ghostonbutterbread/recon-ry

Recon Ry

Use when Ryushe asks to run recon-ry, install/check the Hoster recon box, find recon-ry artifacts for a program, or import/index a completed recon-ry project into the Ghost bounty pipeline.

This skill is a long-running recon wrapper and directory map. Start scans and return the PID/log path; do not watch the scan until completion. When agents need recon data, point them to the recon-ry project location and artifact map instead of copying bulk output.

Load Order

1. Read $HARNESS_ROOT/prompts/recon-ry-playbook.md.
2. Confirm target scope/rate policy from program notes or /pullscope artifacts.
3. Use Hoster via ryushe@hoster and /home/ryushe/.ssh/hoster.
4. Use agents/recon_ry.py for start/status/ingest actions.
5. Treat recon-ry project directories as durable recon storage; do not write high-volume output into the findings ledger.

Commands

Start a remote run and return immediately:

python3 agents/recon_ry.py start <program> --url <scoped-domain-or-url> --profile full

The start command fails closed if saved scope is missing or the URL is out of scope. It also writes a project-local rate_limit.conf before launch. Use --rate-limit-rps only after checking the program policy; use --allow-unscoped only after explicit Ryushe approval.

Before launch, the wrapper stages recon seed files into the remote project:

• /home/ryushe/bounties/{program}/urls.txt
• /home/ryushe/bounties/{program}/wild.txt

urls.txt receives exact URLs and exact host/domain entries. wild.txt receives wildcard base domains with *. removed.

Check remote status/log names:

python3 agents/recon_ry.py status

Ingest a completed Hoster project:

python3 agents/recon_ry.py ingest <program> \
  --source ryushe@hoster:/home/ryushe/bounties/<program> \
  --target <target-host>

Recon-Ry Project Location

Active and durable recon-ry project directories use:

/home/ryushe/bounties/{program}/

Legacy local examples may also exist at:

~/Shared/bounty_recon/{program}/
~/projects/bounties/{program}/

Use the newest history/ snapshot when the question is about a specific run. Use the root files when the question is about the latest deduped current state.

Artifact Map

{project}/
├── urls.txt          # all known URLs and exact host/domain seed entries; deduped current state
├── wild.txt          # discovered/input subdomains or wildcard bases; deduped current state
├── alive.txt         # live HTTP(S) hosts/URLs after probing; primary list for browser/live-map/nuclei follow-up
├── params_raw.txt    # raw parameterized endpoint candidates from discovery tools
├── params.txt        # normalized/deduped URLs with parameters; primary list for XSS, SQLi, SSRF, redirect, IDOR-style endpoint review
├── jsfiles.txt       # JavaScript URLs extracted from parameter/url discovery; primary list for JS/secrets/sink analysis
├── secrets.txt       # secret-scanner findings; treat as sensitive until manually validated and sanitized
├── dorks.txt         # dork/query leads generated by recon stages
├── dirs.txt          # directory/content discovery results when present
├── rate_limit.conf   # per-project rate configuration written by the wrapper
├── history/
│   └── {timestamp}/  # per-run snapshots; newest timestamp is the most recent run
└── screenshots/ or eyewitness/  # visual artifacts when present

Recon-ry merges line-based outputs into the root files during runs, so root files are the current deduped view. history/{timestamp}/ preserves what existed during that run.

Finding The Latest Data

On Hoster:

PROJECT=/home/ryushe/bounties/<program>
ls -1t "$PROJECT/history" | head -1

For legacy local data:

PROJECT=~/Shared/bounty_recon/<program>
ls -1t "$PROJECT/history" | head -1

If history/ does not exist, read the project root files directly.

Output Indexing

Ingest writes:

~/Shared/web_bounty/{program}/web/recon/recon-ry/{target}/runs/{YYYY-MM-DD}/{run_id}/
├── command.txt
├── stdout.txt
├── stderr.txt
├── raw/
├── parsed/
└── manifest.json

Use ingest/indexing for manifests, counts, and small parsed artifacts. Do not copy 10GB+ raw recon trees by default when agents can read the recon-ry location directly.

Rules

• Treat recon-ry outputs as recon artifacts, not confirmed vulnerabilities.
• Promote to the findings ledger only after a separate high-confidence validation step.
• Keep Hoster logs and bulk raw artifacts on Hoster unless Ryushe explicitly asks to archive them elsewhere.
• Prefer root project files for current deduped state; prefer history/{timestamp}/ for run-specific snapshots.
• Stop before running high-volume recon on a target without explicit scope/rate approval.
• Never bypass the saved-scope check unless Ryushe explicitly approves the target and rate limit.