clearctx 3.0.0 → 3.1.0

package/skills/security/SKILL.md

@@ -0,0 +1,1000 @@
+---
+name: security
+description: Production-grade application security covering authentication, authorization, input validation, XSS/CSRF/SQLi prevention, and secrets management
+domain: security
+keywords: [security, authentication, authorization, jwt, xss, csrf, sql-injection, encryption, cors, helmet]
+version: 1.0.0
+---
+
+# Security Expertise Skill
+
+## Worker Context
+
+You are a security specialist worker. Your role is to implement production-grade security controls following industry best practices. Every security decision has real consequences — a single vulnerability can compromise the entire application.
+
+### Authentication
+
+**JWT Token Strategy**
+
+CRITICAL: Implement dual-token architecture:
+- **Access token**: 15min expiry, stored in memory or httpOnly cookie
+- **Refresh token**: 7d expiry, stored in httpOnly, secure, SameSite=Strict cookie
+
+NEVER store JWT in localStorage (XSS-accessible).
+
+**Token Structure**
+```javascript
+{
+  sub: "user-id",
+  iat: 1234567890,
+  exp: 1234568790,
+  role: "admin"
+}
+```
+
+**Password Hashing**
+- Use bcrypt with cost factor 12+ (or argon2id)
+- NEVER use MD5, SHA1, or SHA256 for passwords
+- Check passwords against breach databases (HaveIBeenPwned API)
+- Minimum length: 8 characters
+
+```javascript
+// GOOD
+const bcrypt = require('bcrypt');
+const hashedPassword = await bcrypt.hash(password, 12);
+
+// BAD
+const hashedPassword = crypto.createHash('md5').update(password).digest('hex');
+```
+
+### Authorization
+
+**RBAC (Role-Based Access Control)**
+
+Implement three-tier model:
+1. **Roles**: admin, user, viewer
+2. **Permissions**: read, write, delete
+3. **Resources**: orders, users, reports
+
+**Middleware Pattern**
+```javascript
+// GOOD: Server-side role check
+function requireRole(role) {
+  return (req, res, next) => {
+    if (req.user.role !== role) {
+      return res.status(403).json({ error: 'Forbidden' });
+    }
+    next();
+  };
+}
+
+// Resource-level authorization
+function requireOwnership(req, res, next) {
+  if (req.user.id !== resource.ownerId) {
+    return res.status(403).json({ error: 'Forbidden' });
+  }
+  next();
+}
+```
+
+NEVER rely solely on client-side role checks — always enforce server-side.
+
+### Input Validation
+
+CRITICAL: Validate ALL inputs server-side:
+- req.body
+- req.params
+- req.query
+- headers
+
+**Validation Strategy**
+- Whitelist allowed values, NEVER blacklist
+- Use schema validation (Zod, Joi) at route level
+- Sanitize HTML with DOMPurify before rendering
+
+```javascript
+// GOOD: Schema validation
+const userSchema = z.object({
+  email: z.string().email(),
+  age: z.number().min(18).max(120),
+  role: z.enum(['admin', 'user', 'viewer'])
+});
+
+app.post('/users', (req, res) => {
+  const result = userSchema.safeParse(req.body);
+  if (!result.success) {
+    return res.status(400).json({ error: result.error });
+  }
+  // Proceed with validated data
+});
+
+// BAD: No validation
+app.post('/users', (req, res) => {
+  const { email, age, role } = req.body;
+  db.createUser({ email, age, role }); // Vulnerable
+});
+```
+
+### SQL Injection Prevention
+
+CRITICAL: ALWAYS use parameterized queries. NEVER concatenate user input into SQL strings.
+
+```javascript
+// GOOD: Parameterized query
+const result = await db.query(
+  'SELECT * FROM users WHERE id = $1 AND status = $2',
+  [userId, status]
+);
+
+// BAD: String concatenation - VULNERABLE TO SQL INJECTION
+const result = await db.query(
+  'SELECT * FROM users WHERE id = ' + userId + ' AND status = "' + status + '"'
+);
+```
+
+**Query Builder Safety**
+```javascript
+// GOOD: Using query builder properly
+const user = await db('users')
+  .where({ id: userId })
+  .first();
+
+// BAD: Raw queries with interpolation
+const user = await db.raw(`SELECT * FROM users WHERE id = ${userId}`);
+```
+
+### XSS Prevention
+
+**Output Encoding**
+
+CRITICAL: Encode all user content before rendering.
