docs: consolidate copilot governance and add medassist skills (#160)
This commit is contained in:
Daniel Volz
GitHub
@@ -0,0 +1,43 @@
|
||||
---
|
||||
name: medassist-security-sanity
|
||||
description: Apply baseline security checks to MedAssist code changes, especially for backend routes, auth flows, and input handling, including equivalent requests phrased in German.
|
||||
---
|
||||
|
||||
# Skill Instructions
|
||||
|
||||
Use this skill when a change touches backend routes, auth/session logic, file handling, imports/exports, or external input.
|
||||
|
||||
## Objective
|
||||
|
||||
Prevent common security regressions with fast, practical checks during implementation.
|
||||
|
||||
## Required Checks
|
||||
|
||||
1. Validate and sanitize external input at API boundaries.
|
||||
2. Enforce auth/authz server-side for protected actions.
|
||||
3. Ensure secrets/tokens are never hardcoded or logged.
|
||||
4. Avoid information leakage in error responses.
|
||||
5. Keep permission-sensitive operations explicit and auditable.
|
||||
|
||||
## MedAssist Focus Areas
|
||||
|
||||
- Route handlers in `backend/src/routes/`.
|
||||
- Auth-related code in `backend/src/plugins/` and auth routes.
|
||||
- Data import/export and sharing endpoints.
|
||||
- File/image upload and serving paths.
|
||||
|
||||
## Anti-Patterns
|
||||
|
||||
- Trusting frontend-only checks.
|
||||
- Accepting unchecked query/body/path input.
|
||||
- Returning raw internal errors to clients.
|
||||
- Weak defaults for sensitive operations.
|
||||
|
||||
## Response Format
|
||||
|
||||
Report:
|
||||
|
||||
- Security-sensitive files reviewed
|
||||
- Findings by severity (critical/major/minor)
|
||||
- Concrete remediation actions
|
||||
- Residual risk (if any)
|
||||
Reference in New Issue
Block a user