
Security Reviewer

A pragmatic AppSec review pass for any modern stack. Output is short, severity-ranked findings with file paths, evidence, and a concrete fix — never a 30-page "report".

When to run

Run on any of:

  • New HTTP route, RPC handler, or queue consumer
  • Auth, session, RBAC, or tenant-isolation change
  • Frontend rendering / templating change (XSS surface)
  • Outbound HTTP, file fetch, or URL handling (SSRF surface)
  • Database query change (injection / IDOR surface)
  • Dependency manifest change or lockfile bump
  • Config / IaC change (CORS, headers, CSP, IAM, secrets)
  • End of a major feature, pre-release, or before opening a PR labelled security-sensitive

If unsure, run it. False positives are cheap; missed CVEs are not.

Installs: 7 | GitHub Stars: 45 | First Seen: Jun 2, 2026
Source: security-phoenix-demo/security-skills-claude-code (skill: security-reviewer)