feat: typescript migration (#40)

* chore: initialize TypeScript configuration and build setup

- Add tsconfig.json for root and mcp-server with strict type checking
- Install typescript and @types/node as devDependencies
- Add npm build script for TypeScript compilation
- Update main entrypoint to compiled dist/shannon.js
- Update Dockerfile to build TypeScript before running
- Configure output directory and module resolution for Node.js

* refactor: migrate codebase from JavaScript to TypeScript

- Convert all 37 JavaScript files to TypeScript (.js -> .ts)
- Add type definitions in src/types/ for agents, config, errors, session
- Update mcp-server with proper TypeScript types
- Move entry point from shannon.mjs to src/shannon.ts
- Update tsconfig.json with rootDir: "./src" for cleaner dist output
- Update Dockerfile to build TypeScript before runtime
- Update package.json paths to use compiled dist/shannon.js

No runtime behavior changes - pure type safety migration.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: update CLI references from ./shannon.mjs to shannon

- Update help text in src/cli/ui.ts
- Update usage examples in src/cli/command-handler.ts
- Update setup message in src/shannon.ts
- Update CLAUDE.md documentation with TypeScript file structure
- Replace all ./shannon.mjs references with shannon command

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* chore: remove unnecessary eslint-disable comments

ESLint is not configured in this project, making these comments redundant.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

