{"id":47852037,"url":"https://github.com/projectachilles/projectachilles","last_synced_at":"2026-04-03T22:03:56.107Z","repository":{"id":347764385,"uuid":"1114088689","full_name":"projectachilles/ProjectAchilles","owner":"projectachilles","description":"Continuous security testing and cyber-risk quantification for every organization","archived":false,"fork":false,"pushed_at":"2026-03-29T11:49:48.000Z","size":47423,"stargazers_count":7,"open_issues_count":11,"forks_count":0,"subscribers_count":5,"default_branch":"main","last_synced_at":"2026-03-29T14:25:56.008Z","etag":null,"topics":["breach-a","cyber-ri","docker","golang","mitre","purple-team","security","self-hosted","typescript"],"latest_commit_sha":null,"homepage":"https://projectachilles.io","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/projectachilles.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":"docs/ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2025-12-10T22:11:19.000Z","updated_at":"2026-03-29T11:59:23.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/projectachilles/ProjectAchilles","commit_stats":null,"previous_names":["projectachilles/projectachilles"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/projectachilles/ProjectAchilles","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/projectachilles%2FProjectAchilles","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/projectachilles%2FProjectAchilles/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/projectachilles%2FProjectAchilles/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/projectachilles%2FProjectAchilles/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/projectachilles","download_url":"https://codeload.github.com/projectachilles/ProjectAchilles/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/projectachilles%2FProjectAchilles/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31379453,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-03T21:40:47.592Z","status":"ssl_error","status_checked_at":"2026-04-03T21:40:05.436Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["breach-a","cyber-ri","docker","golang","mitre","purple-team","security","self-hosted","typescript"],"created_at":"2026-04-03T22:03:55.071Z","updated_at":"2026-04-03T22:03:56.078Z","avatar_url":"https://github.com/projectachilles.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ProjectAchilles\n\n\u003cdiv align=\"center\"\u003e\n\n![ProjectAchilles](https://img.shields.io/badge/ProjectAchilles-Continuous%20Security%20Validation-7C3AED?style=for-the-badge)\n\n[![CI](https://github.com/projectachilles/ProjectAchilles/actions/workflows/ci.yml/badge.svg)](https://github.com/projectachilles/ProjectAchilles/actions/workflows/ci.yml)\n[![Security Review](https://github.com/projectachilles/ProjectAchilles/actions/workflows/security-review.yml/badge.svg?event=pull_request)](https://github.com/projectachilles/ProjectAchilles/actions/workflows/security-review.yml)\n[![Semgrep](https://img.shields.io/badge/semgrep-SAST-orange?logo=semgrep)](https://github.com/projectachilles/ProjectAchilles/actions/workflows/security-review.yml)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE)\n[![TypeScript](https://img.shields.io/badge/TypeScript-5.9-3178C6?logo=typescript\u0026logoColor=white)](https://www.typescriptlang.org/)\n[![React](https://img.shields.io/badge/React-19-61DAFB?logo=react\u0026logoColor=white)](https://react.dev/)\n[![Go](https://img.shields.io/badge/Go-1.24-00ADD8?logo=go\u0026logoColor=white)](https://go.dev/)\n[![Bun](https://img.shields.io/badge/Bun-1.3-F9F1E1?logo=bun\u0026logoColor=black)](https://bun.sh/)\n\n**Continuous Security Validation — From Threat Intelligence to Defense Readiness**\n\nStop hoping your defenses work. Start proving it.\n\n[Quick Start](#quick-start) · [Features](#features) · [Architecture](#architecture) · [Documentation](#documentation) · [Roadmap](docs/ROADMAP.md) · [Contributing](#contributing)\n\n\u003c/div\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/screenshots/analytics-dashboard.png\" alt=\"ProjectAchilles Analytics Dashboard — Defense Score, trend analysis, Secure Score correlation, and technique distribution\" width=\"800\"\u003e\n\u003c/p\u003e\n\n---\n\n## Why ProjectAchilles\n\nMost organizations invest heavily in security tools but struggle to answer a simple question: *are our defenses actually working?*\n\nThreat intelligence reports pile up unread. Compliance checklists are checked once and forgotten. Security teams deploy EDR, SIEM, and endpoint hardening — then hope for the best. When a breach happens, the post-mortem reveals gaps that were always there but never measured.\n\n**ProjectAchilles exists to close this loop.**\n\nThe platform turns threat intelligence into executable security tests, deploys them to your endpoints through a lightweight agent framework, and measures whether your defenses detect, prevent, or miss each technique. The result is not an opinion — it's a score backed by evidence, broken down by technique, host, and control, tracked over time.\n\nYou don't need a red team certification to use it. You don't need to write exploit code. You need to know what threats matter to your organization, and whether you're defended against them.\n\n### What It Measures\n\n- **Defense Readiness** — For each threat technique, did your endpoint defenses detect it, block it, or miss it entirely?\n- **Controls Compliance** — Are your security configurations (endpoint hardening, identity policies, cloud settings) actually in place?\n- **Security ROI** — Which investments are driving measurable protection, and where are the gaps that still need funding?\n\n### Two Modes of Operation\n\n| Mode | Purpose | Input | Output |\n|------|---------|-------|--------|\n| **Threat-Informed Validation** | Test defenses against real-world attack techniques | Threat intel mapped to MITRE ATT\u0026CK | Per-technique defense score with detection/prevention evidence |\n| **Controls Compliance** | Verify security baselines across your fleet | Standards-based control frameworks | Per-control compliance status with remediation guidance |\n\n## Overview\n\nProjectAchilles is a continuous security validation platform with four core components:\n\n1. **AI-Powered Test Development** — An agentic pipeline that transforms threat intelligence articles into complete, deployable security test packages — source code, detection rules, hardening scripts, and documentation — without manual test development.\n\n2. **Execution Framework** — A lightweight Go agent deployed to endpoints (Windows, Linux, macOS) that executes security tests on demand or on schedule, reports results with cryptographic integrity, and self-updates without downtime.\n\n3. **Analytics \u0026 Measurement** — An Elasticsearch-backed dashboard that quantifies defense readiness with scores, heatmaps, trend analysis, and MITRE ATT\u0026CK coverage matrices — turning raw test results into actionable intelligence for security teams and leadership.\n\n4. **CLI \u0026 AI Agent** — A Bun-powered command-line tool (`achilles`) with 17+ command modules for platform management and an AI conversational agent mode powered by Vercel AI SDK for natural-language fleet operations.\n\nThe platform is open-source, deploys in minutes via Docker Compose, and integrates with Microsoft Defender for cross-correlation between your internal validation results and your EDR's own security posture data.\n\n## Quick Start\n\n### Path A — Local Development\n\n```bash\n# Clone the repository\ngit clone https://github.com/projectachilles/ProjectAchilles.git\ncd ProjectAchilles\n\n# Start the full stack (installs deps, finds available ports)\n./scripts/start.sh -k --daemon\n```\n\nConfigure Clerk authentication (see [Configuration](#configuration)), then open http://localhost:5173.