breslin 0.1.0__tar.gz

breslin-0.1.0/PKG-INFO

@@ -0,0 +1,261 @@
+Metadata-Version: 2.3
+Name: breslin
+Version: 0.1.0
+Summary: Any break requires three things: knowing the layout, understanding the routine and help from outside or inside
+Author: vvcb
+Author-email: vvcb <vvcb.n1@gmail.com>
+Requires-Dist: deepagents>=0.6.8
+Requires-Dist: fastmcp>=3.4.0
+Requires-Python: >=3.14
+Description-Content-Type: text/markdown
+
+# Breslin
+
+An **authorised** red-team CTF agent for Kubernetes. It runs
+[opencode](https://github.com/sst/opencode) in headless mode inside a
+deliberately-constrained pod and attempts a catalog of read-only
+enumeration / credential-access / lateral-movement techniques against the
+cluster, validating that the platform's security controls (RBAC,
+NetworkPolicy, Pod Security Admission) actually hold.
+
+The agent runs as a one-shot Kubernetes **Job**: it captures planted
+`KARECTL{...}` flags where controls are weak, and records `BLOCKED` where they
+hold. A blocked attempt is as valuable as a capture.
+
+> ⚠️ This is a sanctioned security-validation tool. It is read-only by design
+> (no `delete` / `patch` / `create` against live objects) and is scoped to a
+> sandbox namespace via namespace-only RBAC. Only run it against clusters you
+> own or are explicitly authorised to test.
+
+---
+
+## Repository layout
+
+```
+.
+├── Dockerfile              # container image (system tools + kubectl + opencode + uv venv)
+├── pyproject.toml          # Python project (uv-managed); console script: redteam-agent
+├── uv.lock
+├── src/redteam_agent/      # the Python wrapper (was entrypoint.sh)
+│   ├── cli.py              #   orchestration + opencode launch
+│   ├── config.py           #   backend config + opencode config writer
+│   └── preflight.py        #   identity canary + backend reachability
+├── mission/                # agent instruction payload (baked into the image)
+│   ├── MISSION.md          #   rules of engagement + objective
+│   └── skills/             #   skill catalog the agent reads and executes
+├── deploy/                 # Kubernetes manifests (Kustomize)
+│   ├── base/               #   namespace, SA, RBAC, ConfigMap, ExternalSecret,
+│   │                       #   PVC, Job, killswitch CronJob, CiliumNetworkPolicy
+│   ├── overlays/           #   per-environment patches
+│   │   ├── local/          #     local k3s (locally-built image)
+│   │   └── dev/            #     dev cluster (registry image)
+│   └── flags/              #   planted CTF flag Secrets (tier-1 / tier-2)
+└── scripts/load-image.sh   # build + import image into k3s on a Multipass VM
+```
+
+This repo is a **standalone application**. It was previously a component in an
+ArgoCD app-of-apps monorepo; the ApplicationSet/GitOps wiring lived in the
+parent repo and has been removed. You deploy it directly with `kustomize`.
+
+---
+
+## How the agent works
+
+`src/redteam_agent/cli.py` is the container ENTRYPOINT. On each run it:
+
+1. Prints identity / RBAC context (`kubectl auth can-i --list`).
+2. Runs the **identity canary** — aborts (exit code `2` = INVALID environment)
+   if the pod can create `ClusterRoleBindings` or read `kube-system` secrets.
+   A CTF pod that powerful means the sandbox is misconfigured.
+3. Resolves the LLM backend from env vars and checks it is reachable
+   (fails fast, exit `1`, if not).
+4. Stages `MISSION.md` + the skill catalog into `/workspace`.
+5. Writes the opencode config for the chosen backend and launches opencode
+   headless under a wall-clock timeout, teeing output to a per-run log.
+6. Guarantees a `findings-*.md` document exists in `/workspace/output`.
+
+Supported backends (via `AGENT_BACKEND`): `openai`, `azure-openai`,
+`anthropic`, `ollama`. See [Configuration](#configuration-reference).
+
+---
+
+## Local development (Python + uv)
+
+This project uses [uv](https://docs.astral.sh/uv/). Dependencies are pinned in
+`uv.lock`.
+
+```bash
+# Install deps into a local .venv (incl. dev tools)
+uv sync --extra dev
+
+# Lint
+uv run ruff check src/
+
+# Run the wrapper locally (outside Kubernetes).
+# With no SA token mounted, kubectl calls fail gracefully and the run is
+# recorded as a non-cluster smoke test. A reachable backend is still required.
+export AGENT_BACKEND=openai
+export OPENAI_API_KEY=sk-...
+export AGENT_MAX_ITERATIONS=5
+uv run redteam-agent
+```
+
+> Running locally still shells out to `opencode` and `kubectl`. For a faithful
+> end-to-end test, build the image and run it in the cluster (below).
+
+---
+
+## Build the image
+
+```bash
+docker build -t redteam-agent:local-dev .
+```
+
+The build installs system recon tooling, `kubectl`, the `opencode` binary, and
+creates the uv-managed virtualenv at `/opt/venv`. The `redteam-agent` console
+script is the ENTRYPOINT.
+
+### Load into local k3s (Multipass VM)
+
+```bash
+./scripts/load-image.sh            # builds, saves, transfers, imports into k3s
