Install: claude install-skill senda-labs/DQIII8
# /blue-team — Defensive Security Hardening
Read the latest red-team report and systematically fix every finding.
## Usage
```
/blue-team # Fix all findings from latest report
/blue-team $ARGUMENTS # Fix specific finding (e.g. RT-001)
```
## Pipeline
### Step 1: Load latest red-team report
```bash
ls -t tasks/audit/red-team-*.md | head -1
```
Read and parse all findings.
### Step 2: Prioritize fixes
Order: CRITICAL → HIGH → MEDIUM → LOW
Within the same severity: kill-chain findings first (they have multiplied impact).
### Step 3: For each finding, apply fix pattern
| Finding type | Fix pattern |
|-------------|-------------|
| SQL injection | Replace f-strings with parameterized queries (`?`) |
| Command injection | Use `shlex.quote()` on user input, whitelist commands |
| Path traversal | Use `pathlib.Path.resolve()` + check the resolved path is inside the allowed dir (compare path components, not a raw string prefix) |
| XSS | Escape HTML output with `html.escape()` or template engine |
| Auth bypass | Add auth decorator/middleware to unprotected routes |
| Hardcoded secrets | Move to `.env`, use `os.environ.get()` |
| Debug exposure | Remove `print(error)`, use `logging` with appropriate level |
| File permissions | `chmod 600` on `.env`, `.db`, `.pem`, `.key` files |
| Missing validation | Add type checks, range checks, sanitization |
| Dependency vuln | `pip install --upgrade {package}` |
| Vibe-coding pattern | Rewrite the specific pattern with secure alternative |
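The path traversal row is the one where a fix most often looks right and still fails, so here is an added example (not part of this skill's own code) that runs a string-prefix check beside a component-wise containment check. The directory names, file names and the `safe_resolve` / `naive_prefix_check` helpers are constructed for illustration.

```python
import tempfile
from pathlib import Path


def naive_prefix_check(base: str, user_path: str) -> bool:
    """Flawed variant: string prefix comparison on the resolved path."""
    target = str(Path(base, user_path).resolve())
    return target.startswith(str(Path(base).resolve()))


def safe_resolve(base: str, user_path: str) -> Path:
    """Resolve user_path under base; raise ValueError if it escapes base."""
    root = Path(base).resolve()
    # resolve() collapses ".." and follows symlinks; an absolute
    # user_path replaces root entirely, which the check below rejects.
    target = (root / user_path).resolve()
    # Component-wise containment, not a string prefix test.
    if target != root and root not in target.parents:
        raise ValueError(f"path escapes allowed directory: {user_path!r}")
    return target


# Constructed inputs: one legitimate name and four escapes.
SAMPLES = ("report.txt", "../uploads-private/secret.txt",
           "link/secret.txt", "../../etc/passwd", "/etc/passwd")


def demo() -> dict:
    """Map each sample to (naive check accepts, strict check accepts)."""
    with tempfile.TemporaryDirectory() as tmp:
        allowed = Path(tmp, "uploads")
        sibling = Path(tmp, "uploads-private")  # shares the string prefix
        allowed.mkdir()
        sibling.mkdir()
        (allowed / "report.txt").write_text("ok")
        (sibling / "secret.txt").write_text("constructed secret")
        (allowed / "link").symlink_to(sibling)  # symlink out of the root
        results = {}
        for name in SAMPLES:
            try:
                safe_resolve(str(allowed), name)
                strict = True
            except ValueError:
                strict = False
            results[name] = (naive_prefix_check(str(allowed), name), strict)
        return results


if __name__ == "__main__":
    for sample, verdict in demo().items():
        print(f"{sample!r}: naive={verdict[0]} strict={verdict[1]}")
```

The sibling directory and the symlink both pass the string-prefix check and are rejected by the component-wise check, which is the case to cover when verifying a path traversal fix.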
### Step 4: Verify each fix