| Skill | Description | | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | `adversarial-performance` | Multi-pass adversarial performance audit for entire repositories. Combines structured profiling (Agent A) with adversarial stress-testing critique (Agent B) through iterative passes. Optimize repo/backend performance, hot-paths, build size, and server throughput. Do NOT use for frontend page load metrics or Lighthouse audits (use web-perf). NOT for frontend Core Web Vitals (use web-perf). | | `adversarial-planner` | Multi-pass adversarial planning and review skill that improves agent-generated plans through structured critique stages. Combines an initial planning agent (structure, logic, task sequencing) with an adversarial review agent (performance, security, maintainability) and a final Copilot extension validation pass. Use when creating implementation plans, designing architecture, planning roadmaps or milestones, or when the user says "plan this", "review my plan", "adversarial review", or "multi-pass plan". | | `adversarial-security` | Multi-pass adversarial security audit for entire repositories. Combines structured threat modeling (Agent A) with adversarial attack surface analysis (Agent B) through iterative passes. Merges the security-audit workflow's 10-category checklist with the adversarial-planner's structured critique methodology. Use when running security audits, threat modeling, or when the user says "security audit", "adversarial security", "threat model this repo", "red team this repo", or "find vulnerabilities". NOT for fixing or remediating known security issues (use autonomous-dev instead). NOT for supply chain dependency scanning. NOT for general workflow audits or code quality. If user says 'fix security issues', ask whether they want to audit first or fix known issues. | | `adversarial-skill-audit` | Multi-pass adversarial quality audit for agent skill directories. Combines structured evaluation with adversarial stress-testing to assess skill completeness, instruction clarity, trigger accuracy, and security. Use when auditing a skills directory. | | `adversarial-workflow-audit` | Multi-pass adversarial quality audit for flat markdown workflow files. Combines structured evaluation (Agent A) with adversarial stress-testing (Agent B) to assess sequential clarity, prerequisite validation, HITL (Human-in-the-loop) safety gates, loop prevention, and formatting. Use when auditing workflow scripts (e.g., slash-commands like /bump-deploy), or when the user asks to review or improve operational playbooks. | | `agents-sdk` | Build AI agents on Cloudflare Workers using the Agents SDK. Load when creating stateful agents, durable workflows, real-time WebSocket apps, scheduled tasks, MCP servers, or chat applications. Covers Agent class, state management, callable RPC, Workflows integration, and React hooks. Do NOT trigger for generic 'build a server' requests unless the platform is explicitly specified as Cloudflare Agents. | | `auth-identity` | Standards for Authentication and Identity management. Use when configuring OAuth, JWTs, sessions, RBAC (Role-Based Access Control), or integrating auth providers (Auth0, Clerk, NextAuth). | | `autonomous-dev` | Harness for autonomous software development. Use when fixing or remediating known issues (including security vulnerabilities). Enforces lifecycle through alignment gates (PROJECT.md), adversarial generator/evaluator agents, and autonomous orchestration of project issues. NOT for setting up standalone CI/CD pipelines. | | `aws` | Comprehensive AWS (Amazon Web Services) best practices and infrastructure guidelines. Use when deploying to AWS, writing CloudFormation/CDK/Terraform for AWS, configuring IAM permissions, S3 buckets, EC2 instances, Lambda functions, or ECS/EKS clusters. Do NOT trigger for generic "deploy my app" requests without clarifying the target platform. | | `azure` | Microsoft Azure best practices. Use when deploying to Azure App Service, Azure Functions, AKS (Azure Kubernetes Service), Cosmos DB, configuring Azure Entra ID (Active Directory), or managing Azure Resource Manager (ARM/Bicep) templates. Do NOT trigger for generic "deploy my app" requests without clarifying the target platform. | | `biome` | Biome formatting and linting standards. Use when configuring Biome (biome.json) for fast formatting, linting, and sorting imports as a replacement for Prettier and ESLint. | | `bun` | Master the Bun all-in-one toolkit — runtime, package