security-mcp 1.1.4 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (158) hide show
  1. package/README.md +341 -1018
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/cloud-controls/aws.json +10712 -0
  9. package/defaults/cloud-controls/azure.json +7201 -0
  10. package/defaults/cloud-controls/gcp.json +4061 -0
  11. package/defaults/control-catalog.json +24 -0
  12. package/defaults/security-policy.json +2 -2
  13. package/dist/ci/pr-gate.js +22 -5
  14. package/dist/cli/index.js +73 -2
  15. package/dist/cli/install.js +4 -55
  16. package/dist/cli/onboarding.js +18 -10
  17. package/dist/gate/baseline.js +82 -7
  18. package/dist/gate/catalog.js +10 -2
  19. package/dist/gate/checks/agentic-instructions.js +515 -0
  20. package/dist/gate/checks/ai-governance.js +132 -0
  21. package/dist/gate/checks/ai.js +757 -39
  22. package/dist/gate/checks/auth-deep.js +920 -216
  23. package/dist/gate/checks/business-logic.js +751 -0
  24. package/dist/gate/checks/ci-pipeline.js +399 -4
  25. package/dist/gate/checks/cloud-controls.js +69 -0
  26. package/dist/gate/checks/crypto.js +423 -2
  27. package/dist/gate/checks/data-platform.js +954 -0
  28. package/dist/gate/checks/dependencies.js +582 -15
  29. package/dist/gate/checks/docker-deep.js +1236 -0
  30. package/dist/gate/checks/gitops.js +724 -0
  31. package/dist/gate/checks/graphql.js +201 -19
  32. package/dist/gate/checks/iac.js +1230 -0
  33. package/dist/gate/checks/infra.js +246 -1
  34. package/dist/gate/checks/injection-deep.js +827 -184
  35. package/dist/gate/checks/k8s.js +955 -2
  36. package/dist/gate/checks/mobile-android.js +917 -3
  37. package/dist/gate/checks/mobile-ios.js +797 -5
  38. package/dist/gate/checks/required-artifacts.js +194 -0
  39. package/dist/gate/checks/runtime.js +178 -0
  40. package/dist/gate/checks/secrets.js +256 -13
  41. package/dist/gate/checks/supply-chain-deep.js +787 -0
  42. package/dist/gate/checks/web-nextjs.js +572 -48
  43. package/dist/gate/cloud-controls/apply.js +115 -0
  44. package/dist/gate/cloud-controls/bicep.js +36 -0
  45. package/dist/gate/cloud-controls/cfn.js +125 -0
  46. package/dist/gate/cloud-controls/detect.js +104 -0
  47. package/dist/gate/cloud-controls/hcl.js +140 -0
  48. package/dist/gate/cloud-controls/types.js +87 -0
  49. package/dist/gate/diff.js +17 -5
  50. package/dist/gate/evidence.js +8 -1
  51. package/dist/gate/exceptions.js +202 -9
  52. package/dist/gate/findings.js +15 -2
  53. package/dist/gate/policy.js +316 -130
  54. package/dist/gate/threat-intel.js +6 -0
  55. package/dist/mcp/audit-chain.js +131 -28
  56. package/dist/mcp/auth.js +169 -0
  57. package/dist/mcp/learning.js +129 -4
  58. package/dist/mcp/model-router.js +161 -24
  59. package/dist/mcp/orchestration.js +377 -89
  60. package/dist/mcp/server.js +460 -69
  61. package/dist/mcp/tool-audit.js +193 -0
  62. package/dist/repo/fs.js +37 -1
  63. package/dist/repo/search.js +31 -6
  64. package/dist/review/store.js +56 -3
  65. package/dist/tests/run.js +124 -1
  66. package/package.json +9 -9
  67. package/skills/_TEMPLATE/SKILL.md +99 -0
  68. package/skills/advanced-dos-tester/SKILL.md +118 -0
  69. package/skills/agentic-instruction-auditor/SKILL.md +111 -0
  70. package/skills/agentic-loop-exploiter/SKILL.md +377 -0
  71. package/skills/ai-llm-redteam/SKILL.md +113 -0
  72. package/skills/ai-model-supply-chain-agent/SKILL.md +112 -0
  73. package/skills/algorithm-implementation-reviewer/SKILL.md +107 -0
  74. package/skills/android-penetration-tester/SKILL.md +464 -46
  75. package/skills/anti-replay-tester/SKILL.md +115 -0
  76. package/skills/appsec-code-auditor/SKILL.md +94 -0
  77. package/skills/artifact-integrity-analyst/SKILL.md +450 -0
  78. package/skills/attack-navigator/SKILL.md +476 -8
  79. package/skills/auth-session-hacker/SKILL.md +111 -0
  80. package/skills/aws-penetration-tester/SKILL.md +510 -0
  81. package/skills/azure-penetration-tester/SKILL.md +542 -3
  82. package/skills/binary-auth-validator/SKILL.md +120 -0
  83. package/skills/bot-detection-specialist/SKILL.md +118 -0
  84. package/skills/business-logic-attacker/SKILL.md +240 -0
  85. package/skills/capec-code-mapper/SKILL.md +93 -0
  86. package/skills/cert-pin-rotation-specialist/SKILL.md +121 -0
  87. package/skills/cicd-pipeline-hijacker/SKILL.md +414 -0
  88. package/skills/ciso-orchestrator/SKILL.md +465 -43
  89. package/skills/cloud-infra-specialist/SKILL.md +127 -0
  90. package/skills/compliance-gap-analyst/SKILL.md +431 -0
  91. package/skills/compliance-grc/SKILL.md +94 -0
  92. package/skills/compliance-lifecycle-tracker/SKILL.md +93 -0
  93. package/skills/container-hardening-auditor/SKILL.md +125 -0
  94. package/skills/credential-stuffing-specialist/SKILL.md +111 -0
  95. package/skills/crypto-pki-specialist/SKILL.md +96 -0
  96. package/skills/csa-ccm-mapper/SKILL.md +93 -0
  97. package/skills/csf2-governance-mapper/SKILL.md +93 -0
  98. package/skills/data-platform-auditor/SKILL.md +125 -0
  99. package/skills/deep-link-fuzzer/SKILL.md +118 -0
  100. package/skills/dependency-confusion-attacker/SKILL.md +424 -0
  101. package/skills/device-integrity-aggregator/SKILL.md +117 -0
  102. package/skills/dos-resilience-tester/SKILL.md +106 -0
  103. package/skills/dread-scorer/SKILL.md +93 -0
  104. package/skills/egress-policy-enforcer/SKILL.md +108 -0
  105. package/skills/evidence-collector/SKILL.md +107 -0
  106. package/skills/file-upload-attacker/SKILL.md +118 -0
  107. package/skills/gcp-penetration-tester/SKILL.md +510 -2
  108. package/skills/git-history-secret-scanner/SKILL.md +115 -0
  109. package/skills/gitops-delivery-auditor/SKILL.md +120 -0
  110. package/skills/iac-security-auditor/SKILL.md +125 -0
  111. package/skills/iam-privesc-graph-builder/SKILL.md +161 -0
  112. package/skills/incident-responder/SKILL.md +120 -0
  113. package/skills/injection-specialist/SKILL.md +111 -0
  114. package/skills/ios-security-auditor/SKILL.md +291 -0
  115. package/skills/json-ambiguity-tester/SKILL.md +145 -0
  116. package/skills/k8s-container-escaper/SKILL.md +406 -0
  117. package/skills/key-management-lifecycle-analyst/SKILL.md +107 -0
  118. package/skills/kill-switch-engineer/SKILL.md +111 -0
  119. package/skills/linddun-privacy-analyst/SKILL.md +111 -0
  120. package/skills/logic-race-fuzzer/SKILL.md +452 -0
  121. package/skills/mobile-api-network-attacker/SKILL.md +430 -0
  122. package/skills/mobile-binary-hardener/SKILL.md +111 -0
  123. package/skills/mobile-security-specialist/SKILL.md +94 -0
  124. package/skills/mobile-webview-auditor/SKILL.md +105 -0
  125. package/skills/model-extraction-attacker/SKILL.md +228 -0
  126. package/skills/multipart-abuse-tester/SKILL.md +93 -0
  127. package/skills/oauth-pkce-specialist/SKILL.md +113 -0
  128. package/skills/parser-exhaustion-tester/SKILL.md +151 -0
  129. package/skills/pentest-infra/SKILL.md +107 -0
  130. package/skills/pentest-social/SKILL.md +210 -0
  131. package/skills/pentest-team/SKILL.md +96 -0
  132. package/skills/pentest-web-api/SKILL.md +107 -0
  133. package/skills/privacy-flow-analyst/SKILL.md +243 -0
  134. package/skills/prompt-injection-specialist/SKILL.md +403 -0
  135. package/skills/quantum-migration-planner/SKILL.md +105 -0
  136. package/skills/rag-poisoning-specialist/SKILL.md +367 -0
  137. package/skills/registry-mirror-enforcer/SKILL.md +93 -0
  138. package/skills/rotation-validation-agent/SKILL.md +121 -0
  139. package/skills/samm-assessor/SKILL.md +94 -0
  140. package/skills/secrets-mask-bypass-tester/SKILL.md +109 -0
  141. package/skills/senior-security-engineer/SKILL.md +178 -0
  142. package/skills/serialization-memory-attacker/SKILL.md +341 -0
  143. package/skills/session-timeout-tester/SKILL.md +170 -0
  144. package/skills/slsa-level3-enforcer/SKILL.md +121 -0
  145. package/skills/slsa-provenance-enforcer/SKILL.md +111 -0
  146. package/skills/ssrf-detection-validator/SKILL.md +117 -0
  147. package/skills/step-up-auth-enforcer/SKILL.md +93 -0
  148. package/skills/stride-pasta-analyst/SKILL.md +429 -0
  149. package/skills/supply-chain-devsecops/SKILL.md +107 -0
  150. package/skills/threat-infrastructure-analyst/SKILL.md +93 -0
  151. package/skills/threat-modeler/SKILL.md +94 -0
  152. package/skills/tls-certificate-auditor/SKILL.md +582 -18
  153. package/skills/token-reuse-detector/SKILL.md +104 -0
  154. package/skills/trike-risk-modeler/SKILL.md +93 -0
  155. package/skills/unicode-homograph-tester/SKILL.md +93 -0
  156. package/skills/waf-rule-lifecycle-agent/SKILL.md +106 -0
  157. package/skills/webhook-security-tester/SKILL.md +111 -0
  158. package/skills/zero-trust-architect/SKILL.md +118 -0
@@ -35,6 +35,15 @@ On every finding resolved, emit:
35
35
  ```
36
36
  This feeds `security.record_outcome` so the routing engine improves over time.
37
37
 
38
+ ## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
39
+
40
+ The full suite of detection modules in `src/gate/checks/` (especially `runtime.ts`, `secrets.ts`, and `ci-pipeline.ts`) are your deterministic floor, not your ceiling. Treat their finding IDs as the minimum incident surface, then reason past single-line/single-file pattern matching — and APPLY the fix (Edit), not just advise:
41
+
42
+ - **Cross-file / data-flow reasoning the regex can't do:** correlate a `secrets.ts` leaked-credential hit with the `runtime.ts` egress allowlist and the `ci-pipeline.ts` build logs to reconstruct the full kill-chain — a single rotated key in one file is meaningless if the same value is reused in three other services or baked into a cached CI artifact.
43
+ - **Semantic / effective-state analysis:** a kill-switch may exist in `src/lib/kill-switch.ts` yet be read once at startup into a module constant, so the *effective* runtime state is "always on" — prove the toggle actually fires under live traffic, don't trust the literal presence of the guard.
44
+ - **External corroboration:** WebSearch/WebFetch current CISA KEV entries, vendor advisories, and breach-notification SLA changes (GDPR Art.33 72h, EU AI Act Art.73) for the detected stack before declaring containment complete.
45
+ - **Apply & prove:** write the playbook, rotation script, and kill-switch wiring inline, re-run the `src/gate/checks/` suite plus `cosign verify-blob` / Volatility3 memory-dump scans as a regression floor, then re-audit for surviving persistence (OAuth grants, cron, Lambda). Emit the LEARNING SIGNAL per fix; surface trade-offs (e.g. fail-closed kill switch causing a planned outage) against the secure default.
