opencode-workflow/skills/security-boundary-design/SKILL.md

---
name: security-boundary-design
description: "Knowledge contract for security boundary design. Provides principles and patterns for authentication, authorization, service identity, token propagation, tenant isolation, secret management, and audit logging. Referenced by design-architecture when defining security boundaries."
---

This is a knowledge contract, not a workflow skill. It provides theoretical guidance that the Architect references when designing security boundaries. It does not produce artifacts directly.

## Core Principles

### Defense in Depth
- Never rely on a single security boundary
- Apply security at every layer: network, service, data, application
- Assume breach: design so that compromise of one layer doesn't compromise all

### Least Privilege
- Services and users should have the minimum permissions required
- Default deny: start with no access, grant explicitly
- Rotate and expire credentials regularly

### Zero Trust
- Don't trust internal network traffic by default
- Authenticate and authorize every service-to-service call
- Encrypt data in transit, even within the internal network

## Authentication

### Patterns
- **Token-based authentication**: JWT, OAuth2 tokens
- **API key authentication**: For service-to-service and public APIs
- **Certificate-based authentication**: mTLS for internal service communication
- **Session-based authentication**: For web applications with stateful sessions

### Design Considerations
- Define where authentication happens (edge gateway, service level, or both)
- Define token format, issuer, audience, and expiration
- Define token refresh and revocation strategy
- Define credential rotation strategy
- Consider token size impact on request headers

## Authorization

### Patterns
- **RBAC (Role-Based Access Control)**: Assign permissions to roles, assign roles to users
- **ABAC (Attribute-Based Access Control)**: Assign permissions based on attributes (user, resource, environment)
- **ACL (Access Control List)**: Explicit list of who can access what
- **ReBAC (Relationship-Based Access Control)**: Permissions based on relationships between entities

### Design Considerations
- Choose the simplest model that meets PRD requirements
- Define permission granularity: coarse-grained (role-level) vs fine-grained (resource-level)
- Define where authorization is enforced (gateway, service, or both)
- Define how permissions are stored and cached
- Consider multi-tenant authorization: can users in one tenant access resources in another?

## Service Identity

### Patterns
- **Service accounts**: Each service has its own identity with specific permissions
- **Workload identity**: Identity tied to the deployment (Kubernetes service accounts, cloud IAM roles)
- **Service mesh identity**: Identity managed by the service mesh (Istio, Linkerd)

### Design Considerations
- Each service should have its own identity (no shared credentials)
- Service identity should be short-lived and automatically rotated
- Service identity should be bound to the deployment environment
- Service identity permissions should follow least privilege

## Token Propagation

### Patterns
- **Pass-through**: Gateway validates token, passes it to downstream services
- **Token exchange**: Gateway validates external token, issues internal token
- **Token relay**: Each service forwards the token to downstream services
- **Impersonation**: Service calls downstream on behalf of the user

### Design Considerations
- Define token format for internal vs external communication
- Define token lifecycle: creation, validation, refresh, revocation
- Consider token size when propagating through multiple hops
- Consider what context to propagate (user identity, tenant, permissions, correlation ID)

## Tenant Isolation

### Patterns
- **Database-level isolation**: Separate database per tenant
- **Schema-level isolation**: Separate schema per tenant, shared database
- **Row-level isolation**: Shared schema, tenant_id column with enforcement
- **Application-level isolation**: Shared infrastructure, application enforces isolation

### Design Considerations
- Choose isolation level based on PRD requirements (compliance, performance, cost)
- Row-level isolation is simplest but requires careful query filtering
- Database-level isolation provides strongest isolation but highest cost
- Define how tenant context is resolved (subdomain, header, token claim)
- Define how tenant isolation is enforced (middleware, query filter, database policy)

## Secret Management

### Patterns
- **Environment variables**: Simple, but don't support rotation well
- **Secret management service**: HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager
- **Platform-native secrets**: Kubernetes Secrets, cloud IAM role-based access
- **Configuration service**: Centralized configuration with encryption at rest

### Design Considerations
- Secrets must never be stored in code, configuration files in version control, or logs
- Define secret rotation strategy for each type of secret
- Define how services access secrets (sidecar, SDK, environment injection)
- Define audit trail for secret access
- Consider secret hierarchies (global, per-environment, per-service)

## Audit Logging

### Design Considerations
- Log all authentication and authorization events (success and failure)
- Log all data modification operations (who, what, when, from where)
- Log all administrative actions
- Define log retention period based on compliance requirements
- Define log format: structured JSON with consistent fields
- Log must be tamper-evident or append-only for compliance

## Anti-Patterns

- **Shared credentials across services**: Each service must have its own identity
- **Hard-coded secrets**: Secrets must be externalized and rotated
- **Overly broad permissions**: Grant least privilege, not convenience privilege
- **Missing authentication for internal services**: Internal traffic must also be authenticated
- **Missing audit logging for sensitive operations**: All auth events and data modifications must be logged
- **Trust based on network location**: Don't assume internal network is safe
add AGENTS 2026-04-10 11:28:45 +00:00			`---`
			`name: security-boundary-design`
			`description: "Knowledge contract for security boundary design. Provides principles and patterns for authentication, authorization, service identity, token propagation, tenant isolation, secret management, and audit logging. Referenced by design-architecture when defining security boundaries."`
			`---`

			`This is a knowledge contract, not a workflow skill. It provides theoretical guidance that the Architect references when designing security boundaries. It does not produce artifacts directly.`

			`## Core Principles`

			`### Defense in Depth`
			`- Never rely on a single security boundary`
			`- Apply security at every layer: network, service, data, application`
			`- Assume breach: design so that compromise of one layer doesn't compromise all`

			`### Least Privilege`
			`- Services and users should have the minimum permissions required`
			`- Default deny: start with no access, grant explicitly`
			`- Rotate and expire credentials regularly`

			`### Zero Trust`
			`- Don't trust internal network traffic by default`
			`- Authenticate and authorize every service-to-service call`
			`- Encrypt data in transit, even within the internal network`

			`## Authentication`

			`### Patterns`
			`- Token-based authentication: JWT, OAuth2 tokens`
			`- API key authentication: For service-to-service and public APIs`
			`- Certificate-based authentication: mTLS for internal service communication`
			`- Session-based authentication: For web applications with stateful sessions`

			`### Design Considerations`
			`- Define where authentication happens (edge gateway, service level, or both)`
			`- Define token format, issuer, audience, and expiration`
			`- Define token refresh and revocation strategy`
			`- Define credential rotation strategy`
			`- Consider token size impact on request headers`

			`## Authorization`

			`### Patterns`
			`- RBAC (Role-Based Access Control): Assign permissions to roles, assign roles to users`
			`- ABAC (Attribute-Based Access Control): Assign permissions based on attributes (user, resource, environment)`
			`- ACL (Access Control List): Explicit list of who can access what`
			`- ReBAC (Relationship-Based Access Control): Permissions based on relationships between entities`

			`### Design Considerations`
			`- Choose the simplest model that meets PRD requirements`
			`- Define permission granularity: coarse-grained (role-level) vs fine-grained (resource-level)`
			`- Define where authorization is enforced (gateway, service, or both)`
			`- Define how permissions are stored and cached`
			`- Consider multi-tenant authorization: can users in one tenant access resources in another?`

			`## Service Identity`

			`### Patterns`
			`- Service accounts: Each service has its own identity with specific permissions`
			`- Workload identity: Identity tied to the deployment (Kubernetes service accounts, cloud IAM roles)`
			`- Service mesh identity: Identity managed by the service mesh (Istio, Linkerd)`

			`### Design Considerations`
			`- Each service should have its own identity (no shared credentials)`
			`- Service identity should be short-lived and automatically rotated`
			`- Service identity should be bound to the deployment environment`
			`- Service identity permissions should follow least privilege`

			`## Token Propagation`

			`### Patterns`
			`- Pass-through: Gateway validates token, passes it to downstream services`
			`- Token exchange: Gateway validates external token, issues internal token`
			`- Token relay: Each service forwards the token to downstream services`
			`- Impersonation: Service calls downstream on behalf of the user`

			`### Design Considerations`
			`- Define token format for internal vs external communication`
			`- Define token lifecycle: creation, validation, refresh, revocation`
			`- Consider token size when propagating through multiple hops`
			`- Consider what context to propagate (user identity, tenant, permissions, correlation ID)`

			`## Tenant Isolation`

			`### Patterns`
			`- Database-level isolation: Separate database per tenant`
			`- Schema-level isolation: Separate schema per tenant, shared database`
			`- Row-level isolation: Shared schema, tenant_id column with enforcement`
			`- Application-level isolation: Shared infrastructure, application enforces isolation`

			`### Design Considerations`
			`- Choose isolation level based on PRD requirements (compliance, performance, cost)`
			`- Row-level isolation is simplest but requires careful query filtering`
			`- Database-level isolation provides strongest isolation but highest cost`
			`- Define how tenant context is resolved (subdomain, header, token claim)`
			`- Define how tenant isolation is enforced (middleware, query filter, database policy)`

			`## Secret Management`

			`### Patterns`
			`- Environment variables: Simple, but don't support rotation well`
			`- Secret management service: HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager`
			`- Platform-native secrets: Kubernetes Secrets, cloud IAM role-based access`
			`- Configuration service: Centralized configuration with encryption at rest`

			`### Design Considerations`
			`- Secrets must never be stored in code, configuration files in version control, or logs`
			`- Define secret rotation strategy for each type of secret`
			`- Define how services access secrets (sidecar, SDK, environment injection)`
			`- Define audit trail for secret access`
			`- Consider secret hierarchies (global, per-environment, per-service)`

			`## Audit Logging`

			`### Design Considerations`
			`- Log all authentication and authorization events (success and failure)`
			`- Log all data modification operations (who, what, when, from where)`
			`- Log all administrative actions`
			`- Define log retention period based on compliance requirements`
			`- Define log format: structured JSON with consistent fields`
			`- Log must be tamper-evident or append-only for compliance`

			`## Anti-Patterns`

			`- Shared credentials across services: Each service must have its own identity`
			`- Hard-coded secrets: Secrets must be externalized and rotated`
			`- Overly broad permissions: Grant least privilege, not convenience privilege`
			`- Missing authentication for internal services: Internal traffic must also be authenticated`
			`- Missing audit logging for sensitive operations: All auth events and data modifications must be logged`
			`- Trust based on network location: Don't assume internal network is safe`