old4ever/local-cal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: update skills

Browse Source 
Signed-off-by: Dmytro Stanchiev <git@dmytros.dev>
This commit is contained in:
Dmytro Stanchiev
2026-04-07 17:06:08 -04:00
parent 7ffcb4dc43
commit 685241c92f
12 changed files with 58 additions and 532 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.claude/skills/broken-authentication/.openskills.json
View File

@@ -1,6 +0,0 @@
{
"source": "/tmp/skill-selector-curated-3423638041",
"sourceType": "local",
"localPath": "/tmp/skill-selector-curated-3423638041/broken-authentication",
"installedAt": "2026-04-07T00:45:24.780Z"
}

480
.claude/skills/broken-authentication/SKILL.md
View File

@@ -1,480 +0,0 @@
---
name: broken-authentication
description: "Identify and exploit authentication and session management vulnerabilities in web applications. Broken authentication consistently ranks in the OWASP Top 10 and can lead to account takeover, identity theft, and unauthorized access to sensitive systems."
risk: unknown
source: community
author: zebbern
date_added: "2026-02-27"
---
# Broken Authentication Testing
## Purpose
Identify and exploit authentication and session management vulnerabilities in web applications. Broken authentication consistently ranks in the OWASP Top 10 and can lead to account takeover, identity theft, and unauthorized access to sensitive systems. This skill covers testing methodologies for password policies, session handling, multi-factor authentication, and credential management.
## Prerequisites
### Required Knowledge
- HTTP protocol and session mechanisms
- Authentication types (SFA, 2FA, MFA)
- Cookie and token handling
- Common authentication frameworks
### Required Tools
- Burp Suite Professional or Community
- Hydra or similar brute-force tools
- Custom wordlists for credential testing
- Browser developer tools
### Required Access
- Target application URL
- Test account credentials
- Written authorization for testing
## Outputs and Deliverables
1. **Authentication Assessment Report** - Document all identified vulnerabilities
2. **Credential Testing Results** - Brute-force and dictionary attack outcomes
3. **Session Security Analysis** - Token randomness and timeout evaluation
4. **Remediation Recommendations** - Security hardening guidance
## Core Workflow
### Phase 1: Authentication Mechanism Analysis
Understand the application's authentication architecture:
```
# Identify authentication type
- Password-based (forms, basic auth, digest)
- Token-based (JWT, OAuth, API keys)
- Certificate-based (mutual TLS)
- Multi-factor (SMS, TOTP, hardware tokens)
# Map authentication endpoints
/login, /signin, /authenticate
/register, /signup
/forgot-password, /reset-password
/logout, /signout
/api/auth/*, /oauth/*
```
Capture and analyze authentication requests:
```http
POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
username=test&password=test123
```
### Phase 2: Password Policy Testing
Evaluate password requirements and enforcement:
```bash
# Test minimum length (a, ab, abcdefgh)
# Test complexity (password, password1, Password1!)
# Test common weak passwords (123456, password, qwerty, admin)
# Test username as password (admin/admin, test/test)
```
Document policy gaps: Minimum length <8, no complexity, common passwords allowed, username as password.
### Phase 3: Credential Enumeration
Test for username enumeration vulnerabilities:
```bash
# Compare responses for valid vs invalid usernames
# Invalid: "Invalid username" vs Valid: "Invalid password"
# Check timing differences, response codes, registration messages
```
# Password reset
"Email sent if account exists" (secure)
"No account with that email" (leaks info)
# API responses
{"error": "user_not_found"}
{"error": "invalid_password"}
```
### Phase 4: Brute Force Testing
Test account lockout and rate limiting:
```bash
# Using Hydra for form-based auth
hydra -l admin -P /usr/share/wordlists/rockyou.txt \
target.com http-post-form \
"/login:username=^USER^&password=^PASS^:Invalid credentials"
# Using Burp Intruder
1. Capture login request
2. Send to Intruder
3. Set payload positions on password field
4. Load wordlist
5. Start attack
6. Analyze response lengths/codes
```
Check for protections:
```bash
# Account lockout
- After how many attempts?
- Duration of lockout?
- Lockout notification?
# Rate limiting
- Requests per minute limit?
- IP-based or account-based?
- Bypass via headers (X-Forwarded-For)?
# CAPTCHA
- After failed attempts?
- Easily bypassable?
```
### Phase 5: Credential Stuffing
Test with known breached credentials:
```bash
# Credential stuffing differs from brute force
# Uses known email:password pairs from breaches
# Using Burp Intruder with Pitchfork attack
1. Set username and password as positions
2. Load email list as payload 1
3. Load password list as payload 2 (matched pairs)
4. Analyze for successful logins
# Detection evasion
- Slow request rate
- Rotate source IPs
- Randomize user agents
- Add delays between attempts
```
### Phase 6: Session Management Testing
Analyze session token security:
```bash
# Capture session cookie
Cookie: SESSIONID=abc123def456
# Test token characteristics
1. Entropy - Is it random enough?
2. Length - Sufficient length (128+ bits)?
3. Predictability - Sequential patterns?
4. Secure flags - HttpOnly, Secure, SameSite?
```
Session token analysis:
```python
#!/usr/bin/env python3
import requests
import hashlib
# Collect multiple session tokens
tokens = []
for i in range(100):
response = requests.get("https://target.com/login")
token = response.cookies.get("SESSIONID")
tokens.append(token)
# Analyze for patterns
# Check for sequential increments
# Calculate entropy
# Look for timestamp components
```
### Phase 7: Session Fixation Testing
Test if session is regenerated after authentication:
```bash
# Step 1: Get session before login
GET /login HTTP/1.1
Response: Set-Cookie: SESSIONID=abc123
# Step 2: Login with same session
POST /login HTTP/1.1
Cookie: SESSIONID=abc123
username=valid&password=valid
# Step 3: Check if session changed
# VULNERABLE if SESSIONID remains abc123
# SECURE if new session assigned after login
```
Attack scenario:
```bash
# Attacker workflow:
1. Attacker visits site, gets session: SESSIONID=attacker_session
2. Attacker sends link to victim with fixed session:
https://target.com/login?SESSIONID=attacker_session
3. Victim logs in with attacker's session
4. Attacker now has authenticated session
```
### Phase 8: Session Timeout Testing
Verify session expiration policies:
```bash
# Test idle timeout
1. Login and note session cookie
2. Wait without activity (15, 30, 60 minutes)
3. Attempt to use session
4. Check if session is still valid
# Test absolute timeout
1. Login and continuously use session
2. Check if forced logout after set period (8 hours, 24 hours)
# Test logout functionality
1. Login and note session
2. Click logout
3. Attempt to reuse old session cookie
4. Session should be invalidated server-side
```
### Phase 9: Multi-Factor Authentication Testing
Assess MFA implementation security:
```bash
# OTP brute force
- 4-digit OTP = 10,000 combinations
- 6-digit OTP = 1,000,000 combinations
- Test rate limiting on OTP endpoint
# OTP bypass techniques
- Skip MFA step by direct URL access
- Modify response to indicate MFA passed
- Null/empty OTP submission
- Previous valid OTP reuse
# API Version Downgrade Attack (crAPI example)
# If /api/v3/check-otp has rate limiting, try older versions:
POST /api/v2/check-otp
{"otp": "1234"}
# Older API versions may lack security controls
# Using Burp for OTP testing
1. Capture OTP verification request
2. Send to Intruder
3. Set OTP field as payload position
4. Use numbers payload (0000-9999)
5. Check for successful bypass
```
Test MFA enrollment:
```bash
# Forced enrollment
- Can MFA be skipped during setup?
- Can backup codes be accessed without verification?
# Recovery process
- Can MFA be disabled via email alone?
- Social engineering potential?
```
### Phase 10: Password Reset Testing
Analyze password reset security:
```bash
# Token security
1. Request password reset
2. Capture reset link
3. Analyze token:
- Length and randomness
- Expiration time
- Single-use enforcement
- Account binding
# Token manipulation
https://target.com/reset?token=abc123&user=victim
# Try changing user parameter while using valid token
# Host header injection
POST /forgot-password HTTP/1.1
Host: attacker.com
email=victim@email.com
# Reset email may contain attacker's domain
```
