symfony-security
Install: claude install-skill roodlicht/accans-sec-skills
# Symfony Security
## When to use
This skill is the Symfony/PHP-specific layer on top of `secure-coding`. Symfony has a sophisticated Security Component but plenty of foot-guns: firewall ordering, missing voters, Doctrine string-interpolation, Twig opt-outs, and PHP's enduring RCE classes (unserialize gadget chains, dynamic includes, type juggling).
Triggers on:
- A question like "review this Symfony app for security", "is our security.yaml correct", "Doctrine SQLi check", "Twig |raw on user input", "PHP unserialize on request body", "Symfony Profiler in prod".
- Presence of `composer.json` with `symfony/*` packages, `config/packages/security.yaml`, `config/services.yaml`, `src/Controller/`, `src/Entity/`, `templates/*.twig`, `bin/console`.
- A PR that touches `security.yaml`, voter classes, Doctrine repositories with raw SQL or DQL, Twig templates with `|raw`, or any controller that calls `unserialize()`, `include $var`, `system()`, or `eval()`.
- Symfony version bumps or security advisories from the Symfony blog.
- A handoff from `security-review` or `api-security` when Symfony is in the stack.
- A Symfony-based CMS (Sulu, Ibexa, Bolt) review.
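The "Doctrine string-interpolation" foot-gun named above, shown as an added illustration that is not part of the skill or the `accans-sec-skills` repository: the concatenated DQL and raw-SQL variants a reviewer should flag, beside their bound-parameter forms. The `App\Entity\User` entity and the `UserLookup` class are hypothetical.

```php
<?php
// Added example for the Doctrine trigger above; not code from the skill.
// Assumes a hypothetical App\Entity\User entity with an `email` field.

use Doctrine\ORM\EntityManagerInterface;

final class UserLookup
{
    public function __construct(private EntityManagerInterface $em) {}

    // VULNERABLE (DQL): request input is spliced into the query text, so a
    // single quote in $email leaves the string literal and alters the query.
    // This is what "Doctrine repositories with raw SQL or DQL" should catch.
    public function findByEmailUnsafeDql(string $email): array
    {
        $dql = "SELECT u FROM App\\Entity\\User u WHERE u.email = '" . $email . "'";
        return $this->em->createQuery($dql)->getResult();
    }

    // VULNERABLE (native SQL): same defect through the DBAL connection.
    public function findByEmailUnsafeSql(string $email): array
    {
        return $this->em->getConnection()
            ->executeQuery("SELECT id FROM users WHERE email = '" . $email . "'")
            ->fetchAllAssociative();
    }

    // HARDENED (DQL): the value travels as a named parameter; the query
    // structure is fixed before any user data is involved.
    public function findByEmail(string $email): array
    {
        return $this->em->createQuery(
            'SELECT u FROM App\Entity\User u WHERE u.email = :email'
        )->setParameter('email', $email)->getResult();
    }

    // HARDENED (native SQL): positional placeholder with a bound value.
    public function findIdByEmail(string $email): array
    {
        return $this->em->getConnection()
            ->executeQuery('SELECT id FROM users WHERE email = ?', [$email])
            ->fetchAllAssociative();
    }
}
```

A PR review under this skill treats any `createQuery()` or `executeQuery()` whose first argument is built with `.` concatenation or `"{$var}"` interpolation as a finding, regardless of whether the input looks "internal".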
### When NOT (handoff)
- General PHP secure-coding (not Symfony-specific) → `secure-coding`.
- API design and OWASP API Top 10 → `api-security`. Use this skill for the Symfony-specific implementation; that skill for the conceptual API layer.
- SAST tooling (Psalm, PHPStan, Phan with security rules, Semgrep `p/php`) → `sast-orche