chore: add pentest-fix prompt and wire verification into loop.sh

- loop/prompt-pentest-fix.md: dedicated prompt for pentest fix overnight
  runs, instructs Claude to run verify-pentest-fixes.sh as final step
- loop/loop.sh: automatically runs verification script when all plan
  tasks are complete (runs for any plan, not just pentest)

Usage: PROMPT_FILE=loop/prompt-pentest-fix.md caffeinate -i ./loop/loop.sh

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

loop/loop.sh

@@ -76,7 +76,20 @@ while [ "$i" -le "$ITERATION_COUNT" ]; do
 
   if ! plan_has_tasks; then
     banner "ALL TASKS COMPLETE"
-    log "  No remaining tasks in plan.md. Stopping."
+    log "  No remaining tasks in plan.md."
+
+    # Run pentest verification if the script exists
+    if [ -x "$PROJECT_DIR/scripts/verify-pentest-fixes.sh" ]; then
+      section "RUNNING PENTEST VERIFICATION"
+      "$PROJECT_DIR/scripts/verify-pentest-fixes.sh" 2>&1 | tee -a "$LOG_FILE"
+      VERIFY_EXIT=$?
+      if [ "$VERIFY_EXIT" -eq 0 ]; then
+        log "  Verification PASSED — all checks green."
+      else
+        log "  Verification FAILED — some checks did not pass."
+        log "  Exit code: $VERIFY_EXIT"
+      fi
+    fi
     break
   fi
 

loop/prompt-pentest-fix.md

@@ -0,0 +1,60 @@
+You are remediating security vulnerabilities found during a penetration test of Archipelago. Read these files first:
+
+1. `loop/plan.md` — Your fix checklist (mark items `- [x]` as you complete them)
+2. `CLAUDE.md` — Archy project conventions, architecture, coding standards
+3. `loop/pentest/security-assessment-report.md` — Full pentest report with findings and evidence
+
+## Architecture Reference
+
+```
+Nginx (port 80) → Rust backend (port 5678) → Podman containers
+                → Vue 3 frontend (static files)
+                → WebSocket /ws/db
+```
+
+Key backend files:
+- `core/archipelago/src/api/handler.rs` — HTTP request routing and middleware
+- `core/archipelago/src/api/rpc/mod.rs` — RPC method dispatch and auth gating
+- `core/archipelago/src/api/rpc/auth.rs` — Login/logout handlers
+- `core/archipelago/src/session.rs` — Session store, rate limiter, cookie helpers
+- `core/archipelago/src/api/rpc/package.rs` — Package install/uninstall
+- `core/archipelago/src/api/rpc/peers.rs` — P2P peer messaging
+- `core/archipelago/src/node_message.rs` — P2P message storage and validation
+- `image-recipe/configs/nginx-archipelago.conf` — Nginx config
+- `image-recipe/configs/archipelago.service` — Systemd service
+
+## For each task in loop/plan.md:
+
+1. Find the first unchecked `- [ ]` item
+2. Read the task description and the corresponding finding in the pentest report
+3. Read the relevant source files before making changes
+4. Implement the fix following CLAUDE.md conventions
+5. Deploy to live server: `./scripts/deploy-to-target.sh --live`
+6. Verify the specific fix works (curl test against the endpoint)
+7. Commit: `fix: description` (conventional commits)
+8. Mark it done `- [x]` in `loop/plan.md`
+9. Move to the next unchecked task immediately
+
+## When all FIX tasks are done:
+
+Run the full verification suite:
+
+```bash
+./scripts/verify-pentest-fixes.sh
+```
+
+If ALL 26 checks pass (exit code 0):
+- Mark VERIFY as `- [x]` in `loop/plan.md`
+- Commit the final state
+
+If ANY check fails (exit code 1):
+- DO NOT mark VERIFY done
+- Fix the failing checks, redeploy, and re-run verification
+- Only mark VERIFY done when all checks pass
+
+## Rules
+
+- Never skip deploy — changes must be live at 192.168.1.228 before marking done
+- If a fix breaks something else, fix the regression before moving on
+- Test each fix individually before moving to the next
+- Do not stop until all tasks are checked and verification passes, or you are rate limited