Install: claude install-skill andresnator/agents-orchestrator
# Skill: java-secure-coding
## Activation Contract
Use this skill when reviewing or designing Java code for secure coding practices: input validation, trust boundaries, injection, serialization/deserialization, sensitive data, resource exhaustion, mutability, access control, and third-party code risk.
Do **not** use this skill for full threat modeling, compliance audits, cryptography design, infrastructure hardening, or non-Java security work.
## Responsibility
This skill teaches Java secure-coding review based on Java platform concerns and Oracle Secure Coding Guidelines. It does not call other skills, certify security, or replace a formal security review.
## Required Context
- Data sources and trust boundaries.
- Inputs accepted and outputs generated.
- Sensitive data handled.
- Resource-intensive operations.
- Serialization, reflection, XML, SQL, command execution, or third-party dependencies involved.
## Context Budget
- Keep this `SKILL.md` focused on secure-coding decisions.
- Use `references/java-secure-coding-guidance.md` for checklist details.
## Hard Rules
- Establish trust boundaries before judging input safety.
- Validate and canonicalize untrusted input before use.
- Avoid dynamic SQL; use parameterized statements or safe higher-level APIs.
- Do not log secrets or expose sensitive data in exceptions.
- Release resources and defend against resource exhaustion.
- Treat deserialization, XML, reflection, JNDI, command execution, and third-party code as hig
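
An added example for the "validate and canonicalize untrusted input" rule above; it is not part of this skill's own files. It contrasts a check on the raw string with a check on the canonical path, where the class name, the `BASE` directory and the sample file names are assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

public class CanonicalizeThenValidate {

    // Hypothetical upload root (assumption); this directory is the trust boundary.
    private static final Path BASE =
            Paths.get("/srv/app/uploads").toAbsolutePath().normalize();

    // Weak form: inspects the raw string, but the code later uses the resolved path.
    static boolean naiveCheck(String name) {
        return !name.startsWith("/") && !name.startsWith("..");
    }

    // Canonicalize first, then validate the canonical form against the boundary.
    static Path resolveInsideBase(String untrusted) {
        if (untrusted == null || untrusted.isEmpty() || untrusted.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("rejected name"); // no input echoed back
        }
        // resolve() returns the argument itself if it is absolute; normalize()
        // collapses "." and ".." lexically. InvalidPathException extends
        // IllegalArgumentException, so malformed names are rejected the same way.
        Path candidate = BASE.resolve(untrusted).normalize();
        // Path.startsWith compares whole name elements, not string prefixes,
        // so "/srv/app/uploads-old" does not count as inside BASE.
        if (!candidate.startsWith(BASE) || candidate.equals(BASE)) {
            throw new IllegalArgumentException("rejected name");
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        List<String> samples = List.of("report.pdf", "a/../b.txt",
                "docs/../../../etc/passwd", "/etc/passwd");
        for (String s : samples) {
            String verdict;
            try {
                verdict = "accept " + resolveInsideBase(s);
            } catch (IllegalArgumentException e) {
                verdict = "reject";
            }
            System.out.printf("%-26s naive=%-5b canonical=%s%n", s, naiveCheck(s), verdict);
        }
    }
}
```

`normalize()` is purely lexical and does not follow symbolic links; when the target already exists, compare `toRealPath()` results instead.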