raccoon-audit

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Raccoon Audit 🦝

The raccoon is curious. It lifts every rock, peers into every crevice, washes every object to see what it truly is. Nothing escapes those clever paws. What looks clean on the surface reveals its secrets under inspection. The raccoon finds what others miss—secrets buried in commits, vulnerabilities hiding in dependencies, mess that accumulated while no one was watching.

浣熊生性好奇。它会翻开每一块石头，窥探每一个缝隙，清洗每一个物体以看清其本质。没有什么能逃过它灵巧的爪子。表面看似干净的事物，在仔细检查下会暴露其秘密。浣熊能发现他人遗漏的东西——隐藏在提交记录中的敏感信息、依赖项中潜藏的漏洞、无人关注时堆积的杂乱代码。

When to Activate

激活场景

User asks to "audit security" or "check for secrets"
User says "clean this up" or "sanitize before deploy"
User calls
```
/raccoon-audit
```
or mentions raccoon/cleanup
Before deploying to production (security sweep)
When inheriting a codebase (unknown risks)
After security incidents (post-mortem audit)
Removing unused code, dependencies, or features
Preparing for open source release (scrubbing internals)

Pair with:

spider-weave

for auth security,

beaver-build

for testing security fixes

用户要求「审计安全」或「检查敏感信息」时
用户提到「清理代码」或「部署前净化」时
用户调用
```
/raccoon-audit
```
或提及raccoon/cleanup时
生产环境部署前（安全扫描）
接手陌生代码库时（排查未知风险）
安全事件发生后（事后审计）
移除未使用的代码、依赖项或功能时
准备开源发布前（清理内部信息）

搭配使用：

spider-weave

用于认证安全审计，

beaver-build

用于测试安全修复

The Audit

审计流程

RUMMAGE → INSPECT → SANITIZE → PURGE → VERIFY
    ↓         ↓          ↓         ↓         ↓
Search   Examine   Cleanse   Remove   Confirm
Everything  Closely   Contaminated Dead     Clean

RUMMAGE → INSPECT → SANITIZE → PURGE → VERIFY
    ↓         ↓          ↓         ↓         ↓
全面搜索   细致检查   净化处理   彻底清除   验证确认

Phase 1: RUMMAGE

阶段1：RUMMAGE（全面搜索）

Little paws lift the rocks, curious eyes peer underneath...

Systematic search for things that don't belong:

Secret Detection:

bash

undefined

小爪子翻开石头，好奇的眼睛窥探下方...

系统性搜索不属于代码库的内容：

敏感信息检测：

bash

undefined

Search for common secret patterns

grep -r "api_key|apikey|api-key" . --include=".{js,ts,py,json,yaml,yml,env,md}" 2>/dev/null | head -20 grep -r "password|passwd|pwd" . --include=".{js,ts,py,json,yaml,yml,env}" 2>/dev/null | head -20 grep -r "secret|token|private_key" . --include="*.{js,ts,py,json,yaml,yml,env}" 2>/dev/null | head -20 grep -r "AKIA[0-9A-Z]{16}" . 2>/dev/null # AWS access keys grep -r "ghp_[a-zA-Z0-9]{36}" . 2>/dev/null # GitHub personal tokens


**Common Hiding Spots:**
- `.env` files (should be in `.gitignore`)
- `config.json` with hardcoded values
- Test fixtures with real credentials
- Documentation examples that look too real
- Commented-out code containing keys
- Git history (check `git log -p` for deleted secrets)

**Bare Error Detection (Signpost Compliance):**

Grove requires all errors to use Signpost codes. Search for violations:

```bash


**常见隐藏位置：**
- `.env` 文件（应加入 `.gitignore`）
- 包含硬编码值的 `config.json`
- 包含真实凭证的测试用例
- 过于真实的文档示例
- 包含密钥的注释代码
- Git 提交历史（使用 `git log -p` 检查已删除的敏感信息）

**Signpost 合规性检查（裸错误检测）：**

Grove 要求所有错误使用 Signpost 编码。搜索违规情况：

```bash

Find bare throw error() without throwGroveError

grep -r "throw error(" --include=".ts" --include=".js" | grep -v "throwGroveError|node_modules|.test."

