igmarin/hanakai-yaku

Curated library of atomic AI agent skills for Hanami, dry-rb, and ROM Ruby development. Covers actions, slices, repositories, relations, changesets, providers, DI, operations, TDD, CLI, views, routing, and validation. Shared Ruby process skills have moved to ruby-core-skills. Uses Markdown + Front-matter architecture.

1.33x

Quality

94%

Does it follow best practices?

Impact

92%

1.33x

Average score across 35 eval scenarios

Securityby

Passed

No known issues

name:: review-security
license:: MIT
description:: Use when conducting a security audit, vulnerability check, or code review on Hanami 2.x applications. Validates parameter handling, detects CSRF misconfigurations, audits authentication integration points, flags SQL injection and XSS risks, enforces input sanitization, and identifies secrets management and session configuration issues.
metadata:: {"ecosystem_sources":["hanami/hanami"],"tags":["security","review","csrf","authentication","vulnerabilities"],"version":"1.0.0"}

review-security

Name: igmarin/hanakai-yaku
Rating: 92.2 (1 reviews)
Author: igmarin

Use this skill when reviewing Hanami 2.x code for security concerns.

Core principle: Security is layered. Validate at the boundary, authenticate explicitly, and never trust input.

Review Workflow

Follow this sequence when performing a security review:

Validate params — Check every Action for a params block. Grep: grep -rn 'request.params' app/actions/ | grep -v 'params do'
Verify CSRF config — Confirm config.actions.csrf_protection = true in config/app.rb for HTML apps.
Audit auth checks — Confirm every sensitive Action has an explicit before :authenticate! or equivalent. Grep: grep -rn 'def handle' app/actions/ and cross-check with grep -rn 'authenticate'
Check authorization — Confirm role/permission checks exist in Actions or service objects beyond mere authentication.
Scan for secrets in code — Grep: grep -rn 'secret\|password\|api_key\|token' app/ config/ --include='*.rb' | grep -v 'settings\|ENV'
Check logging — Grep: grep -rn 'logger' app/ | grep 'password\|token\|secret'
Check SQL safety — Grep: grep -rn 'where("' app/ to find potential string interpolation in queries.
Check template output — Grep: grep -rn 'raw ' app/ to find unescaped output.
Review session config — Confirm config.sessions has a secret from settings, not hardcoded.
Review error messages — Confirm auth failures return generic messages (no user enumeration).

Quick Reference Checklist

Concern	Red Flag
Param validation	`request.params` used directly in business logic
CSRF protection	Missing `csrf_protection = true` for HTML endpoints
Authentication	Auth assumed by convention, not explicit check
Authorization	Only authn, no authz
Error messages	Messages like "User not found" or "Password incorrect"
Logging	`params[:password]` or tokens in log calls
Secrets	Hardcoded strings for keys/secrets in source files
SQL injection	String interpolation in `where("...")`
XSS	`raw` or `html_safe` on user input
Session management	No secret, no expiration, or hardcoded secret

Core Rules

Validate all params via the Params DSL:
```
# GOOD
params do
  required(:email).value(:string, format?: /\A.+@.+\z/)
  required(:password).value(:string, min_size?: 8)
end

# BAD — mass assignment risk
user_repo.create(request.params)
```

Enable CSRF protection for HTML endpoints:

# config/app.rb
config.actions.csrf_protection = true

Authenticate in Actions using injected services:

include Deps["authentication"]
before :authenticate!

def authenticate!(request, response)
  halt 401 unless authentication.valid?(request)
end

Never log sensitive data:

# GOOD
logger.info("Login attempt: #{params[:email]}")

# BAD
logger.info("Login: #{params[:email]}, password: #{params[:password]}")

Store secrets in settings, never in code:

# config/settings.rb
setting :session_secret, constructor: Types::String

# .env
SESSION_SECRET=your-secret-here

Prevent SQL injection using ROM's query interface:

# GOOD
users.where(email: params[:email]).one

# BAD
users.where("email = '#{params[:email]}'")

Escape output in templates to prevent XSS:

<!-- GOOD -->
<p><%= user.bio %></p>

<!-- BAD -->
<p><%= raw user.bio %></p>

Use secure session configuration:

config.sessions = :cookie, {
  key: "my_app.session",
  secret: settings.session_secret,
  expire_after: 60 * 60 * 24 * 7
}

Return generic error messages for auth failures:

# GOOD
halt 401, { error: "Invalid credentials" }.to_json

# BAD — reveals account existence
halt 401, { error: "User not found" }.to_json

Integration

Related Skill	When to chain
validate-params	All params must be validated before use.
handle-errors	Error responses must not leak sensitive information.
settings	Secrets and configuration must use Settings, not hardcoded values.
code-review	Security review is part of every code review.
setup-authentication	For implementing auth strategies.
security-review-process (from ruby-core-skills)	OWASP checklist, Ruby-level security concerns.

Rails → Hanami

Rails	Hanami 2.x
`protect_from_forgery`	`config.actions.csrf_protection = true`
`before_action :authenticate_user!`	Explicit `before :authenticate!` in each Action
`strong_parameters`	Params DSL with type coercion and constraints
`Rails.application.credentials`	Settings with environment variables
`html_safe` / `raw`	ERB auto-escapes; avoid `raw` on user input
`config.session_store`	`config.sessions = :cookie, { ... }` in `config/app.rb`

docs

evals

skills

actions

cli

context

cross-cutting

dry-monads

dry-rb

providers

review-security

SKILL.md

routing

slices

testing

views

README.md

tile.json

igmarin/hanakai-yaku

SKILL.md.css-3qkkll{font-size:var(--chakra-font-sizes-sm);font-weight:var(--chakra-font-weights-normal);color:var(--chakra-colors-gray-300);}skills/review-security/

review-security

Review Workflow

Quick Reference Checklist

Core Rules

Integration

Rails → Hanami

SKILL.mdskills/review-security/