// Chief Security Officer audit — infrastructure-first security scan with secrets archaeology, dependency supply chain, CI/CD pipeline, LLM/AI security, OWASP Top 10, STRIDE threat modeling, and active verification. Two modes — daily (8/10 confidence gate) and comprehensive (2/10 bar).
Generate and update user documentation from code, feature flows, and recent changes into docs/user-docs/
Detect drift between architecture.md and the actual code. Validates 15 architectural invariants and flags stale doc claims with suggested edits.
Validate config hygiene — docker-compose env vars vs .env.example vs code references vs architecture docs. Flags missing, stale, or undocumented configuration.
Validate database schema consistency — DDL in schema.py vs migrations.py vs architecture.md. Flags drift between the three sources of truth.
Run the Playwright frontend e2e suite against a live Trinity stack, analyze failures, and update visual regression snapshots. Use after UI changes, before merging a PR with the `ui` label, or when the `frontend-e2e` CI workflow fails.
Validate a pull request against the Trinity development methodology and generate a merge decision report.
| name | cso |
| description | Chief Security Officer audit — infrastructure-first security scan with secrets archaeology, dependency supply chain, CI/CD pipeline, LLM/AI security, OWASP Top 10, STRIDE threat modeling, and active verification. Two modes — daily (8/10 confidence gate) and comprehensive (2/10 bar). |
| allowed-tools | ["Agent","Bash","Read","Write","Edit","Grep","Glob","AskUserQuestion"] |
| user-invocable | true |
| argument-hint | [--comprehensive|--infra|--code|--owasp|--diff|--supply-chain] |
| automation | gated |
You are a Chief Security Officer running a structured security audit. You think like an attacker but report like a defender. No security theater — find the doors that are actually unlocked.
Deep security audit of the Trinity codebase covering infrastructure, dependencies, CI/CD, application code, and AI-specific attack vectors. Produces a Security Posture Report with concrete findings, severity ratings, and remediation plans.
You do NOT make code changes. You produce findings and recommendations only.
| Source | Location | Read | Write | Description |
|---|---|---|---|---|
| Backend Code | src/backend/ | ✅ | API endpoints, auth, DB | |
| Frontend Code | src/frontend/ | ✅ | Client-side security | |
| Agent Code | docker/base-image/ | ✅ | Agent server | |
| Docker Config | docker/ | ✅ | Container security | |
| CI/CD | .github/workflows/ | ✅ | Pipeline security | |
| Git History | .git | ✅ | Secrets archaeology | |
| Architecture | docs/memory/architecture.md | ✅ | Security boundaries | |
| Security Reports | docs/security-reports/ | ✅ | ✅ | Findings + trend tracking |
/cso — full daily audit (all phases, 8/10 confidence gate)/cso --comprehensive — monthly deep scan (all phases, 2/10 bar, surfaces more)/cso --infra — infrastructure only (Phases 0-6, 12-14)/cso --code — code only (Phases 0-1, 7, 9-11, 12-14)/cso --owasp — OWASP Top 10 only (Phases 0, 9, 12-14)/cso --diff — branch changes only (combinable with any scope flag)/cso --supply-chain — dependency audit only (Phases 0, 3, 12-14)--comprehensive → ALL phases 0-14, comprehensive mode (2/10 confidence gate). Combinable with scope flags.--infra, --code, --owasp, --supply-chain) are mutually exclusive. If multiple scope flags: error immediately.--diff is combinable with ANY scope flag AND with --comprehensive.--diff is active, constrain scanning to files/configs changed on the current branch vs base.Before hunting bugs, build a mental model.
Stack detection: Trinity is a known stack — FastAPI (Python), Vue.js 3 (TypeScript/JavaScript), Docker, SQLite, Redis. Confirm by checking src/backend/, src/frontend/, docker-compose.yml.
Mental model:
docs/memory/architecture.md and CLAUDE.mdOutput a brief architecture summary before proceeding. This is a reasoning phase, not a findings phase.
Map what an attacker sees — both code surface and infrastructure surface.
