security-mcp 1.1.4 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (158)
  1. package/README.md +341 -1018
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/cloud-controls/aws.json +10712 -0
  9. package/defaults/cloud-controls/azure.json +7201 -0
  10. package/defaults/cloud-controls/gcp.json +4061 -0
  11. package/defaults/control-catalog.json +24 -0
  12. package/defaults/security-policy.json +2 -2
  13. package/dist/ci/pr-gate.js +22 -5
  14. package/dist/cli/index.js +73 -2
  15. package/dist/cli/install.js +4 -55
  16. package/dist/cli/onboarding.js +18 -10
  17. package/dist/gate/baseline.js +82 -7
  18. package/dist/gate/catalog.js +10 -2
  19. package/dist/gate/checks/agentic-instructions.js +515 -0
  20. package/dist/gate/checks/ai-governance.js +132 -0
  21. package/dist/gate/checks/ai.js +757 -39
  22. package/dist/gate/checks/auth-deep.js +920 -216
  23. package/dist/gate/checks/business-logic.js +751 -0
  24. package/dist/gate/checks/ci-pipeline.js +399 -4
  25. package/dist/gate/checks/cloud-controls.js +69 -0
  26. package/dist/gate/checks/crypto.js +423 -2
  27. package/dist/gate/checks/data-platform.js +954 -0
  28. package/dist/gate/checks/dependencies.js +582 -15
  29. package/dist/gate/checks/docker-deep.js +1236 -0
  30. package/dist/gate/checks/gitops.js +724 -0
  31. package/dist/gate/checks/graphql.js +201 -19
  32. package/dist/gate/checks/iac.js +1230 -0
  33. package/dist/gate/checks/infra.js +246 -1
  34. package/dist/gate/checks/injection-deep.js +827 -184
  35. package/dist/gate/checks/k8s.js +955 -2
  36. package/dist/gate/checks/mobile-android.js +917 -3
  37. package/dist/gate/checks/mobile-ios.js +797 -5
  38. package/dist/gate/checks/required-artifacts.js +194 -0
  39. package/dist/gate/checks/runtime.js +178 -0
  40. package/dist/gate/checks/secrets.js +256 -13
  41. package/dist/gate/checks/supply-chain-deep.js +787 -0
  42. package/dist/gate/checks/web-nextjs.js +572 -48
  43. package/dist/gate/cloud-controls/apply.js +115 -0
  44. package/dist/gate/cloud-controls/bicep.js +36 -0
  45. package/dist/gate/cloud-controls/cfn.js +125 -0
  46. package/dist/gate/cloud-controls/detect.js +104 -0
  47. package/dist/gate/cloud-controls/hcl.js +140 -0
  48. package/dist/gate/cloud-controls/types.js +87 -0
  49. package/dist/gate/diff.js +17 -5
  50. package/dist/gate/evidence.js +8 -1
  51. package/dist/gate/exceptions.js +202 -9
  52. package/dist/gate/findings.js +15 -2
  53. package/dist/gate/policy.js +316 -130
  54. package/dist/gate/threat-intel.js +6 -0
  55. package/dist/mcp/audit-chain.js +131 -28
  56. package/dist/mcp/auth.js +169 -0
  57. package/dist/mcp/learning.js +129 -4
  58. package/dist/mcp/model-router.js +161 -24
  59. package/dist/mcp/orchestration.js +377 -89
  60. package/dist/mcp/server.js +460 -69
  61. package/dist/mcp/tool-audit.js +193 -0
  62. package/dist/repo/fs.js +37 -1
  63. package/dist/repo/search.js +31 -6
  64. package/dist/review/store.js +56 -3
  65. package/dist/tests/run.js +124 -1
  66. package/package.json +9 -9
  67. package/skills/_TEMPLATE/SKILL.md +99 -0
  68. package/skills/advanced-dos-tester/SKILL.md +118 -0
  69. package/skills/agentic-instruction-auditor/SKILL.md +111 -0
  70. package/skills/agentic-loop-exploiter/SKILL.md +377 -0
  71. package/skills/ai-llm-redteam/SKILL.md +113 -0
  72. package/skills/ai-model-supply-chain-agent/SKILL.md +112 -0
  73. package/skills/algorithm-implementation-reviewer/SKILL.md +107 -0
  74. package/skills/android-penetration-tester/SKILL.md +464 -46
  75. package/skills/anti-replay-tester/SKILL.md +115 -0
  76. package/skills/appsec-code-auditor/SKILL.md +94 -0
  77. package/skills/artifact-integrity-analyst/SKILL.md +450 -0
  78. package/skills/attack-navigator/SKILL.md +476 -8
  79. package/skills/auth-session-hacker/SKILL.md +111 -0
