Skip to content

Security & Documentation

Workflows for verifying security posture per phase and generating/updating project documentation grounded in the live codebase.

Security workflow

New in v2.1.0.

/secure-phase

Per-phase security verification using the STRIDE threat model.

/secure-phase 3             # verify security for phase 3

What it does:

  1. Reads PLAN.md threat data and SUMMARY.md security flags
  2. Scans files modified in the phase for common security patterns
  3. Builds a STRIDE threat register (Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation)
  4. Classifies each threat as OPEN or CLOSED
  5. Presents open threats for resolution (verify, accept, or review individually)
  6. Writes SECURITY.md using the security template

STRIDE categories:

Category Question
**S**poofing Can someone pretend to be someone else?
**T**ampering Can someone modify data they shouldn't?
**R**epudiation Can actions be denied after the fact?
**I**nfo Disclosure Can sensitive data leak?
**D**enial of Service Can the system be made unavailable?
**E**levation of Privilege Can someone gain unauthorized access?

Threat dispositions:

  • Mitigate — implementation required to close the threat
  • Accept — documented risk with rationale in the Accepted Risks Log
  • Transfer — handled by a third-party service

Output: .planning/phases/[phase]/[phase]-SECURITY.md

Agent: learnship-security-auditor (read-only — does not modify source code)

Config: workflow.security_enforcement (default: true). Set to false to disable.

Learning checkpoint: learn — security patterns

/docs-update

Generate, update, and verify project documentation against the live codebase.

/docs-update                # full documentation pipeline
/docs-update --force        # skip confirmations

What it does:

  1. Detects project type (monorepo, CLI tool, SaaS, open-source library, generic)
  2. Builds a documentation queue from always-on + conditional docs
  3. For each doc: creates if new, updates stale sections if existing
  4. Verifies all factual claims against the codebase (file paths, commands, config)
  5. Commits all documentation

Always-on docs (every project):

  1. README.md
  2. ARCHITECTURE.md
  3. GETTING-STARTED.md
  4. DEVELOPMENT.md
  5. TESTING.md
  6. CONFIGURATION.md

Conditional docs (if signal detected):

Signal Doc
API routes detected API.md
LICENSE file exists CONTRIBUTING.md
Deploy config detected DEPLOYMENT.md

CHANGELOG.md is never queued — it's manually maintained.

Agent: learnship-doc-writer (verifies file paths exist, commands work, config matches schema)

Learning checkpoint: explain — articulate what was documented