global-plugin

Scaffold or upgrade a project-scope `.mcp.json` from global-plugin's curated MCP server registry. Stack-aware, idempotent, re-runnable — preserves hand-edited and non-managed entries.

File a tracked suggestion (new skill / hook / command / subagent / docs / mod) against the global-plugin repo as a GitHub issue, with auto-collected session context.

Use when reviewing a change that crosses service/app boundaries, adds a new top-level package, or shifts dependency direction in the monorepo. Do NOT use for intra-app structure concerns — use nextjs-app-structure-guard or nestjs-service-boundary-guard instead. Covers monorepo ownership, dependency direction, shared-package scope, cross-service contracts.

Use when reviewing or editing authentication, sessions, JWT/tokens, RBAC/ABAC logic, or any route/handler/procedure that accesses user data. Do NOT use for infra-level IAM (use `infra-safe-change` / `aws-deploy-safety`). Covers authN flows, session/token hygiene, RBAC/ABAC checks, CSRF, permission inheritance.

Use when writing or reviewing React Native + Expo mobile code — screens, navigation, native module usage, OTA updates. Do NOT use for web React (use `frontend-implementation-guard`). Covers RN/Expo structure, navigation patterns, native module boundaries, EAS Build / EAS Update, platform-specific behaviour, offline UX.

Use when writing or reviewing any UI — web or mobile — that a user interacts with. Do NOT skip this for "internal tools"; internal users also use assistive tech. Covers WCAG 2.2 AA, keyboard navigation, focus management, ARIA correctness, colour contrast, reduced motion, form accessibility.

Use when deploying to AWS (ECS Fargate, Lambda, App Runner) or changing deploy-related AWS resources (task definitions, Lambda config, secrets references, roles consumed at runtime). Do NOT use for IaC review (use `infra-safe-change`) or for CI pipeline integrity (use `cicd-pipeline-safety`). Covers deploy strategies, task role discipline, Secrets Manager integration, health checks, rolling vs blue-green, zero-downtime migrations.

Use when evaluating risk for a planned change at PR time. Covers risk rating, blast-radius analysis (importer graph, change classification, query-plan regression, spooky-action surfaces), deploy strategy, monitoring signals, rollback path (mechanism choice, migration reversibility, kill-switch design, time-to-rollback, dual-support, rehearsal), and stakeholder notification. Do NOT use for code-level review (that's the domain skills) or simple feature-flagged changes that default off.

Use when reviewing or editing GitHub Actions workflows, reusable workflows, required-check configuration, or promotion logic between environments. Do NOT use for application deploy mechanics (use `aws-deploy-safety`). Covers OIDC to AWS, secret scoping, required checks, branch protection, artifact integrity, environment promotion, third-party action pinning.

Use when asked "are we testing the right things" or after a feature is complete but before merge, to find critical untested paths. Do NOT use for test authoring patterns (use `test-strategy-enforcement`). Covers critical-path identification, missing negative tests, untested error branches, edge-case discovery.

Use when writing or reviewing React components, hooks, component-level state, or data-fetching at the component layer. Do NOT use for Next.js routing/rendering structure (use `nextjs-app-structure-guard`), accessibility (use `accessibility-guard`), or bundle/runtime perf (use `performance-budget-guard`). Covers component structure, state placement, data flow, hook discipline, composition.

Use when reviewing or editing Terraform, CloudFormation, CDK, or any IaC that provisions cloud resources — especially state stores, networking, IAM, and compute scaling. Do NOT use for application-level AWS SDK calls (use `aws-deploy-safety`). Covers IaC review, state management, drift detection, destructive plan detection, IAM policies, networking changes.

Use when reviewing or editing a public HTTP API, webhook payload, event schema, or any boundary another team/service depends on. Do NOT use for internal intra-module calls (use `nestjs-service-boundary-guard`). Covers API versioning, breaking-change detection, schema evolution, webhook/event contracts, consumer migration.

Use when reviewing or editing a NestJS module, controller, provider, or DTO. Do NOT use for database query shape (use `prisma-data-access-guard`) or for cross-service contracts (use `integration-contract-safety`). Covers module ownership, provider scope, controller/service split, DTO validation, transaction placement, cross-module coupling.

Use when reviewing or editing a Next.js App Router file — page, layout, route handler, middleware, server action, or a component that crosses the server/client boundary. Do NOT use for pure client component state logic (use `frontend-implementation-guard`) or for data access (use `prisma-data-access-guard`). Covers RSC vs client, route handlers, middleware, server actions, streaming, caching, route groups.

