Install: claude install-skill joeldevz/skynex
# Security Review — Dual-Judge Protocol
> **SUBAGENT-STOP gate**: if you are running as a subagent invoked by another subagent, STOP. Return `status: blocked` with reason `nested-subagent-loop-detected`. This skill must be invoked by the orchestrator or top-level agent only.

The orchestrator NEVER reviews security itself. It launches two independent `security` judge
sub-agents in parallel, synthesizes their findings, and iterates until the code is clean.
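
The control flow described above (gate, two parallel judges with identical inputs, synthesis, iteration until clean) as an added sketch that is not the skill's own code. The depth model for the gate, the merge rule in `synthesize`, the round cap with its `max-rounds-exceeded` reason, and the stand-in judges and file names are all assumptions constructed for illustration.

```python
import asyncio

BLOCKED = {"status": "blocked", "reason": "nested-subagent-loop-detected"}

def synthesize(a, b):
    """Assumed merge rule: union of (file, issue) pairs; 'confirmed' when both judges agree."""
    both = set(a) & set(b)
    return [{"file": f, "issue": i, "confirmed": (f, i) in both}
            for f, i in sorted(set(a) | set(b))]

async def security_review(judges, target_files, project_root, apply_fixes,
                          subagent_depth=0, max_rounds=5):
    # SUBAGENT-STOP gate. Assumed depth model: 0 = orchestrator/top-level,
    # 1 = subagent, 2+ = subagent invoked by another subagent.
    if subagent_depth >= 2:
        return dict(BLOCKED)
    judge_a, judge_b = judges
    for round_no in range(1, max_rounds + 1):
        # Identical inputs, launched together; neither judge sees the other's output.
        a, b = await asyncio.gather(judge_a(tuple(target_files), project_root),
                                    judge_b(tuple(target_files), project_root))
        findings = synthesize(a, b)
        if not findings:
            return {"status": "clean", "rounds": round_no}
        apply_fixes(findings)
    # The round cap and this reason string are assumptions, not from the page.
    return {"status": "blocked", "reason": "max-rounds-exceeded", "findings": findings}

def demo(subagent_depth=0):
    # Constructed sample state: open issues per file in a pretend working tree.
    open_issues = {("api/login.py", "sql-injection"), ("api/upload.py", "path-traversal")}

    async def judge_a(files, root):   # stand-in judge: reports everything still open
        return [(f, i) for f, i in open_issues if f in files]
    async def judge_b(files, root):   # stand-in judge: misses the upload issue
        return [(f, i) for f, i in open_issues if f in files and i != "path-traversal"]

    seen = []
    def apply_fixes(findings):        # stand-in for the fix step between rounds
        seen.append(findings)
        for item in findings:
            open_issues.discard((item["file"], item["issue"]))

    files = ["api/login.py", "api/upload.py"]
    result = asyncio.run(security_review((judge_a, judge_b), files, "/tmp/project",
                                         apply_fixes, subagent_depth))
    return result, seen

if __name__ == "__main__":
    print(demo())
```

A finding reported by only one judge still blocks the round here; the `confirmed` flag records agreement without letting disagreement drop the finding.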
## Anti-rationalization table (judges must reject these excuses)
| Excuse | Reality |
|-------------------------------------------------|--------------------------------------------------|
| "It's just a demo, security can wait" | Demos leak. Flag it. |
| "The framework handles it" | Verify the framework actually handles THIS case. |
| "It's behind auth, no risk" | Auth can be bypassed. Defense in depth. |
| "I'll add validation later" | Now or `status: blocked`. |
| "Tests don't cover this so it's not critical" | Lack of tests is a finding, not an excuse. |
## Phase 1 — Launch both judges in parallel
Launch two Task calls simultaneously to the `security` agent with identical inputs:
- `target_files`: all files modified during the plan
- `project_root`: working directory
- Inject `## Project Standards (