ln-621-security-auditor

> **Paths:** File paths (`shared/`, `references/`, `../ln-*`) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root. If `shared/` is missing, fetch files via WebFetch from `https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path}`.

# Security Auditor (L3 Worker)

**Type:** L3 Worker

Specialized worker auditing security vulnerabilities in codebase.

## Purpose & Scope

- **Worker in ln-620 coordinator pipeline** - invoked by ln-620-codebase-auditor
- Audit codebase for **security vulnerabilities** (Category 1: Critical Priority)
- Scan for hardcoded secrets, SQL injection, XSS, insecure dependencies, missing input validation
- Return structured findings to coordinator with severity, location, effort, recommendations
- Calculate compliance score (X/10) for Security category

## Inputs (from Coordinator)

**MANDATORY READ:** Load `shared/references/audit_worker_core_contract.md`.

Receives `contextStore` with: `tech_stack`, `best_practices`, `principles`, `codebase_root`, `output_dir`.

## Workflow

**MANDATORY READ:** Load `shared/references/two_layer_detection.md` for detection methodology.

1) **Parse Context:** Extract tech stack, best practices, codebase root, output_dir from contextStore
2) **Scan Codebase (Layer 1):** Run security checks using Glob/Grep patterns (see Audit Rules below)
3) **Analyze Context (Layer 2):** For each candidate, read surrounding code to classify:
   - Secrets: test fixture / example / template -> FP. Production code -> confirmed
   - SQL injection: ORM parameterization nearby -> FP. Raw string concat with user input -> confirmed
   - XSS: framework auto-escapes (React JSX, Go templates) -> FP. Unsafe context (`innerHTML`, `| safe`) -> confirmed
   - Deps: vulnerable API not called in project -> downgrade. Exploitable path -> confirmed
   - Validation: internal service-to-service endpoint -> downgrade. Public API -> confirmed
4) **Collect Findings:** Record confirmed violations with severity, location (file:line), effort estimate (S/M/L), recommendation
5) **Calculate Score:** Count violations by severity, calculate compliance score (X/10)
6) **Write Report:** Build full markdown report in memory per `shared/templates/audit_worker_report_template.md`, write to `{output_dir}/621-security.md` in single Write call
7) **Return Summary:** Return minimal summary to coordinator (see Output Format)

## Audit Rules (Priority: CRITICAL)

### 1. Hardcoded Secrets
**What:** API keys, passwords, tokens, private keys in source code

**Detection:**
- Search patterns: `API_KEY = "..."`, `password = "..."`, `token = "..."`, `SECRET = "..."`
- File extensions: `.ts`, `.js`, `.py`, `.go`, `.java`, `.cs`
- Exclude: `.env.example`, `README.md`, test files with mock data

**Severity:**
- **CRITICAL:** Production credentials (AWS keys, database passwords, API tokens)
- **HIGH:** Development/staging credentials
- **MEDIUM:** Test credentials in non-test files

**Recommendation:** Move to environment variables (.env), use secret management (Vault, AWS Secrets Manager)

**Effort:** S (replace hardcoded value with `process.env.VAR_NAME`)

### 2. SQL Injection Patterns
**What:** String concatenation in SQL queries instead of parameterized queries

**Detection:**
- Patterns: `query = "SELECT * FROM users WHERE id=" + userId`, `db.execute(f"SELECT * FROM {table}")`, `` `SELECT * FROM ${table}` ``
- Languages: JavaScript, Python, PHP, Java

**Severity:**
- **CRITICAL:** User input directly concatenated without sanitization
- **HIGH:** Variable concatenation in production code
- **MEDIUM:** Concatenation with internal variables only

**Recommendation:** Use parameterized queries (prepared statements), ORM query builders

**Effort:** M (refactor query to use placeholders)

### 3. XSS Vulnerabilities
**What:** Unsanitized user input rendered in HTML/templates

**Detection:**
- Patterns: `innerHTML = userInput`, `dangerouslySetInnerHTML={{__html: data}}`, `echo $userInput;`
- Template engines: Check for unescaped output (`{{ var | safe }}`, `<%- var %>`)

**Severity:**
- **CRITICAL:** User input directly inserted into DOM without sanitization
- **HIGH:** User input with partial sanitization (insufficient escaping)
- **MEDIUM:** Internal data with potential XSS if compromised

**Recommendation:** Use framework escaping (React auto-escapes, use `textContent`), sanitize with DOMPurify

**Effort:** S-M (replace `innerHTML` with `textContent` or sanitize)

### 4. Insecure Dependencies
**What:** Dependencies with known CVEs (Common Vulnerabilities and Exposures)

**Detection:**
- Run `npm audit` (Node.js), `pip-audit` (Python), `cargo audit` (Rust), `dotnet list package --vulnerable` (.NET)
- Check for outdated critical dependencies

**Severity:**
- **CRITICAL:** CVE with exploitable vulnerability in production dependencies
- **HIGH:** CVE in dev dependencies or lower severity production CVEs
- **MEDIUM:** Outdated packages without known CVEs but security risk

**Recommendation:** Update to patched versions, replace unmaintained packages

**Effort:** S-M (update package.json, test), L (if breaking changes)

### 5. Missing Input Validation
**What:** Missing validation at system boundaries (API endpoints, user forms, file uploads)

**Detection:**
- API routes without validation middleware
- Form handlers without input sanitization
- File uploads without type/size checks
- Missing CORS configuration

**Severity:**
- **CRITICAL:** File upload without validation, authentication bypass potential
- **HIGH:** Missing validation on sensitive endpoints (payment, auth, user data)
- **MEDIUM:** Missing validation on read-only or internal endpoints

**Recommendation:** Add validation middleware (Joi, Yup, express-validator), implement input sanitization

**Effort:** M (add validation schema and middleware)

## Scoring Algorithm

**MANDATORY READ:** Load `shared/references/audit_worker_core_contract.md` and `shared/references/audit_scoring.md`.

## Output Format

**MANDATORY READ:** Load `shared/references/audit_worker_core_contract.md` and `shared/templates/audit_worker_report_template.md`.

If summaryArtifactPath is present, write JSON summary per shared/references/audit_summary_contract.md. Compact text output is fallback only.

Write report to `{output_dir}/621-security.md` with `category: "Security"` and checks: hardcoded_secrets, sql_injection, xss_vulnerabilities, insecure_dependencies, missing_input_validation.

Return summary per `shared/references/audit_summary_contract.md`.

Legacy compact text output is allowed only when `summaryArtifactPath` is absent:
```
Report written: .hex-skills/runtime-artifacts/runs/{run_id}/audit-report/621-security.md
Score: X.X/10 | Issues: N (C:N H:N M:N L:N)
```

## Critical Rules

**MANDATORY READ:** Load `shared/references/audit_worker_core_contract.md`.

- **Do not auto-fix:** Report violations only; coordinator creates task for user to fix
- **Tech stack aware:** Use contextStore to apply framework-specific patterns (e.g., React XSS vs PHP XSS)
- **False positive reduction:** Exclude test files, example configs, documentation
- **Effort realism:** S = <1 hour, M = 1-4 hours, L = >4 hours
- **Location precision:** Always include `file:line` for programmatic navigation

## Definition of Done

**MANDATORY READ:** Load `shared/references/audit_worker_core_contract.md`.

- [ ] contextStore parsed successfully (including output_dir)
- [ ] All 5 security checks completed (secrets, SQL injection, XSS, deps, validation)
- [ ] Findings collected with severity, location, effort, recommendation
- [ ] Score calculated using penalty algorithm
- [ ] Report written to `{output_dir}/621-security.md` (atomic single Write call)
- [ ] Summary written per contract

## Reference Files

- **Audit output schema:** `shared/references/audit_output_schema.md`
- Security audit rules: [references/security_rules.md](references/security_rules.md)

---
**Version:** 3.0.0
**Last Updated:** 2025-12-23