npm - @vigolium/piolium - Versions diffs - 0.0.1 - Mend

@vigolium/piolium 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (271) hide show

package/LICENSE +21 -0
package/README.md +117 -0
package/agents/access-auditor.md +300 -0
package/agents/assumption-breaker.md +154 -0
package/agents/attack-designer.md +116 -0
package/agents/code-scanner.md +139 -0
package/agents/concurrency-auditor.md +238 -0
package/agents/confirm-writer.md +257 -0
package/agents/context-reviewer.md +274 -0
package/agents/cross-verifier.md +165 -0
package/agents/cve-scout.md +381 -0
package/agents/env-builder.md +282 -0
package/agents/env-profiler.md +205 -0
package/agents/evidence-collector.md +140 -0
package/agents/finding-grader.md +142 -0
package/agents/finding-writer.md +148 -0
package/agents/flow-tracer.md +106 -0
package/agents/goal-backtracer.md +146 -0
package/agents/history-miner.md +467 -0
package/agents/independent-verifier.md +118 -0
package/agents/intent-mapper.md +183 -0
package/agents/longshot-collector.md +128 -0
package/agents/longshot-prober.md +126 -0
package/agents/patch-auditor.md +73 -0
package/agents/poc-author.md +124 -0
package/agents/poc-runner.md +194 -0
package/agents/probe-lead.md +269 -0
package/agents/red-challenger.md +101 -0
package/agents/report-composer.md +208 -0
package/agents/review-adjudicator.md +216 -0
package/agents/spec-auditor.md +155 -0
package/agents/taint-tracer.md +265 -0
package/agents/test-locator.md +209 -0
package/agents/threat-modeler.md +132 -0
package/agents/variant-scanner.md +108 -0
package/agents/variant-spotter.md +110 -0
package/bin/piolium.mjs +376 -0
package/extensions/piolium/_vendor/yaml.bundle.d.mts +6 -0
package/extensions/piolium/_vendor/yaml.bundle.mjs +139 -0
package/extensions/piolium/agent-runner.ts +322 -0
package/extensions/piolium/agents.ts +266 -0
package/extensions/piolium/audit-state.ts +522 -0
package/extensions/piolium/bundled-resources.ts +97 -0
package/extensions/piolium/candidate-scan.ts +966 -0
package/extensions/piolium/command-target.ts +177 -0
package/extensions/piolium/console-stream.ts +57 -0
package/extensions/piolium/export-results.ts +380 -0
package/extensions/piolium/findings.ts +448 -0
package/extensions/piolium/heartbeat.ts +182 -0
package/extensions/piolium/help.ts +234 -0
package/extensions/piolium/index.ts +1865 -0
package/extensions/piolium/longshot.ts +530 -0
package/extensions/piolium/matcher-suggestions.ts +196 -0
package/extensions/piolium/matcher-utils.ts +83 -0
package/extensions/piolium/modes/balanced.ts +750 -0
package/extensions/piolium/modes/confirm-bootstrap.ts +186 -0
package/extensions/piolium/modes/confirm.ts +697 -0
package/extensions/piolium/modes/deep.ts +917 -0
package/extensions/piolium/modes/diff.ts +177 -0
package/extensions/piolium/modes/lite.ts +540 -0
package/extensions/piolium/modes/longshot.ts +595 -0
package/extensions/piolium/modes/merge.ts +204 -0
package/extensions/piolium/modes/phase-runner.ts +267 -0
package/extensions/piolium/modes/reinvest.ts +546 -0
package/extensions/piolium/modes/revisit.ts +279 -0
package/extensions/piolium/modes.ts +48 -0
package/extensions/piolium/phase-labels.ts +123 -0
package/extensions/piolium/phase-status-strip.ts +92 -0
package/extensions/piolium/prompt-prefix-editor.ts +39 -0
package/extensions/piolium/providers/anthropic-vertex.ts +836 -0
package/extensions/piolium/recon.ts +409 -0
package/extensions/piolium/result-stats.ts +105 -0
package/extensions/piolium/retry.ts +120 -0
package/extensions/piolium/scheduler.ts +212 -0
package/extensions/piolium/secrets.ts +368 -0
package/extensions/piolium/tools/web-tools.ts +148 -0
package/package.json +77 -0
package/skills/agentic-actions-auditor/SKILL.md +327 -0
package/skills/agentic-actions-auditor/references/action-profiles.md +186 -0
package/skills/agentic-actions-auditor/references/cross-file-resolution.md +209 -0
package/skills/agentic-actions-auditor/references/foundations.md +94 -0
package/skills/agentic-actions-auditor/references/vector-a-env-var-intermediary.md +77 -0
package/skills/agentic-actions-auditor/references/vector-b-direct-expression-injection.md +83 -0
package/skills/agentic-actions-auditor/references/vector-c-cli-data-fetch.md +83 -0
package/skills/agentic-actions-auditor/references/vector-d-pr-target-checkout.md +88 -0
package/skills/agentic-actions-auditor/references/vector-e-error-log-injection.md +88 -0
package/skills/agentic-actions-auditor/references/vector-f-subshell-expansion.md +82 -0
package/skills/agentic-actions-auditor/references/vector-g-eval-of-ai-output.md +91 -0
package/skills/agentic-actions-auditor/references/vector-h-dangerous-sandbox-configs.md +102 -0
package/skills/agentic-actions-auditor/references/vector-i-wildcard-allowlists.md +88 -0
package/skills/audit/SKILL.md +562 -0
package/skills/audit/assets/icon.svg +7 -0
package/skills/audit/hooks/scripts/validate_phase_output.py +550 -0
package/skills/audit/references/adversarial-review.md +148 -0
package/skills/audit/references/architecture-aware-sast.md +306 -0
package/skills/audit/references/audit-workflow.md +737 -0
package/skills/audit/references/chamber-protocol.md +384 -0
package/skills/audit/references/creative-attack-modes.md +221 -0
package/skills/audit/references/deep-analysis.md +273 -0
package/skills/audit/references/domain-attack-playbooks.md +1129 -0
package/skills/audit/references/knowledge-base-template.md +513 -0
package/skills/audit/references/real-env-validation.md +191 -0
package/skills/audit/references/report-templates.md +417 -0
package/skills/audit/references/triage-and-prereqs.md +134 -0
package/skills/audit/scripts/consolidate_drafts.py +554 -0
package/skills/audit/scripts/partition_findings.py +152 -0
package/skills/audit/scripts/rg-hotspots.sh +121 -0
package/skills/audit/scripts/stamp_file_state.py +349 -0
package/skills/code-reviewer/SKILL.md +65 -0
package/skills/codeql/SKILL.md +281 -0
package/skills/codeql/references/build-fixes.md +90 -0
package/skills/codeql/references/diagnostic-query-templates.md +339 -0
package/skills/codeql/references/extension-yaml-format.md +209 -0
package/skills/codeql/references/important-only-suite.md +153 -0
package/skills/codeql/references/language-details.md +207 -0
package/skills/codeql/references/macos-arm64e-workaround.md +179 -0
package/skills/codeql/references/performance-tuning.md +111 -0
package/skills/codeql/references/quality-assessment.md +172 -0
package/skills/codeql/references/ruleset-catalog.md +63 -0
package/skills/codeql/references/run-all-suite.md +92 -0
package/skills/codeql/references/sarif-processing.md +79 -0
package/skills/codeql/references/threat-models.md +51 -0
package/skills/codeql/workflows/build-database.md +280 -0
package/skills/codeql/workflows/create-data-extensions.md +261 -0
package/skills/codeql/workflows/run-analysis.md +301 -0
package/skills/differential-review/SKILL.md +220 -0
package/skills/differential-review/adversarial.md +203 -0
package/skills/differential-review/methodology.md +234 -0
package/skills/differential-review/patterns.md +300 -0
package/skills/differential-review/reporting.md +369 -0
package/skills/fp-check/SKILL.md +125 -0
package/skills/fp-check/references/bug-class-verification.md +114 -0
package/skills/fp-check/references/deep-verification.md +143 -0
package/skills/fp-check/references/evidence-templates.md +91 -0
package/skills/fp-check/references/false-positive-patterns.md +115 -0
package/skills/fp-check/references/gate-reviews.md +27 -0
package/skills/fp-check/references/standard-verification.md +78 -0
package/skills/insecure-defaults/SKILL.md +117 -0
package/skills/insecure-defaults/references/examples.md +409 -0
package/skills/last30days/SKILL.md +444 -0
package/skills/sarif-parsing/SKILL.md +483 -0
package/skills/sarif-parsing/resources/jq-queries.md +162 -0
package/skills/sarif-parsing/resources/sarif_helpers.py +331 -0
package/skills/security-threat-model/LICENSE.txt +201 -0
package/skills/security-threat-model/SKILL.md +81 -0
package/skills/security-threat-model/agents/openai.yaml +4 -0
package/skills/security-threat-model/references/prompt-template.md +255 -0
package/skills/security-threat-model/references/security-controls-and-assets.md +32 -0
package/skills/semgrep/SKILL.md +212 -0
package/skills/semgrep/references/rulesets.md +162 -0
package/skills/semgrep/references/scan-modes.md +110 -0
package/skills/semgrep/references/scanner-task-prompt.md +140 -0
package/skills/semgrep/scripts/merge_sarif.py +203 -0
package/skills/semgrep/workflows/scan-workflow.md +311 -0
package/skills/semgrep-rule-creator/SKILL.md +168 -0
package/skills/semgrep-rule-creator/references/quick-reference.md +202 -0
package/skills/semgrep-rule-creator/references/workflow.md +240 -0
package/skills/semgrep-rule-variant-creator/SKILL.md +205 -0
package/skills/semgrep-rule-variant-creator/references/applicability-analysis.md +250 -0
package/skills/semgrep-rule-variant-creator/references/language-syntax-guide.md +324 -0
package/skills/semgrep-rule-variant-creator/references/workflow.md +518 -0
package/skills/sharp-edges/SKILL.md +292 -0
package/skills/sharp-edges/references/auth-patterns.md +252 -0
package/skills/sharp-edges/references/case-studies.md +274 -0
package/skills/sharp-edges/references/config-patterns.md +333 -0
package/skills/sharp-edges/references/crypto-apis.md +190 -0
package/skills/sharp-edges/references/lang-c.md +205 -0
package/skills/sharp-edges/references/lang-csharp.md +285 -0
package/skills/sharp-edges/references/lang-go.md +270 -0
package/skills/sharp-edges/references/lang-java.md +263 -0
package/skills/sharp-edges/references/lang-javascript.md +269 -0
package/skills/sharp-edges/references/lang-kotlin.md +265 -0
package/skills/sharp-edges/references/lang-php.md +245 -0
package/skills/sharp-edges/references/lang-python.md +274 -0
package/skills/sharp-edges/references/lang-ruby.md +273 -0
package/skills/sharp-edges/references/lang-rust.md +272 -0
package/skills/sharp-edges/references/lang-swift.md +287 -0
package/skills/sharp-edges/references/language-specific.md +588 -0
package/skills/spec-to-code-compliance/SKILL.md +357 -0
package/skills/spec-to-code-compliance/resources/COMPLETENESS_CHECKLIST.md +69 -0
package/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md +417 -0
package/skills/spec-to-code-compliance/resources/OUTPUT_REQUIREMENTS.md +105 -0
package/skills/supply-chain-risk-auditor/SKILL.md +67 -0
package/skills/supply-chain-risk-auditor/resources/results-template.md +41 -0
package/skills/variant-analysis/METHODOLOGY.md +327 -0
package/skills/variant-analysis/SKILL.md +142 -0
package/skills/variant-analysis/resources/codeql/cpp.ql +119 -0
package/skills/variant-analysis/resources/codeql/go.ql +69 -0
package/skills/variant-analysis/resources/codeql/java.ql +71 -0
package/skills/variant-analysis/resources/codeql/javascript.ql +63 -0
package/skills/variant-analysis/resources/codeql/python.ql +80 -0
package/skills/variant-analysis/resources/semgrep/cpp.yaml +98 -0
package/skills/variant-analysis/resources/semgrep/go.yaml +63 -0
package/skills/variant-analysis/resources/semgrep/java.yaml +61 -0
package/skills/variant-analysis/resources/semgrep/javascript.yaml +60 -0
package/skills/variant-analysis/resources/semgrep/python.yaml +72 -0
package/skills/variant-analysis/resources/variant-report-template.md +75 -0
package/skills/vuln-report/SKILL.md +137 -0
package/skills/vuln-report/agents/openai.yaml +4 -0
package/skills/vuln-report/references/report-template.md +135 -0
package/skills/wooyun-legacy/SKILL.md +367 -0
package/skills/wooyun-legacy/references/bank-penetration.md +222 -0
package/skills/wooyun-legacy/references/checklists/command-execution-checklist.md +119 -0
package/skills/wooyun-legacy/references/checklists/csrf-checklist.md +74 -0
package/skills/wooyun-legacy/references/checklists/file-upload-checklist.md +108 -0
package/skills/wooyun-legacy/references/checklists/info-disclosure-checklist.md +114 -0
package/skills/wooyun-legacy/references/checklists/logic-flaws-checklist.md +95 -0
package/skills/wooyun-legacy/references/checklists/misconfig-checklist.md +124 -0
package/skills/wooyun-legacy/references/checklists/path-traversal-checklist.md +87 -0
package/skills/wooyun-legacy/references/checklists/rce-checklist.md +93 -0
package/skills/wooyun-legacy/references/checklists/sql-injection-checklist.md +97 -0
package/skills/wooyun-legacy/references/checklists/ssrf-checklist.md +99 -0
package/skills/wooyun-legacy/references/checklists/unauthorized-access-checklist.md +89 -0
package/skills/wooyun-legacy/references/checklists/weak-password-checklist.md +115 -0
package/skills/wooyun-legacy/references/checklists/xss-checklist.md +103 -0
package/skills/wooyun-legacy/references/checklists/xxe-checklist.md +130 -0
package/skills/wooyun-legacy/references/info-disclosure.md +975 -0
package/skills/wooyun-legacy/references/logic-flaws.md +721 -0
package/skills/wooyun-legacy/references/path-traversal.md +1191 -0
package/skills/wooyun-legacy/references/telecom-penetration.md +156 -0
package/skills/wooyun-legacy/references/unauthorized-access.md +980 -0
package/skills/wooyun-legacy/references/xss.md +746 -0
package/skills/zeroize-audit/SKILL.md +371 -0
package/skills/zeroize-audit/configs/c.yaml +21 -0
package/skills/zeroize-audit/configs/default.yaml +128 -0
package/skills/zeroize-audit/configs/rust.yaml +83 -0
package/skills/zeroize-audit/prompts/report_template.md +238 -0
package/skills/zeroize-audit/prompts/system.md +163 -0
package/skills/zeroize-audit/prompts/task.md +97 -0
package/skills/zeroize-audit/references/compile-commands.md +231 -0
package/skills/zeroize-audit/references/detection-strategy.md +191 -0
