npm - @raishin/vanguard-frontier-agentic - Versions diffs - 2.0.0 → 2.1.0 - Mend

@raishin/vanguard-frontier-agentic 2.0.0 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (342) hide show

package/catalog/skills.json CHANGED Viewed

@@ -21,6 +21,34 @@
     "author": "github: Claude",
     "version": "1.0.0"
   },
+  {
+    "id": "ai-advertising-targeting-fairness-review",
+    "name": "AI Advertising Targeting Fairness Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review ad-platform audience targeting configurations and AI feature usage for protected-class discrimination risk under Fair Housing Act, ECOA, and EU AI Act Article 5 — proxy segments, algorithmic disparate impact, and missing Special Ad Category declarations.",
+    "source_type": "original",
+    "official_docs": [
+      "https://www.ftc.gov/business-guidance/blog/2023/02/ftcs-ai-related-enforcement-actions",
+      "https://www.hud.gov/program_offices/fair_housing_equal_opp/fair_housing_act_overview",
+      "https://www.consumerfinance.gov/about-us/blog/cfpb-issues-guidance-on-credit-denials-by-lenders-using-artificial-intelligence/",
+      "https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai",
+      "https://www.federalregister.gov/documents/2023/07/13/2023-14625/civil-rights-principles-for-the-use-of-artificial-intelligence"
+    ],
+    "security_notes": "Ad-platform AI features that optimize on historical converter populations can propagate protected-class disparate impact without explicit discriminatory intent. Review works from sanitized audience spec exports and declared AI feature annotations only; never request live campaign credentials, ad-account access tokens, or real user audience data.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/ai-advertising-targeting-fairness-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
   {
     "id": "alibaba-ack-container-platform-operator",
     "name": "Alibaba Cloud ACK Container Platform Operator",
@@ -1146,6 +1174,35 @@
     "author": "github: Raishin",
     "version": "0.1.0"
   },
+  {
+    "id": "analytics-data-minimization-review",
+    "name": "Analytics Data-Minimization Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review analytics platform configuration — GA4 property settings, BigQuery export schema, custom event-parameter definitions, and user-property declarations — for data-minimization violations, excessive collection, and storage-period over-retention under GDPR Article 5(1)(c) and 5(1)(e) and EU DPA enforcement on GA4.",
+    "source_type": "original",
+    "official_docs": [
+      "https://gdpr-info.eu/art-5-gdpr/",
+      "https://www.cnil.fr/en/use-google-analytics-and-data-transfers-united-states-cnil-orders-website-manageroperator-comply/",
+      "https://www.cnil.fr/en/google-analytics-and-data-transfers-how-make-your-analytics-tool-compliant-gdpr",
+      "https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9782874",
+      "https://support.google.com/analytics/answer/9019185"
+    ],
+    "security_notes": "Read-only static review of sanitized analytics configuration exports and schema definitions only. Never request live analytics data, raw event exports containing real user identifiers, GA4 admin credentials, or BigQuery service-account keys. Findings may indicate cross-border data transfer violations requiring DPA notification — route remediation and legal assessment to qualified privacy counsel before acting on findings.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/analytics-data-minimization-review",
+    "author": "github: Raishin",
+    "version": "0.1.0",
+    "lifecycle": "experimental"
+  },
   {
     "id": "argo-rollouts-progressive-delivery-review",
     "name": "Argo Rollouts Progressive Delivery Review",
@@ -3654,6 +3711,34 @@
     "version": "0.1.0",
     "author": "github: Raishin"
   },
+  {
+    "id": "ci-test-pipeline-review",
+    "name": "CI Test Pipeline Review",
+    "type": "skill",
+    "provider": "generic",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review how a CI pipeline runs tests — gating, sharding, parallelism, fail-fast, artifact retention, quarantine wiring, and secret exposure — to verify the test suite actually blocks bad merges. Static review only.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs",
+      "https://docs.github.com/en/repositories/configuring-branches-and-merges/about-protected-branches",
+      "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions",
