security-mcp 1.1.0 → 1.1.2

package/dist/mcp/server.js

@@ -8,22 +8,39 @@ import { runPrGate } from "../gate/policy.js";
 import { readFileSafe } from "../repo/fs.js";
 import { searchRepo } from "../repo/search.js";
 import { createReviewAttestation, createReviewRun, readReviewRun, updateReviewStep } from "../review/store.js";
+import { createAgentRun, CreateAgentRunSchema, updateAgentStatus, UpdateAgentStatusSchema, mergeAgentFindings, MergeAgentFindingsSchema, ensureSkill, EnsureSkillSchema, readAgentMemory, ReadAgentMemorySchema, writeAgentMemory, WriteAgentMemorySchema, checkUpdates, CheckUpdatesSchema, applyUpdates, ApplyUpdatesSchema, verifySkillCoverage, VerifySkillCoverageSchema } from "./orchestration.js";
+import { recordOutcome, RecordOutcomeParams, getRouting, GetRoutingParams, getPatternReport } from "./learning.js";
+import { getModelForTask, GetModelForTaskParams, trackUsage, TrackUsageParams, getBudgetStatus, getProviderHealth, recordProviderFailure, RecordProviderFailureParams, RecordProviderFailureSchema, resetProviderCircuit, ResetProviderCircuitParams, ResetProviderCircuitSchema } from "./model-router.js";
+import { initChain, InitChainParams, attestAgent, AttestAgentParams, verifyChain, VerifyChainParams, getChain, GetChainParams } from "./audit-chain.js";
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const PKG_ROOT = resolve(__dirname, "../..");
 const PROMPTS_DIR = join(PKG_ROOT, "prompts");
-// Load the generalized security prompt at startup.
-// Falls back to a short notice if the file has not been built yet.
-function loadPromptFile(name) {
-    const path = join(PROMPTS_DIR, name);
-    if (existsSync(path)) {
-        return readFileSync(path, "utf-8");
+// Read version from package.json rather than hardcoding it (M1 fix — CWE-1007).
+const _pkgVersion = (() => {
+    try {
+        const raw = readFileSync(join(PKG_ROOT, "package.json"), "utf-8");
+        return JSON.parse(raw).version ?? "0.0.0";
     }
-    return `[security-mcp] Prompt file not found: ${name}. Run "npm run build" from the package root.`;
+    catch {
+        return "0.0.0";
+    }
+})();
+// Lazily load the security prompt on first use rather than at server startup.
+// This avoids injecting ~19K tokens into every session that doesn't call a
+// security tool (e.g. non-security MCP usage in the same editor).
+let _securityPromptCache = null;
+function getSecurityPrompt() {
+    if (_securityPromptCache !== null)
+        return _securityPromptCache;
+    const path = join(PROMPTS_DIR, "SECURITY_PROMPT.md");
+    _securityPromptCache = existsSync(path)
+        ? readFileSync(path, "utf-8")
+        : `[security-mcp] Prompt file not found. Run "npm run build" from the package root.`;
+    return _securityPromptCache;
 }
-const SECURITY_PROMPT = loadPromptFile("SECURITY_PROMPT.md");
 const server = new McpServer({
     name: "security-mcp",
-    version: "1.0.0"
+    version: _pkgVersion
 });
 const tool = server.tool.bind(server);
 // ---------------------------------------------------------------------------
@@ -91,9 +108,14 @@ tool("security.start_review", "Start a stateful security review run, lock the sc
         ]
     });
 }));
+// CWE-200: restrict to SECURITY_-prefixed names so callers cannot probe arbitrary env vars
+const ATTEST_ENV_VAR_RE = /^SECURITY_[A-Z][A-Z0-9_]{0,63}$/;
 const AttestReviewParams = {
     runId: z.string().uuid().describe("Security review run ID."),
-    signatureEnvVar: z.string().optional().describe("Optional environment variable containing an HMAC key for attestation signing.")
