23 routes for "security"

Flows category icon
QA

Security Basics Review

The essential security pass for AI-built apps: secrets, auth enforcement, input handling, and data exposure.

01Hunt exposed secrets
02Attack the auth enforcement
03Harden input handling

+2 more steps to Done

Best forproduction-grade builds with strict verification

5 steps60-90 minutesAdvanced
Flows category icon
QA

Auth Flow QA

Dedicated auth testing: signup, login, sessions, guards, reset, and the edge cases that expose fake auth.

01Test the signup surface
02Test the login surface
03Test the session lifecycle

+2 more steps to Done

Best forbuilders who have shipped a basic app before

5 steps45-75 minutesIntermediate
Flows category icon
Debugging

Fix Fake Auth

Your login 'works' but nothing is real: convert visual-only auth into persisted users, sessions, and guards.

01Diagnose what is fake
02Implement real user persistence
03Implement real credential verification

+3 more steps to Done

Best forbuilders who have shipped a basic app before

6 steps45-90 minutesIntermediate
Flows category icon
Agent QA & Security

Secrets Hygiene in Agent Logs

Keep credentials out of prompts, tool outputs, logs, and traces: detection, redaction, and safe handling across the whole agent pipeline.

01Build the secret detector
02Redact at every capture point
03Inject real secrets safely

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate
Flows category icon
Agent QA & Security

Build a Command Security Pipeline for Your Agent

Replace scattered if-else safety checks with a layered validator pipeline: single-purpose checks, an allow/ask/deny/passthrough contract, and severity-aware ordering.

01Define the contract and pipeline skeleton
02Implement early validators and input hygiene
03Build the main validator chain and hard path constraints

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps120-180 minutesAdvanced
Flows category icon
Agent QA & Security

Prompt Injection Defense Checklist

Systematically defend your agent against prompt injection: trust boundaries, content isolation, and defense-in-depth that assumes injection will happen.

01Map trust boundaries
02Isolate and label untrusted content
03Separate authority from content

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps90-150 minutesAdvanced
Flows category icon
App Builder

Working Signup/Auth System

Build a real signup, login, session, and protected route flow - not a form that only looks functional.

01Define auth requirements
02Choose auth method
03Define the user database model

+10 more steps to Done

Best forbuilders who have shipped a basic app before

13 steps45-90 minutesIntermediate
Flows category icon
Agent QA & Security

Guard Memory Writes Against Injection

Stop poisoned data from becoming persistent agent beliefs: validate, attribute, and quarantine memory writes as untrusted input.

01Make writes source-aware
02Validate content before persistence
03Quarantine and require corroboration

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps90-120 minutesAdvanced
Flows category icon
Agent QA & Security

Dependency and Supply-Chain Scanning for Agents

Guard against the dependencies your agent adds: vulnerability scanning, hallucinated-package detection, and gated installs.

01Intercept dependency additions
02Verify existence and reputation
03Scan for vulnerabilities

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate
Flows category icon
Agent QA & Security

Threat-Model Your MCP Server

Systematically threat-model an MCP server before it is exploited: assets, entry points, trust boundaries, and mitigations documented and tested.

01Inventory assets and entry points
02Map boundaries and enumerate threats
03Rank threats and assign mitigations

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps90-120 minutesAdvanced
Flows category icon
App Builder

SaaS MVP Builder

Go from idea to a working SaaS MVP: auth, core feature, billing readiness, and a landing page that converts.

01Define the MVP in one sentence
02Build the landing page
03Add working auth

+3 more steps to Done

Best forproduction-grade builds with strict verification

6 steps2-4 hoursAdvanced
Flows category icon
Agent QA & Security

Detect Command Obfuscation and Parser-Mismatch Attacks

Catch the attacks your parser cannot see: quote-concatenation flags, ANSI-C quoting, brace expansion, and escaped operators that make bash execute something your checks never inspected.

01Build multi-view quote extraction
02Detect quote-trick flag smuggling
03Detect parser-vs-shell divergence

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps120-180 minutesAdvanced
Flows category icon
Agent QA & Security

Red-Team Your Agent with Adversarial Prompts

Systematically attack your own agent using red-teaming frameworks: vulnerability probes, attack methods, and a repeatable adversarial suite.

01Build a threat-driven probe set
02Arm each probe with attack methods
03Automate execution and score

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps120-180 minutesAdvanced
Flows category icon
Agent QA & Security

Audit Trails for Tool Calls

Record an immutable, queryable trail of every action your agent takes - who, what, when, why, and outcome - for security and accountability.

01Define the audit record and scope
02Write records reliably and scrubbed
03Make the trail tamper-evident

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate
Flows category icon
Agent QA & Security

Release Gates for Agent-Generated Code

Put agent output through a real merge gate: automated review, tests, security scans, and human sign-off proportional to risk.