+
+```javascript
+// GOOD: Using DOMPurify for rich text
+import DOMPurify from 'dompurify';
+const clean = DOMPurify.sanitize(userContent);
+
+// BAD: Direct innerHTML - VULNERABLE TO XSS
+element.innerHTML = userContent;
+```
+
+**Content Security Policy**
+```javascript
+app.use(helmet.contentSecurityPolicy({
+  directives: {
+    defaultSrc: ["'self'"],
+    scriptSrc: ["'self'"],
+    styleSrc: ["'self'", "'unsafe-inline'"],
+    imgSrc: ["'self'", "data:", "https:"],
+    connectSrc: ["'self'"],
+    fontSrc: ["'self'"],
+    objectSrc: ["'none'"],
+    mediaSrc: ["'self'"],
+    frameSrc: ["'none'"]
+  }
+}));
+```
+
+NEVER use:
+- `dangerouslySetInnerHTML` with unsanitized input
+- `eval()` or `new Function()` with user input
+- `onclick="user_data"` inline event handlers
+
+### CSRF Protection
+
+**Defense Layers**
+
+1. **SameSite Cookies** (Primary defense)
+```javascript
+res.cookie('session', token, {
+  httpOnly: true,
+  secure: true,
+  sameSite: 'strict',
+  maxAge: 604800000 // 7 days
+});
+```
+
+2. **CSRF Tokens** (Double-submit cookie pattern)
+```javascript
+const csrf = require('csurf');
+app.use(csrf({ cookie: true }));
+
+app.get('/form', (req, res) => {
+  res.render('form', { csrfToken: req.csrfToken() });
+});
+```
+
+3. **Origin/Referer Verification**
+```javascript
+function verifyOrigin(req, res, next) {
+  const origin = req.get('Origin') || req.get('Referer');
+  if (!origin || !origin.startsWith('https://yourdomain.com')) {
+    return res.status(403).json({ error: 'Invalid origin' });
+  }
+  next();
+}
+```
+
+### Password Security
+
+**Hashing Parameters**
+- bcrypt cost: 12 minimum (increases computation time exponentially)
+- argon2id: memory=64MB, iterations=3, parallelism=4
+
+**Password Requirements**
+- Minimum 8 characters
+- Check against breached password lists (HaveIBeenPwned API)
+- NEVER store plaintext
+- NEVER send passwords in URL/query params
+
+```javascript
+// GOOD: Secure password handling
+const bcrypt = require('bcrypt');
+const SALT_ROUNDS = 12;
+
+async function hashPassword(password) {
+  return await bcrypt.hash(password, SALT_ROUNDS);
+}
+
+async function verifyPassword(password, hash) {
+  return await bcrypt.compare(password, hash);
+}
+
+// BAD: Insecure hashing
+const hash = crypto.createHash('sha256').update(password).digest('hex');
+```
+
+### HTTPS & Transport Security
+
+**Force HTTPS**
+```javascript
+app.use((req, res, next) => {
+  if (req.header('x-forwarded-proto') !== 'https') {
+    return res.redirect(`https://${req.header('host')}${req.url}`);
+  }
+  next();
+});
+```
+
+**HSTS Header**
+```javascript
+app.use(helmet.hsts({
+  maxAge: 31536000, // 1 year
+  includeSubDomains: true,
+  preload: true
+}));
+```
+
+**Secure Cookie Flags**
+```javascript
+// GOOD
+res.cookie('token', value, {
+  secure: true,       // HTTPS only
+  httpOnly: true,     // Not accessible via JavaScript
+  sameSite: 'strict'  // CSRF protection
+});
+
+// BAD
+res.cookie('token', value); // Vulnerable
+```
+
+### Rate Limiting
+
+**Tiered Rate Limits**
+
+| Endpoint Type | Limit | Window |
+|---------------|-------|--------|
+| Public endpoints | 100 req | 15 min |
+| Authenticated | 1000 req | 15 min |
+| Auth routes (login/register) | 5 req | 15 min |
+
+```javascript
+const rateLimit = require('express-rate-limit');
+
+// Auth endpoints
+const authLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 5,
+  message: 'Too many login attempts, try again later',
+  standardHeaders: true,
+  legacyHeaders: false
+});
+
+app.post('/login', authLimiter, loginHandler);
+
+// API endpoints
+const apiLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 100,
+  keyGenerator: (req) => req.user?.id || req.ip
+});
+```
+
+**Exponential Backoff**
+```javascript
+// Failed login tracking
+const loginAttempts = new Map();
+
+function getBackoffDelay(userId) {
+  const attempts = loginAttempts.get(userId) || 0;
+  return Math.min(Math.pow(2, attempts) * 1000, 30000); // Max 30s
+}
+```
+
+Return 429 status with Retry-After header on rate limit.
