pi-skill-search 0.1.0

package/skills/vetc-reconcile-patterns/SKILL.md

@@ -0,0 +1,117 @@
+---
+name: vetc-reconcile-patterns
+description: PROACTIVELY activate khi implement reconciliation job, debug reconcile logic (mismatch, duplicate, missing), hoặc thêm nguồn đối soát mới. SourceProcessor, distributed locking, idempotency patterns.
+---
+
+# VETC Reconciliation Patterns
+
+Patterns cho hệ thống đối soát VETC E-Wallet.
+
+## When to Activate
+
+- Implement reconciliation job hoặc processor mới
+- Debug reconcile logic (mismatch, duplicate, missing)
+- Thêm nguồn dữ liệu mới vào reconcile pipeline
+- Review reconcile code
+
+## Do NOT Activate When
+
+- Làm tính năng không liên quan reconciliation (wallet, eKYC, commission, etc.)
+- Chỉ làm frontend cho reconcile UI (dùng `vetc-frontend-patterns`)
+- Chỉ viết unit test đơn giản, không cần reconcile domain knowledge
+
+## Core Architecture
+
+```
+ReconcileScheduler (Quartz/Spring @Scheduled)
+    ↓
+ReconcileOrchestrator
+    ├── SourceProcessorChain (Chain of Responsibility)
+    │     ├── BankGwSourceProcessor
+    │     ├── WalletSourceProcessor
+    │     └── ACSSourceProcessor
+    ↓
+ReconcileEngine
+    ├── MatchingStrategy (1:1, 1:N, N:M)
+    ├── DiffCalculator
+    └── ReconcileReportBuilder
+
+## SourceProcessor Pattern
+
+```java
+public interface SourceProcessor {
+    boolean canHandle(ReconcileContext context);
+    List extract(ReconcileContext context);
+}
+
+// Chain implementation
+@Service
+@Slf4j
+public class BankGwSourceProcessor implements SourceProcessor {
+    @Override
+    public boolean canHandle(ReconcileContext context) {
+        return ReconcileType.BANK_GW.equals(context.getType());
+
+## Distributed Locking (Redisson)
+
+```java
+// Ngăn duplicate job khi deploy nhiều instance
+@Service
+public class ReconcileOrchestratorImpl {
+
+    @Autowired
+    private RedissonClient redissonClient;
+
+    public void runReconcile(ReconcileContext ctx) {
+        String lockKey = "vetc:reconcile:" + ctx.getType() + ":" + ctx.getDateKey();
+        RLock lock = redissonClient.getLock(lockKey);
+
+        boolean acquired = false;
+
+## Idempotency Pattern
+
+```java
+// Kiểm tra đã process chưa trước khi xử lý
+public void processRecord(ReconcileRecord record) {
+    String idempotencyKey = "vetc:recon:" + record.getTransactionRef();
+    boolean isNew = redisTemplate.opsForValue()
+        .setIfAbsent(idempotencyKey, "1", 24, TimeUnit.HOURS);
+    
+    if (!isNew) {
+        log.debug("Already processed: {}", record.getTransactionRef());
+        return;
+    }
+    // Process record...
+}
+```
+
+## Matching Strategies
+
+```java
+public enum MatchResult {
+    MATCHED,        // Khớp hoàn toàn
+    AMOUNT_MISMATCH,// Ref khớp, amount khác
+    NOT_FOUND,      // Có trong source, không có trong wallet
+    DUPLICATE,      // Xuất hiện nhiều lần
+    SETTLED_LATE    // Transaction đã settle sau cutoff
+}
+```
+
+## Common Reconcile Issues
+
+| Issue | Root Cause | Fix |
+|-------|-----------|-----|
+| Duplicate record | Idempotency key thiếu hoặc sai | Thêm idempotency check |
+| Amount mismatch | Fee/VAT tính khác | Align fee calculation |
+| Missing transaction | Timezone mismatch (UTC vs +07) | Normalize về UTC trước compare |
+| Race condition | Multiple instances chạy cùng lúc | Redisson distributed lock |
+| Memory spike | Load toàn bộ data vào RAM | Page-based processing |
+
+## Coverage Targets
+
+```
+ReconcileEngine:        ≥ 85% (mandatory — core matching logic)
+SourceProcessor (mỗi): ≥ 80% (mandatory)
+ReconcileReportBuilder: ≥ 75% (recommended)
+
+

package/skills/vetc-refactoring/SKILL.md

@@ -0,0 +1,96 @@
+---
+name: vetc-refactoring
+description: PROACTIVELY activate khi code smell xuất hiện, cần restructure không thay behavior — extract method/class, rename, replace conditional, strangler fig migration. KHÔNG kết hợp refactoring với feature work. Tests phải pass trước và sau.
+---
+
+# VETC Refactoring — Behavior-Preserving Restructure
+
+Cải thiện cấu trúc code KHÔNG thay đổi behavior. Tests xanh → refactor → tests vẫn xanh. Inspired by Karpathy + Fowler refactoring catalog.
+
+## When to Activate
+
+- Code smell: long method, duplicate code, god class, feature envy, shotgun surgery
+- Pre-change cleanup: "Make change easy, then make easy change" (Kent Beck)
+- Post-ralph deslop pass — cleanup after implementation
+- Strangler fig migration — gradually replace legacy component
+- Rename signals: unclear names, ambiguous abbreviations
+- Replace conditional with polymorphism (many if/else branches)
+- Extract method (< 20-line method rule)
+- Extract class (class > 200 lines or > 7 public methods)
+
+## Do NOT Activate When
+
+- **No tests exist** → Write tests FIRST (`vetc-tdd`), refactor AFTER
+- **Mid-feature work** → Do not mix refactor + feature work. Finish feature, then refactor.
+- **Code works + tests pass + readable** → don't refactor for the sake of it
+- Red tests (failing) → Fix tests first, then consider refactor
+- No user request and no code smell → "if it ain't broke, don't fix it"
+- Architecture change needed (not refactor) → use `vetc-ralplan`
+
+
+
+## Core Pattern: Red-Green-Refactor
+
+```
+RED (failing test, for new feature) — not our domain here
+       ↓
+GREEN (passing test)
+       ↓
+REFACTOR (this skill!)  ← structure improvement
+       ↓
+GREEN (still passing)
+       ↓
+Commit (atomic: "refactor(wallet): extract balance calculation")
+```
+
+## Refactoring Catalog (VETC-adapted)
+
+### Method-level
+
+| Refactoring | When | Example |
+|-------------|------|---------|
+| **Extract Method** | Method > 20 lines or does 2+ things | `processTransfer()` → extract `validateAmount()` + `debitAccount()` + `creditAccount()` |
+| **Inline Method** | Trivial method (1-liner) only called once | Remove `private boolean isValid() { return amount > 0; }` inline |
+| **Extract Variable** | Complex expression used multiple times | `BigDecimal fee = amount.multiply(FEE_RATE);` instead of inlining |
+| **Inline Variable** | Variable is trivial alias | Remove `Long id = wallet.getId(); repo.find(id);` → `repo.find(wallet.getId())` |
+| **Rename** | Unclear name | `process()` → `debitAndNotify()` |
+
+### Class-level
+
+| Refactoring | When | Example |
+|-------------|------|---------|
+| **Extract Class** | Class > 200 lines OR > 7 public methods OR multiple responsibilities | Split `WalletService` → `BalanceService` + `TransferService` + `NotificationService` |
+| **Move Method** | Method uses another class more than own | Move `Money.compare(a, b)` from `WalletService` to `Money` entity |
+| **Pull Up Field/Method** | Subclasses share field/method | Move common `@Column(name="created_at")` to `BaseEntity` |
+| **Replace Inheritance with Delegation** | Inheritance not true "is-a" | `class OracleRepo extends BaseRepo` → `class OracleRepo { BaseRepo base; }` |
+
+### Conditional logic
+
+| Refactoring | When | Example |
+|-------------|------|---------|
+| **Replace Conditional with Polymorphism** | Many if/else based on type | `if (type == JE_DEBIT) ... else if (type == JE_CREDIT) ...` → `JournalEntryStrategy` with subclasses |
+| **Introduce Null Object** | Null check scattered | `if (wallet == null) return zero` → `WalletEmpty` class returning zero |
+| **Replace Magic Number** | `if (amount > 500000)` | `if (amount > OTP_THRESHOLD)` |
+| **Decompose Conditional** | Complex condition with comment | Extract condition to `isHighRiskTransaction()` method |
+
+### VETC-specific
+
+| Refactoring | When | Example |
+|-------------|------|---------|
+| **Encapsulate Oracle sequence** | Multiple places call sequence directly | Create `SequenceGenerator` service with cached next-values |
+| **Extract Feign client** | Inline RestTemplate/HTTP calls | Replace with typed Feign interface + `@FeignClient` |
+| **Parameterize SQL** | String concat in native query | Replace `"WHERE id = " + id` with `"WHERE id = :id"` + setParameter |
