enhance: Aquaponics pair — seasonal calibration, vendor hardening, bio-cyber correlation

aquaponics-anomaly-monitor/README.md

@@ -260,10 +260,20 @@ Agent: CRITICAL — Rapid pH crash detected (Δ-0.9 over ~12 hours).
 
 ---
 
+## Companion Workspace
+
+This workspace monitors the **biology**. The companion workspace monitors the **security**:
+
+**[Aquaponics ICS Security](../aquaponics-ics-security/)** — Assesses and hardens the automation infrastructure (PLCs, SCADA, IoT controllers, network segmentation) that keeps fish alive and crops growing.
+
+The two workspaces are designed as a pair. A biological anomaly might be a cyber event (spoofed sensor data). A cyber event always has biological consequences (a compromised pump controller kills fish). See the [Bio-Cyber Cross-Correlation Guide](../aquaponics-ics-security/resources/bio-cyber-correlation.md) for how to use them together.
+
+---
+
 ## Built By
 
-The Cognitropy Lab — Day 3 Workspace  
-Assigned by: [cognitropy.py](../cognitropy.py)  
-Domain: Aquaponics | Technique: Automated Anomaly Detection  
-Built by: Claude (Anthropic) × [DaxxSec](https://github.com/DaxxSec)  
+The Cognitropy Lab — Day 3 Workspace
+Assigned by: [cognitropy.py](../cognitropy.py)
+Domain: Aquaponics | Technique: Automated Anomaly Detection
+Built by: Claude (Anthropic) × [DaxxSec](https://github.com/DaxxSec)
 Date: 2026-03-28

aquaponics-anomaly-monitor/resources/controller-platforms.md

@@ -0,0 +1,140 @@
+# Controller Platform Integration Guide
+
+## Purpose
+
+Most aquaponics systems use some form of automated monitoring — from a Raspberry Pi with pH and temperature probes to commercial SCADA systems. This guide covers how to get data out of common controller platforms and into this workspace for analysis.
+
+## Platform Profiles
+
+### Raspberry Pi + Custom Stack
+
+**Prevalence:** Most common in DIY and small commercial systems.
+
+**Typical setup:**
+- Raspberry Pi 3/4/5
+- Atlas Scientific pH, DO, EC, temperature probes (I2C)
+- Data logged to local CSV, SQLite, or InfluxDB
+- Optional: Grafana dashboard, MQTT broker
+
+**How to get data into this workspace:**
+
+```bash
+# If logging to CSV (most common)
+# Copy the latest readings file
+scp pi@192.168.1.100:/home/pi/aquaponics/logs/readings.csv ./outputs/
+
+# Then use /scan with CSV reference
+/scan readings.csv
+
+# If logging to InfluxDB
+# Export last 24 hours to CSV
+influx query 'from(bucket:"aquaponics") |> range(start: -24h)' --raw > outputs/readings.csv
+```
+
+**Data format expected:**
+```csv
+timestamp,pH,temp_c,do_mg_l,nh3_ppm,no2_ppm,no3_ppm,ec_us_cm
+2026-03-28T08:00:00Z,6.9,27.2,7.1,0.08,0.04,22,850
+2026-03-28T09:00:00Z,6.8,27.4,6.9,0.09,0.04,23,860
+```
+
+### Blynk IoT
+
+**Prevalence:** Common in hobby and small-scale systems.
+
+**Typical setup:**
+- ESP32 or Arduino with Blynk library
+- Sensors publish to Blynk virtual pins
+- Data viewable in Blynk app/web
+
+**How to get data into this workspace:**