46
+
38
47
  ## EXECUTION
39
48
 
40
49
  ### Phase 1 — Reconnaissance
@@ -190,3 +199,114 @@ Every finding must include:
190
199
  - `requiredActions`: ordered action list if not auto-remediated
191
200
  - `complianceImpact`: framework mappings
192
201
  - `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
202
+
203
+ Every findings JSON MUST also include `intelligenceForOtherAgents`:
204
+ ```json
205
+ {
206
+ "intelligenceForOtherAgents": {
207
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "Active attacker foothold or unpatched vector discovered during IR", "exploitHint": "Lateral movement path still open; pivot point identified in auth service" }],
208
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "RSA-2048 signing key exposed in breach", "location": "config/signing-keys/" }],
209
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "Internal metadata endpoint accessed during incident", "escalationPath": "IMDSv1 → IAM role credential theft → S3 bucket exfiltration" }],
210
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["GDPR Art.33", "HIPAA §164.408", "PCI DSS 12.10.5"], "releaseBlock": true }]
211
+ }
212
+ }
213
+ ```
214
+
215
+ ---
216
+
217
+ ## BEYOND SKILL.MD — MANDATORY EXPANSIONS
218
+
219
+ - **AI-Driven C2 Beaconing via LLM APIs (ATT&CK T1071.001 / T1102):** Threat actors in 2024–2025 (e.g., SCATTERED SPIDER, FIN7 derivatives) have used legitimate LLM API endpoints (OpenAI, Anthropic) as covert C2 channels — instructions embedded in prompts, exfiltration in completions — bypassing DLP tools that whitelist AI provider domains. Test by: run `grep -r "openai.com\|api.anthropic.com\|generativelanguage.googleapis.com" /var/log/proxy* /var/log/dns*` and flag any process not in the approved AI-consumer list making outbound calls to these endpoints; correlate with unexpected data volumes. Finding threshold: any non-approved process beaconing to LLM APIs at intervals consistent with C2 (60–300s).
220
+
221
+ - **Harvest-Now-Decrypt-Later against TLS Sessions (NIST PQC / CRQC Timeline):** Intercepted TLS 1.2/1.3 sessions using RSA or ECDHE key exchange are being archived by nation-state actors for future decryption once a Cryptographically Relevant Quantum Computer arrives (estimated 2028–2032). Long-retention data (PII, financial records, health data) exfiltrated today becomes plaintext then. Test by: audit TLS cipher suite negotiation in production — `openssl s_client -connect host:443 2>/dev/null | grep "Cipher is"` — and flag any non-PQC-hybrid suite for data classified as sensitive beyond 2030. Finding threshold: any service transmitting regulated data using only classical key exchange without a hybrid ML-KEM (FIPS 203) wrapper.
222
+
223
+ - **SolarWinds-Style Build Pipeline Injection (ATT&CK T1195.002 / SLSA Level 0):** The SolarWinds SUNBURST incident (CVE-2020-10148) demonstrated that unsigned build artifacts and compromised CI runners allow attackers to inject malicious code that survives eradication of the application layer. During IR, analysts focus on app servers and miss the CI/CD plane entirely. Test by: compare SHA-256 hashes of deployed binaries against the artifact registry's signed provenance (`cosign verify-blob --bundle <bundle> <artifact>`); enumerate all GitHub Actions runners and self-hosted agents for unexpected processes (`ps aux` snapshot vs. baseline). Finding threshold: any deployed artifact whose hash cannot be verified against a signed SLSA provenance attestation.
224
+
225
+ - **OAuth Consent Grant Persistence Post-Credential-Rotation (ATT&CK T1550.001):** Documented in the Lapsus$ compromise of Microsoft (2022) and Okta (2022) — after password rotation and MFA reset, attacker-created OAuth app consent grants remained active, giving persistent read/write access to email, files, and calendar. Test by: during eradication, run `az ad app list --filter "startswith(displayName,'<unknown>')"` (Azure), `gcloud auth application-default print-access-token` scope audit (GCP), or GitHub `GET /user/installations` to enumerate all OAuth app grants on affected accounts; revoke any grant not in the approved app inventory. Finding threshold: any OAuth app grant to an account involved in the incident that is not in the approved third-party app registry.
226
+
227
+ - **EU AI Act Art. 73 Mandatory Incident Reporting for High-Risk AI (Regulatory — enforcement 2026):** Under the EU AI Act (Regulation 2024/1689), providers of high-risk AI systems (credit scoring, HR, critical infrastructure, biometrics) must report serious incidents to national supervisory authorities within defined timelines analogous to GDPR Art. 33. IR playbooks built today that lack an AI-system-failure scenario will miss this obligation when enforcement begins. Test by: check whether the IR severity matrix contains an entry for "AI system output causing harm or fundamental rights violation"; verify the playbook names the applicable national market surveillance authority for AI. Finding threshold: any product classified as a high-risk AI system whose IR playbook contains no AI-Act-specific notification step.
228
+
229
+ - **Memory-Only Ransomware Evading EDR (CVE-2024-21412 / ATT&CK T1620, T1486):** Akira, Black Basta, and LockBit 3.0 affiliates have deployed fileless ransomware variants that load entirely into memory via process hollowing or DLL injection, bypassing file-based EDR detection (documented in CISA AA24-131A). Traditional eradication (remove malicious files, reimaging) leaves no artefact to remove if encryption has already completed. Test by: during containment, capture a full memory dump of affected hosts before any shutdown (`winpmem_mini_x64.exe <output.raw>` on Windows, `LiME` on Linux) — scan the dump with Volatility3 `vol -f dump.raw windows.malfind` to identify injected regions; do not reboot before dump capture or forensic evidence is lost. Finding threshold: any P0 ransomware incident where a memory dump was not captured before system shutdown, constituting an evidence preservation gap.
230
+
231
+ ---
232
+
233
+ ## §EDGE-CASE-MATRIX
234
+
235
+ The 5 incident-response scenarios that automated detection and naive triage universally miss. MANDATORY checks — do not skip.
