13 Commits

Author SHA1 Message Date
Hugh Commit 70af2b12db Merge pull request 'feat: backport Opus 4.7 + adaptive thinking, remove scan tools, add --help to scripts' (#4) from far-136/backport-phase-1 into main
CI / Type-check & lint (push) Successful in 18s
CI / Build & push API image (push) Successful in 58s
CI / Build & push worker image (push) Successful in 3m35s
feat: backport Opus 4.7 + adaptive thinking, remove scan tools, add --help to scripts (#4)
2026-05-20 00:41:19 +00:00
Chris Farhood 800afbfefb feat(cli): block running with sudo or as root
CI / Type-check & lint (pull_request) Successful in 16s
CI / Build & push API image (pull_request) Has been skipped
CI / Build & push worker image (pull_request) Has been skipped
Backport upstream Shannon PR #323. Adds privilege check at CLI startup
that prevents execution via sudo or as the root user.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-20 00:30:58 +00:00
Chris Farhood 085624b287 feat: backport Opus 4.7 + adaptive thinking, remove scan tools, add --help to scripts
CI / Build & push API image (pull_request) Has been skipped
CI / Type-check & lint (pull_request) Successful in 18s
CI / Build & push worker image (pull_request) Has been skipped
Backport upstream Shannon PRs #325, #327, #328:

- Update large model default to claude-opus-4-7, add adaptive thinking
  configuration (auto-enabled on Opus 4.6/4.7, opt-out via
  CLAUDE_ADAPTIVE_THINKING=false), filter thinking blocks from message
  content, bump claude-agent-sdk to ^0.2.114
- Remove unused scan tools (nmap, subfinder, whatweb, schemathesis) from
  Dockerfile, prompts, and docs; remove dead 'tool' error type from
  PentestErrorType; redact URLs in preflight info logs
- Add --help flag to save-deliverable and generate-totp CLI scripts

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-20 00:26:25 +00:00
Chris Farhood ccb3dc6f75 Merge pull request 'chore: move .github folder to .gitea for Gitea compatibility' (#1) from far-133/move-github-to-gitea into main
CI / Type-check & lint (push) Successful in 17s
CI / Build & push API image (push) Successful in 59s
CI / Build & push worker image (push) Successful in 3m16s
Reviewed-on: #1
Reviewed-by: Chris Farhood <3+cpfarhood@noreply.git.farh.net>
2026-05-18 20:10:48 +00:00
Chris Farhood ff32ec85c5 chore: move .github folder to .gitea for Gitea compatibility
CI / Type-check & lint (pull_request) Successful in 15s
CI / Build & push worker image (pull_request) Has been skipped
CI / Build & push API image (pull_request) Has been skipped
Gitea prefers .gitea/ISSUE_TEMPLATE/ and .gitea/workflows/ over the
GitHub-convention .github/ equivalents. Moves all issue templates and
workflow files to the Gitea-native paths and updates CLAUDE.md references.

Cosign certificate identity paths in release/rollback workflows are
intentionally left unchanged — they reference the signing identity from
prior workflow runs and will need a separate update when the CI signing
infrastructure migrates.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-18 15:56:05 +00:00
Chris Farhood 48c0351be3 ci: switch back to REGISTRY_TOKEN PAT for registry auth
CI / Type-check & lint (push) Successful in 15s
CI / Build & push API image (push) Successful in 1m2s
CI / Build & push worker image (push) Successful in 3m6s
Even on Gitea 1.26 the auto-token still hits the registry with 401
in this environment. Use the gitea-admin PAT stored as REGISTRY_TOKEN.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 21:09:46 -04:00
Chris Farhood 5c7e4d45d4 ci: revert to auto GITEA_TOKEN for registry auth
CI / Type-check & lint (push) Successful in 15s
CI / Build & push worker image (push) Failing after 8s
CI / Build & push API image (push) Failing after 8s
Gitea 1.26 (PR #36173) honors permissions.packages: write on the
auto-provided GITEA_TOKEN, so the PAT workaround is no longer needed.
You can delete the REGISTRY_TOKEN org secret.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 21:02:41 -04:00
Chris Farhood 8fe637e0e2 ci: pin registry login username to gitea-admin
CI / Type-check & lint (push) Successful in 15s
CI / Build & push worker image (push) Failing after 7s
CI / Build & push API image (push) Failing after 8s
REGISTRY_TOKEN was created under the gitea-admin user, so the
docker/helm registry username must match. Using github.actor
would fail for any other workflow-triggering user.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 20:40:28 -04:00
Chris Farhood f3d73c9160 ci: use REGISTRY_TOKEN PAT for container registry auth
CI / Type-check & lint (push) Successful in 52s
CI / Build & push worker image (push) Failing after 1m50s
CI / Build & push API image (push) Failing after 1m50s
The auto-provided GITEA_TOKEN doesn't grant write:package scope
in Gitea 1.25 even when permissions.packages: write is declared.
Switch registry logins to a dedicated PAT stored as REGISTRY_TOKEN.
Keep GITEA_TOKEN for semantic-release-gitea API calls.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 20:35:51 -04:00
Chris Farhood a6da45f6bf ci: trigger workflow re-run
CI / Type-check & lint (push) Successful in 1m8s
CI / Build & push worker image (push) Failing after 2m11s
CI / Build & push API image (push) Failing after 2m11s
2026-05-16 19:49:54 -04:00
Chris Farhood 547d8ae314 ci: trigger workflow re-run
CI / Build & push API image (push) Failing after 1m39s
CI / Type-check & lint (push) Successful in 1m10s
CI / Build & push worker image (push) Failing after 1m38s
2026-05-16 19:36:42 -04:00
Chris Farhood 1a874724c2 ci: trigger workflow re-run
CI / Type-check & lint (push) Successful in 1m12s
CI / Build & push API image (push) Failing after 2m15s
CI / Build & push worker image (push) Failing after 2m15s
2026-05-16 19:11:59 -04:00
Chris Farhood 262a8be326 ci: migrate from GitHub Actions to Gitea Actions
Helm Chart Release / Lint, package & push OCI (push) Failing after 12s
CI / Type-check & lint (push) Failing after 37s
CI / Build & push API image (push) Has been skipped
CI / Build & push worker image (push) Has been skipped
Move workflows to .gitea/workflows and adapt for git.farh.net:
- Push container images to git.farh.net instead of GHCR/Docker Hub
- Publish Helm chart as OCI artifact (no gh-pages, Gitea lacks Pages)
- Replace cosign keyless signing with key-based (COSIGN_PRIVATE_KEY/PASSWORD/PUBLIC_KEY)
- Swap @semantic-release/github for semantic-release-gitea
- Drop gh CLI from rollback workflow
- Use GITEA_TOKEN for registry auth and release creation
- Add Artifact Hub annotations to Chart.yaml
- Run on ubuntu-latest

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 18:55:32 -04:00
31 changed files with 394 additions and 394 deletions
-1
View File
@@ -135,7 +135,6 @@ shannon <URL> <REPO> --pipeline-testing
|-------------------|---------|------------| |-------------------|---------|------------|
| `config` | Configuration file issues | No | | `config` | Configuration file issues | No |
| `network` | Connection/timeout issues | Yes | | `network` | Connection/timeout issues | Yes |
| `tool` | External tool (nmap, etc.) failed | Yes |
| `prompt` | Claude SDK/API issues | Sometimes | | `prompt` | Claude SDK/API issues | Sometimes |
| `filesystem` | File read/write errors | Sometimes | | `filesystem` | File read/write errors | Sometimes |
| `validation` | Deliverable validation failed | Yes (via retry) | | `validation` | Deliverable validation failed | Yes (via retry) |
+6 -3
View File
@@ -4,6 +4,9 @@
# Recommended output token configuration for larger tool outputs # Recommended output token configuration for larger tool outputs
CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000 CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000
# Adaptive thinking is enabled automatically on Opus 4.6/4.7. Set to false to disable.
# CLAUDE_ADAPTIVE_THINKING=false
# ============================================================================= # =============================================================================
# OPTION 1: Direct Anthropic # OPTION 1: Direct Anthropic
# ============================================================================= # =============================================================================
@@ -26,7 +29,7 @@ ANTHROPIC_API_KEY=your-api-key-here
# Optional for direct Anthropic and custom base URL modes. Required for Bedrock/Vertex. # Optional for direct Anthropic and custom base URL modes. Required for Bedrock/Vertex.
# ANTHROPIC_SMALL_MODEL=... # Small tier (default: claude-haiku-4-5-20251001) # ANTHROPIC_SMALL_MODEL=... # Small tier (default: claude-haiku-4-5-20251001)
# ANTHROPIC_MEDIUM_MODEL=... # Medium tier (default: claude-sonnet-4-6) # ANTHROPIC_MEDIUM_MODEL=... # Medium tier (default: claude-sonnet-4-6)
# ANTHROPIC_LARGE_MODEL=... # Large tier (default: claude-opus-4-6) # ANTHROPIC_LARGE_MODEL=... # Large tier (default: claude-opus-4-7)
# ============================================================================= # =============================================================================
# OPTION 3: AWS Bedrock # OPTION 3: AWS Bedrock
@@ -36,7 +39,7 @@ ANTHROPIC_API_KEY=your-api-key-here
# Example Bedrock model IDs for us-east-1: # Example Bedrock model IDs for us-east-1:
# ANTHROPIC_SMALL_MODEL=us.anthropic.claude-haiku-4-5-20251001-v1:0 # ANTHROPIC_SMALL_MODEL=us.anthropic.claude-haiku-4-5-20251001-v1:0
# ANTHROPIC_MEDIUM_MODEL=us.anthropic.claude-sonnet-4-6 # ANTHROPIC_MEDIUM_MODEL=us.anthropic.claude-sonnet-4-6
# ANTHROPIC_LARGE_MODEL=us.anthropic.claude-opus-4-6 # ANTHROPIC_LARGE_MODEL=us.anthropic.claude-opus-4-7
# CLAUDE_CODE_USE_BEDROCK=1 # CLAUDE_CODE_USE_BEDROCK=1
# AWS_REGION=us-east-1 # AWS_REGION=us-east-1
@@ -52,7 +55,7 @@ ANTHROPIC_API_KEY=your-api-key-here
# Example Vertex AI model IDs: # Example Vertex AI model IDs:
# ANTHROPIC_SMALL_MODEL=claude-haiku-4-5@20251001 # ANTHROPIC_SMALL_MODEL=claude-haiku-4-5@20251001
# ANTHROPIC_MEDIUM_MODEL=claude-sonnet-4-6 # ANTHROPIC_MEDIUM_MODEL=claude-sonnet-4-6
# ANTHROPIC_LARGE_MODEL=claude-opus-4-6 # ANTHROPIC_LARGE_MODEL=claude-opus-4-7
# CLAUDE_CODE_USE_VERTEX=1 # CLAUDE_CODE_USE_VERTEX=1
# CLOUD_ML_REGION=us-east5 # CLOUD_ML_REGION=us-east5
@@ -16,7 +16,7 @@ concurrency:
jobs: jobs:
check: check:
name: Type-check & lint name: Type-check & lint
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -43,7 +43,7 @@ jobs:
name: Build & push worker image name: Build & push worker image
needs: check needs: check
if: github.event_name == 'push' && github.ref == 'refs/heads/main' if: github.event_name == 'push' && github.ref == 'refs/heads/main'
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
packages: write packages: write
@@ -55,12 +55,12 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to GHCR - name: Log in to Gitea registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
registry: ghcr.io registry: git.farh.net
username: ${{ github.actor }} username: gitea-admin
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push worker image - name: Build and push worker image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -68,14 +68,14 @@ jobs:
context: . context: .
push: true push: true
tags: | tags: |
ghcr.io/farhoodlabs/trebuchet:latest git.farh.net/farhoodlabs/trebuchet:latest
ghcr.io/farhoodlabs/trebuchet:sha-${{ github.sha }} git.farh.net/farhoodlabs/trebuchet:sha-${{ github.sha }}
build-api: build-api:
name: Build & push API image name: Build & push API image
needs: check needs: check
if: github.event_name == 'push' && github.ref == 'refs/heads/main' if: github.event_name == 'push' && github.ref == 'refs/heads/main'
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
packages: write packages: write
@@ -87,12 +87,12 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to GHCR - name: Log in to Gitea registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
registry: ghcr.io registry: git.farh.net
username: ${{ github.actor }} username: gitea-admin
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push API image - name: Build and push API image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -102,5 +102,5 @@ jobs:
push: true push: true
no-cache: true no-cache: true
tags: | tags: |
ghcr.io/farhoodlabs/trebuchet-api:latest git.farh.net/farhoodlabs/trebuchet-api:latest
ghcr.io/farhoodlabs/trebuchet-api:sha-${{ github.sha }} git.farh.net/farhoodlabs/trebuchet-api:sha-${{ github.sha }}
@@ -13,7 +13,7 @@ concurrency:
jobs: jobs:
preflight: preflight:
name: Preflight name: Preflight
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
outputs: outputs:
version: ${{ steps.version.outputs.version }} version: ${{ steps.version.outputs.version }}
@@ -35,7 +35,6 @@ jobs:
if [[ -z "$LATEST" ]]; then if [[ -z "$LATEST" ]]; then
echo "version=1.0.0-beta.1" >> "$GITHUB_OUTPUT" echo "version=1.0.0-beta.1" >> "$GITHUB_OUTPUT"
else else
# Extract N from 1.0.0-beta.N and increment
N=$(echo "$LATEST" | grep -oE 'beta\.([0-9]+)' | grep -oE '[0-9]+') N=$(echo "$LATEST" | grep -oE 'beta\.([0-9]+)' | grep -oE '[0-9]+')
NEXT=$((N + 1)) NEXT=$((N + 1))
echo "version=1.0.0-beta.$NEXT" >> "$GITHUB_OUTPUT" echo "version=1.0.0-beta.$NEXT" >> "$GITHUB_OUTPUT"
@@ -47,9 +46,10 @@ jobs:
build-docker: build-docker:
name: Build Docker (worker) name: Build Docker (worker)
needs: preflight needs: preflight
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
packages: write
steps: steps:
- name: Checkout - name: Checkout
@@ -58,11 +58,12 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Docker Hub - name: Log in to Gitea registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} registry: git.farh.net
password: ${{ secrets.DOCKERHUB_TOKEN }} username: gitea-admin
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push worker image - name: Build and push worker image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -71,14 +72,15 @@ jobs:
push: true push: true
provenance: mode=max provenance: mode=max
sbom: true sbom: true
tags: farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }} tags: git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}
build-docker-api: build-docker-api:
name: Build Docker (API) name: Build Docker (API)
needs: preflight needs: preflight
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
packages: write
steps: steps:
- name: Checkout - name: Checkout
@@ -87,11 +89,12 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Docker Hub - name: Log in to Gitea registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} registry: git.farh.net
password: ${{ secrets.DOCKERHUB_TOKEN }} username: gitea-admin
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push API image - name: Build and push API image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -101,15 +104,15 @@ jobs:
push: true push: true
provenance: mode=max provenance: mode=max
sbom: true sbom: true
tags: farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }} tags: git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}
sign-docker: sign-docker:
name: Sign Docker images name: Sign Docker images
needs: [preflight, build-docker, build-docker-api] needs: [preflight, build-docker, build-docker-api]
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
id-token: write packages: write
outputs: outputs:
worker_digest: ${{ steps.inspect-worker.outputs.digest }} worker_digest: ${{ steps.inspect-worker.outputs.digest }}
api_digest: ${{ steps.inspect-api.outputs.digest }} api_digest: ${{ steps.inspect-api.outputs.digest }}
@@ -118,57 +121,63 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Docker Hub - name: Log in to Gitea registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} registry: git.farh.net
password: ${{ secrets.DOCKERHUB_TOKEN }} username: gitea-admin
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Inspect worker image - name: Inspect worker image
id: inspect-worker id: inspect-worker
run: | run: |
docker buildx imagetools inspect "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}"
DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)" DIGEST="sha256:$(docker buildx imagetools inspect --raw "git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Inspect API image - name: Inspect API image
id: inspect-api id: inspect-api
run: | run: |
docker buildx imagetools inspect "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}"
DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)" DIGEST="sha256:$(docker buildx imagetools inspect --raw "git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Install cosign - name: Install cosign
uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
- name: Sign worker image - name: Sign worker image
run: cosign sign --yes "farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}" env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "git.farh.net/farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
- name: Sign API image - name: Sign API image
run: cosign sign --yes "farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}" env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "git.farh.net/farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
- name: Verify worker image signature - name: Verify worker image signature
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
run: | run: |
sleep 10 sleep 10
cosign verify \ cosign verify --key env://COSIGN_PUBLIC_KEY \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \ "git.farh.net/farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
--certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release-beta.yml@${{ github.ref }} \
"farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
- name: Verify API image signature - name: Verify API image signature
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
run: | run: |
cosign verify \ cosign verify --key env://COSIGN_PUBLIC_KEY \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \ "git.farh.net/farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
--certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release-beta.yml@${{ github.ref }} \
"farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
publish-npm: publish-npm:
name: Publish npm (beta) name: Publish npm (beta)
needs: [preflight, sign-docker] needs: [preflight, sign-docker]
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
id-token: write
steps: steps:
- name: Checkout - name: Checkout
@@ -13,7 +13,7 @@ concurrency:
jobs: jobs:
preflight: preflight:
name: Preflight name: Preflight
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: write contents: write
outputs: outputs:
@@ -42,11 +42,12 @@ jobs:
id: probe id: probe
shell: bash shell: bash
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITEA_URL: https://git.farh.net
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
run: | run: |
set -euo pipefail set -euo pipefail
npx semantic-release@25 --dry-run --no-ci 2>&1 | tee semantic-release.log npx -p semantic-release@25 -p semantic-release-gitea semantic-release --dry-run --no-ci 2>&1 | tee semantic-release.log
if grep -qi "the next release version is" semantic-release.log; then if grep -qi "the next release version is" semantic-release.log; then
echo "should_release=true" >> "$GITHUB_OUTPUT" echo "should_release=true" >> "$GITHUB_OUTPUT"
@@ -60,9 +61,10 @@ jobs:
name: Build Docker (worker) name: Build Docker (worker)
needs: preflight needs: preflight
if: needs.preflight.outputs.should_release == 'true' if: needs.preflight.outputs.should_release == 'true'
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
packages: write
steps: steps:
- name: Checkout - name: Checkout
@@ -71,11 +73,12 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Docker Hub - name: Log in to Gitea registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} registry: git.farh.net
password: ${{ secrets.DOCKERHUB_TOKEN }} username: gitea-admin
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push worker image - name: Build and push worker image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -85,16 +88,17 @@ jobs:
provenance: mode=max provenance: mode=max
sbom: true sbom: true
tags: | tags: |
farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }} git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}
farhoodlabs/trebuchet:latest git.farh.net/farhoodlabs/trebuchet:latest
build-docker-api: build-docker-api:
name: Build Docker (API) name: Build Docker (API)
needs: preflight needs: preflight
if: needs.preflight.outputs.should_release == 'true' if: needs.preflight.outputs.should_release == 'true'
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
packages: write
steps: steps:
- name: Checkout - name: Checkout
@@ -103,11 +107,12 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Docker Hub - name: Log in to Gitea registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} registry: git.farh.net
password: ${{ secrets.DOCKERHUB_TOKEN }} username: gitea-admin
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push API image - name: Build and push API image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -118,16 +123,16 @@ jobs:
provenance: mode=max provenance: mode=max
sbom: true sbom: true
tags: | tags: |
farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }} git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}
farhoodlabs/trebuchet-api:latest git.farh.net/farhoodlabs/trebuchet-api:latest
sign-docker: sign-docker:
name: Sign Docker images name: Sign Docker images
needs: [preflight, build-docker, build-docker-api] needs: [preflight, build-docker, build-docker-api]
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
id-token: write packages: write
outputs: outputs:
worker_digest: ${{ steps.inspect-worker.outputs.digest }} worker_digest: ${{ steps.inspect-worker.outputs.digest }}
api_digest: ${{ steps.inspect-api.outputs.digest }} api_digest: ${{ steps.inspect-api.outputs.digest }}
@@ -136,57 +141,63 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Docker Hub - name: Log in to Gitea registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} registry: git.farh.net
password: ${{ secrets.DOCKERHUB_TOKEN }} username: gitea-admin
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Inspect worker image - name: Inspect worker image
id: inspect-worker id: inspect-worker
run: | run: |
docker buildx imagetools inspect "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}"
DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)" DIGEST="sha256:$(docker buildx imagetools inspect --raw "git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Inspect API image - name: Inspect API image
id: inspect-api id: inspect-api
run: | run: |
docker buildx imagetools inspect "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}"
DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)" DIGEST="sha256:$(docker buildx imagetools inspect --raw "git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Install cosign - name: Install cosign
uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
- name: Sign worker image - name: Sign worker image
run: cosign sign --yes "farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}" env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "git.farh.net/farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
- name: Sign API image - name: Sign API image
run: cosign sign --yes "farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}" env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "git.farh.net/farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
- name: Verify worker image signature - name: Verify worker image signature
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
run: | run: |
sleep 10 sleep 10
cosign verify \ cosign verify --key env://COSIGN_PUBLIC_KEY \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \ "git.farh.net/farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
--certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }} \
"farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
- name: Verify API image signature - name: Verify API image signature
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
run: | run: |
cosign verify \ cosign verify --key env://COSIGN_PUBLIC_KEY \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \ "git.farh.net/farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
--certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }} \
"farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
publish-npm: publish-npm:
name: Publish npm name: Publish npm
needs: [preflight, sign-docker] needs: [preflight, sign-docker]
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
id-token: write
steps: steps:
- name: Checkout - name: Checkout
@@ -226,9 +237,9 @@ jobs:
fi fi
release: release:
name: Create GitHub release name: Create Gitea release
needs: [preflight, publish-npm] needs: [preflight, publish-npm]
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: write contents: write
@@ -250,7 +261,8 @@ jobs:
- name: Install dependencies - name: Install dependencies
run: pnpm install --frozen-lockfile run: pnpm install --frozen-lockfile
- name: Create GitHub release - name: Create Gitea release
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITEA_URL: https://git.farh.net
run: npx semantic-release@25 GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
run: npx -p semantic-release@25 -p semantic-release-gitea semantic-release
@@ -18,7 +18,7 @@ concurrency:
jobs: jobs:
rollback: rollback:
name: Roll back npm beta dist-tag name: Roll back npm beta dist-tag
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
steps: steps:
- name: Validate target version - name: Validate target version
id: target id: target
@@ -17,8 +17,8 @@ concurrency:
jobs: jobs:
rollback: rollback:
name: Roll back npm, Docker, and GitHub release latest name: Roll back npm and Docker latest
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
steps: steps:
- name: Checkout tags - name: Checkout tags
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -74,48 +74,44 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Docker Hub - name: Log in to Gitea registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} registry: git.farh.net
password: ${{ secrets.DOCKERHUB_TOKEN }} username: gitea-admin
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Verify Docker image tag exists - name: Verify Docker image tag exists
run: docker buildx imagetools inspect "farhoodlabs/trebuchet:${{ steps.target.outputs.version }}" run: docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"
- name: Install cosign - name: Install cosign
uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
- name: Verify Docker image signature before rollback - name: Verify Docker image signature before rollback
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
run: | run: |
cosign verify \ cosign verify --key env://COSIGN_PUBLIC_KEY \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \ "git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"
--certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/release.yml@refs/heads/main" \
"farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"
- name: Move Docker latest - name: Move Docker latest
run: | run: |
docker buildx imagetools create \ docker buildx imagetools create \
--tag "farhoodlabs/trebuchet:latest" \ --tag "git.farh.net/farhoodlabs/trebuchet:latest" \
"farhoodlabs/trebuchet:${{ steps.target.outputs.version }}" "git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"
- name: Move npm latest - name: Move npm latest
env: env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm dist-tag add "@trebuchet/cli@${{ steps.target.outputs.version }}" latest run: npm dist-tag add "@trebuchet/cli@${{ steps.target.outputs.version }}" latest
- name: Mark GitHub release as latest
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release edit "v${{ steps.target.outputs.version }}" --latest
- name: Show final npm dist-tags - name: Show final npm dist-tags
env: env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm dist-tag ls @trebuchet/cli run: npm dist-tag ls @trebuchet/cli
- name: Verify Docker latest now points to target - name: Verify Docker latest now points to target
run: docker buildx imagetools inspect "farhoodlabs/trebuchet:latest" run: docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:latest"
- name: Write summary - name: Write summary
run: | run: |
@@ -124,6 +120,9 @@ jobs:
echo "" echo ""
echo "- Target version: \`${{ steps.target.outputs.version }}\`" echo "- Target version: \`${{ steps.target.outputs.version }}\`"
echo "- npm package: \`@trebuchet/cli\`" echo "- npm package: \`@trebuchet/cli\`"
echo "- Docker image: \`farhoodlabs/trebuchet\`" echo "- Docker image: \`git.farh.net/farhoodlabs/trebuchet\`"
echo "- GitHub release: \`v${{ steps.target.outputs.version }}\` marked as latest" echo ""
echo "NOTE: Gitea determines the 'latest' release by date, not a flag."
echo "To re-mark \`v${{ steps.target.outputs.version }}\` as the latest"
echo "release on Gitea, edit the release in the UI to bump its date."
} >> "$GITHUB_STEP_SUMMARY" } >> "$GITHUB_STEP_SUMMARY"
+2
View File
@@ -5,3 +5,5 @@ credentials/
dist/ dist/
repos/ repos/
.turbo/ .turbo/
cosign.key
cosign.pub
+1 -8
View File
@@ -9,13 +9,6 @@
"npmPublish": false "npmPublish": false
} }
], ],
[ "semantic-release-gitea"
"@semantic-release/github",
{
"successCommentCondition": false,
"failCommentCondition": false,
"releasedLabels": false
}
]
] ]
} }
+2 -2
View File
@@ -57,7 +57,7 @@ Durable workflow orchestration with crash recovery, queryable progress, intellig
### Five-Phase Pipeline ### Five-Phase Pipeline
1. **Pre-Recon** (`pre-recon`) — External scans (nmap, subfinder, whatweb) + source code analysis 1. **Pre-Recon** (`pre-recon`) — Source code analysis to build the architectural baseline
2. **Recon** (`recon`) — Attack surface mapping from initial findings 2. **Recon** (`recon`) — Attack surface mapping from initial findings
3. **Vulnerability Analysis** (5 parallel agents) — injection, xss, auth, authz, ssrf 3. **Vulnerability Analysis** (5 parallel agents) — injection, xss, auth, authz, ssrf
4. **Exploitation** (5 parallel agents, conditional) — Exploits confirmed vulnerabilities 4. **Exploitation** (5 parallel agents, conditional) — Exploits confirmed vulnerabilities
@@ -158,7 +158,7 @@ Comments must be **timeless** — no references to this conversation, refactorin
**Config:** `Dockerfile`, `apps/worker/configs/`, `apps/worker/prompts/`, `tsconfig.base.json` (shared compiler options), `turbo.json`, `biome.json` **Config:** `Dockerfile`, `apps/worker/configs/`, `apps/worker/prompts/`, `tsconfig.base.json` (shared compiler options), `turbo.json`, `biome.json`
**CI/CD:** `.github/workflows/ci.yml` (type-check, lint, build & push images to GHCR), `.github/workflows/release.yml` (Docker Hub push + GitHub release, manual dispatch) **CI/CD:** `.gitea/workflows/ci.yml` (type-check, lint, build & push images to GHCR), `.gitea/workflows/release.yml` (Docker Hub push + GitHub release, manual dispatch)
## Package Installation ## Package Installation
+2 -49
View File
@@ -13,44 +13,12 @@ RUN apk update && apk add --no-cache \
curl \ curl \
wget \ wget \
ca-certificates \ ca-certificates \
# Network libraries for Go tools
libpcap-dev \
linux-headers \
# Language runtimes # Language runtimes
go \
nodejs-22 \ nodejs-22 \
npm \ npm \
python3 \
py3-pip \
ruby \
ruby-dev \
# Security tools available in Wolfi
nmap \
# Additional utilities # Additional utilities
bash bash
# Set environment variables for Go
ENV GOPATH=/go
ENV PATH=$GOPATH/bin:/usr/local/go/bin:$PATH
ENV CGO_ENABLED=1
# Create directories
RUN mkdir -p $GOPATH/bin
# Install Go-based security tools
RUN go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@v2.13.0
# Install WhatWeb from release tarball (Ruby-based tool)
RUN curl -sL https://github.com/urbanadventurer/WhatWeb/archive/refs/tags/v0.6.3.tar.gz | tar xz -C /opt && \
mv /opt/WhatWeb-0.6.3 /opt/whatweb && \
chmod +x /opt/whatweb/whatweb && \
gem install addressable -v 2.8.9 && \
echo '#!/bin/bash' > /usr/local/bin/whatweb && \
echo 'cd /opt/whatweb && exec ./whatweb "$@"' >> /usr/local/bin/whatweb && \
chmod +x /usr/local/bin/whatweb
# Install Python-based tools
RUN pip3 install --no-cache-dir schemathesis==4.13.0
# Install pnpm # Install pnpm
RUN npm install -g pnpm@10.33.0 RUN npm install -g pnpm@10.33.0
@@ -84,12 +52,11 @@ RUN apk add --no-cache \
curl \ curl \
ca-certificates \ ca-certificates \
shadow \ shadow \
libpcap \ # Language runtimes (minimal)
nmap \
nodejs-22 \ nodejs-22 \
npm \ npm \
python3 \ python3 \
ruby \ # Chromium browser and dependencies for Playwright
chromium \ chromium \
nss \ nss \
freetype \ freetype \
@@ -104,20 +71,6 @@ RUN apk add --no-cache \
fontconfig \ fontconfig \
|| true || true
# Copy Go binaries from builder
COPY --from=builder /go/bin/subfinder /usr/local/bin/
# Copy WhatWeb from builder
COPY --from=builder /opt/whatweb /opt/whatweb
COPY --from=builder /usr/local/bin/whatweb /usr/local/bin/whatweb
# Install WhatWeb Ruby dependencies in runtime stage
RUN gem install addressable -v 2.8.9
# Copy Python packages from builder
COPY --from=builder /usr/lib/python3.*/site-packages /usr/lib/python3.12/site-packages
COPY --from=builder /usr/bin/schemathesis /usr/bin/
# Create non-root user # Create non-root user
RUN addgroup -g 1001 pentest && \ RUN addgroup -g 1001 pentest && \
adduser -u 1001 -G pentest -s /bin/bash -D pentest adduser -u 1001 -G pentest -s /bin/bash -D pentest
+1 -2
View File
@@ -147,7 +147,7 @@ This phase informs everything downstream. If the codebase uses an ORM with param
## Phase 2: Reconnaissance ## Phase 2: Reconnaissance
Bridges static and dynamic analysis using browser automation. The recon agent correlates code findings with the live application, validating that endpoints actually exist, mapping authentication flows, inventorying input vectors (URL parameters, POST fields, headers, cookies), and documenting the real authorization architecture. This phase may also integrate with infrastructure discovery tools including Nmap, Subfinder, and WhatWeb for network perimeter mapping. Bridges static and dynamic analysis using browser automation. The recon agent correlates code findings with the live application, validating that endpoints actually exist, mapping authentication flows, inventorying input vectors (URL parameters, POST fields, headers, cookies), and documenting the real authorization architecture.