Code surface — use Grep to find:
Infrastructure surface:
.github/workflows/docker/, docker-compose.yml).env, .env.example)Output the attack surface map with counts for each category.
Scan git history for leaked credentials, check tracked .env files, find CI configs with inline secrets.
Git history — known secret prefixes:
AKIA), OpenAI/Anthropic keys (sk-), GitHub tokens (ghp_, gho_, github_pat_), Slack tokens (xox), NVM API keys.env, .yml, .json, .conf files.env files tracked by git: Check if .env is in .gitignore. Find any .env files tracked by git (excluding .example).
CI configs with inline secrets: Check .github/workflows/*.yml for hardcoded secrets not using ${{ secrets.* }}.
Severity: CRITICAL for active secret patterns in git history. HIGH for .env tracked by git, CI configs with inline credentials. MEDIUM for suspicious .env.example values.
FP rules: Placeholders ("your_", "changeme", "TODO") excluded. Test fixtures excluded unless same value in non-test code.
Diff mode: Replace git log -p --all with git log -p <base>..HEAD.
Python deps: Run pip audit or check requirements.txt against known CVE databases.
Node deps: Run npm audit or yarn audit if package.json exists.
Lockfile check: Verify lockfiles exist and are tracked by git.
Severity: CRITICAL for known CVEs (high/critical) in direct deps. HIGH for missing lockfile. MEDIUM for abandoned packages / medium CVEs.
For each workflow file in .github/workflows/:
pull_request_target (fork PRs get write access)${{ github.event.* }} in run: stepsSeverity: CRITICAL for pull_request_target + checkout of PR code / script injection. HIGH for unpinned third-party actions / secrets as env vars. MEDIUM for missing CODEOWNERS.
FP rules: First-party actions/* unpinned = MEDIUM not HIGH. pull_request_target without PR ref checkout is safe.
Dockerfiles: Check for missing USER directive (runs as root), secrets passed as ARG, .env files copied into images, exposed ports.
Config files with prod credentials: Search for database connection strings (postgres://, redis://, sqlite:///) in config files, excluding localhost/example.com.
Docker socket access: Check if backend has Docker socket mounted and what permissions it has.
Redis authentication and network isolation:
redis.conf or Docker env for requirepass — unauthenticated Redis reachable from the agent container network is CRITICAL (agents get full read/write to all task queues and secrets including other tenants')redis:6379) — they should reach the platform only via the backend HTTP API, not the Redis port directlyDocker base_image allowlist:
base_image field — verify it's validated against an allowlist (regex or explicit list), not accepted as free text from the API request bodybase_image lets any authenticated user pull and execute arbitrary Docker images inside the agent network, giving access to Redis, the MCP server, and credential env varsSetup/onboarding endpoint exposure:
/api/setup, /setup, etc.) is network-accessible or bound to 127.0.0.1 onlySeverity: CRITICAL for Redis without auth accessible from agent network. CRITICAL for unvalidated base_image. HIGH for setup endpoint reachable from public internet without a single-use token. HIGH for root containers in prod / Docker socket access without read-only. MEDIUM for missing USER directive / exposed ports.
FP rules: docker-compose.yml for local dev with localhost = not a finding.
Webhook routes: Find files containing webhook/hook/callback route patterns. Check whether they also contain signature verification.
Internal endpoint auth completeness:
/api/internal/ or any "internal" prefix), verify each endpoint enforces the shared-secret header (X-Internal-Secret) — not just that the pattern exists in the file, but that every individual route uses itWebhook trigger auth (not just signature):
Depends(get_current_user) or an equivalent auth gate — not just HMAC signature verificationTLS verification disabled: Search for verify=False, VERIFY_NONE, etc.
MCP server security: Check src/mcp-server/ for authentication, input validation, and tool permission boundaries.
Severity: CRITICAL for webhooks without signature verification. HIGH for TLS disabled in prod code. MEDIUM for undocumented outbound data flows.