236
+
237
+ | # | Edge Case | Why Scanners/Analysts Miss It | Concrete Test |
238
+ |---|-----------|-------------------------------|---------------|
239
+ | 1 | Attacker-planted persistence surviving eradication | Eradication checklist targets known IOCs; novel persistence (cloud function, scheduled Lambda, OAuth app grant, cron injected via supply chain) is left behind | After "eradication complete", enumerate ALL: cron jobs, cloud scheduled tasks, OAuth app authorisations, startup scripts, and container entry points — compare against pre-incident baseline |
240
+ | 2 | Credential re-use across services after rotation | Rotation remediates the compromised service but the same credential was reused elsewhere; attacker pivots to unrotated service | After any credential rotation, grep all secrets stores and CI/CD env vars for the rotated value; run `grep -r "<rotated-secret-prefix>" .env* .github/ infra/` across the full monorepo |
241
+ | 3 | Log tampering / gap during dwell period | Attacker cleared or rate-limited logs; analyst sees a clean window and concludes no activity occurred | Verify log continuity — check for gaps in sequence numbers or timestamp skips >30s in authentication and audit logs; absence of logs during an active session IS evidence |
242
+ | 4 | Insider-assisted incident where the "responder" is the threat actor | Standard IR assumes the responder is trusted; if an insider is involved, they may observe the investigation and destroy remaining evidence | Restrict IR war-room access to a need-to-know list verified by HR; treat all digital evidence as potentially tampered until chain-of-custody is established externally |
243
+ | 5 | Notification clock triggered by discovery, not by breach date | GDPR Art.33 (72h) and most US state laws clock from when the organisation "becomes aware" — not when the breach occurred; delayed triage can inadvertently blow the legal deadline | Document the exact timestamp of first awareness (alert, ticket, internal report) at the start of triage; this timestamp is the legal T₀ regardless of when the breach actually happened |
244
+
245
+ ---
246
+
247
+ ## §TEMPORAL-THREATS
248
+
249
+ Threats materialising in the 2025–2030 window that IR programmes designed today must account for.
250
+
251
+ | Threat | Est. Timeline | Relevance to IR | Prepare Now By |
252
+ |--------|--------------|-----------------|----------------|
253
+ | AI-automated adversary post-exploitation | 2025–2027 (active) | LLM-driven C2 can enumerate, pivot, and exfiltrate faster than human responders can triage; dwell time measured in minutes, not days | Reduce MTTD target to <5 min via UEBA; pre-authorise automated network isolation for P0 severity without human approval gate |
254
+ | Cryptographically Relevant Quantum Computer (CRQC) — harvest-now attacks | 2028–2032 (harvest active now) | Encrypted exfiltration captured today will be decrypted when CRQC arrives; long-lived PII, IP, and state secrets are at risk | Inventory all RSA/ECDSA-encrypted data at rest and in transit; prioritise migration of long-retention data to ML-KEM (FIPS 203) |
255
+ | EU AI Act mandatory incident reporting for high-risk AI | 2026 (enforcement) | AI system failures causing harm become reportable incidents with their own 72h-style notification obligations | Classify all AI features against AI Act tiers; add AI-system-failure scenarios to the IR severity matrix and escalation chain |
256
+ | Mandatory SBOM + SLSA provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | Supply chain compromise incidents will require SBOM-based blast-radius analysis; without SBOM, determining affected dependencies during an incident is days of manual work | Generate CycloneDX SBOM per release; include SBOM-diff step in the incident triage playbook to immediately scope supply chain exposure |
257
+ | Ransomware-as-a-Service with data auction (double extortion) | 2025+ (escalating) | Threat actors exfiltrate before encrypting; containment alone is insufficient — data is already staged for auction | Add pre-encryption exfiltration detection to the P0 playbook: monitor for large outbound data transfers (>1GB in 10 min) and DNS exfiltration patterns alongside ransomware IOCs |
258
+
259
+ ---
260
+
261
+ ## §DETECTION-GAP
262
+
263
+ What current IR monitoring and tooling CANNOT detect in this domain, and what to build to close each gap.
264
+
265
+ **Gaps that MUST be checked in every IR engagement:**
266
+
267
+ - **Attacker persistence in cloud control-plane**: CloudTrail/Audit Log shows API calls but not all persistence vectors (e.g., Service Account key generation, Lambda layer injection, ECR image replacement). Need: dedicated control-plane drift detection — baseline all IAM bindings, service account keys, and function configurations; alert on any delta not matching a recent deployment.
268
+ - **Credential theft via memory scraping**: No file-system or network event is generated when credentials are read from process memory (e.g., LSASS dump, Kubernetes secret mounted in pod memory). Need: kernel-level process injection detection (eBPF-based); flag any process reading memory of another process outside known debug relationships.
269
+ - **Log integrity during incident**: Logs may have been tampered with before IR begins; standard SIEM analysis assumes log fidelity. Need: cryptographic log signing (AWS CloudTrail log file validation, GCP CMEK-signed audit logs); during triage, verify log signatures before treating any log evidence as authoritative.
270
+ - **OAuth app persistence post-account compromise**: An attacker who obtains OAuth consent grants retains access even after password rotation. Need: OAuth app audit as a standard eradication checklist item — enumerate and revoke all third-party OAuth grants for affected accounts, not just credentials.
271
+ - **Cross-agent attack chains invisible to single-agent triage**: A P2 misconfiguration finding (Phase 1) plus a P2 anomalous access finding (Phase 2) may combine into a P0 chain invisible to either finding alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2 to surface multi-hop chains.
