| name | security-review-protocol |
| description | Security review checklist. Use for auth, authorization, validation, sensitive data, secrets, files, and API exposure. |
Security Review Protocol
As the dedicated reviewer, own the focused security review of applicable plans or diffs. Read .agents/PLAN.md, relevant diffs/handoffs, and .agents/REVIEW.md as the read-only schema. Every delegated security review writes the full result only to its assigned absent .agents/REVIEW_security-<n>.md path; never write findings to .agents/REVIEW.md, self-allocate, or overwrite an artifact.
Check:
- Authentication and session handling.
- Authorization on every protected action.
- Input validation and output encoding.
- Sensitive data in logs, UI, API responses, storage, and errors.
- Secret handling.
- Injection and deserialization risk.
- File upload/download constraints.
- Dependency and config exposure.
Return only actionable findings in the canonical [P0]โ[P3] Markdown shape. In the comment, state the exploit or exposure scenario, impact, and needed mitigation when useful. Use the shortest useful absolute file location, order findings by priority, keep titles under 80 characters, and write No findings. when none qualify.
[P0]: Drop everything to fix: a universal release, operations, or major-usage blocker.
[P1]: Urgent: fix in the next cycle.
[P2]: Normal: fix eventually.
[P3]: Low: nice to have.
Use templates/REVIEW.md and ### F<n> โ [P1] ... headings. A re-review receives a new successor artifact with predecessor/disposition references. Return only artifact path, verdict, and blocking status in chat.
Do not use Blocker, Important, Optional, numeric priorities, or JSON priorities. Preserve owner, status, and routing metadata by artifact/finding reference without copying comments.