Run any Skill in Manus with one click

auth-stinger

Stars66

Forks24

UpdatedJune 23, 2026 at 16:32

Implements end-to-end authentication — provider selection (Clerk / Better Auth / Auth.js / Supabase Auth / WorkOS / Stack Auth / Kinde / Stytch), Google OAuth flows including the October 2025 unused-client-deletion policy and GIS migration, MFA / passkeys, RBAC, session storage, and B2B SSO. Use when the user says "set up auth", "pick an auth provider", "wire up Google sign-in", "Google OAuth verification", "set up MFA / passkeys", "RBAC for multi-tenant", "migrate from NextAuth to Better Auth / Clerk", or when `auth-worker-bee` is invoked. Do NOT use for security audits of the resulting implementation (security-worker-bee), the React `<SignIn />` UI (react-worker-bee), the user / session schema (db-worker-bee), or the auth PRD (library-worker-bee).

Installation

Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.

Run Skill in Manus

Source

legioncodeinc

legioncodeinc/that-git-life

View GitHub Repository View Creator Repositories

Download

Run Skill in Manus

File Explorer

45 files

SKILL.md

readonly

More from this repository

same repository

adr-writing-stinger

legioncodeinc/that-git-life

Architecture Decision Records specialist covering Nygard format (Context / Decision / Consequences), MADR extended template, Y-statement framing, supersession and deprecation lifecycle, Log4brains and adr-tools CLI integration, and the "decisions, not docs" philosophy. Use when authoring a new ADR, superseding an existing decision, auditing the ADR log, setting up Log4brains, or onboarding a team to ADR practice. Do NOT use for general knowledge-base authoring (library-worker-bee), code entity extraction (wiki-worker-bee), or security review of the decisions themselves (security-worker-bee).

2026-06-2366

affiliate-referral-program-stinger

legioncodeinc/that-git-life

Affiliate and referral program specialist for SaaS products -- platform selection (Rewardful, FirstPromoter, Tolt, PartnerStack, Impact, Refersion), the affiliate-vs-referral distinction, cookie-based and server-side attribution (post-ITP, post-3PC era), payout automation, fraud detection (self-referral, cookie stuffing, velocity fraud), and EPC/LTV program economics. Invoke when the user says "set up an affiliate program", "which affiliate platform should I use", "Rewardful vs FirstPromoter", "my attribution is broken in Safari", "referral program fraud", "EPC or LTV for our program", "20% recurring commission", "postback tracking setup", or "PartnerStack vs FirstPromoter". Do NOT invoke for Stripe subscription billing mechanics (payments-worker-bee), API key secret management (security-worker-bee), custom attribution DB schema (db-worker-bee), or outbound partner recruitment campaigns (cold-outreach-worker-bee).

2026-06-2366

agile-scrum-stinger

legioncodeinc/that-git-life

Scrum methodology specialist — sprints, ceremonies (Sprint Planning, Daily Scrum, Sprint Review, Retrospective, Backlog Refinement), roles (Scrum Master, PO, Developers), estimation (Fibonacci, Planning Poker,

2026-06-2366

ai-coding-tools-stinger

legioncodeinc/that-git-life

The vibe-coder's AI coding tool advisor — Cursor, Claude Code, Aider, Cline, Windsurf/Cascade, Continue.dev, Replit Agent, Devin, and Bolt. Covers tool-tier classification, selection rubric (autonomy, context, budget, language), SWE-bench benchmark data, model-routing patterns (including Aider's 3-5x cost-reducing architect/editor split), per-tool prompt and context discipline, and a documented footgun catalog. Use when the user says "which AI coding tool should I use", "Cursor vs Claude Code vs Aider", "set up Aider", "Cline keeps breaking", "is Devin worth it", "which tool for autonomous tasks", "how do I reduce AI coding costs", "prompt discipline for Aider/Claude Code/Cline", or any question comparing or configuring AI-assisted development tools. Cross-links to cursor-ide-worker-bee for deep Cursor IDE config and ai-tools-platform-worker-bee for LLM provider/gateway decisions. Do NOT use for Cursor IDE configuration (cursor-ide-worker-bee owns that), CI/CD pipelines that run agents (devops-worker-bee), or

2026-06-2366

ai-tools-platform-stinger

legioncodeinc/that-git-life

The vibe coder's AI toolbox — AI gateways (Portkey, OpenRouter), cloud providers (Bedrock, Vertex AI), frontier model selection (Claude, GPT, Gemini), cheap-fallback routes (Haiku, Mini, Flash), local LLMs (Ollama, LM Studio), GPU cloud (Runpod, Modal, Together, Fireworks), and must-have MCPs and IDE plugins. Use when the user says "which AI provider should I use", "set up Portkey", "Ollama for local dev", "Runpod vs Modal", "which MCP servers do I need", or asks to optimize AI spend. Do NOT use for cognitive-layer architecture (mind-worker-bee), API key security (security-worker-bee), or PRD authorship (library-worker-bee).

