rtexit-method 0.1.0 → 0.1.2

package/packaged-assets/.agents/skills/rt-finding-document/template.md

@@ -0,0 +1,71 @@
+# Finding Template
+
+---
+id: F-XXX
+title: "[Finding Title]"
+severity: HIGH
+cvss: 0.0
+cvss_vector: ""
+cwe: ""
+asset: ""
+status: CONFIRMED
+date: ""
+operator: ""
+---
+
+# F-XXX - [Finding Title]
+
+## Summary
+
+[One paragraph describing the weakness and affected system.]
+
+## Affected Assets
+
+| Asset | Role | Environment | Notes |
+|---|---|---|---|
+
+## Technical Details
+
+[Explain root cause, affected component, and how the issue manifests.]
+
+## Evidence
+
+| Evidence ID | Type | Path | Notes |
+|---|---|---|---|
+
+## Reproduction
+
+1. [Step using approved account and scope]
+2. [Step]
+3. [Observed result]
+
+## Impact
+
+### Technical Impact
+
+[Data, privilege, integrity, availability impact.]
+
+### Business Impact
+
+[Plain-language business consequence.]
+
+## Remediation
+
+### Immediate
+
+- [ ] [Containment action]
+
+### Short Term
+
+- [ ] [Fix]
+
+### Long Term
+
+- [ ] [Prevent recurrence]
+
+## References
+
+- CWE:
+- OWASP:
+- Vendor:
+

package/packaged-assets/.agents/skills/rt-finding-document/workflow.md

@@ -0,0 +1,68 @@
+# Workflow - rt-finding-document
+
+## Purpose
+
+This workflow standardizes how $skill is executed inside RTExit. It is designed for authorized engagements, evidence-first documentation, and consistent handoff into reporting.
+
+## Authorization Gate
+
+Before execution, confirm:
+
+- SEAD exists and explicitly covers the target asset or activity.
+- Rules of Engagement define allowed techniques, rate limits, and stop conditions.
+- The operator knows the evidence handling rules.
+- Any active or sensitive validation has client approval.
+
+If any item is unclear, pause and invoke 
+
+## Required Inputs
+
+| Input | Source | Notes |
+|---|---|---|
+| Engagement reference | _rtexit/config.toml or SEAD | Used in output names. |
+| Target asset(s) | Scope document | Must be explicitly approved. |
+| Operator name | Config/user context | Used in timeline entries. |
+| Evidence directory | _rtexit-output/docs/evidence/ | Store logs, screenshots, and artifacts. |
+| Finding tracker | _rtexit-output/docs/findings/ | Create/update findings when confirmed. |
+
+## Execution Steps
+
+1. Load current engagement configuration.
+2. Read scope, exclusions, and current findings.
+3. Build a small test plan for this skill with target, expected control, and evidence type.
+4. Run the lowest-risk validation first.
+5. Capture baseline behavior before proof behavior.
+6. Record exact timestamp, account/role used, and affected asset.
+7. Stop when evidence is sufficient; avoid unnecessary data access.
+8. Create or update findings through the RTExit finding tracker.
+9. Map remediation owner and recommended timeline.
+10. Add a timeline entry and evidence chain entry.
+
+## Evidence Requirements
+
+| Evidence | Required? | Notes |
+|---|---|---|
+| Command or action summary | Yes | Redact secrets and tokens. |
+| Screenshot or transcript | If useful | Store under evidence folder. |
+| Request/response pair | For web/API | Redact cookies and bearer tokens. |
+| Config excerpt | For cloud/infra | Include only relevant lines. |
+| Business impact note | Yes | Explain why it matters. |
+
+## Autodoc Commands
+
+`ash
+python _rtexit/scripts/autodoc_engine.py log --skill rt-finding-document --phase auto --cmd "workflow execution" --output "summary"
+python _rtexit/scripts/finding_tracker.py list
+`
+
+## Completion Criteria
+
+- Scope and authorization are referenced.
+- Evidence is stored and redacted.
+- Findings are added or explicitly marked as not found.
+- Remediation guidance is actionable.
+- Timeline and chain of custody are updated where applicable.
+
+## Handoff
+
+Send confirmed findings to 

