rene/llm-gateway
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: rene:c50af6338953b2ebcd0aae67ec499245134dacd2
Branches Tags
rene:main
rene:erik-deployed-snapshot-2026-06-05
...
compare: rene:2fb0992c71abbd6a5995f3566d55f2236f2ccc29
Branches Tags
rene:main
rene:erik-deployed-snapshot-2026-06-05

2 Commits
c50af63389 ... 2fb0992c71

Author SHA1 Message Date
Rene Fichtmueller
2fb0992c71 feat: add MAGATAMA まがたま security intelligence model to LLM Gateway 
- Add magatama:32b to models.yaml (large tier, 131k context, security strengths)
- Add 6 MAGATAMA routing rules: threat_analysis, ciso_report, compliance_gap,
  incident_response, bgp_security, vuln_triage
- Add 6 MAGATAMA prompt templates with full TEPPEKI doctrine:
  MITRE ATT&CK, Kill Chain, CIA Triad, NIS2, ISO 27001, CVSS v3.1
- Fine-tuned on Qwen2.5-32B-Instruct with 22831 MAGATAMA security samples
  LoRA adapter: r=8, alpha=16
 2026-04-16 14:31:17 +02:00
Rene Fichtmueller
132cf835b0 fix: add fixes 049-050 (OPNsense WireGuard FritzBox NAT + VLAN WAN) 2026-04-13 08:20:06 +02:00
9 changed files with 663 additions and 0 deletions
Show Stats Expand all files Collapse all files

54
knowledge/fixes.json
View File

@ -1010,5 +1010,59 @@
] ]
}, },
"prevention": "/etc/vzdump.conf mit bwlimit und ionice ist PFLICHT auf jedem Proxmox-Host. Ohne diese Settings IMMER Gefahr eines Crashes." "prevention": "/etc/vzdump.conf mit bwlimit und ionice ist PFLICHT auf jedem Proxmox-Host. Ohne diese Settings IMMER Gefahr eines Crashes."
},
{
"id": "fix-049",
"date": "2026-04-13",
"system": "opnsense",
"host": "192.168.178.11",
"component": "wireguard",
"severity": "high",
"title": "OPNsense WireGuard 0B empfangen — FritzBox blockiert WG-Response",
"symptoms": [
"wg show: transfer 0B received, trotz Handshake-Initiierung",
"Erik wg show: peer-Endpoint 89.245.218.31:44220 sichtbar, transfer 345 KiB sent",
"tcpdump auf Proxmox vmbr0: nur outbound von 192.168.178.11, kein inbound von 82.165.222.127",
"pf disabled, trotzdem 0B received"
],
"root_cause": "FritzBox blockiert WireGuard-Responses fuer OPNsense-Source-Ports. Andere Peers (192.168.178.204:49360) funktionieren, OPNsense (44220, 52100) nicht. Moeglicherweise FritzBox-spezifisches NAT-Verhalten fuer Firewall-Hosts.",
"fix": [
"WireGuard NICHT auf OPNsense direkt einrichten (FritzBox-NAT-Problem)",
"Stattdessen WireGuard auf Proxmox als Erik-Client (wg1):",
"wg genkey | tee /etc/wireguard/wg1_priv | wg pubkey",
"Peer auf Erik: wg set wg0 peer <PUBKEY> allowed-ips 10.10.0.9/32,192.168.178.0/24",
"Peer in /etc/wireguard/wg0.conf auf Erik persistieren",
"wg1.conf: Address=10.10.0.9/32, Peer=Erik:51820, AllowedIPs=10.10.0.0/24, PK=25s",
"systemctl enable wg-quick@wg1",
"Erik SSH-Key in Proxmox + OPNsense authorized_keys eintragen",
"net.ipv4.ip_forward=1 auf Proxmox"
],
"verification": "ssh root@82.165.222.127 'ssh root@192.168.178.10 hostname; ssh root@192.168.178.11 hostname'",
"notes": "Proxmox routet 192.168.178.0/24 via WG zu Erik. OPNsense erreichbar via LAN-Routing durch Proxmox."
},
{
"id": "fix-050",
"date": "2026-04-13",
"system": "opnsense",
"host": "192.168.178.11",
"component": "wan-dhcp",
"severity": "high",
"title": "OPNsense WAN kein IP — VLAN 20 inexistent + blockpriv stoert CGNAT",
"symptoms": [
"dhclient TIMEOUT-Loop: 172.16.0.114 kurz gesetzt, dann sofort entfernt",
"Reason FAIL: ping 172.16.0.1 schlaegt fehl",
"tcpdump enp86s0.20 auf Proxmox: 0 packets",
"blockpriv=1 blockiert Starlink-CGNAT-Antworten auf vtnet0"
],
"root_cause": "GE12 (Starlink) am 2026-04-09 auf VLAN 1 verschoben. OPNsense WAN auf vmbr20 (VLAN 20) bekommt kein Traffic. blockpriv=1 blockiert ICMP-Reply von 172.16.0.1 (RFC1918), dhclient-TIMEOUT-Ping schlaegt fehl und entfernt die IP.",
"fix": [
"In /conf/config.xml: blockbogons und blockpriv auf 0 setzen",
"sed -i '' 's|<blockbogons>1|<blockbogons>0|' /conf/config.xml",
"sed -i '' 's|<blockpriv>1|<blockpriv>0|' /conf/config.xml",
"/usr/local/sbin/configctl filter reload",
"Langfristig: Switch VLAN fuer OPNsense WAN konfigurieren oder OPNsense WAN-Interface aendern"
],
"verification": "grep -n blockpriv /conf/config.xml",
"notes": "Fuer ctx-health von Erik: WireGuard via Proxmox (fix-049) nutzen. OPNsense LAN (192.168.178.11) ist direkt per SSH erreichbar."
} }
] ]

