Add native AV scans on all 3 platforms + update SECURITY.md

Every platform now has a real antivirus gate that fails the build:
- Windows: Windows Defender with ML heuristics (MpCmdRun.exe)
- Linux: ClamAV with freshclam signature update
- macOS: ClamAV with freshclam signature update

Any detection on any platform blocks the release-draft from being
created. This is on top of the VirusTotal zero-tolerance gate in
the verify job.

SECURITY.md updated with complete security architecture.

Author: DeusData

.github/workflows/dry-run.yml

@@ -302,6 +302,24 @@ jobs:
         if: matrix.variant == 'standard' && matrix.goos == 'linux' && matrix.goarch == 'amd64'
         run: scripts/security-fuzz.sh ./codebase-memory-mcp
 
+      - name: ClamAV scan (Linux)
+        if: matrix.variant == 'standard' && startsWith(matrix.os, 'ubuntu')
+        run: |
+          sudo apt-get update -qq && sudo apt-get install -y -qq clamav > /dev/null 2>&1
+          sudo freshclam --quiet 2>/dev/null || true
+          echo "=== ClamAV scan ==="
+          clamscan --no-summary ./codebase-memory-mcp
+          echo "=== ClamAV: clean ==="
+
+      - name: ClamAV scan (macOS)
+        if: matrix.variant == 'standard' && startsWith(matrix.os, 'macos')
+        run: |
+          brew install clamav > /dev/null 2>&1
+          freshclam --quiet 2>/dev/null || true
+          echo "=== ClamAV scan (macOS) ==="
+          clamscan --no-summary ./codebase-memory-mcp
+          echo "=== ClamAV: clean ==="
+
   smoke-windows:
     if: ${{ !inputs.skip_builds }}
     needs: [build-windows]
@@ -345,3 +363,17 @@ jobs:
         if: matrix.variant == 'standard'
         shell: msys2 {0}
         run: scripts/security-install.sh ./codebase-memory-mcp.exe
+
+      - name: Windows Defender scan
+        if: matrix.variant == 'standard'
+        shell: pwsh
+        run: |
+          Write-Host "=== Windows Defender scan (with ML heuristics) ==="
+          & "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate 2>$null
+          $result = & "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "$PWD\codebase-memory-mcp.exe" -DisableRemediation
+          Write-Host $result
+          if ($LASTEXITCODE -ne 0) {
+            Write-Host "BLOCKED: Windows Defender flagged the binary!"
+            exit 1
+          }
+          Write-Host "=== Windows Defender: clean ==="

.github/workflows/release.yml

@@ -297,6 +297,25 @@ jobs:
         if: matrix.variant == 'standard' && matrix.goos == 'linux' && matrix.goarch == 'amd64'
         run: scripts/security-fuzz.sh ./codebase-memory-mcp
 
+      # Native platform antivirus scan
+      - name: ClamAV scan (Linux)
+        if: matrix.variant == 'standard' && startsWith(matrix.os, 'ubuntu')
+        run: |
+          sudo apt-get update -qq && sudo apt-get install -y -qq clamav > /dev/null 2>&1
+          sudo freshclam --quiet 2>/dev/null || true
+          echo "=== ClamAV scan ==="
+          clamscan --no-summary ./codebase-memory-mcp
+          echo "=== ClamAV: clean ==="
+
+      - name: ClamAV scan (macOS)
+        if: matrix.variant == 'standard' && startsWith(matrix.os, 'macos')
+        run: |
+          brew install clamav > /dev/null 2>&1
+          freshclam --quiet 2>/dev/null || true
+          echo "=== ClamAV scan (macOS) ==="
+          clamscan --no-summary ./codebase-memory-mcp
+          echo "=== ClamAV: clean ==="
+
   smoke-windows:
     needs: [build-windows]
     strategy:
@@ -339,6 +358,24 @@ jobs:
         shell: msys2 {0}
         run: scripts/security-install.sh ./codebase-memory-mcp.exe
 
+      # Windows Defender scan (includes ML heuristics — catches what VirusTotal misses)
+      - name: Windows Defender scan
+        if: matrix.variant == 'standard'
+        shell: pwsh
+        run: |
+          Write-Host "=== Windows Defender scan (with ML heuristics) ==="
+          # Update definitions first
+          & "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate 2>$null
+          # Full scan of the binary
+          $result = & "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "$PWD\codebase-memory-mcp.exe" -DisableRemediation
+          Write-Host $result
+          if ($LASTEXITCODE -ne 0) {
+            Write-Host "BLOCKED: Windows Defender flagged the binary!"
+            Write-Host "Exit code: $LASTEXITCODE"
+            exit 1
+          }
+          Write-Host "=== Windows Defender: clean ==="
+
   # ── Step 5: Create DRAFT release (not public yet) ─────────────
   release-draft:
     needs: [smoke-unix, smoke-windows, security-static]
@@ -634,8 +671,16 @@ jobs:
           REPORT+=$'**Sigstore cosign** — keyless signature verification:\n'
           REPORT+=$'```\ncosign verify-blob --bundle <file>.bundle <file>\n```\n\n'
 