src/audit/metrics-tracker.ts

@@ -0,0 +1,372 @@
+// Copyright (C) 2025 Keygraph, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License version 3
+// as published by the Free Software Foundation.
+
+/**
+ * Metrics Tracker
+ *
+ * Manages session.json with comprehensive timing, cost, and validation metrics.
+ * Tracks attempt-level data for complete forensic trail.
+ */
+
+import {
+  generateSessionJsonPath,
+  atomicWrite,
+  readJson,
+  fileExists,
+  formatTimestamp,
+  calculatePercentage,
+  type SessionMetadata,
+} from './utils.js';
+import type { AgentName, PhaseName } from '../types/index.js';
+
+interface AttemptData {
+  attempt_number: number;
+  duration_ms: number;
+  cost_usd: number;
+  success: boolean;
+  timestamp: string;
+  error?: string;
+}
+
+interface AgentMetrics {
+  status: 'in-progress' | 'success' | 'failed' | 'rolled-back';
+  attempts: AttemptData[];
+  final_duration_ms: number;
+  total_cost_usd: number;
+  checkpoint?: string;
+  rolled_back_at?: string;
+}
+
+interface PhaseMetrics {
+  duration_ms: number;
+  duration_percentage: number;
+  cost_usd: number;
+  agent_count: number;
+}
+
+interface SessionData {
+  session: {
+    id: string;
+    webUrl: string;
+    repoPath?: string;
+    status: 'in-progress' | 'completed' | 'failed';
+    createdAt: string;
+    completedAt?: string;
+  };
+  metrics: {
+    total_duration_ms: number;
+    total_cost_usd: number;
+    phases: Record<string, PhaseMetrics>;
+    agents: Record<string, AgentMetrics>;
+  };
+}
+
+interface AgentEndResult {
+  attemptNumber: number;
+  duration_ms: number;
+  cost_usd: number;
+  success: boolean;
+  error?: string;
+  checkpoint?: string;
+  isFinalAttempt?: boolean;
+}
+
+interface ActiveTimer {
+  startTime: number;
+  attemptNumber: number;
+}
+
+/**
+ * MetricsTracker - Manages metrics for a session
+ */
+export class MetricsTracker {
+  private sessionMetadata: SessionMetadata;
+  private sessionJsonPath: string;
+  private data: SessionData | null = null;
+  private activeTimers: Map<string, ActiveTimer> = new Map();
+
+  constructor(sessionMetadata: SessionMetadata) {
+    this.sessionMetadata = sessionMetadata;
+    this.sessionJsonPath = generateSessionJsonPath(sessionMetadata);
+  }
+
+  /**
+   * Initialize session.json (idempotent)
+   */
+  async initialize(): Promise<void> {
+    // Check if session.json already exists
+    const exists = await fileExists(this.sessionJsonPath);
+
+    if (exists) {
+      // Load existing data
+      this.data = await readJson<SessionData>(this.sessionJsonPath);
+    } else {
+      // Create new session.json
+      this.data = this.createInitialData();
+      await this.save();
+    }
+  }
+
+  /**
+   * Create initial session.json structure
+   */
+  private createInitialData(): SessionData {
+    const sessionData: SessionData = {
+      session: {
+        id: this.sessionMetadata.id,
+        webUrl: this.sessionMetadata.webUrl,
+        status: 'in-progress',
+        createdAt: (this.sessionMetadata as { createdAt?: string }).createdAt || formatTimestamp(),
+      },
+      metrics: {
+        total_duration_ms: 0,
+        total_cost_usd: 0,
+        phases: {}, // Phase-level aggregations
+        agents: {}, // Agent-level metrics
+      },
+    };
+    // Only add repoPath if it exists
+    if (this.sessionMetadata.repoPath) {
+      sessionData.session.repoPath = this.sessionMetadata.repoPath;
+    }
+    return sessionData;
+  }
+
+  /**
+   * Start tracking an agent execution
+   */
+  startAgent(agentName: string, attemptNumber: number): void {
+    this.activeTimers.set(agentName, {
+      startTime: Date.now(),
+      attemptNumber,
+    });
+  }
+
+  /**
+   * End agent execution and update metrics
+   */
+  async endAgent(agentName: string, result: AgentEndResult): Promise<void> {
+    if (!this.data) {
+      throw new Error('MetricsTracker not initialized');
+    }
+
+    // Initialize agent metrics if not exists
+    if (!this.data.metrics.agents[agentName]) {
+      this.data.metrics.agents[agentName] = {
+        status: 'in-progress',
+        attempts: [],
+        final_duration_ms: 0,
+        total_cost_usd: 0,
+      };
+    }
+
+    const agent = this.data.metrics.agents[agentName]!;
+
+    // Add attempt to array
+    const attempt: AttemptData = {
+      attempt_number: result.attemptNumber,
+      duration_ms: result.duration_ms,
+      cost_usd: result.cost_usd,
+      success: result.success,
+      timestamp: formatTimestamp(),
+    };
+
+    if (result.error) {
+      attempt.error = result.error;
+    }
+
+    agent.attempts.push(attempt);
+
+    // Update total cost (includes failed attempts)
+    agent.total_cost_usd = agent.attempts.reduce((sum, a) => sum + a.cost_usd, 0);
+
+    // If successful, update final metrics and status
+    if (result.success) {
+      agent.status = 'success';
+      agent.final_duration_ms = result.duration_ms;
+
+      if (result.checkpoint) {
+        agent.checkpoint = result.checkpoint;
+      }
+    } else {
+      // If this was the last attempt, mark as failed
+      if (result.isFinalAttempt) {
+        agent.status = 'failed';
+      }
+    }
+
+    // Clear active timer
+    this.activeTimers.delete(agentName);
+
+    // Recalculate aggregations
+    this.recalculateAggregations();
+
+    // Save to disk
+    await this.save();
+  }
+
+  /**
+   * Mark agent as rolled back
+   */
+  async markRolledBack(agentName: string): Promise<void> {
+    if (!this.data || !this.data.metrics.agents[agentName]) {
+      return; // Agent not tracked
+    }
+
+    const agent = this.data.metrics.agents[agentName]!;
+    agent.status = 'rolled-back';
+    agent.rolled_back_at = formatTimestamp();
+
+    // Recalculate aggregations (exclude rolled-back agents)
+    this.recalculateAggregations();
+
+    await this.save();
+  }
+
+  /**
+   * Mark multiple agents as rolled back
+   */
+  async markMultipleRolledBack(agentNames: string[]): Promise<void> {
+    if (!this.data) return;
+
+    for (const agentName of agentNames) {
+      if (this.data.metrics.agents[agentName]) {
+        const agent = this.data.metrics.agents[agentName]!;
+        agent.status = 'rolled-back';
+        agent.rolled_back_at = formatTimestamp();
+      }
+    }
+
+    this.recalculateAggregations();
+    await this.save();
+  }
+
+  /**
+   * Update session status
+   */
+  async updateSessionStatus(status: 'in-progress' | 'completed' | 'failed'): Promise<void> {
+    if (!this.data) return;
+
+    this.data.session.status = status;
+
+    if (status === 'completed' || status === 'failed') {
+      this.data.session.completedAt = formatTimestamp();
+    }
+
+    await this.save();
+  }
+
+  /**
+   * Recalculate aggregations (total duration, total cost, phases)
+   */
+  private recalculateAggregations(): void {
+    if (!this.data) return;
+
+    const agents = this.data.metrics.agents;
+
+    // Only count successful agents (not rolled-back or failed)
+    const successfulAgents = Object.entries(agents).filter(
+      ([, data]) => data.status === 'success'
+    );
+
+    // Calculate total duration and cost
+    const totalDuration = successfulAgents.reduce(
+      (sum, [, data]) => sum + data.final_duration_ms,
+      0
+    );
+
+    const totalCost = successfulAgents.reduce((sum, [, data]) => sum + data.total_cost_usd, 0);
+
+    this.data.metrics.total_duration_ms = totalDuration;
+    this.data.metrics.total_cost_usd = totalCost;
+
+    // Calculate phase-level metrics
+    this.data.metrics.phases = this.calculatePhaseMetrics(successfulAgents);
+  }
+
+  /**
+   * Calculate phase-level metrics
+   */
+  private calculatePhaseMetrics(
+    successfulAgents: Array<[string, AgentMetrics]>
+  ): Record<string, PhaseMetrics> {
+    const phases: Record<string, AgentMetrics[]> = {
+      'pre-recon': [],
+      recon: [],
+      'vulnerability-analysis': [],
+      exploitation: [],
+      reporting: [],
+    };
+
+    // Map agents to phases
+    const agentPhaseMap: Record<string, string> = {
+      'pre-recon': 'pre-recon',
+      recon: 'recon',
+      'injection-vuln': 'vulnerability-analysis',
+      'xss-vuln': 'vulnerability-analysis',
+      'auth-vuln': 'vulnerability-analysis',
+      'authz-vuln': 'vulnerability-analysis',
+      'ssrf-vuln': 'vulnerability-analysis',
+      'injection-exploit': 'exploitation',
+      'xss-exploit': 'exploitation',
+      'auth-exploit': 'exploitation',
+      'authz-exploit': 'exploitation',
+      'ssrf-exploit': 'exploitation',
+      report: 'reporting',
+    };
+
+    // Group agents by phase
+    for (const [agentName, agentData] of successfulAgents) {
+      const phase = agentPhaseMap[agentName];
+      if (phase && phases[phase]) {
+        phases[phase]!.push(agentData);
+      }
+    }
+
+    // Calculate metrics per phase
+    const phaseMetrics: Record<string, PhaseMetrics> = {};
+    const totalDuration = this.data!.metrics.total_duration_ms;
+
+    for (const [phaseName, agentList] of Object.entries(phases)) {
+      if (agentList.length === 0) continue;
+
+      const phaseDuration = agentList.reduce((sum, agent) => sum + agent.final_duration_ms, 0);
+
+      const phaseCost = agentList.reduce((sum, agent) => sum + agent.total_cost_usd, 0);
+
+      phaseMetrics[phaseName] = {
+        duration_ms: phaseDuration,
+        duration_percentage: calculatePercentage(phaseDuration, totalDuration),
+        cost_usd: phaseCost,
+        agent_count: agentList.length,
+      };
+    }
+
+    return phaseMetrics;
+  }
+
+  /**
+   * Get current metrics
+   */
+  getMetrics(): SessionData {
+    return JSON.parse(JSON.stringify(this.data)) as SessionData;
+  }
+
+  /**
+   * Save metrics to session.json (atomic write)
+   */
+  private async save(): Promise<void> {
+    if (!this.data) return;
+    await atomicWrite(this.sessionJsonPath, this.data);
+  }
+
+  /**
+   * Reload metrics from disk
+   */
+  async reload(): Promise<void> {
+    this.data = await readJson<SessionData>(this.sessionJsonPath);
+  }
+}