
docs(sec): CanisterWorm umbrella + 4 APPROVED sibling wishes #1360

Merged: namastex888 merged 1 commit into dev from wish/canisterworm-incident-response-umbrella, Apr 23, 2026

@namastex888
Contributor

Summary

Splits the monolithic sec-scan-progress wish into 4 parallel-shippable sibling wishes under the canisterworm-incident-response umbrella after dual-reviewer BLOCKED verdict on the monolith.

Why the split

| Reviewer block | Resolution |
| --- | --- |
| H1: circular dependency between sec remediate --apply and release signing | Signing runs parallel to remediate; explicit merge gate on signing G2 before remediate G1 integration tests |
| H2: three wish-sized scopes bundled in one long-lived branch | 4 independently-reviewable wishes, ~6 week wall-time with parallelism (was 6–8 seq) |
| H3: unmerged codex/sec-scan-command base | ✅ merged via #1348; siblings branch from dev |
| G1/G2/G3/G4/M2/M3/M4 gaps | Every gap mapped to a specific sibling wish group (see umbrella DESIGN.md) |

Artifacts shipped in this PR

  • `.genie/brainstorms/canisterworm-incident-response/DESIGN.md` — umbrella (WRS 100/100)
  • `.genie/brainstorms/sec-scan-progress/{DESIGN,DRAFT}.md` — source material
  • `.genie/wishes/sec-scan-progress/WISH.md` — APPROVED, 5 groups, G1 already shipped on `wish/sec-scan-progress@7d02e3b` (pending fresh reviewer pass before merge)
  • `.genie/wishes/sec-scan-progress/REVIEW_GROUP_1.md` — provisional SHIP verdict captured from interrupted prior session
  • `.genie/wishes/sec-remediate/WISH.md` — APPROVED, 2 groups
  • `.genie/wishes/genie-supply-chain-signing/WISH.md` — APPROVED, 2 groups
  • `.genie/wishes/sec-incident-runbook/WISH.md` — APPROVED, 2 groups

Key plan edits vs. the drafts that were staged overnight

  • Dropped hardware-backed fallback-key scope from `genie-supply-chain-signing` (OIDC-keyless via GitHub Actions is sufficient for v1). Fallback-key infrastructure deferred to a follow-up wish if Sigstore availability ever warrants it. Per Felipe 2026-04-23.
  • Replaced two-officer signing ceremony with OIDC-identity rotation procedure (no private key exists to ceremonially generate).
  • Explicit merge gate on `sec-remediate`: G1 integration tests (apply-mode CI gate) are blocked on `genie-supply-chain-signing` G2 merging to `dev`. Pre-merge builds use `--unsafe-unverified <INCIDENT_ID>` placeholder. Fixes the Group 6/7 CI-failure trap flagged in the prior review session.
  • All 4 wish statuses flipped DRAFT → APPROVED.

Execution pipeline after merge

  1. Fresh reviewer dispatch on `wish/sec-scan-progress@7d02e3b` (validates the 6 G1 acceptance criteria end-to-end, re-runs tests).
  2. On SHIP, squash-merge `wish/sec-scan-progress` to `dev`; dispatch G2 engineer.
  3. In parallel: dispatch `genie-supply-chain-signing` G1 engineer off `dev` (independent of scanner progress).
  4. After `sec-scan-progress` fully ships: dispatch `sec-remediate` engineers.
  5. After `sec-remediate` + `genie-supply-chain-signing` both ship: dispatch `sec-incident-runbook` engineers.

Test plan

  • `genie wish lint` passes on all 4 WISH.md files
  • Umbrella DESIGN.md dependency graph verified acyclic
  • Every IN bullet from the monolith maps to exactly one sibling (no gaps, no dupes)
  • `@automagik/genie@next` channel publishes cleanly after merge (no code changes, docs-only PR)

🤖 Generated with Claude Code

Splits monolithic sec-scan-progress into 4 parallel-shippable siblings
after dual-reviewer BLOCKED verdict on the monolith (H1 circular dep,
H2 three wish-sized scopes bundled, H3 unmerged base branch).

Artifacts:
- .genie/brainstorms/canisterworm-incident-response/DESIGN.md (umbrella)
- .genie/brainstorms/sec-scan-progress/{DESIGN,DRAFT}.md (source)
- .genie/wishes/sec-scan-progress/WISH.md (APPROVED, 5 groups)
- .genie/wishes/sec-scan-progress/REVIEW_GROUP_1.md (provisional SHIP)
- .genie/wishes/sec-remediate/WISH.md (APPROVED, 2 groups)
- .genie/wishes/genie-supply-chain-signing/WISH.md (APPROVED, 2 groups)
- .genie/wishes/sec-incident-runbook/WISH.md (APPROVED, 2 groups)
- .genie/brainstorm.md (sibling index entry)

Plan edits vs overnight drafts:
- Dropped fallback-key scope from signing (OIDC-keyless sufficient v1)
- Replaced two-officer ceremony with OIDC-identity rotation procedure
- Explicit merge gate: remediate G1 integration tests blocked on
  signing G2 landing on dev (fixes the G6/G7 CI-failure trap)
- Flipped all 4 wish statuses DRAFT to APPROVED

Next: dispatch reviewer on wish/sec-scan-progress to validate G1.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@namastex888 namastex888 force-pushed the wish/canisterworm-incident-response-umbrella branch from 61a7203 to ada610b Compare April 23, 2026 21:39
@coderabbitai

coderabbitai Bot commented Apr 23, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@namastex888 namastex888 merged commit c54053e into dev Apr 23, 2026
7 checks passed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 61a7203f34


| **Repos touched** | `automagik-dev/genie` |
| **Umbrella** | [canisterworm-incident-response/DESIGN.md](../../brainstorms/canisterworm-incident-response/DESIGN.md) |
| **Design** | [DESIGN.md](../../brainstorms/sec-scan-progress/DESIGN.md) |
| **Council** | [COUNCIL.md](../../brainstorms/sec-scan-progress/COUNCIL.md) |

P1: Fix broken council link target in sibling wish headers

The new council links point to ../../brainstorms/sec-scan-progress/COUNCIL.md, but that file is not present in the repo, so bun run wishes:lint now fails and the standard check pipeline is blocked. This same missing target is repeated across the four new sibling wishes, so either the COUNCIL.md artifact must be committed or these header links must be updated to an existing path.



@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a comprehensive incident response framework for the CanisterWorm compromise, splitting a previously monolithic plan into four distinct, parallelizable wishes: scanner progress and observability, auditable remediation (quarantine and rollback), supply-chain signing using Cosign and SLSA, and a formal incident runbook. The changes include detailed design documents, execution strategies, and success criteria for each component. Feedback provided addresses regex inconsistencies for incident IDs in the signing wish, filesystem compatibility issues for quarantine directories on Windows, and the use of more effective AWS credential revocation commands in the remediation templates.

- Verification is offline-capable: pinned key travels with the package; cosign verify runs without network if `--offline` is passed (degrades to signature-only, no transparency-log check).

**`--unsafe-unverified <INCIDENT_ID>` exact contract**
- `INCIDENT_ID` must match regex `^[A-Z]+_[0-9]{4}_[0-9]{2}_[0-9]{2}(_[A-Za-z0-9_]+)?$` (e.g., `BURNED_KEY_2026_04_23`, `CI_PRE_SIGNING_2026_04_23_TEST_HARNESS`).

medium

The specified regex ^[A-Z]+_[0-9]{4}_[0-9]{2}_[0-9]{2} is inconsistent with the provided examples (e.g., BURNED_KEY_2026_04_23). The regex only allows a single uppercase word before the date, whereas the examples contain multiple words separated by underscores. Updating the regex to allow multiple prefix segments will ensure the contract matches the intended usage.

Suggested change
- `INCIDENT_ID` must match regex `^[A-Z]+_[0-9]{4}_[0-9]{2}_[0-9]{2}(_[A-Za-z0-9_]+)?$` (e.g., `BURNED_KEY_2026_04_23`, `CI_PRE_SIGNING_2026_04_23_TEST_HARNESS`).
- INCIDENT_ID must match regex ^[A-Z]+_[0-9]{4}_[0-9]{2}_[0-9]{2}(_[A-Za-z0-9_]+)?$ (e.g., BURNED_KEY_2026_04_23, CI_PRE_SIGNING_2026_04_23_TEST_HARNESS).
+ INCIDENT_ID must match regex ^([A-Z]+_)+[0-9]{4}_[0-9]{2}_[0-9]{2}(_[A-Za-z0-9_]+)?$ (e.g., BURNED_KEY_2026_04_23, CI_PRE_SIGNING_2026_04_23_TEST_HARNESS).
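Review bot: the date segments in the suggested pattern, `[0-9]{4}_[0-9]{2}_[0-9]{2}`, accept values that are not dates (for example `2026_13_45`), and because the suffix class `[A-Za-z0-9_]` includes the underscore, an ID ending in `_23__` still matches. This ID is the audit record for an `--unsafe-unverified` bypass, so consider `(_[A-Za-z0-9]+)*` for the suffix and a calendar check on the captured date after the regex match.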


**Deliverables:**
1. `src/sec/unsafe-verify.ts` helper module:
- Exports `INCIDENT_ID_REGEX` = `/^[A-Z]+_[0-9]{4}_[0-9]{2}_[0-9]{2}(_[A-Za-z0-9_]+)?$/`.

medium

This regex definition has the same inconsistency as noted in the summary section. It should be updated to support multi-word prefixes as shown in the test cases.

Suggested change
- Exports `INCIDENT_ID_REGEX` = `/^[A-Z]+_[0-9]{4}_[0-9]{2}_[0-9]{2}(_[A-Za-z0-9_]+)?$/`.
- Exports INCIDENT_ID_REGEX = /^([A-Z]+_)+[0-9]{4}_[0-9]{2}_[0-9]{2}(_[A-Za-z0-9_]+)?$/.
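Review bot: this line restates the pattern literal that the contract bullet already spells out, so the two copies can drift the next time the pattern changes. Keep the literal only on the `INCIDENT_ID_REGEX` export and have the contract text refer to it by name; the two example IDs from the contract (`BURNED_KEY_2026_04_23`, `CI_PRE_SIGNING_2026_04_23_TEST_HARNESS`) belong in the helper's tests as must-match cases.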

- Prompt text per action: IOC hit, absolute path, action verb, sha256 prefix, one-line reason.

**Quarantine semantics**
- Quarantine is atomic `rename` into `~/.genie/sec-scan/quarantine/<iso-timestamp>/<action_id>/<original-basename>`.

medium

Using a raw ISO timestamp in a directory name will cause failures on Windows systems (including NTFS and FAT32) because colons are prohibited in filenames. It is recommended to use a filesystem-safe timestamp format (e.g., YYYYMMDD-HHMMSS) or to explicitly state that colons must be replaced.

Suggested change
- Quarantine is atomic `rename` into `~/.genie/sec-scan/quarantine/<iso-timestamp>/<action_id>/<original-basename>`.
- Quarantine is atomic rename into ~/.genie/sec-scan/quarantine/<iso-timestamp>/<action_id>/<original-basename>.
+ Quarantine is atomic rename into ~/.genie/sec-scan/quarantine/<timestamp-safe>/<action_id>/<original-basename>.
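Review bot: `<timestamp-safe>` on the added line names no format, so each implementation can pick its own and the quarantine tree stops being predictable for rollback and audit. State the format in the wish, for example UTC `YYYYMMDD-HHMMSS` as proposed in the comment above, which contains no colon and sorts lexically. Separately, `rename` is atomic only within one filesystem; a file on a different mount than `~/.genie` fails with EXDEV, and the wish should say what happens in that case.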


**Credential rotation (command-emission only in v1)**
- `--apply` on a credential-rotation finding prints exact rotation commands to stdout and appends them to the audit log. Never calls APIs.
- Per-provider templates: npm (`npm token revoke`, with `npm token list` preamble), GitHub (`gh auth refresh --scopes` + manual URL for PAT rotation), cloud IAM (`aws sts get-caller-identity`, `gcloud auth revoke`, `az logout`), Anthropic/OpenAI (manual web-UI URLs with warning that no CLI rotation exists).

medium

The command aws sts get-caller-identity is an informational command that returns the current identity but does not perform any revocation or rotation. To align with the other examples (gcloud auth revoke, az logout), consider suggesting a command that actually disables the credentials, such as aws iam update-access-key --access-key-id <ID> --status Inactive (after using get-caller-identity to find the ID).

Suggested change
- Per-provider templates: npm (`npm token revoke`, with `npm token list` preamble), GitHub (`gh auth refresh --scopes` + manual URL for PAT rotation), cloud IAM (`aws sts get-caller-identity`, `gcloud auth revoke`, `az logout`), Anthropic/OpenAI (manual web-UI URLs with warning that no CLI rotation exists).
- Per-provider templates: npm (npm token revoke, with npm token list preamble), GitHub (gh auth refresh --scopes + manual URL for PAT rotation), cloud IAM (aws sts get-caller-identity, gcloud auth revoke, az logout), Anthropic/OpenAI (manual web-UI URLs with warning that no CLI rotation exists).
+ Per-provider templates: npm (npm token revoke, with npm token list preamble), GitHub (gh auth refresh --scopes + manual URL for PAT rotation), cloud IAM (aws iam update-access-key --status Inactive, gcloud auth revoke, az logout), Anthropic/OpenAI (manual web-UI URLs with warning that no CLI rotation exists).
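Review bot: the added template `aws iam update-access-key --status Inactive` omits `--access-key-id`, which the command requires, so it is not the exact rotation command that the bullet above promises to print. Emit `aws iam update-access-key --access-key-id <ID> --status Inactive`, and keep an identification step in front of it the way `npm token list` precedes `npm token revoke`; note that `aws sts get-caller-identity` returns the account and ARN, while the key IDs come from `aws iam list-access-keys`.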

namastex888 added a commit that referenced this pull request Apr 23, 2026
…d contract (genie-supply-chain-signing)

G1 — Release signing pipeline:
- .github/workflows/release.yml: cosign KEYLESS signing + SLSA L3 provenance,
  signed before GitHub Release publish; self-verify + tamper-detection self-test
  gate the release. No long-lived fallback key anywhere.
- .github/cosign.pub: explicit NO-PINNED-KEY sentinel (not a PEM); documents
  the keyless contract and instructs tooling to fail closed on the sentinel.
- .github/ISSUE_TEMPLATE/signing-key-fingerprint.md: redirects pinned-key
  questions toward certificate-identity + OIDC-issuer verification.
- scripts/verify-release.sh: operator-facing verification script pinning
  cert-identity-regexp + cert-oidc-issuer + provenance source-uri.
- package.json: expose `bun run verify:release` alias.

G2 — verify-install subcommand + --unsafe-unverified contract:
- src/sec/unsafe-verify.ts: single source of truth for --unsafe-unverified
  <INCIDENT_ID>: INCIDENT_ID_REGEX, TYPED_ACK_PREFIX, LEGITIMATE_CONTEXTS,
  validateUnsafeUnverified. Council-mandated (M2→HIGH) to prevent divergent
  implementations eroding friction.
- src/sec/unsafe-verify.test.ts: 35 tests covering regex edges, ack format,
  legitimate-context enumeration.
- src/term-commands/sec.ts: `genie sec verify-install` — cosign verify-blob +
  slsa-verifier verify-artifact, pinned identity + OIDC issuer, --offline/
  --json/--tarball/--bundle-dir flags. Public exit-code contract: VERIFIED(0),
  SIGNATURE_INVALID(2), SIGNER_IDENTITY_MISMATCH(3), PROVENANCE_INVALID(4),
  NO_SIGNATURE_MATERIAL(5), MISSING_BINARY(127). Sentinel detected → exit 5.
- src/term-commands/sec.test.ts: 18 tests, including the sentinel→exit-5 guard.
- docs/security/key-rotation.md: operator runbook for cosign keyless — there
  is no "key" to rotate, only cert-identity or OIDC-issuer changes.

Follow-up: sec-remediate (#1361) currently holds a stub validator for its
--unsafe-unverified flag; a separate integration PR will wire that flag to
validateUnsafeUnverified from src/sec/unsafe-verify.ts. scripts/sec-scan.cjs
and scripts/sec-remediate.cjs are intentionally untouched in this PR.

Unblocks sec-incident-runbook (last wish in the canisterworm umbrella #1360).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
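
The `INCIDENT_ID` contract from the review thread above, as an added example (not the project's `src/sec/unsafe-verify.ts`): it runs the original and the suggested pattern against the two IDs quoted in the wish text, then applies a stricter check. `STRICT_REGEX`, `checkIncidentId`, `compare` and every sample ID after the first two are assumptions made for illustration.

```typescript
// Added example; not the contents of src/sec/unsafe-verify.ts.
// Both patterns below are copied from the review thread.
const ORIGINAL_REGEX = /^[A-Z]+_[0-9]{4}_[0-9]{2}_[0-9]{2}(_[A-Za-z0-9_]+)?$/;
const SUGGESTED_REGEX = /^([A-Z]+_)+[0-9]{4}_[0-9]{2}_[0-9]{2}(_[A-Za-z0-9_]+)?$/;

// Hypothetical stricter shape: date parts captured, and every suffix segment
// must be non-empty, so a doubled trailing underscore no longer matches.
const STRICT_REGEX = /^(?:[A-Z]+_)+([0-9]{4})_([0-9]{2})_([0-9]{2})(?:_[A-Za-z0-9]+)*$/;

interface Verdict { ok: boolean; reason: string }

// Hypothetical validator: shape first, then a calendar check, because
// [0-9]{2} on its own accepts month 13 or day 45.
function checkIncidentId(id: string): Verdict {
  const m = STRICT_REGEX.exec(id);
  if (m === null) return { ok: false, reason: "shape" };
  const y = Number(m[1]);
  const mo = Number(m[2]);
  const d = Number(m[3]);
  // Date.UTC normalises out-of-range parts; a round trip exposes that.
  const dt = new Date(Date.UTC(y, mo - 1, d));
  const real = dt.getUTCFullYear() === y && dt.getUTCMonth() === mo - 1 && dt.getUTCDate() === d;
  return real ? { ok: true, reason: "ok" } : { ok: false, reason: "date" };
}

// Constructed inputs; the first two are the example IDs from the wish text.
const SAMPLES: string[] = [
  "BURNED_KEY_2026_04_23",
  "CI_PRE_SIGNING_2026_04_23_TEST_HARNESS",
  "INCIDENT_2026_04_23",      // single-word prefix
  "BURNED_KEY_2026_13_45",    // impossible month and day
  "BURNED_KEY_2026_02_29",    // 2026 is not a leap year
  "BURNED_KEY_2026_04_23__",  // doubled trailing underscore
  "burned_key_2026_04_23",    // lowercase prefix
];

function compare(ids: string[]) {
  return ids.map((id) => ({
    id,
    original: ORIGINAL_REGEX.test(id),
    suggested: SUGGESTED_REGEX.test(id),
    strict: checkIncidentId(id).reason,
  }));
}

console.table(compare(SAMPLES));
```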
namastex888 added a commit that referenced this pull request Apr 28, 2026
Splits monolithic sec-scan-progress into 4 parallel-shippable siblings
after dual-reviewer BLOCKED verdict on the monolith (H1 circular dep,
H2 three wish-sized scopes bundled, H3 unmerged base branch).

Artifacts:
- .genie/brainstorms/canisterworm-incident-response/DESIGN.md (umbrella)
- .genie/brainstorms/sec-scan-progress/{DESIGN,DRAFT}.md (source)
- .genie/wishes/sec-scan-progress/WISH.md (APPROVED, 5 groups)
- .genie/wishes/sec-scan-progress/REVIEW_GROUP_1.md (provisional SHIP)
- .genie/wishes/sec-remediate/WISH.md (APPROVED, 2 groups)
- .genie/wishes/genie-supply-chain-signing/WISH.md (APPROVED, 2 groups)
- .genie/wishes/sec-incident-runbook/WISH.md (APPROVED, 2 groups)
- .genie/brainstorm.md (sibling index entry)

Plan edits vs overnight drafts:
- Dropped fallback-key scope from signing (OIDC-keyless sufficient v1)
- Replaced two-officer ceremony with OIDC-identity rotation procedure
- Explicit merge gate: remediate G1 integration tests blocked on
  signing G2 landing on dev (fixes the G6/G7 CI-failure trap)
- Flipped all 4 wish statuses DRAFT to APPROVED

Next: dispatch reviewer on wish/sec-scan-progress to validate G1.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>