| name | security-review |
| description | Comprehensive security review checklist for auth, OAuth, admin, and multi-tenant code changes |
| user-invocable | true |
Security Review Skill
Purpose
Comprehensive security review checklist triggered when modifying authentication, authorization, OAuth, admin, or multi-tenant code. Covers the categories identified in the Feb 2026 post-mortem audit.
CLAUDE.md Compliance
- โ
Enforces Security Engineering Rules from CLAUDE.md
- โ
Validates authorization boundaries (authn != authz)
- โ
Checks multi-tenant isolation patterns
- โ
Verifies input validation and logging hygiene
Usage
Run this skill:
- After modifying auth/OAuth/admin code
- After adding new API endpoints
- After database schema changes affecting tenant data
- Before committing security-sensitive changes
- During code review of security-related PRs
Commands
Full Security Review
echo "========================================="
echo " SECURITY REVIEW CHECKLIST"
echo "========================================="
echo ""
echo "--- 1. Authorization Boundaries ---"
echo "๐ Checking auth endpoints for authorization..."
rg "async fn.*(admin|coach|manage|assign|remove|revoke|create_token|delete)" src/routes/ --type rust -A 15 | \
rg -v "is_admin|is_super_admin|role|permission|tenant_membership" | \
rg "async fn" && \
echo "โ ๏ธ Admin endpoints may lack authorization checks" || \
echo "โ Admin endpoints have authorization checks"
echo "๐ Checking super-admin gating..."
rg "super.?admin|SuperAdmin" src/routes/ --type rust -B 3 -A 10 | \
rg "is_super_admin" | wc -l
echo "Super-admin check count (should be >0 for admin routes)"
echo ""
echo "--- 2. Multi-Tenant Isolation ---"
echo "๐ Checking SQL queries for tenant scoping..."
rg "sqlx::query" src/ --type rust -A 5 | \
rg "SELECT|INSERT|UPDATE|DELETE" | \
rg -v "tenant_id|migration|schema_version|system_config" | head -10
echo "(Above should be empty โ all queries need tenant_id)"
echo "๐ Checking cache key construction..."
rg "cache.*key|cache.*get|cache.*set|cache.*insert" src/ --type rust -A 3 | \
rg -v "tenant" | rg "fn\|let" | head -5
echo "(Above should be empty โ cache keys need tenant_id)"
echo ""
echo "--- 3. Input Domain Validation ---"
echo "๐ Checking division safety..."
rg "/ [a-z_]+" src/ --type rust -n | \
rg -v "test|//|as f64|as f32|\.len\(\)|\.count\(\)" | \
head -10
echo "(Review above for potential divide-by-zero)"
echo "๐ Checking pagination bounds..."
rg "limit|offset|page_size|per_page" src/routes/ --type rust -A 3 | \
rg "clamp|min|max|\.max\(1\)" | wc -l
echo "Pagination bound checks found"
echo ""
echo "--- 4. OAuth & Protocol Compliance ---"
echo "๐ Checking OAuth state validation..."
rg "state.*param|validate.*state|verify.*state" src/ --type rust -n | wc -l
echo "State validation checks (should be >0)"
echo "๐ Checking PKCE enforcement..."
rg "code_challenge|code_verifier" src/ --type rust -n | wc -l
echo "PKCE references (should be >0)"
echo ""
echo "--- 5. Logging Hygiene ---"
echo "๐ Checking for secrets in log statements..."
rg "(info!|warn!|error!)\(.*\{.*(token|key|secret|password)" src/ --type rust -n | \
rg -v "redact|REDACT|mask|\*\*\*|token_type|key_id|key_count" | head -5
echo "(Above should be empty โ no secrets in logs)"
echo ""
echo "--- 6. Template & Query Safety ---"
echo "๐ Checking for format! SQL injection..."
rg "format!\(.*(?:SELECT|INSERT|UPDATE|DELETE)" src/ --type rust -n && \
echo "โ CRITICAL: format! used in SQL!" || \
echo "โ No format! SQL injection"
echo "๐ Checking HTML escaping..."
rg "text/html|Content-Type.*html" src/ --type rust -B 5 -A 10 | \
rg "format!" | rg -v "html_escape" | head -5
echo "(Above should be empty โ HTML must use escaping)"
echo ""
echo "========================================="
echo " SECURITY REVIEW COMPLETE"
echo "========================================="
When to Trigger
This skill should be invoked when files in these paths are modified:
src/routes/auth.rs โ authentication/session management
src/routes/admin.rs โ admin panel operations
src/oauth2_server/ โ OAuth authorization server
src/oauth2_client/ โ OAuth client (Strava, etc.)
src/mcp/multitenant.rs โ multi-tenant MCP handling
src/database/ โ database queries (tenant scoping)
src/middleware/ โ auth/tenant middleware
Success Criteria
- โ
All admin endpoints verify role/permission (not just auth)
- โ
All SQL queries include tenant_id scoping
- โ
All cache keys include tenant_id
- โ
No divide-by-zero risks in user-facing code
- โ
Pagination has min/max bounds
- โ
OAuth state is validated on callback
- โ
No secrets/PII in INFO+ log levels
- โ
No format!() SQL construction
- โ
HTML output uses escaping functions
Standalone Script
The CI-runnable version of this skill lives at scripts/ci/security-review.sh.
It runs automatically in CI via ./scripts/ci/architectural-validation.sh --apply-skills.
Related Skills
validate-architecture โ Architectural patterns
check-no-secrets โ Secret detection
test-multitenant-isolation โ Tenant isolation tests
check-input-validation โ Input validation checks