+| **Centralize PII masking** | Logger calls with CCCD/phone | Extract `PiiMasker.mask(cccd)` helper, use consistently |
+| **Introduce Cache-Aside** | Repeated expensive queries | Wrap with Redis `@Cacheable` on service method |
+
+### Strangler Fig (gradual legacy replacement)
+
+When legacy component (monolithic `WalletServiceLegacy`) needs replacement:
+
+```
+Phase 1: Build new service in parallel (WalletService)
+Phase 2: Route 5% traffic via feature flag
+Phase 3: Monitor errors, increase to 50% if OK
+Phase 4: 100% traffic to new
+Phase 5: Delete legacy
+```

package/skills/vetc-runbook/SKILL.md

@@ -0,0 +1,118 @@
+---
+name: vetc-runbook
+description: PROACTIVELY activate khi debug incident, runtime error, hoặc production issue. Investigation flow, common error patterns cho VETC stack, structured report output.
+---
+
+# VETC Runbook — Incident & Debug Guide
+
+Runbook cho common issues trong VETC E-Wallet system.
+
+## When to Activate
+
+- Runtime error trong production hoặc staging
+- Incident cần investigation
+- Debug issue không rõ root cause
+- Performance degradation
+- User nói: "debug", "investigate", "runbook", "troubleshoot"
+
+## Do NOT Activate When
+
+- Tạo tính năng mới, không phải debug/investigate (dùng SDLC skills)
+- Chỉ cần code review (dùng reviewer agents)
+- Issue chỉ xảy ra 1 lần, không cần structured investigation
+
+## Investigation Flow
+
+```
+1. Triage → Phân loại severity
+2. Gather → Thu thập logs, traces, data
+3. Hypothesize → Đưa ra hypotheses (top 3)
+4. Test → Verify từng hypothesis
+5. Fix → Apply minimal fix
+6. Verify → Confirm fix resolves issue
+7. Report → Structured post-mortem
+```
+
+## Common Error Patterns
+
+### Category 1 — Database Issues
+
+| Symptom | Likely Cause | Investigation |
+|---------|-------------|---------------|
+| `ORA-00001: unique constraint` | Duplicate insert | Check idempotency key, sequence value |
+| `ORA-02291: integrity constraint` | FK reference missing | Check parent record exists |
+| `ORA-12899: value too large` | Column overflow | Check string length vs column size |
+| Slow query | Missing index / bad plan | `EXPLAIN PLAN FOR <query>` |
+| Deadlock | Lock ordering | Check `@Transactional` scope |
+
+### Category 2 — External Service Issues
+
+| Symptom | Likely Cause | Investigation |
+|---------|-------------|---------------|
+| ACS timeout | Network / ACS down | Check Feign timeout config, ACS health |
+| Bank GW 500 | Invalid request format | Compare request with spec, check encoding |
+| eKYC rejection | Invalid image / session expired | Check image quality, session timeout |
+| RabbitMQ message stuck | Consumer error / queue full | Check consumer logs, queue depth |
+
+### Category 3 — Authentication Issues
+
+| Symptom | Likely Cause | Investigation |
+|---------|-------------|---------------|
+| 401 Unauthorized | Token expired / invalid | Check JWT expiry, issuer, audience |
+| 403 Forbidden | Role mismatch | Check user role vs required role |
+| OTP verify fail | OTP expired / wrong attempt | Check OTP generation time, attempt count |
+
+### Category 4 — Frontend Issues
+
+| Symptom | Likely Cause | Investigation |
+|---------|-------------|---------------|
+| White screen | JS error / route missing | Check browser console, network tab |
+| API 404 | Wrong URL / base URL | Check Axios config, API path |
+| State not updating | Stale closure / wrong selector | Check Redux devtools, useEffect deps |
+
+## Report Format
+
+```markdown
+# Incident Report: [Title]
+**Date**: [date]
+**Severity**: P1 / P2 / P3
+**Status**: INVESTIGATING / FIXED / MONITORING
+
+## Timeline
+- [HH:MM] Symptom detected
+- [HH:MM] Investigation started
+- [HH:MM] Root cause identified
+- [HH:MM] Fix applied
+- [HH:MM] Verified
+
+## Root Cause
+[1-2 câu]
+
+## Fix
+[What was changed, file:line]
+
+## Prevention
+[What to add to prevent recurrence]
+
+## Lessons Learned
+[Key takeaway]
+```
+
+## Gotchas
+
+1. **Fix symptoms not root cause** → 500 error do ACS timeout, nhưng root cause là network config. Luôn trace đến root.
