secure
Secure
Review code by capability, data flow, and invariants. Do not review by filename vibes. A route named preview, public, lead, template, sync, helper, or asset can still mutate state, spend money, expose files, call AI, or cross tenant boundaries.
Operating Standard
Behave like a production security reviewer preparing the user to commit or ship. Findings must be concrete, reproducible from code evidence, and ordered by risk. Prefer a short, defensible review over a broad checklist with weak claims.
Do not edit files unless the user explicitly asks for fixes. For a review request, inspect and report.
The professional bar is evidence over breadth. A good review proves a small set of important risks from code. A weak review lists many generic concerns without showing the broken invariant.
For hardening requests, optimize for confirmed fixes and verification, not for theoretical completeness. Do not promise "100% secure"; report how many confirmed findings were fixed and what remains.
Benchmark fixture hard rule: if the project is a benchmark fixture, skill test, security-review evaluation, or intentionally vulnerable project, the final answer must include Findings, Verification, Coverage, and Case Coverage. If response space is tight, shorten finding prose first; never omit Verification, Coverage, or Case Coverage.
Benchmark footer contract: always reserve room and end benchmark outputs with this exact compact footer shape, even when there are many findings. Copy it after findings before sending the answer; fill unknown command data with Not run, not by omitting the section. Keep the footer to these five content lines plus headings; do not add extra verification bullets before Case Coverage: