feat: backport run scoping + steerability (Phase 2) #5

Open

Hugh Commit wants to merge 3 commits from far-137/backport-phase-2 into main

pull from: far-137/backport-phase-2

merge into: farhoodlabs:main

farhoodlabs:main

farhoodlabs:far-142/istio-conversion

farhoodlabs:far-138/backport-phase-3

farhoodlabs:far-136/backport-phase-1

farhoodlabs:far-134/remove-mcp-server

farhoodlabs:far-132/helm-chart

farhoodlabs:far-133/move-github-to-gitea

farhoodlabs:gh-pages

Conversation 0 Commits 3 Files Changed 31

+1212 -195

Hugh Commit commented 2026-05-20 00:46:57 +00:00

Member

Copy Link

Copy Source

Summary

Backport of upstream Shannon PRs for config-driven run scoping and steerability:

• #326 — Config-driven run scoping + report filtering

  • code_path-based avoid enforcement in config schema + SDK deny rules
  • Preflight validation for code path rules
  • vuln_classes subset selection and exploit toggle
  • rules_of_engagement free-form operational guidelines
  • Deterministic findings rendering when exploit is disabled
  • Report filtering (min_severity, min_confidence, guidance)
  • Resume scope validation (short-circuit on mismatch)

• #329 — Steer notes for analysis-only mode

  • Per-mode output format builders in queue-schemas.ts
  • Notes field description steers LLM toward defensive context when exploit disabled

New files

• apps/worker/src/ai/settings-writer.ts — Syncs code_path avoid rules to ~/.claude/settings.json
• apps/worker/src/services/findings-renderer.ts — Deterministic findings rendering from queue JSON
• apps/worker/src/utils/glob.ts — Glob matching utility
• apps/worker/prompts/shared/_code-path-rules.txt — Shared partial for code path rules
• apps/worker/prompts/shared/_rules-of-engagement.txt — Shared partial for rules of engagement

Verification

• pnpm run check — passes
• pnpm biome — passes

cc @cpfarhood

## Summary Backport of upstream Shannon PRs for config-driven run scoping and steerability: - **[#326](https://github.com/KeygraphHQ/shannon/pull/326) — Config-driven run scoping + report filtering** - `code_path`-based avoid enforcement in config schema + SDK deny rules - Preflight validation for code path rules - `vuln_classes` subset selection and `exploit` toggle - `rules_of_engagement` free-form operational guidelines - Deterministic findings rendering when exploit is disabled - Report filtering (min_severity, min_confidence, guidance) - Resume scope validation (short-circuit on mismatch) - **[#329](https://github.com/KeygraphHQ/shannon/pull/329) — Steer notes for analysis-only mode** - Per-mode output format builders in queue-schemas.ts - Notes field description steers LLM toward defensive context when exploit disabled ## New files - `apps/worker/src/ai/settings-writer.ts` — Syncs code_path avoid rules to `~/.claude/settings.json` - `apps/worker/src/services/findings-renderer.ts` — Deterministic findings rendering from queue JSON - `apps/worker/src/utils/glob.ts` — Glob matching utility - `apps/worker/prompts/shared/_code-path-rules.txt` — Shared partial for code path rules - `apps/worker/prompts/shared/_rules-of-engagement.txt` — Shared partial for rules of engagement ## Verification - `pnpm run check` — passes - `pnpm biome` — passes cc @cpfarhood

Hugh Commit added 3 commits 2026-05-20 00:46:57 +00:00

feat: backport config-driven run scoping and report filtering ... 85bcb27860

Cherry-pick of upstream Shannon PR #326. Adds vuln_classes subset
selection, exploit toggle, code_path avoid enforcement via SDK deny
rules, deterministic findings rendering when exploit is disabled,
report filtering (min_severity, min_confidence, guidance), and
rules_of_engagement config field.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

feat: backport steer notes for analysis-only mode ... 8944f7b5c0

Cherry-pick of upstream Shannon PR #329. Adds per-mode output format
builders in queue-schemas.ts so the notes field description steers LLM
output toward defensive context when exploit is disabled. Updates
agent-execution to pass the exploit flag through to getOutputFormat.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

style: apply Biome formatting to backported files ... dcfcecfea7

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Some checks are pending

Hide all checks

CI / Type-check & lint (pull_request) Successful in 17s

Details

CI / Build & push worker image (pull_request) Has been skipped

Details

CI / Build & push API image (pull_request) Has been skipped

Details

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin far-137/backport-phase-2:far-137/backport-phase-2

git checkout far-137/backport-phase-2

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

fl_blake (Blake MIddleware) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) flux (Flux CD) admin (Gitea Admin) fl_hugh (Hugh Commit) renovate (Mend Renovate) fl_warren (Warren Bufferpool)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: farhoodlabs/trebuchet#5