hmj1026

doc-review

Document review via Codex MCP. Use when: reviewing .md docs, tech spec audit, document quality check. Not for: code review (use codex-code-review), test review (use test-review). Output: 5-dimension rating table + gate.

skill-health-check

Validate skill quality against routing, progressive loading, and verification criteria. Use when: auditing skills, checking skill health, reviewing skill design. Not for: code review (use codex-code-review) or doc review (use doc-review). Output: health report with per-skill ratings + Gate.

yii1-security-audit

Yii 1.1 框架安全審計工具（PHP 5.6）。針對 CAccessControlFilter / accessRules()、Yii::app()->user->checkAccess() 鑑權、CHtml::encode() 輸出編碼、CSRF 設定、CDbCommand / CDbCriteria SQL 注入、CUploadedFile 上傳驗證、Session cookie 安全等進行白盒靜態審計，映射到通用漏洞類型體系（AUTH/CSRF/XSS/SQL/CFG/LOGIC/FILE）。使用時機：用戶要對 Yii 1.1 專案執行安全審計、查找漏洞、驗證安全設定、或進行框架安全複查時，即使用戶沒有明確說「audit」也應觸發，例如「幫我檢查這個 Controller 有沒有安全問題」「這個專案的 CSRF 設定對嗎」「幫我找 SQL injection」。

agent-architecture-audit

Full-stack diagnostic for agent and LLM applications. Audits the 12-layer agent stack for wrapper regression, memory pollution, tool discipline failures, hidden repair loops, and rendering corruption. Produces severity-ranked findings with code-first fixes. Essential for developers building agent applications, autonomous loops, or any LLM-powered feature.

bug-fix

Bug fix workflow. Use when: fixing bugs, resolving issues, regression fixes. Not for: new features (use feature-dev), understanding code (use code-explore). Output: fix + regression test + review gate.

claude-health

Claude Code config health check + plugin sync. Use when: auditing .claude/ structure, checking naming, verifying hook setup, detecting plugin version drift, syncing installed assets. Not for: skill quality (use skill-health-check), code review (use codex-code-review). Output: health report + fix recommendations.

code-explore

Pure Claude code investigation. Use when: tracing execution paths, understanding architecture, diagnosing issues. Not for: dual-perspective review (use code-investigate), code review (use codex-code-review). Output: analysis report with findings.

code-investigate

Dual-perspective code investigation. Use when: deep code analysis needing both Claude and Codex perspectives. Not for: quick exploration (use code-explore), code review (use codex-code-review). Output: integrated findings from dual analysis.

codex-architect

Codex architecture consulting. Use when: designing features, evaluating architecture, getting second opinion on design. Not for: implementation (use codex-implement), code review (use codex-code-review). Output: architecture advice + design recommendations.

codex-brainstorm

Adversarial brainstorming via Claude+Codex debate. Use when: exploring solutions, feasibility analysis, exhaustive enumeration. Not for: implementation (use feature-dev), architecture only (use codex-architect). Output: Nash equilibrium consensus + action items.

codex-cli-review

Code review via Codex CLI with full disk access. Use when: deep review needing full codebase read, uncommitted change review. Not for: quick diff review (use codex-code-review), doc review (use doc-review). Output: severity-grouped findings + merge gate.

codex-code-review

Code review using Codex MCP. Use when: PR review, code audit, second opinion on changes. Not for: doc review (use doc-review), security audit (use security-review). Output: severity-grouped findings + merge gate.

codex-implement

Implement features via Codex MCP. Use when: writing new code from specs, implementing features, Codex-driven development. Not for: code review (use codex-code-review), architecture advice (use codex-architect). Output: implemented code + review loop.

context-budget

Audits Claude Code context window consumption across agents, skills, MCP servers, and rules. Identifies bloat, redundant components, and produces prioritized token-savings recommendations.

continuous-learning-v2

Instinct-based learning system that observes sessions via hooks, creates atomic instincts with confidence scoring, and evolves them into skills/commands/agents. v2.1 adds project-scoped instincts to prevent cross-project contamination.

