compound-agent 1.7.6 → 2.0.0

package/docs/research/security/data-exposure.md

@@ -1,185 +0,0 @@
-# Data Exposure Patterns
-
-*February 23, 2026*
-
-Reference for AI agents reviewing code for sensitive data leakage.
-Derived from [secure-coding-failure.md](secure-coding-failure.md) section 4.8.
-
----
-
-## PII in Logs
-
-Logging calls that dump unfiltered request data or user records.
-
-### Unsafe patterns
-
-```typescript
-// Logging entire request body (may contain passwords, tokens, PII)
-console.log('Request:', req.body);
-logger.info('User login', { body: req.body });
-
-// Logging user records with sensitive fields
-logger.info('User fetched', user);  // user object may include password_hash
-
-// Logging authorization headers
-console.log('Headers:', req.headers);  // includes Authorization: Bearer ...
-```
-
-```python
-# Logging full request object
-logging.info("Request: %s", request.json)
-
-# Logging user record
-logger.info("User: %s", user.__dict__)
-```
-
-### Safe patterns
-
-```typescript
-// Log only what you need
-logger.info('User login', { userId: req.body.userId });
-
-// Explicitly exclude sensitive fields
-const { password, ...safeBody } = req.body;
-logger.info('Request:', safeBody);
-```
-
-```python
-# Log specific fields only
-logger.info("User login: user_id=%s", request.json.get("user_id"))
-```
-
----
-
-## Verbose Error Responses
-
-Stack traces and internal details sent to clients.
-
-### Unsafe patterns
-
-```typescript
-// Stack trace sent to client
-app.use((err, req, res, next) => {
-  res.status(500).json({ error: err.message, stack: err.stack });
-});
-
-// DB connection string in error
-catch (err) {
-  res.status(500).json({ error: `DB error: ${err.message}` });
-  // err.message may contain: "connection to postgres://user:pass@host:5432 failed"
-}
-```
-
-```python
-# Django DEBUG=True in production exposes full stack traces and settings
-# Flask returning exception details
-@app.errorhandler(500)
-def handle_error(e):
-    return {"error": str(e), "trace": traceback.format_exc()}, 500
-```
-
-### Safe patterns
-
-```typescript
-// Generic error to client, detailed error to logs
-app.use((err, req, res, next) => {
-  logger.error('Internal error', { error: err.message, stack: err.stack });
-  res.status(500).json({ error: 'Internal server error' });
-});
-```
-
-```python
-@app.errorhandler(500)
-def handle_error(e):
-    app.logger.error("Internal error: %s", e)
-    return {"error": "Internal server error"}, 500
-```
-
----
-
-## Sensitive Data in URLs
-
-Tokens and PII in query parameters leak through referrer headers, browser history,
-server logs, and proxy logs -- even with TLS.
-
-### Unsafe patterns
-
-```typescript
-// Token in query string
-app.get('/api/verify?token=abc123', verifyEmail);
-// Leaks in: server access logs, browser history, Referer header
-
-// PII in URL
-app.get('/api/users?email=user@example.com', findUser);
-```
-
-### Safe patterns
-
-```typescript
-// Token in request body or header
-app.post('/api/verify', verifyEmail);  // token in POST body
-
-// Use path params for non-sensitive IDs only; sensitive data in body/headers
-app.get('/api/users/:id', findUser);  // opaque ID, not email
-```
-
----
-
-## Overly Broad API Responses
-
-Returning full database records instead of selecting specific fields.
-
-### Unsafe patterns
-
-```typescript
-// Returns entire user record including internal fields
-app.get('/api/users/:id', async (req, res) => {
-  const user = await db.get('SELECT * FROM users WHERE id = ?', [req.params.id]);
-  res.json(user);
-  // Response includes: password_hash, internal_id, created_by_admin, etc.
-});
-```
-
-```python
-# Django serializer with all fields
-class UserSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = User
-        fields = '__all__'  # includes password_hash, is_superuser, etc.
-```
-
-### Safe patterns
-
-```typescript
-// Select only needed fields
-const user = await db.get(
-  'SELECT id, name, email FROM users WHERE id = ?',
-  [req.params.id]
-);
-res.json(user);
-```
-
-```python
-class UserSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = User
-        fields = ['id', 'name', 'email']
-```
-
----
-
-## Detection Heuristics
-
-| Pattern to match | What it indicates | Severity |
-|-----------------|-------------------|----------|
-| `console.log(req.body)`, `console.log(req.headers)` | PII/credentials in logs | P2 |
-| `logger.info(user)`, `logger.info(request.json)` | Unfiltered record in logs | P2 |
-| Error handler returning `err.stack` or `err.message` to response | Internal details exposed to client | P2 |
-| `DEBUG = True` in production config | Full stack traces and settings exposed | P1 |
-| Query params named `token`, `key`, `auth`, `password`, `secret` | Sensitive data in URL | P2 |
-| `SELECT * FROM` in API handler without field filtering before response | Overly broad response | P3 |
-| `fields = '__all__'` in serializer for user-facing API | Internal fields in response | P2 |
-
-## Source
-
-Derived from [secure-coding-failure.md](secure-coding-failure.md) section 4.8.

package/docs/research/security/dependency-security.md

@@ -1,91 +0,0 @@
-# Dependency Security Reference
-
-*February 23, 2026*
-
-Reference for AI agents reviewing dependency changes and supply chain risk.
-Derived from [secure-coding-failure.md](secure-coding-failure.md) section 4.9.
-
----
-
-## Risk Model
-
-### Direct Dependencies
-- Explicitly chosen by the project (listed in `package.json`, `pyproject.toml`, etc.).
-- Developer has evaluated fitness and should track updates.
-
-### Transitive Dependencies
-- Pulled in by direct deps. Often invisible to the developer.
-- A vulnerability in a transitive dep can be exploitable even if the direct dep's API seems safe.
-- Transitive deps are the primary source of surprise CVEs.
-
----
-
-## Audit Tools
-
-| Ecosystem | Tool | Command |
-|-----------|------|---------|
-| Node.js / pnpm | pnpm audit | `pnpm audit` |
-| Node.js / npm | npm audit | `npm audit` |
-| Node.js / yarn | yarn audit | `yarn audit` |
-| Python | pip-audit | `pip-audit` |
-| Python | safety | `safety check` |
-| Multi-language | Snyk | `snyk test` |
-| Multi-language | Trivy | `trivy fs .` |
-
-Run the appropriate audit command during CI and before merging dependency changes.
-
----
-
-## Risky Patterns to Flag
-
-### Pinned Old Major Versions
-- Direct dependency 3+ major versions behind latest.
-- Older major versions often stop receiving security patches.
-- Flag and recommend evaluating upgrade feasibility.
-
-### Unmaintained Packages
-- No commits or releases in 2+ years.
-- No response to open security issues.
-- Consider whether a maintained alternative exists.
-
-### Packages with postinstall Scripts
-- `postinstall` (and `preinstall`, `install`) scripts execute arbitrary code during `npm install` / `pnpm install`.
-- A compromised or malicious package can use this to exfiltrate secrets or modify the filesystem.
-- Flag any newly added dependency that includes lifecycle scripts.
-
-### Typosquat Risk
-- New or unfamiliar packages with names similar to popular packages.
-- Check download counts, repository links, and publisher history.
-- Examples: `lodahs` vs `lodash`, `coolor` vs `color`.
-
----
-
-## What to Check on Lockfile Changes
-
-When a PR modifies `pnpm-lock.yaml`, `package-lock.json`, `yarn.lock`, or
-`requirements.txt` / `poetry.lock`, review the following:
-
-| Change | Question | Risk |
-|--------|----------|------|
-| New direct dependency | Was this intentional and discussed? | Supply chain expansion |
-| Version downgrade | Why was a version lowered? | May reintroduce patched CVE |
-| New postinstall script | Does the new dep run code at install time? | Arbitrary code execution |
-| Removed integrity hashes | Were `integrity` / `hash` fields deleted? | Tamper detection weakened |
-| Large transitive tree addition | Does the new dep pull in many transitive deps? | Expanded attack surface |
-| Dependency removed | Was the removal intentional? | May break functionality or remove security fix |
-
----
-
-## Triage Rules
-
-| Condition | Severity |
-|-----------|----------|
-| Known CVE with active exploitation and RCE impact | P0 |
-| Known CVE with high CVSS but no known active exploitation | P1 |
-| Outdated dep, no known CVE but unmaintained | P2 |
-| Missing audit in CI pipeline | P3 |
-| New dep with postinstall script, no prior discussion | P2 |
-
-## Source
-
-Derived from [secure-coding-failure.md](secure-coding-failure.md) section 4.9.

package/docs/research/security/injection-patterns.md

@@ -1,249 +0,0 @@
-# Injection Pattern Reference
-
-*February 23, 2026*
-
-Actionable patterns for detecting injection vulnerabilities during code review.
-Covers SQL, Command, XSS, SSRF, and SSTI (survey sections 4.1-4.5).
-
----
-
-## SQL Injection (OWASP A03 -- P0/P1)
-
-### Unsafe -- JS/TS
-```typescript
-// Template literal interpolation into SQL
-const q = `SELECT * FROM users WHERE id = ${req.query.id}`;
-db.query(q);
-
-// String concatenation into SQL
-db.query('SELECT * FROM users WHERE name = \'' + name + '\'');
-```
-
-### Safe -- JS/TS
-```typescript
-// Parameterized query
-db.query('SELECT * FROM users WHERE id = $1', [req.query.id]);
-
-// ORM with bound parameters (Knex example)
-knex('users').where({ id: req.query.id });
-```
-
-### better-sqlite3 (project-specific)
-```typescript
-// UNSAFE: db.exec() has NO parameterization support
-db.exec(`INSERT INTO items VALUES ('${userInput}')`);  // P0
-
-// SAFE: Use db.prepare().run() with bound parameters
-db.prepare('INSERT INTO items VALUES (?)').run(userInput);
-```
-
-### Unsafe -- Python
-```python
-# f-string in SQL
-cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
-
-# Percent formatting in SQL
-cursor.execute("SELECT * FROM users WHERE id = %s" % user_id)
-```
-
-### Safe -- Python
-```python
-# Parameterized query
-cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
-
-# ORM (SQLAlchemy)
-session.query(User).filter(User.id == user_id).first()
-```
-
----
-
-## Command Injection (OWASP A03 -- P0)
-
-### Unsafe -- JS/TS
-```typescript
-// exec invokes shell, allows metacharacter injection
-const { exec } = require('child_process');
-exec('convert ' + req.query.file + ' output.png');
-```
-
-### Safe -- JS/TS
-```typescript
-// execFile bypasses shell, arguments are array elements
-const { execFile } = require('child_process');
-execFile('convert', [req.query.file, 'output.png']);
-
-// spawn with explicit args array
-const { spawn } = require('child_process');
-spawn('convert', [req.query.file, 'output.png']);
-```
-
-### Unsafe -- Python
-```python
-# shell=True allows metacharacter injection
-import subprocess
-subprocess.run("tar xf " + archive_name, shell=True)
-
-# os.system always invokes shell
-import os
-os.system("tar xf " + archive_name)
-```
-
-### Safe -- Python
-```python
-# shell=False (default), args as list
-import subprocess
-subprocess.run(["tar", "xf", archive_name])
-
-# shlex.quote if shell is unavoidable (rare, last resort)
-import shlex
-subprocess.run(f"tar xf {shlex.quote(archive_name)}", shell=True)
-```
-
----
-
-## Cross-Site Scripting / XSS (OWASP A03 -- P1)
-
-### Unsafe -- JS/TS
-```typescript
-// Direct innerHTML assignment
-element.innerHTML = userInput;
-
-// Raw HTML in response
-res.send('<div>' + req.query.name + '</div>');
-
-// React escape hatch
-<div dangerouslySetInnerHTML={{ __html: userInput }} />
-
-// Vue escape hatch
-<div v-html="userInput"></div>
-```
-
-### Safe -- JS/TS
-```typescript
-// textContent does not parse HTML
-element.textContent = userInput;
-
-// Framework auto-escaping (React default)
-<div>{userInput}</div>
-
-// DOMPurify for cases requiring HTML
-import DOMPurify from 'dompurify';
-element.innerHTML = DOMPurify.sanitize(userInput);
-```
-
-### Unsafe -- Python (Jinja2/Django)
-```python
-# Marking user input as safe bypasses auto-escaping
-{{ user_input | safe }}
-
-# Disabling auto-escape globally
-app.jinja_env.autoescape = False
-```
-
-### Safe -- Python (Jinja2/Django)
-```python
-# Default auto-escaping (leave it enabled)
-{{ user_input }}
-
-# Explicit escaping if autoescape is off for some reason
-{{ user_input | e }}
-```
-
----
-
-## Server-Side Request Forgery / SSRF (OWASP A10 -- P1, escalate to P0 for cloud metadata)
-
-### Unsafe -- JS/TS
-```typescript
-// User-controlled URL passed directly to HTTP client
-const response = await axios.get(req.query.url);
-```
-
-### Safe -- JS/TS
-```typescript
-// Allowlist validation before request
-const ALLOWED_HOSTS = new Set(['api.example.com', 'cdn.example.com']);
-const parsed = new URL(req.query.url);
-if (!ALLOWED_HOSTS.has(parsed.hostname)) {
-  return res.status(400).json({ error: 'Host not allowed' });
-}
-const response = await axios.get(parsed.toString());
-```
-
-### Unsafe -- Python
-```python
-# User-controlled URL with no validation
-import requests
-resp = requests.get(request.args['url'])
-```
-
-### Safe -- Python
-```python
-# Allowlist validation
-from urllib.parse import urlparse
-
-ALLOWED_HOSTS = {'api.example.com', 'cdn.example.com'}
-parsed = urlparse(request.args['url'])
-if parsed.hostname not in ALLOWED_HOSTS:
-    abort(400, 'Host not allowed')
-resp = requests.get(request.args['url'])
-```
-
----
-
-## Server-Side Template Injection / SSTI (OWASP A03 -- P0)
-
-### Unsafe -- JS/TS (Nunjucks example)
-```typescript
-// User input as template source -- attacker controls template syntax
-const nunjucks = require('nunjucks');
-const output = nunjucks.renderString(req.body.template, { data: someData });
-```
-
-### Safe -- JS/TS
-```typescript
-// User input as data only, template is a constant
-const nunjucks = require('nunjucks');
-const output = nunjucks.render('page.njk', { data: req.body.data });
-```
-
-### Unsafe -- Python (Jinja2)
-```python
-# User input compiled as template source
-from jinja2 import Template
-output = Template(user_input).render()
-```
-
-### Safe -- Python (Jinja2)
-```python
-# Constant template, user input as render data only
-from jinja2 import Template
-output = Template("Hello {{ name }}").render(name=user_input)
-
-# Or use SandboxedEnvironment for extra protection
-from jinja2.sandbox import SandboxedEnvironment
-env = SandboxedEnvironment()
-template = env.from_string("Hello {{ name }}")
-output = template.render(name=user_input)
-```
-
----
-
-## Detection Heuristics Summary
-
-| API / Pattern | Language | Risk Level | Injection Type |
-|---------------|----------|------------|----------------|
-| `db.query` with template literal or concat | JS/TS | HIGH | SQL |
-| `cursor.execute` with f-string or `%` format | Python | HIGH | SQL |
-| `child_process.exec` with user input | JS/TS | HIGH | Command |
-| `os.system`, `subprocess.run(..., shell=True)` with user input | Python | HIGH | Command |
-| `innerHTML` assignment from user input | JS/TS | MEDIUM | XSS |
-| `dangerouslySetInnerHTML`, `v-html` | JS/TS | MEDIUM | XSS |
-| `{{ var \| safe }}` with user-sourced var | Python | MEDIUM | XSS |
-| `axios.get(req.query.url)`, `requests.get(user_url)` | Both | HIGH | SSRF |
-| `Template(user_input)` or `renderString(user_input, ...)` | Both | HIGH | SSTI |
-| `eval()`, `new Function()` with user input | JS/TS | HIGH | Code injection |
-
-## Source
-
-Derived from [secure-coding-failure.md](secure-coding-failure.md) sections 4.1-4.5.

package/docs/research/security/overview.md

@@ -1,81 +0,0 @@
-# Security Review Overview
-
-*February 23, 2026*
-
-Quick-reference guide for AI code review agents performing security triage.
-Distilled from [secure-coding-failure.md](secure-coding-failure.md) (survey section 4.10).
-
-## Severity Classification
-
-| Level | Label | Description | Examples |
-|-------|-------|-------------|----------|
-| **P0** | Critical | Unauthenticated RCE, credential compromise, mass data breach | Unauth command injection, leaked production DB credentials, unauth SQL injection yielding full table dump |
-| **P1** | High | Auth-required exploit, targeted data breach, privilege escalation | Authenticated SQLi, IDOR exposing other users' data, JWT signature bypass |
-| **P2** | Medium | Harder to exploit, limited blast radius | Reflected XSS requiring user interaction, SSRF blocked by network policy but code-level vuln present |
-| **P3** | Hardening | Best practice gap, defense-in-depth improvement | Missing rate limiting, verbose error messages in staging, outdated dep with no known exploit path |
-
-## OWASP Category to Default Severity
-
-| OWASP Category | Default Severity | Escalation Condition |
-|----------------|-----------------|----------------------|
-| A01 Broken Access Control | P1 | Escalate to P0 if unauthenticated access to admin or sensitive data |
-| A02 Cryptographic Failures | P1 | Escalate to P0 if plaintext credentials stored or transmitted |
-| A03 Injection (SQL/Cmd/XSS/SSTI) | P0 (RCE) or P1 (data-only) | P0 if command/template injection yields RCE; P1 if SQLi yields data leak only |
-| A04 Insecure Design | P2 | Escalate to P1 if missing security controls enable auth bypass |
-| A05 Security Misconfiguration | P2 | Escalate to P1 if default credentials or debug mode exposed in production |
-| A06 Vulnerable Components | P2 | Escalate to P0/P1 if CVE is actively exploited or yields RCE |
-| A07 Auth Failures | P1 | Escalate to P0 if credential stuffing or brute force is trivially possible |
-| A08 Software/Data Integrity Failures | P2 | Escalate to P0 if CI/CD pipeline compromise or unsigned updates possible |
-| A09 Security Logging Failures | P3 | Escalate to P2 if no logging on auth events or admin actions |
-| A10 SSRF | P1 | Escalate to P0 if cloud metadata endpoint (169.254.169.254) is reachable |
-
-## Escalation Triggers
-
-When the review agent detects one of the following patterns, it should invoke the
-corresponding specialist skill for deeper analysis.
-
-### /security-injection
-Trigger when:
-- String concatenation or template interpolation inside a SQL query
-- `child_process.exec` or `os.system` called with user-derived arguments
-- Template engine receives user input as the template source (not data)
-
-### /security-secrets
-Trigger when:
-- Hardcoded strings matching API key or token patterns (see [secrets-checklist.md](secrets-checklist.md))
-- `.env` files tracked in git
-- Variables named `password`, `secret`, `token`, `apiKey` assigned string literals
-
-### /security-auth
-Trigger when:
-- Route handlers missing auth middleware present on sibling routes
-- Database queries using user-supplied IDs without ownership filter
-- CORS configured with `origin: '*'` alongside `credentials: true`
-
-### /security-data
-Trigger when:
-- Logging calls receive entire request objects (`console.log(req.body)`)
-- Error handlers pass `err.stack` or `err.message` directly to HTTP response
-- Tokens or PII appear in URL query parameters
-
-### /security-deps
-Trigger when:
-- Lockfile changes introduce new direct dependencies
-- Package version downgrades appear in diffs
-- Packages with `postinstall` scripts are added
-- Dependencies are 3+ major versions behind latest
-
-## Domain-Specific References
-
-| Domain | Reference Document |
-|--------|--------------------|
-| Injection (SQL, Cmd, XSS, SSRF, SSTI) | [injection-patterns.md](injection-patterns.md) |
-| Secrets and credentials | [secrets-checklist.md](secrets-checklist.md) |
-| Authentication and authorization | [auth-patterns.md](auth-patterns.md) |
-| Data exposure and logging | [data-exposure.md](data-exposure.md) |
-| Dependency and supply chain | [dependency-security.md](dependency-security.md) |
-
-## Source
-
-All patterns derived from the research survey:
-[secure-coding-failure.md](secure-coding-failure.md) -- sections 4.1-4.10 and comparative synthesis.

package/docs/research/security/secrets-checklist.md

@@ -1,92 +0,0 @@
-# Secrets Detection Checklist
-
-*February 23, 2026*
-
-Reference for AI agents performing secret detection during code review.
-Derived from [secure-coding-failure.md](secure-coding-failure.md) section 4.6.
-
----
-
-## What Counts as a Secret
-
-**Flag these:**
-- API keys and access tokens (AWS, GCP, Azure, GitHub, Slack, Stripe, etc.)
-- Passwords and passphrases
-- Private keys (RSA, EC, PGP)
-- Database connection strings with credentials
-- JWT signing secrets
-- Webhook secrets and HMAC keys
-- OAuth client secrets
-
-**Ignore these (not secrets):**
-- Test fixtures prefixed with `test_`, `fake_`, `mock_`, `dummy_`
-- Example placeholders: `YOUR_API_KEY_HERE`, `xxx`, `changeme`, `REPLACE_ME`
-- Public keys (designed to be shared)
-- Hash algorithm names or constants (`sha256`, `aes-256-cbc`)
-- Empty strings assigned to secret-named variables (skeleton config)
-
----
-
-## Common Hiding Spots
-
-| Location | Detection Method |
-|----------|-----------------|
-| Source code (`.ts`, `.js`, `.py`) | Scan string literals and variable assignments |
-| `.env` files committed to git | Check if `.env` is tracked (should be in `.gitignore`) |
-| CI/CD config (`.github/workflows/*.yml`, `.gitlab-ci.yml`) | Scan for inline secrets vs `${{ secrets.X }}` references |
-| Docker files (`Dockerfile`, `docker-compose.yml`) | Check `ENV` and `ARG` directives for credential values |
-| Git history | Secrets removed from HEAD may persist in older commits |
-| Config files (`config.json`, `settings.py`) | Scan for credential fields with literal values |
-
----
-
-## Known Key Format Patterns
-
-| Provider / Type | Regex Pattern |
-|----------------|---------------|
-| AWS Access Key | `AKIA[0-9A-Z]{16}` |
-| AWS Secret Key | 40-char base64 string near `aws_secret_access_key` |
-| GitHub PAT | `ghp_[a-zA-Z0-9]{36}` |
-| GitHub OAuth | `gho_[a-zA-Z0-9]{36}` |
-| GitHub App | `ghs_[a-zA-Z0-9]{36}` |
-| Slack Bot Token | `xoxb-[0-9]+-[0-9a-zA-Z]+` |
-| Slack User Token | `xoxp-[0-9]+-[0-9a-zA-Z]+` |
-| Stripe Secret Key | `sk_live_[a-zA-Z0-9]{24,}` |
-| Stripe Publishable | `pk_live_[a-zA-Z0-9]{24,}` (lower risk, still flag) |
-| Google API Key | `AIza[0-9A-Za-z_-]{35}` |
-| Private Key Header | `-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----` |
-| Generic high-entropy | 20+ chars, mixed case + digits + special, not a known non-secret format |
-
----
-
-## Variable Name Patterns to Flag
-
-Scan assignment targets and object property names for these patterns (case-insensitive):
-
-- `password`, `passwd`, `pwd`
-- `secret`, `secret_key`, `secretKey`
-- `token`, `access_token`, `accessToken`, `auth_token`
-- `api_key`, `apiKey`, `api_secret`
-- `credential`, `credentials`
-- `private_key`, `privateKey`
-- `connection_string`, `connectionString`, `database_url`, `databaseUrl`
-- `signing_key`, `signingKey`, `hmac_key`
-
-When a flagged variable name is assigned a string literal (not an env var reference or
-placeholder), report it. If the value also matches a known key pattern, escalate to P0.
-
----
-
-## Triage Rules
-
-| Condition | Severity |
-|-----------|----------|
-| Known provider key format + production context | P0 |
-| Generic high-entropy string in secret-named variable | P1 |
-| `.env` file committed with credential values | P1 |
-| Secret in CI config as inline value (not a secret ref) | P1 |
-| Secret-named variable assigned a placeholder or empty string | P3 (informational) |
-
-## Source
-
-Derived from [secure-coding-failure.md](secure-coding-failure.md) section 4.6.