security-mcp 1.1.3 → 1.1.4

package/dist/mcp/server.js

@@ -100,7 +100,19 @@ tool("security.start_review", "Start a stateful security review run, lock the sc
         headRef: headRef ?? "HEAD",
         requiredSteps: run.requiredSteps,
         operatingMandate: "90% fixing, 10% advisory. Write the fix. Implement the control. Enforce the policy. Do not list vulnerabilities and walk away.",
+        coverageProtocol: {
+            step0: "Enumerate ALL source files first → write .mcp/agent-runs/{runId}/coverage-manifest.json before any analysis",
+            step1: "Taint-trace every user-controlled input (req.body, req.query, event.data, etc.) to ALL sinks → write taint-map.json",
+            step2: "Negative assertion per attack class: 'ATTACK CLASS: {name} | FILES: {n}/{total} | PATTERNS: {list} | RESULT: CLEAN or N findings (N/N fixed)'",
+            step3: "Fix verification loop: re-run the triggering check after every fix — do NOT advance until VERIFIED CLEAN",
+            step4: "All HIGH/CRITICAL: FIXED with verified-clean re-run, OR formally blocked with risk-acceptance record + failing gate"
+        },
         nextSteps: [
+            "Step 0: Enumerate ALL source files → write coverage-manifest.json before any analysis begins.",
+            "Step 1: For every user-controlled input found, trace it to ALL sinks → write taint-map.json.",
+            "After every attack class reviewed: write NEGATIVE ASSERTION confirming files checked and result.",
+            "After every fix: re-run the triggering check and confirm CLEAN before proceeding to next finding.",
+            "All findings must be FIXED (verified-clean) or BLOCKED (risk-accepted + gate failing). No open HIGH/CRITICAL at completion.",
             "Run security.threat_model with this runId.",
             "Run security.checklist with this runId.",
             "Run security.run_pr_gate with this runId.",
@@ -361,22 +373,108 @@ Describe Level 0 (context) and Level 1 (process) flows in prose or embed a diagr
 |---|---|---|---|---|
 | TM-001 | | | | PENDING |
 
+## 4b. LINDDUN Privacy Threat Analysis
+
+| Category | Description | Threat | Mitigation |
+|---|---|---|---|
+| Linking | Can records across contexts be linked? | | |
+| Identifying | Can data be traced to an individual? | | |
+| Non-repudiation | Can users deny their actions? | | |
+| Detecting | Can sensitive behavior be inferred from metadata? | | |
+| Data Disclosure | Can data be exposed beyond its intended scope? | | |
+| Unawareness | Are users unaware of data collection? | | |
+| Non-compliance | Does the system violate regulations? | | |
+
+## 4c. TRIKE Risk Matrix
+
+| Actor | Action | Asset | Allowed? | Risk if Violated |
+|---|---|---|---|---|
+| Authenticated User | Read | Own profile | Yes | — |
+| Authenticated User | Read | Other user profile | No | CRITICAL |
+| Service Account | Write | Production DB | Restricted | HIGH |
+
+## 4d. DREAD Scoring
+
+| Threat | Damage (0-10) | Reproducibility | Exploitability | Affected Users | Discoverability | Total |
+|---|---|---|---|---|---|---|
+| _Threat 1_ | | | | | | |
+
+## 4e. Attack Trees — Top 3 Critical Paths
+
+**Goal 1: Achieve authentication bypass**
+- OR: Exploit JWT algorithm confusion (requires: access to token + public key)
+  - AND: Obtain RS256 public key (from JWKS endpoint or source code)
+  - AND: Re-sign token as HS256 using public key as HMAC secret
+- OR: Session fixation (requires: pre-auth request, no session regeneration)
+
+**Goal 2: Exfiltrate PII/cardholder data**
+- OR: IDOR via unvalidated object reference
+- OR: SQLi / NoSQL injection in query endpoint
+- OR: SSRF to internal data store
+
+**Goal 3: Achieve remote code execution**
+- OR: SSTI via template compilation from user input
+- OR: Deserialization gadget chain (node-serialize / eval)
+- OR: Prototype pollution → downstream exec sink
+
+## 5. Adversary Profiles
+
+| Profile | Goal | ATT&CK Techniques | Test Focus |
+|---|---|---|---|
+| APT / Nation-State | Persistent access + exfiltration | T1195, T1078, T1027 | What steps produce NO log entries? |
+| Ransomware Group | Encrypt backups, maximize leverage | T1490, T1485, T1496 | Can attacker reach and delete backups? |
+| Insider (DevOps) | Exfiltration or sabotage with valid creds | T1213, T1087 | What can a DevOps engineer access they shouldn't? |
+| Script Kiddie | Quick wins via automated tools | T1190, T1595 | Does WAF/rate limiting stop nuclei/sqlmap? |
+
+## 6. Supply Chain Threats
+
+| Threat | Vector | Likelihood | Mitigation |
+|---|---|---|---|
+| Dependency confusion | Private pkg name registered on npm | | SHA-pin all deps; use npm audit |
+| Typosquatting | Misspelled package installed | | Lock file + npm audit on CI |
+| CI cache poisoning | Malicious action poisons build cache | | Pin actions to SHA; no cache cross-branches |
+| Compromised upstream | Maintainer account takeover | | SBOM + Sigstore verification |
+| Malicious maintainer | Legitimate maintainer inserts backdoor | | OpenSSF scorecard + CISA KEV monitoring |
+| pwn-request | pull_request_target with head code | | Explicit head_ref check; no auto-use of forked code |
+
 ## 11. Pre-Release Checklist (Section 22E)
 
