cfsa-antigravity 2.19.0 → 2.19.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/template/.agent/kit-sync.md +3 -3
- package/template/.claude/commands/audit-ambiguity-execute.md +6 -0
- package/template/.claude/commands/audit-ambiguity-rubrics.md +6 -0
- package/template/.claude/commands/audit-ambiguity.md +6 -0
- package/template/.claude/commands/bootstrap-agents-fill.md +6 -0
- package/template/.claude/commands/bootstrap-agents-provision.md +6 -0
- package/template/.claude/commands/bootstrap-agents.md +6 -0
- package/template/.claude/commands/create-prd-architecture.md +6 -0
- package/template/.claude/commands/create-prd-compile.md +6 -0
- package/template/.claude/commands/create-prd-design-system.md +6 -0
- package/template/.claude/commands/create-prd-security.md +6 -0
- package/template/.claude/commands/create-prd-stack.md +6 -0
- package/template/.claude/commands/decompose-architecture-structure.md +6 -0
- package/template/.claude/commands/decompose-architecture-validate.md +6 -0
- package/template/.claude/commands/evolve-contract.md +6 -0
- package/template/.claude/commands/evolve-feature-cascade.md +6 -0
- package/template/.claude/commands/evolve-feature-classify.md +6 -0
- package/template/.claude/commands/evolve-feature.md +6 -0
- package/template/.claude/commands/ideate-discover.md +6 -0
- package/template/.claude/commands/ideate-extract.md +6 -0
- package/template/.claude/commands/ideate-validate.md +6 -0
- package/template/.claude/commands/implement-slice-setup.md +6 -0
- package/template/.claude/commands/implement-slice-tdd.md +6 -0
- package/template/.claude/commands/plan-phase-preflight.md +6 -0
- package/template/.claude/commands/plan-phase-write.md +6 -0
- package/template/.claude/commands/propagate-decision-apply.md +6 -0
- package/template/.claude/commands/propagate-decision-scan.md +6 -0
- package/template/.claude/commands/propagate-decision.md +6 -0
- package/template/.claude/commands/remediate-pipeline-assess.md +6 -0
- package/template/.claude/commands/remediate-pipeline-execute.md +6 -0
- package/template/.claude/commands/remediate-pipeline.md +6 -0
- package/template/.claude/commands/remediate-shard-split.md +6 -0
- package/template/.claude/commands/resolve-ambiguity.md +6 -0
- package/template/.claude/commands/setup-workspace-cicd.md +6 -0
- package/template/.claude/commands/setup-workspace-data.md +6 -0
- package/template/.claude/commands/setup-workspace-hosting.md +6 -0
- package/template/.claude/commands/setup-workspace-scaffold.md +6 -0
- package/template/.claude/commands/sync-kit.md +6 -0
- package/template/.claude/commands/update-architecture-map.md +6 -0
- package/template/.claude/commands/validate-phase-quality.md +6 -0
- package/template/.claude/commands/validate-phase-readiness.md +6 -0
- package/template/.claude/commands/verify-infrastructure.md +6 -0
- package/template/.claude/commands/write-architecture-spec-deepen.md +6 -0
- package/template/.claude/commands/write-architecture-spec-design.md +6 -0
- package/template/.claude/commands/write-be-spec-classify.md +6 -0
- package/template/.claude/commands/write-be-spec-write.md +6 -0
- package/template/.claude/commands/write-fe-spec-classify.md +6 -0
- package/template/.claude/commands/write-fe-spec-write.md +6 -0
- package/template/.claude/skills/accessibility/SKILL.md +522 -0
- package/template/.claude/skills/accessibility/references/WCAG.md +162 -0
- package/template/.claude/skills/accessibility/references/ia-spec-checklist.md +35 -0
- package/template/.claude/skills/adversarial-review/SKILL.md +90 -0
- package/template/.claude/skills/antigravity-workflows/SKILL.md +81 -0
- package/template/.claude/skills/antigravity-workflows/resources/implementation-playbook.md +36 -0
- package/template/.claude/skills/api-design-principles/SKILL.md +169 -0
- package/template/.claude/skills/api-design-principles/assets/api-design-checklist.md +155 -0
- package/template/.claude/skills/api-design-principles/assets/rest-api-template.py +182 -0
- package/template/.claude/skills/api-design-principles/references/graphql-schema-design.md +583 -0
- package/template/.claude/skills/api-design-principles/references/rest-best-practices.md +408 -0
- package/template/.claude/skills/api-design-principles/resources/implementation-playbook.md +513 -0
- package/template/.claude/skills/api-versioning/SKILL.md +166 -0
- package/template/.claude/skills/api-versioning/references/typescript.md +157 -0
- package/template/.claude/skills/architecture-mapping/SKILL.md +219 -0
- package/template/.claude/skills/bootstrap-agents/SKILL.md +258 -0
- package/template/.claude/skills/brainstorming/SKILL.md +177 -0
- package/template/.claude/skills/brand-guidelines/SKILL.md +44 -0
- package/template/.claude/skills/clean-code/SKILL.md +196 -0
- package/template/.claude/skills/clean-code/references/typescript.md +126 -0
- package/template/.claude/skills/code-review-pro/SKILL.md +152 -0
- package/template/.claude/skills/concise-planning/SKILL.md +107 -0
- package/template/.claude/skills/cross-layer-consistency/SKILL.md +117 -0
- package/template/.claude/skills/database-schema-design/SKILL.md +205 -0
- package/template/.claude/skills/database-schema-design/references/relational.md +228 -0
- package/template/.claude/skills/deployment-procedures/SKILL.md +241 -0
- package/template/.claude/skills/design-anti-cliche/SKILL.md +159 -0
- package/template/.claude/skills/design-direction/SKILL.md +45 -0
- package/template/.claude/skills/error-handling-patterns/SKILL.md +226 -0
- package/template/.claude/skills/error-handling-patterns/references/go.md +162 -0
- package/template/.claude/skills/error-handling-patterns/references/python.md +262 -0
- package/template/.claude/skills/error-handling-patterns/references/rust.md +112 -0
- package/template/.claude/skills/error-handling-patterns/references/typescript.md +178 -0
- package/template/.claude/skills/find-skills/SKILL.md +145 -0
- package/template/.claude/skills/git-advanced/SKILL.md +972 -0
- package/template/.claude/skills/git-workflow/SKILL.md +420 -0
- package/template/.claude/skills/idea-extraction/SKILL.md +644 -0
