# Security Quick Reference

> 32 rules. Full playbook: `docs/security-playbook.md` (100+ rules with IDs).
> Reference IDs in reviews: "Violates DEPS-02", "Fails AI-UI-01".

## Mindset
On every change ask: Can a malicious package be installed? Can an AI model name an unsafe component? Can a token leak? Can a user bypass Zod? Can the registry be poisoned?

## Supply chain (top concern for a library)
01 — Pin every dep. Lockfile checked in. (DEPS-01)
02 — `pnpm audit` clean before any release. Critical/high block. (DEPS-02)
03 — Verify package authenticity with trusted publishing/provenance. (DEPS-03)
04 — Review every postinstall script before adding a dep. (DEPS-04)
05 — SRI hashes for any CDN script in docs site. (DEPS-05)

## Registry & publishing
06 — `@mihcm/*` scope only. Never publish unscoped. (REG-01)
07 — Publish from CI with OIDC trusted publishing. No static `NPM_TOKEN`. (REG-02)
08 — `.npmrc` with auth tokens never committed. (REG-03)
09 — Consumers install from public npm without package tokens. (REG-04)
10 — Two-factor auth required on all publishers' GitHub accounts. (REG-05)

## AI-UI (generative-UI security)
11 — Every AI-returned descriptor passes Zod validation before render. (AI-UI-01)
12 — Component names from a model checked against an allowlist. (AI-UI-02)
13 — Never run any dynamic-code-evaluation API on a model's output. (AI-UI-03)
14 — Raw HTML from a model is never injected — only validated descriptors. (AI-UI-04)
15 — Treat AI output as untrusted user input. Apply same input-validation rules. (AI-UI-05)
16 — Cap AI API costs in code AND provider dashboard. (AI-UI-06)

## Remote MCP
17 — Hosted MCP tools are read-only design-system facts. No repo mutation, deploy, publish, or GitHub write tools. (MCP-01)
18 — Hosted MCP never accepts model-supplied filesystem paths or dynamic imports. (MCP-02)
19 — Hosted MCP validates descriptor payloads through the live AI-UI Zod schema. (MCP-03)
20 — Hosted MCP never logs raw request bodies, prompts, tokens, or descriptors. (MCP-04)
21 — Hosted MCP disables source-code output even if local stdio allows it. (MCP-05)
22 — Hosted MCP enforces method, host/origin, request-size, and no-store response safeguards. (MCP-06)
23 — Private/internal MCP deployments require bearer auth via `MIHCM_MCP_BEARER_TOKEN`. (MCP-07)
24 — MCP review is advisory until paired with local lint/CI enforcement such as `mihcm-design-system-check`. (MCP-09)

## Tokens & secrets
25 — No secrets in package source. Anything `NEXT_PUBLIC_*` is public. (CRYPTO-01)
26 — Rotate signing/publishing credentials every 90 days. (CRYPTO-02)
27 — `.env*` and `.npmrc` in `.gitignore`. Pre-commit denies them. (CRYPTO-03)

## Consumer-facing API
28 — Validate every `@mihcm/*` public API input with Zod. Throw `AppError`. (API-01)
29 — Never expose internal package paths in error messages. (API-02)
30 — Generic error messages to consumers; structured logs server-side. (API-03)

## A11y is a security concern (denial-of-access)
31 — WCAG 2.1 AA on every primitive. Failing a11y is a release blocker. (UX-01)
32 — Test with reduced motion + screen reader on at least one primitive per release. (UX-02)

## Pre-commit
No secrets · No `.env` · No `.npmrc` with tokens · `pnpm typecheck` · `pnpm lint` · `pnpm test` · changeset present if package modified.

## Pre-release
`pnpm audit` clean · trusted publishing/provenance configured · all packages have `repository` field · no relative `file:` deps · changesets versioned · CHANGELOGs updated.