Find ad-hoc JSON error responses without buildErrorJson

grep -r "json.*error.status" --include=".ts" | grep -v "buildErrorJson|node_modules"

Find console.error without logGroveError

grep -r "console.error" --include=".ts" --include=".svelte" | grep -v "logGroveError|node_modules"

Find bare alert() where toast should be used

grep -r "alert(" --include=".svelte" --include=".ts" | grep -v "node_modules"


**Signpost Compliance Checklist:**
- [ ] No bare `throw error()` — use `throwGroveError()` or `buildErrorJson()`
- [ ] No `console.error` without `logGroveError()` companion
- [ ] No ad-hoc JSON error shapes — all use `buildErrorJson()`
- [ ] No `alert()` — use `toast` from `@autumnsgrove/groveengine/ui`
- [ ] `adminMessage` never exposed to client responses

**Dependency Check:**
```bash

grep -r "alert(" --include=".svelte" --include=".ts" | grep -v "node_modules"


**Signpost 合规性检查清单：**
- [ ] 禁止直接使用 `throw error()` —— 需使用 `throwGroveError()` 或 `buildErrorJson()`
- [ ] 禁止单独使用 `console.error` —— 需配合 `logGroveError()`
- [ ] 禁止自定义 JSON 错误格式 —— 统一使用 `buildErrorJson()`
- [ ] 禁止使用 `alert()` —— 需使用 `@autumnsgrove/groveengine/ui` 中的 `toast`
- [ ] `adminMessage` 不得暴露给客户端响应

**依赖项检查：**
```bash

Check for known vulnerabilities

npm audit pip audit # if using Python


**Output:** Inventory of potential secrets, vulnerabilities, and suspicious patterns found

---

npm audit pip audit # if using Python


**输出结果：** 潜在敏感信息、漏洞及可疑模式的清单

---

Phase 2: INSPECT

阶段2：INSPECT（细致检查）

The raccoon washes the object, turning it over in careful paws...

Examine findings to separate real risks from false positives:

Secret Validation: For each potential secret found:

Is it a real secret? — Test if the key/token works
Is it active? — Check creation date, last used
What's the blast radius? — What can this access?
How exposed? — Public repo, internal, just local?

Vulnerability Assessment:

┌──────────────────────────────────────────────────────────────┐
│                  RISK EVALUATION MATRIX                      │
├──────────────────────────────────────────────────────────────┤
│  CRITICAL  │  Active secrets in public repos                │
│            │  SQL injection vulnerabilities                 │
│            │  Remote code execution paths                   │
├────────────┼────────────────────────────────────────────────┤
│  HIGH      │  Dependencies with known CVEs                  │
│            │  Weak cryptography (MD5, SHA1)                 │
│            │  Missing authentication on admin endpoints     │
├────────────┼────────────────────────────────────────────────┤
│  MEDIUM    │  Information disclosure in error messages      │
│            │  Missing rate limiting                         │
│            │  Verbose logging of sensitive data             │
├────────────┼────────────────────────────────────────────────┤
│  LOW       │  Outdated dependencies (no known CVEs)         │
│            │  Unused code/dependencies                      │
│            │  Comments containing internal details          │
└────────────┴────────────────────────────────────────────────┘

Code Smell Inspection:

Functions that bypass security checks
Debug flags left enabled
Hardcoded URLs that should be configurable
TODO comments about security issues
Disabled tests (especially security-related ones)

Output: Prioritized list of confirmed issues with severity ratings

浣熊清洗物体，用爪子仔细翻转查看...

检查搜索结果，区分真实风险与误报：

敏感信息验证： 针对每一处潜在敏感信息：

是否为真实敏感信息？ —— 测试密钥/令牌是否有效
是否处于活跃状态？ —— 检查创建时间、最后使用时间
影响范围有多大？ —— 该信息可访问哪些资源？
暴露程度如何？ —— 公开仓库、内部仓库还是仅本地？

漏洞评估矩阵：

┌──────────────────────────────────────────────────────────────┐
│                  风险评估矩阵                               │
├──────────────────────────────────────────────────────────────┤
│  严重级   │  公开仓库中的活跃敏感信息                        │
│           │  SQL注入漏洞                                    │
│           │  远程代码执行路径                              │
├────────────┼────────────────────────────────────────────────┤
│  高风险   │  存在已知CVE漏洞的依赖项                        │
│           │  弱加密算法（MD5、SHA1）                        │
│           │  管理端点缺失认证                                │
├────────────┼────────────────────────────────────────────────┤
│  中风险   │  错误信息泄露内部细节                          │
│           │  缺失请求频率限制                                │
│           │  敏感数据被详细日志记录                        │
├────────────┼────────────────────────────────────────────────┤
│  低风险   │  过时但无已知漏洞的依赖项                        │
│           │  未使用的代码/依赖项                            │
│           │  包含内部细节的注释                            │
└────────────┴────────────────────────────────────────────────┘

代码异味检查：

绕过安全检查的函数
启用的调试标志
应可配置但硬编码的URL
涉及安全问题的TODO注释
被禁用的测试（尤其是安全相关测试）

输出结果： 带有严重级别的已确认问题优先级清单

Phase 3: SANITIZE

阶段3：SANITIZE（净化处理）

Contaminated objects get scrubbed until they gleam...

Clean up the mess without breaking functionality:

Secret Rotation (if exposed):

bash

undefined

被污染的物体会被彻底擦洗干净...

清理杂乱内容且不破坏功能：

敏感信息轮换（若已暴露）：

bash

undefined

1. Revoke the exposed secret immediately

curl -X DELETE https://api.service.com/keys/EXPOSED_KEY_ID
-H "Authorization: Bearer ADMIN_TOKEN"

2. Generate new secret

NEW_KEY=$(curl -X POST https://api.service.com/keys
-H "Authorization: Bearer ADMIN_TOKEN" | jq -r '.key')

3. Update configuration (environment variables, not code!)

echo "SERVICE_API_KEY=$NEW_KEY" >> .env.local


**Code Sanitization:**
```typescript
// BEFORE: Secret in code
const API_KEY = 'sk-live-abc123xyz789';

// AFTER: Environment variable
const API_KEY = process.env.SERVICE_API_KEY;
if (!API_KEY) {
  throw new Error('SERVICE_API_KEY environment variable required');
}

Security Hardening:

typescript

// Add input validation
function sanitizeInput(input: string): string {
  return input.replace(/[<>\"']/g, '');
}

// Add rate limiting
const rateLimiter = new Map<string, number[]>();

// Remove debug endpoints
// DELETE: app.get('/debug/users', ...)

Dependency Updates:

bash

undefined

echo "SERVICE_API_KEY=$NEW_KEY" >> .env.local


**代码净化：**
```typescript
// BEFORE: Secret in code
const API_KEY = 'sk-live-abc123xyz789';

// AFTER: Environment variable
const API_KEY = process.env.SERVICE_API_KEY;
if (!API_KEY) {
  throw new Error('SERVICE_API_KEY environment variable required');
}

安全加固：

typescript

// Add input validation
function sanitizeInput(input: string): string {
  return input.replace(/[<>\"']/g, '');
}

// Add rate limiting
const rateLimiter = new Map<string, number[]>();

// Remove debug endpoints
// DELETE: app.get('/debug/users', ...)

依赖项更新：

bash

undefined

Update vulnerable packages

npm update package-name

or

pip install --upgrade package-name

Verify fix

npm audit # Should show 0 vulnerabilities


**Output:** Clean code with secrets externalized, vulnerabilities patched

---

npm audit # Should show 0 vulnerabilities


**输出结果：** 敏感信息已外置、漏洞已修复的干净代码

---

Phase 4: PURGE

阶段4：PURGE（彻底清除）

What doesn't belong gets carried away, never to return...

Remove the harmful remnants:

Git History Cleaning (if secrets were committed):

bash

undefined

无用内容会被彻底移除，永不返回...

清除有害残留：

Git历史清理（若敏感信息已提交）：

bash

undefined

Use BFG Repo-Cleaner or git-filter-branch

WARNING: This rewrites history - coordinate with team!

