feat(v1.14): SDK architecture, agent compression, script standardization#43
Open
Adds config/settings/codex.hooks.json as a hooks-only template for Codex, mirroring claude.settings.json with 5 hooks (safety-guard, spl-lint, schema-validate, agent-logger, artifact-check). Excludes scope-aws-output-inject.sh — Gemini-only hook using hookSpecificOutput response format not available on Codex. All paths use __HOOKS_DIR__ placeholder for install.js rewrite.
…aths
- Remove early-return guard that skipped hook installation for Codex
- Add codex entry to settingsMap pointing to config/settings/codex.hooks.json and outputting to .codex/hooks.json
- Fix hardcoded 'settings.json' filename: destFile now derived from entry.dest, destDir from path.dirname(destFile) — preserves existing Claude/Gemini output
…tform-neutral
- Delete Codex no-hooks statement and CODEX SAFETY NOTE blockquote
- Delete Codex schema self-check instruction from Schema Enforcement section
- Rewrite Hooks line to be platform-neutral, add .codex/hooks/ and .codex/hooks.json paths
- Rewrite Output Quality Rules intro to remove Codex qualifier
Adds ## Shared Runtime Contract at position 4 (after Input, before Extraction Templates) with mkdir -p, STATUS, ERRORS=(), REGIONS_COMPLETED, REGIONS_WITH_FINDINGS, and TOTAL_FINDINGS initialization as required by ENUM-AGENT-SPEC. STS is global so no rm -f temp-file line is added.
…-02)
- ## Enumeration Workflow -> ## Execution Workflow
- ## Enumeration Checklist -> ## Service Enumeration Checklist
- ## Post-Write Validation (MANDATORY) -> ## Post-Write Validation
Header-only renames; no section content altered.
Add ## Shared Runtime Contract at position 4 (after Input, before Extraction Templates) per ENUM-AGENT-SPEC canonical section order. Initializes STATUS, ERRORS, REGIONS_COMPLETED, REGIONS_WITH_FINDINGS, and TOTAL_FINDINGS. IAM is global so rm -f stale temp files line is intentionally omitted.
- ## Enumeration Workflow -> ## Execution Workflow
- ## Enumeration Checklist -> ## Service Enumeration Checklist
- ## Post-Write Validation (MANDATORY) -> ## Post-Write Validation
…rder (47-02-03)
Moves ## Service Enumeration Checklist from position 11 (after Module Constraints) to position 6 (between Extraction Templates and Execution Workflow) to match the canonical ENUM-AGENT-SPEC section order. All section content preserved verbatim.
Replaces hardcoded --arg status "complete" with --arg status "\$STATUS" in the Output Contract jq envelope. Hardcoding status violates the ENUM-AGENT-SPEC which requires the runtime variable to be used.
…-03)
Move ## Service Enumeration Checklist from after ## Module Constraints to between ## Extraction Templates and ## Execution Workflow, matching the canonical section order defined in ENUM-AGENT-SPEC.md.
…2-05)
Replaces echo-only validation failure with ERRORS+=("[VALIDATION]...")
as required by ENUM-AGENT-SPEC Post-Write Validation Contract. Also
removes trailing prose that manually described what the bash block
should do (now the code does it directly).
…1-04)
Replace prose + incomplete validation block with spec-compliant bash block that appends to ERRORS array on validation failure, matching the Post-Write Validation Contract in ENUM-AGENT-SPEC.md.
Adds ## Shared Runtime Contract at position 4 per ENUM-AGENT-SPEC, initializing STATUS, ERRORS, REGIONS_COMPLETED, REGIONS_WITH_FINDINGS, TOTAL_FINDINGS, and lambda temp-file cleanup. Removes redundant inline ERRORS=() from Regional Iteration template.
Replaces prose-only ENABLED_REGIONS fallback with a spec-compliant bash code block that sets STATUS="partial" and appends to ERRORS array on missing input, per ENUM-AGENT-SPEC Standard Input Contract.
Renames: Enumeration Workflow -> Execution Workflow, Enumeration Checklist -> Service Enumeration Checklist, Post-Write Validation (MANDATORY) -> Post-Write Validation.
- Add ## Shared Runtime Contract section (position 4) with mkdir, STATUS, ERRORS, REGIONS_COMPLETED, REGIONS_WITH_FINDINGS, TOTAL_FINDINGS, and rm -f temp file cleanup
- Add ENABLED_REGIONS fallback bash block to ## Input (replace prose with actual code block including STATUS="partial")
- Rename sections: Enumeration Workflow → Execution Workflow, Enumeration Checklist → Service Enumeration Checklist, Post-Write Validation (MANDATORY) → Post-Write Validation
- Reorder sections to canonical 12-section spec order: Input, Shared Runtime Contract, Extraction Templates, Service Enumeration Checklist, Execution Workflow, Output Contract, Post-Write Validation, Error Handling, Module Constraints, Output Path Constraint
- Fix Output Contract envelope: --arg status "complete" → --arg status "$STATUS"
- Post-Write Validation already had ERRORS+= block (preserved)
- Add REGIONS_SCANNED to Orchestrator Return Contract
- All 8 migration checklist items verified
- Add Shared Runtime Contract section at position 4 with STATUS/ERRORS/
REGIONS_COMPLETED/REGIONS_WITH_FINDINGS/TOTAL_FINDINGS init and
rm -f "$RUN_DIR/raw/sqs_"* temp file cleanup
- Replace prose ENABLED_REGIONS fallback with canonical bash block
(STATUS="partial" on missing input)
- Rename Input header, Enumeration Workflow → Execution Workflow,
Enumeration Checklist → Service Enumeration Checklist,
Post-Write Validation (MANDATORY) → Post-Write Validation
- Reorder sections to match canonical 12-section spec order
- Fix Output Contract envelope: --arg status "$STATUS" (not hardcoded "complete")
- Fix Post-Write Validation: ERRORS+=("[VALIDATION]...") bash block
- Verify REGIONS_SCANNED and REGIONS_WITH_FINDINGS in return contract
Plan 47-10
- Add ## Shared Runtime Contract section at position 4 with rm -f temp cleanup line
- Replace prose ENABLED_REGIONS handling with bash fallback block (STATUS="partial")
- Rename ## Enumeration Workflow → ## Execution Workflow
- Rename ## Enumeration Checklist → ## Service Enumeration Checklist
- Rename ## Post-Write Validation (MANDATORY) → ## Post-Write Validation
- Reorder sections to canonical 12-section spec order
- Fix --arg status "complete" → --arg status "$STATUS" in envelope
- Fix Post-Write Validation to use ERRORS+=("[VALIDATION]...") bash block
- Verify REGIONS_SCANNED and REGIONS_WITH_FINDINGS present in Output Contract
- Add ## Shared Runtime Contract at position 4 with rm -f sns_ temp cleanup
- Add ENABLED_REGIONS fallback bash block to ## Input; rename header
- Rename ## Enumeration Workflow → ## Execution Workflow
- Rename ## Enumeration Checklist → ## Service Enumeration Checklist
- Rename ## Post-Write Validation (MANDATORY) → ## Post-Write Validation
- Reorder sections to canonical 12-section spec order
- Fix --arg status "complete" → --arg status "$STATUS" in envelope
- Replace prose-only Post-Write Validation with ERRORS+=([VALIDATION]) bash block
- Verify REGIONS_SCANNED and REGIONS_WITH_FINDINGS present in Orchestrator Return Contract
- Fold non-standard ## Regional Sweep section into ## Execution Workflow
- Add ## Shared Runtime Contract at position 4 with rm -f codebuild_* cleanup
- Replace prose ENABLED_REGIONS fallback with canonical bash block (STATUS="partial")
- Rename: Enumeration Workflow → Execution Workflow, Enumeration Checklist → Service Enumeration Checklist, Post-Write Validation (MANDATORY) → Post-Write Validation
- Rename ## Input header (remove parenthetical)
- Reorder sections to canonical 12-section spec order
- Fix Output Contract envelope: --arg status "$STATUS" (was hardcoded "complete")
- Add ERRORS+=("[VALIDATION]...") bash block to Post-Write Validation
- Fold temp error file reads into ERRORS array after regional loop
- Reconstruct REGIONS_COMPLETED and REGIONS_WITH_FINDINGS after loop
- Verify REGIONS_SCANNED and REGIONS_WITH_FINDINGS present in Orchestrator Return Contract
…n 47-08)
- Add Shared Runtime Contract section (position 4) with mkdir, STATUS/ERRORS/REGIONS init, and rm -f rds_* cleanup
- Replace prose ENABLED_REGIONS fallback with canonical bash code block (STATUS="partial")
- Rename Input header, Enumeration Workflow → Execution Workflow, Enumeration Checklist → Service Enumeration Checklist, Post-Write Validation (MANDATORY) → Post-Write Validation
- Reorder sections to match canonical 12-section spec order
- Fix output envelope --arg status "complete" → --arg status "$STATUS"
- Fix Post-Write Validation to use ERRORS+=("[VALIDATION]...") bash block
- Confirm REGIONS_SCANNED and REGIONS_WITH_FINDINGS present in Orchestrator Return Contract
- Add ## Shared Runtime Contract at position 4 with apigateway_ temp file cleanup
- Replace prose ENABLED_REGIONS description with bash fallback block (STATUS=partial)
- Rename ## Input header, ## Enumeration Workflow, ## Enumeration Checklist, ## Post-Write Validation (MANDATORY)
- Reorder sections to canonical 12-section spec order
- Fix output envelope --arg status "complete" → --arg status "$STATUS"
- Fix Post-Write Validation to use ERRORS+=("[VALIDATION]...") bash block
- Remove redundant ERRORS=() from Extraction Templates (now in Shared Runtime Contract)
- All 8 migration checklist items verified
- Add ## Shared Runtime Contract section (position 4) with mkdir -p,
STATUS/ERRORS/REGIONS_COMPLETED/REGIONS_WITH_FINDINGS/TOTAL_FINDINGS
initialization, and rm -f "$RUN_DIR/raw/ec2_"* temp file cleanup
- Replace prose ENABLED_REGIONS fallback with bash code block using
STATUS="partial" per spec Standard Input Contract
- Rename ## Enumeration Workflow → ## Execution Workflow
- Rename ## Enumeration Checklist → ## Service Enumeration Checklist
- Rename ## Post-Write Validation (MANDATORY) → ## Post-Write Validation
- Reorder sections to canonical 12-section spec order
- Fix Output Contract envelope: --arg status "$STATUS" (was hardcoded "complete")
- Fix Post-Write Validation: replace prose with ERRORS+=("[VALIDATION]...")
bash block per spec Post-Write Validation Contract
- REGIONS_SCANNED and REGIONS_WITH_FINDINGS confirmed present in Output Contract
Plan: 47-07
…rder
Moves ## Service Enumeration Checklist to position 6 (before Execution Workflow), aligning the section order with ENUM-AGENT-SPEC. All section content preserved verbatim.
Gap 1 from verification: output format templates at lines 166 and 188 still had hardcoded cloudtrail instead of <aws_api_index> placeholder.
…e-defend-splunk.md
…*word patterns only
- install.js: add scope-defend to INSTALLABLE_AGENTS (dual skill + agent install)
- install.js: remove INLINE_ONLY exclusion — scope-pipeline and scope-verify now installed for discoverability
- install.js: add CODEX_NO_REGISTER guard — pipeline/verify get .md files but not config.toml registrations
- install.js: add pruneStaleTomlFiles() — auto-prune stale scope-enum-*.toml from .codex/agents/
- install.js: expand GEMINI_AGENT_CONFIG to all 14 subagents with Gemini tool arrays
- install.js: add installProjectDocs() — copies platform-specific project docs to repo root
- Move CLAUDE.md to config/project-docs/CLAUDE.md (source, committed)
- Create config/project-docs/GEMINI.md with Gemini-adapted project instructions
- Create config/project-docs/AGENTS.md with Codex-adapted project instructions
- Root CLAUDE.md, GEMINI.md, AGENTS.md are now generated copies (gitignored)
- gemini.settings.json context.fileName set to GEMINI.md
- Each platform doc uses platform-specific hook events, directories, and model names
- .gitignore updated for root project doc copies
…script standardization, hook fixes, doc updates
…hitecture
# Conflicts:
#   AGENTS.md
#   CLAUDE.md
#   README.md
#   agents/scope-audit.md
#   agents/scope-defend.md
#   agents/scope-exploit.md
#   agents/scope-hunt.md
#   agents/subagents/scope-attack-paths.md
#   agents/subagents/scope-enum-apigateway.md
#   agents/subagents/scope-enum-codebuild.md
#   agents/subagents/scope-enum-ec2.md
#   agents/subagents/scope-enum-iam.md
#   agents/subagents/scope-enum-kms.md
#   agents/subagents/scope-enum-lambda.md
#   agents/subagents/scope-enum-rds.md
#   agents/subagents/scope-enum-s3.md
#   agents/subagents/scope-enum-secrets.md
#   agents/subagents/scope-enum-sns.md
#   agents/subagents/scope-enum-sqs.md
#   agents/subagents/scope-enum-sts.md
#   agents/subagents/scope-hunt-audit.md
#   agents/subagents/scope-hunt-intel.md
#   agents/subagents/scope-hunt-investigate.md
#   agents/subagents/scope-pipeline.md
#   agents/subagents/scope-verify.md
#   bin/install.js
#   config/hooks/scope-safety-guard.sh
Code review: found 1 issue:
SCOPE/config/hooks/scope-spl-lint.sh, lines 67 to 69 in 9d1f0ed
…iation to domain template
- Delete bin/splunk-mcp-start.sh (debug wrapper no longer needed)
- Update Gemini MCP config to use sh -c for env var expansion (Gemini CLI does not expand $VAR in args, only in env block)
- Rewrite config/mcp-setup.md: concise setup, SIEM flexibility note
- Add SIEM Integration section to README
- Condense AGENTS.md and CLAUDE.md as platform doc overlays
Summary
Key changes
- config/project-docs/PROJECT.md — single behavioral instruction file for all platforms
- scripts/lib/base-enum.js — shared CLI utility eliminating ~75 lines of boilerplate per enum script
- scripts/lib/policy-parser.js — centralized principal extraction replacing 5 duplicate implementations
- baseEnum({ module, run }) pattern
Test plan
- npm install && npm test — all 33 tests pass
- node bin/install.js --all — installs cleanly to all 3 platforms
- /scope:audit --all — full audit pipeline runs end-to-end