Add /ultraresearch-local for structured research combining local codebase analysis with external knowledge via parallel agent swarms. Produces research briefs with triangulation, confidence ratings, and source quality assessment. New command: /ultraresearch-local with modes --quick, --local, --external, --fg. New agents: research-orchestrator (opus), docs-researcher, community-researcher, security-researcher, contrarian-researcher, gemini-bridge (all sonnet). New template: research-brief-template.md. Integration: --research flag in /ultraplan-local accepts pre-built research briefs (up to 3), enriches the interview and exploration phases. Planning orchestrator cross-references brief findings during synthesis. Design principle: Context Engineering — right information to right agent at right time. Research briefs are structured artifacts in the pipeline: ultraresearch → brief → ultraplan --research → plan → ultraexecute. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
151 lines
4.3 KiB
Markdown
151 lines
4.3 KiB
Markdown
# Security Clean Report — {{TARGET}}
|
|
|
|
**Date:** {{TIMESTAMP}}
|
|
**Mode:** {{MODE}} (live / dry-run)
|
|
**Backup:** {{BACKUP_PATH}}
|
|
**Duration:** {{DURATION_MS}}ms
|
|
|
|
---
|
|
|
|
## Remediation Summary
|
|
|
|
> [!{{VERDICT_TYPE}}]
|
|
> **Pre-clean:** {{PRE_VERDICT}} ({{PRE_RISK_SCORE}}/100) — {{PRE_TOTAL_FINDINGS}} findings
|
|
> **Post-clean:** {{POST_VERDICT}} ({{POST_RISK_SCORE}}/100) — {{POST_TOTAL_FINDINGS}} findings
|
|
> **Risk reduction:** {{RISK_REDUCTION}}%
|
|
|
|
| Metric | Before | After | Delta |
|
|
|--------|--------|-------|-------|
|
|
| Risk Score | {{PRE_RISK_SCORE}} | {{POST_RISK_SCORE}} | {{RISK_DELTA}} |
|
|
| Total Findings | {{PRE_TOTAL_FINDINGS}} | {{POST_TOTAL_FINDINGS}} | {{FINDINGS_DELTA}} |
|
|
| Critical | {{PRE_CRITICAL}} | {{POST_CRITICAL}} | {{CRITICAL_DELTA}} |
|
|
| High | {{PRE_HIGH}} | {{POST_HIGH}} | {{HIGH_DELTA}} |
|
|
| Medium | {{PRE_MEDIUM}} | {{POST_MEDIUM}} | {{MEDIUM_DELTA}} |
|
|
| Low | {{PRE_LOW}} | {{POST_LOW}} | {{LOW_DELTA}} |
|
|
| Info | {{PRE_INFO}} | {{POST_INFO}} | {{INFO_DELTA}} |
|
|
|
|
---
|
|
|
|
## Fix Summary
|
|
|
|
| Category | Count |
|
|
|----------|-------|
|
|
| Auto-fixes applied | {{AUTO_APPLIED}} |
|
|
| Semi-auto approved | {{SEMI_APPROVED}} |
|
|
| Semi-auto skipped | {{SEMI_SKIPPED}} |
|
|
| LLM-detected auto-fixes | {{LLM_AUTO_APPLIED}} |
|
|
| LLM-detected semi-auto approved | {{LLM_SEMI_APPROVED}} |
|
|
| Manual (reported only) | {{MANUAL_COUNT}} |
|
|
| Skipped (historical) | {{HISTORICAL_COUNT}} |
|
|
| Failed | {{FAILED_COUNT}} |
|
|
| **Total processed** | **{{TOTAL_PROCESSED}}** |
|
|
|
|
---
|
|
|
|
## Auto-Fixes Applied
|
|
|
|
<!-- Findings removed fully automatically — no user interaction required. -->
|
|
|
|
| Finding ID | File | Operation | Description |
|
|
|------------|------|-----------|-------------|
|
|
{{AUTO_FIXES_ROWS}}
|
|
|
|
> [!TIP]
|
|
> Auto-fixes are lossless operations: stripping zero-width characters, removing known-malicious
|
|
> strings, or replacing hardcoded secrets with placeholder tokens.
|
|
|
|
---
|
|
|
|
## Semi-Auto Fixes Applied
|
|
|
|
<!-- Findings where the fix was proposed and the user approved the change. -->
|
|
|
|
| Finding ID | File | Change Description | Rationale |
|
|
|------------|----|-------------------|-----------|
|
|
{{SEMI_AUTO_APPLIED_ROWS}}
|
|
|
|
---
|
|
|
|
## Semi-Auto Fixes Skipped
|
|
|
|
<!-- Findings where the proposed fix was reviewed but the user chose not to apply it. -->
|
|
|
|
| Finding ID | Proposed Change | User Decision |
|
|
|------------|----------------|---------------|
|
|
{{SEMI_AUTO_SKIPPED_ROWS}}
|
|
|
|
---
|
|
|
|
## Remaining Manual Findings
|
|
|
|
<!-- These findings require human judgment or architectural changes and cannot be auto-remediated. -->
|
|
|
|
| Finding ID | Severity | File | Description | Recommendation |
|
|
|------------|----------|------|-------------|----------------|
|
|
{{MANUAL_FINDINGS_ROWS}}
|
|
|
|
> [!CAUTION]
|
|
> Manual findings are not reduced by re-running `/security clean`. Address them directly
|
|
> in the codebase, then re-run `/security scan` to verify the fix.
|
|
|
|
---
|
|
|
|
## Skipped (Historical)
|
|
|
|
<!-- GIT findings that exist in commit history. They cannot be cleaned without rewriting history. -->
|
|
|
|
| Finding ID | Severity | Commit | Description |
|
|
|------------|----------|--------|-------------|
|
|
{{HISTORICAL_ROWS}}
|
|
|
|
> [!NOTE]
|
|
> Historical findings in git history require `git filter-repo` or a force-push to remove.
|
|
> Consult your team before rewriting shared history. These findings are listed for awareness only.
|
|
|
|
---
|
|
|
|
## File Modification Log
|
|
|
|
| File Path | Operations | Validation |
|
|
|-----------|-----------|------------|
|
|
{{FILE_MOD_ROWS}}
|
|
|
|
---
|
|
|
|
## Validation Results
|
|
|
|
Each modified file was validated after changes were applied. Any file that failed validation
|
|
was automatically restored from the backup.
|
|
|
|
| File | Check | Result | Detail |
|
|
|------|-------|--------|--------|
|
|
{{VALIDATION_ROWS}}
|
|
|
|
**Validation rules:**
|
|
- `.json` files: `JSON.parse()` succeeded
|
|
- Frontmatter files (`.md`, `.yaml`): `^---\n` prefix present
|
|
- `.mjs` / `.js` files: `node --check` passed
|
|
- All other files: character encoding check only
|
|
|
|
> [!WARNING]
|
|
> Files marked `FAIL` in validation were **restored from backup**. The finding they targeted
|
|
> is still present and has been moved back to the Manual Findings section above.
|
|
|
|
---
|
|
|
|
## Rollback
|
|
|
|
To restore the original (pre-clean) state:
|
|
|
|
```bash
|
|
rm -rf {{TARGET}}
|
|
mv {{BACKUP_PATH}} {{TARGET}}
|
|
```
|
|
|
|
> [!WARNING]
|
|
> The backup will be removed when you next run `/security clean` on this target.
|
|
> Copy or rename it if you want to preserve it permanently.
|
|
|
|
---
|
|
|
|
*Generated by llm-security clean v1.3.0*
|