Gathering Security 🌲🕷️🦝🐢 The drum echoes in the shadows. The Spider weaves intricate webs of authentication, each strand placed with precision. The Raccoon rummages through every corner, finding what doesn't belong, cleaning what could harm. The Turtle moves with ancient patience, layering defense upon defense, testing every plate of the shell. Together they secure the forest — doors locked tight, secrets safe, paths protected, and the ground itself hardened against anything that comes. When to Summon Implementing authentication systems Adding OAuth or session management Security auditing before launch After security incidents Preparing for production deployment When auth, security audit, and deep hardening must work together Building a new feature that handles sensitive data Hardening existing code for defense in depth Grove Tools for This Gathering Use gw and gf throughout. Quick reference for security work:

Find security-relevant code patterns

gf --agent search "sanitize|escape|validate"

Security patterns

gf --agent auth

Find auth code and middleware

Verify security changes don't break anything

gw ci --affected --diagnose

Run CI on affected packages

The Gathering SUMMON --> ORGANIZE --> EXECUTE --> VALIDATE --> COMPLETE | | | | | Receive Dispatch Animals Verify Security Request Animals Work Check Hardened Animals Mobilized 🕷️ Spider — Weave authentication webs with patient precision 🦝 Raccoon — Rummage for security risks and cleanup 🐢 Turtle — Harden with layered, defense-in-depth protection Phase 1: SUMMON The drum sounds. The shadows shift... Receive and parse the request: Clarify the Security Work: Adding new auth provider? (OAuth, SSO) Securing routes and APIs? General security audit? Deep security hardening? Post-incident cleanup? Pre-production hardening? Error Codes as Security Posture: All errors MUST use Signpost codes — this is a security requirement, not just a convention: All server errors use codes from the appropriate catalog ( API_ERRORS , AUTH_ERRORS , etc.) userMessage is always generic and warm — no technical details leak to clients adminMessage is detailed — stays in server logs only Auth errors NEVER reveal user existence ("Invalid credentials" — not "user not found") logGroveError() for all server errors — never console.error alone Scope Check: "I'll mobilize a security gathering for: [security work] This will involve: 🕷️ Spider weaving authentication OAuth/PKCE flow Session management Route protection Token handling 🦝 Raccoon auditing security Secret scanning Vulnerability check Dependency audit Dead code removal 🐢 Turtle hardening defenses Input/output validation Security headers & CSP Defense-in-depth enforcement Exotic attack vector testing Hardening report Proceed with the gathering?" Selective Mobilization: Not every gathering needs all three animals: Situation Animals Needed New auth system + full security All three: Spider → Raccoon → Turtle Auth already exists, need hardening Raccoon → Turtle New feature, ensure secure by design Turtle only (or Turtle → Raccoon) Secrets leak / incident response Raccoon → Spider (rotate creds) → Turtle (verify) Pre-production deploy Raccoon → Turtle Phase 2: ORGANIZE The animals take their positions in the shadows... Dispatch in sequence: Full Dispatch Order: Spider ──→ Raccoon ──→ Turtle │ │ │ │ │ │ Weave Audit Harden Auth Secrets Defenses Dependencies: Spider must complete before Raccoon (needs auth to audit) Raccoon should complete before Turtle (clean first, then harden) May iterate: Turtle findings → Spider/Raccoon fixes → Turtle re-verify Iteration Cycle (When Vulnerabilities Found): ┌──────────────────────────────────────────────────────────────────┐ │ SECURITY ITERATION │ ├──────────────────────────────────────────────────────────────────┤ │ │ │ 🕷️ Spider ──► 🦝 Raccoon ──► 🐢 Turtle │ │ weaves auth audits hardens & tests │ │ ▲ │ │ │ │ ▼ │ │ │ Deep vulnerabilities? │ │ │ / \ │ │ │ Yes No │ │ │ │ │ │ │ │ ┌────────────┘ ▼ │ │ │ ▼ ✅ Hardened │ │ │ Auth issue? │ │ │ / \ │ │ │ Yes No │ │ │ │ │ │ │ └───┘ Raccoon/Turtle │ │ fixes directly │ └──────────────────────────────────────────────────────────────────┘ Iteration Rules: Turtle finds auth vulnerability → Spider patches → Turtle re-verifies Turtle finds non-auth vulnerability → Fix directly → Turtle re-verifies Raccoon finds secrets → Raccoon cleans → Turtle verifies no residual exposure Maximum 3 iterations per issue (if more needed, architectural review required) Each iteration focuses only on newly found/fixed items Document all iterations in final report Phase 3: EXECUTE The web is woven. The audit begins. The shell hardens... Execute each animal's phase by loading and running their dedicated skill: 🕷️ SPIDER — WEAVE Load skill: spider-weave Execute the full Spider workflow for [the auth system being implemented]. Handoff: working authentication system (OAuth flow, session management, protected routes, CSRF protection) → Raccoon for audit 🦝 RACCOON — AUDIT Load skill: raccoon-audit Execute the full Raccoon workflow on the entire codebase, with particular attention to the Spider's auth implementation. If secrets found or auth issues discovered → Spider patches → Raccoon re-verifies. Handoff: clean audit report (no secrets, vulnerabilities patched, dead code removed, pre-commit hooks installed) → Turtle for hardening 🐢 TURTLE — HARDEN Load skill: turtle-harden Execute the full Turtle workflow on the codebase, including auth routes, API endpoints, and data flows. If deep vulnerabilities found in auth → Spider patches → Turtle re-verifies. Maximum 3 iterations per issue. Handoff: hardening report (defense-in-depth verified, exotic vectors tested, all layers applied) → VALIDATE phase Phase 4: VALIDATE The web holds. The audit confirms. The shell endures... Validation Checklist: Spider: Auth flow works end-to-end Spider: Routes properly protected Spider: Sessions expire correctly Spider: CSRF protection active Raccoon: No secrets in codebase Raccoon: Dependencies up to date Raccoon: No sensitive data in logs Raccoon: Pre-commit hooks installed Turtle: Input validation on all entry points Turtle: Output encoding on all exit points Turtle: Security headers complete Turtle: CSP enforced (nonce-based) Turtle: CORS restricted to exact origins Turtle: Defense-in-depth verified (2+ layers per critical function) Turtle: Exotic attack vectors tested and clear Turtle: Multi-tenant isolation verified (if applicable) Rootwork Boundary Validation: Form data parsed with parseFormData() , not raw formData.get() JSON reads validated with safeJsonParse() , not unsafe as casts Caught exceptions use isRedirect() / isHttpError() type guards No as any or as SomeType casts at trust boundaries Schemas defined at module scope, not inside handlers Security Test Cases: Authentication: [ ] Login redirects to provider [ ] Callback exchanges code for tokens [ ] Sessions created correctly [ ] Logout clears sessions server-side [ ] Expired tokens rejected [ ] Session fixation prevented Authorization: [ ] Protected routes require auth [ ] Admin routes check roles [ ] API endpoints verify tokens [ ] Users can't access others' data (IDOR tested) [ ] Horizontal escalation prevented [ ] Vertical escalation prevented Hardening: [ ] SQL injection prevented (parameterized queries) [ ] XSS prevented (output encoding + CSP) [ ] CSRF prevented (tokens + SameSite cookies) [ ] File uploads sanitized (type + size + rename) [ ] Rate limiting active on all sensitive endpoints [ ] Prototype pollution vectors blocked [ ] Timing attacks mitigated (constant-time comparison) [ ] Race conditions prevented (atomic operations) [ ] SSRF prevented (URL allowlist, no redirect following) Phase 5: COMPLETE The gathering ends. The forest is fortified... Completion Report:

