security

Featured

OWASP security patterns, secrets management, security testing

Category: Code & Development · 694 stars · 57 forks · Updated today · MIT license


Quality Score: 98/100

| Factor | Weight | Score |
|---------------|--------|-------|
| Stars | 20% | 95 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Security Skill

Security best practices and automated security testing for all projects.

---

## Core Principle

**Security is not optional.** Every project must pass security checks before merge. Assume all input is malicious, all secrets will leak if committed, and all dependencies have vulnerabilities.

---

## Required Security Setup

### 1. Gitignore (Non-Negotiable)

Every project must have these in `.gitignore`:

```gitignore
# Environment files - NEVER commit
.env
.env.*
!.env.example

# Secrets
*.pem
*.key
*.p12
*.pfx
credentials.json
secrets.json
*-credentials.json
service-account*.json

# IDE and OS
.idea/
.vscode/settings.json
.DS_Store
Thumbs.db

# Dependencies
node_modules/
__pycache__/
*.pyc
.venv/
venv/

# Build outputs
dist/
build/
*.egg-info/

# Logs that might contain sensitive data
*.log
logs/
```

### 2. Environment Variables

**Create `.env.example`** with all required vars (no values):

```bash
# .env.example - Copy to .env and fill in values

# Server-side only (NEVER prefix with VITE_ or NEXT_PUBLIC_)
DATABASE_URL=
ANTHROPIC_API_KEY=
SUPABASE_SERVICE_ROLE_KEY=

# Client-side safe (public, non-sensitive)
VITE_SUPABASE_URL=
VITE_SUPABASE_ANON_KEY=
```

### Frontend Environment Variables (Critical!)

**NEVER put secrets in client-exposed env vars:**

| Framework | Client-Exposed Prefix | Server-Only |
|-----------|----------------------|-------------|
| Vite | `VITE_*` | No prefix |
| Next.js | `NEXT_PUBLIC_*` | No prefix |
| Create React App | `REACT...
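The two rules above (`.env.example` lists names only; nothing secret goes under a client-exposed prefix) and the required `.gitignore` entries are easy to enforce mechanically before merge. The following is an added example, not code from the skill or the `alinaqi/maggy` repository: a small Python pre-merge check that parses an `.env`-style file, flags any variable that still carries a value, flags secret-looking names under the `VITE_` / `NEXT_PUBLIC_` prefixes from the table, and reports which required `.gitignore` patterns are missing. The function names, the `SECRET_MARKERS` list and the sample inputs are my own choices; `CLIENT_PREFIXES` covers only the two frameworks the table lists in full, and `REQUIRED_IGNORES` is a subset of the skill's list.

```python
"""Pre-merge checks for .env.example and .gitignore hygiene.

Added example (not the skill's own code). Scans an .env-style text for
(a) variables that carry values, which a committed .env.example must not,
and (b) secret-looking names under a client-exposed prefix, and checks a
.gitignore text for a required set of patterns.
"""
import re

# Client-exposed prefixes from the framework table above. Assumption: only
# Vite and Next.js are covered here; add other frameworks' prefixes as needed.
CLIENT_PREFIXES = ("VITE_", "NEXT_PUBLIC_")

# Name fragments that mark a server-only credential (my own list). Bare "KEY"
# is deliberately absent: VITE_SUPABASE_ANON_KEY is a legitimately public key.
SECRET_MARKERS = ("SERVICE_ROLE", "SECRET", "PRIVATE", "PASSWORD", "PASSWD",
                  "TOKEN", "DATABASE_URL", "API_KEY")

# Subset of the .gitignore entries the skill requires.
REQUIRED_IGNORES = (".env", ".env.*", "!.env.example", "*.pem", "*.key",
                    "credentials.json", "service-account*.json", "*.log")

_ASSIGN = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_env(text):
    """Return {NAME: value} for KEY=VALUE lines; comments and blanks skipped.
    Matching surrounding quotes are stripped so "" and '' count as empty."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[name] = value
    return env


def is_client_exposed(name):
    """True if the bundler would inline this variable into browser code."""
    return name.startswith(CLIENT_PREFIXES)


def looks_secret(name):
    """True if the variable name suggests a server-only credential."""
    upper = name.upper()
    return any(marker in upper for marker in SECRET_MARKERS)


def check_env_example(text):
    """Findings for a committed .env.example (empty list means clean)."""
    findings = []
    for name, value in parse_env(text).items():
        if value:
            findings.append(f"{name}: .env.example must not contain a value")
        if is_client_exposed(name) and looks_secret(name):
            findings.append(f"{name}: secret-looking name under a client-exposed "
                            f"prefix; the bundler will ship it to browsers")
    return findings


def check_gitignore(text):
    """Return the required .gitignore patterns that are missing."""
    present = {ln.strip() for ln in text.splitlines()
               if ln.strip() and not ln.strip().startswith("#")}
    return [p for p in REQUIRED_IGNORES if p not in present]


# Constructed sample inputs for a stand-alone run (not from any real project).
SAMPLE_ENV_EXAMPLE = """\
# .env.example
DATABASE_URL=
ANTHROPIC_API_KEY=""
VITE_SUPABASE_URL=
VITE_SUPABASE_ANON_KEY=
VITE_SUPABASE_SERVICE_ROLE_KEY=
NEXT_PUBLIC_STRIPE_SECRET=sk_live_placeholder
"""

SAMPLE_GITIGNORE = """\
.env
.env.*
node_modules/
*.pem
"""

if __name__ == "__main__":
    for finding in check_env_example(SAMPLE_ENV_EXAMPLE):
        print("env:", finding)
    for pattern in check_gitignore(SAMPLE_GITIGNORE):
        print("gitignore missing:", pattern)
```

On the constructed sample this reports three environment findings (the service-role key under `VITE_`, and the `NEXT_PUBLIC_` variable both for carrying a value and for its secret-looking name) and five missing `.gitignore` patterns. The marker list is name-based on purpose: the value in `.env.example` is supposed to be empty, so the name is the only signal available at review time, and a prefix that the bundler inlines is what turns a naming slip into a leaked credential.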

Details

Author: alinaqi
Repository: alinaqi/maggy
Created: 5 months ago
Last Updated: today
Language: Python
License: MIT
