local-review-harness/docs/SELF_REVIEW_2026-04-30.md

# Scrum Test — local-review-harness-full-md
> **Self-review snapshot** — captured 2026-04-30 against commit `f3ee472` (Phase A + B MVP).
> Re-run with `./review-harness scrum .` for live numbers.
>
> The 3 critical findings below are from `tests/fixtures/insecure-repo/` — planted on
> purpose to prove the secret-pattern + env-file analyzers fire. Real codebase secrets
> would land in the same shape; operators dismiss fixture content as known-intentional.


**Generated:** 2026-04-30T05:55:10.657498039Z
**Branch:** (no git) · **Commit:** —

## Verdict

**blocked** — critical-severity finding present. See Confirmed Risks; rotate any leaked credentials, then re-run.

## Evidence

- repo path: `/home/profit/share/local-review-harness-full-md`
- file count: 36
- languages: Go (18), Markdown (7), TypeScript (2), YAML (2), JSON (1)
- dependency manifests: 3 (go.mod, go.sum, tests/fixtures/clean-repo/package.json)
- test files/dirs: 9
- LLM review: **skipped** (Phase C not implemented OR provider unavailable; see model-doctor.json)

## Confirmed Risks

| Severity | File:Line | Title | Evidence |
|---|---|---|---|
| high | `tests/fixtures/insecure-repo/.env` | Environment file in source tree | `filename=.env` |

## Suspected Risks

Each entry is a static-scan regex hit awaiting validation (Phase D / LLM cross-check).

| Severity | File:Line | Title | Evidence |
|---|---|---|---|
| critical | `tests/fixtures/insecure-repo/src/handler.go:23` | Possible secret committed to source | `const API_KEY = "sk-1234567890abcdefABCDEFGHIJKLMNOPQRSTUV"` |
| critical | `tests/fixtures/insecure-repo/src/handler.go:23` | Possible secret committed to source | `const API_KEY = "sk-1234567890abcdefABCDEFGHIJKLMNOPQRSTUV"` |
| critical | `tests/fixtures/insecure-repo/src/server.js:5` | Possible secret committed to source | `const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";` |
| high | `PROMPT.md:419` | Shell command execution | `- `exec(`` |
| high | `PROMPT.md:420` | Shell command execution | `- `spawn(`` |
| high | `PROMPT.md:421` | Shell command execution | `- `Command::new`` |
| high | `PROMPT.md:423` | Raw SQL interpolation | `- `format!("SELECT`` |
| high | `PROMPT.md:429` | Wildcard CORS | `- `Access-Control-Allow-Origin: *`` |
| high | `internal/analyzers/checks.go:101` | Shell command execution | ``Command::new\|` + // Rust` |
| high | `internal/analyzers/checks.go:140` | Raw SQL interpolation | `rawSQLFmtRe = regexp.MustCompile(`(?i)(?:format!\|fmt\.Sprintf\|String::from\|f"\|f')[^\n]{0,80}?(?:SELECT\|INSERT\|UPDA…` |
| high | `internal/analyzers/checks.go:143` | Raw SQL interpolation | `rawSQLConcatRe = regexp.MustCompile(`(?i)(?:SELECT\|INSERT\|UPDATE\|DELETE)\b[^\n]{0,40}(?:\+\s*\w\|%s\|%v\|\$\{\|` + "`…` |
| high | `internal/analyzers/checks.go:177` | Wildcard CORS | `// styles: Express's res.setHeader("Access-Control-Allow-Origin", "*"),` |
| high | `internal/analyzers/checks.go:180` | Wildcard CORS | `var corsAnyRe = regexp.MustCompile(`Access-Control-Allow-Origin[^\n]{0,40}\*`)` |
| high | `internal/analyzers/checks.go:194` | Wildcard CORS | `Reason:   "Access-Control-Allow-Origin: * permits cross-origin reads from any domain. Narrow to an explicit allowlist un…` |
| high | `internal/analyzers/checks.go:89` | Shell command execution | `// === 2. shell execution (exec, spawn, Command::new, subprocess) ===` |
| high | `tests/fixtures/insecure-repo/src/handler.go:14` | Raw SQL interpolation | `q := fmt.Sprintf("SELECT * FROM users WHERE name = '%s'", name)` |
| high | `tests/fixtures/insecure-repo/src/handler.go:19` | Shell command execution | `exec.Command("bash", "-c", cmd).Run()` |
| high | `tests/fixtures/insecure-repo/src/server.js:2` | Wildcard CORS | `res.setHeader("Access-Control-Allow-Origin", "*");` |
| medium | `review-harness:1-18860` | Large file | `18860 lines (limit: 800)` |
| medium | `tests/fixtures/insecure-repo/src/handler.go:10` | Hardcoded absolute path | `const HARDCODED_PATH = "/home/profit/secrets/key.pem"` |
| medium | `tests/fixtures/insecure-repo/src/handler.go:11` | Hardcoded private-network IP | `const SERVER_IP = "192.168.1.176"` |
| medium | `tests/fixtures/insecure-repo/src/huge.go:1-901` | Large file | `901 lines (limit: 800)` |
| medium | `tests/fixtures/insecure-repo/src/server.js:7` | Mutation route in file with no visible auth | `app.post("/api/users", function(req, res) { /* no auth */ });` |
| medium | `tests/fixtures/insecure-repo/src/server.js:8` | Mutation route in file with no visible auth | `app.delete("/api/admin", function(req, res) { /* no auth */ });` |
| low | `tests/fixtures/insecure-repo/src/handler.go:22` | TODO/FIXME comment | `// FIXME: hardcoded creds` |
| low | `tests/fixtures/insecure-repo/src/handler.go:9` | TODO/FIXME comment | `// TODO: rotate this and move to env` |
| low | `tests/fixtures/insecure-repo/src/server.js:1` | TODO/FIXME comment | `// HACK: open CORS for now` |

