Fullstack Security Skill
Atomic skill for security auditing and performance optimization.
Responsibility
Single Purpose: Audit security, optimize performance, and ensure compliance
Actions
audit_security
Perform security audit against specified standards.
// Input
{
action: "audit_security",
audit_type: "owasp",
target: "backend"
}
// Output
{
success: true,
vulnerabilities: [
{
severity: "high",
category: "A03:Injection",
title: "SQL Injection Risk",
location: "src/routes/users.ts:45",
remediation: "Use parameterized queries"
}
],
compliance_status: { owasp_score: 75, passing: 8, failing: 2 },
recommendations: ["Add input validation", "Implement CSP headers"]
}
optimize_performance
Analyze and optimize application performance.
configure_caching
Set up caching strategies.
harden_infrastructure
Apply security hardening to infrastructure.
Validation Rules
function validateParams(params: SkillParams): ValidationResult {
if (!params.action) {
return { valid: false, error: "action is required" };
}
if (params.action === 'audit_security' && !params.target) {
return { valid: false, error: "target required for security audit" };
}
return { valid: true };
}
Error Handling
| Error Code | Description | Recovery | |------------|-------------|----------| | CRITICAL_VULNERABILITY | Critical security issue found | Block deployment, immediate fix | | PERFORMANCE_REGRESSION | Performance degraded | Rollback or optimize | | COMPLIANCE_VIOLATION | Compliance requirement not met | Document and remediate | | SCAN_FAILED | Security scanner failed | Use alternative tool |
Logging Hooks
{
"on_invoke": "log.info('fullstack-security invoked', { action, target })",
"on_vulnerability": "log.warn('Vulnerability found', { severity, category })",
"on_success": "log.info('Security check completed', { score, recommendations })",
"on_error": "log.error('Security skill failed', { error })"
}
Unit Test Template
import { describe, it, expect } from 'vitest';
import { fullstackSecurity } from './fullstack-security';
describe('fullstack-security skill', () => {
describe('audit_security', () => {
it('should detect OWASP Top 10 vulnerabilities', async () => {
const result = await fullstackSecurity({
action: 'audit_security',
audit_type: 'owasp',
target: 'backend'
});
expect(result.success).toBe(true);
expect(result.compliance_status.owasp_score).toBeDefined();
});
it('should provide remediation steps', async () => {
const result = await fullstackSecurity({
action: 'audit_security',
target: 'backend'
});
result.vulnerabilities.forEach(v => {
expect(v.remediation).toBeDefined();
});
});
});
describe('optimize_performance', () => {
it('should analyze Core Web Vitals', async () => {
const result = await fullstackSecurity({
action: 'optimize_performance',
target: 'frontend'
});
expect(result.success).toBe(true);
expect(result.performance_report.lcp).toBeDefined();
});
});
});
Security Checklist
const securityChecklist = {
authentication: [
"Strong password policy enforced",
"MFA available and encouraged",
"Session timeout configured",
"Token rotation implemented"
],
authorization: [
"Role-based access control",
"Principle of least privilege",
"Resource-level permissions",
"Access logging enabled"
],
data_protection: [
"Encryption at rest",
"Encryption in transit (TLS 1.3)",
"PII handling compliant",
"Backup encryption enabled"
]
};
Integration
- Bonded Agent: 07-security-performance
- Upstream Skills: All development and DevOps skills
- Downstream Skills: None (final checkpoint)
Version History
| Version | Date | Changes | |---------|------|---------| | 1.0.0 | 2024-01 | Initial release | | 2.0.0 | 2025-01 | Production-grade upgrade with OWASP 2024 |