red-team-adversariallisted

# Red Team / Adversarial Testing ## Overview This skill applies **adversarial thinking** to code changes: instead of checking against a compliance list (that's what `security_guardrails.md` does), it actively asks "how would an attacker exploit this change?" and "what breaks under extreme conditions?" It complements — never replaces — the existing OWASP security scan in `/review`. ## Ironclad Rules 1. **No bypass of governance**: This skill executes within `/review` and `/test` phases only. It cannot override gates, skip phases, or alter classification. 2. **Severity honesty**: Only mark CRITICAL when there is a concrete, exploitable attack path with evidence (file:line). Speculative risks are HIGH at most. 3. **Additive only**: Red Team findings supplement existing security findings — never contradict or override them. ## When to Use (Auto-Trigger Matrix) AI MUST check the task classification from the Work Log and apply this matrix automatically: ``` Classification │ /review │ /test ──────────────────────┼──────────────────┼───────────────── tiny-fix │ — │ — quick-win │ — │ — hotfix │ Lite Red Team │ Lite Adversarial (1-2 cases) feature │ Full Red Team │ Adversarial Cases architecture-change │ Full Red Team │ Adversarial Cases + Beast Mode ``` **Auto-trigger logic**: During `/review` or `/test`, read `Classification:` from the active Work Log. If classifica