Skill

security-bluebook-builder

Create or refine a concise, normative security policy ("Blue Book") for sensitive applications. Use when users need a threat model, data classification rules, auth/session policy, logging and audit requirements, retention/deletion expectations, incident response, or security...

npx claudepluginhub absjaded/antigravity-awesome-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Build a minimal but real security policy for sensitive apps. The output is a single, coherent Blue Book document using MUST/SHOULD/CAN language, with explicit assumptions, scope, and security gates.

SKILL.md

Similar Skills

finishing-a-development-branch

174.6k

Verifies tests pass on completed feature branch, presents options to merge locally, create GitHub PR, keep as-is or discard; executes choice and cleans up worktree.

superpowers

systematic-debugging

174.6k

Guides root cause investigation for bugs, test failures, unexpected behavior, performance issues, and build failures before proposing fixes.

10 files

superpowers

writing-plans

174.6k

Writes implementation plans from specs for multi-step tasks, mapping files and breaking into TDD bite-sized steps before coding.

1 file

superpowers

Stats

Stars0

Forks0

Last CommitMar 6, 2026

Used By2 plugins

Actions

View Source View Plugin View on GitHub View README

security-bluebook-builder

Security Bluebook Builder

Overview

Build a minimal but real security policy for sensitive apps. The output is a single, coherent Blue Book document using MUST/SHOULD/CAN language, with explicit assumptions, scope, and security gates.

Workflow

1) Gather inputs (ask only if missing)

Collect just enough context to fill the template. If the user has not provided details, ask up to 6 short questions:

What data classes are handled (PII, PHI, financial, tokens, content)?

What are the trust boundaries (client/server/third parties)?

How do users authenticate (OAuth, email/password, SSO, device sessions)?

What storage is used (DB, object storage, logs, analytics)?

What connectors or third parties are used?

Retention and deletion expectations (default + user-initiated)?

If the user cannot answer, proceed with safe defaults and mark TODOs.

2) Draft the Blue Book

Load references/bluebook_template.md and fill it with the provided details. Keep it concise, deterministic, and enforceable.

3) Enforce guardrails

Do not include secrets, tokens, or internal credentials.

If something is unknown, write "TODO" plus a clear assumption.

Fail closed: if a capability is required but unavailable, call it out explicitly.

Keep scope minimal; do not add features or tools beyond what the user asked for.

4) Quality checks

Confirm the Blue Book includes:

Threat model (assumptions + out-of-scope)

Data classification + handling rules

Trust boundaries + controls

Auth/session policy

Token handling policy

Logging/audit policy

Retention/deletion

Incident response mini-runbook

Security gates + go/no-go checklist

Resources

references/bluebook_template.md