BFG approach (recommended):

bfg --delete-files '.*env' --replace-text secrets.txt my-repo.git

Or specific file cleanup:

git filter-branch --force --index-filter
'git rm --cached --ignore-unmatch path/to/secret-file'
--prune-empty --tag-name-filter cat -- --all


**Dead Code Removal:**
```bash

git filter-branch --force --index-filter
'git rm --cached --ignore-unmatch path/to/secret-file'
--prune-empty --tag-name-filter cat -- --all


**死代码移除：**
```bash

Find unused exports

npx ts-prune # TypeScript

Find unused dependencies

npx depcheck

Remove with confidence after tests pass

git rm src/old-feature/ npm uninstall unused-package


**Environment Cleanup:**
- Remove old API keys from services
- Delete test accounts created with real credentials
- Clear CI/CD cache if it contains secrets
- Rotate database credentials if exposed

**Documentation Updates:**
- Remove internal URLs from public docs
- Scrub employee names/IDs from examples
- Update architecture diagrams (remove sensitive details)

**Output:** Clean repository, fresh credentials, purged history

---

git rm src/old-feature/ npm uninstall unused-package


**环境清理：**
- 从服务中移除旧API密钥
- 删除使用真实凭证创建的测试账户
- 若CI/CD缓存包含敏感信息则清空
- 若数据库凭证暴露则轮换

**文档更新：**
- 从公开文档中移除内部URL
- 从示例中擦除员工姓名/ID
- 更新架构图（移除敏感细节）

**输出结果：** 干净的代码仓库、全新的凭证、已清理的提交历史

---

Phase 5: VERIFY

阶段5：VERIFY（验证确认）

The raccoon washes its paws, inspecting them one last time...

Confirm everything is clean and stays clean:

Automated Verification:

bash

undefined

浣熊清洗爪子，最后检查一遍...

确认所有内容已清理干净并保持安全：

自动化验证：

bash

undefined

Re-run secret scan - should find nothing

grep -r "sk-live|sk-test" . --include="*.{js,ts,json}" 2>/dev/null

Security tests pass

npm run test:security

No new vulnerabilities

npm audit --audit-level=moderate


**Manual Checks:**
- [ ] Application starts without hardcoded secrets
- [ ] All environment variables documented (not their values!)
- [ ] Test suite passes
- [ ] No sensitive data in logs
- [ ] Error messages don't reveal internals

**Preventive Measures:**
```bash

npm audit --audit-level=moderate


**手动检查：**
- [ ] 应用启动无需硬编码敏感信息
- [ ] 所有环境变量已文档化（不包含值！）
- [ ] 测试套件全部通过
- [ ] 日志中无敏感数据
- [ ] 错误信息不暴露内部细节

**预防措施：**
```bash

Install pre-commit hooks

npm install --save-dev husky npx husky add .husky/pre-commit "npm run lint && npm run security-check"

Add to CI/CD pipeline

.github/workflows/security.yml

name: Security Scan run: | npm audit --audit-level=moderate npx secretlint "**/*"


**Verification Report:**
```markdown

name: Security Scan run: | npm audit --audit-level=moderate npx secretlint "**/*"


**验证报告：**
```markdown

🦝 RACCOON AUDIT COMPLETE

Secrets Found & Fixed

Location	Severity	Action Taken
config.ts	CRITICAL	Moved to env var, rotated key
test/fixtures	HIGH	Replaced with mock data
README.md	MEDIUM	Removed internal URL

Location	Severity	Action Taken
config.ts	CRITICAL	Moved to env var, rotated key
test/fixtures	HIGH	Replaced with mock data
README.md	MEDIUM	Removed internal URL

Dependencies

3 vulnerabilities patched
2 unused packages removed
All packages up to date

3 vulnerabilities patched
2 unused packages removed
All packages up to date

Verification

No secrets in current codebase
Git history cleaned (force push required)
Pre-commit hooks installed
All tests passing


**Output:** Clean bill of health with preventive measures in place

---

No secrets in current codebase
Git history cleaned (force push required)
Pre-commit hooks installed
All tests passing


**输出结果：** 带有预防措施的安全健康报告

---

Raccoon Rules

浣熊审计规则

Curiosity

好奇心

Inspect everything. The raccoon doesn't assume— it verifies. That "harmless" test file might contain production credentials.

检查所有内容。浣熊不会想当然——它会验证。那个“无害”的测试文件可能包含生产环境凭证。

Thoroughness

彻底性

Wash every object. Half-cleaned secrets are still exposed secrets. Don't stop at the surface.

彻底清洗每一个物体。未完全清理的敏感信息仍处于暴露状态。不要停留在表面。

Safety

安全性

Handle contaminated items carefully. When rotating secrets, ensure zero-downtime transitions. Don't break production while fixing security.

