adversarial-analysis - SKILL.md Agent Skill

name: adversarial-analysis description: Analyze code to identify explicit contracts, implicit usage patterns, and realistic boundary conditions. Contains concrete formulas for calculating input realism limits. Use before generating adversarial tests. allowed-tools: Read, Grep, Glob

Adversarial Code Analysis

Purpose

Map the "Surface of Reality" for target code. Your goal is to distinguish:

Contract Violations (invalid inputs the caller shouldn't send) → NOT testable
Logic Bugs (valid inputs the code handles poorly) → TESTABLE

Analysis Checklist

1. Contract Extraction

Explicit Contracts:

Type hints (int, str, Optional[T], List[T])
assert statements and preconditions
Docstring Args, Raises, Returns sections
Validation code at function entry

Implicit Contracts:

Variable names implying limits (retry_count → small positive int, buffer_size → memory-reasonable)
Context from call sites (what values are actually passed?)
Domain knowledge (user IDs are positive, emails contain @)

External Constraints:

Database column limits (VARCHAR(255))
API rate limits and timeouts
Filesystem permissions and path length limits

2. Realism Baseline (The 3-Sigma Rule)

Use Grep to scan existing tests in tests/ and call sites in src/. Calculate boundaries:

String Inputs:

existing_lengths = [len(s) for each test string argument]
if len(existing_lengths) >= 5:
    Max_Realistic_Length = mean(existing_lengths) + 3 * std(existing_lengths)
elif len(existing_lengths) >= 1:
    Max_Realistic_Length = max(existing_lengths) * 2
else:
    Max_Realistic_Length = 256  # Zero-sample fallback

Numeric Inputs:

existing_values = [v for each numeric argument]
if len(existing_values) >= 5:
    Lower = mean(existing_values) - 3 * std(existing_values)
    Upper = mean(existing_values) + 3 * std(existing_values)
elif len(existing_values) >= 1:
    Lower = min(existing_values) - abs(min(existing_values))
    Upper = max(existing_values) + abs(max(existing_values))
else:
    Lower, Upper = -1000, 1000  # Zero-sample fallback

Special Boundaries (Always Valid):

0, -1, 1 for integers (if type allows)
Empty string "" (if not explicitly forbidden)
None only if type is Optional

Complex Objects:

Max nesting depth: 3 levels (unless recursive data structure)
Max fields: 20 (unless schema requires more)
Zero-sample fallback: depth 2, fields 10

3. Vulnerability Surface Identification

High-Risk Patterns:

Arithmetic: Division, modulo, floating-point accumulation, currency calculations
Boundaries: Loop limits, array indices, string slicing
State: Multi-step workflows, flag combinations, temporal dependencies
Resources: File handles, connections, locks (cleanup on error paths)
Parsing: User input, external data, format conversions

Output Format

For each target function, produce:

## Analysis: `function_name`

### Contracts
- Parameter X: Type, range [A, B], constraints
- Parameter Y: Type, must not be null/empty

### Realism Bounds (Calculated)
- String inputs: Max N characters (based on M samples, mean=P, std=Q)
- Numeric inputs: Range [X, Y]
- Objects: Max depth D, max fields F

### Realistic Edge Cases (TESTABLE)
1. [Specific input] - [Why it's realistic] - [What might break]
2. ...

### Excluded Scenarios (NOT TESTABLE - Contract Violations)
1. [Input] - [Why it violates contract]
2. ...

### Vulnerability Hypothesis
- Primary risk: [e.g., "off-by-one in loop boundary"]
- Secondary risk: [e.g., "floating point precision in total calculation"]