Security rules an agent should remember

Security guidance works best when it is boring and always present. A seed pack does not replace review, but it can keep the agent from making the easy mistakes:

• never commit secrets
• validate at trust boundaries
• use parameterized queries
• avoid logging PII or tokens
• keep Docker images small and non-root
• pin infrastructure versions deliberately

@rulepack/security-basics is the general memory. @rulepack/docker and @rulepack/terraform add deployment-specific guardrails.