Add security vulnerability management

docs/SECURITY_MANAGEMENT.md

@@ -0,0 +1,261 @@
+# Security Vulnerability Management & Autonomous Patching
+
+## Problem
+
+**Security vulnerabilities in dependencies are the #1 attack vector for Linux systems.** According to recent CVE data:
+
+- **25,000+ new CVEs** are published annually
+- **60% of breaches** exploit known, unpatched vulnerabilities  
+- Average time from CVE publication to exploit: **15 days**
+- Average enterprise patching cycle: **102 days** ❌
+
+Cortex Linux currently has **zero automated security monitoring**. Users must:
+
+1. Manually check each of their 2,000+ installed packages
+2. Cross-reference against CVE databases (NVD, OSV, etc.)
+3. Determine which updates fix which vulnerabilities
+4. Hope they don't miss a critical exploit
+
+**This is unacceptable for an AI-native package manager.**
+
+### Real-World Impact
+
+| Vulnerability | Impact |
+|---------------|--------|
+| **Log4Shell (CVE-2021-44228)** | Organizations without automated scanning took weeks to identify affected systems |
+| **Heartbleed (CVE-2014-0160)** | OpenSSL vulnerability affected 17% of "secure" web servers |
+| **Monthly kernel patches** | Linux releases security updates monthly — missing one can expose the entire system |
+
+### Current State
+
+```bash
+# Today: Manual, error-prone, incomplete
+$ apt list --upgradable | grep security  # Doesn't show CVE severity
+$ apt-cache policy openssl               # No vulnerability context
+```
+
+Users are flying blind.
+
+---
+
+## Proposed Solution
+
+Implement **continuous vulnerability scanning** with **autonomous patching** capabilities.
+
+### Core Features
+
+| Feature | Description |
+|---------|-------------|
+| **Vulnerability Scanner** | Continuously monitor installed packages against CVE databases |
+| **Autonomous Patcher** | Automatically patch vulnerabilities with safety controls |
+| **Security Scheduler** | Monthly/weekly/daily automated security maintenance |
+| **Rollback Support** | All patches tracked in history, fully reversible |
+
+### Example Commands
+
+```bash
+# Scan all installed packages for vulnerabilities
+cortex security scan --all
+
+# Output:
+# 🔍 Scanning: 2636/2636 (100%) | Vulnerabilities found: 47
+# 
+# 📊 Scan Results:
+#   🔴 Critical: 3
+#   🟠 High: 12
+#   🟡 Medium: 24
+#   🟢 Low: 8
+
+# Scan specific package
+cortex security scan --package openssl
+
+# Show only critical vulnerabilities
+cortex security scan --critical
+
+# Autonomous patching (dry-run by default for safety)
+cortex security patch --scan-and-patch --strategy critical_only
+
+# Actually apply patches
+cortex security patch --scan-and-patch --strategy critical_only --apply
+
+# Set up monthly automated patching (suitable for desktops/low-risk systems)
+cortex security schedule create monthly-patch --frequency monthly --enable-patch
+
+# For servers/critical systems, use weekly with critical-only strategy
+cortex security schedule create weekly-critical --frequency weekly --enable-patch
+cortex security schedule install-timer monthly-patch
+```
+
+### Patching Frequency Guidelines
+
+Different systems have different security requirements. Choose the appropriate patching frequency based on your use case:
+
+| System Type | Recommended Frequency | Rationale |
+|-------------|----------------------|-----------|
+| **Production servers** | Weekly or daily (critical only) | Minimize exposure window for exploitable vulnerabilities |
+| **Internet-facing services** | Daily (critical/high) | High risk of exploitation; CVEs are weaponized within ~15 days |
+| **Development workstations** | Weekly | Balance productivity with security; less exposure than servers |
+| **Desktop/personal use** | Monthly | Standard Linux practice; lower risk profile |
+| **Air-gapped/isolated systems** | Monthly | Limited attack surface; coordinate with maintenance windows |
+| **Compliance-regulated (SOC2, HIPAA)** | Per policy, typically weekly | Meet audit requirements; document all patching activity |
+
+**When to patch more frequently:**
+- After major CVE disclosures (e.g., Log4Shell, Heartbleed-class vulnerabilities)
+- Systems handling sensitive data (PII, financial, healthcare)
+- Publicly accessible services (web servers, APIs, databases)
+
+**When monthly is appropriate:**
+- Internal-only systems with limited network exposure
+- Systems where stability is prioritized over immediate patching
+- Environments with change control processes requiring scheduled maintenance windows
+
+### Safety Controls
+
+| Control | Description |
+|---------|-------------|
+| **Dry-run default** | Shows what would be patched without making changes |
+| **Whitelist/Blacklist** | Control which packages can be auto-patched |
+| **Severity filtering** | Only patch above threshold (e.g., critical only) |
+| **Rollback support** | All patches recorded in history, reversible |
+| **Systemd integration** | Native Linux scheduling via timers |
+
+### Data Sources
+
+| Source | Purpose | Speed |
+|--------|---------|-------|
+| **OSV (Open Source Vulnerabilities)** | Primary database, comprehensive | Fast |
+| **NVD (National Vulnerability Database)** | Fallback for critical packages | Slower |
