Description
I searched existing issues and PRs but didn't find a report for this.
Bug description
shared/_rules.txt contains only {{RULES_AVOID}} but not {{RULES_FOCUS}}. Since 10 prompt templates (all vuln-* and exploit-*) include this shared partial via @include(shared/_rules.txt), user-configured focus rules are silently discarded for all agents except recon (which has {{RULES_FOCUS}} inline).
Steps to reproduce
- Create a config with focus rules:

  ```yaml
  rules:
    focus:
      - description: "Test admin endpoints"
        type: path
        url_path: "/admin/*"
  ```

- Run:

  ```
  ./shannon start URL=https://example.com REPO=my-repo CONFIG=./configs/focus-test.yaml
  ```

- Check audit logs for any vuln agent (e.g., vuln-injection) — focus rules are absent from its prompt
- Check audit logs for recon agent — focus rules are present
Impact
Users who configure rules.focus expect focus areas to guide all agents. Currently only the recon agent respects them. The 10 vuln/exploit agents receive Rules to Avoid: ... but no focus section at all. Reproducible on every run where focus rules are configured.
Root cause
prompt-manager.ts L177-178 correctly calls .replace(/{{RULES_FOCUS}}/g, focusRules), but this replacement is a no-op for templates that include shared/_rules.txt because that file lacks the {{RULES_FOCUS}} placeholder:
```
// prompts/shared/_rules.txt (current)
Rules to Avoid:
{{RULES_AVOID}}
```
The replacement targets a string that doesn't exist in the expanded template.
Proposed fix
Rules to Avoid:
{{RULES_AVOID}}
+
+Rules to Focus:
+{{RULES_FOCUS}}

One file, two lines. Happy to submit a PR for this.
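Review bot: the added "Rules to Focus:" heading at the end of the hunk is unconditional, so on a run with no focus rules configured every vuln-* and exploit-* prompt will carry the heading followed by whatever prompt-manager.ts substitutes for an empty focusRules. Confirm that value reads sensibly in the prompt, or emit the section only when focus rules exist. A test that expands each template's @include directives and asserts that both {{RULES_AVOID}} and {{RULES_FOCUS}} are present would make a missing placeholder fail loudly instead of turning the .replace() into a no-op again.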
Affected files
prompts/shared/_rules.txt
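
As an added example (not code from the Shannon repository): a template lint that expands `@include(...)` and reports variables the prompt manager would substitute but that never appear in the expanded template, which is the silent no-op described under Root cause. The template contents, the file names other than `shared/_rules.txt`, and all helper names are constructed for illustration.

```typescript
// Constructed in-memory stand-ins for the prompt files (not the project's real contents).
const templates: Record<string, string> = {
  "shared/_rules.txt": "Rules to Avoid:\n{{RULES_AVOID}}\n",
  "vuln-injection.txt": "Analyze the target.\n@include(shared/_rules.txt)\n",
  "recon.txt": "Map the target.\nRules to Avoid:\n{{RULES_AVOID}}\nRules to Focus:\n{{RULES_FOCUS}}\n",
};

// Recursively expand @include(path). Hypothetical helper; the real loader may differ.
function expandIncludes(name: string, files: Record<string, string>, seen: string[] = []): string {
  if (seen.indexOf(name) !== -1) throw new Error(`include cycle: ${[...seen, name].join(" -> ")}`);
  const body = files[name];
  if (body === undefined) throw new Error(`missing template: ${name}`);
  return body.replace(/@include\(([^)]+)\)/g, (_m: string, path: string) =>
    expandIncludes(path.trim(), files, [...seen, name]));
}

// Variables the caller intends to substitute but that are absent from the
// expanded template, i.e. replacements that would silently do nothing.
function missingPlaceholders(name: string, files: Record<string, string>, vars: string[]): string[] {
  const expanded = expandIncludes(name, files);
  const present: string[] = [];
  const re = /\{\{([A-Z_]+)\}\}/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(expanded)) !== null) {
    const key = m[1];
    if (key !== undefined && present.indexOf(key) === -1) present.push(key);
  }
  return vars.filter((v) => present.indexOf(v) === -1);
}

// Lint every top-level template (shared partials are only checked via their includers).
function lintTemplates(files: Record<string, string>, vars: string[]): Record<string, string[]> {
  const report: Record<string, string[]> = {};
  for (const name of Object.keys(files)) {
    if (name.indexOf("shared/") === 0) continue;
    const missing = missingPlaceholders(name, files, vars);
    if (missing.length > 0) report[name] = missing;
  }
  return report;
}

const expectedVars = ["RULES_AVOID", "RULES_FOCUS"];
const before = lintTemplates(templates, expectedVars);
// Same files with the two-line change from the proposed fix applied to the shared partial.
const fixedFiles = { ...templates,
  "shared/_rules.txt": "Rules to Avoid:\n{{RULES_AVOID}}\n\nRules to Focus:\n{{RULES_FOCUS}}\n" };
const after = lintTemplates(fixedFiles, expectedVars);
console.log("before fix:", before, "after fix:", after);
```

Run as a CI step over the real prompt directory, a non-empty report would flag any agent whose configured rules never reach its prompt.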