axiom-security
| name | axiom-security |
| description | Use when storing credentials securely, encrypting data, implementing passkeys, code signing, or managing certificates and provisioning profiles. |
| license | MIT |
You MUST use this skill for ANY keychain, encryption, passkey, app integrity, file protection, or code signing work.
| Symptom / Task | Reference |
|---|---|
| Store tokens, passwords, API keys securely | See skills/keychain.md |
| Choose kSecAttrAccessible level, biometric protection | See skills/keychain.md |
| SecItem function signatures, attribute constants | See skills/keychain-ref.md |
| errSecDuplicateItem, errSecItemNotFound, errSecInteractionNotAllowed | See skills/keychain-diag.md |
| Encrypt data, sign payloads, key management | See skills/cryptokit.md |
| Hash functions, HMAC, AES-GCM, ChaChaPoly, ECDSA, EdDSA, key agreement | See skills/cryptokit-ref.md |
| Passkey sign-in, WebAuthn, ASAuthorizationController | See skills/passkeys.md |
| App integrity verification, DCAppAttestService | See skills/app-attest.md |
| NSFileProtection levels, data protection at rest | See skills/file-protection-ref.md |
| Certificate management, provisioning profiles, CI/CD signing | See skills/code-signing.md |
| Certificate not found, profile mismatch, entitlement errors | See skills/code-signing-diag.md |
| Certificate CLI, profile inspection, entitlement extraction | See skills/code-signing-ref.md |
| Apple Pay payment certs / pass type certs / Tap to Pay entitlement | See axiom-payments suite |
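A worked example of the "Encrypt data, sign payloads, key management" row, added here and not taken from the skill files it points to: AES-256-GCM through CryptoKit, with the record identifier bound in as additional authenticated data so a sealed blob cannot be replayed under another record, plus the two failure modes a reviewer checks (tag tampering, wrong header). The function names `sealRecord`, `openRecord`, `exportKey` and the sample record data are assumptions for illustration.

```swift
import Foundation
import CryptoKit

/// Encrypt `plaintext` under AES-256-GCM. `header` is additional authenticated data (AAD):
/// it is bound to the ciphertext but not encrypted, so a blob sealed for one record
/// cannot be presented as belonging to another record's identifier.
func sealRecord(_ plaintext: Data, header: Data, key: SymmetricKey) throws -> Data {
    // CryptoKit draws a fresh 96-bit random nonce for every call; never reuse a nonce with a key.
    let box = try AES.GCM.seal(plaintext, using: key, authenticating: header)
    // combined = nonce (12 bytes) || ciphertext || tag (16 bytes); store this single blob.
    guard let combined = box.combined else { throw CryptoKitError.incorrectParameterSize }
    return combined
}

/// Decrypt and verify. Any change to the blob (nonce, ciphertext or tag) or to `header`
/// makes this throw CryptoKitError.authenticationFailure instead of returning garbage.
func openRecord(_ combined: Data, header: Data, key: SymmetricKey) throws -> Data {
    let box = try AES.GCM.SealedBox(combined: combined)
    return try AES.GCM.open(box, using: key, authenticating: header)
}

/// Raw key bytes for persisting the key (e.g. as kSecClassGenericPassword / kSecValueData
/// in the Keychain, never in UserDefaults); reload with SymmetricKey(data:).
func exportKey(_ key: SymmetricKey) -> Data {
    key.withUnsafeBytes { Data($0) }
}

// Usage with constructed sample data (assumed values, not real records):
let key = SymmetricKey(size: .bits256)
let header = Data("record-42".utf8)
let blob = try sealRecord(Data("refresh-token-value".utf8), header: header, key: key)

// Round trip succeeds.
let plain = try openRecord(blob, header: header, key: key)
precondition(plain == Data("refresh-token-value".utf8))

// Tampering: flip one bit of the authentication tag -> authenticationFailure.
var tampered = blob
let last = tampered.index(before: tampered.endIndex)
tampered[last] ^= 0x01
do {
    _ = try openRecord(tampered, header: header, key: key)
    preconditionFailure("tampered blob must not decrypt")
} catch CryptoKitError.authenticationFailure {
    // expected: integrity check failed before any plaintext was released
}

// Replay under a different identifier: AAD mismatch also fails authentication.
do {
    _ = try openRecord(blob, header: Data("record-43".utf8), key: key)
    preconditionFailure("wrong header must not decrypt")
} catch CryptoKitError.authenticationFailure {
    // expected
}

// The key round-trips as 32 raw bytes; that blob is what goes into the Keychain.
let exported = exportKey(key)
precondition(exported.count == 32)
precondition(exportKey(SymmetricKey(data: exported)) == exported)
```

The point the CommonCrypto comparison in the red-flags table makes is visible here: the nonce, tag length and key size are fixed by the types, so the caller cannot pass a wrong-length buffer or forget to verify the tag before using the plaintext.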
```dot
digraph security {
start [label="Security task" shape=ellipse];
what [label="What do you need?" shape=diamond];
start -> what;
what -> "skills/keychain.md" [label="store/retrieve\ncredentials, tokens,\nsecrets"];
what -> "skills/keychain-ref.md" [label="SecItem API syntax,\nattribute constants,\naccess levels"];
what -> "skills/keychain-diag.md" [label="keychain errors\n(errSec codes)"];
what -> "skills/cryptokit.md" [label="encrypt data,\nsign payloads,\nSecure Enclave keys"];
what -> "skills/cryptokit-ref.md" [label="CryptoKit API\n(AES, ECDSA, HPKE,\npost-quantum)"];
what -> "skills/passkeys.md" [label="passkey sign-in,\nreplace passwords"];
what -> "skills/app-attest.md" [label="app integrity,\nfraud prevention"];
what -> "skills/file-protection-ref.md" [label="file encryption,\nNSFileProtection"];
what -> "skills/code-signing.md" [label="set up signing,\nprofiles, CI/CD"];
what -> "skills/code-signing-diag.md" [label="signing errors,\nupload rejections"];
what -> "skills/code-signing-ref.md" [label="CLI commands,\nprofile inspection"];
}
```
1. skills/keychain.md
   1a. Need SecItem function signatures, attribute constants? → skills/keychain-ref.md
   1b. Keychain errors (errSecDuplicateItem, errSecItemNotFound)? → skills/keychain-diag.md
2. skills/cryptokit.md
   2a. Need CryptoKit API details (AES-GCM, ECDSA, HPKE, post-quantum)? → skills/cryptokit-ref.md
3. skills/passkeys.md
4. skills/app-attest.md
5. skills/file-protection-ref.md
6. skills/code-signing.md
   6a. Code signing error troubleshooting? → skills/code-signing-diag.md
   6b. Certificate CLI commands, profile inspection? → skills/code-signing-ref.md

/skill axiom-shipping
/skill axiom-data
/skill axiom-networking

security vs axiom-build: When build fails with signing errors:
- CODESIGN, ITMS-90xxx, errSec → security

security vs shipping: When preparing for App Store:

security vs axiom-data: When storing sensitive data:
- .db/-wal/-shm trio, widget-while-locked access) → See axiom-data (skills/grdb-app-groups.md) §4

security vs axiom-networking: When securing network communication:
Keychain (skills/keychain.md):
Keychain API (skills/keychain-ref.md):
Keychain Diagnostics (skills/keychain-diag.md):
CryptoKit (skills/cryptokit.md):
CryptoKit API (skills/cryptokit-ref.md):
Passkeys (skills/passkeys.md):
App Attest (skills/app-attest.md):
File Protection (skills/file-protection-ref.md):
Code Signing (skills/code-signing.md):
Code Signing Diagnostics (skills/code-signing-diag.md):
Code Signing CLI (skills/code-signing-ref.md): security find-identity, security cms -D for profile inspection; codesign -d --entitlements for entitlement extraction

Security audit → Launch security-privacy-scanner agent (scans for hardcoded credentials, insecure token storage, Privacy Manifest coverage gaps, ATS violations, missing ATT descriptions, missing export compliance, weak Keychain ACLs, and compound rejection risks; scores posture HARDENED/GAPS/VULNERABLE)
| Thought | Reality |
|---|---|
| "I'll store the token in UserDefaults for now" | UserDefaults is a plain plist in the app container, not encrypted by the app: it is readable on a jailbroken device, from an unencrypted backup, or by anything with file access. Keychain takes about 10 lines; skills/keychain.md shows the pattern. |
| "My app doesn't need encryption" | If you store any user data at rest, iOS file protection is free. skills/file-protection-ref.md covers protection levels. |
| "CommonCrypto works fine, no need to migrate" | CommonCrypto is a C API that takes raw pointers and caller-managed buffer lengths, with no compile-time safety. CryptoKit's typed keys, nonces and sealed boxes rule out whole classes of buffer-length and key-misuse bugs. |
| "I'll just use automatic signing" | Automatic signing works until CI, team scaling, or capability changes break it. Understand manual signing before you need it. skills/code-signing.md covers both. |
| "Passkeys are too new, passwords are fine" | Passkeys are phishing-resistant and supported since iOS 16. The migration path supports both simultaneously. skills/passkeys.md shows combined flows. |
| "I'll regenerate all certificates to fix this" | Regenerating revokes existing certs and breaks every teammate's build. Diagnose first. skills/code-signing-diag.md has the diagnostic flow. |
| "App Attest is overkill for my app" | If your app has any server-verified purchase, promotion, or competitive feature, tampered clients will exploit it. skills/app-attest.md covers gradual rollout. |
| "I'll use @unchecked Sendable on my crypto wrapper" | Hiding thread-safety issues from the compiler in security code is how data corruption happens. See axiom-concurrency for safe patterns. |
| "kSecAttrAccessibleAlways is fine" | Deprecated since iOS 12. Items stay readable while the device is locked, and the non-ThisDeviceOnly variant migrates to other devices through backups. Use kSecAttrAccessibleAfterFirstUnlock at minimum, and WhenUnlocked (ThisDeviceOnly) where no background access is needed. |
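The "10 lines" the UserDefaults row refers to, as an added example that is not code from the skill files: a generic-password wrapper that stores the item as kSecAttrAccessibleWhenUnlockedThisDeviceOnly, falls back to SecItemUpdate on errSecDuplicateItem, maps errSecItemNotFound to nil, and surfaces every other status (including errSecInteractionNotAllowed when the device is locked) as an error. The `TokenStore` type, `KeychainError`, and the service/account strings are assumptions for illustration.

```swift
import Foundation
import Security

/// Errors surfaced by the wrapper; the OSStatus carries the errSec* code for diagnostics.
enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
    case unexpectedData
}

/// Minimal generic-password store. `service` + `account` identify one item.
struct TokenStore {
    let service: String   // assumed: the app's bundle identifier
    let account: String   // assumed: a name for the secret, e.g. "access-token"

    /// Shared identity query so add, update, read and delete all target the same item.
    private var baseQuery: [String: Any] {
        [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }

    /// Readable only while the device is unlocked, and never migrated to another device
    /// through a backup. Use kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly instead if a
    /// background task must read the item before the first unlock after a reboot.
    private let accessibility = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

    /// Save or overwrite the secret.
    func save(_ token: Data) throws {
        var attrs = baseQuery
        attrs[kSecValueData as String] = token
        attrs[kSecAttrAccessible as String] = accessibility

        let status = SecItemAdd(attrs as CFDictionary, nil)
        if status == errSecDuplicateItem {
            // SecItemAdd refuses to replace an existing item: update it in place instead.
            // Re-stating kSecAttrAccessible also upgrades items an older build stored too loosely.
            let update: [String: Any] = [
                kSecValueData as String: token,
                kSecAttrAccessible as String: accessibility,
            ]
            let updateStatus = SecItemUpdate(baseQuery as CFDictionary, update as CFDictionary)
            guard updateStatus == errSecSuccess else {
                throw KeychainError.unexpectedStatus(updateStatus)
            }
            return
        }
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    /// Returns nil when no item exists. A locked device yields errSecInteractionNotAllowed,
    /// which is thrown rather than silently treated as "not found".
    func load() throws -> Data? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne

        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        switch status {
        case errSecSuccess:
            guard let data = result as? Data else { throw KeychainError.unexpectedData }
            return data
        case errSecItemNotFound:
            return nil
        default:
            throw KeychainError.unexpectedStatus(status)
        }
    }

    /// Deleting an absent item is not an error; anything else is.
    func delete() throws {
        let status = SecItemDelete(baseQuery as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError.unexpectedStatus(status)
        }
    }
}

// Usage (assumed identifiers):
let store = TokenStore(service: "com.example.app", account: "access-token")
try store.save(Data("opaque-token-value".utf8))   // second call hits errSecDuplicateItem -> update
let token = try store.load()                       // Data? ; nil only when the item is absent
try store.delete()
```

Keep the query dictionary identical across operations; a save that sets an attribute the read query does not (or vice versa) is the usual root cause of a phantom errSecItemNotFound after a successful SecItemAdd.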
User: "How do I store an auth token securely?"
→ Read: skills/keychain.md
User: "errSecDuplicateItem when saving to keychain"
→ Read: skills/keychain-diag.md
User: "What are the SecItem attribute constants?"
→ Read: skills/keychain-ref.md
User: "How do I encrypt user data with AES?"
→ Read: skills/cryptokit.md
User: "What's the CryptoKit API for ECDSA signing?"
→ Read: skills/cryptokit-ref.md
User: "How do I add passkey sign-in to my app?"
→ Read: skills/passkeys.md
User: "How do I verify my app hasn't been tampered with?"
→ Read: skills/app-attest.md
User: "What NSFileProtection level should I use?"
→ Read: skills/file-protection-ref.md
User: "My build fails with 'No signing certificate found'"
→ Read: skills/code-signing-diag.md
User: "How do I set up fastlane match for CI?"
→ Read: skills/code-signing.md
User: "How do I inspect a provisioning profile?"
→ Read: skills/code-signing-ref.md
User: "Scan my code for security issues"
→ Invoke: security-privacy-scanner agent