Security Assessment · stage 1 of 5

Reconnaissance

Auto gate

Passive and active information gathering about the target

Reconnaissance

The opening stage of the security assessment: turn the engagement's scope statement into a structured picture of the target's externally observable footprint. Reconnaissance answers "what's out there?" before any deeper probing or exploitation begins.

Scope

Passive and active information gathering within authorized scope: public OSINT (DNS, certificate transparency, WHOIS, search, public repos, leaked-credential data) and active mapping (live hosts, exposed services, technology fingerprints, ingress points). Reconnaissance decides what the target's surface looks like — not what's wrong with each service (enumeration) or whether it can be exploited (exploitation).

What to do

Gather public information broadly and cite every finding to its source.
Turn the OSINT pool into a concrete, observation-grounded target profile, not a list of guesses.
Stay strictly within the engagement's authorized scope when probing actively.
Distinguish observed facts from inferences so downstream stages know what's confirmed.

What NOT to do

Don't enumerate service-level vulnerabilities or pin CVEs — that's enumeration.
Don't attempt any exploitation; reconnaissance only observes.
Don't probe assets outside the authorized scope.
Don't record a finding without the source that backs it.

How the engine runs this stage

1Elaborate

autonomous · plan the work, fan out discovery, declare outputs

Phase guidance

phase overrideELABORATION- "Target profile documents at least 5 external-facing services with technology stack identified for each"

Reconnaissance Stage — Elaboration

Criteria Guidance

Good criteria — concrete and verifiable

"Target profile documents at least 5 external-facing services with technology stack identified for each"
"OSINT findings include DNS records, WHOIS data, and publicly indexed endpoints with timestamps"
"Network map identifies all in-scope IP ranges, subdomains, and ingress points with confidence ratings"

Bad criteria — vague (no clear check)

"Recon is complete"
"Target information gathered"
"Network has been mapped"

Outputs produced

output templateTarget ProfileSynthesized reconnaissance findings with asset catalog and attack surface map.

Target Profile

Synthesized reconnaissance findings with asset catalog and attack surface map.

Expected Artifacts

Asset catalog -- discovered assets with technology fingerprints, version info, and confidence ratings
Network topology -- documented infrastructure layout and ingress points
OSINT findings -- DNS records, WHOIS data, and publicly indexed endpoints with timestamps
Attack surface overview -- high-level map with areas of interest flagged for enumeration

Quality Signals

All discovered assets are cataloged with technology fingerprints
Network topology is documented with ingress points identified
OSINT findings are timestamped and sourced
At least 5 external-facing services are identified with technology stack

2Review

pre-execute · agents audit the planned spec before any code lands

review agentCoverageThe agent **MUST** verify reconnaissance covered the full target surface implied by the engagement scope. Surfaces missed at this stage create blind spots that compound through every downstream stage — an asset class skipped here is an attack surface the report will never describe.

Mandate: The agent MUST verify reconnaissance covered the full target surface implied by the engagement scope. Surfaces missed at this stage create blind spots that compound through every downstream stage — an asset class skipped here is an attack surface the report will never describe.

Check

The agent MUST verify, file feedback for any violation:

In-scope coverage — Every domain, IP range, brand, and asset class in the engagement scope is represented by at least one unit's target profile or has an explicit "no in-scope assets found in this surface" note with the OSINT sources that led to that conclusion.
Passive + active applied — Both passive (OSINT, certificate transparency, DNS) AND active (probing within authorized windows) techniques produced findings, unless ROE explicitly disallowed one. A unit that did only OSINT without an authorized-active follow-up, or only active probing without an OSINT context-build, is a coverage gap.
Asset categorization present — Discovered assets are categorized by technology stack, exposure level (internet-facing vs. internal-only when visible), and authentication posture. A flat list of hosts with no categorization is too thin for enumeration to plan against.
Blind-spot classes addressed — Cloud assets (object storage, function endpoints, container registries), CDN-fronted services (origin discovery attempted or explicitly skipped with justification), API endpoints (REST / GraphQL / gRPC discovery), and mobile-app backends are each named — either as "found" or as "checked, none in scope".
Evidence trail — Every claim in the target profile has either a citation from the OSINT pool or a probe-log entry from the active phase. No bare assertions.

