security-bluebook-builder
Build a minimal but real security policy for sensitive apps. The output is a single, coherent Blue Book document using MUST/SHOULD/CAN language, with explicit assumptions, scope, and security gates.
What this skill does
# Security Bluebook Builder ## When to Use - You need a concise but enforceable security policy for an app handling sensitive data. - You want a single Blue Book document with explicit assumptions, controls, and go/no-go gates. - The user needs policy guidance grounded in scope, threat model, and operational security defaults rather than generic advice. ## Overview Build a minimal but real security policy for sensitive apps. The output is a single, coherent Blue Book document using MUST/SHOULD/CAN language, with explicit assumptions, scope, and security gates. ## Workflow ### 1) Gather inputs (ask only if missing) Collect just enough context to fill the template. If the user has not provided details, ask up to 6 short questions: - What data classes are handled (PII, PHI, financial, tokens, content)? - What are the trust boundaries (client/server/third parties)? - How do users authenticate (OAuth, email/password, SSO, device sessions)? - What storage is used (DB, object storage, logs, analytics)? - What connectors or third parties are used? - Retention and deletion expectations (default + user-initiated)? If the user cannot answer, proceed with safe defaults and mark TODOs. ### 2) Draft the Blue Book Load `references/bluebook_template.md` and fill it with the provided details. Keep it concise, deterministic, and enforceable. ### 3) Enforce guardrails - Do not include secrets, tokens, or internal credentials. - If something is unknown, write "TODO" plus a clear assumption. - Fail closed: if a capability is required but unavailable, call it out explicitly. - Keep scope minimal; do not add features or tools beyond what the user asked for. ### 4) Quality checks Confirm the Blue Book includes: - Threat model (assumptions + out-of-scope) - Data classification + handling rules - Trust boundaries + controls - Auth/session policy - Token handling policy - Logging/audit policy - Retention/deletion - Incident response mini-runbook - Security gates + go/no-go checklist ## Resources - `references/bluebook_template.md` ## Limitations - Use this skill only when the task clearly matches the scope described above. - Do not treat the output as a substitute for environment-specific validation, testing, or expert review. - Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.
Related in Security
mac-ops
IncludedComprehensive macOS workstation operations — diagnose kernel panics, identify failing drives, audit launchd startup items, decode wake reasons, triage TCC permission denials, manage APFS snapshots, recover from no-boot. Use for: Mac is slow, slow bootup, won't boot, kernel panic, kernel_task hot, mds_stores CPU, photoanalysisd, cloudd, login loop, gray screen, sleep wake failure, drive failing, IO errors, APFS snapshots eating space, Time Machine local snapshots, Spotlight indexing, launchd, LaunchAgent, LaunchDaemon, login items, TCC permissions, Full Disk Access, Screen Recording denied, Gatekeeper, quarantine, com.apple.quarantine, app is damaged, helper tool, /Library/PrivilegedHelperTools, pmset, wake reasons, dark wake, sysdiagnose, panic.ips, DiagnosticReports, configuration profile, MDM profile, remote diagnostics over SSH.
a11y-audit
IncludedRun accessibility audits on web projects combining automated scanning (axe-core, Lighthouse) with WCAG 2.1 AA compliance mapping, manual check guidance, and structured reporting. Output is configurable: markdown report only, markdown plus machine-readable JSON, or markdown plus issue tracker integration. Use this skill whenever the user mentions "accessibility audit", "a11y audit", "WCAG audit", "accessibility check", "compliance scan", or asks to check a web project for accessibility issues. Also trigger when the user wants to verify WCAG conformance or map findings to a specific standard (CAN-ASC-6.2, EN 301 549, ADA/AODA).
erpclaw
IncludedAI-native ERP system with self-extending OS. Full accounting, invoicing, inventory, purchasing, tax, billing, HR, payroll, advanced accounting (ASC 606/842, intercompany, consolidation), and financial reporting. 413 actions across 14 domains, 43 expansion modules. Constitutional guardrails, adversarial audit, schema migration. Double-entry GL, immutable audit trail, US GAAP.
assess
IncludedAssesses and rates quality 0-10 across multiple dimensions (correctness, maintainability, security, performance, testability, simplicity) with pros/cons analysis. Compares against project conventions and prior decisions from memory. Produces structured evaluation reports with actionable improvement suggestions. Use when evaluating code, designs, architectures, or comparing alternative approaches.
spring-boot-security-jwt
IncludedProvides JWT authentication and authorization patterns for Spring Boot 3.5.x covering token generation with JJWT, Bearer/cookie authentication, database/OAuth2 integration, and RBAC/permission-based access control using Spring Security 6.x. Use when implementing authentication or authorization in Spring Boot applications.
code-hardcode-audit
IncludedDetect hardcoded values, magic numbers, and leaked secrets. TRIGGERS - hardcode audit, magic numbers, PLR2004, secret scanning.