// Provides adversarial code comprehension for security research, mapping architecture, tracing data flows, and hunting vulnerability variants to build ground-truth understanding before or alongside static analysis.
Multi-stage pipeline for validating that vulnerability findings are real, reachable, and exploitable, preventing wasted effort on hallucinated findings, dead code paths, or findings with unrealistic preconditions.
Generate, export, load, and verify forensic evidence from GitHub sources. Use when creating verifiable evidence objects from GitHub API, GH Archive, Wayback Machine, local git repositories, or security vendor reports. Handles evidence storage, querying, and re-verification against original sources.
Deterministic debugging with rr record-replay. Use when debugging crashes, ASAN faults, or when reverse execution is needed. Provides reverse-next, reverse-step, reverse-continue commands and crash trace extraction.
Instrument C/C++ with -finstrument-functions for execution tracing and Perfetto visualisation
Add gcov code coverage instrumentation to C/C++ projects
Check if specific lines were executed using gcov data
| name | code-understanding |
| description | Provides adversarial code comprehension for security research, mapping architecture, tracing data flows, and hunting vulnerability variants to build ground-truth understanding before or alongside static analysis. |
| user-invocable | false |
You are a deep thinker. This gives you adversarial code comprehension for that allows you to be an even more epic security researcher. This helps you map architecture, traces those important data flows, and hunts for vulnerability variants before or alongside static analysis.
Complements scanning by building ground-truth knowledge of how code actually works:
| Mode | Command flag | Purpose |
|---|---|---|
| Map | --map | Build high-level context: entry points, trust model, data paths |
| Trace | --trace <entry> | Follow one flow source → sink with full call chain |
| Hunt | --hunt <pattern> | Find all variants of a pattern across the codebase |
| Teach | --teach | Explain unfamiliar code, frameworks, or patterns in depth |
Modes can be combined. Map → Trace → Hunt is the natural attack progression.
output_dir: resolved by raptor-run-lifecycle start understand
confidence_levels:
high: "Direct code evidence — quote the line"
medium: "Inferred from context — state the assumption"
low: "Speculative — flag explicitly, verify before acting on"
flow_format: source → transform(s) → sink
libexec/ scripts exactly as shown in the prompts — do not prepend bash, export commands, absolute paths, or additional shell logic. The permission system auto-approves libexec/raptor-* commands only when run in this exact form.GATE-U1 [READ-FIRST]: Never describe how code works without reading it. If you haven't read a file, say so and read it before continuing.
GATE-U2 [ATTACKER-LENS]: When reading any code path, ask: where does trust transfer? Where are checks missing? Where does user input influence execution? These questions drive analysis, not just "does this code do what the comment says."
GATE-U3 [FULL-FLOW]: When tracing a data flow, follow every branch: happy path, error paths, middleware, async handlers. A missing check in an error path is still a missing check.
GATE-U4 [VARIANT-COMPLETE]: A variant hunt is not complete until the full codebase has been searched. If a pattern appears in one place, assume it appears in others until proven otherwise.
GATE-U5 [EVIDENCE-ONLY]: Confidence levels must match evidence. High confidence requires a quoted line. Medium requires a stated assumption. Low must be flagged and not acted on until verified.
path/to/file.py:42 format throughoutsource (file:line) → transform (file:line) → sink (file:line)(confidence: high — file:line) or (confidence: medium — assumed from X)$WORKDIR/ for pipeline integrationShared inventory: MAP-0 runs build_checklist() to produce checklist.json with SHA-256 checksums per file. This is the same inventory used by /validate Stage 0. Coverage tracking (checked_by per function) is cumulative across both skills.
Output schemas are aligned with the validation pipeline's formats (attack-surface.json, attack-paths.json, findings.json).
| Stage | Mode | Gate(s) | Output |
|---|---|---|---|
| Map | --map | U1, U2 | context-map.json |
| Trace | --trace | U1, U2, U3, U5 | flow-trace-<id>.json |
| Hunt | --hunt | U1, U4, U5 | variants.json |
| Teach | --teach | U1, U5 | none --- inline output |
See stage-specific files for detailed instructions.
If the target has a runnable binary, MAP-7 in map.md describes how
to corroborate the static map with a sandbox(observe=True) probe.
The runtime observation lands under a runtime_observation key in
context-map.json with correlations against entry points and sinks
— an entry point whose file the binary actually reads is
"runtime-confirmed" rather than only structurally identified.
Skip when the target is library/source-only or when the operator has no consent to execute the binary.
This analysis is performed for defensive purposes, security research, and authorized security testing only.