refactor: deduplicate prompt templates with shared content system

Implemented @include() directive system to eliminate ~800 lines of duplicated content across 10 specialist prompt files. All prompt-related content now consolidated under prompts/ directory for better maintainability.

Changes:
- Added processIncludes() to prompt-manager.js for generic @include() support
- Created prompts/shared/ with 5 reusable template files
- Refactored all 10 specialist prompts to use @include() for common sections
- Moved login_instructions.txt to prompts/shared/ (deleted login_resources/)
- Updated CLAUDE.md to reflect new structure

Impact: -137 net lines, zero breaking changes, infinitely scalable for future shared content.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
ajmallesh
2025-10-23 16:19:25 -07:00
parent dafd9148f6
commit 369bf29588
17 changed files with 84 additions and 121 deletions


@@ -36,9 +36,7 @@ npm start <WEB_URL> <REPO_PATH> --config <CONFIG_FILE>
``` ```
### Generate TOTP for Authentication ### Generate TOTP for Authentication
```bash TOTP generation is now handled automatically via the `generate_totp` MCP tool during authentication flows.
./login_resources/generate-totp.mjs <TOTP_SECRET>
```
### Development Commands ### Development Commands
```bash ```bash
@@ -163,8 +161,8 @@ The agent uses the `@anthropic-ai/claude-agent-sdk` with maximum autonomy config
- Configuration context injection for authenticated testing - Configuration context injection for authenticated testing
### Authentication & Login Resources ### Authentication & Login Resources
- `login_resources/generate-totp.mjs` - TOTP token generation utility - `prompts/shared/login-instructions.txt` - Login flow template for all agents
- `login_resources/login_instructions.txt` - Login flow documentation - TOTP token generation via MCP `generate_totp` tool
- Support for multi-factor authentication workflows - Support for multi-factor authentication workflows
- Configurable authentication mechanisms (form, SSO, API, basic) - Configurable authentication mechanisms (form, SSO, API, basic)
@@ -296,14 +294,17 @@ configs/ # Configuration files
├── metabase-config.yaml # Metabase configuration ├── metabase-config.yaml # Metabase configuration
└── cal-com-config.yaml # Cal.com configuration └── cal-com-config.yaml # Cal.com configuration
prompts/ # AI prompt templates prompts/ # AI prompt templates
├── shared/ # Shared content for all prompts
│ ├── _target.txt # Target URL template
│ ├── _rules.txt # Rules template
│ ├── _vuln-scope.txt # Vulnerability scope template
│ ├── _exploit-scope.txt # Exploitation scope template
│ └── login-instructions.txt # Login flow template
├── pre-recon-code.txt # Code analysis ├── pre-recon-code.txt # Code analysis
├── recon.txt # Reconnaissance ├── recon.txt # Reconnaissance
├── vuln-*.txt # Vulnerability assessment ├── vuln-*.txt # Vulnerability assessment
├── exploit-*.txt # Exploitation ├── exploit-*.txt # Exploitation
└── report-executive.txt # Executive reporting └── report-executive.txt # Executive reporting
login_resources/ # Authentication utilities
├── generate-totp.mjs # TOTP generation
└── login_instructions.txt # Login documentation
scripts/ # Utility scripts scripts/ # Utility scripts
└── export-metrics.js # Export metrics to CSV └── export-metrics.js # Export metrics to CSV
deliverables/ # Output directory (in target repo) deliverables/ # Output directory (in target repo)


@@ -8,20 +8,7 @@ Success criterion: A comprehensive evidence report detailing the outcome for **e
</objective> </objective>
<exploitation_scope> <exploitation_scope>
**MANDATORY EXPLOITATION CONSTRAINTS:** @include(shared/_exploit-scope.txt)
- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
- DO NOT attempt to exploit vulnerabilities that require:
- Internal network access (Tailscale, VPN, etc.)
- Direct server access
- Database console access
**VERDICT CLASSIFICATIONS:**
- EXPLOITED: Successfully demonstrated impact via public interface
- BLOCKED_BY_SECURITY: Valid vulnerability but blocked by WAF/controls
- OUT_OF_SCOPE_INTERNAL: Requires internal access - DO NOT PURSUE
- FALSE_POSITIVE: Not actually vulnerable
Only EXPLOITED and BLOCKED_BY_SECURITY should be reported as findings.
</exploitation_scope> </exploitation_scope>
<critical> <critical>
@@ -107,13 +94,11 @@ Chain exploits together: Use enumerated users in password attacks. Use created w
If you only confirmed a vulnerability without attempting to weaponize it, you have not completed the exploitation task. If you only confirmed a vulnerability without attempting to weaponize it, you have not completed the exploitation task.
<target> <target>
URL: {{WEB_URL}} @include(shared/_target.txt)
</target> </target>
<rules> <rules>
Rules to Avoid: @include(shared/_rules.txt)
{{RULES_AVOID}}
</rules> </rules>
<login_instructions> <login_instructions>


@@ -8,20 +8,7 @@ Success criterion: A comprehensive evidence report detailing the outcome for **e
</objective> </objective>
<exploitation_scope> <exploitation_scope>
**MANDATORY EXPLOITATION CONSTRAINTS:** @include(shared/_exploit-scope.txt)
- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
- DO NOT attempt to exploit vulnerabilities that require:
- Internal network access (Tailscale, VPN, etc.)
- Direct server access
- Database console access
**VERDICT CLASSIFICATIONS:**
- EXPLOITED: Successfully demonstrated impact via public interface
- BLOCKED_BY_SECURITY: Valid vulnerability but blocked by WAF/controls
- OUT_OF_SCOPE_INTERNAL: Requires internal access - DO NOT PURSUE
- FALSE_POSITIVE: Not actually vulnerable
Only EXPLOITED and BLOCKED_BY_SECURITY should be reported as findings.
</exploitation_scope> </exploitation_scope>
<critical> <critical>
@@ -94,13 +81,11 @@ After exhaustive bypass attempts, determine:
</critical> </critical>
<target> <target>
URL: {{WEB_URL}} @include(shared/_target.txt)
</target> </target>
<rules> <rules>
Rules to Avoid: @include(shared/_rules.txt)
{{RULES_AVOID}}
</rules> </rules>
<login_instructions> <login_instructions>


@@ -8,20 +8,7 @@ Success criterion: A comprehensive evidence report detailing the outcome for **e
</objective> </objective>
<exploitation_scope> <exploitation_scope>
**MANDATORY EXPLOITATION CONSTRAINTS:** @include(shared/_exploit-scope.txt)
- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
- DO NOT attempt to exploit vulnerabilities that require:
- Internal network access (Tailscale, VPN, etc.)
- Direct server access
- Database console access
**VERDICT CLASSIFICATIONS:**
- EXPLOITED: Successfully demonstrated impact via public interface
- BLOCKED_BY_SECURITY: Valid vulnerability but blocked by WAF/controls
- OUT_OF_SCOPE_INTERNAL: Requires internal access - DO NOT PURSUE
- FALSE_POSITIVE: Not actually vulnerable
Only EXPLOITED and BLOCKED_BY_SECURITY should be reported as findings.
</exploitation_scope> </exploitation_scope>
<critical> <critical>
@@ -71,12 +58,11 @@ Remember: An unproven vulnerability is worse than no finding at all - it wastes
<target> <target>
URL: {{WEB_URL}} @include(shared/_target.txt)
</target> </target>
<rules> <rules>
Rules to Avoid: @include(shared/_rules.txt)
{{RULES_AVOID}}
</rules> </rules>
<login_instructions> <login_instructions>


@@ -8,20 +8,7 @@ Success criterion: A comprehensive evidence report detailing the outcome for **e
</objective> </objective>
<exploitation_scope> <exploitation_scope>
**MANDATORY EXPLOITATION CONSTRAINTS:** @include(shared/_exploit-scope.txt)
- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
- DO NOT attempt to exploit vulnerabilities that require:
- Internal network access (Tailscale, VPN, etc.)
- Direct server access
- Database console access
**VERDICT CLASSIFICATIONS:**
- EXPLOITED: Successfully demonstrated impact via public interface
- BLOCKED_BY_SECURITY: Valid vulnerability but blocked by WAF/controls
- OUT_OF_SCOPE_INTERNAL: Requires internal access - DO NOT PURSUE
- FALSE_POSITIVE: Not actually vulnerable
Only EXPLOITED and BLOCKED_BY_SECURITY should be reported as findings.
</exploitation_scope> </exploitation_scope>
<critical> <critical>
@@ -94,13 +81,11 @@ After exhaustive bypass attempts, determine:
</critical> </critical>
<target> <target>
URL: {{WEB_URL}} @include(shared/_target.txt)
</target> </target>
<rules> <rules>
Rules to Avoid: @include(shared/_rules.txt)
{{RULES_AVOID}}
</rules> </rules>
<login_instructions> <login_instructions>


@@ -19,20 +19,7 @@ Success criterion: A comprehensive evidence report detailing the outcome for **e
</objective> </objective>
<exploitation_scope> <exploitation_scope>
**MANDATORY EXPLOITATION CONSTRAINTS:** @include(shared/_exploit-scope.txt)
- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
- DO NOT attempt to exploit vulnerabilities that require:
- Internal network access (Tailscale, VPN, etc.)
- Direct server access
- Database console access
**VERDICT CLASSIFICATIONS:**
- EXPLOITED: Successfully demonstrated impact via public interface
- BLOCKED_BY_SECURITY: Valid vulnerability but blocked by WAF/controls
- OUT_OF_SCOPE_INTERNAL: Requires internal access - DO NOT PURSUE
- FALSE_POSITIVE: Not actually vulnerable
Only EXPLOITED and BLOCKED_BY_SECURITY should be reported as findings.
</exploitation_scope> </exploitation_scope>
<critical> <critical>
@@ -92,13 +79,11 @@ After exhaustive bypass attempts, determine:
</critical> </critical>
<target> <target>
URL: {{WEB_URL}} @include(shared/_target.txt)
</target> </target>
<rules> <rules>
Rules to Avoid: @include(shared/_rules.txt)
{{RULES_AVOID}}
</rules> </rules>
<login_instructions> <login_instructions>


@@ -0,0 +1,14 @@
**MANDATORY EXPLOITATION CONSTRAINTS:**
- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
- DO NOT attempt to exploit vulnerabilities that require:
- Internal network access (Tailscale, VPN, etc.)
- Direct server access
- Database console access
**VERDICT CLASSIFICATIONS:**
- EXPLOITED: Successfully demonstrated impact via public interface
- BLOCKED_BY_SECURITY: Valid vulnerability but blocked by WAF/controls
- OUT_OF_SCOPE_INTERNAL: Requires internal access - DO NOT PURSUE
- FALSE_POSITIVE: Not actually vulnerable
Only EXPLOITED and BLOCKED_BY_SECURITY should be reported as findings.


@@ -0,0 +1,2 @@
Rules to Avoid:
{{RULES_AVOID}}


@@ -0,0 +1 @@
URL: {{WEB_URL}}


@@ -0,0 +1 @@
**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access.


@@ -9,16 +9,15 @@ Success criterion: A complete, code-backed analysis of every potential authentic
</objective> </objective>
<scope> <scope>
**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access. @include(shared/_vuln-scope.txt)
</scope> </scope>
<target> <target>
URL: {{WEB_URL}} @include(shared/_target.txt)
</target> </target>
<rules> <rules>
Rules to Avoid: @include(shared/_rules.txt)
{{RULES_AVOID}}
</rules> </rules>
<login_instructions> <login_instructions>


@@ -8,17 +8,15 @@ Success criterion: A complete, code-backed analysis of every potential authoriza
</objective> </objective>
<scope> <scope>
**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access. @include(shared/_vuln-scope.txt)
</scope> </scope>
<target> <target>
URL: {{WEB_URL}} @include(shared/_target.txt)
</target> </target>
<rules> <rules>
Rules to Avoid: @include(shared/_rules.txt)
{{RULES_AVOID}}
</rules> </rules>
<login_instructions> <login_instructions>


@@ -11,17 +11,15 @@ Success criterion: A complete source-to-sink trace for every identified vulnerab
</objective> </objective>
<scope> <scope>
**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access. @include(shared/_vuln-scope.txt)
</scope> </scope>
<target> <target>
URL: {{WEB_URL}} @include(shared/_target.txt)
</target> </target>
<rules> <rules>
Rules to Avoid: @include(shared/_rules.txt)
{{RULES_AVOID}}
</rules> </rules>
<login_instructions> <login_instructions>


@@ -8,16 +8,15 @@ Success criterion: A complete source-to-sink trace for every identified SSRF vul
</objective> </objective>
<scope> <scope>
**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access. @include(shared/_vuln-scope.txt)
</scope> </scope>
<target> <target>
URL: {{WEB_URL}} @include(shared/_target.txt)
</target> </target>
<rules> <rules>
Rules to Avoid: @include(shared/_rules.txt)
{{RULES_AVOID}}
</rules> </rules>
<login_instructions> <login_instructions>


@@ -8,16 +8,15 @@ Success criterion: Live confirmation of XSS execution for every vulnerability th
</objective> </objective>
<scope> <scope>
**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access. @include(shared/_vuln-scope.txt)
</scope> </scope>
<target> <target>
URL: {{WEB_URL}} @include(shared/_target.txt)
</target> </target>
<rules> <rules>
Rules to Avoid: @include(shared/_rules.txt)
{{RULES_AVOID}}
</rules> </rules>
<login_instructions> <login_instructions>


@@ -7,7 +7,7 @@ import { MCP_AGENT_MAPPING } from '../constants.js';
async function buildLoginInstructions(authentication) { async function buildLoginInstructions(authentication) {
try { try {
// Load the login instructions template // Load the login instructions template
const loginInstructionsPath = path.join(import.meta.dirname, '..', '..', 'login_resources', 'login_instructions.txt'); const loginInstructionsPath = path.join(import.meta.dirname, '..', '..', 'prompts', 'shared', 'login-instructions.txt');
if (!await fs.pathExists(loginInstructionsPath)) { if (!await fs.pathExists(loginInstructionsPath)) {
throw new PentestError( throw new PentestError(
@@ -84,6 +84,27 @@ async function buildLoginInstructions(authentication) {
} }
} }
// Pure function: Process @include() directives
async function processIncludes(content, baseDir) {
const includeRegex = /@include\(([^)]+)\)/g;
// Use a Promise.all to handle all includes concurrently
const replacements = await Promise.all(
Array.from(content.matchAll(includeRegex)).map(async (match) => {
const includePath = path.join(baseDir, match[1]);
const sharedContent = await fs.readFile(includePath, 'utf8');
return {
placeholder: match[0],
content: sharedContent,
};
})
);
for (const replacement of replacements) {
content = content.replace(replacement.placeholder, replacement.content);
}
return content;
}
// Pure function: Variable interpolation // Pure function: Variable interpolation
async function interpolateVariables(template, variables, config = null) { async function interpolateVariables(template, variables, config = null) {
try { try {
@@ -198,7 +219,11 @@ export async function loadPrompt(promptName, variables, config = null, pipelineT
console.log(chalk.yellow(` 🎭 Unknown agent ${promptName}, using fallback → ${enhancedVariables.MCP_SERVER}`)); console.log(chalk.yellow(` 🎭 Unknown agent ${promptName}, using fallback → ${enhancedVariables.MCP_SERVER}`));
} }
const template = await fs.readFile(promptPath, 'utf8'); let template = await fs.readFile(promptPath, 'utf8');
// Pre-process the template to handle @include directives
template = await processIncludes(template, promptsDir);
return await interpolateVariables(template, enhancedVariables, config); return await interpolateVariables(template, enhancedVariables, config);
} catch (error) { } catch (error) {
if (error instanceof PentestError) { if (error instanceof PentestError) {
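Review bot: processIncludes() joins the captured path straight onto baseDir (`path.join(baseDir, match[1])`) without checking that the result stays under the prompts directory, so a directive with `../` segments pulls any file the process can read into the prompt sent to the agent. The substitution `content.replace(replacement.placeholder, replacement.content)` passes the shared text as a replacement string, so `$&`, `$'` or `$$` sequences inside a shared file are expanded instead of inserted literally; a function replacer avoids that. The "Pure function" comment is inaccurate because the function reads from disk, and a missing include surfaces as a raw fs error rather than the PentestError used elsewhere in this file (its constructor arguments are not visible here, so the sketch below throws a plain Error). Running the include pass before interpolateVariables() in loadPrompt is the right order, since config-derived values are then never scanned for directives; a comment saying so would keep it from being reordered later.

```javascript
async function processIncludes(content, baseDir) {
  const includeRegex = /@include\(([^)]+)\)/g;
  const root = path.resolve(baseDir);
  const replacements = await Promise.all(
    Array.from(content.matchAll(includeRegex)).map(async (match) => {
      const includePath = path.resolve(root, match[1].trim());
      // Refuse directives that resolve outside the prompts directory
      if (!includePath.startsWith(root + path.sep)) {
        throw new Error(`@include path escapes prompts directory: ${match[1]}`);
      }
      // … unchanged: readFile and return { placeholder, content } …
    })
  );
  for (const replacement of replacements) {
    // Function replacer: "$"-sequences in the shared file are inserted literally
    content = content.replace(replacement.placeholder, () => replacement.content);
  }
  return content;
}
```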