--- name: audit description: Three-pass security audit pipeline. Aegis (SAST) → Specter (DAST) → Apex (synthesis). Use for security auditing any crate, directory, or the full workspace. argument-hint: [scope: workspace|crate-name|red-team] allowed-tools: Bash, Read, Grep, Glob, Agent --- # /audit — CoM Multi-Pass Security Audit You are executing the CoM three-pass security audit pipeline. This is a Pod A coordinated operation. --- ## PASS 1: Static Analysis (Aegis — The Sage) Run the SAST pipeline against the target scope: 1. `cargo clippy --workspace --all-targets -- -D warnings` — lint analysis 2. `cargo deny check` — dependency policy compliance (deny.toml) 3. `cargo audit` — CVE scanning against RUSTSEC advisory database (if installed) 4. Inventory all `unsafe` blocks — document each with file, line, and justification status 5. Secret scan — verify no API keys, tokens, or credentials in staged/modified files 6. Review `red-team/synos-redteam/docs/ATTACK_SURFACE_MAP.md` for current attack surface Produce a **SAST Findings Report** with P0/P1/P2 classifications. --- ## PASS 2: Dynamic Analysis (Specter — The Outlaw) Conduct DAST review of the same scope: 1. Map all entry points, interfaces, and trust boundaries in the target 2. Apply STRIDE threat model (Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege) 3. Review sandbox isolation: namespace boundaries, cgroup limits, seccomp filters 4. Analyze privilege escalation paths from any compromised component 5. Check input validation logic for injection vectors (command, path traversal) 6. Cross-reference against the 17 attack vectors in `red-team/synos-redteam/src/sandbox.rs` Produce a **DAST Findings Report** with attack vectors and remediation recommendations. --- ## PASS 3: Tech Lead Synthesis (Apex — The Magician) Synthesize SAST + DAST findings into a final assessment: 1. Merge findings from Pass 1 and Pass 2, deduplicate 2. Classify combined severity: - **P0 (Critical):** Exploitable vulnerabilities, credential exposure, sandbox escape paths - **P1 (Important):** Unsafe code without justification, banned deps, failing deny check - **P2 (Advisory):** Clippy warnings, code smell, maintainability concerns 3. Assess technical debt impact of findings 4. Produce final audit report with action items assigned to Cipher **Output location:** `docs/internal/security-audits/audit-[date].md` --- ## EXECUTION CONSTRAINTS - On hardware with <= RAM (oracle): run passes **sequentially** (not parallel) - On hardware with >= RAM (): Pass 1 and Pass 2 may run in parallel - All three passes must complete before the audit is considered done - P0 findings require immediate escalation to CADevO/Ty — do not wait for synthesis - The audit report must include an **Unknowns** section (what wasn't covered) ## SCOPE If $ARGUMENTS is provided, audit that specific crate or directory: - `/audit synos-lab-sandbox` → audit only `crates/synos-lab-sandbox/` - `/audit workspace` → audit the full workspace - `/audit red-team` → audit `red-team/synos-redteam/` Default (no arguments): audit the full workspace.