Skip to content

Port self-upskilling security agent from VXD#87

Merged
tzone85 merged 1 commit into
mainfrom
feat/security-agent
Jun 26, 2026
Merged

Port self-upskilling security agent from VXD#87
tzone85 merged 1 commit into
mainfrom
feat/security-agent

Conversation

@tzone85

@tzone85 tzone85 commented Jun 26, 2026

Copy link
Copy Markdown
Owner

What

Ports vxd's security agent to NXD, adapted for the offline-first design (scanners are local binaries; the LLM threat-model layer uses the configured Ollama/cloud client). Zero VXD references.

  • internal/security/ (LLM-free, unit-tested, mirrored verbatim) — growable OWASP Top 10 + CWE KnowledgeBase (JSON-persisted; immutable/versioned Add; Covers matches ID or CWE; Checklist renders for prompts) + a runner orchestrating gosec, govulncheck, gitleaks, semgrep, npm audit (language-aware applicability, PATH detection, graceful degrade — skipped tools listed, never silently dropped; pure per-tool parsers → real findings).
  • engine/security_gate.go SecurityGateScanRepo (standalone) + ReviewStory (per-story pre-merge, in postExecutionPipeline after QA before merge via Monitor.SetSecurityGate). Findings ≥ security.gate_severity (default critical) pause the requirement (human decision), never escalate. Self-upskilling: confirmed high+ findings of a new vuln class become learned KB rules (SECURITY_RULE_LEARNED).
  • CLInxd security scan [path] [--json] [--llm] [--min <sev>] + nxd security kb (falls back to DefaultConfig so it runs in any repo). Planner prompt now carries the OWASP Top 10 so every story is designed secure.
  • Configsecurity.{disable_gate, gate_severity, auto_learn, kb_path}.

Verified

  • Scanned NXD itself (Go/JS/Python/Shell) — all 5 scanners ran, crit=0.
  • New events in the projection switch; TestResume_WiresSecurityGate guards the wire; cli-reference.md + regenerated nxd.config.example.yaml updated.
  • Full suite 31 pkgs green, go vet clean, golangci-lint 0 issues.

Mirrors vortex-dispatch's security agent (offline-friendly: scanners are local
binaries, LLM layer uses the configured Ollama/cloud client; zero VXD refs).

- internal/security/ (verbatim, LLM-free): growable OWASP Top 10 + CWE knowledge
  base (immutable Add, Covers by ID-or-CWE, Checklist for prompts) + runner for
  gosec/govulncheck/gitleaks/semgrep/npm-audit (graceful degrade, real parsers).
- engine/security_gate.go: ScanRepo (standalone) + ReviewStory (per-story
  pre-merge gate in postExecutionPipeline after QA before merge). Findings >=
  gate severity (default critical) pause the requirement; self-upskills the KB
  from confirmed findings.
- Wiring: Monitor.SetSecurityGate + resume.go (TestResume_WiresSecurityGate);
  events STORY_SECURITY_PASSED/FAILED + SECURITY_SCAN_COMPLETED/RULE_LEARNED
  projected; planner prompt carries the OWASP Top 10 baseline.
- CLI: nxd security scan/kb (falls back to DefaultConfig so it runs in any repo).
- Config: security.{disable_gate, gate_severity, auto_learn, kb_path}.

Verified: scanned NXD itself (Go/JS/Python/Shell, all 5 scanners, crit=0). Full
suite 31 pkgs + vet + golangci-lint clean. Docs: CLAUDE.md + cli-reference.md +
regenerated nxd.config.example.yaml.
@tzone85 tzone85 merged commit ca6702a into main Jun 26, 2026
11 checks passed
@tzone85 tzone85 deleted the feat/security-agent branch June 26, 2026 21:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant