Initial import from garrytan/gstack@026751e (main snapshot via local relay)
Some checks failed
Workflow Lint / actionlint (push) Has been cancelled
Build CI Image / build (push) Has been cancelled
Skill Docs Freshness / check-freshness (push) Has been cancelled
Periodic Evals / build-image (push) Has been cancelled
Periodic Evals / evals (map[file:test/codex-e2e.test.ts name:e2e-codex]) (push) Has been cancelled
Periodic Evals / evals (map[file:test/gemini-e2e.test.ts name:e2e-gemini]) (push) Has been cancelled
Periodic Evals / evals (map[file:test/skill-e2e-design.test.ts name:e2e-design]) (push) Has been cancelled
Periodic Evals / evals (map[file:test/skill-e2e-plan.test.ts name:e2e-plan]) (push) Has been cancelled
Periodic Evals / evals (map[file:test/skill-e2e-qa-bugs.test.ts name:e2e-qa-bugs]) (push) Has been cancelled
Periodic Evals / evals (map[file:test/skill-e2e-qa-workflow.test.ts name:e2e-qa-workflow]) (push) Has been cancelled
Periodic Evals / evals (map[file:test/skill-e2e-review.test.ts name:e2e-review]) (push) Has been cancelled
Periodic Evals / evals (map[file:test/skill-e2e-workflow.test.ts name:e2e-workflow]) (push) Has been cancelled
Periodic Evals / evals (map[file:test/skill-routing-e2e.test.ts name:e2e-routing]) (push) Has been cancelled
Some checks failed
Workflow Lint / actionlint (push) Has been cancelled
Build CI Image / build (push) Has been cancelled
Skill Docs Freshness / check-freshness (push) Has been cancelled
Periodic Evals / build-image (push) Has been cancelled
Periodic Evals / evals (map[file:test/codex-e2e.test.ts name:e2e-codex]) (push) Has been cancelled
Periodic Evals / evals (map[file:test/gemini-e2e.test.ts name:e2e-gemini]) (push) Has been cancelled
Periodic Evals / evals (map[file:test/skill-e2e-design.test.ts name:e2e-design]) (push) Has been cancelled
Periodic Evals / evals (map[file:test/skill-e2e-plan.test.ts name:e2e-plan]) (push) Has been cancelled
Periodic Evals / evals (map[file:test/skill-e2e-qa-bugs.test.ts name:e2e-qa-bugs]) (push) Has been cancelled
Periodic Evals / evals (map[file:test/skill-e2e-qa-workflow.test.ts name:e2e-qa-workflow]) (push) Has been cancelled
Periodic Evals / evals (map[file:test/skill-e2e-review.test.ts name:e2e-review]) (push) Has been cancelled
Periodic Evals / evals (map[file:test/skill-e2e-workflow.test.ts name:e2e-workflow]) (push) Has been cancelled
Periodic Evals / evals (map[file:test/skill-routing-e2e.test.ts name:e2e-routing]) (push) Has been cancelled
Source: https://github.com/garrytan/gstack/commit/026751e
This commit is contained in:
Rocky
45
review/specialists/red-team.md
Normal file
45
review/specialists/red-team.md
Normal file
@@ -0,0 +1,45 @@
|
||||
# Red Team Review
|
||||
|
||||
Scope: When diff > 200 lines OR security specialist found CRITICAL findings. Runs AFTER other specialists.
|
||||
Output: JSON objects, one finding per line. Schema:
|
||||
{"severity":"CRITICAL|INFORMATIONAL","confidence":N,"path":"file","line":N,"category":"red-team","summary":"...","fix":"...","fingerprint":"path:line:red-team","specialist":"red-team"}
|
||||
Optional: line, fix, fingerprint, evidence, test_stub.
|
||||
If no findings: output `NO FINDINGS` and nothing else.
|
||||
|
||||
---
|
||||
|
||||
This is NOT a checklist review. This is adversarial analysis.
|
||||
|
||||
You have access to the other specialists' findings (provided in your prompt). Your job is to find what they MISSED. Think like an attacker, a chaos engineer, and a hostile QA tester simultaneously.
|
||||
|
||||
## Approach
|
||||
|
||||
### 1. Attack the Happy Path
|
||||
- What happens when the system is under 10x normal load?
|
||||
- What happens when two requests hit the same resource simultaneously?
|
||||
- What happens when the database is slow (>5s query time)?
|
||||
- What happens when an external service returns garbage?
|
||||
|
||||
### 2. Find the Silent Failures
|
||||
- Error handling that swallows exceptions (catch-all with just a log)
|
||||
- Operations that can partially complete (3 of 5 items processed, then crash)
|
||||
- State transitions that leave records in inconsistent states on failure
|
||||
- Background jobs that fail without alerting anyone
|
||||
|
||||
### 3. Exploit Trust Assumptions
|
||||
- Data validated on the frontend but not the backend
|
||||
- Internal APIs called without authentication (assuming "only our code calls this")
|
||||
- Configuration values assumed to be present but not validated
|
||||
- File paths or URLs constructed from user input without sanitization
|
||||
|
||||
### 4. Break the Edge Cases
|
||||
- What happens with the maximum possible input size?
|
||||
- What happens with zero items, empty strings, null values?
|
||||
- What happens on the first run ever (no existing data)?
|
||||
- What happens when the user clicks the button twice in 100ms?
|
||||
|
||||
### 5. Find What the Other Specialists Missed
|
||||
- Review each specialist's findings. What's the gap between their categories?
|
||||
- Look for cross-category issues (e.g., a performance issue that's also a security issue)
|
||||
- Look for issues at integration boundaries (where two systems meet)
|
||||
- Look for issues that only manifest in specific deployment configurations
|
||||
Reference in New Issue
Block a user