2026-07-18T1208Z-audit
One pipeline fire, in full · audit run of 2026-07-18 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-07-18/2026-07-18T1208Z-audit.md.
Run telemetry
- Items returned
- 4
- Duration
- 8m 42s
- Tool calls
- 15 WebFetch8 WebSearch14 bridge
- Cited sources
- none
- Items returned
- 8
- Duration
- 5m 25s
- Tool calls
- 7 WebFetch17 WebSearch3 bridge
- Cited sources
- none
- Items returned
- 7
- Duration
- 15m 56s
- Tool calls
- 24 WebFetch16 WebSearch6 bridge
- Cited sources
- none
- Items returned
- 2
- Duration
- 9m 15s
- Tool calls
- 9 WebFetch6 WebSearch11 bridge
- Cited sources
- none
- Items returned
- 16
- Duration
- 9m 51s
- Tool calls
- not reported
- Cited sources
- none
- Items returned
- 16
- Duration
- 8m 34s
- Tool calls
- not reported
- Cited sources
- none
- Items returned
- 15
- Duration
- 11m 01s
- Tool calls
- not reported
- Cited sources
- none
- Items returned
- 15
- Duration
- 9m 26s
- Tool calls
- not reported
- Cited sources
- none
Verification
Deep dive
—
Entries published (this run)
- GoSerpent evolves: staged collect-then-return espionage against Southeast Asian government and diplomatic targets threat notable
- WP2Shell: pre-auth RCE chain in stock WordPress core (CVE-2026-63030 + CVE-2026-60137) — out-of-band 7.0.2 patch, exploitation expected short-term vulnerability high
- Moodle local_o365 plugin: unverified JWT signature on the Teams SSO endpoint lets anyone authenticate as any user (CVE-2026-54733) vulnerability notable
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
2 notes · 2 notes+last_successful_fetch · 1 added-candidate.
| Source | Change | From → To | Reason |
|---|---|---|---|
| enisa-euvd | notes | — → — | 2026-07-18 audit: discovery requires sweeping the recent/criticals listings, not only per-CVE lookups (WP2Shell miss root cause) |
| kaspersky-securelist | notes+last_successful_fetch | — → — | listing renders undated titles to a plain fetch (GoSerpent miss root cause); sweep the dated RSS feed |
| ncsc-ch-incidents | notes | — → — | reachable-but-stale content suspect (G2): page serves Oct-2025 consumer-phishing warnings, not incident bulletins |
| searchlight-cyber | notes+last_successful_fetch | — → — | contributed primary content (WP2Shell discoverer write-up) — second contribution toward activation |
| wordpress-org-news | added-candidate | — → — | WordPress core security releases had no curated discovery path (this run's one new candidate) |
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
No coverage gaps in this run · every source the brief needed returned usable content via its documented recipe.
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #1 NEEDS_FIXES · 1 finding (truth=1, editorial=0, advisory=0) · Claude Opus 4.8 · 10m 03s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F4 hallucinated-fact | — | Entry asserted, uncited, that the public GitHub PoC is 'detection-only, explicitly not a working RCE exploit', while its own cited The Hacker News source says 'a working proof-of-concept has gone up o | Removed the unsupported 'detection-only' characterization; entry now states public PoC code is on GitHub, quotes THN's 'working proof-of-concept' verbatim with |
Iteration #2 NEEDS_FIXES · 2 findings (truth=1, editorial=0, advisory=0) · Claude Sonnet 5 · 7m 13s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F4 hallucinated-fact | — | Entry dated the GitHub Security Advisory primary 2026-07-16, but the GHSA page publishes 2026-07-06 (fix releases tagged v20260423 = 2026-04-23); the 07-16 date belongs to BSI's corroborating advisory | Corrected the GHSA source date and event_date to 2026-07-06 across the entry (frontmatter + all three inline citations); reframed the recovery's recency anchor | |
| confirm ? | — | — |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-07-18T1208Z-audit · audit · Fable 5 · window 166 h · 3 entries published
Run 2026-07-18T1208Z-audit — weekly quality audit
Prompt version v3.25 at fire time; v3.26 ships in this commit (the audit's own weekly citation-discipline fix — the record carries v3.26 to match the CHANGELOG head per the gate's cross-check). Full findings, root causes, fixes and recommendations: docs/audits/2026-07-18-weekly-quality-audit.md. This body carries the run-level summary and the parseable lines.
Window and scope
Anchored at the last audit that actually audited (2026-07-11T1435Z-audit, started 2026-07-11T14:35Z; the 2026-07-12T1308Z record stood down as duplicate-audit): 2026-07-11T14:35Z → 2026-07-18T12:08Z (~166 h). Audited: 62 published entries (47 operational + 15 W28 strategic), 16 run records. Both audit halves ran in full — four truth passes on two models covered every window entry exactly once (no batch abandoned), three independent coverage re-sweeps plus one scoped deep-read. The July priority-calibration duty (Phase 3b) was owned and discharged by this fire.
Outcome summary
- Soundness: 48/62 entries fully clean. Zero hallucinated facts, zero broken primary URLs, zero wrong CVE ids/CVSS in operational entries, zero IOCs, all ATT&CK ids active in the pinned v19.1 dataset. Operational batch effectively 45/47 clean (two documentation-level imprecisions, documented without repair; one flag resolved as a false alarm — the update-entry mechanism had already carried the delta). The W28 weekly batch carries a systemic synthesis-time defect: 12/15 entries with citation dates 1–8 days late and four with facts attributed to co-cited sources that do not carry them — all facts true, no defender decision changes, entries stay immutable, fix shipped as prompts v3.26.
- Completeness: incident domain gap-free (8/8 re-sweep items matched store coverage). Three genuine misses recovered and published through the full gates: WordPress WP2Shell (
high), Kaspersky GoSerpent (notable), Moodle local_o365 (notable) — root causes and shipped source-recipe fixes in the report. Correctly-droppable borderlines documented (FortiSandbox KEV delta, CVE-2008-4128 enrichment, OkoBot, TuxBot v3, three research borderlines). - Machinery: no runaway runs (07-11 watchdog fix held; max 2.9 h); publish follow-through 16/16
ok;actions[]/classification/techniques/update_of discipline all healthy; all five 07-11 fixes verified effective; jina reader pool restored by the operator hours before this fire (4 live keys, ~39.9 M tokens — outage 07-13→07-18 cost no verified content). Two items need the operator: the silently-halved scheduler cadence (1210Z/2009Z slots dead since 07-15) and the double-CLEAN gate hitting its iteration cap in half the post-v3.23 runs (5/10 fail-open publishes) — recommendations 1 and 2. - Priority calibration (July): distribution healthy and deflationary (high share 36.0 % store / 34.9 % month / 27.4 % window), zero F16 findings all month, both June criticals defensible, the 18-day critical-free streak checked against the window's real exploitation pressure and found consistent with the bar. No calibration edit warranted.
Notes and disclosures
- Anchoring decision: the audit window was anchored at the 07-11 audit (not the stood-down 07-12 record) to avoid a 22.5 h unaudited seam between the full-store audit's cutoff and the stood-down fire; this widened the window to ~166 h, inside the 21-day cap.
- borderline-drop: Kaspersky OkoBot (2026-07-15) — crypto-wallet-theft objective outside constituency scope; the trojanized-SSMS-repo developer lure is noted as the transferable angle but does not carry the item alone.
- borderline-drop: Unit 42 TuxBot v3 (2026-07-15) — LLM-artifact IoT botnet; research curiosity exceeds detection-changing value for this constituency; adjacent AI-tooling angle already covered in-window.
- borderline-drop: FortiSandbox CVE-2026-25089/-39808 KEV-flag delta and CVE-2008-4128 KEV-flag enrichment — already-covered ground; a KEV listing alone never opens an update entry (both drops were already documented by the 07-17/07-18 intel fires; the audit confirms those calls).
- watch-item: bd.zh.ch MedusaLocker listing — still single-source after a dedicated re-check; listing still live; stays open (report § Watch items).
- watch-item (new): KELA "ByteToBreach" naming Romania's ANCPI — single-source criminal claim, constituency-relevant if corroborated; next audit re-checks.
- The B2 truth pass normalized missing timestamps across the shared url-liveness ledger rather than leaving earlier rows' fields empty — batch-B1 rows carry window-accurate but not per-fetch-accurate times (no content impact; disclosed for forensic transparency).
source_health.pyfull probe intentionally not run this fire: an audit touches no source lifecycle beyond the five bookkeeping edits above, and the daily fires run the probe on cadence.- Essential-coverage: audit runs are exempt from the essential floor (v3.24,
kind: audit); the re-sweeps nonetheless attempted every essential source relevant to their domains (G1/G2 slices carried all 15). - Coverage gaps (re-sweep transport): google-tag, group-ib, trendmicro-research, ibm-xforce, depthfirst, nozomi-networks listing surfaces had rendering/transport issues for G3 (detailed in
work/2026-07-18T1208Z-audit/findings.G3.yaml); content coverage of those publishers was achieved via feeds/search pivots where possible.
Verification (this run's own output)
Scope: the three recovered entries + this run record + the audit report. Populated by the Phase 5.7 loop below.
← Operations dashboard · day page 2026-07-18 · run-record contract: docs/pipeline.md