Security

Defensive engineering patterns for secure-by-default software: filesystem sandboxing, authentication, and trust boundary enforcement.

Notes

  • Filesystem Sandboxing — path traversal prevention, os.path.commonpath, chroot, and container isolation for LLM tool functions
  • Authentication and Authorization — JWT validation, OAuth2 flows (client credentials, auth code + PKCE), API keys, RBAC, IDOR, token leakage
  • Secrets Management — .env patterns, CI/CD secret injection, HashiCorp Vault, AWS Secrets Manager, rotation strategies
  • GitHub Permissions — fine-grained PATs, GITHUB_TOKEN scopes, org/repo roles, environments and deployment gates