GATHERING SECURITY COMPLETE

Security Work: [Description]

Animals Mobilized 🕷️ Spider → 🦝 Raccoon → 🐢 Turtle

Authentication Implemented

** Provider: ** [OAuth 2.0 / GitHub / Google / etc.] - ** Flow: ** [PKCE / Authorization Code] - ** Session Type: ** [Token / Session Cookie] - ** Routes Protected: ** [count]

Security Audit Results

Secrets found: [count] (all rotated/removed)

Dependencies patched: [count]

Dead code removed: [lines]

Pre-commit hooks: Installed

|

Exotic Attack Vectors Tested | Vector | Status | |

|

Defense-in-Depth Compliance

** Layers verified: ** [X/5] (Network, Application, Data, Infrastructure, Process) - ** Critical functions with 2+ layers: ** [X/Y]

|

| | CRITICAL | [n] | All fixed | | HIGH | [n] | All fixed | | MEDIUM | [n] | [fixed/accepted] | | LOW | [n] | [fixed/deferred] |

Files Created/Modified

Auth routes: [files]

Middleware: [files]

Configuration: [files]

Security tests: [files] _ Woven tight, audited clean, hardened deep — the forest endures. _ 🌲 Example Gathering User: "/gathering-security Add GitHub OAuth, audit everything, and harden for production" Gathering execution: 🌲 SUMMON — "Mobilizing full security gathering: GitHub OAuth + audit + hardening. All three animals needed." 🌲 ORGANIZE — "Spider implements auth → Raccoon audits for secrets/vulns → Turtle hardens everything" 🌲 EXECUTE — 🕷️ Spider: "OAuth client registered, PKCE flow implemented, sessions working, routes protected" 🦝 Raccoon: "No secrets found, 2 dependency vulns patched, dead debug endpoint removed" 🐢 Turtle: "CSP configured with nonces, CORS locked to exact origins, all inputs validated with Zod, constant-time token comparison added, prototype pollution vector in config merge fixed, defense-in-depth verified at 3 layers per critical function" 🌲 VALIDATE — "Auth works, audit clean, hardening verified, all exotic vectors tested clear" 🌲 COMPLETE — "GitHub OAuth live, secrets clean, shell hardened. The forest endures." Quick Decision Guide Situation Animals to Mobilize New auth + full security Spider → Raccoon → Turtle Auth exists, need deep hardening Raccoon → Turtle New feature, secure by design Turtle (optionally + Raccoon) Incident response Raccoon → Spider → Turtle Pre-production deploy Raccoon → Turtle Auth-only work Spider → Raccoon (no Turtle needed) Woven tight, audited clean, hardened deep — the forest endures. 🌲

安装