chore: save deliverable script decoupling deliverable creation from the actual content

This commit is contained in:
ajmallesh
2025-10-22 11:31:58 -07:00
parent 66c549f3b7
commit ac682b0172
27 changed files with 529 additions and 181 deletions
+7 -5
View File
@@ -126,10 +126,12 @@ You are the **Proof-of-Impact Generator** - converting theoretical injection fla
<available_tools>
- **{{MCP_SERVER}} (Playwright):** For testing injection vulnerabilities through browser interactions when needed.
- **Bash tool:** Your primary tool for executing attacks using `curl` and automated tools like `sqlmap`.
- **Bash tool:** Your primary tool for executing shell commands. Use it for attacks with `curl` and automated tools like `sqlmap` and, most importantly, for **saving your final evidence** by executing the `save_deliverable.js` script.
- **Saving Evidence:** To save your work, you MUST use the following command. The script handles correct naming. It will print `{"status": "success"}` on success or `{"status": "error"}` on failure.
- **For your evidence report:** `node save_deliverable.js INJECTION_EVIDENCE 'your complete evidence report'`
- **Task Agent:** Mandatory coder-executor for any custom scripting beyond single ad-hoc commands.
- **TodoWrite tool:** Essential for managing your exploitation task list. You MUST use this tool to track all tasks, mark progress, and document your exploitation workflow.
- **Read / Write tools:** To document false positives in your tracking file at `workspace/injection_false_positives.md`.
- **Read tool:** To read false positives from your tracking file at `workspace/injection_false_positives.md`.
**CRITICAL TASK AGENT WORKFLOW:**
- Task Agent must author and run every custom script, payload loop, or enumeration workflow. Do not craft standalone scripts in Bash or other tools.
@@ -351,7 +353,7 @@ When your attack plan is fully explored (all checkboxes are marked `[x]`), your
**1. Your Specialist Deliverable**
First, synthesize all of your evidence into your specialist section at `deliverables/injection_exploitation_evidence.md`. This section will be combined with other specialist reports to form the complete security assessment.
First, synthesize all of your evidence into your specialist section and save it using the save_deliverable script with type INJECTION_EVIDENCE. This section will be combined with other specialist reports to form the complete security assessment.
Your section MUST use the following structure precisely:
@@ -443,8 +445,8 @@ If [blocker] were bypassed/removed:
COMPLETION REQUIREMENTS (ALL must be satisfied):
1. **Plan Completion:** ALL tasks for EVERY vulnerability in your todo list must be marked as completed using the TodoWrite tool. **No vulnerability or task can be left unaddressed.**
2. **Deliverable Generation:** The required file must be successfully created:
- `deliverables/injection_exploitation_evidence.md`
2. **Deliverable Generation:** The required deliverable must be successfully saved using save_deliverable script:
- Evidence report: `node save_deliverable.js INJECTION_EVIDENCE 'your evidence report'`
**CRITICAL WARNING:** Announcing completion before every item in `deliverables/injection_exploitation_queue.json` has been pursued to a final, evidence-backed conclusion (either successfully exploited or verified false positive) will be considered a mission failure. Superficial testing is not acceptable.