58 lines
2.4 KiB
Plaintext
You are performing a mandatory code review and security audit of MS22 Phase 1 modules in ~/src/mosaic-stack.

## Objective

Audit all MS22 modules for correctness, missing dependencies, and security issues. Produce a written report regardless of findings. If nothing needs fixing, that is itself a valid result — document it.

## MS22 Modules to Audit

- apps/api/src/container-lifecycle/
- apps/api/src/crypto/
- apps/api/src/agent-config/
- apps/api/src/onboarding/
- apps/api/src/fleet-settings/
- apps/api/src/chat-proxy/

## What to Check

### 1. NestJS Module Dependency Audit

For each *.module.ts file:

- Does it import every module whose services/guards are used in its controllers/services?
- Are all providers that are used actually listed?
- Are its exports correct?

### 2. Security Review

- fleet-settings: are admin-only routes properly guarded? Can a non-admin access provider secrets?
- agent-config: is the bearer token guard timing-safe? Is the internal route isolated?
- onboarding: can onboarding be re-run after completion?
- crypto: is AES-256-GCM implemented correctly? IV uniqueness, auth tag verification?
- chat-proxy: can a user proxy to another user's container?
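
The two checks above that can be demonstrated without the NestJS runtime are the timing-safe bearer token comparison (agent-config) and AES-256-GCM with a fresh IV per call and a verified auth tag (crypto). The following is an added reference example written against Node's built-in `crypto` module; it is not code from the mosaic-stack repository, and the function names (`tokenMatches`, `bearerToken`, `encrypt`, `decrypt`, `rejectsTamper`, `ivsAreUnique`) and the `iv || ciphertext || tag` output layout are assumptions chosen for the example. The audit question is whether the project's own implementation has the same properties the helpers at the end check for.

```typescript
// Added example, not project code: reference behaviour for the agent-config
// bearer token guard and the crypto module's AES-256-GCM usage.
import { createCipheriv, createDecipheriv, randomBytes, timingSafeEqual } from "node:crypto";

// --- agent-config: timing-safe token comparison ---
// A plain `===` stops at the first mismatching byte, so the response time leaks
// how long a correct prefix the caller supplied. timingSafeEqual compares every
// byte regardless of where the mismatch is.
export function tokenMatches(presented: string, expected: string): boolean {
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(expected, "utf8");
  if (a.length !== b.length) {
    // timingSafeEqual requires equal lengths; do a dummy comparison so the
    // mismatch path still costs roughly the same time as the normal path.
    timingSafeEqual(b, b);
    return false;
  }
  return timingSafeEqual(a, b);
}

// Pull the token out of an Authorization header; null if the scheme is not Bearer.
export function bearerToken(header: string | undefined): string | null {
  if (!header) return null;
  const m = /^Bearer\s+(\S+)$/i.exec(header.trim());
  return m ? m[1] : null;
}

// --- crypto: AES-256-GCM with a random 96-bit IV and a checked 128-bit tag ---
const IV_BYTES = 12;  // GCM's recommended nonce size
const TAG_BYTES = 16; // full-length auth tag

// Output layout (assumed for this example): iv || ciphertext || tag.
// A fresh random IV per call keeps every (key, IV) pair unique; reusing an IV
// under the same key breaks both confidentiality and integrity in GCM.
export function encrypt(key: Buffer, plaintext: Buffer, aad?: Buffer): Buffer {
  if (key.length !== 32) throw new Error("AES-256-GCM needs a 32-byte key");
  const iv = randomBytes(IV_BYTES);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  if (aad) cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, ct, cipher.getAuthTag()]);
}

export function decrypt(key: Buffer, blob: Buffer, aad?: Buffer): Buffer {
  if (key.length !== 32) throw new Error("AES-256-GCM needs a 32-byte key");
  if (blob.length < IV_BYTES + TAG_BYTES) throw new Error("ciphertext too short");
  const iv = blob.subarray(0, IV_BYTES);
  const tag = blob.subarray(blob.length - TAG_BYTES);
  const ct = blob.subarray(IV_BYTES, blob.length - TAG_BYTES);
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  if (aad) decipher.setAAD(aad);
  // The tag must be set before final(); final() throws if it does not verify,
  // so a tampered blob never yields plaintext.
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// Audit helper: flip one ciphertext bit and confirm decryption refuses it.
export function rejectsTamper(key: Buffer, blob: Buffer): boolean {
  const tampered = Buffer.from(blob);
  tampered[IV_BYTES] ^= 0x01;
  try {
    decrypt(key, tampered);
    return false; // decrypted a modified blob: the tag is not being verified
  } catch {
    return true;
  }
}

// Audit helper: encrypt the same message n times and confirm the IVs never repeat.
export function ivsAreUnique(key: Buffer, n: number): boolean {
  const seen = new Set<string>();
  for (let i = 0; i < n; i++) {
    seen.add(encrypt(key, Buffer.from("same message")).subarray(0, IV_BYTES).toString("hex"));
  }
  return seen.size === n;
}
```

When reviewing the project's guard, the thing to look for is a direct `===` (or `includes`/`startsWith`) on the secret; when reviewing the crypto module, look for a fixed or counter-derived IV and for any decrypt path that reads `update()` output before `final()` has had a chance to fail.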

### 3. Input Validation

- Are DTOs using class-validator decorators?
- Any unvalidated inputs?

### 4. Error Handling

- Are errors leaking sensitive data?
- Are Prisma errors caught before reaching HTTP layer?
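
To make the two error-handling questions concrete, here is an added example (not project code) of a single choke point that turns a database or unexpected error into a response that reveals nothing about the schema, the host or the stack, while the full detail goes to the server log. The Prisma codes it matches (P2002 unique-constraint violation, P2025 record not found) are real @prisma/client error codes; checking them by duck-typing on `code` keeps the file runnable without the Prisma dependency. The function name `handleError`, the response shape and the rule that an error already carrying a 4xx `status` is intended for the client are assumptions made for the example.

```typescript
// Added example, not project code: sanitise errors before they reach the HTTP layer.

export interface ErrorResponse {
  status: number;
  body: { statusCode: number; message: string };
}

export interface LogEntry {
  level: "warn" | "error";
  detail: string; // full detail for the operator; never sent to the client
}

// Assumed convention: an error that already carries a 4xx `status` and a string
// `message` was thrown on purpose for the client (the shape of a NestJS HttpException).
function isClientError(err: unknown): err is { status: number; message: string } {
  if (typeof err !== "object" || err === null) return false;
  const e = err as { status?: unknown; message?: unknown };
  return typeof e.status === "number" && e.status >= 400 && e.status < 500 && typeof e.message === "string";
}

// Prisma known-request errors expose a `code` like "P2002"; Node system errors
// also have a `code` ("ECONNREFUSED"), so match the Prisma pattern explicitly.
function prismaCode(err: unknown): string | undefined {
  if (typeof err !== "object" || err === null) return undefined;
  const code = (err as { code?: unknown }).code;
  return typeof code === "string" && /^P\d{4}$/.test(code) ? code : undefined;
}

function describe(err: unknown): string {
  if (err instanceof Error) return `${err.name}: ${err.message}`;
  try { return JSON.stringify(err); } catch { return String(err); }
}

export function handleError(err: unknown): { response: ErrorResponse; log: LogEntry } {
  if (isClientError(err)) {
    return {
      response: { status: err.status, body: { statusCode: err.status, message: err.message } },
      log: { level: "warn", detail: describe(err) },
    };
  }
  const code = prismaCode(err);
  if (code === "P2002") {
    // The raw message names the column(s); the client only learns there was a conflict.
    return {
      response: { status: 409, body: { statusCode: 409, message: "Resource already exists" } },
      log: { level: "warn", detail: `prisma ${code}: ${describe(err)}` },
    };
  }
  if (code === "P2025") {
    return {
      response: { status: 404, body: { statusCode: 404, message: "Resource not found" } },
      log: { level: "warn", detail: `prisma ${code}: ${describe(err)}` },
    };
  }
  // Anything else, Prisma or not, is a server fault: generic message, full detail logged.
  return {
    response: { status: 500, body: { statusCode: 500, message: "Internal server error" } },
    log: { level: "error", detail: describe(err) },
  };
}

// Constructed sample errors for the example, not real project output.
export const SAMPLE_PRISMA_ERROR = {
  code: "P2002",
  clientVersion: "0.0.0-example",
  message: "Unique constraint failed on the fields: (`email`)",
  meta: { target: ["email"] },
};
export const SAMPLE_DB_ERROR = new Error("connect ECONNREFUSED 10.0.0.5:5432");
```

In a NestJS app this logic would live in a global exception filter so that a Prisma error thrown from any service never reaches the default handler, which would otherwise serialise it as a 500 with the raw message.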

## Process — MANDATORY, follow exactly

1. git checkout main && git pull --ff-only origin main
2. Read each module file carefully
3. Create branch: fix/ms22-audit
4. Write a report file at docs/audits/ms22-phase1-audit.md documenting:
   - Each module reviewed
   - Findings (or "no issues found") per module
   - Security assessment
   - Changes made (if any)
5. If you found issues: fix them, include fixes in the same commit
6. If no issues found: still commit the report file
7. Run quality gates: pnpm turbo lint typecheck --filter=@mosaic/api
8. Commit: "fix(api): MS22 Phase 1 audit report and fixes"
9. Push: git push origin fix/ms22-audit
10. Create PR: ~/.config/mosaic/tools/git/pr-create.sh -t "fix(api): MS22 Phase 1 post-coding audit" -b "Mandatory post-coding audit of all MS22 Phase 1 modules. Report at docs/audits/ms22-phase1-audit.md."

DO NOT exit without pushing and creating a PR. The audit report is required even if all modules are clean.

When completely finished:

openclaw system event --text "Done: MS22 audit PR ready — check docs/audits/ms22-phase1-audit.md" --mode now