bugsink mcp and claude subagents - documentation and test fixes
All checks were successful
Deploy to Test Environment / deploy-to-test (push) Successful in 19m11s

This commit is contained in:
2026-01-22 11:22:56 -08:00
parent fac98f4c54
commit eae0dbaa8e
15 changed files with 747 additions and 540 deletions


@@ -34,6 +34,7 @@ The security-engineer subagent understands:
### Example Requests
**Security Audit:**
```
"Use security-engineer to audit the user registration and
login flow for security vulnerabilities. Check for common
@@ -42,6 +43,7 @@ management problems."
```
**API Security Review:**
```
"Use security-engineer to review the flyer upload endpoint
for security issues. Consider file type validation, size
@@ -49,6 +51,7 @@ limits, malicious file handling, and authorization."
```
**Vulnerability Assessment:**
```
"Use security-engineer to assess our exposure to the OWASP
Top 10 vulnerabilities. Identify any gaps in our current
@@ -60,6 +63,7 @@ security measures."
The security-engineer subagent uses this checklist:
#### Authentication & Authorization
- [ ] Password hashing with bcrypt (cost factor >= 10)
- [ ] JWT tokens with appropriate expiration
- [ ] Refresh token rotation
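Review bot: "JWT tokens with appropriate expiration" is not a checkable item; the project's own ADR-048 snippet further down pins access tokens to `expiresIn: '15m'`, so state the concrete limits here (access token and refresh token lifetimes) so the subagent has a value to compare against rather than a judgement call. Similarly, "cost factor >= 10" is the commonly cited floor for bcrypt, not a target; if the project uses a higher value, record it so the audit flags regressions.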
@@ -67,23 +71,27 @@ The security-engineer subagent uses this checklist:
- [ ] Role-based access control (RBAC)
#### Input Validation
- [ ] All user input validated with Zod schemas
- [ ] SQL queries use parameterized statements
- [ ] File uploads validated for type and size
- [ ] Path traversal prevention
#### Data Protection
- [ ] Sensitive data encrypted at rest
- [ ] HTTPS enforced in production
- [ ] No secrets in source code
- [ ] Proper error messages (no stack traces to users)
#### Rate Limiting
- [ ] Login attempts limited
- [ ] API endpoints rate limited
- [ ] File upload rate limited
#### Headers & CORS
- [ ] Security headers set (Helmet.js)
- [ ] CORS configured appropriately
- [ ] Content-Security-Policy defined
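Review bot: "File uploads validated for type and size" should say what "type" is checked against; validation that trusts the client-supplied `Content-Type` or the file extension is bypassable, so the item should require content-based detection (magic bytes) plus an allowlist of accepted types. In the same hunk, "CORS configured appropriately" is not something a subagent can verify; spell out the rule (explicit origin allowlist, no `*` when credentials are allowed).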
@@ -91,6 +99,7 @@ The security-engineer subagent uses this checklist:
### Security Patterns in This Project
**Rate Limiting (ADR-032):**
```typescript
// src/config/rateLimiters.ts
export const loginLimiter = rateLimit({
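Review bot: the Rate Limiting pattern only shows `loginLimiter`, but the checklist above also requires file upload rate limiting; add the upload limiter (or a pointer to it in `src/config/rateLimiters.ts`) so the subagent has the project's pattern for that case too.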
@@ -101,6 +110,7 @@ export const loginLimiter = rateLimit({
```
**Input Validation (ADR-003):**
```typescript
// src/middleware/validation.middleware.ts
router.post(
@@ -111,6 +121,7 @@ router.post(
```
**Authentication (ADR-048):**
```typescript
// JWT with refresh tokens
const accessToken = jwt.sign(payload, secret, { expiresIn: '15m' });
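Review bot: the Authentication pattern shows only the `jwt.sign` side; since this snippet is what the subagent will treat as the reference, pair it with the `jwt.verify` call and show the verifier restricting the accepted algorithms (jsonwebtoken's `algorithms` option) so an audit can check that the verification side does not accept whatever `alg` the token claims.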
@@ -158,6 +169,7 @@ mcp__localerrors__list_issues({ project_id: 1 })
### Example Requests
**Production Error Investigation:**
```
"Use log-debug to investigate the spike in 500 errors on the
flyer processing endpoint yesterday. Check Bugsink for error
@@ -165,6 +177,7 @@ patterns and identify the root cause."
```
**Performance Analysis:**
```
"Use log-debug to analyze the slow response times on the deals
page. Check logs for database query timing and identify any
@@ -172,6 +185,7 @@ bottlenecks."
```
**Error Pattern Analysis:**
```
"Use log-debug to identify patterns in the authentication
failures over the past week. Are they coming from specific
@@ -181,6 +195,7 @@ IPs or affecting specific users?"
### Log Analysis Patterns
**Structured Log Format (Pino):**
```json
{
"level": 50,
@@ -200,6 +215,7 @@ IPs or affecting specific users?"
```
**Request Tracing:**
```typescript
// Each request gets a unique ID for tracing
app.use((req, res, next) => {
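Review bot: the Request Tracing middleware comment says each request "gets a unique ID", but the visible lines do not say where it comes from; state whether the ID is generated server-side or taken from an incoming header such as `X-Request-Id`, and if the latter, that it is validated (length and character set) before being logged, since the log-debug subagent is told to correlate on `requestId` and a client-controlled value can poison that correlation or inject into log lines.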
@@ -210,6 +226,7 @@ app.use((req, res, next) => {
```
**Error Correlation:**
- Same `requestId` across all logs for a request
- Same `userId` for user-related errors
- Same `flyerId` for flyer processing errors
@@ -218,25 +235,26 @@ app.use((req, res, next) => {
**Production Bugsink Projects:**
| Project | ID | Purpose |
|---------|-----|---------|
| flyer-crawler-backend | 1 | Backend errors |
| flyer-crawler-frontend | 2 | Frontend errors |
| flyer-crawler-backend-test | 3 | Test backend |
| flyer-crawler-frontend-test | 4 | Test frontend |
| flyer-crawler-infrastructure | 5 | Infra errors |
| Project | ID | Purpose |
| ---------------------------- | --- | --------------- |
| flyer-crawler-backend | 1 | Backend errors |
| flyer-crawler-frontend | 2 | Frontend errors |
| flyer-crawler-backend-test | 3 | Test backend |
| flyer-crawler-frontend-test | 4 | Test frontend |
| flyer-crawler-infrastructure | 5 | Infra errors |
**Accessing Bugsink:**
- Production: https://bugsink.projectium.com
- Dev Container: http://localhost:8000
### Log File Locations
| Environment | Log Path |
|-------------|----------|
| Production | `/var/www/flyer-crawler.projectium.com/logs/app.log` |
| Test | `/var/www/flyer-crawler-test.projectium.com/logs/app.log` |
| Dev Container | `/app/logs/app.log` |
| Environment | Log Path |
| ------------- | --------------------------------------------------------- |
| Production | `/var/www/flyer-crawler.projectium.com/logs/app.log` |
| Test | `/var/www/flyer-crawler-test.projectium.com/logs/app.log` |
| Dev Container | `/app/logs/app.log` |
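Review bot: both table rewrites in this hunk are column-alignment only, with no change to project IDs, URLs or paths, so they are fine to take as-is. One thing worth confirming while the Log File Locations table is being touched: the Production and Test log paths sit under `/var/www/<host>/`, so the doc should note that `logs/` is outside the directory the web server serves (or is denied), since the Pino output carries `requestId`/`userId` and the error details the Bugsink projects are meant to hold.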
## The code-reviewer Subagent
@@ -264,6 +282,7 @@ The code-reviewer subagent understands:
### Example Requests
**Code Review:**
```
"Use code-reviewer to review the changes in the shopping list
feature branch. Check for adherence to project patterns,
@@ -271,6 +290,7 @@ potential bugs, and security issues."
```
**Architecture Review:**
```
"Use code-reviewer to review the proposed changes to the
caching layer. Does it follow our patterns? Are there
@@ -278,6 +298,7 @@ potential issues with cache invalidation?"
```
**Security-Focused Review:**
```
"Use code-reviewer to review the new file upload handling
code with a focus on security. Check for path traversal,
@@ -289,6 +310,7 @@ file type validation, and size limits."
The code-reviewer subagent checks:
#### Code Quality
- [ ] Follows TypeScript strict mode
- [ ] No `any` types without justification
- [ ] Proper error handling
@@ -296,24 +318,28 @@ The code-reviewer subagent checks:
- [ ] Appropriate comments
#### Architecture
- [ ] Follows layer separation (Routes -> Services -> Repositories)
- [ ] Uses correct file naming conventions
- [ ] Repository methods follow naming patterns
- [ ] Transactions used for multi-operation changes
#### Testing
- [ ] New code has corresponding tests
- [ ] Tests follow project patterns
- [ ] Edge cases covered
- [ ] Mocks used appropriately
#### Security
- [ ] Input validation present
- [ ] Authorization checks in place
- [ ] No secrets in code
- [ ] Error messages don't leak information
#### Performance
- [ ] No obvious N+1 queries
- [ ] Appropriate use of caching
- [ ] Large data sets paginated
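Review bot: the code-reviewer Security subsection lists input validation, authorization, secrets and error messages but omits parameterized queries and path-traversal prevention, which the security-engineer checklist earlier in this file does include; since the code-reviewer examples explicitly ask for "Security-Focused Review" of file upload handling, add those two items here so the two checklists do not disagree.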
@@ -325,30 +351,37 @@ The code-reviewer subagent checks:
## Code Review: [Feature/PR Name]
### Summary
Brief overview of the changes reviewed.
### Issues Found
#### Critical
- **[File:Line]** Description of critical issue
- Impact: What could go wrong
- Suggestion: How to fix
#### High Priority
- **[File:Line]** Description
#### Medium Priority
- **[File:Line]** Description
#### Low Priority / Suggestions
- **[File:Line]** Description
### Positive Observations
- Good patterns followed
- Well-tested areas
- Clean implementations
### Recommendations
1. Priority items to address before merge
2. Items for follow-up tickets
```