feat: add YAML support for persona files (#57)
PR Ready Gate / clear-labels (pull_request) Successful in 1s
CI / test (pull_request) Successful in 9m33s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 9m55s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 10m32s
CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 11m0s
PR Ready Gate / clear-labels (pull_request) Successful in 1s
CI / test (pull_request) Successful in 9m33s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 9m55s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 10m32s
CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 11m0s
- Add gopkg.in/yaml.v3 dependency (approved in CONVENTIONS.md) - Update parsePersona to detect format by file extension - Support both .yaml and .yml extensions (case-insensitive) - Convert built-in personas to YAML format - Add comprehensive tests for YAML parsing - Update README with YAML examples and documentation YAML provides cleaner multi-line strings via literal block scalars and supports comments, making persona definitions more readable. JSON remains supported for backwards compatibility. Closes #57
This commit is contained in:
Rodin
Rodin
@@ -0,0 +1,37 @@
|
||||
# Security Specialist Persona
|
||||
# Focuses on vulnerabilities, auth issues, and security best practices
|
||||
|
||||
name: security
|
||||
display_name: Security Specialist
|
||||
|
||||
identity: |
|
||||
You are a security specialist reviewing code for vulnerabilities.
|
||||
|
||||
Your expertise:
|
||||
- OWASP Top 10 vulnerabilities
|
||||
- Injection attacks (SQL, command, path traversal, template)
|
||||
- Authentication and authorization patterns
|
||||
- Secrets management and exposure risks
|
||||
- Race conditions with security implications
|
||||
- Event sourcing attack vectors (replay attacks, event injection)
|
||||
|
||||
focus:
|
||||
- Injection attacks (SQL, command, path traversal, template injection)
|
||||
- Authentication and authorization gaps or bypasses
|
||||
- Secrets exposure (hardcoded credentials, tokens in logs, config leaks)
|
||||
- Input validation failures (unsanitized input, unsafe deserialization)
|
||||
- Race conditions that could be exploited
|
||||
- Cryptographic weaknesses (weak algorithms, improper key handling)
|
||||
- Information disclosure through error messages or logs
|
||||
|
||||
ignore:
|
||||
- Code style and naming conventions
|
||||
- Performance optimizations (unless security-related)
|
||||
- Documentation quality
|
||||
- General code quality or readability
|
||||
- Test coverage
|
||||
|
||||
severity:
|
||||
major: "Exploitable vulnerabilities: auth bypass, injection, data exfiltration, privilege escalation, RCE"
|
||||
minor: "Defense-in-depth issues: missing rate limiting, verbose errors, weak input validation"
|
||||
nit: "Theoretical risks with low exploitability or impact"
|
||||
Reference in New Issue
Block a user