Finapp
Open Finapp
Ai Workflow

Skills

On-demand guides for security review, TDD, Nuxt 4 patterns, and E2E testing.

What Are Skills

Skills are detailed guides that Claude loads on demand via slash commands. They provide checklists, code examples, and patterns for specific workflows. They live in .claude/skills/.

Available Skills

security-review

Invoke: /security-review

Comprehensive security checklist adapted for Supabase + PowerSync + Vue 3.

Sections:

  1. Secrets management - env vars, VITE_SUPABASE_URL, VITE_SUPABASE_ANON_KEY, VITE_POWERSYNC_URL
  2. Input validation - Zod (frontend) + Postgres constraints/RLS (server); no server-side business validators
  3. Auth & authorization - Supabase JWT / RLS, data isolation by userId, cookie security
  4. XSS prevention - v-html sanitization, Vue auto-escaping
  5. CSRF protection - Supabase JWT / RLS (no traditional CSRF), trustedOrigins, webhook secrets
  6. Sensitive data exposure - logging, error messages, Supabase/PowerSync query results
  7. Dependency security - pnpm audit
  8. Offline queue security - localStorage ops, frontend ID trust boundaries

Includes a pre-deployment checklist with all items to verify before production.

tdd-workflow

Invoke: /tdd-workflow

Test-driven development cycle with Vitest.

TDD Cycle:

  1. RED - Write a failing test with describe/it/expect
  2. GREEN - Minimal implementation to pass
  3. REFACTOR - Improve code, verify tests still pass

Includes:

  • Project test conventions (file location, structure)
  • Running tests: pnpm test, --run, --coverage
  • Mocking patterns for PowerSync, Pinia stores, localStorage
  • What to test vs what to skip
  • 80% coverage target on business logic

nuxt4-patterns

Invoke: /nuxt4-patterns

Nuxt 4 patterns adapted for Finapp's SPA mode.

Sections:

  • SPA mode notes - what applies and what doesn't with ssr: false
  • Data fetching - PowerSync watchTable + supabase-js (not useFetch), $fetch for external APIs
  • Lazy loading - Lazy prefix, v-if for deferred chunks, when to use/skip
  • Component organization - feature grouping, auto-imports, PascalCase
  • Composables - use prefix, shallowRef, computed for derived state
  • Pinia store pattern - shallowRef, immutable updates, debouncedPersist
  • Build optimization - manualChunks for heavy libs like echarts

e2e-testing

Invoke: /e2e-testing

Playwright E2E testing patterns (foundation for future implementation).

Sections:

  • Setup and configuration for port 3050
  • Page Object Model pattern
  • Test patterns for auth flow and transaction CRUD
  • Locator best practices (data-testid > CSS selectors)
  • SPA-specific waits (client render, PowerSync first sync)
  • Flaky test quarantine
  • Critical user journeys to cover (auth, transactions, wallets, categories, statistics, offline)

Agents

Specialized AI subagents for code review, TypeScript review, planning, and build fixing.

Troubleshooting

Known gotchas for the local Supabase+PowerSync dev setup and offline-first data layer.