docs(rules): add Security section to self_review_checklist (follow-up to #3359)#3787
docs(rules): add Security section to self_review_checklist (follow-up to #3359)#3787realmeylisdev wants to merge 0 commit into
Conversation
| - [ ] No test pins a security-sensitive leak as a feature. Before | ||
| asserting on the *contents* of a payload (`endsWith('.nsec1...')`, | ||
| `body['nsec'] contains 'nsec1'`, `verifier contains <secret>`), ask | ||
| "if this assertion fires, is something *good* happening?" The | ||
| pre-fix BYOK leak (PR #3784) was pinned for two years by exactly | ||
| this shape. When the right answer is "no, the secret should never | ||
| be there," flip the assertion to a negative regression guard. | ||
|
|
||
| Security: | ||
|
|
||
| - [ ] No private-key material crosses the network or storage | ||
| boundary. The `nsec-leak-guard` CI job | ||
| (`mobile/tools/ci/grep_for_nsec_payload.sh`) catches the exact | ||
| `body['nsec']` / `'nsec':` shapes that landed PR #3784, but the | ||
| same threat model applies to any new credential / secret | ||
| handling. If you're touching an OAuth flow, signer, key import / | ||
| export path, or anything that handles a `nsec1` / `nsec_` / | ||
| private-key-bearing string, ask: "is the local-custody invariant | ||
| preserved end-to-end? Does the server need this to be a secret, | ||
| or would a pubkey + signed challenge suffice?" |
There was a problem hiding this comment.
We can do that, but right now I’m not completely happy with the large number of rules we have. The problem is that they’re sent with every request, which quickly fills up the context window, even in cases where those rules aren’t really needed. That’s why I like skills, especially the review skill, since things like this can be cleaned up once the code scaffold is in place.
It’s probably not a blocker at the moment, even though the rules are quite extensive, but in the future it might make sense to rethink what actually needs to be included in every session and what should only run during code review.
|
Thanks — your framing clicked. The cleanest move here is probably to drop the Wrote up the broader trajectory at |
realmeylisdev
force-pushed
the
chore/lessons-capture-nsec-leak-pattern
branch
from
2a2808b to
4818b07
Compare
|
@realmeylisdev If this is now closed, can we go ahead and delete the branch or are you going to cherrypick from it elsewhere? Just want to keep the repo as clean as we can. TYSM! |
|
Already deleted — branch was force-pushed back to parent before close so it had zero commits on it; nothing to cherrypick literally. The content (Security section + test-pinning bullet) relands in a future |
3 participants
Description
Small follow-up to PR #3784 (Phase 1 of #3359). Captures the
investigation lesson in the project's pre-PR checklist so future
reviewers see the rule before it bites again.
Two additions to
.claude/rules/self_review_checklist.md:leak as a feature (e.g.
expect(verifier, endsWith('.nsec1...'))).The pre-fix BYOK leak was hidden behind exactly this shape for the
lifetime of the imported
keycast_flutterpackage.nsec-leak-guardCI script and asks the local-custody questionfor any new credential / secret handling.
Related Issue: Relates to #3359 (already closed by PR #3784 merging will close it)
No code changes. No tests changes. Docs only.
Type of Change
Test plan