Real-World Examples

/dispatch do a security review of this project. use opus, do it in a worktree

# Security Audit

- [ ] Scan codebase for hardcoded secrets (API keys, tokens, passwords)
- [ ] Review authentication and authorization logic
- [ ] Check for SQL injection vulnerabilities
- [ ] Audit input validation and sanitization
- [ ] Review dependency versions for known CVEs
- [ ] Check CORS and CSP configurations
- [ ] Write findings report to .dispatch/tasks/security-audit/output.md

Dispatched security-audit using opus (worktree).
Plan: 7 items covering secrets, auth, injection, validation, deps, and config.

# Security Audit

- [x] Scan codebase for hardcoded secrets — found 2 instances in config.ts:14 and api/client.ts:8
- [x] Review authentication and authorization logic — JWT implementation looks solid
- [x] Check for SQL injection vulnerabilities — using parameterized queries throughout
- [ ] Audit input validation and sanitization (in progress)
- [ ] Review dependency versions for known CVEs
- [ ] Check CORS and CSP configurations  
- [ ] Write findings report

Worker is asking: "Found INFO-level logging of user emails in auth.ts:42. 
Should I flag this as a privacy concern?"

Yes, flag it. We should not log PII at INFO level.

security-audit complete. Found 4 issues:
1. Hardcoded API keys in config.ts:14 and api/client.ts:8 (CRITICAL)
2. No rate limiting on /api/login endpoint (HIGH)
3. User emails logged at INFO level in auth.ts:42 (MEDIUM)
4. Outdated dependency: [email protected] (CVE-2022-23529) (HIGH)

Full report at .dispatch/tasks/security-audit/output.md

/dispatch refactor the auth module to use JWT instead of sessions. use sonnet

# Refactor Auth to JWT

- [ ] Review current session-based implementation
- [ ] Install and configure jsonwebtoken library
- [ ] Create JWT signing and verification utilities
- [ ] Update login endpoint to issue JWT tokens
- [ ] Update authentication middleware to verify JWTs
- [ ] Update logout logic (client-side token removal)
- [ ] Write migration guide for existing users
- [ ] Update tests to cover JWT flow
- [ ] Write summary to .dispatch/tasks/auth-refactor/output.md

- [x] Review current session-based implementation — uses express-session with Redis
- [x] Install and configure jsonwebtoken library — added to package.json
- [x] Create JWT signing and verification utilities — utilities/jwt.ts created
- [x] Update login endpoint to issue JWT tokens — POST /auth/login now returns token
- [x] Update authentication middleware to verify JWTs — middleware/auth.ts updated
- [x] Update logout logic — now client-side token removal (no server state)
- [x] Write migration guide — docs/jwt-migration.md created
- [x] Update tests — all auth tests passing with JWT flow
- [x] Write summary

auth-refactor complete!

Refactored authentication from sessions to JWT:
- Created signing/verification utilities
- Updated login endpoint and auth middleware
- Migrated all tests
- Documented migration path for existing users

Changes ready for review. No breaking changes to API — clients just receive
tokens instead of session cookies.

/dispatch we launch Thursday, need a full pre-launch sweep:

1) security audit the auth flow (JWT, sessions, password reset) and the
   stripe payment integration. use opus, do it in a worktree

2) performance - load test the top 5 API endpoints, find N+1 queries,
   check db indexes on users/orders/products tables. sonnet in a worktree

3) frontend audit - accessibility (WCAG 2.1 AA), bundle size, flag any
   components missing error boundaries. dispatch sonnet

4) generate OpenAPI specs for every endpoint that's missing one. use gemini

5) error handling audit - find uncaught exceptions, missing try/catch,
   inconsistent error response formats across all API routes. sonnet, worktree

ask me if anything is unclear. security is highest priority - flag
anything critical immediately

All 5 workers dispatched with their monitors. Here's the summary:

Security (worktree):
  ● security-audit — Opus 4-6 (worktree): Full auth + payment security review

Performance (worktree):
  ● perf-audit — Sonnet 4-6 (worktree): API load testing + DB index review

Frontend (single worker):
  ● frontend-audit — Sonnet 4-6: Accessibility, bundle size, error boundaries

Docs (single worker):
  ● api-docs — Gemini 2.5 Flash: Generate missing OpenAPI specs

Error handling (worktree):
  ● error-handling — Sonnet 4-6 (worktree): Uncaught exceptions + error format audit

All running in background. Five workers, three models, three worktrees —
your session wrote five checklists and is idle. Dispatch more work or say
"status" anytime.

/dispatch status

Here's the current status:

● security-audit (opus, worktree) — 4/6 items complete
  ✓ Audit JWT implementation
  ✓ Review password reset flow
  ✓ Audit Stripe integration
  ✓ Check for timing attacks
  ⋯ Review session management (in progress)
  ○ Write findings report

● perf-audit (sonnet, worktree) — COMPLETE
  ✓ Load test top 5 endpoints
  ✓ Find N+1 queries
  ✓ Check database indexes
  ✓ Write performance report
  
  Found 3 N+1 queries and 2 missing indexes. Details in output.md.

● frontend-audit (sonnet) — 3/5 items complete
  ✓ Run accessibility audit
  ✓ Check bundle size
  ✓ Find components without error boundaries
  ⋯ Write findings report (in progress)
  ○ Commit report

● api-docs (gemini) — 2/3 items complete
  ✓ Scan for endpoints missing OpenAPI specs
  ✓ Generate specs for /auth endpoints
  ⋯ Generate specs for /users endpoints (in progress)
  ○ Generate specs for /orders endpoints

● error-handling (sonnet, worktree) — 1/4 items complete  
  ✓ Scan for uncaught exceptions
  ⋯ Find missing try/catch blocks (in progress)
  ○ Check error response consistency
  ○ Write findings report

Worker is asking: "Found a critical issue: Stripe webhook signature verification
is disabled in production config. This allows arbitrary payment events to be
injected. Should I halt and escalate immediately?"

Yes, halt the launch. Create a high-priority task to fix this.
Flag it in your report as CRITICAL BLOCKER.

All 5 tasks complete! Here's the summary:

✓ security-audit (opus, worktree)
  Found 1 CRITICAL issue (Stripe signature verification disabled),
  2 HIGH (rate limiting, outdated deps), 1 MEDIUM (PII logging).
  Report: .dispatch/tasks/security-audit/output.md

✓ perf-audit (sonnet, worktree)
  Found 3 N+1 queries in /orders endpoints, 2 missing indexes on
  users.email and orders.created_at.
  Report: .dispatch/tasks/perf-audit/output.md

✓ frontend-audit (sonnet)
  11 accessibility issues (all WCAG 2.1 AA violations), bundle size
  is 340KB (under 500KB target), 3 components missing error boundaries.
  Report: .dispatch/tasks/frontend-audit/output.md

✓ api-docs (gemini)
  Generated OpenAPI specs for 8 endpoints that were missing them.
  Specs committed to docs/openapi/.

✓ error-handling (sonnet, worktree)
  Found 5 uncaught exception paths, 12 inconsistent error response formats.
  Report: .dispatch/tasks/error-handling/output.md

**LAUNCH BLOCKER:** Stripe webhook signature verification is disabled.
Fix this before Thursday.

/dispatch fix the typo in README.md line 42 ("recieve" → "receive")

# Fix Typo in README

- [ ] Fix "recieve" → "receive" in README.md:42 and commit

Done! Fixed the typo and committed:

  fix: correct spelling of "receive" in README.md

commit: a3f8d92

/dispatch research the best design patterns for our new payment module.
use opus, output a proposal document

/dispatch implement the payment module using the factory pattern
recommended in .dispatch/tasks/payment-research/output.md.
use sonnet

/dispatch write comprehensive tests for the payment module. use sonnet