fix: resolve 'spawn node ENOENT' when SDK spawns claude CLI#138
Closed
nitayStain wants to merge 132 commits intoKeygraphHQ:mainfrom
Closed
fix: resolve 'spawn node ENOENT' when SDK spawns claude CLI#138nitayStain wants to merge 132 commits intoKeygraphHQ:mainfrom
nitayStain wants to merge 132 commits intoKeygraphHQ:mainfrom
Conversation
fixes
Simplified
typo
italics
assets
Updated Discord invite links in README.md to use a permanent invite link that will not expire. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
chore: added logging
…he actual content
Simplified deliverable management by removing automatic copying to ~/Documents/pentest-deliverables/. All deliverables now remain only in <target-repo>/deliverables/, eliminating file duplication and improving UX. Changes: - Removed savePermanentDeliverables() function from src/setup/deliverables.js - Removed function call and related console output from shannon.mjs - Removed unused 'os' import from deliverables.js 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Remove unnecessary screenshot storage to reduce file I/O and disk usage: - Removed screenshot directory creation - Removed --output-dir flag from Playwright MCP setup - Agents can still take screenshots, but they won't persist to disk Screenshots were not being used by any part of Shannon for analysis or reporting, making their storage unnecessary overhead. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
…healing
## Unified Audit System (v3.0)
- Implemented crash-safe, append-only logging to audit-logs/{hostname}_{sessionId}/
- Added session.json with comprehensive metrics (timing, cost, attempts)
- Agent execution logs with turn-by-turn detail
- Prompt snapshots saved to audit-logs/.../prompts/{agent}.md
- SessionMutex prevents race conditions during parallel execution
- Self-healing reconciliation before every CLI command
## Session Metadata Standardization
- Fixed critical bug: standardized on 'id' field (not 'sessionId') throughout codebase
- Updated: shannon.mjs (recon, report), src/phases/pre-recon.js
- Added validation in AuditSession to fail fast on incorrect field usage
- JavaScript shorthand syntax was causing wrong field names
## Schema Improvements
- session.json: Added cost_usd per phase, removed redundant final_cost_usd
- Renamed 'percentage' -> 'duration_percentage' for clarity
- Simplified agent metrics to single total_cost_usd field
- Removed unused validation object from schema
## Legacy System Removal
- Removed savePromptSnapshot() - prompts now only saved by audit system
- Removed target repo pollution (prompt-snapshots/ no longer created)
- Single source of truth: audit-logs/{hostname}_{sessionId}/prompts/
## Export Script Simplification
- Removed JSON export mode (session.json already exists)
- CSV-only export with clean columns: agent, phase, status, attempts, duration_ms, cost_usd
- Tested on real session data
## Documentation
- Updated CLAUDE.md with audit system architecture
- Added .gitignore entry for audit-logs/
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Reasoning: - Shannon is a local CLI tool with direct filesystem access - Manual file editing (JSON, rm -rf) is simpler than reconciliation script - Automatic reconciliation runs before every command (built-in) - If auto-reconciliation has bugs, fix the code, don't create workarounds - Over-engineered for a local development tool For recovery: Just delete .shannon-store.json or edit JSON files directly 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
- Added comprehensive header comment explaining use case - Documents data source (session.json from audit-logs) - CSV output format and use cases clearly described - Includes usage examples and note about raw data access - Removes need for separate docs/ folder in repo Docs were design artifacts, not needed in open source repo. All relevant documentation now lives in code comments. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Reasoning:
- Pollutes target repo with run-metadata.json
- Redundant with audit system (session.json has all metadata)
- Less useful than comprehensive audit logs
- Target repos should stay clean - only deliverables belong there
All debugging info now lives in audit-logs/{hostname}_{sessionId}/session.json
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
ROOT CAUSE: - Exploitation phase checked session.validationResults to determine eligibility - validationResults field was removed during audit system refactor - Field never existed in session schema, so all exploits were skipped THE FIX: - Exploitation phase now validates queue files directly when checking eligibility - Reads exploitation_queue.json and checks if vulnerabilities array is non-empty - No need to store validation results - just re-validate on demand CHANGES: 1. runParallelExploit() now calls safeValidateQueueAndDeliverable() directly 2. Removed validationResults parameter from markAgentCompleted() 3. Simplified calculateVulnerabilityAnalysisSummary() - no longer needs validation data 4. Simplified calculateExploitationSummary() - no longer needs validation data IMPACT: - Exploitation agents will now run when vulnerabilities are found - Queue files are the single source of truth for eligibility - Simpler architecture - no duplicate state storage 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
…c-ai/claude-agent-sdk Anthropic rebranded the SDK in 2025 from "Claude Code SDK" to "Claude Agent SDK". Updated all references across package.json, Dockerfile, and documentation to use the current @anthropic-ai/claude-agent-sdk package. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Remove unused files and exports to improve codebase maintainability: Phase 1 - Deleted files (5): - login_resources/generate-totp-standalone.mjs (replaced by MCP tool) - mcp-server/src/tools/index.js (unused barrel export) - mcp-server/src/utils/index.js (unused barrel export) - mcp-server/src/validation/index.js (unused barrel export) - src/agent-status.js (deprecated 309-line status manager) Phase 2 - Removed unused exports (3): - mcp-server/src/index.js: shannonHelperServer constant - mcp-server/src/utils/error-formatter.js: createFileSystemError function - src/utils/git-manager.js: cleanWorkspace (now internal-only) Phase 3 - Unexported internal functions (4): - src/checkpoint-manager.js: runSingleAgent, runAgentRange, runParallelVuln, runParallelExploit (internal use only) All Shannon CLI commands tested and verified working. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
…ontainer user The container runs as non-root user 'pentest' (UID 1001), but bind-mounted directories are owned by the host user. Added chmod 777 after mkdir to ensure the container can write to these directories.
…ssion-issue fix: create audit-logs directory before container startup
feat: add multi-model router support for OpenAI and OpenRouter
Update README.md
Update README.md
* feat: update splash screen screenshot with new branding * docs: add Trendshift badge to README
…aphHQ#107) * feat: use static repos/ folder mount instead of dynamic TARGET_REPO Replace dynamic per-run TARGET_REPO bind mount with a static ./repos:/repos mount. Users place target repositories under ./repos/ and reference them by folder name. This fixes stale mounts when switching targets and enables running multiple scans concurrently against different repos. * feat: mount configs directory into worker container * docs: add instructions for repos and configs directory setup
…ution (KeygraphHQ#108) * fix: extend heartbeat timeout to prevent stalls during sub-agent execution * feat: add /pr command for creating pull requests with conventional commits
…graphHQ#116) Pre-create the deliverables directory with proper permissions on the host before starting containers, and surface permission errors instead of silently swallowing them in save_deliverable.
…eygraphHQ#113) * feat: upgrade claude-agent-sdk to 0.2.38 and adapt to new SDK types - Bump @anthropic-ai/claude-agent-sdk from 0.1.x to 0.2.38 (both root and mcp-server) - Bump zod from 3.x to 4.x (SDK peer dependency) - Add allowDangerouslySkipPermissions to query options (required for bypassPermissions) - Suppress new SDK message types (tool_progress, tool_use_summary, auth_status) - Use structured error field on assistant messages instead of text-sniffing - Add stop_reason to result message handling for diagnostics - Add SDKAssistantMessageError type matching SDK's string literal union * chore: remove CLAUDE_CODE_MAX_OUTPUT_TOKENS from all config and docs
KeygraphHQ#112) Deliverables saved by agents were never committed to git because git identity was not configured in the Docker container. This left them as untracked files, which git clean -fd destroyed whenever another agent's retry triggered a workspace rollback. Moves git config after ENV HOME=/tmp so the config is written to /tmp/.gitconfig where git actually looks at runtime.
…phHQ#117) Podman doesn't support the `host-gateway` special value in extra_hosts, which causes container startup failures on macOS with Podman Desktop. Changes: - Add docker-compose.docker.yml with extra_hosts override for Docker - Update shannon script to detect Podman via `command -v podman` - Skip extra_hosts override when Podman is detected This ensures: - Docker users (Linux): Get host.docker.internal working automatically - Podman users (macOS): Base config works without modification Co-authored-by: ajmallesh <ajmallesh@gmail.com>
Replace markdown-based issue templates with YAML issue forms for structured input with dropdowns, checkboxes, and required fields.
…eygraphHQ#123) * fix: add file_path parameter to save_deliverable for large reports Large deliverable reports can exceed output token limits when passed as inline content. This change allows agents to write reports to disk first and pass a file_path instead. Changes: - Add file_path parameter to save_deliverable MCP tool with path traversal protection - Pass CLAUDE_CODE_MAX_OUTPUT_TOKENS env var to SDK subprocesses - Fix false positive error detection by extracting only text content (not tool_use JSON) when checking for API errors - Update all prompts to instruct agents to use file_path for large reports and stop immediately after completion * docs: simplify and condense CLAUDE.md Reduce verbosity while preserving all essential information for AI assistance. Makes the documentation more scannable and focused. * feat: add issue number detection to pr command The /pr command now automatically detects issue numbers from: 1. Explicit arguments (e.g., /pr 123 or /pr 123,456) 2. Branch name patterns (e.g., fix/123-bug, issue-456-feature) Adds "Closes #X" lines to PR body to auto-close issues on merge. * chore: remove CLAUDE_CODE_MAX_OUTPUT_TOKENS env var handling No longer needed with the new Claude Agent SDK version. * fix: restore max_output_tokens error handling
- Replace single-call "Write to deliverables/" pattern with multi-step Write + Edit chunked writing across all 12 agent prompts - Standardize section name to "CHUNKED WRITING (MANDATORY)" for vuln, exploit, pre-recon, and recon agents - Prevents agents from hitting 32K output token limit when generating large analysis reports and exploitation evidence
Re-add the env var that was removed during SDK upgrade. Needed for controlling output token limits in SDK subprocesses.
…le-handling-v2 fix: improve large deliverable handling and audit trail
Two issues prevented the Claude Agent SDK from spawning the claude process inside the Docker container: 1. The claude CLI was not installed in the container. Added 'npm install -g @anthropic-ai/claude-code' to the Dockerfile. 2. The SDK's env option received only ANTHROPIC_API_KEY and CLAUDE_CODE_MAX_OUTPUT_TOKENS, stripping PATH and all other system environment variables. The spawned claude process (a #!/usr/bin/env node script) could not locate the node binary. Fixed by spreading process.env into sdkEnv so PATH and other required vars are inherited. Amp-Thread-ID: https://ampcode.com/threads/T-019c60b1-a01e-706b-b9d0-57c573dca354 Co-authored-by: Amp <amp@ampcode.com>
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Collaborator
|
This PR was closed due to a maintenance operation on the main branch. The functionality proposed here has since been implemented. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The Claude Agent SDK fails with
spawn node ENOENTwhen attempting to run any agent inside the Docker container.Root Cause
Two issues:
Missing CLI: The
claudeCLI (@anthropic-ai/claude-code) was not installed in the Docker image. The SDK'squery()function spawns it as a subprocess.Stripped PATH: The
envoption passed to the SDK contained onlyANTHROPIC_API_KEYandCLAUDE_CODE_MAX_OUTPUT_TOKENS. The SDK uses this as the complete environment for the spawned process, soPATHwas missing and theclaudescript (#!/usr/bin/env node) couldn't locatenode.Fix
npm install -g @anthropic-ai/claude-codeto install the CLI.process.envintosdkEnvsoPATHand other system variables are inherited by the spawned process.