Columbia-Cloudworks-LLC/compasses
.cursor/skills/compasses/SKILL.md
Use when reviewing authorization boundaries, rate limiting, tenant isolation, IAM scope, or runtime guardrails that keep the application within its intended bounds.
$ install --global
skillsauthnpx skillsauth add Columbia-Cloudworks-LLC/EquipQR compassesInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 10:46 PM15.7s1 file scanned
SKILL.md
- name:
- compasses
- description:
- Use when reviewing authorization boundaries, rate limiting, tenant isolation, IAM scope, or runtime guardrails that keep the application within its intended bounds.
Compasses
Symbolism
The compasses circumscribe the work and keep it within due bounds.
Purpose
Analyze the application's boundaries and guardrails so it cannot stray into unauthorized data access, runaway execution, or over-broad privilege.
This skill is about enforcing limits at the seams: APIs, roles, rate limits, function boundaries, data scope, and operational controls.
Invocation
/compasses/compasses <optional-scope-path>
Operating Rules
- Focus on boundary enforcement, not general code quality.
- Review identity, authorization, tenant scope, and rate or execution limits together.
- Prefer fail-closed defaults and least privilege.
- Check each trust boundary hop, not just the first entry point.
- Treat missing guards on destructive or high-cost paths as high-risk.
Workflow
Copy this checklist and track it while running:
Compasses Progress
- [ ] 1) Confirm scope and trust boundaries
- [ ] 2) Map entry points, privileges, and data reach
- [ ] 3) Check rate limits, authorization guards, and execution bounds
- [ ] 4) Identify places the app can stray beyond scope
- [ ] 5) Produce a guardrail plan
1) Confirm scope and trust boundaries
Identify the relevant APIs, background jobs, edge functions, UI actions, or automation paths and the trust boundaries between them.
2) Map entry points, privileges, and data reach
Document who can call what, what permissions are required, and what data or side effects each path can reach.
3) Check rate limits, authorization guards, and execution bounds
Look for:
- missing or weak rate limiting
- over-broad IAM or service role usage
- missing role or tenant checks
- background tasks without execution limits or circuit breakers
4) Identify places the app can stray beyond scope
Flag every path where a caller could access more data, trigger more work, or hold more power than intended.
5) Produce a guardrail plan
Recommend the smallest set of controls needed to keep the system within bounds.
Output Contract
- Boundary Map
- Out-of-Bounds Findings
- Guardrail Plan
- Priority Order
- Next Step
Guardrails
- Do not assume upstream checks make downstream guards unnecessary.
- Do not conflate admin convenience with least privilege.
- Do not ignore tenant isolation on shared tables or APIs.
- Do not recommend adding limits without explaining the abuse or failure mode they prevent.
Related Skills
Columbia-Cloudworks-LLC/react-best-practices
development
VerifiedTrustedCommunity
React performance optimization guidelines from Vercel Engineering, with EquipQR-specific mappings (Vite + React Router + TanStack Query). Use when writing, reviewing, or refactoring React code in this repo, especially around waterfalls, bundle size, and re-renders.
1SKILL.mdUpdated Apr 16, 2026
Columbia-Cloudworks-LLC/postgres-best-practices
testing
VerifiedTrustedCommunity
Postgres performance optimization and best practices from Supabase, adapted to EquipQR's Supabase (Postgres + RLS) workflow. Use when editing SQL, migrations, indexes, or RLS policies.
1SKILL.mdUpdated Apr 16, 2026
Columbia-Cloudworks-LLC/brand-guidelines
development
VerifiedTrustedCommunity
Applies EquipQR's brand colors and design-system tokens to any artifact that should match EquipQR's look-and-feel. Use it when brand colors, style guidelines, visual formatting, or EquipQR design standards apply.
1SKILL.mdUpdated Apr 16, 2026
Columbia-Cloudworks-LLC/trowel
development
VerifiedTrustedCommunity
Use when auditing dependency health, API contract consistency, shared data shapes, or brittle integration seams between modules, services, and packages.
1SKILL.mdUpdated Apr 16, 2026