.claude/skills/pre-production/SKILL.md
Pre-Production Security & Quality Check with Strix AI. Use BEFORE deploying to production to catch vulnerabilities and issues.
```bash
npx skillsauth add lucidlabs-hq/agent-kit pre-production
```

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Run security and quality checks before code goes to production.
| | MVP / Staging | Production Delivery |
|---|---|---|
| Command | `/pre-production mvp` | `/pre-production production` |
| Checks | Quick Security Scan, Basic Vulnerability Check, Essential E2E Tests, Build Verification | Full Security Audit, Deep Vulnerability Scan, Full E2E Test Suite, Performance Check |
| Duration | ~5 minutes | ~15-30 minutes |
| For | Internal demos, beta testing, staging deploy | Real users, paid customers, final release |
```bash
# Via curl
curl -sSL https://strix.ai/install | bash
# Or via pipx
pipx install strix-agent
# Environment variables
export STRIX_LLM="anthropic/claude-sonnet-4-20250514"
export LLM_API_KEY="your-api-key"
```
`/pre-production mvp`: quick check for internal demos and staging.

```bash
cd frontend && pnpm run build
cd frontend && pnpm run validate
# Local code scan
strix --target ./frontend --scan-mode quick -n
# Or against the staging URL
strix --target https://staging.your-app.com --scan-mode quick -n
cd frontend && pnpm run test:e2e -- --grep "@critical"
```
`/pre-production production`: full check before a real production deploy.

```bash
cd frontend && pnpm run build
cd frontend && pnpm run validate
cd frontend && pnpm run test
# Full scan against a production-like environment
strix --target https://staging.your-app.com \
  --instruction-file .strix/production-check.md \
  -n
# With specific instructions
strix --target https://staging.your-app.com \
  --instruction "Focus on: authentication bypass, injection attacks, access control, XSS, SSRF"
cd frontend && pnpm run test:e2e
# Lighthouse via agent-browser
agent-browser open https://staging.your-app.com
agent-browser evaluate "JSON.stringify(window.performance.timing)"
```
Create `.strix/production-check.md` so the production scan runs the same checks every time:
```markdown
# Production Security Check

## Target Information
- Next.js 16 Application
- Convex Database
- Better Auth Authentication

## Focus Areas

### Authentication
- Test login/logout flows
- Check session handling
- Verify JWT/token security
- Test password reset flow

### Authorization
- Test role-based access
- Verify API endpoint protection
- Check for IDOR vulnerabilities

### Injection
- Test all input fields
- Check API parameters
- Verify SQL/NoSQL injection protection

### Client-Side
- Check for XSS in user inputs
- Verify CSP headers
- Test for open redirects

### API Security
- Check rate limiting
- Verify CORS configuration
- Test for SSRF

## Exclude
- /api/health (public)
- Static assets
```
| Stage | Development | Staging | Production |
|---|---|---|---|
| Command | `/visual-verify` | `/pre-production mvp` | `/pre-production production` |
| Scope | Fast, UI focus | Quick check, security basics | Full audit, complete security |
```
/pre-production mvp
/pre-production production
```
| Issue | Action |
|-------|--------|
| SQL/NoSQL Injection | STOP - fix immediately |
| Auth Bypass | STOP - fix immediately |
| RCE Vulnerability | STOP - fix immediately |

| Issue | Action |
|-------|--------|
| XSS (Stored) | Fix before production |
| IDOR | Fix before production |
| SSRF | Fix before production |

| Issue | Action |
|-------|--------|
| XSS (Reflected) | Document, fix soon |
| Missing Rate Limit | Document, fix soon |

| Issue | Action |
|-------|--------|
| Information Disclosure | Backlog |
| Missing Headers | Backlog |
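The tables above define a policy, but nothing on this page shows how it stops a deploy. The script below is an added example (not part of the agent-kit skill and not Strix's own output handling) that turns the two modes described earlier (`mvp` vs `production`) and these four action tables into a gate a CI step can run after the scan: STOP findings block any deploy, "Fix before production" findings additionally block a production deploy, and everything else is only reported. It assumes a hypothetical findings format of one `<issue type>;<location>` line per finding; the real Strix report format is not shown here, so the parser would need adapting to it. The sample findings are constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example, not the skill's own code: a triage gate that applies the
# severity tables to scan findings and decides per mode ("mvp"/"production")
# whether the deploy may proceed.
#
# Assumed (hypothetical) input: one finding per line on stdin, in the form
#   <issue type>;<location>
# Strix's real report format is not shown on this page; adapt the parser.

# Map an issue type, named as in the tables, to its action.
triage_action() {
  case "$1" in
    "SQL/NoSQL Injection"|"Auth Bypass"|"RCE Vulnerability")
      echo "STOP - fix immediately" ;;
    "XSS (Stored)"|"IDOR"|"SSRF")
      echo "Fix before production" ;;
    "XSS (Reflected)"|"Missing Rate Limit")
      echo "Document, fix soon" ;;
    "Information Disclosure"|"Missing Headers")
      echo "Backlog" ;;
    *)
      # Anything the tables do not name must be triaged by a human.
      echo "Unclassified - triage manually" ;;
  esac
}

# Gate decision. STOP findings block every deploy; "Fix before production"
# findings additionally block a production deploy. Prints one triage line per
# finding and returns 0 (deploy may proceed) or 1 (blocked).
gate() {
  mode="$1"
  blocked=0
  while IFS=';' read -r issue location; do
    [ -n "$issue" ] || continue
    action=$(triage_action "$issue")
    printf '%-24s %-28s %s\n' "$issue" "$location" "$action"
    case "$action" in
      STOP*)
        blocked=1 ;;
      "Fix before production")
        if [ "$mode" = "production" ]; then blocked=1; fi ;;
    esac
  done
  return "$blocked"
}

# Constructed sample findings so the script runs without a scanner.
sample_findings() {
  printf '%s\n' \
    'IDOR;/api/invoices/[id]' \
    'Missing Headers;/' \
    'XSS (Reflected);/search?q='
}

# Stand-alone run: the same findings pass the mvp gate but block production.
echo "--- mvp ---"
sample_findings | gate mvp && echo "mvp: deploy may proceed"
echo "--- production ---"
sample_findings | gate production || echo "production: blocked (fix before deploy)"
```

In a real pipeline the `sample_findings` call is replaced by whatever converts the scanner's report into `<issue type>;<location>` lines, and the step ends with `... | gate "$MODE" || exit 1` so a blocked result fails the job.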