From spicedb-dev
Use when a user wants to plan, scope, or get started with adding authorization to their application - guides brainstorming to produce a phased implementation plan that incorporates the right skills and commands in sequence
npx claudepluginhub authzed/authzed-marketplace --plugin spicedb-devThis skill uses the workspace's default tool permissions.
This plugin adds a first pass at SpiceDB fine-grained authorization to an application
Implements structured self-debugging workflow for AI agent failures: capture errors, diagnose patterns like loops or context overflow, apply contained recoveries, and generate introspection reports.
Monitors deployed URLs for regressions in HTTP status, console errors, performance metrics, content, network, and APIs after deploys, merges, or upgrades.
Provides React and Next.js patterns for component composition, compound components, state management, data fetching, performance optimization, forms, routing, and accessible UIs.
This plugin adds a first pass at SpiceDB fine-grained authorization to an application being built or modified. The goal is getting authorization structurally correct -- right permissions, right places, right operations. It is not a production hardening or debugging tool.
Run /spicedb-dev:plan. This scopes the work, produces authorization-plan.md,
and writes an authorization snippet to CLAUDE.md so permissions are considered
automatically in every future session without needing to invoke any command. This is
the most important setup step.
Then /spicedb-dev:design-model -- scans for existing model files and extracts
entity names. Produces permission-model.md.
Then /spicedb-dev:generate-schema -- converts the model to schema.zed.
Schema-validator runs automatically.
Deploy the schema externally: zed schema write schema.zed.
Every feature needs both operations -- this is the most common implementation mistake:
Relationship writes (/spicedb-dev:implement-spicedb-relationships) --
run when writing handlers that create resources, grant membership, or delete resources.
SpiceDB returns NO_PERMISSION for everything until relationships are written. Writes
must come before checks.
Permission checks (/spicedb-dev:implement-spicedb-checks) -- run when
writing any handler that reads, modifies, or deletes a resource on behalf of a user.
For list endpoints, use LookupResources -- not CheckPermission in a loop.
Use /spicedb-dev:implement-spicedb when unsure which is needed -- it
communicates the paired requirement and routes to the right command.
/spicedb-dev:audit-coverage produces a coverage matrix: every permission in
the schema vs. whether a corresponding check exists in code. Routes each gap to the
correct implement command.
/spicedb-dev:test-permissions generates test fixtures and integration tests
from the schema.
/spicedb-dev:plan/spicedb-dev:design-model/spicedb-dev:generate-schema/spicedb-dev:implement-spicedb/spicedb-dev:audit-coveragespicedb-schema-design skillspicedb-best-practices skillGreenfield: Start with the simplest model that works. Three resources with basic RBAC beats ten resources with speculative complexity. Add caveats and custom roles only when a concrete scenario requires them.
Existing app: The checkpoint-identifier agent can map current authorization
boundaries before designing the SpiceDB model. Run it early to reveal scope that
isn't obvious from the data model alone.
Multi-tenant SaaS: Finalize tenant isolation before designing resource-level permissions. The tenant boundary is the most consequential design decision -- getting it wrong affects every other resource.
Migration: Do not skip Phase 1. Read existing auth code first to understand the
current permission surface. See the Migration Track in /spicedb-dev:plan.