feat: add exhaustive-path-tracing to security audit template

Alan-Jowett · Copilot · Alan-Jowett · commit b2c3b1a76614 · 2026-04-14T08:46:10.000-07:00
Add the exhaustive-path-tracing protocol to the investigate-security
template for systematic deep analysis of parser and decoder functions
that process untrusted structured input.

Changes:
- Add exhaustive-path-tracing to template protocol list (optional,
  applied selectively to parser/decoder functions)
- Add instruction 7 with criteria for identifying functions that
  warrant deep path tracing (multi-field decode, inter-value
  arithmetic, iteration over decoded elements)
- Add specific attention items: inter-value arithmetic validation,
  loop-carried invariant gaps, truncation after bounds check
- Expand investigation plan from 5 to 7 steps, adding parser
  identification (step 3) and deep-dive (step 5)
- Add coverage ledger requirement to quality checklist
- Update manifest.yaml protocol list and description
- Add investigate-security to exhaustive-path-tracing applicable_to

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/manifest.yaml b/manifest.yaml
@@ -1349,9 +1349,11 @@ templates:
       path: templates/investigate-security.md
       description: >
         Security audit of code or a system component. Systematic
-        vulnerability analysis with severity classification.
+        vulnerability analysis with severity classification. Applies
+        exhaustive path tracing selectively to parser/decoder functions
+        that handle untrusted structured input.
       persona: security-auditor
-      protocols: [anti-hallucination, self-verification, operational-constraints, security-vulnerability]
+      protocols: [anti-hallucination, self-verification, operational-constraints, adversarial-falsification, security-vulnerability, exhaustive-path-tracing]
       taxonomies: [stack-lifetime-hazards]
       format: investigation-report
 
diff --git a/protocols/reasoning/exhaustive-path-tracing.md b/protocols/reasoning/exhaustive-path-tracing.md
@@ -11,6 +11,7 @@ description: >
 applicable_to:
   - review-code
   - investigate-bug
+  - investigate-security
   - exhaustive-bug-hunt
 ---
 
diff --git a/templates/investigate-security.md b/templates/investigate-security.md
@@ -12,7 +12,9 @@ protocols:
   - guardrails/anti-hallucination
   - guardrails/self-verification
   - guardrails/operational-constraints
+  - guardrails/adversarial-falsification
   - analysis/security-vulnerability
+  - reasoning/exhaustive-path-tracing  # optional — apply selectively to parser/decoder functions
 taxonomies:
   - stack-lifetime-hazards
 format: investigation-report
@@ -88,6 +90,42 @@ code or system component.
    - Prefer deterministic methods (targeted search, structured enumeration)
    - Document your search strategy for reproducibility
 
+7. **Apply the exhaustive-path-tracing protocol selectively** to
+   **parser and decoder functions** that process untrusted structured input.
+   This protocol is not applied to every function — only to functions
+   identified during Phase 2 (attack surface enumeration) that meet
+   ALL of the following criteria:
+
+   - The function **decodes multiple fields** from a wire format, file
+     format, or serialized structure controlled by an untrusted source
+   - The function **performs arithmetic** (subtraction, addition,
+     multiplication, shift) on two or more decoded values, or between
+     a decoded value and a running accumulator
+   - The function contains **loops** that iterate over a variable number
+     of decoded elements, where each iteration updates shared state
+     (offsets, remaining lengths, accumulators)
+
+   For each such function, apply the full exhaustive-path-tracing
+   protocol with particular attention to:
+
+   - **Inter-value arithmetic validation**: After decoding a new field
+     value, verify that every subsequent arithmetic operation using that
+     value against a running accumulator (e.g., `Largest -= Count`) is
+     guarded against underflow or overflow — not just at the decode site,
+     but at every use site within the function, including the *current*
+     loop iteration (not just the next iteration's entry check).
+   - **Loop-carried invariant gaps**: When a loop body decodes a fresh
+     value and uses it immediately, but the bounds check for that value
+     only runs at the *next* iteration's entry, the current iteration's
+     use is unguarded. Explicitly verify that each decoded value is
+     validated before its first arithmetic use within the same iteration.
+   - **Truncation after bounds check**: When a decoded uint64_t value
+     passes a bounds check against a uint16_t buffer length and is then
+     cast to uint16_t, the cast is safe. But when a decoded value is
+     used in arithmetic *without* a prior bounds check against the
+     current accumulator, the arithmetic may underflow even though the
+     decode itself succeeded.
+
 ## Non-Goals
 
 Explicitly define what is OUT OF SCOPE for this security audit.
@@ -110,10 +148,19 @@ Before beginning analysis, produce a concrete step-by-step plan:
    data enters the system.
 2. **Enumerate attack surface**: List every input handling path,
    authentication point, and privilege transition.
-3. **Classify**: Apply the security-vulnerability protocol systematically
+3. **Identify parser/decoder functions for deep analysis**: From the
+   attack surface enumeration, identify functions that decode multiple
+   fields from untrusted structured input and perform inter-value
+   arithmetic (see instruction 7). List these functions explicitly —
+   they will receive exhaustive path tracing.
+4. **Classify**: Apply the security-vulnerability protocol systematically
    to each attack surface element.
-4. **Rank**: Order findings by exploitability and impact.
-5. **Report**: Produce the output according to the specified format.
+5. **Deep-dive**: Apply the exhaustive-path-tracing protocol to each
+   function identified in step 3. For each, trace every arithmetic
+   operation on decoded values through every loop iteration and
+   verify underflow/overflow guards exist at every use site.
+6. **Rank**: Order findings by exploitability and impact.
+7. **Report**: Produce the output according to the specified format.
 
 ## Quality Checklist
 
@@ -127,3 +174,6 @@ Before finalizing, verify:
 - [ ] At least 3 findings have been re-verified against the source
 - [ ] Coverage statement documents what was and was not examined
 - [ ] No fabricated vulnerabilities — unknowns marked with [UNKNOWN]
+- [ ] All parser/decoder functions identified in step 3 have coverage
+      ledgers from exhaustive-path-tracing (or explicit justification
+      for skipping)
