955eae5d65
fix: remove duplicate environment gate from merge-docker job
...
Move DOCKERHUB_USERNAME from vars to secrets so merge-docker can access
credentials without its own environment scope. This eliminates the
redundant double approval since build-docker already gates on
release-publish.
2026-03-18 15:58:45 +05:30
ea7c74f33b
fix: resolve unsubstituted placeholders in report prompt
...
Remove unused {{GITHUB_URL}} placeholder and wire up {{AUTH_CONTEXT}}
with structured auth context (login type, username, URL, MFA status).
2026-03-18 15:58:45 +05:30
b27fdac0f9
fix: skip POSIX permission check on Windows
...
writeFileSync mode option is ignored on Windows, so config.toml
gets 0o666 and the guard rejects it.
2026-03-18 15:58:45 +05:30
92204adbaa
fix: resolve SessionMutex race condition with 3+ concurrent waiters
2026-03-18 15:58:45 +05:30
12ce802770
fix: use native ARM64 runners for Docker multi-platform builds
...
Replace QEMU emulation with parallel native builds using a matrix
strategy (ubuntu-latest for amd64, ubuntu-24.04-arm for arm64).
Each platform pushes by digest, then a merge job creates the
multi-arch manifest list before signing with cosign.
2026-03-18 15:58:45 +05:30
96732306a8
feat: mark GitHub release as latest during rollback
2026-03-18 15:58:45 +05:30
2e7c6b4cb7
fix: align TypeScript config types with JSON Schema
...
- SuccessCondition.type: use schema values (url_contains,
element_present, url_equals_exactly, text_contains) instead of
stale values (url, cookie, element, redirect)
- Authentication.login_flow: mark optional to match schema which
does not require it
2026-03-18 15:58:45 +05:30
f720b7d752
style: fix biome formatting in docker.ts
2026-03-18 15:58:45 +05:30
117a9d859d
fix: show resumed workflow ID in splash screen URL
...
When resuming a workflow, the Temporal Web UI link pointed to the old
(terminated) workflow ID. Now extracts "New Workflow ID" from the resume
header in workflow.log, falling back to the original ID for fresh scans.
2026-03-18 15:58:45 +05:30
de8b7c368d
fix: resolve Docker bind mount permission errors on Linux
...
Use entrypoint-based UID remapping instead of --user flag so the
container's pentest user matches the host UID/GID, keeping bind-mounted
volumes writable. Git config moved to --system level to survive remapping.
2026-03-18 15:58:45 +05:30
d89dbcd58b
feat: add optional model customization to Anthropic setup
2026-03-18 15:58:45 +05:30
a8ab9d8b1c
fix: handle Esc cancellation in Bedrock setup flow
...
Replace p.group() with individual prompts and per-field cancel checks,
matching the pattern used by all other provider setup flows.
2026-03-18 15:58:45 +05:30
ade31455b7
fix: pin pnpm to 10.12.1 in Dockerfile for catalog support
2026-03-18 15:58:45 +05:30
53b4c6b83f
fix: resolve all biome warnings and formatting issues
...
- Remove unnecessary non-null assertions where values are guaranteed
- Replace array index access with .at() for safer element retrieval
- Use local variables to avoid repeated process.env lookups
- Replace any types with unknown in functional utilities
- Use nullish coalescing for TOTP hash byte access
- Auto-format security patches to match biome config
2026-03-18 15:58:45 +05:30
181f24cfcc
refactor: migrate to Turborepo + pnpm + Biome monorepo
...
Restructure into apps/worker, apps/cli, packages/mcp-server with
Turborepo task orchestration, pnpm workspaces, Biome linting/formatting,
and tsdown CLI bundling.
Key changes:
- src/ -> apps/worker/src/, cli/ -> apps/cli/, mcp-server/ -> packages/mcp-server/
- prompts/ and configs/ moved into apps/worker/
- npm replaced with pnpm, package-lock.json replaced with pnpm-lock.yaml
- Dockerfile updated for pnpm-based builds
- CLI logs command rewritten with chokidar for cross-platform reliability
- Router health checking added for auto-detected router mode
- Centralized path resolution via apps/worker/src/paths.ts
2026-03-18 15:58:45 +05:30
9b1abd9ec0
feat: integrate npx CLI, CI/CD, and ephemeral worker architecture
...
Bring in changes from shannon-npx: npx-distributable CLI package (cli/),
semantic-release CI/CD workflows, ephemeral per-scan worker containers,
TOML config support, setup wizard, and workspace management.
Preserves all shannon-only changes: security hardening (localhost-bound
ports, MCP env allowlist, path traversal guard), updated benchmarks
(XBEN 19/31/35/44), README assets, and prompt injection disclaimer.
Applies security hardening to cli/infra/compose.yml as well.
2026-03-18 15:57:57 +05:30
ae4bd45a30
feat: add custom base URL support for Anthropic-compatible endpoints ( #246 )
...
Support ANTHROPIC_BASE_URL + ANTHROPIC_AUTH_TOKEN in .env to route
SDK requests through proxies or gateways. Preflight now validates the
custom endpoint is reachable instead of skipping credential checks.
2026-03-18 00:53:44 +05:30
629c52ed3b
Merge pull request #230 from KeygraphHQ/patching-benchmark
...
chore: upload correct benchmarks for XBEN 19/31/35/44
2026-03-09 19:30:51 -07:00
3dd4056dc3
chore: upload correct benchmarks for XBEN 19/31/35/44
2026-03-09 19:07:21 -07:00
17df89a48f
Merge pull request #224 from ajmallesh/security/tighten-docker-env-isolation
...
Hardening local defaults
2026-03-07 11:56:35 -08:00
58afb767c6
docs: simplify prompt injection disclaimer in README
2026-03-07 11:48:59 -08:00
023cc953db
security: tighten Docker isolation and subprocess env
...
- Pin @playwright/mcp to 0.0.68 instead of @latest to prevent supply chain risk
- Restrict MCP subprocess env to allowlist (PATH, HOME, NODE_PATH, DISPLAY, XDG_*) instead of spreading process.env
- Add path traversal guard to @include() directive in prompt templates
- Bind all Docker ports to 127.0.0.1 to prevent network exposure
- Remove ipc: host — shm_size: 2gb already covers Chromium shared memory needs
- Add prompt injection disclaimer for untrusted repositories to README
2026-03-06 17:20:39 -08:00
01165382ed
Merge pull request #220 from KeygraphHQ/Readme-Update
...
Readme update
2026-03-06 13:42:49 -08:00
4c6750541b
Update README.md
2026-03-06 11:38:53 -08:00
2feff83b6e
Add files via upload
2026-03-06 11:38:18 -08:00
96b2728318
Delete assets/keygraph_button.png
2026-03-06 11:38:06 -08:00
595b2ada78
Update README.md
2026-03-06 11:36:43 -08:00
c68ee44103
Add files via upload
2026-03-06 11:35:16 -08:00
fdd7d0af64
Merge pull request #216 from KeygraphHQ/Updated-README.md
...
Updated readme.md
2026-03-05 16:48:32 -08:00
03377de469
Update README.md
2026-03-05 16:47:03 -08:00
477ccd71aa
Update README.md
2026-03-05 16:45:08 -08:00
43aa6386a2
Add files via upload
2026-03-05 16:44:01 -08:00
6ad2c9d5c1
Merge pull request #206 from KeygraphHQ/keygraphVarun-patch-1
...
update image
2026-03-04 18:40:22 -08:00
53bb10c450
Update README.md
2026-03-04 18:39:05 -08:00
ce98c749f5
update image
2026-03-04 18:38:11 -08:00
ba8f737d02
Delete assets/github-banner.png
2026-03-04 18:37:54 -08:00
a01b130281
update image
2026-03-04 18:36:34 -08:00
ff7874815a
Merge pull request #205 from KeygraphHQ/keygraphVarun-patch-4
...
Update README.md
2026-03-04 18:30:39 -08:00
c5f13235da
Update SHANNON-PRO.md
2026-03-04 18:28:41 -08:00
528dced335
updated image
2026-03-04 18:20:35 -08:00
cdf0f13cc6
Add files via upload
2026-03-04 18:19:27 -08:00
e69ce6f51e
Update README.md
2026-03-04 18:17:46 -08:00
ab2c400daf
Merge pull request #202 from KeygraphHQ/keygraphVarun-patch-1
...
Update README.md
2026-03-04 13:59:42 -08:00
9b0e64944b
Update README.md
...
cleanup
2026-03-04 13:57:28 -08:00
f3f4e44ccd
Merge pull request #198 from KeygraphHQ/keygraphVarun-patch-1
...
Update SHANNON-PRO.md
2026-03-04 13:46:34 -08:00
6b68bb40f8
Merge pull request #200 from KeygraphHQ/keygraphVarun-patch-2
...
Update README.md
2026-03-04 13:46:10 -08:00
d3de8e13fb
Update SHANNON-PRO.md
2026-03-04 13:44:08 -08:00
57d1141f4a
Update README.md
2026-03-04 13:38:43 -08:00
1aafc0c3d0
Update README.md
...
update readme
2026-03-04 13:08:18 -08:00
a8afe98518
Update SHANNON-PRO.md
...
fix
2026-03-04 11:35:49 -08:00
ezl-keygraph