security-mcp 1.1.3 → 1.3.1

Files changed (133)
  1. package/README.md +164 -185
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/control-catalog.json +200 -0
  9. package/defaults/security-policy.json +2 -2
  10. package/dist/cli/index.js +82 -5
  11. package/dist/cli/install.js +36 -6
  12. package/dist/cli/onboarding.js +6 -0
  13. package/dist/gate/baseline.js +82 -7
  14. package/dist/gate/catalog.js +10 -2
  15. package/dist/gate/checks/ai.js +757 -39
  16. package/dist/gate/checks/auth-deep.js +935 -0
  17. package/dist/gate/checks/business-logic.js +751 -0
  18. package/dist/gate/checks/ci-pipeline.js +399 -4
  19. package/dist/gate/checks/crypto.js +423 -2
  20. package/dist/gate/checks/dependencies.js +571 -15
  21. package/dist/gate/checks/graphql.js +201 -19
  22. package/dist/gate/checks/infra.js +246 -1
  23. package/dist/gate/checks/injection-deep.js +848 -0
  24. package/dist/gate/checks/k8s.js +114 -1
  25. package/dist/gate/checks/mobile-android.js +917 -3
  26. package/dist/gate/checks/mobile-ios.js +797 -5
  27. package/dist/gate/checks/required-artifacts.js +194 -0
  28. package/dist/gate/checks/runtime.js +178 -0
  29. package/dist/gate/checks/secrets.js +244 -13
  30. package/dist/gate/checks/supply-chain-deep.js +787 -0
  31. package/dist/gate/checks/web-nextjs.js +572 -48
  32. package/dist/gate/diff.js +17 -5
  33. package/dist/gate/evidence.js +8 -1
  34. package/dist/gate/exceptions.js +131 -9
  35. package/dist/gate/policy.js +282 -129
  36. package/dist/mcp/audit-chain.js +122 -28
  37. package/dist/mcp/auth.js +169 -0
  38. package/dist/mcp/learning.js +129 -4
  39. package/dist/mcp/model-router.js +158 -21
  40. package/dist/mcp/orchestration.js +186 -51
  41. package/dist/mcp/server.js +608 -94
  42. package/dist/repo/fs.js +24 -1
  43. package/dist/repo/search.js +31 -6
  44. package/dist/review/store.js +52 -1
  45. package/package.json +7 -7
  46. package/prompts/SECURITY_PROMPT.md +73 -0
  47. package/skills/_TEMPLATE/SKILL.md +99 -0
  48. package/skills/advanced-dos-tester/SKILL.md +109 -0
  49. package/skills/agentic-loop-exploiter/SKILL.md +368 -0
  50. package/skills/ai-llm-redteam/SKILL.md +104 -0
  51. package/skills/ai-model-supply-chain-agent/SKILL.md +103 -0
  52. package/skills/algorithm-implementation-reviewer/SKILL.md +98 -0
  53. package/skills/android-penetration-tester/SKILL.md +455 -46
  54. package/skills/anti-replay-tester/SKILL.md +106 -0
  55. package/skills/appsec-code-auditor/SKILL.md +120 -0
  56. package/skills/artifact-integrity-analyst/SKILL.md +441 -0
  57. package/skills/attack-navigator/SKILL.md +467 -8
  58. package/skills/auth-session-hacker/SKILL.md +128 -0
  59. package/skills/aws-penetration-tester/SKILL.md +456 -0
  60. package/skills/azure-penetration-tester/SKILL.md +490 -3
  61. package/skills/binary-auth-validator/SKILL.md +111 -0
  62. package/skills/bot-detection-specialist/SKILL.md +109 -0
  63. package/skills/business-logic-attacker/SKILL.md +231 -0
  64. package/skills/capec-code-mapper/SKILL.md +84 -0
  65. package/skills/cert-pin-rotation-specialist/SKILL.md +112 -0
  66. package/skills/cicd-pipeline-hijacker/SKILL.md +405 -0
  67. package/skills/ciso-orchestrator/SKILL.md +454 -43
  68. package/skills/cloud-infra-specialist/SKILL.md +118 -0
  69. package/skills/compliance-gap-analyst/SKILL.md +422 -0
  70. package/skills/compliance-grc/SKILL.md +85 -0
  71. package/skills/compliance-lifecycle-tracker/SKILL.md +84 -0
  72. package/skills/credential-stuffing-specialist/SKILL.md +102 -0
  73. package/skills/crypto-pki-specialist/SKILL.md +87 -0
  74. package/skills/csa-ccm-mapper/SKILL.md +84 -0
  75. package/skills/csf2-governance-mapper/SKILL.md +84 -0
  76. package/skills/deep-link-fuzzer/SKILL.md +109 -0
  77. package/skills/dependency-confusion-attacker/SKILL.md +415 -0
  78. package/skills/device-integrity-aggregator/SKILL.md +108 -0
  79. package/skills/dos-resilience-tester/SKILL.md +97 -0
  80. package/skills/dread-scorer/SKILL.md +84 -0
  81. package/skills/egress-policy-enforcer/SKILL.md +99 -0
  82. package/skills/evidence-collector/SKILL.md +98 -0
  83. package/skills/file-upload-attacker/SKILL.md +109 -0
  84. package/skills/gcp-penetration-tester/SKILL.md +459 -2
  85. package/skills/git-history-secret-scanner/SKILL.md +106 -0
  86. package/skills/iam-privesc-graph-builder/SKILL.md +152 -0
  87. package/skills/incident-responder/SKILL.md +111 -0
  88. package/skills/injection-specialist/SKILL.md +131 -0
  89. package/skills/ios-security-auditor/SKILL.md +282 -0
  90. package/skills/json-ambiguity-tester/SKILL.md +0 -0
  91. package/skills/k8s-container-escaper/SKILL.md +384 -0
  92. package/skills/key-management-lifecycle-analyst/SKILL.md +98 -0
  93. package/skills/kill-switch-engineer/SKILL.md +102 -0
  94. package/skills/linddun-privacy-analyst/SKILL.md +102 -0
  95. package/skills/logic-race-fuzzer/SKILL.md +443 -0
  96. package/skills/mobile-api-network-attacker/SKILL.md +421 -0
  97. package/skills/mobile-binary-hardener/SKILL.md +102 -0
  98. package/skills/mobile-security-specialist/SKILL.md +85 -0
  99. package/skills/mobile-webview-auditor/SKILL.md +96 -0
  100. package/skills/model-extraction-attacker/SKILL.md +219 -0
  101. package/skills/multipart-abuse-tester/SKILL.md +84 -0
  102. package/skills/oauth-pkce-specialist/SKILL.md +104 -0
  103. package/skills/parser-exhaustion-tester/SKILL.md +142 -0
  104. package/skills/pentest-infra/SKILL.md +141 -0
  105. package/skills/pentest-social/SKILL.md +201 -0
  106. package/skills/pentest-team/SKILL.md +134 -0
  107. package/skills/pentest-web-api/SKILL.md +151 -0
  108. package/skills/privacy-flow-analyst/SKILL.md +234 -0
  109. package/skills/prompt-injection-specialist/SKILL.md +394 -0
  110. package/skills/quantum-migration-planner/SKILL.md +96 -0
  111. package/skills/rag-poisoning-specialist/SKILL.md +358 -0
  112. package/skills/registry-mirror-enforcer/SKILL.md +84 -0
  113. package/skills/rotation-validation-agent/SKILL.md +112 -0
  114. package/skills/samm-assessor/SKILL.md +85 -0
  115. package/skills/secrets-mask-bypass-tester/SKILL.md +100 -0
  116. package/skills/senior-security-engineer/SKILL.md +370 -2
  117. package/skills/serialization-memory-attacker/SKILL.md +332 -0
  118. package/skills/session-timeout-tester/SKILL.md +161 -0
  119. package/skills/slsa-level3-enforcer/SKILL.md +112 -0
  120. package/skills/slsa-provenance-enforcer/SKILL.md +102 -0
  121. package/skills/ssrf-detection-validator/SKILL.md +108 -0
  122. package/skills/step-up-auth-enforcer/SKILL.md +84 -0
  123. package/skills/stride-pasta-analyst/SKILL.md +420 -0
  124. package/skills/supply-chain-devsecops/SKILL.md +98 -0
  125. package/skills/threat-infrastructure-analyst/SKILL.md +84 -0
  126. package/skills/threat-modeler/SKILL.md +85 -0
  127. package/skills/tls-certificate-auditor/SKILL.md +573 -18
  128. package/skills/token-reuse-detector/SKILL.md +95 -0
  129. package/skills/trike-risk-modeler/SKILL.md +84 -0
  130. package/skills/unicode-homograph-tester/SKILL.md +84 -0
  131. package/skills/waf-rule-lifecycle-agent/SKILL.md +97 -0
  132. package/skills/webhook-security-tester/SKILL.md +102 -0
  133. package/skills/zero-trust-architect/SKILL.md +109 -0
@@ -146,3 +146,88 @@ Structure:
146
146
  - `releaseBlocked`: boolean
147
147
  - `releaseBlockers[]`: specific findings preventing release
148
148
  - `evidencePaths[]`: file paths of generated evidence artifacts
149
+
150
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
151
+ ```json
152
+ {
153
+ "intelligenceForOtherAgents": {
154
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
155
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
156
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
157
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
158
+ }
159
+ }
160
+ ```
161
+
162
+ ## LEARNING SIGNAL
163
+
164
+ On every finding resolved, emit:
165
+ ```json
166
+ {
167
+ "findingId": "FINDING_ID",
168
+ "agentName": "AGENT_NAME",
169
+ "resolved": true,
170
+ "remediationTemplate": "one-line description of what was done",
171
+ "falsePositive": false
172
+ }
173
+ ```
174
+ Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
175
+
176
+ ---
177
+
178
+ ## §EDGE-CASE-MATRIX
179
+
180
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
181
+
182
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
183
+ |---|-----------|----------------------|---------------|
184
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
185
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
186
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
187
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
188
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
189
+
190
+ ## §TEMPORAL-THREATS
191
+
192
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
193
+
194
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
195
+ |--------|--------------|--------------------------|----------------|
196
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
197
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
198
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
199
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
200
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
201
+
202
+ ## §DETECTION-GAP
203
+
204
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
205
+
206
+ **Standard gaps that MUST be checked:**
207
+
208
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
209
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
210
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
211
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
212
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
213
+
214
+ ## §ZERO-MISS-MANDATE
215
+
216
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
217
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
218
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
219
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
220
+
221
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
222
+
223
+ The output findings JSON MUST include a `coverageManifest` key:
224
+ ```json
225
+ {
226
+ "coverageManifest": {
227
+ "attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
228
+ "filesReviewed": 47,
229
+ "negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
230
+ "uncoveredReason": {}
231
+ }
232
+ }
233
+ ```
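Review bot: the `coverageManifest` example at the end of this hunk leaves `uncoveredReason` as an empty object with no documented shape, while the per-item output format a few lines above requires `SKIPPED: [reason — must be "not applicable: [evidence]"]`; define it as a map from attack class name to that evidence string, and say whether the top-level `filesReviewed` or the per-class value is authoritative, so the orchestrator can enforce "Silent skip = FAILED COVERAGE" mechanically rather than by reading prose. Two smaller points in the §TEMPORAL-THREATS table: the CRQC row's relevance cell is about signatures (RSA/ECDSA-signed keys being broken) but its remedy is ML-KEM (FIPS 203), which is a key-encapsulation mechanism and addresses confidentiality only; forged signatures need ML-DSA (FIPS 204), as the compliance-lifecycle hunk later in this diff already states. And in the edge-case table, the U+FF1C homoglyph example renders as a plain ASCII `<`, so either the fullwidth character was lost or the example is a no-op; confirm the committed file actually contains the fullwidth form.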
@@ -21,6 +21,19 @@ Track compliance posture continuously. Detect control drift (controls that exist
21
21
  Covers: §23 (ongoing compliance monitoring), §22 (security governance metrics) fully.
22
22
  Beyond SKILL.md: Continuous control monitoring (CCM), audit evidence collection automation, auditor communication templates.
23
23
 
24
+ ## BEYOND SKILL.MD
25
+
26
+ Domain-specific expansions beyond the baseline mandate — each item cites a specific CVE, technique, tool, or research finding:
27
+
28
+ - **CVE-2024-27322 (R lang RDS deserialization)** — compliance evidence repositories that accept uploaded artefacts (e.g., pentest reports, vendor questionnaires) may process files through pipeline tooling vulnerable to deserialization. Validate that evidence ingestion pipelines strip executable content before storage.
29
+ - **NIST IR 8441 (Continuous Compliance Automation)** — the 2024 NIST draft defines machine-readable control assertions (OSCAL format). Compliance artefacts not expressed in OSCAL become un-diffable, making drift detection manual and error-prone. Generate OSCAL Component Definitions alongside human-readable dashboards.
30
+ - **Technique T1078.004 (Cloud Account valid credentials abuse in audit windows)** — adversaries time access to coincide with annual access-review windows when temporary elevated permissions are granted for audit evidence collection. Flag any IAM changes made within ±7 days of an audit period close date.
31
+ - **GDPR Article 83 — Supervisory Authority enforcement surge (2024–2025)** — enforcement actions against organisations with incomplete Records of Processing Activities (RoPAs) reached €1.2B in fines in 2024. Verify RoPA completeness as a first-class compliance control, not documentation housekeeping.
32
+ - **PCI DSS v4.0 Requirement 6.4.3 / 11.6.1 (script integrity and change-detection, effective March 2025)** — all payment-page JavaScript must have an authorisation mechanism and integrity attribute. Compliance drift occurs silently when third-party tag managers inject new scripts outside the change-management process. Add a Content-Security-Policy `require-trusted-types-for 'script'` check to the drift detector.
33
+ - **AI-era threat — LLM-assisted audit gaming**: Adversaries (including insiders) use LLMs to generate plausible-looking but fabricated evidence artefacts (screenshots, log exports, training completion certificates). Implement hash-chaining and tamper-evident storage (e.g., Sigstore Rekor transparency log) for all compliance evidence files; a document that cannot be independently verified is not audit-ready.
34
+ - **Post-quantum risk to long-lived compliance records**: Compliance artefacts signed with RSA-2048 or ECDSA today (audit reports, certificates, attestations) will be forgeable once a CRQC exists. Organisations operating under HIPAA, FedRAMP, or DoD requirements have record-retention windows of 6–10 years, placing them squarely in the harvest-now-decrypt-later risk window. Begin migrating evidence signing to ML-DSA (FIPS 204) for any artefact with a retention requirement beyond 2030.
35
+ - **EU AI Act Article 17 (Quality Management System obligation, applicable 2026)** — high-risk AI systems must maintain compliance documentation equivalent to ISO 9001 QMS, including logs of training data provenance, human-oversight records, and incident reports. This creates a new compliance lifecycle track distinct from SOC 2 / ISO 27001. Identify AI features in the product and open a parallel AI Act compliance stream in the tracker.
36
+
24
37
  ## LEARNING SIGNAL
25
38
 
26
39
  On every finding resolved, emit:
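Review bot: the PCI DSS 6.4.3 / 11.6.1 bullet proposes a `require-trusted-types-for 'script'` CSP check as the drift detector, but that directive governs DOM sink assignments (Trusted Types), not which external scripts a payment page is authorised to load; the requirement's authorisation, integrity and inventory language maps to an SRI `integrity` attribute on each script tag plus a `script-src` allowlist, so those should be the detector's inputs. The CVE-2024-27322 bullet has a similar mismatch: stripping "executable content" from uploaded artefacts does not mitigate a deserialization bug, which is triggered by parsing the file format itself; the control is that the evidence pipeline never feeds uploaded files to a native deserializer and stores them as opaque blobs. Also, the "€1.2B in fines in 2024" figure and the "NIST IR 8441 (Continuous Compliance Automation)" identifier are given without a source; add citations, since the section's own rule is that each item cites a specific reference, and double-check that IR 8441 is the document intended.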
@@ -167,3 +180,74 @@ jobs:
167
180
  - `requiredActions`: ordered action list with framework and deadline
168
181
  - `complianceImpact`: all affected frameworks
169
182
  - `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
183
+
184
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
185
+ ```json
186
+ {
187
+ "intelligenceForOtherAgents": {
188
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
189
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
190
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
191
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
192
+ }
193
+ }
194
+ ```
195
+
196
+ ---
197
+
198
+ ## §EDGE-CASE-MATRIX
199
+
200
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
201
+
202
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
203
+ |---|-----------|----------------------|---------------|
204
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
205
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
206
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
207
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
208
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
209
+
210
+ ## §TEMPORAL-THREATS
211
+
212
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
213
+
214
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
215
+ |--------|--------------|--------------------------|----------------|
216
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
217
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
218
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
219
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
220
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
221
+
222
+ ## §DETECTION-GAP
223
+
224
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
225
+
226
+ **Standard gaps that MUST be checked:**
227
+
228
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
229
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
230
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
231
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
232
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
233
+
234
+ ## §ZERO-MISS-MANDATE
235
+
236
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
237
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
238
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
239
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
240
+
241
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
242
+
243
+ The output findings JSON MUST include a `coverageManifest` key:
244
+ ```json
245
+ {
246
+ "coverageManifest": {
247
+ "attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
248
+ "filesReviewed": 47,
249
+ "negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
250
+ "uncoveredReason": {}
251
+ }
252
+ }
253
+ ```
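Review bot: everything after the `beyondSkillMd` line in this hunk is a verbatim copy of the §EDGE-CASE-MATRIX, §TEMPORAL-THREATS, §DETECTION-GAP and §ZERO-MISS-MANDATE block from the first hunk, including the SQL injection `coverageManifest` example and the web-injection edge cases, which do not fit a skill whose findings schema is `requiredActions` / `complianceImpact`; either tailor the tables to this domain the way the credential-stuffing hunk does, or move the shared block into `package/skills/_TEMPLATE/SKILL.md` (added in this release) and reference it, so the copies cannot drift apart. The `intelligenceForOtherAgents` example is also copied with `"..."` placeholders in every field; at minimum the `forComplianceGrc` entry should carry the real framework identifiers this skill reports against.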
@@ -190,3 +190,105 @@ If internet permitted:
190
190
  - `requiredActions`: ordered action list
191
191
  - `complianceImpact`: framework mappings
192
192
  - `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
193
+
194
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
195
+ ```json
196
+ {
197
+ "intelligenceForOtherAgents": {
198
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "Auth endpoint with no per-account rate limit — ready for automated spray", "exploitHint": "Use 1 password across all accounts, one request per account per 15 min — never triggers IP limits" }],
199
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "SHA-1 (HIBP k-anonymity range API — acceptable here; flag if SHA-1 used elsewhere for auth token signing)", "location": "HIBP integration module" }],
200
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "HIBP outage fallback — confirm fetch() cannot be redirected to internal metadata endpoint", "escalationPath": "If HIBP URL is configurable via env var without validation, attacker can redirect to 169.254.169.254" }],
201
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["PCI DSS Req 8.3.4", "NIST AC-7", "SOC 2 CC6.6"], "releaseBlock": true }]
202
+ }
203
+ }
204
+ ```
205
+
206
+ ---
207
+
208
+ ## BEYOND SKILL.MD — MANDATORY EXPANSIONS
209
+
210
+ - **AI-Generated Combo List Amplification (ATT&CK T1586.002 — Compromise Accounts: Email Accounts):** LLMs trained on breach data (RockYou2024 + LinkedIn scrapes) generate hyper-personalised candidate passwords by combining targets' names, employers, birth years, and hobby keywords — defeating entropy-based rejection rules. Test by: construct a 500-entry wordlist using the target account's publicly-visible OSINT (LinkedIn profile, social handles, known pet names) and run it against the login endpoint; any successful authentication within the first 100 guesses constitutes a finding. Finding threshold: >0 successful logins from OSINT-derived guesses not blocked by per-account rate limiting.
211
+
212
+ - **Residential Proxy Botnets Evading IP Reputation (ATT&CK T1090.002 — Proxy: External Proxy; real-world: 2023 Okta credential stuffing via IPRoyal/Luminati):** Commercial residential proxy networks (Bright Data, IPRoyal) cycle through millions of legitimate ISP IPs, rendering blocklists and GeoIP controls ineffective. Each attack IP appears only once, under all per-IP rate limits. Test by: replay 100 authentication attempts against one account using 100 distinct source IPs (simulate with X-Forwarded-For headers in a controlled environment); confirm per-account counter triggers lockout at threshold regardless of source IP diversity. Finding threshold: account lockout not triggered after 10+ failures from distinct IPs.
213
+
214
+ - **OAuth Token Grant Credential Stuffing Bypassing MFA Step-Up (ATT&CK T1110.004 — Credential Stuffing; CVE-2022-29244 — node-jsonwebtoken algorithm confusion):** Applications enforcing TOTP/WebAuthn on password-based login often skip step-up MFA on the OAuth `password` grant flow or on token refresh — attacker stuffs credentials directly against `/oauth/token?grant_type=password`, receiving a valid bearer token without MFA challenge. Test by: issue a direct POST to the OAuth token endpoint with stuffed credentials bypassing the UI login flow; confirm MFA enforcement applies equally to the OAuth grant endpoint. Finding threshold: successful token issuance without MFA challenge for any account with MFA enrolled.
215
+
216
+ - **Supply Chain Risk in Auth Middleware Libraries (SLSA / US EO 14028; real-world: 2021 ua-parser-js npm hijack, CVE-2021-41265 next-auth CSRF bypass):** Credential stuffing controls implemented in npm-distributed auth libraries (passport.js, next-auth, express-rate-limit) are only as trustworthy as the library's build provenance; a compromised release can silently disable rate limiting or lockout logic. Test by: run `npm audit` + verify SLSA provenance attestation (`cosign verify-attestation`) for every auth dependency; diff the installed tarball hash against the registry manifest. Finding threshold: any auth dependency lacking a verifiable build provenance attestation or carrying a known CVE with CVSS >= 7.0.
217
+
218
+ - **Harvest-Now-Crack-Later Against Bcrypt Hash Databases (Post-Quantum; NIST IR 8105; ATT&CK T1552.001 — Credentials In Files):** While bcrypt/Argon2id are not broken by current quantum hardware, adversaries exfiltrating password hash databases today plan to crack them once Cryptographically Relevant Quantum Computers (CRQCs) reduce bcrypt's effective work factor — particularly for hashes with cost factor < 12 or SHA-1/MD5 legacy hashes. Test by: grep the codebase and database schema for hash storage columns; verify Argon2id with memory-cost >= 65536 (64 MB) and time-cost >= 3; flag any bcrypt cost < 12, any MD5/SHA-1 password hash, and any unencrypted hash storage at rest. Finding threshold: any password hash stored with a work factor below the 2025 OWASP minimum recommendation.
219
+
220
+ - **Regulatory Credential Breach Notification Gaps (GDPR Art. 33 / CCPA / NY SHIELD Act; real-world: 2023 $1.3M FTC penalty against BetterHelp for credential misuse):** Organisations detecting a credential stuffing attack that results in unauthorised access to personal data are required to notify regulators within 72 hours (GDPR) or "in the most expedient time possible" (CCPA/NY SHIELD), yet most incident-response runbooks lack automated detection-to-notification pipelines for credential-based account takeovers. Test by: trigger a simulated mass account-takeover event (>50 accounts, >5 jurisdictions) and measure time from first anomaly alert to draft regulatory notification being generated; verify the IR playbook explicitly covers credential stuffing as a notifiable breach trigger. Finding threshold: no automated ATO detection-to-notification pipeline present, or IR playbook does not classify credential stuffing ATOs as potentially notifiable events.
221
+
222
+ ---
223
+
224
+ ## §EDGE-CASE-MATRIX
225
+
226
+ The 5 credential stuffing attack cases that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
227
+
228
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
229
+ |---|-----------|----------------------|---------------|
230
+ | 1 | Per-account rate limit bypass via username normalisation | Rate limiter keys on raw username string; attacker submits `User@example.com`, `user@example.com`, `USER@example.com` as three separate accounts — all hit the same real account | Submit the same credential set with case and Unicode variants of the username; confirm all variants share the same rate-limit bucket after normalisation |
231
+ | 2 | Credential stuffing through password-reset flow | Rate limiting applied only to `/login`; the password-reset endpoint accepts unlimited email lookups, revealing valid accounts and enabling account enumeration at scale | Send 500 reset requests for unknown emails; confirm response timing and body are identical to known emails and that no lockout triggers |
232
+ | 3 | OAuth / SSO silent bypass — stuffed credential bypasses MFA step-up | App enforces MFA for password-based login but skips it for OAuth flows; attacker stuffs credentials against the OAuth token exchange endpoint directly | Obtain a valid access token via password grant then replay it — confirm step-up MFA fires if new device signal is present on the OAuth flow too |
233
+ | 4 | Residential proxy rotation below per-IP threshold — account lockout never fires | Rate limiter counts per IP, not per account; each proxy IP sees only 1–2 requests, all under limit | Replay 50 login attempts against one account from 50 distinct IPs; confirm per-account counter (not per-IP) triggers lockout at threshold |
234
+ | 5 | HIBP check only on registration, not on breach-notification ingest | Passwords breached after account creation are never re-checked; users with newly-breached passwords remain undetected until next password change | Simulate a new breach event and confirm the system either re-checks existing passwords against the updated HIBP range set or forces a password reset via notification |
235
+
236
+ ## §TEMPORAL-THREATS
237
+
238
+ Threats materialising in the 2025–2030 window that defences designed today must account for in the credential stuffing domain.
239
+
240
+ | Threat | Est. Timeline | Relevance to Credential Stuffing | Prepare Now By |
241
+ |--------|--------------|----------------------------------|----------------|
242
+ | LLM-generated credential combo lists | 2025–2027 (active) | Attackers use LLMs to generate highly personalised credential guesses from OSINT (LinkedIn, social, breach data) — entropy-based password checks insufficient | Deploy zxcvbn v4+ with site-specific dictionaries; add ML anomaly scoring on login velocity patterns |
243
+ | Cryptographically Relevant Quantum Computer (CRQC) breaks password hashing benchmarks | 2028–2032 | Bcrypt/Argon2 are compute-bound; CRQC does not directly break them, but accelerates offline cracking of stolen hash databases — harvest-now-crack-later attacks | Ensure Argon2id with memory ≥64 MB; inventory all bcrypt/MD5/SHA-1 password hashes in legacy systems for migration |
244
+ | AI-powered residential proxy networks at commodity cost | 2025–2026 (active) | IP reputation blocklists become near-useless; attackers rotate through millions of legitimate residential IPs | Shift rate limiting entirely to account-level signals + device fingerprint; de-weight IP reputation as primary signal |
245
+ | Passkey / FIDO2 mandatory platform requirements (Apple, Google, Microsoft) | 2025–2026 | Password-based auth will be deprecated by default on major platforms — apps that don't support passkeys will face OS-level friction | Begin passkey migration; credential stuffing is structurally eliminated for passkey-enrolled users |
246
+ | Mandatory SBOM + build provenance for auth libraries (US EO 14028 / EU CRA) | 2025–2026 (active) | Auth dependencies (passport.js, next-auth, argon2) must have verifiable supply chain provenance | Achieve SLSA L2 for auth middleware; generate CycloneDX SBOM per release including transitive auth deps |
247
+
248
+ ## §DETECTION-GAP
249
+
250
+ What current security monitoring CANNOT detect in the credential stuffing domain, and what to build to close each gap.
251
+
252
+ **Gaps that MUST be checked:**
253
+
254
+ - **Low-and-slow distributed spray (one attempt per account, many IPs)**: Each individual request is under every rate limit threshold. No single IP triggers an alert. Need: per-account attempt counter stored in Redis (not in-process map) with a 24-hour window; alert when any account accumulates ≥5 failed attempts from ≥3 distinct IPs within the window.
255
+ - **Username enumeration via timing side-channel**: No log event emitted; only observable as a ~5–20 ms response-time difference between "user not found" and "wrong password" code paths. Need: constant-time comparison for auth response — use `crypto.timingSafeEqual` and add artificial jitter (50–200 ms random delay) on failed auth regardless of failure reason.
256
+ - **HIBP bypass via password mutation**: Attacker appends `!1` or `1` to a known-breached password — hash differs, HIBP returns clean. Need: zxcvbn mutation scoring alongside HIBP; reject passwords with edit-distance ≤2 from any known-breached password in the user's breach history.
257
+ - **Account takeover via "remember me" token stuffing**: Session tokens are long-lived; attacker stuffs leaked persistent tokens from breach dumps rather than passwords. Need: persistent token rotation on each use, with binding to device fingerprint; alert on token replays from a new device or new country without step-up verification.
258
+ - **Cross-agent chain — rate limit misconfiguration + verbose error**: Rate limiting finding from this agent + username enumeration finding from injection agent = full account enumeration at scale. Need: CISO orchestrator Phase 1 synthesis — correlate all agent findings before Phase 2 to surface compound attack chains.
259
+
260
+ ## §ZERO-MISS-MANDATE
261
+
262
+ This agent CANNOT declare any credential stuffing attack class clean without explicit evidence of checking. For each item, output one of:
263
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
264
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
265
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
266
+
267
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
268
+
269
+ **Required coverage checklist:**
270
+
271
+ | Attack Class | Required Grep Patterns | Minimum Files Reviewed |
272
+ |---|---|---|
273
+ | IP-only rate limiting | `req.ip`, `x-forwarded-for` as sole rate-limit key without `userId` or `accountId` | All auth route handlers |
274
+ | Missing per-account lockout | `loginAttempts`, `failedAttempts`, `tooManyAttempts` absent from auth handler | All login/auth files |
275
+ | HIBP check absent | `hibp`, `haveibeenpwned`, `pwnedpasswords` absent from password set/change flows | All password mutation endpoints |
276
+ | Username enumeration (timing) | `timingSafeEqual` absent; response time variance between "not found" and "wrong password" | Auth comparison functions |
277
+ | Verbose auth errors | Distinct error strings for user-not-found vs. wrong-password in response body | All auth error handlers |
278
+ | Persistent token not rotated | `rememberMe`, `refreshToken`, `persistentToken` — check for rotation on each use | Session / token management |
279
+ | No device fingerprint binding | Device fingerprint absent from per-account rate-limit key | Auth middleware |
280
+
281
+ The output findings JSON MUST include a `coverageManifest` key:
282
+ ```json
283
+ {
284
+ "coverageManifest": {
285
+ "attackClassesCovered": [
286
+ { "class": "Per-account rate limiting", "filesReviewed": 12, "patterns": ["userId.*rateLimit", "accountId.*limiter"], "result": "CLEAN" },
287
+ { "class": "HIBP breached password check", "filesReviewed": 5, "patterns": ["hibp", "pwnedpasswords", "haveibeenpwned"], "result": "2 findings, all fixed" }
288
+ ],
289
+ "filesReviewed": 17,
290
+ "negativeAssertions": ["IP-only rate limiting: req.ip without accountId searched across 12 auth files — 0 matches after fix"],
291
+ "uncoveredReason": {}
292
+ }
293
+ }
294
+ ```
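Review bot: the timing side-channel remedy in the §DETECTION-GAP bullet does not fix the code path it describes and should be replaced. A 5–20 ms gap between "user not found" and "wrong password" almost always comes from the not-found branch returning before the bcrypt/Argon2 verification runs; `crypto.timingSafeEqual` only compares two equal-length buffers and plays no part in a password-hash verify, and a random 50–200 ms delay is averaged away by an attacker who takes a few hundred samples per username. The fix is to always run the verifier, against a stored dummy hash when the lookup fails, so both branches cost one hash computation; the matching row in the ZERO-MISS table should then grep for an early return between the user lookup and the verify call rather than for `timingSafeEqual` being absent. Two smaller points: edge case 5's test ("re-checks existing passwords against the updated HIBP range set") cannot be done offline against salted Argon2/bcrypt hashes, because HIBP ranges are SHA-1 prefixes of the plaintext, so the re-check has to run at the next successful login when the plaintext is in hand and force the reset there; and edge case 3's concrete test says to "replay" a token, which does not exercise stuffing at all, so state it as submitting credential pairs to the `grant_type=password` token endpoint and confirming the same per-account counter and MFA step-up apply there as on `/login`.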
@@ -134,3 +134,90 @@ Write `.mcp/agent-runs/{agentRunId}/crypto-findings.json`
134
134
  Every finding includes: algorithm/primitive affected, CWE, CVSSv4, ATT&CK technique,
135
135
  proof of exploitability, fixed code written inline.
136
136
  Post-quantum readiness score included in summary.
137
+
138
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
139
+ ```json
140
+ {
141
+ "intelligenceForOtherAgents": {
142
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
143
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
144
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
145
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
146
+ }
147
+ }
148
+ ```
149
+
150
+ ---
151
+
152
+ ## LEARNING SIGNAL
153
+
154
+ On every finding resolved, emit:
155
+ ```json
156
+ {
157
+ "findingId": "FINDING_ID",
158
+ "agentName": "AGENT_NAME",
159
+ "resolved": true,
160
+ "remediationTemplate": "one-line description of what was done",
161
+ "falsePositive": false
162
+ }
163
+ ```
164
+ Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
165
+
166
+ ---
167
+
168
+ ## §EDGE-CASE-MATRIX
169
+
170
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
171
+
172
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
173
+ |---|-----------|----------------------|---------------|
174
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
175
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
176
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
177
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
178
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
179
+
180
+ ## §TEMPORAL-THREATS
181
+
182
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
183
+
184
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
185
+ |--------|--------------|--------------------------|----------------|
186
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
187
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
188
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
189
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
190
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
191
+
192
+ ## §DETECTION-GAP
193
+
194
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
195
+
196
+ **Standard gaps that MUST be checked:**
197
+
198
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
199
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
200
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
201
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
202
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
203
+
204
+ ## §ZERO-MISS-MANDATE
205
+
206
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
207
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
208
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
209
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
210
+
211
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
212
+
213
+ The output findings JSON MUST include a `coverageManifest` key:
214
+ ```json
215
+ {
216
+ "coverageManifest": {
217
+ "attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
218
+ "filesReviewed": 47,
219
+ "negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
220
+ "uncoveredReason": {}
221
+ }
222
+ }
223
+ ```
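Review bot: the §EDGE-CASE-MATRIX and the `coverageManifest` example added to this crypto agent are injection-domain boilerplate (`'"><script>{{7*7}}</script><!--`, `"class": "SQL Injection"`, `"patterns": ["queryRaw", "string concat"]`); an agent told these five cases are MANDATORY for its domain will spend its coverage budget on the wrong thing, and the credential-stuffing hunk above shows what a domain-specific matrix and manifest look like, so this file should get rows for its own classes (weak KDF parameters, non-AEAD modes, IV reuse, hard-coded keys, and whatever feeds the post-quantum readiness score mentioned in the context lines). Two rows in §TEMPORAL-THREATS also need tightening before a crypto specialist consumes them: "RSA/ECDSA keys signed today will be broken" conflates signatures with encryption, since harvest-now-decrypt-later is a confidentiality threat against key exchange and stored ciphertext while the risk to ECDSA is future forgery against long-lived signed artifacts; and ML-KEM (FIPS 203) is a key-encapsulation mechanism, so "migrate long-lived data to ML-KEM" should read as moving the key establishment protecting that data to hybrid or PQ KEMs, with ML-DSA (FIPS 204) / SLH-DSA (FIPS 205) named as the target for signing keys. The "Browser vendors will drop classical-only TLS connections" 2028–2030 row cites no vendor announcement and should be marked as an estimate rather than a deadline.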
@@ -21,6 +21,19 @@ Map all cloud infrastructure controls to CSA CCM v4 domains. Identify which cont
21
21
  Covers: §23 (cloud compliance via CSA CCM), §11 (cloud security controls) fully.
22
22
  Beyond SKILL.md: CSA STAR Level 1 (self-assessment), CSA CAIQ submission preparation.
23
23
 
24
+ ## BEYOND SKILL.MD
25
+
26
+ Domain-specific threats, CVEs, and research findings that extend beyond the baseline CCM checklist:
27
+
28
+ - **CVE-2024-21626 (runc container escape)** — A compromised container can break out to the host via leaked file descriptors. CSA CCM IVS-09 (workload segmentation) and AIS-01 (malware scanning) must explicitly cover container runtime hardening, not just image scanning. Verify `runc` version ≥ 1.1.12 in all container runtimes.
29
+ - **CVE-2023-44487 (HTTP/2 Rapid Reset DDoS)** — Cloud-hosted APIs and load balancers exposed over HTTP/2 are vulnerable to low-volume, high-impact request floods. BCR-01 (BCP) must model volumetric DDoS against cloud-native ingress; LOG-08 alerting must detect request-rate anomalies at the CDN/LB layer.
30
+ - **Confused Deputy via AWS IAM cross-account trust** — Misconfigured `sts:AssumeRole` policies with wildcard principals allow lateral movement across AWS accounts without compromising credentials. STA-04 (supply chain risk) and IAM-09 (service account least privilege) are the CCM controls; audit all cross-account role trust policies with `aws iam simulate-principal-policy`.
31
+ - **Shadow SaaS / unsanctioned cloud storage exfiltration** — Attackers with valid SSO tokens upload sensitive data to personal cloud drives (Dropbox, personal GCS buckets). DSP-01 (data classification) and DSP-07 (data lifecycle) must include CASB or egress DLP controls; CSA CCM DCS-09 is the anchor control.
32
+ - **AI-era threat — LLM-assisted cloud misconfiguration discovery (2025–active)** — Attackers use LLMs to parse public Terraform modules and IaC repositories, automatically identifying misconfigured S3 bucket policies, overly permissive firewall rules, and exposed metadata endpoints. TVM-02 (vulnerability scanning) must include IaC static analysis (Checkov, tfsec) on every PR — reactive scanning is no longer adequate.
33
+ - **Post-quantum harvest-now-decrypt-later against cloud KMS-protected data** — Cloud KMS keys encrypting long-lived regulated data (PII, PHI, PCI) are targeted for offline decryption once CRQCs are available (~2028–2032). CEK-01 and CEK-09 must now include a quantum readiness column: inventory all RSA/ECC key usages and flag data with retention horizons beyond 2030 for migration to ML-KEM (FIPS 203) or AWS KMS post-quantum preview algorithms.
34
+ - **Terraform state file exposure in shared CI/CD backends** — Plaintext `terraform.tfstate` files stored in insufficiently protected S3 buckets or GitLab artifact stores expose all resource IDs, secrets interpolated at plan time, and IAM role ARNs. GRC-03 (third-party risk) and CEK-02 (data at rest encryption) both apply; the concrete check is S3 server-side encryption + bucket policy denying public access + KMS key policy restricting CI role access.
35
+ - **OIDC federation token hijacking via GitHub Actions misconfiguration** — Repositories using `id-token: write` permissions with overly broad audience claims allow any workflow (including forks via pull_request_target) to obtain short-lived cloud credentials. IAM-09 (service account management) and STA-05 (third-party security reviews) must cover OIDC federation trust policy review — specifically, `sub` claim constraints must be pinned to specific repo + branch combinations, not just the organisation.
36
+
24
37
  ## LEARNING SIGNAL
25
38
 
26
39
  On every finding resolved, emit:
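Review bot: the OIDC bullet's proposed fix does not close the fork case it names. A `pull_request_target` workflow runs in the base repository's context with `GITHUB_REF` set to the base branch, so the token's `sub` is `repo:org/repo:ref:refs/heads/main` and a trust policy pinned to repo + branch still accepts it; the control that actually matters is never checking out or executing PR-head code inside a `pull_request_target` workflow (or binding the cloud role to a protected `environment:` with required reviewers and pinning `sub` to that environment), with the branch pin as a second layer rather than the primary one. Two further corrections in the same list: the confused-deputy bullet mixes two distinct findings, since a wildcard `Principal` in a role trust policy is over-broad trust while confused deputy is a third-party-assumable role that lacks an `sts:ExternalId` condition, and `aws iam simulate-principal-policy` simulates a named principal's permissions rather than enumerating which external principals a trust policy admits, so the concrete check belongs to IAM Access Analyzer cross-account findings or to reviewing each role's `AssumeRolePolicyDocument` from `aws iam get-role`. Finally, `DCS-09` in CCM v4 sits in the Datacenter Security (physical) domain and does not anchor a CASB or egress-DLP control; the DSP references in that bullet are the right ones.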
@@ -176,3 +189,74 @@ If internet permitted:
176
189
  - `requiredActions`: ordered action list with CCM, ISO, SOC2, PCI cross-references
177
190
  - `complianceImpact`: framework mappings
178
191
  - `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
192
+
193
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
194
+ ```json
195
+ {
196
+ "intelligenceForOtherAgents": {
197
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
198
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
199
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
200
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
201
+ }
202
+ }
203
+ ```
204
+
205
+ ---
206
+
207
+ ## §EDGE-CASE-MATRIX
208
+
209
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
210
+
211
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
212
+ |---|-----------|----------------------|---------------|
213
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
214
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
215
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
216
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
217
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
218
+
219
+ ## §TEMPORAL-THREATS
220
+
221
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
222
+
223
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
224
+ |--------|--------------|--------------------------|----------------|
225
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
226
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10x more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
227
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
228
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
229
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
230
+
231
+ ## §DETECTION-GAP
232
+
233
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
234
+
235
+ **Standard gaps that MUST be checked:**
236
+
237
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
238
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
239
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
240
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3x their 30-day baseline within 24 hours.
241
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
242
+
243
+ ## §ZERO-MISS-MANDATE
244
+
245
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
246
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
247
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
248
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
249
+
250
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
251
+
252
+ The output findings JSON MUST include a `coverageManifest` key:
253
+ ```json
254
+ {
255
+ "coverageManifest": {
256
+ "attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
257
+ "filesReviewed": 47,
258
+ "negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
259
+ "uncoveredReason": {}
260
+ }
261
+ }
262
+ ```
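Review bot: this file is the cloud specialist, yet the `intelligenceForOtherAgents` example tells it to emit `"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", ... }]`, which routes intelligence to itself; the SSRF-to-metadata chain is something the web or injection agent sends here, so the outbound example for this agent should carry cloud-originated types for the pentest and GRC consumers (an over-trusting cross-account role, an exposed tfstate bucket, a mis-pinned OIDC `sub`). The §EDGE-CASE-MATRIX and §ZERO-MISS-MANDATE added in this hunk are likewise the injection boilerplate (`{{7*7}}`, `"class": "SQL Injection"`, `queryRaw`) rather than the CCM-mapped classes the first hunk of this same file just introduced; a required-coverage table keyed on those checks is what would make the zero-miss mandate enforceable for this agent. Minor: "10x" and "3x" here differ from the "10×" and "3×" used in the other copies of these tables.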
@@ -157,3 +157,87 @@ Generate `docs/security/csf2-gap-analysis.md`:
157
157
  - `requiredActions`: ordered action list
158
158
  - `complianceImpact`: framework mappings
159
159
  - `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
160
+
161
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
162
+ ```json
163
+ {
164
+ "intelligenceForOtherAgents": {
165
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
166
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
167
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
168
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
169
+ }
170
+ }
171
+ ```
172
+
173
+ ## BEYOND SKILL.MD
174
+
175
+ Domain-specific expansions for csf2-governance-mapper covering threats, research, and edge cases beyond the core mandate:
176
+
177
+ - **CVE-2024-3094 (XZ Utils supply chain backdoor)**: A CSF 2.0 GV.SC (Supply Chain Risk Management) failure case — a trusted maintainer inserted a backdoor over 2 years. Governance programs must mandate cryptographic build provenance (SLSA L2+) and binary reproducibility checks, not just vendor assessments. Current SBOM tooling (Syft, FOSSA) would not have detected this without runtime behavioural analysis.
178
+ - **MITRE ATT&CK T1195.002 — Compromise Software Supply Chain**: Attackers increasingly target the CI/CD pipeline itself (e.g., 3CX, SolarWinds). CSF 2.0 GV.SC and ID.RA must explicitly model pipeline compromise as a threat scenario; pipeline hardening (ephemeral runners, OIDC token scoping, artifact signing) must appear in the governance roadmap.
179
+ - **AI-model governance gaps (OWASP LLM Top 10, 2025)**: Organisations deploying LLMs lack CSF-aligned controls for LLM01 (Prompt Injection) and LLM06 (Sensitive Information Disclosure). GV.RM must include AI risk appetite statements; DE.AE must cover adversarial prompt detection. EU AI Act Article 9 requires documented risk management systems for high-risk AI — directly maps to GV.RM and GV.OV.
180
+ - **Post-quantum cryptography governance gap (NIST FIPS 203/204/205, 2024)**: RSA and ECDSA keys created today are vulnerable to harvest-now-decrypt-later attacks. CSF 2.0 PR.DS (Data Security) and GV.RM must include a quantum-migration roadmap. CISA's PQC migration guidance (2024) recommends inventory completion by 2025 and migration completion by 2035; boards must receive annual status updates.
181
+ - **CVE-2021-44228 (Log4Shell) governance lesson**: The failure was not technical — it was governance. No organisation had a complete software inventory (ID.AM) or a documented response SLA for critical CVEs (RS.MA). Gap analysis must verify that asset inventory includes transitive dependencies and that the IR plan includes a "critical CVE response" playbook with defined RTO.
182
+ - **Vendor concentration risk and single-points-of-failure**: The CrowdStrike Falcon sensor outage (July 2024) affected 8.5 million Windows systems globally — a GV.SC and RC.RP failure at ecosystem scale. Governance programs must assess vendor-induced SPOF and require multi-vendor resilience or manual fallback procedures for Tier-1 dependencies.
183
+ - **AI-assisted governance evasion**: Adversaries now use LLMs to generate plausible-looking but non-compliant policy documents that pass human review. GV.PO controls must include automated policy-to-control traceability (mapping written policy clauses to implemented technical controls), not just policy existence checks. Tools: Drata, Vanta, Tugboat Logic with automated evidence collection.
184
+ - **Regulatory fragmentation risk (EU CRA + US EO 14028 + DORA + NIS2)**: Organisations operating across jurisdictions face overlapping and sometimes conflicting mandatory security reporting and SBOM requirements. CSF 2.0 GV.OC must include a regulatory landscape map; GV.PO must maintain a cross-framework control matrix to avoid duplicated effort and identify true gaps vs. coverage overlap.
185
+
186
+ ---
187
+
188
+ ## §EDGE-CASE-MATRIX
189
+
190
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
191
+
192
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
193
+ |---|-----------|----------------------|---------------|
194
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
195
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
196
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
197
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
198
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
199
+
200
+ ## §TEMPORAL-THREATS
201
+
202
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
203
+
204
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
205
+ |--------|--------------|--------------------------|----------------|
206
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
207
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
208
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
209
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
210
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
211
+
212
+ ## §DETECTION-GAP
213
+
214
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
215
+
216
+ **Standard gaps that MUST be checked:**
217
+
218
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
219
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
220
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
221
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
222
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
223
+
224
+ ## §ZERO-MISS-MANDATE
225
+
226
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
227
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
228
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
229
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
230
+
231
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
232
+
233
+ The output findings JSON MUST include a `coverageManifest` key:
234
+ ```json
235
+ {
236
+ "coverageManifest": {
237
+ "attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
238
+ "filesReviewed": 47,
239
+ "negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
240
+ "uncoveredReason": {}
241
+ }
242
+ }
243
+ ```
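Review bot: the OWASP LLM bullet cites the 2025 list but uses the 2023/2024 numbering; in the 2025 edition Sensitive Information Disclosure is LLM02 and LLM06 is Excessive Agency, so either change the reference to LLM02:2025 or cite the earlier edition. The PQC bullet repeats the conflation seen in the crypto file: harvest-now-decrypt-later is a confidentiality threat, so it applies to RSA key transport and ECDH traffic recorded today, whereas the exposure for ECDSA is future forgery against long-lived signed artifacts; the governance roadmap should therefore separate key-establishment migration (ML-KEM, FIPS 203) from signature migration (ML-DSA FIPS 204 / SLH-DSA FIPS 205), and the "inventory completion by 2025" date should name the specific CISA or OMB document it is taken from. As in the other files, the §EDGE-CASE-MATRIX and `coverageManifest` example are injection boilerplate for an agent whose checks are document and control-traceability reviews; a matrix drawn from the BEYOND SKILL.MD bullets above (transitive dependencies missing from the ID.AM inventory, Tier-1 vendor SPOF with no fallback procedure, policy clauses with no mapped technical control) would match what this agent actually reviews.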