@jetrabbits/agentic 0.0.1

package/areas/software/qa/skills/test-data-management/SKILL.md

@@ -0,0 +1,161 @@
+---
+name: test-data-management
+type: skill
+description: Manage test data with factories, fixtures, isolation strategies, and cleanup to prevent test pollution.
+related-rules:
+  - test-strategy.md
+  - test-data.md
+allowed-tools: Read, Write, Edit, Bash
+---
+
+# Test Data Management Skill
+
+> **Expertise:** Factory functions, database isolation, seed data strategies, test pollution prevention.
+
+## Factory Pattern (Python — pytest)
+
+```python
+# tests/factories.py
+from faker import Faker
+from decimal import Decimal
+import pytest_asyncio
+
+fake = Faker()
+
+def build_user(**overrides) -> dict:
+    """Build a user dict — does NOT write to DB"""
+    return {
+        "email": fake.email(domain="example-test.com"),  # Never real domains
+        "name": fake.name(),
+        "role": "viewer",
+        "password_hash": "hashed_test_password",
+        **overrides,
+    }
+
+def build_order(**overrides) -> dict:
+    return {
+        "status": "pending",
+        "total_amount": Decimal("99.99"),
+        "currency": "USD",
+        **overrides,
+    }
+
+# Async factory fixture — writes to DB
+@pytest_asyncio.fixture
+async def create_user(db_session):
+    created = []
+    async def _create(**overrides):
+        user = User(**build_user(**overrides))
+        db_session.add(user)
+        await db_session.flush()  # Get ID without committing
+        created.append(user)
+        return user
+    yield _create
+    # Cleanup is handled by transaction rollback (see isolation below)
+
+# Usage in test
+async def test_user_can_view_own_profile(create_user, client):
+    user = await create_user(role="viewer")
+    response = await client.get(f"/users/{user.id}", headers=auth_headers(user))
+    assert response.status_code == 200
+    assert response.json()["email"] == user.email
+```
+
+## Database Isolation Strategies
+
+### Option 1: Transaction rollback (fastest — no cleanup needed)
+```python
+# conftest.py
+@pytest_asyncio.fixture
+async def db_session(engine):
+    async with engine.connect() as conn:
+        transaction = await conn.begin()
+        session = AsyncSession(bind=conn)
+        yield session
+        await transaction.rollback()   # Rollback after each test — zero pollution
+        await session.close()
+```
+
+### Option 2: Truncate tables (compatible with most ORM features)
+```python
+@pytest_asyncio.fixture(autouse=True)
+async def clean_tables(db_session):
+    yield
+    # After test: truncate in reverse FK order
+    await db_session.execute(text("TRUNCATE order_items, orders, users RESTART IDENTITY CASCADE"))
+    await db_session.commit()
+```
+
+### Option 3: Separate test database (for E2E / integration)
+```bash
+# docker-compose.test.yml
+services:
+  db-test:
+    image: postgres:16
+    environment:
+      POSTGRES_DB: myapp_test
+    tmpfs: [/var/lib/postgresql/data]   # In-memory — fast and isolated per run
+```
+
+## Seed Data for E2E Tests
+
+```python
+# tests/e2e/seeds/standard.py
+async def seed_standard_dataset(db: AsyncSession):
+    """
+    Creates a deterministic dataset for E2E tests.
+    All IDs and values are fixed — tests can reference them directly.
+    """
+    # Admin user — for management UI tests
+    admin = User(id=1, email="admin@test.example", role="admin", ...)
+    # Regular user — for end-user flow tests
+    user = User(id=2, email="user@test.example", role="viewer", ...)
+    # Products — for order flow tests
+    product_a = Product(id=101, name="Widget A", price=Decimal("29.99"), stock=100)
+    product_b = Product(id=102, name="Widget B", price=Decimal("49.99"), stock=50)
+
+    db.add_all([admin, user, product_a, product_b])
+    await db.commit()
+
+# Apply before E2E suite
+@pytest.fixture(scope="session", autouse=True)
+async def seed(db_session):
+    await seed_standard_dataset(db_session)
+```
+
+## Anti-Patterns to Avoid
+
+```python
+# ❌ Shared mutable state between tests
+orders = []  # module-level list
+
+def test_1():
+    orders.append(create_order())  # test 1 adds
+
+def test_2():
+    assert len(orders) == 0       # fails if test_1 ran first — order-dependent
+
+# ✅ Each test creates its own data
+async def test_order_count_for_new_user(create_user, client):
+    user = await create_user()
+    response = await client.get(f"/users/{user.id}/orders")
+    assert response.json()["count"] == 0   # always true — isolated
+
+# ❌ Real email addresses in test data — risk of sending to real people
+user = build_user(email="john.doe@gmail.com")
+
+# ✅ Always use test-safe domains
+user = build_user(email=fake.email(domain="example-test.com"))
+```
+
+## Test Data Cleanup Verification
+
+```bash
+# Verify no test data leaked to production DB
+SELECT count(*) FROM users WHERE email LIKE '%example-test.com%';
+# → Should always be 0 in production
+
+# Verify test DB is clean before test run
+SELECT count(*) FROM users;
+# → Should be 0 or match seed count only
+```

