@precisa-saude/agent-instructions 1.4.0 → 1.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +81 -0
- package/package.json +1 -1
package/AGENTS.md
CHANGED
|
@@ -134,6 +134,87 @@ plan exactly or ask before deviating.
|
|
|
134
134
|
3. **Never silently substitute** a simpler implementation for what was
|
|
135
135
|
agreed.
|
|
136
136
|
|
|
137
|
+
## Security audit protocol
|
|
138
|
+
|
|
139
|
+
When asked to run a security audit or classify a security finding,
|
|
140
|
+
establish the threat model **before** labelling severity. "Committed
|
|
141
|
+
in git" is not a severity on its own — it depends on who can read the
|
|
142
|
+
git history and what the value actually grants.
|
|
143
|
+
|
|
144
|
+
### 1. Check repo visibility first
|
|
145
|
+
|
|
146
|
+
```bash
|
|
147
|
+
gh repo view --json visibility -q .visibility
|
|
148
|
+
```
|
|
149
|
+
|
|
150
|
+
(Run from the repo root; `gh` infers the repo from the git remote.
|
|
151
|
+
Returns `PUBLIC` or `PRIVATE`.)
|
|
152
|
+
|
|
153
|
+
- **Public**: committed values are real leaks. The world can read git
|
|
154
|
+
history, including past revisions after rotation. Severity should
|
|
155
|
+
reflect that reach.
|
|
156
|
+
- **Private**: committed values are readable only by repo
|
|
157
|
+
collaborators + the forge. That's a hygiene concern, not
|
|
158
|
+
exfiltration. Don't classify as a breach.
|
|
159
|
+
|
|
160
|
+
### 2. Distinguish three categories before rating severity
|
|
161
|
+
|
|
162
|
+
- **Real secret** — grants capabilities the attacker doesn't already
|
|
163
|
+
have. Rotation actually closes something. Examples: server-side API
|
|
164
|
+
keys, OAuth client secrets, signing keys, database credentials,
|
|
165
|
+
private keys.
|
|
166
|
+
- **Pseudo-secret** — looks sensitive but ships publicly by design.
|
|
167
|
+
Already reachable via the client bundle, DNS, npm registry, or prod
|
|
168
|
+
HTML. Rotation doesn't reduce reach. Examples: anything intended for
|
|
169
|
+
browser bundles (e.g. `VITE_*`, `NEXT_PUBLIC_*`), identifiers used
|
|
170
|
+
only to route auth challenges, error-reporting DSNs, read-only
|
|
171
|
+
frontend tokens from the tech stack.
|
|
172
|
+
- **Hygiene debt** — a pattern that invites future mistakes without
|
|
173
|
+
currently being a breach. Worth fixing, but don't label Critical.
|
|
174
|
+
Examples: dev-only `.env` tracked, weak dev credentials, docs out
|
|
175
|
+
of sync with reality.
|
|
176
|
+
|
|
177
|
+
### 3. Calibrate severity to reachability × capability
|
|
178
|
+
|
|
179
|
+
- **Critical** — active exploitation path to prod user data, auth
|
|
180
|
+
bypass, or RCE reachable from the internet.
|
|
181
|
+
- **High** — real secret exposed past its intended trust boundary;
|
|
182
|
+
prod-runtime dependency CVE with a known exploit chain reachable
|
|
183
|
+
from request input.
|
|
184
|
+
- **Medium** — weak default reachable from the internet; missing
|
|
185
|
+
defense-in-depth on a production surface; dependency CVEs reachable
|
|
186
|
+
only via narrow paths.
|
|
187
|
+
- **Low / Hygiene** — pseudo-secret committed; dev-only weak
|
|
188
|
+
credentials; stale docs; committed identifiers that are public
|
|
189
|
+
elsewhere anyway.
|
|
190
|
+
|
|
191
|
+
### 4. Per-finding report format
|
|
192
|
+
|
|
193
|
+
- Severity **and the reasoning** behind it (don't just label).
|
|
194
|
+
- Who can reach/read this today (internet / specific IAM principal /
|
|
195
|
+
repo reader / already-public).
|
|
196
|
+
- What capability the value grants.
|
|
197
|
+
- What rotating or fixing actually closes that isn't already closed.
|
|
198
|
+
|
|
199
|
+
### 5. Before recommending rotation or destructive ops
|
|
200
|
+
|
|
201
|
+
Verify the finding is real:
|
|
202
|
+
|
|
203
|
+
1. What does this value actually grant?
|
|
204
|
+
2. Who holds it today?
|
|
205
|
+
3. What does rotation close that isn't already closed by another
|
|
206
|
+
channel?
|
|
207
|
+
|
|
208
|
+
If the answer to (3) is "nothing meaningful", the finding is hygiene,
|
|
209
|
+
not an incident.
|
|
210
|
+
|
|
211
|
+
### 6. Don't apply a public-repo template to a private repo
|
|
212
|
+
|
|
213
|
+
A committed identifier in a private repo and a committed identifier in
|
|
214
|
+
a public repo are not the same finding. Re-check step 1 if the
|
|
215
|
+
severity feels out of proportion to the real exposure — that's usually
|
|
216
|
+
the signal that the threat model drifted.
|
|
217
|
+
|
|
137
218
|
## Test coverage — never regresses
|
|
138
219
|
|
|
139
220
|
When a coverage check fails, the fix is to add tests, not lower
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@precisa-saude/agent-instructions",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.5.0",
|
|
4
4
|
"description": "Shared agent instructions (AGENTS.md) for Precisa Saúde repositories — the single source of truth for cross-repo conventions, consumed by Claude Code and other agent-aware editors via @path imports.",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"agents",
|