Sets up security scanning for secrets and dependency vulnerabilities. Use when adding security infrastructure to a project.
Paths: File paths (references/, ../ln-*) are relative to this skill directory.
Security Setup Coordinator
Type: L2 Domain Coordinator
Category: 7XX Bootstrap
Purpose & Scope
Coordinate secret scanning (ln-761) and dependency vulnerability audit (ln-625)
Aggregate findings from both workers into unified report
Generate security infrastructure: SECURITY.md, pre-commit hooks, CI workflow
Provide overall security score and risk assessment
When to Use
During project bootstrap (invoked by ln-700-project-bootstrap)
Manual security audit request
CI/CD pipeline initialization
Workflow
Phase 1: Pre-flight Check
Step 1: Detect Project Type
Identify primary ecosystem(s): Node.js, .NET, Python, Go, etc.
Check for existing security configs (.gitleaks.toml, SECURITY.md)
Step 2: Check Tool Availability
Verify gitleaks/trufflehog available for secret scanning
Verify ecosystem-specific audit tools available
Log warnings for missing tools (do not fail)
Step 3: Load Existing Configs
If .gitleaks.toml exists: note for preservation
If SECURITY.md exists: note for update (not overwrite)
If .pre-commit-config.yaml exists: check for gitleaks hook
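The three pre-flight steps above, as an added example that is not part of this skill or its workers. The manifest-to-ecosystem table and the audit CLI expected per ecosystem are assumptions (the skill only says "ecosystem-specific audit tools"); the functions take a directory listing rather than a path so they can be exercised against a constructed file list.

```python
"""Phase 1 pre-flight for the security setup coordinator (added example).

Assumptions: root-level manifest -> ecosystem mapping, and the audit CLI
expected per ecosystem. Missing tools produce warnings, never failures.
"""
from __future__ import annotations

import shutil
from pathlib import Path
from typing import Callable, Iterable

# Assumption: root-level manifest -> ecosystem label used in the report.
MANIFESTS = {
    "package.json": "Node.js",
    "go.mod": "Go",
    "pyproject.toml": "Python",
    "requirements.txt": "Python",
}
DOTNET_SUFFIXES = (".csproj", ".fsproj", ".sln")   # .NET is detected by suffix

SECRET_SCANNERS = ("gitleaks", "trufflehog")

# Assumption: the audit CLI the coordinator expects per ecosystem.
AUDIT_TOOLS = {
    "Node.js": "npm",          # npm audit
    "Go": "govulncheck",
    "Python": "pip-audit",
    ".NET": "dotnet",          # dotnet list package --vulnerable
}

# Existing configs and what Step 3 says to do with them.
CONFIG_ACTIONS = {
    ".gitleaks.toml": "preserve",
    "SECURITY.md": "update, do not overwrite",
    ".pre-commit-config.yaml": "check for gitleaks hook",
}


def list_root(root: Path) -> list[str]:
    """File names directly under the project root (directories are not manifests)."""
    return [p.name for p in root.iterdir() if p.is_file()]


def detect_ecosystems(names: Iterable[str]) -> set[str]:
    """Step 1: map root-level file names to ecosystems."""
    names = set(names)
    found = {eco for manifest, eco in MANIFESTS.items() if manifest in names}
    if any(n.endswith(DOTNET_SUFFIXES) for n in names):
        found.add(".NET")
    return found


def check_tools(
    ecosystems: Iterable[str],
    which: Callable[[str], str | None] = shutil.which,
) -> tuple[dict[str, bool], list[str]]:
    """Step 2: probe PATH for scanners; a missing tool is a warning, not an error."""
    available: dict[str, bool] = {}
    warnings: list[str] = []
    for tool in SECRET_SCANNERS:
        available[tool] = which(tool) is not None
    if not any(available[t] for t in SECRET_SCANNERS):
        warnings.append("no secret scanner on PATH (gitleaks/trufflehog): secret scan will be skipped")
    for eco in sorted(set(ecosystems)):
        tool = AUDIT_TOOLS.get(eco)
        if tool is None:
            warnings.append(f"no audit tool mapped for {eco}: dependency audit will be skipped")
            continue
        available[tool] = which(tool) is not None
        if not available[tool]:
            warnings.append(f"{tool} not on PATH: dependency audit for {eco} will be skipped")
    return available, warnings


def existing_configs(names: Iterable[str]) -> dict[str, str]:
    """Step 3: note existing security configs and the handling each requires."""
    names = set(names)
    return {cfg: action for cfg, action in CONFIG_ACTIONS.items() if cfg in names}


def preflight(names: Iterable[str], which: Callable[[str], str | None] = shutil.which) -> dict:
    """Run all three pre-flight steps over a root listing and return the report."""
    names = list(names)
    ecosystems = detect_ecosystems(names)
    available, warnings = check_tools(ecosystems, which)
    return {
        "ecosystems": sorted(ecosystems),
        "tools": available,
        "warnings": warnings,           # logged by the coordinator, never fatal
        "existing_configs": existing_configs(names),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(preflight(list_root(Path(".")), shutil.which), indent=2))
```

Passing `which` as a parameter keeps the PATH probe injectable, so the "warn, do not fail" behaviour can be verified without uninstalling tools.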
Phase 2: Delegate Scans
Step 1: Invoke ln-761 Secret Scanner
Delegate via Agent tool
Receive: findings list, severity summary, remediation guidance
Step 2: Invoke ln-625 Dependency Reuse Auditor (mode=vulnerabilities_only)
Delegate via Agent tool (can run parallel with Step 1)
Pass parameter: mode=vulnerabilities_only
Receive: vulnerability list, CVSS scores, fix recommendations
Phase 3: Aggregate Reports
Step 1: Combine Findings
Merge findings from both workers
Group by severity (Critical first)
Calculate overall security score
Step 2: Risk Assessment
Critical findings: flag for immediate attention
High findings: recommend fix within 48h
Medium/Low: add to backlog
Step 3: Build Summary
Files scanned count
Secrets found (by severity)
Vulnerabilities found (by severity)
Overall pass/warn/fail status
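The three aggregation steps above, as an added example that is not the skill's own code. The field names of the two workers' output, the score weights and the pass/warn/fail thresholds are assumptions; the CVSS-to-severity mapping is the CVSS v3.x qualitative rating scale. The sample findings are constructed and use placeholder advisory ids, not real vulnerabilities.

```python
"""Phase 3 aggregation for the security setup coordinator (added example).

Assumptions: ln-761 / ln-625 output fields, score weights, status thresholds.
Sample data is constructed with placeholder ids.
"""
from __future__ import annotations

from collections import Counter

SEVERITY_ORDER = ("Critical", "High", "Medium", "Low")
# Assumption: points deducted from 100 per finding.
WEIGHTS = {"Critical": 40, "High": 15, "Medium": 5, "Low": 1}
# Risk assessment actions from Step 2.
ACTIONS = {"Critical": "immediate attention", "High": "fix within 48h",
           "Medium": "backlog", "Low": "backlog"}


def cvss_to_severity(score: float) -> str:
    """CVSS v3.x qualitative scale: 9.0+ Critical, 7.0-8.9 High, 4.0-6.9 Medium, else Low."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def normalize(secret_findings: list[dict], vuln_findings: list[dict]) -> list[dict]:
    """Step 1: merge both workers' output into one shape, ordered Critical first."""
    merged = []
    for s in secret_findings:                       # assumed ln-761 fields
        merged.append({
            "source": "ln-761", "kind": "secret",
            "severity": s["severity"].capitalize(),
            "title": s["rule"], "location": s["file"],
            "remediation": s.get("remediation", "remove from history and rotate"),
        })
    for v in vuln_findings:                         # assumed ln-625 fields
        merged.append({
            "source": "ln-625", "kind": "vulnerability",
            "severity": cvss_to_severity(v["cvss"]),
            "title": f'{v["package"]} {v["version"]}: {v["id"]}',
            "location": v["manifest"],
            "remediation": v.get("fix", "no fixed version available"),
        })
    merged.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]))   # stable sort
    return merged


def security_score(findings: list[dict]) -> int:
    """Overall score: 100 minus weighted deductions, floored at 0."""
    return max(0, 100 - sum(WEIGHTS[f["severity"]] for f in findings))


def overall_status(counts: Counter) -> str:
    """Assumption: any Critical fails (Critical findings block completion),
    High or Medium warns, otherwise pass."""
    if counts["Critical"]:
        return "fail"
    if counts["High"] or counts["Medium"]:
        return "warn"
    return "pass"


def count_by_severity(findings: list[dict], kind: str) -> dict[str, int]:
    return {sev: sum(1 for f in findings if f["kind"] == kind and f["severity"] == sev)
            for sev in SEVERITY_ORDER}


def build_summary(secret_findings, vuln_findings, files_scanned: int) -> dict:
    """Step 3: the summary the coordinator returns to its parent."""
    findings = normalize(secret_findings, vuln_findings)
    counts = Counter(f["severity"] for f in findings)
    return {
        "files_scanned": files_scanned,
        "secrets": count_by_severity(findings, "secret"),
        "vulnerabilities": count_by_severity(findings, "vulnerability"),
        "score": security_score(findings),
        "status": overall_status(counts),
        "actions": [f'[{f["severity"]}] {f["title"]} ({f["location"]}): '
                    f'{ACTIONS[f["severity"]]}; {f["remediation"]}' for f in findings],
    }


# Constructed worker output (placeholder ids, not real advisories).
SAMPLE_SECRETS = [
    {"rule": "aws-access-token", "file": "config/settings.py", "severity": "critical"},
    {"rule": "generic-api-key", "file": ".env.staging", "severity": "high"},
]
SAMPLE_VULNS = [
    {"package": "example-lib", "version": "1.2.0", "id": "EXAMPLE-ADV-001",
     "cvss": 7.5, "manifest": "package.json", "fix": "upgrade to 1.2.1"},
    {"package": "example-util", "version": "0.9.0", "id": "EXAMPLE-ADV-002",
     "cvss": 5.3, "manifest": "package.json"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_summary(SAMPLE_SECRETS, SAMPLE_VULNS, files_scanned=120), indent=2))
```

Sorting by severity index with a stable sort keeps secrets ahead of dependency findings within the same severity, which is the order a reviewer wants: a leaked credential needs rotation regardless of whether the dependency fix lands.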
Phase 4: Generate Outputs
Step 1: Create/Update SECURITY.md
Use template from references/templates/security_md_template.md
If exists: update, preserve custom sections
If new: generate with placeholders
Step 2: Configure Pre-commit Hooks
If .pre-commit-config.yaml missing: create from template
If exists without gitleaks: recommend adding
Template: references/templates/precommit_config_template.yaml
Step 3: Generate CI Workflow
If .github/workflows/security.yml missing: create from template
Template: references/templates/ci_workflow_template.yaml
Include ecosystem-specific audit jobs
Step 4: Update .gitignore
Ensure secret-related patterns are present:
.env, .env.*, !.env.example (the negation must come after .env.*; a negation placed above the rule it relaxes has no effect)
*.pem, *.key
Preserve existing entries; append only the patterns that are missing
Caveat: .gitignore does not untrack files that are already committed. Check `git ls-files` for matches, remove them with `git rm --cached`, and treat any committed secret as exposed (rotate it).
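Steps 2 and 4 of this phase, as an added example that is not the skill's own code: a dependency-free check that a pre-commit config declares the gitleaks hook, a .gitignore merge that preserves existing entries and keeps negations in a working position, and the tracked-file check that .gitignore alone cannot provide. The gitleaks pre-commit repo URL and hook id are the ones the gitleaks project documents; SECURITY.md and CI workflow rendering come from references/templates and are not reproduced here. The sample config, .gitignore and tracked-file list are constructed.

```python
"""Phase 4 helpers (added example): pre-commit gitleaks check, .gitignore merge,
tracked-file check. Sample inputs are constructed."""
from __future__ import annotations

import fnmatch
import re
from typing import Iterable

GITLEAKS_REPO = "https://github.com/gitleaks/gitleaks"
GITLEAKS_HOOK_ID = "gitleaks"

# Patterns from Step 4. Order matters in .gitignore: a negation only
# re-includes a file if it appears after the rule that ignored it.
SECRET_PATTERNS = [".env", ".env.*", "!.env.example", "*.pem", "*.key"]


def precommit_has_gitleaks(config_text: str) -> bool:
    """Step 2: line-based check (no YAML dependency) that the gitleaks repo
    and the `gitleaks` hook id are both declared."""
    lines = [ln.strip().lstrip("- ").strip() for ln in config_text.splitlines()]
    has_repo = any(ln.startswith("repo:") and GITLEAKS_REPO in ln for ln in lines)
    has_hook = any(re.fullmatch(rf"id:\s*{GITLEAKS_HOOK_ID}", ln) for ln in lines)
    return has_repo and has_hook


def merge_gitignore(existing: str, patterns: list[str] = SECRET_PATTERNS) -> str:
    """Step 4: append missing patterns, preserve existing lines, stay idempotent.

    Edge case: when a positive pattern has to be appended, every negation in
    `patterns` is re-emitted after it, because a `!.env.example` already
    sitting above the new `.env.*` line would otherwise be overridden."""
    present = {ln.strip() for ln in existing.splitlines()}
    positives = [p for p in patterns if not p.startswith("!") and p not in present]
    negations = [p for p in patterns if p.startswith("!")]
    to_add = positives + negations if positives else [n for n in negations if n not in present]
    if not to_add:
        return existing
    out = existing if (not existing or existing.endswith("\n")) else existing + "\n"
    sep = "\n" if existing else ""
    return out + sep + "# secrets (added by security setup)\n" + "\n".join(to_add) + "\n"


def tracked_secret_files(tracked_paths: Iterable[str],
                         patterns: list[str] = SECRET_PATTERNS) -> list[str]:
    """Caveat check: .gitignore never untracks committed files. Flag tracked
    paths (e.g. `git ls-files` output) that the secret patterns would ignore."""
    positives = [p for p in patterns if not p.startswith("!")]
    negations = [p[1:] for p in patterns if p.startswith("!")]
    flagged = []
    for path in tracked_paths:
        name = path.rsplit("/", 1)[-1]
        if any(fnmatch.fnmatchcase(name, n) for n in negations):
            continue
        if any(fnmatch.fnmatchcase(name, p) for p in positives):
            flagged.append(path)
    return flagged


# Constructed inputs.
SAMPLE_PRECOMMIT = """repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0
    hooks:
      - id: trailing-whitespace
"""
GITLEAKS_HOOK_SNIPPET = f"""  - repo: {GITLEAKS_REPO}
    rev: v8.18.0
    hooks:
      - id: {GITLEAKS_HOOK_ID}
"""
SAMPLE_GITIGNORE = "node_modules/\n!.env.example\n*.pem\n"
SAMPLE_TRACKED = ["README.md", ".env", ".env.example", "certs/server.key", "src/app.py"]

if __name__ == "__main__":
    print("gitleaks hook present:", precommit_has_gitleaks(SAMPLE_PRECOMMIT))
    print(merge_gitignore(SAMPLE_GITIGNORE))
    print("tracked secret-pattern files:", tracked_secret_files(SAMPLE_TRACKED))
```

Any path reported by `tracked_secret_files` needs `git rm --cached` plus a rotation of whatever the file held; appending the ignore pattern alone only prevents the next commit.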
Worker Invocation (MANDATORY)
Host Skill Invocation: Skill(skill: "...", args: "...") is a mandatory delegation.
Claude: call the Skill tool exactly as shown.
Codex: if no Skill tool exists, locate the named skill in available skills, read its SKILL.md, treat args as $ARGUMENTS, execute that skill workflow, then return here with its result/artifact.
Do not inline worker logic or mark the worker complete without executing the target skill.
CRITICAL: All delegations use Agent tool with subagent_type: "general-purpose" for context isolation.
| Worker | Parallel | Purpose |
|---|---|---|
| ln-761-secret-scanner | Yes | Hardcoded secret detection |
| ln-625-dependency-reuse-auditor | Yes | Vulnerability scanning (mode=vulnerabilities_only) |
Prompt template:

```
Agent(description: "Secret scanning via ln-761",
      prompt: "Execute security scanner.
Step 1: Invoke worker:
Skill(skill: \"ln-761-secret-scanner\")
CONTEXT:
Project: {projectPath}",
      subagent_type: "general-purpose")

Agent(description: "Dependency vulnerability scan via ln-625",
      prompt: "Execute vulnerability scanner.
Step 1: Invoke worker:
Skill(skill: \"ln-625-dependency-reuse-auditor\")
CONTEXT:
Project: {projectPath}
Mode: vulnerabilities_only (only CVE scan, skip outdated/unused checks)",
      subagent_type: "general-purpose")
```
Pattern: Both workers can execute in parallel via Agent tool, then aggregate results.
Anti-Patterns:
❌ Direct Skill tool invocation without Agent wrapper
❌ Any execution bypassing subagent context isolation
❌ Calling ln-625 without mode parameter (would run full audit)
Definition of Done
Both workers (ln-761, ln-625) invoked and completed
Findings aggregated with severity classification
SECURITY.md created/updated
Pre-commit hook configured (or recommendation logged)
CI workflow generated (or recommendation logged)
.gitignore updated with secret patterns
Summary report returned to parent orchestrator
TodoWrite format (mandatory)
- Phase 1: Pre-flight check (ecosystems, tool availability, existing configs) (pending)
- Phase 2: Invoke secret scanner ln-761 and dependency auditor ln-625 in parallel (pending)
- Phase 3: Aggregate findings (pending)
- Phase 4: Generate security artifacts (pending)
- Phase 5: Return summary to parent (pending)
Meta-Analysis
Optional reference: load references/meta_analysis_protocol.md only when the user asks for post-run meta-analysis or protocol-formatted run reflection.
Skill type: planning-coordinator. When requested, run after all phases complete. Output to chat using the protocol format.
Reference Files
| File | Purpose |
|---|---|
| references/templates/security_md_template.md | Template for SECURITY.md generation |
| references/templates/precommit_config_template.yaml | Pre-commit hooks configuration |
| references/templates/ci_workflow_template.yaml | GitHub Actions security workflow |
Critical Rules
Always pass mode=vulnerabilities_only to ln-625 — full audit mode is not appropriate for bootstrap context
Preserve existing configs — if .gitleaks.toml, SECURITY.md, or .pre-commit-config.yaml exist, update rather than overwrite
Use Agent tool with subagent_type: "general-purpose" for all worker delegations (context isolation)
Never fail on missing tools — log warnings for unavailable scanners, continue with available ones
Critical findings block completion — set the overall status to fail and flag them for immediate attention in the summary returned to the parent; never report the setup as clean while a Critical finding is open
Version: 3.0.0
Last Updated: 2026-02-05