Endika
Lean personal Claude Code skills pack — my conventions, task flow, and quality lenses. Requires the superpowers plugin.
Indexed Skills (14)
exploit-hunt
Use when hunting for actually-exploitable vulnerabilities — reachable, user-controlled paths into a real sink (SSRF, SQLi, command injection, RCE, deserialization, path traversal, XSS), discarding theoretical or local-only noise. Offensive triage, the counterpart to security-bar's defensive checklist.
gdpr
Use when building, shipping, or auditing one of my B2C apps for GDPR/privacy — classify the data posture (offline / Supabase-backed / ships-to-AI-processor), run the decision gates (personal data? lawful basis? processor DPA? transfer? minimization? DSR/erasure?), add a privacy notice, and add privacy-first cookieless analytics without triggering consent. EU GDPR; references security-bar for the controls.
standards
Use when about to commit, write or design tests, name identifiers, write user-facing copy, choose an ID type, or push — enforces my non-negotiable conventions for commits, test design, repo hygiene, inclusive language, IDs, and pre-push checks.
context-budget
Use when context feels heavy or you've added skills, agents, MCP servers, or memory and want a token-consumption audit of the whole setup with a prioritized trim list.
perf-bar
Use when assessing performance or algorithmic soundness — Big-O on hot paths, N+1 queries, Supabase egress, and benchmarking hard challenges; feeds the SPIKE sub-phase and per-task review.
stack-gotchas
Use when hitting a known failure in my stack — release-please rate-limit or auto-merge loop, GitHub Pages env branch-policy, Supabase egress/RLS/stale-client-blob, a Flipper FAP release/build/version-triad failure or a FAP whose UI won't refresh when launched from favourites/quick-buttons, or verifying mobile/responsive rendering in WSL — for a direct diagnose-and-recover recipe.
task-flow
Use when implementing a feature or multi-step task end-to-end — orchestrates spec intake, adaptive analysis, planning, and a per-task implement/verify/review loop over superpowers, with a single human gate after the plan; includes a human-pulled respec gate to correct the spec mid-build.
ux-bar
Use when building or reviewing UI to apply my design and UX bar on top of frontend-design — semantic color, design-system rules (coral is brand; positive=owed, warn=owes, danger=error/delete), and responsive / horizontal-overflow checks.
security-bar
Use when reviewing changes for security to apply my checklist on top of security-review — input handling, secrets, authz, Supabase RLS, egress limits, server-side PIN enforcement, and the agent-harness surface (config secrets, hook injection, MCP risk, over-broad permissions).
stacks
Use when building or maintaining a project in one of my non-default stacks — Flipper Zero FAP in C now, Django / Flask / FastAPI coming — for its architecture, build, test, formatting and release conventions. Routes to references/<stack>/. The web stack (TS / Supabase / PWA) is the pack's implicit default and has no entry here.
arch-bar
Use when judging whether a design's architecture fits its scale — catches both over-engineering and under-engineering, agnostic to SaaS, small monolith, or microservices.
gen-uml
Use when you need a Mermaid diagram (architecture, flow, or sequence) generated from existing code, and a check that the diagram matches what was actually built.
postmortem
Use when capturing an important bug or production failure — record the incident, root cause, fix, and lesson as an archivable markdown document.
spec-intake
Use when starting from a task described in Jira, Linear, a URL, or free text and you need it normalized into a spec (objective, acceptance criteria, constraints, definition of done) before planning.
Bio shown is the top-scored skill's repo description as a fallback — real GitHub bios land in a future update.