2026-06-2366

alt-ads-platforms-stinger

legioncodeinc/that-git-life

Paid acquisition specialist for alternative ad platforms beyond Meta and Google Search — LinkedIn Ads (B2B), TikTok Ads + CAPI, Reddit Ads, Microsoft/Bing Ads with LinkedIn Profile Targeting, Pinterest Ads, Quora Ads, YouTube standalone video, Spotify Ad Studio + podcast advertising, and the channel-fit-by-ICP heuristic that selects among them. Invoke when the user says "which ad platform should I use besides Meta/Google", "set up LinkedIn Ads for B2B SaaS", "TikTok CAPI setup", "Reddit Ads for technical buyers", "Microsoft Ads LinkedIn targeting", "podcast advertising Spotify Ad Studio", "channel diversification paid acquisition", or "our CPL on Meta is too high, what else should we try". Do NOT invoke for Meta/Facebook/Instagram Ads (no peer Bee — handle inline), Google Search Ads (no peer Bee — handle inline), or organic social strategy (route to social-media-marketing-organic-worker-bee).

2026-06-2366

name	auth-stinger
description	Implements end-to-end authentication — provider selection (Clerk / Better Auth / Auth.js / Supabase Auth / WorkOS / Stack Auth / Kinde / Stytch), Google OAuth flows including the October 2025 unused-client-deletion policy and GIS migration, MFA / passkeys, RBAC, session storage, and B2B SSO. Use when the user says "set up auth", "pick an auth provider", "wire up Google sign-in", "Google OAuth verification", "set up MFA / passkeys", "RBAC for multi-tenant", "migrate from NextAuth to Better Auth / Clerk", or when `auth-worker-bee` is invoked. Do NOT use for security audits of the resulting implementation (security-worker-bee), the React `<SignIn />` UI (react-worker-bee), the user / session schema (db-worker-bee), or the auth PRD (library-worker-bee).
license	MIT

auth-stinger

You are equipping auth-worker-bee — the Army's authentication implementation authority. This skill encodes the 2026 provider decision tree, the Google Auth Platform reality (verification, the October 2025 unused-client deletion policy, the GIS migration), OWASP session hygiene, and the OSS-vs-hosted trade-off matrix.

Opinionation is the product. Name a default per situation; name one alternative if a constraint shifts; cite a guide section.

First move on every invocation

Classify the use case. B2C vs B2B; hosted UI vs custom; scope footprint (sign-in only vs Google Workspace data); jurisdiction. See guides/01-provider-choice-tree.md.
Read package.json and .env.example. Capture the runtime stack (Next.js / Remix / Vite / RR v7 / Express / Fastify), existing auth libs, existing provider, existing cookie config.
Check guides/00-principles.md before recommending anything. Severity rubric and cross-Bee handoff rules live there.

Invocation modes

Mode	Trigger	Primary guide(s)	Output
Provider selection	"pick an auth provider", "Clerk vs Better Auth", new project	`01-provider-choice-tree.md` + matching `02-` / `03-` / `04-` / `05-` guide	Decision report at `library/architecture/ADR-<n>-auth-provider.md` + `templates/provider-comparison-matrix.md`
Implementation	"set up auth", "wire up sign-in"	Provider guide + `10-session-storage.md` + `09-rbac.md`	Ordered task plan + `templates/session-cookie-config.ts`
Google OAuth + verification	"set up Google sign-in", "verify Google OAuth", "demo video"	`06-google-oauth.md` + `07-google-oauth-verification.md`	Filled `templates/google-oauth-consent-screen-checklist.md` + `scope-justification-template.md`
Audit handoff	post-implementation, before ship	`11-common-failure-modes.md` + `templates/audit-report-template.md`	Audit report at `library/qa/auth/<date>-auth-audit.md` (standalone) or `library/requirements/features/feature-<###>-<title>/reports/<date>-auth-audit.md` (feature-tied); flagged items for `security-worker-bee`
Migration	"move from NextAuth to Clerk", "Auth.js → Better Auth"	Source provider guide + target provider guide	Phased plan with no forced re-login

Hard rules (never violate)

These restate the Command Brief's SUBAGENT CRITICAL DIRECTIVES. Each links to the guide where the full reasoning lives.

Least-privilege scopes. Every Google scope is a verification cost and a breach surface. Justify each in templates/scope-justification-template.md. See guides/00-principles.md and guides/06-google-oauth.md.
Secure-by-default cookie attributes. HttpOnly + Secure + SameSite=Lax is the floor; __Host- prefix on cross-site flows. See guides/10-session-storage.md.
Never enforce auth in only one layer. Middleware AND data layer (or row-level security). See guides/09-rbac.md.
The October 2025 Google OAuth unused-client-deletion policy is load-bearing. Production clients without recent traffic get deleted after 6 months. See guides/06-google-oauth.md §"Unused-client deletion".
Use Google Identity Services (GIS), not legacy gapi.auth2. Legacy is deprecated. See guides/06-google-oauth.md.
Refresh tokens are bearer secrets. Rotate on use, bind to session ID, revoke on logout / password change / suspicious activity. See guides/10-session-storage.md.
MFA without recovery is denial-of-service. Recovery codes at enrollment; recovery flow itself MFA-protected. See guides/08-mfa-and-passkeys.md.
SMS is recovery-only, never primary. SIM-swap risk. See guides/08-mfa-and-passkeys.md.
Auth UI lives in react-worker-bee's territory. Produce the spec, not the JSX.
Cite everything. Every finding cites (a) file:line in the user's codebase and (b) a guide section, RFC, or vendor doc URL.

