solomonsjoseph · solomonsjoseph · May 2, 2026 · May 2, 2026 · May 2, 2026
@@ -0,0 +1,9 @@
+# Configure actual owners before relying on this.
+# Branch protection rules must be configured in GitHub settings for CODEOWNERS to enforce review.
+
+* @solomonsjoseph
+SECURITY-OPERATING-CONTRACT.md @solomonsjoseph
+governance/** @solomonsjoseph
+context/** @solomonsjoseph
+ci/** @solomonsjoseph
+.github/** @solomonsjoseph
@@ -0,0 +1,39 @@
+# Pull Request Security Checklist
+
+## Role
+
+- [ ] Designer
+- [ ] Implementer
+- [ ] Reviewer
+- [ ] Release Reviewer
+
+## Scope
+
+Related spec:
+
+```text
+specs/...
+```
+
+## Required Checks
+
+- [ ] Scope matches approved spec.
+- [ ] Data classification impact documented.
+- [ ] Threat model impact documented.
+- [ ] Security requirements mapped.
+- [ ] Tests added/updated.
+- [ ] Abuse-case tests added/updated where applicable.
+- [ ] No secrets or restricted data in logs/prompts/test artifacts.
+- [ ] Dependencies reviewed if changed.
+- [ ] Evidence saved under `evidence/`.
+- [ ] Independent review completed.
+
+## Reviewer Verdict
+
+- [ ] PASS
+- [ ] PASS WITH MINOR NOTES
+- [ ] BLOCKED
+
+## Evidence Links
+
+-
@@ -0,0 +1,20 @@
+name: Security Baseline
+
+on:
+  pull_request:
+  push:
+    branches: [ main ]
+
+permissions:
+  contents: read
+
+jobs:
+  methodology-verification:
+    name: Verify Secure-AI-Flow methodology files
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Verify methodology baseline
+        run: bash scripts/verify-methodology.sh
@@ -0,0 +1,21 @@
+name: Security Methodology Check
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+permissions:
+  contents: read
+
+jobs:
+  methodology-structure:
+    name: Verify Secure-AI-Flow structure
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run methodology structure check
+        run: bash scripts/check-security-methodology.sh
@@ -0,0 +1,18 @@
+name: Security Methodology Guard
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  verify-methodology:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Verify methodology structure
+        run: bash scripts/verify-methodology.sh
@@ -0,0 +1,21 @@
+# OS/editor noise
+.DS_Store
+Thumbs.db
+*.swp
+*.tmp
+
+# Local environment/secrets
+.env
+.env.*
+*.pem
+*.key
+*.p12
+*.pfx
+
+# Build/cache noise
+node_modules/
+__pycache__/
+.pytest_cache/
+.coverage
+dist/
+build/
@@ -0,0 +1,122 @@
+# CLAUDE.md
+
+You are operating inside Secure-AI-Flow, a security-first AI system delivery methodology.
+
+## Required Reading Order
+
+Before any design, implementation, review, or release work, read:
+
+1. `SECURITY-OPERATING-CONTRACT.md`
+2. `governance/00-risk-appetite-and-authority.md`
+3. `governance/01-control-standard-map.md`
+4. `governance/02-human-approval-policy.md`
+5. `governance/03-regulatory-obligations.md`
+6. `context/01-product-charter.md`
+7. `context/02-data-classification-and-privacy.md`
+8. `context/03-system-context-and-trust-boundaries.md`
+9. `context/04-threat-model.md`
+10. `context/05-secure-architecture.md`
+11. `context/06-security-requirements.md`
+12. `context/07-agent-security-model.md`
+13. `context/08-design-system-and-ux-rules.md`
+14. `context/09-secure-coding-standards.md`
+15. `context/10-testing-and-verification.md`
+16. `context/11-supply-chain-security.md`
+17. `context/12-observability-and-incident-response.md`
+18. `context/13-reviewer-playbook.md`
+19. `context/14-progress-risk-and-evidence-register.md`
+20. `context/15-security-stress-test-matrix.md`
+
+## Operating Rules
+
+- Security comes before features.
+- Design comes before implementation.
+- Evidence comes before approval.
+- Least privilege comes before automation.
+- Independent review comes before merge.
+- Do not invent missing requirements.
+- Do not weaken security invariants.
+- Do not add dependencies without review.
+- Do not expose secrets or restricted data.
+- Do not approve your own implementation.
+- Stop and mark `BLOCKED` when requirements conflict or evidence is missing.
+
+## Role Selection
+
+Before acting, state which role you are operating as:
+
+```text
+DESIGNER
+IMPLEMENTER
+REVIEWER
+RELEASE REVIEWER
+```
+
+If the requested task mixes roles, split the work. Do not design, implement, and approve in the same role pass.
+
+## Designer Rules
+
+The Designer may:
+
+```text
+- Create or update specs.
