AP-004 — Security by design
The system is secure by default. An engineer who wants to reduce a security control has to make a deliberate, documented decision to do so. The burden of proof runs the other way.
No standing production access: every session is time-limited, approved, and recorded. All secrets live in a vault with automatic rotation. Least privilege everywhere. Zero trust between services. All data encrypted at rest and in transit. All actions logged, immutably.
Security is not a feature sprint added at the end. It is baked into the infrastructure templates, the CI pipeline, and the CLAUDE.md for every repo.
Applied to AI-assisted development. Claude Code must never generate code that hardcodes secrets, disables authentication, skips input validation, or creates permissive access controls for any reason. Any such code in a PR is a blocker.
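The PR blocker above is easiest to enforce as a mechanical gate rather than a review-time judgement call. The following is an added illustration, not code from this document's platform or from Claude Code: a small CI-style scanner that reads a unified diff, looks only at the lines a PR adds, and flags each of the four classes named in the principle (hardcoded secrets, disabled authentication, skipped validation, permissive access controls). The regex rules, the file paths, and the sample diff are all constructed for the example and are deliberately narrow; a real gate would layer a dedicated secret scanner on top of them.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line_no: int   # line number in the post-change file
    text: str


# One regex per class of change the principle names as a blocker.
# Patterns are constructed for this example and intentionally conservative.
RULES = {
    "hardcoded-secret": re.compile(
        r"""(?i)(password|passwd|secret|api_?key|token)\s*[:=]\s*["'][^"'\s]{8,}["']"""
    ),
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "auth-disabled": re.compile(
        r"(?i)\b(require_auth|auth(entication)?_?(required|enabled)|verify_jwt)\s*[:=]\s*(false|0)\b"
    ),
    "tls-verify-off": re.compile(r"(?i)\bverify\s*=\s*False\b"),
    "permissive-acl": re.compile(
        r'0\.0\.0\.0/0|chmod\s+777|"Principal"\s*:\s*"\*"|"Action"\s*:\s*"\*"'
    ),
    "validation-skipped": re.compile(r"(?i)skip_validation\s*=\s*True|validate\s*=\s*False"),
}

# Unified-diff hunk header; we only need the starting line of the new-file side.
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan only the lines a PR adds. Removed and context lines are not the PR's doing."""
    findings: list[Finding] = []
    path = "<unknown>"
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")   # new-file path for subsequent hunks
            continue
        if raw.startswith("--- ") or raw.startswith("diff --git"):
            continue
        header = HUNK_HEADER.match(raw)
        if header:
            new_line = int(header.group(1))
            continue
        if raw.startswith("-"):
            continue                             # removed line: no new-file line number
        content = raw[1:] if raw[:1] in "+ " else raw
        if raw.startswith("+"):
            for rule, pattern in RULES.items():
                if pattern.search(content):
                    findings.append(Finding(rule, path, new_line, content.strip()))
        new_line += 1                            # added and context lines both advance
    return findings


def pr_is_blocked(diff_text: str) -> bool:
    """Any finding blocks the PR; the principle leaves no severity threshold to argue over."""
    return bool(scan_diff(diff_text))


# Constructed sample PR: a secret and an access key hardcoded, auth switched off,
# and a security group opened to the world. Key value is an obvious placeholder.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2hunter2"
+AWS_KEY = "AKIAEXAMPLEKEY000000"
+REQUIRE_AUTH = False
 DEBUG = False
diff --git a/infra/sg.tf b/infra/sg.tf
--- a/infra/sg.tf
+++ b/infra/sg.tf
@@ -10,2 +10,3 @@
 ingress {
+  cidr_blocks = ["0.0.0.0/0"]
   from_port   = 22
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"BLOCKER [{f.rule}] {f.path}:{f.line_no}: {f.text}")
    raise SystemExit(1 if pr_is_blocked(SAMPLE_DIFF) else 0)
```

Run against a PR's `git diff origin/main...HEAD` output in CI, the non-zero exit status is what turns a finding into a merge blocker; the rule name and new-file line number in the output give the engineer the exact place to fix, or to write the documented exception the principle requires.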
KISS check: Every security control must be justified by a specific threat. Security theatre — controls that create paperwork without meaningfully reducing risk — violates this principle and AP-001 simultaneously.
See also: Security architecture for platform implementation.
Relationship to other principles
| Principle | Relationship |
|---|---|
| AP-001 KISS | Security theatre violates both principles simultaneously — every control needs a specific threat justification. |
| AP-002 Data governance | PII handling rules and encryption requirements are shared between data governance and security. |
| AP-003 Compliance by design | The three lines of defence in system roles implement both compliance and security controls. |
| AP-007 Evolution by design | Security controls baked into infrastructure templates evolve with the system without requiring rework. |
See the full architectural principles index.