+
+2. **Logging quá nhiều** → Log flood che mất signal. Tìm theo correlation ID hoặc timestamp cụ thể.
+
+3. **Assume external service OK** → Luôn verify external service health trước khi investigate internal logic.
+
+4. **Skip reproduction** → Luôn reproduce locally trước khi fix. "Fix" mà không reproduce = blind fix.
+
+5. **Not checking recent deployments** → Kiểm tra `git log --oneline -10` xem có deploy nào gần đây gây vấn đề.
+
+## References
+
+- Architecture profiles: `../../shared/architecture-profiles.md`
+
+
+

package/skills/vetc-sast/SKILL.md

@@ -0,0 +1,118 @@
+---
+name: vetc-sast
+description: PROACTIVELY activate trước mỗi release/PR merge để chạy static application security testing — Trivy (container/deps), OWASP Dep-Check (CVE), SonarQube (code smells + security), Semgrep (custom rules). Không edit code — chỉ report + triage.
+---
+
+# VETC SAST — Static Application Security Testing
+
+Automated scan CVE, dependency vulnerabilities, code-level security issues, container image risks TRƯỚC khi merge/release. Triage findings: critical/high → block, medium/low → track.
+
+## When to Activate
+
+- PR merge candidate — final security gate
+- Pre-release (release candidate tag) — full SAST sweep
+- Dependency update (renovate/dependabot PR) — verify no new CVEs
+- Container image build — scan Docker layers
+- After `vetc-security` review — automated SAST complements manual review
+- Quarterly audit — full baseline scan
+
+## Do NOT Activate When
+
+- Local dev iteration — SAST too slow for tight loop (use IDE linters)
+- Documentation-only PR — no code/deps changed
+- Hotfix in emergency — note as debt, scan within 24h
+- Private/internal tool with no external exposure — lower priority
+
+## Tools & Coverage Matrix
+
+| Tool | Target | Runs in | Fail threshold |
+|------|--------|---------|----------------|
+| **OWASP Dep-Check** | Maven/npm deps | CI (PR) | CVE CVSS ≥ 7.0 |
+| **Trivy** | Docker image, IaC | CI (release) | CRITICAL, HIGH |
+| **SonarQube** | Java/TS source | CI (merge main) | Security Hotspots = 0 new |
+| **Semgrep** | Custom VETC rules | CI (PR) | ERROR severity = 0 |
+| **Secret scan** | Git history | pre-commit + CI | Any match |
+| **npm audit** | Node packages | CI (PR on FE) | HIGH, CRITICAL |
+
+## Workflow
+
+### Step 1 — Identify Scope
+
+Read git diff to identify scan targets:
+- `pom.xml` / `package.json` changed → dep scan
+- `Dockerfile` / IaC changed → container/IaC scan
+- `.java` / `.ts` changed → code scan
+- New file added → secret scan (full)
+
+### Step 2 — Run Scans (Parallel)
+
+```bash
+# 1. OWASP Dep-Check (Maven)
+mvn -q dependency-check:check -DfailBuildOnCVSS=7 -Dformat=HTML -DnvdApiKey=$NVD_API_KEY
+
+# 2. Trivy (Docker image)
+trivy image --severity CRITICAL,HIGH --exit-code 1 \
+  --format json -o trivy-report.json \
+  vetc/wallet-service:${VERSION}
+
+# 3. Trivy (filesystem - IaC)
+trivy fs --scanners vuln,misconfig,secret --severity CRITICAL,HIGH .
+
+# 4. SonarQube scan (post-build)
+mvn -q sonar:sonar \
+  -Dsonar.host.url=$SONAR_URL \
+  -Dsonar.projectKey=vetc-wallet \
+  -Dsonar.login=$SONAR_TOKEN
+
+# 5. Semgrep custom rules
+semgrep --config=.semgrep/vetc-rules.yml --error .
+
+# 6. Secret scan (gitleaks)
+gitleaks detect --source . --no-git --exit-code 1
+
+### Step 3 — Aggregate & Triage
+
+For each finding, classify:
+
+| Level | Action |
+|-------|--------|
+| **CRITICAL** (CVSS 9.0-10) | BLOCK merge. Fix/upgrade immediately or isolate usage. |
+| **HIGH** (CVSS 7.0-8.9) | BLOCK merge. Fix in same PR or separate hotfix PR. |
+| **MEDIUM** (CVSS 4.0-6.9) | Track in backlog. Fix within sprint. Do not block merge unless payment/auth. |
+| **LOW** (CVSS 0.1-3.9) | Track in backlog. Fix opportunistically. |
+| **INFO** (hardening recommendation) | Note in tech-debt file. |
+
+VETC-specific escalation (force to HIGH regardless of CVSS):
+- Any finding in `auth-service`, `payment-gateway`, `wallet-service` core
+- SQL injection in native query (even if param)
+
+### Step 4 — Create Triage Report
+
+Location: `security/sast-reports/{YYYY-MM-DD}-{branch}.md`
+
+```markdown
+# SAST Report - feature/smart-otp - 2026-04-17
+
+## Summary
+| Tool | Total | Critical | High | Medium | Low |
+|------|-------|----------|------|--------|-----|
+| OWASP Dep-Check | 3 | 0 | 1 | 2 | 0 |
+| Trivy Image | 8 | 0 | 0 | 5 | 3 |
+| SonarQube | 15 | 0 | 2 | 8 | 5 |
+| Semgrep | 1 | 0 | 1 | 0 | 0 |
+
+## Critical/High Findings
+
+### 1. [HIGH] CVE-2024-12345 — jackson-databind 2.13.0
+**File**: `pom.xml:45`
+**Description**: Deserialization vulnerability in jackson-databind < 2.15.2
+**Fix**: Upgrade to 2.15.2+
+**Owner**: backend-lead
+**Due**: Before merge
+
+### 2. [HIGH] Semgrep — SQL injection in NativeQueryBuilder
+**File**: `wallet-service/src/main/java/vn/vetc/wallet/repo/TransactionRepo.java:87`
+**Description**: String concatenation in `WHERE account_no = '" + accountNo + "'"`
+**Fix**: Use `setParameter("accountNo", accountNo)`
+
+

package/skills/vetc-sdlc/SKILL.md

@@ -0,0 +1,97 @@
+---
+name: vetc-sdlc
+description: PROACTIVELY activate khi user bắt đầu tính năng mới, hỏi "bắt đầu từ đâu", hoặc cần routing đến đúng SDLC path. Entry point cho toàn bộ workflow từ spec đến deploy.
+---
+
+# VETC SDLC — Level 5 Workflow
+
+Điều phối toàn bộ quy trình phát triển Level 5 của VETC E-Wallet.
