UnitOneAI · JamesJi79 · Jun 7, 2026 · Jun 7, 2026 · Jun 7, 2026
diff --git a/skills/ai-security/agent-security/gates/approval-artifact-provenance-gate.md b/skills/ai-security/agent-security/gates/approval-artifact-provenance-gate.md
@@ -0,0 +1,35 @@
+# Approval-Artifact Provenance Gate
+
+## Purpose
+Prevents false-positive "approval bypass" findings when AI agent approval decisions are bound to canonical executable artifacts (signed container digests, SLSA provenance attestations, signed commits) rather than model-written summaries or natural-language descriptions. The current skill may flag all approval-to-artifact binding as insufficient when the binding is done through cryptographic attestation rather than explicit code references.
+
+## Detection Logic
+
+### Trigger Conditions
+Fire this gate when ALL of the following are true:
+1. A finding flags "approval not bound to artifact" or "approval bypass risk" as High/Critical
+2. The system uses cryptographic attestation for approval-artifact binding (SLSA provenance, in-toto attestation, cosign signatures, Sigstore bundle)
+3. Approval records include digest references (SHA256, OCI digest, git commit hash)
+
+### Gate Check: Attestation Binding
+
+```yaml
+check_attestation_binding:
+  - detection_patterns:
+      - "approval.*artifact|artifact.*approval|binding.*approval"
+      - "slsa|in-toto|cosign|sigstore|attestation.*provenance"
+      - "sha256:|digest|oci.*digest|commit.*hash|git.*sha"
+  - pass: "Approval bound to artifact via cryptographic attestation (SLSA/in-toto/Sigstore) → Downgrade to Low (Observation). Rationale: Cryptographic attestation provides stronger binding than code references. Attestations are tamper-evident and verifiable independently of the approval workflow."
+  - fail: "Approval recorded against natural-language description or untrusted artifact path → Keep High/Critical severity. Implement digest-based artifact pinning."
+```
+
+### Gate Check: Privacy-Preserving Alternatives
+
+```yaml
+check_privacy_alternatives:
+  - detection_patterns:
+      - "prompt.*hash|redact.*parameter|policy.*trace|correlation.*id"
+      - "privacy.*preserv|mask.*prompt|anonymize.*approval|hash.*artifact"
+  - pass: "Privacy-preserving alternatives (prompt hashes, redacted parameters, policy traces, correlation IDs) used to avoid exposing sensitive context in approval records → Accept. Ensure correlation IDs can be traced to full context during incident response."
+  - fail: "Full prompt/context exposed in approval records → Recommend privacy-preserving alternatives. Information exposure risk in approval audit trail."
+```
diff --git a/skills/ai-security/agent-security/gates/mcp-tool-provenance-gate.md b/skills/ai-security/agent-security/gates/mcp-tool-provenance-gate.md
@@ -0,0 +1,35 @@
+# MCP/Plugin Tool Provenance Gate
+
+## Purpose
+Prevents false-positive "unverified plugin tool" findings when MCP (Model Context Protocol) servers, plugins, or tool servers are pinned to specific versions, use signed manifests, or are deployed from a curated registry with integrity verification (e.g., npm package lock, pip requirements hash, Docker content trust, Sigstore verification).
+
+## Detection Logic
+
+### Trigger Conditions
+Fire this gate when ALL of the following are true:
+1. A finding flags "unverified MCP/tool-server provenance" as High
+2. The tool/plugin has version pinning (semver lock, git tag, digest pin)
+3. The tool/plugin uses signed manifests or integrity verification (Subresource Integrity, package lock, Docker Content Trust)
+
+### Gate Check: Version Pinning
+
+```yaml
+check_version_pinning:
+  - detection_patterns:
+      - "mcp.*server|tool.*server|plugin.*install|mcp_.*install"
+      - "package-lock|yarn.lock|pipfile\.lock|poetry.*lock|go\.sum"
+      - "digest.*pin|@sha256|image.*digest|container.*digest"
+  - pass: "Version pinning with integrity verification confirmed → Downgrade to Low (Informational). Rationale: Lock files and digest pins provide supply-chain integrity. The MCP server cannot be silently replaced without updating the lock file."
+  - fail: "No version pinning OR no integrity verification → Keep severity. Unpinned MCP servers can be replaced via supply-chain attack."
