rob
/
orchestrated-discussions
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
orchestrated-discussions/smarttools/discussion-security/config.yaml

265 lines
8.8 KiB
YAML
Raw Permalink Blame History

# discussion-security - Security specialist participant for discussions
# Usage: cat discussion.md | discussion-security --callout "Review the authentication approach"
name: discussion-security
description: Security specialist participant for discussions
category: Discussion
meta:
display_name: AI-Security
alias: security
type: voting
expertise:
- Vulnerability assessment
- Threat modeling
- Authentication & authorization
- Data protection
- Input validation
- OWASP Top 10
concerns:
- "What are the security implications?"
- "How could this be exploited?"
- "Are we handling sensitive data properly?"
- "What's the attack surface?"
arguments:
- flag: --callout
variable: callout
default: ""
description: Specific question or @mention context
- flag: --templates-dir
variable: templates_dir
default: "templates"
description: Path to templates directory
- flag: --diagrams-dir
variable: diagrams_dir
default: "diagrams"
description: Path to save diagrams
- flag: --log-file
variable: log_file
default: ""
description: Path to log file for progress updates
steps:
# Step 1: Extract phase context from template
- type: code
code: |
import re
import os
phase_match = re.search(r'<!--\s*Phase:\s*(\w+)\s*-->', input, re.IGNORECASE)
template_match = re.search(r'<!--\s*Template:\s*(\w+)\s*-->', input, re.IGNORECASE)
current_phase = phase_match.group(1) if phase_match else "initial_feedback"
template_name = template_match.group(1) if template_match else "feature"
template_path = os.path.join(templates_dir, template_name + ".yaml")
phase_goal = "Provide security feedback"
phase_instructions = "Review the proposal for security concerns."
if os.path.exists(template_path):
import yaml
with open(template_path, 'r') as f:
template = yaml.safe_load(f)
phases = template.get("phases", {})
phase_info = phases.get(current_phase, {})
phase_goal = phase_info.get("goal", phase_goal)
phase_instructions = phase_info.get("instructions", phase_instructions)
phase_context = "Current Phase: " + current_phase + "\n"
phase_context += "Phase Goal: " + phase_goal + "\n"
phase_context += "Phase Instructions:\n" + phase_instructions
output_var: phase_context, current_phase
# Step 2: Prepare diagram path
- type: code
code: |
import re
import os
title_match = re.search(r'<!--\s*Title:\s*(.+?)\s*-->', input)
discussion_name = "discussion"
if title_match:
discussion_name = title_match.group(1).strip().lower()
discussion_name = re.sub(r'[^a-z0-9]+', '-', discussion_name)
os.makedirs(diagrams_dir, exist_ok=True)
existing = []
if os.path.exists(diagrams_dir):
for f in os.listdir(diagrams_dir):
if f.startswith(discussion_name):
existing.append(f)
next_num = len(existing) + 1
diagram_path = diagrams_dir + "/" + discussion_name + "_security_" + str(next_num) + ".puml"
output_var: diagram_path
# Step 3: Log progress before AI call
- type: code
code: |
import sys
import datetime as dt
timestamp = dt.datetime.now().strftime("%H:%M:%S")
for msg in [f"Phase: {current_phase}", "Calling AI provider..."]:
line = f"[{timestamp}] [security] {msg}"
print(line, file=sys.stderr)
sys.stderr.flush()
if log_file:
with open(log_file, 'a') as f:
f.write(line + "\n")
f.flush()
output_var: _progress1
# Step 4: Generate response
- type: prompt
prompt: |
You are AI-Security (also known as Steve), a security specialist who identifies
vulnerabilities, threat vectors, and security best practices.
## Your Role
- Identify security risks and vulnerabilities
- Suggest mitigations and security controls
- Consider threat models and attack surfaces
- Ensure compliance with security best practices
- Balance security with usability
## Your Perspective
- Assume malicious actors will try to exploit the system
- Consider both external and internal threats
- Think about data protection and privacy
- Focus on practical, implementable security measures
- Apply defense in depth principles
## Security Checklist
- Input validation and sanitization
- Authentication and authorization
- Session management
- Data encryption (at rest and in transit)
- Error handling and logging
- Rate limiting and DoS protection
- Injection vulnerabilities (SQL, XSS, etc.)
