Feat/temporal (#46)
* refactor: modularize claude-executor and extract shared utilities
- Extract message handling into src/ai/message-handlers.ts with pure functions
- Extract output formatting into src/ai/output-formatters.ts
- Extract progress management into src/ai/progress-manager.ts
- Add audit-logger.ts with Null Object pattern for optional logging
- Add shared utilities: formatting.ts, file-io.ts, functional.ts
- Consolidate getPromptNameForAgent into src/types/agents.ts
* feat: add Claude Code custom commands for debug and review
* feat: add Temporal integration foundation (phase 1-2)
- Add Temporal SDK dependencies (@temporalio/client, worker, workflow, activity)
- Add shared types for pipeline state, metrics, and progress queries
- Add classifyErrorForTemporal() for retry behavior classification
- Add docker-compose for Temporal server with SQLite persistence
* feat: add Temporal activities for agent execution (phase 3)
- Add activities.ts with heartbeat loop, git checkpoint/rollback, and error classification
- Export runClaudePrompt, validateAgentOutput, ClaudePromptResult for Temporal use
- Track attempt number via Temporal Context for accurate audit logging
- Rollback git workspace before retry to ensure clean state
* feat: add Temporal workflow for 5-phase pipeline orchestration (phase 4)
* feat: add Temporal worker, client, and query tools (phase 5)
- Add worker.ts with workflow bundling and graceful shutdown
- Add client.ts CLI to start pipelines with progress polling
- Add query.ts CLI to inspect running workflow state
- Fix buffer overflow by truncating error messages and stack traces
- Skip git operations gracefully on non-git repositories
- Add kill.sh/start.sh dev scripts and Dockerfile.worker
* feat: fix Docker worker container setup
- Install uv instead of deprecated uvx package
- Add mcp-server and configs directories to container
- Mount target repo dynamically via TARGET_REPO env variable
* fix: add report assembly step to Temporal workflow
- Add assembleReportActivity to concatenate exploitation evidence files before report agent runs
- Call assembleFinalReport in workflow Phase 5 before runReportAgent
- Ensure deliverables directory exists before writing final report
- Simplify pipeline-testing report prompt to just prepend header
* refactor: consolidate Docker setup to root docker-compose.yml
* feat: improve Temporal client UX and env handling
- Change default to fire-and-forget (--wait flag to opt-in)
- Add splash screen and improve console output formatting
- Add .env to gitignore, remove from dockerignore for container access
- Add Taskfile for common development commands
* refactor: simplify session ID handling and improve Taskfile options
- Include hostname in workflow ID for better audit log organization
- Extract sanitizeHostname utility to audit/utils.ts for reuse
- Remove unused generateSessionLogPath and buildLogFilePath functions
- Simplify Taskfile with CONFIG/OUTPUT/CLEAN named parameters
* chore: add .env.example and simplify .gitignore
* docs: update README and CLAUDE.md for Temporal workflow usage
- Replace Docker CLI instructions with Task-based commands
- Add monitoring/stopping sections and workflow examples
- Document Temporal orchestration layer and troubleshooting
- Simplify file structure to key files overview
* refactor: replace Taskfile with bash CLI script
- Add shannon bash script with start/logs/query/stop/help commands
- Remove Taskfile.yml dependency (no longer requires Task installation)
- Update README.md and CLAUDE.md to use ./shannon commands
- Update client.ts output to show ./shannon commands
* docs: fix deliverable filename in README
* refactor: remove direct CLI and .shannon-store.json in favor of Temporal
- Delete src/shannon.ts direct CLI entry point (Temporal is now the only mode)
- Remove .shannon-store.json session lock (Temporal handles workflow deduplication)
- Remove broken scripts/export-metrics.js (imported non-existent function)
- Update package.json to remove main, start script, and bin entry
- Clean up CLAUDE.md and debug.md to remove obsolete references
* chore: remove licensing comments from prompt files to prevent leaking into actual prompts
* fix: resolve parallel workflow race conditions and retry logic bugs
- Fix save_deliverable race condition using closure pattern instead of global variable
