Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

digirati-co-uk/auth-authorization

Name: auth-authorization
Author: digirati-co-uk

.agents/skills/auth-authorization/SKILL.md

npx skillsauth add digirati-co-uk/madoc-platform auth-authorization

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Auth & Authorization (Madoc TS)

Overview

Document how Madoc TS authenticates users, parses/verifies JWTs, and applies authorization in middleware and route handlers.

Key Entry Points

Auth server: services/madoc-ts/src/auth-server.ts
Auth strategies: services/madoc-ts/src/auth/index.ts, services/madoc-ts/src/auth/github.ts
Provider login flow: services/madoc-ts/src/auth/utils/login-with-provider.ts
JWT parsing middleware: services/madoc-ts/src/middleware/parse-jwt.ts
JWT cookie setter: services/madoc-ts/src/middleware/set-jwt.ts
Token verification: services/madoc-ts/src/utility/verify-signed-token.ts

Auth Flow Summary (Based on Source)

Strategies are registered in src/auth/index.ts and exposed via getAuthRoutes().
GitHub auth uses koa-passport and passport-github2 in src/auth/github.ts.
GitHub strategy is enabled only if GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET, and GITHUB_CLIENT_CALLBACK_URL are set.
Provider login flow is handled by loginWithProvider, which:
- Matches a federated login against the user table (federated_logins JSON column).
- If a user is found, calls context.siteManager.getVerifiedLogin and sets context.state.authenticatedUser.
- Redirects to / after successful login.
JWT verification uses verifySignedToken (RS256, public key from getPublicPem).
parseJwt middleware:
- Reads JWT cookie for site slug routes (/s/:slug/...).
- Refreshes expired tokens when possible via context.siteManager.refreshExpiredToken and sets new cookies.
- For non-site routes, extracts token via getToken() and verifies it (normally gateway-verified but rechecked here).
- Sets context.state.jwt and context.state.user when a token is valid.
- Throws NotAuthorized if a non-site request lacks a valid token.
setJwt middleware sets auth cookies for authenticated users when no JWT is present yet.

Quick Start Workflow

Inspect auth/index.ts to see registered strategies and routes.
If adding a provider, implement a new strategy (patterned after auth/github.ts) and include it in strategies.
Follow login-with-provider.ts to see how federated login is linked to a user and how session cookies are set.
Trace parse-jwt.ts for cookie parsing, token refresh, and fallback token verification.
Confirm JWT verification details in verify-signed-token.ts.

Common Tasks

Add or update an auth provider
Debug missing/invalid JWTs
Adjust token refresh window or cookie naming
Add authorization checks to a new route

Pitfalls

Strategy enabled without required env vars (throws at register)
Tokens verified but user state not set (check parse-jwt control flow)
Route missing auth guard (ensure middleware coverage)

Suggested Checks

Auth login flow success (provider callback and redirect)
JWT verification success and context.state.jwt set
Token refresh path works (expired cookie refreshes)

digirati-co-uk/auth-authorization

.agents/skills/auth-authorization/SKILL.md

Trace or modify Madoc TS authentication and authorization. Use when working on login strategies, JWT parsing/verification, cookie handling, or route-level authorization in services/madoc-ts.

56 stars

documentation

Updated Apr 16, 2026

$ install --global

skillsauth

npx skillsauth add digirati-co-uk/madoc-platform auth-authorization

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 16, 2026, 3:52 PM4.6s2 files scanned

SKILL.md

name:: auth-authorization
description:: Trace or modify Madoc TS authentication and authorization. Use when working on login strategies, JWT parsing/verification, cookie handling, or route-level authorization in services/madoc-ts.

Auth & Authorization (Madoc TS)

Overview

Document how Madoc TS authenticates users, parses/verifies JWTs, and applies authorization in middleware and route handlers.

