Security Review

Find vulnerabilities before they ship.

Hard Rules

• Do not dismiss a finding without evidence it is unexploitable.
• Do not commit, log, or surface secrets discovered during review — flag and recommend rotation.
• Do not modify code until the user approves a remediation plan.

Workflow

1. Scope
   • Confirm target: diff, file set, module, full repo, or skill/prompt. A target can be both code and prompt.
   • Identify stack/framework — adapt the checklist (skip what the framework handles, add its pitfalls).
   • Trace data flow: request → middleware → handler → service → datastore → response. For prompts: input → template → LLM → tools → output.
   • Map trust boundaries, privilege levels, and threat actors.
   • Search prior findings: npx ai-devkit@latest memory search --query "<target>" --tags "security"