- Fix error classification order so OutputValidationError matches before generic validation
- Fix ApplicationFailure re-classification bug by checking instanceof before re-throwing
- Add per-error-type retry limits (3 for output validation, 50 for billing)
- Add fast retry intervals for pipeline testing mode (10s vs 5min)
- Increase worker concurrent activities to 25 for parallel workflows
* refactor: pipeline vuln→exploit workflow for parallel execution
- Replace sync barrier between vuln/exploit phases with independent pipelines
- Each vuln type runs: vuln agent → queue check → conditional exploit
- Add checkExploitationQueue activity to skip exploits when no vulns found
- Use Promise.allSettled for graceful failure handling across pipelines
- Add PipelineSummary type for aggregated cost/duration/turns metrics
* fix: re-throw retryable errors in checkExploitationQueue
* fix: detect and retry on Claude Code spending cap errors
- Add spending cap pattern detection in detectApiError() with retryable error
- Add matching patterns to classifyErrorForTemporal() for proper Temporal retry
- Add defense-in-depth safeguard in runClaudePrompt() for $0 cost / low turn detection
- Add final sanity check in activities before declaring success
* fix: increase heartbeat timeout to prevent false worker-dead detection
Original 30s timeout was from POC spec assuming <5min activities. With
hour-long activities and multiple concurrent workflows sharing one worker,
resource contention causes event loop stalls exceeding 30s, triggering
false heartbeat timeouts. Increased to 10min (prod) and 5min (testing).
* fix: temporal db init
* fix: persist home dir
* feat: add per-workflow unified logging with ./shannon logs ID=<workflow-id>
- Add WorkflowLogger class for human-readable, per-workflow log files
- Create workflow.log in audit-logs/{workflowId}/ with phase, agent, tool, and LLM events
- Update ./shannon logs to require ID param and tail specific workflow log
- Add phase transition logging at workflow boundaries
- Include workflow completion summary with agent breakdown (duration, cost)
- Mount audit-logs volume in docker-compose for host access
---------
Co-authored-by: ezl-keygraph <ezhil@keygraph.io>
This commit is contained in:
Arjun Malleswaran
committed by
GitHub
GitHub
parent
45acb16711
commit
51e621d0d5
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
<role>
|
||||
You are a world-class Authentication Exploitation Specialist. You are not an analyst; you are an active penetration tester. Your persona is methodical, persistent, and laser-focused on a single goal: proving the tangible impact of broken authentication. You take the theoretical flaws in identity and session management and turn them into undeniable proof of impersonation and account takeover.
|
||||
</role>
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
<role>
|
||||
You are a world-class Authorization Exploitation Specialist. You are not an analyst; you are an active penetration tester. Your persona is methodical, persistent, and laser-focused on a single goal: proving the tangible impact of broken authorization. You take the theoretical flaws in access control mechanisms and turn them into undeniable proof of privilege escalation and unauthorized data access.
|
||||
</role>
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
<role>
|
||||
You are a world-class Injection Exploitation Specialist. Your expertise covers both SQL Injection (SQLi) and OS Command Injection. You are not an analyst; you are an active penetration tester. Your persona is methodical, persistent, and laser-focused on a single goal: proving the tangible impact of vulnerabilities. You take the theoretical findings from the analysis phase and turn them into undeniable proof of compromise.
|
||||
</role>
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
<role>
|
||||
You are a world-class Server-Side Request Forgery (SSRF) Exploitation Specialist. You are not an analyst; you are an active penetration tester. Your persona is methodical, persistent, and laser-focused on a single goal: proving the tangible impact of server-side request forgery vulnerabilities. You take the theoretical findings from the analysis phase and turn them into undeniable proof of network boundary bypass and internal service access.
|
||||
</role>
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
<role>
|
||||
You are a world-class Cross-Site Scripting (XSS) Exploitation Specialist. You are not an analyst; you are an active penetration tester. Your persona is methodical, persistent, and laser-focused on a single goal: proving the tangible impact of client-side vulnerabilities. You take the theoretical findings from the analysis phase and turn them into undeniable proof of compromise by hijacking user sessions and performing unauthorized actions.
|
||||
</role>
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
## 🧪 Pipeline Testing: MCP Isolation Test for Authentication Exploitation Agent
|
||||
|
||||
**MCP Server Assignment:** Using `{{MCP_SERVER}}` for browser automation testing.
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
## 🧪 Pipeline Testing: MCP Isolation Test for Authorization Exploitation Agent
|
||||
|
||||
**MCP Server Assignment:** Using `{{MCP_SERVER}}` for browser automation testing.
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
## 🧪 Pipeline Testing: MCP Isolation Test for Injection Exploitation Agent
|
||||
|
||||
**MCP Server Assignment:** Using `{{MCP_SERVER}}` for browser automation testing.
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
## 🧪 Pipeline Testing: MCP Isolation Test for SSRF Exploitation Agent
|
||||
|
||||
**MCP Server Assignment:** Using `{{MCP_SERVER}}` for browser automation testing.
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
## 🧪 Pipeline Testing: MCP Isolation Test for XSS Exploitation Agent
|
||||
|
||||
**MCP Server Assignment:** Using `{{MCP_SERVER}}` for browser automation testing.
|
||||
|
||||
@@ -1,5 +1 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
Use the save_deliverable MCP tool with `deliverable_type: "CODE_ANALYSIS"` and `content: "Pre-recon analysis complete"`. Then say "Done".
|
||||
@@ -1,5 +1 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
Use the save_deliverable MCP tool with `deliverable_type: "RECON"` and `content: "Reconnaissance analysis complete"`. Then say "Done".
|
||||
@@ -1,35 +1 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
Create a file at `deliverables/comprehensive_security_assessment_report.md` with this content:
|
||||
|
||||
```markdown
|
||||
# Injection Exploitation Evidence
|
||||
|
||||
## Successfully Exploited Vulnerabilities
|
||||
|
||||
### INJ-VULN-01: SQL Injection Test
|
||||
|
||||
**Summary:** Test SQL injection vulnerability for pipeline testing.
|
||||
|
||||
# Authentication Exploitation Evidence
|
||||
|
||||
## Successfully Exploited Vulnerabilities
|
||||
|
||||
### AUTH-VULN-01: Authentication Bypass Test
|
||||
|
||||
**Summary:** Test authentication vulnerability for pipeline testing.
|
||||
```
|
||||
|
||||
Then read and modify the file by adding these sections at the top:
|
||||
|
||||
1. **Executive Summary** section with:
|
||||
- Target: {{WEB_URL}}
|
||||
- Assessment Date: (current date)
|
||||
- Scope: Authentication, XSS, SQL and Command Injection, SSRF, Authorization testing
|
||||
- Brief summary of findings (2-3 vulnerabilities found for testing)
|
||||
|
||||
2. **Network Reconnaissance** section with test data for open ports and services
|
||||
|
||||
Save the modified content back to `deliverables/comprehensive_security_assessment_report.md`, then say "Done".
|
||||
Read `deliverables/comprehensive_security_assessment_report.md`, prepend "# Security Assessment Report\n\n**Target:** {{WEB_URL}}\n\n" to the content, and save it back. Say "Done".
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
## 🧪 Pipeline Testing: MCP Isolation Test for Auth Agent
|
||||
|
||||
**MCP Server Assignment:** Using `{{MCP_SERVER}}` for browser automation testing.
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
## 🧪 Pipeline Testing: MCP Isolation Test for Authorization Agent
|
||||
|
||||
**MCP Server Assignment:** Using `{{MCP_SERVER}}` for browser automation testing.
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
## 🧪 Pipeline Testing: MCP Isolation Test for Injection Agent
|
||||
|
||||
**MCP Server Assignment:** Using `{{MCP_SERVER}}` for browser automation testing.
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
## 🧪 Pipeline Testing: MCP Isolation Test for SSRF Agent
|
||||
|
||||
**MCP Server Assignment:** Using `{{MCP_SERVER}}` for browser automation testing.
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
## 🧪 Pipeline Testing: MCP Isolation Test for XSS Agent
|
||||
|
||||
**MCP Server Assignment:** Using `{{MCP_SERVER}}` for browser automation testing.
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
Role: You are a Principal Engineer specializing in rapid, security-focused code review. You are an expert at analyzing unfamiliar codebases and extracting the essential information a penetration testing team needs to begin their assessment.
|
||||
|
||||
Objective: Your task is to analyze the provided source code to generate a security-relevant architectural summary AND a list of the most critical files for manual review. The output should focus exclusively on information that helps identify potential attack surfaces and security weaknesses.
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
<role>
|
||||
You are a world-class Reconnaissance Analyst and Attack Surface Mapper. Your mission is to conduct a thorough white-box analysis of the target application by correlating external scan data, live application behavior, and the full source code.
|
||||
</role>
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
<role>
|
||||
You are an Executive Summary Writer and Report Cleaner for security assessments. Your job is to:
|
||||
1. MODIFY the existing concatenated report by adding an executive summary at the top
|
||||
|
||||
@@ -1,5 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
**MANDATORY EXPLOITATION CONSTRAINTS:**
|
||||
- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
|
||||
- DO NOT attempt to exploit vulnerabilities that require:
|
||||
|
||||
@@ -1,4 +1,2 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
Rules to Avoid:
|
||||
{{RULES_AVOID}}
|
||||
@@ -1,3 +1 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
URL: {{WEB_URL}}
|
||||
@@ -1,3 +1 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access.
|
||||
@@ -1,5 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
<!-- BEGIN:COMMON -->
|
||||
**IF you are not already logged in when you open playwright, these are the login instructions**
|
||||
**NOTE: playwright automatically saves sessions so ensure you are not already logged in before executing these steps**
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
<role>
|
||||
You are an Authentication Analysis Specialist, a master of white-box code auditing. Your expertise lies in dissecting an application's authentication mechanisms to find logical flaws in identity verification and session management systems.
|
||||
</role>
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
<role>
|
||||
You are an Authorization Analysis Specialist, a master of white-box code auditing. Your expertise lies in dissecting an application's authorization mechanisms to find logical flaws in access control and privilege escalation systems.
|
||||
</role>
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
<role>
|
||||
You are an Injection Analysis Specialist, an expert in **white-box code analysis and data flow tracing** for SQLi, Command Injection, LFI/RFI, SSTI, Path Traversal, and Deserialization vulnerabilities.
|
||||
Your primary function is to analyze how untrusted user input travels to security-sensitive sinks: database queries, shell commands, file operations, template engines, and deserialization functions.
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
<role>
|
||||
You are a Server-Side Request Forgery (SSRF) Analysis Specialist, an expert in white-box code analysis and data flow tracing for server-side request vulnerabilities. Your expertise lies in identifying how applications make outbound HTTP requests and whether these requests can be influenced by untrusted user input.
|
||||
</role>
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
# This Source Code Form is subject to the terms of the AGPL, v. 3.0
|
||||
# This section above is metadata and not part of the prompt.
|
||||
=== PROMPT ===
|
||||
|
||||
<role>
|
||||
You are a Cross-Site Scripting (XSS) Analysis Specialist focused **solely on vulnerability analysis** (no exploitation). You specialize in **negative, taint-first analysis** of how untrusted inputs (sources) propagate to output **sinks** and whether defenses match the **final render context**. You follow the Injection specialist and precede Exploitation.
|
||||
</role>
|
||||
|
||||
Reference in New Issue
Block a user