## Phase 3: Vulnerability Analysis ## Phase 3: Vulnerability Analysis
@@ -194,7 +194,6 @@ This correlation means that a data flow vulnerability identified in static analy
- **Fully Autonomous Operation:** Shannon Pro handles complex workflows including 2FA/TOTP logins and SSO (e.g., Sign in with Google) without human intervention. TOTP is handled via a dedicated MCP server tool. - **Fully Autonomous Operation:** Shannon Pro handles complex workflows including 2FA/TOTP logins and SSO (e.g., Sign in with Google) without human intervention. TOTP is handled via a dedicated MCP server tool.
- **White-Box Awareness:** Unlike black-box scanners, Shannon Pro reads the source code to intelligently guide its attack strategy, combining code-level insight with runtime validation. - **White-Box Awareness:** Unlike black-box scanners, Shannon Pro reads the source code to intelligently guide its attack strategy, combining code-level insight with runtime validation.
- **Parallel Processing:** Vulnerability analysis and exploitation phases run concurrently across attack domains, with pipelined parallelism minimizing total execution time. - **Parallel Processing:** Vulnerability analysis and exploitation phases run concurrently across attack domains, with pipelined parallelism minimizing total execution time.
- **Tool Orchestration:** Shannon Pro orchestrates existing security tools (e.g., Schemathesis for API testing, Nmap for network discovery) while adding LLM reasoning to interpret results.
- **Configurable Login Flows:** Authentication configuration specifies login procedures and credentials, which are interpolated into agent prompts for authenticated testing. - **Configurable Login Flows:** Authentication configuration specifies login procedures and credentials, which are interpolated into agent prompts for authenticated testing.
--- ---
+21
View File
@@ -26,6 +26,25 @@ import { displaySplash } from './splash.js';
const __dirname = path.dirname(fileURLToPath(import.meta.url)); const __dirname = path.dirname(fileURLToPath(import.meta.url));
function blockSudo(): void {
const isSudo = !!process.env.SUDO_USER;
const isRoot = process.geteuid?.() === 0;
if (!isSudo && !isRoot) return;
if (isSudo) {
console.error('ERROR: Shannon must not be run with sudo.');
console.error('Re-run this command as your normal user.');
} else {
console.error('ERROR: Shannon must not be run as the root user.');
console.error('Switch to a regular user account and re-run this command.');
}
if (process.platform === 'linux') {
console.error('Configure Docker to run without sudo first:');
console.error('https://docs.docker.com/engine/install/linux-postinstall');
}
process.exit(1);
}
function getVersion(): string { function getVersion(): string {
try { try {
const pkgPath = path.join(__dirname, '..', 'package.json'); const pkgPath = path.join(__dirname, '..', 'package.json');
@@ -179,6 +198,8 @@ function parseStartArgs(argv: string[]): ParsedStartArgs {
// === Main Dispatch === // === Main Dispatch ===
blockSudo();
const args = process.argv.slice(2); const args = process.argv.slice(2);
// Parse --backend flag before command dispatch // Parse --backend flag before command dispatch
+2 -3
View File
@@ -180,17 +180,16 @@ For each root vulnerability in your plan, you will follow this systematic, four-
## **Strategic Tool Usage** ## **Strategic Tool Usage**
Use the right tool for the job to ensure thoroughness. Use the right tool for the job to ensure thoroughness.
- **Use `curl` (Manual Probing) for:** Initial confirmation, simple UNION/Error-based injections, and crafting specific WAF bypasses. - **Use `curl` (Manual Probing) for:** Initial confirmation, simple UNION/Error-based injections, and crafting specific WAF bypasses.
- **Use `sqlmap` (Automation) for:** Time-consuming blind injections, automating enumeration **after** manual confirmation, and as a final step to try a wide range of payloads when manual techniques are failing.
## **Persistence and Effort Allocation** ## **Persistence and Effort Allocation**
Measure your effort using tool calls rather than time to ensure thorough testing: Measure your effort using tool calls rather than time to ensure thorough testing:
- **Initial Confirmation Phase:** Minimum 3 distinct payload attempts per vulnerability before concluding it's not exploitable - **Initial Confirmation Phase:** Minimum 3 distinct payload attempts per vulnerability before concluding it's not exploitable
- **Bypass Attempts:** If a vulnerability appears mitigated, try at least 8-10 different technique variations (encoding, syntax, comment styles, etc.) before concluding it's properly defended - **Bypass Attempts:** If a vulnerability appears mitigated, try at least 8-10 different technique variations (encoding, syntax, comment styles, etc.) before concluding it's properly defended
- **Escalation Trigger:** If manual testing exceeds 10-12 tool calls without progress on a single vulnerability, escalate to automated tools (`sqlmap`) or Task Agent scripting - **Escalation Trigger:** If manual testing exceeds 10-12 tool calls without progress on a single vulnerability, escalate to Task Agent scripting
- **Termination Criteria:** After systematic attempts with multiple different techniques → classify as appropriate level - **Termination Criteria:** After systematic attempts with multiple different techniques → classify as appropriate level
## **Using the Task Agent for Custom Scripting** ## **Using the Task Agent for Custom Scripting**
You must delegate every injection automation task to the Task Agent. Use manual `curl` or `sqlmap` runs for spot checks, then escalate to scripted payload loops handled by the Task Agent. You must delegate every injection automation task to the Task Agent. Use manual `curl` runs for spot checks, then escalate to scripted payload loops handled by the Task Agent.
**TEMPLATE FOR SCRIPTING TASKS (REQUIRED):** **TEMPLATE FOR SCRIPTING TASKS (REQUIRED):**
" "
+1 -2
View File
@@ -36,7 +36,7 @@ Read `.gitignore` and run `git ls-files --others --ignored --exclude-standard --
**Phase Sequence:** **PRE-RECON (You)** → RECON → VULN ANALYSIS (5 agents) → EXPLOITATION (5 agents) → REPORTING **Phase Sequence:** **PRE-RECON (You)** → RECON → VULN ANALYSIS (5 agents) → EXPLOITATION (5 agents) → REPORTING
**Your Input:** External scan results from pre-recon tools (nmap, subfinder, whatweb) **Your Input:** Target application source code in the working directory
**Your Output:** `.shannon/deliverables/pre_recon_deliverable.md` (feeds all subsequent analysis phases) **Your Output:** `.shannon/deliverables/pre_recon_deliverable.md` (feeds all subsequent analysis phases)
**Shared Intelligence:** You create the foundational intelligence baseline that all other agents depend on **Shared Intelligence:** You create the foundational intelligence baseline that all other agents depend on
@@ -71,7 +71,6 @@ You are the **Code Intelligence Gatherer** and **Architectural Foundation Builde
<starting_context> <starting_context>
- You are the **ENTRY POINT** of the comprehensive security assessment - no prior deliverables exist to read - You are the **ENTRY POINT** of the comprehensive security assessment - no prior deliverables exist to read
- External reconnaissance tools have completed and their results are available in the working environment
- The target application source code has been cloned and is ready for analysis in the current directory - The target application source code has been cloned and is ready for analysis in the current directory
- You must create the **foundational intelligence baseline** that all subsequent agents depend on - You must create the **foundational intelligence baseline** that all subsequent agents depend on
- **CRITICAL:** This is the ONLY agent with full source code access - your completeness determines whether vulnerabilities are found - **CRITICAL:** This is the ONLY agent with full source code access - your completeness determines whether vulnerabilities are found
+6 -8
View File
@@ -1,5 +1,5 @@
<role> <role>
You are a world-class Reconnaissance Analyst and Attack Surface Mapper. Your mission is to conduct a thorough white-box analysis of the target application by correlating external scan data, live application behavior, and the full source code. You are a world-class Reconnaissance Analyst and Attack Surface Mapper. Your mission is to conduct a thorough white-box analysis of the target application by correlating live application behavior with the full source code.
</role> </role>
<objective> <objective>
@@ -7,7 +7,7 @@ Your goal is to create a comprehensive, structured map of the application's atta
</objective> </objective>
<starting_context> <starting_context>
Your analysis must begin by reading and fully comprehending the initial intelligence report located at `.shannon/deliverables/pre_recon_deliverable.md`. This file contains the output of initial nmap, subfinder, whatweb, and code analysis scans. This is your only starting information. Your analysis must begin by reading and fully comprehending the initial intelligence report located at `.shannon/deliverables/pre_recon_deliverable.md`. This file contains the initial source code analysis. This is your only starting information.
