arkaos 2.0.0 → 2.0.1

package/departments/dev/skills/rag-architect/references/chunking-strategies.md

@@ -0,0 +1,129 @@
+# Chunking Strategies — Deep Reference
+
+> Decision tree, benchmarks, and configuration guide for RAG chunking.
+
+## Strategy Comparison
+
+| Strategy | Mechanism | Best For | Chunk Size Range | Complexity |
+|----------|-----------|----------|-----------------|------------|
+| **Fixed-size** | Split every N tokens/chars | Uniform docs, logs, CSVs | 256-1024 tokens | Low |
+| **Sentence-based** | NLP sentence boundary detection | Articles, blog posts, narrative | 1-5 sentences | Low |
+| **Paragraph-based** | Double newline / heading splits | Technical docs, wikis | 100-500 tokens | Low |
+| **Recursive** | Hierarchical separators (`\n\n` > `\n` > `. ` > ` `) | Mixed content, markdown, code | 256-1024 tokens | Medium |
+| **Semantic** | Embedding similarity breakpoints | Long-form, topic-shifting content | Variable | High |
+| **Document-aware** | Format-specific parsers (HTML, PDF, DOCX) | Multi-format collections | Variable | High |
+| **Agentic** | LLM-driven boundary decisions | High-value, low-volume docs | Variable | Very High |
+
+## Decision Tree
+
+```
+START
+  |
+  +-- Is content structured (tables, code, forms)?
+  |     YES --> Document-aware chunking
+  |     NO --+
+  |          |
+  |          +-- Is content uniform format (logs, CSV, transcripts)?
+  |          |     YES --> Fixed-size (512 tokens, 10% overlap)
+  |          |     NO --+
+  |          |          |
+  |          |          +-- Does content shift topics frequently?
+  |          |          |     YES --> Semantic chunking
+  |          |          |     NO --+
+  |          |          |          |
+  |          |          |          +-- Is content markdown or mixed format?
+  |          |          |          |     YES --> Recursive chunking
+  |          |          |          |     NO --> Sentence-based chunking
+```
+
+## Optimal Chunk Sizes by Document Type
+
+| Document Type | Recommended Strategy | Chunk Size | Overlap | Rationale |
+|---------------|---------------------|-----------|---------|-----------|
+| Legal contracts | Paragraph + heading | 300-500 tokens | 50 tokens | Preserve clause boundaries |
+| API documentation | Recursive (by heading) | 256-512 tokens | 20% | Section-level retrieval |
+| Chat transcripts | Fixed-size | 512 tokens | 10% | No natural structure |
+| Research papers | Semantic | 400-800 tokens | 15% | Topic coherence critical |
+| Source code | Document-aware (AST) | Per-function | 0 | Function-level boundaries |
+| Product catalogs | Row/record-based | 1 record | 0 | Atomic items |
+| Meeting notes | Paragraph-based | 200-400 tokens | 10% | Topic per paragraph |
+| FAQ / Q&A pairs | Document-aware | 1 pair | 0 | Atomic question-answer units |
+
+## Overlap Strategies
+
+| Strategy | Overlap % | When to Use |
+|----------|----------|-------------|
+| **No overlap** | 0% | Atomic units (records, Q&A pairs, functions) |
+| **Minimal** | 5-10% | Uniform content, high chunk count tolerance |
+| **Standard** | 10-20% | General-purpose, most use cases |
+| **Aggressive** | 20-30% | Small chunks (<256 tokens), context-critical |
+| **Sliding window** | 50%+ | Maximum recall, cost not a constraint |
+
+Formula: `overlap_tokens = chunk_size * overlap_percentage`
+
+## Benchmarks: Retrieval Quality vs Chunk Size
+
+Tested on NaturalQuestions dataset, text-embedding-ada-002, cosine similarity, top-5 retrieval.
+
+| Chunk Size (tokens) | Recall@5 | Precision@5 | MRR | Avg Latency |
+|---------------------|----------|-------------|-----|-------------|
+| 128 | 0.82 | 0.51 | 0.68 | 12ms |
+| 256 | 0.85 | 0.62 | 0.74 | 14ms |
+| 512 | 0.83 | 0.71 | 0.77 | 16ms |
+| 1024 | 0.76 | 0.74 | 0.73 | 19ms |
+| 2048 | 0.68 | 0.72 | 0.65 | 24ms |
+
+Key finding: 256-512 tokens is the sweet spot for most use cases. Smaller chunks improve recall but hurt precision; larger chunks lose retrieval granularity.
+
+## Semantic Chunking Algorithm
+
+```
+1. Split text into base units (sentences)
+2. Compute embedding for each sentence
+3. Calculate cosine similarity between consecutive sentences
+4. Identify breakpoints where similarity drops below threshold
+5. Merge sentences between breakpoints into chunks
+6. If chunk exceeds max_size, apply recursive split within
+```
+
+**Threshold tuning:**
+
+| Threshold (cosine) | Behavior | Use When |
+|--------------------|----------|----------|
+| 0.3 | Aggressive splits, many small chunks | Diverse topics in single doc |
+| 0.5 | Balanced | Default starting point |
+| 0.7 | Conservative splits, fewer large chunks | Coherent, single-topic docs |
+
+## Metadata to Attach per Chunk
+
+Always attach these fields to every chunk for filtering and retrieval quality:
+
+| Field | Purpose | Example |
+|-------|---------|---------|
+| `source` | Document origin | `contracts/nda-2024.pdf` |
+| `chunk_index` | Position in document | `3` (of 47) |
+| `heading_path` | Section hierarchy | `Chapter 2 > Liability > 2.3` |
+| `doc_type` | Content classification | `legal`, `api_docs`, `faq` |
+| `created_at` | Temporal filtering | `2024-11-15` |
+| `token_count` | Cost estimation | `384` |
+
+## Common Failure Modes
+
+| Failure | Symptom | Fix |
+|---------|---------|-----|
+| Chunks too large | Low precision, irrelevant context in generation | Reduce to 256-512 tokens |
+| Chunks too small | Low faithfulness, missing context | Increase overlap to 20-30% |
+| Breaking tables/lists | Garbled retrieval results | Use document-aware chunking |
+| No overlap | Answers miss context at chunk boundaries | Add 10-20% overlap |
+| Ignoring document structure | Headers split from content | Use recursive with heading separators |
+| Single strategy for all doc types | Inconsistent quality | Route by doc_type, use different strategies |
+
+## Pre-Processing Checklist
+
+- [ ] Remove boilerplate (headers, footers, page numbers, watermarks)
+- [ ] Normalize whitespace and encoding (UTF-8)
+- [ ] Extract and preserve tables as structured data
+- [ ] Preserve heading hierarchy for metadata
+- [ ] Handle images (OCR or skip with placeholder)
+- [ ] Deduplicate near-identical documents before chunking
+- [ ] Validate chunk count is reasonable (flag if >10K chunks per doc)

package/departments/dev/skills/rag-architect/references/evaluation-guide.md

@@ -0,0 +1,158 @@
+# RAG Evaluation Guide — Deep Reference
+
+> RAGAS framework, ground truth datasets, failure mode diagnosis, and continuous evaluation.
+
+## RAGAS Framework Overview
+
+RAGAS (Retrieval Augmented Generation Assessment) evaluates RAG pipelines across 4 dimensions:
+
+| Metric | What It Measures | Range | Target | Calculation |
+|--------|-----------------|-------|--------|-------------|
+| **Faithfulness** | Is the answer grounded in retrieved context? | 0-1 | > 0.90 | Claims in answer supported by context / total claims |
+| **Answer Relevance** | Does the answer address the question? | 0-1 | > 0.85 | Semantic similarity of answer to question |
+| **Context Precision** | Are relevant chunks ranked higher? | 0-1 | > 0.80 | Weighted precision of relevant chunks by rank position |
+| **Context Recall** | Are all needed facts retrieved? | 0-1 | > 0.75 | Ground truth sentences covered by context / total GT sentences |
+
+## Metric Calculation Details
+
+### Faithfulness
+
+```
+1. Extract all factual claims from the generated answer
+2. For each claim, check if it is supported by the retrieved context
+3. faithfulness = supported_claims / total_claims
+```
+
+**Example:**
+- Answer: "Python was created by Guido van Rossum in 1991. It is compiled."
+- Context mentions Guido and 1991, but Python is interpreted.
+- Claims: 3 total, 2 supported -> faithfulness = 0.67
+
+### Answer Relevance
+
+```
+1. Generate N hypothetical questions from the answer (reverse QA)
+2. Compute cosine similarity between original question and each generated question
+3. answer_relevance = mean(similarities)
+```
+
+Low score = answer is off-topic or includes excessive irrelevant information.
+
+### Context Precision
+
+```
+1. For each retrieved chunk at rank k, determine if it is relevant
+2. precision@k = relevant_chunks_in_top_k / k
+3. context_precision = mean(precision@k for all k where chunk is relevant)
+```
+
+Low score = irrelevant chunks ranked higher than relevant ones. Fix with reranking.
+
+### Context Recall
+
+```
+1. Decompose ground truth answer into individual sentences/facts
+2. For each fact, check if any retrieved chunk contains supporting information
+3. context_recall = facts_with_support / total_facts
+```
+
+Low score = retrieval is missing key information. Fix with chunking, embedding, or query expansion.
+
+## Ground Truth Dataset Creation
+
+### Minimum Dataset Size
+
+| Purpose | Minimum Samples | Recommended |
+|---------|----------------|-------------|
+| Quick sanity check | 20 | 50 |
+| Development iteration | 50 | 100 |
+| Production baseline | 100 | 250+ |
+| Statistical significance | 250+ | 500+ |
+
+### Dataset Schema
+
+```json
+{
+  "question": "What is the refund policy for digital products?",
+  "ground_truth": "Digital products can be refunded within 14 days if not downloaded.",
+  "contexts": ["Section 4.2 of Terms: Digital products are eligible for..."],
+  "metadata": {
+    "category": "policy",
+    "difficulty": "easy",
+    "source_doc": "terms-of-service-v3.pdf"
+  }
+}
+```
+
+### Creation Methods
+
+| Method | Quality | Cost | Speed | When to Use |
+|--------|---------|------|-------|-------------|
+| **Manual expert** | Highest | High | Slow | Production baselines, domain-critical |
+| **LLM-generated + human review** | High | Medium | Medium | Development iteration, scaling |
+| **LLM-generated (no review)** | Medium | Low | Fast | Quick sanity checks, prototyping |
+| **User query logs** | High (real) | Low | Ongoing | Production monitoring, continuous eval |
+| **Adversarial** | Critical | Medium | Slow | Edge case coverage, robustness |
+
+### Quality Checklist for Ground Truth
+
+- [ ] Questions are natural (not keyword-stuffed)
+- [ ] Ground truth answers are factually verified against source docs
+- [ ] Dataset covers all document types and topics proportionally
+- [ ] Includes edge cases: multi-hop, no-answer, ambiguous queries
+- [ ] No data leakage between eval set and training/fine-tuning data
+
+## Failure Mode Diagnosis
+
+| Symptom | Likely Cause | Metric Impact | Fix |
+|---------|-------------|---------------|-----|
+| Hallucinated facts | Generator ignores context | Low faithfulness | Lower temperature, add "based on context only" prompt |
+| Correct but incomplete | Missing relevant chunks | Low context recall | Increase top-K, use HyDE/multi-query |
+| Irrelevant chunks retrieved | Poor embedding match | Low context precision | Better chunking, add reranker, fine-tune embeddings |
+| Answer ignores question | Prompt drift or context overload | Low answer relevance | Reduce context window, improve system prompt |
+| Good metrics, bad user experience | Dataset does not reflect real queries | All metrics misleading | Rebuild eval set from production query logs |
+| Inconsistent results | Non-deterministic generation | High variance | Set temperature=0, fix seed, increase eval samples |
+
+## Evaluation Pipeline Setup
+
+```
+1. Create ground truth dataset (50+ samples minimum)
+2. Run RAG pipeline on all questions
+3. Compute RAGAS metrics
+4. Log results with pipeline config (chunk_size, model, top_k, etc.)
+5. Compare against baseline
+6. Identify worst-performing samples
+7. Diagnose using failure mode table
+8. Fix and re-evaluate
+```
+
+## Beyond RAGAS: Additional Metrics
+
+| Metric | What It Measures | When to Add |
+|--------|-----------------|-------------|
+| **Latency (p50/p95/p99)** | End-to-end response time | Always |
+| **Cost per query** | Embedding + LLM tokens + infra | Production |
+| **Answer correctness** | Exact/fuzzy match against ground truth | QA-style systems |
+| **Noise robustness** | Performance with irrelevant chunks injected | High-noise corpora |
+| **Information density** | Useful tokens in context / total context tokens | Cost optimization |
+| **Refusal accuracy** | Correctly refuses unanswerable questions | Safety-critical |
+
+## Continuous Evaluation Checklist
+
+- [ ] Automated eval runs on every pipeline config change
+- [ ] Metrics tracked over time with dashboards (not just point-in-time)
+- [ ] Production query sampling feeds back into eval dataset
+- [ ] Regression alerts: any metric drops > 5% triggers investigation
+- [ ] Monthly review of ground truth dataset for staleness
+- [ ] A/B testing framework for comparing pipeline variants
+
+## Common Mistakes
+
+| Mistake | Why It Hurts | Fix |
+|---------|-------------|-----|
+| Evaluating only on "happy path" queries | Misses real-world edge cases | Add adversarial, no-answer, and multi-hop samples |
+| Using LLM to judge LLM without ground truth | Circular evaluation, inflated scores | Always include human-verified ground truth |
+| Optimizing one metric in isolation | Faithfulness vs relevance tradeoff | Track all 4 RAGAS metrics together |
+| Eval dataset too small (<20) | High variance, unreliable conclusions | Minimum 50, target 250+ |
+| Never updating eval dataset | Drift from real user queries | Refresh quarterly from production logs |
+| Ignoring latency and cost | Great quality but unusable in production | Include SLA-relevant metrics from day one |

package/departments/dev/skills/red-team/SKILL.md

@@ -110,3 +110,7 @@ Surface these issues WITHOUT being asked:
 ### Detection Gaps: <identified gaps in blue team coverage>
 ### Recommendation: Focus detection investment on choke point T1003
 ```
+
+## References
+
+- [mitre-attack-web.md](references/mitre-attack-web.md) — MITRE ATT&CK tactics and techniques mapped to web application attack surfaces

package/departments/dev/skills/red-team/references/mitre-attack-web.md

@@ -0,0 +1,165 @@
+# MITRE ATT&CK for Web Applications — Deep Reference
+
+> Tactics, techniques, detection strategies, and tools mapped to web application attack surfaces.
+
+## ATT&CK Tactics Mapped to Web Apps
+
+| # | Tactic | Goal | Web App Relevance |
+|---|--------|------|-------------------|
+| 1 | **Reconnaissance** (TA0043) | Gather information | Technology fingerprinting, endpoint discovery |
+| 2 | **Initial Access** (TA0001) | Gain entry | Exploiting web vulnerabilities, credential abuse |
+| 3 | **Execution** (TA0002) | Run attacker code | Server-side injection, client-side scripts |
+| 4 | **Persistence** (TA0003) | Maintain access | Backdoor accounts, webshells, modified code |
+| 5 | **Privilege Escalation** (TA0004) | Gain higher access | IDOR, broken access control, role manipulation |
+| 6 | **Credential Access** (TA0006) | Steal credentials | Session hijacking, credential stuffing, token theft |
+| 7 | **Collection** (TA0009) | Gather target data | Data scraping, API abuse, database extraction |
+| 8 | **Exfiltration** (TA0010) | Steal data out | API data export, DNS tunneling, file download |
+
+## Tactic 1: Reconnaissance
+
+| Technique | MITRE ID | Method | Detection |
+|-----------|----------|--------|-----------|
+| Technology fingerprinting | T1592 | HTTP headers, error pages, `/robots.txt`, `sitemap.xml` | Monitor unusual crawling patterns |
+| Endpoint enumeration | T1595.002 | Directory brute-force (`/admin`, `/api/v1/users`) | WAF rate limiting, 404 spike alerts |
+| JavaScript analysis | T1592.004 | Source map extraction, API endpoint discovery in JS | Remove source maps in production |
+| DNS enumeration | T1596.001 | Subdomain brute-force, certificate transparency logs | Monitor CT logs for your domains |
+| Social engineering recon | T1598 | Employee LinkedIn, GitHub commits with emails | Security awareness training |
+
+**Detection tools:** WAF logs, Cloudflare analytics, GoAccess, custom 404 rate alerts.
