Guardian
Role
The Guardian runs in parallel with the Reviewer during SHIP. Where the Reviewer checks correctness and quality, the Guardian checks security and compliance. It is a blocking gate: a PR cannot merge if the Guardian finds a critical- or high-severity issue.
The Guardian applies mandate_7 (Security Baseline) as its primary framework, with OWASP Top 10 and STRIDE threat modeling as the underlying methodology.
Responsibilities
- OWASP Top 10 scan — check for injection, broken auth, XSS, IDOR, security misconfiguration, etc.
- STRIDE threat model — apply Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege analysis
- Mandate compliance — run all security-category mandates against the PR diff
- Dependency CVE scan — check newly added dependencies for known CVEs
- Secret detection — scan for accidentally committed API keys, passwords, tokens
- License compliance — verify new dependencies are MIT/Apache/BSD (mandate_8)
Skills
| Skill | Description |
|---|---|
| owasp.scan | Pattern-matches the PR diff against OWASP Top 10 vulnerability patterns |
| stride.analyze | Applies STRIDE threat modeling to new surfaces |
| mandate.security | Runs all security-category mandates |
| cve.check | Checks new dependencies against the OSV vulnerability database |
| secret.scan | Scans for accidentally committed secrets |
| license.check | Validates dependency licenses |
When dispatched
- SHIP: in parallel with the Reviewer, after all Builder PRs are open
Severity levels
| Severity | Action |
|---|---|
| critical | Block PR; sprint moves to BLOCKED; inbox item created |
| high | Block PR; sprint moves to BLOCKED; inbox item created |
| medium | PR comment added; Builder must fix before merge |
| low | Informational PR comment; does not block |
| info | Logged; not surfaced to user |
Sample system prompt excerpt
You are the Guardian agent for Defiant 2.0.
You are performing a security and compliance audit on a pull request.
PR diff: <diff>{{ prDiff }}</diff>
New dependencies added: <deps>{{ newDeps }}</deps>
Active security mandates: <mandates>{{ securityMandates }}</mandates>
Run the following checks:
OWASP Top 10:
- A01 Broken Access Control: Are there authorization checks on new routes/data access?
- A02 Cryptographic Failures: Is sensitive data encrypted in transit and at rest?
- A03 Injection: Are all DB queries parameterized? Is user input sanitized?
- A04 Insecure Design: Does the design make insecure states impossible?
- A05 Security Misconfiguration: Are defaults secure? Is debug mode off?
- A06 Vulnerable Components: CVE check on new deps.
- A07 Auth Failures: Is session management correct? Are tokens short-lived?
- A08 Software Integrity: Are dependencies pinned?
- A09 Logging Failures: Are security events logged?
- A10 SSRF: Are server-side URL fetches validated?
Secret scan: grep for patterns matching API keys, passwords, connection strings.
Output findings with: severity, location (file:line), description, remediation.
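As an added illustration (not part of Defiant's own Guardian code), the following Python sketch shows the secret-scan step and the output schema above working end to end: it walks a unified diff, checks only added lines against a few secret patterns, reports each finding with the severity, location (file:line), description and remediation fields the prompt asks for, and applies the severity table to decide whether the PR is blocked. The regex patterns, the remediation text and the sample diff are constructed assumptions, since the page prescribes none.

```python
import re
# Constructed, illustrative patterns: the page names the categories (API keys,
# passwords, connection strings) but prescribes no concrete regexes.
SECRET_PATTERNS = [
    ("AWS access key ID", r"\bAKIA[0-9A-Z]{16}\b", "critical"),
    ("Hard-coded password", r"(?i)\bpassword\s*[=:]\s*['\"][^'\"]{6,}['\"]", "high"),
    ("Connection string with credentials", r"\b\w+://[^:/\s]+:[^@\s]+@[^\s'\"]+", "high"),
]
REMEDIATION = "Remove and rotate the secret; load it from the environment or a secret store"
BLOCKING = {"critical", "high"}  # rows of the severity table that close the gate

def scan_diff(diff: str) -> list[dict]:
    """Scan only the added lines of a unified diff, tracking the new-file line
    number from each @@ header so every finding carries a file:line location."""
    findings, path, line_no = [], "?", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith(("--- ", "diff ", "index ", "\\")):
            continue
        m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
        if m:
            line_no = int(m.group(1))
            continue
        if raw.startswith("-"):
            continue  # removed line: consumes no new-file line number
        if raw.startswith("+"):
            for desc, pattern, sev in SECRET_PATTERNS:
                if re.search(pattern, raw[1:]):
                    findings.append({"severity": sev, "location": f"{path}:{line_no}",
                                     "description": desc, "remediation": REMEDIATION})
        line_no += 1  # context and added lines both occupy a new-file line
    return findings

def blocks_merge(findings: list[dict]) -> bool:
    """Severity table: any critical or high finding blocks the PR."""
    return any(f["severity"] in BLOCKING for f in findings)

# Constructed sample diff in the shape of the {{ prDiff }} input above
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,4 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.test"]
-DATABASE_URL = os.environ["DATABASE_URL"]
+DATABASE_URL = "postgres://app:hunter2pass@db.internal:5432/app"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_KEY = os.environ.get("API_KEY")
"""
```

On the sample diff this reports a high finding at config/settings.py:11 and a critical one at :12, leaves the environment-backed API_KEY line alone, and returns a blocking verdict.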