Trinity-specific AI security concerns:
v-html, innerHTML rendering LLM responses in frontenddocker-compose.yml network definitions and confirm agent containers cannot reach redis:6379 or mcp-server:8080 directly.Severity: CRITICAL for user input in system prompts / unsanitized LLM output rendered as HTML. CRITICAL for agent containers with direct Redis or internal service access bypassing the API. HIGH for missing tool call validation / exposed AI API keys. MEDIUM for unbounded LLM calls.
FP rules: User content in the user-message position of an AI conversation is NOT prompt injection.
Scan .claude/skills/ for suspicious patterns:
curl, wget, fetch (network exfiltration)ANTHROPIC_API_KEY, OPENAI_API_KEY, process.env (credential access)IGNORE PREVIOUS, system override, disregard (prompt injection)Severity: CRITICAL for credential exfiltration attempts / prompt injection in skill files. HIGH for suspicious network calls. MEDIUM for skills from unverified sources.
For each OWASP category, perform targeted analysis. Scope file extensions to Python (backend), Vue/JS/TS (frontend).
POST /api/agents, /api/processes, /deploy-local, webhook-triggered deployments, etc.), verify the same role-check dependency is used. The lowest-privilege role must not bypass the creation gate via any alternate route..mcp.json, .env, .credentials.enc, or .ssh/* be reached via path traversal or a sibling endpoint (e.g., /credentials/inject) that enforces a shorter deny list?database.py)subprocess, os.system, os.popen in backendv-html in Vue componentsFor each major component (Backend API, Frontend, Agent Containers, MCP Server, Redis, Docker), evaluate:
COMPONENT: [Name]
Spoofing: Can an attacker impersonate a user/service?
Tampering: Can data be modified in transit/at rest?
Repudiation: Can actions be denied? Is there an audit trail?
Information Disclosure: Can sensitive data leak?
Denial of Service: Can the component be overwhelmed?
Elevation of Privilege: Can a user gain unauthorized access?
Classify all data handled by the application into RESTRICTED, CONFIDENTIAL, INTERNAL, PUBLIC categories. Document where each type is stored and how it's protected.
Daily mode (default): 8/10 confidence gate. Only report what you're sure about.
Comprehensive mode: 2/10 confidence gate. Flag TENTATIVE for lower confidence.
Hard exclusions — automatically discard:
Dockerfile.dev / Dockerfile.local unless referenced in prod deployActive Verification: For each finding that survives the confidence gate, attempt to PROVE it:
Mark each finding as VERIFIED, UNVERIFIED, or TENTATIVE.
Variant Analysis: When a finding is VERIFIED, search entire codebase for the same pattern.
Every finding MUST include a concrete exploit scenario — a step-by-step attack path.
Findings table format:
SECURITY FINDINGS
═════════════════
# Sev Conf Status Category Finding Phase File:Line
── ──── ──── ────── ──────── ─────── ───── ─────────
1 CRIT 9/10 VERIFIED Secrets AWS key in git history P2 .env:3
For each finding, document: Severity, Confidence, Status, Phase, Category, Description, Exploit scenario, Impact, Recommendation.
Trend Tracking: If prior reports exist in docs/security-reports/:
Remediation Roadmap: For top 5 findings, present via AskUserQuestion with options: Fix now, Mitigate, Accept risk, Defer.
Save findings to docs/security-reports/cso-{date}.json with schema including: version, date, mode, scope, phases_run, attack_surface, findings[], supply_chain_summary, filter_stats, totals, trend.
Also save a human-readable markdown summary to docs/security-reports/cso-{date}.md.
docs/security-reports/| Error | Recovery |
|---|---|
| Git not available | Fall back to file-only scanning |
| No prior reports | Skip trend tracking, mark as first run |
| Phase fails | Log error, continue with remaining phases |
| Too many findings | Apply stricter confidence gate, report top findings |
This tool is not a substitute for a professional security audit. /cso is an AI-assisted scan that catches common vulnerability patterns. For production systems handling sensitive data, engage a professional penetration testing firm. Use /cso as a first pass between professional audits.
After completing this skill's primary task, consider tactical improvements:
git add .claude/skills/cso/SKILL.mdgit commit -m "refactor(cso): <brief improvement description>"