codejury 0.1.0__py3-none-any.whl

codejury/cli.py

@@ -0,0 +1,196 @@
+"""Command-line entry point.
+
+``dry-run`` wires every mock layer together with no API key, proving the
+contracts compose. ``audit`` runs the real pipeline against the capability
+library, backed by the Anthropic provider, under a chosen orchestration strategy
+(single verifier, or finder/challenger/judge debate).
+"""
+
+from __future__ import annotations
+
+import argparse
+import sys
+
+from codejury.agents.mock import MockAgent
+from codejury.assembly import (
+    DEFAULT_MODEL,
+    PROVIDERS,
+    STRATEGIES,
+    build_orchestration,
+    make_provider,
+    run_over_source,
+)
+from codejury.domain.artifact import CodeArtifact
+from codejury.domain.capability import Capability, load_capabilities
+from codejury.domain.context import AnalysisContext
+from codejury.domain.observation import Observation
+from codejury.domain.result import AnalysisResult
+from codejury.evaluation import Metrics, evaluate, load_cases
+from codejury.orchestrators.single import SingleOrchestrator
+from codejury.providers.base import Provider
+from codejury.providers.mock import MockProvider
+from codejury.reporting import to_json, to_markdown
+from codejury.resources import CAPABILITIES_DIR, GOLDEN_DIR, TASKS_DIR
+from codejury.sources.diff import DiffSource
+from codejury.tasks.base import run_task
+from codejury.tasks.registry import load_tasks
+
+_FORMATS = ("text", "markdown", "json")
+
+
+def dry_run() -> AnalysisResult:
+    provider = MockProvider(default="[mock] no real backend was called")
+    agent = MockAgent(provider=provider, role="verifier")
+    orchestrator = SingleOrchestrator()
+    capabilities = [
+        Capability(id="authn", name="Authentication"),
+        Capability(id="crypto", name="Cryptography"),
+    ]
+    ctx = AnalysisContext(
+        artifact=CodeArtifact(kind="diff", path="auth.py", content="+ hashlib.sha256(pwd)"),
+        capabilities=capabilities,
+    )
+    return orchestrator.run({"verifier": agent}, ctx)
+
+
+def audit(
+    diff_text: str,
+    capabilities: list[Capability],
+    *,
+    provider: Provider,
+    model: str,
+    max_tokens: int = 2048,
+    strategy: str = "single",
+) -> list[tuple[str, AnalysisResult]]:
+    """Audit each changed file in `diff_text`, returning (path, result) per file."""
+    agents, orchestrator = build_orchestration(strategy, provider=provider, model=model, max_tokens=max_tokens)
+    return run_over_source(DiffSource(diff_text), capabilities, agents, orchestrator)
+
+
+def _render_dry_run(result: AnalysisResult) -> str:
+    lines = [f"observations: {len(result.observations)}"]
+    for o in result.observations:
+        lines.append(f"  [{o.kind}] {o.capability} by {o.produced_by} -> {getattr(o, 'status', '-')}")
+    if result.error:
+        lines.append(f"error: {result.error}")
+    return "\n".join(lines)
+
+
+def _render_audit(results: list[tuple[str, AnalysisResult]]) -> str:
+    if not results:
+        return "no changed files in diff"
+    lines = []
+    for path, result in results:
+        lines.append(f"== {path} ==")
+        if result.error:
+            lines.append(f"  error: {result.error}")
+        for o in result.observations:
+            lines.append("  " + _render_observation(o))
+    return "\n".join(lines)
+
+
+def _render_observation(o: Observation) -> str:
+    if o.kind == "verdict":
+        matched = o.matched_anti or o.matched_correct
+        suffix = f" [{', '.join(matched)}]" if matched else ""
+        return f"{o.status:<11} {o.capability}{suffix}"
+    if o.kind == "finding":
+        cwe = f" {o.cwe}" if o.cwe else ""
+        return f"{'FINDING':<11} [{o.severity}{cwe}] {o.title}"
+    if o.kind == "concession":
+        return f"{'DISMISSED':<11} {o.target}: {o.reason}"
+    return f"{o.kind}: {o.capability}"
+
+
