Ultaura-specific security review for backend changes. Grounded in OWASP Top 10, SOC 2 controls, and HIPAA considerations. Produces risk-rated findings (Critical/High/Medium/Low). Use this skill when: - Reviewing new or modified API routes - Reviewing database migrations or RLS policy changes - Reviewing auth changes or permission modifications - Any backend change during the delegation workflow Does NOT cover: Safety system integrity (AI classifier, heuristics, keyword scanning, verification gate) — that is governed separately by the non-negotiable principles in CLAUDE.md.
This skill covers:
This skill does NOT cover:
Only during the delegation workflow for backend changes. Specifically:
src/app/api/ or telephony routes)supabase/migrations/src/lib/ultaura/crypto-*.ts)src/lib/ultaura/health/consent.ts, src/lib/ultaura/sharing-gate.ts)Work through all seven categories. Each has a detailed reference file.
Full checks: references/encryption-checks.md
crypto-dek.ts — never inline crypto.createCipheriv()account_id + line_id + typeimport 'server-only' on all files in src/lib/ultaura/Full checks: references/rls-checks.md
ALTER TABLE ... ENABLE ROW LEVEL SECURITY(select auth.uid()) not bare auth.uid() (Supabase lint 0003)SECURITY DEFINER functions have SET search_path = publicis_ultaura_account_owner() and can_access_ultaura_health_line()enforce_health_account_line_consistency() triggerFull checks: references/api-auth-checks.md
supabase.auth.getUser() first (not getSession())created_by_user_id === userIdvalidateWebhookSecret() with crypto.timingSafeEqualapp_metadata.role === 'super-admin'getSupabaseRouteHandlerClient() from src/lib/server/Full checks: references/input-validation-checks.md
/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/icrypto.timingSafeEqual (not ===)sanitizeSummaryParaphrase() from src/lib/ultaura/health/sanitize.tsdangerouslySetInnerHTML without sanitizationFull checks: references/privacy-checks.md
https: before issuingFull checks: references/consent-checks.md
health_consent === 'granted'requireHealthLineAccess() and requireHealthOwner() are the central gatesultaura_health_consent_history (encrypted)Full checks: references/db-migration-checks.md
YYYYMMDDHHMMSS_snake_case_description.sqlENABLE ROW LEVEL SECURITY + at least one policyencrypted_data + encrypted_data_key (or health-specific payload columns)IF NOT EXISTS) and have a safe rollback pathSET search_path = public on all SECURITY DEFINER functions## Security Review: [area/file(s) reviewed]
### Findings
| # | Severity | Category | Finding | File:Line | Recommendation |
|---|----------|----------|---------|-----------|----------------|
| 1 | CRITICAL | Encryption | Inline crypto.createCipheriv() instead of using crypto-dek.ts | src/lib/foo.ts:42 | Use encryptPayload() from crypto-dek.ts |
| 2 | HIGH | RLS | New table missing RLS policy | migrations/20260317_foo.sql:15 | Add owner-scoped SELECT policy |
| 3 | MEDIUM | API Auth | Using getSession() instead of getUser() | src/app/api/foo/route.ts:8 | Switch to getUser() for server-side verification |
| 4 | LOW | Input | Missing length cap on user-provided string | src/app/api/foo/route.ts:25 | Add maxLength validation |
### Severity Definitions
- **CRITICAL**: Exploitable now — data exposure, auth bypass, or encryption failure. Must fix before merge.
- **HIGH**: Likely exploitable under specific conditions — missing RLS, weak auth, timing attack vector. Must fix before merge.
- **MEDIUM**: Defense-in-depth gap — not directly exploitable but weakens security posture. Should fix.
- **LOW**: Best practice deviation — minimal immediate risk but worth addressing. Consider fixing.
### Summary
- **Total findings**: N
- **Critical**: N | **High**: N | **Medium**: N | **Low**: N
- **Recommendation**: PASS / PASS WITH CONDITIONS / FAIL
PASS = No Critical or High findings
PASS WITH CONDITIONS = No Critical, but High findings exist with documented mitigation plan
FAIL = Any Critical finding, or 3+ unmitigated High findings
| Ultaura Check Category | OWASP Category |
|---|---|
| RLS, API Auth, Consent | A01:2021 — Broken Access Control |
| Encryption | A02:2021 — Cryptographic Failures |
| Input Validation | A03:2021 — Injection |
| Privacy, Consent, DB Migration | A04:2021 — Insecure Design |
| API Auth | A07:2021 — Identification and Authentication Failures |
| DB Migration | A08:2021 — Software and Data Integrity Failures |
| SOC 2 Control | Ultaura Check Categories |
|---|---|
| CC6.1 — Logical Access Security | RLS, API Auth, Consent |
| CC6.6 — System Boundaries | API Auth, Input Validation |
| CC6.7 — Data Transmission/Movement | Encryption, Privacy |
| CC7.2 — System Monitoring | Consent audit trail, access token logging |
Ultaura handles health-related data for seniors. Even if not yet a HIPAA covered entity, these controls align with HIPAA requirements:
| HIPAA Requirement | Ultaura Implementation |
|---|---|
| Encryption at rest (§164.312(a)(2)(iv)) | AES-256-GCM with per-line DEKs, two-layer key hierarchy |
| Minimum necessary access (§164.502(b)) | RLS policies scoped to account ownership, requireHealthLineAccess() gate |
| Audit logging (§164.312(b)) | Consent history table with encrypted audit entries |
| Access controls (§164.312(a)(1)) | Multi-layer auth: Supabase Auth → application ownership → RLS → consent gate → entitlement check |
| Consent verification (§164.508) | Four-state consent machine, DB-enforced state transitions, 30-day re-prompt cooldown |