# DESA - Dynamic Encoded Script Analysis DESA is the PlatPhormNews public-safe deterministic encoded-script analysis workbench. Purpose: static PowerShell and encoded-script triage, Base64/UTF-16LE decoding, IOC extraction, detection-rule explanation, risk scoring, safe exports, and MCP/API tooling. Safety: - Static analysis only. - Submitted scripts are never executed. - PowerShell is never invoked. - Embedded URLs are extracted as IOCs but never auto-fetched. - Public URL fetches are SSRF-protected, size-limited, timeout-limited, and do not follow redirects. Capabilities: - Analyzer: PowerShell encoded-command detection; Base64 and UTF-16LE decoding; hex and character-code deobfuscation; suspicious token and command-line flag matching; IOC extraction; deterministic risk scoring; MITRE-style rule mapping where rules support it - Rules: 20 active deterministic rules from server storage or built-in degraded fallback. - Samples: 2 public-safe static samples. - Integrations: JSON Tree (degraded-capable), ASCII Converter (degraded-capable), XML Validator (degraded-capable), MCP Tools (read-only-capable), Trace (scaffolded), Docs (scaffolded), Sheets (scaffolded), Decks (scaffolded). - Model state: degraded; deterministic fallback remains active. Public endpoints: - /: Analyze - /analyze: Analyze Workbench - /iocs: IOCs - /history: History - /rules: Detection Rules - /integrations: Integrations - /docs: Docs - /settings: Settings - /faq: FAQ - /guidance: Guidance - /roadmap: Roadmap - /contributors: Contributors - /privacy: Privacy - /license: License - /api/docs: API Docs - /openapi.json: OpenAPI JSON - /openapi.yaml: OpenAPI YAML - /llms.txt: LLMs.txt - /llms-full.txt: Full LLM Context - /llms-index.json: LLMs Index - /rss.xml: RSS - /feed.xml: Feed - /sitemap.xml: Sitemap - /sitemap-main.xml: Main Sitemap - /robots.txt: Robots - /manifest.webmanifest: Web Manifest - /humans.txt: Humans - /.well-known/mcp.json: MCP Well-Known - /.well-known/agents.json: Agents Well-Known - /.well-known/ai-plugin.json: AI Plugin - /.well-known/security.txt: Security Contact - /.well-known/trust.json: Trust Policy MCP endpoint: https://desa.platphormnews.com/api/mcp OpenAPI: https://desa.platphormnews.com/openapi.yaml Auth policy: public-safe by default; future protected actions use PLATPHORM_API_KEY only. Trace policy: W3C trace context is accepted and propagated through DESA operation metadata. ## MCP Tools - analyze_script - decode_powershell - extract_iocs - list_rules - get_rule - list_samples - get_sample - export_analysis - send_to_json_tree - send_to_ascii - send_to_xml - get_health - get_info - get_route_compliance - get_discovery_compliance - create_docs_report - create_sheet_report - create_deck_summary ## MCP Resources - desa://rules - desa://rule/{ruleId} - desa://samples - desa://sample/{id} - desa://analysis/{id} - desa://iocs/{analysisId} - desa://guidance - desa://roadmap - desa://openapi - desa://llms - desa://trust-policy ## MCP Prompts - analyze_powershell_script - explain_encoded_command - summarize_iocs - explain_detection_rules - create_defensive_report - generate_detection_guidance - review_false_positive - human_machine_desa_handoff ## Trust Policy Public-safe static encoded-script analysis, PowerShell decoding, IOC extraction, detection-rule browsing, local non-sensitive analysis history, read-only MCP introspection, RSS/feed consumption, trusted-domain discovery, standard route compliance, Vercel metadata capture, backend model scaffolding, and trace-linked DESA operations are intentionally supported for public defensive use. DESA does not execute submitted scripts. PLATPHORM_API_KEY support is scaffolded for future protected backend services, private analysis persistence, bulk analysis, sync, test-triggering, reporting, administrative actions, and sensitive operations. ## Public Route Inventory - https://desa.platphormnews.com (page): Public static encoded-script analysis workbench. - https://desa.platphormnews.com/analyze (page): Canonical DESA public static encoded-script analysis route. - https://desa.platphormnews.com/iocs (page): Public IOC extraction and visualization workspace. - https://desa.platphormnews.com/history (page): Browser-local and server-degraded analysis history. - https://desa.platphormnews.com/rules (page): Deterministic public detection-rule library. - https://desa.platphormnews.com/integrations (page): Public-safe DESA integration status and actions. - https://desa.platphormnews.com/docs (docs): DESA API and product documentation. - https://desa.platphormnews.com/settings (page): Browser-local DESA preferences. - https://desa.platphormnews.com/faq (docs): Public DESA safety, storage, and analysis answers. - https://desa.platphormnews.com/guidance (docs): Defensive DESA usage guidance. - https://desa.platphormnews.com/roadmap (docs): DESA public product roadmap. - https://desa.platphormnews.com/contributors (docs): DESA contributors and maintenance notes. - https://desa.platphormnews.com/privacy (docs): DESA public data-handling policy. - https://desa.platphormnews.com/license (docs): DESA licensing information. - https://desa.platphormnews.com/api/docs (discovery): OpenAPI JSON for real public DESA endpoints. - https://desa.platphormnews.com/openapi.json (discovery): Machine-readable OpenAPI JSON. - https://desa.platphormnews.com/openapi.yaml (discovery): Machine-readable OpenAPI YAML. - https://desa.platphormnews.com/llms.txt (discovery): Concise machine-readable DESA context. - https://desa.platphormnews.com/llms-full.txt (discovery): Expanded DESA machine-readable context. - https://desa.platphormnews.com/llms-index.json (discovery): JSON DESA route, tool, and policy index. - https://desa.platphormnews.com/rss.xml (feed): Public-safe DESA changelog and guidance feed. - https://desa.platphormnews.com/feed.xml (feed): Alias of the public-safe DESA RSS feed. - https://desa.platphormnews.com/sitemap.xml (discovery): Validated public-safe DESA sitemap. - https://desa.platphormnews.com/sitemap-main.xml (discovery): Validated public-safe DESA page sitemap. - https://desa.platphormnews.com/robots.txt (discovery): Crawler policy with canonical sitemap. - https://desa.platphormnews.com/manifest.webmanifest (discovery): DESA web application manifest. - https://desa.platphormnews.com/humans.txt (docs): Human-readable project credits. - https://desa.platphormnews.com/.well-known/mcp.json (well-known): DESA MCP capability discovery. - https://desa.platphormnews.com/.well-known/agents.json (well-known): Public-safe agent policy. - https://desa.platphormnews.com/.well-known/ai-plugin.json (well-known): DESA plugin discovery metadata. - https://desa.platphormnews.com/.well-known/security.txt (well-known): DESA security disclosure contact. - https://desa.platphormnews.com/.well-known/trust.json (well-known): DESA public/protected trust boundary. ## Data Handling DESA returns analysis results to the caller. Server persistence is best-effort and metadata-oriented; when DATABASE_URL is unavailable, history is an honest degraded or browser-local state. Raw submitted scripts are not published in RSS, sitemap, llms files, or public discovery outputs.