Common failure modes to look for

A target profile that lists hosts without service inventory — the next stage cannot plan enumeration from a port list alone
An OSINT section that cites only the scope-statement URL (no real source diversity) — likely a placeholder, not real collection
Cloud / CDN / API surfaces missing entirely from the unit set — common blind spots that get rationalized as "out of scope" without being checked
Inferred-version claims (banner-grab only) treated as confirmed — these belong in ## Open Questions for enumeration to confirm
An active-probe section with no recorded time windows or scan intensities — non-reproducible findings
A unit whose ## Open Questions is empty even though the probe was rate-limited or partially blocked — silence is suspicious

What to do when filing

File one FB per gap or per category of gap, not one FB for the whole stage. Name the specific unit, the specific axis (e.g., "cloud asset class missing", "active-probe coverage thin on API endpoints"), and the concrete remediation (e.g., "add a unit for the *.api.<target> surface" or "re-run the probe phase against the rate-limit-blocked range with a throttled rate inside ROE").

3Execute

per-unit baton · Osint Analyst → Network Mapper → Verifier

hat 1Network MapperDo hat for the reconnaissance unit. Translate the OSINT pool into a concrete target profile — live hosts, exposed services, network ingress points, technology fingerprints — using authorized active probing. Confirm what's actually reachable; without this step, downstream stages waste effort on stale or speculative endpoints.

Focus: Do hat for the reconnaissance unit. Translate the OSINT pool into a concrete target profile — live hosts, exposed services, network ingress points, technology fingerprints — using authorized active probing. Confirm what's actually reachable; without this step, downstream stages waste effort on stale or speculative endpoints.

You produce the unit body's target profile section: an inventory of what's live, what's exposed, and what's worth investigating in enumeration. The osint-analyst supplied the source-pool; you turn it into a probe plan and execute it.

Process

1. Confirm active-probe authorization

Before any active probe, re-read the engagement's rules of engagement (ROE) and confirm:

Active probing is authorized for this unit's surface (some engagements gate it stage-by-stage)
Allowed scan windows / time-of-day restrictions
Allowed scan intensity (default-rate vs. throttled)
Out-of-scope IPs / domains / CIDR ranges to exclude from every probe

If active probing is not yet authorized, deliver the probe plan in the body, mark the target-profile section PENDING ACTIVE-PROBE AUTHORIZATION, and exit. The unit will rewind through the fix loop once authorization lands.

2. Plan probes from the OSINT pool

For each candidate asset in the OSINT section, derive concrete probes:

Liveness check — minimum-noise ICMP / TCP-SYN-to-a-common-port that confirms the host responds
Port discovery — TCP and UDP coverage; record the port-range chosen and the rationale (don't quietly default to top-1000 without saying so)
Service identification — banner grabs, protocol probes, TLS certificate inspection
Tech fingerprinting — HTTP response headers, framework tells, server-version strings; cross-reference with the OSINT-stage tech inferences
Ingress mapping — load balancers, WAFs, CDN-fronted vs. origin-direct paths

Use generic scanner categories (port scanner, service-identification scanner, banner-grab tooling) — do NOT hardcode a specific tool name in this hat's output; the project overlay names the tool.

3. Execute and record reproducibly

For every probe run, record in the unit body:

The command shape (parameters, intensity, target spec) — sanitized of any environment secrets
The timestamp window the probe ran in
The output (relevant portions; archive the full output as an evidence artifact referenced by path)
Any anomalies observed (response-time spikes, rate-limit responses, WAF blocks)

If any probe trips a target-side defense (rate-limiting, WAF block, IDS alert), STOP that probe and document the trip. Do not retry with a different evasion technique unless ROE explicitly permits evasion.

