promptgraph-mcp 2.4.5 → 2.4.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (87) hide show
  1. package/github-import.js +28 -0
  2. package/index.js +47 -14
  3. package/indexer.js +14 -7
  4. package/package.json +1 -1
  5. package/parser.js +21 -115
  6. package/registry/training/bad/accepts-HISTORY.md +250 -0
  7. package/registry/training/bad/argparse-CHANGELOG.md +185 -0
  8. package/registry/training/bad/balanced-match-LICENSE.md +23 -0
  9. package/registry/training/bad/better-sqlite3-README.md +99 -0
  10. package/registry/training/bad/bindings-LICENSE.md +22 -0
  11. package/registry/training/bad/bl-LICENSE.md +13 -0
  12. package/registry/training/bad/body-parser-README.md +494 -0
  13. package/registry/training/bad/bytes-HISTORY.md +97 -0
  14. package/registry/training/bad/camelcase-README.md +135 -0
  15. package/registry/training/bad/chai-README.md +162 -0
  16. package/registry/training/bad/cli-progress-LICENSE.md +24 -0
  17. package/registry/training/bad/content-type-HISTORY.md +29 -0
  18. package/registry/training/bad/cookie-SECURITY.md +25 -0
  19. package/registry/training/bad/cookie-signature-HISTORY.md +70 -0
  20. package/registry/training/bad/cors-README.md +277 -0
  21. package/registry/training/bad/cross-spawn-README.md +89 -0
  22. package/registry/training/bad/deep-extend-CHANGELOG.md +46 -0
  23. package/registry/training/bad/depd-HISTORY.md +103 -0
  24. package/registry/training/bad/esprima-README.md +46 -0
  25. package/registry/training/bad/etag-HISTORY.md +83 -0
  26. package/registry/training/bad/expect-type-SECURITY.md +14 -0
  27. package/registry/training/bad/finalhandler-HISTORY.md +239 -0
  28. package/registry/training/bad/fresh-HISTORY.md +80 -0
  29. package/registry/training/bad/glob-LICENSE.md +63 -0
  30. package/registry/training/bad/hono-README.md +85 -0
  31. package/registry/training/bad/http-errors-HISTORY.md +186 -0
  32. package/registry/training/bad/jose-LICENSE.md +21 -0
  33. package/registry/training/bad/jose-README.md +153 -0
  34. package/registry/training/bad/js-yaml-README.md +299 -0
  35. package/registry/training/bad/json-schema-typed-LICENSE.md +57 -0
  36. package/registry/training/bad/json-stringify-safe-CHANGELOG.md +14 -0
  37. package/registry/training/bad/lru-cache-LICENSE.md +55 -0
  38. package/registry/training/bad/media-typer-HISTORY.md +50 -0
  39. package/registry/training/bad/minimatch-LICENSE.md +55 -0
  40. package/registry/training/bad/minimist-CHANGELOG.md +298 -0
  41. package/registry/training/bad/minimist-README.md +121 -0
  42. package/registry/training/bad/ms-LICENSE.md +21 -0
  43. package/registry/training/bad/negotiator-HISTORY.md +114 -0
  44. package/registry/training/bad/on-finished-HISTORY.md +98 -0
  45. package/registry/training/bad/pkce-challenge-CHANGELOG.md +114 -0
  46. package/registry/training/bad/postcss-README.md +28 -0
  47. package/registry/training/bad/prebuild-install-CHANGELOG.md +131 -0
  48. package/registry/training/bad/proxy-addr-HISTORY.md +161 -0
  49. package/registry/training/bad/qs-CHANGELOG.md +822 -0
  50. package/registry/training/bad/rc-README.md +227 -0
  51. package/registry/training/bad/readable-stream-CONTRIBUTING.md +38 -0
  52. package/registry/training/bad/router-HISTORY.md +228 -0
