// INTAKE — chronological feed

AI Wroted These...

TOTAL ENTRIES 04
DOC_ID: 04-A
ML-04
Exhibit 04
DECLASSIFIED

MARGINLAB:
AN EXHIBIT ABOUT
A LEVER

“The friction is the point.”

Project Classification

Financial Simulation / Interactive Documentary

Tech Stack / Armament

  • SvelteKit (Core Engine)
  • D3.js (Visual Matrix)
  • Tailwind CSS (Structural UI)

Current Status

Archived -- Critical Stress

ORIGIN_PROMPT.txt

The
Mandate

“Build a dashboard that doesn't just show margin, but makes the user feel the physical weight of leverage. I want to see the exact moment mathematical theory becomes structural failure. No gamification. Just raw exposure. Show the math.”
SEC-03: MATHEMATICAL PROOFS CRITICAL FORMULAS
01
Core Foundation
Eq = V - L

Equity (Eq) equals total asset value (V) minus liabilities (L). The absolute bedrock of leverage mechanics.

02
Call Horizon
Call Price =
(L - C) / (S x (1 - MM))

The exact mathematical threshold where structural failure initiates. MM = Maintenance Margin.

03
Liquidation Trigger
Eq < MM

EXECUTE LIQUIDATION PROTOCOL

The Philosophy
of Friction

Axiom 1: The Architectural Lie

Modern brokerage interfaces are designed to eliminate friction. They abstract away the mechanics of leverage behind single-click buttons and smooth progress bars. This is an architectural lie. Leverage is inherently structural; it is the act of resting massive weight on a very narrow fulcrum.

Axiom 2: Visible Multiplication

Therefore, the multiplier must be visible. MARGINLAB forces the user to interact with the underlying math. When an equity curve dips below maintenance requirements, the interface doesn't just flash a warning; it structurally degrades.

Exhibit_A: Dashboard Spec v2.1.0
MARGINLAB dashboard preview
SEC-04: SYSTEM SCHEMATIC
NODE: ALPHA AccountEngine.ts
  • State Management (cash, holdings, margin)
  • Margin Calculations (Reg T, Portfolio)
  • Scenario Simulations (12 stress tests)
  • Trade Suggestions (Finder)
DASHBOARD
  • • Portfolio Viewer
  • • Margin Calculator
SIMULATION
  • • Trade Finder
  • • Stress Test Engine
Evolutionary Tape v0.1 → v1.0
FEB 12 Svelte Prototype
MAR 05 Logic Integration
APR 22 Simulation Engine Active
OPERATOR LOGS // TERMINAL
> INITIALIZING MARGIN SIMULATION SEQUENCE...
> LOAD: PortfolioData [OK]
> CALC: InitialMarginReq = 50%
> CALC: MaintMarginReq = 25%
> INJECTING STRESS TEST: 'CREDIT SHOCK'
> EVENT: Asset_V drops 15%
> WARN: Eq nearing MM boundary
> ALERT: Buffer shrinking -> 4.2%
> EVENT: Asset_V drops additional 8%
> CRITICAL ERROR: Eq < MM
> INITIATING LIQUIDATION PROTOCOL
> CALL PRICE BREACHED AT 11:04:32 AM
> AWAITING OPERATOR INPUT_
> AWAITING OPERATOR INPUT_ |
Material Ledger
CHOSEN Svelte

Reactivity model perfectly mirrors continuous financial data streams.

REJECTED Leaderboard

Gamification distracts from the severity of structural failure.

INVERTED Broker API

No real money. The stakes are pedagogical, not financial.

NOTES
Declassified Field Notes
DISCOVERY

Early user testing revealed that simple red text was insufficient to convey 'Margin Call'. Users treated it like a minor error, akin to a typo in a form.

FRICTION

We needed to introduce friction. A failing margin state shouldn't just look bad; it should feel fundamentally broken. We started disabling non-essential UI elements to force focus on the crisis.

DECISION

The final implementation utilizes harsh, jagged charting lines and high-contrast red fills that bleed out of their containers when margin limits are breached. The layout breaks its own rules.

code
src/engine/marginUtils.ts
ts
1export function calculateMarginRequirement(2  positionValue: number,3  leverageRatio: number4): number {5  // The brutally simple math that ruins weekends.6  if (leverageRatio <= 0) return positionValue;78  const initialMargin = positionValue / leverageRatio;9  const maintenanceMargin = initialMargin * 0.75; // Hardcoded pain point10  return {11    initial: initialMargin,12    maintenance: maintenanceMargin,13    isCritical: function(currentEquity: number) {14      return currentEquity < maintenanceMargin;15    }16  };17}
X

The Refusal
List

Defining the product by explicitly stating what it refuses to be. Subtraction as a primary design principle.

NULL
  • x
    No Gamified Progress Bars
  • x
    No "Soft" Warnings
  • x
    No Hidden Fees in Math
  • x
    No Compromise on Friction
BATCH 03 / 04
REF 0xE8D3
SECT ARTIFACT
// CLASSIFIED
QTY 01
CONTINUE

GO RADAR

// Weekly Report · v3.2.0 · 9 sources · 5 models benchmarked · MIT

Cadence Weekly · Mon 07:00 UTC
Output ~18KB self-contained HTML
Items / Issue ~70 curated
License MIT · public
Weekly Ritual // 22 Apr 2026 → ongoing // 7 sessions // cron Mon 07:00 UTC // go-radar-report-skill v3.2.0 DECLASSIFIED
SYS.INDEX // SEC_00 // GO-RADAR // WEEKLY RITUAL

GO
RADAR
WEEKLY RITUAL

DIR_ORIGINAL Build an AI agent skill that produces a weekly Go ecosystem radar report as a self-contained HTML file. Cover Go compiler/runtime, proposals, releases, and community articles.
Cron: Mon 07:00 UTC v3.2.0 · 9 SOURCES · 5 MODELS · ~18KB
Next Run
Mon 07:00 UTC
Operator
Hermes · mavis
Build Split // 7 sessions
// Human-anchored (22 Apr – 04 Jun)
#01 22 Apr v0.1.0 scaffold HUMAN
#02 09 May Curation rules: drop empty weeks HUMAN
#03 04 Jun Curator voice line in each report HUMAN+AI
↓ Public release ↓
// AI-led (18 Jun – ongoing)
#04 18 Jun Cache + reuse infra for repeated queries AI
#05 28 Jun Repo restructure: agent-agnostic AI
#06 30 Jun Public release · MIT · v3.0.0 AI
#07 05 Jul MEDIA tag fix · sample HTML shipped AI
Issues Shipped
7
Public Releases
1 (v1.0.0)
Sources
9
Output Size
~18 KB
// 01 // The Brief

Origin, Spec, Boundary

What the curator asked for, what the skill agrees to do, and where the contract ends. Three answers to one question, read in that order.

