Jiffy

jiffy-review — methodology & tiers

The jiffy review command performs a structured, four-pass review of an AI artifact bundle (skills, MCP definitions, agent configs, cursorrules, vector-store documents) and returns a confidence-tiered finding list. This page describes the model.

Four passes

Every jiffy review invocation runs these passes in order. Each pass consumes the prior pass's output; the server is authoritative (the CLI is a thin HTTP wrapper over /api/v1/review).

  1. RECON — inventory. Lists every file submitted in the bundle

with its SHA-256 hash and byte length. Stable-sorted by path. No heuristics; purely catalogs what will be analyzed.

  1. HUNTER — static rules. Runs the Sprint 25 MalSkills symbolic

rule set against an SDG derived from the artifact contents. Each hit carries a rule_id, severity, evidence_node_ids, and framework_codes (OWASP LLM 2025, MITRE ATLAS, NIST CSF 2.0).

  1. ADVERSARIAL — attack-path detectors. Applies the 15 Jiffy

attack-path detectors (12 from Sprint 61, 3 added in Sprint R) to a minimal graph derived from the bundle. Also surfaces MalSkills pattern matches from the HUNTER pass so later triage can fold them.

  1. TRIAGE — tier + CVSS assignment. Assigns each finding a

confidence_tier and, when derivable, an indicative CVSS 3.1 triple (vector, base, severity). Dedupes by the (detector_slug, target_artifact_uri) key, preferring the higher tier when the same slug lands twice.

Confidence tiers

Sprint R introduced a 3-tier validation scheme on top of Jiffy's existing intel confidence enum.

TierMeaningWhen it fires
confirmedCorroborated by a curated rule set or external disclosureMalSkills rule hits; threat_intel_entries.confidence = 'confirmed'
plausibleSupported by static evidence but not independently corroboratedHunter/adversarial matches with severity medium/high/critical
theoreticalPattern-plausible but unvalidatedLow-severity matches; exploratory detectors

Tier–severity invariant

A theoretical tier finding cannot carry a high or critical severity. The publish path rejects such combinations (HTTP 400 from PATCH /api/admin/intel-entries/[id]), and migration 062's pre-check halts with exit 1 if any pre-existing row in the intel table would violate the rule after backfill. Operators re-review those rows manually; Jiffy does not auto-remediate.

Optional CVSS 3.1 metadata

Where an AIL value is known (from attestation.ail_level), Jiffy derives a CVSS 3.1 triple from the 16-cell decision table (web/src/lib/trust/cvss-decision-table.ts). The mapping is indicative, not authoritative — real CVSS analysts customize per-CVE. Customers who need bespoke CVSS override in their SIEM.

The CVSS output is exposed in two places:

  1. /api/v1/trust response gains optional top-level ail_level and

cvss3 keys outside canonical_json. Signatures still verify byte-for-byte; the signing key is not rotated.

  1. SARIF 2.1.0 output (properties.security-severity + cvss3_vector)

from both jiffy-review/sarif and scanner/sarif. GitHub Advanced Security, GitLab, and most SIEMs read security-severity natively.

MITRE ATT&CK coverage

Every rule emitted by the Sprint 25 symbolic engine has an explicit ATT&CK mapping at web/src/lib/jiffy-review/mitre-attack-mappings.ts. The source of truth is the TypeScript file; the table below is rendered at page-request time so the doc cannot drift. Rules with techniques: [] are LLM-specific patterns (prompt injection, jailbreak, content-layer stego) that have no clean core ATT&CK fit and are tracked under MITRE ATLAS AML.T0051 instead.

A machine-readable JSON export of the same matrix lives at /api/public/mitre-coverage.json (1h browser cache, 24h edge cache).

Jiffy covers 27 ATT&CK techniques across 8 tactics. 6 additional rules are LLM-specific and track under MITRE ATLAS AML.T0051.

