@@ -86,19 +86,65 @@ change that affects `skills/lazyown_mcp.py` or modules imported at startup.
8686| ` lazyc2.py ` | Flask + Socket.IO C2 server, 84 routes, decoy site, phishing blueprint, dashboard, terminal, listener, /pty xterm. |
8787| ` utils.py ` | Shared helpers (` Config ` , ` load_payload ` , ` getprompt ` , ` print_msg ` , ` run_command ` , ` xor_encrypt_decrypt ` , ` generate_certificates ` , ANSI constants, etc.). |
8888| ` payload.json ` | The ** only** runtime configuration file. Keys are read by every component. Persists across runs. |
89- | ` templates/ ` | 54 Jinja2 templates: ` index.html ` , ` terminal.html ` , ` surface.html ` , ` connect.html ` , ` decoy.html ` , ` phishing/ ` , ` landing_pages/ ` , ` emails/ ` , etc. |
90- | ` static/ ` | CSS/JS assets, dashboard, body_report.json (PDF report fields), icons. |
91- | ` modules/ ` | Python modules invoked via ` run <name> ` or imported by lazyc2 (LLM clients, dashboards, parsers, exploits). |
92- | ` skills/ ` | MCP server + autonomous AI stack (mcp, hive_mind, swan, daemon, policy, parquet_db). |
93- | ` sessions/ ` | Authoritative campaign state — never delete without confirmation. |
94- | ` parquets/ ` | Knowledge bases: GTFOBins, LOLBas, MITRE ATT&CK, Atomic Red Team, session_knowledge. |
95- | ` plugins/ ` | Lua plugins (lupa runtime). |
96- | ` lazyaddons/ ` | Declarative YAML tool integrations. |
97- | ` tools/ ` | pwntomate ` .tool ` files auto-applied to nmap-discovered services. |
98- | ` external/ ` | Vendored upstreams (atomic-red-team, etc.). |
99- | ` lazyscripts/ ` | ` .ls ` scripts — small recipes loaded with ` run_script ` . |
89+ | ` templates/ ` | 55+ Jinja2 templates. Root templates extend ` base.html ` . Subdirs: ` phishing/ ` , ` landing_pages/ ` , ` emails/ ` . |
90+ | ` static/ ` | CSS/JS assets (` xterm.js ` , ` particles.js ` ), icons for network graph, ` body_report.json ` (PDF report fields). |
91+ | ` modules/ ` | 50+ Python modules: LLM clients, ` collab_bp ` , ` dashboard_bp ` , world model, obs parser, playbook engine, etc. |
92+ | ` modules/integrations/ ` | Third-party bridges: MISP export, Nuclei scanner, Searchsploit wrapper. |
93+ | ` modules/backdoor/ ` | C reverse-shell backdoor source + Makefile. |
94+ | ` modules/rootkit/ ` | Linux kernel module rootkit research code. |
95+ | ` modules/win_rootkit/ ` | Windows ring-3 rootkit (C/C++/C#) for cross-compiled testing. |
96+ | ` skills/ ` | MCP server (95 tools) + autonomous AI stack: daemon, hive_mind, swan, policy, parquet_db. |
97+ | ` sessions/ ` | Authoritative campaign state — ** gitignored** , never delete without confirmation. ` git add -f ` required for any file here. |
98+ | ` parquets/ ` | Columnar knowledge bases: GTFOBins, LOLBas, MITRE ATT&CK techniques (6 ` .parquet ` files). |
99+ | ` plugins/ ` | Lua plugins (lupa/LuaJIT runtime). Each ` .lua ` + companion ` .yaml ` metadata. |
100+ | ` lazyaddons/ ` | 76 declarative YAML tool integrations. Auto-discovered at startup. |
101+ | ` tools/ ` | 69 pwntomate ` .tool ` files auto-triggered on nmap-discovered services. |
102+ | ` external/ ` | Vendored upstreams (atomic-red-team, etc.). Excluded from git. |
103+ | ` lazyscripts/ ` | 11 ` .ls ` recipe scripts loaded with ` run_script ` . |
104+ | ` playbooks/ ` | YAML APT simulation playbooks (7 threat actors) consumed by ` apt_playbook ` . |
105+ | ` lazyadversaries/ ` | YAML threat actor profiles used by the autonomous daemon's adversary selector. |
106+ | ` cli/ ` | Shell-layer extensions: wizard, graph advisor, reactive hints, dashboard TUI, fuzzy picker, palette, aliases. Zero imports from ` lazyown.py ` . |
107+ | ` cli/commands/ ` | cmd2 ` CommandSet ` subpackage. Auto-discovered by ` cli/registry.py ` . |
108+ | ` core/ ` | Canonical ` Config ` class, crypto primitives, validators, ` typing.Protocol ` interfaces. No framework imports. |
109+ | ` scripts/ ` | Build/maintenance scripts: ` build_command_index.py ` , ` patch_playbook_atomic_ids.py ` , ` update_apt_atomic_ids.py ` . |