+| **24-hour caching** | Reduces API load | Instant (cached) |
+
+---
+
+## Why This Matters
+
+### For Cortex Linux
+
+1. **Differentiation**: No other package manager offers AI-assisted security scanning + natural language patching
+2. **Enterprise requirement**: Automated compliance for SOC2, ISO27001, HIPAA
+3. **User safety**: Protect users from the 25,000+ CVEs published each year
+4. **Flexible patching schedules**: From daily (critical systems) to monthly (desktops) — we make it effortless
+
+### Industry Statistics
+
+```text
+┌─────────────────────────────────────────────────────────────┐
+│                    THE PATCHING GAP                         │
+├─────────────────────────────────────────────────────────────┤
+│                                                             │
+│   CVE Published ──────────────────────────────────────────▶ │
+│        │                                                    │
+│        │  15 days   ┌─────────────────┐                     │
+│        ├───────────▶│ Exploit Created │                     │
+│        │            └─────────────────┘                     │
+│        │                                                    │
+│        │  102 days  ┌─────────────────┐                     │
+│        └───────────▶│ Enterprise Patch│  ← TOO SLOW!        │
+│                     └─────────────────┘                     │
+│                                                             │
+│   WITH CORTEX:                                              │
+│        │  < 24 hrs  ┌─────────────────┐                     │
+│        └───────────▶│ Auto-Detected   │  ← FIXED            │
+│                     └─────────────────┘                     │
+│                                                             │
+└─────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## Acceptance Criteria
+
+- [ ] `cortex security scan --all` scans installed packages against CVE databases
+- [ ] `cortex security scan --package <name>` scans specific package
+- [ ] `cortex security scan --critical` shows only critical vulnerabilities
+- [ ] `cortex security patch --scan-and-patch` creates patch plan (dry-run)
+- [ ] `cortex security patch --scan-and-patch --apply` applies patches
+- [ ] `cortex security schedule create` creates automated schedules
+- [ ] `cortex security schedule list` lists all schedules
+- [ ] `cortex security schedule run <id>` manually runs a schedule
+- [ ] `cortex security schedule install-timer` installs systemd timer
+- [ ] All patches recorded in installation history with rollback support
+- [ ] Configurable whitelist/blacklist for packages
+- [ ] Severity filtering (critical_only, high_and_above, automatic)
+- [ ] Progress output during long scans
+- [ ] Caching to avoid repeated API calls
+
+---
+
+## Technical Implementation
+
+### Architecture
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                        CORTEX SECURITY                          │
+├─────────────────────────────────────────────────────────────────┤
+│                                                                 │
+│  ┌──────────────────┐    ┌──────────────────┐    ┌───────────┐ │
+│  │ Vulnerability    │───▶│ Autonomous       │───▶│ Security  │ │
+│  │ Scanner          │    │ Patcher          │    │ Scheduler │ │
+│  └────────┬─────────┘    └────────┬─────────┘    └─────┬─────┘ │
+│           │                       │                     │       │
+│           ▼                       ▼                     ▼       │
+│  ┌──────────────────────────────────────────────────────────┐  │
+│  │                    Installation History                   │  │
+│  │                    (Rollback Support)                     │  │
+│  └──────────────────────────────────────────────────────────┘  │
+└─────────────────────────────────────────────────────────────────┘
+                              │
+                              ▼
+              ┌───────────────────────────────┐
+              │     External CVE Databases    │
+              │  • OSV (Open Source Vulns)    │
+              │  • NVD (National Vuln DB)     │
+              └───────────────────────────────┘
+```
+
+### Files
+
+| File | Purpose |
+|------|---------|
+| `cortex/vulnerability_scanner.py` | Scans packages against CVE databases |
+| `cortex/autonomous_patcher.py` | Applies patches with safety controls |
+| `cortex/security_scheduler.py` | Manages scheduled scans/patches |
+| `cortex/cli.py` | CLI integration (`cortex security ...`) |
+
+### Configuration
+
+Settings stored in `~/.cortex/patcher_config.json`:
+
+```json
+{
+  "whitelist": ["nginx", "openssl"],
+  "blacklist": ["linux-image-generic"],
+  "min_severity": "medium"
+}
+```
+
+---
+
+## Priority
+
+**🔴 Critical**
+
+## Labels
+
+`security`, `feature`, `high-priority`, `enterprise`
+
+## Estimated Effort
+
+- Implementation: 2-3 days
+- Testing: 1 day
+- Documentation: 0.5 day
+
+---
+
+## References
+
+- [OSV API Documentation](https://osv.dev/docs/)
+- [NVD API Documentation](https://nvd.nist.gov/developers)
+- [CVSS v3.1 Specification](https://www.first.org/cvss/v3.1/specification-document)
+- [Linux Security Updates Best Practices](https://wiki.ubuntu.com/Security/Upgrades)
+