create-request

Create, update, or scan per-task request tickets for progress tracking. These are date-prefixed non-lifecycle docs under requests/, NOT feature-level requirements (use /req-analyze for those). Use when: tracking task progress, updating completion status, scanning incomplete requests, checking request status dashboard. Not for: feature-level problem-space analysis (use req-analyze for 1-requirements.md lifecycle doc), tech specs (use tech-spec), code implementation (use feature-dev). Output: request ticket with status tracking, referencing parent tech-spec.

de-ai-flavor

Remove AI artifacts from documents. Use when: cleaning AI-generated text, removing tool names, fixing boilerplate patterns. Not for: doc review (use doc-review), doc refactoring (use doc-refactor). Output: cleaned document preserving original intent.

deploy-list

Cross-project / cross-platform deploy file list generator (schema=v1). Three scope modes: --anchor STRING (rg source-tree grep on in-code markers), --deploy-commits CSV (union of pinned commits' diffs), or fallback (whole base..head). Filters dev-only paths (tests, docs, AI harness, CI configs), groups remaining files by ecosystem preset (php-yii, laravel, node, python, generic — or a custom project preset), and emits a deterministic deploy checklist. `--tag` is metadata only, not used for grouping. The script does all the work; Claude only parses arguments and forwards stdout.

adaptive-dev-workflow

Workflow router for substantial changes — classify feature / bugfix / refactor / security / perf / OpenSpec into Feature Delivery, Bug Investigation, or Lightweight Maintenance; output required artifacts + gates. Not for tiny edits, investigation already underway, code review, or apply-ready OpenSpec tasks.

codex-explain

Explain complex code via Codex MCP. Use when: understanding complex logic, tracing data flow, onboarding to unfamiliar code. Not for: code review (use codex-code-review), exploration (use code-explore). Output: structured explanation at chosen depth.

bug-investigation

Systematic 5-phase bug investigation workflow for unexpected behavior, test failures, performance regressions, data inconsistencies, and root cause tracing. Use when users ask to investigate/trace bugs or data flow (e.g., bug investigation, 測試失敗, 效能異常, 調查 Bug, 追蹤資料流, root cause analysis). Not for direct implementation-only tasks where root cause is already confirmed. Output: phase-based investigation report with evidence, root cause, and fix options.

legacy-code-characterization

Write characterization tests for untested legacy code to lock current behavior before refactoring. Use when users want to safely refactor legacy controllers/models/services, add regression safety nets, or prepare code for extraction. Trigger words: characterization test, lock behavior, legacy test, safe refactor, 行為鎖定, 特徵測試, 安全重構. Not for: greenfield code, already well-tested modules, or pure bug fixes. Output: characterization test files + coverage delta report.

multi-ai-sync

Compare and synchronize Claude-first agent configuration across Codex, Gemini, and Antigravity (.agent). Generate read-only plans, create OpenSpec tasks, apply safe sync changes with dry-run preview and writable-path fallback, and validate post-sync results. Use when aligning `.claude` skills, commands, hooks, agents, or orchestration rules to other AI platforms, when comparing multi-platform agent setup drift, or when preparing a Claude-to-Codex/Gemini/.agent migration. Also matches requests such as `sync claude to codex`, `align multi-platform AI config`, `同步 claude 技能到 codex`, or `對齊多 AI 設定`. Not for single-platform edits, reverse sync, or missing `.claude` source.

php-pro

Use when building, debugging, refactoring, testing, or reviewing PHP code in Laravel, Symfony, generic modern PHP, or legacy PHP 5.6 + Yii 1.1 codebases. Detect the active runtime first, then load only the matching reference set; for Laravel, confirm the resolved major version and load the version-specific reference before touching bootstrap/app.php, middleware, exceptions, auth, testing infrastructure, or Laravel-coupled packages. Not for frontend-only or non-PHP tasks.