## Quick Reference
### Common Vulnerability Types
| Vulnerability | Risk | Test Method |
|--------------|------|-------------|
| Weak passwords | High | Policy testing, dictionary attack |
| No lockout | High | Brute force testing |
| Username enumeration | Medium | Differential response analysis |
| Session fixation | High | Pre/post-login session comparison |
| Weak session tokens | High | Entropy analysis |
| No session timeout | Medium | Long-duration session testing |
| Insecure password reset | High | Token analysis, workflow bypass |
| MFA bypass | Critical | Direct access, response manipulation |
### Credential Testing Payloads
```bash
# Default credentials
admin:admin
admin:password
admin:123456
root:root
test:test
user:user
# Common passwords
123456
password
12345678
qwerty
abc123
password1
admin123
# Breached credential databases
- Have I Been Pwned dataset
- SecLists passwords
- Custom targeted lists
```
### Session Cookie Flags
| Flag | Purpose | Vulnerability if Missing |
|------|---------|------------------------|
| HttpOnly | Prevent JS access | XSS can steal session |
| Secure | HTTPS only | Sent over HTTP |
| SameSite | CSRF protection | Cross-site requests allowed |
| Path | URL scope | Broader exposure |
| Domain | Domain scope | Subdomain access |
| Expires | Lifetime | Persistent sessions |
### Rate Limiting Bypass Headers
```http
X-Forwarded-For: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
```
## Constraints and Limitations
### Legal Requirements
- Only test with explicit written authorization
- Avoid testing with real breached credentials
- Do not access actual user accounts
- Document all testing activities
### Technical Limitations
- CAPTCHA may prevent automated testing
- Rate limiting affects brute force timing
- MFA significantly increases attack difficulty
- Some vulnerabilities require victim interaction
### Scope Considerations
- Test accounts may behave differently than production
- Some features may be disabled in test environments
- Third-party authentication may be out of scope
- Production testing requires extra caution
## Examples
### Example 1: Account Lockout Bypass
**Scenario:** Test if account lockout can be bypassed
```bash
# Step 1: Identify lockout threshold
# Try 5 wrong passwords for admin account
# Result: "Account locked for 30 minutes"
# Step 2: Test bypass via IP rotation
# Use X-Forwarded-For header
POST /login HTTP/1.1
X-Forwarded-For: 192.168.1.1
username=admin&password=attempt1
# Increment IP for each attempt
X-Forwarded-For: 192.168.1.2
# Continue until successful or confirmed blocked
# Step 3: Test bypass via case manipulation
username=Admin (vs admin)
username=ADMIN
# Some systems treat these as different accounts
```
### Example 2: JWT Token Attack
**Scenario:** Exploit weak JWT implementation
```bash
# Step 1: Capture JWT token
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCJ9.signature
# Step 2: Decode and analyze
# Header: {"alg":"HS256","typ":"JWT"}
# Payload: {"user":"test","role":"user"}
# Step 3: Try "none" algorithm attack
# Change header to: {"alg":"none","typ":"JWT"}
# Remove signature
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4iLCJyb2xlIjoiYWRtaW4ifQ.
# Step 4: Submit modified token
Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
```
### Example 3: Password Reset Token Exploitation
**Scenario:** Test password reset functionality
```bash
# Step 1: Request reset for test account
POST /forgot-password
email=test@example.com
# Step 2: Capture reset link
https://target.com/reset?token=a1b2c3d4e5f6
# Step 3: Test token properties
# Reuse: Try using same token twice
# Expiration: Wait 24+ hours and retry
# Modification: Change characters in token
# Step 4: Test for user parameter manipulation
https://target.com/reset?token=a1b2c3d4e5f6&email=admin@example.com
# Check if admin's password can be reset with test user's token
```
## Troubleshooting
| Issue | Solutions |
|-------|-----------|
| Brute force too slow | Identify rate limit scope; IP rotation; add delays; use targeted wordlists |
| Session analysis inconclusive | Collect 1000+ tokens; use statistical tools; check for timestamps; compare accounts |
| MFA cannot be bypassed | Document as secure; test backup/recovery mechanisms; check MFA fatigue; verify enrollment |