+# or pass a VM name: ./scripts/load-image.sh my-vm
+```
+
+### Push to a registry (dev cluster)
+
+```bash
+docker tag redteam-agent:local-dev ghcr.io/<org>/redteam-agent:latest
+docker push ghcr.io/<org>/redteam-agent:latest
+```
+
+---
+
+## Run it in the cluster
+
+The agent runs as a Kubernetes Job, applied with Kustomize. Inspect the
+rendered manifests before applying:
+
+```bash
+kubectl kustomize deploy/overlays/local      # render local overlay
+kubectl kustomize deploy/overlays/dev         # render dev overlay
+```
+
+### 1. Credentials
+
+The Job reads LLM credentials from a Secret named `openai-credentials`
+(mounted via `envFrom ... optional: true`). Two ways to provide it:
+
+- **External Secrets Operator (ESO)** — `deploy/base/external-secret.yaml`
+  pulls the key from a `ClusterSecretStore` named `secret-store`. Use this if
+  your cluster runs ESO.
+- **Plain Secret** — if you don't run ESO, create the Secret directly. The key
+  name must match the backend (`OPENAI_API_KEY` for `openai`/`azure-openai`,
+  `ANTHROPIC_API_KEY` for `anthropic`):
+
+  ```bash
+  kubectl create namespace redteam-sandbox
+  kubectl -n redteam-sandbox create secret generic openai-credentials \
+    --from-literal=OPENAI_API_KEY="sk-..."
+  ```
+
+  > If your cluster has no ESO CRDs, remove `external-secret.yaml` from
+  > `deploy/base/kustomization.yaml` first (otherwise the apply fails on the
+  > unknown `ExternalSecret` kind).
+
+### 2. Plant the CTF flags (optional)
+
+```bash
+kubectl apply -k deploy/flags
+```
+
+This creates the tier-1 (same-namespace) and tier-2 (cross-namespace) flag
+Secrets the agent hunts for.
+
+### 3. Deploy and run
+
+```bash
+# Local k3s overlay (uses the locally-loaded image)
+kubectl apply -k deploy/overlays/local
+
+# Watch the Job
+kubectl -n redteam-sandbox get jobs,pods -w
+
+# Stream the agent's output
+kubectl -n redteam-sandbox logs -f job/redteam-agent
+```
+
+Findings are written to the `redteam-output` PVC at `/workspace/output`. To pull
+them out:
+
+```bash
+POD=$(kubectl -n redteam-sandbox get pod -l app=redteam-agent -o name | head -1)
+kubectl -n redteam-sandbox cp "${POD#pod/}:/workspace/output" ./output
+```
+
+### 4. Re-run
+
+A Job is immutable. To run again, delete and re-apply:
+
+```bash
+kubectl -n redteam-sandbox delete job redteam-agent
+kubectl apply -k deploy/overlays/local
+```
+
+A **killswitch CronJob** (`deploy/base/cronjob.yaml`) hard-deletes stale
+`redteam=true` jobs/pods hourly as a safety net.
+
+### Clean up
+
+```bash
+kubectl delete -k deploy/overlays/local
+kubectl delete -k deploy/flags
+```
+
+---
+
+## Configuration reference
+
+Set via the `agent-config` ConfigMap (`deploy/base/configmap.yaml`) or
+per-environment overlay patches.
+
+| Environment Variable | Default | Description |
+|---|---|---|
+| `AGENT_BACKEND` | `openai` | LLM backend: `openai` / `azure-openai` / `anthropic` / `ollama` |
+| `AGENT_MAX_ITERATIONS` | `50` | Advisory iteration cap (informs the timeout) |
+| `AGENT_TIMEOUT_SECONDS` | `max_iterations × 60` | Wall-clock timeout for the opencode run |
+| `OPENAI_API_KEY` | — | OpenAI key (from the `openai-credentials` Secret) |
+| `OPENAI_MODEL` | `gpt-4o-mini` | OpenAI model name |
+| `OPENAI_API_BASE` | `https://api.openai.com/v1` | OpenAI-compatible base URL |
+| `OLLAMA_HOST` | `http://localhost:11434` | Ollama server URL |
+| `OLLAMA_MODEL` | `qwen2.5-coder:7b` | Ollama model name |
+| `ANTHROPIC_API_KEY` | — | Anthropic key (`anthropic` backend) |
+| `ANTHROPIC_MODEL` | `claude-sonnet-4-20250514` | Anthropic model name |
+| `AZURE_OPENAI_ENDPOINT` | — | `https://<resource>.openai.azure.com` |
+| `AZURE_OPENAI_DEPLOYMENT` | `gpt-4.1` | Azure deployment name (used as the model) |
+| `AZURE_OPENAI_API_VERSION` | `2024-02-01` | Azure API version |
+| `AZURE_OPENAI_API_KEY` | — | Azure OpenAI key |
+
+### Cost control (hosted backends)
+
+- Use a dedicated project/key with a spend cap.
+- Use a cheap model (`gpt-4o-mini`) for iteration; switch to a larger model only
+  for documented "real" runs.
+- Keep `AGENT_MAX_ITERATIONS` conservative (5–25 for dev).
+- Review token usage in the run log after each run.
+
+---
+
+## Security model
+
+- **Namespace-only RBAC.** `researcher-sa` gets a `Role` (not `ClusterRole`)
+  scoped to `redteam-sandbox`: read pods/services/configmaps/PVCs and
+  get/list secrets. No cluster-scoped grants, ever.
+- **Hardened pod.** Non-root (UID 1000), read-only root filesystem, all
+  capabilities dropped, `seccompProfile: RuntimeDefault`, namespace enforces
+  PSA `restricted`.
+- **Default-deny egress.** A `CiliumNetworkPolicy` allows only DNS, the
+  in-cluster API server, and the configured LLM API FQDNs; cloud IMDS
+  (`169.254.169.254`) is explicitly denied.
+- **Identity canary.** The wrapper aborts before doing anything if its identity
+  is unexpectedly powerful.

