@precisa-saude/agent-instructions 1.4.0 → 1.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/AGENTS.md +81 -0
  2. package/package.json +1 -1
package/AGENTS.md CHANGED
@@ -134,6 +134,87 @@ plan exactly or ask before deviating.
134
134
  3. **Never silently substitute** a simpler implementation for what was
135
135
  agreed.
136
136
 
137
+ ## Security audit protocol
138
+
139
+ When asked to run a security audit or classify a security finding,
140
+ establish the threat model **before** labelling severity. "Committed
141
+ in git" is not a severity on its own — it depends on who can read the
142
+ git history and what the value actually grants.
143
+
144
+ ### 1. Check repo visibility first
145
+
146
+ ```bash
147
+ gh repo view --json visibility -q .visibility
148
+ ```
149
+
150
+ (Run from the repo root; `gh` infers the repo from the git remote.
151
+ Returns `PUBLIC` or `PRIVATE`.)
152
+
153
+ - **Public**: committed values are real leaks. The world can read git
154
+ history, including past revisions after rotation. Severity should
155
+ reflect that reach.
156
+ - **Private**: committed values are readable only by repo
157
+ collaborators + the forge. That's a hygiene concern, not
158
+ exfiltration. Don't classify as a breach.
159
+
160
+ ### 2. Distinguish three categories before rating severity
161
+
162
+ - **Real secret** — grants capabilities the attacker doesn't already
163
+ have. Rotation actually closes something. Examples: server-side API
164
+ keys, OAuth client secrets, signing keys, database credentials,
165
+ private keys.
166
+ - **Pseudo-secret** — looks sensitive but ships publicly by design.
167
+ Already reachable via the client bundle, DNS, npm registry, or prod
168
+ HTML. Rotation doesn't reduce reach. Examples: anything intended for
169
+ browser bundles (e.g. `VITE_*`, `NEXT_PUBLIC_*`), identifiers used
170
+ only to route auth challenges, error-reporting DSNs, read-only
171
+ frontend tokens from the tech stack.
172
+ - **Hygiene debt** — a pattern that invites future mistakes without
173
+ currently being a breach. Worth fixing, but don't label Critical.
174
+ Examples: dev-only `.env` tracked, weak dev credentials, docs out
175
+ of sync with reality.
176
+
177
+ ### 3. Calibrate severity to reachability × capability
178
+
179
+ - **Critical** — active exploitation path to prod user data, auth
180
+ bypass, or RCE reachable from the internet.
181
+ - **High** — real secret exposed past its intended trust boundary;
182
+ prod-runtime dependency CVE with a known exploit chain reachable
183
+ from request input.
184
+ - **Medium** — weak default reachable from the internet; missing
185
+ defense-in-depth on a production surface; dependency CVEs reachable
186
+ only via narrow paths.
187
+ - **Low / Hygiene** — pseudo-secret committed; dev-only weak
188
+ credentials; stale docs; committed identifiers that are public
189
+ elsewhere anyway.
190
+
191
+ ### 4. Per-finding report format
192
+
193
+ - Severity **and the reasoning** behind it (don't just label).
194
+ - Who can reach/read this today (internet / specific IAM principal /
195
+ repo reader / already-public).
196
+ - What capability the value grants.
197
+ - What rotating or fixing actually closes that isn't already closed.
198
+
199
+ ### 5. Before recommending rotation or destructive ops
200
+
201
+ Verify the finding is real:
202
+
203
+ 1. What does this value actually grant?
204
+ 2. Who holds it today?
205
+ 3. What does rotation close that isn't already closed by another
206
+ channel?
207
+
208
+ If the answer to (3) is "nothing meaningful", the finding is hygiene,
209
+ not an incident.
210
+
211
+ ### 6. Don't apply a public-repo template to a private repo
212
+
213
+ A committed identifier in a private repo and a committed identifier in
214
+ a public repo are not the same finding. Re-check step 1 if the
215
+ severity feels out of proportion to the real exposure — that's usually
216
+ the signal that the threat model drifted.
217
+
137
218
  ## Test coverage — never regresses
138
219
 
139
220
  When a coverage check fails, the fix is to add tests, not lower
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@precisa-saude/agent-instructions",
3
- "version": "1.4.0",
3
+ "version": "1.5.1",
4
4
  "description": "Shared agent instructions (AGENTS.md) for Precisa Saúde repositories — the single source of truth for cross-repo conventions, consumed by Claude Code and other agent-aware editors via @path imports.",
5
5
  "keywords": [
6
6
  "agents",