// Use when reviewing code security, auditing dependencies for CVEs, checking configuration or secret security, assessing authentication and authorization patterns, identifying OWASP vulnerabilities (injection, XSS, CSRF), or addressing security concerns about implementations.
Comprehensive UX audit using IxDF's 7 factors, 5 usability characteristics, and 5 interaction dimensions. Holistic evaluation with redesign proposals based on user-centered design principles.
Conduct enterprise-grade research with multi-source synthesis, citation tracking, and verification. Use when user needs comprehensive analysis requiring 10+ sources, verified claims, or comparison of approaches. Triggers include "deep research", "comprehensive analysis", "research report", "compare X vs Y", or "analyze trends". Do NOT use for simple lookups, debugging, or questions answerable with 1-2 searches.
Web scraping with anti-bot bypass, content extraction, undocumented APIs and poison pill detection. Use when extracting content from websites, handling paywalls, implementing scraping cascades or processing social media. Covers requests, trafilatura, Playwright with stealth mode, yt-dlp and instaloader patterns.
Production-tested setup for Tailwind CSS v4 with shadcn/ui, Vite, and React. Use when: initializing React projects with Tailwind v4, setting up shadcn/ui, implementing dark mode, debugging CSS variable issues, fixing theme switching, migrating from Tailwind v3, or encountering color/theming problems. Covers: @theme inline pattern, CSS variable architecture, dark mode with ThemeProvider, component composition, vite.config setup, common v4 gotchas, and production-tested patterns. Keywords: Tailwind v4, shadcn/ui, @tailwindcss/vite, @theme inline, dark mode, CSS variables, hsl() wrapper, components.json, React theming, theme switching, colors not working, variables broken, theme not applying, @plugin directive, typography plugin, forms plugin, prose class, @tailwindcss/typography, @tailwindcss/forms
Use when evaluating business model viability, analyzing profitability per customer/product/transaction, validating startup metrics (CAC, LTV, payback period), making pricing decisions, assessing scalability, comparing business models, or when user mentions unit economics, CAC/LTV ratio, contribution margin, customer profitability, break-even analysis, or needs to determine if a business can be profitable at scale.
When the user wants to audit, review, or diagnose SEO issues on their site. Also use when the user mentions "SEO audit," "technical SEO," "why am I not ranking," "SEO issues," "on-page SEO," "meta tags review," or "SEO health check." For building pages at scale to target keywords, see programmatic-seo. For adding structured data, see schema-markup.
| name | security-audit |
| agents | ["yokay-security-scanner"] |
| description | Use when reviewing code security, auditing dependencies for CVEs, checking configuration or secret security, assessing authentication and authorization patterns, identifying OWASP vulnerabilities (injection, XSS, CSRF), or addressing security concerns about implementations. |
Systematic security review for application code, dependencies, and configuration.
Not a replacement for professional penetration testing. Identifies common vulnerabilities within scope of code review.
| Type | Focus | When to Use |
|---|---|---|
| Code Review | OWASP Top 10, injection, auth | New features, PRs, suspicious code |
| Dependency | CVEs, outdated packages | Before deploy, periodic, CI/CD |
| Configuration | Secrets, permissions, hardening | Infrastructure changes, new envs |
| Architecture | Attack surface, data flow | Design phase, major refactors |
| API Security | Auth, authz, rate limiting | New endpoints, public APIs |
api-design for designing OAuth2/JWT endpoints from scratchperformance-optimization even if caused by auth overheadci-cd for pipeline hardening (secret management, permissions)| Reference | Description |
|---|---|
| owasp-top-10.md | OWASP vulnerabilities with detection and fixes |
| dependency-security.md | npm audit, pip-audit, Snyk, CI/CD integration |
| auth-patterns.md | Secure authentication and authorization patterns |
| api-security.md | API-specific security concerns |
| secrets-management.md | Handling sensitive configuration |