Closed
Conversation
fixes
Simplified
typo
italics
assets
Updated Discord invite links in README.md to use a permanent invite link that will not expire. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
chore: added logging
…he actual content
Simplified deliverable management by removing automatic copying to ~/Documents/pentest-deliverables/. All deliverables now remain only in <target-repo>/deliverables/, eliminating file duplication and improving UX. Changes: - Removed savePermanentDeliverables() function from src/setup/deliverables.js - Removed function call and related console output from shannon.mjs - Removed unused 'os' import from deliverables.js 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Remove unnecessary screenshot storage to reduce file I/O and disk usage: - Removed screenshot directory creation - Removed --output-dir flag from Playwright MCP setup - Agents can still take screenshots, but they won't persist to disk Screenshots were not being used by any part of Shannon for analysis or reporting, making their storage unnecessary overhead. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
…healing
## Unified Audit System (v3.0)
- Implemented crash-safe, append-only logging to audit-logs/{hostname}_{sessionId}/
- Added session.json with comprehensive metrics (timing, cost, attempts)
- Agent execution logs with turn-by-turn detail
- Prompt snapshots saved to audit-logs/.../prompts/{agent}.md
- SessionMutex prevents race conditions during parallel execution
- Self-healing reconciliation before every CLI command
## Session Metadata Standardization
- Fixed critical bug: standardized on 'id' field (not 'sessionId') throughout codebase
- Updated: shannon.mjs (recon, report), src/phases/pre-recon.js
- Added validation in AuditSession to fail fast on incorrect field usage
- JavaScript shorthand syntax was causing wrong field names
## Schema Improvements
- session.json: Added cost_usd per phase, removed redundant final_cost_usd
- Renamed 'percentage' -> 'duration_percentage' for clarity
- Simplified agent metrics to single total_cost_usd field
- Removed unused validation object from schema
## Legacy System Removal
- Removed savePromptSnapshot() - prompts now only saved by audit system
- Removed target repo pollution (prompt-snapshots/ no longer created)
- Single source of truth: audit-logs/{hostname}_{sessionId}/prompts/
## Export Script Simplification
- Removed JSON export mode (session.json already exists)
- CSV-only export with clean columns: agent, phase, status, attempts, duration_ms, cost_usd
- Tested on real session data
## Documentation
- Updated CLAUDE.md with audit system architecture
- Added .gitignore entry for audit-logs/
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Reasoning: - Shannon is a local CLI tool with direct filesystem access - Manual file editing (JSON, rm -rf) is simpler than reconciliation script - Automatic reconciliation runs before every command (built-in) - If auto-reconciliation has bugs, fix the code, don't create workarounds - Over-engineered for a local development tool For recovery: Just delete .shannon-store.json or edit JSON files directly 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
- Added comprehensive header comment explaining use case - Documents data source (session.json from audit-logs) - CSV output format and use cases clearly described - Includes usage examples and note about raw data access - Removes need for separate docs/ folder in repo Docs were design artifacts, not needed in open source repo. All relevant documentation now lives in code comments. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Reasoning:
- Pollutes target repo with run-metadata.json
- Redundant with audit system (session.json has all metadata)
- Less useful than comprehensive audit logs
- Target repos should stay clean - only deliverables belong there
All debugging info now lives in audit-logs/{hostname}_{sessionId}/session.json
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
ROOT CAUSE: - Exploitation phase checked session.validationResults to determine eligibility - validationResults field was removed during audit system refactor - Field never existed in session schema, so all exploits were skipped THE FIX: - Exploitation phase now validates queue files directly when checking eligibility - Reads exploitation_queue.json and checks if vulnerabilities array is non-empty - No need to store validation results - just re-validate on demand CHANGES: 1. runParallelExploit() now calls safeValidateQueueAndDeliverable() directly 2. Removed validationResults parameter from markAgentCompleted() 3. Simplified calculateVulnerabilityAnalysisSummary() - no longer needs validation data 4. Simplified calculateExploitationSummary() - no longer needs validation data IMPACT: - Exploitation agents will now run when vulnerabilities are found - Queue files are the single source of truth for eligibility - Simpler architecture - no duplicate state storage 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
…c-ai/claude-agent-sdk Anthropic rebranded the SDK in 2025 from "Claude Code SDK" to "Claude Agent SDK". Updated all references across package.json, Dockerfile, and documentation to use the current @anthropic-ai/claude-agent-sdk package. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Remove unused files and exports to improve codebase maintainability: Phase 1 - Deleted files (5): - login_resources/generate-totp-standalone.mjs (replaced by MCP tool) - mcp-server/src/tools/index.js (unused barrel export) - mcp-server/src/utils/index.js (unused barrel export) - mcp-server/src/validation/index.js (unused barrel export) - src/agent-status.js (deprecated 309-line status manager) Phase 2 - Removed unused exports (3): - mcp-server/src/index.js: shannonHelperServer constant - mcp-server/src/utils/error-formatter.js: createFileSystemError function - src/utils/git-manager.js: cleanWorkspace (now internal-only) Phase 3 - Unexported internal functions (4): - src/checkpoint-manager.js: runSingleAgent, runAgentRange, runParallelVuln, runParallelExploit (internal use only) All Shannon CLI commands tested and verified working. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
- Move error-handling, git-manager, prompt-manager, queue-validation, and reporting into src/services/ - Delete src/constants.ts — relocate AGENT_VALIDATORS and MCP_AGENT_MAPPING into session-manager.ts alongside agent definitions - Delete src/utils/output-formatter.ts — absorb filterJsonToolCalls and getAgentPrefix into ai/output-formatters.ts - Extract ActivityLogger interface into src/types/activity-logger.ts to break temporal/ → services circular dependency - Consolidate VulnType, ExploitationDecision into types/agents.ts and SessionMetadata into types/audit.ts - Remove dead timingResults/costResults globals from utils/metrics.ts and all consumers
- Remove empty section markers (// === ... ===, // --- ... ---) that duplicate JSDoc or function names - Remove "what" comments that restate the next line of code (e.g. // Save to disk, // Check for retryable patterns) - Remove file-level descriptions that restate the filename (e.g. // Pure functions for formatting console output) - Fix "Added by client" comment referencing implementation history → "Used for audit correlation" - Preserve all WHY comments: error classification groups, billing/session limit explanations, ESM interop, exactOptionalPropertyTypes, mutex reasoning
…nd agent-execution - client.ts: extract parseCliArgs, resolveWorkspace, buildPipelineInput, display helpers, waitForWorkflowResult from startPipeline - workflows.ts: extract runSequentialPhase, buildPipelineConfigs, aggregatePipelineResults to reduce workflow body - agent-execution.ts: add failAgent private method to deduplicate rollback+audit+error pattern in steps 6-8
- Add // N. Description steps to temporal layer (client, activities, workflows) - Add steps to AI layer (claude-executor: runClaudePrompt, buildMcpServers) - Add steps to services layer (prompt-manager, config-parser, git-manager) - Add steps to audit layer (metrics-tracker, audit-session) - Update CLAUDE.md comment guidelines with clearer numbered-step vs section-divider guidance
docs: add WSL2 setup guide for Windows users
refactor: decompose activities into services layer with structured error handling
- Add preflight activity that validates repo path, config, and credentials before agent execution - Add formatWorkflowError() with pipe-delimited segments for multi-line log rendering - Add remediation hints for common failures (auth, billing, config errors) - Add REPO_NOT_FOUND, AUTH_FAILED, BILLING_ERROR codes with error classification - Add formatErrorBlock() in WorkflowLogger for indented error display
…orkflow-errors.ts
Replaces validateApiKey and validateOAuthToken (direct fetch calls) with a single SDK-based query using claude-haiku-4-5-20251001. Uses SDKAssistantMessageError types for structured error classification and returns human-readable error messages for each failure case.
…ation feat: add preflight validation phase with structured error reporting
ANTHROPIC_BASE_URL and ANTHROPIC_AUTH_TOKEN were not forwarded to the SDK subprocess environment, causing router mode to fail with "Authentication failed: Invalid API key" as the subprocess hit Anthropic directly with the placeholder key.
…through fix: pass router env vars to SDK subprocess
…-banner chore: update README banner image
…aphHQ#157) - Add `pipeline` config section with `retry_preset` and `max_concurrent_pipelines` options - Add `subscription` retry preset with extended 6h max interval for Anthropic rate limit windows - Replace Promise.allSettled with concurrency-limited runner for vuln/exploit pipelines - Wire pipeline config through client, shared types, and workflow activity proxy selection
feat: add configurable pipeline retry and concurrency settings
Adds OpenClaw skill integration for Shannon, enabling: - Natural chat commands to trigger pentests - Real-time progress monitoring - Result summaries delivered to chat - Cron-based automated scanning schedules - Workspace management and resumption The integration includes: - SKILL.md: Documentation for OpenClaw agents - shannon-helper.sh: Helper script wrapping Shannon CLI - README.md: Setup and usage guide This allows users to control Shannon entirely through chat commands and schedule automated security scans. Related: OpenClaw integration for AI-assisted pentesting
Documents the new OpenClaw integration feature that enables chat-based control and automation of Shannon pentests.
Adds Z.AI as a new provider in router mode, enabling Shannon to use GLM-5 and GLM-4.7 models via the Z.AI API. Changes: - router-config.json: Add Z.AI provider with glm-5 and glm-4.7 - docker-compose.yml: Add ZAI_API_KEY environment variable - .env.example: Document Z.AI API key usage - README.md: Add Z.AI to experimental models table - shannon script: Update API key checks to include ZAI_API_KEY - openclaw/SKILL.md: Update requirements to mention Z.AI Usage: ZAI_API_KEY=your-key ROUTER_DEFAULT=zai,glm-5 ./shannon start URL=https://example.com REPO=repo-name ROUTER=true Note: Router mode remains experimental and unsupported.
Validates that all Z.AI router integration components are properly configured and documented.
Tests Z.AI API key functionality independently of Shannon. Note: API key is valid but account needs balance.
Documents current integration status, testing results, known issues, and next steps for Z.AI support.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds OpenClaw skill integration to Shannon, enabling chat-based control and automation of pentest workflows.
Features
OpenClaw Skill: Natural language commands to trigger, monitor, and schedule pentests
Helper Script:
shannon-helper.shfor programmatic Shannon controlDocumentation: Complete setup guide and usage examples
Z.AI Router Support: Add GLM models (glm-5, glm-4.7) as router provider
Files Added/Modified
openclaw/SKILL.md- Main skill documentationopenclaw/shannon-helper.sh- Helper CLI wrapperopenclaw/README.md- Setup and usage guideconfigs/router-config.json- Added Z.AI providerdocker-compose.yml- Added ZAI_API_KEY supportREADME.md- Updated with OpenClaw and Z.AI sections.env.example- Documented Z.AI usageshannon- Updated API key checks for Z.AItest-zai.sh- Integration validation scripttest-zai-api.sh- API key validation scriptTesting
Notes
This integration allows users to control Shannon entirely through chat commands and schedule automated security scans.
Related: Add alternative model support via router mode