UNPKG

aiwg

Version:

Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo

aiwg.io

jmagly/aiwg

135 lines (97 loc) 5.75 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
--- name: forensics-quickref namespace: aiwg platforms: [all] kernel: true description: Forensics framework quick reference capability domains and curated discovery phrases for incident response, log analysis, evidence preservation, and IOC extraction --- # Forensics Framework — Quick Reference This is your always-loaded directory for the AIWG **forensics-complete** framework. It does **not** list every skill. Instead, it teaches the framework's mental model and gives you **curated search phrases** that map to `aiwg discover` lookups. ## Canonical access pattern: discover → show When you find a candidate via `aiwg discover`, fetch its body with `aiwg show <type> <name>`. **Never** use `find`, `ls`, `Glob`, or direct `Read` on `<provider>/skills/` paths those reflect the kernel-pivot deploy state, not the full surface. ```bash aiwg discover "<phrase>" # find — returns ranked candidates aiwg show skill <name> # fetch — streams the SKILL.md body ``` If your platform's Skill tool errors on a non-kernel skill (expected most aren't kernel), the fallback is `aiwg show`, never filesystem browsing. Last-resort if `aiwg` itself is broken: read directly from `$AIWG_ROOT/agentic/code/...` (the canonical corpus, always present). ## How to use this quickref 1. Identify the **capability domain** the user's need belongs to 2. Pick a **curated phrase** from that domain (or paraphrase the user's words) 3. Run `aiwg discover "<phrase>"` and surface the top match (or top-3) to the user 4. If the top result isn't right, iterate the phrasing the scorer is forgiving **Do not enumerate skills from memory.** The framework ships ~20 skills and discovery is the lookup surface. ## What this framework is for Digital forensics & incident response. RFC 3227-aligned triage, multi-source timeline reconstruction, IOC extraction, chain-of-custody preservation, and Sigma-rule-based threat hunting. Multi-platform (Linux / cloud / containers / memory). ## Capability domains | Domain | Covers | |---|---| | **Triage & acquisition** | Quick host triage following RFC 3227, evidence acquisition with chain of custody, target system profiling | | **Platform-specific analysis** | Linux, memory dumps, cloud (AWS/Azure/GCP), Docker/K8s containers, supply chain | | **Investigation orchestration** | Full multi-agent investigation, log correlation, IOC extraction & STIX 2.1 mapping | | **Threat hunting** | Sigma rule application across log sources | | **Reporting** | Investigation reports with evidence, timeline reconstruction | ## Curated discovery phrases ### Triage & acquisition ```bash aiwg discover "forensic triage" # → forensics-triage aiwg discover "evidence acquisition" # → forensics-acquire (score 0.55) aiwg discover "target system profile" # → forensics-profile ``` ### Platform-specific analysis ```bash aiwg discover "linux forensics" # → linux-forensics (score 0.51) aiwg discover "memory forensics" # → memory-forensics (score 0.94) aiwg discover "cloud forensics" # → cloud-forensics (score 0.63) aiwg discover "container forensics" # → container-forensics aiwg discover "supply chain compromise" # → supply-chain-forensics ``` ### Investigation orchestration ```bash aiwg discover "forensics investigation" # → forensics-investigate (top-3; refine if needed) aiwg discover "log analysis" # → log-analysis aiwg discover "extract iocs" # → forensics-ioc aiwg discover "build forensic timeline" # → forensics-timeline ``` ### Threat hunting ```bash aiwg discover "threat hunt with sigma rules" # → sigma-hunting (score 1.00) aiwg discover "forensics hunt" # → forensics-hunt ``` ### Reporting & integrity ```bash aiwg discover "forensic report" # → forensics-report aiwg discover "investigation status" # → forensics-status aiwg discover "evidence preservation" # → evidence-preservation aiwg discover "integrity verification" # → integrity-verification ``` ## Mental model — the investigation pipeline ``` Triage (RFC 3227) Acquisition Platform analysis IOC extraction Reporting forensics-triage forensics-acquire linux-forensics forensics-ioc forensics-report memory-forensics cloud-forensics container-forensics ``` Cross-cutting: `forensics-hunt` (Sigma) and `log-analysis` (correlation) feed both Analysis and IOC extraction. ## Artifact directory layout Forensic artifacts go under `.aiwg/forensics/` when the framework is in use: ``` .aiwg/forensics/ ├── triage/ # RFC 3227 quick captures ├── evidence/ # Chain-of-custody-preserved evidence ├── timelines/ # Reconstructed event timelines ├── iocs/ # Extracted indicators of compromise ├── reports/ # Investigation reports └── chain-of-custody.md # Master CoC log ``` ## When the curated phrases don't fit ```bash aiwg discover "<your need, paraphrased>" --limit 5 ``` If the top-3 results all score below ~0.20, the framework genuinely may not have a curated skill for that need. Then improvise but always check first. ## Anti-pattern: don't enumerate If a user asks "what forensics skills are available?", **do not list from this skill**. Run: ```bash aiwg discover --type skill --limit 20 "<their interest area>" ``` This skill is the orientation layer. The index is the lookup.