Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

popup-studio-ai/skills/phase-7-seo-security

Name: skills/phase-7-seo-security
Author: popup-studio-ai

skills/phase-7-seo-security/SKILL.md

npx skillsauth add popup-studio-ai/bkit-claude-code skills/phase-7-seo-security

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Phase 7: SEO/Security

Search optimization and security enhancement

Purpose

Make the application discoverable through search and defend against security vulnerabilities.

What to Do in This Phase

SEO Optimization: Meta tags, structured data, sitemap
Performance Optimization: Core Web Vitals improvement
Security Enhancement: Authentication, authorization, vulnerability defense

Deliverables

docs/02-design/
├── seo-spec.md             # SEO specification
└── security-spec.md        # Security specification

src/
├── middleware/             # Security middleware
└── components/
    └── seo/                # SEO components

PDCA Application

Plan: Define SEO/security requirements
Design: Meta tags, security policy design
Do: SEO/security implementation
Check: Inspection and verification
Act: Improve and proceed to Phase 8

Level-wise Application

| Level | Application Method | |-------|-------------------| | Starter | SEO only (minimal security) | | Dynamic | SEO + basic security | | Enterprise | SEO + advanced security |

SEO Checklist

Basic

[ ] Per-page title, description
[ ] Open Graph meta tags
[ ] Canonical URL
[ ] sitemap.xml
[ ] robots.txt

Structured Data

[ ] JSON-LD schema
[ ] Breadcrumb
[ ] Product/Review schema (if applicable)

Performance

[ ] Image optimization (next/image)
[ ] Font optimization
[ ] Code splitting

Security Checklist

Authentication/Authorization

[ ] Secure session management
[ ] CSRF protection
[ ] Proper permission checks

Data Protection

[ ] Input validation
[ ] SQL injection defense
[ ] XSS defense

Communication Security

[ ] HTTPS enforcement
[ ] Security header configuration
[ ] CORS policy

Security Architecture (Cross-Phase Connection)

Security Layer Structure

┌─────────────────────────────────────────────────────────────┐
│                     Client (Browser)                         │
├─────────────────────────────────────────────────────────────┤
│   Phase 6: UI Security                                       │
│   - XSS defense (input escaping)                            │
│   - CSRF token inclusion                                     │
│   - No sensitive info storage on client                      │
├─────────────────────────────────────────────────────────────┤
│   Phase 4/6: API Communication Security                      │
│   - HTTPS enforcement                                        │
│   - Authorization header (Bearer Token)                      │
│   - Content-Type validation                                  │
├─────────────────────────────────────────────────────────────┤
│   Phase 4: API Server Security                               │
│   - Input validation                                         │
│   - Rate Limiting                                            │
│   - Minimal error messages (prevent sensitive info exposure) │
├─────────────────────────────────────────────────────────────┤
│   Phase 2/9: Environment Variable Security                   │
│   - Secrets management                                       │
│   - Environment separation                                   │
│   - Client-exposed variable distinction                      │
└─────────────────────────────────────────────────────────────┘

Security Responsibilities by Phase

| Phase | Security Responsibility | Verification Items | |-------|------------------------|-------------------| | Phase 2 | Environment variable convention | NEXT_PUBLIC_* distinction, Secrets list | | Phase 4 | API security design | Auth method, error codes, input validation | | Phase 6 | Client security | XSS defense, token management, sensitive info | | Phase 7 | Security implementation/inspection | Full security checklist | | Phase 9 | Deployment security | Secrets injection, HTTPS, security headers |

Client Security (Phase 6 Connection)

XSS Defense Principles

⚠️ XSS (Cross-Site Scripting) Defense

1. Never use innerHTML directly
2. Always sanitize user input when rendering as HTML
3. Leverage React's automatic escaping
4. Use DOMPurify library when needed

No Sensitive Information Storage

// ❌ Forbidden: Sensitive info in localStorage
localStorage.setItem('password', password);
localStorage.setItem('creditCard', cardNumber);

// ✅ Allowed: Store only tokens (httpOnly cookies recommended)
localStorage.setItem('auth_token', token);

// ✅ More secure: httpOnly cookie (set by server)
// Set-Cookie: token=xxx; HttpOnly; Secure; SameSite=Strict

CSRF Defense

// Include CSRF token in API client
// lib/api/client.ts
private async request<T>(endpoint: string, config: RequestConfig = {}) {
  const headers = new Headers(config.headers);

  // Add CSRF token
  const csrfToken = this.getCsrfToken();
  if (csrfToken) {
    headers.set('X-CSRF-Token', csrfToken);
  }
  // ...
}

API Security (Phase 4 Connection)

Input Validation (Server-side)

// All input must be validated on the server
import { z } from 'zod';

const CreateUserSchema = z.object({
  email: z.string().email(),
  password: z.string().min(8).max(100),
  name: z.string().min(1).max(50),
});

// Usage in API Route
export async function POST(req: Request) {
  const body = await req.json();

  const result = CreateUserSchema.safeParse(body);
  if (!result.success) {
    return Response.json({
      error: {
        code: 'VALIDATION_ERROR',
        message: 'Input is invalid.',
        details: result.error.flatten().fieldErrors,
      }
    }, { status: 400 });
  }

  const { email, password, name } = result.data;
}

Error Message Security

// ❌ Dangerous: Detailed error info exposure
{
  message: 'User with email [email protected] not found',
  stack: error.stack,  // Stack trace exposed!
}

// ✅ Safe: Minimal information only
{
  code: 'NOT_FOUND',
  message: 'User not found.',
}

// Detailed logs only on server
console.error(`User not found: ${email}`, error);

Rate Limiting

// middleware.ts
import { Ratelimit } from '@upstash/ratelimit';

const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(10, '10 s'),
});

export async function middleware(request: NextRequest) {
  const ip = request.ip ?? '127.0.0.1';
  const { success } = await ratelimit.limit(ip);

  if (!success) {
    return new Response('Too Many Requests', { status: 429 });
  }
}

Environment Variable Security (Phase 2/9 Connection)

Client Exposure Check

// lib/env.ts
const serverEnvSchema = z.object({
  DATABASE_URL: z.string(),      // Server only
  AUTH_SECRET: z.string(),       // Server only
});

const clientEnvSchema = z.object({
  NEXT_PUBLIC_APP_URL: z.string(),   // Can be exposed to client
});

export const serverEnv = serverEnvSchema.parse(process.env);
export const clientEnv = clientEnvSchema.parse({
  NEXT_PUBLIC_APP_URL: process.env.NEXT_PUBLIC_APP_URL,
});

Security Header Configuration

// next.config.js
const securityHeaders = [
  { key: 'Strict-Transport-Security', value: 'max-age=63072000' },
  { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'origin-when-cross-origin' },
];

module.exports = {
  async headers() {
    return [{ source: '/:path*', headers: securityHeaders }];
  },
};

Security Verification Checklist (Phase 8 Connection)

Required (All Levels)

[ ] HTTPS enforcement
[ ] No sensitive info exposed to client
[ ] Input validation (server-side)
[ ] XSS defense
[ ] No sensitive info in error messages

Recommended (Dynamic and above)

[ ] CSRF token applied
[ ] Rate Limiting applied
[ ] Security headers configured
[ ] httpOnly cookies (auth token)

Advanced (Enterprise)

[ ] Content Security Policy (CSP)
[ ] Security audit logs
[ ] Regular security scans

Next.js SEO Example

// app/layout.tsx
export const metadata: Metadata = {
  title: {
    default: 'Site Name',
    template: '%s | Site Name',
  },
  description: 'Site description',
  openGraph: {
    type: 'website',
    locale: 'en_US',
    url: 'https://example.com',
    siteName: 'Site Name',
  },
};

