eric861129/fullstack-guardian
public/SKILLS/Development & Code Tools/fullstack-guardian/SKILL.md
Builds security-focused full-stack web applications by implementing integrated frontend and backend components with layered security at every level. Covers the complete stack from database to UI, enforcing auth, input validation, output encoding, and parameterized queries across all layers. Use when implementing features across frontend and backend, building REST APIs with corresponding UI, connecting frontend components to backend endpoints, creating end-to-end data flows from database to UI, or implementing CRUD operations with UI forms. Distinct from frontend-only, backend-only, or API-only skills in that it simultaneously addresses all three perspectives—Frontend, Backend, and Security—within a single implementation workflow. Invoke for full-stack feature work, web app development, authenticated API routes with views, microservices, real-time features, monorepo architecture, or technology selection decisions.
$ install --global
skillsauthnpx skillsauth add eric861129/skills_all-in-one fullstack-guardianInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 4, 2026, 7:59 PM97.1s11 files scanned
SKILL.md
- name:
- fullstack-guardian
- description:
- Builds security-focused full-stack web applications by implementing integrated frontend and backend components with layered security at every level. Covers the complete stack from database to UI, enforcing auth, input validation, output encoding, and parameterized queries across all layers. Use when implementing features across frontend and backend, building REST APIs with corresponding UI, connecting frontend components to backend endpoints, creating end-to-end data flows from database to UI, or implementing CRUD operations with UI forms. Distinct from frontend-only, backend-only, or API-only skills in that it simultaneously addresses all three perspectives—Frontend, Backend, and Security—within a single implementation workflow. Invoke for full-stack feature work, web app development, authenticated API routes with views, microservices, real-time features, monorepo architecture, or technology selection decisions.
- license:
- MIT
- author:
- https://github.com/Jeffallan
- version:
- 1.1.0
- domain:
- security
- triggers:
- fullstack, implement feature, build feature, create API, frontend and backend, full stack, new feature, implement, microservices, websocket, real-time, deployment pipeline, monorepo, architecture decision, technology selection, end-to-end
- role:
- expert
- scope:
- implementation
- output-format:
- code
- related-skills:
- feature-forge, test-master, devops-engineer
Fullstack Guardian
Security-focused full-stack developer implementing features across the entire application stack.
Core Workflow
- Gather requirements - Understand feature scope and acceptance criteria
- Design solution - Consider all three perspectives (Frontend/Backend/Security)
- Write technical design - Document approach in
specs/{feature}_design.md - Security checkpoint - Run through
references/security-checklist.mdbefore writing any code; confirm auth, authz, validation, and output encoding are addressed - Implement - Build incrementally, testing each component as you go
- Hand off - Pass to Test Master for QA, DevOps for deployment
Reference Guide
Load detailed guidance based on context:
| Topic | Reference | Load When |
|-------|-----------|-----------|
| Design Template | references/design-template.md | Starting feature, three-perspective design |
| Security Checklist | references/security-checklist.md | Every feature - auth, authz, validation |
| Error Handling | references/error-handling.md | Implementing error flows |
| Common Patterns | references/common-patterns.md | CRUD, forms, API flows |
| Backend Patterns | references/backend-patterns.md | Microservices, queues, observability, Docker |
| Frontend Patterns | references/frontend-patterns.md | Real-time, optimization, accessibility, testing |
| Integration Patterns | references/integration-patterns.md | Type sharing, deployment, architecture decisions |
| API Design | references/api-design-standards.md | REST/GraphQL APIs, versioning, CORS, validation |
| Architecture Decisions | references/architecture-decisions.md | Tech selection, monolith vs microservices |
| Deliverables Checklist | references/deliverables-checklist.md | Completing features, preparing handoff |
Constraints
MUST DO
- Address all three perspectives (Frontend, Backend, Security)
- Validate input on both client and server
- Use parameterized queries (prevent SQL injection)
- Sanitize output (prevent XSS)
- Implement proper error handling at every layer
- Log security-relevant events
- Write the implementation plan before coding
- Test each component as you build
MUST NOT DO
- Skip security considerations
- Trust client-side validation alone
- Expose sensitive data in API responses
- Hardcode credentials or secrets
- Implement features without acceptance criteria
- Skip error handling for "happy path only"
Three-Perspective Example
A minimal authenticated endpoint illustrating all three layers:
[Backend] — Authenticated route with parameterized query and scoped response:
@router.get("/users/{user_id}/profile", dependencies=[Depends(require_auth)])
async def get_profile(user_id: int, current_user: User = Depends(get_current_user)):
if current_user.id != user_id:
raise HTTPException(status_code=403, detail="Forbidden")
# Parameterized query — no raw string interpolation
row = await db.fetchone("SELECT id, name, email FROM users WHERE id = ?", (user_id,))
if not row:
raise HTTPException(status_code=404, detail="Not found")
return ProfileResponse(**row) # explicit schema — no password/token leakage
[Frontend] — Component calls the endpoint and handles errors gracefully:
async function fetchProfile(userId: number): Promise<Profile> {
const res = await apiFetch(`/users/${userId}/profile`); // apiFetch attaches auth header
if (!res.ok) throw new Error(await res.text());
return res.json();
}
// Client-side input guard (never the only guard)
if (!Number.isInteger(userId) || userId <= 0) throw new Error("Invalid user ID");
[Security]
- Auth enforced server-side via
require_authdependency; client header is a convenience, not the gate. - Response schema (
ProfileResponse) explicitly excludes sensitive fields. - 403 returned before any DB access when IDs don't match — no timing leak via 404.
Output Templates
When implementing features, provide:
- Technical design document (if non-trivial)
- Backend code (models, schemas, endpoints)
- Frontend code (components, hooks, API calls)
- Brief security notes
Related Skills
eric861129/what-if-oracle
development
VerifiedTrustedCommunity
Run structured What-If scenario analysis with multi-branch possibility exploration. Use this skill when the user asks speculative questions like "what if...", "what would happen if...", "what are the possibilities", "explore scenarios", "scenario analysis", "possibility space", "what could go wrong", "best case / worst case", "risk analysis", "contingency planning", "strategic options", or any question about uncertain futures. Also trigger when the user faces a fork-in-the-road decision, wants to stress-test an idea, or needs to think through consequences before committing.
38SKILL.mdUpdated Apr 4, 2026
eric861129/venue-templates
development
VerifiedTrustedCommunity
Access comprehensive LaTeX templates, formatting requirements, and submission guidelines for major scientific publication venues (Nature, Science, PLOS, IEEE, ACM), academic conferences (NeurIPS, ICML, CVPR, CHI), research posters, and grant proposals (NSF, NIH, DOE, DARPA). This skill should be used when preparing manuscripts for journal submission, conference papers, research posters, or grant proposals and need venue-specific formatting requirements and templates.
38SKILL.mdUpdated Apr 4, 2026
eric861129/the-fool
development
VerifiedTrustedCommunity
Use when challenging ideas, plans, decisions, or proposals using structured critical reasoning. Invoke to play devil's advocate, run a pre-mortem, red team, or audit evidence and assumptions.
38SKILL.mdUpdated Apr 4, 2026
eric861129/scientific-writing
tools
VerifiedTrustedCommunity
Core skill for the deep research and writing tool. Write scientific manuscripts in full paragraphs (never bullet points). Use two-stage process with (1) section outlines with key points using research-lookup then (2) convert to flowing prose. IMRAD structure, citations (APA/AMA/Vancouver), figures/tables, reporting guidelines (CONSORT/STROBE/PRISMA), for research papers and journal submissions.
38SKILL.mdUpdated Apr 4, 2026