Secure Development Policy (A.8.25)

Document ID: secure-development-policy
Version: 1.0
Effective from: 2025-01-01
Owner: Founder / CEO
Review cycle: Annual

Purpose

Define security requirements embedded throughout the software development lifecycle (SDLC) for SigmaShake's cloud-native TypeScript/Rust/Python codebase.

Secure-by-default principles

No secrets in code — All secrets stored in Cloudflare Secrets Store. Governance hook (ssg hook eval) blocks template-literal SQL interpolation and secret patterns in commits.
Input validation — All API inputs validated at route entry before reaching application logic. External data treated as untrusted.
No eval, no unsafe — Cloudflare Workers have no eval; Rust code uses #![forbid(unsafe_code)] where applicable.
Dependency pinning — bun.lock / Cargo.lock committed. Dependabot monitors for CVEs daily.

Development workflow

Branch protection

All changes via pull request (PR) — no direct pushes to main
Required PR review for sensitive paths (enforced by branch-protection collector)
Signed commits encouraged; merge commits are Ed25519-verified via CI

Code review checklist

Before merging any PR:

No secrets or PII in diff
SQL queries use parameterised bindings (.bind())
New external inputs validated
No new any types without justification
Evidence collectors updated if controls change

Dependency management

dep-vulns collector runs daily and reports Dependabot alerts
Critical/high CVEs must be patched within 72 hours
Dependencies reviewed for licence compatibility before adoption

Pre-commit governance

The ssg hook eval daemon evaluates every Write/Edit/Bash tool call against .sigmashake/rules/ governance rules. This provides a per-operation compliance gate for AI-assisted development.

Active rules:

no-sql-interpolation — blocks raw SQL template literals
ts_write_safety — blocks dangerous TypeScript patterns
secret-file-blocking — blocks writing known secret patterns

Threat modelling

Architecture decisions are captured in THREAT_MODEL.md. Significant changes to data flows or trust boundaries require updating the threat model (A.8.27, architecture-review attestation).

Security testing

Static analysis: TypeScript typecheck (tsc --noEmit) on every PR
Dependency scanning: Dependabot + dep-vulns collector
Penetration testing: Annual external pentest (see pen-test-report collector)

Evidence

Collector	Cadence	Control
`branch-protection`	Daily	A.8.25, A.8.26, A.8.31
`dep-vulns`	Daily	A.8.7, A.8.8, A.8.26, A.8.29
`rule-eval-integrity`	Daily	A.5.36, A.8.28
`merge-activity`	Daily	A.8.25, A.8.32
`pen-test-report`	Quarterly	A.5.35, A.8.29

Purpose​

Secure-by-default principles​

Development workflow​

Branch protection​

Code review checklist​

Dependency management​

Pre-commit governance​

Threat modelling​

Security testing​

Evidence​