secplat
Security Platform vulnerability posture, KEV triage, and compliance queries via Skynet mesh agent
Security Platform Plugin (secplat)
A Claude Code plugin for querying Optum Security Platform via the Skynet mesh agent. Provides vulnerability posture, KEV-prioritized triage, Immerse infrastructure management, and Secure identity/access queries.
Architecture
Claude Code --> /secplat:* commands --> Python CLI --> Skynet mesh agent --> Security Platform
\-> Immerse
\-> Secure
All API calls route through the Skynet streaming endpoint at
skynet-secplat-agent.uhg.com. The agent exposes 70+ MCP tools across 5
services. Authentication uses Kerberos SPNEGO to obtain a Maelstrom JWT token
(~60-minute lifetime) -- the CLI handles this transparently once you have a
valid Kerberos ticket.
Prerequisites
| Requirement | How to verify | Install if missing |
|---|---|---|
| Python 3.10+ | python3 --version | brew install [email protected] (macOS) |
| curl | curl --version | Pre-installed on macOS/Linux |
| Kerberos ticket | klist | kinit [email protected] |
| CA certificate bundle | See CA Bundle section | Set env var (see below) |
| Network access | curl -I https://skynet-secplat-agent.uhg.com | Must be on Optum network or VPN |
Installation
Step 1: Install the Claude Code plugin
# From the otc-awesome-llm repository root:
claude plugin marketplace add .
claude plugin install secplat@otc-awesome-llm
Step 2: Set up Python path
The CLI runs as python3 -m secplat.src.cli. For the secplat package to
resolve, claude-code/plugins/ must be on your Python path.
Option A -- Shell profile (recommended):
Add to ~/.zshrc or ~/.bashrc:
export PYTHONPATH="/path/to/otc-awesome-llm/claude-code/plugins${PYTHONPATH:+:$PYTHONPATH}"
Option B -- .pth file:
SITE=$(python3 -c "import site; print(site.getusersitepackages())")
mkdir -p "$SITE"
echo "/path/to/otc-awesome-llm/claude-code/plugins" > "$SITE/secplat.pth"
Option C -- Run the installer (interactive):
./claude-code/plugins/secplat/install.sh
Step 3: Authenticate
# Get a Kerberos ticket (required once per ~10 hours)
kinit [email protected]
# Enter your AD password when prompted
# Verify auth works
python3 -m secplat.src.cli auth
Expected output:
{
"status": "authenticated",
"expires_in_seconds": 3500,
"max_age_seconds": 3500
}
Step 4: Verify
python3 -m secplat.src.cli search "Epic"
Kerberos Setup (First Time)
Your Kerberos principal is your Windows/AD login (MSID) with the UHG realm:
[email protected]
macOS -- kinit is pre-installed at /usr/bin/kinit. The Kerberos config
at /etc/krb5.conf should already have the UHG realm from IT-managed profiles.
If not:
[libdefaults]
default_realm = MSAD.UHG.COM
[realms]
MSAD.UHG.COM = {
kdc = msad.uhg.com
admin_server = msad.uhg.com
}
Linux -- Install krb5-user (Debian/Ubuntu) or krb5-workstation
(RHEL/CentOS), then configure /etc/krb5.conf as above.
Ticket lifetime -- Tickets last ~10 hours. If you get auth failures after
working for a long session, run kinit again.
CA Certificate Bundle
Corporate proxies (Netskope, Zscaler) inject intermediate CAs that must be in
the trust store. The authentication flow (auth.py) uses proper TLS
verification with CA bundles resolved from these locations:
SECPLAT_CA_BUNDLEenv var (plugin-specific override)CURL_CA_BUNDLEenv var (often set by Azure CLI setup)REQUESTS_CA_BUNDLEenv varSSL_CERT_FILEenv var (OpenSSL default)/opt/homebrew/etc/openssl@3/cert.pem(macOS Homebrew OpenSSL)/etc/ssl/certs/ca-certificates.crt(Debian/Ubuntu)/etc/pki/tls/certs/ca-bundle.crt(RHEL/CentOS)
Note: The streaming API client (client.py) currently disables TLS
verification unconditionally (curl -k equivalent) due to corporate CA
complexity at the Skynet endpoint. Authentication still uses proper TLS.
Setting SECPLAT_INSECURE=1 only affects the auth flow's fallback behavior.
macOS with Homebrew (most common setup):
# Check if Homebrew OpenSSL cert exists
ls /opt/homebrew/etc/openssl@3/cert.pem
# If it does, add to profile:
export CURL_CA_BUNDLE=/opt/homebrew/etc/openssl@3/cert.pem
macOS without Homebrew OpenSSL:
# Export the system keychain certificates
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain > ~/certs.pem
security find-certificate -a -p /Library/Keychains/System.keychain >> ~/certs.pem
export CURL_CA_BUNDLE=~/certs.pem
Escape hatch (not recommended):
export SECPLAT_INSECURE=1
Commands
| Command | Argument | Description |
|---|---|---|
/secplat:search | <query> | Search for applications by name or AIDE pattern |
/secplat:posture | <AIDE_ID> | Vulnerability counts, KEV status, compliance flags |
/secplat:triage | <AIDE_ID> | Priority-ordered remediation plan (KEV, Critical, High) |
CLI Subcommands (direct use)
# SecPlat -- vulnerability management
python3 -m secplat.src.cli auth # Check/refresh session
python3 -m secplat.src.cli search "Epic" # Search applications
python3 -m secplat.src.cli posture AIDE_ID # Vulnerability posture
python3 -m secplat.src.cli triage AIDE_ID # Remediation priorities
python3 -m secplat.src.cli vulns AIDE_ID # List vulnerabilities
python3 -m secplat.src.cli count AIDE_ID # Vulnerability counts
python3 -m secplat.src.cli kevs AIDE_ID # Known exploited vulns
python3 -m secplat.src.cli assets AIDE_ID # Top vulnerable assets
# Immerse -- infrastructure management
python3 -m secplat.src.cli apps # List applications
python3 -m secplat.src.cli teams [name] # List/get teams
python3 -m secplat.src.cli repos # List repositories
python3 -m secplat.src.cli pipelines AIDE_ID # List pipelines
python3 -m secplat.src.cli deployments # List deployments
# Secure -- identity/access
python3 -m secplat.src.cli whoami MSID # User lookup
python3 -m secplat.src.cli groups [--msid X] # Group membership
python3 -m secplat.src.cli members GROUP # Group members
All output is JSON for LLM agent consumption.
Skills
Skills fire automatically when Claude detects relevant user intent:
| Skill | Triggers on |
|---|---|
secplat-posture-check | "what's the security posture of AIDE X?", "vulnerability counts" |
secplat-vuln-triage | "what should I fix first?", "are there KEVs?", "remediation plan" |
Session Management
- JWT token lifetime: ~60 minutes (auto-refresh at 58 min)
- Session persisted to
~/.secplat/session.json(permissions 0600) - Multiple CLI invocations share the same session
- Token stored in memory during agent conversations; file is the cross-process cache
- If auth fails mid-session: run
kinitand retry (the CLI retries once automatically)
Data Quality Caveats
Trust: KEV counts, severity counts, vulnerability findings -- these come from authoritative scanning sources (CISA catalog, Qualys, Prisma, etc.).
Verify before acting: Compliance flags (HasIngressFirewall, HasWAF,
HasEDR) are detection-derived, not configuration-derived.
HasIngressFirewall: falseoften means the Palo Alto firewall is assigned to a different team's AIDE, not that there's no firewall- WAF/EDR flags have similar attribution patterns
- Always cross-reference with IaC repos (
ohemr-terraform-*,ohemr-ansible-role-*) before opening remediation tickets
Dr. Zero Remediation Bridge
The security-remediation bridge agent (in the drzero plugin) converts secplat
triage output into cross-repo remediation dispatch plans for portal-gun execution.
Workflow
/secplat:triage AIDE_ID
|
v
security-remediation agent (planner only)
|
v
JSON dispatch plan (repos, PRs, priorities)
|
v (user confirms)
/drzero:drzero-portal-gun (executes cross-repo PRs)
Usage
- Run triage to get prioritized findings:
/secplat:triage AIDE_0085665
-
The bridge agent processes the output and produces a structured dispatch plan with repo targets, PR strategies, and priority ordering (KEV fast-track first).
-
Review the plan -- the agent is a planner only, never executes.
-
Execute confirmed dispatches via portal-gun for cross-repo PRs.
Security Controls
- Org allowlist: only dispatches to repos in
optum-tech-computeby default - Input sanitization: strips unsafe characters, truncates to 200 chars
- Repo visibility check: caller verifies via
gh repo viewbefore PR creation - 50 findings per invocation max; continuation field for overflow
Troubleshooting
"No CA certificate bundle found"
# Find your cert bundle
find / -name "cert.pem" -o -name "ca-certificates.crt" -o -name "ca-bundle.crt" 2>/dev/null
# Set it
export CURL_CA_BUNDLE=/path/to/cert.pem
"Authentication failed" / "Kerberos ticket may have expired"
# Check ticket status
klist
# If expired or missing:
kinit [email protected]
# Verify
python3 -m secplat.src.cli auth
"Connection failed" / timeout
- Verify you're on the Optum network (VPN if remote)
- Test connectivity:
curl -I https://skynet-secplat-agent.uhg.com - If behind proxy, ensure HTTPS_PROXY is set correctly
"ModuleNotFoundError: No module named 'secplat'"
# Verify PYTHONPATH includes the plugins directory
echo $PYTHONPATH
# Quick test
PYTHONPATH=/path/to/otc-awesome-llm/claude-code/plugins python3 -c "import secplat.src; print('OK')"
# If that works, make it permanent (see Installation Step 2)
"No tool results found in response"
The Skynet agent returned a response but no actionable data. Common causes:
- The AIDE ID doesn't exist or you don't have access
- The agent is under load (retry in 30 seconds)
- The mesh agent's upstream SecPlat service is degraded
File Structure
claude-code/plugins/secplat/
├── .claude-plugin/
│ ├── plugin.json # Claude Code plugin manifest
│ └── plugin.json.j2 # Template (version injected at release)
├── commands/
│ ├── search.md # /secplat:search command
│ ├── posture.md # /secplat:posture command
│ └── triage.md # /secplat:triage command
├── skills/
│ ├── posture-check/SKILL.md
│ └── vuln-triage/SKILL.md
├── src/
│ ├── __init__.py # Package version (1.1.0)
│ ├── __main__.py # python -m entry point
│ ├── auth.py # Kerberos SPNEGO + JWT session management
│ ├── cli.py # Argument parser and command dispatch
│ ├── client.py # Skynet streaming API client (SecPlat tools)
│ ├── immerse.py # Immerse platform tools (apps, repos, pipelines)
│ └── secure.py # Secure identity/access tools (groups, users)
├── install.sh # Interactive installer
├── package.json # Plugin metadata (npm-style)
├── pyproject.toml # Python tooling config (ruff, mypy)
└── README.md # This file
Version History
- 1.1.0 -- Added Immerse and Secure command surfaces, unified CLI
- 1.0.0 -- Initial release: SecPlat posture, triage, search
License
Internal Use Only -- Optum Technology
Related Assets
ai-dlc
otc-awesome-llm is the Optum LLM library providing version-controlled prompts, chatmodes, instructions, and agent modes for infrastructure operations via native IDE integrations
asset-reviewer
otc-awesome-llm is the Optum LLM library providing version-controlled prompts, chatmodes, instructions, and agent modes for infrastructure operations via native IDE integrations
documentation-bot
otc-awesome-llm is the Optum LLM library providing version-controlled prompts, chatmodes, instructions, and agent modes for infrastructure operations via native IDE integrations
drzero
otc-awesome-llm is the Optum LLM library providing version-controlled prompts, chatmodes, instructions, and agent modes for infrastructure operations via native IDE integrations
dynatrace-platform
otc-awesome-llm is the Optum LLM library providing version-controlled prompts, chatmodes, instructions, and agent modes for infrastructure operations via native IDE integrations
hcp
Claude Code plugin for hcpctl — the CLI for Optum's HCP Platform Resource Manager (PRM). Provides safe read/write/inspect/apply workflows over hundreds of resource kinds spanning Azure, GCP, AWS, and on-prem infrastructure with mandatory dry-run safety on writes.

