/security <spec-group-id>                   # Security review all changes for spec group
/security <spec-group-id> <atomic-spec-id>  # Review specific atomic spec implementation

Implementation → Unify → Code Review → Security Review → Merge
                                            ↑
                                        You are here

# Load manifest
cat .claude/specs/groups/<spec-group-id>/manifest.json

# Verify code review passed
# convergence.code_review_passed: true

# Load spec for context
cat .claude/specs/groups/<spec-group-id>/spec.md

# List atomic specs
ls .claude/specs/groups/<spec-group-id>/atomic/

# Build file list from Implementation Evidence in each atomic spec

# Find input sources
grep -r "req.body\|req.query\|req.params" src/ --include="*.ts"

# Check for validation
grep -r "z\.\|Zod\|validate" src/ --include="*.ts"

// Input validated with Zod
const LoginSchema = z.object({
  email: z.string().email().max(255),
  password: z.string().min(8).max(128)
});

const input = LoginSchema.parse(req.body);

// No validation - vulnerable
const { email, password } = req.body;
login(email, password);

### Finding 1: Missing Input Validation (High)
- **File**: src/api/auth.ts:42
- **Atomic Spec**: as-002
- **Issue**: Email not validated before use
- **Risk**: Injection attacks, malformed data
- **Recommendation**: Add Zod schema validation

# Find database queries
grep -r "db.query\|db.raw\|sql\`" src/ --include="*.ts"

// Parameterized query
const user = await db.query(
  "SELECT * FROM users WHERE email = $1",
  [email]
);

// SQL injection vulnerable
const user = await db.query(
  `SELECT * FROM users WHERE email = '${email}'`
);

# Find shell commands
grep -r "exec\|spawn\|execFile" src/ --include="*.ts"

# Find HTML rendering
grep -r "innerHTML\|dangerouslySetInnerHTML" src/ --include="*.tsx"

# Find auth middleware
grep -r "authenticate\|authorize\|requireAuth" src/ --include="*.ts"

# Find protected routes
grep -r "router\.\|app\.\|@Get\|@Post" src/ --include="*.ts"

# Find potential secrets
grep -r "password\|secret\|key\|token" src/ --include="*.ts"

# Check for hardcoded secrets
grep -r "\".*secret.*\"\|'.*secret.*'" src/ --include="*.ts"

# Find logging statements
grep -r "console.log\|logger\." src/ --include="*.ts"

# Run security audit
npm audit

# Check for high/critical vulnerabilities
npm audit --audit-level=high

# Security Review Report: <spec-group-id>

**Date**: 2026-01-14
**Reviewer**: security-reviewer
**Spec Group**: .claude/specs/groups/<spec-group-id>/

## Summary: ✅ PASS

No critical or high-severity issues found. 1 medium-severity recommendation.

---

## Per Atomic Spec Review

### as-001: Logout Button UI
- **Files**: src/components/UserMenu.tsx
- **Security**: ✅ No security concerns (pure UI)

### as-002: Token Clearing
- **Files**: src/services/auth-service.ts
- **Security**: ✅ Pass
- **Notes**: Token properly cleared from localStorage

### as-003: Post-Logout Redirect
- **Files**: src/router/auth-router.ts
- **Security**: ✅ Pass
- **Notes**: Redirect uses hardcoded path (no open redirect)

### as-004: Error Handling
- **Files**: src/services/auth-service.ts
- **Security**: ⚠️ 1 Medium finding
- **Notes**: Error message could be more specific

---

## Findings

### Medium Severity

#### Finding 1: Weak Error Message
- **File**: src/services/auth-service.ts:47
- **Atomic Spec**: as-004
- **Issue**: Error message "Logout failed. Please try again." doesn't indicate cause
- **Risk**: Medium - User confusion, but no security impact
- **Recommendation**: Add specific error codes without leaking sensitive info

---

## Security Checklist

### Input Validation: ✅ Pass
- No user input in logout flow
- N/A

### Injection Prevention: ✅ Pass
- No SQL queries
- No shell commands
- No HTML rendering

### Authentication & Authorization: ✅ Pass
- Logout endpoint properly authenticated
- Token cleared after server confirms logout
- No auth bypasses

### Secrets & Sensitive Data: ✅ Pass
- No secrets in code
- Token cleared from localStorage
- No sensitive data logged

### Data Protection: ✅ Pass
- No PII handled in this feature
- Error messages generic

### Dependencies: ✅ Pass
- No new dependencies added
- Existing deps: 0 vulnerabilities

---

## Approval: ✅ CAN PROCEED

**Status**: Pass with recommendations

**Next Steps**:
1. Address medium-severity finding (optional)
2. Proceed to browser testing (if applicable)
3. Ready for commit

## Summary: ❌ FAIL

**Critical issues found. DO NOT MERGE.**

---

## Critical Findings

### Finding 1: SQL Injection Vulnerability (Critical)
- **File**: src/api/users.ts:34
- **Atomic Spec**: as-002
- **Issue**: User input directly concatenated into SQL query
- **Risk**: CRITICAL - Attacker can access/modify entire database
- **POC**: `userId = "1 OR 1=1--"` returns all users
- **Recommendation**: Use parameterized query immediately
```typescript
// Fix required
const user = await db.query(
  "SELECT * FROM users WHERE id = $1",
  [userId]  // Parameterized
);

**Severity levels**:
- **Critical**: Immediate data breach or system compromise risk
- **High**: Significant security risk, should be fixed before merge
- **Medium**: Security concern, should be addressed soon
- **Low**: Best practice improvement, nice to have

### Step 10: Update Manifest

Update manifest.json with security review status:

```json
{
  "convergence": {
    "security_review_passed": true
  },
  "decision_log": [
    {
      "timestamp": "<ISO timestamp>",
      "actor": "agent",
      "action": "security_review_complete",
      "details": "0 critical, 0 high, 1 medium - PASS"
    }
  ]
}

❌ FAIL - Critical SQL injection vulnerability

**Finding**: User input directly in SQL query
**File**: src/api/search.ts:12
**Atomic Spec**: as-001
**Fix**: Use parameterized query

DO NOT MERGE until fixed.

✅ PASS with recommendations

**Finding (Medium)**: Weak password requirements
**Atomic Spec**: as-001
**Recommendation**: Increase minimum password length to 8 characters

Can proceed to merge, but recommend addressing finding in future iteration.