docs: Mythos-style bug-hunt pipeline + spar ranking

[avrabe]

Summary

Ships the four-prompt bug-hunt pipeline modeled on Anthropic's Claude Mythos (red.anthropic.com, April 2026) adapted for spar, plus the ranking output from its first end-to-end run.

The architecture: let an agent reason freely about code, but require a machine-checkable oracle (Kani harness + PoC test) for every reported bug so hallucinations don't ship.

What's in scripts/mythos/

File	Purpose
HOWTO.md	Pipeline overview, prerequisites, worked example (sigil case study)
rank.md	Tier-1-to-5 rubric adapted to spar's AADL-pipeline attack surface
discover.md	Mythos-verbatim discovery prompt + spar context + AADL hypothesis priors
validate.md	Fresh-session validator enforcing both oracle halves + interestingness
emit.md	Converts confirmed finding → draft STPA artifact under safety/stpa/
rank.json	144-file ranking produced by running rank.md on the spar workspace

Proof of life

The first parallel run of discover on the top-5 tier-5 files surfaced five findings:

• 3 confirmed — now fixed on PR #132: unary-sign regression, duplicate component sections, overflowing range-min.
• 2 confirmed-but-no-uca — validators correctly filtered them as over-claimed severity (AADL +=> is append not override; bare-array applies-to is a missing feature, not a resolver bug).

So the oracle gate and validation pass both earned their keep on run one.

How to run it

# Step 1 — rank
$ claude
> Read scripts/mythos/rank.md
# → produces JSON ranking (see rank.json for an example)

# Step 2 — discover in parallel, one agent per tier-≥4 file
# (the parallelism is what makes Mythos effective)
> discover.md with {{file}} = crates/spar-parser/src/grammar/properties.rs

# Step 3 — validate in fresh sessions
> validate.md with {{report}} = <finding>

# Step 4 — emit a draft tracking artifact
> emit.md with {{confirmed_report}} + {{uca_id}}

Gotchas called out in HOWTO

• Failing tests in source break CI → use #[ignore] with rerun command in ignore reason.
• The rubric is wrong the first time — expect to patch after pass 1.
• Validators must be fresh sessions. Reusing discovery context lets the agent defend its own hypothesis.
• One agent per file, not per codebase.
• Keep the discovery prompt minimal. Elaborate CWE checklists underperform the plain "find a correctness bug" prompt because the agent has tools (oracle, debugger, runtime) and the environment filters truth.

Related

• Upstream Mythos blog: https://red.anthropic.com (Mythos, April 2026)
• Vidoc's open-model reproduction (cited in HOWTO)
• First application PR: fix: three Mythos-discovered bugs (parser + range lowering) #132

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!