Security-first rules, skills, hooks, and agents for building safer applications from an AppSec perspective.
When generating or modifying code with AI assistance:
- Do not invent security APIs, package names, environment variables, permission names, or cloud policy fields. Verify against existing project usage or official documentation.
- Do not remove validation, authorization, escaping, CSRF checks, rate limits, audit logs, or secret redaction unless the user explicitly requests it and the replacement is safer.
- Preserve existing security tests. If changing behavior, update or add tests that prove the intended control still works.
- Mark uncertain security assumptions explicitly instead of silently coding around them.
- Do not add broad catch-all exception handlers that hide authentication, authorization, payment, or integrity failures.
- Keep generated examples non-sensitive. Never include real-looking tokens, keys, passwords, hostnames, customer data, or private URLs.
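As an added illustration of the catch-all handler rule (example code, not part of this rule set), the following shows a blanket `except Exception` that turns an authorization denial into a success-looking response, beside a handler that only catches the one expected transient error. All names (`AuthorizationError`, `authorize`, `charge_card`, the sample user and order dicts) are constructed for this example.

```python
# Added example: broad catch-all handler vs. a narrow one.
# Every name here is constructed for illustration.

AUDIT_LOG: list[str] = []


class AuthorizationError(Exception):
    """Raised when the caller may not perform the action."""


class TransientNetworkError(Exception):
    """Raised for a retryable failure from a downstream service."""


def authorize(user: dict, order: dict) -> None:
    # Constructed check: only the order's owner may pay for it.
    if user.get("id") != order.get("owner_id"):
        AUDIT_LOG.append(f"denied: user {user.get('id')} on order {order.get('id')}")
        raise AuthorizationError("user may not pay for this order")


def charge_card(order: dict) -> dict:
    # Stand-in for a payment call; no network access in this example.
    return {"status": "charged", "amount": order["amount"]}


def pay_unsafe(user: dict, order: dict) -> dict:
    # Anti-pattern: the blanket except swallows the AuthorizationError and
    # reports "queued", so callers and tests never see the denial.
    try:
        authorize(user, order)
        return charge_card(order)
    except Exception:
        return {"status": "queued"}


def pay_safe(user: dict, order: dict) -> dict:
    # Only the expected, retryable failure is handled here; an authorization
    # failure propagates so the caller (and its tests) must deal with it.
    try:
        authorize(user, order)
        return charge_card(order)
    except TransientNetworkError:
        return {"status": "retry"}
```

A test that proves the control still works asserts that `pay_safe` raises for a non-owner, which is exactly what the broad handler in `pay_unsafe` makes impossible to observe.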