# Expected Findings — Memory-Poisoning Walkthrough

This is the testable contract. `run-memory-poisoning.mjs` exits 0 only when each detector category has at least one finding.

## Per-detector contract

| Detector | Min findings | Severity floor | OWASP |
|----------|-------------:|----------------|-------|
| detectInjection | 1 | MEDIUM | LLM01 |
| detectShellCommands | 1 | LOW | LLM06 |
| detectSuspiciousUrls | 1 | HIGH | LLM02 |
| detectCredentialPaths | 1 | HIGH | LLM02 |
| detectPermissionExpansion | 1 | CRITICAL | LLM06 / ASI06 |
| detectEncodedPayloads | 1 | MEDIUM | LLM01 |

Total: at least 6 unique findings, severity-weighted such that the highest tier in any single file is CRITICAL.

## File-level expectations

| File | Min findings |
|------|-------------:|
| `CLAUDE.md` | 12 |
| `.claude/agents/health-checker.md` | 3 |

The agent file count is lower because the fixture is intentionally shorter — its purpose is to prove E15 (v7.2.0) coverage of the agent-file surface, not to exhaustively replicate every CLAUDE.md signal.

## Bucket-mapping logic (in run-memory-poisoning.mjs)

Findings are bucketed in priority order:

1. permission expansion (most specific) — matches "permission expansion" or `allowed-tools` / `bypassPermissions` / `dangerously` / `skip-permissions`
2. credential paths — matches "credential path" or `.ssh` / `.aws` / `kubeconfig` / `wallet` / `service-account-key`
3. suspicious URLs — matches "suspicious exfiltration url/domain" or `webhook.site` / `requestbin`
4. encoded payloads — matches "base64" or "encoded payload"
5. shell commands — matches "shell command" or `curl` / `wget` / `eval`
6. injection (broadest, last) — matches "injection" / "ignore previous" / "spoofed"

The order matters because some findings carry "directive" or "override" wording that would otherwise fall into the injection bucket — by checking permission-expansion first we avoid double-counting.
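The following is an added illustration of the priority-ordered bucketing and the per-bucket contract check described above. It is not the project's `run-memory-poisoning.mjs`; the finding shape (`{ detector, severity, message }`), the bucket names, and the sample findings are assumptions constructed for this example. It goes slightly beyond the text by also checking each bucket's strongest finding against the severity floor from the per-detector table.

```javascript
// Added example, not the project's own run-memory-poisoning.mjs.
// Finding shape and sample findings below are constructed for illustration.

const SEVERITY_RANK = { LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 3 };

// Buckets in priority order: first match wins, so the most specific
// categories come first and "injection" (broadest) comes last.
// Floors are the per-detector severity floors from the contract table.
const BUCKETS = [
  { name: 'permission-expansion', floor: 'CRITICAL',
    terms: ['permission expansion', 'allowed-tools', 'bypasspermissions', 'dangerously', 'skip-permissions'] },
  { name: 'credential-paths', floor: 'HIGH',
    terms: ['credential path', '.ssh', '.aws', 'kubeconfig', 'wallet', 'service-account-key'] },
  { name: 'suspicious-urls', floor: 'HIGH',
    terms: ['suspicious exfiltration url', 'suspicious exfiltration domain', 'webhook.site', 'requestbin'] },
  { name: 'encoded-payloads', floor: 'MEDIUM',
    terms: ['base64', 'encoded payload'] },
  { name: 'shell-commands', floor: 'LOW',
    terms: ['shell command', 'curl', 'wget', 'eval'] },
  { name: 'injection', floor: 'MEDIUM',
    terms: ['injection', 'ignore previous', 'spoofed'] },
];

// Case-insensitive substring match on the finding message; the first bucket
// whose terms match wins. Returns null when nothing matches.
function bucketFinding(finding) {
  const text = String(finding.message ?? '').toLowerCase();
  for (const bucket of BUCKETS) {
    if (bucket.terms.some((term) => text.includes(term))) return bucket.name;
  }
  return null;
}

// Group findings by bucket, tracking count and the highest severity seen.
function summarize(findings) {
  const summary = {};
  for (const b of BUCKETS) summary[b.name] = { count: 0, maxSeverity: null };
  summary.unbucketed = { count: 0, maxSeverity: null };
  for (const f of findings) {
    const entry = summary[bucketFinding(f) ?? 'unbucketed'];
    const sev = f.severity in SEVERITY_RANK ? f.severity : 'LOW';
    entry.count += 1;
    if (entry.maxSeverity === null || SEVERITY_RANK[sev] > SEVERITY_RANK[entry.maxSeverity]) {
      entry.maxSeverity = sev;
    }
  }
  return summary;
}

// The contract: every bucket has at least one finding, and its strongest
// finding meets the bucket's severity floor. Problems are returned rather
// than exiting so the logic is testable; a CLI wrapper would exit 1 on any.
function checkContract(findings) {
  const summary = summarize(findings);
  const problems = [];
  for (const b of BUCKETS) {
    const s = summary[b.name];
    if (s.count < 1) { problems.push(`${b.name}: no findings`); continue; }
    if (SEVERITY_RANK[s.maxSeverity] < SEVERITY_RANK[b.floor]) {
      problems.push(`${b.name}: max severity ${s.maxSeverity} below floor ${b.floor}`);
    }
  }
  return { ok: problems.length === 0, summary, problems };
}

// Constructed sample findings (not real scanner output). The first one
// carries "override directive" wording and still lands in permission-expansion
// because that bucket is checked before injection.
const SAMPLE_FINDINGS = [
  { detector: 'detectPermissionExpansion', severity: 'CRITICAL',
    message: 'Permission expansion: allowed-tools grants Bash(*) (override directive)' },
  { detector: 'detectCredentialPaths', severity: 'HIGH',
    message: 'Credential path referenced: ~/.ssh/id_rsa' },
  { detector: 'detectSuspiciousUrls', severity: 'HIGH',
    message: 'Suspicious exfiltration URL: https://webhook.site/EXAMPLE-ID' },
  { detector: 'detectEncodedPayloads', severity: 'MEDIUM',
    message: 'Encoded payload (base64) decodes to an instruction' },
  { detector: 'detectShellCommands', severity: 'LOW',
    message: 'Shell command in instructions: curl | sh' },
  { detector: 'detectInjection', severity: 'MEDIUM',
    message: 'Injection: "ignore previous instructions" in spoofed system block' },
  { detector: 'detectInjection', severity: 'LOW',
    message: 'Unusual heading structure' }, // matches no bucket
];

const result = checkContract(SAMPLE_FINDINGS);
console.log(result.ok ? 'contract satisfied' : result.problems.join('\n'));
```

Dropping any one of the six bucketed sample findings makes `checkContract` report that bucket as missing, which mirrors the non-zero exit the real runner is described as producing.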
## Side effects

- No file is modified
- No network call (scanner is fully offline)
- Discovery uses `scanners/lib/file-discovery.mjs::discoverFiles()`
- Memory-poisoning-scanner only inspects files matching `MEMORY_FILE_PATTERNS` — the fixture deliberately uses `CLAUDE.md` and `.claude/agents/health-checker.md` to ensure the scanner picks them up