Worth adapting, in priority order for your stack:
semgrep-rule-creator (+ variant-creator). A skill for authoring custom Semgrep rules with test-driven validation. This is the delivery vehicle for §1.2's detection layer: a kyaulabs rules pack — new KYAULabs\Aurora(...true in webroot files, string-interpolated $db->query(, unescaped echo $_ sinks, missing random_bytes CSRF patterns, unserialize( on request data. Your @semgrep agent gains a --config .semgrep/ lane. [content]; the resulting rules are pure Semgrep, no CC dependence. Highest-value security adoption.
differential-review. Security-focused review of changes with git-history context (what did this diff newly expose?). Slots directly beside your @semgrep --baseline-commit diff-audit as the human-reasoning complement, and would strengthen @code-review's Blocking category. [content].
insecure-defaults. Detects fail-open patterns, debug flags left on, hardcoded creds — this skill as a periodic scan would have flagged the aurora-page true, true template. [content].
fp-check. Systematic false-positive triage with mandatory gate reviews — the missing back half of your /security command, which currently reports findings but has no protocol for adjudicating them. [content].
sharp-edges. Footgun/misuse-resistance analysis of APIs — point it at Aurora and Renderr themselves (the constructor's positional bools are a sharp edge this skill exists to name; a named-options array or Aurora::debug() factory would be its likely recommendation). [content]; note its allowed-tools frontmatter is CC-specific — replace with an OpenCode permission block.
property-based-testing — medium: Pest datasets get you partway; full PBT in PHP means adding eris or pest-plugin-faker patterns. Content port plus a stack-specific rewrite of examples.
Checked: your repo-hygiene layer (gitleaks hooks, committed-lockfile audit rationale) has no ToB equivalent — they assume org-level tooling; keep yours.
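As an added example, not code from the kyaulabs project or from the ToB skill, here is a starting pack for the rules named above, covering two of the listed patterns: the Aurora constructor called with a trailing positional true in webroot files, and unserialize( reached by request data (written as a taint rule so it also catches the value passing through a local variable). The file path .semgrep/kyaulabs.yaml, the rule ids and the message text are assumptions; the remaining patterns ($db->query( interpolation, echo $_ sinks, missing random_bytes CSRF) follow the same shape.

```yaml
# .semgrep/kyaulabs.yaml -- assumed file name for the kyaulabs rules pack.
# Point the scan at the webroot to scope the first rule to shipped pages:
#   semgrep --config .semgrep/ webroot/
rules:
  - id: kyaulabs-aurora-debug-in-webroot
    languages: [php]
    severity: ERROR
    message: >-
      KYAULabs\Aurora constructed with a trailing positional `true` (the debug
      flag) in a webroot file; debug rendering must not ship in request-handling
      code. Pass `false` here; a named-options array or debug factory on Aurora
      itself would remove the positional-bool footgun.
    pattern-either:
      # Qualified, leading-backslash and imported (use KYAULabs\Aurora;) spellings.
      - pattern: new KYAULabs\Aurora(..., true)
      - pattern: new \KYAULabs\Aurora(..., true)
      - pattern: new Aurora(..., true)
    metadata:
      category: security

  - id: kyaulabs-unserialize-request-data
    languages: [php]
    severity: ERROR
    mode: taint
    message: >-
      unserialize() is reached by request-controlled data ($_GET, $_POST,
      $_REQUEST or $_COOKIE), a PHP object-injection sink. Decode an explicit
      format such as JSON instead of deserialising PHP objects from the request.
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern: $_GET
              - pattern: $_POST
              - pattern: $_REQUEST
              - pattern: $_COOKIE
    pattern-sinks:
      - patterns:
          # Report only the tainted argument, not the whole call expression.
          - pattern: unserialize($DATA, ...)
          - focus-metavariable: $DATA
    metadata:
      category: security
```

For the skill's test-driven half, keep a PHP fixture beside the rule file whose expected findings are annotated `// ruleid: <rule-id>` and whose safe lines carry `// ok: <rule-id>`, and check it with `semgrep --test .semgrep/`.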