super-opencode 1.1.0 → 1.1.1

package/.opencode/skills/debug-protocol/SKILL.md

@@ -1,83 +1,83 @@
----
-name: debug-protocol
-description: Scientific debugging workflow using Root Cause Analysis and Minimal Reproducible Examples (MRE).
----
-
-# Debug Protocol Skill
-
-## Purpose
-To replace "Shotgun Debugging" (randomly changing code) with a deterministic, scientific process.
-**Goal:** Fix the *root cause*, not just the symptom.
-
-## When to Use
-- **Trigger**: When a test fails, an exception is thrown, or output is unexpected.
-- **Agent**: Primarily used by `execution` mode.
-- **Support**:
-    - Call `quality` to write the reproduction test.
-    - Call `researcher` if the error message is obscure/undocumented.
-
-## The Scientific Method (4-Step Protocol)
-
-### Phase 1: Observation (The MRE)
-**Rule**: *If you cannot reproduce it, you cannot fix it.*
-1.  **Isolate**: Create a standalone script or test case that fails 100% of the time.
-2.  **Minimize**: Remove all code not strictly necessary to produce the error.
-3.  **Log**: Do not guess variables. Log them.
-
-### Phase 2: Localization (The "Wolf Fence")
-**Rule**: *Divide and Conquer.*
-1.  **Binary Search**: Is the data wrong at the Database? No? At the API? No? At the UI?
-2.  **Trace**: Follow the data flow. Find the *exact line* where the reality diverges from expectation.
-
-### Phase 3: Hypothesis (The "5 Whys")
-**Rule**: *Do not fix the symptom.*
-1.  **Identify**: "Variable X is null."
-2.  **Ask Why**: "Why is X null?" -> "Because the API returned 404."
-3.  **Ask Why**: "Why 404?" -> "Because the ID was undefined."
-4.  **Ask Why**: "Why undefined?" -> "Because of a typo in the frontend."
-5.  **Root Cause**: Typo in the frontend payload.
-
-### Phase 4: Resolution & Verification
-**Rule**: *Prove it.*
-1.  **Apply Fix**: Correct the root cause.
-2.  **Verify**: Run the MRE from Phase 1. It must pass.
-3.  **Regression**: Run the full test suite. Ensure nothing else broke.
-
-## Debugging Scratchpad Template
-
-*Copy this into context during a debug session.*
-
-```markdown
-## 🐞 Debug Session: [Error Name]
-
-### 1. The Reproduction (MRE)
-- [ ] Created `reproduce_issue.ts`
-- [ ] Failure is deterministic (Happens every time)
-- **Error Message**: `[Paste exact error]`
-
-### 2. Localization (Wolf Fence)
-- [ ] Inputs are correct? (Yes/No)
-- [ ] Intermediate state correct? (Yes/No)
-- **Found at**: File `X`, Line `Y`.
-
-### 3. Root Cause Analysis (5 Whys)
-1. Why? [Answer]
-2. Why? [Answer]
-3. **Root Cause**: [The fundamental flaw]
-
-### 4. Resolution
-- **Action**: [What did you change?]
-- **Verification**: `npm test -- reproduce_issue.ts` -> ✅ PASS
-```
-
-## Anti-Patterns (Must Avoid)
-
-- ❌ **"It should work":** Code does not care what it "should" do. It does what it is told. Look at what it is doing.
-- ❌ **Console Log Spray:** Don't leave `console.log('here')` all over the code. Use structured logging or remove them after finding the bug.
-- ❌ **The "Blind Fix":** Applying a StackOverflow solution without understanding *why* it applies to your specific context. (Call `researcher` first).
-- ❌ **Ignoring Warning Logs:** Often the error is preceded by a warning 10 lines up. Read the *whole* log.
-
-## Integration with Agents
-
--   **`quality` agent**: If you are stuck on **Phase 1 (Reproduction)**, delegate to `quality`. *"I see the error, but I can't write a test for it. Quality Agent, please create a Cypress test for this UI bug."*
--   **`researcher` agent**: If you are stuck on **Phase 3 (Hypothesis)**. *"I have the error 'Heap Out of Memory'. Researcher, what are the common causes for this in Node.js 18?"*
+---
+name: debug-protocol
+description: Scientific debugging workflow using Root Cause Analysis and Minimal Reproducible Examples (MRE).
+---
+
+# Debug Protocol Skill
+
+## Purpose
+To replace "Shotgun Debugging" (randomly changing code) with a deterministic, scientific process.
+**Goal:** Fix the *root cause*, not just the symptom.
+
+## When to Use
+- **Trigger**: When a test fails, an exception is thrown, or output is unexpected.
+- **Agent**: Primarily used by `execution` mode.
+- **Support**:
+    - Call `quality` to write the reproduction test.
+    - Call `researcher` if the error message is obscure/undocumented.
+
+## The Scientific Method (4-Step Protocol)
+
+### Phase 1: Observation (The MRE)
+**Rule**: *If you cannot reproduce it, you cannot fix it.*
+1.  **Isolate**: Create a standalone script or test case that fails 100% of the time.
+2.  **Minimize**: Remove all code not strictly necessary to produce the error.
+3.  **Log**: Do not guess variables. Log them.
+
+### Phase 2: Localization (The "Wolf Fence")
+**Rule**: *Divide and Conquer.*
+1.  **Binary Search**: Is the data wrong at the Database? No? At the API? No? At the UI?
+2.  **Trace**: Follow the data flow. Find the *exact line* where the reality diverges from expectation.
+
+### Phase 3: Hypothesis (The "5 Whys")
+**Rule**: *Do not fix the symptom.*
+1.  **Identify**: "Variable X is null."
+2.  **Ask Why**: "Why is X null?" -> "Because the API returned 404."
+3.  **Ask Why**: "Why 404?" -> "Because the ID was undefined."
+4.  **Ask Why**: "Why undefined?" -> "Because of a typo in the frontend."
+5.  **Root Cause**: Typo in the frontend payload.
+
+### Phase 4: Resolution & Verification
+**Rule**: *Prove it.*
+1.  **Apply Fix**: Correct the root cause.
+2.  **Verify**: Run the MRE from Phase 1. It must pass.
+3.  **Regression**: Run the full test suite. Ensure nothing else broke.
+
+## Debugging Scratchpad Template
+
+*Copy this into context during a debug session.*
+
+```markdown
+## 🐞 Debug Session: [Error Name]
+
+### 1. The Reproduction (MRE)
+- [ ] Created `reproduce_issue.ts`
+- [ ] Failure is deterministic (Happens every time)
+- **Error Message**: `[Paste exact error]`
+
+### 2. Localization (Wolf Fence)
+- [ ] Inputs are correct? (Yes/No)
+- [ ] Intermediate state correct? (Yes/No)
+- **Found at**: File `X`, Line `Y`.
+
+### 3. Root Cause Analysis (5 Whys)
+1. Why? [Answer]
+2. Why? [Answer]
+3. **Root Cause**: [The fundamental flaw]
+
+### 4. Resolution
+- **Action**: [What did you change?]
+- **Verification**: `npm test -- reproduce_issue.ts` -> ✅ PASS
+```
+
+## Anti-Patterns (Must Avoid)
+
+- ❌ **"It should work":** Code does not care what it "should" do. It does what it is told. Look at what it is doing.
+- ❌ **Console Log Spray:** Don't leave `console.log('here')` all over the code. Use structured logging or remove them after finding the bug.
+- ❌ **The "Blind Fix":** Applying a StackOverflow solution without understanding *why* it applies to your specific context. (Call `researcher` first).
+- ❌ **Ignoring Warning Logs:** Often the error is preceded by a warning 10 lines up. Read the *whole* log.
+
+## Integration with Agents
+
+-   **`quality` agent**: If you are stuck on **Phase 1 (Reproduction)**, delegate to `quality`. *"I see the error, but I can't write a test for it. Quality Agent, please create a Cypress test for this UI bug."*
+-   **`researcher` agent**: If you are stuck on **Phase 3 (Hypothesis)**. *"I have the error 'Heap Out of Memory'. Researcher, what are the common causes for this in Node.js 18?"*

package/.opencode/skills/reflexion/SKILL.md

@@ -1,108 +1,108 @@
----
-name: reflexion
-description: Post-action analysis to generate heuristics, update project memory, and prevent regression loops.
----
-
-# Reflexion Skill
-
-## Purpose
-To transform **Failures** into **Heuristics**.
-Reflexion is the cognitive step that occurs **after** a failed attempt and **before** the next attempt. It breaks the "Insanity Loop" (doing the same thing twice expecting different results).
-
-**ROI Metric**: Prevents 5-10 wasted attempts in a loop by forcing a strategy shift after the first failure.
-
-## When to Use
-- **Automatic Trigger**: After a tool error (e.g., `bash` exit code != 0).
-- **Automatic Trigger**: After a test failure during `execution` mode.
-- **Manual Trigger**: When the user rejects an artifact ("This isn't what I asked for").
-- **Periodic**: At the end of a major feature (Project Retro).
-
-## The Reflexion Protocol (The Loop)
-
-### 1. The Halt (Stop)
-**Rule**: *Never retry immediately.*
-If an error occurs, you must pause. Do not simply re-run the command hoping for a different outcome.
-
-### 2. The Trace (Diagnosis)
-**Action**: Analyze the mismatch between *Expected Output* and *Actual Output*.
-*   *Was it a Syntax Error?* (Context failure).
-*   *Was it a Logic Error?* (Reasoning failure).
-*   *Was it a Hallucination?* (Knowledge failure).
-
-### 3. The Heuristic (Correction)
-**Action**: Create a new rule for yourself.
-*   *Old Thought:* "I will use `rm -rf` to clean up."
-*   *New Heuristic:* "I must check if the directory exists before attempting delete."
-
-### 4. The Store (Memory)
-**Action**: Save this lesson.
-*   *Short-term:* Apply to current context window.
-*   *Long-term:* Write to `.opencode/memory/patterns.md`.
-
-## Execution Template
-
-*Use this scratchpad when entering a Reflexion State.*
-
-```markdown
-## 🧠 Reflexion: [Failure Context]
-
-### 1. Analysis
-- **Expectation**: Test passed.
-- **Reality**: `ReferenceError: User is not defined`
-- **Gap**: I assumed `User` was exported from `types.ts`, but it was a default export.
-
-### 2. Critique
-"I failed to check the import style of the existing module before writing the import statement."
-
-### 3. New Strategy (The Pivot)
-- ❌ **Stop**: Guessing import paths.
-- ✅ **Start**: Using `grep` to see how other files import `User`.
-- **Action**: Run `grep -r "import.*User" .` before fixing.
-
-### 4. Memory Update
-- [ ] Add to Local Context? (Yes)
-- [ ] Add to Project Patterns? (No - simple syntax error)
-```
-
-## Memory Schema & Storage
-
-Maintain a dedicated memory structure to allow the `researcher` and `pm-agent` to learn over time.
-
-```text
-.opencode/
-└── memory/
-    ├── active_context.md       # Scratchpad for current session
-    ├── patterns.md             # Success patterns (What works here)
-    └── anti_patterns.md        # Failure log (What breaks here)
-```
-
-### Example: `.opencode/memory/anti_patterns.md`
-```markdown
-## ⛔ Anti-Patterns
-
-### 1. Database Connections
-- **Context**: Next.js Server Components.
-- **Failure**: "Too many connections" error.
-- **Lesson**: Do not instantiate Prisma Client inside the component. Use the singleton pattern defined in `src/lib/db.ts`.
-
-### 2. Styling
-- **Context**: Button Components.
-- **Failure**: Tailwinds classes not applying.
-- **Lesson**: We are using `tailwind-merge`. Standard string concatenation will fail. Always use `cn()` utility.
-```
-
-## Integration with Agents
-
--   **`execution` agent**: Must trigger `reflexion` after 2 failed build attempts.
-    -   *Logic:* "Attempt 1 Failed -> Retry -> Attempt 2 Failed -> **STOP & REFLECT** -> Attempt 3".
--   **`pm-agent`**: Reads `.opencode/memory/patterns.md` at the start of a new task to load context.
--   **`writer`**: Uses successful reflexions to update the project's `README.md` or `CONTRIBUTING.md`.
-
-## Reflexion vs. Debugging
-
-| Feature | `debug-protocol` | `reflexion` |
-| :--- | :--- | :--- |
-| **Focus** | The Code | The Agent's Process |
-| **Goal** | Fix the Bug | Improve the Strategy |
-| **Output** | Working Software | Better Internal Rules |
-| **Question** | "Why is variable X null?" | "Why did I write code that made X null?" |
+---
+name: reflexion
+description: Post-action analysis to generate heuristics, update project memory, and prevent regression loops.
+---
+
+# Reflexion Skill
+
+## Purpose
+To transform **Failures** into **Heuristics**.
+Reflexion is the cognitive step that occurs **after** a failed attempt and **before** the next attempt. It breaks the "Insanity Loop" (doing the same thing twice expecting different results).
+
+**ROI Metric**: Prevents 5-10 wasted attempts in a loop by forcing a strategy shift after the first failure.
+
+## When to Use
+- **Automatic Trigger**: After a tool error (e.g., `bash` exit code != 0).
+- **Automatic Trigger**: After a test failure during `execution` mode.
+- **Manual Trigger**: When the user rejects an artifact ("This isn't what I asked for").
+- **Periodic**: At the end of a major feature (Project Retro).
+
+## The Reflexion Protocol (The Loop)
+
+### 1. The Halt (Stop)
+**Rule**: *Never retry immediately.*
+If an error occurs, you must pause. Do not simply re-run the command hoping for a different outcome.
+
+### 2. The Trace (Diagnosis)
+**Action**: Analyze the mismatch between *Expected Output* and *Actual Output*.
+*   *Was it a Syntax Error?* (Context failure).
+*   *Was it a Logic Error?* (Reasoning failure).
+*   *Was it a Hallucination?* (Knowledge failure).
+
+### 3. The Heuristic (Correction)
+**Action**: Create a new rule for yourself.
+*   *Old Thought:* "I will use `rm -rf` to clean up."
+*   *New Heuristic:* "I must check if the directory exists before attempting delete."
+
+### 4. The Store (Memory)
+**Action**: Save this lesson.
+*   *Short-term:* Apply to current context window.
+*   *Long-term:* Write to `.opencode/memory/patterns.md`.
+
+## Execution Template
+
+*Use this scratchpad when entering a Reflexion State.*
+
+```markdown
+## 🧠 Reflexion: [Failure Context]
+
+### 1. Analysis
+- **Expectation**: Test passed.
+- **Reality**: `ReferenceError: User is not defined`
+- **Gap**: I assumed `User` was exported from `types.ts`, but it was a default export.
+
+### 2. Critique
+"I failed to check the import style of the existing module before writing the import statement."
+
+### 3. New Strategy (The Pivot)
+- ❌ **Stop**: Guessing import paths.
+- ✅ **Start**: Using `grep` to see how other files import `User`.
+- **Action**: Run `grep -r "import.*User" .` before fixing.
+
+### 4. Memory Update
+- [ ] Add to Local Context? (Yes)
+- [ ] Add to Project Patterns? (No - simple syntax error)
+```
+
+## Memory Schema & Storage
+
+Maintain a dedicated memory structure to allow the `researcher` and `pm-agent` to learn over time.
+
+```text
+.opencode/
+└── memory/
+    ├── active_context.md       # Scratchpad for current session
+    ├── patterns.md             # Success patterns (What works here)
+    └── anti_patterns.md        # Failure log (What breaks here)
+```
+
+### Example: `.opencode/memory/anti_patterns.md`
+```markdown
+## ⛔ Anti-Patterns
+
+### 1. Database Connections
+- **Context**: Next.js Server Components.
+- **Failure**: "Too many connections" error.
+- **Lesson**: Do not instantiate Prisma Client inside the component. Use the singleton pattern defined in `src/lib/db.ts`.
+
+### 2. Styling
+- **Context**: Button Components.
+- **Failure**: Tailwinds classes not applying.
+- **Lesson**: We are using `tailwind-merge`. Standard string concatenation will fail. Always use `cn()` utility.
+```
+
+## Integration with Agents
+
+-   **`execution` agent**: Must trigger `reflexion` after 2 failed build attempts.
+    -   *Logic:* "Attempt 1 Failed -> Retry -> Attempt 2 Failed -> **STOP & REFLECT** -> Attempt 3".
+-   **`pm-agent`**: Reads `.opencode/memory/patterns.md` at the start of a new task to load context.
+-   **`writer`**: Uses successful reflexions to update the project's `README.md` or `CONTRIBUTING.md`.
+
+## Reflexion vs. Debugging
+
+| Feature | `debug-protocol` | `reflexion` |
+| :--- | :--- | :--- |
+| **Focus** | The Code | The Agent's Process |
+| **Goal** | Fix the Bug | Improve the Strategy |
+| **Output** | Working Software | Better Internal Rules |
+| **Question** | "Why is variable X null?" | "Why did I write code that made X null?" |

package/.opencode/skills/security-audit/SKILL.md

@@ -1,90 +1,90 @@
----
-name: security-audit
-description: Static Analysis and Threat Modeling skill to detect OWASP Top 10 vulnerabilities.
----
-
-# Security Audit Skill
-
-## Purpose
-To act as an automated **SAST (Static Application Security Testing)** scanner.
-**Goal**: Identify vulnerabilities in the *implementation* phase, before the code reaches the `review` phase.
-
-**ROI Metric**: Detecting a hardcoded secret here takes 5 seconds. Rotating a compromised key in production takes 5 hours.
-
-## When to Use
--   **Trigger**: When `backend` implements an endpoint involving `users`, `auth`, or `payments`.
--   **Trigger**: When `frontend` uses `dangerouslySetInnerHTML` or similar raw HTML rendering.
--   **Trigger**: When `pm-agent` flags a task as "High Risk."
--   **Agent**: Primary skill for the `security` agent; secondary skill for `backend`/`review` modes.
-
-## The Audit Protocol (The Scanner)
-
-### 1. Pattern Scanning (The Grep Check)
-*Scan the code for these specific "smells":*
-
-| Risk Category | Keywords/Patterns to Flag |
-| :--- | :--- |
-| **Injection (RCE/XSS)** | `eval()`, `exec()`, `system()`, `dangerouslySetInnerHTML`, `innerHTML` |
-| **SQL Injection** | String concatenation inside queries (`"SELECT... " + input`), `${var}` inside SQL strings |
-| **Weak Crypto** | `md5`, `sha1`, `Math.random()` (for secrets), `http://` (non-TLS) |
-| **Secrets** | `API_KEY`, `SECRET`, `PASSWORD` (assigned to hard strings) |
-| **Debug Leftovers** | `console.log(userObj)`, `debugger`, `0.0.0.0` (binding to all interfaces) |
-
-### 2. Logic Analysis (STRIDE)
-*Ask these questions about the flow:*
-*   **Spoofing**: Does this verify *who* the user is? (Check: Auth Middleware presence).
-*   **Tampering**: Can I modify the payload? (Check: Zod/Joi validation `strip()` on unknown keys).
-*   **Information Disclosure**: Does the error return the stack trace? (Check: `try/catch` blocks).
-*   **Elevation of Privilege**: Does it check `user.id === resource.ownerId`? (Check: Authorization logic).
-
-### 3. Dependency Check (Supply Chain)
-*   If `package.json` was modified:
-    *   Are versions pinned? (Good: `1.2.3`, Bad: `^1.2.3`).
-    *   Are there known CVEs? (Trigger `tavily` search).
-
-## Execution Template
-
-*Use this scratchpad to document the audit findings.*
-
-```markdown
-## 🔐 Security Audit Report: [File/Component]
-
-### 1. Static Scan
-- [ ] Checked for hardcoded secrets.
-- [ ] Checked for raw SQL/HTML injection.
-- [ ] Checked for dangerous functions (`eval`, `exec`).
-
-### 2. Logic Check (OWASP)
-- **AuthZ**: [ Verify BOLA/IDOR protection ]
-- **Input**: [ Verify Schema Validation ]
-- **Output**: [ Verify Data Sanitization ]
-
-### 3. Vulnerability Findings
-| Severity | Line | Issue | CWE ID | Remediation |
-| :--- | :--- | :--- | :--- | :--- |
-| 🔴 **Critical** | 42 | SQL Injection (`${id}`) | CWE-89 | Use Param: `WHERE id = $1` |
-| 🟡 **Medium** | 15 | Missing Rate Limit | CWE-799 | Add `RateLimitMiddleware` |
-
-### 🏁 Verdict
-[ PASS / FAIL ] - *If Fail, do not commit.*
-```
-
-## Remediation Patterns (The "Fix It" Guide)
-
-**Problem:** SQL Injection
-❌ `db.query("SELECT * FROM users WHERE name = '" + name + "'")`
-✅ `db.query("SELECT * FROM users WHERE name = $1", [name])`
-
-**Problem:** XSS (React)
-❌ `<div dangerouslySetInnerHTML={{ __html: userInput }} />`
-✅ `<div>{userInput}</div>` or use `DOMPurify.sanitize(userInput)`
-
-**Problem:** Broken Auth (IDOR)
-❌ `return await db.orders.find(req.params.id)`
-✅ `return await db.orders.find({ id: req.params.id, ownerId: req.user.id })`
-
-## Integration with Agents
-
--   **`security` agent**: Uses this skill as its primary method of interaction.
--   **`backend` agent**: Must invoke `security-audit` before marking an API task as "Complete."
--   **`review` mode**: Uses the *Findings Table* as the basis for "Critical" comments.
+---
+name: security-audit
+description: Static Analysis and Threat Modeling skill to detect OWASP Top 10 vulnerabilities.
+---
+
+# Security Audit Skill
+
+## Purpose
+To act as an automated **SAST (Static Application Security Testing)** scanner.
+**Goal**: Identify vulnerabilities in the *implementation* phase, before the code reaches the `review` phase.
+
+**ROI Metric**: Detecting a hardcoded secret here takes 5 seconds. Rotating a compromised key in production takes 5 hours.
+
+## When to Use
+-   **Trigger**: When `backend` implements an endpoint involving `users`, `auth`, or `payments`.
+-   **Trigger**: When `frontend` uses `dangerouslySetInnerHTML` or similar raw HTML rendering.
+-   **Trigger**: When `pm-agent` flags a task as "High Risk."
+-   **Agent**: Primary skill for the `security` agent; secondary skill for `backend`/`review` modes.
+
+## The Audit Protocol (The Scanner)
+
+### 1. Pattern Scanning (The Grep Check)
+*Scan the code for these specific "smells":*
+
+| Risk Category | Keywords/Patterns to Flag |
+| :--- | :--- |
+| **Injection (RCE/XSS)** | `eval()`, `exec()`, `system()`, `dangerouslySetInnerHTML`, `innerHTML` |
+| **SQL Injection** | String concatenation inside queries (`"SELECT... " + input`), `${var}` inside SQL strings |
+| **Weak Crypto** | `md5`, `sha1`, `Math.random()` (for secrets), `http://` (non-TLS) |
+| **Secrets** | `API_KEY`, `SECRET`, `PASSWORD` (assigned to hard strings) |
+| **Debug Leftovers** | `console.log(userObj)`, `debugger`, `0.0.0.0` (binding to all interfaces) |
+
+### 2. Logic Analysis (STRIDE)
+*Ask these questions about the flow:*
+*   **Spoofing**: Does this verify *who* the user is? (Check: Auth Middleware presence).
+*   **Tampering**: Can I modify the payload? (Check: Zod/Joi validation `strip()` on unknown keys).
+*   **Information Disclosure**: Does the error return the stack trace? (Check: `try/catch` blocks).
+*   **Elevation of Privilege**: Does it check `user.id === resource.ownerId`? (Check: Authorization logic).
+
+### 3. Dependency Check (Supply Chain)
+*   If `package.json` was modified:
+    *   Are versions pinned? (Good: `1.2.3`, Bad: `^1.2.3`).
+    *   Are there known CVEs? (Trigger `tavily` search).
+
+## Execution Template
+
+*Use this scratchpad to document the audit findings.*
+
+```markdown
+## 🔐 Security Audit Report: [File/Component]
+
+### 1. Static Scan
+- [ ] Checked for hardcoded secrets.
+- [ ] Checked for raw SQL/HTML injection.
+- [ ] Checked for dangerous functions (`eval`, `exec`).
+
+### 2. Logic Check (OWASP)
+- **AuthZ**: [ Verify BOLA/IDOR protection ]
+- **Input**: [ Verify Schema Validation ]
+- **Output**: [ Verify Data Sanitization ]
+
+### 3. Vulnerability Findings
+| Severity | Line | Issue | CWE ID | Remediation |
+| :--- | :--- | :--- | :--- | :--- |
+| 🔴 **Critical** | 42 | SQL Injection (`${id}`) | CWE-89 | Use Param: `WHERE id = $1` |
+| 🟡 **Medium** | 15 | Missing Rate Limit | CWE-799 | Add `RateLimitMiddleware` |
+
+### 🏁 Verdict
+[ PASS / FAIL ] - *If Fail, do not commit.*
+```
+
+## Remediation Patterns (The "Fix It" Guide)
+
+**Problem:** SQL Injection
+❌ `db.query("SELECT * FROM users WHERE name = '" + name + "'")`
+✅ `db.query("SELECT * FROM users WHERE name = $1", [name])`
+
+**Problem:** XSS (React)
+❌ `<div dangerouslySetInnerHTML={{ __html: userInput }} />`
+✅ `<div>{userInput}</div>` or use `DOMPurify.sanitize(userInput)`
+
+**Problem:** Broken Auth (IDOR)
+❌ `return await db.orders.find(req.params.id)`
+✅ `return await db.orders.find({ id: req.params.id, ownerId: req.user.id })`
+
+## Integration with Agents
+
+-   **`security` agent**: Uses this skill as its primary method of interaction.
+-   **`backend` agent**: Must invoke `security-audit` before marking an API task as "Complete."
+-   **`review` mode**: Uses the *Findings Table* as the basis for "Critical" comments.