Audits a Claude Code skill for security risks in three modes: before download (from a URL or install command), after download but before install (from a .skill file), or after install (from a local skills directory). Use this skill whenever a user is about to install a skill from any source — including GitHub URLs, git clone commands, npx/npm commands, curl/wget downloads, pip installs, marketplace links, or raw SKILL.md URLs. Also trigger when a user asks "is this skill safe?", "should I trust this skill?", "can you check this before I install it?", "audit this skill", or pastes any link to a skill repository or .skill file. If a user mentions installing ANY skill, proactively offer to audit it first — do not wait for them to ask.

Enforces pgsodium Vault for secret storage accessed only via SECURITY DEFINER functions on service_role.

BC SaaS performance patterns, data access optimization, and best practices

Standards and workflows for building secure, well-structured Terraform modules, including planning gates, validation steps, and implementation guidance.

Database architecture skills, docs, and rules for high-demand multi-tenant commerce platforms (PostgreSQL source of truth, Neo4j as derived GraphRAG projection, transactional outbox, RLS-based tenant isolation). Includes live schema introspection workflow via explicit Supabase MCP/read-only schema sources.

Control AL object visibility with Access property (Public, Internal, Protected, Local)

Enforces PKCE-based OAuth code flow replacing implicit auth flows for modern Supabase auth.

Secures Supabase Realtime private channels via RLS policies on the realtime.messages table.

Spec-driven workflow covering requirement gathering, spec authoring, implementation review, and verification — with skills, rules, and evaluation scenarios.

Enforces strict isolation of service_role key to server-side contexts only.

Configures Prometheus scraping, log drains, and observability for Supabase infrastructure monitoring.

Configures server-side session synchronization via secure HTTP-only cookies for SSR frameworks.

Gemini Enterprise A2A configuration and rules.

Expert OpenTelemetry guidance for collector configuration, pipeline design, and production telemetry instrumentation. Use when configuring collectors, designing pipelines, instrumenting applications, implementing sampling, managing cardinality, securing telemetry, writing OTTL transformations, or setting up AI coding agent observability (Claude Code, Codex, Gemini CLI, GitHub Copilot).

Injects tenant ID and RBAC permissions into JWT via Postgres Auth Hooks during token issuance.

Prevents directory traversal in Supabase Storage via path validation functions and storage RLS.

OAuth 2.0 Client Credentials and Authorization Code flows for Business Central

Calibrate research done on socially noisy web sources so agents do not mistake crowd mood for truth. Includes source-specific skills for Moltbook, Hacker News, Reddit, and Product Hunt.

Agent-native E2E runtime with verifiable safety. 16 MCP tools including alethia_propose_tests (agent generates tests from a URL), alethia_assert_safety (proves destructive actions are blocked), and the expect block: NLP primitive unique to Alethia. Zero-IPC; 2-5x faster than Playwright MCP per flow; signed evidence packs. Works with Claude Code, Cursor, Cline.

SonicJS headless CMS knowledge base, coding standards, and architectural guidelines.