devlyn-cli 1.0.0 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CLAUDE.md +1 -1
- package/README.md +1 -0
- package/config/skills/devlyn:auto-resolve/SKILL.md +40 -4
- package/package.json +1 -1
package/CLAUDE.md
CHANGED
|
@@ -56,7 +56,7 @@ For hands-free build-evaluate-polish cycles — works for bugs, features, refact
|
|
|
56
56
|
/devlyn:auto-resolve [task description]
|
|
57
57
|
```
|
|
58
58
|
|
|
59
|
-
This runs the full pipeline automatically: **Build → Evaluate → Fix Loop → Simplify → Review → Clean → Docs**. Each phase runs as a separate subagent with its own context. Communication between phases happens via files (`.claude/done-criteria.md`, `.claude/EVAL-FINDINGS.md`).
|
|
59
|
+
This runs the full pipeline automatically: **Build → Evaluate → Fix Loop → Simplify → Review → Security Review → Clean → Docs**. Each phase runs as a separate subagent with its own context. Communication between phases happens via files (`.claude/done-criteria.md`, `.claude/EVAL-FINDINGS.md`).
|
|
60
60
|
|
|
61
61
|
Optional flags:
|
|
62
62
|
- `--max-rounds 3` — increase max evaluate-fix iterations (default: 2)
|
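Review bot: The new flow line in CLAUDE.md (`Review → Security Review → Clean → Docs`) presents Security Review as an unconditional phase, yet the SKILL.md status banner in this same release marks it optional (`[Security]`) and the phase heading calls it `conditional`. Mirror that here, e.g. `Review → [Security Review] → Clean`, or add a sentence after the flow saying it runs only when security-sensitive files change or `--security-review always` is passed, and list `--security-review` under "Optional flags" next to `--max-rounds`.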
package/README.md
CHANGED
|
@@ -142,6 +142,7 @@ One command runs the full cycle — no human intervention needed:
|
|
|
142
142
|
| **Fix Loop** | If evaluation fails, fixes findings and re-evaluates (up to N rounds) |
|
|
143
143
|
| **Simplify** | Quick cleanup pass for reuse and efficiency |
|
|
144
144
|
| **Review** | Multi-perspective team review |
|
|
145
|
+
| **Security** | Dedicated OWASP-focused audit (auto-detects when changes touch auth, secrets, APIs) |
|
|
145
146
|
| **Clean** | Remove dead code and unused dependencies |
|
|
146
147
|
| **Docs** | Sync documentation with changes |
|
|
147
148
|
|
|
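Review bot: The new `**Security**` row explains auto-detection but gives the reader no way to force or suppress the phase; the `--security-review always|skip` flag defined in SKILL.md belongs in this row, e.g. `Dedicated OWASP-focused audit (auto-detects when changes touch auth, secrets, APIs; force or skip with --security-review always|skip)`. The row label is also `Security` while CLAUDE.md and the phase heading say `Security Review`; one name across the three files keeps the final report unambiguous.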
@@ -17,6 +17,7 @@ $ARGUMENTS
|
|
|
17
17
|
2. Determine optional flags from the input (defaults in parentheses):
|
|
18
18
|
- `--max-rounds N` (2) — max evaluate-fix loops before stopping with a report
|
|
19
19
|
- `--skip-review` (false) — skip team-review phase
|
|
20
|
+
- `--security-review` (auto) — run dedicated security audit. Auto-detects: runs when changes touch auth, secrets, user data, API endpoints, env/config, or crypto. Force with `--security-review always` or skip with `--security-review skip`
|
|
20
21
|
- `--skip-clean` (false) — skip clean phase
|
|
21
22
|
- `--skip-docs` (false) — skip update-docs phase
|
|
22
23
|
|
|
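Review bot: The `--security-review` description promises auto-detection when changes touch `user data`, but the Phase 5 detection rules in this same patch have no filename glob or content pattern for it (the globs cover auth, login, session, token, secret, crypt, password, api, middleware, env, config, permission, role and access; the content patterns cover key, secret, token and password names plus crypto libraries), so a change to a user profile model triggers nothing. Either drop `user data` from the flag text or add a matching rule, and state that matching is case-insensitive, since `*password*` as written would not match `Password.ts`. This flag also takes a value, unlike the boolean `--skip-*` flags; writing it as `--security-review auto|always|skip` (auto) makes that explicit.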
@@ -27,7 +28,7 @@ $ARGUMENTS
|
|
|
27
28
|
```
|
|
28
29
|
Auto-resolve pipeline starting
|
|
29
30
|
Task: [extracted task description]
|
|
30
|
-
Phases: Build → Evaluate → [Fix loop if needed] → Simplify → [Review] → [Clean] → [Docs]
|
|
31
|
+
Phases: Build → Evaluate → [Fix loop if needed] → Simplify → [Review] → [Security] → [Clean] → [Docs]
|
|
31
32
|
Max evaluation rounds: [N]
|
|
32
33
|
```
|
|
33
34
|
|
|
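Review bot: The status banner now lists `[Security]` but, unlike `Max evaluation rounds: [N]`, does not echo the resolved security-review mode, so a run log cannot show whether the phase was skipped by flag or by auto-detection; add a line such as `Security review: [auto / always / skip]` beside the rounds line.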
@@ -174,7 +175,41 @@ Clean up the team after completion.
|
|
|
174
175
|
1. If CRITICAL issues remain unfixed, log a warning in the final report
|
|
175
176
|
2. **Checkpoint**: Run `git add -A && git commit -m "chore(pipeline): review fixes complete"` if there are changes
|
|
176
177
|
|
|
177
|
-
## PHASE 5:
|
|
178
|
+
## PHASE 5: SECURITY REVIEW (conditional)
|
|
179
|
+
|
|
180
|
+
Determine whether to run this phase:
|
|
181
|
+
- If `--security-review always` → run
|
|
182
|
+
- If `--security-review skip` → skip
|
|
183
|
+
- If `--security-review auto` (default) → auto-detect by scanning changed files for security-sensitive patterns:
|
|
184
|
+
- Run `git diff main --name-only` and check for files matching: `*auth*`, `*login*`, `*session*`, `*token*`, `*secret*`, `*crypt*`, `*password*`, `*api*`, `*middleware*`, `*env*`, `*config*`, `*permission*`, `*role*`, `*access*`
|
|
185
|
+
- Also run `git diff main` and scan for patterns: `API_KEY`, `SECRET`, `TOKEN`, `PASSWORD`, `PRIVATE_KEY`, `Bearer`, `jwt`, `bcrypt`, `crypto`, `env.`, `process.env`
|
|
186
|
+
- If any match → run. If no matches → skip and note "Security review skipped — no security-sensitive changes detected."
|
|
187
|
+
|
|
188
|
+
Spawn a subagent using the Agent tool for a dedicated security audit.
|
|
189
|
+
|
|
190
|
+
Agent prompt — pass this to the Agent tool:
|
|
191
|
+
|
|
192
|
+
You are a security auditor performing a dedicated security review. This is NOT a general code review — focus exclusively on security concerns.
|
|
193
|
+
|
|
194
|
+
Examine all recent changes (use `git diff main` to see what changed). For every changed file:
|
|
195
|
+
|
|
196
|
+
1. **Input validation**: Trace every user input from entry point to storage/output. Check for: SQL injection, XSS, command injection, path traversal, SSRF.
|
|
197
|
+
2. **Authentication & authorization**: Are new endpoints properly protected? Are auth checks consistent with existing patterns? Any privilege escalation paths?
|
|
198
|
+
3. **Secrets & credentials**: Grep for hardcoded API keys, tokens, passwords, private keys. Check that secrets come from env vars, not source code. Verify .gitignore covers sensitive files.
|
|
199
|
+
4. **Data exposure**: Are error messages leaking internal details? Are logs capturing sensitive data? Are API responses returning more data than needed?
|
|
200
|
+
5. **Dependencies**: If package.json/requirements.txt changed, run the package manager's audit command (npm audit, pip-audit, etc.).
|
|
201
|
+
6. **CSRF/CORS**: For new endpoints with side effects, verify CSRF protection. Check CORS configuration for overly permissive origins.
|
|
202
|
+
|
|
203
|
+
For each finding, provide: severity (CRITICAL/HIGH/MEDIUM), file:line, OWASP category, description, and suggested fix.
|
|
204
|
+
|
|
205
|
+
Fix any CRITICAL findings directly. For HIGH findings, fix if straightforward, otherwise document clearly.
|
|
206
|
+
|
|
207
|
+
**After the agent completes**:
|
|
208
|
+
1. If CRITICAL issues were found and fixed, this is expected — continue
|
|
209
|
+
2. If CRITICAL issues remain unfixed, log a warning in the final report
|
|
210
|
+
3. **Checkpoint**: Run `git add -A && git commit -m "chore(pipeline): security review complete"` if there are changes
|
|
211
|
+
|
|
212
|
+
## PHASE 6: CLEAN (skippable)
|
|
178
213
|
|
|
179
214
|
Skip if `--skip-clean` was set.
|
|
180
215
|
|
|
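Review bot: The auto-detect step (`git diff main --name-only` and `git diff main`) assumes the pipeline runs on a branch other than `main`; every checkpoint in this file commits with plain `git commit` on the current branch, so when auto-resolve is invoked on `main` itself both diffs are empty, no pattern can match, and the phase reports "no security-sensitive changes detected" regardless of what Build changed. Diff against a base recorded at pipeline start (the HEAD before the Build phase) or the merge-base with the default branch instead of a hard-coded `main`, and treat an empty diff as "cannot determine" rather than "skip". Three smaller points: the globs (`*api*`, `*env*`, `*config*`, `*access*`) and content patterns (`TOKEN`, `crypto`, `env.`) will match a lot of ordinary code, which is the safe direction, but the text should say matching is case-insensitive so `Password.ts` or `apiKey` are not missed on case alone; step 3 of the agent prompt checks that `.gitignore` covers sensitive files, yet the checkpoint afterwards runs `git add -A`, which stages exactly the untracked files that check exists to catch, so the agent should report such files and the checkpoint should use `git add -u` or exclude them; and "If CRITICAL issues remain unfixed, log a warning" lets an unfixed CRITICAL security finding flow straight into Clean and Docs, so consider stopping the pipeline (or at least the remaining checkpoints) in that case. The agent is also told to "document clearly" HIGH findings with no output file named, while other phases hand off through `.claude/EVAL-FINDINGS.md`; naming a file (e.g. `.claude/SECURITY-FINDINGS.md`) gives the final report something concrete to read, and the dependency step should include lockfiles (package-lock.json, yarn.lock) alongside package.json/requirements.txt, since that is where resolved versions actually change.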
@@ -187,7 +222,7 @@ Scan the codebase for dead code, unused dependencies, and code hygiene issues in
|
|
|
187
222
|
**After the agent completes**:
|
|
188
223
|
1. **Checkpoint**: Run `git add -A && git commit -m "chore(pipeline): cleanup complete"` if there are changes
|
|
189
224
|
|
|
190
|
-
## PHASE
|
|
225
|
+
## PHASE 7: DOCS (skippable)
|
|
191
226
|
|
|
192
227
|
Skip if `--skip-docs` was set.
|
|
193
228
|
|
|
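Review bot: The renumbering to `PHASE 7: DOCS` (and `PHASE 6: CLEAN` in the hunk above) is consistent with inserting the new Phase 5, but the removed heading lines are truncated in this rendering (`## PHASE`), so the old numbers cannot be confirmed here; please check the rest of SKILL.md, and the `--skip-clean` / `--skip-docs` text, for any remaining references to the old phase numbers.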
@@ -200,7 +235,7 @@ Synchronize documentation with recent code changes. Use `git log --oneline -20`
|
|
|
200
235
|
**After the agent completes**:
|
|
201
236
|
1. **Checkpoint**: Run `git add -A && git commit -m "chore(pipeline): docs updated"` if there are changes
|
|
202
237
|
|
|
203
|
-
## PHASE
|
|
238
|
+
## PHASE 8: FINAL REPORT
|
|
204
239
|
|
|
205
240
|
After all phases complete:
|
|
206
241
|
|
|
@@ -225,6 +260,7 @@ After all phases complete:
|
|
|
225
260
|
| Fix rounds | [N rounds / skipped] | [what was fixed] |
|
|
226
261
|
| Simplify | [completed / skipped] | [changes made] |
|
|
227
262
|
| Review (team-review) | [completed / skipped] | [findings summary] |
|
|
263
|
+
| Security review | [completed / skipped / auto-skipped] | [findings or "no security-sensitive changes"] |
|
|
228
264
|
| Clean | [completed / skipped] | [items cleaned] |
|
|
229
265
|
| Docs (update-docs) | [completed / skipped] | [docs updated] |
|
|
230
266
|
|
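Review bot: The new `Security review` row records `completed / skipped / auto-skipped`, but nothing in the third column carries the count of CRITICAL findings left unfixed, which Phase 5 step 2 only logs as a warning; make that count part of the row (e.g. `[N critical unfixed / N fixed / "no security-sensitive changes"]`) so a reader of the final report sees an unresolved security issue without scrolling back through the log. When auto-skipped, stating the detection basis (no matching files in `git diff main --name-only`) next to the status also makes the skip auditable.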