Skip to content

feat(prompts): inject security-engineering discipline into codegen#366

Merged
ceilf6 merged 1 commit into
developfrom
improve/codegen-security-discipline
Jun 16, 2026
Merged

feat(prompts): inject security-engineering discipline into codegen#366
ceilf6 merged 1 commit into
developfrom
improve/codegen-security-discipline

Conversation

@ceilf6

@ceilf6 ceilf6 commented Jun 16, 2026

Copy link
Copy Markdown
Owner

Linked Issue Or Context

Closes #365.

Summary

  • Adds a SECURITY_DISCIPLINE constant to packages/core/src/llm/prompts.ts, parallel to the existing PROGRESSIVE_EXPLORATION_PROTOCOL and EXTERNAL_KNOWLEDGE_PROTOCOL.
  • Injects it into both executor codegen system prompts (generateCodeForFile and generateModifiedCode) so generated/modified frontend code avoids the common web vulnerability classes: XSS via unsanitized dangerouslySetInnerHTML/innerHTML, command/SQL injection, secrets hardcoded into client bundles, and unsafe eval/URL/redirect handling — and so the model fixes insecure code it notices.
  • Includes a reverse constraint: keep security proportionate to the app, no over-engineered security boilerplate for trivial/demo UI.
  • Adds focused prompt-capture tests asserting both codegen system prompts carry the discipline plus key security phrases and the reverse-constraint phrase (mirroring the feat(prompts): inject external knowledge into codegen #364 external-knowledge test pattern).

Learned from the Claude Code agentic prompt's "Doing tasks" security bullet ("Be careful not to introduce security vulnerabilities such as command injection, XSS, SQL injection, and other OWASP top 10 … If you notice that you wrote insecure code, immediately fix it. Prioritize writing safe, secure, and correct code.").

Impact Scope

Prompt-only change in packages/core/src/llm/prompts.ts (new constant) and packages/core/src/llm/code-generation.ts (two system-prompt injections), plus focused tests in packages/core/src/llm/code-generation.test.ts. No schema, tool routing, executor contract, planner, or runtime security-sandbox changes. Planner-side injection and a runtime security lint are explicitly left as follow-ups.

GitNexus Impact Summary

  • Risk level: LOW
  • Critical skeleton changes: none
  • GitNexus impact: impact(generateCodeForFile, upstream) and impact(generateModifiedCode, upstream) both returned LOW with direct=1, processes_affected=0, modules_affected=1 (Llm). The single direct caller of each is the LLMService thin wrapper; signatures and return contracts are unchanged (system-prompt string append only).
  • Verification: gitnexus detect_changes (scope=unstaged) reported changed_count=2, changed_files=3, affected_count=0, risk_level=low; changed symbols were generateCodeForFile and generateModifiedCode only, with zero affected processes.

Verification

  • pnpm --filter @frontagent/core test -- code-generation.test.ts — 11/11 pass (4 system-prompt tests: 2 external-knowledge + 2 new security).
  • pnpm exec biome check on the 3 changed files — clean.
  • pnpm quality:precommit (lint + typecheck + test + test:workflows) — green.
  • gitnexus impact (both functions) + gitnexus detect_changes — LOW, 0 affected processes.

Checklist

  • I have linked an issue or explained why this PR stands alone.
  • I have kept the diff focused on the stated change.
  • I have run pnpm quality:precommit, or explained why it could not run.
  • I have run pnpm quality:local for critical skeleton changes, or explained why it could not run. (Prompt-only, non-critical; precommit + GitNexus impact/detect_changes cover it.)
  • I have updated docs or tests when behavior, public APIs, or Harness contracts changed.
  • For critical skeleton changes, I have filled the GitNexus impact summary with concrete results.

Add SECURITY_DISCIPLINE constant (parallel to PROGRESSIVE_EXPLORATION
and EXTERNAL_KNOWLEDGE) and inject it into the generateCodeForFile and
generateModifiedCode system prompts, so the executor codegen layer is
told to avoid the common web vulnerability classes (XSS via unsanitized
innerHTML/dangerouslySetInnerHTML, command/SQL injection, secrets in
client code, unsafe eval/URL/redirect handling) and to fix insecure code
it notices. Includes a reverse constraint to keep security proportionate
to the app and avoid over-engineering trivial UI.

Learned from the Claude Code agentic prompt ("Doing tasks" security
bullet). Prompt-only; no schema, tool routing, executor contract, or
planner changes. Adds prompt-capture tests asserting both codegen system
prompts carry the discipline and key security phrases.

Closes #365

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown

🛡️ ceilf6/repo-guard

代码评审报告: feat(prompts): inject security-engineering discipline into codegen

风险等级:
处理建议: 批准
决策摘要: ** 可以合并;变更按 Issue #365 的最小 prompt-only 范围完成,两个 codegen system prompt 均复用注入同一安全纪律常量,并有针对性 prompt-capture 测试覆盖。

级联分析

  • 变更符号: 原始模型未提供结构化级联字段。
  • 受影响流程: 原始模型未提供结构化级联字段。
  • 变更集外调用方: unknown
  • 置信度: degraded

问题发现

模型未返回可结构化的问题发现;已提取可用的决策字段,原始非契约内容未附在评论中。

行级发现

  • 无明确变更行归属。

Karpathy 评审

  • 假设: 模型输出需要归一化为固定 Markdown 契约。
  • 简洁性: 已提取 summary、finding、evidence 与 fix;原始 prose 不再附在评论中,避免占用下游解析与代理上下文。
  • 变更范围: 原始模型未提供结构化范围字段。
  • 验证: 需要查看 CI、测试或人工 CR 证据补强合并信心。

缺失覆盖

  • 输出未命中 Repo Guard Markdown 契约;建议补充真实模型质量评估覆盖。

@ceilf6 ceilf6 merged commit df8b12e into develop Jun 16, 2026
7 checks passed
@ceilf6 ceilf6 deleted the improve/codegen-security-discipline branch June 16, 2026 09:41
ceilf6 added a commit that referenced this pull request Jun 21, 2026
#370)

Extend buildCodeQualityLlmReviewPrompt's system prompt so the code-quality
review sub-agent actively flags common web security vulnerabilities (XSS via
unsanitized innerHTML/dangerouslySetInnerHTML, command/SQL injection, secrets
hardcoded in client code, unsafe eval/dynamic code or unvalidated URL/redirect
handling) alongside the existing SDD-constraint and maintainability dimensions.

This is the review-layer counterpart to the codegen security discipline added
in #366: generate-safely + review-for-safety defense in depth. Reuses the
existing CodeQualityIssue shape (rule "security/<kind>", severity), so no schema
or subagent-logic change. Learned from the Claude Code agentic prompt.

Closes #369

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(prompts): inject security-engineering discipline into code-generation prompts (learned from Claude Code agentic prompt)

1 participant