- package/template/.claude/skills/logging-best-practices/SKILL.md +192 -0
- package/template/.claude/skills/logging-best-practices/references/go.md +49 -0
- package/template/.claude/skills/logging-best-practices/references/python.md +52 -0
- package/template/.claude/skills/logging-best-practices/references/typescript.md +215 -0
- package/template/.claude/skills/migration-management/SKILL.md +200 -0
- package/template/.claude/skills/migration-management/references/relational.md +214 -0
- package/template/.claude/skills/minimalist-surgical-development/SKILL.md +135 -0
- package/template/.claude/skills/parallel-agents/SKILL.md +165 -0
- package/template/.claude/skills/parallel-debugging/SKILL.md +135 -0
- package/template/.claude/skills/parallel-feature-development/SKILL.md +157 -0
- package/template/.claude/skills/performance-budgeting/SKILL.md +144 -0
- package/template/.claude/skills/pipeline-rubrics/SKILL.md +51 -0
- package/template/.claude/skills/pipeline-rubrics/references/architecture-rubric.md +19 -0
- package/template/.claude/skills/pipeline-rubrics/references/be-rubric.md +21 -0
- package/template/.claude/skills/pipeline-rubrics/references/fe-rubric.md +20 -0
- package/template/.claude/skills/pipeline-rubrics/references/ia-rubric.md +19 -0
- package/template/.claude/skills/pipeline-rubrics/references/scoring.md +32 -0
- package/template/.claude/skills/pipeline-rubrics/references/vision-rubric.md +12 -0
- package/template/.claude/skills/prd-templates/SKILL.md +107 -0
- package/template/.claude/skills/prd-templates/references/architecture-completeness-checklist.md +28 -0
- package/template/.claude/skills/prd-templates/references/architecture-design-template.md +88 -0
- package/template/.claude/skills/prd-templates/references/be-spec-classification.md +41 -0
- package/template/.claude/skills/prd-templates/references/be-spec-template.md +107 -0
- package/template/.claude/skills/prd-templates/references/bootstrap-verification-protocol.md +50 -0
- package/template/.claude/skills/prd-templates/references/constraint-exploration.md +41 -0
- package/template/.claude/skills/prd-templates/references/data-placement-template.md +74 -0
- package/template/.claude/skills/prd-templates/references/decision-confirmation-protocol.md +68 -0
- package/template/.claude/skills/prd-templates/references/decision-propagation.md +121 -0
- package/template/.claude/skills/prd-templates/references/decomposition-templates.md +226 -0
- package/template/.claude/skills/prd-templates/references/deep-ideation-loading-protocol.md +114 -0
- package/template/.claude/skills/prd-templates/references/design-system-decisions.md +198 -0
- package/template/.claude/skills/prd-templates/references/design-system-prerequisite-check.md +18 -0
- package/template/.claude/skills/prd-templates/references/domain-exhaustion-criteria.md +37 -0
- package/template/.claude/skills/prd-templates/references/engagement-tier-protocol.md +58 -0
- package/template/.claude/skills/prd-templates/references/engineering-standards-template.md +126 -0
- package/template/.claude/skills/prd-templates/references/evolution-layer-guidance.md +91 -0
- package/template/.claude/skills/prd-templates/references/expansion-modes.md +27 -0
- package/template/.claude/skills/prd-templates/references/fe-classification-procedures.md +47 -0
- package/template/.claude/skills/prd-templates/references/fe-spec-template.md +90 -0
- package/template/.claude/skills/prd-templates/references/feature-ledger-protocol.md +149 -0
- package/template/.claude/skills/prd-templates/references/folder-seeding-protocol.md +77 -0
- package/template/.claude/skills/prd-templates/references/fractal-cx-template.md +58 -0
- package/template/.claude/skills/prd-templates/references/fractal-feature-template.md +93 -0
- package/template/.claude/skills/prd-templates/references/fractal-node-index-template.md +55 -0
- package/template/.claude/skills/prd-templates/references/gate-applicability.md +92 -0
- package/template/.claude/skills/prd-templates/references/ideation-crosscut-template.md +36 -0
- package/template/.claude/skills/prd-templates/references/ideation-index-template.md +111 -0
- package/template/.claude/skills/prd-templates/references/ideation-meta-template.md +126 -0
- package/template/.claude/skills/prd-templates/references/infrastructure-report-template.md +71 -0
- package/template/.claude/skills/prd-templates/references/input-classification.md +23 -0
- package/template/.claude/skills/prd-templates/references/map-guard-protocol.md +65 -0
- package/template/.claude/skills/prd-templates/references/operational-templates.md +116 -0
- package/template/.claude/skills/prd-templates/references/persona-completeness-gate.md +20 -0
- package/template/.claude/skills/prd-templates/references/placeholder-guard-template.md +21 -0
- package/template/.claude/skills/prd-templates/references/placeholder-workflow-mapping.md +50 -0
- package/template/.claude/skills/prd-templates/references/shard-boundary-analysis.md +103 -0
- package/template/.claude/skills/prd-templates/references/shard-split-remediation.md +157 -0
- package/template/.claude/skills/prd-templates/references/skill-loading-protocol.md +36 -0
- package/template/.claude/skills/prd-templates/references/slice-completion-gates.md +29 -0
- package/template/.claude/skills/prd-templates/references/spec-coverage-sweep.md +44 -0
- package/template/.claude/skills/prd-templates/references/surface-model.md +61 -0
- package/template/.claude/skills/prd-templates/references/tdd-testing-policy.md +39 -0
- package/template/.claude/skills/prd-templates/references/vision-template.md +57 -0
- package/template/.claude/skills/prd-templates/references/workflow-checkpoint-protocol.md +112 -0
- package/template/.claude/skills/prd-templates/references/write-verification-protocol.md +57 -0
- package/template/.claude/skills/prompt-engineer/SKILL.md +203 -0
- package/template/.claude/skills/regex-patterns/SKILL.md +333 -0
- package/template/.claude/skills/regex-patterns/references/go.md +44 -0
- package/template/.claude/skills/regex-patterns/references/javascript.md +63 -0
- package/template/.claude/skills/regex-patterns/references/python.md +77 -0
- package/template/.claude/skills/regex-patterns/references/rust.md +43 -0
- package/template/.claude/skills/resolve-ambiguity/SKILL.md +278 -0
- package/template/.claude/skills/security-scanning-security-hardening/SKILL.md +231 -0
- package/template/.claude/skills/session-continuity/SKILL.md +732 -0
- package/template/.claude/skills/session-continuity/protocols/01-session-resumption.md +38 -0
- package/template/.claude/skills/session-continuity/protocols/02-progress-generation.md +85 -0
- package/template/.claude/skills/session-continuity/protocols/03-progress-update.md +70 -0
- package/template/.claude/skills/session-continuity/protocols/04-pattern-extraction.md +60 -0
- package/template/.claude/skills/session-continuity/protocols/05-session-close.md +37 -0
- package/template/.claude/skills/session-continuity/protocols/06-decision-analysis.md +84 -0
- package/template/.claude/skills/session-continuity/protocols/07-spec-pipeline-generation.md +48 -0
- package/template/.claude/skills/session-continuity/protocols/08-spec-pipeline-update.md +55 -0
- package/template/.claude/skills/session-continuity/protocols/09-parallel-claim.md +122 -0
- package/template/.claude/skills/session-continuity/protocols/10-placeholder-verification-gate.md +83 -0
- package/template/.claude/skills/session-continuity/protocols/11-parallel-synthesis.md +21 -0
- package/template/.claude/skills/session-continuity/protocols/ambiguity-gates.md +48 -0
- package/template/.claude/skills/skill-creator/SKILL.md +203 -0
- package/template/.claude/skills/skill-creator/references/.gitkeep +0 -0
- package/template/.claude/skills/skill-creator/scripts/.gitkeep +0 -0
- package/template/.claude/skills/spec-writing/SKILL.md +110 -0
- package/template/.claude/skills/systematic-debugging/CREATION-LOG.md +119 -0
- package/template/.claude/skills/systematic-debugging/SKILL.md +297 -0
- package/template/.claude/skills/systematic-debugging/condition-based-waiting-example.ts +158 -0
- package/template/.claude/skills/systematic-debugging/condition-based-waiting.md +115 -0
- package/template/.claude/skills/systematic-debugging/defense-in-depth.md +122 -0
- package/template/.claude/skills/systematic-debugging/find-polluter.sh +63 -0
- package/template/.claude/skills/systematic-debugging/root-cause-tracing.md +169 -0
- package/template/.claude/skills/systematic-debugging/test-academic.md +14 -0
- package/template/.claude/skills/systematic-debugging/test-pressure-1.md +58 -0
- package/template/.claude/skills/systematic-debugging/test-pressure-2.md +68 -0
- package/template/.claude/skills/systematic-debugging/test-pressure-3.md +69 -0
- package/template/.claude/skills/tdd-workflow/SKILL.md +186 -0
- package/template/.claude/skills/tdd-workflow/references/typescript.md +231 -0
- package/template/.claude/skills/tech-stack-catalog/SKILL.md +49 -0
- package/template/.claude/skills/tech-stack-catalog/references/constraint-questions.md +237 -0
- package/template/.claude/skills/tech-stack-catalog/references/dev-tooling-decisions.md +37 -0
- package/template/.claude/skills/tech-stack-catalog/references/surface-decision-tables.md +69 -0
- package/template/.claude/skills/technical-writer/SKILL.md +242 -0
- package/template/.claude/skills/testing-strategist/SKILL.md +319 -0
- package/template/.claude/skills/testing-strategist/references/typescript.md +328 -0
- package/template/.claude/skills/verification-before-completion/SKILL.md +97 -0
- package/template/.claude/skills/workflow-automation/SKILL.md +166 -0
- package/template/.claude/skills/workflow-automation/references/inngest.md +88 -0
- package/template/.claude/skills/workflow-automation/references/temporal.md +64 -0
|
@@ -0,0 +1,278 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: resolve-ambiguity
|
|
3
|
+
description: "Systematic ambiguity resolution through tiered information gathering. Use when facing unclear requirements, unknown context, uncertain implementation choices, or any situation where guessing would be risky."
|
|
4
|
+
version: 1.0.0
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Resolve Ambiguity
|
|
8
|
+
|
|
9
|
+
Resolve ambiguity through a systematic process that prioritizes accurate information over guessing. This skill determines the best source for missing information and retrieves it efficiently.
|
|
10
|
+
|
|
11
|
+
**Core principle**: Rather ask than guess. Wrong assumptions waste more time than clarifying questions.
|
|
12
|
+
|
|
13
|
+
**Usage**: Invoke this skill reactively — whenever an agent encounters something it doesn't know during any pipeline step.
|
|
14
|
+
|
|
15
|
+
---
|
|
16
|
+
|
|
17
|
+
## Quick Start
|
|
18
|
+
|
|
19
|
+
When you encounter ambiguity, classify it:
|
|
20
|
+
|
|
21
|
+
1. **Technical/Factual** — "How does X work?" "What is the correct syntax?" "What did the architecture doc decide?"
|
|
22
|
+
- Likely found in project or online sources
|
|
23
|
+
- Follow the tiered lookup process
|
|
24
|
+
|
|
25
|
+
2. **Intent/Choice** — "Which approach should I use?" "What does the user want?" "Should we prioritize X or Y?"
|
|
26
|
+
- Requires user input
|
|
27
|
+
- Go directly to User Clarification (skip lookup)
|
|
28
|
+
|
|
29
|
+
---
|
|
30
|
+
|
|
31
|
+
## Tiered Lookup (for Technical/Factual ambiguity)
|
|
32
|
+
|
|
33
|
+
Check sources in this order. **Stop as soon as you find authoritative information.**
|
|
34
|
+
|
|
35
|
+
### Tier 1: Project Context Files
|
|
36
|
+
|
|
37
|
+
**Check first — fastest and most relevant**
|
|
38
|
+
|
|
39
|
+
Look for project-specific context that may already answer the question:
|
|
40
|
+
- `AGENTS.md` or `GEMINI.md` — Agent instructions, tech stack, validation commands
|
|
41
|
+
- `.agent/instructions/tech-stack.md` — Technology decisions
|
|
42
|
+
- `.agent/instructions/patterns.md` — Code conventions
|
|
43
|
+
- `.agent/instructions/structure.md` — Directory layout
|
|
44
|
+
- `.agent/instructions/commands.md` — Dev, test, lint, build
|
|
45
|
+
|
|
46
|
+
If these files contain `{{PLACEHOLDER}}` values, the information hasn't been decided yet — move to the next tier.
|
|
47
|
+
|
|
48
|
+
### Tier 2: Upstream Spec Documents
|
|
49
|
+
|
|
50
|
+
**Check second — the pipeline's own output**
|
|
51
|
+
|
|
52
|
+
The answer may already exist in a document written by an earlier pipeline stage:
|
|
53
|
+
- `docs/plans/ideation/ideation-index.md` + fractal domain tree (folder `*-index.md`, `*-cx.md`, and feature files) — Problem, personas, features, constraints, domain map
|
|
54
|
+
- `docs/plans/*-architecture-design.md` — Tech stack, system design, security model
|
|
55
|
+
- `docs/plans/ENGINEERING-STANDARDS.md` — Quality thresholds, performance budgets
|
|
56
|
+
- `docs/plans/ia/*.md` — IA shards (features, data models, access control, edge cases)
|
|
57
|
+
- `docs/plans/ia/deep-dives/*.md` — Detailed architectural decisions
|
|
58
|
+
- `docs/plans/be/*.md` — BE specs (endpoints, contracts, schemas)
|
|
59
|
+
- `docs/plans/fe/*.md` — FE specs (components, routing, state, a11y)
|
|
60
|
+
|
|
61
|
+
**Read the specific section, not the entire document.** Use the IA/BE/FE index files to locate the relevant shard or spec.
|
|
62
|
+
|
|
63
|
+
### Tier 3: Architectural & Config Files
|
|
64
|
+
|
|
65
|
+
**Check third — project-specific patterns**
|
|
66
|
+
|
|
67
|
+
Look within the codebase for answers embedded in configuration or existing code:
|
|
68
|
+
- `package.json`, `tsconfig.json` — Dependencies, TypeScript config
|
|
69
|
+
- `pyproject.toml`, `setup.py` — Python config
|
|
70
|
+
- `Cargo.toml` — Rust config
|
|
71
|
+
- `.env.example` — Environment variables
|
|
72
|
+
- `README.md` — Project overview and setup
|
|
73
|
+
- `ARCHITECTURE.md` or `docs/architecture.md` — Design decisions
|
|
74
|
+
|
|
75
|
+
Also check existing code for established patterns:
|
|
76
|
+
- Search for files matching the pattern you're trying to follow
|
|
77
|
+
- Search for similar implementations in the codebase
|
|
78
|
+
|
|
79
|
+
### Tier 4: MCP Documentation Tools
|
|
80
|
+
|
|
81
|
+
**Check fourth — if MCP documentation tools are available**
|
|
82
|
+
|
|
83
|
+
If MCP tools are available for documentation lookup, use them:
|
|
84
|
+
- Context7, Firecrawl, or other documentation-specific MCP tools
|
|
85
|
+
- These provide structured access to official library and framework documentation
|
|
86
|
+
|
|
87
|
+
### Tier 5: Web Search Official Sources
|
|
88
|
+
|
|
89
|
+
**Check fifth — for external APIs, libraries, standards**
|
|
90
|
+
|
|
91
|
+
Search the web for:
|
|
92
|
+
- Official documentation sites
|
|
93
|
+
- GitHub repositories of libraries
|
|
94
|
+
- API reference documentation
|
|
95
|
+
- RFC or specification documents
|
|
96
|
+
|
|
97
|
+
**Search strategy**:
|
|
98
|
+
1. Search with specific query: `"{library/API name} documentation {specific topic}"`
|
|
99
|
+
2. Fetch the most authoritative result (official docs preferred)
|
|
100
|
+
3. Extract only the relevant information
|
|
101
|
+
|
|
102
|
+
Prefer sources in this order:
|
|
103
|
+
1. Official documentation (*.dev, *.io, readthedocs)
|
|
104
|
+
2. GitHub repository README/docs
|
|
105
|
+
3. Stack Overflow with high votes (for edge cases)
|
|
106
|
+
|
|
107
|
+
### When to Stop
|
|
108
|
+
|
|
109
|
+
Stop the tiered lookup when:
|
|
110
|
+
- You find authoritative information that resolves the ambiguity
|
|
111
|
+
- You've checked all relevant tiers without finding information
|
|
112
|
+
- The information found indicates this is actually a choice/intent question
|
|
113
|
+
|
|
114
|
+
If all tiers exhausted without answer, proceed to User Clarification.
|
|
115
|
+
|
|
116
|
+
---
|
|
117
|
+
|
|
118
|
+
## User Clarification (for Intent/Choice ambiguity)
|
|
119
|
+
|
|
120
|
+
For intent/choice questions, or when tiered lookup fails, ask the user directly. **Never guess when user input is available.**
|
|
121
|
+
|
|
122
|
+
### Principles
|
|
123
|
+
|
|
124
|
+
1. **Explain what you need** — Tell the user what information is missing
|
|
125
|
+
2. **Explain why you need it** — Describe how the answer affects the outcome
|
|
126
|
+
3. **Offer smart choices** — If you can infer likely options, present them
|
|
127
|
+
4. **Best practice first** — Order choices with recommended approach at top
|
|
128
|
+
5. **Bad ideas last** — If including risky options, put them at the bottom
|
|
129
|
+
6. **Always allow custom input** — User can always provide their own answer
|
|
130
|
+
7. **When uncertain, don't guess choices** — Better to ask open-ended than offer wrong options
|
|
131
|
+
|
|
132
|
+
### With Known Choices
|
|
133
|
+
|
|
134
|
+
When you can confidently identify the options, present them to the user:
|
|
135
|
+
- Question: Clear, specific question explaining context
|
|
136
|
+
- Options ordered by preference (2-4 max):
|
|
137
|
+
1. Best practice / Most common / Recommended
|
|
138
|
+
2. Good alternative
|
|
139
|
+
3. Another valid option
|
|
140
|
+
4. Least recommended / Has drawbacks
|
|
141
|
+
- Each option includes description explaining implications
|
|
142
|
+
- User can always provide custom input
|
|
143
|
+
|
|
144
|
+
### Without Known Choices
|
|
145
|
+
|
|
146
|
+
When you cannot confidently identify the options:
|
|
147
|
+
|
|
148
|
+
**DO NOT GUESS.** Ask an open-ended question instead:
|
|
149
|
+
- Explain what you need to know and why
|
|
150
|
+
- Keep options minimal or omit entirely
|
|
151
|
+
- Allow free-form input as primary response method
|
|
152
|
+
|
|
153
|
+
### Formatting Rules
|
|
154
|
+
|
|
155
|
+
1. **Single question at a time** — Don't overwhelm with multiple questions
|
|
156
|
+
2. **2-4 options maximum** — More becomes confusing
|
|
157
|
+
3. **Descriptions are required** — Every option needs context
|
|
158
|
+
4. **No yes/no when options exist** — Offer the actual choices instead
|
|
159
|
+
5. **Acknowledge uncertainty** — "I'm not sure which applies, so..."
|
|
160
|
+
|
|
161
|
+
---
|
|
162
|
+
|
|
163
|
+
## Ambiguity Categories
|
|
164
|
+
|
|
165
|
+
### Technical Implementation
|
|
166
|
+
**Examples**: "How do I call this API?" "What's the correct syntax?"
|
|
167
|
+
|
|
168
|
+
**Resolution path**:
|
|
169
|
+
1. Check project context files → upstream specs
|
|
170
|
+
2. Check architectural docs and existing code
|
|
171
|
+
3. Search official documentation
|
|
172
|
+
4. If still unclear → ask user for clarification
|
|
173
|
+
|
|
174
|
+
### Project Conventions
|
|
175
|
+
**Examples**: "What naming convention?" "Where should this file go?"
|
|
176
|
+
|
|
177
|
+
**Resolution path**:
|
|
178
|
+
1. Check agent instructions and patterns for explicit conventions
|
|
179
|
+
2. Check existing code for patterns
|
|
180
|
+
3. Check README/contributing guide
|
|
181
|
+
4. If no clear pattern → ask user preference
|
|
182
|
+
|
|
183
|
+
### Spec Interpretation
|
|
184
|
+
**Examples**: "Does the IA shard mean X or Y?" "Is this edge case in scope?"
|
|
185
|
+
|
|
186
|
+
**Resolution path**:
|
|
187
|
+
1. Re-read the specific section of the upstream spec
|
|
188
|
+
2. Check cross-shard references for clarification
|
|
189
|
+
3. Check deep dives for architectural decisions
|
|
190
|
+
4. If genuinely ambiguous → ask user (this is a spec gap that should be fixed)
|
|
191
|
+
|
|
192
|
+
### User Intent
|
|
193
|
+
**Examples**: "Which feature first?" "Should I also refactor X?"
|
|
194
|
+
|
|
195
|
+
**Resolution path**:
|
|
196
|
+
1. Skip lookup — this requires user input
|
|
197
|
+
2. Ask user immediately
|
|
198
|
+
3. Present inferred options if confident
|
|
199
|
+
4. Allow open-ended response if uncertain
|
|
200
|
+
|
|
201
|
+
### External Dependencies
|
|
202
|
+
**Examples**: "Which version of X?" "What's the API for Y?"
|
|
203
|
+
|
|
204
|
+
**Resolution path**:
|
|
205
|
+
1. Check package.json/pyproject.toml for versions
|
|
206
|
+
2. Search for current documentation
|
|
207
|
+
3. Fetch official docs
|
|
208
|
+
4. If version-specific behavior → confirm with user
|
|
209
|
+
|
|
210
|
+
### Architectural Decisions
|
|
211
|
+
**Examples**: "Monolith or microservices?" "Which pattern to use?"
|
|
212
|
+
|
|
213
|
+
**Resolution path**:
|
|
214
|
+
1. Check architecture-design.md for prior decisions
|
|
215
|
+
2. Check ENGINEERING-STANDARDS.md for constraints
|
|
216
|
+
3. This is usually a choice → ask user
|
|
217
|
+
4. Present trade-offs clearly in options
|
|
218
|
+
|
|
219
|
+
---
|
|
220
|
+
|
|
221
|
+
## Relationship to `/audit-ambiguity`
|
|
222
|
+
|
|
223
|
+
This skill and the audit workflow are complementary:
|
|
224
|
+
|
|
225
|
+
| Aspect | `resolve-ambiguity` | `/audit-ambiguity` |
|
|
226
|
+
|--------|---------------------|---------------------|
|
|
227
|
+
| **When** | During any step, at any time | Between pipeline stages |
|
|
228
|
+
| **Trigger** | Agent encounters something it doesn't know | User invokes as a gate |
|
|
229
|
+
| **Scope** | Single question or decision | Entire spec layer |
|
|
230
|
+
| **Output** | Answer or user decision | Scored report with punch list |
|
|
231
|
+
| **Purpose** | Prevent guessing during execution | Verify completeness after writing |
|
|
232
|
+
|
|
233
|
+
**Composition**: After `/audit-ambiguity` produces a punch list, it invokes this skill on each gap:
|
|
234
|
+
- **Technical gaps** → tiered lookup finds the answer → **mechanical fix** with source citation
|
|
235
|
+
- **Intent gaps** → no source has the answer → **judgment call** presented to user
|
|
236
|
+
- This powers the audit's remediation phase with structured, source-backed resolution
