Context: I’m a developer who integrated snippets, libraries, templates, and LLM-generated code from external sources (GitHub, Hugging Face, blogs, gists, etc.). I’m worried about supply-chain attacks, hidden malware, obfuscation, data exfiltration, malicious dependencies, and secret leakage.

Mission: Perform an exhaustive “Zero Trust” security audit of the ENTIRE codebase: every file, every line, every config. Do NOT assume anything is safe just because it works. Assume compromise until disproven.

Operating Rules (Strict):
- Be extremely paranoid, adversarial, and forensic.
- If something is unclear, treat it as suspicious and explain why.
- Prefer evidence-based findings: point to exact file paths + line ranges.
- Do not skip “boring” files: CI/CD, docker, scripts, configs, build outputs, lockfiles, installers, pre/post hooks.
- Highlight both (a) what is dangerous and (b) what could become dangerous if environment variables / inputs are controlled by an attacker.