rtexit-method 0.1.24 → 0.1.26

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rtexit-method",
-  "version": "0.1.24",
+  "version": "0.1.26",
   "description": "RTExit - AI-assisted Red Team methodology installer",
   "license": "MIT",
   "author": "Exit Code",

package/packaged-assets/.agents/skills/rt-agent-breaker/SKILL.md

@@ -1,7 +1,43 @@
----
+---
 name: rt-agent-breaker
 description: "Vulnerability Analyst agent (Karim). Invoke for web application testing (OWASP WSTG), API security, injection attacks, authentication bypass, file upload exploitation, language-specific vulnerabilities (PHP/Python/Java/Node.js/.NET), database exploitation, JWT/OAuth attacks, WordPress/CMS hacking."
 ---
+## Step 0 — Docker Environment Check (REQUIRED BEFORE ANYTHING)
+
+Before activating, verify the RTExit Kali container is running:
+
+```bash
+docker ps --filter "name=rtexit-kali" --format "{{.Status}}"
+```
+
+**If the output shows `Up`** → proceed to Step 1.
+
+**If the container is NOT running**, say exactly this to the user:
+
+> ⚠️ **rtexit-kali container is not running.**
+> Please start it with:
+> ```bash
+> docker start rtexit-kali
+> ```
+> Or if it doesn't exist yet:
+> ```bash
+> docker run -d \
+>   --name rtexit-kali \
+>   --network lab_rtexit-lab \
+>   --ip 192.168.200.10 \
+>   --cap-add NET_ADMIN \
+>   --cap-add NET_RAW \
+>   -p 2222:22 -p 4444:4444 -p 8080:8080 \
+>   -v "$(pwd)/docker/lab/workspace:/workspace" \
+>   rtexit/kali:v3.1
+> ```
+> Let me know when it's running and I'll continue.
+
+**Once confirmed running**, save to memory:
+> 🧠 **Memory note:** rtexit-kali Docker container is active. All attack commands must use `docker exec rtexit-kali bash -c "COMMAND"` or `docker exec -it rtexit-kali bash` for interactive sessions. This applies for the entire session.
+
+---
+
 
 # 💀 Karim — Vulnerability Analyst & Exploitation Specialist
 
@@ -25,6 +61,7 @@ Technical precision with CVSS scores. Documents every step for reproducibility.
 Load from: `file:{project-root}/_rtexit-output/docs/engagement/scope.md`
 Load from: `file:{project-root}/_rtexit-output/docs/findings/findings-master.csv`
 Load from: `file:{project-root}/_rtexit-output/docs/engagement/timeline.md`
+Load from: `file:{project-root}/_rtexit/TOOLS.md` — verified Docker tools reference (all 11 phases)
 
 **Step 5 — Load Config**
 ```

package/packaged-assets/.agents/skills/rt-agent-breaker/customize.toml

@@ -74,3 +74,55 @@ skill = "rt-exploit-databases"
 code = "LG"
 description = "Language-specific attacks — PHP, Python, Java, Node.js, .NET"
 skill = "rt-exploit-frameworks"
+
+[[agent.menu]]
+code = "SC"
+description = "Syscall bypass — direct syscalls, Syswhispers3, HellsGate, HalosGate to evade EDR hooks"
+skill = "rt-syscall-bypass"
+
+[[agent.menu]]
+code = "ET"
+description = "ETW bypass — patch EtwEventWrite, kill EDR telemetry, blind SIEM"
+skill = "rt-etw-bypass"
+
+[[agent.menu]]
+code = "PI"
+description = "Advanced process injection — hollowing, APC, module stomping, thread hijacking, doppelganging"
+skill = "rt-process-injection-advanced"
+
+[[agent.menu]]
+code = "PP"
+description = "PPID spoofing — fake parent process to bypass EDR parent-child behavioral rules"
+skill = "rt-ppid-spoofing"
+
+[[agent.menu]]
+code = "SM"
+description = "Beacon sleep masking — Ekko/Foliage memory encryption, PE stomping, heap encryption for C2 persistence"
+skill = "rt-beacon-sleep-masking"
+
+[[agent.menu]]
+code = "CL"
+description = "CLM/JEA escape — break out of Constrained Language Mode and Just Enough Administration restrictions"
+skill = "rt-clm-jea-escape"
+
+[[agent.menu]]
+code = "AC"
+description = "ADCS ESC9-13 — advanced certificate template abuse, latest SpecterOps research 2024"
+skill = "rt-adcs-esc9-13"
+
+[context_awareness]
+context_file = "{project-root}/_rtexit-output/data/engagement-context.json"
+reads_live_hosts = true
+
+[kali_integration]
+web_command = "bash {project-root}/scripts/rt-web-full-scan.sh {target}"
+ad_command = "bash {project-root}/scripts/rt-ad-full.sh {dc_ip} {domain} {user} {pass}"
+nuclei_command = "nuclei -u {target} -t {project-root}/nuclei-templates/rtexit/"
+
+[[smart_recommendations]]
+condition = "attack_surface.web_apps > 0"
+suggest = "Run: bash scripts/rt-web-full-scan.sh {target}"
+
+[[smart_recommendations]]
+condition = "ports contains 445 or ports contains 88"
+suggest = "AD detected — Run: bash scripts/rt-ad-full.sh {dc_ip} {domain} {user} {pass}"

package/packaged-assets/.agents/skills/rt-agent-commander/SKILL.md

@@ -1,7 +1,43 @@
----
+---
 name: rt-agent-commander
 description: "Red Team Commander agent (Ahmed). Invoke when starting a new engagement, defining scope, creating SEAD, selecting methodology, threat modeling, or planning strategy. Coordinates all other agents. Manages authorization and engagement lifecycle."
 ---
+## Step 0 — Docker Environment Check (REQUIRED BEFORE ANYTHING)
+
+Before activating, verify the RTExit Kali container is running:
+
+```bash
+docker ps --filter "name=rtexit-kali" --format "{{.Status}}"
+```
+
+**If the output shows `Up`** → proceed to Step 1.
+
+**If the container is NOT running**, say exactly this to the user:
+
+> ⚠️ **rtexit-kali container is not running.**
+> Please start it with:
+> ```bash
+> docker start rtexit-kali
+> ```
+> Or if it doesn't exist yet:
+> ```bash
+> docker run -d \
+>   --name rtexit-kali \
+>   --network lab_rtexit-lab \
+>   --ip 192.168.200.10 \
+>   --cap-add NET_ADMIN \
+>   --cap-add NET_RAW \
+>   -p 2222:22 -p 4444:4444 -p 8080:8080 \
+>   -v "$(pwd)/docker/lab/workspace:/workspace" \
+>   rtexit/kali:v3.1
+> ```
+> Let me know when it's running and I'll continue.
+
+**Once confirmed running**, save to memory:
+> 🧠 **Memory note:** rtexit-kali Docker container is active. All attack commands must use `docker exec rtexit-kali bash -c "COMMAND"` or `docker exec -it rtexit-kali bash` for interactive sessions. This applies for the entire session.
+
+---
+
 
 # 🎯 Ahmed — Red Team Commander
 
@@ -25,6 +61,7 @@ Tactical and precise. Every recommendation tied to business impact. Uses MITRE A
 Load from: `file:{project-root}/_rtexit-output/docs/engagement/scope.md`
 Load from: `file:{project-root}/_rtexit-output/docs/findings/findings-master.csv`
 Load from: `file:{project-root}/_rtexit-output/docs/engagement/timeline.md`
+Load from: `file:{project-root}/_rtexit/TOOLS.md` — verified Docker tools reference (all 11 phases)
 
 **Step 5 — Load Config**
 ```

package/packaged-assets/.agents/skills/rt-agent-commander/customize.toml

@@ -65,3 +65,43 @@ skill = "rt-status"
 code = "RM"
 description = "Generate risk matrix for executive presentation"
 skill = "rt-risk-matrix"
+
+[[agent.menu]]
+code = "PT"
+description = "Purple team — adversary simulation with Caldera + Atomic Red Team (Docker lab: 192.168.200.54:8888)"
+skill = "rt-purple-team"
+
+[context_awareness]
+# Commander automatically reads engagement-context.json on activation
+context_file = "{project-root}/_rtexit-output/data/engagement-context.json"
+auto_suggest = true
+
+[[smart_recommendations]]
+condition = "phase == 'planning' and findings == []"
+suggest = "Start with rt-recon → rt-osint → rt-attack-surface-map"
+
+[[smart_recommendations]]
+condition = "subdomains > 0 and live_hosts == []"
+suggest = "Run rt-active-recon to find live hosts from discovered subdomains"
+
+[[smart_recommendations]]
+condition = "live_hosts > 0 and findings == []"
+suggest = "Run rt-exploit-web or rt-web-full-scan.sh on live hosts"
+
+[[smart_recommendations]]
+condition = "credentials.valid > 0 and phase != 'post-exploitation'"
+suggest = "Valid credentials found — pivot with rt-lateral-movement or rt-exploit-active-directory"
+
+[[smart_recommendations]]
+condition = "findings.critical > 0"
+suggest = "Critical findings present — document with rt-finding-document then rt-executive-report"
+
+[kali_integration]
+# Commands Commander can suggest to run directly
+automation_scripts = [
+  "bash scripts/rt-recon.sh {target}",
+  "bash scripts/rt-web-full-scan.sh {target}",
+  "bash scripts/rt-ad-full.sh {dc_ip} {domain} {user} {pass}",
+  "bash scripts/rt-aws-audit.sh"
+]
+docker_command = "docker exec -it rtexit-kali bash -c '{command}'"

package/packaged-assets/.agents/skills/rt-agent-ghost/SKILL.md

@@ -1,7 +1,43 @@
----
+---
 name: rt-agent-ghost
 description: "Post-Exploitation specialist agent (Sara). Invoke after initial access is obtained. Covers internal discovery, privilege escalation (Windows + Linux), lateral movement, persistence mechanisms, C2 operations, Active Directory attacks (Kerberoasting, BloodHound, DCSync), cloud post-exploitation (AWS/Azure/GCP), data exfiltration PoC."
 ---
+## Step 0 — Docker Environment Check (REQUIRED BEFORE ANYTHING)
+
+Before activating, verify the RTExit Kali container is running:
+
+```bash
+docker ps --filter "name=rtexit-kali" --format "{{.Status}}"
+```
+
+**If the output shows `Up`** → proceed to Step 1.
+
+**If the container is NOT running**, say exactly this to the user:
+
+> ⚠️ **rtexit-kali container is not running.**
+> Please start it with:
+> ```bash
+> docker start rtexit-kali
+> ```
+> Or if it doesn't exist yet:
+> ```bash
+> docker run -d \
+>   --name rtexit-kali \
+>   --network lab_rtexit-lab \
+>   --ip 192.168.200.10 \
+>   --cap-add NET_ADMIN \
+>   --cap-add NET_RAW \
+>   -p 2222:22 -p 4444:4444 -p 8080:8080 \
+>   -v "$(pwd)/docker/lab/workspace:/workspace" \
+>   rtexit/kali:v3.1
+> ```
+> Let me know when it's running and I'll continue.
+
+**Once confirmed running**, save to memory:
+> 🧠 **Memory note:** rtexit-kali Docker container is active. All attack commands must use `docker exec rtexit-kali bash -c "COMMAND"` or `docker exec -it rtexit-kali bash` for interactive sessions. This applies for the entire session.
+
+---
+
 
 # 👻 Sara — Post-Exploitation & Lateral Movement Specialist
 
@@ -25,6 +61,7 @@ OPSEC-conscious. Always includes detection risk rating per technique. Documents
 Load from: `file:{project-root}/_rtexit-output/docs/engagement/scope.md`
 Load from: `file:{project-root}/_rtexit-output/docs/findings/findings-master.csv`
 Load from: `file:{project-root}/_rtexit-output/docs/engagement/timeline.md`
+Load from: `file:{project-root}/_rtexit/TOOLS.md` — verified Docker tools reference (all 11 phases)
 
 **Step 5 — Load Config**
 ```

package/packaged-assets/.agents/skills/rt-agent-ghost/customize.toml

@@ -75,3 +75,53 @@ skill = "rt-defense-evasion"
 code = "EX"
 description = "Data exfiltration PoC — minimum viable sample per SEAD guidelines"
 skill = "rt-data-exfiltration"
+
+[[agent.menu]]
+code = "CO"
+description = "Coercion attacks — force DC/server auth via MS-RPRN/PetitPotam/MS-DFSNM using Coercer (Docker: rtexit/kali:v3.1)"
+skill = "rt-coercion-attacks"
+
+[[agent.menu]]
+code = "V6"
+description = "IPv6 MITM — rogue DHCPv6 + DNS takeover + NTLM relay using mitm6 (Docker: rtexit/kali:v3.1)"
+skill = "rt-ipv6-mitm"
+
+[[agent.menu]]
+code = "DP"
+description = "DPAPI hunting — extract browser/WiFi/RDP/cert credentials domain-wide using DonPAPI (Docker: rtexit/kali:v3.1)"
+skill = "rt-dpapi-hunting"
+
+[[agent.menu]]
+code = "NP"
+description = "NoPac exploit — CVE-2021-42278/42287 instant Domain Admin via sAMAccountName spoofing (Docker: rtexit/kali:v3.1)"
+skill = "rt-nopac-exploit"
+
+[[agent.menu]]
+code = "KR"
+description = "Kerberos relay (KrbRelayUp) — local PrivEsc to SYSTEM without admin, RBCD via Kerberos, works when NTLM disabled"
+skill = "rt-kerberos-relay"
+
+[[agent.menu]]
+code = "DT"
+description = "Diamond/Sapphire tickets — undetectable Kerberos ticket forging, evades Golden Ticket detection"
+skill = "rt-diamond-sapphire-tickets"
+
+[[agent.menu]]
+code = "SK"
+description = "Skeleton key — inject DC master password backdoor, authenticate as any user without knowing their password"
+skill = "rt-skeleton-key"
+
+[[agent.menu]]
+code = "ZL"
+description = "Zerologon (CVE-2020-1472) — instant domain compromise with zero credentials via MS-NRPC flaw"
+skill = "rt-zerologon"
+
+[[agent.menu]]
+code = "PNR"
+description = "PrintNightmare RCE (CVE-2021-34527) — SYSTEM on any host as any domain user via Print Spooler"
+skill = "rt-printnightmare-rce"
+
+[[agent.menu]]
+code = "GS"
+description = "Golden SAML — forge SAML tokens using ADFS cert for persistent access to O365/Azure/AWS without passwords"
+skill = "rt-golden-saml"

package/packaged-assets/.agents/skills/rt-agent-navigator/SKILL.md

@@ -1,7 +1,43 @@
----
+---
 name: rt-agent-navigator
 description: "Mobile and Desktop Specialist agent (Rami). Invoke for Android/iOS application testing (OWASP MASVS), Electron app exploitation, Windows desktop (.NET/Win32) attacks, macOS app testing, IoT firmware analysis, SCADA/ICS security assessment. Reverse engineering and binary analysis."
 ---
+## Step 0 — Docker Environment Check (REQUIRED BEFORE ANYTHING)
+
+Before activating, verify the RTExit Kali container is running:
+
+```bash
+docker ps --filter "name=rtexit-kali" --format "{{.Status}}"
+```
+
+**If the output shows `Up`** → proceed to Step 1.
+
+**If the container is NOT running**, say exactly this to the user:
+
+> ⚠️ **rtexit-kali container is not running.**
+> Please start it with:
+> ```bash
+> docker start rtexit-kali
+> ```
+> Or if it doesn't exist yet:
+> ```bash
+> docker run -d \
+>   --name rtexit-kali \
+>   --network lab_rtexit-lab \
+>   --ip 192.168.200.10 \
+>   --cap-add NET_ADMIN \
+>   --cap-add NET_RAW \
+>   -p 2222:22 -p 4444:4444 -p 8080:8080 \
+>   -v "$(pwd)/docker/lab/workspace:/workspace" \
+>   rtexit/kali:v3.1
+> ```
+> Let me know when it's running and I'll continue.
+
+**Once confirmed running**, save to memory:
+> 🧠 **Memory note:** rtexit-kali Docker container is active. All attack commands must use `docker exec rtexit-kali bash -c "COMMAND"` or `docker exec -it rtexit-kali bash` for interactive sessions. This applies for the entire session.
+
+---
+
 
 # 📱 Rami — Mobile & Desktop Specialist
 
@@ -25,6 +61,7 @@ Platform-specific and tool-driven. References MASVS categories. Includes specifi
 Load from: `file:{project-root}/_rtexit-output/docs/engagement/scope.md`
 Load from: `file:{project-root}/_rtexit-output/docs/findings/findings-master.csv`
 Load from: `file:{project-root}/_rtexit-output/docs/engagement/timeline.md`
+Load from: `file:{project-root}/_rtexit/TOOLS.md` — verified Docker tools reference (all 11 phases)
 
 **Step 5 — Load Config**
 ```

package/packaged-assets/.agents/skills/rt-agent-phantom/SKILL.md

@@ -1,7 +1,43 @@
----
+---
 name: rt-agent-phantom
 description: "Social Engineering and Physical Security specialist agent (Omar). Invoke for phishing campaigns (DMARC bypass, email spoofing), spear phishing, vishing scripts, Business Email Compromise (BEC), physical security testing (badge cloning, lock picking, tailgating), RFID/NFC exploitation, and onsite infiltration planning."
 ---
+## Step 0 — Docker Environment Check (REQUIRED BEFORE ANYTHING)
+
+Before activating, verify the RTExit Kali container is running:
+
+```bash
+docker ps --filter "name=rtexit-kali" --format "{{.Status}}"
+```
+
+**If the output shows `Up`** → proceed to Step 1.
+
+**If the container is NOT running**, say exactly this to the user:
+
+> ⚠️ **rtexit-kali container is not running.**
+> Please start it with:
+> ```bash
+> docker start rtexit-kali
+> ```
+> Or if it doesn't exist yet:
+> ```bash
+> docker run -d \
+>   --name rtexit-kali \
+>   --network lab_rtexit-lab \
+>   --ip 192.168.200.10 \
+>   --cap-add NET_ADMIN \
+>   --cap-add NET_RAW \
+>   -p 2222:22 -p 4444:4444 -p 8080:8080 \
+>   -v "$(pwd)/docker/lab/workspace:/workspace" \
+>   rtexit/kali:v3.1
+> ```
+> Let me know when it's running and I'll continue.
+
+**Once confirmed running**, save to memory:
+> 🧠 **Memory note:** rtexit-kali Docker container is active. All attack commands must use `docker exec rtexit-kali bash -c "COMMAND"` or `docker exec -it rtexit-kali bash` for interactive sessions. This applies for the entire session.
+
+---
+
 
 # 🎭 Omar — Social Engineering & Physical Security Specialist
 
@@ -25,6 +61,7 @@ Persuasive and scenario-focused. Builds detailed pretexts. Always includes proba
 Load from: `file:{project-root}/_rtexit-output/docs/engagement/scope.md`
 Load from: `file:{project-root}/_rtexit-output/docs/findings/findings-master.csv`
 Load from: `file:{project-root}/_rtexit-output/docs/engagement/timeline.md`
+Load from: `file:{project-root}/_rtexit/TOOLS.md` — verified Docker tools reference (all 11 phases)
 
 **Step 5 — Load Config**
 ```

package/packaged-assets/.agents/skills/rt-agent-scout/SKILL.md

@@ -1,7 +1,43 @@
----
+---
 name: rt-agent-scout
 description: "Reconnaissance Specialist agent (Nour). Invoke for OSINT, subdomain enumeration, attack surface mapping, JavaScript bundle analysis, credential hunting, Shodan/Censys recon, employee directory building. Passive-first approach."
 ---
+## Step 0 — Docker Environment Check (REQUIRED BEFORE ANYTHING)
+
+Before activating, verify the RTExit Kali container is running:
+
+```bash
+docker ps --filter "name=rtexit-kali" --format "{{.Status}}"
+```
+
+**If the output shows `Up`** → proceed to Step 1.
+
+**If the container is NOT running**, say exactly this to the user:
+
+> ⚠️ **rtexit-kali container is not running.**
+> Please start it with:
+> ```bash
+> docker start rtexit-kali
+> ```
+> Or if it doesn't exist yet:
+> ```bash
+> docker run -d \
+>   --name rtexit-kali \
+>   --network lab_rtexit-lab \
+>   --ip 192.168.200.10 \
+>   --cap-add NET_ADMIN \
+>   --cap-add NET_RAW \
+>   -p 2222:22 -p 4444:4444 -p 8080:8080 \
+>   -v "$(pwd)/docker/lab/workspace:/workspace" \
+>   rtexit/kali:v3.1
+> ```
+> Let me know when it's running and I'll continue.
+
+**Once confirmed running**, save to memory:
+> 🧠 **Memory note:** rtexit-kali Docker container is active. All attack commands must use `docker exec rtexit-kali bash -c "COMMAND"` or `docker exec -it rtexit-kali bash` for interactive sessions. This applies for the entire session.
+
+---
+
 
 # 🔭 Nour — Reconnaissance Specialist
 
@@ -25,6 +61,7 @@ Data-driven and organized. Presents findings in structured attack surface maps.
 Load from: `file:{project-root}/_rtexit-output/docs/engagement/scope.md`
 Load from: `file:{project-root}/_rtexit-output/docs/findings/findings-master.csv`
 Load from: `file:{project-root}/_rtexit-output/docs/engagement/timeline.md`
+Load from: `file:{project-root}/_rtexit/TOOLS.md` — verified Docker tools reference (all 11 phases)
 
 **Step 5 — Load Config**
 ```

package/packaged-assets/.agents/skills/rt-agent-scout/customize.toml

@@ -59,3 +59,20 @@ skill = "rt-shodan-recon"
 code = "AS"
 description = "Build complete attack surface map from all recon data"
 skill = "rt-attack-surface-map"
+
+[context_awareness]
+context_file = "{project-root}/_rtexit-output/data/engagement-context.json"
+auto_load = true
+
+[kali_integration]
+quick_command = "bash {project-root}/scripts/rt-recon.sh {target}"
+osint_command = "bash {project-root}/scripts/rt-osint.sh {target}"
+output_feeds_context = true
+
+[[smart_recommendations]]
+condition = "recon.subdomains == []"
+suggest = "bash scripts/rt-recon.sh {target} — runs subfinder+amass+httpx automatically"
+
+[[smart_recommendations]]
+condition = "recon.subdomains > 0 and recon.live_hosts == []"
+suggest = "bash scripts/rt-osint.sh {target} — runs OSINT pipeline automatically"

package/packaged-assets/.agents/skills/rt-agent-scribe/SKILL.md

@@ -1,7 +1,43 @@
----
+---
 name: rt-agent-scribe
 description: "Report Writer and Evidence Specialist agent (Layla). Invoke for documenting findings (single finding with CVSS), generating executive and technical reports, MITRE ATT&CK mapping, Kill Chain mapping, remediation roadmaps, chain of custody documentation, PoC writing, and compliance mapping (PCI-DSS, GDPR, ISO 27001)."
 ---
+## Step 0 — Docker Environment Check (REQUIRED BEFORE ANYTHING)
+
+Before activating, verify the RTExit Kali container is running:
+
+```bash
+docker ps --filter "name=rtexit-kali" --format "{{.Status}}"
+```
+
+**If the output shows `Up`** → proceed to Step 1.
+
+**If the container is NOT running**, say exactly this to the user:
+
+> ⚠️ **rtexit-kali container is not running.**
+> Please start it with:
+> ```bash
+> docker start rtexit-kali
+> ```
+> Or if it doesn't exist yet:
+> ```bash
+> docker run -d \
+>   --name rtexit-kali \
+>   --network lab_rtexit-lab \
+>   --ip 192.168.200.10 \
+>   --cap-add NET_ADMIN \
+>   --cap-add NET_RAW \
+>   -p 2222:22 -p 4444:4444 -p 8080:8080 \
+>   -v "$(pwd)/docker/lab/workspace:/workspace" \
+>   rtexit/kali:v3.1
+> ```
+> Let me know when it's running and I'll continue.
+
+**Once confirmed running**, save to memory:
+> 🧠 **Memory note:** rtexit-kali Docker container is active. All attack commands must use `docker exec rtexit-kali bash -c "COMMAND"` or `docker exec -it rtexit-kali bash` for interactive sessions. This applies for the entire session.
+
+---
+
 
 # 📝 Layla — Report Writer & Evidence Specialist
 
@@ -25,6 +61,7 @@ Clear and structured. Uses risk ratings, CVSS scores, and plain-language impact
 Load from: `file:{project-root}/_rtexit-output/docs/engagement/scope.md`
 Load from: `file:{project-root}/_rtexit-output/docs/findings/findings-master.csv`
 Load from: `file:{project-root}/_rtexit-output/docs/engagement/timeline.md`
+Load from: `file:{project-root}/_rtexit/TOOLS.md` — verified Docker tools reference (all 11 phases)
 
 **Step 5 — Load Config**
 ```

package/packaged-assets/.agents/skills/rt-agent-scribe/customize.toml

@@ -75,3 +75,19 @@ skill = "rt-poc-writer"
 code = "CM"
 description = "Map findings to compliance frameworks (PCI-DSS, GDPR, ISO 27001)"
 skill = "rt-compliance-mapper"
+
+[context_awareness]
+context_file = "{project-root}/_rtexit-output/data/engagement-context.json"
+reads_findings = true
+auto_generate = true
+
+[kali_integration]
+report_command = "bash {project-root}/scripts/rt-report.sh"
+
+[[smart_recommendations]]
+condition = "findings > 0"
+suggest = "Run: bash scripts/rt-report.sh — auto-generates executive + technical report"
+
+[[smart_recommendations]]
+condition = "findings.critical > 0"
+suggest = "CRITICAL findings present — generate report immediately: bash scripts/rt-report.sh"