Files
mercado.clube67.com/tools/security-auditor/ANTIGRAVITY.md
T

4.6 KiB

Security Audit Playbook for Antigravity

Goal

Audit a Next.js or React codebase for common security issues, with extra attention to AI-assisted application patterns such as LLM endpoints, agent flows, tool execution, and prompt injection risks.

Inputs

  • the repository currently open in the IDE
  • optional scope from the user, such as a folder, route group, PR diff, or branch comparison
  • optional prior report for before/after comparison

Outputs

Produce a markdown report with these sections:

  1. Executive summary
  2. Scope and framework detection
  3. Findings grouped by severity
  4. Manual review items
  5. Remediation roadmap
  6. Before/after deltas if a baseline exists

Each finding must include:

  • title
  • severity: critical | high | medium | low
  • confidence: high | medium | low
  • status: confirmed | probable | manual-review
  • evidence
  • impact
  • affected files
  • recommended fix

Workflow

  1. Detect framework and project shape.

    • If app/ and next.config.* exist, inspect App Router paths.
    • If pages/ exists, inspect Pages Router paths.
    • If src/, public/, vite.config.*, react-scripts, or index.html exist without Next.js markers, inspect as React SPA.
    • In monorepos, identify the active app package before scanning.
  2. Prioritize high-risk surfaces.

    • API routes and route handlers
    • auth and session code
    • database access and raw queries
    • LLM, tool, and agent endpoints
    • upload handlers, webhooks, admin routes
    • client storage of tokens or secrets
  3. Run deterministic scan.

    • Execute node scripts/security-audit.js .
    • Review the JSON findings
    • Do not present raw script output without checking context
  4. Validate findings against source context.

    • Confirm whether the evidence really indicates a vulnerability
    • Downgrade noisy heuristics to probable or manual-review
    • Prefer confirmed findings only when code evidence is strong
  5. Produce report.

    • Use templates/security-report.md
    • Keep the report concise, actionable, and evidence-based
  6. If asked for fixes, propose minimally invasive remediations.

    • Prefer framework-native solutions
    • For Next.js, consider middleware, route handlers, server-only boundaries, secure cookies, and validation at the server boundary
    • For React SPA, prefer backend token storage, CSP, input sanitization, route guards, and safe rendering

Coverage

Next.js Pages Router

Inspect:

  • pages/api/**/*
  • pages/**/*
  • lib/**/*
  • middleware.*
  • next.config.*

Next.js App Router

Inspect:

  • app/api/**/route.*
  • app/**/*
  • server actions
  • middleware.*
  • next.config.*
  • src/app/**/*

React SPA

Inspect:

  • src/**/*
  • public/**/*
  • vite.config.*
  • webpack.config.*
  • index.html
  • API client wrappers and auth state management

Security priorities

Critical

  • confirmed exposed secrets
  • raw SQL with direct user interpolation
  • unsafe privileged tool execution from user-controlled prompt or input
  • authentication bypass in admin or privileged routes
  • unsigned or unverified webhook processing for sensitive actions

High

  • missing validation on server boundary
  • prompt injection exposure in LLM endpoints
  • SSRF patterns in server-side fetches
  • token persistence in localStorage or sessionStorage
  • dangerous HTML rendering with untrusted input

Medium

  • missing rate limiting on auth or expensive endpoints
  • weak cookie flags
  • permissive CORS for sensitive routes
  • missing CSRF controls where cookie auth is used
  • overexposed NEXT_PUBLIC_* or client config leakage

Low

  • missing security headers
  • weak logging hygiene
  • best-practice gaps without direct exploit path

Guardrails

  • Never claim a finding is confirmed without source evidence.
  • Separate severity from confidence.
  • If a pattern might be framework-supported elsewhere, mark manual-review.
  • Do not treat the existence of .env as critical by itself; only escalate if it appears tracked, exposed, copied to client code, or committed.
  • For React projects, assume browser code is untrusted and prioritize secret exposure and token handling.

Common manual review prompts

  • Verify whether admin routes are protected by upstream middleware.
  • Verify whether a raw query builder safely parameterizes values.
  • Verify whether sanitization exists in a shared utility instead of the local file.
  • Verify whether LLM tool calls enforce allowlists, authz, and argument validation.

Example agent request

"Audit this repository using ANTIGRAVITY.md. Start with API, auth, secrets, and AI integration surfaces. Run the scanner, review the top findings manually, and generate SECURITY_AUDIT_REPORT.md."