fengming 0.3.9 → 0.3.11

package/docs/reference/transcript-hygiene.md

@@ -1,214 +0,0 @@
----
-summary: "Reference: provider-specific transcript sanitization and repair rules"
-read_when:
-  - You are debugging provider request rejections tied to transcript shape
-  - You are changing transcript sanitization or tool-call repair logic
-  - You are investigating tool-call id mismatches across providers
-title: "Transcript hygiene"
----
-
-FengMing applies **provider-specific fixes** to transcripts before a run (building model context). Most of these are **in-memory** adjustments used to satisfy strict provider requirements. A separate session-file repair pass may also rewrite stored JSONL before the session is loaded, but only for malformed lines or persisted turns that are invalid durable records. Delivered assistant replies are preserved on disk; provider-specific assistant-prefill stripping happens only while constructing outbound payloads. When a repair occurs, the original file is written to a transient `*.bak-<pid>-<ts>` sibling before the atomic replace and removed once the replace succeeds; the backup is only retained if cleanup itself fails (in which case the path is reported back).
-
-Scope includes:
-
-- Runtime-only prompt context staying out of user-visible transcript turns
-- Tool call id sanitization
-- Tool call input validation
-- Tool result pairing repair
-- Turn validation / ordering
-- Thought signature cleanup
-- Thinking signature cleanup
-- Image payload sanitization
-- Blank text-block cleanup before provider replay
-- User-input provenance tagging (for inter-session routed prompts)
-- Empty assistant error-turn repair for Bedrock Converse replay
-
-If you need transcript storage details, see:
-
-- [Session management deep dive](/reference/session-management-compaction)
-
----
-
-## Global rule: runtime context is not user transcript
-
-Runtime/system context can be added to the model prompt for a turn, but it is
-not end-user-authored content. FengMing keeps a separate transcript-facing
-prompt body for Gateway replies, queued followups, ACP, CLI, and embedded FengMing
-runs. Stored visible user turns use that transcript body instead of the
-runtime-enriched prompt.
-
-For legacy sessions that already persisted runtime wrappers, Gateway history
-surfaces apply a display projection before returning messages to WebChat,
-TUI, REST, or SSE clients.
-
----
-
-## Where this runs
-
-All transcript hygiene is centralized in the embedded runner:
-
-- Policy selection: `src/agents/transcript-policy.ts`
-- Sanitization/repair application: `sanitizeSessionHistory` in `src/agents/embedded-agent-runner/replay-history.ts`
-
-The policy uses `provider`, `modelApi`, and `modelId` to decide what to apply.
-
-Separate from transcript hygiene, session files are repaired (if needed) before load:
-
-- `repairSessionFileIfNeeded` in `src/agents/session-file-repair.ts`
-- Called from `run/attempt.ts` and `compact.ts` (embedded runner)
-
----
-
-## Global rule: image sanitization
-
-Image payloads are always sanitized to prevent provider-side rejection due to size
-limits (downscale/recompress oversized base64 images).
-
-This also helps control image-driven token pressure for vision-capable models.
-Lower max dimensions generally reduce token usage; higher dimensions preserve detail.
-
-Implementation:
-
-- `sanitizeSessionMessagesImages` in `src/agents/embedded-agent-helpers/images.ts`
-- `sanitizeContentBlocksImages` in `src/agents/tool-images.ts`
-- Max image side is configurable via `agents.defaults.imageMaxDimensionPx` (default: `1200`).
-- Blank text blocks are removed while this pass walks replay content. Assistant
-  turns that become empty are dropped from the replay copy; user and tool-result
-  turns that become empty receive a non-empty omitted-content placeholder.
-
----
-
-## Global rule: malformed tool calls
-
-Assistant tool-call blocks that are missing both `input` and `arguments` are dropped
-before model context is built. This prevents provider rejections from partially
-persisted tool calls (for example, after a rate limit failure).