+
+```bash
+# Blynk HTTP API — export pin data
+# Replace TOKEN and pin numbers with your values
+curl "https://blynk.cloud/external/api/get?token=YOUR_TOKEN&V0&V1&V2&V3" \
+  -o outputs/blynk-snapshot.json
+
+# For historical data (Blynk Pro plan required)
+curl "https://blynk.cloud/external/api/data/get?token=YOUR_TOKEN&pin=V0&period=WEEK" \
+  -o outputs/blynk-history.json
+```
+
+**Pin mapping (document in `/onboard`):**
+| Virtual Pin | Parameter | Unit |
+|-------------|-----------|------|
+| V0 | pH | - |
+| V1 | Temperature | C |
+| V2 | DO | mg/L |
+| V3 | EC | uS/cm |
+
+### GroPal / FarmBot / Commercial Systems
+
+**Prevalence:** Commercial operations and well-funded research setups.
+
+**Typical setup:**
+- Cloud-connected controller with vendor dashboard
+- API access varies by vendor and plan tier
+
+**General approach:**
+1. Check if your platform has an API (most commercial systems do)
+2. Export data as CSV or JSON
+3. Place in `outputs/` directory
+4. Use `/scan` with the file reference
+
+**Common export paths:**
+- GroPal: Settings > Data Export > CSV
+- FarmBot: API at `https://my.farm.bot/api/sensor_readings`
+- Custom SCADA: Usually Modbus polling to historian — export from historian
+
+### Manual Readings (No Automation)
+
+**Prevalence:** Beginners, educational setups, backup monitoring.
+
+**How to use this workspace without a controller:**
+
+Simply paste your readings directly into `/scan`:
+
+```
+/scan
+pH: 6.9, Temp: 27.2C, DO: 7.1 mg/L, NH3: 0.08 ppm, NO2: 0.04 ppm, NO3: 22 ppm
+```
+
+Or use the structured template in `prompts/anomaly-scan-template.md`.
+
+**Recommendation:** Even with manual testing, log every reading to `work-log/` with timestamp. Trend data is where anomaly detection becomes powerful — a single reading is a snapshot, but a week of readings reveals patterns.
+
+---
+
+## MQTT Integration (Advanced)
+
+Many DIY systems publish sensor data to an MQTT broker. If your system uses MQTT:
+
+```bash
+# Subscribe to sensor topic and log to file
+mosquitto_sub -h localhost -t "aquaponics/sensors/#" \
+  | tee -a outputs/mqtt-log.txt
+
+# Or capture a single snapshot
+mosquitto_sub -h localhost -t "aquaponics/sensors/#" -C 1 \
+  -o outputs/mqtt-snapshot.json
+```
+
+**Standard topic structure (if you're designing your MQTT schema):**
+```
+aquaponics/sensors/ph
+aquaponics/sensors/temperature
+aquaponics/sensors/do
+aquaponics/sensors/nh3
+aquaponics/sensors/no2
+aquaponics/sensors/no3
+aquaponics/sensors/ec
+aquaponics/sensors/flow_rate
+aquaponics/alerts/compound_events
+```
+
+---
+
+## Security Note
+
+If your controller is network-connected, also consider running the companion workspace: **[Aquaponics ICS Security](../aquaponics-ics-security/)** — it assesses and hardens the automation infrastructure that keeps your fish alive and your crops growing. A compromised controller can kill a system faster than any biological anomaly.

