

Mine review artifacts for recurring patterns and write project learnings.

Use when planning security-sensitive features — authentication, authorization, data handling, API design, cryptography, or network configuration — requires explicit threat modeling before implementation decisions are made

Use when receiving code review feedback, before implementing suggestions, especially if feedback seems unclear or technically questionable — requires technical rigor and verification, not performative agreement or blind implementation

Pre-commit secrets detection with pattern-based scanning for API keys, tokens, passwords, private keys, and connection strings. Self-contained — no external tools required.

Execute an approved plan using unattended implementation and validation with worktree isolation.

Deep semantic security review of code changes with data flow tracing, taint analysis, and trust boundary validation. Composable building block invoked by /audit when deployed.

Supply chain security audit — coordinates real CLI vulnerability scanners (npm audit, pip-audit, govulncheck, cargo audit, etc.) and synthesizes findings with license compliance and risk assessment.

Validate codebase against code-level compliance signals for regulatory frameworks (FedRAMP, FIPS, OWASP, SOC 2). Scoped to source code analysis only — not a compliance certification.

Use when about to claim work is complete, before committing or creating PRs — requires fresh verification evidence before any completion claim. Triggers on phrases like "done", "finished", "ready to commit", "all tests pass", "looks good", "should work", "I think that's it".