security-mcp 1.1.4 → 1.3.3

Files changed (158)
  1. package/README.md +341 -1018
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/cloud-controls/aws.json +10712 -0
  9. package/defaults/cloud-controls/azure.json +7201 -0
  10. package/defaults/cloud-controls/gcp.json +4061 -0
  11. package/defaults/control-catalog.json +24 -0
  12. package/defaults/security-policy.json +2 -2
  13. package/dist/ci/pr-gate.js +22 -5
  14. package/dist/cli/index.js +73 -2
  15. package/dist/cli/install.js +4 -55
  16. package/dist/cli/onboarding.js +18 -10
  17. package/dist/gate/baseline.js +82 -7
  18. package/dist/gate/catalog.js +10 -2
  19. package/dist/gate/checks/agentic-instructions.js +515 -0
  20. package/dist/gate/checks/ai-governance.js +132 -0
  21. package/dist/gate/checks/ai.js +757 -39
  22. package/dist/gate/checks/auth-deep.js +920 -216
  23. package/dist/gate/checks/business-logic.js +751 -0
  24. package/dist/gate/checks/ci-pipeline.js +399 -4
  25. package/dist/gate/checks/cloud-controls.js +69 -0
  26. package/dist/gate/checks/crypto.js +423 -2
  27. package/dist/gate/checks/data-platform.js +954 -0
  28. package/dist/gate/checks/dependencies.js +582 -15
  29. package/dist/gate/checks/docker-deep.js +1236 -0
  30. package/dist/gate/checks/gitops.js +724 -0
  31. package/dist/gate/checks/graphql.js +201 -19
  32. package/dist/gate/checks/iac.js +1230 -0
  33. package/dist/gate/checks/infra.js +246 -1
  34. package/dist/gate/checks/injection-deep.js +827 -184
  35. package/dist/gate/checks/k8s.js +955 -2
  36. package/dist/gate/checks/mobile-android.js +917 -3
  37. package/dist/gate/checks/mobile-ios.js +797 -5
  38. package/dist/gate/checks/required-artifacts.js +194 -0
  39. package/dist/gate/checks/runtime.js +178 -0
  40. package/dist/gate/checks/secrets.js +256 -13
  41. package/dist/gate/checks/supply-chain-deep.js +787 -0
  42. package/dist/gate/checks/web-nextjs.js +572 -48
  43. package/dist/gate/cloud-controls/apply.js +115 -0
  44. package/dist/gate/cloud-controls/bicep.js +36 -0
  45. package/dist/gate/cloud-controls/cfn.js +125 -0
  46. package/dist/gate/cloud-controls/detect.js +104 -0
  47. package/dist/gate/cloud-controls/hcl.js +140 -0
  48. package/dist/gate/cloud-controls/types.js +87 -0
  49. package/dist/gate/diff.js +17 -5
  50. package/dist/gate/evidence.js +8 -1
  51. package/dist/gate/exceptions.js +202 -9
  52. package/dist/gate/findings.js +15 -2
  53. package/dist/gate/policy.js +316 -130
  54. package/dist/gate/threat-intel.js +6 -0
  55. package/dist/mcp/audit-chain.js +131 -28
  56. package/dist/mcp/auth.js +169 -0
  57. package/dist/mcp/learning.js +129 -4
  58. package/dist/mcp/model-router.js +161 -24
  59. package/dist/mcp/orchestration.js +377 -89
  60. package/dist/mcp/server.js +460 -69
  61. package/dist/mcp/tool-audit.js +193 -0
  62. package/dist/repo/fs.js +37 -1
  63. package/dist/repo/search.js +31 -6
  64. package/dist/review/store.js +56 -3
  65. package/dist/tests/run.js +124 -1
  66. package/package.json +9 -9
  67. package/skills/_TEMPLATE/SKILL.md +99 -0
  68. package/skills/advanced-dos-tester/SKILL.md +118 -0
  69. package/skills/agentic-instruction-auditor/SKILL.md +111 -0
  70. package/skills/agentic-loop-exploiter/SKILL.md +377 -0
  71. package/skills/ai-llm-redteam/SKILL.md +113 -0
  72. package/skills/ai-model-supply-chain-agent/SKILL.md +112 -0
  73. package/skills/algorithm-implementation-reviewer/SKILL.md +107 -0
