6b153ca3cb
Two recent platform-level security changes (#319 channel_config encryption, #337 constant-time webhook_secret compare) were not reflected in the Security Auditor's system prompt or the schedule cron prompt. That meant the auditor wouldn't proactively look for the *next* instance of either class — a new credential field added to channel_config without being added to sensitiveFields, or a new secret comparison using raw `!=`, would slip through until a human happened to notice. Updated two files: 1. org-templates/molecule-dev/security-auditor/system-prompt.md Added two bullets to "What You Check": - Secret comparisons must use subtle.ConstantTimeCompare / crypto.timingSafeEqual (cites #337 as the repo's recent instance) - Secret storage at rest: any new channel_config credential field must be added to sensitiveFields and exercised in both the Encrypt (write) and Decrypt (read) boundary helpers, and the ec1: prefix must never leak into API responses (cites #319) 2. org-templates/molecule-dev/org.yaml Same two checks added to the Security Auditor's 12-hour cron prompt's "MANUAL REVIEW of every changed file" section. Wording is concrete enough to paste into a grep: "flag any `!=` / `==` / bytes.Equal against a user-supplied value that gates auth". Pure config / prompt — no code changes, no tests to write. YAML parse verified, TestPlugins_UnionWithDefaults still passes. Closes #342 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| free-beats-all | ||
| medo-smoke | ||
| molecule-dev | ||
| molecule-worker-gemini | ||
| reno-stars | ||