+
+### Secrets Management
+
+CRITICAL: NEVER commit secrets to version control.
+
+**Environment Variables**
+```bash
+# .env (MUST be in .gitignore)
+DATABASE_URL=postgresql://user:pass@localhost/db
+JWT_SECRET=your-secret-key-here
+API_KEY=your-api-key-here
+
+# .env.example (commit this)
+DATABASE_URL=
+JWT_SECRET=
+API_KEY=
+```
+
+**Loading Secrets**
+```javascript
+// GOOD
+require('dotenv').config();
+const dbUrl = process.env.DATABASE_URL;
+
+// BAD: Hardcoded secrets
+const dbUrl = 'postgresql://user:password@localhost/db';
+```
+
+**Logging Secrets**
+```javascript
+// GOOD: Redact sensitive fields
+const pino = require('pino');
+const logger = pino({
+  redact: ['req.headers.authorization', 'password', 'token', 'apiKey']
+});
+
+// BAD: Logging raw requests
+console.log('Request:', req.body); // May contain passwords
+```
+
+NEVER:
+- Commit .env files
+- Put secrets in Dockerfile
+- Log secrets (use Pino redact)
+- Send secrets in error messages
+
+**Secret Rotation**
+- Rotate on suspected breach
+- Rotate JWT secrets every 90 days
+- Use different secrets per environment
+
+### Security Headers
+
+**Helmet.js Configuration**
+```javascript
+const helmet = require('helmet');
+
+app.use(helmet({
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'"]
+    }
+  },
+  hsts: {
+    maxAge: 31536000,
+    includeSubDomains: true
+  }
+}));
+```
+
+**Critical Headers**
+```javascript
+X-Content-Type-Options: nosniff
+X-Frame-Options: DENY
+X-XSS-Protection: 1; mode=block
+Referrer-Policy: strict-origin-when-cross-origin
+Permissions-Policy: camera=(), microphone=(), geolocation=()
+```
+
+### CORS Configuration
+
+CRITICAL: NEVER use `origin: '*'` with credentials.
