lgtm-security-review
Install: claude install-skill yarlson/lgtm
# lgtm Security Review
Use when the selected phase touches security-sensitive behavior.
## Trigger Surfaces
Run the review when touched code or config involves:
- auth or authz
- secrets, tokens, credentials, private keys, env vars
- command execution or shell args
- file read, write, paths, archives, uploads, downloads
- network calls, webhooks, callbacks, redirects, user-controlled URLs
- user input parse or interpolation
- database queries
- dependency, package, lockfile, tool changes
- MCP server config, tool config, plugin config, agent tool boundaries
- logs that may hold sensitive data
- permission, sandbox, approval behavior
## Workflow
1. Find security-sensitive touched surfaces.
2. Trace user/external input to dangerous sinks.
3. Check secrets committed or newly exposed.
4. Check shell commands for injection, quoting, untrusted args.
5. Check file paths for traversal, unintended overwrite, unsafe deletion.
6. Check network calls for SSRF, open redirect, insecure transport, credential leak.
7. Check auth changes for missing checks, privilege escalation, insecure defaults.
8. Check dependency changes for unpinned, unexpected, vulnerable packages where practical.
9. Check MCP/tool config for hardcoded secrets, unsafe args, latest-style pinning, broad permissions.
10. Fix confirmed issues in scope for selected phase.
11. Report out-of-scope risks; do not expand the implementation.
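The surface-finding and config-check steps above, as an added example (not code from the lgtm skill or the yarlson/lgtm project): heuristic scanners that flag candidate trigger surfaces in touched source files and check an MCP config for unpinned `npx` packages and inline secrets. The patterns, file names and sample contents are constructed assumptions; a hit is something to trace by hand, not a confirmed finding.

```python
import json
import re

# Heuristic patterns for the trigger surfaces listed above. A hit is a
# candidate to trace by hand (workflow step 2), never a confirmed finding.
SURFACE_PATTERNS = {
    "secret": re.compile(r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
    "shell": re.compile(r"shell\s*=\s*True|\bos\.system\(|subprocess\.\w+\(\s*f['\"]"),
    "path": re.compile(r"\.\./|os\.path\.join\([^)]*\b(request|user_|input)"),
    "network": re.compile(r"\bhttp://|urlopen\(\s*(request|user_)"),
}

def scan_source(path, text):
    """Flag lines of a touched source file that hit a trigger surface."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for surface, pattern in SURFACE_PATTERNS.items():
            if pattern.search(line):
                findings.append({"path": path, "line": lineno, "surface": surface,
                                 "snippet": line.strip()})
    return findings

def scan_mcp_config(path, text):
    """Workflow step 9: unpinned npx packages and inline secrets in MCP config."""
    findings = []
    for name, server in json.loads(text).get("mcpServers", {}).items():
        # First non-flag npx arg is the package spec; "@latest" or no "@<ver>" floats.
        pkgs = [a for a in server.get("args", []) if not a.startswith("-")]
        if server.get("command") == "npx" and pkgs and not re.search(r"@\d", pkgs[0]):
            findings.append({"path": path, "line": 0, "surface": "unpinned",
                             "snippet": f"{name}: {pkgs[0]}"})
        for key, value in server.get("env", {}).items():
            # A literal (not a ${VAR} reference) under a secret-looking key is hardcoded.
            if re.search(r"(?i)key|token|secret|password", key) and not str(value).startswith("${"):
                findings.append({"path": path, "line": 0, "surface": "secret",
                                 "snippet": f"{name}: env {key} is a literal"})
    return findings

# Constructed sample of touched files, not taken from any real project.
SAMPLE_SOURCE = ("import subprocess\n"
                 "def extract(name):\n"
                 "    return subprocess.run(f\"tar xf {name}\", shell=True)\n"
                 "API_KEY = 'sk-constructed-example-value'\n")
SAMPLE_MCP = json.dumps({"mcpServers": {"fs": {
    "command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem@latest", "/data"],
    "env": {"GITHUB_TOKEN": "ghp_constructed_example", "HOME": "/home/agent"}}}})

if __name__ == "__main__":
    for f in scan_source("app/run.py", SAMPLE_SOURCE) + scan_mcp_config(".mcp.json", SAMPLE_MCP):
        print(f"{f['path']}:{f['line']} [{f['surface']}] {f['snippet']}")
```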
## Finding Standard
Do not report speculative issues as confirmed vulns.
For each confirmed finding, know:
- affe