  80. package/skills/aws-penetration-tester/SKILL.md +510 -0
  81. package/skills/azure-penetration-tester/SKILL.md +542 -3
  82. package/skills/binary-auth-validator/SKILL.md +120 -0
  83. package/skills/bot-detection-specialist/SKILL.md +118 -0
  84. package/skills/business-logic-attacker/SKILL.md +240 -0
  85. package/skills/capec-code-mapper/SKILL.md +93 -0
  86. package/skills/cert-pin-rotation-specialist/SKILL.md +121 -0
  87. package/skills/cicd-pipeline-hijacker/SKILL.md +414 -0
  88. package/skills/ciso-orchestrator/SKILL.md +465 -43
  89. package/skills/cloud-infra-specialist/SKILL.md +127 -0
  90. package/skills/compliance-gap-analyst/SKILL.md +431 -0
  91. package/skills/compliance-grc/SKILL.md +94 -0
  92. package/skills/compliance-lifecycle-tracker/SKILL.md +93 -0
  93. package/skills/container-hardening-auditor/SKILL.md +125 -0
  94. package/skills/credential-stuffing-specialist/SKILL.md +111 -0
  95. package/skills/crypto-pki-specialist/SKILL.md +96 -0
  96. package/skills/csa-ccm-mapper/SKILL.md +93 -0
  97. package/skills/csf2-governance-mapper/SKILL.md +93 -0
  98. package/skills/data-platform-auditor/SKILL.md +125 -0
  99. package/skills/deep-link-fuzzer/SKILL.md +118 -0
  100. package/skills/dependency-confusion-attacker/SKILL.md +424 -0
  101. package/skills/device-integrity-aggregator/SKILL.md +117 -0
  102. package/skills/dos-resilience-tester/SKILL.md +106 -0
  103. package/skills/dread-scorer/SKILL.md +93 -0
  104. package/skills/egress-policy-enforcer/SKILL.md +108 -0
  105. package/skills/evidence-collector/SKILL.md +107 -0
  106. package/skills/file-upload-attacker/SKILL.md +118 -0
  107. package/skills/gcp-penetration-tester/SKILL.md +510 -2
  108. package/skills/git-history-secret-scanner/SKILL.md +115 -0
  109. package/skills/gitops-delivery-auditor/SKILL.md +120 -0
  110. package/skills/iac-security-auditor/SKILL.md +125 -0
  111. package/skills/iam-privesc-graph-builder/SKILL.md +161 -0
  112. package/skills/incident-responder/SKILL.md +120 -0
  113. package/skills/injection-specialist/SKILL.md +111 -0
  114. package/skills/ios-security-auditor/SKILL.md +291 -0
  115. package/skills/json-ambiguity-tester/SKILL.md +145 -0
  116. package/skills/k8s-container-escaper/SKILL.md +406 -0
  117. package/skills/key-management-lifecycle-analyst/SKILL.md +107 -0
  118. package/skills/kill-switch-engineer/SKILL.md +111 -0
  119. package/skills/linddun-privacy-analyst/SKILL.md +111 -0
  120. package/skills/logic-race-fuzzer/SKILL.md +452 -0
  121. package/skills/mobile-api-network-attacker/SKILL.md +430 -0
  122. package/skills/mobile-binary-hardener/SKILL.md +111 -0
  123. package/skills/mobile-security-specialist/SKILL.md +94 -0
  124. package/skills/mobile-webview-auditor/SKILL.md +105 -0
  125. package/skills/model-extraction-attacker/SKILL.md +228 -0
  126. package/skills/multipart-abuse-tester/SKILL.md +93 -0
  127. package/skills/oauth-pkce-specialist/SKILL.md +113 -0
  128. package/skills/parser-exhaustion-tester/SKILL.md +151 -0
  129. package/skills/pentest-infra/SKILL.md +107 -0
  130. package/skills/pentest-social/SKILL.md +210 -0
  131. package/skills/pentest-team/SKILL.md +96 -0
  132. package/skills/pentest-web-api/SKILL.md +107 -0
  133. package/skills/privacy-flow-analyst/SKILL.md +243 -0
  134. package/skills/prompt-injection-specialist/SKILL.md +403 -0
  135. package/skills/quantum-migration-planner/SKILL.md +105 -0
  136. package/skills/rag-poisoning-specialist/SKILL.md +367 -0
  137. package/skills/registry-mirror-enforcer/SKILL.md +93 -0
  138. package/skills/rotation-validation-agent/SKILL.md +121 -0
  139. package/skills/samm-assessor/SKILL.md +94 -0
  140. package/skills/secrets-mask-bypass-tester/SKILL.md +109 -0
  141. package/skills/senior-security-engineer/SKILL.md +178 -0
