# secure-code-skill-cascade

Cascaded secure-coding skills for AI agents: OWASP, CWE, auth, data, dependencies, cloud, and AI-agent security checks.

This project is Mirogate's flagship open-source security contribution for AI-assisted software engineering. It ships a real Codex skill and portable Markdown modules for other agents.

## Why Cascaded Skills

Security guidance becomes harder to maintain when every rule is copied into one giant prompt. This project keeps a small root skill and loads focused modules only when the task needs them.

```mermaid
flowchart TD
  A["User task"] --> B["secure-code root skill"]
  B --> C{"Relevant surface?"}
  C --> D["OWASP / ASVS / CWE"]
  C --> E["Auth / input / data"]
  C --> F["Dependencies / cloud"]
  C --> G["AI-agent security"]
  D --> H["Patch + test + residual risk"]
  E --> H
  F --> H
  G --> H
```

## Quick Start

```bash
npm install
npm test
node scripts/compose.mjs --scenario web-api-auth
```

List available modules:

```bash
node scripts/compose.mjs --list
```

## What Is Included

- `skills/secure-code/SKILL.md`: the Codex root skill.
- `skills/secure-code/references/`: focused security modules.
- `portable/secure-code-cascade.md`: portable bundle for Claude Code, Cursor, or other agents.
- `examples/scenarios/`: task-to-module examples.
- `examples/vulnerable-patches/`: before/after demos for common security mistakes.
- `scripts/validate.mjs`: checks module metadata, scenarios, required files, and demos.
- `scripts/compose.mjs`: assembles the root skill with selected modules for a scenario.

## Module Map

| Module | Use When |
| --- | --- |
| `owasp-top10` | Broad web application and API risk review. |
| `asvs-baseline` | Turning security intent into verification checks. |
| `cwe-top25` | Implementation weakness review. |
| `auth-session` | Login, sessions, JWT, password reset, authorization, tenants. |
| `input-output` | Injection, XSS, CSRF, SSRF, file upload, path, parsing. |
| `data-secrets` | Secrets, PII, logs, encryption, retention, tenant data. |
| `dependencies-supply-chain` | Packages, lockfiles, install scripts, actions, images. |
| `cloud-deploy` | Headers, CORS, CSP, redirects, environment variables, edge deploys. |
| `ai-agent-security` | Prompt injection, tool permissions, untrusted content, secret exposure. |
| `verification` | Tests, acceptance checks, and residual-risk language. |

## Example Scenarios

```bash
node scripts/compose.mjs --scenario web-api-auth
node scripts/compose.mjs --scenario form-input-handling
node scripts/compose.mjs --scenario dependency-update
node scripts/compose.mjs --scenario cloudflare-worker-deploy
node scripts/compose.mjs --scenario ai-agent-tooling
```

Each scenario intentionally loads a small set of modules. That is the point: security checks should be specific enough to edit and audit.
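To make the cascade in "Why Cascaded Skills" and the per-scenario loading above concrete, here is an added illustration of the compose step. It is not the project's own `scripts/compose.mjs`; the module bodies are summarised from the module map, and which modules each scenario loads is assumed for the example.

```javascript
// Added illustration, not the project's scripts/compose.mjs. Module bodies
// and scenario selections below are constructed placeholders standing in for
// skills/secure-code/references/ and examples/scenarios/.
const ROOT_SKILL = '# secure-code (root skill)\n' +
  'Identify the relevant surface, then apply only the modules loaded below.';

// Module id -> one-line body (summarised from the README module map).
const MODULES = {
  'auth-session': 'Review login, sessions, JWT, password reset, authorization, tenants.',
  'input-output': 'Review injection, XSS, CSRF, SSRF, file upload, path handling, parsing.',
  'data-secrets': 'Review secrets, PII, logs, encryption, retention, tenant data.',
  'dependencies-supply-chain': 'Review packages, lockfiles, install scripts, actions, images.',
  'cloud-deploy': 'Review headers, CORS, CSP, redirects, environment variables, edge deploys.',
  'ai-agent-security': 'Review prompt injection, tool permissions, untrusted content, secret exposure.',
  verification: 'Require tests, acceptance checks, and residual-risk language.',
};

// Scenario -> module ids. Which modules each real scenario loads is assumed here.
const SCENARIOS = {
  'web-api-auth': ['auth-session', 'input-output', 'verification'],
  'dependency-update': ['dependencies-supply-chain', 'verification'],
  'ai-agent-tooling': ['ai-agent-security', 'data-secrets', 'verification'],
};

// Resolve a scenario to an ordered, de-duplicated module list; fail loudly on
// unknown scenarios or module ids so a typo cannot silently drop a check.
function resolveModules(name, scenarios = SCENARIOS, modules = MODULES) {
  const selected = scenarios[name];
  if (!selected) throw new Error(`unknown scenario: ${name}`);
  const unknown = selected.filter((id) => !(id in modules));
  if (unknown.length) throw new Error(`${name}: unknown modules ${unknown.join(', ')}`);
  return [...new Set(selected)];
}

// Assemble the root skill plus only the selected modules into one bundle.
function compose(name, scenarios = SCENARIOS, modules = MODULES) {
  const sections = resolveModules(name, scenarios, modules)
    .map((id) => `## Module: ${id}\n${modules[id]}`);
  return [ROOT_SKILL, ...sections].join('\n\n');
}

// Every cascade path in the diagram ends in "Patch + test + residual risk", so
// (as an assumed validation rule) every scenario must load `verification`.
// Returns the names of scenarios that break the rule, empty when all comply.
function scenariosMissingVerification(scenarios = SCENARIOS) {
  return Object.keys(scenarios).filter((n) => !scenarios[n].includes('verification'));
}
```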

## Limits

This project is not a vulnerability scanner, a penetration test, or a compliance certification, and it is not affiliated with OWASP, MITRE, Claude, Cursor, or OpenAI. It is a practical skill architecture for AI-assisted secure coding.

Use the official references when making policy decisions:

- OWASP Top 10: https://owasp.org/www-project-top-ten/
- OWASP ASVS: https://owasp.org/www-project-application-security-verification-standard/
- CWE Top 25: https://cwe.mitre.org/top25/
- OWASP Cheat Sheet Series: https://cheatsheetseries.owasp.org/

## Security

Please report security issues to `security@mirogate.com`. See `SECURITY.md`.