+- Update data classification.
+- Update system context and trust boundaries.
+- Update threat model and abuse cases.
+- Propose secure architecture decisions.
+- Define acceptance criteria and required evidence.
+```
+
+The Designer must not:
+
+```text
+- Write production code.
+- Approve implementation.
+- Skip threat modeling.
+```
+
+## Implementer Rules
+
+The Implementer may:
+
+```text
+- Implement exactly one approved spec at a time.
+- Add required tests.
+- Update evidence files.
+- Update progress/risk/evidence register.
+```
+
+The Implementer must not:
+
+```text
+- Expand scope.
+- Add dependencies without review.
+- Weaken security gates.
+- Approve its own work.
+- Ignore missing requirements.
+```
+
+## Reviewer Rules
+
+The Reviewer must return one of:
+
+```text
+PASS
+PASS WITH MINOR NOTES
+BLOCKED
+```
+
+The Reviewer must cite evidence for every claim and must block if evidence is missing.
+
+## Completion Rule
+
+A task is complete only when:
+
+1. The implementation matches the approved spec.
+2. Functional tests pass.
+3. Security tests pass.
+4. Threat model impact is documented.
+5. Data classification impact is documented.
+6. Dependency impact is documented.
+7. Evidence is stored under `evidence/`.
+8. Independent review returns `PASS`.
@@ -0,0 +1,43 @@
+# Push Commands for Secure-AI-Flow
+
+Use these commands to push this package into the GitHub repository.
+
+## Terminal Method
+
+Assume the downloaded zip is named `Secure-AI-Flow-security-first-methodology.zip`.
+
+```bash
+mkdir -p /tmp/secure-ai-flow-template
+unzip Secure-AI-Flow-security-first-methodology.zip -d /tmp/secure-ai-flow-template
+
+git clone git@github.com:solomonsjoseph/Secure-AI-Flow.git /tmp/Secure-AI-Flow-repo
+rsync -a --exclude='.git' /tmp/secure-ai-flow-template/Secure-AI-Flow/ /tmp/Secure-AI-Flow-repo/
+
+cd /tmp/Secure-AI-Flow-repo
+bash scripts/verify-methodology.sh
+git add .
+git commit -m "Add Secure-AI-Flow security-first methodology"
+git branch -M main
+git push -u origin main
+```
+
+## HTTPS with GitHub CLI
+
+```bash
+mkdir -p /tmp/secure-ai-flow-template
+unzip Secure-AI-Flow-security-first-methodology.zip -d /tmp/secure-ai-flow-template
+
+gh repo clone solomonsjoseph/Secure-AI-Flow /tmp/Secure-AI-Flow-repo
+rsync -a --exclude='.git' /tmp/secure-ai-flow-template/Secure-AI-Flow/ /tmp/Secure-AI-Flow-repo/
+
+cd /tmp/Secure-AI-Flow-repo
+bash scripts/verify-methodology.sh
+git add .
+git commit -m "Add Secure-AI-Flow security-first methodology"
+git branch -M main
+git push -u origin main
+```
+
+## Manual GitHub Web Upload
+
+Manual upload works, but it is worse because hidden files like `.github/workflows/security-methodology-guard.yml` and `.gitignore` are easy to miss. Terminal push is cleaner.
@@ -0,0 +1,56 @@
+# Push This Methodology to GitHub
+
+Repository:
+
+```text
+https://github.com/solomonsjoseph/Secure-AI-Flow.git
+```
+
+## Option A: GitHub CLI
+
+```bash
+gh auth login
+cd Secure-AI-Flow
+git init
+git branch -M main
+git add .
+git commit -m "Initialize Security-First AI Flow methodology"
+git remote add origin https://github.com/solomonsjoseph/Secure-AI-Flow.git
+git push -u origin main
+```
+
+## Option B: SSH
+
+```bash
+cd Secure-AI-Flow
+git init
+git branch -M main
+git add .
+git commit -m "Initialize Security-First AI Flow methodology"
+git remote add origin git@github.com:solomonsjoseph/Secure-AI-Flow.git
+git push -u origin main
+```
+
+## Option C: GitHub Web UI
+
+1. Open the empty repository.
+2. Upload all files and folders from this package.
+3. Commit to `main`.
+4. Confirm `.github/workflows/security-baseline.yml` runs.
+5. Configure branch protection for `main`.
+
+## Recommended Branch Protection
+
+In GitHub repository settings, configure:
+
+```text
+- Require pull request before merging.
+- Require status checks to pass.
+- Require the Security Baseline workflow.
+- Require review from CODEOWNERS.
+- Restrict who can dismiss reviews.
+- Block force pushes.
+- Block deletion of main.
+```
+
+Do not paste access tokens into chat. Use GitHub CLI, SSH keys, or the official GitHub app/connector permissions.