| Account lockout prevents testing | Request multiple test accounts; test threshold first; use slower timing |
## When to Use
This skill is applicable to execute the workflow or actions described in the overview.

6
.claude/skills/bun-development/SKILL.md
View File

@@ -145,7 +145,7 @@ bun install # or 'bun i'
# Add dependencies
bun add express # Regular dependency
bun add -d typescript # Dev dependency
bun add -D @types/node # Dev dependency (alias)
bun add -D @types/bun # Dev dependency (alias)
bun add --optional pkg # Optional dependency
# From specific registry
@@ -176,7 +176,7 @@ bun update --latest # Update to latest (ignore ranges)
bun outdated
```
### 3.3 bunx (npx equivalent)
### 3.3 bunx (bunx --bun equivalent)
```bash
# Execute package binaries
@@ -595,7 +595,7 @@ rm -rf node_modules package-lock.json
bun install
# 3. Update scripts in package.json
# "start": "node index.js" → "start": "bun run index.ts"
# "start": "bun --bun index.js" → "start": "bun run index.ts"
# "test": "jest" → "test": "bun test"
# 4. Add Bun types

10
.claude/skills/drizzle-orm-expert/SKILL.md
View File

@@ -205,16 +205,16 @@ export default defineConfig({
```bash
# Generate migration SQL from schema changes
npx drizzle-kit generate
bunx --bun drizzle-kit generate
# Push schema directly to database (development only — skips migration files)
npx drizzle-kit push
bunx --bun drizzle-kit push
# Run pending migrations (production)
npx drizzle-kit migrate
bunx --bun drizzle-kit migrate
# Open Drizzle Studio (GUI database browser)
npx drizzle-kit studio
bunx --bun drizzle-kit studio
```
## Database Client Setup
@@ -357,7 +357,7 @@ export async function createUser(formData: FormData) {
**Solution:** Pass all schema objects (including relations) to `drizzle()`: `drizzle(client, { schema })`
**Problem:** Migration conflicts after schema changes
**Solution:** Run `npx drizzle-kit generate` to create a new migration, then `npx drizzle-kit migrate`
**Solution:** Run `bunx --bun drizzle-kit generate` to create a new migration, then `bunx --bun drizzle-kit migrate`
**Problem:** Type errors on `.returning()` with MySQL
**Solution:** MySQL does not support `RETURNING`. Use `.execute()` and read `insertId` from the result instead.

30
.claude/skills/nextjs-developer/references/deployment.md
View File

@@ -6,7 +6,7 @@
```bash
# Install Vercel CLI
npm i -g vercel
bun --bun i -g vercel
# Deploy
vercel
@@ -21,7 +21,7 @@ vercel --prod
{
"buildCommand": "next build",
"devCommand": "next dev",
"installCommand": "npm install",
"installCommand": "bun --bun install",
"framework": "nextjs",
"regions": ["iad1"],
"env": {
@@ -88,7 +88,7 @@ module.exports = nextConfig
```bash
# Build
npm run build
bun --bun run build
# The standalone folder contains everything needed
# Copy these to your server:
@@ -97,20 +97,20 @@ npm run build
# - public/
# Run on server
node .next/standalone/server.js
bun --bun .next/standalone/server.js
```
### Node.js Server
```bash
# Build
npm run build
bun --bun run build
# Start production server
npm start
bun --bun start
# With PM2 for process management
pm2 start npm --name "nextjs" -- start
pm2 start bun --bun --name "nextjs" -- start
pm2 startup
pm2 save
```
@@ -126,7 +126,7 @@ RUN apk add --no-cache libc6-compat
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci
RUN bun --bun ci
# Stage 2: Builder
FROM node:20-alpine AS builder
@@ -136,7 +136,7 @@ COPY . .
ENV NEXT_TELEMETRY_DISABLED 1
RUN npm run build
RUN bun --bun run build
# Stage 3: Runner
FROM node:20-alpine AS runner
@@ -298,13 +298,13 @@ module.exports = nextConfig
```bash
# Install analyzer
npm install -D @next/bundle-analyzer
bun --bun install -D @next/bundle-analyzer
# Analyze
ANALYZE=true npm run build
ANALYZE=true bun --bun run build
# Or use built-in
npm run build -- --experimental-build-mode=compile
bun --bun run build -- --experimental-build-mode=compile
```
### Performance Monitoring
@@ -474,13 +474,13 @@ jobs:
cache: 'npm'
- name: Install dependencies
run: npm ci
run: bun --bun ci
- name: Run tests
run: npm test
run: bun --bun test
- name: Build
run: npm run build
run: bun --bun run build
env:
DATABASE_URL: ${{ secrets.DATABASE_URL }}
NEXTAUTH_SECRET: ${{ secrets.NEXTAUTH_SECRET }}

