# ln-760-security-setup

L2 Domain Coordinator - Orchestrates security scanning and configuration.
## Main Workflow

```mermaid
stateDiagram-v2
    [*] --> Phase1: Start Security Setup

    state Phase1 {
        [*] --> DetectType
        DetectType --> CheckTools
        CheckTools --> LoadConfigs
        LoadConfigs --> [*]

        DetectType: Detect project type
        CheckTools: Check tool availability
        LoadConfigs: Load existing configs
    }

    Phase1 --> Phase2: Pre-flight Complete

    state Phase2 {
        [*] --> Parallel
        state Parallel {
            [*] --> Secrets
            [*] --> Dependencies
            Secrets --> [*]
            Dependencies --> [*]
        }
        Parallel --> [*]

        Secrets: ln-761 Secret Scanner
        Dependencies: ln-625 Dependencies Auditor
    }

    Phase2 --> Phase3: Scans Complete

    state Phase3 {
        [*] --> Combine
        Combine --> Assess
        Assess --> Summary
        Summary --> [*]

        Combine: Combine findings
        Assess: Risk assessment
        Summary: Build summary
    }

    Phase3 --> Phase4: Report Ready

    state Phase4 {
        [*] --> SecurityMD
        SecurityMD --> PreCommit
        PreCommit --> CIWorkflow
        CIWorkflow --> Gitignore
        Gitignore --> [*]

        SecurityMD: Create SECURITY.md
        PreCommit: Configure pre-commit
        CIWorkflow: Generate CI workflow
        Gitignore: Update .gitignore
    }

    Phase4 --> [*]: Security Configured
```
## Worker Delegation Pattern

```mermaid
sequenceDiagram
    participant C as ln-760 Coordinator
    participant S as ln-761 Secret Scanner
    participant D as ln-625 Dependencies Auditor
    participant R as Report

    C->>C: Phase 1: Pre-flight checks

    par Phase 2: Parallel Scans
        C->>S: Invoke secret scan
        S-->>C: Findings + remediation
    and
        C->>D: Invoke dependency audit
        D-->>C: Vulnerabilities + fixes
    end

    C->>C: Phase 3: Aggregate findings
    C->>R: Phase 4: Generate outputs

    alt Critical findings
        R->>R: Flag for immediate action
    else High findings
        R->>R: Recommend 48h fix
    else Medium/Low
        R->>R: Add to backlog
    end

    R-->>C: Summary report
```
## Output Generation

```mermaid
flowchart TD
    subgraph Inputs["Scan Results"]
        Secrets[Secret Findings]
        Vulns[Vulnerability Findings]
    end

    subgraph Process["Generation"]
        Aggregate["Aggregate & Score"]
    end

    subgraph Outputs["Generated Files"]
        Security["SECURITY.md"]
        PreCommit[".pre-commit-config.yaml"]
        CI[".github/workflows/security.yml"]
        Gitignore[".gitignore updates"]
    end

    Secrets --> Aggregate
    Vulns --> Aggregate
    Aggregate --> Security
    Aggregate --> PreCommit
    Aggregate --> CI
    Aggregate --> Gitignore

    classDef input fill:#FFB6C1
    classDef process fill:#87CEEB
    classDef output fill:#90EE90
    class Secrets,Vulns input
    class Aggregate process
    class Security,PreCommit,CI,Gitignore output
```
## Pre-flight Decision Tree

```mermaid
flowchart TD
    Start([Start Pre-flight]) --> CheckGitleaks{gitleaks.toml exists?}
    CheckGitleaks -->|Yes| PreserveConfig[Preserve existing config]
    CheckGitleaks -->|No| UseDefault[Use default patterns]

    PreserveConfig --> CheckSecurity{SECURITY.md exists?}
    UseDefault --> CheckSecurity
    CheckSecurity -->|Yes| UpdateMode[Update mode - preserve custom]
    CheckSecurity -->|No| CreateMode[Create mode - from template]

    UpdateMode --> CheckPreCommit{.pre-commit-config.yaml exists?}
    CreateMode --> CheckPreCommit
    CheckPreCommit -->|Yes| HasGitleaks{Has gitleaks hook?}
    CheckPreCommit -->|No| CreatePreCommit[Create from template]
    HasGitleaks -->|Yes| SkipHook[Skip - already configured]
    HasGitleaks -->|No| RecommendAdd[Recommend adding hook]

    SkipHook --> Ready([Ready to scan])
    RecommendAdd --> Ready
    CreatePreCommit --> Ready

    classDef exists fill:#90EE90
    classDef missing fill:#FFB6C1
    classDef action fill:#87CEEB
    class PreserveConfig,UpdateMode,SkipHook exists
    class UseDefault,CreateMode,CreatePreCommit missing
    class RecommendAdd action
```
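The decision tree above, walked in code as an added illustration (not the coordinator's own implementation): each branch becomes a recorded decision, and the "Has gitleaks hook?" check is implemented as a line scan of `.pre-commit-config.yaml` for an `id:` or `repo:` entry naming gitleaks. The sample pre-commit config is constructed for the example; the function names and the returned keys are assumptions.

```python
from pathlib import Path

# Constructed sample: a pre-commit config that already wires in gitleaks.
SAMPLE_PRECOMMIT = """repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.0.0
    hooks:
      - id: gitleaks
"""

def has_gitleaks_hook(precommit_text):
    """True if any uncommented `id:` or `repo:` entry names gitleaks.
    A line scan is enough here; a full YAML parser is not required."""
    for raw in precommit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.lstrip("- ").partition(":")
        if key.strip() in ("id", "repo") and "gitleaks" in value.lower():
            return True
    return False

def preflight(files):
    """Walk the pre-flight tree. `files` maps the name of each config file
    that exists to its contents; missing keys mean the file is absent."""
    decisions = {}
    # gitleaks.toml: preserve an existing config, otherwise default patterns
    decisions["gitleaks"] = "preserve" if "gitleaks.toml" in files else "default"
    # SECURITY.md: update mode keeps custom sections, create mode uses the template
    decisions["security_md"] = "update" if "SECURITY.md" in files else "create"
    # .pre-commit-config.yaml: create it, skip if the hook exists, else recommend
    if ".pre-commit-config.yaml" not in files:
        decisions["pre_commit"] = "create"
    elif has_gitleaks_hook(files[".pre-commit-config.yaml"]):
        decisions["pre_commit"] = "skip"
    else:
        decisions["pre_commit"] = "recommend"
    return decisions

def load_project(root):
    """Read the three files the tree inspects from a project directory."""
    names = ("gitleaks.toml", "SECURITY.md", ".pre-commit-config.yaml")
    return {n: (Path(root) / n).read_text() for n in names if (Path(root) / n).is_file()}

if __name__ == "__main__":
    print(preflight({".pre-commit-config.yaml": SAMPLE_PRECOMMIT}))
```

Run it inside a project directory with `preflight(load_project("."))` to see which mode the coordinator would pick for each generated file.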