Leaflet
Pentest notes and engagement workspace with host tracking, findings, CVSS, credentials, and attack-chain documentation.
Leaflet is a self-hosted markdown note-taking app originally created to capture notes from the HackTheBox CPTS course, but later on expanded to support general note-taking and pentest/CTF workflows. Inspired by Obsidian and Cherry Tree, it keeps notes as plain .md files on disk while adding pentest and CTF workflow tools such as a host tracker, credential vault, flag tracker, attack chain visualizer, methodology checklist, operation log, findings tracker, network topology, and CVSS calculator. Leaflet supports both general and pentest workspaces, combining a rich Milkdown WYSIWYG editor, CodeMirror source mode, LaTeX math, wiki links, backlinks, graph visualization, exports, and Git-based sync with no cloud lock-in.
Tech Stack
Framework
- SvelteKit 5 Full-stack application framework using adapter-node
Language
- TypeScript Strict-mode TypeScript across the application
Styling
- Tailwind CSS v4 Utility-first styling for the interface
Editor
- Milkdown Rich WYSIWYG Markdown editor via @milkdown/crepe
- CodeMirror 6 Source mode editor through svelte-codemirror-editor
- KaTeX LaTeX math rendering for inline and block equations
Database
- SQLite Local database storage through better-sqlite3
- Drizzle ORM Synchronous better-sqlite3 dialect for type-safe data access
Frontend
- Lucide Icon system via @lucide/svelte
Tooling
- pnpm Package manager for the project workspace
Runtime
- Node.js 22 LTS Runtime target for the self-hosted application
Metrics
Case Study
The Problem
CPTS, CTF, and penetration testing notes need fast writing, durable structure, and engagement-specific tracking, but many note tools either hide data behind proprietary formats or require cloud sync.
The Solution
Leaflet keeps every note as a portable Markdown file while layering a polished editor, workspace isolation, Git sync, and pentest-only tools that activate when a workspace is marked as CTF-related.
The Results
The finished app supports everyday notes as well as security engagements, with rich editing, source mode, search, backlinks, note graph visualization, images, exports, templates, and dedicated pentest trackers.
The Outcome
Leaflet also became a reference project for agent orchestration and open-source project structure, including an agent AI engineering pipeline with structured outputs, context-passing protocols, and skills-based code generation.
Timeline
Initial Build
Created Leaflet to capture HackTheBox CPTS notes in a self-hosted Markdown-first workflow.
Rich Markdown Workspace
Added Milkdown WYSIWYG editing, CodeMirror source mode, math rendering, syntax-highlighted code blocks, wiki links, backlinks, graph visualization, image handling, and export flows.
Engagement Tooling
Added pentest workspaces with host tracking, credential storage, flag tracking, attack chain visualization, command snippets, findings, operation logs, topology, CVSS scoring, and the optional CPTS methodology checklist.
Git-Based Sync
Implemented one-click push and pull, a persistent recommendation-driven sync badge, stale and error states, and refreshes on load, focus, and sync actions.
Finished Project
Completed Leaflet as a self-hosted general and pentest note-taking app with optional AI assistance and agent-orchestration reference structure.