\n\n### Path B — Docker Compose\n\n```bash\n# Clone and run the setup wizard\ngit clone https://github.com/projectachilles/ProjectAchilles.git\ncd ProjectAchilles\n./scripts/setup.sh\n\n# Start services\ndocker compose up -d\n\n# Optional: include local Elasticsearch with synthetic data\ndocker compose --profile elasticsearch up -d\n```\n\n### Path C — Windows (PowerShell)\n\n```powershell\ngit clone https://github.com/your-org/ProjectAchilles.git\ncd ProjectAchilles\n.\\scripts\\Install-ProjectAchilles.ps1\n```\n\nThe PowerShell script checks prerequisites, fixes line endings, configures `backend/.env` interactively, builds Docker images, and opens the dashboard. See [Windows Docker Installation](docs/deployment/WINDOWS_DOCKER_INSTALL.md) for the full manual guide.\n\n### Deployment Targets\n\n| Target | Backend | Database | Agent Builds | Guide |\n|--------|---------|----------|-------------|-------|\n| **Docker Compose** | `backend/` | SQLite (volume) | Yes | [docker-compose.yml](docker-compose.yml) |\n| **Railway** | `backend/` | SQLite (volume) | Partial | [Railway Guide](docs/deployment/RAILWAY.md) |\n| **Render** | `backend/` | SQLite (persistent disk) | Partial | [Render Guide](docs/deployment/RENDER.md) |\n| **Fly.io** | `backend/` | SQLite (volume) | Yes | [Fly.io Guide](docs/deployment/FLY.md) |\n| **Vercel** | `backend-serverless/` | Turso (libSQL) | No | [Vercel Guide](docs/deployment/VERCEL.md) |\n\n## Features\n\n### AI-Powered Test Development\n\nSecurity tests are built by a multi-agent AI pipeline that converts threat intelligence into complete test packages. Each test includes ~19 artifacts generated autonomously.\n\n**How it works:**\n\n```\nThreat Intelligence Article\n    ↓ Phase 1: Analysis \u0026 Implementation\n    Extracts TTPs → generates Go source → compiles \u0026 signs binary\n    ↓ Phase 2: Parallel Artifact Generation\n    Detection Rules (5 formats) │ Defense Guidance │ Documentation │ Kill Chain Diagrams\n    ↓ Phase 3: Validation \u0026 Deployment\n    Verifies all artifacts → syncs catalog → deploys to endpoints\n```\n\n**What each test package contains:**\n\n| Artifact | Formats | Purpose |\n|----------|---------|---------|\n| Test binary | Go (Windows, Linux, macOS) | Executes the simulated technique on the endpoint |\n| Detection rules | KQL, YARA, Sigma, Elastic EQL, LimaCharlie | Import directly into your SIEM/EDR |\n| Hardening scripts | PowerShell, Bash (Linux + macOS) | Remediate gaps found by the test |\n| Documentation | Markdown (README + info card) | MITRE mapping, severity, threat actor context |\n| Kill chain diagram | Interactive HTML | Visualizes multi-stage attack flow |\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/screenshots/test-detail-killchain.png\" alt=\"Test detail view — multi-stage kill chain diagram with stage progression, source files, and build artifacts\" width=\"800\"\u003e\n\u003c/p\u003e\n\n**Test categories:**\n\n| Category | Description | Example |\n|----------|-------------|---------|\n| **Intel-Driven** | Real-world attack techniques from APT reports and ransomware analysis | Lazarus group TTPs, Emotet delivery chains |\n| **MITRE Top 10** | Most common ransomware techniques from MITRE ATT\u0026CK | Process injection, defense evasion, lateral movement |\n| **Cyber-Hygiene** | Configuration validation for endpoint, identity, and cloud security | Defender settings, ASR rules, LSASS protection, MFA |\n\n\u003e The test development pipeline lives in a companion repository. Tests are synced to ProjectAchilles via Git for browsing, building, and execution.\n\n### CLI (`achilles`)\n\nA Bun-powered command-line interface for managing the entire platform from the terminal — or through an AI conversational agent.\n\n**Two modes of operation:**\n\n| Mode | Command | Description |\n|------|---------|-------------|\n| **Commands** | `achilles \u003ccommand\u003e [args]` | Direct platform management with rich terminal output |\n| **AI Chat** | `achilles chat` | Conversational agent powered by AI SDK v6 with full tool access |\n\n**What it covers:**\n\n- **Agent fleet** — List, inspect, tag, and manage enrolled agents\n- **Enrollment tokens** — Create, revoke, and audit tokens\n- **Task management** — Create, assign, and monitor task execution\n- **Scheduling** — CRUD for recurring schedules\n- **Test browser** — Search, inspect, and build tests\n- **Analytics** — Query defense scores, trends, and execution history\n- **Defender** — Secure Score, alerts, controls, cross-correlation\n- **Build system** — Trigger cross-compilation, manage certificates\n- **Risk acceptance** — Accept/revoke risk on individual controls\n- **User management** — List and inspect Clerk users\n\n**Key features:**\n- `--json` flag on every command for structured output (scripts, LLM consumption)\n- Multi-profile server configuration (`achilles config profile`)\n- Clerk device-flow authentication (`achilles login`)\n- AI chat mode with Ink TUI (interactive) or readline fallback (piped)\n- AI agent has tool access to all platform APIs with approval tiers (read/write/destructive)\n\n### Test Browser\n\nBrowse the full test library with rich metadata and execute tests directly from the UI.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/screenshots/test-browser.png\" alt=\"Test browser — card grid with severity badges, MITRE techniques, platform tags, and defense scores\" width=\"800\"\u003e\n\u003c/p\u003e\n\n- Filter by MITRE ATT\u0026CK technique, platform, category, and severity\n- View source code, detection rules, hardening scripts, and attack flow diagrams\n- Build, sign, and download test binaries directly from test detail pages\n- MITRE ATT\u0026CK coverage matrix with visual technique heatmap\n- Execution drawer — assign and run tests directly from the browse page\n- Favorite tests, track recent views, view version history and Git modification dates\n\n### Execution Framework\n\nDeploy a lightweight Go agent to endpoints for remote test execution with full lifecycle management.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/screenshots/agent-dashboard.png\" alt=\"Agent dashboard — fleet overview with online/offline status, health metrics, version and OS distribution\" width=\"800\"\u003e\n\u003c/p\u003e\n\n- **Enrollment** — Token-based registration with configurable TTL and max uses\n- **Heartbeat Monitoring** — Real-time online/offline status with CPU, memory, disk, and uptime metrics\n- **Secure Execution** — Download, verify (SHA256 + Ed25519 signature), execute, and report results\n- **Self-Updating** — Agents poll for new versions and auto-apply cryptographically signed updates\n- **Cross-Platform** — Windows, Linux, and macOS (amd64 + arm64) with native service integration\n- **Bundle Results** — Per-control results from compliance tests fan out to individual ES documents for granular tracking\n- **Zero-Downtime Key Rotation** — API keys rotated automatically via heartbeat with dual-key grace period\n- **Encrypted Config** — Agent credentials encrypted at rest with AES-256-GCM using machine-bound keys\n- **Remote Uninstall** — Two-phase agent removal (stop service + cleanup) initiated from admin UI\n\n\u003cdetails\u003e\n\u003csummary\u003eMore: Fleet management \u0026amp; heartbeat monitoring\u003c/summary\u003e\n\u003cbr\u003e\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/screenshots/agent-fleet.png\" alt=\"Agent fleet — full table with health scores, version management, OS badges, and tags\" width=\"800\"\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/screenshots/agent-heartbeat.png\" alt=\"Agent heartbeat — CPU usage, memory usage, and disk free charts over 7 days\" width=\"800\"\u003e\n\u003c/p\u003e\n\u003c/details\u003e\n\n### Analytics \u0026 Measurement\n\nQuantify your security posture with 30+ query endpoints powered by Elasticsearch.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/screenshots/executions-table.png\" alt=\"Executions table — bundle results with per-control Protected/Unprotected badges, techniques, and category filters\" width=\"800\"\u003e\n\u003c/p\u003e\n\n- **Defense Score** — Aggregate score with breakdowns by test, technique, category, hostname, and severity\n- **Trend Analysis** — Rolling-window defense score and error rate trends over time\n- **MITRE ATT\u0026CK Heatmaps** — Host-test matrix showing protection status across your fleet\n- **Coverage Treemaps** — Hierarchical category/subcategory coverage visualization\n- **Execution Table** — Paginated results with advanced filtering (technique, hostname, threat actor, tags)\n- **Risk Acceptance** — Accept risk on individual controls with audit tracking\n- **Microsoft Defender Integration** — Sync Secure Score, alerts, and control profiles with cross-correlation analytics\n- **Trend Alerting** — Threshold-based Slack and email notifications with in-app notification bell\n- **Multi-Index Management** — Per-task index targeting for isolated result sets\n- **Visual Themes** — Three selectable themes: Default (light/dark), Neobrutalism (hot pink accent, bold borders), Hacker Terminal (phosphor green/amber scanlines)\n\n### Build System\n\nCompile and sign test binaries on demand with Go cross-compilation.\n\n- **Cross-Compilation** — Build for Linux/Windows/macOS × amd64/arm64 from any host OS\n- **Code Signing** — Windows Authenticode (osslsigncode) and macOS ad-hoc signing (rcodesign)\n- **Multi-Certificate Management** — Upload PFX/P12 or generate self-signed certs (up to 5)\n- **Embed Dependencies** — Detects `//go:embed` directives and manages required files\n- **Build Caching** — Previously built binaries cached for instant download\n\n### Task Scheduling\n\nAutomate test execution across agent pools with flexible scheduling.\n\n- **Schedule Types** — Once, daily, weekly (specific days), monthly (specific day)\n- **Randomized Timing** — Optional randomization within office hours for realistic simulation\n- **Per-Task ES Index** — Target specific Elasticsearch indices per task for result isolation\n- **Priority Queue** — Higher-priority tasks assigned first\n\n### Agent Communication Security\n\nThe agent-server communication channel has been hardened through an internal security audit covering 9 findings. All HIGH and MEDIUM findings are resolved. See [Agent Security Findings](docs/agent-security-findings.md) for full details.\n\n| Protection | Description |\n|------------|-------------|\n| **TLS Enforcement** | `skip_tls_verify` blocked for non-localhost servers; explicit `--allow-insecure` override required |\n| **API Key Rotation** | Zero-downtime rotation via heartbeat delivery with 5-minute dual-key grace period |\n| **Replay Protection** | `X-Request-Timestamp` header with 5-minute skew window; payload-level timestamp validation |\n| **Timing Oracle Prevention** | Constant-time bcrypt comparison on enrollment and auth (dummy hash on miss) |\n| **Update Signatures** | Ed25519 detached signatures on agent binaries; verified before applying updates |\n| **Rate Limiting** | Per-endpoint budgets: enrollment (5/15min), device (100/15min), download (10/15min), rotation (3/15min) |\n| **Encrypted Credentials** | Agent API key encrypted at rest with AES-256-GCM; key derived from machine ID (non-portable) |\n| **Least-Privilege Permissions** | Binary `0700` / Windows SYSTEM+Admins ACL; config `0600`; work dirs `0700` |\n\n## Architecture\n\n```mermaid\ngraph TB\n    subgraph Clients\n        FE[\"Frontend\u003cbr/\u003eReact 19 · Vite · Tailwind CSS\u003cbr/\u003e\u003ci\u003eBrowser · Analytics · Agents · Settings\u003c/i\u003e\"]\n        CLI[\"CLI\u003cbr/\u003eBun · Ink · AI SDK v6\u003cbr/\u003e\u003ci\u003eCommands · AI Chat Agent\u003c/i\u003e\"]\n    end\n\n    FE --\u003e|Clerk JWT| BE\n    CLI --\u003e|Clerk JWT| BE\n\n    subgraph BE [\"Backend — Express + TypeScript\"]\n        BRS[Browser Service]\n        ANS[Analytics Service]\n        AGS[Agent Service]\n        BDS[Build Service]\n        DFS[Defender Service]\n        ALS[Alerting Service]\n    end\n\n    BRS --\u003e GIT[(Git Repo)]\n    ANS --\u003e ES[(Elasticsearch)]\n    AGS --\u003e DB[(SQLite)]\n    BDS --\u003e GO[Go Toolchain + Code Signing]\n    DFS --\u003e GRAPH[Microsoft Graph API]\n    ALS --\u003e NOTIFY[Slack · Email]\n\n    AGS \u003c--\u003e|Agent API Key| AGENT\n\n    subgraph EP [\"Endpoints — Windows · Linux · macOS\"]\n        AGENT[\"Achilles Agent — Go\u003cbr/\u003eHeartbeat · Executor · Updater\"]\n    end\n```\n\n### Tech Stack\n\n| Layer | Technology | Version |\n|-------|------------|---------|\n| Frontend | React | 19.2 |\n| Build Tool | Vite | 8.0 |\n| Styling | Tailwind CSS | 4.2 |\n| State Management | Redux Toolkit | 2.11 |\n| Routing | React Router | 7.13 |\n| Authentication | Clerk | 5.x |\n| Backend | Express | 4.18 |\n| Language | TypeScript | 5.9 |\n| CLI Runtime | Bun | 1.3 |\n| CLI UI | Ink | 6.8 |\n| AI SDK | Vercel AI SDK | 6.0 |\n| Agent | Go | 1.24 |\n| Analytics Store | Elasticsearch | 8.x |\n| Agent Database | SQLite | 3.x |\n| Code Signing | osslsigncode | — |\n| Containerization | Docker Compose | — |\n\n### Project Structure\n\n```\nProjectAchilles/\n├── frontend/                  # React 19 + TypeScript + Vite\n│   └── src/\n│       ├── components/        # Shared UI primitives\n│       ├── pages/             # Module pages (browser, analytics, agents, settings)\n│       ├── services/api/      # API client modules\n│       ├── hooks/             # Custom hooks (useAuthenticatedApi, etc.)\n│       └── store/             # Redux slices\n├── backend/                   # Express + TypeScript (ES modules)\n│   └── src/\n│       ├── api/               # Route handlers (*.routes.ts)\n│       ├── services/          # Business logic by module\n│       ├── middleware/         # Auth, error handling, rate limiting\n│       └── types/             # TypeScript definitions\n├── cli/                       # Bun + TypeScript CLI with AI chat agent\n│   └── src/\n│       ├── commands/          # Command modules (agents, tasks, browser, analytics, ...)\n│       ├── chat/              # AI chat agent (AI SDK v6, Ink TUI, tool definitions)\n│       ├── api/               # API client for backend communication\n│       ├── auth/              # Clerk device-flow token management\n│       ├── config/            # Multi-profile configuration store\n│       └── output/            # Formatters (table, JSON, colors)\n├── agent/                     # Go agent source\n│   ├── main.go                # CLI entry point (--enroll, --run, --install)\n│   └── internal/              # Agent modules (poller, executor, updater, sysinfo)\n├── scripts/                   # Shell scripts and PowerShell bootstrap\n│   ├── start.sh               # Development startup script\n│   ├── setup.sh               # Interactive setup wizard (Linux/macOS)\n│   └── Install-ProjectAchilles.ps1 # Bootstrap script (Windows)\n├── docs/                      # Documentation\n│   ├── deployment/            # Deployment guides (Fly, Railway, Render, Vercel)\n│   └── security/              # Security audit and remediation docs\n├── docker-compose.yml         # Multi-service deployment\n└── CLAUDE.md                  # AI assistant development guidance\n```\n\n## Configuration\n\n### Authentication (Required)\n\nAll modules require [Clerk](https://clerk.com) authentication. Create a Clerk application and configure your keys:\n\n```bash\n# frontend/.env\nVITE_CLERK_PUBLISHABLE_KEY=pk_test_...\n\n# backend/.env\nCLERK_PUBLISHABLE_KEY=pk_test_...\nCLERK_SECRET_KEY=sk_test_...\n```\n\n### Environment Variables\n\n#### Frontend\n\n| Variable | Description | Default |\n|----------|-------------|---------|\n| `VITE_CLERK_PUBLISHABLE_KEY` | Clerk publishable key | — (required) |\n| `VITE_BACKEND_PORT` | Backend port for Vite proxy | `3000` |\n| `VITE_API_URL` | Full backend URL (production) | — |\n\n#### Backend\n\n| Variable | Description | Default |\n|----------|-------------|---------|\n| `CLERK_PUBLISHABLE_KEY` | Clerk publishable key | — (required) |\n| `CLERK_SECRET_KEY` | Clerk secret key | — (required) |\n| `PORT` | Server port | `3000` |\n| `SESSION_SECRET` | Session signing key | — (required in prod) |\n| `CORS_ORIGIN` | Allowed CORS origin | `http://localhost:5173` |\n| `TESTS_REPO_URL` | Git URL for test library | — |\n| `GITHUB_TOKEN` | PAT for private repos | — |\n| `TESTS_SOURCE_PATH` | Local fallback path for tests | `./tests_source` |\n| `AGENT_SERVER_URL` | External URL for agent communication | — |\n| `ENCRYPTION_SECRET` | Encryption key for settings at rest | Machine-derived |\n\n#### Elasticsearch (optional)\n\n| Variable | Description |\n|----------|-------------|\n| `ELASTICSEARCH_CLOUD_ID` | Elastic Cloud deployment ID |\n| `ELASTICSEARCH_API_KEY` | API key for authentication |\n| `ELASTICSEARCH_NODE` | Direct node URL (e.g., `http://localhost:9200`) |\n| `ELASTICSEARCH_INDEX_PATTERN` | Index pattern (default: `achilles-results-*`) |\n\n#### Docker\n\n| Variable | Description |\n|----------|-------------|\n| `NGROK_FRONTEND_DOMAIN` | ngrok domain for frontend tunnel |\n| `NGROK_BACKEND_DOMAIN` | ngrok domain for backend/agent tunnel |\n\n## API Reference\n\n\u003e All endpoints require Clerk JWT authentication unless noted. Include `Authorization: Bearer \u003ctoken\u003e` header.\n\n### Browser\n\n| Method | Endpoint | Description |\n|--------|----------|-------------|\n| `GET` | `/api/browser/tests` | List all security tests |\n| `GET` | `/api/browser/tests/:uuid` | Get test details with metadata |\n| `GET` | `/api/browser/tests/:uuid/files` | List test files |\n| `GET` | `/api/browser/tests/:uuid/files/:filename` | Get file contents |\n\n### Analytics\n\n| Method | Endpoint | Description |\n|--------|----------|-------------|\n| `GET` | `/api/analytics/defense-score` | Aggregate defense score |\n| `GET` | `/api/analytics/defense-score/trend` | Score trend over time |\n| `GET` | `/api/analytics/host-test-matrix` | Host × test heatmap data |\n| `GET` | `/api/analytics/technique-distribution` | Technique coverage breakdown |\n| `GET` | `/api/analytics/executions/paginated` | Paginated results with filters |\n| `POST` | `/api/analytics/settings` | Configure Elasticsearch connection |\n\n### Agent (Admin)\n\n| Method | Endpoint | Description |\n|--------|----------|-------------|\n| `GET` | `/api/agent/admin/agents` | List agents with filters |\n| `POST` | `/api/agent/admin/tokens` | Create enrollment token |\n| `POST` | `/api/agent/admin/tasks` | Create task for agent(s) |\n| `GET` | `/api/agent/admin/schedules` | List schedules |\n| `POST` | `/api/agent/admin/schedules` | Create recurring schedule |\n\n### Agent (Device)\n\n| Method | Endpoint | Auth |\n|--------|----------|------|\n| `POST` | `/api/agent/enroll` | Enrollment token |\n| `POST` | `/api/agent/heartbeat` | Agent key |\n| `GET` | `/api/agent/tasks` | Agent key |\n| `POST` | `/api/agent/tasks/:id/result` | Agent key |\n| `GET` | `/api/agent/update` | Agent key |\n\n\u003e `POST /api/agent/tasks/:id/result` accepts an optional `bundle_results` field. When present, each control is indexed as an independent ES document for per-control analytics.\n\n### Build \u0026 Settings\n\n| Method | Endpoint | Description |\n|--------|----------|-------------|\n| `POST` | `/api/tests/builds/:uuid` | Trigger cross-compilation |\n| `GET` | `/api/tests/builds/:uuid/download` | Download built binary |\n| `GET` | `/api/tests/certificates` | List certificates |\n| `POST` | `/api/tests/certificates/upload` | Upload PFX/P12 certificate |\n| `POST` | `/api/tests/certificates/generate` | Generate self-signed certificate |\n\n### Defender Integration\n\n| Method | Endpoint | Description |\n|--------|----------|-------------|\n| `GET` | `/api/analytics/defender/secure-score` | Current Secure Score with category breakdown |\n| `GET` | `/api/analytics/defender/secure-score/trend` | Secure Score trend over time |\n| `GET` | `/api/analytics/defender/alerts` | Defender alerts with filtering |\n| `GET` | `/api/analytics/defender/controls` | Control profiles with compliance status |\n| `GET` | `/api/analytics/defender/cross-correlation` | Defense Score vs Secure Score correlation |\n| `GET` | `/api/integrations/defender/config` | Defender configuration status |\n| `POST` | `/api/integrations/defender/config` | Save Defender credentials |\n| `POST` | `/api/integrations/defender/sync` | Trigger manual data sync |\n\n### Alerting\n\n| Method | Endpoint | Description |\n|--------|----------|-------------|\n| `GET` | `/api/integrations/alerts/config` | Get alert threshold configuration |\n| `POST` | `/api/integrations/alerts/config` | Save alert thresholds and notification channels |\n\n## Documentation\n\n### Getting Started\n- [Quick Start Deployment](docs/deployment/QUICK_START_DEPLOYMENT.md) — 50-minute production deployment\n- [Windows Docker Installation](docs/deployment/WINDOWS_DOCKER_INSTALL.md) — Complete guide for Windows with Docker Desktop\n- [Docker Compose guide](docker-compose.yml) — Local deployment with optional Elasticsearch\n\n### Deployment\n- [Docker Compose guide](docker-compose.yml) — Local deployment with optional Elasticsearch\n- [Quick Start Deployment](docs/deployment/QUICK_START_DEPLOYMENT.md) — 50-minute production deployment\n- [Railway Deployment](docs/deployment/RAILWAY.md) — Railway with private networking\n- [Render Deployment](docs/deployment/RENDER.md) — Render with persistent disk and Blueprint\n- [Fly.io Deployment](docs/deployment/FLY.md) — Fly.io with custom domains and volumes\n- [Vercel Deployment](docs/deployment/VERCEL.md) — Serverless with Turso and Vercel Blob\n- [Windows Docker Installation](docs/deployment/WINDOWS_DOCKER_INSTALL.md) — Complete guide for Windows with Docker Desktop\n- [Production Deployment Guide](docs/deployment/PRODUCTION_DEPLOYMENT.md) — Comprehensive Railway deployment\n- [Deployment Checklist](docs/deployment/DEPLOYMENT_CHECKLIST.md) — Interactive pre-flight checklist\n\n### Development\n- [CLAUDE.md](CLAUDE.md) — AI-assisted development guidance\n- [Contributing Guide](.github/CONTRIBUTING.md) — Contribution guidelines and code standards\n- [Changelog](docs/CHANGELOG.md) — Version history\n\n### Security \u0026 Community\n- [Security Policy](.github/SECURITY.md) — Vulnerability reporting and security model\n- [Security Audit Report](docs/security/SECURITY-AUDIT.md) — Comprehensive audit: 47 findings\n- [Agent Security Findings](docs/agent-security-findings.md) — Internal audit: 9 findings, 8 fixed\n- [Code of Conduct](.github/CODE_OF_CONDUCT.md) — Community guidelines\n- [Roadmap](docs/ROADMAP.md) — Planned features and direction\n\n## Contributing\n\nWe welcome contributions across all modules — frontend, backend, CLI (Bun), agent (Go), and documentation. See [CONTRIBUTING.md](.github/CONTRIBUTING.md) for guidelines on setup, coding standards, and the PR process.\n\n## Security\n\nFor security vulnerabilities, please report via [GitHub Security Advisories](https://github.com/projectachilles/ProjectAchilles/security/advisories) or review our [Security Policy](.github/SECURITY.md).\n\n## License\n\nThis project is licensed under the Apache License 2.0 — see the [LICENSE](LICENSE) file for details.\n\n---\n\n\u003cdiv align=\"center\"\u003e\n\n**Stop hoping your defenses work. Start proving it.**\n\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprojectachilles%2Fprojectachilles","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fprojectachilles%2Fprojectachilles","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprojectachilles%2Fprojectachilles/lists"}