medcore-bola-sweep
Official
Close BOLA gaps in patient-scoped routes
Author: Globussoft-Technologies
Version: 1.0.0
Installs: 0
System Documentation
What problem does it solve?
It reduces the risk of cross-patient data exposure (BOLA/IDOR) in MedCore’s API by auditing patient-reachable Express route handlers and ensuring each row access is correctly authorized.
Core Features & Use Cases
- Route file BOLA sweep: Scans a single apps/api/src/routes/ route file for /:id-style handlers and determines whether PATIENT callers can access resources they do not own.
- Patch or document outcomes: Applies assertPatientOwnsResource (with the correct parent/ownership argument shape) to patch real gaps, or adds an inline verified-safe / staff-only rationale.
- Per-route integration tests: Creates isolated apps/api/src/test/integration/cross-patient-<route>.test.ts coverage for PATCHED handlers to prevent regressions, without racing on shared test files.
- Batch-safe workflow support: Works as a paired step with /medcore-fanout to close Issue #511's long tail efficiently and safely.
Quick Start
Audit and patch a candidate route file by invoking this skill on apps/api/src/routes/<x>.ts, letting it scan PATIENT-reachable /:id handlers, apply assertPatientOwnsResource where needed, and generate a matching cross-patient-<route>.test.ts file.
Dependency Matrix
Required Modules: None required
Components: references
💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: medcore-bola-sweep Download link: https://github.com/Globussoft-Technologies/medcore/archive/main.zip#medcore-bola-sweep Please download this .zip file, extract it, and install it in the .claude/skills/ directory.