@massu/core 0.6.0 → 0.6.1

package/commands/_shared-references/verification-table.md

@@ -23,6 +23,9 @@
 | VR-BROWSER | Playwright: navigate, snapshot, console_messages, interact | 0 errors, UI works | ANY UI fix/change (CR-41) |
 | VR-SPEC-MATCH | Grep for EXACT CSS classes/structure from plan | All plan-specified strings found | UI plan items (CR-42) |
 | VR-PIPELINE | Trigger pipeline procedure, verify non-empty output | Output contains data | Data pipeline features (CR-43) |
+| VR-BOOT | Start service via launchctl/python, wait 5s, check process alive + exit 0 | Process running after 5s | ANY plan item creating/modifying a daemon, LaunchAgent, or service (CR-44) |
+| VR-DEPS | Verify `.venv/bin/python3` exists + all imports in main.py are importable | All imports resolve | ANY Python service with a venv-based plist (CR-44) |
+| VR-COMPAT | Check Python version vs syntax used (`\|` unions require 3.10+, `match` requires 3.10+) | No version-incompatible syntax | Python services on systems with Python < 3.10 (CR-44) |
 
 **Full VR-* reference (50+ types)**: [reference/vr-verification-reference.md](../../reference/vr-verification-reference.md)
 

package/commands/massu-golden-path/references/phase-2-implementation.md

@@ -199,6 +199,12 @@ WHILE true:
     VR-PIPELINE: For features with data pipelines (AI, cron, generation),
     trigger the pipeline procedure and verify output is non-empty. Empty = gap.
 
+    VR-BOOT (CR-44): For ANY plan item that creates/modifies a daemon,
+    LaunchAgent, or service: actually start it and verify it stays alive for 5s.
+    Check: venv exists, imports resolve, process exit code 0, no stderr crashes.
+    Static verification CANNOT catch missing venvs, missing pip packages, or
+    Python version incompatibilities. This check is MANDATORY for service items.
+
     SPRINT CONTRACT VERIFICATION: For each plan item with a sprint contract
     (from Phase 2A.5), verify EVERY acceptance criterion is met:
     - Read the contract's acceptance criteria list

package/commands/massu-golden-path/references/phase-2.5-gap-analyzer.md

@@ -91,6 +91,20 @@ WHILE iteration < MAX_ITERATIONS:
     - Background-only features (crons, webhooks): WRITE->STORE->READ sufficient
     - Query-only features (read views): READ->DISPLAY sufficient
 
+    I. RUNTIME & BOOT VERIFICATION (CR-44, Incident 2026-03-29)
+    - For EACH service that was created, modified, or registered in this session:
+      1. VR-DEPS: Verify .venv/bin/python3 exists (if plist references it)
+      2. VR-DEPS: Parse imports from main.py, verify each is installed in the venv
+      3. VR-COMPAT: Check for Python 3.10+ syntax (x | None, match/case) on Python 3.9 systems
+      4. VR-BOOT: Actually start the service (launchctl bootstrap or direct python), wait 5s, verify:
+         - Process is still alive (pgrep)
+         - Exit code is 0 (launchctl list | grep service)
+         - stderr log has no import errors or crashes
+      5. If boot fails: read stderr log, diagnose (missing package? wrong path? syntax error?), fix, retry
+    - Skip condition: plan has NO service/daemon/LaunchAgent items
+    - This category exists because static verification (VR-SYNTAX, VR-GREP) cannot catch:
+      missing venvs, missing pip packages, Python version incompatibilities, or runtime import errors
+
     H. SPRINT CONTRACT COMPLIANCE (if contracts exist from Phase 2A.5)
     - Read the sprint contracts from the Phase 2A tracking table
     - For EACH plan item with a sprint contract:

package/commands/massu-golden-path/references/phase-3.5-security-audit.md

@@ -0,0 +1,108 @@
+# Phase 3.5: Deep Security Audit
+
+> Reference doc for `/massu-golden-path`. Return to main file for overview.
+
+```
+[GOLDEN PATH -- PHASE 3.5: DEEP SECURITY AUDIT]
+```
+
+## Purpose
+
+Run a full adversarial security audit loop against ALL files changed in this golden path run. This is a deep, iterative audit with parallel red-team agents that converges to zero findings. It runs AFTER simplification (Phase 3) so the audit targets the final, cleaned-up code -- and BEFORE pre-commit verification (Phase 4) so all security fixes are included in the verification gates.
+
+**This phase is NEVER skipped.** Security is non-negotiable regardless of change size, type, or scope.
+
+---
+
+## 3.5.1 Determine Audit Scope
+
+Collect ALL files changed during this golden path run:
+
+```bash
+git diff --name-only HEAD
+```
+
+If files were already committed in earlier phases, also include:
+```bash
+git diff --name-only main...HEAD
+```
+
+The audit scope is the union of all changed files. Do NOT narrow scope -- every changed file gets audited.
+
+**Output:**
+```
+SECURITY AUDIT SCOPE:
+  Files: [N]
+  [list of files]
+```
+
+---
+
+## 3.5.2 Execute Deep Security Audit
+
+Run the full security audit protocol against the scoped files:
+
+1. **Launch 2-4 parallel adversarial reviewer agents** adapted to the codebase area:
+   - Backend/API code: 4 agents (Injection, Network/Leakage, DoS/Resources, Red Team Bypass)
+   - Frontend code: 3 agents (XSS/Injection, Auth/Data Exposure, Input Validation/Logic)
+   - Infrastructure/config: 2 agents (Secrets/Config, Dependencies/Supply Chain)
+
+2. **Consolidate findings** -- deduplicate across agents, take higher severity on disagreements
+
+3. **Fix ALL findings** -- CRITICAL first, then HIGH, MEDIUM, LOW. INFO documented only.
+
+4. **Verify fixes** -- import checks, input validation tests, functionality preserved
+
+5. **Loop until zero findings** -- max 5 iterations, escalate to user if still failing after 5
+
+---
+
+## 3.5.3 Attack Vector Coverage
+
+Every audit iteration MUST verify the complete attack vector checklist:
+
+### Universal
+- Hardcoded secrets / API keys / credentials
+- Error messages leaking internal details
+- Dependency vulnerabilities
+- Input validation on ALL external boundaries
+
+### Backend / API
+- SQL injection, command injection, path traversal
+- SSRF, authentication bypass, authorization bypass
+- DoS via unbounded inputs, memory leaks, race conditions
+- Response validation, type confusion
+
+### Frontend
+- XSS, open redirects, sensitive data in client state
+- CSRF, client-side auth bypass
+
+### LLM / AI Specific
+- Prompt injection, model output trust
+- Tool argument injection, vision/multimodal injection
+
+---
+
+## 3.5.4 Completion Gate
+
+The phase completes ONLY when the audit loop achieves a clean pass with zero findings.
+
+```
+SECURITY_AUDIT_GATE: PASS
+  Iterations: [N]
+  Total findings fixed: [N]
+  Breakdown: [X] CRITICAL, [X] HIGH, [X] MEDIUM, [X] LOW fixed
+  Clean pass: Iteration [N]
+```
+
+**Do NOT proceed to Phase 4 until SECURITY_AUDIT_GATE = PASS.**
+
+---
+
+## Rules
+
+1. **NEVER skip this phase** -- not for small changes, not for docs, not for config
+2. **NEVER proceed with findings unfixed** -- zero means zero
+3. **ALL severity levels get fixed** -- CRITICAL through LOW
+4. **No commit prompt** -- unlike standalone security audit commands, do NOT offer to commit here (Phase 4 handles commits)
+5. **Findings feed Phase 4** -- security fixes are verified by Phase 4's type check, build, lint, and secrets gates automatically

package/commands/massu-golden-path.md

@@ -12,10 +12,10 @@ name: massu-golden-path
 ## Objective
 
 Execute the COMPLETE development workflow in one continuous run:
-**Requirements -> Plan Creation -> Plan Audit -> Implementation -> Gap Analysis -> Simplification -> Commit -> Push**
+**Requirements -> Plan Creation -> Plan Audit -> Implementation -> Gap Analysis -> Simplification -> Security Audit -> Commit -> Push**
 
 This command has FULL FEATURE PARITY with the individual commands it replaces:
-`/massu-create-plan` -> `/massu-plan` -> `/massu-loop` -> `/massu-loop-playwright` -> `/massu-simplify` -> `/massu-commit` -> `/massu-push`
+`/massu-create-plan` -> `/massu-plan` -> `/massu-loop` -> `/massu-loop-playwright` -> `/massu-simplify` -> `/massu-security` -> `/massu-commit` -> `/massu-push`
 
 ---
 
@@ -76,6 +76,7 @@ After receiving approval, immediately continue. Do NOT ask "shall I continue?" -
 | 2-COMP | Competitive Implementation | Spawn N agents with bias presets, score, select winner (`--competitive` only) | WINNER SELECTION |
 | 2.5 | Gap & Enhancement Analysis | Find+fix gaps, UX issues, security, pattern compliance; loop until zero | -- |
 | 3 | Simplification | Pattern scanner, parallel semantic review, apply findings | -- |
+| 3.5 | Deep Security Audit | Full adversarial audit loop with parallel red-team agents, iterate to zero findings | -- |
 | 4 | Pre-Commit Verification | Verification gates, quality scoring | COMMIT APPROVAL |
 | 5 | Push Verification | `scripts/push-verify.sh`, CI monitoring via `scripts/ci-status.sh` | PUSH APPROVAL |
 | 6 | Completion | Final report, plan update, auto-learning, feature registration | -- |
@@ -137,6 +138,14 @@ Read `references/phase-3-simplify.md` for full details.
 
 ---
 
+## PHASE 3.5: DEEP SECURITY AUDIT
+
+Read `references/phase-3.5-security-audit.md` for full details.
+
+**Summary**: Run a full adversarial security audit loop against ALL changed files. Launches 2-4 parallel red-team agents (injection, network/leakage, DoS, bypass) per iteration. Every finding is fixed in-place. Loop iterates until zero findings remain (max 5 iterations). This phase is NEVER skipped -- security is non-negotiable. Security fixes flow into Phase 4's verification gates automatically.
+
+---
+
 ## PHASE 4: PRE-COMMIT VERIFICATION
 
 Read `references/phase-4-commit.md` for full details.
@@ -179,6 +188,7 @@ This skill is a folder. The following files are available for reference:
 | `references/vr-visual-calibration.md` | Score 5/3/1 calibration examples for VR-VISUAL weighted dimensions | Calibrating VR-VISUAL evaluator scoring |
 | `references/phase-2.5-gap-analyzer.md` | Gap/enhancement analysis loop, 7 categories (incl. sprint contract compliance), fix-and-repass until zero | After implementation, before simplification |
 | `references/phase-3-simplify.md` | Pattern scanner fast gate, dead code detection, parallel semantic review agents | Running simplification after implementation |
+| `references/phase-3.5-security-audit.md` | Deep adversarial security audit loop with parallel red-team agents, iterate to zero findings | After simplification, before commit verification |
 | `references/phase-4-commit.md` | Verification gates, quality scoring, commit format | Preparing a commit |
 | `references/phase-5-push.md` | Pre-flight, push verification, regression detection | Preparing to push to remote |
 | `references/phase-6-completion.md` | Final report, plan status update, auto-learning, feature registration | After all verification; completing the golden path |
@@ -232,6 +242,7 @@ AUTHORIZED_COMMAND: massu-golden-path
 4a. **Phase 2-COMP**: Competitive implementation (if --competitive) -> **PAUSE: Winner Selection**
 5. **Phase 2.5**: Gap & enhancement analysis loop (until zero gaps)
 6. **Phase 3**: Simplification (efficiency, reuse, patterns)
+6.5. **Phase 3.5**: Deep security audit (adversarial red-team loop to zero findings)
 7. **Phase 4**: Pre-commit verification -> **PAUSE: Commit Approval**
 8. **Phase 5**: Push verification via `scripts/push-verify.sh` -> **PAUSE: Push Approval**
 9. **Phase 6**: Completion, learning, quality metrics

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@massu/core",
-  "version": "0.6.0",
+  "version": "0.6.1",
   "type": "module",
   "description": "AI Engineering Governance MCP Server - Session memory, knowledge system, feature registry, code intelligence, rule enforcement, tiered tooling (12 free / 72 total), 55+ workflow commands, 11 agents, 20+ patterns",
   "main": "src/server.ts",