v2.3.0 — Expanded Domains
What's New
5 new skills covering Phoenix development domains beyond core LiveView/Ecto:
- security-essentials — 7 RULES: atom exhaustion, SQL injection, XSS, open redirects, sensitive logging, timing attacks, dependency auditing
- deployment-gotchas — 7 RULES: runtime.exs, release migrations, PHX_HOST/PHX_SERVER, asset deployment, secrets, health endpoints, log levels
- phoenix-channels-essentials — 6 RULES: socket authentication, topic authorization, handle_in/push/broadcast, Presence, testing
- telemetry-essentials — 6 RULES: structured logging, handler attachment, Ecto telemetry events, LiveDashboard, metadata tagging
- phoenix-json-api — 7 RULES: :api pipeline, FallbackController, pagination, URL versioning, Bearer token auth, json/2
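Added example, not code from this release or its skill files: the socket-authentication and topic-authorization rules from phoenix-channels-essentials shown as a user socket and a room channel. `MyAppWeb`, the `"user socket"` token salt, and `MyApp.Rooms.member?/2` are placeholders assumed for the illustration.

```elixir
# Added example (not part of the release): socket authentication with a
# Phoenix.Token, then per-topic authorization in join/3.
defmodule MyAppWeb.UserSocket do
  use Phoenix.Socket

  channel "room:*", MyAppWeb.RoomChannel

  # Socket authentication: the client presents a token the server minted
  # with Phoenix.Token.sign/3 (for example into a <meta> tag at page render).
  # A missing, forged, or expired token refuses the connection, so an
  # unauthenticated client never reaches any channel's join/3.
  @impl true
  def connect(%{"token" => token}, socket, _connect_info) do
    case Phoenix.Token.verify(socket, "user socket", token, max_age: 86_400) do
      {:ok, user_id} -> {:ok, assign(socket, :user_id, user_id)}
      {:error, _reason} -> :error
    end
  end

  def connect(_params, _socket, _connect_info), do: :error

  # A named socket id lets the server drop every socket of a user on logout:
  #   MyAppWeb.Endpoint.broadcast("user_socket:#{user_id}", "disconnect", %{})
  @impl true
  def id(socket), do: "user_socket:#{socket.assigns.user_id}"
end

defmodule MyAppWeb.RoomChannel do
  use Phoenix.Channel

  # Topic authorization: being connected is not the same as being allowed
  # into room 42. The membership check runs on every join for the specific
  # room id in the topic. MyApp.Rooms.member?/2 is an assumed placeholder.
  @impl true
  def join("room:" <> room_id, _payload, socket) do
    if MyApp.Rooms.member?(room_id, socket.assigns.user_id) do
      {:ok, assign(socket, :room_id, room_id)}
    else
      {:error, %{reason: "unauthorized"}}
    end
  end

  # handle_in: the sender identity comes from the authenticated assigns,
  # never from a "user_id" the client puts in the payload. broadcast_from!/3
  # fans the message out to every other subscriber of this topic.
  @impl true
  def handle_in("new_msg", %{"body" => body}, socket) when is_binary(body) do
    broadcast_from!(socket, "new_msg", %{body: body, user_id: socket.assigns.user_id})
    {:reply, :ok, socket}
  end

  def handle_in("new_msg", _bad_payload, socket) do
    {:reply, {:error, %{reason: "bad payload"}}, socket}
  end
end
```

The second `connect/3` clause matters: without it, a client that omits `token` raises a FunctionClauseError instead of being refused cleanly, and the `max_age` keeps a leaked token from being replayable indefinitely.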
6 new security enforcement hooks:
| Hook | Type | What it catches |
|---|---|---|
| atom-from-user-input | Blocking | String.to_atom/1 — atom table exhaustion |
| unparameterized-sql-fragment | Blocking | String interpolation in Ecto fragment — SQL injection |
| unsafe-redirect | Blocking | Redirect to user-controlled URLs — open redirect |
| raw-html-warning | Warning | raw/1 usage — XSS risk |
| sensitive-logging | Warning | password/token/secret in Logger calls |
| timing-unsafe-compare | Warning | == with tokens/secrets — timing attacks |
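Added example, not code from this release or its hook scripts: the source pattern each of the six hooks flags, next to the hardened form the security-essentials skill steers toward. `MyApp.HookExamples`, the `"products"` table, and the parameter names are placeholders assumed for the illustration.

```elixir
# Added example (not part of the release): one unsafe/hardened pair per hook.
defmodule MyApp.HookExamples do
  import Ecto.Query
  import Phoenix.Controller, only: [redirect: 2]
  require Logger

  ## atom-from-user-input (Blocking)
  # Unsafe: every distinct value a client sends becomes a new atom, and atoms
  # are never garbage collected, so an attacker can exhaust the table and
  # crash the VM.
  def sort_direction_unsafe(param), do: String.to_atom(param)

  # Hardened: an explicit allowlist first, to_existing_atom/1 as the backstop.
  def sort_direction(param) when param in ~w(asc desc), do: String.to_existing_atom(param)
  def sort_direction(_), do: :asc

  ## unparameterized-sql-fragment (Blocking)
  # Unsafe (the hook flags it in source; current Ecto also rejects an
  # interpolated fragment literal at compile time):
  #   from(p in "products", where: fragment("name ILIKE '%#{term}%'"))
  # Hardened: `?` placeholders bind the value as a query parameter. Caveat:
  # `%` and `_` inside `term` still act as LIKE wildcards, which is a search
  # semantics issue rather than injection; escape them if that matters.
  def search_products(term) when is_binary(term) do
    pattern = "%" <> term <> "%"
    from(p in "products", where: fragment("? ILIKE ?", p.name, ^pattern), select: p.name)
  end

  ## unsafe-redirect (Blocking)
  # Unsafe: `external:` accepts any URL, so ?return_to=https://evil.example
  # turns the login flow into an open redirect for phishing.
  def after_login_unsafe(conn, params), do: redirect(conn, external: params["return_to"])

  # Hardened: only a same-site path. "//host" and "/\host" are refused because
  # browsers treat them as scheme-relative URLs; anything else falls back to
  # "/" instead of raising (Phoenix's `to:` raises on a non-local path).
  def after_login(conn, params), do: redirect(conn, to: local_path(params["return_to"]))

  def local_path("//" <> _), do: "/"
  def local_path("/\\" <> _), do: "/"
  def local_path("/" <> _ = path), do: path
  def local_path(_), do: "/"

  ## raw-html-warning (Warning)
  # Unsafe: raw/1 bypasses HEEx escaping, so a bio of "<script>..." executes.
  def bio_html_unsafe(bio), do: Phoenix.HTML.raw(bio)

  # Hardened: let the template engine escape (HEEx does for <%= @bio %>); when
  # building markup in code, escape explicitly. If users may legitimately
  # supply HTML, only an allowlist sanitizer makes raw/1 acceptable.
  def bio_html(bio), do: Phoenix.HTML.html_escape(bio)

  ## sensitive-logging (Warning)
  # Unsafe: the whole params map, password included, lands in the log.
  def log_login_unsafe(params), do: Logger.info("login attempt: #{inspect(params)}")

  # Hardened: log only what is needed and redact known-sensitive keys.
  @redact ~w(password password_confirmation token secret api_key)
  def log_login(params) do
    safe = Map.new(params, fn {k, v} -> {k, if(k in @redact, do: "[FILTERED]", else: v)} end)
    Logger.info("login attempt", params: safe)
  end

  ## timing-unsafe-compare (Warning)
  # Unsafe: == returns as soon as a byte differs, so response time leaks how
  # many leading bytes of the presented token were correct.
  def api_key_valid_unsafe?(presented, stored), do: presented == stored

  # Hardened: constant-time comparison. Hashing both sides first makes the
  # inputs fixed-length, so the length check inside secure_compare/2 reveals
  # nothing about the real key.
  def api_key_valid?(presented, stored) when is_binary(presented) and is_binary(stored) do
    Plug.Crypto.secure_compare(:crypto.hash(:sha256, presented), :crypto.hash(:sha256, stored))
  end
end
```

The Blocking hooks map to the three patterns whose exploitation is immediate (a crashed node, a query rewritten by the attacker, a redirect off-site); the Warning hooks cover patterns where context decides, which is why `raw/1` and `==` are flagged rather than refused.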
Other changes:
- SubagentStart rules expanded with Security, Channel, Telemetry, Deployment, and JSON API rule sets
- CLAUDE.md.template updated with invocation instructions for all 19 skills
- Skill count: 14 → 19 | Hook count: 21 → 27
See CHANGELOG.md for full details.
Install: See README.md for installation instructions.