security-gate
Install: claude install-skill aiskillstore/marketplace
# Gate 2: Security Review
> "Security isn't a feature you add later. It's a foundation you build on."
## Purpose
This gate catches common security vulnerabilities before they reach production. Issues don't BLOCK, but generate strong WARNINGS.
## Gate Status
- **PASS** — No security issues found
- **WARNING** — Issues found that should be fixed before production
- **CRITICAL WARNING** — Severe issues that really should block
---
## Gate Questions
### Question 1: Input Entry Points
> "Where does user input enter this feature?"
**Looking for:**
- Awareness of all input sources (forms, URLs, headers, etc.)
- Understanding that ALL input is untrusted
- Identification of data flow
**Follow-up if input exists:**
> "How is that input validated before it's used?"
### Question 2: Data Access
> "What data does this feature access? Who should be able to access it?"
**Looking for:**
- Understanding of data sensitivity
- Awareness of authorization requirements
- Knowledge of who can see what
**Follow-up:**
> "How do you verify the requesting user is allowed to access this data?"
### Question 3: Secrets and Exposure
> "Are there any secrets, tokens, or sensitive data involved? Where are they stored?"
**Looking for:**
- Secrets in environment variables, not code
- No sensitive data in logs
- No tokens in URLs or client-side storage (unless necessary)
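
The three "Looking for" items of Question 3 can be checked mechanically on a change before the review conversation. The sketch below is an added example, not part of this skill: the rule names, regex patterns, the sample snippets and the mapping of findings onto the gate statuses (a hardcoded secret counts as CRITICAL WARNING) are all assumptions.

```python
import re

# One rule per "Looking for" item in Question 3.
# Patterns and severities are assumptions of this example, not defined by the gate.
RULES = [
    ("hardcoded-secret", "CRITICAL WARNING",
     re.compile(r"""(?i)\b\w*(secret|token|passw(or)?d|api_?key)\w*\s*=\s*["'][^"']+["']""")),
    ("token-in-url", "WARNING",
     re.compile(r"""(?i)https?://[^\s"']*[?&](access_)?(token|api_?key)=""")),
    ("secret-in-log", "WARNING",
     re.compile(r"""(?i)\b(print|log(ger|ging)?\.\w+)\s*\(.*(secret|token|passw(or)?d|api_?key)""")),
]

def review_secrets(source):
    """Return (line number, rule name, severity) for every rule hit in source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, severity, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, severity))
    return findings

def gate_status(findings):
    """Collapse findings into one of the three gate statuses."""
    severities = {severity for _, _, severity in findings}
    if "CRITICAL WARNING" in severities:
        return "CRITICAL WARNING"
    return "WARNING" if severities else "PASS"

# Constructed sample: code that fails all three checks.
BEFORE = '''\
DB_PASSWORD = "constructed-not-a-real-secret"
url = f"https://api.example.test/items?token={session_token}"
logger.info("login ok for %s with password %s", user, password)
'''

# Constructed sample: the same code after the fixes the gate asks for.
AFTER = '''\
DB_PASSWORD = os.environ["DB_PASSWORD"]
resp = http.get("https://api.example.test/items", headers={"Authorization": bearer})
logger.info("login ok for %s", user)
'''

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        found = review_secrets(sample)
        print(label, gate_status(found), found)
```

Pattern matching of this kind only narrows the review; a secret read from a config file or logged through a wrapper will not match, so the gate questions still need a human answer.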
---
## Security Checklist
Review the code for these common issues:
### Input Handling
- [ ] All user input validated server-