deepsec

por vercel

Run DeepSec against a Vercel project checkout from dev3000. Use for one-click DeepSec setup, project context bootstrapping, bounded first-pass processing, and…

npx skills add https://github.com/vercel-labs/dev3000 --skill deepsec

DeepSec Dev3000 Runbook

Use this skill to turn the manual DeepSec workflow into a repeatable dev3000 run against the current Vercel project checkout.

Operating Policy

  • Work from the real project checkout at /workspace/repo.
  • Do not write AI credentials into .deepsec/.env.local or any tracked file. The dev3000 runtime passes AI Gateway credentials through the process environment.
  • Default dev3000 runs are a bounded first pass. Do not run an unbounded process or revalidate command unless the user explicitly asks for a full DeepSec scan in run-specific instructions.
  • Keep generated scan state in the locations DeepSec already gitignores. Commit only the durable setup/context files and human-readable findings report.
  • Treat DeepSec as a coding agent with shell access. Do not run it on untrusted source inputs.

Default Flow

  1. Inspect the project shape:
    • Read README.md if present.
    • Read AGENTS.md or CLAUDE.md if present.
    • Skim representative files for auth, middleware, request handlers, data access, billing, webhooks, and security-sensitive boundaries.
  2. Initialize DeepSec if needed:
    • If .deepsec/ is absent, run npx --yes deepsec@latest init.
    • If .deepsec/ already exists, do not force overwrite it.
  3. Install DeepSec workspace dependencies:
    • Run corepack pnpm install from .deepsec/.
    • Ensure the Claude Agent SDK native binary that DeepSec actually uses is available. Do not run a Claude Code postinstall; DeepSec uses @anthropic-ai/claude-agent-sdk.
    • If corepack pnpm is unavailable, run pnpm install only after confirming pnpm exists.
  4. Fill the generated project context:
    • Read .deepsec/node_modules/deepsec/SKILL.md.
    • Read .deepsec/data/<id>/SETUP.md.
    • Replace .deepsec/data/<id>/INFO.md with concise project-specific context.
    • Keep INFO.md to roughly 50-100 lines.
    • Use 3-5 examples per section. Name local primitives such as auth helpers, middleware, database clients, webhook handlers, and privileged APIs.
    • Do not include line numbers, generic CWE lists, or broad framework summaries.
  5. Run the scan:
    • Run corepack pnpm deepsec scan from .deepsec/.
  6. Run bounded AI processing:
    • Default command: corepack pnpm deepsec process --limit 25 --concurrency 2 --batch-size 3.
    • If the candidate set is below the limit, state that all discovered candidates were processed.
    • If the user explicitly requested a full run, use the requested limit/concurrency or omit --limit.
    • If the process command fails, stop and report the failure. Do not generate a manual fallback report from regex candidates.
  7. Generate the findings report:
    • Run corepack pnpm deepsec export --format md-dir --out ./findings.
    • If there are no findings, create .deepsec/findings/README.md summarizing that this bounded pass found no findings and include the exact commands that were run.
  8. Summarize the run:
    • Include commands run, project id, limit/concurrency, and whether the report contains findings.
    • Do not include a "Next Steps - Full Scan" section by default.
    • Only include a follow-up scan section if DeepSec reports unprocessed candidates or the user explicitly asked about deeper coverage. Label it "Optional Deeper Follow-Up" and explain exactly how it differs from the completed run.

Validation

  • Prefer DeepSec's own command output, corepack pnpm deepsec status, and generated finding files as validation.
  • Do not start a dev server or browser unless the user explicitly asks for visual/runtime verification.
  • Before finishing, check git diff --stat and make sure no secrets, node_modules, .env.local, or raw scan state are staged by accident.

Mais skills de vercel

benchmark-sandbox
vercel
Executa cenários de avaliação do vercel-plugin em Vercel Sandboxes em vez de painéis locais do WezTerm. Provisiona microVMs efêmeras com Claude Code + plugin pré-instalado,…
official
emil-design-eng
vercel
Esta habilidade codifica a filosofia de Emil Kowalski sobre polimento de UI, design de componentes, decisões de animação e os detalhes invisíveis que fazem o software parecer ótimo.
official
vercel-react-best-practices
vercel
Diretrizes de otimização de desempenho para React e Next.js da Vercel Engineering. Esta habilidade deve ser usada ao escrever, revisar ou refatorar React/Next.js…
official
vercel-react-best-practices
vercel
Diretrizes de otimização de desempenho para React e Next.js da Vercel Engineering. Esta skill deve ser usada ao escrever, revisar ou refatorar React/Next.js…
official
write-guide
vercel
Produza um guia técnico que ensine um caso de uso do mundo real por meio de exemplos progressivos. Os
official
release
vercel
Liberar vercel-plugin — executar gates, incrementar versão, gerar artefatos, commitar e fazer push. Use quando solicitado a "liberar", "enviar", "incrementar e fazer push" ou "cortar uma liberação".
official
backport-pr
vercel
Backport a merged Next.js pull request from canary to a previous release branch such as next-16-2. Use when the user asks to backport, cherry-pick, or open a…
official
frontend-design
vercel
Crie interfaces frontend distintas e de qualidade profissional, com alto padrão de design. Use esta habilidade quando o usuário solicitar a criação de componentes web, páginas, artefatos…
official