system-prompts-and-models-o.../salesflow-saas/.claude/commands/security-check.md
Claude 83210b9d12
feat: Add founder strategy, Claude Code control plane, SaaS launch readiness
Founder Strategy & GTM (from prompts #1, #10):
- niche-brief.md: Saudi real estate primary, healthcare secondary
- icp-brief.md: Full ICP with Arabic objection handling
- content-map.md: 20 content ideas, SEO keywords, weekly schedule
- outreach-map.md: WhatsApp/Email cold outreach with Arabic templates
- launch-plan.md: 14-day sprint + 30-day plan with revenue targets
- interview-template.md: 15 Arabic customer discovery questions

Claude Code Control Plane (from prompt #2):
- .claude/settings.json: Permissions and preferences
- .claude/commands/: 5 custom commands (review-pr, release-prep, security-check, generate-tests, architecture-review)
- .claude/hooks/: pre-commit.sh (secrets check), pre-push.sh (tests)

SaaS Launch Readiness (from prompt #4):
- saas-readiness-audit.md: Full audit with gap analysis
- deployment-checklist.md: Deploy + rollback procedures
- launch-checklist.md: 100+ launch day checklist items
- feature_flags.py: Redis-backed feature flags with per-tenant control

https://claude.ai/code/session_01LsnvBa7HwF5hs99VZbgLGj
2026-04-11 08:09:50 +00:00

/security-check — Security Preflight for Dealix

Run a comprehensive security audit before deployment or PR merge.

Steps

1. Hardcoded Secrets Detection

Scan all source files for embedded credentials:

grep -rn "API_KEY\s*=\s*['\"]" backend/app/ --include="*.py" | grep -v "os\.environ\|get_settings\|config\.\|settings\.\|# example\|# test"
grep -rn "SECRET\s*=\s*['\"]" backend/app/ --include="*.py" | grep -v "os\.environ\|get_settings\|config\.\|settings\.\|# example"
grep -rn "PASSWORD\s*=\s*['\"]" backend/app/ --include="*.py" | grep -v "os\.environ\|get_settings\|config\.\|settings\.\|# example\|hash_password"
grep -rn "PRIVATE_KEY\s*=\s*['\"]" backend/app/ --include="*.py" | grep -v "os\.environ\|get_settings"
grep -rn "Bearer\s\+[A-Za-z0-9_-]\{20,\}" backend/app/ --include="*.py"

Any match is a CRITICAL finding.

2. SQL Injection Vectors

Check for unsafe SQL construction:

grep -rn "f\".*SELECT\|f\".*INSERT\|f\".*UPDATE\|f\".*DELETE\|f'.*SELECT\|f'.*INSERT\|f'.*UPDATE\|f'.*DELETE" backend/app/ --include="*.py"
grep -rn "\.execute(f\"\|\.execute(f'" backend/app/ --include="*.py"
grep -rn "text(f\"\|text(f'" backend/app/ --include="*.py"

All SQL must use SQLAlchemy ORM or parameterized text() binds.
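The greps above match f-strings that sit on one line. As an added example (not part of the original command file or the Dealix code base), the same check done on the Python AST also catches `+`, `%` and `.format()` construction and calls split across lines; the sink names and the sample source are assumptions constructed for illustration.

```python
import ast

# Call names the page's greps look for, plus executemany (added here as an assumption).
SQL_SINKS = {"execute", "executemany", "text"}

def _is_dynamic_string(node):
    """True when the expression assembles a string at runtime."""
    if isinstance(node, ast.JoinedStr):  # f"... {x} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True  # "..." + x or "..." % x (conservative: flags constant-only joins too)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"  # "...".format(x)
    return False

def find_unsafe_sql(source, filename="<constructed>"):
    """Return sorted (filename, line, sink) for sink calls whose first argument is built dynamically."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name in SQL_SINKS and _is_dynamic_string(node.args[0]):
            findings.append((filename, node.lineno, name))
    return sorted(findings)

# Constructed sample, not code from the Dealix repository. It is only parsed, never executed.
SAMPLE = '''
from sqlalchemy import text

def lookups(db, email, tenant_id, lead_id):
    db.execute(f"SELECT * FROM leads WHERE email = '{email}'")
    db.execute(
        text("SELECT * FROM leads WHERE tenant_id = " + tenant_id)
    )
    db.execute("DELETE FROM leads WHERE id = {}".format(lead_id))
    db.execute(text("SELECT * FROM leads WHERE email = :email"), {"email": email})
'''

if __name__ == "__main__":
    for path, line, sink in find_unsafe_sql(SAMPLE):
        print(f"{path}:{line}: dynamic string passed to {sink}()")
```

The parameterized call on the last line of the sample is not reported, which is the form the rule above requires.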

3. XSS Prevention

Check frontend for unsafe rendering:

grep -rn "dangerouslySetInnerHTML" frontend/src/ --include="*.tsx" --include="*.ts"
grep -rn "v-html" frontend/src/ --include="*.vue" 2>/dev/null

Flag each occurrence and verify input is sanitized.

Check all message-sending endpoints enforce consent:

grep -rn "send_whatsapp\|send_sms\|send_email\|send_message" backend/app/api/ --include="*.py" -l

For each file found, verify it calls ConsentManager.check_consent() or consent_manager.verify_consent() before sending.

Check that personal data endpoints log access:

grep -rn "def get_lead\|def get_contact\|def export" backend/app/api/ --include="*.py" -l

Each must call audit_service.log_access() or equivalent.

5. JWT Validation

Verify JWT security configuration:

grep -rn "JWT_ALGORITHM\|jwt\.decode\|jwt\.encode" backend/app/ --include="*.py"

  • Algorithm must be HS256 or RS256 (not none)
  • Token expiry must be set (not unlimited)
  • Secret key must come from environment, not hardcoded
  • Refresh token rotation must be implemented
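What the first two requirements look like in a verifier, as an added example (not the project's own code): the algorithm is pinned by the verifier rather than read from the token, and a token without `exp` is refused. It uses only the standard library so it runs offline; `DEMO_SECRET`, `make_token` and `rejection_reason` are constructed helpers for the demonstration.

```python
import base64, hashlib, hmac, json, time

DEMO_SECRET = b"constructed-demo-key"  # constructed; the real key is read from the environment

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_token(header, claims, secret):
    """Constructed helper for the demo: sign header.payload with HMAC-SHA256."""
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token, secret, now=None):
    """Return the claims of a valid token, otherwise raise ValueError."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(unb64url(header_b64))
        claims = json.loads(unb64url(body_b64))
        sig = unb64url(sig_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise TypeError("header and payload must be JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # The verifier pins the algorithm; the token header never selects it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):  # a token without expiry is rejected
        raise ValueError("missing exp")
    if (time.time() if now is None else now) >= exp:
        raise ValueError("token expired")
    return claims

def rejection_reason(token, secret=DEMO_SECRET, now=1000):
    """Return the ValueError text for a rejected token, or None if it verifies."""
    try:
        verify_hs256(token, secret, now)
    except ValueError as exc:
        return str(exc)
    return None
```

With PyJWT the same two properties come from passing `algorithms=["HS256"]` and `options={"require": ["exp"]}` to `jwt.decode`, so those are the arguments to look for in the grep results.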

6. Tenant Isolation Audit

Check that all database queries enforce tenant boundaries:

grep -rn "def get\|def list\|def update\|def delete" backend/app/services/ --include="*.py" -l

For each service file, verify queries include tenant_id filter. Flag any query that accesses data without tenant scoping.

Check for cross-tenant data leakage in API responses:

  • Ensure no endpoint returns data from multiple tenants
  • Verify tenant_id is extracted from JWT, not from request body

7. Dependency Vulnerabilities

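# Both tools exit non-zero when they report vulnerabilities, so test for the tool itself rather than chaining "||" onto the audit.
if command -v pip-audit >/dev/null 2>&1; then pip-audit -r backend/requirements.txt; else echo "Run: pip install pip-audit"; fi
# Subshell keeps the working directory unchanged for later steps; stderr stays visible so failures are not hidden.
(cd frontend && npm audit --production) || echo "npm audit reported findings or failed; review the output above"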

8. File Upload Security

grep -rn "UploadFile\|file.*upload\|multipart" backend/app/ --include="*.py"

For each upload endpoint verify:

  • Content-type validation (whitelist, not blacklist)
  • File size limits enforced
  • Files stored outside web root
  • Filenames are sanitized (no path traversal)
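The four checks combined in one function, as an added example (not the project's own upload handler). The allowed types, size limit and `UPLOAD_ROOT` are assumed values, and the magic-byte comparison goes one step beyond the list above by checking the declared type against the file's leading bytes.

```python
import re
import uuid
from pathlib import Path

# Assumed policy values for the example: MIME type -> (stored extension, leading magic bytes).
ALLOWED_TYPES = {
    "image/png": (".png", b"\x89PNG\r\n\x1a\n"),
    "image/jpeg": (".jpg", b"\xff\xd8\xff"),
    "application/pdf": (".pdf", b"%PDF-"),
}
MAX_BYTES = 5 * 1024 * 1024
UPLOAD_ROOT = Path("/srv/uploads-example")  # hypothetical directory outside the web root

def plan_upload(client_filename, content_type, data, root=UPLOAD_ROOT):
    """Return (stored_path, display_name) for an accepted upload, else raise ValueError."""
    allowed = ALLOWED_TYPES.get(content_type)
    if allowed is None:  # allowlist: anything not listed is refused
        raise ValueError("content type not allowed")
    ext, magic = allowed
    if not 0 < len(data) <= MAX_BYTES:
        raise ValueError("file size out of bounds")
    if not data.startswith(magic):  # declared type must match the file's leading bytes
        raise ValueError("content does not match declared type")
    # Display name: last path component only, both separators, restricted character set.
    base = re.split(r"[\\/]", client_filename)[-1]
    display = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")[:100] or "upload"
    # Stored name is generated server-side, so client input never forms a filesystem path.
    stored = (root / (uuid.uuid4().hex + ext)).resolve()
    if root.resolve() not in stored.parents:
        raise ValueError("path escapes upload root")
    return stored, display
```

The client-supplied name survives only as a sanitized display label; the path written to disk is built from a random identifier and the extension tied to the accepted type.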

9. Rate Limiting & Abuse Prevention

grep -rn "rate_limit\|throttle\|RateLimiter" backend/app/ --include="*.py"

Verify rate limiting on:

  • Login / OTP endpoints
  • Password reset
  • API endpoints (per-tenant)
  • WhatsApp message sending

10. Security Report

Generate a report with severity levels:

  • CRITICAL — Must fix immediately (secrets, SQL injection, auth bypass)
  • HIGH — Fix before release (missing consent checks, no tenant isolation)
  • MEDIUM — Fix soon (missing rate limits, weak validation)
  • LOW — Track for improvement (missing CSP headers, verbose errors)

Include specific file paths and line numbers for each finding.