security-audit
Automated security validation, RLS enforcement, OWASP compliance, and vulnerability scanning for AI-assisted development workflows.
Introduction
The security-audit skill provides a rigorous security-first harness for software agents, focusing on maintaining infrastructure integrity in production-tested environments. Designed for developers and AI agents working within the SAFe methodology, it enforces strict database isolation and secure coding practices. It prevents common vulnerabilities such as SQL injection, hardcoded secret exposure, and authentication bypasses by integrating directly with Prisma ORM, Clerk authentication, and standard security scanning tools.
- Performs automated RLS (Row Level Security) validation to ensure database operations are properly scoped using context wrappers (withUserContext, withAdminContext).
- Audits API route handlers to guarantee that authentication checks are performed before sensitive data access, preventing unauthenticated access to protected endpoints.
- Scans for hardcoded credentials and potential secrets, ensuring compliance with environment variable management practices.
- Validates OWASP Top 10 risks, including A01 (Broken Access Control), A03 (Injection), and A06 (Vulnerable Dependencies).
- Integrates with standard CLI tooling like npm audit, yarn audit, grep, and git-secrets for continuous vulnerability assessment.
- Provides a standardized Security Audit Report template to facilitate pre-deployment reviews and sign-offs.
- Enforces Stop-the-Line conditions when dangerous patterns like raw SQL interpolation or missing auth checks are detected.
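The checks listed above reduce, in their simplest form, to pattern searches over the codebase plus a verdict. The POSIX shell script below is an added example and not the security-audit skill's own script: it builds a constructed Next.js App Router tree in a temporary directory (two route handlers and one config file, with a placeholder credential value), then runs three of the listed checks over it. The helper names (scan_raw_sql, scan_secrets, scan_routes, audit_verdict), the regular expressions and the sample files are assumptions made for illustration.

```shell
# Added example (not the security-audit skill's own script): a minimal, grep-based
# pass over a constructed Next.js App Router tree, covering three of the checks
# listed above. Helper names and the sample files are assumptions for illustration.

SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/app/api/orders" "$SAMPLE_DIR/app/api/me" "$SAMPLE_DIR/lib"

# Constructed route: no auth check, no RLS wrapper, raw SQL built from user input.
cat > "$SAMPLE_DIR/app/api/orders/route.ts" <<'EOF'
import { prisma } from "@/lib/prisma";
export async function GET(req: Request) {
  const id = new URL(req.url).searchParams.get("id");
  const rows = await prisma.$queryRawUnsafe(`SELECT * FROM orders WHERE id = '${id}'`);
  return Response.json(rows);
}
EOF

# Constructed route: Clerk auth() first, then a query scoped by withUserContext.
cat > "$SAMPLE_DIR/app/api/me/route.ts" <<'EOF'
import { auth } from "@clerk/nextjs/server";
import { withUserContext } from "@/lib/rls";
export async function GET() {
  const { userId } = await auth();
  if (!userId) return new Response("unauthorized", { status: 401 });
  const me = await withUserContext(userId, (tx) => tx.user.findUnique({ where: { id: userId } }));
  return Response.json(me);
}
EOF

# Constructed config: one value read from the environment, one hardcoded placeholder.
cat > "$SAMPLE_DIR/lib/config.ts" <<'EOF'
export const dbUrl = process.env.DATABASE_URL;
export const api_key = "constructed-placeholder-secret-0001";
EOF

# A03 Injection / stop-the-line: Prisma's *RawUnsafe calls take a plain string, so
# any interpolated value reaches SQL unparameterised. Prints file:line:text.
scan_raw_sql() {
  grep -rnE --include='*.ts' '\$(query|execute)RawUnsafe\(' "$1" || true
}

# Hardcoded secrets: a credential-like identifier assigned a quoted literal of 8+ chars.
SECRET_RE="(secret|api[_-]?key|password|token)[A-Za-z_]*[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}[\"']"
scan_secrets() {
  grep -rniE --include='*.ts' "$SECRET_RE" "$1" || true
}

# A01 Broken Access Control and RLS scoping: every route.ts under app/api must call
# Clerk's auth()/currentUser(), and any direct prisma.* access must sit inside
# withUserContext/withAdminContext. Prints "file: reason" per finding.
scan_routes() {
  find "$1/app/api" -name 'route.ts' | sort | while read -r f; do
    if ! grep -qE 'auth\(|currentUser\(' "$f"; then
      echo "$f: no authentication check in handler"
    fi
    if grep -q 'prisma\.' "$f" && ! grep -qE 'with(User|Admin)Context' "$f"; then
      echo "$f: database access outside an RLS context wrapper"
    fi
  done
}

# Stop-the-Line verdict: raw SQL interpolation or a missing auth check blocks the release.
audit_verdict() {
  if [ -n "$(scan_raw_sql "$1")" ] || scan_routes "$1" | grep -q 'authentication'; then
    echo STOP
  else
    echo PASS
  fi
}

# A second tree holding only the compliant route, to show the passing case.
CLEAN_DIR=$(mktemp -d)
mkdir -p "$CLEAN_DIR/app/api/me"
cp "$SAMPLE_DIR/app/api/me/route.ts" "$CLEAN_DIR/app/api/me/"

echo "== raw SQL ==";  scan_raw_sql "$SAMPLE_DIR"
echo "== secrets ==";  scan_secrets "$SAMPLE_DIR"
echo "== routes ==";   scan_routes "$SAMPLE_DIR"
echo "verdict (sample): $(audit_verdict "$SAMPLE_DIR")"   # STOP
echo "verdict (clean):  $(audit_verdict "$CLEAN_DIR")"    # PASS
```

Two design points carry over to a real audit pass. First, the route check is deliberately file-local: it asks whether the handler file itself contains an auth call and whether any direct Prisma access is wrapped, which is what a reviewer can verify from a diff; a handler that delegates to a helper would need the helper audited the same way. Second, the verdict treats raw SQL interpolation and a missing auth check as blocking, while the secret and RLS-wrapper findings are reported for review, mirroring the severity split the skill's report template is meant to express.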
Use this skill during pre-deployment security reviews, code refactoring, or whenever adding new database-interfacing features. It expects a structured codebase using TypeScript and the Next.js App Router, and outputs actionable findings categorized by severity. It requires the presence of security-first documentation (ADRs and policy catalogs) and standard project security configs. Always invoke this skill when auditing authentication flows, validating database schemas, or preparing a release candidate for production deployment to minimize security debt.
Repository Stats
- Stars: 58
- Forks: 14
- Open Issues: 8
- Language: Shell
- Default Branch: main
- Sync Status: Idle
- Last Synced: Apr 29, 2026, 01:51 PM