{"id":49589434,"url":"https://github.com/pb3ck/playbook","last_synced_at":"2026-05-04T00:13:28.600Z","repository":{"id":354702366,"uuid":"1224786649","full_name":"pb3ck/playbook","owner":"pb3ck","description":"A phase-driven walkthrough of offensive security — engagement-aware, ATT\u0026CK-mapped, with an auto-derived attack graph and BYOK CVE enrichment. Static export, no backend.","archived":false,"fork":false,"pushed_at":"2026-04-29T18:22:58.000Z","size":307,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-29T18:30:18.772Z","etag":null,"topics":["attack-graph","byok","cve","methodology","mitre-attack","nextjs","offensive-security","penetration-testing","pentest","react","security-tools","tailwindcss","typescript","vulnerability-management"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pb3ck.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-29T16:17:38.000Z","updated_at":"2026-04-29T18:23:03.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/pb3ck/playbook","commit_stats":null,"previous_names":["pb3ck/playbook"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/pb3ck/playbook","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pb3ck%2Fplaybook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pb3ck%2Fplaybook/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pb3ck%2Fplaybook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pb3ck%2Fplaybook/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pb3ck","download_url":"https://codeload.github.com/pb3ck/playbook/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pb3ck%2Fplaybook/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32589331,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-03T22:12:39.696Z","status":"ssl_error","status_checked_at":"2026-05-03T22:09:10.534Z","response_time":103,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attack-graph","byok","cve","methodology","mitre-attack","nextjs","offensive-security","penetration-testing","pentest","react","security-tools","tailwindcss","typescript","vulnerability-management"],"created_at":"2026-05-04T00:13:25.788Z","updated_at":"2026-05-04T00:13:28.594Z","avatar_url":"https://github.com/pb3ck.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# playbook\n\n\u003e **Abandoned. Successor:** [`pb3ck/quarry`](https://github.com/pb3ck/quarry).\n\u003e\n\u003e This repo is preserved for archaeology — no further development. The\n\u003e approach pivoted: a curated phase-by-phase walkthrough turned out to\n\u003e be the wrong shape; the next attempt is an evidence-aware reasoning\n\u003e layer over the artifacts a hunter actually produces, not a\n\u003e hand-curated methodology framework. If you landed here looking for\n\u003e active work, go to **Quarry**.\n\n## What this was\n\nA static-export Next.js app that surfaced a curated pentest workflow\nfiltered by three axes (engagement type / target OS / tech tags). Five\nphases (recon → vuln → exploit → post-ex → defense), each with\ngoal, pre-checks, sequenced steps, and copy-ready commands. Optional\nfeatures layered on top: an auto-derived attack-graph map, defense\nthread-back via local MITRE ATT\u0026CK bundle, BYOK CVE enrichment, on-demand\nAI assistance for catalog gaps, and a continuous-fill workflow that\nopened weekly PRs growing the catalog autonomously.\n\nThe tool worked. It just turned out to solve a problem that, for\nserious bounty hunters at least, isn't the bottleneck.\n\n## Why it was abandoned\n\nThree lessons informed the pivot to Quarry:\n\n1. **A hand-curated methodology catalog is the wrong unit of leverage.**\n   Catalog content is a sliding gauge that's never \"done.\" Hitting 100%\n   coverage across 18 tag stacks × 5 phases would have meant ~900\n   commands, all hand-validated, all kept current as tools and CVEs\n   churn. Even with the AI authoring CLI + the continuous-fill\n   workflow getting that to 8/18 tags ready in a few sessions, the\n   marginal utility of the next 10 tags wasn't worth the maintenance\n   debt of the first 8.\n\n2. **Real engagements are evidence-driven, not procedure-driven.**\n   The \"I've followed steps 1-7 of the recon phase\" model doesn't\n   match how good hunters work. They respond to *what their tools\n   actually surfaced*: a weird endpoint in the katana crawl, a\n   reference to `/admin` in a JS bundle, a 502 that suggests a\n   misconfigured proxy. A linear walkthrough is for training; an\n   evidence index is for working.\n\n3. **The most useful AI surface wasn't \"fill catalog gaps\" — it was\n   \"reason over my data.\"** The on-demand AI Assist surface in\n   Playbook had to be carefully scoped (closed MITRE vocabulary,\n   tool inventory injection, three layers of \"AI-generated\" disclosure)\n   because it was generating *advice* for a specific situation. The\n   higher-leverage version of that idea is to feed the model your\n   actual recon corpus and let it answer questions grounded in your\n   evidence — which is what Quarry is.\n\nQuarry's README is explicit about this:\n\n\u003e Not a methodology framework. If you want a phase-by-phase\n\u003e walkthrough, use a different tool. Quarry assumes you already\n\u003e know what you're doing and want leverage on the parts that don't\n\u003e scale: reading, cross-referencing, and remembering.\n\nThat sentence is essentially Playbook's epitaph.\n\n## What worked here (worth carrying forward)\n\nIf you fork this repo or rebuild parts of it, these were the design\nideas that did pull weight:\n\n- **Three filter axes (engagement / OS / stack) gating visibility.**\n  Solved the \"show only what's relevant to me\" problem cleanly.\n- **Activity over completion.** Per-command `ran` ticks +\n  visited-step tracking, no fake \"phase X% done\" gauges. Honest\n  signal.\n- **Local-first MITRE bundle.** Subset of the canonical STIX bundle,\n  scoped to only the technique IDs referenced in the catalog.\n  Bundled at build time (~14 KB), no runtime network.\n- **BYOK pattern with explicit privacy posture.** Keys in\n  localStorage, never sent to the static-export server (because\n  there isn't one). Applied uniformly across CVE enrichment + AI\n  generation profiles. Reused in Quarry.\n- **Provenance separation in the UI.** Catalog-derived nodes use\n  service-color edges; AI-generated nodes use warn-amber across\n  the board. Three layers of \"this is AI\" disclosure (badge,\n  border, edge color, export annotation). The user always knows\n  what they're looking at.\n- **`ai:draft` + `ai:apply` maintainer pipeline.** Drafted\n  candidates with closed-vocabulary prompts (real MITRE IDs, real\n  tool names from the catalog), placed them via AI-suggested step\n  matching, ran typecheck, reverted on failure. The maintainer\n  reviewed a `git diff` instead of writing TypeScript. Cohesion\n  win that survived the pivot in spirit.\n- **Continuous-fill workflow.** Weekly GitHub Action that ran the\n  draft+apply pipeline against the lowest-coverage gap and opened\n  a PR. Never enabled in practice (no `ANTHROPIC_API_KEY` secret\n  was added to the repo) but the architecture is sound.\n\n## What didn't work\n\nThe lessons that informed Quarry, more concretely:\n\n- **Curated catalog content was a treadmill.** Even with AI\n  acceleration, every new tool / CVE / framework version meant\n  catalog drift. Tools renamed (cvemap → vulnx during this\n  project). CVE syntax changed. Detection rules went out of date.\n  The catalog needed perpetual maintenance to stay accurate, and\n  accuracy was the entire trust signal.\n- **The `validated:` field never moved off 0%.** The whole\n  authoring pipeline was designed to make lab-validation cheap —\n  per-command `validated: { on, notes? }` annotations,\n  staleness-aware UI badges, coverage-report column. Nobody\n  validated anything because nobody had a lab box hooked up to\n  the loop. Coverage gauges climbed; trust signal stayed flat.\n- **The Map was rich but rarely the bottleneck.** Auto-derived\n  attack graph with color-coded service ancestry, drag-with-subtree,\n  pan + zoom + scroll-wheel + SVG/PNG export, AI-derivation\n  layered on top with amber treatment. Nobody used it for real\n  decisions. The information was already in the focus view; the\n  Map was a viz layer that demoed well but didn't change behavior.\n- **Phase ordering implied linearity it never had.** Recon → vuln\n  → exploit → post-ex → defense is fiction. Real work loops\n  between recon and exploit constantly. The Coverage Pulse banner\n  helped, but the underlying focus-view \"what phase am I on\"\n  framing was always slightly wrong for how engagements actually\n  flow.\n\n## Final state\n\nLast working build at the time of abandonment:\n\n| | |\n|---|---|\n| Tags ready (≥5 cmds, ≥3 phases, ≥1 tagged tool, ≥1 MITRE) | **8 / 18** |\n| Total commands | **165** |\n| Site-wide MITRE coverage | **41%** |\n| Lab-validated commands | **0%** *(see lessons above)* |\n| Local MITRE techniques bundled | 47 (~14 KB) |\n| Catalog tools | 78 |\n| Catalog phases × steps | 5 × 29 |\n| Last commit | `996ba95` (AI generations flow into the Map) |\n\nRun it locally if you want to see the artifact:\n\n```bash\nnpm install\nnpm run dev\n# http://localhost:3000\n# Click \"load example engagement\" in the welcome modal for a\n# pre-populated Windows AD demo.\n```\n\n## Stack (snapshot at abandonment)\n\n- Next.js 15 App Router (`output: 'export'` — fully static)\n- React 19 + Motion\n- Tailwind v4 with `@theme` color tokens (pure black aesthetic)\n- TypeScript strict mode\n- MIT license\n\n## Maintenance scripts (still functional)\n\nThese were never deleted. If you fork this repo, they still work\nwith `ANTHROPIC_API_KEY` set in `.env.local`:\n\n```bash\nnpm run coverage          # per-tag + per-phase coverage report\nnpm run ai:draft          # AI-draft candidate commands for a gap\nnpm run ai:apply          # auto-merge a draft YAML into the catalog\nnpm run validate          # interactive triage of a draft\nnpm run sync:mitre        # refresh the local MITRE bundle\nnpm run check:sources     # HEAD-check every tool URL for link rot\nnpm run autofill:next     # pick a gap + draft + apply, one shot\n```\n\n`.github/workflows/autofill.yml` was never enabled (the\n`ANTHROPIC_API_KEY` repo secret was never added). It would have\nopened weekly PRs against the lowest-coverage gap; if you fork and\nwant the loop, add the secret and it works.\n\n## Where to go from here\n\n- **Active work**: [`pb3ck/quarry`](https://github.com/pb3ck/quarry).\n  Local-first evidence indexer + LLM reasoning layer. Rust, AGPL.\n  The actual problem this attempt was reaching for.\n- **Fork this repo** if you want a curated-walkthrough scaffold to\n  build something else on. The Next.js skeleton, the BYOK pattern,\n  the MITRE sync, and the AI-draft/apply pipeline are all reusable.\n- **Read the commit history** if you're curious about the\n  evolution. 14 commits across one productive day; the trajectory\n  from \"manual catalog\" to \"self-filling pipeline\" is in there.\n\n## License\n\nMIT — see [`LICENSE`](./LICENSE). Use it, fork it, mine it for\nparts. Just keep the copyright notice.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpb3ck%2Fplaybook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpb3ck%2Fplaybook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpb3ck%2Fplaybook/lists"}