security-mcp 1.1.4 → 1.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (129)
  1. package/README.md +116 -264
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/security-policy.json +2 -2
  9. package/dist/cli/index.js +0 -0
  10. package/dist/gate/baseline.js +82 -7
  11. package/dist/gate/catalog.js +10 -2
  12. package/dist/gate/checks/ai.js +757 -39
  13. package/dist/gate/checks/auth-deep.js +920 -216
  14. package/dist/gate/checks/business-logic.js +751 -0
  15. package/dist/gate/checks/ci-pipeline.js +399 -4
  16. package/dist/gate/checks/crypto.js +423 -2
  17. package/dist/gate/checks/dependencies.js +571 -15
  18. package/dist/gate/checks/graphql.js +201 -19
  19. package/dist/gate/checks/infra.js +246 -1
  20. package/dist/gate/checks/injection-deep.js +827 -184
  21. package/dist/gate/checks/k8s.js +114 -1
  22. package/dist/gate/checks/mobile-android.js +917 -3
  23. package/dist/gate/checks/mobile-ios.js +797 -5
  24. package/dist/gate/checks/required-artifacts.js +194 -0
  25. package/dist/gate/checks/runtime.js +178 -0
  26. package/dist/gate/checks/secrets.js +244 -13
  27. package/dist/gate/checks/supply-chain-deep.js +787 -0
  28. package/dist/gate/checks/web-nextjs.js +572 -48
  29. package/dist/gate/diff.js +17 -5
  30. package/dist/gate/evidence.js +8 -1
  31. package/dist/gate/exceptions.js +131 -9
  32. package/dist/gate/policy.js +280 -131
  33. package/dist/mcp/audit-chain.js +122 -28
  34. package/dist/mcp/auth.js +169 -0
  35. package/dist/mcp/learning.js +129 -4
  36. package/dist/mcp/model-router.js +158 -21
  37. package/dist/mcp/orchestration.js +186 -51
  38. package/dist/mcp/server.js +337 -53
  39. package/dist/repo/fs.js +24 -1
  40. package/dist/repo/search.js +31 -6
  41. package/dist/review/store.js +52 -1
  42. package/package.json +7 -7
  43. package/skills/_TEMPLATE/SKILL.md +99 -0
  44. package/skills/advanced-dos-tester/SKILL.md +109 -0
  45. package/skills/agentic-loop-exploiter/SKILL.md +368 -0
  46. package/skills/ai-llm-redteam/SKILL.md +104 -0
  47. package/skills/ai-model-supply-chain-agent/SKILL.md +103 -0
  48. package/skills/algorithm-implementation-reviewer/SKILL.md +98 -0
  49. package/skills/android-penetration-tester/SKILL.md +455 -46
  50. package/skills/anti-replay-tester/SKILL.md +106 -0
  51. package/skills/appsec-code-auditor/SKILL.md +85 -0
  52. package/skills/artifact-integrity-analyst/SKILL.md +441 -0
  53. package/skills/attack-navigator/SKILL.md +467 -8
  54. package/skills/auth-session-hacker/SKILL.md +102 -0
  55. package/skills/aws-penetration-tester/SKILL.md +456 -0
  56. package/skills/azure-penetration-tester/SKILL.md +490 -3
  57. package/skills/binary-auth-validator/SKILL.md +111 -0
  58. package/skills/bot-detection-specialist/SKILL.md +109 -0
  59. package/skills/business-logic-attacker/SKILL.md +231 -0
  60. package/skills/capec-code-mapper/SKILL.md +84 -0
  61. package/skills/cert-pin-rotation-specialist/SKILL.md +112 -0
  62. package/skills/cicd-pipeline-hijacker/SKILL.md +405 -0
  63. package/skills/ciso-orchestrator/SKILL.md +454 -43
  64. package/skills/cloud-infra-specialist/SKILL.md +118 -0
  65. package/skills/compliance-gap-analyst/SKILL.md +422 -0
  66. package/skills/compliance-grc/SKILL.md +85 -0
  67. package/skills/compliance-lifecycle-tracker/SKILL.md +84 -0
  68. package/skills/credential-stuffing-specialist/SKILL.md +102 -0
  69. package/skills/crypto-pki-specialist/SKILL.md +87 -0
  70. package/skills/csa-ccm-mapper/SKILL.md +84 -0
  71. package/skills/csf2-governance-mapper/SKILL.md +84 -0
  72. package/skills/deep-link-fuzzer/SKILL.md +109 -0
  73. package/skills/dependency-confusion-attacker/SKILL.md +415 -0
  74. package/skills/device-integrity-aggregator/SKILL.md +108 -0
  75. package/skills/dos-resilience-tester/SKILL.md +97 -0
  76. package/skills/dread-scorer/SKILL.md +84 -0
  77. package/skills/egress-policy-enforcer/SKILL.md +99 -0
  78. package/skills/evidence-collector/SKILL.md +98 -0
  79. package/skills/file-upload-attacker/SKILL.md +109 -0
  80. package/skills/gcp-penetration-tester/SKILL.md +459 -2
  81. package/skills/git-history-secret-scanner/SKILL.md +106 -0
  82. package/skills/iam-privesc-graph-builder/SKILL.md +152 -0
  83. package/skills/incident-responder/SKILL.md +111 -0
  84. package/skills/injection-specialist/SKILL.md +102 -0
  85. package/skills/ios-security-auditor/SKILL.md +282 -0
  86. package/skills/json-ambiguity-tester/SKILL.md +0 -0
  87. package/skills/k8s-container-escaper/SKILL.md +384 -0
  88. package/skills/key-management-lifecycle-analyst/SKILL.md +98 -0
  89. package/skills/kill-switch-engineer/SKILL.md +102 -0
  90. package/skills/linddun-privacy-analyst/SKILL.md +102 -0
  91. package/skills/logic-race-fuzzer/SKILL.md +443 -0
  92. package/skills/mobile-api-network-attacker/SKILL.md +421 -0
  93. package/skills/mobile-binary-hardener/SKILL.md +102 -0
  94. package/skills/mobile-security-specialist/SKILL.md +85 -0
  95. package/skills/mobile-webview-auditor/SKILL.md +96 -0
  96. package/skills/model-extraction-attacker/SKILL.md +219 -0
  97. package/skills/multipart-abuse-tester/SKILL.md +84 -0
  98. package/skills/oauth-pkce-specialist/SKILL.md +104 -0
  99. package/skills/parser-exhaustion-tester/SKILL.md +142 -0
  100. package/skills/pentest-infra/SKILL.md +98 -0
  101. package/skills/pentest-social/SKILL.md +201 -0
  102. package/skills/pentest-team/SKILL.md +87 -0
  103. package/skills/pentest-web-api/SKILL.md +98 -0
  104. package/skills/privacy-flow-analyst/SKILL.md +234 -0
  105. package/skills/prompt-injection-specialist/SKILL.md +394 -0
  106. package/skills/quantum-migration-planner/SKILL.md +96 -0
  107. package/skills/rag-poisoning-specialist/SKILL.md +358 -0
  108. package/skills/registry-mirror-enforcer/SKILL.md +84 -0
  109. package/skills/rotation-validation-agent/SKILL.md +112 -0
  110. package/skills/samm-assessor/SKILL.md +85 -0
  111. package/skills/secrets-mask-bypass-tester/SKILL.md +100 -0
  112. package/skills/senior-security-engineer/SKILL.md +167 -0
  113. package/skills/serialization-memory-attacker/SKILL.md +332 -0
  114. package/skills/session-timeout-tester/SKILL.md +161 -0
  115. package/skills/slsa-level3-enforcer/SKILL.md +112 -0
  116. package/skills/slsa-provenance-enforcer/SKILL.md +102 -0
  117. package/skills/ssrf-detection-validator/SKILL.md +108 -0
  118. package/skills/step-up-auth-enforcer/SKILL.md +84 -0
  119. package/skills/stride-pasta-analyst/SKILL.md +420 -0
  120. package/skills/supply-chain-devsecops/SKILL.md +98 -0
  121. package/skills/threat-infrastructure-analyst/SKILL.md +84 -0
  122. package/skills/threat-modeler/SKILL.md +85 -0
  123. package/skills/tls-certificate-auditor/SKILL.md +573 -18
  124. package/skills/token-reuse-detector/SKILL.md +95 -0
  125. package/skills/trike-risk-modeler/SKILL.md +84 -0
  126. package/skills/unicode-homograph-tester/SKILL.md +84 -0
  127. package/skills/waf-rule-lifecycle-agent/SKILL.md +97 -0
  128. package/skills/webhook-security-tester/SKILL.md +102 -0
  129. package/skills/zero-trust-architect/SKILL.md +109 -0
@@ -194,3 +194,105 @@ If internet permitted:
194
194
  - `requiredActions`: ordered action list
195
195
  - `complianceImpact`: framework mappings
196
196
  - `beyondSkillMd`: true — this agent is entirely beyond-policy
197
+
198
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
199
+ ```json
200
+ {
201
+ "intelligenceForOtherAgents": {
202
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "PII-rich endpoint or data store identified during LINDDUN analysis", "exploitHint": "Exfiltration via IDOR, mass-assignment, or analytics SDK misconfiguration" }],
203
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "SHA-256 email hash used as pseudonym (reversible via rainbow table)", "location": "src/models/user.ts" }],
204
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "Third-party analytics SDK with unconstrained webhook callback URL", "escalationPath": "SSRF to instance metadata → IAM token → S3 PII bucket" }],
205
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["GDPR Art. 35", "CCPA §1798.150", "HIPAA §164.514"], "releaseBlock": true }]
206
+ }
207
+ }
208
+ ```
209
+
210
+ ---
211
+
212
+ ## BEYOND SKILL.MD — MANDATORY EXPANSIONS
213
+
214
+ - **LLM-Assisted Re-identification of "Anonymised" Datasets (CWE-359 / ATT&CK T1530 / Sweeney 2002 k-anonymity paper):** Adversaries feed quasi-identifier fields (ZIP code, DOB, gender, device type) into an LLM alongside public data sources (voter rolls, LinkedIn, breach dumps) to collapse k-anonymity at scale — a re-identification attack that statistical models underestimate. Modern LLMs reduce the data-point threshold for re-identification from 5+ fields to as few as 2–3 correlated attributes. Test by: extract all non-PII attributes from each data model; prompt GPT-4o with the combination and a public dataset (e.g., US Census) and ask it to identify a specific individual; flag any schema where the LLM produces a confident match with < 5 quasi-identifiers. Finding threshold: any entity record with k < 5 under LLM-assisted adversary model.
215
+
216
+ - **Harvest-Now-Decrypt-Later Attack on Pseudonymised Tokens (NIST IR 8413 / PQC Migration / FIPS 203 ML-KEM):** Nation-state actors archive TLS-captured traffic today containing pseudonymised identifiers encrypted with RSA-2048 or ECDH P-256. When cryptographically relevant quantum computers (CRQCs) arrive (~2030 per NIST), these tokens become fully reversible. Any PII pseudonymised with RSA-based key exchange that must remain private beyond a 5-year horizon is already compromised. Test by: inventory all pseudonymisation key exchange mechanisms (`grep -r "RSA\|ECDH\|P-256\|rs256\|ES256" src/`); check data retention policies — flag any PII-bearing token stored beyond 5 years without post-quantum migration plan. Finding threshold: any long-lived pseudonymous identifier using pre-quantum cryptography with retention > 5 years.
217
+
218
+ - **Consent State Stale Cache Exploitation via Async Worker Race (CVE-2023-28432 class / ATT&CK T1499.003):** Background workers (email queues, retargeting exporters, recommendation engines) read consent state from a Redis or in-memory cache seeded at job-enqueue time. A user withdraws consent and the DB record updates, but the already-enqueued jobs carry a stale consent snapshot and complete the processing — violating GDPR Art. 7(3) right to withdraw consent. This was observed in real-world GDPR enforcement actions (e.g., Meta's 2023 €390M fine for consent bypass via "legitimate interest" fallback). Test by: withdraw consent for a test user via the API; immediately inspect the job queue for enqueued tasks referencing that userId; confirm each job re-reads live consent state (`grep -r "consent" src/workers/ src/queues/`); measure delay between consent revocation and job suppression. Finding threshold: any job that completes PII processing > 5 seconds after consent revocation.
219
+
220
+ - **Analytics SDK PII Leakage via Auto-Captured URL Parameters (Real Incident: Meta Pixel HIPAA breach 2022 / ATT&CK T1567.002):** Third-party analytics pixels (Meta Pixel, Google Analytics, Segment auto-track) capture `window.location.href` and `document.referrer` before any application-layer sanitisation runs, exfiltrating PII embedded in query parameters (e.g., `?email=user@example.com`, `?userId=123`, `?token=abc`). The 2022 Meta Pixel healthcare breach affected 3M+ patient records across 33 hospital systems. PII-in-URL is invisible to server-side log analysis. Test by: use Playwright to load every authenticated page with a synthetic PII-laden URL (`?email=test%40evil.com`); intercept all outbound HTTP requests via `page.on('request', ...)`; flag any request to a third-party domain that contains the injected PII value. Finding threshold: any third-party beacon containing PII present in the page URL.
221
+
222
+ - **Right-to-Erasure Gap in ML Training Snapshots and Cold Storage (GDPR Art. 17 / ATT&CK T1530 / EU AI Act Art. 10):** GDPR Art. 17 erasure requests are satisfied for the live database but PII persists in: S3/Glacier data lake snapshots, BigQuery export tables, Elasticsearch document indexes, ML model training datasets, and CDN-edge-cached profile pages. The EU AI Act (enforcement 2026) additionally requires that high-risk AI systems support data subject rights in training data — i.e., the right to have one's data removed from a training set. Regulatory audits now enumerate all downstream stores. Test by: build an erasure verification job that queries each registered downstream system for a deleted userId 72 hours post-deletion (`SELECT * FROM bq_export WHERE user_id = ?`; Elasticsearch `GET /users/_doc/{id}`; `aws s3 ls s3://snapshots/ | grep {userId}`); flag any non-zero result. Finding threshold: PII present in any downstream store 72 hours after erasure request.
223
+
224
+ - **Timing and Response-Size Side-Channel for User Presence Inference (LINDDUN Detecting / CWE-203 / ATT&CK T1592.002):** Authentication and account-lookup endpoints that return differential response latency or content-length for "user exists" vs "user not found" allow an adversary to enumerate valid user accounts — violating the LINDDUN Detecting threat category — without any PII being returned in the response body. This class of oracle was exploited in the 2016 LinkedIn scraping campaign and is present in most OAuth 2.0 password-reset flows. Content-scanning and SAST tools pass because no PII appears in the response. Test by: send 1,000 requests each to a known-valid and known-invalid identifier against `/auth/login`, `/auth/forgot-password`, and `/api/users/{id}`; compute p50/p99 latency delta and Content-Length delta; flag if latency delta > 5 ms or content-length delta > 50 bytes across the distribution. Finding threshold: statistically significant delta (t-test p < 0.05) between hit and miss response timing or size.
225
+
226
+ ---
227
+
228
+ ## §EDGE-CASE-MATRIX
229
+
230
+ The 5 privacy attack cases in the LINDDUN domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
231
+
232
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
233
+ |---|-----------|----------------------|---------------|
234
+ | 1 | Quasi-identifier linkage attack | Scanner flags explicit PII fields (email, SSN) but ignores indirect combinations: ZIP + DOB + gender re-identifies 87% of Americans (Sweeney). No single field triggers an alert. | Extract the set of non-PII attributes per data model; run k-anonymity check — flag any combination with k < 5 across realistic user population |
235
+ | 2 | Analytics SDK silently forwarding PII via URL or referrer | Third-party pixels and analytics snippets capture the full page URL including query params (e.g. `?email=user@example.com`) before any sanitization runs. Scanner tests API responses, not browser-sent requests. | Audit every analytics integration for auto-capture scope; search for `window.location.href`, `document.referrer`, `utm_*` patterns logged alongside user sessions; replay with a synthetic PII-laden URL |
236
+ | 3 | Right-to-erasure gap via derived data stores | User record deleted from primary DB but PII persists in: search indexes (Elasticsearch/Algolia), ML training snapshots, cold-storage analytics exports, CDN-cached profile pages. Scanner only checks the primary DELETE code path. | Enumerate every downstream system in the data flow diagram; for each, verify a deletion propagation mechanism exists and is tested with a real erasure call |
237
+ | 4 | Consent state not propagated to asynchronous workers | Consent withdrawn on the frontend; the revocation event is written to the DB. However, background jobs (email queues, recommendation engines, retargeting exports) read a stale consent cache and continue processing. Scanner audits synchronous code paths only. | Trace consent-check logic into every async consumer (queues, crons, webhooks); confirm each re-reads live consent state rather than a cached snapshot |
238
+ | 5 | Fingerprinting via timing or response-size side-channels (Detecting threat) | No PII is returned in the response body, so content-scanning tools pass. But differential response latency or byte-length for "user exists" vs "user not found" allows presence inference — violating the LINDDUN Detecting category. | Measure p50/p99 response time for existing vs non-existing identifiers across 1000 samples; flag if delta > 5 ms; similarly diff response Content-Length |
239
+
240
+ ---
241
+
242
+ ## §TEMPORAL-THREATS
243
+
244
+ Privacy threats materialising in the 2025–2030 window that LINDDUN-informed defences designed today must account for.
245
+
246
+ | Threat | Est. Timeline | Relevance to Privacy Domain | Prepare Now By |
247
+ |--------|--------------|------------------------------|----------------|
248
+ | Harvest-now-decrypt-later attacks on pseudonymised data | 2025 (active) | Adversaries archive encrypted PII today to decrypt once CRQCs arrive; pseudonymisation via RSA-based tokens provides no long-term protection | Migrate pseudonymisation tokens and encryption of long-lived PII to ML-KEM (FIPS 203) / AES-256-GCM; audit data retention — delete what doesn't need to outlive the quantum threat window |
249
+ | LLM-assisted re-identification of "anonymised" datasets | 2025–2026 (active) | LLMs correlate quasi-identifiers across public datasets at scale, collapsing k-anonymity protections that were adequate against manual analysis | Apply differential privacy (ε-DP) to any published aggregate or ML training data; validate anonymisation against LLM-assisted adversary, not just statistical models |
250
+ | EU AI Act risk classification of profiling systems | 2026 (enforcement) | Systems that perform behavioural profiling or automated decision-making on individuals are classified high-risk and require DPIA + conformity assessment | Audit all recommendation, scoring, and targeting features against AI Act Annex III; pre-register DPIAs for any feature that scores, ranks, or filters individuals |
251
+ | Data broker regulation and cross-context tracking bans | 2026–2027 | US state privacy laws (CPRA, VCDPA, CPA) increasingly ban cross-context behavioural advertising without explicit consent; violations now carry per-record fines | Audit all third-party SDK data flows; implement server-side tagging to eliminate client-side PII leakage to ad networks |
252
+ | Mandatory data minimisation in generative AI training (EU AI Act / GDPR joint guidance) | 2026–2027 | Any fine-tuning on user data without explicit consent for that purpose will constitute unlawful processing; current fine-tune pipelines rarely validate consent scope | Implement consent-scope checks in every data pipeline that feeds model training; purge user data from training sets upon erasure request |
253
+
254
+ ---
255
+
256
+ ## §DETECTION-GAP
257
+
258
+ What current privacy monitoring CANNOT detect in the LINDDUN domain, and what to build to close each gap.
259
+
260
+ - **Quasi-identifier linkage across data stores**: No SIEM rule fires because no single PII field is accessed. Need: data-access graph that correlates queries touching ZIP, DOB, gender, and device ID within the same user session — alert when 3+ quasi-identifiers are joined without a documented legitimate purpose.
261
+ - **Analytics SDK PII leakage via browser-collected URLs**: Server-side logs show clean API requests; the exfiltration happens in the browser before the request is sent. Need: CSP `connect-src` inventory + periodic synthetic test that loads key pages with PII in query params and inspects outbound network calls via a proxy (Playwright + Burp).
262
+ - **Stale consent propagated to async workers**: The consent DB record is updated; the background worker reads from a Redis cache with a 24-hour TTL. Need: consent-change events must invalidate all downstream caches synchronously; add a canary test that withdraws consent and verifies the next queued job for that user is suppressed within < 5 seconds.
263
+ - **Right-to-erasure incompleteness in cold storage**: Primary DB erasure looks correct in application logs. Glacier, BigQuery export tables, and Elasticsearch indexes are never checked. Need: erasure verification job that queries all registered downstream systems for the deleted user ID 72 hours post-deletion and alerts on any non-zero result.
264
+ - **Timing/size side-channel presence inference (Detecting)**: No application log records "user existence leaked." Need: p99 latency and Content-Length monitoring per authentication/lookup endpoint; statistical alert if the delta between hit and miss paths exceeds 5 ms or 50 bytes across a rolling 1-hour window.
265
+
266
+ ---
267
+
268
+ ## §ZERO-MISS-MANDATE
269
+
270
+ This agent CANNOT declare any LINDDUN threat category clean without explicit evidence of checking. For each category, output one of:
271
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
272
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
273
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
274
+
275
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
276
+
277
+ The output findings JSON MUST include a `coverageManifest` key:
278
+ ```json
279
+ {
280
+ "coverageManifest": {
281
+ "attackClassesCovered": [
282
+ { "class": "LINDDUN:Linking", "filesReviewed": 34, "patterns": ["userId in analytics events", "cross-context correlation"], "result": "CLEAN" },
283
+ { "class": "LINDDUN:Identifying", "filesReviewed": 34, "patterns": ["email hash", "IP+UA fingerprint"], "result": "2 findings, both remediated" },
284
+ { "class": "LINDDUN:NonRepudiation", "filesReviewed": 18, "patterns": ["audit log granularity", "action attribution"], "result": "CLEAN" },
285
+ { "class": "LINDDUN:Detecting", "filesReviewed": 22, "patterns": ["last-seen APIs", "read receipts", "timing side-channel"], "result": "CLEAN" },
286
+ { "class": "LINDDUN:DataDisclosure", "filesReviewed": 29, "patterns": ["PII in error messages", "third-party SDK scope"], "result": "1 finding, remediated" },
287
+ { "class": "LINDDUN:Unawareness", "filesReviewed": 8, "patterns": ["privacy notice presence", "consent UI"], "result": "CLEAN" },
288
+ { "class": "LINDDUN:NonCompliance", "filesReviewed": 15, "patterns": ["retention policy", "DPIA existence", "erasure completeness"], "result": "CLEAN" }
289
+ ],
290
+ "filesReviewed": 47,
291
+ "negativeAssertions": [
292
+ "Linking: cross-context userId correlation searched across 34 files — 0 unmitigated paths",
293
+ "DataDisclosure: PII in error messages searched across 29 files — 1 finding fixed inline"
294
+ ],
295
+ "uncoveredReason": {}
296
+ }
297
+ }
298
+ ```
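Review bot: the LLM re-identification test in the MANDATORY EXPANSIONS list tells the agent to "prompt GPT-4o with the combination and a public dataset" using attributes extracted from the target's own data models; for a privacy analysis that is itself a disclosure of quasi-identifiers to a third-party hosted model, so the step should restrict the test to synthetic or consented sample records and a locally hosted model, and say so. Several cited identifiers do not match the threats they are attached to and should be verified before release: CVE-2023-28432 is the MinIO information-disclosure issue, not a consent-cache race; ATT&CK T1499.003 is Application Exhaustion Flood and T1592.002 is Gather Victim Host Information: Software, neither of which describes stale consent in async workers or a user-enumeration oracle (T1589 Gather Victim Identity Information fits the latter); and the €390M Meta decision concerned reliance on the contract legal basis (Art. 6(1)(b)), not a "legitimate interest" fallback. The presence-inference item states two different finding criteria, a fixed 5 ms / 50 byte delta and a t-test at p < 0.05; with 1,000 samples per arm the t-test will flag sub-millisecond differences that the fixed threshold would pass, so pick one and make the edge-case matrix row and the detection-gap bullet agree with it. In the erasure verification step, `aws s3 ls s3://snapshots/ | grep {userId}` only matches object key names, not the contents of snapshot objects, so a userId inside a CSV or Parquet export is never found; query the snapshot contents (Athena, S3 Select, or a restored copy) instead. Finally, the key-exchange inventory `grep -r "RSA\|ECDH\|P-256\|rs256\|ES256" src/` mixes lowercase `rs256` with uppercase `ES256`; add `-i` so `RS256` and `es256` are both matched.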
@@ -65,3 +65,446 @@ Find race conditions, business logic flaws, and arithmetic vulnerabilities.
65
65
  - Concurrent request sequence that reproduces the issue
66
66
  - Database/cache state before and after the race
67
67
  - Fixed code using atomic operations or distributed locks written inline
68
+
69
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
70
+ ```json
71
+ {
72
+ "intelligenceForOtherAgents": {
73
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
74
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
75
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
76
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
77
+ }
78
+ }
79
+ ```
80
+
81
+ ---
82
+
83
+ ## BEYOND SKILL.MD — MANDATORY EXPANSIONS
84
+
85
+ ### 1. Double-Spend via Async Await Gap (CVE-2023-23916 class)
86
+
87
+ **Attack technique:** In any async handler where a balance read precedes a deduction, a second
88
+ concurrent request can observe the pre-deduction balance. Both transactions succeed, debiting
89
+ only once from the account. This pattern is rampant in Node.js microservices using Prisma
90
+ without explicit row-level locking.
91
+
92
+ **Concrete detection method:**
93
+ ```bash
94
+ # Grep for balance read followed by update without transaction or locking
95
+ grep -rn "findUnique\|findFirst" src/ | grep -i "balance\|credit\|wallet\|fund" | \
96
+ while read line; do
97
+ file=$(echo $line | cut -d: -f1)
98
+ # Check if file uses $transaction() or SELECT FOR UPDATE
99
+ grep -l "\$transaction\|SELECT.*FOR UPDATE\|selectForUpdate" "$file" || echo "MISSING_LOCK: $file"
100
+ done
101
+ ```
102
+
103
+ **Finding criterion:** Any balance-affecting endpoint where the read and write are not wrapped
104
+ in a serializable transaction or SELECT FOR UPDATE. Reproduce with:
105
+ ```bash
106
+ ab -n 200 -c 50 -p payload.json -T application/json http://target/api/transfer
107
+ # Verify: final balance < expected minimum (funds created from nothing)
108
+ ```
109
+
110
+ ---
111
+
112
+ ### 2. Redis INCR/EXPIRE Non-Atomic Rate Limit Bypass
113
+
114
+ **Attack technique:** A rate limiter that calls INCR then EXPIRE as two separate commands has a
115
+ TOCTOU window. If the process crashes or a network partition occurs between INCR and EXPIRE,
116
+ the counter persists forever — permanently locking the key. Conversely, a fast concurrent
117
+ burst can exhaust the window before EXPIRE fires, allowing unlimited requests.
118
+
119
+ **Concrete detection method:**
120
+ ```bash
121
+ grep -rn "redis.*incr\|client\.incr\|\.incr(" src/ | grep -v "lua\|eval\|multi\|pipeline"
122
+ # Any INCR not followed immediately by an atomic EXPIRE in the same Lua script is vulnerable
123
+ ```
124
+
125
+ **Fix template:** Replace with atomic Lua:
126
+ ```lua
127
+ local current = redis.call('INCR', KEYS[1])
128
+ if current == 1 then redis.call('EXPIRE', KEYS[1], ARGV[1]) end
129
+ return current
130
+ ```
131
+
132
+ ---
133
+
134
+ ### 3. Mass Assignment Privilege Escalation (OWASP API6:2023)
135
+
136
+ **Attack technique:** When ORM models accept arbitrary JSON from `req.body` without an explicit
137
+ allowlist, an attacker can set fields like `role`, `isAdmin`, `tier`, `verified`, or `balance`
138
+ directly. This is distinct from parameter pollution — the payload looks structurally valid.
139
+
140
+ **Concrete detection method:**
141
+ ```bash
142
+ # Express/Fastify: find raw body spreads into ORM create/update calls
143
+ grep -rn "\.create(\|\.update(\|\.upsert(" src/ | grep -v "allowlist\|pick(\|omit("
144
+ # Then check if req.body is passed directly
145
+ grep -rn "req\.body" src/ | grep -v "zod\|joi\|validate\|schema"
146
+ ```
147
+
148
+ **Finding criterion:** Any ORM mutation accepting `req.body` without a Zod/Joi allowlist schema
149
+ applied at the route boundary. Fields to verify are excluded: `role`, `isAdmin`, `plan`,
150
+ `balance`, `credits`, `verified`, `stripeCustomerId`.
151
+
152
+ ---
153
+
154
+ ### 4. AI-Assisted Race Condition Discovery (Emerging Threat, 2025)
155
+
156
+ **Attack technique:** LLM-powered fuzzing tools (e.g., Mayhem, CodaMOSA, and custom GPT-4-based
157
+ harnesses) can automatically generate concurrent request sequences from OpenAPI specs and
158
+ exhaustively model state interleavings. An adversary with access to a public API spec and an
159
+ LLM harness can discover race windows in hours that would take a human days. This means any
160
+ publicly documented API endpoint with shared-state side effects is now a viable automated
161
+ target.
162
+
163
+ **Concrete detection method (defensive):**
164
+ - Export all route definitions and run `race-the-web` or a custom ab/wrk2 harness against
165
+ every state-mutating endpoint with concurrency ≥ 50.
166
+ - For AI-assisted attack simulation: feed the OpenAPI spec to a locally-hosted LLM and ask it
167
+ to enumerate all async await gaps and concurrent state mutation paths.
168
+
169
+ ```bash
170
+ # Run concurrent hammering against every POST/PUT/PATCH endpoint
171
+ npx race-the-web --config race-config.yaml --concurrency 100 --requests 500
172
+ ```
173
+
174
+ **Finding criterion:** Any endpoint where a concurrent load test produces a final system state
175
+ that differs from the sum of all successful response payloads.
176
+
177
+ ---
178
+
179
+ ### 5. Integer Overflow in Quantity × Price Multiplication (CWE-190)
180
+
181
+ **Attack technique:** When quantity and unit price are stored as 32-bit integers and multiplied
182
+ server-side without overflow guards, an attacker supplying `quantity=2147483648` can cause the
183
+ total to wrap to a negative number (or zero), resulting in a free or negative-cost order. This
184
+ was exploited in multiple e-commerce platforms in 2022–2024.
185
+
186
+ **Concrete detection method:**
187
+ ```bash
188
+ # Find multiplication of user-controlled numeric fields
189
+ grep -rn "quantity.*price\|price.*quantity\|qty.*amount\|amount.*qty" src/ | \
190
+ grep -v "BigInt\|bigint\|Decimal\|decimal\|Math\.imul"
191
+ # Also check for lack of upper-bound validation on quantity inputs
192
+ grep -rn "z\.number()\|Joi\.number()" src/ | grep -v "\.max(\|\.positive(\|\.int("
193
+ ```
194
+
195
+ **Finding criterion:** Any money calculation using native JavaScript `number` type (IEEE 754
196
+ float, 53-bit mantissa) or uncapped integer multiplication. All monetary arithmetic MUST use
197
+ `BigInt` or a decimal library (`decimal.js`, `dinero.js`). All quantity inputs must have an
198
+ explicit `.max()` bound in validation schemas.
199
+
200
+ ---
201
+
202
+ ### 6. Supply Chain: Malicious npm Package Injecting Timing Attacks (Post-2024)
203
+
204
+ **Attack technique:** Compromised npm packages (e.g., the `event-stream` pattern) can inject
205
+ code that introduces intentional timing side channels. A malicious `parseAmount()` patch in a
206
+ transitive dependency can leak whether a given account balance is above or below a threshold
207
+ by varying response time by ~2ms per bit — invisible to functional tests but detectable by
208
+ statistical timing analysis after ~10,000 samples.
209
+
210
+ **Concrete detection method:**
211
+ ```bash
212
+ # Audit all transitive dependencies for recently published/updated packages
213
+ npm audit --json | jq '.vulnerabilities | keys[]'
214
+ npx better-npm-audit --level critical
215
+ # Check for suspicious timing patterns in hot paths
216
+ grep -rn "setTimeout\|setInterval\|Date\.now()\|performance\.now()" node_modules/.pnp* 2>/dev/null || \
217
+ find node_modules -name "*.js" -newer package-lock.json -not -path "*/test/*" | head -20
218
+ ```
219
+
220
+ **Finding criterion:** Any recently-modified transitive dependency touching arithmetic or
221
+ comparison functions in payment or authentication hot paths. Cross-reference with OSV.dev
222
+ and the Socket.dev supply chain scanner.
223
+
224
+ ---
225
+
226
+ ### 7. Post-Quantum Threat to Idempotency Key HMAC Signing
227
+
228
+ **Attack technique:** Many idempotency key schemes use HMAC-SHA256 to sign the key + timestamp
229
+ to prevent replay. With a Cryptographically Relevant Quantum Computer (CRQC), Grover's algorithm
230
+ reduces HMAC-SHA256 brute-force from 2^256 to 2^128 — still safe for symmetric keys. However,
231
+ if idempotency keys are also bound to RSA or ECDSA signatures (e.g., signed JWTs), those
232
+ signatures will be fully broken. An attacker who harvests signed idempotency tokens today can
233
+ replay them after CRQC deployment.
234
+
235
+ **Concrete detection method:**
236
+ ```bash
237
+ # Find idempotency key validation that relies on RSA/ECDSA-signed tokens
238
+ grep -rn "idempotency\|Idempotency" src/ | grep -v "HMAC\|sha256\|sha512"
239
+ grep -rn "jwt\.verify\|RS256\|ES256\|RS384" src/ | grep -i "idempot\|replay\|dedup"
240
+ ```
241
+
242
+ **Finding criterion:** Any idempotency scheme relying on asymmetric cryptography for token
243
+ integrity. Migrate to HMAC-SHA256 or ML-KEM-based MACs for long-lived tokens. Flag for the
244
+ CryptoSpecialist agent.
245
+
246
+ ---
247
+
248
+ ### 8. TOCTOU in File-Based Job Lock Files
249
+
250
+ **Attack technique:** Job processors that use filesystem lock files (`.lock`, `.pid`) to prevent
251
+ duplicate execution have a TOCTOU window between `fs.existsSync()` and `fs.writeFileSync()`.
252
+ On NFS-mounted volumes or containerized environments with shared storage, two workers can
253
+ simultaneously observe the lock as absent and both proceed — causing duplicate job execution.
254
+ This is a common pattern in legacy cron-to-container migrations.
255
+
256
+ **Concrete detection method:**
257
+ ```bash
258
+ # Find lock file patterns that are not using O_EXCL or atomic file creation
259
+ grep -rn "existsSync\|statSync\|accessSync" src/ | grep -i "lock\|pid\|mutex"
260
+ grep -rn "writeFileSync\|openSync" src/ | grep -i "lock\|pid"
261
+ # O_EXCL flag check — this is the only safe pattern:
262
+ grep -rn "O_EXCL\|wx'" src/ | grep -i "lock\|pid" # must have results
263
+ ```
264
+
265
+ **Finding criterion:** Any lock file mechanism not using `fs.openSync(path, 'wx')` (O_EXCL
266
+ mode) or a database-level advisory lock. The `'wx'` flag fails atomically if the file exists.
267
+ Replace all `existsSync + writeFileSync` lock patterns with atomic `openSync(..., 'wx')`.
268
+
269
+ ---
270
+
271
+ ## §LOGIC_RACE_FUZZER-CHECKLIST
272
+
273
+ 1. **Double-spend via concurrent balance deduction** — Mechanism: two simultaneous POST
274
+ /transfer requests read the same balance before either write commits. Grep for
275
+ `balance`, `wallet`, `credit` reads not inside `$transaction()` or `SELECT FOR UPDATE`.
276
+ Finding: final balance lower than both transactions combined, or negative.
277
+
278
+ 2. **Negative quantity acceptance in order creation** — Mechanism: attacker submits
279
+ `quantity: -100` to refund endpoint, receiving credits without spending. Grep Zod/Joi
280
+ schemas for quantity fields missing `.positive()` or `.min(1)`. Finding: API accepts
281
+ negative quantities and adjusts balance accordingly.
282
+
283
+ 3. **Redis rate limit bypass via non-atomic INCR/EXPIRE** — Mechanism: burst 100 requests
284
+ in <1ms before EXPIRE fires; counter never gets TTL. Grep for `redis.incr` not followed
285
+ by Lua eval. Finding: rate limit counter persists beyond window or burst succeeds past limit.
286
+
287
+ 4. **Mass assignment role escalation** — Mechanism: POST body includes `"role":"admin"` or
288
+ `"isAdmin":true`; ORM applies it without allowlist. Grep for `.create(req.body)` or
289
+ `Object.assign(model, req.body)`. Finding: user gains elevated role via crafted payload.
290
+
291
+ 5. **Float arithmetic precision loss in money** — Mechanism: `0.1 + 0.2 !== 0.3` in
292
+ JavaScript causes rounding errors in accumulated transactions. Grep for `parseFloat`,
293
+ `toFixed`, or arithmetic on price/amount/balance fields. Finding: total differs from
294
+ expected by >0 cents over multiple operations.
295
+
296
+ 6. **Idempotency key replay across users** — Mechanism: idempotency key namespace is not
297
+ scoped per user; attacker reuses another user's key to replay their transaction. Grep for
298
+ idempotency key lookup without user ID scoping. Finding: key from user A accepted for
299
+ user B's request, returning user A's cached response.
300
+
301
+ 7. **Bull/BullMQ duplicate job on worker restart** — Mechanism: job marked active but
302
+ worker crashes before marking complete; re-queued on restart; processed twice. Grep for
303
+ `queue.add()` without `jobId` deduplication option. Finding: job processing count >1 for
304
+ the same logical event in logs.
305
+
306
+ 8. **TOCTOU on inventory deduction** — Mechanism: two concurrent purchase requests both
307
+ check `stock > 0`, both pass, both decrement — final stock goes negative. Grep for
308
+ inventory/stock reads without `SELECT FOR UPDATE` or optimistic locking version field.
309
+ Finding: `stock` column < 0 after concurrent purchase load test.
310
+
311
+ 9. **Integer overflow in total price calculation** — Mechanism: `quantity * unitPrice` with
312
+ uncapped integer input overflows signed 32-bit, wrapping to negative. Grep for price
313
+ multiplication not using `BigInt` or `Decimal`. Finding: order total is negative or zero
314
+ for extreme quantity inputs.
315
+
316
+ 10. **Webhook duplicate delivery without deduplication** — Mechanism: provider retries
317
+ webhook on timeout; handler processes event twice; payment credited twice. Grep for
318
+ webhook handlers without idempotency key storage in DB. Finding: duplicate credit/order
319
+ row created for single webhook event ID.
320
+
321
+ 11. **Async await gap in multi-step state machine** — Mechanism: handler reads state,
322
+ `await`s external call, another request mutates state during await, handler resumes
323
+ with stale state and overwrites it. Grep for state reads followed by `await` and
324
+ subsequent state writes without re-read or optimistic lock. Finding: state machine
325
+ transitions to invalid state under concurrent load.
326
+
327
+ 12. **Quota bypass via concurrent quota check and consumption** — Mechanism: concurrent
328
+ API calls all pass quota check simultaneously; each consumes quota; total exceeds limit.
329
+ Grep for quota/limit checks using two-step read+decrement outside a transaction.
330
+ Finding: usage counter exceeds configured maximum after concurrent burst test.
331
+
332
+ ---
333
+
334
+ ## §POC-REQUIREMENT
335
+
336
+ For every CRITICAL or HIGH finding in this domain:
337
+
338
+ 1. **Write the working PoC FIRST** (exact payload, exact request, observed impact)
339
+ 2. **Confirm the PoC reproduces the issue** — show actual vs. expected state
340
+ 3. **THEN write the fix**
341
+ 4. **THEN verify the PoC fails against the fix** — rerun and confirm fix holds
342
+ 5. **Record the PoC in findings JSON under `exploitPoC`**
343
+
344
+ **PoC skipping = finding severity downgraded to MEDIUM automatically.**
345
+
346
+ ### PoC Template for Race Conditions:
347
+
348
+ ```bash
349
+ # Step 1: Establish baseline state
350
+ BEFORE=$(curl -s -H "Authorization: Bearer $TOKEN" http://target/api/balance | jq .balance)
351
+ echo "Balance before: $BEFORE"
352
+
353
+ # Step 2: Fire concurrent requests
354
+ for i in {1..50}; do
355
+ curl -s -X POST http://target/api/transfer \
356
+ -H "Authorization: Bearer $TOKEN" \
357
+ -H "Content-Type: application/json" \
358
+ -d '{"amount": 100, "to": "attacker"}' &
359
+ done
360
+ wait
361
+
362
+ # Step 3: Observe post-race state
363
+ AFTER=$(curl -s -H "Authorization: Bearer $TOKEN" http://target/api/balance | jq .balance)
364
+ ATTACKER=$(curl -s -H "Authorization: Bearer $ATTACKER_TOKEN" http://target/api/balance | jq .balance)
365
+ echo "Balance after: $AFTER (expected: $((BEFORE - 100)))"
366
+ echo "Attacker received: $ATTACKER (expected: 100)"
367
+ # FINDING: if ATTACKER > 100 — double spend confirmed
368
+ ```
369
+
370
+ ### PoC findings JSON entry:
371
+ ```json
372
+ {
373
+ "findingId": "RACE-001",
374
+ "severity": "CRITICAL",
375
+ "title": "Double-spend via concurrent balance deduction",
376
+ "exploitPoC": {
377
+ "command": "ab -n 200 -c 50 -p transfer.json -T application/json http://target/api/transfer",
378
+ "payload": "{\"amount\": 100, \"to\": \"attacker\"}",
379
+ "observedImpact": "Attacker balance increased by 800 from a single 100-unit source",
380
+ "reproduced": true,
381
+ "fixVerified": true
382
+ }
383
+ }
384
+ ```
385
+
386
+ ---
387
+
388
+ ## §PROJECT-ESCALATION
389
+
390
+ Immediately call `orchestration.update_agent_status` with `"CRITICAL_ESCALATION"` and halt
391
+ normal execution flow when ANY of the following conditions are detected:
392
+
393
+ 1. **Confirmed double-spend with monetary impact** — Any race condition where a concurrent
394
+ PoC produces more funds/credits than were legitimately input. Escalate immediately; do not
395
+ wait for full scan completion. This is a P0 production incident if the service is live.
396
+
397
+ 2. **Mass assignment grants admin/root privileges** — A PoC payload that promotes a regular
398
+ user to admin, superuser, or bypasses billing tier restrictions via body injection. The
399
+ entire authorization model must be reassessed by the full orchestrator.
400
+
401
+ 3. **Idempotency key namespace collision enabling cross-user replay** — If user A's
402
+ idempotency token can be replayed as user B, this is a fundamental authentication flaw
403
+ that affects every transaction in the system. Escalate before continuing.
404
+
405
+ 4. **Integer overflow to negative total enabling free or paid-refund order** — A PoC that
406
+ places an order with negative total, triggering a real payment refund or free fulfillment.
407
+ Escalate to compliance GRC agent simultaneously — this may constitute fraud facilitation.
408
+
409
+ 5. **Duplicate webhook processing confirmed with external payment provider** — If Stripe,
410
+ PayPal, or any payment webhook fires credits twice and the system accepts both, escalate
411
+ immediately. Financial reconciliation is now broken; every transaction must be audited.
412
+
413
+ 6. **Supply chain package found injecting timing code into payment hot path** — A transitive
414
+ npm dependency modified within the last 30 days that touches arithmetic in payment or
415
+ balance calculation code. Escalate to CISO orchestrator for supply chain incident response.
416
+
417
+ 7. **TOCTOU on authentication token validation** — If a race between token validation and
418
+ token revocation allows a revoked token to be used, escalate. This is an authentication
419
+ bypass affecting all session security.
420
+
421
+ 8. **Quota bypass enabling resource exhaustion or billing fraud** — If concurrent API calls
422
+ can exceed hard resource limits (e.g., API call quotas, storage limits, seat licenses),
423
+ escalate to compliance GRC. Billing integrity is compromised.
424
+
425
+ ---
426
+
427
+ ## §EDGE-CASE-MATRIX
428
+
429
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
430
+
431
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
432
+ |---|-----------|----------------------|---------------|
433
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
434
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
435
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
436
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
437
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
438
+
439
+ ---
440
+
441
+ ## §TEMPORAL-THREATS
442
+
443
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
444
+
445
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
446
+ |--------|--------------|--------------------------|----------------|
447
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
448
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
449
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
450
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
451
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
452
+
453
+ ---
454
+
455
+ ## §DETECTION-GAP
456
+
457
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
458
+
459
+ **Standard gaps that MUST be checked:**
460
+
461
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
462
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
463
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
464
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
465
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
466
+
467
+ **Domain-specific detection gaps for logic-race-fuzzer:**
468
+
469
+ - **Race condition in production traffic**: Standard APM shows elevated p99 but no log entry for the race event itself. Need: distributed tracing with concurrent request correlation — flag any two request spans that overlap in time and mutate the same resource ID.
470
+ - **Slow double-spend over days**: Attacker spaces concurrent requests hours apart to avoid rate limiting. Need: balance integrity check — periodic reconciliation job that computes expected balance from transaction ledger and alerts on discrepancy.
471
+ - **Negative balance after float rounding**: Rounding errors accumulate over thousands of transactions but individual transaction logs appear correct. Need: end-of-day balance reconciliation comparing ledger sum to stored balance with zero tolerance.
472
+
473
+ ---
474
+
475
+ ## §ZERO-MISS-MANDATE
476
+
477
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
478
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
479
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
480
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
481
+
482
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
483
+
484
+ The output findings JSON MUST include a `coverageManifest` key:
485
+ ```json
486
+ {
487
+ "coverageManifest": {
488
+ "attackClassesCovered": [{ "class": "Double-Spend Race Condition", "filesReviewed": 47, "patterns": ["findUnique", "balance", "$transaction"], "result": "CLEAN" }],
489
+ "filesReviewed": 47,
490
+ "negativeAssertions": ["Race condition: balance mutation patterns searched across 47 files — all wrapped in $transaction()"],
491
+ "uncoveredReason": {}
492
+ }
493
+ }
494
+ ```
495
+
496
+ ---
497
+
498
+ ## LEARNING SIGNAL
499
+
500
+ On every finding resolved, emit:
501
+ ```json
502
+ {
503
+ "findingId": "FINDING_ID",
504
+ "agentName": "logic-race-fuzzer",
505
+ "resolved": true,
506
+ "remediationTemplate": "one-line description of what was done",
507
+ "falsePositive": false
508
+ }
509
+ ```
510
+ Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
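Review bot: the remediation in section 7 ("Migrate to HMAC-SHA256 or ML-KEM-based MACs for long-lived tokens") and the CRQC row of §TEMPORAL-THREATS ("migrate long-lived data to ML-KEM (FIPS 203)") name the wrong primitive: ML-KEM is a key-encapsulation mechanism and cannot serve as a MAC, and the threat both passages describe is to RSA/ECDSA signatures, whose post-quantum replacements are ML-DSA (FIPS 204) or SLH-DSA (FIPS 205); ML-KEM only applies to key exchange and encryption. HMAC-SHA256 with a 256-bit key is already the right symmetric choice, so the finding criterion should read "use HMAC-SHA256 for token integrity; where an asymmetric signature is genuinely required, plan migration to ML-DSA", and the table row should point at ML-DSA for signatures and ML-KEM for key exchange. Separately, the section 6 detection script does not do what its comments claim: `grep -rn "setTimeout\|setInterval\|Date\.now()\|performance\.now()" node_modules/.pnp* 2>/dev/null` never matches because Yarn PnP writes `.pnp.cjs` to the project root, not under node_modules, so the `||` branch always runs; and `find node_modules -name "*.js" -newer package-lock.json -not -path "*/test/*" | head -20` returns almost nothing in practice because `npm install` rewrites the lockfile after the packages are extracted, making it newer than every installed file. The first line, `npm audit --json | jq '.vulnerabilities | keys[]'`, lists packages with known advisories rather than "recently published/updated packages" as the comment says. Suggest comparing the lockfile between the previous and current release (new or version-bumped entries) as the "recently changed" signal, anchoring any mtime check to a reference file whose timestamp is known, and rewording the `npm audit` comment to say it covers known advisories only.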