 - [ ] Threat model reviewed by security-designated reviewer
 - [ ] All SAST/SCA/IaC/container scan gates pass
 - [ ] Auth and authorization logic reviewed
-- [ ] Secrets handling reviewed - no hardcoded secrets
+- [ ] Secrets handling reviewed — no hardcoded secrets
 - [ ] Input validation present on all new inputs (server-side confirmed)
-- [ ] Error messages reviewed - no information leakage
-- [ ] Logging confirmed - required events logged, no PII in logs
+- [ ] Error messages reviewed — no information leakage
+- [ ] Logging confirmed — required events logged, no PII in logs
 - [ ] Security headers verified in staging
 - [ ] Rate limiting confirmed on all new endpoints
 - [ ] CORS configuration reviewed
 - [ ] Dependencies reviewed for new CVEs
-- [ ] Network rules reviewed - no 0.0.0.0/0, all traffic via private paths
+- [ ] Network rules reviewed — no 0.0.0.0/0, all traffic via private paths
 - [ ] IR playbook updated if new attack surface introduced
 - [ ] Compliance requirements addressed and documented
+
+## 12. Business Logic Abuse
+
+| Workflow | State Machine Step | Can skip? | Invariant | Test |
+|---|---|---|---|---|
+| _e.g. Checkout_ | Cart → Payment → Confirm | Can step 2 be skipped? | Amount must match cart total | POST /confirm without /payment |
+| _e.g. Subscription_ | Trial → Upgrade → Active | Can upgrade be replayed? | One upgrade per user | Concurrent PATCH /upgrade |
+
+- [ ] Full state machine mapped for all significant workflows
+- [ ] Step-skip tests designed and executed
+- [ ] Negative value inputs tested on all numeric fields (quantity, price, balance, seats)
+- [ ] Concurrent request tests executed for all limit-once invariants
+
+## 13. PoC Requirement
+
+**Every HIGH or CRITICAL finding must have a working PoC before sign-off.**
+
+| Finding ID | Severity | PoC Written | PoC Confirmed Working | Fix Written | Fix Verified Clean |
+|---|---|---|---|---|---|
+| | HIGH | [ ] | [ ] | [ ] | [ ] |
+
+Rule: PoC must be written BEFORE the fix. After the fix, re-run the PoC and confirm it fails.
 `;
     if (runId) {
         await updateReviewStep(runId, "threat_model", "completed", {
@@ -402,80 +500,212 @@ Use before every production release. All items must be checked or explicitly ris
 ## All Surfaces
 
 - [ ] Threat model completed and reviewed by security-designated reviewer
-- [ ] SAST scan results reviewed - all CRITICAL/HIGH findings resolved
-- [ ] SCA scan - no CRITICAL CVEs in dependencies; HIGH CVEs triaged
-- [ ] Secrets scan clean (Trufflehog / Gitleaks)
-- [ ] IaC scan - no HIGH/CRITICAL misconfigurations (Checkov / tfsec)
-- [ ] Container scan - no CRITICAL CVEs with available fix (Trivy / Grype)
-- [ ] Error messages reviewed - no stack traces, schema details, or enum leakage
-- [ ] Logging reviewed - all required events logged; no PII, secrets, or tokens in logs
-- [ ] Dependencies reviewed for new CVEs introduced by this change
+- [ ] SAST scan results reviewed — all CRITICAL/HIGH findings resolved or risk-accepted with ticket
+- [ ] SCA scan — no CRITICAL CVEs in dependencies; HIGH CVEs triaged and scheduled
+- [ ] Secrets scan clean (Trufflehog / Gitleaks) — no credentials, tokens, or keys in source
+- [ ] IaC scan — no HIGH/CRITICAL misconfigurations (Checkov / tfsec)
+- [ ] Container scan — no CRITICAL CVEs with available fix (Trivy / Grype)
 - [ ] SBOM generated for this release artifact
-- [ ] Rollback plan documented and tested
+- [ ] SLSA provenance attestation generated for release artifacts
+- [ ] Error messages reviewed — no stack traces, schema details, internal paths, or enum leakage
+- [ ] Logging reviewed — all required events logged; no PII, secrets, or tokens in logs
+- [ ] Dependencies reviewed for new CVEs introduced by this change
+- [ ] CISA KEV cross-check completed for all dependency CVEs
+- [ ] Rollback plan documented and tested (can revert within 15 minutes)
 - [ ] IR playbook updated if a new attack surface was introduced
+- [ ] Regression gate: previous CRITICAL/HIGH findings verified still fixed
+- [ ] Coverage-gap disclosure: documented what this scan CANNOT catch (business logic, runtime behavior)
 
