/safina:hunt
Offensive analysis — run before any PR or merge. Hunts for security vulnerabilities, hidden bugs, dependency risks, regressions, and flaky tests. Looks for things an engineer wouldn’t catch in normal review.
This is not a standards check. It doesn’t care about naming conventions or API structure — that’s /safina:test. Hunt looks for things that could cause data loss, security incidents, production outages, or silent failures in the field.
When to run it
- Before every PR or merge — mandatory
- Any time you touch auth, payments, data access, or external integrations
- When you’ve added a dependency or upgraded one
- Any time something feels off but you can’t point to it
Domains covered
| Domain | What hunt looks for |
|---|---|
| Security | OWASP Top 10: injection, XSS, auth bypass, insecure data exposure, CSRF, CORS misconfiguration |
| Secrets | Hardcoded API keys, tokens, passwords, connection strings in code |
| Auth & authz | Missing auth middleware, privilege escalation paths, object-level access not checked |
| Sensitive data | PII/PHI in logs or error responses, stack traces in production errors |
| Dependencies | Known CVEs, version mismatches, deprecated packages with vulnerabilities, dev deps in prod |
| Logic bugs | Null dereferences, unchecked errors, empty catch blocks, type coercion surprises, off-by-one |
| Race conditions | Check-then-act patterns that aren’t atomic, interleaved async operations |
| Regressions | Changes that alter behaviour existing callers depend on, schema changes during rolling deploys |
| Flaky tests | Wall-clock time assertions, real network calls in unit tests, shared mutable state, non-deterministic values |
| Data integrity | Missing input validation at boundaries, unparameterized queries, enum values not validated |
| Multi-tenancy | Queries not scoped by institution/tenant ID, cross-tenant data leakage paths (critical for ILMIYA/FERPA) |
| Resource leaks | Unclosed DB connections, file handles not closed, event listeners not removed |
| Dead/dangerous code | Commented-out credentials, TODO/FIXME marking broken production behaviour, deprecated APIs still called |
The report
## /safina:hunt — YYYY-MM-DD
Scope: [what was hunted]
Domains checked: [list]
### Errors (N)
[Critical — security vulnerabilities, auth bypass, data leaks, crash paths]
file:line — What the problem is and why it's dangerous.
[Attack vector if exploitable.]
### Patches (N)
[Serious — bugs that will surface in production, flaky tests, dep CVEs]
file:line — What it is and what it risks.
### Notices (N)
[Informational — dead code, suspicious patterns, dep lag without known CVE]
file:line — What it is.
### Dependency report
| Package | Version | Issue |
|---------|---------|-------|
| name | x.y.z | CVE / deprecation / peer conflict |
### Summary
Most dangerous finding, overall risk posture, what to fix before this ships.
Severity guide
| Tier | Meaning | Action |
|---|---|---|
| Error | Security vulnerability, crash path, data leak | Fix before merge — no exceptions |
| Patch | Serious bug, flaky test, dep CVE | Fix before merge where possible |
| Notice | Dead code, dep lag, suspicious pattern | Track; not blocking |
Security findings go directly to Taha
If hunt surfaces a critical security finding, the command offers to post a private comment on your active ticket and notes that Taha should be flagged directly — not just in the normal update flow.
What it gates
/safina:update will not allow a QA-ready or PR-ready flag if:
- Hunt hasn’t been run this session, or
- Errors from hunt remain unresolved
The developer is sent back to hunt to remediate before the update is posted with a PR/QA signal.
Recommended follow-up
Hunt surfaces patterns but can’t run live CVE lookups against a database. After running hunt, run:
npm audit/pip-audit/cargo auditfor your package manager- Check flagged deps against NIST NVD if hunt flags a version gap