php56-yii-dev

Generic backend development workflow for legacy Yii 1.x applications running on PHP 5.6 that must stay compatible with future PHP 7 upgrades. Use when implementing, refactoring, debugging, testing, or reviewing Yii 1.x backend code such as Controllers, FormModels, CActiveRecord, services, repositories, DAO queries, validation rules, security hardening, or domain-driven design boundaries. Includes pragmatic DDD placement, Context7-first knowledge refresh, and full TDD guidance. Not for frontend-only work, documentation-only edits, or non-PHP stacks.

js-lint-config

ESLint 9 flat config tier pattern (Tier 1 strict / 1.5 core-exempt / 1.7 deferred-migration / 2 test / Global vendor ignores), custom no-restricted-syntax AST selectors, project legacy-globals whitelist three-way sync (eslint config / TS ambient .d.ts / JSDoc typedef), TypeScript noEmit gate design, progress-measurement grep templates. Use when planning per-leaf cleanup, adding a leaf that introduces a new global, interpreting /ts-check-status output, validating Phase 2 exit gate, editing eslint.config.js or tsconfig.json, frontend-reviewer auditing tier consistency, or deciding which tier a new file belongs to. Not for everyday JS business-logic writing or simple AJAX wrapper lookups.

js-static-check-strategy

Progressive `// @ts-check` per-leaf rollout playbook for legacy JS bundles. Covers the three-list legacy-globals sync (ESLint globals / TypeScript ambient .d.ts / JSDoc typedef), tsconfig exclude strategy for files that resist type-check, leaf classification (typedef-widening-fixable vs permanent-exclude), line-anchored progress grep traps, and Phase-2 exit-gate semantics. Use when planning a per-leaf cleanup PR, introducing a new leaf-level global, editing tsconfig's exclude list, interpreting /ts-check-status output, or validating that the strict-checkJs exit gate is met. For day-to-day lint-rule lookups, the sibling skill js-lint-config and the references/static-checks.md index are enough.

laravel-10-notes

Laravel 10.x (February 2023) signature features and the breaking-change traps from 9 → 10. Use when writing or reviewing code in a Laravel 10 project, or in a package whose composer constraint includes ^10.0. Covers native return types throughout the app skeleton, invokable validation rules via the ValidationRule contract, the Process facade for shell invocation, the Pest-as-default test option, and the Predis 2.x default.

laravel-11-notes

Laravel 11.x (March 2024) signature features and the (significant) breaking-change traps from 10 → 11. Use when writing or reviewing code in a Laravel 11 project, or in a package whose composer constraint includes ^11.0. Covers the streamlined app structure (bootstrap/app.php replaces three Kernel/Handler files), the Model casts() method that replaces $casts property, per-second rate limiting, the /up health endpoint, SQLite-as-default, Sanctum 4, and the array-style middleware exception handling.

laravel-6-notes

Laravel 6.x (LTS, Sep 2019) signature features and the breaking-change traps from 5.8 → 6.0. Use when writing or reviewing code in a Laravel 6 project, or in a package whose composer constraint includes ^6.0. Covers job middleware, lazy collections, the Str/Arr helper migration, the strict-semver shift, and the deprecations Laravel 6 removed from 5.x. Not for application business logic — load when working on framework-touching code (service providers, jobs, model attributes) or planning a 5.8 → 6 upgrade.

laravel-7-notes

Laravel 7.x (March 2020) signature features and the breaking-change traps from 6 → 7. Use when writing or reviewing code in a Laravel 7 project, or in a package whose composer constraint includes ^7.0. Covers the new HTTP client facade, custom Eloquent casts via the CastsAttributes interface, the Blade x-component overhaul, Symfony 5 upgrade implications, and route-model-binding-by-key.

laravel-8-notes

Laravel 8.x (September 2020) signature features and the breaking-change traps from 7 → 8. Use when writing or reviewing code in a Laravel 8 project, or in a package whose composer constraint includes ^8.0. Covers the factory class rewrite (HasFactory trait), Jetstream/Fortify scaffolding split, job batching, queueable closures, the app/Models/ relocation, dynamic Blade components, migration squashing, and the Tailwind-by-default switch.