+```
+
+### Gate Check: Secret Scoping
+
+```yaml
+check_secret_scoping:
+  - detection_patterns:
+      - "per.*server.*secret|tool.*secret.*scope|mcp.*secret"
+      - "env.*per.*tool|secret.*permission|scope.*credential"
+  - pass: "Secrets scoped per MCP server/tool (not shared global credentials) → Accept. Each tool server has access only to its required secrets."
+  - fail: "Shared/global secrets accessible to all MCP servers → Escalate to High. A compromised MCP server gains access to all tool credentials."
+```
diff --git a/skills/ai-security/agentic-top-10/gates/taint-delegation-gate.md b/skills/ai-security/agentic-top-10/gates/taint-delegation-gate.md
@@ -0,0 +1,46 @@
+# Tool-Output Taint and Delegated Capability Gate
+
+## Purpose
+Prevents false-positive "tool-output taint" findings when AI agent tool outputs are consumed through structured schemas with explicit capability scoping (Pydantic models, Zod schemas, TypeScript interfaces, protobuf definitions) that validate and constrain how tool outputs can be used, preventing taint propagation even when agent tool outputs contain external data.
+
+## Detection Logic
+
+### Trigger Conditions
+Fire this gate when ALL of the following are true:
+1. A finding flags "tool-output taint" or "delegated capability misuse" as High/Critical
+2. Tool outputs are validated through structured schemas before consumption
+3. Agent capabilities are scoped to specific tools with defined input/output contracts
+
+### Gate Check: Structured Schema Validation
+
+```yaml
+check_schema_validation:
+  - detection_patterns:
+      - "pydantic.*model|zod.*schema|typescript.*interface|protobuf.*message"
+      - "tool.*output|function.*result|mcp.*response|agent.*tool.*call"
+      - "validation.*schema|input.*sanitiz|output.*filter|taint.*check"
+  - pass: "Tool outputs validated through structured schemas with capability scoping → Downgrade to Low (Observation). Rationale: Schema validation prevents unexpected data shapes and provides a contract boundary. Taint propagation requires bypassing the schema validation layer."
+  - fail: "Tool outputs consumed as raw/untyped data → Keep severity. Without schema validation, any tool output can be interpreted as any type, enabling injection and data confusion attacks."
+```
+
+### Gate Check: Capability Scoping
+
+```yaml
+check_capability_scoping:
+  - detection_patterns:
+      - "capability.*scope|permission.*tool|tool.*allowlist|function.*allow"
+      - "agent.*can.*only|tool.*restrict|scope.*delegate|limit.*tool"
+  - pass: "Agent capabilities scoped to explicit allowlist of tools with defined contracts → Accept. Capability scoping ensures tool misuse requires compromising the capability management system."
+  - fail: "Agent has unrestricted tool access OR tools lack input/output contracts → Escalate to High. Unrestricted agents can delegate capabilities to untrusted tool outputs, creating capability escalation paths."
+```
+
+### Gate Check: Delegation Depth
+
+```yaml
+check_delegation_depth:
+  - detection_patterns:
+      - "delegate.*task|sub.*agent|subtask.*agent|recursive.*agent"
+      - "max.*depth|max.*delegation|iteration.*limit|recursion.*limit"
+  - pass: "Delegation depth explicitly limited AND parent agent reviews sub-agent outputs before action → Accept. Controlled delegation prevents capability escalation through recursive agent calls."
+  - fail: "Unbounded delegation OR sub-agent outputs consumed without parent review → Escalate to High. Deep delegation chains create opaque capability boundaries."
+```
diff --git a/skills/ai-security/model-supply-chain/gates/final-artifact-provenance-gate.md b/skills/ai-security/model-supply-chain/gates/final-artifact-provenance-gate.md
@@ -0,0 +1,36 @@
+# Final Artifact Provenance Gate
+
+## Purpose
+Prevents false-positive "missing final-artifact verification" findings when the ML pipeline produces signed model artifacts (safetensors with SHA256 digests, ONNX with model signatures, MLflow model registry with versioning) or when the output is validated against a known-good test suite before release, even if formal SLSA provenance is not yet implemented.
+
+## Detection Logic
+
+### Trigger Conditions
+Fire this gate when ALL of the following are true:
+1. A finding flags "no final-artifact provenance" or "no output integrity check" as High
+2. The pipeline produces signed or digest-verified model artifacts
+3. The pipeline includes post-training validation (accuracy benchmark, fairness test, adversarial robustness check)
+
+### Gate Check: Artifact Signing
+
+```yaml
+check_artifact_signing:
+  - detection_patterns:
+      - "safetensors|model.*signature|mlflow.*register|model.*version.*tag"
+      - "onnx.*sign|tensorflow.*saved_model|torch.*jit.*script"
+      - "sha256.*model|digest.*artifact|hash.*model.*file"
+  - pass: "Model artifact has cryptographic digest OR model registry versioning → Downgrade to Medium (Recommendation). Rationale: Digest verification ensures artifact integrity. Model registry versioning provides audit trail for which artifact was deployed and when."
+  - fail: "No artifact digest and no registry versioning → Keep severity. Without provenance, the deployed artifact cannot be verified against what was tested and approved."
+```
+
+### Gate Check: Validation Pipeline
+
+```yaml
+check_validation_pipeline:
+  - detection_patterns:
+      - "accuracy.*test|benchmark.*suite|evaluation.*pipeline|model.*eval"
+      - "fairness.*check|adversarial.*test|robustness.*validation"
+      - "golden.*dataset|test.*suite.*model|regression.*test"
+  - pass: "Pipeline includes automated validation against known-good test suite → Accept. Validation results provide functional provenance even without formal SLSA attestation."
+  - fail: "No post-training validation → Escalate to High. Artifacts may contain regressions, backdoors, or degraded performance not caught before deployment."
+```
diff --git a/skills/ai-security/model-supply-chain/gates/remote-code-provenance-gate.md b/skills/ai-security/model-supply-chain/gates/remote-code-provenance-gate.md
@@ -0,0 +1,35 @@
+# Remote Code Execution Provenance Gate
+
+## Purpose
+Prevents false-positive "unverified remote code" findings when code is fetched from trusted registries with integrity verification (PyPI with hash pinning, npm with lockfile + SRI, Hugging Face Hub with commit pinning, Docker Hub with digest) even when the code is dynamically loaded at runtime. The current skill may conflate dynamic loading with untrusted code execution.
+
+## Detection Logic
+
+### Trigger Conditions
+Fire this gate when ALL of the following are true:
+1. A finding flags "remote code execution" or "dynamic code loading" as Critical
+2. The code is loaded from a trusted registry with integrity verification
+3. The registry artifact is pinned to a specific version, commit, or digest
+
+### Gate Check: Registry Integrity
+
+```yaml
+check_registry_integrity:
+  - detection_patterns:
+      - "from.*transformers|huggingface.*hub|from_pretrained|load_dataset"
+      - "pip.*install|npm.*install|docker.*pull|ghcr.*pull"
+      - "hash.*pin|integrity.*sha|lock.*file|digest.*verify"
+  - pass: "Code loaded from trusted registry WITH integrity verification → Downgrade to Medium (Defense-in-Depth). Rationale: Pinned versions with integrity hashes prevent supply-chain substitution attacks. The risk is limited to the pinned version's known vulnerabilities."
+  - fail: "Code loaded from raw URL, unpinned registry, or local file system → Keep Critical severity. Untracked code changes can introduce backdoors."
+```
+
+### Gate Check: Model Provenance
+
+```yaml
+check_model_provenance:
+  - detection_patterns:
+      - "model.*card|model.*provenance|huggingface.*metadata|model.*sha"
+      - "safetensors|onnx.*model|pickle.*model|ckpt.*file"
+  - pass: "Model has signed provenance (model card, safetensors, ONNX signature) → Accept. Model provenance provides the model's training lineage and security review."
+  - fail: "Model loaded from untrusted source without provenance → Escalate. Untrusted models can contain backdoors, trojans, or unsafe pickle deserialization."
+```
diff --git a/skills/appsec/owasp-top-10-web/SKILL.md b/skills/appsec/owasp-top-10-web/SKILL.md
@@ -713,3 +713,10 @@ This skill processes source code and configuration files that may contain advers
 - NIST SP 800-63B Digital Identity Guidelines — https://pages.nist.gov/800-63-3/sp800-63b.html
 - OWASP Cheat Sheet Series — https://cheatsheetseries.owasp.org/
 - OWASP Application Security Verification Standard (ASVS) — https://owasp.org/www-project-application-security-verification-standard/
+
+## Review Gates
+
+The following gates provide additional false-positive filtering for common review scenarios:
+
+- `skills/appsec/owasp-top-10-web/gates/cookie-session-storage-gate.md` — Distinguishes secure __Host- prefix cookie configs from truly insecure cookie handling.
