Axiom Security

# Security & Credentials

**You MUST use this skill for ANY keychain, encryption, passkey, app integrity, file protection, or code signing work.**

## Quick Reference

| Symptom / Task | Reference |
|----------------|-----------|
| Store tokens, passwords, API keys securely | See `skills/keychain.md` |
| Choose kSecAttrAccessible level, biometric protection | See `skills/keychain.md` |
| SecItem function signatures, attribute constants | See `skills/keychain-ref.md` |
| errSecDuplicateItem, errSecItemNotFound, errSecInteractionNotAllowed | See `skills/keychain-diag.md` |
| Encrypt data, sign payloads, key management | See `skills/cryptokit.md` |
| Hash functions, HMAC, AES-GCM, ChaChaPoly, ECDSA, EdDSA, key agreement | See `skills/cryptokit-ref.md` |
| Passkey sign-in, WebAuthn, ASAuthorizationController | See `skills/passkeys.md` |
| App integrity verification, DCAppAttestService | See `skills/app-attest.md` |
| NSFileProtection levels, data protection at rest | See `skills/file-protection-ref.md` |
| Certificate management, provisioning profiles, CI/CD signing | See `skills/code-signing.md` |
| Certificate not found, profile mismatch, entitlement errors | See `skills/code-signing-diag.md` |
| Certificate CLI, profile inspection, entitlement extraction | See `skills/code-signing-ref.md` |
| Apple Pay payment certs / pass type certs / Tap to Pay entitlement | See `axiom-payments` suite |

## Decision Tree

```dot
digraph security {
    start [label="Security task" shape=ellipse];
    what [label="What do you need?" shape=diamond];

    start -> what;
    what -> "skills/keychain.md" [label="store/retrieve\ncredentials, tokens,\nsecrets"];
    what -> "skills/keychain-ref.md" [label="SecItem API syntax,\nattribute constants,\naccess levels"];
    what -> "skills/keychain-diag.md" [label="keychain errors\n(errSec codes)"];
    what -> "skills/cryptokit.md" [label="encrypt data,\nsign payloads,\nSecure Enclave keys"];
    what -> "skills/cryptokit-ref.md" [label="CryptoKit API\n(AES, ECDSA, HPKE,\npost-quantum)"];
    what -> "skills/passkeys.md" [label="passkey sign-in,\nreplace passwords"];
    what -> "skills/app-attest.md" [label="app integrity,\nfraud prevention"];
    what -> "skills/file-protection-ref.md" [label="file encryption,\nNSFileProtection"];
    what -> "skills/code-signing.md" [label="set up signing,\nprofiles, CI/CD"];
    what -> "skills/code-signing-diag.md" [label="signing errors,\nupload rejections"];
    what -> "skills/code-signing-ref.md" [label="CLI commands,\nprofile inspection"];
}
```

1. Store tokens, passwords, API keys securely? → `skills/keychain.md`
1a. Need SecItem function signatures, attribute constants? → `skills/keychain-ref.md`
1b. Keychain errors (errSecDuplicateItem, errSecItemNotFound)? → `skills/keychain-diag.md`
2. Encrypt data, sign payloads, manage keys? → `skills/cryptokit.md`
2a. Need CryptoKit API details (AES-GCM, ECDSA, HPKE, post-quantum)? → `skills/cryptokit-ref.md`
3. Implement passkey sign-in, replace passwords? → `skills/passkeys.md`
4. Verify app integrity, prevent fraud? → `skills/app-attest.md`
5. File encryption at rest, NSFileProtection levels? → `skills/file-protection-ref.md`
6. Set up code signing, manage certificates, CI/CD? → `skills/code-signing.md`
6a. Code signing error troubleshooting? → `skills/code-signing-diag.md`
6b. Certificate CLI commands, profile inspection? → `skills/code-signing-ref.md`
7. Build/upload failures after signing? → See axiom-build
8. App Store submission prep? → `/skill axiom-shipping`
9. Privacy manifests, tracking transparency? → See axiom-integration
10. Data persistence (SwiftData, Core Data, storage strategy)? → `/skill axiom-data`
11. TLS configuration, certificate pinning for network requests? → `/skill axiom-networking`
12. Want au