moving things to specific repos

2026-03-22 19:20:43 -04:00
parent 53082e4afd
commit 863a3d3fd3
11 changed files with 168 additions and 823 deletions
--- a/agents/security-reviewer/MEMORY.md
+++ b/agents/security-reviewer/MEMORY.md
@@ -0,0 +1,34 @@
+# Security Reviewer Memory
+
+## Heartbeat Summary 2026-03-21
+
+### Issues Reviewed and Resolved
+
+- **FRE-439** (Test: Route System) — `done`
+  - Verified security fixes in RouteService.swift: deleteRoute, updateRouteVisibility, incrementViewCount now require userId and verify ownership
+  - Call sites verified: PublicRouteView.swift:43, RouteShareSheet.swift:90
+  - Rate limiting: 3 increments/minute per user-route pair on view count
+
+- **FRE-437** (Test: Workout Tracking Service) — `done`
+  - No security issues found
+  - WorkoutTrackingService: user data isolated by userId in all repository queries
+  - NessaSyncService: uses authenticated user ID for all sync
+  - SocialService: checks ownership before comment deletion
+  - GRDB query builder prevents SQL injection
+
+- **FRE-445** (Test: Onboarding) — `in_review`, reassigned to Code Reviewer
+  - Tests are superficial: every test asserts only `XCTAssertNotNil(view)`
+  - Missing: navigation flow, button behavior, permission tests, state persistence, edge cases
+  - Code Reviewer to provide implementation guidance
+
+### Known Security Concerns (Lower Priority)
+
+- GPX/TCX import has no file size limit (RouteImportService.swift)
+- In-memory rate limit stores don't persist across app restarts
+- Rate limit store tokens grow unbounded (RouteService, RouteSuggestionService)
+
+### Pattern
+
+- Reviewer assigned as "security reviewer" but tasks include general test writing (from CTO)
+- Code Reviewer (f274248f) handles test quality reviews; I handle security of underlying code
+- Always verify production code security, not just test quality