TopRank Skills


bug-audit

Comprehensive bug audit for Node.js web projects. Activate when user asks to audit, review, check bugs, find vulnerabilities, or do security/quality review on a project. Works by dissecting the project's actual code to build project-specific check matrices, then exhaustively verifying each item — not by running a generic checklist. Supports games, data tools, WeChat apps, API services, bots, and dashboards.

Stars: 0
Installs: 0
Status: ACTIVE
Visibility: PUBLIC

Installation

Copy the prompt below and send it to your AI assistant to complete the installation.

First check whether the SkillHub store is installed. If it is not, install the SkillHub store by following https://skillhub-1388575217.cos.ap-guangzhou.myqcloud.com/install/skillhub.md, then install the bug-audit skill. If it is already installed, install the bug-audit skill directly.

Overview

Skill Key: abczsl520/bug-audit
Author: abczsl520
Source Repo: openclaw/skills
Version: -
Source Path: skills/abczsl520/bug-audit
Latest Commit SHA: 6ca2861ee405f6074bac09b256660d2cb553f454

Extracted Content

SKILL.md excerpt

# Bug Audit — Dissect, Then Verify

Do NOT run a generic checklist. Instead: read the code, extract every auditable entity, then exhaustively question each one.

## Phase 1: Dissect (10-15 min)

Read all project files. Build 7 tables. These tables ARE the audit — everything found here gets verified in Phase 2.

### Table 1: API Endpoints

For every route in server-side code:

```
| # | Method | Path | Auth? | Params validated? | Precondition | Returns | Attack vector |
```

For each endpoint, ask:
- Can I call this without authentication?
- Can I pass 0, negative, NaN, huge numbers, arrays, objects?
- Can I skip a prerequisite API and call this directly?
- What happens if I call this 100 times per second?
- Does the response leak sensitive data (openid, internal IDs, full user objects)?

### Table 2: State Machines

For every boolean/enum state variable (isGameOver, battleState, Game.running, phase, mode...):

```
| # | Variable | Set by | Read by | Init value | Reset when? | Can it leak across lifecycles? |
```

For each variable, ask:
- If the game/session ends, does this get reset?
- If I start a new round immediately, will stale state from the previous round affect it?
- Are there race conditions between setters?

### Table 3: Timers

For every setTimeout/setInterval:

```
| # | Type | Delay | Created in | Cleared in | What if lifecycle ends before it fires? |
```

For each timer, ask:
- Is the handle stored for cleanup?
- If the game ends / user disconnects / page navigates, does this still fire?
- If it fires after cleanup, does it reference destroyed objects?
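The Table 2 and Table 3 questions above (does state reset between rounds, is every timer handle stored and cleared, can a late timer touch destroyed state) are easier to verify when the code is structured so the answers are mechanical. The following is an added example written for this page, not code from the bug-audit skill or any project it audits; the names `RoundSession`, `schedule`, `demoEarlyEnd` and `demoNewRound` are hypothetical.

```javascript
// Added example (not part of the bug-audit skill). A small round/session object
// whose lifecycle answers the Table 2 (state) and Table 3 (timer) audit questions:
// every timer handle is tracked so end() can clear it, callbacks re-check the
// phase before acting, and start() resets state instead of inheriting it.
class RoundSession {
  constructor() {
    this.phase = 'idle';      // Table 2 state variable: idle | running | ended
    this.score = 0;
    this.timers = new Set();  // Table 3: every live handle is recorded here
    this.log = [];            // what actually fired, for inspection
  }

  // Wrap setTimeout so the handle is always tracked and always cleared.
  schedule(fn, delayMs) {
    const handle = setTimeout(() => {
      this.timers.delete(handle);
      // Guard: a timer that outlives the lifecycle must not touch ended state.
      if (this.phase !== 'running') return;
      fn();
    }, delayMs);
    this.timers.add(handle);
    return handle;
  }

  start(roundTimeoutMs) {
    // Reset on start; stale state from the previous round must not leak in.
    this.phase = 'running';
    this.score = 0;
    this.schedule(() => this.end('timeout'), roundTimeoutMs);
  }

  addScore(n) {
    if (this.phase !== 'running') return false; // late calls are rejected, not applied
    this.score += n;
    return true;
  }

  end(reason) {
    if (this.phase !== 'running') return;           // idempotent: a second end() is a no-op
    this.phase = 'ended';
    for (const h of this.timers) clearTimeout(h);   // no timer survives the lifecycle
    this.timers.clear();
    this.log.push(`ended:${reason}`);
  }
}

// Scenario 1: the round ends before its timeout fires; the timeout must not run
// and a score update arriving after end() must be rejected.
function demoEarlyEnd() {
  const s = new RoundSession();
  s.start(50);
  s.addScore(10);
  s.end('player_quit');
  const lateApplied = s.addScore(5);
  return { phase: s.phase, score: s.score, pendingTimers: s.timers.size, lateApplied, log: s.log };
}

// Scenario 2: a new round started right after the previous one must begin clean.
function demoNewRound() {
  const s = new RoundSession();
  s.start(50);
  s.addScore(7);
  s.end('player_quit');
  s.start(50);
  const fresh = { phase: s.phase, score: s.score, pendingTimers: s.timers.size };
  s.end('demo_done'); // clear the pending timer so the process can exit
  return fresh;
}
```

When filling Table 3 for real code, the row for each timer should name the function that owns the handle (`schedule` here) and the function that clears it (`end`); a timer with no entry in the "Cleared in" column is a finding, not a gap in the table.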

### Table 4: Numeric Values

For every user-influenceable number (cost, score, damage, lootValue, kills, quantity...):

```
| # | Name | Source (client/server/config) | Validated? | Min | Max | What if 0? | What if negative? |
```

For each value, ask:
- Is the server-side cap realistic? (kills cap 200 but max enemies is 50?)
- Can the client send a value the server trusts without verification?
- Float...
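The Table 1 and Table 4 questions (no auth, 0, negative, NaN, huge numbers, arrays, objects, client-supplied values the server trusts, skipped preconditions, over-sharing responses) can all be checked against one handler. The following is an added example written for this page, not code from the bug-audit skill; it models a hypothetical `buy` endpoint as a plain function so it runs without a web framework. `ITEM_PRICES`, `MAX_QUANTITY`, `parseQuantity`, `handleBuy`, `runScenarios` and the request shapes are all constructed for the example.

```javascript
// Added example (not part of the bug-audit skill). A server-side handler for a
// hypothetical `buy` endpoint whose code answers the Table 1 / Table 4 questions:
// price comes from server config and a client-sent `cost` is never read,
// quantity is parsed with explicit type, integer and range checks, the
// precondition (an authenticated session) is enforced, and the response
// carries only what the client needs.

// Server-side source of truth for prices. A Map (not a plain object) so lookups
// like "constructor" or "__proto__" cannot hit Object.prototype.
const ITEM_PRICES = new Map([['potion', 25], ['sword', 300]]);
const MAX_QUANTITY = 99;

// Accepts only a finite positive integer within bounds. 0, negatives, NaN,
// floats, strings, arrays, objects and huge numbers are all rejected.
function parseQuantity(raw) {
  if (typeof raw !== 'number' || !Number.isInteger(raw)) {
    return { ok: false, error: 'quantity must be an integer' };
  }
  if (raw < 1 || raw > MAX_QUANTITY) {
    return { ok: false, error: `quantity must be between 1 and ${MAX_QUANTITY}` };
  }
  return { ok: true, value: raw };
}

// session: { userId, gold } loaded server-side, or null when unauthenticated.
// body: the JSON the client sent. Returns an HTTP-like { status, body } pair.
function handleBuy(session, body) {
  if (!session) return { status: 401, body: { error: 'authentication required' } };
  if (body === null || typeof body !== 'object') {
    return { status: 400, body: { error: 'invalid body' } };
  }

  const price = typeof body.item === 'string' ? ITEM_PRICES.get(body.item) : undefined;
  if (price === undefined) return { status: 400, body: { error: 'unknown item' } };
  // body.cost, if present, is deliberately ignored: the client never sets the price.

  const q = parseQuantity(body.quantity);
  if (!q.ok) return { status: 400, body: { error: q.error } };

  const total = price * q.value;
  if (session.gold < total) return { status: 409, body: { error: 'insufficient gold' } };

  session.gold -= total;
  // Response exposes no internal ids and no full user object.
  return { status: 200, body: { item: body.item, quantity: q.value, goldRemaining: session.gold } };
}

// Pushes the audit table's "what if" inputs through the handler; returns the
// status codes in order so each row of the table maps to one entry.
function runScenarios() {
  const fresh = () => ({ userId: 'u1', gold: 100 }); // constructed session
  return [
    handleBuy(null, { item: 'potion', quantity: 1 }).status,          // 401: no auth
    handleBuy(fresh(), { item: 'potion', quantity: 1, cost: 0 }).status, // 200: cost ignored
    handleBuy(fresh(), { item: 'potion', quantity: 0 }).status,       // 400: zero
    handleBuy(fresh(), { item: 'potion', quantity: -1 }).status,      // 400: negative
    handleBuy(fresh(), { item: 'potion', quantity: NaN }).status,     // 400: NaN
    handleBuy(fresh(), { item: 'potion', quantity: 1e9 }).status,     // 400: huge
    handleBuy(fresh(), { item: 'potion', quantity: [1] }).status,     // 400: array
    handleBuy(fresh(), { item: 'potion', quantity: 1.5 }).status,     // 400: float
    handleBuy(fresh(), { item: 'constructor', quantity: 1 }).status,  // 400: prototype key
    handleBuy(fresh(), { item: 'sword', quantity: 1 }).status,        // 409: cannot afford
  ];
}
```

Each entry of `runScenarios()` corresponds to one "What if" column in Table 4 or one question under Table 1; a handler for which any of these returns 200 is the finding the tables are designed to surface.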

README excerpt

# 🔍 Bug Audit Skill

[![ClawHub](https://img.shields.io/badge/ClawHub-bug--audit-blue?style=flat-square)](https://clawhub.com)
[![License: MIT](https://img.shields.io/badge/License-MIT-green?style=flat-square)](LICENSE)
[![OpenClaw Skill](https://img.shields.io/badge/OpenClaw-Agent_Skill-orange?style=flat-square)](https://github.com/openclaw/openclaw)

> Don't run a checklist. Dissect the project, then exhaustively verify every entity.

Built from a hard lesson: a project took **21 rounds** to find 172 bugs using generic checklists. Post-mortem revealed that building project-specific check matrices first would have caught most bugs in **3-4 rounds**.

## The Problem with Checklists

Generic checklists catch "known pattern" bugs (CORS, XSS, timezone). But most critical bugs are **project-specific logic vulnerabilities**:
- `buy` API accepts `cost=0` → free purchases (not in any checklist)
- `raid-result` callable without calling `buy` first → infinite money exploit
- Search completion doesn't verify distance → remote looting

These bugs live in the **relationships between APIs**, not in individual code patterns.

## The Solution: Dissect → Verify → Supplement

```
Phase 1: Dissect — Read code, build 6 project-specific tables (10-15 min)
Phase 2: Verify  — Exhaustively check every row in every table
Phase 3: Supplement — Run generic modules as safety net
Phase 4: Regress — Check fixes didn't introduce new bugs
Phase 5: Archive — Record pitfalls for next audit
```

### The 6 Tables

| Table | Extracts | Key Question |
|-------|----------|-------------|
| API Endpoints | Every route: method, path, auth, params | Can I bypass? What if I send garbage? |
| State Machines | Every state variable: setter, reader, lifecycle | Does it leak across lifecycles? |
| Timers | Every setTimeout/setInterval | Does it fire after cleanup? |
| Numeric Values | Every user-influenceable number | What if 0? Negative? Huge? |
| Data Flows | Every related API pair (buy→use) | Can I skip Step...
