/gaia-review-security
user-facing
What it does
Performs an OWASP-focused security review: OWASP Top 10 scan, hardcoded secrets and API key detection, and authentication/authorization pattern review. Cross-references the threat model when available.
When to use it
- Code or a document needs security review. Works on stories in review status or as an anytime review on any target.
Prerequisites
- Story must be in review status (for story-based reviews). The story file must exist under .gaia/artifacts/implementation-artifacts/.
How to invoke
/gaia-review-security E3-S7
What it does step by step
- Resolve target Locates the story file or review target.
- Run deterministic analysis Executes per-stack tooling to collect evidence.
- Apply LLM judgment Performs semantic review on top of the deterministic evidence.
- Compute verdict The verdict (APPROVE, REQUEST_CHANGES, or BLOCKED) is computed by the verdict resolver -- the LLM does not determine the verdict.
- Update Review Gate Records the verdict in the story's Review Gate table.
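The split between steps 2 and 4 is the security-relevant design point: the evidence is collected by deterministic tooling and the verdict is a function of that evidence, so the LLM can neither invent nor waive a finding. The following is an added illustration of that split, not the command's own scanner or resolver: a small hardcoded-secret detector (one of the deterministic checks the review performs) run over a constructed source file, with a hypothetical verdict policy (any critical finding gives REQUEST_CHANGES, BLOCKED is reserved for a failed analysis run, everything else is APPROVE). The rule set, severities, thresholds, and the verdict-to-gate mapping are assumptions for the example.

```python
"""Added example: deterministic secret scan feeding a verdict resolver.

Not the project's own implementation; rule set, severities and the
verdict policy below are assumptions chosen for illustration.
"""
import math
import re
from dataclasses import dataclass

# (rule id, severity, pattern). secret-assignment captures the literal value.
RULES = [
    ("aws-access-key-id", "critical",
     re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private-key-block", "critical",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("secret-assignment", "critical",
     re.compile(r"(?i)\b\w*(?:api[_-]?key|secret|token|password|passwd)\w*"
                r"['\"]?\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]
# Values that are obviously not a live credential: still flagged, but as a warning.
PLACEHOLDERS = re.compile(
    r"(?i)^(changeme|example|placeholder|dummy|x{3,}|<[^>]*>|\$\{[^}]*\}|your[_-]?\w*)$")
# Long opaque strings with no name cue: handed to semantic review as a suggestion.
OPAQUE_TOKEN = re.compile(r"\b[A-Za-z0-9+/]{32,}\b")
ENTROPY_THRESHOLD = 3.5  # bits per character; random hex sits around 3.6-4.0


@dataclass
class Finding:
    rule: str
    severity: str
    line: int
    snippet: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(source: str) -> list:
    """Deterministic pass: every finding is traceable to a rule and a line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        matched = False
        for rule, severity, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            matched = True
            if rule == "secret-assignment" and PLACEHOLDERS.match(m.group(1)):
                severity = "warning"  # placeholder: not a leaked credential
            findings.append(Finding(rule, severity, lineno, line.strip()))
        if matched:
            continue
        # No named rule fired: look for high-entropy opaque strings with digits.
        for tok in OPAQUE_TOKEN.findall(line):
            if any(ch.isdigit() for ch in tok) and shannon_entropy(tok) > ENTROPY_THRESHOLD:
                findings.append(Finding("high-entropy-string", "suggestion", lineno, line.strip()))
                break
    return findings


def resolve_verdict(findings: list, analysis_ok: bool = True) -> str:
    """Assumed policy: the verdict is computed from evidence, never from the LLM."""
    if not analysis_ok:
        return "BLOCKED"
    if any(f.severity == "critical" for f in findings):
        return "REQUEST_CHANGES"
    return "APPROVE"


def gate_status(verdict: str) -> str:
    """Assumed mapping of the three-valued verdict onto the binary Review Gate row."""
    return "PASSED" if verdict == "APPROVE" else "FAILED"


def summary(findings: list) -> str:
    c = {s: sum(1 for f in findings if f.severity == s)
         for s in ("critical", "warning", "suggestion")}
    return f"{c['critical']} critical, {c['warning']} warning, {c['suggestion']} suggestions."


# Constructed sample source under review (not real credentials).
SAMPLE = """import os
DB_PASSWORD = "<set-in-vault>"
AWS_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "sk-live-0f3e2a8c91b4d7e6"
SIGNING_SALT = "9f86d081884c7d659a2feaa0c55ad015"
token = os.environ["SERVICE_TOKEN"]
"""

if __name__ == "__main__":
    found = scan(SAMPLE)
    for f in found:
        print(f"{f.severity:10} L{f.line} {f.rule}: {f.snippet}")
    verdict = resolve_verdict(found)
    print("Verdict:", verdict)
    print("Review Gate updated:", gate_status(verdict))
    print(summary(found))
```

Line 2 of the sample is a placeholder and so only warns, lines 3 and 4 are critical, line 5 carries no secret-like name but a high-entropy hex value and is passed on as a suggestion for the semantic step, and line 6 reads the token from the environment and is clean. Because two findings are critical, the resolver returns REQUEST_CHANGES and the gate row becomes FAILED regardless of how the semantic review describes them.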
Inputs
Story file, associated source files, and project configuration are read automatically.
Outputs
A review report is written to .gaia/artifacts/implementation-artifacts/. The story's Review Gate row is updated with PASSED or FAILED according to the computed verdict.
Example session
> /gaia-review-security E3-S7
Resolving story E3-S7...
Running deterministic analysis...
Applying semantic review...
Verdict: APPROVE
Review Gate updated: PASSED
0 critical, 1 warning, 2 suggestions.
What to run next
- /gaia-review-all -- run all remaining reviews.
- /gaia-check-review-gate -- check if all reviews pass.
Troubleshooting
"Story must be in review status"
Run /gaia-dev-story to implement and transition the story first.
"Story file not found"
Verify the story key and check that the file exists under .gaia/artifacts/implementation-artifacts/.