icdev 0.0.3__py3-none-any.whl

goals/security_scan.md

@@ -0,0 +1,381 @@
+# Goal: Comprehensive Security Scanning
+
+## Description
+
+Run a full security scanning pipeline covering static analysis (SAST), dependency auditing, secret detection, and container scanning. Enforce quality gates that block deployment if critical findings exist. Generate a consolidated security report.
+
+**Why this matters:** A single undetected vulnerability in a government system can be a national security incident. Defense-in-depth means layering multiple scanners — no single tool catches everything. This workflow runs them all and aggregates results.
+
+---
+
+## Prerequisites
+
+- [ ] Project initialized (`goals/init_project.md` completed)
+- [ ] Project has source code to scan
+- [ ] Scanner tools installed or available: bandit, pip-audit/npm-audit, detect-secrets, trivy
+- [ ] Container image built (for container scanning) — optional if no containers
+- [ ] `memory/MEMORY.md` loaded (session context)
+
+---
+
+## Quality Gates
+
+These gates MUST pass for the project to proceed to deployment:
+
+| Gate | Threshold | Blocks Deployment? |
+|------|-----------|-------------------|
+| Critical vulnerabilities | 0 | YES |
+| High vulnerabilities (SAST) | 0 | YES |
+| Detected secrets | 0 | YES |
+| CAT1 STIG findings | 0 | YES |
+| High dependency vulns | 0 | YES |
+| Medium dependency vulns | <= 5 with documented POAM | NO (with POAM) |
+| Low findings | Unlimited | NO |
+
+**No exceptions without Authorizing Official written approval.**
+
+### Security Scanning Pipeline
+
+```mermaid
+flowchart TB
+    START(["Start\nSecurity Scan"])
+    SAST["Step 1: SAST\nbandit / eslint-security\nStatic code analysis"]
+    G1{"Gate 1\n0 Critical\n0 High?"}
+    DEP["Step 2: Dependency Audit\npip-audit / npm audit\nCVE vulnerability check"]
+    G2{"Gate 2\n0 Critical\n0 High?"}
+    SEC["Step 3: Secret Detection\ndetect-secrets\nAPI keys, passwords, tokens"]
+    G3{"Gate 3\n0 Secrets?"}
+    CON["Step 4: Container Scan\ntrivy\nOS + app vulns, misconfig"]
+    G4{"Gate 4\n0 Critical\n0 High?"}
+    REPORT["Step 6: Consolidated\nSecurity Report"]
+    AUDIT["Step 7: Audit Trail\nLog results to DB"]
+    BLOCKED(["BLOCKED\nRemediate findings\nbefore deployment"])
+
+    START --> SAST --> G1
+    G1 -->|PASS| DEP
+    G1 -->|FAIL| BLOCKED
+    DEP --> G2
+    G2 -->|PASS| SEC
+    G2 -->|FAIL| BLOCKED
+    SEC --> G3
+    G3 -->|PASS| CON
+    G3 -->|FAIL| BLOCKED
+    CON --> G4
+    G4 -->|PASS| REPORT
+    G4 -->|FAIL| BLOCKED
+    REPORT --> AUDIT
+    BLOCKED -.->|After fix| START
+
+    style START fill:#1a3a5c,stroke:#4a90d9,color:#e0e0e0
+    style SAST fill:#1a3a5c,stroke:#4a90d9,color:#e0e0e0
+    style DEP fill:#1a3a5c,stroke:#4a90d9,color:#e0e0e0
+    style SEC fill:#1a3a5c,stroke:#4a90d9,color:#e0e0e0
+    style CON fill:#1a3a5c,stroke:#4a90d9,color:#e0e0e0
+    style G1 fill:#3a3a1a,stroke:#ffc107,color:#e0e0e0
+    style G2 fill:#3a3a1a,stroke:#ffc107,color:#e0e0e0
+    style G3 fill:#3a3a1a,stroke:#ffc107,color:#e0e0e0
+    style G4 fill:#3a3a1a,stroke:#ffc107,color:#e0e0e0
+    style REPORT fill:#1a3a2d,stroke:#28a745,color:#e0e0e0
+    style AUDIT fill:#1a3a2d,stroke:#28a745,color:#e0e0e0
+    style BLOCKED fill:#3a1a1a,stroke:#dc3545,color:#e0e0e0
+```
+
+---
+
+## Process
+
+### Step 1: Run Static Application Security Testing (SAST)
+
+**Tool:** `python tools/security/sast_runner.py --project <name> --report --gate`
+
+**Expected output:**
+```
+SAST scan complete: projects/<name>/security/scan-results/sast_report.json
+
+Scanner: bandit (Python) / eslint-security (JavaScript)
+Files scanned: <count>
+Time elapsed: <seconds>s
+
+Findings:
+  - CRITICAL: <count>
+  - HIGH: <count>
+  - MEDIUM: <count>
+  - LOW: <count>
+  Total: <count>
+
+Top findings:
+  1. [HIGH] B608: SQL injection via string formatting (src/db.py:42)
+  2. [MEDIUM] B105: Hardcoded password string (src/config.py:15)
+  3. [LOW] B101: Use of assert in production code (src/utils.py:88)
+
+Gate status: <PASS | FAIL — <count> critical/high findings>
+```
+
+**Error handling:**
+- Scanner not installed → provide installation command, fail gracefully
+- No source files found → warn, skip SAST (may be infra-only project)
+- Scanner timeout → increase timeout, retry once
+- False positives → document with `# nosec` comment + justification in POAM
+
+**Verify:** Report file exists and is valid JSON. Gate correctly evaluates critical/high counts.
+
+---
+
+### Step 2: Run Dependency Audit
+
+**Tool:** `python tools/security/dependency_auditor.py --project <name> --report --gate`
+
+**Expected output:**
+```
+Dependency audit complete: projects/<name>/security/scan-results/dependency_report.json
+
+Scanner: pip-audit (Python) / npm audit (JavaScript)
+Dependencies scanned: <count> (direct: <count>, transitive: <count>)
+
+Vulnerabilities found:
+  - CRITICAL: <count>
+  - HIGH: <count>
+  - MEDIUM: <count>
+  - LOW: <count>
+  Total: <count>
+
+Details:
+  1. [CRITICAL] CVE-2024-XXXXX: requests 2.28.0 — SSRF vulnerability
+     Fix: upgrade to requests >= 2.31.0
+  2. [HIGH] CVE-2024-YYYYY: cryptography 38.0.0 — key extraction
+     Fix: upgrade to cryptography >= 41.0.0
+
+Gate status: <PASS | FAIL — <count> critical/high vulnerabilities>
+```
+
+**Error handling:**
+- No requirements.txt/package.json → cannot audit, fail with instructions
+- pip-audit not installed → `pip install pip-audit`
+- Network error (needed for CVE database) → use cached DB if available, warn about staleness
+- Vulnerability has no fix available → document in POAM with "vendor dependency" status
+
+**Verify:** All direct dependencies scanned. CVE IDs link to valid entries.
+
+---
+
+### Step 3: Run Secret Detection
+
+**Tool:** `python tools/security/secret_detector.py --project <name> --report --gate`
+
+**Expected output:**
+```
+Secret detection complete: projects/<name>/security/scan-results/secrets_report.json
+
+Scanner: detect-secrets
+Files scanned: <count>
+Excluded: <count> (binary, generated)
+
+Secrets detected:
+  - API keys: <count>
+  - Passwords: <count>
+  - Private keys: <count>
+  - Tokens: <count>
+  - Connection strings: <count>
+  Total: <count>
+
+Details:
+  1. [SECRET] AWS Access Key ID found in src/config.py:23
+  2. [SECRET] Database password in .env.example:5
+  3. [SECRET] JWT secret in tests/conftest.py:12
+
+Gate status: <PASS | FAIL — <count> secrets detected>
+```
+
+**CRITICAL: Gate threshold is ZERO. Any detected secret is a gate failure.**
+
+**Immediate actions if secrets found:**
+1. Rotate the compromised credential IMMEDIATELY
+2. Remove from source code
+3. Add to `.gitignore` / `.secrets.baseline`
+4. Verify git history does not contain the secret (use `git filter-branch` or BFG Repo Cleaner)
+5. Document the incident in the audit trail
+
+**Error handling:**
+- detect-secrets not installed → `pip install detect-secrets`
+- Baseline file missing → generate with `detect-secrets scan > .secrets.baseline`
+- False positive → add to `.secrets.baseline` with justification comment
+- Secret in git history → this is a separate remediation task, flag it
+
+**Verify:** Zero secrets in current codebase. Baseline file documents any allowed patterns.
+
+---
+
+### Step 4: Run Container Scanning
+
+**Tool:** `python tools/security/container_scanner.py --project <name> --image "<image:tag>"`
+
+**Expected output:**
+```
+Container scan complete: projects/<name>/security/scan-results/container_report.json
+
+Scanner: trivy
+Image: <image:tag>
+OS: <detected OS>
+Packages: <count>
+
+Vulnerabilities:
+  - CRITICAL: <count>
+  - HIGH: <count>
+  - MEDIUM: <count>
+  - LOW: <count>
+  - UNKNOWN: <count>
+  Total: <count>
+
+Misconfigurations:
+  - Running as root: <yes/no>
+  - Secrets in image: <count>
+  - Writable filesystem: <yes/no>
+
+Gate status: <PASS | FAIL — <reason>>
+```
+
+**Skip conditions:**
+- No Dockerfile in project → skip container scanning, log as "N/A"
+- Image not built yet → attempt `docker build`, or skip with warning
+
+**Error handling:**
+- Docker not running → warn, skip container scan
+- trivy not installed → provide installation instructions
+- Image too large (> 2GB) → warn about scan time, proceed
+- Network needed for vuln DB → use cached DB if available
+
+**Verify:** Scan covers both OS packages and application dependencies. No root user in production images.
+
+---
+
+### Step 5: Check Quality Gates (Aggregate)
+
+**Action:** Evaluate ALL scan results against the quality gates defined above.
+
+```
+=== SECURITY GATE CHECK ===
+
+Gate 1: Critical vulnerabilities = 0     [PASS/FAIL]
+Gate 2: High SAST findings = 0           [PASS/FAIL]
+Gate 3: Detected secrets = 0             [PASS/FAIL]
+Gate 4: High dependency vulns = 0        [PASS/FAIL]
+Gate 5: Container critical/high = 0      [PASS/FAIL] (or N/A)
+
+Overall: <ALL GATES PASS | BLOCKED — gates X, Y failed>
+```
+
+**If ANY gate fails:**
+1. Do NOT proceed to deployment
+2. Document all failures
+3. Create POAM entries for each finding
+4. Notify the user with specific remediation steps
+5. Re-run scans after fixes to verify
+
+**If ALL gates pass:**
+1. Generate consolidated report (Step 6)
+2. Mark security scan as "complete" in project status
+3. Proceed to compliance workflow or deployment
+
+---
+
+### Step 6: Generate Consolidated Security Report
+
+**Action:** Combine all scan results into a single report.
+
+**Output format:**
+```
+=== CONSOLIDATED SECURITY REPORT ===
+Project: <name>
+Date: <YYYY-MM-DD>
+Classification: CUI
+
+SCAN SUMMARY:
+  SAST: <count> findings (<count> critical, <count> high)
+  Dependencies: <count> vulnerabilities
+  Secrets: <count> detected
+  Container: <count> vulnerabilities
+
+GATE STATUS: <PASS | FAIL>
+
+FINDINGS BY SEVERITY:
+  Critical: <total across all scanners>
+  High: <total>
+  Medium: <total>
+  Low: <total>
+
+TOP RISKS:
+  1. <Most critical finding with remediation>
+  2. <Second most critical>
+  3. <Third most critical>
+
+RECOMMENDATIONS:
+  - <Actionable recommendation 1>
+  - <Actionable recommendation 2>
+
+NEXT STEPS:
+  - [ ] Remediate critical/high findings
+  - [ ] Re-run scans after remediation
+  - [ ] Update POAM with findings
+  - [ ] Schedule next scan: <date + 30 days>
+```
+
+---
+
+### Step 7: Log to Audit Trail
+
+**Tool:** `python tools/audit/audit_logger.py --event "security_scan_complete" --actor "orchestrator" --action "scan" --project <name>`
+
+**Tool:** `python tools/memory/memory_write.py --content "Security scan complete for <name>. Gate: <PASS|FAIL>. Critical: <count>, High: <count>, Secrets: <count>" --type event --importance 8`
+
+---
+
+## Success Criteria
+
+- [ ] SAST scan completed with results documented
+- [ ] Dependency audit completed with all CVEs identified
+- [ ] Secret detection completed with 0 secrets in codebase
+- [ ] Container scan completed (or marked N/A if no containers)
+- [ ] All quality gates evaluated
+- [ ] Gate failures documented with remediation plans
+- [ ] Consolidated report generated
+- [ ] Audit trail entry logged
+
+---
+
+## Edge Cases & Notes
+
+1. **Scanner disagreements:** Different scanners may classify the same finding at different severities. Use the HIGHEST severity when aggregating.
+2. **False positive management:** Maintain a `.security-exceptions.yaml` file documenting accepted false positives with justification and reviewer approval.
+3. **Air-gapped environments:** Some scanners need network access for CVE databases. Pre-download and cache vulnerability databases for offline use.
+4. **Scan frequency:** Run on every commit (CI/CD), full scan weekly, and before any deployment.
+5. **Zero-day response:** If a new CVE affects a dependency, trigger an emergency scan even outside the normal schedule.
+6. **License scanning:** SBOM generation (compliance workflow) also checks licenses. GPL in proprietary code is a legal risk, not a security risk — route to legal review.
+7. **Scan performance:** Full scans can be slow. For CI/CD, consider incremental scanning (only changed files) for SAST, full scan for dependencies.
+
+---
+
+## GOTCHA Layer Mapping
+
+| Step | GOTCHA Layer | Component |
+|------|-------------|-----------|
+| Run SAST | Tools | sast_runner.py |
+| Dependency audit | Tools | dependency_auditor.py |
+| Secret detection | Tools | secret_detector.py |
+| Container scan | Tools | container_scanner.py |
+| Gate evaluation | Orchestration | AI (you) |
+| Scanner config | Args | scanner settings |
+| CVE references | Context | vulnerability databases |
+
+---
+
+## Related Files
+
+- **Tools:** `tools/security/sast_runner.py`, `tools/security/dependency_auditor.py`, `tools/security/secret_detector.py`, `tools/security/container_scanner.py`
+- **Feeds into:** `goals/compliance_workflow.md` (POAM generation), `goals/deploy_workflow.md` (gate check)
+- **Database:** `data/icdev.db` (security_findings table)
+
+---
+
+## Changelog
+
+- 2026-02-14: Initial creation

goals/self_healing.md

@@ -0,0 +1,120 @@
+# Goal: Self-Healing System
+
+## Purpose
+Detect production issues automatically, match against known patterns, and remediate with appropriate confidence thresholds. Implements a feedback loop where successful fixes increase pattern confidence over time, creating an ever-improving knowledge base.
+
+## Trigger
+- Monitoring detects anomaly or error pattern
+- `/icdev-monitor --self-heal` skill invoked
+- CI/CD pipeline failure
+- Alert threshold exceeded
+
+## Inputs
+- Error logs, metrics, or alert data
+- Knowledge base patterns (`data/icdev.db` → `knowledge_patterns` table)
+- Self-healing configuration (`args/monitoring_config.yaml`)
+- Rate limit state (`self_healing_events` table)
+
+## Process
+
+### Step 1: Detect Issue
+**Tools:** `tools/monitor/log_analyzer.py`, `tools/monitor/metric_collector.py`, `tools/monitor/alert_correlator.py`
+- Parse logs for error patterns
+- Check metrics against thresholds
+- Correlate related alerts into single root cause
+
+### Step 2: Match Against Knowledge Base
+**Tool:** `tools/knowledge/pattern_detector.py`
+- Search knowledge_patterns table for matching patterns
+- Use statistical matching: BM25 keyword + frequency analysis + time correlation
+- Return matched patterns with confidence scores
+
+### Step 3: Analyze Root Cause
+**Tool:** `tools/knowledge/self_heal_analyzer.py`
+- If pattern match found: use pattern's known root cause
+- If no match: use Bedrock LLM for root cause analysis (when available)
+- Determine severity and impact scope
+
+### Step 4: Decision Engine
+Apply confidence thresholds:
+
+| Confidence | Auto-Healable | Action |
+|------------|---------------|--------|
+| >= 0.7 | Yes | Auto-remediate immediately |
+| >= 0.7 | No | Suggest fix, require approval |
+| 0.3 - 0.7 | Any | Suggest fix, require approval |
+| < 0.3 | Any | Escalate with full context |
+
+### Step 5: Rate Limiting
+Before executing any self-heal action:
+- Check `self_healing_events` table for recent actions
+- **Max 5 self-heal actions per hour** (configurable)
+- **10-minute cooldown** between identical actions on same target
+- If rate limited: queue action for later execution
+
+### Step 6: Execute Remediation (if approved)
+**Tool:** `tools/knowledge/self_heal_analyzer.py` → `trigger_self_heal()`
+- Apply the pattern's documented solution
+- Common actions:
+  - Restart service
+  - Scale up replicas
+  - Clear cache
+  - Rollback deployment
+  - Apply configuration fix
+  - Update dependency
+
+### Step 7: Verify Fix
+- Re-run health checks after remediation
+- Confirm error pattern is no longer active
+- Measure resolution time
+
+### Step 8: Feedback Loop
+- **Success:** Increment pattern `use_count`, increase `confidence` by 0.05 (max 1.0)
+- **Failure:** Decrease `confidence` by 0.1, log failure reason
+- Record event in `self_healing_events` with status
+
+### Step 9: Audit Trail
+**Tool:** `tools/audit/audit_logger.py`
+- Record: event_type=self_heal.{auto|suggested|escalated}
+- Include: pattern_id, confidence, action_taken, result
+- **NIST Controls:** IR-4 (Incident Handling), IR-5 (Incident Monitoring), SI-5 (Security Alerts)
+
+## Outputs
+- Detection report (what was found)
+- Pattern match results (known/unknown)
+- Action taken or suggested
+- Verification results
+- Audit trail entry
+
+## Configuration (monitoring_config.yaml)
+```yaml
+self_healing:
+  enabled: true
+  auto_heal_confidence_threshold: 0.7
+  suggest_fix_threshold: 0.3
+  max_actions_per_hour: 5
+  cooldown_minutes: 10
+  require_approval_for:
+    - deployment.rollback
+    - infrastructure.scale
+    - database.failover
+```
+
+## Pattern Learning
+The knowledge base grows through:
+1. **Manual addition:** Developer adds pattern via `/icdev-knowledge add`
+2. **Failure analysis:** When failures are analyzed, new patterns are suggested
+3. **Successful fixes:** Confirmed fixes become high-confidence patterns
+4. **Cross-project learning:** Patterns from one project benefit all projects
+
+## Edge Cases
+- Cascading failures: detect and prevent remediation loops (max 3 retries per pattern per incident)
+- Multiple simultaneous issues: prioritize by severity, handle sequentially
+- Unknown patterns: always escalate, never auto-fix
+- Infrastructure-level issues: require explicit approval regardless of confidence
+- Rate limit exceeded: queue with priority, notify operations team
+
+## Related Goals
+- `monitoring.md` — Log analysis and metric collection
+- `deploy_workflow.md` — Deployment and rollback
+- `security_scan.md` — Security pattern detection

goals/simulation_engine.md

@@ -0,0 +1,111 @@
+# Goal: Digital Program Twin Simulation (RICOAS Phase 3)
+
+## Purpose
+Run 6-dimension what-if simulations to predict impact of requirements on architecture, compliance, supply chain, schedule, cost, and risk. Generate and compare COAs. Use Monte Carlo for probabilistic schedule/cost estimation.
+
+## When to Use
+- Before committing to a set of requirements, simulate their impact
+- Compare multiple COAs side-by-side across all dimensions
+- Need Monte Carlo estimation for schedule or cost confidence levels
+- Scenario planning — "what if we add/remove these requirements?"
+- RED-tier requirements need alternative COA generation
+
+## Workflow
+
+### What-If Simulation
+1. Create scenario: `create_scenario` with modifications (add/remove requirements, change architecture)
+2. Run simulation: `run_simulation` — computes baseline vs simulated across 6 dimensions
+3. Review results: architecture impact, compliance delta, supply chain changes, schedule estimate, cost projection, risk score
+4. Fork scenario for variations: `manage_scenarios` action=fork
+
+### Monte Carlo Estimation
+1. Run Monte Carlo: `run_monte_carlo` with dimension (schedule/cost/risk) and iterations
+2. Review percentiles: P10 (optimistic), P50 (likely), P80 (management reserve), P90 (conservative)
+3. Use histogram and CDF data for inline visualization
+
+### COA Generation & Selection
+1. Generate 3 COAs: `generate_coas` — Speed, Balanced, Comprehensive
+2. Optionally simulate each COA: `generate_coas` with simulate=true
+3. Compare COAs: `compare_coas` — side-by-side across all dimensions
+4. For RED items: `generate_alternative_coa` — within-boundary alternatives
+5. Present to customer: formatted comparison with recommendation (Balanced by default)
+6. Customer selects: `select_coa` — records selection with rationale
+
+### Simulation Pipeline Flowchart
+
+```mermaid
+flowchart TD
+    A["Create Scenario"] --> B["Run Simulation"]
+
+    subgraph SIM["6 Simulation Dimensions"]
+        direction TB
+        S1["Architecture Impact"]
+        S2["Compliance Delta"]
+        S3["Supply Chain Changes"]
+        S4["Schedule Estimate"]
+        S5["Cost Projection"]
+        S6["Risk Score"]
+    end
+
+    B --> SIM
+    SIM --> C["Monte Carlo Estimation"]
+    C --> D["P50 / P80 / P90 Estimates"]
+    D --> E["Generate 3 COAs"]
+
+    subgraph COA["COA Options"]
+        direction LR
+        C1["Speed COA\nMVP, 1-2 PIs\nHigher Risk"]
+        C2["Balanced COA\n P1+P2, 2-3 PIs\nModerate Risk"]
+        C3["Comprehensive COA\nFull Scope, 3-5 PIs\nLowest Risk"]
+    end
+
+    E --> COA
+    COA --> F["Compare COAs"]
+    F --> G["Customer Selects COA"]
+    G --> H["Record Selection + Rationale"]
+
+    style A fill:#1a3a5c,stroke:#4a90d9,color:#e0e0e0
+    style B fill:#1a3a5c,stroke:#4a90d9,color:#e0e0e0
+    style SIM fill:#1a3a5c,stroke:#4a90d9,color:#e0e0e0
+    style S1 fill:#1a3a5c,stroke:#4a90d9,color:#e0e0e0
+    style S2 fill:#1a3a5c,stroke:#4a90d9,color:#e0e0e0
+    style S3 fill:#1a3a5c,stroke:#4a90d9,color:#e0e0e0
+    style S4 fill:#1a3a5c,stroke:#4a90d9,color:#e0e0e0
+    style S5 fill:#1a3a5c,stroke:#4a90d9,color:#e0e0e0
+    style S6 fill:#1a3a5c,stroke:#4a90d9,color:#e0e0e0
+    style C fill:#3a3a1a,stroke:#ffc107,color:#e0e0e0
+    style D fill:#1a3a2d,stroke:#28a745,color:#e0e0e0
+    style E fill:#1a3a5c,stroke:#4a90d9,color:#e0e0e0
+    style COA fill:#1a3a5c,stroke:#4a90d9,color:#e0e0e0
+    style C1 fill:#3a1a1a,stroke:#dc3545,color:#e0e0e0
+    style C2 fill:#3a2a1a,stroke:#e8590c,color:#e0e0e0
+    style C3 fill:#1a3a2d,stroke:#28a745,color:#e0e0e0
+    style F fill:#3a3a1a,stroke:#ffc107,color:#e0e0e0
+    style G fill:#1a3a5c,stroke:#4a90d9,color:#e0e0e0
+    style H fill:#1a3a2d,stroke:#28a745,color:#e0e0e0
+```
+
+### 6 Simulation Dimensions
+| Dimension | Metrics | Data Sources |
+|-----------|---------|-------------|
+| Architecture | Component count, coupling, API surface, data flow complexity | SysML elements, digital thread |
+| Compliance | Control coverage delta, POAM projection, boundary tier | project_controls, crosswalk, SSP |
+| Supply Chain | New dependencies, vendor risk, SBOM delta, ISA changes | dependency graph, vendors, ISAs |
+| Schedule | PERT estimates, Monte Carlo confidence, critical path | SAFe decomposition, risk events |
+| Cost | T-shirt roll-up, vendor licensing, infra delta | ricoas_config cost models |
+| Risk | Compound risk score, risk interaction, mitigation effectiveness | risk register, Monte Carlo |
+
+## Tools Used
+| Tool | Purpose |
+|------|---------|
+| tools/simulation/simulation_engine.py | 6-dimension simulation core |
+| tools/simulation/monte_carlo.py | PERT/Monte Carlo estimation |
+| tools/simulation/coa_generator.py | 3 COAs + RED alternatives |
+| tools/simulation/scenario_manager.py | Fork, compare, export scenarios |
+| tools/mcp/simulation_server.py | MCP server (8 tools) |
+
+## Edge Cases
+- Zero requirements in session → return empty simulation with warning
+- Monte Carlo with < 100 iterations → warn about low confidence
+- All requirements GREEN → skip boundary dimension
+- COA selection without simulation → warn, allow anyway