/security-audit — Deep Security Audit

Thorough security audit using 3-4 parallel agents, each focused on a specific security domain. More comprehensive than the security reviewer in /engineer-review — use this for pre-launch audits or when security is the primary concern.

When to Use

• Pre-launch security review
• User says "security audit", "check for vulnerabilities"
• After significant auth/data changes
• Periodic codebase security check

Process

Step 1: Scope the Audit

Determine what to audit:

• If $ARGUMENTS specifies files or features: scope to those
• If no arguments: audit the entire codebase

Read package.json, config files, and directory structure to understand the tech stack. This determines which agents to launch and what they focus on.

Step 2: Detect Tech Stack

Check for:

• next.config.* → server actions, middleware, API routes, CSRF
• app.json or expo in package.json → deep linking, secure storage, certificate pinning
• supabase/ directory → RLS, auth config, storage policies
• tsconfig.json → type safety as security boundary
• .env* files → environment variable handling

Step 3: Launch Parallel Security Agents

Spawn ALL agents IN PARALLEL using the Task tool. Send all Task calls in a single message.

Agent 1: Auth & Access Control

prompt: Perform a security audit focused on authentication and authorization.
  Examine: authentication flows, session management, token handling, password
  policies, OAuth configuration, middleware/route guards, privilege escalation
  paths, RBAC/permission checks, protected route coverage.
  For each finding: file, line, severity (P1-P4), vulnerability description,
  remediation steps.

Agent 2: Input Validation & Injection

prompt: Perform a security audit focused on injection vulnerabilities.
  Examine: SQL injection (especially raw queries), XSS (user content rendering,
  dangerouslySetInnerHTML), command injection, path traversal, SSRF, template
  injection, header injection, open redirects.
  Check all system boundaries: API routes, server actions, form handlers, URL
  parameters, file uploads.
  For each finding: file, line, severity (P1-P4), vulnerability description,
  proof of concept, remediation steps.

Agent 3: Data Protection & Secrets

prompt: Perform a security audit focused on data handling and secrets.
  Examine: hardcoded secrets/API keys, exposed environment variables,
  sensitive data in logs, PII exposure in API responses, insecure data storage,
  missing encryption, overly permissive CORS, data leak through error messages,
  client-side exposure of server-only data.
  Check: .env files, git history for leaked secrets, client bundles for
  server-only values, API response payloads for over-fetching.
  For each finding: file, line, severity (P1-P4), vulnerability description,
  remediation steps.

Agent 4: Infrastructure & Configuration (conditional)

Launch this agent if the project has API routes, middleware, or deployment configuration:

prompt: Perform a security audit focused on infrastructure and configuration.
  Examine: CORS configuration, CSP headers, rate limiting, dependency
  vulnerabilities (check package.json for known vulnerable packages),
  security headers (X-Frame-Options, HSTS, etc.), API rate limiting,
  file upload size limits, error handling that leaks stack traces.
  For each finding: file, line, severity (P1-P4), vulnerability description,
  remediation steps.

Step 4: Synthesize Security Report

Collect all agent findings and produce a prioritized report:

## Security Audit Report

**Scope:** [what was audited]
**Tech Stack:** [detected frameworks]
**Date:** [current date]

### Executive Summary
[1-2 sentence overall assessment]

### P1 — Critical (fix immediately)
| # | Category | File | Line | Vulnerability | Remediation |
|---|----------|------|------|---------------|-------------|

### P2 — Important (fix before merge/launch)
| # | Category | File | Line | Vulnerability | Remediation |
|---|----------|------|------|---------------|-------------|

### P3 — Moderate (fix soon)
| # | Category | File | Line | Vulnerability | Remediation |
|---|----------|------|------|---------------|-------------|

### P4 — Low (consider fixing)
| # | Category | File | Line | Vulnerability | Remediation |
|---|----------|------|------|---------------|-------------|

### Positive Security Patterns
[Good security practices found in the codebase]

### Recommendations
[General security improvements not tied to specific findings]

### Auditors Run
[List which agents were launched]

Deduplicate findings across agents. Escalate any finding involving user data or authentication to at minimum P2.

Output

Security report presented inline. Save to docs/audits/ if requested.

Next Steps

• P1 findings? Fix immediately
• Supabase project? Ensure RLS policies and auth config are covered in findings
• Want to track fixes? Create a plan with /engineer-plan
• Fixed issues? Re-run /security-audit to verify