audit-context-building
Enables ultra-granular, line-by-line code analysis to build deep architectural context before vulnerability or bug finding.
| name | audit-context-building |
| description | Enables ultra-granular, line-by-line code analysis to build deep architectural context before vulnerability or bug finding. |
This skill governs how Claude thinks during the context-building phase of an audit.
When active, Claude will:
This skill defines a structured analysis format (see Example: Function Micro-Analysis below) and runs before the vulnerability-hunting phase.
Use when:
Do not use for:
When active, Claude will:
Goal: deep, accurate understanding, not conclusions.
| Rationalization | Why It's Wrong | Required Action |
|---|---|---|
| "I get the gist" | Gist-level understanding misses edge cases | Line-by-line analysis required |
| "This function is simple" | Simple functions compose into complex bugs | Apply 5 Whys anyway |
| "I'll remember this invariant" | You won't. Context degrades. | Write it down explicitly |
| "External call is probably fine" | External = adversarial until proven otherwise | Jump into the callee's code, or model it as hostile |
| "I can skip this helper" | Helpers contain assumptions that propagate | Trace the full call chain |
| "This is taking too long" | Rushed context = hallucinated vulnerabilities later | Slow is fast |
Before deep analysis, Claude performs a minimal mapping:
This establishes anchors for detailed analysis.
Every non-trivial function receives full micro analysis.
For each function:
Purpose
Inputs & Assumptions
Outputs & Effects
Block-by-Block / Line-by-Line Analysis. For each logical block:
Apply per-block:
(Full Integration of Jump-Into-External-Code Rule)
When encountering calls, continue the same micro-first analysis across boundaries.
Case A — External Call to a Contract Whose Code Exists in the Codebase. Treat as an internal call:
Case B — External Call Without Available Code (True External / Black Box). Analyze as adversarial:
Treat the entire call chain as one continuous execution flow. Never reset context. All invariants, assumptions, and data dependencies must propagate across calls.
See FUNCTION_MICRO_ANALYSIS_EXAMPLE.md for a complete walkthrough demonstrating:
This example demonstrates the level of depth and structure required for all analyzed functions.
When performing ultra-granular analysis, Claude MUST structure output following the format defined in OUTPUT_REQUIREMENTS.md.
Key requirements:
Quality thresholds:
Before concluding micro-analysis of a function, verify against the COMPLETENESS_CHECKLIST.md:
Analysis is complete when all checklist items are satisfied and no unresolved "unclear" items remain.
After sufficient micro-analysis:
State & Invariant Reconstruction
Workflow Reconstruction
Trust Boundary Mapping
Complexity & Fragility Clustering
These clusters help guide the vulnerability-hunting phase.
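The cross-function flow rule (Case A versus Case B, one continuous flow, no context reset) and the synthesis steps above are mechanical enough to script. The following is an added example, not part of this skill or its reference files: it maps a small constructed codebase (the `Vault`, `Token` and `IRecipient` names are invented), follows each call from an entry point as one continuous flow, tags every callee Case A when its code is in the map and Case B when it is not, carries the accumulated assumptions into every callee without resetting, and emits the per-entry-point summary (chain depth, black-box boundaries crossed, facts in force at the end) that trust boundary mapping and fragility clustering start from. The `// @assume` comments and the `RECEIVER_TYPES` binding are stand-ins for what the auditor records; a real pass would read the contracts' state declarations and the analysis notes instead.

```python
"""Added example: map a constructed codebase, trace each call chain as one
continuous flow, and tag callees Case A (code present) or Case B (black box)."""
import re
from dataclasses import dataclass

# Constructed Solidity-like sources (invented names, not a real project).
# `// @assume` comments stand in for the assumptions recorded per function.
SOURCES = {
    "Vault": """
        function deposit(uint256 amount) external {
            // @assume msg.sender is untrusted
            _pullFunds(msg.sender, amount);
            balances[msg.sender] += amount;
        }
        function withdraw(uint256 amount) external {
            // @assume balances[msg.sender] was credited only by deposit
            require(balances[msg.sender] >= amount, "insufficient");
            balances[msg.sender] -= amount;
            IRecipient(msg.sender).onWithdraw(amount);
        }
        function _pullFunds(address from, uint256 amount) internal {
            // @assume token is the configured ERC20
            token.transferFrom(from, address(this), amount);
        }
    """,
    "Token": """
        function transferFrom(address from, address to, uint256 amount) external returns (bool) {
            // @assume allowance was set by `from`
            allowance[from][msg.sender] -= amount;
            balanceOf[to] += amount;
            return true;
        }
    """,
}
RECEIVER_TYPES = {"token": "Token"}  # declared types of state vars used as receivers (constructed)

FUNC_RE = re.compile(r"function\s+(\w+)\s*\(")
# alt 1: `recv.callee(` where recv may be a cast like `IRecipient(x)`; alt 2: bare `callee(`
CALL_RE = re.compile(r"(\w+(?:\([^()]*\))?)\.(\w+)\s*\(|(?<![\w.])(\w+)\s*\(")
ASSUME_RE = re.compile(r"//\s*@assume\s+(.+)")
NOT_CALLS = {"require", "revert", "assert", "address", "returns", "payable"}


@dataclass
class Fn:
    contract: str
    name: str
    assumptions: list  # text of the @assume comments in the body
    calls: list        # (receiver contract or None if unresolved, callee name)


def split_functions(src):
    """Yield (name, body) for every function, matching braces to find the body."""
    for m in FUNC_RE.finditer(src):
        start = src.index("{", m.end())
        depth, i = 0, start
        while True:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            if depth == 0:
                break
            i += 1
        yield m.group(1), src[start + 1:i]


def build_map(sources, receiver_types):
    """Minimal mapping: every function, its recorded assumptions, its outgoing calls."""
    fns = {}
    for contract, src in sources.items():
        for name, body in split_functions(src):
            calls = []
            for m in CALL_RE.finditer(body):
                if m.group(3):                                 # bare call: same contract
                    if m.group(3) not in NOT_CALLS:
                        calls.append((contract, m.group(3)))
                else:
                    recv, callee = m.group(1), m.group(2)
                    cast = re.match(r"(\w+)\(", recv)          # `IFoo(addr).bar(` -> IFoo
                    calls.append((cast.group(1) if cast else receiver_types.get(recv), callee))
            fns[(contract, name)] = Fn(contract, name, [a.strip() for a in ASSUME_RE.findall(body)], calls)
    return fns


def trace(fns, contract, name, depth=0, context=(), seen=frozenset()):
    """One continuous execution flow. Returns [(depth, 'Contract.fn', case, context)];
    `context` only grows: assumptions made upstream stay in force in every callee."""
    key, context = (contract, name), list(context)
    if key not in fns:                                         # Case B: no code available
        context.append(f"{contract or '?'}.{name} is a black box: may reenter, revert, or lie")
        return [(depth, f"{contract or '?'}.{name}", "B", context)]
    fn = fns[key]
    context += [f"{contract}.{name}: {a}" for a in fn.assumptions]
    steps = [(depth, f"{contract}.{name}", "entry" if depth == 0 else "A", context)]
    if key in seen:                                            # cycle: already in this flow
        return steps
    for rtype, callee in fn.calls:                             # Case A: keep descending
        steps += trace(fns, rtype, callee, depth + 1, context, seen | {key})
    return steps


def summarize(fns, entry):
    """Per entry point: chain depth, trust boundaries crossed, facts in force at the end."""
    steps = trace(fns, *entry)
    return {"depth": max(s[0] for s in steps),
            "black_box": [s[1] for s in steps if s[2] == "B"],
            "facts_at_end": len(steps[-1][3])}


if __name__ == "__main__":
    fns = build_map(SOURCES, RECEIVER_TYPES)
    for entry in [("Vault", "deposit"), ("Vault", "withdraw")]:
        for depth, where, case, ctx in trace(fns, *entry):
            print("  " * depth + f"{where} [{case}]  facts in force: {len(ctx)}")
        print(summarize(fns, entry))
```

Running it prints each chain indented by depth. `deposit` descends two Case A levels into `Token.transferFrom` with three facts in force; `withdraw` ends at a Case B step whose context still holds the assumption made in `withdraw` plus the hostile-callee fact. That carried-over context is what the hunting phase needs when it asks what the callee can do with the state it is handed at the boundary.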
(Anti-Hallucination, Anti-Contradiction)
Claude must:
Never reshape evidence to fit earlier assumptions. When contradicted:
Periodically anchor key facts. Summarize core:
Avoid vague guesses. Use:
Cross-reference constantly. Connect new insights to previous state, flows, and invariants to maintain global coherence.
Claude may spawn subagents for:
Use the function-analyzer agent for per-function deep analysis. It follows the full microstructure checklist, cross-function flow rules, and quality thresholds defined in this skill, and enforces the pure-context-building constraint.
Subagents must:
This skill runs before:
It exists solely to build:
While active, Claude should NOT:
This is pure context building only.