laravel-9-notes

Laravel 9.x (February 2022) signature features and the breaking-change traps from 8 → 9. Use when writing or reviewing code in a Laravel 9 project, or in a package whose composer constraint includes ^9.0. Covers anonymous migrations, the Symfony 6 upgrade, Symfony Mailer replacing Swift Mailer, Flysystem 3 breaking changes (visibility / exception API), PHP 8.0 floor, query builder improvements, enum casts, and the new Ignition error page.

library-dual-testsuite-map

Map edited file paths to the correct testsuite(s) for libraries with a framework-agnostic Core layer and a framework-specific glue layer. Use when editing any `src/**` file in a library whose phpunit.xml declares multiple testsuites (commonly `core` + `laravel`, or `core` + `symfony`, etc.) and you need to know which `composer test:*` command(s) to run. Saves the round-trip of "I ran the wrong suite, the failing test is in the other one". Companion to (not duplicate of) `polyfill-version-matrix-audit` which works at the version-guard level; this skill works at the directory level.

matrix-cell-onboard

Checklist + procedure for adding a new PHP/Laravel/PHPUnit/Monolog cell to a multi-major library's CI matrix. Use when extending support to a new runtime version (e.g. "add PHP 8.3 + Laravel 12 to the matrix"), bumping a dep major (e.g. "Monolog 4 came out, plan the cell"), or restoring a previously dropped cell. Cross-checks `composer.json` constraints, `.github/workflows/*.yml` matrix rows, Testbench mapping for Laravel, and triggers a polyfill-coverage check for the new cell's dep versions. Pairs with the `laravel-testbench-matrix` skill (which covers per-cell Testbench install logic) and `composer-package-hygiene` (which covers the semver implication of raising the floor).

php-modern-pro

PHP 7.4 → 8.x modern idioms and dual-version-floor library packaging. Use when writing or reviewing PHP code that targets ≥7.4 (typed properties, arrow fns, null-coalesce assignment, spread in arrays, numeric literal separator) or a composer package whose constraint spans 7.x→8.x (where 8.0+ features like match / nullsafe / named args / attributes / readonly / enums must be used conditionally). Also covers polyfill / class_alias / autoload-time runtime-detection patterns for libraries that span Monolog 2/3, Laravel 6→11, Flysystem 1→3, or similar dual-major-version dependencies. Counterpart to php-pro (which targets 5.6 baseline and forbids ≥7.0 syntax). Not for everyday business logic — load when designing a public API, picking between a 7.4 and an 8.x idiom, writing a polyfill / version-conditional shim, or reviewing composer.json constraint hygiene.

php-8x-features

PHP 8.0 → 8.3 language features and when to use them. Use when the project's declared PHP floor permits 8.x syntax, when reviewing whether a 7.4-and-up library can adopt an 8.x idiom conditionally, when designing a public API that should leverage attributes / enums / readonly for type safety, or when working through migration from a 7.4-style class to its 8.x equivalent. Covers match / nullsafe / named arguments / constructor promotion / attributes / readonly properties / enums / intersection types / new in initializers / readonly classes / DNF types / typed class constants — with per-feature min-PHP markers so library authors know what their composer constraint permits. Counterpart to php-modern-pro (which is 7.4-baseline). Not for everyday business logic — load when picking between two valid idioms or designing API shape.

phpunit-10-notes

PHPUnit 10.x (February 2023) signature features and the breaking-change traps from 9 → 10. Use when writing or reviewing tests in a PHPUnit 10 project, or when migrating a PHPUnit 9 suite to 10. Covers PHP 8.1 floor, the attribute-style annotation system (#[DataProvider] /

phpunit-11-notes

PHPUnit 11.x (February 2024) signature features and the breaking-change traps from 10 → 11. Use when writing or reviewing tests in a PHPUnit 11 project, or when migrating a PHPUnit 10 suite to 11. Covers PHP 8.2 floor, the full removal of doc-comment annotations (PHP 8 attributes are now the only path), assertObjectHasProperty replacing assertObjectHasAttribute, the static-data-provider hard requirement, and the test-name discovery changes.

