admin / Synapse-Cortex
publicSelf Hosted ITSM Tool with RBAC/Tenanting and MFA
Synapse-Cortex / Synapse-Cortexv2 / playbooks / vuln-remediation-hitl-linux.json
3539 B · main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 | { "name": "Human-in-the-Loop Vulnerability Remediation v2 (Linux/apt)", "enabled": true, "allowed_target_os": ["linux"], "required_approval_level": "human_in_the_loop", "forbidden_commands": [ "apt-get remove", "apt-get purge", "do-release-upgrade", "dist-upgrade" ], "acknowledged_dangerous_commands": ["host_power"], "graph_json": { "meta": { "playbook_kind": "vuln_remediation_hitl", "version": 2, "engine_notes": "The strings in data.command are PREDEFINED and IMMUTABLE. The AI assistant executes them verbatim and must never invent, alter, or choose a scan command. The ONLY AI-authored value in this graph is the {{command}} token on the 'remediate' node, and even that is re-checked by guardrails and gated on a human Approve click. v2 changes: (1) the predefined scans use 'apt-get -s upgrade' (a safe, read-only simulate) so they no longer collide with this playbook's own 'dist-upgrade' forbidden string and self-block; (2) 'host_power' is acknowledged so an AI-proposed reboot after patching (e.g. a kernel/glibc CVE) reaches mandatory human review instead of being auto-blocked - it still never runs without an explicit Approve click.", "scan_command_id": "phase1_discover" }, "nodes": [ { "id": "start", "type": "start", "data": {}, "position": { "x": 250, "y": 0 } }, { "id": "phase1_discover", "type": "command", "data": { "label": "Phase 1 — Discovery scan (predefined)", "phase": "discovery", "stage": "pre_approval", "immutable": true, "capture_as": "baseline_scan", "command": "apt-get update -qq >/dev/null 2>&1; apt-get -s upgrade 2>/dev/null | awk '/^Inst/{print $2}' | sort -u" }, "position": { "x": 250, "y": 130 } }, { "id": "gate_triage", "type": "condition", "data": { "label": "Phase 2 — High/Critical findings present?", "phase": "triage", "stage": "pre_approval", "expression": "severity in ('CRITICAL','HIGH')" }, "position": { "x": 250, "y": 260 } }, { "id": "phase4_remediate", "type": "command", "data": { "label": "Phase 4 — Targeted remediation (approved only)", "phase": "remediation", "stage": "post_approval", "immutable": false, "ai_authored": true, "command": "{{command}}" }, "position": { "x": 250, "y": 390 } }, { "id": "phase5_verify", "type": "command", "data": { "label": "Phase 5 — Verification re-scan (same as Phase 1)", "phase": "verification", "stage": "post_approval", "immutable": true, "capture_as": "verify_scan", "same_command_as": "phase1_discover", "command": "apt-get update -qq >/dev/null 2>&1; apt-get -s upgrade 2>/dev/null | awk '/^Inst/{print $2}' | sort -u" }, "position": { "x": 250, "y": 520 } } ], "edges": [ { "id": "e_start_discover", "source": "start", "target": "phase1_discover" }, { "id": "e_discover_gate", "source": "phase1_discover", "target": "gate_triage" }, { "id": "e_gate_remediate", "source": "gate_triage", "target": "phase4_remediate", "sourceHandle": "true" }, { "id": "e_remediate_verify", "source": "phase4_remediate", "target": "phase5_verify" } ] } } |