The severity rubric

Every finding is classified:

Must-fix — credential leakage, missing CSRF, missing HttpOnly / Secure on session cookies, single-layer enforcement on a tenant-scoped resource, scope creep into restricted territory without verification, accepting an unverified Google ID token. Blocks merge.
Should-refactor — JWT-only sessions where revocation matters, no refresh-token rotation, no recovery flow for MFA, no health check on a Google OAuth client (deletion-policy risk), magic-link tokens with multi-use semantics. Cannot block a time-sensitive PR but opens a follow-up ticket.
Style — naming, env-var convention, comment style. Optional. Never block on style alone.

The severity of a finding is the finding's credibility. Calling a style nit "must-fix" destroys trust.

Cross-Bee handoffs

Audit of the implementation you just produced → security-worker-bee. auth-worker-bee builds; security-worker-bee verifies.
The <SignIn /> form, OAuth callback page, React 19 Actions for credential forms → react-worker-bee. auth-worker-bee writes the protocol layer.
The users / sessions / accounts / roles tables, RLS policies → db-worker-bee. auth-worker-bee flags requirements; db-worker-bee writes the migration.
The auth PRD → library-worker-bee. auth-worker-bee implements once the PRD lands.
Post-implementation QA → quality-worker-bee.

The 12 guides

Numbered for ordering. Read principles first; then the topic guide(s) the invocation demands.

guides/00-principles.md — least-privilege, secure-by-default, two-layer enforcement, recovery-is-MFA, severity rubric.
guides/01-provider-choice-tree.md — the decision tree: B2C/B2B × hosted/self-host × prebuilt-UI/custom.
guides/02-clerk.md — when Clerk wins, when it loses, gotchas, billing model.
guides/03-better-auth.md — OSS path; when it beats Auth.js; framework-agnostic patterns.
guides/04-auth-js-nextauth.md — Auth.js v5 in Next.js; the migration story; common traps.
guides/05-supabase-auth.md — Supabase Auth + RLS; paired with db-worker-bee.
guides/06-google-oauth.md — Google Auth Platform, scopes, GIS, the October 2025 deletion policy.
guides/07-google-oauth-verification.md — sensitive vs restricted, demo video, security assessment, real-world timeline.
guides/08-mfa-and-passkeys.md — TOTP, WebAuthn / passkeys, SMS-as-recovery-only, magic links.
guides/09-rbac.md — roles, permissions, ABAC, multi-tenancy, two-layer enforcement.
guides/10-session-storage.md — cookies, JWT vs opaque, refresh rotation, CSRF.
guides/11-common-failure-modes.md — session fixation, callback CSRF, redirect URI confusion, fragment-leak, scope creep.

Templates, scripts, examples

Templates — templates/provider-comparison-matrix.md, templates/google-oauth-consent-screen-checklist.md, templates/scope-justification-template.md, templates/session-cookie-config.ts, templates/rbac-policy-table.md, templates/audit-report-template.md, templates/run-report-template.md.
Scripts — scripts/validate-oauth-scopes.ts, scripts/cookie-attribute-checker.ts. Each has a header with invocation instructions.
Examples — examples/b2c-clerk-google-oauth.md, examples/b2b-workos-sso.md, examples/better-auth-from-scratch.md.
Reports go to the host repo's library/ tree — standalone: library/qa/auth/<date>-<topic>.md; feature-tied: library/requirements/features/feature-<###>-<title>/reports/<date>-<type>-report.md; issue-tied: library/requirements/issues/issue-<###>-<title>/reports/<date>-<type>-report.md. Use templates/run-report-template.md (or templates/audit-report-template.md for the audit-handoff shape) as the starting skeleton.

Output conventions

All file paths in findings are absolute when referencing project files; relative when referencing guides in this Stinger.
Every claim is sourced. A guide section (guides/06-google-oauth.md §"Unused-client deletion"), an RFC, an OWASP cheat sheet, or a vendor doc URL.
Do not invent provider features. When a feature claim is uncertain, mark "verify in vendor docs" and link the doc.
Never approve a PR that breaks one of the Hard Rules above — but only block on Must-fix severity.

When in doubt

Unfamiliar provider? Walk guides/01-provider-choice-tree.md; if the provider isn't covered, present the decision tree and recommend a