refactor: deduplicate prompt templates with shared content system

Implemented @include() directive system to eliminate ~800 lines of duplicated content across 10 specialist prompt files. All prompt-related content now consolidated under prompts/ directory for better maintainability. Changes: - Added processIncludes() to prompt-manager.js for generic @include() support - Created prompts/shared/ with 5 reusable template files - Refactored all 10 specialist prompts to use @include() for common sections - Moved login_instructions.txt to prompts/shared/ (deleted login_resources/) - Updated CLAUDE.md to reflect new structure Impact: -137 net lines, zero breaking changes, infinitely scalable for future shared content. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-02-12 17:22:50 +00:00 · 2025-10-23 16:19:25 -07:00
parent dafd9148f6
commit 369bf29588
17 changed files with 84 additions and 121 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -36,9 +36,7 @@ npm start <WEB_URL> <REPO_PATH> --config <CONFIG_FILE>
 ```

 ### Generate TOTP for Authentication
-```bash
-./login_resources/generate-totp.mjs <TOTP_SECRET>
-```
+TOTP generation is now handled automatically via the `generate_totp` MCP tool during authentication flows.

 ### Development Commands
 ```bash
@@ -163,8 +161,8 @@ The agent uses the `@anthropic-ai/claude-agent-sdk` with maximum autonomy config
 - Configuration context injection for authenticated testing

 ### Authentication & Login Resources
- `login_resources/generate-totp.mjs` - TOTP token generation utility
- `login_resources/login_instructions.txt` - Login flow documentation
+- `prompts/shared/login-instructions.txt` - Login flow template for all agents
+- TOTP token generation via MCP `generate_totp` tool
 - Support for multi-factor authentication workflows
 - Configurable authentication mechanisms (form, SSO, API, basic)

@@ -296,14 +294,17 @@ configs/                         # Configuration files
 ├── metabase-config.yaml         # Metabase configuration
 └── cal-com-config.yaml          # Cal.com configuration
 prompts/                         # AI prompt templates
+├── shared/                      # Shared content for all prompts
+│   ├── _target.txt              # Target URL template
+│   ├── _rules.txt               # Rules template
+│   ├── _vuln-scope.txt          # Vulnerability scope template
+│   ├── _exploit-scope.txt       # Exploitation scope template
+│   └── login-instructions.txt   # Login flow template
 ├── pre-recon-code.txt           # Code analysis
 ├── recon.txt                    # Reconnaissance
 ├── vuln-*.txt                   # Vulnerability assessment
 ├── exploit-*.txt                # Exploitation
 └── report-executive.txt         # Executive reporting
-login_resources/                 # Authentication utilities
-├── generate-totp.mjs            # TOTP generation
-└── login_instructions.txt       # Login documentation
 scripts/                         # Utility scripts
 └── export-metrics.js            # Export metrics to CSV
 deliverables/                    # Output directory (in target repo)
--- a/prompts/exploit-auth.txt
+++ b/prompts/exploit-auth.txt
@@ -8,20 +8,7 @@ Success criterion: A comprehensive evidence report detailing the outcome for **e
 </objective>

 <exploitation_scope>
-**MANDATORY EXPLOITATION CONSTRAINTS:**
- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
- DO NOT attempt to exploit vulnerabilities that require:
-  - Internal network access (Tailscale, VPN, etc.)
-  - Direct server access
-  - Database console access
-
-**VERDICT CLASSIFICATIONS:**
- EXPLOITED: Successfully demonstrated impact via public interface
- BLOCKED_BY_SECURITY: Valid vulnerability but blocked by WAF/controls
- OUT_OF_SCOPE_INTERNAL: Requires internal access - DO NOT PURSUE
- FALSE_POSITIVE: Not actually vulnerable
-
-Only EXPLOITED and BLOCKED_BY_SECURITY should be reported as findings.
+@include(shared/_exploit-scope.txt)
 </exploitation_scope>

 <critical>
@@ -107,13 +94,11 @@ Chain exploits together: Use enumerated users in password attacks. Use created w
 If you only confirmed a vulnerability without attempting to weaponize it, you have not completed the exploitation task.

 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
-
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
--- a/prompts/exploit-authz.txt
+++ b/prompts/exploit-authz.txt
@@ -8,20 +8,7 @@ Success criterion: A comprehensive evidence report detailing the outcome for **e
 </objective>

 <exploitation_scope>
-**MANDATORY EXPLOITATION CONSTRAINTS:**
- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
- DO NOT attempt to exploit vulnerabilities that require:
-  - Internal network access (Tailscale, VPN, etc.)
-  - Direct server access
-  - Database console access
-
-**VERDICT CLASSIFICATIONS:**
- EXPLOITED: Successfully demonstrated impact via public interface
- BLOCKED_BY_SECURITY: Valid vulnerability but blocked by WAF/controls
- OUT_OF_SCOPE_INTERNAL: Requires internal access - DO NOT PURSUE
- FALSE_POSITIVE: Not actually vulnerable
-
-Only EXPLOITED and BLOCKED_BY_SECURITY should be reported as findings.
+@include(shared/_exploit-scope.txt)
 </exploitation_scope>

 <critical>
@@ -94,13 +81,11 @@ After exhaustive bypass attempts, determine:
 </critical>

 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
-
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
--- a/prompts/exploit-injection.txt
+++ b/prompts/exploit-injection.txt
@@ -8,20 +8,7 @@ Success criterion: A comprehensive evidence report detailing the outcome for **e
 </objective>

 <exploitation_scope>
-**MANDATORY EXPLOITATION CONSTRAINTS:**
- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
- DO NOT attempt to exploit vulnerabilities that require:
-  - Internal network access (Tailscale, VPN, etc.)
-  - Direct server access
-  - Database console access
-
-**VERDICT CLASSIFICATIONS:**
- EXPLOITED: Successfully demonstrated impact via public interface
- BLOCKED_BY_SECURITY: Valid vulnerability but blocked by WAF/controls
- OUT_OF_SCOPE_INTERNAL: Requires internal access - DO NOT PURSUE
- FALSE_POSITIVE: Not actually vulnerable
-
-Only EXPLOITED and BLOCKED_BY_SECURITY should be reported as findings.
+@include(shared/_exploit-scope.txt)
 </exploitation_scope>

 <critical>
@@ -71,12 +58,11 @@ Remember: An unproven vulnerability is worse than no finding at all - it wastes


 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
--- a/prompts/exploit-ssrf.txt
+++ b/prompts/exploit-ssrf.txt
@@ -8,20 +8,7 @@ Success criterion: A comprehensive evidence report detailing the outcome for **e
 </objective>

 <exploitation_scope>
-**MANDATORY EXPLOITATION CONSTRAINTS:**
- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
- DO NOT attempt to exploit vulnerabilities that require:
-  - Internal network access (Tailscale, VPN, etc.)
-  - Direct server access
-  - Database console access
-
-**VERDICT CLASSIFICATIONS:**
- EXPLOITED: Successfully demonstrated impact via public interface
- BLOCKED_BY_SECURITY: Valid vulnerability but blocked by WAF/controls
- OUT_OF_SCOPE_INTERNAL: Requires internal access - DO NOT PURSUE
- FALSE_POSITIVE: Not actually vulnerable
-
-Only EXPLOITED and BLOCKED_BY_SECURITY should be reported as findings.
+@include(shared/_exploit-scope.txt)
 </exploitation_scope>

 <critical> 
@@ -94,13 +81,11 @@ After exhaustive bypass attempts, determine:
 </critical>

 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
-
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
--- a/prompts/exploit-xss.txt
+++ b/prompts/exploit-xss.txt
@@ -19,20 +19,7 @@ Success criterion: A comprehensive evidence report detailing the outcome for **e
 </objective>

 <exploitation_scope>
-**MANDATORY EXPLOITATION CONSTRAINTS:**
- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
- DO NOT attempt to exploit vulnerabilities that require:
-  - Internal network access (Tailscale, VPN, etc.)
-  - Direct server access
-  - Database console access
-
-**VERDICT CLASSIFICATIONS:**
- EXPLOITED: Successfully demonstrated impact via public interface
- BLOCKED_BY_SECURITY: Valid vulnerability but blocked by WAF/controls
- OUT_OF_SCOPE_INTERNAL: Requires internal access - DO NOT PURSUE
- FALSE_POSITIVE: Not actually vulnerable
-
-Only EXPLOITED and BLOCKED_BY_SECURITY should be reported as findings.
+@include(shared/_exploit-scope.txt)
 </exploitation_scope>

 <critical>
@@ -92,13 +79,11 @@ After exhaustive bypass attempts, determine:
 </critical>

 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
-
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
--- a/prompts/shared/_exploit-scope.txt
+++ b/prompts/shared/_exploit-scope.txt
@@ -0,0 +1,14 @@
+**MANDATORY EXPLOITATION CONSTRAINTS:**
+- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
+- DO NOT attempt to exploit vulnerabilities that require:
+  - Internal network access (Tailscale, VPN, etc.)
+  - Direct server access
+  - Database console access
+
+**VERDICT CLASSIFICATIONS:**
+- EXPLOITED: Successfully demonstrated impact via public interface
+- BLOCKED_BY_SECURITY: Valid vulnerability but blocked by WAF/controls
+- OUT_OF_SCOPE_INTERNAL: Requires internal access - DO NOT PURSUE
+- FALSE_POSITIVE: Not actually vulnerable
+
+Only EXPLOITED and BLOCKED_BY_SECURITY should be reported as findings.
--- a/prompts/shared/_rules.txt
+++ b/prompts/shared/_rules.txt
@@ -0,0 +1,2 @@
+Rules to Avoid:
+{{RULES_AVOID}}
--- a/prompts/shared/_target.txt
+++ b/prompts/shared/_target.txt
@@ -0,0 +1 @@
+URL: {{WEB_URL}}
--- a/prompts/shared/_vuln-scope.txt
+++ b/prompts/shared/_vuln-scope.txt
@@ -0,0 +1 @@
+**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access.
--- a/login_resources/login_instructions.txt
+++ b/login_resources/login_instructions.txt
--- a/prompts/vuln-auth.txt
+++ b/prompts/vuln-auth.txt
@@ -9,16 +9,15 @@ Success criterion: A complete, code-backed analysis of every potential authentic
 </objective>

 <scope>
-**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access.
+@include(shared/_vuln-scope.txt)
 </scope>

 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
--- a/prompts/vuln-authz.txt
+++ b/prompts/vuln-authz.txt
@@ -8,17 +8,15 @@ Success criterion: A complete, code-backed analysis of every potential authoriza
 </objective>

 <scope>
-**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access.
+@include(shared/_vuln-scope.txt)
 </scope>

 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
-
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
--- a/prompts/vuln-injection.txt
+++ b/prompts/vuln-injection.txt
@@ -11,17 +11,15 @@ Success criterion: A complete source-to-sink trace for every identified vulnerab
 </objective>

 <scope>
-**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access.
+@include(shared/_vuln-scope.txt)
 </scope>

 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
-
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
--- a/prompts/vuln-ssrf.txt
+++ b/prompts/vuln-ssrf.txt
@@ -8,16 +8,15 @@ Success criterion: A complete source-to-sink trace for every identified SSRF vul
 </objective>

 <scope>
-**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access.
+@include(shared/_vuln-scope.txt)
 </scope>

 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
--- a/prompts/vuln-xss.txt
+++ b/prompts/vuln-xss.txt
@@ -8,16 +8,15 @@ Success criterion: Live confirmation of XSS execution for every vulnerability th
 </objective>

 <scope>
-**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access.
+@include(shared/_vuln-scope.txt)
 </scope>

 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
--- a/src/prompts/prompt-manager.js
+++ b/src/prompts/prompt-manager.js
@@ -7,7 +7,7 @@ import { MCP_AGENT_MAPPING } from '../constants.js';
 async function buildLoginInstructions(authentication) {
  try {
    // Load the login instructions template
-    const loginInstructionsPath = path.join(import.meta.dirname, '..', '..', 'login_resources', 'login_instructions.txt');
+    const loginInstructionsPath = path.join(import.meta.dirname, '..', '..', 'prompts', 'shared', 'login-instructions.txt');

    if (!await fs.pathExists(loginInstructionsPath)) {
      throw new PentestError(
@@ -84,6 +84,27 @@ async function buildLoginInstructions(authentication) {
  }
 }

+// Pure function: Process @include() directives
+async function processIncludes(content, baseDir) {
+  const includeRegex = /@include\(([^)]+)\)/g;
+  // Use a Promise.all to handle all includes concurrently
+  const replacements = await Promise.all(
+    Array.from(content.matchAll(includeRegex)).map(async (match) => {
+      const includePath = path.join(baseDir, match[1]);
+      const sharedContent = await fs.readFile(includePath, 'utf8');
+      return {
+        placeholder: match[0],
+        content: sharedContent,
+      };
+    })
+  );
+
+  for (const replacement of replacements) {
+    content = content.replace(replacement.placeholder, replacement.content);
+  }
+  return content;
+}
+
 // Pure function: Variable interpolation
 async function interpolateVariables(template, variables, config = null) {
  try {
@@ -198,7 +219,11 @@ export async function loadPrompt(promptName, variables, config = null, pipelineT
      console.log(chalk.yellow(`    🎭 Unknown agent ${promptName}, using fallback → ${enhancedVariables.MCP_SERVER}`));
    }

-    const template = await fs.readFile(promptPath, 'utf8');
+    let template = await fs.readFile(promptPath, 'utf8');
+
+    // Pre-process the template to handle @include directives
+    template = await processIncludes(template, promptsDir);
+
    return await interpolateVariables(template, enhancedVariables, config);
  } catch (error) {
    if (error instanceof PentestError) {
				`@@ -0,0 +1 @@`
				`EXTERNAL ATTACKER SCOPE: Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access.`