@vigolium/piolium 0.0.1

package/skills/zeroize-audit/schemas/input.json

@@ -0,0 +1,83 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "zeroize-audit input",
+  "type": "object",
+  "properties": {
+    "path": { "type": "string", "description": "Repository root path" },
+    "compile_db": { "type": ["string", "null"], "default": null, "description": "Path to compile_commands.json for C/C++ analysis. Required if cargo_manifest is not set." },
+    "cargo_manifest": { "type": ["string", "null"], "default": null, "description": "Path to Cargo.toml for Rust crate analysis. Required if compile_db is not set." },
+    "config": { "type": ["string", "null"], "description": "Path to config YAML" },
+    "opt_levels": {
+      "type": "array",
+      "items": { "type": "string", "enum": ["O0", "O1", "O2", "O3", "Os", "Oz"] },
+      "default": ["O0", "O1", "O2"]
+    },
+    "languages": {
+      "type": "array",
+      "items": { "type": "string", "enum": ["c", "cpp", "rust"] },
+      "default": ["c", "cpp", "rust"]
+    },
+    "max_tus": { "type": "integer", "minimum": 1, "default": 50 },
+    "enable_semantic_ir": { "type": "boolean", "default": false, "description": "Enable semantic LLVM IR analysis" },
+    "enable_cfg": { "type": "boolean", "default": false, "description": "Enable control-flow graph analysis" },
+    "enable_runtime_tests": { "type": "boolean", "default": false, "description": "Enable runtime PoC test generation and execution" },
+    "enable_asm": { "type": "boolean", "default": true, "description": "Enable assembly emission and analysis" },
+    "mcp_mode": {
+      "type": "string",
+      "enum": ["off", "prefer", "require"],
+      "default": "prefer",
+      "description": "Control MCP semantic analysis usage"
+    },
+    "mcp_required_for_advanced": {
+      "type": "boolean",
+      "default": true,
+      "description": "Downgrade advanced findings when MCP semantic evidence is unavailable"
+    },
+    "mcp_timeout_ms": {
+      "type": "integer",
+      "minimum": 100,
+      "default": 10000,
+      "description": "Timeout budget for MCP semantic queries"
+    },
+    "poc_categories": {
+      "type": "array",
+      "items": {
+        "type": "string",
+        "enum": [
+          "MISSING_SOURCE_ZEROIZE",
+          "PARTIAL_WIPE",
+          "NOT_ON_ALL_PATHS",
+          "OPTIMIZED_AWAY_ZEROIZE",
+          "STACK_RETENTION",
+          "REGISTER_SPILL",
+          "SECRET_COPY",
+          "INSECURE_HEAP_ALLOC",
+          "MISSING_ON_ERROR_PATH",
+          "NOT_DOMINATING_EXITS",
+          "LOOP_UNROLLED_INCOMPLETE"
+        ]
+      },
+      "default": [
+        "MISSING_SOURCE_ZEROIZE",
+        "PARTIAL_WIPE",
+        "NOT_ON_ALL_PATHS",
+        "OPTIMIZED_AWAY_ZEROIZE",
+        "STACK_RETENTION",
+        "REGISTER_SPILL",
+        "SECRET_COPY",
+        "INSECURE_HEAP_ALLOC",
+        "MISSING_ON_ERROR_PATH",
+        "NOT_DOMINATING_EXITS",
+        "LOOP_UNROLLED_INCOMPLETE"
+      ],
+      "description": "Finding categories for which to generate PoCs"
+    },
+    "poc_output_dir": {
+      "type": ["string", "null"],
+      "default": null,
+      "description": "Output directory for generated PoCs (default: generated_pocs/)"
+    }
+  },
+  "required": ["path"],
+  "additionalProperties": false
+}

package/skills/zeroize-audit/schemas/output.json

@@ -0,0 +1,140 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "zeroize-audit output",
+  "type": "object",
+  "properties": {
+    "tool": { "type": "string", "const": "zeroize-audit" },
+    "version": { "type": "string" },
+    "summary": {
+      "type": "object",
+      "properties": {
+        "path": { "type": "string" },
+        "files_scanned": { "type": "integer", "minimum": 0 },
+        "translation_units_analyzed": { "type": "integer", "minimum": 0 },
+        "issues_found": { "type": "integer", "minimum": 0 },
+        "by_category": {
+          "type": "object",
+          "properties": {
+            "MISSING_SOURCE_ZEROIZE": { "type": "integer", "minimum": 0 },
+            "OPTIMIZED_AWAY_ZEROIZE": { "type": "integer", "minimum": 0 },
+            "PARTIAL_WIPE": { "type": "integer", "minimum": 0 },
+            "NOT_ON_ALL_PATHS": { "type": "integer", "minimum": 0 },
+            "STACK_RETENTION": { "type": "integer", "minimum": 0 },
+            "REGISTER_SPILL": { "type": "integer", "minimum": 0 },
+            "SECRET_COPY": { "type": "integer", "minimum": 0 },
+            "INSECURE_HEAP_ALLOC": { "type": "integer", "minimum": 0 },
+            "MISSING_ON_ERROR_PATH": { "type": "integer", "minimum": 0 },
+            "LOOP_UNROLLED_INCOMPLETE": { "type": "integer", "minimum": 0 },
+            "NOT_DOMINATING_EXITS": { "type": "integer", "minimum": 0 }
+          },
+          "required": [
+            "MISSING_SOURCE_ZEROIZE",
+            "OPTIMIZED_AWAY_ZEROIZE",
+            "PARTIAL_WIPE",
+            "NOT_ON_ALL_PATHS",
+            "STACK_RETENTION",
+            "REGISTER_SPILL",
+            "SECRET_COPY",
+            "INSECURE_HEAP_ALLOC",
+            "MISSING_ON_ERROR_PATH",
+            "LOOP_UNROLLED_INCOMPLETE",
+            "NOT_DOMINATING_EXITS"
+          ],
+          "additionalProperties": false
+        },
+        "poc_generation": {
+          "type": "object",
+          "properties": {
+            "pocs_generated": { "type": "integer", "minimum": 0 },
+            "pocs_requiring_adjustment": { "type": "integer", "minimum": 0 },
+            "output_dir": { "type": "string" },
+            "categories_covered": { "type": "array", "items": { "type": "string" } }
+          }
+        },
+        "poc_validation_summary": {
+          "type": "object",
+          "properties": {
+            "total_findings": { "type": "integer", "minimum": 0 },
+            "pocs_generated": { "type": "integer", "minimum": 0 },
+            "pocs_validated": { "type": "integer", "minimum": 0 },
+            "exploitable_confirmed": { "type": "integer", "minimum": 0 },
+            "not_exploitable": { "type": "integer", "minimum": 0 },
+            "compile_failures": { "type": "integer", "minimum": 0 },
+            "no_poc_generated": { "type": "integer", "minimum": 0 }
+          },
+          "required": ["total_findings", "pocs_generated", "pocs_validated", "exploitable_confirmed", "not_exploitable", "compile_failures", "no_poc_generated"],
+          "additionalProperties": false
+        }
+      },
+      "required": ["path", "files_scanned", "translation_units_analyzed", "issues_found", "by_category", "poc_validation_summary"],
+      "additionalProperties": false
+    },
+    "findings": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "id": { "type": "string" },
+          "category": {
+            "type": "string",
+            "enum": [
+              "MISSING_SOURCE_ZEROIZE",
+              "OPTIMIZED_AWAY_ZEROIZE",
+              "PARTIAL_WIPE",
+              "NOT_ON_ALL_PATHS",
+              "STACK_RETENTION",
+              "REGISTER_SPILL",
+              "SECRET_COPY",
+              "INSECURE_HEAP_ALLOC",
+              "MISSING_ON_ERROR_PATH",
+              "LOOP_UNROLLED_INCOMPLETE",
+              "NOT_DOMINATING_EXITS"
+            ]
+          },
+          "severity": { "type": "string", "enum": ["low", "medium", "high", "critical"] },
+          "confidence": { "type": "string", "enum": ["confirmed", "likely", "needs_review"] },
+          "language": { "type": "string", "enum": ["c", "cpp", "rust", "unknown"] },
+          "file": { "type": "string" },
+          "line": { "type": "integer", "minimum": 1 },
+          "symbol": { "type": ["string", "null"] },
+          "evidence": { "type": "string" },
+          "compiler_evidence": {
+            "type": ["object", "null"],
+            "properties": {
+              "opt_levels": { "type": "array", "items": { "type": "string" } },
+              "o0": { "type": ["string", "null"] },
+              "o1": { "type": ["string", "null"] },
+              "o2": { "type": ["string", "null"] },
+              "o3": { "type": ["string", "null"] },
+              "diff_summary": { "type": ["string", "null"] }
+            },
+            "required": ["opt_levels"],
+            "additionalProperties": false
+          },
+          "suggested_fix": { "type": "string" },
+          "poc": {
+            "type": "object",
+            "properties": {
+              "file": { "type": "string" },
+              "makefile_target": { "type": "string" },
+              "compile_opt": { "type": "string" },
+              "requires_manual_adjustment": { "type": "boolean" },
+              "adjustment_notes": { "type": ["string", "null"] },
+              "exit_code": { "type": ["integer", "null"] },
+              "validated": { "type": "boolean" },
+              "validation_result": {
+                "type": "string",
+                "enum": ["exploitable", "not_exploitable", "compile_failure", "no_poc", "pending"]
+              }
+            },
+            "required": ["file", "makefile_target", "compile_opt", "requires_manual_adjustment", "validated", "validation_result"]
+          }
+        },
+        "required": ["id", "category", "severity", "confidence", "language", "file", "line", "evidence", "suggested_fix", "poc"],
+        "additionalProperties": false
+      }
+    }
+  },
+  "required": ["tool", "version", "summary", "findings"],
+  "additionalProperties": false
+}

package/skills/zeroize-audit/tools/analyze_asm.sh

@@ -0,0 +1,202 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Analyze assembly for secret exposure patterns.
+#
+# Usage:
+#   analyze_asm.sh --asm path/to/file.s --symbol secret_func --out /tmp/analysis.json
+#
+# Detects:
+# - Register spills to stack (movq/movdqa %reg, -offset(%rbp/%rsp))
+# - Stack allocations that may retain secrets
+# - Missing red-zone clearing
+# - Secrets in callee-saved registers pushed to stack
+
+usage() {
+  echo "Usage: $0 --asm <file.s> --out <analysis.json> [--symbol <func_name>]" >&2
+}
+
+json_escape() {
+  local s="$1"
+  s="${s//\\/\\\\}"
+  s="${s//\"/\\\"}"
+  s="${s//$'\n'/\\n}"
+  s="${s//$'\t'/\\t}"
+  printf '%s' "$s"
+}
+
+ASM=""
+SYMBOL=""
+OUT=""
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --asm)
+      ASM="$2"
+      shift 2
+      ;;
+    --symbol)
+      SYMBOL="$2"
+      shift 2
+      ;;
+    --out)
+      OUT="$2"
+      shift 2
+      ;;
+    *)
+      echo "Unknown arg: $1" >&2
+      usage
+      exit 2
+      ;;
+  esac
+done
+
+if [[ -z "$ASM" || -z "$OUT" ]]; then
+  usage
+  exit 2
+fi
+
+if [[ ! -f "$ASM" ]]; then
+  echo "Assembly file not found: $ASM" >&2
+  exit 2
+fi
+
+# Extract function boundaries if symbol specified
+START_LINE=1
+END_LINE=$(wc -l <"$ASM")
+
+if [[ -n "$SYMBOL" ]]; then
+  # Find function start/end
+  START_LINE=$(grep -n "^${SYMBOL}:" "$ASM" | head -1 | cut -d: -f1 || echo "")
+  if [[ -z "$START_LINE" ]]; then
+    echo "WARNING: symbol '${SYMBOL}' not found in $ASM; analyzing full file" >&2
+    START_LINE=1
+  fi
+  # Find next function or end of file
+  END_LINE=$(tail -n +"$((START_LINE + 1))" "$ASM" | grep -n "^[a-zA-Z_][a-zA-Z0-9_]*:" | head -1 | cut -d: -f1 || echo "$(($(wc -l <"$ASM") - START_LINE + 1))")
+  END_LINE=$((START_LINE + END_LINE - 1))
+fi
+
+# Extract function body
+FUNC_ASM=$(sed -n "${START_LINE},${END_LINE}p" "$ASM")
+
+# Detect patterns
+REGISTER_SPILLS=()
+STACK_STORES=()
+CALLEE_SAVED_PUSHES=()
+STACK_SIZE=0
+RED_ZONE_CLEARED=false
+
+# Parse assembly
+while IFS= read -r line; do
+  # Skip comments and empty lines
+  [[ "$line" =~ ^[[:space:]]*# ]] && continue
+  [[ -z "${line// /}" ]] && continue
+
+  # Detect stack allocation (subq $size, %rsp)
+  if [[ "$line" =~ subq[[:space:]]+\$([0-9]+),[[:space:]]*%rsp ]]; then
+    STACK_SIZE="${BASH_REMATCH[1]}"
+  fi
+
+  # Detect register spills to stack (movq/movdqa/movaps %reg, -offset(%rsp/%rbp))
+  if [[ "$line" =~ (movq|movdqa|movaps|movups|vmovdqa|vmovaps)[[:space:]]+%([a-z0-9]+),[[:space:]]*-([0-9]+)\(%(rsp|rbp)\) ]]; then
+    REG="${BASH_REMATCH[2]}"
+    OFFSET="${BASH_REMATCH[3]}"
+    BASE="${BASH_REMATCH[4]}"
+    REGISTER_SPILLS+=("{\"register\": \"$REG\", \"offset\": -$OFFSET, \"base\": \"$BASE\", \"line\": \"$(json_escape "$line")\"}")
+  fi
+
+  # Detect stores to stack (mov* reg/imm, -offset(%rsp/%rbp))
