Markdown cleanup: linkify paths, restructure README, add license, scrub workstream metadata #40
Merged
AndrewAltimit merged 6 commits into main on Apr 26, 2026
- Convert backticked path references to markdown links across the main README, SECURITY.md, and the kerberos / evasion / llm-attacks / forensic-analysis / browser-ext-attacks tool READMEs so paths are navigable rather than just labels.
- Restructure the main README: move the Databricks Apps Assessment section toward the end, expand the dense bullet items with clearer framing, and add a License section pointing at the dual Unlicense / MIT setup.
- Drop residual workstream / branch references from the touched READMEs to keep the documentation stateless and public-facing.
- Add LICENSE (Unlicense) and LICENSE-MIT, dual-licensing the repo.
- Refresh tools/rust/Cargo.lock to track the new callstack-detect crate.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sweep through the lower-priority top-level tool READMEs (ad-cs, bofs, browser-native-postex, cloud-identity, dashboard, edr-silencing, entra-abuse, framework, macos-postex, persistence, supply-chain) and the heavily cross-referenced Rust crate READMEs (bof-loader, callstack-detect, callstack-spoof, cookie-theft, etw-ti-aware), converting backticked repo-path references to navigable markdown links. Also drops a couple of stray "Workstream" references from edr-silencing to keep the docs stateless. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sweep through the long tail of markdown files — docs/methodology/*, docs/analysis/*, infra/lab/*, the per-tool submodule READMEs, the CVE write-ups, and the rust crate detection docs — converting every backticked repo-path reference into a navigable markdown link with the correct relative path. The largest single file affected is docs/methodology/network-topology-detection-mapping.md, where the detection-mapping tables previously listed bare backticked paths in table cells. They are now links, and glob-style references like tools/foo/*/detection/ resolve to the parent directory so the link still navigates somewhere useful. Net effect: zero unlinked repo-path references remain across the markdown corpus outside CLAUDE.md (which is an agent-instructions file, not user-facing). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two cleanup passes across the markdown corpus:
1. Workstream / sprint metadata removal. Drop the residual `**Workstream:** WS-X — ...` headers, `**Coverage:** WS-X` labels, and inline references like "See WS-C for lab setup" or "the BYOVD workstream (WS-B)". Replace inline pointers with concrete links to the actual directory the prose was referring to. Affected directories: browser-ext-attacks, edr-silencing, kerberos, llm-attacks, plus the matching docs/methodology and docs/analysis files.
2. Enumerated-count reframing. Replace marketing-shaped "53 distinct payloads", "97-task corpus", "10 attacks × 7 MFA types", "covers all 15 ESC vulnerability classes", and "six-app entitlement catalog" with descriptions of what the corpus / matrix / catalog actually contains. Numbers rot fast (the AD CS toolkit is already at ESC1–ESC16, not the 15 the README still cited) and read as marketing rather than operational detail. Empirical research findings (e.g., "62/64 controlled reads"), port numbers, and CVE IDs are left alone — those are load-bearing.
Net effect: zero `WS-X` / `Workstream:` / `sprint` references remain in non-CLAUDE markdown, and the catalog descriptions are now durable against content drift.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three targeted fixes to the PR validation pipeline:
1. **SHA-pin every third-party action.** Tag refs (`@v4`, `@stable`) can be
re-pointed if the upstream repo is compromised, which would execute
attacker code on the self-hosted runner. Now pinned to commit SHAs with
the version in a trailing comment for readability:
- actions/checkout -> v4.3.1
- dtolnay/rust-toolchain -> stable as of 2026-04-26
- actions/upload-pages-artifact -> v3.0.1
- actions/deploy-pages -> v4.0.5
2. **Move the fork-guard onto the self-hosted runner.** The "Require
approval for all external contributors" repo setting is the actual
perimeter for fork PRs, so the guard no longer needs a hosted runner
to exist; it stays as defence-in-depth gated by `needs: fork-guard`.
Also drops the unused `pull-requests: write` permission to `read`.
3. **Fix the markdown link checker.** Two bugs: the inner `FAIL=1` was set
inside a `... | while read` subshell and lost, and the link path was
resolved against the repo root rather than the file's directory, so
any relative link in `cves/README.md` looked broken. Both
`continue-on-error: true` and the resulting double-failure made the
step a silent no-op. Now uses process substitution and resolves links
via `dirname "$f"`, with a step summary line indicating pass/fail.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
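The link-checker fix in point 3 is easier to see in running code. The script below is an added example, not the repository's actual workflow step: it builds a constructed fixture tree, resolves every relative link against the linking file's own directory via `dirname`, and keeps the failure counter in the parent shell by feeding the `while read` loop from a heredoc instead of a pipeline. The bash spelling `done < <(extract_links "$f")` is the process-substitution form the commit describes; the heredoc form is used here so the script also runs under POSIX sh. `check_file_buggy` is the pipeline variant kept beside it to show the counter being thrown away. Function names and the fixture paths are assumptions.

```shell
#!/bin/sh
# Added example (not the project's CI step): a minimal markdown relative-link
# checker that avoids the two bugs the commit message describes.
# Fixture paths and function names below are constructed for illustration.

# Print the target of every inline markdown link in a file, one per line.
# Absolute URLs, mailto: links and pure in-page anchors are skipped; any
# "#fragment" or "?query" suffix is stripped so a filesystem path remains.
extract_links() {
    grep -o ']([^)]*)' "$1" \
        | sed 's/^](//; s/)$//; s/[#?].*$//' \
        | grep -v -E '^(https?:|mailto:|$)'
}

# Check one markdown file. Return value is the number of broken links (0 = ok).
# Targets are resolved against dirname "$f", not the repo root, which is what
# makes a link like ./CVE-xxxx/ inside cves/README.md resolve correctly.
check_file() {
    f=$1
    dir=$(dirname "$f")
    broken=0
    # The heredoc fed from command substitution keeps the loop in the current
    # shell, so `broken` survives the loop. In bash, `done < <(extract_links "$f")`
    # is the equivalent process-substitution form.
    while IFS= read -r link; do
        [ -n "$link" ] || continue
        case $link in
            /*) target=$link ;;          # root-absolute link: leave as-is
            *)  target="$dir/$link" ;;   # relative link: file's own directory
        esac
        if [ ! -e "$target" ]; then
            printf 'BROKEN %s -> %s (resolved %s)\n' "$f" "$link" "$target" >&2
            broken=$((broken + 1))
        fi
    done <<EOF
$(extract_links "$f")
EOF
    return "$broken"
}

# Buggy variant kept for contrast: identical logic, but the loop runs in the
# subshell of a pipeline, so `broken` is always 0 on return.
check_file_buggy() {
    f=$1
    dir=$(dirname "$f")
    broken=0
    extract_links "$f" | while IFS= read -r link; do
        [ -e "$dir/$link" ] || broken=$((broken + 1))
    done
    return "$broken"
}

# Walk every .md under a root; return value is the total number of broken links.
check_tree() {
    total=0
    for md in $(find "$1" -name '*.md'); do
        check_file "$md"
        total=$((total + $?))
    done
    return "$total"
}

# Constructed fixture: a tiny repo layout with two good links and one broken one.
# Prints the temporary root directory so callers can point check_tree at it.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/cves/CVE-0000-0001" "$root/tools/foo"
    : > "$root/tools/foo/README.md"
    printf 'See [the writeup](./CVE-0000-0001/) and [foo](../tools/foo/README.md).\n' \
        > "$root/cves/README.md"
    printf 'Dead link: [gone](missing.md). External: [gh](https://github.com/).\n' \
        > "$root/tools/foo/BROKEN.md"
    printf '%s\n' "$root"
}
```

Usage: `root=$(make_fixture); check_tree "$root"; echo "broken links: $?"` reports one broken link (the `missing.md` reference), while `check_file_buggy "$root/tools/foo/BROKEN.md"` reports zero for the same file, which is the silent no-op the commit fixed. Because the return value carries the count, a CI step can fail on any non-zero status without relying on a variable set inside the loop.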
Summary
Documentation pass across the markdown corpus to make the repo navigable, professional, and stateless:
- `## License` section pointing at the new dual-licensing setup.
- `tools/c2/transports/` and `docs/methodology/llm-attack-modeling.md` are now real markdown links with correct relative paths. A small Python helper handled fenced-code-block skipping, double-link prevention, path verification (with parent-directory fallback for globs), and per-file relative-path computation. Net effect: zero unlinked repo-path references remain anywhere in the markdown outside `CLAUDE.md` (which is an agent-instructions file).
- `**Workstream:** WS-X — ...` headers, `**Coverage:** WS-X` labels, and inline `See WS-C` / `BYOVD workstream (WS-B)` pointers removed or rephrased into concrete links to the directory the prose was actually pointing at. Keeps the docs stateless and public-facing.
- `53 distinct payloads`, `97-task corpus`, `10 attacks x 7 MFA types`, `six-app entitlement catalog`, `covers all 15 ESC vulnerability classes`) with descriptions of what the corpus / matrix / catalog actually contains. Numbers rot — the AD CS toolkit was already at ESC1-ESC16 by the time we caught the "all 15" claim. Empirical research findings (e.g., `62/64 controlled reads`), CVE IDs, and port numbers are left alone — those are load-bearing.
- `tools/rust/Cargo.lock` to pick up the existing `callstack-detect` crate.
Scope
148 files changed, 773 insertions / 594 deletions. The README itself is the most visible change; the rest is a long tail of small fixes spread across `docs/methodology/`, `docs/analysis/`, `tools/*/README.md`, the per-tool detection READMEs, the rust crate READMEs, and the CVE write-ups.
Test plan
- `*.sys`, detection-pairing, no real tenant IDs)
- `grep -nP '\b(WS-[A-Z]|Workstream)\b'` across the tree to confirm nothing slipped back in
Out of scope (noted for a future branch)
A consistent top-of-file structure across the top-level tool READMEs (one-paragraph "what this is for" -> lab gating -> modules -> usage). Higher effort, judgment call per file, separate PR.
Generated with Claude Code