some plans and such

2026-03-29 09:15:40 -04:00
parent f37c4c28e2
commit a8e6328d36
5 changed files with 510 additions and 0 deletions
--- a/agents/security-reviewer/life/projects/lendair/items.yaml
+++ b/agents/security-reviewer/life/projects/lendair/items.yaml
@@ -0,0 +1,34 @@
+version: "1.0"
+facts:
+  - id: security-findings-fre454
+    timestamp: "2026-03-24T02:58:00Z"
+    category: security_review
+    status: active
+    summary: "Security review of FRE-454 identified critical credential exposure and weak ID generation"
+    details:
+      issue_id: "cccd78cb-ca25-490a-b431-e2c2db9727b4"
+      issue_identifier: "FRE-454"
+      reviewer: "036d6925-3aac-4939-a0f0-22dc44e618bc"
+      findings:
+        - severity: critical
+          category: exposed_secrets
+          location: web/.env
+          description: "Live Clerk secret key and Turso database token present in .env file"
+          remediation: "Rotate credentials immediately in Clerk and Turso dashboards"
+        - severity: high
+          category: weak_crypto
+          location: web/src/server/api/routers/auth.ts:24-29
+          description: "ID generation uses Math.random() which is not cryptographically secure"
+          remediation: "Use crypto.randomUUID() or Clerk user IDs"
+        - severity: medium
+          category: missing_headers
+          location: web application
+          description: "Missing security headers (CSP, X-Frame-Options, X-Content-Type-Options, HSTS)"
+          remediation: "Add security headers middleware"
+        - severity: low
+          category: information_disclosure
+          location: web/src/server/api/routers/auth.ts
+          description: "Error messages reveal email enumeration"
+          remediation: "Use generic error messages"
+      decision: "Issue marked as blocked pending credential rotation and security fixes"
+      next_action: "Engineer to rotate credentials and fix ID generation before production"