Skip to content
Now taking design partners.Roadmap →

Remediation

Findings you can actually close.

The layer nobody else packages well: rotation checklists, PR bumping, and per-machine fix plans that a level-1 analyst can execute in a ticket.

01

Per-finding fix instructions

Upgrade to at least version x.y.z, remove extension X, disable MCP entry Y. Concrete, copyable, and versioned with the catalog entry.

02

Auto-generated PRs

GitHub App integration bumps affected lockfiles. Opt-in per repo. One-click revert. No writes without your approval.

03

Credential-rotation checklist

Per exposed machine: which token types are plausibly present (npm token, GH PAT, cloud CLI creds, SSH keys, inferred from tool presence, never by reading secrets) → ordered rotation playbook.

Example

Rotation playbook for a Shai-Hulud-exposed endpoint.

Ordered, defensible, and tuned to the tokens the agent inferred present on that machine. Never by reading secret values.

  1. 01Revoke and rotate npm tokens tied to affected accounts.
  2. 02Cycle GitHub PATs and SSH keys stored on the endpoint.
  3. 03Rotate cloud CLI credentials (AWS, GCP, Azure profiles present on disk).
  4. 04Force sign-out and re-auth on IdP-integrated apps.
  5. 05Verify no new refresh tokens were issued during the exposure window.