Raffa-jarrl

lictor-explain

Takes any security finding, error message, or jargon-heavy security advice and explains it in plain English. Use this when someone is confused by what /lictor-security-check found, or when they got a security warning from another tool and don't understand it.

lictor-fix-it

Applies the fixes recommended by /lictor-security-check, with the user's explicit permission for each change. Walks through findings one at a time, shows the proposed change, gets approval, applies, runs tests if available, and moves on. Some fixes (rotating leaked credentials) require the user to act outside Claude — surface those clearly.

lictor-rotate

Walks the user through rotating a leaked API key — step by step, provider-specific. Knows the exact URL to visit, the exact button to click, and how to verify the rotation worked. Supports Stripe, OpenAI, Anthropic, Google Cloud / AI Studio, GitHub, AWS, Slack, Supabase, Firebase, Postmark, and generic OAuth providers.

lictor-security-check

Pre-release security audit for AI-built web apps. Scans the user's project for 7 common bugs that get vibe-coded SaaS apps embarrassed in public — leaked API keys, unprotected user-data endpoints, open databases, the wrong kind of admin-page lock, exposed config files, dangerous AI chat setups, and over-permissive cross-origin settings. Writes a plain-English markdown report. No jargon.