aquaponics-anomaly-monitor/resources/seasonal-calibration.md

@@ -0,0 +1,110 @@
+# Seasonal Calibration Reference
+
+## Purpose
+
+Aquaponics parameters shift with seasons. A pH of 7.0 in July and 7.0 in January may represent different system states depending on latitude, species, and system type. This reference provides seasonal baseline adjustment guidance so anomaly detection accounts for natural variation rather than flagging seasonal shifts as false positives.
+
+## Why Seasonal Calibration Matters
+
+- **Water temperature** varies with ambient air temp, especially in greenhouses and outdoor systems
+- **Dissolved oxygen** solubility is inversely related to temperature — warmer water holds less DO
+- **Biofilter efficiency** varies with temperature — nitrifying bacteria slow below 15C and stall below 10C
+- **Fish metabolism** changes with temperature — feeding rates, waste output, and oxygen demand all shift
+- **Plant uptake** varies with photoperiod and temperature — nutrient removal rates change seasonally
+
+Without seasonal calibration, a system that is perfectly healthy in winter may trigger anomaly alerts simply because "normal" was baselined during summer.
+
+## Seasonal Adjustment Tables
+
+### Water Temperature Norms by System Type
+
+| Season | Outdoor (Temperate) | Greenhouse (Unheated) | Greenhouse (Heated) | Indoor (Climate-Controlled) |
+|--------|--------------------|-----------------------|--------------------|-----------------------------|
+| Winter (Dec-Feb) | 4-10C | 10-18C | 22-28C | 24-28C |
+| Spring (Mar-May) | 10-18C | 16-24C | 24-28C | 24-28C |
+| Summer (Jun-Aug) | 22-30C | 24-34C | 26-32C | 24-28C |
+| Fall (Sep-Nov) | 12-20C | 14-22C | 22-28C | 24-28C |
+
+**Note:** These ranges are for temperate latitudes (30-50 degrees). Tropical systems (0-23 degrees) have much smaller seasonal variation. Adjust for your latitude.
+
+### Dissolved Oxygen Saturation by Temperature
+
+DO saturation decreases as temperature increases. These are the 100% saturation values at sea level:
+
+| Water Temp (C) | DO Saturation (mg/L) | Practical Minimum for Fish |
+|----------------|---------------------|---------------------------|
+| 10 | 11.3 | 7.0 |
+| 15 | 10.1 | 6.5 |
+| 20 | 9.1 | 6.0 |
+| 25 | 8.3 | 5.5 |
+| 30 | 7.6 | 5.0 |
+| 35 | 7.0 | 4.5 |
+
+**Calibration rule:** In summer, a DO of 6.0 mg/L at 30C represents 79% saturation — adequate. In winter, a DO of 6.0 mg/L at 10C represents only 53% saturation — something is consuming oxygen. Same number, different diagnosis.
+
+### Biofilter Efficiency by Temperature
+
+Nitrifying bacteria (Nitrosomonas, Nitrobacter) are temperature-sensitive:
+
+| Water Temp (C) | Relative Nitrification Rate | Practical Impact |
+|----------------|----------------------------|------------------|
+| <10 | <20% of peak | Biofilter effectively offline. Ammonia will accumulate. |
+| 10-15 | 20-50% of peak | Biofilter sluggish. Reduce feeding to match. |
+| 15-20 | 50-80% of peak | Biofilter functional but not peak. Monitor NH3/NO2. |
+| 20-30 | 80-100% of peak | Optimal range. Full processing capacity. |
+| >30 | Declining | Heat stress on bacteria. DO competition increases. |
+
+**Calibration rule:** In spring, an ammonia reading of 0.15 ppm may be normal — the biofilter is still warming up. In summer, the same reading is a warning — the biofilter should be at full capacity.
+
+### Feeding Rate Adjustment by Season
+
+| Season | Feeding Rate (% body weight/day) | Rationale |
+|--------|----------------------------------|-----------|
+| Winter (<15C) | 0.5-1.0% | Reduced metabolism, slow biofilter |
+| Spring (15-20C) | 1.0-2.0% | Increasing metabolism, biofilter warming |
+| Summer (20-30C) | 2.0-3.0% | Peak metabolism, full biofilter capacity |
+| Fall (20-15C) | 1.5-2.0% | Decreasing metabolism, biofilter cooling |
+
+**Calibration rule:** Nitrogen loading (NH3 + NO2 + NO3 total) should be evaluated relative to feeding rate, not absolute thresholds. A system fed at 3% in summer will naturally have higher nitrogen than the same system fed at 1% in winter.
+
+## How to Apply Seasonal Calibration
+
+### Step 1: Determine Your Season Profile
+
+When running `/onboard` or `/baseline`, record:
+- Latitude (for photoperiod and ambient temp range)
+- System type (outdoor / greenhouse unheated / greenhouse heated / indoor)
+- Species (temperature preferences determine the operating range)
+- Current season and month
+
+### Step 2: Adjust Alert Thresholds
+
+The `/scan` command should apply seasonal adjustments:
+
+```
+If system_type == "outdoor" AND season == "winter":
+    NH3_warning = 0.2 ppm (relaxed from 0.1 — biofilter is slower)
+    DO_warning = 8.0 mg/L (tightened — cold water should hold more DO)
+    pH range = 6.6-7.6 (slightly wider — less biological buffering)
+
+If system_type == "outdoor" AND season == "summer":
+    NH3_warning = 0.1 ppm (standard — biofilter should be at capacity)
+    DO_warning = 5.5 mg/L (relaxed — warm water holds less DO)
+    pH range = 6.8-7.4 (standard)
+```
+
+### Step 3: Document Baseline Shifts
+
+The `/baseline` command should record seasonal baselines separately:
+- Winter baseline (Dec-Feb readings)
+- Spring baseline (Mar-May readings)
+- Summer baseline (Jun-Aug readings)
+- Fall baseline (Sep-Nov readings)
+
+Anomaly detection compares current readings to the *seasonal* baseline, not the annual average.
+
+---
+
+## Domain Accuracy Note
+
+The temperature-DO solubility relationship and nitrification rate curves in this document are based on published aquaculture science (Timmons & Ebeling, *Recirculating Aquaculture*, 3rd ed.; Lennard & Leonard, *A Comparison of Three Different Hydroponic Sub-systems*). Feeding rate percentages are general guidelines — actual rates depend on species, life stage, and system design. **This reference should be reviewed by a practicing aquaponics operator before use in production monitoring.** If you identify inaccuracies, please open an issue.

