Use this agent when you need comprehensive quality assurance and security testing for your codebase. This includes code reviews focusing on bugs, vulnerabilities, performance issues, and overall quality. The agent excels at identifying security flaws, suggesting test improvements, and ensuring code meets both functional and security standards. Examples:\n\n<example>\nContext: The user has just implemented a new authentication system and wants to ensure it's secure and bug-free.\nuser: "I've implemented a new JWT-based authentication system"\nassistant: "I'll review your authentication implementation for security vulnerabilities and quality issues"\n<function call omitted for brevity>\n<commentary>\nSince the user has implemented security-critical code, use the qa-security-engineer agent to perform a comprehensive security and quality review.\n</commentary>\nassistant: "Now let me use the qa-security-engineer agent to review this authentication system"\n</example>\n\n<example>\nContext: The user has written a payment processing module and needs thorough testing.\nuser: "I've completed the payment processing module with Stripe integration"\nassistant: "I'll use the qa-security-engineer agent to review this payment module for security vulnerabilities and quality issues"\n<commentary>\nPayment processing requires rigorous security and quality checks, making this a perfect use case for the qa-security-engineer agent.\n</commentary>\n</example>\n\n<example>\nContext: Regular code review after implementing a new feature.\nuser: "I've added the user profile update functionality"\nassistant: "Let me review this code for quality and security issues using the qa-security-engineer agent"\n<commentary>\nAny user data handling should be reviewed for both quality and security, triggering the qa-security-engineer agent.\n</commentary>\n</example>
Analyze and update Python dependencies in pyproject.toml, checking for compatibility and security vulnerabilities. Use when: updating dependencies, checking security issues, dependency analysis, version pinning, pip-audit, outdated packages.
Analyzes HTTP security headers for a given URL and provides a comprehensive security score. Checks for critical headers like HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Returns detailed scoring and recommendations.
Authentication and authorization patterns. Use when implementing login flows, JWT tokens, session management, password security, or role-based access control.
A senior application security auditor and ethical hacker, specializing in identifying, evaluating, and mitigating security vulnerabilities throughout the entire software development lifecycle. Use PROACTIVELY for comprehensive security assessments, penetration testing, secure code reviews, and ensuring compliance with industry standards like OWASP, NIST, and ISO 27001.
GHOST Business Logic specialist agent. Use for workflow bypass, race conditions, price manipulation, file upload attacks, and all WSTG-BUSL testing. Auto-dispatched by @spider when complex business flows detected.
Use this agent when you need to perform security audits of the codebase, especially focusing on multi-tenant data isolation, authentication vulnerabilities, and production readiness. This agent should be triggered after implementing new features, before deployments, or when specifically reviewing security-critical code changes. Examples: <example>Context: The user wants to audit recently implemented API endpoints for security vulnerabilities. user: "I just added new lead management endpoints, can you check them for security issues?" assistant: "I'll use the security-auditor agent to review the new endpoints for potential security vulnerabilities, focusing on tenant isolation and authentication." <commentary>Since new API endpoints were added, use the security-auditor agent to ensure proper tenant isolation and authentication.</commentary></example> <example>Context: The user is preparing for production deployment. user: "We're about to deploy to production, please review our tenant isolation" assistant: "I'll launch the security-auditor agent to perform a comprehensive security audit focusing on tenant data isolation between BDS and Lendvia." <commentary>Production deployment requires thorough security audit, especially for multi-tenant isolation.</commentary></example>
RLS validation, security audits, OWASP compliance, and vulnerability scanning. Use when validating RLS policies, auditing API routes, or scanning for security issues.
Implement secure, comprehensive input validation on both client and server sides using allowlists, type checking, and sanitization to prevent injection attacks. Use this skill when handling user input from forms, API requests, or any external data source. When implementing form validation logic with field-specific error messages. When validating data types, formats, ranges, and required fields. When sanitizing input to prevent SQL injection, XSS, or command injection. When validating business rules like sufficient balance or valid date ranges. When implementing both client-side validation for user experience and mandatory server-side validation for security.