From 096437a40c78f7ba03e975f864a2426632a94049 Mon Sep 17 00:00:00 2001
From: SchwartzKamel
Date: Sun, 3 May 2026 02:54:48 -0700
Subject: [PATCH] docs(audit): reconcile stale roadmap claims with v0.4.0 reality
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Vaporware sweep over docs + agent guidance:

- copilot-instructions.md: 'Roadmap scanners to implement' (SMB/FTP/
  SSH/SNMP/LDAP/RPC/Kerberos/HTTP-content-discovery/TLS-cipher-enum/
  DNS-AXFR) reframed as shipped — every listed scanner is in tree under
  src/Drederick/Recon/.
- EMPIRE.md: 'OPSEC profiles: Template stagers with obfuscation,
  certificate pinning, jitter' replaced with 'OPSEC profile auto-
  rotation' — the Malleable C2 corpus + MalleableProfileLibrary
  shipped in v0.4.0; only per-stage rotation + cert pinning remain
  deferred.
- UI_GUIDE.md: 'What's still CLI-only' → 'What's still Avalonia-CLI-
  only' — the offensive engine and Jeopardy CTF subsystem are now
  exposed by the Web UI (Offensive + Jeopardy pages); only the
  Avalonia console still lacks them.
- ARCHITECTURE.md: 'planned live UI stream' for AuditLog updated to
  point at the live Drederick.Web SignalR EventsHub.

Class-(b) deferred items left intact: fight-notebook replay-into-
prompts, MAGIKA CTF prompt enrichment, Avalonia offensive surface,
Datasette auth + offensive-table facets, native http-enum/SMB/RPC/
Database tools, ICredTool split, Tier-2+ self-sufficiency benchmarks,
Web UI a11y/dark-mode/rate-limit/TLS follow-ups.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/copilot-instructions.md | 18 +++++++++++-------
 docs/ARCHITECTURE.md            |  3 ++-
 docs/EMPIRE.md                  |  2 +-
 docs/UI_GUIDE.md                |  8 +++++---
 4 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
index 8e3a7e2..d3af6d1 100644
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -122,13 +122,17 @@ impact faster: should assume it will run concurrently per-host and per-service. No shared mutable state outside `KnowledgeBase` / `AuditLog`, both of which must stay thread-safe. -- **Wider enumeration surface.** Roadmap scanners to implement - aggressively: SMB (shares, sessions, OS), FTP (anon + banner), SSH - (algos, host keys, user enum), SNMP (community brute + walk), LDAP - (anon bind, naming contexts, user/group enum), RPC (endpoint mapper - + null session), Kerberos (SPN listing, AS-REP roast, kerberoast - where in scope), HTTP content-discovery (wordlist-driven), TLS - cipher enumeration, DNS AXFR. Each re-checks scope inside the tool. +- **Wider enumeration surface.** The shipped scanner set already + covers SMB (shares, sessions, OS), FTP (anon + banner), SSH (algos, + host keys), SNMP (community brute + walk), LDAP (anon bind, naming + contexts), RPC (endpoint mapper + null session via + `Recon/Ad/SmbNullSessionTool`), Kerberos (SPN listing, + delegation/AS-REP/kerberoast helpers under `DelegationEnumTool` / + `DcSyncDetectionTool`), HTTP content-discovery + (`HttpContentDiscoveryTool`), TLS cipher enumeration + (`TlsCipherEnumTool`), and DNS AXFR (`DnsZoneTransferTool`). Each + re-checks scope inside the tool. New scanners should match this + bar — wider surface, scope-checked, audit-recorded. - **Full NSE surface inside scope.** `safe,default,discovery,version, auth,exploit,intrusive,vuln` are all available in lab mode. `dos` and `malware` are opt-in per run. In strict mode the defaults are diff --git a/docs/ARCHITECTURE.md b/docs/ARCHITECTURE.md index 373a546..0e00a1f 100644 --- a/docs/ARCHITECTURE.md +++ b/docs/ARCHITECTURE.md 
@@ -437,7 +437,8 @@ network; downstream tools enforce scope per Append-only JSONL log (`out/audit.jsonl`) capturing every tool call, scope decision, doctor detection/install, and session event. Used by tests, -forensics, and the planned live UI stream. +forensics, and the live UI stream surfaced via the `Drederick.Web` +SignalR `EventsHub`. ## Thread-safety {#thread-safety} diff --git a/docs/EMPIRE.md b/docs/EMPIRE.md index d7230ad..263e4ac 100644 --- a/docs/EMPIRE.md +++ b/docs/EMPIRE.md @@ -497,6 +497,6 @@ drederick --scope lab.txt --target 10.0.0.0/8 --autopilot --out out/ - **Listener orchestration:** Auto-start Empire server, return listener URL to stager - **Module API integration:** Query `empire/handlers` for available modules, match against findings - **Callback tunneling:** Route agent callbacks through Drederick's network isolation layer -- **OPSEC profiles:** Template stagers with obfuscation, certificate pinning, jitter +- **OPSEC profile auto-rotation:** Per-stage profile rotation and certificate pinning on top of the bundled Malleable C2 corpus already shipped via [`MalleableProfileLibrary`](../src/Drederick/Exploit/Empire/MalleableProfileLibrary.cs). - **Lateral move simulation:** Pre-flight test lateral movement paths before execution diff --git a/docs/UI_GUIDE.md b/docs/UI_GUIDE.md index d925c7c..8691867 100644 --- a/docs/UI_GUIDE.md +++ b/docs/UI_GUIDE.md 
@@ -57,11 +57,13 @@ loaded (the `scope-file-read-only` invariant). **Findings → Open in Datasette** button launches `drederick serve` against the currently selected output directory. -## What's still CLI-only +## What's still Avalonia-CLI-only The offensive engine (`ExploitRunner`, `MsfDriver`, `CredRunner`, -`PayloadStager`, session tracking) and the Jeopardy CTF subsystem ship -today as CLI features. Run them with the per-category opt-in flags +`PayloadStager`, session tracking) and the Jeopardy CTF subsystem are +exposed by the CLI and by the **Web UI** (see [`WEB_UI.md`](./WEB_UI.md) +— Offensive and Jeopardy pages). They are not yet surfaced in the +Avalonia console. Run them with the per-category opt-in flags (`--allow-exec-pocs`, `--allow-cred-attacks`, `--allow-payloads`, `--allow-destructive`, `--allow-dos`, `--acknowledge-lockout-risk`). Surfacing them in the Avalonia console is tracked in [`UI.md`
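Review bot: In the `.github/copilot-instructions.md` hunk (@@ -122,13 +122,17 @@), the rewritten "Wider enumeration surface" bullet drops "user enum" from the SSH entry, "user/group enum" from the LDAP entry, and the "where in scope" qualifier from the Kerberos entry, while the commit message describes the list as reframed as shipped and does not name these among the deferred items. If those capabilities are not in tree, say so in the bullet as deferred; if they are, keep them in the list. The Kerberos entry also attributes AS-REP/kerberoast helpers to `DelegationEnumTool` / `DcSyncDetectionTool`, whose names point at delegation enumeration and DCSync detection, and the RPC entry cites only `Recon/Ad/SmbNullSessionTool` for both the endpoint mapper and the null session. SMB, FTP, SSH, SNMP and LDAP cite no tool at all. Naming one tool per protocol would let a reader check the "shipped" claim against `src/Drederick/Recon/`.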
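Review bot: In the `docs/ARCHITECTURE.md` hunk (@@ -437,7 +437,8 @@), the new sentence routes the audit log, which the context lines describe as capturing every tool call, scope decision and session event, to a live stream on the `Drederick.Web` SignalR `EventsHub` without saying who may subscribe to that hub or where this is documented. The commit message lists Web UI rate-limit and TLS follow-ups as still deferred, so the sentence should link to the Web UI documentation for the hub's access control and transport, and state whether the hub only reads `out/audit.jsonl` or is a second producer of events. A source link for `EventsHub`, in the style the `docs/EMPIRE.md` hunk uses for `MalleableProfileLibrary`, would also help.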
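Review bot: In the `docs/EMPIRE.md` hunk (@@ -497,6 +497,6 @@), the replacement bullet drops "obfuscation" and "jitter" from the old line without saying whether they are covered by the shipped corpus or still pending; the commit message names only per-stage rotation and cert pinning as deferred. State their status in the bullet. The title "OPSEC profile auto-rotation" also does not describe certificate pinning, which the body lists as a separate pending item, and the line mixes shipped and pending work in a list whose other entries are all pending; two bullets, one per pending item, with the shipped corpus mentioned once, would read more clearly. Please confirm the relative link `../src/Drederick/Exploit/Empire/MalleableProfileLibrary.cs` resolves from `docs/`.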
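Review bot: In the `docs/UI_GUIDE.md` hunk (@@ -57,11 +57,13 @@), the new heading "What's still Avalonia-CLI-only" reads as "available only in an Avalonia CLI", which is the opposite of the body: the features are exposed by the CLI and the Web UI and are missing from the Avalonia console. Something like "What's not yet in the Avalonia console" matches the text. Renaming the heading also changes its generated anchor, so inbound links to the old "What's still CLI-only" section will break unless an explicit anchor is kept, as `docs/ARCHITECTURE.md` does with `{#thread-safety}`. The added sentence "They are not yet surfaced in the Avalonia console." repeats the existing context line "Surfacing them in the Avalonia console is tracked in ..." and one of the two can go.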