Goal
Run a security review pass on Phase 2 work before the sandbox-backed previews ship broadly. Findings encoded as additional issues the same way Phase 1's review was.
Scope
- Sandbox isolation model — verify logical separation (Kustomize nameSuffix) holds under the shared wallet-eng-dev namespace; namespace-quota safety; trust assumptions documented
- freighter-config access controls — restricted to SDF; PR approval requirements; what data leaks if read-public
- Fork PR gating across iOS Simulator + Android Emulator workflows — verify both Phase 1 mobile workflows apply the same author_association + fork-guard pattern as the extension workflow; verify the forbidden-triggers invariant comment block is present
- Mobile build artifact secrets — what's baked into the unsigned iOS Simulator .app and the debug Android APK? WalletKit DEV keys, Sentry stubs, etc. should be stripped or stubbed like the extension preview build. (Note: no Apple Connect / Match credentials are involved in Phase 1/2 mobile workflows by design — that surface returns in Phase 3.)
- Draft-release channel parity across repos — confirm the SDF-only audience boundary verified for stellar/freighter drafts also holds on stellar/freighter-mobile (same org, same model). Quick re-test with an SDF read-only collaborator + a non-SDF account to be sure.
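An added example for the fork PR gating item above (not the project's own tooling): a text-level check that a workflow file declares no forbidden trigger, carries an author_association check and a fork guard outside of comments, and still has the invariant comment block. The forbidden trigger set, the marker text and the two trimmed sample workflows are assumptions constructed for illustration.

```python
import re

# Assumed, not from the issue: the forbidden trigger set and the invariant block's marker text.
FORBIDDEN = {"pull_request_target", "workflow_run"}
MARKER = "FORBIDDEN TRIGGERS"

def triggers(text):
    """Event names under the top-level `on:` key (inline or block form)."""
    m = re.search(r"""^['"]?on['"]?:[ \t]*(.*)$""", text, re.M)
    if not m:
        return set()
    inline = m.group(1).split("#")[0].strip()
    if inline:
        return set(re.findall(r"[a-z_]+", inline))
    found, indent = set(), None
    for sub in text[m.end():].splitlines():
        if not sub.strip() or sub.lstrip().startswith("#"):
            continue
        depth = len(sub) - len(sub.lstrip())
        if depth == 0:
            break
        indent = indent or depth
        if depth == indent:
            found.add(sub.strip().lstrip("- ").split(":")[0])
    return found

def review(text):
    """Findings for one workflow file; an empty list means it passes."""
    out = [f"forbidden trigger: {t}" for t in sorted(triggers(text) & FORBIDDEN)]
    # Drop comment lines so a commented-out guard does not count as present.
    code = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    checks = [("no author_association check", r"author_association"),
              ("no fork guard", r"head\.repo\.(fork|full_name)")]
    out += [msg for msg, pat in checks if not re.search(pat, code)]
    if MARKER not in text:
        out.append("invariant comment block missing")
    return out

# Constructed sample workflows (trimmed), not the project's real files.
GOOD = """# FORBIDDEN TRIGGERS: never add pull_request_target or workflow_run
on:
  pull_request:
jobs:
  build:
    if: github.event.pull_request.head.repo.fork == false && github.event.pull_request.author_association == 'MEMBER'"""
BAD = """on: [pull_request_target]
jobs:
  build:
    # if: github.event.pull_request.author_association == 'MEMBER'"""
```

Run review() over the text of each mobile workflow and the extension workflow and compare the findings; reading triggers from the on: key rather than searching the whole file keeps the invariant comment itself from tripping the check.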
Acceptance criteria
- pr-preview-workflow-security-review-phase2.md (same shape as Phase 1's review file)
- Fullstack PR Preview label
Approach
Use the same multi-agent review pattern as Phase 1 (trigger model / supply chain / secret leakage / distribution). Spawn 4 parallel agents on the Phase 2 changes once they're staged, before merging.
Dependencies
- Should run while Phase 2 implementation is in progress (don't block Phase 2 start; review as work lands)
Reference
Fullstack PR Preview Flow design doc — § Security, § Subsequent reviews; pr-preview-workflow-security-review.md (Phase 1 review file as the template)