## Blocked Checks

- LLM review (Phase 2 in REVIEW_PIPELINE.md). Reason: provider unavailable or stub. Next command: `review-harness model doctor`

## Sprint Backlog

**Sprint 0 — Reproducibility Gate**

- Wire `just verify` (or equivalent) to run the static checks before every commit/PR.
- Add a CI step that fails on `critical` findings.
- Triage the 28 findings emitted by this run; mark each as accepted / blocking / dismiss-with-reason.

**Sprint 1 — Trust Boundary Gate**

- Resolve every `critical` and `high` finding before non-loopback deploy.
- Confirm auth posture for any mutation endpoint flagged as exposed.
- Replace raw SQL interpolation with parameterized queries.

**Sprint 2 — Memory Correctness Gate**

- (Phase E) Wire append-only `.memory/` writes for known-risks + fixed-patterns.
- Add a regression test that re-runs the harness and asserts no regression in confirmed-finding count.

**Sprint 3 — Agent Loop Reality Gate**

- (Phase C) Wire local-Ollama LLM review.
- (Phase D) Validator pass cross-checks every LLM finding against repo evidence.

**Sprint 4 — Deployment Gate**

- Ship the harness as a single static binary (`go build -o review-harness`).
- Document operator runbook (model setup, profile editing, output retention).

## Acceptance Gates

Each gate must be testable. Format: command + verifiable post-condition.

1. **Reproducibility:** `review-harness repo .` exits 0; `reports/latest/repo-intake.json` exists with non-zero `file_count`.
2. **No false positives on a clean fixture:** `review-harness repo tests/fixtures/clean-repo` produces zero `confirmed` findings.
3. **Every documented static check fires on the insecure fixture:** `jq '[.findings[] | .check_id] | unique | length' reports/latest/static-findings.json` ≥ 8.
4. **Receipts are honest about degraded phases:** `jq '[.phases[] | select(.status == "degraded")]' reports/latest/receipts.json` lists every skipped/stubbed phase.
5. **Critical findings block production deploy:** at least one critical finding is currently present; resolve before deploy.

## Next Commands

1. Open the risk register: `cat reports/latest/risk-register.md`
2. Triage every `critical` finding; rotate any leaked credentials immediately.
- Probe the model provider: `review-harness model doctor`
- Re-run after fixes: `review-harness repo /home/profit/share/local-review-harness-full-md`
- Generate the full Scrum bundle: `review-harness scrum /home/profit/share/local-review-harness-full-md`