How do I install security-patterns?

Run `npx skills add https://github.com/yonatangross/orchestkit --skill security-patterns` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does security-patterns support?

security-patterns works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is security-patterns free to use?

Yes. security-patterns is free to install and use. It is available from the open Skills registry published by yonatangross.

Productivity

security-patterns▌

Name: security-patterns
Availability: InStock
Author: yonatangross

yonatangross/orchestkit · updated Apr 8, 2026

$npx skills add https://github.com/yonatangross/orchestkit --skill security-patterns

summary

Comprehensive security patterns for building hardened applications. Each category has individual rule files in rules/ loaded on-demand.

skill.md

Security Patterns

Comprehensive security patterns for building hardened applications. Each category has individual rule files in rules/ loaded on-demand.

Quick Reference

Category	Rules	Impact	When to Use
Authentication	3	CRITICAL	JWT tokens, OAuth 2.1/PKCE, RBAC/permissions
Defense-in-Depth	2	CRITICAL	Multi-layer security, zero-trust architecture
Input Validation	3	HIGH	Schema validation (Zod/Pydantic), output encoding, file uploads
OWASP Top 10	2	CRITICAL	Injection prevention, broken authentication fixes
LLM Safety	3	HIGH	Prompt injection defense, output guardrails, content filtering
PII Masking	2	HIGH	PII detection/redaction with Presidio, Langfuse, LLM Guard
Scanning	3	HIGH	Dependency audit, SAST (Semgrep/Bandit), secret detection
Advanced Guardrails	2	CRITICAL	NeMo/Guardrails AI validators, red-teaming, OWASP LLM

Total: 20 rules across 8 categories

Quick Start

# Argon2id password hashing
from argon2 import PasswordHasher
ph = PasswordHasher()
password_hash = ph.hash(password)
ph.verify(password_hash, password)

# JWT access token (15-min expiry)
import jwt
from datetime import datetime, timedelta, timezone
payload = {
    'sub': user_id, 'type': 'access',
    'exp': datetime.now(timezone.utc) + timedelta(minutes=15),
}
token = jwt.encode(payload, SECRET_KEY, algorithm='HS256')

// Zod v4 schema validation
import { z } from 'zod';
const UserSchema = z.object({
  email: z.string().email(),
  name: z.string().min(2).max(100),
  role: z.enum(['user', 'admin']).default('user'),
});
const result = UserSchema.safeParse(req.body);

# PII masking with Langfuse
import re
from langfuse import Langfuse

def mask_pii(data, **kwargs):
    if isinstance(data, str):
        data = re.sub(r'\b[\w.-]+@[\w.-]+\.\w+\b', '[REDACTED_EMAIL]', data)
        data = re.sub(r'\b\d{3}-\d{2}-\d{4}\b', '[REDACTED_SSN]', data)
    return data

langfuse = Langfuse(mask=mask_pii)

Authentication

Secure authentication with OAuth 2.1, Passkeys/WebAuthn, JWT tokens, and role-based access control.

Rule	Description
`auth-jwt.md`	JWT creation, verification, expiry, refresh token rotation
`auth-oauth.md`	OAuth 2.1 with PKCE, DPoP, Passkeys/WebAuthn
`auth-rbac.md`	Role-based access control, permission decorators, MFA

Key Decisions: Argon2id > bcrypt | Access tokens 15 min | PKCE required | Passkeys > TOTP > SMS

Defense-in-Depth

Multi-layer security architecture with no single point of failure.

Rule	Description
`defense-layers.md`	8-layer security architecture (edge to observability)
`defense-zero-trust.md`	Immutable request context, tenant isolation, audit logging

Key Decisions: Immutable dataclass context | Query-level tenant filtering | No IDs in LLM prompts

Input Validation

Validate and sanitize all untrusted input using Zod v4 and Pydantic.

Rule	Description
`validation-input.md`	Schema validation with Zod v4 and Pydantic, type coercion
`validation-output.md`	HTML sanitization, output encoding, XSS prevention
`validation-schemas.md`	Discriminated unions, file upload validation, URL allowlists

Key Decisions: Allowlist over blocklist | Server-side always | Validate magic bytes not extensions

OWASP Top 10

Protection against the most critical web application security risks.

Rule	Description
`owasp-injection.md`	SQL/command injection, parameterized queries, SSRF prevention
`owasp-broken-auth.md`	JWT algorithm confusion, CSRF protection, timing attacks

Key Decisions: Parameterized queries only | Hardcode JWT algorithm | SameSite=Strict cookies

LLM Safety

Security patterns for LLM integrations including context separation and output validation.

Rule	Description
`llm-prompt-injection.md`	Context separation, prompt auditing, forbidden patterns
`llm-guardrails.md`	Output validation pipeline: schema, grounding, safety, size
`llm-content-filtering.md`	Pre-LLM filtering, post-LLM attribution, three-phase pattern

Key Decisions: IDs flow around LLM, never through | Attribution is deterministic | Audit every prompt

Context Separation (CRITICAL)

Sensitive IDs and data flow AROUND the LLM, never through it. The LLM sees only content — mapping back to entities happens deterministically after.

# CORRECT: IDs bypass the LLM
context = {"user_id": user_id, "tenant_id": tenant_id}  # kept server-side
llm_input = f"Summarize this document:\n{doc_text}"       # no IDs in prompt
llm_output = call_llm(llm_input)
result = {"summary": llm_output, **context}               # IDs reattached after

Output Validation Pipeline

Every LLM response MUST pass a 4-stage guardrail pipeline before reaching the user:

def validate_llm_output(raw_output: str, schema, sources: list[str]) -> str:
    # 1. Schema — does it match expected structure?
    parsed = schema.parse(raw_output)
    # 2. Grounding — are claims supported by source documents?
    assert_grounded(parsed, sources)
    # 3. Safety — toxicity, PII leakage, prompt leakage
    assert_safe(parsed, max_toxicity=0.5)
    # 4. Size — prevent token-bomb responses
    assert len(parsed.text) < MAX_OUTPUT_CHARS
    return parsed.text

PII Masking

PII detection and masking for LLM observability pipelines and logging.

Rule	Description
`pii-detection.md`	Microsoft Presidio, regex patterns, LLM Guard Anonymize
`pii-redaction.md`	Langfuse mask callback, structlog/loguru processors, Vault deanonymization

Key Decisions: Presidio for enterprise | Replace with type tokens | Use mask callback at init

Scanning

Automated security scanning for dependencies, code, and secrets.

Rule	Description
`scanning-dependency.md`	npm audit, pip-audit, Trivy container scanning, CI gating
`scanning-sast.md`	Semgrep and Bandit static analysis, custom rules, pre-commit
`scanning-secrets.md`	Gitleaks, TruffleHog, detect-secrets with baseline management

Key Decisions: Pre-commit hooks for shift-left | Block on critical/high | Gitleaks + detect-secrets baseline

Advanced Guardrails

Production LLM safety with NeMo Guardrails, Guardrails AI validators, and DeepTeam red-teaming.

Rule	Description
`guardrails-nemo.md`	NeMo Guardrails, Colang 2.0 flows, Guardrails AI validators, layered validation
`guardrails-llm-validation.md`	DeepTeam red-teaming (40+ vulnerabilities), OWASP LLM Top 10 compliance

Key Decisions: NeMo for flows, Guardrails AI for validators | Toxicity 0.5 threshold | Red-team pre-release + quarterly

Managed Hook Hierarchy (CC 2.1.49)

Plugin settings follow a 3-tier precedence:

Tier	Source	Overridable?
1. Managed (plugin `settings.json`)	Plugin author ships defaults	Yes, by user
2. Project (`.claude/settings.json`)	Repository config	Yes, by user
3. User (`~/.claude/settings.json`)	Personal preferences	Final authority

Security hooks shipped by OrchestKit are managed defaults — users can disable them but are warned. Enterprise admins can lock settings via managed profiles.

Anti-Patterns (FORBIDDEN)

# Authentication
user.password = request.form['password']       # Plaintext password storage
response_type=token                             # Implicit OAuth grant (deprecated)
return "Email not found"                        # Information disclosure

# Input Validation
"SELECT * FROM users WHERE name = '" + name + "'"  # SQL injection
if (file.type === 'image/png') {...}               # Trusting Content-Type header

# LLM Safety
prompt = f"Analyze for user {user_id}"             # ID in prompt
artifact.user_id = llm_output["user_id"]           # Trusting LLM-generated IDs

# PII
logger.info(f"User email: {user.email}")           # Raw PII in logs
langfuse.trace(input=raw_prompt)                   # Unmasked observability data

Detailed Documentation

Load on demand with Read("${CLAUDE_SKILL_DIR}/references/<file>"):

File	Content
`oauth-2.1-passkeys.md`	OAuth 2.1, PKCE, DPoP, Passkeys/WebAuthn
`request-context-pattern.md`	Immutable request context for identity flow
`tenant-isolation.md`	Tenant-scoped repository, vector/full-text search
`audit-logging.md`	Sanitized structured logging, compliance
`zod-v4-api.md`	Zod v4 types, coercion, transforms, refinements
`vulnerability-demos.md`	OWASP vulnerable vs secure code examples
`context-separation.md`	LLM context separation architecture
`output-guardrails.md`	Output validation pipeline implementation
`pre-llm-filtering.md`	Tenant-scoped retrieval, content extraction
`post-llm-attribution.md`	Deterministic attribution pattern
`prompt-audit.md`	Prompt audit patterns, safe prompt builder
`presidio-integration.md`	Microsoft Presidio setup, custom recognizers
`langfuse-mask-callback.md`	Langfuse SDK mask implementation
`llm-guard-sanitization.md`	LLM Guard Anonymize/Deanonymize with Vault
`logging-redaction.md`	structlog/loguru pre-logging redaction

Related Skills

api-design-framework - API security patterns
ork:rag-retrieval - RAG pipeline patterns requiring tenant-scoped retrieval
llm-evaluation - Output quality assessment including hallucination detection

Capability Details

authentication

Keywords: password, hashing, JWT, token, OAuth, PKCE, passkey, WebAuthn, RBAC, session Solves:

Implement secure authentication with modern standards
JWT token management with proper expiry
OAuth 2.1 with PKCE flow
Passkeys/WebAuthn registration and login
Role-based access control

defense-in-depth

Keywords: defense in depth, security layers, multi-layer, request context, tenant isolation Solves:

How to secure AI applications end-to-end
Implement 8-layer security architecture
Create immutable request context
Ensure tenant isolation at query level

input-validation

Keywords: schema, validate, Zod, Pydantic, sanitize, HTML, XSS, file upload Solves:

Validate input against schemas (Zod v4, Pydantic)
Prevent injection attacks with allowlists
Sanitize HTML and prevent XSS
Validate file uploads by magic bytes

owasp-top-10

Keywords: OWASP, sql injection, broken access control, CSRF, XSS, SSRF Solves:

Fix OWASP Top 10 vulnerabilities
Prevent SQL and command injection
Implement CSRF protection
Fix broken authentication

llm-safety

Keywords: prompt injection, context separation, guardrails, hallucination, LLM output Solves:

Prevent prompt injection attacks
Implement context separation (IDs around LLM)
Validate LLM output with guardrail pipeline
Deterministic post-LLM attribution

pii-masking

Keywords: PII, masking, Presidio, Langfuse, redact, GDPR, privacy Solves:

Detect and mask PII in LLM pipelines
Integrate masking with Langfuse observability
Implement pre-logging redaction
GDPR-compliant data handling