+      "https://docs.gitlab.com/ee/ci/yaml/",
+      "https://playwright.dev/docs/test-sharding"
+    ],
+    "security_notes": "Static review only — reads CI workflow and branch-protection configuration, never triggers or runs pipelines. Flags secret exposure to test jobs on pull_request_target or fork PRs. Never request or accept CI secrets, deploy keys, or registry tokens; ask for sanitized workflow files.",
+    "last_verified": "2026-05-17",
+    "path": "skills/qa/ci-test-pipeline-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
   {
     "id": "cilium-network-policy-review",
     "name": "Cilium Network Policy Review",
@@ -3836,6 +3921,63 @@
     "author": "github: Raishin",
     "version": "0.1.0"
   },
+  {
+    "id": "email-sender-authentication-review",
+    "name": "Email Sender Authentication Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review DNS sender-authentication records (SPF, DKIM, DMARC, BIMI) for a marketing domain to identify policy gaps exposing campaigns to rejection, spoofing, or inbox displacement.",
+    "source_type": "original",
+    "official_docs": [
+      "https://datatracker.ietf.org/doc/html/rfc7489",
+      "https://support.google.com/mail/answer/81126",
+      "https://www.pcisecuritystandards.org/document_library/",
+      "https://www.cisa.gov/sites/default/files/publications/bod-18-01.pdf",
+      "https://datatracker.ietf.org/doc/html/rfc7208"
+    ],
+    "security_notes": "Email authentication reviews work from sanitized DNS TXT record exports only. Never request live DMARC aggregate report XML, ESP account credentials, or sending-platform API keys. SPF, DKIM, and DMARC records are publicly resolvable; the artifact is the domain's own export, not live lookups against production DNS.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/email-sender-authentication-review",
+    "author": "github: Raishin",
+    "version": "0.1.0",
+    "lifecycle": "experimental"
+  },
+  {
+    "id": "eu-ai-act-marketing-system-review",
+    "name": "EU AI Act Marketing System Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review a marketing AI system description card against EU AI Act Regulation 2024/1689 risk-tier criteria — classify the system, flag documentation obligations (Articles 11, 13, 14, 43), and identify deployment-readiness gaps before the August 2, 2026 full-enforcement date.",
+    "source_type": "original",
+    "official_docs": [
+      "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689",
+      "https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai",
+      "https://www.europarl.europa.eu/topics/en/article/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence",
+      "https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-022023-technical-scope-art-22-gdpr_en",
+      "https://artificialintelligenceact.eu/the-act/"
+    ],
+    "security_notes": "EU AI Act classification determines conformity assessment, CE marking, and EU AI database registration obligations — misclassification is itself a compliance gap. Review works from sanitized AI system description cards only; never request model weights, training datasets, internal performance logs, or vendor system-access credentials. Legal determination of Article 5 prohibited practices is routed to qualified counsel.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/eu-ai-act-marketing-system-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
   {
     "id": "external-secrets-operator-review",
     "name": "External Secrets Operator Review",
@@ -5419,6 +5561,36 @@
     "author": "github: Raishin",
     "version": "0.1.0"
   },
+  {
+    "id": "helm-chart-quality-review",
+    "name": "Helm Chart Quality Review",
+    "type": "skill",
+    "provider": "generic",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review a Helm chart for quality, security, and testability defects — linting gaps, insecure securityContext, missing resource limits, absent health probes, RBAC over-permission, hardcoded secrets, and missing helm test coverage — statically, without installing or contacting a cluster.",
+    "source_type": "original",
+    "official_docs": [
+      "https://helm.sh/docs/chart_best_practices/",
+      "https://helm.sh/docs/helm/helm_lint/",
+      "https://helm.sh/docs/helm/helm_template/",
+      "https://helm.sh/docs/topics/chart_tests/",
+      "https://github.com/helm/chart-testing",
+      "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+      "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"
+    ],
+    "security_notes": "Static review only — reads chart source files (Chart.yaml, values.yaml, templates/, tests/), never installs a chart, never connects to a Kubernetes cluster, never requests kubeconfig, cluster credentials, or cloud provider credentials. Do not accept values files containing live credentials, connection strings, or tenant IDs; ask for sanitized versions with placeholder values.",
+    "last_verified": "2026-05-17",
+    "path": "skills/qa/helm-chart-quality-review",
+    "version": "0.1.0",
+    "author": "github: Raishin"
+  },
   {
     "id": "hetzner-capacity-planner",
     "name": "Hetzner Cloud Capacity Planner",
@@ -6691,6 +6863,35 @@
     "author": "github: Raishin",
     "version": "0.1.0"
   },
+  {
+    "id": "influencer-disclosure-compliance-review",
+    "name": "Influencer Disclosure Compliance Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review influencer campaign audit packs — brief, contract, post descriptions, and disclosure placement specs — for FTC Endorsement Guide violations: undisclosed material connections, inadequate disclosure placement, and brand liability exposure.",
+    "source_type": "original",
+    "official_docs": [
+      "https://www.ftc.gov/legal-library/browse/rules/endorsement-guides",
+      "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255",
+      "https://www.ftc.gov/system/files/ftc_gov/pdf/ftc-endorsement-guides-final-rule.pdf",
+      "https://www.ftc.gov/legal-library/browse/statutes/federal-trade-commission-act",
+      "https://www.ftc.gov/business-guidance/resources/ftcs-endorsement-guides-what-people-are-asking"
+    ],
+    "security_notes": "Review works from a structured influencer campaign audit pack only — brief, contract excerpt, post descriptions, and disclosure spec. Never accept raw personal data about creators, unpublished negotiations, or brand financial terms beyond what is needed to assess disclosure adequacy. This is a static compliance review; it does not generate campaign content or creator instructions.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/influencer-disclosure-compliance-review",
+    "author": "github: Raishin",
+    "version": "0.1.0",
+    "lifecycle": "experimental"
+  },
   {
     "id": "ionos-cost-optimization-analyst",
     "name": "IONOS Cost Optimization Analyst",
@@ -7025,6 +7226,36 @@
     "source_type": "original",
     "version": "0.1.0"
   },
+  {
+    "id": "kubernetes-manifest-quality-review",
+    "name": "Kubernetes Manifest Quality Review",
+    "type": "skill",
+    "provider": "generic",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review raw Kubernetes YAML manifests for security, quality, and policy defects — deprecated APIs, missing securityContext, absent resource limits, missing health probes, RBAC over-permission, plaintext secrets, and network exposure — statically, without applying manifests or contacting a cluster.",
+    "source_type": "original",
+    "official_docs": [
+      "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+      "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
+      "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/",
+      "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
+      "https://kubernetes.io/docs/concepts/services-networking/network-policies/",
+      "https://github.com/yannh/kubeconform",
+      "https://github.com/zegl/kube-score"
+    ],
+    "security_notes": "Static review only — reads manifest YAML files, never applies manifests to a cluster, never connects to the Kubernetes API, and never requests kubeconfig, service account tokens, or cloud credentials. Do not accept manifests containing real secret values or connection strings decoded from base64; ask for sanitized versions with placeholder values.",
+    "last_verified": "2026-05-17",
+    "path": "skills/qa/kubernetes-manifest-quality-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
   {
     "id": "kubernetes-network-architecture-review",
     "name": "Kubernetes Network Architecture Review",
@@ -7202,6 +7433,261 @@
     "author": "github: Raishin",
     "version": "0.1.0"
   },
+  {
+    "id": "llm-ai-pipeline-test-review",
+    "name": "LLM AI Pipeline Test Review",
+    "type": "skill",
+    "provider": "generic",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review an LLM or AI pipeline's evaluation setup for test-quality defects — missing hallucination, relevancy, faithfulness, bias, toxicity, and tool-correctness metrics; absent golden datasets; unthresholded or single-shot evals; and no regression gate across model versions. Static review only.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.confident-ai.com/",
+      "https://docs.confident-ai.com/docs/metrics-hallucination",
+      "https://docs.confident-ai.com/docs/metrics-answer-relevancy",
+      "https://docs.confident-ai.com/docs/metrics-faithfulness",
+      "https://docs.confident-ai.com/docs/metrics-bias",
+      "https://docs.confident-ai.com/docs/metrics-tool-correctness",
+      "https://www.istqb.org/certifications/certified-tester-foundation-level"
+    ],
+    "security_notes": "Static review only — reads eval configuration and test source; never calls LLM APIs, never runs evaluations, never requests model API keys or inference endpoints. Do not accept eval fixtures containing real user PII, private prompt chains, or model weights; ask for sanitized configurations.",
+    "last_verified": "2026-05-17",
+    "path": "skills/qa/llm-ai-pipeline-test-review",
+    "version": "0.1.0",
+    "author": "github: Raishin"
+  },
+  {
+    "id": "lookalike-audience-upload-compliance-review",
+    "name": "Lookalike Audience Upload Compliance Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review custom-audience and lookalike-audience upload specifications for hashing adequacy, PII field scope, consent-basis validity, and platform data-sharing restrictions before upload to Meta, Google, LinkedIn, or TikTok — catching underhashed identifiers, consent-scope mismatches, and re-identification surfaces.",
+    "source_type": "original",
+    "official_docs": [
+      "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679",
+      "https://oag.ca.gov/privacy/ccpa",
+      "https://www.ftc.gov/reports/data-brokers-call-transparency-accountability",
+      "https://developers.facebook.com/docs/marketing-api/audiences/guides/custom-audiences/",
+      "https://support.google.com/google-ads/answer/6334160"
+    ],
+    "security_notes": "Custom-audience uploads transmit hashed personal data to ad platforms under data-sharing arrangements that must have a lawful basis, appropriate consent scope, and adequate pseudonymization. Review works from sanitized field-mapping specifications, declared hashing methods, and consent-basis documentation only; never request actual audience files, real customer records, or platform API credentials.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/lookalike-audience-upload-compliance-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "marketing-consent-data-collection-review",
+    "name": "Marketing Consent and Data-Collection Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review marketing consent and data-collection posture — CMP banner config, tag-manager containers, Consent Mode wiring, and cookie policy — for GDPR/ePrivacy/CCPA correctness, dark patterns, and undisclosed trackers.",
+    "source_type": "original",
+    "official_docs": [
+      "https://eur-lex.europa.eu/eli/reg/2016/679/oj",
+      "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002L0058",
+      "https://oag.ca.gov/privacy/ccpa",
+      "https://developers.google.com/tag-platform/security/guides/consent",
+      "https://iabeurope.eu/transparency-consent-framework/"
+    ],
+    "security_notes": "Marketing tags that fire before a consent signal collect personal data with no lawful basis and expose the controller to GDPR/ePrivacy enforcement and CCPA class actions. Consent banners with non-symmetric choice or pre-ticked boxes invalidate consent. Review works from sanitized configuration only; never request real visitor data, consent-string archives, or analytics account credentials.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/marketing-consent-data-collection-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "marketing-conversion-flow-dark-pattern-review",
+    "name": "Marketing Conversion Flow Dark-Pattern Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review marketing conversion flow specifications — subscription sign-up, upsell interstitial, free-trial enrollment, and cancellation path — for dark-pattern practices that invalidate consent or constitute unfair or deceptive acts under FTC Section 5, the FTC Negative Option Rule, CPRA, and EU AI Act Article 5(1)(b).",
