Fullstack Security Skill

Atomic skill for security auditing and performance optimization.

Responsibility

Single Purpose: Audit security, optimize performance, and ensure compliance

Actions

`audit_security`

Perform security audit against specified standards.

// Input
{
  action: "audit_security",
  audit_type: "owasp",
  target: "backend"
}

// Output
{
  success: true,
  vulnerabilities: [
    {
      severity: "high",
      category: "A03:Injection",
      title: "SQL Injection Risk",
      location: "src/routes/users.ts:45",
      remediation: "Use parameterized queries"
    }
  ],
  compliance_status: { owasp_score: 75, passing: 8, failing: 2 },
  recommendations: ["Add input validation", "Implement CSP headers"]
}

`optimize_performance`

Analyze and optimize application performance.

`configure_caching`

Set up caching strategies.

`harden_infrastructure`

Apply security hardening to infrastructure.

Validation Rules

function validateParams(params: SkillParams): ValidationResult {
  if (!params.action) {
    return { valid: false, error: "action is required" };
  }

  if (params.action === 'audit_security' && !params.target) {
    return { valid: false, error: "target required for security audit" };
  }

  return { valid: true };
}

Error Handling

Error Code	Description	Recovery
CRITICAL_VULNERABILITY	Critical security issue found	Block deployment, immediate fix
PERFORMANCE_REGRESSION	Performance degraded	Rollback or optimize
COMPLIANCE_VIOLATION	Compliance requirement not met	Document and remediate
SCAN_FAILED	Security scanner failed	Use alternative tool

Logging Hooks

{
  "on_invoke": "log.info('fullstack-security invoked', { action, target })",
  "on_vulnerability": "log.warn('Vulnerability found', { severity, category })",
  "on_success": "log.info('Security check completed', { score, recommendations })",
  "on_error": "log.error('Security skill failed', { error })"
}

Unit Test Template

import { describe, it, expect } from 'vitest';
import { fullstackSecurity } from './fullstack-security';

describe('fullstack-security skill', () => {
  describe('audit_security', () => {
    it('should detect OWASP Top 10 vulnerabilities', async () => {
      const result = await fullstackSecurity({
        action: 'audit_security',
        audit_type: 'owasp',
        target: 'backend'
      });

      expect(result.success).toBe(true);
      expect(result.compliance_status.owasp_score).toBeDefined();
    });

    it('should provide remediation steps', async () => {
      const result = await fullstackSecurity({
        action: 'audit_security',
        target: 'backend'
      });

      result.vulnerabilities.forEach(v => {
        expect(v.remediation).toBeDefined();
      });
    });
  });

  describe('optimize_performance', () => {
    it('should analyze Core Web Vitals', async () => {
      const result = await fullstackSecurity({
        action: 'optimize_performance',
        target: 'frontend'
      });

      expect(result.success).toBe(true);
      expect(result.performance_report.lcp).toBeDefined();
    });
  });
});

Security Checklist

const securityChecklist = {
  authentication: [
    "Strong password policy enforced",
    "MFA available and encouraged",
    "Session timeout configured",
    "Token rotation implemented"
  ],
  authorization: [
    "Role-based access control",
    "Principle of least privilege",
    "Resource-level permissions",
    "Access logging enabled"
  ],
  data_protection: [
    "Encryption at rest",
    "Encryption in transit (TLS 1.3)",
    "PII handling compliant",
    "Backup encryption enabled"
  ]
};

Integration

Bonded Agent: 07-security-performance
Upstream Skills: All development and DevOps skills
Downstream Skills: None (final checkpoint)

Version History

Version	Date	Changes
1.0.0	2024-01	Initial release
2.0.0	2025-01	Production-grade upgrade with OWASP 2024

fullstack-security