|
|
237
|
+
|
|
238
|
+
---
|
|
239
|
+
|
|
240
|
+
## Anti-Patterns
|
|
241
|
+
|
|
242
|
+
### Guessing and Hoping
|
|
243
|
+
**Wrong**: Making assumptions and proceeding without verification
|
|
244
|
+
**Instead**: Take 30 seconds to check or ask
|
|
245
|
+
|
|
246
|
+
### Too Many Questions
|
|
247
|
+
**Wrong**: Asking 5 questions before doing anything
|
|
248
|
+
**Instead**: Ask only what's blocking immediate progress
|
|
249
|
+
|
|
250
|
+
### Vague Questions
|
|
251
|
+
**Wrong**: "How should I proceed?"
|
|
252
|
+
**Instead**: "Should I use approach A (benefit) or B (benefit)?"
|
|
253
|
+
|
|
254
|
+
### Assuming User Expertise
|
|
255
|
+
**Wrong**: "Should I use the factory pattern or strategy pattern?"
|
|
256
|
+
**Instead**: Explain the options in plain terms with trade-offs
|
|
257
|
+
|
|
258
|
+
### Hiding Behind Defaults
|
|
259
|
+
**Wrong**: Silently using a default without mentioning alternatives
|
|
260
|
+
**Instead**: "I'll use X (the standard approach). Let me know if you'd prefer Y."
|
|
261
|
+
|
|
262
|
+
### Skipping Upstream Specs
|
|
263
|
+
**Wrong**: Searching the web for an answer that's already in the architecture doc
|
|
264
|
+
**Instead**: Check Tier 1 and 2 (project docs and upstream specs) before going external
|
|
265
|
+
|
|
266
|
+
### Not Recording the Resolution
|
|
267
|
+
**Wrong**: Resolving ambiguity verbally but not updating the spec
|
|
268
|
+
**Instead**: When a gap is resolved, update the relevant spec document so future readers don't hit the same ambiguity
|
|
269
|
+
|
|
270
|
+
---
|
|
271
|
+
|
|
272
|
+
## Process Summary
|
|
273
|
+
|
|
274
|
+
1. **Detect**: Identify what information is missing
|
|
275
|
+
2. **Classify**: Technical/Factual → Tiered lookup | Intent/Choice → User clarification
|
|
276
|
+
3. **Resolve**: Execute the appropriate resolution path
|
|
277
|
+
4. **Apply**: Use the information to proceed with the task
|
|
278
|
+
5. **Record**: Update relevant documents so the resolution persists
|
|
@@ -0,0 +1,231 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: security-scanning-security-hardening
|
|
3
|
+
description: "Coordinate multi-layer security scanning and hardening across application, infrastructure, and compliance controls."
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
Implement comprehensive security hardening with defense-in-depth strategy through coordinated multi-agent orchestration:
|
|
7
|
+
|
|
8
|
+
[Extended thinking: This workflow implements a defense-in-depth security strategy across all application layers. It coordinates specialized security agents to perform comprehensive assessments, implement layered security controls, and establish continuous security monitoring. The approach follows modern DevSecOps principles with shift-left security, automated scanning, and compliance validation. Each phase builds upon previous findings to create a resilient security posture that addresses both current vulnerabilities and future threats.]
|
|
9
|
+
|
|
10
|
+
## Use this skill when
|
|
11
|
+
|
|
12
|
+
- Running a coordinated security hardening program
|
|
13
|
+
- Establishing defense-in-depth controls across app, infra, and CI/CD
|
|
14
|
+
- Prioritizing remediation from scans and threat modeling
|
|
15
|
+
|
|
16
|
+
## Do not use this skill when
|
|
17
|
+
|
|
18
|
+
- You only need a quick scan without remediation work
|
|
19
|
+
- You lack authorization for security testing or changes
|
|
20
|
+
- The environment cannot tolerate invasive security controls
|
|
21
|
+
|
|
22
|
+
## Instructions
|
|
23
|
+
|
|
24
|
+
1. Execute Phase 1 to establish a security baseline.
|
|
25
|
+
2. Apply Phase 2 remediations for high-risk issues.
|
|
26
|
+
3. Implement Phase 3 controls and validate defenses.
|
|
27
|
+
4. Complete Phase 4 validation and compliance checks.
|
|
28
|
+
|
|
29
|
+
## Safety
|
|
30
|
+
|
|
31
|
+
- Avoid intrusive testing in production without approval.
|
|
32
|
+
- Ensure rollback plans exist before hardening changes.
|
|
33
|
+
|
|
34
|
+
## Phase 1: Comprehensive Security Assessment
|
|
35
|
+
|
|
36
|
+
### 1. Initial Vulnerability Scanning
|
|
37
|
+
- Use Task tool with subagent_type="security-auditor"
|
|
38
|
+
- Prompt: "Perform comprehensive security assessment on: $ARGUMENTS. Execute SAST analysis with Semgrep/SonarQube, DAST scanning with OWASP ZAP, dependency audit with Snyk/Trivy, secrets detection with GitLeaks/TruffleHog. Generate SBOM for supply chain analysis. Identify OWASP Top 10 vulnerabilities, CWE weaknesses, and CVE exposures."
|
|
39
|
+
- Output: Detailed vulnerability report with CVSS scores, exploitability analysis, attack surface mapping, secrets exposure report, SBOM inventory
|
|
40
|
+
- Context: Initial baseline for all remediation efforts
|
|
41
|
+
|
|
42
|
+
### 2. Threat Modeling and Risk Analysis
|
|
43
|
+
- Use Task tool with subagent_type="security-auditor"
|
|
44
|
+
- Prompt: "Conduct threat modeling using STRIDE methodology for: $ARGUMENTS. Analyze attack vectors, create attack trees, assess business impact of identified vulnerabilities. Map threats to MITRE ATT&CK framework. Prioritize risks based on likelihood and impact."
|
|
45
|
+
- Output: Threat model diagrams, risk matrix with prioritized vulnerabilities, attack scenario documentation, business impact analysis
|
|
46
|
+
- Context: Uses vulnerability scan results to inform threat priorities
|
|
47
|
+
|
|
48
|
+
### 3. Architecture Security Review
|
|
49
|
+
- Use Task tool with subagent_type="backend-api-security::backend-architect"
|
|
50
|
+
- Prompt: "Review architecture for security weaknesses in: $ARGUMENTS. Evaluate service boundaries, data flow security, authentication/authorization architecture, encryption implementation, network segmentation. Design zero-trust architecture patterns. Reference threat model and vulnerability findings."
|
|
51
|
+
- Output: Security architecture assessment, zero-trust design recommendations, service mesh security requirements, data classification matrix
|
|
52
|
+
- Context: Incorporates threat model to address architectural vulnerabilities
|
|
53
|
+
|
|
54
|
+
## Phase 2: Vulnerability Remediation
|
|
55
|
+
|
|
56
|
+
### 4. Critical Vulnerability Fixes
|
|
57
|
+
- Use Task tool with subagent_type="security-auditor"
|
|
58
|
+
- Prompt: "Coordinate immediate remediation of critical vulnerabilities (CVSS 7+) in: $ARGUMENTS. Fix SQL injections with parameterized queries, XSS with output encoding, authentication bypasses with secure session management, insecure deserialization with input validation. Apply security patches for CVEs."
|
|
59
|
+
- Output: Patched code with vulnerability fixes, security patch documentation, regression test requirements
|
|
60
|
+
- Context: Addresses high-priority items from vulnerability assessment
|
|
61
|
+
|
|
62
|
+
### 5. Backend Security Hardening
|
|
63
|
+
- Use Task tool with subagent_type="backend-api-security::backend-security-coder"
|
|
64
|
+
- Prompt: "Implement comprehensive backend security controls for: $ARGUMENTS. Add input validation with OWASP ESAPI, implement rate limiting and DDoS protection, secure API endpoints with OAuth2/JWT validation, add encryption for data at rest/transit using AES-256/TLS 1.3. Implement secure logging without PII exposure."
