# Diagrams — Capstone C2: Build a Smart Contract or Cloud Security Harness

> All Mermaid validated in Mermaid Live Editor.

---

## Diagram 1 — Domain Choice and the Three Modes

**Type**: Mermaid (flowchart)
**Purpose**: Shows the two tracks and how each defines three modes. The C1 architecture ports; the modes and tools are domain-specific. A harness that only runs one mode is half a harness.

```mermaid
flowchart TD
    ARCH["C1 architecture PORTS<br/>scope middleware · memory · tools · evidence · triage · report"]

    SC["Smart contract track<br/>(EVMbench-aligned)"]
    CL["Cloud track<br/>(posture + red team)"]

    SC_D["DETECT<br/>Slither · Mythril · LLM reasoning<br/>Evidence: finding + location + class"]
    SC_P["PATCH<br/>generate fix · verify (re-detect clean + tests pass)<br/>Evidence: diff + test results"]
    SC_E["EXPLOIT<br/>working PoC on forked mainnet<br/>Evidence: PoC tx + state change"]

    CL_D["DETECT<br/>config scanner (Prowler) · IAM analyzer<br/>Evidence: misconfigured resource + violated control"]
    CL_R["REMEDIATE<br/>apply fix · verify (re-scan clean)<br/>Evidence: remediation action + post-fix state"]
    CL_E["EXPLOIT<br/>controlled red-team action<br/>Evidence: exploit chain + access achieved"]

    ARCH --> SC --> SC_D --> SC_P --> SC_E
    ARCH --> CL --> CL_D --> CL_R --> CL_E

    NOTE["Three modes together = the benchmark<br/>Detect-only = half a harness<br/>recall alone hides Patch/Remediate and Exploit weaknesses"]
    SC_E -.-> NOTE
    CL_E -.-> NOTE

    style ARCH fill:#0d2818,stroke:#1e8449,color:#82e0aa
    style SC fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
    style CL fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
    style SC_D fill:#14141f,stroke:#5eead4,color:#5eead4
    style SC_P fill:#14141f,stroke:#5eead4,color:#5eead4
    style SC_E fill:#14141f,stroke:#5eead4,color:#5eead4
    style CL_D fill:#14141f,stroke:#5eead4,color:#5eead4
    style CL_R fill:#14141f,stroke:#5eead4,color:#5eead4
    style CL_E fill:#14141f,stroke:#5eead4,color:#5eead4
    style NOTE fill:#2a1810,stroke:#a04000,color:#f0a868
```

**Reading the diagram**: The C1 architecture — scope middleware, memory, tools, evidence, triage, report — ports directly to both domains. What changes is the three modes and their tool chains. Smart contract: Detect (Slither/Mythril/LLM), Patch (generate + verify), Exploit (PoC on forked mainnet). Cloud: Detect (Prowler/IAM analyzer), Remediate (apply + verify), Exploit (red-team action). The three modes together are the benchmark. A harness that only runs Detect is half a harness — recall alone hides weaknesses in Patch/Remediate and Exploit. All three must be scored and reported together.

---

## Diagram 2 — The Build Pipeline (Smart Contract and Cloud)

**Type**: Mermaid (flowchart)
**Purpose**: Shows the full pipeline for both tracks — load target, run three modes, triage, report — and where evidence is captured at each stage.

```mermaid
flowchart TD
    subgraph SC_PIPE["Smart contract pipeline"]
        SC_LOAD["Load target<br/>contract source + EVMbench metadata"]
        SC_DETECT["Detect mode<br/>Slither · Mythril · LLM<br/>→ candidate findings"]
        SC_PATCH["Patch mode<br/>for each finding: generate fix<br/>verify: re-detect clean + Foundry tests pass"]
        SC_EXPLOIT["Exploit mode<br/>for each finding: build PoC on forked mainnet<br/>record success/failure"]
        SC_TRIAGE["Triage<br/>filter FP · confirm with evidence"]
        SC_REPORT["Audit report<br/>scope · methodology · findings · severity · PoC · roadmap"]
        SC_LOAD --> SC_DETECT --> SC_PATCH --> SC_EXPLOIT --> SC_TRIAGE --> SC_REPORT
    end

    subgraph CL_PIPE["Cloud pipeline"]
        CL_LOAD["Load target<br/>account + regions + control framework (CIS)"]
        CL_DETECT["Detect mode<br/>Prowler · IAM analyzer · surface mapper<br/>→ posture violations"]
        CL_REMED["Remediate mode<br/>for each finding: apply fix<br/>verify: re-scan clean"]
        CL_EXPLOIT["Exploit mode<br/>for each exposure: red-team action<br/>(assume role · access data)"]
        CL_TRIAGE["Triage<br/>filter FP · confirm with evidence"]
        CL_REPORT["Posture report<br/>scope · controls · findings by category · evidence · roadmap"]
        CL_LOAD --> CL_DETECT --> CL_REMED --> CL_EXPLOIT --> CL_TRIAGE --> CL_REPORT
    end

    EV["Evidence captured at every stage<br/>finding → evidence (sha256) → tool call → trace ID<br/>tamper-evident chain (from C1)"]
    SC_EXPLOIT -.-> EV
    CL_EXPLOIT -.-> EV

    style SC_PIPE fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
    style CL_PIPE fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
    style SC_DETECT fill:#14141f,stroke:#5eead4,color:#5eead4
    style CL_DETECT fill:#14141f,stroke:#5eead4,color:#5eead4
    style SC_REPORT fill:#0d2818,stroke:#1e8449,color:#82e0aa
    style CL_REPORT fill:#0d2818,stroke:#1e8449,color:#82e0aa
    style EV fill:#2a1810,stroke:#a04000,color:#f0a868
```

**Reading the diagram**: Both pipelines follow the same shape: load the target, run three modes in sequence, triage, report. The smart contract pipeline loads contract source and EVMbench metadata, runs Detect (Slither/Mythril/LLM), Patch (generate + verify via re-detect and Foundry tests), and Exploit (PoC on forked mainnet). The cloud pipeline loads the account and control framework, runs Detect (Prowler/IAM analyzer), Remediate (apply + re-scan), and Exploit (red-team action). Evidence is captured at every stage using the same tamper-evident chain from C1 — finding links to evidence (sha256) links to tool call links to trace ID. The report is domain-specific but the evidence shape is identical.

