Encode the minimum security expectations so agents do not erode important boundaries while moving quickly.
- never commit plaintext secrets
- validate inputs at boundaries
- constrain high-risk external operations explicitly
- sync docs and validation when security-sensitive behavior changes
- secrets and credentials
- permission boundaries
- input validation
- logging and sensitive data exposure
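
One way to encode two of the expectations above (no plaintext secrets; docs and validation updated alongside security-sensitive changes) as a pre-merge check. This is an added example, not part of the original page; the path globs, the secret patterns, the `check_change` function and the sample change are all constructed assumptions.

```python
import fnmatch
import re

# Assumed repository layout (hypothetical; adjust to the real project).
SENSITIVE = ["src/auth/*", "src/permissions/*", "config/security*"]
DOCS = ["docs/security/*", "SECURITY.md"]
VALIDATION = ["tests/security/*"]

# Constructed patterns for common plaintext-secret shapes; not exhaustive.
SECRET_PATTERNS = [
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b"
               r"\s*[:=]\s*['\"][^'\"\s]{8,}['\"]"),
]
# Values that reference a secret store or are obvious placeholders.
ALLOWED_VALUE = re.compile(r"(?i)(\$\{|\{\{|<[^>]+>|changeme|example|placeholder)")

# Constructed sample change: changed paths and (path, line_no, added text).
SAMPLE_FILES = ["src/auth/session.py", "docs/security/sessions.md"]
SAMPLE_ADDED = [
    ("src/auth/session.py", 12, 'API_KEY = "sk_live_constructed_0001"'),
    ("src/auth/session.py", 13, 'API_KEY = os.environ["API_KEY"]'),
    ("deploy/values.yaml", 4, 'password: "${DB_PASSWORD}"'),
]

def _matches(path, globs):
    return any(fnmatch.fnmatch(path, g) for g in globs)

def check_change(changed_files, added_lines):
    """Return a list of violation strings; an empty list means the change passes."""
    violations = []
    for path, line_no, text in added_lines:
        for pat in SECRET_PATTERNS:
            m = pat.search(text)
            if m and not ALLOWED_VALUE.search(m.group(0)):
                # Report the location only, so the check does not leak the value.
                violations.append(f"{path}:{line_no}: possible plaintext secret")
                break
    sensitive = [p for p in changed_files if _matches(p, SENSITIVE)]
    if sensitive:
        if not any(_matches(p, DOCS) for p in changed_files):
            violations.append("security-sensitive change without docs update: "
                              + ", ".join(sensitive))
        if not any(_matches(p, VALIDATION) for p in changed_files):
            violations.append("security-sensitive change without validation update: "
                              + ", ".join(sensitive))
    return violations
```

On the sample change, the hardcoded key on line 12 and the missing validation update are reported, while the environment lookup and the `${DB_PASSWORD}` reference pass.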