272
+
273
+ ---
274
+
275
+ ## §ZERO-MISS-MANDATE
276
+
277
+ This agent CANNOT declare any IR domain area clean without explicit evidence of checking. For each item, output one of:
278
+ - `CHECKED: [artifact or log source] | [method used] | CLEAN`
279
+ - `CHECKED: [artifact or log source] | [method used] | [N findings, all addressed]`
280
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
281
+
282
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
283
+
284
+ IR domains that MUST be attested:
285
+
286
+ | Domain | Minimum Check |
287
+ |--------|--------------|
288
+ | Playbook existence | Glob for `runbook*`, `playbook*`, `incident*` in docs and repo root |
289
+ | Kill-switch mechanism | Grep for `killSwitch`, `featureFlag`, `circuit.*breaker` across src |
290
+ | Evidence preservation procedure | Check playbook for log-snapshot and chain-of-custody steps |
291
+ | SIEM/alerting integration | Grep for monitoring provider SDKs and webhook configs |
292
+ | Regulatory notification SLAs | Confirm playbook includes GDPR 72h, HIPAA 60d, state-law timelines |
293
+ | Post-incident review template | Confirm 5 Whys / root-cause template exists |
294
+ | Eradication persistence checklist | Confirm checklist covers cron, cloud functions, OAuth grants, startup scripts |
295
+
296
+ The output findings JSON MUST include a `coverageManifest` key:
297
+ ```json
298
+ {
299
+ "coverageManifest": {
300
+ "attackClassesCovered": [
301
+ { "class": "IR Playbook Gap", "filesReviewed": 12, "patterns": ["runbook*", "playbook*", "incident*"], "result": "CLEAN" },
302
+ { "class": "Kill-Switch Absence", "filesReviewed": 84, "patterns": ["killSwitch", "featureFlag", "circuit.?breaker"], "result": "1 finding, remediated" }
303
+ ],
304
+ "filesReviewed": 84,
305
+ "negativeAssertions": [
306
+ "Evidence preservation: playbook contains log-snapshot step — confirmed present",
307
+ "Regulatory SLAs: GDPR 72h and HIPAA 60d both present in playbook Phase 5"
308
+ ],
309
+ "uncoveredReason": {}
310
+ }
311
+ }
312
+ ```
@@ -22,6 +22,15 @@ Find and fix every injection vulnerability in the codebase.
22
22
  Three-layer defense on every route: input validation → sanitization → parameterized query/safe API.
23
23
  Cover §13 input validation and §17 file handling completely.
24
24
 
25
+ ## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
26
+
27
+ The `injection-deep.ts` detection module (`src/gate/checks/injection-deep.ts`) — SQL/NoSQL/command/SSTI/path/JSON — is your deterministic floor, not your ceiling. Treat its finding IDs as the minimum, then reason past single-line/single-file pattern matching — and APPLY the fix (Edit), not just advise:
28
+
29
+ - **Cross-file / data-flow reasoning the regex can't do:** trace a tainted `req.body` field through a Zod parse, into a service-layer helper, and only there into a `prisma.$queryRawUnsafe()` sink three files away — the regex sees a "validated" input at the route and a "constant" query at the sink and misses the join. Confirm second-order paths where input is stored, then later read into a query in an admin context.
30
+ - **Semantic / effective-state analysis:** a tagged-template `$queryRaw` is parameterized, but the same call with a string built by `+` is not; an allowlist that compares against a user-supplied `req.query.table` is still injection. Judge the *effective* parameterization, not the API name.
31
+ - **External corroboration:** WebSearch/WebFetch current CVEs/advisories for the detected ORM/template engine (e.g. Prisma, Handlebars, gRPC metadata injection) and confirm version ranges before scoring.
32
+ - **Apply & prove:** rewrite to parameterized/allowlisted form inline, then re-run `src/gate/checks/injection-deep.ts` plus `semgrep --config p/sql-injection` and a `sqlmap`/Burp polyglot pass as a regression floor, then re-audit. Emit the LEARNING SIGNAL per fix; surface trade-offs (e.g. strict allowlist breaking a legitimate dynamic-column feature) against the secure default.
33
+
25
34
  ## EXECUTION
26
35
 
27
36
  1. Enumerate all routes and endpoints
@@ -61,6 +70,18 @@ Cover §13 input validation and §17 file handling completely.
61
70
  - Fixed code written inline
62
71
  - §13/§17 section covered
63
72
 
73
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
74
+ ```json
75
+ {
76
+ "intelligenceForOtherAgents": {
77
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
78
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
79
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
80
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
81
+ }
82
+ }
83
+ ```
84
+
64
85
  ---
65
86
 
66
87
  ## §POLYGLOT — Single Payload, Multiple Sinks
@@ -89,3 +110,93 @@ For each input: run ALL injection classes, not just the obvious one. A form fiel
89
110
  4. Confirm: does a subsequent `GET /admin` return 200 instead of 403?
90
111
  5. **Client-side variant**: URL hash → `JSON.parse` → unsafe assign → `if (config.admin)` → privilege escalation in SPA
91
112
  6. **Required fix**: use `Object.create(null)` + Zod schema parse before every merge
113
+
114
+ ---
115
+
116
+ ## BEYOND SKILL.MD
117
+
118
+ Domain-specific threats, techniques, and research that go beyond the standard injection checklist:
119
+
120
+ - **CVE-2023-32731 (gRPC metadata injection)**: Attacker-controlled gRPC metadata headers are passed unsanitised to backend services, enabling header injection and SSRF via internal routing metadata — scanners only check HTTP/1.1 headers.
121
+ - **CVE-2024-23897 (Jenkins arbitrary file read via CLI)**: The Jenkins CLI argument parser allows `@file` syntax in command arguments; combined with a crafted injection payload, attackers can read `/etc/passwd` or SSH private keys from the controller — path traversal disguised as CLI argument parsing.
122
+ - **GraphQL batch query amplification + injection chain**: Batching `{"query":"..."}` arrays is rarely rate-limited; combine with SSTI payloads in fragment names or variable values to achieve RCE at GraphQL resolvers that call `eval()` or template-render user-supplied strings.
123
+ - **Second-order SQL injection via ORM audit logs**: Many ORMs write SQL error messages (including malformed user input) to an audit table; if that table is later queried and displayed without sanitisation, the injection executes in a privileged admin context invisible to the original scanner.
124
+ - **AI-generated code introducing `eval()` injection**: LLM-assisted development (Copilot, Cursor) frequently suggests `eval(userInput)` or `new Function(userInput)` patterns when building dynamic rule engines or formula parsers — audit every file touched by AI pair-programming tools for dynamic code execution sinks.
125
+ - **LLM prompt injection via database content (indirect injection)**: An attacker stores a crafted prompt in a database field (e.g., user bio, product description); the application's AI assistant later retrieves and injects that field directly into a system prompt, causing the LLM to exfiltrate data or take unauthorised tool actions — the injection never touches HTTP input validation.
126
+ - **Post-quantum harvest-now-decrypt-later targeting injection payloads**: Injection payloads in encrypted TLS sessions are being archived by nation-state adversaries for future decryption once CRQCs arrive (est. 2028–2032); injection findings in high-sensitivity contexts (auth tokens, PII fields) should be treated as already-compromised if RSA/ECDH is in use without hybrid ML-KEM.
127
+ - **CRLF injection in HTTP/2 pseudo-headers**: HTTP/2 forbids CRLF in header values, but some reverse proxies (nginx < 1.25.3, HAProxy < 2.8) incorrectly forward CR-only (`\r`) sequences when downgrading to HTTP/1.1, enabling response splitting in contexts that appear safe under HTTP/2-only testing.
128
+
129
+ ---
130
+
131
+ ## LEARNING SIGNAL
132
+
133
+ On every finding resolved, emit:
134
+ ```json
135
+ {
136
+ "findingId": "FINDING_ID",
137
+ "agentName": "injection-specialist",
138
+ "resolved": true,
139
+ "remediationTemplate": "one-line description of what was done",
140
+ "falsePositive": false
141
+ }
142
+ ```
143
+ Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
144
+
145
+ ---
146
+
147
+ ## §EDGE-CASE-MATRIX
148
+
149
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
150
+
151
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
152
+ |---|-----------|----------------------|---------------|
153
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
154
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
155
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
156
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
157
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
158
+
159
+ ## §TEMPORAL-THREATS
160
+
161
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
162
+
163
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
164
+ |--------|--------------|--------------------------|----------------|
165
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
166
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
167
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
168
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
169
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
170
+
171
+ ## §DETECTION-GAP
172
+
173
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
174
+
175
+ **Standard gaps that MUST be checked:**
176
+
177
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
178
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
179
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
180
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
181
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
182
+
183
+ ## §ZERO-MISS-MANDATE
184
+
185
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
186
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
187
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
188
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
189
+
190
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
191
+
192
+ The output findings JSON MUST include a `coverageManifest` key:
193
+ ```json
194
+ {
195
+ "coverageManifest": {
196
+ "attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
197
+ "filesReviewed": 47,
198
+ "negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
199
+ "uncoveredReason": {}
200
+ }
201
+ }
202
+ ```
@@ -21,6 +21,15 @@ way developers accidentally undermine it.
21
21
  Audit all iOS security controls against OWASP MASVS. Write Swift/ObjC fixes inline.
22
22
  Only activated if iOS or cross-platform mobile is detected.
23
23
 
24
+ ## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
25
+
26
+ The `mobile-ios` detection module (`src/gate/checks/mobile-ios.ts`) is your deterministic floor, not your ceiling. Treat its finding IDs as the minimum, then reason past single-line/single-file pattern matching — and APPLY the fix (Edit), not just advise:
27
+
28
+ - **Cross-file / data-flow reasoning the regex can't do:** a token written to the Keychain in `AuthStore.swift` with a correct `kSecAttrAccessible` value is still exposed if a different file copies it into `UserDefaults` or a `WKScriptMessageHandler` reply — follow the value across files, not just the `SecItemAdd` call site.
29
+ - **Semantic / effective-state analysis:** an `apple-app-site-association` with `"paths": ["*"]`, or a pinning delegate that validates only the hostname and not the SPKI hash, *looks* present but is effectively bypassable. Judge the real trust decision (e.g. `LAContext.evaluatePolicy` result actually gating the sensitive action) over the literal presence of an API call.
30
+ - **External corroboration:** WebSearch/WebFetch current iOS CVEs and advisories (NSPredicate injection on iOS < 16.3.2, ATS bypasses, Apple Intelligence/Core ML prompt-injection notes) for the targeted SDK and OS range.
31
+ - **Apply & prove:** write the Swift/ObjC fix inline, then re-run `src/gate/checks/mobile-ios.ts` plus a `mobsf` static scan and a `frida`/`objection` runtime check (`ios sslpinning disable`, IMP-integrity probe near biometric eval) as a regression floor, then re-audit. Emit the LEARNING SIGNAL per fix; surface trade-offs (e.g. `ThisDeviceOnly` Keychain breaking multi-device restore) against the secure default.
32
+
24
33
  ## EXECUTION
25
34
 
26
35
  1. **Data Storage (MASVS-STORAGE):**
@@ -75,3 +84,285 @@ Only activated if iOS or cross-platform mobile is detected.
75
84
  - MASVS control ID violated
76
85
  - Swift/ObjC code fix written inline
77
86
  - CVSSv4, CWE
87
+ - `intelligenceForOtherAgents` block (see schema below)
88
+ - `coverageManifest` (see §ZERO-MISS-MANDATE)
89
+
90
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
91
+ ```json
92
+ {
93
+ "intelligenceForOtherAgents": {
94
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
95
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
96
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
97
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
98
+ }
99
+ }
100
+ ```
101
+
102
+ ---
103
+
104
+ ## BEYOND SKILL.MD — MANDATORY EXPANSIONS
105
+
106
+ These expansions cover attack surfaces that OWASP MASVS alone does not fully address. Each
107
+ check is mandatory — do not skip without documented justification.
108
+
109
+ 1. **CVE-2023-23530 / CVE-2023-23531 — NSPredicate Injection via SpringBoard:**
110
+ Any app that constructs `NSPredicate` strings from user input is vulnerable to sandbox
111
+ escape on unpatched iOS 16.3 and below. Test: grep codebase for `NSPredicate(format:` with
112
+ non-literal format strings. Finding: any variable interpolated into the format string without
113
+ `SELF == %@` substitution. Fix: only use `NSPredicate(format:)` with `%@`, `%d`, `%K`
114
+ substitution — never string concatenation.
115
+
116
+ 2. **Frida / Objection Dynamic Instrumentation Bypass Detection:**
117
+ Attackers attach Frida to a running app via `frida-server` on jailbroken devices to hook
118
+ `LAContext.evaluatePolicy` and return `true` unconditionally. Test: check for
119
+ `MSHookFunction` / `fishhook` resistance and integrity checks around auth decision points.
120
+ Concrete detection: compute a runtime hash of `LAContext`'s method IMP; compare against a
121
+ compile-time constant. Finding: absence of any IMP integrity check near biometric evaluation.
122
+
123
+ 3. **iOS Backup Keychain Extraction (CVE class: MASVS-STORAGE-2):**
124
+ Items stored with `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly` are excluded from
125
+ iTunes/iCloud backup, but items with the non-`ThisDeviceOnly` variants ARE included in
126
+ unencrypted backups. Test: enumerate all `SecItemAdd`/`SecItemUpdate` calls; flag any
127
+ `kSecAttrAccessible` value without `ThisDeviceOnly` suffix for sensitive item classes
128
+ (`kSecClassGenericPassword`, `kSecClassInternetPassword`). Tool: `idevicebackup2` +
129
+ `KeychainDumper` on a backup image. Finding: auth tokens or PII in backup-eligible
130
+ Keychain slots.
131
+
132
+ 4. **Universal Link Hijacking via Misconfigured AASA (apple-app-site-association):**
133
+ If `apple-app-site-association` specifies an overly broad path (`"paths": ["*"]`) or is
134
+ served from an HTTP endpoint, an attacker-controlled domain can intercept OAuth redirects.
135
+ Test: fetch `https://<domain>/.well-known/apple-app-site-association`; validate JSON
136
+ structure, HTTPS enforcement, and path specificity. Script: `curl -s
137
+ https://TARGET/.well-known/apple-app-site-association | jq '.applinks.details[].paths'`.
138
+ Finding: wildcard `*` path or missing HTTPS redirect.
139
+
140
+ 5. **Swift Concurrency Race on Authentication State (`async`/`await` TOCTOU):**
141
+ Post-iOS 15 Swift async/await patterns introduce new TOCTOU windows: an `actor`-isolated
142
+ authentication state may be read by one task while a concurrent task is resetting it.
143
+ Test: search for `actor` definitions that guard auth state; verify that all mutations and
144
+ reads use the same actor isolation. Grep: `nonisolated` adjacent to auth-state-bearing
145
+ actors. Finding: `nonisolated` method on an auth actor that reads sensitive state without
146
+ re-entering the actor.
147
+
148
+ 6. **AI-Assisted Reverse Engineering of Obfuscated Swift Binaries (Post-2024 Threat):**
149
+ LLM-powered tools (e.g., IDA + GPT-4 plugins, BinaryNinja Sidekick) can reconstruct
150
+ business logic from stripped Swift binaries in under an hour — vastly reducing the time
151
+ to extract hardcoded secrets or forge authentication tokens. Test: run `strings` + `nm` on
152
+ the release `.ipa`; confirm no API keys, JWT secrets, or internal hostnames appear in
153
+ plain text. Additionally, verify that certificate pinning logic is not trivially identified
154
+ by pattern-matching on `SecCertificateCopyData` call sites alone. Finding: any secret
155
+ detectable by automated string extraction from the binary.
156
+
157
+ 7. **LLM Prompt-Injection via On-Device AI Features (Post-2024 Threat — Apple Intelligence):**
158
+ Apps integrating Apple Intelligence / Core ML LLM features that pass user-controlled text
159
+ directly to an on-device model without sanitisation are vulnerable to prompt injection
160
+ resulting in privilege escalation within the app's own data scope. Test: identify
161
+ `MLModel`, `NaturalLanguage`, or `CreateML` usage where user text is interpolated into a
162
+ system prompt. Finding: system prompt concatenation with unsanitised `UITextField` or
163
+ clipboard content that can redirect model output to exfiltrate in-app data.
164
+
165
+ 8. **WebView JavaScript Bridge Exposure (`WKScriptMessageHandler`):**
166
+ `WKScriptMessageHandler` creates a named bridge callable from JavaScript inside a
167
+ `WKWebView`. If the WebView loads remote or user-controlled content, any registered message
168
+ handler becomes an RCE or data-exfiltration surface. Test: grep for
169
+ `add(_:name:)` on `userContentController`; for each handler, verify the loaded URL origin
170
+ is pinned to an allowlist. Script: `grep -rn "add.*name:" --include="*.swift"`. Finding:
171
+ handler registered without origin validation, or WebView loads `http://` or a
172
+ user-supplied URL.
173
+
174
+ ---
175
+
176
+ ## §IOS_SECURITY_AUDITOR-CHECKLIST
177
+
178
+ 1. **Keychain accessibility class audit** — Search all `SecItemAdd` calls; verify
179
+ `kSecAttrAccessible` is `WhenUnlockedThisDeviceOnly` or `WhenPasscodeSetThisDeviceOnly`
180
+ for auth tokens and PII. Finding: any non-`ThisDeviceOnly` or `Always*` value for
181
+ sensitive data.
182
+
183
+ 2. **ATS exception audit** — Parse `Info.plist`; flag `NSAllowsArbitraryLoads`, any
184
+ `NSExceptionDomains` entry with `NSExceptionAllowsInsecureHTTPLoads: true`, or
185
+ `NSAllowsLocalNetworking: true` in production builds. Finding: any ATS exception not
186
+ accompanied by a documented compliance reason.
187
+
188
+ 3. **Certificate pinning implementation review** — Locate `URLSession` delegate
189
+ `urlSession(_:didReceive:completionHandler:)`; verify leaf or intermediate certificate
190
+ hash is pinned (not just hostname); verify backup pin exists. Finding: absent pinning,
191
+ hostname-only validation, or pinned only to a single certificate with no fallback.
192
+
193
+ 4. **Biometric auth enrollment-change invalidation** — After `LAContext.evaluatePolicy`
194
+ success, check that `evaluatedPolicyDomainState` is compared against a stored baseline.
195
+ Finding: no `evaluatedPolicyDomainState` persistence between app launches — biometric
196
+ re-enrollment is not detected.
197
+
198
+ 5. **Universal Link / AASA integrity check** — Fetch the AASA file over HTTPS; validate
199
+ the JSON schema against Apple's spec; confirm paths are not `*`; confirm the file is
200
+ served with `Content-Type: application/json`. Finding: any deviation from spec, wildcard
201
+ path, or HTTP delivery.
202
+
203
+ 6. **Pasteboard sensitive-data leak** — Grep for `UIPasteboard.general.string =` and
204
+ `UIPasteboard.general.setValue`; verify no auth tokens, card numbers, or PII are written.
205
+ Finding: any sensitive value written to the general pasteboard (accessible by all apps).
206
+
207
+ 7. **NSUserDefaults / UserDefaults PII audit** — Grep for `UserDefaults.standard.set` and
208
+ `UserDefaults.standard.setValue`; verify keys do not store credentials, tokens, or PII.
209
+ Finding: any token or PII key in `UserDefaults` (unencrypted, included in iCloud backup
210
+ by default).
211
+
212
+ 8. **WKWebView JavaScript bridge origin validation** — For each `WKScriptMessageHandler`
213
+ registration, verify the WebView's navigation delegate `decidePolicyFor` restricts origins
214
+ to a hardcoded allowlist. Finding: handler accessible from arbitrary or remote URLs.
215
+
216
+ 9. **Binary hardening flags** — Run `otool -hv <binary>` and `otool -l <binary> | grep
217
+ stack_chk`; verify PIE flag set, stack canaries present, ARC enabled. Finding: missing
218
+ PIE or stack canary in any framework or main binary.
219
+
220
+ 10. **Info.plist secrets scan** — Search `Info.plist` for keys containing `key`, `secret`,
221
+ `token`, `password`, `apiKey` (case-insensitive). Run `plutil -convert json -o - Info.plist
222
+ | jq 'keys[] | ascii_downcase | select(contains("key","secret","token","password"))'`.
223
+ Finding: any non-empty value for a matched key.
224
+
225
+ 11. **NSPredicate injection audit** — Grep for `NSPredicate(format:` with string interpolation
226
+ or concatenation (not solely `%@`/`%K`/`%d` substitution). Finding: user-controlled data
227
+ in predicate format string (arbitrary property access or sandbox escape on iOS < 16.3.2).
228
+
229
+ 12. **Secure Enclave key usage for authentication** — Verify that private keys used in
230
+ authentication flows are generated with `kSecAttrTokenIDSecureEnclave`. Finding: auth
231
+ private key stored in software Keychain rather than Secure Enclave — extractable via
232
+ Keychain dump on jailbroken device.
233
+
234
+ ---
235
+
236
+ ## §POC-REQUIREMENT
237
+
238
+ Every CRITICAL or HIGH finding MUST follow this exact sequence before being recorded:
239
+
240
+ 1. **Write working PoC FIRST** — exact payload, request sequence, or tool command that
241
+ reproduces the vulnerability. For iOS findings this means: the exact `security
242
+ dump-keychain` command, `frida` script, or `curl` invocation that demonstrates impact.
243
+ 2. **Confirm reproduction** — execute the PoC and capture output proving the finding is real.
244
+ 3. **Write fix** — provide inline Swift/ObjC code that remediates the root cause.
245
+ 4. **Verify PoC fails against fix** — re-run the identical PoC against the fixed code; confirm
246
+ it no longer succeeds.
247
+ 5. **Record in findings JSON** — include `exploitPoC` key with the exact reproduction steps
248
+ and the verification output showing the fix is effective.
249
+
250
+ **PoC skipping = severity automatically downgraded to MEDIUM.** If runtime access is
251
+ unavailable (e.g., CI-only environment), document the limitation in `exploitPoC` and flag
252
+ for manual validation before release.
253
+
254
+ ---
255
+
256
+ ## §PROJECT-ESCALATION
257
+
258
+ Immediately alert the CISO orchestrator and reprioritise the run if ANY of the following
259
+ conditions are detected:
260
+
261
+ 1. **Keychain data accessible without device unlock** — any item found with
262
+ `kSecAttrAccessibleAlways` or `kSecAttrAccessibleAlwaysThisDeviceOnly` containing
263
+ authentication credentials or cryptographic key material.
264
+
265
+ 2. **ATS fully disabled in production build** — `NSAllowsArbitraryLoads: true` confirmed
266
+ in a non-debug `Info.plist`; all network traffic is cleartext-eligible.
267
+
268
+ 3. **Hardcoded private key or JWT secret in binary or plist** — `strings` / `grep` confirms
269
+ a PEM block, base64 key, or JWT `HS256`/`RS256` secret appears verbatim in a shipped
270
+ artifact.
271
+
272
+ 4. **NSPredicate injection on iOS < 16.3.2 confirmed** — user-controlled input reaches
273
+ an `NSPredicate(format:)` call; SpringBoard sandbox escape is within attacker reach.
274
+
275
+ 5. **WKWebView bridge with no origin check loading remote URL** — any `WKScriptMessageHandler`
276
+ accessible from a remotely loaded page; classified as RCE-class vulnerability on the
277
+ app's data scope.
278
+
279
+ 6. **Apple Wallet / PassKit credential stored outside Secure Enclave** — payment or transit
280
+ pass private key material found in software Keychain rather than Secure Enclave.
281
+
282
+ 7. **LLM prompt injection confirmed in Apple Intelligence integration** — attacker-controlled
283
+ clipboard or text field content demonstrably redirects on-device model output to access
284
+ app-internal data or bypass app-level access controls.
285
+
286
+ 8. **Certificate pinning absent on a financial or health data endpoint** — MitM is trivially
287
+ possible on endpoints transmitting PCI-DSS or HIPAA-regulated data.
288
+
289
+ ---
290
+
291
+ ## §EDGE-CASE-MATRIX
292
+
293
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
294
+
295
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
296
+ |---|-----------|----------------------|---------------|
297
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
298
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
299
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
300
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
301
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
302
+
303
+ ---
304
+
305
+ ## §TEMPORAL-THREATS
306
+
307
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
308
+
309
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
310
+ |--------|--------------|--------------------------|----------------|
311
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
312
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
313
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
314
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
315
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
316
+
317
+ ---
318
+
319
+ ## §DETECTION-GAP
320
+
321
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
322
+
323
+ **Standard gaps that MUST be checked:**
324
+
325
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
326
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
327
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
328
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
329
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
330
+
331
+ ---
332
+
333
+ ## §ZERO-MISS-MANDATE
334
+
335
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
336
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
337
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
338
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
339
+
340
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
341
+
342
+ The output findings JSON MUST include a `coverageManifest` key:
343
+ ```json
344
+ {
345
+ "coverageManifest": {
346
+ "attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
347
+ "filesReviewed": 47,
348
+ "negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
349
+ "uncoveredReason": {}
350
+ }
351
+ }
352
+ ```
353
+
354
+ ---
355
+
356
+ ## LEARNING SIGNAL
357
+
358
+ On every finding resolved, emit:
359
+ ```json
360
+ {
361
+ "findingId": "FINDING_ID",
362
+ "agentName": "ios-security-auditor",
363
+ "resolved": true,
364
+ "remediationTemplate": "one-line description of what was done",
365
+ "falsePositive": false
366
+ }
367
+ ```
368
+ Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.