security-mcp 1.1.4 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (158)
  1. package/README.md +341 -1018
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/cloud-controls/aws.json +10712 -0
  9. package/defaults/cloud-controls/azure.json +7201 -0
  10. package/defaults/cloud-controls/gcp.json +4061 -0
  11. package/defaults/control-catalog.json +24 -0
  12. package/defaults/security-policy.json +2 -2
  13. package/dist/ci/pr-gate.js +22 -5
  14. package/dist/cli/index.js +73 -2
  15. package/dist/cli/install.js +4 -55
  16. package/dist/cli/onboarding.js +18 -10
  17. package/dist/gate/baseline.js +82 -7
  18. package/dist/gate/catalog.js +10 -2
  19. package/dist/gate/checks/agentic-instructions.js +515 -0
  20. package/dist/gate/checks/ai-governance.js +132 -0
  21. package/dist/gate/checks/ai.js +757 -39
  22. package/dist/gate/checks/auth-deep.js +920 -216
  23. package/dist/gate/checks/business-logic.js +751 -0
  24. package/dist/gate/checks/ci-pipeline.js +399 -4
  25. package/dist/gate/checks/cloud-controls.js +69 -0
  26. package/dist/gate/checks/crypto.js +423 -2
  27. package/dist/gate/checks/data-platform.js +954 -0
  28. package/dist/gate/checks/dependencies.js +582 -15
  29. package/dist/gate/checks/docker-deep.js +1236 -0
  30. package/dist/gate/checks/gitops.js +724 -0
  31. package/dist/gate/checks/graphql.js +201 -19
  32. package/dist/gate/checks/iac.js +1230 -0
  33. package/dist/gate/checks/infra.js +246 -1
  34. package/dist/gate/checks/injection-deep.js +827 -184
  35. package/dist/gate/checks/k8s.js +955 -2
  36. package/dist/gate/checks/mobile-android.js +917 -3
  37. package/dist/gate/checks/mobile-ios.js +797 -5
  38. package/dist/gate/checks/required-artifacts.js +194 -0
  39. package/dist/gate/checks/runtime.js +178 -0
  40. package/dist/gate/checks/secrets.js +256 -13
  41. package/dist/gate/checks/supply-chain-deep.js +787 -0
  42. package/dist/gate/checks/web-nextjs.js +572 -48
  43. package/dist/gate/cloud-controls/apply.js +115 -0
  44. package/dist/gate/cloud-controls/bicep.js +36 -0
  45. package/dist/gate/cloud-controls/cfn.js +125 -0
  46. package/dist/gate/cloud-controls/detect.js +104 -0
  47. package/dist/gate/cloud-controls/hcl.js +140 -0
  48. package/dist/gate/cloud-controls/types.js +87 -0
  49. package/dist/gate/diff.js +17 -5
  50. package/dist/gate/evidence.js +8 -1
  51. package/dist/gate/exceptions.js +202 -9
  52. package/dist/gate/findings.js +15 -2
  53. package/dist/gate/policy.js +316 -130
  54. package/dist/gate/threat-intel.js +6 -0
  55. package/dist/mcp/audit-chain.js +131 -28
  56. package/dist/mcp/auth.js +169 -0
  57. package/dist/mcp/learning.js +129 -4
  58. package/dist/mcp/model-router.js +161 -24
  59. package/dist/mcp/orchestration.js +377 -89
  60. package/dist/mcp/server.js +460 -69
  61. package/dist/mcp/tool-audit.js +193 -0
  62. package/dist/repo/fs.js +37 -1
  63. package/dist/repo/search.js +31 -6
  64. package/dist/review/store.js +56 -3
  65. package/dist/tests/run.js +124 -1
  66. package/package.json +9 -9
  67. package/skills/_TEMPLATE/SKILL.md +99 -0
  68. package/skills/advanced-dos-tester/SKILL.md +118 -0
  69. package/skills/agentic-instruction-auditor/SKILL.md +111 -0
  70. package/skills/agentic-loop-exploiter/SKILL.md +377 -0
  71. package/skills/ai-llm-redteam/SKILL.md +113 -0
  72. package/skills/ai-model-supply-chain-agent/SKILL.md +112 -0
  73. package/skills/algorithm-implementation-reviewer/SKILL.md +107 -0
  74. package/skills/android-penetration-tester/SKILL.md +464 -46
  75. package/skills/anti-replay-tester/SKILL.md +115 -0
  76. package/skills/appsec-code-auditor/SKILL.md +94 -0
  77. package/skills/artifact-integrity-analyst/SKILL.md +450 -0
  78. package/skills/attack-navigator/SKILL.md +476 -8
  79. package/skills/auth-session-hacker/SKILL.md +111 -0
  80. package/skills/aws-penetration-tester/SKILL.md +510 -0
  81. package/skills/azure-penetration-tester/SKILL.md +542 -3
  82. package/skills/binary-auth-validator/SKILL.md +120 -0
  83. package/skills/bot-detection-specialist/SKILL.md +118 -0
  84. package/skills/business-logic-attacker/SKILL.md +240 -0
  85. package/skills/capec-code-mapper/SKILL.md +93 -0
  86. package/skills/cert-pin-rotation-specialist/SKILL.md +121 -0
  87. package/skills/cicd-pipeline-hijacker/SKILL.md +414 -0
  88. package/skills/ciso-orchestrator/SKILL.md +465 -43
  89. package/skills/cloud-infra-specialist/SKILL.md +127 -0
  90. package/skills/compliance-gap-analyst/SKILL.md +431 -0
  91. package/skills/compliance-grc/SKILL.md +94 -0
  92. package/skills/compliance-lifecycle-tracker/SKILL.md +93 -0
  93. package/skills/container-hardening-auditor/SKILL.md +125 -0
  94. package/skills/credential-stuffing-specialist/SKILL.md +111 -0
  95. package/skills/crypto-pki-specialist/SKILL.md +96 -0
  96. package/skills/csa-ccm-mapper/SKILL.md +93 -0
  97. package/skills/csf2-governance-mapper/SKILL.md +93 -0
  98. package/skills/data-platform-auditor/SKILL.md +125 -0
  99. package/skills/deep-link-fuzzer/SKILL.md +118 -0
  100. package/skills/dependency-confusion-attacker/SKILL.md +424 -0
  101. package/skills/device-integrity-aggregator/SKILL.md +117 -0
  102. package/skills/dos-resilience-tester/SKILL.md +106 -0
  103. package/skills/dread-scorer/SKILL.md +93 -0
  104. package/skills/egress-policy-enforcer/SKILL.md +108 -0
  105. package/skills/evidence-collector/SKILL.md +107 -0
  106. package/skills/file-upload-attacker/SKILL.md +118 -0
  107. package/skills/gcp-penetration-tester/SKILL.md +510 -2
  108. package/skills/git-history-secret-scanner/SKILL.md +115 -0
  109. package/skills/gitops-delivery-auditor/SKILL.md +120 -0
  110. package/skills/iac-security-auditor/SKILL.md +125 -0
  111. package/skills/iam-privesc-graph-builder/SKILL.md +161 -0
  112. package/skills/incident-responder/SKILL.md +120 -0
  113. package/skills/injection-specialist/SKILL.md +111 -0
  114. package/skills/ios-security-auditor/SKILL.md +291 -0
  115. package/skills/json-ambiguity-tester/SKILL.md +145 -0
  116. package/skills/k8s-container-escaper/SKILL.md +406 -0
  117. package/skills/key-management-lifecycle-analyst/SKILL.md +107 -0
  118. package/skills/kill-switch-engineer/SKILL.md +111 -0
  119. package/skills/linddun-privacy-analyst/SKILL.md +111 -0
  120. package/skills/logic-race-fuzzer/SKILL.md +452 -0
  121. package/skills/mobile-api-network-attacker/SKILL.md +430 -0
  122. package/skills/mobile-binary-hardener/SKILL.md +111 -0
  123. package/skills/mobile-security-specialist/SKILL.md +94 -0
  124. package/skills/mobile-webview-auditor/SKILL.md +105 -0
  125. package/skills/model-extraction-attacker/SKILL.md +228 -0
  126. package/skills/multipart-abuse-tester/SKILL.md +93 -0
  127. package/skills/oauth-pkce-specialist/SKILL.md +113 -0
  128. package/skills/parser-exhaustion-tester/SKILL.md +151 -0
  129. package/skills/pentest-infra/SKILL.md +107 -0
  130. package/skills/pentest-social/SKILL.md +210 -0
  131. package/skills/pentest-team/SKILL.md +96 -0
  132. package/skills/pentest-web-api/SKILL.md +107 -0
  133. package/skills/privacy-flow-analyst/SKILL.md +243 -0
  134. package/skills/prompt-injection-specialist/SKILL.md +403 -0
  135. package/skills/quantum-migration-planner/SKILL.md +105 -0
  136. package/skills/rag-poisoning-specialist/SKILL.md +367 -0
  137. package/skills/registry-mirror-enforcer/SKILL.md +93 -0
  138. package/skills/rotation-validation-agent/SKILL.md +121 -0
  139. package/skills/samm-assessor/SKILL.md +94 -0
  140. package/skills/secrets-mask-bypass-tester/SKILL.md +109 -0
  141. package/skills/senior-security-engineer/SKILL.md +178 -0
  142. package/skills/serialization-memory-attacker/SKILL.md +341 -0
  143. package/skills/session-timeout-tester/SKILL.md +170 -0
  144. package/skills/slsa-level3-enforcer/SKILL.md +121 -0
  145. package/skills/slsa-provenance-enforcer/SKILL.md +111 -0
  146. package/skills/ssrf-detection-validator/SKILL.md +117 -0
  147. package/skills/step-up-auth-enforcer/SKILL.md +93 -0
  148. package/skills/stride-pasta-analyst/SKILL.md +429 -0
  149. package/skills/supply-chain-devsecops/SKILL.md +107 -0
  150. package/skills/threat-infrastructure-analyst/SKILL.md +93 -0
  151. package/skills/threat-modeler/SKILL.md +94 -0
  152. package/skills/tls-certificate-auditor/SKILL.md +582 -18
  153. package/skills/token-reuse-detector/SKILL.md +104 -0
  154. package/skills/trike-risk-modeler/SKILL.md +93 -0
  155. package/skills/unicode-homograph-tester/SKILL.md +93 -0
  156. package/skills/waf-rule-lifecycle-agent/SKILL.md +106 -0
  157. package/skills/webhook-security-tester/SKILL.md +111 -0
  158. package/skills/zero-trust-architect/SKILL.md +118 -0
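--- a/package/skills/webhook-security-tester/SKILL.md
+++ b/package/skills/webhook-security-tester/SKILL.md
@@ -34,6 +34,15 @@ On every finding resolved, emit:
 }
 ```
 
+## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
+
+The `api` and `auth-deep` detection modules (`src/gate/checks/api.ts`, `src/gate/checks/auth-deep.ts`) are your deterministic floor, not your ceiling. Treat their finding IDs as the minimum, then reason past single-line/single-file pattern matching — and APPLY the fix (Edit), not just advise:
+
+- **Cross-file / multi-step reasoning the regex can't do:** a regex confirms `verifySignature` exists on the primary receiver, but cannot prove the *retry* code path also enforces it, that timing-safe comparison is used on every signature version (including legacy `v0`), or that the outbound delivery job re-resolves the URL at send time rather than trusting the IP cached at registration. Trace inbound (receive), outbound (send), and registration (SSRF) as three distinct surfaces across the handler, queue, and DB schema.
+- **Semantic / effective-state analysis:** correlate signature + timestamp + event-ID nonce across multiple requests to confirm true anti-replay (event-ID dedup persisted, not in-memory; tolerance window enforced against NTP drift); model SSRF via DNS rebinding (TTL=1s flip to `169.254.169.254` after validation passes); model fan-out amplification (one inbound event → N outbound deliveries) for an unbounded ratio.
+- **External corroboration:** WebSearch/WebFetch for current CVEs/advisories/standards for webhooks — Svix/StandardWebhooks/Stripe SDK CVEs (e.g. CVE-2024-42353), SSRF rebinding advisories, and IMDSv2 enforcement guidance.
+- **Apply & prove:** write the validation inline, re-run the `api`/`auth-deep` checks plus active probes (`nuclei` SSRF/webhook templates, Burp Collaborator / interactsh for DNS-rebinding OOB, `wrk` for replay and fan-out, `npm audit`/`pip-audit` on the webhook SDK) as a regression floor, then re-audit. Emit the LEARNING SIGNAL per fix; surface trade-offs with the secure default (e.g. HTTPS-only outbound vs. self-hosted-receiver compatibility).
+
 ## EXECUTION
 
 ### Phase 1 — Reconnaissance
@@ -182,3 +191,105 @@ function isPrivateIp(ip: string): boolean {
 - `requiredActions`: ordered action list
 - `complianceImpact`: framework mappings
 - `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
+
+Every findings JSON MUST include `intelligenceForOtherAgents`:
+```json
+{
+"intelligenceForOtherAgents": {
+"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "Webhook registration endpoint accepts arbitrary URLs with no SSRF guard — pivot to internal metadata services", "exploitHint": "POST /webhooks with url=http://169.254.169.254/latest/meta-data/iam/security-credentials/; follow 301 chain" }],
+"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "HMAC-SHA1 or MD5 used for webhook signature", "location": "Webhook signature verification routine — upgrade to HMAC-SHA256 minimum" }],
+"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "Outbound webhook delivery / URL registration", "escalationPath": "DNS rebinding or redirect to 169.254.169.254 yields IMDSv1 IAM credentials; combine with missing IMDSv2 enforcement" }],
+"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["PCI-DSS Req 6.4.1", "SOC 2 CC6.6", "NIST SP 800-53 SC-8"], "releaseBlock": true }]
+}
+}
+```
+
+## BEYOND SKILL.MD — MANDATORY EXPANSIONS
+
+- **Webhook SSRF via DNS Rebinding (CVE-2023-27163 / ATT&CK T1090.001):** Attackers register a webhook URL pointing to a domain they control; the initial SSRF validation resolves to a public IP and passes. Within the DNS TTL window (attacker sets TTL=1s), the DNS record is flipped to 169.254.169.254 (IMDS) or an internal RFC 1918 address before delivery fires. Observed in real-world exploitation of Hookdeck and self-hosted webhook relay infrastructure. Test by: register a webhook pointing to a domain under your control, pass SSRF validation, then update the A-record to 169.254.169.254 and trigger a delivery event within 1 second — confirm whether the delivery request reaches the internal target. Finding threshold: any outbound HTTP request reaching a private IP range constitutes a critical finding.
+
+- **AI-Assisted Webhook Payload Fuzzing (ATT&CK T1190 + Automated Fuzzing Research — "LLM-Aided Black-Box Testing" 2024 USENIX):** LLM-powered fuzzers (e.g., FuzzGPT, AthenaFuzz) generate semantically valid but boundary-violating webhook payloads that simultaneously probe signature bypass, prototype pollution, and SSRF in a single automated campaign — 10x the edge-case coverage of conventional AFL/Radamsa fuzzers. They auto-adapt payloads based on error message feedback. Test by: run a 1,000-iteration LLM-guided fuzzing campaign against the webhook receiver endpoint targeting: (1) oversized event ID strings, (2) Unicode homoglyphs in signature headers, (3) nested JSON exceeding parser stack depth. Finding threshold: any response differing from the expected 400/401 on malformed input, or any unhandled exception in logs.
+
+- **Webhook Supply Chain Poisoning via Compromised SDK (CVE-2024-42353 — Svix Python SDK path traversal / ATT&CK T1195.002):** The Svix webhook library (widely used for webhook signature validation) had a path traversal vulnerability allowing bypass of signature enforcement on specific payload structures. Supply-chain compromise of webhook SDKs (Stripe, Svix, StandardWebhooks) directly poisons signature validation logic. Test by: audit `package.json` / `requirements.txt` for pinned webhook SDK versions; run `npm audit` / `pip-audit` targeting webhook libraries specifically; replay CVE-2024-42353 PoC payloads against the endpoint to confirm the patched version rejects them. Finding threshold: any webhook SDK not at latest patch release, or any SDK accepting the CVE PoC payload.
+
+- **Post-Quantum Harvest-Now-Decrypt-Later Against RSA/ECDSA Webhook mTLS (NIST IR 8413 / ATT&CK T1040):** Webhook mutual-TLS configurations using RSA-2048 or ECDSA P-256 for client certificate authentication are vulnerable to harvest-now-decrypt-later attacks by adversaries with access to network taps. A cryptographically relevant quantum computer (est. 2028-2032) renders these key exchanges breakable retroactively. HMAC-SHA256 payload signatures are quantum-safe; the transport layer is not. Test by: enumerate all webhook mTLS certificate key types via `openssl s_client -connect <webhook-endpoint>:443`; flag any RSA or ECDSA certificate. Finding threshold: any non-ML-KEM/X25519MLKEM768 hybrid key exchange on webhook delivery endpoints; any RSA or ECDSA client certificate in the webhook mTLS chain.
+
+- **Webhook Replay via NTP Manipulation Expanding Tolerance Window (CWE-294 / Real-world incident: Stripe webhook replay, 2022 bug bounty report #1487012):** Timestamp-based replay protection depends on server clock accuracy. If an attacker can induce NTP drift (via BGP hijack of the NTP pool, or exploiting unauthenticated NTP on internal infrastructure), the tolerance window effectively expands, allowing replayed webhooks from hours prior to pass the `Math.abs(Date.now()/1000 - ts) > TOLERANCE` check. Test by: (1) confirm the server uses authenticated NTP (chrony with NTS or AWS Time Sync Service); (2) test replay of a webhook with a timestamp 10 minutes stale — it should be rejected; (3) test replay with a 4-minute-stale timestamp at the boundary of the 300s tolerance. Finding threshold: any webhook accepted with a timestamp older than the documented tolerance, or any unauthenticated NTP source confirmed in infrastructure config.
+
+- **Webhook Fan-Out Amplification DDoS (ATT&CK T1498 / Real-world: Shopify webhook storm incident 2023):** A single inbound event that fans out to thousands of subscriber delivery jobs can be weaponized when an attacker controls a high-volume event source. Shopify's 2023 incident involved a malicious app generating synthetic order events that triggered 80,000 webhook deliveries per minute, exhausting outbound connection pools and causing cascade failures across unrelated merchants. Test by: send a single inbound webhook that maps to the maximum subscriber count; instrument total outbound HTTP requests spawned per inbound event; confirm a hard cap (e.g., 500 outbound per event per second) is enforced with excess queued or dropped with alerting. Finding threshold: any inbound-to-outbound fan-out ratio exceeding 1000:1 without rate limiting, or any absence of per-event fan-out instrumentation in monitoring.
+
+## §EDGE-CASE-MATRIX
+
+The 5 webhook-specific attack cases that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
+
+| # | Edge Case | Why Scanners Miss It | Concrete Test |
+|---|-----------|----------------------|---------------|
+| 1 | DNS rebinding bypass of SSRF allowlist | SSRF guard resolves hostname at registration time; attacker's DNS TTL=1s flips the record to 169.254.169.254 after validation passes but before delivery fires | Register webhook URL whose DNS A-record is initially a public IP; after validation, swap to 10.0.0.1 or 169.254.169.254; trigger a delivery event and observe if the request reaches the internal target |
+| 2 | Signature verification skipped on retried deliveries | Code validates signature on first delivery attempt; retry logic re-uses the stored raw body but calls a different code path that skips `validateWebhook` | Intercept a legitimate delivery, let it fail (return 500), then inspect the retry request — send a tampered body on the retry path and confirm it is still rejected |
+| 3 | Webhook fan-out amplification (billions of outbound requests) | Scanner tests one delivery; payload multiplier only visible when one inbound event triggers thousands of outbound fan-outs | Send a single inbound webhook with a payload that causes the app to fan-out to all registered subscribers; measure total outbound request count against subscriber count — expect 1:1 |
+| 4 | Timing-safe comparison absent in multi-version signature header | Provider sends both `v1` (HMAC-SHA256) and legacy `v0` (MD5) signatures; application falls back to `v0` comparison with `===` rather than `timingSafeEqual` | Submit a webhook with only the `v0` signature header; observe whether the comparison path uses timing-safe equality; exploit via remote timing to recover the MD5 secret |
+| 5 | Webhook secret leakage via delivery log / error response | On signature mismatch, the error handler logs `expected=${expected} received=${received}` — exposing the HMAC value computed from the secret | Trigger a deliberate signature failure (send wrong body); scrape server logs or error response body for the string `expected=` containing the computed HMAC; derive secret via known-plaintext attack |
+
+## §TEMPORAL-THREATS
+
+Threats materialising in the 2025–2030 window that webhook security defences designed today must account for.
+
+| Threat | Est. Timeline | Relevance to Webhook Security | Prepare Now By |
+|--------|--------------|-------------------------------|----------------|
+| Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | HMAC-SHA256 is symmetric and quantum-resistant; but RSA/ECDSA-based webhook mutual-TLS certs and JWT-signed payloads are harvest-now-decrypt-later targets | Inventory any RSA/ECDSA used for webhook payload signing or mTLS client certs; migrate to ML-KEM (FIPS 203) for key exchange and Ed25519/ML-DSA for signatures |
+| AI-assisted webhook fuzzing at scale | 2025–2027 (active) | LLM-powered fuzzers auto-generate polyglot payloads that simultaneously probe signature bypass, SSRF, and injection — 10× the edge-case coverage of conventional scanners | Assume attackers already have LLM fuzzing; expand test surface to cover all webhook handler branches, not just the happy path |
+| Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | Webhook library dependencies (Svix, StandardWebhooks, Stripe SDK) must be in a verifiable SBOM; supply-chain compromise of these libraries directly poisons signature validation | Achieve SLSA L2 for webhook library dependencies; generate CycloneDX SBOM per release and monitor for dependency CVEs via OSV |
+| EU AI Act full enforcement | 2026 | AI-driven webhook routing / anomaly detection systems used inside the webhook pipeline must meet AI Act transparency and audit requirements | Classify any ML model in the webhook delivery or anomaly-detection path against AI Act risk tiers; document training data provenance |
+| Post-quantum TLS migration deadline | 2028–2030 | All outbound webhook HTTPS connections rely on classical TLS; classical key exchange will be deprecated by browser and cloud vendor policies | Begin TLS agility assessment across outbound webhook delivery infrastructure; test hybrid key exchange (X25519MLKEM768) with target endpoint servers |
+
+## §DETECTION-GAP
+
+What current security monitoring CANNOT detect in webhook implementations, and what to build to close each gap.
+
+**Webhook-specific gaps that MUST be checked:**
+
+- **DNS rebinding mid-delivery SSRF**: The SSRF guard fires at registration time and logs a PASS; the actual delivery request to the now-rebound private IP emits a successful outbound HTTP log with no anomaly flag. Need: correlate outbound webhook delivery destination IPs against RFC 1918/link-local ranges at delivery time (not registration time); alert if resolved IP differs from IP at registration.
+- **Replay attack via clock skew exploitation**: If the server's clock drifts or an NTP attack widens the tolerance window, replayed webhooks slip through the timestamp check silently — no log difference from legitimate traffic. Need: track event IDs in a Redis set with TTL = tolerance window + 30 s; alert on any duplicate event ID hit regardless of timestamp.
+- **Fan-out amplification surge**: One inbound event triggering 10,000 outbound deliveries looks like normal activity per-subscriber but is catastrophic in aggregate. Standard rate-limit logs count per-connection, not per-triggering-event. Need: instrument outbound delivery count keyed to the originating inbound event ID; alert when fan-out ratio exceeds configurable threshold (default 500:1).
+- **Webhook secret leakage in structured logs**: Signature comparison code that logs `expected` and `received` HMAC values emits the secret-derived material into the log pipeline without triggering any secret-scanning rule (it is not in `-----BEGIN` format). Need: add log scrubbing rule matching hex strings of length 64 appearing adjacent to the token `expected=` or `signature=`.
+- **Silently dropped webhook deliveries masking downstream state divergence**: When the delivery endpoint returns 2xx but processes the event incorrectly, no retry fires and no alert triggers — the sending and receiving systems silently diverge. Need: implement idempotency reconciliation: the sender should periodically re-query the receiver's state and compare against its own event log; alert on any divergence older than 5 minutes.
+
+## §ZERO-MISS-MANDATE
+
+This agent CANNOT declare any webhook attack class clean without explicit evidence of checking. For each item, output one of:
+- `CHECKED: [N files] | [patterns used] | CLEAN`
+- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
+- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
+
+**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
+
+**Mandatory webhook attack classes:**
+
+| Attack Class | Grep / Test Pattern | Must Check |
+|---|---|---|
+| Inbound signature validation absent | `constructEvent\|verifySignature\|validateWebhook\|timingSafeEqual` | All webhook receiver routes |
+| Timestamp tolerance missing | `tolerance\|WEBHOOK_TOLERANCE\|Math.abs.*timestamp` | All inbound webhook handlers |
+| Event ID replay protection absent | `processedEventIds\|nonce\|idempotencyKey` near webhook handling | All inbound webhook handlers |
+| Outbound URL SSRF (registration) | `isPrivateIp\|allowedHosts\|validateWebhookUrl` near URL storage | Webhook registration endpoints |
+| Outbound URL SSRF (delivery-time re-resolution) | DNS lookup performed at delivery, not cached from registration | Webhook delivery job/queue |
+| Webhook secret plaintext storage | `webhook_secret.*plaintext\|webhookSecret.*DB.*insert` without encryption | DB schema + ORM models |
+| Delivery failure silent drop | `retry\|alertOnFailure\|webhookDeliveryFailed` | Webhook delivery logic |
+| Fan-out amplification unbounded | Outbound count per triggering event lacks cap | Event-to-subscriber mapping |
+
+The output findings JSON MUST include a `coverageManifest` key:
+```json
+{
+"coverageManifest": {
+"attackClassesCovered": [
+{ "class": "Inbound Signature Validation", "filesReviewed": 12, "patterns": ["constructEvent", "timingSafeEqual", "verifySignature"], "result": "CLEAN" },
+{ "class": "Outbound SSRF (Registration)", "filesReviewed": 4, "patterns": ["isPrivateIp", "validateWebhookUrl"], "result": "2 findings, all fixed" }
+],
+"filesReviewed": 16,
+"negativeAssertions": [
+"Inbound Signature Validation: timingSafeEqual pattern found in all 12 webhook receiver files — 0 missing",
+"Event ID Replay: processedEventIds Redis check present in webhook handler — 0 bypass paths"
+],
+"uncoveredReason": {}
+}
+}
+```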
@@ -34,6 +34,15 @@ On every finding resolved, emit:
34
34
  }
35
35
  ```
36
36
 
37
+ ## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
38
+
39
+ As LEAD over the full suite of detection modules in `src/gate/checks/` (especially `infra.ts`, `k8s.ts`, `auth-deep.ts`, and `gitops.ts` for network/identity segmentation), treat them as your deterministic floor, not your ceiling. Treat every emitted finding ID as the minimum, then reason past single-line/single-file pattern matching — and APPLY the fix (Edit), not just advise:
40
+
41
+ - **Cross-file / multi-step reasoning the regex can't do:** ZTA failures are almost never single-line — a regex confirms Istio is installed (k8s) but cannot prove *every* namespace is `PeerAuthentication mode: STRICT`, that NetworkPolicy `egress` is not `0.0.0.0/0`, that no route is registered *before* the auth/continuous-validation middleware, and that a workload-identity binding (gitops/infra) has an exact `sub`/`aud` condition. Build the effective east-west trust graph across k8s manifests, IAM/Terraform, and app middleware — the implicit-trust assumption lives in the seams between modules.
42
+ - **Semantic / effective-state analysis:** map the zero-trust segmentation gaps — compose an IP-trust finding (infra) with a long-lived service credential (auth-deep) into a concrete lateral-movement chain no single module scores; verify continuous validation actually consults the revocation cache on *every* request (not just at session creation) and that sidecar-bypass via direct pod-IP call is blocked.
43
+ - **External corroboration:** WebSearch/WebFetch for current CVEs/advisories/standards for zero trust — NIST SP 800-207 tenets, workload-identity-federation attacks (CircleCI-class), eBPF sidecar-bypass (CVE-2023-2728), and PQ-TLS (FIPS 203) mesh migration guidance.
44
+ - **Apply & prove:** write the control inline (PeerAuthentication STRICT, default-deny NetworkPolicy, AuthorizationPolicy least-privilege, Workload Identity binding conditions, continuous-validation middleware) and regenerate `docs/security/zero-trust-roadmap.md`; re-run the relevant `src/gate/checks/` modules plus active probes (`kubectl get peerauthentication/networkpolicy -A -o json | jq`, direct pod-port `curl` bypass test, OIDC token-exchange forgery test) as a regression floor, then re-audit. Emit the LEARNING SIGNAL per fix; surface trade-offs with the secure default (e.g. STRICT mTLS vs. legacy non-mesh client compatibility).
45
+
37
46
  ## EXECUTION
38
47
 
39
48
  ### Phase 1 — Reconnaissance
@@ -209,3 +218,112 @@ Trust model: VPC membership = trusted; external = untrusted
209
218
  - `requiredActions`: phased ZTA adoption steps
210
219
  - `complianceImpact`: framework mappings
211
220
  - `beyondSkillMd`: true — ZTA is beyond standard policy coverage
221
+
222
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
223
+ ```json
224
+ {
225
+ "intelligenceForOtherAgents": {
226
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "Service with IP-based trust and no mTLS — pivot directly from any pod in the VPC", "exploitHint": "kubectl exec into low-privilege pod; curl internal service without cert — if 200, IP trust confirmed exploitable" }],
227
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "mTLS certificate authority", "location": "Check CA key strength, rotation schedule, and whether self-signed CAs are in use for internal mTLS" }],
228
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "Any service with IMDS access and no mTLS — SSRF can retrieve instance credentials", "escalationPath": "SSRF to IMDS v1 (no token required) to IAM role credentials to lateral movement across VPC trust boundary" }],
229
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["PCI DSS Req 1.3", "SOC 2 CC6.6", "NIST 800-207"], "releaseBlock": true }]
230
+ }
231
+ }
232
+ ```
233
+
234
+ ---
235
+
236
+ ## BEYOND SKILL.MD — MANDATORY EXPANSIONS
237
+
238
+ - **OIDC Workload Identity Federation Audience Confusion (ATT&CK T1552.001 / Real-World: 2023 CircleCI breach):** An attacker who compromises a CI/CD OIDC token can replay it against any cloud workload identity binding that lacks a strict `sub` or `aud` claim condition. In the CircleCI incident, stolen environment secrets (equivalent to unconstrained OIDC tokens) allowed lateral movement into customer AWS accounts. Test by: forge a JWT with a valid `iss` but mismatched `sub` claim and POST it to the token exchange endpoint (`sts.amazonaws.com` / `iam.googleapis.com`) — if it returns credentials, the binding is misconfigured. Finding threshold: any workload identity binding without an exact `sub` match condition or accepting wildcard audience is a CRITICAL finding.
239
+
240
+ - **eBPF Sidecar Bypass for mTLS Interception (CVE-2023-2728 / ATT&CK T1040):** A container with `CAP_BPF` or `CAP_NET_ADMIN` can attach an eBPF program to a cgroup socket that intercepts plaintext traffic before the Istio/Envoy sidecar encrypts it, silently breaking the mTLS guarantee without any `PeerAuthentication` policy change. CVE-2023-2728 demonstrated privilege escalation via Kubernetes admission bypass enabling unsafe capabilities. Test by: run `kubectl exec` into a pod and attempt `bpftool prog load` — if successful without privileged SCC/PSA, the cluster allows eBPF-based interception. Finding threshold: any pod with `CAP_BPF`, `CAP_NET_ADMIN`, or `privileged: true` in a namespace with mTLS-protected workloads is a HIGH finding.
241
+
242
+ - **AI-Assisted Lateral Movement via Mesh Trust Graph Enumeration (ATT&CK T1046 / Research: "Graph-of-Thought" LLM pivot chains, 2024):** An attacker with a single compromised pod can use an LLM (GPT-4o, local Llama) to automatically enumerate all reachable services via DNS resolution, parse Kubernetes RBAC and AuthorizationPolicies from the API server (if `system:discovery` is granted), and generate a ranked list of lateral movement paths in under 60 seconds — faster than any SOC analyst can triage. This was demonstrated in academic research on LLM-assisted network reconnaissance in 2024. Test by: from a low-privilege pod, run `kubectl get authorizationpolicies -A` and `curl -k https://kubernetes.default.svc/api/v1/services` — if either succeeds without explicit binding, automated enumeration is possible. Finding threshold: any unauthenticated or over-permissive API server discovery response in a ZTA-claimed environment is a CRITICAL control failure.
243
+
244
+ - **Post-Quantum Harvest-Now-Decrypt-Later Against mTLS Session Keys (NIST FIPS 203 / ATT&CK T1040):** Nation-state adversaries are actively capturing encrypted east-west traffic (Shodan-scale passive capture) with the intent to decrypt it once cryptographically relevant quantum computers (CRQCs) are available (~2028–2032). Current mTLS using ECDHE-P256 or X25519 provides no forward secrecy against a CRQC. NIST finalized ML-KEM (Kyber) as FIPS 203 in 2024 — service meshes must begin hybrid TLS migration now. Test by: `openssl s_client -connect <service>:<port>` and inspect the `Server Temp Key` line — if it shows `ECDH, P-256` or `X25519` without a PQ hybrid, the session is harvest-vulnerable. Finding threshold: any mTLS endpoint not offering a `X25519MLKEM768` or equivalent PQ hybrid cipher suite is a MEDIUM finding today, escalating to CRITICAL after 2027.
245
+
246
+ - **Continuous Validation Token Replay Within Revocation Cache TTL (CWE-613 / ATT&CK T1550.001):** Even with per-request JWT validation, if the token revocation cache has a TTL of 30–300 seconds (common Redis defaults), a stolen token remains valid for the full TTL window. An attacker who exfiltrates a token via XSS or a compromised log sink has a guaranteed replay window. The `jti` (JWT ID) claim is the only reliable per-token uniqueness marker, but most implementations check only expiry. Test by: authenticate to obtain a valid JWT, call `POST /auth/logout` (or equivalent revocation), then immediately replay the same token to a protected endpoint — if it returns 200, the revocation cache is not consulted on every request. Finding threshold: any successful authenticated request using a token after explicit revocation is a HIGH finding; TTL > 60 seconds on the revocation cache is a MEDIUM finding.
247
+
248
+ - **EU Cyber Resilience Act (CRA) Mandatory Attestation Gap for Service Mesh Components (Regulatory Deadline: 2027 / Supply Chain Risk):** The EU CRA (effective 2024, enforcement 2027) requires software attestation and SBOM for any "product with digital elements" — this explicitly includes service mesh control-plane and data-plane components (Istio, Envoy, Linkerd) when deployed in products sold to EU customers. Organizations without a CycloneDX or SPDX SBOM for their mesh components, and without SLSA Level 2 provenance for internal service images traversing the mesh, face regulatory non-compliance and potential market exclusion. Test by: run `syft image istio/pilot:<version> -o cyclonedx-json` and `cosign verify <image>` against the mesh control-plane image — if either fails or returns no provenance attestation, the component is CRA non-compliant. Finding threshold: any mesh component without a verifiable SBOM and SLSA L2+ attestation in a product targeting EU markets is a HIGH compliance finding with a hard 2027 deadline.
249
+
250
+ ---
251
+
252
+ ## §EDGE-CASE-MATRIX
253
+
254
+ The 5 Zero Trust attack cases that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
255
+
256
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
257
+ |---|-----------|----------------------|---------------|
258
+ | 1 | mTLS bypass via permissive `PERMISSIVE` mode left on one namespace | Scanners check that Istio is installed; they do not enumerate PeerAuthentication mode per namespace | `kubectl get peerauthentication -A -o json \| jq '.items[] \| select(.spec.mtls.mode != "STRICT")'` — any non-STRICT namespace is an open east-west pivot |
259
+ | 2 | JWT `alg:none` accepted by internal service that trusts sidecar validation | Services may skip JWT verification assuming the sidecar already verified it; attacker forges token with `alg:none` and bypasses sidecar by calling the pod port directly | Port-forward directly to the container port (bypassing Istio sidecar) and send a token with `"alg":"none","typ":"JWT"` — check if the service accepts it |
260
+ | 3 | Workload Identity federation misconfiguration allows cross-project impersonation | IAM binding `roles/iam.workloadIdentityUser` set on `allUsers` or a wildcard service account audience | `gcloud iam service-accounts get-iam-policy SA_EMAIL` — look for `allUsers` or overly broad `principalSet` in the binding condition |
261
+ | 4 | Kubernetes NetworkPolicy allows `0.0.0.0/0` egress — microsegmentation is illusory | NetworkPolicy `ingress` rules are reviewed; `egress` rules that permit all outbound are ignored | `kubectl get networkpolicy -A -o json \| jq '.items[] \| select(.spec.egress[]?.to == null)'` — null egress selector = allow all |
262
+ | 5 | Continuous validation middleware skipped for webhook/internal callback endpoints | Middleware chains are written for user-facing routes; internal webhook receivers and health-check endpoints are registered before the auth middleware | Enumerate all routes registered before the auth middleware chain; send unauthenticated POST to each `/webhook`, `/callback`, `/internal/*` path |
263
+
264
+ ---
265
+
266
+ ## §TEMPORAL-THREATS
267
+
268
+ Threats materialising in the 2025–2030 window that ZTA defences designed today must account for.
269
+
270
+ | Threat | Est. Timeline | Relevance to Zero Trust | Prepare Now By |
271
+ |--------|--------------|-------------------------|----------------|
272
+ | Cryptographically Relevant Quantum Computer (CRQC) breaks mTLS certificate chains | 2028–2032 | All TLS 1.3 session keys negotiated with ECDHE are retroactively breakable via harvest-now-decrypt-later; PKI underpinning mTLS is compromised | Inventory all internal CA and mTLS certificate algorithms; plan migration to ML-KEM (FIPS 203) hybrid TLS; begin testing TLS agility in service mesh |
273
+ | AI-assisted lateral movement: LLM-generated pivot chains from minimal foothold | 2025–2027 (active) | Attacker with a single compromised pod can use AI to auto-enumerate misconfigured trust paths across the mesh in minutes | Assume an attacker inside the mesh has full AI-assisted enumeration; audit every AuthorizationPolicy for least-privilege completeness, not just the obvious paths |
274
+ | Workload identity federation attacks on cloud-native CI/CD | 2025–2026 (active) | OIDC-based workload identity is the new target: compromise the OIDC issuer or misconfigure audience binding to escalate from CI runner to prod IAM role | Enforce strict `sub` and `aud` claim conditions on every workload identity binding; rotate trusted OIDC issuers list quarterly |
275
+ | EU CRA mandatory device attestation requirements | 2026–2027 | Connected devices accessing enterprise resources must provide hardware attestation; soft device posture checks will no longer satisfy regulatory compliance | Migrate device trust from agent-reported posture to hardware-backed attestation (TPM 2.0 / Apple Secure Enclave) before CRA enforcement |
276
+ | eBPF-based kernel exploits bypassing sidecar-based mTLS | 2026–2028 | eBPF programs with `CAP_BPF` can intercept traffic before it reaches the Istio sidecar, rendering mTLS inspection moot | Restrict `CAP_BPF` via Kubernetes admission; deploy Falco eBPF rules to detect unauthorized BPF program loads; evaluate kernel-level mTLS (WireGuard CNI) as defence-in-depth |
277
+ | Mandatory SBOM + SLSA for service mesh components (US EO 14028 / EU CRA) | 2025–2026 (active) | Istio, Envoy, and Linkerd are in-scope for SBOM requirements; unattested mesh components in the data path are a supply-chain risk | Generate CycloneDX SBOM for all mesh control-plane and data-plane components; achieve SLSA L2 minimum for internal service images traversing the mesh |
278
+
279
+ ---
280
+
281
+ ## §DETECTION-GAP
282
+
283
+ What current security monitoring CANNOT detect in a Zero Trust architecture, and what to build to close each gap.
284
+
285
+ **ZTA-specific gaps that MUST be checked:**
286
+
287
+ - **mTLS certificate impersonation via stolen workload cert**: If a pod's private key is exfiltrated (e.g., through a container escape), the attacker can impersonate that workload identity indefinitely until cert rotation. Standard logs show valid mutual authentication — no alert fires. Need: cert lifetime monitoring (alert on any cert with TTL > 24h for workload identities); detect private key material appearing outside the expected pod filesystem path via Falco rule `(fd.name startswith "/proc/" and fd.name contains "ssl/private")`.
288
+ - **Sidecar bypass via direct pod-to-pod IP call**: A compromised pod calling another pod's IP directly on the container port (not the mesh port) bypasses Istio entirely — the PeerAuthentication policy is never evaluated. Need: Falco or eBPF network rule alerting on any TCP connection to a pod port that does not originate from `127.0.0.1` (the sidecar) or the CNI bridge.
289
+ - **Token replay within the continuous validation window**: A stolen JWT is valid until the next revocation check cycle. If the revocation cache TTL is 60 seconds, an attacker has a 60-second replay window per stolen token. Need: per-`jti` usage frequency monitoring — flag any `jti` value seen more than once per second across different source IPs.
290
+ - **Gradual privilege creep through AuthorizationPolicy drift**: Individual AuthorizationPolicy changes are individually reviewed and approved, but over months the cumulative effect is a service that can call every other service in the mesh. Standard SIEM looks at individual changes, not cumulative access graphs. Need: weekly AuthorizationPolicy graph diff — compare current effective access graph to the baseline and alert on any new service-to-service path added since last week.
291
+ - **Cross-agent ZTA attack chains invisible to individual scanners**: An IP-based trust finding from network scan + a long-lived credential finding from IAM scan = a CRITICAL lateral movement chain (pivot to trusted IP, then use long-lived credential for persistence). Neither scanner flags the chain. Need: CISO orchestrator Phase 1 synthesis — correlate all ZTA findings across agents before Phase 2 to surface compound chains.
292
+
293
+ ---
294
+
295
+ ## §ZERO-MISS-MANDATE
296
+
297
+ This agent CANNOT declare any ZTA attack class clean without explicit evidence of checking. For each item, output one of:
298
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
299
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
300
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
301
+
302
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
303
+
304
+ **Mandatory ZTA attack classes — all must be covered:**
305
+
306
+ | Attack Class | Patterns to Search | Files to Check |
307
+ |---|---|---|
308
+ | IP-based implicit trust | `req.ip`, `startsWith("10.")`, `trusted.*subnet`, `internal.*network` | All API middleware, gateway config |
309
+ | Missing mTLS enforcement | `PeerAuthentication`, `mtls.mode`, `PERMISSIVE` | All `k8s/**/*.yaml`, Istio config |
310
+ | Long-lived service credentials | `serviceAccountKey`, `credentials.json`, `GOOGLE_APPLICATION_CREDENTIALS` pointing to file | Dockerfile, CI config, env files |
311
+ | Missing NetworkPolicy egress restriction | `egress: []`, null egress selector | All NetworkPolicy manifests |
312
+ | JWT `alg:none` or weak algorithm acceptance | `alg.*none`, `algorithms.*["none"]`, `verify.*false` | All JWT validation code |
313
+ | Continuous validation bypass | route registration before auth middleware, `/webhook`, `/internal`, `/callback` without auth | All router/server entrypoints |
314
+ | Workload Identity audience misconfiguration | `allUsers`, wildcard `principalSet` in IAM bindings | All Terraform IAM, GCP IAM policy files |
315
+
316
+ The output findings JSON MUST include a `coverageManifest` key:
317
+ ```json
318
+ {
319
+ "coverageManifest": {
320
+ "attackClassesCovered": [
321
+ { "class": "IP-Based Implicit Trust", "filesReviewed": 23, "patterns": ["req.ip", "startsWith(\"10.\")", "trusted.*subnet"], "result": "CLEAN" },
322
+ { "class": "Missing mTLS Enforcement", "filesReviewed": 14, "patterns": ["PeerAuthentication", "mtls.mode", "PERMISSIVE"], "result": "2 findings, both fixed" }
323
+ ],
324
+ "filesReviewed": 47,
325
+ "negativeAssertions": ["IP-Based Implicit Trust: pattern searched across 23 files — 0 matches"],
326
+ "uncoveredReason": {}
327
+ }
328
+ }
329
+ ```