confirming-pentest-authorization

What this skill does

# Confirming Pentest Authorization

## Overview

Penetration testing is computer access. Without explicit
authorization from the owner of the system under test, that
access is a crime — Computer Fraud and Abuse Act in the US,
Computer Misuse Act in the UK, equivalent laws everywhere
else. The line between an authorized pentester and an
unauthorized attacker is one signature on one document.

The penetration-tester pack's other skills (TLS analysis, CORS
audit, dependency CVE scan, etc.) all assume that line has been
crossed correctly. This skill is the first gate the orchestrator
routes to. It refuses to declare an engagement authorized until
a Rules of Engagement (ROE) attestation file exists, is signed,
and contains the fields any real-world legal review will look for.

This is not paranoia or paperwork theater. Engagements DO go
sideways: scope creeps mid-test, a tester probes an out-of-scope
adjacent system, an SOC team escalates a "real" attack to legal,
and the question "show us the ROE" comes up. If the ROE is in
order, the answer is "here it is." If not, the conversation gets
expensive fast.

## When the skill produces findings

| Finding | Severity | Threshold | Affected control |
|---|---|---|---|
| ROE file missing | **CRITICAL** | No attestation file at the expected path | (legal) |
| Required field missing | **CRITICAL** | authorizer, in_scope_targets, time_window, emergency_contact, or signature absent | (legal) |
| Signature missing | **CRITICAL** | No signature_block in ROE | (legal) |
| Signer not in allowlist | **CRITICAL** | signer email/key id not in `.allowed-authorizers` | (legal) |
| Time window expired | **HIGH** | current time outside `time_window.start` / `time_window.end` | (legal) |
| Time window not yet active | **HIGH** | current time before `time_window.start` | (legal) |
| In-scope target list empty | **HIGH** | `in_scope_targets` field present but empty | (legal) |
| Out-of-scope override (manual flag) | **MEDIUM** | tester requests a target not in the in-scope list | (legal) |
| Stale ROE (>30 days from sign date) | **MEDIUM** | last_signed_at older than 30 days; suggests refresh | (operational) |
| ROE present + signed + in window | **INFO** | All gates pass; engagement is authorized | (positive confirmation) |

## Prerequisites

- Python 3.9+
- ROE attestation file at `./roe.yaml` (or pass `--roe FILE`).
- Optional `.allowed-authorizers` file listing email addresses or
  GPG key fingerprints permitted to sign ROEs.

## ROE attestation file schema

```yaml
engagement_id: ACME-2026-Q2-PENTEST-001
authorizer:
  name: Jane Doe
  email: [email protected]
  role: CISO
  organization: ACME Corp
in_scope_targets:
  - host: app.acme.example
    notes: production web app, full-stack pentest authorized
  - host: api.acme.example
  - cidr: 10.50.0.0/16
    notes: internal corporate range
out_of_scope_targets:
  - host: payments.acme.example
    reason: PCI scope, separate authz required
  - cidr: 10.99.0.0/16
    reason: production database tier, separate authz required
time_window:
  start: 2026-06-01T00:00:00Z
  end: 2026-06-30T23:59:59Z
emergency_contact:
  name: SOC On-Call
  phone: "+1-555-555-5555"
  email: [email protected]
rules:
  - No exploitation of confirmed findings without written prompt approval
  - No password cracking against production accounts
  - All testing pauses on declared business-hours blackouts
signature_block:
  signer: [email protected]
  signed_at: 2026-05-30T14:22:00Z
  signature: |
    -----BEGIN PGP SIGNATURE-----
    ...
    -----END PGP SIGNATURE-----
```

## Instructions

### Step 1 — Locate the ROE

The skill looks for `./roe.yaml` by default. Override with
`--roe FILE`. The ROE file should live with the engagement
artifacts, NOT in the repo under test — typical layout is
`engagements/<client>-<date>/roe.yaml`.

### Step 2 — Run the verification

```bash
python3 ./scripts/check_authorization.py --roe engagements/acme-2026-q2/roe.yaml
```

Options:

```
Usage: check_authorization.py [OPTIONS]

Options:
  --roe FILE              Path to ROE attestation YAML (default: ./roe.yaml)
  --allowed FILE          Path to allowed-authorizers list (default: .allowed-authorizers)
  --check-target HOST     Verify HOST is in the in-scope list (repeatable)
  --output FILE           Write findings to FILE
  --format FMT            json | jsonl | markdown (default: markdown)
  --min-severity SEV      Default info
```

### Step 3 — Interpret findings

CRITICAL = engagement is NOT authorized. Halt all testing
immediately. Resolve the missing requirement before any further
skill runs.

HIGH = the engagement was authorized at some point but the
current state is out-of-window. Either extend the time window
with a new signature or wait.

MEDIUM = operational concerns that warrant attention but don't
block testing. A stale ROE should be refreshed; a manual
out-of-scope target request needs explicit additional authz.

INFO = positive confirmation that the engagement is authorized.

### Step 4 — Save the result

The skill's output IS the authorization record. Save the markdown
report alongside the ROE itself; it becomes part of the engagement
evidence chain (see `recording-pentest-engagement` for the
storage pattern).

## Examples

### Example 1 — Pre-flight check before any scan

```bash
python3 ./scripts/check_authorization.py --roe engagements/acme-2026-q2/roe.yaml --format markdown
# If exit code != 0, halt testing.
```

### Example 2 — Confirm a specific target is in-scope before probing

```bash
python3 ./scripts/check_authorization.py \
    --roe engagements/acme-2026-q2/roe.yaml \
    --check-target app.acme.example \
    --check-target api.acme.example
```

The skill returns an explicit INFO Finding per target if all
checks pass, and a HIGH/CRITICAL Finding per target if any are
out-of-scope.

### Example 3 — Generate authorization evidence for the audit trail

```bash
python3 ./scripts/check_authorization.py --roe engagements/acme-2026-q2/roe.yaml \
    --format json \
    --output engagements/acme-2026-q2/evidence/authz-check-$(date +%Y%m%d).json
```

## Output

JSON / JSONL / Markdown per `lib/report.py`. Exit codes: 0 clean,
1 high/critical (engagement NOT authorized), 2 error.

Each Finding includes:

- `id` — `authz::<field>` or `authz::target::<target>`
- `severity` — CRITICAL / HIGH / MEDIUM / INFO
- `category` — `engagement-authorization`
- `summary` — what's missing or wrong
- `evidence` — engagement_id, authorizer email, time window, target

## Error Handling

- **ROE file not found** → emits a CRITICAL finding and exits 1.
- **Unparseable YAML** → emits a CRITICAL finding with the parser
  error and exits 2.
- **Allowed-authorizers file missing** → emits an INFO finding
  (allowlist is recommended but not required) and proceeds with
  field-level verification only.
- **Signature block present but unparseable** → emits a CRITICAL
  finding flagging the issue; does NOT attempt to verify
  cryptographically (separate `gpg --verify` step recommended for
  signature validation; this skill validates the structural
  presence and signer-identity claim).

## Resources

- `references/THEORY.md` — Why pentest authorization is a legal
  primitive (CFAA, CMA, equivalent statutes), ROE structure
  history (OSSTMM / PTES origins), signature options
  (PGP / S/MIME / DocuSign), scope-creep failure modes
- `references/PLAYBOOK.md` — ROE templates per engagement type
  (external pentest, internal pentest, red team, purple team),
  authorization escalation flow, time-window extension procedures,
  emergency-stop protocol