package/skills/zeroize-audit/references/ir-analysis.md +252 -0
package/skills/zeroize-audit/references/mcp-analysis.md +221 -0
package/skills/zeroize-audit/references/poc-generation.md +470 -0
package/skills/zeroize-audit/references/rust-zeroization-patterns.md +867 -0
package/skills/zeroize-audit/schemas/input.json +83 -0
package/skills/zeroize-audit/schemas/output.json +140 -0
package/skills/zeroize-audit/tools/analyze_asm.sh +202 -0
package/skills/zeroize-audit/tools/analyze_cfg.py +381 -0
package/skills/zeroize-audit/tools/analyze_heap.sh +211 -0
package/skills/zeroize-audit/tools/analyze_ir_semantic.py +429 -0
package/skills/zeroize-audit/tools/diff_ir.sh +135 -0
package/skills/zeroize-audit/tools/diff_rust_mir.sh +189 -0
package/skills/zeroize-audit/tools/emit_asm.sh +67 -0
package/skills/zeroize-audit/tools/emit_ir.sh +77 -0
package/skills/zeroize-audit/tools/emit_rust_asm.sh +178 -0
package/skills/zeroize-audit/tools/emit_rust_ir.sh +150 -0
package/skills/zeroize-audit/tools/emit_rust_mir.sh +158 -0
package/skills/zeroize-audit/tools/extract_compile_flags.py +284 -0
package/skills/zeroize-audit/tools/generate_poc.py +1329 -0
package/skills/zeroize-audit/tools/mcp/apply_confidence_gates.py +113 -0
package/skills/zeroize-audit/tools/mcp/check_mcp.sh +68 -0
package/skills/zeroize-audit/tools/mcp/normalize_mcp_evidence.py +125 -0
package/skills/zeroize-audit/tools/scripts/check_llvm_patterns.py +481 -0
package/skills/zeroize-audit/tools/scripts/check_mir_patterns.py +554 -0
package/skills/zeroize-audit/tools/scripts/check_rust_asm.py +424 -0
package/skills/zeroize-audit/tools/scripts/check_rust_asm_aarch64.py +300 -0
package/skills/zeroize-audit/tools/scripts/check_rust_asm_x86.py +283 -0
package/skills/zeroize-audit/tools/scripts/find_dangerous_apis.py +375 -0
package/skills/zeroize-audit/tools/scripts/semantic_audit.py +923 -0
package/skills/zeroize-audit/tools/track_dataflow.sh +196 -0
package/skills/zeroize-audit/tools/validate_rust_toolchain.sh +298 -0
package/skills/zeroize-audit/workflows/phase-0-preflight.md +150 -0
package/skills/zeroize-audit/workflows/phase-1-source-analysis.md +144 -0
package/skills/zeroize-audit/workflows/phase-2-compiler-analysis.md +139 -0
package/skills/zeroize-audit/workflows/phase-3-interim-report.md +46 -0
package/skills/zeroize-audit/workflows/phase-4-poc-generation.md +46 -0
package/skills/zeroize-audit/workflows/phase-5-poc-validation.md +136 -0
package/skills/zeroize-audit/workflows/phase-6-final-report.md +44 -0
package/skills/zeroize-audit/workflows/phase-7-test-generation.md +42 -0
package/themes/piolium-srcery.json +94 -0

package/skills/zeroize-audit/tools/diff_rust_mir.sh ADDED Viewed

@@ -0,0 +1,189 @@
+#!/usr/bin/env bash
+# diff_rust_mir.sh — Normalize and diff Rust MIR across optimization levels.
+#
+# Compares MIR output from different optimization levels to detect zeroize-
+# related transformations: drop glue removal, StorageDead elimination, and
+# zeroize call elimination.
+#
+# Exit codes:
+#   0  all files are identical after normalization
+#   1  at least one diff found (or wipe patterns disappeared)
+#   2  argument error
+#
+# Usage (two-file, backward-compatible):
+#   diff_rust_mir.sh <O0.mir> <O2.mir>
+#
+# Usage (multi-level — recommended):
+#   diff_rust_mir.sh <O0.mir> <O1.mir> <O2.mir> [<O3.mir> ...]
+#
+# Output:
+# - Unified diff for each pair of adjacent files.
+# - For 3+ files, a ZEROIZE PATTERN SUMMARY identifying the first opt level
+#   at which patterns disappear.
+#
+# Wipe patterns detected:
+#   zeroize::, Zeroize::zeroize, volatile_set_memory, drop_in_place,
+#   StorageDead for sensitive locals, ptr::write_bytes
+set -euo pipefail
+usage() {
+  cat <<'EOF'
+Usage:
+  diff_rust_mir.sh <baseline.mir> <file2.mir> [<file3.mir> ...]
+Compares Rust MIR files across optimization levels. Normalizes away noisy
+metadata (source locations, scope info, storage annotations) and diffs
+the semantic content. Detects disappearance of zeroize-related patterns.
+Examples:
+  diff_rust_mir.sh crate.O0.mir crate.O2.mir
+  diff_rust_mir.sh crate.O0.mir crate.O1.mir crate.O2.mir crate.O3.mir
+EOF
+}
+if [[ $# -lt 2 ]]; then
+  usage
+  exit 2
+fi
+for f in "$@"; do
+  if [[ ! -f "$f" ]]; then
+    echo "diff_rust_mir.sh: missing file: $f" >&2
+    exit 2
+  fi
+done
+# ---------------------------------------------------------------------------
+# Normalization: strip noisy metadata that changes between opt levels
+# but is semantically irrelevant for zeroize analysis.
+# ---------------------------------------------------------------------------
+norm() {
+  sed -E \
+    -e '/^\/\/ WARNING:/d' \
+    -e '/^\/\/ MIR for/d' \
+    -e 's/scope [0-9]+ at [^ ]+:[0-9]+:[0-9]+/scope N at <loc>/g' \
+    -e 's/at [^ ]+\.rs:[0-9]+:[0-9]+/at <loc>/g' \
+    -e 's/\/\/ .*$//g' \
+    -e '/^\s*$/d'
+}
+# ---------------------------------------------------------------------------
+# Pattern detection: Rust MIR zeroize-related constructs
+# ---------------------------------------------------------------------------
+has_zeroize_pattern() {
+  grep -qE \
+    'zeroize::|Zeroize::zeroize|volatile_set_memory|ptr::write_bytes|drop_in_place.*[Kk]ey|drop_in_place.*[Ss]ecret|drop_in_place.*[Pp]assword|drop_in_place.*[Tt]oken|drop_in_place.*[Nn]once|drop_in_place.*[Ss]eed|drop_in_place.*[Pp]riv|Zeroizing|ZeroizeOnDrop' \
+    "$1"
+}
+has_drop_glue() {
+  grep -qE 'drop_in_place|drop\(_[0-9]+\)' "$1"
+}
+# shellcheck disable=SC2329,SC2317 # invoked indirectly by agent prompts
+has_storage_dead_sensitive() {
+  grep -qE 'StorageDead\(_[0-9]+\)' "$1" &&
+    grep -qE '(key|secret|password|token|nonce|seed|priv|master|credential)' "$1"
+}
+# ---------------------------------------------------------------------------
+# Setup
+# ---------------------------------------------------------------------------
+FILES=("$@")
+NUM_FILES=${#FILES[@]}
+TMPDIR_BASE="$(mktemp -d -t za-mir-XXXXXX)"
+trap 'rm -rf "$TMPDIR_BASE"' EXIT
+NORMFILES=()
+for i in "${!FILES[@]}"; do
+  tmp="$TMPDIR_BASE/norm_${i}.mir"
+  norm <"${FILES[$i]}" >"$tmp"
+  NORMFILES+=("$tmp")
+done
+# ---------------------------------------------------------------------------
+# Two-file mode: backward-compatible, single diff, no summary.
+# ---------------------------------------------------------------------------
+if [[ $NUM_FILES -eq 2 ]]; then
+  diff_rc=0
+  diff -u "${NORMFILES[0]}" "${NORMFILES[1]}" || diff_rc=$?
+  if [[ $diff_rc -eq 2 ]]; then
+    echo "diff_rust_mir.sh: diff failed (internal error)" >&2
+    exit 1
+  fi
+  exit $diff_rc
+fi
+# ---------------------------------------------------------------------------
+# Multi-file mode: pairwise diffs + zeroize pattern summary.
+# ---------------------------------------------------------------------------
+any_diff=0
+for ((i = 0; i < NUM_FILES - 1; i++)); do
+  j=$((i + 1))
+  A_LABEL="$(basename "${FILES[$i]}")"
+  B_LABEL="$(basename "${FILES[$j]}")"
+  echo "=== DIFF File $((i + 1)) ($A_LABEL) vs File $((j + 1)) ($B_LABEL) ==="
+  if ! diff -u --label "$A_LABEL" --label "$B_LABEL" \
+    "${NORMFILES[$i]}" "${NORMFILES[$j]}"; then
+    any_diff=1
+  fi
+  echo ""
+done
+# ---------------------------------------------------------------------------
+# Zeroize pattern summary
+# ---------------------------------------------------------------------------
+echo "=== ZEROIZE PATTERN SUMMARY ==="
+first_absent=-1
+for i in "${!NORMFILES[@]}"; do
+  LABEL="$(basename "${FILES[$i]}")"
+  if has_zeroize_pattern "${NORMFILES[$i]}"; then
+    echo "  File $((i + 1)) ($LABEL): ZEROIZE CALLS PRESENT"
+  else
+    echo "  File $((i + 1)) ($LABEL): ZEROIZE CALLS ABSENT"
+    if [[ $first_absent -eq -1 ]]; then
+      first_absent=$i
+    fi
+  fi
+done
+echo ""
+# ---------------------------------------------------------------------------
+# Drop glue summary
+# ---------------------------------------------------------------------------
+echo "=== DROP GLUE SUMMARY ==="
+first_drop_absent=-1
+for i in "${!NORMFILES[@]}"; do
+  LABEL="$(basename "${FILES[$i]}")"
+  if has_drop_glue "${NORMFILES[$i]}"; then
+    echo "  File $((i + 1)) ($LABEL): DROP GLUE PRESENT"
+  else
+    echo "  File $((i + 1)) ($LABEL): DROP GLUE ABSENT"
+    if [[ $first_drop_absent -eq -1 ]]; then
+      first_drop_absent=$i
+    fi
+  fi
+done
+echo ""
+# ---------------------------------------------------------------------------
+# Verdict
+# ---------------------------------------------------------------------------
+if [[ $first_absent -ne -1 ]]; then
+  LABEL="$(basename "${FILES[$first_absent]}")"
+  echo "WARNING: Zeroize patterns first disappear at File $((first_absent + 1)) ($LABEL)."
+  echo "  Evidence: OPTIMIZED_AWAY_ZEROIZE — zeroize calls present at lower opt level(s) but absent here."
+  any_diff=1
+elif [[ $first_drop_absent -ne -1 ]]; then
+  LABEL="$(basename "${FILES[$first_drop_absent]}")"
+  echo "WARNING: Drop glue first disappears at File $((first_drop_absent + 1)) ($LABEL)."
+  echo "  Evidence: Drop glue present at lower opt level(s) but absent here — sensitive type drop may be inlined or elided."
+  any_diff=1
+else
+  echo "OK: Zeroize patterns and drop glue present at all opt levels analyzed."
+fi
+exit $any_diff

package/skills/zeroize-audit/tools/emit_asm.sh ADDED Viewed

@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Emit assembly for a given translation unit.
+#
+# Usage:
+#   emit_asm.sh --cc clang --src path/to/file.c --out /tmp/file.s --opt O2 -- <extra compile args>
+usage() {
+  echo "Usage: $0 --src <file> --out <out.s> [--cc clang] [--opt O0|O1|O2|O3|Os|Oz] -- <extra args>" >&2
+}
+CC="clang"
+SRC=""
+OUT=""
+OPT="O0"
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --cc)
+      CC="$2"
+      shift 2
+      ;;
+    --src)
+      SRC="$2"
+      shift 2
+      ;;
+    --out)
+      OUT="$2"
+      shift 2
+      ;;
+    --opt)
+      OPT="$2"
+      shift 2
+      ;;
+    --)
+      shift
+      break
+      ;;
+    *)
+      echo "Unknown arg: $1" >&2
+      usage
+      exit 2
+      ;;
+  esac
+done
+if [[ -z "$SRC" || -z "$OUT" ]]; then
+  usage
+  exit 2
+fi
+case "$OPT" in
+  O0 | O1 | O2 | O3 | Os | Oz) ;;
+  *)
+    echo "Invalid --opt: $OPT" >&2
+    usage
+    exit 2
+    ;;
+esac
+EXTRA=("$@")
+mkdir -p "$(dirname "$OUT")"
+"$CC" "-$OPT" -S "$SRC" -o "$OUT" ${EXTRA[@]+"${EXTRA[@]}"}
+echo "OK: wrote asm to $OUT"

package/skills/zeroize-audit/tools/emit_ir.sh ADDED Viewed

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Emit LLVM IR for a given translation unit.
+#
+# Usage:
+#   emit_ir.sh --cc clang --src path/to/file.c --out /tmp/file.ll --opt O2 -- <extra compile args>
+#
+# Notes:
+# - Use `--` to pass through extra include/define flags.
+# - We intentionally do not attempt to parse compile_commands.json here.
+#   Your runner should extract the TU command and pass flags after `--`.
+usage() {
+  echo "Usage: $0 --src <file> --out <out.ll> [--cc clang] [--opt O0|O1|O2|O3|Os|Oz] -- <extra args>" >&2
+}
+CC="clang"
+SRC=""
+OUT=""
+OPT="O0"
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --cc)
+      CC="$2"
+      shift 2
+      ;;
+    --src)
+      SRC="$2"
+      shift 2
+      ;;
+    --out)
+      OUT="$2"
+      shift 2
+      ;;
+    --opt)
+      OPT="$2"
+      shift 2
+      ;;
+    --)
+      shift
+      break
+      ;;
+    *)
+      echo "Unknown arg: $1" >&2
+      usage
+      exit 2
+      ;;
+  esac
+done
+if [[ -z "$SRC" || -z "$OUT" ]]; then
+  usage
+  exit 2
+fi
+# Normalize OPT -> clang flag
+case "$OPT" in
+  O0 | O1 | O2 | O3 | Os | Oz) ;;
+  *)
+    echo "Invalid --opt: $OPT" >&2
+    usage
+    exit 2
+    ;;
+esac
+# Extra args after --
+EXTRA=("$@")
+# Ensure output dir exists
+mkdir -p "$(dirname "$OUT")"
+# Emit IR
+"$CC" "-$OPT" -S -emit-llvm "$SRC" -o "$OUT" ${EXTRA[@]+"${EXTRA[@]}"}
+echo "OK: wrote IR to $OUT"

package/skills/zeroize-audit/tools/emit_rust_asm.sh ADDED Viewed

@@ -0,0 +1,178 @@
+#!/usr/bin/env bash
+# emit_rust_asm.sh — Emit Rust assembly for zeroize analysis.
