"What is the control plane shift, and why is it forced by AI coding agents?"	"Shift from review-time checks (scan after commit, findings days later) to creation-time guardrails (synchronous, pre-commit/pre-merge/IDE, seconds feedback). Forced because agents create code/deps/IaC in SECONDS — faster than review-time can process. Defense must match the speed of creation."	c2a::s08::analysis
"Compare review-time checks vs creation-time guardrails across when/latency/action."	"Review-time: post-commit/nightly, hours-days latency, report to dashboard. Creation-time: pre-commit/pre-merge/in-IDE, seconds latency, block inline. The action changes from 'report' to 'block the action.' Structural change to where the gate lives — not a slogan."	c2a::s08::analysis
"What does an SDLC gate harness enforce (list the scan types)?"	"Secret scanning (Gitleaks/TruffleHog), SAST (Semgrep/CodeQL), SCA (Snyk/OWASP Dependency-Check), IaC policy (Checkov/OPA), license compliance, DAST for API changes. Each mapped to a scan type with a hard/soft gate decision."	c2a::s08::recall
"What is the hard-gate vs soft-gate decision matrix, and which findings hard-block?"	"Hard block (cannot merge): validated secrets, SAST critical high-conf, SCA CISA-KEV or EPSS>0.7, IaC public exposure (0.0.0.0/0, public S3). Soft warn (proceed): SAST medium/low, SCA low-EPSS fix-available, license unknown/copyleft. Block the immediately dangerous; warn the rest."	c2a::s08::application
"Why is over-blocking dangerous (the matrix calibration principle)?"	"Over-blocking trains developers to override without reading. The goal is to block findings you are CONFIDENT are immediately dangerous, not gate every PR. Under-blocking ships vulns. The matrix is the calibration between the two failure modes."	c2a::s08::analysis
"Why do the 4 scanner types run in PARALLEL, not sequentially?"	"They analyze independent artifacts (code, manifests, diffs, IaC). Parallel: bounded by slowest (~90s SAST). Sequential: sum (~145s). On a large PR, that difference = usable guardrail vs one developers disable. Wall-clock time matters for a creation-time gate."	c2a::s08::application
"What does the orchestrator normalize, and why?"	"Each scanner has its own format + severity vocab (Semgrep: ERROR/WARNING/INFO; Snyk: crit/high/med/low; Checkov: FAILED/PASSED). Normalize to a unified schema with a DOCUMENTED severity mapping. The mapping is policy, not improvisation. Enables cross-scanner dedup and consistent gating."	c2a::s08::recall
"How does cross-scanner dedup work, and why does it matter?"	"Dedup via dedup_key: within scan type (Semgrep+CodeQL same SQLi → 1 finding) and across types (Snyk+DepCheck same CVE → 1 finding). Matters: duplicate findings erode trust — developer assumes the bot is broken when it reports the same thing 3 times."	c2a::s08::analysis
"What is LLM-powered cross-scanner triage, and what can it do?"	"Correlates findings that relate across scan types: SCA vuln (vulnerable lib) upgraded if SAST shows path is REACHABLE; IaC public bucket downgraded if no SENSITIVE DATA. Produces insight no single scanner could. Token-budgeted: high-severity first (they block)."	c2a::s08::application
"How is the risk score per PR computed, and what are the gate thresholds?"	"Severity-weighted new findings (crit=25, high=10, med=3, low=1) + net direction (new − fixed) × trend modifier (rising over 10 builds ×1.2), capped 0-100. Gates: <30 pass, 30-60 requires security reviewer approval, >60 BLOCKED until resolved. Computed, consistent, auditable."	c2a::s08::recall
"Why does net direction matter more than absolute finding count?"	"A PR that introduces 5 criticals but fixes 7 is NET POSITIVE (codebase getting safer). A PR that introduces 5 and fixes 0 is net negative. Trend direction (rising/falling over N builds) is a stronger signal than any single build's count — indicates systemic change."	c2a::s08::analysis
"What is the framing guardrail on per-author attribution, and why?"	"Attribution is for COACHING, not punishment. Visible to author + lead only, never broadcast or tied to performance reviews. Misuse as punishment destroys psychological safety → developers disengage from the gate. Attribution without coaching = surveillance; coaching without data = guesswork."	c2a::s08::analysis
"What is EPSS, and what does it measure (vs CVSS)?"	"Exploit Prediction Scoring System (FIRST). Probability 0-1 that a CVE will be exploited in the wild in next 30 days, from real-world exploit data. CVSS = impact IF exploited. EPSS = PROBABILITY of exploitation. Together they prioritize correctly; CVSS-only prioritization is a failure mode."	c2a::s08::recall
"How does EPSS invert CVSS-only prioritization? Give the example."	"CVSS 9.8 (critical) + EPSS 0.01 = high impact but almost never exploited → LOW urgency. CVSS 7.5 (high) + EPSS 0.8 = likely being exploited NOW → HIGH urgency. Severity alone misleads; EPSS reveals which CVEs actually threaten the application."	c2a::s08::application
"What is CISA KEV, and where does it sit in the priority queue?"	"Known Exploited Vulnerabilities catalog — CVEs with CONFIRMED ACTIVE exploitation in the wild. Highest-confidence signal. KEV matches jump to TOP of queue regardless of EPSS/CVSS. Fix in HOURS — a present-tense breach path, not theoretical risk."	c2a::s08::recall
"Name the 5 stages of the vulnerability triage pipeline."	"(1) CVE feed ingestion (NVD). (2) Dependency matching (vs manifests). (3) Exploitability scoring (EPSS). (4) Environment relevance (vulnerable path reachable?). (5) Priority queue (CISA KEV first, then EPSS × reachability × severity). Each stage narrows the list."	c2a::s08::recall
"What is the prioritized remediation queue output (5 tiers)?"	"(1) CISA KEV → fix HOURS. (2) EPSS>0.7 + reachable → fix DAYS. (3) EPSS>0.7, not confirmed → verify reachability, then fix. (4) High CVSS, low EPSS → backlog. (5) Low CVSS, low EPSS → accept risk / batch-fix. Turns hundreds of CVEs into 3 things to fix this week."	c2a::s08::recall
"Why does environment-relevance filtering matter in vuln triage?"	"A CVE in a dependency is only exploitable if the vulnerable code path is REACHABLE in the application. Many CVEs exist in code paths the app never uses. Filtering by reachability removes theoretical risks and focuses remediation on actual exposures. Narrows the list meaningfully."	c2a::s08::analysis
"How does the bug report intake pipeline handle external submissions?"	"Parse (structured: target, vuln type, PoC, severity claim) → Dedup against existing findings (internal + prior reports, duplicates common) → detect duplicates via semantic similarity → auto-route P1 findings (critical, confirmed, in scope) to immediate response. Same triage discipline as scanner output."	c2a::s08::application
"Why is the siloed-scanners anti-pattern harmful, and what is the cure?"	"Each scanner in its own dashboard, own severity scale, reviewed separately. Developer sees 3 reports of the same SQLi from 3 tools → assumes bot is broken. Cure: the orchestrator normalizes + deduplicates across scanners → one finding, unified schema, single source of truth."	c2a::s08::analysis
