Install: `claude install-skill RobertIlisei/MARVIN`
# Security audit
Deep-dive security review. Complementary to Claude Code's built-in
`/security-review` (fast, diff-scoped) and to the `pr-review` skill
(catches critical classes on every PR). Use this skill when:
- The diff materially touches security boundaries — auth, credential
handling, tool policy, shell execution, network egress, data
storage.
- The codebase is moving into production / public availability.
- Monthly / quarterly posture review.
- A specific concern ("I want to know whether our session-resume
flow is safe against replay") — scope with `--diff` or a
directory.
## Modes
- **Full audit** — all phases, all OWASP categories, STRIDE pass on
major components. Slow. Use when you have time and want coverage.
- **Diff-scoped** — only analyses changes in the current branch vs
the base. Fast. Use as a gate before merging security-sensitive
work.
- **Category-scoped** — `--owasp`, `--supply-chain`, `--infra`,
`--code`, `--skills`. Mutually exclusive. For targeted dives.
## Phase 1 — Secrets and credential hygiene
Go wide before going deep. Before any logic analysis, confirm the
repo doesn't leak secrets.
- `git log --all -p -S "-----BEGIN"` — look for committed private
keys in history, even if removed later.
- Grep for common key prefixes: `sk_`, `pk_`, `xoxb-`, `ghp_`,
`eyJ0eXAi` (base64 of a JWT header that begins `{"typ"`).
- `.env` files committed? Even empty files can leak path
assumptions.
- Hardcoded passwords, tokens, seeds for CSPRNGs.
- Debug flags (`DEBU
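
The Phase 1 checks above in script form, as an added example that is not part of the MARVIN skill. The function names, the 8-character minimum tail and the identifier-boundary rule are assumptions made here to cut false positives such as `task_id` matching `sk_`.

```shell
#!/usr/bin/env bash
# Added example: Phase 1 sweep of a working tree and of git history.
# Prefixes come from the list above. The boundary rule and the minimum
# tail length are assumptions, not vendor-documented token formats.

# A prefix only counts when it does not follow an identifier character,
# so `task_id` and `risk_score` are not reported for `sk_`.
SECRET_RE='(^|[^A-Za-z0-9_])(sk_|pk_|xoxb-|ghp_|eyJ0eXAi)[A-Za-z0-9_.-]{8,}|-----BEGIN [A-Z ]*PRIVATE KEY-----'

# scan_tree DIR: print "file:line" for each hit in the working tree.
# The matched text is cut away so the report never contains the secret.
scan_tree() {
  grep -rnIE --exclude-dir=.git -e "$SECRET_RE" "$1" 2>/dev/null | cut -d: -f1,2
}

# scan_history REPO: commits on any ref whose diff added or removed a PEM
# header, which also surfaces keys that a later commit deleted.
scan_history() {
  git -C "$1" log --all --date=short --format='%h %ad %s' -S "-----BEGIN"
}

# tracked_env REPO: .env files that are committed, at any depth.
# Empty ones are listed too, since the audit flags their presence.
tracked_env() {
  git -C "$1" ls-files | grep -E '(^|/)\.env(\.[^/]*)?$'
}

# Run all three checks when a repository path is given as an argument.
if [ "$#" -gt 0 ]; then
  echo "== working tree ==";   scan_tree "$1"
  echo "== history ==";        scan_history "$1"
  echo "== tracked .env ==";   tracked_env "$1" || true
fi
```

Every hit needs manual triage: a `pk_` value may be a publishable key by design, and a secret found in history stays exposed until it is rotated, whether or not the file was later removed.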