01Assemble the automated gate
02Classify change risk
03Label provenance and require sign-off

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate
Flows category icon
App Builder
Generated

Build a Login Page with Auth Metrics Tracking

Create a real login page with working authentication and instrument it to capture useful investment-app auth metrics such as signups, login attempts, success rate, failures, and drop-off.

01Define the auth flow and metrics schema
02Create or wire the authentication foundation
03Build the login page UI with validation

+6 more steps to Done

Best forbuilders who have shipped a basic app before

9 steps60-120 minutesIntermediate
Flows category icon
App Builder
Generated

Add Team Invites to a SaaS App

Build a real team invitation system for a SaaS app, including invite creation, email/share flow, acceptance, membership creation, role assignment, validation, and end-to-end testing.

01Audit Existing Team, User, and Auth Models
02Add Invitation Data Model and Migration
03Implement Secure Invite Creation API

+7 more steps to Done

Best forbuilders who have shipped a basic app before

10 steps60-120 minutesIntermediate
Flows category icon
App Builder
Generated

Add a Working Team Invite System to a SaaS App

Build a real invite flow for a SaaS app so existing users can invite teammates by email, store invite records, validate tokens, accept invitations, and join the correct workspace with proper permissions.

01Audit the current auth and workspace model
02Add the invite data model and migration
03Build secure invite creation on the server

+6 more steps to Done

Best forbuilders who have shipped a basic app before

9 steps60-120 minutesIntermediate
Flows category icon
Harness Engineering

Sandbox Untrusted Code Execution

Contain what your agent runs: isolated execution environments with resource limits, network policy, and workspace mounting done right.

01Choose the isolation and define the policy
02Build the sandboxed executor
03Enforce and verify the network policy

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps120-180 minutesAdvanced
Flows category icon
App Builder

Role-Based Access Control

Add real roles and permissions: enforced on backend endpoints and reflected honestly in the UI.

01Define roles and the permission matrix
02Add roles to the user model
03Enforce permissions on the backend

+3 more steps to Done

Best forproduction-grade builds with strict verification

6 steps60-120 minutesAdvanced
Flows category icon
Agent QA & Security

Incident Response Runbook for Agent Mishaps

Prepare for the day your agent does damage: detection, containment, rollback, investigation, and prevention - written before you need it.

01Define detection and the kill switch
02Write containment and rollback procedures
03Write the investigation procedure

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate
Flows category icon
Agent QA & Security

Stand Up an Adversarial Verification Agent

Stop trusting your agent's own 'it works': dispatch a read-only verifier that must run real commands, probe adversarially, and return an evidence-backed PASS/FAIL verdict.

01Define the verifier with hard read-only constraints
02Feed it the real task and require evidence
03Add adversarial probes

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps90-150 minutesAdvanced
Flows category icon
Agent QA & Security

Jailbreak Regression Suite

Turn every jailbreak you find into a permanent regression test, so safety boundaries never silently erode across model and prompt changes.

01Assemble the jailbreak corpus
02Build reliable compliance evaluation
03Version, gate, and grow the suite

Best forbuilders who have shipped a basic app before

3 steps60-90 minutesIntermediate

From the Research Vault

View all

4 research sources for "security"

Claude Code Internals
Tier 1

Deep Dive: Prompt-Layer Security in BashTool

Dissects how BashTool's prompt forms the first line of defense: a three-layer structure (tool preference chains, usage constraints, git-safety and sandbox protocols) assembled dynamically per environment. Shows how wording strategy works - capitalized NOT, positive alternatives ('use Edit' rather than 'avoid sed'), and 'better user experience' framing instead of 'security' - and how token budget (config dedup, conditional blocks) is treated as a first-class engineering constraint rather than an afterthought.

Claude Code Internals
Tier 1

Deep Dive: Code-Layer Security - 20+ Validators Behind BashTool

Walks the layered validation pipeline that backs up the prompt when the model ignores its 'suggestions': control-character checks, multi-view quote extraction, obfuscated-flag detection (ANSI-C quoting, empty-quote concatenation, quote chains, triple quotes), brace-expansion and backslash-escaped-operator traps, hard path constraints, a whitelist-plus-denylist sed validator, and per-tool exit-code semantics. Every validator returns allow/ask/deny/passthrough, and misparsing-class findings outrank informational ones.

Claude Code Internals
Tier 1

claude-code-book (SCUTBrothers)

A second book-length Chinese treatment of Claude Code's source ('Understanding Claude Code In Depth') with a compiled PDF and LaTeX sources. Focuses on turning the complex system into reusable engineering knowledge: source structure, runtime mechanics, permissions and extension points, security and context strategy.

Agent Memory
Tier 3

semantic-memory (RecursiveIntell)

Local-first hybrid semantic search backed by authoritative SQLite state plus a vector sidecar: facts, chunked documents, conversation messages, and episodes searched via BM25 (FTS5) and vector retrieval fused with Reciprocal Rank Fusion, with explainable search.

Made with Emergent