uninstall
Remove cortex-x from this machine — framework, shims, skills, agents. Wraps the bin/cortex-uninstall.cjs CLI. Safe-by-default — preserves $CORTEX_DATA_HOME (~/.cortex/) which holds research/projects/journal/insights (months of work). Triggers (EN+CZ) "/cortex-uninstall", "uninstall cortex", "remove cortex", "smaž cortex", "odinstaluj cortex", "wipe cortex", "i don't want cortex anymore". Refuses to act without explicit operator confirmation. The --purge flag (deletes ~/.cortex/ too) is DESTRUCTIVE and requires a second confirmation step on top of the first. Always runs --dry-run first so the operator sees the exact path list before any deletion happens.
migration-planner
Plan and track cross-platform or cross-service migrations (Supabase to Firebase, single to multi-tenant, schema migrations, etc). Generates rollback-safe migration plans with state tracking.
freeze
凍結指定路徑,防止 Claude 修改
apps-language-rules
Define i18n and internalization rules for forum (React/i18next) and docs (VitePress locales) apps. Use when adding new UI strings, translating docs, adding new locales, checking language consistency, or setting up hreflang SEO for multilingual pages.
cli-developer
Review, modify, and improve the LenserFight CLI at apps/cli/. Covers citty commands, API client integration, output formatting, TUI, and configuration.
supabase-rls-account-lifecycle-engineer
Use when implementing RLS, account state enforcement, soft deletion, legal retention boundaries, cancellation on login, and pg_cron purge workflows in Supabase/Postgres.
supabase-social-graph-engineer
Use when designing Postgres/Supabase schema, triggers, helper functions, and query patterns for follows, follower requests, mutuals, blocks, counters, and profile access relationships.
mushi-health
Pass/fail health check across every Mushi Mushi pipeline component — CLI credentials, API reachability, edge functions, BYOK key pool, QA cron. Use when "is mushi working", "mushi health check", "check mushi pipeline", "mushi deploy check", "pipeline not responding", or right after setup.
mushi-integration
Full end-to-end Mushi Mushi integration smoke test: bug capture → AI triage → story mapping → TDD test generation → approval → execution → PDCA cycle. Use when "test mushi integration", "verify full pipeline", "mushi e2e check", "does mushi work end-to-end", "smoke test mushi", or after deploying changes.
mushi-mushi
Set up, configure, and use Mushi Mushi — the AI-powered QA platform for automatic bug detection, user story mapping, TDD scenario generation, and PDCA auto-improvement. Use when setting up Mushi, configuring SDK/CLI/MCP, managing API keys, or asking how any Mushi feature works.
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
api-testing
Test backend HTTP surfaces — REST/RPC endpoints, Next.js route handlers, Supabase APIs, and Stripe webhook handlers — without a browser. Use this skill whenever the user wants to test an API, check an endpoint, verify a webhook, confirm RLS/auth behavior, validate response shape or status codes, or smoke-test the backend after a change. Trigger even if the user just says "does the booking endpoint still work" or "test the payment API" without naming a tool.
e2e-testing
Write and run TypeScript end-to-end browser tests with Playwright that exercise real user journeys — signup/login, search, the booking flow, and Stripe checkout → confirmation. Use this skill whenever the user wants an e2e test, a browser test, to test a full flow "end to end", to catch regressions before deploy, or to verify the live site still works after a change. Trigger even on casual asks like "make sure booking still works in the browser" or "test the checkout flow".
payments-testing
Test Stripe payment flows in test mode using the Stripe API/MCP — the successful charge/checkout path that should create a booking, and the decline/failure paths (generic decline and 3DS/SCA-required) that the app must handle gracefully. Use this skill whenever the user wants to test payments, verify checkout, confirm a charge succeeds or a declined card is handled, or check Stripe integration before launch. Trigger on casual asks like "does paying actually work" or "test a declined card" too. Stripe TEST MODE only.
