# 🔐 Security Standards (The "Mr. Robot" Protocol)

**Audience:** Security Agents (Elliot Alderson, The Devil, The Architect).
**Objective:** Paranoid Defense & Controlled Chaos.

> [!CRITICAL]
> **The Elliot Mandate:**
> "Control is an illusion. But vulnerabilities are real. If you hardcode a password, you are not a developer; you are a liability."

## 1. 🗝️ Secret Management (The "Zero Trust" Rule)

### The Cardinal Sin

**NEVER** commit secrets to Git. Not even "just for testing".

**❌ BAD (Immediate Termination):**

```python
API_KEY = "sk-1234567890"  # Hardcoded
db_url = "postgres://user:pass@localhost:5432/db"
```

**✅ GOOD (Environment Variables):**

```python
import os

API_KEY = os.environ.get("API_KEY")
if not API_KEY:
    raise ValueError("Missing API_KEY environment variable")
```

### The `.env` Protocol

1. **Local:** Use `.env` (and add it to `.gitignore`).
2. **Prod:** Inject variables via Docker Secrets or CI/CD pipelines.
3. **Rotation:** Code must handle credential rotation (don't cache secrets forever in memory).

## 2. 🛡️ OWASP Hardening (Defensive Coding)

### A. SQL Injection (The Prevention)

**Mandate:** NO string concatenation in SQL.

* **Reject:** `cursor.execute("SELECT * FROM users WHERE name = '" + user_input + "'")`
* **Accept:** `cursor.execute("SELECT * FROM users WHERE name = %s", (user_input,))` (let the driver handle escaping).

### B. XSS (Cross-Site Scripting)

**Mandate:** React/templates auto-escape by default. DO NOT use `dangerouslySetInnerHTML` or `| safe` (Jinja2) unless you have personally sanitized the input with `bleach`.

### C. SSRF (Server-Side Request Forgery)

**Mandate:** If an agent makes a request to a URL provided by a user:

* **Block:** Localhost (`127.0.0.1`, `0.0.0.0`, `localhost`).
* **Block:** Internal metadata APIs (AWS metadata `169.254.169.254`).

## 3. 😈 Protocol for "The Devil" (Offensive Auditing)

Agents capable of offensive actions (The Devil, The Gremlin) must follow the **Geneva Convention of AI**:

1. **No Destruction:** Never run `DROP TABLE` or `rm -rf` unless the environment is explicitly tagged `env=ephemeral-test`.
2. **Rate Limiting:** Do not DoS our own services. Limit fuzzing to 10 req/sec.
3. **The "Undo" Button:** Every offensive change must have a logged reversal plan.

## 4. 🕵️ The Architect's Audit Checklist (Security Edition)

Before approving any PR/change:

- [ ] **Secrets:** Did I `grep` for "key", "token", "password" in the diff?
- [ ] **Deps:** Did I pin dependencies (prevent supply chain attacks)?
- [ ] **Input:** Is every function argument typed and validated (Pydantic)?
- [ ] **Logs:** Did I accidentally log PII or a token? (Check `observability_standards.md`.)

## 5. 🚨 Emergency Response (When Elliot Hacks You)

If a vulnerability is found:

1. **Contain:** Shut down the container.
2. **Patch:** Fix the code.
3. **Rotate:** Assume all active secrets are compromised. Rotate them immediately.
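The SSRF rule in section 2.C (block `127.0.0.1`, `0.0.0.0`, `localhost` and the metadata address `169.254.169.254`) as a URL gate an agent can call before fetching anything user-supplied, added here as an example that is not part of the original standard. It goes one step beyond the rule's literal list by resolving the hostname and rejecting any loopback, private, link-local or unspecified address, so a DNS name that points at an internal host is caught too; `is_safe_url`, `BLOCKED_HOSTS`, `METADATA_IP` and the injectable `resolve` parameter are names assumed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Literal hostnames the standard forbids outright (assumed constant name).
BLOCKED_HOSTS = {"localhost", "0.0.0.0"}
# AWS instance metadata endpoint named in the standard (assumed constant name).
METADATA_IP = ipaddress.ip_address("169.254.169.254")


def _resolve_all(host):
    """Resolve a hostname to every address it maps to (real DNS lookup)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_url(url, resolve=_resolve_all):
    """Return (allowed, reason) for a user-supplied URL.

    Rejects non-HTTP schemes, the blocked hostnames, and any host that is or
    resolves to a loopback, private, link-local or unspecified address,
    including the metadata IP. `resolve` is injectable so the check can be
    exercised offline with a fake resolver.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} is not allowed"
    host = parsed.hostname  # lower-cased, brackets stripped for IPv6 literals
    if not host:
        return False, "URL has no host"
    if host in BLOCKED_HOSTS:
        return False, f"host {host!r} is on the block list"
    try:
        # A literal IP needs no lookup; anything else is resolved so that a
        # public-looking name pointing at an internal address is still caught.
        addresses = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addresses = set(resolve(host))
        except OSError as exc:  # socket.gaierror is an OSError
            return False, f"could not resolve {host!r}: {exc}"
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is really 10.0.0.5
        if ip == METADATA_IP:
            return False, "target is the cloud metadata endpoint"
        if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified:
            return False, f"{host!r} points at non-public address {ip}"
    return True, "ok"
```

Because every resolved address is checked, a name with several A/AAAA records is rejected if any one of them is internal.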