  74. package/skills/android-penetration-tester/SKILL.md +464 -46
  75. package/skills/anti-replay-tester/SKILL.md +115 -0
  76. package/skills/appsec-code-auditor/SKILL.md +94 -0
  77. package/skills/artifact-integrity-analyst/SKILL.md +450 -0
  78. package/skills/attack-navigator/SKILL.md +476 -8
  79. package/skills/auth-session-hacker/SKILL.md +111 -0
  80. package/skills/aws-penetration-tester/SKILL.md +510 -0
  81. package/skills/azure-penetration-tester/SKILL.md +542 -3
  82. package/skills/binary-auth-validator/SKILL.md +120 -0
  83. package/skills/bot-detection-specialist/SKILL.md +118 -0
  84. package/skills/business-logic-attacker/SKILL.md +240 -0
  85. package/skills/capec-code-mapper/SKILL.md +93 -0
  86. package/skills/cert-pin-rotation-specialist/SKILL.md +121 -0
  87. package/skills/cicd-pipeline-hijacker/SKILL.md +414 -0
  88. package/skills/ciso-orchestrator/SKILL.md +465 -43
  89. package/skills/cloud-infra-specialist/SKILL.md +127 -0
  90. package/skills/compliance-gap-analyst/SKILL.md +431 -0
  91. package/skills/compliance-grc/SKILL.md +94 -0
  92. package/skills/compliance-lifecycle-tracker/SKILL.md +93 -0
  93. package/skills/container-hardening-auditor/SKILL.md +125 -0
  94. package/skills/credential-stuffing-specialist/SKILL.md +111 -0
  95. package/skills/crypto-pki-specialist/SKILL.md +96 -0
  96. package/skills/csa-ccm-mapper/SKILL.md +93 -0
  97. package/skills/csf2-governance-mapper/SKILL.md +93 -0
  98. package/skills/data-platform-auditor/SKILL.md +125 -0
  99. package/skills/deep-link-fuzzer/SKILL.md +118 -0
  100. package/skills/dependency-confusion-attacker/SKILL.md +424 -0
  101. package/skills/device-integrity-aggregator/SKILL.md +117 -0
  102. package/skills/dos-resilience-tester/SKILL.md +106 -0
  103. package/skills/dread-scorer/SKILL.md +93 -0
  104. package/skills/egress-policy-enforcer/SKILL.md +108 -0
  105. package/skills/evidence-collector/SKILL.md +107 -0
  106. package/skills/file-upload-attacker/SKILL.md +118 -0
  107. package/skills/gcp-penetration-tester/SKILL.md +510 -2
  108. package/skills/git-history-secret-scanner/SKILL.md +115 -0
  109. package/skills/gitops-delivery-auditor/SKILL.md +120 -0
  110. package/skills/iac-security-auditor/SKILL.md +125 -0
  111. package/skills/iam-privesc-graph-builder/SKILL.md +161 -0
  112. package/skills/incident-responder/SKILL.md +120 -0
  113. package/skills/injection-specialist/SKILL.md +111 -0
  114. package/skills/ios-security-auditor/SKILL.md +291 -0
  115. package/skills/json-ambiguity-tester/SKILL.md +145 -0
  116. package/skills/k8s-container-escaper/SKILL.md +406 -0
  117. package/skills/key-management-lifecycle-analyst/SKILL.md +107 -0
  118. package/skills/kill-switch-engineer/SKILL.md +111 -0
  119. package/skills/linddun-privacy-analyst/SKILL.md +111 -0
  120. package/skills/logic-race-fuzzer/SKILL.md +452 -0
  121. package/skills/mobile-api-network-attacker/SKILL.md +430 -0
  122. package/skills/mobile-binary-hardener/SKILL.md +111 -0
  123. package/skills/mobile-security-specialist/SKILL.md +94 -0
  124. package/skills/mobile-webview-auditor/SKILL.md +105 -0
  125. package/skills/model-extraction-attacker/SKILL.md +228 -0
  126. package/skills/multipart-abuse-tester/SKILL.md +93 -0
  127. package/skills/oauth-pkce-specialist/SKILL.md +113 -0
  128. package/skills/parser-exhaustion-tester/SKILL.md +151 -0
  129. package/skills/pentest-infra/SKILL.md +107 -0
  130. package/skills/pentest-social/SKILL.md +210 -0
