Sharing My Claude Code Plugin for Elixir Development

v2.3.0 adds five new skills and six security hooks.

The plugin now covers 19 skills across security, deployment, channels, telemetry, and JSON APIs alongside the existing LiveView, Ecto, and OTP coverage. The new security hooks run as you write code, blocking SQL injection, atom exhaustion, and open redirects, and warning on raw/1 usage, sensitive data in logs, and timing-unsafe comparisons.

New skills:

  • security-essentials - 7 rules: atom exhaustion, SQL injection, XSS, open redirects, sensitive logging, timing attacks, dependency auditing
  • deployment-gotchas - 7 rules: runtime.exs, release migrations, PHX_HOST/PHX_SERVER, asset deployment, secrets, health endpoints, log levels
  • phoenix-channels-essentials - 6 rules: socket auth, topic authorization, handle_in/push/broadcast, Presence, testing
  • telemetry-essentials - 6 rules: structured logging, handler attachment, Ecto telemetry events, LiveDashboard, metadata tagging
  • phoenix-json-api - 7 rules: :api pipeline, FallbackController, pagination, URL versioning, Bearer token auth, json/2

New security hooks:

  • atom-from-user-input (Blocking) - String.to_atom/1 on user input
  • unparameterized-sql-fragment (Blocking) - String interpolation in Ecto fragment
  • unsafe-redirect (Blocking) - Redirect to user-controlled URLs
  • raw-html-warning (Warning) - raw/1 usage
  • sensitive-logging (Warning) - password/token/secret in Logger calls
  • timing-unsafe-compare (Warning) - == with tokens/secrets
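As an added illustration (not code from the plugin or its author), the module below shows the hardened form of each pattern the six hooks look for, with a comment naming the flagged construct it replaces. Module, function and field names are made up for the example; it assumes Phoenix, Ecto and Plug are available.

```elixir
defmodule SafePatterns do
  @moduledoc "Hardened counterparts to the patterns flagged by the security hooks (example code)."
  import Ecto.Query, only: [from: 2]
  require Logger

  # atom-from-user-input: instead of String.to_atom(params["sort"]), map the
  # request value onto a fixed allowlist so no new atoms can ever be created.
  @sort_fields %{"name" => :name, "inserted_at" => :inserted_at}
  def sort_field(param), do: Map.get(@sort_fields, param, :inserted_at)

  # unparameterized-sql-fragment: keep SQL text static and bind values with ?/^.
  # Interpolating into the pinned *value* is fine; interpolating into the SQL is not.
  def search_users_query(pattern) do
    from(u in "users",
      where: fragment("? ILIKE ?", u.name, ^"%#{pattern}%"),
      select: u.id)
  end

  # unsafe-redirect: only forward to local paths. "//evil.example" is rejected,
  # everything else falls back to "/", so redirect(conn, to: ...) never leaves the app.
  def safe_return_to("//" <> _), do: "/"
  def safe_return_to("/" <> _ = path), do: path
  def safe_return_to(_), do: "/"

  # raw-html-warning: escape user-supplied markup instead of raw/1 on it.
  def render_comment(body) when is_binary(body), do: Phoenix.HTML.html_escape(body)

  # sensitive-logging: log an identifier as metadata, never the credential itself
  # (the flagged form is Logger.info("login failed for #{email} with #{password}")).
  def log_failed_login(user_id) do
    Logger.warning("login failed", user_id: user_id)
  end

  # timing-unsafe-compare: constant-time comparison instead of token == expected.
  # secure_compare/2 returns false for length mismatches without short-circuiting.
  def token_valid?(presented, expected)
      when is_binary(presented) and is_binary(expected) do
    Plug.Crypto.secure_compare(presented, expected)
  end
end
```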

Plugin at a glance:

  • 19 skills: Elixir, LiveView, Ecto, OTP, uploads, testing, auth, nested associations, changesets, PubSub, code quality, security, deployment, channels, telemetry, JSON API, authorization, auth customization, LiveView auth
  • 27 hooks: real-time blocking and warnings
  • 4 agent docs: detailed reference for complex tasks

GitHub: j-morgan6/elixir-phoenix-guide