v2.3.0 — Expanded Domains

@j-morgan6 j-morgan6 released this 26 Mar 17:14

What's New

5 new skills covering Phoenix development domains beyond core LiveView/Ecto:

  • security-essentials — 7 RULES: atom exhaustion, SQL injection, XSS, open redirects, sensitive logging, timing attacks, dependency auditing
  • deployment-gotchas — 7 RULES: runtime.exs, release migrations, PHX_HOST/PHX_SERVER, asset deployment, secrets, health endpoints, log levels
  • phoenix-channels-essentials — 6 RULES: socket authentication, topic authorization, handle_in/push/broadcast, Presence, testing
  • telemetry-essentials — 6 RULES: structured logging, handler attachment, Ecto telemetry events, LiveDashboard, metadata tagging
  • phoenix-json-api — 7 RULES: :api pipeline, FallbackController, pagination, URL versioning, Bearer token auth, json/2

6 new security enforcement hooks:

| Hook | Type | What it catches |
| --- | --- | --- |
| atom-from-user-input | Blocking | String.to_atom/1 — atom table exhaustion |
| unparameterized-sql-fragment | Blocking | String interpolation in Ecto fragment — SQL injection |
| unsafe-redirect | Blocking | Redirect to user-controlled URLs — open redirect |
| raw-html-warning | Warning | raw/1 usage — XSS risk |
| sensitive-logging | Warning | password/token/secret in Logger calls |
| timing-unsafe-compare | Warning | == with tokens/secrets — timing attacks |
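The following is an added illustration, not code from this release or from the project it packages, of the six patterns the hooks above (and the matching security-essentials rules) are looking for. Each function shows, in a comment, the form a hook would flag and then the idiomatic Phoenix/Elixir alternative. The module name, the MyApp.Post schema and the @allowed_sorts map are hypothetical; Ecto.Query.fragment/1, Phoenix.Controller.redirect/2, Phoenix.HTML.html_escape/1, Logger and Plug.Crypto.secure_compare/2 are the real library functions.

```elixir
# Added example (hypothetical module); pairs each flagged pattern with a safe form.
defmodule MyAppWeb.SecurityHookExamples do
  import Ecto.Query, only: [from: 2]
  require Logger

  ## atom-from-user-input
  # Flagged: String.to_atom(params["sort"])
  # Atoms are never garbage collected, so converting attacker-chosen strings
  # grows the atom table until the VM hits its limit. Map input to a fixed set
  # and fall back to a default for anything else.
  @allowed_sorts %{"name" => :name, "inserted_at" => :inserted_at}
  def sort_field(param), do: Map.get(@allowed_sorts, param, :inserted_at)

  ## unparameterized-sql-fragment
  # Flagged: fragment("name ILIKE '%#{term}%'") or Repo.query("... #{term} ...")
  # A pinned (^) value travels to the database as a bind parameter and is never
  # spliced into the SQL text, so the wildcard pattern can safely contain user input.
  def search_query(term) when is_binary(term) do
    pattern = "%" <> term <> "%"
    from p in MyApp.Post, where: fragment("? ILIKE ?", p.name, ^pattern)
  end

  ## unsafe-redirect
  # Flagged: redirect(conn, external: params["return_to"])
  # Accept only a same-site path. "//host/..." is protocol-relative and leaves
  # the site, so it is rejected along with anything not starting with "/".
  # Phoenix.Controller.redirect/2 with :to also raises on non-local values;
  # this function is the explicit guard placed in front of it.
  def safe_return_path(params) do
    case Map.get(params, "return_to") do
      "/" <> rest = path when binary_part(rest, 0, 1) not in ["/", "\\"] -> path
      _ -> "/"
    end
  end

  ## raw-html-warning
  # Flagged: raw(@comment.body) in a template
  # HEEx already escapes <%= @comment.body %>; html_escape/1 does the same for
  # strings assembled in Elixir. Reserve raw/1 for markup the application itself generated.
  def escaped_body(body), do: Phoenix.HTML.html_escape(body)

  ## sensitive-logging
  # Flagged: Logger.info("issued token #{token} for #{email}")
  # Log a stable identifier plus a short hash fingerprint, never the secret.
  # For request params, config :phoenix, :filter_parameters, ["password", "token", "secret"]
  # keeps the same values out of Plug's logged params.
  def log_token_issued(user_id, token) when is_binary(token) do
    fingerprint =
      :crypto.hash(:sha256, token)
      |> Base.encode16(case: :lower)
      |> binary_part(0, 8)

    Logger.info("issued token", user_id: user_id, token_fp: fingerprint)
    :ok
  end

  ## timing-unsafe-compare
  # Flagged: if presented == expected, do: ...
  # == returns as soon as a byte differs, so response time reveals how many
  # leading bytes matched. secure_compare/2 walks the full length every time.
  def valid_token?(presented, expected) when is_binary(presented) and is_binary(expected) do
    Plug.Crypto.secure_compare(presented, expected)
  end
end
```

The Blocking hooks correspond to the first three functions, where the unsafe form is directly exploitable; the Warning hooks correspond to the last three, where the safe form is a drop-in replacement that costs nothing to adopt.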

Other changes:

  • SubagentStart rules expanded with Security, Channel, Telemetry, Deployment, and JSON API rule sets
  • CLAUDE.md.template updated with invocation instructions for all 19 skills
  • Skill count: 14 → 19 | Hook count: 21 → 27

See CHANGELOG.md for full details.

Install: See README.md for installation instructions.