diff --git a/loop/loop.sh b/loop/loop.sh index bdb478f5..44f5b86d 100755 --- a/loop/loop.sh +++ b/loop/loop.sh @@ -76,7 +76,20 @@ while [ "$i" -le "$ITERATION_COUNT" ]; do if ! plan_has_tasks; then banner "ALL TASKS COMPLETE" - log " No remaining tasks in plan.md. Stopping." + log " No remaining tasks in plan.md." + + # Run pentest verification if the script exists + if [ -x "$PROJECT_DIR/scripts/verify-pentest-fixes.sh" ]; then + section "RUNNING PENTEST VERIFICATION" + "$PROJECT_DIR/scripts/verify-pentest-fixes.sh" 2>&1 | tee -a "$LOG_FILE" + VERIFY_EXIT=$? + if [ "$VERIFY_EXIT" -eq 0 ]; then + log " Verification PASSED — all checks green." + else + log " Verification FAILED — some checks did not pass." + log " Exit code: $VERIFY_EXIT" + fi + fi break fi diff --git a/loop/prompt-pentest-fix.md b/loop/prompt-pentest-fix.md new file mode 100644 index 00000000..973e3147 --- /dev/null +++ b/loop/prompt-pentest-fix.md @@ -0,0 +1,60 @@ +You are remediating security vulnerabilities found during a penetration test of Archipelago. Read these files first: + +1. `loop/plan.md` — Your fix checklist (mark items `- [x]` as you complete them) +2. `CLAUDE.md` — Archy project conventions, architecture, coding standards +3. `loop/pentest/security-assessment-report.md` — Full pentest report with findings and evidence + +## Architecture Reference + +``` +Nginx (port 80) → Rust backend (port 5678) → Podman containers + → Vue 3 frontend (static files) + → WebSocket /ws/db +``` + +Key backend files: +- `core/archipelago/src/api/handler.rs` — HTTP request routing and middleware +- `core/archipelago/src/api/rpc/mod.rs` — RPC method dispatch and auth gating +- `core/archipelago/src/api/rpc/auth.rs` — Login/logout handlers +- `core/archipelago/src/session.rs` — Session store, rate limiter, cookie helpers +- `core/archipelago/src/api/rpc/package.rs` — Package install/uninstall +- `core/archipelago/src/api/rpc/peers.rs` — P2P peer messaging +- `core/archipelago/src/node_message.rs` — P2P message storage and validation +- `image-recipe/configs/nginx-archipelago.conf` — Nginx config +- `image-recipe/configs/archipelago.service` — Systemd service + +## For each task in loop/plan.md: + +1. Find the first unchecked `- [ ]` item +2. Read the task description and the corresponding finding in the pentest report +3. Read the relevant source files before making changes +4. Implement the fix following CLAUDE.md conventions +5. Deploy to live server: `./scripts/deploy-to-target.sh --live` +6. Verify the specific fix works (curl test against the endpoint) +7. Commit: `fix: description` (conventional commits) +8. Mark it done `- [x]` in `loop/plan.md` +9. Move to the next unchecked task immediately + +## When all FIX tasks are done: + +Run the full verification suite: + +```bash +./scripts/verify-pentest-fixes.sh +``` + +If ALL 26 checks pass (exit code 0): +- Mark VERIFY as `- [x]` in `loop/plan.md` +- Commit the final state + +If ANY check fails (exit code 1): +- DO NOT mark VERIFY done +- Fix the failing checks, redeploy, and re-run verification +- Only mark VERIFY done when all checks pass + +## Rules + +- Never skip deploy — changes must be live at 192.168.1.228 before marking done +- If a fix breaks something else, fix the regression before moving on +- Test each fix individually before moving to the next +- Do not stop until all tasks are checked and verification passes, or you are rate limited