support a proxy and set model as variables#144
Closed
superpoussin22 wants to merge 145 commits intoKeygraphHQ:mainfrom
Closed
support a proxy and set model as variables#144superpoussin22 wants to merge 145 commits intoKeygraphHQ:mainfrom
superpoussin22 wants to merge 145 commits intoKeygraphHQ:mainfrom
Conversation
fixes
Simplified
typo
italics
assets
Updated Discord invite links in README.md to use a permanent invite link that will not expire. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
chore: added logging
…he actual content
Simplified deliverable management by removing automatic copying to ~/Documents/pentest-deliverables/. All deliverables now remain only in <target-repo>/deliverables/, eliminating file duplication and improving UX. Changes: - Removed savePermanentDeliverables() function from src/setup/deliverables.js - Removed function call and related console output from shannon.mjs - Removed unused 'os' import from deliverables.js 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Remove unnecessary screenshot storage to reduce file I/O and disk usage: - Removed screenshot directory creation - Removed --output-dir flag from Playwright MCP setup - Agents can still take screenshots, but they won't persist to disk Screenshots were not being used by any part of Shannon for analysis or reporting, making their storage unnecessary overhead. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
…healing
## Unified Audit System (v3.0)
- Implemented crash-safe, append-only logging to audit-logs/{hostname}_{sessionId}/
- Added session.json with comprehensive metrics (timing, cost, attempts)
- Agent execution logs with turn-by-turn detail
- Prompt snapshots saved to audit-logs/.../prompts/{agent}.md
- SessionMutex prevents race conditions during parallel execution
- Self-healing reconciliation before every CLI command
## Session Metadata Standardization
- Fixed critical bug: standardized on 'id' field (not 'sessionId') throughout codebase
- Updated: shannon.mjs (recon, report), src/phases/pre-recon.js
- Added validation in AuditSession to fail fast on incorrect field usage
- JavaScript shorthand syntax was causing wrong field names
## Schema Improvements
- session.json: Added cost_usd per phase, removed redundant final_cost_usd
- Renamed 'percentage' -> 'duration_percentage' for clarity
- Simplified agent metrics to single total_cost_usd field
- Removed unused validation object from schema
## Legacy System Removal
- Removed savePromptSnapshot() - prompts now only saved by audit system
- Removed target repo pollution (prompt-snapshots/ no longer created)
- Single source of truth: audit-logs/{hostname}_{sessionId}/prompts/
## Export Script Simplification
- Removed JSON export mode (session.json already exists)
- CSV-only export with clean columns: agent, phase, status, attempts, duration_ms, cost_usd
- Tested on real session data
## Documentation
- Updated CLAUDE.md with audit system architecture
- Added .gitignore entry for audit-logs/
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Reasoning: - Shannon is a local CLI tool with direct filesystem access - Manual file editing (JSON, rm -rf) is simpler than reconciliation script - Automatic reconciliation runs before every command (built-in) - If auto-reconciliation has bugs, fix the code, don't create workarounds - Over-engineered for a local development tool For recovery: Just delete .shannon-store.json or edit JSON files directly 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
- Added comprehensive header comment explaining use case - Documents data source (session.json from audit-logs) - CSV output format and use cases clearly described - Includes usage examples and note about raw data access - Removes need for separate docs/ folder in repo Docs were design artifacts, not needed in open source repo. All relevant documentation now lives in code comments. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Reasoning:
- Pollutes target repo with run-metadata.json
- Redundant with audit system (session.json has all metadata)
- Less useful than comprehensive audit logs
- Target repos should stay clean - only deliverables belong there
All debugging info now lives in audit-logs/{hostname}_{sessionId}/session.json
