Add changelog, enhance microservices support, and update dependencies

- Introduced a new `CHANGELOG.md` to document project changes and follow semantic versioning.
- Added direct microservices mode with a foundational controller, planner, and worker services.
- Implemented a FastAPI control plane for session lifecycle operations.
- Expanded CLI options to include microservices mode and updated the README with relevant commands.
- Enhanced CI workflows with vulnerability scanning and dependency audits.
- Updated Python version requirement to 3.10+ and added new dependencies for FastAPI, Redis, and others.
- Introduced a benchmark suite for performance calibration and added Docker support for local development.

Author: Av7danger

.github/workflows/secnode-pentest.yml

@@ -29,6 +29,9 @@ jobs:
       - name: Build package
         run: uv build
 
+      - name: Dependency vulnerability audit
+        run: uv run pip-audit
+
   security-scan:
     needs: lint-test-build
     runs-on: ubuntu-latest
@@ -52,3 +55,22 @@ jobs:
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
         run: uv run secnodeapi --target https://staging-api.example.com/swagger.json
+
+  container-scan:
+    needs: lint-test-build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build image
+        run: docker build -t secnodeapi:ci -f docker/Dockerfile .
+
+      - name: Trivy scan
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: secnodeapi:ci
+          format: table
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"

CHANGELOG.md

@@ -0,0 +1,38 @@
+# Changelog
+
+All notable changes to this project are documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+
+- Direct microservices mode (`--mode microservices`) with controller/planner/worker foundation.
+- FastAPI control plane entrypoint (`secnodeapi-server`) for session lifecycle operations.
+- Attack graph, memory subsystem, worker facades, and tool adapter scaffolding.
+- CI container vulnerability scanning via Trivy.
+- CI dependency vulnerability audit using `pip-audit`.
+- Developer workflows for local stack (`make up`, `make down`) and audit target (`make audit-uv`).
+
+### Changed
+
+- CLI mode options expanded to include `microservices`.
+- README updated with direct microservices runtime description and commands.
+- Dependency set expanded with `fastapi`, `uvicorn`, `redis`, and `networkx`.
+
+## [0.1.0] - 2026-03-08
+
+### Added
+
+- Initial autonomous API pentesting framework with schema fetch, AI understanding, test generation, execution, and reporting.
+- Async execution pipeline and findings model/report generation.
+- Baseline unit test suite and CI checks.
+- Contributor-facing project docs: license, code of conduct, security policy, and contribution guide.
+
+### Changed
+
+- AI engine refactored into modular `understand`, `generate`, and `validate` components.
+- Pipeline execution tuned with budget clipping and category token handling improvements.
+- Environment support extended for OpenAI, Anthropic, and Ollama provider configuration.

CONTRIBUTING.md

@@ -6,7 +6,7 @@ Thank you for your interest in contributing to SecNode API! This guide will help
 
 ### Prerequisites
 
-- Python 3.9+
+- Python 3.10+
 - Git
 - uv (recommended)
 

Makefile

@@ -1,7 +1,7 @@
 PYTHON ?= python
 UV ?= uv
 
-.PHONY: install install-dev install-uv install-dev-uv lint lint-uv test test-uv test-cov test-cov-uv build build-uv run run-uv clean
+.PHONY: install install-dev install-uv install-dev-uv lint lint-uv test test-uv test-cov test-cov-uv build build-uv run run-uv audit-uv up down benchmark clean
 
 install:
 	$(PYTHON) -m pip install -r requirements.txt
@@ -48,5 +48,17 @@ run:
 run-uv:
 	$(UV) run secnodeapi --help
 
+audit-uv:
+	$(UV) run pip-audit
+
+up:
+	docker compose -f deploy/docker-compose.yml up --build
+
+down:
+	docker compose -f deploy/docker-compose.yml down
+
+benchmark:
+	@echo "Benchmark fixtures and calibration harness live in benchmarks/"
+
 clean:
 	$(PYTHON) -c "import shutil, pathlib; [shutil.rmtree(p, ignore_errors=True) for p in ['dist','build','.pytest_cache','htmlcov']]; [q.unlink() for q in pathlib.Path('.').rglob('*.pyc')]"

README.md

@@ -1,7 +1,7 @@
 # SecNode API
 
 [![CI](https://github.com/SecNode/API-PENTESTER/actions/workflows/secnode-pentest.yml/badge.svg)](https://github.com/SecNode/API-PENTESTER/actions/workflows/secnode-pentest.yml)
-[![Python](https://img.shields.io/badge/python-3.9%2B-blue.svg)](https://www.python.org/downloads/)
+[![Python](https://img.shields.io/badge/python-3.10%2B-blue.svg)](https://www.python.org/downloads/)
 [![License](https://img.shields.io/badge/license-Apache%202.0-green.svg)](./LICENSE)
 
 AI-augmented, schema-driven API penetration testing from OpenAPI/Swagger specs, with asynchronous execution and structured reporting.
@@ -14,6 +14,7 @@ SecNode API helps security engineers and backend teams run repeatable API risk a
 - Uses an LLM to understand API behavior and generate adversarial test cases
 - Executes tests concurrently with optional proxy routing
 - Supports autonomous agent mode with request budgets and iterative replanning
+- Supports direct microservices mode with controller/planner/worker boundaries
 - Produces both human-readable and machine-readable findings
 
 ## What It Is and Is Not
@@ -28,7 +29,7 @@ SecNode API is a practical automation layer for API security testing.
 
 ### Requirements
 
-- Python 3.9+
+- Python 3.10+
 - Access to an LLM provider key (OpenAI or Anthropic)
 