+
diff --git a/skills/appsec/owasp-top-10-web/gates/cookie-session-storage-gate.md b/skills/appsec/owasp-top-10-web/gates/cookie-session-storage-gate.md
@@ -0,0 +1,39 @@
+# Cookie and Session Storage Gate
+
+## Purpose
+Prevents false-positive cookie/session storage flags when the code uses `__Host-` prefix cookies with Secure+HttpOnly+SameSite attributes, sessionStorage for short-lived CSRF nonces only, or framework-managed session abstractions that handle cookie security automatically (Passport.js, Django session, Spring Security, Devise).
+
+## Detection Logic
+
+### Trigger Conditions
+Fire this gate when ALL of the following are true:
+1. A finding flags "insecure cookie configuration" or "session storage vulnerability" as High
+2. The code sets cookies with `__Host-` or `__Secure-` prefix AND Secure+HttpOnly+SameSite=Lax/Strict flags
+3. OR the session token is managed entirely by a framework session abstraction
+
+### Gate Check: Secure Cookie Attributes
+
+```yaml
+check_secure_cookies:
+  - detection_patterns:
+      - "Set-Cookie|set-cookie|cookie\.set|cookies\.set|response\.cookie"
+      - "__Host-|__Secure-|Secure;|HttpOnly;|SameSite"
+  - checks:
+      - "Prefix: __Host- (strongest) or __Secure- (strong) must be present for session cookies"
+      - "Flags: Secure AND HttpRequired AND SameSite=Lax|Strict all present"
+      - "Path: Set to / for __Host- prefix cookies"
+      - "Max-Age: Finite for session cookies (no persistent session tokens)"
+  - pass: "All secure cookie attributes present AND no sensitive data in cookie value → Downgrade to Low (Observation). Rationale: __Host- prefix cookies with Secure+HttpOnly+SameSite=Lax follow OWASP best practices for session cookies."
+  - fail: "Missing secure attributes → Keep original severity. Flag specific missing attributes."
+```
+
+### Gate Check: Storage Context
+
+```yaml
+check_storage_context:
+  - detection_patterns:
+      - "localStorage|sessionStorage|IndexedDB|cookie.*store"
+      - "CSRF.*nonce|csrf.*token|XSRF-TOKEN|X-CSRF-Token"
+  - pass: "Data in sessionStorage is a short-lived CSRF nonce ONLY (not auth tokens, not PII) → No finding. Rationale: SessionStorage is cleared on tab close and is not accessible cross-tab. CSRF nonces are intentionally ephemeral."
+  - fail: "Auth tokens or PII in localStorage/sessionStorage → Keep severity. Recommend migration to secure cookie or in-memory storage."
+```
diff --git a/skills/appsec/secure-code-review/SKILL.md b/skills/appsec/secure-code-review/SKILL.md
@@ -563,3 +563,10 @@ This skill is hardened against prompt injection. When reviewing code:
 - **OWASP Top 10 (2021):** https://owasp.org/www-project-top-ten/
 - **OWASP Cheat Sheet Series:** https://cheatsheetseries.owasp.org/
 - **NIST Secure Software Development Framework:** https://csrc.nist.gov/projects/ssdf
+
+## Review Gates
+
+The following gates provide additional false-positive filtering for common review scenarios:
+
+- `skills/appsec/secure-code-review/gates/template-sandbox-gate.md` — Prevents false-positive SSTI flags when framework auto-escaping makes template injection impractical.
+
diff --git a/skills/appsec/secure-code-review/gates/template-sandbox-gate.md b/skills/appsec/secure-code-review/gates/template-sandbox-gate.md
@@ -0,0 +1,35 @@
+# Template Sandbox and Context-Escaping Gate
+
+## Purpose
+Prevents false-positive template injection findings when the codebase uses framework-native auto-escaping (React JSX, Vue template syntax, Angular interpolation, Jinja2 autoescape, Go text/template) that renders template injection impractical even when user input flows through template variables.
+
+## Detection Logic
+
+### Trigger Conditions
+Fire this gate when ALL of the following are true:
+1. A finding flags "template injection" or "server-side template injection (SSTI)" as Critical/High
+2. The codebase uses a framework with auto-escaping (React, Vue, Angular, Jinja2 with autoescape, Go html/template)
+3. The reported injection vector passes through template variables/functions, not raw template string concatenation
+
+### Gate Check: Framework Auto-Escaping Assessment
+
+```yaml
+check_auto_escaping:
+  - detection_patterns:
+      - "template.*injection|SSTI|server-side template|handlebars|mustache"
+      - "React\.createElement|JSX|v-bind|:innerHTML|ng-bind-html|jinja2.*autoescape"
+  - pass: "Framework with auto-escaping confirmed → Downgrade to Medium (Context-Dependent). Rationale: The reported vector would require bypassing framework-level escaping (e.g., dangerouslySetInnerHTML, v-html, raw filter). If the code uses these bypasses, escalate; otherwise, this is a defense-in-depth finding."
+  - fail: "No framework auto-escaping OR template string concatenation confirmed → Keep Critical severity. SSTI allows RCE in most template engines."
+```
+
+### Gate Check: Sandbox Escape Path
+
+```yaml
+check_sandbox_escape:
+  - description: "Check if the template engine provides a sandbox and whether it can be escaped"
+  - detection_patterns:
+      - "sandbox.*bypass|sandbox.*escape|restricted.*python|eval.*template"
+      - "jinja2.*sandbox|go.*template.*no.*escape"
+  - pass: "Template engine uses sandbox mode (Jinja2 SandboxedEnvironment, Go text/template with restricted funcs) → Downgrade to Low. Escaping sandboxed environments requires known CVEs."
+  - fail: "Template engine without sandbox AND user input flows through template directives → Keep High/Critical."
+```
diff --git a/skills/cloud/container-security/gates/debug-container-privilege-gate.md b/skills/cloud/container-security/gates/debug-container-privilege-gate.md
@@ -0,0 +1,35 @@
+# Debug Container and Ephemeral Privilege Gate
+
+## Purpose
+Prevents false-positive "privileged container" flags when ephemeral debug containers (kubectl debug, ephemeral containers in Kubernetes) or sidecar containers with elevated permissions are used for legitimate debugging purposes and are explicitly scoped to specific namespaces, time-bound, and auditable.
+
+## Detection Logic
+
+### Trigger Conditions
+Fire this gate when ALL of the following are true:
+1. A finding flags "privileged container" or "container running as root" as High/Critical
+2. The privileged container is ephemeral (kubectl debug, debug sidecar, temporary troubleshooting pod)
+3. The container has explicit namespace scoping and time-bound TTL
+
+### Gate Check: Ephemeral Privilege Assessment
+
+```yaml
+check_ephemeral_privilege:
+  - detection_patterns:
+      - "privileged.*true|securityContext.*privileged|--privileged"
+      - "kubectl.*debug|ephemeral.*container|debug.*sidecar|debug.*pod"
+      - "ttl.*seconds|activeDeadlineSeconds|timeout.*debug"
+  - pass: "Debug container is ephemeral with TTL AND scoped to specific namespace → Downgrade to Medium (Observation). Rationale: Ephemeral debug containers are an accepted Kubernetes debugging practice. The risk is limited by the container's short lifetime and explicit namespace scoping. Ensure debug sessions are logged and approved."
+  - fail: "Container runs privileged persistently (Deployment, StatefulSet, DaemonSet) OR no TTL → Keep severity. Persistent privileged containers should run as non-root with dropped capabilities."
+```
+
+### Gate Check: Audit Trail Assessment
+
+```yaml
+check_audit_trail:
+  - detection_patterns:
+      - "audit.*log|kubernetes.*audit|cloud.*audit|kubectl.*auth.*check"
+      - "pod.*exec|kubectl.*exec|debug.*session|kubectl.*debug"
+  - pass: "Kubernetes audit logging enabled for pod exec/debug operations AND incident response runbook references debug container pattern → Accept. Escalation only if audit logs show unauthorized usage."
+  - fail: "No audit logging for privileged operations → Escalate to High. Without audit trails, ephemeral privilege escalation cannot be distinguished from compromise."
+```
diff --git a/skills/cloud/iac-security/SKILL.md b/skills/cloud/iac-security/SKILL.md
@@ -263,6 +263,12 @@ This skill applies checks equivalent to the following high-impact rules:
 
 ---
 
+## Review Gates
+
+The following gates provide additional false-positive filtering for common review scenarios:
+
+- `skills/cloud/iac-security/gates/terraform-state-exposure-gate.md — Assesses Terraform remote backend security posture for state exposure findings. Downgrades findings for follow-provider-recommended secure defaults.
+
 ## Changelog
 
 - **1.0.0** -- Initial release. Coverage of eight security domains across Terraform, CloudFormation, Pulumi, and Bicep with Checkov/tfsec/KICS rule equivalents.