mancitrus/system-prompts-and-models-of-ai-tools
1
0
Fork 0
mirror of https://github.com/x1xhlol/system-prompts-and-models-of-ai-tools.git synced 2026-06-19 15:59:37 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
83150b97b5
system-prompts-and-models-o.../salesflow-saas/.claude/commands/security-check.md
Claude 83210b9d12
feat: Add founder strategy, Claude Code control plane, SaaS launch readiness 
Founder Strategy & GTM (from prompts #1, #10):
- niche-brief.md: Saudi real estate primary, healthcare secondary
- icp-brief.md: Full ICP with Arabic objection handling
- content-map.md: 20 content ideas, SEO keywords, weekly schedule
- outreach-map.md: WhatsApp/Email cold outreach with Arabic templates
- launch-plan.md: 14-day sprint + 30-day plan with revenue targets
- interview-template.md: 15 Arabic customer discovery questions

Claude Code Control Plane (from prompt #2):
- .claude/settings.json: Permissions and preferences
- .claude/commands/: 5 custom commands (review-pr, release-prep, security-check, generate-tests, architecture-review)
- .claude/hooks/: pre-commit.sh (secrets check), pre-push.sh (tests)

SaaS Launch Readiness (from prompt #4):
- saas-readiness-audit.md: Full audit with gap analysis
- deployment-checklist.md: Deploy + rollback procedures
- launch-checklist.md: 100+ launch day checklist items
- feature_flags.py: Redis-backed feature flags with per-tenant control

https://claude.ai/code/session_01LsnvBa7HwF5hs99VZbgLGj
2026-04-11 08:09:50 +00:00

103 lines
4.0 KiB
Markdown
Raw Blame History

# /security-check — Security Preflight for Dealix
Run a comprehensive security audit before deployment or PR merge.
## Steps
### 1. Hardcoded Secrets Detection
Scan all source files for embedded credentials:
```bash
grep -rn "API_KEY\s*=\s*['\"]" backend/app/ --include="*.py" | grep -v "os\.environ\|get_settings\|config\.\|settings\.\|# example\|# test"
grep -rn "SECRET\s*=\s*['\"]" backend/app/ --include="*.py" | grep -v "os\.environ\|get_settings\|config\.\|settings\.\|# example"
grep -rn "PASSWORD\s*=\s*['\"]" backend/app/ --include="*.py" | grep -v "os\.environ\|get_settings\|config\.\|settings\.\|# example\|hash_password"
grep -rn "PRIVATE_KEY\s*=\s*['\"]" backend/app/ --include="*.py" | grep -v "os\.environ\|get_settings"
grep -rn "Bearer\s\+[A-Za-z0-9_-]\{20,\}" backend/app/ --include="*.py"
```
Any match is a **CRITICAL** finding.
### 2. SQL Injection Vectors
Check for unsafe SQL construction:
```bash
grep -rn "f\".*SELECT\|f\".*INSERT\|f\".*UPDATE\|f\".*DELETE\|f'.*SELECT\|f'.*INSERT\|f'.*UPDATE\|f'.*DELETE" backend/app/ --include="*.py"
grep -rn "\.execute(f\"\|\.execute(f'" backend/app/ --include="*.py"
grep -rn "text(f\"\|text(f'" backend/app/ --include="*.py"
```
All SQL must use SQLAlchemy ORM or parameterized `text()` binds.
### 3. XSS Prevention
Check frontend for unsafe rendering:
```bash
grep -rn "dangerouslySetInnerHTML" frontend/src/ --include="*.tsx" --include="*.ts"
grep -rn "v-html" frontend/src/ --include="*.vue" 2>/dev/null
```
Flag each occurrence and verify input is sanitized.
### 4. PDPL Consent Verification
Check all message-sending endpoints enforce consent:
```bash
grep -rn "send_whatsapp\|send_sms\|send_email\|send_message" backend/app/api/ --include="*.py" -l
```
For each file found, verify it calls `ConsentManager.check_consent()` or `consent_manager.verify_consent()` before sending.
Check that personal data endpoints log access:
```bash
grep -rn "def get_lead\|def get_contact\|def export" backend/app/api/ --include="*.py" -l
```
Each must call `audit_service.log_access()` or equivalent.
### 5. JWT Validation
Verify JWT security configuration:
```bash
grep -rn "JWT_ALGORITHM\|jwt\.decode\|jwt\.encode" backend/app/ --include="*.py"
```
- Algorithm must be HS256 or RS256 (not `none`)
- Token expiry must be set (not unlimited)
- Secret key must come from environment, not hardcoded
- Refresh token rotation must be implemented
### 6. Tenant Isolation Audit
Check that all database queries enforce tenant boundaries:
```bash
grep -rn "def get\|def list\|def update\|def delete" backend/app/services/ --include="*.py" -l
```
For each service file, verify queries include `tenant_id` filter. Flag any query that accesses data without tenant scoping.
Check for cross-tenant data leakage in API responses:
- Ensure no endpoint returns data from multiple tenants
- Verify tenant_id is extracted from JWT, not from request body
### 7. Dependency Vulnerabilities
```bash
pip-audit -r backend/requirements.txt 2>/dev/null || echo "Run: pip install pip-audit"
cd frontend && npm audit --production 2>/dev/null || echo "Run npm audit manually"
```
### 8. File Upload Security
```bash
grep -rn "UploadFile\|file.*upload\|multipart" backend/app/ --include="*.py"
```
For each upload endpoint verify:
- Content-type validation (whitelist, not blacklist)
- File size limits enforced
- Files stored outside web root
- Filenames are sanitized (no path traversal)
### 9. Rate Limiting & Abuse Prevention
```bash
grep -rn "rate_limit\|throttle\|RateLimiter" backend/app/ --include="*.py"
```
Verify rate limiting on:
- Login / OTP endpoints
- Password reset
- API endpoints (per-tenant)
- WhatsApp message sending
### 10. Security Report
Generate a report with severity levels:
- **CRITICAL** — Must fix immediately (secrets, SQL injection, auth bypass)
- **HIGH** — Fix before release (missing consent checks, no tenant isolation)
- **MEDIUM** — Fix soon (missing rate limits, weak validation)
- **LOW** — Track for improvement (missing CSP headers, verbose errors)
Include specific file paths and line numbers for each finding.
Reference in New Issue View Git Blame Copy Permalink