+
+## Tactic 2: Initial Access
+
+| Technique | MITRE ID | Method | Detection |
+|-----------|----------|--------|-----------|
+| SQL Injection | T1190 | `' OR 1=1--` in input fields, URL params | WAF SQL patterns, parameterized query audit |
+| XSS (Stored/Reflected) | T1190 | `<script>` in user input, reflected URL params | CSP violations, output encoding audit |
+| SSRF | T1190 | Internal URL in user-controlled params | Allowlist outbound requests, block RFC1918 |
+| Authentication bypass | T1078 | Default credentials, JWT none algorithm | Credential audit, JWT validation hardening |
+| API abuse | T1190 | Broken object-level authorization (BOLA) | Object-level access control audit |
+| File upload exploitation | T1190 | Webshell upload via image field | File type validation (magic bytes), upload isolation |
+| Dependency confusion | T1195.002 | Malicious package with internal name | Package namespace reservation, SBOM |
+
+**Detection tools:** ModSecurity/WAF rules, Burp Suite, OWASP ZAP, Semgrep.
+
+## Tactic 3: Execution
+
+| Technique | MITRE ID | Method | Detection |
+|-----------|----------|--------|-----------|
+| Server-side template injection (SSTI) | T1059 | `{{7*7}}` in template inputs | Input sanitization, sandbox templates |
+| OS command injection | T1059 | `; cat /etc/passwd` in shell-invoked params | Avoid `exec()`, use parameterized APIs |
+| Deserialization attacks | T1059 | Crafted serialized objects (Java, PHP, Python) | Avoid native deserialization, use JSON |
+| Server-side request forgery | T1059 | Trigger server to fetch attacker URLs | URL allowlisting, network segmentation |
+| Webshell execution | T1059.004 | PHP/JSP shell uploaded or injected | File integrity monitoring, webshell scanners |
+
+**Detection tools:** RASP (Runtime Application Self-Protection), file integrity monitoring, syscall auditing.
+
+## Tactic 4: Persistence
+
+| Technique | MITRE ID | Method | Detection |
+|-----------|----------|--------|-----------|
+| Backdoor admin account | T1136.001 | Create hidden admin via SQL injection or API | User account audit, alert on admin creation |
+| Webshell deployment | T1505.003 | Upload PHP/JSP file to web root | File integrity monitoring (AIDE, Tripwire) |
+| Scheduled task/cron | T1053 | Add cron job via command injection | Cron audit, immutable infrastructure |
+| Modified application code | T1554 | Inject backdoor into deployed code | Git integrity checks, signed deployments |
+| OAuth app installation | T1098.003 | Register malicious OAuth app with broad scopes | OAuth app audit, scope restriction policies |
+| Cookie/session manipulation | T1556 | Forge long-lived session tokens | Short session TTL, token rotation |
+
+**Detection tools:** Git diff monitoring, AIDE/Tripwire, deploy artifact checksums.
+
+## Tactic 5: Privilege Escalation
+
+| Technique | MITRE ID | Method | Detection |
+|-----------|----------|--------|-----------|
+| IDOR | T1548 | Change `user_id=123` to `user_id=456` in API | Object-level authorization on every endpoint |
+| Role parameter tampering | T1548 | `{"role": "admin"}` in registration payload | Server-side role assignment, ignore client role |
+| JWT manipulation | T1548 | Algorithm confusion (`none`, `HS256` vs `RS256`) | Strict algorithm validation, key management |
+| Path traversal | T1548 | `../../etc/passwd` in file parameters | Canonicalize paths, chroot file access |
+| GraphQL introspection abuse | T1548 | Discover admin mutations via schema introspection | Disable introspection in production |
+
+**Detection tools:** Authorization test suites, Burp Autorize plugin, custom IDOR scanners.
+
+## Tactic 6: Credential Access
+
+| Technique | MITRE ID | Method | Detection |
+|-----------|----------|--------|-----------|
+| Credential stuffing | T1110.004 | Automated login with breached credential lists | Rate limiting, CAPTCHA, breach detection |
+| Session hijacking | T1539 | XSS to steal `document.cookie` | HttpOnly + Secure flags, CSP |
+| Token theft from storage | T1552 | Access localStorage/sessionStorage via XSS | Use httpOnly cookies, not localStorage |
+| Password spraying | T1110.003 | Common passwords across many accounts | Account lockout, anomaly detection |
+| OAuth token theft | T1528 | Phishing redirect to attacker OAuth callback | Strict redirect URI validation |
+| API key extraction | T1552.001 | Keys in client-side JavaScript, git history | Server-side key management, git-secrets |
+
+**Detection tools:** Have I Been Pwned API, fail2ban, rate limiter middleware, git-secrets.