|
|
65
|
+
- Output: Hardened API endpoints, validation middleware, encryption implementation, secure configuration templates
|
|
66
|
+
- Context: Builds upon vulnerability fixes with preventive controls
|
|
67
|
+
|
|
68
|
+
### 6. Frontend Security Implementation
|
|
69
|
+
- Use Task tool with subagent_type="frontend-mobile-security::frontend-security-coder"
|
|
70
|
+
- Prompt: "Implement frontend security measures for: $ARGUMENTS. Configure CSP headers with nonce-based policies, implement XSS prevention with DOMPurify, secure authentication flows with PKCE OAuth2, add SRI for external resources, implement secure cookie handling with SameSite/HttpOnly/Secure flags."
|
|
71
|
+
- Output: Secure frontend components, CSP policy configuration, authentication flow implementation, security headers configuration
|
|
72
|
+
- Context: Complements backend security with client-side protections
|
|
73
|
+
|
|
74
|
+
### 7. Mobile Security Hardening
|
|
75
|
+
- Use Task tool with subagent_type="frontend-mobile-security::mobile-security-coder"
|
|
76
|
+
- Prompt: "Implement mobile app security for: $ARGUMENTS. Add certificate pinning, implement biometric authentication, secure local storage with encryption, obfuscate code with ProGuard/R8, implement anti-tampering and root/jailbreak detection, secure IPC communications."
|
|
77
|
+
- Output: Hardened mobile application, security configuration files, obfuscation rules, certificate pinning implementation
|
|
78
|
+
- Context: Extends security to mobile platforms if applicable
|
|
79
|
+
|
|
80
|
+
## Phase 3: Security Controls Implementation
|
|
81
|
+
|
|
82
|
+
### 8. Authentication and Authorization Enhancement
|
|
83
|
+
- Use Task tool with subagent_type="security-auditor"
|
|
84
|
+
- Prompt: "Implement modern authentication system for: $ARGUMENTS. Deploy OAuth2/OIDC with PKCE, implement MFA with TOTP/WebAuthn/FIDO2, add risk-based authentication, implement RBAC/ABAC with principle of least privilege, add session management with secure token rotation."
|
|
85
|
+
- Output: Authentication service configuration, MFA implementation, authorization policies, session management system
|
|
86
|
+
- Context: Strengthens access controls based on architecture review
|
|
87
|
+
|
|
88
|
+
### 9. Infrastructure Security Controls
|
|
89
|
+
- Use Task tool with subagent_type="deployment-strategies::deployment-engineer"
|
|
90
|
+
- Prompt: "Deploy infrastructure security controls for: $ARGUMENTS. Configure WAF rules for OWASP protection, implement network segmentation with micro-segmentation, deploy IDS/IPS systems, configure cloud security groups and NACLs, implement DDoS protection with rate limiting and geo-blocking."
|
|
91
|
+
- Output: WAF configuration, network security policies, IDS/IPS rules, cloud security configurations
|
|
92
|
+
- Context: Implements network-level defenses
|
|
93
|
+
|
|
94
|
+
### 10. Secrets Management Implementation
|
|
95
|
+
- Use Task tool with subagent_type="deployment-strategies::deployment-engineer"
|
|
96
|
+
- Prompt: "Implement enterprise secrets management for: $ARGUMENTS. Deploy HashiCorp Vault or AWS Secrets Manager, implement secret rotation policies, remove hardcoded secrets, configure least-privilege IAM roles, implement encryption key management with HSM support."
|
|
97
|
+
- Output: Secrets management configuration, rotation policies, IAM role definitions, key management procedures
|
|
98
|
+
- Context: Eliminates secrets exposure vulnerabilities
|
|
99
|
+
|
|
100
|
+
## Phase 4: Validation and Compliance
|
|
101
|
+
|
|
102
|
+
### 11. Penetration Testing and Validation
|
|
103
|
+
- Use Task tool with subagent_type="security-auditor"
|
|
104
|
+
- Prompt: "Execute comprehensive penetration testing for: $ARGUMENTS. Perform authenticated and unauthenticated testing, API security testing, business logic testing, privilege escalation attempts. Use Burp Suite, Metasploit, and custom exploits. Validate all security controls effectiveness."
|
|
105
|
+
- Output: Penetration test report, proof-of-concept exploits, remediation validation, security control effectiveness metrics
|
|
106
|
+
- Context: Validates all implemented security measures
|
|
107
|
+
|
|
108
|
+
### 12. Compliance and Standards Verification
|
|
109
|
+
- Use Task tool with subagent_type="security-auditor"
|
|
110
|
+
- Prompt: "Verify compliance with security frameworks for: $ARGUMENTS. Validate against OWASP ASVS Level 2, CIS Benchmarks, SOC2 Type II requirements, GDPR/CCPA privacy controls, HIPAA/PCI-DSS if applicable. Generate compliance attestation reports."
|
|
111
|
+
- Output: Compliance assessment report, gap analysis, remediation requirements, audit evidence collection
|
|
112
|
+
- Context: Ensures regulatory and industry standard compliance
|
|
113
|
+
|
|
114
|
+
### 13. Security Monitoring and SIEM Integration
|
|
115
|
+
- Use Task tool with subagent_type="incident-response::devops-troubleshooter"
|
|
116
|
+
- Prompt: "Implement security monitoring and SIEM for: $ARGUMENTS. Deploy Splunk/ELK/Sentinel integration, configure security event correlation, implement behavioral analytics for anomaly detection, set up automated incident response playbooks, create security dashboards and alerting."
|
|
117
|
+
- Output: SIEM configuration, correlation rules, incident response playbooks, security dashboards, alert definitions
|
|
118
|
+
- Context: Establishes continuous security monitoring
|
|
119
|
+
|
|
120
|
+
## Configuration Options
|
|
121
|
+
- scanning_depth: "quick" | "standard" | "comprehensive" (default: comprehensive)
|
|
122
|
+
- compliance_frameworks: ["OWASP", "CIS", "SOC2", "GDPR", "HIPAA", "PCI-DSS"]
|
|
123
|
+
- remediation_priority: "cvss_score" | "exploitability" | "business_impact"
|
|
124
|
+
- monitoring_integration: "splunk" | "elastic" | "sentinel" | "custom"
|
|
125
|
+
- authentication_methods: ["oauth2", "saml", "mfa", "biometric", "passwordless"]
|
|
126
|
+
|
|
127
|
+
## Success Criteria
|
|
128
|
+
- All critical vulnerabilities (CVSS 7+) remediated
|
|
129
|
+
- OWASP Top 10 vulnerabilities addressed
|
|
130
|
+
- Zero high-risk findings in penetration testing
|
|
131
|
+
- Compliance frameworks validation passed
|
|
132
|
+
- Security monitoring detecting and alerting on threats
|
|
133
|
+
- Incident response time < 15 minutes for critical alerts
|
|
134
|
+
- SBOM generated and vulnerabilities tracked
|
|
135
|
+
- All secrets managed through secure vault
|
|
136
|
+
- Authentication implements MFA and secure session management
|
|
137
|
+
- Security tests integrated into CI/CD pipeline
|
|
138
|
+
|
|
139
|
+
## Coordination Notes
|
|
140
|
+
- Each phase provides detailed findings that inform subsequent phases
|
|
141
|
+
- Security-auditor agent coordinates with domain-specific agents for fixes
|
|
142
|
+
- All code changes undergo security review before implementation
|
|
143
|
+
- Continuous feedback loop between assessment and remediation
|
|
144
|
+
- Security findings tracked in centralized vulnerability management system
|
|
145
|
+
- Regular security reviews scheduled post-implementation
|
|
146
|
+
|
|
147
|
+
Security hardening target: $ARGUMENTS
|
|
148
|
+
|
|
149
|
+
## Attack Surface Review Protocol
|
|
150
|
+
|
|
151
|
+
This protocol runs during `/create-prd-security`. Universal checks apply to all projects. Surface-specific checks are conditional — they run only if the corresponding surface has been confirmed during `/create-prd-stack`.
|
|
152
|
+
|
|
153
|
+
### Universal Checks (All Projects)
|
|
154
|
+
|
|
155
|
+
#### 1. Secret Management
|
|
156
|
+
|
|
157
|
+
Where secrets are stored (env vars, vault, cloud secret manager), access policy, rotation cadence, CI injection method (environment variables, OIDC, sealed secrets).
|
|
158
|
+
|
|
159
|
+
Document under `## Security — Attack Surface > Secret Management`.
|
|
160
|
+
|
|
161
|
+
#### 2. Dependency Audit Cadence
|
|
162
|
+
|
|
163
|
+
Scan frequency; CI gate behavior on critical CVE (block merge, warn, ignore); triage policy for high-severity CVEs (patch within N days) and medium-severity CVEs (patch within N days or accept-with-justification).
|
|
164
|
+
|
|
165
|
+
Document under `## Security — Attack Surface > Dependency Auditing`.
|
|
166
|
+
|
|
167
|
+
### Web Surface Checks (If Web Surface Confirmed)
|
|
168
|
+
|
|
169
|
+
#### 1. OWASP Top 10 Review
|
|
170
|
+
|
|
171
|
+
For each of the 10 categories, name the specific mechanism that mitigates it.
|
|
172
|
+
|
|
173
|
+
**Rule:** "Handled by framework" is not acceptable — name the framework feature, the configuration, and the fallback if the framework is bypassed.
|
|
174
|
+
|
|
175
|
+
Document under `## Security — Attack Surface > Web > OWASP Top 10`.
|
|
176
|
+
|
|
177
|
+
#### 2. Security Headers
|
|
178
|
+
|
|
179
|
+
Configured values for each of the following headers:
|
|
180
|
+
|
|
181
|
+
- `Content-Security-Policy`
|
|
182
|
+
- `Strict-Transport-Security`
|
|
183
|
+
- `X-Content-Type-Options`
|
|
184
|
+
- `X-Frame-Options`
|
|
185
|
+
- `Referrer-Policy`
|
|
186
|
+
- `Permissions-Policy`
|
|
187
|
+
|
|
188
|
+
**Rule:** Each header must have a specific value, not just "enabled".
|
|
189
|
+
|
|
190
|
+
Document under `## Security — Attack Surface > Web > Security Headers`.
|
|
191
|
+
|
|
192
|
+
### API Surface Checks (If API Surface Confirmed)
|
|
193
|
+
|
|
194
|
+
#### 1. OWASP API Security Top 10
|
|
195
|
+
|
|
196
|
+
For each category, name the mechanism that mitigates it.
|
|
197
|
+
|
|
198
|
+
**Special emphasis:** BOLA/IDOR requires a per-endpoint ownership check strategy — name how each endpoint verifies the requesting user owns the requested resource.
|
|
199
|
+
|
|
200
|
+
Document under `## Security — Attack Surface > API > OWASP API Top 10`.
|
|
201
|
+
|
|
202
|
+
### Desktop Surface Checks (If Desktop Surface Confirmed)
|
|
203
|
+
|
|
204
|
+
#### 1. Sandboxing Model
|
|
205
|
+
|
|
206
|
+
Sandboxing strategy, IPC security boundaries, auto-update verification, code signing chain.
|
|
207
|
+
|
|
208
|
+
#### 2. Notarization
|
|
209
|
+
|
|
210
|
+
Notarization workflow (macOS notarization, Windows SmartScreen signing), signing certificate source, CI step that performs notarization.
|
|
211
|
+
|
|
212
|
+
#### 3. Local Data Encryption
|
|
213
|
+
|
|
214
|
+
Strategy for encrypting sensitive data at rest (encryption library, key storage mechanism, what data is encrypted).
|
|
215
|
+
|
|
216
|
+
Document all three under `## Security — Attack Surface > Desktop`.
|
|
217
|
+
|
|
218
|
+
### Mobile Surface Checks (If Mobile Surface Confirmed)
|
|
219
|
+
|
|
220
|
+
#### 1. Mobile-Specific Threats
|
|
221
|
+
|
|
222
|
+
Certificate pinning strategy, secure storage approach, jailbreak/root detection policy, deep link validation.
|
|
223
|
+
|
|
224
|
+
Document under `## Security — Attack Surface > Mobile`.
|
|
225
|
+
|
|
226
|
+
### User Presentation Prompts
|
|
227
|
+
|
|
228
|
+
Present these two questions to the user for confirmation:
|
|
229
|
+
|
|
230
|
+
1. "Are there any attack vectors I've missed for your specific domain?"
|
|
231
|
+
2. "Do the OWASP mechanisms look correct, or are any of them actually handled differently?"
|