
Security: EdwinFermin/innvox


docs/security.md

Security policy

Enforced by the security-reviewer agent and `npx reins verify --only security`.

Secrets

  • No hard-coded credentials, API keys, tokens, or private keys. Use environment variables or a secrets manager.
  • Never write secrets to logs or stdout. Keep .env files out of version control.
  • The secret scanner runs on edits, on pre-commit, and in CI; any finding blocks.

Dependencies

  • Every new dependency must be necessary, reputable, and pinned.
  • The dependency audit blocks at severity high or above by default (tune via `security.depsAudit.failOn` in `reins.config.json`).

Input handling

  • Validate and bound all untrusted input before it reaches a shell, query, file path, or deserializer.
  • Fail closed: when in doubt, reject the input.

When to invoke the security-reviewer

Any change touching authentication, input parsing, file/network IO, secrets, or dependencies.
