mem-exploitability
Install: `claude install-skill allsmog/kuzushi-security-plugin`
# Memory-corruption exploitability assessment
Assess **how exploitable** the repo's memory-safety findings are. Requires memory-corruption
findings in `.kuzushi/findings.json` first — run `/systems-hunt` (native / memory-safety review)
or `/verify` to populate them.
**Assessment only.** This produces exploitability tiers + mitigation posture + remediation. It
does **not** generate shellcode, ROP/JOP chains, DEP/ASLR/canary/RELRO/CFG bypasses, or any
working hijack payload. Empirical crash proof is `/poc` (gated sandbox).
1. Run `node "${CLAUDE_PLUGIN_ROOT}/scripts/cmd/mem-exploitability-prepare.mjs" --target "<repo root>"`
(optionally `--input '{"maxCandidates":12}'`). It errors if there are no memory-corruption
findings. Read the prep's `prepPath` — `candidates[]` and the repo `mitigations` posture.
2. For **each** candidate, do the per-candidate walk (vuln shape → control/offset plausibility →
constraints → mitigation factor → tier + remediation). Use each candidate's
`findingFingerprint` verbatim. Reason about control; never construct an overwrite or payload.
3. Write the `{ candidates: [...] }` bundle to the prep's `draftPath`, then run the
`assembleCommand` (finalize) — it validates tiers + remediation and attaches an
`exploitability` block onto each finding (status unchanged).
4. Report tier counts, the repo mitigation posture, and the `likely-code-exec` /
`control-flow-hijack-plausible` findings. Point to `/poc` for empirical crash proof.
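
A pre-finalize sanity check for the step 3 draft bundle, as an added example that is not part of the plugin: it confirms every `findingFingerprint` was copied verbatim from the prep and tallies tiers for the step 4 report. The `tier` and `remediation` field names, the object shapes beyond `candidates[]`, and all sample values are assumptions; the prep's `assembleCommand` remains the authoritative validator.

```javascript
// Added example, not the plugin's code. `candidates` and `findingFingerprint`
// come from the skill text; `tier` and `remediation` are assumed field names.
function checkDraft(prep, draft) {
  const expected = new Set(prep.candidates.map((c) => c.findingFingerprint));
  const seen = new Set();
  const problems = [];
  const tierCounts = {};
  for (const [i, c] of (draft.candidates ?? []).entries()) {
    const fp = c.findingFingerprint;
    if (!expected.has(fp)) {
      // Exact string match only: a re-typed or re-cased fingerprint is rejected.
      problems.push(`candidates[${i}]: fingerprint not in prep (copy it verbatim)`);
      continue;
    }
    if (seen.has(fp)) {
      problems.push(`candidates[${i}]: duplicate assessment for ${fp}`);
      continue;
    }
    seen.add(fp);
    if (typeof c.tier !== "string" || c.tier.trim() === "") {
      problems.push(`candidates[${i}]: missing tier`);
    } else {
      tierCounts[c.tier] = (tierCounts[c.tier] ?? 0) + 1;
    }
    if (typeof c.remediation !== "string" || c.remediation.trim() === "") {
      problems.push(`candidates[${i}]: missing remediation`);
    }
  }
  // Step 2 requires a walk for each candidate, so flag any that were skipped.
  for (const fp of expected) {
    if (!seen.has(fp)) problems.push(`prep candidate ${fp} has no assessment`);
  }
  return { ok: problems.length === 0, problems, tierCounts };
}

// Constructed sample data (not real findings).
const samplePrep = { candidates: [
  { findingFingerprint: "fp-constructed-001" },
  { findingFingerprint: "fp-constructed-002" },
  { findingFingerprint: "fp-constructed-003" },
] };
const sampleDraft = { candidates: [
  { findingFingerprint: "fp-constructed-001", tier: "likely-code-exec", remediation: "Bound the copy length." },
  { findingFingerprint: "FP-constructed-002", tier: "likely-code-exec", remediation: "Check the index." },
  { findingFingerprint: "fp-constructed-003", tier: "control-flow-hijack-plausible", remediation: "" },
] };
const sampleResult = checkDraft(samplePrep, sampleDraft);
console.log(JSON.stringify(sampleResult, null, 2));
```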
## Wh