-
-Implementation:
-
-- `sanitizeToolCallInputs` in `src/agents/session-transcript-repair.ts`
-- Applied in `sanitizeSessionHistory` in `src/agents/embedded-agent-runner/replay-history.ts`
-
----
-
-## Global rule: inter-session input provenance
-
-When an agent sends a prompt into another session via `sessions_send` (including
-agent-to-agent reply/announce steps), FengMing persists the created user turn with:
-
-- `message.provenance.kind = "inter_session"`
-
-FengMing also prepends a same-turn `[Inter-session message ... isUser=false]`
-marker before the routed prompt text so the active model call can distinguish
-foreign session output from external end-user instructions. This marker includes
-the source session, channel, and tool when available. The transcript still uses
-`role: "user"` for provider compatibility, but the visible text and provenance
-metadata both mark the turn as inter-session data.
-
-During context rebuild, FengMing applies the same marker to older persisted
-inter-session user turns that only have provenance metadata.
-
----
-
-## Provider matrix (current behavior)
-
-**OpenAI / OpenAI Codex**
-
-- Image sanitization only.
-- Drop orphaned reasoning signatures (standalone reasoning items without a following content block) for OpenAI Responses/Codex transcripts, and drop replayable OpenAI reasoning after a model route switch.
-- Preserve replayable OpenAI Responses reasoning item payloads, including encrypted empty-summary items, so manual/WebSocket replay keeps required `rs_*` state paired with assistant output items.
-- Native ChatGPT Codex Responses follows Codex wire parity by replaying prior Responses reasoning/message/function payloads without prior item IDs while preserving session `prompt_cache_key`.
-- OpenAI Responses-family replay preserves canonical `call_*|fc_*` same-model reasoning pairs, but deterministically normalizes malformed or overlong `call_id` / function-call item ids before pi-ai payload conversion.
-- Tool result pairing repair may move real matched outputs and synthesize Codex-style `aborted` outputs for missing tool calls.
-- No turn validation or reordering.
-- Missing OpenAI Responses-family tool outputs are synthesized as `aborted` to match Codex replay normalization.
-- No thought signature stripping.
-
-**OpenAI-compatible Chat Completions**
-
-- Historical assistant thinking/reasoning blocks are stripped before replay so
-  local and proxy-style OpenAI-compatible servers do not receive prior-turn
-  reasoning fields such as `reasoning` or `reasoning_content`.
-- Current same-turn tool-call continuations keep the assistant reasoning block
-  attached to the tool call until the tool result has been replayed.
-- Provider-owned exceptions can opt out when their wire protocol requires
-  replayed reasoning metadata.
-
-**Google (Generative AI / Gemini CLI / Antigravity)**
-
-- Tool call id sanitization: strict alphanumeric.
-- Tool result pairing repair and synthetic tool results.
-- Turn validation (Gemini-style turn alternation).
-- Google turn ordering fixup (prepend a tiny user bootstrap if history starts with assistant).
-- Antigravity Claude: normalize thinking signatures; drop unsigned thinking blocks.
-
-**Anthropic / Minimax (Anthropic-compatible)**
-
-- Tool result pairing repair and synthetic tool results.
-- Turn validation (merge consecutive user turns to satisfy strict alternation).
-- Trailing assistant prefill turns are stripped from outgoing Anthropic Messages
-  payloads when thinking is enabled, including Cloudflare AI Gateway routes.
-- Thinking blocks with missing, empty, or blank replay signatures are stripped
-  before provider conversion. If that empties an assistant turn, FengMing keeps
-  turn shape with non-empty omitted-reasoning text.
-- Older thinking-only assistant turns that must be stripped are replaced with
-  non-empty omitted-reasoning text so provider adapters do not drop the replay
-  turn.
-
-**Amazon Bedrock (Converse API)**
-
-- Empty assistant stream-error turns are repaired to a non-empty fallback text block
-  before replay. Bedrock Converse rejects assistant messages with `content: []`, so
-  persisted assistant turns with `stopReason: "error"` and empty content are also
-  repaired on disk before load.
-- Assistant stream-error turns that contain only blank text blocks are dropped
-  from the in-memory replay copy instead of replaying an invalid blank block.
-- Claude thinking blocks with missing, empty, or blank replay signatures are
-  stripped before Converse replay. If that empties an assistant turn, FengMing
-  keeps turn shape with non-empty omitted-reasoning text.
-- Older thinking-only assistant turns that must be stripped are replaced with
-  non-empty omitted-reasoning text so the Converse replay keeps strict turn shape.
-- Replay filters FengMing delivery-mirror and gateway-injected assistant turns.
-- Image sanitization applies through the global rule.
-
-**Mistral (including model-id based detection)**
-
-- Tool call id sanitization: strict9 (alphanumeric length 9).
-
-**OpenRouter Gemini**
-
-- Thought signature cleanup: strip non-base64 `thought_signature` values (keep base64).
-
-**OpenRouter Anthropic**
-
-- Trailing assistant prefill turns are stripped from verified OpenRouter
-  OpenAI-compatible Anthropic model payloads when reasoning is enabled, matching
-  direct Anthropic and Cloudflare Anthropic replay behavior.
-
-**Everything else**
-
-- Image sanitization only.
-
----
-
-## Historical behavior (pre-2026.1.22)
-
-Before the 2026.1.22 release, FengMing applied multiple layers of transcript hygiene:
-
-- A **transcript-sanitize extension** ran on every context build and could:
-  - Repair tool use/result pairing.
-  - Sanitize tool call ids (including a non-strict mode that preserved `_`/`-`).
-- The runner also performed provider-specific sanitization, which duplicated work.
-- Additional mutations occurred outside the provider policy, including:
-  - Stripping `<final>` tags from assistant text before persistence.
-  - Dropping empty assistant error turns.
-  - Trimming assistant content after tool calls.
-
-This complexity caused cross-provider regressions (notably `openai-responses`
-`call_id|fc_id` pairing). The 2026.1.22 cleanup removed the extension, centralized
-logic in the runner, and made OpenAI **no-touch** beyond image sanitization.
-
-## Related
-
-- [Session management](/concepts/session)
-- [Session pruning](/concepts/session-pruning)

package/docs/reference/wizard.md

@@ -1,252 +0,0 @@
----
-summary: "Full reference for CLI onboarding: every step, flag, and config field"
-read_when:
-  - Looking up a specific onboarding step or flag
-  - Automating onboarding with non-interactive mode
-  - Debugging onboarding behavior
-title: "Onboarding reference"
-sidebarTitle: "Onboarding Reference"
----
-
-This is the full reference for `fengming onboard`.
-For a high-level overview, see [Onboarding (CLI)](/start/wizard).
-
-## Flow details (local mode)
-
-<Steps>
-  <Step title="Existing config detection">
-    - If `~/.fengming/fengming.json` exists, choose **Keep current values**, **Review and update**, or **Reset before setup**.
-    - Re-running onboarding does **not** wipe anything unless you explicitly choose **Reset**
-      (or pass `--reset`).
-    - CLI `--reset` defaults to `config+creds+sessions`; use `--reset-scope full`
-      to also remove workspace.
-    - If the config is invalid or contains legacy keys, the wizard stops and asks
-      you to run `fengming doctor` before continuing.
-    - Reset uses `trash` (never `rm`) and offers scopes:
-      - Config only
-      - Config + credentials + sessions
-      - Full reset (also removes workspace)
-
-  </Step>
-  <Step title="Model/Auth">
-    - **Anthropic API key**: uses `ANTHROPIC_API_KEY` if present or prompts for a key, then saves it for daemon use.
-    - **Anthropic API key**: preferred Anthropic assistant choice in onboarding/configure.
-    - **Anthropic setup-token**: still available in onboarding/configure, though FengMing now prefers Claude CLI reuse when available.
-    - **OpenAI Code (Codex) subscription (OAuth)**: browser flow; paste the `code#state`.
-      - Sets `agents.defaults.model` to `openai/gpt-5.5` through the Codex runtime when model is unset or already OpenAI-family.
-    - **OpenAI Code (Codex) subscription (device pairing)**: browser pairing flow with a short-lived device code.
-      - Sets `agents.defaults.model` to `openai/gpt-5.5` through the Codex runtime when model is unset or already OpenAI-family.
-    - **OpenAI API key**: uses `OPENAI_API_KEY` if present or prompts for a key, then stores it in auth profiles.
-      - Sets `agents.defaults.model` to `openai/gpt-5.5` when model is unset, `openai/*`, or `openai-codex/*`.
-    - **xAI (Grok) OAuth / API key**: signs in with xAI OAuth when chosen, or prompts for `XAI_API_KEY` on the API-key path, and configures xAI as a model provider.
-    - **OpenCode**: prompts for `OPENCODE_API_KEY` (or `OPENCODE_ZEN_API_KEY`, get it at https://opencode.ai/auth) and lets you pick the Zen or Go catalog.
-    - **Ollama**: offers **Cloud + Local**, **Cloud only**, or **Local only** first. `Cloud only` prompts for `OLLAMA_API_KEY` and uses `https://ollama.com`; the host-backed modes prompt for the Ollama base URL, discover available models, and auto-pull the selected local model when needed; `Cloud + Local` also checks whether that Ollama host is signed in for cloud access.
-    - More detail: [Ollama](/providers/ollama)
-    - **API key**: stores the key for you.
-    - **Vercel AI Gateway (multi-model proxy)**: prompts for `AI_GATEWAY_API_KEY`.
-    - More detail: [Vercel AI Gateway](/providers/vercel-ai-gateway)
-    - **Cloudflare AI Gateway**: prompts for Account ID, Gateway ID, and `CLOUDFLARE_AI_GATEWAY_API_KEY`.
-    - More detail: [Cloudflare AI Gateway](/providers/cloudflare-ai-gateway)
-    - **MiniMax**: config is auto-written; hosted default is `MiniMax-M2.7`.
-      API-key setup uses `minimax/...`, and OAuth setup uses
-      `minimax-portal/...`.
-    - More detail: [MiniMax](/providers/minimax)
-    - **StepFun**: config is auto-written for StepFun standard or Step Plan on China or global endpoints.
-    - Standard currently includes `step-3.5-flash`, and Step Plan also includes `step-3.5-flash-2603`.
-    - More detail: [StepFun](/providers/stepfun)
-    - **Synthetic (Anthropic-compatible)**: prompts for `SYNTHETIC_API_KEY`.
-    - More detail: [Synthetic](/providers/synthetic)
-    - **Moonshot (Kimi K2)**: config is auto-written.
-    - **Kimi Coding**: config is auto-written.
-    - More detail: [Moonshot AI (Kimi + Kimi Coding)](/providers/moonshot)
-    - **Skip**: no auth configured yet.
-    - Pick a default model from detected options (or enter provider/model manually). For best quality and lower prompt-injection risk, choose the strongest latest-generation model available in your provider stack.
-    - Onboarding runs a model check and warns if the configured model is unknown or missing auth.
-    - API key storage mode defaults to plaintext auth-profile values. Use `--secret-input-mode ref` to store env-backed refs instead (for example `keyRef: { source: "env", provider: "default", id: "OPENAI_API_KEY" }`).
-    - Auth profiles live in `~/.fengming/agents/<agentId>/agent/auth-profiles.json` (API keys + OAuth). `~/.fengming/credentials/oauth.json` is legacy import-only.
-    - More detail: [/concepts/oauth](/concepts/oauth)
-    <Note>
-    Headless/server tip: complete OAuth on a machine with a browser, then copy
-    that agent's `auth-profiles.json` (for example
-    `~/.fengming/agents/<agentId>/agent/auth-profiles.json`, or the matching
-    `$FENGMING_STATE_DIR/...` path) to the gateway host. `credentials/oauth.json`
-    is only a legacy import source.
-    </Note>
-  </Step>
-  <Step title="Workspace">
-    - Default `~/.fengming/workspace` (configurable).
-    - Seeds the workspace files needed for the agent bootstrap ritual.
-    - Full workspace layout + backup guide: [Agent workspace](/concepts/agent-workspace)
-
-  </Step>
-  <Step title="Gateway">
-    - Port, bind, auth mode, tailscale exposure.
-    - Auth recommendation: keep **Token** even for loopback so local WS clients must authenticate.
-    - In token mode, interactive setup offers:
-      - **Generate/store plaintext token** (default)
-      - **Use SecretRef** (opt-in)
-      - Quickstart reuses existing `gateway.auth.token` SecretRefs across `env`, `file`, and `exec` providers for onboarding probe/dashboard bootstrap.
-      - If that SecretRef is configured but cannot be resolved, onboarding fails early with a clear fix message instead of silently degrading runtime auth.
-    - In password mode, interactive setup also supports plaintext or SecretRef storage.
