deepsec

tarafından vercel

Run DeepSec against a Vercel project checkout from dev3000. Use for one-click DeepSec setup, project context bootstrapping, bounded first-pass processing, and…

npx skills add https://github.com/vercel-labs/dev3000 --skill deepsec

DeepSec Dev3000 Runbook

Use this skill to turn the manual DeepSec workflow into a repeatable dev3000 run against the current Vercel project checkout.

Operating Policy

  • Work from the real project checkout at /workspace/repo.
  • Do not write AI credentials into .deepsec/.env.local or any tracked file. The dev3000 runtime passes AI Gateway credentials through the process environment.
  • Default dev3000 runs are a bounded first pass. Do not run an unbounded process or revalidate command unless the user explicitly asks for a full DeepSec scan in run-specific instructions.
  • Keep generated scan state in the locations DeepSec already gitignores. Commit only the durable setup/context files and human-readable findings report.
  • Treat DeepSec as a coding agent with shell access. Do not run it on untrusted source inputs.

Default Flow

  1. Inspect the project shape:
    • Read README.md if present.
    • Read AGENTS.md or CLAUDE.md if present.
    • Skim representative files for auth, middleware, request handlers, data access, billing, webhooks, and security-sensitive boundaries.
  2. Initialize DeepSec if needed:
    • If .deepsec/ is absent, run npx --yes deepsec@latest init.
    • If .deepsec/ already exists, do not force overwrite it.
  3. Install DeepSec workspace dependencies:
    • Run corepack pnpm install from .deepsec/.
    • Ensure the Claude Agent SDK native binary that DeepSec actually uses is available. Do not run a Claude Code postinstall; DeepSec uses @anthropic-ai/claude-agent-sdk.
    • If corepack pnpm is unavailable, run pnpm install only after confirming pnpm exists.
  4. Fill the generated project context:
    • Read .deepsec/node_modules/deepsec/SKILL.md.
    • Read .deepsec/data/<id>/SETUP.md.
    • Replace .deepsec/data/<id>/INFO.md with concise project-specific context.
    • Keep INFO.md to roughly 50-100 lines.
    • Use 3-5 examples per section. Name local primitives such as auth helpers, middleware, database clients, webhook handlers, and privileged APIs.
    • Do not include line numbers, generic CWE lists, or broad framework summaries.
  5. Run the scan:
    • Run corepack pnpm deepsec scan from .deepsec/.
  6. Run bounded AI processing:
    • Default command: corepack pnpm deepsec process --limit 25 --concurrency 2 --batch-size 3.
    • If the candidate set is below the limit, state that all discovered candidates were processed.
    • If the user explicitly requested a full run, use the requested limit/concurrency or omit --limit.
    • If the process command fails, stop and report the failure. Do not generate a manual fallback report from regex candidates.
  7. Generate the findings report:
    • Run corepack pnpm deepsec export --format md-dir --out ./findings.
    • If there are no findings, create .deepsec/findings/README.md summarizing that this bounded pass found no findings and include the exact commands that were run.
  8. Summarize the run:
    • Include commands run, project id, limit/concurrency, and whether the report contains findings.
    • Do not include a "Next Steps - Full Scan" section by default.
    • Only include a follow-up scan section if DeepSec reports unprocessed candidates or the user explicitly asked about deeper coverage. Label it "Optional Deeper Follow-Up" and explain exactly how it differs from the completed run.

Validation

  • Prefer DeepSec's own command output, corepack pnpm deepsec status, and generated finding files as validation.
  • Do not start a dev server or browser unless the user explicitly asks for visual/runtime verification.
  • Before finishing, check git diff --stat and make sure no secrets, node_modules, .env.local, or raw scan state are staged by accident.

vercel tarafından daha fazla skill

benchmark-sandbox
vercel
Vercel Sandbox'larda vercel-plugin eval senaryolarını çalıştırır, yerel WezTerm panelleri yerine. Claude Code ve önceden yüklenmiş plugin ile geçici mikroVM'ler sağlar,…
official
emil-design-eng
vercel
Bu beceri, Emil Kowalski'nin UI cilası, bileşen tasarımı, animasyon kararları ve yazılımı harika hissettiren görünmez detaylar üzerine felsefesini kodlar.
official
vercel-react-best-practices
vercel
Vercel Mühendisliği'nden React ve Next.js performans optimizasyonu yönergeleri. Bu yetenek, React/Next.js yazarken, gözden geçirirken veya yeniden düzenlerken kullanılmalıdır…
official
vercel-react-best-practices
vercel
Vercel Mühendisliği'nden React ve Next.js performans optimizasyonu yönergeleri. Bu yetenek, React/Next.js yazarken, gözden geçirirken veya yeniden düzenlerken kullanılmalıdır…
official
write-guide
vercel
Gerçek dünya kullanım senaryosunu aşamalı örneklerle öğreten bir teknik rehber oluşturur. Kavramlar yalnızca okuyucunun ihtiyaç duyduğu anda tanıtılır.
official
release
vercel
Vercel eklentisini yayınla — gate’leri çalıştır, sürümü yükselt, yapıtlar oluştur, commit yap ve push’la. "Yayınla", "gönder", "yükselt ve push’la" veya "sürüm kes" dendiğinde kullan.
official
backport-pr
vercel
Backport a merged Next.js pull request from canary to a previous release branch such as next-16-2. Use when the user asks to backport, cherry-pick, or open a…
official
frontend-design
vercel
Ayırt edici, üretim kalitesinde ön yüz arayüzleri yüksek tasarım kalitesiyle oluşturun. Kullanıcı web bileşenleri, sayfalar, yapılar oluşturmayı istediğinde bu beceriyi kullanın.
official