AndrewAltimit · AndrewAltimit · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026
@@ -0,0 +1,32 @@
+# CODEOWNERS — security-sensitive files require explicit review approval.
+#
+# Syntax: <pattern> <owner> [<owner> ...]
+# GitHub enforces these on every PR that touches the matched paths.
+# "Required reviewers" must approve before merge regardless of branch protection.
+
+# ── Symbol allowlist gate ────────────────────────────────────────────────────
+# Any change to the BOF symbol allowlist must be reviewed by a maintainer.
+# See tools/rust/bof-loader/src/symbol_table.rs header for PR requirements.
+/tools/rust/bof-loader/src/symbol_table.rs  @AndrewAltimit
+
+# ── Containment library ──────────────────────────────────────────────────────
+# The containment library is the primary safety boundary for all offensive tools.
+/tools/lib/containment.py  @AndrewAltimit
+/tools/rust/containment/   @AndrewAltimit
+
+# ── CI checks ────────────────────────────────────────────────────────────────
+# CI enforcement scripts must not be weakened without review.
+/tools/ci/  @AndrewAltimit
+
+# ── C2 transport profiles ─────────────────────────────────────────────────────
+# Transport profiles control beacon communications; changes need review.
+/tools/c2/profiles/  @AndrewAltimit
+/tools/c2/transports/  @AndrewAltimit
+
+# ── Docker lab topology ───────────────────────────────────────────────────────
+# Network topology changes affect all lab tools.
+/docker-compose.lab.yml  @AndrewAltimit
+
+# ── Repository configuration ─────────────────────────────────────────────────
+/.github/  @AndrewAltimit
+/CLAUDE.md  @AndrewAltimit
@@ -34,6 +34,37 @@ jobs:
           fetch-depth: 1
           clean: true
 
+      # -- Python Environment Setup -------------------------------------------
+      - name: Set up Python environment (uv)
+        timeout-minutes: 10
+        run: |
+          uv sync --all-packages
+          echo "### Python Environment" >> $GITHUB_STEP_SUMMARY
+          echo "✅ uv sync complete — $(uv pip list | wc -l) packages installed" >> $GITHUB_STEP_SUMMARY
+
+      # -- Python Tests -------------------------------------------------------
+      - name: Python tests
+        timeout-minutes: 10
+        run: |
+          uv run pytest \
+            tools/lateral-movement/rpc-movement/tests/ \
+            tools/lateral-movement/sccm-abuse/tests/ \
+            tools/lateral-movement/azure-arc/tests/ \
+            tools/lateral-movement/exchange-hybrid/tests/ \
+            tools/edr-silencing/callback-integrity/tests/ \
+            tools/browser-native-postex/tests/ \
+            tools/bofs/tests/ \
+            -v --tb=short 2>&1 | tee /tmp/pytest-output.txt
+          PASSED=$(grep -c "PASSED" /tmp/pytest-output.txt || true)
+          FAILED=$(grep -c "FAILED" /tmp/pytest-output.txt || true)
+          echo "### Python Tests" >> $GITHUB_STEP_SUMMARY
+          if [ "$FAILED" -eq 0 ]; then
+            echo "✅ $PASSED passed, 0 failed" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "❌ $PASSED passed, $FAILED failed" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
       # -- Python Syntax Check ------------------------------------------------
       - name: Python syntax check
         timeout-minutes: 5
@@ -73,7 +104,7 @@ jobs:
           echo "### Secret Scan" >> $GITHUB_STEP_SUMMARY
 
           # Check for .env files (should not exist)
-          if find . -name ".env" -not -name ".env.example" | grep -q .; then
+          if find . -name ".env" -not -name ".env.example" -not -path './.venv/*' | grep -q .; then
             echo "FAIL: .env file found in repo"
             echo "- ❌ .env file found" >> $GITHUB_STEP_SUMMARY
             FAIL=1
@@ -91,7 +122,7 @@ jobs:
           # Check for binary files that shouldn't be here
           BINARIES=$(find . \( -name "*.zip" -o -name "*.tar.xz" -o -name "*.tar.bz2" \
             -o -name "*.mp4" -o -name "*.exe" -o -name "*.so" -o -name "*.dylib" \) \
-            -not -path './.git/*' 2>/dev/null)
+            -not -path './.git/*' -not -path './.venv/*' 2>/dev/null)
           if [ -n "$BINARIES" ]; then
             echo "FAIL: Binary files found:"
             echo "$BINARIES"

@@ -43,6 +43,37 @@ jobs:
           fetch-depth: 1
           clean: true
 
+      # -- Python Environment Setup -------------------------------------------
+      - name: Set up Python environment (uv)
+        timeout-minutes: 10
+        run: |
+          uv sync --all-packages
+          echo "### Python Environment" >> $GITHUB_STEP_SUMMARY
+          echo "✅ uv sync complete" >> $GITHUB_STEP_SUMMARY
+
+      # -- Python Tests -------------------------------------------------------
+      - name: Python tests
+        timeout-minutes: 10
+        run: |
+          uv run pytest \
+            tools/lateral-movement/rpc-movement/tests/ \
+            tools/lateral-movement/sccm-abuse/tests/ \
+            tools/lateral-movement/azure-arc/tests/ \
+            tools/lateral-movement/exchange-hybrid/tests/ \
+            tools/edr-silencing/callback-integrity/tests/ \
+            tools/browser-native-postex/tests/ \
+            tools/bofs/tests/ \
+            --tb=short 2>&1 | tee /tmp/pytest-output.txt
+          PASSED=$(grep -c "PASSED" /tmp/pytest-output.txt || true)
+          FAILED=$(grep -c "FAILED" /tmp/pytest-output.txt || true)
+          echo "### Python Tests" >> $GITHUB_STEP_SUMMARY
+          if [ "$FAILED" -eq 0 ]; then
+            echo "✅ $PASSED passed, 0 failed" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "❌ $PASSED passed, $FAILED failed" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
       # -- Python Syntax Check ------------------------------------------------
       - name: Python syntax check
         timeout-minutes: 5
@@ -84,7 +115,7 @@ jobs:
           FAIL=0
 
           # .env files
-          ENV_FILES=$(find . -name ".env" -not -name ".env.example" -not -path './.git/*' 2>/dev/null)
+          ENV_FILES=$(find . -name ".env" -not -name ".env.example" -not -path './.git/*' -not -path './.venv/*' 2>/dev/null)
           if [ -n "$ENV_FILES" ]; then
             echo "::error::.env file found: $ENV_FILES"
             FAIL=1
@@ -94,7 +125,7 @@ jobs:
           BINARIES=$(find . \( -name "*.zip" -o -name "*.tar.xz" -o -name "*.tar.bz2" \
             -o -name "*.7z" -o -name "*.mp4" -o -name "*.pdf" \
             -o -name "*.exe" -o -name "*.so" -o -name "*.dylib" \) \
-            -not -path './.git/*' 2>/dev/null)
+            -not -path './.git/*' -not -path './.venv/*' 2>/dev/null)
           if [ -n "$BINARIES" ]; then
             echo "::error::Binary files found: $BINARIES"
             FAIL=1
@@ -103,7 +134,7 @@ jobs:
           # Downloaded browser directories
           BROWSER_DIRS=$(find . \( -name "chrome-win64" -o -name "chrome-linux64" \
             -o -name "js-shell" -o -name "js-shell-149" \) -type d \
-            -not -path './.git/*' 2>/dev/null)
+            -not -path './.git/*' -not -path './.venv/*' 2>/dev/null)
           if [ -n "$BROWSER_DIRS" ]; then
             echo "::error::Downloaded browser directories found: $BROWSER_DIRS"
             FAIL=1