feat: backport config-driven run scoping and report filtering

Cherry-pick of upstream Shannon PR #326. Adds vuln_classes subset selection, exploit toggle, code_path avoid enforcement via SDK deny rules, deterministic findings rendering when exploit is disabled, report filtering (min_severity, min_confidence, guidance), and rules_of_engagement config field. Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-20 00:45:35 +00:00
parent 70af2b12db
commit 85bcb27860
30 changed files with 1116 additions and 170 deletions
@@ -118,6 +118,51 @@
      },
      "additionalProperties": false
    },
+    "vuln_classes": {
+      "type": "array",
+      "description": "Vulnerability classes to test. When omitted, all five classes run. When set, only listed classes run; their vuln+exploit agents and report sections are included.",
+      "items": {
+        "type": "string",
+        "enum": ["injection", "xss", "auth", "authz", "ssrf"]
+      },
+      "minItems": 1,
+      "maxItems": 5,
+      "uniqueItems": true
+    },
+    "exploit": {
+      "type": "string",
+      "enum": ["true", "false"],
+      "description": "Whether to run the exploitation phase (default true). Set false to run only analysis."
+    },
+    "report": {
+      "type": "object",
+      "description": "Report filtering and guidance applied by the report agent.",
+      "properties": {
+        "min_severity": {
+          "type": "string",
+          "enum": ["low", "medium", "high", "critical"],
+          "description": "Minimum severity threshold; findings below are dropped by the report agent."
+        },
+        "min_confidence": {
+          "type": "string",
+          "enum": ["low", "medium", "high"],
+          "description": "Minimum confidence threshold; findings below are dropped by the report agent."
+        },
+        "guidance": {
+          "type": "string",
+          "minLength": 1,
+          "maxLength": 500,
+          "description": "Free-text guidance to the report agent (e.g., 'Drop findings about missing security headers')."
+        }
+      },
+      "additionalProperties": false
+    },
+    "rules_of_engagement": {
+      "type": "string",
+      "minLength": 1,
+      "maxLength": 1000,
+      "description": "Free-text instructions to the agent that render into every prompt."
+    },
    "login": {
      "type": "object",
      "description": "Deprecated: Use 'authentication' section instead",
@@ -135,7 +180,11 @@
    { "required": ["authentication"] },
    { "required": ["rules"] },
    { "required": ["authentication", "rules"] },
-    { "required": ["description"] }
+    { "required": ["description"] },
+    { "required": ["vuln_classes"] },
+    { "required": ["exploit"] },
+    { "required": ["report"] },
+    { "required": ["rules_of_engagement"] }
  ],
  "additionalProperties": false,
  "$defs": {
@@ -151,17 +200,17 @@
        },
        "type": {
          "type": "string",
-          "enum": ["path", "subdomain", "domain", "method", "header", "parameter"],
-          "description": "Type of rule (what aspect of requests to match against)"
+          "enum": ["url_path", "subdomain", "domain", "method", "header", "parameter", "code_path"],
+          "description": "Type of rule (what aspect of requests or source code to match against)"
        },
-        "url_path": {
+        "value": {
          "type": "string",
          "minLength": 1,
          "maxLength": 1000,
-          "description": "URL path pattern or value to match"
+          "description": "Value to match"
        }
      },
-      "required": ["description", "type", "url_path"],
+      "required": ["description", "type", "value"],
      "additionalProperties": false
    }
  }