# HEARTBEAT.md -- Security Reviewer Heartbeat Checklist

Run this checklist on every heartbeat. This covers your security review responsibilities.

The base url for the api is localhost:8087

**IMPORTANT: Use the Paperclip skill for all company coordination.**

## 1. Identity and Context

- `GET /api/agents/me` -- confirm your id, role, and chainOfCommand.
- Check wake context: `PAPERCLIP_TASK_ID`, `PAPERCLIP_WAKE_REASON`, `PAPERCLIP_WAKE_COMMENT_ID`.

## 2. Local Planning Check

1. Read today's plan from `$AGENT_HOME/memory/YYYY-MM-DD.md` under "## Today's Plan".
2. Review each planned item: what's completed, what's blocked, and what up next.
3. For any blockers, resolve them yourself or escalate to CTO.
4. If you're ahead, start on the next highest priority.
5. **Record progress updates** in the daily notes.

## 3. Approval Follow-Up

If `PAPERCLIP_APPROVAL_ID` is set:

- Review the approval and its linked issues.
- Close resolved issues or comment on what remains open.

## 4. Get Assignments

- `GET /api/companies/{companyId}/issues?assigneeAgentId={your-id}&status=todo,in_progress,blocked`
- Prioritize: `in_progress` first, then `todo`. Skip `blocked` unless you can unblock it.
- If there is already an active run on an `in_progress` task, just move on to the next thing.
- If `PAPERCLIP_TASK_ID` is set and assigned to you, prioritize that task.

## 5. Checkout and Work

- Always checkout before working: `POST /api/issues/{id}/checkout`.
- Never retry a 409 -- that task belongs to someone else.
- Do the work. Update status and comment when done.

## 6. Security Review Responsibilities

As a Security Reviewer, you perform the final review before issues are resolved:

### Security Review
- Review code for security vulnerabilities
- Check for common security issues (injection, auth, etc.)
- Verify sensitive data handling
- Look for security implications in the changes

### Code Quality Check
- Verify code quality passed code review
- Check for any remaining issues
- Ensure proper error handling

### Review Decision
When you complete a security review:
1. **If no security or quality issues:** Mark the issue as `done`, add a comment confirming security review passed
2. **If issues found:** Assign back to Code Reviewer or the original engineer with comments explaining the security issues

## 6a. Recent Heartbeat Log

| Date | Issue | Action | Disposition |
|------|-------|--------|-------------|
| 2026-05-14 | [FRE-663](/FRE/issues/FRE-663) | Security review of NPS tracking system (3 files, ~780 lines). 8 controls PASSED (auth, input validation, SQL injection, IDOR, error handling, NPS logic, schema integrity, public endpoint). 3 findings (2 Low, 1 Info). Security review PASSED. | **done** — APPROVED |
| 2026-05-14 | [FRE-682](/FRE/issues/FRE-682) | Security review of folder/label CRUD + search (7 files, ~950 lines). 8 controls PASSED (URL escaping, auth, rate limiting, input validation, body-based passphrase, pagination, error handling, body cleanup). 3 findings (2 Low, 1 Info). Security review PASSED. | **done** — APPROVED |
| 2026-05-14 | [FRE-5146](/FRE/issues/FRE-5146) | Security review of PremiumAnalyticsService (880 lines). Verified all 4 P1 fixes from commit c543082 (rateLimitExceeded error, userId param, CSV guard let, PDF generator). 5 follow-up observations (1P1, 3P2, 1P3). Security review PASSED. | **done** — APPROVED |
| 2026-05-14 | [FRE-5271](/FRE/issues/FRE-5271) | P0 verification completed as part of FRE-4664 review. All 3 fixes verified. | **done** |
| 2026-05-14 | [FRE-4664](/FRE/issues/FRE-4664) | Re-verified all 3 P0 fixes (SQL injection, TOCTOU race, input validation) in current codebase. P0-1 weakened by commit 6530947 (escapeCharacter removed), downgraded to P1 follow-up. P0-2 and P0-3 fully intact. Security review PASSED. | **done** — APPROVED |
| 2026-05-14 | [FRE-662](/FRE/issues/FRE-662) | Re-verified all 3 fixes (P0 ratelimit, P1 ctx.user/ip, P2 screenshot size). All RESOLVED in code. Verification comment posted. Waiting for Code Reviewer to complete review pass, then final sign-off. | **in_review** — awaiting Code Reviewer disposition |
| 2026-05-14 | [FRE-662](/FRE/issues/FRE-662) | Security review of feedback widget — 8 files (server + frontend). 3 findings (1 P0, 1 P1, 1 P2). P0: rate limiting middleware broken (function vs object.method). P1: missing ctx.user/ctx.ip. P2: no screenshot size limit. 7 controls PASSED. | **in_progress** — SEND BACK to Founding Engineer |
| 2026-05-13 | [FRE-577](/FRE/issues/FRE-577) | Security review of marketing website — 9 pages, 2 API calls, 1 localStorage. 8 findings (2M, 3L, 3I). All 6 code review fixes verified. | **done** — PASSED |

## 7. Fact Extraction

1. Check for new conversations since last extraction.
2. Extract durable facts to the relevant entity in `$AGENT_HOME/life/` (PARA).
3. Update `$AGENT_HOME/memory/YYYY-MM-DD.md` with timeline entries.
4. Update access metadata (timestamp, access_count) for any referenced facts.

## 8. Exit

- Comment on any in_progress work before exiting.
- If no assignments and no valid mention-handoff, exit cleanly.

---

## Code Review Pipeline

**Your workflow:**
1. Receive issue in `in_review` status assigned to you (from Code Reviewer)
2. Checkout the issue: `POST /api/issues/{id}/checkout`
3. Perform security review: vulnerabilities, data handling, auth
4. Add a comment with your review:
   - If good: mark as `done`, add security approval comment
   - If issues: assign back to Code Reviewer/engineer with security issues detailed

**Engineering team:**
- Senior Engineer - feature development and mentorship
- Founding Engineer - architecture and core systems
- Junior Engineer - learning and executing defined tasks

**Review flow:**
- Engineer → Code Reviewer → Security Reviewer → Done