AgentSkillsCN

security-context

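Use this skill when you need to add security, privacy, and compliance constraints to technical artifacts, before or after technical planning. Note that this skill does not perform the actual code implementation.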

SKILL.md
--- frontmatter
name: security-context
description: Use when adding security/privacy/compliance constraints to technical artifacts. Before or after technical planning. Does NOT implement code.

Security Context (Addendum)

Harden engineering work by adding security constraints to story artifacts.

Inputs

  • Tech vision docs (if provided)
  • PRD ({ide-folder}/{outputFolder}/product/prd/.../US-*.md)
  • Technical context (if exists)
  • Technical plan (if exists)

Output

{ide-folder}/{outputFolder}/task/{epicNumber}-EPIC-{epicName}/US-{usName}-{usNumber}/security-addendum.md

How to Operate

  • If only technical-context.md exists: focus on constraints, threat model, missing info
  • If technical-plan.md exists: propose concrete security constraints (no code)
  • If both: consolidated addendum, clearly state what applies to context vs plan

Required Structure

yaml
Epic ID: EPIC-{epicNumber}
User Story ID: US-{usNumber}
Document: Security Addendum
Status: Draft | Ready
Owner: Security Engineer (Addendum)
Last Updated: (ISO timestamp)
Inputs: (list exact paths)
| # | Section | Content |
|---|---------|---------|
| 1 | Security objectives | What must be protected and why (1-5 bullets) |
| 2 | Mini threat model | Assets, actors, trust boundaries, abuse cases (top 3) |
| 3 | Multi-tenancy isolation | MANDATORY - tenant boundary, "must never happen" list |
| 4 | Security requirements | SEC-REQ-01... - specific, testable. Cover: AuthN/Z, input validation, CSRF, rate limiting, logging, secrets, error handling |
| 5 | OWASP Top 10 mapping | Only relevant items, not generic checkbox |
| 6 | Privacy / GDPR constraints | Data minimization, retention, access/export, logging |
| 7 | Security Verification Matrix | MANDATORY - SEC-REQ-* → tests/checks |
| 8 | Required changes to Technical Plan | Explicit additions/edits with SEC-REQ-* / AC-* refs |
| 9 | Open questions / assumptions | Only blockers, propose safe defaults |

Guardrails

  • Do not write implementation code
  • Do not expand product scope
  • Prefer requirements enforceable by tests and automated checks
  • If architecture is unsafe, say so clearly and propose safer options
  • Run /sync-issue after writing
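
An added example, not part of the skill or its project: a Python check that a written security-addendum.md contains the nine sections from Required Structure and that every SEC-REQ-* id defined under "Security requirements" appears in the Security Verification Matrix. The markdown heading layout, the report field names and the sample addendum are assumptions made for illustration.

```python
import re

# Section titles from the skill's Required Structure table, in order.
REQUIRED_SECTIONS = [
    "Security objectives", "Mini threat model", "Multi-tenancy isolation",
    "Security requirements", "OWASP Top 10 mapping",
    "Privacy / GDPR constraints", "Security Verification Matrix",
    "Required changes to Technical Plan", "Open questions / assumptions",
]
REQ_ID = re.compile(r"\bSEC-REQ-\d+\b")
# Assumption: sections are markdown headings like "## 4. Security requirements".
HEADING = re.compile(r"^#{1,6}[ \t]*(?:\d+[.)]?[ \t]+)?(.+?)[ \t]*$", re.MULTILINE)

def split_sections(text):
    """Map lower-cased heading title -> body text up to the next heading."""
    found = list(HEADING.finditer(text))
    ends = [m.start() for m in found[1:]] + [len(text)]
    return {m.group(1).lower(): text[m.end():end] for m, end in zip(found, ends)}

def check_addendum(text):
    """Report missing sections and SEC-REQ ids with no verification row."""
    sections = split_sections(text)
    defined = set(REQ_ID.findall(sections.get("security requirements", "")))
    verified = set(REQ_ID.findall(sections.get("security verification matrix", "")))
    return {
        "missing_sections": [s for s in REQUIRED_SECTIONS if s.lower() not in sections],
        "unverified": sorted(defined - verified),          # requirement without a test
        "unknown_in_matrix": sorted(verified - defined),   # matrix row without a requirement
    }

# Constructed sample addendum (not from the page); sections 5, 6, 8, 9 are absent.
SAMPLE = """\
## 1. Security objectives
- Keep each tenant's invoices unreadable by other tenants.
## 2. Mini threat model
## 3. Multi-tenancy isolation
- Must never happen: a query without a tenant filter.
## 4. Security requirements
- SEC-REQ-01: every invoice query is scoped by tenant id.
- SEC-REQ-02: invoice endpoints require an authenticated session.
- SEC-REQ-03: failed authorization is logged without invoice data.
## 7. Security Verification Matrix
| SEC-REQ-01 | integration test: cross-tenant read returns 404 |
| SEC-REQ-02 | integration test: anonymous request returns 401 |
| SEC-REQ-09 | manual review |
"""
```

Calling `check_addendum(SAMPLE)` flags the four absent sections, SEC-REQ-03 as lacking a verification row, and SEC-REQ-09 as a matrix entry with no matching requirement.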