| Expert(s) | Possible Keywords | Question | Plan |
| --- | --- | --- | --- |
| AppSec Lead, DevSecOps Engineer, Red-Team Operator, SRE, Privacy Counsel (UK), Frontend/Backend Staff Engineers | OWASP ASVS, STRIDE, SLSA, SBOM, CycloneDX, Sigstore, COSIGN, CIS Benchmarks, ZTA, mTLS, HSTS, CSP, SSRF, RCE, CSRF, RBAC/ABAC, OIDC, DPAPI/KMS, UK GDPR/DPA 2018, DPIA, SOC2/ISO27001, SAST/DAST/IAST, fuzzing, gitleaks, trufflehog, Vault, Zod, React Hook Form, Playwright, Cypress, Hardhat, Slither, Echidna, Foundry, Multisig, Timelock, Reentrancy, CEI pattern, Rate limiting, Idempotency keys, Backoff jitter | Elevate the engineering “house rules” into a white-hat, security-first standard that bakes ethical, legal, and privacy-by-design controls into code, CI/CD, testing, and operations. | Map threats (🎓 STRIDE) → codify secure defaults (headers, authn/z, storage) → secure SDLC (SAST/DAST/Secrets/SBOM) → hardened CI/CD & supply chain (🎓 SLSA) → privacy compliance (UK GDPR) → monitoring/IR runbook → anti-abuse controls → per-surface addenda (Web, API, Mobile, Web3). [Topic][Region=UK][Audience=Execs][Goal=Tool] |
---
### This part covers
* A fully revised, security-first rulebook aligned with ethical (“white-hat”) practice, legal boundaries, and operational reality.
* Applies across web, backend, mobile, and optional Web3.
Use `/summary` to compress; `/review` to critique gaps; `/q` for next prompts; `/alt` if you want a lighter “startup-mode” variant; `/arg` for a stricter, compliance-max take.
---
## 🎓 White-Hat Engineering Standard (V1)
> **Assumptions**: UK jurisdiction; greenfield or refactor-friendly codebase; pnpm monorepo; GitHub/GitLab; containerized deploys; IaC present. Links are reference search queries only.
> Core refs: [OWASP ASVS](https://www.google.com/search?q=OWASP+ASVS), [STRIDE](https://www.google.com/search?q=STRIDE+threat+model), [SLSA](https://www.google.com/search?q=Google+SLSA), [CycloneDX SBOM](https://www.google.com/search?q=CycloneDX+SBOM), [UK GDPR](https://www.google.com/search?q=UK+GDPR+summary).
---
### 0) 🧭 Ethical & Legal Guardrails (White-Hat Code)
* Operate with **written permission** and documented **scope** for all testing; maintain an allow-list of domains/targets and **rate-limit** offensive tooling.
* **No production user harm**: only synthetic/test identities & sandbox data; **DPIA** where personal data exists.
* **Responsible disclosure** policy in `SECURITY.md`; triage SLA & safe-harbor language.
* Maintain **Audit Log** for privileged actions; tamper-evident storage for IR.
---
### 1) GLOBAL DEFAULTS
* Production-grade, runnable TS by default; modular, DI-friendly; SOLID where it clarifies ownership.
* DX: explicit foldering, clear names, zero magic; comments explain **why**, not “what.”
* Clarify blockers **only** when execution is impossible; otherwise proceed with sane defaults and list **Assumptions** up top.
---
### 2) STYLE & QA
* TS Strict; ESLint (airbnb or standard-with-typescript) + Prettier + EditorConfig; `pnpm lint && pnpm typecheck && pnpm test` must pass.
* Conventional Commits; include suggested commit per change.
* **Security linters**: `eslint-plugin-security` and `eslint-plugin-unicorn`; keep unsafe patterns to a minimum.
---
### 3) TESTING POLICY
* Unit tests per module (Vitest/Jest); React uses testing-library.
* E2E outlines with Playwright/Cypress; tag **security flows** (auth, payments, admin) as critical.
* **No live network** in tests; **mock** externals; use **property tests/fuzzing** for parsers/encoders.
* Add regression tests for every fixed vuln (TDD for vulns).
---
### 4) 🔐 SECURITY (Expanded)
**Input & Output**
* Validate all inputs with **Zod** (Nest: class-validator) at the **edge**; sanitize outputs; **encode** on render to prevent XSS.
* For HTTP clients, enforce **timeouts**, **retries with jitter**, circuit-breaker, and bounded concurrency; **safe JSON parse**.
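
The HTTP-client rule above, sketched as an added example (not code from the original rulebook): a per-attempt timeout via `AbortController`, capped "full jitter" backoff, and a JSON parse that never throws. The names `withRetry`, `backoffDelay`, `safeJsonParse` and the option fields are hypothetical.

```typescript
// Added example: hypothetical helpers illustrating the HTTP-client rule.
interface RetryOpts {
  attempts: number;   // total tries, including the first
  baseMs: number;     // backoff ceiling for the first retry
  capMs: number;      // upper bound on any single delay
  timeoutMs: number;  // per-attempt deadline
  retryable?: (err: unknown) => boolean;  // e.g. only idempotent requests, 5xx, timeouts
  random?: () => number;                  // injectable so tests are deterministic
  sleep?: (ms: number) => Promise<void>;
}

// Full jitter: the delay is uniform in [0, min(cap, base * 2^attempt)).
function backoffDelay(attempt: number, o: RetryOpts): number {
  const ceiling = Math.min(o.capMs, o.baseMs * 2 ** attempt);
  return Math.floor((o.random ?? Math.random)() * ceiling);
}

async function withRetry<T>(op: (signal: AbortSignal) => Promise<T>, o: RetryOpts): Promise<T> {
  const sleep = o.sleep ?? ((ms: number) => new Promise<void>((r) => setTimeout(r, ms)));
  let lastErr: unknown;
  for (let i = 0; i < o.attempts; i++) {
    const ctl = new AbortController();
    const timer = setTimeout(() => ctl.abort(), o.timeoutMs); // enforce the deadline
    try {
      return await op(ctl.signal); // op must pass the signal to fetch()
    } catch (err) {
      lastErr = err;
      if (o.retryable && !o.retryable(err)) break; // do not retry permanent failures
    } finally {
      clearTimeout(timer);
    }
    if (i < o.attempts - 1) await sleep(backoffDelay(i, o));
  }
  throw lastErr;
}

// Size-capped parse that returns undefined instead of throwing and drops
// "__proto__" keys so a later object merge cannot pollute prototypes.
function safeJsonParse(text: string, maxChars = 64 * 1024): unknown {
  if (text.length > maxChars) return undefined;
  try {
    return JSON.parse(text, (k, v) => (k === "__proto__" ? undefined : v));
  } catch {
    return undefined;
  }
}
```
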
**AuthN/Z & Session**
* OIDC/OAuth2 where possible; short-lived tokens; refresh via **rotating** refresh tokens; session cookies `HttpOnly`, `Secure`, `SameSite=Lax` and bound to IP/UA when appropriate.
* **RBAC/ABAC**; default-deny; explicit resource scoping; idempotency keys on mutations.
**Secrets & Crypto**
* No hardcoded secrets; use Vault/KMS; rotate keys; least privilege for service accounts.
* TLS 1.2+ (prefer **1.3**); HSTS, OCSP stapling; encryption at rest via KMS.
* Password hashing via **Argon2id**; per-record salts; enforce strong policies.
**Headers & Browser Security**
* **CSP** (non-wildcard), **X-Frame-Options: DENY**, **X-Content-Type-Options: nosniff**, **Referrer-Policy: strict-origin-when-cross-origin**, **Permissions-Policy** minimal.
* File uploads: MIME sniffing off; server-side type/size allow-list; virus scan; store outside web root.
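
A check for the header rules above and the session-cookie flags from the AuthN/Z rules, as an added example that is not part of the original rulebook. `auditHeaders` and both sample responses are constructed for illustration; treating scheme-only CSP sources such as `https:` as wildcards is this example's assumption.

```typescript
// Added example: audit one response's headers against the rulebook's values.
type HeaderMap = Record<string, string>;

const EXACT: Array<[string, string]> = [
  ["x-frame-options", "DENY"],
  ["x-content-type-options", "nosniff"],
  ["referrer-policy", "strict-origin-when-cross-origin"],
];

// CSP sources that widen the policy: "*", "*.host" patterns, scheme-only sources.
function cspWildcards(csp: string): string[] {
  const bad: string[] = [];
  for (const directive of csp.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    for (const s of sources) {
      if (s.includes("*") || /^(https?|wss?|data):$/i.test(s)) bad.push(`${name} ${s}`);
    }
  }
  return bad;
}

function auditHeaders(raw: HeaderMap): string[] {
  const h: HeaderMap = {};
  for (const [k, v] of Object.entries(raw)) h[k.toLowerCase()] = v.trim();
  const findings: string[] = [];
  for (const [name, want] of EXACT) {
    if ((h[name] || "").toLowerCase() !== want.toLowerCase()) findings.push(`${name}: expected ${want}`);
  }
  const csp = h["content-security-policy"];
  if (!csp) findings.push("content-security-policy: missing");
  else for (const w of cspWildcards(csp)) findings.push(`content-security-policy: wildcard source "${w}"`);
  if (!h["permissions-policy"]) findings.push("permissions-policy: missing");
  const cookie = h["set-cookie"]; // session cookie: HttpOnly, Secure, SameSite=Lax
  if (cookie) {
    const attrs = cookie.split(";").map((a) => a.trim().toLowerCase());
    for (const want of ["httponly", "secure", "samesite=lax"]) {
      if (!attrs.includes(want)) findings.push(`set-cookie: missing ${want}`);
    }
  }
  return findings;
}

// Constructed sample responses (not captured from a real service).
const HARDENED: HeaderMap = {
  "Content-Security-Policy": "default-src 'self'; img-src 'self' https://cdn.example.org",
  "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  "Set-Cookie": "sid=abc; Path=/; HttpOnly; Secure; SameSite=Lax",
};
const WEAK: HeaderMap = { "Content-Security-Policy": "default-src *; img-src https: data:",
  "X-Frame-Options": "SAMEORIGIN", "Set-Cookie": "sid=abc; Path=/; Secure" };
```

Run in an integration test against each route's response, `auditHeaders` returns an empty list for `HARDENED` and one finding per deviation for `WEAK`.
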
**SSRF/RCE/Deserialization**
* SSRF: egress allow-list; block link-local/metadata IPs; sanitize URLs.
* Avoid `eval`, dynamic `Function`, unsafe regex; safe parsers for YAML/CSV.
* No insecure deserialization; sign/verify serialized blobs.
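
One way to implement the SSRF rule above, as an added example that is not part of the original rulebook: an egress allow-list on the host name plus a block-list applied to the addresses that name resolves to. The host names, addresses and the function names `checkEgress` and `isBlockedAddress` are constructed; the caller is assumed to perform DNS resolution and pass the results in.

```typescript
// Added example: egress check for server-side fetches (constructed hosts/addresses).
interface Verdict { ok: boolean; reason: string }

const ALLOWED_HOSTS = new Set(["api.partner.example", "hooks.example.org"]);

// Loopback, RFC 1918, CGNAT and link-local (169.254.0.0/16 holds cloud metadata).
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function v4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isBlockedAddress(ip: string): boolean {
  const n = v4ToInt(ip);
  if (n === null) return true; // IPv6 or malformed: fail closed in this sketch
  return BLOCKED_V4.some(([base, bits]) => {
    const start = v4ToInt(base) as number;
    return n >= start && n < start + 2 ** (32 - bits);
  });
}

function checkEgress(rawUrl: string, resolved: string[]): Verdict {
  let url: URL;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: "unparsable URL" }; }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme not allowed" };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // The URL parser has already canonicalised forms such as 0x7f.1 or 2130706433.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: "host not on allow-list" };
  // An allow-listed name can still resolve to an internal address.
  if (resolved.length === 0 || resolved.some(isBlockedAddress)) {
    return { ok: false, reason: "resolves to blocked range" };
  }
  return { ok: true, reason: "allowed" };
}
```

Connect to the address that was validated rather than resolving the name a second time, and apply the same check to every redirect target.
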
**Abuse & Availability**
* Global & per-route **rate limits**; IP/device/account heuristics; CAPTCHA only as last resort.
* Queue length caps, timeouts, backpressure, and **dead-letter** strategy.
**Compliance**
* Map data categories; **minimize** collection; retention with TTL & deletion jobs; UK GDPR lawful basis and **DPIA** recorded.
---
### 5) 🚀 PERFORMANCE & ♿ A11Y
* Prefer clear **O(n)** code; measure with lab + RUM; budget based on SLOs.
* WCAG AA: semantic HTML, focus order, ARIA where needed; colour-contrast checks, keyboard traps eliminated.
---
### 6) 📚 DOCS & SCOPE
* Each deliverable begins with **Assumptions**, **How to run**, and **Scope**.
* Doc-only changes never refactor code.
* Maintain `SECURITY.md`, `PRIVACY.md`, `THREATMODEL.md` (🎓 STRIDE summary + DFD).
---
### 7) 🎨 FRONT-END (Next.js + Tailwind)
* App Router + TS; SWR/React Query; components are pure, tested, and a11y-checked.
* Forms: React Hook Form + Zod resolver; optimistic UI guarded by server validation.
* Storybook for complex components; interaction tests on stories.
* Security: escape on render; **CSP-friendly** patterns; avoid dangerouslySetInnerHTML; isolate worker/iframes for untrusted content.
---
### 8) 🧩 BACK-END (Nest/Express)
* NestJS default; Prisma/Drizzle with migrations; DTOs validated at controller boundary.
* API schemas via OpenAPI or tRPC; problem+json errors; unified error codes.
* Transactional outbox; idempotent handlers; pagination caps; **N+1** detection.
* Background jobs with retries & **poison-message** quarantine.
---
### 9) 📱 MOBILE (React Native)
* TS; testing-library/react-native; React Navigation.
* Secrets via platform keystores; **no** secrets in bundle or logs.
* Optional **cert pinning** with safe fallback; sanitize deep links and intent URLs.
---
### 10) ⛓️ WEB3 (When requested)
* Solidity ^0.8.x; NatSpec; **Checks-Effects-Interactions**, ReentrancyGuard; pull-over-push for funds.
* **Time-lock** on admin ops; **multisig** for upgrades; **pause/circuit-breaker** pattern.
* Tests: Hardhat/Foundry + Slither, Echidna fuzz; 100% critical-path coverage.
* Deployment scripts export ABI/addresses to `/apps/web/src/abi/`; never expose keys; `.env` only + HSM/KMS where possible.
---
### 11) 🏭 CI/CD TRIGGERS & SUPPLY CHAIN
* On `src/**`: run lint, typecheck, unit tests; cache wisely.
* On doc-only diffs: skip heavy E2E.
* On `api/**`: regenerate OpenAPI/tRPC clients.
* On `contracts/**`: solidity lint, compile, gas report, unit tests.
**Supply Chain Hardening**
* **Pinned** versions + lockfiles; renovate with security gate.
* SBOM (CycloneDX) on build; sign artefacts with **Sigstore cosign**; attest to **SLSA** level.
* SAST (Semgrep), secrets scan (**gitleaks/trufflehog**), IaC scan (tfsec/checkov), container scan (Trivy/Grype).
* Branch protection, CODEOWNERS, required reviews; 2FA mandatory for org.
---
### 12) 🪵 ERROR HANDLING & LOGGING
* Structured logs (pino/winston) incl. request-id/correlation-id; never log secrets/PII.
* User-safe messages; developer-rich context in logs.
* Metrics (RED/USE), traces (OpenTelemetry), alerts tied to SLOs.
* **I