aquaponics-ics-security/README.md

@@ -172,6 +172,16 @@ These workspaces are designed to complement each other. The anomaly monitor aler
 
 ---
 
+## Companion Workspace
+
+This workspace secures the **automation**. The companion workspace monitors the **biology**:
+
+**[Aquaponics Anomaly Monitor](../aquaponics-anomaly-monitor/)** — Automated anomaly detection for water chemistry, biofilter health, and fish/plant systems.
+
+The two workspaces are designed as a pair. A cyber event always has biological consequences. A biological anomaly might be a cyber indicator. See [resources/bio-cyber-correlation.md](resources/bio-cyber-correlation.md) for the cross-correlation guide.
+
+---
+
 ## Disclaimer
 
 This workspace is for authorized security assessment of systems you own or have explicit written permission to test. The agent will not assist with unauthorized access to systems. All active testing guidance includes explicit requirements for written authorization and maintenance windows.

aquaponics-ics-security/resources/bio-cyber-correlation.md

@@ -0,0 +1,104 @@
+# Bio-Cyber Cross-Correlation Guide
+
+## Purpose
+
+In aquaponics, the biological system and the cyber system are inseparable. A sensor anomaly might be biology (biofilter crash) or it might be cyber (spoofed sensor data). This guide helps operators distinguish between the two — and recognize when a biological anomaly is actually a cyber indicator, or vice versa.
+
+This document bridges the **[Aquaponics Anomaly Monitor](../aquaponics-anomaly-monitor/)** (biological monitoring) and this workspace (cyber security).
+
+---
+
+## The Core Problem
+
+**A compromised controller can make a dying system look healthy.**
+
+If an attacker gains access to the sensor reporting chain — the MQTT broker, the database, the dashboard — they can replace real readings with fabricated ones. The dashboard shows pH 7.0, DO 7.5, NH3 0.05. Everything looks perfect. Meanwhile, the actual water is crashing.
+
+Conversely, **a compromised controller can make a healthy system look sick.**
+
+An attacker who can inject false sensor data could trigger automated responses — dosing pumps adding chemicals that aren't needed, feeders shutting off, alarms exhausting operator attention (alert fatigue as a tactic).
+
+---
+
+## Bio → Cyber Indicators
+
+When the biological monitoring system flags an anomaly, ask: **could this be cyber?**
+
+| Biological Anomaly | Possible Cyber Cause | How to Distinguish |
+|--------------------|---------------------|-------------------|
+| Sudden perfect readings after fluctuation | Sensor data being overwritten with static values | Compare controller reading to manual test kit reading. If they disagree, suspect sensor chain compromise. |
+| All parameters change simultaneously | Controller firmware replaced or config overwritten | Legitimate bio events affect parameters in sequence (NH3 rises first, then NO2, then pH drops). Simultaneous change across unrelated parameters is suspicious. |
+| Readings inconsistent with physical observation | Sensor data spoofed at reporting layer | Look at the fish. If fish are surfacing but DO reads 8.0 mg/L, the sensor is lying. |
+| Automated responses triggering without anomaly | Attacker sending commands directly to actuators | Check command logs. Did the dosing pump receive a command that the control logic didn't generate? |
+| Readings frozen (exact same value repeated) | Sensor polling stopped, last value cached | Real sensors have noise — 0.01-0.05 variation is normal. Exact repetition (7.000, 7.000, 7.000) across multiple readings means the sensor isn't being polled. |
+
+## Cyber → Bio Indicators
+
+When the security monitoring system flags an anomaly, ask: **what's the biological impact?**
+
+| Cyber Anomaly | Biological Risk | Response Priority |
+|---------------|----------------|-------------------|
+| Unauthorized access to controller | Immediate: attacker can modify pump/feeder/dosing schedules | **CRITICAL** — verify all actuator states physically |
+| MQTT broker compromise | Sensor data integrity lost — monitoring becomes unreliable | **HIGH** — switch to manual monitoring until broker is verified |
+| Dashboard credentials compromised | Observation capability lost — attacker can see but not act (unless dashboard has write access) | **MEDIUM** — rotate credentials, check for write permissions |
