gathering-security
Gathering Security 🌲🕷️🦝🐢
The drum echoes in the shadows. The Spider weaves intricate webs of authentication, each strand placed with precision. The Raccoon rummages through every corner, finding what doesn't belong, cleaning what could harm. The Turtle moves with ancient patience, layering defense upon defense, testing every plate of the shell. Together they secure the forest — doors locked tight, secrets safe, paths protected, and the ground itself hardened against anything that comes.
When to Summon
- Implementing authentication systems
- Adding OAuth or session management
- Security auditing before launch
- After security incidents
- Preparing for production deployment
- When auth, security audit, and deep hardening must work together
- Building a new feature that handles sensitive data
- Hardening existing code for defense in depth
Grove Tools for This Gathering
Use gw and gf throughout. Quick reference for security work:
# Find security-relevant code patterns
gf --agent search "sanitize|escape|validate" # Security patterns
gf --agent auth # Find auth code and middleware
# Verify security changes don't break anything
gw ci --affected --diagnose # Run CI on affected packages
The Gathering
SUMMON --> ORGANIZE --> EXECUTE --> VALIDATE --> COMPLETE
| | | | |
Receive Dispatch Animals Verify Security
Request Animals Work Check Hardened
Animals Mobilized
- 🕷️ Spider — Weave authentication webs with patient precision
- 🦝 Raccoon — Rummage for security risks and cleanup
- 🐢 Turtle — Harden with layered, defense-in-depth protection
Phase 1: SUMMON
The drum sounds. The shadows shift...
Receive and parse the request:
Clarify the Security Work:
- Adding new auth provider? (OAuth, SSO)
- Securing routes and APIs?
- General security audit?
- Deep security hardening?
- Post-incident cleanup?
- Pre-production hardening?
Error Codes as Security Posture: All errors MUST use Signpost codes — this is a security requirement, not just a convention:
- All server errors use codes from the appropriate catalog (
API_ERRORS,AUTH_ERRORS, etc.) userMessageis always generic and warm — no technical details leak to clientsadminMessageis detailed — stays in server logs only- Auth errors NEVER reveal user existence ("Invalid credentials" — not "user not found")
logGroveError()for all server errors — neverconsole.erroralone
Scope Check:
"I'll mobilize a security gathering for: [security work]
This will involve:
- 🕷️ Spider weaving authentication
- OAuth/PKCE flow
- Session management
- Route protection
- Token handling
- 🦝 Raccoon auditing security
- Secret scanning
- Vulnerability check
- Dependency audit
- Dead code removal
- 🐢 Turtle hardening defenses
- Input/output validation
- Security headers & CSP
- Defense-in-depth enforcement
- Exotic attack vector testing
- Hardening report
Proceed with the gathering?"
Selective Mobilization: Not every gathering needs all three animals:
| Situation | Animals Needed |
|---|---|
| New auth system + full security | All three: Spider → Raccoon → Turtle |
| Auth already exists, need hardening | Raccoon → Turtle |
| New feature, ensure secure by design | Turtle only (or Turtle → Raccoon) |
| Secrets leak / incident response | Raccoon → Spider (rotate creds) → Turtle (verify) |
| Pre-production deploy | Raccoon → Turtle |
Phase 2: ORGANIZE
The animals take their positions in the shadows...
Dispatch in sequence:
Full Dispatch Order:
Spider ──→ Raccoon ──→ Turtle
│ │ │
│ │ │
Weave Audit Harden
Auth Secrets Defenses
Dependencies:
- Spider must complete before Raccoon (needs auth to audit)
- Raccoon should complete before Turtle (clean first, then harden)
- May iterate: Turtle findings → Spider/Raccoon fixes → Turtle re-verify
Iteration Cycle (When Vulnerabilities Found):
┌──────────────────────────────────────────────────────────────────┐
│ SECURITY ITERATION │
├──────────────────────────────────────────────────────────────────┤
│ │
│ 🕷️ Spider ──► 🦝 Raccoon ──► 🐢 Turtle │
│ weaves auth audits hardens & tests │
│ ▲ │ │
│ │ ▼ │
│ │ Deep vulnerabilities? │
│ │ / \ │
│ │ Yes No │
│ │ │ │ │
│ │ ┌────────────┘ ▼ │
│ │ ▼ ✅ Hardened │
│ │ Auth issue? │
│ │ / \ │
│ │ Yes No │
│ │ │ │ │
│ └───┘ Raccoon/Turtle │
│ fixes directly │
└──────────────────────────────────────────────────────────────────┘
Iteration Rules:
- Turtle finds auth vulnerability → Spider patches → Turtle re-verifies
- Turtle finds non-auth vulnerability → Fix directly → Turtle re-verifies
- Raccoon finds secrets → Raccoon cleans → Turtle verifies no residual exposure
- Maximum 3 iterations per issue (if more needed, architectural review required)
- Each iteration focuses only on newly found/fixed items
- Document all iterations in final report
Phase 3: EXECUTE
The web is woven. The audit begins. The shell hardens...
Execute each animal's phase by loading and running their dedicated skill:
🕷️ SPIDER — WEAVE
Load skill: spider-weave
Execute the full Spider workflow for [the auth system being implemented]. Handoff: working authentication system (OAuth flow, session management, protected routes, CSRF protection) → Raccoon for audit
🦝 RACCOON — AUDIT
Load skill: raccoon-audit
Execute the full Raccoon workflow on the entire codebase, with particular attention to the Spider's auth implementation. If secrets found or auth issues discovered → Spider patches → Raccoon re-verifies. Handoff: clean audit report (no secrets, vulnerabilities patched, dead code removed, pre-commit hooks installed) → Turtle for hardening
🐢 TURTLE — HARDEN
Load skill: turtle-harden
Execute the full Turtle workflow on the codebase, including auth routes, API endpoints, and data flows. If deep vulnerabilities found in auth → Spider patches → Turtle re-verifies. Maximum 3 iterations per issue. Handoff: hardening report (defense-in-depth verified, exotic vectors tested, all layers applied) → VALIDATE phase
Phase 4: VALIDATE
The web holds. The audit confirms. The shell endures...
Validation Checklist:
- Spider: Auth flow works end-to-end
- Spider: Routes properly protected
- Spider: Sessions expire correctly
- Spider: CSRF protection active
- Raccoon: No secrets in codebase
- Raccoon: Dependencies up to date
- Raccoon: No sensitive data in logs
- Raccoon: Pre-commit hooks installed
- Turtle: Input validation on all entry points
- Turtle: Output encoding on all exit points
- Turtle: Security headers complete
- Turtle: CSP enforced (nonce-based)
- Turtle: CORS restricted to exact origins
- Turtle: Defense-in-depth verified (2+ layers per critical function)
- Turtle: Exotic attack vectors tested and clear
- Turtle: Multi-tenant isolation verified (if applicable)
Rootwork Boundary Validation:
- Form data parsed with
parseFormData(), not rawformData.get() - JSON reads validated with
safeJsonParse(), not unsafeascasts - Caught exceptions use
isRedirect()/isHttpError()type guards - No
as anyoras SomeTypecasts at trust boundaries - Schemas defined at module scope, not inside handlers
Security Test Cases:
Authentication:
[ ] Login redirects to provider
[ ] Callback exchanges code for tokens
[ ] Sessions created correctly
[ ] Logout clears sessions server-side
[ ] Expired tokens rejected
[ ] Session fixation prevented
Authorization:
[ ] Protected routes require auth
[ ] Admin routes check roles
[ ] API endpoints verify tokens
[ ] Users can't access others' data (IDOR tested)
[ ] Horizontal escalation prevented
[ ] Vertical escalation prevented
Hardening:
[ ] SQL injection prevented (parameterized queries)
[ ] XSS prevented (output encoding + CSP)
[ ] CSRF prevented (tokens + SameSite cookies)
[ ] File uploads sanitized (type + size + rename)
[ ] Rate limiting active on all sensitive endpoints
[ ] Prototype pollution vectors blocked
[ ] Timing attacks mitigated (constant-time comparison)
[ ] Race conditions prevented (atomic operations)
[ ] SSRF prevented (URL allowlist, no redirect following)
Phase 5: COMPLETE
The gathering ends. The forest is fortified...
Completion Report:
## GATHERING SECURITY COMPLETE
### Security Work: [Description]
### Animals Mobilized
🕷️ Spider → 🦝 Raccoon → 🐢 Turtle
### Authentication Implemented
- **Provider:** [OAuth 2.0 / GitHub / Google / etc.]
- **Flow:** [PKCE / Authorization Code]
- **Session Type:** [Token / Session Cookie]
- **Routes Protected:** [count]
### Security Audit Results
- Secrets found: [count] (all rotated/removed)
- Dependencies patched: [count]
- Dead code removed: [lines]
- Pre-commit hooks: Installed
### Hardening Applied
| Defense Layer | Status | Details |
| ---------------- | --------------- | -------------------------------------- |
| Input Validation | [PASS/FAIL] | Zod schemas on all endpoints |
| Output Encoding | [PASS/FAIL] | Context-aware, DOMPurify for rich text |
| SQL Injection | [PASS/FAIL] | All queries parameterized |
| Security Headers | [PASS/FAIL] | CSP, HSTS, X-Frame, etc. |
| CORS | [PASS/FAIL] | Exact origin allowlist |
| Session Security | [PASS/FAIL] | HttpOnly, Secure, SameSite |
| CSRF Protection | [PASS/FAIL] | Tokens + SameSite |
| Rate Limiting | [PASS/FAIL] | Per-endpoint limits configured |
| Multi-Tenant | [PASS/FAIL/N/A] | Tenant scoping verified |
| File Uploads | [PASS/FAIL/N/A] | Type/size/rename enforced |
### Exotic Attack Vectors Tested
| Vector | Status |
| ------------------- | ------------- |
| Prototype Pollution | [CLEAR/FOUND] |
| Timing Attacks | [CLEAR/FOUND] |
| Race Conditions | [CLEAR/FOUND] |
| ReDoS | [CLEAR/FOUND] |
| SSRF | [CLEAR/FOUND] |
| Unicode Attacks | [CLEAR/FOUND] |
| Cache Poisoning | [CLEAR/FOUND] |
| SVG XSS | [CLEAR/FOUND] |
### Defense-in-Depth Compliance
- **Layers verified:** [X/5] (Network, Application, Data, Infrastructure, Process)
- **Critical functions with 2+ layers:** [X/Y]
### Vulnerabilities Found & Fixed
| Severity | Count | Status |
| -------- | ----- | ---------------- |
| CRITICAL | [n] | All fixed |
| HIGH | [n] | All fixed |
| MEDIUM | [n] | [fixed/accepted] |
| LOW | [n] | [fixed/deferred] |
### Files Created/Modified
- Auth routes: [files]
- Middleware: [files]
- Configuration: [files]
- Security tests: [files]
_Woven tight, audited clean, hardened deep — the forest endures._ 🌲
Example Gathering
User: "/gathering-security Add GitHub OAuth, audit everything, and harden for production"
Gathering execution:
-
🌲 SUMMON — "Mobilizing full security gathering: GitHub OAuth + audit + hardening. All three animals needed."
-
🌲 ORGANIZE — "Spider implements auth → Raccoon audits for secrets/vulns → Turtle hardens everything"
-
🌲 EXECUTE —
- 🕷️ Spider: "OAuth client registered, PKCE flow implemented, sessions working, routes protected"
- 🦝 Raccoon: "No secrets found, 2 dependency vulns patched, dead debug endpoint removed"
- 🐢 Turtle: "CSP configured with nonces, CORS locked to exact origins, all inputs validated with Zod, constant-time token comparison added, prototype pollution vector in config merge fixed, defense-in-depth verified at 3 layers per critical function"
-
🌲 VALIDATE — "Auth works, audit clean, hardening verified, all exotic vectors tested clear"
-
🌲 COMPLETE — "GitHub OAuth live, secrets clean, shell hardened. The forest endures."
Quick Decision Guide
| Situation | Animals to Mobilize |
|---|---|
| New auth + full security | Spider → Raccoon → Turtle |
| Auth exists, need deep hardening | Raccoon → Turtle |
| New feature, secure by design | Turtle (optionally + Raccoon) |
| Incident response | Raccoon → Spider → Turtle |
| Pre-production deploy | Raccoon → Turtle |
| Auth-only work | Spider → Raccoon (no Turtle needed) |
Woven tight, audited clean, hardened deep — the forest endures. 🌲