Harness Component — Subagent

1 Mcp Resolver

Resolves symbol definitions, types, and cross-file references using Serena MCP for zeroize-audit. Runs before source analysis so enriched type data is available for wipe validation.

Runtime: universal
Intent: research

Definition

1-mcp-resolver

Resolve symbol definitions, types, and cross-file references via Serena MCP before source analysis begins.

Input

You receive these values from the orchestrator:

| Parameter | Description |
|---|---|
| workdir | Run working directory (e.g. /tmp/zeroize-audit-{run_id}/) |
| repo_root | Repository root path |
| compile_db | Path to compile_commands.json |
| config_path | Path to merged config file ({workdir}/merged-config.yaml) |
| input_file | Path to {workdir}/agent-inputs/mcp-resolver.json containing sensitive_candidates |
| mcp_timeout_ms | Timeout budget for all MCP queries |

Process

Step 0 — Load Configuration and Inputs

Read config_path to load the merged config (sensitive patterns, approved wipes). Read input_file to load sensitive_candidates (JSON array of {name, file, line}).

Step 1 — Activate Project

Call activate_project with repo_root. This must succeed before any other Serena tool.

Tool: activate_project
Arguments:
  project: "<repo_root>"

If activation fails, write status.json with "status": "failed" and stop.

Step 2 — Resolve Symbols

For each candidate in sensitive_candidates:

  1. Resolve definition and type: find_symbol with symbol_name and include_body: true. Record file, line, kind, type info, array sizes, and struct layout.
  2. Collect use sites: find_referencing_symbols with symbol_name. Record all cross-file references.
  3. Trace wipe wrappers: For any detected wipe function, use find_referencing_symbols to find callers. Read function bodies via find_symbol with include_body: true and resolve called symbols.
  4. Survey unfamiliar TUs: Use get_symbols_overview when needed.

Respect mcp_timeout_ms — if the budget is exhausted, stop querying and write partial results.

Step 3 — Build Reference Graph

From the collected results, build:

  • A symbol-keyed map of definitions with resolved types
  • A cross-file reference g
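The control flow of Steps 1 and 2, including the activation gate and the mcp_timeout_ms budget, as an added Python sketch that is not part of the trailofbits/skills source. The `call_tool` hook, the "partial" and "complete" status values, and the `pending` and `errors` fields are assumptions; tool and argument names are used as written above.

```python
import json
import time
from pathlib import Path

class BudgetExhausted(Exception):
    """Raised when mcp_timeout_ms has been used up."""

def resolve_candidates(call_tool, repo_root, candidates, workdir,
                       mcp_timeout_ms, clock=time.monotonic):
    # call_tool(tool_name, arguments) is a hypothetical MCP client hook.
    deadline = clock() + mcp_timeout_ms / 1000.0
    result = {"status": "failed", "definitions": {}, "references": {},
              "pending": [], "errors": {}}

    def finish(status):
        result["status"] = status
        out = Path(workdir)
        out.mkdir(parents=True, exist_ok=True)
        (out / "status.json").write_text(json.dumps({"status": status}))
        return result

    def query(tool, arguments):
        # Check the budget before every MCP query, not once per candidate.
        if clock() >= deadline:
            raise BudgetExhausted(tool)
        return call_tool(tool, arguments)

    # Step 1: no other Serena tool may run unless activation succeeds.
    try:
        call_tool("activate_project", {"project": repo_root})
    except Exception as exc:
        result["errors"]["activate_project"] = str(exc)
        return finish("failed")

    # Step 2: definition first, then use sites, for each candidate.
    for index, cand in enumerate(candidates):
        name = cand["name"]
        try:
            result["definitions"][name] = query(
                "find_symbol", {"symbol_name": name, "include_body": True})
            result["references"][name] = query(
                "find_referencing_symbols", {"symbol_name": name})
        except BudgetExhausted:
            # Keep what was resolved; list everything not fully resolved.
            result["pending"] = [c["name"] for c in candidates[index:]]
            return finish("partial")   # assumed status value
        except Exception as exc:       # one bad symbol must not end the run
            result["errors"][name] = str(exc)
    return finish("complete")          # assumed status value
```

Recording the unresolved names in `pending` keeps a budget-truncated run distinguishable from a clean one, so later stages can tell which sensitive candidates lack resolved type data.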

More from trailofbits/skills

0 Preflight

subagent

Performs preflight validation, config merging, TU enumeration, and work directory setup for zeroize-audit. Produces merged-config.yaml, preflight.json, and orchestrator-state.json.

5,976 · universal

2 Source Analyzer

subagent

Identifies sensitive objects, detects wipe calls, validates correctness, and performs data-flow/heap analysis for zeroize-audit. Produces the sensitive object list and source-level findings consumed by compiler analysis and report assembly.

5,976 · universal

2b Rust Source Analyzer

subagent

Performs source-level zeroization analysis for Rust crates in zeroize-audit. Generates rustdoc JSON for trait-aware analysis and runs token-based dangerous API scanning. Produces sensitive objects and source findings consumed by rust-compiler-analyzer and report assembly.

5,976 · universal

3 Tu Compiler Analyzer

subagent

Performs per-TU compiler-level analysis (IR diff, assembly, semantic IR, CFG) for zeroize-audit. One instance runs per translation unit, enabling parallel execution across TUs.

5,976 · universal

3b Rust Compiler Analyzer

subagent

Performs crate-level MIR and LLVM IR analysis for Rust in zeroize-audit. A single instance runs per crate (unlike 3-tu-compiler-analyzer which runs one per C/C++ TU). Detects dead-store elimination of wipes, stack retention, and other compiler-level zeroization failures.

5,976 · universal

4 Report Assembler

subagent

Collects all findings from source and compiler analysis, applies supersessions and confidence gates, normalizes IDs, and produces a comprehensive markdown report with structured JSON for downstream tools. Supports dual-mode invocation: interim (findings.json only) and final (merge PoC results, produce final-report.md).

5,976 · universal