axiom-security

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Security & Credentials

安全与凭据

You MUST use this skill for ANY keychain, encryption, passkey, app integrity, file protection, or code signing work.

任何涉及Keychain、加密、Passkey、应用完整性、文件保护或代码签名的工作，都必须使用本技能。

Quick Reference

快速参考

Symptom / Task	Reference
Store tokens, passwords, API keys securely	See `skills/keychain.md`
Choose kSecAttrAccessible level, biometric protection	See `skills/keychain.md`
SecItem function signatures, attribute constants	See `skills/keychain-ref.md`
errSecDuplicateItem, errSecItemNotFound, errSecInteractionNotAllowed	See `skills/keychain-diag.md`
Encrypt data, sign payloads, key management	See `skills/cryptokit.md`
Hash functions, HMAC, AES-GCM, ChaChaPoly, ECDSA, EdDSA, key agreement	See `skills/cryptokit-ref.md`
Passkey sign-in, WebAuthn, ASAuthorizationController	See `skills/passkeys.md`
App integrity verification, DCAppAttestService	See `skills/app-attest.md`
NSFileProtection levels, data protection at rest	See `skills/file-protection-ref.md`
Certificate management, provisioning profiles, CI/CD signing	See `skills/code-signing.md`
Certificate not found, profile mismatch, entitlement errors	See `skills/code-signing-diag.md`
Certificate CLI, profile inspection, entitlement extraction	See `skills/code-signing-ref.md`

症状/任务	参考文档
安全存储令牌、密码、API密钥	查看 `skills/keychain.md`
选择kSecAttrAccessible级别、生物识别保护	查看 `skills/keychain.md`
SecItem函数签名、属性常量	查看 `skills/keychain-ref.md`
errSecDuplicateItem、errSecItemNotFound、errSecInteractionNotAllowed	查看 `skills/keychain-diag.md`
加密数据、签名负载、密钥管理	查看 `skills/cryptokit.md`
哈希函数、HMAC、AES-GCM、ChaChaPoly、ECDSA、EdDSA、密钥协商	查看 `skills/cryptokit-ref.md`
Passkey登录、WebAuthn、ASAuthorizationController	查看 `skills/passkeys.md`
应用完整性验证、DCAppAttestService	查看 `skills/app-attest.md`
NSFileProtection级别、静态数据保护	查看 `skills/file-protection-ref.md`
证书管理、配置文件、CI/CD签名	查看 `skills/code-signing.md`
证书未找到、配置文件不匹配、权限错误	查看 `skills/code-signing-diag.md`
证书CLI、配置文件检查、权限提取	查看 `skills/code-signing-ref.md`

Decision Tree

决策树

dot

digraph security {
    start [label="Security task" shape=ellipse];
    what [label="What do you need?" shape=diamond];

    start -> what;
    what -> "skills/keychain.md" [label="store/retrieve\ncredentials, tokens,\nsecrets"];
    what -> "skills/keychain-ref.md" [label="SecItem API syntax,\nattribute constants,\naccess levels"];
    what -> "skills/keychain-diag.md" [label="keychain errors\n(errSec codes)"];
    what -> "skills/cryptokit.md" [label="encrypt data,\nsign payloads,\nSecure Enclave keys"];
    what -> "skills/cryptokit-ref.md" [label="CryptoKit API\n(AES, ECDSA, HPKE,\npost-quantum)"];
    what -> "skills/passkeys.md" [label="passkey sign-in,\nreplace passwords"];
    what -> "skills/app-attest.md" [label="app integrity,\nfraud prevention"];
    what -> "skills/file-protection-ref.md" [label="file encryption,\nNSFileProtection"];
    what -> "skills/code-signing.md" [label="set up signing,\nprofiles, CI/CD"];
    what -> "skills/code-signing-diag.md" [label="signing errors,\nupload rejections"];
    what -> "skills/code-signing-ref.md" [label="CLI commands,\nprofile inspection"];
}

Store tokens, passwords, API keys securely? →
```
skills/keychain.md
```
1a. Need SecItem function signatures, attribute constants? →
```
skills/keychain-ref.md
```
1b. Keychain errors (errSecDuplicateItem, errSecItemNotFound)? →
```
skills/keychain-diag.md
```
Encrypt data, sign payloads, manage keys? →
```
skills/cryptokit.md
```
2a. Need CryptoKit API details (AES-GCM, ECDSA, HPKE, post-quantum)? →
```
skills/cryptokit-ref.md
```
Implement passkey sign-in, replace passwords? →
```
skills/passkeys.md
```
Verify app integrity, prevent fraud? →
```
skills/app-attest.md
```
File encryption at rest, NSFileProtection levels? →
```
skills/file-protection-ref.md
```
Set up code signing, manage certificates, CI/CD? →
```
skills/code-signing.md
```
6a. Code signing error troubleshooting? →
```
skills/code-signing-diag.md
```
6b. Certificate CLI commands, profile inspection? →
```
skills/code-signing-ref.md
```
Build/upload failures after signing? → See axiom-build
App Store submission prep? →
```
/skill axiom-shipping
```
Privacy manifests, tracking transparency? → See axiom-integration
Data persistence (SwiftData, Core Data, storage strategy)? →
```
/skill axiom-data
```
TLS configuration, certificate pinning for network requests? →
```
/skill axiom-networking
```
Want automated security scan? → security-privacy-scanner (Agent)

dot

digraph security {
    start [label="Security task" shape=ellipse];
    what [label="What do you need?" shape=diamond];

    start -> what;
    what -> "skills/keychain.md" [label="store/retrieve\ncredentials, tokens,\nsecrets"];
    what -> "skills/keychain-ref.md" [label="SecItem API syntax,\nattribute constants,\naccess levels"];
    what -> "skills/keychain-diag.md" [label="keychain errors\n(errSec codes)"];
    what -> "skills/cryptokit.md" [label="encrypt data,\nsign payloads,\nSecure Enclave keys"];
    what -> "skills/cryptokit-ref.md" [label="CryptoKit API\n(AES, ECDSA, HPKE,\npost-quantum)"];
    what -> "skills/passkeys.md" [label="passkey sign-in,\nreplace passwords"];
    what -> "skills/app-attest.md" [label="app integrity,\nfraud prevention"];
    what -> "skills/file-protection-ref.md" [label="file encryption,\nNSFileProtection"];
    what -> "skills/code-signing.md" [label="set up signing,\nprofiles, CI/CD"];
    what -> "skills/code-signing-diag.md" [label="signing errors,\nupload rejections"];
    what -> "skills/code-signing-ref.md" [label="CLI commands,\nprofile inspection"];
}

需要安全存储令牌、密码、API密钥？→
```
skills/keychain.md
```
1a. 需要SecItem函数签名、属性常量？→
```
skills/keychain-ref.md
```
1b. 遇到Keychain错误（errSecDuplicateItem、errSecItemNotFound）？→
```
skills/keychain-diag.md
```
需要加密数据、签名负载、管理密钥？→
```
skills/cryptokit.md
```
2a. 需要CryptoKit API详情（AES-GCM、ECDSA、HPKE、后量子算法）？→
```
skills/cryptokit-ref.md
```
需要实现Passkey登录、替代密码？→
```
skills/passkeys.md
```
需要验证应用完整性、防范欺诈？→
```
skills/app-attest.md
```
需要静态文件加密、NSFileProtection级别设置？→
```
skills/file-protection-ref.md
```
需要设置代码签名、管理证书、CI/CD配置？→
```
skills/code-signing.md
```
6a. 需要排查代码签名错误？→
```
skills/code-signing-diag.md
```
6b. 需要证书CLI命令、配置文件检查？→
```
skills/code-signing-ref.md
```
签名后构建/上传失败？→ 查看axiom-build
App Store提交准备？→
```
/skill axiom-shipping
```
隐私清单、追踪透明度？→ 查看axiom-integration
数据持久化（SwiftData、Core Data、存储策略）？→
```
/skill axiom-data
```
TLS配置、网络请求证书固定？→
```
/skill axiom-networking
```
需要自动安全扫描？→ security-privacy-scanner (Agent)

Conflict Resolution

冲突解决

security vs axiom-build: When build fails with signing errors:

Code signing errors (certificate, profile, entitlement) → use security
Environment issues (Xcode version, simulator, Derived Data) → use axiom-build
If unsure, check the error message:
```
CODESIGN
```
,
```
ITMS-90xxx
```
,
```
errSec
```
→ security

security vs shipping: When preparing for App Store:

Privacy manifests, submission checklists, rejections → use shipping
Code signing for distribution, certificate management → use security

security vs axiom-data: When storing sensitive data:

Tokens, passwords, API keys → use security (keychain)
User preferences, non-sensitive settings → use axiom-data (UserDefaults/SwiftData)
File encryption levels for database files → use security (file-protection-ref)

security vs axiom-networking: When securing network communication:

TLS configuration, certificate pinning → use axiom-networking
Signing API requests, encrypting payloads → use security (CryptoKit)

security vs axiom-build：当构建因签名错误失败时：

代码签名错误（证书、配置文件、权限问题）→ 使用security
环境问题（Xcode版本、模拟器、Derived Data）→ 使用axiom-build
若不确定，查看错误信息：
```
CODESIGN
```
、
```
ITMS-90xxx
```
、
```
errSec
```
→ security

security vs shipping：当准备App Store提交时：

隐私清单、提交检查清单、驳回问题 → 使用shipping
分发代码签名、证书管理 → 使用security

security vs axiom-data：当存储敏感数据时：

令牌、密码、API密钥 → 使用security（Keychain）
用户偏好、非敏感设置 → 使用axiom-data（UserDefaults/SwiftData）
数据库文件的加密级别设置 → 使用security（file-protection-ref）

security vs axiom-networking：当保障网络通信安全时：

TLS配置、证书固定 → 使用axiom-networking
API请求签名、负载加密 → 使用security（CryptoKit）

Critical Patterns

核心模式

Keychain (

skills/keychain.md

SecItem mental model: uniqueness constraints, data protection classes
Biometric access control (Face ID / Touch ID)
Keychain sharing between app and extensions
Background access pitfalls, Mac keychain differences
Migration from UserDefaults/@AppStorage for sensitive data

Keychain API (

skills/keychain-ref.md

SecItemAdd/CopyMatching/Update/Delete signatures
Item class attributes, uniqueness constraint rules
kSecAttrAccessible levels and when each applies
Access control flags, biometric integration
Complete error code reference

Keychain Diagnostics (

skills/keychain-diag.md

errSecDuplicateItem from unexpected uniqueness constraints
errSecItemNotFound despite item existing (query mismatch)
errSecInteractionNotAllowed in background contexts
Access group and entitlement mismatches
Items disappearing after app updates

CryptoKit (

skills/cryptokit.md

AES-GCM and ChaChaPoly authenticated encryption
ECDSA/EdDSA digital signatures
Secure Enclave hardware-backed keys
Key agreement (ECDH) for end-to-end encryption
HPKE for modern asymmetric encryption
Post-quantum algorithms (ML-KEM, ML-DSA)
CommonCrypto migration path

CryptoKit API (

skills/cryptokit-ref.md

Hash functions (SHA-256/384/512, SHA-3), HMAC
Symmetric encryption (AES-GCM, ChaChaPoly)
Asymmetric signing (P256, P384, P521, Curve25519, Ed25519)
Key agreement, key derivation (HKDF)
Secure Enclave key creation and usage
Swift Crypto cross-platform parity

Passkeys (

skills/passkeys.md

ASAuthorizationController registration and assertion flows
AutoFill-assisted requests (QuickType bar integration)
Automatic passkey upgrades for existing users (iOS 18+)
Combined credential requests (passkey + password + Sign in with Apple)
Associated domains configuration for WebAuthn

App Attest (

skills/app-attest.md

DCAppAttestService attestation and assertion flows
Server-side validation of attestation objects
DeviceCheck 2-bit per-device state
Gradual rollout strategies for large install bases
Handling unsupported devices gracefully

File Protection (

skills/file-protection-ref.md

NSFileProtection levels (complete, completeUnlessOpen, afterFirstUnlock, none)
Hardware-accelerated encryption tied to device passcode
Background file access requirements
Keychain vs file protection comparison

Code Signing (

skills/code-signing.md

Automatic vs manual signing tradeoffs
Certificate and profile management across teams
fastlane match for team-wide certificate sharing
CI/CD signing setup (GitHub Actions, Xcode Cloud)
Distribution build preparation (App Store, TestFlight, Ad Hoc)

Code Signing Diagnostics (

skills/code-signing-diag.md

Certificate issues (expired, missing, wrong type, revoked)
Provisioning profile issues (expired, missing cert, wrong App ID)
Entitlement mismatches (capability in Xcode but not in profile)
Keychain issues in CI (locked keychain, errSecInternalComponent)
Archive/export failures (wrong export method, wrong cert type)

Code Signing CLI (

skills/code-signing-ref.md

```
security find-identity
```
,
```
security cms -D
```
for profile inspection
```
codesign -d --entitlements
```
for entitlement extraction
Certificate types, validity periods, per-account limits
fastlane match commands and Keychain management

Keychain (

skills/keychain.md

)：

SecItem思维模型：唯一性约束、数据保护类别
生物识别访问控制（Face ID / Touch ID）
应用与扩展之间的Keychain共享
后台访问陷阱、Mac Keychain差异
从UserDefaults/@AppStorage迁移至敏感数据存储

Keychain API (

skills/keychain-ref.md

)：

SecItemAdd/CopyMatching/Update/Delete签名
项目类别属性、唯一性约束规则
kSecAttrAccessible级别及其适用场景
访问控制标志、生物识别集成
完整错误码参考

Keychain诊断 (

skills/keychain-diag.md

)：

因意外唯一性约束导致的errSecDuplicateItem
项目存在但仍出现errSecItemNotFound（查询不匹配）
后台上下文出现errSecInteractionNotAllowed
访问组与权限不匹配
应用更新后项目消失

CryptoKit (

skills/cryptokit.md

)：

AES-GCM和ChaChaPoly认证加密
ECDSA/EdDSA数字签名
Secure Enclave硬件支持密钥
密钥协商（ECDH）用于端到端加密
HPKE现代非对称加密
后量子算法（ML-KEM、ML-DSA）
CommonCrypto迁移路径

CryptoKit API (

skills/cryptokit-ref.md

)：

哈希函数（SHA-256/384/512、SHA-3）、HMAC
对称加密（AES-GCM、ChaChaPoly）
非对称签名（P256、P384、P521、Curve25519、Ed25519）
密钥协商、密钥派生（HKDF）
Secure Enclave密钥创建与使用
Swift Crypto跨平台一致性

Passkeys (

skills/passkeys.md

)：

ASAuthorizationController注册与断言流程
AutoFill辅助请求（QuickType栏集成）
为现有用户自动升级Passkey（iOS 18+）
组合凭据请求（Passkey + 密码 + Apple登录）
WebAuthn的关联域配置

App Attest (

skills/app-attest.md

)：

DCAppAttestService认证与断言流程
认证对象的服务器端验证
DeviceCheck每设备2位状态
针对大规模安装基数的逐步推出策略
优雅处理不支持的设备

文件保护 (

skills/file-protection-ref.md

)：

NSFileProtection级别（complete、completeUnlessOpen、afterFirstUnlock、none）
与设备密码绑定的硬件加速加密
后台文件访问要求
Keychain与文件保护对比

代码签名 (

skills/code-signing.md

)：

自动签名与手动签名的权衡
跨团队的证书与配置文件管理
fastlane match用于团队范围内的证书共享
CI/CD签名设置（GitHub Actions、Xcode Cloud）
分发构建准备（App Store、TestFlight、Ad Hoc）

代码签名诊断 (

skills/code-signing-diag.md

)：

证书问题（过期、缺失、类型错误、吊销）
配置文件问题（过期、缺少证书、App ID错误）
权限不匹配（Xcode中启用了功能但配置文件中未包含）
CI中的Keychain问题（锁定的Keychain、errSecInternalComponent）
归档/导出失败（导出方法错误、证书类型错误）

代码签名CLI (

skills/code-signing-ref.md

)：

```
security find-identity
```
、
```
security cms -D
```
用于配置文件检查
```
codesign -d --entitlements
```
用于权限提取
证书类型、有效期、每个账户的限制
fastlane match命令与Keychain管理

Automated Scanning

自动化扫描

Security audit → Launch

security-privacy-scanner

agent (scans for hardcoded credentials, insecure @AppStorage usage, missing Privacy Manifests, ATS violations, sensitive data in logs)

安全审计 → 启动

security-privacy-scanner

Agent（扫描硬编码凭据、不安全的@AppStorage使用、缺失的隐私清单、ATS违规、日志中的敏感数据）

Anti-Rationalization

误区纠正

Thought	Reality
"I'll store the token in UserDefaults for now"	UserDefaults is a plist file readable by any process with file access. Keychain takes 10 lines. `skills/keychain.md` shows the pattern.
"My app doesn't need encryption"	If you store any user data at rest, iOS file protection is free. `skills/file-protection-ref.md` covers protection levels.
"CommonCrypto works fine, no need to migrate"	CommonCrypto is C API with manual memory management and no compile-time safety. CryptoKit prevents buffer overflows and key misuse.
"I'll just use automatic signing"	Automatic signing works until CI, team scaling, or capability changes break it. Understand manual signing before you need it. `skills/code-signing.md` covers both.
"Passkeys are too new, passwords are fine"	Passkeys are phishing-resistant and supported since iOS 16. The migration path supports both simultaneously. `skills/passkeys.md` shows combined flows.
"I'll regenerate all certificates to fix this"	Regenerating revokes existing certs and breaks every teammate's build. Diagnose first. `skills/code-signing-diag.md` has the diagnostic flow.
"App Attest is overkill for my app"	If your app has any server-verified purchase, promotion, or competitive feature, tampered clients will exploit it. `skills/app-attest.md` covers gradual rollout.
"I'll use @unchecked Sendable on my crypto wrapper"	Hiding thread-safety issues from the compiler in security code is how data corruption happens. See axiom-concurrency for safe patterns.
"kSecAttrAccessibleAlways is fine"	Deprecated since iOS 12. Items are accessible even when device is locked and unencrypted during backup. Use kSecAttrAccessibleAfterFirstUnlock at minimum.

错误想法	实际情况
"我现在先把令牌存在UserDefaults里"	UserDefaults是plist文件，任何拥有文件访问权限的进程都能读取。Keychain实现仅需10行代码。 `skills/keychain.md` 展示了实现模式。
"我的应用不需要加密"	如果你存储任何用户静态数据，iOS文件保护是免费的。 `skills/file-protection-ref.md` 涵盖了保护级别。
"CommonCrypto用得好好的，不需要迁移"	CommonCrypto是C API，需要手动内存管理且无编译时安全保障。CryptoKit可防止缓冲区溢出和密钥误用。
"我只用自动签名就行"	自动签名在CI、团队扩展或功能变更时会失效。在需要手动签名前先了解它。 `skills/code-signing.md` 涵盖了两种方式。
"Passkey太新了，密码就够用"	Passkey具备防钓鱼能力，自iOS 16起就支持。迁移路径允许同时使用两者。 `skills/passkeys.md` 展示了组合流程。
"我重新生成所有证书来解决这个问题"	重新生成会吊销现有证书，导致所有团队成员的构建失败。先诊断问题。 `skills/code-signing-diag.md` 有诊断流程。
"App Attest对我的应用来说太小题大做了"	如果你的应用有任何服务器验证的购买、促销或竞争功能，被篡改的客户端会利用它。 `skills/app-attest.md` 涵盖了逐步推出策略。
"我在加密包装器上用@unchecked Sendable"	在安全代码中向编译器隐藏线程安全问题会导致数据损坏。查看axiom-concurrency获取安全模式。
"kSecAttrAccessibleAlways没问题"	自iOS 12起已废弃。即使设备锁定且备份时未加密，项目仍可访问。至少使用kSecAttrAccessibleAfterFirstUnlock。

Example Invocations

调用示例

User: "How do I store an auth token securely?" → Read:

skills/keychain.md

User: "errSecDuplicateItem when saving to keychain" → Read:

skills/keychain-diag.md

User: "What are the SecItem attribute constants?" → Read:

skills/keychain-ref.md

User: "How do I encrypt user data with AES?" → Read:

skills/cryptokit.md

User: "What's the CryptoKit API for ECDSA signing?" → Read:

skills/cryptokit-ref.md

User: "How do I add passkey sign-in to my app?" → Read:

skills/passkeys.md

User: "How do I verify my app hasn't been tampered with?" → Read:

skills/app-attest.md

User: "What NSFileProtection level should I use?" → Read:

skills/file-protection-ref.md

User: "My build fails with 'No signing certificate found'" → Read:

skills/code-signing-diag.md

User: "How do I set up fastlane match for CI?" → Read:

skills/code-signing.md

User: "How do I inspect a provisioning profile?" → Read:

skills/code-signing-ref.md

User: "Scan my code for security issues" → Invoke:

security-privacy-scanner

agent

用户："如何安全存储认证令牌？" → 参考：

skills/keychain.md

用户："保存到Keychain时出现errSecDuplicateItem错误" → 参考：

skills/keychain-diag.md

用户："SecItem的属性常量有哪些？" → 参考：

skills/keychain-ref.md

用户："如何用AES加密用户数据？" → 参考：

skills/cryptokit.md

用户："CryptoKit中ECDSA签名的API是什么？" → 参考：

skills/cryptokit-ref.md

用户："如何在我的应用中添加Passkey登录？" → 参考：

skills/passkeys.md

用户："如何验证我的应用未被篡改？" → 参考：

skills/app-attest.md

用户："我应该使用哪个NSFileProtection级别？" → 参考：

skills/file-protection-ref.md

用户："我的构建失败，提示'未找到签名证书'" → 参考：

skills/code-signing-diag.md

用户："如何为CI设置fastlane match？" → 参考：

skills/code-signing.md

用户："如何检查配置文件？" → 参考：

skills/code-signing-ref.md

用户："扫描我的代码查找安全问题" → 调用：

security-privacy-scanner

Agent