Template

See templates/pipeline/phase-7-seo-security.template.md

Next Phase

Phase 8: Review → After optimization, verify overall code quality

popup-studio-ai/skills/phase-7-seo-security

skills/phase-7-seo-security/SKILL.md

--- name: phase-7-seo-security classification: capability classification-reason: Pattern guidance may overlap with model's built-in knowledge as it improves deprecation-risk: medium effort: medium user-invocable: false description: | Enhance SEO (meta tags, semantic HTML) and security (vulnerability checks, hardening). Triggers: SEO, security, meta tags, vulnerability, 검색 최적화, 보안. imports: - ${PLUGIN_ROOT}/templates/pipeline/phase-7-seo-security.template.md agents: default: bkit:code-ana

510 stars

tools

Updated Apr 18, 2026

$ install --global

skillsauth

npx skillsauth add popup-studio-ai/bkit-claude-code skills/phase-7-seo-security

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 18, 2026, 6:22 AM38.7s1 file scanned

SKILL.md

name:: phase-7-seo-security
classification:: capability
classification-reason:: Pattern guidance may overlap with model's built-in knowledge as it improves
deprecation-risk:: medium
effort:: medium
user-invocable:: false
description:: |
Triggers:: SEO, security, meta tags, vulnerability, 검색 최적화, 보안.
default:: bkit:code-analyzer
security:: bkit:security-architect
next-skill:: phase-8-review
pdca-phase:: do
task-template:: [Phase-7] {feature}

Phase 7: SEO/Security

Search optimization and security enhancement

Purpose

Make the application discoverable through search and defend against security vulnerabilities.

What to Do in This Phase

SEO Optimization: Meta tags, structured data, sitemap
Performance Optimization: Core Web Vitals improvement
Security Enhancement: Authentication, authorization, vulnerability defense

Deliverables

docs/02-design/
├── seo-spec.md             # SEO specification
└── security-spec.md        # Security specification

src/
├── middleware/             # Security middleware
└── components/
    └── seo/                # SEO components

PDCA Application

Plan: Define SEO/security requirements
Design: Meta tags, security policy design
Do: SEO/security implementation
Check: Inspection and verification
Act: Improve and proceed to Phase 8

Level-wise Application

| Level | Application Method | |-------|-------------------| | Starter | SEO only (minimal security) | | Dynamic | SEO + basic security | | Enterprise | SEO + advanced security |

SEO Checklist

Basic

[ ] Per-page title, description
[ ] Open Graph meta tags
[ ] Canonical URL
[ ] sitemap.xml
[ ] robots.txt

Structured Data

[ ] JSON-LD schema
[ ] Breadcrumb
[ ] Product/Review schema (if applicable)

Performance

[ ] Image optimization (next/image)
[ ] Font optimization
[ ] Code splitting

Security Checklist

Authentication/Authorization

[ ] Secure session management
[ ] CSRF protection
[ ] Proper permission checks

Data Protection

[ ] Input validation
[ ] SQL injection defense
[ ] XSS defense

Communication Security

[ ] HTTPS enforcement
[ ] Security header configuration
[ ] CORS policy

Security Architecture (Cross-Phase Connection)

Security Layer Structure

┌─────────────────────────────────────────────────────────────┐
│                     Client (Browser)                         │
├─────────────────────────────────────────────────────────────┤
│   Phase 6: UI Security                                       │
│   - XSS defense (input escaping)                            │
│   - CSRF token inclusion                                     │
│   - No sensitive info storage on client                      │
├─────────────────────────────────────────────────────────────┤
│   Phase 4/6: API Communication Security                      │
│   - HTTPS enforcement                                        │
│   - Authorization header (Bearer Token)                      │
│   - Content-Type validation                                  │
├─────────────────────────────────────────────────────────────┤
│   Phase 4: API Server Security                               │
│   - Input validation                                         │
│   - Rate Limiting                                            │
│   - Minimal error messages (prevent sensitive info exposure) │
├─────────────────────────────────────────────────────────────┤
│   Phase 2/9: Environment Variable Security                   │
│   - Secrets management                                       │
│   - Environment separation                                   │
│   - Client-exposed variable distinction                      │
└─────────────────────────────────────────────────────────────┘