Technique IDTechnique NameTacticCovering Rules
T1027Obfuscated Files or InformationTA0002 (Execution), TA0005 (Defense Evasion), TA0010 (Exfiltration)MS-B64-PAYLOAD-030, MS-CRYPTO-EXFIL-010, MS-OBFUS-EXEC-002, MS-PAYLOAD-LEN-016
T1027.004Obfuscated Files or Information: Compile After DeliveryTA0002 (Execution), TA0005 (Defense Evasion)MS-DYN-IMPORT-027
T1041Exfiltration Over C2 ChannelTA0005 (Defense Evasion), TA0006 (Credential Access), TA0010 (Exfiltration), TA0011 (Command and Control)MS-CRED-NET-001, MS-CRYPTO-EXFIL-010, MS-ENV-NET-004, MS-MULTIART-011, MS-NET-EGRESS-015
T1048Exfiltration Over Alternative ProtocolTA0010 (Exfiltration)MS-ARCHIVE-NET-014
T1053.003Scheduled Task/Job: CronTA0003 (Persistence)MS-PERSIST-007
T1059.004Command and Scripting Interpreter: Unix ShellTA0001 (Initial Access), TA0002 (Execution), TA0005 (Defense Evasion), TA0011 (Command and Control), TA0040 (Impact)MS-CURL-BASH-012, MS-OBFUS-EXEC-002, MS-RM-RF-034, MS-SC-PKG-003, MS-SHELL-TRUE-036
T1059.006Command and Scripting Interpreter: PythonTA0002 (Execution), TA0005 (Defense Evasion), TA0011 (Command and Control)MS-DYN-IMPORT-027, MS-EVAL-NET-009, MS-SHELL-TRUE-036
T1071Application Layer ProtocolTA0001 (Initial Access), TA0010 (Exfiltration), TA0011 (Command and Control)MS-BIND-ALL-035, MS-NET-EGRESS-015
T1090ProxyTA0005 (Defense Evasion), TA0011 (Command and Control)MS-MODEL-OVERRIDE-006
T1098.004Account Manipulation: SSH Authorized KeysTA0003 (Persistence)MS-SSH-008
T1105Ingress Tool TransferTA0002 (Execution), TA0011 (Command and Control)MS-CURL-BASH-012, MS-EVAL-NET-009
T1133External Remote ServicesTA0001 (Initial Access), TA0005 (Defense Evasion), TA0011 (Command and Control)MS-BIND-ALL-035, MS-MCP-BROAD-022
T1140Deobfuscate/Decode Files or InformationTA0002 (Execution), TA0005 (Defense Evasion)MS-OBFUS-EXEC-002
T1195.002Supply Chain Compromise: Compromise Software Supply ChainTA0001 (Initial Access), TA0002 (Execution)MS-SC-PKG-003, MS-UNPINNED-023
T1485Data DestructionTA0002 (Execution), TA0040 (Impact)MS-RM-RF-034
T1539Steal Web Session CookieTA0006 (Credential Access)MS-BROWSER-ARTIFACT-025
T1543.001Create or Modify System Process: Launch AgentTA0003 (Persistence)MS-AUTORUN-013, MS-MCP-HOOK-029, MS-PERSIST-007
T1543.004Create or Modify System Process: Launch DaemonTA0003 (Persistence)MS-PERSIST-007
T1547Boot or Logon Autostart ExecutionTA0003 (Persistence)MS-MCP-HOOK-029
T1547.011Boot or Logon Autostart Execution: Plist ModificationTA0003 (Persistence)MS-AUTORUN-013
T1552Unsecured CredentialsTA0006 (Credential Access), TA0010 (Exfiltration)MS-CONN-STRING-018, MS-ENV-NET-004, MS-HARDCODED-SECRET-017, MS-TOKEN-URL-024
T1552.001Unsecured Credentials: Credentials In FilesTA0006 (Credential Access), TA0010 (Exfiltration)MS-CRED-NET-001, MS-MULTIART-011
T1552.004Unsecured Credentials: Private KeysTA0006 (Credential Access)MS-PEM-KEY-019
T1555Credentials from Password StoresTA0006 (Credential Access)MS-BROWSER-ARTIFACT-025
T1562Impair DefensesTA0001 (Initial Access), TA0005 (Defense Evasion), TA0011 (Command and Control)MS-MCP-BROAD-022, MS-MODEL-OVERRIDE-006
T1562.001Impair Defenses: Disable or Modify ToolsTA0005 (Defense Evasion)MS-DANGER-FLAG-031, MS-EMPTY-PERMS-026, MS-WILDCARD-TOOLS-032
T1567Exfiltration Over Web ServiceTA0006 (Credential Access), TA0010 (Exfiltration)MS-ARCHIVE-NET-014, MS-MULTIART-011

Pipeline parity

The CLI (packages/jiffy-cli/src/commands/review.ts) is a thin HTTP wrapper; the server-side pipeline (web/src/lib/jiffy-review/review-pipeline.ts) is the single source of truth. A parity test (web/src/lib/jiffy-review/__tests__/review-parity.test.ts) asserts the CLI stdout JSON equals the server-handler JSON byte-for-byte (after redacting non-deterministic duration_ms fields) across three canonical fixture bundles (benign, plausible, confirmed). A drift would require someone to hand-port pipeline logic into the CLI — which the thin-wrapper design disallows.

Exit codes

CodeMeaning
0Success — findings present or absent, both are valid outcomes
1Generic failure — network error, 5xx, server rejection
3Malformed CLI input — missing --artifact, invalid --ail range

Findings are not errors. A bundle that triggers every detector still exits 0 provided the HTTP request completes.

See also

same pipeline for Claude Desktop / Cursor integrations.

for any UI derived from the CLI output.