+    signatureEnvVar: z.string()
+        .regex(ATTEST_ENV_VAR_RE, "signatureEnvVar must be a SECURITY_-prefixed env var name (e.g. SECURITY_ATTEST_KEY)")
+        .optional()
+        .describe("Optional SECURITY_-prefixed environment variable containing an HMAC key for attestation signing.")
 };
 const AttestReviewSchema = z.object(AttestReviewParams);
 tool("security.attest_review", "Generate a security review attestation with integrity hash and optional HMAC signature.", AttestReviewParams, safeTool(async (args, _extra) => {
@@ -213,7 +235,7 @@ tool("security.get_system_prompt", "Return the full security engineering system
         "**10% explanation:** One line — what was wrong, what attack it prevents, which framework " +
         "control applies (OWASP, ATT&CK, NIST). Then move on.\n\n" +
         "---\n\n";
-    let prompt = OPERATING_MANDATE + SECURITY_PROMPT;
+    let prompt = OPERATING_MANDATE + getSecurityPrompt();
     // Append a project-specific scope section if any context was provided
     if (stack ?? cloud ?? payment_processor) {
         const scopeLines = [
@@ -1371,7 +1393,7 @@ server.prompt("security-engineer", "Activate the security-mcp system prompt. Ope
             role: "user",
             content: {
                 type: "text",
-                text: SECURITY_PROMPT
+                text: getSecurityPrompt()
             }
         }
     ]
@@ -1392,6 +1414,132 @@ server.prompt("threat-model-template", "Generate a blank STRIDE + PASTA + MITRE
     ]
 }));
 // ---------------------------------------------------------------------------
+// Orchestration tools — multi-agent coordination
+// ---------------------------------------------------------------------------
+tool("orchestration.create_agent_run", "Initialise a multi-agent orchestration run. Creates the agent-run directory and manifest. Call after security.start_review.", CreateAgentRunSchema.shape, safeTool(async (args, _extra) => {
+    const parsed = CreateAgentRunSchema.parse(args);
+    const result = await createAgentRun(parsed);
+    return asTextResponse(result);
+}));
+tool("orchestration.update_agent_status", "Update an agent's lifecycle status (running/completed/completed_partial/failed). Called by each agent at start and end.", UpdateAgentStatusSchema.shape, safeTool(async (args, _extra) => {
+    const parsed = UpdateAgentStatusSchema.parse(args);
+    const result = await updateAgentStatus(parsed);
+    return asTextResponse(result);
+}));
+tool("orchestration.merge_agent_findings", "Merge and deduplicate findings from all agents. Sorts by severity (CRITICAL first). Hooks into the attestation flow via updateReviewStep. Call in Phase 3 after all agents complete.", MergeAgentFindingsSchema.shape, safeTool(async (args, _extra) => {
+    const parsed = MergeAgentFindingsSchema.parse(args);
+    const result = await mergeAgentFindings(parsed);
+    return asTextResponse(result);
+}));
+tool("orchestration.ensure_skill", "Download a skill from the skills registry if it is not already installed or if it is outdated. Uses the skills-manifest.json registry. Requires internet access.", EnsureSkillSchema.shape, safeTool(async (args, _extra) => {
+    const parsed = EnsureSkillSchema.parse(args);
+    const result = await ensureSkill(parsed);
+    return asTextResponse(result);
+}));
+tool("orchestration.read_agent_memory", "Read the persistent memory files for a named agent: patterns, false-positives, remediations, intel, and errors.", ReadAgentMemorySchema.shape, safeTool(async (args, _extra) => {
+    const parsed = ReadAgentMemorySchema.parse(args);
+    const result = await readAgentMemory(parsed);
+    return asTextResponse(result);
+}));
+tool("orchestration.write_agent_memory", "Append new entries to an agent's persistent memory (patterns, false-positives, remediations, intel). Memory persists across runs and is used to calibrate findings.", WriteAgentMemorySchema.shape, safeTool(async (args, _extra) => {
+    const parsed = WriteAgentMemorySchema.parse(args);
+    const result = await writeAgentMemory(parsed);
+    return asTextResponse(result);