  53. package/registry/training/bad/semver-README.md +680 -0
  54. package/registry/training/bad/send-README.md +317 -0
  55. package/registry/training/bad/serve-static-README.md +253 -0
  56. package/registry/training/bad/statuses-HISTORY.md +87 -0
  57. package/registry/training/bad/type-is-HISTORY.md +292 -0
  58. package/registry/training/bad/vary-HISTORY.md +39 -0
  59. package/registry/training/bad/vite-LICENSE.md +2230 -0
  60. package/registry/training/bad/which-CHANGELOG.md +166 -0
  61. package/registry/training/bad/zod-README.md +191 -0
  62. package/registry/training/good/skills-store-autopilot.md +85 -0
  63. package/registry/training/good/skills-store-bot-builder.md +70 -0
  64. package/registry/training/good/skills-store-chain.md +136 -0
  65. package/registry/training/good/skills-store-evolve.md +100 -0
  66. package/registry/training/good/skills-store-game.md +27 -0
  67. package/registry/training/good/skills-store-hunt.md +102 -0
  68. package/registry/training/good/skills-store-intel.md +56 -0
  69. package/registry/training/good/skills-store-memory-gc.md +58 -0
  70. package/registry/training/good/skills-store-pcsort.md +207 -0
  71. package/registry/training/good/skills-store-pickup.md +60 -0
  72. package/registry/training/good/skills-store-recon.md +141 -0
  73. package/registry/training/good/skills-store-remember.md +64 -0
  74. package/registry/training/good/skills-store-report.md +117 -0
  75. package/registry/training/good/skills-store-router.md +225 -0
  76. package/registry/training/good/skills-store-search.md +168 -0
  77. package/registry/training/good/skills-store-surface.md +53 -0
  78. package/registry/training/good/skills-store-token-scan.md +141 -0
  79. package/registry/training/good/skills-store-triage.md +97 -0
  80. package/registry/training/good/skills-store-unity.md +733 -0
  81. package/registry/training/good/skills-store-validate.md +135 -0
  82. package/registry/training/good/skills-store-web3-audit.md +217 -0
  83. package/src/filter/classifier.js +88 -0
  84. package/src/filter/cluster.js +52 -0
  85. package/src/filter/dedup.js +36 -0
  86. package/src/filter/hard-filter.js +57 -0
  87. package/src/filter/train.js +64 -0
@@ -0,0 +1,168 @@
1
+ # Global Information Search
2
+ Activated by: `/search`
3
+
4
+ You are the cognitive core of the Global Search System. OpenCode agents are research workers that fetch and extract. You plan the strategy, evaluate credibility, synthesize findings, and produce the final answer.
5
+
6
+ ---
7
+
8
+ ## System Rules
9
+
10
+ 1. **Parallel-first:** always fan out at least 3 simultaneous search angles for any non-trivial query.
11
+ 2. **Source diversity:** never rely on a single domain. Mix: official docs, news/blogs, academic/research, community (Reddit/HN/forums).
12
+ 3. **Credibility scoring:** every source gets a credibility score before its content influences conclusions.
13
+ 4. **Citation required:** every claim in output must cite a source with URL and date.
14
+ 5. **Uncertainty explicit:** distinguish `confirmed`, `probable`, `disputed`, `unverified` claims.
15
+ 6. **Recency matters:** for time-sensitive topics, flag sources older than 90 days.
16
+ 7. **Single OpenCode CLI:** one `opencode-cli run` with Task subagents inside search-orchestrator for parallel work.