  131. package/skills/pentest-team/SKILL.md +96 -0
  132. package/skills/pentest-web-api/SKILL.md +107 -0
  133. package/skills/privacy-flow-analyst/SKILL.md +243 -0
  134. package/skills/prompt-injection-specialist/SKILL.md +403 -0
  135. package/skills/quantum-migration-planner/SKILL.md +105 -0
  136. package/skills/rag-poisoning-specialist/SKILL.md +367 -0
  137. package/skills/registry-mirror-enforcer/SKILL.md +93 -0
  138. package/skills/rotation-validation-agent/SKILL.md +121 -0
  139. package/skills/samm-assessor/SKILL.md +94 -0
  140. package/skills/secrets-mask-bypass-tester/SKILL.md +109 -0
  141. package/skills/senior-security-engineer/SKILL.md +178 -0
  142. package/skills/serialization-memory-attacker/SKILL.md +341 -0
  143. package/skills/session-timeout-tester/SKILL.md +170 -0
  144. package/skills/slsa-level3-enforcer/SKILL.md +121 -0
  145. package/skills/slsa-provenance-enforcer/SKILL.md +111 -0
  146. package/skills/ssrf-detection-validator/SKILL.md +117 -0
  147. package/skills/step-up-auth-enforcer/SKILL.md +93 -0
  148. package/skills/stride-pasta-analyst/SKILL.md +429 -0
  149. package/skills/supply-chain-devsecops/SKILL.md +107 -0
  150. package/skills/threat-infrastructure-analyst/SKILL.md +93 -0
  151. package/skills/threat-modeler/SKILL.md +94 -0
  152. package/skills/tls-certificate-auditor/SKILL.md +582 -18
  153. package/skills/token-reuse-detector/SKILL.md +104 -0
  154. package/skills/trike-risk-modeler/SKILL.md +93 -0
  155. package/skills/unicode-homograph-tester/SKILL.md +93 -0
  156. package/skills/waf-rule-lifecycle-agent/SKILL.md +106 -0
  157. package/skills/webhook-security-tester/SKILL.md +111 -0
  158. package/skills/zero-trust-architect/SKILL.md +118 -0
@@ -35,6 +35,15 @@ On every finding resolved, emit:
35
35
  }
36
36
  ```
37
37
 
38
+ ## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
39
+
40
+ The full suite of detection modules in `src/gate/checks/` — especially `injection-deep.ts`, `auth-deep.ts`, `api.ts`, and `secrets.ts` — are the deterministic floor you correlate CAPEC→CWE→ATT&CK chains across, not your ceiling. Treat their finding IDs as the minimum surface evidence, then reason past what single-line/single-file pattern matching can see — and APPLY the fix (Edit the vulnerable code), not just advise:
41
+
42
+ - **Cross-file / data-flow reasoning the regex can't do:** a `req.query` value (CAPEC-88 input surface) flowing through a util module into `$queryRaw` (CAPEC-66) is a taint chain neither the input-side nor sink-side grep resolves alone — trace source→sink across files to confirm the CAPEC mapping is live, not theoretical.
43
+ - **Semantic / effective-state analysis:** for each CAPEC mapping, determine whether the mitigating control is *effective* (parameterized query actually used on the tainted path, `algorithms` pinned on the reached `jwt.verify`, authz enforced on the IDOR'd object) and build the compound CAPEC→CWE→CVE exploit chain.
44
+ - **External corroboration:** use WebSearch/WebFetch for the current CAPEC catalog, CWE→CVE mappings on NVD, and D3FEND countermeasures for each mapped pattern.
45
+ - **Apply & prove:** write the fix inline for each OPEN CAPEC finding, re-run the relevant `src/gate/checks/` modules plus semgrep as a regression floor, then re-audit the taint chain semantically. Emit the LEARNING SIGNAL per fix; surface any fix that changes intended behavior as an explicit trade-off with the secure default.
46
+
38
47
  ## EXECUTION
39
48
 
40
49
  ### Phase 1 — Reconnaissance
@@ -161,3 +170,87 @@ If internet permitted:
161
170
  - `requiredActions`: ordered action list
162
171
  - `complianceImpact`: framework mappings
163
172
  - `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
173
+
174
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
175
+ ```json
176
+ {
177
+ "intelligenceForOtherAgents": {
178
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
179
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
180
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
181
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
182
+ }
183
+ }
184
+ ```
185
+
186
+ ## BEYOND SKILL.MD
187
+
188
+ Domain-specific intelligence that extends beyond the base CAPEC mapping mandate:
189
+
190
+ - **CAPEC-194 + CVE-2023-29374 (Spring Framework mass assignment)**: Auto-binding frameworks silently map attacker-controlled HTTP parameters to model fields. Grep for `@ModelAttribute`, `@RequestBody` without `@JsonIgnoreProperties` — one field difference between "safe" and "full account takeover."
191
+ - **CAPEC-460 (HTTP Response Splitting) via CRLF injection** — still present in raw header-write code even in 2025; CVE-2023-24998 (Apache Commons FileUpload) demonstrates the chain. Search for `res.setHeader` with unsanitized user input.
192
+ - **CAPEC-666 (Exploitation of Permissions via Confused Deputy) — AI/LLM era**: When an LLM agent can call tools on behalf of users, prompt injection (CAPEC-114) becomes a confused-deputy attack. Attacker-controlled document content tricks the LLM into invoking privileged tools with the user's credentials. No CVE yet, but PortSwigger Research 2024 demonstrated full account takeover via indirect prompt injection in a GenAI assistant.
193
+ - **CAPEC-116 (Excavation via Differential Analysis) + post-quantum timing**: Classical constant-time code guarantees break under quantum simulation environments. Harvest-now-decrypt-later (HNDL) attacks mean RSA-2048 ciphertext captured today is already at risk. CVE-2024-28882 illustrates OpenSSH timing leakage. Inventory all `crypto.createDiffieHellman` and `crypto.generateKeyPairSync` calls for algorithm agility.
194
+ - **CAPEC-153 (Input Data Manipulation) via GraphQL batching abuse** — CVE-2023-28425 (Redis) and analogous patterns in Apollo Server: attackers batch thousands of mutations in a single HTTP request, bypassing per-request rate limits. Check for `apollo-server` without `@graphql-armor/max-directives` or query-cost analysis.
195
+ - **CAPEC-1 (Accessing Functionality Not Properly Constrained) in server-side AI tool calls**: LLM function-calling surfaces expose internal APIs to model-controlled dispatch. Without a capability allowlist, an attacker who controls the prompt controls which functions are called. Map every `tools: [...]` array in Anthropic/OpenAI SDK calls to a permission boundary check.
196
+ - **CAPEC-56 (Removing/Adding Data Stores) via prototype pollution** — CVE-2022-37601 (webpack loader-utils), CVE-2023-26136 (tough-cookie): `__proto__` mutation still appears in lodash `_.merge` and `JSON.parse` + dynamic key assignment patterns. Grep for `Object.assign(target, userInput)` and `[userKey] =` with untrusted keys.
197
+ - **CAPEC-549 (Local Execution of Code) via supply-chain compromised package** — post-quantum threat vector: adversaries use AI-generated lookalike packages (typosquatting at scale) to inject CAPEC-549 payloads. CVE-2024-21501 (sanitize-html bypass) illustrates how a "security" package itself became the attack vector. Verify every `package.json` dependency against npm provenance attestations (`npm audit signatures`).
198
+
199
+ ---
200
+
201
+ ## §EDGE-CASE-MATRIX
202
+
203
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
204
+
205
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
206
+ |---|-----------|----------------------|---------------|
207
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
208
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
209
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
210
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
211
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
212
+
213
+ ## §TEMPORAL-THREATS
214
+
215
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
216
+
217
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
218
+ |--------|--------------|--------------------------|----------------|
219
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
220
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
221
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
222
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
223
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
224
+
225
+ ## §DETECTION-GAP
226
+
227
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
228
+
229
+ **Standard gaps that MUST be checked:**
230
+
231
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
232
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
233
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
234
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
235
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
236
+
237
+ ## §ZERO-MISS-MANDATE
238
+
239
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
240
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
241
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
242
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
243
+
244
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
245
+
246
+ The output findings JSON MUST include a `coverageManifest` key:
247
+ ```json
248
+ {
249
+ "coverageManifest": {
250
+ "attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
251
+ "filesReviewed": 47,
252
+ "negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
253
+ "uncoveredReason": {}
254
+ }
255
+ }
256
+ ```
@@ -34,6 +34,15 @@ On every finding resolved, emit:
34
34
  }
35
35
  ```
36
36
 
37
+ ## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
38
+
39
+ The `crypto.ts` detection module (`src/gate/checks/crypto.ts`) — supported by `mobile-android.ts` and `mobile-ios.ts` for the pinning configs — is your deterministic floor, not your ceiling. Treat its finding IDs as the minimum, then reason past what single-line/single-file pattern matching can see — and APPLY the fix (Edit the pinning config / rotation runbook), not just advise:
40
+
41
+ - **Cross-file / data-flow reasoning the regex can't do:** a `fetchPinUpdate()` that returns `null` on error in one file, wired to a pin-enforcement path in another, is a fail-open MitM window — the regex sees "safe error handling," not "pinning disabled."
42
+ - **Semantic / effective-state analysis:** verify each pinned hash is a *SPKI* hash (not a leaf-cert fingerprint that breaks on renewal), that the backup pin value is genuinely distinct from the primary, that the OTA config is signature-verified before acceptance, and that the `expiration` date leaves real rotation headroom.
43
+ - **External corroboration:** use WebSearch/WebFetch for the CA/B Forum 90-day-cert ballot, CT-log monitoring APIs (crt.sh), and FIPS 203/204 post-quantum migration guidance for pinned key algorithms.
44
+ - **Apply & prove:** write the fix inline (add a distinct SPKI backup pin, make the OTA path fail-closed, add signature verification, wire a CI expiration-check gate), re-run the `crypto.ts` checks plus an `openssl` SPKI-extraction + duplicate-pin diff as a regression floor, then re-audit the rotation lifecycle semantically. Emit the LEARNING SIGNAL per fix; surface any fix that changes intended behavior as an explicit trade-off with the secure default.
45
+
37
46
  ## EXECUTION
38
47
 
39
48
  ### Phase 1 — Reconnaissance
@@ -198,3 +207,115 @@ export async function fetchPinUpdate(): Promise<string[] | null> {
198
207
  - `requiredActions`: ordered action list
199
208
  - `complianceImpact`: framework mappings
200
209
  - `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
210
+
211
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
212
+ ```json
213
+ {
214
+ "intelligenceForOtherAgents": {
215
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "App falls back to no pinning on pin-fetch failure — MitM window open during remote-config fetch", "exploitHint": "Block config.yourdomain.com at network layer; client reverts to no-pin mode" }],
216
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "SHA-1 certificate fingerprint used as pin (not SPKI SHA-256)", "location": "android/res/xml/network_security_config.xml" }],
217
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "Remote pin-config fetch URL is user-controllable", "escalationPath": "Attacker supplies internal metadata endpoint as config URL; server fetches and returns cloud credentials" }],
218
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["PCI-DSS 4.2.1", "NIST SP 800-53 SC-17"], "releaseBlock": true }]
219
+ }
220
+ }
221
+ ```
222
+
223
+ ---
224
+
225
+ ## BEYOND SKILL.MD — MANDATORY EXPANSIONS
226
+
227
+ - **AI-Assisted Pin-Bypass Script Generation (ATT&CK T1557.002 — AiTM Phishing):** LLM-powered tools (e.g., Frida-AI wrappers seen in 2024 red-team toolkits) analyze an APK's OkHttp or TrustKit configuration at runtime and auto-generate a Frida hook script tailored to that app's specific pin-check method signature, bypassing pinning without touching network traffic. Test by: run `objection -g <package> explore --startup-command "android sslpinning disable"` on a debug build and verify the app refuses the MITM certificate anyway; then attempt the AI-generated hook against the release build and confirm certificate pinning still blocks the connection. Finding threshold: any release build where a generic objection script or auto-generated Frida hook bypasses pinning without requiring app-specific reverse engineering.
