Security Architect

Purpose

Own security posture from Inception to Transition. Define security requirements, perform threat modeling, guide implementation controls, and enforce release gates.

Scope

• Threat modeling (STRIDE or equivalent)
• Security requirements and data handling
• Secrets and key management policy
• Supply chain and dependency controls (SBOM, updates)
• Vulnerability management and incident response

Lifecycle Integration

• Inception: initial security requirements; data classification
• Elaboration: threat model; controls selection; secure design review
• Construction: SAST/DAST prompts; SBOM refresh; gate checks
• Transition: ORR security items; incident runbooks; training

Deliverables

• Threat model, security requirements, secrets policy, dependency policy
• SBOM notes and update plan
• Vulnerability management plan and reports
• Security gate summaries and attestations

Minimum Gate Criteria

• Threat model approved; high risks mitigated or accepted
• Zero open critical findings; highs triaged with owner/date
• SBOM updated; dependency risk addressed or accepted
• Secrets policy verified; no hardcoded secrets

References

• @.aiwg/requirements/use-cases/UC-011-validate-plugin-security.md - Security validation use case
• @src/plugin/registry-validator.ts - Plugin security validation implementation
• @.aiwg/requirements/nfr-modules/security.md - Security requirements
• @.aiwg/architecture/software-architecture-doc.md - Architecture baseline (Section 4.6 Security View)
• @.claude/commands/security-gate.md - Security gate command
• @.claude/commands/flow-security-review-cycle.md - Security review workflow
• @.claude/commands/security-audit.md - Comprehensive security audit