 ### Install from source
@@ -112,12 +113,14 @@ secnodeapi --target https://api.example.com/swagger.json --dry-run --dry-run-out
 secnodeapi --target https://api.example.com/swagger.json --auth-header "Authorization: Bearer <token>"
 secnodeapi --target https://api.example.com/swagger.json --proxy http://127.0.0.1:8080 --insecure
 secnodeapi --target https://api.example.com/swagger.json --mode agent --request-budget 500 --max-iterations 6
+secnodeapi --target https://api.example.com/swagger.json --mode microservices
 ```
 
 ### Key options
 
 - `--target` URL or local path to OpenAPI schema (required)
 - `--mode` `agent` (default) or `legacy` execution pipeline
+- `--mode` `agent`, `legacy`, or `microservices`
 - `--concurrency` concurrent request workers
 - `--auth-header` single inline auth header
 - `--auth-file` JSON file of auth headers
@@ -167,6 +170,25 @@ GitHub Actions workflow runs:
 - package build
 - scan job template for staging targets
 
+## Direct Microservices Runtime
+
+This repository now includes a direct microservices runtime foundation:
+
+- Controller service
+- Planner service
+- Skill engine service with ranked skill dispatch
+- Specialized workers (recon, discovery, fuzzing, exploit)
+- Tool adapters (`ffuf`, `nuclei`, `sqlmap`, `zap`, `kiterunner`)
+- Memory subsystem (session, history, skill metrics)
+- Attack graph engine
+- FastAPI control plane
+
+Run local stack:
+
+```bash
+docker compose -f deploy/docker-compose.yml up --build
+```
+
 ## Security and Responsible Use
 
 Only test systems you own or are explicitly authorized to assess.

benchmarks/README.md

@@ -0,0 +1,17 @@
+# Benchmark Suite
+
+This directory tracks benchmark scenarios used to calibrate precision/recall
+for autonomous findings.
+
+## Planned Targets
+
+- Deliberately vulnerable API fixtures (BOLA, BFLA, mass assignment)
+- Rate limiting and auth differential scenarios
+- Multi-step exploit chain scenarios
+
+## Baseline Metrics
+
+- endpoint coverage ratio
+- findings precision and recall
+- deterministic-vs-AI validation ratio
+- exploit-chain reproducibility rate

deploy/docker-compose.yml

@@ -0,0 +1,62 @@
+version: "3.9"
+
+services:
+  api-gateway:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile
+    ports:
+      - "8000:8000"
+    environment:
+      - SECNODE_LLM=${SECNODE_LLM:-openai/gpt-4o}
+      - OPENAI_API_KEY=${OPENAI_API_KEY:-}
+      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}
+    depends_on:
+      - redis
+      - postgres
+
+  redis:
+    image: redis:7-alpine
+    ports:
+      - "6379:6379"
+
+  postgres:
+    image: postgres:16-alpine
+    environment:
+      - POSTGRES_USER=secnode
+      - POSTGRES_PASSWORD=secnode
+      - POSTGRES_DB=secnode
+    ports:
+      - "5432:5432"
+
+  recon-worker:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile
+    command: ["python", "-m", "secnodeapi.cli", "--help"]
+    depends_on:
+      - redis
+
+  discovery-worker:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile
+    command: ["python", "-m", "secnodeapi.cli", "--help"]
+    depends_on:
+      - redis
+
+  fuzzing-worker:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile
+    command: ["python", "-m", "secnodeapi.cli", "--help"]
+    depends_on:
+      - redis
+
+  exploit-worker:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile
+    command: ["python", "-m", "secnodeapi.cli", "--help"]
+    depends_on:
+      - redis

docker/Dockerfile

@@ -0,0 +1,12 @@
+FROM python:3.11-slim
+
+WORKDIR /app
+
+COPY pyproject.toml requirements.txt /app/
+COPY src /app/src
+
+RUN pip install --no-cache-dir -r requirements.txt && pip install --no-cache-dir -e .
+
+EXPOSE 8000
+
+CMD ["secnodeapi-server"]

pyproject.toml

@@ -7,13 +7,17 @@ name = "secnodeapi"
 version = "0.1.0"
 description = "Autonomous, AI-augmented API penetration testing framework."
 readme = "README.md"
-requires-python = ">=3.9"
+requires-python = ">=3.10"
 dependencies = [
   "httpx==0.27.0",
   "pydantic==2.6.3",
   "structlog==24.1.0",
   "litellm==1.34.0",
   "PyYAML==6.0.1",
+  "fastapi==0.115.0",
+  "uvicorn==0.30.6",
+  "redis==5.0.8",
+  "networkx==3.3",
 ]
 
 [project.optional-dependencies]
@@ -22,10 +26,12 @@ dev = [
   "pytest-asyncio==0.25.3",
   "pytest-cov==6.0.0",
   "ruff==0.11.2",
+  "pip-audit==2.8.0",
 ]
 
 [project.scripts]
 secnodeapi = "secnodeapi.cli:entrypoint"
+secnodeapi-server = "secnodeapi.api.server:run"
 
 [tool.setuptools]
 package-dir = {"" = "src"}

requirements.txt

@@ -3,7 +3,12 @@ pydantic==2.6.3
 structlog==24.1.0
 litellm==1.34.0
 PyYAML==6.0.1
+fastapi==0.115.0
+uvicorn==0.30.6
+redis==5.0.8
+networkx==3.3
 pytest==8.3.5
 pytest-asyncio==0.25.3
 pytest-cov==6.0.0
 ruff==0.11.2
+pip-audit==2.8.0