From a2ccf34c6526edb4a83a8c5e80e4150c7cb472fe Mon Sep 17 00:00:00 2001 From: Muzaffar Hossain Date: Thu, 9 Jul 2026 16:55:57 +0530 Subject: [PATCH 1/2] docs: remove internal stack/vendor terms from Applications.md The AI assistant grounds its answers in this public repo and was quoting this file to confirm internal implementation details when users probed ("why are you calling it a claude code agent?"). Replace vendor and infrastructure names with neutral platform terminology: - "CLDPM-managed Claude Code project" -> "platform-managed agent project" - "Claude Code Agent(s)" -> "Transilience Agent(s)" - "Claude API (proxy)" / "Claude Sonnet 4.6" -> "AI engine" - "Modal OIDC" -> "platform OIDC" - "CLDPM Monorepo" -> "App Monorepo" - CLAUDE.md references -> "project config" / "committed configuration" NOTE: this file is generated from projects/*/CLAUDE.md and project.json in claude-compliance-suite. The generator needs the same substitutions, or the next regeneration will reintroduce these terms. (The frontend also now redacts vendor terms from retrieved docs as a backstop.) --- concepts/Applications.md | 48 ++++++++++++++++++++-------------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/concepts/Applications.md b/concepts/Applications.md index 4667f84..8e0c3fd 100644 --- a/concepts/Applications.md +++ b/concepts/Applications.md @@ -1,6 +1,6 @@ # Application Briefs -A reference to every application in `projects/`: what each one does, how it works, and an architecture diagram. Briefs reflect the **latest committed logic** (`CLAUDE.md` + `project.json` per project). +A reference to every application in `projects/`: what each one does, how it works, and an architecture diagram. Briefs reflect the **latest committed logic** (each project's committed configuration). > 30 project directories. 26 are fully specified applications, 1 is a generic framework (`custom-task`), 1 is a near-stub (`threat-radar-generation` has minimal docs but a full skill tree), and 1 is an empty placeholder (`Updated_evidence_review`). @@ -8,7 +8,7 @@ A reference to every application in `projects/`: what each one does, how it work ## 1. Platform Architecture (shared by all apps) -Every app is a **CLDPM-managed Claude Code project** that runs on the **MCS backend**. Apps are not standalone binaries — they are bundles of *agents*, *skills*, and *hooks* that the platform executes, surfacing results through a browser-rendered **dynamic dashboard** (React/TSX served from `outputs/`). +Every app is a **platform-managed agent project** that runs on the **MCS backend**. Apps are not standalone binaries — they are bundles of *agents*, *skills*, and *hooks* that the platform executes, surfacing results through a browser-rendered **dynamic dashboard** (React/TSX served from `outputs/`). Three contracts are common to nearly every app: @@ -16,36 +16,36 @@ Three contracts are common to nearly every app: |----------|----------|---------| | **Data load** | `fetch('data/…')` | Dashboard reads persisted JSON from the session volume | | **Execute** | `POST /project/execute` | Dashboard triggers the backend agent to persist results or run a phase | -| **AI Bridge** | `POST /ai-bridge/invoke` \| `/stream` | Domain-agnostic proxy to Claude for intermediate LLM calls (mapping, scoring, OCR, narrative) | +| **AI Bridge** | `POST /ai-bridge/invoke` \| `/stream` | Domain-agnostic proxy to the platform's AI engine for intermediate LLM calls (mapping, scoring, OCR, narrative) | -AWS access is brokered by the **`session-start-credentials`** hook, which exchanges a Modal OIDC token for short-lived, customer-scoped credentials at session start. Most apps share three skills — **`dashboard-creation-skill`** (TSX + THEME), **`interactive-user-actions`** (forms/uploads), and **`ai-bridge`** — now unified as **`dynamic-dashboard`**. +AWS access is brokered by the **`session-start-credentials`** hook, which exchanges a platform OIDC token for short-lived, customer-scoped credentials at session start. Most apps share three skills — **`dashboard-creation-skill`** (TSX + THEME), **`interactive-user-actions`** (forms/uploads), and **`ai-bridge`** — now unified as **`dynamic-dashboard`**. ```mermaid flowchart TD - subgraph Repo["CLDPM Monorepo"] + subgraph Repo["App Monorepo"] SH["shared/
skills · hooks · services"] - PROJ["projects/<app>
agents · skills · hooks · CLAUDE.md"] + PROJ["projects/<app>
agents · skills · hooks · config"] SH -. symlinks .-> PROJ end PROJ -->|deployed to| MCS["MCS Backend Platform"] subgraph Runtime["App Runtime"] - AGENT["Claude Code Agent(s)
orchestrate phases"] + AGENT["Transilience Agent(s)
orchestrate phases"] DASH["Dynamic Dashboard (TSX)
served from outputs/"] end MCS --> AGENT MCS --> DASH - AGENT -->|short-lived creds| CRED["session-start-credentials
Modal OIDC"] + AGENT -->|short-lived creds| CRED["session-start-credentials
platform OIDC"] CRED --> AWS["Customer AWS Account"] AGENT -->|writes| VOL["Session Volume
outputs/{data,components,reports}"] DASH -->|fetch data/| VOL DASH -->|/project/execute| AGENT - DASH -->|/ai-bridge/invoke·stream| CLAUDE["Claude API (proxy)"] - AGENT -->|invoke| CLAUDE + DASH -->|/ai-bridge/invoke·stream| AIENG["AI engine (proxied)"] + AGENT -->|invoke| AIENG ``` **Typical request lifecycle** @@ -56,7 +56,7 @@ sequenceDiagram participant D as Dashboard (TSX) participant A as Backend Agent participant AWS as AWS APIs - participant C as Claude (AI Bridge) + participant C as AI Bridge participant V as Session Volume U->>D: Open app / select scope @@ -139,22 +139,22 @@ flowchart TD *An auditor-facing workbench that automates the most laborious part of a PCI engagement: gathering evidence and reconciling it against 133 requirements. Scoping questions and asset uploads keep the assessment honest about what is genuinely in scope, while streamed AI verdicts and an evidence-grounded chat let reviewers interrogate every conclusion.* **Purpose** — Auditor-grade PCI-DSS v4.0.1 evidence collection, mapping, and gap assessment from AWS via a unified 5-phase dashboard workflow. -**Inputs / data sources** — 20+ AWS services via Modal OIDC; an 11-question scoping questionnaire; optional asset inventory (CSV/XLSX) and auditor sample-set uploads. -**How it works** — **Start** → **Collecting** (parallel AWS fetch with progress; scoping + asset uploads in side pane) → **Mapped** (category tallies, in-scope vs auto-N/A, naming + sample-coverage checks) → **Reviewing** (Claude Sonnet 4.6 streams NDJSON verdicts for in-scope parent requirements) → **Results** (Overview, All Requirements, Raw Evidence, Auditor Chat). +**Inputs / data sources** — 20+ AWS services via platform OIDC; an 11-question scoping questionnaire; optional asset inventory (CSV/XLSX) and auditor sample-set uploads. +**How it works** — **Start** → **Collecting** (parallel AWS fetch with progress; scoping + asset uploads in side pane) → **Mapped** (category tallies, in-scope vs auto-N/A, naming + sample-coverage checks) → **Reviewing** (the AI engine streams NDJSON verdicts for in-scope parent requirements) → **Results** (Overview, All Requirements, Raw Evidence, Auditor Chat). **Agents & skills** — Single `pci-dss-evidence-analyzer-agent`; `dashboard-creation` + `platform-api` deps; AI Bridge streaming. **Outputs** — 7-sheet Excel report, raw evidence JSON by category, snapshot history. **Frameworks** — PCI-DSS v4.0.1 (133 requirements, Defined Approach matrix). ```mermaid flowchart TD - Start["User: Start"] -->|fetch_aws_evidence| Fetch["AWS Fetcher (Modal OIDC)"] + Start["User: Start"] -->|fetch_aws_evidence| Fetch["AWS Fetcher (platform OIDC)"] Fetch --> Raw["data/raw/<category>.json"] Quest["Scoping Questionnaire (11Q)"] --> NA["Auto Not-Applicable"] Asset["Asset Inventory + Sample Set"] --> Parsed["Parsed Assets"] Raw --> Map["Mapping: tallies + coverage"] NA --> Map Parsed --> Map - Map -->|in-scope reqs| Rev["/ai-bridge/stream · Sonnet 4.6"] + Map -->|in-scope reqs| Rev["/ai-bridge/stream · AI engine"] Rev --> Verd["NDJSON Verdicts"] Verd --> Res["Results: 4 tabs"] Raw --> Res @@ -178,7 +178,7 @@ flowchart TD B -->|boto3 via get_credentials| C["AWS (41 categories)"] C --> D["data/raw/ per-category JSON"] D -->|review_controls| E["Control Scorer (55 controls)"] - E -->|/ai-bridge/invoke| F["Claude Sonnet 4.6"] + E -->|/ai-bridge/invoke| F["AI engine"] F -->|verdict| E E --> G["task_results.json"] G --> H["SOC2ReadinessDashboard (5 tabs)"] @@ -190,10 +190,10 @@ flowchart TD ### evidence-reviewer -*A framework-agnostic triage tool for compliance teams buried in screenshots, PDFs, and configuration dumps. It ingests hundreds of artifacts in the browser, fuzzy-matches them to whatever control matrix you upload, and uses Claude to render a defensible per-control verdict.* -**Purpose** — Ingest bulk compliance evidence (200–300+ files), map to control matrices, and use Claude to review each control against a chosen framework. +*A framework-agnostic triage tool for compliance teams buried in screenshots, PDFs, and configuration dumps. It ingests hundreds of artifacts in the browser, fuzzy-matches them to whatever control matrix you upload, and uses the AI engine to render a defensible per-control verdict.* +**Purpose** — Ingest bulk compliance evidence (200–300+ files), map to control matrices, and use the AI engine to review each control against a chosen framework. **Inputs / data sources** — Drag-and-drop evidence (PDF, image, text, Excel, Word); CSV/JSON control matrices; framework-agnostic field mapping. -**How it works** — In-browser bulk ingestion (FileReader text + base64 images) → parse control matrix with flexible field mapping → keyword fuzzy-match evidence↔controls with manual override → per-control Claude review via `/ai-bridge/invoke` (analyst persona, structured JSON) → compliance dashboard with filtering and CSV/JSON export. +**How it works** — In-browser bulk ingestion (FileReader text + base64 images) → parse control matrix with flexible field mapping → keyword fuzzy-match evidence↔controls with manual override → per-control AI review via `/ai-bridge/invoke` (analyst persona, structured JSON) → compliance dashboard with filtering and CSV/JSON export. **Agents & skills** — No agents; `dashboard-creation-skill`, `interactive-user-actions`, `ai-bridge`. **Outputs** — `EvidenceReviewDashboard.tsx`, `task_results.json` (verdicts + observations), gap analysis, CSV/JSON exports, markdown report. **Frameworks** — PCI-DSS v4.0.1, SOC 2 Type II, ISO 27001:2022, HIPAA, NIST 800-53 Rev 5, custom. @@ -205,7 +205,7 @@ flowchart TD B --> E["Keyword Matching"] D --> E E -->|Phase 3| F["Manual Override UI"] - F -->|Phase 4| G["/ai-bridge/invoke (Claude)"] + F -->|Phase 4| G["/ai-bridge/invoke (AI engine)"] G --> H["Verdict + Observations + Severity"] H -->|Phase 5| I["Results Dashboard"] I --> J["CSV/JSON Export + Markdown Report"] @@ -258,7 +258,7 @@ flowchart TD *A document factory and reviewer for information-security policies. It authors brand-aligned policy sets from a 473-point control library and, in reverse, audits existing policies for framework-coverage gaps.* **Purpose** — Framework-aligned policy creator and reviewer; generates branded PDF/DOCX policies and performs multi-framework gap analysis. **Inputs / data sources** — Framework selection (PCI-DSS v4.0.1, ISO 27001/27002:2022, SOC 2 TSC 2017, HIPAA); org metadata + logo; for review mode, an existing policy PDF/DOCX. -**How it works** — Choose Create or Review → select framework(s) + enter org details (logo → co-brand + color extraction) → **Create**: pick style + target policies from a 473-control-point index, Claude generates branded PDF → **Review**: parse uploaded policy, cross-map to controls, score missing controls by severity → output PDF (create) or XLSX + PDF (review). +**How it works** — Choose Create or Review → select framework(s) + enter org details (logo → co-brand + color extraction) → **Create**: pick style + target policies from a 473-control-point index, the AI engine generates branded PDF → **Review**: parse uploaded policy, cross-map to controls, score missing controls by severity → output PDF (create) or XLSX + PDF (review). **Agents & skills** — No agents; `policy-engine` skill via `dynamic-dashboard`; AI Bridge invoke/stream. **Outputs** — Branded 7-section PDF policies; gap-analysis XLSX + PDF summary. **Frameworks** — PCI-DSS v4.0.1 (203 sub-reqs), ISO 27001/27002:2022 (93 controls), SOC 2 TSC 2017 (90 criteria), HIPAA (49 specs). @@ -503,7 +503,7 @@ flowchart TD *An autonomous offensive-security platform that orchestrates a fleet of specialized attack agents the way a red-team lead directs operators. Reconnaissance, exploitation, and evidence validation run in parallel, and every finding is adversarially re-checked before it reaches the report.* **Purpose** — Multi-agent penetration-testing framework orchestrating parallel recon, vulnerability testing, and evidence validation across 50+ attack types and 11 domains. -**Inputs / data sources** — User-defined target scope + explicit authorization; optional Shodan/DNS intel; Modal OIDC for AWS. +**Inputs / data sources** — User-defined target scope + explicit authorization; optional Shodan/DNS intel; platform OIDC for AWS. **How it works** — **Initialization** (coordinator parses scope, loads 20+ skills) → **Reconnaissance** (parallel discovery agents) → **Planning** (batch attack vectors by surface) → **Vulnerability Testing** (stateless executor agents write finding-NNN artifacts) → **Aggregation & Validation** (validator agents run 5 checks: CVSS consistency, evidence, PoC, claims-vs-raw, log corroboration) → **Reporting** (dashboard + branded PDF + remediation roadmap). **Agents & skills** — Coordinator (inline), Executor (background, stateless), Validator (background, per-finding); 25+ skills (injection, client/server-side, auth, api-security, cloud-containers, ai-threat-testing, cve-poc-generator, osint, dfir, …). **Outputs** — Validated findings (CVSS/CWE/OWASP/MITRE), `PentestReportDashboard.tsx`, `pentest_results.json`, Transilience PDF, NDJSON logs. @@ -818,8 +818,8 @@ flowchart TD ``` ### Updated_evidence_review -**Status** — Empty placeholder. Directory contains only `.DS_Store` and an empty `outputs/` — no `CLAUDE.md`, `project.json`, agents, skills, or source. Likely superseded by [evidence-reviewer](#evidence-reviewer) / [pci-dss-evidence-analyzer](#pci-dss-evidence-analyzer). +**Status** — Empty placeholder. Directory contains only `.DS_Store` and an empty `outputs/` — no project config, agents, skills, or source. Likely superseded by [evidence-reviewer](#evidence-reviewer) / [pci-dss-evidence-analyzer](#pci-dss-evidence-analyzer). --- -*Generated from `projects/*/CLAUDE.md` and `project.json`. Diagrams are Mermaid — render in any Mermaid-aware viewer (GitHub, VS Code, Obsidian).* +*Generated from each project's committed configuration. Diagrams are Mermaid — render in any Mermaid-aware viewer (GitHub, VS Code, Obsidian).* From bff9e28fc59c8fb3d611a04c18ff17cfa2c4a5b6 Mon Sep 17 00:00:00 2001 From: Muzaffar Hossain Date: Thu, 9 Jul 2026 22:31:19 +0530 Subject: [PATCH 2/2] docs: strip internal architecture from public docs Deep audit of the whole repo for confidential/internal content, since the AI assistant grounds its answers here and the repo is public. Applications.md was an internal engineering reference (825 lines). Rewrote it into a user-facing app catalog: kept each app's description, purpose, high-level data sources, what you get back, and frameworks. Removed all internal architecture: - the shared Platform Architecture section and all Mermaid diagrams (architecture, per-app pipeline, and request-sequence diagrams) - internal agent / skill / hook names - internal endpoints (/project/execute, /ai-bridge/invoke|stream) - internal file names (task_results.json, *.tsx components, flow.json) - internal scripts and build tooling (run_pipeline.py, collect_aws_data.py, esbuild, DuckDB, boto3, OIDC/NDJSON, the projects/ + shared/ monorepo) - the empty internal placeholder app Also removed minor internal-naming asides from the concept docs and glossary ("project is the internal name for an app", "conversation is the internal name for a thread", "artifact type", "the backend", and the app-detail 'agents and skills used internally' bullet). --- concepts/Applications.md | 792 ++++++++------------------------------- concepts/apps.md | 5 +- concepts/artifacts.md | 2 - concepts/sessions.md | 2 +- concepts/threads.md | 2 +- glossary.md | 7 +- 6 files changed, 163 insertions(+), 647 deletions(-) diff --git a/concepts/Applications.md b/concepts/Applications.md index 8e0c3fd..753dcf3 100644 --- a/concepts/Applications.md +++ b/concepts/Applications.md @@ -1,79 +1,16 @@ -# Application Briefs +# Apps catalog -A reference to every application in `projects/`: what each one does, how it works, and an architecture diagram. Briefs reflect the **latest committed logic** (each project's committed configuration). +A reference to every [app](apps.md) you can run: what each one does, what it looks at, what you get back, and which compliance frameworks it covers. -> 30 project directories. 26 are fully specified applications, 1 is a generic framework (`custom-task`), 1 is a near-stub (`threat-radar-generation` has minimal docs but a full skill tree), and 1 is an empty placeholder (`Updated_evidence_review`). +## How apps work (at a glance) ---- +Every app runs on the Transilience platform. It reads from the data sources you've connected — most often your AWS account, read-only — and writes its results to that [session's](sessions.md) [outputs](outputs.md): a mix of interactive **dashboards**, human-readable **reports** (markdown, PDF, Word, or Excel), and downloadable **data files** (JSON or CSV). You read them on the session's **Summary** and **Files** tabs, ask questions about them in a [thread](threads.md), [save](../workflows/save-an-artifact.md) them as artifacts, or [schedule](scheduling.md) the app to run again. -## 1. Platform Architecture (shared by all apps) - -Every app is a **platform-managed agent project** that runs on the **MCS backend**. Apps are not standalone binaries — they are bundles of *agents*, *skills*, and *hooks* that the platform executes, surfacing results through a browser-rendered **dynamic dashboard** (React/TSX served from `outputs/`). - -Three contracts are common to nearly every app: - -| Contract | Endpoint | Purpose | -|----------|----------|---------| -| **Data load** | `fetch('data/…')` | Dashboard reads persisted JSON from the session volume | -| **Execute** | `POST /project/execute` | Dashboard triggers the backend agent to persist results or run a phase | -| **AI Bridge** | `POST /ai-bridge/invoke` \| `/stream` | Domain-agnostic proxy to the platform's AI engine for intermediate LLM calls (mapping, scoring, OCR, narrative) | - -AWS access is brokered by the **`session-start-credentials`** hook, which exchanges a platform OIDC token for short-lived, customer-scoped credentials at session start. Most apps share three skills — **`dashboard-creation-skill`** (TSX + THEME), **`interactive-user-actions`** (forms/uploads), and **`ai-bridge`** — now unified as **`dynamic-dashboard`**. - -```mermaid -flowchart TD - subgraph Repo["App Monorepo"] - SH["shared/
skills · hooks · services"] - PROJ["projects/<app>
agents · skills · hooks · config"] - SH -. symlinks .-> PROJ - end - - PROJ -->|deployed to| MCS["MCS Backend Platform"] - - subgraph Runtime["App Runtime"] - AGENT["Transilience Agent(s)
orchestrate phases"] - DASH["Dynamic Dashboard (TSX)
served from outputs/"] - end - - MCS --> AGENT - MCS --> DASH - - AGENT -->|short-lived creds| CRED["session-start-credentials
platform OIDC"] - CRED --> AWS["Customer AWS Account"] - AGENT -->|writes| VOL["Session Volume
outputs/{data,components,reports}"] - - DASH -->|fetch data/| VOL - DASH -->|/project/execute| AGENT - DASH -->|/ai-bridge/invoke·stream| AIENG["AI engine (proxied)"] - AGENT -->|invoke| AIENG -``` - -**Typical request lifecycle** - -```mermaid -sequenceDiagram - participant U as User (Browser) - participant D as Dashboard (TSX) - participant A as Backend Agent - participant AWS as AWS APIs - participant C as AI Bridge - participant V as Session Volume - - U->>D: Open app / select scope - D->>A: /project/execute (start) - A->>AWS: describe_* / list_* (read-only) - AWS-->>A: raw evidence - A->>V: write outputs/data/raw/*.json - A->>C: /ai-bridge/stream (score / analyze) - C-->>A: verdicts (NDJSON) - A->>V: write task_results.json + dashboard TSX - D->>V: fetch data/task_results.json - D-->>U: render results · export (DOCX/XLSX/PDF) -``` +You don't build or configure apps yourself — Transilience maintains the catalog and it updates automatically. See [apps](apps.md) for how to browse and run them. --- -## 2. Application Index +## Application index | App | Category | One-liner | |-----|----------|-----------| @@ -84,742 +21,327 @@ sequenceDiagram | [encryption-audit](#encryption-audit) | Compliance | Encryption-at-rest/in-transit audit across AWS services | | [cloud-misconfig-scanner](#cloud-misconfig-scanner) | Compliance | S3/RDS/Lambda misconfiguration detection | | [policy-engine](#policy-engine) | Governance | Branded policy authoring + multi-framework gap analysis | -| [iam-role-rightsize](#iam-role-rightsize) | IAM | Access-Analyzer-driven least-privilege recommendations | -| [user-access-review](#user-access-review) | IAM | PCI-compliant periodic IAM access review (DOCX) | +| [iam-role-rightsize](#iam-role-rightsize) | IAM | Least-privilege recommendations from actual usage | +| [user-access-review](#user-access-review) | IAM | PCI-compliant periodic IAM access review (Word) | | [siem-cloudtrail-analyzer](#siem-cloudtrail-analyzer) | SIEM | CloudTrail API audit-log threat detection | | [siem-cloudwatch-analyzer](#siem-cloudwatch-analyzer) | SIEM | CloudWatch + VPC Flow anomaly detection | | [siem-guardduty-analyzer](#siem-guardduty-analyzer) | SIEM | GuardDuty finding analysis + IOC extraction | -| [siem-event-correlator](#siem-event-correlator) | SIEM | Cross-source correlation engine + incident detection | +| [siem-event-correlator](#siem-event-correlator) | SIEM | Cross-source correlation + incident detection | | [siem-soc-analyzer](#siem-soc-analyzer) | SIEM | Tiered L1/L2/L3 SOC analyst pipeline | | [aws-monitor-guardduty](#aws-monitor-guardduty) | SIEM | Lightweight GuardDuty root-cause + risk scoring | | [aws-log-analyzer](#aws-log-analyzer) | SIEM | Multi-source log aggregation + correlation | | [pentest](#pentest) | Offensive | Multi-agent pentest framework, 50+ attack types | | [cloud-attack-path-analysis](#cloud-attack-path-analysis) | Offensive | Attack-graph discovery with chokepoint analysis | | [aws-vulnerability-prioritizer](#aws-vulnerability-prioritizer) | Offensive | ECR/Inspector CVE prioritization + impact simulation | -| [threat-radar-generation](#threat-radar-generation) | Offensive | Two-stage passive OSINT tech-stack threat radar | +| [threat-radar-generation](#threat-radar-generation) | Offensive | Passive OSINT tech-stack threat radar | | [network-diagram-curator](#network-diagram-curator) | Network | Topology diagrams, asset inventory, PCI scoping | -| [network-ruleset-review](#network-ruleset-review) | Network | PCI annual firewall/SG/NACL review (DOCX) | +| [network-ruleset-review](#network-ruleset-review) | Network | PCI annual firewall/SG/NACL review (Word) | | [devops-security-remediation](#devops-security-remediation) | Network | Find 0.0.0.0/0 rules + generate remediation scripts | | [cloud-cost-monitor](#cloud-cost-monitor) | FinOps | Right-sizing, RI/SP optimization, anomaly detection | | [devops-simulation-training](#devops-simulation-training) | Training | Gamified incident-response simulations | | [tabletop-exercise](#tabletop-exercise) | Training | AI DR tabletop scenarios from real inventory | | [phishing-simulator](#phishing-simulator) | Training | Gamified phishing-awareness academy | -| [security-dashboard-hub](#security-dashboard-hub) | Hub | Role-based aggregation of all project outputs | +| [security-dashboard-hub](#security-dashboard-hub) | Hub | Role-based aggregation of all app outputs | | [custom-task](#custom-task) | Framework | Generic ad-hoc task + dashboard generator | -| [Updated_evidence_review](#updated_evidence_review) | — | Empty placeholder | --- -## 3. Compliance & Evidence +## Compliance & evidence ### pci-compliance-analysis -*A turnkey PCI-DSS assessment engine that converts a live AWS account into a scored compliance picture. It closes the gap between raw cloud configuration and the auditor's 12-requirement checklist, letting teams see exactly where they stand—and what to remediate—well before a QSA arrives.* -**Purpose** — Analyze AWS infrastructure for PCI-DSS v4.0 compliance across all 12 requirement categories and produce an interactive scored dashboard. -**Inputs / data sources** — EC2, RDS, S3, IAM, CloudTrail, AWS Config, KMS, GuardDuty, Security Hub via `describe_*`/`get_*`. -**How it works** — Collect infrastructure across 8+ services → evaluate each of the 12 requirement categories → map services to requirements (EC2 SG→Req 1, CloudTrail→Req 10) → score PASS/FAIL/REVIEW aggregated to 0–100% → classify findings by severity → embed real data into a TSX component, compile, render. -**Agents & skills** — No agents; `pci-compliance-analysis` skill + `dashboard-creation-skill`. Hooks: `session-start-credentials`, `gemini-postprocess`, `update-imports`. -**Outputs** — `compliance_analysis.json`, `ComplianceDashboard.tsx/js` (gauge, pie, findings table), `pci_compliance_report.md`. -**Frameworks** — PCI-DSS v4.0 (all 12 requirements). +*A turnkey PCI-DSS assessment engine that converts a live AWS account into a scored compliance picture. It closes the gap between raw cloud configuration and the auditor's 12-requirement checklist, letting teams see exactly where they stand — and what to remediate — well before a QSA arrives.* -```mermaid -flowchart TD - A["AWS Services
EC2·RDS·S3·IAM·CloudTrail
Config·KMS·GuardDuty·SH"] -->|describe_*| B["Collect Infrastructure"] - B -->|12-req map| C["Evaluate Requirements 1–12"] - C -->|PASS/FAIL/REVIEW| D["Score 0–100%"] - D -->|severity classify| E["Findings + Remediation"] - E -->|embed real data| F["ComplianceDashboard.tsx"] - F -->|esbuild + validate| G["Compiled JS"] - D --> H["compliance_analysis.json"] - E --> I["pci_compliance_report.md"] - G --> J["Dashboard: gauge · pie · table"] -``` +**What it does** — Analyzes your AWS infrastructure for PCI-DSS v4.0 compliance across all 12 requirement categories and produces an interactive scored dashboard. +**What it looks at** — EC2, RDS, S3, IAM, CloudTrail, AWS Config, KMS, GuardDuty, and Security Hub. +**What you get** — An interactive dashboard (compliance gauge, category breakdown, findings table), severity-classified findings with remediation, and a PCI compliance report. +**Frameworks** — PCI-DSS v4.0 (all 12 requirements). ### pci-dss-evidence-analyzer *An auditor-facing workbench that automates the most laborious part of a PCI engagement: gathering evidence and reconciling it against 133 requirements. Scoping questions and asset uploads keep the assessment honest about what is genuinely in scope, while streamed AI verdicts and an evidence-grounded chat let reviewers interrogate every conclusion.* -**Purpose** — Auditor-grade PCI-DSS v4.0.1 evidence collection, mapping, and gap assessment from AWS via a unified 5-phase dashboard workflow. -**Inputs / data sources** — 20+ AWS services via platform OIDC; an 11-question scoping questionnaire; optional asset inventory (CSV/XLSX) and auditor sample-set uploads. -**How it works** — **Start** → **Collecting** (parallel AWS fetch with progress; scoping + asset uploads in side pane) → **Mapped** (category tallies, in-scope vs auto-N/A, naming + sample-coverage checks) → **Reviewing** (the AI engine streams NDJSON verdicts for in-scope parent requirements) → **Results** (Overview, All Requirements, Raw Evidence, Auditor Chat). -**Agents & skills** — Single `pci-dss-evidence-analyzer-agent`; `dashboard-creation` + `platform-api` deps; AI Bridge streaming. -**Outputs** — 7-sheet Excel report, raw evidence JSON by category, snapshot history. -**Frameworks** — PCI-DSS v4.0.1 (133 requirements, Defined Approach matrix). -```mermaid -flowchart TD - Start["User: Start"] -->|fetch_aws_evidence| Fetch["AWS Fetcher (platform OIDC)"] - Fetch --> Raw["data/raw/<category>.json"] - Quest["Scoping Questionnaire (11Q)"] --> NA["Auto Not-Applicable"] - Asset["Asset Inventory + Sample Set"] --> Parsed["Parsed Assets"] - Raw --> Map["Mapping: tallies + coverage"] - NA --> Map - Parsed --> Map - Map -->|in-scope reqs| Rev["/ai-bridge/stream · AI engine"] - Rev --> Verd["NDJSON Verdicts"] - Verd --> Res["Results: 4 tabs"] - Raw --> Res - Res -->|persist| Excel["7-sheet Excel"] - Res -->|Auditor Chat| QA["/ai-bridge/stream (routed Q&A)"] -``` +**What it does** — Auditor-grade PCI-DSS v4.0.1 evidence collection, mapping, and gap assessment across a guided 5-phase workflow. +**What it looks at** — 20+ AWS services; an 11-question scoping questionnaire; optional asset inventory (CSV/XLSX) and auditor sample-set uploads. +**How it flows** — Start → collect AWS evidence (with scoping and asset uploads alongside) → map to requirements with in-scope vs. auto-not-applicable tallies → AI reviews each in-scope requirement → results across Overview, All Requirements, Raw Evidence, and an evidence-grounded Auditor Chat. +**What you get** — A 7-sheet Excel report, raw evidence organized by category, and snapshot history. +**Frameworks** — PCI-DSS v4.0.1 (133 requirements, Defined Approach matrix). ### soc2-readiness *A pre-audit readiness check that scores an organization against all 55 SOC 2 Trust Service Criteria using evidence pulled directly from AWS. Built for the run-up to a Type II audit, it surfaces gaps early and produces an audit-ready workbook with full evidence traceability.* -**Purpose** — SOC 2 Type II readiness assessment with server-side evidence collection, control scoring, and audit-grade reporting with raw-evidence visibility. -**Inputs / data sources** — AWS (IAM, KMS, S3, EC2 network, logging, security services, backup, certificates) across 41 resource categories; customer name + assessment type; optional policy docs/screenshots for OCR. -**How it works** — Select org + region → fetch 41 AWS evidence categories via boto3 → score all 55 SOC 2 controls against raw evidence using AI Bridge (streaming verdicts) → 5-tab dashboard (scorecard, controls, evidence browser, auditor chat, missing-evidence request) → persist to markdown + 6-sheet Excel. -**Agents & skills** — `soc2-readiness-agent`; `dynamic-dashboard`, `platform-api`; `session-start-credentials`; AI Bridge streaming for cited auditor chat. -**Outputs** — `SOC2ReadinessDashboard.tsx`, `task_results.json` (55 verdicts + score), markdown report, 6-sheet Excel, raw evidence JSON. -**Frameworks** — SOC 2 Type II (55 Trust Service Criteria controls). -```mermaid -flowchart TD - A["User: org + region"] -->|fetch_cloud_evidence| B["AWS Evidence Fetcher"] - B -->|boto3 via get_credentials| C["AWS (41 categories)"] - C --> D["data/raw/ per-category JSON"] - D -->|review_controls| E["Control Scorer (55 controls)"] - E -->|/ai-bridge/invoke| F["AI engine"] - F -->|verdict| E - E --> G["task_results.json"] - G --> H["SOC2ReadinessDashboard (5 tabs)"] - D -->|routed chat| I["/ai-bridge/stream (citations)"] - I --> H - H -->|persist| J["6-sheet Excel + Report.md"] - H -->|request_missing| K["Evidence Request Manifest"] -``` +**What it does** — SOC 2 Type II readiness assessment with evidence collection, control scoring, and audit-grade reporting with raw-evidence visibility. +**What it looks at** — AWS across 41 resource categories (IAM, KMS, S3, EC2 networking, logging, security services, backup, certificates); your organization name and assessment type; optional policy docs or screenshots. +**What you get** — An interactive readiness dashboard (scorecard, controls, evidence browser, auditor chat, missing-evidence requests), a 6-sheet Excel workbook, a markdown report, and raw evidence. +**Frameworks** — SOC 2 Type II (55 Trust Service Criteria controls). ### evidence-reviewer -*A framework-agnostic triage tool for compliance teams buried in screenshots, PDFs, and configuration dumps. It ingests hundreds of artifacts in the browser, fuzzy-matches them to whatever control matrix you upload, and uses the AI engine to render a defensible per-control verdict.* -**Purpose** — Ingest bulk compliance evidence (200–300+ files), map to control matrices, and use the AI engine to review each control against a chosen framework. -**Inputs / data sources** — Drag-and-drop evidence (PDF, image, text, Excel, Word); CSV/JSON control matrices; framework-agnostic field mapping. -**How it works** — In-browser bulk ingestion (FileReader text + base64 images) → parse control matrix with flexible field mapping → keyword fuzzy-match evidence↔controls with manual override → per-control AI review via `/ai-bridge/invoke` (analyst persona, structured JSON) → compliance dashboard with filtering and CSV/JSON export. -**Agents & skills** — No agents; `dashboard-creation-skill`, `interactive-user-actions`, `ai-bridge`. -**Outputs** — `EvidenceReviewDashboard.tsx`, `task_results.json` (verdicts + observations), gap analysis, CSV/JSON exports, markdown report. -**Frameworks** — PCI-DSS v4.0.1, SOC 2 Type II, ISO 27001:2022, HIPAA, NIST 800-53 Rev 5, custom. - -```mermaid -flowchart TD - A["Evidence Upload (200–300+ files)"] -->|Phase 1| B["Browser Ingestion
text · base64 · metadata"] - C["CSV/JSON Matrix"] -->|Phase 2| D["Control Parser"] - B --> E["Keyword Matching"] - D --> E - E -->|Phase 3| F["Manual Override UI"] - F -->|Phase 4| G["/ai-bridge/invoke (AI engine)"] - G --> H["Verdict + Observations + Severity"] - H -->|Phase 5| I["Results Dashboard"] - I --> J["CSV/JSON Export + Markdown Report"] -``` +*A framework-agnostic triage tool for compliance teams buried in screenshots, PDFs, and configuration dumps. It ingests hundreds of artifacts in the browser, fuzzy-matches them to whatever control matrix you upload, and renders a defensible per-control verdict.* + +**What it does** — Ingests bulk compliance evidence (200–300+ files), maps it to your control matrix, and reviews each control against a chosen framework. +**What it looks at** — Drag-and-drop evidence (PDF, image, text, Excel, Word) and a CSV/JSON control matrix, with flexible field mapping. +**What you get** — A compliance dashboard with filtering, per-control verdicts and observations, a gap analysis, and CSV/JSON + markdown exports. +**Frameworks** — PCI-DSS v4.0.1, SOC 2 Type II, ISO 27001:2022, HIPAA, NIST 800-53 Rev 5, and custom. ### encryption-audit -*A focused sweep for unprotected data across the AWS estate, answering one high-stakes question—"is anything sensitive left unencrypted?"—across EBS, RDS, S3, DynamoDB, and KMS, at rest and in transit.* -**Purpose** — Audit encryption status across AWS resources (EBS, RDS, S3, DynamoDB, KMS) and surface unencrypted data. -**Inputs / data sources** — EBS volumes, RDS instances, S3 buckets, DynamoDB tables, KMS keys; credentials via `session-start-credentials`. -**How it works** — Retrieve credentials → EBS scanner (volume + snapshot encryption) → RDS scanner (at-rest, SSL/TLS, snapshots) → S3 scanner (SSE + default encryption) → DynamoDB/KMS analyzers (key config + rotation) → dashboard highlighting unencrypted resources by service. -**Agents & skills** — `aws_credential_manager` agent; `encryption-compliance-checker` skill; `dashboard-creation-skill`, `platform-api`. -**Outputs** — `unencrypted_resources.json`, `encryption_summary.json`, `kms_key_inventory.json`, `EncryptionDashboard.tsx`, audit + remediation reports. -**Frameworks** — PCI-DSS 3.4 / 4.1, HIPAA encryption, SOC 2. +*A focused sweep for unprotected data across the AWS estate, answering one high-stakes question — "is anything sensitive left unencrypted?" — across EBS, RDS, S3, DynamoDB, and KMS, at rest and in transit.* -```mermaid -flowchart TD - A["EBS·RDS·S3·DynamoDB·KMS"] -->|describe/list| B["encryption-compliance-checker"] - C["session-start-credentials"] --> B - B --> D["data/
unencrypted_resources.json
encryption_summary.json
kms_key_inventory.json"] - D --> E["dashboard-creation-skill"] - E --> F["EncryptionDashboard.tsx"] - B --> G["reports/ audit + remediation"] - F --> H["Browser Dashboard"] -``` +**What it does** — Audits encryption status across AWS resources and surfaces anything unencrypted. +**What it looks at** — EBS volumes and snapshots, RDS instances, S3 buckets, DynamoDB tables, and KMS keys. +**What you get** — A dashboard highlighting unencrypted resources by service, plus audit and remediation reports. +**Frameworks** — PCI-DSS 3.4 / 4.1, HIPAA encryption, SOC 2. ### cloud-misconfig-scanner *A targeted scanner for the misconfigurations behind most cloud breaches: public buckets, unlogged databases, over-exposed functions. It inspects S3, RDS, and Lambda and returns severity-ranked findings paired with concrete fixes.* -**Purpose** — Identify security misconfigurations across S3, RDS, and Lambda and generate remediation guidance. -**Inputs / data sources** — S3 buckets, RDS instances, Lambda functions; credentials via hook. -**How it works** — Retrieve credentials → S3 scanner (policies, ACLs, encryption, public access) → RDS scanner (logging, encryption, SSL/TLS, network) → Lambda scanner (env vars, exec roles, VPC, secrets) → generate TSX dashboards → synthesize markdown with severity + remediation. -**Agents & skills** — `aws_credential_manager`; `s3/rds/lambda-security-scanner` skills; `dashboard-creation-skill`. -**Outputs** — `s3/rds/lambda_findings.json`, three TSX dashboards, severity-graded markdown reports. -**Frameworks** — PCI-DSS 3.4 / 7.1 / 10.2; CIS AWS Foundations 2.1.x. -```mermaid -flowchart TD - A["AWS S3·RDS·Lambda"] -->|list/describe| B["s3 · rds · lambda
security-scanner"] - C["session-start-credentials"] --> B - B --> D["data/ *_findings.json"] - D --> E["dashboard-creation-skill"] - E --> F["S3·RDS·Lambda Dashboards"] - B --> G["reports/ severity + remediation"] - F --> H["Browser Dashboard"] -``` +**What it does** — Identifies security misconfigurations across S3, RDS, and Lambda and generates remediation guidance. +**What it looks at** — S3 bucket policies/ACLs/encryption/public access, RDS logging/encryption/networking, and Lambda environment/roles/VPC/secrets. +**What you get** — Severity-ranked findings for each service, interactive dashboards, and remediation reports. +**Frameworks** — PCI-DSS 3.4 / 7.1 / 10.2; CIS AWS Foundations 2.1.x. ### policy-engine *A document factory and reviewer for information-security policies. It authors brand-aligned policy sets from a 473-point control library and, in reverse, audits existing policies for framework-coverage gaps.* -**Purpose** — Framework-aligned policy creator and reviewer; generates branded PDF/DOCX policies and performs multi-framework gap analysis. -**Inputs / data sources** — Framework selection (PCI-DSS v4.0.1, ISO 27001/27002:2022, SOC 2 TSC 2017, HIPAA); org metadata + logo; for review mode, an existing policy PDF/DOCX. -**How it works** — Choose Create or Review → select framework(s) + enter org details (logo → co-brand + color extraction) → **Create**: pick style + target policies from a 473-control-point index, the AI engine generates branded PDF → **Review**: parse uploaded policy, cross-map to controls, score missing controls by severity → output PDF (create) or XLSX + PDF (review). -**Agents & skills** — No agents; `policy-engine` skill via `dynamic-dashboard`; AI Bridge invoke/stream. -**Outputs** — Branded 7-section PDF policies; gap-analysis XLSX + PDF summary. -**Frameworks** — PCI-DSS v4.0.1 (203 sub-reqs), ISO 27001/27002:2022 (93 controls), SOC 2 TSC 2017 (90 criteria), HIPAA (49 specs). -```mermaid -flowchart TD - U["User"] --> M{"Create or Review?"} - M -->|Create| CF["Framework · Org · Logo"] - M -->|Review| RF["Framework · Upload Policy"] - CF -->|control_points_matrix| PG["/ai-bridge/invoke
Policy Gen + Color Extract"] - PG --> CO["Branded PDF (co-branded)"] - RF -->|control_mapping| GA["/ai-bridge/stream
Gap Analysis"] - GA --> RO["Gap XLSX + PDF"] - CO --> D["PolicyDashboard.tsx"] - RO --> D -``` +**What it does** — Creates framework-aligned, branded policies and reviews existing policies for multi-framework gaps. +**What it looks at** — Your framework selection and organization details (name, logo for co-branding); for review mode, an existing policy PDF or Word doc. +**What you get** — **Create**: branded, multi-section PDF policies. **Review**: a gap-analysis workbook plus a PDF summary scoring missing controls by severity. +**Frameworks** — PCI-DSS v4.0.1 (203 sub-reqs), ISO 27001/27002:2022 (93 controls), SOC 2 TSC 2017 (90 criteria), HIPAA (49 specs). --- -## 4. IAM & Access +## IAM & access ### iam-role-rightsize *A least-privilege engine that confronts permission sprawl in AWS IAM. By contrasting what roles are allowed to do against what they actually use, it recommends precise reductions and flags roles safe to retire.* -**Purpose** — Analyze IAM roles/policies with Access Analyzer to identify over-permissive access and generate right-sized recommendations + removal candidates. -**Inputs / data sources** — IAM role inventory; Access Analyzer findings (unused permissions, external access); CloudTrail for usage patterns. -**How it works** — Enumerate roles (`iam:List*`/`Get*`) → analyze CloudTrail usage → Access Analyzer for unused/external access → risk-score over-permission (1–10), flag admin/wildcard/cross-account, compare required vs actual → generate P0–P3 removal + consolidation recommendations → dashboard with before/after policy comparison. -**Agents & skills** — `iam-rightsize-agent`, `aws_credential_manager`; `iam-rightsize-skill`; `dashboard-creation-skill`. -**Outputs** — Role inventory + findings JSON, right-size recommendations, removal candidates, risk heatmap dashboard, compliance-mapped markdown. -**Frameworks** — PCI-DSS 7.1–7.2, CIS AWS 1.16/1.22, SOC 2 CC6.1/CC6.3, NIST AC-6. -```mermaid -flowchart TD - A["IAM Roles"] -->|iam:List*| B["Role Inventory"] - C["CloudTrail"] --> D["Permission Usage"] - E["Access Analyzer"] --> F["Unused + External Access"] - B --> G["Risk Scoring (1–10)"] - D --> G - F --> G - G --> H["Classify Critical/High/Med/Low"] - H --> I["Recommendations: reduce · consolidate · remove"] - I --> J["IAM Dashboard (heatmap)"] - I --> K["Compliance-mapped Report"] -``` +**What it does** — Analyzes IAM roles and policies to find over-permissive access and produce right-sized recommendations and removal candidates. +**What it looks at** — Your IAM role inventory, Access Analyzer findings (unused permissions, external access), and CloudTrail usage patterns. +**What you get** — A risk heatmap dashboard, prioritized reduce/consolidate/remove recommendations with before/after policy comparison, and a compliance-mapped report. +**Frameworks** — PCI-DSS 7.1–7.2, CIS AWS 1.16/1.22, SOC 2 CC6.1/CC6.3, NIST AC-6. ### user-access-review *An automation of the recurring access-recertification chore auditors demand. It compiles IAM identities, scrutinizes privilege breadth and MFA hygiene, and produces a sign-off-ready Word report.* -**Purpose** — PCI-DSS v4.0 compliant periodic user access review and IAM access analysis, producing an audit-grade Word report. -**Inputs / data sources** — IAM inventory (users, roles, policies, access keys, MFA) via boto3 / CLI export; optional historical access data; customer + review period. -**How it works** — Collect IAM data → analyze permissions, flag broad policies (Administrator/PowerUser), check key rotation + MFA → assign CRITICAL/HIGH/MEDIUM/LOW by breadth, key age, MFA, last login → map to PCI-DSS 7.x/8.x → generate 16-section DOCX with color-coded risk tables, score, remediation. -**Agents & skills** — `user-access-review-agent`; `user-access-review` skill (analysis + DOCX); `dashboard-creation-skill`, `platform-api`. -**Outputs** — 16-section Word report, optional filterable React dashboard, JSON analysis files. -**Frameworks** — PCI-DSS v4.0 7.1/7.2, 8.1/8.2/8.3. -```mermaid -flowchart TD - A["IAM Data (boto3/CLI)"] --> B["Inventory Fetch
users·roles·policies·keys·MFA"] - B --> C["Access Analysis
scope · key age · MFA"] - C --> D["Risk Assessment
CRITICAL→LOW"] - D --> E["PCI-DSS 7.x/8.x Mapping"] - E --> F["python-docx Generator"] - F --> G["16-section Word Report"] - D --> H["Optional React Dashboard"] -``` +**What it does** — Runs a PCI-DSS v4.0 compliant periodic user access review and produces an audit-grade Word report. +**What it looks at** — Your IAM inventory (users, roles, policies, access keys, MFA); optional historical access data; the customer name and review period. +**What you get** — A 16-section Word report with color-coded risk tables, scoring, and remediation; an optional filterable dashboard; and JSON analysis files. +**Frameworks** — PCI-DSS v4.0 7.1/7.2, 8.1/8.2/8.3. --- -## 5. SIEM & Threat Detection +## SIEM & threat detection -The SIEM family is a **producer/consumer pipeline**: three source analyzers (CloudTrail, CloudWatch, GuardDuty) normalize events to **Common Event Format (CEF)** and export them; the **event-correlator** consumes all three for cross-source incident detection. The **soc-analyzer** is an independent tiered L1/L2/L3 pipeline. - -```mermaid -flowchart LR - CT["siem-cloudtrail-analyzer"] -->|CEF| EC["siem-event-correlator"] - CW["siem-cloudwatch-analyzer"] -->|CEF| EC - GD["siem-guardduty-analyzer"] -->|CEF| EC - EC --> INC["Incidents · Attack Chains · SOC Metrics"] -``` +The three source analyzers (CloudTrail, CloudWatch, GuardDuty) each normalize events to the industry-standard **Common Event Format (CEF)**; the **event-correlator** then combines all three for cross-source incident detection. The **soc-analyzer** is an independent tiered L1/L2/L3 pipeline. ### siem-cloudtrail-analyzer *The control-plane sensor of the SIEM suite, mining CloudTrail for who-did-what across the account. It turns API audit logs into threat detections and a normalized event feed for downstream correlation.* -**Purpose** — Collect, normalize, and analyze CloudTrail API audit logs with AI threat detection, IAM analysis, MITRE mapping, and 365-day retention. -**Inputs / data sources** — CloudTrail API (LookupEvents, GetTrailStatus), S3 CloudTrail buckets, IAM + Config for context. -**How it works** — Ingest recent API events + S3 historical logs into DuckDB → normalize to CEF + categorize → SQL-based threat detection, privilege-escalation, user behavior profiling → map MITRE + risk score via AI Bridge → generate dashboards → export CEF to correlator. -**Agents & skills** — `cloudtrail-collector-agent` (L1), `cloudtrail-security-analyst` (L2/L3); `cloudtrail-siem-skill`, `ai-bridge`. -**Outputs** — `cloudtrail_events.json`, `iam_activity.json`, `auth_events.json`, threat/IAM/compliance reports, CloudTrail dashboards. -**Frameworks** — PCI-DSS 10.x, NIST IA-2/AC-6, SOC 2 CC6.1. -```mermaid -flowchart TD - A["CloudTrail API"] --> B["Collector L1"] - C["S3 CloudTrail Buckets"] --> B - B --> D["DuckDB Load"] - D --> E["Normalize to CEF"] - E --> F["Security Analyst L2/L3
SQL detection"] - F --> G["MITRE map + risk score (AI Bridge)"] - G --> H["data/ cloudtrail_events · iam_activity · auth_events"] - H --> I["Dashboards"] - H --> J["CEF Export → correlator"] -``` +**What it does** — Collects, normalizes, and analyzes CloudTrail API audit logs with AI threat detection, IAM analysis, MITRE mapping, and 365-day retention. +**What it looks at** — CloudTrail API events and historical S3-stored logs, with IAM and Config for context. +**What you get** — A normalized event feed, IAM and authentication activity data, threat/IAM/compliance reports, and interactive dashboards. +**Frameworks** — PCI-DSS 10.x, NIST IA-2/AC-6, SOC 2 CC6.1. ### siem-cloudwatch-analyzer -*The network- and application-layer sensor of the SIEM suite. It mines CloudWatch and VPC Flow Logs for the anomalies signature tools miss—port scans, data exfiltration, command-and-control beacons.* -**Purpose** — Collect and analyze CloudWatch logs (VPC Flow, app, Lambda, ECS/EKS) with statistical anomaly detection and network threat analysis. -**Inputs / data sources** — CloudWatch Logs API, VPC Flow Logs, alarms/metrics, Lambda logs, ECS/EKS logs, API Gateway access logs. -**How it works** — Discover log groups across regions and pull flows/app/container logs → normalize to CEF → anomaly detection (Z-score, baselines, cardinality) → VPC-flow SQL detects port scans, exfiltration, C2, lateral movement → AI Bridge MITRE enrichment → export CEF to correlator. -**Agents & skills** — `cloudwatch-collector-agent` (L1), `cloudwatch-security-analyst` (L2/L3); `cloudwatch-siem-skill`, `ai-bridge`. -**Outputs** — `vpc_flow_analysis.json`, `network_anomalies.json`, `application_errors.json`, `lambda_analysis.json`, network/anomaly reports, dashboards. -**Frameworks** — PCI-DSS 10.x / 11.4, NIST SI-4, SOC 2 CC6.1/CC7.2. +*The network- and application-layer sensor of the SIEM suite. It mines CloudWatch and VPC Flow Logs for the anomalies signature tools miss — port scans, data exfiltration, command-and-control beacons.* -```mermaid -flowchart TD - A["CloudWatch Logs API"] --> B["Collector L1"] - C["VPC Flow Logs"] --> B - D["Lambda + ECS/EKS Logs"] --> B - B --> E["DuckDB Load → Normalize CEF"] - E --> F["Anomaly Detection (Z-score · baseline)"] - F --> G["Network Threat Analysis + MITRE"] - G --> H["data/ vpc_flow · network_anomalies · lambda"] - H --> I["Dashboards"] - H --> J["CEF Export → correlator"] -``` +**What it does** — Collects and analyzes CloudWatch logs (VPC Flow, application, Lambda, ECS/EKS) with statistical anomaly detection and network threat analysis. +**What it looks at** — CloudWatch Logs, VPC Flow Logs, alarms and metrics, Lambda logs, container logs, and API Gateway access logs. +**What you get** — Network and anomaly analysis data, a normalized event feed for correlation, reports, and dashboards. +**Frameworks** — PCI-DSS 10.x / 11.4, NIST SI-4, SOC 2 CC6.1/CC7.2. ### siem-guardduty-analyzer *A force-multiplier on top of GuardDuty that adds root-cause analysis, IOC extraction, and risk context to raw findings, transforming isolated alerts into prioritized, framework-mapped intelligence.* -**Purpose** — Collect and analyze GuardDuty findings with AI threat detection, root-cause analysis, IOC extraction, and risk scoring. -**Inputs / data sources** — GuardDuty API (ListDetectors/Findings/GetFindings across regions), CloudTrail for root cause, EC2/IAM/S3 for context. -**How it works** — Enumerate detectors across regions → retrieve findings (90-day lookback) → normalize to CEF + extract IOCs (IPs, domains, hashes, UAs) → root-cause via CloudTrail correlation, impact/likelihood scoring, MITRE mapping → AI Bridge threat assessment + FP filtering → compliance mapping → export CEF. -**Agents & skills** — `guardduty-collector-agent` (L1), `guardduty-threat-analyst` (L2/L3); `guardduty-siem-skill`, `ai-bridge`. -**Outputs** — `guardduty_findings.json`, `guardduty_iocs.json`, `guardduty_risk_scores.json`, executive/threat/IOC/compliance reports, dashboards. -**Frameworks** — PCI-DSS 10.6/11.4/12.10, SOC 2 CC6.6, NIST SI-4, CIS AWS 3.10/3.11. -```mermaid -flowchart TD - A["GuardDuty API (multi-region)"] --> B["Collector L1"] - B --> C["ListFindings/GetFindings (90d)"] - C --> D["Normalize CEF + extract IOCs"] - D --> E["Threat Analyst L2/L3
root cause via CloudTrail"] - E --> F["Risk score + MITRE + AI Bridge FP filter"] - F --> G["data/ findings · iocs · risk_scores · compliance"] - G --> H["Dashboards"] - G --> I["CEF Export → correlator"] -``` +**What it does** — Collects and analyzes GuardDuty findings with AI threat detection, root-cause analysis, IOC extraction, and risk scoring. +**What it looks at** — GuardDuty findings across regions, with CloudTrail for root cause and EC2/IAM/S3 for context. +**What you get** — Findings, extracted indicators of compromise (IPs, domains, hashes), risk scores, executive/threat/IOC/compliance reports, and dashboards. +**Frameworks** — PCI-DSS 10.6/11.4/12.10, SOC 2 CC6.6, NIST SI-4, CIS AWS 3.10/3.11. ### siem-event-correlator -*The brain of the SIEM suite, fusing all three sensor feeds into multi-stage attack narratives. Single-source alerts that look benign in isolation become recognizable kill chains—credential theft, lateral movement, ransomware.* -**Purpose** — Master correlation engine aggregating GuardDuty + CloudWatch + CloudTrail CEF events for cross-source incident detection and SOC dashboards. -**Inputs / data sources** — CEF JSON from the three source analyzers (90/365-day retention). -**How it works** — Ingest CEF from all sources → dedupe → apply time-window (5m–72h), entity, sequence, threshold, aggregation rules → execute 10 cross-source rules (credential-compromise chain, exfiltration, lateral movement, privilege escalation, crypto-mining, defense evasion, insider threat, account takeover, supply chain, ransomware) → AI Bridge linking + narrative + FP reduction → classify P0–P3 → generate containment/remediation playbooks. -**Agents & skills** — `correlation-orchestrator`, `incident-detector`, `threat-intelligence-analyst`; `event-correlation-skill`, `ai-bridge`. -**Outputs** — `correlated_events.json`, `incidents.json`, `alerts.json`, `attack_chains.json`, `threat_landscape.json`, `soc_metrics.json`; correlation/incident/SOC reports; 8 dashboard views. -**Frameworks** — PCI-DSS 10.6/11.4/12.10, SOC 2 CC6.6/CC7.2/CC7.3, NIST SI-4/IR-4/IR-5, ISO 27001 A.16.1. +*The brain of the SIEM suite, fusing all three sensor feeds into multi-stage attack narratives. Single-source alerts that look benign in isolation become recognizable kill chains — credential theft, lateral movement, ransomware.* -```mermaid -flowchart TD - A["GuardDuty CEF"] --> B["Ingestion + Normalize"] - C["CloudWatch CEF"] --> B - D["CloudTrail CEF"] --> B - B --> E["Deduplication + Entity Linking"] - E --> F["Correlation Rules
time · entity · sequence · threshold"] - F --> G["Cross-Source Detection CR-001…010"] - G --> H["AI Bridge: link · narrate · FP reduce"] - H --> I["Incidents P0–P3"] - I --> J["data/ incidents · attack_chains · soc_metrics"] - J --> K["8 Dashboard Views"] - I --> L["Response Playbooks"] -``` +**What it does** — Aggregates the GuardDuty, CloudWatch, and CloudTrail event feeds for cross-source incident detection and SOC dashboards. +**What it looks at** — The normalized CEF event feeds from the three source analyzers (90/365-day retention). +**How it works** — Deduplicates and links events, applies time-window/entity/sequence/threshold rules, and runs 10 cross-source detections (credential-compromise chains, exfiltration, lateral movement, privilege escalation, crypto-mining, defense evasion, insider threat, account takeover, supply chain, ransomware), classifying incidents P0–P3. +**What you get** — Correlated incidents and attack chains, a threat-landscape and SOC-metrics view, correlation/incident/SOC reports, containment and remediation playbooks, and multiple dashboard views. +**Frameworks** — PCI-DSS 10.6/11.4/12.10, SOC 2 CC6.6/CC7.2/CC7.3, NIST SI-4/IR-4/IR-5, ISO 27001 A.16.1. ### siem-soc-analyzer -*A virtual SOC that mirrors how a real one is staffed, escalating events through L1, L2, and L3 analyst tiers. It triages noise, investigates what matters, and hunts confirmed incidents to closure—generating detection rules along the way.* -**Purpose** — Tiered L1/L2/L3 SOC analyst pipeline for alert triage, correlation, threat hunting, detection-rule creation, and incident response. -**Inputs / data sources** — Raw SIEM events from CloudWatch/CloudTrail, Windows Event Logs, Linux syslog/auditd, normalized to CEF. -**How it works** — **L1 Triage**: normalize CEF, match a 135-rule use-case library, classify P0–P3, filter FPs, escalate → **L2 Investigation**: time-window/entity correlation, threat-intel enrichment (VirusTotal, AbuseIPDB, OTX), MITRE mapping, root-cause, incident determination → **L3 Hunting**: forensics, generate Sigma/YARA/Suricata rules, compliance mapping, IR playbooks, executive reports + SOC KPIs (MTTD, MTTR, FP rate). -**Agents & skills** — `l1-triage-analyst`, `l2-investigation-analyst`, `l3-threat-hunter`; `siem-data-processor`, `dashboard-creation-skill`, `interactive-user-actions`, `platform-api`. -**Outputs** — `triaged_alerts.json`, `investigation_findings.json`, `incident_timeline.json`, `threat_analysis.json`, incident/threat reports, `SOCDashboard.tsx`. -**Frameworks** — PCI-DSS 4.0 (10/11/12.x), ISO 27001 A.12/A.16, SOC 2 CC6/7/8, NIST AU/IR/SI, HIPAA §164.312/.308, CIS v8, MITRE ATT&CK v14. +*A virtual SOC that mirrors how a real one is staffed, escalating events through L1, L2, and L3 analyst tiers. It triages noise, investigates what matters, and hunts confirmed incidents to closure — generating detection rules along the way.* -```mermaid -flowchart TD - A["Raw SIEM Events (CEF)"] --> B["L1 Triage
135-rule match · P0–P3"] - B --> C["FP Filter + Escalation"] - C --> D["triaged_alerts.json"] - D --> E["L2 Investigation
correlation 5m–72h"] - E --> F["Threat Intel + MITRE + root cause"] - F --> G["investigation_findings · incident_timeline"] - G --> H["L3 Threat Hunter
Sigma/YARA · compliance · IR"] - H --> I["threat_analysis.json + reports"] - H --> J["SOCDashboard.tsx (KPIs)"] -``` +**What it does** — Runs a tiered L1/L2/L3 SOC analyst pipeline for alert triage, correlation, threat hunting, detection-rule creation, and incident response. +**What it looks at** — Raw SIEM events from CloudWatch/CloudTrail, Windows Event Logs, and Linux syslog/auditd. +**How it works** — **L1 triage** matches a 135-rule use-case library, classifies P0–P3, and filters false positives → **L2 investigation** correlates by time and entity, enriches with threat intel (VirusTotal, AbuseIPDB, OTX), maps MITRE, and determines incidents → **L3 hunting** runs forensics, generates Sigma/YARA/Suricata detection rules, maps compliance, and writes IR playbooks and executive reports with SOC KPIs (MTTD, MTTR, false-positive rate). +**What you get** — Triaged alerts, investigation findings, incident timelines, threat analysis, incident/threat reports, and an interactive SOC dashboard. +**Frameworks** — PCI-DSS 4.0 (10/11/12.x), ISO 27001 A.12/A.16, SOC 2 CC6/7/8, NIST AU/IR/SI, HIPAA §164.312/.308, CIS v8, MITRE ATT&CK v14. ### aws-monitor-guardduty *A lightweight companion to GuardDuty for teams that want quick root-cause and risk scoring without standing up the full SIEM pipeline.* -**Purpose** — Lightweight GuardDuty analysis: root cause, probable cause, impact, and probability-weighted risk scores. -**Inputs / data sources** — GuardDuty findings; CloudTrail for correlation. -**How it works** — Retrieve findings → correlate with CloudTrail for root access patterns → compute impact(1–10) × likelihood(1–10) ÷ 10 risk → map PCI/CIS/SOC2/NIST → generate executive summary + remediation → JSON + markdown + dashboard. -**Agents & skills** — `aws_credential_manager`; `aws-monitor-guardduty-skill`. -**Outputs** — `guardduty_findings/analysis/risk_scores/correlations.json`, markdown report, `GuardDutyDashboard.tsx`. -**Frameworks** — PCI-DSS, CIS AWS Foundations, SOC 2, NIST. -```mermaid -flowchart TD - A["GuardDuty API"] --> B["Finding Retrieval"] - B --> C["Root Cause (CloudTrail correlation)"] - C --> D["Risk = impact×likelihood/10"] - D --> E["Framework Mapper (PCI·CIS·SOC2)"] - E --> F["data/ + markdown report"] - D --> G["GuardDutyDashboard.tsx"] -``` +**What it does** — Lightweight GuardDuty analysis: root cause, probable cause, impact, and probability-weighted risk scores. +**What it looks at** — GuardDuty findings, with CloudTrail for correlation. +**What you get** — Findings, analysis, and risk-score data; an executive summary with remediation; a markdown report; and a dashboard. +**Frameworks** — PCI-DSS, CIS AWS Foundations, SOC 2, NIST. ### aws-log-analyzer *A cross-source log-forensics tool that stitches six AWS log streams into a single timeline. It is built for the investigator's core question: what actually happened, and when?* -**Purpose** — Aggregate and analyze logs from five+ AWS sources to detect anomalies, support forensics, and monitor PCI logging compliance. -**Inputs / data sources** — CloudTrail, CloudWatch, VPC Flow Logs, S3 Access Logs, GuardDuty, WAF via APIs + S3. -**How it works** — Aggregate across sources (read-only) → cross-correlate events to reveal coordinated attacks → anomaly detection (geographic, temporal, volume, behavioral, sequential) → reconstruct incident timelines → emit findings with user-activity + privilege-escalation tracking. -**Agents & skills** — `aws-log-analyzer-agent`, `aws_credential_manager`; `aws-log-analyzer-skill`. -**Outputs** — `cloudtrail_events/vpc_flow_logs/security_findings/anomalies/user_activity/incident_timeline.json`, markdown reports, 5 TSX views. -**Frameworks** — PCI-DSS 10.1–10.7. -```mermaid -flowchart TD - A["CloudTrail·CloudWatch·VPC Flow
S3·GuardDuty·WAF"] -->|read-only| B["Log Collector"] - B --> C["Cross-Log Correlation"] - C --> D["Anomaly Detection + Timeline"] - D --> E["Findings: user activity · priv-esc"] - E --> F["data/ + reports/"] - E --> G["Dashboards (5 views)"] -``` +**What it does** — Aggregates and analyzes logs from five-plus AWS sources to detect anomalies, support forensics, and monitor PCI logging compliance. +**What it looks at** — CloudTrail, CloudWatch, VPC Flow Logs, S3 Access Logs, GuardDuty, and WAF. +**What you get** — Cross-correlated findings, anomaly detection, reconstructed incident timelines with user-activity and privilege-escalation tracking, markdown reports, and multiple dashboard views. +**Frameworks** — PCI-DSS 10.1–10.7. --- -## 6. Offensive Security & Risk +## Offensive security & risk ### pentest *An autonomous offensive-security platform that orchestrates a fleet of specialized attack agents the way a red-team lead directs operators. Reconnaissance, exploitation, and evidence validation run in parallel, and every finding is adversarially re-checked before it reaches the report.* -**Purpose** — Multi-agent penetration-testing framework orchestrating parallel recon, vulnerability testing, and evidence validation across 50+ attack types and 11 domains. -**Inputs / data sources** — User-defined target scope + explicit authorization; optional Shodan/DNS intel; platform OIDC for AWS. -**How it works** — **Initialization** (coordinator parses scope, loads 20+ skills) → **Reconnaissance** (parallel discovery agents) → **Planning** (batch attack vectors by surface) → **Vulnerability Testing** (stateless executor agents write finding-NNN artifacts) → **Aggregation & Validation** (validator agents run 5 checks: CVSS consistency, evidence, PoC, claims-vs-raw, log corroboration) → **Reporting** (dashboard + branded PDF + remediation roadmap). -**Agents & skills** — Coordinator (inline), Executor (background, stateless), Validator (background, per-finding); 25+ skills (injection, client/server-side, auth, api-security, cloud-containers, ai-threat-testing, cve-poc-generator, osint, dfir, …). -**Outputs** — Validated findings (CVSS/CWE/OWASP/MITRE), `PentestReportDashboard.tsx`, `pentest_results.json`, Transilience PDF, NDJSON logs. -**Frameworks** — OWASP Top 10 / WSTG / LLM Top 10, MITRE ATT&CK, PTES, CWE, CVSS v3.1, NIST SP 800-115. -```mermaid -flowchart TD - Scope["Target Scope + Authorization"] --> Coord["Coordinator (inline)"] - Coord -->|Phase 1| Recon["Parallel Recon Executors"] - Recon --> Inv["asset_inventory.json + tech stack"] - Coord -->|Phase 2| Plan["Batch Planning by category"] - Plan --> Exec["Parallel Executor Agents (stateless)"] - Exec --> Find["findings/finding-NNN/ (poc · evidence)"] - Coord -->|Phase 3| Val["Parallel Validators (5 checks)"] - Find --> Val - Val --> VOK["validated/ or false-positives/"] - VOK --> Dash["PentestReportDashboard.tsx"] - VOK --> PDF["Transilience PDF + Roadmap"] -``` +**What it does** — A multi-agent penetration-testing framework running parallel recon, vulnerability testing, and evidence validation across 50+ attack types and 11 domains. +**What it looks at** — Your defined target scope and explicit authorization; optional Shodan/DNS intelligence; your AWS account. +**How it works** — Parses scope → parallel reconnaissance → plans attack vectors by surface → parallel vulnerability testing → aggregation and validation (five checks: CVSS consistency, evidence, proof-of-concept, claims-vs-raw, log corroboration) before any finding is reported. +**What you get** — Validated findings (CVSS/CWE/OWASP/MITRE), an interactive report dashboard, a branded PDF, and a remediation roadmap. +**Frameworks** — OWASP Top 10 / WSTG / LLM Top 10, MITRE ATT&CK, PTES, CWE, CVSS v3.1, NIST SP 800-115. ### cloud-attack-path-analysis -*A graph-based way to think like an attacker about your own cloud. It chains misconfigurations, vulnerabilities, and access into ranked attack paths, then pinpoints the single fixes—chokepoints—that collapse the most routes at once.* -**Purpose** — Discover and visualize attack paths through cloud infrastructure, score them by probability, and identify chokepoint remediations. -**Inputs / data sources** — EC2, IAM, S3, RDS, VPC, Security Hub, GuardDuty, Inspector, CloudTrail, Access Analyzer. -**How it works** — Profile infrastructure → detect misconfigurations + map IAM privilege-escalation paths → correlate vulnerabilities to resources (CVSS/EPSS/KEV) → analyze network paths internet→internal → build attack graph (resources=nodes, vectors=edges) → score each path (exploitability 30 / exposure 25 / misconfig 20 / detection 15 / frequency 10) → find chokepoints breaking many paths at once. -**Agents & skills** — `cloud-attack-path-analysis-agent`, `aws_credential_manager`; `cloud-attack-path-analysis-skill`. -**Outputs** — `attack_paths/attack_graph/chokepoints.json`, MITRE-mapped reports, `AttackPathDashboard.tsx` + interactive `AttackGraphVisualization`. -**Frameworks** — PCI-DSS 6.1/11.3, CIS AWS 1–4.x, NIST RA-5/CA-8, MITRE ATT&CK. +*A graph-based way to think like an attacker about your own cloud. It chains misconfigurations, vulnerabilities, and access into ranked attack paths, then pinpoints the single fixes — chokepoints — that collapse the most routes at once.* -```mermaid -flowchart TD - A["EC2·IAM·S3·RDS·VPC"] --> B["Infrastructure Profiler"] - C["Security Hub·GuardDuty·Inspector"] --> B - D["CloudTrail·Access Analyzer"] --> B - B --> E["Misconfig Detector"] - B --> F["Privilege-Escalation Analyzer"] - B --> G["Vulnerability Correlator (CVSS/EPSS)"] - E --> H["Attack Graph Builder"] - F --> H - G --> H - H --> I["Probability Scorer → Chokepoints"] - I --> J["data/ paths · graph · chokepoints"] - I --> K["AttackPathDashboard + Graph Viz"] -``` +**What it does** — Discovers and visualizes attack paths through your cloud infrastructure, scores them by probability, and identifies chokepoint remediations. +**What it looks at** — EC2, IAM, S3, RDS, VPC, Security Hub, GuardDuty, Inspector, CloudTrail, and Access Analyzer. +**How it works** — Profiles infrastructure, maps IAM privilege-escalation paths, correlates vulnerabilities (CVSS/EPSS/KEV), analyzes network reachability, builds an attack graph, scores each path, and finds chokepoints that break many paths at once. +**What you get** — Ranked attack paths, a chokepoint analysis, MITRE-mapped reports, and an interactive attack-graph dashboard. +**Frameworks** — PCI-DSS 6.1/11.3, CIS AWS 1–4.x, NIST RA-5/CA-8, MITRE ATT&CK. ### aws-vulnerability-prioritizer -*A triage layer over ECR and Inspector that answers the only question that matters in vulnerability management—what do we fix first? It weighs exploitability against business context, then projects how much risk each remediation actually removes.* -**Purpose** — Analyze ECR/Inspector vulnerabilities, trace root packages, enrich with asset context, prioritize by risk, and simulate remediation impact. -**Inputs / data sources** — ECR scan findings, Inspector findings, AWS resource tags, image metadata. -**How it works** — Collect ECR + Inspector data → map vulnerabilities to root packages across dependency trees → enrich with tag-derived asset context → prioritize by weighted score (CVSS 30 / EPSS 25 / criticality 20 / exposure 15 / effort 10) → generate action items → simulate before/after vulnerability counts. -**Agents & skills** — `vulnerability-prioritizer-agent`, `aws_credential_manager`; `vulnerability-prioritizer-skill`. -**Outputs** — `vulnerability_findings/root_packages/asset_inventory/remediation_plan/impact_simulation.json`, reports, `VulnerabilityPrioritizerDashboard.tsx`. -**Frameworks** — PCI-DSS 6.2/6.3, CIS AWS 5.1, SOC 2 CC7.1, NIST RA-5. +*A triage layer over ECR and Inspector that answers the only question that matters in vulnerability management — what do we fix first? It weighs exploitability against business context, then projects how much risk each remediation actually removes.* -```mermaid -flowchart TD - A["ECR Scans"] --> C["Vulnerability Collector"] - B["Inspector"] --> C - C --> D["Root Package Tracer"] - D --> E["Asset Context Enricher (tags)"] - E --> F["Prioritization Engine (P0–P3)"] - F --> G["Impact Simulator (before/after)"] - F --> H["data/ + reports/"] - G --> I["VulnerabilityPrioritizerDashboard.tsx"] -``` +**What it does** — Analyzes ECR/Inspector vulnerabilities, traces root packages, enriches with asset context, prioritizes by risk, and simulates remediation impact. +**What it looks at** — ECR scan findings, Inspector findings, resource tags, and image metadata. +**What you get** — Prioritized findings with root-package tracing, a remediation plan, a before/after impact simulation, reports, and a dashboard. +**Frameworks** — PCI-DSS 6.2/6.3, CIS AWS 5.1, SOC 2 CC7.1, NIST RA-5. ### threat-radar-generation -*A passive reconnaissance pipeline that fingerprints an organization's technology stack from public signals alone, then renders a tailored threat radar. No credentials, no active scanning—pure OSINT inference.* -**Purpose** — Two-stage passive OSINT: infer an organization's technology stack via 26 reconnaissance skills, then render a personalized threat radar. -**Inputs / data sources** — Company name (+ optional domain); passive sources only — DNS, HTTP headers, TLS certs, JS DOM, HTML metadata, GitHub, job posts, web archives, CT logs. -**How it works** — **Stage 1**: asset discovery → data collection (fingerprinting/intel) → tech inference (frontend/backend/cloud/CDN/WAF/security/DevOps) → correlation (confidence scoring, conflict resolution) → report. **Stage 2**: build customer profile → call radar API (20-min timeout) → process result → generate `RadarDashboard_.tsx`. -**Agents & skills** — Stage 1 `stage_1_agent` (5 sub-agents, 26 skills); Stage 2 `stage_2_agent` (profile builder, radar API caller, result processor, component generation). -**Outputs** — `techstack_report.json` (tech + confidence + evidence), `RadarDashboard_.tsx`, `customer_profile.json`, `radar_output.json`, JSONL logs. -**Frameworks** — None (pure OSINT discovery). +*A passive reconnaissance pipeline that fingerprints an organization's technology stack from public signals alone, then renders a tailored threat radar. No credentials, no active scanning — pure OSINT inference.* -```mermaid -flowchart TD - In["Company Name + Domain"] --> S1["Stage 1 (26 skills)"] - S1 --> AD["Asset Discovery"] - AD --> DC["Data Collection (fingerprint·intel)"] - DC --> TI["Tech Inference"] - TI --> CO["Correlation (confidence·conflict)"] - CO --> RG["techstack_report.json"] - RG --> S2["Stage 2"] - S2 --> PR["Customer Profile"] - PR --> API["Radar API (20-min)"] - API --> RC["Radar Component Gen"] - RC --> RD["RadarDashboard_<id>.tsx"] -``` +**What it does** — Passive OSINT that infers an organization's technology stack, then renders a personalized threat radar. +**What it looks at** — A company name (and optional domain); passive public sources only — DNS, HTTP headers, TLS certs, page content, GitHub, job posts, web archives, certificate-transparency logs. +**What you get** — A technology-stack report (with confidence and evidence), a customer profile, and an interactive threat-radar dashboard. +**Frameworks** — None (pure OSINT discovery). --- -## 7. Network & Infrastructure +## Network & infrastructure ### network-diagram-curator *An always-current map of the cloud network, generated from the live account rather than stale Visio files. It produces interactive topology, a searchable asset inventory with end-of-life tracking, and PCI scope visualizations.* -**Purpose** — Collect AWS infrastructure via boto3 and generate interactive topology diagrams, asset inventory with EOL tracking, and PCI scoping visualizations. -**Inputs / data sources** — EC2, RDS, Lambda, CloudTrail, CloudWatch, API Gateway, S3, ElastiCache, WAF; VPCs, subnets, SGs, route tables, NACLs, peering, TGWs; OS/engine versions for EOL. -**How it works** — SessionStart hook runs `run_pipeline.py` → `collect_aws_data.py` fetches infra → copy `.tsx` templates to `outputs/components/` → embed real data as `defaultData`, compile TSX→JS via esbuild with security validation → emit three components: NetworkTopologyDiagram (ReactFlow, SVG/JSON export), AssetInventoryTable (vendor/firmware/EOL, searchable), InteractiveScopingDiagram (PCI CDE/connected/security-impacting/out-of-scope). -**Agents & skills** — No agents; `network-diagram-curator` skill; `dashboard-creation-skill`, `interactive-user-actions`, `platform-api`; hooks `session-start-credentials`, `update-imports`. -**Outputs** — 3 compiled TSX/JS components, `aws_infrastructure.json`, `task_results.json`, `flow.json`, EOL markdown, PNG/SVG diagrams. -**Frameworks** — PCI DSS (CDE scoping), AWS Well-Architected. -```mermaid -flowchart TD - A["SessionStart → run_pipeline.py"] --> B["collect_aws_data.py (boto3)"] - B --> C["aws_infrastructure.json"] - C --> D["Copy .tsx templates"] - C --> E["Embed defaultData"] - E --> F["esbuild compile + security validate"] - F --> G["NetworkTopologyDiagram.js"] - F --> H["AssetInventoryTable.js"] - F --> I["InteractiveScopingDiagram.js"] - C --> J["task_results.json + flow.json"] -``` +**What it does** — Collects your AWS infrastructure and generates interactive topology diagrams, an asset inventory with end-of-life tracking, and PCI scoping visualizations. +**What it looks at** — EC2, RDS, Lambda, CloudTrail, CloudWatch, API Gateway, S3, ElastiCache, WAF; VPCs, subnets, security groups, route tables, NACLs, peering, transit gateways; and OS/engine versions for EOL. +**What you get** — Three interactive views (a network topology diagram with SVG/JSON export, a searchable asset inventory with vendor/firmware/EOL, and a PCI scoping diagram), an infrastructure data export, and EOL markdown plus PNG/SVG diagrams. +**Frameworks** — PCI DSS (CDE scoping), AWS Well-Architected. ### network-ruleset-review *An automation of the annual firewall review that PCI mandates and most teams dread. It normalizes AWS and appliance rulesets alike, AI-annotates each rule's risk, and emits a formal Word report.* -**Purpose** — PCI-DSS v4.0 annual network ruleset review merging NACL, Security Group, VPC architecture, and firewall-export analysis into a Word report. -**Inputs / data sources** — `describe_network_acls`/`describe_security_groups`, VPC + route tables; firewall exports (Palo Alto, Fortinet, Cisco ASA — CSV/JSON/text); rule justifications. -**How it works** — SessionStart `bootstrap_dashboard.py` runs `collect_aws_data.py` → `ruleset_analysis.json` with normalized rules + baseline risk → dashboard offers three review modes (NACL / firewall+SG / combined) → user picks; browser filters by review_type, calls `/ai-bridge/invoke` once for PCI commentary, computes score → `/project/execute` with `persist_only` + file attachments → agent persists, copies TSX, runs `write_report.py` (`report-writer` skill) to generate a 14-section branded DOCX. -**Agents & skills** — `network-ruleset-review-agent`; `network-ruleset-review` skill; shared `report-writer` (DOCX, Transilience design system); `dashboard-creation-skill`, `interactive-user-actions`, `platform-api`. -**Outputs** — `ruleset_analysis.json`, `task_results.json`, dashboard TSX, `{Company}_Annual_Network_Ruleset_Review_{Date}.docx` (14 sections, PCI mapping, sign-off). -**Frameworks** — PCI-DSS v4.0 1.1.7 / 1.2 / 1.3 / 1.4. -```mermaid -flowchart TD - A["SessionStart: bootstrap_dashboard.py"] --> B["collect_aws_data.py"] - B --> C["ruleset_analysis.json (normalized + baseline risk)"] - D["Dashboard"] --> C - D --> E["Review Mode: NACL / SG / Combined"] - E --> F["Browser filter + classify"] - F --> G["/ai-bridge/invoke (PCI commentary)"] - G --> H["Score in browser"] - H -->|/project/execute persist_only| I["Agent persists + copies TSX"] - I --> J["write_report.py (report-writer)"] - J --> K["Annual Review DOCX (14 sections)"] -``` +**What it does** — A PCI-DSS v4.0 annual network ruleset review merging NACL, Security Group, VPC architecture, and firewall-export analysis into a Word report. +**What it looks at** — Network ACLs, security groups, VPCs and route tables; firewall exports (Palo Alto, Fortinet, Cisco ASA in CSV/JSON/text); and your rule justifications. +**How it works** — Collects and normalizes rules with a baseline risk assessment → you pick a review mode (NACL, firewall + SG, or combined) and the browser adds PCI commentary and a score → the app generates a 14-section branded Word report. +**What you get** — Normalized ruleset analysis, an interactive dashboard, and a 14-section Word report with PCI mapping and sign-off. +**Frameworks** — PCI-DSS v4.0 1.1.7 / 1.2 / 1.3 / 1.4. ### devops-security-remediation -*A fast-acting fix for the most common critical cloud misconfiguration—security groups open to the entire internet. It finds them, ranks them by exposure, and writes both the remediation and the rollback scripts.* -**Purpose** — Identify security groups with 0.0.0.0/0 ingress and generate remediation + rollback scripts. -**Inputs / data sources** — EC2 security groups, network interfaces, running instances; credentials via hook. -**How it works** — Retrieve credentials → discover all 0.0.0.0/0 ingress rules → classify severity (CRITICAL: SSH/RDP/DB; MEDIUM: HTTP; LOW: HTTPS) → impact analysis (affected EC2/RDS/ELB) → generate Python remediation + rollback scripts → dashboard with findings and action buttons. -**Agents & skills** — No agents; `security-group-remediation` skill; `dashboard-creation-skill`, `platform-api`. -**Outputs** — `remediate_*/rollback_*/batch_remediate.py` scripts, `wide_open_sgs.json`, `risk_assessment.json`, `remediation_report.md`. -**Frameworks** — SOC 2. +*A fast-acting fix for the most common critical cloud misconfiguration — security groups open to the entire internet. It finds them, ranks them by exposure, and writes both the remediation and the rollback scripts.* -```mermaid -flowchart TD - A["EC2 Security Groups"] --> B["Find 0.0.0.0/0 Rules"] - C["session-start-credentials"] --> B - B --> D["Severity Classify + Impact (EC2/RDS/ELB)"] - D --> E["data/ wide_open_sgs · risk_assessment"] - B --> F["Generate scripts
remediate · rollback · batch"] - E --> G["RemediationDashboard.tsx"] - F --> H["DevOps executes remediation"] -``` +**What it does** — Identifies security groups with 0.0.0.0/0 ingress and generates remediation and rollback scripts. +**What it looks at** — EC2 security groups, network interfaces, and running instances. +**What you get** — Severity-classified findings with affected-resource impact, ready-to-run remediation and rollback scripts, and a dashboard with action buttons. +**Frameworks** — SOC 2. --- -## 8. FinOps +## FinOps ### cloud-cost-monitor *A FinOps assistant that treats wasted spend as a first-class finding. It combines right-sizing, commitment optimization, and anomaly detection to recover budget and catch cost-driven abuse such as cryptomining.* -**Purpose** — Monitor AWS cost, recommend right-sizing, optimize RI/Savings Plan commitments, and detect cost anomalies. -**Inputs / data sources** — Cost Explorer, Compute Optimizer, CloudWatch metrics, Budgets, Trusted Advisor. -**How it works** — Query Cost Explorer (trends, forecast, breakdown, anomalies) → Compute Optimizer right-sizing (EC2/RDS/ElastiCache/Lambda/EBS) → analyze RI utilization + model Savings Plans → detect anomalies (crypto-mining spikes, data-transfer, storage growth, zombies) → break-even analysis → prioritize remediation by savings (30–70%). -**Agents & skills** — `cloud-cost-monitor-agent`, `aws_credential_manager`; `cloud-cost-monitor-skill`. -**Outputs** — `cost_summary/rightsizing/ri_sp/anomalies/budget_status.json`, reports, 5 TSX views (CostMonitor, RightSizing, SavingsPlan, AnomalyDetection, BudgetTracker). -**Frameworks** — FinOps Foundation, AWS Well-Architected COST, ISO 27001 A.12.1, SOC 2 CC6.1. -```mermaid -flowchart TD - A["Cost Explorer"] --> B["Cost Analyzer"] - C["Compute Optimizer"] --> B - D["CloudWatch Metrics"] --> B - E["Budgets · Trusted Advisor"] --> B - B --> F["Right-Sizing Engine"] - B --> G["Commitment Optimizer (break-even)"] - B --> H["Anomaly Detector (spikes·zombies)"] - F --> I["Prioritizer by savings"] - G --> I - H --> I - I --> J["data/ + reports/"] - I --> K["5 TSX Views"] -``` +**What it does** — Monitors AWS cost, recommends right-sizing, optimizes RI/Savings Plan commitments, and detects cost anomalies. +**What it looks at** — Cost Explorer, Compute Optimizer, CloudWatch metrics, Budgets, and Trusted Advisor. +**What you get** — Cost, right-sizing, commitment, anomaly, and budget data; savings-prioritized remediation; reports; and five dashboard views (cost, right-sizing, savings plans, anomaly detection, budget tracker). +**Frameworks** — FinOps Foundation, AWS Well-Architected COST, ISO 27001 A.12.1, SOC 2 CC6.1. --- -## 9. Training & Simulation +## Training & simulation ### devops-simulation-training *A flight simulator for cloud-operations teams, letting engineers rehearse incidents in a modeled environment without production risk. Scenarios escalate dynamically and scoring measures genuine response skill.* -**Purpose** — Gamified cloud-infrastructure simulations for DevOps teams to practice incident response, capacity planning, DDoS mitigation, and compliance scenarios. -**Inputs / data sources** — Scenario library (10+ scenarios); user difficulty/mode selections; optional AWS context. -**How it works** — Load scenario library → simulation engine models production architecture (WAF→ALB→Compute→Cache→DB→Storage) with dynamic events + cost tracking → gamified dashboard (briefing, investigation tabs, challenges) → knowledge challenges (MC / text / T-F / priority ordering) → scoring (response/resolution time, impact, cost efficiency, compliance) → AI Bridge dynamic assessment + feedback. -**Agents & skills** — `aws_credential_manager`, `devops-simulation-training-agent`; `devops-simulation-training-skill`, `ai-bridge`; `dashboard-creation-skill`, `interactive-user-actions`, `platform-api`. -**Outputs** — `scenario_library/simulation_results/team_progress/skill_assessment.json`, training reports, `SimulationDashboard.tsx`, `ServerSurvivalDashboard.tsx`. -**Frameworks** — None (custom training). -```mermaid -flowchart TD - A["Scenario Library (10+)"] --> B["Simulation Engine"] - C["User: difficulty · mode · budget"] --> B - D["AWS Context (optional)"] --> B - B --> E["data/ scenario · results · progress"] - B --> F["Gamified Dashboard"] - F --> G["Challenges → /ai-bridge/invoke"] - G --> H["Dynamic Scoring"] - B --> I["Training Reports"] -``` +**What it does** — Gamified cloud-infrastructure simulations to practice incident response, capacity planning, DDoS mitigation, and compliance scenarios. +**What it looks at** — A library of 10+ scenarios, your difficulty/mode selections, and optional AWS context. +**What you get** — Scenario, results, progress, and skill-assessment data; training reports; and gamified simulation dashboards with dynamic scoring and feedback. +**Frameworks** — None (custom training). ### tabletop-exercise *A generator for disaster-recovery tabletop drills that feel real because they reference your actual infrastructure. It runs role-specific injects, scores participant responses, and maps readiness back to compliance obligations.* -**Purpose** — AI-powered DR tabletop exercise generator producing role-specific scenarios grounded in real AWS inventory. -**Inputs / data sources** — Org inventory from `generate-all-inventory` outputs; user scenario type/roles/objectives; participant responses. -**How it works** — Analyze inventory (critical assets, topology, SPOFs) → generate scenario (ransomware/breach/failure/DDoS/insider/supply-chain/disaster) referencing real infra → execute role-specific questions with escalating injects → AI evaluation across 5 dimensions (technical 30 / completeness 25 / prioritization 20 / communication 15 / compliance 10) → gap analysis + compliance mapping + trends. -**Agents & skills** — `tabletop-exercise-agent`; `tabletop-exercise-skill`; `dashboard-creation-skill`. -**Outputs** — `TabletopExerciseDashboard.tsx` + 5 detail views, scenario/question/response/evaluation JSON, markdown gap report. -**Frameworks** — PCI-DSS v4.0.1 12.4, NIST SP 800-61, ISO 22301, SOC 2 CC7.x. -```mermaid -flowchart TD - A["generate-all-inventory Outputs"] --> B["Inventory Analysis (SPOFs)"] - B --> C["Scenario Generation (real infra)"] - C --> D["Exercise Execution (role questions + injects)"] - D --> E["AI Evaluation (/ai-bridge/invoke, 5 dims)"] - E --> F["data/ scenarios · responses · evaluations"] - F --> G["TabletopExerciseDashboard + 5 views"] - E --> H["Gap Report + Compliance Mapping"] -``` +**What it does** — An AI-powered DR tabletop exercise generator producing role-specific scenarios grounded in your real AWS inventory. +**What it looks at** — Your organization's inventory, your scenario type/roles/objectives, and participant responses. +**How it works** — Analyzes inventory for critical assets and single points of failure → generates a scenario (ransomware, breach, failure, DDoS, insider, supply-chain, disaster) referencing real infrastructure → runs role-specific questions with escalating injects → evaluates responses across five dimensions and maps gaps to compliance. +**What you get** — An interactive exercise dashboard with detail views, scenario/question/response/evaluation data, and a markdown gap report. +**Frameworks** — PCI-DSS v4.0.1 12.4, NIST SP 800-61, ISO 22301, SOC 2 CC7.x. ### phishing-simulator *A gamified awareness academy that teaches phishing and AI-era attack recognition through play rather than lecture. Streaks, lives, and rank badges turn a compliance checkbox into something people actually finish.* -**Purpose** — Gamified phishing-awareness academy: 8 chapters on email detection, header forensics, AI attack vectors, URL classification, perimeter security, and prompt injection. -**Inputs / data sources** — Hardcoded curriculum (8 chapters, 18 challenges); user quiz/drag-drop interactions; scoring engine. -**How it works** — Load curriculum with comic narrative → progress chapters (DMARC/DKIM/SPF header analysis, URL classification with typosquatting/homoglyphs, MC/multi-select quizzes, drag-and-drop URL sorting) → scoring (points + streak bonuses + penalties) → 3-lives system → final rank badge (Gold/Silver/Bronze/Cadet) + certificate → persist via `/project/execute`. -**Agents & skills** — No agents; standalone TSX using `dashboard-creation-skill` + `interactive-user-actions`. -**Outputs** — `PhishBusterAcademyDashboard.tsx`, `task_results.json` (curriculum + scoring rules), completion certificate. -**Frameworks** — None formal (maps loosely to SOC 2 CC7.x security awareness). -```mermaid -flowchart TD - A["User Launches"] --> B["PhishBusterAcademy (TSX)"] - B --> C["8-Chapter Navigation"] - C --> D["Quiz Engine (single · multi · drag-drop)"] - D --> E["Scoring (points · streaks · penalties)"] - E --> F["3-Lives Tracking"] - F --> G["Rank Badge (Gold→Cadet)"] - G -->|/project/execute| H["Completion + Certificate"] -``` +**What it does** — A gamified phishing-awareness academy: eight chapters on email detection, header forensics, AI attack vectors, URL classification, perimeter security, and prompt injection. +**What it looks at** — A built-in curriculum (8 chapters, 18 challenges) and the learner's quiz and drag-and-drop interactions. +**What you get** — An interactive academy dashboard with a scoring engine (points, streaks, a three-lives system), a final rank badge, and a completion certificate. +**Frameworks** — None formal (maps loosely to SOC 2 CC7.x security awareness). --- -## 10. Hub & Framework +## Hub & framework ### security-dashboard-hub -*The single pane of glass over the entire suite, aggregating every project's output into a role-aware posture view. Executives, managers, and analysts each see the slice they need, backed by a natural-language query box.* -**Purpose** — Role-based aggregation hub visualizing security posture from all projects, with AI Bridge for custom queries and on-demand analysis. -**Inputs / data sources** — Aggregated outputs from all project folders; AWS environment via session creds; user role (CISO / InfoSec Manager / Analyst / Developer). -**How it works** — Load aggregated `dashboard_data.json` → role selection auto-populates preset widgets → natural-language query → `/ai-bridge/invoke` returns a structured widget (metric/list/table/status) → dynamic Recharts rendering → AI Assistant panel answers posture questions with context. -**Agents & skills** — No agents; `dynamic-dashboard` + `platform-api`; AI Bridge for widget gen + Q&A. -**Outputs** — `SecurityDashboardHub.tsx`, `CISODashboard.tsx`, `CustomizeDashboard.tsx`; posture score, KPI cards, 30-day trends, compliance heatmaps, remediation roadmap. -**Frameworks** — PCI-DSS, ISO 27001, SOC 2, HIPAA (aggregated from child projects). - -```mermaid -flowchart TD - P["MCS Platform"] --> AG["Aggregated data/dashboard_data.json"] - U["User: Role Select"] --> D["SecurityDashboardHub.tsx"] - AG --> D - D --> K["Preset Widgets (posture · findings · compliance)"] - D -->|NL query| W["/ai-bridge/invoke (widget gen)"] - W --> R["Render Recharts widget"] - D -->|question| AS["AI Assistant (posture Q&A)"] - K --> F["Role-specific Dashboard"] - R --> F - AS --> F -``` +*The single pane of glass over the entire suite, aggregating every app's output into a role-aware posture view. Executives, managers, and analysts each see the slice they need, backed by a natural-language query box.* + +**What it does** — A role-based aggregation hub that visualizes security posture from all your apps, with a natural-language query box for custom analysis. +**What it looks at** — Aggregated outputs from your other apps, your AWS environment, and your selected role (CISO, InfoSec Manager, Analyst, Developer). +**What you get** — Role-aware dashboards with a posture score, KPI cards, 30-day trends, compliance heatmaps, a remediation roadmap, and an AI assistant panel for posture questions. +**Frameworks** — PCI-DSS, ISO 27001, SOC 2, HIPAA (aggregated from the underlying apps). ### custom-task *A general-purpose scaffold for one-off requests that don't warrant a dedicated app. It classifies the user's intent and spins up a matching dashboard on the fly.* -**Purpose** — Flexible framework for executing ad-hoc user queries and dynamically generating matching dashboards. -**Inputs / data sources** — User task intent + query parameters; credentials via hook. -**How it works** — Classify intent (inventory/metrics/security/analysis/form) → collect data by type → generate the matching TSX dashboard → for form tasks, handle submission via `interactive-user-actions` → AI Bridge for dynamic content → persist results, load via fetch. -**Agents & skills** — No agents; `dashboard-creation-skill`, `interactive-user-actions`, `ai-bridge`, `platform-api`. -**Outputs** — `[Task]Dashboard.tsx`, `task_results.json`, `session_metadata.json`. -**Frameworks** — None (general-purpose). - -```mermaid -flowchart TD - A["User Query / Intent"] --> B["Task Classifier"] - C["session-start-credentials"] --> D["Data Collection"] - B --> D - D --> E["task_results.json"] - E --> F["dashboard-creation-skill"] - F --> G["[Task]Dashboard.tsx"] - B -->|form intent| H["interactive-user-actions → /project/execute"] - H --> E -``` - -### Updated_evidence_review -**Status** — Empty placeholder. Directory contains only `.DS_Store` and an empty `outputs/` — no project config, agents, skills, or source. Likely superseded by [evidence-reviewer](#evidence-reviewer) / [pci-dss-evidence-analyzer](#pci-dss-evidence-analyzer). ---- - -*Generated from each project's committed configuration. Diagrams are Mermaid — render in any Mermaid-aware viewer (GitHub, VS Code, Obsidian).* +**What it does** — A flexible framework for ad-hoc queries that dynamically generates a matching dashboard. +**What it looks at** — Your task intent and query parameters, plus any data sources the task needs. +**What you get** — A generated dashboard and a results data export tailored to the task. +**Frameworks** — None (general-purpose). diff --git a/concepts/apps.md b/concepts/apps.md index 1865b4f..77da49b 100644 --- a/concepts/apps.md +++ b/concepts/apps.md @@ -4,7 +4,7 @@ An **app** is a reusable security or compliance workflow you can run on demand. Each app does one job — for example, scanning a cloud account for misconfigurations, running a CIS benchmark, generating a tabletop exercise, or analyzing access reviews. The catalog of apps is what you see when you click **Apps** in the sidebar. -"App" and "project" mean the same thing. You'll see "App" everywhere in the product UI; "project" appears in some internal labels and URLs (like `/apps/detail/[appId]`). Treat them as synonyms. +You'll see **App** everywhere in the product UI. In the URL bar an app detail page appears as `/apps/detail/{appId}`. ## Where to find them @@ -25,7 +25,6 @@ A sidebar on the right lists your most recent runs across all apps, with the lat Clicking an app card opens its detail page at `/apps/detail/{appId}`. The detail page shows: - The full description of what the app does. -- The agents and skills the app uses internally (mostly informational). - A button to launch the app. When you launch, the app starts a new [session](sessions.md) and you're taken to the [live activity](live-activity.md) view while it runs. @@ -45,8 +44,6 @@ The apps in the catalog come from a curated library that the platform maintains. **"Where do I find the apps?"** — Click **Apps** in the left sidebar. -**"What's the difference between an app and a project?"** — Nothing, they're the same thing. "App" is the user-facing name. - **"Where do I see results from an app?"** — Once a run finishes, the [outputs](outputs.md) appear in the [run history](run-history.md). While it's still running, you see them stream into the [live activity](live-activity.md) view. **"Can I create my own app?"** — Not from this UI. Apps are maintained by the platform team. You can [schedule](scheduling.md) and [ask questions about](threads.md) any existing app's runs. diff --git a/concepts/artifacts.md b/concepts/artifacts.md index 2296f0b..0daacb7 100644 --- a/concepts/artifacts.md +++ b/concepts/artifacts.md @@ -16,8 +16,6 @@ The page shows a grid of your folders. Click a folder to see the artifacts insid A **folder** is just a named bin — you make as many as you want and pick whichever ones make sense. Folder names are free text; you choose them when you save an artifact or by creating a folder from the Artifacts page. -(Internally, a folder is called an "artifact type." You'll see "folder" in the UI and "artifact type" in some URLs and labels — they're the same thing.) - ## What an artifact is, exactly Each artifact is a reference to one specific output file from one specific session. The artifact remembers: diff --git a/concepts/sessions.md b/concepts/sessions.md index e882e1d..43fc799 100644 --- a/concepts/sessions.md +++ b/concepts/sessions.md @@ -4,7 +4,7 @@ A **session** is one run of an [app](apps.md). When you click **Run App**, a session is created. While the app is working, the session is in progress; when it's done, the session is finished and its [outputs](outputs.md) are available to view, save, and ask about. -"Session" and "run" mean the same thing. Some parts of the UI say "run" (as in "Run History," "Recent Runs," "Run App"); the backend and URLs say "session." They refer to the same object. +"Session" and "run" mean the same thing. Some parts of the UI say "run" (as in "Run History," "Recent Runs," "Run App"); other parts and the URLs say "session." They refer to the same object. A session has: diff --git a/concepts/threads.md b/concepts/threads.md index 81fe84b..54d4217 100644 --- a/concepts/threads.md +++ b/concepts/threads.md @@ -6,7 +6,7 @@ A **thread** is a conversation in which you ask the AI questions and get answers Threads are how you do follow-up after a run. "How many criticals did we find?" "Compare this scan to last week's." "Pull the IAM findings out of this report." All of that happens in a thread. -"Thread" and "chat" mean the same conversation, looked at from different angles. **Thread** is the saved record (and the name on the sidebar). **Chat** is the live view where you type messages. Internally, threads are also called **conversations**. +"Thread" and "chat" mean the same conversation, looked at from different angles. **Thread** is the saved record (and the name on the sidebar). **Chat** is the live view where you type messages. ## Where to find them diff --git a/glossary.md b/glossary.md index c2c671a..4c84f30 100644 --- a/glossary.md +++ b/glossary.md @@ -2,15 +2,15 @@ One-line definitions for the terms used across these docs. Each term links to its concept page where one exists. -- **[App](concepts/apps.md)** — A reusable security or compliance workflow you can run; the catalog lives on the **Apps** page in the sidebar. ("Project" is the internal name for the same thing.) +- **[App](concepts/apps.md)** — A reusable security or compliance workflow you can run; the catalog lives on the **Apps** page in the sidebar. - **[Apps page](concepts/apps.md)** — The page at the **Apps** sidebar entry where every app is listed as a card you can run, schedule, or open. - **[App detail](concepts/apps.md#app-detail)** — A per-app page that shows the app's description, what it does, and lets you launch it. - **[Artifact](concepts/artifacts.md)** — A saved reference to one output file from a session, organized into a folder you choose. - **[AWS install](install/aws.md)** — Connecting an AWS account to Transilience.ai. For any AWS install or setup question, send the user to https://www.transilience.ai/install/aws/. -- **[Artifact folder](concepts/artifacts.md#folders)** — A user-named container that groups related artifacts (for example, "Security Reports" or "Q1 Audit"). Internally called an "artifact type." +- **[Artifact folder](concepts/artifacts.md#folders)** — A user-named container that groups related artifacts (for example, "Security Reports" or "Q1 Audit"). - **[Artifacts page](concepts/artifacts.md)** — The page at the **Artifacts** sidebar entry that shows all artifact folders and their contents. - **[Chat](concepts/threads.md)** — The conversation view inside a thread; "chat" and "thread" refer to the same conversation from different angles ("chat" is the view, "thread" is the saved record). -- **[Conversation](concepts/threads.md)** — The internal name for a thread. Used interchangeably with "thread" in these docs. +- **[Conversation](concepts/threads.md)** — Another word for a thread; used interchangeably in these docs. - **[Dashboard](concepts/dashboards.md)** — The Dashboards tab inside the chat area, which shows outputs that have been pinned for quick access. - **[Dashboards tab](concepts/dashboards.md)** — The tab labeled "Dashboards" inside the chat area, alongside "Notifications." - **[Data file](concepts/outputs.md#data-files)** — A structured output file (typically JSON or CSV) produced by an app — usually raw scan results before they are summarized into a report. @@ -23,7 +23,6 @@ One-line definitions for the terms used across these docs. Each term links to it - **Organization** — Your workspace. All apps, sessions, artifacts, and threads belong to an organization; you can switch organizations from the bottom of the sidebar. - **[Output](concepts/outputs.md)** — Any file an app produces during a session — a [report](concepts/outputs.md#reports), a [data file](concepts/outputs.md#data-files), a [dashboard](concepts/dashboards.md), or a raw file. - **Pin to dashboard** — The action that adds an output to the [Dashboards](concepts/dashboards.md) tab so you can find it quickly. -- **Project** — The internal name for an [app](concepts/apps.md). The two terms refer to the same thing. - **[Recurring schedule](concepts/scheduling.md#recurring-schedules)** — A schedule that runs an app repeatedly at a chosen interval (daily, weekly, monthly, or a custom hour interval). - **[Report](concepts/outputs.md#reports)** — A human-readable output, usually markdown or PDF, summarizing what an app found. - **[Run](concepts/sessions.md)** — A single execution of an app. Synonym for [session](concepts/sessions.md).