Adds SKILL.md for the hightower pentest API. Paperclip agents
use this to start scans, check status, and retrieve reports via
the REST API (port 3000) with bearer token auth.
Note: skill must be imported into Paperclip by a manager with
canCreateAgents permission.
MCP server is overkill for this use case — all 5 MCP tools are
thin wrappers over the REST API. Paperclip agents should use the
REST API directly with bearer token auth instead.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Without --output, copyDeliverables() is skipped after the workflow finishes,
so the final report and all agent deliverables are lost when the emptyDir
volumes are cleaned up on pod exit.
Pass --output pointing to the workspace's deliverables/ subdir on the
workspaces PVC so files survive beyond the pod lifecycle.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Node mindy caches the :latest tag digest even with imagePullPolicy: Always.
Pinning to the SHA-tagged image forces a fresh pull on pod restart.
This image includes the pentest-user (UID 1001) securityContext fix.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Claude Code refuses --allow-dangerously-skip-permissions when running as root,
causing immediate exit with code 1. The worker image defines a "pentest" user
(UID/GID 1001), but K8s job specs override the entrypoint.sh that normally
switches to it. Adding a pod-level securityContext with runAsUser=1001 and
fsGroup=1001 fixes both the root-privilege rejection and PVC write access.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
BuildKit cache on self-hosted runner was stale — compiled JS still had
bitnami/git:2 despite source using alpine/git:latest. Adding no-cache:
true to force clean rebuilds until we can investigate the cache
invalidation issue.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The worker container overlay mounts (deliverables, scratchpad,
playwright-cli) failed because /repo is read-only and the overlay
mountpoints at /repo/.shannon/* didn't exist. The init container now
creates these directories after cloning the repo.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
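The three worker-pod fixes described in the commits above (the pod-level securityContext for UID/GID 1001, pinning the worker image by digest instead of :latest, and pre-creating the /repo/.shannon/* overlay mount points in the init container before the read-only repo mount is used) fit together in one Job manifest. The following is an added example written for this page, not a manifest from the hightower or Shannon repositories: the Job name, namespace, the worker `command`/`args` (including the `--output` path into the workspaces PVC), the PVC name `hightower-workspaces`, the REPO_URL value and the image digest are all placeholders or assumptions; `runAsNonRoot: true` is an extra hardening field added here, not mentioned in the commits.

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: hightower-worker-example        # constructed name
  namespace: hightower
spec:
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      # Pod-level securityContext: every container (init and main) runs as
      # the image's unprivileged "pentest" user (UID/GID 1001) even though
      # the job spec bypasses entrypoint.sh. runAsNonRoot rejects the pod
      # outright if an image tries to run as root; fsGroup makes the PVC
      # and emptyDir volumes writable for that group.
      securityContext:
        runAsUser: 1001
        runAsGroup: 1001
        fsGroup: 1001
        runAsNonRoot: true                 # added hardening, not in the commit
      initContainers:
        - name: clone
          image: alpine/git:latest
          command: ["sh", "-c"]
          args:
            - |
              set -e
              git clone --depth 1 "$REPO_URL" /repo
              # Pre-create the overlay mount points. /repo is mounted
              # read-only in the worker, so kubelet cannot create them
              # there and the overlay mounts would fail.
              mkdir -p /repo/.shannon/deliverables \
                       /repo/.shannon/scratchpad \
                       /repo/.shannon/playwright-cli
          env:
            - name: REPO_URL
              value: "https://example.invalid/org/target-app.git"   # placeholder
          volumeMounts:
            - name: repo
              mountPath: /repo
      containers:
        - name: worker
          # Pin by digest, not :latest, so a restarted pod cannot reuse a
          # node's stale cached image even with imagePullPolicy: Always.
          image: ghcr.io/farhoodliquor/shannon@sha256:<digest-placeholder>
          command: ["node", "dist/index.js"]                          # assumed entrypoint
          args: ["--output", "/workspaces/scan-example/deliverables"]  # assumed path on the PVC
          volumeMounts:
            - name: repo
              mountPath: /repo
              readOnly: true
            - name: deliverables
              mountPath: /repo/.shannon/deliverables
            - name: scratchpad
              mountPath: /repo/.shannon/scratchpad
            - name: playwright-cli
              mountPath: /repo/.shannon/playwright-cli
            - name: workspaces
              mountPath: /workspaces
      volumes:
        - name: repo
          emptyDir: {}
        - name: deliverables
          emptyDir: {}
        - name: scratchpad
          emptyDir: {}
        - name: playwright-cli
          emptyDir: {}
        - name: workspaces
          persistentVolumeClaim:
            claimName: hightower-workspaces          # assumed PVC name
```

Because the overlay volumes are emptyDirs, anything the worker writes under /repo/.shannon/* disappears when the pod exits; only what `--output` copies to the PVC-backed path survives, which is why the `--output` argument is part of the same manifest rather than an optional extra.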
Biome reported unsorted imports and formatting issues in
apps/api/src/index.ts and apps/api/src/mcp/server.ts.
Auto-fixed via pnpm biome:fix.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add a Model Context Protocol server to apps/api/src/mcp/, exposing
five tools backed by scan-manager.ts:
- start_scan, get_scan, list_scans, cancel_scan, get_report
The MCP server runs on port 3100 (MCP_PORT env var) using
StreamableHTTPServerTransport from @modelcontextprotocol/sdk, alongside
the existing Hono API server.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add restart annotation to trigger Flux-driven rollout so the API picks
up the alpine/git init container fix (ef79ca2). Also add a deploy-manager
Role and RoleBinding so the farh-net:farh-net-paperclip SA can manage
deployments in the hightower namespace going forward.
Resolves FAR-112.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Ensures rollout restart pulls the latest image instead of using
the node's cached copy.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CNPG already creates the temporal and temporal_visibility databases
via postInitSQL. The auto-setup container doesn't have CREATEDB
privilege, so set SKIP_DB_CREATE=true to skip that step.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Single container that auto-creates and migrates the schema against
CNPG PostgreSQL. Built-in Web UI on 8233. No separate schema job,
ConfigMap, or UI deployment needed.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Replace temporalio/temporal (SQLite dev server) with temporalio/server
backed by CNPG PostgreSQL (hightower-temporal-db)
- Add schema init Job using temporalio/admin-tools
- Add separate temporalio/ui deployment for the web dashboard
- Remove namespace.yaml — namespace is managed by the cluster repo
- Remove ensureNamespace() from K8s orchestrator
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Namespace, Temporal, router, PVCs, labels, and GHCR API image all
renamed from shannon-* to hightower-*. Upstream references preserved:
worker image (ghcr.io/farhoodliquor/shannon), .shannon/ dirs,
@shannon/worker package imports.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Renames API server, worker jobs, credentials secret, and workspaces
PVC to use the hightower prefix. Upstream Shannon names (namespace,
Temporal service, package imports, .shannon/ dir) are unchanged.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The temporalio/temporal image has `temporal` as its entrypoint.
Using `command` overrides the entrypoint entirely. Use `args` to
pass `server start-dev` to the existing entrypoint.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The temporalio/temporal:latest image no longer has a `server` binary.
The dev server is now in temporalio/cli with `temporal server start-dev`.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Worker and API builds now run independently so a failure in one
doesn't block the other.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add apps/api/ — Hono REST API server for managing pentest scans via K8s Jobs
- POST/GET /api/scans, GET /api/scans/:id, cancel, report endpoints
- Bearer token auth, Temporal client integration, K8s Job builder
- Dockerfile, Kustomize manifests (Deployment, Service, RBAC)
- Add CLI orchestrator abstraction (docker.ts → Orchestrator interface)
- DockerOrchestrator and K8sOrchestrator implementations
- Backend detection via SHANNON_BACKEND env var or --backend flag
- Add CI workflow: type-check + lint on PR, build+push both images on main
- Switch all workflows to self-hosted runners (runners-farhoodliquor)
- Add shannon-api image build to release and release-beta workflows
- Add root infra/kustomization.yaml as Flux entry point
- Export PipelineProgress from @shannon/worker/pipeline
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- namespace, temporal server, workspaces PVC
- API server deployment, service, serviceaccount, RBAC
- Dev overlay
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: extract pipeline core for library consumption
* fix: chmod workspace directory for container write access
* fix: resolve playwright output dir relative to deliverables parent
* feat: add multi-provider LLM support via ProviderConfig
* fix: resolve model overrides via options.model, remove unused model env passthrough
* fix: use ANTHROPIC_AUTH_TOKEN for custom base URL and router auth
* fix: skip env-based credential validation when providerConfig is present
* fix: support large UID/GID values for AD/LDAP users in container
* feat: mount user repo as read-only with deliverables bind-mount overlay
* feat: add playground and .playwright-cli overlay mounts
* feat: add filesystem context to pipeline-testing prompts
* fix: use explicit REPO_PATH in filesystem prompt for clarity
* fix: update filesystem prompts with playground notes and absolute screenshot paths
* feat: namespace writable overlays under .shannon/ to avoid polluting host repo
* refactor: rename playground to scratchpad
* fix: redirect playwright-cli output to writable .shannon/ overlay
* fix: pre-create .shannon/ overlay mount points for Linux compatibility
* fix: exclude nested node_modules and dist from Docker build context
* fix: enforce LF line endings for shell scripts on Windows
- Add minimum-release-age=10080 (7 days) and ignore-scripts=true to .npmrc
- Upgrade pnpm from 10.12.1 to 10.33.0 (minimumReleaseAge requires >= 10.16.0)
- Document package installation age policy in CLAUDE.md
* feat: add structured outputs for vuln agent exploitation queues
Use Claude Agent SDK's native outputFormat to get schema-validated JSON
queue data from vulnerability analysis agents instead of relying on
save-deliverable tool calls for queue files.
- Add Zod schemas for all 5 vuln types (injection, xss, auth, ssrf, authz)
- Thread outputFormat through SDK call chain (executor → message handlers)
- Write structured_output to disk as queue JSON before validation
- Handle error_max_structured_output_retries as retryable failure
- Update vuln prompts to use structured output for queues
- Keep save-deliverable for markdown deliverables (unchanged)
* fix: correct structured output schema conversion for Claude Agent SDK
Use draft-07 target for z.toJSONSchema() instead of the default
draft-2020-12, which the SDK's AJV validator doesn't support. Update
pipeline-testing prompts to use structured output instead of raw JSON
responses.
* refactor: remove save-deliverable references for queues in vuln prompts
Queues are now captured via structured outputs, so vuln agents no longer
need to use save-deliverable for queue JSON. Removes references to
"structured response/output" phrasing and aligns all prompts to use
consistent "exploitation queue" terminology.
* refactor: remove queue support from save-deliverable
Queues are now produced via structured outputs, so save-deliverable no
longer needs queue-related code. Removes queue enum values, filename
mappings, JSON validation, and updates all prompt tool descriptions to
match the simplified CLI interface.
* fix: instruct vuln agents to save deliverable before exploitation queue
The structured output tool terminates the agent session when called.
Agents were calling it before saving their deliverable markdown,
causing output validation failures and unnecessary retries.
* refactor: remove explicit exploitation queue output instructions from vuln prompts
The Claude Agent SDK automatically captures structured output on the
last turn when outputFormat is set. Prompts explicitly telling agents
to produce the queue caused them to call StructuredOutput mid-session,
conflicting with the SDK mechanism and silently dropping the output.
Removed exploitation_queue_requirements sections and queue references
from conclusion triggers. Added note that the queue is captured
automatically. Updated Your Output to point to the deliverable markdown.
* feat: integrate npx CLI, CI/CD, and ephemeral worker architecture
Bring in changes from shannon-npx: npx-distributable CLI package (cli/),
semantic-release CI/CD workflows, ephemeral per-scan worker containers,
TOML config support, setup wizard, and workspace management.
Preserves all shannon-only changes: security hardening (localhost-bound
ports, MCP env allowlist, path traversal guard), updated benchmarks
(XBEN 19/31/35/44), README assets, and prompt injection disclaimer.
Applies security hardening to cli/infra/compose.yml as well.
* refactor: migrate to Turborepo + pnpm + Biome monorepo
Restructure into apps/worker, apps/cli, packages/mcp-server with
Turborepo task orchestration, pnpm workspaces, Biome linting/formatting,
and tsdown CLI bundling.
Key changes:
- src/ -> apps/worker/src/, cli/ -> apps/cli/, mcp-server/ -> packages/mcp-server/
- prompts/ and configs/ moved into apps/worker/
- npm replaced with pnpm, package-lock.json replaced with pnpm-lock.yaml
- Dockerfile updated for pnpm-based builds
- CLI logs command rewritten with chokidar for cross-platform reliability
- Router health checking added for auto-detected router mode
- Centralized path resolution via apps/worker/src/paths.ts
* fix: resolve all biome warnings and formatting issues
- Remove unnecessary non-null assertions where values are guaranteed
- Replace array index access with .at() for safer element retrieval
- Use local variables to avoid repeated process.env lookups
- Replace any types with unknown in functional utilities
- Use nullish coalescing for TOTP hash byte access
- Auto-format security patches to match biome config
* fix: pin pnpm to 10.12.1 in Dockerfile for catalog support
* fix: handle Esc cancellation in Bedrock setup flow
Replace p.group() with individual prompts and per-field cancel checks,
matching the pattern used by all other provider setup flows.
* feat: add optional model customization to Anthropic setup
* fix: resolve Docker bind mount permission errors on Linux
Use entrypoint-based UID remapping instead of --user flag so the
container's pentest user matches the host UID/GID, keeping bind-mounted
volumes writable. Git config moved to --system level to survive remapping.
* fix: show resumed workflow ID in splash screen URL
When resuming a workflow, the Temporal Web UI link pointed to the old
(terminated) workflow ID. Now extracts "New Workflow ID" from the resume
header in workflow.log, falling back to the original ID for fresh scans.
* style: fix biome formatting in docker.ts
* fix: align TypeScript config types with JSON Schema
- SuccessCondition.type: use schema values (url_contains,
element_present, url_equals_exactly, text_contains) instead of
stale values (url, cookie, element, redirect)
- Authentication.login_flow: mark optional to match schema which
does not require it
* feat: mark GitHub release as latest during rollback
* fix: use native ARM64 runners for Docker multi-platform builds
Replace QEMU emulation with parallel native builds using a matrix
strategy (ubuntu-latest for amd64, ubuntu-24.04-arm for arm64).
Each platform pushes by digest, then a merge job creates the
multi-arch manifest list before signing with cosign.
* fix: resolve SessionMutex race condition with 3+ concurrent waiters
* fix: skip POSIX permission check on Windows
writeFileSync mode option is ignored on Windows, so config.toml
gets 0o666 and the guard rejects it.
* fix: resolve unsubstituted placeholders in report prompt
Remove unused {{GITHUB_URL}} placeholder and wire up {{AUTH_CONTEXT}}
with structured auth context (login type, username, URL, MFA status).
* fix: remove duplicate environment gate from merge-docker job
Move DOCKERHUB_USERNAME from vars to secrets so merge-docker can access
credentials without its own environment scope. This eliminates the
redundant double approval since build-docker already gates on
release-publish.
* fix: replace POSIX sleep binary with cross-platform async sleep
execFileSync('sleep') is unavailable on Windows. Use node:timers/promises
setTimeout instead, making ensureInfra async.
* fix: use session.json for workflow ID on resume instead of parsing workflow.log
On resume, workflow.log already exists with stale headers from the
previous run. The CLI poll found '====' immediately and extracted the
old workflow ID, producing a wrong Temporal Web UI URL.
Read the workflow ID from session.json instead — the worker writes
resume attempts there atomically. For fresh runs, poll until
originalWorkflowId appears. For resumes, poll until a new
resumeAttempts entry is appended.
* feat: add custom base URL support for Anthropic-compatible proxies
Support ANTHROPIC_BASE_URL + ANTHROPIC_AUTH_TOKEN to route SDK requests
through LiteLLM or any Anthropic-compatible proxy. Adds TUI wizard
option, TOML config mapping, credential validation, and preflight
endpoint reachability check via SDK query.
* fix: remove environment gates and add NPM_TOKEN to publish step
* feat: add beta release and rollback workflows with cosign signing
* fix: remove redundant checkout and pnpm steps from beta release workflow
* docs: normalize README commands to mode-neutral shorthand
Add a substitution note after Quick Start sections so all subsequent
examples use bare `shannon` instead of mixing `./shannon` and
`npx @keygraph/shannon`. Mode-specific commands (build, update,
uninstall) get inline annotations. Also fixes a broken command in the
Custom Base URL section.
* fix: remove redundant `update` command
Image is already auto-pulled by `ensureImage()` during `start` when the
pinned version tag is missing locally. Manual `update` was unnecessary.
* docs: add CLI package README stub
* docs: update README setup instructions for dual CLI modes
* docs: update announcement banner to npx availability
* feat: migrate from MCP tools to CLI based tools (#252)
* feat: migrate from MCP tools to CLI tools
* fix: restore browser action emoji formatters for CLI output
Adapt formatBrowserAction for playwright-cli commands, replacing the old
mcp__playwright__browser_* tool name matching removed during migration.
* fix: mount credential file to fixed container path for Vertex AI
GOOGLE_APPLICATION_CREDENTIALS was forwarded as-is to the container,
causing the relative host path to resolve against the repo mount
instead of the credentials mount. Now both local and npx modes mount
the resolved file to /app/credentials/google-sa-key.json and rewrite
the env var to match.
* feat: add git awareness and optional description field to config
* fix: drop redundant --ipc host flag from worker container
* fix: align announcement banner URL with main branch
* feat: add target URL reachability preflight check (#254)
* Moving asset benchmark graph image to this folder
* Move benchmark results to benchmark repo
Windows Defender flags exploit code in the pentest reports as false positives, forcing every Windows user to add a Defender exclusion just to clone Shannon.
* Updated README
* fix: case-insensitive grep for semantic-release version probe
* fix: harden supply chain security (#255)
* fix: patch smol-toml and tsdown vulnerabilities
Update smol-toml 1.6.0→1.6.1 (DoS via recursive comment parsing) and
tsdown 0.21.2→0.21.5 (picomatch ReDoS + method injection).
* fix: pin all unpinned dependency versions in Dockerfile
Pins subfinder v2.13.0, WhatWeb v0.6.3 (switched from git clone to
release tarball), schemathesis 4.13.0, addressable 2.8.9,
claude-code 2.1.84, and playwright-cli 0.1.1 for reproducible builds.
* fix: pin GitHub Actions to commit SHAs for supply chain security
* fix: pin GitHub Actions to commit SHAs in beta and rollback workflows
Support ANTHROPIC_BASE_URL + ANTHROPIC_AUTH_TOKEN in .env to route
SDK requests through proxies or gateways. Preflight now validates the
custom endpoint is reachable instead of skipping credential checks.