Add /ultraresearch-local for structured research combining local codebase analysis with external knowledge via parallel agent swarms. Produces research briefs with triangulation, confidence ratings, and source quality assessment. New command: /ultraresearch-local with modes --quick, --local, --external, --fg. New agents: research-orchestrator (opus), docs-researcher, community-researcher, security-researcher, contrarian-researcher, gemini-bridge (all sonnet). New template: research-brief-template.md. Integration: --research flag in /ultraplan-local accepts pre-built research briefs (up to 3), enriches the interview and exploration phases. Planning orchestrator cross-references brief findings during synthesis. Design principle: Context Engineering — right information to right agent at right time. Research briefs are structured artifacts in the pipeline: ultraresearch → brief → ultraplan --research → plan → ultraexecute. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
125 lines
4.3 KiB
Markdown
125 lines
4.3 KiB
Markdown
# Pre-Deployment Security Checklist
|
||
|
||
<!--
|
||
TEMPLATE USAGE
|
||
This is a reference document describing the expected output structure for `/security pre-deploy`.
|
||
Agents use this as a formatting guide for the pre-deployment checklist report.
|
||
Fill every section with real observations. Do NOT output placeholder text.
|
||
Run all 10 automated checks first, then ask the 3 manual verification questions.
|
||
State the verdict clearly at the end based on the PASS count.
|
||
-->
|
||
|
||
---
|
||
|
||
## Header
|
||
|
||
**Project:** [Name of the project or directory assessed]
|
||
**Assessment date:** [ISO 8601 — e.g. 2026-02-19]
|
||
**Assessed by:** llm-security plugin v[X.X] — pre-deploy checklist
|
||
**Mode:** Pre-deployment checklist
|
||
|
||
---
|
||
|
||
## Score Summary
|
||
|
||
**Passed: X/10 automated checks**
|
||
|
||
```
|
||
[========--] 8/10
|
||
```
|
||
|
||
**Verdict:** [Ready for deployment / Nearly ready / Not ready]
|
||
|
||
---
|
||
|
||
## Automated Checks
|
||
|
||
Status values: PASS — control confirmed | FAIL — control absent or broken | WARN — partial or unverified | N/A — not applicable
|
||
|
||
| # | Check | Status | Detail |
|
||
|---|-------|--------|--------|
|
||
| 1 | Deny-first permissions | [PASS/FAIL/WARN/N/A] | [finding detail] |
|
||
| 2 | Secrets hook active | [PASS/FAIL/WARN/N/A] | [finding detail] |
|
||
| 3 | Path guard active | [PASS/FAIL/WARN/N/A] | [finding detail] |
|
||
| 4 | Destructive command guard | [PASS/FAIL/WARN/N/A] | [finding detail] |
|
||
| 5 | MCP servers verified | [PASS/FAIL/WARN/N/A] | [finding detail] |
|
||
| 6 | No hardcoded secrets | [PASS/FAIL/WARN/N/A] | [finding detail] |
|
||
| 7 | .gitignore covers secrets | [PASS/FAIL/WARN/N/A] | [finding detail] |
|
||
| 8 | CLAUDE.md security docs | [PASS/FAIL/WARN/N/A] | [finding detail] |
|
||
| 9 | Sandbox enabled | [PASS/FAIL/WARN/N/A] | [finding detail] |
|
||
| 10 | Audit logging configured | [PASS/FAIL/WARN/N/A] | [finding detail] |
|
||
|
||
---
|
||
|
||
## Manual Verification
|
||
|
||
Answers provided by the user during the assessment session.
|
||
|
||
- [ ] **Enterprise plan:** [user answer]
|
||
- [ ] **DPIA completed:** [user answer]
|
||
- [ ] **Incident response plan:** [user answer]
|
||
|
||
---
|
||
|
||
## Recommendations
|
||
|
||
FAIL items are listed first (blocking), followed by WARN items (advisory). Items with PASS or N/A status are omitted.
|
||
|
||
| Priority | Check # | Action | Effort |
|
||
|----------|---------|--------|--------|
|
||
| FAIL | [#] | [Specific remediation step for the failed check] | [Low / Medium / High] |
|
||
| FAIL | [#] | [Specific remediation step for the failed check] | [Low / Medium / High] |
|
||
| WARN | [#] | [Specific remediation step for the warned check] | [Low / Medium / High] |
|
||
| WARN | [#] | [Specific remediation step for the warned check] | [Low / Medium / High] |
|
||
|
||
> If no FAIL or WARN items exist, write: "No recommendations — all automated checks passed."
|
||
|
||
---
|
||
|
||
## Verdict
|
||
|
||
**[Ready for deployment / Nearly ready / Not ready]**
|
||
|
||
- **10/10 PASS:** Ready for deployment — all automated checks passed.
|
||
- **7–9 PASS:** Nearly ready — address the remaining items before deploying.
|
||
- **<7 PASS:** Not ready — significant security gaps remain. Resolve FAIL items before deployment.
|
||
|
||
---
|
||
|
||
## Footer
|
||
|
||
| Field | Value |
|
||
|-------|-------|
|
||
| llm-security version | [e.g. 0.1.0] |
|
||
| Assessment engine | pre-deploy checklist |
|
||
| OWASP references | LLM Top 10 (2025), Agentic AI Top 10 |
|
||
| Full audit command | `/security audit` |
|
||
| Report generated | [ISO 8601 timestamp] |
|
||
|
||
---
|
||
|
||
<!--
|
||
SCORING LOGIC (for agents filling in this template)
|
||
|
||
Score = count of checks with status PASS only.
|
||
WARN and N/A do not count as PASS for scoring purposes.
|
||
FAIL counts against the score.
|
||
|
||
Progress bar fill = round((pass_count / 10) * 10) filled blocks out of 10
|
||
Example: 8 PASS → round((8/10) * 10) = 8 filled blocks → [========--]
|
||
Filled block: = Empty block: -
|
||
|
||
Verdict thresholds:
|
||
10/10 PASS → "Ready for deployment — all automated checks passed."
|
||
7–9 PASS → "Nearly ready — address the remaining items before deploying."
|
||
<7 PASS → "Not ready — significant security gaps remain. Resolve FAIL items before deployment."
|
||
|
||
RECOMMENDATIONS SORTING
|
||
List FAIL items before WARN items, in ascending check number order within each group.
|
||
Omit PASS and N/A checks from the recommendations table entirely.
|
||
Each row must have a specific, actionable remediation step — not a generic instruction.
|
||
|
||
MANUAL VERIFICATION
|
||
Ask questions one at a time using AskUserQuestion.
|
||
Mark checkbox as checked [x] if user confirms yes; leave unchecked [ ] if no or unsure.
|
||
-->
|