From 77e300d52a66b77c1510e9495de3cd107bd9705c Mon Sep 17 00:00:00 2001 
From: ezl-keygraph Date: Fri, 3 Apr 2026 23:46:28 +0530 Subject: [PATCH] feat: mount user repo as read-only with writable shannon overlay (#273) * feat: mount user repo as read-only with deliverables bind-mount overlay * feat: add playground and .playwright-cli overlay mounts * feat: add filesystem context to pipeline-testing prompts * fix: use explicit REPO_PATH in filesystem prompt for clarity * fix: update filesystem prompts with playground notes and absolute screenshot paths * feat: namespace writable overlays under .shannon/ to avoid polluting host repo * refactor: rename playground to scratchpad * fix: redirect playwright-cli output to writable .shannon/ overlay * fix: pre-create .shannon/ overlay mount points for Linux compatibility * fix: exclude nested node_modules and dist from Docker build context * fix: enforce LF line endings for shell scripts on Windows --- .dockerignore | 5 +- .gitattributes | 1 + Dockerfile | 2 +- apps/cli/src/commands/start.ts | 20 ++++-- apps/cli/src/docker.ts | 14 ++-- apps/cli/src/paths.ts | 9 --- apps/worker/prompts/exploit-auth.txt | 28 ++++---- apps/worker/prompts/exploit-authz.txt | 28 ++++---- apps/worker/prompts/exploit-injection.txt | 28 ++++---- apps/worker/prompts/exploit-ssrf.txt | 28 ++++---- apps/worker/prompts/exploit-xss.txt | 28 ++++---- .../prompts/pipeline-testing/exploit-auth.txt | 6 +- .../pipeline-testing/exploit-authz.txt | 6 +- .../pipeline-testing/exploit-injection.txt | 6 +- .../prompts/pipeline-testing/exploit-ssrf.txt | 6 +- .../prompts/pipeline-testing/exploit-xss.txt | 6 +- .../pipeline-testing/pre-recon-code.txt | 2 + .../worker/prompts/pipeline-testing/recon.txt | 2 + .../pipeline-testing/report-executive.txt | 4 +- .../pipeline-testing/shared/_filesystem.txt | 4 ++ .../prompts/pipeline-testing/vuln-auth.txt | 2 + .../prompts/pipeline-testing/vuln-authz.txt | 2 + .../pipeline-testing/vuln-injection.txt | 2 + .../prompts/pipeline-testing/vuln-ssrf.txt | 2 + .../prompts/pipeline-testing/vuln-xss.txt | 
2 + apps/worker/prompts/pre-recon-code.txt | 19 +++-- apps/worker/prompts/recon.txt | 17 +++-- apps/worker/prompts/report-executive.txt | 19 +++-- apps/worker/prompts/shared/_target.txt | 7 +- apps/worker/prompts/vuln-auth.txt | 12 ++-- apps/worker/prompts/vuln-authz.txt | 16 ++--- apps/worker/prompts/vuln-injection.txt | 16 ++--- apps/worker/prompts/vuln-ssrf.txt | 14 ++-- apps/worker/prompts/vuln-xss.txt | 16 ++--- apps/worker/src/ai/claude-executor.ts | 3 +- apps/worker/src/audit/utils.ts | 31 --------- apps/worker/src/scripts/save-deliverable.ts | 2 +- apps/worker/src/services/agent-execution.ts | 23 ++++--- apps/worker/src/services/queue-validation.ts | 4 +- apps/worker/src/services/reporting.ts | 6 +- apps/worker/src/session-manager.ts | 8 +-- apps/worker/src/temporal/activities.ts | 69 ++++++++++++------- apps/worker/src/temporal/worker.ts | 3 +- apps/worker/src/temporal/workflows.ts | 3 + entrypoint.sh | 2 +- 45 files changed, 293 insertions(+), 240 deletions(-) create mode 100644 .gitattributes create mode 100644 apps/worker/prompts/pipeline-testing/shared/_filesystem.txt
diff --git a/.dockerignore b/.dockerignore
index 7d18227..b3c87c5 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,5 +1,5 @@
 # Node.js
-node_modules/
+**/node_modules/
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
@@ -49,8 +49,7 @@ Thumbs.db
 # CLI package (runs on host, not in container)
 # Keep apps/cli/package.json so pnpm workspaces resolve
 apps/cli/src/
-apps/cli/dist/
-apps/worker/dist/
+**/dist/
 apps/cli/infra/
 apps/cli/tsconfig.json
 apps/cli/tsdown.config.ts
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..dfdb8b7
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.sh text eol=lf
diff --git a/Dockerfile b/Dockerfile
index bfd7650..c2d7193 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -154,7 +154,7 @@ RUN ln -s /app/apps/worker/dist/scripts/save-deliverable.js /usr/local/bin/save-
 chmod +x /app/apps/worker/dist/scripts/generate-totp.js
 
 # Create directories for session data and ensure proper permissions
-RUN mkdir -p /app/sessions /app/deliverables /app/repos /app/workspaces && \
+RUN mkdir -p /app/sessions /app/repos /app/workspaces && \
 mkdir -p /tmp/.cache /tmp/.config /tmp/.npm && \
 chmod 777 /app && \
 chmod 777 /tmp/.cache && \
diff --git a/apps/cli/src/commands/start.ts b/apps/cli/src/commands/start.ts
index 35e7518..129477e 100644
--- a/apps/cli/src/commands/start.ts
+++ b/apps/cli/src/commands/start.ts
@@ -12,7 +12,7 @@ import { ensureImage, ensureInfra, randomSuffix, spawnWorker } from '../docker.j
 import { buildEnvFlags, isRouterConfigured, loadEnv, validateCredentials } from '../env.js';
 import { getCredentialsPath, getWorkspacesDir, initHome } from '../home.js';
 import { isLocal } from '../mode.js';
-import { ensureDeliverables, resolveConfig, resolveRepo } from '../paths.js';
+import { resolveConfig, resolveRepo } from '../paths.js';
 import { displaySplash } from '../splash.js';
 
 export interface StartArgs {
@@ -42,7 +42,6 @@ export async function start(args: StartArgs): Promise {
 // 3. Resolve paths
 const repo = resolveRepo(args.repo);
 const config = args.config ? resolveConfig(args.config) : undefined;
- ensureDeliverables(repo.hostPath);
 
 // 4. Ensure workspaces dir is writable by container user (UID 1001)
 const workspacesDir = getWorkspacesDir();
@@ -68,7 +67,20 @@ export async function start(args: StartArgs): Promise {
 const workspace = args.workspace ?? `${new URL(args.url).hostname.replace(/[^a-zA-Z0-9-]/g, '-')}_shannon-${Date.now()}`;
 
- // 9. Resolve credentials — mount single file to fixed container path
+ // 9. Create writable overlay directories (mounted over :ro repo paths inside container)
+ const workspacePath = path.join(workspacesDir, workspace);
+ for (const dir of ['deliverables', 'scratchpad', '.playwright-cli']) {
+ const dirPath = path.join(workspacePath, dir);
+ fs.mkdirSync(dirPath, { recursive: true });
+ fs.chmodSync(dirPath, 0o777);
+ }
+
+ // 10. Pre-create overlay mount points (Linux :ro mounts can't auto-create them)
+ const shannonDir = path.join(repo.hostPath, '.shannon');
+ for (const dir of ['deliverables', 'scratchpad', '.playwright-cli']) {
+ fs.mkdirSync(path.join(shannonDir, dir), { recursive: true });
+ }
+
 const credentialsPath = getCredentialsPath();
 const hasCredentials = fs.existsSync(credentialsPath);
@@ -101,7 +113,7 @@ export async function start(args: StartArgs): Promise {
 ...(hasCredentials && { credentials: credentialsPath }),
 ...(promptsDir && { promptsDir }),
 ...(outputDir && { outputDir }),
- ...(workspace && { workspace }),
+ workspace,
 ...(args.pipelineTesting && { pipelineTesting: true }),
 });
 
diff --git a/apps/cli/src/docker.ts b/apps/cli/src/docker.ts
index e28fceb..9080f64 100644
--- a/apps/cli/src/docker.ts
+++ b/apps/cli/src/docker.ts
@@ -194,7 +194,7 @@ export interface WorkerOptions {
 credentials?: string;
 promptsDir?: string;
 outputDir?: string;
- workspace?: string;
+ workspace: string;
 pipelineTesting?: boolean;
 }
 
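Review bot: The literal overlay list `['deliverables', 'scratchpad', '.playwright-cli']` appears twice in this hunk and a third time as hard-coded mount targets in spawnWorker (apps/cli/src/docker.ts, same commit), so editing one copy leaves a mount with no pre-created host directory or no mount point inside the :ro repo. Hoist it once, e.g. `export const OVERLAY_DIRS = ['deliverables', 'scratchpad', '.playwright-cli'] as const;` next to WorkerOptions in docker.ts, and iterate it in both loops here. The second loop writes `.shannon/<dir>` into the user's checkout on the host; if that checkout is not writable, `fs.mkdirSync` throws and, as far as this hunk shows, nothing catches it, so wrapping the call to report which path could not be created would be friendlier than a raw EACCES. `fs.chmodSync(dirPath, 0o777)` makes the overlay directories world-writable rather than writable by the container UID the step-4 comment names; that matches the removed ensureDeliverables, but a one-line comment saying why mode bits rather than ownership are used would save the next reader the question. The body of start() continues outside the hunk.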
@@ -214,7 +214,13 @@ export function spawnWorker(opts: WorkerOptions): ChildProcess {
 
 // Volume mounts
 args.push('-v', `${opts.workspacesDir}:/app/workspaces`);
- args.push('-v', `${opts.repo.hostPath}:${opts.repo.containerPath}`);
+ args.push('-v', `${opts.repo.hostPath}:${opts.repo.containerPath}:ro`);
+
+ // Writable overlays: shadow .shannon/ inside the :ro repo with workspace-backed dirs
+ const workspacePath = path.join(opts.workspacesDir, opts.workspace);
+ args.push('-v', `${path.join(workspacePath, 'deliverables')}:${opts.repo.containerPath}/.shannon/deliverables`);
+ args.push('-v', `${path.join(workspacePath, 'scratchpad')}:${opts.repo.containerPath}/.shannon/scratchpad`);
+ args.push('-v', `${path.join(workspacePath, '.playwright-cli')}:${opts.repo.containerPath}/.shannon/.playwright-cli`);
 
 // Local mode: mount prompts for live editing
 if (opts.promptsDir) {
@@ -253,9 +259,7 @@ export function spawnWorker(opts: WorkerOptions): ChildProcess {
 if (opts.outputDir) {
 args.push('--output', '/app/output');
 }
- if (opts.workspace) {
- args.push('--workspace', opts.workspace);
- }
+ args.push('--workspace', opts.workspace);
 if (opts.pipelineTesting) {
 args.push('--pipeline-testing');
 }
diff --git a/apps/cli/src/paths.ts b/apps/cli/src/paths.ts
index 4386e1b..5ab460a 100644
--- a/apps/cli/src/paths.ts
+++ b/apps/cli/src/paths.ts
@@ -76,12 +76,3 @@ export function resolveConfig(configArg: string): MountPair {
 containerPath: `/app/configs/${basename}`,
 };
 }
-
-/**
- * Ensure the deliverables directory exists and is writable by the container user.
- */
-export function ensureDeliverables(repoHostPath: string): void {
- const deliverables = path.join(repoHostPath, 'deliverables');
- fs.mkdirSync(deliverables, { recursive: true });
- fs.chmodSync(deliverables, 0o777);
-}
diff --git a/apps/worker/prompts/exploit-auth.txt b/apps/worker/prompts/exploit-auth.txt
index e0a5c97..870a674 100644
--- a/apps/worker/prompts/exploit-auth.txt
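Review bot: `opts.workspace` is now required and is joined straight into the bind-mount source paths, but neither this hunk nor the start.ts hunks validate it, so an explicit `--workspace` value containing `..` or a path separator would place the overlay directories and mount sources outside `opts.workspacesDir`. The derived default in start.ts is sanitised by a regex, so this concerns only the user-supplied argument, and it is a local CLI rather than a trust boundary; still, a guard such as `if (path.basename(opts.workspace) !== opts.workspace) throw new Error('workspace must be a single path component');` gives a clearer failure than a Docker mount error. The three `.shannon/...` targets repeat the directory names hard-coded in start.ts; iterating one shared constant and building `${opts.repo.containerPath}/.shannon/${dir}` per entry keeps host-side creation and container-side mounting aligned. The body of spawnWorker continues outside the hunk.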
+++ b/apps/worker/prompts/exploit-auth.txt @@ -106,13 +106,13 @@ If you only confirmed a vulnerability without attempting to weaponize it, you ha -- Your **actionable exploitation queue** is located at `deliverables/auth_exploitation_queue.json`. This is your to-do list, containing the precise targets identified by the analysis phase. You MUST process every vulnerability in this queue. +- Your **actionable exploitation queue** is located at `.shannon/deliverables/auth_exploitation_queue.json`. This is your to-do list, containing the precise targets identified by the analysis phase. You MUST process every vulnerability in this queue. **INTELLIGENCE GATHERING PHASE (MANDATORY):** Before beginning exploitation, read these strategic intelligence files in order: -1. `deliverables/pre_recon_deliverable.md` - Architecture overview, technology stack, and authentication code locations. -2. `deliverables/recon_deliverable.md` - Complete API inventory, user roles, and data flow maps. -3. `deliverables/auth_analysis_deliverable.md` - Strategic context from the Auth analysis specialist, including notes on session mechanisms, password policies, and flawed logic paths. +1. `.shannon/deliverables/pre_recon_deliverable.md` - Architecture overview, technology stack, and authentication code locations. +2. `.shannon/deliverables/recon_deliverable.md` - Complete API inventory, user roles, and data flow maps. +3. `.shannon/deliverables/auth_analysis_deliverable.md` - Strategic context from the Auth analysis specialist, including notes on session mechanisms, password policies, and flawed logic paths. - You will manage your work using the **TodoWrite tool** to track your exploitation tasks and progress. The todo list is your private workbench for organizing and tracking all exploitation attempts. 
@@ -122,13 +122,13 @@ Before beginning exploitation, read these strategic intelligence files in order: **Phase Sequence:** VULN ANALYSIS (Complete) → **AUTH EXPLOITATION (You)** → FINAL REPORT (next phase) -**Your Input:** `deliverables/auth_exploitation_queue.json` (primary exploitation queue) -**Your Output:** `deliverables/auth_exploitation_evidence.md` (exploitation evidence) +**Your Input:** `.shannon/deliverables/auth_exploitation_queue.json` (primary exploitation queue) +**Your Output:** `.shannon/deliverables/auth_exploitation_evidence.md` (exploitation evidence) **Supporting Intelligence:** -- `deliverables/pre_recon_deliverable.md` (architecture & code context) -- `deliverables/recon_deliverable.md` (API inventory & user roles) -- `deliverables/auth_analysis_deliverable.md` (strategic intel) +- `.shannon/deliverables/pre_recon_deliverable.md` (architecture & code context) +- `.shannon/deliverables/recon_deliverable.md` (API inventory & user roles) +- `.shannon/deliverables/auth_analysis_deliverable.md` (strategic intel) **WHAT HAPPENED BEFORE YOU:** - Reconnaissance agent mapped application architecture and attack surfaces @@ -189,7 +189,7 @@ Your primary goal is to achieve a definitive, evidence-backed conclusion for **e Your entire exploitation process will be managed through the TodoWrite tool. You MUST adhere to this process. **1. Initialization:** -- Read `deliverables/auth_exploitation_queue.json`. +- Read `.shannon/deliverables/auth_exploitation_queue.json`. - Use the TodoWrite tool to create tasks for each vulnerability in the queue. - Each task should include the vulnerability ID and the hypothesis to test. Example tasks: 
@@ -315,7 +315,7 @@ When your attack plan is fully explored (all checkboxes are marked `[x]`), your First, synthesize all evidence into your specialist section and save it using the save-deliverable CLI with --type AUTH_EVIDENCE. This section will be combined with other specialist reports to form the complete security assessment. **Section Ordering & Format Requirements:** -- Use the exact vulnerability IDs from `deliverables/auth_exploitation_queue.json` +- Use the exact vulnerability IDs from `.shannon/deliverables/auth_exploitation_queue.json` - Within "Successfully Exploited" section: Order by severity of impact (most critical first) - Within "Confirmed Vulnerabilities (Attempted Exploitation)" section: Order by severity (most critical first) - Within "Potential" section: Order by confidence level (highest confidence first) 
@@ -407,13 +407,13 @@ COMPLETION REQUIREMENTS (ALL must be satisfied): 1. Plan Completion: ALL tasks in your todo list must be marked as completed using the TodoWrite tool. 2. Deliverable Generation: The required deliverable must be successfully saved using the save-deliverable CLI: - **CHUNKED WRITING (MANDATORY):** - 1. Use the **Write** tool to create `deliverables/auth_exploitation_evidence.md` with the title and first major section + 1. Use the **Write** tool to create `.shannon/deliverables/auth_exploitation_evidence.md` with the title and first major section 2. Use the **Edit** tool to append each remaining section — match the last few lines of the file, then replace with those lines plus the new section content 3. Repeat step 2 for all remaining sections - 4. Run `save-deliverable` with `--type AUTH_EVIDENCE --file-path "deliverables/auth_exploitation_evidence.md"` + 4. Run `save-deliverable` with `--type AUTH_EVIDENCE --file-path ".shannon/deliverables/auth_exploitation_evidence.md"` **WARNING:** Do NOT write the entire report in a single tool call — exceeds 32K output token limit. Split into multiple Write/Edit operations. -CRITICAL WARNING: Announcing completion before every item in deliverables/auth_exploitation_queue.json has been pursued to a final, evidence-backed conclusion will be considered a mission failure. +CRITICAL WARNING: Announcing completion before every item in .shannon/deliverables/auth_exploitation_queue.json has been pursued to a final, evidence-backed conclusion will be considered a mission failure. ONLY AFTER fulfilling these exhaustive requirements, announce "AUTH EXPLOITATION COMPLETE" and stop. diff --git a/apps/worker/prompts/exploit-authz.txt b/apps/worker/prompts/exploit-authz.txt index 161bd53..0c218c3 100644 --- a/apps/worker/prompts/exploit-authz.txt +++ b/apps/worker/prompts/exploit-authz.txt 
@@ -93,13 +93,13 @@ After exhaustive bypass attempts, determine: -- Your **actionable exploitation queue** is located at `deliverables/authz_exploitation_queue.json`. This is your to-do list, containing the precise targets identified by the analysis phase. You MUST process every vulnerability in this queue. +- Your **actionable exploitation queue** is located at `.shannon/deliverables/authz_exploitation_queue.json`. This is your to-do list, containing the precise targets identified by the analysis phase. You MUST process every vulnerability in this queue. **INTELLIGENCE GATHERING PHASE (MANDATORY):** Before beginning exploitation, read these strategic intelligence files in order: -1. `deliverables/pre_recon_deliverable.md` - Architecture overview, technology stack, and authorization code locations. -2. `deliverables/recon_deliverable.md` - Complete API inventory, user roles, and permission models. -3. `deliverables/authz_analysis_deliverable.md` - Strategic context from the Authz analysis specialist, including notes on access control patterns, role hierarchies, and flawed logic paths. +1. `.shannon/deliverables/pre_recon_deliverable.md` - Architecture overview, technology stack, and authorization code locations. +2. `.shannon/deliverables/recon_deliverable.md` - Complete API inventory, user roles, and permission models. +3. `.shannon/deliverables/authz_analysis_deliverable.md` - Strategic context from the Authz analysis specialist, including notes on access control patterns, role hierarchies, and flawed logic paths. - You will manage your work using the **TodoWrite tool** to track your exploitation tasks and progress. The todo list is your private workbench for organizing and tracking all exploitation attempts. 
@@ -109,13 +109,13 @@ Before beginning exploitation, read these strategic intelligence files in order: **Phase Sequence:** VULN ANALYSIS (Complete) → **AUTHZ EXPLOITATION (You)** → FINAL REPORT (next phase) -**Your Input:** `deliverables/authz_exploitation_queue.json` (primary exploitation queue) -**Your Output:** `deliverables/authz_exploitation_evidence.md` (exploitation evidence) +**Your Input:** `.shannon/deliverables/authz_exploitation_queue.json` (primary exploitation queue) +**Your Output:** `.shannon/deliverables/authz_exploitation_evidence.md` (exploitation evidence) **Supporting Intelligence:** -- `deliverables/pre_recon_deliverable.md` (architecture & code context) -- `deliverables/recon_deliverable.md` (API inventory & user roles) -- `deliverables/authz_analysis_deliverable.md` (strategic intel) +- `.shannon/deliverables/pre_recon_deliverable.md` (architecture & code context) +- `.shannon/deliverables/recon_deliverable.md` (API inventory & user roles) +- `.shannon/deliverables/authz_analysis_deliverable.md` (strategic intel) **WHAT HAPPENED BEFORE YOU:** - Reconnaissance agent mapped application architecture and attack surfaces @@ -176,7 +176,7 @@ Your primary goal is to achieve a definitive, evidence-backed conclusion for **e Your entire exploitation process will be managed through the TodoWrite tool. You MUST adhere to this process. **1. Initialization:** -- Read `deliverables/authz_exploitation_queue.json`. +- Read `.shannon/deliverables/authz_exploitation_queue.json`. - Use the TodoWrite tool to create tasks for each vulnerability in the queue. - Each task should include the vulnerability ID, type, and the hypothesis to test. Example tasks: 
@@ -321,7 +321,7 @@ When your attack plan is fully explored (all checkboxes are marked `[x]`), your First, synthesize all evidence into your specialist section and save it using the save-deliverable CLI with --type AUTHZ_EVIDENCE. This section will be combined with other specialist reports to form the complete security assessment and MUST use the following structure: **Section Ordering & Format Requirements:** -- Use the exact vulnerability IDs from `deliverables/authz_exploitation_queue.json` +- Use the exact vulnerability IDs from `.shannon/deliverables/authz_exploitation_queue.json` - Within "Successfully Exploited" section: Order by severity of impact (most critical first) - Within "Potential" section: Order by confidence level (highest confidence first) 
@@ -409,13 +409,13 @@ COMPLETION REQUIREMENTS (ALL must be satisfied): 1. Plan Completion: ALL tasks in your todo list must be marked as completed using the TodoWrite tool. 2. Deliverable Generation: The required deliverable must be successfully saved using the save-deliverable CLI: - **CHUNKED WRITING (MANDATORY):** - 1. Use the **Write** tool to create `deliverables/authz_exploitation_evidence.md` with the title and first major section + 1. Use the **Write** tool to create `.shannon/deliverables/authz_exploitation_evidence.md` with the title and first major section 2. Use the **Edit** tool to append each remaining section — match the last few lines of the file, then replace with those lines plus the new section content 3. Repeat step 2 for all remaining sections - 4. Run `save-deliverable` with `--type AUTHZ_EVIDENCE --file-path "deliverables/authz_exploitation_evidence.md"` + 4. Run `save-deliverable` with `--type AUTHZ_EVIDENCE --file-path ".shannon/deliverables/authz_exploitation_evidence.md"` **WARNING:** Do NOT write the entire report in a single tool call — exceeds 32K output token limit. Split into multiple Write/Edit operations. -CRITICAL WARNING: Announcing completion before every item in deliverables/authz_exploitation_queue.json has been pursued to a final, evidence-backed conclusion will be considered a mission failure. +CRITICAL WARNING: Announcing completion before every item in .shannon/deliverables/authz_exploitation_queue.json has been pursued to a final, evidence-backed conclusion will be considered a mission failure. ONLY AFTER fulfilling these exhaustive requirements, announce "AUTHZ EXPLOITATION COMPLETE" and stop. diff --git a/apps/worker/prompts/exploit-injection.txt b/apps/worker/prompts/exploit-injection.txt index 696ae2f..ae5bfd3 100644 --- a/apps/worker/prompts/exploit-injection.txt +++ b/apps/worker/prompts/exploit-injection.txt 
@@ -70,13 +70,13 @@ Remember: An unproven vulnerability is worse than no finding at all - it wastes -- Your **actionable exploitation queue** is located at `deliverables/injection_exploitation_queue.json`. This is your to-do list, containing the precise targets identified by the analysis phase. You MUST process every vulnerability in this queue. +- Your **actionable exploitation queue** is located at `.shannon/deliverables/injection_exploitation_queue.json`. This is your to-do list, containing the precise targets identified by the analysis phase. You MUST process every vulnerability in this queue. **INTELLIGENCE GATHERING PHASE (MANDATORY):** Before beginning exploitation, read these strategic intelligence files in order: -1. `deliverables/pre_recon_deliverable.md` - Architecture overview, exact vulnerable code snippets, database details, authentication mechanisms -2. `deliverables/recon_deliverable.md` - Complete API inventory, input vectors, code pointers with file:line references -3. `deliverables/injection_analysis_deliverable.md` - Strategic context from analysis specialist, WAF behavior, database technologies +1. `.shannon/deliverables/pre_recon_deliverable.md` - Architecture overview, exact vulnerable code snippets, database details, authentication mechanisms +2. `.shannon/deliverables/recon_deliverable.md` - Complete API inventory, input vectors, code pointers with file:line references +3. `.shannon/deliverables/injection_analysis_deliverable.md` - Strategic context from analysis specialist, WAF behavior, database technologies **INTELLIGENCE-INFORMED EXPLOITATION:** - Use exact query or command structures provided in intelligence reports to construct precise payloads. 
@@ -91,13 +91,13 @@ Before beginning exploitation, read these strategic intelligence files in order: **Phase Sequence:** VULN ANALYSIS (Complete) → **INJECTION EXPLOITATION (You)** → FINAL REPORT (next phase) -**Your Input:** `deliverables/injection_exploitation_queue.json` (primary exploitation queue) -**Your Output:** `deliverables/injection_exploitation_evidence.md` (exploitation evidence) +**Your Input:** `.shannon/deliverables/injection_exploitation_queue.json` (primary exploitation queue) +**Your Output:** `.shannon/deliverables/injection_exploitation_evidence.md` (exploitation evidence) **Supporting Intelligence:** -- `deliverables/pre_recon_deliverable.md` (architecture & code context) -- `deliverables/recon_deliverable.md` (API inventory & input vectors) -- `deliverables/injection_analysis_deliverable.md` (strategic intel) +- `.shannon/deliverables/pre_recon_deliverable.md` (architecture & code context) +- `.shannon/deliverables/recon_deliverable.md` (API inventory & input vectors) +- `.shannon/deliverables/injection_analysis_deliverable.md` (strategic intel) **WHAT HAPPENED BEFORE YOU:** - Reconnaissance agent mapped application architecture and attack surfaces @@ -139,7 +139,7 @@ Your primary goal is to achieve a definitive, evidence-backed conclusion for **e Your entire exploitation process will be managed through the TodoWrite tool. You MUST adhere to this process. **1. Initialization:** -- Read the `deliverables/injection_exploitation_queue.json` file. +- Read the `.shannon/deliverables/injection_exploitation_queue.json` file. - Use the TodoWrite tool to create tasks for each vulnerability in the queue. - Each task should include the vulnerability ID and the hypothesis to test. Example tasks: 
@@ -347,7 +347,7 @@ First, synthesize all of your evidence into your specialist section and save it Your section MUST use the following structure precisely: **Section Ordering & Format Requirements:** -- Use the exact vulnerability IDs from `deliverables/injection_exploitation_queue.json` +- Use the exact vulnerability IDs from `.shannon/deliverables/injection_exploitation_queue.json` - Within "Successfully Exploited" section: Order by severity of impact (most critical first) - Within "Potential" section: Order by confidence level (highest confidence first) 
@@ -436,13 +436,13 @@ COMPLETION REQUIREMENTS (ALL must be satisfied): 1. **Plan Completion:** ALL tasks for EVERY vulnerability in your todo list must be marked as completed using the TodoWrite tool. **No vulnerability or task can be left unaddressed.** 2. **Deliverable Generation:** The required deliverable must be successfully saved using the save-deliverable CLI tool: - **CHUNKED WRITING (MANDATORY):** - 1. Use the **Write** tool to create `deliverables/injection_exploitation_evidence.md` with the title and first major section + 1. Use the **Write** tool to create `.shannon/deliverables/injection_exploitation_evidence.md` with the title and first major section 2. Use the **Edit** tool to append each remaining section — match the last few lines of the file, then replace with those lines plus the new section content 3. Repeat step 2 for all remaining sections - 4. Run `save-deliverable` with `--type INJECTION_EVIDENCE --file-path "deliverables/injection_exploitation_evidence.md"` + 4. Run `save-deliverable` with `--type INJECTION_EVIDENCE --file-path ".shannon/deliverables/injection_exploitation_evidence.md"` **WARNING:** Do NOT write the entire report in a single tool call — exceeds 32K output token limit. Split into multiple Write/Edit operations. -**CRITICAL WARNING:** Announcing completion before every item in `deliverables/injection_exploitation_queue.json` has been pursued to a final, evidence-backed conclusion (either successfully exploited or verified false positive) will be considered a mission failure. Superficial testing is not acceptable. +**CRITICAL WARNING:** Announcing completion before every item in `.shannon/deliverables/injection_exploitation_queue.json` has been pursued to a final, evidence-backed conclusion (either successfully exploited or verified false positive) will be considered a mission failure. Superficial testing is not acceptable. 
ONLY AFTER fulfilling these exhaustive requirements, announce "INJECTION EXPLOITATION COMPLETE" and stop. diff --git a/apps/worker/prompts/exploit-ssrf.txt b/apps/worker/prompts/exploit-ssrf.txt index 487f92b..d7e795e 100644 --- a/apps/worker/prompts/exploit-ssrf.txt +++ b/apps/worker/prompts/exploit-ssrf.txt 
@@ -93,13 +93,13 @@ After exhaustive bypass attempts, determine: -- Your **actionable exploitation queue** is located at `deliverables/ssrf_exploitation_queue.json`. This is your to-do list, containing the precise targets identified by the analysis phase. You MUST process every vulnerability in this queue. +- Your **actionable exploitation queue** is located at `.shannon/deliverables/ssrf_exploitation_queue.json`. This is your to-do list, containing the precise targets identified by the analysis phase. You MUST process every vulnerability in this queue. **INTELLIGENCE GATHERING PHASE (MANDATORY):** Before beginning exploitation, read these strategic intelligence files in order: -1. `deliverables/pre_recon_deliverable.md` - Architecture overview, technology stack, and network service details. -2. `deliverables/recon_deliverable.md` - Complete API inventory, service endpoints, and internal architecture maps. -3. `deliverables/ssrf_analysis_deliverable.md` - Strategic context from the SSRF analysis specialist, including notes on HTTP client usage, URL validation patterns, and request mechanisms. +1. `.shannon/deliverables/pre_recon_deliverable.md` - Architecture overview, technology stack, and network service details. +2. `.shannon/deliverables/recon_deliverable.md` - Complete API inventory, service endpoints, and internal architecture maps. +3. `.shannon/deliverables/ssrf_analysis_deliverable.md` - Strategic context from the SSRF analysis specialist, including notes on HTTP client usage, URL validation patterns, and request mechanisms. - You will manage your work using the **TodoWrite tool** to track your exploitation tasks and progress. The todo list is your private workbench for organizing and tracking all exploitation attempts. 
@@ -109,13 +109,13 @@ Before beginning exploitation, read these strategic intelligence files in order: **Phase Sequence:** VULN ANALYSIS (Complete) → **SSRF EXPLOITATION (You)** → FINAL REPORT (next phase) -**Your Input:** `deliverables/ssrf_exploitation_queue.json` (primary exploitation queue) -**Your Output:** `deliverables/ssrf_exploitation_evidence.md` (exploitation evidence) +**Your Input:** `.shannon/deliverables/ssrf_exploitation_queue.json` (primary exploitation queue) +**Your Output:** `.shannon/deliverables/ssrf_exploitation_evidence.md` (exploitation evidence) **Supporting Intelligence:** -- `deliverables/pre_recon_deliverable.md` (architecture & network context) -- `deliverables/recon_deliverable.md` (API inventory & service endpoints) -- `deliverables/ssrf_analysis_deliverable.md` (strategic intel) +- `.shannon/deliverables/pre_recon_deliverable.md` (architecture & network context) +- `.shannon/deliverables/recon_deliverable.md` (API inventory & service endpoints) +- `.shannon/deliverables/ssrf_analysis_deliverable.md` (strategic intel) **WHAT HAPPENED BEFORE YOU:** - Reconnaissance agent mapped application architecture and attack surfaces @@ -176,7 +176,7 @@ Your primary goal is to achieve a definitive, evidence-backed conclusion for **e Your entire exploitation process will be managed through the TodoWrite tool. You MUST adhere to this process. **1. Initialization:** -- Read `deliverables/ssrf_exploitation_queue.json`. +- Read `.shannon/deliverables/ssrf_exploitation_queue.json`. - Use the TodoWrite tool to create tasks for each vulnerability in the queue. - Each task should include the vulnerability ID and the hypothesis to test. Example tasks: 
@@ -398,7 +398,7 @@ When your attack plan is fully explored (all checkboxes are marked `[x]`), your First, synthesize all evidence into your specialist section and save it using the save-deliverable CLI with --type SSRF_EVIDENCE. This section will be combined with other specialist reports to form the complete security assessment and MUST use the following structure: **Section Ordering & Format Requirements:** -- Use the exact vulnerability IDs from `deliverables/ssrf_exploitation_queue.json` +- Use the exact vulnerability IDs from `.shannon/deliverables/ssrf_exploitation_queue.json` - Within "Successfully Exploited" section: Order by severity of impact (most critical first) - Within "Potential" section: Order by confidence level (highest confidence first) 
@@ -486,13 +486,13 @@ COMPLETION REQUIREMENTS (ALL must be satisfied): 1. Plan Completion: ALL tasks in your todo list must be marked as completed using the TodoWrite tool. 2. Deliverable Generation: The required deliverable must be successfully saved using the save-deliverable CLI: - **CHUNKED WRITING (MANDATORY):** - 1. Use the **Write** tool to create `deliverables/ssrf_exploitation_evidence.md` with the title and first major section + 1. Use the **Write** tool to create `.shannon/deliverables/ssrf_exploitation_evidence.md` with the title and first major section 2. Use the **Edit** tool to append each remaining section — match the last few lines of the file, then replace with those lines plus the new section content 3. Repeat step 2 for all remaining sections - 4. Run `save-deliverable` with `--type SSRF_EVIDENCE --file-path "deliverables/ssrf_exploitation_evidence.md"` + 4. Run `save-deliverable` with `--type SSRF_EVIDENCE --file-path ".shannon/deliverables/ssrf_exploitation_evidence.md"` **WARNING:** Do NOT write the entire report in a single tool call — exceeds 32K output token limit. Split into multiple Write/Edit operations. -CRITICAL WARNING: Announcing completion before every item in deliverables/ssrf_exploitation_queue.json has been pursued to a final, evidence-backed conclusion will be considered a mission failure. +CRITICAL WARNING: Announcing completion before every item in .shannon/deliverables/ssrf_exploitation_queue.json has been pursued to a final, evidence-backed conclusion will be considered a mission failure. ONLY AFTER fulfilling these exhaustive requirements, announce "SSRF EXPLOITATION COMPLETE" and stop. diff --git a/apps/worker/prompts/exploit-xss.txt b/apps/worker/prompts/exploit-xss.txt index 8ed8274..2a805ff 100644 --- a/apps/worker/prompts/exploit-xss.txt +++ b/apps/worker/prompts/exploit-xss.txt 
@@ -91,13 +91,13 @@ After exhaustive bypass attempts, determine:
-- Your **actionable exploitation queue** is located at `deliverables/xss_exploitation_queue.json`. This is your to-do list, containing the precise targets identified by the analysis phase. You MUST process every vulnerability in this queue.
+- Your **actionable exploitation queue** is located at `.shannon/deliverables/xss_exploitation_queue.json`. This is your to-do list, containing the precise targets identified by the analysis phase. You MUST process every vulnerability in this queue.
 **INTELLIGENCE GATHERING PHASE (MANDATORY):**
 Before beginning exploitation, read these strategic intelligence files in order:
-1. `deliverables/pre_recon_deliverable.md` - Architecture overview, technology stack, and critical file paths.
-2. `deliverables/recon_deliverable.md` - Complete API inventory, input vectors, and data flow maps.
-3. `deliverables/xss_analysis_deliverable.md` - Strategic context from the XSS analysis specialist, including notes on WAF behavior, CSP headers, and cookie flags.
+1. `.shannon/deliverables/pre_recon_deliverable.md` - Architecture overview, technology stack, and critical file paths.
+2. `.shannon/deliverables/recon_deliverable.md` - Complete API inventory, input vectors, and data flow maps.
+3. `.shannon/deliverables/xss_analysis_deliverable.md` - Strategic context from the XSS analysis specialist, including notes on WAF behavior, CSP headers, and cookie flags.
 **INTELLIGENCE-INFORMED EXPLOITATION:**
 - Use the `render_context` and `mismatch_reason` from the analysis queue to craft precise initial payloads.
@@ -111,13 +111,13 @@ Before beginning exploitation, read these strategic intelligence files in order:
 **Phase Sequence:** VULN ANALYSIS (Complete) → **XSS EXPLOITATION (You)** → FINAL REPORT (next phase)
-**Your Input:** `deliverables/xss_exploitation_queue.json` (primary exploitation queue)
-**Your Output:** `deliverables/xss_exploitation_evidence.md` (exploitation evidence)
+**Your Input:** `.shannon/deliverables/xss_exploitation_queue.json` (primary exploitation queue)
+**Your Output:** `.shannon/deliverables/xss_exploitation_evidence.md` (exploitation evidence)
 **Supporting Intelligence:**
-- `deliverables/pre_recon_deliverable.md` (architecture & code context)
-- `deliverables/recon_deliverable.md` (API inventory & input vectors)
-- `deliverables/xss_analysis_deliverable.md` (strategic intel)
+- `.shannon/deliverables/pre_recon_deliverable.md` (architecture & code context)
+- `.shannon/deliverables/recon_deliverable.md` (API inventory & input vectors)
+- `.shannon/deliverables/xss_analysis_deliverable.md` (strategic intel)
 **WHAT HAPPENED BEFORE YOU:**
 - Reconnaissance agent mapped application architecture and attack surfaces
@@ -183,7 +183,7 @@ For **every single vulnerability** in your queue, systematically work through th
 **Goal:** Set up tracking and understand the pre-analyzed vulnerabilities.
 **Actions:**
-- Read `deliverables/xss_exploitation_queue.json` to get your targets with their complete graph analysis
+- Read `.shannon/deliverables/xss_exploitation_queue.json` to get your targets with their complete graph analysis
 - Use **TodoWrite tool** to create a todo for each vulnerability with its graph characteristics
 - Example: "XSS-VULN-01: Exploit Reflected XSS in /search?q= (source: URL param → no sanitization → innerHTML sink)"
 - Study the provided intelligence for each vulnerability:
@@ -331,7 +331,7 @@ First, synthesize all of your evidence into your specialist section and save it
 Your section MUST use the following structure precisely:
 **Section Ordering & Format Requirements:**
-- Use the exact vulnerability IDs from `deliverables/xss_exploitation_queue.json`
+- Use the exact vulnerability IDs from `.shannon/deliverables/xss_exploitation_queue.json`
 - Within "Successfully Exploited" section: Order by severity of impact (most critical first)
 - Within "Potential" section: Order by confidence level (highest confidence first)
@@ -426,13 +426,13 @@ COMPLETION REQUIREMENTS (ALL must be satisfied):
 - Todo List Completion: ALL vulnerabilities from the exploitation queue must have been processed and marked as completed in your todo list.
 - Deliverable Generation: The required deliverable must be successfully saved using the save-deliverable CLI tool:
 - **CHUNKED WRITING (MANDATORY):**
- 1. Use the **Write** tool to create `deliverables/xss_exploitation_evidence.md` with the title and first major section
+ 1. Use the **Write** tool to create `.shannon/deliverables/xss_exploitation_evidence.md` with the title and first major section
 2. Use the **Edit** tool to append each remaining section — match the last few lines of the file, then replace with those lines plus the new section content
 3. Repeat step 2 for all remaining sections
- 4. Run `save-deliverable` with `--type XSS_EVIDENCE --file-path "deliverables/xss_exploitation_evidence.md"`
+ 4. Run `save-deliverable` with `--type XSS_EVIDENCE --file-path ".shannon/deliverables/xss_exploitation_evidence.md"`
 **WARNING:** Do NOT write the entire report in a single tool call — exceeds 32K output token limit. Split into multiple Write/Edit operations.
-**CRITICAL WARNING:** Announcing completion before every item in `deliverables/xss_exploitation_queue.json` has been pursued to a final, evidence-backed conclusion (either successfully exploited or verified false positive) will be considered a mission failure. Superficial testing is not acceptable.
+**CRITICAL WARNING:** Announcing completion before every item in `.shannon/deliverables/xss_exploitation_queue.json` has been pursued to a final, evidence-backed conclusion (either successfully exploited or verified false positive) will be considered a mission failure. Superficial testing is not acceptable.
 ONLY AFTER both plan completion AND successful deliverable generation, announce "XSS EXPLOITATION COMPLETE" and stop.
diff --git a/apps/worker/prompts/pipeline-testing/exploit-auth.txt b/apps/worker/prompts/pipeline-testing/exploit-auth.txt
index 7e84f2d..b8cc67b 100644
--- a/apps/worker/prompts/pipeline-testing/exploit-auth.txt
+++ b/apps/worker/prompts/pipeline-testing/exploit-auth.txt
@@ -1,3 +1,5 @@
+@include(shared/_filesystem.txt)
+
 ## 🧪 Pipeline Testing: Session Isolation Test for Authentication Exploitation Agent
 **Playwright Session:** Using session `{{PLAYWRIGHT_SESSION}}` for browser automation testing.
@@ -10,7 +12,7 @@
 2. Take a screenshot to prove isolation:
 ```
- playwright-cli -s={{PLAYWRIGHT_SESSION}} screenshot --filename "auth-exploit-test.png"
+ playwright-cli -s={{PLAYWRIGHT_SESSION}} screenshot --filename "{{REPO_PATH}}/.shannon/scratchpad/auth-exploit-test.png"
 ```
 3. Log the test results:
@@ -24,7 +26,7 @@ Run the save-deliverable CLI: save-deliverable --type AUTH_EVIDENCE --content '# Authentication Exploitation Evidence (Pipeline Test)\n\n**Playwright Session:** {{PLAYWRIGHT_SESSION}}\n**Test Site:** https://example.com\n**Screenshot:** auth-exploit-test.png\n**Status:** Browser isolation test successful\n\n## Exploitation Results\n- **Target:** Test authentication vulnerability\n- **Method:** Authentication bypass via parameter manipulation\n- **Evidence:** Successfully bypassed login using admin=true parameter\n- **Impact:** Demonstrated unauthorized access to protected resources\n- **Proof:** Pipeline testing mode - simulated successful exploitation\n\n## Technical Details\n- **Vulnerability ID:** AUTH-VULN-01\n- **Exploitation Status:** Simulated Success (Pipeline Test)\n- **Session:** {{PLAYWRIGHT_SESSION}}\n- **Attack Vector:** Parameter-based authentication bypass\n- **Bypass Method:** URL parameter manipulation' ``` -This will automatically create `deliverables/auth_exploitation_evidence.md`. +This will automatically create `.shannon/deliverables/auth_exploitation_evidence.md`. ### Step 3: Verify Session Isolation This agent should be using {{PLAYWRIGHT_SESSION}} and navigating to example.com independently of other parallel exploitation agents. \ No newline at end of file diff --git a/apps/worker/prompts/pipeline-testing/exploit-authz.txt b/apps/worker/prompts/pipeline-testing/exploit-authz.txt index 1c56325..838cbdc 100644 --- a/apps/worker/prompts/pipeline-testing/exploit-authz.txt +++ b/apps/worker/prompts/pipeline-testing/exploit-authz.txt @@ -1,3 +1,5 @@ +@include(shared/_filesystem.txt) + ## 🧪 Pipeline Testing: Session Isolation Test for Authorization Exploitation Agent **Playwright Session:** Using session `{{PLAYWRIGHT_SESSION}}` for browser automation testing. 
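Review bot: The `save-deliverable --content` payload on this hunk's unchanged context line still records `**Screenshot:** auth-exploit-test.png`, but the screenshot step in the previous hunk of this file now writes `{{REPO_PATH}}/.shannon/scratchpad/auth-exploit-test.png`, so the evidence deliverable names an artifact at a location that no longer matches where it lands. Update the payload entry to `**Screenshot:** {{REPO_PATH}}/.shannon/scratchpad/auth-exploit-test.png` so a reader of the evidence file can find the proof. The authz, injection, ssrf and xss pipeline-testing siblings in this patch carry the same stale `**Screenshot:**` entry after their screenshot paths were rewritten, and should be fixed together.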
@@ -10,7 +12,7 @@ 2. Take a screenshot to prove isolation: ``` - playwright-cli -s={{PLAYWRIGHT_SESSION}} screenshot --filename "authz-exploit-test.png" + playwright-cli -s={{PLAYWRIGHT_SESSION}} screenshot --filename "{{REPO_PATH}}/.shannon/scratchpad/authz-exploit-test.png" ``` 3. Log the test results: @@ -24,7 +26,7 @@ Run the save-deliverable CLI: save-deliverable --type AUTHZ_EVIDENCE --content '# Authorization Exploitation Evidence (Pipeline Test)\n\n**Playwright Session:** {{PLAYWRIGHT_SESSION}}\n**Test Site:** https://example.com\n**Screenshot:** authz-exploit-test.png\n**Status:** Browser isolation test successful\n\n## Exploitation Results\n- **Target:** Test authorization vulnerability\n- **Method:** Privilege escalation via direct object reference\n- **Evidence:** Successfully accessed admin panel with user-level privileges\n- **Impact:** Demonstrated unauthorized access to privileged functionality\n- **Proof:** Pipeline testing mode - simulated successful exploitation\n\n## Technical Details\n- **Vulnerability ID:** AUTHZ-VULN-01\n- **Exploitation Status:** Simulated Success (Pipeline Test)\n- **Session:** {{PLAYWRIGHT_SESSION}}\n- **Attack Vector:** Insecure Direct Object Reference (IDOR)\n- **Escalation Method:** User ID manipulation in API calls' ``` -This will automatically create `deliverables/authz_exploitation_evidence.md`. +This will automatically create `.shannon/deliverables/authz_exploitation_evidence.md`. ### Step 3: Verify Session Isolation This agent should be using {{PLAYWRIGHT_SESSION}} and navigating to example.com independently of other parallel exploitation agents. \ No newline at end of file diff --git a/apps/worker/prompts/pipeline-testing/exploit-injection.txt b/apps/worker/prompts/pipeline-testing/exploit-injection.txt index 91cef3e..3f58399 100644 --- a/apps/worker/prompts/pipeline-testing/exploit-injection.txt +++ b/apps/worker/prompts/pipeline-testing/exploit-injection.txt 
@@ -1,3 +1,5 @@ +@include(shared/_filesystem.txt) + ## 🧪 Pipeline Testing: Session Isolation Test for Injection Exploitation Agent **Playwright Session:** Using session `{{PLAYWRIGHT_SESSION}}` for browser automation testing. @@ -10,7 +12,7 @@ 2. Take a screenshot to prove isolation: ``` - playwright-cli -s={{PLAYWRIGHT_SESSION}} screenshot --filename "injection-exploit-test.png" + playwright-cli -s={{PLAYWRIGHT_SESSION}} screenshot --filename "{{REPO_PATH}}/.shannon/scratchpad/injection-exploit-test.png" ``` 3. Log the test results: @@ -24,7 +26,7 @@ Run the save-deliverable CLI: save-deliverable --type INJECTION_EVIDENCE --content '# Injection Exploitation Evidence (Pipeline Test)\n\n**Playwright Session:** {{PLAYWRIGHT_SESSION}}\n**Test Site:** https://example.com\n**Screenshot:** injection-exploit-test.png\n**Status:** Browser isolation test successful\n\n## Exploitation Results\n- **Target:** Test injection vulnerability\n- **Vulnerability Type:** SQLi | CommandInjection | LFI | RFI | SSTI | PathTraversal | InsecureDeserialization\n- **Method:** [Type-specific exploitation method]\n- **Evidence:** Successfully executed test payload\n- **Impact:** Demonstrated ability to manipulate [database queries | system commands | file system | template engine | deserialization]\n- **Proof:** Pipeline testing mode - simulated successful exploitation\n\n## Technical Details\n- **Vulnerability ID:** INJ-VULN-XX\n- **Exploitation Status:** Simulated Success (Pipeline Test)\n- **Session:** {{PLAYWRIGHT_SESSION}}' ``` -This will automatically create `deliverables/injection_exploitation_evidence.md`. +This will automatically create `.shannon/deliverables/injection_exploitation_evidence.md`. ### Step 3: Verify Session Isolation This agent should be using {{PLAYWRIGHT_SESSION}} and navigating to example.com independently of other parallel exploitation agents. \ No newline at end of file 
diff --git a/apps/worker/prompts/pipeline-testing/exploit-ssrf.txt b/apps/worker/prompts/pipeline-testing/exploit-ssrf.txt
index 5bd2c0f..655127a 100644
--- a/apps/worker/prompts/pipeline-testing/exploit-ssrf.txt
+++ b/apps/worker/prompts/pipeline-testing/exploit-ssrf.txt
@@ -1,3 +1,5 @@
+@include(shared/_filesystem.txt)
+
 ## 🧪 Pipeline Testing: Session Isolation Test for SSRF Exploitation Agent
 **Playwright Session:** Using session `{{PLAYWRIGHT_SESSION}}` for browser automation testing.
@@ -10,7 +12,7 @@
 2. Take a screenshot to prove isolation:
 ```
- playwright-cli -s={{PLAYWRIGHT_SESSION}} screenshot --filename "ssrf-exploit-test.png"
+ playwright-cli -s={{PLAYWRIGHT_SESSION}} screenshot --filename "{{REPO_PATH}}/.shannon/scratchpad/ssrf-exploit-test.png"
 ```
 3. Log the test results:
@@ -24,7 +26,7 @@ Run the save-deliverable CLI: save-deliverable --type SSRF_EVIDENCE --content '# SSRF Exploitation Evidence (Pipeline Test)\n\n**Playwright Session:** {{PLAYWRIGHT_SESSION}}\n**Test Site:** https://example.com\n**Screenshot:** ssrf-exploit-test.png\n**Status:** Browser isolation test successful\n\n## Exploitation Results\n- **Target:** Test SSRF vulnerability\n- **Method:** Server-Side Request Forgery via URL parameter\n- **Evidence:** Successfully forced server to make request to internal network\n- **Impact:** Demonstrated access to internal services and potential data exfiltration\n- **Proof:** Pipeline testing mode - simulated successful exploitation\n\n## Technical Details\n- **Vulnerability ID:** SSRF-VULN-01\n- **Exploitation Status:** Simulated Success (Pipeline Test)\n- **Session:** {{PLAYWRIGHT_SESSION}}\n- **Attack Vector:** URL parameter manipulation\n- **Target:** Internal network services (localhost:8080)' ``` -This will automatically create `deliverables/ssrf_exploitation_evidence.md`. +This will automatically create `.shannon/deliverables/ssrf_exploitation_evidence.md`. ### Step 3: Verify Session Isolation This agent should be using {{PLAYWRIGHT_SESSION}} and navigating to example.com independently of other parallel exploitation agents. \ No newline at end of file diff --git a/apps/worker/prompts/pipeline-testing/exploit-xss.txt b/apps/worker/prompts/pipeline-testing/exploit-xss.txt index c27e145..9d06c81 100644 --- a/apps/worker/prompts/pipeline-testing/exploit-xss.txt +++ b/apps/worker/prompts/pipeline-testing/exploit-xss.txt @@ -1,3 +1,5 @@ +@include(shared/_filesystem.txt) + ## 🧪 Pipeline Testing: Session Isolation Test for XSS Exploitation Agent **Playwright Session:** Using session `{{PLAYWRIGHT_SESSION}}` for browser automation testing. 
@@ -10,7 +12,7 @@ 2. Take a screenshot to prove isolation: ``` - playwright-cli -s={{PLAYWRIGHT_SESSION}} screenshot --filename "xss-exploit-test.png" + playwright-cli -s={{PLAYWRIGHT_SESSION}} screenshot --filename "{{REPO_PATH}}/.shannon/scratchpad/xss-exploit-test.png" ``` 3. Log the test results: @@ -24,7 +26,7 @@ Run the save-deliverable CLI: save-deliverable --type XSS_EVIDENCE --content '# XSS Exploitation Evidence (Pipeline Test)\n\n**Playwright Session:** {{PLAYWRIGHT_SESSION}}\n**Test Site:** https://example.com\n**Screenshot:** xss-exploit-test.png\n**Status:** Browser isolation test successful\n\n## Exploitation Results\n- **Target:** Test XSS vulnerability\n- **Method:** Reflected XSS via search parameter\n- **Evidence:** Successfully executed payload ``\n- **Impact:** Demonstrated JavaScript code execution in user context\n- **Proof:** Pipeline testing mode - simulated successful exploitation\n\n## Technical Details\n- **Vulnerability ID:** XSS-VULN-01\n- **Exploitation Status:** Simulated Success (Pipeline Test)\n- **Session:** {{PLAYWRIGHT_SESSION}}\n- **Attack Vector:** Reflected XSS in search functionality' ``` -This will automatically create `deliverables/xss_exploitation_evidence.md`. +This will automatically create `.shannon/deliverables/xss_exploitation_evidence.md`. ### Step 3: Verify Session Isolation This agent should be using {{PLAYWRIGHT_SESSION}} and navigating to example.com independently of other parallel exploitation agents. \ No newline at end of file diff --git a/apps/worker/prompts/pipeline-testing/pre-recon-code.txt b/apps/worker/prompts/pipeline-testing/pre-recon-code.txt index d18ae99..5f4ab5c 100644 --- a/apps/worker/prompts/pipeline-testing/pre-recon-code.txt +++ b/apps/worker/prompts/pipeline-testing/pre-recon-code.txt @@ -1 +1,3 @@ +@include(shared/_filesystem.txt) + Run: `save-deliverable --type CODE_ANALYSIS --content 'Pre-recon analysis complete'`. Then say "Done". \ No newline at end of file 
diff --git a/apps/worker/prompts/pipeline-testing/recon.txt b/apps/worker/prompts/pipeline-testing/recon.txt
index 5f75ea0..60e76be 100644
--- a/apps/worker/prompts/pipeline-testing/recon.txt
+++ b/apps/worker/prompts/pipeline-testing/recon.txt
@@ -1 +1,3 @@
+@include(shared/_filesystem.txt)
+
 Run: `save-deliverable --type RECON --content 'Reconnaissance analysis complete'`. Then say "Done".
\ No newline at end of file
diff --git a/apps/worker/prompts/pipeline-testing/report-executive.txt b/apps/worker/prompts/pipeline-testing/report-executive.txt
index 7bf2104..a104667 100644
--- a/apps/worker/prompts/pipeline-testing/report-executive.txt
+++ b/apps/worker/prompts/pipeline-testing/report-executive.txt
@@ -1 +1,3 @@
-Read `deliverables/comprehensive_security_assessment_report.md`, prepend "# Security Assessment Report\n\n**Target:** {{WEB_URL}}\n\n" to the content, and save it back. Say "Done".
+@include(shared/_filesystem.txt)
+
+Read `.shannon/deliverables/comprehensive_security_assessment_report.md`, prepend "# Security Assessment Report\n\n**Target:** {{WEB_URL}}\n\n" to the content, and save it back. Say "Done".
diff --git a/apps/worker/prompts/pipeline-testing/shared/_filesystem.txt b/apps/worker/prompts/pipeline-testing/shared/_filesystem.txt
new file mode 100644
index 0000000..d9fdf67
--- /dev/null
+++ b/apps/worker/prompts/pipeline-testing/shared/_filesystem.txt
@@ -0,0 +1,4 @@
+Filesystem:
+- {{REPO_PATH}}/ (read only)
+- {{REPO_PATH}}/.shannon/deliverables/ (read-write)
+- {{REPO_PATH}}/.shannon/scratchpad/ (read-write) - screenshots, scripts, scratch work, etc.
diff --git a/apps/worker/prompts/pipeline-testing/vuln-auth.txt b/apps/worker/prompts/pipeline-testing/vuln-auth.txt
index 215efe3..f28173d 100644
--- a/apps/worker/prompts/pipeline-testing/vuln-auth.txt
+++ b/apps/worker/prompts/pipeline-testing/vuln-auth.txt
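Review bot: The new `_filesystem.txt` include says which two directories are writable but not what an agent should expect from writes anywhere else, and the exploit-* pipeline prompts in this same patch had to switch `playwright-cli … screenshot --filename` to an absolute `{{REPO_PATH}}/.shannon/scratchpad/…` path precisely because tools default to the current directory. Add a line such as `- Everything else under {{REPO_PATH}} is read-only; writes outside .shannon/ fail, so pass absolute .shannon/ paths to tools that default to the current directory (e.g. playwright-cli screenshots, scratch scripts).` This text is advisory only: the read-only guarantee has to come from the container mount setup, which is not in this chunk, and an agent that ignores the prompt will presumably just hit permission errors, so the note is about avoiding wasted steps rather than enforcing anything. The same four lines are also pasted inline into pre-recon-code.txt, recon.txt, report-executive.txt and shared/_target.txt in this patch; one shared include would keep the overlay paths from drifting.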
@@ -1,3 +1,5 @@
+@include(shared/_filesystem.txt)
+
 Please complete these tasks using your CLI tools:
 1. Navigate to https://example.net and take a screenshot:
diff --git a/apps/worker/prompts/pipeline-testing/vuln-authz.txt b/apps/worker/prompts/pipeline-testing/vuln-authz.txt
index 707e892..9aacff0 100644
--- a/apps/worker/prompts/pipeline-testing/vuln-authz.txt
+++ b/apps/worker/prompts/pipeline-testing/vuln-authz.txt
@@ -1,3 +1,5 @@
+@include(shared/_filesystem.txt)
+
 Please complete these tasks using your CLI tools:
 1. Navigate to https://jsonplaceholder.typicode.com and take a screenshot:
diff --git a/apps/worker/prompts/pipeline-testing/vuln-injection.txt b/apps/worker/prompts/pipeline-testing/vuln-injection.txt
index 33f7aaa..c18ba42 100644
--- a/apps/worker/prompts/pipeline-testing/vuln-injection.txt
+++ b/apps/worker/prompts/pipeline-testing/vuln-injection.txt
@@ -1,3 +1,5 @@
+@include(shared/_filesystem.txt)
+
 Please complete these tasks using your CLI tools:
 1. Navigate to https://example.com and take a screenshot:
diff --git a/apps/worker/prompts/pipeline-testing/vuln-ssrf.txt b/apps/worker/prompts/pipeline-testing/vuln-ssrf.txt
index 25d89ed..69a5bd7 100644
--- a/apps/worker/prompts/pipeline-testing/vuln-ssrf.txt
+++ b/apps/worker/prompts/pipeline-testing/vuln-ssrf.txt
@@ -1,3 +1,5 @@
+@include(shared/_filesystem.txt)
+
 Please complete these tasks using your CLI tools:
 1. Navigate to https://httpbin.org and take a screenshot:
diff --git a/apps/worker/prompts/pipeline-testing/vuln-xss.txt b/apps/worker/prompts/pipeline-testing/vuln-xss.txt
index c601592..a34f164 100644
--- a/apps/worker/prompts/pipeline-testing/vuln-xss.txt
+++ b/apps/worker/prompts/pipeline-testing/vuln-xss.txt
@@ -1,3 +1,5 @@
+@include(shared/_filesystem.txt)
+
 Please complete these tasks using your CLI tools:
 1. Navigate to https://example.org and take a screenshot:
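Review bot: Each of these five vuln-* hunks adds only the include (`-1,3 +1,5`), while the screenshot command that follows `1. Navigate to … and take a screenshot:` lies past the hunk and is not touched anywhere in this chunk. If that command still passes a bare `--filename "…png"`, as the exploit-* pipeline prompts did before this patch rewrote them, the write targets the current directory, which the include just declared read-only, and the step will fail with a permission error rather than producing the artifact. Those lines should match the exploit-* siblings: `--filename "{{REPO_PATH}}/.shannon/scratchpad/<name>.png"`. The prompt bodies continue outside the hunks, so this is inferred from the hunk sizes rather than seen.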
diff --git a/apps/worker/prompts/pre-recon-code.txt b/apps/worker/prompts/pre-recon-code.txt
index 4bab90f..a11d7b3 100644
--- a/apps/worker/prompts/pre-recon-code.txt
+++ b/apps/worker/prompts/pre-recon-code.txt
@@ -10,6 +10,11 @@ Objective: Your task is to analyze the provided source code to generate a securi
 **WORKING CONTEXT:** You are currently in the root directory of the target codebase to analyze.
+Filesystem:
+- {{REPO_PATH}}/ (read only)
+- {{REPO_PATH}}/.shannon/deliverables/ (read-write)
+- {{REPO_PATH}}/.shannon/scratchpad/ (read-write) - screenshots, scripts, scratch work, etc.
+
 **CRITICAL INSTRUCTIONS:**
 - Base your analysis SOLELY on the provided source code. Do not invent services or infer functionality that is not present.
 - The output MUST be in Markdown format.
@@ -32,7 +37,7 @@ Read `.gitignore` and run `git ls-files --others --ignored --exclude-standard --
 **Phase Sequence:** **PRE-RECON (You)** → RECON → VULN ANALYSIS (5 agents) → EXPLOITATION (5 agents) → REPORTING
 **Your Input:** External scan results from pre-recon tools (nmap, subfinder, whatweb)
-**Your Output:** `deliverables/code_analysis_deliverable.md` (feeds all subsequent analysis phases)
+**Your Output:** `.shannon/deliverables/code_analysis_deliverable.md` (feeds all subsequent analysis phases)
 **Shared Intelligence:** You create the foundational intelligence baseline that all other agents depend on
 **WHAT HAPPENED BEFORE YOU:**
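Review bot: The four `Filesystem:` lines are pasted inline here rather than pulled in the way the pipeline-testing prompts do it (`@include(shared/_filesystem.txt)`), and the identical block is repeated in recon.txt, report-executive.txt and shared/_target.txt in this same patch. Five copies of the mount layout will drift the next time an overlay path changes; an `apps/worker/prompts/shared/_filesystem.txt` plus `@include(shared/_filesystem.txt)` in each would leave one source of truth, assuming the non-pipeline prompts go through the same include step. The block also sits right after `You are currently in the root directory of the target codebase to analyze.`, which reads as if the cwd is writable; appending `(read-only — write only under .shannon/)` to that sentence would make the two statements agree. The surrounding prompt continues outside the hunk.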
@@ -128,14 +133,14 @@ After Phase 1 completes, launch all three vulnerability-focused agents in parall
 - Resolve conflicts and eliminate duplicates
 - Generate the final structured markdown report
 - **Schema Management**: Using schemas identified by the Entry Point Mapper Agent:
- - Create the `outputs/schemas/` directory using mkdir -p
- - Copy all discovered schema files to `outputs/schemas/` with descriptive names
+ - Create the `.shannon/deliverables/schemas/` directory using mkdir -p
+ - Copy all discovered schema files to `.shannon/deliverables/schemas/` with descriptive names
 - Include schema locations in your attack surface analysis
 - **CHUNKED WRITING (MANDATORY):**
- 1. Use the **Write** tool to create `deliverables/code_analysis_deliverable.md` with the title and first major section
+ 1. Use the **Write** tool to create `.shannon/deliverables/code_analysis_deliverable.md` with the title and first major section
 2. Use the **Edit** tool to append each remaining section — match the last few lines of the file, then replace with those lines plus the new section content
 3. Repeat step 2 for all remaining sections
- 4. Run `save-deliverable` with `--type CODE_ANALYSIS --file-path "deliverables/code_analysis_deliverable.md"`
+ 4. Run `save-deliverable` with `--type CODE_ANALYSIS --file-path ".shannon/deliverables/code_analysis_deliverable.md"`
 - **WARNING:** Do NOT write the entire report in a single tool call — exceeds 32K output token limit. Split into multiple Write/Edit operations.
 **EXECUTION PATTERN:**
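Review bot: `mkdir -p .shannon/deliverables/schemas/` and `--file-path ".shannon/deliverables/code_analysis_deliverable.md"` on the `+` lines are relative paths, so they only land in the writable overlay while the agent's working directory is still `{{REPO_PATH}}`; an agent that has `cd`'d into `.shannon/scratchpad/` (which this patch advertises as the place for scripts) would get a nested `.shannon/scratchpad/.shannon/deliverables/…` and a `save-deliverable` call that reads the wrong file. The pipeline-testing prompts in this same patch were switched to explicit `{{REPO_PATH}}/.shannon/…` for this reason; the worker prompts should use the same form, e.g. `mkdir -p {{REPO_PATH}}/.shannon/deliverables/schemas/` and `--file-path "{{REPO_PATH}}/.shannon/deliverables/code_analysis_deliverable.md"`. Every other `.shannon/deliverables/…` path rewritten by this patch uses the relative form too. Whether `mkdir -p` of a new subdirectory there succeeds depends on how the `.shannon/` overlay is mounted, which is outside this chunk.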
@@ -394,8 +399,8 @@ A component is **out-of-scope** if it **cannot** be invoked through the running
 - Phase 3: Synthesis and report generation completed
 2. **Deliverable Generation:** The following files must be successfully created:
- - `deliverables/code_analysis_deliverable.md` (via `save-deliverable` with `--file-path`, not inline `--content`)
- - `outputs/schemas/` directory with all discovered schema files copied (if any schemas found)
+ - `.shannon/deliverables/code_analysis_deliverable.md` (via `save-deliverable` with `--file-path`, not inline `--content`)
+ - `.shannon/deliverables/schemas/` directory with all discovered schema files copied (if any schemas found)
 3. **TodoWrite Completion:** All tasks in your todo list must be marked as completed
diff --git a/apps/worker/prompts/recon.txt b/apps/worker/prompts/recon.txt
index 693ef38..ce1f16c 100644
--- a/apps/worker/prompts/recon.txt
+++ b/apps/worker/prompts/recon.txt
@@ -7,12 +7,17 @@ Your goal is to create a comprehensive, structured map of the application's atta
-Your analysis must begin by reading and fully comprehending the initial intelligence report located at `deliverables/pre_recon_deliverable.md`. This file contains the output of initial nmap, subfinder, whatweb, and code analysis scans. This is your only starting information.
+Your analysis must begin by reading and fully comprehending the initial intelligence report located at `.shannon/deliverables/pre_recon_deliverable.md`. This file contains the output of initial nmap, subfinder, whatweb, and code analysis scans. This is your only starting information.
 URL: {{WEB_URL}}
 {{DESCRIPTION}}
+
+Filesystem:
+- {{REPO_PATH}}/ (read only)
+- {{REPO_PATH}}/.shannon/deliverables/ (read-write)
+- {{REPO_PATH}}/.shannon/scratchpad/ (read-write) - screenshots, scripts, scratch work, etc.
@@ -75,8 +80,8 @@ Please use these tools for the following use cases:
 **Phase Sequence:** PRE-RECON (Complete) → **RECONNAISSANCE (You)** → VULN ANALYSIS (5 agents) → EXPLOITATION (5 agents) → FINAL REPORT (next phase)
-**Your Input:** `deliverables/pre_recon_deliverable.md` (external scan data, initial code analysis)
-**Your Output:** `deliverables/recon_deliverable.md` (comprehensive attack surface map)
+**Your Input:** `.shannon/deliverables/pre_recon_deliverable.md` (external scan data, initial code analysis)
+**Your Output:** `.shannon/deliverables/recon_deliverable.md` (comprehensive attack surface map)
 **Shared Intelligence:** None (you are the first analysis specialist)
 **WHAT HAPPENED BEFORE YOU:**
@@ -106,7 +111,7 @@ You are the **Attack Surface Architect** - building the foundational intelligenc
 You must follow this methodical four-step process:
 1. **Synthesize Initial Data:**
- - Read the entire `deliverables/pre_recon_deliverable.md`.
+ - Read the entire `.shannon/deliverables/pre_recon_deliverable.md`.
 - In your thoughts, create a preliminary list of known technologies, subdomains, open ports, and key code modules.
 2. **Interactive Application Exploration:**
@@ -367,10 +372,10 @@ CRITICAL: Only include sources tracing to dangerous sinks (shell, DB, file ops,
 **DELIVERABLE SAVING:**
 1. **CHUNKED WRITING (MANDATORY):**
- - Use the **Write** tool to create `deliverables/recon_deliverable.md` with the title and first major section
+ - Use the **Write** tool to create `.shannon/deliverables/recon_deliverable.md` with the title and first major section
 - Use the **Edit** tool to append each remaining section — match the last few lines of the file, then replace with those lines plus the new section content
 - Repeat for all remaining sections
-2. Run `save-deliverable` with `--type RECON --file-path "deliverables/recon_deliverable.md"`
+2. Run `save-deliverable` with `--type RECON --file-path ".shannon/deliverables/recon_deliverable.md"`
 **WARNING:** Do NOT write the entire report in a single tool call — exceeds 32K output token limit. Split into multiple Write/Edit operations. Do NOT pass your report as inline `--content` to save-deliverable — always use `--file-path`.
diff --git a/apps/worker/prompts/report-executive.txt b/apps/worker/prompts/report-executive.txt
index 0dddaa4..edf0d8a 100644
--- a/apps/worker/prompts/report-executive.txt
+++ b/apps/worker/prompts/report-executive.txt
@@ -22,6 +22,11 @@ IMPORTANT: You are MODIFYING an existing file, not creating a new one.
 URL: {{WEB_URL}}
 {{DESCRIPTION}}
+
+Filesystem:
+- {{REPO_PATH}}/ (read only)
+- {{REPO_PATH}}/.shannon/deliverables/ (read-write)
+- {{REPO_PATH}}/.shannon/scratchpad/ (read-write) - screenshots, scripts, scratch work, etc.
@@ -31,13 +36,13 @@ Authentication Context:
 You will analyze the following deliverable files:
-- `deliverables/pre_recon_deliverable.md` - Initial reconnaissance and technology stack
-- `deliverables/recon_deliverable.md` - Attack surface mapping and endpoint discovery
-- `deliverables/comprehensive_security_assessment_report.md` - The already-concatenated report that you will modify
+- `.shannon/deliverables/pre_recon_deliverable.md` - Initial reconnaissance and technology stack
+- `.shannon/deliverables/recon_deliverable.md` - Attack surface mapping and endpoint discovery
+- `.shannon/deliverables/comprehensive_security_assessment_report.md` - The already-concatenated report that you will modify
-MODIFY the existing file `deliverables/comprehensive_security_assessment_report.md` by:
+MODIFY the existing file `.shannon/deliverables/comprehensive_security_assessment_report.md` by:
 1. ADDING these sections at the top:
@@ -98,7 +103,7 @@ IMPORTANT: Do NOT reorder the existing exploitation evidence sections. Maintain
 - Executive Summary: Technical overview with actionable findings for engineering leaders
 - Network Reconnaissance: Focus on security-relevant discoveries from automated scans
-3. Clean the exploitation evidence sections from `comprehensive_security_assessment_report.md` by applying these rules:
+3. Clean the exploitation evidence sections from `.shannon/deliverables/comprehensive_security_assessment_report.md` by applying these rules:
 - KEEP these specific section headings: NOTE: these sections will contain vulnerability lists with IDs matching pattern `### [TYPE]-VULN-[NUMBER]`
 * `# [Type] Exploitation Evidence`
@@ -119,8 +124,8 @@ IMPORTANT: Do NOT reorder the existing exploitation evidence sections. Maintain
 4. Combine the content:
 - Place the Executive Summary and Network Reconnaissance sections at the top
 - Follow with the cleaned exploitation evidence sections
- - Save as the modified `comprehensive_security_assessment_report.md`
+ - Save as the modified `.shannon/deliverables/comprehensive_security_assessment_report.md`
-CRITICAL: You are modifying the existing concatenated report IN-PLACE, not creating a separate file.
+CRITICAL: You are modifying the existing concatenated report at `.shannon/deliverables/comprehensive_security_assessment_report.md` IN-PLACE, not creating a separate file.
diff --git a/apps/worker/prompts/shared/_target.txt b/apps/worker/prompts/shared/_target.txt
index 822fd09..c0733be 100644
--- a/apps/worker/prompts/shared/_target.txt
+++ b/apps/worker/prompts/shared/_target.txt
@@ -1 +1,6 @@
-URL: {{WEB_URL}}
\ No newline at end of file
+URL: {{WEB_URL}}
+
+Filesystem:
+- {{REPO_PATH}}/ (read only)
+- {{REPO_PATH}}/.shannon/deliverables/ (read-write)
+- {{REPO_PATH}}/.shannon/scratchpad/ (read-write) - screenshots, scripts, scratch work, etc.
diff --git a/apps/worker/prompts/vuln-auth.txt b/apps/worker/prompts/vuln-auth.txt
index 8d6dff4..5cdc41d 100644
--- a/apps/worker/prompts/vuln-auth.txt
+++ b/apps/worker/prompts/vuln-auth.txt
@@ -33,7 +33,7 @@ Success criterion: A complete, code-backed analysis of every potential authentic
-- Your primary source of truth for the application's structure is the reconnaissance report located at `deliverables/recon_deliverable.md`. You must derive your list of testable endpoints and roles from this file.
+- Your primary source of truth for the application's structure is the reconnaissance report located at `.shannon/deliverables/recon_deliverable.md`. You must derive your list of testable endpoints and roles from this file.
@@ -41,8 +41,8 @@ Success criterion: A complete, code-backed analysis of every potential authentic
 **Phase Sequence:** RECON (Complete) → **AUTH ANALYSIS (You)** → EXPLOITATION (next phase)
-**Your Input:** `deliverables/recon_deliverable.md`, `deliverables/pre_recon_deliverable.md` (reconnaissance findings)
-**Your Output:** `deliverables/auth_analysis_deliverable.md` (analysis report for exploitation phase)
+**Your Input:** `.shannon/deliverables/recon_deliverable.md`, `.shannon/deliverables/pre_recon_deliverable.md` (reconnaissance findings)
+**Your Output:** `.shannon/deliverables/auth_analysis_deliverable.md` (analysis report for exploitation phase)
 **WHAT HAPPENED BEFORE YOU:**
 - Reconnaissance agent mapped application architecture, endpoints, and data flows
@@ -114,7 +114,7 @@ An **exploitable vulnerability** is a logical flaw in the code that represents a
 # White-Box Vulnerability Analysis Procedure: Broken Authentication (AuthN-only)
 NOTE ON "FOR ALL": whenever an item begins with "for all …", use the TodoWrite tool to create a separate task for each relevant endpoint/flow that needs to be analyzed.
-From `deliverables/pre_recon_deliverable.md`, use Section 3 and 6 to help guide your tasks.
+From `.shannon/deliverables/pre_recon_deliverable.md`, use Section 3 and 6 to help guide your tasks.
 ## 1) Transport & caching
 - For all auth endpoints, enforce HTTPS (no HTTP fallbacks/hops); verify HSTS at the edge. (for all: use TodoWrite tool to add each endpoint as a task)
@@ -244,10 +244,10 @@ These components were analyzed and found to have robust defenses. They are low-p 1. **Systematic Analysis:** ALL relevant API endpoints and user-facing features identified in the reconnaissance deliverable must be analyzed for AuthN/AuthZ flaws. 2. **Deliverable Generation:** Your deliverable must be successfully saved using the save-deliverable CLI tool: - **CHUNKED WRITING (MANDATORY):** - 1. Use the **Write** tool to create `deliverables/auth_analysis_deliverable.md` with the title and first major section + 1. Use the **Write** tool to create `.shannon/deliverables/auth_analysis_deliverable.md` with the title and first major section 2. Use the **Edit** tool to append each remaining section — match the last few lines of the file, then replace with those lines plus the new section content 3. Repeat step 2 for all remaining sections - 4. Run `save-deliverable` with `--type AUTH_ANALYSIS --file-path "deliverables/auth_analysis_deliverable.md"` + 4. Run `save-deliverable` with `--type AUTH_ANALYSIS --file-path ".shannon/deliverables/auth_analysis_deliverable.md"` **WARNING:** Do NOT write the entire report in a single tool call — exceeds 32K output token limit. Split into multiple Write/Edit operations. **Note:** Save your deliverable markdown via save-deliverable first. The exploitation queue is captured automatically at the end of your session. diff --git a/apps/worker/prompts/vuln-authz.txt b/apps/worker/prompts/vuln-authz.txt index f832bba..b1c1406 100644 --- a/apps/worker/prompts/vuln-authz.txt +++ b/apps/worker/prompts/vuln-authz.txt 
@@ -32,7 +32,7 @@ Success criterion: A complete, code-backed analysis of every potential authoriza -- Your **primary source of truth** for authorization test targets is the reconnaissance report at `deliverables/recon_deliverable.md`. Look specifically for: +- Your **primary source of truth** for authorization test targets is the reconnaissance report at `.shannon/deliverables/recon_deliverable.md`. Look specifically for: - **"Horizontal" section:** Endpoints where users access resources by ID that might belong to other users - **"Vertical" section:** Admin/privileged endpoints that regular users shouldn't access - **"Context" section:** Multi-step workflows where order/state matters @@ -44,8 +44,8 @@ Success criterion: A complete, code-backed analysis of every potential authoriza **Phase Sequence:** RECON (Complete) → **AUTHZ ANALYSIS (You)** → EXPLOITATION (next phase) -**Your Input:** `deliverables/recon_deliverable.md`, `deliverables/pre_recon_deliverable.md` (reconnaissance findings) -**Your Output:** `deliverables/authz_analysis_deliverable.md` (analysis report for exploitation phase) +**Your Input:** `.shannon/deliverables/recon_deliverable.md`, `.shannon/deliverables/pre_recon_deliverable.md` (reconnaissance findings) +**Your Output:** `.shannon/deliverables/authz_analysis_deliverable.md` (analysis report for exploitation phase) **WHAT HAPPENED BEFORE YOU:** - Reconnaissance agent mapped application architecture, endpoints, and data flows @@ -125,7 +125,7 @@ An **exploitable vulnerability** is a logical flaw in the code that represents a ### 1) Horizontal Authorization Analysis - **Create To Dos:** - For each item listed under **`deliverables/recon_deliverable.md` → section 8 "Horizontal"*, use the TodoWrite tool to create a task entry. + For each item listed under **`.shannon/deliverables/recon_deliverable.md` → section 8 "Horizontal"*, use the TodoWrite tool to create a task entry. - **Process:** - Start at the identified endpoint. 
@@ -157,7 +157,7 @@ An **exploitable vulnerability** is a logical flaw in the code that represents a ### 2) Vertical Authorization Analysis - **Create To Dos:** - For each item listed under **`deliverables/recon_deliverable.md` → section 8 "Vertical"**, use the TodoWrite tool to create a task entry. + For each item listed under **`.shannon/deliverables/recon_deliverable.md` → section 8 "Vertical"**, use the TodoWrite tool to create a task entry. - **Process:** - Start at the identified endpoint. @@ -183,7 +183,7 @@ An **exploitable vulnerability** is a logical flaw in the code that represents a ### 3) Context / Workflow Authorization Analysis - **Create To Dos:** - For each item listed under **`deliverables/recon_deliverable.md` → section 8 "Context"**, use the TodoWrite tool to create a task entry. + For each item listed under **`.shannon/deliverables/recon_deliverable.md` → section 8 "Context"**, use the TodoWrite tool to create a task entry. - **Process:** - Start at the endpoint that represents a step in a workflow. 
@@ -347,10 +347,10 @@ examples: 1. **Todo Completion:** ALL tasks in your TodoWrite list must be marked as "completed" 2. **Deliverable Generation:** Your deliverable must be successfully saved using the save-deliverable CLI tool: - **CHUNKED WRITING (MANDATORY):** - 1. Use the **Write** tool to create `deliverables/authz_analysis_deliverable.md` with the title and first major section + 1. Use the **Write** tool to create `.shannon/deliverables/authz_analysis_deliverable.md` with the title and first major section 2. Use the **Edit** tool to append each remaining section — match the last few lines of the file, then replace with those lines plus the new section content 3. Repeat step 2 for all remaining sections - 4. Run `save-deliverable` with `--type AUTHZ_ANALYSIS --file-path "deliverables/authz_analysis_deliverable.md"` + 4. Run `save-deliverable` with `--type AUTHZ_ANALYSIS --file-path ".shannon/deliverables/authz_analysis_deliverable.md"` **WARNING:** Do NOT write the entire report in a single tool call — exceeds 32K output token limit. Split into multiple Write/Edit operations. **Note:** Save your deliverable markdown via save-deliverable first. The exploitation queue is captured automatically at the end of your session. diff --git a/apps/worker/prompts/vuln-injection.txt b/apps/worker/prompts/vuln-injection.txt index ed60afb..2f7b330 100644 --- a/apps/worker/prompts/vuln-injection.txt +++ b/apps/worker/prompts/vuln-injection.txt @@ -33,7 +33,7 @@ Success criterion: Complete source-to-sink traces detailing path, sanitizers, si -- Your **single source of truth** for the application's structure is the reconnaissance report located at `deliverables/recon_deliverable.md`. You must derive your list of testable targets from this file. +- Your **single source of truth** for the application's structure is the reconnaissance report located at `.shannon/deliverables/recon_deliverable.md`. You must derive your list of testable targets from this file. 
@@ -42,8 +42,8 @@ Success criterion: Complete source-to-sink traces detailing path, sanitizers, si **Phase Sequence:** RECON (Complete) → **INJECTION ANALYSIS (You)** → EXPLOITATION (next phase) -**Your Input:** `deliverables/recon_deliverable.md` (reconnaissance findings) -**Your Output:** `deliverables/injection_analysis_deliverable.md` (analysis report for exploitation phase) +**Your Input:** `.shannon/deliverables/recon_deliverable.md` (reconnaissance findings) +**Your Output:** `.shannon/deliverables/injection_analysis_deliverable.md` (analysis report for exploitation phase) **WHAT HAPPENED BEFORE YOU:** - Reconnaissance agent mapped application architecture, attack surfaces, endpoints, input vectors @@ -124,7 +124,7 @@ An **exploitable vulnerability** is a confirmed source-to-sink path where the en - **Goal:** Prove whether untrusted input can influence the **structure** of a backend command (SQL or Shell) or reach sensitive **slots** without the correct defense. No live exploitation in this phase. - **1) Create a To Do for each Injection Source found in the Pre-Recon Deliverable - - inside of deliverables/pre_recon_deliverable.md under the section "7. Injection Sources (Command Injection and SQL Injection)" use the TodoWrite tool to create a task for each discovered Injection Source. + - inside of .shannon/deliverables/pre_recon_deliverable.md under the section "7. Injection Sources (Command Injection and SQL Injection)" use the TodoWrite tool to create a task for each discovered Injection Source. - Note: All sources are marked as Tainted until they Hit a Santiization that matches the sink context. normalizers (lowercasing, trimming, JSON parse, schema decode) — still **tainted**. - **2) Trace Data Flow Paths from Source to Sink** - For each source, your goal is to identify every unique "Data Flow Path" to a database sink. A path is a distinct route the data takes through the code. 
@@ -148,7 +148,7 @@ An **exploitable vulnerability** is a confirmed source-to-sink path where the en - If concat occurred **after** sanitization, treat that sanitization as **non-effective** for this path. - **6) Append to findings list (consistent fields)** - **If the verdict is `vulnerable`:** Include the finding in your exploitation queue. Set `externally_exploitable` to `true` ONLY if exploitable via public internet without internal access. Ensure all fields in the `exploitation_queue_format`, including a minimal `witness_payload`, are populated. - - **If the verdict is `safe`:** DO NOT add the finding to the exploitation queue. These secure vectors must be documented later in the "Vectors Analyzed and Confirmed Secure" section of your final Markdown report (`deliverables/injection_analysis_deliverable.md`). + - **If the verdict is `safe`:** DO NOT add the finding to the exploitation queue. These secure vectors must be documented later in the "Vectors Analyzed and Confirmed Secure" section of your final Markdown report (`.shannon/deliverables/injection_analysis_deliverable.md`). - **If a single source is found to be vulnerable via multiple, distinct paths to different sinks, you must create a separate vulnerability entry in the exploitation queue for each unique vulnerable path.** - **QUEUE INCLUSION CRITERIA:** ONLY include vulnerabilities where `externally_exploitable = true`. Exclude any vulnerability requiring internal network access, VPN, or direct server access. 
@@ -287,7 +287,7 @@ When you have systematically analyzed all input vectors, you MUST generate two f **1. Your Specialist Deliverable** -First, synthesize all of your findings into a single, detailed Markdown report located at `deliverables/injection_analysis_deliverable.md`. This report is the official record of your work. +First, synthesize all of your findings into a single, detailed Markdown report located at `.shannon/deliverables/injection_analysis_deliverable.md`. This report is the official record of your work. Your report MUST use the following structure precisely: @@ -352,10 +352,10 @@ These input vectors were traced and confirmed to have robust, context-appropriat 1. **Todo Completion:** ALL tasks in your TodoWrite list must be marked as "completed" 2. **Deliverable Generation:** Your deliverable must be successfully saved using the save-deliverable CLI tool: - **CHUNKED WRITING (MANDATORY):** - 1. Use the **Write** tool to create `deliverables/injection_analysis_deliverable.md` with the title and first major section + 1. Use the **Write** tool to create `.shannon/deliverables/injection_analysis_deliverable.md` with the title and first major section 2. Use the **Edit** tool to append each remaining section — match the last few lines of the file, then replace with those lines plus the new section content 3. Repeat step 2 for all remaining sections - 4. Run `save-deliverable` with `--type INJECTION_ANALYSIS --file-path "deliverables/injection_analysis_deliverable.md"` + 4. Run `save-deliverable` with `--type INJECTION_ANALYSIS --file-path ".shannon/deliverables/injection_analysis_deliverable.md"` **WARNING:** Do NOT write the entire report in a single tool call — exceeds 32K output token limit. Split into multiple Write/Edit operations. **Note:** Save your deliverable markdown via save-deliverable first. The exploitation queue is captured automatically at the end of your session. 
diff --git a/apps/worker/prompts/vuln-ssrf.txt b/apps/worker/prompts/vuln-ssrf.txt index 78fc046..b55e2f5 100644 --- a/apps/worker/prompts/vuln-ssrf.txt +++ b/apps/worker/prompts/vuln-ssrf.txt @@ -32,7 +32,7 @@ Success criterion: A complete source-to-sink trace for every identified SSRF vul -- Your primary source of truth for the application's structure is the reconnaissance report located at `deliverables/recon_deliverable.md`. You must derive your list of testable endpoints from this file. +- Your primary source of truth for the application's structure is the reconnaissance report located at `.shannon/deliverables/recon_deliverable.md`. You must derive your list of testable endpoints from this file. @@ -40,8 +40,8 @@ Success criterion: A complete source-to-sink trace for every identified SSRF vul **Phase Sequence:** RECON (Complete) → **SSRF ANALYSIS (You)** → EXPLOITATION (next phase) -**Your Input:** `deliverables/recon_deliverable.md`, `deliverables/pre_recon_deliverable.md` (reconnaissance findings) -**Your Output:** `deliverables/ssrf_analysis_deliverable.md` (analysis report for exploitation phase) +**Your Input:** `.shannon/deliverables/recon_deliverable.md`, `.shannon/deliverables/pre_recon_deliverable.md` (reconnaissance findings) +**Your Output:** `.shannon/deliverables/ssrf_analysis_deliverable.md` (analysis report for exploitation phase) **WHAT HAPPENED BEFORE YOU:** - Reconnaissance agent mapped application architecture, endpoints, and data flows 
@@ -114,7 +114,7 @@ An **exploitable vulnerability** is a data flow where user-controlled input infl # White-Box Vulnerability Analysis Procedure: Server-Side Request Forgery (SSRF) NOTE ON "FOR ALL": whenever an item begins with "for all …", use the TodoWrite tool to create a separate task for each relevant endpoint/flow that needs to be analyzed. -From `deliverables/pre_recon_deliverable.md`, use Section 10 (SSRF Sinks) to guide your tasks. +From `.shannon/deliverables/pre_recon_deliverable.md`, use Section 10 (SSRF Sinks) to guide your tasks. ## 1) Identify HTTP Client Usage Patterns - For all endpoints that accept URL parameters, callback URLs, webhook URLs, or file paths, trace how these inputs are processed. @@ -166,7 +166,7 @@ From `deliverables/pre_recon_deliverable.md`, use Section 10 (SSRF Sinks) to gui ### **1) Create a To-Do Item for Each SSRF Sink** -Inside `deliverables/pre_recon_deliverable.md` under section `##10. SSRF Sinks##`. +Inside `.shannon/deliverables/pre_recon_deliverable.md` under section `##10. SSRF Sinks##`. Use the TodoWrite tool to create a task for each discovered sink (any server-side request composed even partially from user input). 
@@ -291,10 +291,10 @@ These components were analyzed and found to have robust defenses. They are low-p 1. **Systematic Analysis:** ALL relevant API endpoints and request-making features identified in the reconnaissance deliverable must be analyzed for SSRF vulnerabilities. 2. **Deliverable Generation:** Your deliverable must be successfully saved using the save-deliverable CLI tool: - **CHUNKED WRITING (MANDATORY):** - 1. Use the **Write** tool to create `deliverables/ssrf_analysis_deliverable.md` with the title and first major section + 1. Use the **Write** tool to create `.shannon/deliverables/ssrf_analysis_deliverable.md` with the title and first major section 2. Use the **Edit** tool to append each remaining section — match the last few lines of the file, then replace with those lines plus the new section content 3. Repeat step 2 for all remaining sections - 4. Run `save-deliverable` with `--type SSRF_ANALYSIS --file-path "deliverables/ssrf_analysis_deliverable.md"` + 4. Run `save-deliverable` with `--type SSRF_ANALYSIS --file-path ".shannon/deliverables/ssrf_analysis_deliverable.md"` **WARNING:** Do NOT write the entire report in a single tool call — exceeds 32K output token limit. Split into multiple Write/Edit operations. **Note:** Save your deliverable markdown via save-deliverable first. The exploitation queue is captured automatically at the end of your session. diff --git a/apps/worker/prompts/vuln-xss.txt b/apps/worker/prompts/vuln-xss.txt index 42b7562..2776d3d 100644 --- a/apps/worker/prompts/vuln-xss.txt +++ b/apps/worker/prompts/vuln-xss.txt 
@@ -32,7 +32,7 @@ Success criterion: Live confirmation of XSS execution for every vulnerability th -- Your primary source of truth for the application's structure is the reconnaissance report located at deliverables/recon_deliverable.md. You must derive your list of testable targets from this file. +- Your primary source of truth for the application's structure is the reconnaissance report located at .shannon/deliverables/recon_deliverable.md. You must derive your list of testable targets from this file. @@ -40,8 +40,8 @@ Success criterion: Live confirmation of XSS execution for every vulnerability th **Phase Sequence:** RECON (Complete) → **XSS ANALYSIS (You)** → EXPLOITATION (next phase) -**Your Input:** `deliverables/recon_deliverable.md`, `deliverables/pre_recon_deliverable.md` (reconnaissance findings) -**Your Output:** `deliverables/xss_analysis_deliverable.md` (analysis report for exploitation phase) +**Your Input:** `.shannon/deliverables/recon_deliverable.md`, `.shannon/deliverables/pre_recon_deliverable.md` (reconnaissance findings) +**Your Output:** `.shannon/deliverables/xss_analysis_deliverable.md` (analysis report for exploitation phase) **WHAT HAPPENED BEFORE YOU:** - Reconnaissance agent mapped application architecture @@ -72,7 +72,7 @@ An **exploitable vulnerability** is a confirmed source-to-sink path where the en **CRITICAL TOOL USAGE RESTRICTIONS:** - NEVER use the Read tool for application source code analysis - ALWAYS delegate to Task agents for examining .js, .ts, .py, .php files and application logic. You MAY use Read - tool directly for these files: `deliverables/pre_recon_deliverable.md`, `deliverables/recon_deliverable.md` + tool directly for these files: `.shannon/deliverables/pre_recon_deliverable.md`, `.shannon/deliverables/recon_deliverable.md` - Direct the Task Agent to trace render contexts, sanitization coverage, and template/component boundaries before deciding on exploitability. - **ALWAYS delegate code analysis to Task agents** 
@@ -124,7 +124,7 @@ Structure: The vulnerability JSON object MUST follow this exact format: - **Core Principle:** Data is assumed to be tainted until a context-appropriate output encoder (sanitization) is encountered on its path to the sink. ### **1) Create a todo item for each XSS sink using the TodoWrite tool** -Read deliverables/pre_recon_deliverable.md section ##9. XSS Sinks and Render Contexts## and use the **TodoWrite tool** to create a todo item for each discovered sink-context pair that needs analysis. +Read .shannon/deliverables/pre_recon_deliverable.md section ##9. XSS Sinks and Render Contexts## and use the **TodoWrite tool** to create a todo item for each discovered sink-context pair that needs analysis. ### **2) Trace Each Sink Backward (Backward Taint Analysis)** For each pending item in your todo list (managed via TodoWrite tool), trace the origin of the data variable backward from the sink through the application logic. Your goal is to find either a valid sanitizer or an untrusted source. Mark each todo item as completed after you've fully analyzed that sink. @@ -211,7 +211,7 @@ When you have systematically analyzed all input vectors, you MUST generate two f ## 1. Your Specialist Deliverable - First, synthesize all of your findings into a single, detailed Markdown report located at - `deliverables/xss_analysis_deliverable.md`. + `.shannon/deliverables/xss_analysis_deliverable.md`. - Your report MUST use the following structure precisely: 
@@ -272,10 +272,10 @@ COMPLETION REQUIREMENTS (ALL must be satisfied): 1. Systematic Analysis: ALL input vectors identified from the reconnaissance deliverable must be analyzed. 2. Deliverable Generation: Your deliverable must be successfully saved using the save-deliverable CLI tool: - **CHUNKED WRITING (MANDATORY):** - 1. Use the **Write** tool to create `deliverables/xss_analysis_deliverable.md` with the title and first major section + 1. Use the **Write** tool to create `.shannon/deliverables/xss_analysis_deliverable.md` with the title and first major section 2. Use the **Edit** tool to append each remaining section — match the last few lines of the file, then replace with those lines plus the new section content 3. Repeat step 2 for all remaining sections - 4. Run `save-deliverable` with `--type XSS_ANALYSIS --file-path "deliverables/xss_analysis_deliverable.md"` + 4. Run `save-deliverable` with `--type XSS_ANALYSIS --file-path ".shannon/deliverables/xss_analysis_deliverable.md"` **WARNING:** Do NOT write the entire report in a single tool call — exceeds 32K output token limit. Split into multiple Write/Edit operations. **Note:** Save your deliverable markdown via save-deliverable first. The exploitation queue is captured automatically at the end of your session. diff --git a/apps/worker/src/ai/claude-executor.ts b/apps/worker/src/ai/claude-executor.ts index c5d43a1..fbc7b8e 100644 --- a/apps/worker/src/ai/claude-executor.ts +++ b/apps/worker/src/ai/claude-executor.ts @@ -72,7 +72,7 @@ async function writeErrorLog( }, duration, }; - const logPath = path.join(sourceDir, 'error.log'); + const logPath = path.join(sourceDir, '.shannon', 'deliverables', 'error.log'); await fs.appendFile(logPath, `${JSON.stringify(errorLog)}\n`); } catch { // Best-effort error log writing - don't propagate failures 
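Review bot: `error.log` now lands inside the git-checkpointed deliverables overlay, and `failAgent` rolls that same directory back via `rollbackGitWorkspace(deliverablesPath)` after a failed attempt, so if that rollback discards untracked files the log written for the very failure being diagnosed would be wiped — `rollbackGitWorkspace` is not visible here, so please confirm its behaviour. The same exposure existed when the log was written to the repo root, but the move makes it worth settling now. If untracked files are cleaned on rollback, point the log at the non-versioned overlay instead, `const logPath = path.join(sourceDir, '.shannon', 'scratchpad', 'error.log');`, or ignore it inside the deliverables repo. `writeErrorLog` starts outside the hunk.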
@@ -152,6 +152,7 @@ export async function runClaudePrompt( // 3. Build env vars to pass to SDK subprocesses const sdkEnv: Record = { CLAUDE_CODE_MAX_OUTPUT_TOKENS: process.env.CLAUDE_CODE_MAX_OUTPUT_TOKENS || '64000', + PLAYWRIGHT_MCP_OUTPUT_DIR: path.join(sourceDir, '.shannon', '.playwright-cli'), }; const passthroughVars = [ 'ANTHROPIC_API_KEY', diff --git a/apps/worker/src/audit/utils.ts b/apps/worker/src/audit/utils.ts index 2715e57..2b64371 100644 --- a/apps/worker/src/audit/utils.ts +++ b/apps/worker/src/audit/utils.ts @@ -11,7 +11,6 @@ * All functions are pure and crash-safe. */ -import fs from 'node:fs/promises'; import path from 'node:path'; import { WORKSPACES_DIR } from '../paths.js'; import { ensureDirectory } from '../utils/file-io.js'; @@ -98,33 +97,3 @@ export async function initializeAuditStructure(sessionMetadata: SessionMetadata) await ensureDirectory(promptsPath); await ensureDirectory(deliverablesPath); } - -/** - * Copy deliverable files from repo to workspaces for self-contained audit trail. - * No-ops if source directory doesn't exist. Idempotent and parallel-safe. - */ -export async function copyDeliverablesToAudit(sessionMetadata: SessionMetadata, repoPath: string): Promise { - const sourceDir = path.join(repoPath, 'deliverables'); - const destDir = path.join(generateAuditPath(sessionMetadata), 'deliverables'); - - let entries: string[]; - try { - entries = await fs.readdir(sourceDir); - } catch { - // Source directory doesn't exist yet — nothing to copy - return; - } - - await ensureDirectory(destDir); - - for (const entry of entries) { - const sourcePath = path.join(sourceDir, entry); - const destPath = path.join(destDir, entry); - - // Only copy files, skip subdirectories - const stat = await fs.stat(sourcePath); - if (stat.isFile()) { - await fs.copyFile(sourcePath, destPath); - } - } -} diff --git a/apps/worker/src/scripts/save-deliverable.ts b/apps/worker/src/scripts/save-deliverable.ts index 409c34d..e0400fa 100644 
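Review bot: `PLAYWRIGHT_MCP_OUTPUT_DIR` is set to `.shannon/.playwright-cli`, a directory the agent-facing filesystem map added to `_target.txt` in this same patch does not mention (it lists only `deliverables/` and `scratchpad/` as writable, with scratchpad named for screenshots), so agents told to save screenshots under the scratchpad and Playwright writing elsewhere may disagree on where artifacts end up. Nothing in this hunk ensures the directory exists before the SDK subprocess starts; the commit message says mount points are pre-created, but if the MCP server does not create missing output directories itself, add `await fs.mkdir(path.join(sourceDir, '.shannon', '.playwright-cli'), { recursive: true });` before building `sdkEnv`. Either way, a one-line comment above the entry, `// user repo is mounted read-only; Playwright output must go to the writable .shannon/ overlay`, would explain the otherwise odd location. `runClaudePrompt` continues past the hunk.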
--- a/apps/worker/src/scripts/save-deliverable.ts +++ b/apps/worker/src/scripts/save-deliverable.ts @@ -52,7 +52,7 @@ function parseArgs(argv: string[]): ParsedArgs { // === File Operations === function saveDeliverableFile(targetDir: string, filename: string, content: string): string { - const deliverablesDir = join(targetDir, 'deliverables'); + const deliverablesDir = join(targetDir, '.shannon', 'deliverables'); const filepath = join(deliverablesDir, filename); try { diff --git a/apps/worker/src/services/agent-execution.ts b/apps/worker/src/services/agent-execution.ts index 48aba61..50bd697 100644 --- a/apps/worker/src/services/agent-execution.ts +++ b/apps/worker/src/services/agent-execution.ts @@ -44,6 +44,7 @@ import { loadPrompt } from './prompt-manager.js'; export interface AgentExecutionInput { webUrl: string; repoPath: string; + deliverablesPath: string; configPath?: string | undefined; pipelineTestingMode?: boolean | undefined; attemptNumber: number; @@ -89,7 +90,7 @@ export class AgentExecutionService { auditSession: AuditSession, logger: ActivityLogger, ): Promise> { - const { webUrl, repoPath, configPath, pipelineTestingMode = false, attemptNumber } = input; + const { webUrl, repoPath, deliverablesPath, configPath, pipelineTestingMode = false, attemptNumber } = input; // 1. Load config (if provided) const configResult = await this.configLoader.loadOptional(configPath); @@ -118,7 +119,7 @@ export class AgentExecutionService { // 3. Create git checkpoint before execution try { - await createGitCheckpoint(repoPath, agentName, attemptNumber, logger); + await createGitCheckpoint(deliverablesPath, agentName, attemptNumber, logger); } catch (error) { const errorMessage = error instanceof Error ? error.message : String(error); return err( 
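Review bot: `saveDeliverableFile` joins `filename` onto the deliverables directory with no containment check, so a `filename` holding `..` segments or an absolute path would be written outside `.shannon/deliverables/` — now either failing against the read-only repo mount or escaping into another writable overlay. I cannot see whether `filename` is derived from `--type` or taken from the caller-supplied `--file-path`, so this may already be constrained; if it is not, resolve and check the prefix before writing: `const filepath = resolve(deliverablesDir, filename); if (!filepath.startsWith(resolve(deliverablesDir) + sep)) throw new Error(\`refusing to write outside ${deliverablesDir}\`);` (`resolve` and `sep` from `node:path`). The `try` block that follows extends past the hunk.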
@@ -126,7 +127,7 @@ export class AgentExecutionService { `Failed to create git checkpoint for ${agentName}: ${errorMessage}`, 'filesystem', false, - { agentName, repoPath, originalError: errorMessage }, + { agentName, deliverablesPath, originalError: errorMessage }, ErrorCode.GIT_CHECKPOINT_FAILED, ), ); @@ -153,7 +154,7 @@ export class AgentExecutionService { if (result.success && (result.turns ?? 0) <= 2 && (result.cost || 0) === 0) { const resultText = result.result || ''; if (isSpendingCapBehavior(result.turns ?? 0, result.cost || 0, resultText)) { - return this.failAgent(agentName, repoPath, auditSession, logger, { + return this.failAgent(agentName, deliverablesPath, auditSession, logger, { attemptNumber, result, rollbackReason: 'spending cap detected', @@ -168,7 +169,7 @@ export class AgentExecutionService { // 7. Handle execution failure if (!result.success) { - return this.failAgent(agentName, repoPath, auditSession, logger, { + return this.failAgent(agentName, deliverablesPath, auditSession, logger, { attemptNumber, result, rollbackReason: 'execution failure', @@ -183,7 +184,7 @@ export class AgentExecutionService { // 8. Write structured output to disk (vuln agents only) const queueFilename = getQueueFilename(agentName); if (result.structuredOutput !== undefined && queueFilename) { - const deliverablesDir = path.join(repoPath, 'deliverables'); + const deliverablesDir = path.join(repoPath, '.shannon', 'deliverables'); await fs.ensureDir(deliverablesDir); const queuePath = path.join(deliverablesDir, queueFilename); await fs.writeFile(queuePath, JSON.stringify(result.structuredOutput, null, 2), 'utf8'); 
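Review bot: The queue directory in step 8 is recomputed as `path.join(repoPath, '.shannon', 'deliverables')` even though the enclosing method now receives `deliverablesPath` from the caller and uses it for the checkpoint, commit and rollback; if the two ever diverge, the queue JSON would sit outside the git-managed directory and escape the rollback `failAgent` performs. Use the value already in scope, `const deliverablesDir = deliverablesPath;`, and add a comment such as `// queue must live inside the checkpointed deliverables repo so rollback covers it`. The enclosing method spans well beyond this hunk.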
@@ -193,7 +194,7 @@ export class AgentExecutionService { // 9. Validate output const validationPassed = await validateAgentOutput(result, agentName, repoPath, logger); if (!validationPassed) { - return this.failAgent(agentName, repoPath, auditSession, logger, { + return this.failAgent(agentName, deliverablesPath, auditSession, logger, { attemptNumber, result, rollbackReason: 'validation failure', @@ -206,8 +207,8 @@ export class AgentExecutionService { } // 10. Success - commit deliverables, then capture checkpoint hash - await commitGitSuccess(repoPath, agentName, logger); - const commitHash = await getGitCommitHash(repoPath); + await commitGitSuccess(deliverablesPath, agentName, logger); + const commitHash = await getGitCommitHash(deliverablesPath); const endResult: AgentEndResult = { attemptNumber, @@ -224,12 +225,12 @@ export class AgentExecutionService { private async failAgent( agentName: AgentName, - repoPath: string, + deliverablesPath: string, auditSession: AuditSession, logger: ActivityLogger, opts: FailAgentOpts, ): Promise> { - await rollbackGitWorkspace(repoPath, opts.rollbackReason, logger); + await rollbackGitWorkspace(deliverablesPath, opts.rollbackReason, logger); const endResult: AgentEndResult = { attemptNumber: opts.attemptNumber, diff --git a/apps/worker/src/services/queue-validation.ts b/apps/worker/src/services/queue-validation.ts index 4f79f65..1aec900 100644 --- a/apps/worker/src/services/queue-validation.ts +++ b/apps/worker/src/services/queue-validation.ts @@ -133,8 +133,8 @@ const createPaths = (vulnType: VulnType, sourceDir: string): PathsBase | PathsWi return Object.freeze({ vulnType, - deliverable: path.join(sourceDir, 'deliverables', config.deliverable), - queue: path.join(sourceDir, 'deliverables', config.queue), + deliverable: path.join(sourceDir, '.shannon', 'deliverables', config.deliverable), + queue: path.join(sourceDir, '.shannon', 'deliverables', config.queue), sourceDir, }); }; 
diff --git a/apps/worker/src/services/reporting.ts b/apps/worker/src/services/reporting.ts index c138927..9e33996 100644 --- a/apps/worker/src/services/reporting.ts +++ b/apps/worker/src/services/reporting.ts @@ -28,7 +28,7 @@ export async function assembleFinalReport(sourceDir: string, logger: ActivityLog const sections: string[] = []; for (const file of deliverableFiles) { - const filePath = path.join(sourceDir, 'deliverables', file.path); + const filePath = path.join(sourceDir, '.shannon', 'deliverables', file.path); try { if (await fs.pathExists(filePath)) { const content = await fs.readFile(filePath, 'utf8'); @@ -55,7 +55,7 @@ export async function assembleFinalReport(sourceDir: string, logger: ActivityLog } const finalContent = sections.join('\n\n'); - const deliverablesDir = path.join(sourceDir, 'deliverables'); + const deliverablesDir = path.join(sourceDir, '.shannon', 'deliverables'); const finalReportPath = path.join(deliverablesDir, 'comprehensive_security_assessment_report.md'); try { @@ -117,7 +117,7 @@ export async function injectModelIntoReport( logger.info(`Injecting model info into report: ${modelStr}`); // 3. Read the final report - const reportPath = path.join(repoPath, 'deliverables', 'comprehensive_security_assessment_report.md'); + const reportPath = path.join(repoPath, '.shannon', 'deliverables', 'comprehensive_security_assessment_report.md'); if (!(await fs.pathExists(reportPath))) { logger.warn('Final report not found, skipping model injection'); diff --git a/apps/worker/src/session-manager.ts b/apps/worker/src/session-manager.ts index 817397a..8eaf0c6 100644 --- a/apps/worker/src/session-manager.ts +++ b/apps/worker/src/session-manager.ts 
@@ -143,7 +143,7 @@ function createVulnValidator(vulnType: VulnType): AgentValidator {
 // Factory function for exploit deliverable validators
 function createExploitValidator(vulnType: VulnType): AgentValidator {
 return async (sourceDir: string): Promise => {
- const evidenceFile = path.join(sourceDir, 'deliverables', `${vulnType}_exploitation_evidence.md`);
+ const evidenceFile = path.join(sourceDir, '.shannon', 'deliverables', `${vulnType}_exploitation_evidence.md`);
 return await fs.pathExists(evidenceFile);
 };
 }
@@ -179,13 +179,13 @@ export const PLAYWRIGHT_SESSION_MAPPING: Record = Obj
 export const AGENT_VALIDATORS: Record = Object.freeze({
 // Pre-reconnaissance agent - validates the code analysis deliverable created by the agent
 'pre-recon': async (sourceDir: string): Promise => {
- const codeAnalysisFile = path.join(sourceDir, 'deliverables', 'code_analysis_deliverable.md');
+ const codeAnalysisFile = path.join(sourceDir, '.shannon', 'deliverables', 'code_analysis_deliverable.md');
 return await fs.pathExists(codeAnalysisFile);
 },
 // Reconnaissance agent
 recon: async (sourceDir: string): Promise => {
- const reconFile = path.join(sourceDir, 'deliverables', 'recon_deliverable.md');
+ const reconFile = path.join(sourceDir, '.shannon', 'deliverables', 'recon_deliverable.md');
 return await fs.pathExists(reconFile);
 },
@@ -205,7 +205,7 @@ export const AGENT_VALIDATORS: Record = Object.freeze
 // Executive report agent
 report: async (sourceDir: string, logger: ActivityLogger): Promise => {
- const reportFile = path.join(sourceDir, 'deliverables', 'comprehensive_security_assessment_report.md');
+ const reportFile = path.join(sourceDir, '.shannon', 'deliverables', 'comprehensive_security_assessment_report.md');
 const reportExists = await fs.pathExists(reportFile);
diff --git a/apps/worker/src/temporal/activities.ts b/apps/worker/src/temporal/activities.ts
index 5e2c5db..bca205a 100644
--- a/apps/worker/src/temporal/activities.ts
+++ b/apps/worker/src/temporal/activities.ts
@@ -20,7 +20,7 @@ import path from 'node:path';
 import { ApplicationFailure, Context, heartbeat } from '@temporalio/activity';
 import { AuditSession } from '../audit/index.js';
 import type { ResumeAttempt } from '../audit/metrics-tracker.js';
-import { copyDeliverablesToAudit, type SessionMetadata } from '../audit/utils.js';
+import type { SessionMetadata } from '../audit/utils.js';
 import type { WorkflowSummary } from '../audit/workflow-logger.js';
 import { getContainer, getOrCreateContainer, removeContainer } from '../services/container.js';
 import { classifyErrorForTemporal, PentestError } from '../services/error-handling.js';
@@ -126,11 +126,13 @@ async function runAgentActivity(agentName: AgentName, input: ActivityInput): Pro
 await auditSession.initialize(workflowId);
 // 3. Execute agent via service (throws PentestError on failure)
+ const deliverablesPath = path.join(repoPath, '.shannon', 'deliverables');
 const endResult = await container.agentExecution.executeOrThrow(
 agentName,
 {
 webUrl,
 repoPath,
+ deliverablesPath,
 configPath,
 pipelineTestingMode,
 attemptNumber,
@@ -311,6 +313,31 @@ export async function runPreflightValidation(input: ActivityInput): Promise {
+ const deliverablesPath = path.join(input.repoPath, '.shannon', 'deliverables');
+ await fs.mkdir(deliverablesPath, { recursive: true });
+
+ // Check for .git directly inside deliverables, not parent repo's .git
+ const dotGitPath = path.join(deliverablesPath, '.git');
+ try {
+ await fs.stat(dotGitPath);
+ return;
+ } catch {
+ // .git doesn't exist, proceed with init
+ }
+
+ await executeGitCommandWithRetry(['git', 'init'], deliverablesPath, 'init deliverables repo');
+ await executeGitCommandWithRetry(
+ ['git', 'commit', '--allow-empty', '-m', '📍 Initial deliverables checkpoint'],
+ deliverablesPath,
+ 'initial checkpoint',
+ );
+}
+
 /**
  * Assemble the final report by concatenating exploitation evidence files.
  */
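Review bot: The bare `catch {}` around `fs.stat(dotGitPath)` treats every failure as "no repo yet", so an EACCES or EIO on an existing `.shannon/deliverables/.git` falls through to `git init` plus a fresh empty checkpoint commit, hiding the underlying error behind a spurious extra commit in the checkpoint history; narrow it to `catch (err: unknown) { if ((err as NodeJS.ErrnoException).code !== 'ENOENT') throw err; }` so only the genuinely-missing case proceeds. The `git commit --allow-empty` presumably relies on user.name and user.email being configured in the worker image; if so, a comment saying where that identity comes from would spare the next reader a failed-init investigation. The new function's signature and doc comment are not visible in this rendering, so this applies to the whole added body following the `@@ -311` header.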
@@ -426,7 +453,7 @@ export async function loadResumeState(
 }
 const deliverableFilename = AGENTS[agentName].deliverableFilename;
- const deliverablePath = `${expectedRepoPath}/deliverables/${deliverableFilename}`;
+ const deliverablePath = `${expectedRepoPath}/.shannon/deliverables/${deliverableFilename}`;
 const deliverableExists = await fileExists(deliverablePath);
 if (!deliverableExists) {
@@ -460,7 +487,8 @@ export async function loadResumeState(
 }
 // 5. Find the most recent checkpoint commit
- const checkpointHash = await findLatestCommit(expectedRepoPath, checkpoints);
+ const deliverablesPath = path.join(expectedRepoPath, '.shannon', 'deliverables');
+ const checkpointHash = await findLatestCommit(deliverablesPath, checkpoints);
 const originalWorkflowId = session.session.originalWorkflowId || session.session.id;
 // 6. Log summary and return resume state
@@ -480,7 +508,7 @@ export async function loadResumeState(
 };
 }
-async function findLatestCommit(repoPath: string, commitHashes: string[]): Promise {
+async function findLatestCommit(gitDir: string, commitHashes: string[]): Promise {
 if (commitHashes.length === 1) {
 const hash = commitHashes[0];
 if (!hash) {
@@ -497,7 +525,7 @@ async function findLatestCommit(repoPath: string, commitHashes: string[]): Promi
 const result = await executeGitCommandWithRetry(
 ['git', 'rev-list', '--max-count=1', ...commitHashes],
- repoPath,
+ gitDir,
 'find latest commit',
 );
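Review bot: `const deliverablePath = \`${expectedRepoPath}/.shannon/deliverables/${deliverableFilename}\`` builds the overlay path by string interpolation while the same function's new `deliverablesPath` a few lines later uses `path.join`; use `path.join(expectedRepoPath, '.shannon', 'deliverables', deliverableFilename)` so both derive the location the same way and the separator handling matches the rest of the commit. Checkpoint hashes recorded by sessions that ran before this change refer to commits in the user's repository, not in the new deliverables repo, so `findLatestCommit(deliverablesPath, checkpoints)` will presumably fail `git rev-list` for such a session; if resuming those is not supported, a clear error naming that cause would beat a retry-exhausted git failure. loadResumeState and findLatestCommit both start and end outside these hunks.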
@@ -505,26 +533,29 @@ async function findLatestCommit(repoPath: string, commitHashes: string[]): Promi
 }
 /**
- * Restore git workspace to a checkpoint and clean up partial deliverables.
+ * Restore deliverables git to a checkpoint.
+ * Operates on the private git inside workspace deliverables, not the user's repo.
 */
 export async function restoreGitCheckpoint(
 repoPath: string,
 checkpointHash: string,
 incompleteAgents: AgentName[],
 ): Promise {
+ const deliverablesPath = path.join(repoPath, '.shannon', 'deliverables');
 const logger = createActivityLogger();
- logger.info(`Restoring git workspace to ${checkpointHash}...`);
+ logger.info(`Restoring deliverables to ${checkpointHash}...`);
 await executeGitCommandWithRetry(
 ['git', 'reset', '--hard', checkpointHash],
- repoPath,
- 'reset to checkpoint for resume',
+ deliverablesPath,
+ 'reset deliverables to checkpoint',
 );
- await executeGitCommandWithRetry(['git', 'clean', '-fd'], repoPath, 'clean untracked files for resume');
+ await executeGitCommandWithRetry(['git', 'clean', '-fd'], deliverablesPath, 'clean untracked deliverables');
+ // Explicitly delete partial deliverables for incomplete agents
 for (const agentName of incompleteAgents) {
 const deliverableFilename = AGENTS[agentName].deliverableFilename;
- const deliverablePath = `${repoPath}/deliverables/${deliverableFilename}`;
+ const deliverablePath = path.join(deliverablesPath, deliverableFilename);
 try {
 const exists = await fileExists(deliverablePath);
 if (exists) {
@@ -536,7 +567,7 @@ export async function restoreGitCheckpoint(
 }
 }
- logger.info('Workspace restored to clean state');
+ logger.info('Deliverables restored to clean state');
 }
 /**
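Review bot: The new doc comment says what restoreGitCheckpoint operates on but not what it leaves alone; the commit title mentions sibling overlays under `.shannon/` (scratchpad, playwright output), and if those are intentionally not reset on resume the docstring should say so, e.g. `* Only .shannon/deliverables is reset; other .shannon/ overlays are left untouched across a resume.` Scoping `git reset --hard` and `git clean -fd` to `deliverablesPath` instead of the user's repo is a real improvement, and a one-line comment above the reset, `// never run destructive git commands against the read-only user repo`, would keep a future refactor from reintroducing the old target. The function ends past the first hunk and the second hunk's surrounding loop starts outside it.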
@@ -589,7 +620,7 @@ export async function logPhaseTransition(
 * Cleans up container when done.
 */
 export async function logWorkflowComplete(input: ActivityInput, summary: WorkflowSummary): Promise {
- const { repoPath, workflowId } = input;
+ const { workflowId } = input;
 const sessionMetadata = buildSessionMetadata(input);
 // 1. Initialize audit session and mark final status
@@ -631,16 +662,6 @@ export async function logWorkflowComplete(input: ActivityInput, summary: Workflo
 // 5. Write completion entry to workflow.log
 await auditSession.logWorkflowComplete(cumulativeSummary);
- // 6. Copy deliverables to workspaces
- try {
- await copyDeliverablesToAudit(sessionMetadata, repoPath);
- } catch (copyErr) {
- const logger = createActivityLogger();
- logger.error('Failed to copy deliverables to workspaces', {
- error: copyErr instanceof Error ? copyErr.message : String(copyErr),
- });
- }
-
- // 7. Clean up container
+ // 6. Clean up container
 removeContainer(workflowId);
 }
diff --git a/apps/worker/src/temporal/worker.ts b/apps/worker/src/temporal/worker.ts
index b8c5a93..70fc5bb 100644
--- a/apps/worker/src/temporal/worker.ts
+++ b/apps/worker/src/temporal/worker.ts
@@ -360,7 +360,7 @@ async function waitForWorkflowResult(
 // === Deliverables Copy ===
 function copyDeliverables(repoPath: string, outputPath: string): void {
- const deliverablesDir = path.join(repoPath, 'deliverables');
+ const deliverablesDir = path.join(repoPath, '.shannon', 'deliverables');
 if (!fs.existsSync(deliverablesDir)) {
 console.log('No deliverables directory found, skipping copy');
 return;
@@ -375,6 +375,7 @@ function copyDeliverables(repoPath: string, outputPath: string): void {
 fs.mkdirSync(outputPath, { recursive: true });
 for (const file of files) {
+ if (file === '.git') continue;
 const src = path.join(deliverablesDir, file);
 const dest = path.join(outputPath, file);
 fs.cpSync(src, dest, { recursive: true });
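Review bot: `if (file === '.git') continue;` in copyDeliverables is a bare magic literal to anyone who has not read the activities.ts change; a comment such as `// .shannon/deliverables carries its own checkpoint git repo; never copy it into the output` explains the guard, and applying the filter where `files` is computed (outside this hunk) would keep the loop body about copying only. In logWorkflowComplete, `sessionMetadata` is still built although its only consumer visible here, the removed copyDeliverablesToAudit call, is gone; it presumably still feeds the audit session earlier in the function, but that is worth confirming so the binding does not survive as dead code. Both functions extend beyond their hunks.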
diff --git a/apps/worker/src/temporal/workflows.ts b/apps/worker/src/temporal/workflows.ts
index be2eabe..7e1c346 100644
--- a/apps/worker/src/temporal/workflows.ts
+++ b/apps/worker/src/temporal/workflows.ts
@@ -362,6 +362,9 @@ export async function pentestPipelineWorkflow(input: PipelineInput): Promise