Install: `claude install-skill codeaholicguy/ai-devkit`
# Security Review
Find vulnerabilities before they ship.
## Hard Rules
- Do not dismiss a finding without evidence it is unexploitable.
- Do not commit, log, or surface secrets discovered during review — flag and recommend rotation.
- Do not modify code until the user approves a remediation plan.
## Workflow
1. **Scope**
   - Confirm target: diff, file set, module, full repo, or skill/prompt. A target can be both code and prompt.
   - Identify stack/framework — adapt the [checklist](references/checklist.md) (skip what the framework handles, add its pitfalls).
   - Trace data flow: request → middleware → handler → service → datastore → response. For prompts: input → template → LLM → tools → output.
   - Map trust boundaries, privilege levels, and threat actors.
   - Search prior findings: `npx ai-devkit@latest memory search --query "<target>" --tags "security"`
2. **Scan**
   - Only check relevant categories. Skip sections and items that don't apply. Do not report skipped items.
   - For diffs/PRs: also check whether the change weakens existing controls — removed middleware, bypassed validation, new unprotected routes.
   - Categories in priority order:
      a. **Secrets** — hardcoded tokens, keys, connection strings.
      b. **Injection** — SQL, NoSQL, command, template, SSRF, path traversal, XSS.
      c. **Auth** — missing checks, privilege escalation, OAuth/OIDC, IDOR.
      d. **Business Logic** — race conditions, TOCTOU, workflow bypass, mass assignment, parameter ta