diff --git a/CLAUDE.md b/CLAUDE.md index df36f7b..a06d496 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -17,6 +17,7 @@ Each skill follows this convention: ## Current Skills - **`github-app-token`** — Generates a short-lived GitHub App installation access token, writes it to `.gh-token` under `$GH_CONFIG_DIR` (preferred) or `$AGENT_HOME` (fallback), and authenticates the `gh` CLI. Requires `GITHUB_APP_ID`, `GITHUB_APP_INSTALLATION_ID`, and one of `GITHUB_APP_PEM` (inline PEM) or `GITHUB_APP_PEM_FILE` (path). Depends on `openssl`, `curl`, `jq`, `gh`. +- **`hightower`** — Interacts with the Hightower AI pentest API: start scans, poll status, retrieve markdown reports. Requires `HIGHTOWER_API_URL` and `HIGHTOWER_API_TOKEN`. Documentation only — no scripts. - **`kubernetes-reflector`** — Documents Kubernetes Reflector annotations for mirroring secrets and configmaps across namespaces. Documentation only — no scripts. - **`minimax-image-generation`** — Generates images from MiniMax's `image-01` model via `/v1/image_generation`. Requires `MINIMAX_API_KEY`; `MINIMAX_API_BASE_URL` is optional. Depends on `curl`, `jq`, `base64`. diff --git a/README.md b/README.md index 2819378..386e553 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,7 @@ A collection of Claude Code skills — reusable tools that extend Claude Code's | Skill | What it does | |---|---| | [`github-app-token`](./github-app-token) | Generate a short-lived GitHub App installation access token and authenticate the `gh` CLI with it. | +| [`hightower`](./hightower) | Start AI-powered penetration test scans, check scan status, and retrieve security findings reports via the Hightower API. | | [`kubernetes-reflector`](./kubernetes-reflector) | Reference for Kubernetes Reflector annotations that mirror secrets and configmaps across namespaces. | | [`minimax-image-generation`](./minimax-image-generation) | Generate images from MiniMax's `image-01` model via the `/v1/image_generation` endpoint. | diff --git a/hightower/SKILL.md b/hightower/SKILL.md index 419e1d1..c440e88 100644 --- a/hightower/SKILL.md +++ b/hightower/SKILL.md @@ -7,7 +7,15 @@ allowed-tools: Bash, Read # Hightower: Penetration Testing API -Hightower is deployed in the `hightower` namespace on Kubernetes. It exposes a REST API for scan management and a Temporal cluster for workflow orchestration. +Hightower is an AI-powered penetration testing platform forked from [KeygraphHQ/shannon](https://github.com/KeygraphHQ/shannon). It runs multi-agent security assessments against a target URL and git repository, coordinating up to 13 specialized AI agents (recon, auth testing, injection, etc.) to produce a structured findings report. + +**Architecture:** +- **`hightower-api`** — Hono REST API. Accepts scan requests, creates Kubernetes Jobs for each scan, queries Temporal for job progress, and serves reports from the workspace PVC. +- **Worker** — Shannon fork running inside K8s Jobs. Each scan gets its own Job; the worker executes the full AI agent pipeline against the target. +- **Temporal** — Workflow orchestration engine. Tracks scan state, retries, and completion. +- **Workspace PVC** — Persistent volume where completed scan reports are stored and served by the API. + +Scans are triggered via REST API and run asynchronously. Typical scan duration is ~36 minutes for the full 13-agent pipeline. ## Configuration @@ -15,7 +23,7 @@ All settings come from environment variables: | Variable | Description | |----------|-------------| -| `HIGHTOWER_API_URL` | Hightower REST API base URL (e.g., `http://hightower-api.hightower:3000`) | +| `HIGHTOWER_API_URL` | Hightower REST API base URL (e.g., `http://hightower-api:3000`) | | `HIGHTOWER_API_TOKEN` | Bearer auth token for the Hightower API | --- @@ -111,8 +119,6 @@ grep -A 10 "^### \[HIGH\]" report.md 2. **completed** — Job succeeded, report available at `{workspace}/report` 3. **failed** — Job failed (check pod logs) -Typical runtime: ~36 minutes for a full 13-agent pipeline. - --- ## Notes