Key Entry Points

Auth server: services/madoc-ts/src/auth-server.ts
Auth strategies: services/madoc-ts/src/auth/index.ts, services/madoc-ts/src/auth/github.ts
Provider login flow: services/madoc-ts/src/auth/utils/login-with-provider.ts
JWT parsing middleware: services/madoc-ts/src/middleware/parse-jwt.ts
JWT cookie setter: services/madoc-ts/src/middleware/set-jwt.ts
Token verification: services/madoc-ts/src/utility/verify-signed-token.ts

Auth Flow Summary (Based on Source)

Strategies are registered in src/auth/index.ts and exposed via getAuthRoutes().
GitHub auth uses koa-passport and passport-github2 in src/auth/github.ts.
GitHub strategy is enabled only if GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET, and GITHUB_CLIENT_CALLBACK_URL are set.
Provider login flow is handled by loginWithProvider, which:
- Matches a federated login against the user table (federated_logins JSON column).
- If a user is found, calls context.siteManager.getVerifiedLogin and sets context.state.authenticatedUser.
- Redirects to / after successful login.
JWT verification uses verifySignedToken (RS256, public key from getPublicPem).
parseJwt middleware:
- Reads JWT cookie for site slug routes (/s/:slug/...).
- Refreshes expired tokens when possible via context.siteManager.refreshExpiredToken and sets new cookies.
- For non-site routes, extracts token via getToken() and verifies it (normally gateway-verified but rechecked here).
- Sets context.state.jwt and context.state.user when a token is valid.
- Throws NotAuthorized if a non-site request lacks a valid token.
setJwt middleware sets auth cookies for authenticated users when no JWT is present yet.

Quick Start Workflow

Inspect auth/index.ts to see registered strategies and routes.
If adding a provider, implement a new strategy (patterned after auth/github.ts) and include it in strategies.
Follow login-with-provider.ts to see how federated login is linked to a user and how session cookies are set.
Trace parse-jwt.ts for cookie parsing, token refresh, and fallback token verification.
Confirm JWT verification details in verify-signed-token.ts.

Common Tasks

Add or update an auth provider
Debug missing/invalid JWTs
Adjust token refresh window or cookie naming
Add authorization checks to a new route

Pitfalls

Strategy enabled without required env vars (throws at register)
Tokens verified but user state not set (check parse-jwt control flow)
Route missing auth guard (ensure middleware coverage)

Suggested Checks

Auth login flow success (provider callback and redirect)
JWT verification success and context.state.jwt set
Token refresh path works (expired cookie refreshes)

Related Skills

digirati-co-uk/utility-core

tools

VerifiedTrustedCommunity

Work on Madoc TS shared utility helpers (JWT, metadata, errors, IIIF helpers, auth helpers). Use when changing core utility functions or shared helpers in services/madoc-ts.

56SKILL.mdUpdated Apr 16, 2026

digirati-co-uk/utility-core

digirati-co-uk/types-schemas

development

VerifiedTrustedCommunity

Work on Madoc TS shared type definitions and schema contracts. Use when updating TypeScript types, JSON schema shapes, or cross-layer data contracts in services/madoc-ts.

56SKILL.mdUpdated Apr 16, 2026

digirati-co-uk/types-schemas

digirati-co-uk/tasks-automation

tools

VerifiedTrustedCommunity

Understand and extend Madoc TS task automation, including bots and task-related extensions. Use when adding task automation, bot behavior, or task metadata resolution in services/madoc-ts.

56SKILL.mdUpdated Apr 16, 2026

digirati-co-uk/tasks-automation

digirati-co-uk/ssr-site

development

VerifiedTrustedCommunity

Work on Madoc TS site SSR pipeline, HTML template injection, and site render data wiring. Use when changing site SSR behavior, template tokens, or site SSR data wiring in services/madoc-ts.

56SKILL.mdUpdated Apr 16, 2026

digirati-co-uk/ssr-site

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/digirati-co-uk/madoc-platform.git

# Copy into Claude Code skills folder (global)
cp -r madoc-platform/.agents/skills/auth-authorization ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

digirati-co-uk/madoc-platform

56 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT