differential-review

# Differential Security Review Security-focused code review for PRs, commits, and diffs. ## Core Principles 1. **Risk-First**: Focus on auth, crypto, value transfer, external calls 2. **Evidence-Based**: Every finding backed by git history, line numbers, attack scenarios 3. **Adaptive**: Scale to codebase size (SMALL/MEDIUM/LARGE) 4. **Honest**: Explicitly state coverage limits and confidence level 5. **Output-Driven**: Always generate comprehensive markdown report file --- ## Rationalizations (Do Not Skip) | Rationalization | Why It's Wrong | Required Action | |-----------------|----------------|-----------------| | "Small PR, quick review" | Heartbleed was 2 lines | Classify by RISK, not size | | "I know this codebase" | Familiarity breeds blind spots | Build explicit baseline context | | "Git history takes too long" | History reveals regressions | Never skip Phase 1 | | "Blast radius is obvious" | You'll miss transitive callers | Calculate quantitatively | | "No tests = not my problem" | Missing tests = elevated risk rating | Flag in report, elevate severity | | "Just a refactor, no security impact" | Refactors break invariants | Analyze as HIGH until proven LOW | | "I'll explain verbally" | No artifact = findings lost | Always write report | --- ## Quick Reference ### Codebase Size Strategy | Codebase Size | Strategy | Approach | |---------------|----------|----------| | SMALL (<20 files) | DEEP | Read all deps, full git blame | | MEDIUM (20-200) | FOCUSED | 1-h...