0
.claude/skills/typescript-sdk/.openskills.json → .claude/skills/openrouter-typescript-sdk/.openskills.json
View File

2
.claude/skills/typescript-sdk/SKILL.md → .claude/skills/openrouter-typescript-sdk/SKILL.md
View File

@@ -13,7 +13,7 @@ A comprehensive TypeScript SDK for interacting with OpenRouter's unified API, pr
## Installation
```bash
npm install @openrouter/sdk
bun --bun install @openrouter/sdk
```
## Setup

0
.claude/skills/typescript-sdk/metadata.json → .claude/skills/openrouter-typescript-sdk/metadata.json
View File

30
.claude/skills/typescript-expert/SKILL.md
View File

@@ -27,10 +27,10 @@ You are an advanced TypeScript expert with deep, practical knowledge of type-lev
```bash
# Core versions and configuration
npx tsc --version
node -v
bunx --bun tsc --version
bun --bun -v
# Detect tooling ecosystem (prefer parsing package.json)
node -e "const p=require('./package.json');console.log(Object.keys({...p.devDependencies,...p.dependencies}||{}).join('\n'))" 2>/dev/null | grep -E 'biome|eslint|prettier|vitest|jest|turborepo|nx' || echo "No tooling detected"
bun --bun -e "const p=require('./package.json');console.log(Object.keys({...p.devDependencies,...p.dependencies}||{}).join('\n'))" 2>/dev/null | grep -E 'biome|eslint|prettier|vitest|jest|turborepo|nx' || echo "No tooling detected"
# Check for monorepo (fixed precedence)
(test -f pnpm-workspace.yaml || test -f lerna.json || test -f nx.json || test -f turbo.json) && echo "Monorepo detected"
```
@@ -48,10 +48,10 @@ You are an advanced TypeScript expert with deep, practical knowledge of type-lev
4. Validate thoroughly:
```bash
# Fast fail approach (avoid long-lived processes)
npm run -s typecheck || npx tsc --noEmit
npm test -s || npx vitest run --reporter=basic --no-watch
bun --bun run -s typecheck || bunx --bun tsc --noEmit
bun --bun test -s || bunx --bun vitest run --reporter=basic --no-watch
# Only if needed and build affects outputs/config
npm run -s build
bun --bun run -s build
```
**Safety note:** Avoid watch/serve processes in validation. Use one-shot diagnostics only.
@@ -110,7 +110,7 @@ type Route = typeof routes[number]; // '/home' | '/about' | '/contact'
**Type Checking Performance**
```bash
# Diagnose slow type checking
npx tsc --extendedDiagnostics --incremental false | grep -E "Check time|Files:|Lines:|Nodes:"
bunx --bun tsc --extendedDiagnostics --incremental false | grep -E "Check time|Files:|Lines:|Nodes:"
# Common fixes for "Type instantiation is excessively deep"
# 1. Replace type intersections with interfaces
@@ -197,8 +197,8 @@ type NestedArray<T, D extends number = 5> =
# 4. Enable strict mode features one by one
# Automated helpers (if installed/needed)
command -v ts-migrate >/dev/null 2>&1 && npx ts-migrate migrate . --sources 'src/**/*.js'
command -v typesync >/dev/null 2>&1 && npx typesync # Install missing @types packages
command -v ts-migrate >/dev/null 2>&1 && bunx --bun ts-migrate migrate . --sources 'src/**/*.js'
command -v typesync >/dev/null 2>&1 && bunx --bun typesync # Install missing @types packages
```
**Tool Migration Decisions**
@@ -275,20 +275,20 @@ test('Avatar props are correctly typed', () => {
### CLI Debugging Tools
```bash
# Debug TypeScript files directly (if tools installed)
command -v tsx >/dev/null 2>&1 && npx tsx --inspect src/file.ts
command -v ts-node >/dev/null 2>&1 && npx ts-node --inspect-brk src/file.ts
command -v tsx >/dev/null 2>&1 && bunx --bun tsx --inspect src/file.ts
command -v ts-node >/dev/null 2>&1 && bunx --bun ts-node --inspect-brk src/file.ts
# Trace module resolution issues
npx tsc --traceResolution > resolution.log 2>&1
bunx --bun tsc --traceResolution > resolution.log 2>&1
grep "Module resolution" resolution.log
# Debug type checking performance (use --incremental false for clean trace)
npx tsc --generateTrace trace --incremental false
bunx --bun tsc --generateTrace trace --incremental false
# Analyze trace (if installed)
command -v @typescript/analyze-trace >/dev/null 2>&1 && npx @typescript/analyze-trace trace
command -v @typescript/analyze-trace >/dev/null 2>&1 && bunx --bun @typescript/analyze-trace trace
# Memory usage analysis
node --max-old-space-size=8192 node_modules/typescript/lib/tsc.js
bun --bun --max-old-space-size=8192 node_modules/typescript/lib/tsc.js
```
### Custom Error Classes

8
.claude/skills/typescript-expert/scripts/ts_diagnostic.py
View File

@@ -23,8 +23,8 @@ def check_versions():
print("\n📦 Versions:")
print("-" * 40)
ts_version = run_cmd("npx tsc --version 2>/dev/null").strip()
node_version = run_cmd("node -v 2>/dev/null").strip()
ts_version = run_cmd("bunx --bun tsc --version 2>/dev/null").strip()
node_version = run_cmd("bun --bun -v 2>/dev/null").strip()
print(f" TypeScript: {ts_version or 'Not found'}")
print(f" Node.js: {node_version or 'Not found'}")
@@ -134,7 +134,7 @@ def check_type_errors():
print("\n🔍 Type Check:")
print("-" * 40)
result = run_cmd("npx tsc --noEmit 2>&1 | head -20")
result = run_cmd("bunx --bun tsc --noEmit 2>&1 | head -20")
if "error TS" in result:
errors = result.count("error TS")
print(f"{errors}+ type errors found")
@@ -174,7 +174,7 @@ def check_performance():
print("\n⏱️ Type Check Performance:")
print("-" * 40)
result = run_cmd("npx tsc --extendedDiagnostics --noEmit 2>&1 | grep -E 'Check time|Files:|Lines:|Nodes:'")
result = run_cmd("bunx --bun tsc --extendedDiagnostics --noEmit 2>&1 | grep -E 'Check time|Files:|Lines:|Nodes:'")
if result.strip():
for line in result.strip().split('\n'):
print(f" {line}")

2
.claude/skills/typescript-pro/references/configuration.md
View File

@@ -424,7 +424,7 @@ tsc --extendedDiagnostics
tsc --generateTrace trace
# Analyze with @typescript/analyze-trace
npx @typescript/analyze-trace trace
bunx --bun @typescript/analyze-trace trace
```
## Quick Reference

16
.ruler/99-OPENSKILLS.md
View File

@@ -29,8 +29,8 @@ Usage notes:
</skill>
<skill>
<name>broken-authentication</name>
<description>"Identify and exploit authentication and session management vulnerabilities in web applications. Broken authentication consistently ranks in the OWASP Top 10 and can lead to account takeover, identity theft, and unauthorized access to sensitive systems."</description>
<name>bun-development</name>
<description>"Fast, modern JavaScript/TypeScript development with the Bun runtime, inspired by [oven-sh/bun](https://github.com/oven-sh/bun)."</description>
<location>project</location>
</skill>
@@ -70,6 +70,12 @@ Usage notes:
<location>project</location>
</skill>
<skill>
<name>openrouter-typescript-sdk</name>
<description>Complete reference for integrating with 300+ AI models through the OpenRouter TypeScript SDK using the callModel pattern</description>
<location>project</location>
</skill>
<skill>
<name>react-nextjs-development</name>
<description>"React and Next.js 14+ application development with App Router, Server Components, TypeScript, Tailwind CSS, and modern frontend patterns."</description>
@@ -100,6 +106,12 @@ Usage notes:
<location>project</location>
</skill>
<skill>
<name>zod-validation-expert</name>
<description>"Expert in Zod — TypeScript-first schema validation. Covers parsing, custom errors, refinements, type inference, and integration with React Hook Form, Next.js, and tRPC."</description>
<location>project</location>
</skill>
</available_skills>
<!-- SKILLS_TABLE_END -->