Commit Graph

264 Commits

Author SHA1 Message Date
ezl-keygraph f46243a35a feat(worker): load playwright-cli skill via pi resource loader 2026-06-15 22:37:36 +05:30
ezl-keygraph 09e11b3ad9 fix(worker): restore minLength/minItems on pre-recon and exploit collector schemas 2026-06-15 21:06:29 +05:30
ezl-keygraph e16dcba13f refactor(prompts): drop collector server names from deliverable instructions 2026-06-15 20:21:22 +05:30
ezl-keygraph 5547afa73f refactor(prompts): drop stale MCP terminology for collector tools 2026-06-15 20:18:53 +05:30
ezl-keygraph 667e6ac4b0 refactor(prompts): use pi tool names (task, todo_write, read, bash, glob) 2026-06-15 20:03:26 +05:30
ezl-keygraph d18e928a6a feat(worker): add glob custom tool and route code_path globs to it 2026-06-15 20:03:26 +05:30
ezl-keygraph 58d0defea7 feat(worker): give task sub-agent write+bash, align tool descriptions 2026-06-15 19:54:20 +05:30
ezl-keygraph 9e845159b3 fix(worker): restore minLength/minItems on vuln-collector schemas 2026-06-15 18:42:53 +05:30
ezl-keygraph 0fd2f6bbe4 fix(worker): gate adaptive thinking to Opus models, drop CLAUDE_THINKING_LEVEL 2026-06-15 18:11:46 +05:30
ezl-keygraph 575465a741 feat(worker): pi-event-driven output formatting 2026-06-15 16:16:46 +05:30
ezl-keygraph 263b18e98a refactor(worker): rename claude-executor to pi-executor 2026-06-15 16:05:31 +05:30
ezl-keygraph 56241625a4 fix(worker): count sub-agent cost and surface compaction failures 2026-06-15 15:59:55 +05:30
ezl-keygraph 79fb49c159 feat(prompts): instruct agents to call submit_exploitation_queue and submit_auth_result 2026-06-15 15:49:02 +05:30
ezl-keygraph c275b27a6c fix(worker): route Bedrock and custom-base-URL providers from env 2026-06-15 15:36:14 +05:30
ezl-keygraph a9e966026c feat: remove Google Vertex AI provider support 2026-06-15 12:49:40 +05:30
ezl-keygraph 1908156525 feat(worker): migrate agent runtime from Claude Agent SDK to pi harness 2026-06-15 12:05:32 +05:30
ezl-keygraph 3d1a3c75f8 feat(ai): support Claude Fable 5 (upgrade Claude Agent SDK to 0.3.173) (#354) v1.7.0 2026-06-12 14:50:27 +05:30
ezl-keygraph ac6db3b52e feat(ai): upgrade to Opus 4.8 and Claude Agent SDK 0.3.163 (#353) v1.6.0 2026-06-12 02:03:26 +05:30
ezl-keygraph 0a1a2eb1c1 feat(worker): structure intermediate deliverables via MCP collectors (#350) v1.5.0 2026-06-05 14:50:43 +05:30
keygraphVarun a6f004cd25 Merge pull request #349 from KeygraphHQ/readme-update
Update README and docs content
2026-06-03 17:02:37 -07:00
Varun Sivamani 4a12918448 Update README and docs content
Add new docs pages and LLM context files, and remove the legacy SHANNON-PRO.md file.
2026-06-03 17:00:34 -07:00
ezl-keygraph 35f59f30f6 feat(docker): forward /etc/hosts entries to worker containers (#346) v1.4.0 2026-05-28 23:12:11 +05:30
ezl-keygraph 7813baf16a feat: share preflight authenticated session across agents (#345)
* feat(auth): reuse preflight's authenticated session across agents

* fix(preflight): verify saved auth state parses and has cookies or origins

* fix(prompts): strip shared-session block when no auth is configured

* fix(shannon): store shared auth state in the per-session audit dir

* fix(prompts): write stub auth-state in pipeline-testing preflight

* fix(preflight): clear stale auth-state.json before validate-authentication

* fix(preflight): drop auth-state.json on workflow completion

* docs(claude): refresh auth-state.json description for new layout and cleanup

* refactor(prompts): drop unused PLAYWRIGHT_SESSION resolve in login instructions

* style(prompts): collapse verifySavedAuthState signature per biome

* refactor(prompts): require AUTH_STATE_FILE on authenticated runs

* style(prompts): trim numbered-step comments back to step headers
2026-05-28 03:23:09 +05:30
ezl-keygraph 8f5d639f0d fix(deps): bump fast-uri to 3.1.2 (CVE-2026-6321) (#344) 2026-05-27 13:16:55 +05:30
ezl-keygraph 32c01a39b1 feat(preflight): block cloud metadata range in target URL check (#337)
* chore(docker): pin temporal image to 1.7.0

* feat(preflight): block link-local metadata range in target URL check

* style: apply biome formatting and import sorting
v1.3.0
2026-05-21 00:23:46 +05:30
ezl-keygraph 72c424f687 fix(docker): pin --ignore-scripts on global npm installs (#338) 2026-05-21 00:23:14 +05:30
ezl-keygraph 1af42339b9 feat(auth): auth-validation preflight + email_login credentials (#335)
* feat(preflight): add credential validation activity

* refactor(preflight): tighten error retryability and dedup failure-point enum

* refactor(preflight): extract resolvePromptDir helper and cap failure_detail at 250 chars

* refactor(preflight): inline validator rules into intro paragraph

* refactor(preflight): restyle validator prompt with XML tags and tool list

* chore(preflight): bump auth validation timeout to 10 minutes

* feat: provision playwright stealth config for browser auto-discovery

* feat(stealth): strengthen browser fingerprint with chrome.runtime and realistic plugins

* feat(prompts): add pipeline-testing stub for validate-authentication

* refactor(stealth): swap zx for node:fs in playwright-config-writer

* feat(auth): add email_login credentials with login-flow substitution

* fix(auth): propagate email_login through credentials sanitizer

* fix(config): drop dangerous-pattern check on credentials.password

* feat(auth-validation): instruct agent to mask sensitive values in failure_detail

* docs(auth): document email_login credentials for magic-link and email-OTP flows

* docs(auth): add login_flow authoring guide with placeholder reference

* feat(auth): make credentials.password optional for passwordless flows

* docs(auth): drop redundant placeholder hint from login_flow examples
2026-05-20 03:46:56 +05:30
ezl-keygraph ca86c839cc feat(ai): steer notes field for analysis-only mode (#329) v1.2.0 2026-05-06 04:07:38 +05:30
ezl-keygraph 0a57b062fd feat(scripts): add --help to save-deliverable and generate-totp (#328) 2026-05-06 04:07:25 +05:30
ezl-keygraph 46be49c175 chore: remove unused scan tools and dead error type (#327)
* chore: remove unused scan tools and dead error type

* chore(logs): redact base URL and target URL from preflight info logs
2026-05-04 21:51:45 +05:30
ezl-keygraph 95998d1a44 feat: add config-driven run scoping and report filtering (#326)
* feat(steerability): add config-driven profile with code_path avoid enforcement

* fix(steerability): write SDK deny rules once per workflow to avoid parallel-agent race

* fix(steerability): reference guidance by pointer in report DROP rules

* fix(steerability): tighten code_path avoid enforcement

* chore(steerability): use shared ALL_VULN_CLASSES const and tighten RunScope type

* fix(steerability): validate run scope before resume short-circuit

* fix(steerability): emit only documented Read/Edit deny rules for code_path

* fix(steerability): assemble report from analysis deliverables when exploit is disabled

* feat(steerability): preflight check that code_path rules match at least one repo entry

* fix(steerability): tag missing code_path entries with avoid/focus kind

* revert(steerability): assemble report from analysis deliverables when exploit is disabled

* feat(steerability): render per-class findings from queue JSON when exploit is disabled

* refactor(steerability): trim findings renderer to common mappable rows

* feat(steerability): allow report agent to rewrite category-label finding titles

* docs(steerability): document new config fields in README and CLAUDE.md

* docs(steerability): comment out optional config sections in examples
2026-05-01 23:56:15 +05:30
ezl-keygraph 6c8135d031 feat(ai): upgrade to Opus 4.7 with adaptive thinking (#325) 2026-04-28 21:52:13 +05:30
ezl-keygraph 03a3d764af feat(cli): block running shannon with sudo or as root (#323) 2026-04-28 12:43:07 +05:30
ezl-keygraph 79caada539 fix(deps): bump protobufjs to 7.5.5 to patch CVE-2026-41242 (#314) 2026-04-23 20:42:06 +05:30
ezl-keygraph dcabe6e82e docs: update README for router sunset, WSL2-only Windows, and safety disclaimers (#302) v1.1.0 2026-04-21 13:15:50 +05:30
ezl-keygraph ccb5303106 fix(cli): surface docker errors and add --debug flag for worker logs (#299)
* fix(cli): surface docker run errors and add --debug flag for worker inspection

* docs: add --debug flag to CLAUDE.md options list
2026-04-20 14:45:42 +05:30
ezl-keygraph 581c208b84 feat: provider extensions and drop claude-code-router mode (#295)
* feat: add ReportOutputProvider for consumer-extended report artifacts

* fix: thread deliverablesSubdir through report assembly

* fix: produce structured report JSON on resume path

* fix: fail loud on structured report output provider errors

* feat: extend checkpoint provider and container DI for consumer-specific backends

* fix: pre-create .shannon overlay mount points on all platforms

* chore: drop claude-code-router mode

* fix: drop 'resets' keyword from spending-cap text patterns
2026-04-20 13:21:54 +05:30
george-keygraph 01644ff2ed Merge pull request #293 from KeygraphHQ/george-keygraph-patch-3
Update README.md
2026-04-16 13:25:54 -07:00
george-keygraph 0ce34c9c27 Update README.md 2026-04-16 13:24:41 -07:00
george-keygraph 671d41699e Merge pull request #292 from KeygraphHQ/george-keygraph-patch-2
Update README.md
2026-04-16 13:23:26 -07:00
george-keygraph 8ca34dad69 Update README.md 2026-04-16 13:22:57 -07:00
george-keygraph a111863778 Merge pull request #291 from KeygraphHQ/george-keygraph-patch-1
Add files via upload
2026-04-16 13:21:47 -07:00
george-keygraph 3f83a51e22 Merge pull request #290 from KeygraphHQ/george-keygraph-patch
Update README.md
2026-04-16 13:21:34 -07:00
george-keygraph c78ae0b3b6 Add files via upload 2026-04-16 12:54:16 -07:00
george-keygraph c0794bccf6 Update README.md 2026-04-16 12:53:08 -07:00
ezl-keygraph 1f6dfd7e17 feat: extract pipeline core for library consumption (#282)
* feat: extract pipeline core for library consumption

* fix: chmod workspace directory for container write access

* fix: resolve playwright output dir relative to deliverables parent

* feat: add multi-provider LLM support via ProviderConfig

* fix: resolve model overrides via options.model, remove unused model env passthrough

* fix: use ANTHROPIC_AUTH_TOKEN for custom base URL and router auth

* fix: skip env-based credential validation when providerConfig is present

* fix: support large UID/GID values for AD/LDAP users in container
2026-04-10 04:53:36 +05:30
ezl-keygraph f6fd1edad6 fix: pre-recon deliverable filename mismatch (#274) 2026-04-06 22:29:03 +05:30
ezl-keygraph 77e300d52a feat: mount user repo as read-only with writable shannon overlay (#273)
* feat: mount user repo as read-only with deliverables bind-mount overlay

* feat: add playground and .playwright-cli overlay mounts

* feat: add filesystem context to pipeline-testing prompts

* fix: use explicit REPO_PATH in filesystem prompt for clarity

* fix: update filesystem prompts with playground notes and absolute screenshot paths

* feat: namespace writable overlays under .shannon/ to avoid polluting host repo

* refactor: rename playground to scratchpad

* fix: redirect playwright-cli output to writable .shannon/ overlay

* fix: pre-create .shannon/ overlay mount points for Linux compatibility

* fix: exclude nested node_modules and dist from Docker build context

* fix: enforce LF line endings for shell scripts on Windows
2026-04-03 23:46:28 +05:30
rnxj-keygraph 99629c2b66 chore: enforce pnpm minimum release age and upgrade to v10.33.0 (#266)
- Add minimum-release-age=10080 (7 days) and ignore-scripts=true to .npmrc
- Upgrade pnpm from 10.12.1 to 10.33.0 (minimumReleaseAge requires >= 10.16.0)
- Document package installation age policy in CLAUDE.md
2026-04-02 01:22:24 +05:30
ezl-keygraph 2a433f090f feat: use structured outputs for vuln agent exploitation queues (#267)
* feat: add structured outputs for vuln agent exploitation queues

Use Claude Agent SDK's native outputFormat to get schema-validated JSON
queue data from vulnerability analysis agents instead of relying on
save-deliverable tool calls for queue files.

- Add Zod schemas for all 5 vuln types (injection, xss, auth, ssrf, authz)
- Thread outputFormat through SDK call chain (executor → message handlers)
- Write structured_output to disk as queue JSON before validation
- Handle error_max_structured_output_retries as retryable failure
- Update vuln prompts to use structured output for queues
- Keep save-deliverable for markdown deliverables (unchanged)

* fix: correct structured output schema conversion for Claude Agent SDK

Use draft-07 target for z.toJSONSchema() instead of the default
draft-2020-12, which the SDK's AJV validator doesn't support. Update
pipeline-testing prompts to use structured output instead of raw JSON
responses.

* refactor: remove save-deliverable references for queues in vuln prompts

Queues are now captured via structured outputs, so vuln agents no longer
need to use save-deliverable for queue JSON. Removes references to
"structured response/output" phrasing and aligns all prompts to use
consistent "exploitation queue" terminology.

* refactor: remove queue support from save-deliverable

Queues are now produced via structured outputs, so save-deliverable no
longer needs queue-related code. Removes queue enum values, filename
mappings, JSON validation, and updates all prompt tool descriptions to
match the simplified CLI interface.

* fix: instruct vuln agents to save deliverable before exploitation queue

The structured output tool terminates the agent session when called.
Agents were calling it before saving their deliverable markdown,
causing output validation failures and unnecessary retries.

* refactor: remove explicit exploitation queue output instructions from vuln prompts

The Claude Agent SDK automatically captures structured output on the
last turn when outputFormat is set. Prompts explicitly telling agents
to produce the queue caused them to call StructuredOutput mid-session,
conflicting with the SDK mechanism and silently dropping the output.

Removed exploitation_queue_requirements sections and queue references
from conclusion triggers. Added note that the queue is captured
automatically. Updated Your Output to point to the deliverable markdown.
2026-04-02 01:12:00 +05:30