 ## Web / Frontend
 
-- [ ] Content-Security-Policy header present with nonce-based script control (no unsafe-inline)
-- [ ] HSTS header with includeSubDomains and preload
-- [ ] X-Frame-Options: DENY
-- [ ] X-Content-Type-Options: nosniff
+- [ ] Content-Security-Policy: nonce-based script control — unsafe-inline and unsafe-eval absent
+- [ ] Content-Security-Policy: default-src 'self' with explicit allowlists for external resources
+- [ ] HSTS: max-age=31536000; includeSubDomains; preload
+- [ ] X-Frame-Options: DENY (or SAMEORIGIN with justification)
+- [ ] X-Content-Type-Options: nosniff on all responses including error pages
 - [ ] Referrer-Policy: strict-origin-when-cross-origin
-- [ ] Permissions-Policy set
-- [ ] No inline JavaScript or inline event handlers
-- [ ] Subresource Integrity (SRI) on any third-party scripts
-- [ ] CSRF protection on all state-changing endpoints
-- [ ] XSS: no dangerouslySetInnerHTML without sanitization
+- [ ] Permissions-Policy: camera, microphone, geolocation restricted
+- [ ] Cross-Origin-Opener-Policy (COOP): same-origin
+- [ ] Cross-Origin-Embedder-Policy (COEP): require-corp where SharedArrayBuffer used
+- [ ] Cross-Origin-Resource-Policy (CORP): same-origin or same-site on API responses
+- [ ] Trusted Types policy enforced (require-trusted-types-for 'script') — DOM XSS sinks covered
+- [ ] No inline JavaScript or inline event handlers (onclick, onload, onerror, etc.)
+- [ ] No dangerouslySetInnerHTML without DOMPurify sanitization
+- [ ] All user-supplied data escaped before rendering in server-side templates
+- [ ] document.write(), innerHTML, insertAdjacentHTML, eval() DOM sink audit completed
+- [ ] postMessage handlers validate event.origin against explicit allowlist
+- [ ] Subresource Integrity (SRI) on all third-party scripts and stylesheets
+- [ ] CSRF protection on all state-changing endpoints (SameSite + CSRF tokens)
+- [ ] Open redirect prevention: redirect targets validated against allowlist
+- [ ] Subdomain takeover DNS audit — no dangling CNAME records to unprovisioned services
+- [ ] HTTP request smuggling: CL/TE header normalization at proxy layer confirmed
+- [ ] Session tokens are HttpOnly, Secure, SameSite=Strict — not localStorage
+- [ ] Session expiry: access tokens max 15 minutes, refresh tokens rotated on use
+- [ ] Login rate limiting: max 5 failures per IP per minute with progressive lockout
 
 ## API
 
-- [ ] All new endpoints require authentication (JWT RS256/ES256 validated)
-- [ ] Authorization checked server-side for every resource operation (IDOR prevention)
-- [ ] Input validation present on all new inputs - server-side schema validation confirmed
-- [ ] Rate limiting configured on all new endpoints
-- [ ] CORS origin allowlist reviewed (no wildcard on authenticated endpoints)
-- [ ] Request size limits enforced
-- [ ] SSRF protection on any server-side HTTP client (block private IPs, metadata endpoints)
+- [ ] All new endpoints require authentication — no unauthenticated access to sensitive data
+- [ ] JWT algorithm pinned to RS256 or ES256 in all jwt.verify() calls (CWE-327)
+- [ ] JWT expiry enforced — access tokens max 15 minutes, refresh tokens rotated on use
+- [ ] Authorization checked server-side for every resource operation — IDOR prevention confirmed
+- [ ] Row-level security enforced — cross-tenant access not possible
+- [ ] Privilege escalation paths reviewed — no client-supplied role claims accepted
+- [ ] Session regenerated after login — session fixation prevented (CWE-384)
+- [ ] OAuth state parameter generated and verified (CWE-352)
+- [ ] PKCE (S256) required for all public clients and SPAs
+- [ ] OAuth redirect_uri validated with exact equality — not includes/startsWith (CWE-601)
+- [ ] HTTP verb tampering: PUT/DELETE on read-only resources returns 405 not 200
+- [ ] BOPLA: PATCH/PUT handler rejects field updates beyond caller's role
+- [ ] Input validation: server-side schema validation on all new inputs (Zod / Joi / Valibot)
+- [ ] SQL injection: parameterized queries throughout — no raw string concat in query context
+- [ ] NoSQL injection: user input validated before passing to MongoDB/DynamoDB filters (CWE-943)
+- [ ] XML parsers: external entity processing disabled (XXE — CWE-611)
+- [ ] Deserialization: no node-serialize, eval(), or new Function() on user input (CWE-502)
+- [ ] SSTI: templates never compiled from user input (CWE-94)
+- [ ] Prototype pollution: Zod schema validation before any object merge (CWE-1321)
+- [ ] YAML parsing: safe/FAILSAFE schema used — not default js-yaml schema (CWE-502)
+- [ ] Path traversal: path.join() + user input always followed by prefix check (CWE-22)
+- [ ] Log injection: newlines stripped from user values before logging (CWE-117)
+- [ ] CRLF injection: user values sanitized before res.setHeader() (CWE-113)
+- [ ] Rate limiting on all new endpoints — per-user and per-IP
+- [ ] Aggressive rate limiting on auth endpoints (login, token refresh, password reset)
+- [ ] CORS origin allowlist reviewed — no wildcard on authenticated endpoints
+- [ ] Request size limits enforced — no unbounded body parsing
+- [ ] SSRF protection on server-side HTTP clients — blocks private IPs and metadata endpoints
 - [ ] Webhook signatures verified (HMAC-SHA256 + replay protection)
-- [ ] OpenAPI spec updated
+- [ ] Mass assignment prevented — explicit field allowlists, not object spread from request body
+- [ ] Response bodies reviewed — no internal IDs, system details, or field over-exposure (BOPLA)
+- [ ] OpenAPI spec updated for all new endpoints
+
+## GraphQL
+
+- [ ] Introspection disabled in production
+- [ ] Query depth limit enforced (max 10 or documented level)
+- [ ] Query complexity limit enforced
+- [ ] Batching limited (max 5 operations per request)
+- [ ] Field-level authorization enforced — not just type-level
+- [ ] Subscription auth enforced on WS handshake — not just on first message
 
 ## Infrastructure / Cloud
 
 - [ ] No 0.0.0.0/0 ingress or egress rules in any firewall / security group
 - [ ] All managed services accessed via VPC endpoints / private connectivity
 - [ ] No world-readable storage buckets
-- [ ] Secrets stored in secret manager - not in env files, CI logs, or container images
-- [ ] IAM roles follow least privilege - no wildcard permissions
+- [ ] Secrets stored in secret manager — not in env files, CI logs, or container images
+- [ ] IAM roles follow least privilege — no wildcard permissions
+- [ ] No long-lived static credentials — workload identity or short-lived tokens
+- [ ] Admin roles require MFA and are time-limited — no standing admin access
+- [ ] New IAM roles reviewed for privilege escalation paths
 - [ ] Network segmentation reviewed (web tier, app tier, data tier isolated)
 - [ ] WAF rules updated if new public endpoints added
 - [ ] Cloud audit logging confirmed for new resources
+- [ ] IMDSv2 enforced on all EC2 instances (HttpTokens=required)
+- [ ] S3 Block Public Access enabled at account level
+- [ ] S3 Object Lock (WORM) on backup buckets — prevents ransomware deletion
+- [ ] Threat detection enabled: AWS GuardDuty / GCP SCC / Azure Defender
+- [ ] SCP blocking: public S3 creation, CloudTrail disable, IAM * wildcards
+- [ ] CloudTrail log file integrity validation enabled
+- [ ] Container seccomp profile applied (RuntimeDefault or stricter)
+- [ ] Kubernetes resource limits (CPU and memory) set on all workloads
+
+## Supply Chain / CI-CD
+
+- [ ] All GitHub Actions pinned to full SHA — no floating tag references
+- [ ] No pull_request_target workflow without explicit head_ref validation (pwn-request prevention)
+- [ ] GITHUB_TOKEN permissions explicitly declared minimal — no inherited default write
+- [ ] SLSA Level 3 provenance or equivalent documented
+- [ ] SBOM signed with cosign — signature verified at deployment
+- [ ] No secrets readable in CI job logs — masked and audited
+
+## OAuth / OIDC
+
+- [ ] PKCE with S256 code challenge required for all public clients
+- [ ] state and nonce parameters generated and verified on every OAuth callback
+- [ ] redirect_uri exact-match only — no prefix or includes() matching
+- [ ] Authorization code reuse prevented — server rejects second use within validity window
+- [ ] Token audience (aud) validated against expected service identifier
+- [ ] Bearer token passed in Authorization header — not in URL query string
+
+## Business Logic
+
+- [ ] Rate-limited endpoints: every endpoint with a limit-once invariant has idempotency protection
+- [ ] Idempotency keys required on all payment/transfer mutations
+- [ ] Resource ownership verified on every write operation — not just on read
+- [ ] No sequential integer IDs for user-facing resources — use UUID or opaque tokens
+- [ ] Negative input values rejected: quantity, price, balance change, seat count all validated ≥ 0
+- [ ] Race condition test executed for any balance/quota/inventory limit (concurrent requests)
+
+## Serialization / Injection
+
+- [ ] XXE prevented: XML parsers disable external entities (processEntities:false)
+- [ ] SSTI prevented: no template compilation from user input
+- [ ] No eval(), new Function(), or setTimeout(string) with user-controlled content
+- [ ] No unsafe YAML.load() — FAILSAFE_SCHEMA or yaml.safeLoad() used
+- [ ] No node-serialize or other gadget-chain-capable deserialization library on user input
+- [ ] Prototype pollution mitigated: Zod validation before all object merges
+- [ ] Open redirect blocked: all res.redirect() targets validated against allowlist
+- [ ] CRLF injection blocked: response headers sanitized before setting
 
 ## Mobile
 
-- [ ] iOS: NSAllowsArbitraryLoads is false (ATS enforced)
+- [ ] iOS: NSAllowsArbitraryLoads is false — ATS strictly enforced
+- [ ] iOS: NSExceptionDomains documented and justified for any exceptions
 - [ ] Android: android:debuggable="false" in release build
 - [ ] Android: cleartext traffic disabled (usesCleartextTraffic="false")
+- [ ] Android: Network Security Config restricts cleartext and pins certificates
 - [ ] Certificate pinning verified for high-value API calls
-- [ ] Sensitive data not stored in shared preferences or external storage
+- [ ] Sensitive data stored in iOS Keychain / Android Keystore — not plaintext files
+- [ ] No sensitive data in SharedPreferences or NSUserDefaults in plaintext
+- [ ] Jailbreak/root detection implemented for high-risk operations
+- [ ] Obfuscation verified on release binary
+- [ ] Anti-instrumentation detection active (Frida / Magisk / Cydia)
+- [ ] Universal Links (iOS) / App Links (Android) used for auth callbacks — not custom scheme
 
 ## AI / LLM
 
 - [ ] All AI inputs sanitized and validated
-- [ ] System prompt structurally separated from user content (no string concatenation)
-- [ ] Indirect prompt injection: retrieved context (RAG, external data) treated as untrusted
+- [ ] System prompt structurally separated from user content — no string concatenation
+- [ ] Indirect prompt injection: RAG-retrieved context treated as untrusted — isolated from instructions
+- [ ] System prompt extraction resistance tested — model cannot be tricked into revealing it
+- [ ] Multi-turn attack chains tested across 5+ turns — instruction hierarchy holds
+- [ ] Multimodal injection: image/audio/document inputs treated as untrusted
 - [ ] Model outputs validated against JSON schema before acting on them
 - [ ] Output PII scan: no SSN, card numbers, tokens in model responses
+- [ ] Model output never passed to eval(), exec(), or shell commands
 - [ ] AI endpoints rate-limited independently from regular API
-- [ ] Model access logging enabled (user, timestamp, token counts)
-- [ ] Red-team test cases executed and results reviewed
+- [ ] Per-user token budgets enforced (daily and hourly)
+- [ ] Model access logging enabled (user, timestamp, token counts, model version)
+- [ ] Red-team test cases executed: jailbreak, prompt injection, PII exfiltration, DoS probes
+- [ ] Agentic tool allowlist — only permitted tools exposed to the model
+- [ ] High-impact tools require human-in-the-loop approval
+- [ ] AML.T0054 (LLM Prompt Injection) and AML.T0057 mitigations verified
 
 ## Payments (PCI DSS 4.0)
 
-- [ ] No card numbers, CVV, or PAN in any log, database, cache, or error message
-- [ ] Stripe / payment processor webhook verified (HMAC-SHA256)
-- [ ] PCI scope clearly defined and documented
+- [ ] No card numbers, CVV, or full PAN stored anywhere — tokenization confirmed
+- [ ] No card data in any log, database, cache, error message, or analytics system
+- [ ] PAN masked when displayed — last 4 digits only
+- [ ] Payment form hosted by processor (iFrame or redirect) — card data never touches app servers
+- [ ] Stripe / payment processor webhook verified (HMAC-SHA256 + replay protection)
+- [ ] Payment processor API keys stored in secret manager
 - [ ] Payment-adjacent systems network-segmented from non-payment systems
+- [ ] TLS 1.2+ required on all payment data flows
+- [ ] CSP extra-strict on checkout pages — no inline scripts, no external origins (Magecart prevention)
+- [ ] SRI on every script and stylesheet on checkout pages
+- [ ] DOM mutation monitoring active on payment form
+- [ ] EMV 3DS version 2.2+ for card-not-present transactions
 - [ ] Audit trail maintained for all payment operations
+- [ ] SAQ type documented and current for this release scope
+- [ ] PCI scope clearly defined and documented
+
+## Observability Gate
+
+- [ ] Anomaly detection baselines documented — normal traffic envelope defined
+- [ ] SLO (Service Level Objective) defined for security events (e.g. auth failure rate < 0.1%)
+- [ ] Alert fatigue reviewed — false positive rate for each security alert < 5%
+- [ ] Runbook linked from every security alert — on-call can respond in < 5 minutes
+- [ ] Log integrity check: logs are forwarded to tamper-evident storage; local deletion does not erase them
 `;
 tool("security.checklist", "Return the pre-release security checklist, optionally filtered by attack surface (web, api, mobile, ai, infra, payments, all).", ChecklistParams, safeTool(async (args, _extra) => {
     const { runId, surface } = ChecklistSchema.parse(args);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "security-mcp",
-  "version": "1.1.3",
+  "version": "1.1.4",
   "description": "AI security MCP server and enforcement gate for Claude Code, Cursor, GitHub Copilot, Codex, Replit, and any MCP-compatible editor. Applies OWASP, MITRE ATT&CK, NIST, Zero Trust, PCI DSS, SOC 2, and ISO 27001.",
   "type": "module",
   "license": "MIT",

package/prompts/SECURITY_PROMPT.md

@@ -32,6 +32,79 @@ When you find a vulnerability, you do exactly this:
 