breslin-0.1.0/README.md

@@ -0,0 +1,250 @@
+# Breslin
+
+An **authorised** red-team CTF agent for Kubernetes. It runs
+[opencode](https://github.com/sst/opencode) in headless mode inside a
+deliberately-constrained pod and attempts a catalog of read-only
+enumeration / credential-access / lateral-movement techniques against the
+cluster, validating that the platform's security controls (RBAC,
+NetworkPolicy, Pod Security Admission) actually hold.
+
+The agent runs as a one-shot Kubernetes **Job**: it captures planted
+`KARECTL{...}` flags where controls are weak, and records `BLOCKED` where they
+hold. A blocked attempt is as valuable as a capture.
+
+> ⚠️ This is a sanctioned security-validation tool. It is read-only by design
+> (no `delete` / `patch` / `create` against live objects) and is scoped to a
+> sandbox namespace via namespace-only RBAC. Only run it against clusters you
+> own or are explicitly authorised to test.
+
+---
+
+## Repository layout
+
+```
+.
+├── Dockerfile              # container image (system tools + kubectl + opencode + uv venv)
+├── pyproject.toml          # Python project (uv-managed); console script: redteam-agent
+├── uv.lock
+├── src/redteam_agent/      # the Python wrapper (was entrypoint.sh)
+│   ├── cli.py              #   orchestration + opencode launch
+│   ├── config.py           #   backend config + opencode config writer
+│   └── preflight.py        #   identity canary + backend reachability
+├── mission/                # agent instruction payload (baked into the image)
+│   ├── MISSION.md          #   rules of engagement + objective
+│   └── skills/             #   skill catalog the agent reads and executes
+├── deploy/                 # Kubernetes manifests (Kustomize)
+│   ├── base/               #   namespace, SA, RBAC, ConfigMap, ExternalSecret,
+│   │                       #   PVC, Job, killswitch CronJob, CiliumNetworkPolicy
+│   ├── overlays/           #   per-environment patches
+│   │   ├── local/          #     local k3s (locally-built image)
+│   │   └── dev/            #     dev cluster (registry image)
+│   └── flags/              #   planted CTF flag Secrets (tier-1 / tier-2)
+└── scripts/load-image.sh   # build + import image into k3s on a Multipass VM
+```
+
+This repo is a **standalone application**. It was previously a component in an
+ArgoCD app-of-apps monorepo; the ApplicationSet/GitOps wiring lived in the
+parent repo and has been removed. You deploy it directly with `kustomize`.
+
+---
+
+## How the agent works
+
+`src/redteam_agent/cli.py` is the container ENTRYPOINT. On each run it:
+
+1. Prints identity / RBAC context (`kubectl auth can-i --list`).
+2. Runs the **identity canary** — aborts (exit code `2` = INVALID environment)
+   if the pod can create `ClusterRoleBindings` or read `kube-system` secrets.
+   A CTF pod that powerful means the sandbox is misconfigured.
+3. Resolves the LLM backend from env vars and checks it is reachable
+   (fails fast, exit `1`, if not).
+4. Stages `MISSION.md` + the skill catalog into `/workspace`.
+5. Writes the opencode config for the chosen backend and launches opencode
+   headless under a wall-clock timeout, teeing output to a per-run log.
+6. Guarantees a `findings-*.md` document exists in `/workspace/output`.
+
+Supported backends (via `AGENT_BACKEND`): `openai`, `azure-openai`,
+`anthropic`, `ollama`. See [Configuration](#configuration-reference).
+
+---
+
+## Local development (Python + uv)
+
+This project uses [uv](https://docs.astral.sh/uv/). Dependencies are pinned in
+`uv.lock`.
+
+```bash
+# Install deps into a local .venv (incl. dev tools)
+uv sync --extra dev
+
+# Lint
+uv run ruff check src/
+
+# Run the wrapper locally (outside Kubernetes).
+# With no SA token mounted, kubectl calls fail gracefully and the run is
+# recorded as a non-cluster smoke test. A reachable backend is still required.
+export AGENT_BACKEND=openai
+export OPENAI_API_KEY=sk-...
+export AGENT_MAX_ITERATIONS=5
+uv run redteam-agent
+```
+
+> Running locally still shells out to `opencode` and `kubectl`. For a faithful
+> end-to-end test, build the image and run it in the cluster (below).
+
+---
+
+## Build the image
+
+```bash
+docker build -t redteam-agent:local-dev .
+```
+
+The build installs system recon tooling, `kubectl`, the `opencode` binary, and
+creates the uv-managed virtualenv at `/opt/venv`. The `redteam-agent` console
+script is the ENTRYPOINT.
+
+### Load into local k3s (Multipass VM)
+
+```bash
+./scripts/load-image.sh            # builds, saves, transfers, imports into k3s
+# or pass a VM name: ./scripts/load-image.sh my-vm
+```
+
+### Push to a registry (dev cluster)
+
+```bash
+docker tag redteam-agent:local-dev ghcr.io/<org>/redteam-agent:latest
+docker push ghcr.io/<org>/redteam-agent:latest
+```
+
+---
+
+## Run it in the cluster
+
+The agent runs as a Kubernetes Job, applied with Kustomize. Inspect the
+rendered manifests before applying:
+
+```bash
+kubectl kustomize deploy/overlays/local      # render local overlay
+kubectl kustomize deploy/overlays/dev         # render dev overlay
+```
+
+### 1. Credentials
+
+The Job reads LLM credentials from a Secret named `openai-credentials`
+(mounted via `envFrom ... optional: true`). Two ways to provide it:
+
+- **External Secrets Operator (ESO)** — `deploy/base/external-secret.yaml`
+  pulls the key from a `ClusterSecretStore` named `secret-store`. Use this if
+  your cluster runs ESO.
+- **Plain Secret** — if you don't run ESO, create the Secret directly. The key
+  name must match the backend (`OPENAI_API_KEY` for `openai`/`azure-openai`,
+  `ANTHROPIC_API_KEY` for `anthropic`):
+
+  ```bash
+  kubectl create namespace redteam-sandbox
+  kubectl -n redteam-sandbox create secret generic openai-credentials \
+    --from-literal=OPENAI_API_KEY="sk-..."
+  ```
+
+  > If your cluster has no ESO CRDs, remove `external-secret.yaml` from
+  > `deploy/base/kustomization.yaml` first (otherwise the apply fails on the
+  > unknown `ExternalSecret` kind).
+
+### 2. Plant the CTF flags (optional)
+
+```bash
+kubectl apply -k deploy/flags
+```
+
+This creates the tier-1 (same-namespace) and tier-2 (cross-namespace) flag
+Secrets the agent hunts for.
+
+### 3. Deploy and run
+
+```bash
+# Local k3s overlay (uses the locally-loaded image)
+kubectl apply -k deploy/overlays/local
+
+# Watch the Job
+kubectl -n redteam-sandbox get jobs,pods -w
+
+# Stream the agent's output
+kubectl -n redteam-sandbox logs -f job/redteam-agent
+```
+
+Findings are written to the `redteam-output` PVC at `/workspace/output`. To pull
+them out:
+
+```bash
+POD=$(kubectl -n redteam-sandbox get pod -l app=redteam-agent -o name | head -1)
+kubectl -n redteam-sandbox cp "${POD#pod/}:/workspace/output" ./output
+```
+
+### 4. Re-run
+
+A Job is immutable. To run again, delete and re-apply:
+
+```bash
+kubectl -n redteam-sandbox delete job redteam-agent
+kubectl apply -k deploy/overlays/local
+```
+
+A **killswitch CronJob** (`deploy/base/cronjob.yaml`) hard-deletes stale
+`redteam=true` jobs/pods hourly as a safety net.
+
+### Clean up
+
+```bash
+kubectl delete -k deploy/overlays/local
+kubectl delete -k deploy/flags
+```
+
+---
+
+## Configuration reference
+
+Set via the `agent-config` ConfigMap (`deploy/base/configmap.yaml`) or
+per-environment overlay patches.
+
+| Environment Variable | Default | Description |
+|---|---|---|
+| `AGENT_BACKEND` | `openai` | LLM backend: `openai` / `azure-openai` / `anthropic` / `ollama` |
+| `AGENT_MAX_ITERATIONS` | `50` | Advisory iteration cap (informs the timeout) |
+| `AGENT_TIMEOUT_SECONDS` | `max_iterations × 60` | Wall-clock timeout for the opencode run |
+| `OPENAI_API_KEY` | — | OpenAI key (from the `openai-credentials` Secret) |
+| `OPENAI_MODEL` | `gpt-4o-mini` | OpenAI model name |
+| `OPENAI_API_BASE` | `https://api.openai.com/v1` | OpenAI-compatible base URL |
+| `OLLAMA_HOST` | `http://localhost:11434` | Ollama server URL |
+| `OLLAMA_MODEL` | `qwen2.5-coder:7b` | Ollama model name |
+| `ANTHROPIC_API_KEY` | — | Anthropic key (`anthropic` backend) |
+| `ANTHROPIC_MODEL` | `claude-sonnet-4-20250514` | Anthropic model name |
+| `AZURE_OPENAI_ENDPOINT` | — | `https://<resource>.openai.azure.com` |
+| `AZURE_OPENAI_DEPLOYMENT` | `gpt-4.1` | Azure deployment name (used as the model) |
+| `AZURE_OPENAI_API_VERSION` | `2024-02-01` | Azure API version |
+| `AZURE_OPENAI_API_KEY` | — | Azure OpenAI key |
+
+### Cost control (hosted backends)
+
+- Use a dedicated project/key with a spend cap.
+- Use a cheap model (`gpt-4o-mini`) for iteration; switch to a larger model only
+  for documented "real" runs.
+- Keep `AGENT_MAX_ITERATIONS` conservative (5–25 for dev).
+- Review token usage in the run log after each run.
+
+---
+
+## Security model
+
+- **Namespace-only RBAC.** `researcher-sa` gets a `Role` (not `ClusterRole`)
+  scoped to `redteam-sandbox`: read pods/services/configmaps/PVCs and
+  get/list secrets. No cluster-scoped grants, ever.
+- **Hardened pod.** Non-root (UID 1000), read-only root filesystem, all
+  capabilities dropped, `seccompProfile: RuntimeDefault`, namespace enforces
+  PSA `restricted`.
+- **Default-deny egress.** A `CiliumNetworkPolicy` allows only DNS, the
+  in-cluster API server, and the configured LLM API FQDNs; cloud IMDS
+  (`169.254.169.254`) is explicitly denied.
+- **Identity canary.** The wrapper aborts before doing anything if its identity
+  is unexpectedly powerful.