+
+```javascript
+// GOOD: Whitelist specific origins
+const cors = require('cors');
+
+app.use(cors({
+  origin: ['https://app.example.com', 'https://admin.example.com'],
+  credentials: true,
+  methods: ['GET', 'POST', 'PUT', 'DELETE'],
+  allowedHeaders: ['Content-Type', 'Authorization'],
+  maxAge: 86400 // Preflight cache: 24 hours
+}));
+
+// BAD: Permissive CORS with credentials
+app.use(cors({
+  origin: '*',
+  credentials: true // VULNERABLE
+}));
+```
+
+**Dynamic Origin Validation**
+```javascript
+const allowedOrigins = [
+  'https://app.example.com',
+  'https://admin.example.com'
+];
+
+app.use(cors({
+  origin: (origin, callback) => {
+    if (!origin || allowedOrigins.includes(origin)) {
+      callback(null, true);
+    } else {
+      callback(new Error('Not allowed by CORS'));
+    }
+  },
+  credentials: true
+}));
+```
+
+### Error Handling
+
+**Production vs Development**
+
+```javascript
+// GOOD: Safe error responses
+app.use((err, req, res, next) => {
+  logger.error(err); // Log full error server-side
+
+  if (process.env.NODE_ENV === 'production') {
+    res.status(500).json({ error: 'Internal server error' });
+  } else {
+    res.status(500).json({
+      error: err.message,
+      stack: err.stack
+    });
+  }
+});
+
+// BAD: Exposing sensitive information
+app.use((err, req, res, next) => {
+  res.status(500).json({
+    error: err.message,
+    stack: err.stack,
+    query: req.query // May contain SQL or tokens
+  });
+});
+```
+
+NEVER expose in production:
+- Stack traces
+- Database error messages
+- File paths
+- SQL queries
+- Environment variables
+
+## Conventions
+
+### Response Format
+```javascript
+// Success
+{ data: <result> }
+
+// Error
+{ error: <message> }
+```
+
+### HTTP Status Codes
+- 200: Success (read, update, delete)
+- 201: Created
+- 400: Bad request (validation failed)
+- 401: Unauthorized (no/invalid token)
+- 403: Forbidden (valid token, insufficient permissions)
+- 404: Not found
+- 409: Conflict (duplicate resource)
+- 429: Too many requests (rate limited)
+- 500: Internal server error
+
+### Naming Conventions
+- Database columns: snake_case
+- JavaScript variables: camelCase
+- Environment variables: UPPER_SNAKE_CASE
+- File names: kebab-case
+
+### Token Expiry Times
+- Access token: 900 (15 minutes)
+- Refresh token: 604800 (7 days)
+- Remember-me token: 2592000 (30 days)
+
+## Common Patterns
+
+### 1. JWT Authentication Middleware
+
+```javascript
+const jwt = require('jsonwebtoken');
+
+function authenticateToken(req, res, next) {
+  // Extract token from Authorization header or cookie
+  const authHeader = req.headers['authorization'];
+  const token = authHeader?.split(' ')[1] || req.cookies.accessToken;
+
+  if (!token) {
+    return res.status(401).json({ error: 'Authentication required' });
+  }
+
+  try {
+    const user = jwt.verify(token, process.env.JWT_SECRET);
+    req.user = user;
+    next();
+  } catch (err) {
+    if (err.name === 'TokenExpiredError') {
+      return res.status(401).json({ error: 'Token expired' });
+    }
+    return res.status(403).json({ error: 'Invalid token' });
+  }
+}
+
+// Usage
+app.get('/protected', authenticateToken, (req, res) => {
+  res.json({ data: req.user });
+});
+```
+
+### 2. Refresh Token Rotation
+
+```javascript
+async function refreshAccessToken(req, res) {
+  const refreshToken = req.cookies.refreshToken;
+
+  if (!refreshToken) {
+    return res.status(401).json({ error: 'Refresh token required' });
+  }
+
+  try {
+    const user = jwt.verify(refreshToken, process.env.JWT_REFRESH_SECRET);
+
+    // Issue new access token
+    const newAccessToken = jwt.sign(
+      { sub: user.sub, role: user.role },
+      process.env.JWT_SECRET,
+      { expiresIn: '15m' }
+    );
+
+    // Rotate refresh token
+    const newRefreshToken = jwt.sign(
+      { sub: user.sub },
+      process.env.JWT_REFRESH_SECRET,
+      { expiresIn: '7d' }
+    );
+
+    // Set new tokens
+    res.cookie('accessToken', newAccessToken, {
+      httpOnly: true,
+      secure: true,
+      sameSite: 'strict',
+      maxAge: 900000 // 15 min
+    });
+
+    res.cookie('refreshToken', newRefreshToken, {
+      httpOnly: true,
+      secure: true,
+      sameSite: 'strict',
+      maxAge: 604800000 // 7 days
+    });
+
+    res.json({ data: { accessToken: newAccessToken } });
+  } catch (err) {
+    res.status(403).json({ error: 'Invalid refresh token' });
+  }
+}
+```
+
+### 3. Input Validation with Zod
+
+```javascript
+const { z } = require('zod');
+
+// Define schemas
+const createUserSchema = z.object({
+  email: z.string().email().max(255),
+  password: z.string().min(8).max(128),
+  name: z.string().min(1).max(100),
+  role: z.enum(['admin', 'user', 'viewer']).optional()
+});
+
+const updateUserSchema = z.object({
+  name: z.string().min(1).max(100).optional(),
+  email: z.string().email().max(255).optional()
+}).refine(data => Object.keys(data).length > 0, {
+  message: 'At least one field required'
+});
+
+// Validation middleware
+function validate(schema) {
+  return (req, res, next) => {
+    const result = schema.safeParse(req.body);
+    if (!result.success) {
+      return res.status(400).json({
+        error: 'Validation failed',
+        details: result.error.errors
+      });
+    }
+    req.validatedData = result.data;
+    next();
+  };
+}
+
+// Usage
+app.post('/users', validate(createUserSchema), async (req, res) => {
+  const user = await createUser(req.validatedData);
+  res.status(201).json({ data: user });
+});
+```
+
+### 4. RBAC Permission Checker
+
+```javascript
+// Permission definitions
+const PERMISSIONS = {
+  admin: ['users:read', 'users:write', 'users:delete', 'orders:read', 'orders:write'],
+  user: ['orders:read', 'orders:write'],
+  viewer: ['orders:read']
+};
+
+function requirePermission(permission) {
+  return (req, res, next) => {
+    const userPermissions = PERMISSIONS[req.user.role] || [];
+
+    if (!userPermissions.includes(permission)) {
+      return res.status(403).json({
+        error: 'Insufficient permissions',
+        required: permission,
+        has: userPermissions
+      });
+    }
+
+    next();
+  };
+}
+
+// Usage
+app.delete('/users/:id',
+  authenticateToken,
+  requirePermission('users:delete'),
+  deleteUserHandler
+);
+```
+
+### 5. Secure Password Reset Flow
+
+```javascript
+const crypto = require('crypto');
+
+// Generate reset token
+async function initiatePasswordReset(email) {
+  const user = await findUserByEmail(email);
+  if (!user) {
+    // Don't reveal if email exists
+    return { success: true };
+  }
+
+  // Generate secure token
+  const resetToken = crypto.randomBytes(32).toString('hex');
+  const resetTokenHash = crypto
+    .createHash('sha256')
+    .update(resetToken)
+    .digest('hex');
+
+  // Store hashed token with expiry
+  await db('users').where({ id: user.id }).update({
+    reset_token_hash: resetTokenHash,
+    reset_token_expires: new Date(Date.now() + 3600000) // 1 hour
+  });
+
+  // Send email with plain token (only time it's visible)
+  await sendResetEmail(user.email, resetToken);
+
+  return { success: true };
+}
+
+// Verify and reset password
+async function resetPassword(token, newPassword) {
+  const tokenHash = crypto
+    .createHash('sha256')
+    .update(token)
+    .digest('hex');
+
+  const user = await db('users')
+    .where({ reset_token_hash: tokenHash })
+    .where('reset_token_expires', '>', new Date())
+    .first();
+
+  if (!user) {
+    return { error: 'Invalid or expired reset token' };
+  }
+
+  const hashedPassword = await bcrypt.hash(newPassword, 12);
+
+  await db('users').where({ id: user.id }).update({
+    password_hash: hashedPassword,
+    reset_token_hash: null,
+    reset_token_expires: null
+  });
+
+  return { success: true };
+}
+```
+
+## Anti-Patterns
+
+### 1. JWT in localStorage
+
+```javascript
+// BAD: Vulnerable to XSS
+localStorage.setItem('token', jwtToken);
+const token = localStorage.getItem('token');
+
+// GOOD: httpOnly cookie
+res.cookie('accessToken', jwtToken, {
+  httpOnly: true,      // Not accessible via JavaScript
+  secure: true,        // HTTPS only
+  sameSite: 'strict',  // CSRF protection
+  maxAge: 900000       // 15 min
+});
+```
+
+**Why**: localStorage is accessible via JavaScript, making tokens vulnerable to XSS attacks. httpOnly cookies cannot be accessed by client-side scripts.