manager, test runner, and bundler. Use when writing, running, testing, or bundling TypeScript/JavaScript with Bun. Triggers on "bun", "bunx", "bun install", "bun test", "bun run". If the user asks to 'write tests' without specifying the type, you MUST ask 'Unit, E2E, or both?' before proceeding. | | `cloudflare` | (GENERIC ROUTING ONLY) General Cloudflare platform skill for infrastructure, storage, and networking. Use when choosing between Cloudflare products (KV vs D1 vs R2) or doing general Cloudflare tasks. NOT for building AI agents (use agents-sdk). NOT for building MCP servers (use mcp-builder). NOT for deploying applications unless Cloudflare is the explicit target platform. Do NOT use for code-reviewing Workers (use workers-best-practices instead) or for CLI deployment/management (use wrangler instead). NOT for orchestrating CI/CD pipelines (use github-actions instead). NOT for AWS, GCP, Azure, Render, or generic container deployment. Use specific skills like `wrangler` or `workers-best-practices` when the task is narrowly scoped. references: - workers - pages - d1 - durable-objects - workers-ai | | `docker` | Production-grade Docker and container best practices. Use when containerizing apps with Docker, writing Dockerfiles, or managing Docker Compose environments. "multi-stage build", "image size", "docker-compose". Use ONLY when a Dockerfile or container registry is the explicit target for deployment. NOT for serverless or Cloudflare Workers. NOT for generic app deployment without containers. NOT for orchestrating CI/CD pipelines natively (use github-actions instead). Do NOT trigger for generic "deploy my app" requests without clarifying the target platform. | | `drizzle-orm` | Drizzle ORM best practices. Use when configuring databases, designing schemas, writing queries, or handling migrations with Drizzle ORM, particularly with Cloudflare D1 or SQLite. NOT for database setup without an explicit engine. Require engine specification (Postgres/MySQL/SQLite). Use for ORM-managed migrations. | | `durable-objects` | Create and review Cloudflare Durable Objects. Use when building stateful coordination (chat rooms, multiplayer games, booking systems), implementing RPC methods, SQLite storage, alarms, WebSockets, or reviewing DO code for best practices. Covers Workers integration, wrangler config, and testing with Vitest. | | `gcp` | Google Cloud Platform (GCP) best practices. Use when provisioning GCP infrastructure, configuring IAM, deploying to Cloud Run, GKE (Kubernetes Engine), Cloud Functions, Cloud SQL, or managing BigQuery. Do NOT trigger for generic "deploy my app" requests without clarifying the target platform. | | `github-actions` | Master GitHub Actions CI/CD workflows with production-grade security and performance patterns. Use ONLY when explicitly setting up CI/CD pipelines specifically via GitHub Actions, setting up matrix strategies, caching dependencies, managing artifacts, or implementing reusable workflows. For deployment requests, use ONLY when the deploy step is inside a .github/workflows file. NOT for GitLab or autonomous-dev. NOT for Render, AWS, Azure, or GCP deployments unless explicitly triggered from within a CI/CD workflow context. Do NOT trigger for generic "deploy my app" requests without clarifying the target platform. | | `github-commander` | Structured workflows for GitHub issues, PRs, milestones, and code audits with validation gates and HITL checkpoints. Use when assigned a GitHub issue, reviewing a PR, sprinting through a milestone, updating dependencies, or running code audits. Also use when asked to "triage an issue", "review a PR", or "update deps". Do NOT trigger on bare verbs (e.g. "fix this"); require GitHub context. NOT for pipeline authoring (use github-actions instead). NOT for skill/workflow/security audits (use dedicated adversarial skills instead). | | `github-copilot-cli` | Documentation and instructions for integrating the GitHub Copilot CLI (`copilot`) into agentic workflows. Use this skill when you need a "second opinion" adversarial review of a local codebase, a pre-push PR review using alternative advanced models, or shell suggestion capabilities from GitHub. Activates on "Copilot CLI", "local PR review", "codebase Copilot review", "second opinion", "use gh copilot", or "ask Copilot". | | `github-repo-setup` | Reusable scaffold for public TypeScript/Node.js repositories under a target organization. Use when creating a new GitHub repository to generate all