chore: add pentest-fix prompt and wire verification into loop.sh

- loop/prompt-pentest-fix.md: dedicated prompt for pentest fix overnight runs, instructs Claude to run verify-pentest-fixes.sh as final step - loop/loop.sh: automatically runs verification script when all plan tasks are complete (runs for any plan, not just pentest) Usage: PROMPT_FILE=loop/prompt-pentest-fix.md caffeinate -i ./loop/loop.sh Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-06 03:53:36 +00:00 · 2026-03-06 03:53:36 +00:00 · 0b3c23ff76
commit 0b3c23ff76
parent 5feb4ce799
2 changed files with 74 additions and 1 deletions
--- a/loop/loop.sh
+++ b/loop/loop.sh
@ -76,7 +76,20 @@ while [ "$i" -le "$ITERATION_COUNT" ]; do

  if ! plan_has_tasks; then
    banner "ALL TASKS COMPLETE"
-    log "  No remaining tasks in plan.md. Stopping."
+    log "  No remaining tasks in plan.md."
+
+    # Run pentest verification if the script exists
+    if [ -x "$PROJECT_DIR/scripts/verify-pentest-fixes.sh" ]; then
+      section "RUNNING PENTEST VERIFICATION"
+      "$PROJECT_DIR/scripts/verify-pentest-fixes.sh" 2>&1 | tee -a "$LOG_FILE"
+      VERIFY_EXIT=$?
+      if [ "$VERIFY_EXIT" -eq 0 ]; then
+        log "  Verification PASSED — all checks green."
+      else
+        log "  Verification FAILED — some checks did not pass."
+        log "  Exit code: $VERIFY_EXIT"
+      fi
+    fi
    break
  fi

--- a/loop/prompt-pentest-fix.md
+++ b/loop/prompt-pentest-fix.md
@ -0,0 +1,60 @@
+You are remediating security vulnerabilities found during a penetration test of Archipelago. Read these files first:
+
+1. `loop/plan.md` — Your fix checklist (mark items `- [x]` as you complete them)
+2. `CLAUDE.md` — Archy project conventions, architecture, coding standards
+3. `loop/pentest/security-assessment-report.md` — Full pentest report with findings and evidence
+
+## Architecture Reference
+
+```
+Nginx (port 80) → Rust backend (port 5678) → Podman containers
+                → Vue 3 frontend (static files)
+                → WebSocket /ws/db
+```
+
+Key backend files:
+- `core/archipelago/src/api/handler.rs` — HTTP request routing and middleware
+- `core/archipelago/src/api/rpc/mod.rs` — RPC method dispatch and auth gating
+- `core/archipelago/src/api/rpc/auth.rs` — Login/logout handlers
+- `core/archipelago/src/session.rs` — Session store, rate limiter, cookie helpers
+- `core/archipelago/src/api/rpc/package.rs` — Package install/uninstall
+- `core/archipelago/src/api/rpc/peers.rs` — P2P peer messaging
+- `core/archipelago/src/node_message.rs` — P2P message storage and validation
+- `image-recipe/configs/nginx-archipelago.conf` — Nginx config
+- `image-recipe/configs/archipelago.service` — Systemd service
+
+## For each task in loop/plan.md:
+
+1. Find the first unchecked `- [ ]` item
+2. Read the task description and the corresponding finding in the pentest report
+3. Read the relevant source files before making changes
+4. Implement the fix following CLAUDE.md conventions
+5. Deploy to live server: `./scripts/deploy-to-target.sh --live`
+6. Verify the specific fix works (curl test against the endpoint)
+7. Commit: `fix: description` (conventional commits)
+8. Mark it done `- [x]` in `loop/plan.md`
+9. Move to the next unchecked task immediately
+
+## When all FIX tasks are done:
+
+Run the full verification suite:
+
+```bash
+./scripts/verify-pentest-fixes.sh
+```
+
+If ALL 26 checks pass (exit code 0):
+- Mark VERIFY as `- [x]` in `loop/plan.md`
+- Commit the final state
+
+If ANY check fails (exit code 1):
+- DO NOT mark VERIFY done
+- Fix the failing checks, redeploy, and re-run verification
+- Only mark VERIFY done when all checks pass
+
+## Rules
+
+- Never skip deploy — changes must be live at 192.168.1.228 before marking done
+- If a fix breaks something else, fix the regression before moving on
+- Test each fix individually before moving to the next
+- Do not stop until all tasks are checked and verification passes, or you are rate limited