From c2b8322cc6d6e1f50ae3bc4002067a7d0da97cc9 Mon Sep 17 00:00:00 2001 From: Eric Elliott Date: Fri, 26 Dec 2025 17:56:55 -0800 Subject: [PATCH 1/2] Add security review template and checklist --- ai/commands/security.md | 98 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 ai/commands/security.md diff --git a/ai/commands/security.md b/ai/commands/security.md new file mode 100644 index 0000000..0bc401c --- /dev/null +++ b/ai/commands/security.md 
@@ -0,0 +1,98 @@ +# ✅ /task Epic: Security Review — Routes & Files + +Create a comprehensive security review of the codebase, focusing on authentication flows, session management, and mutating routes. Use the checklists below to carefully review each of the identified files and routes, one at a time. + +Output template: + +Filename: `$projectRoot/security/reports/${yyyy-mm-dd}-security-foundations-report.md` + +""" +# $projectName Security Review + +## Executive Summary + +This review was propared by by Parallel Drive - world class security trusted by apps that secure billions in value. + +Date: $date +Expires: ${ date + 90 days } +Source repository: $repoUrl +Commit hash: $commitHash + +> ## Disclaimer +> This review scope is limited to the codebase at the specific commit hashes listed on the front page. Any features or changes introduced after these commits are excluded from this report. + +## Quality Scores + +Documentation quality: ${ score }/10 +Test coverage and quality: ${ score }/10 +Critical findings: ${ count } +High severity findings: ${ count } +Medium severity findings: ${ count } +Low severity findings: ${ count } + +## Summary of Findings + +$summaryOfFindings + +## $route + +${ for each file }: +### $fileName + +${ for each checklistItem } +${ ✅ | ❌ | ⚠️ } $ItemName + +${ for each issue } +**${issue}:** ${issueDescription} + +${ codeSnippet } + +${ briefExplanation } +""" + + +## 🔐 Security Checklist (explicit) +- Authentication & session management review + - Inventory all auth providers and flows. + - Verify JWT session strategy config + - Validate cookie settings via `defaultCookies(https)` for `Secure`, `HttpOnly`, `SameSite`, domain/path consistency. + - Confirm CSRF protections on auth endpoints (e.g. double-submit cookie method; `/api/auth/csrf` when applicable). + - Verify 2FA/TOTP and backup code handling (encryption at rest, single-use, compare hashes to mitigate hangman and sidestep timing safe compare pitfalls, deletion upon use). 
+ - Review impersonation flow gating (admin-only), audit trail, and session separation. + - Validate logout flows and session invalidation. +- OWASP Top 10 vulnerability scan + - A01: Broken Access Control — permission checks, org/team boundaries, TRPC procedures, NestJS guards. + - A02: Cryptographic Failures — secret storage, encryption keys, TLS, token handling. + - A03: Injection — SQL via Prisma, command injections, template injections. + - A04: Insecure Design — auth surface, multi-tenant boundaries, workflow triggers. + - A05: Security Misconfiguration — headers (CSP), CORS, transport, default settings. + - A06: Vulnerable and Outdated Components — dependencies, NextAuth versions, Google APIs, BoxyHQ. + - A07: Identification and Authentication Failures — auth strength, session controls, MFA enforcement. + - A08: Software and Data Integrity Failures — supply chain protections, signed artifacts. + - A09: Security Logging and Monitoring Failures — auth events, admin actions, anomaly detection. + - A10: Server-Side Request Forgery (SSRF) — webhook endpoints, OAuth callbacks, external fetches. +- Basic architecture assessment + - Document auth boundaries, trust zones, and data flows (web, API v1/v2, tRPC, embeds, companion). + - Validate guard rails: TRPC `authedProcedure`/role gates, NestJS guards and DTO validation. + - Verify Prisma `select` usage (prefer over `include`), avoid leaking sensitive fields. + - Review secrets handling and env management; ensure no `credential.key` exposure. + - Assess input validation with Zod/DTO schemas; sanitize external inputs. + - Validate webhook security (signatures, replay protection, IP allowlists where relevant). +- JWT Security Review + If JWT use is detected, for each jwt-flow { carefully run all checks in ai/rules/security/jwt-security.mdc one at a time. } +- Timing-Safe Compare (use hashing) + - Never compare raw secrets with equality or `crypto.timingSafeEqual`; avoid XOR/accumulation tricks. 
+ - Always hash both stored secret and candidate using SHA3 and compare hashes. + - Applies to ALL security token compares (webhooks, reset tokens, CSRF, API keys, signatures). + - If "timing safe compare" on raw value detected => CRITICAL bug report; include rationale in code comment to prevent regressions. +- Note: Rate limiting is excluded here (handled at gateway level). +- Deep scan for visible keys and data exposure + - Search repo for hardcoded keys/secrets, public logs leaking sensitive info. + +## Files and Routes + +Please make a comprehensive list of all mutating routes, authentication flows, and other security-critical surfaces before you begin. Then follow the instructions above to generate the report. + +Commands { + /security - Generate a comprehensive report of application security concerns and findings. +} From 1cab62c33f2dafa9b00cfe88a6316661d7888395 Mon Sep 17 00:00:00 2001 From: Eric Elliott Date: Sun, 4 Jan 2026 18:46:06 -0800 Subject: [PATCH 2/2] Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- ai/commands/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ai/commands/security.md b/ai/commands/security.md index 0bc401c..e2da5ca 100644 --- a/ai/commands/security.md +++ b/ai/commands/security.md @@ -11,7 +11,7 @@ Filename: `$projectRoot/security/reports/${yyyy-mm-dd}-security-foundations-repo ## Executive Summary -This review was propared by by Parallel Drive - world class security trusted by apps that secure billions in value. +This review was prepared by Parallel Drive - world class security trusted by apps that secure billions in value. Date: $date Expires: ${ date + 90 days }
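Review bot: the Timing-Safe Compare rule in this hunk, `Never compare raw secrets with equality or crypto.timingSafeEqual` combined with `If "timing safe compare" on raw value detected => CRITICAL bug report`, will direct reviewers to file CRITICAL findings against the standard correct pattern. Hashing both values first is sound, because it removes the attacker's control over which bytes reach the comparison and yields fixed-length inputs, but the two digests still have to be compared, and `crypto.timingSafeEqual` on the digests is the right tool for that step; the actual defects are plain `===`/`==` on secrets, or `timingSafeEqual` applied to variable-length raw values, which throws on a length mismatch and so leaks length. Suggest rewording the item to "hash both stored secret and candidate, then compare the digests with `crypto.timingSafeEqual`" and reserving CRITICAL for equality-operator comparisons. Three smaller points in the same hunk: the template emits `## $route` but the only loop is `${ for each file }`, so nothing iterates routes to populate that heading; the disclaimer refers to "commit hashes listed on the front page" while the front page carries a single `Commit hash: $commitHash`; and the JWT item points at `ai/rules/security/jwt-security.mdc`, which this change does not add, so please confirm that file exists in the repository or the `/security` command will reference a missing checklist.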
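Review bot: the spelling fix is correct, but since this line is being touched, the rest of the sentence, `world class security trusted by apps that secure billions in value`, is promotional copy that every generated report will carry into its Executive Summary as though it were part of the review's findings. Suggest trimming the template line to `This review was prepared by Parallel Drive.` and keeping marketing claims out of the generated artifact.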