一键导入
security-audit
Perform a project-wide security and safety audit of the 5thPlanet workspace.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Perform a project-wide security and safety audit of the 5thPlanet workspace.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
A disciplined workflow for tracing hard / stubborn bugs in the 5thPlanet Saturn emulator without tunnel-visioning — classify the failure, make it deterministic, write the hypothesis with explicit falsification, win by register-completeness + an EARLY oracle diff, instrument the transform's OUTPUT, ALWAYS fan out to multiple parallel agents with competing hypotheses, and run a self-check tripwire when probes stop narrowing. Use it for LLE fidelity gaps (render / audio / timing / boot), intermittent stalls, "random" crashes, and any bug where the first few probes haven't eliminated a cause.
Dump a physical SEGA Saturn game disc to a 5thPlanet-loadable CUE-BIN image, using redumper (preferred) or cdrdao (handling its MSB-first CD-DA byte-swap gotcha).
Manage the full software release process for the 5thPlanet workspace — version bumps, changelogs, Git tags, and (when applicable) GitHub releases.
Perform a project-wide code review of the 5thPlanet SEGA Saturn emulator, covering correctness, emulation accuracy, code quality, tests, documentation, and style.
Audit and update all project documentation to stay in sync with the current development status of the 5thPlanet SEGA Saturn emulator.
Profile and analyze the performance of the 5thPlanet SEGA Saturn emulator end-to-end — from the SH-2 interpreter core through the VDP2 compositor to the SDL2 jupiter frontend — then report concrete, accuracy-safe optimization opportunities.
| name | security-audit |
| description | Perform a project-wide security and safety audit of the 5thPlanet workspace. |
When performing a security audit, always follow these steps:
Audit dependencies — run cargo audit (install with cargo install cargo-audit if missing) against Cargo.lock to check for known RustSec advisories. Then run cargo tree --workspace --duplicates to flag duplicate transitive dependencies that could mask CVE fixes. Treat any unmaintained or yanked crate as a Medium finding even without a known vuln.
Verify the unsafe-code lint is intact — the workspace Cargo.toml must keep [workspace.lints.rust] unsafe_code = "forbid". Grep for any per-crate #![allow(unsafe_code)] overrides; any that exist must carry a justification comment and a soundness argument. New unsafe blocks land as Critical findings until justified.
Static review of trust boundaries — the only trust boundary in M1 is the Bus trait. Audit each Bus impl (notably sh2::harness::MemBus and any future Saturn bus) for:
wrapping_* and explicit bounds, never raw Vec indexing in production paths).Static review of host-facing future code — for any code that will eventually touch the host (file I/O for CD images, save states, BIOS loading, SDL2 frontend), confirm:
Vec::with_capacity(untrusted_u32 as usize)).(Most of these don't exist yet — note the gap as a roadmap reminder rather than a finding.)
Build-time / supply-chain check — confirm no build.rs in any workspace crate executes network requests or shells out to untrusted binaries. Confirm Cargo.lock is committed and matches the manifest.
Report findings — document all identified risks grouped by category (Dependencies, Unsafe Code, Trust Boundaries, Host Boundary, Build/Supply Chain). Classify each by severity (Critical / High / Medium / Low) and provide concrete remediation steps. For each finding, cite the file path, line number, and the relevant audit advisory ID (when applicable).