Security rules for untrusted NanoClaw groups. Credential protection, internal file protection, social engineering defenses.

Enforces pgsodium Vault for secret storage accessed only via SECURITY DEFINER functions on service_role.

Run quality checks on Java code before committing. Validates against best practices, enterprise standards, and common issues.

Standards and workflows for building secure, well-structured Terraform modules, including planning gates, validation steps, and implementation guidance.

Discover and apply best practice skills automatically. Gap analysis scans the codebase, skill-search fills gaps from the registry, skill-classifier separates proactive from reactive skills, quality-standards generates CLAUDE.md guidance, self-review compares code against checklists, and verification-strategy sets up test/lint/typecheck feedback loops.

Database architecture skills, docs, and rules for high-demand multi-tenant commerce platforms (PostgreSQL source of truth, Neo4j as derived GraphRAG projection, transactional outbox, RLS-based tenant isolation). Includes live schema introspection workflow via Postgres MCP.

Enforces PKCE-based OAuth code flow replacing implicit auth flows for modern Supabase auth.

Closing the intent-to-code chasm - specification-driven development with BDD verification chain

Secures Supabase Realtime private channels via RLS policies on the realtime.messages table.

Spec-driven workflow covering requirement gathering, spec authoring, implementation review, and verification — with skills, rules, and evaluation scenarios.

Enforces strict isolation of service_role key to server-side contexts only.

Configures Prometheus scraping, log drains, and observability for Supabase infrastructure monitoring.

Configures server-side session synchronization via secure HTTP-only cookies for SSR frameworks.

Gemini Enterprise A2A configuration and rules.

Core behavioral rules and skills for NanoClaw personal assistant agents. Always-on rules for communication, verification, memory, and formatting.

Injects tenant ID and RBAC permissions into JWT via Postgres Auth Hooks during token issuance.

Prevents directory traversal in Supabase Storage via path validation functions and storage RLS.

Evidence-first pull request review with independent critique, selective challenger review, and human handoff.

Agent-native E2E runtime with verifiable safety. 16 MCP tools including alethia_propose_tests (agent generates tests from a URL), alethia_assert_safety (proves destructive actions are blocked), and the expect block: NLP primitive unique to Alethia. Zero-IPC; 2-5x faster than Playwright MCP per flow; signed evidence packs. Works with Claude Code, Cursor, Cline.

Rego is the declarative policy language used by Open Policy Agent (OPA). This tile covers writing and testing Rego policies for Kubernetes admission control, Terraform and infrastructure-as-code plan validation, Docker container authorization, HTTP API authorization, RBAC and role-based access control, data filtering, metadata annotations with opa inspect, and OPA policy testing with opa test.