--- name: nexus-security-review description: Use when reviewing or changing Nexus backend/API/security-sensitive code. Focuses on FastAPI admin APIs, SQLAlchemy data access, SSH operations, file manager boundaries, logging redaction, and regression tests. --- # Nexus Security Review Use this skill before changing Nexus backend/API code or doing a security pass. ## Required workflow 1. Identify entrypoints: FastAPI router, service method, DB model/session, Redis/lock usage, SSH/BT panel call. 2. Draw the request path in notes: API -> schema -> service -> DB/Redis/SSH/external. 3. Check auth first: admin-only endpoints must depend on the current admin dependency; background/admin tools must still preserve audit logs. 4. Validate every user-controlled value at the schema/API boundary and again before shell/path-sensitive sinks. 5. For every fix, add pytest coverage for the dangerous case and the allowed case. 6. Run focused tests, then full pytest when practical, then git diff --check. 7. Update the Nexus Markdown report with changed files, tests, and residual risks. ## Nexus-specific rules - Do not print secrets: passwords, SSH keys, tokens, cookies, API keys, .env values, BT panel credentials. - script_service is an intentional administrator remote shell. Do not report arbitrary shell execution there as a vulnerability. Review only auth, audit trail, timeout, output truncation, and redaction. - File manager APIs must not unexpectedly operate outside the target path/server chosen by the admin UI. - Any remote shell command must use shlex.quote; add -- where command options can be confused with filenames. - Archive extraction must list and validate members before extraction; reject absolute paths, .., backslashes, and special file types. - Error responses must not expose stack traces or secrets. - DB access should use SQLAlchemy parameters/query builder, not raw string interpolation. ## Review output For each finding record: - Severity: Critical/High/Medium/Low/Hardening - Call chain - Evidence file/function - Exploit or failure boundary - Fix summary - Test command/result - Commit hash if committed