小心处理被污染的内容。轮换敏感信息时，确保零停机过渡。不要在修复安全问题时破坏生产环境。

Communication

沟通

Use investigative metaphors:

"Lifting the rocks..." (searching thoroughly)
"Washing the object..." (examining closely)
"Scrubbing clean..." (sanitizing)
"Carrying away..." (purging)

使用调查类隐喻：

“翻开石头...”（全面搜索）
“清洗物体...”（细致检查）
“彻底擦洗...”（净化处理）
“移除无用内容...”（彻底清除）

Anti-Patterns

反模式

The raccoon does NOT:

Leave secrets in code with "TODO: remove this" comments
Skip git history when secrets were committed
Break production while rotating credentials
Assume "it's just a test key" means it's safe
Forget to update documentation after cleanup
Trust that "someone else handled it"

浣熊绝不会：

用“TODO: remove this”注释留下敏感信息
当敏感信息已提交时跳过Git历史清理
轮换凭证时破坏生产环境
认为“只是测试密钥”就意味着安全
清理后忘记更新文档
相信“其他人已经处理过了”

Example Audit

审计示例

User: "Audit the codebase before open sourcing"

Raccoon flow:

🦝 RUMMAGE — "Found 3 API keys in config files, internal URLs in README, employee emails in test data, 12 TODO comments with internal ticket numbers"
🦝 INSPECT — "One API key is active production key (CRITICAL). Others are test keys but still shouldn't be public. Internal URLs expose infrastructure."
🦝 SANITIZE — "Move keys to env vars, replace URLs with example.com, scrub employee data, rewrite TODOs generically"
🦝 PURGE — "Use BFG to clean git history of secrets, remove 2 unused dependencies, delete old deployment scripts"
🦝 VERIFY — "Re-scan shows no secrets, all tests pass, pre-commit hooks installed to prevent future secrets"

用户： “开源前审计代码库”

浣熊流程：

🦝 RUMMAGE —— “在配置文件中找到3个API密钥，README中的内部URL，测试数据中的员工邮箱，12条包含内部工单编号的TODO注释”
🦝 INSPECT —— “其中一个API密钥是活跃的生产环境密钥（严重级）。其他是测试密钥但仍不应公开。内部URL暴露了基础设施信息。”
🦝 SANITIZE —— “将密钥移至环境变量，用example.com替换内部URL，擦除员工数据，将TODO注释改写为通用内容”
🦝 PURGE —— “使用BFG清理Git历史中的敏感信息，移除2个未使用的依赖项，删除旧部署脚本”
🦝 VERIFY —— “重新扫描未发现敏感信息，所有测试通过，已安装提交前钩子防止未来的敏感信息泄露”

Quick Decision Guide

快速决策指南

Situation	Action
Secret committed to git	Rotate immediately, clean history, force push
Vulnerability in dependency	Update to patched version, test, deploy
Hardcoded credentials	Move to environment variables, rotate keys
Dead code detected	Remove if tests pass, document if uncertain
Debug code in production	Remove endpoints, check logs for exposure
Preparing for open source	Full audit: secrets, internals, history, docs

场景	操作
敏感信息已提交至Git	立即轮换，清理历史，强制推送
依赖项存在漏洞	更新至修复版本，测试，部署
硬编码凭证	移至环境变量，轮换密钥
检测到死代码	测试通过后移除，不确定则文档化
生产环境存在调试代码	移除端点，检查日志是否暴露
准备开源发布	全面审计：敏感信息、内部内容、历史、文档

Integration with Other Skills

与其他技能集成

Before Audit:

```
bloodhound-scout
```
— Understand codebase structure first

During Audit:

```
spider-weave
```
— If auth/security system needs review
```
beaver-build
```
— If writing security regression tests

After Audit:

```
panther-strike
```
— If fixing specific security issues rapidly
```
grove-documentation
```
— Update security runbooks

Nothing stays hidden from paws that know how to look. 🦝

审计前：

```
bloodhound-scout
```
—— 先了解代码库结构

审计中：

```
spider-weave
```
—— 若需审计认证/安全系统
```
beaver-build
```
—— 若需编写安全回归测试

审计后：

```
panther-strike
```
—— 若需快速修复特定安全问题
```
grove-documentation
```
—— 更新安全运行手册

没有什么能逃过会寻找的爪子。 🦝