From 939398074f1bba26827f974cbad0ccc55a1dcfb7 Mon Sep 17 00:00:00 2001
From: ajmallesh
Date: Mon, 3 Nov 2025 10:21:17 -0800
Subject: [PATCH] refactor: update injection display name and add max tokens docs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Change agent prefix from [SQLi/Cmd] to [Injection] to reflect expanded scope
- Add README documentation for CLAUDE_CODE_MAX_OUTPUT_TOKENS environment variable
This update aligns the display naming with the expanded injection analysis scope that now covers SQLi, Command Injection, LFI/RFI, SSTI, Path Traversal, and Insecure Deserialization vulnerabilities.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 README.md | 10 ++++++++++
 src/utils/output-formatter.js | 6 +++---
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 424cab5..b6acdf5 100644
--- a/README.md
+++ b/README.md
@@ -99,6 +99,16 @@ Shannon is available in two editions:
 You need either a **Claude Code OAuth token** or an **Anthropic API key** to run Shannon. Get your token from the [Anthropic Console](https://console.anthropic.com) and pass it to Docker via the `-e` flag.
+### Environment Configuration (Optional)
+
+To prevent Claude Code from hitting token limits during long report generation, set the max output tokens before running Shannon:
+
+```bash
+export CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000
+```
+
+This is especially useful for extensive penetration testing reports or when analyzing large codebases.
+
 ### Quick Start with Docker
 #### Build the Container
diff --git a/src/utils/output-formatter.js b/src/utils/output-formatter.js
index 82bf46b..5c2aaaf 100644
--- a/src/utils/output-formatter.js
+++ b/src/utils/output-formatter.js
@@ -45,12 +45,12 @@ function summarizeTodoUpdate(input) {
 export function getAgentPrefix(description) {
 // Map agent names to their prefixes
 const agentPrefixes = {
- 'injection-vuln': '[SQLi/Cmd]',
+ 'injection-vuln': '[Injection]',
 'xss-vuln': '[XSS]',
 'auth-vuln': '[Auth]',
 'authz-vuln': '[Authz]',
 'ssrf-vuln': '[SSRF]',
- 'injection-exploit': '[SQLi/Cmd]',
+ 'injection-exploit': '[Injection]',
 'xss-exploit': '[XSS]',
 'auth-exploit': '[Auth]',
 'authz-exploit': '[Authz]',
@@ -65,7 +65,7 @@ export function getAgentPrefix(description) {
 }
 // Fallback to partial matches for backwards compatibility
- if (description.includes('injection')) return '[SQLi/Cmd]';
+ if (description.includes('injection')) return '[Injection]';
 if (description.includes('xss')) return '[XSS]';
 if (description.includes('authz')) return '[Authz]'; // Check authz before auth
 if (description.includes('auth')) return '[Auth]';
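Review bot: The `'[Injection]'` literal is now written three times: twice in `agentPrefixes` in the hunk at -45 (for `injection-vuln` and `injection-exploit`) and once in the `description.includes('injection')` fallback in the hunk at -65, and this commit had to edit all three to keep them in step. Hoisting it to a single constant, e.g. `const INJECTION_PREFIX = '[Injection]';`, and referencing it from both the map and the fallback would stop the label drifting the next time the scope changes. Since the prefix no longer names the bug class a finding belongs to, the `// Map agent names to their prefixes` comment could also state that `[Injection]` covers SQLi, command injection, LFI/RFI, SSTI, path traversal and insecure deserialization, so readers of the output know what the tag includes. `getAgentPrefix` starts in the first hunk and continues outside both hunks, so the exact-match lookup between them is not visible here.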