auth
// Explicit helper for authentication and payment implementation with Clerk, Supabase Auth, or Stripe. Do NOT load for: general UI work, database design, or non-auth features.
| name | auth |
| description | Explicit helper for authentication and payment implementation with Clerk, Supabase Auth, or Stripe. Do NOT load for: general UI work, database design, or non-auth features. |
| description-en | Explicit helper for authentication and payment implementation with Clerk, Supabase Auth, or Stripe. Do NOT load for: general UI work, database design, or non-auth features. |
| description-ja | Clerk、Supabase Auth、Stripe を使う認証・決済実装の明示補助スキル。一般的なUI作業、データベース設計、認証以外の機能には使わない。 |
| allowed-tools | ["Read","Write","Edit","Bash"] |
| user-invocable | false |
| disable-model-invocation | true |
A skill group responsible for implementing authentication and payment features.
| Feature | Details |
|---|---|
| Authentication | See references/authentication.md |
| Payments | See references/payments.md |
Because authentication and payment features always carry high security risk, always display the following before starting work:
🔐 Security Checklist
This work is security-critical. Confirm the following:
### Authentication
- [ ] Passwords are hashed (bcrypt/argon2)
- [ ] Session management is secure (HttpOnly cookies)
- [ ] CSRF protection is implemented
- [ ] Rate limiting is in place (brute-force protection)
### Payments
- [ ] No sensitive data (card numbers, etc.) is stored on the server
- [ ] The Stripe / payment provider SDK is used correctly
- [ ] Webhook signatures are verified
- [ ] Amount tampering is prevented (the amount is finalized server-side)
### Common
- [ ] Error messages are not overly detailed (prevents information leakage)
- [ ] No sensitive data is written to logs
⚠️ Caution level: 🔴 High
This feature carries the following risks:
- Credential leakage
- Unauthorized access
- Fraudulent manipulation of payments
Review by a specialist is recommended.
🔐 Building login and payment features safely
1. **"Hash" passwords**
- Store them in a form from which the original password cannot be recovered
- Safe even if the data is leaked
2. **Do not store card data on the server**
- Leave it to a dedicated service such as Stripe
- Never store any of it on your own server
3. **Keep error messages vague**
- "Authentication failed" rather than "Wrong password"
- Do not give hints to malicious actors
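The "webhook signature verification" item in the payments checklist above is the one most often skipped or done with a plain string compare. The following is an added example, not code from this skill or from Stripe's SDK: it reimplements the check that the Stripe SDK's webhook helper performs, using Stripe's documented `Stripe-Signature` header layout (`t=<unix time>,v1=<hex HMAC-SHA256>` over `"<t>.<raw body>"`) with a replay-tolerance window and a constant-time comparison. The endpoint secret and event body are constructed sample values; in a real app, keep using the provider SDK and the raw request body, not a re-serialized JSON object.

```python
import hashlib
import hmac
import time
from typing import List, Optional

# Constructed sample values for the example (not real credentials or events).
ENDPOINT_SECRET = "whsec_constructed_example_secret"
SAMPLE_BODY = b'{"id":"evt_constructed","type":"checkout.session.completed"}'
TOLERANCE_SECONDS = 300  # replay window; same default the Stripe SDK uses


def _compute_v1(secret: str, timestamp: int, payload: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<raw body>" (the v1 scheme)."""
    signed_payload = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def sign_payload(secret: str, timestamp: int, payload: bytes) -> str:
    """Build a Stripe-Signature style header; used here to construct test input."""
    return f"t={timestamp},v1={_compute_v1(secret, timestamp, payload)}"


def verify_webhook(payload: bytes, sig_header: str, secret: str,
                   now: Optional[int] = None,
                   tolerance: int = TOLERANCE_SECONDS) -> bool:
    """True only if the header carries a fresh, valid v1 signature for payload."""
    now = int(time.time()) if now is None else now
    timestamp: Optional[int] = None
    candidates: List[str] = []
    for item in sig_header.split(","):
        key, _, value = item.partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not candidates:
        return False  # malformed header: reject, never fall through
    # Reject stale (or future-dated) events to limit replay of a captured webhook.
    if abs(now - timestamp) > tolerance:
        return False
    expected = _compute_v1(secret, timestamp, payload)
    # Constant-time compare; any matching v1 is enough (key rotation sends several).
    return any(hmac.compare_digest(expected, c) for c in candidates)


if __name__ == "__main__":
    header = sign_payload(ENDPOINT_SECRET, int(time.time()), SAMPLE_BODY)
    print("valid:", verify_webhook(SAMPLE_BODY, header, ENDPOINT_SECRET))
    print("tampered:", verify_webhook(SAMPLE_BODY + b" ", header, ENDPOINT_SECRET))
```

Only after this check passes should the handler act on the event, and the amount it trusts is the one stored server-side for the session, never a value echoed back from the client.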
Read-only delegate to cursor-agent (Composer) for questions, investigation, design discussion, and adversarial sanity checks. No worktree, no cherry-pick, no Lead diff review — cursor-agent is locked to ask mode and cannot write. Use when user says: ask cursor, cursor sanity check, get a second opinion, adversarial review, design discussion, investigate with cursor, /cursor:ask, /ask-cursor. Do NOT load for: implementation, refactor, file edits, commit/push work, anything requiring write access (use /cursor:do or /breezing --cursor instead).
Delegate a single write task to Cursor Composer via cursor-companion.sh inside an isolated worktree, then Lead-review the diff and cherry-pick. Use when user invokes /cursor:do, says delegate to cursor, have composer write it, refactor with cursor, hand a file edit to Composer. Do NOT load for: planning, code review only, read-only investigation, or multi-task team runs (use breezing --cursor or /cursor:ask instead).
HAR: Multi-angle code, plan, scope review. Security/quality check. Trigger: review, code review, plan review, scope analysis. Do NOT load for: implementation, new features, bugfix, setup, release.
Team execution mode — backward-compatible alias for harness-work with team orchestration.