-    - Non-interactive token SecretRef path: `--gateway-token-ref-env <ENV_VAR>`.
-      - Requires a non-empty env var in the onboarding process environment.
-      - Cannot be combined with `--gateway-token`.
-    - Disable auth only if you fully trust every local process.
-    - Non-loopback binds still require auth.
-
-  </Step>
-  <Step title="Channels">
-    - [WhatsApp](/channels/whatsapp): optional QR login.
-    - [Telegram](/channels/telegram): bot token.
-    - [Discord](/channels/discord): bot token.
-    - [Google Chat](/channels/googlechat): service account JSON + webhook audience.
-    - [Mattermost](/channels/mattermost) (plugin): bot token + base URL.
-    - [Signal](/channels/signal): optional `signal-cli` install + account config.
-    - [iMessage](/channels/imessage): `imsg` CLI path + Messages DB access; use an SSH wrapper when the Gateway runs off-Mac.
-    - DM security: default is pairing. First DM sends a code; approve via `fengming pairing approve <channel> <code>` or use allowlists.
-
-  </Step>
-  <Step title="Web search">
-    - Pick a supported provider such as Brave, DuckDuckGo, Exa, Firecrawl, Gemini, Grok, Kimi, MiniMax Search, Ollama Web Search, Perplexity, SearXNG, or Tavily (or skip).
-    - API-backed providers can use env vars or existing config for quick setup; key-free providers use their provider-specific prerequisites instead.
-    - Skip with `--skip-search`.
-    - Configure later: `fengming configure --section web`.
-
-  </Step>
-  <Step title="Daemon install">
-    - macOS: LaunchAgent
-      - Requires a logged-in user session; for headless, use a custom LaunchDaemon (not shipped).
-    - Linux (and Windows via WSL2): systemd user unit
-      - Onboarding attempts to enable lingering via `loginctl enable-linger <user>` so the Gateway stays up after logout.
-      - May prompt for sudo (writes `/var/lib/systemd/linger`); it tries without sudo first.
-    - **Runtime selection:** Node (recommended; required for WhatsApp/Telegram). Bun is **not recommended**.
-    - If token auth requires a token and `gateway.auth.token` is SecretRef-managed, daemon install validates it but does not persist resolved plaintext token values into supervisor service environment metadata.
-    - If token auth requires a token and the configured token SecretRef is unresolved, daemon install is blocked with actionable guidance.
-    - If both `gateway.auth.token` and `gateway.auth.password` are configured and `gateway.auth.mode` is unset, daemon install is blocked until mode is set explicitly.
-
-  </Step>
-  <Step title="Health check">
-    - Starts the Gateway (if needed) and runs `fengming health`.
-    - Tip: `fengming status --deep` adds the live gateway health probe to status output, including channel probes when supported (requires a reachable gateway).
-
-  </Step>
-  <Step title="Skills (recommended)">
-    - Reads the available skills and checks requirements.
-    - Lets you choose a node manager: **npm / pnpm** (bun not recommended).
-    - Installs optional dependencies (some use Homebrew on macOS).
-
-  </Step>
-  <Step title="Finish">
-    - Summary + next steps, including the **How do you want to hatch your agent?** prompt for Terminal, Browser, or later.
-
-  </Step>
-</Steps>
-
-<Note>
-If no GUI is detected, onboarding prints SSH port-forward instructions for the Control UI instead of opening a browser.
-If the Control UI assets are missing, onboarding attempts to build them; fallback is `pnpm ui:build` (auto-installs UI deps).
-</Note>
-
-## Non-interactive mode
-
-Use `--non-interactive` to automate or script onboarding:
-
-```bash
-fengming onboard --non-interactive \
-  --mode local \
-  --auth-choice apiKey \
-  --anthropic-api-key "$ANTHROPIC_API_KEY" \
-  --gateway-port 18789 \
-  --gateway-bind loopback \
-  --install-daemon \
-  --daemon-runtime node \
-  --skip-skills
-```
-
-Add `--json` for a machine-readable summary.
