This is a comprehensive security checklist that enforces the kind of paranoid thinking production code actually needs. It walks you through OWASP Top 10 prevention with real TypeScript examples, from parameterized queries and bcrypt hashing to helmet middleware and Zod validation at route boundaries. The three-tier boundary system (always do, ask first, never do) is genuinely useful for keeping security decisions consistent across a codebase. The npm audit triage decision tree alone is worth the read, because it gives you a framework for prioritizing CVE fixes instead of treating every moderate-severity warning like a five-alarm fire. If you're touching auth, user input, or external APIs, this covers the non-negotiables.
npx skills add https://github.com/addyosmani/agent-skills --skill security-and-hardening