@vantagesec/socc 0.1.13 → 0.1.15

package/socc-canonical/.agents/soc-copilot/skills/sequential-thinking/references/examples.md

@@ -1,274 +0,0 @@
-# Sequential Thinking Examples
-
-## Example 1: Database Performance Problem
-
-**Context**: API endpoints timing out, need to diagnose and fix.
-
-```typescript
-// Thought 1
-{
-  thought: "API timeout reports indicate database bottleneck. Need to profile queries first.",
-  thoughtNumber: 1,
-  totalThoughts: 6,
-  nextThoughtNeeded: true
-}
-
-// Thought 2
-{
-  thought: "Query logs show user profile endpoint makes 50+ queries per request. Classic N+1 pattern.",
-  thoughtNumber: 2,
-  totalThoughts: 6,
-  nextThoughtNeeded: true
-}
-
-// Thought 3
-{
-  thought: "Need to implement eager loading for relationships. Checking ORM documentation for optimal approach.",
-  thoughtNumber: 3,
-  totalThoughts: 7, // Adjusted scope
-  nextThoughtNeeded: true
-}
-
-// Thought 4
-{
-  thought: "ORM supports `include` for eager loading. Will need to modify 3 endpoints: /profile, /dashboard, /settings.",
-  thoughtNumber: 4,
-  totalThoughts: 7,
-  nextThoughtNeeded: true
-}
-
-// Thought 5
-{
-  thought: "Implementation complete. Testing shows queries reduced from 52 to 4 per request. Response time: 2.1s → 180ms.",
-  thoughtNumber: 5,
-  totalThoughts: 6, // Fewer steps than expected
-  nextThoughtNeeded: true
-}
-
-// Thought 6
-{
-  thought: "Success. Solution: eager loading eliminated N+1 queries. Next: add query monitoring to catch similar issues early.",
-  thoughtNumber: 6,
-  totalThoughts: 6,
-  nextThoughtNeeded: false // Done
-}
-```
-
-## Example 2: Architecture Decision with Branching
-
-**Context**: Choosing between microservices and monolith for new project.
-
-```typescript
-// Thought 1
-{
-  thought: "Need to decide architecture. Key factors: team size (5 devs), timeline (3 months), expected scale (10k users initially).",
-  thoughtNumber: 1,
-  totalThoughts: 8,
-  nextThoughtNeeded: true
-}
-
-// Thought 2
-{
-  thought: "Two viable approaches: monolith for simplicity or microservices for scalability. Need to evaluate both.",
-  thoughtNumber: 2,
-  totalThoughts: 10,
-  nextThoughtNeeded: true
-}
-
-// Branch A: Monolith approach
-{
-  thought: "Monolith pros: faster development, simpler deployment, easier debugging. Cons: potential future refactor cost.",
-  thoughtNumber: 3,
-  totalThoughts: 6,
-  branchFromThought: 2,
-  branchId: "monolith",
-  nextThoughtNeeded: true
-}
-
-{
-  thought: "For 10k users, single server handles load easily. Deployment: single container, straightforward CI/CD.",
-  thoughtNumber: 4,
-  totalThoughts: 6,
-  branchId: "monolith",
-  nextThoughtNeeded: true
-}
-
-{
-  thought: "Dev velocity high—team can ship in 3 months. Future scaling: can extract services later if needed.",
-  thoughtNumber: 5,
-  totalThoughts: 6,
-  branchId: "monolith",
-  nextThoughtNeeded: true
-}
-
-// Branch B: Microservices approach
-{
-  thought: "Microservices pros: independent scaling, service isolation. Cons: complexity overhead, distributed systems challenges.",
-  thoughtNumber: 3,
-  totalThoughts: 7,
-  branchFromThought: 2,
-  branchId: "microservices",
-  nextThoughtNeeded: true
-}
-
-{
-  thought: "For 5-person team: significant overhead in service coordination, API contracts, infrastructure management.",
-  thoughtNumber: 4,
-  totalThoughts: 7,
-  branchId: "microservices",
-  nextThoughtNeeded: true
-}
-
-{
-  thought: "Timeline risk: 3 months insufficient for robust microservices implementation. Need distributed tracing, service mesh, etc.",
-  thoughtNumber: 5,
-  totalThoughts: 7,
-  branchId: "microservices",
-  nextThoughtNeeded: true
-}
-
-// Convergence
-{
-  thought: "Comparing branches: monolith clearly better fit. Small team, tight timeline, modest initial scale. Microservices overhead unjustified.",
-  thoughtNumber: 6,
-  totalThoughts: 7,
-  nextThoughtNeeded: true
-}
-
-{
-  thought: "Decision: monolith with modular design. Extract services later if specific components need independent scaling.",
-  thoughtNumber: 7,
-  totalThoughts: 7,
-  nextThoughtNeeded: false
-}
-```
-
-## Example 3: Debugging with Revision
-
-**Context**: Feature works in dev, fails in production.
-
-```typescript
-// Thought 1
-{
-  thought: "Payment processing works locally but fails in prod. Checking error logs.",
-  thoughtNumber: 1,
-  totalThoughts: 5,
-  nextThoughtNeeded: true
-}
-
-// Thought 2
-{
-  thought: "Logs show 'Connection refused' to payment API. Likely firewall or network config issue.",
-  thoughtNumber: 2,
-  totalThoughts: 5,
-  nextThoughtNeeded: true
-}
-
-// Thought 3
-{
-  thought: "Checked firewall rules—payment API port (443) is open. Must be something else.",
-  thoughtNumber: 3,
-  totalThoughts: 6,
-  nextThoughtNeeded: true
-}
-
-// Thought 4 - Revision
-{
-  thought: "Wait—reviewing logs more carefully. Error message includes 'certificate verify failed'. Not firewall, it's SSL/TLS issue.",
-  thoughtNumber: 4,
-  totalThoughts: 6,
-  isRevision: true,
-  revisesThought: 2,
-  nextThoughtNeeded: true
-}
-
-// Thought 5
-{
-  thought: "Prod environment missing intermediate CA certificates. Dev works because it uses self-signed cert with verification disabled.",
-  thoughtNumber: 5,
-  totalThoughts: 6,
-  nextThoughtNeeded: true
-}
-
-// Thought 6
-{
-  thought: "Installed CA bundle on prod server. Payment processing now works. Root cause: incomplete SSL cert chain.",
-  thoughtNumber: 6,
-  totalThoughts: 6,
-  nextThoughtNeeded: false
-}
-```
-
-## Example 4: Complex Feature Planning
-
-**Context**: Building real-time collaborative editing feature.
-
-```typescript
-// Thought 1
-{
-  thought: "Real-time collab editing requires: WebSocket connections, operational transformation or CRDT, conflict resolution, presence tracking.",
-  thoughtNumber: 1,
-  totalThoughts: 12,
-  nextThoughtNeeded: true
-}
-
-// Thought 2
-{
-  thought: "Core decision: OT vs CRDT. OT requires central server for transform logic, CRDT enables P2P. For our use case, CRDT better.",
-  thoughtNumber: 2,
-  totalThoughts: 12,
-  nextThoughtNeeded: true
-}
-
-// Thought 3
-{
-  thought: "Research CRDT libraries: Yjs (popular, mature), Automerge (good TypeScript support). Yjs has better performance benchmarks.",
-  thoughtNumber: 3,
-  totalThoughts: 14, // Scope expanding
-  nextThoughtNeeded: true
-}
-
-// Thought 4
-{
-  thought: "Architecture: Yjs + WebSocket provider + persistence layer. Client-side: Yjs doc syncs via WebSocket. Server: broadcast updates + store snapshots.",
-  thoughtNumber: 4,
-  totalThoughts: 14,
-  nextThoughtNeeded: true
-}
-
-// Thought 5
-{
-  thought: "Implementation phases: (1) Basic sync, (2) Presence/cursors, (3) Persistence, (4) Conflict UI. Estimate 4 weeks total.",
-  thoughtNumber: 5,
-  totalThoughts: 14,
-  nextThoughtNeeded: true
-}
-
-// ... continues through implementation details
-
-// Final thought
-{
-  thought: "Plan complete. MVP: Yjs + WebSocket + Redis persistence. 4-week timeline. Main risk: scaling WebSocket connections—mitigate with load balancer sticky sessions.",
-  thoughtNumber: 14,
-  totalThoughts: 14,
-  nextThoughtNeeded: false
-}
-```
-
-## Usage Patterns Summary
-
-| Scenario | Pattern | Key Features |
-|----------|---------|--------------|
-| Linear problem-solving | Sequential thoughts | Steady progress, scope adjustment |
-| Exploring alternatives | Branching | Multiple paths from decision point |
-| Correcting mistakes | Revision | Reference earlier thought, update conclusion |
-| Complex analysis | Mixed | Combine all features as needed |
-
-## Tips for Effective Use
-
-1. **Start broad, narrow down**: Early thoughts explore problem space, later thoughts dive into specifics
-2. **Show your work**: Document reasoning process, not just conclusions
-3. **Revise when wrong**: Don't continue down incorrect path—backtrack and correct
-4. **Branch at crossroads**: When facing clear alternatives, explore each systematically
-5. **Adjust dynamically**: Change `totalThoughts` as understanding evolves
-6. **End decisively**: Final thought should summarize conclusion and next actions

