Canonical multi-agent threat-intelligence collaboration contract for remote Primary, Analyst, and SecOps roles.
@RequirementID: REQ-OPENCODE-MULTIAGENT-THREAT-INTEL-001
@ArchitectureID: ELM-APP-PROC-THREAT-COLLAB-SKILL
@ArchitectureID: ELM-APP-COMP-OPENCODE-THREAT-WORKSPACE
@ArchitectureID: ELM-APP-FUNC-CANONICALIZE-THREAT-ANALYST-CONTRACT
Activate this skill when the remote workspace receives a threat-intelligence push-analysis request containing normalized event context, STIX-relevant entities/observables, and a requirement to return a structured result.
ThreatIntelPrimary validates the incoming request contract and owns the final answer.
ThreatIntelPrimary delegates schema-guided Neo4j evidence retrieval, incident-driven extraction, and writeback initiation to ThreatIntelAnalyst.
ThreatIntelAnalyst must follow the Schema-First principle: explore the workspace semantic schema menu -> construct schema-guided Cypher -> return precise evidence and any traceable writeback summary.
ThreatIntelAnalyst may use db_schema_explorer and the native neo4j_query tool; no other role may use those tools.
If ThreatIntelAnalyst returns no relevant local threat-intelligence evidence, ThreatIntelPrimary must skip deep SecOps assessment and return a minimal TASK-009 result stating 未发现本地 STIX 情报关联 (no local STIX intelligence correlation found).
ThreatIntelPrimary delegates operational impact and actions to ThreatIntelSecOps using the analyst return payload, while retaining final TASK-009 assembly ownership.
ThreatIntelPrimary merges event context, analyst findings, optional writeback traceability, and optional SecOps output into the final schema response on the remote side.
Analyst return payload fields: role, summary, supporting_evidence_refs, matched_entities, relationship_findings, confidence_notes, writeback_summary.
SecOps return payload fields: role, summary, verdict, confidence, recommended_actions.
Final response fields (assembled under services/result_assembler/): schema_version, run_id, event, analysis_conclusion, recommended_actions, and collaboration_trace, including collaboration_trace.participants.
Finish only when:
Role-name mappings: ThreatIntelligenceCommander maps to ThreatIntelPrimary; STIX_EvidenceSpecialist maps to ThreatIntelAnalyst; TARA_analyst maps to ThreatIntelSecOps.
Collaboration order: Primary -> Analyst -> SecOps -> Primary.
neo4j_query is the canonical analyst database tool; stix_query may remain available only as a compatibility wrapper during migration.
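The Primary-side TASK-009 assembly step that this flow describes, as an added example that is not part of the skill or project code. It assumes a flat JSON result shape, a schema_version of "1.0", an evidence-presence rule of "any matched entity, relationship finding or evidence reference", and constructed sample payloads; the field names are the ones listed in this contract.

```python
from typing import Any, Dict, List, Optional

# Literal minimal-result statement required by the contract when no local evidence exists.
NO_LOCAL_EVIDENCE = "未发现本地 STIX 情报关联"

# Constructed sample inputs (not from the page): an analyst hit, an analyst miss, a SecOps output.
SAMPLE_EVENT = {"event_id": "evt-constructed-1", "indicator": "constructed-domain.example"}
ANALYST_HIT = {"role": "ThreatIntelAnalyst", "summary": "indicator matches a known campaign",
               "supporting_evidence_refs": ["indicator--constructed-uuid"],
               "matched_entities": ["campaign--constructed-uuid"],
               "relationship_findings": ["indicator indicates campaign"],
               "confidence_notes": "single-source match", "writeback_summary": "1 edge created"}
ANALYST_MISS = {"role": "ThreatIntelAnalyst", "summary": "no match", "supporting_evidence_refs": [],
                "matched_entities": [], "relationship_findings": [], "confidence_notes": ""}
SECOPS_OUT = {"role": "ThreatIntelSecOps", "summary": "contain", "verdict": "malicious",
              "confidence": 0.7, "recommended_actions": ["isolate affected host"]}

def require_role(payload: Dict[str, Any], expected: str) -> None:
    """Primary validates the contract: a payload claiming another role is rejected, not merged."""
    if payload.get("role") != expected:
        raise ValueError(f"expected role {expected}, got {payload.get('role')!r}")

def analyst_has_evidence(analyst: Dict[str, Any]) -> bool:
    """Short-circuit rule (assumed): any entity, relationship or evidence reference counts."""
    return any(analyst.get(k) for k in ("matched_entities", "relationship_findings", "supporting_evidence_refs"))

def assemble_task_009(run_id: str, event: Dict[str, Any], analyst: Dict[str, Any],
                      secops: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Primary-side merge of event context, analyst findings and optional SecOps output."""
    require_role(analyst, "ThreatIntelAnalyst")
    participants: List[str] = ["ThreatIntelPrimary", "ThreatIntelAnalyst"]
    result: Dict[str, Any] = {"schema_version": "1.0", "run_id": run_id, "event": event,
                              "recommended_actions": [],
                              "collaboration_trace": {"participants": participants}}
    if not analyst_has_evidence(analyst):
        # No local STIX correlation: deep SecOps assessment is skipped by contract.
        result["analysis_conclusion"] = {"summary": NO_LOCAL_EVIDENCE, "verdict": None}
        return result
    conclusion = {k: analyst.get(k) for k in ("summary", "supporting_evidence_refs",
                                               "matched_entities", "relationship_findings",
                                               "confidence_notes")}
    if analyst.get("writeback_summary"):  # optional writeback traceability
        conclusion["writeback_summary"] = analyst["writeback_summary"]
    if secops is not None:
        require_role(secops, "ThreatIntelSecOps")
        participants.append("ThreatIntelSecOps")
        conclusion.update(verdict=secops.get("verdict"), confidence=secops.get("confidence"))
        result["recommended_actions"] = list(secops.get("recommended_actions", []))
    result["analysis_conclusion"] = conclusion
    return result
```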