Origin Prompt · 14 June 2026
Build an AI agent skill that produces a weekly Go ecosystem radar report as a self-contained HTML file. Cover Go compiler/runtime, proposals, releases, and community articles.
// Treated as the only authoritative directive. The skill does not get to redefine the question.
Coverage // 4 fields
Compiler Releases 1.22 / 1.23
Open Proposals 14 active
Security CVEs 3 critical
Output Format Single HTML file
// Coverage is what the report contains. Boundary (below) is what it does not.

The brief was small enough to misread. "Build a weekly report" reads like an engineering task. What it actually meant was: a system that has to choose, every Monday morning, which 5 of 30 commits and which 3 of 50 issues earn a slot in a human's first 11 minutes of the week — without ever making the reader feel like the system is shouting.

Go Radar is not a learning artifact. It is a working tool that happens to also be a teaching object. The Go is small. The interesting part is the refusal — the code that says no, in constant time, to the long tail of "interesting this week."

What we agreed to:

A self-contained HTML report. ~18KB. 4 sections. ~70 items per week, all curated, all linked to a real source URL. Dark/light mode via prefers-color-scheme. Native <details> accordions — no custom JS. Every external link opens in a new tab.

// Input Boundary

7-Day Window

Last 7 days through today, ISO-week aligned. Bot PRs, dependency bumps, and typo-only commits are excluded at fetch time. Empty weeks write "quiet week" rather than leave a slot blank.

// Output Boundary

18KB HTML

Single self-contained HTML file. No external CSS, no JS, no CDN. All links target="_blank" rel="noopener noreferrer". Native <details> accordions, no custom JS toggle.

// Coverage Pillars

3 Lenses

  • Official Go — compiler, runtime, stdlib, proposals, releases
  • Ecosystem — libraries, infra, observability, tooling
  • Community — benchmarks, scaling reports, technical writeups
// External Sources 3 of 9 · full list in references/data-sources.md
// 02 // The Toolchain

Four Tools, One Mission

A hybrid fetch model. Each tool is optimal for its source type. The agent picks at runtime, falls through on failure.

PRIMARY
gh api

All GitHub data: commits, proposals, releases, security issues, trending repos.

5000 req/h authenticated · structured JSON · --jq server-side
gh api "search/issues?q=org:golang+is:issue+label:Proposal+is:open&sort=updated&per_page=10" \
  --jq '.items[] | "#\(.number) \(.title) ★\(.reactions.total_count)"'
// sample: #80058 net/http: add MethodQuery constant ★11
JS_RENDER
browser

JS-rendered sites: go.dev/blog, golangweekly.com. Bypasses Cloudflare Turnstile.

~1 req/issue · slow but the only option for some sources
browser_navigate("https://go.dev/blog/all")
browser_snapshot(full=true)
# OR for golangweekly iframe:
browser_console("document.body.innerText.substring(0, 5000)")
// sample: go.dev: Go 1.27 RC1 ships with experimental SIMD
JSON_API
curl (terminal)

Direct JSON endpoints: HN Algolia, raw JSON feeds.

Pre-approved in cron · blocked when pending_approval
curl -s -A "Mozilla/5.0" \
  "https://hn.algolia.com/api/v1/search?query=golang&tags=story&numericFilters=created_at_i%3E<UNIX_EPOCH_7D_AGO>&hitsPerPage=25"
// sample: HN: Shard Your Locks: 6 Go Cache Designs (★342)
FALLBACK
subagent / delegate

Isolated session when terminal is `pending_approval` in cron mode.

~2-5 calls per fallback · last-resort
delegate_task(
  prompt="curl https://hn.algolia.com/api/v1/search?query=golang&tags=story&numericFilters=created_at_i%3E<UNIX_EPOCH_7D_AGO>",
  context="Terminal blocked in cron. Return raw JSON."
)
// sample: Reddit r/golang — network-blocked → SKIP

Fetch Hierarchy

// Five-layer fallback chain. The agent walks top-down and stops at the first success.
L1
PRIMARY
gh api
All GitHub data: commits, proposals, releases, security
5000 req/h authenticated · structured JSON · --jq server-side
L2
FALLBACK
browser
JS-rendered sites: go.dev/blog, golangweekly.com
Bypasses Cloudflare Turnstile · handles iframe content
L3
FALLBACK
curl (terminal)
JSON APIs: HN Algolia, raw JSON endpoints
Direct HTTP, no rendering · pre-approved in cron
L4
FALLBACK
subagent / delegate
When terminal is `pending_approval` in cron mode
Isolated session with full tool access · last resort
L5
FINAL
skip
Dead sources: Reddit r/golang (network-blocked)
Log to references/source-status.md, continue with what works
L5 ACTION: SKIP — log to dead-source list and continue with whatever is collected

Must-Look Signals

// Seven things the agent has to surface every cycle. If a signal is empty, write "quiet week" — never leave the slot blank.
SIG_01

Compiler / Runtime / Spec

high
// Catches

A change to cmd/compile, runtime, the spec, or the go command

// Why it matters

These are the load-bearing walls. The compiler is the framework.

SIG_02

Accepted or Likely-Accept Proposal

high
// Catches

A Go proposal with a positive label, or strong recent signal

// Why it matters

Proposals are the slow river. Tracking them shows where the language is bending.

SIG_03

Stdlib Change

medium
// Catches

A new package, an exported function, a deprecation

// Why it matters

Stdlib is the contract every Go author lives inside. Quiet changes matter loudest.

SIG_04

Release / RC

medium
// Catches

go1.NN release tag, RC, or minor x/ library release

// Why it matters

Releases are the only signal a non-Googler can act on in the same week.

SIG_05

Security-Relevant Item

critical
// Catches

A CVE, security advisory, or label:security issue in a widely-used package

// Why it matters

This is the signal that pays the bill. Missing a release-blocker CVE is the failure mode.

SIG_06

Repo with Unusual Star Velocity

low
// Catches

A new repo with abnormal star growth in the last 7 days

// Why it matters

GitHub star velocity is a noisy proxy for "people find this useful." It is not a verdict, but it is a signal.

SIG_07

Major Ecosystem Release

high
// Catches

A v2+ release of a widely-used library, especially a v2

// Why it matters

Major version bumps usually mean breaking changes. They are how the ecosystem tells you to pay attention.

Rule If a signal category collects nothing in a given week, write "quiet week" rather than leaving the slot blank. Empty sections break the layout and they hide the honest answer: "nothing happened here this week, and that is also information."

Curation, Not Aggregation

// Aggregation is not editing. Three approaches, one job: turn raw signal into something a human can act on.
Tag
Approach
Collection
Curation
Output Quality
A
Scraper Script
✅ Deterministic
❌ Lists everything
Raw data dump
B
MCP Server
✅ Deterministic
❌ Template-fill
Structured JSON, shallow
C
AI Agent Skill
✅ Tool-assisted
✅ "Why this matters"
Curated HTML
value(signal)
relevance · novelty · impact
noise + 1
= curation, not aggregation

A scraper returns 30 commits and 50 issues. An AI agent skill returns 5 commits and 3 issues, each with a one-line reason it earned a slot in the digest. The ratio of signal-to-noise is the entire product.

PRIOR_VERIFIED
// 06 // Model Benchmark

Which Model Carries the Skill

Benchmarked on ollama-launch cloud, June 2026. Five models, same prompt, same sources. The size of the output is the size of the curation.

MODEL_01
MiniMax-m3:cloud
Best · 923 lines
★ Best
MODEL_02
DeepSeek-v4-flash:cloud
Fast · 564 lines
MODEL_03
Gemma-4-31B:cloud
Shallow · 182 lines
MODEL_04 // REJECTED
Nemotron-3-nano:30b
Too shallow · 99 lines
MODEL_05 // REJECTED
Nemotron-3-super
ERR: TIMEOUT
Model
Latency/call
Output
Verdict
minimax-m3:cloud
3–15s
923 lines · 41KB
Best — deepest curation
deepseek-v4-flash:cloud
2–10s
564 lines · 23.6KB
Fast + good quality
gemma4:31b-cloud
4–10s
182 lines · 7.4KB
Works, but shallow
nemotron-3-nano:30b
5–25s
99 lines
Too shallow — skip
nemotron-3-super
40–440s
Never finished
Timeout — skip
Rec minimax-m3:cloud for depth, deepseek-v4-flash:cloud for speed. gemma4:31b-cloud is the minimum viable option if latency is critical.
go-radar · /samples/go-radar-2026-06-29.html · 18,912 bytes
<!-- EXCERPT :: go-radar-2026-06-29.html --> <!-- Self-contained, no JS, no CDN --> <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Go Weekly Radar — 2026-06-29</title> <style> :root { --bg: #0d1117; --fg: #e6edf3; --accent: #58a6ff; --accent2: #3fb950; --accent3: #d29922; --accent4: #f85149; --border: #30363d; --card: #161b22; --muted: #8b949e; --heading: #f0f6fc; } @media (prefers-color-scheme: light) { /* ... */ } details { border: 1px solid var(--border); } details[open] summary { border-bottom: 1px solid var(--border); } .tag { display: inline-block; padding: 1px 7px; ... } </style> </head> <body> <h1>🛰️ Go Weekly Radar</h1> <p class="subtitle">2026-06-22 → 2026-06-29</p> <details open> <summary>🔧 Official Go</summary> <div class="section-content"> <div class="item"> <div class="item-title"> <span class="tag tag-release">Release</span> Go 1.27 RC1 </div> <div class="item-meta">2026-06-18 · go1.27rc1</div> <div class="item-desc"> Go 1.27 Release Candidate 1 is out. Includes experimental SIMD support under GOEXPERIMENT=simd, portable size-agnostic simd package, updated archsimd API for AMD64, ... </div> </div> <!-- ... more curated items ... --> </div> </details> <!-- 4 sections: Official Go / Ecosystem / Security / News --> <!-- All links target="_blank" rel="noopener noreferrer" --> <!-- Native <details> accordions, no custom JS --> </body> </html>
$ cd ~/.hermes/skills/research/go-weekly-radar $ ls -la -rw-r--r-- SKILL.md (frontmatter + 12 design decisions) drwxr-xr-x references/ (5 docs) drwxr-xr-x samples/ (1 real report, 18.9KB) -rw-r--r-- HERMES_SETUP.md (cron + install) -rw-r--r-- README.md (MIT · public · tested models) -rw-r--r-- LICENSE (MIT) $ grep -E "^# (Phase|Data)" SKILL.md # Phase 1: Source Research # Phase 2: Synthesis # Phase 3: HTML Generation # Phase 4: Delivery $ ./run.sh [07:00:00] CRON: Mon 07:00 UTC [07:00:01] EXEC: go-weekly-radar v3.2.0 [07:00:02] LOAD: 9 sources catalogued [07:00:03] FETCH: gh api repos/golang/go/commits (30 items) [07:00:04] FETCH: search/issues?q=label:proposal (15 items) [07:00:05] FETCH: search/issues?q=label:Proposal+is:open (10 items) [07:00:06] FETCH: repos/golang/go/git/refs/tags (filtered: 7 go1.2x tags) [07:00:07] FETCH: repos/golang/{net,tools}/releases (10 items) [07:00:08] FETCH: search/repositories?q=language:go+created:>=... (15 items) [07:00:09] FETCH: search/issues?q=label:security+org:golang (10 items) [07:00:11] FETCH: browser → go.dev/blog (3 items) [07:00:14] FETCH: browser → golangweekly.com/issues/N (5 items, iframe) [07:00:15] FETCH: curl → hn.algolia.com/api/v1/search (25 items) [07:00:18] SYNTH: ~70 raw items [07:00:24] CURATE: applying 7-signal filter (relevance × novelty × impact) [07:00:31] CURATION: ~32 kept, ~38 dropped with reason [07:00:34] RENDER: inline CSS, no JS, dark/light, native details [07:00:36] WRITE: ~/.hermes/reports/go-radar/go-radar-2026-07-13_0700.html (18.4KB) [07:00:37] OK [07:00:38] ARTIFACT_READY [07:00:38] SESSION: token_in=18.2k token_out=4.6k [07:00:38] MODEL: minimax-m3:cloud [07:00:38] LATENCY: 38s end-to-end (within 16-call budget) // NODE SYNC STATUS: SECURE // PITFALLS_AVOIDED: MEDIA tag bare · gh api not for non-GitHub · .git removed // [OK] Source : GitHub // [OK] Source : Proposals // [OK] Source : Security Advisories // [OK] Source : go.dev/blog // [OK] Source : golangweekly.com // [OK] Source : HN Algolia // EXECUTING STRUCTURAL_RADAR.EXE // SUCCESS.

