Next-generation security testing platform. Crucible provides a catalog of 80+ attack scenarios, a visual scenario editor, a real-time simulation engine, and pass/fail assessment scoring — all orchestrated through a web UI backed by WebSocket streaming.
- Scenario Catalog — 80+ pre-built security scenarios covering OWASP API Top 10, web attacks, business logic flaws, compliance checks, and more
- Visual Editor — create and modify scenarios with a form-based editor or raw JSON, with live validation
- Real-time Simulations — watch step-by-step execution with a live timeline, pause/resume/cancel controls, and variable extraction
- Assessment Scoring — run scenarios in assessment mode for a pass/fail verdict with percentage scoring
- DAG Execution — steps execute in dependency order with conditional branching, retries, and template variables

```
crucible/
├── packages/catalog # @crucible/catalog — scenario schemas, validation, and loader
├── apps/web-client # Next.js 16 web UI (scenarios, assessments, simulations)
└── apps/demo-dashboard # Express + WebSocket simulation orchestrator
```

| Package | Stack | Description |
|---|---|---|
| `@crucible/catalog` | TypeScript, Zod | Scenario type definitions, JSON schema validation, runbook parser |
| `web-client` | Next.js 16, React 19, Tailwind 4, Radix UI | Primary web interface for browsing and editing scenarios |
| `@crucible/demo-dashboard` | Express, WebSocket | Real-time scenario execution engine with live dashboard |

- Node.js 22+
- pnpm 9.15.4 (activated via `corepack enable`)

```bash
pnpm install
pnpm build
```

Start both servers (in separate terminals):

```bash
# Backend — scenario engine + REST API + WebSocket (port 3001)
pnpm --filter @crucible/demo-dashboard dev

# Frontend — web UI (port 3000)
pnpm --filter web-client dev
```

Open http://localhost:3000 and verify the CONNECTED indicator appears in the header.

```bash
docker run -p 3000:3000 ghcr.io/nickcrew/crucible/web-client:latest
```

| Guide | Description |
|---|---|
| Getting Started | Install, configure, and launch Crucible |
| Running Scenarios | Browse the catalog, run simulations, and review assessments |
| Editing Scenarios | Create and modify scenario definitions |

| Document | Description |
|---|---|
| System Overview | Component map, data flow diagrams, and communication protocols |
| Scenario Engine | DAG scheduling, step execution, assertions, and WebSocket events |

| Document | Description |
|---|---|
| Testing Guide | Test infrastructure, conventions, and coverage breakdown |

See the full Documentation Navigator for all available docs.

Every PR to main runs build, type-check, and test via GitHub Actions.

Pushing a semver tag triggers a Docker build and push to GitHub Container Registry:

```bash
git tag v0.2.0
git push origin v0.2.0
```

This publishes ghcr.io/nickcrew/crucible/web-client with tags derived from the version (e.g. 0.2.0, 0.2, latest).

| Command | Description |
|---|---|
| `pnpm build` | Build all packages (Nx orchestrated) |
| `pnpm test` | Run all test suites |
| `pnpm type-check` | TypeScript type checking across all packages |
| `pnpm lint` | Lint all packages |
