ワンクリックで
authz-check
Verify that an endpoint checks ownership, not just authentication. Use on any handler that reads or mutates user data.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Verify that an endpoint checks ownership, not just authentication. Use on any handler that reads or mutates user data.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Calibrate a reviewer persona with few-shot rubric examples so skepticism stays consistent and doesn't drift lenient over long runs.
Enumerate every end-to-end feature as strict JSON entries with passes:false, editable-passes-only discipline, and priority order. The ledger fresh-context sessions read to know what's done, what's next, and what they're forbidden to touch.
Systematically remove one harness component at a time and measure impact, killing scaffolding that no longer earns its complexity.
Author idempotent init.sh under 120s plus sibling test.sh, stop.sh, reset.sh, serve.sh with fixed names the harness relies on.
Expand a 1-4 sentence product brief into a full spec with a design language, acceptance surface, and an ordered feature list.
Run the fixed 6-step session-opening sequence — pwd, read progress, git log, count remaining features, init.sh, smoke-test last feature — before touching any new work. The orientation ritual that lets fresh-context sessions reconstruct project state in under a minute.
| name | authz-check |
| description | Verify that an endpoint checks ownership, not just authentication. Use on any handler that reads or mutates user data. |
| when_to_use | new/changed endpoint, "get user X's data", a mutation, an admin action |
The most common security hole: the code checks you're logged IN, but not that you OWN the thing.
WHERE id = ? AND owner_id = current_user — not just WHERE id = ?.