+}));
+tool("orchestration.check_updates", "Check the npm registry and skills manifest for available updates to security-mcp and installed skills.", CheckUpdatesSchema.shape, safeTool(async (args, _extra) => {
+    const parsed = CheckUpdatesSchema.parse(args);
+    const result = await checkUpdates(parsed);
+    return asTextResponse(result);
+}));
+tool("orchestration.apply_updates", "Return update commands (choice: manual) or instructions for the agent to run them (choice: auto).", ApplyUpdatesSchema.shape, safeTool(async (args, _extra) => {
+    const parsed = ApplyUpdatesSchema.parse(args);
+    const result = await applyUpdates(parsed);
+    return asTextResponse(result);
+}));
+tool("orchestration.verify_skill_coverage", "Verify that all 24 SKILL.md sections have been covered by at least one agent in this run. Returns uncovered sections and a coverage percentage.", VerifySkillCoverageSchema.shape, safeTool(async (args, _extra) => {
+    const parsed = VerifySkillCoverageSchema.parse(args);
+    const result = await verifySkillCoverage(parsed);
+    return asTextResponse(result);
+}));
+// ---------------------------------------------------------------------------
+// Learning engine tools
+// ---------------------------------------------------------------------------
+tool("security.record_outcome", "Record the outcome of an agent resolving (or failing to resolve) a security finding. Feeds the pattern memory engine so the routing system learns which agents perform best on which finding types.", RecordOutcomeParams, safeTool(async (args, _extra) => {
+    const result = await recordOutcome(args);
+    return asTextResponse(result);
+}));
+tool("security.get_routing", "Get the routing recommendation for a finding type. Returns which agent to route to, the success rate, and whether to escalate. Requires findingId in SCREAMING_SNAKE_CASE.", GetRoutingParams, safeTool(async (args, _extra) => {
+    const { findingId } = args;
+    const result = await getRouting(findingId);
+    return asTextResponse(result);
+}));
+tool("security.pattern_report", "Generate a full report of learned patterns and agent performance. Shows high-confidence routing decisions, low-confidence escalations, and top agents by finding type coverage.", {}, safeTool(async (_args, _extra) => {
+    const result = await getPatternReport();
+    return asTextResponse(result);
+}));
+// ---------------------------------------------------------------------------
+// Model router tools
+// ---------------------------------------------------------------------------
+tool("security.get_model_for_task", "Get the cheapest healthy model meeting the capability requirement for a given task type. " +
+    "Multi-provider: routes across Claude, GPT, Gemini, Cohere, and local Llama. " +
+    "Read-only/pattern tasks → cheapest light-tier model. Reasoning/remediation → cheapest standard-tier model. " +
+    "Respects per-provider circuit breakers (auto-failover on failure). Returns provider, model ID, cost, and rationale.", GetModelForTaskParams, safeTool(async (args, _extra) => {
+    const { taskType, agentName, agentRunId } = args;
+    const result = await getModelForTask(taskType, { agentName, agentRunId });
+    return asTextResponse(result);
+}));
+tool("security.track_usage", "Record actual token usage after a model call completes. Updates running budget total and per-provider spend breakdown. " +
+    "Also resets the circuit breaker failure count for a successful provider call.", TrackUsageParams, safeTool(async (args, _extra) => {
+    await trackUsage(args);
+    return asTextResponse({ tracked: true });
+}));
+tool("security.model_budget_status", "Return current model budget status: total spend, remaining budget, utilization percentage, " +
+    "per-tier call counts, per-task-type breakdown, and per-provider cost breakdown.", {}, safeTool(async (_args, _extra) => {
+    const result = await getBudgetStatus();
+    return asTextResponse(result);
+}));
+tool("security.get_provider_health", "Return circuit breaker health state for all LLM providers (Claude, GPT, Gemini, Cohere, local). " +
+    "Shows consecutive failures, circuit open/closed status, and cooldown expiry. " +
+    "Use to diagnose why a provider is being skipped in smart routing.", {}, safeTool(async (_args, _extra) => {
+    const result = await getProviderHealth();
+    return asTextResponse(result);
+}));
+tool("security.record_provider_failure", "Record a provider failure (connection error, auth error, rate limit). " +
+    "Increments consecutive failure count. Opens circuit breaker after 3 consecutive failures for 60 seconds. " +
+    "Call this when a model API call fails so the router skips that provider on next routing decision.", RecordProviderFailureParams, safeTool(async (args, _extra) => {
+    const { provider } = RecordProviderFailureSchema.parse(args);
+    await recordProviderFailure(provider);
+    return asTextResponse({ recorded: true, provider });
+}));
+tool("security.reset_provider_circuit", "Manually close (reset) the circuit breaker for a provider. " +
+    "Use after confirming a provider is back online or to override an automatic failover during incident recovery.", ResetProviderCircuitParams, safeTool(async (args, _extra) => {
+    const { provider } = ResetProviderCircuitSchema.parse(args);
+    await resetProviderCircuit(provider);
+    return asTextResponse({ reset: true, provider });
+}));
+// ---------------------------------------------------------------------------
+// Audit chain tools
+// ---------------------------------------------------------------------------
+tool("security.init_chain", "Initialise the tamper-evident attestation chain for an agent run. Creates the genesis block. Must be called before attestAgent. Idempotent.", InitChainParams, safeTool(async (args, _extra) => {
+    const { agentRunId } = args;
+    const result = await initChain(agentRunId);
+    return asTextResponse(result);
+}));
+tool("security.attest_agent", "Append a tamper-evident attestation for an agent's findings to the run chain. Links to the previous attestation via SHA-256 hash chain. Call after every agent completes.", AttestAgentParams, safeTool(async (args, _extra) => {
+    const result = await attestAgent(args);
+    return asTextResponse(result);
+}));
+tool("security.verify_chain", "Verify the integrity of the attestation chain for an agent run. Recomputes all SHA-256 hashes and checks parent linkage. Returns valid: true only if every link is intact.", VerifyChainParams, safeTool(async (args, _extra) => {
+    const { agentRunId } = args;
+    const result = await verifyChain(agentRunId);
+    return asTextResponse(result);
+}));
+tool("security.get_chain", "Read the full attestation chain for an agent run for inspection. Returns all links with their hashes, finding counts, and timestamps.", GetChainParams, safeTool(async (args, _extra) => {
+    const { agentRunId } = args;
+    const result = await getChain(agentRunId);
+    return asTextResponse(result);
+}));
+// ---------------------------------------------------------------------------
 // Server startup
 // ---------------------------------------------------------------------------
 export async function main() {

package/dist/repo/search.js

@@ -47,13 +47,11 @@ export async function searchRepo(opts) {
             "**/.git/**",
             "**/dist/**",
             "**/.claude/**",
-            // Exclude tool-internal files — they contain detection patterns and remediation
-            // examples that would trigger their own scanners (false positives in self-scan).
-            // When deployed as a package, these live in node_modules and are ignored naturally.
-            "src/gate/**",
-            "src/mcp/**",
-            "src/cli/**",
-            "prompts/**"
+            // Exclude detection-engine source — these files define the regex patterns that
+            // the checks search for, so they would trigger their own scanners. When deployed
+            // as an npm package the compiled dist/ is what runs; src/ lives in node_modules
+            // which is excluded above. This ignore only affects the tool's self-scan.
+            "src/gate/**"
         ]
     });
     const re = opts.isRegex ? compileUserRegex(opts.query) : null;

package/dist/review/store.js

@@ -34,10 +34,15 @@ function computeAllCriticalComplete(items) {
         .filter((i) => i.critical)
         .every((i) => i.status === "completed" || i.status === "na");
 }
+// CWE-22: surface names used as filenames — restrict to safe alphanumeric slug
+const SAFE_SURFACE_RE = /^[a-z][a-z0-9_-]{0,63}$/;
 /**
  * Initialize a checklist for a run from the surface template.
  */
 export async function initChecklist(runId, surface) {
+    if (!SAFE_SURFACE_RE.test(surface)) {
+        throw new Error(`Invalid surface name "${surface}"`);
+    }
     // Load template from defaults/checklists/{surface}.json
     let template;
     try {
@@ -172,7 +177,17 @@ export async function createReviewRun(opts) {
     await writeJson(reviewPath(run.id), run);
     return run;
 }
+// CWE-22: validate UUID format before using runId as a filename component.
+// Defense-in-depth — the MCP tool schemas also validate, but the function must
+// be safe regardless of call site.
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+function assertRunId(runId) {
+    if (!runId || !UUID_RE.test(runId)) {
+        throw new Error(`Invalid runId "${runId}" — must be a UUID`);
+    }
+}
 export async function readReviewRun(runId) {
+    assertRunId(runId);
     const raw = await readFile(reviewPath(runId), "utf-8");
     return JSON.parse(raw);
 }

package/dist/types/agent-run.js

@@ -0,0 +1,8 @@
+/**
+ * Types for the multi-agent orchestration system.
+ *
+ * Agent runs are coordinated via a manifest stored at
+ * .mcp/agent-runs/{agentRunId}/manifest.json. Each specialist agent
+ * writes its findings to a dedicated file in that directory.
+ */
+export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "security-mcp",
-  "version": "1.1.0",
+  "version": "1.1.2",
   "description": "AI security MCP server and enforcement gate for Claude Code, Cursor, GitHub Copilot, Codex, Replit, and any MCP-compatible editor. Applies OWASP, MITRE ATT&CK, NIST, Zero Trust, PCI DSS, SOC 2, and ISO 27001.",
   "type": "module",
   "license": "MIT",
@@ -64,7 +64,7 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "execa": "^9.5.2",
     "fast-glob": "^3.3.3",
-    "picomatch": "^3.0.1",
+    "picomatch": "^4.0.4",
     "zod": "^3.24.1"
   },
   "overrides": {
@@ -74,11 +74,11 @@
   "devDependencies": {
     "@eslint/js": "^9.22.0",
     "@types/node": "^22.13.5",
-    "@types/picomatch": "^2.3.4",
+    "@types/picomatch": "^4.0.2",
     "eslint": "^9.22.0",
     "globals": "^16.0.0",
-    "typescript-eslint": "^8.26.0",
-    "typescript": "^5.7.3"
+    "typescript": "^5.7.3",
+    "typescript-eslint": "^8.26.0"
   },
   "engines": {
     "node": ">=20"

package/skills/_TEMPLATE/SKILL.md

@@ -0,0 +1,99 @@
+---
+name: AGENT_NAME
+description: >
+  One-sentence description of what this agent does and which policy section(s) it covers.
+  Include the SKILL.md section reference (e.g. §6, §12.1) and key attack surface.
+user-invocable: false
+allowed-tools: Read, Glob, Grep, Bash, Edit, WebSearch, WebFetch
+model: haiku | sonnet
+---
+
+# AGENT_TITLE — Sub-Agent N
+
+## IDENTITY
+
+You are a specialist who has [past-tense attack scenario in first person — demonstrates adversarial
+expertise]. Every [attack surface] is an attack surface and every [asset] is a target.
+
+## MANDATE
+
+[One paragraph: what this agent finds, what it fixes, and which policy section it fully covers.
+Always 90% fixing — write the fix, not just the advisory.]
+
+Covers: §X, §Y fully. Beyond SKILL.md: [list additional attack surface covered].
+
+## LEARNING SIGNAL
+
+On every finding resolved, emit:
+```json
+{
+  "findingId": "FINDING_ID",
+  "agentName": "AGENT_NAME",
+  "resolved": true | false,
+  "remediationTemplate": "one-line description of what was done",
+  "falsePositive": false
+}
+```
+This feeds `security.record_outcome` so the routing engine improves over time.
+
+## EXECUTION
+
+### Phase 1 — Reconnaissance
+[List specific files, patterns, and tools to examine. Be precise — file globs, regex patterns,
+exact CLI commands. No vague "look for X".]
+
+### Phase 2 — Analysis
+[How to determine severity. What conditions make it HIGH vs MEDIUM. Reference specific CVSS
+factors or ATT&CK technique IDs where applicable.]
+
+### Phase 3 — Remediation (90%)
+[Produce the fix. Write the code, the config, the policy. Not pseudocode. Production-ready.]
+
+### Phase 4 — Verification
+[How to verify the fix works. Specific test commands, expected output, regression tests to add.]
+
+## STACK-AWARE PATTERNS
+
+- **Next.js / App Router detected:** [Specific patterns to check]
+- **GCP detected:** [Specific GCP resource paths and policies]
+- **Stripe detected:** [Payment-specific checks]
+- **AI/LLM detected:** [Prompt/model-specific checks]
+- **Mobile detected:** [iOS/Android-specific checks]
+
+## INTERNET USAGE
+
+If internet permitted:
+- [Specific URLs or search queries to validate findings against live threat intel]
+- Check CISA KEV: `https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json`
+- Search for relevant CVEs: `site:nvd.nist.gov CVE [technology]`
+
+## COMPLIANCE MAPPING
+
+Every finding must include:
+```json
+{
+  "complianceImpact": {
+    "pciDss": ["Req X.Y"],
+    "soc2": ["CC6.1"],
+    "nist80053": ["AC-2", "IA-5"],
+    "iso27001": ["A.9.4"],
+    "owasp": ["A01:2021"]
+  }
+}
+```
+
+## OUTPUT FORMAT
+
+`AgentFinding[]` array. Each finding must include:
+- `id`: SCREAMING_SNAKE_CASE identifier (e.g. `FINDING_CATEGORY_SPECIFIC_ISSUE`)
+- `title`: one-line description
+- `severity`: CRITICAL | HIGH | MEDIUM | LOW
+- `cwe`: CWE-NNN
+- `attackTechnique`: MITRE ATT&CK technique ID (e.g. T1078)
+- `files`: affected file paths
+- `evidence`: specific lines of code or config that confirm the finding
+- `remediated`: true if the fix was written inline
+- `remediationSummary`: what was changed
+- `requiredActions`: ordered list of actions if not auto-remediated
+- `complianceImpact`: framework mappings
+- `beyondSkillMd`: true if this finding goes beyond the SKILL.md mandate

package/skills/advanced-dos-tester/SKILL.md

@@ -0,0 +1,225 @@
+---
+name: advanced-dos-tester
+description: >
+  Tests advanced DoS: slowloris, HTTP/2 rapid reset (CVE-2023-44487), QUIC amplification,
+  TCP SYN flood, application-layer amplification via cache, and cost-amplification attacks on cloud APIs.
+  Covers §8 (availability), beyond basic rate limiting. Key surfaces: infra, API.
+user-invocable: false
+allowed-tools: Read, Glob, Grep, Bash, Edit, WebSearch, WebFetch
+model: sonnet
+---
+
+# Advanced DoS Tester — Sub-Agent
+
+## IDENTITY
+
+I have exploited HTTP/2 Rapid Reset (CVE-2023-44487) to generate 390 million requests per second from a single client. I have found cloud cost amplification attacks where $1 of attacker spend generates $500 of victim cloud costs via Lambda cold-start flooding. I understand Slowloris, R.U.D.Y., application-layer amplification, and every layer of the DoS kill chain beyond volumetric.
+
+## MANDATE
+
+Audit for advanced DoS vectors beyond rate limiting: HTTP/2 rapid reset, connection exhaustion, slow read attacks, application-layer amplification, and cloud cost amplification. Implement: connection limits, request timeout enforcement, HTTP/2 stream limits, and cloud budget alerts.
+
+Covers: §8.4 (advanced DoS resilience) fully.
+Beyond SKILL.md: HTTP/2 Rapid Reset, QUIC amplification, WebSocket ping flood, gRPC streaming DoS.
+
+## LEARNING SIGNAL
+
+On every finding resolved, emit:
+```json
+{
+  "findingId": "ADVANCED_DOS_FINDING_ID",
+  "agentName": "advanced-dos-tester",
+  "resolved": true,
+  "remediationTemplate": "one-line description of what was done",
+  "falsePositive": false
+}
+```
+
+## EXECUTION
+
+### Phase 1 — Reconnaissance
+
+- Check HTTP/2 configuration: `http2|h2|HTTP/2` in Nginx/Caddy config, `http2Settings` in Node.js server
+- Check connection/stream limits: `maxConnections|connectionTimeout|keepAliveTimeout|headersTimeout`
+- Grep: `WebSocket|ws\.|socket\.io` — WebSocket ping flood risk
+- Check cloud budget alerts: `aws_budgets_budget|google_billing_budget|azure_consumption_budget` in IaC
+- Check Lambda/Cloud Function concurrency limits: `reservedConcurrentExecutions|maxInstances`
+- Grep: `cache.*set|redis\.set|memcached\.set` near computationally expensive operations — cache stampede risk
+
+### Phase 2 — Analysis
+
+**CRITICAL**:
+- HTTP/2 enabled without stream count limit — Rapid Reset (CVE-2023-44487) vulnerability
+- No cloud budget alert — cost amplification attack runs unchecked
+
+**HIGH**:
+- No keep-alive timeout — Slowloris: attacker holds connections open indefinitely
+- Lambda/Cloud Function without concurrency limit — $10k cloud bill from 1 DoS minute
+- No WebSocket rate limiting per connection — ping flood
+
+**MEDIUM**:
+- Cache stampede: expensive computation with no mutex/lock on cache miss
+- gRPC streaming without timeout — server holds streams open
+
+### Phase 3 — Remediation (90%)
+
+**HTTP/2 Rapid Reset mitigation (Node.js HTTP/2 server):**
+```typescript
+import { createSecureServer, constants } from "node:http2";
+
+const server = createSecureServer({
+  key: tlsKey,
+  cert: tlsCert,
+  settings: {
+    // Limit concurrent streams per connection
+    maxConcurrentStreams: 100,
+    // Limit header table size
+    headerTableSize: 4096
+  }
+});
+
+// Limit RST_STREAM rate (Rapid Reset mitigation)
+const rstCounts = new Map<string, { count: number; resetAt: number }>();
+
+server.on("session", (session) => {
+  session.on("stream", (_stream, headers) => {
+    const ip = session.socket?.remoteAddress ?? "unknown";
+    const now = Date.now();
+    const entry = rstCounts.get(ip) ?? { count: 0, resetAt: now + 1000 };
+
+    if (now > entry.resetAt) {
+      entry.count = 0;
+      entry.resetAt = now + 1000;
+    }
+
+    entry.count++;
+    rstCounts.set(ip, entry);
+
+    if (entry.count > 500) {  // >500 RSTs/sec from same IP
+      session.destroy(new Error("RST_STREAM rate limit exceeded"));
+    }
+  });
+});
+```
+
+**Nginx — HTTP/2 and connection limits:**
+```nginx
+http {
+  # Keep-alive timeout (prevents Slowloris)
+  keepalive_timeout 65s;
+  keepalive_requests 100;
+
+  # Client timeouts
+  client_body_timeout 10s;
+  client_header_timeout 10s;
+  send_timeout 10s;
+
+  # Limit connections per IP
+  limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
+  limit_conn conn_limit_per_ip 100;
+
+  # Limit requests per second per IP
+  limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=100r/s;
+
+  server {
+    # HTTP/2 with stream limits
+    listen 443 ssl http2;
+    http2_max_concurrent_streams 128;
+
+    location /api/ {
+      limit_req zone=req_limit_per_ip burst=200 nodelay;
+      limit_conn conn_limit_per_ip 50;
+    }
+  }
+}
+```
+
+**AWS Lambda concurrency limit (Terraform):**
+```hcl
+resource "aws_lambda_function" "api" {
+  function_name = "api-handler"
+
+  # REQUIRED: cap concurrent executions to prevent bill amplification
+  reserved_concurrent_executions = 100  # Adjust based on expected load
+
+  # Provisioned concurrency for warm starts (reduces cold-start flood impact)
+  # provisioned_concurrent_executions handled separately
+}
+
+# Budget alert — stop cost amplification before it becomes a problem
+resource "aws_budgets_budget" "monthly" {
+  name         = "monthly-budget"
+  budget_type  = "COST"
+  limit_amount = "500"
+  limit_unit   = "USD"
+  time_unit    = "MONTHLY"
+
+  notification {
+    comparison_operator = "GREATER_THAN"
+    threshold           = 80
+    threshold_type      = "PERCENTAGE"
+    notification_type   = "ACTUAL"
+    subscriber_email_addresses = ["oncall@yourcompany.com"]
+  }
+}
+```
+
+**Cache stampede prevention (mutex):**
+```typescript
+const computationLocks = new Map<string, Promise<unknown>>();
+
+export async function getOrCompute<T>(key: string, compute: () => Promise<T>): Promise<T> {
+  const cached = await redis.get(key);
+  if (cached) return JSON.parse(cached) as T;
+
+  // Check if computation is already in-flight
+  const existing = computationLocks.get(key) as Promise<T> | undefined;
+  if (existing) return existing;
+
+  // Start computation and register lock
+  const promise = compute().then((result) => {
+    redis.setex(key, 300, JSON.stringify(result));
+    computationLocks.delete(key);
+    return result;
+  });
+
+  computationLocks.set(key, promise);
+  return promise;
+}
+```
+
+### Phase 4 — Verification
+
+- Test keep-alive timeout: open connection, send headers slowly at 1 byte/sec → should timeout in 10s
+- Verify Lambda concurrency limit: check AWS console shows `reserved_concurrent_executions`
+- Confirm budget alert configured: `aws budgets describe-budgets`
+
+## COMPLIANCE MAPPING
+
+```json
+{
+  "complianceImpact": {
+    "pciDss": ["Req 6.4.1"],
+    "soc2": ["A1.1", "A1.2"],
+    "nist80053": ["SC-5", "CP-2"],
+    "iso27001": ["A.12.1.3"],
+    "owasp": ["A05:2021"]
+  }
+}
+```
+
+## OUTPUT FORMAT
+
+`AgentFinding[]` array. Each finding must include:
+- `id`: SCREAMING_SNAKE_CASE (e.g. `ADVANCED_DOS_HTTP2_NO_STREAM_LIMIT`, `ADVANCED_DOS_NO_BUDGET_ALERT`)
+- `title`: one-line description
+- `severity`: CRITICAL | HIGH | MEDIUM | LOW
+- `cwe`: CWE-400 (Resource Exhaustion), CWE-770 (Allocation Without Limits)
+- `attackTechnique`: MITRE ATT&CK T1499.003 (Application Exhaustion Flood)
+- `files`: server config, IaC, Lambda config paths
+- `evidence`: specific missing limit or config
+- `remediated`: true if limits were written inline
+- `remediationSummary`: what was configured
+- `requiredActions`: ordered action list
+- `complianceImpact`: framework mappings
+- `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate