{
  "$schema": "https://calm.finos.org/release/1.1/meta/flow.json",
  "unique-id": "vulnerability-lifecycle",
  "name": "Security Vulnerability Lifecycle (identify -> disclose -> remediate -> evidence)",
  "description": "A FINOS CALM (tm:finos-calm) flow encoding how a security vulnerability is identified, privately reported, remediated, and cryptographically evidenced across the incident-response fabric. Each transition is cross-referenced to a Hypergraph pathway, a Trust Key dimensional deep link, and the standard clause (std:) it implements - realizing the right to follow. This is the required CALM-standard encoding of how a vulnerability is identified or fixed.",
  "metadata": {
    "channel": "djat-poc-hypergraph-20260716",
    "architecture_ref": "../architecture/incident-response-fabric.calm.json",
    "implements_clauses": [
      "std:poc-cv-0.1.0-rev/part2/domains/security",
      "std:poc-cv-0.1.0-rev/part2/evidence-properties",
      "std:poc-cv-0.1.0-rev/part2/threat-model"
    ],
    "trust_key_dimension": "calm_flow=vulnerability-lifecycle"
  },
  "transitions": [
    {
      "relationship-unique-id": "agent-through-gateway",
      "sequence-number": 1,
      "direction": "source-to-destination",
      "description": "IDENTIFY. Anomaly detection flags an agent tool call breaching the behavioral envelope (candidate ASI02 tool misuse / ASI01 goal hijack).",
      "metadata": {
        "pathway": "Hypergraph.Incident.PrivateReport@v1",
        "sdg_nodes": ["security:anomaly", "security:behavioral_envelope", "security:tool_misuse"],
        "anchor": "tm:owasp-agentic-top10",
        "implements_clause": "std:poc-cv-0.1.0-rev/part2/threat-model",
        "trust_key_deep_link": "poc-hypergraph://context/{ctx}?sdg_domain=security&incident_id={id}"
      }
    },
    {
      "relationship-unique-id": "runtime-emits-evidence",
      "sequence-number": 2,
      "direction": "source-to-destination",
      "description": "SEAL. The suspected action and its context are sealed as signed runtime evidence at the moment of the action - a cryptographically bounded private incident record.",
      "metadata": {
        "pathway": "Hypergraph.Incident.PrivateReport@v1",
        "sdg_nodes": ["security:incident_seal", "security:signed_evidence"],
        "anchor": "tm:poc-cv-standard",
        "implements_clause": "std:poc-cv-0.1.0-rev/part2/evidence-properties",
        "trust_key_deep_link": "poc-hypergraph://context/{ctx}?incident_id={id}&one_time=1"
      }
    },
    {
      "relationship-unique-id": "trustkey-into-fabric",
      "sequence-number": 3,
      "direction": "source-to-destination",
      "description": "PRIVATE REPORT. A private, attributed report routes only to in-network trust members: 'while you have this incident open, can you confirm this response pattern?' No raw incident detail leaves the boundary.",
      "metadata": {
        "pathway": "Hypergraph.Incident.PrivateReport@v1",
        "sdg_nodes": ["security:private_report", "security:trust_network"],
        "anchor": "tm:csa-atf",
        "implements_clause": "std:poc-cv-0.1.0-rev/part2/domains/security",
        "trust_key_deep_link": "poc-hypergraph://context/{ctx}?sdg_domain=security&persona=ciso"
      }
    },
    {
      "relationship-unique-id": "ciso-files-report",
      "sequence-number": 4,
      "direction": "destination-to-source",
      "description": "HONOR + REMEDIATE. An in-network member honors the report by contributing a response pattern; containment/interruption is executed and itself signed. An attributed response playbook emerges as a cross-domain composite.",
      "metadata": {
        "pathway": "Hypergraph.Incident.HonorResponse@v1",
        "sdg_nodes": ["security:response_honor", "security:containment", "security:response_playbook"],
        "emerges_composite": "security:attributed_playbook",
        "anchor": "tm:eu-ai-act",
        "implements_clause": "std:poc-cv-0.1.0-rev/part2/domains/authorization",
        "trust_key_deep_link": "poc-hypergraph://context/{ctx}?pathway=Hypergraph.Incident.HonorResponse@v1"
      }
    },
    {
      "relationship-unique-id": "evidence-minted-into-trustkey",
      "sequence-number": 5,
      "direction": "source-to-destination",
      "description": "EVIDENCE. Remediation and containment are placed on the verification spectrum and proven at Stage 3 - cryptographically checkable by any party without trusting the operator. A 'proven_control' composite emerges.",
      "metadata": {
        "pathway": "Hypergraph.Map.EmergeIntersection@v1",
        "sdg_nodes": ["security:crypto_verify", "provenance:action_record", "security:proven_control"],
        "anchor": "tm:poc-cv-standard",
        "implements_clause": "std:poc-cv-0.1.0-rev/part2/spectrum",
        "trust_key_deep_link": "poc-hypergraph://context/{ctx}?standard_section=std:poc-cv-0.1.0-rev/part2/spectrum"
      }
    },
    {
      "relationship-unique-id": "insurer-reads-fabric",
      "sequence-number": 6,
      "direction": "source-to-destination",
      "description": "UNDERWRITE. The insurer reads the now-attributed, verifiable posture and re-prices risk - closing the loop from vulnerability to underwriting. The AI-embracing insurer's acceleration path.",
      "metadata": {
        "pathway": "Hypergraph.Underwrite.ThreatProfile@v1",
        "sdg_nodes": ["security:insurer_fabric", "security:conformance_tier", "security:underwritable_posture"],
        "emerges_composite": "security:underwritable_posture",
        "anchor": "tm:aiuc-1",
        "implements_clause": "std:poc-cv-0.1.0-rev/part1/insurance-adoption",
        "trust_key_deep_link": "poc-hypergraph://context/{ctx}?persona=insurer_underwriter&one_time=1"
      }
    },
    {
      "relationship-unique-id": "assessor-verifies-trustkey",
      "sequence-number": 7,
      "direction": "source-to-destination",
      "description": "ATTEST. An independent assessor verifies the Trust Key offline and attests the conformance tier. Powerful party does least: accept key, verify, follow deep link only if needed.",
      "metadata": {
        "pathway": "Pathways.TrustKey.Verify@v1",
        "sdg_nodes": ["security:attestation", "security:conformance_tier"],
        "anchor": "tm:soc2",
        "implements_clause": "std:poc-cv-0.1.0-rev/part2/conformance-tiers",
        "trust_key_deep_link": "poc-hypergraph://context/{ctx}?persona=assessor"
      }
    }
  ]
}