security-audit
Run a defensive security audit of a full-stack web app — exposed secrets and service-role keys, Supabase RLS gaps, auth bypass and IDOR on routes, Stripe webhook signature handling, input validation, insecure direct object references, and vulnerable dependencies. Use this skill whenever the user wants a security audit, a vulnerability check, to review auth, to find exposed keys/secrets, or to harden the app before launch. Trigger on asks like "is my app secure" or "check for leaked keys" too. Defensive use only.
seo-audit
Audit web pages for on-page SEO health — title and meta tags, heading structure, canonical/robots directives, Open Graph and Twitter cards, structured data (JSON-LD), image alt text, and crawlability signals. Use this skill whenever the user wants an SEO audit, an SEO check, to improve search ranking, to validate metadata or structured data, or asks why pages aren't ranking or showing rich results. Trigger on casual asks like "check the SEO on my listings pages" too.
migration-reversibility
Check SQL migration files for irreversible or deploy-breaking operations before running them against production. Use whenever the user writes a migration, mentions ALTER/DROP/migrate, prepares a release containing schema changes, or asks if a deploy is safe — for Supabase, Prisma, Drizzle, or raw SQL alike. Runs fully offline — no API keys, no network, no credentials.
secret-preflight
Scan a repository for committed secrets, API keys, tokens, and private keys before deploying or pushing. Use before any first push to a public repo, before any deploy, when the user mentions 'did I commit a secret', 'API key in code', security review, or open-sourcing a project — and proactively if you notice a hardcoded credential while doing other work. Runs fully offline — no API keys, no network, no credentials.
migration-reversibility
Check SQL migration files for irreversible or deploy-breaking operations before running them against production. Use whenever the user writes a migration, mentions ALTER/DROP/migrate, prepares a release containing schema changes, or asks if a deploy is safe — for Supabase, Prisma, Drizzle, or raw SQL alike. Runs fully offline — no API keys, no network, no credentials.
secret-preflight
Scan a repository for committed secrets, API keys, tokens, and private keys before deploying or pushing. Use before any first push to a public repo, before any deploy, when the user mentions 'did I commit a secret', 'API key in code', security review, or open-sourcing a project — and proactively if you notice a hardcoded credential while doing other work. Runs fully offline — no API keys, no network, no credentials.
prod-watch
Poll Vercel runtime logs and Supabase logs since the last run, cluster new errors by cause, and triage. Triage only — no deploys, no data changes.
multi-user-sync
Multi-user 即時同步系統的完整實戰手冊:locking / optimistic lock / 3-way merge / broadcast handler / Yjs CRDT / presence。當用戶在做或修改任何 2+ 人同編工具時觸發。 關鍵詞觸發:「多人同步」、「多人協作」、「即時同步」、「即時協作」、「實時同步」、「同編」、「同時編輯」、「衝突解決」、「樂觀鎖」、「悲觀鎖」、「3-way merge」、「CRDT」、「Yjs」、「Presence」、「在線狀態」、「誰在編輯」、「broadcast」、「廣播」、「postgres_changes」、「Supabase Realtime」、「資料覆蓋」、「打字不丟字」、「scroll 跳走」、「新增消失」、「刪除復活」、「heartbeat」、「lock TTL」、「editingBy」、「multi-user sync」、「realtime sync」、「collaborative editing」、「conflict resolution」、「optimistic locking」、「three-way merge」、「presence indicator」、「supabase realtime」、「broadcast handler」、「data race」、「debounce save」。 即使用戶只說「兩個人同時編輯怎麼辦」、「做個多人協作工具」、「同步」、「Realtime」、「我要 vibe coding 一個 multi-user app」也應觸發此 skill。任何涉及「多人並行寫入同一份資料」的功能(包含但不限於文件協作、看板、表單、財估、PM 工具、白板)都適用。 本 skill 從 Fandora 財估工具 6 天 93+ commits 累積的實戰教訓蒸餾出來,涵蓋 M-1 至 M-45 系列的所有 sync 相關 patterns + 6 個歷史災難 + 4 層保護架構。
mcp-to-mobile
Flagship AiGNITE pipeline. Takes any AiGNITE MCP server URL, lists its tools, and scaffolds a complete React Native mobile app with one screen per public tool, Supabase auth, push notifications, and Stripe subscription billing. Converts B2B MCP infrastructure into a B2C consumer product without rebuilding the backend. Use this skill whenever the user mentions turning an MCP into a mobile app, wrapping an MCP as a consumer app, building a mobile front end for an MCP, MCP to mobile, or making a consumer app from an MCP server, even if they do not name the skill by name.
