RnD/EVOLV
3
0
Fork 0
Code Issues 22 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
14140725bc527bcdd253a163f57353dad1570d01
EVOLV/.claude/skills/evolv-ot-it-security/SKILL.md
znetsixe d4e72f280e docs: retire repo-mem MCP, migrate skills to .claude/skills, audit fixes 
- Delete .mcp.json + .claude/rules/repo-mem.md; drop .repo-mem from .gitignore
- Remove repo-mem / substrate_score / repo_search references from all .md
- Move 15 EVOLV skills from .agents/skills/ to .claude/skills/ so they are
  auto-discovered by the Claude Code harness and invokable via the Skill tool
- Retire .agents/skills/evolv-orchestrator (duplicate of the subagent at
  .claude/agents/evolv-orchestrator.md); orchestrator lives as a subagent only
- Drop OpenAI-format agent yaml metadata from each skill (not needed for CC)
- Update CLAUDE.md, CONTRACTS.md, AGENTS.md to point at the new locations and
  disambiguate skills (.claude/skills/) vs subagents (.claude/agents/)
- Fix CLAUDE.md tick-loop wording (opt-in per-node, not a fixed 1000ms)
- Widen .claude/rules/ paths frontmatter so node-architecture and telemetry
  rules trigger on more relevant files; add frontmatter to flow-layout rule
- Bump CONTRACTS.md review date to 2026-05-19; add step 7 to the contract-
  change workflow (review example flows when topic usage changes)
- Bump nodes/generalFunctions pin (Home.md substrate_score reference removed)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-19 09:30:49 +02:00

2.3 KiB
Raw Blame History

name, description
name description
evolv-ot-it-security Perform OT/IT security analysis for EVOLV Node-RED automation systems. Use when reviewing admin endpoints, node input handling, configuration exposure, dependency risk, network/data flow boundaries, and secure-by-default behavior for operational technology integrations.

EVOLV OT/IT Security

Mission

Identify and reduce security risk while preserving operational reliability for process automation workloads.

Harness Execution Contract

  • Model trust boundaries first (admin HTTP, message ingress, external integrations).
  • Define security invariants before edits:
    • secure defaults stay secure unless explicitly approved
    • no sensitive leakage in logs/UI/errors
    • malformed control inputs are rejected predictably
  • Support findings with reproducible evidence and concrete remediation steps.

Scope

  • Node-RED admin endpoints in node entry files
  • Input validation across msg.topic and payload paths
  • Exposure of sensitive config/secrets in code, logs, or UI
  • Dependency and supply-chain concerns in node packages

Security Workflow

  1. Enumerate attack surface:
  • HTTP admin routes
  • message ingress topics/payloads
  • external service interfaces
  1. Validate input sanitization and type checks.
  2. Check least-privilege assumptions and secret handling.
  3. Evaluate failure modes for denial-of-service or unsafe operation.
  4. Recommend pragmatic controls with minimal operational friction.

Control Priorities

  • Reject malformed or unauthorized control messages.
  • Avoid leaking credentials, asset identifiers, or internal topology.
  • Keep defaults safe; require explicit opt-in for risky behavior.
  • Preserve auditability of critical control actions.

Validation Expectations

  • Add negative tests for malformed inputs and unauthorized paths.
  • Confirm error paths are explicit and non-sensitive.
  • Document residual risk when controls are deferred.

Deliverables

Return:

  • findings sorted by severity
  • concrete remediation plan by file
  • tests added for security regressions
  • residual risks and compensating controls

Decision interview triggers:

  • any change that relaxes authentication/authorization checks
  • exposure of new admin routes or integration interfaces
  • security control deferrals that require compensating controls
Reference in New Issue View Git Blame Copy Permalink