---

## Diagram 3 — Benchmark Scoring: Three Independent Scores

**Type**: Mermaid (flowchart)
**Purpose**: Shows the three benchmark scores for each domain and why all three must be reported together. A high Detect score with low Patch/Exploit is a detection engine, not a harness.

```mermaid
flowchart LR
    subgraph SC_BENCH["Smart contract (EVMbench subset)"]
        SC_D["Detect recall<br/>of N known vulns, how many found?"]
        SC_P["Patch quality<br/>fix removes vuln AND preserves behavior?"]
        SC_E["Exploit success<br/>working PoC on forked mainnet?"]
    end

    subgraph CL_BENCH["Cloud (posture benchmark)"]
        CL_D["Detect recall<br/>of N seeded misconfigs, how many found?"]
        CL_R["Remediation success<br/>fix resolves it (re-scan clean) without breaking app?"]
        CL_E["Exploit success<br/>red-team objective achieved?"]
    end

    RULE["Report all three together<br/>85% Detect / 30% Patch / 30% Exploit = detection engine<br/>80% across all three = genuine harness"]

    SC_E --> RULE
    CL_E --> RULE

    PUBLISH["Scores are falsifiable<br/>anyone can run the same target and compare<br/>→ this is the publishable claim"]

    RULE --> PUBLISH

    style SC_BENCH fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
    style CL_BENCH fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
    style SC_D fill:#14141f,stroke:#5eead4,color:#5eead4
    style SC_P fill:#14141f,stroke:#5eead4,color:#5eead4
    style SC_E fill:#14141f,stroke:#5eead4,color:#5eead4
    style CL_D fill:#14141f,stroke:#5eead4,color:#5eead4
    style CL_R fill:#14141f,stroke:#5eead4,color:#5eead4
    style CL_E fill:#14141f,stroke:#5eead4,color:#5eead4
    style RULE fill:#2a0d0d,stroke:#a00000,color:#f08080
    style PUBLISH fill:#0d2818,stroke:#1e8449,color:#82e0aa
```

**Reading the diagram**: Each domain has three independent benchmark scores. Smart contract: Detect recall, Patch quality, Exploit success rate. Cloud: Detect recall, Remediation success, Exploit success. All three must be reported together. A harness scoring 85% Detect but 30% Patch and 30% Exploit is a detection engine, not a harness — it finds bugs but cannot fix or exploit them. A harness scoring 80% across all three is a genuine tool. The scores are falsifiable: anyone can run the same target (DVD challenge, forked mainnet, isolated AWS) and compare. That falsifiability is what makes the score publishable.

---

## Diagram 4 — The One-Page Publishable Summary

**Type**: Mermaid (flowchart)
**Purpose**: Shows how the benchmark and client report distill into a single publishable page that becomes the portfolio asset across three platforms.

```mermaid
flowchart TD
    BENCH["Benchmark scores<br/>Detect / Patch or Remediate / Exploit"]
    REPORT["Client report<br/>HTML + JSON · full evidence chain"]

    ONE_PAGE["One-page summary<br/>Harness name · target · date<br/>3-mode score table<br/>link to report · link to evidence repo"]

    BENCH --> ONE_PAGE
    REPORT --> ONE_PAGE

    GITHUB["GitHub README<br/>full report + evidence linked<br/>repo with harness code"]
    LINKEDIN["LinkedIn post<br/>benchmark + client report<br/>positioning as falsifiable claim"]
    DEEPTHREAT["Deepthreat.ai<br/>demonstration asset<br/>harness running vs real target"]

    ONE_PAGE --> GITHUB
    ONE_PAGE --> LINKEDIN
    ONE_PAGE --> DEEPTHREAT

    PORTFOLIO["Public portfolio artifact<br/>the harness is the engine<br/>the benchmark is the proof<br/>the published summary is the portfolio"]

    GITHUB --> PORTFOLIO
    LINKEDIN --> PORTFOLIO
    DEEPTHREAT --> PORTFOLIO

    style BENCH fill:#14141f,stroke:#5eead4,color:#5eead4
    style REPORT fill:#14141f,stroke:#5eead4,color:#5eead4
    style ONE_PAGE fill:#0d2818,stroke:#1e8449,color:#82e0aa
    style GITHUB fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
    style LINKEDIN fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
    style DEEPTHREAT fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
    style PORTFOLIO fill:#2a1810,stroke:#a04000,color:#f0a868
```

**Reading the diagram**: The benchmark scores and the client report distill into a single one-page summary: harness name, target, date, a three-mode score table, and links to the full report and the evidence repository. This one page is published to three platforms. On GitHub, it is the README for the harness repository, with the full report and evidence chain linked. On LinkedIn, it is a post showcasing the benchmark and client report, positioning the work as a falsifiable security claim. On Deepthreat.ai, it is a demonstration asset showing the harness running against a real target with scored results. The harness is the engine; the benchmark is the proof; the published summary is the portfolio. This is the culmination of Course 2A.
