ReddRadar
Agent skill
rbac-policy-tester
Creates comprehensive permission tests ensuring RBAC doesn't regress with test matrices, CI gating, and authorization coverage. Use for "RBAC testing", "permission tests", "authorization testing", or "access control tests".
Install this agent skill to your Project
npx add-skill https://github.com/patricio0312rev/skills/tree/main/security/rbac-policy-tester
SKILL.md
RBAC/Policy Tester
Comprehensive testing for role-based access control.
Permission Test Matrix
type Role = 'ADMIN' | 'MANAGER' | 'USER' | 'GUEST';
type Action = 'create' | 'read' | 'update' | 'delete';
type Resource = 'users' | 'orders' | 'reports';
const permissionMatrix: Record<Role, Record<Resource, Action[]>> = {
ADMIN: {
users: ['create', 'read', 'update', 'delete'],
orders: ['create', 'read', 'update', 'delete'],
reports: ['create', 'read', 'update', 'delete'],
},
MANAGER: {
users: ['read', 'update'],
orders: ['create', 'read', 'update'],
reports: ['read', 'update'],
},
USER: {
users: ['read'], // Only own profile
orders: ['create', 'read'], // Only own orders
reports: ['read'],
},
GUEST: {
users: [],
orders: [],
reports: ['read'],
},
};
describe('RBAC Tests', () => {
Object.entries(permissionMatrix).forEach(([role, resources]) => {
describe(\`Role: \${role}\`, () => {
Object.entries(resources).forEach(([resource, actions]) => {
actions.forEach(action => {
it(\`should allow \${action} on \${resource}\`, async () => {
const token = generateToken({ role });
await request(app)
.post(\`/api/\${resource}/\${action}\`)
.set('Authorization', \`Bearer \${token}\`)
.expect(200);
});
});
// Test forbidden actions
const allActions: Action[] = ['create', 'read', 'update', 'delete'];
const forbidden = allActions.filter(a => !actions.includes(a));
forbidden.forEach(action => {
it(\`should deny \${action} on \${resource}\`, async () => {
const token = generateToken({ role });
await request(app)
.post(\`/api/\${resource}/\${action}\`)
.set('Authorization', \`Bearer \${token}\`)
.expect(403);
});
});
});
});
});
});
Output Checklist
- Permission matrix defined
- Test suite for all roles
- Positive and negative tests
- CI gating enabled
- Coverage monitoring ENDFILE
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
patricio0312rev/skills
rate-limiting-abuse-protection
Implements rate limiting and abuse prevention with per-route policies, IP/user-based limits, sliding windows, safe error responses, and observability. Use when adding "rate limiting", "API protection", "abuse prevention", or "DDoS protection".
patricio0312rev/skills
rbac-permissions-builder
Implements role-based access control with permission matrix, route guards, policy functions, and UI permission hints. Provides middleware/guards, helper utilities, test suggestions, and permission checking patterns. Use when building "RBAC", "permissions", "access control", or "authorization".
patricio0312rev/skills
websocket-realtime-builder
Implements real-time features using WebSockets with Socket.io, rooms, authentication, and reconnection handling. Use when users request "real-time updates", "WebSocket", "Socket.io", "live chat", or "push notifications".
patricio0312rev/skills
webhook-receiver-hardener
Secures webhook receivers with signature verification, retry handling, deduplication, idempotency keys, and error responses. Provides verification code, dedupe storage strategy, runbook for incidents. Use when implementing "webhooks", "webhook security", "event receivers", or "third-party integrations".
patricio0312rev/skills
auth-module-builder
Implements secure authentication patterns including login/registration, session management, JWT tokens, password hashing, cookie settings, and CSRF protection. Provides auth routes, middleware, security configurations, and threat model documentation. Use when building "authentication", "login system", "JWT auth", or "session management".
patricio0312rev/skills
rest-to-graphql-migrator
Migrates REST APIs to GraphQL incrementally with schema stitching, REST datasources, and gradual endpoint migration. Use when users request "migrate to GraphQL", "REST to GraphQL", "GraphQL wrapper", or "API modernization".
Didn't find tool you were looking for?