🎯 Problem Statement
Currently, the SDD (Spec-Driven Development) workflow focuses heavily on functional requirements, but lacks a formal, automated mechanism to integrate security-first principles into the lifecycle. Security is often treated as a manual checklist rather than a managed technical artifact, creating a gap between threat modeling and actual implementation/verification.
💡 Proposed Solution: The "Security Bluebook" Skill
I propose adding a new core skill: security-bluebook-builder.
This skill will allow the orchestrator to generate a Security Bluebook—a formal, enforceable policy document that acts as a "Source of Truth" for the security posture of a project.
How it integrates with SDD:
sdd-spec phase: Injects security requirements and data classification into the delta specs.
sdd-design phase: Provides the technical constraints and trust boundaries that the architecture must respect.
sdd-verify phase: Serves as the authoritative checklist for the verification agent to prove that the implementation meets the defined security gates.
✨ Value Proposition
- Security by Design: Moves security from an afterthought to a first-class citizen in the orchestration.
- Automated Compliance: Provides a foundation for automated compliance checks (GDPR, HIPAA, etc.) during the verification phase.
- Reduced Cognitive Load: Instead of engineers guessing security requirements, the orchestrator provides a deterministic policy.
🛠️ Implementation Note
I have already prototyped the skill locally and validated its structure. It is designed to be lightweight, strictly following the gentle-ai skill standard, and avoids any heavy dependencies.
I am happy to submit a Pull Request following this discussion.
🎯 Problem Statement
Currently, the SDD (Spec-Driven Development) workflow focuses heavily on functional requirements, but lacks a formal, automated mechanism to integrate security-first principles into the lifecycle. Security is often treated as a manual checklist rather than a managed technical artifact, creating a gap between threat modeling and actual implementation/verification.
💡 Proposed Solution: The "Security Bluebook" Skill
I propose adding a new core skill:
security-bluebook-builder.This skill will allow the orchestrator to generate a Security Bluebook—a formal, enforceable policy document that acts as a "Source of Truth" for the security posture of a project.
How it integrates with SDD:
sdd-specphase: Injects security requirements and data classification into the delta specs.sdd-designphase: Provides the technical constraints and trust boundaries that the architecture must respect.sdd-verifyphase: Serves as the authoritative checklist for the verification agent to prove that the implementation meets the defined security gates.✨ Value Proposition
🛠️ Implementation Note
I have already prototyped the skill locally and validated its structure. It is designed to be lightweight, strictly following the
gentle-aiskill standard, and avoids any heavy dependencies.I am happy to submit a Pull Request following this discussion.