# Security and Debugging Subagent Guide

This guide covers security and debugging-focused subagents:

- **security-engineer**: Security audits, vulnerability scanning, OWASP, pentesting
- **log-debug**: Production errors, observability, Bugsink/Sentry analysis
- **code-reviewer**: Code quality, security review, best practices

## Quick Reference

| Aspect          | security-engineer                  | log-debug                                | code-reviewer               |
| --------------- | ---------------------------------- | ---------------------------------------- | --------------------------- |
| **Primary Use** | Security audits, OWASP             | Production debugging                     | Code quality review         |
| **Key ADRs**    | ADR-016 (Security), ADR-032 (Rate) | ADR-050 (Observability)                  | ADR-034, ADR-035 (Patterns) |
| **MCP Tools**   | N/A                                | `mcp__bugsink__*`, `mcp__localerrors__*` | N/A                         |
| **Key Checks**  | Auth, input validation, CORS       | Logs, stacktraces, error patterns        | Patterns, tests, security   |
| **Delegate To** | `coder` (fix issues)               | `devops` (infra), `coder` (fixes)        | `coder`, `testwriter`       |

## The security-engineer Subagent

### When to Use

Use the **security-engineer** subagent when you need to:

- Conduct security audits of code or features
- Review authentication/authorization flows
- Identify vulnerabilities (OWASP Top 10)
- Review API security
- Assess data protection measures
- Plan security improvements

### What security-engineer Knows

The security-engineer subagent understands:

- OWASP Top 10 vulnerabilities
- Node.js/Express security best practices
- JWT authentication security
- SQL injection prevention
- XSS and CSRF protection
- Rate limiting strategies (ADR-032)
- API security hardening (ADR-016)

### Example Requests

**Security Audit:**

```
"Use security-engineer to audit the user registration and
login flow for security vulnerabilities. Check for common
issues like credential stuffing, brute force, and session
management problems."
```

**API Security Review:**

```
"Use security-engineer to review the flyer upload endpoint
for security issues. Consider file type validation, size
limits, malicious file handling, and authorization."
```

**Vulnerability Assessment:**

```
"Use security-engineer to assess our exposure to the OWASP
Top 10 vulnerabilities. Identify any gaps in our current
security measures."
```

### Security Checklist

The security-engineer subagent uses this checklist:

#### Authentication & Authorization

- [ ] Password hashing with bcrypt (cost factor >= 10)
- [ ] JWT tokens with appropriate expiration
- [ ] Refresh token rotation
- [ ] Session invalidation on password change
- [ ] Role-based access control (RBAC)

#### Input Validation

- [ ] All user input validated with Zod schemas
- [ ] SQL queries use parameterized statements
- [ ] File uploads validated for type and size
- [ ] Path traversal prevention

#### Data Protection

- [ ] Sensitive data encrypted at rest
- [ ] HTTPS enforced in production
- [ ] No secrets in source code
- [ ] Proper error messages (no stack traces to users)

#### Rate Limiting

- [ ] Login attempts limited
- [ ] API endpoints rate limited
- [ ] File upload rate limited

#### Headers & CORS

- [ ] Security headers set (Helmet.js)
- [ ] CORS configured appropriately
- [ ] Content-Security-Policy defined

### Security Patterns in This Project

**Rate Limiting (ADR-032):**

```typescript
// src/config/rateLimiters.ts
export const loginLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5, // 5 attempts per window
  message: 'Too many login attempts',
});
```

**Input Validation (ADR-003):**

```typescript
// src/middleware/validation.middleware.ts
router.post(
  '/register',
  validateRequest(registerSchema),
  async (req, res, next) => { ... }
);
```

**Authentication (ADR-048):**

```typescript
// JWT with refresh tokens
const accessToken = jwt.sign(payload, secret, { expiresIn: '15m' });
const refreshToken = jwt.sign({ userId }, refreshSecret, { expiresIn: '7d' });
```

