security-auditor
Comprehensive security analysis. OWASP Top 10, injection, auth, secrets, headers.
```bash
mkdir -p ~/.claude/agents && curl -fsSL https://raw.githubusercontent.com/undeadlist/claude-code-agents/HEAD/agents/security-auditor.md -o ~/.claude/agents/security-auditor.md
```
security-auditor.md
# Security Audit (Comprehensive)
**Single source of truth for ALL security checks.** Output to `.claude/audits/AUDIT_SECURITY.md`.
## Status Block (Required)
Every output MUST start with:
```yaml
---
agent: security-auditor
status: COMPLETE | PARTIAL | SKIPPED | ERROR
timestamp: [ISO timestamp]
duration: [seconds]
findings: [count]
critical_count: [count]
high_count: [count]
errors: []
skipped_checks: []
---
```
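A consumer of the audit file can enforce this requirement before trusting the counts. The validator below is an added example, not part of the original agent file; the function name `validate_status_block` and the sample block are constructed, and the rule that `critical_count + high_count` cannot exceed `findings` is an assumption about what `findings` counts.

```shell
#!/usr/bin/env bash
# Added example: gate on the required status block before trusting an audit file.
# validate_status_block FILE -> returns 0 when the block is well-formed,
# otherwise prints the first problem and returns 1.
validate_status_block() {
  awk '
    NR == 1 {
      if ($0 != "---") { print "does not start with ---"; bad = 1; exit }
      next
    }
    $0 == "---" { closed = 1; exit }
    { key = $0; sub(/:.*/, "", key); val = $0; sub(/^[^:]*:[ \t]*/, "", val); seen[key] = val }
    END {
      if (bad) exit 1
      if (!closed) { print "status block is not closed"; exit 1 }
      n = split("agent status timestamp duration findings critical_count high_count errors skipped_checks", req, " ")
      for (i = 1; i <= n; i++)
        if (!(req[i] in seen)) { print "missing key: " req[i]; exit 1 }
      if (seen["agent"] != "security-auditor") { print "unexpected agent: " seen["agent"]; exit 1 }
      if (seen["status"] !~ /^(COMPLETE|PARTIAL|SKIPPED|ERROR)$/) { print "invalid status: " seen["status"]; exit 1 }
      m = split("findings critical_count high_count", num, " ")
      for (i = 1; i <= m; i++)
        if (seen[num[i]] !~ /^[0-9]+$/) { print num[i] " is not a count"; exit 1 }
      # Assumption: findings is the total, so the two severity counts cannot exceed it
      if (seen["critical_count"] + seen["high_count"] > seen["findings"] + 0) { print "severity counts exceed findings"; exit 1 }
    }
  ' "$1"
}

# Constructed sample: a block whose status is not one of the four allowed values
sample=$(mktemp)
printf '%s\n' '---' 'agent: security-auditor' 'status: DONE' 'timestamp: 2024-01-01T00:00:00Z' \
  'duration: 42' 'findings: 3' 'critical_count: 1' 'high_count: 2' 'errors: []' \
  'skipped_checks: []' '---' '# Security Audit' > "$sample"
validate_status_block "$sample" || echo "rejected"
rm -f "$sample"
```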
## Scope (SINGLE AUTHORITY)
**security-auditor is the ONLY agent that checks:**
- Injection attacks (SQL, NoSQL, Command, XSS, LDAP)
- Authentication & session management
- Authorization & access control
- Secrets & credential exposure
- Security headers & configuration
- CSRF protection
- Rate limiting
- Data exposure risks
**Other agents do NOT check security:**
- bug-auditor: Runtime bugs only (not security)
- code-auditor: Code quality only (not security)
## 1. Injection Attacks
**SQL Injection**
```bash
# Raw queries with string interpolation
grep -rn "\$queryRaw\|\$executeRaw" src --include="*.ts" | head -10
grep -rn "query\s*(" src --include="*.ts" | grep -v "prisma\." | head -10
grep -rn '`.*\${.*}.*`' src --include="*.ts" | grep -i "select\|insert\|update\|delete" | head -10
```
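The `$queryRaw`/`$executeRaw` grep matches both Prisma's tagged-template form, which binds `${...}` values as query parameters, and the `*RawUnsafe(` calls, where an interpolated or concatenated string reaches the database as SQL. The triage below is an added example, not part of the original agent file; the function names `triage_raw_sql` and `make_sample_tree`, the three TypeScript files and the single-line heuristic are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify hits from the $queryRaw/$executeRaw grep by how the
# SQL string is built. All file names and contents below are constructed.

# triage_raw_sql DIR -> one "LABEL path:line:code" row per hit
#   HIGH   = *RawUnsafe( with ${...} interpolation or + concatenation on the line
#   PARAM  = tagged template ($queryRaw`...`): Prisma binds ${...} as parameters
#   REVIEW = anything else (multi-line calls, helper-built queries)
triage_raw_sql() {
  grep -rn --include='*.ts' -e '\$queryRaw' -e '\$executeRaw' "$1" | sort |
  while IFS= read -r hit; do
    case $hit in
      *'RawUnsafe('*'${'* | *'RawUnsafe('*' + '*) echo "HIGH   $hit" ;;
      *'RawUnsafe('*)                             echo "REVIEW $hit" ;;
      *'Raw`'*)                                   echo "PARAM  $hit" ;;
      *)                                          echo "REVIEW $hit" ;;
    esac
  done
}

# make_sample_tree DIR -> writes three constructed TypeScript files
make_sample_tree() {
  mkdir -p "$1/src"
  cat > "$1/src/a_tagged.ts" <<'EOF'
const rows = await prisma.$queryRaw`SELECT * FROM "User" WHERE id = ${id}`;
EOF
  cat > "$1/src/b_unsafe.ts" <<'EOF'
const rows = await prisma.$queryRawUnsafe(`SELECT * FROM "User" WHERE name = '${name}'`);
EOF
  cat > "$1/src/c_bound.ts" <<'EOF'
const n = await prisma.$executeRawUnsafe('DELETE FROM "Session" WHERE id = $1', sid);
EOF
}

demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
triage_raw_sql "$demo_dir/src"
rm -rf "$demo_dir"
```

Rows labelled `REVIEW` still need a human read: the heuristic only sees one line at a time, so a call whose SQL string is built on an earlier line is not classified as `HIGH`.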
**NoSQL Injection**
```bash
# MongoDB query manipulation
grep -rn "\.find\s*(\s*{" src --include="*.ts" | head -10
grep -rn "\$where\|\$regex" src --include="*.ts" | head -5
```
**Command Injection**
```bash
# Shell command execution
grep -rn "exec\|spawn\|execSync" src --include="*.ts" | head -10
grep -rn "child_process" src --include="*.ts" | head -5
```
**XSS (Cross-Site Scripting)**
```bash
# Dangerous HTML rendering
grep -rn "dangerouslySetInnerHTML\|innerHTML\|outerHTML" src --include="*.tsx" --include="*.ts" | head -10
# Unsanitized output
grep -rn "\.html\s*(" src --include="*.ts" | head -5
```
## 2. Authentication & Session
```bash
# Unprotected API routes (no auth check)
grep -rn "export.*GET\|export.*POST" src/app/api --include="*.ts" | head -20
# Routes with no auth-related identifier (find -exec keeps paths such as [id]/route.ts intact)
find src/app/api -name "route.ts" -exec grep -L "getServerSession\|auth\|verify\|middleware" {} + 2>/dev/null | head -10
# Password handling
grep -rn "password" src --include="*.ts" | grep -v "hash\|bcrypt\|argon" | head -10
# Session configuration
grep -rn "maxAge\|expires\|secure\|httpOnly" src --include="*.ts" | head -10
```
## 3. Authorization
```bash
# Direct object references without validation
grep -rn "params\.\|params\[" src/app/api --include="*.ts" | head -10
# Missing ownership checks
grep -rn "findUnique\|findFirst" src --include="*.ts" | grep -v "where.*userId\|where.*ownerId" | head -10
# Role checks
grep -rn "role\|admin\|isAdmin" src --include="*.ts" | head -10
```
## 4. Secrets & Configuration
```bash
# Hardcoded secrets
grep -rn "sk_live\|sk_test\|api_key\|apikey\|secret" src --include="*.ts" | grep -v "process.env\|import" | head -10
# Secrets in client code
grep -rn "process.env\." src --include="*.tsx" | grep -v "NEXT_PUBLIC" | head -10
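# .env files present on disk
ls -la .env .env.local .env.production 2>/dev/null
# .env files tracked by git (ls alone does not show this)
git ls-files -- .env .env.local .env.production 2>/dev/null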
# Check for example env
diff .env.example .env 2>/dev/null | head -20
```
## 5. Security Headers & CORS
```bash
# Missing security headers in next.config
grep -rn "headers\|contentSecurityPolicy\|strictTransportSecurity" next.config.* 2>/dev/null | head -10
# CORS configuration
grep -rn "Access-Control\|cors" src --include="*.ts" | head -10
# Cookie settings
grep -rn "cookie\|setCookie" src --include="*.ts" | grep -v "httpOnly\|secure\|sameSite" | head -10
```
## 6. CSRF & Rate Limiting
```bash
# CSRF tokens
grep -rn "csrf\|csrfToken\|_token" src --include="*.ts" | head -10
# Rate limiting
grep -rn "rateLimit\|rate-limit\|limiter\|throttle" src --include="*.ts" | head -5
# Auth endpoint protection
grep -rn "login\|signin\|signup\|register" src/app/api --include="*.ts" | head -10
```
## 7. Data Exposure
```bash
# Sensitive data in responses
grep -rn "password\|secret\|token\|apiKey" src --include="*.ts" | grep "return\|Response\|json" | head -10
# Stack traces in production
grep -rn "stack\|stackTrace" src --include="*.ts" | head -5
# PII logging
grep -rn "console.log\|logger" src --include="*.ts" | grep -i "email\|password\|ssn\|credit" | head -10
```
## 8. Dependency Vulnerabilities
```bash
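# Run audit with the package manager whose lockfile is present
# (a `cmd | head || next` chain never falls through: the pipeline returns head's exit status)
if [ -f pnpm-lock.yaml ]; then pnpm audit; elif [ -f yarn.lock ]; then yarn audit; else npm audit; fi 2>/dev/null | head -50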
```
## Output
```markdown
# Security Audit
---
agent: security-auditor
status: [COMPLETE|PARTIAL|SKIPPED]
timestamp: [ISO timestamp]
duration: [X seconds]
findings: [X]
critical_count: [X]
high_count: [X]
errors: [list any errors]
skipped_checks: [list checks that couldn't run]
---
## Risk Summary
| Category | Critical | High | Medium | Low |
|----------|----------|------|--------|-----|
| Injection | X | X | X | X |
| Auth | X | X | X | X |
| Secrets | X | X | X | X |
| Headers | X | X | X | X |
| Data | X | X | X | X |
**Total:** X Critical, X High, X Medium, X Low
## Critical Findings
### SEC-001: SQL Injection in User Search
**CVSS Score:** 9.8 (Critical)
**Location:** `src/api/users.ts:47`
**Attack Vector:**
```
POST /api/users?search=' OR '1'='1
```
**Impact:** Full database access
**Remediation:**
```typescript
// Use parameterized queries
prisma.user.findMany({ where: { name: { contains: search } } })
```
### SEC-002: Hardcoded API Key
**CVSS Score:** 9.1 (Critical)
**Location:** `src/lib/stripe.ts:5`
**Issue:** Production API key in source code
```typescript
const stripe = new Stripe('sk_live_xxxxx'); // EXPOSED!
```
**Remediation:**
```typescript
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
```
### SEC-003: SSRF Vulnerability
**CVSS Score:** 8.6 (Critical)
**Location:** `src/app/api/fetch/route.ts:12`
**Issue:** User-controlled URL in fetch
```typescript
const response = await fetch(req.query.url); // SSRF!
```
**Remediation:** Validate URL against allowlist
## High
### SEC-004: Mi