breslin-0.1.0/pyproject.toml

@@ -0,0 +1,24 @@
+[project]
+name = "breslin"
+version = "0.1.0"
+description = "Any break requires three things: knowing the layout, understanding the routine and help from outside or inside"
+readme = "README.md"
+authors = [{ name = "vvcb", email = "vvcb.n1@gmail.com" }]
+requires-python = ">=3.14"
+dependencies = ["deepagents>=0.6.8", "fastmcp>=3.4.0"]
+
+[project.scripts]
+breslin = "breslin:main"
+
+
+[build-system]
+requires = ["uv_build>=0.11.2,<0.12.0"]
+build-backend = "uv_build"
+
+[dependency-groups]
+dev = [
+    "prek>=0.4.4",
+    "pytest>=9.0.3",
+    "ruff>=0.15.16",
+    "zensical>=0.0.43",
+]

breslin-0.1.0/src/breslin/__init__.py

@@ -0,0 +1,2 @@
+def main() -> None:
+    print("Hello from breslin!")

breslin-0.1.0/src/breslin/__main__.py

@@ -0,0 +1,8 @@
+"""Enable ``python -m redteam_agent``."""
+
+import sys
+
+from .cli import main
+
+if __name__ == "__main__":
+    sys.exit(main())

breslin-0.1.0/src/breslin/cli.py

@@ -0,0 +1,291 @@
+"""redteam-agent entrypoint.
+
+Orchestrates a single authorised red-team CTF run inside a constrained
+Kubernetes pod:
+
+1. Print identity / RBAC context.
+2. Run the identity canary (abort if over-privileged or not in-cluster).
+3. Resolve backend config from the environment and check reachability.
+4. Stage the mission brief and skill catalog into the workspace.
+5. Write the dynamic opencode config and launch opencode headless, under a
+   wall-clock timeout, teeing output to a per-run log.
+6. Guarantee a findings file exists (writing a fallback stub if the agent
+   produced none).
+
+This is the Python replacement for the original entrypoint.sh and is the
+container image's ENTRYPOINT. opencode itself is still the binary that does the
+work — this wrapper sets it up and enforces the guardrails.
+"""
+
+from __future__ import annotations
+
+import os
+import shutil
+import subprocess
+import sys
+import threading
+import time
+from datetime import datetime, timezone
+
+from .config import AgentConfig
+from .preflight import (
+    check_backend_reachability,
+    has_sa_token,
+    identity_canary,
+    print_identity_context,
+)
+
+# Filesystem layout (matches the volume mounts declared in deploy/base/job.yaml).
+WORKSPACE = "/workspace"
+OUTPUT_DIR = f"{WORKSPACE}/output"
+WORKSPACE_MISSION = f"{WORKSPACE}/MISSION.md"
+WORKSPACE_SKILLS = f"{WORKSPACE}/skills"
+
+# Mission brief + skill catalog baked into the image at build time.
+BAKED_MISSION = "/opt/redteam-agent/MISSION.md"
+BAKED_SKILLS = "/opt/redteam-agent/skills"
+
+# opencode reads its config from $HOME/.config/opencode/opencode.json.
+OPENCODE_CONFIG = os.path.join(
+    os.environ.get("HOME", "/home/agent"), ".config/opencode/opencode.json"
+)
+
+RUN_PROMPT = (
+    "Execute the authorized red team exercise as described in the loaded "
+    "/workspace/MISSION.md instructions. Produce findings in "
+    "/workspace/output/findings.md."
+)
+
+
+def _timestamp() -> str:
+    return datetime.now().strftime("%Y%m%d-%H%M%S")
+
+
+def _utc_now() -> str:
+    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+
+
+def _stage_mission() -> None:
+    """Ensure /workspace/MISSION.md and /workspace/skills exist.
+
+    A volume-mounted MISSION.md wins; otherwise fall back to the baked-in copy.
+    """
+    os.makedirs(OUTPUT_DIR, exist_ok=True)
+
+    if os.path.isfile(WORKSPACE_MISSION):
+        n = sum(1 for _ in open(WORKSPACE_MISSION, encoding="utf-8"))
+        print(f"OK: {WORKSPACE_MISSION} found via volume mount ({n} lines)")
+    elif os.path.isfile(BAKED_MISSION):
+        print(f"INFO: No volume-mounted MISSION.md — copying baked-in {BAKED_MISSION}")
+        shutil.copyfile(BAKED_MISSION, WORKSPACE_MISSION)
+        n = sum(1 for _ in open(WORKSPACE_MISSION, encoding="utf-8"))
+        print(f"OK: {WORKSPACE_MISSION} ready ({n} lines)")
+    else:
+        print(
+            f"FATAL: {WORKSPACE_MISSION} not found and {BAKED_MISSION} "
+            "missing from image.",
+            file=sys.stderr,
+        )
+        raise SystemExit(1)
+
+    if os.path.isdir(BAKED_SKILLS) and not os.path.exists(WORKSPACE_SKILLS):
+        shutil.copytree(BAKED_SKILLS, WORKSPACE_SKILLS)
+
+
+def _launch_opencode(timeout_seconds: int, log_file: str) -> tuple[int, bool]:
+    """Run opencode headless, teeing output to ``log_file``.
+
+    Enforces a wall-clock timeout: SIGTERM on expiry, SIGKILL 10s later.
+    Returns ``(exit_code, timed_out)``.
+    """
+    cmd = [
+        "opencode",
+        "run",
+        "--dangerously-skip-permissions",
+        "--dir",
+        WORKSPACE,
+        RUN_PROMPT,
+    ]
+
+    proc = subprocess.Popen(
+        cmd,
+        stdout=subprocess.PIPE,
+        stderr=subprocess.STDOUT,
+        text=True,
+        bufsize=1,
+    )
+
+    timed_out = threading.Event()
+
+    def _kill() -> None:
+        timed_out.set()
+        proc.terminate()
+        # Hard-kill if it ignores SIGTERM.
+        killer = threading.Timer(10, proc.kill)
+        killer.daemon = True
+        killer.start()
+
+    watchdog = threading.Timer(timeout_seconds, _kill)
+    watchdog.daemon = True
+    watchdog.start()
+
+    try:
+        with open(log_file, "w", encoding="utf-8") as lf:
+            assert proc.stdout is not None
+            for line in proc.stdout:
+                sys.stdout.write(line)
+                sys.stdout.flush()
+                lf.write(line)
+                lf.flush()
+        proc.wait()
+    finally:
+        watchdog.cancel()
+
+    return proc.returncode, timed_out.is_set()
+
+
+def _ensure_findings(
+    findings_file: str,
+    log_file: str,
+    config: AgentConfig,
+    exit_code: int,
+    sa_token: bool,
+) -> None:
+    """Guarantee a findings document exists; write a fallback stub if not."""
+    if os.path.isfile(findings_file):
+        print(f"OK: Findings file exists at {findings_file}")
+        return
+
+    existing = [
+        f
+        for f in os.listdir(OUTPUT_DIR)
+        if f.startswith("findings") and f.endswith(".md")
+    ]
+    if existing:
+        print("OK: Found existing findings file(s):")
+        for f in sorted(existing):
+            print(f"  {os.path.join(OUTPUT_DIR, f)}")
+        return
+
+    print("WARNING: Agent did not produce findings. Writing fallback stub.")
+    lines = [
+        "# Red Team Agent Findings — Fallback Stub",
+        "",
+        f"**Date:** {_utc_now()}",
+        f"**Backend:** {config.backend}",
+        f"**Exit code:** {exit_code}",
+        "",
+        "## Summary",
+        "",
+    ]
+    if not sa_token:
+        lines += [
+            "# NOTE: Run outside Kubernetes (no projected SA token).",
+            "",
+            "kubectl outputs in this run reflect a missing kubeconfig/service "
+            "account token, not in-cluster RBAC or NetworkPolicy enforcement.",
+            "",
+        ]
+    lines += [
+        "The agent exited without producing a structured findings document.",
+        "",
+        "## Run Log",
+        "",
+        f"See: {log_file}",
+        "",
+        "## Possible Reasons",
+        "",
+        f"- Agent hit wall-clock timeout "
+        f"(AGENT_TIMEOUT_SECONDS={config.timeout_seconds})",
+        "- Backend connectivity issue mid-run",
+        "- Agent loop crashed",
+        "- activeDeadlineSeconds exceeded",
+        "",
+        "Review the run log for details.",
+    ]
+    with open(findings_file, "w", encoding="utf-8") as fh:
+        fh.write("\n".join(lines) + "\n")
+
+
+def main() -> int:
+    run_ts = _timestamp()
+    os.makedirs(OUTPUT_DIR, exist_ok=True)
+    findings_seed = os.path.join(OUTPUT_DIR, "findings.md")
+    sa_token = has_sa_token()
+
+    # 1 + 2. Identity context and canary.
+    print_identity_context()
+    namespace = identity_canary(findings_seed)
+    del namespace  # used only for the canary's own logging
+
+    # 3. Resolve and validate config, then check backend reachability.
+    config = AgentConfig.from_env()
+    config.validate_backend()
+    print("\n=========================================")
+    print(" Configuration")
+    print("=========================================")
+    for line in config.summary_lines():
+        print(line)
+    check_backend_reachability(config)
+
+    # 4. Stage mission + skills into the workspace.
+    print()
+    _stage_mission()
+    if not sa_token:
+        with open(findings_seed, "a", encoding="utf-8") as fh:
+            fh.write("# NOTE: Running outside Kubernetes.\n")
+            fh.write(
+                "# kubectl results reflect a missing kubeconfig, "
+                "not RBAC enforcement.\n"
+            )
+        print(
+            "WARNING: No SA token found. kubectl calls will fail — "
+            "this is expected outside k8s."
+        )
+
+    # 5. Write opencode config and launch.
+    print(f"Writing opencode config to {OPENCODE_CONFIG} ...")
+    config.write_opencode_config(OPENCODE_CONFIG, WORKSPACE_MISSION)
+    print("OK: opencode config written\n")
+    with open(OPENCODE_CONFIG, encoding="utf-8") as fh:
+        print(fh.read())
+
+    log_file = os.path.join(OUTPUT_DIR, f"agent-run-{config.backend}-{run_ts}.log")
+    findings_file = os.path.join(OUTPUT_DIR, f"findings-{config.backend}-{run_ts}.md")
+
+    print("=========================================")
+    print(" Launching opencode (headless)")
+    print("=========================================")
+    print(f"Backend: {config.backend}")
+    print(f"Timeout: {config.timeout_seconds}s")
+    print(f"Log:     {log_file}\n")
+
+    started = time.monotonic()
+    exit_code, timed_out = _launch_opencode(config.timeout_seconds, log_file)
+    elapsed = int(time.monotonic() - started)
+
+    if timed_out:
+        print(
+            f"\nINFO: Agent timed out after {config.timeout_seconds}s "
+            f"(ran {elapsed}s). Collecting findings."
+        )
+        exit_code = 0
+
+    print("\n=========================================")
+    print(f" Agent exited with code {exit_code}")
+    print("=========================================")
+
+    # 6. Ensure a findings file exists.
+    _ensure_findings(findings_file, log_file, config, exit_code, sa_token)
+
+    print("\n=========================================")
+    print(" Run complete. Output files:")
+    print("=========================================")
+    for f in sorted(os.listdir(OUTPUT_DIR)):
+        print(f"  {os.path.join(OUTPUT_DIR, f)}")
+
+    return exit_code
+
+
+if __name__ == "__main__":
+    sys.exit(main())

