automagik-dev
diff --git a/‎.genie/brainstorm.md‎
Lines changed: 8 additions & 0 deletions b/‎.genie/brainstorm.md‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎.genie/brainstorms/canisterworm-incident-response/DESIGN.md‎
Lines changed: 126 additions & 0 deletions b/‎.genie/brainstorms/canisterworm-incident-response/DESIGN.md‎
Lines changed: 126 additions & 0 deletions
@@ -9,11 +9,14 @@
 ### Tier 1: Autonomous dispatch (dream-eligible)
 - [scaffold-auto-memory](wishes/scaffold-auto-memory/WISH.md) — READY. Auto-configure `autoMemoryEnabled`/`autoMemoryDirectory` in `.claude/settings.local.json` + seed `MEMORY.md` when `genie init agent <name>` scaffolds. Closes automagik-dev/genie#1106. Twin-genie reviewed: scope 2/5, risk 2/5, clarity 4/5.
 - [brain-help-passthrough](wishes/brain-help-passthrough/WISH.md) — READY. Add `addHelpText` footer to `genie brain --help` so users see the forwarded subcommands (status, health, init, search, etc.). Passthrough already works at runtime; help text just doesn't advertise it. Closes automagik-dev/genie#1118. Twin-genie reviewed: scope 1/5, risk 1/5, clarity 5/5.
+- [bare-genie-dashboard](wishes/bare-genie-dashboard/WISH.md) — READY (filed 2026-04-23, lint-clean). Phase 1 split out of `onboarding-unification` brainstorm. Rebuild bare `genie`: first-run provisioning (one prompt ever), `agent sync` auto-heal, 2-column dashboard (NUMBERS left + Clancy-style agent feed right via `claude -p --output-format stream-json`), `welcome.md` override, 8 toggle panels (kanban/tree/bar/severity/sparkline). 6 groups across 4 waves; medium appetite (~6–10h).
+- [session-cost-extraction](wishes/session-cost-extraction/WISH.md) — DISPATCHED (team `session-cost-fix`, 2026-04-22). Extract `usage` from JSONL turns into `sessions` cost columns + `v_session_spend` view. Unblocks PG as the spend source-of-truth for the dashboard.
 
 ### Tier 2: Agent creation (brainstorm → wish)
 - **brain-cag-v2** — NEW. Seamless brain→rlmx integration. Brain is the interface, rlmx is the engine. No direct `rlmx` CLI needed.
 - **brain-optimizer-agent** — `/review` existing pipeline → create `.genie/agents/brain-optimizer/` sub-agent that uses traces+grades.
 - **rlmx-dogfood-agent** — `/review` rlmx → create `.genie/agents/rlmx-dogfood/` sub-agent that uses rlmx on itself.
+- [onboarding-unification](brainstorms/onboarding-unification/DRAFT.md) — SIMMERING. 7-phase roadmap for unifying first-run install/setup/init/wizard/dir-add into one coherent entry surface + deleting fragmented commands. Phase 1 (bare-genie-dashboard) split out to its own wish 2026-04-23. Phases 2-7 remaining: `genie agent create` atomic scaffold, `genie agent sync`, `genie workspace create/use/show`, `genie config`, removed-command hard-redirects + skill-update sweep, migration-on-upgrade.
 
 ### Tier 3: Investigation first
 - **dir-scope-architecture** (automagik-dev/genie#1107) — BLOCKED on architecture decision. Twin-genie trace revealed the PG `agents` table has NO scope column; `dir add --global` and `dir add` hit the same row. Fix requires either (a) adding a scope column with migration, or (b) removing the `--global` flag and false success messaging. Human decision needed before any code change. NOT autonomous-friendly.
@@ -40,6 +43,11 @@
 
 All shipped wishes live in [`wishes/_archive/`](wishes/_archive/). Listed here for reference.
 
+- [canisterworm-incident-response](brainstorms/canisterworm-incident-response/DESIGN.md) — **UMBRELLA** (WRS 100/100, 2026-04-23). Full CanisterWorm incident-response posture split into 4 sibling wishes after 10-perspective council + dispatched reviewer both returned BLOCKED on the monolith. Council record: [COUNCIL.md](brainstorms/sec-scan-progress/COUNCIL.md). Preconditions: `codex/sec-scan-command` must merge to `main` before any sibling dispatches. Shared invariants: detect-only scanner, quarantine-by-move never delete, append-only audit log, dry-run default, typed consent strings, signature-verified `--apply`. Total wall-time with parallelism ~6 weeks.
+  - [sec-scan-progress](wishes/sec-scan-progress/WISH.md) — READY (5 groups, medium). Scanner observability + envelope + telemetry + deletion pass + `print-cleanup-commands`. Depends on: base merge. Unblocks: sec-remediate + sec-incident-runbook.
+  - [sec-remediate](wishes/sec-remediate/WISH.md) — READY (2 groups, medium). `genie sec remediate` + `restore` + `rollback` + quarantine lifecycle + offline-credential guidance. Depends on: sec-scan-progress (envelope + audit log).
+  - [genie-supply-chain-signing](wishes/genie-supply-chain-signing/WISH.md) — READY (2 groups, medium). Cosign + SLSA provenance + `verify-install` + `--unsafe-unverified <INCIDENT_ID>` contract. Runs parallel to sec-remediate; independent of scanner surface.
+  - [sec-incident-runbook](wishes/sec-incident-runbook/WISH.md) — READY (2 groups, small). SECURITY.md invariants + `canisterworm.md` three-branch decision tree + automated cold-runbook test + help-text examples. Depends on: sec-remediate + genie-supply-chain-signing.
 - [Agent Stability Hardening](wishes/_archive/agent-stability-hardening/WISH.md) — SHIPPED (PR #1112, 2026-04-09). Permission spread + remoteApproval + tmux mouse + inbox retry.
 - [Session Capture v2](wishes/_archive/session-capture-v2/WISH.md) — SHIPPED (PR #825, 2026-04-09). Filewatch + lazy backfill + tool event extraction.
 - [pgserve Daemon Ownership](wishes/_archive/pgserve-daemon-ownership/WISH.md) — SHIPPED (PR #827, 2026-04-09). Daemon owns PG, self-heal, doctor --fix.
 
@@ -0,0 +1,126 @@
+# Design: CanisterWorm Incident Response (Umbrella)
+
+| Field | Value |
+|-------|-------|
+| **Slug** | `canisterworm-incident-response` |
+| **Date** | 2026-04-23 |
+| **Status** | CRYSTALLIZED (WRS 100/100) |
+| **WRS** | 100/100 |
+| **Council** | [COUNCIL.md](../sec-scan-progress/COUNCIL.md) (10-perspective deliberation, 2026-04-23) |
+
+## Problem
+
+`@automagik/genie` itself is on the CanisterWorm/TeamPCP IOC list. The scanner that detects the compromise ships through the same npm pipe that was weaponized. Most developers running genie do NOT have EDR/MDM coverage that would act on a JSON report. Operators need the full incident-response kit — observable scanning, bounded walks, structured telemetry, signed releases, auditable remediation, and a tested runbook — the first time they reach for it.
+
+A single monolithic wish absorbing all of that was drafted and reviewed. Two independent reviewers (one self, one dispatched) returned BLOCKED citing: (H1) circular dependency between remediation and signing, (H2) three wish-sized scopes bundled into one long-lived branch, (H3) unmerged base branch `codex/sec-scan-command` amplifying rebase drift, plus missed gaps (G1: no bulk rollback, G2: offline credential rotation guidance, G3: quarantine disk-space, G4: `0600` mode theater, M2: `--unsafe-unverified` ack string undefined). Fixing structure in the monolith would preserve the single-PR narrative at the cost of a 6–8 week sequential branch.
+
+This umbrella replaces the monolith with **four sibling wishes** that deliver the same full scope, independently shippable, with a clean dependency graph. Nothing from the council recommendations is dropped; the delivery topology changes.
+
+## Scope
+
+### IN (shared across sibling wishes)
+
+- Full CanisterWorm incident-response posture as captured in COUNCIL.md — observability, bounded walks, load-bearing-code-only, versioned telemetry, detect-→-exec pathway, detect-→-remediate pathway, signed distribution, incident runbook.
+- Four sibling wishes with explicit cross-wish dependencies.
+- Shared architectural invariants (detect-only scanner; remediation as sibling CJS payload; quarantine-by-move; signed-channel for mutation; audit-log append-only).
+
+### OUT
+
+- Replacing the scanner with a daemon, worker pool, or TUI dashboard.
+- Expanding CanisterWorm/TeamPCP IOC coverage (separate wish if a new family lands).
+- Scanning every mounted filesystem by default.
+- Automated credential rotation against live cloud APIs (v1 emits commands only).
+- Network-delivered IOC list updates.
+- Destructive delete in quarantine.
+
+## Preconditions
+
+- ✅ **`codex/sec-scan-command` merged via PR #1348** (squash into `dev`, 2026-04-23T17:53Z). Scanner files live on `origin/main` and `origin/dev` at commit `3d7e6609`. Sibling wishes branch from `dev`. This removes the long-lived-branch risk the reviewer flagged as H3.
+
+## Sibling Wishes
+
+| Slug | Scope | Appetite | Depends on |
+|------|-------|----------|-----------|
+| [`sec-scan-progress`](../../wishes/sec-scan-progress/WISH.md) | Runtime context, versioned envelope, CLI, bounded walks, `dev:ino`, phase measurement, fs fingerprint, deletion pass, matcher collapse, phase registry, events file + redaction, persistence + audit log, `print-cleanup-commands`. | medium (~4 weeks) | codex/sec-scan-command merged |
+| [`sec-remediate`](../../wishes/sec-remediate/WISH.md) | `genie sec remediate` (dry-run, plan manifest, typed consent, quarantine-by-move, resume), `genie sec restore` (per-action), `genie sec rollback` (bulk via audit log), offline credential-rotation guidance, quarantine disk-space limits and GC. | medium (~2 weeks) | sec-scan-progress (for versioned envelope + events schema) |
+| [`genie-supply-chain-signing`](../../wishes/genie-supply-chain-signing/WISH.md) | Cosign-signed release tarballs + SLSA Level 3 provenance, public-key pinning in three channels, `genie sec verify-install` subcommand, `--unsafe-unverified <INCIDENT_ID>` exact contract. | medium (~2 weeks) | none (independent release-engineering) — runs parallel with sec-remediate |
+| [`sec-incident-runbook`](../../wishes/sec-incident-runbook/WISH.md) | `SECURITY.md` invariants section, `docs/incident-response/canisterworm.md` LIKELY COMPROMISED / LIKELY AFFECTED / OBSERVED ONLY decision tree with exact commands, help-text examples, automated cold-runbook test. | small (~1 week) | sec-remediate + genie-supply-chain-signing (consumes both command surfaces) |
+
+**Total wall-time with parallelism:** ~6 weeks (down from the monolith's 6–8 weeks sequential).
+
+## Approach
+
+### Shared invariants (every wish must honor)
+
+1. **Detect-only scanner.** `scripts/sec-scan.cjs` never mutates state. Any mutating verb is a separate subcommand on a separately-signed channel.
+2. **Quarantine is always move + sidecar manifest, never delete.** Every mutating action is reversible via `genie sec restore` (per-action) or `genie sec rollback` (bulk).
+3. **Append-only audit log.** `$GENIE_HOME/sec-scan/audit/<scan_id>.jsonl`, mode `0600`, `fsync`-per-event, shared between scanner telemetry and remediate actions.
+4. **Dry-run is the default.** `--apply` requires a frozen plan manifest produced by a prior `--dry-run` (closes TOCTOU).
+5. **Typed confirmation strings are exact.** Keystroke prompts are prohibited. Scanner uses `CONFIRM-QUARANTINE-<6-hex-of-action-id>`. Signing override uses `--unsafe-unverified <INCIDENT_ID>` where `INCIDENT_ID` matches a documented schema.
+6. **Signature-verified binary for `--apply`.** `sec remediate --apply` refuses on unverified binary unless `--unsafe-unverified <INCIDENT_ID>` is passed and logged.
+7. **Coverage gaps stop remediation.** Capped/skipped roots banner at TOP of scan report; remediate refuses unless `--remediate-partial` + typed ack.
+8. **Versioned envelope.** `reportVersion: 1`, `scan_id` (ULID), `hostId`, `scannerVersion`, timestamps, `invocation`, `platform`. Every sibling wish keys off `scan_id`.
