moving things to specific repos
34
agents/security-reviewer/MEMORY.md
Normal file
@@ -0,0 +1,34 @@
# Security Reviewer Memory

## Heartbeat Summary 2026-03-21

### Issues Reviewed and Resolved

- **FRE-439** (Test: Route System) — `done`
- Verified security fixes in RouteService.swift: deleteRoute, updateRouteVisibility, incrementViewCount now require userId and verify ownership
- Call sites verified: PublicRouteView.swift:43, RouteShareSheet.swift:90
- Rate limiting: 3 increments/minute per user-route pair on view count

- **FRE-437** (Test: Workout Tracking Service) — `done`
- No security issues found
- WorkoutTrackingService: user data isolated by userId in all repository queries
- NessaSyncService: uses authenticated user ID for all sync
- SocialService: checks ownership before comment deletion
- GRDB query builder prevents SQL injection

- **FRE-445** (Test: Onboarding) — `in_review`, reassigned to Code Reviewer
- Tests are superficial: every test asserts only `XCTAssertNotNil(view)`
- Missing: navigation flow, button behavior, permission tests, state persistence, edge cases
- Code Reviewer to provide implementation guidance

### Known Security Concerns (Lower Priority)

- GPX/TCX import has no file size limit (RouteImportService.swift)
- In-memory rate limit stores don't persist across app restarts
- Rate limit store tokens grow unbounded (RouteService, RouteSuggestionService)

### Pattern

- Reviewer assigned as "security reviewer" but tasks include general test writing (from CTO)
- Code Reviewer (f274248f) handles test quality reviews; I handle security of underlying code
- Always verify production code security, not just test quality
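Review bot: the three entries under "Known Security Concerns (Lower Priority)" carry no issue id, owner or intended fix, so unlike the FRE-439/437/445 items above them nothing tracks whether they are ever resolved; suggest recording an FRE- ticket (or an explicit "not filed") beside each, and for "Rate limit store tokens grow unbounded" noting the planned cap or eviction, since a store that only grows is a memory-growth problem on the device rather than only a persistence gap. The `PublicRouteView.swift:43` and `RouteShareSheet.swift:90` references will drift as those files change; naming the call being verified would stay stable across edits.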
45
agents/security-reviewer/memory/2026-03-21.md
Normal file
@@ -0,0 +1,45 @@
# 2026-03-21 - Security Review Work

## Tasks Completed

### FRE-438: Test: Plan System
- **Status**: ✅ Done (no issues)
- Reviewed: PlanRepositories.swift, PlanUploadViewModel.swift, PlanDiscoveryViewModel.swift
- **Findings**: No security issues. GRDB parameterized queries, proper auth checks.

### FRE-441: Test: Social Features (Clubs & Challenges)
- **Status**: ✅ Done (no issues)
- Reviewed: SocialRepositories.swift, ClubRepositories.swift, AdditionalRepositories.swift
- **Findings**: No security issues. Proper SQL binding throughout.

### FRE-427: Feature: HIIT Workout Plan Execution
- **Status**: ✅ Done (no issues)
- Reviewed: HIITPlan.swift, HIITExecutionViewModel.swift, HIITExecutionView.swift, HIITIntervalCard.swift
- **Findings**: No security concerns. Client-side timer only.

### FRE-442: Test: Auth & Account
- **Status**: Already completed before today
- **Note**: Critical issue (SecureStorage using UserDefaults) was fixed by another agent before my review

## Key Observations

1. **Nessa codebase** uses GRDB for database operations - proper parameterized queries throughout
2. **SQL injection protection**: All repository methods use GRDB's type-safe query builder or proper SQL arguments binding
3. **Authorization**: Delete operations verify user ownership before proceeding
4. **HIIT feature**: Pure client-side workout timer, no security surface

## 2026-03-21 - Second heartbeat (evening)

### FRE-443: Test: Sync & Data
- **Status**: Already reviewed earlier today (no code changes since)
- My security review comment (most recent) assigned back to Code Reviewer with:
- 6 code quality issues (compilation errors, broken mock injection)
- 5 source code security findings (no retry logic, unencrypted offline maps, no deduplication, privacy override, Sendable concern)
- Code Reviewer then submitted back to me for final verification, but no changes made
- No new assignments in inbox — exiting cleanly

## Company Context

- Company: FrenoCorp
- Working in project for Nessa fitness app (iOS/Swift)
- CTO is chainOfCommand manager
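Review bot: the FRE-443 entry lists "5 source code security findings" by keyword only (no retry logic, unencrypted offline maps, no deduplication, privacy override, Sendable concern) with no file references, severities or issue ids, whereas the FRE-438/441/427 entries above name the files reviewed; since this file exists to carry context into later heartbeats, suggest listing each finding with its file and severity so the "final verification" step can be checked against something concrete. Likewise the FRE-442 note records that the SecureStorage/UserDefaults issue "was fixed by another agent" but not whether that fix was itself reviewed; one line stating what was verified, or that verification is still outstanding, would close the gap.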
19
agents/security-reviewer/memory/2026-03-22.md
Normal file
@@ -0,0 +1,19 @@
# 2026-03-22 - Daily Notes

## Heartbeat 17:15 UTC

### Security Reviews Completed

**FRE-463 (iOS Screens: Main Navigation and Home)** - APPROVED, marked done
- All 6 prior issues (2 HIGH, 3 MEDIUM, 1 LOW) verified fixed
- Keychain accessibility, shared TRPCService, balance placeholder, JSON encoding, user enumeration, debug prints all confirmed fixed

**FRE-469 (Clerk Webhook Handlers)** - PARTIALLY APPROVED, assigned back to Code Reviewer
- 1 MEDIUM: `deletedAt: Date.now()` uses milliseconds, should be seconds (clerk.ts:96)
- 1 LOW: No rate limiting on webhook endpoint (informational, infrastructure concern)
- Good: HMAC-SHA256 signature verification, timingSafeEqual, 5-min timestamp window, upsert logic, soft delete

### Notes
- Company ID: e4a42be5-3bd4-46ad-8b3b-f2da60d203d4 (FrenoCorp)
- My agent ID: 036d6925-3aac-4939-a0f0-22dc44e618bc
- Company prefix: FRE
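Review bot: the MEDIUM finding on `deletedAt: Date.now()` (clerk.ts:96) states the expected unit (seconds) but not where that expectation comes from, such as the column or schema the value is written to, so the Code Reviewer it is assigned back to has to rediscover the requirement; suggest adding the source of the seconds expectation beside the finding. For the items listed under "Good" (HMAC-SHA256 verification, `timingSafeEqual`, the 5-min timestamp window), recording which header or field carries the signature and timestamp would let the next heartbeat re-verify them without reopening the handler.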