+    "source_type": "original",
+    "official_docs": [
+      "https://www.ftc.gov/legal-library/browse/rules/negative-option-rule",
+      "https://www.ftc.gov/system/files/ftc_gov/pdf/P214800+Dark+Patterns+Report+9.14.2022+-+FINAL.pdf",
+      "https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140.",
+      "https://oag.ca.gov/privacy/ccpa",
+      "https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng"
+    ],
+    "security_notes": "Read-only static review of sanitized UX flow specifications and annotated wireframes only. Never request real payment credentials, live user-session data, or production A/B-test results. Findings may indicate violations of FTC rules carrying civil penalties — route remediation and enforcement-risk assessment to qualified legal counsel before acting on findings.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/marketing-conversion-flow-dark-pattern-review",
+    "author": "github: Raishin",
+    "version": "0.1.0",
+    "lifecycle": "experimental"
+  },
+  {
+    "id": "marketing-email-list-retention-review",
+    "name": "Marketing Email List Retention Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review marketing email list segment metadata, consent-record completeness, suppression-list coverage, and data-retention schedules for GDPR, CASL, and CCPA deletion-right compliance.",
+    "source_type": "original",
+    "official_docs": [
+      "https://gdpr-info.eu/art-5-gdpr/",
+      "https://gdpr-info.eu/art-17-gdpr/",
+      "https://laws-lois.justice.gc.ca/eng/acts/C-28.65/page-1.html",
+      "https://oag.ca.gov/privacy/ccpa",
+      "https://www.canada.ca/en/radio-television-telecommunications/news/2014/07/compliance-and-enforcement-information-bulletin-crtc-2014-326.html"
+    ],
+    "security_notes": "Review works from sanitized CRM/ESP exports only — placeholder values for email addresses, subscriber IDs, and timestamps. Never accept real subscriber PII, live CRM credentials, or ESP API keys. Findings of missing consent records or absent suppression-list sync may constitute an ongoing GDPR or CASL violation requiring legal escalation.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/marketing-email-list-retention-review",
+    "author": "github: Raishin",
+    "version": "0.1.0",
+    "lifecycle": "experimental"
+  },
+  {
+    "id": "marketing-gpc-signal-honoring-review",
+    "name": "Marketing GPC Signal Honoring Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review the technical signal path by which a Global Privacy Control opt-out travels through the CMP and tag stack to confirm ad tags, server-side conversion APIs, and CAPI forwarding actually cease firing on opt-out.",
+    "source_type": "original",
+    "official_docs": [
+      "https://cppa.ca.gov/regulations/pdf/cppa_regs.pdf",
+      "https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.135.&lawCode=CIV",
+      "https://globalprivacycontrol.org/",
+      "https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260AB566",
+      "https://oag.ca.gov/privacy/ccpa"
+    ],
+    "security_notes": "GPC honoring reviews work from sanitized tag-manager container exports and CMP configuration exports only. Never request live CMP consent logs, visitor opt-out records, or ad-platform credentials. Findings of non-compliance may constitute evidence in an enforcement proceeding — route legal determinations to qualified privacy counsel, not to this skill.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/marketing-gpc-signal-honoring-review",
+    "author": "github: Raishin",
+    "version": "0.1.0",
+    "lifecycle": "experimental"
+  },
+  {
+    "id": "marketing-maestro",
+    "name": "Marketing Maestro",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Route marketing-governance review tasks to the narrowest specialist across all 13 domains: consent and data-collection, advertising-pixel data-leakage, martech access-governance, GPC signal-honoring, email sender authentication, programmatic supply-chain integrity, AI ad-targeting fairness, EU AI Act marketing-system classification, lookalike audience upload compliance, email list retention, influencer disclosure, conversion-flow dark patterns, and analytics data minimization. Dispatches single or parallel teams (max 4); requires human gate for any mutation intent.",
+    "source_type": "original",
+    "official_docs": [
+      "https://eur-lex.europa.eu/eli/reg/2016/679/oj",
+      "https://oag.ca.gov/privacy/ccpa"
+    ],
+    "security_notes": "Read-only routing skill. Never accepts real visitor data, consent-string archives, ad-platform credentials, API keys, OAuth tokens, or tenant-specific data. No live-guard agents exist in v1; any mutation request is refused and escalated to a human operator.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/marketing-maestro",
+    "author": "github: Raishin",
+    "version": "0.1.0",
+    "lifecycle": "experimental"
+  },
+  {
+    "id": "marketing-pixel-data-leakage-review",
+    "name": "Marketing Pixel Data-Leakage Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review advertising pixels and conversion event tracking for personal-data leakage to ad networks — PII in payloads, form-field auto-capture, pixels on sensitive pages, and unhashed identifier transmission.",
+    "source_type": "original",
+    "official_docs": [
+      "https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html",
+      "https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule",
+      "https://developers.facebook.com/docs/meta-pixel/",
+      "https://support.google.com/google-ads/answer/9888656",
+      "https://owasp.org/www-project-top-ten/"
+    ],
+    "security_notes": "Advertising pixels that capture email, phone, health, or financial data transmit personal data to third-party ad networks with no contract, no consent scope, and no breach visibility — a pattern behind major HIPAA settlements, FTC Health Breach Notification Rule actions, and wiretap class actions. Review works from sanitized payloads and container exports only; never request real visitor data or ad-platform credentials.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/marketing-pixel-data-leakage-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "martech-access-governance-review",
+    "name": "Martech Access Governance Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review access governance across a marketing technology stack — OAuth connected apps, API keys, CRM and marketing-automation roles, and integration scopes — for least-privilege violations, shared and stale credentials, and missing ownership.",
+    "source_type": "original",
+    "official_docs": [
+      "https://datatracker.ietf.org/doc/html/rfc6749",
+      "https://oauth.net/2/scope/",
+      "https://csrc.nist.gov/glossary/term/least_privilege",
+      "https://owasp.org/www-project-top-ten/",
+      "https://csrc.nist.gov/pubs/sp/800/207/final"
+    ],
+    "security_notes": "A marketing technology stack holds the full customer database and accumulates OAuth grants, API keys, and seats faster than it deprovisions them. Over-broad connector scopes, shared non-rotating credentials, and stale grants from departed staff or ended vendors are a heavily exploited SaaS breach path. Review works from sanitized inventories only; never request, collect, or echo credential values, tokens, or secrets.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/martech-access-governance-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
   {
     "id": "nvidia-agentic-ai-platform-review",
     "name": "NVIDIA Agentic AI Platform Review",
@@ -8799,6 +9285,120 @@
     "version": "0.1.0",
     "author": "github: Raishin"
   },
+  {
+    "id": "playwright-e2e-execution-run",
+    "name": "Playwright E2E Execution Run",
+    "type": "skill",
+    "provider": "generic",
+    "harnesses": [
+      "claude-code",
+      "cursor"
+    ],
+    "summary": "Execute an existing Playwright E2E suite against an operator-confirmed non-production target and emit a structured run attestation — pass/fail/flaky counts, slowest tests, and trace artifact locations. Live-execution counterpart to playwright-e2e-suite-review.",
+    "source_type": "original",
+    "official_docs": [
+      "https://playwright.dev/docs/test-cli",
+      "https://playwright.dev/docs/running-tests",
+      "https://playwright.dev/docs/test-reporters",
+      "https://playwright.dev/docs/trace-viewer",
+      "https://playwright.dev/docs/ci"
+    ],
+    "security_notes": "Live-execution skill, read-only-runtime tier. Default mode is static and runs nothing; runtime execution is a per-session opt-in requiring explicit operator confirmation of a non-production target. The Bash allowlist locks invocations to `npx playwright test`, `npx playwright install`, and `npx playwright show-report` — no deploy, migration, seed, or registry commands. Refuses production targets. Never accepts or echoes credentials, tokens, or storageState; test credentials come from the operator-controlled environment. Egress limited to the operator-confirmed target host and the Playwright browser CDN; blocked CDN egress degrades to manual-review rather than a false fail.",
+    "last_verified": "2026-05-17",
+    "path": "skills/qa/playwright-e2e-execution-run",
+    "category": "delivery",
+    "lifecycle": "experimental",
+    "execution_tier": "read-only-runtime",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "playwright-e2e-suite-review",
+    "name": "Playwright E2E Suite Review",
+    "type": "skill",
+    "provider": "generic",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review a Playwright end-to-end test suite for flakiness, selector brittleness, test isolation defects, retry masking, and CI reliability — statically, without executing the suite.",
+    "source_type": "original",
+    "official_docs": [
+      "https://playwright.dev/docs/best-practices",
+      "https://playwright.dev/docs/locators",
+      "https://playwright.dev/docs/test-assertions",
+      "https://playwright.dev/docs/test-retries",
+      "https://playwright.dev/docs/test-parallel",
+      "https://playwright.dev/docs/test-sharding",
+      "https://playwright.dev/docs/trace-viewer"
+    ],
+    "security_notes": "Static review only — reads test specs and config, never executes the suite, launches browsers, or contacts a target application. Never request or accept live application URLs with embedded credentials, auth tokens, real storageState files, or .env secrets; ask for sanitized snippets.",
+    "last_verified": "2026-05-17",
+    "path": "skills/qa/playwright-e2e-suite-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "plc-control-logic-safety-review",
+    "name": "PLC Control Logic Safety Review",
+    "type": "skill",
+    "provider": "generic",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Statically review exported IEC 61131-3 PLC program logic (LD, ST, FBD, SFC) for safety and reliability defects — E-stop implementation, output fail-safe paths, latch integrity, memory-write races, forced I/O, interlock bypass governance, timer determinism, and watchdog coverage — without connecting to a live controller.",
+    "source_type": "original",
+    "official_docs": [
+      "https://plcopen.org/iec-61131-3",
+      "https://webstore.iec.ch/publication/4552",
+      "https://webstore.iec.ch/publication/22273",
+      "https://webstore.iec.ch/publication/26037",
+      "https://content.helpme-codesys.com/en/CODESYS%20Development%20System/_cds_structure_application_objects.html"
+    ],
+    "security_notes": "Static review only — reads exported program logic, never connects to a live PLC, never writes to a controller, and never advises modifying running logic or bypassing a safety function. Never request or accept live controller IP addresses, plant network credentials, historian credentials, or any identifier that maps to a production asset. Ask for sanitized, anonymized exports only.",
+    "last_verified": "2026-05-17",
+    "path": "skills/qa/plc-control-logic-safety-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "programmatic-supply-chain-integrity-review",
+    "name": "Programmatic Supply Chain Integrity Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review ads.txt, app-ads.txt, and sellers.json files for a publisher or advertiser's programmatic supply chain to detect unauthorized resellers, domain-spoofing exposure, and SupplyChain Object gaps.",
+    "source_type": "original",
+    "official_docs": [
+      "https://iabtechlab.com/ads-txt/",
+      "https://iabtechlab.com/sellers-json/",
+      "https://iabtechlab.com/supplychain-object/",
+      "https://mediaratingcouncil.org/sites/default/files/Standards/MRC%20Invalid%20Traffic%20Detection%20and%20Filtration%20Guidelines%20Addendum.pdf",
+      "https://iabtechlab.com/app-ads-txt/"
+    ],
+    "security_notes": "Supply chain integrity reviews work from the raw text of ads.txt, app-ads.txt, and sellers.json files pasted as input. Never request DSP credentials, exchange account tokens, or bid-stream logs. ads.txt and sellers.json are publicly resolvable files; the artifact is the publisher's or exchange's own exported text, not a live crawl of production endpoints.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/programmatic-supply-chain-integrity-review",