228
+
229
+ - **90-Day Certificate Lifetime Ballot (CA/B Forum SC-081, effective 2026):** The CA/Browser Forum ballot SC-081 mandates maximum 90-day TLS certificate lifetimes by 2026, shattering rotation runbooks designed around 1–2-year certs. Apps that pin leaf SPKI hashes and rely on a 60-day pre-release update cycle will break quarterly. Test by: simulate a 90-day rotation in staging — revoke the pinned cert, issue a new one, measure the time from "backup pin shipped in app" to ">80% user adoption" via store analytics; if that window exceeds 30 days, the rotation model is broken. Finding threshold: any mobile app with an OTA pin-update path whose end-to-end propagation time exceeds 30 days, or any app without OTA rotation at all.
230
+
231
+ - **Post-Quantum Harvest-Now-Decrypt-Later Against Pinned SPKI (NIST PQC FIPS 203/204):** Nation-state adversaries are capturing encrypted TLS sessions today with intent to decrypt when a cryptographically relevant quantum computer (CRQC) arrives (~2028–2032). SPKI pins based on RSA-2048 or P-256 public keys do not prevent harvest; they only authenticate the endpoint. Sessions pinned to a P-256 endpoint are captured and queued for CRQC decryption. Test by: inventory every pinned domain's current key algorithm via `openssl s_client -connect <host>:443 2>/dev/null | openssl x509 -noout -text | grep "Public Key Algorithm"` — flag all RSA and ECDSA (P-256/P-384) endpoints; confirm no ML-KEM (FIPS 203) hybrid is negotiated in the TLS handshake. Finding threshold: any pinned production endpoint using RSA or classical ECDSA without a hybrid post-quantum key exchange scheduled for deployment before 2027.
232
+
233
+ - **CT Log Rogue Certificate Issuance for Pinned Domains (CVE-2022-26923 — AD CS ESC1 variant / ATT&CK T1588.004):** An attacker who compromises an intermediate CA (or exploits a misconfigured Active Directory Certificate Services ESC1 template) can issue a certificate for a pinned domain. The pin rejects it at connection time on already-deployed clients, but newly installed app versions that shipped before the pin was added are silently vulnerable, and no server-side alert fires. Test by: set up a crt.sh webhook (via `https://crt.sh/atom?q=%.yourdomain.com`) or use the Google Certificate Transparency API to alert on newly logged certificates for all pinned domains; verify the alert fires within 1 hour of a test issuance. Finding threshold: any pinned domain with no CT log monitoring configured where unauthorized issuance would go undetected for more than 24 hours.
234
+
235
+ - **Supply Chain Attack on Pin-Config Signing Key via Compromised CI/CD (ATT&CK T1195.002 — Compromise Software Supply Chain):** The OTA pin-config signing key is typically stored as a CI/CD secret (GitHub Actions, CircleCI). A supply-chain compromise of the CI environment (e.g., a malicious dependency in the build pipeline — see the 2024 `xz-utils` backdoor pattern, CVE-2024-3094) allows an attacker to exfiltrate the signing key and issue a fraudulent pin-config payload that pushes attacker-controlled pins to all live app clients. Test by: audit the signing key's storage location; verify it is stored in a hardware-backed secret store (AWS KMS, GCP KMS, or HashiCorp Vault with HSM backend) and that the CI pipeline never writes the raw private key to disk or logs; confirm key rotation has occurred at least once. Finding threshold: any OTA pin-config signing key stored as a plaintext CI secret or file on disk rather than in a KMS-backed store.
236
+
237
+ - **SBOM/Compliance Gap — Undeclared CA Root and Config Signing Key Material (US EO 14028 / EU Cyber Resilience Act):** US Executive Order 14028 and the EU Cyber Resilience Act (CRA, effective 2027) require a Software Bill of Materials that includes all cryptographic key material and trust anchors used in a product. CA root SPKI hashes pinned in `network_security_config.xml` and OTA config signing key fingerprints are cryptographic trust anchors that must appear in the CycloneDX SBOM; their absence is a compliance blocker for US federal customers and EU market access. Test by: parse the app's CycloneDX SBOM (`cdxgen -o sbom.json .`) and verify that every SPKI hash present in pinning configs and every public key fingerprint used for config signature verification appears as a `cryptoMaterial` component in the SBOM; cross-reference against `network_security_config.xml` and `TrustKit` config entries. Finding threshold: any SPKI pin hash or signing key fingerprint present in source code that does not appear in the project's CycloneDX SBOM.
