AgentSkillsCN

security-secrets-management

Specialized workflow for secret lifecycle controls covering storage, rotation, and access auditing. Use when security controls, abuse-path analysis, or vulnerability remediation are the core concern; never use for non-security quality optimization.

SKILL.md
---
name: security-secrets-management
description: Specialized workflow for secret lifecycle controls for storage, rotation, and access auditing. Use when security controls, abuse-path analysis, or vulnerability treatment are central; do not use for non-security quality optimization.
---

Security Secrets Management

Trigger Boundary

  • Use when security controls, abuse paths, or compliance obligations must be defined.
  • Do not use for non-security product prioritization; use the requirements or roadmap skills instead.
  • Do not use for purely aesthetic UI decisions.

Goal

Reduce exploitable risk with verifiable security controls.

Inputs

  • Change scope and risk profile
  • Domain evidence for secret lifecycle controls covering storage, rotation, and access auditing
  • Operational, compliance, and rollout constraints

Outputs

  • Secrets inventory with rotation schedule
  • Decision log for secret lifecycle controls covering storage, rotation, and access auditing
  • Verification checklist with measurable pass-fail criteria

Workflow

  1. Clarify outcomes and hard constraints for secret lifecycle controls covering storage, rotation, and access auditing.
  2. Produce options and select an approach for those controls.
  3. Evaluate trade-offs across security, performance, operability, and maintainability.
  4. Verify decisions using rotation rehearsal and access log review.
  5. Publish decisions, residual risks, and accountable follow-up actions.

Quality Gates

  • Scope and assumptions for secret lifecycle controls covering storage, rotation, and access auditing are explicit and reviewable.
  • Decision rationale is backed by evidence instead of preference.
  • Rollout and rollback criteria are defined when production impact exists.
  • Residual risks have owners, due dates, and verification steps.

Failure Handling

  • Stop when secrets are unmanaged, hardcoded, or unrotated.
  • Escalate when accepted risk exceeds team policy thresholds.
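The Outputs (inventory with rotation schedule, pass-fail checklist), Workflow step 4 (rotation rehearsal and access log review) and the Failure Handling stop conditions above can be turned into a mechanical check. The block below is an added example and not part of the AgentSkillsCN skill or any real tool; the inventory record fields, the set of approved stores, the access-log line format and the sample data are all constructed assumptions for this example. It computes each secret's next rotation due date, flags secrets that are unmanaged, ownerless, never rotated or overdue, flags reads by principals outside a secret's expected reader set, and folds the findings into the measurable gates the skill asks for.

```python
"""Secrets inventory check: rotation schedule, access-log review, pass-fail gates.

Added example for the security-secrets-management skill. Everything here
(record fields, approved stores, log format, sample data) is assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Secret:
    """One inventory record (field names are assumptions for this example)."""
    name: str
    store: str                        # backing store; anything outside MANAGED_STORES is unmanaged
    owner: str | None                 # accountable team/person, None if unassigned
    last_rotated: date | None         # None if never rotated or unknown
    rotation_days: int                # maximum allowed age before rotation is due
    allowed_readers: frozenset[str]   # principals expected to read this secret


MANAGED_STORES = {"vault", "kms"}   # assumed set of approved secret stores
TODAY = date(2024, 6, 4)            # fixed "as of" date so the example is reproducible

# Constructed sample inventory (not real systems or credentials).
INVENTORY = [
    Secret("db/prod/password", "vault", "platform-team", date(2024, 5, 1), 90,
           frozenset({"svc-api", "svc-worker"})),
    Secret("payments/api-key", "vault", "payments-team", date(2024, 1, 10), 90,
           frozenset({"svc-payments"})),
    Secret("ci/deploy-token", "env-file", None, None, 30,
           frozenset({"ci-runner"})),
]

# Constructed access-log lines; assumed format "<YYYY-MM-DD> <principal> read <secret-name>".
ACCESS_LOG = [
    "2024-06-01 svc-api read db/prod/password",
    "2024-06-01 svc-worker read db/prod/password",
    "2024-06-02 jdoe read payments/api-key",
    "2024-06-03 ci-runner read ci/deploy-token",
    "2024-06-03 this line does not match the expected format",
]

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) read (\S+)$")


def next_rotation_due(secret: Secret) -> date | None:
    """Rotation schedule entry: due date, or None if the secret was never rotated."""
    if secret.last_rotated is None:
        return None
    return secret.last_rotated + timedelta(days=secret.rotation_days)


def rotation_findings(inventory, today):
    """(secret, code) pairs for unmanaged, ownerless, never-rotated or overdue secrets."""
    findings = []
    for s in inventory:
        if s.store not in MANAGED_STORES:
            findings.append((s.name, "unmanaged_store"))
        if s.owner is None:
            findings.append((s.name, "no_owner"))
        due = next_rotation_due(s)
        if due is None:
            findings.append((s.name, "never_rotated"))
        elif due < today:
            findings.append((s.name, "rotation_overdue"))
    return findings


def access_findings(inventory, log_lines):
    """(secret, code) pairs for unexpected readers, unknown secrets and unparseable lines."""
    allowed = {s.name: s.allowed_readers for s in inventory}
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:                       # a line the review cannot parse is itself a finding
            findings.append(("<unparsed>", "unparseable_line"))
            continue
        _day, principal, name = m.groups()
        if name not in allowed:
            findings.append((name, "unknown_secret"))
        elif principal not in allowed[name]:
            findings.append((name, "unexpected_reader"))
    return findings


def verification_checklist(inventory, log_lines, today):
    """Measurable pass/fail gates; each maps to a Failure Handling stop condition."""
    codes = {c for _, c in rotation_findings(inventory, today)}
    codes |= {c for _, c in access_findings(inventory, log_lines)}
    return {
        "all_secrets_in_managed_store": "unmanaged_store" not in codes,
        "all_secrets_have_owner": "no_owner" not in codes,
        "all_secrets_rotated_on_schedule": codes.isdisjoint({"never_rotated", "rotation_overdue"}),
        "no_unexpected_readers": codes.isdisjoint({"unexpected_reader", "unknown_secret"}),
        "access_log_fully_parseable": "unparseable_line" not in codes,
    }


def should_stop(checklist) -> bool:
    """Stop rule from Failure Handling: any failed gate blocks publication."""
    return not all(checklist.values())


if __name__ == "__main__":
    for s in INVENTORY:
        print(f"{s.name}: next rotation due {next_rotation_due(s)}")
    gates = verification_checklist(INVENTORY, ACCESS_LOG, TODAY)
    for gate, ok in gates.items():
        print(f"[{'PASS' if ok else 'FAIL'}] {gate}")
    print("STOP" if should_stop(gates) else "OK to publish")
```

With the constructed data, the sample run fails every gate except the managed-store one for the first two secrets: the `payments/api-key` rotation fell due on 2024-04-09, the `ci/deploy-token` lives in an env file with no owner and no rotation record, and a human principal read a service-only key. Restricting the run to the first secret and its two log lines passes all gates, which is the state the Quality Gates require before decisions are published.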