package/packaged-assets/.agents/skills/rt-finding-tracker/SKILL.md

@@ -0,0 +1,216 @@
+---
+name: rt-finding-tracker
+description: "Finding management skill integrated with finding_tracker.py CLI. Add findings, list by severity, show statistics, export to CSV/JSON/HTML/Markdown. Maintains findings-master.csv throughout engagement. Use after each exploitation attempt to log findings immediately. Commands: add, list, stats, export."
+---
+
+# rt-finding-tracker Skill Guide
+
+## 1. Purpose and When to Use
+
+The `rt-finding-tracker` skill provides structured finding management throughout a penetration testing engagement. It integrates directly with the `finding_tracker.py` CLI to log, query, and export security findings in a consistent, auditable format.
+
+**Use this skill:**
+- Immediately after each exploitation attempt — successful or failed — to log what was found
+- After completing a reconnaissance phase to record discovered attack surface items
+- When pivoting between targets, to capture the state of findings before moving on
+- At the end of each session to export a progress report for the client or team
+- When comparing current findings against a previous engagement baseline
+
+**Core responsibilities:**
+- Maintain `findings-master.csv` as the single source of truth for all findings in the engagement
+- Ensure every finding has a severity, CVSS score, affected host/service, and remediation note
+- Provide on-demand statistics and export artifacts for reporting
+
+---
+
+## 2. Step-by-Step Workflow
+
+### Step 1 — Add a Finding Immediately After Discovery
+
+Run `add` after any confirmed vulnerability or notable observation:
+
+```bash
+python finding_tracker.py add \
+  --title "SQL Injection in Login Form" \
+  --severity critical \
+  --host 10.10.10.5 \
+  --service "HTTP/8080" \
+  --cvss 9.8 \
+  --description "Parameter 'username' is injectable; authentication bypass confirmed." \
+  --remediation "Use parameterized queries; enforce input validation."
+```
+
+Fields:
+| Field | Required | Description |
+|---|---|---|
+| `--title` | Yes | Short, unique finding name |
+| `--severity` | Yes | `critical`, `high`, `medium`, `low`, `info` |
+| `--host` | Yes | IP or hostname |
+| `--service` | No | Port/protocol/service name |
+| `--cvss` | No | CVSS 3.x base score (0.0–10.0) |
+| `--description` | No | Technical detail and impact |
+| `--remediation` | No | Recommended fix |
+| `--evidence` | No | Path to screenshot, file, or PoC |
+
+### Step 2 — List Findings by Severity
+
+Review the current finding set filtered by severity:
+
+```bash
+# All findings
+python finding_tracker.py list
+
+# Only critical and high
+python finding_tracker.py list --severity critical
+python finding_tracker.py list --severity high
+
+# Filter by host
+python finding_tracker.py list --host 10.10.10.5
+```
+
+### Step 3 — Check Statistics
+
+Get a quick summary of coverage and severity distribution:
+
+```bash
+python finding_tracker.py stats
+```
+
+This outputs total finding count, breakdown by severity, affected hosts, and any findings missing remediation notes.
+
+### Step 4 — Export for Reporting
+
+Export the current findings in the required format:
+
+```bash
+# CSV — for spreadsheet review
+python finding_tracker.py export --format csv --output findings-report.csv
+
+# JSON — for tool integration or API upload
+python finding_tracker.py export --format json --output findings-report.json
+
+# HTML — for standalone client-readable report
+python finding_tracker.py export --format html --output findings-report.html
+
+# Markdown — for inclusion in Git repos or wikis
+python finding_tracker.py export --format markdown --output findings-report.md
+```
+
+---
+
+## 3. Integration with RTExit Scripts and Other Skills
+
+### findings-master.csv
+
+All findings are persisted to `findings-master.csv` in the engagement working directory. This file is the canonical record and should be committed to the engagement repo at the end of each session.
+
+```
+<engagement-root>/
+  findings-master.csv        # maintained by finding_tracker.py
+  findings-report.html       # generated on demand via export
+  evidence/                  # screenshots, PoC files referenced by --evidence
+```
+
+### Integration with Other Skills
+
+| Skill | Integration Point |
+|---|---|
+| `rt-recon` | After host/service enumeration, add `info`-severity findings for notable exposed services |
+| `rt-exploit` | After each exploit attempt, immediately call `add` with result (success or notable failure) |
+| `rt-privesc` | Log privilege escalation paths as `critical` or `high` findings with full command output as evidence |
+| `rt-loot` | After credential or data extraction, add a `critical` finding with loot file path as `--evidence` |
+| `rt-report` | Call `export --format html` and `export --format markdown` to feed the final report generator |
+
+### finding_tracker.py Location
+
+The CLI is located at:
+
+```
+c:/Ahmed/Projects/RTExit/scripts/finding_tracker.py
+```
+
+Add to PATH or invoke with full path. Requires Python 3.8+.
+
+---
+
+## 4. Example Outputs and Interactions
+
+### Adding a Finding
+
+```
+$ python finding_tracker.py add --title "SMB Null Session" --severity medium --host 10.10.10.12 --service "SMB/445"
+
+[+] Finding added: SMB Null Session
+    ID:       FIND-0007
+    Severity: MEDIUM
+    Host:     10.10.10.12
+    Service:  SMB/445
+    Saved to: findings-master.csv
+```
+
+### Listing Findings
+
+```
+$ python finding_tracker.py list --severity critical
+
+ID          Title                          Host           Severity    CVSS
+----------  -----------------------------  -------------  ----------  -----
+FIND-0001   SQL Injection in Login Form    10.10.10.5     CRITICAL    9.8
+FIND-0003   RCE via Deserialization        10.10.10.8     CRITICAL    9.0
+FIND-0005   Default Credentials on VPN    10.10.10.1     CRITICAL    8.8
+
+3 finding(s) matched.
+```
+
+### Statistics Output
+
+```
+$ python finding_tracker.py stats
+
+Finding Statistics — Engagement: ACME-2026-05
+==============================================
+Total findings:     14
+
+Severity breakdown:
+  Critical:          3
+  High:              4
+  Medium:            5
+  Low:               1
+  Informational:     1
+
+Hosts affected:     6
+Missing remediation: 2 (FIND-0009, FIND-0011)
+
+Last updated: 2026-05-31 14:05:22
+```
+
+### Export Confirmation
+
+```
+$ python finding_tracker.py export --format html --output findings-report.html
+
+[+] Exported 14 findings to findings-report.html
+    Format:   HTML
+    Size:     48 KB
+```
+
+---
+
+## 5. Practical Usage Tips
+
+**Log immediately, not later.** Memory of technical detail degrades quickly. Run `add` within two minutes of confirming a finding, even if the description is brief. You can update it later.
+
+**Use severity consistently.** Follow this guide:
+- `critical` — Remote code execution, authentication bypass, direct data breach
+- `high` — Privilege escalation, significant data exposure, lateral movement path
+- `medium` — Information disclosure, misconfiguration without direct exploit path
+- `low` — Hardening gaps, verbose errors, minor policy violations
+- `info` — Noteworthy observations that are not vulnerabilities
+
+**Attach evidence paths.** Use `--evidence` to point to screenshots or PoC files. This makes the export report self-contained and speeds up the reporting phase.
+
+**Run `stats` before ending a session.** It surfaces findings with missing remediation notes, which are the most common cause of incomplete reports. Fix them while context is fresh.
+
+**Commit findings-master.csv frequently.** If working in a team, push the CSV to the shared engagement repo after every major phase (recon, initial access, post-exploitation) to avoid merge conflicts and data loss.
+
+**Cross-reference with `rt-report`.** When generating the final deliverable, run `export --format markdown` first, then pass the output path to `rt-report` for narrative generation and executive summary insertion.

package/packaged-assets/.agents/skills/rt-finding-tracker/workflow.md

@@ -0,0 +1,68 @@
+# Workflow - rt-finding-tracker
+
+## Purpose
+
+This workflow standardizes how $skill is executed inside RTExit. It is designed for authorized engagements, evidence-first documentation, and consistent handoff into reporting.
+
+## Authorization Gate
+
+Before execution, confirm:
+
+- SEAD exists and explicitly covers the target asset or activity.
+- Rules of Engagement define allowed techniques, rate limits, and stop conditions.
+- The operator knows the evidence handling rules.
+- Any active or sensitive validation has client approval.
+
+If any item is unclear, pause and invoke 
+
+## Required Inputs
+
+| Input | Source | Notes |
+|---|---|---|
+| Engagement reference | _rtexit/config.toml or SEAD | Used in output names. |
+| Target asset(s) | Scope document | Must be explicitly approved. |
+| Operator name | Config/user context | Used in timeline entries. |
+| Evidence directory | _rtexit-output/docs/evidence/ | Store logs, screenshots, and artifacts. |
+| Finding tracker | _rtexit-output/docs/findings/ | Create/update findings when confirmed. |
+
+## Execution Steps
+
+1. Load current engagement configuration.
+2. Read scope, exclusions, and current findings.
+3. Build a small test plan for this skill with target, expected control, and evidence type.
+4. Run the lowest-risk validation first.
+5. Capture baseline behavior before proof behavior.
+6. Record exact timestamp, account/role used, and affected asset.
+7. Stop when evidence is sufficient; avoid unnecessary data access.
+8. Create or update findings through the RTExit finding tracker.
+9. Map remediation owner and recommended timeline.
+10. Add a timeline entry and evidence chain entry.
+
+## Evidence Requirements
+
+| Evidence | Required? | Notes |
+|---|---|---|
+| Command or action summary | Yes | Redact secrets and tokens. |
+| Screenshot or transcript | If useful | Store under evidence folder. |
+| Request/response pair | For web/API | Redact cookies and bearer tokens. |
+| Config excerpt | For cloud/infra | Include only relevant lines. |
+| Business impact note | Yes | Explain why it matters. |
+
+## Autodoc Commands
+
+`ash
+python _rtexit/scripts/autodoc_engine.py log --skill rt-finding-tracker --phase auto --cmd "workflow execution" --output "summary"
+python _rtexit/scripts/finding_tracker.py list
+`
+
+## Completion Criteria
+
+- Scope and authorization are referenced.
+- Evidence is stored and redacted.
+- Findings are added or explicitly marked as not found.
+- Remediation guidance is actionable.
+- Timeline and chain of custody are updated where applicable.
+
+## Handoff
+
+Send confirmed findings to