mobile-app-scaffold
Generates a production-ready Expo React Native project pre-wired for AiGNITE conventions in under sixty seconds. Use this skill whenever the user mentions building a mobile app, scaffolding an Expo project, starting a new React Native app, mobile boilerplate, Expo scaffold, or kicking off a mobile project, even if they do not name the skill explicitly.
supabase-bootstrap
Stands up a Supabase project for an AiGNITE mobile app, generates a schema with RLS on by default, verifies table count, produces an API contract document, and writes keys to .env.local in one command. Use this skill whenever the user mentions adding a database, Supabase setup, auth setup, setting up Postgres, adding user accounts, wiring up Supabase, or backing a mobile app with a database, even if they do not name the skill by name.
supabase-owasp-audit
Rigorous OWASP-aligned security audit of a Supabase-backed app, combining static repo review with live database inspection (RLS, policies, grants, advisors, storage, auth). Use whenever the user wants to analyze, audit, or review the security of an app using Supabase — especially if they mention OWASP, RLS, "security score", vulnerabilities, "is my app secure", edge functions, leaked keys, or provide a repo ZIP plus a connected Supabase project. Produces a first report IN CHAT: a textual situation report, a 0–10 score per OWASP Top 10 category as wireframes, and wireframes for app structure, strong points, weak points, and the correction pipeline (plus extras as warranted) — then offers a Markdown audit report and remediation plan. Trigger even if the user just says "audit my app" or "check my Supabase security".
canary
部署後健康檢查
guard
顯示和管理安全護欄
meoo-cli
从零到上线的全栈应用构建指南,基于秒悟(Meoo)平台。 触发条件: (1) 用户提到"秒悟"或"Meoo"; (2) 用户要从零构建应用,且需求可被以下架构覆盖:前端 SPA(React/Vue)+ Supabase(数据库/Auth/Storage)+ Deno 边缘函数 + AI 大模型服务。 覆盖完整生命周期:项目初始化、本地开发、云服务开通、数据库管理、边缘函数部署、CDN 发布、沙箱代码同步、账户与权益管理。
migration-risk-reviewer
Assess Supabase/Postgres migration blast radius, rollback difficulty, data loss risk, permission regression risk, and rollout safety. Use before applying migrations to shared environments or bundling schema changes into a release.
repo-architecture-auditor
Audit Nx monorepo structure, layer responsibilities, dependency drift, public APIs, and misplaced logic. Use for architecture review, library placement, boundary erosion, duplication, and repo health checks.
repository-pattern-reviewer
Review repositories, cache behavior, data-access boundaries, and error mapping. Use when persistence code becomes leaky, caching is suspicious, or feature code reaches into transport/storage details.
supabase-api-rpc-reviewer
Review Supabase SQL functions, RPC exposure, return contracts, and API-facing database surfaces. Use for public API design, function hardening, response stability, and deciding between direct table access and RPC.
supabase-rls-security-reviewer
Review Supabase RLS, grants, schema exposure, views, and SQL function privilege boundaries. Use for policy design, auth-sensitive migrations, exposed-schema review, security-definer risk, and least-privilege database hardening.
supabase-schema-reviewer
Review Supabase/Postgres schema design, table ownership, normalization, defaults, relationships, and migration coherence. Use for new tables, column design, view design, schema cleanup, and database modeling decisions.