238
+
239
+ ---
240
+
241
+ ## §EDGE-CASE-MATRIX
242
+
243
+ The 5 attack cases in certificate pinning and rotation that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
244
+
245
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
246
+ |---|-----------|----------------------|---------------|
247
+ | 1 | OTA pin-config fetch fails open — no pinning enforced | Static analysis sees `return null` and marks it as safe error handling; it does not model that `null` disables all pin checks | Block the remote config URL at the network layer; confirm the app still connects (should fail closed, not succeed) |
248
+ | 2 | Leaf-certificate hash pinned instead of SPKI hash | Both look like SHA-256 base64 strings; scanners check presence of a hash, not which hash type it is | Re-run `openssl s_client` extraction using the certificate-fingerprint command (`-fingerprint -sha256`) vs. the SPKI path; compare — if they match there is no bug, if they differ and the code uses the fingerprint path, it will break on cert renewal |
249
+ | 3 | Backup pin is a duplicate of the primary pin | Static analysis confirms two `<pin>` entries exist and marks the backup-pin requirement satisfied; it does not check value equality | Hash-compare all pin values in `network_security_config.xml` and TrustKit config; duplicate pins provide zero rotation headroom |
250
+ | 4 | Root CA pin bypassed by intermediate CA cross-signed under attacker-controlled trust anchor | Pinning tools verify the chain against the device trust store; an attacker who controls a trust anchor on the device can issue a chain that passes the OS check before the pin is evaluated on older OkHttp versions | Test on a device with a custom CA installed; verify the app rejects the connection even when OS chain validation succeeds |
251
+ | 5 | Pin expiration date is set but rotation runbook is never triggered — expiry silently passes in production | CI/CD pipelines do not parse `expiration` from XML and no calendar alert was created | Write a CI step or cron job that parses the `expiration` attribute and fails the build if it is within 60 days; confirm the alert fires in staging |
252
+
253
+ ---
254
+
255
+ ## §TEMPORAL-THREATS
256
+
257
+ Threats materialising in the 2025–2030 window that pinning and PKI lifecycle defences designed today must account for.
258
+
259
+ | Threat | Est. Timeline | Relevance to Cert-Pin Rotation | Prepare Now By |
260
+ |--------|--------------|-------------------------------|----------------|
261
+ | Cryptographically Relevant Quantum Computer (CRQC) breaks RSA/ECDSA | 2028–2032 | SPKI pins are hashes of RSA/EC public keys; harvest-now-decrypt-later adversaries capture pinned TLS sessions today to decrypt when CRQC arrives | Inventory all pinned keys; flag RSA-2048 and P-256 endpoints for post-quantum migration; plan ML-KEM (FIPS 203) hybrid TLS rollout |
262
+ | 90-day maximum TLS certificate lifetimes (CA/B Forum ballot) | 2025–2026 (active) | Planned rotation cycles designed around 1–2-year certs break immediately; OTA rotation becomes mandatory, not optional | Shorten rotation runbook to a 60-day cycle; validate OTA pin-update path can complete a full rotation within 30 days end-to-end |
263
+ | AI-assisted MitM tooling (LLM-generated per-target payloads) | 2025–2027 (active) | Attackers generate per-app bypass scripts that target the specific OTA config fetch pattern used; generic defences fail | Require HMAC-signed pin-config payloads with a server-side nonce; reject unsigned or replayed config responses |
264
+ | Browser/OS removal of SHA-1 and SHA-256 leaf cert trust | 2026 | Apps still pinning SHA-1 fingerprints (not SPKI) will start failing as intermediates are re-issued with stronger algorithms, changing fingerprints | Audit every pinned hash for algorithm type; migrate all to SPKI SHA-256 |
265
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | Pin-config signing keys and CA root certificates must appear in SBOM; undocumented key material is a compliance gap | Include CA root SPKI hashes and config signing key fingerprints in CycloneDX SBOM |
266
+
267
+ ---
268
+
269
+ ## §DETECTION-GAP
270
+
271
+ What current monitoring CANNOT detect in certificate-pinning and rotation, and what to build to close each gap.
