Skip to content

[Proposal] Security & Compliance Layer for SDD Workflow #1002

Description

@mauroociappinaph

🎯 Problem Statement

Currently, the SDD (Spec-Driven Development) workflow focuses heavily on functional requirements, but lacks a formal, automated mechanism to integrate security-first principles into the lifecycle. Security is often treated as a manual checklist rather than a managed technical artifact, creating a gap between threat modeling and actual implementation/verification.

💡 Proposed Solution: The "Security Bluebook" Skill

I propose adding a new core skill: security-bluebook-builder.

This skill will allow the orchestrator to generate a Security Bluebook—a formal, enforceable policy document that acts as a "Source of Truth" for the security posture of a project.

How it integrates with SDD:

  • sdd-spec phase: Injects security requirements and data classification into the delta specs.
  • sdd-design phase: Provides the technical constraints and trust boundaries that the architecture must respect.
  • sdd-verify phase: Serves as the authoritative checklist for the verification agent to prove that the implementation meets the defined security gates.

✨ Value Proposition

  • Security by Design: Moves security from an afterthought to a first-class citizen in the orchestration.
  • Automated Compliance: Provides a foundation for automated compliance checks (GDPR, HIPAA, etc.) during the verification phase.
  • Reduced Cognitive Load: Instead of engineers guessing security requirements, the orchestrator provides a deterministic policy.

🛠️ Implementation Note

I have already prototyped the skill locally and validated its structure. It is designed to be lightweight, strictly following the gentle-ai skill standard, and avoids any heavy dependencies.

I am happy to submit a Pull Request following this discussion.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions