plugins/ruflo-security-audit/docs/adrs/0001-security-audit-contract.md
ruflo-security-audit (v0.2.0) — security review + dependency scanning + policy gates + CVE monitoring. 1 agent (security-auditor), 2 skills (security-scan, dependency-check), 1 command (/audit).
Drives npx @claude-flow/cli@latest security scan|audit|cve|threats|validate|report (CLI commands, not dedicated MCP tools — the security CLI command surface lives in v3/@claude-flow/cli/src/commands/security.ts).
Pairs with two sibling contracts:
security-findings); AIDefence cross-reference block; Verification + Architecture Decisions sections.

0.2.0 (already at the cadence). Keywords add mcp, cve-monitoring, policy-gates, shell-injection.

scripts/smoke.sh — 10 structural checks:

- version + keywords
- both skills + agent + command with valid frontmatter
- v3.6 pin
- namespace coordination
- AIDefence 3-gate cross-reference
- audit_1776853149979 pattern catalog intact (execSync template-literals, numeric MCP inputs, package specs, loader-hijack env, plaintext secrets, MCP stdin DoS)
- ADR Proposed
- no wildcard tools

Positive: the audit_1776853149979 pattern catalog is now smoke-checked as a regression-prevention contract. Plugin joins the cadence.
Negative: none material.
```bash
bash plugins/ruflo-security-audit/scripts/smoke.sh
# Expected: "10 passed, 0 failed"
```
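The smoke script above is a structural check (the pattern catalog entries are present, the ADR is Proposed, no wildcard tools). The following is an added example, not code from the ruflo-security-audit plugin or from smoke.sh, showing what three of the catalog's patterns look like as content checks: a line-based detector for the "execSync template-literals" shell-injection pattern, the argv-style hardened form of the flagged call, and a strict parser for "numeric MCP inputs". The function names (`findShellTemplateCalls`, `gitLogArgv`, `parseBoundedInt`), the `SAMPLE_SOURCE` snippet and the ref allowlist are assumptions made for illustration.

```javascript
// Added example (not part of the ruflo-security-audit plugin or its smoke.sh):
// three checks in the spirit of the audit_1776853149979 pattern catalog.
// All names below (findShellTemplateCalls, gitLogArgv, parseBoundedInt,
// SAMPLE_SOURCE) are assumptions for illustration.

// 1. Detector for the "execSync template-literals" pattern: a child_process
//    call whose first argument is a template literal with ${...} interpolation.
//    Line-based and regex-driven, so it only sees single-line literals; a
//    production checker would walk the AST instead.
const SHELL_TEMPLATE_RE = /\b(execSync|exec|spawnSync|spawn)\s*\(\s*`[^`]*\$\{/;

function findShellTemplateCalls(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    if (SHELL_TEMPLATE_RE.test(text)) {
      findings.push({ line: idx + 1, text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample source: one injectable call, one argv-style call, one
// template literal without interpolation (noise the detector must ignore).
const SAMPLE_SOURCE = [
  "import { execSync, execFileSync } from 'node:child_process';",
  'export function gitLog(ref) {',
  '  return execSync(`git log -1 ${ref}`).toString();',
  '}',
  'export function gitLogSafe(ref) {',
  "  return execFileSync('git', ['log', '-1', ref]).toString();",
  '}',
  'const banner = execSync(`git --version`).toString();',
].join('\n');

// 2. Hardened form of the flagged call: allowlist the untrusted value and build
//    an argv array for execFileSync (no shell, so metacharacters are inert).
//    The first character must be alphanumeric, so the value cannot start with
//    '-' and be parsed as an option. The allowlist is deliberately narrow.
const GIT_REF_RE = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,127}$/;

function gitLogArgv(ref) {
  if (typeof ref !== 'string' || !GIT_REF_RE.test(ref)) {
    throw new Error(`refusing ref ${JSON.stringify(ref)}`);
  }
  return ['git', 'log', '-1', ref]; // use as execFileSync(argv[0], argv.slice(1))
}

// 3. "Numeric MCP inputs": JSON-borne values may arrive as numbers or digit
//    strings; accept only safe integers inside [min, max], never coerce silently
//    (Number('') is 0 and Number('1e3') is 1000, so plain Number() is not enough).
function parseBoundedInt(raw, min, max) {
  let n;
  if (typeof raw === 'number') {
    n = raw;
  } else if (typeof raw === 'string' && /^-?\d{1,15}$/.test(raw.trim())) {
    n = Number(raw.trim());
  } else {
    throw new TypeError(`expected integer, got ${JSON.stringify(raw)}`);
  }
  if (!Number.isSafeInteger(n) || n < min || n > max) {
    throw new RangeError(`${n} outside [${min}, ${max}]`);
  }
  return n;
}

// Stand-alone run: report findings the way a smoke check would.
const findings = findShellTemplateCalls(SAMPLE_SOURCE);
for (const f of findings) {
  console.log(`shell-injection candidate at line ${f.line}: ${f.text}`);
}
console.log(findings.length === 0 ? 'pass' : `fail (${findings.length} finding(s))`);
```

Run with `node`; on the constructed sample it reports exactly one candidate (the interpolated `execSync` call) and ignores both the `execFileSync` argv call and the non-interpolated template literal. The ref allowlist is tighter than what git itself accepts; widen it only with `--end-of-options` or an equivalent guard in place, since the argv form removes the shell but not option injection.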
- plugins/ruflo-aidefence/docs/adrs/0001-aidefence-contract.md — canonical 3-gate runtime pattern this plugin's static analysis complements
- plugins/ruflo-jujutsu/docs/adrs/0001-jujutsu-contract.md — diff analysis substrate this plugin runs on for PR-time auditing
- plugins/ruflo-agentdb/docs/adrs/0001-agentdb-optimization.md — namespace convention
- v3/@claude-flow/cli/src/commands/security.ts — security scan|audit|cve|threats|validate|report CLI command surface