openctemio · 0xmanhnv · Apr 14, 2026 · Apr 14, 2026 · Apr 14, 2026 · Apr 14, 2026
diff --git a/cmd/server/handlers.go b/cmd/server/handlers.go
@@ -85,12 +85,14 @@ func NewHandlers(deps *HandlerDeps) routes.Handlers {
 		// CTEM Discovery - Network Services, State History & Relationships
 		AssetService:      handler.NewAssetServiceHandler(repos.AssetService, repos.Asset, v, log),
 		AssetStateHistory: handler.NewAssetStateHistoryHandler(repos.AssetStateHistory, repos.Asset, v, log),
-		AssetRelationship: handler.NewAssetRelationshipHandler(svc.AssetRelationship, v, log),
+		AssetRelationship:      handler.NewAssetRelationshipHandler(svc.AssetRelationship, v, log),
+		RelationshipSuggestion: handler.NewRelationshipSuggestionHandler(svc.RelationshipSuggestion, log),
 
 		// Vulnerabilities & Exposures
 		Vulnerability:      vulnHandler,
 		FindingActivity:    handler.NewFindingActivityHandler(svc.FindingActivity, svc.Vulnerability, log),
 		FindingActions:   handler.NewFindingActionsHandler(svc.FindingActions, log),
+		JiraWebhook:      handler.NewJiraWebhookHandler(svc.JiraSync, log),
 		Exposure:         handler.NewExposureHandler(svc.Exposure, svc.User, v, log),
 		ThreatIntel:      handler.NewThreatIntelHandler(svc.ThreatIntel, v, log),
 		CredentialImport: handler.NewCredentialImportHandler(svc.CredentialImport, v, log),

diff --git a/cmd/server/repositories.go b/cmd/server/repositories.go
@@ -23,7 +23,8 @@ type Repositories struct {
 	ScopeSchedule     *postgres.ScopeScheduleRepository
 	AssetService      *postgres.AssetServiceRepository      // CTEM: Network services on assets
 	AssetStateHistory *postgres.AssetStateHistoryRepository // CTEM: State change audit log
-	AssetRelationship *postgres.AssetRelationshipRepository // CTEM: Asset topology graph
+	AssetRelationship          *postgres.AssetRelationshipRepository          // CTEM: Asset topology graph
+	RelationshipSuggestion     *postgres.RelationshipSuggestionRepository     // CTEM: Relationship suggestions
 
 	// Vulnerabilities & Findings
 	Vulnerability    *postgres.VulnerabilityRepository
@@ -168,7 +169,8 @@ func NewRepositories(db *postgres.DB) *Repositories {
 		ScopeSchedule:     postgres.NewScopeScheduleRepository(db),
 		AssetService:      postgres.NewAssetServiceRepository(db),      // CTEM: Network services
 		AssetStateHistory: postgres.NewAssetStateHistoryRepository(db), // CTEM: State change audit
-		AssetRelationship: postgres.NewAssetRelationshipRepository(db), // CTEM: Asset topology graph
+		AssetRelationship:          postgres.NewAssetRelationshipRepository(db),          // CTEM: Asset topology graph
+		RelationshipSuggestion:     postgres.NewRelationshipSuggestionRepository(db),     // CTEM: Relationship suggestions
 
 		// Vulnerabilities & Findings
 		Vulnerability:    postgres.NewVulnerabilityRepository(db),

diff --git a/cmd/server/services.go b/cmd/server/services.go
@@ -55,8 +55,9 @@ type Services struct {
 	Asset             *app.AssetService
 	AssetGroup        *app.AssetGroupService
 	AssetType         *app.AssetTypeService
-	AssetRelationship *app.AssetRelationshipService
-	Scope             *app.ScopeService
+	AssetRelationship      *app.AssetRelationshipService
+	RelationshipSuggestion *app.RelationshipSuggestionService
+	Scope                  *app.ScopeService
 	AttackSurface     *app.AttackSurfaceService
 
 	// Configuration (read-only system config)
@@ -159,6 +160,9 @@ type Services struct {
 	APIKey  *app.APIKeyService
 	Webhook *app.WebhookService
 
+	// Jira Bidirectional Sync
+	JiraSync *app.JiraSyncService
+
 	// AI Triage
 	AITriage *app.AITriageService
 
@@ -224,8 +228,9 @@ func NewServices(deps *ServiceDeps) (*Services, error) {
 	s.AssetGroup = app.NewAssetGroupService(repos.AssetGroup, log)
 	s.AssetType = app.NewAssetTypeService(repos.AssetType, repos.AssetTypeCat, log)
 	s.Scope = app.NewScopeService(repos.ScopeTarget, repos.ScopeExcl, repos.ScopeSchedule, repos.Asset, log)
-	s.AttackSurface = app.NewAttackSurfaceService(repos.Asset, log)
+	s.AttackSurface = app.NewAttackSurfaceService(repos.Asset, repos.AssetRelationship, log)
 	s.AssetRelationship = app.NewAssetRelationshipService(repos.AssetRelationship, repos.Asset, log)
+	s.RelationshipSuggestion = app.NewRelationshipSuggestionService(repos.RelationshipSuggestion, repos.Asset, repos.AssetRelationship, log)
 
 	// Initialize finding source service (read-only system configuration)
 	s.FindingSource = app.NewFindingSourceService(repos.FindingSource, repos.FindingSourceCat, log)
@@ -353,6 +358,7 @@ func NewServices(deps *ServiceDeps) (*Services, error) {
 	// Initialize API Key & Webhook services
 	s.APIKey = app.NewAPIKeyService(repos.APIKey, log)
 	s.Webhook = app.NewWebhookService(repos.Webhook, s.Encryptor, log)
+	s.JiraSync = app.NewJiraSyncService(repos.Finding, log)
 
 	// Initialize integration & notification services
 	s.Integration = app.NewIntegrationService(repos.Integration, repos.IntegrationSCMExt, s.Encryptor, log)
@@ -462,6 +468,10 @@ func NewServices(deps *ServiceDeps) (*Services, error) {
 		scan.WithProfileRepo(repos.ScanProfile),
 	)
 
+	// Wire verification scan trigger: allows FindingActionsService to launch targeted scans
+	// when a finding transitions to fix_applied and the user requests scan-based verification.
+	s.FindingActions.SetVerificationScanTrigger(app.NewVerificationScanTriggerAdapter(s.Scan))
+
 	// Create adapters for pipeline sub-package
 	pipelineAuditAdapter := app.NewPipelineAuditServiceAdapter(s.Audit)
 	pipelineAgentSelectorAdapter := app.NewPipelineAgentSelectorAdapter(s.AgentSelector)

diff --git a/cmd/server/workers.go b/cmd/server/workers.go
@@ -212,6 +212,23 @@ func NewWorkers(deps *WorkerDeps) (*Workers, error) {
 		},
 	))
 
+	// Threat intel — daily EPSS + KEV refresh (fetches + persists to DB)
+	w.ControllerManager.Register(controller.NewThreatIntelRefreshController(
+		svc.ThreatIntel,
+		log.With("controller", "threat-intel-refresh"),
+	))
+
+	// Control test scheduler — daily sweep to mark stale detection coverage as overdue
+	w.ControllerManager.Register(controller.NewControlTestSchedulerController(
+		repos.ControlTest,
+		&controller.ControlTestSchedulerConfig{
+			Interval:  24 * time.Hour,
+			StaleDays: 30,
+			BatchSize: 500,
+			Logger:    log.With("controller", "control-test-scheduler"),
+		},
+	))
+
 	return w, nil
 }
 

diff --git a/configs/relationship-types.yaml b/configs/relationship-types.yaml
@@ -140,6 +140,9 @@ types:
       # Code hierarchy
       - sources: [repository]
         targets: [container_image]
+      # DNS hierarchy
+      - sources: [domain]
+        targets: [subdomain]
 
   - id: exposes
     category: attack_surface_mapping
@@ -161,27 +164,27 @@ types:
     direct: Resolves To
     inverse: Resolved By
     description: >-
-      Literal DNS A/AAAA resolution — a domain resolves to an IP record
-      or a load balancer that owns that IP. STRICT semantic: target
-      MUST be the network endpoint, not the server that happens to own
-      the IP. For "this domain leads to this server / website" use
-      Exposes. For subdomain → parent domain or CNAME aliases use
-      Cname Of.
+      Literal DNS A/AAAA resolution — a domain or subdomain resolves to
+      an IP record or a load balancer that owns that IP. STRICT semantic:
+      target MUST be the network endpoint, not the server that happens
+      to own the IP. For "this domain leads to this server / website"
+      use Exposes. For subdomain → parent domain hierarchy use Contains.
     constraints:
-      - sources: [domain]
+      - sources: [domain, subdomain]
         targets: [ip_address, load_balancer]
 
   - id: cname_of
     category: attack_surface_mapping
     direct: CNAME Of
     inverse: Has CNAME
     description: >-
-      DNS aliasing — this name is a CNAME for that name. Also used for
-      subdomain → parent domain logical relationships. Distinct from
-      Resolves To which captures the final IP/host record.
+      DNS CNAME aliasing — this name is a CNAME record pointing to
+      another name. Strictly for actual DNS CNAME records, NOT for
+      subdomain hierarchy (use Contains for that). Distinct from
+      Resolves To which captures the final A/AAAA IP record.
     constraints:
-      - sources: [domain]
-        targets: [domain]
+      - sources: [domain, subdomain]
+        targets: [domain, subdomain]
 
   # ---- Attack Path Analysis ----------------------------------------------
 

diff --git a/internal/app/adapters.go b/internal/app/adapters.go
@@ -320,3 +320,39 @@ func convertToPipelineValidationResult(r *ValidationResult) *pipeline.Validation
 		Errors: errors,
 	}
 }
+
+// =============================================================================
+// Verification Scan Trigger Adapter
+// =============================================================================
+
+// verificationScanTriggerAdapter adapts scan.Service to FindingActionsService.VerificationScanTrigger.
+type verificationScanTriggerAdapter struct {
+	svc *scan.Service
+}
+
+// NewVerificationScanTriggerAdapter creates an adapter that wraps scan.Service
+// for use as a VerificationScanTrigger.
+func NewVerificationScanTriggerAdapter(svc *scan.Service) VerificationScanTrigger {
+	return &verificationScanTriggerAdapter{svc: svc}
+}
+
+// TriggerVerificationScan implements VerificationScanTrigger.
+func (a *verificationScanTriggerAdapter) TriggerVerificationScan(
+	ctx context.Context, tenantID, createdBy, scannerName, workflowID string, targets []string,
+) (pipelineRunID, scanID string, err error) {
+	result, err := a.svc.QuickScan(ctx, scan.QuickScanInput{
+		TenantID:    tenantID,
+		Targets:     targets,
+		ScannerName: scannerName,
+		WorkflowID:  workflowID,
+		CreatedBy:   createdBy,
+		Tags:        []string{"verification-scan"},
+		Config: map[string]any{
+			"trigger": "verification_scan",
+		},
+	})
+	if err != nil {
+		return "", "", err
+	}
+	return result.PipelineRunID, result.ScanID, nil
+}