
authz-review

Use when reviewing authorization end-to-end — route → gate → policy → query scope → response filter — before changes to permissions, tenants, ownership, or admin flows.
event4u-app/agent-config · ★ 7 · AI & Automation · score 84
Install: claude install-skill event4u-app/agent-config
# authz-review

> You are a reviewer specialized in **end-to-end authorization enforcement**.
> Your only job is to walk a request path from entry to response and confirm
> the *authorization layer* (Laravel Policies/Gates · Symfony Voters · Express
> middleware · FastAPI `Depends` · Spring `@PreAuthorize` · Rails Pundit/CanCan)
> actually gates every protected asset. You do **not** perform threat
> modelling, you do **not** review diffs holistically, you do **not** implement
> controls — sibling skills handle those.

## When to use

* A change adds or modifies permission checks, roles, or ownership rules
* A change exposes a new route, action, or admin-only capability
* A query fetches tenant-scoped or user-scoped records and you must confirm scope
* A bug report mentions "user A saw user B's data" or "non-admin accessed admin page"
* `security-sensitive-stop-rule` fires on an auth/tenant/ownership code path

Do NOT use when:

* The change has no trust boundary crossing — skip entirely
* You need a pre-implementation risk model — route to [`threat-modeling`](../threat-modeling/SKILL.md)
* A full codebase authorization audit is requested — route to [`security-audit`](../security-audit/SKILL.md)
* The concern is a diff ready for review — route to [`judge-security-auditor`](../judge-security-auditor/SKILL.md)
* The concern is response/log leakage rather than access gating — route to [`data-exposure-review`](../data-exposure-review/SKILL.md)
* The concern is implementing
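The walk the skill prompt describes (route → gate → policy → query scope → response filter) is easiest to see on a concrete handler. The following is an added example written for this page, not code from the event4u-app/agent-config repository; it uses framework-agnostic plain Python rather than any of the frameworks the prompt names, and the `User`, `Invoice` records, the invoice store and the two handlers are all constructed. It places a handler that only has the route gate beside one where every layer is present, and a small `walk` helper reports the outcome of a single request the way a reviewer records it.

```python
# Added illustration of the gate -> scope -> policy -> filter chain that an
# authz review walks. Example code for this page, not part of the
# event4u-app/agent-config project; all data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    tenant_id: int
    role: str  # "admin" or "member"


@dataclass(frozen=True)
class Invoice:
    id: int
    tenant_id: int
    owner_id: int
    amount: int
    internal_note: str  # admin-only field; must not reach members


# Constructed sample store: one invoice in each of two tenants.
INVOICES = {
    1: Invoice(id=1, tenant_id=10, owner_id=100, amount=50, internal_note="discount approved"),
    2: Invoice(id=2, tenant_id=20, owner_id=200, amount=75, internal_note="flagged for audit"),
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def gate(user: User, allowed_roles: set) -> None:
    """Route-level gate: may this role reach the action at all?"""
    if user.role not in allowed_roles:
        raise Forbidden("role not allowed on this route")


def can_view(user: User, invoice: Invoice) -> bool:
    """Object-level policy: same tenant, and either the owner or a tenant admin."""
    same_tenant = invoice.tenant_id == user.tenant_id
    return same_tenant and (user.role == "admin" or invoice.owner_id == user.id)


def scoped_invoice(user: User, invoice_id: int) -> Invoice:
    """Query scope: records outside the caller's tenant do not exist for them."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.tenant_id != user.tenant_id:
        raise NotFound("no such invoice in this tenant")
    return invoice


def serialize(user: User, invoice: Invoice) -> dict:
    """Response filter: admin-only fields are emitted only for admins."""
    data = {"id": invoice.id, "amount": invoice.amount}
    if user.role == "admin":
        data["internal_note"] = invoice.internal_note
    return data


def show_invoice_gate_only(user: User, invoice_id: int) -> dict:
    """The shape a review flags: the gate is present, but the lookup is by raw
    id with no tenant scope, no object policy runs, and the whole record is
    returned. A member of one tenant can read another tenant's invoice."""
    gate(user, {"admin", "member"})
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound("no such invoice")
    return {"id": invoice.id, "amount": invoice.amount, "internal_note": invoice.internal_note}


def show_invoice(user: User, invoice_id: int) -> dict:
    """Every layer present: gate -> query scope -> policy -> response filter."""
    gate(user, {"admin", "member"})
    invoice = scoped_invoice(user, invoice_id)
    if not can_view(user, invoice):
        raise Forbidden("policy denied")
    return serialize(user, invoice)


def walk(handler, user: User, invoice_id: int) -> str:
    """Drive a handler with one request and name the outcome the way the review
    records it: 'forbidden', 'not_found', or 'ok:' followed by the field names
    that reached the response, so the filter layer is visible too."""
    try:
        data = handler(user, invoice_id)
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"
    return "ok:" + ",".join(sorted(data))


if __name__ == "__main__":
    member_t10 = User(id=100, tenant_id=10, role="member")
    print("cross-tenant read, gate only:", walk(show_invoice_gate_only, member_t10, 2))
    print("cross-tenant read, full chain:", walk(show_invoice, member_t10, 2))
```

The point of the comparison is that a green route gate says nothing about the layers after it: the gate-only handler admits the cross-tenant read and returns the admin-only field, while the full chain answers the same request with a tenant-scoped not-found, denies a same-tenant non-owner at the policy step, and strips `internal_note` for members at the response filter. A review that stops at the gate misses all three.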