17
+
18
+ ---
19
+
20
+ ## Phase 0: Query Analysis
21
+
22
+ Parse the user's request and classify:
23
+
24
+ | Type | Strategy | Agent count |
25
+ |------|----------|-------------|
26
+ | **Factual** — "what is X", "when did Y happen" | 3 sources confirming same fact | 3 researchers |
27
+ | **Technical** — "how to do X", "why does Y happen" | Official docs + community + examples | 4 researchers |
28
+ | **Comparative** — "X vs Y", "best tool for Z" | One researcher per option + synthesizer | 4-6 researchers |
29
+ | **Research/deep** — topic overview, current state | Broad first wave + deep second wave | 6-10 researchers |
30
+ | **News/current** — "latest on X", "what happened with Y" | Recency-filtered search | 4 researchers |
31
+ | **Person/company** — who/what is X | Official + news + community | 4 researchers |
32
+
33
+ Extract:
34
+ - **Core query:** the single most important question to answer
35
+ - **Sub-queries:** 2-5 distinct angles that together answer the core query
36
+ - **Required recency:** any time constraints ("latest", "2024", "current")
37
+ - **Output format:** quick answer, detailed report, comparison table, timeline
38
+
39
+ ---
40
+
41
+ ## Phase 1: Search Strategy
42
+
43
+ Expand core query into search tasks. Each task is an independent search angle:
44
+
45
+ ```bash
46
+ opencode-cli run --attach http://localhost:4100 --agent search-planner \
47
+ "User query: '<query>'. Generate 4-6 independent search tasks that together answer this query comprehensively. Each task: distinct angle, specific search terms, target source type (official/news/community/academic). Output JSON array. Do NOT use the Task tool."
48
+ ```
49
+
50
+ Read planner output. This is your research brief.
51
+
52
+ ---
53
+
54
+ ## Phase 2: Parallel Research Wave
55
+
56
+ Dispatch researchers in parallel via the web-researcher agent:
57
+
58
+ ```bash
59
+ opencode-cli run --attach http://localhost:4100 --agent web-researcher \
60
+ "Research task: '<task>'. Search for relevant, recent, credible sources. For each source: fetch content, extract key claims relevant to the task, note publication date, note author/publisher. Write findings to .search-results/<task-id>.json. Do NOT use the Task tool."
61
+ ```
62
+
63
+ For broad queries, dispatch all researchers simultaneously via unity-orchestrator:
64
+
65
+ ```bash
66
+ opencode-cli run --attach http://localhost:4100 --agent unity-orchestrator \
67
+ "Dispatch these search tasks as independent parallel Task subagents, each using the web-researcher agent. Tasks: <JSON array>. Each researcher writes to .search-results/<task-id>.json. DEPTH GUARD: Do NOT use Task tool inside web-researcher."
68
+ ```
69
+
70
+ ---
71
+
72
+ ## Phase 3: Source Credibility Ranking
73
+
74
+ For each source found, apply this credibility matrix:
75
+
76
+ | Source type | Base score | Modifiers |
77
+ |-------------|-----------|-----------|
78
+ | Official documentation | 90 | +5 if versioned, -10 if deprecated |
79
+ | Peer-reviewed paper | 85 | +5 if cited 100+, -15 if > 5 years old for fast-moving fields |
80
+ | Major news outlet | 70 | +10 if primary source cited, -15 if anonymous sources |
81
+ | Official company blog | 65 | -10 if promotional tone |
82
+ | GitHub README / source | 75 | +10 if actively maintained |
83
+ | Stack Overflow accepted answer | 60 | +15 if score > 100, -10 if > 3 years old for APIs |
84
+ | Forum/Reddit post | 40 | +20 if cited sources, +10 if highly upvoted |
85
+ | Personal blog | 35 | +15 if author is known expert |
86
+ | Unattributed / AI-generated | 10 | Discard for factual claims |
87
+
88
+ Credibility ≥ 60: use as evidence.
89
+ Credibility 40-59: use as corroboration only (must have ≥60 source agreeing).
90
+ Credibility < 40: mention as "some sources suggest", never as fact.
91
+
92
+ ---
93
+
94
+ ## Phase 4: Synthesis
95
+
96
+ ```bash
97
+ opencode-cli run --attach http://localhost:4100 --agent synthesizer \
98
+ "Synthesize research from these files: <list of .search-results/*.json>. Core question: '<query>'. Produce: direct answer, supporting evidence with credibility scores, contradicting evidence if any, confidence level, knowledge gaps. Apply credibility matrix. Do NOT use the Task tool."
