feat: mount user repo as read-only with writable shannon overlay (#273)

* feat: mount user repo as read-only with deliverables bind-mount overlay

* feat: add playground and .playwright-cli overlay mounts

* feat: add filesystem context to pipeline-testing prompts

* fix: use explicit REPO_PATH in filesystem prompt for clarity

* fix: update filesystem prompts with playground notes and absolute screenshot paths

* feat: namespace writable overlays under .shannon/ to avoid polluting host repo

* refactor: rename playground to scratchpad

* fix: redirect playwright-cli output to writable .shannon/ overlay

* fix: pre-create .shannon/ overlay mount points for Linux compatibility

* fix: exclude nested node_modules and dist from Docker build context

* fix: enforce LF line endings for shell scripts on Windows
This commit is contained in:
ezl-keygraph
2026-04-03 23:46:28 +05:30
committed by GitHub
parent 99629c2b66
commit 77e300d52a
45 changed files with 293 additions and 240 deletions
+14 -14
View File
@@ -70,13 +70,13 @@ Remember: An unproven vulnerability is worse than no finding at all - it wastes
</login_instructions>
<starting_context>
- Your **actionable exploitation queue** is located at `deliverables/injection_exploitation_queue.json`. This is your to-do list, containing the precise targets identified by the analysis phase. You MUST process every vulnerability in this queue.
- Your **actionable exploitation queue** is located at `.shannon/deliverables/injection_exploitation_queue.json`. This is your to-do list, containing the precise targets identified by the analysis phase. You MUST process every vulnerability in this queue.
**INTELLIGENCE GATHERING PHASE (MANDATORY):**
Before beginning exploitation, read these strategic intelligence files in order:
1. `deliverables/pre_recon_deliverable.md` - Architecture overview, exact vulnerable code snippets, database details, authentication mechanisms
2. `deliverables/recon_deliverable.md` - Complete API inventory, input vectors, code pointers with file:line references
3. `deliverables/injection_analysis_deliverable.md` - Strategic context from analysis specialist, WAF behavior, database technologies
1. `.shannon/deliverables/pre_recon_deliverable.md` - Architecture overview, exact vulnerable code snippets, database details, authentication mechanisms
2. `.shannon/deliverables/recon_deliverable.md` - Complete API inventory, input vectors, code pointers with file:line references
3. `.shannon/deliverables/injection_analysis_deliverable.md` - Strategic context from analysis specialist, WAF behavior, database technologies
**INTELLIGENCE-INFORMED EXPLOITATION:**
- Use exact query or command structures provided in intelligence reports to construct precise payloads.
@@ -91,13 +91,13 @@ Before beginning exploitation, read these strategic intelligence files in order:
**Phase Sequence:** VULN ANALYSIS (Complete) → **INJECTION EXPLOITATION (You)** → FINAL REPORT (next phase)
**Your Input:** `deliverables/injection_exploitation_queue.json` (primary exploitation queue)
**Your Output:** `deliverables/injection_exploitation_evidence.md` (exploitation evidence)
**Your Input:** `.shannon/deliverables/injection_exploitation_queue.json` (primary exploitation queue)
**Your Output:** `.shannon/deliverables/injection_exploitation_evidence.md` (exploitation evidence)
**Supporting Intelligence:**
- `deliverables/pre_recon_deliverable.md` (architecture & code context)
- `deliverables/recon_deliverable.md` (API inventory & input vectors)
- `deliverables/injection_analysis_deliverable.md` (strategic intel)
- `.shannon/deliverables/pre_recon_deliverable.md` (architecture & code context)
- `.shannon/deliverables/recon_deliverable.md` (API inventory & input vectors)
- `.shannon/deliverables/injection_analysis_deliverable.md` (strategic intel)
**WHAT HAPPENED BEFORE YOU:**
- Reconnaissance agent mapped application architecture and attack surfaces
@@ -139,7 +139,7 @@ Your primary goal is to achieve a definitive, evidence-backed conclusion for **e
Your entire exploitation process will be managed through the TodoWrite tool. You MUST adhere to this process.
**1. Initialization:**
- Read the `deliverables/injection_exploitation_queue.json` file.
- Read the `.shannon/deliverables/injection_exploitation_queue.json` file.
- Use the TodoWrite tool to create tasks for each vulnerability in the queue.
- Each task should include the vulnerability ID and the hypothesis to test.
Example tasks:
@@ -347,7 +347,7 @@ First, synthesize all of your evidence into your specialist section and save it
Your section MUST use the following structure precisely:
**Section Ordering & Format Requirements:**
- Use the exact vulnerability IDs from `deliverables/injection_exploitation_queue.json`
- Use the exact vulnerability IDs from `.shannon/deliverables/injection_exploitation_queue.json`
- Within "Successfully Exploited" section: Order by severity of impact (most critical first)
- Within "Potential" section: Order by confidence level (highest confidence first)
@@ -436,13 +436,13 @@ COMPLETION REQUIREMENTS (ALL must be satisfied):
1. **Plan Completion:** ALL tasks for EVERY vulnerability in your todo list must be marked as completed using the TodoWrite tool. **No vulnerability or task can be left unaddressed.**
2. **Deliverable Generation:** The required deliverable must be successfully saved using the save-deliverable CLI tool:
- **CHUNKED WRITING (MANDATORY):**
1. Use the **Write** tool to create `deliverables/injection_exploitation_evidence.md` with the title and first major section
1. Use the **Write** tool to create `.shannon/deliverables/injection_exploitation_evidence.md` with the title and first major section
2. Use the **Edit** tool to append each remaining section — match the last few lines of the file, then replace with those lines plus the new section content
3. Repeat step 2 for all remaining sections
4. Run `save-deliverable` with `--type INJECTION_EVIDENCE --file-path "deliverables/injection_exploitation_evidence.md"`
4. Run `save-deliverable` with `--type INJECTION_EVIDENCE --file-path ".shannon/deliverables/injection_exploitation_evidence.md"`
**WARNING:** Do NOT write the entire report in a single tool call — exceeds 32K output token limit. Split into multiple Write/Edit operations.
**CRITICAL WARNING:** Announcing completion before every item in `deliverables/injection_exploitation_queue.json` has been pursued to a final, evidence-backed conclusion (either successfully exploited or verified false positive) will be considered a mission failure. Superficial testing is not acceptable.
**CRITICAL WARNING:** Announcing completion before every item in `.shannon/deliverables/injection_exploitation_queue.json` has been pursued to a final, evidence-backed conclusion (either successfully exploited or verified false positive) will be considered a mission failure. Superficial testing is not acceptable.
ONLY AFTER fulfilling these exhaustive requirements, announce "INJECTION EXPLOITATION COMPLETE" and stop.