-
-Gateway token SecretRef in non-interactive mode:
-
-```bash
-export FENGMING_GATEWAY_TOKEN="your-token"
-fengming onboard --non-interactive \
-  --mode local \
-  --auth-choice skip \
-  --gateway-auth token \
-  --gateway-token-ref-env FENGMING_GATEWAY_TOKEN
-```
-
-`--gateway-token` and `--gateway-token-ref-env` are mutually exclusive.
-
-<Note>
-`--json` does **not** imply non-interactive mode. Use `--non-interactive` (and `--workspace`) for scripts.
-</Note>
-
-Provider-specific command examples live in [CLI Automation](/start/wizard-cli-automation#provider-specific-examples).
-Use this reference page for flag semantics and step ordering.
-
-### Add agent (non-interactive)
-
-```bash
-fengming agents add work \
-  --workspace ~/.fengming/workspace-work \
-  --model openai/gpt-5.5 \
-  --bind whatsapp:biz \
-  --non-interactive \
-  --json
-```
-
-## Gateway wizard RPC
-
-The Gateway exposes the onboarding flow over RPC (`wizard.start`, `wizard.next`, `wizard.cancel`, `wizard.status`).
-Clients (macOS app, Control UI) can render steps without re-implementing onboarding logic.
-
-## Signal setup (signal-cli)
-
-Onboarding can install `signal-cli` from GitHub releases:
-
-- Downloads the appropriate release asset.
-- Stores it under `~/.fengming/tools/signal-cli/<version>/`.
-- Writes `channels.signal.cliPath` to your config.
-
-Notes:
-
-- JVM builds require **Java 21**.
-- Native builds are used when available.
-- Windows uses WSL2; signal-cli install follows the Linux flow inside WSL.
-
-## What the wizard writes
-
-Typical fields in `~/.fengming/fengming.json`:
-
-- `agents.defaults.workspace`
-- `agents.defaults.model` / `models.providers` (if Minimax chosen)
-- `tools.profile` (local onboarding defaults to `"coding"` when unset; existing explicit values are preserved)
-- `gateway.*` (mode, bind, auth, tailscale)
-- `session.dmScope` (behavior details: [CLI Setup Reference](/start/wizard-cli-reference#outputs-and-internals))
-- `channels.telegram.botToken`, `channels.discord.token`, `channels.matrix.*`, `channels.signal.*`, `channels.imessage.*`
-- Channel allowlists (Slack/Discord/Matrix/Microsoft Teams) when you opt in during the prompts (names resolve to IDs when possible).
-- `skills.install.nodeManager`
-  - `setup --node-manager` accepts `npm`, `pnpm`, or `bun`.
-  - Manual config can still use `yarn` by setting `skills.install.nodeManager` directly.
-- `wizard.lastRunAt`
-- `wizard.lastRunVersion`
-- `wizard.lastRunCommit`
-- `wizard.lastRunCommand`
-- `wizard.lastRunMode`
-
-`fengming agents add` writes `agents.list[]` and optional `bindings`.
-
-WhatsApp credentials go under `~/.fengming/credentials/whatsapp/<accountId>/`.
-Sessions are stored under `~/.fengming/agents/<agentId>/sessions/`.
-
-Some channels are delivered as plugins. When you pick one during setup, onboarding
-will prompt to install it (npm or a local path) before it can be configured.
-
-## Related docs
-
-- Onboarding overview: [Onboarding (CLI)](/start/wizard)
-- macOS app onboarding: [Onboarding](/start/onboarding)
-- Config reference: [Gateway configuration](/gateway/configuration)
-- Providers: [WhatsApp](/channels/whatsapp), [Telegram](/channels/telegram), [Discord](/channels/discord), [Google Chat](/channels/googlechat), [Signal](/channels/signal), [iMessage](/channels/imessage)
-- Skills: [Skills](/tools/skills), [Skills config](/tools/skills-config)

package/docs/security/CONTRIBUTING-THREAT-MODEL.md

@@ -1,101 +0,0 @@
----
-summary: "How to contribute to the FengMing threat model"
-title: "Contributing to the threat model"
-read_when:
-  - You want to contribute security findings or threat scenarios
-  - Reviewing or updating the threat model
----
-
-Thanks for helping make FengMing more secure. This threat model is a living document and we welcome contributions from anyone - you don't need to be a security expert.
