From hatch3r
Verifies security gates before commit/release: OAuth 2.1+OIDC+DPoP+WebAuthn, supply-chain checks (SBOM, provenance, SHA-pin, cosign), OWASP ASI01-10 coverage, and CVE acknowledgement.
Slash command: /hatch3r:hatch3r-security-verify
This skill defines what "done" means for any feature shipping security-sensitive code or release-touching artifacts. Run before declaring a feature complete. The 8 gates below mix automated checks (machine-checkable on every PR) with one release-cadence gate (CVE acknowledgement at release-cut). Skipping any gate = the feature is not done. Reviewer approval and passing functional tests alone do not satisfy this bar — a missing PKCE flag, an unpinned action SHA, or an alg: none JWT verifier ships exploitable code.
Inputs the skill expects:
- src/auth/ (or equivalent path), .github/workflows/, lockfiles (package-lock.json / pnpm-lock.yaml / yarn.lock), and release manifests (Dockerfile, kubernetes/*.yaml).
- gh api repos/{owner}/{repo}/dependabot/alerts) for Gate 8.
- algorithms, audience, issuer).

Outputs the skill produces: an 8-line verdict block written to the PR conversation, plus a JSON artifact at .audit-workspace/security-verify-<sha>.json for downstream consumption by hatch3r-release.
Before any work, scan the invocation for unresolved questions in scope, intent, acceptance criteria, target environment, or irreversibility. If any are found, ask the user via the platform-native question tool per agents/shared/user-question-protocol.md. Default path, not exception. Triggers for THIS skill: auth-flow scope (sign-in vs refresh vs step-up vs M2M), release-surface scope (workflow YAML vs container manifests vs SBOM tooling), gate selection (auth-only vs supply-chain-only vs full), threat-model assumptions (DPoP-bound browser tokens vs mTLS-bound service tokens vs bare bearer), and fix authority (fixes-in-scope vs audit-only).
Fan-out scales with task size; token cost never justifies serializing independent work (rules/hatch3r-fan-out-discipline.md P8 B2; agents/shared/efficiency-patterns.md). Emit sub_agents_spawned: { count, rationale } in your output.
This skill is the verification HARNESS — it declares HOW each security gate is checked. The DISPATCHER that decides WHEN to run it is the CQ specialist agent:
- agents/hatch3r-security.md — invokes this skill as the closing security gate (CQ3) on auth-touching PRs and release-prep flows. The agent contributes the review trigger and Phase-4 dispatch; this skill contributes the 8-gate procedure.

No duplication: the agent decides WHEN, this skill defines HOW.
- response_type=code only; implicit grant absent; ROPC grant absent.
- redirect_uri allowlist (no wildcards); refresh-token rotation with reuse detection that revokes the entire token family on reuse.
- rg -n "response_type=code" src/auth/ | rg -v "code_challenge" — any match fails this gate (auth-code flow without PKCE).
- rg -n "grant_type=(implicit|password)" src/auth/ — any match fails this gate.
- draft-ietf-oauth-v2-1-15.

- iss, aud, azp (when aud is multi-valued), exp, nonce, and JWKS signature before session creation.
- end_session_endpoint) and back-channel logout wired for SSO sessions.
- rg -n "jwt\.(verify|decode)" src/auth/ | rg -v "audience|issuer" — any match fails this gate (validator missing aud or iss).

- htm/htu/iat/jti claims and access token bound via cnf.jkt thumbprint.
- rg -n "Bearer " src/ | rg -v "DPoP|mTLS|cnf\.jkt" — any browser-issued bearer without sender constraint fails the gate.

- alg pinned per issuer; alg: none rejected at the verifier; alg: HS* rejected when verification key is asymmetric (key-confusion guard).
- kid resolved against JWKS endpoint with cache TTL 1-24h; no PII in payload; revocation strategy named (introspection OR token-version table).
- rg -n "alg.*none|jwt\.verify\([^,]+,[^,)]+\)$" src/ — any match fails this gate (alg: none accepted OR no algorithms option pinned).

- --provenance; every GitHub Action reference is a 40-char commit SHA.
- rg -n "uses: [^@]+@v?[0-9]+(\.[0-9]+)*$" .github/workflows/ — any match fails this gate (tag instead of 40-char SHA).
- gh release view --json assets --jq '.assets[].name' | rg -i "(cyclonedx|spdx)" — empty output on tagged release fails this gate.

- origin allowlist verified at assertion; RP-ID hash matched.
- user.id is a server-side opaque identifier (NOT email or username).
- rg -n "signCount" src/ | rg -v "[><]" — any match fails this gate (counter stored without strict-monotonic check).

- __Host- prefix + HttpOnly + Secure + SameSite=Strict|Lax.
- SameSite=None paired with Partitioned (CHIPS) only when the cross-site context is documented.
- rg -n "Set-Cookie" src/ | rg -v "__Host-|HttpOnly|Secure|SameSite" — any auth cookie missing any flag fails this gate.

- mitigated OR accepted verdict + evidence URL.
- gh api repos/{owner}/{repo}/dependabot/alerts --jq '.[] | select(.state=="open")' — any unacknowledged alert ≤90 days old fails this gate.
- rules/hatch3r-secrets-management.md.

All 8 gates pass = the feature is "done". Anything less = not done.
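The cookie check above filters with `rg -v` on the four names joined by `|`, which drops a line as soon as any one of them appears. This added example (not hatch3r's own code) tests each attribute separately and adds the SameSite=None/Partitioned pairing. It assumes each Set-Cookie string sits on one source line, uses grep -E in place of rg, and runs on constructed sample hits; all function names are hypothetical.

```sh
#!/bin/sh
# Added example, not hatch3r code. Input lines are constructed "file:line:text"
# hits in the shape `rg -n "Set-Cookie" src/` prints; grep -E stands in for rg.

sample_hits() {
  cat <<'EOF'
src/session.js:12:  res.setHeader("Set-Cookie", "__Host-sid=" + id + "; Path=/; HttpOnly; Secure; SameSite=Lax");
src/session.js:31:  res.setHeader("Set-Cookie", "sid=" + id + "; HttpOnly");
src/embed.js:8:  res.setHeader("Set-Cookie", "__Host-w=" + t + "; Path=/; HttpOnly; Secure; SameSite=None");
EOF
}

# The filter as written on the page: a hit survives only if it has none of the names.
or_filter() { grep -Ev '__Host-|HttpOnly|Secure|SameSite' || true; }

# True when the current hit matches the given extended regex.
has() { printf '%s\n' "$hit" | grep -Eq "$1"; }

# Per-attribute check: report every hit that lacks any one required attribute.
cookie_flag_gaps() {
  while IFS= read -r hit; do
    missing=""
    has '__Host-'                         || missing="$missing __Host-"
    has ';[ ]*HttpOnly'                   || missing="$missing HttpOnly"
    has ';[ ]*Secure'                     || missing="$missing Secure"
    has ';[ ]*SameSite=(Strict|Lax|None)' || missing="$missing SameSite"
    # SameSite=None is acceptable only together with Partitioned (CHIPS).
    if has 'SameSite=None' && ! has 'Partitioned'; then
      missing="$missing Partitioned"
    fi
    loc=$(printf '%s\n' "$hit" | cut -d: -f1,2)
    [ -z "$missing" ] || printf '%s: missing%s\n' "$loc" "$missing"
  done
}

sample_hits | or_filter | wc -l     # number of hits the OR filter reports
sample_hits | cookie_flag_gaps      # hits with at least one missing attribute
```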
- src/: 0 (CRITICAL on any hit).
- alg: none acceptance: 0 occurrences in src/.
- __Host- + HttpOnly + Secure + SameSite).

The orchestrator running this skill emits a single-line verdict per gate (GATE_N: PASS|FAIL <evidence-path>) and aggregates them. One FAIL on a required gate blocks the merge regardless of reviewer approval status.
Failure escalation per agents/hatch3r-security.md Status discipline table: Gate 4 fail (alg: none accepted) → CRITICAL; Gate 1 fail (refresh-token rotation absent) → CRITICAL; Gate 5 fail (production container by tag) → CRITICAL; Gate 6/3/7/2 → High; Gate 8 → Medium escalating to High when exploitable.
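The Action-pinning check and the verdict line format, as an added example (not hatch3r's own code): it flags every `uses:` reference whose ref is not a full 40-hex commit SHA, which goes beyond the version-tag regex on this page by also catching branch refs such as `@main` and lines with trailing comments. The function names, the evidence path and the mapping of this check to Gate 5 are assumptions; the sample workflow is constructed.

```sh
#!/bin/sh
# Added example, not hatch3r code. The sample workflow below is constructed.

# Print "file:line: ref" for each `uses:` ref that is not a 40-hex commit SHA.
unpinned_actions() {
  find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) | sort |
  while IFS= read -r f; do
    awk -v file="$f" '
      /^[ \t]*(-[ \t]*)?uses:[ \t]*/ {
        ref = $0
        sub(/^[ \t]*(-[ \t]*)?uses:[ \t]*/, "", ref)
        sub(/[ \t]+#.*$/, "", ref)               # drop trailing "# v2.0.0" comment
        gsub("[^A-Za-z0-9_./@:-]", "", ref)      # drop quotes and stray whitespace
        if (ref ~ /^\.\//) next                  # local action: nothing to pin
        at = index(ref, "@"); sha = substr(ref, at + 1)
        if (at > 0 && length(sha) == 40 && sha !~ /[^0-9a-f]/) next
        printf "%s:%d: %s\n", file, NR, ref
      }' "$f"
  done
}

# Write findings to the evidence file and emit the verdict line format.
# Assumption: the Action-pinning check reports under Gate 5.
gate5_sha_pin() {
  unpinned_actions "$1" > "$2"
  if [ -s "$2" ]; then echo "GATE_5: FAIL $2"; return 1; fi
  echo "GATE_5: PASS $2"
}

# Constructed sample input (the 40-hex SHA is a placeholder, not a real commit).
make_sample_workflow() {
  mkdir -p "$1"
  cat > "$1/ci.yml" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/build@0123456789abcdef0123456789abcdef01234567 # v2.0.0
      - uses: example-org/deploy@main
      - uses: ./.github/actions/local
EOF
}

demo_dir=$(mktemp -d)
make_sample_workflow "$demo_dir/workflows"
gate5_sha_pin "$demo_dir/workflows" "$demo_dir/gate5.txt" || true
cat "$demo_dir/gate5.txt"
```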
- src/auth/*, JWT verification, cookie wiring, OAuth client config, WebAuthn ceremony, or release workflow under .github/workflows/*.yml.
- tags: floor:security or tags: floor:content-quality.

- rules/hatch3r-auth-patterns.md
- rules/hatch3r-passkey-server.md
- rules/hatch3r-security-patterns.md
- rules/hatch3r-secrets-management.md
- rules/hatch3r-dependency-management.md
- rules/hatch3r-container-hardening.md

- draft-ietf-oauth-v2-1-15) — datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/
- openid.net/specs/openid-connect-core-1_0.html
- www.rfc-editor.org/rfc/rfc9449.html
- www.rfc-editor.org/rfc/rfc8725.html
- www.w3.org/TR/webauthn-3/
- owasp.org/www-project-cyclonedx/
- sigstore.dev
- owasp.org/www-project-application-security-verification-standard/

npx claudepluginhub hatch3r/hatch3r --plugin hatch3r