بنقرة واحدة
operator-recon
Discovery alpha — file triage, git patch mining, recon invariant tests before deep analysis.
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Discovery alpha — file triage, git patch mining, recon invariant tests before deep analysis.
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
Practitioner-elevated asset tracing patterns from SlowMist Crypto-Asset-Tracing-Handbook. Provides canonical property tables for obfuscation patterns (peel chains, mixers, bridge hops), address behavior clustering/risk profiling, cross-chain reconstruction workflows. Hard-first on behavioral + flow invariants. Integrates with codegraph-x-ray, deep-dive-handoff, and bounty forensics. Includes reference implementation for mixer deposit/withdrawal clustering. Trigger: alpha-miner on tracing handbook or similar.
Drop-in skill adapted from Glider query engine for static analysis, taint tracking, CFG/DFG traversal in bug bounty. Supports lazy reference loading, creativity layer for audited targets, integrates with bounty-loop. EVM priority with Solana compatibility.
Use for mining validator/runtime/cache/storage-key coherence bugs in blockchain clients, VMs, program loaders, bridge runtimes, and execution harnesses. Hard-first on stale cache, recycled identifier, partial flush, epoch/generation drift, mempool/order-dependent runtime state, and storage-key confusion. Trigger on runtime cache invariant, stale cache bug, VM storage confusion, client cache coherence, Aptos-style hijack, validator-local state, epoch-boundary bug, or when alpha-miner extracts runtime/client exploit engineering.
Cross-references a graphified target codebase (codegraph-x-ray output) against the local AuditVault corpus to surface structurally analogous historical vulnerabilities. Run after codegraph-x-ray has completed and produced invariants.md and property_candidates.md. Produces ranked pattern-match hits with per-finding graph anchor evidence. Pattern matches are advisory signals only — never evidence of exploitability and never a substitute for live reproduction or submission-gate validation.
Combines structured codegraph intelligence with rigorous invariant synthesis. Enforces high-quality usage of codegraph to identify the Primary Target Subsystem, then applies ordered structural invariant discovery with strict verification gates. Produces categorized invariants and high-quality property candidates ready for ultrafuzz-discovery. Trigger on codegraph-x-ray, x-ray with codegraph, invariant synthesis, primary subsystem invariants.
Optional accelerator and scaffolder for ultrafuzz-discovery. Brings parallel specialized invariant discovery agents, automated harness/handler scaffolding, coverage-driven refinement loops, property tagging, and reproducible test generation helpers from high-quality EVM fuzz patterns. Designed to speed up property fan-in and executable attempts phases while preserving NSS rigor, fresh-context pass@k, adjudication, and Crucible usage. Trigger on fuzz-scaffolder, accelerate invariant discovery, generate fuzz harness, scaffold handlers.
| name | operator-recon |
| description | Discovery alpha — file triage, git patch mining, recon invariant tests before deep analysis. |
Phase B discovery workflow. Run before hypothesis-expansion on a cloned target repo.
cd /home/kt/projects/rtp/night-shift-security
.venv/bin/python -m night_shift_security.cli.main semantic map \
--slug <slug> \
--repo /path/to/repo
For Wormhole:
.venv/bin/python -m night_shift_security.cli.main semantic map \
--slug wormhole \
--repo sources/wormhole/repo \
--kind bridge
Artifacts land under data/security_results/semantic/<slug>/; concrete candidates are upserted into data/security_results/knowledge/concrete_candidates.jsonl.
cd /home/kt/projects/rtp/night-shift-security
.venv/bin/python -m night_shift_security.cli.main triage files \
--repo /path/to/klend-repo \
--slug kamino \
--min-score 4 \
--output data/security_results/triage/kamino_files.json
.venv/bin/python -m night_shift_security.cli.main triage patches \
--repo /path/to/klend-repo \
--slug kamino \
--output data/security_results/triage/kamino_patch_shapes.jsonl
Pass ranked paths for analogue hints:
--ranked-file programs/klend/src/oracle.rs \
--ranked-file programs/klend/src/borrow.rs
.venv/bin/python -m night_shift_security.cli.main invariants test \
--from-recon sources/kamino/recon.json \
--output-dir data/security_results/invariants
Failures → refinement_seeds for RSI / hypothesis-expansion context.
For Wormhole targets (not Nomad proxy analogue):
# One-time clone (sparse solana + ethereum):
git clone --depth 1 --filter=blob:none --sparse https://github.com/wormhole-foundation/wormhole.git sources/wormhole/repo
cd sources/wormhole/repo && git sparse-checkout set solana ethereum
.venv/bin/python -m night_shift_security.cli.main triage files \
--repo sources/wormhole/repo --slug wormhole --min-score 4 \
--output data/security_results/triage/wormhole_files.json
.venv/bin/python -m night_shift_security.cli.main triage wormhole-map \
--repo sources/wormhole/repo \
--output data/security_results/triage/wormhole_program_map.json
Canonical IDs land in sources/wormhole/recon.json. Catalogue analogue remains validation-only.
Scoped proposals (no delegate required for parametric pass):
.venv/bin/python hermes/scripts/nss-write-wormhole-triage-proposals.py --min-score 5
.venv/bin/python -m night_shift_security.cli.main --config src/night_shift_security/config/wormhole_shoestring.json \
--proposals data/security_results/hermes_proposals/latest.json run
.venv/bin/python -m night_shift_security.cli.main tools opengrep \
--slug <slug> --repo /path/to/repo
If opengrep/semgrep is absent, tool_missing is non-fatal. SARIF findings never bypass validation.
Write operator-checkpoint with ranked_files from triage output, then scoped hypothesis-expansion on files ≥4 only.
patches (not bare sources/ JSON)NSS_KLEND_FIXTURE=1 in CI; live validator needs RPC + human gate per SOULsources/kamino/recon.json are expected — they feed refinement, not submission