From 60b0c4e8c17463e7c14fd8dd40bff56f36f20c6d Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Sun, 22 Mar 2026 10:12:41 -0700 Subject: [PATCH] docs: update project documentation for v0.9.10.0 Co-Authored-By: Claude Opus 4.6 (1M context) --- CHANGELOG.md | 19 +++++++++++++++++++ CLAUDE.md | 1 + README.md | 5 +++-- VERSION | 2 +- docs/skills.md | 22 ++++++++++++++++++++++ 5 files changed, 46 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d88f8d8..00f16ebe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,24 @@ # Changelog +## [0.9.10.0] - 2026-03-22 — Community Security Wave + +### Added + +- **`/cso` — Chief Security Officer audit.** Run `/cso` on any codebase for an OWASP Top 10 + STRIDE threat model scan. Checks injection, auth, crypto, access control, and six more categories. Each finding includes severity, evidence, and a fix. Community contribution from the HMAKT99 batch. +- **`browse storage` now redacts secrets automatically.** Tokens, JWTs, API keys, GitHub PATs, and Bearer tokens are detected by both key name (`auth_token`, `session`, `api_key`, etc.) and value prefix (`eyJ`, `sk-`, `ghp_`, `xox`). You see `[REDACTED — 42 chars]` instead of the secret. No more accidentally pasting credentials into your conversation. +- **Azure metadata endpoint blocked.** The existing SSRF protection for `browse goto` now also blocks `metadata.azure.internal` — closing the last cloud provider gap alongside AWS and GCP. + +### Fixed + +- **`gstack-slug` hardened against shell injection.** The slug script output is now sanitized to alphanumeric, dot, dash, and underscore only. Prevents shell metacharacter injection when the output is consumed via `eval`. New test validates the character allowlist. +- **Orphaned Chromium processes cleaned up on restart.** When the browse server restarts or loses connection, it now kills the old server process before starting a new one. No more zombie browsers accumulating. +- **CI workflow YAML lint error fixed.** Nested mapping in compact sequence entries in `skill-docs.yml` now uses proper block syntax. + +### For contributors + +- **Community PR triage process documented.** CONTRIBUTING.md now includes the wave-based triage pattern: categorize, deduplicate, collector branch, close with context, ship as one PR. References PR #205 as the original example. 
+- **Storage redaction test coverage.** Four new tests verify key-based redaction, value-based prefix detection, pass-through for normal values, and length preservation in redacted output. + ## [0.9.9.0] - 2026-03-21 — Harder Office Hours ### Changed diff --git a/CLAUDE.md b/CLAUDE.md index 6adb48b9..237fcfda 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -75,6 +75,7 @@ gstack/ ├── investigate/ # /investigate skill (systematic root-cause debugging) ├── retro/ # Retrospective skill ├── document-release/ # /document-release skill (post-ship doc updates) +├── cso/ # /cso skill (OWASP Top 10 + STRIDE security audit) ├── setup # One-time setup: build binary + symlink skills ├── SKILL.md # Generated from SKILL.md.tmpl (don't edit directly) ├── SKILL.md.tmpl # Template: edit this, run gen:skill-docs diff --git a/README.md b/README.md index 5a032b3e..23e0f916 100644 --- a/README.md +++ b/README.md 
@@ -16,7 +16,7 @@ In the last 60 days I have written **over 600,000 lines of production code** — Same person. Different era. The difference is the tooling. -**gstack is how I do it.** It is my open source software factory. It turns Claude Code into a virtual engineering team you actually manage — a CEO who rethinks the product, an eng manager who locks the architecture, a designer who catches AI slop, a paranoid reviewer who finds production bugs, a QA lead who opens a real browser and clicks through your app, and a release engineer who ships the PR. Eighteen specialists and seven power tools, all as slash commands, all Markdown, **all free, MIT license, available right now.** +**gstack is how I do it.** It is my open source software factory. It turns Claude Code into a virtual engineering team you actually manage — a CEO who rethinks the product, an eng manager who locks the architecture, a designer who catches AI slop, a paranoid reviewer who finds production bugs, a QA lead who opens a real browser and clicks through your app, and a release engineer who ships the PR. Nineteen specialists and seven power tools, all as slash commands, all Markdown, **all free, MIT license, available right now.** I am learning how to get to the edge of what agentic systems can do as of March 2026, and this is my live experiment. I am sharing it because I want the whole world on this journey with me. 
@@ -143,6 +143,7 @@ One sprint, one person, one feature — that takes about 30 minutes with gstack. | `/land-and-deploy` | **Release Engineer** | Merge the PR, wait for CI and deploy, verify production health. Takes over after `/ship`. One command from "approved" to "verified in production." | | `/canary` | **SRE** | Post-deploy monitoring loop. Watches for console errors, performance regressions, and page failures. Periodic screenshots and anomaly detection. | | `/benchmark` | **Performance Engineer** | Baseline page load times, Core Web Vitals, and resource sizes. Compare before/after on every PR. Catch bundle size regressions before they ship. | +| `/cso` | **Chief Security Officer** | OWASP Top 10 + STRIDE threat modeling security audit. Scans your codebase for injection, auth, crypto, and access control issues. | | `/document-release` | **Technical Writer** | Update all project docs to match what you just shipped. Catches stale READMEs automatically. | | `/retro` | **Eng Manager** | Team-aware weekly retro. Per-person breakdowns, shipping streaks, test health trends, growth opportunities. | | `/browse` | **QA Engineer** | Give the agent eyes. Real Chromium browser, real clicks, real screenshots. ~100ms per command. | 
@@ -206,7 +207,7 @@ Same tools, different outcome — because gstack gives you structured roles and The models are getting better fast. The people who figure out how to work with them now — really work with them, not just dabble — are going to have a massive advantage. This is that window. Let's go. -Eighteen specialists and seven power tools. All slash commands. All Markdown. All free. **[github.com/garrytan/gstack](https://github.com/garrytan/gstack)** — MIT License +Nineteen specialists and seven power tools. All slash commands. All Markdown. All free. **[github.com/garrytan/gstack](https://github.com/garrytan/gstack)** — MIT License > **We're hiring.** Want to ship 10K+ LOC/day and help harden gstack? > Come work at YC — [ycombinator.com/software](https://ycombinator.com/software) diff --git a/VERSION b/VERSION index 94688c2a..82e28fcb 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.9.9.0 +0.9.10.0 diff --git a/docs/skills.md b/docs/skills.md index 315b5ce7..afbac0d2 100644 --- a/docs/skills.md +++ b/docs/skills.md 
@@ -15,6 +15,7 @@ Detailed guides for every gstack skill — philosophy, workflow, and examples. | [`/qa`](#qa) | **QA Lead** | Test your app, find bugs, fix them with atomic commits, re-verify. Auto-generates regression tests for every fix. | | [`/qa-only`](#qa) | **QA Reporter** | Same methodology as /qa but report only. Use when you want a pure bug report without code changes. | | [`/ship`](#ship) | **Release Engineer** | Sync main, run tests, audit coverage, push, open PR. Bootstraps test frameworks if you don't have one. One command. | +| [`/cso`](#cso) | **Chief Security Officer** | OWASP Top 10 + STRIDE threat modeling security audit. Scans for injection, auth, crypto, and access control issues. | | [`/document-release`](#document-release) | **Technical Writer** | Update all project docs to match what you just shipped. Catches stale READMEs automatically. | | [`/retro`](#retro) | **Eng Manager** | Team-aware weekly retro. Per-person breakdowns, shipping streaks, test health trends, growth opportunities. | | [`/browse`](#browse) | **QA Engineer** | Give the agent eyes. Real Chromium browser, real clicks, real screenshots. ~100ms per command. | 
@@ -524,6 +525,27 @@ A lot of branches die when the interesting work is done and only the boring rele --- +## `/cso` + +This is my **Chief Security Officer**. + +Run `/cso` on any codebase and it performs an OWASP Top 10 + STRIDE threat model audit. It scans for injection vulnerabilities, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, XSS, insecure deserialization, known-vulnerable components, and insufficient logging. Each finding includes severity, evidence, and a recommended fix. + +``` +You: /cso + +Claude: Running OWASP Top 10 + STRIDE security audit... + + CRITICAL: SQL injection in user search (app/models/user.rb:47) + HIGH: Session tokens stored in localStorage (app/frontend/auth.ts:12) + MEDIUM: Missing rate limiting on /api/login endpoint + LOW: X-Frame-Options header not set + + 4 findings across 12 files scanned. 1 critical, 1 high. +``` + +--- + ## `/document-release` This is my **technical writer mode**.
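Review bot: In the CHANGELOG.md hunk (`@@ -1,5 +1,24 @@`), the `browse storage` entry promises redaction of "GitHub PATs", but of the value prefixes it lists (`eyJ`, `sk-`, `ghp_`, `xox`) only `ghp_` is a GitHub prefix, and that matches classic tokens only. Fine-grained PATs start with `github_pat_`, and no listed prefix corresponds to the "Bearer tokens" the sentence also names. Either extend the prefix list or narrow the wording, and soften "No more accidentally pasting credentials", since a key-name and prefix heuristic will miss secrets stored under other names or formats. In the same hunk, the `gstack-slug` entry says the output is still consumed via `eval` and the allowlist keeps dot and dash, so state whether a leading `-` or a bare `..` is rejected and whether the `eval` itself can be replaced. The Azure entry's "closing the last cloud provider gap" claims more than one blocked hostname supports; list what is actually blocked instead.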
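Review bot: The specialist count in the README.md hunk at `@@ -16,7 +16,7 @@` ("Eighteen" to "Nineteen") is a hand-maintained number that this patch has to change a second time in the hunk at `@@ -206,7 +207,7 @@`, while the skills table gains its `/cso` row separately. Consider dropping the exact count or generating it from the table so the three places cannot drift when the next skill lands.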
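Review bot: The category list in the new `/cso` section of docs/skills.md (`@@ -524,6 +525,27 @@`) follows the 2017 edition of the OWASP Top 10 (XML external entities, XSS and insecure deserialization as separate items, insufficient logging), but the text only says "OWASP Top 10". Name the edition, or update the list if the skill follows the 2021 edition, which folds XXE and XSS into other categories and adds SSRF, insecure design, and software and data integrity failures. The sample output also undercuts "Each finding includes severity, evidence, and a recommended fix": the MEDIUM and LOW lines carry no file reference, none of the four findings shows a fix, and nothing in the section shows what the STRIDE half of the audit produces.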