tahr-test-authentication
Installation
SKILL.md
Test Authentication
Find identity-boundary failures, not merely unusual responses. Treat auth material as untrusted until it proves the intended identity and transport.
Establish safe scope
- Identify source roots, runtime origins, supported authentication methods, supplied identities, and expected account lifecycle.
- Do not send runtime requests unless the user supplied or authorized the target. Use source-only analysis otherwise.
- Treat all supplied accounts as protected unless explicitly labeled disposable. Do not lock, reset, disable, delete, re-role, enroll or remove MFA/passkeys, rotate credentials, or invalidate all sessions on protected accounts.
- Use invalid identifiers for low-volume response-shape checks and disposable accounts for lockout, reset completion, password changes, MFA mutation, code replay, and takeover proof.
- Stop runtime testing on lockout text, CAPTCHA, rate limiting, disabled-account state, unexpected notification delivery, or unclear side effects.
Prove identity truth first
For each supplied identity: