Security and Safety Mindset

Intent

• Treat every change as a potential attack surface or failure amplifier.
• Ensure data classification, secret handling, and permission scopes stay compliant.
• Bake safety checks (rate limits, input validation, monitoring) into the design, not after.

Baseline Checklist

1. Threat model quickly: Who could abuse this surface? What capabilities do they need? What happens if they succeed?
2. Data stewardship: Classify data touched (PII, payments, assets) and enforce encryption, retention, and locality rules.
3. Access + identity: Validate authn/authz paths, key rotation, wallet signatures, and privilege escalation barriers.
4. Dependency hygiene: Pin versions, verify licenses, review changelogs, and prefer audited libraries/contracts.
5. Secrets + config: Never log secrets; store them in the project’s approved secret manager. Guard env var usage.

Workflow

1. Enumerate entry points (mobile UI, API, smart contract, admin tools) and list unchecked inputs.
2. Define validation layers: schema-level, business-level, and environment-level (e.g., chain ID, platform version).
3. Ensure every state change is reversible or compensatable (feature flags, contract pausing, migration guards).
4. Instrument detection: structured logs, metrics, or on-chain events that can surface abuse or regressions fast.