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
ROOT CAUSE: - Exploitation phase checked session.validationResults to determine eligibility - validationResults field was removed during audit system refactor - Field never existed in session schema, so all exploits were skipped THE FIX: - Exploitation phase now validates queue files directly when checking eligibility - Reads exploitation_queue.json and checks if vulnerabilities array is non-empty - No need to store validation results - just re-validate on demand CHANGES: 1. runParallelExploit() now calls safeValidateQueueAndDeliverable() directly 2. Removed validationResults parameter from markAgentCompleted() 3. Simplified calculateVulnerabilityAnalysisSummary() - no longer needs validation data 4. Simplified calculateExploitationSummary() - no longer needs validation data IMPACT: - Exploitation agents will now run when vulnerabilities are found - Queue files are the single source of truth for eligibility - Simpler architecture - no duplicate state storage 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
…c-ai/claude-agent-sdk Anthropic rebranded the SDK in 2025 from "Claude Code SDK" to "Claude Agent SDK". Updated all references across package.json, Dockerfile, and documentation to use the current @anthropic-ai/claude-agent-sdk package. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Remove unused files and exports to improve codebase maintainability: Phase 1 - Deleted files (5): - login_resources/generate-totp-standalone.mjs (replaced by MCP tool) - mcp-server/src/tools/index.js (unused barrel export) - mcp-server/src/utils/index.js (unused barrel export) - mcp-server/src/validation/index.js (unused barrel export) - src/agent-status.js (deprecated 309-line status manager) Phase 2 - Removed unused exports (3): - mcp-server/src/index.js: shannonHelperServer constant - mcp-server/src/utils/error-formatter.js: createFileSystemError function - src/utils/git-manager.js: cleanWorkspace (now internal-only) Phase 3 - Unexported internal functions (4): - src/checkpoint-manager.js: runSingleAgent, runAgentRange, runParallelVuln, runParallelExploit (internal use only) All Shannon CLI commands tested and verified working. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
…graphHQ#116) Pre-create the deliverables directory with proper permissions on the host before starting containers, and surface permission errors instead of silently swallowing them in save_deliverable.
…eygraphHQ#113) * feat: upgrade claude-agent-sdk to 0.2.38 and adapt to new SDK types - Bump @anthropic-ai/claude-agent-sdk from 0.1.x to 0.2.38 (both root and mcp-server) - Bump zod from 3.x to 4.x (SDK peer dependency) - Add allowDangerouslySkipPermissions to query options (required for bypassPermissions) - Suppress new SDK message types (tool_progress, tool_use_summary, auth_status) - Use structured error field on assistant messages instead of text-sniffing - Add stop_reason to result message handling for diagnostics - Add SDKAssistantMessageError type matching SDK's string literal union * chore: remove CLAUDE_CODE_MAX_OUTPUT_TOKENS from all config and docs
KeygraphHQ#112) Deliverables saved by agents were never committed to git because git identity was not configured in the Docker container. This left them as untracked files, which git clean -fd destroyed whenever another agent's retry triggered a workspace rollback. Moves git config after ENV HOME=/tmp so the config is written to /tmp/.gitconfig where git actually looks at runtime.
…phHQ#117) Podman doesn't support the `host-gateway` special value in extra_hosts, which causes container startup failures on macOS with Podman Desktop. Changes: - Add docker-compose.docker.yml with extra_hosts override for Docker - Update shannon script to detect Podman via `command -v podman` - Skip extra_hosts override when Podman is detected This ensures: - Docker users (Linux): Get host.docker.internal working automatically - Podman users (macOS): Base config works without modification Co-authored-by: ajmallesh <ajmallesh@gmail.com>
Replace markdown-based issue templates with YAML issue forms for structured input with dropdowns, checkboxes, and required fields.
…eygraphHQ#123) * fix: add file_path parameter to save_deliverable for large reports Large deliverable reports can exceed output token limits when passed as inline content. This change allows agents to write reports to disk first and pass a file_path instead. Changes: - Add file_path parameter to save_deliverable MCP tool with path traversal protection - Pass CLAUDE_CODE_MAX_OUTPUT_TOKENS env var to SDK subprocesses - Fix false positive error detection by extracting only text content (not tool_use JSON) when checking for API errors - Update all prompts to instruct agents to use file_path for large reports and stop immediately after completion * docs: simplify and condense CLAUDE.md Reduce verbosity while preserving all essential information for AI assistance. Makes the documentation more scannable and focused. * feat: add issue number detection to pr command The /pr command now automatically detects issue numbers from: 1. Explicit arguments (e.g., /pr 123 or /pr 123,456) 2. Branch name patterns (e.g., fix/123-bug, issue-456-feature) Adds "Closes #X" lines to PR body to auto-close issues on merge. * chore: remove CLAUDE_CODE_MAX_OUTPUT_TOKENS env var handling No longer needed with the new Claude Agent SDK version. * fix: restore max_output_tokens error handling
- Replace single-call "Write to deliverables/" pattern with multi-step Write + Edit chunked writing across all 12 agent prompts - Standardize section name to "CHUNKED WRITING (MANDATORY)" for vuln, exploit, pre-recon, and recon agents - Prevents agents from hitting 32K output token limit when generating large analysis reports and exploitation evidence
Re-add the env var that was removed during SDK upgrade. Needed for controlling output token limits in SDK subprocesses.
…le-handling-v2 fix: improve large deliverable handling and audit trail
When a workflow is interrupted (VM crash, Ctrl+C, Docker restart), it can now be resumed by passing the workspace name. The system reads session.json to determine which agents completed, validates deliverables exist on disk, restores the git checkpoint, and skips already-completed agents. - Add --workspace CLI flag and auto-terminate conflicting workflows - Add loadResumeState, restoreGitCheckpoint, recordResumeAttempt activities - Add skip logic for all 5 pipeline phases including parallel execution - Separate sessionId (persistent directory) from workflowId (execution ID) - Track resume attempts in session.json for audit trail - Derive AgentName type from ALL_AGENTS array to eliminate duplication - Add getDeliverablePath mapping for deliverable validation
Support WORKSPACE=<name> flag for friendly workspace names that auto-resume if they exist or create a new named workspace otherwise. Add ./shannon workspaces command to list all workspaces with status, duration, and cost.
…ort from agents.ts logPhaseTransition was the first activity to create session.json but didn't pass workflowId, so originalWorkflowId was never set. This caused terminateExistingWorkflows to look up the workspace name instead of the actual workflow ID during resume. Also remove path import from types/agents.ts to fix Temporal workflow bundle determinism error.
logWorkflowComplete wrote to workflow.log but never called updateSessionStatus, leaving all workspaces stuck as "in-progress" in session.json. Also derive audit path for model injection instead of requiring explicit outputPath.
…per-agent Moves the copyDeliverablesToAudit call from runAgentActivity (called after every agent) to logWorkflowComplete (called once at workflow end). This prevents intermediate agent runs from copying incomplete or rogue deliverables into the audit trail.
- Swap commitGitSuccess/getGitCommitHash order so checkpoint in session.json points to the success commit (which contains deliverables) instead of the pre-agent marker commit - Simplify restoreGitCheckpoint: git reset --hard now naturally preserves completed agent deliverables, removing the in-memory backup/restore - Show cumulative cost/duration in workflow.log from session.json - Fill in per-agent metrics for skipped agents in workflow.log breakdown - Display cumulative cost in client output for resume runs
Strip _resume_* suffix to find the original workspace log file when tailing logs for a resumed workflow.
- Prevent MSYS from converting Unix container paths on Windows - Install @anthropic-ai/claude-code globally in the Docker image - Add Windows platform instructions to README
Strip _shannon-* suffix from workflow IDs so logs command finds audit-logs stored under the workspace name.
…-and-claude-cli feat: add MSYS path fix, Claude Code CLI, and Windows instructions
- Early exit when all agents already completed instead of running empty workflow - Descriptive error when deliverables missing from disk despite session.json success - Quote $WORKSPACE in shannon CLI to prevent word splitting
Query functionality is redundant with the Temporal Web UI at http://localhost:8233. Removes query.ts, CLI handler, npm script, and all documentation references.
feat: add named workspaces with resume support
|
+1 for this PR — the configurable Reviewed the diff: the changes in Would love to see this merged so we can benchmark Sonnet 4.6 against our existing QA baselines. |
Collaborator
|
This PR was closed due to a maintenance operation on the main branch. The functionality proposed here has since been implemented. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
also correct shannon for docker build