feat(prompts): inject security-engineering discipline into codegen#366
Merged
Conversation
Add SECURITY_DISCIPLINE constant (parallel to PROGRESSIVE_EXPLORATION
and EXTERNAL_KNOWLEDGE) and inject it into the generateCodeForFile and
generateModifiedCode system prompts, so the executor codegen layer is
told to avoid the common web vulnerability classes (XSS via unsanitized
innerHTML/dangerouslySetInnerHTML, command/SQL injection, secrets in
client code, unsafe eval/URL/redirect handling) and to fix insecure code
it notices. Includes a reverse constraint to keep security proportionate
to the app and avoid over-engineering trivial UI.
Learned from the Claude Code agentic prompt ("Doing tasks" security
bullet). Prompt-only; no schema, tool routing, executor contract, or
planner changes. Adds prompt-capture tests asserting both codegen system
prompts carry the discipline and key security phrases.
Closes #365
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
代码评审报告: feat(prompts): inject security-engineering discipline into codegen风险等级: 中 级联分析
问题发现模型未返回可结构化的问题发现;已提取可用的决策字段,原始非契约内容未附在评论中。 行级发现
Karpathy 评审
缺失覆盖
|
This was referenced Jun 16, 2026
ceilf6
added a commit
that referenced
this pull request
Jun 21, 2026
#370) Extend buildCodeQualityLlmReviewPrompt's system prompt so the code-quality review sub-agent actively flags common web security vulnerabilities (XSS via unsanitized innerHTML/dangerouslySetInnerHTML, command/SQL injection, secrets hardcoded in client code, unsafe eval/dynamic code or unvalidated URL/redirect handling) alongside the existing SDD-constraint and maintainability dimensions. This is the review-layer counterpart to the codegen security discipline added in #366: generate-safely + review-for-safety defense in depth. Reuses the existing CodeQualityIssue shape (rule "security/<kind>", severity), so no schema or subagent-logic change. Learned from the Claude Code agentic prompt. Closes #369 Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Linked Issue Or Context
Closes #365.
Summary
SECURITY_DISCIPLINEconstant topackages/core/src/llm/prompts.ts, parallel to the existingPROGRESSIVE_EXPLORATION_PROTOCOLandEXTERNAL_KNOWLEDGE_PROTOCOL.generateCodeForFileandgenerateModifiedCode) so generated/modified frontend code avoids the common web vulnerability classes: XSS via unsanitizeddangerouslySetInnerHTML/innerHTML, command/SQL injection, secrets hardcoded into client bundles, and unsafeeval/URL/redirect handling — and so the model fixes insecure code it notices.Learned from the Claude Code agentic prompt's "Doing tasks" security bullet ("Be careful not to introduce security vulnerabilities such as command injection, XSS, SQL injection, and other OWASP top 10 … If you notice that you wrote insecure code, immediately fix it. Prioritize writing safe, secure, and correct code.").
Impact Scope
Prompt-only change in
packages/core/src/llm/prompts.ts(new constant) andpackages/core/src/llm/code-generation.ts(two system-prompt injections), plus focused tests inpackages/core/src/llm/code-generation.test.ts. No schema, tool routing, executor contract, planner, or runtime security-sandbox changes. Planner-side injection and a runtime security lint are explicitly left as follow-ups.GitNexus Impact Summary
impact(generateCodeForFile, upstream)andimpact(generateModifiedCode, upstream)both returned LOW with direct=1, processes_affected=0, modules_affected=1 (Llm). The single direct caller of each is theLLMServicethin wrapper; signatures and return contracts are unchanged (system-prompt string append only).gitnexus detect_changes(scope=unstaged) reported changed_count=2, changed_files=3, affected_count=0, risk_level=low; changed symbols weregenerateCodeForFileandgenerateModifiedCodeonly, with zero affected processes.Verification
pnpm --filter @frontagent/core test -- code-generation.test.ts— 11/11 pass (4 system-prompt tests: 2 external-knowledge + 2 new security).pnpm exec biome checkon the 3 changed files — clean.pnpm quality:precommit(lint + typecheck + test + test:workflows) — green.gitnexus impact(both functions) +gitnexus detect_changes— LOW, 0 affected processes.Checklist