src/orchestrator/skills/security-hardening/SKILL.md
Security architecture including authentication, authorization, RLS policies, CSP, input validation, and API security. Use when implementing auth flows, writing RLS policies, configuring CSP/headers, validating inputs, or auditing security. Trigger terms: RLS, CSP, Server Actions, Zod, auth flow
`npx skillsauth add etylsarin/opencastle security-hardening`

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
| Layer | Tool | Protection |
|-------|------|------------|
| Edge | WAF / CDN | DDoS, bot detection |
| Headers | Framework config | HSTS, CSP, X-Frame-Options |
| Middleware | Proxy layer | Session refresh, protected routes |
| Server Actions | Auth provider | Authentication, CSRF |
| Database | RLS Policies | Row-level authorization |
| API Routes | CRON_SECRET | Cron job authorization |
| Input | Zod | Schema validation |
| Rate Limiting | Proxy layer | IP-based throttling |
Auth provider with Server Actions pattern. Resolve library via database capability slot in skill matrix.
| Concern | Approach |
|---------|----------|
| Sign in/up/out | Server Actions (POST-only → automatic CSRF protection) |
| Session refresh | Middleware updateSession(), HTTP-only cookies |
| Protected routes | Middleware check |
| OAuth | Configured in auth provider dashboard |
| User roles | profiles.roles TEXT[] |
| Cron auth | CRON_SECRET env var, Bearer token in authorization header |
Principle of least privilege. External domains are project-specific (see deployment customization).
- default-src 'self' — deny by default
- object-src 'none' — block plugins
- frame-ancestors 'self' — prevent clickjacking
- upgrade-insecure-requests — enforce HTTPS

Note: 'unsafe-inline'/'unsafe-eval' may be required in dev mode — use nonces/hashes in production.
Examples — Next.js next.config.js headers and middleware pattern:
```js
// next.config.js
module.exports = {
  async headers() {
    return [
      {
        source: '/(.*)',
        headers: [
          {
            key: 'Content-Security-Policy',
            // minimal example; restrict further per app needs
            // 'unsafe-inline' is the dev-mode allowance noted above; use nonces/hashes in production
            value: "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' https://api.example.com;",
          },
        ],
      },
    ];
  },
};
```

```js
// middleware.js (Next.js Edge middleware example)
import { NextResponse } from 'next/server';

export function middleware(request) {
  const res = NextResponse.next();
  res.headers.set('Content-Security-Policy', "default-src 'self'; img-src 'self' data:;");
  return res;
}
```
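The note above says to use nonces in production and keep 'unsafe-inline' for dev mode only. The following is an added example, not code from the skill, that builds the header value with the four directives listed above and a per-request nonce. `buildCsp` and `newNonce` are hypothetical helper names, and the connect-src origin is the page's `https://api.example.com` placeholder.

```javascript
// Added example (not from the skill): per-request CSP string for Next.js middleware.
// buildCsp and newNonce are hypothetical helper names.

// 128-bit random nonce, base64-encoded, via Web Crypto (available in the Edge runtime).
function newNonce() {
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  return btoa(String.fromCharCode(...bytes));
}

function buildCsp({ nonce, dev = false, connectSrc = [] } = {}) {
  // Production never falls back to 'unsafe-inline': no valid nonce, no policy.
  if (!dev && !/^[A-Za-z0-9+\/]{22,}={0,2}$/.test(nonce ?? '')) {
    throw new Error('production CSP requires a base64 nonce of at least 128 bits');
  }
  for (const origin of connectSrc) {
    // Reject anything that could smuggle a wildcard or an extra directive into the header.
    if (!/^https:\/\/[a-z0-9.-]+(:\d+)?$/i.test(origin)) {
      throw new Error(`connect-src origin rejected: ${origin}`);
    }
  }
  const directives = {
    'default-src': ["'self'"],
    'script-src': dev
      ? ["'self'", "'unsafe-inline'", "'unsafe-eval'"] // dev-mode allowance only
      : ["'self'", `'nonce-${nonce}'`],
    'img-src': ["'self'", 'data:'],
    'connect-src': ["'self'", ...connectSrc],
    'object-src': ["'none'"],
    'frame-ancestors': ["'self'"],
    'upgrade-insecure-requests': [],
  };
  return Object.entries(directives)
    .map(([name, values]) => [name, ...values].join(' '))
    .join('; ');
}
```

In middleware, call `newNonce()` once per request and pass the result to `res.headers.set('Content-Security-Policy', ...)`; the same nonce has to reach the script tags the page renders.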
SQL examples and role system: See the database skill (authoritative source for RLS).
- `ALTER TABLE x ENABLE ROW LEVEL SECURITY;` on all tables
- `auth.uid()` for auth checks; `EXISTS` subqueries for role checks

RLS verification & test pattern

```sql
-- run in psql
SELECT relname, relrowsecurity
FROM pg_class
WHERE relname = 'your_table_name';
```

`relrowsecurity = true` indicates RLS enabled.
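```sql
-- As owner (create test row)
INSERT INTO your_table_name (id, owner_id, data) VALUES (1, 'owner-uid', 'secret');
-- As other_role (should return zero rows if RLS correct)
-- other_role must be a non-owner role with SELECT on the table: owners bypass RLS
-- unless FORCE ROW LEVEL SECURITY is set, and a missing grant raises an error instead
SET ROLE other_role;
SELECT * FROM your_table_name WHERE id = 1;
-- expected: 0 rows
RESET ROLE;
```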
Automate this check in CI: run the `relrowsecurity` query above and a simple positive/negative test as part of the security gate.
```ts
'use server';
import { z } from 'zod';
import { revalidatePath } from 'next/cache';

// FormData values arrive as strings, so coerce price before the numeric check
const schema = z.object({ name: z.string().min(1), price: z.coerce.number().positive() });

export async function createItem(formData: FormData) {
  const parsed = schema.safeParse(Object.fromEntries(formData.entries()));
  if (!parsed.success) return { error: 'Validation failed', details: parsed.error.format() };
  // insert parsed.data into DB ...
  revalidatePath('/items');
  return { success: true };
}
```
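```ts
// Cron authorization pattern (inside a route handler; NextResponse comes from 'next/server')
const secret = process.env.CRON_SECRET;
const authHeader = request.headers.get('authorization');
// Fail closed when CRON_SECRET is unset; otherwise the literal "Bearer undefined" would pass
if (!secret || authHeader !== `Bearer ${secret}`) {
  return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
}
```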
Generate secret: `openssl rand -hex 32`. Rotate quarterly.
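Quarterly rotation means that, for a short window, the scheduler and the deployment may hold different secrets. The following is an added example, not code from the skill, of a cron check that fails closed on a missing or malformed secret and accepts either the current or the previous secret during rotation. `authorizeCron` and the `CRON_SECRET_PREVIOUS` variable are hypothetical names; only `CRON_SECRET` comes from the page.

```javascript
// Added example (not from the skill). CRON_SECRET_PREVIOUS is a hypothetical variable
// used only during the rotation window.
const HEX_64 = /^[0-9a-f]{64}$/; // shape of `openssl rand -hex 32` output

// Compare every character instead of returning at the first mismatch.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % b.length);
  }
  return diff === 0;
}

function authorizeCron(authHeader, env) {
  // Only well-formed secrets count, so an unset or truncated value never authorizes.
  const candidates = [
    { name: 'current', value: env.CRON_SECRET },
    { name: 'previous', value: env.CRON_SECRET_PREVIOUS },
  ].filter((c) => typeof c.value === 'string' && HEX_64.test(c.value));
  if (candidates.length === 0) return { ok: false, reason: 'secret-not-configured' };

  const match = /^Bearer (\S+)$/.exec(authHeader ?? '');
  if (!match) return { ok: false, reason: 'missing-or-malformed-header' };

  // Check all candidates so the response time does not depend on which one matched.
  let matched = null;
  for (const c of candidates) {
    if (safeEqual(match[1], c.value) && matched === null) matched = c.name;
  }
  return matched === null
    ? { ok: false, reason: 'bad-token' }
    : { ok: true, reason: matched };
}
```

A route handler would call `authorizeCron(request.headers.get('authorization'), process.env)` and return 401 whenever `ok` is false; logging `reason` shows when callers are still using the previous secret.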
Input: Zod schemas in all Server Actions and route handlers; React Hook Form client-side.
- SELECT relrowsecurity FROM pg_class WHERE relname = 'your_table').
- /api/me).
- next.config.js or middleware; validate headers with curl -I against a preview URL.

Cross-reference: see api-patterns/SKILL.md for Server Action patterns and session-checkpoints/SKILL.md for checkpointing security-sensitive work.