Public, sanitized mirror of an AI orchestration command center: agents, skills, MCP servers, slash-command workflows. All infrastructure identifiers, hostnames, mesh IPs/subnets, repo paths, maintainer identity, and hardware fleet specifics scrubbed to <placeholders>; session debug logs and host-specific memory removed. No live credentials. Verified clean by automated leak sweep. See SANITIZATION.md. churchofmalware.org . authorized research only
| name | description | argument-hint | allowed-tools |
|---|---|---|---|
| audit | Three-pass security audit pipeline. Aegis (SAST) → Specter (DAST) → Apex (synthesis). Use for security auditing any crate, directory, or the full workspace. | | Bash, Read, Grep, Glob, Agent |
/audit — CoM Multi-Pass Security Audit
You are executing the CoM three-pass security audit pipeline. This is a Pod A coordinated operation.
PASS 1: Static Analysis (Aegis — The Sage)
Run the SAST pipeline against the target scope:
- cargo clippy --workspace --all-targets -- -D warnings — lint analysis
- cargo deny check — dependency policy compliance (deny.toml)
- cargo audit — CVE scanning against RUSTSEC advisory database (if installed)
- Inventory all unsafe blocks — document each with file, line, and justification status
- Secret scan — verify no API keys, tokens, or credentials in staged/modified files
- Review red-team/synos-redteam/docs/ATTACK_SURFACE_MAP.md for current attack surface
Produce a SAST Findings Report with P0/P1/P2 classifications.
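One way to produce the Pass 1 unsafe inventory with file, line, and justification status (an added example, not code from this repository). It assumes a `// SAFETY:` comment or `# Safety` doc section directly above the site counts as justification, and tags unjustified sites P1 per the Pass 3 classification; the function names and the sample source are constructed for illustration.

```python
import re
from pathlib import Path

# `unsafe` opening a block or qualifying fn/impl/trait/extern.
UNSAFE_RE = re.compile(r"\bunsafe\s*(\{|fn\b|impl\b|trait\b|extern\b)")
# Assumed justification markers: `// SAFETY:` comments, `# Safety` doc sections.
JUSTIFY_RE = re.compile(r"SAFETY:|# Safety")
# Constructed sample source, not taken from the audited workspace.
SAMPLE = '''\
fn read(p: *const u8) -> u8 {
    // SAFETY: caller guarantees p is valid for reads
    unsafe { *p }
}
fn zero(p: *mut u8) { unsafe { *p = 0 } }
/// # Safety
/// `p` must be non-null and aligned.
unsafe fn raw(p: *const u8) -> u8 { *p }
fn note() -> &'static str { "unsafe { in a string }" } // unsafe { in a comment }
'''

def code_only(line):
    """Blank out string literals, then drop any trailing // comment."""
    return re.sub(r'"(?:\\.|[^"\\])*"', '""', line).split("//", 1)[0]

def justified(lines, idx):
    """Scan adjacent comment/attribute lines above the site for a marker."""
    for above in reversed(lines[:idx]):
        s = above.strip()
        if not s.startswith(("//", "#[")):
            break
        if JUSTIFY_RE.search(s):
            return True
    return False

def inventory_source(path, text):
    """One record per `unsafe` site: file, line, kind, justified, severity."""
    lines, out = text.splitlines(), []
    for idx, raw in enumerate(lines):
        m = UNSAFE_RE.search(code_only(raw))
        if m:
            ok = justified(lines, idx)
            kind = "block" if m.group(1) == "{" else m.group(1)
            out.append({"file": path, "line": idx + 1, "kind": kind,
                        "justified": ok, "severity": None if ok else "P1"})
    return out

def inventory_tree(root):
    """Inventory every .rs file under root, e.g. a crate directory."""
    return [rec for p in sorted(Path(root).rglob("*.rs"))
            for rec in inventory_source(str(p), p.read_text(errors="replace"))]
```

Matching is line-based, so `unsafe` inside block comments or multi-line string literals can produce false positives; treat the output as the starting list for manual review.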
PASS 2: Dynamic Analysis (Specter — The Outlaw)
Conduct DAST review of the same scope:
- Map all entry points, interfaces, and trust boundaries in the target
- Apply STRIDE threat model (Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege)
- Review sandbox isolation: namespace boundaries, cgroup limits, seccomp filters
- Analyze privilege escalation paths from any compromised component
- Check input validation logic for injection vectors (command, path traversal)
- Cross-reference against the 17 attack vectors in red-team/synos-redteam/src/sandbox.rs
Produce a DAST Findings Report with attack vectors and remediation recommendations.
PASS 3: Tech Lead Synthesis (Apex — The Magician)
Synthesize SAST + DAST findings into a final assessment:
- Merge findings from Pass 1 and Pass 2, deduplicate
- Classify combined severity:
- P0 (Critical): Exploitable vulnerabilities, credential exposure, sandbox escape paths
- P1 (Important): Unsafe code without justification, banned deps, failing deny check
- P2 (Advisory): Clippy warnings, code smell, maintainability concerns
- Assess technical debt impact of findings
- Produce final audit report with action items assigned to Cipher
Output location: docs/internal/security-audits/audit-[date].md
EXECUTION CONSTRAINTS
- On hardware with <= RAM (oracle): run passes sequentially (not parallel)
- On hardware with >= RAM (): Pass 1 and Pass 2 may run in parallel
- All three passes must complete before the audit is considered done
- P0 findings require immediate escalation to CADevO/Ty — do not wait for synthesis
- The audit report must include an Unknowns section (what wasn't covered)
SCOPE
If $ARGUMENTS is provided, audit that specific crate or directory:
- /audit synos-lab-sandbox → audit only crates/synos-lab-sandbox/
- /audit workspace → audit the full workspace
- /audit red-team → audit red-team/synos-redteam/
Default (no arguments): audit the full workspace.