## The log-debug Subagent

### When to Use

Use the **log-debug** subagent when you need to:

- Debug production errors
- Analyze Bugsink/Sentry error reports
- Investigate performance issues
- Trace request flows through logs
- Identify patterns in error occurrences

### What log-debug Knows

The log-debug subagent understands:

- Pino structured logging
- Bugsink/Sentry error tracking
- Log aggregation with Logstash
- PostgreSQL function observability (ADR-050)
- Request tracing patterns
- Error correlation

### MCP Tools for Debugging

The log-debug subagent can use MCP tools to access error tracking:

```
// Check Bugsink for production errors
mcp__bugsink__list_projects()
mcp__bugsink__list_issues({ project_id: 1 })
mcp__bugsink__get_event({ event_id: "..." })
mcp__bugsink__get_stacktrace({ event_id: "..." })

// Check local dev errors
mcp__localerrors__list_issues({ project_id: 1 })
```

### Example Requests

**Production Error Investigation:**

```
"Use log-debug to investigate the spike in 500 errors on the
flyer processing endpoint yesterday. Check Bugsink for error
patterns and identify the root cause."
```

**Performance Analysis:**

```
"Use log-debug to analyze the slow response times on the deals
page. Check logs for database query timing and identify any
bottlenecks."
```

**Error Pattern Analysis:**

```
"Use log-debug to identify patterns in the authentication
failures over the past week. Are they coming from specific
IPs or affecting specific users?"
```

### Log Analysis Patterns

**Structured Log Format (Pino):**

```json
{
  "level": 50,
  "time": 1704067200000,
  "pid": 1234,
  "hostname": "server1",
  "module": "flyerService",
  "requestId": "abc-123",
  "userId": "user-456",
  "msg": "Flyer processing failed",
  "err": {
    "type": "AIExtractionError",
    "message": "Rate limit exceeded",
    "stack": "..."
  }
}
```

**Request Tracing:**

```typescript
// Each request gets a unique ID for tracing
app.use((req, res, next) => {
  req.requestId = crypto.randomUUID();
  req.log = logger.child({ requestId: req.requestId });
  next();
});
```

**Error Correlation:**

- Same `requestId` across all logs for a request
- Same `userId` for user-related errors
- Same `flyerId` for flyer processing errors

### Bugsink Error Tracking

**Production Bugsink Projects:**

| Project                      | ID  | Purpose         |
| ---------------------------- | --- | --------------- |
| flyer-crawler-backend        | 1   | Backend errors  |
| flyer-crawler-frontend       | 2   | Frontend errors |
| flyer-crawler-backend-test   | 3   | Test backend    |
| flyer-crawler-frontend-test  | 4   | Test frontend   |
| flyer-crawler-infrastructure | 5   | Infra errors    |

**Accessing Bugsink:**

- Production: https://bugsink.projectium.com
- Dev Container: http://localhost:8000

### Log File Locations

| Environment   | Log Path                                                  |
| ------------- | --------------------------------------------------------- |
| Production    | `/var/www/flyer-crawler.projectium.com/logs/app.log`      |
| Test          | `/var/www/flyer-crawler-test.projectium.com/logs/app.log` |
| Dev Container | `/app/logs/app.log`                                       |

## The code-reviewer Subagent

### When to Use

Use the **code-reviewer** subagent when you need to:

- Review code quality before merging
- Identify potential issues in implementations
- Check adherence to project patterns
- Review security implications
- Assess test coverage

### What code-reviewer Knows

The code-reviewer subagent understands:

- Project architecture patterns (ADRs)
- Repository pattern standards (ADR-034)
- Service layer architecture (ADR-035)
- Testing standards (ADR-010)
- TypeScript best practices
- Security considerations

### Example Requests

**Code Review:**

```
"Use code-reviewer to review the changes in the shopping list
feature branch. Check for adherence to project patterns,
potential bugs, and security issues."
```

**Architecture Review:**

```
"Use code-reviewer to review the proposed changes to the
caching layer. Does it follow our patterns? Are there
potential issues with cache invalidation?"
```

**Security-Focused Review:**

```
"Use code-reviewer to review the new file upload handling
code with a focus on security. Check for path traversal,
file type validation, and size limits."
```

### Code Review Checklist

The code-reviewer subagent checks:

#### Code Quality

- [ ] Follows TypeScript strict mode
- [ ] No `any` types without justification
- [ ] Proper error handling
- [ ] Meaningful variable names
- [ ] Appropriate comments

#### Architecture

- [ ] Follows layer separation (Routes -> Services -> Repositories)
- [ ] Uses correct file naming conventions
- [ ] Repository methods follow naming patterns
- [ ] Transactions used for multi-operation changes

#### Testing

- [ ] New code has corresponding tests
- [ ] Tests follow project patterns
- [ ] Edge cases covered
- [ ] Mocks used appropriately

#### Security

- [ ] Input validation present
- [ ] Authorization checks in place
- [ ] No secrets in code
- [ ] Error messages don't leak information

#### Performance

- [ ] No obvious N+1 queries
- [ ] Appropriate use of caching
- [ ] Large data sets paginated
- [ ] Expensive operations async/queued

### Review Output Format

```markdown
## Code Review: [Feature/PR Name]

### Summary

Brief overview of the changes reviewed.

### Issues Found

#### Critical

- **[File:Line]** Description of critical issue
  - Impact: What could go wrong
  - Suggestion: How to fix

#### High Priority

- **[File:Line]** Description

#### Medium Priority

- **[File:Line]** Description

#### Low Priority / Suggestions

- **[File:Line]** Description

### Positive Observations

- Good patterns followed
- Well-tested areas
- Clean implementations

### Recommendations

1. Priority items to address before merge
2. Items for follow-up tickets
```

## Debugging Workflow

### 1. Error Investigation

```
1. Identify the error in Bugsink
   mcp__bugsink__list_issues({ project_id: 1, status: "unresolved" })

2. Get error details
   mcp__bugsink__get_issue({ issue_id: "..." })

3. Get full stacktrace
   mcp__bugsink__get_stacktrace({ event_id: "..." })

4. Check for patterns across events
   mcp__bugsink__list_events({ issue_id: "..." })
```

### 2. Log Correlation

```bash
# Find related logs by request ID
grep "requestId\":\"abc-123\"" /var/www/flyer-crawler.projectium.com/logs/app.log

# Find all errors in a time range
jq 'select(.level >= 50 and .time >= 1704067200000)' app.log
```

### 3. Database Query Analysis

```bash
# Check slow query log
tail -f /var/log/postgresql/postgresql-$(date +%Y-%m-%d).log | grep "duration:"
```

### 4. Root Cause Analysis

- Correlate error timing with deployments
- Check for resource constraints (memory, connections)
- Review recent code changes
- Check external service status

## Related Documentation

- [OVERVIEW.md](./OVERVIEW.md) - Subagent system overview
- [DEVOPS-GUIDE.md](./DEVOPS-GUIDE.md) - Infrastructure debugging
- [TESTER-GUIDE.md](./TESTER-GUIDE.md) - Security testing
- [../adr/0016-api-security-hardening.md](../adr/0016-api-security-hardening.md) - Security ADR
- [../adr/0032-rate-limiting-strategy.md](../adr/0032-rate-limiting-strategy.md) - Rate limiting
- [../adr/0015-error-tracking-and-observability.md](../adr/0015-error-tracking-and-observability.md) - Monitoring ADR
- [../adr/0050-postgresql-function-observability.md](../adr/0050-postgresql-function-observability.md) - Database observability
- [../operations/BARE-METAL-SETUP.md](../operations/BARE-METAL-SETUP.md) - Production setup
- [../tools/BUGSINK-SETUP.md](../tools/BUGSINK-SETUP.md) - Bugsink configuration