+#
+# Exit codes:
+#   0  success
+#   1  build/output failure
+#   2  argument error
+set -euo pipefail
+usage() {
+  cat <<'EOF'
+Usage:
+  emit_rust_asm.sh --manifest <Cargo.toml> --out <path> [options] [-- <extra cargo rustc args>]
+Options:
+  --manifest <file>        Cargo manifest path (required)
+  --out <path>             Output .s file or directory (required)
+  --opt <O0|O1|O2|O3>      Opt level (default: O2)
+  --crate <pkg>            Workspace package (-p)
+  --bin <target>           Build only a specific bin target
+  --lib                    Build only the lib target
+  --target <triple>        Cross-compile target (e.g. x86_64-unknown-linux-gnu)
+  --intel-syntax           Emit Intel syntax instead of AT&T (default: AT&T)
+  --help                   Show this help text
+Examples:
+  emit_rust_asm.sh --manifest Cargo.toml --opt O2 --out /tmp/crate.O2.s
+  emit_rust_asm.sh --manifest Cargo.toml --opt O0 --out /tmp/asm/ --lib
+  emit_rust_asm.sh --manifest Cargo.toml --out /tmp/crate.O2.s --crate mycrate --target x86_64-unknown-linux-gnu
+EOF
+}
+die_arg() {
+  echo "emit_rust_asm.sh: $*" >&2
+  exit 2
+}
+die_run() {
+  echo "emit_rust_asm.sh: $*" >&2
+  exit 1
+}
+require_value() {
+  local opt="$1"
+  local val="${2-}"
+  [[ -n "$val" ]] || die_arg "missing value for ${opt}"
+}
+MANIFEST=""
+OUT=""
+OPT="O2"
+CRATE=""
+BIN_TARGET=""
+LIB_TARGET=false
+TARGET_TRIPLE=""
+INTEL_SYNTAX=false
+EXTRA_ARGS=()
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --manifest)
+      require_value "$1" "${2-}"
+      MANIFEST="$2"
+      shift 2
+      ;;
+    --out)
+      require_value "$1" "${2-}"
+      OUT="$2"
+      shift 2
+      ;;
+    --opt)
+      require_value "$1" "${2-}"
+      OPT="$2"
+      shift 2
+      ;;
+    --crate)
+      require_value "$1" "${2-}"
+      CRATE="$2"
+      shift 2
+      ;;
+    --bin)
+      require_value "$1" "${2-}"
+      BIN_TARGET="$2"
+      shift 2
+      ;;
+    --lib)
+      LIB_TARGET=true
+      shift
+      ;;
+    --target)
+      require_value "$1" "${2-}"
+      TARGET_TRIPLE="$2"
+      shift 2
+      ;;
+    --intel-syntax)
+      INTEL_SYNTAX=true
+      shift
+      ;;
+    --help | -h)
+      usage
+      exit 0
+      ;;
+    --)
+      shift
+      EXTRA_ARGS=("$@")
+      break
+      ;;
+    *)
+      die_arg "unknown argument: $1"
+      ;;
+  esac
+done
+[[ -n "$MANIFEST" ]] || die_arg "--manifest is required"
+[[ -n "$OUT" ]] || die_arg "--out is required"
+[[ -f "$MANIFEST" ]] || die_run "manifest not found: $MANIFEST"
+[[ -n "$BIN_TARGET" && "$LIB_TARGET" == true ]] && die_arg "--bin and --lib are mutually exclusive"
+case "$OPT" in
+  O0) LEVEL="0" ;;
+  O1) LEVEL="1" ;;
+  O2) LEVEL="2" ;;
+  O3) LEVEL="3" ;;
+  *) die_arg "unsupported opt level: $OPT (use O0, O1, O2, O3)" ;;
+esac
+OUT_IS_FILE=false
+if [[ "$OUT" == *.s || "$OUT" == *.asm ]]; then
+  OUT_IS_FILE=true
+  mkdir -p "$(dirname "$OUT")"
+else
+  mkdir -p "$OUT"
+fi
+CARGO_ARGS=(+nightly rustc --manifest-path "$MANIFEST")
+[[ -n "$CRATE" ]] && CARGO_ARGS+=("-p" "$CRATE")
+[[ -n "$BIN_TARGET" ]] && CARGO_ARGS+=("--bin" "$BIN_TARGET")
+[[ "$LIB_TARGET" == true ]] && CARGO_ARGS+=("--lib")
+[[ -n "$TARGET_TRIPLE" ]] && CARGO_ARGS+=("--target" "$TARGET_TRIPLE")
+RUSTC_FLAGS=(--emit=asm -C "opt-level=$LEVEL")
+[[ "$INTEL_SYNTAX" == true ]] && RUSTC_FLAGS+=(-C "llvm-args=-x86-asm-syntax=intel")
+TARGET_DIR="${TMPDIR:-/tmp}/zeroize_rust_asm_${LEVEL}_$$"
+rm -rf "$TARGET_DIR"
+mkdir -p "$TARGET_DIR"
+echo "=== emit_rust_asm.sh ==="
+echo "manifest: $MANIFEST"
+echo "opt:      $OPT"
+echo "target:   $TARGET_DIR"
+echo "output:   $OUT"
+[[ -n "$TARGET_TRIPLE" ]] && echo "triple:   $TARGET_TRIPLE"
+[[ "$INTEL_SYNTAX" == true ]] && echo "syntax:   intel"
+if ! CARGO_TARGET_DIR="$TARGET_DIR" cargo "${CARGO_ARGS[@]}" \
+  "${EXTRA_ARGS[@]+"${EXTRA_ARGS[@]}"}" \
+  -- "${RUSTC_FLAGS[@]}"; then
+  die_run "cargo rustc failed for opt=${OPT}"
+fi
+declare -a ASM_FILES=()
+while IFS= read -r file; do
+  ASM_FILES+=("$file")
+done < <(find "$TARGET_DIR" -type f -name "*.s" | LC_ALL=C sort)
+[[ "${#ASM_FILES[@]}" -gt 0 ]] || die_run "no .s files found under $TARGET_DIR"
+if [[ "$OUT_IS_FILE" == true ]]; then
+  : >"$OUT"
+  for file in "${ASM_FILES[@]}"; do
+    cat "$file" >>"$OUT"
+  done
+  [[ -s "$OUT" ]] || die_run "emitted assembly is empty: $OUT"
+else
+  cp "${ASM_FILES[@]}" "$OUT/"
+fi

package/skills/zeroize-audit/tools/emit_rust_ir.sh ADDED Viewed

@@ -0,0 +1,150 @@
+#!/usr/bin/env bash
+# emit_rust_ir.sh — Emit Rust LLVM IR for zeroize analysis.