+          # Native AV scans
+          REPORT+=$'**Native antivirus scans** — every binary scanned during CI build:\n'
+          REPORT+=$'- Windows: Windows Defender with ML heuristics (the same engine end users run)\n'
+          REPORT+=$'- Linux: ClamAV with daily signature updates\n'
+          REPORT+=$'- macOS: ClamAV with daily signature updates\n\n'
+
           # SBOM
-          REPORT+=$'**SBOM** — Software Bill of Materials (`sbom.json`) lists all vendored dependencies.\n'
+          REPORT+=$'**SBOM** — Software Bill of Materials (`sbom.json`) lists all vendored dependencies.\n\n'
+
+          REPORT+=$'See [SECURITY.md](https://github.com/DeusData/codebase-memory-mcp/blob/main/SECURITY.md) for full details.\n'
 
           # Append to release notes
           EXISTING=$(gh release view "$VERSION" --json body --jq '.body' --repo "$GITHUB_REPOSITORY")

SECURITY.md

@@ -12,29 +12,46 @@ We will acknowledge your report within 48 hours and provide a fix timeline withi
 
 ## Security Measures
 
-This project implements multiple layers of security verification:
-
-### Build-Time (CI)
-
-- **8-layer security audit suite** runs on every build (static analysis, binary string audit, network egress monitoring, install path validation, MCP robustness testing, UI security audit, vendored dependency integrity, smoke test hardening)
-- **All dangerous function calls** (`system()`, `popen()`, `fork()`, `connect()`) require a reviewed entry in `scripts/security-allowlist.txt`
-- **Vendored dependency checksums** verified on every build (72 files, SHA-256)
-
-### Release-Time
-
-- **VirusTotal scanning** — all release binaries scanned by 70+ antivirus engines, reports linked in release notes
-- **SLSA build provenance** — cryptographic attestation proving each binary was built by GitHub Actions from this repository
-- **Sigstore cosign signing** — keyless signatures verifiable by anyone
-- **SBOM** — Software Bill of Materials listing all vendored dependencies
-- **SHA-256 checksums** — published with every release
+This project implements multiple layers of security verification. Every release binary must pass all checks before users can download it (draft → verify → publish flow).
+
+### Build-Time (CI — every commit)
+
+- **8-layer security audit suite** runs on every build:
+  - Layer 1: Static allow-list for dangerous calls (`system`/`popen`/`fork`) + hardcoded URLs
+  - Layer 2: Binary string audit (URLs, credentials, dangerous commands)
+  - Layer 3: Network egress monitoring via strace (Linux)
+  - Layer 4: Install output path + content validation
+  - Layer 5: Smoke test hardening (clean shutdown, residual processes, version integrity)
+  - Layer 6: Graph UI audit (external domains, CORS, server binding, eval/iframe)
+  - Layer 7: MCP robustness (23 adversarial JSON-RPC payloads)
+  - Layer 8: Vendored dependency integrity (SHA-256 checksums, dangerous call scan)
+- **All dangerous function calls** require a reviewed entry in `scripts/security-allowlist.txt`
+- **Native antivirus scanning** on every platform (any detection fails the build):
+  - **Windows**: Windows Defender with ML heuristics — the same engine end users run
+  - **Linux**: ClamAV with daily signature updates
+  - **macOS**: ClamAV with daily signature updates
+
+### Release-Time (draft → verify → publish)
+
+Releases are created as **drafts** (invisible to users) and only published after all verification passes:
+
+1. **SLSA build provenance** — cryptographic attestation proving each binary was built by GitHub Actions from this repository
+2. **Sigstore cosign signing** — keyless digital signatures verifiable by anyone
+3. **SBOM** — Software Bill of Materials (CycloneDX) listing all vendored dependencies
+4. **SHA-256 checksums** — published with every release
+5. **VirusTotal scanning** — all binaries scanned by 70+ antivirus engines (zero-tolerance: any detection blocks the release)
+6. **OpenSSF Scorecard** — repository security health score
+
+If ANY antivirus engine flags ANY binary, the release stays as a draft and is not published until the issue is investigated and resolved.
 
 ### Code-Level Defenses
 
 - **Shell injection prevention** — `cbm_validate_shell_arg()` rejects metacharacters before all `popen()`/`system()` calls
-- **SQLite authorizer** — blocks `ATTACH`/`DETACH` at engine level
+- **SQLite authorizer** — blocks `ATTACH`/`DETACH` at engine level (prevents file creation via SQL injection)
 - **CORS locked to localhost** — graph UI only accessible from localhost origins
 - **Path containment** — `realpath()` check prevents reading files outside project root
 - **Process-kill restriction** — only server-spawned PIDs can be terminated
+- **SHA-256 checksum verification** — update command verifies downloaded binary before installing
 
 ### Verification
 
@@ -49,6 +66,9 @@ cosign verify-blob --bundle <file>.bundle <file>
 
 # SHA-256 checksum
 sha256sum -c checksums.txt
+
+# VirusTotal (upload binary or check the report links in the release notes)
+# https://www.virustotal.com/
 ```
 
 ## Supported Versions