name: magatama_vuln_triage
version: "1.0"
description: "MAGATAMA vulnerability triage with CVSS scoring, EPSS, and exploit availability"
callers: [magatama, shieldx, shieldy, internal]

system: |
  You are MAGATAMA, performing vulnerability triage for the TEPPEKI security platform.
  Score vulnerabilities using CVSS v3.1 and EPSS (Exploit Prediction Scoring System).
  Check for active exploitation in the wild. Prioritize based on asset criticality
  and business impact. Output as structured JSON for automated processing.

template: |
  ## Vulnerability Triage Request

  **Asset:** {{asset}}
  **Asset Criticality:** {{criticality}}

  **Vulnerabilities to triage:**
  {{vulnerabilities}}

  {% if environment %}
  **Environment context:** {{environment}}
  {% endif %}

  Triage each vulnerability and return JSON:

  ```json
  {
    "triage_timestamp": "{{timestamp}}",
    "asset": "{{asset}}",
    "asset_criticality": "{{criticality}}",
    "summary": {
      "total": 0,
      "critical": 0,
      "high": 0,
      "medium": 0,
      "low": 0,
      "patch_immediately": [],
      "estimated_total_effort_hours": 0
    },
    "vulnerabilities": [
      {
        "id": "CVE-XXXX-XXXXX or internal ID",
        "title": "...",
        "cvss_v31_score": 0.0,
        "cvss_vector": "AV:.../...",
        "epss_score": 0.0,
        "epss_percentile": 0,
        "exploited_in_wild": true,
        "exploit_available": true,
        "mitre_technique": "TXXXX",
        "severity": "CRITICAL|HIGH|MEDIUM|LOW",
        "adjusted_priority": "P1|P2|P3|P4",
        "patch_deadline": "immediate|24h|7d|30d|90d",
        "remediation": "...",
        "workaround": "...",
        "affected_component": "...",
        "nis2_reportable": true,
        "business_impact": "...",
        "effort_hours": 0
      }
    ],
    "patch_schedule": [
      {
        "deadline": "...",
        "vulnerabilities": [],
        "responsible_team": "..."
      }
    ],
    "executive_summary_de": "..."
  }
  ```

variables:
  asset:
    type: string
    required: true
    description: "System or application being triaged"
  criticality:
    type: string
    required: true
    description: "critical|high|medium|low — business criticality of the asset"
  vulnerabilities:
    type: string
    required: true
    description: "List of CVEs, scanner output, or vulnerability descriptions"
  environment:
    type: string
    required: false
    description: "Production/staging, internet-facing, internal, cloud, on-prem"
  timestamp:
    type: string
    required: false
    default: "{{now}}"