  142. package/skills/serialization-memory-attacker/SKILL.md +341 -0
  143. package/skills/session-timeout-tester/SKILL.md +170 -0
  144. package/skills/slsa-level3-enforcer/SKILL.md +121 -0
  145. package/skills/slsa-provenance-enforcer/SKILL.md +111 -0
  146. package/skills/ssrf-detection-validator/SKILL.md +117 -0
  147. package/skills/step-up-auth-enforcer/SKILL.md +93 -0
  148. package/skills/stride-pasta-analyst/SKILL.md +429 -0
  149. package/skills/supply-chain-devsecops/SKILL.md +107 -0
  150. package/skills/threat-infrastructure-analyst/SKILL.md +93 -0
  151. package/skills/threat-modeler/SKILL.md +94 -0
  152. package/skills/tls-certificate-auditor/SKILL.md +582 -18
  153. package/skills/token-reuse-detector/SKILL.md +104 -0
  154. package/skills/trike-risk-modeler/SKILL.md +93 -0
  155. package/skills/unicode-homograph-tester/SKILL.md +93 -0
  156. package/skills/waf-rule-lifecycle-agent/SKILL.md +106 -0
  157. package/skills/webhook-security-tester/SKILL.md +111 -0
  158. package/skills/zero-trust-architect/SKILL.md +118 -0
@@ -35,6 +35,15 @@ On every finding resolved, emit:
35
35
  }
36
36
  ```
37
37
 
38
+ ## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
39
+
40
+ The `infra`, `iac`, and `k8s` detection modules (`src/gate/checks/infra.ts`, `src/gate/checks/iac.ts`, `src/gate/checks/k8s.ts`) are your deterministic floor, not your ceiling. Treat their finding IDs as the minimum, then reason past single-line/single-file pattern matching — and APPLY the hardening fix (Edit), not just advise:
41
+
42
+ - **Cross-file / multi-step reasoning the regex can't do:** `infra.ts`/`iac.ts` can flag an open egress rule or a permissive security group in one Terraform file, but they cannot correlate that the same workload's IAM role (defined elsewhere) plus a reachable metadata endpoint plus a wide-open ASN range forms an exfiltration path an observed C2 cluster would use. Build the egress + IAM + network-segmentation graph across IaC, K8s manifests, and infra config.
43
+ - **Semantic / effective-state analysis:** map observed TTPs to the effective control state — does a `k8s.ts` NetworkPolicy gap actually permit the DoH-tunnelled C2 or HTTP/2 Rapid Reset pattern you attributed? Model bulletproof-ASN co-tenancy and CDN-fronted C2 against the real egress firewall, not the declared intent.
44
+ - **External corroboration:** WebSearch/WebFetch for current CVEs/advisories/threat-intel for the observed campaign (CISA KEV, MITRE ATT&CK technique pages, VirusTotal/AbuseIPDB/Shodan, RIPEstat BGP for ASN pivoting).
45
+ - **Apply & prove:** write the targeted defense inline (egress allowlist, NetworkPolicy, IMDSv2 enforcement, ASN-level block, stream-reset rate limit), re-run the `infra`/`iac`/`k8s` checks plus a `nmap`/`nuclei` reachability probe as a regression floor, then re-audit. Emit the LEARNING SIGNAL per fix; surface trade-offs against the secure default (deny-by-default egress vs. third-party integration reach).
46
+
38
47
  ## EXECUTION
39
48
 
40
49
  ### Phase 1 — Reconnaissance
@@ -165,3 +174,87 @@ If internet permitted:
165
174
  - `requiredActions`: prioritized defensive actions
166
175
  - `complianceImpact`: framework mappings
167
176
  - `beyondSkillMd`: true — entirely beyond-policy
177
+
178
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
179
+ ```json
180
+ {
181
+ "intelligenceForOtherAgents": {
182
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
183
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
184
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
185
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
186
+ }
187
+ }
188
+ ```
189
+
190
+ ## BEYOND SKILL.MD
191
+
192
+ Domain-specific threat intelligence intelligence that no static scanner surfaces. Each item is tied to a named CVE, technique, tool, or research finding.
193
+
194
+ - **CVE-2024-3400 (PAN-OS command injection via GlobalProtect)** — Threat actors (UTA0218, attributed by Volexity) weaponised this within 48 hours of disclosure to implant UPSTYLE backdoor via crafted session IDs. Check edge-device logs for `SESSID` values containing shell metacharacters; correlate with outbound connections to novel hosting ASNs on TCP/4444 or 8443.
195
+ - **Bulletproof hosting ASN cluster pivoting** — APT groups regularly rotate C2 infrastructure across a stable set of ~20 "bulletproof" ASNs (AS58061 Frantech/BuyVM, AS209588 Flyservers, AS59676 Networks Land). A single observed C2 IP should trigger a full ASN-level block review, not a per-IP block. Use BGP routing data (RIPEstat, CAIDA) to identify co-tenanted infrastructure.
196
+ - **MITRE ATT&CK T1583.006 (Web Services — adversary-controlled cloud CDN)** — Threat actors front C2 traffic through legitimate CDN providers (Cloudflare, Fastly) to blend with allowed traffic. DNS-only IOC lists miss this entirely. Detection requires JA3/JA3S TLS fingerprint correlation and SNI inspection at the egress proxy.
197
+ - **LLM-assisted spear-phishing infrastructure (Mandiant FIN7 research, 2024)** — FIN7 was observed using LLM-generated lure content to dynamically generate per-target phishing pages hosted on compromised legitimate domains. Static URL/IP reputation feeds have zero coverage. Detection: entropy analysis of page content, registration-date skew of hosting domains (less than 30 days old), and DMARC misalignment on sender domains.
198
+ - **CVE-2023-44487 / HTTP/2 Rapid Reset (CVSS 7.5)** — Enables application-layer DDoS at record scale (398 Mpps observed by Google). Standard rate-limiters that count completed requests miss this because connections are reset before response. Requires server-side stream-reset rate monitoring at the HTTP/2 framing layer.
199
+ - **Post-quantum harvest-now-decrypt-later (HNDL) campaigns** — Nation-state actors (assessed: China/APT41 cluster) are actively collecting encrypted traffic today for decryption once cryptographically relevant quantum computers (CRQCs) arrive (~2028–2032, NAS 2024 report). Any long-lived sensitive data transmitted over RSA/ECDSA-protected channels is already compromised in adversary archives. Immediate action: inventory all TLS certificate key types; prioritise migration of authentication and PII-bearing endpoints to ML-KEM (FIPS 203) hybrid key exchange.
200
+ - **AI-generated infrastructure impersonation (novel TTPs, 2025)** — LLM-powered tools (e.g., FraudGPT derivatives) generate typosquatting domains, SSL certificates, and pixel-perfect brand impersonation pages at scale. Traditional phishing-domain detection based on Levenshtein distance or static brand-name lists is bypassed by semantic lookalike generation. Detection: perceptual hash comparison of favicon/logo assets against protected brand assets + certificate transparency log monitoring with ML-based domain classifier.
201
+ - **DNS-over-HTTPS (DoH) C2 tunnelling** — Threat actors tunnel C2 traffic through legitimate DoH providers (Cloudflare 1.1.1.1, Google 8.8.8.8) to evade DNS-layer security controls. Traditional DNS sinkholes and CIPA-style DNS filtering are completely blind. Requires HTTPS traffic inspection at the application layer or enforcement of internal-only DNS resolution with DoH explicitly blocked at the egress firewall.
202
+
203
+ ---
204
+
205
+ ## §EDGE-CASE-MATRIX
206
+
207
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
208
+
209
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
210
+ |---|-----------|----------------------|---------------|
211
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
212
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
213
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
214
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
215
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
216
+
217
+ ## §TEMPORAL-THREATS
218
+
219
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
220
+
221
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
222
+ |--------|--------------|--------------------------|----------------|
223
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
224
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
225
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
226
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
227
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
228
+
229
+ ## §DETECTION-GAP
230
+
231
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
232
+
233
+ **Standard gaps that MUST be checked:**
234
+
235
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
236
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
237
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
238
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
239
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
240
+
241
+ ## §ZERO-MISS-MANDATE
242
+
243
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
244
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
245
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
246
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
247
+
248
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
249
+
250
+ The output findings JSON MUST include a `coverageManifest` key:
251
+ ```json
252
+ {
253
+ "coverageManifest": {
254
+ "attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
255
+ "filesReviewed": 47,
256
+ "negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
257
+ "uncoveredReason": {}
258
+ }
259
+ }
260
+ ```
@@ -24,6 +24,15 @@ SKILL.md §2 and §8 are the MINIMUM. Go beyond them.
24
24
  Think like APT29, Lazarus Group, or FIN7 depending on the project's industry vertical.
25
25
  90% fixing — every threat you identify must have a mitigation written and implemented.
26
26
 
27
+ ## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
28
+
29
+ As the master threat-model lead, the full suite of detection modules in `src/gate/checks/` (especially `auth-deep.ts`, `injection-deep.ts`, and `infra.ts`) is your deterministic floor, not your ceiling. The threat model you produce is the attack brief that drives every other check — so treat their finding IDs as the minimum, reason past single-line/single-file pattern matching, and APPLY the mitigation (Edit), not just advise:
30
+
31
+ - **Cross-file / multi-step reasoning the regex can't do:** each detection module sees one component in isolation; your job is the interaction boundary the regex cannot reach — a multi-service flow where an auth bypass in one service plus a missing tenant filter in another yields cross-org data leak, or a webhook→outbound-fetch→IMDS pivot spanning three files. Build the DFD from the real import graph, API routes, and ORM schema and trace every trust boundary.
32
+ - **Semantic / effective-state analysis:** model whole attack trees and their effective exploitability — APT-vertical TTP chains (FIN7/Lazarus/Scattered Spider), formal-verification-worthy auth/payment state machines, and temporal threats (post-quantum harvest-now-decrypt-later, upcoming regulatory deadlines) that no single-line check surfaces — and prove each with a working PoC before and a failing PoC after the mitigation.
33
+ - **External corroboration:** WebSearch/WebFetch for current CVEs/advisories/standards, the latest ATT&CK v15 STIX bundle, industry APT group profiles, and CISA KEV.
34
+ - **Apply & prove:** write the mitigation inline, re-run the relevant `src/gate/checks/` modules (plus targeted tools — `nuclei`, `osv-scanner`, `sslyze`, `slsa-verifier`) as a regression floor, then re-audit and regenerate `threat-model.json`. Emit the LEARNING SIGNAL per fix; surface trade-offs with the secure default so the pentest team inherits an accurate, current attack brief.
35
+
27
36
  ## ACTIVATION PROTOCOL
28
37
 
29
38
  1. Call `orchestration.update_agent_status(agentRunId, "threat-modeler", "running")`
@@ -114,3 +123,88 @@ On complete: append new threat patterns; update intel with latest ATT&CK fetch t
114
123
 
115
124
  If a sub-agent fails: continue with remaining three, mark findings as partial.
116
125
  If ATT&CK STIX fetch fails: use cached intel.json regardless of age, note the age.
126
+
127
+ ## LEARNING SIGNAL
128
+
129
+ On every finding resolved, emit:
130
+ ```json
131
+ {
132
+ "findingId": "FINDING_ID",
133
+ "agentName": "threat-modeler",
134
+ "resolved": true,
135
+ "remediationTemplate": "one-line description of what was done",
136
+ "falsePositive": false
137
+ }
138
+ ```
139
+ Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
140
+
141
+ ---
142
+
143
+ ## §EDGE-CASE-MATRIX
144
+
145
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
146
+
147
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
148
+ |---|-----------|----------------------|---------------|
149
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
150
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
151
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
152
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
153
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
154
+
155
+ ## §TEMPORAL-THREATS
156
+
157
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
158
+
159
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
160
+ |--------|--------------|--------------------------|----------------|
161
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
162
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
163
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
164
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
165
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
166
+
167
+ ## §DETECTION-GAP
168
+
169
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
170
+
171
+ **Standard gaps that MUST be checked:**
172
+
173
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
174
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
175
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
176
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
177
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
178
+
179
+ ## §ZERO-MISS-MANDATE
180
+
181
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
182
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
183
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
184
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
185
+
186
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
187
+
188
+ The output findings JSON MUST include a `coverageManifest` key:
189
+ ```json
190
+ {
191
+ "coverageManifest": {
192
+ "attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
193
+ "filesReviewed": 47,
194
+ "negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
195
+ "uncoveredReason": {}
196
+ }
197
+ }
198
+ ```
199
+
200
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
201
+ ```json
202
+ {
203
+ "intelligenceForOtherAgents": {
204
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
205
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
206
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
207
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
208
+ }
209
+ }
210
+ ```