+
+
+
+## When to Activate
+
+- User đề cập tính năng mới, requirement mới
+- User hỏi "bắt đầu từ đâu", "làm thế nào", "flow như thế nào"
+- Bắt đầu sprint hoặc ticket mới
+- User không biết dùng skill/agent nào
+
+## Do NOT Activate When
+
+- User chỉ hỏi câu hỏi đơn giản, không liên quan phát triển tính năng
+- Đang chỉ đọc code / explore codebase, không có intent implement
+- Debug one-off issue cụ thể (dùng `vetc-runbook` hoặc `vetc-build-resolver`)
+
+## Pre-Execution Gate
+
+**VETC SDLC chặn vague execution requests** và redirect đến planning trước:
+
+| Vague (→ ralplan/deep-interview) | Cụ thể (→ execute trực tiếp) |
+|----------------------------------|------------------------------|
+| "thêm chức năng transfer" | "Implement POST /wallet/transfer theo spec task T3" |
+| "fix lỗi" | "Fix NullPointerException WalletService.java:45" |
+| "làm tính năng nạp tiền" | Có file path / task breakdown / issue number |
+
+**Bypass gate:** prefix `force:` hoặc `!`
+
+## The VETC Level 5 Workflow
+
+### Path A — Full BA Pipeline (có tài liệu BA)
+
+```
+┌──────────────────────────────────────────────────────────────────────────┐
+│              VETC SDLC — Level 5 Full BA Pipeline                        │
+├────────────┬──────────────────────────┬────────────────────────────────  │
+│ Phase      │ Skill                    │ Output                           │
+├────────────┼──────────────────────────┼──────────────────────────────────┤
+│ 0. Scan    │ vetc-analyze-codebase    │ codebase-spec.md + data-model.md │
+│ 1. PM      │ vetc-thinking-pm         │ raw-ba-requirements.md (chuẩn)   │
+│ 2. BA      │ vetc-analyze-ba (1-3)    │ 01-ba-analysis + 02-clarify      │
+│ 3. Spec    │ vetc-analyze-ba (3)      │ 03-feature-spec.md (SOURCE)      │
+│ 4. Design  │ vetc-analyze-ba (4-5)    │ 04-technical + 05-api-design     │
+│ 5. Plan    │ vetc-analyze-ba (6-6b)   │ 06-task-breakdown + tasks/       │
+│ 6. Code    │ vetc-analyze-ba (7)      │ 07-implement-ledger + code       │
+
+### Path B — Quick Implementation (đã có spec rõ)
+
+```
+┌──────────────────────────────────────────────────────────────────┐
+│              VETC SDLC — Quick Path                              │
+├──────────┬────────────────────┬──────────────────────────────────┤
+│ Phase    │ Skill / Agent      │ Output                           │
+├──────────┼────────────────────┼──────────────────────────────────┤
+│ 1. Spec  │ vetc-spec-driven   │ Structured spec + edge cases     │
+│ 2. Design│ vetc-api-design    │ ERD + API contract + flow        │
+│ 3. Plan  │ vetc-planner agent │ Task list với file paths         │
+│ 4a. BE   │ vetc-java-patterns │ Spring Boot implementation       │
+│ 4b. FE   │ vetc-frontend-pat..│ React/TS implementation         │
+│ 5. Test  │ vetc-tdd           │ JUnit + Integration tests        │
+│ 6. Review│ java/ts-reviewer   │ Review report + blockers         │
+
+## Routing Logic
+
+Khi nhận yêu cầu, routing theo context:
+
+| Signal | → Skill/Agent |
+|--------|-------------|
+| "mới vào project", "cần bản đồ codebase" | → `vetc-analyze-codebase` |
+| Requirement mơ hồ, cần clarify trước khi plan | → `vetc-deep-interview` |
+| BA gửi file Word/Jira/text, cần chuẩn hóa | → `vetc-thinking-pm` |
+| Có spec, cần plan + Architect+Critic review | → `vetc-ralplan` |
+| Có approved plan, cần implement đến hoàn thành | → `vetc-ralph` |
+| Có `raw-ba-requirements.md`, cần implement 13 bước | → `vetc-analyze-ba` |
+| "tính năng mới" (quick path, không có BA doc) | → `vetc-spec-driven` |
+| Có spec, cần thiết kế DB/API | → `vetc-api-design` |
+| Có design, cần task list | → `vetc-planner` agent |
+
+## Senior Engineer Test (từ Karpathy)
+
+Trước khi bắt đầu implementation, hỏi:
+
+> "Một senior engineer review code này có hỏi 'TẠI SAO lại làm vậy?' không?"
+
+Nếu câu trả lời là "yes" → cần justify trong spec/plan. Nếu không justify được → đừng làm.
