feat: initial project structure (Model Project) - Backend + Multi-Frontend + Docker
This commit is contained in:
@@ -0,0 +1,135 @@
|
||||
# Security Audit Playbook for Antigravity
|
||||
|
||||
## Goal
|
||||
Audit a Next.js or React codebase for common security issues, with extra attention to AI-assisted application patterns such as LLM endpoints, agent flows, tool execution, and prompt injection risks.
|
||||
|
||||
## Inputs
|
||||
- the repository currently open in the IDE
|
||||
- optional scope from the user, such as a folder, route group, PR diff, or branch comparison
|
||||
- optional prior report for before/after comparison
|
||||
|
||||
## Outputs
|
||||
Produce a markdown report with these sections:
|
||||
1. Executive summary
|
||||
2. Scope and framework detection
|
||||
3. Findings grouped by severity
|
||||
4. Manual review items
|
||||
5. Remediation roadmap
|
||||
6. Before/after deltas if a baseline exists
|
||||
|
||||
Each finding must include:
|
||||
- title
|
||||
- severity: critical | high | medium | low
|
||||
- confidence: high | medium | low
|
||||
- status: confirmed | probable | manual-review
|
||||
- evidence
|
||||
- impact
|
||||
- affected files
|
||||
- recommended fix
|
||||
|
||||
## Workflow
|
||||
|
||||
1. Detect framework and project shape.
|
||||
- If `app/` and `next.config.*` exist, inspect App Router paths.
|
||||
- If `pages/` exists, inspect Pages Router paths.
|
||||
- If `src/`, `public/`, `vite.config.*`, `react-scripts`, or `index.html` exist without Next.js markers, inspect as React SPA.
|
||||
- In monorepos, identify the active app package before scanning.
|
||||
|
||||
2. Prioritize high-risk surfaces.
|
||||
- API routes and route handlers
|
||||
- auth and session code
|
||||
- database access and raw queries
|
||||
- LLM, tool, and agent endpoints
|
||||
- upload handlers, webhooks, admin routes
|
||||
- client storage of tokens or secrets
|
||||
|
||||
3. Run deterministic scan.
|
||||
- Execute `node scripts/security-audit.js .`
|
||||
- Review the JSON findings
|
||||
- Do not present raw script output without checking context
|
||||
|
||||
4. Validate findings against source context.
|
||||
- Confirm whether the evidence really indicates a vulnerability
|
||||
- Downgrade noisy heuristics to probable or manual-review
|
||||
- Prefer confirmed findings only when code evidence is strong
|
||||
|
||||
5. Produce report.
|
||||
- Use `templates/security-report.md`
|
||||
- Keep the report concise, actionable, and evidence-based
|
||||
|
||||
6. If asked for fixes, propose minimally invasive remediations.
|
||||
- Prefer framework-native solutions
|
||||
- For Next.js, consider middleware, route handlers, server-only boundaries, secure cookies, and validation at the server boundary
|
||||
- For React SPA, prefer backend token storage, CSP, input sanitization, route guards, and safe rendering
|
||||
|
||||
## Coverage
|
||||
|
||||
### Next.js Pages Router
|
||||
Inspect:
|
||||
- `pages/api/**/*`
|
||||
- `pages/**/*`
|
||||
- `lib/**/*`
|
||||
- `middleware.*`
|
||||
- `next.config.*`
|
||||
|
||||
### Next.js App Router
|
||||
Inspect:
|
||||
- `app/api/**/route.*`
|
||||
- `app/**/*`
|
||||
- server actions
|
||||
- `middleware.*`
|
||||
- `next.config.*`
|
||||
- `src/app/**/*`
|
||||
|
||||
### React SPA
|
||||
Inspect:
|
||||
- `src/**/*`
|
||||
- `public/**/*`
|
||||
- `vite.config.*`
|
||||
- `webpack.config.*`
|
||||
- `index.html`
|
||||
- API client wrappers and auth state management
|
||||
|
||||
## Security priorities
|
||||
|
||||
### Critical
|
||||
- confirmed exposed secrets
|
||||
- raw SQL with direct user interpolation
|
||||
- unsafe privileged tool execution from user-controlled prompt or input
|
||||
- authentication bypass in admin or privileged routes
|
||||
- unsigned or unverified webhook processing for sensitive actions
|
||||
|
||||
### High
|
||||
- missing validation on server boundary
|
||||
- prompt injection exposure in LLM endpoints
|
||||
- SSRF patterns in server-side fetches
|
||||
- token persistence in localStorage or sessionStorage
|
||||
- dangerous HTML rendering with untrusted input
|
||||
|
||||
### Medium
|
||||
- missing rate limiting on auth or expensive endpoints
|
||||
- weak cookie flags
|
||||
- permissive CORS for sensitive routes
|
||||
- missing CSRF controls where cookie auth is used
|
||||
- overexposed `NEXT_PUBLIC_*` or client config leakage
|
||||
|
||||
### Low
|
||||
- missing security headers
|
||||
- weak logging hygiene
|
||||
- best-practice gaps without direct exploit path
|
||||
|
||||
## Guardrails
|
||||
- Never claim a finding is confirmed without source evidence.
|
||||
- Separate severity from confidence.
|
||||
- If a pattern might be framework-supported elsewhere, mark manual-review.
|
||||
- Do not treat the existence of `.env` as critical by itself; only escalate if it appears tracked, exposed, copied to client code, or committed.
|
||||
- For React projects, assume browser code is untrusted and prioritize secret exposure and token handling.
|
||||
|
||||
## Common manual review prompts
|
||||
- Verify whether admin routes are protected by upstream middleware.
|
||||
- Verify whether a raw query builder safely parameterizes values.
|
||||
- Verify whether sanitization exists in a shared utility instead of the local file.
|
||||
- Verify whether LLM tool calls enforce allowlists, authz, and argument validation.
|
||||
|
||||
## Example agent request
|
||||
"Audit this repository using ANTIGRAVITY.md. Start with API, auth, secrets, and AI integration surfaces. Run the scanner, review the top findings manually, and generate SECURITY_AUDIT_REPORT.md."
|
||||
Reference in New Issue
Block a user