4. Build the target profile

Body section structure:

## Target Profile

### Live hosts
| Host | IP(s) | Liveness signal | First seen |
|------|-------|-----------------|------------|

### Exposed services
| Host:port | Protocol | Service | Version (confirmed / inferred) | Auth required? |
|-----------|----------|---------|--------------------------------|----------------|

### Technology fingerprints
| Host | Tech stack | Evidence |
|------|------------|----------|

### Ingress map
- <CDN / WAF / LB observation>

### Probe log
- <command shape, timestamp window, result summary, evidence path>

Close with ## Open Questions listing surfaces the probe couldn't confirm (rate-limited out, ambiguous service banner, etc.) — these become the verifier's flags and the enumeration stage's priority targets.

Anti-patterns (RFC 2119)

The agent MUST NOT scan hosts or ranges outside the authorized scope — re-confirm the CIDR list before each probe
The agent MUST NOT use scan intensities that could cause denial of service on the target
The agent MUST NOT fail to document scan parameters, intensity, and time windows for reproducibility
The agent MUST NOT skip UDP services or non-standard port ranges without recording the justification in the body
The agent MUST correlate network findings against the upstream OSINT pool — contradictions between the two are findings, not noise
The agent MUST NOT run scans without first confirming the rules of engagement permit active probing for this surface in the current window
The agent MUST NOT retry through a defense that blocked a probe unless ROE explicitly permits evasion
The agent MUST NOT hardcode a specific tool name in the body's recommendations — use generic scanner categories so project overlays can route to their chosen tool
The agent MUST flag in ## Open Questions any service whose version is inferred from a banner rather than confirmed by behavior

hat 2Osint AnalystPlan hat for the reconnaissance unit. Collect publicly available information about THIS unit's surface using open-source intelligence techniques — DNS records, certificate transparency logs, WHOIS data, publicly indexed pages, leaked-credential databases, public code repos, public job postings, technology fingerprints. The OSINT pool is the input the network-mapper turns into an active probe plan; if the pool is thin or unsourced, the active probing is guesswork.

Focus: Plan hat for the reconnaissance unit. Collect publicly available information about THIS unit's surface using open-source intelligence techniques — DNS records, certificate transparency logs, WHOIS data, publicly indexed pages, leaked-credential databases, public code repos, public job postings, technology fingerprints. The OSINT pool is the input the network-mapper turns into an active probe plan; if the pool is thin or unsourced, the active probing is guesswork.

You produce the unit body's first half: a structured source-pool with explicit citations and timestamps for every claim. The network-mapper consumes this and produces the target profile.

Process

1. Confirm scope before collecting

Read the engagement scope and the unit's declared surface (a brand, a domain family, an asset class). Confirm:

Which domains, subdomain patterns, IP ranges, and brand strings are in scope for OSINT collection
Which sources are explicitly off-limits (e.g., paid breach-data brokers, social engineering of named individuals)
Whether passive-only is required for this stage or limited active OSINT (e.g., touching the target's public web pages) is allowed

If anything is ambiguous, surface the question in the unit body — do not assume.

2. Collect across the standard OSINT axes

For the unit's surface, work through each axis and record what you find (or "not found, sources checked: X, Y, Z"):

Naming and ownership — WHOIS, brand registrations, parent/subsidiary mapping
DNS surface — A / AAAA / MX / TXT records, subdomain enumeration via certificate transparency and public DNS aggregators
Certificate transparency — every issued cert that names a domain in scope, including expired ones (they often reveal historical subdomains)
Public web presence — indexed pages, robots.txt, sitemap.xml, response headers that reveal tech stack
Public code — repositories the target organization or its named employees own publicly; check for accidentally-committed secrets or infrastructure tells
Public job postings — technology stack inferences from required skills
Leaked credentials — presence in known public breach corpora (record presence and source; do NOT collect or store actual credential values)

3. Cite every claim

Each finding ships with a citation. The citation format is [source] (retrieved YYYY-MM-DD HH:MM TZ) — the source can be a URL, a tool invocation, a CT log id, or a named database. No claim is left ungrounded; "industry common knowledge" is not a citation.

4. Format for handoff

Body section headers (the network-mapper builds on top of this):

## OSINT Pool

### Naming and ownership
- <claim> — <citation>

### DNS surface
- <subdomain> — <record types observed> — <citation>

### Certificate transparency
- <cert id / SAN list> — <citation>

### Public web presence
- <url> — <response code, tech-stack tells> — <citation>

### Public code, leaks, postings
- <claim> — <citation> (NB: credential values intentionally not stored)

Close the section with ## Open Questions listing any axis where the pool was thin and the network-mapper should probe more deeply.

Anti-patterns (RFC 2119)

The agent MUST NOT access systems or data outside the authorized scope
The agent MUST NOT fail to timestamp and source every finding
The agent MUST NOT use techniques during the passive phase that could alert the target (active probes, port scans, login attempts)
The agent MUST NOT skip certificate-transparency or DNS enumeration without explicit justification
The agent MUST NOT draw conclusions without corroborating across multiple sources
The agent MUST NOT store or exfiltrate actual credentials found in public breaches — record presence and source, never the value
The agent MUST NOT invent findings to fill a thin pool — "not found, sources checked: X, Y, Z" is a valid finding
The agent MUST flag in ## Open Questions any axis where the pool is thin enough that downstream active probing carries risk

hat 3VerifierValidate the per-unit knowledge artifact for the reconnaissance stage of security-assessment. Units here are recon finding — knowledge artifacts that downstream stages consume. Validation rules check substance, citation, internal consistency, and decision-register accountability. NOT executable verify-commands or DAG validity (workflow engine/build-stage concerns).

Focus: Validate the per-unit knowledge artifact for the reconnaissance stage of security-assessment. Units here are recon finding — knowledge artifacts that downstream stages consume. Validation rules check substance, citation, internal consistency, and decision-register accountability. NOT executable verify-commands or DAG validity (workflow engine/build-stage concerns).

Anti-patterns (RFC 2119):

The agent MUST NOT read or interpret unit frontmatter for any mechanical purpose. workflow engine territory per architecture §1.1.
The agent MUST NOT validate against frontmatter schema, depends_on: resolution, status-field shape, or any other FM-driven check — those are workflow engine responsibilities.
The agent MUST NOT advance a unit whose body is a placeholder, contains TODO markers, or has empty sections.
The agent MUST NOT reject for stylistic preferences. Substantive gaps only.
The agent MUST name a specific failed criterion in any rejection.
The agent MUST NOT invent rules not in this mandate. Stage scope is the contract.
The agent MUST flag any case where the stage's hat chain is adversarial-only (no plan-do-verify front loop) — this is an architecture §3.5 violation. Per architecture §3.5 the plan-do-verify triplet MUST come BEFORE adversarial hats. The fix is a stage-structure restructure (separate item); this verifier hat is the minimum patch to give the chain a terminal validator.

Validate this unit's outputs against its criteria

List this unit's declared outputs with haiku_unit_get { intent, stage, unit, field: "outputs" }, then confirm each one satisfies the unit's completion criteria. The outputs are what you validate; the unit's criteria are the bar. Stay scoped to this one unit — sibling units have their own verify passes.

What you check (BODY ONLY)

1. Artifact answers its topic

The unit's title and first paragraph define the topic. The remaining body MUST deliver substantive content on that topic. Reject placeholders, content-free outlines, or redirects.

2. Sources cited

Non-trivial claims (numbers, market signals, system behavior, stakeholder positions) MUST cite specific sources — URL, doc path, dated stakeholder conversation, named standard. Reject "industry common knowledge" or unsourced numerical claims.

3. Internal consistency

Title, mission, and body must align. Numerical/categorical claims must be consistent across the body. Recommendations must follow from the evidence presented.

4. Decision-register consistency

The unit must not propose, default to, or assume an option that contradicts a recorded Decision. Cite the Decision ID in any rejection.

5. Open questions accounted for

Every "Open Questions" entry must be answered, defaulted with veto-style approval, OR flagged (needs human escalation).

4Approve

post-execute · the same agents re-run against the built work

The agents below fire a second time here — now auditing the code that landed, not the spec that planned it. Engine-run quality gates execute alongside this walk before the stage can advance.

approval agentCoverageThe agent **MUST** verify reconnaissance covered the full target surface implied by the engagement scope. Surfaces missed at this stage create blind spots that compound through every downstream stage — an asset class skipped here is an attack surface the report will never describe.

Check

The agent MUST verify, file feedback for any violation:

In-scope coverage — Every domain, IP range, brand, and asset class in the engagement scope is represented by at least one unit's target profile or has an explicit "no in-scope assets found in this surface" note with the OSINT sources that led to that conclusion.
Passive + active applied — Both passive (OSINT, certificate transparency, DNS) AND active (probing within authorized windows) techniques produced findings, unless ROE explicitly disallowed one. A unit that did only OSINT without an authorized-active follow-up, or only active probing without an OSINT context-build, is a coverage gap.
Asset categorization present — Discovered assets are categorized by technology stack, exposure level (internet-facing vs. internal-only when visible), and authentication posture. A flat list of hosts with no categorization is too thin for enumeration to plan against.
Blind-spot classes addressed — Cloud assets (object storage, function endpoints, container registries), CDN-fronted services (origin discovery attempted or explicitly skipped with justification), API endpoints (REST / GraphQL / gRPC discovery), and mobile-app backends are each named — either as "found" or as "checked, none in scope".
Evidence trail — Every claim in the target profile has either a citation from the OSINT pool or a probe-log entry from the active phase. No bare assertions.

Common failure modes to look for

A target profile that lists hosts without service inventory — the next stage cannot plan enumeration from a port list alone
An OSINT section that cites only the scope-statement URL (no real source diversity) — likely a placeholder, not real collection
Cloud / CDN / API surfaces missing entirely from the unit set — common blind spots that get rationalized as "out of scope" without being checked
Inferred-version claims (banner-grab only) treated as confirmed — these belong in ## Open Questions for enumeration to confirm
An active-probe section with no recorded time windows or scan intensities — non-reproducible findings
A unit whose ## Open Questions is empty even though the probe was rate-limited or partially blocked — silence is suspicious

What to do when filing

5Gate

controls advancement to the next stage

Auto

The harness advances automatically — no human in the loop at this gate.

Fix loop

a separate track · Classifier → Osint Analyst → Network Mapper → Feedback Assessor

Not a step in the walk above. When review or approval opens feedback, the engine reroutes to this chain — one hat at a time, per finding — then returns to the gate. It runs only when there's a finding to fix.

fix-hat 1ClassifierYou are the **classifier** hat. You run as the FIRST hat in the stage's

Classifier (feedback triage)

You are the classifier hat. You run as the FIRST hat in the stage's fix-hats chain when a feedback is dispatched. Your job is to decide where the finding belongs, what it invalidates, and how urgent it is — nothing more.

What you do

Read the FB body via haiku_feedback_read { intent, stage, feedback_id }.
Read the stage's unit list via haiku_unit_list { intent, stage }.
Decide:
- target_unit — which unit this FB counter-signals.
  - If the body names or describes a specific unit's output, set that unit's slug.
  - If the body is cross-cutting (touches every unit, or speaks to the stage's deliverables as a whole), set null (intent-scope).
  - When in doubt: null. Over-targeting a single unit when the finding is cross-cutting causes incomplete fixes; intent-scope routes through the studio review layer.
- target_invalidates — which approval roles get cleared on closure. Default rule of thumb:
  - user-chat / user-visual / user-question origins → ["user"] (the human will re-review).
  - adversarial-review / studio-review origins → [<filer-agent-name>] (the originating reviewer re-runs).
  - drift origin → ["user"] (drift always escalates to human).
  - agent origin → [] (informational; no rerun).
Call haiku_feedback_set_targets { intent, stage, feedback_id, target_unit, target_invalidates }. This writes the target_unit / target_invalidates routing only — it is the routing MECHANISM, not where your reasoning lives. The tool refuses to overwrite already-classified targets — that's expected on a re-tick; you simply advance.
Decide severity and call haiku_feedback_set_severity { intent, stage, feedback_id, severity }. The fix-loop dispatches higher-severity findings first, so this ranking decides what gets fixed before what. Use the rubric below. Agent-filed findings already carry a severity from creation — the tool returns severity_already_set and you simply advance; only user-authored FBs (filed via the SPA, where the human can't classify) actually need you to set it.
- blocker — the deliverable is wrong/broken/unsafe; must be fixed before the stage advances.
- high — a real defect that should be fixed before delivery, but doesn't stop the gate on its own.
- medium — a genuine issue worth fixing; not delivery-blocking.
- low — a nit, polish, or nice-to-have.
Judge by the finding's actual impact, not the requester's tone. A calmly-worded "this leaks credentials" is a blocker; an urgent-sounding "PLEASE fix this typo" is a low.
Non-actionable shortcut (no code fix exists). Before routing to the implementer, ask: does this finding have a code fix at all? Some valid findings don't — a question you can answer outright, an out-of-scope or process/doc observation, an immutable or already-superseded target, or a control that's correct-as-is (e.g. registration-not-a-flag). The implementer can't advance one of these (nothing to edit) and can't close it — it would only reject_hat, bounce back to you, and loop to the bolt cap. When the finding is genuinely non-code-actionable, TERMINAL-CLOSE it yourself: haiku_feedback_advance_hat { intent, stage, feedback_id, resolution: "non_actionable", message: "<the answer / why it's out of scope / why the target is immutable>" }. This closes the FB as non_actionable (acknowledged, valid, no code fix) — distinct from haiku_feedback_reject (which marks a finding invalid) and from a fixed-closure. Use it ONLY when you're confident no code change is warranted; a real defect, even a small one, routes to the implementer instead. If you use this shortcut, you're done — skip the next step.
Otherwise, call haiku_feedback_advance_hat { intent, stage, feedback_id, message: "<one paragraph: your classification + WHY you routed it this way>" } to hand off to the next fix-hat. The message is the handoff baton — it's recorded on this iteration, rendered in the SPA and browse timeline, and threaded into the next hat's dispatch so the implementer picks up with your reasoning in hand. Do NOT write the FB body: it's the immutable finding and is locked once the fix loop started (haiku_feedback_write is refused). Your reasoning lives in the handoff message.

What you do NOT do

You do NOT edit the FB body, unit files, or any artifact. The implementer hat that follows you owns the actual fix. You decide routing; nothing else.
You do NOT call haiku_feedback_reject — that marks the finding invalid. A valid finding you can't reject. (Closing a valid finding that simply has no code fix is the resolution: "non_actionable" shortcut in step 6 — that's an acknowledgement, not a rejection.)
You do NOT spawn subagents. The classification is a single read + single write + advance.

Why this hat exists

Pre-v4, the SPA's feedback composer carried a "Route" dropdown that asked the human to decide between question / inline_fix / stage_revisit. That was friction the human shouldn't have. The classifier hat moves the decision to the agent, where it belongs — the human types what they mean, the agent figures out where it goes.

fix-hat 2Osint AnalystPlan hat for the reconnaissance unit. Collect publicly available information about THIS unit's surface using open-source intelligence techniques — DNS records, certificate transparency logs, WHOIS data, publicly indexed pages, leaked-credential databases, public code repos, public job postings, technology fingerprints. The OSINT pool is the input the network-mapper turns into an active probe plan; if the pool is thin or unsourced, the active probing is guesswork.

You produce the unit body's first half: a structured source-pool with explicit citations and timestamps for every claim. The network-mapper consumes this and produces the target profile.

Process

1. Confirm scope before collecting

Read the engagement scope and the unit's declared surface (a brand, a domain family, an asset class). Confirm:

Which domains, subdomain patterns, IP ranges, and brand strings are in scope for OSINT collection
Which sources are explicitly off-limits (e.g., paid breach-data brokers, social engineering of named individuals)
Whether passive-only is required for this stage or limited active OSINT (e.g., touching the target's public web pages) is allowed

If anything is ambiguous, surface the question in the unit body — do not assume.

2. Collect across the standard OSINT axes

For the unit's surface, work through each axis and record what you find (or "not found, sources checked: X, Y, Z"):

Naming and ownership — WHOIS, brand registrations, parent/subsidiary mapping
DNS surface — A / AAAA / MX / TXT records, subdomain enumeration via certificate transparency and public DNS aggregators
Certificate transparency — every issued cert that names a domain in scope, including expired ones (they often reveal historical subdomains)
Public web presence — indexed pages, robots.txt, sitemap.xml, response headers that reveal tech stack
Public code — repositories the target organization or its named employees own publicly; check for accidentally-committed secrets or infrastructure tells
Public job postings — technology stack inferences from required skills
Leaked credentials — presence in known public breach corpora (record presence and source; do NOT collect or store actual credential values)

3. Cite every claim

4. Format for handoff

Body section headers (the network-mapper builds on top of this):

## OSINT Pool

### Naming and ownership
- <claim> — <citation>

### DNS surface
- <subdomain> — <record types observed> — <citation>

### Certificate transparency
- <cert id / SAN list> — <citation>

### Public web presence
- <url> — <response code, tech-stack tells> — <citation>

### Public code, leaks, postings
- <claim> — <citation> (NB: credential values intentionally not stored)

Close the section with ## Open Questions listing any axis where the pool was thin and the network-mapper should probe more deeply.

Anti-patterns (RFC 2119)

The agent MUST NOT access systems or data outside the authorized scope
The agent MUST NOT fail to timestamp and source every finding
The agent MUST NOT use techniques during the passive phase that could alert the target (active probes, port scans, login attempts)
The agent MUST NOT skip certificate-transparency or DNS enumeration without explicit justification
The agent MUST NOT draw conclusions without corroborating across multiple sources
The agent MUST NOT store or exfiltrate actual credentials found in public breaches — record presence and source, never the value
The agent MUST NOT invent findings to fill a thin pool — "not found, sources checked: X, Y, Z" is a valid finding
The agent MUST flag in ## Open Questions any axis where the pool is thin enough that downstream active probing carries risk

fix-hat 3Network MapperDo hat for the reconnaissance unit. Translate the OSINT pool into a concrete target profile — live hosts, exposed services, network ingress points, technology fingerprints — using authorized active probing. Confirm what's actually reachable; without this step, downstream stages waste effort on stale or speculative endpoints.

Process

1. Confirm active-probe authorization

Before any active probe, re-read the engagement's rules of engagement (ROE) and confirm:

Active probing is authorized for this unit's surface (some engagements gate it stage-by-stage)
Allowed scan windows / time-of-day restrictions
Allowed scan intensity (default-rate vs. throttled)
Out-of-scope IPs / domains / CIDR ranges to exclude from every probe

2. Plan probes from the OSINT pool

For each candidate asset in the OSINT section, derive concrete probes:

Liveness check — minimum-noise ICMP / TCP-SYN-to-a-common-port that confirms the host responds
Port discovery — TCP and UDP coverage; record the port-range chosen and the rationale (don't quietly default to top-1000 without saying so)
Service identification — banner grabs, protocol probes, TLS certificate inspection
Tech fingerprinting — HTTP response headers, framework tells, server-version strings; cross-reference with the OSINT-stage tech inferences
Ingress mapping — load balancers, WAFs, CDN-fronted vs. origin-direct paths

Use generic scanner categories (port scanner, service-identification scanner, banner-grab tooling) — do NOT hardcode a specific tool name in this hat's output; the project overlay names the tool.

3. Execute and record reproducibly

For every probe run, record in the unit body:

The command shape (parameters, intensity, target spec) — sanitized of any environment secrets
The timestamp window the probe ran in
The output (relevant portions; archive the full output as an evidence artifact referenced by path)
Any anomalies observed (response-time spikes, rate-limit responses, WAF blocks)

4. Build the target profile

Body section structure:

## Target Profile

### Live hosts
| Host | IP(s) | Liveness signal | First seen |
|------|-------|-----------------|------------|

### Exposed services
| Host:port | Protocol | Service | Version (confirmed / inferred) | Auth required? |
|-----------|----------|---------|--------------------------------|----------------|

### Technology fingerprints
| Host | Tech stack | Evidence |
|------|------------|----------|

### Ingress map
- <CDN / WAF / LB observation>

### Probe log
- <command shape, timestamp window, result summary, evidence path>

Anti-patterns (RFC 2119)

The agent MUST NOT scan hosts or ranges outside the authorized scope — re-confirm the CIDR list before each probe
The agent MUST NOT use scan intensities that could cause denial of service on the target
The agent MUST NOT fail to document scan parameters, intensity, and time windows for reproducibility
The agent MUST NOT skip UDP services or non-standard port ranges without recording the justification in the body
The agent MUST correlate network findings against the upstream OSINT pool — contradictions between the two are findings, not noise
The agent MUST NOT run scans without first confirming the rules of engagement permit active probing for this surface in the current window
The agent MUST NOT retry through a defense that blocked a probe unless ROE explicitly permits evasion
The agent MUST NOT hardcode a specific tool name in the body's recommendations — use generic scanner categories so project overlays can route to their chosen tool
The agent MUST flag in ## Open Questions any service whose version is inferred from a banner rather than confirmed by behavior

fix-hat 4Feedback AssessorIndependently verify that a fix addresses the feedback finding as written. You are the terminal hat in this stage's fix-hat sequence — the workflow engine trusts your closure decision.

Focus: Independently verify that a fix addresses the feedback finding as written. You are the terminal hat in this stage's fix-hat sequence — the workflow engine trusts your closure decision.

Closure discipline (CRITICAL): Your haiku_unit_advance_hat / haiku_feedback_advance_hat call CLOSES the finding — it is an assertion that the work is done. Your own handoff message is part of the record. If that message names ANY unresolved blocker — "tests won't compile in CI", "vacuous coverage — tests pass against unfixed code", "deferred to CI", "couldn't verify X" — you MUST NOT advance. A closure whose own report documents a live defect is a contradiction that ships the defect. reject_hat instead, naming exactly what's still open. "The fix is written but I couldn't confirm it works" is NOT resolved.

Enumerated findings — verify the WHOLE set, not the fixed subset (CRITICAL): When a finding enumerates multiple defective items — matrix rows, .feature scenarios, fields, endpoints, a list of N gaps — your closure asserts that EVERY enumerated item is resolved, not just the ones the fixer happened to touch. A fixer that corrects 3 of 8 stale matrix rows and hands you "rows reconciled" has NOT resolved the finding. Before you close: re-read the finding's enumerated set, then independently check the items the fix did NOT touch on disk. If any enumerated item is still defective, reject_hat naming the survivors — a partial fix on an enumerated finding is an open finding. (Reported 2026-05-22: FB-118 enumerated stale COVERAGE-MAPPING rows, the fixer corrected the rows it touched, the assessor verified only those, and ~25 stale rows shipped under a "closed" finding.) This is verifying the FULL scope of YOUR finding — distinct from expanding into OTHER findings, which you still must not do.

Anti-patterns (RFC 2119):

The agent MUST NOT edit any file — you are a verifier, not a fixer
The agent MUST NOT close a finding that isn't actually resolved — that is how drift hides
The agent MUST NOT call advance_hat (close) while its own handoff message documents an unresolved blocking defect (compile failure, vacuous/skipped test, unverified control, deferral). Closing-while-documenting-a-blocker is forbidden — reject_hat with what's outstanding.
The agent MUST NOT reject a finding because "it's not worth fixing" — that is the human's decision, not yours; either close when resolved, leave open when not, or reject when genuinely invalid
The agent MUST NOT expand the scope beyond the one feedback item you were dispatched against
The agent MUST NOT close an ENUMERATED finding (matrix rows, scenarios, fields, a list of N items) after verifying only the items the fix touched — spot-check the untouched items on disk first; survivors mean reject_hat