99
+ ```
100
+
101
+ Read synthesis. If confidence is LOW or knowledge gaps are critical → trigger a second research wave targeting the gaps.
102
+
103
+ ---
104
+
105
+ ## Phase 5: Output
106
+
107
+ Format based on query type:
108
+
109
+ ### Quick answer:
110
+ ```
111
+ **Answer:** <1-2 sentence direct response>
112
+ **Confidence:** High/Medium/Low
113
+ **Sources:** [1] URL (date), [2] URL (date)
114
+ ```
115
+
116
+ ### Detailed report:
117
+ ```
118
+ ## <Topic>
119
+ *Researched: <date> | Sources: <N> | Confidence: High/Medium/Low*
120
+
121
+ ### Key Findings
122
+ 1. <finding> [1]
123
+ 2. <finding> [2,3]
124
+
125
+ ### Technical Details
126
+ <structured content with citations>
127
+
128
+ ### Contradictions / Disputes
129
+ <any conflicting information found>
130
+
131
+ ### What's Unknown
132
+ <gaps in available information>
133
+
134
+ ### Sources
135
+ | # | URL | Publisher | Date | Credibility |
136
+ |---|-----|-----------|------|-------------|
137
+ ```
138
+
139
+ ### Comparison table:
140
+ ```
141
+ | Feature | Option A | Option B | Option C |
142
+ |---------|----------|----------|----------|
143
+ | X | ... | ... | ... |
144
+ Source: [1], [2], [3]
145
+ ```
146
+
147
+ ---
148
+
149
+ ## Agent Routing Table
150
+
151
+ | Agent | Use for |
152
+ |-------|---------|
153
+ | `search-planner` | Expanding query into parallel search tasks |
154
+ | `web-researcher` | Searching + fetching + extracting from sources |
155
+ | `synthesizer` | Combining multi-source findings into coherent answer |
156
+ | `unity-orchestrator` | Dispatching parallel researcher wave |
157
+
158
+ ---
159
+
160
+ ## Core Rules (never violate)
161
+
162
+ 1. No claim without citation. Never present unverified content as fact.
163
+ 2. Confidence must reflect actual source quality, not what the user wants to hear.
164
+ 3. If sources conflict — show the conflict, don't hide it.
165
+ 4. For medical, legal, financial topics: always add disclaimer that professional advice is needed.
166
+ 5. Recency: always check publication date. Stale sources on fast-moving topics (AI, security, software) must be flagged.
167
+ 6. Don't stop at first search result — always cross-validate with at least 2 independent sources.
168
+
@@ -0,0 +1,53 @@
1
+ ---
2
+ name: surface
3
+ description: Show ranked attack surface for a target based on recon output + hunt memory. Invokes recon-ranker agent. Usage: /surface target.com
4
+ ---
5
+
6
+ # /surface
7
+
8
+ View the prioritized attack surface for a target.
9
+
10
+ ## What This Does
11
+
12
+ 1. Reads cached recon output from `recon/<target>/`
13
+ 2. Reads hunt memory for patterns and previously tested endpoints
14
+ 3. Invokes the `recon-ranker` agent to produce a prioritized ranking
15
+ 4. Outputs P1 (start here), P2 (after P1), and Kill List (skip)
16
+
17
+ ## Usage
18
+
19
+ ```
20
+ /surface target.com
21
+ ```
22
+
23
+ ## Prerequisites
24
+
25
+ Run `/recon target.com` first. If no recon data exists, you'll be prompted to run recon.
