How to build security in from day one when the people writing the code are agents, not a hardened security team.

Pillar — Security

How to build security in from day one when the people writing the code are agents, not a hardened security team.

Status

◐ Scoped, not yet detailed. Universal layer outlined below; concrete recipes ship in a future session.

Concern	Universal principle	Concrete pattern (TS)
Identity	One signed principal per call; never trust caller-supplied `userId`	`resolveAuthContext(req)` middleware; principal comes from verified session/JWT only
RBAC	Roles → capabilities → resources, persisted, audited	RBAC store with SQLite; capability check at handler entry
Vault	Secrets sealed at rest, sealer is rotatable	Key ring with KMS/HSM sealer; envelope-encrypted secrets
Audit ledger	Append-only, signed batches, Merkle-verifiable	Ed25519-signed audit entries; periodic Merkle anchoring
Egress	Allowlist outbound network access per workspace	`firewall.evaluate(url, ctx)` at every fetch; deny by default
Consent vs elevation	Scoped time-boxed user consent ≠ role escalation	`consent.grant` (scoped) and `access.breakGlass` (role-elevation) are separate contracts
PII	Classification → redaction → retention	PII profiles + redaction at log + storage boundaries
Legal hold	Suspend retention on subject of investigation	Legal-hold flag short-circuits retention GC
DSAR	Subject access / deletion request workflow	DSAR proof-of-completion record signed
Key rotation	Connector creds + sealer keys rotatable without downtime	Versioned keys, dual-write window, audit on rotate
Break-glass	Time-boxed admin elevation with signed audit	`access.breakGlass.{request,list,revoke}` writes signed ledger
Threat model	Documented and revisited per release	`docs/security/threat-model.md`, updated on RFC changes

No raw secrets in code, env files committed, or logs. Vault refs only; logs redact known PII keys at the logger.
Auth defaults to required. Every contract entry is requireAuth: true unless an explicit false survives PR review.
Audit before action. Privileged operations log to the signed ledger before they execute; rollback if they fail.
Egress is allowlist, not blocklist. Default deny.
Tenancy from the session, never the body. orgId / workspaceId is resolved from the verified principal; clients cannot spoof it.

Doc	Read when
`universal.md`	First read; the 10 non-negotiables
`rbac-pattern.md`	Designing role / capability / scope model
`vault-pattern.md`	Storing secrets; rotation; sealer
`audit-ledger-pattern.md`	Append-only signed ledger for privileged actions
`egress-firewall-pattern.md`	Outbound network allowlist
`vulnerability-mgmt-pattern.md`	SBOM, CVE triage, supply-chain attacks, signed releases
`dependency-hygiene-pattern.md`	Add / update / remove dependency lifecycle, transitive risk
`multi-tenant-isolation-pattern.md`	Tenant data isolation, noisy-neighbor, cell-based deploy
`data-classification-pattern.md`	Per-field tagging drives redaction, retention, residency
`on-call-rotation-pattern.md`	Paging structure, severity ladder, IMOC, post-mortems
`secrets-leak-postmortem-playbook.md`	Minute-by-minute response when a secret leaks
`compliance-framework-pattern.md`	SOC 2 / ISO / GDPR / HIPAA controls mapped to playbook practices
`secrets-mgmt-deep-pattern.md`	Dynamic secrets; OIDC federation; workload identity; secret-zero
`session-mgmt-pattern.md`	Hybrid JWT + refresh; cookie flags; step-up; SSO + SCIM
`rate-limiting-ddos-pattern.md`	Edge + app rate limits; algorithms; login + signup hardening
`container-k8s-security-pattern.md`	Image hygiene; SecurityContext; NetworkPolicy; admission control
`ai-llm-safety-pattern.md`	Prompt injection defense; tool authorization; cost + safety caps
`threat-model-template.md`	Per-project threat-model skeleton