Safina

/safina:hunt

Offensive analysis — run before any PR or merge. Hunts for security vulnerabilities, hidden bugs, dependency risks, regressions, and flaky tests. Looks for things an engineer wouldn’t catch in normal review.

This is not a standards check. It doesn’t care about naming conventions or API structure — that’s /safina:test. Hunt looks for things that could cause data loss, security incidents, production outages, or silent failures in the field.


When to run it

  • Before every PR or merge — mandatory
  • Any time you touch auth, payments, data access, or external integrations
  • When you’ve added a dependency or upgraded one
  • Any time something feels off but you can’t point to it

Domains covered

DomainWhat hunt looks for
SecurityOWASP Top 10: injection, XSS, auth bypass, insecure data exposure, CSRF, CORS misconfiguration
SecretsHardcoded API keys, tokens, passwords, connection strings in code
Auth & authzMissing auth middleware, privilege escalation paths, object-level access not checked
Sensitive dataPII/PHI in logs or error responses, stack traces in production errors
DependenciesKnown CVEs, version mismatches, deprecated packages with vulnerabilities, dev deps in prod
Logic bugsNull dereferences, unchecked errors, empty catch blocks, type coercion surprises, off-by-one
Race conditionsCheck-then-act patterns that aren’t atomic, interleaved async operations
RegressionsChanges that alter behaviour existing callers depend on, schema changes during rolling deploys
Flaky testsWall-clock time assertions, real network calls in unit tests, shared mutable state, non-deterministic values
Data integrityMissing input validation at boundaries, unparameterized queries, enum values not validated
Multi-tenancyQueries not scoped by institution/tenant ID, cross-tenant data leakage paths (critical for ILMIYA/FERPA)
Resource leaksUnclosed DB connections, file handles not closed, event listeners not removed
Dead/dangerous codeCommented-out credentials, TODO/FIXME marking broken production behaviour, deprecated APIs still called

The report

## /safina:hunt — YYYY-MM-DD

Scope: [what was hunted]
Domains checked: [list]

### Errors  (N)
[Critical — security vulnerabilities, auth bypass, data leaks, crash paths]
file:line — What the problem is and why it's dangerous.
[Attack vector if exploitable.]

### Patches  (N)
[Serious — bugs that will surface in production, flaky tests, dep CVEs]
file:line — What it is and what it risks.

### Notices  (N)
[Informational — dead code, suspicious patterns, dep lag without known CVE]
file:line — What it is.

### Dependency report
| Package | Version | Issue |
|---------|---------|-------|
| name | x.y.z  | CVE / deprecation / peer conflict |

### Summary
Most dangerous finding, overall risk posture, what to fix before this ships.

Severity guide

TierMeaningAction
ErrorSecurity vulnerability, crash path, data leakFix before merge — no exceptions
PatchSerious bug, flaky test, dep CVEFix before merge where possible
NoticeDead code, dep lag, suspicious patternTrack; not blocking

Security findings go directly to Taha

If hunt surfaces a critical security finding, the command offers to post a private comment on your active ticket and notes that Taha should be flagged directly — not just in the normal update flow.


What it gates

/safina:update will not allow a QA-ready or PR-ready flag if:

  • Hunt hasn’t been run this session, or
  • Errors from hunt remain unresolved

The developer is sent back to hunt to remediate before the update is posted with a PR/QA signal.


Hunt surfaces patterns but can’t run live CVE lookups against a database. After running hunt, run:

  • npm audit / pip-audit / cargo audit for your package manager
  • Check flagged deps against NIST NVD if hunt flags a version gap