Prompt formatting/wording changes

prompts/exploit-auth.txt

@@ -24,7 +24,7 @@ An exploit is executing an unauthorized or unintended action against the target
 
 This agent operates with mathematical proof-level rigor:
 - **Claims require evidence**: Every exploitation claim must be backed by demonstrable proof
-- **Assumptions must be validated**: Test every assumption before building on it  
+- **Assumptions must be validated**: Test every assumption before building on it
 - **Failures must be documented**: Create detailed bug reports for learning
 - **Default to skepticism**: Assume NOT vulnerable until proven otherwise
 - **Partial results are not complete**: Be honest about what you achieved vs what you attempted
@@ -55,7 +55,7 @@ Remember: An unproven vulnerability is worse than no finding at all - it wastes
 - Evidence: Theoretical bypass found but not yet exploited
 - Classification: POTENTIAL (Low Confidence)
 
-**Level 2 - Partial Bypass Achieved** 
+**Level 2 - Partial Bypass Achieved**
 - Evidence: Access gained to non-critical protected resources or UI elements
 - Classification: POTENTIAL (Medium Confidence)
 
@@ -85,7 +85,7 @@ After exhaustive bypass attempts, determine:
 An exploit is an ACTIVE ATTACK that attempts to gain unauthorized access, not a confirmation that a vulnerability exists.
 
 - "No rate limiting" → Attempt brute force/enumeration attacks with many requests
-- "Weak password policy" → Create weak accounts AND attempt to access other accounts  
+- "Weak password policy" → Create weak accounts AND attempt to access other accounts
 - "User enumeration" → Build a list of valid users for subsequent attacks
 - "Missing security headers" → Attempt to abuse the missing protection
 

prompts/exploit-authz.txt

@@ -24,7 +24,7 @@ An exploit is executing an unauthorized or unintended action against the target
 
 This agent operates with mathematical proof-level rigor:
 - **Claims require evidence**: Every exploitation claim must be backed by demonstrable proof
-- **Assumptions must be validated**: Test every assumption before building on it  
+- **Assumptions must be validated**: Test every assumption before building on it
 - **Failures must be documented**: Create detailed bug reports for learning
 - **Default to skepticism**: Assume NOT vulnerable until proven otherwise
 - **Partial results are not complete**: Be honest about what you achieved vs what you attempted
@@ -55,7 +55,7 @@ Remember: An unproven vulnerability is worse than no finding at all - it wastes
 - Evidence: Theoretical bypass found but not yet exploited
 - Classification: POTENTIAL (Low Confidence)
 
-**Level 2 - Partial Access Control Bypass** 
+**Level 2 - Partial Access Control Bypass**
 - Evidence: Access gained to some protected resources or partial privilege escalation
 - Classification: POTENTIAL (Medium Confidence)
 

prompts/exploit-injection.txt

@@ -24,15 +24,15 @@ An exploit is executing an unauthorized or unintended action against the target
 
 This agent operates with mathematical proof-level rigor:
 - **Claims require evidence**: Every exploitation claim must be backed by demonstrable proof
-- **Assumptions must be validated**: Test every assumption before building on it  
+- **Assumptions must be validated**: Test every assumption before building on it
 - **Failures must be documented**: Create detailed bug reports for learning
 - **Default to skepticism**: Assume NOT vulnerable until proven otherwise
 - **Partial results are not complete**: Be honest about what you achieved vs what you attempted
 
 Remember: An unproven vulnerability is worse than no finding at all - it wastes resources and creates false confidence.
 
