playbooks

home / skills / ananddtyagi / cc-marketplace / data-safety-auditor

data-safety-auditor skill

/plugins/claude-dev-infrastructure/skills/data-safety-auditor

This skill performs a rigorous data safety audit for Vue 3 apps using Pinia and IndexedDB, delivering actionable fixes and test generation.

npx playbooks add skill ananddtyagi/cc-marketplace --skill data-safety-auditor

Review the files below or copy the command above to add this skill to your agents.

Files (11)
SKILL.md
6.2 KB
---
name: data-safety-auditor
emoji: "🛡️"
description: Comprehensive data safety auditor for Vue 3 + Pinia + IndexedDB + PouchDB applications. Detects data loss risks, sync issues, race conditions, and browser-specific vulnerabilities with actionable remediation guidance.
triggers:
  - "audit data safety"
  - "check data loss risks"
  - "data safety auditor"
  - "activate data-safety-auditor"
keywords:
  - data safety
  - data loss
  - IndexedDB
  - LocalForage
  - PouchDB
  - CouchDB
  - sync
  - persistence
  - Safari ITP
  - quota
  - backup
  - integrity
activation_count: 0
last_used: null
related_skills:
  - indexeddb-backup-debugger
  - comprehensive-system-analyzer
  - qa-testing
  - couchdb-cross-device-sync
---

# Data Safety Auditor

**Purpose**: Comprehensive audit tool that identifies data loss risks in Vue 3 + Pinia + IndexedDB + PouchDB applications with actionable remediation guidance.

## Philosophy

This skill provides **rigorous data safety analysis** with:
- **Zero tolerance for data loss** - Identifies every potential failure point
- **Complete coverage** - Storage, sync, hydration, integrity, testing
- **Evidence-based findings** - Code locations, patterns, severity
- **Actionable fixes** - Specific remediation with code examples
- **Test generation** - Creates missing safety tests

## What It Detects

### CRITICAL Risks (Deployment Blockers)
- `QUOTA_EXCEEDED` - Storage full, data can't save
- `SAFARI_ITP_EXPIRATION` - 7-day data loss on Safari
- `UNHANDLED_QUOTA_ERROR` - QuotaExceededError not caught
- `NO_CONFLICT_RESOLUTION` - PouchDB conflicts not handled
- `NON_ATOMIC_UPDATES` - Multi-item updates can partially fail

### HIGH Risks (Must Fix)
- `HYDRATION_RACE_CONDITION` - Pinia data loads after render
- `NO_SYNC_ERROR_HANDLING` - Sync failures silently fail
- `INCOMPLETE_SYNC_UNDETECTED` - Stranded data not detected
- `RACE_CONDITION_SAME_KEY` - Concurrent LocalForage writes
- `UNHANDLED_STORAGE_ERROR` - Storage calls have no try/catch

### MEDIUM Risks (Should Fix)
- `NO_CHECKSUM_VERIFICATION` - Data corruption undetected
- `NO_PRIVATE_MODE_HANDLING` - Private mode data loss unhandled
- `NO_PERSISTENT_STORAGE_REQUEST` - PWA not requesting persist
- `STORAGE_PARTITIONING_UNACCOUNTED` - iframe storage isolated
- `DRIVER_VALIDATION_MISSING` - LocalForage driver not checked

### LOW Risks (Consider Fixing)
- `NO_PERSISTENCE_TESTS` - Missing persistence test coverage
- `NO_OFFLINE_TESTS` - Offline sync not tested
- `MISSING_SAFARI_TESTS` - Safari-specific tests missing

## Detection Categories

### A. Browser-Specific Data Loss Vectors
- Storage quota limits and eviction policies per browser
- Safari ITP 7-day storage limitations
- Private/incognito mode behavior
- Storage partitioning impacts

### B. Storage-Specific Patterns
- LocalForage race conditions
- Concurrent write conflicts
- Driver fallback behavior
- Configuration issues

### C. Sync Patterns
- PouchDB/CouchDB conflict detection
- Network failure handling
- Incomplete sync detection
- Sync integrity verification

### D. Vue/Pinia Risks
- Hydration race conditions
- beforeRestore/afterRestore hooks
- Object reference breakage
- Multiple persistence sources

### E. Data Integrity Checks
- Schema validation on load
- Checksum verification
- Corruption detection
- Backup/recovery validation

### F. Testing & Compliance
- Persistence test coverage
- Quota failure tests
- OWASP compliance
- GDPR data integrity

## Usage

```javascript
const auditor = new DataSafetyAuditor();

// Full project audit
const report = await auditor.auditVueApp('./src');
console.log(report.toConsole());

// Targeted audits
const quotaFindings = await auditor.checkQuotaRisks(codeAST);
const itpFindings = await auditor.checkSafariCompat(codeAST);
const piniaFindings = await auditor.checkPiniaPersistence(piniaStore);
const syncFindings = await auditor.checkSyncIntegrity(pouchdbCode);

// Generate missing tests
const tests = await auditor.generateTestSuite();

// Get detailed remediation
const fixes = await auditor.suggestRemediations(findings);
```

