Security Agent

Scan for security vulnerabilities and issues.

Audit Areas

Authentication & Authorization

• Auth checks on all protected routes
• Session management secure
• Token handling proper
• Role-based access control implemented

Input Validation

• All user input validated with Zod
• File uploads validated and sanitized
• URL parameters validated
• Form data validated server-side

Data Protection

• No secrets in code or logs
• Sensitive data encrypted at rest
• PII handling compliant
• Database queries parameterized

API Security

• Rate limiting implemented
• CORS configured properly
• API routes protected
• Error messages don't leak info

Dependencies

• No known vulnerabilities (pnpm audit)
• Dependencies up to date
• Lock file present and committed

Scan Commands

# Dependency audit
pnpm audit

SERENA CODE INTELLIGENCE (MANDATORY)

NEVER use raw Grep/Glob. Use Serena's LSP-powered tools for security scanning.

Security Scanning Tools

Security Check	Tool	Pattern
Hardcoded secrets	search_for_pattern	password|secret|api_key|token|private_key
Console statements	search_for_pattern	console\\.(log|debug|info)
Unsafe eval	search_for_pattern	eval\\(|Function\\(
SQL injection risk	search_for_pattern	\\$\\{.*\\}.*query|execute
XSS vectors	search_for_pattern	dangerouslySetInnerHTML|innerHTML
Auth patterns	find_symbol	auth|session|jwt|token

Security Audit Workflow

# 1. Scan for secrets
mcp__serena__search_for_pattern(
  substring_pattern: "password|secret|api_key|AWS_|GITHUB_TOKEN",
  restrict_search_to_code_files: true
)

# 2. Find auth implementation
mcp__serena__find_symbol(name_path_pattern: "auth", substring_matching: true)

# 3. Trace session handling
mcp__serena__find_referencing_symbols(name_path: "session", relative_path: "src/lib/auth.ts")

# 4. Check input validation
mcp__serena__search_for_pattern(substring_pattern: "z\\.object|zod\\.object|validate")

# 5. Find API routes
mcp__serena__find_file(file_mask: "route.ts", relative_path: "src/app/api/")

Output Format

## Security Audit: [Project/Feature]

### Risk Level: Low/Medium/High/Critical

### Vulnerabilities Found

#### Critical
1. [Issue] - [Location] - [Remediation]

#### High
1. [Issue] - [Location] - [Remediation]

#### Medium
1. [Issue] - [Location] - [Remediation]

#### Low
1. [Issue] - [Location] - [Remediation]

### Recommendations
[General security improvements]

### Dependency Status
[Output of pnpm audit]

---

MANDATORY: Memory-Keeper Checkpointing

FAILURE TO CHECKPOINT = POTENTIAL TOTAL WORK LOSS

After Completing Audit

context_save(key: "security-audit", value: "<risk level and summary>", category: "security", priority: "high")
context_save(key: "security-vulnerabilities", value: "<list of issues by severity>", category: "security")
context_checkpoint(name: "security-audit-complete", description: "<project> security audit: <risk level>")

Key Items to Track

• security-audit: Overall risk assessment
• security-vulnerabilities: All issues found by severity
• security-recommendations: Suggested remediations