+  if [[ "$line" =~ mov[a-z]*[[:space:]]+[^,]+,[[:space:]]*-([0-9]+)\(%(rsp|rbp)\) ]]; then
+    OFFSET="${BASH_REMATCH[1]}"
+    BASE="${BASH_REMATCH[2]}"
+    STACK_STORES+=("{\"offset\": -$OFFSET, \"base\": \"$BASE\", \"line\": \"$(json_escape "$line")\"}")
+  fi
+
+  # Detect callee-saved register pushes (pushq %rbx/%r12/%r13/%r14/%r15/%rbp)
+  if [[ "$line" =~ pushq[[:space:]]+%(rbx|r12|r13|r14|r15|rbp) ]]; then
+    REG="${BASH_REMATCH[1]}"
+    CALLEE_SAVED_PUSHES+=("{\"register\": \"$REG\", \"line\": \"$(json_escape "$line")\"}")
+  fi
+
+  # Detect red-zone clearing (movq $0, -offset(%rsp) for offset <= 128)
+  if [[ "$line" =~ movq[[:space:]]+\$0,[[:space:]]*-([0-9]+)\(%rsp\) ]]; then
+    OFFSET="${BASH_REMATCH[1]}"
+    if [[ "$OFFSET" -le 128 ]]; then
+      RED_ZONE_CLEARED=true
+    fi
+  fi
+
+done <<<"$FUNC_ASM"
+
+# Generate JSON report
+mkdir -p "$(dirname "$OUT")"
+
+cat >"$OUT" <<EOF
+{
+  "asm_file": "$ASM",
+  "symbol": "$SYMBOL",
+  "analysis": {
+    "stack_size": $STACK_SIZE,
+    "red_zone_cleared": $RED_ZONE_CLEARED,
+    "register_spills": [
+      $(
+  IFS=,
+  echo "${REGISTER_SPILLS[*]}"
+)
+    ],
+    "stack_stores": [
+      $(
+  IFS=,
+  echo "${STACK_STORES[*]}"
+)
+    ],
+    "callee_saved_pushes": [
+      $(
+  IFS=,
+  echo "${CALLEE_SAVED_PUSHES[*]}"
+)
+    ]
+  },
+  "warnings": []
+}
+EOF
+
+# Validate JSON output
+if command -v jq &>/dev/null; then
+  if ! jq empty "$OUT" 2>/dev/null; then
+    echo "ERROR: generated JSON is malformed: $OUT" >&2
+    exit 1
+  fi
+fi
+
+# Add warnings based on findings
+WARNINGS=()
+
+if [[ ${#REGISTER_SPILLS[@]} -gt 0 ]]; then
+  WARNINGS+=("{\"type\": \"REGISTER_SPILL\", \"message\": \"Found ${#REGISTER_SPILLS[@]} register spill(s) to stack. Spilled values may contain secrets.\"}")
+fi
+
+if [[ $STACK_SIZE -gt 0 ]] && [[ "$RED_ZONE_CLEARED" == "false" ]]; then
+  WARNINGS+=("{\"type\": \"STACK_RETENTION\", \"message\": \"Stack frame (${STACK_SIZE} bytes) may retain secrets after function return. Consider clearing red-zone.\"}")
+fi
+
+if [[ ${#CALLEE_SAVED_PUSHES[@]} -gt 0 ]]; then
+  WARNINGS+=("{\"type\": \"CALLEE_SAVED_SPILL\", \"message\": \"Callee-saved registers pushed to stack. If they contain secrets, stack will retain them.\"}")
+fi
+
+# Update JSON with warnings
+if [[ ${#WARNINGS[@]} -gt 0 ]]; then
+  WARNINGS_JSON=$(
+    IFS=,
+    echo "${WARNINGS[*]}"
+  )
+  if command -v jq &>/dev/null; then
+    TMP=$(mktemp)
+    jq ".warnings = [$WARNINGS_JSON]" "$OUT" >"$TMP" && mv "$TMP" "$OUT"
+  else
+    echo "WARNING: jq not found; warnings could not be added to output" >&2
+  fi
+fi
+
+echo "OK: assembly analysis written to $OUT"