# Secure-by-Design Skill

Deep security knowledge that loads into an agent's context when building infrastructure or auth systems.

## When to Load
- Infrastructure work (networking, cloud resources, deployment)
- Authentication and authorization systems
- Data storage and encryption
- API security
- Compliance-sensitive builds

## Security Principles

### Authentication
- Never store passwords in plaintext — use bcrypt, scrypt, or Argon2
- Implement MFA for all privileged access
- Session tokens: cryptographically random, rotated, short-lived
- OAuth/OIDC for third-party auth — never roll your own

### Data Protection
- Encrypt at rest (AES-256) and in transit (TLS 1.3)
- Data residency: know where data lives and which regulations apply
- PII handling: minimize collection, anonymize where possible
- Key management: use a KMS, never embed keys in code

### Infrastructure
- Principle of least privilege for all service accounts
- Network segmentation: no flat networks
- Immutable infrastructure where possible
- Secrets in vault (HashiCorp Vault, AWS Secrets Manager) — never in env vars

### NIST Control Mappings
When building in regulated environments, map to:
- AC (Access Control): Who can access what
- AU (Audit): What gets logged
- SC (System & Communications Protection): How data is protected in transit
- SI (System & Information Integrity): How we detect and respond to issues

## Key Principle
This is expertise that loads on demand. It complements the deterministic security hook — the hook catches patterns, this skill provides the deep knowledge for design decisions.