## Report Formats

- **Console** - Colored, readable CLI output with severity indicators
- **JSON** - Machine-readable for CI/CD integration
- **Markdown** - Documentation and reports
- **HTML** - Interactive dashboard view

## Deployment Gate

The auditor enforces deployment gates:
- **CRITICAL findings** = Deployment blocked
- **HIGH findings** = Warning, recommend fixing
- **MEDIUM/LOW** = Information only

## When to Use

Use this skill when:
- Before deploying to production
- After adding new persistence features
- When debugging data loss issues
- During code review of storage code
- Setting up CI/CD quality gates
- Auditing third-party storage libraries

## Integration

### CI/CD Pipeline
```javascript
const report = await auditor.auditVueApp('./src');
if (report.hasBlockers()) {
  console.error('DEPLOYMENT BLOCKED: Critical data safety issues found');
  process.exit(1);
}
```

### Custom Rules
```javascript
auditor.rules.addRule('MUST_USE_ENCRYPTION', (code) => {
  if (code.includes('sensitive_data') && !code.includes('crypto.subtle')) {
    return { severity: 'CRITICAL', msg: 'Sensitive data must be encrypted' };
  }
});
```

---

## MANDATORY USER VERIFICATION REQUIREMENT

### Policy: No Safety Claims Without User Confirmation

**CRITICAL**: Before claiming ANY data safety issue is "fixed", "resolved", or "safe", the following verification protocol is MANDATORY:

#### Step 1: Technical Verification
- Run full audit with all detectors
- Verify no CRITICAL or HIGH findings
- Take screenshots/evidence of clean audit

#### Step 2: User Verification Request
**REQUIRED**: Use the `AskUserQuestion` tool to explicitly ask the user to verify:

```
"I've completed the data safety audit. Before confirming your app is safe, please verify:
1. [Specific storage operations to test]
2. [Sync scenarios to test]
3. [Browser-specific tests to run]

Please confirm the data persists correctly, or let me know what's failing."
```

#### Step 3: Wait for User Confirmation
- **DO NOT** claim app is "data safe" until user confirms
- **DO NOT** approve deployment without user verification
- **DO NOT** skip any CRITICAL finding verification

**Remember: The user is the final authority on data safety. No exceptions.**

Overview

This skill performs a comprehensive data safety audit for Vue 3 + Pinia apps using IndexedDB, LocalForage, and PouchDB, identifying risks that can cause data loss, sync failures, and browser-specific vulnerabilities. It produces evidence-based findings with code locations, severity levels, and actionable remediation guidance. It also generates missing safety tests and supports CI/CD gating to block unsafe deployments.

How this skill works

The auditor analyzes project source code and ASTs, inspects Pinia persistence hooks, LocalForage driver usage, and PouchDB sync patterns to surface race conditions, quota issues, and conflict gaps. It runs targeted detectors for browser-specific vectors (Safari ITP, private mode, partitioning), storage patterns (concurrent writes, driver fallbacks), sync integrity, and data integrity checks, then outputs findings in JSON, Markdown, console, or HTML formats. It can also generate test suites and remediation snippets tailored to each finding.

When to use it

  • Before deploying to production to prevent data-loss regressions
  • After adding or refactoring persistence, sync, or hydration logic
  • During code review of storage, sync, or Pinia persistence code
  • When debugging reproducible or intermittent data loss or sync inconsistencies
  • To enforce data-safety gates in CI/CD pipelines

Best practices

  • Run a full audit and fix all CRITICAL findings before deployment; the auditor treats CRITICAL as deployment blockers
  • Include generated persistence and offline tests in CI to detect regressions early
  • Validate LocalForage driver selection and wrap storage calls in try/catch with retries and backoff
  • Implement conflict resolution for PouchDB sync and verify incomplete sync detection and recovery paths
  • Perform browser-specific tests (Safari, private mode, storage partitioning) and enable quota-failure test cases

Example use cases

  • Full-project audit that lists QUOTA_EXCEEDED and NO_CONFLICT_RESOLUTION findings with remediation code examples
  • Targeted check for Pinia hydration race conditions and suggestions to move restores into beforeRestore/afterRestore hooks
  • PouchDB sync audit that detects missing conflict handlers and generates conflict-resolution templates
  • CI integration that blocks deploy when CRITICAL findings exist and outputs machine-readable JSON for pipelines
  • Auto-generation of persistence and quota-failure tests to add to the test suite

FAQ

Do I need to manually verify fixes before marking issues resolved?

Yes. Follow a verification protocol: run the full audit, confirm no CRITICAL or HIGH findings, capture evidence, and manually test the indicated storage and sync scenarios before declaring the app safe.

What report formats are available?

Console (readable CLI), JSON (CI-friendly), Markdown (docs), and interactive HTML dashboard.

Can I add custom checks?

Yes. You can register custom rules to detect project-specific safety requirements, including required encryption or special compliance checks.