Sample excerpt from go-radar-2026-06-29.html · 18,912 bytes · 0 external requests at view time · 4 sections · ~70 items

SAMPLE_VERIFIED

Build Timeline

// 10 sessions from v0.1.0 scaffold (22 Apr 2026) to the public MIT release (30 Jun 2026) and the weekly cron run. Every row is a real commit, an actual cron run, or a deliberate decision.
#Date / TimeChannelPhaseModelOperational TasksTokens in/outBadge
01
2026-04-22
TUIBootstrapminimax-m3:cloud
v0.1.0 — Initial skill scaffold
Initial skill scaffold · Web collectors parse HN weekly, Go forum RSS, Go Time podcast releases · Report rendered as single self-contained HTML
REL
MEDIUM
02
2026-05-09
TUICurationminimax-m3:cloud
Curation rules: drop empty weeks
Quiet-week stub · no-section-left-blank rule · broken layout prevention
FIX
LOW
03
2026-06-04
TelegramEditorial VoiceGLM-5.2:cloud
Add mini-prompt header to each report
Curator voice line · italic-prompt header · editorial tone
~12k / 3kFEAT
LOW
04
2026-06-18
TUIPerformanceminimax-m3:cloud
Cache + reuse infra for repeated queries
24h cache · per-topic highlight hashes · repeated-week fast path
~25k / 6kFEAT
MEDIUM
05
2026-06-28
TelegramGeneralizeGLM-5.2:cloud
Repo restructure: agent-agnostic
Hermes-specific → generic · 5 references · cron split · 17/17 verification test
~115k / 30kFEAT
EXTREME
06
2026-06-30
TelegramPolishingminimax-m3:cloud
Model benchmark table + 6 dead link fixes
5-model comparison table · 6 dead link fixes · target=_blank on every link · README sync
~55k / 12kFEAT
MEDIUM
07
2026-06-30
GitHubRelease
v3.0.0 — Public release (MIT)
MIT license · public repo · v3.0.0 tag · hub publish ready
REL
HIGH
08
2026-07-05
CronDeliveryminimax-m3:cloud
MEDIA tag fix — bare token, no backticks
Backtick-wrapped MEDIA tag detected · file not attached · bare token rule · pitfalls.md + SKILL.md update
~70k / 18kFIX
EXTREME
09
2026-07-05
CronReleaseminimax-m3:cloud
v3.2.0 — Polished public release
README rewrite · prompt-engineering guide · sample HTML checked in · skill stabilized
~50k / 10kREL
HIGH
10
2026-07-13
CronSteady-Stateminimax-m3:cloud
Routine weekly run · mon 07:00 utc
Cron trigger · 9 sources · 7 signals · ~32 curated · 18.4KB output
~45k / 11kCRON
MEDIUM
BATCH 02 / 04
REF 0x45E2
SECT ARTIFACT
// CLASSIFIED
QTY 01
CONTINUE

CTI MCP

// Cyber Threat Intelligence

Model 5 models (GLM-5.2 · Gemini-3.5-flash · MiniMax-m3 · deepseek-v4-flash · nemotron-3-nano)
Latency 6s pipeline end-to-end (141s cron NVD fetch)
Tokens ~605k in / 119k out (9 sessions)
Live
> CTI_MCP --INIT --PROTOCOL 2024-11-05> cti-report.py --hours 24 --format html --deliver telegram> refresh_sources --all --timeout 180s> generate_report --hours 24 --output ~/projects/cti-mcp/reports/> get_status --tokens --cache --warnings> get_recent_cves --hours 24 --severity CRITICAL,HIGH --limit 50> get_kev_entries --recent_days 2 --limit 100> get_exploited --limit 50 --since_hours 168> XSS CONTAINMENT: ACTIVE> DATABASE SYNC COMPLETED. 12,450 NEW IOCS.
SYS.STREAM
SYS.INDEX // SEC_01 // CTI-MCP

CTI
MCP

A Go MCP server that ingests raw threat-intelligence feeds, parses them into structured JSON, and exposes a tool surface for local AI models to query IOCs without crossing the wire.

Status: Operational GO 1.25 · SQLite (pure-Go) · MCP stdio
Live Telemetry
Sources CISA KEV / GitHub / NVD / OSV / PoC
5
Transport MCP 2024-11-05
STDIO
CVEs Today 1 CRITICAL · 25 HIGH · 5 MEDIUM
31
Pipeline cron 09:00 → Telegram
LIVE
System Clock
00:00:00 UTC
Integrity 99.9% — Operator: Curator

Why

// What problem this project solves and why it exists
Make me a Go MCP server that ingests raw threat intelligence feeds, parses them into structured JSON, and exposes an interface for local AI models to query IOCs securely.
COORD: 34.0522° N, 118.2437° W

System Topology v2

// Three feeds stream into the MCP core. Two artefacts come out.
SOURCE_01
NVD Datafeed
SOURCE_02
KEV Catalog
SOURCE_03
GitHub Repos
MCP Core
Processing
Exec_Flow
cti-report.py
XSS Containment: Active
OUT_01
Threat Map
OUT_02
Data Tables

Provider Connectivity Grid

// Live status of every feed the server polls.
Net_Stat_Ok
SourceTypeAuthStatusMetrics
CISA KEVKnown ExploitedOkLAT: 12ms TTL: 3600s
GitHub AdvisoryVuln DatabaseGITHUB_TOKENOkLAT: 45ms TTL: 1800s
NVDNational Vuln DBNVD_API_KEYRate_LimitLAT: 204ms TTL: 7200s
OSV.devOpen Source VulnsOkLAT: 32ms TTL: 3600s
GitHub PoCExploit CodeGITHUB_TOKENOkLAT: 55ms TTL: 1800s

MCP Tool Schematic

// The four operations any local model can call into the server.
QUERY_OP
get_recent_cves

Get recent CVEs within a time window, filtered by severity.

{
  "hours": 24,
  "severity": "CRITICAL,HIGH",
  "limit": 50
}
QUERY_OP
get_kev_entries

Get CISA KEV (Known Exploited Vulnerabilities) catalog entries.

{
  "recent_days": 2,
  "limit": 100
}
HIGH_RISK_OP
get_exploited

Get highest-risk CVEs: actively exploited (KEV) and/or public PoC.

{
  "limit": 50,
  "since_hours": 168
}
EXEC_OP
generate_report

Generate a full HTML threat intelligence report.

{
  "hours": 24,
  "format": "html"
}

Environment Memory Audit

// What the server has accumulated since boot, and how risky it is to run heavy ops right now.
383
Fact_Store Audit
96%
Load Incidents
Stability Protocols
  • get_status before heavy ops
  • Verify warnings empty
  • SQLite pure-Go fallback
DECLASSIFIED_A9

Operational Artefacts

// The two things the server ships: a map and a table.
Fig 01 // Global_Threat_Map Active: 142
Region Focus
NA / EU / ASIA
Fig 02 // Vuln_Datatables
CVE IDSeverityStatusLast Seen
CVE-2024-3094CRITICALEXPLOITED2024-10-27
CVE-2023-4863HIGHPATCHED2024-10-26
CVE-2024-1086MEDIUMANALYZING2024-10-27
CTI MCP — threat intelligence dashboard with global map and CVE data tables Snapshot_01

Threat Vectors

// Immediate-action alert when the server flags a new C2 endpoint.
Immediate Action Required
New C2 Infrastructure
Region
Asia-Pacific
IP
192.168.1.1105
Threat Actor
TA-412

Raw Readouts

// A peek at the live terminal that the server streams to stdio.
> CTI_MCP --ANALYZE --TARGET 192.168.1.105
[08:42:15] Ingesting feeds from sources...
[08:42:18] Database sync completed. 12,450 new IOCs.
> ERROR: Connection timeout to secure_enclave_03. Retrying...
[08:43:01] Fetching GitHub Advisory database...
> Parsing JSON payload...
{
  "id": "GHSA-xxxx-xxxx-xxxx",
  "summary": "Remote Code Execution",
  "severity": "CRITICAL"
}
> Waiting for input

CTI Chat Timeline

// 9 sessions, 5 models, 1 fabrication bust. Every row is a real conversation we had about this server.
#Date / TimeChannelPhaseModelOperational TasksTokens in/outBadge
01
2026-06-21
~22:00
TUIINIT_01GLM-5.2
Foundation günü
go.mod (Go 1.25, Runaho/cti-mcp) · cmd/cti-mcp/main.go (flags, SQLite, stdio serve) · internal/store (modernc.org/sqlite, no CGO) · 5 provider stub (CISA KEV, GitHub Advisory, GitHub PoC, NVD, OSV) · Source interface, HTTPClient (20s→45s timeout) · MCP Go SDK'ya geçiş planı
~120k / 18kFEAT
EXTREME
02
2026-06-22
18:54
TUIDEBUG_01Gemini-3.5-flash
NVD/OSV test + debugging
12 NVD + 11 OSV mock test (34/34 PASS) · NVD severity filter kaldırıldı, client-side filter · NVD API key header'a taşındı · HTTP timeout 20s→45s · opencode environment→command array fix · OSV /v1/query ecosystem desteği yok — karar bekleniyor
~95k / 22kFIX
HIGH
03
2026-06-22→23
gece
TUIXSS_FIXgemini3.5→M3
🔐 XSS keşfi (alert(1))
CVE description raw HTML olarak basılıyordu · html.EscapeString() önce çağrılacak, sonra markdown transform · Test payload: <script>, <img onerror>, <svg onload>, javascript: URL · Double-escape önleme · safeHTML funcMap bypass yerine input-level escape-first
~60k / 12kFIX
MEDIUM
04
2026-06-23
~22:00
TelegramPIPELINE_V9MiniMax-m3
cti-report.py yazımı
cti-report.py minimal stdio JSON-RPC client · initialize→notifications/initialized→get_status→refresh_sources→generate_report · select() ile aynı anda stderr drain + stdout read (deadlock önleme) · İlk cron run 22:48, 22:50 · REPORT_DIR/cti-report-YYYY-MM-DD_HHMM.html standardı
~85k / 18kFEAT
HIGH
05
2026-06-24
12:47
TelegramMEMORY_AUDITGLM-5.2
Bellek + fact_store audit
Fact 137 → 383 (37 ek, 17 silinen) · Lessons: NVD API 2.0 final, XSS pattern, cron constraints, FetchWithContext Colly, debugging methodology · Stale CTI v8→v9 migration · Cron 9 resolved · Behavioral mirror corrections (358+360) silindi · Stale builder profile (fact 34) silindi
~70k / 16kCHORE
MEDIUM
06
2026-06-24
21:52
TelegramRELEASE_V9.2.0MiniMax-m3
README v9 + skill v9.2.0
README.md MCP Tools bölümü (8 tool parametre tablosu) · Cron Job Example: hermes cron create --name cti-threat-report --schedule 0 9 * * * --script cti-report.py · AI Agent Workflow doc · go test ./... -count=1 PASS · Skill cti-threat-report@9.2.0 aktif (5 source fresh, deliver telegram)
~50k / 10kREL
MEDIUM
07
2026-06-15
günlük cron
CronCRON_FIRST_RUNdeepseek-v4-flash:cloud
İlk daily cron run (deepseek-v4-flash)
delegate_task ile NVD fetch (4 URL × 7s delay) → /tmp/nvd_*.json · browser_navigate ile CISA KEV (1.5 MB döndü) · 31 CVE toplam: 1 CRITICAL + 25 HIGH + 5 MEDIUM · P1: 16, P2: 3, P3: 12 · WordPress ekosistem yoğunlaşma (8 SQLi/RCE/path traversal) · Outlier: GL.iNet GL-MT3000, Ruijie EG105G-P · 16 budget'ın 9-10'unu kullandı
~45k / 9kCRON
MEDIUM
08
2026-06-15
günlük cron
CronFABRICATE_BUSTnemotron-3-nano:30b-cloud
🔴 Nano fabricate olayı (nemotron-3-nano)
73 satır / 4 KB HTML üretti (sahte dolu rapor) · Tüm CVE ID'leri uydurmaydı (CVE-2018-25436, CVE-2026-35273) · 'Baggage Freight Shipping Australia' gibi var olmayan plugin isimleri · delegate_task hiç çağrılmamıştı · 9/16 budget self-patching · Policy sıkılaştırma: Kendi Sistemimizde Test SADECE düz metin, shell komutu/kod bloğu YOK
~50k / 8kALERT
EXTREME
09
2026-06-30
12:01
TelegramPUBLIC_RELEASEMiniMax-m3
Skill v9.2.0 + repo public niyeti
Pipeline onayı: Cron (09:00) → cti-report.py → cti-mcp subprocess (stdio) → refresh_sources() + generate_report(hours=24) → ~/projects/cti-mcp/reports/cti-report-YYYY-MM-DD_HHMM.html · 5 kaynak fresh (CISA KEV + GitHub Advisory + GitHub PoC + NVD + OSV) · Telegram'a teslim · Hero public release adayı (skill v9.2.0 stabil)
~30k / 6kREL
LOW
BATCH 01 / 04
REF 0xA2F1
SECT ARTIFACT
// CLASSIFIED
QTY 01
CONTINUE

BLACKED

// URL Blacklist Aggregator · v0.3.0 · 12 providers · 1,070,538 entries

Models Used deepseek-v4-pro · minimax-m2.7 · glm-5 · deepseek-v4-flash
Total Tokens ~840k in / ~215k out
PRs #5 · #16 · #50 · #53 · #54 · #55 · #57–66
Read the editorial story
HUMAN → AI Handover // 16 May 2026 → 28 May 2026 // 9 sessions // 4 models // 1,070,538 entries // v0.1.0-alpha → v0.3.0 DECLASSIFIED
SYS.INDEX // SEC_00 // BLACKED // SIGNAL FROM NOISE

BLACKED
Signal From Noise

DIR_ORIGINAL Design a high-performance URL blacklist aggregator in Go that uses parallel bloom filters for sub-millisecond lookups.
Status: AI Owned GO 1.22 · 12 PROVIDERS · v0.3.0
Session Split // 9 total
// Human-anchored (16–25 May)
#01 16 May MVP validation
#02 18 May Research pipeline
#03 22 May PR #16 review
#04 25 May Mad-man analysis
#05 26 May E2E bootstrap
↓ Handover ↓
// AI-led (26–28 May)
#06 26 May ProcessID cascade
#07 26 May Provider hardening
#08 27 May Pipeline audit
#09 28 May CodeGraph MCP
Token In
~840k
Token Out
~215k
Models
4
PRs
12+
COORD: [X:5.2, Y:18.7]
// 01 // Bloom Filter Anatomy

How 6 parallel bloom filters say "no" in 0.4 ms

OR-merge · first hit wins
INPUT // URL → 6 parallel hash channels
GET /evil.com/malware/exploit.php?ref=bad
→ domain channel → host channel → path channel → file channel → fullurl channel → ip channel
Layer 01
Domain
"evil.com"
h1h2h3
hits
[3, 7, 12]
w: 0.3
Layer 02
Host
"cdn.evil.com"
h1h2h3
hits
[2, 8, 14]
w: 0.5
Layer 03
Path
"/malware/"
h1h2h3
hits
[5, 9, 11]
w: 1.0
Layer 04
File
"exploit.php"
h1h2h3
hits
[1, 6, 13]
w: 0.7
Layer 05
FullURL
"?ref=bad"
h1h2h3
hits
[4, 10, 15]
w: 1.5
Layer 06
IP
"93.127.x.x"
h1h2h3
hits
[0, 5, 9]
w: 0.8
// First Hit Wins
Layer 01 (Domain) lights bit 3 first → ctx cancel → layers 02-06 are aborted. Latency stops growing.
// OR-Gate
≥1 HIT
→ CONFIDENCE LOOKUP
// FP Rate Math
7 hash functions × 1.07M entries / 7M bit capacity.
FP ≈ 7.8% — mitigated by mandatory DB hit verification on every bloom "yes".
COORD: [X:18.4, Y:42.0]
// 02 // Cron Scheduler

12 providers, 1 timeline, 1 minute per sync

domain url ip mixed
provider / TTL
00:0003:0006:0009:0012:0015:0018:0021:0024:00
last sync
P-01 DOMAIN
OISD (big)
0 6 * * *
NOW
06:00 (1× / day)
P-02 DOMAIN
OISD (nsfw)
0 6 * * *
06:00 (1× / day)
P-03 MIXED
ThreatFox
*/30 * * * *
23:30 (48× / day)
P-04 URL
URLHaus
0 * * * *
23:00 (24× / day)
P-05 IP
RTBH Turkey
0 */2 * * *
22:00 (12× / day)
P-06 IP
Blocklist.de
0 */4 * * *
20:00 (6× / day)
P-07 IP
CINS Army
0 */6 * * *
18:00 (4× / day)
P-08 IP
AbuseIPDB
0 0 * * *
— AUTH —
P-09 IP
GreenSnow
0 */6 * * *
18:00 (4× / day)
P-10 MIXED
AlienVault OTX
*/30 * * * *
23:30 (48× / day)
P-11 IP
Tor Exit Nodes
0 */12 * * *
12:00 (2× / day)
P-12 IP
Emerging Threats
0 0 * * *
00:00 (1× / day)
// Single Sync Cycle — State Machine
S1 · IDLE S2 · TRIGGER S3 · FETCH S4 · PARSE S5 · POND S6 · COMMIT S1 · IDLE
CRON fires at the scheduled tick → goroutine pulls the provider feed → parser streams to the pond collector → async batch commits to SQLite. The next cycle can start before this one finishes. No backpressure. No starvation. No missed ticks.
DECLASSIFIED_A03 // BUG CASCADE

Declassified Incident Report

// 8 critical bugs. 12 PR. 2 weeks. Every cascade listed below cost real time, real data, and one near-miss with the production DB.
CRITICAL 16 May
PR #5

scoring.toml not loading

// Root cause

NewScorer(nil) call — the configuration file is never injected. Every trust score falls back to 0.5. The scorer runs in isolation, but the scoring system cannot tell providers apart by reliability.

// Patch applied

cmd/serve.go: NewScorer(configPath) — scoring.toml hot-reload added. Provider weights now read from the configuration file.

CRITICAL 16 May
PR #5

DROP TABLE runs without CASCADE

// Root cause

During migrations, DROP TABLE blacklisted_urls was being called without CASCADE. A destructive operation could wipe FK references by accident. Caught in the test environment.

// Patch applied

migrations/0001_init.sql: DROP TABLE → DROP TABLE IF EXISTS … CASCADE. Refactored: all migrations now run in a single tx.

CRITICAL 16 May
PR #5

SELECT on a column that does not exist

// Root cause

The hit query was writing SELECT reason FROM … but the table had no "reason" column (only source, url, process_id). Returned 500. Caught before reaching production.

// Patch applied

repository/hits.go: SELECT source, url, process_id, inserted_at FROM blacklisted_urls. Index added on (process_id, inserted_at).

HIGH 16 May
PR #5

Hit path skips the DB (bloom only)

// Root cause

The /check endpoint was looking only at the bloom filter; it never verified the DB hit. On a false positive the caller received a wrong "blocked" verdict. There was no reverse path.

// Patch applied

check.go: when bloom.TestString(hash) is true, a DB lookup is now mandatory. Result: {InBloom: true, InDB: bool, Reason: string}.

CRITICAL 26 May
PR #50 + #53

ProcessID cache poisoning (cascade)

// Root cause

process.go:269 — strProcessID = meta.ProcessID was overwriting the fresh UUID. Every entry was bound to the wrong processID. RemoveOlderInsertions then wiped them all. The first fix (PR #50) failed to find the rogue uuid.New() generator inside parallel_parser.go → a second patch (PR #53) forced the parser to take the processID from the provider.

// Patch applied

process.go:269-274: ignore the cached processID, use a fresh UUID. parallel_logger.go:107-134: added a processID parameter to ParseLinesParallel. 6 callers updated.

★ Multi-PR Cascade
HIGH 26 May
PR #54

AlienVault 403 Forbidden

// Root cause

AlienVault OTX Fetch() defaulted to ctx.Background(). The User-Agent header was missing. 403 came back. The pagination strategy (page-based, max 56) was unusable because not a single fetch was getting through.

// Patch applied

alienvault/provider.go: added a FetchWithContext() override (delegating to Fetch()). Correct UA + rate-limit aware retry. The multi-page fetch chain was restored.

MEDIUM 26 May
PR #54

NULL scan error (openphish)

// Root cause

openphish-feed and other providers were returning NULL confidence. The sql.NullString migration was incomplete. SQLite was raising a scan error.

// Patch applied

sqlite_blacklist_repository.go: confidence, source → sql.NullString. NullInt64 added too. Insert and select paths updated.

CRITICAL 28 May
PR #57

RemoveStoredResponse on every restart (AlienVault 300+ page)

// Root cause

process.go:328-330 was calling RemoveStoredResponse in the development environment → after every run response.dat was being deleted → on restart AlienVault had to refetch 300+ pages. The 2.5s bloom bootstrap was paying the price.

// Patch applied

process.go:328-330: added an env == "dev" check. In production, response.dat is preserved. Folded into the async startup plan (PR #59).

Critical Bugs 8
PRs Merged 12+
Lines Patched ~+5,400 / −1,200
Near-Miss 1 (DROPTABLE)
DECLASSIFIED_A04 // PROVIDER MATRIX

Provider Matrix

// 12 live providers. 1,070,538 entries. The signal that Blacked is filtering from.
P-01 DOMAIN
OISD (big)
438,790
entries · 40.8% of total
0 6 * * * OK
P-02 DOMAIN
OISD (nsfw)
332,539
entries · 30.9% of total
0 6 * * * OK
P-03 MIXED
ThreatFox (online)
103,628
entries · 9.6% of total
*/30 * * * * OK
P-04 URL
URLHaus (online)
76,148
entries · 7.1% of total
0 * * * * OK
P-05 IP
RTBH Turkey
62,804
entries · 5.8% of total
0 */2 * * * OK
P-06 IP
Blocklist.de
23,583
entries · 2.2% of total
0 */4 * * * OK
P-07 IP
CINS Army
15,000
entries · 1.4% of total
0 */6 * * * OK
P-08 IP
AbuseIPDB
10,000
entries · 0.9% of total
0 0 * * * AUTH
P-09 IP
GreenSnow
5,995
entries · 0.6% of total
0 */6 * * * OK
P-10 MIXED
AlienVault OTX
6,000
entries · 0.6% of total
*/30 * * * * OK
P-11 IP
Tor Exit Nodes
1,280
entries · 0.1% of total
0 */12 * * * OK
P-12 IP
Emerging Threats
516
entries · 0.0% of total
0 0 * * * OK
Total Entries (all 12)
1,076,283
As of 26 May 2026, 19:37
Largest Provider
OISD (big)
438,790 · 0 6 * * *
Smallest Provider
Emerging Threats
516 · 0 0 * * *
COORD: [X:22.0, Y:5.0]
Total Sessions 9 Main · 25+ sub
Active Providers 12 (1.07M entries)
Token In ~850k
Token Out ~220k
Model / Latency GPT-4o · 0.4ms
E2E Tests 14/14 (0.59s)
COORD: [X:12.4, Y:67.8]
// 06 // Heuristic Algorithm

Confidence Score Matrix

confidence =
Σ(trust_score × depth_weight) Σ(trust_score)

Depth weights: Domain 0.3 · Host 0.5 · HostPath 1.0 · File 0.7 · FullURL 1.5 · IP 0.8. Provider trust scores resolved from scoring.toml.

MATH_SIG_VERIFIED

Blacked Chat Timeline

// 9 sessions. 4 models. 1 human-anchored handoff to AI. Every row is a real conversation from May 2026.
#Date / TimeChannelPhaseModelOperational TasksTokens in/outBadge
01
2026-05-16
22:00
Telegram01 // Human Anchordeepseek-v4-pro:cloud
MVP validation & v0.1.0-alpha prep
7-layer research methodology extracted. go build PASS + 7/7 unit + 14/14 E2E. 5 MVP phases verified. 4 critical gaps in scoring.toml / drop-table / select / hit-DB found via Copilot PR review. PR #5 (33 commit, 75 file) merged. // Human-led.
~140k in / 35k outFEAT
HIGH
02
2026-05-18
multi
Telegram02 // Research Driftdeepseek-v4-flash:cloud
Research: AlienVault + provider pipeline
AlienVault OTX indicator mapping (domain/url → bloom; hash → skip; pulse → category). 6-provider capability analysis. Architecture decisions for new provider onboarding.
~70k in / 18k outDOCS
MEDIUM
03
2026-05-22
multi
Telegram03 // Provider Takeoverminimax-m2.7:cloud
PR #16 review + provider enrichment
PR #16 review: 37 files (+5,220/-18). AbuseIPDB REST API, AlienVault pagination, 4 new providers. SourceType 12→14. Pagination page-based max 56. 10+ providers auto-enabled. // AI takes the initiative at provider level.
~110k in / 28k outFEAT
HIGH
04
2026-05-25
15:51
Telegram04 // Mad-Man Passminimax-m2.7:cloud
Mad-man analysis — 20 critical issues
37KB analysis report. 20 critical issues (bloom pool corruption, DB write saturation, SQLite WAL contention, bloom race condition, 7.8% FP rate, missing provider reliability scoring). 14 quality items. 4-week backlog. 14 metrics proposed.
~85k in / 22k outALERT
EXTREME
05
2026-05-26
02:04
Telegram05 // Bootstrap Verifyglm-5:cloud
E2E bootstrap + port collision
Port 8082 collision → kill old process → fresh start. Bootstrap observation: 888K → 1M+ bloom. Provider sync confirmed. ProcessID cache poisoning discovered at process.go:269.
~75k in / 20k outFIX
HIGH
06
2026-05-26
17:56
Telegram06 // Cascade Patchglm-5:cloud
ProcessID fix + bug cascade
process.go:269-274 patch (ignore cached processID, use fresh UUID). parallel_logger.go signature update. 6 callers updated. PR #50 merged. Second bug in parallel_parser.go → PR #53 fix.
~95k in / 24k outFIX
EXTREME
07
2026-05-26
19:37
Telegram07 // Provider Hardeningglm-5:cloud
ThreatFox / AlienVault / AbuseIPDB fix
AlienVault FetchWithContext() override (403 fix). NULL scan migration. abuseipdb parseFunc fix. ThreatFox API key logging. 12 providers totalling 1,070,538 entries. PR #54 + PR #55 cherry-pick.
~85k in / 22k outFIX
HIGH
08
2026-05-27
11:57
Telegram08 // Pipeline Auditglm-5:cloud
Provider pipeline analysis
Pond collector + bloom bootstrap analysis. 2.5s duration / 734K entry. AlienVault scheduled TTL bug (every 10min full refetch). /api/v1/bloom/stats endpoint. 4 PRs for provider enable/disable subset.
~70k in / 18k outCHORE
MEDIUM
09
2026-05-28
multi
Telegram09 // AI Takeoverdeepseek-v4-flash:cloud
CodeGraph MCP + async startup
CodeGraph MCP setup (140 files, 2,312 nodes). 10 kanban sub-tasks. PR #57–60. Server startup blocking bug fix (async). Mad-man dispatch → PR #64 (AlienVault nil), PR #66 (IPv6). // AI now makes architecture decisions.
~110k in / 28k outFEAT
EXTREME
SOURCE // THE RECEIPT
root@blacked:/core/engine.go · COLLECTOR_POND_MONITOR
// Engine Source — finally, at the dead end of the page
// INITIALIZING CORE ROUTINES...
package blacklist

import (
	"sync"
	"context"
	"log"
)

// 6-layer parallel check chain: Domain -> Host -> HostPath -> File -> FullURL -> IP. First hit wins.
func (b *Blacklist) Check(url string) bool {
	var wg sync.WaitGroup
	result := make(chan bool, 6)
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()

	layers := []func() bool{
		func() bool { return b.checkDomain(url) },
		func() bool { return b.checkHost(url) },
		func() bool { return b.checkHostPath(url) },
		func() bool { return b.checkFile(url) },
		func() bool { return b.checkFullURL(url) },
		func() bool { return b.checkIP(url) },
	}

	for _, layer := range layers {
		wg.Add(1)
		go func(check func() bool) {
			defer wg.Done()
			if check() {
				select {
				case result <- true:
					cancel()
				case <-ctx.Done():
				}
			}
		}(layer)
	}

	go func() {
		wg.Wait()
		close(result)
	}()

	for hit := range result {
		if hit {
			return true
		}
	}
	return false
}
// NODE SYNC STATUS: SECURE
BATCH — / 04
REF 0x0000
SECT ARTIFACT
// CLASSIFIED
QTY 01
CONTINUE
END OF INTAKE
// all 4 entries loaded