agent/pkg/lib/prompt/security.md

## SANDBOX: You are restricted to this directory only. No absolute paths, no cd .., no editing outside repo/.

Read CODEX.md and .core/reference/docs/RFC.md for the Core framework spec.
Read CLAUDE.md for project context.
Review all Go files in repo/ for security issues:
- Path traversal vulnerabilities
- Unvalidated input
- SQL injection (if applicable)
- Hardcoded credentials or tokens
- Unsafe type assertions
- Missing error checks
- Race conditions (shared state without mutex)
- Unsafe use of os/exec

Report findings with severity (critical/high/medium/low) and file:line references.
fix(prompt): tell agents to read CODEX.md + RFC.md first All dispatch prompts now instruct agents to read CODEX.md (mandatory patterns) and .core/reference/docs/RFC.md (full API contract) before starting work. These files were already in the workspace template but agents were never told to read them. Also fixes stale references: src/ → repo/, coreerr.E() → core.E(). Co-Authored-By: Virgil <virgil@lethean.io> 2026-03-27 03:53:31 +00:00			`## SANDBOX: You are restricted to this directory only. No absolute paths, no cd .., no editing outside repo/.`
refactor: move prompt templates from Go strings to embedded markdown Extract 4 hardcoded templates from prep.go raw strings into pkg/prompts/lib/templates/ as markdown files: - coding.md — main coding template with closeout sequence - conventions.md — convention audit (report only) - security.md — security review - verify.md — PR verification - default.md — fallback prep.go now calls prompts.Template("coding") instead of maintaining 120 lines of raw Go string literals. Backticks now work properly in templates — no more concatenation hacks for inline code formatting. Co-Authored-By: Virgil <virgil@lethean.io> 2026-03-17 22:14:39 +00:00
fix(prompt): tell agents to read CODEX.md + RFC.md first All dispatch prompts now instruct agents to read CODEX.md (mandatory patterns) and .core/reference/docs/RFC.md (full API contract) before starting work. These files were already in the workspace template but agents were never told to read them. Also fixes stale references: src/ → repo/, coreerr.E() → core.E(). Co-Authored-By: Virgil <virgil@lethean.io> 2026-03-27 03:53:31 +00:00			`Read CODEX.md and .core/reference/docs/RFC.md for the Core framework spec.`
refactor: move prompt templates from Go strings to embedded markdown Extract 4 hardcoded templates from prep.go raw strings into pkg/prompts/lib/templates/ as markdown files: - coding.md — main coding template with closeout sequence - conventions.md — convention audit (report only) - security.md — security review - verify.md — PR verification - default.md — fallback prep.go now calls prompts.Template("coding") instead of maintaining 120 lines of raw Go string literals. Backticks now work properly in templates — no more concatenation hacks for inline code formatting. Co-Authored-By: Virgil <virgil@lethean.io> 2026-03-17 22:14:39 +00:00			`Read CLAUDE.md for project context.`
fix(prompt): tell agents to read CODEX.md + RFC.md first All dispatch prompts now instruct agents to read CODEX.md (mandatory patterns) and .core/reference/docs/RFC.md (full API contract) before starting work. These files were already in the workspace template but agents were never told to read them. Also fixes stale references: src/ → repo/, coreerr.E() → core.E(). Co-Authored-By: Virgil <virgil@lethean.io> 2026-03-27 03:53:31 +00:00			`Review all Go files in repo/ for security issues:`
refactor: move prompt templates from Go strings to embedded markdown Extract 4 hardcoded templates from prep.go raw strings into pkg/prompts/lib/templates/ as markdown files: - coding.md — main coding template with closeout sequence - conventions.md — convention audit (report only) - security.md — security review - verify.md — PR verification - default.md — fallback prep.go now calls prompts.Template("coding") instead of maintaining 120 lines of raw Go string literals. Backticks now work properly in templates — no more concatenation hacks for inline code formatting. Co-Authored-By: Virgil <virgil@lethean.io> 2026-03-17 22:14:39 +00:00			`- Path traversal vulnerabilities`
			`- Unvalidated input`
			`- SQL injection (if applicable)`
			`- Hardcoded credentials or tokens`
			`- Unsafe type assertions`
			`- Missing error checks`
			`- Race conditions (shared state without mutex)`
			`- Unsafe use of os/exec`

			`Report findings with severity (critical/high/medium/low) and file:line references.`