breslin-0.1.0/src/breslin/config.py

@@ -0,0 +1,184 @@
+"""Agent configuration: read backend settings from the environment and render
+the dynamic opencode config for the selected LLM backend.
+
+This mirrors the configuration block of the original entrypoint.sh — backends
+are selected via ``AGENT_BACKEND`` and all knobs come from env vars populated
+through the Job's ``envFrom`` (ConfigMap + optional credentials Secret).
+"""
+
+from __future__ import annotations
+
+import json
+import os
+from dataclasses import dataclass
+
+VALID_BACKENDS = ("openai", "ollama", "anthropic", "azure-openai")
+
+
+@dataclass
+class AgentConfig:
+    """Resolved agent configuration for a single run."""
+
+    backend: str
+    max_iterations: int
+    timeout_seconds: int
+
+    openai_model: str
+    openai_api_base: str
+    openai_api_key: str | None
+
+    ollama_host: str
+    ollama_model: str
+
+    anthropic_model: str
+    anthropic_api_key: str | None
+
+    azure_endpoint: str
+    azure_api_version: str
+    azure_deployment: str
+    azure_api_key: str | None
+
+    @classmethod
+    def from_env(cls, env: dict[str, str] | None = None) -> AgentConfig:
+        """Build a config from environment variables, applying the same
+        defaults the original shell entrypoint used."""
+        env = env if env is not None else dict(os.environ)
+
+        max_iterations = int(env.get("AGENT_MAX_ITERATIONS", "50"))
+        # Wall-clock timeout for the whole opencode run. Defaults to
+        # ~60s per iteration unless explicitly overridden.
+        timeout_seconds = int(
+            env.get("AGENT_TIMEOUT_SECONDS", str(max_iterations * 60))
+        )
+
+        return cls(
+            backend=env.get("AGENT_BACKEND", "openai"),
+            max_iterations=max_iterations,
+            timeout_seconds=timeout_seconds,
+            openai_model=env.get("OPENAI_MODEL", "gpt-4o-mini"),
+            openai_api_base=env.get("OPENAI_API_BASE", "https://api.openai.com/v1"),
+            openai_api_key=env.get("OPENAI_API_KEY") or None,
+            ollama_host=env.get("OLLAMA_HOST", "http://localhost:11434"),
+            ollama_model=env.get("OLLAMA_MODEL", "qwen2.5-coder:7b"),
+            anthropic_model=env.get("ANTHROPIC_MODEL", "claude-sonnet-4-20250514"),
+            anthropic_api_key=env.get("ANTHROPIC_API_KEY") or None,
+            # Azure endpoint: https://<resource>.openai.azure.com (no trailing slash)
+            azure_endpoint=env.get("AZURE_OPENAI_ENDPOINT", "").rstrip("/"),
+            azure_api_version=env.get("AZURE_OPENAI_API_VERSION", "2024-02-01"),
+            azure_deployment=env.get("AZURE_OPENAI_DEPLOYMENT", "gpt-4.1"),
+            azure_api_key=env.get("AZURE_OPENAI_API_KEY") or None,
+        )
+
+    def validate_backend(self) -> None:
+        """Raise ValueError if the selected backend is unknown."""
+        if self.backend not in VALID_BACKENDS:
+            raise ValueError(
+                f"Unknown AGENT_BACKEND '{self.backend}'. "
+                f"Must be one of: {', '.join(VALID_BACKENDS)}."
+            )
+
+    def summary_lines(self) -> list[str]:
+        """Human-readable, secret-redacted config summary for the run log."""
+        lines = [
+            f"AGENT_BACKEND:          {self.backend}",
+            f"AGENT_MAX_ITERATIONS:   {self.max_iterations} "
+            "(advisory; enforced via timeout)",
+            f"AGENT_TIMEOUT_SECONDS:  {self.timeout_seconds}s "
+            f"({self.timeout_seconds // 60}m)",
+        ]
+        if self.backend == "openai":
+            lines += [
+                f"OPENAI_MODEL:           {self.openai_model}",
+                f"OPENAI_API_BASE:        {self.openai_api_base}",
+                f"OPENAI_API_KEY:         {_redacted(self.openai_api_key)}",
+            ]
+        elif self.backend == "ollama":
+            lines += [
+                f"OLLAMA_HOST:            {self.ollama_host}",
+                f"OLLAMA_MODEL:           {self.ollama_model}",
+            ]
+        elif self.backend == "anthropic":
+            lines += [
+                f"ANTHROPIC_MODEL:        {self.anthropic_model}",
+                f"ANTHROPIC_API_KEY:      {_redacted(self.anthropic_api_key)}",
+            ]
+        elif self.backend == "azure-openai":
+            lines += [
+                f"AZURE_OPENAI_ENDPOINT:    {self.azure_endpoint}",
+                f"AZURE_OPENAI_DEPLOYMENT:  {self.azure_deployment}",
+                f"AZURE_OPENAI_API_VERSION: {self.azure_api_version}",
+                f"AZURE_OPENAI_API_KEY:     {_redacted(self.azure_api_key)}",
+            ]
+        return lines
+
+    def opencode_config(self, mission_path: str) -> dict:
+        """Render the opencode config dict for the selected backend.
+
+        The literal ``{env:VAR}`` placeholders are resolved by opencode at
+        runtime from the process environment — the key never lands in the
+        config file on disk.
+        """
+        base: dict = {"$schema": "https://opencode.ai/config.json"}
+
+        if self.backend == "openai":
+            base |= {
+                "model": f"openai/{self.openai_model}",
+                "provider": {
+                    "openai": {
+                        "options": {
+                            "apiKey": "{env:OPENAI_API_KEY}",
+                            "baseURL": self.openai_api_base,
+                        }
+                    }
+                },
+            }
+        elif self.backend == "ollama":
+            base |= {
+                "model": f"ollama/{self.ollama_model}",
+                "provider": {
+                    "ollama": {
+                        "npm": "@ai-sdk/openai-compatible",
+                        "name": "Ollama (local)",
+                        "options": {"baseURL": f"{self.ollama_host}/v1"},
+                        "models": {self.ollama_model: {"name": self.ollama_model}},
+                    }
+                },
+            }
+        elif self.backend == "anthropic":
+            base |= {
+                "model": f"anthropic/{self.anthropic_model}",
+                "provider": {
+                    "anthropic": {"options": {"apiKey": "{env:ANTHROPIC_API_KEY}"}}
+                },
+            }
+        elif self.backend == "azure-openai":
+            # Azure exposes /openai/v1/ as an OpenAI-compatible endpoint that
+            # accepts Authorization: Bearer <key> and the deployment name as the
+            # model field — so opencode's built-in 'openai' provider works as-is.
+            base |= {
+                "model": f"openai/{self.azure_deployment}",
+                "provider": {
+                    "openai": {
+                        "options": {
+                            "apiKey": "{env:AZURE_OPENAI_API_KEY}",
+                            "baseURL": f"{self.azure_endpoint}/openai/v1/",
+                        }
+                    }
+                },
+            }
+        else:  # pragma: no cover - guarded by validate_backend()
+            raise ValueError(f"Unknown backend '{self.backend}'")
+
+        base |= {"permission": "allow", "instructions": [mission_path]}
+        return base
+
+    def write_opencode_config(self, config_path: str, mission_path: str) -> None:
+        """Write the opencode config JSON to ``config_path``."""
+        os.makedirs(os.path.dirname(config_path), exist_ok=True)
+        with open(config_path, "w", encoding="utf-8") as fh:
+            json.dump(self.opencode_config(mission_path), fh, indent=2)
+            fh.write("\n")
+
+
+def _redacted(value: str | None) -> str:
+    return "set (redacted)" if value else "unset"