multi-tenant-architecture
Guidelines for building a white-label, multi-tenant church platform using Next.js App Router, Middleware, and Supabase RLS. Use when setting up subdomains, dynamic theming, or tenant isolation.
documentation-lookup
Load when a workflow-router-selected owner workflow needs current library, framework, SDK, API, CLI, or cloud-service documentation; fetch docs instead of relying on training data or ordinary repo evidence.
mushi-debug
Debug Mushi Mushi issues — SDK not reporting, API errors, LLM key exhaustion, story mapping failures, QA test failures, PDCA loop not running, edge function errors. Use when "mushi is not working", "sdk not pinging", "story map failed", "tdd test not running", "api key exhausted", "fix-worker failed", "pdca not improving", or any mushi error/failure.
mushi-setup
Set up Mushi Mushi in a new project — install SDK, configure API keys, connect to the admin console, map user stories from a live app, and generate TDD tests. Use when the user asks to "set up mushi", "add mushi to my project", "connect mushi", "configure mushi", "install mushi sdk", "map my user stories", or "start using mushi tdd".
mushi-test
Run, review, and improve Mushi Mushi TDD tests — story mapping, Playwright test generation, QA coverage, PDCA improvement loop, test approval workflow. Use when "run tdd tests", "generate tests for my stories", "check qa coverage", "improve failing tests", "test my app with mushi", "review generated tests", or any TDD/QA workflow in mushi.
supabase-switch
Switch active Supabase project for MCP connection
data-migration-safety
Review database migrations and schema changes for safety — reversibility, lock duration, online-vs-offline behavior, batch-size on backfills, tenant isolation, RLS policies (Supabase), idempotence, audit-log impact. Use this skill on any PR that touches `migrations/*`, `supabase/migrations/*`, `*.sql`, schema files (Drizzle/Prisma/SQLAlchemy), or that adds/modifies columns, indexes, constraints, RLS policies. Critical for [Project A] (procurement audit trail) and [Project B] (PHI integrity). A bad migration on staging = postmortem; on production = incident.
postgres-cli
Query and inspect PostgreSQL databases via the `psql` CLI for [Project A]/[Project B]/[Company] data needs. Use this skill whenever the user asks to "query the DB", "check schema", "run migrations", "inspect rows", "explain query", or anything that touches a Postgres connection. Replaces low-trust community Postgres MCPs. Stack-aware for Supabase, self-hosted Postgres, and cloud variants.
supabase-index-trigger-reviewer
Review Postgres indexes, triggers, write amplification, and performance risk in Supabase migrations. Use for slow queries, missing indexes, trigger-heavy designs, stale propagation issues, and DB-side performance tuning.
kyma-deploy
Deploy kyma to production (AWS Fargate + S3 + Supabase) or run a Supabase-backed local test drive. Use when the user asks to deploy kyma, self-host kyma in production, set up kyma on AWS/Supabase, or tear a kyma deployment down. Drives the `kyma deploy` CLI wizard (Terraform or Pulumi under the hood).
video-transcribe
Video/audio transcription, visual frame analysis, Groq Whisper long-form transcripts, timestamped Obsidian notes, and keyframe-based visual summaries. Use for video links, audio links, 字幕/转录/视频总结/画面分析/图文笔记, especially when the result must replace watching the video. Keywords: video, transcribe, 转录, 视频, 音频, audio, subtitle, 字幕, summary, 总结, 图文笔记, 视频内容, 画面分析, visual analysis, keyframe, whisper, groq, yt-dlp
ios-ai-dev
小K酱|你的 AI 开发贴身助理,专门帮没有编程背景的主人把 App 做出来~ 三个入口: 1. 新项目启动 → 小K陪你从零开始,生成 CLAUDE.md,开工前全部想清楚 2. 开发中遇到问题 → 告诉小K哪里不对,小K来诊断 3. 上线前检查 → 小K陪你逐项过审核清单,确保顺利上架 触发方式:/ios-ai-dev、「我要开始做一个 App」「帮我生成 CLAUDE.md」「我要上架了」
cm-how-it-work
Complete guide to vibe coding with the CodyMaster skill kit — from idea to deploy. Covers the full workflow, skills used at each phase, and common use cases. Read this first if you are new; reference it whenever you're unsure which skill to invoke.
firebase
Firebase: Firestore database, Authentication, Realtime Database, Cloud Functions, Firebase Storage, and security rules — for web and mobile apps
saas-scaffolder
SaaS project scaffolder: generate a complete production-ready SaaS codebase from a description — Next.js, auth, database, payments, email, and deployment configured
vibe-proof
Security-focused hardening for vibe-coded full-stack apps. Runs parallel audits across frontend, backend, and config layers, then fixes issues systematically by severity. Covers injection, PII exposure, missing headers, error leakage, dead code, and credential hygiene.
supabase-query
Execute SQL queries on any Supabase project via Management API. Use when needing to run SQL on Supabase, create tables, query data, or manage database schemas.
security-reviewer
Pre-launch security review covering auth, data exposure, input validation, and dependency vulns. Produces a remediation list, not a "looks good" stamp.
nextjs-security
Security audit specific to Next.js applications including App Router and Pages Router, Server Actions, middleware, Route Handlers, Server Components, environment variable exposure (NEXT_PUBLIC_), getServerSideProps/getStaticProps secret leakage, Image Optimization SSRF, and Next.js-specific authentication patterns. Use this skill whenever the user mentions Next.js, App Router, Pages Router, Server Actions, RSC, server components, middleware.ts, route handlers, NEXT_PUBLIC_, Vercel deployment patterns, next.config.js, or asks "audit my Next.js app", "is my middleware safe", "Server Actions security", "Next.js auth review". Trigger when the codebase contains a `next.config.js`/`next.config.mjs`/`next.config.ts` file, `app/` directory with `page.tsx` files, or `pages/` directory with Next.js conventions.
saas-api-security
Audit SaaS API surface security including rate limiting, CORS configuration, webhook signature verification, GraphQL query depth/complexity, REST API best practices, idempotency keys, request signing, and API key management. Use this skill whenever the user asks about rate limiting, CORS, webhook security, HMAC signatures, GraphQL security, API abuse, throttling, idempotency, replay protection, or "is my API safe". Trigger on phrases like "audit my API", "review my CORS", "webhook security", "rate limit", "GraphQL depth attack", "API abuse", "signature verification". Use this even when only one API surface is mentioned.
saas-code-security-review
Application-code security review for SaaS backends focusing on authentication, authorization, IDOR/BOLA, SSRF, JWT handling, injection (SQL/NoSQL/command/template), deserialization, mass assignment, and SAST findings. Multi-stack (Node/TypeScript, Python, Go, Java, Ruby). Use this skill whenever the user asks to review code for security bugs, find IDOR or BOLA vulnerabilities, audit auth flows, check JWT validation, look for SSRF, hunt for injection, review session management, or interpret SAST output from CodeQL/Semgrep/Snyk Code. Trigger on phrases like 'review this code for security', 'find IDOR', 'is my JWT validation safe', 'SSRF check', 'SAST report', 'auth bypass', 'BOLA', 'audit my auth', 'session security'. Use this when the user shares a code file and security context.
saas-compliance-audit
Audit SaaS applications against common compliance frameworks (SOC2, GDPR, HIPAA, PCI-DSS) with focus on technically-verifiable controls including audit logging, data retention, encryption at rest and in transit, DSAR (Data Subject Access Request) endpoints, breach notification readiness, vendor risk, and access reviews. Use this skill whenever the user asks about SOC2, GDPR, HIPAA, PCI-DSS, compliance audit, audit logging, data retention, DSAR, "right to be forgotten", erasure requests, evidence collection, ISO 27001, or "are we compliant". Trigger on phrases like "audit my compliance posture", "SOC2 readiness", "GDPR controls", "do we have the right logs", "data retention policy", "DSAR endpoint", "data deletion", "compliance evidence". Use this even when only one framework or control is mentioned.
