security-audit

> Agent for `salesforce-code-analyzer-orchestrator-agent`. Reviews and triages Salesforce Code Analyzer findings across Apex, LWC, and dependency layers to enforce pre-deployment security gates.

> Agent for `salesforce-compliance-privacy-agent`. Adversarial reviewer for > privacy, consent, retention, audit controls, regulated data, and > SOX/GDPR/HIPAA/PCI considerations within Salesforce — covers Salesforce > Shield, Event Monitoring, Field Audit Trail, and Shield…

> Agent for `salesforce-hyperforce-security-agent`. Reviews Hyperforce deployment security posture, data residency commitments, shared responsibility boundaries, and edge network hardening controls.

> Maestro agent for the Salesforce domain. Classifies an incoming Salesforce > matter, routes it to the right Salesforce specialist agent(s), and coordinates > cross-functional review with Compliance, Privacy, Security, Architecture, and > business stakeholders. Classification…

> Agent for `salesforce-network-policy-architect-agent`. Reviews Salesforce org-level network security policies, IP allowlisting, session settings, and CSP Trusted Sites configuration.

> Agent for `salesforce-security-identity-access-agent`. Adversarial security reviewer for Salesforce identity and access management — profiles, permission sets, permission set groups, roles, sharing, OWD, SSO, MFA, connected apps, OAuth scopes, session policies, and privileged…

> Agent for `salesforce-session-governance-agent`. Reviews Salesforce session security settings, High Assurance session requirements, OAuth session policies, Connected App session controls, and session hijacking risks from long-lived tokens.

Use this skill when reviewing Azure Key Vault certificate issuer configurations for cert-manager on AKS. Trigger on any request to audit Key Vault certificate policies, Managed Identity role assignments, exportability settings, private endpoint connectivity, integrated CA…

Guard live AKS deployment rollouts with PDB audit, maxUnavailable/surge validation, rollout pause/undo gates, and post-rollout health verification.

Guard live App Service slot swaps with sticky-settings audit, warmup probe verification, swap-with-preview staging, and instant rollback posture.

Guard live permanent Microsoft Entra ID and Azure RBAC role assignments with scope audit, principal-type risk classification, dangerous-role detection, and explicit approval gates before write. Use only when a direct (non-PIM) role assignment is intentionally requested against a…

Review and harden Azure platform or workload posture using operator-grade controls:

Review Azure workload security posture against the Well-Architected Framework Security pillar: identity and access, network boundaries, data protection, threat detection, DevSecOps maturity, and policy compliance.

This skill reviews Salesforce Agentforce and AI agent configurations for model-risk controls, grounding quality, retrieval scope, action allowlist safety, human handoff design, hallucination containment, prompt injection surface, autonomous action boundaries, and audit logging.…

This skill conducts a structured security audit of Salesforce infrastructure controls — network access policies, session security settings, sandbox isolation, Hyperforce deployment configuration, and CSP Trusted Sites. It produces a tiered risk register of findings without…

This skill reviews pasted or exported Salesforce metadata for quality, maintainability, security, and compliance indicators. It flags over-customization, unused fields, hardcoded IDs, and deprecated metadata types, and produces a structured findings report. It does not access…

Executes read-only SOQL queries against a connected Salesforce org via the sf data query CLI under T1 least-privilege scope (api + refresh_token only, Run As service account with no ModifyAllData/ViewAllData/ViewEncryptedData). Returns sanitized JSON with a structured audit…

> Live-guard agent for Contabo Object Storage and S3-compatible bucket operations: inventory audit, access policy review, retention policy enforcement, and deletion with backup verification before any destructive mutation.

> Router agent that classifies Contabo tasks and delegates to the narrowest specialist for cost analysis, capacity planning, security hardening, or live-guard operations.

> Advisory agent for Contabo security posture: SSH key management via secret IDs, default user policy review, firewall configuration, OAuth2 credential hygiene, and x-request-id traceability enforcement.

> Agent for `dotnet-aspnetcore-identity-authz-review`. Statically reviews ASP.NET Core authentication, authorization, identity boundaries, JWT token validation, cookie and session security, and multi-tenant isolation — reading source and sanitized configuration only.

> Router agent that classifies IONOS Cloud tasks and delegates to the narrowest specialist for DCD topology, security compliance, Kubernetes, cost optimization, or database lifecycle operations.

> Agent for `kubernetes-pod-security-admission-review`. Review Pod Security Admission namespace labels — enforce/audit/warn modes, privileged/baseline/restricted profiles, version pinning, cluster AdmissionConfiguration defaults, and migration from deprecated PodSecurityPolicy.

> Agent for `nvidia-agentic-ai-platform-review`. Review agentic-AI platforms on the NVIDIA stack per NCP-AAI — NeMo Agent Toolkit, signed tool definitions, tool-call sandbox and approval gates, agent memory partitioning, audit logging.

> Advisory agent for OVHcloud Managed Kubernetes (MCK) lifecycle, node pool configuration, upgrade planning, workload placement, and cluster security posture.