110+ | ` tests/ ` | 23 test files, ~ 450 tests total. No mocking of C2 or daemon. |
111+ | ` lazyown-docker/ ` | Dockerfile, docker-compose, sandbox mode support. |
112+ | ` lazygui/ ` | Desktop GUI application (separate from the Textual TUI in ` cli/ ` ). |
113+ | ` modules_ext/ ` | External subprojects: ` lazyown_infinitestorage/ ` , ` rustrevmaker/ ` . ** Gitignored** — ` git add -f ` required. |
114+ | ` docs/ ` | Static site for GitHub Pages. Auto-generated by ` DEPLOY.sh ` from Markdown sources — do not edit HTML directly. |
115+ | ` lazyc2/ ` | Security validators (` validate_route_path ` , ` validate_template_name ` , ` is_safe_template_path ` ) imported by ` lazyc2.py ` . |
116+ | ` vpn/ ` | VPN config files (` .ovpn ` , ` .conf ` ). ** Gitignored** — ` git add -f ` required. Never commit VPN credentials. |
117+ | ` banners/ ` | Banner image assets for the CLI banner display. |
118+ | ` source/ ` | Source artwork and design assets. |
100119| ` QUICKSTART.md ` | Canonical 5-minute onboarding guide (clone → wizard → recon → C2 → beacon → collab). ** Do not auto-generate** ; update manually when the operator flow changes. |
101120
121+ ### Directory README convention
122+
123+ ** Every directory in this repository has a ` README.md ` .** When adding a new
124+ directory, create its README immediately. A directory without a README will be
125+ flagged in code review.
126+
127+ README content rules (same as §10 for code):
128+ - English only, no emojis, human language.
129+ - File/subdirectory table explaining the role of each item.
130+ - "How it works" section for non-obvious mechanics.
131+ - "Adding X" section for any directory that is an extension point.
132+ - No generated content — write prose that a human would find useful six months
133+ from now without any context from this conversation.
134+
135+ ### Gitignored directories
136+
137+ These directories are in ` .gitignore ` and require ` git add -f <path> ` to stage
138+ any file inside them:
139+
140+ - ` sessions/ ` — engagement state (credentials, scan output, beacons)
141+ - ` vpn/ ` — VPN configuration files
142+ - ` modules_ext/ ` — external module subprojects
143+ - ` external/ ` — vendored upstreams
144+
145+ Use ` git add -f ` consciously. Never use it for credential files, TLS keys,
146+ or ` payload.json ` .
147+
102148---
103149
104150## 3. The ` payload.json ` contract — single source of configuration
@@ -464,6 +510,8 @@ These rules are enforced by review. Code that violates them is rejected.
464510 payload.json ↔ MCP ↔ sessions/ artefact) or it isn't merged.
46551110 . ** No backwards-compatibility shims** for code that hasn't shipped to
466512 operators yet. Just change it.
513+ 11 . ** Every new directory gets a README.** See §2 "Directory README convention"
514+ for content rules. No exceptions.
467515
468516---
469517
@@ -534,14 +582,28 @@ between sessions. Use `lazyown_soul(action="write", content=...)` to update it.
534582| Auto-run on a discovered service | ` tools/<name>.tool ` (pwntomate) |
535583| New CLI command | ` do_<name> ` in ` lazyown.py ` |
536584| New web UI page or beacon endpoint | ` lazyc2.py ` route + Jinja2 template |
585+ | New Flask blueprint | ` modules/<name>_bp.py ` — register in ` lazyc2.py ` ; pass config via ` app.config["LAZYOWN_CONFIG"] ` |
537586| New MCP tool | ` skills/lazyown_mcp.py ` |
538587| New autonomous selector | subclass ` BaseSelector ` in ` skills/autonomous_daemon.py ` |
539588| New AI agent persona | ` skills/lazyown_groq_agents.py ` registry |
540589| New knowledge base | new parquet under ` parquets/ ` + ` lazyown_parquet_query ` mode |
590+ | New directory | create the directory + ` README.md ` immediately (§10 rule 11) |
541591
542592Adding ` do_* ` for something that already works as a YAML addon is a smell —
543593the YAML system exists precisely so you don't have to touch Python.
544594
595+ ### Blueprint ` template_folder ` pattern
596+
597+ Blueprints that live in ` modules/ ` and need Jinja2 templates must set:
598+
599+ ``` python
600+ bp = Blueprint(" name" , __name__ , template_folder = " ../templates" )
601+ ```
602+
603+ This makes ` render_template("foo.html") ` resolve against the root ` templates/ `
604+ directory rather than looking for a non-existent ` modules/templates/ ` . Do not
605+ duplicate templates into ` modules/templates/ ` — there is one template store.
606+
545607---
546608
547609## 14. Things this framework deliberately does NOT do
@@ -842,6 +904,7 @@ CLI command structure.
842904
843905# # 15e. Onboarding — `QUICKSTART.md` + `wizard`
844906
907+
845908# ## `QUICKSTART.md`
846909
847910Canonical operator onboarding document. **Manually maintained** — update it
@@ -868,16 +931,55 @@ The shell calls `wizard` automatically on first launch when `rhost` is unset.
868931
869932---
870933
934+ # # 15f. Release pipeline — `DEPLOY.sh`
935+
936+ The deploy script is `DEPLOY.sh` at the repo root (not `./DEPLOY`). It :
937+ 1. Rebuilds `README.md` from `UTILS.md`, `COMMANDS.md`, and `CHANGELOG.md`.
938+ 2. Regenerates `docs/index.html`.
939+ 3. Prompts for commit type, typedesc, subject, and body.
940+ 4. Increments the version in `version.json`.
941+ 5. Creates a signed git commit and tag (`release/0.x.y`).
942+ 6. Pushes to `origin/main` and creates a GitHub release.
943+
944+ # ## Running non-interactively
945+
946+ ` ` ` bash
947+ printf "1\n feat\n subject line\n body text\n " | bash DEPLOY.sh --no-test
948+ ` ` `
949+
950+ The four inputs are : commit type number (1–9), typedesc (e.g. `feat`),
951+ subject (one-line summary), body (detail paragraph).
952+
953+ Commit type → version bump :
954+
955+ | Type | Bump |
956+ |------|------|
957+ | feat, feature, fix, hotfix | patch (0.x.Y) |
958+ | refactor, docs, test, style | none (version unchanged) |
959+ | release | major (X.0.0) |
960+ | patch | minor (0.X.0) |
961+
962+ ` --no-test` skips the test suite. Use only when tests were already run
963+ separately and you are confident they pass.
964+
965+ # ## What DEPLOY.sh does NOT do
966+
967+ - It does not run `python -m pytest`. Run tests manually before deploying.
968+ - It does not validate `CLAUDE.md` content. Keep this file accurate by hand.
969+ - The `CHANGELOG.md` is truncated to 120 000 chars for the GitHub release
970+ body. Full history is always in the file itself.
971+
972+ ---
973+
871974# # 16. Read these next
872975
873976- ` QUICKSTART.md` — **start here for a new operator session** — 5-minute clone-to-shell guide.
874- - ` README.md` — public-facing feature list (long, marketing-flavoured).
875- - ` COMMANDS.md` — exhaustive list of every CLI command.
977+ - ` README.md` — public-facing feature list (long, marketing-flavoured). Auto-regenerated by `DEPLOY.sh`.
978+ - ` COMMANDS.md` — exhaustive list of every CLI command. Auto-generated.
876979- ` UTILS.md` — auto-generated reference for `utils.py`.
877- - ` CHANGELOG.md` — release history, useful for context on any flag you don't
878- recognise.
879- - ` skills/lazyown.md` — full MCP playbook (mandatory reading before any MCP
880- session).
881- - ` skills/README.md` — skills layer architecture.
980+ - ` CHANGELOG.md` — release history, useful for context on any flag you don't recognise.
981+ - ` skills/lazyown.md` — full MCP playbook (mandatory reading before any MCP session).
982+ - ` skills/README.md` — skills layer architecture and all 95 MCP tools.
983+ - ` <dir>/README.md` — every directory has one; read it before editing files in that directory.
882984
883- When in doubt : read `payload.json`, read `sessions/`, then write code.
985+ When in doubt : read `payload.json`, read `sessions/`, read the directory's `README.md`, then write code.
0 commit comments