AI Audit: Findings and Recommendations

[koxon]

Summary

Two-pass security audit of src/SA/SnsHandler.php covering message validation, SNS signature verification, injection vectors, error handling, and dependency risks.

Findings by Severity

Severity	Count	Key Issues
Critical	2	No SNS signature verification (architectural gap); Hardcoded DynamoDB table name
High	4	No ARN validation; Dynamic method invocation via user input; Namespace bug in catch block (DynamoDB errors never caught); No type validation on constructor
Medium	6	GCM deprecated; TTL not validated; Logging leaks PII; Batch errors swallowed; Timestamp collisions; array_merge_recursive gotcha
Low	5	PHP 7.0 EOL; Echo fallback logger; SDK version "latest"; Missing return types; GitHub Actions wrong branch

CLAUDE.md Corrections

The existing CLAUDE.md contained 5 factual inaccuracies that would mislead AI agents:

• Constructor signature was wrong (documented key/secret params that don't exist)
• 3 methods listed that don't exist in the code (publishToTopic, publishGCM, publishAPNS)
• Missing DynamoDB dependency documentation
• Incorrect "direct credentials" warning (code actually uses default provider chain)

Updated CLAUDE.md includes: accurate API documentation, message flow diagram, DynamoDB IAM requirements, consumer list from codebase search, comprehensive gotchas from audit findings.

Files

• FINDINGS.md — Full audit report (Critical > High > Medium > Low > Agent Skill Improvements > Positive Observations)
• CLAUDE.md — Rewritten with accurate API docs, message flow, security considerations, gotchas

Test plan

• Review each finding against src/SA/SnsHandler.php source code
• Verify CLAUDE.md API documentation matches actual constructor and method signatures
• Confirm consumer list accuracy against sa_site_daemons codebase
• Prioritize Critical/High findings for remediation

🤖 Generated with Claude Code