Purpose: to ensure systems are "Secure by Design" rather than "Patched Later". Security is not a feature; it is a constraint.
2. The Standard (The Floor)
[MUST] Threat Model Lite: Every Capability MUST answer three questions before any code is written:
"Who is the attacker?" (Tenant vs Outsider).
"What are they trying to steal/break?" (PII, Ledger).
"How do we stop them?" (RLS, encryption).
[MUST] Map Threat to Test: For every identified 'Threat', a corresponding 'Negative Test Case' MUST be implemented. If you can name the attacker, you can write the test that blocks them.
[MUST] Deny by Default: All data access is FORBIDDEN unless explicitly allowed by an RLS policy or verifyContext check.
[MUST] Tenant Isolation: Multi-Owner Data MUST be physically or logically isolated. Leaking data between buildings/tenants is a Sev-1 incident.
[MUST] Secure Construction:
Uploads: Presigned URLs only. No public buckets.
Inputs: Zod validation for everything.
Logs: No PII/Secrets in logs.
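As an added illustration of the Deny by Default, Tenant Isolation and Map Threat to Test rules above (example code written for this page, not the project's own `verifyContext` or policy engine), the following TypeScript shows an allow-list authorization check that denies anything no policy positively grants, together with one negative test case per named threat. The `Actor`, `Resource`, `Policy` and `threatCases` names, the roles, and the tenant ids such as `bldg-A` are assumptions for illustration.

```typescript
// Added example: deny-by-default authorization with tenant isolation, plus the
// negative test cases that map each named threat to a check. All names and
// sample data here are hypothetical, not the project's own code.

export type Role = "tenant" | "staff" | "outsider";

export interface Actor {
  actorId: string;
  tenantId: string | null; // null for unauthenticated outsiders
  role: Role;
}

export interface Resource {
  kind: "ledger" | "pii";
  ownerTenantId: string; // the tenant (building) that owns this record
}

export type Action = "read" | "write";

// A policy returns true only when it positively grants the access.
export type Policy = (actor: Actor, action: Action, res: Resource) => boolean;

// The allow-list. Anything not granted by a policy here is denied.
const policies: Policy[] = [
  // A tenant may read and write its own tenant's data only.
  (a, _action, r) =>
    a.role === "tenant" && a.tenantId !== null && a.tenantId === r.ownerTenantId,
  // Staff may read (never write) ledgers across tenants for support work.
  (a, action, r) => a.role === "staff" && action === "read" && r.kind === "ledger",
];

export interface Decision {
  allowed: boolean;
  reason: string;
}

// Deny by default: the only way to get "allowed" is a matching policy.
export function verifyContext(actor: Actor, action: Action, res: Resource): Decision {
  for (let i = 0; i < policies.length; i++) {
    if (policies[i](actor, action, res)) return { allowed: true, reason: `policy#${i}` };
  }
  return { allowed: false, reason: "deny-by-default" };
}

// Threat Model Lite answers turned into negative test cases: who the attacker
// is, what they reach for, and the access that must be refused.
export interface ThreatCase {
  threat: string;
  actor: Actor;
  action: Action;
  res: Resource;
}

export const threatCases: ThreatCase[] = [
  {
    threat: "Outsider reads tenant PII",
    actor: { actorId: "anon", tenantId: null, role: "outsider" },
    action: "read",
    res: { kind: "pii", ownerTenantId: "bldg-A" },
  },
  {
    threat: "Tenant A reads tenant B's ledger",
    actor: { actorId: "u1", tenantId: "bldg-A", role: "tenant" },
    action: "read",
    res: { kind: "ledger", ownerTenantId: "bldg-B" },
  },
  {
    threat: "Staff writes to a tenant ledger",
    actor: { actorId: "s1", tenantId: null, role: "staff" },
    action: "write",
    res: { kind: "ledger", ownerTenantId: "bldg-A" },
  },
  {
    threat: "Staff reads tenant PII",
    actor: { actorId: "s1", tenantId: null, role: "staff" },
    action: "read",
    res: { kind: "pii", ownerTenantId: "bldg-A" },
  },
];

// Runs every negative case and returns the threats that were NOT blocked.
// An empty array means every named attacker was stopped.
export function unblockedThreats(): string[] {
  return threatCases
    .filter((c) => verifyContext(c.actor, c.action, c.res).allowed)
    .map((c) => c.threat);
}

console.log("unblocked threats:", JSON.stringify(unblockedThreats()));
```

Adding a new policy means adding a function to the allow-list; adding a new threat means adding an entry to `threatCases`. A CI check that fails when `unblockedThreats()` is non-empty is the mechanical form of "if you can name the attacker, you can write the test that blocks them".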
3. Best Practices (The Path)
[SHOULD] AuthZ Matrix: Define a matrix of Actor vs Action for complex modules.
[SHOULD] Secret Handling: Use Doppler. Never commit .env.
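The "No PII/Secrets in logs" rule in Secure Construction and the Secret Handling rule above both depend on credentials and personal data never reaching a log sink. The following TypeScript is an added example, not the project's logger, of scrubbing a structured log record before it is emitted: fields with secret-bearing names are dropped, and string values are scanned for e-mail addresses, bearer tokens and card-number shapes. The key list, the regular expressions and the `sampleRecord` contents are assumptions constructed for illustration.

```typescript
// Added example: redact PII and secrets from a structured log record.
// Key names, patterns and the sample record are constructed for illustration.

// Keys whose values are never logged, compared case-insensitively.
const SECRET_KEYS = ["password", "token", "secret", "apikey", "api_key", "authorization", "ssn"];

// Value shapes that indicate PII or a credential even under an innocent key.
const VALUE_PATTERNS: Array<[string, RegExp]> = [
  ["email", /[^\s@]+@[^\s@]+\.[^\s@]+/g],
  ["bearer", /Bearer\s+[A-Za-z0-9._-]+/g],
  ["card", /\b(?:\d[ -]?){13,16}\b/g],
];

export type LogValue =
  | string
  | number
  | boolean
  | null
  | LogValue[]
  | { [k: string]: LogValue };

// Walks the record recursively; returns a new value, never mutates the input.
export function redact(value: LogValue, key = ""): LogValue {
  if (SECRET_KEYS.indexOf(key.toLowerCase()) !== -1) return "[REDACTED]";
  if (Array.isArray(value)) return value.map((v) => redact(v));
  if (value !== null && typeof value === "object") {
    const out: { [k: string]: LogValue } = {};
    for (const k of Object.keys(value)) out[k] = redact(value[k], k);
    return out;
  }
  if (typeof value === "string") {
    let s = value;
    for (const [name, re] of VALUE_PATTERNS) s = s.replace(re, `[${name}]`);
    return s;
  }
  return value;
}

// Serialises a record for the log sink after redaction.
export function safeLogLine(record: LogValue): string {
  return JSON.stringify(redact(record));
}

// Constructed sample of the kind of object a request handler might log.
export const sampleRecord: LogValue = {
  event: "tenant.login",
  tenantId: "bldg-A",
  user: { email: "resident@example.com", password: "hunter2" },
  headers: { Authorization: "Bearer eyJhbGciOi.payload.sig" },
  note: "card on file 4111 1111 1111 1111",
};

console.log(safeLogLine(sampleRecord));
```

Routing every log call through `safeLogLine` (or an equivalent transport-level hook) makes the rule a property of the logger rather than of each caller's discipline; the tenant id and event name survive, which is what an incident responder needs, while the credential and PII fields do not.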