+| Network scan detected on OT VLAN | Reconnaissance phase — attack likely incoming | **HIGH** — isolate OT network, increase monitoring frequency |
+| Firmware update pushed outside maintenance window | Controller behavior may be modified — unknown impact | **CRITICAL** — do not trust sensor data until firmware is verified |
+| DNS or NTP manipulation | Logging timestamps unreliable — forensic integrity lost | **MEDIUM** — verify system time, check for time-based automation triggers |
+
+## The Validation Protocol
+
+When any anomaly is detected — biological or cyber — run this cross-validation:
+
+### Step 1: Physical Ground Truth
+- **Look at the fish.** Behavior is a leading indicator. Gasping at surface = low DO regardless of what the sensor says.
+- **Look at the plants.** Wilting, yellowing, or root discoloration that doesn't match sensor data = suspect data integrity.
+- **Smell the water.** Ammonia has a distinctive smell at concentrations above 0.5 ppm. If the sensor says 0.05 but you can smell it, the sensor is wrong.
+- **Use a manual test kit.** API, Hanna, or Salifert test kits are the ground truth. Compare to controller reading.
+
+### Step 2: Sensor Chain Verification
+- **Compare sensor output to controller input.** If the sensor probe reads differently from what the controller reports, the chain is compromised between probe and controller.
+- **Check MQTT messages against database values.** If MQTT published 6.5 but the database shows 7.0, something is modifying data in transit or at rest.
+- **Check dashboard against database.** If the database shows 6.5 but the dashboard shows 7.0, the visualization layer is compromised.
+- **Check controller logs for unexpected commands.** Pumps, feeders, and dosing systems should only respond to commands from the control logic. Orphan commands indicate unauthorized access.
+
+### Step 3: Timeline Correlation
+- **When did the biological anomaly start?**
+- **When did the last cyber event occur?** (Failed login, network scan, firmware update, config change)
+- **Do they correlate?** If ammonia started rising 30 minutes after an unauthorized SSH login to the controller, that's correlation.
+- **Check for the "too quiet" signal.** If the system was generating normal sensor noise and suddenly goes perfectly flat, that's the data equivalent of a phone going dead — silence is a signal.
+
+---
+
+## Integration Workflow
+
+For operators running both workspaces:
+
+1. Run `/scan` in the Anomaly Monitor with current readings
+2. If anomaly detected, check this guide's Bio → Cyber table
+3. If cyber cause suspected, switch to ICS Security workspace
+4. Run `/incident-response` if compromise is likely
+5. Run the Validation Protocol regardless of initial assessment
+6. Log findings in both workspaces' `work-log/` directories
+
+For security assessors evaluating an aquaponics site:
+
+1. Run `/asset-inventory` and `/network-audit` in ICS Security
+2. For each finding, check this guide's Cyber → Bio table for biological risk
+3. Prioritize findings by biological impact, not just technical severity
+4. A low-severity IT finding (default password on dashboard) becomes critical if that dashboard has write access to actuators
+
+---
+
+## Key Principle
+
+**In aquaponics, every cyber event is also a biological event.**
+
+A firewall rule misconfiguration doesn't just create a security exposure — it creates a path from the internet to the pump that keeps 10,000 fish alive. A default password isn't just a compliance finding — it's the only thing standing between an attacker and the feeding schedule that determines whether a crop lives or dies.
+
+Security assessments that ignore biological impact are incomplete. Biological monitoring that ignores cyber integrity is naive. The two workspaces exist as a pair for this reason.
+
+---
+
+## Domain Accuracy Note
+
+The bio-cyber correlation patterns in this document are based on published ICS security research (CISA advisories, SANS ICS whitepapers) and aquaculture monitoring best practices. The specific sensor behavior patterns (noise characteristics, response sequences) reflect general aquaponics system behavior — your system may differ based on sensor brand, calibration frequency, and controller firmware. **This guide should be reviewed by both a security practitioner and an aquaponics operator before use in incident response.** If you identify inaccuracies, please open an issue.