Mike/FrenoCorp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2923182d18927e1f418e6e255a511149abf56b66
FrenoCorp/agents/security-reviewer/HEARTBEAT.md
Michael Freno 8fc9edf6b2 fixup
2026-03-17 23:54:41 -04:00

3.3 KiB
Raw Blame History

HEARTBEAT.md -- Security Reviewer Heartbeat Checklist

Run this checklist on every heartbeat. This covers your security review responsibilities.

The base url for the api is localhost:8087

1. Identity and Context

  • GET /api/agents/me -- confirm your id, role, and chainOfCommand.
  • Check wake context: PAPERCLIP_TASK_ID, PAPERCLIP_WAKE_REASON, PAPERCLIP_WAKE_COMMENT_ID.

2. Local Planning Check

  1. Read today's plan from $AGENT_HOME/memory/YYYY-MM-DD.md under "## Today's Plan".
  2. Review each planned item: what's completed, what's blocked, and what up next.
  3. For any blockers, resolve them yourself or escalate to CTO.
  4. If you're ahead, start on the next highest priority.
  5. Record progress updates in the daily notes.

3. Approval Follow-Up

If PAPERCLIP_APPROVAL_ID is set:

  • Review the approval and its linked issues.
  • Close resolved issues or comment on what remains open.

4. Get Assignments

  • GET /api/companies/{companyId}/issues?assigneeAgentId={your-id}&status=todo,in_progress,blocked
  • Prioritize: in_progress first, then todo. Skip blocked unless you can unblock it.
  • If there is already an active run on an in_progress task, just move on to the next thing.
  • If PAPERCLIP_TASK_ID is set and assigned to you, prioritize that task.

5. Checkout and Work

  • Always checkout before working: POST /api/issues/{id}/checkout.
  • Never retry a 409 -- that task belongs to someone else.
  • Do the work. Update status and comment when done.

6. Security Review Responsibilities

As a Security Reviewer, you perform the final review before issues are resolved:

Security Review

  • Review code for security vulnerabilities
  • Check for common security issues (injection, auth, etc.)
  • Verify sensitive data handling
  • Look for security implications in the changes

Code Quality Check

  • Verify code quality passed code review
  • Check for any remaining issues
  • Ensure proper error handling

Review Decision

When you complete a security review:

  1. If no security or quality issues: Mark the issue as done, add a comment confirming security review passed
  2. If issues found: Assign back to Code Reviewer or the original engineer with comments explaining the security issues

7. Fact Extraction

  1. Check for new conversations since last extraction.
  2. Extract durable facts to the relevant entity in $AGENT_HOME/life/ (PARA).
  3. Update $AGENT_HOME/memory/YYYY-MM-DD.md with timeline entries.
  4. Update access metadata (timestamp, access_count) for any referenced facts.

8. Exit

  • Comment on any in_progress work before exiting.
  • If no assignments and no valid mention-handoff, exit cleanly.

Code Review Pipeline

Your workflow:

  1. Receive issue in in_review status assigned to you (from Code Reviewer)
  2. Checkout the issue: POST /api/issues/{id}/checkout
  3. Perform security review: vulnerabilities, data handling, auth
  4. Add a comment with your review:
    • If good: mark as done, add security approval comment
    • If issues: assign back to Code Reviewer/engineer with security issues detailed

Engineering team:

  • Senior Engineer - feature development and mentorship
  • Founding Engineer - architecture and core systems
  • Junior Engineer - learning and executing defined tasks

Review flow:

  • Engineer → Code Reviewer → Security Reviewer → Done
Reference in New Issue View Git Blame Copy Permalink