</starting_context> </starting_context>
<target> <target>
@@ -80,13 +80,13 @@ Please use these tools for the following use cases:
**Phase Sequence:** PRE-RECON (Complete) → **RECONNAISSANCE (You)** → VULN ANALYSIS (5 agents) → EXPLOITATION (5 agents) → FINAL REPORT (next phase) **Phase Sequence:** PRE-RECON (Complete) → **RECONNAISSANCE (You)** → VULN ANALYSIS (5 agents) → EXPLOITATION (5 agents) → FINAL REPORT (next phase)
**Your Input:** `.shannon/deliverables/pre_recon_deliverable.md` (external scan data, initial code analysis) **Your Input:** `.shannon/deliverables/pre_recon_deliverable.md` (initial code analysis)
**Your Output:** `.shannon/deliverables/recon_deliverable.md` (comprehensive attack surface map) **Your Output:** `.shannon/deliverables/recon_deliverable.md` (comprehensive attack surface map)
**Shared Intelligence:** None (you are the first analysis specialist) **Shared Intelligence:** None (you are the first analysis specialist)
**WHAT HAPPENED BEFORE YOU:** **WHAT HAPPENED BEFORE YOU:**
- Pre-reconnaissance agent performed external scans (nmap, subfinder, whatweb) and initial code analysis - Pre-reconnaissance agent performed initial source code analysis
- All attack surfaces, technologies, and entry points were catalogued from external perspective - Attack surfaces, technologies, and entry points were catalogued from the codebase
**WHAT HAPPENS AFTER YOU:** **WHAT HAPPENS AFTER YOU:**
- Injection Analysis specialist will analyze SQL injection and command injection vulnerabilities using your attack surface map - Injection Analysis specialist will analyze SQL injection and command injection vulnerabilities using your attack surface map
@@ -112,7 +112,7 @@ You must follow this methodical four-step process:
1. **Synthesize Initial Data:** 1. **Synthesize Initial Data:**
- Read the entire `.shannon/deliverables/pre_recon_deliverable.md`. - Read the entire `.shannon/deliverables/pre_recon_deliverable.md`.
- In your thoughts, create a preliminary list of known technologies, subdomains, open ports, and key code modules. - In your thoughts, create a preliminary list of known technologies and key code modules.
2. **Interactive Application Exploration:** 2. **Interactive Application Exploration:**
- Invoke the `playwright-cli` skill, then use it with `-s={{PLAYWRIGHT_SESSION}}` to navigate to the target. - Invoke the `playwright-cli` skill, then use it with `-s={{PLAYWRIGHT_SESSION}}` to navigate to the target.
@@ -166,8 +166,6 @@ A brief overview of the application's purpose, core technology stack (e.g., Next
- **Frontend:** [Framework, key libraries, authentication libraries] - **Frontend:** [Framework, key libraries, authentication libraries]
- **Backend:** [Language, framework, key dependencies] - **Backend:** [Language, framework, key dependencies]
- **Infrastructure:** [Hosting provider, CDN, database type] - **Infrastructure:** [Hosting provider, CDN, database type]
- **Identified Subdomains:** [List from subfinder and any others discovered]
- **Open Ports & Services:** [List from nmap and their purpose]
## 3. Authentication & Session Management Flow ## 3. Authentication & Session Management Flow
- **Entry Points:** [e.g., /login, /register, /auth/sso] - **Entry Points:** [e.g., /login, /register, /auth/sso]
+2 -14
View File
@@ -12,7 +12,7 @@ Technical leadership (CTOs, CISOs, Engineering VPs) who need both technical accu
The orchestrator has already concatenated all specialist reports into `comprehensive_security_assessment_report.md`. The orchestrator has already concatenated all specialist reports into `comprehensive_security_assessment_report.md`.
Your task is to: Your task is to:
1. Read this existing concatenated report 1. Read this existing concatenated report
2. Add Executive Summary (vulnerability overview) and Network Reconnaissance (security-relevant scan findings) sections at the top 2. Add an Executive Summary (vulnerability overview) at the top
3. Clean up ALL exploitation evidence sections by removing hallucinated content 3. Clean up ALL exploitation evidence sections by removing hallucinated content
4. Save the modified version back to the same file 4. Save the modified version back to the same file
@@ -72,19 +72,10 @@ MODIFY the existing file `.shannon/deliverables/comprehensive_security_assessmen
**Server-Side Request Forgery (SSRF) Vulnerabilities:** **Server-Side Request Forgery (SSRF) Vulnerabilities:**
{Check for "SSRF Exploitation Evidence" section. Include actually exploited vulnerabilities and those blocked by security controls. Exclude theoretical vulnerabilities requiring internal network access. If vulnerabilities exist, summarize their impact and severity. If section is missing or empty, state: "No SSRF vulnerabilities were found."} {Check for "SSRF Exploitation Evidence" section. Include actually exploited vulnerabilities and those blocked by security controls. Exclude theoretical vulnerabilities requiring internal network access. If vulnerabilities exist, summarize their impact and severity. If section is missing or empty, state: "No SSRF vulnerabilities were found."}
## Network Reconnaissance
{Extract security-relevant findings from automated scanning tools:
- Open ports and exposed services from nmap
- Subdomain discoveries from subfinder that could expand attack surface
- Security headers or misconfigurations detected by whatweb
- Any other security-relevant findings from the automated tools
SKIP stack details - technical leaders know their infrastructure}
2. KEEPING the existing exploitation evidence sections but CLEANING them according to the rules below 2. KEEPING the existing exploitation evidence sections but CLEANING them according to the rules below
3. The final structure should be: 3. The final structure should be:
- Executive Summary (new) - Executive Summary (new)
- Network Reconnaissance (new)
- All existing exploitation evidence sections (cleaned) - All existing exploitation evidence sections (cleaned)
IMPORTANT: Do NOT reorder the existing exploitation evidence sections. Maintain the exact order they appear in the concatenated report. Only remove sections that do not match the defined criteria above. IMPORTANT: Do NOT reorder the existing exploitation evidence sections. Maintain the exact order they appear in the concatenated report. Only remove sections that do not match the defined criteria above.
@@ -93,15 +84,12 @@ IMPORTANT: Do NOT reorder the existing exploitation evidence sections. Maintain
<instructions> <instructions>
1. Read the pre_recon and recon deliverable files to gather security-relevant information: 1. Read the pre_recon and recon deliverable files to gather security-relevant information:
- Focus on findings from automated tools (nmap, subfinder, whatweb) that indicate security risks
- Note exposed services, open ports, subdomains, security misconfigurations
- Skip basic information such as technology stack information (the team knows their own stack) - Skip basic information such as technology stack information (the team knows their own stack)
- Use technical leadership tone - precise but concise - Use technical leadership tone - precise but concise
- Use the current date for the assessment date - Use the current date for the assessment date
2. Create the Executive Summary and Network Reconnaissance content: 2. Create the Executive Summary content:
- Executive Summary: Technical overview with actionable findings for engineering leaders - Executive Summary: Technical overview with actionable findings for engineering leaders
- Network Reconnaissance: Focus on security-relevant discoveries from automated scans
3. Clean the exploitation evidence sections from `.shannon/deliverables/comprehensive_security_assessment_report.md` by applying these rules: 3. Clean the exploitation evidence sections from `.shannon/deliverables/comprehensive_security_assessment_report.md` by applying these rules:
- KEEP these specific section headings: - KEEP these specific section headings:
+3 -1
View File
@@ -18,7 +18,7 @@ import { formatTimestamp } from '../utils/formatting.js';
import { Timer } from '../utils/metrics.js'; import { Timer } from '../utils/metrics.js';
import { createAuditLogger } from './audit-logger.js'; import { createAuditLogger } from './audit-logger.js';
import { dispatchMessage } from './message-handlers.js'; import { dispatchMessage } from './message-handlers.js';
import { type ModelTier, resolveModel } from './models.js'; import { type ModelTier, resolveModel, supportsAdaptiveThinking } from './models.js';
import { detectExecutionContext, formatCompletionMessage, formatErrorOutput } from './output-formatters.js'; import { detectExecutionContext, formatCompletionMessage, formatErrorOutput } from './output-formatters.js';
import { createProgressManager } from './progress-manager.js'; import { createProgressManager } from './progress-manager.js';
@@ -218,6 +218,7 @@ export async function runClaudePrompt(
// 4. Configure SDK options // 4. Configure SDK options
// Model override from providerConfig takes precedence over env-based resolveModel // Model override from providerConfig takes precedence over env-based resolveModel
const model = providerConfig?.modelOverrides?.[modelTier] ?? resolveModel(modelTier); const model = providerConfig?.modelOverrides?.[modelTier] ?? resolveModel(modelTier);
const adaptiveThinking = supportsAdaptiveThinking(model) && process.env.CLAUDE_ADAPTIVE_THINKING !== 'false';
const options = { const options = {
model, model,
maxTurns: 10_000, maxTurns: 10_000,
@@ -226,6 +227,7 @@ export async function runClaudePrompt(
allowDangerouslySkipPermissions: true, allowDangerouslySkipPermissions: true,
settingSources: ['user'] as ('user' | 'project' | 'local')[], settingSources: ['user'] as ('user' | 'project' | 'local')[],
env: sdkEnv, env: sdkEnv,
...(adaptiveThinking && { thinking: { type: 'adaptive' as const } }),
...(outputFormat && { outputFormat }), ...(outputFormat && { outputFormat }),
}; };
+4 -1
View File
@@ -39,7 +39,10 @@ function extractMessageContent(message: AssistantMessage): string {
const messageContent = message.message; const messageContent = message.message;
if (Array.isArray(messageContent.content)) { if (Array.isArray(messageContent.content)) {
return messageContent.content.map((c: ContentBlock) => c.text || JSON.stringify(c)).join('\n'); return messageContent.content
.filter((c: ContentBlock) => c.type !== 'thinking' && c.type !== 'redacted_thinking')
.map((c: ContentBlock) => c.text || JSON.stringify(c))
.join('\n');
} }
return String(messageContent.content); return String(messageContent.content);
+6 -1
View File
@@ -21,7 +21,7 @@ export type ModelTier = 'small' | 'medium' | 'large';
const DEFAULT_MODELS: Readonly<Record<ModelTier, string>> = { const DEFAULT_MODELS: Readonly<Record<ModelTier, string>> = {
small: 'claude-haiku-4-5-20251001', small: 'claude-haiku-4-5-20251001',
medium: 'claude-sonnet-4-6', medium: 'claude-sonnet-4-6',
large: 'claude-opus-4-6', large: 'claude-opus-4-7',
}; };
/** Resolve a model tier to a concrete model ID. */ /** Resolve a model tier to a concrete model ID. */
@@ -35,3 +35,8 @@ export function resolveModel(tier: ModelTier = 'medium'): string {
return process.env.ANTHROPIC_MEDIUM_MODEL || DEFAULT_MODELS.medium; return process.env.ANTHROPIC_MEDIUM_MODEL || DEFAULT_MODELS.medium;
} }
} }
/** Whether a model supports adaptive thinking. Opus 4.6 and 4.7 only. */
export function supportsAdaptiveThinking(model: string): boolean {
return /opus-4-[67]/.test(model);
}
+2
View File
@@ -52,6 +52,8 @@ export interface ToolResultData {
export interface ContentBlock { export interface ContentBlock {
type?: string; type?: string;
text?: string; text?: string;
thinking?: string;
data?: string;
} }
export interface AssistantMessage { export interface AssistantMessage {
+25
View File
@@ -82,6 +82,26 @@ function generateTOTP(secret: string, timeStep: number = 30, digits: number = 6)
return generateHOTP(secret, counter, digits); return generateHOTP(secret, counter, digits);
} }
// === Help ===
function printHelp(): void {
console.log(
`generate-totp - emit a current 6-digit TOTP code for a base32-encoded secret.
