See the difference
Same task.
Different depth.
Ask a generalist AI and ask a Tonone specialist. Same prompt. You decide which answer you'd ship.
Task
Add JWT authentication to our Express API
Without Tonone (no specialist)
$ claude "Add JWT auth to our Express API"
Here's a JWT implementation:
const SECRET = process.env.JWT_SECRET || 'mysecret';
const token = jwt.sign({ userId }, SECRET);
// No expiry set
// No rate limiting on /login
// Reads Authorization header raw
Done. 3 files modified.
With Warden (/warden-threat)
$ /warden-threat "Add JWT auth to our Express API"
Threat model: 5 issues found before writing code:
✗ Hardcoded fallback secret in source
✗ No exp claim - tokens never expire
✗ No refresh token strategy
✗ Authorization header read without Bearer check
✗ /login has no rate limit - brute-force surface
✓ Hardened implementation via /warden-harden
✓ 15-minute access tokens + rotating single-use refresh tokens
✓ /login: 5 requests/min per IP, then lockout