rtexit-method 0.1.0 → 0.1.1

package/packaged-assets/.agents/skills/rt-exploit-jwt/workflow.md

@@ -0,0 +1,68 @@
+# Workflow - rt-exploit-jwt
+
+## Purpose
+
+This workflow standardizes how $skill is executed inside RTExit. It is designed for authorized engagements, evidence-first documentation, and consistent handoff into reporting.
+
+## Authorization Gate
+
+Before execution, confirm:
+
+- SEAD exists and explicitly covers the target asset or activity.
+- Rules of Engagement define allowed techniques, rate limits, and stop conditions.
+- The operator knows the evidence handling rules.
+- Any active or sensitive validation has client approval.
+
+If any item is unclear, pause and invoke 
+
+## Required Inputs
+
+| Input | Source | Notes |
+|---|---|---|
+| Engagement reference | _rtexit/config.toml or SEAD | Used in output names. |
+| Target asset(s) | Scope document | Must be explicitly approved. |
+| Operator name | Config/user context | Used in timeline entries. |
+| Evidence directory | _rtexit-output/docs/evidence/ | Store logs, screenshots, and artifacts. |
+| Finding tracker | _rtexit-output/docs/findings/ | Create/update findings when confirmed. |
+
+## Execution Steps
+
+1. Load current engagement configuration.
+2. Read scope, exclusions, and current findings.
+3. Build a small test plan for this skill with target, expected control, and evidence type.
+4. Run the lowest-risk validation first.
+5. Capture baseline behavior before proof behavior.
+6. Record exact timestamp, account/role used, and affected asset.
+7. Stop when evidence is sufficient; avoid unnecessary data access.
+8. Create or update findings through the RTExit finding tracker.
+9. Map remediation owner and recommended timeline.
+10. Add a timeline entry and evidence chain entry.
+
+## Evidence Requirements
+
+| Evidence | Required? | Notes |
+|---|---|---|
+| Command or action summary | Yes | Redact secrets and tokens. |
+| Screenshot or transcript | If useful | Store under evidence folder. |
+| Request/response pair | For web/API | Redact cookies and bearer tokens. |
+| Config excerpt | For cloud/infra | Include only relevant lines. |
+| Business impact note | Yes | Explain why it matters. |
+
+## Autodoc Commands
+
+`ash
+python _rtexit/scripts/autodoc_engine.py log --skill rt-exploit-jwt --phase auto --cmd "workflow execution" --output "summary"
+python _rtexit/scripts/finding_tracker.py list
+`
+
+## Completion Criteria
+
+- Scope and authorization are referenced.
+- Evidence is stored and redacted.
+- Findings are added or explicitly marked as not found.
+- Remediation guidance is actionable.
+- Timeline and chain of custody are updated where applicable.
+
+## Handoff
+
+Send confirmed findings to 

