Loading...
Loading...
Found 76 Skills
Composes, debugs, and optimizes Guillotine GraphQL queries for Enonic XP headless content delivery. Covers query construction, variable usage, filtering, aggregation, pagination, sorting, and TypeScript type generation from the auto-generated Guillotine schema. Use when writing or troubleshooting Guillotine queries, querying custom content types through GraphQL, or generating typed interfaces from Guillotine responses. Don't use for content type XML definitions, non-Enonic GraphQL APIs (Apollo, Hasura), server-side lib-content queries, or Guillotine deployment and CORS configuration.
Build backend APIs for Chrome extensions. NestJS + MongoDB (Mongoose) recommended stack. Auth, webhooks, license verification, CORS. Use when: backend, API, server, database, license, webhook.
MUST be used whenever reviewing a Dune app for security issues, or before shipping any feature that handles credentials, user input, or external data. Do NOT skip this when the user asks for a security review, security audit, or vulnerability check — run every step in order. Triggers: security, security review, security audit, vulnerability, XSS, injection, credentials, secrets, auth, authentication, authorization, token, sensitive data, input validation, CORS, CSP, dependency audit.
Build Next.js 16 apps with App Router, Server Components/Actions, Cache Components ("use cache"), and async route params. Includes proxy.ts (replaces middleware.ts) and React 19.2. Use when: building Next.js 16 projects, or troubleshooting async params (Promise types), "use cache" directives, parallel route 404s (missing default.js), or proxy.ts CORS.
Cloudflare R2 object storage playbook: buckets, Workers Binding API, S3 compatibility, presigned URLs, multipart uploads, CORS, lifecycle policies, event notifications, public buckets, storage classes, data migration. Keywords: Cloudflare R2, object storage, S3 compatible, Workers binding, R2Bucket, presigned URLs, multipart upload, CORS, lifecycle, event notifications, Super Slurper, Sippy, R2 pricing.
Use this skill when building Model Context Protocol (MCP) servers on Cloudflare Workers. This skill should be used when deploying remote MCP servers with TypeScript, implementing OAuth authentication (GitHub, Google, Azure, etc.), using Durable Objects for stateful MCP servers, implementing WebSocket hibernation for cost optimization, or configuring dual transport methods (SSE + Streamable HTTP). The skill prevents 15+ common errors including McpAgent class export issues, OAuth redirect URI mismatches, WebSocket state loss, Durable Objects binding errors, and CORS configuration mistakes. Includes production-tested templates for basic MCP servers, OAuth proxy integration, stateful servers with Durable Objects, and complete wrangler.jsonc configurations. Covers all 4 authentication patterns: token validation, remote OAuth with DCR, OAuth proxy (workers-oauth-provider), and full OAuth provider implementation. Self-contained with Worker and Durable Objects basics. Token efficiency: ~87% savings (40k → 5k tokens). Production tested on Cloudflare's official MCP servers. Keywords: MCP server, Model Context Protocol, cloudflare mcp, mcp workers, remote mcp server, mcp typescript, @modelcontextprotocol/sdk, mcp oauth, mcp authentication, github oauth mcp, durable objects mcp, websocket hibernation, mcp sse, streamable http, McpAgent class, mcp tools, mcp resources, mcp prompts, oauth proxy, workers-oauth-provider, mcp deployment, McpAgent export error, OAuth redirect URI, WebSocket state loss, mcp cors, mcp dcr
Load PROACTIVELY when task involves security review, vulnerability assessment, or hardening. Use when user says "check for security issues", "audit for vulnerabilities", "scan for secrets", "review auth security", or "check OWASP compliance". Covers authentication and session security, authorization and access control, input validation and injection prevention, data protection and encryption, dependency vulnerability scanning, API security (CORS, rate limiting, headers), and infrastructure hardening. Produces structured reports with severity ratings.
Verify and configure HTTP security headers (CSP, HSTS, CORS, X-Frame-Options, etc). Checks current configuration and generates framework-specific fixes.
Use when writing server-side code with Supabase — Edge Functions, Hono apps, webhook handlers, or any backend that needs Supabase auth and client creation. Trigger whenever the user imports from `@supabase/server`, mentions `supabase/server`, Supabase Edge Functions, or needs server-side auth (JWT verification, API key validation, CORS handling) with Supabase. Also trigger when you see legacy patterns in existing code — `Deno.serve`, `createClient(Deno.env.get('SUPABASE_URL'))`, imports from `esm.sh/@supabase`, `deno.land/std` serve, or usage of `SUPABASE_ANON_KEY` / `SUPABASE_SERVICE_ROLE_KEY` — these indicate code that should be migrated to this package.
Answer Enable Banking API FAQs and apply best practices for ASPSP/PSU terminology, pricing and activation expectations, production compliance fields, restricted application account linking, ASPSP identifiers and BICs, beta integrations, user identification, balances, transaction history and continuation keys, PSU headers, rate limits, JWT handling, session validity, expired sessions, language selection, ASPSP_ERROR retries, iframe/WebView/CORS issues, payment statuses, bulk payments, TPP infrastructure, and sandbox credential lookup. Use when Codex needs to explain edge cases, design robust Enable Banking behavior, or troubleshoot recurring API and UX problems.
This skill deploys frontend and full-stack projects to EdgeOne Pages (Tencent EdgeOne). It should be used when the user's primary intent is to deploy, publish, ship, host, launch, go live, or release a new version — e.g. "deploy my app", "publish this site", "push this live", "create a preview deployment", "deploy to EdgeOne", "ship to production", "上线", "发布", "发一版", "重新部署". Do NOT trigger when deployment is only mentioned as a secondary step (e.g. "write an API and deploy it" — primary intent is writing code, use edgeone-pages-dev). Do NOT trigger for post-deployment runtime errors (e.g. CORS issues, 500 errors after deploy — use edgeone-pages-dev for troubleshooting).
MUST be used whenever fixing security issues in a Flows app, or before shipping any feature that handles credentials, user input, or external data. This skill finds AND fixes security problems — it does not just report them. Do NOT skip this when the user asks for a security fix, security hardening, or vulnerability remediation — run every step in order. Triggers: security, security fix, security hardening, vulnerability, XSS, injection, credentials, secrets, auth, authentication, authorization, token, sensitive data, input validation, CORS, CSP, dependency audit.