272
+
273
+ **Domain-specific gaps that MUST be checked:**
274
+
275
+ - **Silent pin expiration in production**: The `expiration` attribute in Android `network_security_config.xml` is parsed only at app startup on the device; no server-side event is emitted when a pin set expires. Need: a CI/CD step and an out-of-band cron job that parse expiration dates and page on-call at 90, 60, and 30 days before expiry.
276
+ - **OTA config fetch returning stale or attacker-substituted pins**: The fetch succeeds with HTTP 200 and the app logs no error, but the returned pin set was served from a CDN cache poisoned days earlier. Need: pin the OTA config endpoint itself (meta-pinning) and include a `issuedAt` timestamp in the signed payload; reject responses older than 24 hours.
277
+ - **Duplicate-pin false positive in backup-pin audit**: Automated pin-count checks report "2 pins present — compliant." They do not compare values. Need: a lint rule or pre-commit hook that asserts all pin values in a config file are unique.
278
+ - **Certificate Transparency log divergence**: An unauthorized certificate for a pinned domain is issued by a rogue CA. The app's pin would reject it, but no alert fires because the attack is detected only at connection time on the device, not centrally. Need: CT log monitoring (e.g., crt.sh webhook or Google Certificate Transparency API) alerting on any newly issued certificate for pinned domains.
279
+ - **Cross-agent chain — OTA fetch SSRF + pin bypass**: The OTA config URL is partially user-controlled (SSRF) and the fetch-fail-open path is active. Phase 1 SSRF agent flags the SSRF; Phase 1 cert-pin agent flags the fail-open. Neither agent alone sees the critical chain. Need: CISO orchestrator Phase 1 synthesis to correlate both findings into a single CRITICAL escalation.
280
+
281
+ ---
282
+
283
+ ## §ZERO-MISS-MANDATE
284
+
285
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
286
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
287
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
288
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
289
+
290
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
291
+
292
+ **Mandatory attack classes for cert-pin-rotation-specialist:**
293
+
294
+ | Class | Patterns to Search | Acceptable Skip Condition |
295
+ |-------|--------------------|--------------------------|
296
+ | Single pin (no backup) | Count of `<pin>` / `PublicKeyHashes` entries per domain | Not applicable only if project has zero network calls |
297
+ | Leaf-cert hash vs. SPKI hash | Compare `openssl -fingerprint` output vs. SPKI extraction output for each pinned value | Not applicable only if no TLS pinning code exists |
298
+ | OTA fetch fail-open | Search for `return null` / `return []` / empty-catch in pin-fetch function | Not applicable only if no OTA rotation mechanism exists |
299
+ | Expired or near-expiry pin set | Parse `expiration` from XML / `kTSKExpirationDate` from Swift config | Not applicable only if no expiration date field exists in config |
300
+ | Unsigned or unverified OTA pin config | Look for missing `verifyConfigSignature` or equivalent before accepting fetched pins | Not applicable only if pins are never fetched remotely |
301
+
302
+ The output findings JSON MUST include a `coverageManifest` key:
303
+ ```json
304
+ {
305
+ "coverageManifest": {
306
+ "attackClassesCovered": [
307
+ { "class": "Single pin no backup", "filesReviewed": 3, "patterns": ["<pin>", "PublicKeyHashes"], "result": "CLEAN" },
308
+ { "class": "Leaf-cert hash vs. SPKI", "filesReviewed": 3, "patterns": ["openssl fingerprint vs spki extraction"], "result": "1 finding, fixed" },
309
+ { "class": "OTA fetch fail-open", "filesReviewed": 5, "patterns": ["return null", "catch {}"], "result": "CLEAN" },
310
+ { "class": "Expired or near-expiry pin set", "filesReviewed": 3, "patterns": ["expiration", "kTSKExpirationDate"], "result": "CLEAN" },
311
+ { "class": "Unsigned OTA pin config", "filesReviewed": 5, "patterns": ["verifyConfigSignature", "signature"], "result": "CLEAN" }
312
+ ],
313
+ "filesReviewed": 11,
314
+ "negativeAssertions": [
315
+ "OTA fetch fail-open: return-null and empty-catch patterns searched across 5 files — 0 unguarded paths",
316
+ "Unsigned OTA config: signature verification present in all remote-fetch paths"
317
+ ],
318
+ "uncoveredReason": {}
319
+ }
320
+ }
321
+ ```