+
+**Complexity Gate:**
+
+

package/skills/vetc-security/SKILL.md

@@ -0,0 +1,117 @@
+---
+name: vetc-security
+description: PROACTIVELY scan OWASP Top 10 trước khi merge PR chứa auth/payment/user data, hoặc trước Pentest/UAT. Không edit code — chỉ report findings với fix recommendations.
+---
+
+# VETC Security Review
+
+OWASP Top 10 scan tập trung vào VETC-specific attack vectors.
+
+## When to Activate
+
+- Trước khi mở PR chứa authentication, payment, user data
+- Trước Pentest / UAT
+- Code review yêu cầu security check
+- Thêm endpoint mới, external integration mới
+
+## Do NOT Activate When
+
+- Chỉ fix UI/layout, không liên quan security → dùng `vetc-frontend-patterns`
+- Code review general (không phải security-focused) → dùng `vetc-review`
+- Đã có security review gần đây, chỉ refactor nhỏ không affect security
+- Task chỉ liên quan đến documentation, không code changes
+
+## OWASP Checklist — VETC Context
+
+### A01: Broken Access Control
+
+FAIL: No ownership check — any user can access any account:
+```java
+// NGUY HIỂM — IDOR
+@GetMapping("/{id}")
+public ResponseEntity<?> getById(@PathVariable Long id) {
+    return ResponseEntity.ok(service.findById(id)); // No ownership check!
+}
+```
+
+PASS: Verify user owns the resource:
+```java
+// AN TOÀN — Ownership verified
+@GetMapping("/{id}")
+
+### A02: Cryptographic Failures
+
+FAIL: Hardcoded secret in source code:
+```java
+// NGUY HIỂM — Secret lộ trong git
+private static final String API_KEY = "sk-proj-abc123xyz";
+String token = JwtUtils.encode(payload, "my-secret-key");
+```
+
+PASS: Secrets from environment, secure algorithm:
+```java
+// AN TOÀN — Environment variable + RS256
+@Value("${jwt.private-key-path}") private Resource keyResource;
+PrivateKey key = KeyFactory.getInstance("RSA")
+    .generatePrivate(new PKCS8EncodedKeySpec(keyResource.getInputStream().readAllBytes()));
+
+### A03: Injection (Critical for Oracle)
+
+FAIL: SQL injection via string concatenation:
+```java
+// NGUY HIỂM — SQL Injection
+"SELECT * FROM T WHERE NAME = '" + userInput + "'"
+```
+
+PASS: Parameterized query prevents injection:
+```java
+// AN TOÀN — Parameterized
+@Query("... WHERE NAME = :name")
+void find(@Param("name") String name);
+```
+- [ ] Mọi native query đều dùng `:param` placeholder?
+- [ ] JdbcTemplate dùng `?` không dùng concat?
+- [ ] Log injection: user input không log trực tiếp?
+
+### A04: Insecure Design
+
+FAIL: No idempotency — duplicate transfers possible:
+```java
+// NGUY HIỂM — Double-spend nếu network retry
+public TransferResponse transfer(TransferRequest req) {
+    wallet.setBalance(wallet.getBalance().subtract(req.getAmount()));
+    walletRepo.save(wallet);
+    // No idempotency check — retry = double charge!
+}
+```
+
+PASS: Idempotency key prevents duplicates:
+```java
+// AN TOÀN — Idempotency gate
+
+### A05: Security Misconfiguration
+
+FAIL: Wildcard CORS + exposed actuator on production:
+```java
+// NGUY HIỂM — CORS mở rộng, actuator lộ cấu hình
+@CrossOrigin("*")
+@RestController
+public class WalletController { ... }
+
+// application-prod.yml
+management:
+  endpoints:
+    web:
+      exposure:
+        include: "*"  // /actuator/env, /heapdump public!
+
+### A07: Auth Failures
+
+FAIL: OTP không có expiry + brute-force possible:
+```java
+// NGUY HIỂM — OTP không hết hạn, không giới hạn retry
+public boolean verifyOtp(String phone, String otp) {
+    String stored = redis.get("otp:" + phone);
+    return otp.equals(stored); // No expiry check, no attempt limit!
+}
+```