feat(arsenal): HackerOne disclosed-reports reference agent + methodology trim

CHANGELOG.md

@@ -7,6 +7,29 @@ and the project uses [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
 
+## [Unreleased]
+
+### `offensive-osint` — feat: HackerOne hacktivity reference agent (§29.3)
+
+- Added `skills/offensive-osint/scripts/h1_reference.py` — stdlib-only Python script (no API key required) that queries HackerOne's public GraphQL API for disclosed reports, surfacing community-validated findings during recon.
+- Supports: top-voted sort (community-validated techniques), top-bounty sort (business-impact framing), keyword search with cursor pagination (50 results/page), client-side severity and CWE filters, program-specific lookups, JSON output for piping.
+- Documents three empirically discovered H1 GraphQL server crashes worked around in the script: named variables + substate filter + report fields, `disclosed_at` field + substate filter, sort + substate filter + report fields.
+- Added §29.3 "HackerOne Disclosed Reports Reference" to `offensive-osint` with usage recipes for session-start baseline loading, tech-stack keyword search, pre-probe attack-class reference, and report-writing comparables.
+- Added trigger phrases: `hackerone reference`, `h1 hacktivity`, `disclosed reports`, `community bug reports`, `prior disclosures`, `bug bounty reference`.
+- Added smoke-test prompt #33.
+
+### `osint-methodology` — refactor: trimmed from 1,694 to 455 lines (v2.2)
+
+- Removed duplicate implementation content already covered by `offensive-osint` (§11–§15, §27–§29 original).
+- Compressed 9 implementation-detail sections (Identity Fabric, API, JS, Mobile, Cloud, WAF/CDN, Vuln Prioritization, Phishing) into a single §11 pointer block — each now a 2-sentence description + companion skill reference.
+- Collapsed §16–§21 (Cryptocurrency, Image/Video/Chronolocation, Threat Actor, People, Infrastructure OSINT, Automation, Synthetic Media) into a single §13 specialty domains section (~20 lines total).
+- Retained full methodology core: confidence levels + upgrade workflows (§2), 5-stage pipeline + priority order + time budgets (§7), asset graph taxonomy + triage rules (§8), severity rubric + escalation rules (§9), OpSec + detectability + back-off (§6), breach × identity correlation (§12), anti-patterns (§14).
+- Trimmed §30 Bug Bounty Submission (~90 lines → ~15) and §31 Client Deliverable Templates (~150 lines → ~20); retained essential structures (report skeleton, risk translation matrix).
+- Renumbered: §26 Anti-Patterns → §14; §30 Bug Bounty → §15; §31 Deliverables → §16; §32 Self-Test → §17; §33 Changelog → §18.
+- Updated skill self-test to 12 prompts aligned with new section numbers.
+
+---
+
 ## [2.1] — 2026-04-27
 
 Comprehensive expansion based on a 32-prompt smoke-test gap analysis. PASS rate moved from C-grade (1 PASS / 9 PARTIAL / 22 FAIL) to A-grade (31 PASS / 1 PARTIAL / 0 FAIL).

README.md

@@ -2,7 +2,7 @@
 
 # claude-osint
 
-> 2 paired Claude skills · **90+ recon modules** · 48 secret-regex patterns · 80+ dorks · 9 read-only credential validators · 27 attack-path templates · 5,500+ lines of structured tradecraft. Drop-in `SKILL.md` files that turn Claude into a god-mode external recon operator for authorized red-team and bug-bounty engagements.
+> 2 paired Claude skills · **90+ recon modules** · 48 secret-regex patterns · 80+ dorks · 9 read-only credential validators · 27 attack-path templates · 4,600+ lines of structured tradecraft. Drop-in `SKILL.md` files that turn Claude into a god-mode external recon operator for authorized red-team and bug-bounty engagements.
 
 Built by **[ElementalSoul](https://github.com/elementalsouls)** — GenAI Security Research.
 
@@ -17,7 +17,7 @@ Built by **[ElementalSoul](https://github.com/elementalsouls)** — GenAI Securi
 
 Drop both into your Claude environment and it behaves like a senior recon analyst: it knows the techniques, the tooling, the edge cases, and the escalation paths — and it stays in scope.
 
-~5,500 lines of structured tradecraft · 96.9% PASS on a 32-prompt self-evaluation · ~85–90% practitioner coverage for the recon phase of authorized engagements.
+~4,600 lines of structured tradecraft · 96.9% PASS on a 32-prompt self-evaluation · ~85–90% practitioner coverage for the recon phase of authorized engagements.
 
 ---
 
@@ -26,10 +26,11 @@ Drop both into your Claude environment and it behaves like a senior recon analys
 ```
 claude-osint/
 ├── skills/
-│   ├── osint-methodology/SKILL.md     # how to think  (1,694 lines)
+│   ├── osint-methodology/SKILL.md     # how to think  (455 lines)
 │   └── offensive-osint/
 │       ├── SKILL.md                   # what to reach for (4,168 lines)
-│       └── scripts/secret_scan.py     # stdlib-only secret scanner
+│       ├── scripts/secret_scan.py     # stdlib-only secret scanner
+│       └── scripts/h1_reference.py    # HackerOne disclosed-reports reference agent
 ├── docs/                              # architecture · coverage · install · usage
 ├── examples/                          # 4 end-to-end engagement walk-throughs
 ├── tests/smoke-test-prompts.md        # 32-prompt self-evaluation
@@ -105,6 +106,7 @@ Each skill directory is self-contained. Drop into `~/.claude/skills/` and Claude
 | 9 read-only credential validators (Postman / AWS / GitHub / Slack / Anthropic / OpenAI / npm / Atlassian / DataDog) | arsenal |
 | Post-discovery enumeration workflows (IAM enum · repo enum · workspace enum · JWT triage) | arsenal |
 | `secret_scan.py` runnable helper (stdlib-only, JSONL output) | arsenal |
+| `h1_reference.py` — HackerOne disclosed-reports reference agent (no API key, top-voted / top-bounty / keyword / program filter) | arsenal |
 | 80+ dork corpus across 9 categories | arsenal |
 
 ### Breach Intelligence

skills/offensive-osint/SKILL.md

@@ -124,6 +124,12 @@ triggers:
   - Teams federation
   - SharePoint enum
   - OneDrive enum
+  - hackerone reference
+  - h1 hacktivity
+  - disclosed reports
+  - community bug reports
+  - prior disclosures
+  - bug bounty reference
 ---
 
 # Offensive OSINT — External Red-Team Arsenal
@@ -3069,6 +3075,45 @@ while IFS= read -r CVE; do
   echo "$CVE | EPSS:$EPSS | $KEV_FLAG"
 done < cves.txt | sort -t: -k2 -nr
 
+### 29.3 HackerOne Disclosed Reports Reference
+
+Use `skills/offensive-osint/scripts/h1_reference.py` (no API key required, public GraphQL) to pull community-validated findings as reference while testing. Run it at session start for the target's tech stack or attack type.
+
+**Key modes:**
+```bash
+# Top voted community reports — best validated techniques
+python3 skills/offensive-osint/scripts/h1_reference.py --top-voted --limit 25
+
+# Highest bounty reports — business-impact framing reference
+python3 skills/offensive-osint/scripts/h1_reference.py --top-bounty --limit 10
+
+# Keyword search across pages (50 results/page)
+python3 skills/offensive-osint/scripts/h1_reference.py --top-voted --query "SSRF" --pages 10
+python3 skills/offensive-osint/scripts/h1_reference.py --top-voted --query "auth bypass|OAuth|OIDC" --pages 5
+python3 skills/offensive-osint/scripts/h1_reference.py --top-voted --query "open redirect" --pages 5
+
+# Filter by severity (client-side)
+python3 skills/offensive-osint/scripts/h1_reference.py --top-bounty --severity critical high --pages 3
+
+# Program-specific disclosures (requires program handle)
+python3 skills/offensive-osint/scripts/h1_reference.py --program gitlab --pages 5
+python3 skills/offensive-osint/scripts/h1_reference.py --lookup-program gitlab   # resolve handle → team ID
+
+# JSON output for piping / jq
+python3 skills/offensive-osint/scripts/h1_reference.py --top-voted --query "XSS" --pages 5 --json | jq '.[].report.url'
+```
+
+**When to run:**
+- At session start: `--top-voted` to load high-signal baseline
+- After identifying target's tech stack: `--query "<tech>" --pages 10`
+- Before probing a specific attack class: `--query "SSRF|XXE|SSTI" --pages 5`
+- For report writing: `--query "<vuln type>" --top-bounty` to find comparable severity/bounty
+
+**H1 GraphQL quirks (documented):**
+- Max 50 results/page regardless of `first:` value — use `--pages` for breadth
+- `disclosed_at` field crashes H1 server when combined with substate filter — omitted
+- Sort + substate filter combo crashes — script auto-routes around this
+
 ---
 
 ## 30. Cryptocurrency OSINT