Companion toolchain · 329 tests, 327 passing (fresh 2026-07-14 run)

The companion toolchain

The analyzer is the visible product. Around it I built the remediation pipeline and the test infrastructure that make it safe to operate.

TicketTimeMachine (TTM)

Python · SQLite · 172-test suite green, 1 environment skip (verified 2026-07-07)

Files ServiceNow remediation tickets to the managers and teams whose assets carry CVEs past SLA. Normalizes owners, assets, findings, and ticket history into its own SQLite schema, groups breaches one-ticket-per-(manager, team), and derives sha256 idempotency keys so re-runs never double-file. Dry-run mode writes every payload to disk for review before anything is submitted. Reads the analyzer's state strictly read-only. Later versions added fleet-wide bulk-escalate-past-sla and reconcile-from-snow CLIs. The transparency and provenance layer described under Security engineering ships inside TTM, with 50+ dedicated tests of its own.

snow_dispatcher

Python · Textual TUI · 156/157 tests passing on a fresh 2026-07-14 run · HIPAA + NIST 800-53/800-171 baseline

The dispatch layer between the SLA stack and ServiceNow. Encrypted secrets vault (Fernet at rest, PBKDF2-HMAC-SHA256 at 600,000 iterations, files written 0600 in a 0700 directory). Hash-chained audit log where verify_chain() pinpoints the exact tampered row. CMDB matching with TTL caching, a full dispatch lifecycle state machine (STAGED → SUBMITTING → SUBMITTED_OK / RETRY_PENDING / FAILED_PERMANENT), and idempotent correlation IDs across runs. Live TUI with queue, runs, CMDB, audit, and settings tabs — plus a ticket form with an operator-configurable, injection-safe prefill engine (see the case studies) and a live ServiceNow Table API client: TLS mandatory at construction, OAuth 2.0 / Basic auth, Retry-After-honoring backoff, and idempotency keys on every mutating call.

Simulation and test environment

mock ServiceNow server with TLS + CMDB fixtures · deterministic data generator · e2e tests

The entire stack can be developed and demonstrated with zero live credentials. A mock ServiceNow server replays fixtures for incidents, CMDB queries, and rate limits, with scriptable retryable and permanent errors for failure-path testing. A deterministic generator produces realistic vulnerability data at fleet scale, and a KEV-injection tool flags simulated findings against the live CISA catalog so demo data behaves like production data. Live API clients ship as explicit NotImplementedError stubs until an operator provides credentials: the safe posture is the default posture.