community standards, CI/CD, config files, labels, and topics in one pass. | | `gitlab` | Specialized assistant skill for managing repositories and CI/CD in GitLab. Activate when the user asks about GitLab projects or repositories, wants to see merge requests or pipelines, needs to search code or files, asks about CI/CD status or job logs, or wants to browse repository contents. Mentions "GitLab", "glab" CLI, or explicitly asks for GitLab MRs/pipelines. Must see explicit keyword 'GitLab' or 'glab'. NOT for GitHub Actions. | | `golang` | Master Go development using production-grade best practices merged from the Google and Uber style guides. Use whenever writing backend Go microservices, designing APIs, handling errors, managing goroutines, or configuring linters. Keywords: channels, context propagation, go.mod, Go generics. Do NOT trigger for generic 'build a server' requests unless the platform/language is explicitly specified as Go/Golang. | | `graphql` | GraphQL best practices. Use when designing GraphQL schemas, writing resolvers, handling mutations, avoiding N+1 query problems (DataLoader), or configuring GraphQL servers. | | `hono` | Hono framework best practices. Use when building, reviewing, or debugging Hono applications, especially on Cloudflare Workers. Covers routing, middleware, context (c), and RPC patterns. Do NOT trigger for generic 'build a server' requests unless Hono or Cloudflare Workers is explicitly requested. | | `journal-optimizer` | Guided database pruning and optimization workflows for memory-journal-mcp. Uses importance scores, relationship density, and entry metadata to identify low-value entries for safe soft-deletion. Includes dry-run previews, backup gates, and revert guidance. Use when the user says "clean up the database", "optimize entries", "prune old entries", "database maintenance", "what entries can I delete?", "my journal is getting too big", or "archive old entries". | | `llm-app-engineering` | Master modern LLM application engineering patterns. Use when designing prompt chains, evaluating output quality, managing token limits, streaming responses, or integrating LLMs into full-stack applications. | | `mcp-builder` | Core rules for code quality and specifications of Model Context Protocol (MCP) servers. Use when reviewing MCP code quality, enforcing specification rules, or checking schemas/error responses. Must see the explicit keyword "MCP" or "Model Context Protocol". NOT for general REST APIs or Cloudflare Workers. Do NOT trigger for generic 'build a server' requests unless the type is explicitly specified as an MCP server. (Invoke explicitly with `/mcp-builder` — does not auto-trigger). disable-model-invocation: true | | `monorepo` | Monorepo architecture and configuration standards. Use when working with Turborepo, pnpm workspaces, npm workspaces, or configuring shared packages, tsconfig bases, and internal dependencies. | | `multi-agent-orchestration` | Patterns for multi-agent systems and agentic workflows. Use when designing systems where multiple AI agents collaborate, delegate tasks, or follow structured workflows (e.g. Plan-and-Execute). | | `mysql` | Use when designing, querying, or managing a MySQL or MariaDB database. Enforces enterprise production rules for query safety (strict parameterization), connection pooling, and strict schema configurations (STRICT_TRANS_TABLES). MUST-ASK: Require explicit database engine name before triggering. Never guess. Do NOT trigger for generic "set up a database" requests. NOT for Postgres or SQLite. NOT for ORM-managed migrations. | | `next-best-practices` | Next.js best practices - file conventions, RSC boundaries, data patterns, async APIs, metadata, error handling. NOT for general React queries (use react-best-practices). NOT for granular component caching strategies (use next-cache-components). user-invocable: false | | `next-cache-components` | Next.js 16 Cache Components guidance. Use when refactoring React Server Components for performance, debugging Partial Prerendering (PPR) issues, or applying the `use cache` directive, `cacheLife`, `cacheTag`, `updateTag`, and `revalidateTag`. Also use when deciding whether data should be static, cached, or dynamic, or when addressing stale data and cache invalidation. For general Next.js performance, adversarial-performance may also apply. | | `next-upgrade` | Upgrade Next.js to a specific target version using safe dependency bumps, codemods, and diff reviews. Use when you need to execute major version bumps, resolve breaking changes, "upgrading Next.js", "migrate to Next.js 15 or 16", or safely "run @next/codemod" against the repository before upgrading. | | `nodejs` | Node.js core runtime standards. Use when working with native Node.js APIs like streams, buffers, child_process, worker_threads, filesystem, or event loop tuning. Do NOT trigger for generic 'build a server' requests unless the platform/language is explicitly specified. | | `opentelemetry` | Observability standards using OpenTelemetry. Use when instrumenting applications for distributed tracing, metrics, and structured logging. NOT for Cloudflare Workers observability (use workers-best-practices). NOT for performance optimization � use adversarial-performance or web-perf. | | `playwright-standard` | Comprehensive, opinionated guidance for Playwright test development. Use ONLY when writing E2E, browser tests, UI tests, API, component, or visual tests, debugging failures, implementing Page Object Model, or configuring CI/CD. For unit tests, use vitest-standard. Use Playwright solely for E2E, API, and component tests. NOT for unit testing (use Vitest). If the user asks to "write tests" without specifying the type, you MUST ask "Unit, E2E, or both?" before proceeding. | | `postgres` | Use when designing, querying, or managing a PostgreSQL database. Enforces enterprise production rules for advanced querying, composite indexing, JSONB data handling, and strict optimization patterns (avoiding N+1). Keywords: PostgreSQL query, JSONB, pg, pgvector, RLS, Postgres migration. MUST-ASK: Require explicit database engine name before triggering. Never guess. Do NOT trigger for generic "set up a database" requests. NOT for SQLite or MySQL. NOT for ORM-managed migrations. | | `python` | Master modern Python development with production-grade tooling and idioms. Use when writing Python code, configuring project structure, managing dependencies with uv, linting with ruff, adding type hints, writing pytest tests, or building FastAPI/Django/Flask applications. Triggers on "Python", "FastAPI", "Django", "Flask", "pytest", "uv", "ruff", "pyproject.toml". Do NOT trigger for generic 'build a server' requests unless the platform/language is explicitly specified as Python (e.g. FastAPI, Django, Flask). | | `rag-pipelines` | Best practices for Retrieval-Augmented Generation (RAG) pipelines. Use when working with vector databases, embeddings, chunking strategies, semantic search, or hybrid search architectures. | | `react-best-practices` | React performance optimization guidelines from Vercel Engineering. Use ONLY when explicitly optimizing React performance, Core Web Vitals, or bundle size. NOT for Next.js feature development tasks. NOT for generic caching questions (use next-cache-components). NOT for generic web performance or backend profiling. license: MIT metadata: author: vercel version: '1.0.0' | | `redis` | Redis best practices. Use when configuring caching strategies, connection pooling, handling TTLs (Time-To-Live), or managing Redis data structures (Hash, Set, List) in Node/TypeScript projects. MUST-ASK: Require explicit database engine name before triggering. Never guess. Do NOT use for generic "set up a database" or "create a DB" requests without clarifying. | | `render` | Render platform deployment and management best practices. Use when configuring render.yaml (Blueprint specs), deploying web services, background workers, cron jobs, or managing Render PostgreSQL/Redis instances. NOT for AWS, GCP, Azure, or generic container orchestration. Do NOT trigger for generic "deploy my app" requests without clarifying the target platform. | | `rust` | Master production Rust code, lifetimes, and systems programming using a layer-based "meta-cognition" framework. Use whenever writing production Rust code, resolving borrow checker errors (E0382, E0596), designing ownership patterns (Arc, Mutex), or performing crate selection. Do NOT trigger for generic WASM or TS questions unless Rust is the primary focus. Do NOT trigger for generic 'build a server' requests unless the platform/language is explicitly specified. | | `sandbox-sdk` | Build sandboxed applications for secure code execution. Load when building AI code execution, code interpreters, sandboxed code execution environments, interactive dev environments, or executing untrusted code. Covers Sandbox SDK lifecycle, commands, files, code interpreter, and preview URLs. | | `shadcn-ui` | Use when adding, customizing, or structuring shadcn/ui components in a project. Also use when dealing with `components.json`, Tailwind configuration for shadcn, or component registries. Use when working with shadcn/ui, `components.json`, `lucide-react`, `radix-ui`, or Tailwind component registries. | | `skill-builder` | Guide for creating, evaluating, and refining agent skills (.md files with YAML frontmatter). Use this skill whenever you are creating a new skill, improving an existing skill, reviewing skill quality, writing skill descriptions, or when the user asks about skill structure, progressive disclosure, or best practices for agent instructions. | | `sqlite` | Enforced meta-cognitive rules and production configurations for SQLite development. Use when designing SQLite schemas, PRAGMAs, transactions, migrations, locking, or backups. Also use when debugging SQLite performance or writing queries against an SQLite database. MUST-ASK: Require explicit database engine name before triggering. Never guess. Do NOT use for generic "set up a database" or "create a DB" requests without clarifying. NOT for Postgres or MySQL. NOT for ORM-managed migrations. | | `tailwind-css` | Master Tailwind CSS v4 with its CSS-first configuration paradigm. Use when writing utility classes, configuring design tokens via @theme, implementing dark mode, migrating from v3, or integrating with React/Vue/Svelte. Triggers on "Tailwind", "utility CSS", "Tailwind v4", "@theme", "dark mode classes", "responsive design", "Tailwind migration". | | `trpc` | tRPC standards for TypeScript backends. Use when building end-to-end typesafe APIs, defining routers, procedures, middleware, or integrating with React and Next.js. | | `typescript` | Comprehensive enterprise-grade TypeScript operational guide. Use when configuring TS projects, writing complex generics, or enforcing strict type safety. Triggers on "TypeScript", "tsconfig.json", "generics", "type errors", "strict mode". | | `vercel-ai-sdk` | Vercel AI SDK best practices and patterns. Use when building AI applications with React/Next.js and `@ai-sdk/react`, `@ai-sdk/core`, or `@ai-sdk/ui`. Covers `useChat`, `streamText`, `generateObject`, tool calling, and streaming architectures. | | `vitest-standard` | Comprehensive unit testing expertise covering Vitest, test-driven development (TDD), mocking strategies, and production-grade best practices. Activates ONLY for unit testing scope (unit tests, integration tests, Vitest, TDD, Red-Green-Refactor, mocking, stubbing, spying, test coverage, and test architecture in TypeScript/Node projects). NOT for E2E testing (use Playwright). If the user asks to "write tests" without specifying the type, you MUST ask "Unit, E2E, or both?" before proceeding. | | `web-perf` | Optimize page load, frontend Lighthouse metrics, and Core Web Vitals (LCP, INP, CLS). Analyzes web performance using Chrome DevTools MCP. Measures Core Web Vitals (FCP, LCP, TBT, CLS, Speed Index), identifies render-blocking resources, network dependency chains, layout shifts, caching issues, and accessibility gaps. Use ONLY for frontend page load performance (Lighthouse, Core Web Vitals, LCP, CLS, site speed). Do NOT use for backend performance, hot-paths, or bundle size (use adversarial-performance instead). Use ONLY when Chrome DevTools MCP server is configured and attached. | | `workers-best-practices` | (APPLICATION CODE ONLY) Reviews and authors Cloudflare Workers code against production best practices. Use ONLY when writing or reviewing Worker code, configuring wrangler.jsonc, or checking for anti-patterns. Do NOT use for general Cloudflare product discovery (use cloudflare instead) or CLI management (use wrangler instead). NOT for Docker or general MCP servers. Do NOT trigger for generic 'build a server' requests unless the platform is explicitly specified as Cloudflare Workers. | | `wrangler` | (CLI OPERATIONS ONLY) Cloudflare Wrangler CLI dispatcher. Use ONLY when Cloudflare Workers or Pages is the explicitly named target platform for deployment, or when managing Cloudflare bindings using the wrangler CLI. Do NOT use for general Cloudflare product discovery (use cloudflare instead) or for writing/reviewing Worker code (use workers-best-practices instead). (Invoke explicitly — does not auto-trigger). disable-model-invocation: true | | `zod` | Zod schema validation standards. Use when defining schemas, parsing user input, transforming data, or integrating type-safe boundaries in API endpoints and configurations. |