Security policy should be repository-local and versioned.

• Do not commit secrets
• Prefer boring dependencies and explicit interfaces
• Document new trust boundaries before implementing them

When services and clients are introduced, document:

• Authn and authz model
• Secret management
• Data classification
• External service boundaries
• Security review checklist