Skill

security-architecture

Threat modeling, zero trust design, identity architecture, encryption strategy, and compliance mapping for software systems. Trigger: "security architecture", "threat model", "zero trust", "identity", "encryption", "compliance", "OWASP".

From sovereign-architect

Install

Run in your terminal

npx claudepluginhub javimontano/mao-sovereign-architect

Tool Access

This skill is limited to using the following tools:

ReadGlobGrepBashAgent

Supporting Assets

View in Repository

evals/evals.json

examples/sample-output.md

prompts/use-case-prompts.md

references/body-of-knowledge.md

Skill Content

Security Architecture

Design and evaluate the security posture of software systems: threat modeling, zero trust network architecture, identity and access management, encryption at rest/transit, and compliance mapping.

Guiding Principle

"Security is not a feature — it is a property of the entire system. Every boundary is a trust decision, every data flow is an attack surface."

Procedure

Step 1 — Threat Modeling

Identify system entry points, trust boundaries, and data flows (DFD Level 1)
Apply STRIDE per element: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege
Enumerate threats and score using DREAD or CVSS methodology
Map threats to existing mitigations and identify gaps
Produce a prioritized threat register with remediation recommendations

Step 2 — Zero Trust Design

Identify all network boundaries and trust zones
Design micro-segmentation strategy: service-to-service, user-to-service
Define authentication at every boundary: mTLS, JWT validation, API keys
Implement least-privilege access for all service accounts and roles
Design continuous verification: device posture, user behavior analytics

Step 3 — Identity & Access Architecture

Design identity provider topology: IdP selection, federation, SSO
Define authentication flows: OAuth 2.0 / OIDC for each client type
Design authorization model: RBAC, ABAC, or ReBAC based on requirements
Specify token strategy: lifetimes, refresh, revocation, scope management
Design privileged access management for infrastructure and admin operations

Step 4 — Encryption & Compliance

Define encryption strategy: at rest (AES-256), in transit (TLS 1.3), in use (where applicable)
Design key management: KMS, rotation policies, separation of duties
Map security controls to compliance frameworks (SOC2, PCI-DSS, GDPR, HIPAA)
Identify compliance gaps and remediation requirements
Produce a compliance control matrix with evidence mapping

Quality Criteria

Threat model covers all trust boundaries with no unmitigated critical threats
Zero trust enforced at network, application, and data layers
All secrets managed via vault/KMS with automated rotation
Compliance matrix maps every control to implementation evidence

Anti-Patterns

Perimeter-only security with implicit trust inside the network
Hardcoded secrets or credentials in source code or configuration
Over-privileged service accounts with broad wildcard permissions
Compliance checkbox approach without actual security engineering

Similar Skills

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

everything-claude-code

138.0k

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

everything-claude-code

138.0k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

everything-claude-code

138.0k

Stats

Stars0

Forks0

Last CommitMar 28, 2026

Actions

View Source View Plugin View on GitHub View README

Procedure

Step 1 — Threat Modeling

Identify system entry points, trust boundaries, and data flows (DFD Level 1)

Apply STRIDE per element: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege

Enumerate threats and score using DREAD or CVSS methodology

Map threats to existing mitigations and identify gaps

Produce a prioritized threat register with remediation recommendations

Step 2 — Zero Trust Design

Identify all network boundaries and trust zones

Design micro-segmentation strategy: service-to-service, user-to-service

Define authentication at every boundary: mTLS, JWT validation, API keys

Implement least-privilege access for all service accounts and roles

Design continuous verification: device posture, user behavior analytics

Step 3 — Identity & Access Architecture

Design identity provider topology: IdP selection, federation, SSO

Define authentication flows: OAuth 2.0 / OIDC for each client type

Design authorization model: RBAC, ABAC, or ReBAC based on requirements

Specify token strategy: lifetimes, refresh, revocation, scope management

Design privileged access management for infrastructure and admin operations

Step 4 — Encryption & Compliance

Define encryption strategy: at rest (AES-256), in transit (TLS 1.3), in use (where applicable)

Design key management: KMS, rotation policies, separation of duties

Map security controls to compliance frameworks (SOC2, PCI-DSS, GDPR, HIPAA)

Identify compliance gaps and remediation requirements

Produce a compliance control matrix with evidence mapping