Run a repeatable, multi-dimension code-quality / architecture / WOPI-spec-compliance audit of the WopiHost codebase and produce a tracker-ready findings report. Use this whenever the user wants to sweep the codebase for smells — code duplication, leaky abstractions, architectural inconsistencies, non-idiomatic .NET / Minimal-API patterns, wrong patterns, refactoring opportunities, security smells, performance issues, tech debt (TODOs, `#pragma` suppressions, hardcoded constants), test-coverage gaps, or WOPI spec non-compliance. Trigger on phrasings like "audit the codebase", "find code smells", "tech-debt sweep", "is the codebase in good shape", "review the architecture", "find duplication / leaky abstractions / refactors", "check WOPI spec compliance", or "keep the codebase in top shape" — even when the user doesn't say the word "audit". This is the standing health-check for the repo; prefer it over an ad-hoc grep sweep.
Run a repeatable, threat-model-driven security audit of the WopiHost codebase and produce a tracker-ready findings report. Use this whenever the user wants a security-focused sweep — a WOPI threat-model review, "is this safe to ship", token/JWT and WOPI-proof validation, access-token scoping and authorization-bypass, path traversal in a storage provider, secret handling (keys, tokens, proof headers in logs), constant-time comparison, weak randomness, postMessage / origin validation, XXE in discovery-XML parsing, dependency CVEs, dev-only escape hatches, or info disclosure. Trigger on phrasings like "security audit", "security review", "threat model", "pen-test the host", "check for auth bypass / path traversal / secret leakage", "is the token handling safe", "harden the host", or "find security holes" — even when the user doesn't say the word "audit". This is the security counterpart to `codebase-audit` (which is the broad code-quality sweep); reach for this one when the lens is specifically security.
Turn the merged-PR changelog since the last release into polished, consolidated GitHub release notes (Highlights, ✨ New, 🐛 Fixes, 🧹 Refactors, 🔧 Maintenance/CI/deps, 💥 Breaking changes, and a verified Migration guide) modeled on this repo's prior releases, then open a **draft** GitHub release for review. Use whenever the user wants to cut, prep, draft, or write notes for a release. Trigger on phrasings like "prep a release", "prepare the 9.0.0 release", "cut a release", "draft a release", "release X.Y.Z", "write release notes", or "generate the changelog for the next version" — even when the version number isn't given.