Security Responsibilities by Phase

Client Security (Phase 6 Connection)

XSS Defense Principles

⚠️ XSS (Cross-Site Scripting) Defense

1. Never use innerHTML directly
2. Always sanitize user input when rendering as HTML
3. Leverage React's automatic escaping
4. Use DOMPurify library when needed

No Sensitive Information Storage

// ❌ Forbidden: Sensitive info in localStorage
localStorage.setItem('password', password);
localStorage.setItem('creditCard', cardNumber);

// ✅ Allowed: Store only tokens (httpOnly cookies recommended)
localStorage.setItem('auth_token', token);

// ✅ More secure: httpOnly cookie (set by server)
// Set-Cookie: token=xxx; HttpOnly; Secure; SameSite=Strict

CSRF Defense

// Include CSRF token in API client
// lib/api/client.ts
private async request<T>(endpoint: string, config: RequestConfig = {}) {
  const headers = new Headers(config.headers);

  // Add CSRF token
  const csrfToken = this.getCsrfToken();
  if (csrfToken) {
    headers.set('X-CSRF-Token', csrfToken);
  }
  // ...
}

API Security (Phase 4 Connection)

Input Validation (Server-side)

// All input must be validated on the server
import { z } from 'zod';

const CreateUserSchema = z.object({
  email: z.string().email(),
  password: z.string().min(8).max(100),
  name: z.string().min(1).max(50),
});

// Usage in API Route
export async function POST(req: Request) {
  const body = await req.json();

  const result = CreateUserSchema.safeParse(body);
  if (!result.success) {
    return Response.json({
      error: {
        code: 'VALIDATION_ERROR',
        message: 'Input is invalid.',
        details: result.error.flatten().fieldErrors,
      }
    }, { status: 400 });
  }

  const { email, password, name } = result.data;
}

Error Message Security

// ❌ Dangerous: Detailed error info exposure
{
  message: 'User with email [email protected] not found',
  stack: error.stack,  // Stack trace exposed!
}

// ✅ Safe: Minimal information only
{
  code: 'NOT_FOUND',
  message: 'User not found.',
}

// Detailed logs only on server
console.error(`User not found: ${email}`, error);

Rate Limiting

// middleware.ts
import { Ratelimit } from '@upstash/ratelimit';

const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(10, '10 s'),
});

export async function middleware(request: NextRequest) {
  const ip = request.ip ?? '127.0.0.1';
  const { success } = await ratelimit.limit(ip);

  if (!success) {
    return new Response('Too Many Requests', { status: 429 });
  }
}

Environment Variable Security (Phase 2/9 Connection)

Client Exposure Check

// lib/env.ts
const serverEnvSchema = z.object({
  DATABASE_URL: z.string(),      // Server only
  AUTH_SECRET: z.string(),       // Server only
});

const clientEnvSchema = z.object({
  NEXT_PUBLIC_APP_URL: z.string(),   // Can be exposed to client
});

export const serverEnv = serverEnvSchema.parse(process.env);
export const clientEnv = clientEnvSchema.parse({
  NEXT_PUBLIC_APP_URL: process.env.NEXT_PUBLIC_APP_URL,
});

Security Header Configuration

// next.config.js
const securityHeaders = [
  { key: 'Strict-Transport-Security', value: 'max-age=63072000' },
  { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'origin-when-cross-origin' },
];

module.exports = {
  async headers() {
    return [{ source: '/:path*', headers: securityHeaders }];
  },
};

Security Verification Checklist (Phase 8 Connection)

Required (All Levels)

[ ] HTTPS enforcement
[ ] No sensitive info exposed to client
[ ] Input validation (server-side)
[ ] XSS defense
[ ] No sensitive info in error messages

Recommended (Dynamic and above)

[ ] CSRF token applied
[ ] Rate Limiting applied
[ ] Security headers configured
[ ] httpOnly cookies (auth token)

Advanced (Enterprise)

[ ] Content Security Policy (CSP)
[ ] Security audit logs
[ ] Regular security scans

Next.js SEO Example

// app/layout.tsx
export const metadata: Metadata = {
  title: {
    default: 'Site Name',
    template: '%s | Site Name',
  },
  description: 'Site description',
  openGraph: {
    type: 'website',
    locale: 'en_US',
    url: 'https://example.com',
    siteName: 'Site Name',
  },
};

Template

See templates/pipeline/phase-7-seo-security.template.md

Next Phase

Phase 8: Review → After optimization, verify overall code quality

Related Skills

popup-studio-ai/sprint

testing

VerifiedTrustedCommunity

Sprint Management — generic sprint capability for ANY bkit user. 16 sub-actions: init, start, status, watch, phase, iterate, qa, report, archive, list, feature, pause, resume, fork, help, master-plan. Triggers: sprint, sprint start, sprint init, sprint status, sprint list, 스프린트, 스프린트 시작, 스프린트 상태, スプリント, スプリント開始, スプリント状態, 冲刺, 冲刺开始, 冲刺状态, sprint, iniciar sprint, estado sprint, sprint, demarrer sprint, statut sprint, Sprint, Sprint starten, Sprint Status, sprint, avviare sprint, stato sprint, master plan, multi-sprint plan, sprint master plan, 마스터 플랜, 멀티 스프린트 계획, 스프린트 마스터 플랜, マスタープラン, マルチスプリント計画, スプリントマスタープラン, 主计划, 多冲刺计划, 冲刺主计划, plan maestro, plan multi-sprint, plan maestro sprint, plan maître, plan multi-sprint, plan maître sprint, Masterplan, Multi-Sprint-Plan, Sprint-Masterplan, piano principale, piano multi-sprint, piano principale sprint.

548SKILL.mdUpdated May 13, 2026

popup-studio-ai/sprint

popup-studio-ai/cc-version-analysis

tools

VerifiedTrustedCommunity

CC CLI version upgrade impact analysis — research changes, analyze bkit impact, generate report. Triggers: cc-version-analysis, CC upgrade, version analysis, CC 버전 분석, 버전 영향.

545SKILL.mdUpdated Apr 18, 2026

popup-studio-ai/cc-version-analysis

popup-studio-ai/rollback

testing

VerifiedTrustedCommunity

Manage PDCA checkpoints and rollback — create, list, restore for safe recovery. Rollback events are recorded via lib/audit/audit-logger ACTION_TYPES.rollback_executed. For sprint-level recovery, individual feature rollbacks may be triggered from within sprint phases (sprint itself is forward-only — terminal state is `archived`, not rolled back; v2.1.13). Triggers: rollback, checkpoint, restore, undo, 롤백, 체크포인트, 복원.

539SKILL.mdUpdated Apr 18, 2026

popup-studio-ai/rollback

popup-studio-ai/qa-phase

testing

VerifiedTrustedCommunity

QA Phase execution — L1-L5 test planning, generation, execution, and reporting for a single feature. For sprint-level QA (7-Layer dataFlowIntegrity / S1 gate across multiple features) use /sprint qa <sprintId> which delegates to sprint-qa-flow agent (v2.1.13). Triggers: qa phase, QA test, qa run, QA 실행, QAフェーズ, QA阶段, fase QA, phase QA, QA-Phase, fase QA.

539SKILL.mdUpdated Apr 18, 2026

popup-studio-ai/qa-phase

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/popup-studio-ai/bkit-claude-code.git

# Copy into Claude Code skills folder (global)
cp -r bkit-claude-code/skills/phase-7-seo-security ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

popup-studio-ai/bkit-claude-code

510 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT