Merged
83 changes: 8 additions & 75 deletions AGENTS.md
@@ -2,6 +2,14 @@

Security workflow orchestration platform. Visual builder + Temporal for reliability.

To ensure security automation workflows work correctly, values such as these can be set when running the workflow locally to ensure realistic testing(not limited to these but good examples):

- Website: http://scanme.nmap.org/
- Website: https://preview.owasp-juice.shop/#/
- Any github repo
- Any npm package
- Any public API endpoint

## Stack

- `frontend/` — React + Vite
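Review bot: the added target list in this hunk ("Any github repo", "Any npm package", "Any public API endpoint") is too broad for a file that steers automated security workflows; as written it tells an agent to point scans at arbitrary third-party systems, which is an authorization and abuse-report risk and can get the local runner rate-limited or blocked. Keep only targets that explicitly permit testing (scanme.nmap.org and the Juice Shop preview instance already listed, or a locally run Juice Shop container) and state that permission next to each entry. Also say which workflow inputs "values such as these" refers to, capitalize "GitHub", and fix the spacing typo in "realistic testing(not limited to these but good examples)".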
@@ -250,78 +258,3 @@ The `/analytics` page provides triage performance metrics derived from `finding_
- **SLA policy management** (`GET/PUT /findings/sla-policies`): Configurable per-org severity→deadline mappings. Admin-only write access via `@Roles('ADMIN')`. Atomic replacement via transactional delete+insert.
- **Database**: `sla_policies` table with unique `(organization_id, severity)` constraint. Time-series indexes on `finding_triage(organization_id, created_at)` and `(organization_id, severity_override, created_at)` for aggregation query performance.
- **Frontend**: recharts charts (AreaChart, BarChart, PieChart), MTTR KPI cards, top assignees table, SLA policy settings form. WCAG 2.2 AA accessible — visually-hidden data tables, `role="img"` containers, `aria-busy` loading states, `prefers-reduced-motion` support.

---

## Recent Changes

### Vulnerability Lifecycle Management (VLM) UI

- **Kanban board** for finding triage with drag-drop status transitions between columns.
- **7-state lifecycle**: `new` → `triaged` → `in_progress` → `fixed` → `verified` (terminal). Any non-terminal state can move to `wont_fix` or `accepted_risk`; both can reopen to `triaged`.
- **Bulk triage actions**: Select up to 100 findings and apply status and/or assignee changes in a single operation.
- **Finding detail sheet**: Slide-over panel with triage controls (status, assignee picker, severity override, notes) and an activity timeline of all triage events.
- **Hybrid data strategy**: Immutable finding data in OpenSearch, mutable triage state in PostgreSQL (`finding_triage` + `finding_triage_events` tables). Batch PG lookup merges triage records into OpenSearch results.
- **Org member listing** via Clerk API integration for the assignee picker.
- **State machine** (`packages/shared/src/finding-triage.ts`): Pure function shared between frontend and backend for transition validation.
- **Status filter**: Filter the findings list by triage status.
- **109 new tests** covering state machine, service, controller, kanban view, detail sheet, and bulk operations.

### Webhook Inspector (Delivery Inspection & Resend)

- **Response metadata capture**: Notification adapters now return response metadata (`durationMs`, `responseStatus`, `responseBody`) alongside success/error. The dispatcher stores these fields in the `notification_deliveries` table.
- **Re-send capability**: Failed deliveries can be resent via the delivery detail panel. Resends create new delivery records through the same dispatch path (SSRF protection preserved). Rate limited to 10 resends per channel per minute.
- **Delivery detail panel**: Collapsible accordion in delivery history shows full request/response inspection — request payload, response HTTP status, response body, and latency.
- **Pagination**: Delivery history supports paginated loading via a "Load More" button.

### Bidirectional Jira Ticketing

- **OAuth 2.0 (3LO)** authentication with Atlassian Cloud. Encrypted token storage (AES-256-GCM) and automatic refresh with per-org mutex to prevent race conditions.
- **Outbound sync**: When finding triage status changes (`finding.triage.changed` event via EventEmitter2), tickets are automatically created in Jira with matching status transitions.
- **Inbound sync**: Jira webhooks notify status changes back. HMAC-SHA256 verified, reverse status mapping updates triage state. Circular sync prevention via `source` parameter.
- **Frontend**: Settings > Ticketing tab for OAuth connection, project/issue type selection, status mapping configuration, and auto-create toggles. LinkedTicket component shows sync status in finding detail.
- **Security**: SSRF allowlist (api.atlassian.com, auth.atlassian.com, \*.atlassian.net), issue key regex validation, org-scoped lookups, timing-safe HMAC verify.
- **Database**: `ticketing_connections` (per-org provider config + encrypted tokens) and `ticket_links` (finding↔ticket mapping with sync status).
- **78 tests** covering service, listener, controller, adapter, webhook handler, and frontend components.

### Triage Trends & Analytics Dashboard

- **Security posture trend**: Stacked area chart showing finding counts over time grouped by severity (critical/high/medium/low/info) with configurable time range (7d/30d/90d).
- **Triage velocity**: Bar chart showing status transition throughput per time period — how many findings move through each triage state.
- **MTTR KPI cards**: Mean Time to Remediation per severity with human-readable formatting (e.g., "2d 5h"). Null-safe for severities with no resolved findings.
- **SLA compliance**: Per-severity compliance rate visualization. Color-coded bars (green ≥90%, yellow 50-89%, red <50%). Requires SLA policies to be configured.
- **Status distribution**: Donut chart showing current breakdown across all 7 triage statuses with counts and percentages.
- **Top assignees table**: Leaderboard ranking assignees by total findings, resolved count, and resolution rate. Includes unassigned findings.
- **SLA policy configuration**: Admin-only settings to define per-org severity→deadline mappings (e.g., Critical=24h, High=72h). Stored in `sla_policies` table. Changes apply to future triage actions only.
- **Accessibility**: WCAG 2.2 AA — visually-hidden data tables for screen readers, proper ARIA roles, contrast-safe colors, `prefers-reduced-motion` animation control.
- **104 tests** covering backend aggregation queries, DTO validation, frontend chart components, and E2E endpoint verification.

---

<!-- markdownlint-disable MD033 -->

<skills_system priority="1">

<usage>
When tasks match a skill, load it: `cat .claude/skills/<name>/SKILL.md`
</usage>

<available_skills>
<skill>
<name>component-development</name>
<description>Creating components (inline/docker). Dynamic ports, retry policies, PTY patterns, IsolatedContainerVolume.</description>
<location>project</location>
</skill>
<skill>
<name>performance-review</name>
<description>Review code changes for frontend performance anti-patterns. Checks stale times, bundle splitting, Zustand selectors, N+1 queries, and React rendering.</description>
<location>project</location>
</skill>
<skill>
<name>stress-test-frontend</name>
<description>Run a frontend load testing audit. Seeds data, tests all pages via Chrome DevTools MCP, records network calls, TanStack queries, DOM sizes, and generates a timestamped report.</description>
<location>project</location>
</skill>
</available_skills>

</skills_system>
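Review bot: the deleted "Recent Changes" section is the only place in this file that records several security controls an agent would need to preserve when touching these features: the Jira SSRF allowlist (api.atlassian.com, auth.atlassian.com, \*.atlassian.net), the timing-safe HMAC-SHA256 webhook verification, the limit of 10 resends per channel per minute, the rule that resends go through the same SSRF-protected dispatch path, and the shared transition state machine in `packages/shared/src/finding-triage.ts`. If this history has moved to a changelog or into the feature sections earlier in the file, add a one-line pointer where the section was; otherwise keep at least the security bullets. Separately, dropping the `<skills_system>` block also removes the instruction to load `.claude/skills/<name>/SKILL.md`, and the `<!-- markdownlint-disable MD033 -->` line existed only for that HTML block; confirm both removals are intentional rather than a merge artifact, since the rest of this commit is about adding local test targets.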
139 changes: 0 additions & 139 deletions backend/scripts/seed-templates/ai-vulnerability-triage.json

This file was deleted.

129 changes: 0 additions & 129 deletions backend/scripts/seed-templates/api-security-scan.json

This file was deleted.