Usage:
generate-totp --secret <BASE32>
generate-totp --help
Options:
--secret Base32-encoded TOTP shared secret (characters A-Z, 2-7).
-h, --help Show this help and exit.
Output:
JSON to stdout. On success: {"status":"success","totpCode":"123456","expiresIn":<sec>}.
On error: {"status":"error","message":"...","retryable":false} (exit 1).`,
);
}
// === Argument Parsing === // === Argument Parsing ===
function parseSecret(argv: string[]): string { function parseSecret(argv: string[]): string {
@@ -97,6 +117,11 @@ function parseSecret(argv: string[]): string {
// === Main === // === Main ===
function main(): void { function main(): void {
if (process.argv.includes('--help') || process.argv.includes('-h')) {
printHelp();
return;
}
const secret = parseSecret(process.argv); const secret = parseSecret(process.argv);
if (!secret) { if (!secret) {
@@ -19,6 +19,31 @@ import { mkdirSync, readFileSync, writeFileSync } from 'node:fs';
import { join, resolve } from 'node:path'; import { join, resolve } from 'node:path';
import { DELIVERABLE_FILENAMES, type DeliverableType } from '../types/deliverables.js'; import { DELIVERABLE_FILENAMES, type DeliverableType } from '../types/deliverables.js';
// === Help ===
function printHelp(): void {
const types = Object.keys(DELIVERABLE_FILENAMES).join(', ');
console.log(
`save-deliverable - save a Shannon pentest deliverable under its canonical filename.
Usage:
save-deliverable --type <TYPE> --file-path <path>
save-deliverable --type <TYPE> --content '<text>'
save-deliverable --help
Options:
--type Deliverable type (required). One of:
${types}
--file-path Path of a file whose contents to save (preferred for large content).
--content Inline content string to save.
-h, --help Show this help and exit.
Output:
JSON to stdout. On success: {"status":"success","filepath":"..."}.
On error: {"status":"error","message":"...","retryable":true|false} (exit 1).`,
);
}
// === Argument Parsing === // === Argument Parsing ===
interface ParsedArgs { interface ParsedArgs {
@@ -69,6 +94,11 @@ function saveDeliverableFile(targetDir: string, filename: string, content: strin
// === Main === // === Main ===
function main(): void { function main(): void {
if (process.argv.includes('--help') || process.argv.includes('-h')) {
printHelp();
return;
}
const args = parseArgs(process.argv); const args = parseArgs(process.argv);
// 1. Validate --type // 1. Validate --type
+2 -2
View File
@@ -210,7 +210,7 @@ async function validateCredentials(
// 1. Custom base URL — validate endpoint is reachable via SDK query // 1. Custom base URL — validate endpoint is reachable via SDK query
if (process.env.ANTHROPIC_BASE_URL && process.env.ANTHROPIC_AUTH_TOKEN) { if (process.env.ANTHROPIC_BASE_URL && process.env.ANTHROPIC_AUTH_TOKEN) {
const baseUrl = process.env.ANTHROPIC_BASE_URL; const baseUrl = process.env.ANTHROPIC_BASE_URL;
logger.info(`Validating custom base URL: ${baseUrl}`); logger.info('Validating custom base URL');
try { try {
for await (const message of query({ prompt: 'hi', options: { model: resolveModel('small'), maxTurns: 1 } })) { for await (const message of query({ prompt: 'hi', options: { model: resolveModel('small'), maxTurns: 1 } })) {
@@ -394,7 +394,7 @@ function httpHead(url: string, timeoutMs: number): Promise<number> {
/** Check that the target URL is reachable from inside the container. */ /** Check that the target URL is reachable from inside the container. */
async function validateTargetUrl(targetUrl: string, logger: ActivityLogger): Promise<Result<void, PentestError>> { async function validateTargetUrl(targetUrl: string, logger: ActivityLogger): Promise<Result<void, PentestError>> {
logger.info('Checking target URL reachability...', { targetUrl }); logger.info('Checking target URL reachability...');
// 1. Parse URL // 1. Parse URL
let parsed: URL; let parsed: URL;
+2 -10
View File
@@ -11,7 +11,7 @@
/** /**
* Specific error codes for reliable classification. * Specific error codes for reliable classification.
* *
* ErrorCode provides precision within the coarse 8-category PentestErrorType. * ErrorCode provides precision within the coarse 7-category PentestErrorType.
* Used by classifyErrorForTemporal for code-based classification (preferred) * Used by classifyErrorForTemporal for code-based classification (preferred)
* with string matching as fallback for external errors. * with string matching as fallback for external errors.
*/ */
@@ -47,15 +47,7 @@ export enum ErrorCode {
BILLING_ERROR = 'BILLING_ERROR', BILLING_ERROR = 'BILLING_ERROR',
} }
export type PentestErrorType = export type PentestErrorType = 'config' | 'network' | 'prompt' | 'filesystem' | 'validation' | 'billing' | 'unknown';
| 'config'
| 'network'
| 'tool'
| 'prompt'
| 'filesystem'
| 'validation'
| 'billing'
| 'unknown';
export interface PentestErrorContext { export interface PentestErrorContext {
[key: string]: unknown; [key: string]: unknown;
+21
View File
@@ -4,3 +4,24 @@ description: API-driven AI pentester built on Shannon, deployed as a service on
type: application type: application
version: 0.1.1 version: 0.1.1
appVersion: "1.0.0" appVersion: "1.0.0"
home: https://git.farh.net/farhoodlabs/trebuchet
sources:
- https://git.farh.net/farhoodlabs/trebuchet
maintainers:
- name: farhoodlabs
url: https://git.farh.net/farhoodlabs
keywords:
- security
- pentesting
- ai
- kubernetes
annotations:
artifacthub.io/license: AGPL-3.0
artifacthub.io/links: |
- name: source
url: https://git.farh.net/farhoodlabs/trebuchet
artifacthub.io/images: |
- name: worker
image: git.farh.net/farhoodlabs/trebuchet:latest
- name: api
image: git.farh.net/farhoodlabs/trebuchet-api:latest
+122 -176
View File
@@ -7,8 +7,8 @@ settings:
catalogs: catalogs:
default: default:
'@anthropic-ai/claude-agent-sdk': '@anthropic-ai/claude-agent-sdk':
specifier: ^0.2.38 specifier: ^0.2.114
version: 0.2.76 version: 0.2.140
importers: importers:
@@ -77,7 +77,7 @@ importers:
dependencies: dependencies:
'@anthropic-ai/claude-agent-sdk': '@anthropic-ai/claude-agent-sdk':
specifier: 'catalog:' specifier: 'catalog:'
version: 0.2.76(zod@4.3.6) version: 0.2.140(zod@4.3.6)
'@temporalio/activity': '@temporalio/activity':
specifier: ^1.11.0 specifier: ^1.11.0
version: 1.15.0 version: 1.15.0
@@ -115,12 +115,65 @@ importers:
packages: packages:
'@anthropic-ai/claude-agent-sdk@0.2.76': '@anthropic-ai/claude-agent-sdk-darwin-arm64@0.2.140':
