II.
ScopeBoundary JSON
Structured · live · scope-boundary:security-review.scope
scope-boundary:security-review.scope json
Inspect the normalized record payload exactly as the atlas UI reads it.
{
"id": "scope-boundary:security-review.scope",
"_kind": "ScopeBoundary",
"_file": "sourceref-scope/scope-boundaries/security-review.yaml",
"_cluster": "sourceref-scope",
"attributes": {
"subjectId": "skill:security-review",
"inScope": "Static review of pending diffs for OWASP-Top-10-class vulnerabilities\nin application code — injection (SQL, command, template), broken\nauth/session handling, IDOR, SSRF, XXE, hardcoded secrets, insecure\ndeserialization, and missing input validation. Produces structured\nreview comments tied to specific lines.\n",
"outOfScope": "Penetration testing, dynamic analysis, fuzzing, dependency-vulnerability\nscanning (delegated to SCA tools), threat modeling of unmodified code,\ncryptographic primitive design review, and compliance attestation\n(SOC2, ISO 27001).\n",
"outOfScopeReasonIds": [
"out-of-scope-reason:runtime-only",
"out-of-scope-reason:implementation-detail"
]
},
"outgoingEdges": [
{
"from": "scope-boundary:security-review.scope",
"to": "skill:security-review",
"kind": "bounds_subject"
}
],
"incomingEdges": []
}