| name | onboard-privesc-technique |
| description | Add a single AWS IAM privilege-escalation technique (e.g. from pathfinding.cloud) to cloudsplaining's detection. This skill should be used when the method name and required action list are already decided — it is a pure executor, not a planner. It updates constants.py with TDD, regenerates fixtures with a regression check, and updates the docs. |
| allowed-tools | Bash(uv run:*), Bash(just:*), Bash(git add:*), Bash(git commit:*), Edit, Read, Write |
Onboard Privilege-Escalation Technique
Add one privilege-escalation method to cloudsplaining/shared/constants.py and wire up its test,
fixtures, and docs. This is an EXECUTOR: the method name and action list are inputs (decided upstream
by triage-github-issue or mega-pipeline phase 0). Do no planning here.
Inputs
- A PascalCase method name, e.g.
PassExistingRoleToNewECSService.
- A list of exact lowercase IAM actions, e.g.
["iam:passrole", "ecs:registertaskdefinition", "ecs:createservice"].
Source: research/pathfinding-cloud/proposed-privilege-escalation-methods.py.
- The originating pathfinding path id (for the docs link), if any.
(Below, ACTIONS denotes that action list.)
Workflow (strict TDD)
-
Verify policy_sentry recognizes every action. Wildcard expansion only works for known actions:
uv run python -c "from policy_sentry.querying.all import get_all_actions; known={a.lower() for a in get_all_actions()}; missing=[a for a in ACTIONS if a.lower() not in known]; import sys; print('MISSING: '+', '.join(missing)) if missing else print('all actions known')"
If any action is missing, STOP — the policy_sentry datastore may need updating.
-
Idempotency guard. grep -n "<MethodName>" cloudsplaining/shared/constants.py and confirm no
existing entry already has the same action set. If present, skip — already onboarded.
-
RED — failing test first. In test/scanning/test_policy_document.py (inside TestPolicyDocument),
add a test: a policy granting exactly ACTIONS on Resource: "*" must yield
[{"type": "<MethodName>", "actions": ACTIONS}] from allows_privilege_escalation. Run it; watch it FAIL.
-
GREEN. Append the entry to PRIVILEGE_ESCALATION_METHODS (or ACTIONS_THAT_RETURN_CREDENTIALS for
credential-returning paths) in cloudsplaining/shared/constants.py. Re-run the test; it PASSES.
-
Fix brittle assertions. Adding a method can break tests that assert an exact privesc list for a policy
whose actions are a superset of the new method. Run just unit-tests; for each failure, prefer converting
the exact-list assertion to membership (self.assertIn(expected_finding, results)) rather than appending.
See research/pathfinding-cloud/INTEGRATION-ANALYSIS.md §4c for the known list.
-
Regenerate + regression-check. Use the report-regression-check skill (snapshot → just generate-report
→ just compare-reports → dogfood). Confirm the new method's findings are ADDED and nothing is removed.
Then just test-js; update inline-policies-test.js expectedResult only if it legitimately changed.
-
Docs. Add the technique to docs/glossary/privilege-escalation.md with its pathfinding.cloud link.
-
Verify + commit. just unit-tests && just type-check && just test-js all green; just safety-scan
clean. Commit locally (no push).
Notes
- Action lists must be exact lowercase
service:action strings (matching policy_sentry's wildcard expansion).
- Method names become the finding
type and a readthedocs URL anchor — keep PascalCase, matching existing entries.
- Skip "variant" combinations that are supersets of an existing method (they produce duplicate findings); see
INTEGRATION-ANALYSIS.md §5.1.