mirror of
https://github.com/garrytan/gstack.git
synced 2026-05-01 19:25:10 +02:00
Garry Tan
a4a181ca92
* feat: extend gstack-diff-scope with SCOPE_MIGRATIONS, SCOPE_API, SCOPE_AUTH
Three new scope signals for Review Army specialist activation:
- SCOPE_MIGRATIONS: db/migrate/, prisma/migrations/, alembic/, *.sql
- SCOPE_API: *controller*, *route*, *endpoint*, *.graphql, openapi.*
- SCOPE_AUTH: *auth*, *session*, *jwt*, *oauth*, *permission*, *role*
* feat: add 7 specialist checklist files for Review Army
- testing.md (always-on): coverage gaps, flaky patterns, security enforcement
- maintainability.md (always-on): dead code, DRY, stale comments
- security.md (conditional): OWASP deep analysis, auth bypass, injection
- performance.md (conditional): N+1 queries, bundle impact, complexity
- data-migration.md (conditional): reversibility, lock duration, backfill
- api-contract.md (conditional): breaking changes, versioning, error format
- red-team.md (conditional): adversarial analysis, cross-cutting concerns
All use standard header with JSON output schema and NO FINDINGS fallback.
* feat: Review Army resolver — parallel specialist dispatch + merge
New resolver in review-army.ts generates template prose for:
- Stack detection and specialist selection
- Parallel Agent tool dispatch with learning-informed prompts
- JSON finding collection, fingerprint dedup, consensus highlighting
- PR quality score computation
- Red Team conditional dispatch
Registered as REVIEW_ARMY in resolvers/index.ts.
* refactor: restructure /review template for Review Army
- Replace Steps 4-4.75 with CRITICAL pass + {{REVIEW_ARMY}}
- Remove {{DESIGN_REVIEW_LITE}} and {{TEST_COVERAGE_AUDIT_REVIEW}}
(subsumed into Design and Testing specialists respectively)
- Extract specialist-covered categories from checklist.md
- Keep CRITICAL + uncovered INFORMATIONAL in main agent pass
* test: Review Army — 14 diff-scope tests + 7 E2E tests
- test/diff-scope.test.ts: 14 tests for all 9 scope signals
- test/skill-e2e-review-army.test.ts: 7 E2E tests
Gate: migration safety, N+1 detection, delivery audit,
quality score, JSON findings
Periodic: red team, consensus
- Updated gen-skill-docs tests for new review structure
- Added touchfile entries and tier classifications
* docs: update SELF_LEARNING_V0.md with Release 2 status + Release 2.5
Mark Release 2 (Review Army) as in-progress. Add Release 2.5 for
deferred expansions (E1 adaptive gating, E3 test stubs, E5 cross-review
dedup, E7 specialist tracking).
* chore: bump version and changelog (v0.14.3.0)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
61 lines
2.9 KiB
Markdown
61 lines
2.9 KiB
Markdown
# Security Specialist Review Checklist
|
|
|
|
Scope: When SCOPE_AUTH=true OR (SCOPE_BACKEND=true AND diff > 100 lines)
|
|
Output: JSON objects, one finding per line. Schema:
|
|
{"severity":"CRITICAL|INFORMATIONAL","confidence":N,"path":"file","line":N,"category":"security","summary":"...","fix":"...","fingerprint":"path:line:security","specialist":"security"}
|
|
If no findings: output `NO FINDINGS` and nothing else.
|
|
|
|
---
|
|
|
|
This checklist goes deeper than the main CRITICAL pass. The main agent already checks SQL injection, race conditions, LLM trust, and enum completeness. This specialist focuses on auth/authz patterns, cryptographic misuse, and attack surface expansion.
|
|
|
|
## Categories
|
|
|
|
### Input Validation at Trust Boundaries
|
|
- User input accepted without validation at controller/handler level
|
|
- Query parameters used directly in database queries or file paths
|
|
- Request body fields accepted without type checking or schema validation
|
|
- File uploads without type/size/content validation
|
|
- Webhook payloads processed without signature verification
|
|
|
|
### Auth & Authorization Bypass
|
|
- Endpoints missing authentication middleware (check route definitions)
|
|
- Authorization checks that default to "allow" instead of "deny"
|
|
- Role escalation paths (user can modify their own role/permissions)
|
|
- Direct object reference vulnerabilities (user A accesses user B's data by changing an ID)
|
|
- Session fixation or session hijacking opportunities
|
|
- Token/API key validation that doesn't check expiration
|
|
|
|
### Injection Vectors (beyond SQL)
|
|
- Command injection via subprocess calls with user-controlled arguments
|
|
- Template injection (Jinja2, ERB, Handlebars) with user input
|
|
- LDAP injection in directory queries
|
|
- SSRF via user-controlled URLs (fetch, redirect, webhook targets)
|
|
- Path traversal via user-controlled file paths (../../etc/passwd)
|
|
- Header injection via user-controlled values in HTTP headers
|
|
|
|
### Cryptographic Misuse
|
|
- Weak hashing algorithms (MD5, SHA1) for security-sensitive operations
|
|
- Predictable randomness (Math.random, rand()) for tokens or secrets
|
|
- Non-constant-time comparisons (==) on secrets, tokens, or digests
|
|
- Hardcoded encryption keys or IVs
|
|
- Missing salt in password hashing
|
|
|
|
### Secrets Exposure
|
|
- API keys, tokens, or passwords in source code (even in comments)
|
|
- Secrets logged in application logs or error messages
|
|
- Credentials in URLs (query parameters or basic auth in URL)
|
|
- Sensitive data in error responses returned to users
|
|
- PII stored in plaintext when encryption is expected
|
|
|
|
### XSS via Escape Hatches
|
|
- Rails: .html_safe, raw() on user-controlled data
|
|
- React: dangerouslySetInnerHTML with user content
|
|
- Vue: v-html with user content
|
|
- Django: |safe, mark_safe() on user input
|
|
- General: innerHTML assignment with unsanitized data
|
|
|
|
### Deserialization
|
|
- Deserializing untrusted data (pickle, Marshal, YAML.load, JSON.parse of executable types)
|
|
- Accepting serialized objects from user input or external APIs without schema validation
|