Nock the command, draw, fire.
nock is an AI-aware command launcher for pentesters and operators. It holds the hard-to-remember commands you need mid-engagement, fills in your variables (target, domain, wordlist) once, and hands the finished command to your shell — or to an AI agent over MCP. Single Go binary, no runtime dependencies, provider-agnostic AI, works online or fully offline.
Inspired by Orange-Cyberdefense/arsenal,
rebuilt from scratch: engine-first, agent-native, vendor-neutral. See
ROADMAP.md for the full plan and design decisions.
⚠️ For authorized security testing only. You are responsible for having permission to run what you launch. SeeSECURITY.md.
Mid-engagement, you burn seconds you don't have recalling the exact flags — or
your cheatsheets rot in a scratch file you grep by hand and re-type. When recall
is slower than just remembering it, the tool has failed.
nock makes recall instant: fuzzy-search the command, set your target once, review the fully-resolved line, fire. Same knowledge, two keystrokes instead of twenty.
- Single static binary (Go) — instant startup, trivial distribution, no Python/runtime drift.
- Engine-first — one command engine; the TUI, the MCP server, and a future web UI are thin frontends over it.
- Agent-native — ships an MCP server so Claude Code, Cursor, Continue, and other hosts can query your command knowledge directly. In MCP mode the host pays its own model cost; nock makes no LLM calls of its own.
- Provider-agnostic AI — command suggestion behind one interface: Anthropic, OpenAI-compatible (OpenAI, Groq, Together, vLLM, LocalAI, …), or Ollama for a fully offline / air-gapped path.
- Graceful degradation — fuzzy search needs no AI and no network. AI ranking layers on only when configured.
| raw notes | arsenal | nock | |
|---|---|---|---|
| Set a variable once, fill it everywhere | 🔴 | 🟢 | 🟢 |
| Single static binary, no runtime drift | — | 🔴 | 🟢 |
| Works offline / air-gapped | 🟢 | 🟢 | 🟢 |
| Optional AI ranking | 🔴 | 🔴 | 🟢 |
| MCP / agent-native (query from Claude, Cursor…) | 🔴 | 🔴 | 🟢 |
arsenal pioneered fast command recall; nock keeps the idea and modernizes the architecture — engine-first, agent-native, single Go binary.
Early. Milestone 0 (scaffold) is in place: the engine, fuzzy search, the variable resolver, the cheatsheet schema, and a scriptable CLI work today. The TUI, MCP server, AI ranker, and arsenal importer are stubbed and land per the roadmap.
# Build
make build
# Search the example cheatsheets (offline, no AI)
./bin/nock search web directories
# Resolve a command's variables
./bin/nock resolve nmap-service-scan --var target=10.0.0.5
# -> nmap -sV -sC -oA scans/10.0.0.5 10.0.0.5
# Version / help
./bin/nock version
./bin/nock helpPoint nock at your own cheatsheets:
export NOCK_CHEATSHEETS=/path/to/your/cheatsheets
./bin/nock search smbThe interactive TUI (Milestone 2) is the search → fill → fire loop end to end:
› nmap serv # fuzzy-search as you type
[recon] nmap-service-scan nmap -sV -sC -oA scans/<target> <target>
<target> = 10.0.0.5 # fill each variable once
✓ nmap -sV -sC -oA scans/10.0.0.5 10.0.0.5 # review the resolved line, then fire
Nothing runs until you confirm, and what's shown is exactly what's emitted — no hidden expansion (show-before-fire). An asciinema recording lands with the TUI.
| Command | Mode | Status |
|---|---|---|
nock |
Interactive TUI | stub (M2) |
nock --mcp |
MCP server over stdio | stub (M3) |
nock search <query> |
Non-interactive search | ✅ |
nock resolve <id> --var k=v |
Fill & print a command | ✅ |
nock import <src> |
Import arsenal cheatsheets | stub (M0/1) |
nock serve |
Team HTTP/SSE server | stub (M5) |
Cheatsheets are data and the project's stable contract. The Go definition lives in
pkg/format; a JSON Schema is at
pkg/format/schema.json. Commands use <name>
placeholders, resolved from the variable store:
{
"schema_version": "1",
"name": "recon",
"commands": [
{
"id": "nmap-service-scan",
"name": "nmap service/version scan",
"command": "nmap -sV -sC -oA scans/<target> <target>",
"intent": "identify open ports and the service versions behind them",
"tags": ["nmap", "scan"],
"risk": "low"
}
]
}YAML is the primary authoring format; JSON is accepted for tooling and interchange. The codec is chosen by file extension, and a sheet round-trips through either into the same structs.
Versioned, in-repo docs live in docs/:
- Install — source,
go install, release binaries. - CLI reference — every mode and flag.
- Cheatsheet schema — the
pkg/formatauthoring contract. - MCP setup — exposing nock to AI agents (Milestone 3).
- Contributing — dev loop, git-flow branching, and the
CodeRabbit review workflow (
@coderabbitai reviewon PRs todevelop/main). - Releasing — how a version tag becomes a cross-platform release.
Narrative and community content (tutorials, FAQ, operator workflows) lives in the Wiki.
cmd/nock single binary, mode switch
internal/engine THE product: search + variable resolution (one source of truth)
internal/search zero-dependency fuzzy matcher
internal/vars global variable store (set once, fill everywhere)
internal/cheatsheet load + validate cheatsheets
internal/ai provider-agnostic ranker (Anthropic / OpenAI-compat / Ollama)
internal/mcp MCP server frontend
internal/tui Bubble Tea frontend
pkg/format cheatsheet schema — the stable public contract
Frontends call the engine and nothing else; AI is always an optional layer. See
CONTRIBUTING.md for the architecture rules.
Apache-2.0. nock is an independent, clean-room project: no arsenal source
code is copied, and arsenal's GPL-3.0 cheatsheet content is never bundled — the
importer fetches it onto your machine. See NOTICE.