package/packaged-assets/.agents/skills/rt-exploit-mongodb/SKILL.md

@@ -0,0 +1,67 @@
+---
+name: rt-exploit-mongodb
+description: "MongoDB security assessment skill for authorized exposure validation, access control review, NoSQL injection testing, TLS, backup posture, audit logging, and remediation."
+---
+
+# rt-exploit-mongodb - MongoDB Assessment
+
+## Overview
+
+MongoDB risk usually appears as public exposure, weak authentication, permissive roles, missing TLS, unvalidated query objects, or sensitive data in collections. This skill emphasizes safe NoSQL injection testing and configuration review.
+
+## Prerequisites
+
+- In-scope cluster/database/application endpoint.
+- Test users and role expectations.
+- Approved test records or collection.
+- Data sampling limits.
+
+## Assessment Areas
+
+| Area | Checks |
+|---|---|
+| Exposure | Public listener, Atlas network access, firewall rules. |
+| Authentication | Auth enabled, SCRAM/OIDC/IAM integration, shared users. |
+| Authorization | Role scope, database separation, admin privileges. |
+| Transport | TLS enforcement. |
+| NoSQL Injection | Operator injection through JSON/filter inputs. |
+| Backups | Snapshot access, public exports, retention. |
+| Logging | Audit events and suspicious query visibility. |
+
+## Workflow
+
+1. Confirm cluster and role scope.
+2. Inventory exposure, auth, TLS, and roles.
+3. Map application query inputs that accept objects or filters.
+4. Validate NoSQLi only against approved test records.
+5. Review sensitive collection access by role.
+6. Recommend schema validation and role reduction.
+
+## Evidence
+
+Capture role summaries, redacted connection settings, paired app requests, and test-record behavior. Do not export production collections.
+
+## Remediation
+
+- Restrict network access.
+- Enforce authentication and TLS.
+- Reduce roles.
+- Validate schemas and allowlist operators.
+- Avoid passing raw user JSON into queries.
+- Monitor suspicious reads and auth failures.
+
+
+## Finding Examples
+
+| Finding | Severity Driver |
+|---|---|
+| Public MongoDB listener | Internet data exposure risk. |
+| Weak role separation | Excess collection access. |
+| Raw filter injection | Authorization bypass or data exposure. |
+| Missing TLS | Credential and data interception. |
+
+## Autodoc
+
+```bash
+python _rtexit/scripts/autodoc_engine.py log --skill rt-exploit-mongodb --phase exploitation --cmd "MongoDB posture review" --output "redacted database risk summary"
+```

package/packaged-assets/.agents/skills/rt-exploit-mssql/SKILL.md

@@ -0,0 +1,52 @@
+---
+name: rt-exploit-mssql
+description: "Microsoft SQL Server assessment skill for authorized exposure review, authentication mode, role permissions, linked servers, encryption, application-layer injection, and remediation."
+---
+
+# rt-exploit-mssql - Microsoft SQL Server Assessment
+
+## Overview
+
+MSSQL environments often connect identity, Windows administration, linked servers, application permissions, and sensitive business data. This skill reviews risk without enabling disruptive features or modifying production state.
+
+## Prerequisites
+
+- Approved instance list or application endpoint.
+- Test account/role.
+- Clear prohibition or approval for configuration changes.
+- Data access and evidence limits.
+
+## Assessment Areas
+
+| Area | Checks |
+|---|---|
+| Exposure | Listener exposure, named instances, firewall rules. |
+| Authentication | Windows vs mixed mode, weak SQL logins, service accounts. |
+| Roles | sysadmin, db_owner, impersonation, unsafe grants. |
+| Features | Risky features enabled without business need. |
+| Linked Servers | Trust relationships and credential delegation. |
+| Encryption | Force encryption, certificate posture, TDE where needed. |
+| App Layer | Injection, stored procedure misuse, overprivileged app role. |
+
+## Workflow
+
+1. Confirm instance and role scope.
+2. Inventory version, authentication mode, encryption, and privileges.
+3. Review linked server and service account exposure.
+4. Validate application injection with safe evidence only.
+5. Map impact to data classification and Windows/AD relationships.
+6. Document remediation by DBA and application owners.
+
+## Evidence
+
+Use configuration screenshots, role summaries, redacted query behavior, and application request pairs. Avoid enabling features or dumping tables unless explicitly approved.
+
+## Remediation
+
+- Use Windows/managed identity where appropriate.
+- Remove unnecessary sysadmin/db_owner.
+- Restrict linked servers.
+- Enforce encryption.
+- Parameterize application queries.
+- Audit privileged actions and failed logins.
+

package/packaged-assets/.agents/skills/rt-exploit-mysql/SKILL.md

@@ -0,0 +1,53 @@
+---
+name: rt-exploit-mysql
+description: "MySQL security assessment skill for authorized configuration review, privilege analysis, exposure validation, SQL injection impact scoping, logging, backup posture, and remediation."
+---
+
+# rt-exploit-mysql - MySQL Assessment
+
+## Overview
+
+MySQL findings usually combine application-layer injection, excessive database privileges, weak network exposure, insecure backups, or missing encryption. This skill keeps validation scoped and evidence minimal.
+
+## Prerequisites
+
+- Database host/port or application endpoint in scope.
+- Approved account or application test role.
+- Data sampling limits.
+- Permission for configuration review if direct DB access is provided.
+
+## Assessment Areas
+
+| Area | Checks |
+|---|---|
+| Exposure | Public listener, firewall rules, allowed source networks. |
+| Authentication | Root remote login, weak/shared users, password policy. |
+| Privileges | FILE, SUPER, CREATE USER, GRANT OPTION, broad schema rights. |
+| Transport | TLS requirement and certificate posture. |
+| Application Queries | Parameterization and stored procedure usage. |
+| Backups | Public dumps, weak storage permissions, retention. |
+| Logging | Audit logs, slow query logs, failed login visibility. |
+
+## Workflow
+
+1. Confirm whether testing is direct database review or app-mediated.
+2. Inventory version, exposure, and account privileges.
+3. Validate injection impact with approved test data only.
+4. Review whether application role can access unnecessary schemas.
+5. Review sensitive data handling and backup locations.
+6. Convert issues into least-privilege and query-safety recommendations.
+
+## Evidence
+
+Capture version, privilege summaries, endpoint proof, redacted query behavior, and screenshots. Do not dump production tables.
+
+## Remediation
+
+- Parameterized queries.
+- Least-privilege application users.
+- Disable remote root access.
+- Enforce TLS for database connections.
+- Restrict network access.
+- Protect and encrypt backups.
+- Add database activity monitoring.
+

package/packaged-assets/.agents/skills/rt-exploit-network/SKILL.md

@@ -0,0 +1,118 @@
+---
+name: rt-exploit-network
+description: "Authorized network penetration testing workflow for service discovery, exposure validation, segmentation review, identity controls, evidence handling, and remediation planning."
+---
+
+# rt-exploit-network - Network Security Testing
+
+> Network testing can affect availability. Confirm scope, scan windows, rate limits, and emergency contacts before any active validation.
+
+## Overview
+
+This skill covers internal and external network assessment from inventory through risk validation. It is designed to produce a controlled map of exposed services, weak configurations, segmentation issues, and identity/control gaps without turning the engagement into uncontrolled exploitation.
+
+## Prerequisites
+
+- In-scope CIDRs, hostnames, and excluded ranges.
+- Approved source IPs and scan windows.
+- Contact path for SOC/NOC notifications.
+- Tool rate limits and packet restrictions.
+- Permission level: external, internal unauthenticated, or internal authenticated.
+
+## Skill Levels
+
+| Level | Activities |
+|---|---|
+| BEGINNER | Asset inventory, banner review, TLS/port exposure summary. |
+| INTERMEDIATE | Service validation, weak protocol checks, segmentation review. |
+| ADVANCED | Attack-path modeling from network exposure to business impact. |
+| EXPERT | Architecture-level recommendations and detection engineering notes. |
+
+## Workflow
+
+### Step 1 - Scope and Safety
+
+Create a test card:
+
+| Field | Value |
+|---|---|
+| CIDR/Host | [value] |
+| Source IP | [value] |
+| Window | [value] |
+| Rate Limit | [value] |
+| Exclusions | [value] |
+| Emergency Stop | [contact] |
+
+### Step 2 - Inventory
+
+Start with the least intrusive method available:
+
+- Existing asset inventory from the client.
+- Passive DNS and cloud inventory.
+- Approved lightweight host discovery.
+- Approved service enumeration.
+
+Record host, port, protocol, service, version confidence, owner, and exposure.
+
+### Step 3 - Prioritization
+
+Prioritize:
+
+- Internet-exposed administrative services.
+- Legacy protocols such as SMBv1, Telnet, FTP, old TLS, SNMP community exposure.
+- Weak remote access controls.
+- Unauthenticated data services.
+- Flat network paths between user zones and server/admin zones.
+- Services with known critical CVEs.
+
+### Step 4 - Validation
+
+Validate safely:
+
+- Confirm service identity.
+- Confirm authentication requirement.
+- Confirm encryption posture.
+- Confirm version if reliable.
+- Confirm whether compensating controls exist.
+
+Avoid disruptive checks unless explicitly approved.
+
+### Step 5 - Segmentation Review
+
+Build a matrix:
+
+| Source Zone | Destination Zone | Allowed? | Expected? | Risk |
+|---|---|---|---|---|
+| User LAN | Server VLAN | [yes/no] | [yes/no] | [notes] |
+
+### Step 6 - Findings
+
+Common finding families:
+
+- Exposed management service.
+- Weak or deprecated protocol.
+- Missing network segmentation.
+- Unauthenticated service access.
+- Excessive firewall allow rules.
+- Insecure remote administration.
+- Missing logging and alerting.
+
+## Evidence
+
+Use screenshots, service banners, TLS reports, packet captures when approved, and redacted tool output.
+
+## Remediation
+
+- Restrict management ports by VPN/jump host.
+- Enforce MFA for remote access.
+- Disable legacy protocols.
+- Patch externally exposed services first.
+- Segment user, server, admin, and backup zones.
+- Add alerting for scanning and authentication anomalies.
+
+## Autodoc
+
+```bash
+python _rtexit/scripts/autodoc_engine.py log --skill rt-exploit-network --phase exploitation --cmd "[network validation summary]" --output "[redacted output]"
+```
+

