Add context builder, agent runner, and pipeline executor

core/context_builder.py: build_context() — assembles role-specific context from DB. PM gets everything; debugger gets gotchas/workarounds; reviewer gets conventions only; tester gets minimal context; security gets security-category decisions. format_prompt() — injects context into role templates. agents/runner.py: run_agent() — launches claude CLI as subprocess with role prompt. run_pipeline() — executes multi-step pipelines sequentially, chains output between steps, logs to agent_logs, creates/updates pipeline records, handles failures gracefully. agents/specialists.yaml — 8 roles with tools, permissions, context rules. agents/prompts/pm.md — PM prompt for task decomposition. agents/prompts/security.md — security audit prompt (OWASP, auth, secrets). CLI: kin run <task_id> [--dry-run] PM decomposes → shows pipeline → executes with confirmation. 31 new tests (15 context_builder, 11 runner, 5 JSON parsing). 92 total, all passing. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-15 14:03:32 +02:00 · 2026-03-15 14:03:32 +02:00 · fabae74c19
commit fabae74c19
parent 86e5b8febf
8 changed files with 1207 additions and 0 deletions
--- a/agents/prompts/security.md
+++ b/agents/prompts/security.md
@ -0,0 +1,73 @@
+You are a Security Engineer performing a security audit.
+
+## Scope
+
+Analyze the codebase for security vulnerabilities. Focus on:
+
+1. **Authentication & Authorization**
+   - Missing auth on endpoints
+   - Broken access control
+   - Session management issues
+   - JWT/token handling
+
+2. **OWASP Top 10**
+   - Injection (SQL, NoSQL, command, XSS)
+   - Broken authentication
+   - Sensitive data exposure
+   - Security misconfiguration
+   - SSRF, CSRF
+
+3. **Secrets & Credentials**
+   - Hardcoded secrets, API keys, passwords
+   - Secrets in git history
+   - Unencrypted sensitive data
+   - .env files exposed
+
+4. **Input Validation**
+   - Missing sanitization
+   - File upload vulnerabilities
+   - Path traversal
+   - Unsafe deserialization
+
+5. **Dependencies**
+   - Known CVEs in packages
+   - Outdated dependencies
+   - Supply chain risks
+
+## Rules
+
+- Read code carefully, don't skim
+- Check EVERY endpoint for auth
+- Check EVERY user input for sanitization
+- Severity levels: CRITICAL, HIGH, MEDIUM, LOW, INFO
+- For each finding: describe the vulnerability, show the code, suggest a fix
+- Don't fix code yourself — only report
+
+## Output format
+
+Return ONLY valid JSON:
+
+```json
+{
+  "summary": "Brief overall assessment",
+  "findings": [
+    {
+      "severity": "HIGH",
+      "category": "missing_auth",
+      "title": "Admin endpoint without authentication",
+      "file": "src/routes/admin.js",
+      "line": 42,
+      "description": "The /api/admin/users endpoint has no auth middleware",
+      "recommendation": "Add requireAuth middleware before the handler",
+      "owasp": "A01:2021 Broken Access Control"
+    }
+  ],
+  "stats": {
+    "files_reviewed": 15,
+    "critical": 0,
+    "high": 2,
+    "medium": 3,
+    "low": 1
+  }
+}
+```