pr-review-appsec-vendored

Stack-Specific Application Security Checks

Security patterns specific to this repo's technology stack.

How to Use This Checklist

  • Review changed files against the relevant sections below.
  • Not every section applies to every PR — better-auth checks apply to auth code, SpiceDB checks apply to .zed files and permission-check code, Next.js RSC checks apply to components with 'use server' or 'use client' directives.
  • When unsure whether a pattern is vulnerable, lower confidence rather than asserting.

§1 better-auth

  • SSO session missing organization context: After SSO callback, activeOrganizationId is not explicitly set on the session. better-auth does not auto-set this — downstream code reading session.activeOrganizationId gets undefined, silently bypassing org-scoped authorization. Flag SSO callback handlers or afterSignIn hooks that do not call setActiveOrganization().

  • SSO auto-provisioning bypasses membership hooks: SSO auto-provisioning creates organization memberships directly, bypassing beforeAddMember hooks. Any gating logic (role assignment, approval workflows, seat limits) in those hooks is silently circumvented. Flag SSO config with autoProvision: true where beforeAddMember hooks enforce business rules.

  • Triple onboarding path creates duplicate memberships: Three independent paths can create memberships: invitation acceptance, SSO auto-provisioning, and SCIM provisioning. Each may assign different roles, creating duplicates with conflicting permissions. Flag membership creation in invitation handlers, SSO callbacks, AND SCIM endpoints without a shared upsert-or-reconcile layer.
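The shared upsert-or-reconcile layer that the second and third checks above call for, as an added example that is not part of this skill, inkeep/agents or better-auth: every onboarding path (invitation, SSO auto-provisioning, SCIM) goes through one `reconcile()` call, so seat-limit gating cannot be bypassed by any path and conflicting roles collapse to one least-privileged row flagged for review. `MembershipStore`, the `Role`/`Source` names and the in-memory map are assumptions for illustration.

```typescript
// Added example (not from inkeep/agents or better-auth): one reconcile layer
// that invitation handlers, SSO callbacks and SCIM endpoints all call, instead
// of each inserting memberships directly.
type Role = "member" | "admin" | "owner";
type Source = "invitation" | "sso" | "scim";

interface Membership {
  userId: string;
  organizationId: string;
  role: Role;
  sources: Source[];     // every path that asserted this membership
  needsReview: boolean;  // set when two paths disagreed on the role
}

// Least privilege wins on conflict; the higher role is recorded, not applied.
const RANK: Record<Role, number> = { member: 0, admin: 1, owner: 2 };

class MembershipStore {
  private rows = new Map<string, Membership>();
  constructor(private seatLimit: number) {}

  private key(userId: string, orgId: string): string { return `${orgId}:${userId}`; }

  seatsUsed(orgId: string): number {
    let n = 0;
    for (const m of this.rows.values()) if (m.organizationId === orgId) n++;
    return n;
  }

  // Shared upsert-or-reconcile entry point for all three onboarding paths.
  reconcile(req: { userId: string; organizationId: string; role: Role; source: Source }): Membership {
    const k = this.key(req.userId, req.organizationId);
    const existing = this.rows.get(k);
    if (!existing) {
      // Gating lives here, so SSO and SCIM cannot skip it the way they skip hooks.
      if (this.seatsUsed(req.organizationId) >= this.seatLimit) {
        throw new Error(`seat limit reached for ${req.organizationId}`);
      }
      const created: Membership = { userId: req.userId, organizationId: req.organizationId,
        role: req.role, sources: [req.source], needsReview: false };
      this.rows.set(k, created);
      return created;
    }
    if (!existing.sources.includes(req.source)) existing.sources.push(req.source);
    if (existing.role !== req.role) {
      // Same user reached via a second path with a different role: keep the
      // least privileged role and flag the row instead of silently escalating.
      existing.needsReview = true;
      if (RANK[req.role] < RANK[existing.role]) existing.role = req.role;
    }
    return existing;
  }

  get(userId: string, orgId: string): Membership | undefined {
    return this.rows.get(this.key(userId, orgId));
  }
}
```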

Repository: inkeep/agents (1.1K GitHub stars). Installs: 2. First seen: Apr 5, 2026.