customer-engineering/gitex2026
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
gitex2026/AGENT.md
administrator b91406ada4 fix: email report URL, duplicate case; feat: Home button, email UI, scan timer; test: 44 unit tests; refactor: IsIP to pkg/netutil; docs: SMTP env vars 
- Fix email report URL: /{token}.html → /visitor_{token}.html
- Remove duplicate case 'generating' in simulation.html polling
- Add defensive guard against empty Subdomains in SelectAndScan
- Add Home link and Start New Scan button to visitor report
- Replace QR code injection with email-send form in consultant report
- Add scan timer animation (barberpole + elapsed counter) to frontend
- Move IsIP() from scanner/probe.go to pkg/netutil for reuse
- Add 44 unit tests across scanner, report, and netutil packages
- Create Makefile with build/vet/test/deploy targets
- Document SMTP environment variables in README and AGENT.md
2026-04-29 07:30:42 +00:00

119 lines
4.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# AASD — Agent Guide
This file is for AI agents and developers working on the AASD (API Attack Surface Discovery) codebase.
## Project Overview
AASD is a GITEX 2026 booth demo application. Visitors enter a domain, the app discovers subdomains via HTTPS/TLS probing, and the visitor selects one to scan with GoTestWAF against a Wallarm WAF endpoint.
## Repository Structure
```
gitex2026/
├── aasd/
│ ├── src/ # Go source code (module: aasd)
│ │ ├── cmd/aasd/main.go # Entry point — HTTP routes, server lifecycle
│ │ ├── internal/
│ │ │ ├── scanner/ # Core pipeline (discovery, scan orchestration)
│ │ │ │ ├── scanner.go # Orchestrator, pipeline phases, ScanResult
│ │ │ │ ├── probe.go # Wordlist-based HTTPS/TLS subdomain probe
│ │ │ │ └── gotestwaf.go # GoTestWAF binary execution
│ │ │ ├── report/report.go # HTML report generation
│ │ │ ├── ai/deepseek.go # DeepSeek AI narrative generation
│ │ │ └── mailer/smtp.go # SMTP email delivery
│ │ ├── static/ # Frontend HTML/JS (served at runtime from /opt/aasd/static/)
│ │ ├── templates/ # Go HTML templates (admin dashboard)
│ │ ├── go.mod # Module: aasd, Go 1.25
│ │ └── gotestwaf/ # Vendored GoTestWAF source (reference only)
│ ├── docs/
│ │ ├── CHANGELOG.md
│ │ └── STATE_OF_DEVELOPMENT.md
│ ├── install.sh
│ └── VERSION
├── README.md
└── AGENT.md # This file
```
## Deployment
- **Binary**: `/opt/aasd/aasd` (31M, compiled Go binary)
- **Config**: `/opt/aasd/config.yaml`
- **Wordlist**: `/opt/aasd/subdomains.txt` (5000 names from SecLists)
- **Frontend**: `/opt/aasd/static/`
- **Service**: `aasd.service` (systemd, runs as `engineer`, WorkingDir `/opt/aasd`)
- **Build**: `cd ~/gitex2026/aasd/src && go build -o /opt/aasd/aasd ./cmd/aasd/`
- **Restart**: `sudo systemctl restart aasd`
## Architecture — Pipeline Flow
```
Visitor enters domain (or IP)
POST /start → orchestrator.StartPipeline()
┌─────IP detected?─────┐
│ YES │ NO
↓ ↓
executeScanPhase() discoverSubdomains()
│ │
│ ProbeSubdomains()
│ (5000 names × HTTPS/TLS)
│ │
│ Status: awaiting_selection
│ │
│ POST /select-subdomain
│ │
└──────────┬───────────┘
executeScanPhase(selectedDomain)
GoTestWAF scan → AI narrative → Static HTML report
Status: completed → visitor + consultant reports
```
## Key Components
### ProbeSubdomains (`probe.go`)
- Loads wordlist from `projectRoot/subdomains.txt` (falls back to 40 built-in names)
- Probes each name with `https://{name}.{domain}`
- Go's `http.Client` validates TLS certificate by default — this is the **definitive signal**
- Filters out wildcard DNS catch-all (no valid cert for arbitrary names)
- Reports progress via `onProgress(checked, total)` callback
- Concurrency: 10 workers, 3s timeout per request
### Orchestrator (`scanner.go`)
- **`StartPipeline`**: Creates scan result, starts discovery or direct scan for IPs
- **`discoverSubdomains`**: Runs ProbeSubdomains, pauses for user selection
- **`executeScanPhase`**: Runs GoTestWAF, generates AI narrative, builds HTML report
- Thread-safe via `sync.RWMutex` on map operations
### GoTestWAF (`gotestwaf.go`)
- Executes GoTestWAF binary as subprocess
- Targets `https://{selectedDomain}`
- 120s timeout, produces `consultant_{token}.html` on success
- If GoTestWAF fails (target unreachable), status still completes with fallback report
### Report Naming
- Visitor report: `visitor_{token}.html` (always generated)
- Consultant report: `consultant_{token}.html` (only when GoTestWAF succeeds)
## Important Patterns
- **No persistent storage** — scan results are in-memory only (map), lost on restart
- **Reports are files** — persisted at `/opt/aasd/reports/`, survive restarts
- **Config via YAML** — `/opt/aasd/config.yaml` for server URL, admin credentials, AI key
- **Environment config** — `AASD_BASE_URL`, `SMTP_HOST`, `SMTP_PORT`, `SMTP_USERNAME`, `SMTP_PASSWORD`, `SMTP_FROM` env vars override YAML and defaults
- **Gin web framework** — all HTTP routing via `router.POST/GET`
- **Comments in Go code** — use `//` not `/* */` per project style
## Testing
```bash
# Build and deploy
cd ~/gitex2026/aasd/src && go build -o /opt/aasd/aasd ./cmd/aasd/
sudo systemctl restart aasd
# Check service
sudo systemctl status aasd
sudo journalctl -u aasd -f
Reference in a new issue View git blame Copy permalink