+#
+# Exit codes:
+#   0  success
+#   1  build/output failure
+#   2  argument error
+set -euo pipefail
+usage() {
+  cat <<'EOF'
+Usage:
+  emit_rust_ir.sh --manifest <Cargo.toml> --out <path> [options] [-- <extra cargo rustc args>]
+Options:
+  --manifest <file>        Cargo manifest path (required)
+  --out <path>             Output .ll file (required)
+  --opt <O0|O1|O2|O3>      Opt level (default: O2)
+  --crate <pkg>            Workspace package (-p)
+  --bin <target>           Build only a specific bin target
+  --lib                    Build only the lib target
+  --help                   Show this help text
+Examples:
+  emit_rust_ir.sh --manifest Cargo.toml --opt O0 --out /tmp/crate.O0.ll
+  emit_rust_ir.sh --manifest Cargo.toml --opt O2 --bin cli --out /tmp/cli.O2.ll
+EOF
+}
+die_arg() {
+  echo "emit_rust_ir.sh: $*" >&2
+  exit 2
+}
+die_run() {
+  echo "emit_rust_ir.sh: $*" >&2
+  exit 1
+}
+require_value() {
+  local opt="$1"
+  local val="${2-}"
+  [[ -n "$val" ]] || die_arg "missing value for ${opt}"
+}
+MANIFEST=""
+OUT=""
+OPT="O2"
+CRATE=""
+BIN_TARGET=""
+LIB_TARGET=false
+EXTRA_ARGS=()
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --manifest)
+      require_value "$1" "${2-}"
+      MANIFEST="$2"
+      shift 2
+      ;;
+    --out)
+      require_value "$1" "${2-}"
+      OUT="$2"
+      shift 2
+      ;;
+    --opt)
+      require_value "$1" "${2-}"
+      OPT="$2"
+      shift 2
+      ;;
+    --crate)
+      require_value "$1" "${2-}"
+      CRATE="$2"
+      shift 2
+      ;;
+    --bin)
+      require_value "$1" "${2-}"
+      BIN_TARGET="$2"
+      shift 2
+      ;;
+    --lib)
+      LIB_TARGET=true
+      shift
+      ;;
+    --help | -h)
+      usage
+      exit 0
+      ;;
+    --)
+      shift
+      EXTRA_ARGS=("$@")
+      break
+      ;;
+    *)
+      die_arg "unknown argument: $1"
+      ;;
+  esac
+done
+[[ -n "$MANIFEST" ]] || die_arg "--manifest is required"
+[[ -n "$OUT" ]] || die_arg "--out is required"
+[[ -f "$MANIFEST" ]] || die_run "manifest not found: $MANIFEST"
+[[ -n "$BIN_TARGET" && "$LIB_TARGET" == true ]] && die_arg "--bin and --lib are mutually exclusive"
+[[ "$OUT" == *.ll ]] || die_arg "--out must be a .ll file path"
+case "$OPT" in
+  O0) LEVEL="0" ;;
+  O1) LEVEL="1" ;;
+  O2) LEVEL="2" ;;
+  O3) LEVEL="3" ;;
+  *) die_arg "unsupported opt level: $OPT (use O0, O1, O2, O3)" ;;
+esac
+mkdir -p "$(dirname "$OUT")"
+CARGO_ARGS=(+nightly rustc --manifest-path "$MANIFEST")
+[[ -n "$CRATE" ]] && CARGO_ARGS+=("-p" "$CRATE")
+[[ -n "$BIN_TARGET" ]] && CARGO_ARGS+=("--bin" "$BIN_TARGET")
+[[ "$LIB_TARGET" == true ]] && CARGO_ARGS+=("--lib")
+TARGET_DIR="${TMPDIR:-/tmp}/zeroize_rust_ir_${LEVEL}_$$"
+rm -rf "$TARGET_DIR"
+mkdir -p "$TARGET_DIR"
+echo "=== emit_rust_ir.sh ==="
+echo "manifest: $MANIFEST"
+echo "opt:      $OPT"
+echo "target:   $TARGET_DIR"
+echo "output:   $OUT"
+if ! CARGO_TARGET_DIR="$TARGET_DIR" cargo "${CARGO_ARGS[@]}" \
+  ${EXTRA_ARGS[@]+"${EXTRA_ARGS[@]}"} \
+  -- --emit=llvm-ir -C opt-level="$LEVEL"; then
+  die_run "cargo rustc failed for opt=${OPT}"
+fi
+declare -a LL_FILES=()
+while IFS= read -r file; do
+  LL_FILES+=("$file")
+done < <(find "$TARGET_DIR" -type f -name "*.ll" | LC_ALL=C sort)
+[[ "${#LL_FILES[@]}" -gt 0 ]] || die_run "no .ll files found under $TARGET_DIR"
+: >"$OUT"
+for file in "${LL_FILES[@]}"; do
+  cat "$file" >>"$OUT"
+done
+[[ -s "$OUT" ]] || die_run "emitted IR is empty: $OUT"