## Phase Context
{phase_context}
## Diagrams
When creating threat models or security diagrams, you MUST include a reference marker.
Diagram path to use: {diagram_path}
IMPORTANT: When you create a diagram, your comment MUST include:
DIAGRAM: {diagram_path}
This marker makes the diagram discoverable. Example comment structure:
"## Security Analysis
[Your security analysis with threat model description]
DIAGRAM: {diagram_path}"
## Current Discussion
{input}
## Your Task
{callout}
Follow the phase instructions. Analyze from a security perspective.
## Response Format
Respond with valid JSON only. Use \n for newlines in strings (not literal newlines):
{{
"comment": "Line 1\nLine 2\nCONCERN: Issue here",
"vote": "READY" or "CHANGES" or "REJECT" or null,
"diagram": "@startuml\nactor Attacker\n@enduml"
}}
Important: The diagram field must use \n for newlines, not actual line breaks.
Vote meanings:
- READY: No significant security concerns
- CHANGES: Security improvements needed (specify what)
- REJECT: Critical security issues (explain why)
- null: Comment only, no vote change
If you have nothing meaningful to add, respond: {{"sentinel": "NO_RESPONSE"}}
provider: claude-sonnet
output_var: response
# Step 5: Log progress after AI call
- type: code
code: |
import sys
import datetime as dt
timestamp = dt.datetime.now().strftime("%H:%M:%S")
line = f"[{timestamp}] [security] AI response received"
print(line, file=sys.stderr)
sys.stderr.flush()
if log_file:
with open(log_file, 'a') as f:
f.write(line + "\n")
f.flush()
output_var: _progress2
# Step 6: Extract JSON from response (may be wrapped in markdown code block)
- type: code
code: |
import re
json_text = response.strip()
code_block = re.search(r'```(?:json)?\s*(.*?)```', json_text, re.DOTALL)
if code_block:
json_text = code_block.group(1).strip()
output_var: json_text
# Step 5: Parse JSON
- type: code
code: |
import json
try:
parsed = json.loads(json_text)
except json.JSONDecodeError as e:
# AI often returns literal newlines in JSON strings - escape them
fixed = json_text.replace('\n', '\\n')
try:
parsed = json.loads(fixed)
except json.JSONDecodeError:
# Last resort: try to extract just the fields we need via regex
import re
comment_match = re.search(r'"comment"\s*:\s*"(.*?)"(?=\s*[,}])', json_text, re.DOTALL)
vote_match = re.search(r'"vote"\s*:\s*("?\w+"?|null)', json_text)
diagram_match = re.search(r'"diagram"\s*:\s*"(.*?)"(?=\s*[,}])', json_text, re.DOTALL)
parsed = {
"comment": comment_match.group(1).replace('\n', ' ') if comment_match else "Parse error",
"vote": vote_match.group(1).strip('"') if vote_match else None,
"diagram": diagram_match.group(1) if diagram_match else None
}
if parsed["vote"] == "null":
parsed["vote"] = None
comment = parsed.get("comment", "")
vote = parsed.get("vote")
diagram_content = parsed.get("diagram")
has_diagram = "true" if diagram_content else "false"
output_var: comment, vote, diagram_content, has_diagram
# Step 6: Save diagram if present
- type: code
code: |
if has_diagram == "true" and diagram_content:
with open(diagram_path, 'w') as f:
f.write(diagram_content)
saved_diagram = diagram_path
else:
saved_diagram = ""
output_var: saved_diagram
# Step 7: Build final response
- type: code
code: |
import json
result = {"comment": comment, "vote": vote}
if saved_diagram:
result["diagram_file"] = saved_diagram
final_response = json.dumps(result)
output_var: final_response
output: "{final_response}"
Reference in New Issue View Git Blame Copy Permalink