+    "author": "github: Raishin",
+    "version": "0.1.0",
+    "lifecycle": "experimental"
+  },
   {
     "id": "prometheus-alerting-cardinality-review",
     "name": "Prometheus Alerting and Cardinality Review",
@@ -8855,6 +9455,35 @@
     "version": "0.1.2",
     "lifecycle": "experimental"
   },
+  {
+    "id": "rpa-workflow-resilience-review",
+    "name": "RPA Workflow Resilience Review",
+    "type": "skill",
+    "provider": "generic",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review exported RPA workflow definitions (UiPath XAML, Automation Anywhere, Power Automate Desktop, Blue Prism) for resilience and security defects — hardcoded credentials, brittle selectors, missing exception handling, non-idempotent logic, fixed delays, and invisible failures — statically, without connecting to a live orchestrator.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.uipath.com/studio/standalone/latest/user-guide/about-workflow-analyzer",
+      "https://docs.uipath.com/studio/standalone/latest/user-guide/about-debugging",
+      "https://docs.uipath.com/orchestrator/standalone/latest/user-guide/about-assets",
+      "https://docs.automationanywhere.com/",
+      "https://learn.microsoft.com/en-us/power-automate/guidance/coding-guidelines/overview",
+      "https://learn.microsoft.com/en-us/power-automate/guidance/coding-guidelines/error-handling"
+    ],
+    "security_notes": "Static review only — reads exported workflow definitions, never connects to a live orchestrator, never executes a bot, and never requests runner credentials, orchestrator URLs, or production queue data. Never accept workflow exports containing live PII, real customer data, or production connection strings; ask for sanitized snippets.",
+    "last_verified": "2026-05-17",
+    "path": "skills/qa/rpa-workflow-resilience-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
   {
     "id": "scaleway-cost-optimizer",
     "name": "Scaleway Cost Optimizer",
@@ -9076,6 +9705,62 @@
     "author": "github: Raishin",
     "version": "0.1.0"
   },
+  {
+    "id": "test-coverage-quality-review",
+    "name": "Test Coverage Quality Review",
+    "type": "skill",
+    "provider": "generic",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review a test suite for assertion quality over coverage percentage — detecting coverage theater, assertion-free and tautological tests, mock over-specification, and untested branches, and recommending a meaningful coverage gate. Static review only.",
+    "source_type": "original",
+    "official_docs": [
+      "https://martinfowler.com/bliki/TestCoverage.html",
+      "https://martinfowler.com/articles/mocksArentStubs.html",
+      "https://istanbul.js.org/docs/tutorials/coverage/",
+      "https://jestjs.io/docs/configuration",
+      "https://docs.pytest.org/en/stable/how-to/assert.html"
+    ],
+    "security_notes": "Static review only — reads test source and coverage reports, never executes tests or runs a coverage tool. Never request or accept credentials, fixtures containing real customer data, or production database snapshots; ask for sanitized test code.",
+    "last_verified": "2026-05-17",
+    "path": "skills/qa/test-coverage-quality-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "test-flakiness-triage",
+    "name": "Test Flakiness Triage",
+    "type": "skill",
+    "provider": "generic",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Triage flaky tests across any framework into root-cause categories, assign a quarantine or fix path per test, and assess quarantine policy and CI retry configuration — statically, without re-running tests.",
+    "source_type": "original",
+    "official_docs": [
+      "https://playwright.dev/docs/test-retries",
+      "https://docs.cypress.io/guides/guides/test-retries",
+      "https://jestjs.io/docs/cli",
+      "https://docs.pytest.org/en/stable/how-to/flaky.html",
+      "https://martinfowler.com/articles/nonDeterminism.html"
+    ],
+    "security_notes": "Static review only — analyzes failure logs, rerun history, and test source; never executes or re-runs tests. Never request or accept CI credentials, dashboard API tokens, or production data embedded in failure logs; ask for sanitized excerpts.",
+    "last_verified": "2026-05-17",
+    "path": "skills/qa/test-flakiness-triage",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
   {
     "id": "velero-backup-restore-guard",
     "name": "Velero Backup/Restore Guard",