+
+### 2. Secrets in Code
+
+```javascript
+// BAD: Hardcoded secrets
+const JWT_SECRET = 'my-secret-key-123';
+const API_KEY = 'sk-1234567890abcdef';
+
+app.listen(3000, () => {
+  console.log('JWT Secret:', JWT_SECRET); // Logged secret
+});
+
+// GOOD: Environment variables
+require('dotenv').config();
+const JWT_SECRET = process.env.JWT_SECRET;
+const API_KEY = process.env.API_KEY;
+
+if (!JWT_SECRET || !API_KEY) {
+  throw new Error('Missing required environment variables');
+}
+```
+
+**Why**: Hardcoded secrets are visible in version control and logs. Environment variables keep secrets out of code and allow different values per environment.
+
+### 3. Client-Side Only Validation
+
+```javascript
+// BAD: Only client-side validation
+// frontend.js
+if (email.includes('@')) {
+  fetch('/api/users', {
+    method: 'POST',
+    body: JSON.stringify({ email })
+  });
+}
+
+// backend.js
+app.post('/api/users', (req, res) => {
+  const { email } = req.body;
+  db.createUser({ email }); // No validation - VULNERABLE
+});
+
+// GOOD: Server-side validation (client-side is optional UX enhancement)
+// backend.js
+const emailSchema = z.string().email().max(255);
+
+app.post('/api/users', (req, res) => {
+  const result = emailSchema.safeParse(req.body.email);
+  if (!result.success) {
+    return res.status(400).json({ error: 'Invalid email' });
+  }
+  db.createUser({ email: result.data });
+});
+```
+
+**Why**: Client-side validation can be bypassed by sending direct HTTP requests. ALWAYS validate server-side.
+
+### 4. Verbose Error Messages
+
+```javascript
+// BAD: Exposing internal details
+app.use((err, req, res, next) => {
+  res.status(500).json({
+    error: err.message,
+    stack: err.stack,
+    sql: err.sql,              // Exposes database schema
+    query: req.query,          // May contain sensitive data
+    env: process.env           // CRITICAL: Exposes all secrets
+  });
+});
+
+// GOOD: Generic error in production
+app.use((err, req, res, next) => {
+  // Log full error server-side
+  logger.error({
+    message: err.message,
+    stack: err.stack,
+    user: req.user?.id,
+    path: req.path
+  });
+
+  // Return generic error to client
+  const message = process.env.NODE_ENV === 'production'
+    ? 'Internal server error'
+    : err.message;
+
+  res.status(500).json({ error: message });
+});
+```
+
+**Why**: Detailed error messages leak sensitive information about your system architecture, database schema, and file structure. Attackers use this information to craft targeted attacks.
+
+### 5. MD5 for Security
+
+```javascript
+// BAD: Using MD5 or SHA for passwords
+const crypto = require('crypto');
+const hashedPassword = crypto
+  .createHash('md5')
+  .update(password)
+  .digest('hex');
+
+// Also BAD: SHA-256 (too fast for passwords)
+const hashedPassword = crypto
+  .createHash('sha256')
+  .update(password)
+  .digest('hex');
+
+// GOOD: bcrypt with proper cost factor
+const bcrypt = require('bcrypt');
+const hashedPassword = await bcrypt.hash(password, 12);
+
+// Or argon2id
+const argon2 = require('argon2');
+const hashedPassword = await argon2.hash(password, {
+  type: argon2.argon2id,
+  memoryCost: 65536,    // 64 MB
+  timeCost: 3,
+  parallelism: 4
+});
+```
+
+**Why**: MD5 and SHA are designed for speed, making them vulnerable to brute-force attacks. Modern GPUs can compute billions of MD5 hashes per second. bcrypt and argon2id are designed to be slow and resistant to hardware acceleration.
+
+## Integration Notes
+
+### Workflow
+
+1. **Before starting**: Call `team_check_inbox` to check for messages from orchestrator or other workers
+
+2. **Read conventions**: Use the `artifact_read` tool to read the `shared-conventions` artifact for:
+   - Auth token format (JWT structure, claims)
+   - Error response format
+   - HTTP status codes
+   - Cookie configuration (names, flags)
+   - Rate limit values per endpoint type
+
+3. **Publish security configuration**: Create a `security-config` artifact containing:
+   ```json
+   {
+     "cors": {
+       "origins": ["https://app.example.com"],
+       "credentials": true,
+       "methods": ["GET", "POST", "PUT", "DELETE"]
+     },
+     "rateLimits": {
+       "auth": { "max": 5, "windowMs": 900000 },
+       "api": { "max": 100, "windowMs": 900000 },
+       "authenticated": { "max": 1000, "windowMs": 900000 }
+     },
+     "headers": {
+       "hsts": { "maxAge": 31536000, "includeSubDomains": true },
+       "csp": {
+         "defaultSrc": ["'self'"],
+         "scriptSrc": ["'self'"]
+       }
+     },
+     "auth": {
+       "accessTokenExpiry": "15m",
+       "refreshTokenExpiry": "7d",
+       "bcryptRounds": 12,
+       "cookieConfig": {
+         "httpOnly": true,
+         "secure": true,
+         "sameSite": "strict"
+       }
+     }
+   }
+   ```
+
+4. **Coordinate with other workers**:
+   - **Backend worker**: Use `team_ask` to confirm middleware integration points and error handling format
+   - **Frontend worker**: Use `team_ask` to confirm token storage strategy and CORS origins
+   - **Database worker**: Use `team_ask` to confirm user table schema includes password_hash, reset_token_hash, reset_token_expires columns
+
+5. **Implementation order**:
+   - Set up Helmet and security headers first
+   - Implement authentication middleware
+   - Add authorization/RBAC
+   - Apply input validation schemas
+   - Configure rate limiting
+   - Set up CORS with proper origins
+
+6. **File paths**: Use relative paths only (e.g., `./middleware/auth.js`, not `/app/middleware/auth.js`)
+
+7. **Broadcast completion**: After publishing the security-config artifact, use `team_broadcast` to notify:
+   ```javascript
+   {
+     from: "security",
+     content: "Security configuration published. All workers must consume security-config artifact for auth middleware, CORS, and headers."
+   }
+   ```
+
+### Critical Dependencies
+
+All workers MUST consume the `security-config` artifact before implementing:
+- API routes (need auth middleware and rate limiting)
+- Frontend API calls (need CORS origins and token handling)
+- Database operations (need input validation to prevent SQL injection)
+- Error handlers (need proper error format without leaking details)
+
+### Environment Variables Required
+
+Ensure these are in `.env.example`:
+```bash
+# JWT
+JWT_SECRET=
+JWT_REFRESH_SECRET=
+
+# Database
+DATABASE_URL=
+
+# CORS
+ALLOWED_ORIGINS=https://app.example.com,https://admin.example.com
+
+# Rate Limiting
+RATE_LIMIT_WINDOW_MS=900000
+RATE_LIMIT_MAX_REQUESTS=100
+
+# Environment
+NODE_ENV=development
+```
+
+### Testing Security
+
+Before marking security implementation as complete:
+1. Verify all endpoints require authentication
+2. Test RBAC with different roles
+3. Attempt SQL injection with `' OR '1'='1` payloads
+4. Verify CORS blocks unauthorized origins
+5. Test rate limiting with rapid requests
+6. Confirm secrets are not in git history: `git log -p | grep -i "password\|secret\|api_key"`
+
+### Security Checklist
+
+- [ ] All passwords hashed with bcrypt (cost ≥12)
+- [ ] JWT in httpOnly cookies, NOT localStorage
+- [ ] All SQL queries parameterized
+- [ ] Input validation on ALL endpoints
+- [ ] Rate limiting on auth endpoints (5/15min)
+- [ ] CORS whitelist (no `*` with credentials)
+- [ ] HSTS header configured
+- [ ] CSP header blocks inline scripts
+- [ ] Secrets in .env, NOT in code
+- [ ] .env in .gitignore
+- [ ] Error messages don't expose stack traces in production
+- [ ] HTTPS enforced via redirect