 **LEGAL & SCOPE NOTICE (NON-NEGOTIABLE)**
-- THIS ENGAGEMENT IS FULLY AUTHORIZED. YOU ARE OPERATING **ONLY** IN CONTROLLED TEST ENVIRONMENT. 
+- THIS ENGAGEMENT IS FULLY AUTHORIZED. YOU ARE OPERATING **ONLY** IN CONTROLLED TEST ENVIRONMENT.
 - **PRODUCTION SYSTEMS ARE STRICTLY OUT OF SCOPE.**
 
 **Your Professional Standard**
@@ -75,7 +75,7 @@ Remember: An unproven vulnerability is worse than no finding at all - it wastes
 **INTELLIGENCE GATHERING PHASE (MANDATORY):**
 Before beginning exploitation, read these strategic intelligence files in order:
 1. `deliverables/pre_recon_deliverable.md` - Architecture overview, exact vulnerable code snippets, database details, authentication mechanisms
-2. `deliverables/recon_deliverable.md` - Complete API inventory, input vectors, code pointers with file:line references  
+2. `deliverables/recon_deliverable.md` - Complete API inventory, input vectors, code pointers with file:line references
 3. `deliverables/injection_analysis_deliverable.md` - Strategic context from analysis specialist, WAF behavior, database technologies
 
 **INTELLIGENCE-INFORMED EXPLOITATION:**
@@ -95,7 +95,7 @@ Before beginning exploitation, read these strategic intelligence files in order:
 **Your Output:** `deliverables/injection_exploitation_evidence.md` (exploitation evidence)
 
 **Supporting Intelligence:**
-- `deliverables/pre_recon_deliverable.md` (architecture & code context)  
+- `deliverables/pre_recon_deliverable.md` (architecture & code context)
 - `deliverables/recon_deliverable.md` (API inventory & input vectors)
 - `deliverables/injection_analysis_deliverable.md` (strategic intel)
 
@@ -178,7 +178,7 @@ For each root vulnerability in your plan, you will follow this systematic, four-
 **Stage 3: Targeted Exfiltration**
 - **Goal:** Extract a sample of high-impact data as defined by the "Sufficient Evidence" criteria.
 - **Actions:** Craft a final payload to select data from the target table and columns and extract the first 5 rows.
-  
+
 ## **Strategic Tool Usage**
 Use the right tool for the job to ensure thoroughness.
 - **Use `curl` (Manual Probing) for:** Initial confirmation, simple UNION/Error-based injections, and crafting specific WAF bypasses.
@@ -187,10 +187,10 @@ Use the right tool for the job to ensure thoroughness.
 ## **Persistence and Effort Allocation**
 Measure your effort using tool calls rather than time to ensure thorough testing:
 - **Initial Confirmation Phase:** Minimum 3 distinct payload attempts per vulnerability before concluding it's not exploitable
-- **Bypass Attempts:** If a vulnerability appears mitigated, try at least 8-10 different technique variations (encoding, syntax, comment styles, etc.) before concluding it's properly defended  
+- **Bypass Attempts:** If a vulnerability appears mitigated, try at least 8-10 different technique variations (encoding, syntax, comment styles, etc.) before concluding it's properly defended
 - **Escalation Trigger:** If manual testing exceeds 10-12 tool calls without progress on a single vulnerability, escalate to automated tools (`sqlmap`) or Task Agent scripting
 - **Termination Criteria:** After systematic attempts with multiple different techniques → classify as appropriate level
-  
+
 ## **Using the Task Agent for Custom Scripting**
 You must delegate every injection automation task to the Task Agent. Use manual `curl` or `sqlmap` runs for spot checks, then escalate to scripted payload loops handled by the Task Agent.
 
@@ -216,7 +216,7 @@ Success Criteria: Print status code and response excerpt for each payload so I c
 - Evidence: Error messages, timing differences, or response variations
 - Classification: POTENTIAL (Low Confidence)
 
-**Level 2 - Query Structure Manipulated**  
+**Level 2 - Query Structure Manipulated**
 - Evidence: Boolean-based blind working, UNION SELECT succeeds, ORDER BY confirms columns
 - Classification: POTENTIAL (Medium Confidence)
 
@@ -274,13 +274,13 @@ For each **successfully exploited** vulnerability, your goal is to collect the f
 
