
v0.24.0 - SECURITY-REVIEW worked example + zh hero v16


MorrisLu-Taipei released this 15 Jun 04:55
· 10 commits to main since this release

v0.24.0 — SECURITY-REVIEW worked example + zh hero v16

The final piece of the four-piece security set: methodology + skill + negative example + positive example. The Code2n8n audit promise now has a concrete worked reference you can clone.

| Layer | Where |
| --- | --- |
| Why audit at all (the manifesto) | CODE2N8N.md "Demo ≠ Production" |
| How to audit (the methodology) | code-to-workflow Step 1.5 + hard rules §3/§8/§9 |
| What to audit with (the skill) | n8n-security-governance (141 lines) |
| Disclose-when-you-don't-fix (negative example) | SECURITY-CAVEATS.md |
| What a completed audit looks like (positive example) | SECURITY-REVIEW.md (NEW) |

🆕 New: examples/line-ai-customer-service-onprem/SECURITY-REVIEW.md

The full structured n8n-security-governance review applied to the bundled on-prem case, formal BLOCKED decision included.

  • 10 numbered sections matching the skill's required outputs (metadata, scope, mandatory checks, findings, chain analysis, decision, traceability, rollback, cross-refs, re-review triggers).
  • 13-entry trust-boundary matrix — every entry point with declared auth vs actual auth state.
  • 10 structured SEC-### findings, each with Severity, Status, Evidence at file:line, Impact, Reproduction, Required fix, Validation, Owner, Target version.
  • Chain analysis — how the single attack path (no auth → SQL identifier injection → no audit log) compounds into "unauthenticated arbitrary SQL execution with no forensics": each weakness is survivable alone, together they leave nothing to stop the attacker and nothing to investigate afterwards.
  • Compounding score: 8 FAIL / 2 PARTIAL / 1 PASS across 11 mandatory check dimensions, BLOCKED before any single Critical finding is considered.
  • Formal BLOCKED decision with a 10-step deployment requirement list to qualify for re-review.
  • Release traceability + Rollback section honestly marked "n/a — this case is BLOCKED from production".
  • Cross-references the short-form caveats, the skill, and the policy rationale in CREDITS.md.
  • Re-review trigger conditions so the document doesn't go stale.

Anyone forking the on-prem case to harden it can replace this file with their own review. Anyone writing a SECURITY-REVIEW for their own Code2n8n port has a clone-and-modify template.
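The chain the review's analysis section describes is easiest to see in code. The following is an added illustration, not code from the Code2n8n repository or from the bundled on-prem case: a query builder that carries all three weaknesses (no caller check, a table name interpolated verbatim into the SQL text, nothing logged) next to a hardened version that fixes each one. The request shape, the table allowlist and the PostgreSQL-style identifier quoting are assumptions made for this example.

```javascript
// Added example, not code from the Code2n8n repository: the attack chain the
// review describes (no auth -> SQL identifier injection -> no audit log),
// shown as a vulnerable query builder beside a hardened one. The request
// shape, the table allowlist and the PostgreSQL-style identifier quoting
// are assumptions made for this illustration.

// Vulnerable form: all three links of the chain in one function.
// No caller check; the table name goes verbatim into the SQL text (bound
// parameters such as $1 cannot protect an identifier, only values); and
// nothing is recorded for later forensics.
function buildQueryVulnerable(req) {
  return `SELECT * FROM ${req.body.table} WHERE tenant_id = $1`;
}

// Hardened form.
const ALLOWED_TABLES = new Set(['customers', 'conversations', 'orders']);
const auditLog = []; // in-memory stand-in for a real append-only audit sink

// Quote a PostgreSQL identifier: wrap in double quotes, double any embedded
// double quote. Defence in depth only; the allowlist is the primary control.
function quoteIdent(name) {
  return '"' + name.replace(/"/g, '""') + '"';
}

function buildQueryHardened(req) {
  const who = req.auth && req.auth.userId;
  if (!who) {
    // Link 1 fixed: reject unauthenticated callers, and record the attempt.
    auditLog.push({ event: 'rejected', reason: 'unauthenticated', table: req.body.table });
    throw new Error('unauthenticated');
  }
  const table = req.body.table;
  if (typeof table !== 'string' || !ALLOWED_TABLES.has(table)) {
    // Link 2 fixed: identifiers come from a fixed allowlist, never from input.
    auditLog.push({ event: 'rejected', reason: 'table not allowlisted', user: who, table });
    throw new Error('table not allowlisted');
  }
  const sql = `SELECT * FROM ${quoteIdent(table)} WHERE tenant_id = $1`;
  // Link 3 fixed: every accepted query leaves a trace tied to a principal.
  auditLog.push({ event: 'query', user: who, table });
  return sql;
}

function getAuditLog() {
  return auditLog.slice();
}

// Constructed sample requests (not captured traffic).
const maliciousReq = { auth: null, body: { table: 'customers; DROP TABLE customers; --' } };
const benignReq = { auth: { userId: 'agent-7' }, body: { table: 'orders' } };

// Run both builders against the same input and return the contrast.
function demonstrateChain() {
  auditLog.length = 0;
  const vulnerableSql = buildQueryVulnerable(maliciousReq);
  let hardenedError = null;
  try {
    buildQueryHardened(maliciousReq);
  } catch (e) {
    hardenedError = e.message;
  }
  return {
    vulnerableEmitsDrop: vulnerableSql.includes('DROP TABLE'),
    hardenedError,
    benignSql: buildQueryHardened(benignReq),
  };
}

console.log(demonstrateChain());
console.log(getAuditLog());
```

The point of the pairing is the review's compounding argument: the allowlist alone would stop the injection, the auth check alone would stop the anonymous caller, the audit entry alone would at least leave forensics. The vulnerable builder has none of them, which is why the finding is rated as a single unauthenticated arbitrary-SQL path rather than three medium issues.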

📝 Wiring

  • SECURITY-CAVEATS.md gets a one-line link to the long-form review at the top so readers find the underlying audit.
  • On-prem README pointer changed from "complete list via CAVEATS" to "short version → CAVEATS, full review → REVIEW".

🎨 Chinese hero now matches the English master

docs/images/code2n8n-hero-zh.png upgraded to v16 user-master-remaster-native. Resolves the v15 font/logo overlap that forced the temporary v11 revert in v0.22.x. English and Chinese READMEs now both ship the v16 master remaster.


🤖 Generated with Claude Code