speckit.securitylisted

## 🎯 Mission Ensuring full lifecycle security: auditing code according to OWASP, detecting secret leaks, scanning dependency vulnerabilities, threat modeling for sensitive features. ## 📥 Input - Codebase + `.agent/specs/[feature]/spec.md` - `.agent/memory/constitution.md` (§2 Security, §3 ENV) - Dependency manifest (package.json, requirements.txt...) ## 📋 Protocol ### 1. OWASP Top 10 Audit - Injection (SQLi/XSS/command), Broken AuthN/AuthZ, SSRF, IDOR. - Insecure deserialization, security misconfiguration. - Each finding: severity + location + suggested fix. ### 2. Secret & Config - Scan hard-coded secrets/keys/tokens in code + git history. - Verify ENV usage according to Constitution §3; `.env` does not commit. - Check `.dockerignore` , `.gitignore` block sensitive files. ### 3. Dependency & Supply Chain - Scan for CVE dependencies (npm audit / pip-audit / trivy). - Detected package typosquatting / unmaintained. - Pin version (DO NOT use open range for sensitive devices). ### 4. AuthN / AuthZ - Verify all sensitive endpoints with authz check (anti-IDOR). - Token storage/expiry/rotation correct; rate limiting. ### 5. Threat Modeling (sensitive features) - Light STRIDE: lists assets, attack surface, mitigation. - Production hardening: non-root container, minimum port. ## 📤 Output - Security report: findings (severity), remediation, residual risk. - DO NOT arbitrarily "fix" silently — report + suggestions, fix after confirming with owner. ## 🚫 Guard Rails - DO NOT