deepsec

por vercel

Run DeepSec against a Vercel project checkout from dev3000. Use for one-click DeepSec setup, project context bootstrapping, bounded first-pass processing, and…

npx skills add https://github.com/vercel-labs/dev3000 --skill deepsec

DeepSec Dev3000 Runbook

Use this skill to turn the manual DeepSec workflow into a repeatable dev3000 run against the current Vercel project checkout.

Operating Policy

  • Work from the real project checkout at /workspace/repo.
  • Do not write AI credentials into .deepsec/.env.local or any tracked file. The dev3000 runtime passes AI Gateway credentials through the process environment.
  • Default dev3000 runs are a bounded first pass. Do not run an unbounded process or revalidate command unless the user explicitly asks for a full DeepSec scan in run-specific instructions.
  • Keep generated scan state in the locations DeepSec already gitignores. Commit only the durable setup/context files and human-readable findings report.
  • Treat DeepSec as a coding agent with shell access. Do not run it on untrusted source inputs.

Default Flow

  1. Inspect the project shape:
    • Read README.md if present.
    • Read AGENTS.md or CLAUDE.md if present.
    • Skim representative files for auth, middleware, request handlers, data access, billing, webhooks, and security-sensitive boundaries.
  2. Initialize DeepSec if needed:
    • If .deepsec/ is absent, run npx --yes deepsec@latest init.
    • If .deepsec/ already exists, do not force overwrite it.
  3. Install DeepSec workspace dependencies:
    • Run corepack pnpm install from .deepsec/.
    • Ensure the Claude Agent SDK native binary that DeepSec actually uses is available. Do not run a Claude Code postinstall; DeepSec uses @anthropic-ai/claude-agent-sdk.
    • If corepack pnpm is unavailable, run pnpm install only after confirming pnpm exists.
  4. Fill the generated project context:
    • Read .deepsec/node_modules/deepsec/SKILL.md.
    • Read .deepsec/data/<id>/SETUP.md.
    • Replace .deepsec/data/<id>/INFO.md with concise project-specific context.
    • Keep INFO.md to roughly 50-100 lines.
    • Use 3-5 examples per section. Name local primitives such as auth helpers, middleware, database clients, webhook handlers, and privileged APIs.
    • Do not include line numbers, generic CWE lists, or broad framework summaries.
  5. Run the scan:
    • Run corepack pnpm deepsec scan from .deepsec/.
  6. Run bounded AI processing:
    • Default command: corepack pnpm deepsec process --limit 25 --concurrency 2 --batch-size 3.
    • If the candidate set is below the limit, state that all discovered candidates were processed.
    • If the user explicitly requested a full run, use the requested limit/concurrency or omit --limit.
    • If the process command fails, stop and report the failure. Do not generate a manual fallback report from regex candidates.
  7. Generate the findings report:
    • Run corepack pnpm deepsec export --format md-dir --out ./findings.
    • If there are no findings, create .deepsec/findings/README.md summarizing that this bounded pass found no findings and include the exact commands that were run.
  8. Summarize the run:
    • Include commands run, project id, limit/concurrency, and whether the report contains findings.
    • Do not include a "Next Steps - Full Scan" section by default.
    • Only include a follow-up scan section if DeepSec reports unprocessed candidates or the user explicitly asked about deeper coverage. Label it "Optional Deeper Follow-Up" and explain exactly how it differs from the completed run.

Validation

  • Prefer DeepSec's own command output, corepack pnpm deepsec status, and generated finding files as validation.
  • Do not start a dev server or browser unless the user explicitly asks for visual/runtime verification.
  • Before finishing, check git diff --stat and make sure no secrets, node_modules, .env.local, or raw scan state are staged by accident.

Más skills de vercel

benchmark-sandbox
vercel
Ejecuta escenarios de evaluación de vercel-plugin en Vercel Sandboxes en lugar de paneles locales de WezTerm. Aprovisiona microVMs efímeras con Claude Code y el plugin preinstalado,…
official
emil-design-eng
vercel
Esta habilidad codifica la filosofía de Emil Kowalski sobre el pulido de la interfaz de usuario, el diseño de componentes, las decisiones de animación y los detalles invisibles que hacen que el software se sienta genial.
official
vercel-react-best-practices
vercel
Directrices de optimización de rendimiento para React y Next.js de Vercel Engineering. Esta habilidad debe usarse al escribir, revisar o refactorizar React/Next.js…
official
vercel-react-best-practices
vercel
Directrices de optimización de rendimiento para React y Next.js de Vercel Engineering. Esta habilidad debe usarse al escribir, revisar o refactorizar React/Next.js…
official
write-guide
vercel
Producir una guía técnica que enseñe un caso de uso del mundo real mediante ejemplos progresivos. Los conceptos se introducen solo cuando el lector los necesita.
official
release
vercel
Liberar vercel-plugin — ejecutar gates, aumentar versión, generar artefactos, commit y push. Usar cuando se pida "release", "ship", "bump and push" o "cut a release".
official
backport-pr
vercel
Backport a merged Next.js pull request from canary to a previous release branch such as next-16-2. Use when the user asks to backport, cherry-pick, or open a…
official
frontend-design
vercel
Crear interfaces frontend distintivas y de calidad de producción con un alto nivel de diseño. Usa esta habilidad cuando el usuario solicite construir componentes web, páginas, artefactos,…
official