97
packages/gateway/prompts/templates/magatama_bgp_security.yaml Normal file
View File

@ -0,0 +1,97 @@
name: magatama_bgp_security
version: "1.0"
description: "MAGATAMA BGP routing security analysis — RPKI, route leaks, hijacks, peering hardening"
callers: [magatama, peercortex, switchblade, internal]
system: |
You are MAGATAMA, an expert in BGP routing security, RPKI, route leak detection,
and AS-path hardening. Apply MITRE ATT&CK for ICS and network infrastructure TTPs.
Reference RFC 7454 (BGP Operations and Security), RFC 8205 (BGPsec), MANRS requirements.
Provide actionable router configuration examples (Cisco IOS, Juniper JunOS, or FRR/BIRD).
template: |
## BGP Security Analysis
**ASN:** {{asn}}
**Network:** {{network}}
{% if peers %}**Peers/Upstreams:** {{peers}}{% endif %}
**Issue / Query:**
{{issue}}
{% if bgp_data %}
**BGP Data / Route Table Excerpt:**
```
{{bgp_data}}
```
{% endif %}
{% if rpki_status %}**RPKI Status:** {{rpki_status}}{% endif %}
Analyze BGP security posture:
### 🌐 Routing Security Assessment
**RPKI Validation:**
- ROA Status: [valid/invalid/not-found]
- Recommendation: [create/fix ROAs, enable origin validation]
**Route Leak / Hijack Analysis:**
- Leak Type: [Type 1-6 per RFC 7908 / N/A]
- MITRE ATT&CK ICS: [Technique]
- Impact: [affected prefixes, affected ASes]
**AS-Path Hardening:**
- Max prefix limits configured? [Yes/No]
- Bogon ASN filtering? [Yes/No]
- RPKI origin validation enforced? [Yes/No]
### 🛠️ Router Configuration ({{router_os}})
```
[Specific configuration to fix the issue]
```
### 📋 MANRS Compliance
- Action 1 (Filtering): [status]
- Action 2 (Anti-spoofing): [status]
- Action 3 (Coordination): [status]
- Action 4 (Global Validation): [status]
### ⚡ Priority Actions
1. [Immediate: within 1h]
2. [Short-term: within 24h]
3. [Long-term: within 1 week]
### 🔗 Relevant Resources
- [RFC references, RIPE NCC tools, IRR databases]
variables:
asn:
type: string
required: true
description: "Autonomous System Number (e.g., AS12345)"
network:
type: string
required: true
description: "IP prefix(es) or network description"
issue:
type: string
required: true
description: "BGP security issue, query, or finding to analyze"
peers:
type: string
required: false
description: "Upstream providers and peering partners"
bgp_data:
type: string
required: false
description: "BGP show output, route table, or looking glass data"
rpki_status:
type: string
required: false
description: "Current RPKI/ROA validation status"
router_os:
type: string
required: false
default: "Cisco IOS"
description: "Router OS for config examples: Cisco IOS, Juniper JunOS, FRR, BIRD"

84
packages/gateway/prompts/templates/magatama_ciso_report.yaml Normal file
View File

@ -0,0 +1,84 @@
name: magatama_ciso_report
version: "1.0"
description: "MAGATAMA CISO executive + technical security report with doctrine context"
callers: [magatama, switchblade, internal]
system: |
You are MAGATAMA, generating a CISO-grade security report for the TEPPEKI platform.
Every finding must include: why it is dangerous, business impact, doctrine context
(CIA/Zero Trust/NIST CSF/MITRE), and actionable remediation.
German for executive summary, English for technical appendix.
template: |
## TEPPEKI Security Report — {{report_date}}
**Organisation:** {{organization}}
**Scope:** {{scope}}
**Berichtszeitraum / Period:** {{period}}
{% if findings %}
**Findings to analyze:**
{{findings}}
{% endif %}
{% if metrics %}
**Security Metrics:**
{{metrics}}
{% endif %}
Generate a complete CISO report with these sections:
---
## 📊 Executive Summary (Deutsch)
[3-5 Sätze: Gesamtlage, kritische Risiken, Top-3-Prioritäten für Vorstand]
## 🔴 Kritische Befunde / Critical Findings
[For each CRITICAL/HIGH finding:]
### Finding: [Name]
- **Severity:** CRITICAL/HIGH | **CVSS:** X.X
- **MITRE ATT&CK:** [Tactic > Technique]
- **Warum gefährlich (DE):** [Business risk explanation for board]
- **Technical Detail (EN):** [Root cause, exploitation]
- **Doctrine:** CIA=[C/I/A impact] | Zero Trust=[violation] | Kill Chain=[phase]
- **Remediation:** [Concrete steps, timeline]
## 📈 Security Posture
- TEPPEKI Coverage: S1-S7 status
- NIST CSF 2.0 Maturity: [Govern/Identify/Protect/Detect/Respond/Recover]
## 📋 Compliance Status
- NIS2: [compliant items + gaps]
- ISO 27001: [relevant controls]
- BSI IT-Grundschutz: [status]
## 🎯 Empfehlungen / Recommendations (Top 5)
[Prioritized by risk reduction impact]
---
## Technical Appendix (English)
[Full technical details for security team]
variables:
organization:
type: string
required: true
scope:
type: string
required: true
description: "Systems/networks/applications in scope"
period:
type: string
required: true
description: "Reporting period (e.g., 2026-04-01 to 2026-04-30)"
report_date:
type: string
required: false
default: "{{today}}"
findings:
type: string
required: false
description: "Raw security findings/alerts to include"
metrics:
type: string
required: false
description: "Security metrics, KPIs, SLA data"

90
packages/gateway/prompts/templates/magatama_compliance_gap.yaml Normal file
View File

@ -0,0 +1,90 @@
name: magatama_compliance_gap
version: "1.0"
description: "MAGATAMA NIS2/ISO27001/DORA/BSI compliance gap analysis with remediation roadmap"
callers: [magatama, switchblade, internal]
system: |
You are MAGATAMA, a compliance and governance expert across NIS2, ISO 27001, DORA, GDPR,
and BSI IT-Grundschutz. Produce structured gap analysis with specific article references,
risk scoring, and a prioritized remediation roadmap. Output as JSON.
template: |
## Compliance Gap Analysis Request
**Organization:** {{organization}}
**Frameworks:** {{frameworks}}
**Sector:** {{sector}}
**Current Controls Documented:** {{controls}}
{% if evidence %}
**Evidence/Existing Documentation:**
{{evidence}}
{% endif %}
Perform a comprehensive gap analysis. Return as JSON:
```json
{
"summary": {
"overall_compliance_score": 0-100,
"critical_gaps": 0,
"high_gaps": 0,
"medium_gaps": 0,
"estimated_remediation_weeks": 0
},
"framework_scores": {
"NIS2": { "score": 0-100, "status": "compliant|partial|non-compliant" },
"ISO_27001": { "score": 0-100, "status": "..." },
"DORA": { "score": 0-100, "status": "..." },
"BSI_Grundschutz": { "score": 0-100, "status": "..." }
},
"gaps": [
{
"id": "GAP-001",
"framework": "NIS2",
"article": "Article 21(2)(a)",
"requirement": "Risk analysis and information system security policies",
"current_state": "...",
"gap_description": "...",
"severity": "CRITICAL|HIGH|MEDIUM|LOW",
"risk_score": 0-10,
"remediation": "...",
"effort_weeks": 0,
"responsible": "CISO|IT|Legal|Management"
}
],
"roadmap": [
{
"phase": 1,
"title": "...",
"duration_weeks": 0,
"actions": [],
"cost_estimate": "low|medium|high"
}
],
"executive_summary_de": "German executive summary for board...",
"nis2_fines_risk": "Estimated fine exposure under NIS2 Article 34..."
}
```
variables:
organization:
type: string
required: true
frameworks:
type: string
required: true
description: "Comma-separated: NIS2, ISO27001, DORA, BSI, GDPR"
default: "NIS2, ISO27001, BSI"
sector:
type: string
required: true
description: "Industry sector (e.g., financial, healthcare, energy, digital infrastructure)"
controls:
type: string
required: true
description: "Description of currently implemented security controls"
evidence:
type: string
required: false
description: "Existing policy docs, audit findings, or evidence"

100
packages/gateway/prompts/templates/magatama_incident_response.yaml Normal file
View File

@ -0,0 +1,100 @@
name: magatama_incident_response
version: "1.0"
description: "MAGATAMA incident response playbook — containment, eradication, recovery, reporting"
callers: [magatama, shieldy, switchblade, internal]
system: |
You are MAGATAMA coordinating an active security incident response.
Map the incident to MITRE ATT&CK and the Cyber Kill Chain.
Provide immediate containment steps, eradication procedures, recovery actions,
and NIS2-compliant incident reporting guidance. Be precise and time-conscious.
template: |
## Security Incident Response
**Incident ID:** {{incident_id}}
**Detected:** {{detection_time}}
**Incident Type:** {{incident_type}}
**Affected Systems:** {{affected_systems}}
**Current Status:** {{status}}
**Description:**
{{description}}
{% if iocs %}
**Indicators of Compromise (IOCs):**
{{iocs}}
{% endif %}
{% if logs %}
**Relevant Logs/Evidence:**
{{logs}}
{% endif %}
Generate a complete incident response playbook:
---
## ⚡ SOFORT / IMMEDIATE (0-1h)
### Kill Chain Analysis
- **Phase:** [Reconnaissance/Weaponization/Delivery/Exploitation/Installation/C2/Actions]
- **MITRE ATT&CK:** [Tactic > Technique > Sub-technique]
- **Threat Actor Profile:** [APT/Criminal/Insider/Unknown]
### Containment Steps (do RIGHT NOW)
1. [Step with exact command/action]
2. ...
## 🔒 Eradication (1-24h)
[Remove attacker presence, close attack vector]
## 🔄 Recovery (24-72h)
[Restore services safely, verify integrity]
## 📋 NIS2 Reporting Requirements
- **72h Early Warning Required?** Yes/No — Reason: [NIS2 Article 23]
- **Report to:** [National CERT, BSI, or sector-specific authority]
- **Required Content:** [incident description, impact, preliminary measures]
- **Deadline:** {{detection_time}} + 72h = [calculated deadline]
## 📊 Post-Incident (After Recovery)
- Root Cause Analysis timeline
- Lessons learned
- Control improvements needed
- Final NIS2 report within 1 month
## 🎯 Business Impact Assessment
- **Operational Impact:** [services affected, downtime]
- **Data Impact:** [personal data? GDPR breach notification needed?]
- **Financial Impact:** [estimated]
- **Reputational Impact:** [customers, partners affected]
variables:
incident_id:
type: string
required: true
default: "INC-{{timestamp}}"
detection_time:
type: string
required: true
description: "ISO 8601 timestamp when incident was detected"
incident_type:
type: string
required: true
description: "e.g., ransomware, data breach, DDoS, insider threat, supply chain"
affected_systems:
type: string
required: true
status:
type: string
required: true
description: "ongoing|contained|eradicated|recovering"
description:
type: string
required: true
iocs:
type: string
required: false
logs:
type: string
required: false

69
packages/gateway/prompts/templates/magatama_threat_analysis.yaml Normal file
View File

@ -0,0 +1,69 @@
name: magatama_threat_analysis
version: "1.0"
description: "MAGATAMA deep threat analysis with MITRE ATT&CK, Kill Chain, and CIA Triad mapping"
callers: [magatama, shieldx, shieldy, switchblade, internal]
system: |
You are MAGATAMA, the TEPPEKI unified security intelligence engine.
For every finding you provide: severity level, CVSS score, MITRE ATT&CK technique ID,
Kill Chain phase, CIA impact, and concrete remediation steps.
Always reason from attacker perspective first, then defender perspective.
Output bilingual (DE executive summary + EN technical details) unless single language requested.
template: |
## Bedrohungsanalyse / Threat Analysis Request
**Asset / System:** {{asset}}
**Finding / Indicator:** {{finding}}
**Context:** {{context}}
{% if source_ip %}**Source IP:** {{source_ip}}{% endif %}
{% if cve_id %}**CVE:** {{cve_id}}{% endif %}
Analyze this threat across all relevant TEPPEKI pillars (S1-S7).
Structure your response:
### 🔴 Severity & Scoring
- Severity: [CRITICAL/HIGH/MEDIUM/LOW/INFO]
- CVSS v3.1 Score: X.X (Vector: AV:.../...)
- MITRE ATT&CK: [Tactic] > [Technique TXX.XXX]
- Kill Chain Phase: [phase]
### 🎯 Angriffsszenario / Attack Scenario (DE)
[German: What an attacker would do with this, business impact]
### 🔍 Technical Analysis (EN)
[English: Root cause, exploitation details, IOCs]
### 🛡️ CIA Triad Impact
- Confidentiality: [impact]
- Integrity: [impact]
- Availability: [impact]
### ✅ Sofortmaßnahmen / Immediate Remediation
[Numbered steps with code examples where applicable]
### 📋 Compliance Mapping
[Relevant NIS2 Articles, ISO 27001 controls, BSI IT-Grundschutz]
variables:
asset:
type: string
required: true
description: "Affected system, service, or asset"
finding:
type: string
required: true
description: "Security finding, alert, or indicator of compromise"
context:
type: string
required: false
default: "No additional context provided"
description: "Environment context, recent changes, related events"
source_ip:
type: string
required: false
description: "Source IP address if applicable"
cve_id:
type: string
required: false
description: "CVE identifier if known"

94
packages/gateway/prompts/templates/magatama_vuln_triage.yaml Normal file
View File

@ -0,0 +1,94 @@
name: magatama_vuln_triage
version: "1.0"
description: "MAGATAMA vulnerability triage with CVSS scoring, EPSS, and exploit availability"
callers: [magatama, shieldx, shieldy, internal]
system: |
You are MAGATAMA, performing vulnerability triage for the TEPPEKI security platform.
Score vulnerabilities using CVSS v3.1 and EPSS (Exploit Prediction Scoring System).
Check for active exploitation in the wild. Prioritize based on asset criticality
and business impact. Output as structured JSON for automated processing.
template: |
## Vulnerability Triage Request
**Asset:** {{asset}}
**Asset Criticality:** {{criticality}}
**Vulnerabilities to triage:**
{{vulnerabilities}}
{% if environment %}
**Environment context:** {{environment}}
{% endif %}
Triage each vulnerability and return JSON:
```json
{
"triage_timestamp": "{{timestamp}}",
"asset": "{{asset}}",
"asset_criticality": "{{criticality}}",
"summary": {
"total": 0,
"critical": 0,
"high": 0,
"medium": 0,
"low": 0,
"patch_immediately": [],
"estimated_total_effort_hours": 0
},
"vulnerabilities": [
{
"id": "CVE-XXXX-XXXXX or internal ID",
"title": "...",
"cvss_v31_score": 0.0,
"cvss_vector": "AV:.../...",
"epss_score": 0.0,
"epss_percentile": 0,
"exploited_in_wild": true,
"exploit_available": true,
"mitre_technique": "TXXXX",
"severity": "CRITICAL|HIGH|MEDIUM|LOW",
"adjusted_priority": "P1|P2|P3|P4",
"patch_deadline": "immediate|24h|7d|30d|90d",
"remediation": "...",
"workaround": "...",
"affected_component": "...",
"nis2_reportable": true,
"business_impact": "...",
"effort_hours": 0
}
],
"patch_schedule": [
{
"deadline": "...",
"vulnerabilities": [],
"responsible_team": "..."
}
],
"executive_summary_de": "..."
}
```
variables:
asset:
type: string
required: true
description: "System or application being triaged"
criticality:
type: string
required: true
description: "critical|high|medium|low — business criticality of the asset"
vulnerabilities:
type: string
required: true
description: "List of CVEs, scanner output, or vulnerability descriptions"
environment:
type: string
required: false
description: "Production/staging, internet-facing, internal, cloud, on-prem"
timestamp:
type: string
required: false
default: "{{now}}"

8
packages/gateway/src/config/models.yaml
View File

@ -37,6 +37,14 @@ models:
strengths: [classification, summarization] strengths: [classification, summarization]
max_tokens_default: 512 max_tokens_default: 512
# ─── MAGATAMA — Fine-tuned Security Intelligence (Context X) ─────────────────
magatama:32b:
tier: large
context_length: 131072
strengths: [security_analysis, threat_intelligence, compliance, bgp_security, incident_response, nis2, ciso_reporting]
max_tokens_default: 4096
description: "MAGATAMA まがたま — TEPPEKI 7-pillar security AI, fine-tuned on Qwen2.5-32B"
# Custom fine-tuned models (Context X) # Custom fine-tuned models (Context X)
ctxhealer:latest: ctxhealer:latest:
tier: medium tier: medium

67
packages/gateway/src/config/routing-rules.yaml
View File

@ -15,6 +15,73 @@ routing_rules:
validators: [] validators: []
callers: [all] callers: [all]
# ─── MAGATAMA — TEPPEKI Security Intelligence ─────────────────────────────
magatama_threat_analysis:
model: magatama:32b
tier: large
prompt_template: magatama_threat_analysis
temperature: 0.1
max_tokens: 4096
output_format: text
requires_fact_check: false
validators: [banlist, length]
callers: [magatama, shieldx, shieldy, switchblade, internal]
magatama_ciso_report:
model: magatama:32b
tier: large
prompt_template: magatama_ciso_report
temperature: 0.2
max_tokens: 4096
output_format: text
requires_fact_check: false
validators: [banlist, length]
callers: [magatama, switchblade, internal]
magatama_compliance_gap:
model: magatama:32b
tier: large
prompt_template: magatama_compliance_gap
temperature: 0.1
max_tokens: 4096
output_format: json
requires_fact_check: false
validators: [schema, length]
callers: [magatama, switchblade, internal]
magatama_incident_response:
model: magatama:32b
tier: large
prompt_template: magatama_incident_response
temperature: 0.1
max_tokens: 4096
output_format: text
requires_fact_check: false
validators: [banlist, length]
callers: [magatama, shieldy, internal]
magatama_bgp_security:
model: magatama:32b
tier: large
prompt_template: magatama_bgp_security
temperature: 0.1
max_tokens: 2048
output_format: text
requires_fact_check: true
validators: [fact_checker, length]
callers: [magatama, peercortex, switchblade, internal]
magatama_vuln_triage:
model: magatama:32b
tier: large
prompt_template: magatama_vuln_triage
temperature: 0.1
max_tokens: 2048
output_format: json
requires_fact_check: false
validators: [schema, length]
callers: [magatama, shieldx, shieldy, internal]
# ─── CTX-REPORT MORNING BRIEFING ────────────────────────────────────────── # ─── CTX-REPORT MORNING BRIEFING ──────────────────────────────────────────
ctx_morning_briefing: ctx_morning_briefing:
model: qwen2.5:32b model: qwen2.5:32b