23 routes for "security"
Security Basics Review
The essential security pass for AI-built apps: secrets, auth enforcement, input handling, and data exposure.
+2 more steps to Done
Best forproduction-grade builds with strict verification
Auth Flow QA
Dedicated auth testing: signup, login, sessions, guards, reset, and the edge cases that expose fake auth.
+2 more steps to Done
Best forbuilders who have shipped a basic app before
Fix Fake Auth
Your login 'works' but nothing is real: convert visual-only auth into persisted users, sessions, and guards.
+3 more steps to Done
Best forbuilders who have shipped a basic app before
Secrets Hygiene in Agent Logs
Keep credentials out of prompts, tool outputs, logs, and traces: detection, redaction, and safe handling across the whole agent pipeline.
+1 more steps to Done
Best forbuilders who have shipped a basic app before
Build a Command Security Pipeline for Your Agent
Replace scattered if-else safety checks with a layered validator pipeline: single-purpose checks, an allow/ask/deny/passthrough contract, and severity-aware ordering.
+1 more steps to Done
Best forproduction-grade builds with strict verification
Prompt Injection Defense Checklist
Systematically defend your agent against prompt injection: trust boundaries, content isolation, and defense-in-depth that assumes injection will happen.
+1 more steps to Done
Best forproduction-grade builds with strict verification
Working Signup/Auth System
Build a real signup, login, session, and protected route flow - not a form that only looks functional.
+10 more steps to Done
Best forbuilders who have shipped a basic app before
Guard Memory Writes Against Injection
Stop poisoned data from becoming persistent agent beliefs: validate, attribute, and quarantine memory writes as untrusted input.
+1 more steps to Done
Best forproduction-grade builds with strict verification
Dependency and Supply-Chain Scanning for Agents
Guard against the dependencies your agent adds: vulnerability scanning, hallucinated-package detection, and gated installs.
+1 more steps to Done
Best forbuilders who have shipped a basic app before
Threat-Model Your MCP Server
Systematically threat-model an MCP server before it is exploited: assets, entry points, trust boundaries, and mitigations documented and tested.
+1 more steps to Done
Best forproduction-grade builds with strict verification
SaaS MVP Builder
Go from idea to a working SaaS MVP: auth, core feature, billing readiness, and a landing page that converts.
+3 more steps to Done
Best forproduction-grade builds with strict verification
Detect Command Obfuscation and Parser-Mismatch Attacks
Catch the attacks your parser cannot see: quote-concatenation flags, ANSI-C quoting, brace expansion, and escaped operators that make bash execute something your checks never inspected.
+1 more steps to Done
Best forproduction-grade builds with strict verification
Red-Team Your Agent with Adversarial Prompts
Systematically attack your own agent using red-teaming frameworks: vulnerability probes, attack methods, and a repeatable adversarial suite.
+1 more steps to Done
Best forproduction-grade builds with strict verification
Audit Trails for Tool Calls
Record an immutable, queryable trail of every action your agent takes - who, what, when, why, and outcome - for security and accountability.
+1 more steps to Done
Best forbuilders who have shipped a basic app before
Release Gates for Agent-Generated Code
Put agent output through a real merge gate: automated review, tests, security scans, and human sign-off proportional to risk.
+1 more steps to Done
Best forbuilders who have shipped a basic app before
Build a Login Page with Auth Metrics Tracking
Create a real login page with working authentication and instrument it to capture useful investment-app auth metrics such as signups, login attempts, success rate, failures, and drop-off.
+6 more steps to Done
Best forbuilders who have shipped a basic app before
Add Team Invites to a SaaS App
Build a real team invitation system for a SaaS app, including invite creation, email/share flow, acceptance, membership creation, role assignment, validation, and end-to-end testing.
+7 more steps to Done
Best forbuilders who have shipped a basic app before
Add a Working Team Invite System to a SaaS App
Build a real invite flow for a SaaS app so existing users can invite teammates by email, store invite records, validate tokens, accept invitations, and join the correct workspace with proper permissions.
+6 more steps to Done
Best forbuilders who have shipped a basic app before
Sandbox Untrusted Code Execution
Contain what your agent runs: isolated execution environments with resource limits, network policy, and workspace mounting done right.
+1 more steps to Done
Best forproduction-grade builds with strict verification
Role-Based Access Control
Add real roles and permissions: enforced on backend endpoints and reflected honestly in the UI.
+3 more steps to Done
Best forproduction-grade builds with strict verification
Incident Response Runbook for Agent Mishaps
Prepare for the day your agent does damage: detection, containment, rollback, investigation, and prevention - written before you need it.
+1 more steps to Done
Best forbuilders who have shipped a basic app before
Stand Up an Adversarial Verification Agent
Stop trusting your agent's own 'it works': dispatch a read-only verifier that must run real commands, probe adversarially, and return an evidence-backed PASS/FAIL verdict.
+1 more steps to Done
Best forproduction-grade builds with strict verification
Jailbreak Regression Suite
Turn every jailbreak you find into a permanent regression test, so safety boundaries never silently erode across model and prompt changes.
Best forbuilders who have shipped a basic app before
From the Research Vault
View all4 research sources for "security"
Deep Dive: Prompt-Layer Security in BashTool
Dissects how BashTool's prompt forms the first line of defense: a three-layer structure (tool preference chains, usage constraints, git-safety and sandbox protocols) assembled dynamically per environment. Shows how wording strategy works - capitalized NOT, positive alternatives ('use Edit' rather than 'avoid sed'), and 'better user experience' framing instead of 'security' - and how token budget (config dedup, conditional blocks) is treated as a first-class engineering constraint rather than an afterthought.
Deep Dive: Code-Layer Security - 20+ Validators Behind BashTool
Walks the layered validation pipeline that backs up the prompt when the model ignores its 'suggestions': control-character checks, multi-view quote extraction, obfuscated-flag detection (ANSI-C quoting, empty-quote concatenation, quote chains, triple quotes), brace-expansion and backslash-escaped-operator traps, hard path constraints, a whitelist-plus-denylist sed validator, and per-tool exit-code semantics. Every validator returns allow/ask/deny/passthrough, and misparsing-class findings outrank informational ones.
claude-code-book (SCUTBrothers)
A second book-length Chinese treatment of Claude Code's source ('Understanding Claude Code In Depth') with a compiled PDF and LaTeX sources. Focuses on turning the complex system into reusable engineering knowledge: source structure, runtime mechanics, permissions and extension points, security and context strategy.
semantic-memory (RecursiveIntell)
Local-first hybrid semantic search backed by authoritative SQLite state plus a vector sidecar: facts, chunked documents, conversation messages, and episodes searched via BM25 (FTS5) and vector retrieval fused with Reciprocal Rank Fusion, with explainable search.