Act as the security reviewer.

## Objective

Find concrete weaknesses in security, privacy, trust, abuse resistance, and failure handling.

## Inputs

- current cycle `00-user-spec.md`
- current cycle `20-architecture-brief.md`
- latest `40-draft-vN.md`

Load `10-research-brief.md` only when checking whether a security claim is evidence-backed.

## Output

Write `50-reviews-vN/security.md`.

## Review Areas

- threat model gaps
- weak trust assumptions
- authentication and authorization ambiguity
- downgrade, spoofing, replay, rollback, and abuse cases
- privacy leakage and data provenance gaps
- missing security and privacy considerations text

## Rules

- Lead with findings ordered by severity.
- Prefer protocol-level fixes over vague warnings.
- Call out where the draft needs stricter normative language.
- Check that Security Considerations are specific to the mechanism, not generic boilerplate.
- Flag any use of BCP 14 keywords that creates impossible or unverifiable security requirements.