security-mcp 1.1.4 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (158)
  1. package/README.md +341 -1018
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/cloud-controls/aws.json +10712 -0
  9. package/defaults/cloud-controls/azure.json +7201 -0
  10. package/defaults/cloud-controls/gcp.json +4061 -0
  11. package/defaults/control-catalog.json +24 -0
  12. package/defaults/security-policy.json +2 -2
  13. package/dist/ci/pr-gate.js +22 -5
  14. package/dist/cli/index.js +73 -2
  15. package/dist/cli/install.js +4 -55
  16. package/dist/cli/onboarding.js +18 -10
  17. package/dist/gate/baseline.js +82 -7
  18. package/dist/gate/catalog.js +10 -2
  19. package/dist/gate/checks/agentic-instructions.js +515 -0
  20. package/dist/gate/checks/ai-governance.js +132 -0
  21. package/dist/gate/checks/ai.js +757 -39
  22. package/dist/gate/checks/auth-deep.js +920 -216
  23. package/dist/gate/checks/business-logic.js +751 -0
  24. package/dist/gate/checks/ci-pipeline.js +399 -4
  25. package/dist/gate/checks/cloud-controls.js +69 -0
  26. package/dist/gate/checks/crypto.js +423 -2
  27. package/dist/gate/checks/data-platform.js +954 -0
  28. package/dist/gate/checks/dependencies.js +582 -15
  29. package/dist/gate/checks/docker-deep.js +1236 -0
  30. package/dist/gate/checks/gitops.js +724 -0
  31. package/dist/gate/checks/graphql.js +201 -19
  32. package/dist/gate/checks/iac.js +1230 -0
  33. package/dist/gate/checks/infra.js +246 -1
  34. package/dist/gate/checks/injection-deep.js +827 -184
  35. package/dist/gate/checks/k8s.js +955 -2
  36. package/dist/gate/checks/mobile-android.js +917 -3
  37. package/dist/gate/checks/mobile-ios.js +797 -5
  38. package/dist/gate/checks/required-artifacts.js +194 -0
  39. package/dist/gate/checks/runtime.js +178 -0
  40. package/dist/gate/checks/secrets.js +256 -13
  41. package/dist/gate/checks/supply-chain-deep.js +787 -0
  42. package/dist/gate/checks/web-nextjs.js +572 -48
  43. package/dist/gate/cloud-controls/apply.js +115 -0
  44. package/dist/gate/cloud-controls/bicep.js +36 -0
  45. package/dist/gate/cloud-controls/cfn.js +125 -0
  46. package/dist/gate/cloud-controls/detect.js +104 -0
  47. package/dist/gate/cloud-controls/hcl.js +140 -0
  48. package/dist/gate/cloud-controls/types.js +87 -0
  49. package/dist/gate/diff.js +17 -5
  50. package/dist/gate/evidence.js +8 -1
  51. package/dist/gate/exceptions.js +202 -9
  52. package/dist/gate/findings.js +15 -2
  53. package/dist/gate/policy.js +316 -130
  54. package/dist/gate/threat-intel.js +6 -0
  55. package/dist/mcp/audit-chain.js +131 -28
  56. package/dist/mcp/auth.js +169 -0
  57. package/dist/mcp/learning.js +129 -4
  58. package/dist/mcp/model-router.js +161 -24
  59. package/dist/mcp/orchestration.js +377 -89
  60. package/dist/mcp/server.js +460 -69
  61. package/dist/mcp/tool-audit.js +193 -0
  62. package/dist/repo/fs.js +37 -1
  63. package/dist/repo/search.js +31 -6
  64. package/dist/review/store.js +56 -3
  65. package/dist/tests/run.js +124 -1
  66. package/package.json +9 -9
  67. package/skills/_TEMPLATE/SKILL.md +99 -0
  68. package/skills/advanced-dos-tester/SKILL.md +118 -0
  69. package/skills/agentic-instruction-auditor/SKILL.md +111 -0
  70. package/skills/agentic-loop-exploiter/SKILL.md +377 -0
  71. package/skills/ai-llm-redteam/SKILL.md +113 -0
  72. package/skills/ai-model-supply-chain-agent/SKILL.md +112 -0
  73. package/skills/algorithm-implementation-reviewer/SKILL.md +107 -0
  74. package/skills/android-penetration-tester/SKILL.md +464 -46
  75. package/skills/anti-replay-tester/SKILL.md +115 -0
  76. package/skills/appsec-code-auditor/SKILL.md +94 -0
  77. package/skills/artifact-integrity-analyst/SKILL.md +450 -0
  78. package/skills/attack-navigator/SKILL.md +476 -8
  79. package/skills/auth-session-hacker/SKILL.md +111 -0
  80. package/skills/aws-penetration-tester/SKILL.md +510 -0
  81. package/skills/azure-penetration-tester/SKILL.md +542 -3
  82. package/skills/binary-auth-validator/SKILL.md +120 -0
  83. package/skills/bot-detection-specialist/SKILL.md +118 -0
  84. package/skills/business-logic-attacker/SKILL.md +240 -0
  85. package/skills/capec-code-mapper/SKILL.md +93 -0
  86. package/skills/cert-pin-rotation-specialist/SKILL.md +121 -0
  87. package/skills/cicd-pipeline-hijacker/SKILL.md +414 -0
  88. package/skills/ciso-orchestrator/SKILL.md +465 -43
  89. package/skills/cloud-infra-specialist/SKILL.md +127 -0
  90. package/skills/compliance-gap-analyst/SKILL.md +431 -0
  91. package/skills/compliance-grc/SKILL.md +94 -0
  92. package/skills/compliance-lifecycle-tracker/SKILL.md +93 -0
  93. package/skills/container-hardening-auditor/SKILL.md +125 -0
  94. package/skills/credential-stuffing-specialist/SKILL.md +111 -0
  95. package/skills/crypto-pki-specialist/SKILL.md +96 -0
  96. package/skills/csa-ccm-mapper/SKILL.md +93 -0
  97. package/skills/csf2-governance-mapper/SKILL.md +93 -0
  98. package/skills/data-platform-auditor/SKILL.md +125 -0
  99. package/skills/deep-link-fuzzer/SKILL.md +118 -0
  100. package/skills/dependency-confusion-attacker/SKILL.md +424 -0
  101. package/skills/device-integrity-aggregator/SKILL.md +117 -0
  102. package/skills/dos-resilience-tester/SKILL.md +106 -0
  103. package/skills/dread-scorer/SKILL.md +93 -0
  104. package/skills/egress-policy-enforcer/SKILL.md +108 -0
  105. package/skills/evidence-collector/SKILL.md +107 -0
  106. package/skills/file-upload-attacker/SKILL.md +118 -0
  107. package/skills/gcp-penetration-tester/SKILL.md +510 -2
  108. package/skills/git-history-secret-scanner/SKILL.md +115 -0
  109. package/skills/gitops-delivery-auditor/SKILL.md +120 -0
  110. package/skills/iac-security-auditor/SKILL.md +125 -0
  111. package/skills/iam-privesc-graph-builder/SKILL.md +161 -0
  112. package/skills/incident-responder/SKILL.md +120 -0
  113. package/skills/injection-specialist/SKILL.md +111 -0
  114. package/skills/ios-security-auditor/SKILL.md +291 -0
  115. package/skills/json-ambiguity-tester/SKILL.md +145 -0
  116. package/skills/k8s-container-escaper/SKILL.md +406 -0
  117. package/skills/key-management-lifecycle-analyst/SKILL.md +107 -0
  118. package/skills/kill-switch-engineer/SKILL.md +111 -0
  119. package/skills/linddun-privacy-analyst/SKILL.md +111 -0
  120. package/skills/logic-race-fuzzer/SKILL.md +452 -0
  121. package/skills/mobile-api-network-attacker/SKILL.md +430 -0
  122. package/skills/mobile-binary-hardener/SKILL.md +111 -0
  123. package/skills/mobile-security-specialist/SKILL.md +94 -0
  124. package/skills/mobile-webview-auditor/SKILL.md +105 -0
  125. package/skills/model-extraction-attacker/SKILL.md +228 -0
  126. package/skills/multipart-abuse-tester/SKILL.md +93 -0
  127. package/skills/oauth-pkce-specialist/SKILL.md +113 -0
  128. package/skills/parser-exhaustion-tester/SKILL.md +151 -0
  129. package/skills/pentest-infra/SKILL.md +107 -0
  130. package/skills/pentest-social/SKILL.md +210 -0
  131. package/skills/pentest-team/SKILL.md +96 -0
  132. package/skills/pentest-web-api/SKILL.md +107 -0
  133. package/skills/privacy-flow-analyst/SKILL.md +243 -0
  134. package/skills/prompt-injection-specialist/SKILL.md +403 -0
  135. package/skills/quantum-migration-planner/SKILL.md +105 -0
  136. package/skills/rag-poisoning-specialist/SKILL.md +367 -0
  137. package/skills/registry-mirror-enforcer/SKILL.md +93 -0
  138. package/skills/rotation-validation-agent/SKILL.md +121 -0
  139. package/skills/samm-assessor/SKILL.md +94 -0
  140. package/skills/secrets-mask-bypass-tester/SKILL.md +109 -0
  141. package/skills/senior-security-engineer/SKILL.md +178 -0
  142. package/skills/serialization-memory-attacker/SKILL.md +341 -0
  143. package/skills/session-timeout-tester/SKILL.md +170 -0
  144. package/skills/slsa-level3-enforcer/SKILL.md +121 -0
  145. package/skills/slsa-provenance-enforcer/SKILL.md +111 -0
  146. package/skills/ssrf-detection-validator/SKILL.md +117 -0
  147. package/skills/step-up-auth-enforcer/SKILL.md +93 -0
  148. package/skills/stride-pasta-analyst/SKILL.md +429 -0
  149. package/skills/supply-chain-devsecops/SKILL.md +107 -0
  150. package/skills/threat-infrastructure-analyst/SKILL.md +93 -0
  151. package/skills/threat-modeler/SKILL.md +94 -0
  152. package/skills/tls-certificate-auditor/SKILL.md +582 -18
  153. package/skills/token-reuse-detector/SKILL.md +104 -0
  154. package/skills/trike-risk-modeler/SKILL.md +93 -0
  155. package/skills/unicode-homograph-tester/SKILL.md +93 -0
  156. package/skills/waf-rule-lifecycle-agent/SKILL.md +106 -0
  157. package/skills/webhook-security-tester/SKILL.md +111 -0
  158. package/skills/zero-trust-architect/SKILL.md +118 -0
@@ -34,6 +34,15 @@ On every finding resolved, emit:
34
34
  }
35
35
  ```
36
36
 
37
+ ## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
38
+
39
+ The `supply-chain-deep`, `sbom`, and `ai` detection modules (`src/gate/checks/supply-chain-deep.ts`, `src/gate/checks/sbom.ts`, `src/gate/checks/ai.ts`) are your deterministic floor, not your ceiling. Treat their finding IDs as the minimum, then reason past what single-line/single-file pattern matching can see — and APPLY the fix (Edit the loader code/config/manifest), not just advise:
40
+
41
+ - **Cross-file / data-flow reasoning the regex can't do:** a `from_pretrained` revision pinned to a mutable tag in one config, an unverified `model.onnx.data` sidecar referenced from the protobuf, and a training-data S3 bucket with a public-write ACL in IaC together form a weight-poisoning chain no single grep for `torch.load` can see; trace the path from bucket → fine-tune script → serialized artifact → inference loader.
42
+ - **Semantic / effective-state analysis:** resolve every `revision` to a 40-char commit SHA (not a force-pushable tag), enumerate ALL files referenced by `external_data_helper` and check each against the model SBOM, and reason about `trust_remote_code=True` reached transitively via a wrapper library or YAML config rather than only direct application code.
43
+ - **External corroboration:** use WebSearch/WebFetch for current model supply-chain CVEs and advisories (CVE-2024-3094 xz, HF malicious-pickle campaigns, picklescan disclosures) and HF discussion/issue pages for the exact model IDs in use.
44
+ - **Apply & prove:** write the fix inline (`weights_only=True`, safetensors load, pinned SHA + SHA-256 manifest entry, dataset allowlist), re-run the `supply-chain-deep`/`sbom`/`ai` checks plus `picklescan -r` and `grep -rn trust_remote_code=True` (including `site-packages`) as a regression floor, then re-audit semantically. Emit the LEARNING SIGNAL per fix; surface any pin or allowlist that blocks a previously-floating model as an explicit reproducibility-vs-freshness trade-off with the secure default.
45
+
37
46
  ## EXECUTION
38
47
 
39
48
  ### Phase 1 — Reconnaissance
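Review bot: the regression floor in the "Apply & prove" bullet, `grep -rn trust_remote_code=True` (including `site-packages`), only matches the exact Python keyword spelling, while the "Semantic / effective-state analysis" bullet two lines above explicitly asks for `trust_remote_code=True` reached through a wrapper library or a YAML config; in YAML the key is written `trust_remote_code: true`, and Python callers may write it with spaces or pass a variable, none of which this pattern sees. Suggest a whitespace- and delimiter-tolerant pattern such as `grep -rnE 'trust_remote_code\s*[=:]\s*(True|true)'` and a sentence noting that a variable-valued argument still needs the data-flow trace described in the first bullet. The `revision` to 40-character SHA check would also benefit from stating where the resolved SHA is recorded (the manifest entry mentioned in "Apply & prove"), so the re-audit has a fixed value to compare against rather than re-resolving a tag.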
@@ -196,3 +205,106 @@ If internet permitted:
196
205
  - `requiredActions`: ordered action list
197
206
  - `complianceImpact`: framework mappings
198
207
  - `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
208
+
209
+ Every findings JSON MUST also include `intelligenceForOtherAgents`:
210
+ ```json
211
+ {
212
+ "intelligenceForOtherAgents": {
213
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "Unsafe torch.load endpoint accepting user-supplied model path", "exploitHint": "Supply a crafted pickle file via the model path parameter to achieve RCE" }],
214
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "SHA-1 or missing hash", "location": "Model integrity check using deprecated hash or no verification at all" }],
215
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "hf_hub_download with attacker-controlled model_id", "escalationPath": "Model download URL can be redirected to IMDSv1 endpoint to steal cloud credentials" }],
216
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["NIST 800-218A", "EU AI Act Art.13", "EO 14028 SBOM"], "releaseBlock": true }]
217
+ }
218
+ }
219
+ ```
220
+
221
+ ## BEYOND SKILL.MD — MANDATORY EXPANSIONS
222
+
223
+ - **Pickle-based RCE via `torch.load` (CVE-2024-5480 / ATT&CK T1195.002):** PyTorch models distributed as `.pt`/`.pth` files use Python pickle serialization; a malicious model file can embed arbitrary Python bytecode that executes on `torch.load()` without `weights_only=True`. Real-world incident: April 2024 Hugging Face hosted multiple weaponized `.pt` files detected by `picklescan`. Test by: run `picklescan -r <model_dir>` and confirm zero unsafe globals; also run `grep -rn "torch\.load" . | grep -v "weights_only=True"`. Finding threshold: any `torch.load` call missing `weights_only=True` on a path that can receive external input is CRITICAL.
224
+
225
+ - **Hugging Face `trust_remote_code=True` as a persistent backdoor (ATT&CK T1546.016 — Event-Triggered Execution):** Setting `trust_remote_code=True` in `from_pretrained()` downloads and executes arbitrary Python from the model repo's `modeling_*.py` files on every inference server restart. Supply chain incident: March 2023, the `baller423/not-a-virus` HF repo demonstrated full RCE via a poisoned `modeling_custom.py`. Test by: `grep -rn "trust_remote_code=True" . --include="*.py" --include="*.yaml" --include="*.json"` — any match is a finding; also scan installed packages: `grep -rn "trust_remote_code=True" $(python -c "import site; print(site.getsitepackages()[0])")`. Finding threshold: any occurrence not accompanied by a documented security review of the specific repo commit SHA is HIGH.
226
+
227
+ - **ONNX protobuf external data sidecar substitution (CWE-494 / NIST SP 800-218A §2.5):** ONNX models split weights into a `.onnx` descriptor and a `model.onnx.data` sidecar; integrity manifests that hash only the `.onnx` file leave the sidecar unprotected. An attacker who can write to the model artifact directory replaces the sidecar with adversarially perturbed weights that preserve the architecture but alter behavior on specific inputs (AI-assisted attack vector). Test by: parse the ONNX protobuf with `onnx.load()` and enumerate all `external_data_helper` location fields; verify each referenced file has a SHA-256 entry in the model SBOM (`models/model-manifest.json`). Finding threshold: any ONNX external data file not covered by the integrity manifest is HIGH.
228
+
229
+ - **ML model weight poisoning via compromised S3/GCS training dataset bucket (ATT&CK T1195.001 — Compromise Software Supply Chain):** Fine-tuning pipelines that pull datasets from S3 buckets with permissive ACLs are vulnerable to data poisoning; an attacker with write access can inject adversarial examples that introduce a backdoor trigger. Research: "BadNL: Backdoor Attacks against NLP Models with Semantic-Preserving Improvements" (Chen et al., 2021) demonstrates <1% poisoning rate is sufficient. Test by: run `aws s3api get-bucket-acl --bucket <training-data-bucket>` and `aws s3api get-bucket-policy --bucket <training-data-bucket>`; review CloudTrail for `PutObject` events to the dataset prefix in the 30 days preceding the last training run. Finding threshold: any public write ACL or any unexpected `PutObject` from a non-CI principal is CRITICAL.
230
+
231
+ - **Post-quantum harvest-now-attack-later against model signing certificates (NIST FIPS 203/204 migration gap):** Model signing certificates issued with RSA-2048 or ECDSA P-256 (current industry norm for Sigstore/cosign model provenance) are vulnerable to retroactive forgery once a cryptographically relevant quantum computer (CRQC) is available (estimated 2028–2032). Signed model artifacts stored in artifact registries today are being harvested for future forgery. Test by: enumerate all model signing certificates in the CI/CD pipeline (`cosign verify --certificate-identity ... <model_image>`); check key algorithm with `openssl x509 -in cert.pem -text | grep "Public Key Algorithm"`. Finding threshold: any model signing key using RSA or ECC rather than ML-DSA (FIPS 204) or a hybrid scheme is a MEDIUM now, escalating to CRITICAL at the CRQC horizon; flag for migration planning.
232
+
233
+ - **EU AI Act Art. 13 conformity failure due to missing model supply chain documentation (Regulatory — enforcement 2026):** High-risk AI systems (Annex III categories: biometric identification, critical infrastructure, employment decisions, credit scoring) require a technical file with full supply chain provenance — model origin, training data sources, integrity verification records, and human oversight measures. Missing model SBOMs, unpinned HF revisions, and unaudited `trust_remote_code` usage each independently constitute non-conformity. Test by: classify the AI system against EU AI Act Annex III; if Tier 2 or 3, verify a conformity assessment technical file exists at `docs/ai-act-conformity/` containing model provenance records, dataset lineage, and a bias audit report. Finding threshold: any high-risk AI system lacking a complete technical file 6+ months before the EU enforcement date applicable to its risk tier is HIGH; absence of classification itself is MEDIUM.
234
+
235
+ ## §EDGE-CASE-MATRIX
236
+
237
+ The 5 attack cases in the AI model supply chain domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
238
+
239
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
240
+ |---|-----------|----------------------|---------------|
241
+ | 1 | Pickle payload smuggled inside a `safetensors` wrapper | Scanners check file extension and format header; a safetensors file whose metadata JSON embeds a base64-encoded pickle blob for a custom "callback" key goes undetected | Write a synthetic safetensors file with a poisoned `__metadata__` value that triggers deserialization in a downstream consumer that parses metadata naively |
242
+ | 2 | Model revision SHA pinned to a tag rather than a commit SHA | Tag `v1.0` on Hugging Face can be force-pushed (tags are mutable); scanners see a hash and assume immutability | Verify the `revision` parameter resolves to a 40-character commit SHA (not a branch or tag name) by calling the HF API; confirm it matches `git rev-parse HEAD` on the upstream repo |
243
+ | 3 | Backdoor triggered only by a specific trigger phrase, not by general inputs | Black-box accuracy tests pass because the backdoor activates on a rare, crafted input; no observable difference in benign evaluation | Run targeted behavioural probes using known backdoor trigger patterns (e.g., specific Unicode sequences, rare tokens); compare output distribution against a clean reference model |
244
+ | 4 | Fine-tuning data poisoning via a shared, writable S3/GCS bucket | Scanner checks model file integrity but not training data integrity; the poisoning happens upstream before model serialization | Verify the training data source bucket policy blocks public write; check CloudTrail/GCS audit logs for unexpected PUT operations to the dataset prefix in the 30 days before the training run |
245
+ | 5 | ONNX external data file (`model.onnx` + `model.onnx.data`) substitution | Scanners hash-check `model.onnx` but miss the external weights sidecar file; attacker replaces `model.onnx.data` with adversarially perturbed weights | Ensure the integrity manifest covers ALL files referenced by `external_data_helper`; grep for `location` fields in the ONNX protobuf and confirm each referenced file has an entry in the model SBOM |
246
+
247
+ ## §TEMPORAL-THREATS
248
+
249
+ Threats materialising in the 2025–2030 window that AI model supply chain defences designed today must account for.
250
+
251
+ | Threat | Est. Timeline | Relevance to AI Model Supply Chain | Prepare Now By |
252
+ |--------|--------------|-------------------------------------|----------------|
253
+ | Cryptographically Relevant Quantum Computer (CRQC) breaking RSA/ECDSA model signatures | 2028–2032 | Model signing certificates issued today (RSA-2048, ECDSA P-256) will be retrospectively forgeable; harvest-now-attack-later applies to stored signed model artifacts | Migrate model signing to ML-KEM / ML-DSA (FIPS 203/204); inventory all long-lived model signing keys |
254
+ | AI-assisted automated backdoor insertion at scale | 2025–2027 (active) | LLM-powered tools can generate subtly poisoned fine-tuning datasets and propose PRs to open-source model repos that pass human review | Enforce automated backdoor detection (e.g., Neural Cleanse, STRIP) as a CI gate before any fine-tuned model reaches staging |
255
+ | EU AI Act Art. 13 + 17 mandatory conformity assessments for high-risk AI | 2026 (enforcement) | High-risk AI systems require technical documentation, supply chain provenance records, and bias audits — non-compliance blocks EU market access | Classify all AI features against AI Act Annex III risk tiers now; begin conformity assessment prep for any Tier 2/3 systems |
256
+ | Mandatory SBOM + SLSA provenance for AI artifacts (US EO 14028, EU CRA) | 2025–2026 (active) | Software Bills of Materials and SLSA Level 2+ build provenance are becoming legally required for AI model artifacts used in government and critical infrastructure contracts | Generate CycloneDX SBOM per model release; achieve SLSA L2 minimum for training pipelines (hermetic builds, signed provenance) |
257
+ | Hugging Face ecosystem at scale as a malware distribution vector | 2025–2027 | HF hosts >500k models; automated malware campaigns are already depositing weaponised pickle files; the volume makes manual vetting impossible | Implement organisation-level HF allowlists; block `from_pretrained` from any repo not on the approved list; scan all downloads with `picklescan` in CI |
258
+
259
+ ## §DETECTION-GAP
260
+
261
+ What current security monitoring CANNOT detect in the AI model supply chain domain, and what to build to close each gap.
262
+
263
+ **Gaps that MUST be checked:**
264
+
265
+ - **Silent model weight substitution post-download**: Standard file integrity checks run at download time; if a compromised model is swapped in the local model cache between download and load, no alert fires. Need: hash re-verification at load time (not just at download time), with the expected hash stored outside the cache directory (e.g., in a secrets manager or read-only config).
266
+
267
+ - **Behavioural drift from fine-tuning data poisoning**: Model weights pass hash checks (the poisoned model is internally consistent); the attack is only observable as anomalous output on trigger inputs. Standard monitoring logs requests and responses but doesn't maintain a baseline distribution. Need: a shadow evaluation harness that runs a fixed probe set against every newly trained model and compares output distributions against the approved baseline; flag any model where KL-divergence on the probe set exceeds threshold.
268
+
269
+ - **`trust_remote_code=True` execution via transitive dependency**: The flag is set in a config file or a wrapper library, not in application code directly — grep on application code misses it. Need: extend grep patterns to `**/*.yaml`, `**/*.json`, `**/*.toml` model config files and all installed package source under `site-packages` for the string `trust_remote_code`.
270
+
271
+ - **Training pipeline data source tampering via CI/CD injection**: The dataset hash is correct at the start of the training job, but a compromised CI step downloads a replacement dataset mid-pipeline before the training script runs. Standard pipeline logs don't record file hashes at each step. Need: hash the dataset immediately before passing it to the training script (not in a separate pre-check step); emit the hash as a structured log event that feeds into SIEM.
272
+
273
+ - **Cross-agent chain: unsafe model load + SSRF = cloud credential theft**: A SSRF finding from the network agent and a `torch.load` finding from this agent, individually Medium severity, combine into a CRITICAL chain (attacker supplies a URL to a pickle that, when loaded, makes a request to IMDSv1). Neither agent alone flags this as critical. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings on the same service before Phase 2 begins.
274
+
275
+ ## §ZERO-MISS-MANDATE
276
+
277
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item below, output one of:
278
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
279
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
280
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
281
+
282
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
283
+
284
+ **Mandatory attack classes for AI model supply chain:**
285
+
286
+ 1. Unsafe deserialization — `torch.load` without `weights_only=True`, `pickle.load`, `joblib.load` on untrusted input
287
+ 2. `trust_remote_code=True` — in Python source, YAML configs, JSON configs, and installed package wrappers
288
+ 3. Missing model hash verification — model downloaded or loaded without SHA-256 check against a trusted manifest
289
+ 4. Unpinned model revision — `from_pretrained` using a branch name or tag instead of a commit SHA
290
+ 5. Fine-tuning data source integrity — training data ingested without hash verification or source allowlist
291
+ 6. Model SBOM completeness — every model artifact (including ONNX external data files) covered by the manifest
292
+ 7. HF token least privilege — write-scoped tokens used where read-only suffices; tokens present in env files committed to repo
293
+
294
+ The output findings JSON MUST include a `coverageManifest` key:
295
+ ```json
296
+ {
297
+ "coverageManifest": {
298
+ "attackClassesCovered": [
299
+ { "class": "Unsafe deserialization", "filesReviewed": 23, "patterns": ["torch\\.load", "pickle\\.load", "joblib\\.load"], "result": "CLEAN" },
300
+ { "class": "trust_remote_code=True", "filesReviewed": 47, "patterns": ["trust_remote_code=True"], "result": "2 findings, both fixed" }
301
+ ],
302
+ "filesReviewed": 47,
303
+ "negativeAssertions": [
304
+ "Unsafe deserialization: torch.load pattern searched across 23 .py files — 0 unsafe calls found",
305
+ "trust_remote_code: searched 47 .py/.yaml/.json files — 2 instances found and removed"
306
+ ],
307
+ "uncoveredReason": {}
308
+ }
309
+ }
310
+ ```
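Review bot: row 2 of the §EDGE-CASE-MATRIX is self-contradictory: it asks to verify that `revision` resolves to a 40-character commit SHA and then to "confirm it matches `git rev-parse HEAD` on the upstream repo", but HEAD advances with every upstream push, so a correctly pinned SHA will stop matching HEAD as soon as the model repo is updated, and the test would then flag the secure configuration. The pinned SHA should be compared against the value recorded in the model manifest/SBOM (`models/model-manifest.json` as named in the ONNX bullet), with a HEAD comparison used only as an informational "newer revision available" signal. A second point on the `torch.load` bullet: `grep -rn "torch\.load" . | grep -v "weights_only=True"` evaluates one line at a time, so a call whose `weights_only=True` sits on a continuation line is reported as unsafe; the "0 unsafe calls found" negative assertion in `coverageManifest` is only trustworthy if the check is multi-line aware or AST-based.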
@@ -34,6 +34,15 @@ Any use of the following in any context, even non-security uses:
34
34
  - `RSA PKCS#1 v1.5` padding — PKCS#1 oracle attacks; use OAEP; CWE-780
35
35
  - `Math.random()` for any security-sensitive value — not cryptographically random; CWE-338
36
36
 
37
+ ## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
38
+
39
+ The `crypto` detection module (`src/gate/checks/crypto.ts`) is your deterministic floor, not your ceiling. Treat its finding IDs as the minimum, then reason past what single-line/single-file pattern matching can see — and APPLY the fix (Edit the crypto code), not just advise:
40
+
41
+ - **Cross-file / data-flow reasoning the regex can't do:** an AES-GCM nonce that looks random at the call site but is derived from a counter persisted in another module (or absent in a serverless deployment) reuses under the same key — catastrophic GCM nonce reuse that grepping the `randomBytes(12)` line in isolation never reveals; trace the key+nonce pair from generation through every encrypt call.
42
+ - **Semantic / effective-state analysis:** distinguish a security-sensitive `Math.random()` from a cosmetic one by following the value to its sink (session token vs animation seed); verify a comparison is *effectively* constant-time end-to-end (not just that `timingSafeEqual` appears somewhere); confirm Argon2 parameters are compile/deploy-time constants and not runtime-injectable to a near-zero cost factor.
43
+ - **External corroboration:** use WebSearch/WebFetch for current crypto CVEs and advisories (CVE-2022-21449 Psychic Signatures, Bleichenbacher/python-jose oracles, library-specific JWT alg-confusion CVEs) and NIST FIPS 203/204 ML-KEM/ML-DSA migration guidance.
44
+ - **Apply & prove:** write the corrected primitive inline (unconditional `randomBytes(12)` per-encryption nonce, OAEP over PKCS#1 v1.5, `timingSafeEqual`, Argon2id at memoryCost ≥ 64MB/timeCost ≥ 3, HKDF for key separation), re-run the `crypto` checks plus `semgrep` crypto rules as a regression floor, then re-audit semantically. Emit the LEARNING SIGNAL per fix; surface any algorithm swap that changes wire format or stored-hash format as an explicit migration trade-off with the secure default.
45
+
37
46
  ## EXECUTION
38
47
 
39
48
  1. **Grep for banned patterns across all source files:**
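Review bot: the "Apply & prove" bullet prescribes an unconditional `randomBytes(12)` per-encryption nonce as the fix for the GCM nonce-reuse case in the first bullet, but a random 96-bit nonce only bounds the collision probability; NIST SP 800-38D limits a key used with random IVs to 2^32 encryptions, so the same key still needs a per-key message cap or a rotation rule, otherwise the "counter absent in serverless" reuse is replaced by a birthday-bound reuse at scale. Suggest stating the per-key limit and rotation trigger next to the nonce rule, or naming a nonce-misuse-resistant AEAD as the default for stateless deployments, and having the semantic re-audit confirm that no two instances share a long-lived key without that cap.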
@@ -83,3 +92,101 @@ Any use of the following in any context, even non-security uses:
83
92
  - Working exploit demonstrating exploitability (timing oracle PoC, collision PoC, etc.)
84
93
  - Fixed implementation written inline
85
94
  - CWE, CVSSv4
95
+
96
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
97
+ ```json
98
+ {
99
+ "intelligenceForOtherAgents": {
100
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
101
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
102
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
103
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
104
+ }
105
+ }
106
+ ```
107
+
108
+ ## BEYOND SKILL.MD
109
+
110
+ Domain-specific knowledge beyond standard algorithm review that this agent must apply:
111
+
112
+ - **CVE-2022-21449 "Psychic Signatures" (Java ECDSA)**: Java 15–18 ECDSA signature verification accepted `r=0, s=0` as valid for any message. Any Java service validating JWTs or signed tokens pre-patch must be retested; the fix is upgrading JDK and adding explicit `r`/`s` range checks.
113
+ - **CVE-2023-29197 / AES-GCM nonce reuse at scale**: Serverless and multi-instance deployments that generate GCM nonces from a counter without distributed state coordination inevitably reuse nonces; nonce collision under GCM allows full plaintext and key recovery. Require `crypto.randomBytes(12)` unconditionally; never counter-based nonces in stateless environments.
114
+ - **Harvest-now-decrypt-later (HNDL) against long-lived RSA/ECDH sessions**: Nation-state adversaries are capturing TLS handshakes and encrypted archives today for decryption once a CRQC arrives (estimated 2028–2032). Any data with a secrecy horizon beyond 5 years is already at risk. Mandate ML-KEM (FIPS 203) hybrid key encapsulation for all new key agreement.
115
+ - **LLM-assisted differential cryptanalysis (2025-active)**: LLM-powered tools (e.g., CryptoPals-GPT derivatives) can suggest distinguisher attacks against reduced-round ciphers and weak PRNG seeds far faster than human review. Assume any custom cipher or non-standard PRNG has been systematically attacked; ban custom ciphers entirely.
116
+ - **Bleichenbacher-style oracle resurrection via JSON parsing (CVE-2023-46234 / python-jose)**: RSA PKCS#1 v1.5 decryption errors that differ based on padding validity re-enable adaptive chosen-ciphertext attacks even when the original padding oracle path is patched. Mandate OAEP and constant-time error paths throughout the entire stack.
117
+ - **ML-KEM / CRYSTALS-Kyber parameter confusion**: Early adopters using `kyber512` (NIST security level 1) for long-lived secrets are underprotected; NIST mandates `kyber768` (level 3) minimum for general use and `kyber1024` for data encrypted beyond 2035. Flag any ML-KEM instantiation below level 3.
118
+ - **Side-channel leakage through speculative execution in crypto code (Spectre v2, Retbleed)**: VM-co-located adversaries can extract AES round keys or ECDSA nonces from cache-timing and branch-predictor side channels. Require constant-time implementations (`libsodium`, `noble-curves`) and document hardware-level mitigation requirements for HSM deployments.
119
+ - **Argon2id parameter downgrade via configuration injection**: Applications that read Argon2 parameters from a database or environment variable allow attackers with write access to reduce cost factors to near-zero, converting stored hashes to brute-forceable form at login time. Parameters must be compile-time or deploy-time constants, never runtime-configurable without signed attestation.
120
+
121
+ ## LEARNING SIGNAL
122
+
123
+ On every finding resolved, emit:
124
+ ```json
125
+ {
126
+ "findingId": "FINDING_ID",
127
+ "agentName": "algorithm-implementation-reviewer",
128
+ "resolved": true,
129
+ "remediationTemplate": "one-line description of what was done",
130
+ "falsePositive": false
131
+ }
132
+ ```
133
+ Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
134
+
135
+ ---
136
+
137
+ ## §EDGE-CASE-MATRIX
138
+
139
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
140
+
141
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
142
+ |---|-----------|----------------------|---------------|
143
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
144
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
145
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
146
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
147
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
148
+
149
+ ## §TEMPORAL-THREATS
150
+
151
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
152
+
153
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
154
+ |--------|--------------|--------------------------|----------------|
155
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
156
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
157
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
158
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
159
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
160
+
161
+ ## §DETECTION-GAP
162
+
163
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
164
+
165
+ **Standard gaps that MUST be checked:**
166
+
167
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
168
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
169
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
170
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
171
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
172
+
173
+ ## §ZERO-MISS-MANDATE
174
+
175
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
176
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
177
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
178
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
179
+
180
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
181
+
182
+ The output findings JSON MUST include a `coverageManifest` key:
183
+ ```json
184
+ {
185
+ "coverageManifest": {
186
+ "attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
187
+ "filesReviewed": 47,
188
+ "negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
189
+ "uncoveredReason": {}
190
+ }
191
+ }
192
+ ```
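Review bot: the CVE identifiers on two of the cryptography bullets do not match the issues they are attached to and should be corrected or dropped before this ships as agent guidance. The bullet `CVE-2023-29197 / AES-GCM nonce reuse at scale` pairs a GCM nonce-reuse note with a CVE that belongs to an unrelated HTTP-library header-parsing issue, and it also overstates the impact: reusing a GCM nonce exposes the GHASH authentication subkey (enabling forgeries) and the XOR of the two plaintexts, not the AES key itself. `crypto.randomBytes(12)` is the right default, but 96-bit random nonces still need a per-key message cap (on the order of 2^32) and key rotation, which the bullet should state. Likewise `CVE-2023-46234 / python-jose` cites the browserify-sign signature-verification advisory, not a python-jose padding oracle; cite the correct python-jose advisory or remove the number. On the ML-KEM bullet, `kyber512` / `kyber768` / `kyber1024` should use the FIPS 203 names ML-KEM-512/768/1024, and "NIST mandates" level 3 for general use needs a citation or should be softened to a recommendation. Separately, the §EDGE-CASE-MATRIX, §DETECTION-GAP list and the `coverageManifest` example are all web-injection cases (stored payloads, SQL injection, polyglots) that do not match this agent's `algorithm-implementation-reviewer` scope; either replace them with the cryptography checks already listed above (nonce reuse, padding-oracle error paths, non-constant-time code) or mark the sections as shared boilerplate so the agent does not report them as domain coverage. Minor: the Unicode row labels the second variant `< (U+FF1C)` but the character shown is ASCII `<`, so confirm the fullwidth form survives rendering.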