ctipilot.ch

2026-07-18T1208Z-audit

One pipeline fire, in full · audit run of 2026-07-18 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-07-18/2026-07-18T1208Z-audit.md.

Run telemetry

2026-07-18T1208Z-audit audit prompt v3.26 publish ok
1h 14m duration 3 published 0 updates
Claude Fable 5 (claude-fable-5) main agent
G1 Claude Sonnet 5 (claude-sonnet-5)
Items returned
4
Duration
8m 42s
Tool calls
15 WebFetch8 WebSearch14 bridge
Cited sources
none
G2 Claude Sonnet 5 (claude-sonnet-5)
Items returned
8
Duration
5m 25s
Tool calls
7 WebFetch17 WebSearch3 bridge
Cited sources
none
G3 Claude Sonnet 5 (claude-sonnet-5)
Items returned
7
Duration
15m 56s
Tool calls
24 WebFetch16 WebSearch6 bridge
Cited sources
none
deepread Claude Sonnet 5 (claude-sonnet-5)
Items returned
2
Duration
9m 15s
Tool calls
9 WebFetch6 WebSearch11 bridge
Cited sources
none
truth-B1 Claude Opus 4.8 (claude-opus-4-8)
Items returned
16
Duration
9m 51s
Tool calls
not reported
Cited sources
none
truth-B2 Claude Sonnet 5 (claude-sonnet-5)
Items returned
16
Duration
8m 34s
Tool calls
not reported
Cited sources
none
truth-B3 Claude Opus 4.8 (claude-opus-4-8)
Items returned
15
Duration
11m 01s
Tool calls
not reported
Cited sources
none
truth-B4 Claude Sonnet 5 (claude-sonnet-5)
Items returned
15
Duration
9m 26s
Tool calls
not reported
Cited sources
none

Verification

✓ double-CLEAN · Opus 4.8 + Sonnet 5 #1 NEEDS_FIXES · Opus 4.8 · t=1 e=0 a=0 #2 NEEDS_FIXES · Sonnet 5 · t=1 e=0 a=0 #3 CLEAN · Opus 4.8 · t=0 e=0 a=0 #4 CLEAN · Sonnet 5 · t=0 e=0 a=0

Deep dive

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

2 notes · 2 notes+last_successful_fetch · 1 added-candidate.

SourceChangeFrom → ToReason
enisa-euvdnotes— → —2026-07-18 audit: discovery requires sweeping the recent/criticals listings, not only per-CVE lookups (WP2Shell miss root cause)
kaspersky-securelistnotes+last_successful_fetch— → —listing renders undated titles to a plain fetch (GoSerpent miss root cause); sweep the dated RSS feed
ncsc-ch-incidentsnotes— → —reachable-but-stale content suspect (G2): page serves Oct-2025 consumer-phishing warnings, not incident bulletins
searchlight-cybernotes+last_successful_fetch— → —contributed primary content (WP2Shell discoverer write-up) — second contribution toward activation
wordpress-org-newsadded-candidate— → —WordPress core security releases had no curated discovery path (this run's one new candidate)

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

No coverage gaps in this run · every source the brief needed returned usable content via its documented recipe.

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 1 finding (truth=1, editorial=0, advisory=0) · Claude Opus 4.8 · 10m 03s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F4
hallucinated-fact
Entry asserted, uncited, that the public GitHub PoC is 'detection-only, explicitly not a working RCE exploit', while its own cited The Hacker News source says 'a working proof-of-concept has gone up oRemoved the unsupported 'detection-only' characterization; entry now states public PoC code is on GitHub, quotes THN's 'working proof-of-concept' verbatim with

Iteration #2 NEEDS_FIXES · 2 findings (truth=1, editorial=0, advisory=0) · Claude Sonnet 5 · 7m 13s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F4
hallucinated-fact
Entry dated the GitHub Security Advisory primary 2026-07-16, but the GHSA page publishes 2026-07-06 (fix releases tagged v20260423 = 2026-04-23); the 07-16 date belongs to BSI's corroborating advisoryCorrected the GHSA source date and event_date to 2026-07-06 across the entry (frontmatter + all three inline citations); reframed the recovery's recency anchor
confirm
?

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-07-18T1208Z-audit · audit · Fable 5 · window 166 h · 3 entries published

Run 2026-07-18T1208Z-audit — weekly quality audit

Prompt version v3.25 at fire time; v3.26 ships in this commit (the audit's own weekly citation-discipline fix — the record carries v3.26 to match the CHANGELOG head per the gate's cross-check). Full findings, root causes, fixes and recommendations: docs/audits/2026-07-18-weekly-quality-audit.md. This body carries the run-level summary and the parseable lines.

Window and scope

Anchored at the last audit that actually audited (2026-07-11T1435Z-audit, started 2026-07-11T14:35Z; the 2026-07-12T1308Z record stood down as duplicate-audit): 2026-07-11T14:35Z → 2026-07-18T12:08Z (~166 h). Audited: 62 published entries (47 operational + 15 W28 strategic), 16 run records. Both audit halves ran in full — four truth passes on two models covered every window entry exactly once (no batch abandoned), three independent coverage re-sweeps plus one scoped deep-read. The July priority-calibration duty (Phase 3b) was owned and discharged by this fire.

Outcome summary

  • Soundness: 48/62 entries fully clean. Zero hallucinated facts, zero broken primary URLs, zero wrong CVE ids/CVSS in operational entries, zero IOCs, all ATT&CK ids active in the pinned v19.1 dataset. Operational batch effectively 45/47 clean (two documentation-level imprecisions, documented without repair; one flag resolved as a false alarm — the update-entry mechanism had already carried the delta). The W28 weekly batch carries a systemic synthesis-time defect: 12/15 entries with citation dates 1–8 days late and four with facts attributed to co-cited sources that do not carry them — all facts true, no defender decision changes, entries stay immutable, fix shipped as prompts v3.26.
  • Completeness: incident domain gap-free (8/8 re-sweep items matched store coverage). Three genuine misses recovered and published through the full gates: WordPress WP2Shell (high), Kaspersky GoSerpent (notable), Moodle local_o365 (notable) — root causes and shipped source-recipe fixes in the report. Correctly-droppable borderlines documented (FortiSandbox KEV delta, CVE-2008-4128 enrichment, OkoBot, TuxBot v3, three research borderlines).
  • Machinery: no runaway runs (07-11 watchdog fix held; max 2.9 h); publish follow-through 16/16 ok; actions[]/classification/techniques/update_of discipline all healthy; all five 07-11 fixes verified effective; jina reader pool restored by the operator hours before this fire (4 live keys, ~39.9 M tokens — outage 07-13→07-18 cost no verified content). Two items need the operator: the silently-halved scheduler cadence (1210Z/2009Z slots dead since 07-15) and the double-CLEAN gate hitting its iteration cap in half the post-v3.23 runs (5/10 fail-open publishes) — recommendations 1 and 2.
  • Priority calibration (July): distribution healthy and deflationary (high share 36.0 % store / 34.9 % month / 27.4 % window), zero F16 findings all month, both June criticals defensible, the 18-day critical-free streak checked against the window's real exploitation pressure and found consistent with the bar. No calibration edit warranted.

Notes and disclosures

  • Anchoring decision: the audit window was anchored at the 07-11 audit (not the stood-down 07-12 record) to avoid a 22.5 h unaudited seam between the full-store audit's cutoff and the stood-down fire; this widened the window to ~166 h, inside the 21-day cap.
  • borderline-drop: Kaspersky OkoBot (2026-07-15) — crypto-wallet-theft objective outside constituency scope; the trojanized-SSMS-repo developer lure is noted as the transferable angle but does not carry the item alone.
  • borderline-drop: Unit 42 TuxBot v3 (2026-07-15) — LLM-artifact IoT botnet; research curiosity exceeds detection-changing value for this constituency; adjacent AI-tooling angle already covered in-window.
  • borderline-drop: FortiSandbox CVE-2026-25089/-39808 KEV-flag delta and CVE-2008-4128 KEV-flag enrichment — already-covered ground; a KEV listing alone never opens an update entry (both drops were already documented by the 07-17/07-18 intel fires; the audit confirms those calls).
  • watch-item: bd.zh.ch MedusaLocker listing — still single-source after a dedicated re-check; listing still live; stays open (report § Watch items).
  • watch-item (new): KELA "ByteToBreach" naming Romania's ANCPI — single-source criminal claim, constituency-relevant if corroborated; next audit re-checks.
  • The B2 truth pass normalized missing timestamps across the shared url-liveness ledger rather than leaving earlier rows' fields empty — batch-B1 rows carry window-accurate but not per-fetch-accurate times (no content impact; disclosed for forensic transparency).
  • source_health.py full probe intentionally not run this fire: an audit touches no source lifecycle beyond the five bookkeeping edits above, and the daily fires run the probe on cadence.
  • Essential-coverage: audit runs are exempt from the essential floor (v3.24, kind: audit); the re-sweeps nonetheless attempted every essential source relevant to their domains (G1/G2 slices carried all 15).
  • Coverage gaps (re-sweep transport): google-tag, group-ib, trendmicro-research, ibm-xforce, depthfirst, nozomi-networks listing surfaces had rendering/transport issues for G3 (detailed in work/2026-07-18T1208Z-audit/findings.G3.yaml); content coverage of those publishers was achieved via feeds/search pivots where possible.

Verification (this run's own output)

Scope: the three recovered entries + this run record + the audit report. Populated by the Phase 5.7 loop below.

← Operations dashboard · day page 2026-07-18 · run-record contract: docs/pipeline.md