phpunit-9-modern

PHPUnit 8.5 → 9.x modern test patterns. Use when writing or reviewing tests in a project on PHPUnit 8.5+ or 9.x, when migrating tests from PHPUnit 5/6/7 conventions, when adding type declarations to existing test methods, when picking between assertSame / assertEquals / assertIsXxx, when designing data providers, or when removing deprecated APIs (ProphecyTestCase, TestListener, @expectedException annotations). Counterpart to the phpunit-5.7 module (which targets the older API). Not for everyday assertion writing — load when reviewing test discipline, planning a PHPUnit upgrade, designing per-test fixtures, or picking between mock styles.

composer-package-hygiene

Composer-published package author concerns — semver decisions, public API surface declaration (@api / @internal / final), composer.json autoloader hygiene (PSR-4 vs files, allow-plugins, suggest vs require), Laravel package discovery validation (extra.laravel.providers/aliases), and the release flow (changelog ↔ tag ↔ gh release consistency). Framework-agnostic — applies to any PHP package distributed via Packagist, whether plain library, Symfony bundle, or Laravel package. Use when designing a public API for a new package, reviewing a composer.json before publishing, cutting a release, deciding whether a change is a major/minor/patch bump, auditing autoload entries, or validating that Laravel package discovery still works. Not for everyday application code — load only when working on a library that other projects will install. Counterpart to php-modern-pro (language-level idioms) and any future laravel-N-dev (framework patterns).

dhpk-execution-policy

Default workflow for software engineering tasks: task modes (small change, bug fix, new feature, architecture change), skill priority order, mandatory post-edit review steps (sentinel-driven), anti-loop guidance, and standard output shape. Triggers: how should I approach this, what is the workflow, do I need a plan, what reviews are required, I am stuck in a loop, what to do after editing. Use this skill at task kickoff to pick the right flow, and after edits to confirm review obligations.

execution-checklist

End-of-task self-check before wrapping up. Use when a major task is about to wrap — final Edit/Write done, ready to reply with Conclusion, or commit incoming — especially after writing a feature/bugfix, touching SQL or repository code, changing auth/crypto/money/file-upload paths, modifying repository methods on a high-volume table, or editing JS/TS source or template-embedded `<script>` blocks. Not for trivial one-line edits, pure research/planning (no Edit/Write), or pure typo fixes.

API & Backend Listed

ios-platform

iOS SDK framework guidance for a health/PHI app — Core Data at-rest encryption (SQLCipher/EncryptedCoreData + File Protection Complete fallback), CryptoKit AES.GCM + Keychain key management (accessibility classes, no iCloud sync), Vision OCR (RecognizeTextRequest / VNRecognizeTextRequest, handwriting limits, mandatory manual fallback), AVFoundation capture, LocalAuthentication biometric lock, UserNotifications (Time Sensitive, 64-pending limit, rollover scheduling), HealthKit read-only, and privacy-manifest / data-protection / iCloud-prohibition compliance. Use when implementing or reviewing persistence, encryption, Keychain, OCR, camera, biometric auth, local notifications, HealthKit, or the privacy manifest in an iOS app. Requires the swift module. Not for SwiftUI view composition (swiftui) or pure language questions (swift).

laravel-5.4-notes

Laravel 5.4 (February 2017) signature features and the breaking-change traps from 5.3 → 5.4. Use when writing or reviewing code in a Laravel 5.4 project, or in a package whose composer constraint includes 5.4.*. Covers Blade components & slots, route model binding, middleware groups, realtime facades, markdown mailables, higher-order messages, and the Elixir → Mix frontend transition. Not for application business logic — load when working on framework-touching code (Blade templates, routing, mailables, service providers, Mix config) or planning a 5.3 → 5.4 upgrade.

laravel-mix-notes

Laravel Mix 5 (^5.0.9) signature features and the webpack 4 era build traps. Use when editing webpack.mix.js, the resources/assets/ asset sources, or the package.json npm build scripts in a Laravel 5.4 / Mix 5 project, or diagnosing why a dev/watch/prod build fails on a newer Node. Covers the entry/output mapping, mix() versioning + manifest, the dev/watch/hot/prod script ladder, the Elixir heritage, and the legacy-OpenSSL flag. Not for application or Vue component logic — load when working on the asset pipeline itself or planning a Mix 5 → 6 upgrade.

swift-language

Swift 6 language baseline with Swift 5.10 / iOS 17 compatibility notes — strict concurrency (Sendable, actors, @MainActor, data-race safety), async/await + structured concurrency (TaskGroup, cancellation, continuations), optionals discipline (no force-unwrap outside tests), value-vs-reference decision rules, property-wrapper authoring, error handling (typed throws / Result). Use when writing or reviewing any .swift file, deciding actor vs @MainActor vs Sendable struct, unwrapping optionals, choosing struct vs class, or porting Swift 5.10 code onto the Swift 6 language mode. Not for SwiftUI view composition (see swiftui module) or iOS SDK frameworks (see ios-platform module).

swiftui-architecture

SwiftUI app architecture — MVVM + Coordinator pattern, Observation framework (@Observable view models, @Bindable in views, replacing ObservableObject/@Published on the iOS 17 floor), NavigationStack + type-safe NavigationPath routing owned by a coordinator, state-ownership rules (@State/@Binding/@Environment/@Bindable), Combine bridging for callback APIs, and UIKit interop (UIViewRepresentable, UIHostingController) for camera preview and background-blur masking. Use when building a SwiftUI screen, wiring a view model, adding navigation/routing, deciding which state-ownership property wrapper applies, or bridging a UIKit/Combine API into SwiftUI. Requires the swift module. Not for iOS SDK frameworks (ios-platform) or pure language questions (swift).

vue-2-notes

Vue 2 (^2.5.17, Options API era) component structure and the reactivity caveats that bite when mutating reactive state. Use when writing or reviewing .vue single-file components in a Vue 2 project (resources/assets/js), or in a codebase whose package.json pins vue ^2.5.x. Covers the data()/computed/methods/watch + lifecycle shape, props-down + $emit events-up, vue-loader SFC compilation, the Vue.set / array-mutation traps, and @vue/test-utils 1.x + vue-jest 3 SFC testing. Not for Vue 3 or 2.7 Composition API code — this version predates setup() and <script setup>; load when touching components, or planning a Vue 2 → 3 migration.

ios-icon-gen

Generate iOS/macOS asset-catalog imagesets (1x/2x/3x PNG + Contents.json) from SF Symbols (Apple-native, offline, macOS) or the Iconify API (275k+ open-source icons, online). Use when adding icons to an Xcode asset catalog, replacing placeholder glyphs, or searching for an icon that matches a project's style. Part of the xcode-tooling module; requires the swift module.

xcode-build-tooling

Xcode / SwiftLint / xcodebuild / Swift Package Manager tooling — SwiftLint rule-tier strategy and per-package .swiftlint.yml, xcodebuild -scheme/-destination build & test invocation vs swift build/swift test for SPM packages, scheme and code-signing notes for a no-iCloud capability set. Use when configuring SwiftLint, deciding how to build/test an iOS app or SPM package from the CLI, interpreting the module's post-edit SwiftLint hook or pre-commit build gate, or setting up CI build commands. Requires the swift module. This module also wires the post-edit-swiftlint.sh and pre-commit-swift-build.sh hooks.

swift-test-strategy

iOS test strategy across Swift Testing (@Test /

phpunit-batch-refactor

PHPUnit 5.7 批次重構工作流（已完成 Wave 1-5）：@test 移除、assertEquals→assertSame、方法命名標準化。適用場景：多個測試檔案同時進行批量改動。