26
+
27
+ ## Output
28
+
29
+ ```
30
+ ATTACK SURFACE: target.com
31
+ ═══════════════════════════════════════
32
+
33
+ Priority 1 (start here):
34
+ 1. api.target.com/v2/users/{id} — IDOR candidate
35
+ Tech: Express + PostgreSQL | First seen 12 days ago
36
+ Suggested: numeric ID swap on GET/PUT/DELETE
37
+
38
+ 2. api.target.com/graphql — introspection enabled, 47 mutations
39
+ Suggested: field-level auth check on sensitive mutations
40
+
41
+ Priority 2 (after P1):
42
+ 1. cdn.target.com:8443/upload — file upload endpoint
43
+ Suggested: extension bypass, magic bytes
44
+
45
+ Kill List (skip):
46
+ - static.target.com — CDN only
47
+ - docs.target.com — third-party hosted
48
+
49
+ Memory:
50
+ - Pattern from alpha.com (same tech): auth bypass via method override ($800)
51
+ - 3 endpoints tested in previous session, 5 remain
52
+ ```
53
+
@@ -0,0 +1,141 @@
1
+ ---
2
+ name: token-scan
3
+ description: Meme coin and token security scan — checks for rug pull vectors (hidden mint, honeypot, fee manipulation, LP lock bypass, authority retention, bonding curve exploits, fake renounce, sandwich amplification). Runs automated token_scanner.py + manual 8-class audit. Usage: /token-scan <contract_path_or_dir> [--chain solana]
4
+ ---
5
+
6
+ # /token-scan
7
+
8
+ Fast rug pull detection for meme coins and token contracts. Covers EVM (Solidity) and Solana (Rust/Anchor).
9
+
10
+ ## Usage
11
+
12
+ ```
13
+ /token-scan contracts/Token.sol # Single EVM contract
14
+ /token-scan src/ --recursive # Scan entire directory
15
+ /token-scan programs/token/ --chain solana --recursive # Solana program
16
+ /token-scan contracts/Token.sol --output findings/report.md # Save report
17
+ ```
18
+
19
+ ## Step 0: Quick Kill Signals
20
+
21
+ Before scanning code, check:
22
+
23
+ ```
24
+ [ ] Contract is verified (source code available)?
25
+ [ ] Deployer has no rug history?
26
+ [ ] Token has been trading > 1 hour?
27
+ [ ] Liquidity > $5K?
28
+ [ ] Not a proxy with retained admin?
29
+ ```
30
+
31
+ If ANY answer is NO → flag and proceed with extreme caution.
32
+
33
+ ## Step 1: Run Automated Scanner
34
+
35
+ ```bash
36
+ # EVM
37
+ python3 tools/token_scanner.py <contract_path>
38
+
39
+ # Solana
40
+ python3 tools/token_scanner.py <program_dir> --chain solana --recursive
41
+
42
+ # JSON output for piping
43
+ python3 tools/token_scanner.py <path> --json
44
+ ```
45
+
46
+ The scanner checks all 8 bug classes via regex and returns a risk score + verdict.
47
+
48
+ ## Step 2: Hidden Mint Check
49
+
50
+ ```bash
51
+ grep -rn "function mint\|_mint(\|_balances\[.*\] +=" src/ --include="*.sol" | grep -v "test\|lib"
52
+ grep -rn "delegatecall" src/ --include="*.sol"
53
+ # Solana:
54
+ grep -rn "MintTo\|mint_to\|mint_authority" src/ --include="*.rs"
55
+ ```
56
+
57
+ Look for: mint without MAX_SUPPLY cap, direct balance manipulation, delegatecall to unknown targets.
58
+
59
+ ## Step 3: Honeypot Check
60
+
61
+ ```bash
62
+ grep -rn "blacklist\|isBlacklisted\|_bots\|maxTxAmount\|approve.*override" src/ --include="*.sol"
63
+ # Solana:
64
+ grep -rn "freeze_authority\|transfer_hook\|permanent_delegate" src/ --include="*.rs"
65
+ ```
66
+
67
+ Look for: blacklist mappings, max tx setters without minimum bound, approve overrides that don't call super.
