AI Fix Prompts for Teesim

Fix a hardcoded credential in repository 'g960059__TeeSim'.

**Issue**: Hard-coded api_key found (Vault Token)
**File**: spike/pseudo-tee/main.ts
**Line**: 648
**Severity**: CRITICAL

**Current code around the issue:**
```
     643 |   camera.setParallelScale(parallelScale);
     644 |   renderer.resetCameraClippingRange();
     645 | }
     646 | 
     647 | function renderFindings(stats: RuntimeStats, controls: Controls): void {
>>>  648 |   const cpuInterpolationFinding = stats.linearInterpolationObserved
     649 |     ? `Linear interpolation produced a measurable delta vs nearest on the oblique slice (mean |Δ| ${stats.interpolationDeltaMean.toFixed(2)}, max ${stats.interpolationDeltaMax.toFixed(2)}), so the nearest-only comment in vtk.js typings appears stale for @kitware/vtk.js 35.5.2.`
     650 |     : `Nearest and linear produced no meaningful delta in this setup (mean |Δ| ${stats.interpolationDeltaMean.toFixed(4)}). That suggests the chosen plane/setup is not exposing a practical interpolation difference right now.`;
     651 |   const slabFinding = stats.slabCompositionObserved
     652 |     ? `A ${controls.slabMm} mm mean slab changed the reslice relative to a single-slice linear benchmark (mean |Δ| ${stats.slabDeltaMean.toFixed(2)}, max ${stats.slabDeltaMax.toFixed(2)}), so thick-slab composition is observably active in this setup.`
     653 |     : `A ${controls.slabMm} mm mean slab produced no meaningful delta vs the single-slice linear benchmark (mean |Δ| ${stats.slabDeltaMean.toFixed(4)}).`;
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'g960059__TeeSim'.

**Issue**: Hard-coded api_key found (Vault Token)
**File**: spike/pseudo-tee/main.ts
**Line**: 669
**Severity**: CRITICAL

**Current code around the issue:**
```
     664 |     ),
     665 |     findingMarkup(
     666 |       'vtkImageReslice',
     667 |       `CPU oblique reslice: ${stats.cpuResliceMs.toFixed(1)} ms. Sector mask + attenuation: ${stats.cpuMaskMs.toFixed(1)} ms. Active interpolation: ${controls.interpolation}. Thick slab: ${stats.slabSlices} slices (~${controls.slabMm} mm).`,
     668 |     ),
>>>  669 |     findingMarkup('Interpolation', cpuInterpolationFinding, !stats.linearInterpolationObserved),
     670 |     findingMarkup('Thick slab', slabFinding, !stats.slabCompositionObserved && stats.slabSlices > 1),
     671 |     findingMarkup(
     672 |       'vtkImageResliceMapper',
     673 |       `${gpuFinding} Render dispatch: ${stats.gpuRenderMs.toFixed(1)} ms.`,
     674 |       stats.gpuStatus !== 'ok' && !stats.gpuStatus.startsWith('ok ('),
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'g960059__TeeSim'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: src/assets/loader.ts
**Line**: 27
**Severity**: HIGH

**Current code around the issue:**
```
      22 |   approvedAt: null,
      23 |   status: 'pending' as const,
      24 | };
      25 | 
      26 | const fetchJson = async <T>(url: string): Promise<T> => {
>>>   27 |   const response = await fetch(url);
      28 |   if (!response.ok) {
      29 |     throw new Error(`Failed to fetch ${url}: ${response.status} ${response.statusText}`);
      30 |   }
      31 | 
      32 |   return (await response.json()) as T;
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Address OWASP A02 (Cryptographic Failures) compliance gap in 'g960059__TeeSim'.

**OWASP Category**: A02 -- Cryptographic Failures
**Fix guidance**: Remove hardcoded secrets, use strong encryption (AES-256-GCM), enforce TLS, never store passwords in plaintext (use bcrypt/argon2).

**Steps:**
1. Identify all code paths related to cryptographic failures
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments

Address OWASP A06 (Vulnerable Components) compliance gap in 'g960059__TeeSim'.

**OWASP Category**: A06 -- Vulnerable Components
**Fix guidance**: Update all dependencies to latest stable versions, remove unused dependencies, monitor for new CVEs.

**Steps:**
1. Identify all code paths related to vulnerable components
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments

Address OWASP A07 (Auth Failures) compliance gap in 'g960059__TeeSim'.

**OWASP Category**: A07 -- Auth Failures
**Fix guidance**: Implement proper session management, use MFA where possible, enforce strong passwords, protect against brute force.

**Steps:**
1. Identify all code paths related to auth failures
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments

Repository 'g960059__TeeSim' is failing the quality gate.

Failed conditions:
- overall_score: actual 0.0 >= 50 (FAILED)
- security_score: actual 0.0 >= 40 (FAILED)
- critical_credentials: actual 2.0 <= 0 (FAILED)

Fix each failing condition to make the repo pass the quality gate.

Repository 'g960059__TeeSim' has 4 open issues:

- [CRITICAL] Hard-coded api_key: Vault Token (spike/pseudo-tee/main.ts)
- [CRITICAL] Hard-coded api_key: Vault Token (spike/pseudo-tee/main.ts)
- [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (src/assets/loader.ts)
- [MEDIUM] GHSA-mh29-5h37-fv8m: js-yaml

Resolve each issue. For security issues, apply the appropriate fix. For quality issues, refactor the affected code.

Static analysis found 1 security issues in 'g960059__TeeSim':

- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at src/assets/loader.ts:27

For each finding:
- SQL injection: use parameterized queries
- Command injection: use subprocess with list args, no shell=True
- Path traversal: validate and sanitize paths
- Insecure deserialization: use json instead of pickle
- IaC misconfigs: apply the suggested fix from the rule