Use when debugging a production or staging issue, monitoring a hot path, or instrumenting code that should be observable. Do NOT use for local-only debugging of new code (use your IDE). Covers logs/metrics/traces-first method, structured logging, correlation ID propagation, alarm design.

Use when editing Claude Code tooling files (SKILL.md, hooks.json, agents/*.md, .mcp.json, .claude-plugin/plugin.json, CLAUDE.md) or designing/auditing plugins, skills, hooks, subagents, MCP servers, or Agent SDK applications. Do NOT use for app code (React components, NestJS services, Prisma schemas) — those have dedicated guard skills. Covers harness primitives, plugin design, skill authoring, hook patterns, MCP integration, Agent SDK usage. TRIGGER when editing files matching the paths above, or when the task mentions "claude code", "agent SDK", "MCP server", "subagent", "plugin design", "skill authoring", or "hook". SKIP when writing app/feature code in a consumer project — those route to the matching guard skill (frontend-implementation-guard, nestjs-service-boundary-guard, prisma-data-access-guard, etc.).

Use when reviewing or creating a new route, dependency, heavy computation, DB query on a hot path, or UI that might affect Core Web Vitals. Do NOT use for pure logic correctness review (use `typescript-rigor`) or for DB query shape (use `prisma-data-access-guard`). Covers Core Web Vitals, JS bundle budgets, query p95 budgets, memoization, streaming, caching layers.

Use when designing or modifying a PostgreSQL column's shape — choosing JSONB vs relational columns vs child tables vs external object store, planning a new table, or reviewing a `schema.prisma` change that introduces or widens a JSONB column. Do NOT use for query shape, indexes on existing columns, transactions, or migration mechanics (use `prisma-data-access-guard`); cross-package data ownership (use `architecture-guard`). Covers JSONB justification gates (shape, access/writes, cost), staging vs system-of-record, GIN / `jsonb_path_ops` indexing strategy chosen at design time, TOAST/WAL update amplification.

Use when reviewing or editing Prisma queries, schema, or migrations. Do NOT use for schema design decisions without a concrete query (use `architecture-guard`). Covers query shape, N+1, transactions, migration safety, indexes, raw SQL safety, selection shape.

Use when publishing to or consuming from SQS, EventBridge, or any message queue; also for background jobs with retry semantics. Do NOT use for in-process retries of a function call (use `resilience-and-error-handling`). Covers at-least-once delivery, idempotency keys, DLQ strategy, poison message handling, visibility timeout, ordering.

Use when reviewing or designing code that calls a network service, handles an error, sets a timeout, implements a retry, or exposes a user-facing failure path. Do NOT use for queue-specific retry semantics (use `queue-and-retry-safety`). Covers timeouts, retry with jitter, circuit breakers, error boundaries, idempotency of external calls, graceful degradation, typed errors.

Use when touching environment variables, secret references, or config that varies across environments. Do NOT use for IAM policy review (use `infra-safe-change`) or runtime observability (use `observability-first-debugging`). Covers secret sourcing, env var discipline, config drift, client-vs-server env boundaries, secret rotation awareness.

Use when reviewing a change that writes data AND the UI caches or optimistically updates that data, or when cache/invalidation behaviour changes on either side. Do NOT use for pure DB write review (use `prisma-data-access-guard`) or pure UI state shape (use `frontend-implementation-guard`). Covers cache invalidation, optimistic updates, server/client divergence, stale reads.

Use when adding, upgrading, or pinning a dependency; or when reviewing lockfile churn, CVE reports, or license changes. Do NOT use for internal package imports (use `architecture-guard`). Covers lockfile discipline, SCA, pinned versions, license policy, peer-dep drift, typosquat detection.

Use when adding tests, changing testing patterns, or reviewing a PR's test plan. Do NOT use for missing-coverage analysis (use `coverage-gap-detection`) or for risk assessment (use `change-risk-evaluation`). Covers test pyramid, unit vs integration vs e2e split, flake hygiene, test data, mocks vs real services.

Use when authoring or reviewing TypeScript types, generics, DTOs, or boundary parsing. Do NOT use for runtime/logic review without a type concern. Covers strict compiler options, discriminated unions, branded types, exhaustiveness, zod boundaries, error types.

2 hooks across 2 events