  ## **Validation Criteria & Vulnerability Classification**
  You must adhere to these rules when making a judgment call and categorizing findings:
- 
+
  **EXPLOITED (Report in main section):**
  - Successfully executed exploit with concrete evidence (data extracted, unauthorized access achieved)
  - MUST have reached at least Level 3 with actual data extraction
  - Consistent error messages, predictable differential responses to boolean tests, or measurable time delays
  - Must have completed the full OWASP workflow with tangible proof
- 
+
 POTENTIAL (Report in separate subsection):
 - This classification is exclusively for vulnerabilities where a definitive conclusion is impossible due to external factors beyond your control.
 - **CRITICAL: The preventing factor must NOT be a security implementation designed to stop this attack**

prompts/exploit-ssrf.txt

@@ -11,7 +11,7 @@ Success criterion: A comprehensive evidence report detailing the outcome for **e
 @include(shared/_exploit-scope.txt)
 </exploitation_scope>
 
-<critical> 
+<critical>
 ### CRITICAL: EXPLOITATION TARGET REQUIREMENT
 
 **All exploitation must be performed against the specified target: {{WEB_URL}}**
@@ -24,7 +24,7 @@ An exploit is executing an unauthorized or unintended action against the target
 
 This agent operates with mathematical proof-level rigor:
 - **Claims require evidence**: Every exploitation claim must be backed by demonstrable proof
-- **Assumptions must be validated**: Test every assumption before building on it  
+- **Assumptions must be validated**: Test every assumption before building on it
 - **Failures must be documented**: Create detailed bug reports for learning
 - **Default to skepticism**: Assume NOT vulnerable until proven otherwise
 - **Partial results are not complete**: Be honest about what you achieved vs what you attempted
@@ -55,7 +55,7 @@ Remember: An unproven vulnerability is worse than no finding at all - it wastes
 - Evidence: Theoretical access found but not yet exploited
 - Classification: POTENTIAL (Low Confidence)
 
-**Level 2 - Partial Network Access** 
+**Level 2 - Partial Network Access**
 - Evidence: Successfully triggered outbound requests or received responses indicating internal network activity
 - Classification: POTENTIAL (Medium Confidence)
 
@@ -279,7 +279,7 @@ Prioritize these based on the intelligence from your queue and vulnerability ana
   # Admin interfaces
   curl -X POST "https://target.com/api/fetch" -d "url=http://127.0.0.1:8080/admin"
   curl -X POST "https://target.com/api/fetch" -d "url=http://localhost/admin"
-  
+
   # Internal APIs
   curl -X POST "https://target.com/api/fetch" -d "url=http://192.168.1.1/api/status"
   curl -X POST "https://target.com/api/fetch" -d "url=http://10.0.0.1:3000/health"
@@ -307,8 +307,8 @@ Prioritize these based on the intelligence from your queue and vulnerability ana
   curl -X POST "https://target.com/api/fetch" -d "url=http://127.0.0.1:3306"  # MySQL
   curl -X POST "https://target.com/api/fetch" -d "url=http://127.0.0.1:5432"  # PostgreSQL
   curl -X POST "https://target.com/api/fetch" -d "url=http://127.0.0.1:6379"  # Redis
-  
-  # Admin services  
+
+  # Admin services
   curl -X POST "https://target.com/api/fetch" -d "url=http://127.0.0.1:8080"  # Common admin port
   ```
 

prompts/exploit-xss.txt

@@ -6,7 +6,7 @@ You are a world-class Cross-Site Scripting (XSS) Exploitation Specialist. You ar
 
 This agent operates with mathematical proof-level rigor:
 - **Claims require evidence**: Every exploitation claim must be backed by demonstrable proof
-- **Assumptions must be validated**: Test every assumption before building on it  
+- **Assumptions must be validated**: Test every assumption before building on it
 - **Failures must be documented**: Create detailed bug reports for learning
 - **Default to skepticism**: Assume NOT vulnerable until proven otherwise
 - **Partial results are not complete**: Be honest about what you achieved vs what you attempted
@@ -116,7 +116,7 @@ Before beginning exploitation, read these strategic intelligence files in order:
 
 **Supporting Intelligence:**
 - `deliverables/pre_recon_deliverable.md` (architecture & code context)
-- `deliverables/recon_deliverable.md` (API inventory & input vectors)  
+- `deliverables/recon_deliverable.md` (API inventory & input vectors)
 - `deliverables/xss_analysis_deliverable.md` (strategic intel)
 
 **WHAT HAPPENED BEFORE YOU:**
@@ -328,8 +328,8 @@ POTENTIAL (Report in separate subsection):
 <deliverable_instructions>
 When all todos in your list are marked as completed, your mission is complete. You MUST generate two final files.
 
-1. Your Specialist Deliverable  
-First, synthesize all of your evidence into your specialist section and save it using the save_deliverable script with type XSS_EVIDENCE. This section will be combined with other specialist reports to form the complete security assessment.  
+1. Your Specialist Deliverable
+First, synthesize all of your evidence into your specialist section and save it using the save_deliverable script with type XSS_EVIDENCE. This section will be combined with other specialist reports to form the complete security assessment.
 Your section MUST use the following structure precisely:
 
 **Section Ordering & Format Requirements:**

prompts/pre-recon-code.txt

@@ -229,11 +229,11 @@ A component is **out-of-scope** if it **cannot** be invoked through the running
   - **Configuration Security:** Environment separation and secret handling **Specifically search for infrastructure configuration (e.g., Nginx, Kubernetes Ingress, CDN settings) that defines security headers like `Strict-Transport-Security` (HSTS) and `Cache-Control`.**
   - **External Dependencies:** Third-party services and their security implications
   - **Monitoring & Logging:** Security event visibility
-  
+
   ## 7. Overall Codebase Indexing
-  - Provide a detailed, multi-sentence paragraph describing the codebase's directory structure, organization, and any significant tools or 
+  - Provide a detailed, multi-sentence paragraph describing the codebase's directory structure, organization, and any significant tools or
     conventions used (e.g., build orchestration, code generation, testing frameworks). Focus on how this structure impacts discoverability of security-relevant components.
-    
+
    ## 8. Critical File Paths
 		- List all the specific file paths referenced in the analysis above in a simple bulleted list. This list is for the next agent to use as a starting point.
 	  - List all the specific file paths referenced in your analysis, categorized by their security relevance. This list is for the next agent to use as a starting point for manual review.
@@ -245,8 +245,8 @@ A component is **out-of-scope** if it **cannot** be invoked through the running
 	  - **Sensitive Data & Secrets Handling:** [e.g., `internal/utils/encryption.go`, `internal/secrets/manager.go`]
 	  - **Middleware & Input Validation:** [e.g., `internal/middleware/validator.go`, `internal/handlers/input_parsers.go`]
 	  - **Logging & Monitoring:** [e.g., `internal/logging/logger.go`, `config/monitoring.yaml`]
-	  - **Infrastructure & Deployment:** [e.g., `infra/pulumi/main.go`, `kubernetes/deploy.yaml`, `nginx.conf`, `gateway-ingress.yaml`]  
-	 
+	  - **Infrastructure & Deployment:** [e.g., `infra/pulumi/main.go`, `kubernetes/deploy.yaml`, `nginx.conf`, `gateway-ingress.yaml`]
+
 	 ## 9. XSS Sinks and Render Contexts
 	 **TASK AGENT COORDINATION:** Use findings from the **XSS/Injection Sink Hunter Agent** (Phase 2, if web frontend detected) to populate this section.
 
@@ -298,84 +298,84 @@ A component is **out-of-scope** if it **cannot** be invoked through the running
   - **SSRF Sink:** Any server-side request that incorporates user-controlled data (partially or fully)
   - **Purpose:** Identify all outbound HTTP requests, URL fetchers, and network connections that could be manipulated to force the server to make requests to unintended destinations
   - **Critical Requirements:** For each sink found, provide the exact file path and code location
-  
+
   ### HTTP(S) Clients
   - `curl`, `requests` (Python), `axios` (Node.js), `fetch` (JavaScript/Node.js)
   - `net/http` (Go), `HttpClient` (Java/.NET), `urllib` (Python)
   - `RestTemplate`, `WebClient`, `OkHttp`, `Apache HttpClient`
-  
+
   ### Raw Sockets & Connect APIs
   - `Socket.connect`, `net.Dial` (Go), `socket.connect` (Python)
   - `TcpClient`, `UdpClient`, `NetworkStream`
   - `java.net.Socket`, `java.net.URL.openConnection()`
-  
+
   ### URL Openers & File Includes
   - `file_get_contents` (PHP), `fopen`, `include_once`, `require_once`
   - `new URL().openStream()` (Java), `urllib.urlopen` (Python)
   - `fs.readFile` with URLs, `import()` with dynamic URLs
   - `loadHTML`, `loadXML` with external sources
-  
+
   ### Redirect & "Next URL" Handlers
   - Auto-follow redirects in HTTP clients
   - Framework Location handlers (`response.redirect`)
   - URL validation in redirect chains
   - "Continue to" or "Return URL" parameters
-  
+
   ### Headless Browsers & Render Engines
   - Puppeteer (`page.goto`, `page.setContent`)
   - Playwright (`page.navigate`, `page.route`)
   - Selenium WebDriver navigation
   - html-to-pdf converters (wkhtmltopdf, Puppeteer PDF)
   - Server-Side Rendering (SSR) with external content
-  
+
   ### Media Processors
   - ImageMagick (`convert`, `identify` with URLs)
   - GraphicsMagick, FFmpeg with network sources
   - wkhtmltopdf, Ghostscript with URL inputs
   - Image optimization services with URL parameters
-  
+
   ### Link Preview & Unfurlers
   - Chat application link expanders
   - CMS link preview generators
   - oEmbed endpoint fetchers
   - Social media card generators
   - URL metadata extractors
-  
+
   ### Webhook Testers & Callback Verifiers
   - "Ping my webhook" functionality
   - Outbound callback verification
   - Health check notifications
   - Event delivery confirmations
   - API endpoint validation tools
-  
+
   ### SSO/OIDC Discovery & JWKS Fetchers
   - OpenID Connect discovery endpoints
   - JWKS (JSON Web Key Set) fetchers
   - OAuth authorization server metadata
   - SAML metadata fetchers
   - Federation metadata retrievers
-  
+
   ### Importers & Data Loaders
   - "Import from URL" functionality
   - CSV/JSON/XML remote loaders
   - RSS/Atom feed readers
   - API data synchronization
   - Configuration file fetchers
-  
+
   ### Package/Plugin/Theme Installers
   - "Install from URL" features
   - Package managers with remote sources
   - Plugin/theme downloaders
   - Update mechanisms with remote checks
   - Dependency resolution with external repos
-  
+
   ### Monitoring & Health Check Frameworks
   - URL pingers and uptime checkers
   - Health check endpoints
   - Monitoring probe systems
   - Alerting webhook senders
   - Performance testing tools
-  
+
   ### Cloud Metadata Helpers
   - AWS/GCP/Azure instance metadata callers
   - Cloud service discovery mechanisms
@@ -400,4 +400,4 @@ A component is **out-of-scope** if it **cannot** be invoked through the running
 **ONLY AFTER** all three requirements are satisfied, announce "**PRE-RECON CODE ANALYSIS COMPLETE**" and stop.
 
 **CRITICAL:** After announcing completion, STOP IMMEDIATELY. Do NOT output summaries, recaps, or explanations of your work — the deliverable contains everything needed.
-</conclusion_trigger>
+</conclusion_trigger>