一键在 Manus 中运行任何 Skill

开始使用

orchestration

星标4,445

分支878

更新时间2026年6月12日 09:59

Decepticon orchestrator patterns — delegation, state management, adaptive re-planning, context handoff protocols.

安装

用 Codex 或 Claude 帮你安装复制这段 Prompt，粘贴到 Codex、Claude 或其他助手里，让它检查 Skill 页面并帮你完成安装。

在 Manus 中运行

来源

PurpleAILAB

PurpleAILAB/Decepticon

打开 GitHub 仓库查看创作者相关仓库

下载

在 Manus 中运行

Decepticon Orchestration Patterns

Delegation Protocol

Context Handoff — What Every Sub-Agent Needs

Every task() delegation MUST include:

Objective — What specifically to accomplish (from OPPLAN)
Scope — IN SCOPE targets + OUT OF SCOPE boundaries (from RoE)
Context — Relevant findings from previous phases
Lessons — Known gotchas, failed approaches, OPSEC warnings
Acceptance Criteria — How the sub-agent knows it's done
Output Location — Where to save results (e.g. recon/, exploit/)

Delegation Template

task(
  description="""
  OBJECTIVE: {objective_id} — {title}
  PHASE: {phase}

  SCOPE:
  - IN: {in_scope_targets}
  - OUT: {out_of_scope_targets}

  CONTEXT FROM PREVIOUS PHASES:
  {relevant_findings_summary}

  LESSONS LEARNED:
  {known_gotchas}

  ACCEPTANCE CRITERIA:
  - [ ] {criterion_1}
  - [ ] {criterion_2}

  Save all results to {phase}/
  """,
  subagent_type="{agent_name}"
)

Sub-Agent Selection Matrix

Objective Phase	Sub-Agent	When to Use
Planning	`soundwave`	Missing roe.json/conops.json/deconfliction.json, or documents need updating
Recon	`recon`	Subdomain/port/service enumeration, OSINT, cloud/web recon
Exploitation	`exploit`	Initial access: SQLi, SSTI, AD attacks, credential exploitation
Post-Exploitation	`postexploit`	After foothold: cred dump, privesc, lateral movement, C2

Parallel Execution

Delegate independent tasks simultaneously for efficiency:

# Independent targets — run in parallel
task(description="Recon subnet 10.0.0.0/24...", subagent_type="recon")
task(description="Recon subnet 10.0.1.0/24...", subagent_type="recon")

# DO NOT parallelize dependent tasks:
# ✗ Exploit before recon completes
# ✗ PostExploit before foothold established

State Management

Engagement State Files

./
├── plan/
│   ├── roe.json          # Immutable scope boundaries (read every iteration)
│   ├── conops.json       # Operation concept
│   ├── deconfliction.json # Deconfliction identifiers and procedures
│   └── opplan.json       # Objective tracker (update status after each sub-agent)
├── findings/            # Per-finding Markdown files, created lazily
├── lessons_learned.md    # Failed approaches + what worked
└── .ralph_state.json     # Loop iteration counter + completion flags

State Update Protocol (After Each Sub-Agent Returns)

Parse result — Did the sub-agent report PASSED or BLOCKED?
Update plan/opplan.json — Set objective status (passed, blocked, in_progress)
Record verified findings — Add findings/FIND-{NNN}.md only when a real finding exists
Append lessons_learned.md — Record what worked, what failed, and why
Check completion — All objectives passed? → Generate summary

Context Window Budget

Read recent findings/FIND-*.md entries each iteration (keep only relevant excerpts)
Summarize verbose sub-agent outputs before appending to findings
Use files on disk as persistent memory — don't rely on conversation history

After Recon Returns — Decision Tree

Execute this IN ORDER after every recon task() completes. No exceptions.

1. Read recon/SUMMARY.md
   ├── Missing or empty? → Rule 13 crash protocol (retry once, then BLOCKED)
   └── Present → continue

2. Contains RECON_HANDOFF / CRITICAL/HIGH finding / captured session?
   ├── YES → dispatch task("exploit", ...) IMMEDIATELY (Rule 19)
   │         Pass: exact vector, URL, param, session tokens, challenge tags
   └── NO (RECON_BUDGET_EXHAUSTED / LOW/INFO only) → continue

3. RECON_BUDGET_EXHAUSTED with zero confirmed vulns?
   ├── Unvisited surface remains? → focused second recon turn on that surface
   └── No unvisited surface → update_objective(status="blocked",
                               reason="recon exhausted: no confirmed vuln class")

Rule: Step 2 YES has NO exceptions. Do not do "one more recon probe" first.

Adaptive Re-planning

When an Objective is BLOCKED

1. Document failure:
   - WHY it failed (specific error, defense mechanism, missing prerequisite)
   - WHAT was attempted (tools, techniques, targets)
   → Append to lessons_learned.md

2. Assess alternatives:
   - Different attack vector from findings?
   - Lower-risk approach?
   - Skip and return later after more intel?

3. Decision:
   IF alternative exists → delegate new task with adjusted approach
   IF prerequisite missing → re-order objectives (e.g., need more recon)
   IF no path forward → mark BLOCKED with explanation, move to next objective

Re-ordering Objectives

The OPPLAN defines priority order, but you may deviate when:

A higher-priority objective depends on a lower-priority one
New findings reveal a faster path to the same goal
An objective is temporarily blocked and others are actionable

Always document re-ordering decisions in lessons_learned.md.

Response Format

After Each Sub-Agent Completes

Report structured status:

Objective	Phase	Sub-Agent	Result	Key Findings
OBJ-001	Recon	recon	PASSED	12 subdomains, AD on 10.0.0.5

Decision Transparency

Before each delegation, briefly state:

Why this objective is next (priority, dependency, re-plan reason)
Which sub-agent and why
What context you're passing

Progress Summary

Maintain running status after each iteration:

Engagement: {name}
Progress: {passed}/{total} objectives
Current: OBJ-003 (Exploit phase)
Blocked: OBJ-002 (WAF blocking SQLi — will retry after credential access)
Next: OBJ-004 (PostExploit — pending OBJ-003 completion)

Engagement Completion Report

When all objectives are done:

Full attack path (every hop, credential, escalation)
Credential inventory
Host access map
Recommendations for defensive improvements

同仓库更多 Skills

同仓库

decepticon

PurpleAILAB/Decepticon

Drive Decepticon — an autonomous multi-agent red-team framework — over MCP to run authorized penetration tests and bug-bounty engagements end to end, then watch and steer them live from chat. Launch an engagement against a target, poll its transcript to narrate progress, send messages to refocus it, and pull findings as SARIF. Use when the user asks to run a pentest/red-team engagement, hunt a bug bounty, do recon, exploit/scan a host, web app, API, network, cloud, Active Directory, mobile app, or smart contract WITH Decepticon — or to check/resume a running engagement or report what Decepticon found. Triggers: run a decepticon engagement, pentest this with decepticon, bug bounty, recon this target, red team this, scan this host, resume the engagement, what did decepticon find, decepticon status. Do NOT use for ad-hoc local tool runs (running nmap/sqlmap/ffuf directly) when no Decepticon server is involved — this drives the Decepticon orchestrator, not raw tools.

2026-06-164.4k

iot-security

PurpleAILAB/Decepticon

IoT device security reconnaissance — firmware extraction, embedded analysis, protocol identification, default credential checking, vulnerability scanning, device fingerprinting.

2026-06-154.4k

mobile-security

PurpleAILAB/Decepticon

Mobile application security reconnaissance — APK/IPA analysis, permission enumeration, certificate validation, hardcoded secret detection, insecure storage identification, network security analysis.

2026-06-154.4k

wireless-security

PurpleAILAB/Decepticon

Wireless network security reconnaissance — WiFi analysis, Bluetooth assessment, RFID/NFC evaluation, signal capture, protocol analysis, encryption testing, rogue device detection.

2026-06-154.4k

finding-protocol

PurpleAILAB/Decepticon

Operational-tier finding template — minimal fields for sub-agent decision support. Heavyweight deliverable promotion lives in skills/decepticon/final-report.

2026-06-124.4k

engagement-lifecycle

PurpleAILAB/Decepticon

Red team engagement lifecycle management — initiation, phase transitions, go/no-go gates, deconfliction, emergency procedures, completion.

2026-06-124.4k

name	orchestration
description	Decepticon orchestrator patterns — delegation, state management, adaptive re-planning, context handoff protocols.
allowed-tools	Read
metadata	{"subdomain":"orchestration","when_to_use":"delegate, orchestrate, next objective, blocked, re-plan, hand off, engagement state, status update, parallel execution","tags":"orchestration, delegation, state-management, re-planning, context-handoff","upstream_ref":"Decepticon orchestrator delegation / re-planning patterns — multi-agent control plane, no direct attack technique"}

Decepticon Orchestration Patterns

Delegation Protocol

Context Handoff — What Every Sub-Agent Needs

Every task() delegation MUST include:

Objective — What specifically to accomplish (from OPPLAN)
Scope — IN SCOPE targets + OUT OF SCOPE boundaries (from RoE)
Context — Relevant findings from previous phases
Lessons — Known gotchas, failed approaches, OPSEC warnings
Acceptance Criteria — How the sub-agent knows it's done
Output Location — Where to save results (e.g. recon/, exploit/)

Delegation Template

task(
  description="""
  OBJECTIVE: {objective_id} — {title}
  PHASE: {phase}

  SCOPE:
  - IN: {in_scope_targets}
  - OUT: {out_of_scope_targets}

  CONTEXT FROM PREVIOUS PHASES:
  {relevant_findings_summary}

  LESSONS LEARNED:
  {known_gotchas}

  ACCEPTANCE CRITERIA:
  - [ ] {criterion_1}
  - [ ] {criterion_2}

  Save all results to {phase}/
  """,
  subagent_type="{agent_name}"
)

Sub-Agent Selection Matrix

Objective Phase	Sub-Agent	When to Use
Planning	`soundwave`	Missing roe.json/conops.json/deconfliction.json, or documents need updating
Recon	`recon`	Subdomain/port/service enumeration, OSINT, cloud/web recon
Exploitation	`exploit`	Initial access: SQLi, SSTI, AD attacks, credential exploitation
Post-Exploitation	`postexploit`	After foothold: cred dump, privesc, lateral movement, C2

Parallel Execution

Delegate independent tasks simultaneously for efficiency:

# Independent targets — run in parallel
task(description="Recon subnet 10.0.0.0/24...", subagent_type="recon")
task(description="Recon subnet 10.0.1.0/24...", subagent_type="recon")

# DO NOT parallelize dependent tasks:
# ✗ Exploit before recon completes
# ✗ PostExploit before foothold established

State Management

Engagement State Files

./
├── plan/
│   ├── roe.json          # Immutable scope boundaries (read every iteration)
│   ├── conops.json       # Operation concept
│   ├── deconfliction.json # Deconfliction identifiers and procedures
│   └── opplan.json       # Objective tracker (update status after each sub-agent)
├── findings/            # Per-finding Markdown files, created lazily
├── lessons_learned.md    # Failed approaches + what worked
└── .ralph_state.json     # Loop iteration counter + completion flags

State Update Protocol (After Each Sub-Agent Returns)

Parse result — Did the sub-agent report PASSED or BLOCKED?
Update plan/opplan.json — Set objective status (passed, blocked, in_progress)
Record verified findings — Add findings/FIND-{NNN}.md only when a real finding exists
Append lessons_learned.md — Record what worked, what failed, and why
Check completion — All objectives passed? → Generate summary

Context Window Budget

Read recent findings/FIND-*.md entries each iteration (keep only relevant excerpts)
Summarize verbose sub-agent outputs before appending to findings
Use files on disk as persistent memory — don't rely on conversation history

After Recon Returns — Decision Tree

Execute this IN ORDER after every recon task() completes. No exceptions.

1. Read recon/SUMMARY.md
   ├── Missing or empty? → Rule 13 crash protocol (retry once, then BLOCKED)
   └── Present → continue

2. Contains RECON_HANDOFF / CRITICAL/HIGH finding / captured session?
   ├── YES → dispatch task("exploit", ...) IMMEDIATELY (Rule 19)
   │         Pass: exact vector, URL, param, session tokens, challenge tags
   └── NO (RECON_BUDGET_EXHAUSTED / LOW/INFO only) → continue

3. RECON_BUDGET_EXHAUSTED with zero confirmed vulns?
   ├── Unvisited surface remains? → focused second recon turn on that surface
   └── No unvisited surface → update_objective(status="blocked",
                               reason="recon exhausted: no confirmed vuln class")

Rule: Step 2 YES has NO exceptions. Do not do "one more recon probe" first.

Adaptive Re-planning

When an Objective is BLOCKED

1. Document failure:
   - WHY it failed (specific error, defense mechanism, missing prerequisite)
   - WHAT was attempted (tools, techniques, targets)
   → Append to lessons_learned.md

2. Assess alternatives:
   - Different attack vector from findings?
   - Lower-risk approach?
   - Skip and return later after more intel?

3. Decision:
   IF alternative exists → delegate new task with adjusted approach
   IF prerequisite missing → re-order objectives (e.g., need more recon)
   IF no path forward → mark BLOCKED with explanation, move to next objective

Re-ordering Objectives

The OPPLAN defines priority order, but you may deviate when:

A higher-priority objective depends on a lower-priority one
New findings reveal a faster path to the same goal
An objective is temporarily blocked and others are actionable

Always document re-ordering decisions in lessons_learned.md.

Response Format

After Each Sub-Agent Completes

Report structured status:

Objective	Phase	Sub-Agent	Result	Key Findings
OBJ-001	Recon	recon	PASSED	12 subdomains, AD on 10.0.0.5

Decision Transparency

Before each delegation, briefly state:

Why this objective is next (priority, dependency, re-plan reason)
Which sub-agent and why
What context you're passing

Progress Summary

Maintain running status after each iteration:

Engagement: {name}
Progress: {passed}/{total} objectives
Current: OBJ-003 (Exploit phase)
Blocked: OBJ-002 (WAF blocking SQLi — will retry after credential access)
Next: OBJ-004 (PostExploit — pending OBJ-003 completion)

Engagement Completion Report

When all objectives are done:

Full attack path (every hop, credential, escalation)
Credential inventory
Host access map
Recommendations for defensive improvements