Skip to content

secplat

Security Platform vulnerability posture, KEV triage, and compliance queries via Skynet mesh agent

IDE:
claude
Version:
11.3.0
plugin
claude-code
secplat

Security Platform Plugin (secplat)

A Claude Code plugin for querying Optum Security Platform via the Skynet mesh agent. Provides vulnerability posture, KEV-prioritized triage, Immerse infrastructure management, and Secure identity/access queries.

Architecture

Claude Code --> /secplat:* commands --> Python CLI --> Skynet mesh agent --> Security Platform
                                                  \-> Immerse
                                                  \-> Secure

All API calls route through the Skynet streaming endpoint at skynet-secplat-agent.uhg.com. The agent exposes 70+ MCP tools across 5 services. Authentication uses Kerberos SPNEGO to obtain a Maelstrom JWT token (~60-minute lifetime) -- the CLI handles this transparently once you have a valid Kerberos ticket.

Prerequisites

RequirementHow to verifyInstall if missing
Python 3.10+python3 --versionbrew install [email protected] (macOS)
curlcurl --versionPre-installed on macOS/Linux
Kerberos ticketklistkinit [email protected]
CA certificate bundleSee CA Bundle sectionSet env var (see below)
Network accesscurl -I https://skynet-secplat-agent.uhg.comMust be on Optum network or VPN

Installation

Step 1: Install the Claude Code plugin

# From the otc-awesome-llm repository root:
claude plugin marketplace add .
claude plugin install secplat@otc-awesome-llm

Step 2: Set up Python path

The CLI runs as python3 -m secplat.src.cli. For the secplat package to resolve, claude-code/plugins/ must be on your Python path.

Option A -- Shell profile (recommended):

Add to ~/.zshrc or ~/.bashrc:

export PYTHONPATH="/path/to/otc-awesome-llm/claude-code/plugins${PYTHONPATH:+:$PYTHONPATH}"

Option B -- .pth file:

SITE=$(python3 -c "import site; print(site.getusersitepackages())")
mkdir -p "$SITE"
echo "/path/to/otc-awesome-llm/claude-code/plugins" > "$SITE/secplat.pth"

Option C -- Run the installer (interactive):

./claude-code/plugins/secplat/install.sh

Step 3: Authenticate

# Get a Kerberos ticket (required once per ~10 hours)
kinit [email protected]
# Enter your AD password when prompted

# Verify auth works
python3 -m secplat.src.cli auth

Expected output:

{
  "status": "authenticated",
  "expires_in_seconds": 3500,
  "max_age_seconds": 3500
}

Step 4: Verify

python3 -m secplat.src.cli search "Epic"

Kerberos Setup (First Time)

Your Kerberos principal is your Windows/AD login (MSID) with the UHG realm:

[email protected]

macOS -- kinit is pre-installed at /usr/bin/kinit. The Kerberos config at /etc/krb5.conf should already have the UHG realm from IT-managed profiles. If not:

[libdefaults]
    default_realm = MSAD.UHG.COM

[realms]
    MSAD.UHG.COM = {
        kdc = msad.uhg.com
        admin_server = msad.uhg.com
    }

Linux -- Install krb5-user (Debian/Ubuntu) or krb5-workstation (RHEL/CentOS), then configure /etc/krb5.conf as above.

Ticket lifetime -- Tickets last ~10 hours. If you get auth failures after working for a long session, run kinit again.

CA Certificate Bundle

Corporate proxies (Netskope, Zscaler) inject intermediate CAs that must be in the trust store. The authentication flow (auth.py) uses proper TLS verification with CA bundles resolved from these locations:

  1. SECPLAT_CA_BUNDLE env var (plugin-specific override)
  2. CURL_CA_BUNDLE env var (often set by Azure CLI setup)
  3. REQUESTS_CA_BUNDLE env var
  4. SSL_CERT_FILE env var (OpenSSL default)
  5. /opt/homebrew/etc/openssl@3/cert.pem (macOS Homebrew OpenSSL)
  6. /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu)
  7. /etc/pki/tls/certs/ca-bundle.crt (RHEL/CentOS)

Note: The streaming API client (client.py) currently disables TLS verification unconditionally (curl -k equivalent) due to corporate CA complexity at the Skynet endpoint. Authentication still uses proper TLS. Setting SECPLAT_INSECURE=1 only affects the auth flow's fallback behavior.

macOS with Homebrew (most common setup):

# Check if Homebrew OpenSSL cert exists
ls /opt/homebrew/etc/openssl@3/cert.pem

# If it does, add to profile:
export CURL_CA_BUNDLE=/opt/homebrew/etc/openssl@3/cert.pem

macOS without Homebrew OpenSSL:

# Export the system keychain certificates
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain > ~/certs.pem
security find-certificate -a -p /Library/Keychains/System.keychain >> ~/certs.pem
export CURL_CA_BUNDLE=~/certs.pem

Escape hatch (not recommended):

export SECPLAT_INSECURE=1

Commands

CommandArgumentDescription
/secplat:search<query>Search for applications by name or AIDE pattern
/secplat:posture<AIDE_ID>Vulnerability counts, KEV status, compliance flags
/secplat:triage<AIDE_ID>Priority-ordered remediation plan (KEV, Critical, High)

CLI Subcommands (direct use)

# SecPlat -- vulnerability management
python3 -m secplat.src.cli auth              # Check/refresh session
python3 -m secplat.src.cli search "Epic"     # Search applications
python3 -m secplat.src.cli posture AIDE_ID   # Vulnerability posture
python3 -m secplat.src.cli triage AIDE_ID    # Remediation priorities
python3 -m secplat.src.cli vulns AIDE_ID     # List vulnerabilities
python3 -m secplat.src.cli count AIDE_ID     # Vulnerability counts
python3 -m secplat.src.cli kevs AIDE_ID      # Known exploited vulns
python3 -m secplat.src.cli assets AIDE_ID    # Top vulnerable assets

# Immerse -- infrastructure management
python3 -m secplat.src.cli apps              # List applications
python3 -m secplat.src.cli teams [name]      # List/get teams
python3 -m secplat.src.cli repos             # List repositories
python3 -m secplat.src.cli pipelines AIDE_ID # List pipelines
python3 -m secplat.src.cli deployments       # List deployments

# Secure -- identity/access
python3 -m secplat.src.cli whoami MSID       # User lookup
python3 -m secplat.src.cli groups [--msid X] # Group membership
python3 -m secplat.src.cli members GROUP     # Group members

All output is JSON for LLM agent consumption.

Skills

Skills fire automatically when Claude detects relevant user intent:

SkillTriggers on
secplat-posture-check"what's the security posture of AIDE X?", "vulnerability counts"
secplat-vuln-triage"what should I fix first?", "are there KEVs?", "remediation plan"

Session Management

  • JWT token lifetime: ~60 minutes (auto-refresh at 58 min)
  • Session persisted to ~/.secplat/session.json (permissions 0600)
  • Multiple CLI invocations share the same session
  • Token stored in memory during agent conversations; file is the cross-process cache
  • If auth fails mid-session: run kinit and retry (the CLI retries once automatically)

Data Quality Caveats

Trust: KEV counts, severity counts, vulnerability findings -- these come from authoritative scanning sources (CISA catalog, Qualys, Prisma, etc.).

Verify before acting: Compliance flags (HasIngressFirewall, HasWAF, HasEDR) are detection-derived, not configuration-derived.

  • HasIngressFirewall: false often means the Palo Alto firewall is assigned to a different team's AIDE, not that there's no firewall
  • WAF/EDR flags have similar attribution patterns
  • Always cross-reference with IaC repos (ohemr-terraform-*, ohemr-ansible-role-*) before opening remediation tickets

Dr. Zero Remediation Bridge

The security-remediation bridge agent (in the drzero plugin) converts secplat triage output into cross-repo remediation dispatch plans for portal-gun execution.

Workflow

/secplat:triage AIDE_ID
    |
    v
security-remediation agent (planner only)
    |
    v
JSON dispatch plan (repos, PRs, priorities)
    |
    v  (user confirms)
/drzero:drzero-portal-gun (executes cross-repo PRs)

Usage

  1. Run triage to get prioritized findings:
/secplat:triage AIDE_0085665
  1. The bridge agent processes the output and produces a structured dispatch plan with repo targets, PR strategies, and priority ordering (KEV fast-track first).

  2. Review the plan -- the agent is a planner only, never executes.

  3. Execute confirmed dispatches via portal-gun for cross-repo PRs.

Security Controls

  • Org allowlist: only dispatches to repos in optum-tech-compute by default
  • Input sanitization: strips unsafe characters, truncates to 200 chars
  • Repo visibility check: caller verifies via gh repo view before PR creation
  • 50 findings per invocation max; continuation field for overflow

Troubleshooting

"No CA certificate bundle found"

# Find your cert bundle
find / -name "cert.pem" -o -name "ca-certificates.crt" -o -name "ca-bundle.crt" 2>/dev/null

# Set it
export CURL_CA_BUNDLE=/path/to/cert.pem

"Authentication failed" / "Kerberos ticket may have expired"

# Check ticket status
klist

# If expired or missing:
kinit [email protected]

# Verify
python3 -m secplat.src.cli auth

"Connection failed" / timeout

  • Verify you're on the Optum network (VPN if remote)
  • Test connectivity: curl -I https://skynet-secplat-agent.uhg.com
  • If behind proxy, ensure HTTPS_PROXY is set correctly

"ModuleNotFoundError: No module named 'secplat'"

# Verify PYTHONPATH includes the plugins directory
echo $PYTHONPATH

# Quick test
PYTHONPATH=/path/to/otc-awesome-llm/claude-code/plugins python3 -c "import secplat.src; print('OK')"

# If that works, make it permanent (see Installation Step 2)

"No tool results found in response"

The Skynet agent returned a response but no actionable data. Common causes:

  • The AIDE ID doesn't exist or you don't have access
  • The agent is under load (retry in 30 seconds)
  • The mesh agent's upstream SecPlat service is degraded

File Structure

claude-code/plugins/secplat/
├── .claude-plugin/
│   ├── plugin.json          # Claude Code plugin manifest
│   └── plugin.json.j2       # Template (version injected at release)
├── commands/
│   ├── search.md            # /secplat:search command
│   ├── posture.md           # /secplat:posture command
│   └── triage.md            # /secplat:triage command
├── skills/
│   ├── posture-check/SKILL.md
│   └── vuln-triage/SKILL.md
├── src/
│   ├── __init__.py          # Package version (1.1.0)
│   ├── __main__.py          # python -m entry point
│   ├── auth.py              # Kerberos SPNEGO + JWT session management
│   ├── cli.py               # Argument parser and command dispatch
│   ├── client.py            # Skynet streaming API client (SecPlat tools)
│   ├── immerse.py           # Immerse platform tools (apps, repos, pipelines)
│   └── secure.py            # Secure identity/access tools (groups, users)
├── install.sh               # Interactive installer
├── package.json             # Plugin metadata (npm-style)
├── pyproject.toml           # Python tooling config (ruff, mypy)
└── README.md                # This file

Version History

  • 1.1.0 -- Added Immerse and Secure command surfaces, unified CLI
  • 1.0.0 -- Initial release: SecPlat posture, triage, search

License

Internal Use Only -- Optum Technology

Related Assets