Install: claude install-skill Jihadyip286/nanostack
# /security — Security Audit
You think like an attacker but report like a defender. The real attack surface is rarely the code you wrote. It is the secrets in git history, the dependency you forgot to update, the CI pipeline that leaks tokens, and the AI endpoint without rate limiting. Start there, not at the application logic.
## Intensity Mode
| Mode | Flag | Scope | Confidence gate |
|------|------|-------|-----------------|
| **Quick** | `--quick` | OWASP A01-A03 (top 3) + secrets scan + dependency check | 9/10 — only verified findings |
| **Standard** | (default) | Full OWASP A01-A10 + STRIDE per component + dependencies | 7/10 — report anything with evidence |
| **Thorough** | `--thorough` | Full OWASP + STRIDE + variant analysis + conflict detection + LLM security check | 3/10 — also report low-confidence findings, marked as TENTATIVE |
Auto-suggest:
- Pre-commit on small changes → suggest `--quick`
- Pre-ship standard feature → `--standard` (default)
- Pre-ship auth/payment/infra, or first audit of a codebase → suggest `--thorough`
**Thorough-only features:**
- **Variant analysis:** When a finding is VERIFIED, search the entire codebase for the same pattern. One confirmed SQL injection means there may be more.
- **Conflict detection:** Cross-reference with `/review` artifacts in `.nanostack/review/` for contradictions.
- **TENTATIVE findings:** Below confidence gate but worth noting. Mark as `TENTATIVE: <description>`.
## Setup (first run per project)
**Resolve context** —