Threat Model + Security Hardening
Goal
Senior-grade security posture for PRODUCTION+: explicit threats, mitigations, and verifiable enforcement.
When to use
- Any authenticated app.
- All SaaS/CRM.
- Before client handoff.
Minimal inputs (ask only if missing)
- Actors/assets/boundaries.
- Sensitive operations list.
Procedure (MUST)
- Create `docs/threat_model.md` and `docs/security_checklist.md` from templates.
- Identify top risks (object access, privilege escalation, tenant leakage, CSRF where applicable, insecure webhook ingestion).
- Implement mitigations.
- Add tests asserting denials and boundary enforcement.
- Record residual risks and monitoring notes.
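
One way to write the denial tests this procedure calls for, covering object access, tenant leakage and privilege escalation. This is an added example, not code from the original page; `fetch_record`, `grant_role`, the `Actor` type and the sample records are hypothetical stand-ins for the application's own authorization layer.

```python
from dataclasses import dataclass

class Denied(Exception):
    """Raised when a request crosses a boundary it must not cross."""

@dataclass(frozen=True)
class Actor:
    user_id: str
    tenant_id: str
    role: str  # "member" or "admin" (constructed roles)

# Constructed sample data: record id -> (tenant, owner).
RECORDS = {"r1": ("tenant-a", "alice"), "r2": ("tenant-b", "bob")}

def fetch_record(actor, record_id):
    """Object access check: deny by default, tenant first, then ownership."""
    tenant, owner = RECORDS.get(record_id, (None, None))
    # Identical error for "missing" and "foreign tenant" so ids cannot be probed.
    if tenant is None or tenant != actor.tenant_id:
        raise Denied("not found")
    if owner != actor.user_id and actor.role != "admin":
        raise Denied("not found")
    return record_id, tenant, owner

def grant_role(actor, target_tenant, new_role):
    """Sensitive operation: only an admin of the same tenant may grant roles."""
    if actor.role != "admin" or actor.tenant_id != target_tenant:
        raise Denied("forbidden")
    return new_role

def is_denied(fn, *args):
    """True only if the call raises Denied; other exceptions propagate."""
    try:
        fn(*args)
    except Denied:
        return True
    return False

ALICE = Actor("alice", "tenant-a", "member")
CAROL = Actor("carol", "tenant-a", "member")
ADMIN_A = Actor("root-a", "tenant-a", "admin")

def test_boundaries():
    assert is_denied(fetch_record, ALICE, "r2")                 # tenant leakage
    assert is_denied(fetch_record, ADMIN_A, "r2")               # admin stays tenant-scoped
    assert is_denied(fetch_record, CAROL, "r1")                 # same tenant, not the owner
    assert is_denied(grant_role, ALICE, "tenant-a", "admin")    # self-promotion
    assert is_denied(grant_role, ADMIN_A, "tenant-b", "admin")  # cross-tenant grant
    assert fetch_record(ALICE, "r1") == ("r1", "tenant-a", "alice")  # allowed path
    assert grant_role(ADMIN_A, "tenant-a", "member") == "member"     # allowed path
```

Each denial assertion is paired with an allowed-path assertion so a check that rejects everything cannot pass the suite.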
Outputs (MUST produce)
- Threat model + checklist docs.
- Implemented mitigations + tests.
Safety
If real production systems/credentials are involved, REQUEST REVIEW.