plugins/platform-engineering/skills/platform-engineering/SKILL.md
Cross-platform development rulebook covering security, architecture, and performance for SPA, PWA, mobile (iOS/Android), and desktop (Electron/Tauri) applications. MUST/DO/DON'T framework with real-world incident references and platform-specific guidance. TRIGGER WHEN: reviewing or building cross-platform apps, checking security posture, validating architecture decisions, optimizing performance, or auditing code against industry standards (OWASP, Core Web Vitals, OAuth 2.1). DO NOT TRIGGER WHEN: the task is purely about UI design, copywriting, or business logic unrelated to platform engineering concerns.
npx skillsauth add acaprino/alfio-claude-plugins platform-engineering

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status.
Three pillars govern every application you ship -- Security, Architecture, and Performance. Each rule is tagged with severity (MUST/DO/DON'T) and platform applicability.
| Concern | SPA | PWA | Mobile | Electron | Tauri |
|---------|-----|-----|--------|----------|-------|
| Auth token storage | JS memory + httpOnly cookies | JS memory + httpOnly cookies | Platform Keychain/Keystore | OS credential store | OS credential store |
| OAuth flow | Auth Code + PKCE | Auth Code + PKCE | System browser + PKCE | Standard PKCE | Standard PKCE |
| XSS impact | Session hijack | + persistent SW hijack | WebView bridge access | XSS to RCE | Limited to web context |
| CSP | Critical | Critical | WebViews only | Critical | Relevant |
| Offline strategy | Optional | IndexedDB + Cache API + SW | Room/CoreData + sync queue | Optional | Optional |
| Bundle target | <170KB compressed JS | <170KB compressed JS | <20MB APK/IPA | 80-150MB (Chromium) | <10MB total |
| API style | REST or GraphQL | REST (SW caching) | GraphQL (fewer round-trips) | REST (server-side aggregation) | REST |
| State management | Zustand/Redux + TanStack Query | IndexedDB + Cache API | ViewModel+StateFlow / SwiftUI | IPC + context isolation | Rust invoke commands |

server-validation, auth-tokens, passkeys-webauthn, api-security, xss-csp, secrets-management, platform-security

client-server-architecture, api-design, offline-first, infrastructure

frontend-performance, backend-and-platform-performance

development
Unified web frontend knowledge base covering CSS architecture, UX psychology, UI components, distinctive aesthetics, and interface design generation. TRIGGER WHEN: working on web styling, design systems, component decisions, responsive strategy, distinctive frontend aesthetics, or exploring multiple interface designs. DO NOT TRIGGER WHEN: the task is purely backend or unrelated to web frontend.
development
Coordinate parallel code reviews across multiple quality dimensions with finding deduplication, severity calibration, and consolidated reporting. Use this skill when organizing multi-reviewer code reviews, calibrating finding severity, or consolidating review results.
tools
Knowledge base for the codebase-mapper plugin. Provides writing guidelines, tone rules, and diagram conventions for generating human-readable project guides. Referenced by all codebase-mapper agents during document generation. TRIGGER WHEN: referenced by codebase-mapper pipeline agents (codebase-explorer, overview-writer, tech-writer, flow-writer, onboarding-writer, ops-writer, config-writer, guide-reviewer) during document generation. DO NOT TRIGGER WHEN: outside the /map-codebase pipeline (general documentation work should use docs:readme-craft or codebase-mapper:docs-create).
tools
Progressive Web App knowledge base for 2025-2026: Web App Manifest, Service Workers (Workbox 7, Serwist), Web Push (VAPID, RFC 8030/8291/8292, Declarative Push for Safari 18.4+), install flows (beforeinstallprompt, Window Controls Overlay), OPFS storage, Project Fugu, Core Web Vitals (INP < 200ms), security (HTTPS, CSP, COOP/COEP), and distribution (Bubblewrap, PWA Builder MSIX, Capacitor). TRIGGER WHEN: building, auditing, or debugging PWAs, including manifest, service worker, Web Push, install flow, OPFS, Background Sync, Wake Lock, vite-plugin-pwa, Next.js Serwist, @angular/pwa, @vite-pwa/nuxt, Bubblewrap, TWA, PWA Builder, or Capacitor wrapping. DO NOT TRIGGER WHEN: the task is generic frontend styling (use frontend), React performance (use react-development:review-react), cross-platform security unrelated to PWA (use platform-engineering), Tauri or Electron wrappers (use tauri-development), or GA4 / analytics (use digital-marketing).