a4e667de10
Single-commit clean baseline after security scrub of niche-tells, project codenames, internal jargon, and contributor-email leaks. Contents: - 100 Rust crates (_primitives/_rust/) - 37 agent manifests (_manifests/) + generated specs (_generated/) - 67 user-invocable skills (skills/) - 33 hooks (hooks/) - Composition blocks (_blocks/) - Documentation (docs/, README.md) - TS adapter packages (_ts_packages/) - Assembler (_assembler/) - Roles (_roles/) - Templates (_templates/) - Forgejo CI (.forgejo/) Author: Denis Parfionovich <info@greendragon.info> License: see LICENSE.
34 lines
1.3 KiB
Markdown
34 lines
1.3 KiB
Markdown
## Severity grade on findings
|
|
|
|
Every finding in your return MUST carry a severity grade:
|
|
`[HIGH]`, `[MEDIUM]`, or `[LOW]`. Write the grade as the first
|
|
token of the finding's header.
|
|
|
|
Grading rubric:
|
|
- **[HIGH]** — auth, crypto, memory safety, data loss, IP leak,
|
|
network protocol flaw, unsound FFI, secret in source, or any
|
|
issue that could compromise a production deploy.
|
|
- **[MEDIUM]** — input validation, error handling, resource
|
|
exhaustion, config drift, missing test coverage on a critical
|
|
path, performance regression with measurable impact.
|
|
- **[LOW]** — docs inaccuracy, formatting, non-idiomatic code,
|
|
comment drift, minor style, opportunistic refactor.
|
|
|
|
Example:
|
|
|
|
**[HIGH]** Unbounded allocation in request parser
|
|
- File: crates/api/src/parse.rs:47
|
|
- Class: resource exhaustion
|
|
- Scenario: attacker sends 2GB body, process OOMs
|
|
- Fix: cap read at 16 MiB via `take(...)`
|
|
|
|
**[LOW]** Typo in module docstring
|
|
- File: crates/api/src/lib.rs:3
|
|
|
|
The verifier parses your return, locates every `## ` section
|
|
containing the word "Finding" (case-insensitive) or matching the
|
|
format above, and rejects the return if any finding lacks a
|
|
`[HIGH|MEDIUM|LOW]` token.
|
|
|
|
Empty finding lists are fine — state "No findings" and no grade
|
|
is required.
|