security-audit
Security Audit
Systematic security review for application code, dependencies, and configuration.
Not a replacement for professional penetration testing. Identifies common vulnerabilities within scope of code review.
Audit Types
| Type | Focus | When to Use |
|---|---|---|
| Code Review | OWASP Top 10, injection, auth | New features, PRs, suspicious code |
| Dependency | CVEs, outdated packages | Before deploy, periodic, CI/CD |
| Configuration | Secrets, permissions, hardening | Infrastructure changes, new envs |
| Architecture | Attack surface, data flow | Design phase, major refactors |
| API Security | Auth, authz, rate limiting | New endpoints, public APIs |
When NOT to Use
- Designing new auth flows — Use
api-designfor designing OAuth2/JWT endpoints from scratch
More from srstomp/pokayokay
architecture-review
Use when auditing project structure, planning refactors, improving code organization, analyzing dependencies and module boundaries, or identifying structural issues. TypeScript/JavaScript-primary with language-agnostic patterns.
301figma-plugin
Use when building Figma plugins, creating design automation tools, implementing sandbox/UI communication, or working with the Figma Plugin API for node manipulation, styles, and components.
79sdk-development
Use when building TypeScript SDKs, extracting shared code into packages, creating developer tooling libraries, designing clean API surfaces, or publishing to npm (public or private). Covers typed clients, error handling, multi-target bundling (ESM/CJS/browser).
28testing-strategy
Use when designing test architecture, building API test suites, validating API contracts, setting up component or E2E testing, managing test data, debugging flaky tests, reviewing coverage strategy, or organizing test files. Covers test pyramid, mocking (MSW), frontend (React Testing Library, Playwright), and CI integration.
28session-review
Use after completing work sessions to analyze agent behavior patterns, prepare session handoffs for continuity, document completed work, identify blockers, or preserve context for the next session.
27spike
Time-boxed technical investigation with structured output. Use for feasibility studies, architecture exploration, integration assessment, performance analysis, or risk evaluation. Creates spike tasks in ohno, enforces time-boxing, generates spike reports, and creates actionable follow-up tasks.
25