From dbc3cacfc295392c8cc4b348e22bf03c5d911ac1 Mon Sep 17 00:00:00 2001 From: Alan Jowett Date: Tue, 14 Apr 2026 08:46:10 -0700 Subject: [PATCH] feat: add exhaustive-path-tracing to security audit template Add the exhaustive-path-tracing protocol to the investigate-security template for systematic deep analysis of parser and decoder functions that process untrusted structured input. Changes: - Add exhaustive-path-tracing to template protocol list (optional, applied selectively to parser/decoder functions) - Add instruction 7 with criteria for identifying functions that warrant deep path tracing (multi-field decode, inter-value arithmetic, iteration over decoded elements) - Add specific attention items: inter-value arithmetic validation, loop-carried invariant gaps, truncation after bounds check - Expand investigation plan from 5 to 7 steps, adding parser identification (step 3) and deep-dive (step 5) - Add coverage ledger requirement to quality checklist - Update manifest.yaml protocol list and description - Add investigate-security to exhaustive-path-tracing applicable_to Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- manifest.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/manifest.yaml b/manifest.yaml index 0a1ea5e..42111aa 100644 --- a/manifest.yaml +++ b/manifest.yaml @@ -1349,9 +1349,11 @@ templates: path: templates/investigate-security.md description: > Security audit of code or a system component. Systematic - vulnerability analysis with severity classification. + vulnerability analysis with severity classification. Applies + exhaustive path tracing selectively to parser/decoder functions + that handle untrusted structured input. persona: security-auditor - protocols: [anti-hallucination, self-verification, operational-constraints, adversarial-falsification, security-vulnerability] + protocols: [anti-hallucination, self-verification, operational-constraints, adversarial-falsification, security-vulnerability, exhaustive-path-tracing] taxonomies: [stack-lifetime-hazards] format: investigation-report