68
+
69
+ ## Step 4: Fee Manipulation Check
70
+
71
+ ```bash
72
+ grep -rn "setFee\|setSellFee\|_taxFee\|_sellFee" src/ --include="*.sol"
73
+ grep -rn "function set.*Fee" -A5 src/ --include="*.sol" | grep -v "require\|MAX"
74
+ ```
75
+
76
+ Look for: fee setters without upper bound, fee exclusion for owner.
77
+
78
+ ## Step 5: LP Drain Check
79
+
80
+ ```bash
81
+ grep -rn "migrateLP\|emergencyWithdraw\|\.sync()\|setPair\|setRouter" src/ --include="*.sol"
82
+ grep -rn "addLiquidityETH" -A5 src/ --include="*.sol" | grep "owner\|msg.sender"
83
+ ```
84
+
85
+ Look for: LP migration functions, emergency withdraw, auto-LP to owner wallet.
86
+
87
+ ## Step 6: Bonding Curve Check
88
+
89
+ ```bash
90
+ grep -rn "virtualReserve\|setCurve\|graduate\|bonding_curve" src/ --include="*.sol" --include="*.rs"
91
+ ```
92
+
93
+ Look for: mutable curve parameters, manipulable graduation threshold.
94
+
95
+ ## Step 7: Authority Check (Solana)
96
+
97
+ ```bash
98
+ grep -rn "mint_authority\|freeze_authority\|update_authority\|close_authority" src/ --include="*.rs"
99
+ grep -rn "set_authority.*None" src/ --include="*.rs"
100
+ grep -rn "upgrade_authority" src/ --include="*.rs"
101
+ ```
102
+
103
+ Look for: retained authorities that should be None, upgradeable programs.
104
+
105
+ ## Step 8: Fake Renounce Check
106
+
107
+ ```bash
108
+ grep -rn "renounceOwnership.*override" src/ --include="*.sol"
109
+ grep -rn "_shadowAdmin\|_backupOwner" src/ --include="*.sol"
110
+ ```
111
+
112
+ Look for: overridden renounce without actual transfer, secondary admin roles.
113
+
114
+ ## Step 9: Sandwich Amplification Check
115
+
116
+ ```bash
117
+ grep -rn "swapExactTokensForETH" -A5 src/ --include="*.sol" | grep "0,"
118
+ grep -rn "swapThreshold\|_rebase\|reflect()" src/ --include="*.sol"
119
+ ```
120
+
121
+ Look for: auto-swap with amountOutMin=0, rebase on every transfer.
122
+
123
+ ## Output
124
+
125
+ The scanner produces:
126
+ - **Risk score** (0-100) based on finding severity
127
+ - **Verdict** (CLEAN / LOW RISK / MEDIUM RISK / HIGH RISK / CRITICAL RISK)
128
+ - **Individual findings** with file:line, code snippet, and recommendation
129
+ - **Exit code** 1 if CRITICAL/HIGH findings (for CI integration)
130
+
131
+ ## What to Do Next
132
+
133
+ - If CRITICAL findings → **DO NOT INTERACT**. Report if on Immunefi/Code4rena.
134
+ - If HIGH findings → Manual deep review. May be intentional design. Check deployer history.
135
+ - If MEDIUM findings → Flag for awareness. Likely not rug but worth monitoring.
136
+ - If CLEAN → Token passes automated checks. Still verify on-chain state manually.
137
+
138
+ ## 5-Minute Rule
139
+
140
+ If you've been scanning for 5 minutes and found no red flags across all 8 classes + automated scan → the token is likely clean. Move on. Don't hunt for phantom bugs.
141
+
@@ -0,0 +1,97 @@
1
+ ---
2
+ name: triage
3
+ description: Quick 7-Question Gate triage on a finding before writing a report. Kills N/A submissions before they happen. Faster than /validate — for quick go/no-go decisions. Usage: /triage
4
+ ---
5
+
6
+ # /triage
7
+
8
+ Quick triage to decide: submit or kill?