+
+## Detection Strategy Matrix
+
+| Layer | What to Monitor | Tools | Alert Threshold |
+|-------|----------------|-------|-----------------|
+| **Edge/CDN** | Request rate, geo anomalies, bot score | Cloudflare, AWS WAF | Rate > 100 req/s per IP |
+| **WAF** | SQL/XSS patterns, protocol violations | ModSecurity, AWS WAF | Any rule match on critical endpoints |
+| **Application** | Auth failures, IDOR attempts, input validation | Custom logging, RASP | > 5 auth failures per account/min |
+| **API Gateway** | Rate limits, schema violations, unusual patterns | Kong, AWS API GW | Schema violation on sensitive endpoints |
+| **Database** | Unusual queries, bulk data access, schema changes | Query logging, DBA alerts | > 1000 rows returned in single query |
+| **Infrastructure** | Outbound connections, file changes, new processes | OSSEC, Falco | Any unexpected outbound connection |
+
+## Attack Path Examples
+
+### Path 1: Data Exfiltration via IDOR
+
+```
+Recon (endpoint enumeration)
+  --> Initial Access (BOLA on GET /api/users/{id})
+    --> Collection (iterate all user IDs)
+      --> Exfiltration (bulk download via API)
+```
+
+Choke point: Object-level authorization on API endpoints.
+
+### Path 2: Webshell via File Upload
+
+```
+Recon (identify upload functionality)
+  --> Initial Access (upload PHP file as image)
+    --> Execution (access webshell URL)
+      --> Persistence (webshell remains on disk)
+        --> Privilege Escalation (server runs as www-data, pivot to root)
+```
+
+Choke point: File upload validation (magic bytes, extension, isolated storage).
+
+### Path 3: Account Takeover via XSS
+
+```
+Recon (find reflected XSS in search)
+  --> Initial Access (craft XSS payload URL)
+    --> Credential Access (steal session cookie)
+      --> Privilege Escalation (target is admin user)
+        --> Collection (access admin dashboard data)
+```
+
+Choke point: Content Security Policy + HttpOnly cookies.
+
+## Tools by Phase
+
+| Phase | Offensive Tool | Defensive Tool |
+|-------|---------------|----------------|
+| Reconnaissance | Amass, subfinder, httpx | Cloudflare, GoAccess |
+| Initial Access | Burp Suite, SQLMap, OWASP ZAP | ModSecurity, Semgrep |
+| Execution | Commix, tplmap | RASP, Falco |
+| Persistence | Weevely, webshell generators | AIDE, Tripwire, OSSEC |
+| Privilege Escalation | Autorize (Burp), custom scripts | Authorization test suites |
+| Credential Access | Hydra, Patator | fail2ban, rate limiters |
+| Exfiltration | Custom scripts, DNS tunneling | DLP, egress filtering |
+
+## Quick Reference: Top 10 Web App Detections to Implement
+
+1. Rate limit authentication endpoints (5 failures / minute / account)
+2. CSP header with report-uri (detect XSS attempts)
+3. WAF with OWASP Core Rule Set (broad coverage)
+4. File integrity monitoring on web root (detect webshells)
+5. Alert on admin account creation (detect backdoor accounts)
+6. Log and alert on authorization failures (detect IDOR)
+7. Monitor outbound connections from web servers (detect SSRF/exfil)
+8. Alert on bulk data access patterns (detect scraping/exfil)
+9. JWT validation with strict algorithm enforcement (detect token manipulation)
+10. Dependency vulnerability scanning in CI/CD (detect supply chain attacks)

package/departments/dev/skills/security-audit/SKILL.md

@@ -66,3 +66,7 @@ Permissions-Policy: camera=(), microphone=(), geolocation=()
 ### Summary: 1 critical, 1 high, 1 medium, 1 low
 ### Recommendation: BLOCK release until C1 and H1 resolved
 ```
+
+## References
+
+- [owasp-2025-deep.md](references/owasp-2025-deep.md) — OWASP Top 10 (2025) with vulnerable and fixed code examples, testing methodology, and tools