diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..824b549 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,41 @@ +--- +name: Bug report +about: Report a reproducible OpenGhost bug +title: "bug: " +labels: bug +assignees: "" +--- + +## Summary + +Describe the bug and the expected behavior. + +## Environment + +- OS: +- Shell: +- Docker version: +- OpenGhost commit: +- Sandbox image digest, if relevant: + +## Steps to Reproduce + +1. +2. +3. + +## Actual Result + +Paste the relevant non-sensitive output. + +## Expected Result + +Describe what should have happened. + +## Validation + +List any commands already run. + +## Safety Check + +- [ ] This report does not include real target data, credentials, tokens, traffic captures, or private vulnerability evidence. diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..d5b072a --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,5 @@ +blank_issues_enabled: false +contact_links: + - name: Security vulnerability + url: https://github.com/VAIBHAVSING/openghost/security + about: Report vulnerabilities privately. Do not open public issues with exploit details. diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000..edd2d3b --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,23 @@ +--- +name: Feature request +about: Propose an OpenGhost improvement +title: "feat: " +labels: enhancement +assignees: "" +--- + +## Problem + +What operator workflow, skill behavior, or sandbox capability is missing? + +## Proposal + +Describe the change. + +## Alternatives + +List any current workaround. + +## Safety and Scope + +Explain how this keeps authorization, Docker-only execution, and evidence quality intact. diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..2c9a61a --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,16 @@ +## Summary + +- + +## Validation + +- [ ] `bash -n openghost skills/openghost skills/openghost-skill/openghost skills/openghost-skill/scripts/openghost.sh skills/openghost-skill/scripts/verify-toolchain.sh` +- [ ] `python3 -m py_compile skills/openghost-skill/scripts/select-modules.py skills/openghost-skill/scripts/openghost-state.py` +- [ ] Skill validation, if `skills/openghost-skill` changed +- [ ] Docker/toolchain validation, if `docker/` changed + +## Security and Safety + +- [ ] No credentials, target data, traffic captures, or real assessment evidence are included. +- [ ] Security tooling still runs through `openghost`. +- [ ] Documentation was updated for changed commands, paths, or behavior. diff --git a/.github/workflows/publish-sandbox-image.yml b/.github/workflows/publish-sandbox-image.yml index a5462dd..17b65f4 100644 --- a/.github/workflows/publish-sandbox-image.yml +++ b/.github/workflows/publish-sandbox-image.yml @@ -9,11 +9,11 @@ on: - "v*" paths: - ".github/workflows/publish-sandbox-image.yml" - - "developer/docker/**" + - "docker/**" pull_request: paths: - ".github/workflows/publish-sandbox-image.yml" - - "developer/docker/**" + - "docker/**" permissions: contents: read @@ -75,13 +75,13 @@ jobs: org.opencontainers.image.title=OpenGhost sandbox org.opencontainers.image.description=Developer sandbox image for the OpenGhost skill org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }} - org.opencontainers.image.licenses=MIT + org.opencontainers.image.licenses=Apache-2.0 - name: Build and push uses: docker/build-push-action@v6 with: - context: developer/docker - file: developer/docker/Dockerfile + context: docker + file: docker/Dockerfile platforms: linux/amd64,linux/arm64 push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} diff --git a/.gitignore b/.gitignore index 4c3cb96..6a2810b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,5 @@ .agents/* !.agents/.gitkeep + +__pycache__/ +*.py[cod] diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 0000000..1525c77 --- /dev/null +++ b/AGENTS.md @@ -0,0 +1,164 @@ +# AGENTS.md + +Project context for coding agents working on OpenGhost. + +## What This Repo Is + +OpenGhost is an original standalone Agent Skill for authorized web application and server integrity penetration testing. The repo packages skill instructions, reference methodology, evidence/reporting helpers, and a Docker-backed launcher that keeps security tooling out of the host environment. + +The central design constraint is simple: agents provide reasoning and workflow control, while OpenGhost provides the sandboxed execution layer and structured engagement state. + +## Product Boundary + +- This repository owns the OpenGhost skill package and sandbox launcher. +- Security tools must be executed through `openghost`, not directly on the host. +- External research/reference directories are not runtime dependencies and should not be cited as OpenGhost source material. +- Generated engagement data belongs under `.openghost/` and should normally stay uncommitted. + +## Agent Skill Structure + +OpenGhost follows the standard Agent Skill layout: + +- `skills/openghost-skill/SKILL.md` is the published skill entrypoint and operator workflow. +- Keep `SKILL.md` focused and use progressive disclosure: short entrypoint instructions first, deeper details in references. +- `skills/openghost-skill/references/` contains deeper guidance that agents should load only when relevant. +- `skills/openghost-skill/scripts/` contains deterministic helpers and launcher implementation. +- `skills/openghost-skill/assets/` contains templates and reusable output files. +- Do not duplicate large methodology content across files; link to the canonical reference instead. + +## Main Source Paths + +- `skills/openghost-skill/SKILL.md` - published skill entrypoint and operator workflow. +- `skills/openghost-skill/references/` - deeper guidance for modules, reporting, tooling, auth, and workflow. +- `skills/openghost-skill/references/modules/` - assessment modules such as surface mapping, session auth, access control, injection, APIs, browser policy, HTTP edge, business logic, and server integrity. +- `skills/openghost-skill/scripts/openghost.sh` - canonical CLI and Docker sandbox implementation. +- `skills/openghost-skill/scripts/verify-toolchain.sh` - runtime toolchain verification. +- `skills/openghost-skill/scripts/select-modules.py` - module selection helper. +- `skills/openghost-skill/assets/` - templates for scope, auth, findings, and reports. +- `skills/openghost-skill/agents/` - compatibility notes for other coding agents. + +## Launchers + +There are three launcher entrypoints: + +- `./openghost` forwards to `skills/openghost`. +- `skills/openghost` forwards to `skills/openghost-skill/scripts/openghost.sh`. +- `skills/openghost-skill/openghost` is the standalone fallback for installs that copy only the skill package. + +Keep launcher behavior consistent when changing CLI commands. + +## Sandbox Model + +The root `Dockerfile` intentionally delegates to `ghcr.io/vaibhavsing/openghost-sandbox:latest`. The actual maintainer image source is `docker/Dockerfile`. + +Normal users should pull the published image. Maintainers can set `OPENGHOST_BUILD=1` to build from `docker/`. + +The sandbox mounts the current workspace at `/workspace`, runs with dropped capabilities plus the minimum network capabilities needed for testing, and exposes tools through an allowlist in `openghost.sh`. + +## CLI Surface + +Primary commands: + +```bash +./openghost sandbox start +./openghost sandbox status +./openghost sandbox stop +./openghost sandbox update +./openghost run [args...] +./openghost bash '' +./openghost python code '