Skill 16 - Security, Reliability, and Performance

Security Rules

  • Never store secrets in source code.
  • Use user secrets for local development and a secret manager in production.
  • Validate all external input.
  • Encode output according to context.
  • Use parameterized queries or EF Core LINQ, never string-concatenated SQL with untrusted input.
  • Use HTTPS and secure cookies for web apps.
  • Apply authentication and authorization at server boundaries.
  • Keep dependencies and runtimes patched.
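
The parameterized-query rule above, shown as an added example (not part of the original skill file): the string-concatenated form beside the parameterized form, run against the same input. It assumes the Microsoft.Data.Sqlite NuGet package; the users table, its rows, the input string, and the names QueryDemo, CountConcatenated and CountParameterized are constructed for illustration.

```csharp
using System;
using Microsoft.Data.Sqlite; // assumption: Microsoft.Data.Sqlite package is referenced

static class QueryDemo
{
    // 'Before' form the rule forbids: untrusted input is concatenated into
    // the SQL text, so the database parses it as SQL rather than as a value.
    public static long CountConcatenated(SqliteConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'";
        return (long)cmd.ExecuteScalar()!;
    }

    // Hardened form: the SQL text is a constant and the input travels
    // separately as a bound parameter, so it can only ever be compared as data.
    public static long CountParameterized(SqliteConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM users WHERE name = $name";
        cmd.Parameters.AddWithValue("$name", name);
        return (long)cmd.ExecuteScalar()!;
    }

    public static void Main()
    {
        // Constructed in-memory database so the example runs offline.
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using (var setup = conn.CreateCommand())
        {
            setup.CommandText =
                "CREATE TABLE users (name TEXT NOT NULL);" +
                "INSERT INTO users VALUES ('alice'), ('bob');";
            setup.ExecuteNonQuery();
        }

        // Constructed untrusted input containing a quote and a boolean clause.
        string input = "x' OR '1'='1";

        Console.WriteLine($"concatenated:  {CountConcatenated(conn, input)} row(s) matched");
        Console.WriteLine($"parameterized: {CountParameterized(conn, input)} row(s) matched");
    }
}
```

With the constructed input, the concatenated query matches every row in the table, while the parameterized query matches none because no user has that literal name.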

Reliability Rules

  • Use structured logging.
  • Include correlation/request IDs when available.
  • Use cancellation tokens for I/O and long-running operations.
  • Add retries only for transient failures and only when operations are safe to retry.
  • Use timeouts for external calls.
  • Handle partial failure explicitly.
  • Use health checks for hosted services.

Performance Rules

  • Measure before optimizing.
  • Avoid needless allocations in hot paths.
  • Stream large payloads.
  • Use async I/O on servers.
  • Page large query results.
  • Avoid N+1 database calls.
  • Cache only when invalidation is understood.
  • Prefer compiled/generated regex and source-generated JSON for hot paths.

Cross-Platform Rules

  • Use Path APIs for filesystem paths.
  • Respect case-sensitive filesystems.
  • Avoid Windows-only assumptions unless the target is Windows-only.
  • Test on Linux when deploying to Linux.
