Complete project directory layout with descriptions of each component.
bd_app/
|
|-- .claude/
| |-- skills/ # All pentest skills (SKILL.md + supporting files)
| | |-- pentest/ # Master pentest orchestrator
| | | |-- SKILL.md # Main /pentest skill with wave coordinator
| | | |-- helpers/
| | | |-- skill-boilerplate.md # Shared init code for all 17 test skills
| | | |-- agent-dispatch.md # Dispatch protocol, model routing, wave execution
| | | |-- stealth-config.md # TLS fingerprint, rate limits, JITTER_MULT
| | | |-- finding-schema.md # Required fields for findings
| | | |-- advanced-opsec.md # Advanced OPSEC configuration
| | | |-- scope-check.md # Scope validation logic
| | | |-- research-terms.md # Domain vocabulary per skill
| | | |-- exemplars.md # Ideal test execution examples
| | |
| | |-- context/SKILL.md # /context init -- fingerprinting
| | |-- intake/SKILL.md # /intake -- pre-engagement questionnaire
| | |-- recon/SKILL.md # /recon -- passive & active recon
| | |-- discover/SKILL.md # /discover -- endpoint enumeration
| | |-- scan/SKILL.md # /scan -- automated scanning
| | |-- route/SKILL.md # /route -- smart test router
| | |-- walkthrough/SKILL.md # /walkthrough -- browser crawl
| | |
| | |-- test-injection/ # SQLi, XSS, SSTI, XXE, CMDi
| | |-- test-auth/ # Sessions, JWT, OAuth, SAML
| | |-- test-access/ # AuthZ, IDOR, privilege escalation
| | |-- test-ssrf/ # SSRF variants and bypasses
| | |-- test-logic/ # Business logic, race conditions
| | |-- test-client/ # CSRF, CORS, clickjacking, DOM
| | |-- test-infra/ # Smuggling, cache poisoning
| | |-- test-api/ # REST, GraphQL, prototype pollution
| | |-- test-crypto/ # TLS/SSL, cryptographic failures
| | |-- test-llm/ # Prompt injection, MCP attacks
| | |-- test-mobile/ # Android & iOS testing
| | |-- test-deser/ # Deserialization (Java, PHP, .NET, Python, Ruby)
| | |-- test-advanced/ # HPP, CRLF, open redirect, HTTP/2 desync
| | |-- test-supply-chain/ # Dependency confusion, SRI, Docker secrets
| | |-- test-exceptions/ # Stack traces, debug mode
| | |-- test-cloud/ # S3/GCS/Azure, subdomain takeover, Firebase
| | |
| | |-- verify/SKILL.md # /verify -- exploit verification
| | |-- chain-findings/SKILL.md # /chain-findings -- attack chain correlation
| | |-- report/SKILL.md # /report -- final report generation
| | |
| | |-- dashboard/SKILL.md # /dashboard -- status overview
| | |-- resume/SKILL.md # /resume -- checkpoint-based resume
| | |-- retest/SKILL.md # /retest -- re-test specific findings
| | |-- preflight/SKILL.md # /preflight -- pre-check
| | |-- diff-engagements/SKILL.md # /diff-engagements -- compare engagements
| | |-- update-wordlists/SKILL.md # /update-wordlists -- update wordlists + templates
| | |-- pentest_suggestions/SKILL.md # /pentest_suggestions -- manual suggestions
| | |-- analyze-js/SKILL.md # /analyze-js -- AI-powered JS analysis
| |
|-- packages/
| |-- bd_design_system/ # Shared Dart design system package
| |-- lib/
| |-- bd_design_system.dart # Barrel export
| |-- src/
| |-- theme/ # BdColors, BdTypography, BdShadows, BdAnimations, BdTheme
| |-- widgets/ # BdBadge, BdButton, BdCard, BdInput, BdModal, BdSelect,
| # SeverityBadge, StatusIndicator, LoadingSpinner, etc.
|
|-- client_portal/ # Client Portal app (Flutter web + desktop)
| |-- lib/
| | |-- main.dart # Entry point
| | |-- app.dart # GoRouter + MaterialApp
| | |-- config/api_config.dart # API base URL
| | |-- models/ # 8 models (ClientUser, Engagement, Finding, etc.)
| | |-- api/ # HTTP clients (Dio) for /api/v2/client/*
| | |-- providers/ # Riverpod state management
| | |-- screens/ # 15 screens (login, dashboard, findings, etc.)
| | |-- widgets/ # Layout, engagement, findings widgets
| | |-- services/ # Auth, WebSocket services
| | |-- i18n/ # Italian (primary) + English
| |-- web/ # Flutter web (PWA)
| |-- windows/ # Flutter desktop (Windows)
| |-- macos/ # Flutter desktop (macOS)
|
|-- browser/
| |-- crawler.py # Playwright BFS crawler
| # --role <name> per-user parallel crawl
| # --merge combine role results
|
|-- scope.txt # Target scope definition
| # *.example.com in scope
| # !admin.example.com out of scope
|
|-- context.json # Shared engagement state (auto-generated)
| # Tech stack, WAF, auth type, attack surface
|
|-- brief.json # Pre-engagement intake (from /intake)
| # Never commit -- in .gitignore
|
|-- checkpoint.json # Phase + wave checkpoint for /resume
| # Tracks completed phases, current wave, agent states
|
|-- credentials.json # Multi-user credentials
| # Never commit -- in .gitignore
| # See credentials.json.example for format
|
|-- proxies.txt # Proxy rotation list (http/socks5)
|
|-- vpn/
| |-- profiles/ # VPN configs (.ovpn, .conf) -- gitignored
|
|-- findings/ # Vulnerability findings
| |-- FINDING-NNN.md # Individual finding reports
| |-- CHAIN-NNN.md # Attack chain reports with Mermaid diagrams
|
|-- evidence/ # Supporting evidence
| |-- response dumps # Raw HTTP responses
| |-- SHA-256 hashes # Integrity verification
| |-- access-matrix.md # Endpoint x role authorization matrix
|
|-- report/ # Final penetration test report
|
|-- logs/ # Execution logs
| |-- pentest-timeline.jsonl # Chronological event log
| |-- scan output # Tool output files
| |-- agent logs # Per-agent wave execution logs
| |-- unverified/ # Findings with "possible" confidence
|
|-- discovery/ # Phase 2 output
| |-- test-plan.json # Smart router output (endpoint -> test mapping)
| |-- resource-map.json # Resource types for IDOR testing
| |-- injectable-params.json # Parameter inventory
| |-- api-tokens.json # Validated Bearer tokens per role
| |-- sensitive-files.txt # Content discovery results
| |-- inline-js-analysis.json # Inline JS analysis results
| |-- js-dom-xss-sinks.txt # DOM XSS sink scan results
|
|-- waves/ # Wave coordinator state
| |-- agent-*.json # Per-agent state files
|
|-- docs/
| |-- memory/
| | |-- MEMORY.md # Knowledge bank (synced across machines)
| | |-- gap-analysis.md # Methodology gap tracking
| |
| |-- getting-started/ # Setup and quickstart docs
| |-- architecture/ # Architecture documentation
| |-- methodology/ # Testing methodology docs
| |-- skills/ # Skill documentation
| |-- reference/ # Reference documentation
|
|-- evals/ # Eval framework for skill quality
| |-- configs/ # Per-skill eval configs
| |-- labs/ # Lab targets with answer keys
| | |-- vulnhr/ # VulnHR lab (81 vulns)
| | | |-- answer-key.json
| | | |-- history/
| | | |-- gap-analysis.md
| | |-- ssb-dotnet8/ # SuperSecureBank lab (37 vulns)
| | | |-- answer-key.json
| | | |-- history/
| | | |-- gap-analysis.md
| | |-- altoro-spring/ # AltoroMutual lab (29 vulns)
| | |-- answer-key.json
| | |-- history/
| | |-- gap-analysis.md
| |
| |-- lab-scorer.py # Compare findings vs answer key (TP/FN/FP)
| |-- lab-runner.sh # Launch pentest on lab + auto-score
| |-- run-eval.sh # Run skill evals with claude -p
| |-- score-eval.py # Score eval outputs + HTML reports
| |-- optimize-descriptions.py # Analyze/optimize skill descriptions
|
|-- Dockerfile # All-in-one container
| # curl-impersonate, ysoserial, Playwright,
| # all Go/Python tools pre-installed
|
|-- vpn-start.sh # VPN routing script for Docker
|-- .claude/hooks/sync-memory.sh # Memory sync hook (run before git push)