/lagune.plan
🛡️ Turn what detect found into a defense plan: rate each finding with a category and a CVSS v4.0 score, then pair it with the fix to apply.
Run it
- Plan everything
- Point at paths
- Focus a worry
/lagune.plan
/lagune.plan src/routes/upload.ts
/lagune.plan where sensitive data could leak
How it works
This phase continues from detect. Detect already found what your system does and the risk each thing carries, so the plan does not repeat the risk, it rates how serious it is and decides what to do about it. Plan never reads the code, which forces every fix to point at something detect actually detected. It rates each finding with the CVSS v4.0 method: a category, a CVSS v4.0 vector and score reasoned from what detect and the charter captured, and the priority band that score lands on. Each fix also carries the charter principle it upholds.
For example:
- File uploads (Priority: Critical)
- Category: Unrestricted file upload (CWE-434).
- CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (9.3, Critical).
- Why this priority: anyone can reach the upload over the internet, and it sits on the server that stores customer files.
- Upholds: III. All input is untrusted until validated.
- Fix: check the file's real type and size, rename it on save, and store uploads where they cannot be run as code.
From there, you have a rated, prioritized list of fixes, each tied to a finding and ready for the next phase to apply. Because the CVSS vector is Base-only, anyone can paste it into the FIRST or NVD calculator and rederive the same score.
- It builds entirely on detect. If a file or worry was never mapped, it tells you to run
/lagune.detecton it first. - Running it again updates the plan: done fixes drop off, new ones come in.
- The defense plan lives in
.lagune/memory/plan.md.
Plan works only from what /lagune.detect already mapped, so run detect first.
Next
Apply the plan: /lagune.harden.