9
+
10
+ ## When to Use
11
+
12
+ Use this before spending time writing a full report. If triage passes, run `/validate` for the full 4-gate check, then `/report`.
13
+
14
+ ## Usage
15
+
16
+ ```
17
+ /triage
18
+ ```
19
+
20
+ Describe the finding in one sentence. Example:
21
+ - "I can read other users' orders by changing user_id in /api/orders/{id}"
22
+ - "The /api/export endpoint returns 200 with data even with no auth header"
23
+ - "I found X-Forwarded-Host is reflected in the password reset email"
24
+
25
+ ## The 7 Questions (Fast Version)
26
+
27
+ Answer YES or NO to each. First NO = kill it immediately.
28
+
29
+ ```
30
+ Q1: Can I demonstrate this with a real HTTP request RIGHT NOW?
31
+ YES: I have the request/response already
32
+ NO: I need to look at more code first → KILL
33
+
34
+ Q2: Is this impact type accepted by the program?
35
+ YES: Bug class is on their accepted list
36
+ NO: They explicitly exclude this type → KILL
37
+
38
+ Q3: Is the vulnerable asset owned by and in scope for the program?
39
+ YES: Domain confirmed in-scope, not third-party
40
+ NO: Third-party service or excluded domain → KILL
41
+
42
+ Q4: Does this work without admin/privileged access?
43
+ YES: Regular user account is enough
44
+ NO: Requires admin → KILL (99% of programs)
45
+
46
+ Q5: Is this NOT already known/disclosed/documented behavior?
47
+ YES: Not in changelogs, not in disclosed reports
48
+ NO: It's documented as intended → KILL
49
+
50
+ Q6: Can I prove impact beyond "technically possible"?
51
+ YES: I have actual data in the response / action completed
52
+ NO: I only have a 200 status or error message → DOWNGRADE
53
+
54
+ Q7: Is this NOT on the never-submit list?
55
+ YES: It's a real bug class
56
+ NO: Missing headers, self-XSS, open redirect alone, etc. → KILL or CHAIN
57
+ ```
58
+
59
+ ## Fast Kill Checklist
60
+
61
+ Kill immediately if ANY of these are true:
62
+ ```
63
+ [ ] "Admin can do X" = not a bug
64
+ [ ] "Could theoretically lead to..." = no PoC = not a bug
65
+ [ ] Bug requires 3+ preconditions simultaneously
66
+ [ ] Finding is a missing header, missing flag, missing DMARC
67
+ [ ] SSRF with DNS callback only, no data returned
68
+ [ ] Open redirect with no OAuth chain or ATO path
69
+ [ ] Self-XSS (only affects your own account)
70
+ [ ] Introspection only (no IDOR, no auth bypass shown)
71
+ [ ] Rate limit on login/contact/search (Cloudflare covers it)
72
+ ```
73
+
74
+ ## Conditional Kill (chain required)
75
+
76
+ If it's on the never-submit list BUT you can chain it:
77
+ ```
78
+ Open redirect → OAuth code theft → ATO = report the chain
79
+ SSRF DNS → internal service access = data = report the chain
80
+ CORS → credentialed data exfil PoC = report the chain
81
+ Prompt injection → IDOR via chatbot = report the chain
82
+ ```
83
+
84
+ If you can't build the chain today → KILL IT.
85
+
86
+ ## Output
87
+
88
+ **GO:** "All 7 pass. Run /validate for full check, then /report."
89
+
90
+ **KILL [reason]:**
91
+ - "Q1 fails — no HTTP request yet"
92
+ - "Q4 fails — requires admin access"
93
+ - "Q7 fails — open redirect alone is not submittable. Chain it with OAuth theft first."
94
+
95
+ **DOWNGRADE:**
96
+ - "Q6 — you have 200 status but not actual other-user data. Reproduce with two accounts and show victim's PII in the response before reporting."
97
+