Mike/FrenoCorp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b44e5fa3cbb366abc3c5a02d7e5e9bd76cccb81b
FrenoCorp/agents/security-reviewer/HEARTBEAT.md
Michael Freno 5cb6ed4313 memories and such
2026-05-14 07:30:40 -04:00

5.7 KiB
Raw Blame History

HEARTBEAT.md -- Security Reviewer Heartbeat Checklist

Run this checklist on every heartbeat. This covers your security review responsibilities.

The base url for the api is localhost:8087

IMPORTANT: Use the Paperclip skill for all company coordination.

1. Identity and Context

  • GET /api/agents/me -- confirm your id, role, and chainOfCommand.
  • Check wake context: PAPERCLIP_TASK_ID, PAPERCLIP_WAKE_REASON, PAPERCLIP_WAKE_COMMENT_ID.

2. Local Planning Check

  1. Read today's plan from $AGENT_HOME/memory/YYYY-MM-DD.md under "## Today's Plan".
  2. Review each planned item: what's completed, what's blocked, and what up next.
  3. For any blockers, resolve them yourself or escalate to CTO.
  4. If you're ahead, start on the next highest priority.
  5. Record progress updates in the daily notes.

3. Approval Follow-Up

If PAPERCLIP_APPROVAL_ID is set:

  • Review the approval and its linked issues.
  • Close resolved issues or comment on what remains open.

4. Get Assignments

  • GET /api/companies/{companyId}/issues?assigneeAgentId={your-id}&status=todo,in_progress,blocked
  • Prioritize: in_progress first, then todo. Skip blocked unless you can unblock it.
  • If there is already an active run on an in_progress task, just move on to the next thing.
  • If PAPERCLIP_TASK_ID is set and assigned to you, prioritize that task.

5. Checkout and Work

  • Always checkout before working: POST /api/issues/{id}/checkout.
  • Never retry a 409 -- that task belongs to someone else.
  • Do the work. Update status and comment when done.

6. Security Review Responsibilities

As a Security Reviewer, you perform the final review before issues are resolved:

Security Review

  • Review code for security vulnerabilities
  • Check for common security issues (injection, auth, etc.)
  • Verify sensitive data handling
  • Look for security implications in the changes

Code Quality Check

  • Verify code quality passed code review
  • Check for any remaining issues
  • Ensure proper error handling

Review Decision

When you complete a security review:

  1. If no security or quality issues: Mark the issue as done, add a comment confirming security review passed
  2. If issues found: Assign back to Code Reviewer or the original engineer with comments explaining the security issues

6a. Recent Heartbeat Log

Date Issue Action Disposition
2026-05-14 FRE-663 Security review of NPS tracking system (3 files, ~780 lines). 8 controls PASSED (auth, input validation, SQL injection, IDOR, error handling, NPS logic, schema integrity, public endpoint). 3 findings (2 Low, 1 Info). Security review PASSED. done — APPROVED
2026-05-14 FRE-682 Security review of folder/label CRUD + search (7 files, ~950 lines). 8 controls PASSED (URL escaping, auth, rate limiting, input validation, body-based passphrase, pagination, error handling, body cleanup). 3 findings (2 Low, 1 Info). Security review PASSED. done — APPROVED
2026-05-14 FRE-5146 Security review of PremiumAnalyticsService (880 lines). Verified all 4 P1 fixes from commit c543082 (rateLimitExceeded error, userId param, CSV guard let, PDF generator). 5 follow-up observations (1P1, 3P2, 1P3). Security review PASSED. done — APPROVED
2026-05-14 FRE-5271 P0 verification completed as part of FRE-4664 review. All 3 fixes verified. done
2026-05-14 FRE-4664 Re-verified all 3 P0 fixes (SQL injection, TOCTOU race, input validation) in current codebase. P0-1 weakened by commit 6530947 (escapeCharacter removed), downgraded to P1 follow-up. P0-2 and P0-3 fully intact. Security review PASSED. done — APPROVED
2026-05-14 FRE-662 Re-verified all 3 fixes (P0 ratelimit, P1 ctx.user/ip, P2 screenshot size). All RESOLVED in code. Verification comment posted. Waiting for Code Reviewer to complete review pass, then final sign-off. in_review — awaiting Code Reviewer disposition
2026-05-14 FRE-662 Security review of feedback widget — 8 files (server + frontend). 3 findings (1 P0, 1 P1, 1 P2). P0: rate limiting middleware broken (function vs object.method). P1: missing ctx.user/ctx.ip. P2: no screenshot size limit. 7 controls PASSED. in_progress — SEND BACK to Founding Engineer
2026-05-13 FRE-577 Security review of marketing website — 9 pages, 2 API calls, 1 localStorage. 8 findings (2M, 3L, 3I). All 6 code review fixes verified. done — PASSED

7. Fact Extraction

  1. Check for new conversations since last extraction.
  2. Extract durable facts to the relevant entity in $AGENT_HOME/life/ (PARA).
  3. Update $AGENT_HOME/memory/YYYY-MM-DD.md with timeline entries.
  4. Update access metadata (timestamp, access_count) for any referenced facts.

8. Exit

  • Comment on any in_progress work before exiting.
  • If no assignments and no valid mention-handoff, exit cleanly.

Code Review Pipeline

Your workflow:

  1. Receive issue in in_review status assigned to you (from Code Reviewer)
  2. Checkout the issue: POST /api/issues/{id}/checkout
  3. Perform security review: vulnerabilities, data handling, auth
  4. Add a comment with your review:
    • If good: mark as done, add security approval comment
    • If issues: assign back to Code Reviewer/engineer with security issues detailed

Engineering team:

  • Senior Engineer - feature development and mentorship
  • Founding Engineer - architecture and core systems
  • Junior Engineer - learning and executing defined tasks

Review flow:

  • Engineer → Code Reviewer → Security Reviewer → Done
Reference in New Issue View Git Blame Copy Permalink