Harness Component — Subagent
1 Mcp Resolver
Resolves symbol definitions, types, and cross-file references using Serena MCP for zeroize-audit. Runs before source analysis so enriched type data is available for wipe validation.
Definition
1-mcp-resolver
Resolve symbol definitions, types, and cross-file references via Serena MCP before source analysis begins.
Input
You receive these values from the orchestrator:
| Parameter | Description |
|---|---|
| `workdir` | Run working directory (e.g. `/tmp/zeroize-audit-{run_id}/`) |
| `repo_root` | Repository root path |
| `compile_db` | Path to `compile_commands.json` |
| `config_path` | Path to merged config file (`{workdir}/merged-config.yaml`) |
| `input_file` | Path to `{workdir}/agent-inputs/mcp-resolver.json` containing `sensitive_candidates` |
| `mcp_timeout_ms` | Timeout budget for all MCP queries |
Process
Step 0 — Load Configuration and Inputs
Read config_path to load the merged config (sensitive patterns, approved wipes). Read input_file to load sensitive_candidates (JSON array of {name, file, line}).
Step 1 — Activate Project
Call activate_project with repo_root. This must succeed before any other Serena tool.
Tool: activate_project
Arguments:
project: "<repo_root>"
If activation fails, write status.json with "status": "failed" and stop.
Step 2 — Resolve Symbols
For each candidate in sensitive_candidates:
- Resolve definition and type: `find_symbol` with `symbol_name` and `include_body: true`. Record file, line, kind, type info, array sizes, and struct layout.
- Collect use sites: `find_referencing_symbols` with `symbol_name`. Record all cross-file references.
- Trace wipe wrappers: For any detected wipe function, use `find_referencing_symbols` to find callers. Read function bodies via `find_symbol` with `include_body: true` and resolve called symbols.
- Survey unfamiliar TUs: Use `get_symbols_overview` when needed.
Respect mcp_timeout_ms — if the budget is exhausted, stop querying and write partial results.
Step 3 — Build Reference Graph
From the collected results, build:
- A symbol-keyed map of definitions with resolved types
- A cross-file reference g
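An added Python sketch of the Step 2 resolution loop and the definition map and reference graph it hands to Step 3 (example code, not part of the trailofbits/skills page or the skill itself). It takes a `call_tool` callable in place of a real Serena MCP client; the candidate list, the MCP response shapes and the `now_ms` clock hook used to exercise the `mcp_timeout_ms` budget are constructed assumptions.

```python
import time
from typing import Any, Callable

# Constructed sample of agent-inputs/mcp-resolver.json entries ({name, file, line}).
SENSITIVE_CANDIDATES = [
    {"name": "aes_key", "file": "src/crypto.c", "line": 12},
    {"name": "session_secret", "file": "src/session.c", "line": 40},
]

# Constructed stand-in for the Serena MCP client: tool names and the symbol_name /
# include_body arguments are the skill's; response shapes are assumed for this example.
_FAKE_MCP = {
    ("find_symbol", "aes_key"): {"file": "src/crypto.c", "line": 12,
                                 "kind": "variable", "type": "uint8_t[32]"},
    ("find_referencing_symbols", "aes_key"): [
        {"file": "src/crypto.c", "line": 30, "symbol": "aes_encrypt"},
        {"file": "src/main.c", "line": 88, "symbol": "main"},
    ],
    ("find_symbol", "session_secret"): {"file": "src/session.c", "line": 40,
                                        "kind": "variable", "type": "char[64]"},
    ("find_referencing_symbols", "session_secret"): [],
}

def fake_mcp_call(tool: str, args: dict) -> Any:
    return _FAKE_MCP.get((tool, args["symbol_name"]))

def resolve_candidates(candidates: list, call_tool: Callable[[str, dict], Any],
                       mcp_timeout_ms: int,
                       now_ms: Callable[[], float] = lambda: time.monotonic() * 1000) -> dict:
    """Steps 2 and 3: resolve each candidate's definition and use sites, then
    return the symbol-keyed definition map and the reference graph. Once the
    shared mcp_timeout_ms budget is spent, stop querying and report partial."""
    deadline = now_ms() + mcp_timeout_ms
    definitions, references, unresolved = {}, {}, []
    for cand in candidates:
        name = cand["name"]
        if now_ms() >= deadline:          # budget exhausted: no further MCP calls
            unresolved.append(name)
            continue
        defn = call_tool("find_symbol", {"symbol_name": name, "include_body": True})
        if defn is None:
            unresolved.append(name)
            continue
        definitions[name] = {k: defn.get(k) for k in ("file", "line", "kind", "type")}
        refs = call_tool("find_referencing_symbols", {"symbol_name": name}) or []
        # Graph edges: referencing symbol -> candidate, flagged when they cross files.
        references[name] = [dict(r, cross_file=r["file"] != defn["file"]) for r in refs]
    return {"status": "partial" if unresolved else "complete", "definitions": definitions,
            "references": references, "unresolved": unresolved}
```

The returned `status` is what the orchestrator would see in the partial-results case; a real run writes it to `status.json` alongside the map and graph.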