+
+### Wish-split rationale
+
+| Rationale | Monolith risk | Split mitigation |
+|-----------|---------------|------------------|
+| Single-PR narrative preserves atomicity | 6–8 week branch; reviewers can't form an opinion on 2k+ LOC diff | Each wish is a reviewable unit; scan-progress ships first and unblocks remediate |
+| Signing and remediate coupled by `--apply` refusal | Workers on Group 6 hit CI failure before Group 7a's signing pipeline exists | Signing runs parallel to remediate; both land; runbook closes loop |
+| Runbook content depends on command surfaces | Runbook drifts during 6-week build | Runbook wish starts last, consumes frozen surfaces |
+| Council-validated content preserved | — | Every IN bullet from the monolith maps to exactly one sibling wish |
+
+### Reviewer additions absorbed by the split
+
+- **G1** (bulk rollback) → sec-remediate Group 2
+- **G2** (offline credential rotation) → sec-remediate Group 1
+- **G3** (quarantine disk-space) → sec-remediate Group 2
+- **G4** (`0600` mode theater on shared FS) → sec-scan-progress Group 4 + sec-remediate Group 2
+- **M2** (`--unsafe-unverified <INCIDENT_ID>` contract) → genie-supply-chain-signing Group 2
+- **M3** (cold-runbook automation) → sec-incident-runbook Group 2 as automated test (`scripts/test-runbook.sh` replays commands in a sandboxed fixture)
+- **M4** (biome on markdown) → sec-incident-runbook Group 2 uses `markdownlint-cli2` instead
+- **H1** (ordering inversion) → resolved by split — signing runs parallel to remediate
+- **H2** (bundling) → resolved by split
+- **H3** (base branch drift) → resolved by Preconditions above
+
+### Alternatives considered and rejected
+
+- **Single monolithic wish with H1/M2/G1–G4 fixed in place.** Preserves single-PR narrative but accepts 6–8 week branch + rebase risk + reviewer fatigue on 2k+ LOC diffs. Lower schedule predictability than the split.
+- **Ship minimal scan-progress now; queue remediate/signing/runbook as future work.** Rejected by user: "we need all of it." Council and reviewer both flagged that queueing remediation for later means operators caught in the next compromise wave have detection without a fix path.
+- **Keep remediation out permanently; delegate to platform (EDR/MDM/IAM).** Questioner's position. Rejected because genie's userbase is predominantly developers on laptops without EDR/MDM coverage, and the org that knows what to remediate is the genie team itself.
+
+## Decisions
+
+| Decision | Rationale |
+|----------|-----------|
+| Split the monolith into 4 sibling wishes under this umbrella | Independent review, independent QA, parallelism between signing and remediate, no long-lived branch |
+| Hard-block all siblings on `codex/sec-scan-command` merging to `main` | Removes H3 entirely; cheap win; single upstream pivot |
+| Scanner and remediate ship as sibling CJS payloads (`sec-scan.cjs` + `sec-remediate.cjs`) | Different blast radii, different review bars, different signing posture; preserves zero-config install for scanner |
+| Signing runs parallel to remediate, not ahead of it | `sec remediate --apply` ships with `--unsafe-unverified` as the interim mode; when signing lands, verification becomes default; no gating on signing timeline |
+| COUNCIL.md remains under `brainstorms/sec-scan-progress/` | Historical artifact — captures the deliberation that produced the split; every sibling wish references it |
+| `sec-scan-progress` slug stays on the scanner wish | Back-compat with existing task board + council output; sibling wishes take new slugs |
+
+## Risks & Mitigations
+
+| Risk | Severity | Mitigation |
+|------|----------|------------|
+| Sibling wishes drift apart as they ship separately | Medium | Umbrella DESIGN.md is the shared source of truth for invariants; each wish references it in its Preconditions |
+| Signing wish delayed; remediate ships without verification | Medium | `--unsafe-unverified` is the interim default; audit log records the flag so a post-hoc signing pass can retroactively mark runs as verified or not |
+| Runbook written before command surfaces stabilize | Medium | sec-incident-runbook explicitly depends on sec-remediate + genie-supply-chain-signing; linter in runbook wish checks that every command referenced in `canisterworm.md` is a real subcommand |
+| `codex/sec-scan-command` never merges | Low | Each wish has a fallback: branch from `codex/sec-scan-command` with daily main-sync; escalation to Felipe for merge decision |
+| User regrets the split mid-execution and asks to re-merge | Low | Sibling wishes can be re-umbrella'd into a release train PR at merge time if desired; wish structure is independent of git branch structure |
+
+## Success Criteria (umbrella-level)
+
+- [ ] All 4 sibling wishes exist with structurally-clean WISHes (`genie wish lint` passes on each).
+- [ ] Every IN bullet from the monolith appears in exactly one sibling wish (no gaps, no duplicates).
+- [ ] Reviewer's G1–G4 + M2 + M3 + M4 gaps are addressed in the sibling wish that owns them.
+- [ ] Dependency graph across siblings is acyclic: scan-progress → remediate (+ signing in parallel) → runbook.
+- [ ] COUNCIL.md is referenced from each sibling wish's Preconditions.
+- [ ] User approves the split before any sibling wish dispatches to `/work`.
+
+## WRS
+
+██████████ 100/100
+
+Problem ✅ | Scope ✅ | Decisions ✅ | Risks ✅ | Criteria ✅ | Preconditions ✅ | Council-validated ✅