package/areas/software/qa/skills/test-pyramid/SKILL.md

@@ -0,0 +1,127 @@
+---
+name: test-pyramid
+type: skill
+description: Decide what type of test to write, structure the suite, measure health, and apply test doubles correctly.
+related-rules:
+  - test-strategy.md
+  - quality-gates.md
+allowed-tools: Read, Write, Edit, Bash
+---
+
+# Test Pyramid Strategy Skill
+
+> **Expertise:** Test type selection, suite health, test doubles, coverage strategy, CI integration.
+
+## Test Type Decision Tree
+
+```
+Is this a user-visible multi-step workflow (login → action → confirmation)?
+  → E2E test (Playwright/Cypress/Detox)
+
+Does the code call external systems (DB, API, queue, file system)?
+  → Integration test (real or containerized dependency)
+
+Is this pure business logic, calculation, data transformation, conditional?
+  → Unit test (fast, isolated, no I/O)
+
+Is this a contract between two services?
+  → Contract test (Pact or schema validation)
+```
+
+## Healthy Suite Ratios
+
+| Layer | Target % | When runs | Max duration |
+|---|---|---|---|
+| Unit | 70% | Every commit | < 2 min |
+| Integration | 20% | Every PR | < 5 min |
+| E2E | 10% | Pre-release | < 20 min |
+
+**Suite health signals to act on:**
+- Tests take > 10 min → too many E2E, not enough unit
+- Flake rate > 1% → isolation problems
+- Coverage high but bugs still escape → testing implementation, not behavior
+
+## Test Doubles Reference
+
+```
+Situation                                      → Double
+──────────────────────────────────────────────────────────
+Verify a function WAS called                   → Mock
+Control what a dependency returns              → Stub
+Need working but simplified implementation     → Fake (in-memory DB)
+Observe calls without replacing behavior       → Spy
+```
+
+**Golden rule:** Never mock what you don't own.
+Wrap third-party libraries in your own adapter → mock the adapter.
+
+```python
+# ❌ Mocking requests directly
+with patch("requests.get") as mock:
+    mock.return_value.json.return_value = {"status": "ok"}
+
+# ✅ Mock your own wrapper
+class HttpClient:
+    async def get(self, url: str) -> dict: ...
+
+class FakeHttpClient:
+    async def get(self, url: str) -> dict:
+        return {"status": "ok"}
+
+service = MyService(http_client=FakeHttpClient())
+```
+
+## Coverage Strategy (Risk-Based Priority)
+
+Coverage is a floor, not a ceiling. Priority:
+1. Data mutations — anything that writes to DB
+2. Business rules — validation, state machines, calculations
+3. Error paths — what happens when things fail
+4. Integration boundaries — DB queries, API calls, queue messages
+5. Happy path UI flows — last, most expensive
+
+```python
+# ❌ Coverage inflation — tests nothing meaningful
+def test_order_fields_exist():
+    order = Order(id=1, status="pending")
+    assert order.id == 1    # tests Python, not your logic
+
+# ✅ Tests behavior and business rules
+def test_order_cannot_be_cancelled_if_already_shipped():
+    order = Order(id=1, status="shipped")
+    with pytest.raises(OrderStateError, match="Cannot cancel shipped order"):
+        order.cancel()
+```
+
+## Pytest Conventions
+
+```python
+# Naming: test_<when>_<expected_outcome>
+def test_create_order_with_invalid_product_id_raises_not_found(): ...
+def test_apply_discount_when_code_expired_returns_zero(): ...
+
+# Structure: Arrange / Act / Assert
+def test_order_total_includes_tax():
+    order = Order(items=[OrderItem(price=Decimal("100.00"), quantity=2)])
+    total = order.calculate_total(tax_rate=Decimal("0.20"))
+    assert total == Decimal("240.00")
+
+# Parametrize for multiple inputs
+@pytest.mark.parametrize("quantity,expected_error", [
+    (0, "must be greater than 0"),
+    (-1, "must be greater than 0"),
+    (1001, "exceeds maximum"),
+])
+def test_order_item_quantity_validation(quantity, expected_error):
+    with pytest.raises(ValidationError, match=expected_error):
+        OrderItem(product_id="prod_1", quantity=quantity)
+```
+
+## Suite Health Checklist
+
+- [ ] `make test` (unit + integration) < 5 min
+- [ ] E2E suite < 20 min
+- [ ] Zero flaky tests (0% flake rate over last 20 CI runs)
+- [ ] Coverage ≥ project threshold on critical paths
+- [ ] No `time.sleep()` — use explicit waits or mocks for time
+- [ ] Each test independent — no shared mutable state between tests

package/areas/software/qa/workflows/flakiness-investigation.md

@@ -0,0 +1,63 @@
+---
+name: flakiness-investigation
+type: workflow
+trigger: /flakiness-investigation
+description: Diagnose and eliminate flaky tests with reproducible evidence and root cause documentation.
+inputs:
+  - flaky_test_target
+  - ci_history
+outputs:
+  - flakiness_root_cause_report
+  - stabilized_test_suite
+roles:
+  - qa
+  - developer
+  - team-lead
+execution:
+  initiator: qa
+related-rules:
+  - flakiness-policy.md
+  - test-strategy.md
+uses-skills:
+  - e2e-patterns
+  - test-data-management
+quality-gates:
+  - root cause identified (not just test quarantined)
+  - stabilization confirmed by 5+ consecutive green CI runs
+  - flakiness policy applied (quarantine before fix, never suppress)
+---
+
+## Steps
+
+### 1. Collect Failure Signals & Patterns — `@qa`
+- **Input:** flaky test name, CI history
+- **Actions:** pull last 20 CI runs; calculate flake rate; identify patterns: time-of-day, parallel vs. serial, specific test data, resource contention signals; quarantine the test immediately per flakiness policy
+- **Output:** flake rate + pattern analysis; test quarantined
+- **Done when:** flakiness pattern identified; test not blocking CI
+
+### 2. Reproduce & Classify Root Cause — `@qa` + `@developer`
+- **Input:** pattern analysis
+- **Actions:** attempt local reproduction; classify root cause category: timing/race condition; test data pollution; external dependency non-determinism; test isolation failure; environment-specific (CI vs. local); `@developer` assists with code-level investigation
+- **Output:** confirmed reproduction method; root cause category
+- **Done when:** root cause category confirmed; can reproduce on demand
+
+### 3. Stabilization Fix — `@developer`
+- **Input:** confirmed root cause
+- **Actions:** apply fix appropriate to root cause: add explicit waits/retries for timing; isolate test data per test; mock non-deterministic external deps; fix test setup/teardown isolation; implement fix as minimal change; do not just increase timeouts without addressing root cause
+- **Output:** fix on feature branch
+- **Done when:** fix addresses root cause, not just symptoms
+
+### 4. Stress Re-run & Quarantine Decision — `@qa`
+- **Input:** fix branch
+- **Actions:** run fixed test 10+ times in CI; if stable: remove from quarantine; if still flaky: escalate with detailed root cause report for `@team-lead` decision (fix deeper vs. delete test)
+- **Output:** stress run results; quarantine decision
+- **Done when:** test stable for 5+ consecutive runs OR deletion decision made
+
+### 5. Policy Review & Closure — `@team-lead`
+- **Input:** stabilized test or escalation
+- **Actions:** review fix quality; if test deleted: confirm equivalent coverage exists elsewhere; update flakiness tracking log; review if pattern reveals systemic issue requiring broader action
+- **Output:** closure note in flakiness log; systemic action item if needed
+- **Done when:** flakiness log updated; test unquarantined or deleted
+
+## Exit
+Stable test in CI + root cause documented + log updated = investigation closed.

package/areas/software/qa/workflows/performance-audit.md

@@ -0,0 +1,59 @@
+---
+name: performance-audit
+type: workflow
+trigger: /performance-audit
+description: Execute performance testing and turn findings into prioritized, actionable engineering work.
+inputs:
+  - target_endpoint_or_flow
+  - test_type
+  - slo_baseline
+outputs:
+  - performance_report
+  - prioritized_remediation_plan
+roles:
+  - qa
+  - developer
+  - team-lead
+  - pm
+execution:
+  initiator: qa
+related-rules:
+  - quality-gates.md
+  - test-strategy.md
+uses-skills:
+  - performance-testing
+  - api-testing
+quality-gates:
+  - SLO regressions explicitly identified vs. baseline
+  - bottleneck root cause identified (not just symptom)
+  - remediation actions assigned with priority
+---
+
+## Steps
+
+### 1. Scenario Definition & Baseline Alignment — `@qa`
+- **Input:** target, test type, SLO baseline
+- **Actions:** define test scenarios (load / stress / soak / spike) matching production traffic patterns; confirm SLO baseline values (p50, p99 latency; error rate; throughput); align on success/failure thresholds with `@team-lead`
+- **Output:** test plan with scenarios and thresholds
+- **Done when:** `@team-lead` approves test plan
+
+### 2. Load/Stress Execution & Monitoring Capture — `@qa`
+- **Input:** approved test plan
+- **Actions:** run load test; capture: latency percentiles (p50/p95/p99), error rate, throughput, saturation metrics (CPU, memory, DB connections); identify breaking point if stress test
+- **Output:** raw performance metrics; test execution evidence
+- **Done when:** all scenarios executed; metrics captured
+
+### 3. Bottleneck Analysis & Fix Proposal — `@developer` + `@qa`
+- **Input:** performance metrics
+- **Actions:** identify bottleneck location: DB queries (EXPLAIN ANALYZE), service CPU, network, memory pressure; `@developer` proposes targeted fix per bottleneck; estimate improvement before implementing
+- **Output:** bottleneck analysis with proposed fixes and estimates
+- **Done when:** root cause per regression identified; fixes proposed
+
+### 4. Prioritization & Delivery Planning — `@team-lead` + `@pm`
+- **Input:** analysis with fix proposals
+- **Actions:** prioritize fixes by SLO impact and effort; `@pm` schedules as engineering work items; produce `performance_report.md` with: scenario results vs. SLO, bottleneck analysis, remediation backlog with priority
+- **Output:** `performance_report.md`; remediation backlog items created
+- **Done when:** report complete; backlog items assigned
+
+## Exit
+Published report + prioritized remediation plan + backlog items created = audit complete.

package/areas/software/qa/workflows/regression-suite.md

@@ -0,0 +1,59 @@
+---
+name: regression-suite
+type: workflow
+trigger: /regression-suite
+description: Execute and analyze regression suites to produce a confident, evidence-backed release recommendation.
+inputs:
+  - environment
+  - regression_scope
+outputs:
+  - regression_report
+  - blocker_list
+roles:
+  - qa
+  - developer
+  - team-lead
+execution:
+  initiator: qa
+related-rules:
+  - quality-gates.md
+  - test-strategy.md
+  - flakiness-policy.md
+uses-skills:
+  - e2e-patterns
+  - test-pyramid
+  - test-data-management
+quality-gates:
+  - no unresolved critical failures in selected scope
+  - flaky test handling policy applied (quarantine, not suppress)
+  - go/no-go recommendation explicit
+---
+
+## Steps
+
+### 1. Scope Selection & Environment Readiness — `@qa`
+- **Input:** environment, regression scope
+- **Actions:** confirm environment health (services up, test data seeded); select test scope based on change surface (smoke / targeted / full regression); ensure no flaky tests in scope without quarantine decision
+- **Output:** confirmed scope + environment health check
+- **Done when:** environment ready; scope documented
+
+### 2. Suite Execution & Evidence Capture — `@qa`
+- **Input:** ready environment + scope
+- **Actions:** execute selected test suite; capture: pass/fail per scenario, logs, screenshots on failure, duration metrics
+- **Output:** raw execution results
+- **Done when:** full suite run complete; results captured
+
+### 3. Failure Triage & Fixes — `@developer` + `@qa`
+- **Input:** raw execution results
+- **Actions:** `@qa` triages failures: real defect vs. flaky vs. environment issue; `@developer` fixes real defects; `@qa` applies flakiness policy for flaky tests (quarantine, not suppress); re-run after fixes
+- **Output:** resolved defect list; updated execution results
+- **Done when:** all failures triaged; real defects fixed or explicitly accepted with risk note
+
+### 4. Risk Review & Release Recommendation — `@team-lead` + `@qa`
+- **Input:** final execution results + defect list
+- **Actions:** assess residual risk of accepted failures; produce `regression_report.md` with: pass rate, defect list with severity, risk assessment, explicit go/no-go recommendation
+- **Output:** `regression_report.md`; go/no-go decision
+- **Done when:** recommendation is explicit; stakeholders informed
+
+## Exit
+Go recommendation + regression report = release confidence confirmed.

package/areas/software/qa/workflows/smoke-test.md

@@ -0,0 +1,64 @@
+---
+name: smoke-test
+type: workflow
+trigger: /smoke-test
+description: Rapid post-change validation of critical user and system paths after a deployment.
+inputs:
+  - target_environment
+  - deployment_context
+outputs:
+  - smoke_result_summary
+  - rollback_recommendation
+roles:
+  - qa
+  - developer
+  - team-lead
+  - pm
+execution:
+  initiator: qa
+related-rules:
+  - quality-gates.md
+  - test-strategy.md
+  - test-data.md
+uses-skills:
+  - e2e-patterns
+  - api-testing
+quality-gates:
+  - critical path checks complete within 15 minutes of deployment
+  - any blocking failure escalated immediately with rollback recommendation
+---
+
+## Steps
+
+### 1. Prepare Environment & Test Data — `@qa`
+- **Input:** deployed environment
+- **Actions:** confirm services responding; seed or verify required test data; confirm smoke suite targets correct environment (not staging vs. production mix)
+- **Output:** environment ready; test data confirmed
+- **Done when:** ready to execute in < 5 minutes of deployment
+
+### 2. Run Critical Smoke Scenarios — `@qa`
+- **Input:** ready environment
+- **Actions:** execute smoke suite covering: authentication, core business action, key API endpoints, data read/write round-trip; capture evidence (response codes, screenshots, timing)
+- **Output:** pass/fail per scenario; evidence captured
+- **Done when:** all scenarios executed
+
+### 3. Defect Triage & Fix — `@developer`
+- **Input:** smoke failures (if any)
+- **Actions:** `@qa` classifies failure: blocking (rollback) vs. non-blocking (monitor); if blocking → `@developer` assesses rollback vs. hotfix; if non-blocking → document and continue
+- **Output:** triage decision per failure
+- **Done when:** all failures triaged; rollback or hotfix decision made if needed
+
+### 4. Operational Risk Assessment — `@team-lead`
+- **Input:** triage results
+- **Actions:** review blocking vs. non-blocking failure list; assess overall risk of keeping deployment live; confirm rollback decision if blocking failures present
+- **Output:** risk assessment note
+- **Done when:** go/no-go confirmed by `@team-lead`
+
+### 5. Communicate Go/No-Go — `@pm` + `@qa`
+- **Input:** risk assessment
+- **Actions:** `@qa` produces `smoke_result_summary.md`; `@pm` communicates status to stakeholders; if rollback: trigger `/deploy-production` with previous version
+- **Output:** `smoke_result_summary.md`; stakeholders informed
+- **Done when:** all parties notified; action taken if needed
+
+## Exit
+Go status + summary published = deployment validated. No-go + rollback triggered = incident response starts.

package/areas/software/qa/workflows/test-coverage-report.md

@@ -0,0 +1,57 @@
+---
+name: test-coverage-report
+type: workflow
+trigger: /test-coverage-report
+description: Measure, analyze, and improve test coverage based on business risk to drive targeted test investment.
+inputs:
+  - coverage_artifacts
+  - threshold
+outputs:
+  - coverage_analysis_report
+  - targeted_test_improvement_plan
+roles:
+  - qa
+  - developer
+  - team-lead
+execution:
+  initiator: qa
+related-rules:
+  - quality-gates.md
+  - test-strategy.md
+uses-skills:
+  - test-pyramid
+  - test-data-management
+quality-gates:
+  - critical business paths meet coverage threshold
+  - top uncovered risks have assigned owners
+  - coverage trend tracked (not just snapshot)
+---
+
+## Steps
+
+### 1. Collect & Compare Metrics — `@qa`
+- **Input:** coverage artifacts, threshold
+- **Actions:** collect coverage report from CI (line, branch, function coverage); compare to previous sprint/release; identify regressions (coverage dropped) and improvements; segment by module/service for targeted analysis
+- **Output:** coverage metrics with delta vs. previous; per-module breakdown
+- **Done when:** metrics collected; delta computed
+
+### 2. Identify High-Risk Gaps — `@qa` + `@team-lead`
+- **Input:** per-module coverage breakdown
+- **Actions:** map untested code to business criticality (payment flows > UI helpers); rank gaps by: data integrity risk, frequency of change, defect history; distinguish: "not worth testing" vs. "must cover"
+- **Output:** prioritized gap list with risk classification
+- **Done when:** gaps ranked; `@team-lead` agrees on priorities
+
+### 3. Implement Targeted Tests & Fixes — `@developer` + `@qa`
+- **Input:** prioritized gap list
+- **Actions:** `@developer` fixes testability issues (DI, interfaces) if needed; `@qa` implements targeted tests for high-risk gaps; focus on behavior tests, not coverage inflation (no tests that only chase the number)
+- **Output:** new tests on feature branch; coverage improved on critical paths
+- **Done when:** critical paths meet threshold; no coverage-inflating tests added
+
+### 4. Publish Trend & Action Plan — `@qa`
+- **Input:** updated coverage metrics
+- **Actions:** produce `coverage_report.md` with: coverage delta, module breakdown, newly covered critical paths, remaining known gaps with risk justification, trend chart (last 4 sprints if available)
+- **Output:** `coverage_report.md`; next sprint coverage actions noted
+- **Done when:** report shared with team; action items logged
+
+## Exit
+Critical paths at threshold + trend published + gaps assigned = coverage cycle complete.

