| Threat model, entry points, trust boundaries | reference/01-planning.md |
.env*, API keys, credentials, secret rotation, leak response | reference/02-secrets.md |
| Password storage, login, sessions, JWT, 2FA | reference/03-patterns/auth.md |
| Per-resource permission, IDOR, admin routes, mass assignment | reference/03-patterns/authorization.md |
| Request body / query / path validation, schema enforcement | reference/03-patterns/validation.md |
SQL, NoSQL, Mongo $where, raw queries, dynamic identifiers | reference/03-patterns/injection.md |
Browser HTML rendering, dangerouslySetInnerHTML, CSP-related XSS, CSRF | reference/03-patterns/xss-csrf.md |
Server-side fetch of user-supplied URLs, webhooks, image proxies | reference/03-patterns/ssrf.md |
| File upload, multipart, image processing, S3 puts | reference/03-patterns/uploads.md |
| Catch blocks, error responses, log fields | reference/03-patterns/errors-logging.md |
| Response headers, CSP, HSTS, COOP/CORP, helmet config | reference/03-patterns/headers.md |
| Rate limiting, abuse, crypto primitives, random tokens, timing safety | reference/03-patterns/rate-limit-crypto.md |
package.json / requirements.txt / Cargo.toml changes, lockfiles, typosquatting, install scripts, SBOM | reference/04-supply-chain.md |
New project scaffolding, .editorconfig, SECURITY.md, THREAT_MODEL.md | reference/05-project-config.md |
Dockerfile, docker-compose.yml, base image pinning, BuildKit secrets | reference/06-docker.md |
.github/workflows/*, GitHub Actions, OIDC, Rulesets | reference/07-ci-cd.md |
| Test cases for authz, validation, rate-limit, file-upload edge cases | reference/08-tests.md |
| Bootstrapping a new private GitHub repo end-to-end | reference/09-new-project-flow.md |
.github/dependabot.yml, CODEOWNERS, .pre-commit-config.yaml, .dockerignore | reference/10-recommended-files.md |
| Detailed pre-commit / pre-push checklist | reference/11-commit-push.md |
| End-of-task summary template | reference/12-summary-template.md |
| Detailed pause-and-ask checklist | reference/13-pause-and-ask.md |
| Stack-specific quick wins | reference/14-stacks/{node,nextjs,fastapi,django,go,rust,spring,dotnet,rails}.md |