saas-tenant-isolation
Audit multi-tenant SaaS applications for cross-tenant data leakage including query scoping, tenant_id enforcement, cache key isolation, file storage path scoping, search index isolation, and tenant binding across billing, analytics, and background jobs. Use this skill whenever the user mentions multi-tenant, tenant isolation, cross-tenant leak, tenant_id, organization scoping, workspace isolation, B2B isolation, "are my tenants isolated", shared database with tenant column, schema-per-tenant, or database-per-tenant. Trigger on phrases like "audit my multi-tenancy", "check tenant isolation", "cross-tenant data leak", "tenant_id scoping", "are my orgs isolated". Use this even when only one isolation surface is mentioned.
supabase-security-audit
Audit Supabase project security including Row-Level Security (RLS) policies, SECURITY DEFINER functions, anon/authenticated role grants, service_role key exposure, edge function authentication, and JWT verification on edge endpoints. Use this skill whenever the user mentions Supabase, RLS, row-level security, SECURITY DEFINER, anon role exposure, service_role leak, supabase-js client, edge functions auth, or asks "is my Supabase project safe". Trigger on phrases like "audit my Supabase", "review my RLS", "is RLS enabled", "SECURITY DEFINER risk", "anon role grants", "edge function security", "service role exposure", "Postgres function audit". Use this even if only one sub-topic is mentioned.
dba
Postgres-first DBA workflows — run a full database health audit, design and implement schema (tables, constraints, RLS, indexes, migrations + tests), clean up unused indexes / bloat / dead tuples, diagnose and fix slow queries, and investigate live database incidents (high CPU, lock storms, error spikes, connection exhaustion). Use whenever the user says "audit the database", "DB health check", "design a schema", "model this table", "add a table for X", "clean up indexes", "database bloat", "why is this query slow", "optimize this query", "explain analyze this", "investigate the database", "the DB is on fire", "high CPU on Postgres", "connection pool exhausted", or types "/dba" — even when they don't say the word "DBA" or name a specific workflow. Discovers each project's migration, test, and deploy conventions at runtime rather than assuming them.
supabase
Supabase platform standards — Row-Level Security, publishable/anon and secret/service_role key boundaries, Postgres and Edge functions, Storage, Realtime, and the CLI migration workflow. Use when working with RLS policies, Supabase clients, Edge Functions, or supabase/ migrations. Loads alongside the database (Postgres) domain.
e2e-auth
This skill should be used when an agent or user needs to run or author an AUTHENTICATED browser test or walkthrough — "test this as a logged-in user", "run the e2e / smoke", "verify the dashboard", "the smoke can't log in", "sign in for tests", "set up Playwright auth", "test the authed flow". Covers getting past the auth provider's bot-detection / MFA (Clerk Testing Tokens; Auth0 / NextAuth / Supabase / custom equivalents), caching the session with storageState, and why auth-gated specs use Playwright, not agent-browser.
sql-queries
Write correct, performant SQL across all major data warehouse dialects (Snowflake, BigQuery, Databricks, PostgreSQL, etc.). Use when writing queries, optimizing slow SQL, translating between dialects, or building complex analytical queries with CTEs, window functions, or aggregations.
jikime-platform-supabase
Supabase specialist covering PostgreSQL 16, pgvector, RLS, real-time subscriptions, Edge Functions, and Postgres performance optimization. Use when building full-stack apps with Supabase backend or optimizing database performance.
