
Add nation-state level security assessment module with PoC and risk scope#84

Open
kingassune wants to merge 4 commits intoConway-Research:mainfrom
kingassune:main

Conversation


@kingassune kingassune commented Feb 19, 2026

Adds a security assessment module that evaluates the automaton's defenses against APT-level threats across 10 attack vectors, with live proof-of-concept testing and CVSS-aligned risk scoring.

New module: src/security/

  • types.ts — Threat actors, attack vectors, severity levels, findings, PoC, and risk scope type definitions
  • threat-vectors.ts — 10 vector evaluators (prompt injection, supply chain, cryptographic, identity/auth, persistence tampering, lateral movement, exfiltration, financial manipulation, self-modification abuse, social engineering). Three vectors run live payloads against the injection defense pipeline; others perform static analysis
  • poc.ts — PoC generators that exercise sanitizeInput() with multi-stage attack payloads (boundary escape, authority spoofing, obfuscation chaining)
  • risk-scope.ts — Computes impact across CIA + financial + reputational dimensions, identifies cascading risks (e.g. supply chain → child agent propagation), and measures attack surface metrics
  • assessment.ts — Orchestrates evaluation and produces a formatted report

Usage

import { runSecurityAssessment, formatAssessmentReport } from './security/assessment.js';

const assessment = runSecurityAssessment(); // all 10 vectors, nation_state threat model
const report = formatAssessmentReport(assessment);
// assessment.overallRiskScore → 6.6/10.0 (MEDIUM)
// assessment.findings → 4 mitigated, 5 partially mitigated, 1 vulnerable

Key findings from the assessment

| Finding | CVSS | Status |
| --- | --- | --- |
| Multi-stage prompt injection (base64 obfuscation gap) | 9.8 | Vulnerable |
| Supply chain / skill loader unsigned code | 7.5 | Partial |
| Data exfiltration via curl (not in forbidden patterns) | 7.8 | Partial |
| Self-modification safety guardrails | 5.0 | Mitigated |
| Financial asset protection | 2.5 | Mitigated |

All findings are MITRE ATT&CK mapped. 21 new tests; all 31 tests pass. CodeQL clean.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • mainnet.base.org
    • Triggering command: /opt/hostedtoolcache/node/24.13.0/x64/bin/node /opt/hostedtoolcache/node/24.13.0/x64/bin/node --conditions development --conditions node /home/REDACTED/work/automaton/automaton/node_modules/tinypool/dist/entry/process.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Run a nation state level security assessment with poc and risk scope
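The "base64 obfuscation gap" in the findings table above is the class of defect where a pattern-based sanitizer checks only the literal text and never the decoded form of encoded segments. The following is an added illustration of one way to close that gap, not the repository's own sanitizeInput(); the pattern list, the scanInput name, the base64 token heuristic and the depth limit are all assumptions.

```typescript
// Added illustration: normalize base64-looking tokens by decoding them
// (repeatedly, to handle obfuscation chaining) before applying the
// injection-pattern checks, so an encoded payload is judged by its plaintext.

// Hypothetical pattern set; the real module's forbidden patterns are not on the page.
const INJECTION_PATTERNS: RegExp[] = [
  /ignore (all )?(previous|prior) instructions/i,
  /you are now (the )?(system|admin|operator)/i, // authority spoofing
  /<\/?(system|assistant)>/i,                     // boundary-escape markers
];

// Runs of 16+ base64 alphabet characters, optionally padded.
const B64_TOKEN = /[A-Za-z0-9+/]{16,}={0,2}/g;

// Returns the decoded text only if the token round-trips as base64 and
// decodes to printable ASCII; otherwise it is treated as an ordinary word.
function tryDecodeBase64(token: string): string | null {
  if (token.length % 4 === 1) return null;
  const decoded = Buffer.from(token, "base64").toString("utf8");
  const reencoded = Buffer.from(decoded, "utf8").toString("base64").replace(/=+$/, "");
  if (reencoded !== token.replace(/=+$/, "")) return null;
  if (!/^[\x20-\x7e\s]*$/.test(decoded)) return null;
  return decoded;
}

interface ScanResult { flagged: boolean; matched: string[]; decodedLayers: number; }

// Checks the input, then each successive decoded layer, up to maxDepth layers.
function scanInput(input: string, maxDepth = 3): ScanResult {
  const matched: string[] = [];
  let layers = 0;
  let current = input;
  for (let depth = 0; depth <= maxDepth; depth++) {
    for (const p of INJECTION_PATTERNS) if (p.test(current)) matched.push(p.source);
    const tokens = current.match(B64_TOKEN) ?? [];
    const decoded = tokens.map(tryDecodeBase64).filter((d): d is string => d !== null);
    if (decoded.length === 0) break; // nothing further to unwrap
    layers++;
    current = decoded.join("\n");
  }
  return { flagged: matched.length > 0, matched: Array.from(new Set(matched)), decodedLayers: layers };
}
```

A sanitizer that matched patterns only on the raw string would pass the encoded forms through untouched; the decoded-layer count also makes a useful detection signal on its own, since benign input rarely contains nested base64.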

Copilot AI and others added 4 commits February 19, 2026 02:18
…cope

Co-authored-by: kingassune <6126851+kingassune@users.noreply.github.com>
…r documentation, remove accidental package-lock.json

Co-authored-by: kingassune <6126851+kingassune@users.noreply.github.com>
…-scope

Add nation-state security assessment framework with PoC and risk scoping