package/socc-canonical/.agents/soc-copilot/skills/soc-generalist/SKILL.md

@@ -1,53 +0,0 @@
----
-name: soc-generalist
-description: |
-  Playbook geral para conversa operacional de SOC em linguagem natural.
-  Use quando o analista fizer perguntas abertas sobre CVEs, hashes, IOCs, TTPs,
-  comportamento suspeito, hipóteses, hunting, priorização, correlação ou dúvidas
-  técnicas que não sejam claramente só phishing, URL, malware comportamental ou
-  payload/log para triagem estruturada.
----
-
-# SOC Generalist
-
-Assistente conversacional para o dia a dia do SOC.
-
-## Quando usar
-
-- perguntas abertas em linguagem natural
-- dúvidas sobre CVE, hash, IOC, domínio, IP, TTP, ATT&CK, detecção ou hunting
-- pedidos de interpretação de comportamento suspeito
-- perguntas sobre como investigar, validar, priorizar ou explicar um caso
-- comparações, hipóteses e raciocínio técnico sem payload estruturado claro
-
-## Objetivo
-
-- ajudar o analista a pensar melhor e mais rápido
-- responder de forma consultiva, não binária por padrão
-- adaptar profundidade ao pedido real do analista
-- diferenciar fato conhecido, hipótese e recomendação prática
-
-## Estilo de resposta
-
-- responda em PT-BR
-- aceite perguntas curtas, ambíguas ou exploratórias
-- quando a entrada for insuficiente, peça contexto de forma operacional, sem travar a conversa
-- se o analista pedir explicação, priorize clareza
-- se o analista pedir triagem, priorize evidências, risco e próximos passos
-- não force verdict fechado quando a pergunta for exploratória
-
-## Estrutura recomendada
-
-Quando fizer sentido, organize a resposta em:
-
-1. leitura inicial
-2. o que isso pode significar
-3. o que validar a seguir
-4. impacto ou prioridade
-
-## Guardrails
-
-- não invente reputação, exploração ativa, CVE associada ou família de malware sem evidência
-- não transforme toda pergunta em classificação binária
-- quando houver incerteza, explicite limitações e caminhos de validação
-- se o usuário colar um payload/log claro, aceite que outro playbook pode ser mais adequado

package/socc-canonical/.agents/soc-copilot/skills/suspicious-url/SKILL.md

@@ -1,51 +0,0 @@
----
-name: suspicious-url
-description: |
-  Specialized SOC Copilot skill for analyzing suspicious URLs, domains, redirect patterns, typo-squatting,
-  and web-delivered indicators.
-  Use when the primary artifact is a URL, domain, or web destination.
----
-
-# Suspicious URL
-
-Focused workflow for web indicators and suspicious destinations.
-
-## When to Use
-
-- primary artifact is a URL, domain, or redirect chain
-- user asks whether a link is suspicious
-- the input contains obvious web navigation or destination details
-
-## Workflow
-
-### 1. Parse the web artifact
-
-- extract scheme, domain, subdomain, path, parameters, and visible redirect clues
-- note encoding, shortening, impersonation, or typo-squatting patterns
-
-### 2. Evaluate risk indicators
-
-- identify suspicious hosting, deceptive pathing, brand impersonation, and unusual parameter usage
-- separate structural risk from reputation-based claims
-
-### 3. Determine verdict carefully
-
-Read [`../../references/evidence-rules.md`](../../references/evidence-rules.md).
-
-- determine whether the URL is suspicious, malicious, benign, or inconclusive
-- explain what part of the URL or context supports that conclusion
-
-### 4. Recommend safe validation
-
-- suggest sandboxing, proxy validation, DNS checks, or user notification where appropriate
-- avoid encouraging unsafe live-click validation
-
-## Output Contract
-
-Read [`../../references/output-contract.md`](../../references/output-contract.md).
-
-## Guardrails
-
-- Do not claim malicious reputation without an actual lookup.
-- Make conditional statements explicit when the conclusion depends on missing context.
-- Keep the advice safe for analysts and end users.

package/socc-canonical/.agents/soc-copilot/skills/systematic-debugging/CREATION-LOG.md

@@ -1,119 +0,0 @@
-# Creation Log: Systematic Debugging Skill
-
-Reference example of extracting, structuring, and bulletproofing a critical skill.
-
-## Source Material
-
-Extracted debugging framework from `/Users/jesse/.claude/CLAUDE.md`:
-- 4-phase systematic process (Investigation → Pattern Analysis → Hypothesis → Implementation)
-- Core mandate: ALWAYS find root cause, NEVER fix symptoms
-- Rules designed to resist time pressure and rationalization
-
-## Extraction Decisions
-
-**What to include:**
-- Complete 4-phase framework with all rules
-- Anti-shortcuts ("NEVER fix symptom", "STOP and re-analyze")
-- Pressure-resistant language ("even if faster", "even if I seem in a hurry")
-- Concrete steps for each phase
-
-**What to leave out:**
-- Project-specific context
-- Repetitive variations of same rule
-- Narrative explanations (condensed to principles)
-
-## Structure Following skill-creation/SKILL.md
-
-1. **Rich when_to_use** - Included symptoms and anti-patterns
-2. **Type: technique** - Concrete process with steps
-3. **Keywords** - "root cause", "symptom", "workaround", "debugging", "investigation"
-4. **Flowchart** - Decision point for "fix failed" → re-analyze vs add more fixes
-5. **Phase-by-phase breakdown** - Scannable checklist format
-6. **Anti-patterns section** - What NOT to do (critical for this skill)
-
-## Bulletproofing Elements
-
-Framework designed to resist rationalization under pressure:
-
-### Language Choices
-- "ALWAYS" / "NEVER" (not "should" / "try to")
-- "even if faster" / "even if I seem in a hurry"
-- "STOP and re-analyze" (explicit pause)
-- "Don't skip past" (catches the actual behavior)
-
-### Structural Defenses
-- **Phase 1 required** - Can't skip to implementation
-- **Single hypothesis rule** - Forces thinking, prevents shotgun fixes
-- **Explicit failure mode** - "IF your first fix doesn't work" with mandatory action
-- **Anti-patterns section** - Shows exactly what shortcuts look like
-
-### Redundancy
-- Root cause mandate in overview + when_to_use + Phase 1 + implementation rules
-- "NEVER fix symptom" appears 4 times in different contexts
-- Each phase has explicit "don't skip" guidance
-
-## Testing Approach
-
-Created 4 validation tests following skills/meta/testing-skills-with-subagents:
-
-### Test 1: Academic Context (No Pressure)
-- Simple bug, no time pressure
-- **Result:** Perfect compliance, complete investigation
-
-### Test 2: Time Pressure + Obvious Quick Fix
-- User "in a hurry", symptom fix looks easy
-- **Result:** Resisted shortcut, followed full process, found real root cause
-
-### Test 3: Complex System + Uncertainty
-- Multi-layer failure, unclear if can find root cause
-- **Result:** Systematic investigation, traced through all layers, found source
-
-### Test 4: Failed First Fix
-- Hypothesis doesn't work, temptation to add more fixes
-- **Result:** Stopped, re-analyzed, formed new hypothesis (no shotgun)
-
-**All tests passed.** No rationalizations found.
-
-## Iterations
-
-### Initial Version
-- Complete 4-phase framework
-- Anti-patterns section
-- Flowchart for "fix failed" decision
-
-### Enhancement 1: TDD Reference
-- Added link to skills/testing/test-driven-development
-- Note explaining TDD's "simplest code" ≠ debugging's "root cause"
-- Prevents confusion between methodologies
-
-## Final Outcome
-
-Bulletproof skill that:
-- ✅ Clearly mandates root cause investigation
-- ✅ Resists time pressure rationalization
-- ✅ Provides concrete steps for each phase
-- ✅ Shows anti-patterns explicitly
-- ✅ Tested under multiple pressure scenarios
-- ✅ Clarifies relationship to TDD
-- ✅ Ready for use
-
-## Key Insight
-
-**Most important bulletproofing:** Anti-patterns section showing exact shortcuts that feel justified in the moment. When Claude thinks "I'll just add this one quick fix", seeing that exact pattern listed as wrong creates cognitive friction.
-
-## Usage Example
-
-When encountering a bug:
-1. Load skill: skills/debugging/systematic-debugging
-2. Read overview (10 sec) - reminded of mandate
-3. Follow Phase 1 checklist - forced investigation
-4. If tempted to skip - see anti-pattern, stop
-5. Complete all phases - root cause found
-
-**Time investment:** 5-10 minutes
-**Time saved:** Hours of symptom-whack-a-mole
-
----
-
-*Created: 2025-10-03*
-*Purpose: Reference example for skill extraction and bulletproofing*