chore: apply agent kit project structure
This commit is contained in:
16
docs/security-review.md
Normal file
16
docs/security-review.md
Normal file
@@ -0,0 +1,16 @@
|
||||
# Security Review
|
||||
|
||||
## Checked Areas
|
||||
|
||||
- Shell execution: browser auto-open is gated by `AUTO_OPEN_BROWSER` and defaults to false.
|
||||
- Secrets: `.env` remains ignored; `.env.example` contains no real keys.
|
||||
- External network calls: source fetches use timeout/retry diagnostics and expose degraded state.
|
||||
- Manual actions: `/api/sweep` is local-only unless `SWEEP_TOKEN` is configured.
|
||||
- File writes: runtime writes are limited to `runs/`.
|
||||
- HTML injection: dashboard data is JSON-injected only by the CLI path; server mode serves data through API/SSE.
|
||||
|
||||
## Residual Risk
|
||||
|
||||
- External feeds can return malformed, stale, or adversarial content. UI rendering should continue to sanitize titles and URLs.
|
||||
- LLM outputs are advisory only and must not be treated as financial advice.
|
||||
- `node:sqlite` availability depends on the Node 22 build; when unavailable the memory database degrades to a no-op placeholder.
|
||||
Reference in New Issue
Block a user