Add /sweep-security command #1193

Merged
brendancol merged 1 commit into master from add-sweep-security-command
Apr 14, 2026
@brendancol
Contributor

Summary

  • New /sweep-security slash command that audits xrspatial modules for security vulnerabilities specific to numeric/GPU raster libraries
  • Scores modules by security-relevant metadata (CUDA kernels, file I/O, dimension-based allocations, shared memory, numba JIT) and dispatches parallel worktree-isolated subagents for the top N
  • Covers 6 audit categories: unbounded allocation/DoS, integer overflow in index math, NaN/Inf logic errors, GPU kernel bounds safety, file path injection, and dtype confusion
  • 4-tier severity (CRITICAL/HIGH/MEDIUM/LOW); CRITICAL and HIGH issues get fixed via /rockout, MEDIUM/LOW are documented only
  • Follows the same single-phase structure as /sweep-accuracy: gather metadata, score, dispatch, subagents update state file directly

Initial sweep run found and fixed 4 issues across geotiff and reproject (#1184, #1185, #1186, #1187 -- PRs #1188, #1189). The hydro subpackage came back clean at HIGH+ severity.

Test plan

  • Run /sweep-security --top 1 and verify a single subagent launches
  • Run /sweep-security --only-io --top 1 and verify geotiff gets audited
  • Verify .claude/security-sweep-state.json is created with correct schema after a run
  • Run /sweep-security --reset-state and verify state file is deleted

New slash command that audits xrspatial modules for security issues
specific to numeric/GPU raster libraries. Dispatches parallel subagents
to check 6 categories: unbounded allocations, integer overflow in
index math, NaN/Inf logic errors, GPU kernel bounds safety, file path
injection, and dtype confusion.

Follows the same single-phase pattern as /sweep-accuracy: score modules
by security-relevant metadata (CUDA kernels, file I/O, allocations from
dimensions), dispatch worktree-isolated subagents for the top N, and
fix CRITICAL/HIGH issues via /rockout.
github-actions bot added the performance (PR touches performance-sensitive code) label on Apr 13, 2026
brendancol merged commit 476e0c5 into master on Apr 14, 2026
11 checks passed
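
The scoring step described in the summary (security-relevant metadata per module, then the top N) can be pictured as a static pass over each module's AST. This is an added example, not the /sweep-security command's own code: the weights, the signal names, the `signals` and `rank` helpers and the sample modules are assumptions constructed for illustration.

```python
import ast

# Assumed weights: the PR names these signals but not how they are weighted.
WEIGHTS = {"cuda_kernel": 5, "file_io": 4, "shared_memory": 3, "dim_alloc": 3, "numba_jit": 1}
ALLOC_FUNCS = {"empty", "zeros", "ones", "full"}

def _name(node):
    """Dotted name of a decorator or call target, e.g. 'cuda.shared.array'."""
    return ast.unparse(node.func if isinstance(node, ast.Call) else node)

def signals(source):
    """Collect the security-relevant signals found in one module's source."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for dec in node.decorator_list:
                name = _name(dec)
                if name.endswith("cuda.jit"):
                    found.add("cuda_kernel")
                elif name.split(".")[-1] in {"jit", "njit"}:
                    found.add("numba_jit")
        elif isinstance(node, ast.Call):
            name = _name(node)
            if name.endswith("shared.array"):
                found.add("shared_memory")
            elif name == "open":
                found.add("file_io")
            elif name.split(".")[-1] in ALLOC_FUNCS and node.args:
                # A literal shape is bounded; one built from variables is not.
                if any(isinstance(n, (ast.Name, ast.Attribute)) for n in ast.walk(node.args[0])):
                    found.add("dim_alloc")
    return found

def rank(modules, top_n):
    """Return the top_n (name, score) pairs, highest score first; zero scores are dropped."""
    scored = {name: sum(WEIGHTS[s] for s in signals(src)) for name, src in modules.items()}
    hits = [(n, s) for n, s in scored.items() if s]
    return sorted(hits, key=lambda p: (-p[1], p[0]))[:top_n]

# Constructed sample modules (not xrspatial source).
SAMPLE = {
    "io_like": "import numpy as np\ndef read(p, h, w):\n    f = open(p, 'rb')\n    return np.empty((h, w))\n",
    "gpu_like": "from numba import cuda\n@cuda.jit\ndef k(o):\n    t = cuda.shared.array((16, 16), 'f4')\n",
    "math_like": "def slope(a, b):\n    return (a - b) / 2.0\n",
}
```
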