-
-## Ways to contribute
-
-### Add a threat
-
-Spotted an attack vector or risk we haven't covered? Open an issue on [fengming/trust](https://github.com/fengming/trust/issues) and describe it in your own words. You don't need to know any frameworks or fill in every field - just describe the scenario.
-
-**Helpful to include (but not required):**
-
-- The attack scenario and how it could be exploited
-- Which parts of FengMing are affected (CLI, gateway, channels, ClawHub, MCP servers, etc.)
-- How severe you think it is (low / medium / high / critical)
-- Any links to related research, CVEs, or real-world examples
-
-We'll handle the ATLAS mapping, threat IDs, and risk assessment during review. If you want to include those details, great - but it's not expected.
-
-> **This is for adding to the threat model, not reporting live vulnerabilities.** If you've found an exploitable vulnerability, see our [Trust page](https://trust.fengming.ai) for responsible disclosure instructions.
-
-### Suggest a mitigation
-
-Have an idea for how to address an existing threat? Open an issue or PR referencing the threat. Useful mitigations are specific and actionable - for example, "per-sender rate limiting of 10 messages/minute at the gateway" is better than "implement rate limiting."
-
-### Propose an attack chain
-
-Attack chains show how multiple threats combine into a realistic attack scenario. If you see a dangerous combination, describe the steps and how an attacker would chain them together. A short narrative of how the attack unfolds in practice is more valuable than a formal template.
-
-### Fix or improve existing content
-
-Typos, clarifications, outdated info, better examples - PRs welcome, no issue needed.
-
-## What we use
-
-### MITRE ATLAS framework
-
-This threat model is built on [MITRE ATLAS](https://atlas.mitre.org/) (Adversarial Threat Landscape for AI Systems), a framework designed specifically for AI/ML threats like prompt injection, tool misuse, and agent exploitation. You don't need to know ATLAS to contribute - we map submissions to the framework during review.
-
-### Threat ids
-
-Each threat gets an ID like `T-EXEC-003`. The categories are:
-
-| Code    | Category                                   |
-| ------- | ------------------------------------------ |
-| RECON   | Reconnaissance - information gathering     |
-| ACCESS  | Initial access - gaining entry             |
-| EXEC    | Execution - running malicious actions      |
-| PERSIST | Persistence - maintaining access           |
-| EVADE   | Defense evasion - avoiding detection       |
-| DISC    | Discovery - learning about the environment |
-| EXFIL   | Exfiltration - stealing data               |
-| IMPACT  | Impact - damage or disruption              |
-
-IDs are assigned by maintainers during review. You don't need to pick one.
-
-### Risk levels
-
-| Level        | Meaning                                                           |
-| ------------ | ----------------------------------------------------------------- |
-| **Critical** | Full system compromise, or high likelihood + critical impact      |
-| **High**     | Significant damage likely, or medium likelihood + critical impact |
-| **Medium**   | Moderate risk, or low likelihood + high impact                    |
-| **Low**      | Unlikely and limited impact                                       |
-
-If you're unsure about the risk level, just describe the impact and we'll assess it.
-
-## Review process
-
-1. **Triage** - We review new submissions within 48 hours
-2. **Assessment** - We verify feasibility, assign ATLAS mapping and threat ID, validate risk level
-3. **Documentation** - We ensure everything is formatted and complete
-4. **Merge** - Added to the threat model and visualization
-
-## Resources
-
-- [ATLAS Website](https://atlas.mitre.org/)
-- [ATLAS Techniques](https://atlas.mitre.org/techniques/)
-- [ATLAS Case Studies](https://atlas.mitre.org/studies/)
-- [FengMing Threat Model](/security/THREAT-MODEL-ATLAS)
-
-## Contact
-
-- **Security vulnerabilities:** See our [Trust page](https://trust.fengming.ai) for reporting instructions
-- **Threat model questions:** Open an issue on [fengming/trust](https://github.com/fengming/trust/issues)
-- **General chat:** Discord #security channel
-
-## Recognition
-
-Contributors to the threat model are recognized in the threat model acknowledgments, release notes, and the FengMing security hall of fame for significant contributions.
-
-## Related
-
-- [Threat model](/security/THREAT-MODEL-ATLAS)
-- [Formal verification](/security/formal-verification)