Skip to content

Add /sweep-security command#1193

Merged
brendancol merged 1 commit into
masterfrom
add-sweep-security-command
Apr 14, 2026
Merged

Add /sweep-security command#1193
brendancol merged 1 commit into
masterfrom
add-sweep-security-command

Conversation

@brendancol
Copy link
Copy Markdown
Contributor

@brendancol brendancol commented Apr 13, 2026

Summary

  • New /sweep-security slash command that audits xrspatial modules for security vulnerabilities specific to numeric/GPU raster libraries
  • Scores modules by security-relevant metadata (CUDA kernels, file I/O, dimension-based allocations, shared memory, numba JIT) and dispatches parallel worktree-isolated subagents for the top N
  • Covers 6 audit categories: unbounded allocation/DoS, integer overflow in index math, NaN/Inf logic errors, GPU kernel bounds safety, file path injection, and dtype confusion
  • 4-tier severity (CRITICAL/HIGH/MEDIUM/LOW); CRITICAL and HIGH issues get fixed via /rockout, MEDIUM/LOW are documented only
  • Follows the same single-phase structure as /sweep-accuracy: gather metadata, score, dispatch, subagents update state file directly

Initial sweep run found and fixed 4 issues across geotiff and reproject (#1184, #1185, #1186, #1187 -- PRs #1188, #1189). The hydro subpackage came back clean at HIGH+ severity.

Test plan

  • Run /sweep-security --top 1 and verify a single subagent launches
  • Run /sweep-security --only-io --top 1 and verify geotiff gets audited
  • Verify .claude/security-sweep-state.json is created with correct schema after a run
  • Run /sweep-security --reset-state and verify state file is deleted

@brendancol
Add /sweep-security command for security vulnerability audits
dda2a5a 
New slash command that audits xrspatial modules for security issues
specific to numeric/GPU raster libraries. Dispatches parallel subagents
to check 6 categories: unbounded allocations, integer overflow in
index math, NaN/Inf logic errors, GPU kernel bounds safety, file path
injection, and dtype confusion.

Follows the same single-phase pattern as /sweep-accuracy: score modules
by security-relevant metadata (CUDA kernels, file I/O, allocations from
dimensions), dispatch worktree-isolated subagents for the top N, and
fix CRITICAL/HIGH issues via /rockout.
@github-actions github-actions Bot added the performance PR touches performance-sensitive code label Apr 13, 2026
@brendancol brendancol merged commit 476e0c5 into master Apr 14, 2026
11 checks passed
@brendancol brendancol deleted the add-sweep-security-command branch May 5, 2026 03:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

performance PR touches performance-sensitive code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@brendancol