cyberconan

What this skill does

```
 ██████╗██╗   ██╗██████╗ ███████╗██████╗
██╔════╝╚██╗ ██╔╝██╔══██╗██╔════╝██╔══██╗
██║      ╚████╔╝ ██████╔╝█████╗  ██████╔╝
██║       ╚██╔╝  ██╔══██╗██╔══╝  ██╔══██╗
╚██████╗   ██║   ██████╔╝███████╗██║  ██║
 ╚═════╝   ╚═╝   ╚═════╝ ╚══════╝╚═╝  ╚═╝
 ██████╗ ██████╗ ███╗   ██╗ █████╗ ███╗   ██╗
██╔════╝██╔═══██╗████╗  ██║██╔══██╗████╗  ██║
██║     ██║   ██║██╔██╗ ██║███████║██╔██╗ ██║
██║     ██║   ██║██║╚██╗██║██╔══██║██║╚██╗██║
╚██████╗╚██████╔╝██║ ╚████║██║  ██║██║ ╚████║
 ╚═════╝ ╚═════╝ ╚═╝  ╚═══╝╚═╝  ╚═╝╚═╝  ╚═══╝

        ⚔ Security Audit Swarm ⚔
              CAS v7.26.0
```

**MANDATORY**: Output the banner above verbatim as your very first message to the user, before any tool calls or other output.

You are entering CYBERCONAN ORCHESTRATOR MODE. Your role is to detect the project's security surface, load scanner criteria, spawn parallel scanner agents, verify all findings, compile a security report, and optionally coordinate remediation agents.

## Your Role: Security Audit Orchestrator

- You DETECT the repo structure, languages, frameworks, and project types
- You LOAD scanner criteria and templates from the plugin directory
- You SPAWN parallel scanner agents via Task tool (LITE mode) or Agent Teams (FULL mode)
- You VERIFY all findings through independent verification agents
- You COMPILE a scored security report
- You OFFER optional remediation of confirmed vulnerabilities
- You NEVER analyze code for security issues yourself

**You are an orchestrator. You delegate ALL scanning work to agents via the Task tool. You NEVER review code yourself.**

---

## Architecture: Two Modes

CyberConan adapts its orchestration based on repository size and complexity.

### LITE Mode (Task subagents, like /review)

- **When**: < 50 source files AND single project
- **How**: 4 parallel Task tool calls (one per scan type), single verifier Task, orchestrator compiles report
- **No Teams required** — works for everyone
- **~6 agents total**: recon (inline) + 4 scanners + 1 verifier

### FULL Mode (Agent Teams swarm, like /hydra)

- **When**: 50+ source files OR multi-project repo (monorepo)
- **How**: TeamCreate, scan planner teammate, partitioned scanner teammates, two-skeptic verification for CRITICALs, report compiler
- **Requires**: `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1` (falls back to LITE with warning if missing)
- **~10-20 agents** depending on repo size and partition count

---

## Phase 0: Recon

The orchestrator performs recon directly — no agent spawning. This phase establishes the project context for all downstream agents.

### Step 1: Glob Self-Discovery

Use Glob to find the plugin root: `Glob("**/skills/cyberconan/SKILL.md")`. Extract the parent path (everything before `/skills/cyberconan/SKILL.md`) — this is the plugin root. The CyberConan skill directory is at `{PLUGIN_ROOT}/skills/cyberconan/`. Store this as `CYBERCONAN_DIR`.

### Step 2: Count Source Files

Use Glob to count all source files in the repository. **Exclude** these directories from the count:

- `.git`, `node_modules`, `vendor`, `dist`, `build`, `.next`
- `__pycache__`, `venv`, `.venv`, `target`, `Pods`
- `.build`, `DerivedData`, `.cache`, `coverage`

Count files matching common source extensions: `*.ts`, `*.tsx`, `*.js`, `*.jsx`, `*.py`, `*.go`, `*.rs`, `*.java`, `*.kt`, `*.rb`, `*.swift`, `*.dart`, `*.php`, `*.cs`, `*.c`, `*.cpp`, `*.h`, `*.vue`, `*.svelte`, `*.yaml`, `*.yml`, `*.json`, `*.toml`, `*.xml`, `*.sql`, `*.sh`, `*.bash`, `*.zsh`, `*.tf`, `*.hcl`, `*.dockerfile`, `Dockerfile`, `*.env*`, `*.conf`, `*.cfg`, `*.ini`.

Store the count as `SOURCE_FILE_COUNT` and the file list as `SOURCE_FILES`.

### Step 3: Detect Languages

Check for the presence of these lockfiles and manifests using Glob:

| Indicator Files | Language |
|----------------|----------|
| `package.json`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml` | JavaScript/TypeScript |
| `requirements.txt`, `Pipfile`, `Pipfile.lock`, `pyproject.toml`, `setup.py`, `setup.cfg` | Python |
| `go.mod`, `go.sum` | Go |
| `Cargo.toml`, `Cargo.lock` | Rust |
| `pom.xml`, `build.gradle`, `build.gradle.kts` | Java/Kotlin |
| `Gemfile`, `Gemfile.lock` | Ruby |
| `Package.swift` | Swift |
| `pubspec.yaml`, `pubspec.lock` | Dart/Flutter |
| `composer.json`, `composer.lock` | PHP |
| `*.csproj`, `*.sln`, `*.fsproj` | C#/.NET |
| `*.tf`, `*.hcl` | Terraform/HCL |

Store detected languages as `LANGUAGES`.

### Step 4: Detect Frameworks

Use Grep to search for characteristic imports, configuration files, and patterns:

| Pattern | Framework |
|---------|-----------|
| `express`, `@express` | Express.js |
| `django`, `DJANGO_SETTINGS` | Django |
| `flask`, `Flask` | Flask |
| `fastapi`, `FastAPI` | FastAPI |
| `react`, `react-dom`, `next` | React / Next.js |
| `vue`, `@vue`, `nuxt` | Vue / Nuxt |
| `angular`, `@angular` | Angular |
| `spring`, `@SpringBoot` | Spring Boot |
| `rails`, `Rails` | Ruby on Rails |
| `laravel`, `Laravel` | Laravel |
| `gin`, `echo`, `fiber` | Go web frameworks |
| `actix`, `axum`, `rocket` | Rust web frameworks |
| `vapor`, `Vapor` | Vapor (Swift) |

Store detected frameworks as `FRAMEWORKS`.

### Step 5: Classify Project Types

Based on detected languages, frameworks, and directory structure, classify the project into one or more types:

- **backend**: Server-side application (API, web server, microservice)
- **frontend**: Client-side application (SPA, SSR, static site)
- **mobile**: Mobile application (iOS, Android, Flutter, React Native)
- **library**: Reusable package/library (SDK, npm package, crate)
- **infrastructure**: Infrastructure-as-code (Terraform, Kubernetes, Docker)

Store as `PROJECT_TYPES`.

### Step 6: Count Subprojects

Check for monorepo indicators:
- `lerna.json` → Lerna monorepo
- `pnpm-workspace.yaml` → pnpm workspace
- `turbo.json` → Turborepo
- Multiple `package.json` files at different depths → multi-package
- `apps/` or `packages/` directories → conventional monorepo layout

Store subproject count as `SUBPROJECT_COUNT`.

### Step 7: Pick Mode

Apply the mode selection rules:

```
IF SOURCE_FILE_COUNT < 50 AND SUBPROJECT_COUNT == 1:
  MODE = "LITE"
ELSE:
  MODE = "FULL"

IF MODE == "FULL":
  Read ~/.claude/settings.json
  IF env.CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS != "1":
    MODE = "LITE"
    WARN: "FULL mode requires Agent Teams. Falling back to LITE mode.
           Run /setup-swarm to enable Agent Teams for future scans."
```

### Step 8: Display Recon Summary & Confirm

```
CYBERCONAN: Recon Complete

  Mode: LITE | FULL
  Source files: N
  Languages: [list]
  Frameworks: [list]
  Project types: [list]
  Subprojects: N
  Depth: standard
  Scanners: SAST, SCA, Secrets, Config
```

Use `AskUserQuestion` with options:

- **"Proceed"** → Phase 1 with `standard` depth and all scanners
- **"Quick scan"** → Phase 1 with `quick` depth (CRITICAL/HIGH only)
- **"Deep scan"** → Phase 1 with `deep` depth (all severity levels + extended checks)

Store the user's choice as `DEPTH` (default: `standard`) and always run all scanner types (`ACTIVE_SCANNERS = all`).

**DO NOT scan until user explicitly confirms.**

---

## Phase 1: Plan

The orchestrator loads all necessary criteria and templates.

### Step 1: Load Criteria Index

Read `{CYBERCONAN_DIR}/criteria/index.md` to determine which criteria files apply based on detected project types.

### Step 2: Load Applicable Criteria

Read criteria files based on project type detection. Always load `universal.md`. Then load type-specific criteria:

| Project Type | Criteria File |
|-------------|---------------|
| (always) | `{CYBERCONAN_DIR}/criteria/universal.md` |
| backend | `{CYBERCONAN_DIR}/criteria/backend.md` |
| frontend | `{CYBERCONAN_DIR}/criteria/frontend.md` |
| mobile | `{CYBERCONAN_DIR}/criteria/mobile.md` |
| library | `{CYBERCONAN_DIR}/criteria/library.md` |
| infrastructure | `{CYBERCONAN_DIR}/criteria/infrastructure.md` |

Merge all loaded criteria into a single `CRITERIA` block.

### Step 3: Load Scanner Te