Goal: "Resolve all reachable KEV-listed CVEs in the payments service this sprint."

Iteration 1:
  tool: safeguard_find_vulnerabilities { project: payments, kev: true, reachable: true }
  result: 7 findings

Iteration 2:
  tool: safeguard_get_remediation_plan { finding_ids: [...] }
  result: 6 upgradeable, 1 requires fork

Iteration 3:
  tool: safeguard_remediate_npm + safeguard_open_pull_request × 6
  result: 6 PRs open

Iteration 4:
  tool: safeguard_jira_create { severity: high, title: "Fork lodash for CVE-X" }
  result: ticket SEC-1234 opened

Summary: 6 auto-fixes, 1 ticket for manual fork.

"Give me a remediation plan for CVE-2024-3094 across every Go service in the 'platform' team."
"Explain why CVE-2023-44487 (HTTP/2 Rapid Reset) appears in services that don't expose HTTP/2."
"Show the dependency path from my-api@main to a reachable log4j-core 2.17.0."
"Open PRs to pin all transitive dependencies on KEV-listed CVEs in production services; flag anything that would require a major version bump."
"What would happen if I upgraded spring-boot-starter-web from 2.7 to 3.2 in billing-service?"

$ npm install some-package@1.2.3
# Eagle classification runs via Safeguard's install-hook.

Safeguard: some-package@1.2.3 classified MALICIOUS (score 94)
Indicators:
  - post-install script contacts unusual host (tox-xxxx.run)
  - base64-encoded payload in index.js
  - package metadata created < 48h ago
  - author has one prior malicious upload

Install aborted. Use `safeguard malware override` to continue at your own risk.

Input: "For production workloads handling PCI data, block any container
whose SBOM is older than 7 days OR contains any KEV-listed vulnerability."

Output:
---
apiVersion: safeguard.sh/v1
kind: Policy
metadata:
  name: pci-prod-strict
spec:
  targets:
    - kind: Image
      labels:
        env: production
        data_class: pci
  rules:
    - id: sbom-fresh
      condition: age(attestations.sbom) > "7d" OR attestations.sbom == null
      effect: BLOCK
    - id: no-kev
      condition: any(vulnerabilities, kev == true)
      effect: BLOCK

Input: "Gap analysis for CRA for our 'widget-cloud' product."

Output:
  Coverage summary: 61 / 84 requirements met
  Critical gaps:
    - Annex I (1) coordinated vulnerability disclosure policy not published
    - Annex I (9) SBOM not delivered with product releases
    - Annex II (2) security support period not documented
  Medium gaps: ...
  Low gaps: ...
  Recommended next steps (in order):
    1. Publish SECURITY.md with VDP; template linked
    2. Attach CycloneDX SBOM to each release; one-click workflow below
    3. Document support window in product docs

ai_models:
  griffin: "3.0"     # or "3.1-preview"
  eagle: "3.0"
  lino: "2.0"

# Chat with Griffin
safeguard griffin chat "Summarize this SBOM's risk"

# One-shot agentic task
safeguard griffin run --goal "Fix critical KEV CVEs on main" --project my-api

# Eagle classification
safeguard eagle classify --npm react@19.0.0

# Lino policy generation
safeguard lino policy --intent "block unsigned prod images"