resolution: {integrity: sha512-HZxvnT8ZWkzCnQygaYCA0dl8RSUzuVbxE1YG4ecy6vh4nQbTT36CxUxBy+QVdR12pPQluncC0mCOLhI2918Eaw==} resolution: {integrity: sha512-zEbDsDKeoDO4DzbyX6wBVlcPhLy/gYiCrKzKnxmkOhyNtJBeshgiOTdr+M7WX1xcuI/M/UhEY+B9U6oo884lAQ==}
cpu: [arm64]
os: [darwin]
'@anthropic-ai/claude-agent-sdk-darwin-x64@0.2.140':
resolution: {integrity: sha512-BFJGeZEksvERy7mMJ0mkNAWoMrZOgl6XN/mKPaunGnaC/i+1ykx7xih7e58bRhsrzKzo2mnUrwtjiFyF3MFNRQ==}
cpu: [x64]
os: [darwin]
'@anthropic-ai/claude-agent-sdk-linux-arm64-musl@0.2.140':
resolution: {integrity: sha512-nG7xLL0nKb4ymFVnX0QhSGLoyhh9fuuDpBR+TYz5O4ZQc2RVUMSMqGusqcCNEIGxAKQSVKWCf0WgpCG/edAO9Q==}
cpu: [arm64]
os: [linux]
libc: [musl]
'@anthropic-ai/claude-agent-sdk-linux-arm64@0.2.140':
resolution: {integrity: sha512-FauGGg3zikxrjAUnu+Pso6zD9Qv4Z2+QBiTiZqc12U+x4uoikNsplymUnsJ7MYD9VaTGmLJuZ9pCch0IiKrseQ==}
cpu: [arm64]
os: [linux]
libc: [glibc]
'@anthropic-ai/claude-agent-sdk-linux-x64-musl@0.2.140':
resolution: {integrity: sha512-EZ7VzOGmvft/1ymh2rwts5v3yPnsGGlGrTJlY2Dqnr1ABF43JIhEm1NFYrLnXQWSN74s5Pj8tgkPbYS9x4BhFA==}
cpu: [x64]
os: [linux]
libc: [musl]
'@anthropic-ai/claude-agent-sdk-linux-x64@0.2.140':
resolution: {integrity: sha512-7f627Tq2mIiwFoBYfCKTdEeZSP90r8UOWu/I5DezudTtwtoVl2zRaRCnJ8c4rW+Tzw+xWSfP/pHvR9bTQGXaOw==}
cpu: [x64]
os: [linux]
libc: [glibc]
'@anthropic-ai/claude-agent-sdk-win32-arm64@0.2.140':
resolution: {integrity: sha512-9EOozRF+LTt3UedeJtjJXC8pj9VTAFtPBuB+/YUmcpmDAEH9qcWWknWhf7NDKTapKtBWkNP/387x+18L15MLqg==}
cpu: [arm64]
os: [win32]
'@anthropic-ai/claude-agent-sdk-win32-x64@0.2.140':
resolution: {integrity: sha512-puQyWoYiqosjDEYULWAS/lBJse1vzib0NmQj/bYTirWCbtiUcu6ixKMd4NmLbE+Si/DKTB8XNz6hVZ/KckqeoQ==}
cpu: [x64]
os: [win32]
'@anthropic-ai/claude-agent-sdk@0.2.140':
resolution: {integrity: sha512-Zq2L7YCoTdbxTUi3/soN1axrTqbG7GoKuc6Im8EpkBRdwaY0D1W9+Ux3vAbV/cX8Qk31Vck7DQLZz1lGEArdoQ==}
engines: {node: '>=18.0.0'} engines: {node: '>=18.0.0'}
peerDependencies: peerDependencies:
zod: ^4.0.0 zod: ^4.0.0
'@anthropic-ai/sdk@0.81.0':
resolution: {integrity: sha512-D4K5PvEV6wPiRtVlVsJHIUhHAmOZ6IT/I9rKlTf84gR7GyyAurPJK7z9BOf/AZqC5d1DhYQGJNKRmV+q8dGhgw==}
hasBin: true
peerDependencies:
zod: ^3.25.0 || ^4.0.0
peerDependenciesMeta:
zod:
optional: true
'@babel/generator@8.0.0-rc.2': '@babel/generator@8.0.0-rc.2':
resolution: {integrity: sha512-oCQ1IKPwkzCeJzAPb7Fv8rQ9k5+1sG8mf2uoHiMInPYvkRfrDJxbTIbH51U+jstlkghus0vAi3EBvkfvEsYNLQ==} resolution: {integrity: sha512-oCQ1IKPwkzCeJzAPb7Fv8rQ9k5+1sG8mf2uoHiMInPYvkRfrDJxbTIbH51U+jstlkghus0vAi3EBvkfvEsYNLQ==}
engines: {node: ^20.19.0 || >=22.12.0} engines: {node: ^20.19.0 || >=22.12.0}
@@ -138,6 +191,10 @@ packages:
engines: {node: ^20.19.0 || >=22.12.0} engines: {node: ^20.19.0 || >=22.12.0}
hasBin: true hasBin: true
'@babel/runtime@7.29.2':
resolution: {integrity: sha512-JiDShH45zKHWyGe4ZNVRrCjBz8Nh9TMmZG1kh4QTK8hCBTWBi8Da+i7s1fJw7/lYpM4ccepSNfqzZ/QvABBi5g==}
engines: {node: '>=6.9.0'}
'@babel/types@8.0.0-rc.2': '@babel/types@8.0.0-rc.2':
resolution: {integrity: sha512-91gAaWRznDwSX4E2tZ1YjBuIfnQVOFDCQ2r0Toby0gu4XEbyF623kXLMA8d4ZbCu+fINcrudkmEcwSUHgDDkNw==} resolution: {integrity: sha512-91gAaWRznDwSX4E2tZ1YjBuIfnQVOFDCQ2r0Toby0gu4XEbyF623kXLMA8d4ZbCu+fINcrudkmEcwSUHgDDkNw==}
engines: {node: ^20.19.0 || >=22.12.0} engines: {node: ^20.19.0 || >=22.12.0}
@@ -229,105 +286,6 @@ packages:
peerDependencies: peerDependencies:
hono: ^4 hono: ^4
'@img/sharp-darwin-arm64@0.34.5':
resolution: {integrity: sha512-imtQ3WMJXbMY4fxb/Ndp6HBTNVtWCUI0WdobyheGf5+ad6xX8VIDO8u2xE4qc/fr08CKG/7dDseFtn6M6g/r3w==}
engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
cpu: [arm64]
os: [darwin]
'@img/sharp-darwin-x64@0.34.5':
resolution: {integrity: sha512-YNEFAF/4KQ/PeW0N+r+aVVsoIY0/qxxikF2SWdp+NRkmMB7y9LBZAVqQ4yhGCm/H3H270OSykqmQMKLBhBJDEw==}
engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
cpu: [x64]
os: [darwin]
'@img/sharp-libvips-darwin-arm64@1.2.4':
resolution: {integrity: sha512-zqjjo7RatFfFoP0MkQ51jfuFZBnVE2pRiaydKJ1G/rHZvnsrHAOcQALIi9sA5co5xenQdTugCvtb1cuf78Vf4g==}
cpu: [arm64]
os: [darwin]
'@img/sharp-libvips-darwin-x64@1.2.4':
resolution: {integrity: sha512-1IOd5xfVhlGwX+zXv2N93k0yMONvUlANylbJw1eTah8K/Jtpi15KC+WSiaX/nBmbm2HxRM1gZ0nSdjSsrZbGKg==}
cpu: [x64]
os: [darwin]
'@img/sharp-libvips-linux-arm64@1.2.4':
resolution: {integrity: sha512-excjX8DfsIcJ10x1Kzr4RcWe1edC9PquDRRPx3YVCvQv+U5p7Yin2s32ftzikXojb1PIFc/9Mt28/y+iRklkrw==}
cpu: [arm64]
os: [linux]
libc: [glibc]
'@img/sharp-libvips-linux-arm@1.2.4':
resolution: {integrity: sha512-bFI7xcKFELdiNCVov8e44Ia4u2byA+l3XtsAj+Q8tfCwO6BQ8iDojYdvoPMqsKDkuoOo+X6HZA0s0q11ANMQ8A==}
cpu: [arm]
os: [linux]
libc: [glibc]
'@img/sharp-libvips-linux-x64@1.2.4':
resolution: {integrity: sha512-tJxiiLsmHc9Ax1bz3oaOYBURTXGIRDODBqhveVHonrHJ9/+k89qbLl0bcJns+e4t4rvaNBxaEZsFtSfAdquPrw==}
cpu: [x64]
os: [linux]
libc: [glibc]
'@img/sharp-libvips-linuxmusl-arm64@1.2.4':
resolution: {integrity: sha512-FVQHuwx1IIuNow9QAbYUzJ+En8KcVm9Lk5+uGUQJHaZmMECZmOlix9HnH7n1TRkXMS0pGxIJokIVB9SuqZGGXw==}
cpu: [arm64]
os: [linux]
libc: [musl]
'@img/sharp-libvips-linuxmusl-x64@1.2.4':
resolution: {integrity: sha512-+LpyBk7L44ZIXwz/VYfglaX/okxezESc6UxDSoyo2Ks6Jxc4Y7sGjpgU9s4PMgqgjj1gZCylTieNamqA1MF7Dg==}
cpu: [x64]
os: [linux]
libc: [musl]
'@img/sharp-linux-arm64@0.34.5':
resolution: {integrity: sha512-bKQzaJRY/bkPOXyKx5EVup7qkaojECG6NLYswgktOZjaXecSAeCWiZwwiFf3/Y+O1HrauiE3FVsGxFg8c24rZg==}
engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
cpu: [arm64]
os: [linux]
libc: [glibc]
'@img/sharp-linux-arm@0.34.5':
resolution: {integrity: sha512-9dLqsvwtg1uuXBGZKsxem9595+ujv0sJ6Vi8wcTANSFpwV/GONat5eCkzQo/1O6zRIkh0m/8+5BjrRr7jDUSZw==}
engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
cpu: [arm]
os: [linux]
libc: [glibc]
'@img/sharp-linux-x64@0.34.5':
resolution: {integrity: sha512-MEzd8HPKxVxVenwAa+JRPwEC7QFjoPWuS5NZnBt6B3pu7EG2Ge0id1oLHZpPJdn3OQK+BQDiw9zStiHBTJQQQQ==}
engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
cpu: [x64]
os: [linux]
libc: [glibc]
'@img/sharp-linuxmusl-arm64@0.34.5':
resolution: {integrity: sha512-fprJR6GtRsMt6Kyfq44IsChVZeGN97gTD331weR1ex1c1rypDEABN6Tm2xa1wE6lYb5DdEnk03NZPqA7Id21yg==}
engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
cpu: [arm64]
os: [linux]
libc: [musl]
'@img/sharp-linuxmusl-x64@0.34.5':
resolution: {integrity: sha512-Jg8wNT1MUzIvhBFxViqrEhWDGzqymo3sV7z7ZsaWbZNDLXRJZoRGrjulp60YYtV4wfY8VIKcWidjojlLcWrd8Q==}
engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
cpu: [x64]
os: [linux]
libc: [musl]
'@img/sharp-win32-arm64@0.34.5':
resolution: {integrity: sha512-WQ3AgWCWYSb2yt+IG8mnC6Jdk9Whs7O0gxphblsLvdhSpSTtmu69ZG1Gkb6NuvxsNACwiPV6cNSZNzt0KPsw7g==}
engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
cpu: [arm64]
os: [win32]
'@img/sharp-win32-x64@0.34.5':
resolution: {integrity: sha512-+29YMsqY2/9eFEiW93eqWnuLcWcufowXewwSNIT6UwZdUUCrM3oFjMWH/Z6/TMmb4hlFenmfAVbpWeup2jryCw==}
engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
cpu: [x64]
os: [win32]
'@jridgewell/gen-mapping@0.3.13': '@jridgewell/gen-mapping@0.3.13':
resolution: {integrity: sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA==} resolution: {integrity: sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA==}
@@ -1345,6 +1303,10 @@ packages:
json-parse-even-better-errors@2.3.1: json-parse-even-better-errors@2.3.1:
resolution: {integrity: sha512-xyFwyhro/JEof6Ghe2iz2NcXoj2sloNsWr/XsERDK/oiPCfaNhl5ONfp+jQdAZRQQ0IJWNzH9zIZF7li91kh2w==} resolution: {integrity: sha512-xyFwyhro/JEof6Ghe2iz2NcXoj2sloNsWr/XsERDK/oiPCfaNhl5ONfp+jQdAZRQQ0IJWNzH9zIZF7li91kh2w==}
json-schema-to-ts@3.1.1:
resolution: {integrity: sha512-+DWg8jCJG2TEnpy7kOm/7/AxaYoaRbjVB4LFZLySZlWn8exGs3A4OLJR966cVvU26N7X9TWxl+Jsw7dzAqKT6g==}
engines: {node: '>=16'}
json-schema-traverse@1.0.0: json-schema-traverse@1.0.0:
resolution: {integrity: sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==} resolution: {integrity: sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==}
@@ -1744,6 +1706,9 @@ packages:
resolution: {integrity: sha512-L0Orpi8qGpRG//Nd+H90vFB+3iHnue1zSSGmNOOCh1GLJ7rUKVwV2HvijphGQS2UmhUZewS9VgvxYIdgr+fG1A==} resolution: {integrity: sha512-L0Orpi8qGpRG//Nd+H90vFB+3iHnue1zSSGmNOOCh1GLJ7rUKVwV2HvijphGQS2UmhUZewS9VgvxYIdgr+fG1A==}
hasBin: true hasBin: true
ts-algebra@2.0.0:
resolution: {integrity: sha512-FPAhNPFMrkwz76P7cdjdmiShwMynZYN6SgOujD1urY4oNm80Ou9oMdmbR45LotcKOXoy7wSmHkRFE6Mxbrhefw==}
tsdown@0.21.5: tsdown@0.21.5:
resolution: {integrity: sha512-TlgNhfPioAD6ECCUnZsxcUsXXuPPR4Rrxz3az741kL/M3oGIET4a9GajSNRNRx+jIva73TYUKQybrEPkDYN+fQ==} resolution: {integrity: sha512-TlgNhfPioAD6ECCUnZsxcUsXXuPPR4Rrxz3az741kL/M3oGIET4a9GajSNRNRx+jIva73TYUKQybrEPkDYN+fQ==}
engines: {node: '>=20.19.0'} engines: {node: '>=20.19.0'}
@@ -1933,19 +1898,53 @@ packages:
snapshots: snapshots:
'@anthropic-ai/claude-agent-sdk@0.2.76(zod@4.3.6)': '@anthropic-ai/claude-agent-sdk-darwin-arm64@0.2.140':
optional: true
'@anthropic-ai/claude-agent-sdk-darwin-x64@0.2.140':
optional: true
'@anthropic-ai/claude-agent-sdk-linux-arm64-musl@0.2.140':
optional: true
'@anthropic-ai/claude-agent-sdk-linux-arm64@0.2.140':
optional: true
'@anthropic-ai/claude-agent-sdk-linux-x64-musl@0.2.140':
optional: true
'@anthropic-ai/claude-agent-sdk-linux-x64@0.2.140':
optional: true
'@anthropic-ai/claude-agent-sdk-win32-arm64@0.2.140':
optional: true
'@anthropic-ai/claude-agent-sdk-win32-x64@0.2.140':
optional: true
'@anthropic-ai/claude-agent-sdk@0.2.140(zod@4.3.6)':
dependencies: dependencies:
'@anthropic-ai/sdk': 0.81.0(zod@4.3.6)
'@modelcontextprotocol/sdk': 1.29.0(zod@4.3.6)
zod: 4.3.6 zod: 4.3.6
optionalDependencies: optionalDependencies:
'@img/sharp-darwin-arm64': 0.34.5 '@anthropic-ai/claude-agent-sdk-darwin-arm64': 0.2.140
'@img/sharp-darwin-x64': 0.34.5 '@anthropic-ai/claude-agent-sdk-darwin-x64': 0.2.140
'@img/sharp-linux-arm': 0.34.5 '@anthropic-ai/claude-agent-sdk-linux-arm64': 0.2.140
'@img/sharp-linux-arm64': 0.34.5 '@anthropic-ai/claude-agent-sdk-linux-arm64-musl': 0.2.140
'@img/sharp-linux-x64': 0.34.5 '@anthropic-ai/claude-agent-sdk-linux-x64': 0.2.140
'@img/sharp-linuxmusl-arm64': 0.34.5 '@anthropic-ai/claude-agent-sdk-linux-x64-musl': 0.2.140
'@img/sharp-linuxmusl-x64': 0.34.5 '@anthropic-ai/claude-agent-sdk-win32-arm64': 0.2.140
'@img/sharp-win32-arm64': 0.34.5 '@anthropic-ai/claude-agent-sdk-win32-x64': 0.2.140
'@img/sharp-win32-x64': 0.34.5 transitivePeerDependencies:
- '@cfworker/json-schema'
- supports-color
'@anthropic-ai/sdk@0.81.0(zod@4.3.6)':
dependencies:
json-schema-to-ts: 3.1.1
optionalDependencies:
zod: 4.3.6
'@babel/generator@8.0.0-rc.2': '@babel/generator@8.0.0-rc.2':
dependencies: dependencies:
@@ -1964,6 +1963,8 @@ snapshots:
dependencies: dependencies:
'@babel/types': 8.0.0-rc.2 '@babel/types': 8.0.0-rc.2
'@babel/runtime@7.29.2': {}
'@babel/types@8.0.0-rc.2': '@babel/types@8.0.0-rc.2':
dependencies: dependencies:
'@babel/helper-string-parser': 8.0.0-rc.2 '@babel/helper-string-parser': 8.0.0-rc.2
@@ -2045,68 +2046,6 @@ snapshots:
dependencies: dependencies:
hono: 4.12.12 hono: 4.12.12
'@img/sharp-darwin-arm64@0.34.5':
optionalDependencies:
'@img/sharp-libvips-darwin-arm64': 1.2.4
optional: true
'@img/sharp-darwin-x64@0.34.5':
optionalDependencies:
'@img/sharp-libvips-darwin-x64': 1.2.4
optional: true
'@img/sharp-libvips-darwin-arm64@1.2.4':
optional: true
'@img/sharp-libvips-darwin-x64@1.2.4':
optional: true
'@img/sharp-libvips-linux-arm64@1.2.4':
optional: true
'@img/sharp-libvips-linux-arm@1.2.4':
optional: true
'@img/sharp-libvips-linux-x64@1.2.4':
optional: true
'@img/sharp-libvips-linuxmusl-arm64@1.2.4':
optional: true
'@img/sharp-libvips-linuxmusl-x64@1.2.4':
optional: true
'@img/sharp-linux-arm64@0.34.5':
optionalDependencies:
'@img/sharp-libvips-linux-arm64': 1.2.4
optional: true
'@img/sharp-linux-arm@0.34.5':
optionalDependencies:
'@img/sharp-libvips-linux-arm': 1.2.4
optional: true
'@img/sharp-linux-x64@0.34.5':
optionalDependencies:
'@img/sharp-libvips-linux-x64': 1.2.4
optional: true
'@img/sharp-linuxmusl-arm64@0.34.5':
optionalDependencies:
'@img/sharp-libvips-linuxmusl-arm64': 1.2.4
optional: true
'@img/sharp-linuxmusl-x64@0.34.5':
optionalDependencies:
'@img/sharp-libvips-linuxmusl-x64': 1.2.4
optional: true
'@img/sharp-win32-arm64@0.34.5':
optional: true
'@img/sharp-win32-x64@0.34.5':
optional: true
'@jridgewell/gen-mapping@0.3.13': '@jridgewell/gen-mapping@0.3.13':
dependencies: dependencies:
'@jridgewell/sourcemap-codec': 1.5.5 '@jridgewell/sourcemap-codec': 1.5.5
@@ -3103,6 +3042,11 @@ snapshots:
json-parse-even-better-errors@2.3.1: {} json-parse-even-better-errors@2.3.1: {}
json-schema-to-ts@3.1.1:
dependencies:
'@babel/runtime': 7.29.2
ts-algebra: 2.0.0
json-schema-traverse@1.0.0: {} json-schema-traverse@1.0.0: {}
json-schema-typed@8.0.2: {} json-schema-typed@8.0.2: {}
@@ -3530,6 +3474,8 @@ snapshots:
tree-kill@1.2.2: {} tree-kill@1.2.2: {}
ts-algebra@2.0.0: {}
tsdown@0.21.5(typescript@5.9.3): tsdown@0.21.5(typescript@5.9.3):
dependencies: dependencies:
ansis: 4.2.0 ansis: 4.2.0
+1 -1
View File
@@ -2,4 +2,4 @@ packages:
- "apps/*" - "apps/*"
catalog: catalog:
"@anthropic-ai/claude-agent-sdk": ^0.2.38 "@anthropic-ai/claude-agent-sdk": ^0.2.114