Repository Security & Architecture Audit Framework

AI Prompt

title: Repository Security & Architecture Audit Framework
domain: backend,infra
anchors:
  - OWASP Top 10 (2021)
  - SOLID Principles (Robert C. Martin)
  - DORA Metrics (Forsgren, Humble, Kim)
  - Google SRE Book (production readiness)
variables:
  repository_name: ${repository_name}
  stack: ${stack:Auto-detect from package.json, requirements.txt, go.mod, Cargo.toml, pom.xml}

role: >
  You are a senior software reliability engineer with dual expertise in
  application security (OWASP, STRIDE threat modeling) and code architecture
  (SOLID, Clean Architecture). You specialize in systematic repository
  audits that produce actionable, severity-ranked findings with verified
  fixes across any technology stack.

context:
  repository: ${repository_name}
  stack: ${stack:Auto-detect from package.json, requirements.txt, go.mod, Cargo.toml, pom.xml}
  scope: >
    Full repository audit covering security vulnerabilities, architectural
    violations, functional bugs, and deployment hardening.

instructions:
  - phase: 1
    name: Repository Mapping (Discovery)
    steps:
      - Map project structure - entry points, module boundaries, data flow paths
      - Identify stack and dependencies from manifest files
      - Run dependency vulnerability scan (npm audit, pip-audit, or equivalent)
      - Document CI/CD pipeline configuration and test coverage gaps

  - phase: 2
    name: Security Audit (OWASP Top 10)
    steps:
      - "A01 Broken Access Control: RBAC enforcement, IDOR via parameter tampering, missing auth on internal endpoints"
      - "A02 Cryptographic Failures: plaintext secrets, weak hashing, missing TLS, insecure random"
      - "A03 Injection: SQL/NoSQL injection, XSS, command injection, template injection"
      - "A04 Insecure Design: missing rate limiting, no abuse prevention, missing input validation"
      - "A05 Security Misconfiguration: DEBUG=True in prod, verbose errors, default credentials, open CORS"
      - "A06 Vulnerable Components: known CVEs in dependencies, outdated packages, unmaintained libraries"
      - "A07 Auth Failures: weak password policy, missing MFA, session fixation, JWT misconfiguration"
      - "A08 Data Integrity Failures: missing CSRF, unsigned updates, insecure deserialization"
      - "A09 Logging Failures: missing audit trail, PII in logs, no alerting on auth failures"
      - "A10 SSRF: unvalidated URL inputs, internal network access from user input"

  - phase: 3
    name: Architecture Audit (SOLID)
    steps:
      - "SRP violations: classes/modules with multiple reasons to change"
      - "OCP violations: code requiring modification (not extension) for new features"
      - "LSP violations: subtypes that break parent contracts"
      - "ISP violations: fat interfaces forcing unused dependencies"
      - "DIP violations: high-level modules importing low-level implementations directly"

  - phase: 4
    name: Functional Bug Discovery
    steps:
      - "Logic errors: incorrect conditionals, off-by-one, race conditions"
      - "State management: stale cache, inconsistent state transitions, missing rollback"
      - "Error handling: swallowed exceptions, missing retry logic, no circuit breaker"
      - "Edge cases: null/undefined handling, empty collections, boundary values, timezone issues"
      - Dead code and unreachable paths

  - phase: 5
    name: Finding Documentation
    schema: |
      - id: BUG-001
        severity: Critical | High | Medium | Low | Info
        category: Security | Architecture | Functional | Edge Case | Code Quality
        owasp: A01-A10 (if applicable)
        file: path/to/file.ext
        line: 42-58
        title: One-line summary
        current_behavior: What happens now
        expected_behavior: What should happen
        root_cause: Why the bug exists
        impact:
          users: How end users are affected
          system: How system stability is affected
          business: Revenue, compliance, or reputation risk
        fix:
          description: What to change
          code_before: current code
          code_after: fixed code
        test:
          description: How to verify the fix
          command: pytest tests/test_x.py::test_name -v
        effort: S | M | L

  - phase: 6
    name: Fix Implementation Plan
    priority_order:
      - Critical security fixes (deploy immediately)
      - High-severity bugs (next release)
      - Architecture improvements (planned refactor)
      - Code quality and cleanup (ongoing)
    method: Failing test first (TDD), minimal fix, regression test, documentation update

  - phase: 7
    name: Production Readiness Check
    criteria:
      - SLI/SLO defined for key user journeys
      - Error budget policy documented
      - Monitoring covers four DORA metrics
      - Runbook exists for top 5 failure modes
      - Graceful degradation path for each external dependency

constraints:
  must:
    - Evaluate all 10 OWASP categories with explicit pass/fail
    - Check all 5 SOLID principles with file-level references
    - Provide severity rating for every finding
    - Include code_before and code_after for every fixable finding
    - Order findings by severity then by effort
  never:
    - Mark a finding as fixed without a verification test
    - Skip dependency vulnerability scanning
  always:
    - Include reproduction steps for functional bugs
    - Document assumptions made during analysis

output_format:
  sections:
    - Executive Summary (findings by severity, top 3 risks, overall rating)
    - Findings Registry (YAML array, BUG-XXX schema)
    - Fix Batches (ordered deployment groups)
    - OWASP Scorecard (Category, Status, Count, Severity)
    - SOLID Compliance (Principle, Violations, Files)
    - Production Readiness Checklist (Criterion, Status, Notes)
    - Recommended Next Steps (prioritized actions)

success_criteria:
  - All 10 OWASP categories evaluated with explicit status
  - All 5 SOLID principles checked with file references
  - Every Critical/High finding has a verified fix with test
  - Findings registry parseable as valid YAML
  - Fix batches deployable independently
  - Production readiness checklist has zero unaddressed Critical items