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
qa-gate-vercel
Pre-production validation gate for Vercel/Supabase/Firebase stack — generates test plans, executes test suites, validates APIs, UI, toasts, LLM output quality, and produces go/no-go reports
local-e2e
Local LeadAce E2E testing skill. Triggers: 'local E2E', 'ローカル E2E', 'local-e2e', 'E2E テスト', E2E run against the local stack. Encodes the prerequisites: host-side `claude` CLI, real Google OAuth, local Supabase / Workers / Frontend. Concrete scenarios are user-supplied per run.
local-e2e
Local LeadAce E2E testing skill. Triggers: 'local E2E', 'ローカル E2E', 'local-e2e', 'E2E テスト', E2E run against the local stack. Encodes the prerequisites: host-side `claude` CLI, real Google OAuth, local Supabase / Workers / Frontend. Concrete scenarios are user-supplied per run.
template-ui
startup-saas-template UI-specific patterns. For generic patterns, see: typescript, react-19, nextjs-15, tailwind-4. Trigger: When working inside ui/ on template-specific conventions (shadcn, folder placement, actions, shared types/hooks/stores).
sql-queries
Write correct, performant SQL across all major data warehouse dialects (Snowflake, BigQuery, Databricks, PostgreSQL, etc.). Use when writing queries, optimizing slow SQL, translating between dialects, or building complex analytical queries with CTEs, window functions, or aggregations.
write-query
Write optimized SQL for your dialect with best practices. Use when translating a natural-language data need into SQL, building a multi-CTE query with joins and aggregations, optimizing a query against a large partitioned table, or getting dialect-specific syntax for Snowflake, BigQuery, Postgres, etc.
legal-check
Full-stack legal, privacy, and compliance audit engine for web applications and SaaS platforms. Use this skill when the user wants to audit a codebase for legal exposure, privacy risks, GDPR/CCPA compliance gaps, missing consent flows, unsafe data practices, cookie policy issues, payment/auth compliance, AI disclosure requirements, or platform liability risks. Trigger whenever the user says "audit my app for compliance", "check my codebase for privacy issues", "do a legal check", "GDPR audit", "privacy policy review", "terms of service check", "is my app compliant", or uploads/shares a codebase and asks about legal or privacy concerns. Also trigger proactively when reviewing any app that handles user accounts, payments, AI outputs, or file uploads — even if the user doesn't use the word "legal".
start-work
/start-work - Begin Working on a GitHub Issue
devops-engineer
Senior DevOps Engineer persona — CI/CD, infrastructure as code, deployment automation
compile
Load the marketing assessment pipeline lessons, pitfalls, and quality checklist before generating or reviewing a client deck. Invoke with /compile before any pipeline run to ensure all 24 learned pitfalls are loaded into context. Also use after a pipeline run to verify output against the quality checklist.
supabase-architect
Automates Supabase workflows including migrations, type synchronization, and schema security audits. Use when creating new database tables, updating schemas, or ensuring RLS compliance.
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
authentication
Auth flows, session management, OAuth integration, domain-restricted access, and role-based access control for TopNetworks properties. Primary implementation is Better Auth 1.x with Google OAuth in route-genius. Use when implementing login, session checks, protected routes, or any access control logic.
cicd-pipeline
Use when setting up GitHub Actions, automated testing, build checks, or deployment workflows. Triggers on "CI/CD", "pipeline", "GitHub Actions", "deploy", "automated testing", "build check".
real-time-features
Use when implementing real-time updates, WebSocket connections, live data synchronization, or Supabase Realtime subscriptions - focuses on real-time data patterns
cicd-pipeline
Use when setting up GitHub Actions, automated testing, build checks, or deployment workflows. Triggers on "CI/CD", "pipeline", "GitHub Actions", "deploy", "automated testing", "build check".
create-adr
Create MADR-format Architecture Decision Record. Use when recording an architectural decision, documenting a technical choice, or creating an ADR.
authentication
Auth flows, session management, OAuth integration, domain-restricted access, and role-based access control for TopNetworks properties. Primary implementation is Better Auth 1.x with Google OAuth in route-genius. Use when implementing login, session checks, protected routes, or any access control logic.
Integration detected automatically from skill content. Some results may be false positives.