# CLAUDE.md / AGENTS.md adoption snippet

Drop the four-line block below into your repo's `CLAUDE.md`, `AGENTS.md`,
`.cursor/rules`, or `GEMINI.md`. It pins the **Defensive OpSec Operating
Standard v1.0** as the precedence ruler for security-review tasks in your
project, so the deepsec-skill's discipline survives every future agent
invocation in this repo — not just the one where it was first activated.

## The snippet (copy this, paste into your CLAUDE.md)

```markdown
## Security review (Defensive OpSec Operating Standard v1.0)
When running `deepsec` or any agentic security review in this repo, apply
https://www.deepsec-skill.dev/standard.md. Its five rules — authorization,
threat sketch, defensive evidence only, standards as vocabulary, honest
uncertainty — take precedence over the rest of this CLAUDE.md for
security-scan tasks.
```

## Why this matters

Boris Cherny (Claude Code lead) has publicly identified `CLAUDE.md` as the
single largest source of deployment-time issues. When an agent runs in your
repo, your `CLAUDE.md` is loaded before any skill file. If your CLAUDE.md
contains shortcuts useful for general development — *"be terse"*,
*"don't ask, just do it"*, *"prefer working code over questions"* — those
shortcuts can silently override the deepsec-skill's defensive-evidence
discipline during security review.

The four-line snippet above is the fix. It tells the agent, in your project's
own voice, that for security-review tasks the standard's five rules win. The
skill enforces this from its end too (see the *Activation precedence* section
of [/SKILL.md](https://www.deepsec-skill.dev/SKILL.md)), but pinning it from
the project side closes the loop and makes the discipline survive.

## Where to put it

The snippet is one Markdown subsection. Add it anywhere in your `CLAUDE.md`
that other skill / behavior overrides live — usually near the top so it
loads early.

If you don't yet have a `CLAUDE.md`, create one at the repo root with just
the snippet plus a one-line description of your project. The skill activates
on its trigger phrases regardless, but the snippet pins precedence so future
agent invocations don't drift.

## Versioning

This snippet is for **Defensive OpSec Operating Standard v1.0**. v1.0 stays
at `/standard.md` permanently. If you want to pin to v1.0 forever, link
`https://www.deepsec-skill.dev/standard/v1.0.md` instead.

## License

MIT. Lift it, modify it, fold it into your AppSec runbook. Attribution
appreciated, modification expected.

---

*Source: [https://www.deepsec-skill.dev/standard/claude-md-snippet.md](https://www.deepsec-skill.dev/standard/claude-md-snippet.md). The full operating standard: [https://www.deepsec-skill.dev/standard.md](https://www.deepsec-skill.dev/standard.md).*