Install: claude install-skill nuwansamaranayake/AiGNITEClaudeAssets
# security-audit
## Purpose
Find the security gaps that block a clean TestFlight or Play Store submission. Fix the Critical and High issues. Confirm the fixes did not introduce new gaps. Hand back a signed audit document.
## When to trigger
Trigger on these user phrases. Match loosely.
- "security audit"
- "pre-deploy check"
- "is this safe to ship"
- "check for vulnerabilities"
- "security review"
- "audit my app"
- "OWASP check"
- "ready for App Store"
## Behavior: three passes
### Pass 1: identify
Scan the entire project. Produce findings tagged Critical, High, Medium, Low with CWE references. Write to `SECURITY_AUDIT.md`.
Checks the skill runs:
- Hard-coded secrets in source (CWE-798)
- Exposed environment variables in client bundles (CWE-200)
- Missing server-side validation on API routes (CWE-20)
- Default-open database policies (CWE-732)
- Missing or inconsistent auth middleware (CWE-287)
- Hallucinated package imports (CWE-829)
- Console logs leaking request bodies or tokens (CWE-532)
- Missing rate limiting on expensive operations (CWE-770)
- CORS misconfigurations (CWE-942)
- SQL injection patterns in raw queries (CWE-89)
- XSS in user-supplied content paths (CWE-79)
- Insecure deep linking handlers (CWE-925)
- Hard-coded API URLs pointing at staging (CWE-1188)
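Added here as an illustration, not the skill's own code: a small Python scanner that implements heuristics for five of the checks above, tags each hit with its severity and CWE, and renders the table a `SECURITY_AUDIT.md` pass could carry. The rules, the `app/api.js` path and the sample source are constructed for this example.

```python
import re
from dataclasses import dataclass

# Hypothetical rule set modelled on five Pass 1 checks (constructed heuristics, not the skill's logic).
RULES = [
    ("Critical", "CWE-798", "hard-coded secret assigned in source",
     re.compile(r"""(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*['"][A-Za-z0-9_\-]{12,}['"]""")),
    ("High", "CWE-200", "public-prefixed env var (inlined into the client bundle) named like a secret",
     re.compile(r"process\.env\.(EXPO_PUBLIC|NEXT_PUBLIC)_[A-Z0-9_]*(SECRET|PRIVATE|SERVICE_ROLE)")),
    ("High", "CWE-942", "CORS header allows any origin",
     re.compile(r"""Access-Control-Allow-Origin['"]?\s*[:,]\s*['"]\*['"]""")),
    ("Medium", "CWE-532", "console log emits a request body or credential",
     re.compile(r"console\.(log|debug|info)\([^)]*\b(req\.body|token|authorization|password)\b", re.I)),
    ("Medium", "CWE-1188", "hard-coded URL points at a staging host",
     re.compile(r"https?://[a-z0-9.-]*staging[a-z0-9.-]*", re.I)),
]
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    severity: str
    cwe: str
    message: str

def scan_source(path: str, text: str) -> list[Finding]:
    """Run every rule over each line; return findings ordered Critical -> Low, then by line."""
    findings = [
        Finding(path, lineno, severity, cwe, message)
        for lineno, line in enumerate(text.splitlines(), start=1)
        for severity, cwe, message, pattern in RULES
        if pattern.search(line)
    ]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.line))

def render_audit(findings: list[Finding]) -> str:
    """Render findings as a Markdown table in the shape SECURITY_AUDIT.md could use."""
    rows = ["| Severity | CWE | Location | Finding |", "|---|---|---|---|"]
    rows += [f"| {f.severity} | {f.cwe} | {f.path}:{f.line} | {f.message} |" for f in findings]
    return "\n".join(rows)

# Constructed sample: a client-side file with one instance of each weakness plus a clean line.
SAMPLE_SOURCE = """\
const API_KEY = "sk_live_0123456789abcdef";
const client = createClient(process.env.EXPO_PUBLIC_PAYMENTS_SECRET_KEY);
res.setHeader("Access-Control-Allow-Origin", "*");
console.log("incoming", req.body);
const BASE_URL = "https://api.staging.example.com";
const PUBLIC_URL = "https://api.example.com";
"""

if __name__ == "__main__":
    print(render_audit(scan_source("app/api.js", SAMPLE_SOURCE)))
```

Regex heuristics of this kind give a first-pass triage list; a manual review of each hit is still needed to confirm severity before it goes into the signed audit.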
### Pass 2: fix
Implement fixes for every Critical and High finding. Apply Medium and Low fixes if the user opts in. After each fix, update `SECURITY_AUDIT.md` with the resolution and the diff lin