package/areas/software/security/AGENTS.md

@@ -0,0 +1,58 @@
+# Security — guidance index
+
+## What this area covers
+
+Application and infrastructure security: secure coding standards, dependency auditing, SAST/DAST interpretation, threat modeling, auth patterns, cryptography standards, security headers, secret rotation, and compliance reporting.
+
+## Guidance chain
+
+1. Project `.agent/` baseline (`AGENTS.md` + `.agent/*`)
+2. `software/general/rules/*` — always active
+3. `security/rules/*` — load all for this spec
+4. `security/skills/*/SKILL.md` — load only the skill matching the current task
+5. `security/workflows/*` — load the workflow matching the triggered command
+
+## Inherited from general
+
+- Git / CI quality baseline
+- SDLC role responsibilities and handoff contracts
+
+## Security-specific constraints
+
+- Security findings with CVSS ≥ 7.0 are release blockers — they are not deferred without explicit documented acceptance by Team Lead and Product Owner.
+- Secrets appearing in source code, commits, or logs trigger immediate rotation — no grace period.
+- Threat model review is mandatory for features that introduce new data flows, auth boundaries, or external integrations.
+- Compliance baseline (`rules/compliance-baseline.md`) applies to every new service by default.
+
+## Spec map
+
+```text
+security/
+├── rules/
+│   ├── secure-coding.md          ← OWASP Top 10 mitigations, input validation, output encoding
+│   ├── secrets-policy.md         ← storage, rotation, access audit, emergency rotation
+│   ├── dependency-policy.md      ← vulnerability SLAs, allowed licenses, patching cadence
+│   └── compliance-baseline.md    ← SOC 2 / ISO 27001 controls applicable to all services
+├── skills/
+│   ├── threat-modeling/SKILL.md          ← STRIDE, DFD construction, mitigations
+│   ├── auth-patterns/SKILL.md            ← OAuth2, OIDC, JWT, session management
+│   ├── crypto-standards/SKILL.md         ← algorithm selection, key management, TLS config
+│   ├── dependency-audit/SKILL.md         ← npm audit, Snyk, OSV, triage workflow
+│   ├── sast-dast-interpretation/SKILL.md ← Semgrep, Bandit, OWASP ZAP results triage
+│   └── security-headers/SKILL.md         ← CSP, HSTS, CORS, referrer policy
+├── workflows/
+│   ├── security-scan.md          ← /security-scan
+│   ├── threat-model-review.md    ← /threat-model-review
+│   ├── secret-rotation.md        ← /secret-rotation
+│   ├── pen-test-sim.md           ← /pen-test-sim
+│   └── compliance-report.md      ← /compliance-report
+└── prompts/
+    └── *.md
+```
+
+## Discovery patterns
+
+- `rules/*.md`
+- `skills/*/SKILL.md`
+- `workflows/*.md`
+- `prompts/*.md`

package/areas/software/security/PROMPTS.md

@@ -0,0 +1,32 @@
+# PROMPTS: security
+
+Use these prompts with `AGENTS.md` from the same directory.
+
+## 1) Initialize agent behavior
+
+```text
+Read `security/AGENTS.md` and adopt its rules, skills loading strategy, and workflows as hard constraints.
+List the active rules and the selected workflow before implementation.
+```
+
+## 2) Implement a feature
+
+```text
+Using `security/AGENTS.md`, implement: <feature description>.
+Before coding: provide architecture notes, risk list, and test plan.
+After coding: run checks and report exact commands and results.
+```
+
+## 3) Incident / debug mode
+
+```text
+Using `security/AGENTS.md`, run incident triage for: <incident summary>.
+Return root cause hypotheses, validation steps, fix plan, and rollback plan.
+```
+
+## 4) Release readiness
+
+```text
+Using `security/AGENTS.md`, prepare release checklist for: <release scope>.
+Include quality gates, security gates, performance gates, and deployment validation.
+```