security-and-hardening
A threat-model-first workflow for hardening user input, auth, data, and external integrations.
30-Second Summary
This skill makes security a design constraint rather than a final checklist.
It maps trust boundaries, names assets, runs STRIDE-style questions, and sorts rules into three categories: always, ask-first, and never.
Use it before an agent changes auth, data storage, external integrations, or any user-controlled surface.
1-Minute Read
What it is
A SKILL.md workflow for threat modeling and hardening web application changes. It covers trust boundaries, abuse cases, input validation, access control, dependency hygiene, secrets, and AI-specific risks.
When to use it
Use it for features involving user input, authentication, authorization, sensitive data, file uploads, webhooks, third-party APIs, payments, or LLM tool surfaces. It is also useful before work on a production DB or on permissions.
How to test it first
Ask the agent to list trust boundaries and one abuse case for a planned feature before editing code. Then require the implementation or review notes to map each abuse case to a concrete control.
Watch out
It is a review and hardening workflow, not permission to run dangerous changes. Keep secret handling, production writes, auth changes, and elevated grants behind explicit human approval.