+def _render_results(fmt: str, results: list[tuple[str, AnalysisResult]]) -> str:
+    return {"text": _render_audit, "markdown": to_markdown, "json": to_json}[fmt](results)
+
+
+def _render_metrics(m: Metrics) -> str:
+    return (
+        f"cases: {m.total}  (tp={m.tp} fp={m.fp} tn={m.tn} fn={m.fn})\n"
+        f"precision: {m.precision:.2f}  recall: {m.recall:.2f}  accuracy: {m.accuracy:.2f}"
+    )
+
+
+def _read_diff(path: str) -> str:
+    if path == "-":
+        return sys.stdin.read()
+    with open(path, encoding="utf-8") as f:
+        return f.read()
+
+
+def main(argv: list[str] | None = None) -> int:
+    parser = argparse.ArgumentParser(prog="codejury")
+    sub = parser.add_subparsers(dest="command")
+
+    sub.add_parser("dry-run", help="run the mock pipeline end to end")
+
+    audit_p = sub.add_parser("audit", help="audit a unified diff against the capability library")
+    audit_p.add_argument("diff", nargs="?", default="-", help="unified diff file, or - for stdin")
+    audit_p.add_argument("--capabilities", default=CAPABILITIES_DIR, help="capability YAML directory")
+    audit_p.add_argument("--orchestrator", choices=STRATEGIES, default="single")
+    audit_p.add_argument("--provider", choices=PROVIDERS, default="anthropic")
+    audit_p.add_argument("--format", choices=_FORMATS, default="text", dest="fmt")
+    audit_p.add_argument("--model", default=DEFAULT_MODEL)
+    audit_p.add_argument("--max-tokens", type=int, default=2048)
+    audit_p.add_argument("--retries", type=int, default=0, help="provider retry attempts on failure")
+
+    run_p = sub.add_parser("run", help="run a named task preset against a unified diff")
+    run_p.add_argument("task", help="task name")
+    run_p.add_argument("diff", nargs="?", default="-", help="unified diff file, or - for stdin")
+    run_p.add_argument("--tasks", default=TASKS_DIR, help="task YAML directory")
+    run_p.add_argument("--capabilities", default=CAPABILITIES_DIR, help="capability YAML directory")
+    run_p.add_argument("--format", choices=_FORMATS, default="text", dest="fmt")
+
+    eval_p = sub.add_parser("eval", help="score golden cases and report precision/recall")
+    eval_p.add_argument("--golden", default=GOLDEN_DIR, help="golden case YAML directory")
+    eval_p.add_argument("--capabilities", default=CAPABILITIES_DIR, help="capability YAML directory")
+    eval_p.add_argument("--provider", choices=PROVIDERS, default="anthropic")
+    eval_p.add_argument("--model", default=DEFAULT_MODEL)
+
+    args = parser.parse_args(argv)
+
+    if args.command == "audit":
+        results = audit(
+            _read_diff(args.diff),
+            load_capabilities(args.capabilities),
+            provider=make_provider(args.provider, retries=args.retries),
+            model=args.model,
+            max_tokens=args.max_tokens,
+            strategy=args.orchestrator,
+        )
+        print(_render_results(args.fmt, results))
+        return 0
+
+    if args.command == "run":
+        tasks = load_tasks(args.tasks)
+        if args.task not in tasks:
+            print(f"unknown task {args.task!r}; available: {', '.join(sorted(tasks)) or '(none)'}")
+            return 1
+        results = run_task(
+            tasks[args.task], DiffSource(_read_diff(args.diff)), load_capabilities(args.capabilities)
+        )
+        print(_render_results(args.fmt, results))
+        return 0
+
+    if args.command == "eval":
+        metrics = evaluate(
+            load_cases(args.golden),
+            load_capabilities(args.capabilities),
+            provider=make_provider(args.provider),
+            model=args.model,
+        )
+        print(_render_metrics(metrics))
+        return 0
+
+    if args.command in (None, "dry-run"):
+        print(_render_dry_run(dry_run()))
+        return 0
+
+    parser.print_help()
+    return 1
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

codejury/data/capabilities/authentication.yaml

@@ -0,0 +1,67 @@
+id: authn
+name: Authentication
+asvs_chapter: V2
+description: Mechanisms that verify a caller's claimed identity.
+
+sub_capabilities:
+  password_storage:
+    correct_patterns:
+      - id: PWD-OK-1
+        description: Hash passwords with bcrypt, scrypt, or Argon2id at an OWASP-recommended cost
+        signals: ["bcrypt.hashpw", "argon2.PasswordHasher", "hashlib.scrypt", "passlib"]
+        why_ok: Slow, salted, memory-hard hashing resists GPU brute force and rainbow tables
+
+    anti_patterns:
+      - id: PWD-BAD-1
+        cwe: CWE-916
+        severity: HIGH
+        description: Hash passwords with a fast general-purpose digest such as MD5, SHA-1, or SHA-256
+        signals: ["hashlib.md5(", "hashlib.sha1(", "hashlib.sha256("]
+        why_bad: Unsalted fast hashes are brute-forced at billions of guesses per second on commodity GPUs
+        example_bad: |
+          hashlib.sha256(password.encode()).hexdigest()
+        example_good: |
+          bcrypt.hashpw(password.encode(), bcrypt.gensalt())
+
+      - id: PWD-BAD-2
+        cwe: CWE-256
+        severity: HIGH
+        description: Store passwords in plaintext or with reversible encryption
+        why_bad: A single database leak exposes every credential directly
+
+      - id: PWD-BAD-3
+        cwe: CWE-759
+        severity: MEDIUM
+        description: Hash without a per-user salt, using a global salt or no salt
+        why_bad: Identical passwords produce identical hashes, so precomputed tables apply across users
+
+  jwt_verification:
+    correct_patterns:
+      - id: JWT-OK-1
+        description: Verify the signature and validate iss, aud, exp, and nbf before trusting any claim
+        signals: ["algorithms=", "audience=", "issuer="]
+        why_ok: Rejects forged, expired, and misrouted tokens before their claims are used
+
+    anti_patterns:
+      - id: JWT-BAD-1
+        cwe: CWE-347
+        severity: HIGH
+        description: Accept the "none" algorithm, or sign with a weak or hardcoded HS256 secret
+        signals: ['algorithms=["none"]', 'algorithms=["HS256"]']
+        why_bad: An attacker can forge tokens that the server accepts as authentic
+
+      - id: JWT-BAD-2
+        cwe: CWE-345
+        severity: HIGH
+        description: Read claims before verifying the signature, or skip verification entirely
+        signals: ['verify_signature": False', "verify=False"]
+        why_bad: Attacker-controlled claims drive trust and authorization decisions
+        example_bad: |
+          claims = jwt.decode(token, options={"verify_signature": False})
+        example_good: |
+          claims = jwt.decode(token, key, algorithms=["RS256"], audience=AUD, issuer=ISS)
+
+trigger_signals:
+  - routes matching /login, /register, /auth, or /token appear
+  - imports of jwt, pyjwt, python-jose, or authlib
+  - a user model with a password or password_hash field

codejury/data/capabilities/authorization.yaml

@@ -0,0 +1,55 @@
+id: authz
+name: Authorization
+asvs_chapter: V4
+description: Deciding whether an authenticated caller is allowed to perform an action on a resource.
+
+sub_capabilities:
+  object_level:
+    correct_patterns:
+      - id: OBJ-OK-1
+        description: Confirm the authenticated user owns or may access the object before acting on it
+        signals: ["filter(owner=request.user", "get_object_or_404(..., user=", "current_user.id =="]
+        why_ok: Ties every object access to the caller's identity, closing direct-object-reference holes
+
+    anti_patterns:
+      - id: IDOR-BAD-1
+        cwe: CWE-639
+        severity: HIGH
+        description: Fetch or mutate a record by a user-supplied id with no ownership or access check
+        signals: ["get(id=request", "objects.get(pk=", "WHERE id ="]
+        why_bad: Any user can read or change another user's data by changing the id (IDOR)
+        example_bad: |
+          account = Account.objects.get(id=request.GET["account_id"])
+        example_good: |
+          account = Account.objects.get(id=request.GET["account_id"], owner=request.user)
+
+      - id: AUTHZ-BAD-1
+        cwe: CWE-862
+        severity: HIGH
+        description: Missing function or endpoint level authorization, so any authenticated user reaches privileged actions
+        why_bad: Authentication is checked but authorization is not; non-admins can hit admin routes
+
+  privilege:
+    correct_patterns:
+      - id: PRIV-OK-1
+        description: Derive roles and permissions server-side from a trusted store, checked per request
+        why_ok: The client cannot grant itself privileges it was not assigned
+
+    anti_patterns:
+      - id: PRIV-BAD-1
+        cwe: CWE-269
+        severity: HIGH
+        description: Derive role or permission from a client-controlled field (request body, query param, client-set claim)
+        signals: ["request.json[\"role\"]", "is_admin = request", "request.POST.get(\"role\""]
+        why_bad: An attacker sets the field and escalates to admin
+
+      - id: PRIV-BAD-2
+        cwe: CWE-602
+        severity: MEDIUM
+        description: Enforce authorization only in the client or UI, not on the server
+        why_bad: The server is the only trust boundary; hidden buttons stop nothing
+
+trigger_signals:
+  - routes with an :id or <pk> path parameter
+  - admin or privileged endpoints
+  - role, permission, or is_admin checks

codejury/data/capabilities/business_logic.yaml

@@ -0,0 +1,58 @@
+id: business_logic
+name: Business Logic
+asvs_chapter: V11
+description: Correctness of stateful workflows against abuse -- ordering, races, replay, and value validation.
+
+sub_capabilities:
+  state_and_sequence:
+    correct_patterns:
+      - id: BL-OK-1
+        description: Enforce the workflow state machine server-side and make sensitive actions idempotent
+        signals: ["idempotency_key", "select_for_update", "with lock"]
+        why_ok: Steps cannot be skipped or applied twice regardless of client behavior
+
+    anti_patterns:
+      - id: SEQ-BAD-1
+        cwe: CWE-841
+        severity: MEDIUM
+        description: Do not enforce step ordering, so a later step can be invoked without the earlier ones
+        why_bad: An attacker reaches checkout or fulfillment without payment or validation
+
+      - id: RACE-BAD-1
+        cwe: CWE-362
+        severity: HIGH
+        description: Check-then-act on shared state without a lock or atomic update
+        signals: ["if balance >=", "balance -=", ".get(...)\n    ...save()"]
+        why_bad: Concurrent requests both pass the check, enabling double spend
+        example_bad: |
+          if account.balance >= amount:
+              account.balance -= amount
+        example_good: |
+          with transaction.atomic():
+              acct = Account.objects.select_for_update().get(pk=id)
+              if acct.balance >= amount: acct.balance -= amount
+
+  limits_and_replay:
+    correct_patterns:
+      - id: LIM-OK-1
+        description: Validate amounts, quantities, and ranges server-side and rate-limit sensitive actions
+        why_ok: Client-supplied values cannot drive the outcome
+
+    anti_patterns:
+      - id: AMT-BAD-1
+        cwe: CWE-840
+        severity: MEDIUM
+        description: Trust a client-supplied price, amount, or quantity without server validation
+        signals: ["request.json[\"price\"]", "total = request", "quantity = request"]
+        why_bad: A user sets a negative or tiny amount and underpays
+
+      - id: REPLAY-BAD-1
+        cwe: CWE-799
+        severity: MEDIUM
+        description: No rate limiting or replay protection on sensitive actions
+        why_bad: Requests can be replayed or brute-forced without restriction
+
+trigger_signals:
+  - multi-step flows such as checkout, transfer, or approval
+  - balance, amount, price, or quantity arithmetic
+  - shared-state updates without locking or transactions

codejury/data/capabilities/crypto.yaml

@@ -0,0 +1,78 @@
+id: crypto
+name: Cryptography
+asvs_chapter: V6
+description: Correct choice and use of cryptographic primitives for confidentiality and integrity.
+
+sub_capabilities:
+  algorithm:
+    correct_patterns:
+      - id: CRYPTO-OK-1
+        description: Use vetted authenticated encryption such as AES-GCM or ChaCha20-Poly1305
+        signals: ["AESGCM", "ChaCha20Poly1305", "AES.MODE_GCM"]
+        why_ok: Modern AEAD provides confidentiality and integrity with no mode pitfalls
+
+    anti_patterns:
+      - id: CRYPTO-BAD-1
+        cwe: CWE-327
+        severity: HIGH
+        description: Use a broken or obsolete cipher or hash for security (DES, 3DES, RC4, MD5, SHA-1)
+        signals: ["DES.new", "ARC4", "Crypto.Cipher.DES", "hashlib.md5", "hashlib.sha1"]
+        why_bad: These are practically attackable and unfit for protecting data
+        example_bad: |
+          cipher = DES.new(key, DES.MODE_ECB)
+        example_good: |
+          cipher = AESGCM(key); ct = cipher.encrypt(nonce, data, None)
+
+      - id: CRYPTO-BAD-2
+        cwe: CWE-327
+        severity: HIGH
+        description: Use ECB mode for a block cipher
+        signals: ["MODE_ECB"]
+        why_bad: ECB leaks plaintext structure because identical blocks encrypt identically
+
+      - id: CRYPTO-BAD-3
+        cwe: CWE-326
+        severity: MEDIUM
+        description: Use an inadequate key size (e.g. RSA shorter than 2048 bits)
+        why_bad: Undersized keys are within reach of feasible attacks
+
+  key_and_nonce:
+    correct_patterns:
+      - id: KEY-OK-1
+        description: Load keys from a KMS or secret store and rotate them; derive a fresh random nonce per message
+        why_ok: Keys are not exposed in code and nonces stay unique
+
+    anti_patterns:
+      - id: KEY-BAD-1
+        cwe: CWE-321
+        severity: HIGH
+        description: Hardcode a cryptographic key in source
+        signals: ["key = b\"", "SECRET_KEY = \"", "AES_KEY ="]
+        why_bad: Anyone with the source can decrypt everything
+
+      - id: IV-BAD-1
+        cwe: CWE-329
+        severity: HIGH
+        description: Use a static or reused IV/nonce
+        signals: ["iv = b\"\\x00", "nonce = b\"", "IV = bytes(16)"]
+        why_bad: Nonce reuse breaks GCM and reveals patterns under CBC
+
+  randomness:
+    correct_patterns:
+      - id: RND-OK-1
+        description: Use a CSPRNG (secrets, os.urandom) for tokens, keys, and salts
+        signals: ["secrets.token_", "os.urandom("]
+        why_ok: Cryptographically strong randomness is unpredictable
+
+    anti_patterns:
+      - id: RND-BAD-1
+        cwe: CWE-338
+        severity: MEDIUM
+        description: Use a non-cryptographic PRNG for security-sensitive values
+        signals: ["random.random(", "random.randint(", "random.choice("]
+        why_bad: Mersenne Twister output is predictable from a few samples
+
+trigger_signals:
+  - imports of hashlib, Crypto, cryptography, or ssl
+  - encrypt, decrypt, sign, or token generation
+  - key, iv, nonce, or salt literals

codejury/data/capabilities/data_protection.yaml

@@ -0,0 +1,57 @@
+id: data_protection
+name: Data Protection
+asvs_chapter: V8
+description: Protecting sensitive data in transit, at rest, and in use, including PII handling.
+
+sub_capabilities:
+  in_transit:
+    correct_patterns:
+      - id: TLS-OK-1
+        description: Send sensitive data only over TLS and verify the peer certificate
+        signals: ["https://", "verify=True", "ssl.create_default_context"]
+        why_ok: Confidentiality and integrity on the wire, with a checked endpoint identity
+
+    anti_patterns:
+      - id: TLS-BAD-1
+        cwe: CWE-319
+        severity: HIGH
+        description: Transmit sensitive data over plaintext HTTP
+        signals: ["http://"]
+        why_bad: Anyone on the path can read or alter the data
+
+      - id: TLS-BAD-2
+        cwe: CWE-295
+        severity: HIGH
+        description: Disable TLS certificate verification
+        signals: ["verify=False", "ssl._create_unverified_context", "CERT_NONE"]
+        why_bad: Removes protection against man-in-the-middle interception
+        example_bad: |
+          requests.get(url, verify=False)
+        example_good: |
+          requests.get(url)  # verification on by default
+
+  at_rest:
+    correct_patterns:
+      - id: REST-OK-1
+        description: Encrypt sensitive fields and backups at rest
+        why_ok: A storage or backup leak does not expose plaintext
+
+    anti_patterns:
+      - id: REST-BAD-1
+        cwe: CWE-311
+        severity: MEDIUM
+        description: Store sensitive data (PII, tokens, financial) unencrypted
+        why_bad: Any database or disk access reveals it directly
+
+  pii:
+    anti_patterns:
+      - id: PII-BAD-1
+        cwe: CWE-359
+        severity: MEDIUM
+        description: Expose PII in URLs, responses, or logs beyond what the operation needs
+        why_bad: PII spreads into caches, history, and logs, widening breach impact
+
+trigger_signals:
+  - outbound requests or URLs carrying user data
+  - models or tables with PII, token, or financial fields
+  - TLS or certificate verification configuration

codejury/data/capabilities/dependency_config.yaml

@@ -0,0 +1,52 @@
+id: dependency_config
+name: Dependencies and Configuration
+asvs_chapter: V14
+description: Software supply chain and deployment configuration -- known-vulnerable components and unsafe defaults.
+
+sub_capabilities:
+  dependencies:
+    correct_patterns:
+      - id: DEP-OK-1
+        description: Pin dependency versions and scan them for known vulnerabilities
+        signals: ["==", "requirements.txt", "poetry.lock", "pip-audit"]
+        why_ok: Builds are reproducible and known-vulnerable versions are caught
+
+    anti_patterns:
+      - id: DEP-BAD-1
+        cwe: CWE-1104
+        severity: MEDIUM
+        description: Depend on unmaintained or known-vulnerable components
+        why_bad: Public CVEs in shipped dependencies are directly exploitable
+
+      - id: DEP-BAD-2
+        cwe: CWE-494
+        severity: MEDIUM
+        description: Download or install code at runtime without an integrity or signature check
+        signals: ["curl | sh", "pip install http", "urlretrieve"]
+        why_bad: A tampered or hijacked source injects code into the build or host
+
+  configuration:
+    correct_patterns:
+      - id: CFG-OK-1
+        description: Ship secure defaults with least privilege and a minimal exposed surface
+        why_ok: Misconfiguration is the default-off state, not something to remember
+
+    anti_patterns:
+      - id: CFG-BAD-1
+        cwe: CWE-732
+        severity: MEDIUM
+        description: Grant overly permissive permissions (world-writable files, public storage buckets)
+        signals: ["chmod 0777", "0o777", "ACL: public-read", "AllUsers"]
+        why_bad: Anyone can read or modify resources that should be restricted
+
+      - id: CFG-BAD-2
+        cwe: CWE-1392
+        severity: HIGH
+        description: Ship default or sample credentials
+        signals: ["admin:admin", "password=admin", "changeme"]
+        why_bad: Default credentials are public knowledge and trivially abused
+
+trigger_signals:
+  - dependency manifests and lock files
+  - install or bootstrap scripts fetching remote code
+  - file permission, bucket ACL, or default credential settings

codejury/data/capabilities/error_logging.yaml

@@ -0,0 +1,49 @@
+id: error_logging
+name: Error Handling and Logging
+asvs_chapter: V7
+description: Failing without leaking information, and recording enough to investigate incidents.
+
+sub_capabilities:
+  information_leakage:
+    correct_patterns:
+      - id: ERR-OK-1
+        description: Return a generic error to the client and log the detail server-side
+        signals: ["except Exception", "return 500", "abort(500)"]
+        why_ok: The caller learns nothing exploitable while operators keep the detail
+
+    anti_patterns:
+      - id: ERR-BAD-1
+        cwe: CWE-209
+        severity: MEDIUM
+        description: Return a stack trace or exception detail to the client
+        signals: ["traceback.format_exc()", "str(e)", "return jsonify(error=str"]
+        why_bad: Internal paths, queries, and versions help an attacker map the system
+        example_bad: |
+          return jsonify(error=traceback.format_exc()), 500
+        example_good: |
+          app.logger.exception("checkout failed"); return jsonify(error="internal error"), 500
+
+      - id: ERR-BAD-2
+        cwe: CWE-489
+        severity: LOW
+        description: Leave a debug feature or verbose mode enabled in production
+        signals: ["DEBUG = True", "app.run(debug=True", "FLASK_DEBUG=1"]
+        why_bad: Debug pages expose internals and sometimes allow code execution
+
+  audit_trail:
+    correct_patterns:
+      - id: AUDIT-OK-1
+        description: Log security-relevant events (auth attempts, access denials, admin actions) with timestamp and actor
+        why_ok: Gives a forensic trail to detect and reconstruct abuse
+
+    anti_patterns:
+      - id: AUDIT-BAD-1
+        cwe: CWE-778
+        severity: MEDIUM
+        description: Do not log security-relevant events
+        why_bad: Without an audit trail, intrusions go unnoticed and uninvestigable
+
+trigger_signals:
+  - exception handlers and error responses
+  - logging configuration and DEBUG flags
+  - authentication, authorization, or admin actions