package/packaged-assets/.agents/skills/rt-exploit-network/workflow.md

@@ -0,0 +1,68 @@
+# Workflow - rt-exploit-network
+
+## Purpose
+
+This workflow standardizes how $skill is executed inside RTExit. It is designed for authorized engagements, evidence-first documentation, and consistent handoff into reporting.
+
+## Authorization Gate
+
+Before execution, confirm:
+
+- SEAD exists and explicitly covers the target asset or activity.
+- Rules of Engagement define allowed techniques, rate limits, and stop conditions.
+- The operator knows the evidence handling rules.
+- Any active or sensitive validation has client approval.
+
+If any item is unclear, pause and invoke 
+
+## Required Inputs
+
+| Input | Source | Notes |
+|---|---|---|
+| Engagement reference | _rtexit/config.toml or SEAD | Used in output names. |
+| Target asset(s) | Scope document | Must be explicitly approved. |
+| Operator name | Config/user context | Used in timeline entries. |
+| Evidence directory | _rtexit-output/docs/evidence/ | Store logs, screenshots, and artifacts. |
+| Finding tracker | _rtexit-output/docs/findings/ | Create/update findings when confirmed. |
+
+## Execution Steps
+
+1. Load current engagement configuration.
+2. Read scope, exclusions, and current findings.
+3. Build a small test plan for this skill with target, expected control, and evidence type.
+4. Run the lowest-risk validation first.
+5. Capture baseline behavior before proof behavior.
+6. Record exact timestamp, account/role used, and affected asset.
+7. Stop when evidence is sufficient; avoid unnecessary data access.
+8. Create or update findings through the RTExit finding tracker.
+9. Map remediation owner and recommended timeline.
+10. Add a timeline entry and evidence chain entry.
+
+## Evidence Requirements
+
+| Evidence | Required? | Notes |
+|---|---|---|
+| Command or action summary | Yes | Redact secrets and tokens. |
+| Screenshot or transcript | If useful | Store under evidence folder. |
+| Request/response pair | For web/API | Redact cookies and bearer tokens. |
+| Config excerpt | For cloud/infra | Include only relevant lines. |
+| Business impact note | Yes | Explain why it matters. |
+
+## Autodoc Commands
+
+`ash
+python _rtexit/scripts/autodoc_engine.py log --skill rt-exploit-network --phase auto --cmd "workflow execution" --output "summary"
+python _rtexit/scripts/finding_tracker.py list
+`
+
+## Completion Criteria
+
+- Scope and authorization are referenced.
+- Evidence is stored and redacted.
+- Findings are added or explicitly marked as not found.
+- Remediation guidance is actionable.
+- Timeline and chain of custody are updated where applicable.
+
+## Handoff
+
+Send confirmed findings to