Day 1 Deliverables
Everything that ships with the plugin on day 1, plus the build priority roadmap.
Skills (user-invocable commands)
| Skill | What it does | DX value |
|---|---|---|
| /bastion:init | Scaffold security/ directory, create bastion.yaml | One command from zero to working |
| /bastion:verify | Run all Layer 4 checks, output structured results | Single command replaces 4 manual steps |
| /bastion:scope | Show which vectors apply to staged/changed files | Instant security context |
| /bastion:integrate-vector | Accept agent proposal, generate vector + test + rule | "Yes" becomes 5 artifacts |
| /bastion:propose | Submit pending proposals to core framework | One command, zero template-filling |
| /bastion:propose --dry-run | Preview what would be submitted | See the PR before it's created |
| /bastion:sync | Pull framework updates, match new vectors to project | Stay current without reading changelogs |
| /bastion:status | Show pending proposals, sync state, contribution stats | Dashboard of security posture |
| /bastion:audit | Run all 4 auditor agents on changed files | Full domain sweep in one command |
| /bastion:audit --full | Run all auditors on all project files | Quarterly deep sweep |
| /bastion:research | Run intelligence-sync (Job 1 + Job 2) | Discover new threats and sources |
| /bastion:coverage | Show vector coverage report with gaps | "Where are we exposed?" |
| /bastion:compliance | Check standards compliance (OWASP, NIST, etc.) | Answer "are we compliant?" with evidence |
| /bastion:explain AV-048 | Explain a specific vector: what, why, how to fix | New developer understands any vector instantly |
| /bastion:diff | Compare local vectors against core framework | See what's novel, missing, or outdated |
Hooks (automatic triggers)
| Hook | Event | What it does | DX value |
|---|---|---|---|
| Post-edit security check | PostToolUse on Write/Edit of *.daml | Runs scope on changed file | See applicable vectors instantly |
| Pre-commit gate | PreToolUse on Bash(git commit) | Quick semgrep scan, blocks on CRITICAL | Catches issues before git history |
| Post-integrate nudge | PostToolUse on /bastion:integrate-vector | Novelty check, nudges upstream proposal | Drives community contributions |
| Post-sync report | After /bastion:sync | Shows new matching vectors | New content is immediately actionable |
| Stale sync alert | SessionStart if last sync > 30 days | Reminds user to sync | Prevents drift from core |
| Pending proposals reminder | SessionStart if pending queue non-empty | Shows count with submit command | Keeps contribution pipeline moving |
| Coverage regression | PostToolUse on vector YAML edits | Re-runs coverage check | Prevents accidental coverage loss |
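The pre-commit gate row above runs a quick semgrep scan and blocks the commit on CRITICAL. As an added example (not the plugin's own hook script), the Python below shows what that gate has to get right: scan only the staged files, classify each finding by the rule's metadata rather than semgrep's built-in level (semgrep's own severities are only INFO, WARNING and ERROR, so CRITICAL must come from rule metadata), and signal the block with the exit status the hook runner expects. Assumptions: the rules live under `security/semgrep/`, they carry a custom `metadata.severity` field, the PreToolUse payload arrives as JSON on stdin with the command under `tool_input.command`, and exit status 2 blocks the tool call while stderr is shown to the assistant (the Claude Code hook convention). The sample report is constructed in semgrep's `--json` shape.

```python
"""Pre-commit gate: block `git commit` when the quick semgrep scan has a CRITICAL finding.

Added example, not the plugin's hook. Assumptions: rules under security/semgrep/
carry a custom `metadata.severity`; the hook payload is JSON on stdin with the
Bash command at tool_input.command; exit status 2 blocks the tool call.
"""
import json
import subprocess
import sys

BLOCKING = {"CRITICAL"}
RULES_DIR = "security/semgrep"  # assumed location of the project's semgrep rules


def is_git_commit(hook_input):
    """True when the intercepted Bash command is a git commit (assumed payload shape)."""
    cmd = hook_input.get("tool_input", {}).get("command", "")
    return cmd.lstrip().startswith("git commit")


def staged_files():
    """Paths staged for commit (added/copied/modified/renamed); untracked edits are not scanned."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACMR"],
        check=True, capture_output=True, text=True).stdout
    return [p for p in out.splitlines() if p]


def run_semgrep(paths):
    """Scan only the staged files with the project's rules; empty report when nothing is staged."""
    if not paths:
        return {"results": []}
    proc = subprocess.run(
        ["semgrep", "scan", "--json", "--quiet", "--config", RULES_DIR, *paths],
        capture_output=True, text=True)
    if proc.returncode not in (0, 1):  # 0/1 = ran (with or without findings); others are errors
        raise RuntimeError(f"semgrep failed ({proc.returncode}): {proc.stderr.strip()}")
    return json.loads(proc.stdout)


def finding_severity(result):
    """Prefer the rule's metadata.severity; fall back to semgrep's own INFO/WARNING/ERROR."""
    extra = result.get("extra", {})
    sev = extra.get("metadata", {}).get("severity") or extra.get("severity", "")
    return str(sev).upper()


def blocking_findings(report):
    return [r for r in report.get("results", []) if finding_severity(r) in BLOCKING]


def describe(result):
    return (f"{result['path']}:{result['start']['line']} {result['check_id']} "
            f"[{finding_severity(result)}] {result['extra']['message']}")


def gate(report):
    """Return (exit_status, messages): 2 with one line per blocking finding, otherwise 0."""
    hits = blocking_findings(report)
    return (2, [describe(r) for r in hits]) if hits else (0, [])


# Constructed sample report in semgrep --json shape: one finding promoted to
# CRITICAL by rule metadata, one WARNING with no metadata severity.
SAMPLE_REPORT = {"results": [
    {"check_id": "daml-self-transfer", "path": "daml/Transfer.daml",
     "start": {"line": 42, "col": 5}, "end": {"line": 42, "col": 30},
     "extra": {"message": "transfer to self is not rejected", "severity": "ERROR",
               "metadata": {"severity": "CRITICAL", "vector": "AV-001"}}},
    {"check_id": "daml-unused-observer", "path": "daml/Account.daml",
     "start": {"line": 7, "col": 1}, "end": {"line": 7, "col": 20},
     "extra": {"message": "observer is never used", "severity": "WARNING", "metadata": {}}},
], "errors": []}


if __name__ == "__main__":
    hook_input = json.load(sys.stdin) if not sys.stdin.isatty() else {}
    if hook_input and not is_git_commit(hook_input):
        sys.exit(0)  # the matcher already filters, but never block unrelated Bash calls
    status, messages = gate(run_semgrep(staged_files()))
    for line in messages:
        print(line, file=sys.stderr)
    if status:
        print("bastion pre-commit gate: CRITICAL findings, commit blocked", file=sys.stderr)
    sys.exit(status)
```

Only CRITICAL blocks; WARNING and ERROR findings without a metadata severity pass through, which keeps the pre-commit gate quick and leaves the full sweep to `make bastion-security`. Run with `python3 gate.py < hook_input.json` from a PreToolUse hook, or pipe `SAMPLE_REPORT` through `gate()` to see the blocking path without semgrep installed.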
Agents (AI-powered analysis)
| Agent | Layer | Trigger | What it produces |
|---|---|---|---|
| authorization-auditor | 1 | /bastion:audit, auth pattern changes | Vector proposals for controller/signatory/access issues |
| arithmetic-auditor | 1 | /bastion:audit, numeric code changes | Vector proposals for division/overflow/precision issues |
| temporal-auditor | 1 | /bastion:audit, time/deadline changes | Vector proposals for deadline/expiry/staleness issues |
| state-auditor | 1 | /bastion:audit, lifecycle code changes | Vector proposals for state machine/archive issues |
| intelligence-sync | 1 | /bastion:research, weekly schedule | New vector + source proposals |
| standards-sync | 1 | /bastion:research, after releases | Standards updates, advisory-driven proposals |
| vector-integrator | 3 | /bastion:integrate-vector | Vector YAML + test + semgrep rule + index |
| proposal-builder | 3 | /bastion:propose | Sanitized, validated GitHub PR |
Makefile Targets
| Target | Equivalent skill | CI-friendly |
|---|---|---|
| make bastion-init | /bastion:init | Yes |
| make bastion-verify | /bastion:verify | Yes (exit 0/1) |
| make bastion-verify-quick | /bastion:verify --quick | Yes |
| make bastion-scope | /bastion:scope | Yes |
| make bastion-propose | /bastion:propose | Interactive |
| make bastion-propose-pending | /bastion:propose --all | Semi |
| make bastion-propose-dry-run | /bastion:propose --dry-run | Yes |
| make bastion-status | /bastion:status | Yes |
| make bastion-sync | /bastion:sync | Interactive |
| make bastion-security | Full scan suite | Yes |
| make bastion-pre-commit | Quick gate | Yes |
MCP Tools
| Tool | Used by | Purpose |
|---|---|---|
| bastion_scan | Agents, CI | Run semgrep, return structured results |
| bastion_verify | Agents, CI | Full verification with JSON output |
| bastion_scope | Post-edit hook, agents | Match files to applicable vectors |
| bastion_vector_status | /bastion:coverage | Coverage report per vector |
| bastion_integrate | /bastion:integrate-vector | Create artifacts from accepted proposal |
| bastion_propose | /bastion:propose | Sanitize and build PR payload |
| bastion_sync | /bastion:sync | Check registry, pull updates |
| bastion_standards | /bastion:compliance | Standards mapping check |
| bastion_explain | /bastion:explain | Retrieve and format vector details |
| bastion_novelty_check | Post-integrate hook | Compare item against core catalog |
Structured Results Format
```json
{
  "run_id": "2026-03-21-a1b2c3",
  "timestamp": "2026-03-21T14:30:00Z",
  "framework_version": "2.1.0",
  "project": "canton-exchange",
  "summary": {
    "vectors_total": 47,
    "vectors_covered": 38,
    "vectors_missing": 6,
    "vectors_partial": 3,
    "coverage_pct": 80.9,
    "semgrep_findings": 2,
    "tests_passed": 34,
    "tests_failed": 1,
    "standards_compliance": {
      "owasp-top-10": "85%",
      "nist-800-53": "72%"
    }
  },
  "vectors": [
    {
      "id": "AV-001",
      "domain": "authorization",
      "status": "COVERED",
      "test": "testSelfTransferPrevention",
      "test_result": "PASS",
      "semgrep_rule": "daml-self-transfer",
      "semgrep_result": "CLEAN",
      "last_verified": "2026-03-21T14:30:00Z"
    }
  ]
}
```
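The roadmap notes that verify.py still has to gain a `--json` output and that the `security/results/` writer does not exist yet, and the Makefile table promises `make bastion-verify` exits 0/1 for CI. As an added example (not the project's verify.py), the Python below builds this document from per-vector records, checks that a summary block is internally consistent (the three status counts must partition `vectors_total`, and `coverage_pct` must be derived from them), and maps the result to the CI exit code. The gate policy (fail on failed tests or semgrep findings; missing vectors only fail under an assumed `strict` flag), the sample vector records and `SAMPLE_NOW` are constructed for the example; `standards_compliance` is left to the standards mapping check and is not computed here.

```python
"""Writer and validator for the structured results document.

Added example, not the project's verify.py. Each vector record is assumed to be a
dict with the fields shown in the results format, "status" one of
COVERED / PARTIAL / MISSING; standards_compliance is not computed here.
"""
import json
import secrets
from datetime import datetime, timezone

STATUSES = ("COVERED", "PARTIAL", "MISSING")

# Constructed sample input: what one verify run might collect for three vectors.
SAMPLE_VECTORS = [
    {"id": "AV-001", "domain": "authorization", "status": "COVERED",
     "test": "testSelfTransferPrevention", "test_result": "PASS",
     "semgrep_rule": "daml-self-transfer", "semgrep_result": "CLEAN"},
    {"id": "AV-002", "domain": "arithmetic", "status": "PARTIAL",
     "test": "testDivisionByZero", "test_result": "FAIL",
     "semgrep_rule": "daml-unchecked-division", "semgrep_result": "FINDINGS"},
    {"id": "AV-003", "domain": "temporal", "status": "MISSING",
     "test": None, "test_result": None, "semgrep_rule": None, "semgrep_result": None},
]
SAMPLE_NOW = datetime(2026, 3, 21, 14, 30, tzinfo=timezone.utc)
# The summary block from the results format above, reused to exercise check_summary().
PAGE_SUMMARY = {"vectors_total": 47, "vectors_covered": 38, "vectors_missing": 6,
                "vectors_partial": 3, "coverage_pct": 80.9, "semgrep_findings": 2,
                "tests_passed": 34, "tests_failed": 1}


def build_summary(vectors, semgrep_findings):
    """Aggregate per-vector records into the summary block."""
    counts = dict.fromkeys(STATUSES, 0)
    passed = failed = 0
    for v in vectors:
        if v["status"] not in STATUSES:
            raise ValueError(f"{v['id']}: unknown status {v['status']!r}")
        counts[v["status"]] += 1
        if v.get("test_result") == "PASS":
            passed += 1
        elif v.get("test_result") == "FAIL":
            failed += 1
    total = len(vectors)
    return {
        "vectors_total": total,
        "vectors_covered": counts["COVERED"],
        "vectors_missing": counts["MISSING"],
        "vectors_partial": counts["PARTIAL"],
        "coverage_pct": round(100.0 * counts["COVERED"] / total, 1) if total else 0.0,
        "semgrep_findings": semgrep_findings,
        "tests_passed": passed,
        "tests_failed": failed,
    }


def check_summary(summary):
    """Return the inconsistencies in a summary block (empty list if it is consistent)."""
    problems = []
    total = summary["vectors_total"]
    parts = summary["vectors_covered"] + summary["vectors_partial"] + summary["vectors_missing"]
    if parts != total:  # the three statuses must partition the vector set
        problems.append(f"status counts sum to {parts}, vectors_total is {total}")
    expected = round(100.0 * summary["vectors_covered"] / total, 1) if total else 0.0
    if abs(expected - summary["coverage_pct"]) > 0.05:  # pct must be derived, not hand-edited
        problems.append(f"coverage_pct {summary['coverage_pct']} does not match {expected}")
    return problems


def build_results(project, framework_version, vectors, semgrep_findings,
                  now=None, run_suffix=None):
    """Assemble the full document; run_suffix is the 6-hex-char run tag (random if omitted)."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "run_id": f"{now:%Y-%m-%d}-{run_suffix or secrets.token_hex(3)}",
        "timestamp": stamp,
        "framework_version": framework_version,
        "project": project,
        "summary": build_summary(vectors, semgrep_findings),
        "vectors": [dict(v, last_verified=stamp) for v in vectors],
    }


def exit_code(results, strict=False):
    """CI gate (assumed policy): 1 on any failed test or semgrep finding.
    Missing vectors are a reported coverage gap and only fail the run with strict=True."""
    s = results["summary"]
    if s["tests_failed"] or s["semgrep_findings"] or (strict and s["vectors_missing"]):
        return 1
    return 0


if __name__ == "__main__":
    doc = build_results("canton-exchange", "2.1.0", SAMPLE_VECTORS, 1, now=SAMPLE_NOW)
    print(json.dumps(doc, indent=2))  # the real writer would store this under security/results/
    raise SystemExit(exit_code(doc))
```

`check_summary` is the piece a CI consumer wants: a results file whose counts do not add up, or whose percentage was edited by hand, should be rejected before anyone reads `coverage_pct` off a dashboard.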
End-to-End Flow: A New Threat Emerges
Build Priority Roadmap
EXISTS (in this repo today)
- 4 focused auditor agent definitions
- intelligence-sync agent definition
- 134-source intelligence catalog
- Semgrep rules (DAML + web)
- Attack vector schema + examples
- MCP server (DAML/Canton dev tools only)
- Init script (scaffolding)
- Verify script (needs fix: hardcoded paths, no JSON output)
- Scope script (needs fix: hardcoded paths)
- Makefile targets
- bastion.yaml template
MUST BE BUILT
Priority 1 — Foundation
- `scripts/config.py` — shared bastion.yaml config loader
- Fix `verify.py` — read config, add `--json` output
- Fix `scope.py` — read config instead of hardcoded paths
- `security/results/` output format and writer
Priority 2 — Core Skills
- `/bastion:init`, `/bastion:verify`, `/bastion:scope` skills
- `/bastion:integrate-vector` skill + vector-integrator agent
- `/bastion:explain`, `/bastion:coverage`, `/bastion:audit` skills
- Test skeleton generator
- Semgrep rule generator
- Vector status auto-updater
Priority 3 — Hooks
- Post-edit security check
- Pre-commit gate
- Post-integrate nudge
- Session start reminders
- Coverage regression warning
Priority 4 — Distribution + Ecosystem
- `.claude-plugin/plugin.json`
- `registry.yaml`
- `/bastion:sync`, `/bastion:propose`, `/bastion:status`, `/bastion:compliance`, `/bastion:diff`, `/bastion:research` skills
- proposal-builder agent
- MCP security tools (10 tools)
- `vectors/community/` directory
- GitHub PR templates + CODEOWNERS + rulesets
- `standards/` directory with initial mappings
- standards-sync agent
Priority 5 — Polish
- Clean project-specific content from sources.yaml
- Remove monorepo artifacts
- Clean AGENT_COORDINATION.md
- `scripts/generate_docs.py`
- CI pipeline for the framework itself
- Source scoring applied to existing 134 sources