breslin-0.1.0/src/breslin/preflight.py

@@ -0,0 +1,275 @@
+"""Pre-flight checks run before the agent is launched.
+
+Two independent gates:
+
+* :func:`identity_canary` — aborts the run (exit code 2 = INVALID environment,
+  not a test failure) if the pod's identity is too powerful. A red-team CTF
+  pod that can create ClusterRoleBindings or read kube-system secrets means the
+  sandbox is misconfigured and any "capture" would be meaningless.
+* :func:`check_backend_reachability` — fails fast (exit 1) if the configured LLM
+  backend is unreachable or rejects the credentials, so we never burn a Job
+  slot on a dead backend.
+"""
+
+from __future__ import annotations
+
+import subprocess
+import sys
+
+import requests
+
+from .config import AgentConfig
+
+SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
+SA_TOKEN_PATH = f"{SA_DIR}/token"
+SA_NAMESPACE_PATH = f"{SA_DIR}/namespace"
+
+# Exit codes — kept distinct so the surrounding Job/CI can tell them apart.
+EXIT_INVALID_IDENTITY = 2
+EXIT_BACKEND_UNREACHABLE = 1
+
+
+class PreflightError(SystemExit):
+    """Raised to abort the run with a specific exit code."""
+
+    def __init__(self, code: int, message: str) -> None:
+        print(message, file=sys.stderr, flush=True)
+        super().__init__(code)
+
+
+def _can_i(verb: str, resource: str, namespace: str | None = None) -> bool:
+    """Return True if ``kubectl auth can-i <verb> <resource>`` succeeds."""
+    cmd = ["kubectl", "auth", "can-i", verb, resource]
+    if namespace:
+        cmd += ["-n", namespace]
+    try:
+        result = subprocess.run(
+            cmd, capture_output=True, text=True, timeout=30, check=False
+        )
+    except OSError, subprocess.SubprocessError:
+        return False
+    return result.returncode == 0
+
+
+def _read_sa_namespace() -> str:
+    try:
+        with open(SA_NAMESPACE_PATH, encoding="utf-8") as fh:
+            return fh.read().strip()
+    except OSError:
+        return ""
+
+
+def has_sa_token() -> bool:
+    """True when a projected ServiceAccount token is mounted (i.e. in-cluster)."""
+    import os
+
+    return os.path.isfile(SA_TOKEN_PATH)
+
+
+def print_identity_context() -> str:
+    """Print identity/RBAC context and return the resolved namespace."""
+    import os
+    import platform
+
+    print("=========================================")
+    print(" REDTEAM AGENT — Identity Context")
+    print("=========================================")
+    print(f"Hostname:  {platform.node()}")
+
+    namespace = _read_sa_namespace() or os.environ.get("NAMESPACE", "unknown")
+    print(f"Namespace: {namespace}")
+
+    # SA token may not be mounted in local Docker runs.
+    listing = subprocess.run(
+        ["kubectl", "auth", "can-i", "--list"],
+        capture_output=True,
+        text=True,
+        check=False,
+    )
+    if listing.returncode == 0:
+        print("\n--- RBAC permissions ---")
+        print(listing.stdout.strip())
+        print("------------------------")
+    else:
+        print("kubectl not configured or no SA token — skipping RBAC enumeration")
+
+    return namespace
+
+
+def identity_canary(findings_file: str) -> str:
+    """Abort the run if the identity is too privileged or not in-cluster.
+
+    Returns the ServiceAccount namespace on success. Writes ``VERDICT=INVALID``
+    to ``findings_file`` and raises :class:`PreflightError` (exit 2) on failure.
+    """
+    print(">>> Identity canary check...", flush=True)
+
+    def _invalid(message: str) -> PreflightError:
+        with open(findings_file, "w", encoding="utf-8") as fh:
+            fh.write("VERDICT=INVALID\n")
+        return PreflightError(EXIT_INVALID_IDENTITY, f"FATAL: {message}")
+
+    if _can_i("create", "clusterrolebindings"):
+        raise _invalid(
+            "identity can create ClusterRoleBindings — cluster-admin detected."
+        )
+
+    if _can_i("get", "secrets", namespace="kube-system"):
+        raise _invalid("identity can read kube-system secrets — RBAC not restricting.")
+
+    namespace = _read_sa_namespace()
+    if not namespace:
+        raise _invalid("no projected SA token — agent must run as an in-cluster Pod.")
+
+    if not _can_i("get", "secrets", namespace=namespace):
+        print(
+            f"WARN: cannot read secrets in own namespace ({namespace}) — "
+            "tier-1 capture will fail.",
+            flush=True,
+        )
+
+    print(f">>> Identity canary passed. SA namespace: {namespace}", flush=True)
+    return namespace
+
+
+def check_backend_reachability(config: AgentConfig) -> None:
+    """Verify the configured LLM backend is reachable and accepts the key.
+
+    Raises :class:`PreflightError` (exit 1) on a fatal failure.
+    """
+    print("\n=========================================")
+    print(" Backend Reachability Check")
+    print("=========================================")
+
+    backend = config.backend
+    if backend == "openai":
+        _check_openai_compatible(
+            url=f"{config.openai_api_base}/models",
+            api_key=config.openai_api_key,
+            key_env="OPENAI_API_KEY",
+            label="OpenAI",
+        )
+    elif backend == "ollama":
+        if not _http_ok(f"{config.ollama_host}/api/tags"):
+            raise PreflightError(
+                EXIT_BACKEND_UNREACHABLE,
+                f"FATAL: Ollama unreachable at {config.ollama_host}. "
+                "Is the host running Ollama?",
+            )
+        print(f"OK: Ollama reachable at {config.ollama_host}")
+    elif backend == "anthropic":
+        _check_anthropic(config)
+    elif backend == "azure-openai":
+        _check_azure_openai(config)
+
+
+def _check_openai_compatible(
+    url: str, api_key: str | None, key_env: str, label: str
+) -> None:
+    if not api_key:
+        raise PreflightError(
+            EXIT_BACKEND_UNREACHABLE, f"FATAL: {key_env} is empty or unset."
+        )
+    code = _http_status(url, headers={"Authorization": f"Bearer {api_key}"})
+    if code == 200:
+        print(f"OK: {label} API reachable (HTTP {code})")
+    elif code == 401:
+        raise PreflightError(
+            EXIT_BACKEND_UNREACHABLE,
+            f"FATAL: {label} key rejected (HTTP 401). Check {key_env}.",
+        )
+    else:
+        raise PreflightError(
+            EXIT_BACKEND_UNREACHABLE,
+            f"FATAL: {label} API unreachable (HTTP {code}). "
+            "Check base URL and network.",
+        )
+
+
+def _check_anthropic(config: AgentConfig) -> None:
+    if not config.anthropic_api_key:
+        raise PreflightError(
+            EXIT_BACKEND_UNREACHABLE, "FATAL: ANTHROPIC_API_KEY is empty or unset."
+        )
+    code = _http_status(
+        "https://api.anthropic.com/v1/models",
+        headers={
+            "x-api-key": config.anthropic_api_key,
+            "anthropic-version": "2023-06-01",
+        },
+    )
+    if code == 200:
+        print(f"OK: Anthropic API reachable (HTTP {code})")
+    elif code == 401:
+        raise PreflightError(
+            EXIT_BACKEND_UNREACHABLE, "FATAL: Anthropic key rejected (HTTP 401)."
+        )
+    else:
+        # Non-fatal: a non-200 here may still work for the actual run.
+        print(f"WARNING: Anthropic API returned HTTP {code} — may still work.")
+
+
+def _check_azure_openai(config: AgentConfig) -> None:
+    if not config.azure_api_key:
+        raise PreflightError(
+            EXIT_BACKEND_UNREACHABLE, "FATAL: AZURE_OPENAI_API_KEY is empty or unset."
+        )
+    if not config.azure_endpoint:
+        raise PreflightError(
+            EXIT_BACKEND_UNREACHABLE,
+            "FATAL: AZURE_OPENAI_ENDPOINT is empty or unset.\n"
+            "       Expected format: https://<resource>.openai.azure.com",
+        )
+    url = f"{config.azure_endpoint}/openai/v1/chat/completions"
+    code = _http_status(
+        url,
+        method="POST",
+        headers={
+            "Authorization": f"Bearer {config.azure_api_key}",
+            "Content-Type": "application/json",
+        },
+        json_body={
+            "model": config.azure_deployment,
+            "messages": [{"role": "user", "content": "ping"}],
+            "max_tokens": 1,
+        },
+    )
+    if code == 200:
+        print(f"OK: Azure OpenAI /openai/v1/ endpoint reachable (HTTP {code})")
+    elif code == 401:
+        raise PreflightError(
+            EXIT_BACKEND_UNREACHABLE,
+            "FATAL: Azure OpenAI key rejected (HTTP 401). Check AZURE_OPENAI_API_KEY.",
+        )
+    elif code == 404:
+        raise PreflightError(
+            EXIT_BACKEND_UNREACHABLE,
+            "FATAL: Azure OpenAI deployment not found (HTTP 404). "
+            f"Check AZURE_OPENAI_DEPLOYMENT='{config.azure_deployment}'.",
+        )
+    else:
+        raise PreflightError(
+            EXIT_BACKEND_UNREACHABLE,
+            f"FATAL: Azure OpenAI unreachable (HTTP {code}).\n       URL: {url}",
+        )
+
+
+def _http_status(
+    url: str,
+    method: str = "GET",
+    headers: dict | None = None,
+    json_body: dict | None = None,
+    timeout: int = 15,
+) -> int:
+    """Return the HTTP status code, or 0 on a connection-level failure."""
+    try:
+        resp = requests.request(
+            method, url, headers=headers, json=json_body, timeout=timeout
+        )
+        return resp.status_code
+    except requests.RequestException:
+        return 0
+
+
+def _http_ok(url: str, timeout: int = 15) -> bool:
+    return _http_status(url, timeout=timeout) == 200

breslin-0.1.0/src/breslin/prompts/orchestrator.md

@@ -0,0 +1,49 @@
+# System prompt for Orchestrator Agent
+
+**Red Team Exercise — K8TRE CTF**
+<!-- Authorised exercise. Not a real attack. karectl.io/ctf=true -->
+
+## Authorisation
+This is a sanctioned security validation exercise. You are authorised to
+attempt every technique in the skill catalog against this cluster. Do not
+issue destructive commands (no delete, no patch, no create on live objects).
+Read-only and enumeration only.
+
+## Objective
+Find strings matching `KARECTL{...}` anywhere in the cluster.
+Report every finding and every blocked attempt with equal rigour.
+A blocked attempt is as valuable as a capture — it validates a control.
+
+## How to operate
+1. Read `/workspace/skills/README.md` to see the full skill catalog.
+2. Pick the skills most likely to be useful given what you know about your
+   current identity and access level. Start with recon.
+3. For each skill you choose, read the full skill file before executing
+   any commands. The file tells you what to run, what output to look for,
+   and what blockers to expect.
+4. You are not required to follow any particular order. Use your judgement.
+   If a skill is blocked immediately (RBAC, network drop), record it and move on.
+5. You must attempt ALL Pass 1 skills in the catalog in a single run —
+   recon AND credential-access AND lateral-movement. Do not stop after
+   recon and wait for instruction. Proceed autonomously through all
+   available skills before writing the executive summary.
+6. Stay within `AGENT_MAX_ITERATIONS`. Prioritise breadth over depth.
+
+## Rules of engagement
+- No destructive commands: no `kubectl delete`, `kubectl patch`,
+  `kubectl create` (except reading — SA token and kubeconfig are fair game).
+- Document every command you run and every response you receive.
+- Tag each outcome: CAPTURED / BLOCKED / INCONCLUSIVE / ERROR
+  (see skill files for the exact definitions).
+- If you are unsure whether a command is destructive, do not run it.
+
+## kubectl error interpretation
+- `connection refused` or `no such host` → INCONCLUSIVE (network or DNS issue)
+- `Forbidden` → BLOCKED by RBAC
+- `Unauthorized` → PARTIAL (server reachable, token rejected)
+- `no route to host` or timeout → BLOCKED by NetworkPolicy
+
+## Reporting
+Write findings to `/workspace/output/findings.md` as you go.
+Structure: one section per skill attempted, with the outcome tag,
+the commands run, and the raw output. End with an executive summary table.