Onboard CVE Matter-Analysis OS: System artifacts, Copilot tasks, and CI/CD infrastructure

[Copilot]

Implements repository scaffolding for defense-only CVE matter-analysis pipeline (NVD→alignment→arbiter→ε-refractors→Bayesian evidence) with GitHub Actions runner configuration per enterprise docs.

System & Prompt Artifacts

• LID-LIFT v1.4 system description (prompts/legendary_lidlift_v14.md): Complete 5-stage pipeline specification with defense-only guardrails
• Micro/nano core prompts (378 chars / 162 chars): Compressed system descriptions for token-constrained contexts
• Capsule configurations (3 files): Pipeline config, H-MOC v0.2 coordination framework with run_report, operational runbooks

Copilot Agent Infrastructure

• Agent guide (.copilot/AGENT_GUIDE.md): Development workflow, security principles, task execution pattern
• Sequential tasks (010-090): 9 file-anchored task definitions with acceptance criteria
  • 010: NVD ingest with delta sync/ETag
  • 020: Procrustes + CCA alignment (R²≥0.8 threshold)
  • 030: Stacked arbiter with Pareto knee detection
  • 040: Epsilon-refractors (ε<0.05 threshold)
  • 050: Bayesian evidence (BIC/WAIC)
  • 060-090: Notion sync, capsule publishing, CUDA support, Argo bridge
• Security policy (SECURITY.md): Defense-only stance, CVD process, no exploits/offensive tools/crypto-breaking
• Code ownership (CODEOWNERS): Route sensitive changes (k8s/, terraform/, prompts/, capsules/) to designated teams

CI/CD & Infrastructure

GitHub Actions workflows (5 files with explicit permissions blocks):

• ci.yml: Lint + unit/integration/heavy tests, standard runners + large-runner placeholders with docs reference
• codeql.yml: Python security analysis
• container-scan.yml: Trivy scanning, fail on HIGH/CRITICAL
• notion-sync.yml: Documentation sync on prompts/ changes
• publish-capsules.yml: Automated publishing on version tags

Python project structure:

• pyproject.toml: Build config, black/pytest/mypy settings
• requirements.txt: Core deps (numpy, scipy, scikit-learn, requests)
• Dockerfile: Multi-stage build, non-root user, health checks
• src/main.py: Entry point with pipeline stage overview
• tests/test_structure.py: 12 structural validation tests (passing)

Runner Configuration

# Standard jobs (lint, unit tests)
runs-on: ubuntu-latest

# Heavy computational jobs (GPU tests, ε-sweeps)
# TODO: Replace with actual large runner label per org config
# Examples: ubuntu-22.04-16core, ubuntu-22.04-64core
runs-on: ubuntu-latest  # Placeholder

All workflows include comments linking to GitHub-hosted runner documentation for large-runner label configuration.

Security

• CodeQL results: 0 alerts (fixed 10 workflow permission warnings by adding explicit permissions: blocks)
• No secrets committed: All sensitive data via environment variables
• Defense-only guardrails: Prohibited activities documented, CVD process established

Next Steps

Repository ready for sequential task implementation (010→090), one PR per task, following .copilot/AGENT_GUIDE.md workflow.

Original prompt

Copilot Coding Agent — Repository Instructions (Onboard this repo)
Repo: CVE Matter-Analysis OS (defense-only, private)
Stack: Python 3.11, optional CUDA, Docker, K8s (GKE + gVisor), Argo, Terraform, GitHub Actions
Mission: Build and maintain a blue-team CVE matter-analysis pipeline (NVD ingest → positional alignment → stacked arbiter → ε-refractors → Bayesian evidence).
Guardrail: No offensive payloads, no cryptographic-breaking.

0. Runner configuration (GitHub-hosted large runners)
   Action for Copilot (infra/CI):

Read: https://docs.github.com/en/enterprise-cloud@latest/actions/concepts/runners/github-hosted-runners#overview-of-github-hosted-runners.

Configure CI jobs to use the largest available GitHub-hosted runner type for heavy tests (CUDA, ε-sweeps), and a standard runner for light jobs.

Example (adjust labels to match the docs and org configuration):

yaml
Copy code
jobs:
test:
runs-on: ubuntu-latest # standard runner for unit tests
heavy-gpu-tests:
runs-on: ubuntu-latest # replace with largest available large-runner label per docs
# e.g. ubuntu-22.04-16core or equivalent (update after verifying docs)
Add comments in the workflow files explicitly pointing to the Actions docs and specifying which jobs must run on the largest GitHub-hosted runner.

Note: Exact large-runner labels must be chosen from the GitHub Actions docs for your plan/org. Do not invent labels.

1. System & prompt artifacts (do these first)
   Action for Copilot: create and populate these files via PR Build CVE Matter-Analysis OS: Python 3.11 blue-team platform with ML, K8s, and GPU support #1.

prompts/legendary_lidlift_v14.md

Body: full System description for LID-LIFT v1.4 as agreed (defense-only, no CoT, H-MOC run_report, etc.).

prompts/micro_core.txt

Micro-core System prompt (≤1 KB) delegating to link-pack.

prompts/nano_core.txt

Nano-core System prompt (≈280–320 chars) delegating to link-pack.

capsules/lidlift-v1.json

capsules/hmoc-0.2.json

capsules/runbooks.json

Acceptance criteria:

All files exist, are valid JSON/text as appropriate, and match the previously defined content.

CI passes (syntax/format checks if present).

2. Copilot guardrails & onboarding scaffolding
   Action for Copilot: create via PR Onboard CVE Matter-Analysis OS: System artifacts, Copilot tasks, and CI/CD infrastructure #2.

.copilot/AGENT_GUIDE.md

Explain: defense-only, file-anchored tasks, one PR per task, reference this issue.

.copilot/tasks/010_ingest_nvd.md … .copilot/tasks/090_bridge.md

Each task defines goal, files to edit, requirements, acceptance criteria.

SECURITY.md

CVD process, no offensive use, secrets policy.

CODEOWNERS

Route sensitive changes (e.g., k8s/, terraform/, capsules/, prompts/) to designated reviewers.

Update README.md with a short “Copilot agent usage” section.

Acceptance criteria:

Tasks are ordered and self-contained.

SECURITY and CODEOWNERS committed; README updated.

3. CI/CD and large-runner integration
   Action for Copilot: create via PR Define six specialized Copilot agents with model bindings and role specifications #3.

Create / update workflow files:

.github/workflows/ci.yml

Standard runner for lint + unit tests.

.github/workflows/codeql.yml

CodeQL for Python.

.github/workflows/container-scan.yml

Trivy (or equivalent) on built image; fail on HIGH/CRITICAL vulns.

.github/workflows/notion-sync.yml

Sync prompts/legendary_lidlift_v14.md → Notion via scripts/register_prompt_notion.sh.

.github/workflows/publish-capsules.yml

Publish capsules/*.json to your chosen bucket/domain on tags.

Runner requirement:

For standard jobs (lint, unit tests): use standard ubuntu-latest runner.

For heavy jobs (GPU/large-matrix tests, ε-grid smoke tests): configure job to run on the largest GitHub-hosted runner available for your organization, using the official label from the docs.

Acceptance criteria:

All workflows are valid; CI passes on minimal stub code.

Workflow comments clearly indicate which jobs use large runners and link to the GitHub docs URL.

4. Core code modules (performed via sequential Copilot tasks)
   Action for Copilot: follow .copilot/tasks/* in order, one PR per task.

Task 010 — NVD ingest

Implement src/ingest/nvd_client.py + tests.

Delta sync; ETag/backoff; JSONL output.

Task 020 — Positional alignment

Implement src/alignment/procrustes.py, src/alignment/cca.py + tests.

Expose align(X_a, X_b) -> (R2, X_a2b); require alignment_R2 ≥ threshold.

Task 030 — Arbiter / Pareto knee

Implement src/models/arbiter.py: stacked super-learner + Pareto knee.

Task 040 — Refractors

Implement src/refractors/epsilon.py, src/refractors/shifts.py.

Task 050 — Evidence

Implement src/evaluation/evidence.py with BIC/WAIC log-evidence, Bayes factor, Jeffreys scale.

Task 060–090 — Notion sync, capsules publish, CUDA/GPU support, webhook + Argo bridge

Implement scripts, manifests, and orchestration interfaces as described in each task.

Acceptance criteria (each PR):

CI + security checks green.

Tests and linters pass.

No secrets in diff.

PR description includes: short rationale, edited-file list, validation evidence (e.g., test output, kubectl diff, terraform plan as applicable).

5. Safety & policy enforcement (what Copilot must not...

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "Codex (@codex) review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "Codex (@codex) address that feedback".

[chatgpt-codex-connector]

Fail CI when integration job fails

The final ci-success job only asserts the results of the lint, unit-test, and configuration-validation jobs and never checks needs.integration-tests.result. Because the integration job’s test step already uses continue-on-error: true, any failing integration tests will still report a successful job, and the pipeline will pass regardless. Add the integration job to the failure condition so regressions caught by integration tests block the workflow.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

GCP auth step never executes

Both authentication steps are wrapped in if: env.GCP_WORKLOAD_IDENTITY_PROVIDER != '', but that environment variable is only defined inside the step itself. The expression is evaluated before the step runs, so it always resolves to empty and the auth/setup steps are skipped even when secrets are configured. Use the secrets context (e.g. if: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER != '' }}) or define a job-level env so publishing can authenticate when credentials exist.

Useful? React with 👍 / 👎.