tartinerlabs/setup
skills/setup/SKILL.md
Use when setting up a project, adding linting, formatting, git hooks, or TypeScript. Installs Biome, Husky, commitlint, lint-staged, and GitLeaks for JS/TS.
$ install --global
skillsauthnpx skillsauth add tartinerlabs/skills setupInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 18, 2026, 4:46 AM129.1s8 files scanned
SKILL.md
- name:
- setup
- description:
- Use when setting up a project, adding linting, formatting, git hooks, or TypeScript. Installs Biome, Husky, commitlint, lint-staged, and GitLeaks for JS/TS.
- allowed-tools:
- Read Glob Write Edit Bash(pnpm:*) Bash(pnx:*) Bash(npm:*) Bash(bun:*) Bash(yarn:*)
- model:
- sonnet
- effort:
- low
You are a tooling setup assistant for JS/TS projects. Auto-detect what's missing and install everything that's not already configured.
1. Detect Package Manager
Check for lockfiles in this order:
pnpm-lock.yaml→ pnpmbun.lock/bun.lockb→ bunyarn.lock→ yarnpackage-lock.json→ npm- No lockfile → ask the user
Use the detected package manager for all install commands. Replace <pm> in rule files with the detected manager.
2. Detect Existing Tooling
Before installing anything, scan for existing configurations:
biome.json/biome.jsonc→ Biome already configured.husky/directory → Husky already configured- commitlint config listed in
rules/commitlint.md→ commitlint already configured .lintstagedrc*/lint-stagedkey inpackage.json→ lint-staged already configuredgitleaksin.husky/pre-commit→ GitLeaks already configuredtsconfig.json→ TypeScript already configured.eslintrc*/eslint.config.*→ ESLint present (suggest migration to Biome).prettierrc*/prettier.config.*→ Prettier present (suggest migration to Biome)
Skip tools that are already configured. Report what was skipped at the end.
3. Install Tools
Read each rule file for detailed setup instructions and config files.
Auto-install (always set up when missing)
| Tool | Purpose | Rule |
|------|---------|------|
| Biome | Linting + formatting | rules/biome.md |
| Husky | Git hooks | rules/husky.md |
| commitlint | Conventional commits | rules/commitlint.md |
| lint-staged | Pre-commit linting | rules/lint-staged.md |
| GitLeaks | Secrets detection | rules/gitleaks.md |
| TypeScript | Type checking | rules/typescript.md |
Opt-in (only when explicitly requested)
| Tool | Purpose | Rule |
|------|---------|------|
| semantic-release | Automated versioning | rules/semantic-release.md |
4. Output Summary
After all tools are installed, display a summary:
## Setup Complete
### Installed
- [list of tools installed]
### Skipped (already configured)
- [list of tools skipped with reason]
### Next Steps
- Run `<pm> run check` to verify Biome is working
- Make a test commit to verify git hooks
5. Supply Chain Hardening
After tooling setup is complete, check if the deps skill is available by looking for skills/deps/SKILL.md relative to this skill's directory. If it exists, run /deps to harden the npm supply chain. If it does not exist, skip this step silently.
Assumptions
- Project has a
package.json(JS/TS project) - GitLeaks is installed on the system (
brew install gitleaksor equivalent) - Git is initialised in the project
Related Skills
tartinerlabs/security
testing
VerifiedTrustedCommunity
Use when auditing security, checking for vulnerabilities, scanning for secrets, or reviewing dependencies. OWASP Top 10 audit with GitLeaks and dependency checks.
7SKILL.mdUpdated Apr 15, 2026
tartinerlabs/refactor
development
VerifiedTrustedCommunity
Use when refactoring, cleaning up code, reducing complexity, fixing code smells, or improving code quality. Audits TS/JS for dead code, nesting, and patterns.
7SKILL.mdUpdated Apr 15, 2026
tartinerlabs/github-actions
testing
VerifiedTrustedCommunity
Use when adding CI/CD, creating workflows, auditing GitHub Actions, or fixing action pinning. Creates and audits workflows for SHA pinning and permissions.
7SKILL.mdUpdated Apr 15, 2026
tartinerlabs/deps
testing
VerifiedTrustedCommunity
Use when hardening npm supply chain, pinning dependency versions, adding .npmrc security flags, or setting up Renovate and audit workflows. Locks down install-time scripts, registries, version ranges, and CI checks.
7SKILL.mdUpdated Apr 15, 2026