 ---
 
+## §0 COVERAGE COMPLETENESS PROTOCOL — THIS RUNS BEFORE EVERYTHING ELSE
+
+You cannot declare a codebase clean without proving you checked every file.
+You cannot close a finding without proving your fix eliminates it.
+
+### Step 1 — Complete File Inventory (NO EXCEPTIONS)
+
+Before any analysis begins:
+
+1. Run `repo.search` with `.*` pattern or use Glob to enumerate ALL source files.
+2. Write the complete file list to `.mcp/agent-runs/{runId}/coverage-manifest.json`:
+   `{ "totalFiles": N, "files": [{"path": "...", "status": "pending"}] }`
+3. You CANNOT start analysis until every source file appears in the manifest as "pending".
+4. As you review each file: update its status to "reviewed" with attack classes checked.
+5. You CANNOT call any completion step until every file is "reviewed".
+
+### Step 2 — Taint Tracking (MANDATORY FOR EVERY USER-CONTROLLED INPUT)
+
+For every source of untrusted data found in the codebase, trace ALL downstream paths:
+
+- `req.body`, `req.query`, `req.params`, `req.headers` (HTTP)
+- `event.data`, `socket.message` (WebSocket/event-driven)
+- `process.env[variable]` passed through to functions (env injection)
+- Database results that originated from user input
+- External API responses used in downstream processing
+- File contents read from user-uploaded files
+- URL fragments / hash passed via JavaScript
+
+Classify each sink as:
+
+- **SAFE**: parameterized query, schema-validated output, sanitized before use
+- **UNSAFE**: raw SQL concat, eval, shell exec, unvalidated redirect, unencoded output
+- **UNRESOLVED**: tracing blocked (e.g., function in a third-party module)
+
+Any UNRESOLVED path is treated as UNSAFE until proven otherwise.
+Write the taint map to `.mcp/agent-runs/{runId}/taint-map.json`.
+
+### Step 3 — Negative Assertion Protocol (MANDATORY PER ATTACK CLASS)
+
+After reviewing each attack class, you MUST write one of these statements:
+
+**FORMAT:** `ATTACK CLASS: {name} | FILES CHECKED: {n}/{total} | PATTERNS SEARCHED: {list} | RESULT: {CLEAN | N findings (N/N fixed)}`
+
+**Example (clean):** `ATTACK CLASS: SQL Injection | FILES CHECKED: 47/47 | PATTERNS SEARCHED: queryRaw, executeRaw, string concat in query context | RESULT: CLEAN`
+
+**Example (fixed):** `ATTACK CLASS: JWT Algorithm Confusion | FILES CHECKED: 47/47 | PATTERNS SEARCHED: jwt.verify without algorithms pin | RESULT: 2 findings (2/2 fixed)`
+
+You CANNOT report a class as CLEAN without examining every file in the manifest.
+
+### Step 4 — Fix Verification Loop (MANDATORY FOR EVERY FINDING)
+
+After writing a fix:
+
+1. Re-run the SAME pattern search or gate check that triggered the finding.
+2. Confirm the finding no longer fires.
+3. If the finding still fires: fix again. Do NOT proceed to the next finding.
+4. Write to the coverage manifest: `{ "finding": "ID", "fixedAt": "path:line", "verifiedClean": true }`
+
+You CANNOT mark a finding "resolved" without a verified-clean gate re-run.
+
+### Step 5 — All-or-Nothing Fix Mandate
+
+If a finding CANNOT be fixed in this session (architectural change required):
+
+- The gate check for that attack class MUST remain failing (do NOT suppress).
+- Write a detailed remediation plan to `.mcp/agent-runs/{runId}/deferred-fixes.json`.
+- Create a risk-acceptance record: `{ "finding": "ID", "owner": "...", "ticket": "...", "dueDate": "...", "compensatingControl": "..." }`
+- The merge gate MUST block on this finding until the ticket is closed.
+
+**No finding is ever "noted and moved on." It is either FIXED or BLOCKED.**
+
+---
+
 ## ROLE
 
 You are a **Senior Security Engineer**. Your operating ratio is **90% fixing, 10% advisory**.

package/skills/appsec-code-auditor/SKILL.md

@@ -79,6 +79,41 @@ If internet permitted:
 - Fetch GitHub Security Advisories for top dependencies
 - Fetch OWASP Testing Guide for any new test categories since last cached intel
 
+## §ZERO-MISS COVERAGE MANDATE (REQUIRED — RUNS BEFORE SUB-AGENTS)
+
+### 1. Enumerate All Files
+
+Before spawning sub-agents, glob all source files and write `.mcp/agent-runs/{agentRunId}/coverage-manifest.json`. Sub-agents receive the manifest and each must mark files as `reviewed` as they process them.
+
+### 2. Assign File Ownership
+
+Divide the manifest among sub-agents by directory. Each sub-agent is responsible for marking its assigned files as reviewed. No file is left unowned.
+
+### 3. Coverage Checkpoint
+
+After all sub-agents complete, read the manifest. If any file shows status `"pending"`, investigate it yourself before writing `appsec-findings.json`.
+
+### 4. Taint Map
+
+Write `taint-map.json` yourself for all cross-file dataflows detected. Sub-agents write their local taint entries; you synthesize into the full map.
+
+### 5. Negative Assertion Table
+
+Before writing `appsec-findings.json`, write a table covering EVERY attack class from §12/§13/§17 plus: SQL, NoSQL, LDAP, OS cmd, SSTI, XXE, prototype pollution, open redirect, JWT alg confusion, PKCE, session fixation, deserialization, path traversal, CRLF, log injection, HTTP smuggling.
+
+| Attack Class | Files Checked | Patterns Used | Result |
+|---|---|---|---|
+| SQL Injection | N/total | queryRaw, string concat | CLEAN |
+| ... | | | |
+
+### 6. Fix Verification
+
+After sub-agents write fixes, personally re-run the gate check patterns for every HIGH/CRITICAL finding. Do not trust sub-agent confirmation — verify independently.
+
+### 7. Zero Open Findings Rule
+
+You cannot call `orchestration.update_agent_status("completed")` while any HIGH/CRITICAL finding remains without: (a) a committed fix with verified-clean re-check written to the output, OR (b) a risk-acceptance record in `deferred-fixes.json` AND a failing gate check blocking merge.
+
 ## OUTPUT FORMAT
 
 Write `.mcp/agent-runs/{agentRunId}/appsec-findings.json` following the AgentFindingsFile schema.

package/skills/auth-session-hacker/SKILL.md

@@ -85,3 +85,29 @@ Write working exploits before fixes.
 - Auth mechanism affected, attack vector, working exploit
 - Fixed code written inline
 - §12 controls covered per finding
+
+---
+
+## §JWT-CHAIN — 5 Specific JWT Attack Techniques
+
+1. **Algorithm confusion (HS/RS)**: Obtain RS256 token → modify header to `alg: HS256` → sign with public key as HMAC secret → submit. Verify server accepts it (CVE-2015-9235 pattern).
+2. **`kid` path injection**: Set `{"kid": "../../dev/null"}` in header → HMAC with empty string as secret → forge arbitrary payload.
+3. **`jku` injection**: Set `{"jku": "https://attacker.example.com/jwks.json"}` → supply JWKS with attacker's public key → forge tokens signed by attacker's private key.
+4. **`x5c` injection**: Embed attacker-controlled certificate in `x5c` header → server trusts the embedded cert for signature verification.
+5. **Expired token acceptance**: Submit token with `exp` 1 second in the past, then 1 hour in the past. Server must reject both.
+**Required fix**: `jwt.verify(token, key, { algorithms: ['RS256'] })` — always pin algorithm.
+
+## §OAUTH-ADVANCED — 5 Specific OAuth Attack Scenarios
+
+1. **PKCE downgrade**: Send `code_challenge_method=plain` — does server accept it? Crack verifier by brute-force (plain method = no hashing).
+2. **Authorization code reuse**: Submit the same authorization code twice within the validity window. Server must reject the second use.
+3. **Token audience bypass**: Take a token issued for Service A. Present it to Service B. Does Service B accept it (missing `aud` validation)?
+4. **Open `redirect_uri` via suffix**: Register `https://example.com` and submit `redirect_uri=https://example.com.evil.com/callback` — does server accept it?
+5. **OAuth SSRF via callback**: Submit `redirect_uri=http://169.254.169.254/latest/meta-data/` — does the server fetch it during the callback flow?
+
+## §SAML — 4 Specific SAML Attack Scenarios
+
+1. **XML signature wrapping**: Move the signed `<Assertion>` to a position not covered by the reference in `<SignedInfo>`, insert unsigned malicious assertion in the signed position. Does the SP accept the unsigned assertion?
+2. **Comment injection**: Username `user@example.com<!--->admin@example.com` — does the XML parser strip the comment and authenticate as admin?
+3. **Namespace confusion**: Use `ds:Reference` instead of `Reference` in `<SignedInfo>` — does signature verification fail silently, accepting the unsigned response?
+4. **Assertion replay**: Submit a valid SAML assertion after its `NotOnOrAfter` timestamp using clock skew tolerance. Does the SP accept it?

package/skills/injection-specialist/SKILL.md

@@ -60,3 +60,32 @@ Cover §13 input validation and §17 file handling completely.
 - Working exploit payload
 - Fixed code written inline
 - §13/§17 section covered
+
+---
+
+## §POLYGLOT — Single Payload, Multiple Sinks
+
+For every input that reaches multiple contexts, use a polyglot payload to detect multiple vulnerabilities simultaneously:
+
+- `'"><script>{{7*7}}</script><!--` — detects SQL injection + XSS + SSTI in one request
+- `; ls /tmp #` — detects OS command injection + SQL injection (comment-based)
+- `../../../etc/passwd` — detects path traversal in any file context
+
+For each input: run ALL injection classes, not just the obvious one. A form field that looks like it's only for names can be an SSTI sink in the email template renderer.
+
+## §HTTP-SMUGGLING
+
+1. Detect the proxy chain: identify nginx/HAProxy/ELB/Cloudflare versions from response headers and error pages
+2. Test CL.TE: send request with `Content-Length: 6` and `Transfer-Encoding: chunked` with body `0\r\n\r\nX` — observe if backend processes the prefix
+3. Test TE.CL: chunked body that overflows into the next request parsed by the backend
+4. Test H2.CL: HTTP/2 request with `content-length` header mismatching actual body size — downgraded to HTTP/1.1
+5. **Impact**: request queue poisoning lets attacker prepend arbitrary headers/body to the next user's request — steal cookies, hijack session, poison cache
+
+## §PROTO-CHAIN — Prototype Pollution to Privilege Escalation
+
+1. Identify every endpoint that merges user-controlled data into a plain JS object (_.merge, Object.assign, spread)
+2. Send payload: `POST /settings` with body `{"__proto__": {"isAdmin": true}}`
+3. Identify downstream authorization check that reads `options.isAdmin` or `user.role`
+4. Confirm: does a subsequent `GET /admin` return 200 instead of 403?
+5. **Client-side variant**: URL hash → `JSON.parse` → unsafe assign → `if (config.admin)` → privilege escalation in SPA
+6. **Required fix**: use `Object.create(null)` + Zod schema parse before every merge

package/skills/pentest-infra/SKILL.md

@@ -59,6 +59,49 @@ Test network segmentation — can a compromised workload reach things it shouldn
 - **GKE + Workload Identity misconfigured:** Default SA with `cloud-platform` scope →
   enumerate all GCP resources in the project
 
+## §CONTAINER-ESCAPE
+
+Test all of the following container escape vectors:
+1. `CAP_SYS_ADMIN` → mount host filesystem → read `/etc/shadow` or inject crontab
+2. `hostPID:true` → `nsenter` into init process → host root shell
+3. `privileged:true` → create device node → full kernel access
+4. `/var/run/docker.sock` mounted → escape to host Docker, spawn privileged container
+5. Exposed `/proc/sysrq-trigger`, `/proc/mem` → kernel manipulation
+
+**Required fix**: drop all capabilities, set `privileged:false`, remove docker.sock mount, apply seccomp + AppArmor profile.
+
+## §SSRF-CHAIN — Full SSRF to Credential Theft Chain
+
+1. Find all server-side HTTP clients accepting user-supplied URLs (fetch, axios, got, http.request)
+2. Test: can the URL reach 169.254.169.254? → GET `latest/meta-data/iam/security-credentials/`
+3. IMDSv2 bypass attempts: X-Forwarded-For injection, redirect-follow chaining, DNS rebinding
+4. Document the full chain: SSRF → stolen IAM credentials → AWS API calls with those creds → impact
+5. **Required fix**: URL allowlist by hostname; disable IMDSv1 (HttpTokens=required)
+
+## §SERVERLESS
+
+1. Lambda/Cloud Run execution role: enumerate permissions via `sts:GetCallerIdentity` + `iam:SimulatePrincipalPolicy`
+2. Event injection: if Lambda triggered by S3/SQS/SNS, can attacker-controlled event data reach dangerous sinks?
+3. Cold-start secrets in `/tmp`: check if previous invocation left sensitive files accessible
+4. Env var extraction via SSRF or injection: `GET /env` or SSRF to `http://localhost:{port}/env`
+5. **Required fix**: minimum execution role, no secrets in env vars, validate all event data with schema
+
+## §TF-STATE — Terraform State Extraction
+
+1. Download the actual state file from the configured backend (S3/Terraform Cloud) now — not hypothetically
+2. Search for: `aws_db_instance.master_password`, `secretsmanager_secret_version.secret_string`, RDS/Redis passwords
+3. Check S3 backend bucket policy: who can `s3:GetObject`? Is it public? Is versioning enabled?
+4. DynamoDB lock table: can an attacker prevent infrastructure changes by holding the lock?
+5. **Required fix**: enable S3 server-side encryption + block public access; scope `s3:GetObject` to CI role only
+
+## §CLOUD-LATERAL — Cross-Account and Service Mesh Lateral Movement
+
+1. GitHub Actions OIDC → AWS role: is `sub` claim validated with exact `repo:org/name:ref:refs/heads/main`?
+2. `sts:AssumeRoleWithWebIdentity` from GCP/GitHub: is audience (`aud`) claim validated?
+3. Service mesh egress: can a compromised service reach services outside its `ServiceEntry` or `NetworkPolicy`?
+4. Cross-account trust: enumerate all IAM roles with trust policies allowing external principals — any unexpected?
+5. **Required fix**: pin GitHub Actions OIDC trust policy to exact repo + branch + environment condition
+
 ## OUTPUT
 
 `AgentFinding[]` array with infrastructure findings. Each includes: