Copy disabled (too large)
Download .txt
Showing preview only (16,191K chars total). Download the full file to get everything.
Repository: KeygraphHQ/shannon
Branch: main
Commit: 0d172f5e32ef
Files: 1803
Total size: 33.3 MB
Directory structure:
gitextract_vzznzar8/
├── .claude/
│ └── commands/
│ ├── debug.md
│ ├── pr.md
│ └── review.md
├── .dockerignore
├── .github/
│ ├── ISSUE_TEMPLATE/
│ │ ├── bug_report.yml
│ │ └── feature_request.yml
│ └── workflows/
│ ├── release-beta.yml
│ └── rollback-beta.yml
├── .gitignore
├── CLAUDE.md
├── COVERAGE.md
├── Dockerfile
├── LICENSE
├── README.md
├── SHANNON-PRO.md
├── configs/
│ ├── config-schema.json
│ ├── example-config.yaml
│ └── router-config.json
├── docker-compose.docker.yml
├── docker-compose.yml
├── mcp-server/
│ ├── package.json
│ ├── src/
│ │ ├── index.ts
│ │ ├── tools/
│ │ │ ├── generate-totp.ts
│ │ │ └── save-deliverable.ts
│ │ ├── types/
│ │ │ ├── deliverables.ts
│ │ │ ├── index.ts
│ │ │ └── tool-responses.ts
│ │ ├── utils/
│ │ │ ├── error-formatter.ts
│ │ │ └── file-operations.ts
│ │ └── validation/
│ │ ├── queue-validator.ts
│ │ └── totp-validator.ts
│ └── tsconfig.json
├── package.json
├── prompts/
│ ├── exploit-auth.txt
│ ├── exploit-authz.txt
│ ├── exploit-injection.txt
│ ├── exploit-ssrf.txt
│ ├── exploit-xss.txt
│ ├── pipeline-testing/
│ │ ├── exploit-auth.txt
│ │ ├── exploit-authz.txt
│ │ ├── exploit-injection.txt
│ │ ├── exploit-ssrf.txt
│ │ ├── exploit-xss.txt
│ │ ├── pre-recon-code.txt
│ │ ├── recon.txt
│ │ ├── report-executive.txt
│ │ ├── vuln-auth.txt
│ │ ├── vuln-authz.txt
│ │ ├── vuln-injection.txt
│ │ ├── vuln-ssrf.txt
│ │ └── vuln-xss.txt
│ ├── pre-recon-code.txt
│ ├── recon.txt
│ ├── report-executive.txt
│ ├── shared/
│ │ ├── _exploit-scope.txt
│ │ ├── _rules.txt
│ │ ├── _target.txt
│ │ ├── _vuln-scope.txt
│ │ └── login-instructions.txt
│ ├── vuln-auth.txt
│ ├── vuln-authz.txt
│ ├── vuln-injection.txt
│ ├── vuln-ssrf.txt
│ └── vuln-xss.txt
├── sample-reports/
│ ├── shannon-report-capital-api.md
│ ├── shannon-report-crapi.md
│ └── shannon-report-juice-shop.md
├── shannon
├── src/
│ ├── ai/
│ │ ├── audit-logger.ts
│ │ ├── claude-executor.ts
│ │ ├── message-handlers.ts
│ │ ├── models.ts
│ │ ├── output-formatters.ts
│ │ ├── progress-manager.ts
│ │ ├── router-utils.ts
│ │ └── types.ts
│ ├── audit/
│ │ ├── audit-session.ts
│ │ ├── index.ts
│ │ ├── log-stream.ts
│ │ ├── logger.ts
│ │ ├── metrics-tracker.ts
│ │ ├── utils.ts
│ │ └── workflow-logger.ts
│ ├── config-parser.ts
│ ├── progress-indicator.ts
│ ├── services/
│ │ ├── agent-execution.ts
│ │ ├── config-loader.ts
│ │ ├── container.ts
│ │ ├── error-handling.ts
│ │ ├── exploitation-checker.ts
│ │ ├── git-manager.ts
│ │ ├── index.ts
│ │ ├── preflight.ts
│ │ ├── prompt-manager.ts
│ │ ├── queue-validation.ts
│ │ └── reporting.ts
│ ├── session-manager.ts
│ ├── splash-screen.ts
│ ├── temporal/
│ │ ├── activities.ts
│ │ ├── activity-logger.ts
│ │ ├── client.ts
│ │ ├── shared.ts
│ │ ├── summary-mapper.ts
│ │ ├── worker.ts
│ │ ├── workflow-errors.ts
│ │ ├── workflows.ts
│ │ └── workspaces.ts
│ ├── types/
│ │ ├── activity-logger.ts
│ │ ├── agents.ts
│ │ ├── audit.ts
│ │ ├── config.ts
│ │ ├── errors.ts
│ │ ├── index.ts
│ │ ├── metrics.ts
│ │ └── result.ts
│ └── utils/
│ ├── billing-detection.ts
│ ├── concurrency.ts
│ ├── file-io.ts
│ ├── formatting.ts
│ ├── functional.ts
│ └── metrics.ts
├── tsconfig.json
└── xben-benchmark-results/
├── README.md
├── XBEN-001-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-002-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-003-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-004-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-005-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-006-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-007-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-008-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-009-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-010-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-011-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-012-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-013-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-014-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-015-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-016-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-017-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-018-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-019-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-020-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-021-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-022-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-023-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-024-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-025-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-026-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-027-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-028-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-029-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-030-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-031-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-032-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-033-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-034-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-035-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-036-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-037-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-038-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-039-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-040-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-041-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-042-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-043-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-044-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── authz_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-045-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-046-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-047-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-048-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-049-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-050-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-051-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-052-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-053-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-054-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-055-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-056-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-057-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_architecture_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── context_workflow_authorization_verification.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── vertical_privilege_escalation_verification.md
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-058-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-059-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-060-24/
│ └── deliverables/
│ ├── auth_exploitation_evidence.md
│ └── comprehensive_security_assessment_report.md
├── XBEN-061-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-062-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-063-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-064-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-065-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-066-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-067-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-068-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-069-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-070-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-071-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-072-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-073-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-074-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-075-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-076-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-077-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-078-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-079-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-080-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-081-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-082-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-083-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-084-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-085-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-086-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-087-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-088-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-089-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-090-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-091-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-092-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-093-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-094-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-095-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-096-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-097-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-098-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-099-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-100-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-101-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-102-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-103-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
└── XBEN-104-24/
└── deliverables/
├── auth_analysis_deliverable.md
├── auth_exploitation_evidence.md
├── auth_exploitation_queue.json
├── authz_analysis_deliverable.md
├── authz_exploitation_evidence.md
├── authz_exploitation_queue.json
├── code_analysis_deliverable.md
├── comprehensive_security_assessment_report.md
├── injection_analysis_deliverable.md
├── injection_exploitation_queue.json
├── pre_recon_deliverable.md
├── recon_deliverable.md
├── ssrf_analysis_deliverable.md
├── ssrf_exploitation_queue.json
├── xss_analysis_deliverable.md
└── xss_exploitation_queue.json
================================================
FILE CONTENTS
================================================
================================================
FILE: .claude/commands/debug.md
================================================
---
description: Systematically debug errors using context analysis and structured recovery
---
You are debugging an issue. Follow this structured approach to avoid spinning in circles.
## Step 1: Capture Error Context
- Read the full error message and stack trace
- Identify the layer where the error originated:
- **CLI/Args** - Input validation, path resolution
- **Config Parsing** - YAML parsing, JSON Schema validation (`src/config-parser.ts`)
- **Session Management** - Agent definitions (`src/session-manager.ts`), mutex (`src/utils/concurrency.ts`)
- **DI Container** - Container initialization/lookup (`src/services/container.ts`)
- **Services** - AgentExecutionService, ConfigLoaderService, ExploitationCheckerService, error-handling (`src/services/`)
- **Audit System** - Logging, metrics tracking, atomic writes (`src/audit/`)
- **Claude SDK** - Agent execution, MCP servers, turn handling (`src/ai/claude-executor.ts`)
- **Git Operations** - Checkpoints, rollback, commit (`src/services/git-manager.ts`)
- **Validation** - Deliverable checks, queue validation (`src/services/queue-validation.ts`)
## Step 2: Check Relevant Logs
**Session audit logs:**
```bash
# Find most recent session
ls -lt audit-logs/ | head -5
# Check session metrics and errors
cat audit-logs/<session>/session.json | jq '.errors, .agentMetrics'
# Check agent execution logs
ls -lt audit-logs/<session>/agents/
cat audit-logs/<session>/agents/<latest>.log
```
## Step 3: Trace the Call Path
For Shannon, trace through these layers:
1. **Temporal Client** → `src/temporal/client.ts` - Workflow initiation
2. **Workflow** → `src/temporal/workflows.ts` - Pipeline orchestration
3. **Activities** → `src/temporal/activities.ts` - Thin wrappers: heartbeat, error classification
4. **Container** → `src/services/container.ts` - Per-workflow DI
5. **Services** → `src/services/agent-execution.ts` - Agent lifecycle
6. **Config** → `src/config-parser.ts` via `src/services/config-loader.ts`
7. **Prompts** → `src/services/prompt-manager.ts`
8. **Audit** → `src/audit/audit-session.ts` - Logging facade, metrics tracking
9. **Executor** → `src/ai/claude-executor.ts` - SDK calls, MCP setup, retry logic
10. **Validation** → `src/services/queue-validation.ts` - Deliverable checks
## Step 4: Identify Root Cause
**Common Shannon-specific issues:**
| Symptom | Likely Cause | Fix |
|---------|--------------|-----|
| Agent hangs indefinitely | MCP server crashed, Playwright timeout | Check Playwright logs in `/tmp/playwright-*` |
| "Validation failed: Missing deliverable" | Agent didn't create expected file | Check `deliverables/` dir, review prompt |
| Git checkpoint fails | Uncommitted changes, git lock | Run `git status`, remove `.git/index.lock` |
| "Session limit reached" | Claude API billing limit | Not retryable - check API usage |
| Parallel agents all fail | Shared resource contention | Check mutex usage, stagger startup timing |
| Cost/timing not tracked | Metrics not reloaded before update | Add `metricsTracker.reload()` before updates |
| session.json corrupted | Partial write during crash | Delete and restart, or restore from backup |
| YAML config rejected | Invalid schema or unsafe content | Run through AJV validator manually |
| Prompt variable not replaced | Missing `{{VARIABLE}}` in context | Check `src/services/prompt-manager.ts` interpolation |
| Service returns Err result | Check `ErrorCode` in Result | Trace through `classifyErrorForTemporal()` in `src/services/error-handling.ts` |
| Container not found | `getOrCreateContainer()` not called | Check activity setup code in `src/temporal/activities.ts` |
| ActivityLogger undefined | `createActivityLogger()` not called | Must be called at top of each activity function |
**MCP Server Issues:**
```bash
# Check if Playwright browsers are installed
npx playwright install chromium
# Check MCP server startup (look for connection errors)
grep -i "mcp\|playwright" audit-logs/<session>/agents/*.log
```
**Git State Issues:**
```bash
# Check for uncommitted changes
git status
# Check for git locks
ls -la .git/*.lock
# View recent git operations from Shannon
git reflog | head -10
```
## Step 5: Apply Fix with Retry Limit
- **CRITICAL**: Track consecutive failed attempts
- After **3 consecutive failures** on the same issue, STOP and:
- Summarize what was tried
- Explain what's blocking progress
- Ask the user for guidance or additional context
- After a successful fix, reset the failure counter
## Step 6: Validate the Fix
**For code changes:**
```bash
# Compile TypeScript
npx tsc --noEmit
# Quick validation run
shannon <URL> <REPO> --pipeline-testing
```
**For audit/session issues:**
- Verify `session.json` is valid JSON after fix
- Check that atomic writes complete without errors
- Confirm mutex release in `finally` blocks
**For agent issues:**
- Verify deliverable files are created in correct location
- Check that validation functions return expected results
- Confirm retry logic triggers on appropriate errors
## Anti-Patterns to Avoid
- Don't delete `session.json` without checking if session is active
- Don't modify git state while an agent is running
- Don't retry billing/quota errors (they're not retryable)
- Don't ignore PentestError type - it indicates the error category
- Don't make random changes hoping something works
- Don't fix symptoms without understanding root cause
- Don't bypass mutex protection for "quick fixes"
## Quick Reference: Error Types
`ErrorCode` enum in `src/types/errors.ts` provides finer-grained classification used by `classifyErrorForTemporal()` in `src/services/error-handling.ts`.
| PentestError Type | Meaning | Retryable? |
|-------------------|---------|------------|
| `config` | Configuration file issues | No |
| `network` | Connection/timeout issues | Yes |
| `tool` | External tool (nmap, etc.) failed | Yes |
| `prompt` | Claude SDK/API issues | Sometimes |
| `filesystem` | File read/write errors | Sometimes |
| `validation` | Deliverable validation failed | Yes (via retry) |
| `billing` | API quota/billing limit | No |
| `unknown` | Unexpected error | Depends |
---
Now analyze the error and begin debugging systematically.
================================================
FILE: .claude/commands/pr.md
================================================
---
description: Create a PR to main branch using conventional commit style for the title
---
Create a pull request from the current branch to the `main` branch.
## Arguments
The user may provide issue numbers that this PR fixes: `$ARGUMENTS`
- If provided (e.g., `123` or `123,456`), use these issue numbers
- If not provided, check the branch name for issue numbers (e.g., `fix/123-bug` or `issue-456-feature` → extract `123` or `456`)
- If no issues are found, omit the "Closes" section
## Steps
First, analyze the current branch to understand what changes have been made:
1. Run `git log --oneline -10` to see recent commit history and understand commit style
2. Run `git log main..HEAD --oneline` to see all commits on this branch that will be included in the PR
3. Run `git diff main...HEAD --stat` to see a summary of file changes
4. Run `git branch --show-current` to get the branch name for issue detection (if no explicit issues provided)
Then generate a PR title that:
- Follows conventional commit format (e.g., `fix:`, `feat:`, `chore:`, `refactor:`)
- Is concise and accurately describes the changes
- Matches the style of recent commits in the repository
Generate a PR body with:
- A `## Summary` section using rich bullets with bold action leads
- A `Closes #X` line for each issue number (if any were provided or detected from branch name)
Each Summary bullet must follow this format:
- **Bold action phrase** (imperative verb: "Add X", "Replace Y", "Fix Z") — followed by em dash and a 1-2 sentence conceptual description of what changed and why
- Keep descriptions conceptual — no inline code references (no backticks for function/file names). The diff shows the code
- Use 2-5 bullets, scaling with PR size. Group related changes into single bullets rather than listing every file touched
Example:
```
## Summary
- **Add preflight validation** — validates repo path, config, and credentials before agent execution. Fails fast with actionable errors
- **Replace error strings** — pipe-delimited segments rendered as multi-line blocks with phase context, type, message, and remediation hint
- **Add error classification** — new error codes for repo, auth, and billing failures with proper retry classification
```
Finally, create the PR using the gh CLI:
```
gh pr create --base main --title "<generated title>" --body "$(cat <<'EOF'
## Summary
<rich bullets>
Closes #<issue1>
Closes #<issue2>
EOF
)"
```
Note: Omit the "Closes" lines entirely if no issues are associated with this PR.
IMPORTANT:
- Do NOT include any Claude Code attribution in the PR
- Use the conventional commit prefix that best matches the changes (fix, feat, chore, refactor, docs, etc.)
- The `Closes #X` syntax will automatically close the referenced issues when the PR is merged
================================================
FILE: .claude/commands/review.md
================================================
---
description: Review code changes for Shannon-specific patterns, security, and common mistakes
---
Review the current changes (staged or working directory) with focus on Shannon-specific patterns and common mistakes.
## Step 1: Gather Changes
Run these commands to understand the scope:
```bash
git diff --stat HEAD
git diff HEAD
```
## Step 2: Check Shannon-Specific Patterns
### Error Handling (CRITICAL)
- [ ] **All errors use PentestError** - Never use raw `Error`. Use `new PentestError(message, type, retryable, context)`
- [ ] **Error type is appropriate** - Use correct type: 'config', 'network', 'tool', 'prompt', 'filesystem', 'validation', 'billing', 'unknown'
- [ ] **Retryable flag matches behavior** - If error will be retried, set `retryable: true`
- [ ] **Context includes debugging info** - Add relevant paths, tool names, error codes to context object
- [ ] **Never swallow errors silently** - Always log or propagate errors
- [ ] **Use ErrorCode enum** - Prefer `ErrorCode.CONFIG_INVALID` over string matching for classification
- [ ] **Result<T,E> for service returns** - Services return `Result`, not throw
### Audit System & Concurrency (CRITICAL)
- [ ] **Mutex protection for parallel operations** - Use `sessionMutex.lock()` when updating `session.json` during parallel agent execution
- [ ] **Reload before modify** - Always call `this.metricsTracker.reload()` before updating metrics in mutex block
- [ ] **Atomic writes for session.json** - Use `atomicWrite()` for session metadata, never `fs.writeFile()` directly
- [ ] **Stream drain handling** - Log writes must wait for buffer drain before resolving
- [ ] **Semaphore release in finally** - Git semaphore must be released in `finally` block
### Claude SDK Integration (CRITICAL)
- [ ] **MCP server configuration** - Verify Playwright MCP uses `--isolated` and unique `--user-data-dir`
- [ ] **Prompt variable interpolation** - Check all `{{VARIABLE}}` placeholders are replaced
- [ ] **Turn counting** - Increment `turnCount` on assistant messages, not tool calls
- [ ] **Cost tracking** - Extract cost from final `result` message, track even on failure
- [ ] **API error detection** - Check for "session limit reached" (fatal) vs other errors
### Configuration & Validation (CRITICAL)
- [ ] **FAILSAFE_SCHEMA for YAML** - Never use default schema (prevents code execution)
- [ ] **Security pattern detection** - Check for path traversal (`../`), HTML injection (`<>`), JavaScript URLs
- [ ] **Rule conflict detection** - Rules cannot appear in both `avoid` AND `focus`
- [ ] **Duplicate rule detection** - Same `type:url_path` cannot appear twice
- [ ] **JSON Schema validation before use** - Config must pass AJV validation
### Services Layer & DI Container (CRITICAL)
- [ ] **Business logic in services, not activities** — Activities: heartbeat loop, error classification, container calls only. Domain logic → `src/services/`
- [ ] **Services accept ActivityLogger** — Never import `@temporalio/*` in services. Use `ActivityLogger` interface from `src/types/`
- [ ] **Result type for fallible operations** — Service methods return `Result<T, PentestError>`, unwrap with `isOk()`/`isErr()`. Activities call `executeOrThrow()` at the boundary
- [ ] **Container lifecycle** — `getOrCreateContainer()` at activity start, `removeContainer()` only in workflow cleanup
- [ ] **AuditSession not in container** — Must be passed per-agent call (parallel safety)
### Session & Agent Management (CRITICAL)
- [ ] **Deliverable dependencies respected** - Exploitation agents only run if vulnerability queue exists AND has items
- [ ] **Queue validation before exploitation** - Use `safeValidateQueueAndDeliverable()` to check eligibility
- [ ] **Git checkpoint before agent run** - Create checkpoint for rollback on failure
- [ ] **Git rollback on retry** - Call `rollbackGitWorkspace()` before each retry attempt
- [ ] **Agent prerequisites checked** - Verify prerequisite agents completed before running dependent agent
### Parallel Execution
- [ ] **Promise.allSettled for parallel agents** - Never use `Promise.all` (partial failures should not crash batch)
- [ ] **Staggered startup** - 2-second delay between parallel agent starts to prevent API throttle
- [ ] **Individual retry loops** - Each agent retries independently (3 attempts max)
- [ ] **Results aggregated correctly** - Handle both 'fulfilled' and 'rejected' results from `Promise.allSettled`
## Step 3: TypeScript Safety
### Type Assertions (WARNING)
- [ ] **No double casting** - Never use `as unknown as SomeType` (bypasses type safety)
- [ ] **Validate before casting** - JSON parsed data should be validated (JSON Schema) before `as Type`
- [ ] **Prefer type guards** - Use `instanceof` or property checks instead of assertions where possible
### Null/Undefined Handling
- [ ] **Explicit null checks** - Use `if (x === null || x === undefined)` not truthy checks for critical paths
- [ ] **Nullish coalescing** - Use `??` for null/undefined, not `||` which also catches empty string/0
- [ ] **Optional chaining** - Use `?.` for nested property access on potentially undefined objects
### Imports & Types
- [ ] **Type imports** - Use `import type { ... }` for type-only imports
- [ ] **No implicit any** - All function parameters and returns must have explicit types
- [ ] **Readonly for constants** - Use `Object.freeze()` and `Readonly<>` for immutable data
## Step 4: Security Review
### Defensive Tool Security
- [ ] **No credentials in logs** - Check that passwords, tokens, TOTP secrets are not logged to audit files
- [ ] **Config file size limit** - Ensure 1MB max for config files (DoS prevention)
- [ ] **Safe shell execution** - Command arguments must be escaped/sanitized
### Code Injection Prevention
- [ ] **YAML safe parsing** - FAILSAFE_SCHEMA only
- [ ] **No eval/Function** - Never use dynamic code evaluation
- [ ] **Input validation at boundaries** - URLs, paths validated before use
## Step 5: Common Mistakes to Avoid
### Anti-Patterns Found in Codebase
- [ ] **Catch + re-throw without context** - Don't just `throw error`, wrap with additional context
- [ ] **Silent failures in session loading** - Corrupted session files should warn user, not silently reset
- [ ] **Duplicate retry logic** - Don't implement retry at both caller and callee level
- [ ] **Hardcoded error message matching** - Prefer error codes over regex on error.message
- [ ] **Missing timeout on long operations** - Git operations and API calls should have timeouts
- [ ] **Console.log in services** — Use `ActivityLogger`. Only CLI display code (`client.ts`, `worker.ts`, `output-formatters.ts`) uses console.log
- [ ] **Temporal imports in services** — Services must stay Temporal-agnostic. If you need Temporal APIs, it belongs in activities
### Code Quality
- [ ] **No dead code added** - Remove unused imports, functions, variables
- [ ] **No over-engineering** - Don't add abstractions for single-use operations
- [ ] **Comments only where needed** - Self-documenting code preferred over excessive comments
- [ ] **Consistent file naming** - kebab-case for files (e.g., `queue-validation.ts`)
## Step 6: Provide Feedback
For each issue found:
1. **Location**: File and line number
2. **Issue**: What's wrong and why it matters
3. **Fix**: How to correct it (with code example if helpful)
4. **Severity**: Critical / Warning / Suggestion
### Severity Definitions
- **Critical**: Will cause bugs, crashes, data loss, or security issues
- **Warning**: Code smell, inconsistent pattern, or potential future issue
- **Suggestion**: Style improvement or minor enhancement
Summarize with:
- Total issues by severity
- Overall assessment (Ready to commit / Needs fixes / Needs discussion)
---
Now review the current changes.
================================================
FILE: .dockerignore
================================================
# Node.js
node_modules/
npm-debug.log*
yarn-debug.log*
yarn-error.log*
# Runtime directories
sessions/
deliverables/
xben-benchmark-results/
.claude/
# Git
.git/
.gitignore
.gitattributes
# Development files
*.md
!CLAUDE.md
.DS_Store
Thumbs.db
# IDE files
.vscode/
.idea/
*.swp
*.swo
*~
# Logs
logs/
*.log
# Temporary files
tmp/
temp/
.tmp/
# OS generated files
.DS_Store
.DS_Store?
._*
.Spotlight-V100
.Trashes
ehthumbs.db
Thumbs.db
# Docker files (avoid recursive copying)
Dockerfile*
docker-compose*.yml
.dockerignore
# Test files
test/
tests/
spec/
coverage/
# Documentation (except CLAUDE.md which is needed)
docs/
README.md
LICENSE
CHANGELOG.md
================================================
FILE: .github/ISSUE_TEMPLATE/bug_report.yml
================================================
name: Bug report
description: Create a report to help us improve
title: "[BUG]: "
labels: []
assignees: []
body:
- type: textarea
id: describe-the-bug
attributes:
label: Describe the bug
description: Provide a clear and concise description of the issue.
validations:
required: true
- type: textarea
id: steps-to-reproduce
attributes:
label: Steps to reproduce
value: |
1.
2.
3.
validations:
required: true
- type: textarea
id: expected-behaviour
attributes:
label: Expected behaviour
description: Describe what you expected to happen.
validations:
required: true
- type: textarea
id: actual-behaviour
attributes:
label: Actual behaviour
description: Describe what actually happened.
validations:
required: true
- type: checkboxes
id: pre-submission-checklist
attributes:
label: Pre-submission checklist (required)
options:
- label: I have searched the existing open issues and confirmed this bug has not already been reported.
required: true
- label: I am running the latest released version of `shannon`.
required: true
- type: checkboxes
id: applicable-checklist
attributes:
label: If applicable
options:
- label: I have included relevant error messages, stack traces, or failure details.
- label: I have checked the audit logs and pasted the relevant errors.
- label: I have inspected the failed Temporal workflow run and included the failure reason.
- label: I have included clear steps to reproduce the issue.
- label: I have redacted any sensitive information (tokens, URLs, repo names).
- type: markdown
attributes:
value: |
### Debugging checklist (required)
Please include any **error messages, stack traces, or failure details** you find from the steps below.
Issues without this information may be difficult to triage.
- Check the audit logs at: `./audit-logs/target_url_shannon-123/workflow.log`
Use `grep` or search to identify errors.
Paste the relevant error output below.
- Temporal:
- Open the Temporal UI: http://localhost:8233/namespaces/default/workflows
- Navigate to failed workflow runs
- Open the failed workflow run
- In Event History, click on the failed event
Copy the error message or failure reason here.
- type: textarea
id: debugging-details
attributes:
label: Debugging details
description: Paste any error messages, stack traces, or failure details from the audit logs or Temporal UI.
- type: textarea
id: screenshots
attributes:
label: Screenshots
description: If applicable, add screenshots of the audit logs or Temporal failure details.
- type: markdown
attributes:
value: |
### CLI details
Provide the following information (redact sensitive data such as repository names, URLs, and tokens):
- type: dropdown
id: auth-method
attributes:
label: Authentication method used
options:
- CLAUDE_CODE_OAUTH_TOKEN
- ANTHROPIC_API_KEY
validations:
required: true
- type: input
id: shannon-command
attributes:
label: Full ./shannon command with all flags used (with redactions)
- type: dropdown
id: experimental-models
attributes:
label: Are you using any experimental models or providers other than default Anthropic models?
options:
- "No"
- "Yes"
validations:
required: true
- type: input
id: experimental-model-details
attributes:
label: If Yes, which one (model/provider)?
- type: input
id: os-version
attributes:
label: "OS (with version)"
placeholder: "e.g. macOS 26.2"
validations:
required: true
- type: input
id: docker-version
attributes:
label: "Docker version ('docker -v')"
placeholder: "e.g. 25.0.3"
validations:
required: true
- type: textarea
id: additional-context
attributes:
label: Additional context
description: Add any other context that may help us analyze the root cause.
================================================
FILE: .github/ISSUE_TEMPLATE/feature_request.yml
================================================
name: Feature request
description: Suggest an idea for this project
title: "[FEATURE]: "
labels: []
assignees: []
body:
- type: textarea
id: problem-description
attributes:
label: Is your feature request related to a problem? Please describe.
description: "A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]"
validations:
required: true
- type: textarea
id: desired-solution
attributes:
label: Describe the solution you'd like
description: A clear and concise description of what you want to happen.
validations:
required: true
- type: textarea
id: alternatives-considered
attributes:
label: Describe alternatives you've considered
description: A clear and concise description of any alternative solutions or features you've considered.
- type: textarea
id: additional-context
attributes:
label: Additional context
description: Add any other context or screenshots about the feature request here.
================================================
FILE: .github/workflows/release-beta.yml
================================================
name: Release (Beta)
on:
workflow_dispatch:
permissions:
contents: read
concurrency:
group: release-beta
cancel-in-progress: false
jobs:
preflight:
name: Preflight
runs-on: ubuntu-latest
outputs:
version: ${{ steps.version.outputs.version }}
steps:
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: 24
registry-url: https://registry.npmjs.org
- name: Compute next beta version
id: version
shell: bash
run: |
set -euo pipefail
LATEST=$(npm view "@keygraph/shannon" dist-tags.beta 2>/dev/null || echo "")
if [[ -z "$LATEST" ]]; then
echo "version=1.0.0-beta.1" >> "$GITHUB_OUTPUT"
else
# Extract N from 1.0.0-beta.N and increment
N=$(echo "$LATEST" | grep -oE 'beta\.([0-9]+)' | grep -oE '[0-9]+')
NEXT=$((N + 1))
echo "version=1.0.0-beta.$NEXT" >> "$GITHUB_OUTPUT"
fi
- name: Print version
run: 'echo "Next beta version: ${{ steps.version.outputs.version }}"'
build-docker:
name: Build Docker (${{ matrix.platform }})
needs: preflight
permissions:
contents: read
strategy:
fail-fast: true
matrix:
include:
- platform: linux/amd64
runner: ubuntu-latest
- platform: linux/arm64
runner: ubuntu-24.04-arm
runs-on: ${{ matrix.runner }}
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
- name: Log in to Docker Hub
uses: docker/login-action@v4
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and push by digest
id: build
uses: docker/build-push-action@v7
with:
context: .
platforms: ${{ matrix.platform }}
provenance: mode=max
sbom: true
outputs: type=image,name=keygraph/shannon,push-by-digest=true,name-canonical=true,push=true
- name: Export digest
run: |
mkdir -p /tmp/digests
digest="${{ steps.build.outputs.digest }}"
touch "/tmp/digests/${digest#sha256:}"
- name: Upload digest
uses: actions/upload-artifact@v6
with:
name: digests-${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }}
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1
merge-docker:
name: Push Docker manifests
needs: [preflight, build-docker]
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
outputs:
digest: ${{ steps.inspect.outputs.digest }}
steps:
- name: Download digests
uses: actions/download-artifact@v6
with:
path: /tmp/digests
pattern: digests-*
merge-multiple: true
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
- name: Log in to Docker Hub
uses: docker/login-action@v4
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Create manifest list and push
working-directory: /tmp/digests
run: |
docker buildx imagetools create \
--tag "keygraph/shannon:${{ needs.preflight.outputs.version }}" \
$(printf 'keygraph/shannon@sha256:%s ' *)
- name: Inspect image
id: inspect
run: |
docker buildx imagetools inspect "keygraph/shannon:${{ needs.preflight.outputs.version }}"
DIGEST="sha256:$(docker buildx imagetools inspect --raw "keygraph/shannon:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Install cosign
uses: sigstore/cosign-installer@v4.1.0
- name: Sign Docker image
run: cosign sign --yes "keygraph/shannon@${{ steps.inspect.outputs.digest }}"
- name: Verify Docker image signature
run: |
sleep 10
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release-beta.yml@${{ github.ref }} \
"keygraph/shannon@${{ steps.inspect.outputs.digest }}"
publish-npm:
name: Publish npm (beta)
needs: [preflight, merge-docker]
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Install pnpm
uses: pnpm/action-setup@v4
- name: Configure npm registry
uses: actions/setup-node@v6
with:
node-version: 24
registry-url: https://registry.npmjs.org
cache: 'pnpm'
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Set CLI package version
run: cd apps/cli && npm version "${{ needs.preflight.outputs.version }}" --no-git-tag-version --allow-same-version
- name: Sync lockfile with bumped version
run: pnpm install --lockfile-only
- name: Build CLI
run: pnpm --filter @keygraph/shannon run build
- name: Publish npm package
working-directory: apps/cli
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: |
if npm view "@keygraph/shannon@${{ needs.preflight.outputs.version }}" version 2>/dev/null; then
echo "Version already published, skipping"
else
pnpm publish --access public --no-git-checks --tag beta
fi
================================================
FILE: .github/workflows/rollback-beta.yml
================================================
name: Rollback (Beta)
on:
workflow_dispatch:
inputs:
version:
description: "Beta version to roll back to (example: 1.0.0-beta.2)"
required: true
type: string
permissions:
contents: read
concurrency:
group: rollback-beta-${{ github.event.inputs.version }}
cancel-in-progress: false
jobs:
rollback:
name: Roll back npm beta dist-tag
runs-on: ubuntu-latest
steps:
- name: Validate target version
id: target
shell: bash
env:
RAW_VERSION: ${{ inputs.version }}
run: |
set -euo pipefail
VERSION="${RAW_VERSION#v}"
if ! [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+-beta\.[0-9]+$ ]]; then
echo "Version must be in format X.Y.Z-beta.N (e.g. 1.0.0-beta.2)"
exit 1
fi
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: 24
registry-url: https://registry.npmjs.org
- name: Verify npm package version exists
run: npm view "@keygraph/shannon@${{ steps.target.outputs.version }}" version
- name: Show current npm dist-tags
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm dist-tag ls @keygraph/shannon
- name: Move npm beta tag
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm dist-tag add "@keygraph/shannon@${{ steps.target.outputs.version }}" beta
- name: Show final npm dist-tags
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm dist-tag ls @keygraph/shannon
- name: Write summary
run: |
{
echo "## Rollback beta"
echo ""
echo "- Target version: \`${{ steps.target.outputs.version }}\`"
echo "- npm package: \`@keygraph/shannon\` (beta tag moved)"
} >> "$GITHUB_STEP_SUMMARY"
================================================
FILE: .gitignore
================================================
node_modules/
.env
audit-logs/
credentials/
dist/
repos/
================================================
FILE: CLAUDE.md
================================================
# CLAUDE.md
AI-powered penetration testing agent for defensive security analysis. Automates vulnerability assessment by combining reconnaissance tools with AI-powered code analysis.
## Commands
**Prerequisites:** Docker, Anthropic API key in `.env`
```bash
# Setup
cp .env.example .env && edit .env # Set ANTHROPIC_API_KEY
# Prepare repo (REPO is a folder name inside ./repos/, not an absolute path)
git clone https://github.com/org/repo.git ./repos/my-repo
# or symlink: ln -s /path/to/existing/repo ./repos/my-repo
# Run
./shannon start URL=<url> REPO=my-repo
./shannon start URL=<url> REPO=my-repo CONFIG=./configs/my-config.yaml
# Workspaces & Resume
./shannon start URL=<url> REPO=my-repo WORKSPACE=my-audit # New named workspace
./shannon start URL=<url> REPO=my-repo WORKSPACE=my-audit # Resume (same command)
./shannon start URL=<url> REPO=my-repo WORKSPACE=<auto-name> # Resume auto-named run
./shannon workspaces # List all workspaces
# Monitor
./shannon logs # Real-time worker logs
# Temporal Web UI: http://localhost:8233
# Stop
./shannon stop # Preserves workflow data
./shannon stop CLEAN=true # Full cleanup including volumes
# Build
npm run build
```
**Options:** `CONFIG=<file>` (YAML config), `OUTPUT=<path>` (default: `./audit-logs/`), `WORKSPACE=<name>` (named workspace; auto-resumes if exists), `PIPELINE_TESTING=true` (minimal prompts, 10s retries), `REBUILD=true` (force Docker rebuild), `ROUTER=true` (multi-model routing via [claude-code-router](https://github.com/musistudio/claude-code-router))
## Architecture
### Core Modules
- `src/session-manager.ts` — Agent definitions (`AGENTS` record). Agent types in `src/types/agents.ts`
- `src/config-parser.ts` — YAML config parsing with JSON Schema validation
- `src/ai/claude-executor.ts` — Claude Agent SDK integration with retry logic
- `src/services/` — Business logic layer (Temporal-agnostic). Activities delegate here. Key: `agent-execution.ts`, `error-handling.ts`, `container.ts`
- `src/types/` — Consolidated types: `Result<T,E>`, `ErrorCode`, `AgentName`, `ActivityLogger`, etc.
- `src/utils/` — Shared utilities (file I/O, formatting, concurrency)
### Temporal Orchestration
Durable workflow orchestration with crash recovery, queryable progress, intelligent retry, and parallel execution (5 concurrent agents in vuln/exploit phases).
- `src/temporal/workflows.ts` — Main workflow (`pentestPipelineWorkflow`)
- `src/temporal/activities.ts` — Thin wrappers — heartbeat loop, error classification, container lifecycle. Business logic delegated to `src/services/`
- `src/temporal/activity-logger.ts` — `TemporalActivityLogger` implementation of `ActivityLogger` interface
- `src/temporal/summary-mapper.ts` — Maps `PipelineSummary` to `WorkflowSummary`
- `src/temporal/worker.ts` — Worker entry point
- `src/temporal/client.ts` — CLI client for starting workflows
- `src/temporal/shared.ts` — Types, interfaces, query definitions
### Five-Phase Pipeline
1. **Pre-Recon** (`pre-recon`) — External scans (nmap, subfinder, whatweb) + source code analysis
2. **Recon** (`recon`) — Attack surface mapping from initial findings
3. **Vulnerability Analysis** (5 parallel agents) — injection, xss, auth, authz, ssrf
4. **Exploitation** (5 parallel agents, conditional) — Exploits confirmed vulnerabilities
5. **Reporting** (`report`) — Executive-level security report
### Supporting Systems
- **Configuration** — YAML configs in `configs/` with JSON Schema validation (`config-schema.json`). Supports auth settings, MFA/TOTP, and per-app testing parameters
- **Prompts** — Per-phase templates in `prompts/` with variable substitution (`{{TARGET_URL}}`, `{{CONFIG_CONTEXT}}`). Shared partials in `prompts/shared/` via `src/services/prompt-manager.ts`
- **SDK Integration** — Uses `@anthropic-ai/claude-agent-sdk` with `maxTurns: 10_000` and `bypassPermissions` mode. Playwright MCP for browser automation, TOTP generation via MCP tool. Login flow template at `prompts/shared/login-instructions.txt` supports form, SSO, API, and basic auth
- **Audit System** — Crash-safe append-only logging in `audit-logs/{hostname}_{sessionId}/`. Tracks session metrics, per-agent logs, prompts, and deliverables. WorkflowLogger (`audit/workflow-logger.ts`) provides unified human-readable per-workflow logs, backed by LogStream (`audit/log-stream.ts`) shared stream primitive
- **Deliverables** — Saved to `deliverables/` in the target repo via the `save_deliverable` MCP tool
- **Workspaces & Resume** — Named workspaces via `WORKSPACE=<name>` or auto-named from URL+timestamp. Resume passes `--workspace` to the Temporal client (`src/temporal/client.ts`), which loads `session.json` to detect completed agents. `loadResumeState()` in `src/temporal/activities.ts` validates deliverable existence, restores git checkpoints, and cleans up incomplete deliverables. Workspace listing via `src/temporal/workspaces.ts`
## Development Notes
### Adding a New Agent
1. Define agent in `src/session-manager.ts` (add to `AGENTS` record). `ALL_AGENTS`/`AgentName` types live in `src/types/agents.ts`
2. Create prompt template in `prompts/` (e.g., `vuln-newtype.txt`)
3. Two-layer pattern: add a thin activity wrapper in `src/temporal/activities.ts` (heartbeat + error classification). `AgentExecutionService` in `src/services/agent-execution.ts` handles the agent lifecycle automatically via the `AGENTS` registry
4. Register activity in `src/temporal/workflows.ts` within the appropriate phase
### Modifying Prompts
- Variable substitution: `{{TARGET_URL}}`, `{{CONFIG_CONTEXT}}`, `{{LOGIN_INSTRUCTIONS}}`
- Shared partials in `prompts/shared/` included via `src/services/prompt-manager.ts`
- Test with `PIPELINE_TESTING=true` for fast iteration
### Key Design Patterns
- **Configuration-Driven** — YAML configs with JSON Schema validation
- **Progressive Analysis** — Each phase builds on previous results
- **SDK-First** — Claude Agent SDK handles autonomous analysis
- **Modular Error Handling** — `ErrorCode` enum, `Result<T,E>` for explicit error propagation, automatic retry (3 attempts per agent)
- **Services Boundary** — Activities are thin Temporal wrappers; `src/services/` owns business logic, accepts `ActivityLogger`, returns `Result<T,E>`. No Temporal imports in services
- **DI Container** — Per-workflow in `src/services/container.ts`. `AuditSession` excluded (parallel safety)
### Security
Defensive security tool only. Use only on systems you own or have explicit permission to test.
## Code Style Guidelines
### Clarity Over Brevity
- Optimize for readability, not line count — three clear lines beat one dense expression
- Use descriptive names that convey intent
- Prefer explicit logic over clever one-liners
### Structure
- Keep functions focused on a single responsibility
- Use early returns and guard clauses instead of deep nesting
- Never use nested ternary operators — use if/else or switch
- Extract complex conditions into well-named boolean variables
### TypeScript Conventions
- Use `function` keyword for top-level functions (not arrow functions)
- Explicit return type annotations on exported/top-level functions
- Prefer `readonly` for data that shouldn't be mutated
- `exactOptionalPropertyTypes` is enabled — use spread for optional props, not direct `undefined` assignment
### Avoid
- Combining multiple concerns into a single function to "save lines"
- Dense callback chains when sequential logic is clearer
- Sacrificing readability for DRY — some repetition is fine if clearer
- Abstractions for one-time operations
- Backwards-compatibility shims, deprecated wrappers, or re-exports for removed code — delete the old code, don't preserve it
### Comments
Comments must be **timeless** — no references to this conversation, refactoring history, or the AI.
**Patterns used in this codebase:**
- `/** JSDoc */` — file headers (after license) and exported functions/interfaces
- `// N. Description` — numbered sequential steps inside function bodies. Use when a
function has 3+ distinct phases where at least one isn't immediately obvious from the
code. Each step marks the start of a logical phase. Reference: `AgentExecutionService.execute`
(steps 1-9) and `injectModelIntoReport` (steps 1-5)
- `// === Section ===` — high-level dividers between groups of functions in long files,
or to label major branching/classification blocks (e.g., `// === SPENDING CAP SAFEGUARD ===`).
Not for sequential steps inside function bodies — use numbered steps for that
- `// NOTE:` / `// WARNING:` / `// IMPORTANT:` — gotchas and constraints
**Never:** obvious comments, conversation references ("as discussed"), history ("moved from X")
## Key Files
**Entry Points:** `src/temporal/workflows.ts`, `src/temporal/activities.ts`, `src/temporal/worker.ts`, `src/temporal/client.ts`
**Core Logic:** `src/session-manager.ts`, `src/ai/claude-executor.ts`, `src/config-parser.ts`, `src/services/`, `src/audit/`
**Config:** `shannon` (CLI), `docker-compose.yml`, `configs/`, `prompts/`
## Troubleshooting
- **"Repository not found"** — `REPO` must be a folder name inside `./repos/`, not an absolute path. Clone or symlink your repo there first: `ln -s /path/to/repo ./repos/my-repo`
- **"Temporal not ready"** — Wait for health check or `docker compose logs temporal`
- **Worker not processing** — Check `docker compose ps`
- **Reset state** — `./shannon stop CLEAN=true`
- **Local apps unreachable** — Use `host.docker.internal` instead of `localhost`
- **Missing tools** — Use `PIPELINE_TESTING=true` to skip nmap/subfinder/whatweb (graceful degradation)
- **Container permissions** — On Linux, may need `sudo` for docker commands
================================================
FILE: COVERAGE.md
================================================
# Coverage and Roadmap
A Web Security Testing (WST) checklist is a comprehensive guide that systematically outlines security tests for web applications, covering areas like information gathering, authentication, session management, input validation, and error handling to identify and mitigate vulnerabilities.
The checklist below highlights the specific WST categories and items that our product consistently and reliably addresses. While Shannon's dynamic detection often extends to other areas, we believe in transparency and have only checked the vulnerabilities we are designed to consistently catch. **Our coverage is strategically focused on the WST controls that are applicable to today's Web App technology stacks.**
We are actively working to expand this coverage to provide an even more comprehensive security solution for modern web applications.
## Current Coverage
Shannon currently targets the following classes of *exploitable* vulnerabilities:
- Broken Authentication & Authorization
- SQL Injection (SQLi)
- Command Injection
- Cross-Site Scripting (XSS)
- Server-Side Request Forgery (SSRF)
## What Shannon Does Not Cover
This list is not exhaustive of all potential security risks. Shannon does not, for example, report on issues that it cannot actively exploit, such as the use of vulnerable third-party libraries, weak encryption algorithms, or insecure configurations. These types of static-analysis findings are the focus of our upcoming **Keygraph Code Security (SAST)** product.
## WST Testing Checklist
| Test ID | Test Name | Status |
| --- | --- | --- |
| **WSTG-INFO** | **Information Gathering** | |
| WSTG-INFO-01 | Conduct Search Engine Discovery and Reconnaissance for Information Leakage | |
| WSTG-INFO-02 | Fingerprint Web Server | ✅ |
| WSTG-INFO-03 | Review Webserver Metafiles for Information Leakage | |
| WSTG-INFO-04 | Enumerate Applications on Webserver | |
| WSTG-INFO-05 | Review Webpage Content for Information Leakage | |
| WSTG-INFO-06 | Identify Application Entry Points | ✅ |
| WSTG-INFO-07 | Map Execution Paths Through Application | ✅ |
| WSTG-INFO-08 | Fingerprint Web Application Framework | ✅ |
| WSTG-INFO-09 | Fingerprint Web Application | ✅ |
| WSTG-INFO-10 | Map Application Architecture | ✅ |
| | | |
| **WSTG-CONF** | **Configuration and Deploy Management Testing** | |
| WSTG-CONF-01 | Test Network Infrastructure Configuration | ✅ |
| WSTG-CONF-02 | Test Application Platform Configuration | |
| WSTG-CONF-03 | Test File Extensions Handling for Sensitive Information | |
| WSTG-CONF-04 | Review Old Backup and Unreferenced Files for Sensitive Information | |
| WSTG-CONF-05 | Enumerate Infrastructure and Application Admin Interfaces | |
| WSTG-CONF-06 | Test HTTP Methods | |
| WSTG-CONF-07 | Test HTTP Strict Transport Security | |
| WSTG-CONF-08 | Test RIA Cross Domain Policy | |
| WSTG-CONF-09 | Test File Permission | |
| WSTG-CONF-10 | Test for Subdomain Takeover | ✅ |
| WSTG-CONF-11 | Test Cloud Storage | |
| WSTG-CONF-12 | Testing for Content Security Policy | |
| WSTG-CONF-13 | Test Path Confusion | |
| WSTG-CONF-14 | Test Other HTTP Security Header Misconfigurations | |
| | | |
| **WSTG-IDNT** | **Identity Management Testing** | |
| WSTG-IDNT-01 | Test Role Definitions | ✅ |
| WSTG-IDNT-02 | Test User Registration Process | ✅ |
| WSTG-IDNT-03 | Test Account Provisioning Process | ✅ |
| WSTG-IDNT-04 | Testing for Account Enumeration and Guessable User Account | ✅ |
| WSTG-IDNT-05 | Testing for Weak or Unenforced Username Policy | ✅ |
| | | |
| **WSTG-ATHN** | **Authentication Testing** | |
| WSTG-ATHN-01 | Testing for Credentials Transported over an Encrypted Channel | ✅ |
| WSTG-ATHN-02 | Testing for Default Credentials | ✅ |
| WSTG-ATHN-03 | Testing for Weak Lock Out Mechanism | ✅ |
| WSTG-ATHN-04 | Testing for Bypassing Authentication Schema | ✅ |
| WSTG-ATHN-05 | Testing for Vulnerable Remember Password | |
| WSTG-ATHN-06 | Testing for Browser Cache Weakness | |
| WSTG-ATHN-07 | Testing for Weak Password Policy | ✅ |
| WSTG-ATHN-08 | Testing for Weak Security Question Answer | ✅ |
| WSTG-ATHN-09 | Testing for Weak Password Change or Reset Functionalities | ✅ |
| WSTG-ATHN-10 | Testing for Weaker Authentication in Alternative Channel | ✅ |
| WSTG-ATHN-11 | Testing Multi-Factor Authentication (MFA) | ✅ |
| | | |
| **WSTG-ATHZ** | **Authorization Testing** | |
| WSTG-ATHZ-01 | Testing Directory Traversal File Include | ✅ |
| WSTG-ATHZ-02 | Testing for Bypassing Authorization Schema | ✅ |
| WSTG-ATHZ-03 | Testing for Privilege Escalation | ✅ |
| WSTG-ATHZ-04 | Testing for Insecure Direct Object References | ✅ |
| WSTG-ATHZ-05 | Testing for OAuth Weaknesses | ✅ |
| | | |
| **WSTG-SESS** | **Session Management Testing** | |
| WSTG-SESS-01 | Testing for Session Management Schema | ✅ |
| WSTG-SESS-02 | Testing for Cookies Attributes | ✅ |
| WSTG-SESS-03 | Testing for Session Fixation | ✅ |
| WSTG-SESS-04 | Testing for Exposed Session Variables | |
| WSTG-SESS-05 | Testing for Cross Site Request Forgery | ✅ |
| WSTG-SESS-06 | Testing for Logout Functionality | ✅ |
| WSTG-SESS-07 | Testing Session Timeout | ✅ |
| WSTG-SESS-08 | Testing for Session Puzzling | |
| WSTG-SESS-09 | Testing for Session Hijacking | |
| WSTG-SESS-10 | Testing JSON Web Tokens | ✅ |
| WSTG-SESS-11 | Testing for Concurrent Sessions | |
| | | |
| **WSTG-INPV** | **Input Validation Testing** | |
| WSTG-INPV-01 | Testing for Reflected Cross Site Scripting | ✅ |
| WSTG-INPV-02 | Testing for Stored Cross Site Scripting | ✅ |
| WSTG-INPV-03 | Testing for HTTP Verb Tampering | |
| WSTG-INPV-04 | Testing for HTTP Parameter pollution | |
| WSTG-INPV-05 | Testing for SQL Injection | ✅ |
| WSTG-INPV-06 | Testing for LDAP Injection | |
| WSTG-INPV-07 | Testing for XML Injection | |
| WSTG-INPV-08 | Testing for SSI Injection | |
| WSTG-INPV-09 | Testing for XPath Injection | |
| WSTG-INPV-10 | Testing for IMAP SMTP Injection | |
| WSTG-INPV-11 | Testing for Code Injection | ✅ |
| WSTG-INPV-12 | Testing for Command Injection | ✅ |
| WSTG-INPV-13 | Testing for Format String Injection | |
| WSTG-INPV-14 | Testing for Incubated Vulnerabilities | |
| WSTG-INPV-15 | Testing for HTTP Splitting Smuggling | |
| WSTG-INPV-16 | Testing for HTTP Incoming Requests | |
| WSTG-INPV-17 | Testing for Host Header Injection | |
| WSTG-INPV-18 | Testing for Server-Side Template Injection | ✅ |
| WSTG-INPV-19 | Testing for Server-Side Request Forgery | ✅ |
| WSTG-INPV-20 | Testing for Mass Assignment | |
| | | |
| **WSTG-ERRH** | **Error Handling** | |
| WSTG-ERRH-01 | Testing for Improper Error Handling | |
| WSTG-ERRH-02 | Testing for Stack Traces | |
| | | |
| **WSTG-CRYP** | **Cryptography** | |
| WSTG-CRYP-01 | Testing for Weak Transport Layer Security | ✅ |
| WSTG-CRYP-02 | Testing for Padding Oracle | |
| WSTG-CRYP-03 | Testing for Sensitive Information Sent Via Unencrypted Channels | ✅ |
| WSTG-CRYP-04 | Testing for Weak Encryption | |
| | | |
| **WSTG-BUSLOGIC** | **Business Logic Testing** | |
| WSTG-BUSL-01 | Test Business Logic Data Validation | |
| WSTG-BUSL-02 | Test Ability to Forge Requests | |
| WSTG-BUSL-03 | Test Integrity Checks | |
| WSTG-BUSL-04 | Test for Process Timing | |
| WSTG-BUSL-05 | Test Number of Times a Function Can Be Used Limits | |
| WSTG-BUSL-06 | Testing for the Circumvention of Work Flows | |
| WSTG-BUSL-07 | Test Defenses Against Application Misuse | |
| WSTG-BUSL-08 | Test Upload of Unexpected File Types | |
| WSTG-BUSL-09 | Test Upload of Malicious Files | |
| WSTG-BUSL-10 | Test Payment Functionality | |
| | | |
| **WSTG-CLIENT** | **Client-side Testing** | |
| WSTG-CLNT-01 | Testing for DOM Based Cross Site Scripting | ✅ |
| WSTG-CLNT-02 | Testing for JavaScript Execution | ✅ |
| WSTG-CLNT-03 | Testing for HTML Injection | ✅ |
| WSTG-CLNT-04 | Testing for Client-Side URL Redirect | ✅ |
| WSTG-CLNT-05 | Testing for CSS Injection | |
| WSTG-CLNT-06 | Testing for Client-Side Resource Manipulation | |
| WSTG-CLNT-07 | Test Cross Origin Resource Sharing | |
| WSTG-CLNT-08 | Testing for Cross Site Flashing | |
| WSTG-CLNT-09 | Testing for Clickjacking | |
| WSTG-CLNT-10 | Testing WebSockets | |
| WSTG-CLNT-11 | Test Web Messaging | |
| WSTG-CLNT-12 | Test Browser Storage | ✅ |
| WSTG-CLNT-13 | Testing for Cross Site Script Inclusion | ✅ |
| WSTG-CLNT-14 | Testing for Reverse Tabnabbing | |
| | | |
| **WSTG-APIT** | **API Testing** | |
| WSTG-APIT-01 | API Reconnaissance | ✅ |
| WSTG-APIT-02 | API Broken Object Level Authorization | ✅ |
| WSTG-APIT-99 | Testing GraphQL | ✅ |
| | | |
================================================
FILE: Dockerfile
================================================
#
# Multi-stage Dockerfile for Pentest Agent
# Uses Chainguard Wolfi for minimal attack surface and supply chain security
# Builder stage - Install tools and dependencies
FROM cgr.dev/chainguard/wolfi-base:latest AS builder
# Install system dependencies available in Wolfi
RUN apk update && apk add --no-cache \
# Core build tools
build-base \
git \
curl \
wget \
ca-certificates \
# Network libraries for Go tools
libpcap-dev \
linux-headers \
# Language runtimes
go \
nodejs-22 \
npm \
python3 \
py3-pip \
ruby \
ruby-dev \
# Security tools available in Wolfi
nmap \
# Additional utilities
bash
# Set environment variables for Go
ENV GOPATH=/go
ENV PATH=$GOPATH/bin:/usr/local/go/bin:$PATH
ENV CGO_ENABLED=1
# Create directories
RUN mkdir -p $GOPATH/bin
# Install Go-based security tools
RUN go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# Install WhatWeb from GitHub (Ruby-based tool)
RUN git clone --depth 1 https://github.com/urbanadventurer/WhatWeb.git /opt/whatweb && \
chmod +x /opt/whatweb/whatweb && \
gem install addressable && \
echo '#!/bin/bash' > /usr/local/bin/whatweb && \
echo 'cd /opt/whatweb && exec ./whatweb "$@"' >> /usr/local/bin/whatweb && \
chmod +x /usr/local/bin/whatweb
# Install Python-based tools
RUN pip3 install --no-cache-dir schemathesis
# Runtime stage - Minimal production image
FROM cgr.dev/chainguard/wolfi-base:latest AS runtime
# Install only runtime dependencies
USER root
RUN apk update && apk add --no-cache \
# Core utilities
git \
bash \
curl \
ca-certificates \
# Network libraries (runtime)
libpcap \
# Security tools
nmap \
# Language runtimes (minimal)
nodejs-22 \
npm \
python3 \
ruby \
# Chromium browser and dependencies for Playwright
chromium \
# Additional libraries Chromium needs
nss \
freetype \
harfbuzz \
# X11 libraries for headless browser
libx11 \
libxcomposite \
libxdamage \
libxext \
libxfixes \
libxrandr \
mesa-gbm \
# Font rendering
fontconfig
# Copy Go binaries from builder
COPY --from=builder /go/bin/subfinder /usr/local/bin/
# Copy WhatWeb from builder
COPY --from=builder /opt/whatweb /opt/whatweb
COPY --from=builder /usr/local/bin/whatweb /usr/local/bin/whatweb
# Install WhatWeb Ruby dependencies in runtime stage
RUN gem install addressable
# Copy Python packages from builder
COPY --from=builder /usr/lib/python3.*/site-packages /usr/lib/python3.12/site-packages
COPY --from=builder /usr/bin/schemathesis /usr/bin/
# Create non-root user for security
RUN addgroup -g 1001 pentest && \
adduser -u 1001 -G pentest -s /bin/bash -D pentest
# Set working directory
WORKDIR /app
# Copy package files first for better caching
COPY package*.json ./
COPY mcp-server/package*.json ./mcp-server/
# Install Node.js dependencies (including devDependencies for TypeScript build)
RUN npm ci && \
cd mcp-server && npm ci && cd .. && \
npm cache clean --force
# Copy application source code
COPY . .
# Build TypeScript (mcp-server first, then main project)
RUN cd mcp-server && npm run build && cd .. && npm run build
# Remove devDependencies after build to reduce image size
RUN npm prune --production && \
cd mcp-server && npm prune --production
RUN npm install -g @anthropic-ai/claude-code
# Create directories for session data and ensure proper permissions
RUN mkdir -p /app/sessions /app/deliverables /app/repos /app/configs && \
mkdir -p /tmp/.cache /tmp/.config /tmp/.npm && \
chmod 777 /app && \
chmod 777 /tmp/.cache && \
chmod 777 /tmp/.config && \
chmod 777 /tmp/.npm && \
chown -R pentest:pentest /app
# Switch to non-root user
USER pentest
# Set environment variables
ENV NODE_ENV=production
ENV PATH="/usr/local/bin:$PATH"
ENV SHANNON_DOCKER=true
ENV PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1
ENV PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium-browser
ENV npm_config_cache=/tmp/.npm
ENV HOME=/tmp
ENV XDG_CACHE_HOME=/tmp/.cache
ENV XDG_CONFIG_HOME=/tmp/.config
# Configure Git identity and trust all directories
RUN git config --global user.email "agent@localhost" && \
git config --global user.name "Pentest Agent" && \
git config --global --add safe.directory '*'
# Set entrypoint
ENTRYPOINT ["node", "dist/shannon.js"]
================================================
FILE: LICENSE
================================================
GNU AFFERO GENERAL PUBLIC LICENSE
Version 3, 19 November 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU Affero General Public License is a free, copyleft license for
software and other kinds of works, specifically designed to ensure
cooperation with the community in the case of network server software.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
our General Public Licenses are intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
Developers that use our General Public Licenses protect your rights
with two steps: (1) assert copyright on the software, and (2) offer
you this License which gives you legal permission to copy, distribute
and/or modify the software.
A secondary benefit of defending all users' freedom is that
improvements made in alternate versions of the program, if they
receive widespread use, become available for other developers to
incorporate. Many developers of free software are heartened and
encouraged by the resulting cooperation. However, in the case of
software used on network servers, this result may fail to come about.
The GNU General Public License permits making a modified version and
letting the public access it on a server without ever releasing its
source code to the public.
The GNU Affero General Public License is designed specifically to
ensure that, in such cases, the modified source code becomes available
to the community. It requires the operator of a network server to
provide the source code of the modified version running there to the
users of that server. Therefore, public use of a modified version, on
a publicly accessible server, gives the public access to the source
code of the modified version.
An older license, called the Affero General Public License and
published by Affero, was designed to accomplish similar goals. This is
a different license, not a version of the Affero GPL, but Affero has
released a new version of the Affero GPL which permits relicensing under
this license.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU Affero General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Remote Network Interaction; Use with the GNU General Public License.
Notwithstanding any other provision of this License, if you modify the
Program, your modified version must prominently offer all users
interacting with it remotely through a computer network (if your version
supports such interaction) an opportunity to receive the Corresponding
Source of your version by providing access to the Corresponding Source
from a network server at no charge, through some standard or customary
means of facilitating copying of software. This Corresponding Source
shall include the Corresponding Source for any work covered by version 3
of the GNU General Public License that is incorporated pursuant to the
following paragraph.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the work with which it is combined will remain governed by version
3 of the GNU General Public License.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU Affero General Public License from time to time. Such new versions
will be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU Affero General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU Affero General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU Affero General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If your software can interact with users remotely through a computer
network, you should also make sure that it provides a way for users to
get its source. For example, if your program is a web application, its
interface could display a "Source" link that leads users to an archive
of the code. There are many ways you could offer source, and different
solutions will be better for different programs; see section 13 for the
specific requirements.
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU AGPL, see
<https://www.gnu.org/licenses/>.
================================================
FILE: README.md
================================================
>[!NOTE]
> **[📢 New: Shannon is now available via `npx @keygraph/shannon`. →](https://github.com/KeygraphHQ/shannon/discussions/249)**
<div align="center">
<img src="./assets/github-banner.png" alt="Shannon — AI Pentester for Web Applications and APIs" width="100%">
# Shannon — AI Pentester by Keygraph
<a href="https://trendshift.io/repositories/15604" target="_blank"><img src="https://trendshift.io/api/badge/repositories/15604" alt="KeygraphHQ%2Fshannon | Trendshift" style="width: 250px; height: 55px;" width="250" height="55"/></a>
Shannon is an autonomous, white-box AI pentester for web applications and APIs. <br />
It analyzes your source code, identifies attack vectors, and executes real exploits to prove vulnerabilities before they reach production.
---
<a href="https://github.com/KeygraphHQ/shannon/discussions/categories/announcements"><img src="./assets/announcements.png" height="40" alt="Announcements"></a>
<a href="https://discord.gg/9ZqQPuhJB7"><img src="./assets/discord.png" height="40" alt="Join Discord"></a>
<a href="https://keygraph.io/"><img src="./assets/Keygraph_Button.png" height="40" alt="Visit Keygraph.io"></a>
<a href="https://www.linkedin.com/company/keygraph/"><img src="./assets/linkedin.png" height="40" alt="Follow Us on Linkedin"></a>
---
</div>
## 🎯 What is Shannon?
Shannon is an AI pentester developed by [Keygraph](https://keygraph.io). It performs white-box security testing of web applications and their underlying APIs by combining source code analysis with live exploitation.
Shannon analyzes your web application's source code to identify potential attack vectors, then uses browser automation and command-line tools to execute real exploits (injection attacks, authentication bypass, SSRF, XSS) against the running application and its APIs. Only vulnerabilities with a working proof-of-concept are included in the final report.
**Why Shannon Exists**
Thanks to tools like Claude Code and Cursor, your team ships code non-stop. But your penetration test? That happens once a year. This creates a *massive* security gap. For the other 364 days, you could be unknowingly shipping vulnerabilities to production.
Shannon closes that gap by providing on-demand, automated penetration testing that can run against every build or release.
> [!NOTE]
> **Shannon is part of the Keygraph Security and Compliance Platform**
>
> Keygraph is an integrated security and compliance platform covering IAM, MDM, compliance automation (SOC 2, HIPAA), and application security. Shannon handles the AppSec layer. The broader platform automates evidence collection, audit readiness, and continuous compliance across multiple frameworks.
>
> **[Learn more at keygraph.io](https://keygraph.io)**
## 🎬 Shannon in Action
Shannon identified 20+ vulnerabilities in OWASP Juice Shop, including authentication bypass and database exfiltration. [Full report →](sample-reports/shannon-report-juice-shop.md)
## ✨ Features
- **Fully Autonomous Operation**: A single command launches the full pentest. Shannon handles 2FA/TOTP logins (including SSO), browser navigation, exploitation, and report generation without manual intervention.
- **Reproducible Proof-of-Concept Exploits**: The final report contains only proven, exploitable findings with copy-and-paste PoCs. Vulnerabilities that cannot be exploited are not reported.
- **OWASP Vulnerability Coverage**: Identifies and validates Injection, XSS, SSRF, and Broken Authentication/Authorization, with additional categories in development.
- **Code-Aware Dynamic Testing**: Analyzes source code to guide attack strategy, then validates findings with live browser and CLI-based exploits against the running application.
- **Integrated Security Tooling**: Leverages Nmap, Subfinder, WhatWeb, and Schemathesis during reconnaissance and discovery phases.
- **Parallel Processing**: Vulnerability analysis and exploitation phases run concurrently across all attack categories.
## 📦 Product Line
Shannon is developed by [Keygraph](https://keygraph.io) and available in two editions:
| Edition | License | Best For |
|---------|---------|----------|
| **Shannon Lite** | AGPL-3.0 | Local testing of your own applications. |
| **Shannon Pro** | Commercial | Organizations needing a single AppSec platform (SAST, SCA, secrets, business logic testing, autonomous pentesting) with CI/CD integration and self-hosted deployment. |
> **This repository contains Shannon Lite,** the core autonomous AI pentesting framework. **Shannon Pro** is Keygraph's all-in-one AppSec platform, combining SAST, SCA, secrets scanning, business logic security testing, and autonomous AI pentesting in a single correlated workflow. Every finding is validated with a working proof-of-concept exploit.
> [!IMPORTANT]
> **White-box only.** Shannon Lite is designed for **white-box (source-available)** application security testing.
> It expects access to your application's source code and repository layout.
### Shannon Pro: Architecture Overview
Shannon Pro is an all-in-one application security platform that replaces the need to stitch together separate SAST, SCA, secrets scanning, and pentesting tools. It operates as a two-stage pipeline: agentic static analysis of the codebase, followed by autonomous AI penetration testing. Findings from both stages are cross-referenced and correlated, so every reported vulnerability has a working proof-of-concept exploit and a precise source code location.
**Stage 1: Agentic Static Analysis**
Shannon Pro transforms the codebase into a Code Property Graph (CPG) combining the AST, control flow graph, and program dependence graph. It then runs five analysis capabilities:
- **Data Flow Analysis (SAST)**: Identifies sources (user input, API requests) and sinks (SQL queries, command execution), then traces paths between them. At each node, an LLM evaluates whether the specific sanitization applied is sufficient for the specific vulnerability in context, rather than relying on a hard-coded allowlist of safe functions.
- **Point Issue Detection (SAST)**: LLM-based detection of single-location vulnerabilities: weak cryptography, hardcoded credentials, insecure configuration, missing security headers, weak RNG, disabled certificate validation, and overly permissive CORS.
- **Business Logic Security Testing (SAST)**: LLM agents analyze the codebase to discover application-specific invariants (e.g., "document access must verify organizational ownership"), generate targeted fuzzers to violate those invariants, and synthesize full PoC exploits. This catches authorization failures and domain-specific logic errors that pattern-based scanners cannot detect.
- **SCA with Reachability Analysis**: Goes beyond flagging CVEs by tracing whether the vulnerable function is actually reachable from application entry points via the CPG. Unreachable vulnerabilities are deprioritized.
- **Secrets Detection**: Combines regex pattern matching with LLM-based detection (for dynamically constructed credentials, custom formats, obfuscated tokens) and performs liveness validation against the corresponding service using read-only API calls.
**Stage 2: Autonomous Dynamic Penetration Testing**
The same multi-agent pentest pipeline as Shannon Lite (reconnaissance, parallel vulnerability analysis, parallel exploitation, reporting), enhanced with static findings injected into the exploitation queue. Static findings are mapped to Shannon's five attack domains (Injection, XSS, SSRF, Auth, Authz), and exploit agents attempt real proof-of-concept attacks against the running application for each finding.
**Static-Dynamic Correlation**
This is the core differentiator. A data flow vulnerability identified in static analysis (e.g., unsanitized input reaching a SQL query) is not reported as a theoretical risk. It is fed to the corresponding exploit agent, which attempts to exploit it against the live application. Confirmed exploits are traced back to the exact source code location, giving developers both proof of exploitability and the line of code to fix.
**Deployment Model**
Shannon Pro supports a self-hosted runner model (similar to GitHub Actions self-hosted runners). The data plane, which handles code access and all LLM API calls, runs entirely within the customer's infrastructure using the customer's own API keys. Source code never leaves the customer's network. The Keygraph control plane handles job orchestration, scan scheduling, and the reporting UI, receiving only aggregate findings.
| Capability | Shannon Lite | Shannon Pro (All-in-One AppSec) |
| --- | --- | --- |
| **Licensing** | AGPL-3.0 | Commercial |
| **Static Analysis** | Code review prompting | Full agentic SAST, SCA, secrets, business logic testing |
| **Dynamic Testing** | Autonomous AI pentesting | Autonomous AI pentesting with static-dynamic correlation |
| **Analysis Engine** | Code review prompting | CPG-based data flow with LLM reasoning at every node |
| **Business Logic** | None | Automated invariant discovery, fuzzer generation, exploit synthesis |
| **CI/CD Integration** | Manual / CLI | Native CI/CD, GitHub PR scanning |
| **Deployment** | CLI | Managed cloud or self-hosted runner |
| **Boundary Analysis** | None | Automatic service boundary detection with team routing |
[Full technical details →](./SHANNON-PRO.md)
## 📑 Table of Contents
- [What is Shannon?](#-what-is-shannon)
- [Shannon in Action](#-shannon-in-action)
- [Features](#-features)
- [Product Line](#-product-line)
- [Setup & Usage Instructions](#-setup--usage-instructions)
- [Prerequisites](#prerequisites)
- [Quick Start](#quick-start)
- [Monitoring Progress](#monitoring-progress)
- [Stopping Shannon](#stopping-shannon)
- [Usage Examples](#usage-examples)
- [Workspaces and Resuming](#workspaces-and-resuming)
- [Configuration (Optional)](#configuration-optional)
- [AWS Bedrock](#aws-bedrock)
- [Google Vertex AI](#google-vertex-ai)
- [Custom Base URL](#custom-base-url)
- [[EXPERIMENTAL - UNSUPPORTED] Router Mode (Alternative Providers)](#experimental---unsupported-router-mode-alternative-providers)
- [Output and Results](#output-and-results)
- [Sample Reports](#-sample-reports)
- [Benchmark](#-benchmark)
- [Architecture](#️-architecture)
- [Coverage and Roadmap](#-coverage-and-roadmap)
- [Disclaimers](#️-disclaimers)
- [License](#-license)
- [Community & Support](#-community--support)
- [Get in Touch](#-get-in-touch)
---
## 🚀 Setup & Usage Instructions
### Prerequisites
- **Docker** - Container runtime ([Install Docker](https://docs.docker.com/get-docker/))
- **AI Provider Credentials** (choose one):
- **Anthropic API key** (recommended) - Get from [Anthropic Console](https://console.anthropic.com)
- **Claude Code OAuth token**
- **AWS Bedrock** - Route through Amazon Bedrock with AWS credentials (see [AWS Bedrock](#aws-bedrock))
- **Google Vertex AI** - Route through Google Cloud Vertex AI (see [Google Vertex AI](#google-vertex-ai))
- **[EXPERIMENTAL - UNSUPPORTED] Alternative providers via Router Mode** - OpenAI or Google Gemini via OpenRouter (see [Router Mode](#experimental---unsupported-router-mode-alternative-providers))
### Quick Start
```bash
# 1. Clone Shannon
git clone https://github.com/KeygraphHQ/shannon.git
cd shannon
# 2. Configure credentials (choose one method)
# Option A: Export environment variables
export ANTHROPIC_API_KEY="your-api-key" # or CLAUDE_CODE_OAUTH_TOKEN
export CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000 # recommended
# Option B: Create a .env file
cat > .env << 'EOF'
ANTHROPIC_API_KEY=your-api-key
CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000
EOF
# 3. Run a pentest
./shannon start URL=https://your-app.com REPO=your-repo
```
Shannon will build the containers, start the workflow, and return a workflow ID. The pentest runs in the background.
### Monitoring Progress
```bash
# View real-time worker logs
./shannon logs
# Query a specific workflow's progress
./shannon query ID=shannon-1234567890
# Open the Temporal Web UI for detailed monitoring
open http://localhost:8233
```
### Stopping Shannon
```bash
# Stop all containers (preserves workflow data)
./shannon stop
# Full cleanup (removes all data)
./shannon stop CLEAN=true
```
### Usage Examples
```bash
# Basic pentest
./shannon start URL=https://example.com REPO=repo-name
# With a configuration file
./shannon start URL=https://example.com REPO=repo-name CONFIG=./configs/my-config.yaml
# Custom output directory
./shannon start URL=https://example.com REPO=repo-name OUTPUT=./my-reports
# Named workspace
./shannon start URL=https://example.com REPO=repo-name WORKSPACE=q1-audit
# List all workspaces
./shannon workspaces
```
### Workspaces and Resuming
Shannon supports **workspaces** that allow you to resume interrupted or failed runs without re-running completed agents.
**How it works:**
- Every run creates a workspace in `audit-logs/` (auto-named by default, e.g. `example-com_shannon-1771007534808`)
- Use `WORKSPACE=<name>` to give your run a custom name for easier reference
- To resume any run, pass its workspace name via `WORKSPACE=` — Shannon detects which agents completed successfully and picks up where it left off
- Each agent's progress is checkpointed via git commits, so resumed runs start from a clean, validated state
```bash
# Start with a named workspace
./shannon start URL=https://example.com REPO=repo-name WORKSPACE=my-audit
# Resume the same workspace (skips completed agents)
./shannon start URL=https://example.com REPO=repo-name WORKSPACE=my-audit
# Resume an auto-named workspace from a previous run
./shannon start URL=https://example.com REPO=repo-name WORKSPACE=example-com_shannon-1771007534808
# List all workspaces and their status
./shannon workspaces
```
> [!NOTE]
> The `URL` must match the original workspace URL when resuming. Shannon will reject mismatched URLs to prevent cross-target contamination.
### Prepare Your Repository
Shannon expects target repositories to be placed under the `./repos/` directory at the project root. The `REPO` flag refers to a folder name inside `./repos/`. Copy the repository you want to scan into `./repos/`, or clone it directly there:
```bash
git clone https://github.com/your-org/your-repo.git ./repos/your-repo
```
**For monorepos:**
```bash
git clone https://github.com/your-org/your-monorepo.git ./repos/your-monorepo
```
**For multi-repository applications** (e.g., separate frontend/backend):
```bash
mkdir ./repos/your-app
cd ./repos/your-app
git clone https://github.com/your-org/frontend.git
git clone https://github.com/your-org/backend.git
git clone https://github.com/your-org/api.git
```
### Platform-Specific Instructions
**For Windows:**
*Native (Git Bash):*
Install [Git for Windows](https://git-scm.com/install/windows) and run Shannon from **Git Bash** with Docker Desktop installed.
*WSL2 (Recommended):*
**Step 1: Ensure WSL 2**
```powershell
wsl --install
wsl --set-default-version 2
# Check installed distros
wsl --list --verbose
# If you don't have a distro, install one (Ubuntu 24.04 recommended)
wsl --list --online
wsl --install Ubuntu-24.04
# If your distro shows VERSION 1, convert it to WSL 2:
wsl --set-version <distro-name> 2
```
See [WSL basic commands](https://learn.microsoft.com/en-us/windows/wsl/basic-commands) for reference.
**Step 2: Install Docker Desktop on Windows** and enable **WSL2 backend** under *Settings > General > Use the WSL 2 based engine*.
**Step 3: Clone and run Shannon inside WSL.** Type `wsl -d <distro-name>` in PowerShell or CMD and press Enter to open a WSL terminal.
```bash
# Inside WSL terminal
git clone https://github.com/KeygraphHQ/shannon.git
cd shannon
cp .env.example .env # Edit with your API key
./shannon start URL=https://your-app.com REPO=your-repo
```
To access the Temporal Web UI, run `ip addr` inside WSL to find your WSL IP address, then navigate to `http://<wsl-ip>:8233` in your Windows browser.
Windows Defender may flag exploit code in reports as false positives; see [Antivirus False Positives](#6-windows-antivirus-false-positives) below.
**For Linux (Native Docker):**
You may need to run commands with `sudo` depending on your Docker setup. If you encounter permission issues with output files, ensure your user has access to the Docker socket.
**For macOS:**
Works out of the box with Docker Desktop installed.
**Testing Local Applications:**
Docker containers cannot reach `localhost` on your host machine. Use `host.docker.internal` in place of `localhost`:
```bash
./shannon start URL=http://host.docker.internal:3000 REPO=repo-name
```
### Configuration (Optional)
While you can run without a config file, creating one enables authenticated testing and customized analysis. Place your configuration files inside the `./configs/` directory — this folder is mounted into the Docker container automatically.
#### Create Configuration File
Copy and modify the example configuration:
```bash
cp configs/example-config.yaml configs/my-app-config.yaml
```
#### Basic Configuration Structure
```yaml
authentication:
login_type: form
login_url: "https://your-app.com/login"
credentials:
username: "test@example.com"
password: "yourpassword"
totp_secret: "LB2E2RX7XFHSTGCK" # Optional for 2FA
login_flow:
- "Type $username into the email field"
- "Type $password into the password field"
- "Click the 'Sign In' button"
success_condition:
type: url_contains
value: "/dashboard"
rules:
avoid:
- description: "AI should avoid testing logout functionality"
type: path
url_path: "/logout"
focus:
- description: "AI should emphasize testing API endpoints"
type: path
url_path: "/api"
```
#### TOTP Setup for 2FA
If your application uses two-factor authentication, simply add the TOTP secret to your config file. The AI will automatically generate the required codes during testing.
#### Subscription Plan Rate Limits
Anthropic subscription plans reset usage on a **rolling 5-hour window**. The default retry strategy (30-min max backoff) will exhaust retries before the window resets. Add this to your config:
```yaml
pipeline:
retry_preset: subscription # Extends max backoff to 6h, 100 retries
max_concurrent_pipelines: 2 # Run 2 of 5 pipelines at a time (reduces burst API usage)
```
`max_concurrent_pipelines` controls how many vulnerability pipelines run simultaneously (1-5, default: 5). Lower values reduce the chance of hitting rate limits but increase wall-clock time.
### AWS Bedrock
Shannon also supports [Amazon Bedrock](https://aws.amazon.com/bedrock/) instead of using an Anthropic API key.
#### Quick Setup
1. Add your AWS credentials to `.env`:
```bash
CLAUDE_CODE_USE_BEDROCK=1
AWS_REGION=us-east-1
AWS_BEARER_TOKEN_BEDROCK=your-bearer-token
# Set models with Bedrock-specific IDs for your region
ANTHROPIC_SMALL_MODEL=us.anthropic.claude-haiku-4-5-20251001-v1:0
ANTHROPIC_MEDIUM_MODEL=us.anthropic.claude-sonnet-4-6
ANTHROPIC_LARGE_MODEL=us.anthropic.claude-opus-4-6
```
2. Run Shannon as usual:
```bash
./shannon start URL=https://example.com REPO=repo-name
```
Shannon uses three model tiers: **small** (`claude-haiku-4-5-20251001`) for summarization, **medium** (`claude-sonnet-4-6`) for security analysis, and **large** (`claude-opus-4-6`) for deep reasoning. Set `ANTHROPIC_SMALL_MODEL`, `ANTHROPIC_MEDIUM_MODEL`, and `ANTHROPIC_LARGE_MODEL` to the Bedrock model IDs for your region.
### Google Vertex AI
Shannon also supports [Google Vertex AI](https://cloud.google.com/vertex-ai) instead of using an Anthropic API key.
#### Quick Setup
1. Create a service account with the `roles/aiplatform.user` role in the [GCP Console](https://console.cloud.google.com/iam-admin/serviceaccounts), then download a JSON key file.
2. Place the key file in the `./credentials/` directory:
```bash
mkdir -p ./credentials
cp /path/to/your-sa-key.json ./credentials/gcp-sa-key.json
```
3. Add your GCP configuration to `.env`:
```bash
CLAUDE_CODE_USE_VERTEX=1
CLOUD_ML_REGION=us-east5
ANTHROPIC_VERTEX_PROJECT_ID=your-gcp-project-id
GOOGLE_APPLICATION_CREDENTIALS=./credentials/gcp-sa-key.json
# Set models with Vertex AI model IDs
ANTHROPIC_SMALL_MODEL=claude-haiku-4-5@20251001
ANTHROPIC_MEDIUM_MODEL=claude-sonnet-4-6
ANTHROPIC_LARGE_MODEL=claude-opus-4-6
```
4. Run Shannon as usual:
```bash
./shannon start URL=https://example.com REPO=repo-name
```
Set `CLOUD_ML_REGION=global` for global endpoints, or a specific region like `us-east5`. Some models may not be available on global endpoints — see the [Vertex AI Model Garden](https://console.cloud.google.com/vertex-ai/model-garden) for region availability.
### Custom Base URL
Shannon supports pointing the SDK at any Anthropic-compatible endpoint (proxies, gateways, etc.) via `ANTHROPIC_BASE_URL`.
#### Quick Setup
1. Add your endpoint and auth token to `.env`:
```bash
ANTHROPIC_BASE_URL=https://your-proxy.example.com
ANTHROPIC_AUTH_TOKEN=your-auth-token
```
2. Optionally override model tiers (defaults are used if not set):
```bash
ANTHROPIC_SMALL_MODEL=claude-haiku-4-5-20251001
ANTHROPIC_MEDIUM_MODEL=claude-sonnet-4-6
ANTHROPIC_LARGE_MODEL=claude-opus-4-6
```
3. Run Shannon as usual:
```bash
./shannon start URL=https://example.com REPO=repo-name
```
### [EXPERIMENTAL - UNSUPPORTED] Router Mode (Alternative Providers)
Shannon can experimentally route requests through alternative AI providers using claude-code-router. This mode is not officially supported and is intended primarily for:
* **Model experimentation** — try Shannon with GPT-5.2 or Gemini 3–family models
#### Quick Setup
1. Add your provider API key to `.env`:
```bash
# Choose one provider:
OPENAI_API_KEY=sk-...
# OR
OPENROUTER_API_KEY=sk-or-...
# Set default model:
ROUTER_DEFAULT=openai,gpt-5.2 # provider,model format
```
2. Run with `ROUTER=true`:
```bash
./shannon start URL=https://example.com REPO=repo-name ROUTER=true
```
#### Experimental Models
| Provider | Models |
|----------|--------|
| OpenAI | gpt-5.2, gpt-5-mini |
| OpenRouter | google/gemini-3-flash-preview |
#### Disclaimer
This feature is experimental and unsupported. Output quality depends heavily on the model. Shannon is built on top of the Anthropic Agent SDK and is optimized and primarily tested with Anthropic Claude models. Alternative providers may produce inconsistent results (including failing early phases like Recon) depending on the model and routing setup.
### Output and Results
All results are saved to `./audit-logs/{hostname}_{sessionId}/` by default. Use `--output <path>` to specify a custom directory.
Output structure:
```
audit-logs/{hostname}_{sessionId}/
├── session.json # Metrics and session data
├── agents/ # Per-agent execution logs
├── prompts/ # Prompt snapshots for reproducibility
└── deliverables/
└── comprehensive_security_assessment_report.md # Final comprehensive security report
```
---
## 📊 Sample Reports
Sample penetration test reports from industry-standard vulnerable applications:
#### 🧃 **OWASP Juice Shop** • [GitHub](https://github.com/juice-shop/juice-shop)
*A notoriously insecure web application maintained by OWASP, designed to test a tool's ability to uncover a wide range of modern vulnerabilities.*
**Results**: Identified over 20 vulnerabilities across targeted OWASP categories in a single automated run.
**Notable findings**:
- Authentication bypass and full user database exfiltration via SQL injection
- Privilege escalation to administrator through registration workflow bypass
- IDOR vulnerabilities enabling access to other users' data and shopping carts
- SSRF enabling internal network reconnaissance
📄 **[View Complete Report →](sample-reports/shannon-report-juice-shop.md)**
---
#### 🔗 **c{api}tal API** • [GitHub](https://github.com/Checkmarx/capital)
*An intentionally vulnerable API from Checkmarx, designed to test a tool's ability to uncover the OWASP API Security Top 10.*
**Results**: Identified approximately 15 critical and high-severity vulnerabilities.
**Notable findings**:
- Root-level command injection via denylist bypass in a hidden debug endpoint
- Authentication bypass through a legacy, unpatched v1 API endpoint
- Privilege escalation via Mass Assignment in the user profile update function
- Zero false positives for XSS (correctly confirmed robust XSS defenses)
📄 **[View Complete Report →](sample-reports/shannon-report-capital-api.md)**
---
#### 🚗 **OWASP crAPI** • [GitHub](https://github.com/OWASP/crAPI)
*A modern, intentionally vulnerable API from OWASP, designed to benchmark a tool's effectiveness against the OWASP API Security Top 10.*
**Results**: Identified over 15 critical and high-severity vulnerabilities.
**Notable findings**:
- Authentication bypass via multiple JWT attacks (Algorithm Confusion, alg:none, weak key injection)
- Full PostgreSQL database compromise via injection, exfiltrating user credentials
- SSRF attack forwarding internal authentication tokens to an external service
- Zero false positives for XSS (correctly identified robust XSS defenses)
📄 **[View Complete Report →](sample-reports/shannon-report-crapi.md)**
---
## 📈 Benchmark
Shannon Lite scored **96.15% (100/104 exploits)** on a hint-free, source-aware variant of the XBOW security benchmark.
**[Full results with detailed agent logs and per-challenge pentest reports →](./xben-benchmark-results/README.md)**
---
## 🏗️ Architecture
Shannon uses a multi-agent architecture that combines white-box source code analysis with dynamic exploitation across four phases:
```
┌──────────────────────┐
│ Reconnaissance │
└──────────┬───────────┘
│
▼
┌──────────┴───────────┐
│ │ │
▼ ▼ ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ Vuln Analysis │ │ Vuln Analysis │ │ ... │
│ (Injection) │ │ (XSS) │ │ │
└─────────┬───────┘ └─────────┬───────┘ └─────────┬───────┘
│ │ │
▼ ▼ ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ Exploitation │ │ Exploitation │ │ ... │
│ (Injection) │ │ (XSS) │ │ │
└─────────┬───────┘ └─────────┬───────┘ └─────────┬───────┘
│ │ │
└─────────┬─────────┴───────────────────┘
│
▼
┌──────────────────────┐
│ Reporting │
└──────────────────────┘
```
### Architectural Overview
Shannon uses Anthropic's Claude Agent SDK as its reasoning engine within a multi-agent architecture. The system combines white-box source code analysis with black-box dynamic exploitation, managed by an orchestrator across four phases. The architecture is designed for minimal false positives through a "no exploit, no report" policy.
---
#### **Phase 1: Reconnaissance**
The first phase builds a comprehensive map of the application's attack surface. Shannon analyzes the source code and integrates with tools like Nmap and Subfinder to understand the tech stack and infrastructure. Simultaneously, it performs live application exploration via browser automation to correlate code-level insights with real-world behavior, producing a detailed map of all entry points, API endpoints, and authentication mechanisms for the next phase.
#### **Phase 2: Vulnerability Analysis**
To maximize efficiency, this phase operates in parallel. Using the reconnaissance data, specialized agents for each OWASP category hunt for potential flaws in parallel. For vulnerabilities like Injection and SSRF, agents perform a structured data flow analysis, tracing user input to dangerous sinks. This phase produces a key deliverable: a list of **hypothesized exploitable paths** that are passed on for validation.
#### **Phase 3: Exploitation**
Continuing the parallel workflow to maintain speed, this phase is dedicated entirely to turning hypotheses into proof. Dedicated exploit agents receive the hypothesized paths and attempt to execute real-world attacks using browser automation, command-line tools, and custom scripts. This phase enforces a strict **"No Exploit, No Report"** policy: if a hypothesis cannot be successfully exploited to demonstrate impact, it is discarded as a false positive.
#### **Phase 4: Reporting**
The final phase compiles all validated findings into a professional, actionable report. An agent consolidates the reconnaissance data and the successful exploit evidence, cleaning up any noise or hallucinated artifacts. Only verified vulnerabilities are included, complete with **reproducible, copy-and-paste Proof-of-Concepts**, delivering a final pentest-grade report focused exclusively on proven risks.
## 📋 Coverage and Roadmap
For detailed information about Shannon's security testing coverage and development roadmap, see our [Coverage and Roadmap](./COVERAGE.md) documentation.
## ⚠️ Disclaimers
### Important Usage Guidelines & Disclaimers
Please review the following guidelines carefully before using Shannon (Lite). As a user, you are responsible for your actions and assume all liability.
#### **1. Potential for Mutative Effects & Environment Selection**
This is not a passive scanner. The exploitation agents are designed to **actively execute attacks** to confirm vulnerabilities. This process can have mutative effects on the target application and its data.
> [!WARNING]
> **⚠️ DO NOT run Shannon on production environments.**
>
> - It is intended exclusively for use on sandboxed, staging, or local development environments where data integrity is not a concern.
> - Potential mutative effects include, but are not limited to: creating new users, modifying or deleting data, compromising test accounts, and triggering unintended side effects from injection attacks.
#### **2. Legal & Ethical Use**
Shannon is designed for legitimate security auditing purposes only.
> [!CAUTION]
> **You must have explicit, written authorization** from the owner of the target system before running Shannon.
>
> Unauthorized scanning and exploitation of systems you do not own is illegal and can be prosecuted under laws such as the Computer Fraud and Abuse Act (CFAA). Keygraph is not responsible for any misuse of Shannon.
#### **3. LLM & Automation Caveats**
- **Verification is Required**: While significant engineering has gone into our "proof-by-exploitation" methodology to eliminate false positives, the underlying LLMs can still generate hallucinated or weakly-supported content in the final report. **Human oversight is essential** to validate the legitimacy and severity of all reported findings.
- **Comprehensiveness**: The analysis in Shannon Lite may not be exhaustive due to the inherent limitations of LLM context windows. For a more comprehensive, graph-based analysis of your entire codebase, **Shannon Pro** leverages its advanced data flow analysis engine to ensure deeper and more thorough coverage.
#### **4. Scope of Analysis**
- **Targeted Vulnerabilities**: The current version of Shannon Lite specifically targets the following classes of *exploitable* vulnerabilities:
- Broken Authentication & Authorization
- Injection
- Cross-Site Scripting (XSS)
- Server-Side Request Forgery (SSRF)
- **What Shannon Lite Does Not Cover**: This list is not exhaustive of all potential security risks. Shannon Lite's "proof-by-exploitation" model means it will not report on issues it cannot actively exploit, such as vulnerable third-party libraries or insecure configurations. These types of deep static-analysis findings are a core focus of the advanced analysis engine in **Shannon Pro**.
#### **5. Cost & Performance**
- **Time**: As of the current version, a full test run typically takes **1 to 1.5 hours** to complete.
- **Cost**: Running the full test using Anthropic's Claude 4.5 Sonnet model may incur costs of approximately **$50 USD**. Costs vary based on model pricing and application complexity.
#### **6. Windows Antivirus False Positives**
Windows Defender may flag files in `xben-benchmark-results/` or `deliverables/` as malware. These are false positives caused by exploit code in the reports. Add an exclusion for the Shannon directory in Windows Defender, or use Docker/WSL2.
#### **7. Security Considerations**
Shannon Lite is designed for scanning repositories and applications you own or have explicit permission to test. Do not point it at untrusted or adversarial codebases. Like any AI-powered tool that reads source code, Shannon Lite is susceptible to prompt injection from content in the scanned repository.
## 📜 License
Shannon Lite is released under the [GNU Affero General Public License v3.0 (AGPL-3.0)](LICENSE).
Shannon is open source (AGPL v3). This license allows you to:
- Use it freely for all internal security testing.
- Modify the code privately for internal use without sharing your changes.
The AGPL's sharing requirements primarily apply to organizations offering Shannon as a public or managed service (such as a SaaS platform). In those specific cases, any modifications made to the core software must be open-sourced.
## 👥 Community & Support
### Community Resources
📅 **1:1 Office Hours** — Thursdays, two time zones
Book a free 15-min session for hands-on help with bugs, deployments, or config questions.
→ US/EU: 10:00 AM PT | Asia: 2:00 PM IST
→ [Book a slot](https://cal.com/george-flores-keygraph/shannon-community-office-hours)
💬 [Join our Discord](https://discord.gg/cmctpMBXwE) to ask questions, share feedback, and connect with other Shannon users.
**Contributing:** At this time, we're not accepting external code contributions (PRs).
Issues are welcome for bug reports and feature requests.
- 🐛 **Report bugs** via [GitHub Issues](https://github.com/KeygraphHQ/shannon/issues)
- 💡 **Suggest features** in [Discussions](https://github.com/KeygraphHQ/shannon/discussions)
### Stay Connected
- 🐦 **Twitter**: [@KeygraphHQ](https://twitter.com/KeygraphHQ)
- 💼 **LinkedIn**: [Keygraph](https://linkedin.com/company/keygraph)
- 🌐 **Website**: [keygraph.io](https://keygraph.io)
## 💬 Get in Touch
### Shannon Pro
Shannon Pro is Keygraph's all-in-one AppSec platform. For organizations that need unified SAST, SCA, and autonomous pentesting with static-dynamic correlation, CI/CD integration, or self-hosted deployment, see the [Shannon Pro technical overview](./SHANNON-PRO.md).
<p align="center">
<a href="https://docs.google.com/forms/d/e/1FAIpQLSf-cPZcWjlfBJ3TCT8AaWpf8ztsw3FaHzJE4urr55KdlQs6cQ/viewform?usp=header" target="_blank">
<img src="https://img.shields.io/badge/📋%20Shannon%20Pro%20Inquiry-4285F4?style=for-the-badge&logo=google&logoColor=white" alt="Shannon Pro Inquiry">
</a>
</p>
📧 **Email**: [shannon@keygraph.io](mailto:shannon@keygraph.io)
---
<p align="center">
<b>Built by <a href="https://keygraph.io">Keygraph</a></b>
</p>
================================================
FILE: SHANNON-PRO.md
================================================
# Shannon Pro
Shannon Pro is Keygraph's comprehensive AppSec platform, combining SAST, SCA, secrets scanning, business logic security testing, and autonomous pentesting in a single correlated workflow:
- **Agentic static analysis:** CPG-based data flow, SCA with reachability, secrets detection, business logic security testing
- **Static-dynamic correlation:** static findings are fed into the dynamic pipeline and exploited against the running application, so every reported vulnerability has a working proof-of-concept
- **Enterprise deployment:** self-hosted runner (code and LLM calls never leave customer infrastructure), CI/CD integration, GitHub PR scanning, service boundary detection
The platform cross-references static and dynamic results to eliminate false positives, prioritize by proven exploitability, and produce pentest-grade reports with reproducible proof-of-concept exploits for every finding.
---
## The Problem: Fragmented AppSec and Alert Fatigue
Modern engineering teams face two compounding security challenges. First, traditional static analysis tools (SCA, SAST, and secrets scanners) operate without context, producing high volumes of false positives that erode developer trust. Second, penetration testing remains an expensive, periodic exercise that cannot keep pace with continuous deployment. The result is a fragmented security posture where static tools cry wolf, dynamic assessments arrive too late, and engineering teams treat security as compliance theater rather than a source of genuine protection.
Shannon Pro addresses both problems in a single platform by replacing pattern-based static analysis with LLM-powered reasoning and augmenting it with a fully autonomous AI pentester that validates findings at runtime. The platform supports a self-hosted runner model where source code and LLM interactions never leave the customer's infrastructure.
---
## Platform Architecture Overview
Shannon Pro operates as a two-stage pipeline: agentic static analysis of the codebase, followed by autonomous dynamic penetration testing against the running application. Findings from both stages are correlated to produce a unified, high-confidence result set.
---
# Stage 1: Agentic Static Analysis (AppSec)
The static analysis stage performs comprehensive code-level security assessment using LLM-powered agents. It comprises five core capabilities: SAST (data flow analysis, point issue detection, and business logic security testing), SCA with reachability analysis, and secrets detection.
## SAST: Data Flow Analysis
Shannon Pro transforms the target codebase into a Code Property Graph (CPG) that combines the abstract syntax tree, control flow graph, and program dependence graph into a unified structure. Nodes represent program constructs (such as expressions, statements, and declarations), and edges capture syntactic, control-flow, and data-dependence relationships. The analysis proceeds in three phases.
### Phase 1: Source and Sink Extraction
For each vulnerability type, the system identifies sources (where untrusted data enters, such as user input, API requests, and file reads) and sinks (where that data could cause harm, such as SQL queries, command execution, and file writes). Deterministic pattern matching establishes a baseline, then an AI agent analyzes the codebase to discover sources and sinks that generic patterns miss, including custom input handlers and framework-specific patterns unique to the target codebase. A filtering agent removes irrelevant results such as test fixtures and mock data.
### Phase 2: Path Tracing with Contextual Reasoning
This is where Shannon Pro's approach differs fundamentally from traditional SAST. The system traces backward from each sink toward potential sources. At every node along the path, an LLM analyzes whether sanitization is applied at that exact point and whether that sanitization is sufficient for this specific vulnerability in this specific context.
The key insight is that security fixes are context-dependent. A function that makes data safe for one SQL query might not protect a different query. A custom sanitizer that a team wrote will not be recognized by pattern-based tools. Traditional tools rely on a hard-coded list of safe functions; Shannon Pro reasons about what the code is actually doing, validating whether the specific sanitization at each node actually addresses the specific risk at the specific sink.
### Phase 3: Path Validation
Each identified vulnerability path is validated by an autonomous Claude agent that confirms control flow correctness (is the path actually executable?) and logic correctness (is the vulnerability real or a false positive?). Agents produce confidence scores, and only validated paths proceed to reporting.
## SAST: Point Issue Detection
Point issues are vulnerabilities where security depends on what is happening at a single location rather than across a data flow path. The system pre-filters and organizes files, then feeds each one to an LLM to identify issues such as:
- Use of weak encryption algorithms
- Hardcoded credentials or API keys
- Insecure configuration settings (e.g., debug mode enabled in production)
- Missing security headers
- Weak random number generation
- Disabled certificate validation
- Overly permissive CORS settings
## SAST: Business Logic Security Testing
Traditional security testing tools cannot reason about application-specific correctness properties. Pattern-based scanners look for known vulnerability signatures; conventional fuzzers (AFL, libFuzzer) find crashes and memory errors through input mutation but operate without awareness of business semantics. Neither can determine whether a syntactically valid response actually violates the application's security model. Shannon Pro bridges this gap with automated invariant-based security testing: LLM agents that understand the business semantics of the codebase, automatically discover application-specific invariants, and generate targeted test scenarios that verify whether those invariants hold under adversarial conditions. This approach draws from property-based testing methodology, applied specifically to security-relevant business logic.
### Why Business Logic Bugs Are Missed
Pattern-based scanners and traditional SAST are structurally incapable of finding business logic vulnerabilities. These bugs do not involve malformed input reaching a dangerous sink. Instead, they involve legitimate operations that violate unstated rules about how the application should behave. A multi-tenant SaaS platform assumes Organization A's data is never accessible to Organization B. An e-commerce application assumes a checkout total cannot go negative. A healthcare platform assumes a patient record is only visible to the assigned provider. These invariants are implicit in the business domain, never encoded in a generic vulnerability database, and invisible to any tool that does not understand what the application is supposed to do.
### How It Works
Shannon Pro's business logic security testing operates in four phases:
**Phase 1: Invariant Discovery.** An LLM agent performs a deep semantic analysis of the codebase, examining data models, API endpoints, authorization logic, and domain-specific patterns. Rather than looking for known vulnerability signatures, the agent reasons about the application's intended behavior and derives business logic invariants: rules that must hold for the application to be secure. For a multi-tenant platform, the agent identifies invariants such as "document access must verify that the document belongs to the requesting user's organization." For a financial application, it might identify "a transfer cannot be initiated where the source and destination accounts have the same owner but different privilege levels." These are security properties that no generic scanner can know about because they are unique to each application.
**Phase 2: Fuzzer Generation.** For each discovered invariant, a second agent generates a targeted fuzzer: a test scenario designed to violate the invariant. These are not random inputs. The agent reads the code, understands the expected authorization checks (or lack thereof), and constructs specific adversarial scenarios. For an authorization invariant, the fuzzer might construct a request where a user from one organization references a resource belonging to another organization. For a state machine invariant, it might craft a sequence of API calls that skips a required approval step.
**Phase 3: Violation Detection.** The generated fuzzers are executed against a stubbed test environment that replicates the application's business logic with mocked dependencies. When a fuzzer succeeds, meaning the invariant does not hold, the system has identified a confirmed business logic vulnerability. The agent traces the violation back to the specific code location where the missing check or flawed logic exists.
**Phase 4: Exploit Synthesis.** For every confirmed violation, the system produces a full proof-of-concept exploit with step-by-step reproduction instructions, the specific API calls or user actions required, the observed versus expected behavior, and the security impact.
### Real-World Example: Cross-Tenant Data Access (CWE-639)
In a production multi-tenant platform, Shannon Pro's business logic security testing discovered a critical Insecure Direct Object Reference (IDOR) vulnerability that no traditional scanner would detect.
**Invariant discovered:** Document access must verify that the document belongs to the requesting user's organization.
**Fuzzer generated:** The agent extracted the `GetDocument` handler logic into a stubbed test environment, mocking the database layer to return documents with known organization IDs. The fuzzer generated combinations of requesting user organizations and document owner organizations, testing whether the handler enforces organizational boundaries.
**Violation confirmed:** An attacker from Organization B can access documents belonging to Organization A by calling the `GetDocument` endpoint with the victim's document ID, without any authorization check preventing cross-organization access.
**Exploit synthesized:**
1. Attacker authenticates as a user in Organization B and obtains valid credentials.
2. Attacker enumerates or guesses a document ID belonging to Organization A (e.g., through sequential ID guessing, leaked references, or predictable UUID patterns).
3. Attacker calls `GET /api/document?document_id=victim-doc-123` with their Organization B credentials.
4. The system retrieves the document without verifying organizational ownership.
5. The system returns HTTP 200 with the complete document contents, including sensitive data belonging to Organization A.
**Impact:** Complete breach of multi-tenant data isolation. Attackers can read all documents across all organizations, potentially exposing confidential business data, PII, trade secrets, and compliance-sensitive information.
**Expected behavior:** HTTP 403 Forbidden with an error message indicating access is denied, or HTTP 404 Not Found to avoid leaking document existence.
This class of vulnerability, missing authorization at an organizational boundary, is invisible to pattern-based tools because the code is syntactically correct, uses no dangerous functions, and follows normal request-handling patterns. Only a system that understands the business invariant ("documents belong to organizations, and access must respect that boundary") can identify the violation.
### What This Means
Business logic security testing extends Shannon Pro's coverage beyond the limits of traditional static and dynamic analysis. Data flow analysis catches injection, XSS, and other input-driven vulnerabilities. Point issue detection catches configuration and cryptographic weaknesses. Business logic security testing catches the authorization failures, state machine violations, and domain-specific logic errors that represent some of the most severe and most commonly missed vulnerabilities in production applications. Together, these three capabilities provide comprehensive SAST coverage across the full vulnerability spectrum.
## SCA with Reachability Analysis
Traditional SCA flags any library with a known CVE regardless of whether the vulnerable function is called or even reachable. Shannon Pro goes further with a four-step reachability process:
1. An AI agent researches each CVE to identify the exact vulnerable function, framework, or conditions.
2. For framework-level issues, the system checks whether the application actually uses the affected framework in practice.
3. For function-level issues, the CPG is queried to extract nodes where the vulnerable function is used. If no nodes are found, the vulnerability is marked as not reachable.
4. If nodes are found, execution flow is traced from entry points (main functions, API endpoints) to determine whether a path exists. Proven executable vulnerabilities are flagged; code that uses the function but is not currently callable is marked as likely reachable.
## Secrets Detection
Shannon Pro combines three approaches to secrets scanning. Standard regex-based pattern matching catches known formats (AWS keys, API tokens, etc.). Simultaneously, during the point issue detection phase, LLM-based detection catches secrets that standard patterns miss, such as dynamically constructed credentials, custom credential formats, and obfuscated tokens. The LLM layer also filters out test data, placeholders, and documentation examples that regex scanners frequently flag as false positives.
For discovered secrets, Shannon Pro performs liveness validation: an agent determines the API context for each credential and attempts to authenticate against the corresponding service. This distinguishes active, exploitable secrets from revoked or rotated credentials, ensuring teams focus remediation effort on secrets that represent real exposure. Liveness checks use read-only API calls (e.g., identity verification endpoints) to avoid triggering side effects or account lockouts, and in the self-hosted runner deployment, all validation occurs within the customer's network.
## Boundary Analysis
For large-scale or monorepo architectures, Shannon Pro's boundary analysis capability allows organizations to scope scans to specific services or portions of the codebase. An agent analyzes the repository and identifies logical boundaries (by service, frontend vs. backend, microservice, etc.). Users review, confirm, and optionally edit the detected boundaries, then select which to include in a scan. Findings are tagged by boundary, enabling clear routing to the responsible team.
## False Positive Tagging
Any finding can be marked as a false positive. On subsequent scans, the same finding will be flagged as likely false positive, so teams do not repeatedly triage issues they have already dismissed.
---
# Stage 2: Autonomous Dynamic Penetration Testing
Shannon Pro's dynamic testing pipeline mirrors the workflow of a professional human penetration tester, implemented as a multi-agent system powered by the Anthropic Claude Agent SDK. The system operates through five phases using 13 specialized agents.
## Execution Model
Phases 1 and 2 (reconnaissance) run sequentially. Phases 3 and 4 (vulnerability analysis and exploitation) run as pipelined parallel: each vulnerability/exploit pair is independent. When a vulnerability agent finishes for a given attack domain, the corresponding exploit agent starts immediately, even if other vulnerability agents are still running. Phase 5 (reporting) runs after all exploitation is complete.
## Phase 1: Pre-Reconnaissance
Pure static analysis of the source code without browser interaction. The pre-recon agent maps the application architecture, identifies security-relevant components (authentication systems, database access patterns, input handling), and catalogs the complete attack surface from a code perspective. Outputs include a comprehensive catalog of all network-accessible entry points, technology stack details, authentication and authorization mechanisms, and all identified sinks (XSS, SSRF, injection) with their locations.
This phase informs everything downstream. If the codebase uses an ORM with parameterized queries everywhere, the injection agents know to focus elsewhere.
## Phase 2: Reconnaissance
Bridges static and dynamic analysis using browser automation. The recon agent correlates code findings with the live application, validating that endpoints actually exist, mapping authentication flows, inventorying input vectors (URL parameters, POST fields, headers, cookies), and documenting the real authorization architecture. This phase may also integrate with infrastructure discovery tools including Nmap, Subfinder, and WhatWeb for network perimeter mapping.
## Phase 3: Vulnerability Analysis
Five parallel agents, each focused on a distinct attack domain, combine code analysis with runtime probing to generate exploitation hypotheses. Each agent produces a detailed analysis deliverable and an exploitation queue -- a structured JSON file listing specific vulnerabilities to attempt, including the type, location, method, parameter, code evidence, and a suggested initial payload.
The five vulnerability analysis agents and their methodologies:
| Agent | Approach | What It Analyzes |
| --- | --- | --- |
| **Injection** | Source -> Sink taint | User input reaching SQL, command, file, template, or deserialization sinks without adequate sanitization |
| **XSS** | Sink -> Source taint | HTML rendering contexts (innerHTML, document.write, event handlers, eval) reachable from user input without proper encoding |
| **SSRF** | Sink -> Source taint | HTTP client libraries, raw sockets, URL openers, and headless browsers callable with user-controlled URLs |
| **Auth** | Guard validation | Missing security controls: rate limiting, session management, token entropy, password hashing, HSTS, SSO/OAuth configuration |
| **Authz** | Guard validation | Missing authorization checks before side effects: horizontal (ownership), vertical (role/capability), and context/workflow violations |
If a vulnerability agent's exploitation queue is empty for a given attack domain, the corresponding exploit agent is skipped entirely, saving significant time and cost.
## Phase 4: Exploitation
Five parallel exploit agents consume the exploitation queues and attempt to verify each hypothesis using full Playwright browser automation. Agents can navigate to endpoints, fill forms with crafted payloads, submit requests, observe responses, take screenshots, and chain multiple requests together to validate complex attack sequences.
**Core principle: POC or it didn't happen.** Shannon Pro never reports a vulnerability without a working proof-of-concept exploit. Exploitation agents classify each finding as EXPLOITED, POTENTIAL, or FALSE POSITIVE. Only EXPLOITED findings (with concrete evidence) make it to the final report. POTENTIAL findings are programmatically stripped before reporting, giving agents a designated space to log uncertain observations without polluting the deliverable.
## Phase 5: Reporting
A reporting agent synthesizes all evidence files into a pentest-grade executive report. The agent only sees confirmed findings (evidence files from Phase 4), never raw hypotheses. It de-duplicates findings, assesses severity, and provides remediation guidance. Every reported vulnerability includes reproducible steps and copy-and-paste commands for verification.
---
# Static-Dynamic Correlation
Shannon Pro's distinguishing capability is the correlation between its static and dynamic analysis stages.
## How AppSec Feeds Into Dynamic Testing
After static analysis completes, findings go through an enrichment phase that adds priority, confidence, and application context. CWEs are mapped to Shannon's five attack domains using a best-fit heuristic. Where a CWE maps to multiple domains (e.g., CWE-918 spans both SSRF and injection contexts), the finding is routed to the most exploitation-relevant agent. CWEs that do not map cleanly to any attack domain, such as certain business logic classes, are routed directly to the exploitation queue with their static analysis context preserved rather than forced into an ill-fitting category. Secrets, data flow findings, point issues, and business logic security testing violations are sent to Shannon's exploitation queue, where domain-specific agents attempt to exploit each finding with real proof-of-concept attacks against the running application.
This correlation means that a data flow vulnerability identified in static analysis (e.g., unsanitized user input reaching a SQL query) is not just reported as a theoretical risk -- it is actively exploited against the live application. Similarly, a business logic invariant violation (e.g., missing cross-tenant authorization) identified by the security testing engine is fed directly into the Authz exploitation agent, which attempts to reproduce the exact cross-organization access scenario against the running application. Confirmed exploits are traced back to their source code location, giving developers both the proof that the vulnerability is real and the exact line of code to fix.
---
# Key Technical Capabilities
- **Fully Autonomous Operation:** Shannon Pro handles complex workflows including 2FA/TOTP logins and SSO (e.g., Sign in with Google) without human intervention. TOTP is handled via a dedicated MCP server tool.
- **White-Box Awareness:** Unlike black-box scanners, Shannon Pro reads the source code to intelligently guide its attack strategy, combining code-level insight with runtime validation.
- **Parallel Processing:** Vulnerability analysis and exploitation phases run concurrently across attack domains, with pipelined parallelism minimizing total execution time.
- **Tool Orchestration:** Shannon Pro orchestrates existing security tools (e.g., Schemathesis for API testing, Nmap for network discovery) while adding LLM reasoning to interpret results.
- **Configurable Login Flows:** Authentication configuration specifies login procedures and credentials, which are interpolated into agent prompts for authenticated testing.
---
# Container Isolation and Data Security
Shannon Pro is engineered with a secure-by-design philosophy to ensure code privacy and isolation across every stage of the pipeline.
## Per-Organization Infrastructure
Each organization receives its own isolated compute environment. In the managed deployment, Keygraph provisions dedicated ECS infrastructure (containers, IAM roles, task queues) per organization. In the self-hosted runner deployment, the organization provisions and controls the data plane, which handles all code access and LLM calls using the organization's own API keys. The Keygraph control plane receives only aggregate findings. In either model, organizations never share compute environments with other organizations.
## Ephemeral Code Handling
When a scan runs, the target repository is cloned to a temporary workspace inside the isolated container. The scan executes against this local copy. Immediately after the scan completes, the entire workspace is deleted, including all cloned code. Source code is never persisted after a scan finishes. Even if a scan fails or is cancelled, a disconnected cleanup process executes regardless of how the scan terminates.
In the self-hosted runner deployment, all code handling occurs within the customer's own infrastructure. Keygraph's control plane never receives, processes, or stores source code.
## Encrypted Storage
Code snippets associated with findings are encrypted before being written to the database. Deliverables uploaded to S3 are encrypted at rest. Each organization's data is stored in org-specific buckets with org-scoped access policies.
## Network Isolation
Isolated workers run in private subnets with org-specific security groups, ensuring network-level separation between customer workloads.
## Self-Hosted Runner
Shannon Pro supports a self-hosted runner deployment model, following the same architecture as GitHub Actions self-hosted runners. The data plane (the runner that clones code, executes scans, and makes all LLM API calls) runs entirely within the customer's infrastructure using the customer's own LLM API keys. Source code never leaves the customer's network, and no code or LLM interactions pass through Keygraph's systems. The control plane (job orchestration, scan scheduling, and the reporting UI) is hosted by Keygraph and receives only aggregate findings to power dashboards, search, and reporting. This separation ensures that Keygraph never has access to customer source code or raw LLM call content.
---
# Deployment and Editions
Shannon is offered in two editions to serve different operational needs:
| Feature | Shannon Lite | Shannon Pro |
| --- | --- | --- |
| **Licensing** | AGPL-3.0 (open source) | Commercial |
| **Static Analysis** | Code review prompting | Full agentic static analysis (SAST, SCA, secrets, business logic security testing) |
| **Dynamic Testing** | Autonomous AI pentest framework | Autonomous AI pentesting with static-dynamic correlation |
| **Analysis Engine** | Code review prompting | CPG-based data flow with LLM reasoning at every node |
| **Business Logic** | N/A | Automated invariant discovery, test scenario generation, and exploit synthesis |
| **Integration** | Manual / CLI | Native CI/CD, GitHub PR scanning, enterprise support, self-hosted runner |
| **Deployment** | CLI / manual | Managed cloud or self-hosted runner (customer data plane, Keygraph control plane) |
| **Boundary Analysis** | N/A | Automatic service boundary detection with team routing |
| **Best For** | Local testing of own applications | Enterprise application security posture management |
---
# Compliance Integration
Within the broader Keygraph ecosystem, Shannon Pro serves as the primary engine for automated compliance evidence generation. By automating penetration testing and static analysis requirements, Shannon Pro generates real-time evidence for frameworks such as SOC 2 and HIPAA, transforming security testing from a periodic audit obligation into a continuous component of the compliance program.
---
# Methodology Standards
Shannon Pro follows AI-assisted white-box testing methodology broadly aligned with OWASP Web Security Testing Guide (WSTG) and OWASP Top 10 standards. All dynamic testing produces confirmed, exploitable findings with reproducible proof-of-concept exploits. Static analysis covers established CWE categories with LLM-powered validation to minimize false positive rates.
================================================
FILE: configs/config-schema.json
================================================
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://example.com/pentest-config-schema.json",
"title": "Penetration Testing Configuration Schema",
"description": "Schema for YAML configuration files used in the penetration testing agent",
"type": "object",
"properties": {
"authentication": {
"type": "object",
"description": "Authentication configuration for the target application",
"properties": {
"login_type": {
"type": "string",
"enum": ["form", "sso", "api", "basic"],
"description": "Type of authentication mechanism"
},
"login_url": {
"type": "string",
"format": "uri",
"description": "URL for the login page or endpoint"
},
"credentials": {
"type": "object",
"description": "Login credentials",
"properties": {
"username": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"description": "Username or email for authentication"
},
"password": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"description": "Password for authentication"
},
"totp_secret": {
"type": "string",
"pattern": "^[A-Za-z2-7]+=*$",
"description": "TOTP secret for two-factor authentication (Base32 encoded, case insensitive)"
}
},
"required": ["username", "password"],
"additionalProperties": false
},
"login_flow": {
"type": "array",
"description": "Step-by-step instructions for the login process",
"items": {
"type": "string",
"minLength": 1,
"maxLength": 500
},
"minItems": 1,
"maxItems": 20
},
"success_condition": {
"type": "object",
"description": "Condition that indicates successful authentication",
"properties": {
"type": {
"type": "string",
"enum": ["url_contains", "element_present", "url_equals_exactly", "text_contains"],
"description": "Type of success condition to check"
},
"value": {
"type": "string",
"minLength": 1,
"maxLength": 500,
"description": "Value to match against the success condition"
}
},
"required": ["type", "value"],
"additionalProperties": false
}
},
"required": ["login_type", "login_url", "credentials", "success_condition"],
"additionalProperties": false
},
"pipeline": {
"type": "object",
"description": "Pipeline execution settings for retry behavior and concurrency",
"properties": {
"retry_preset": {
"type": "string",
"enum": ["default", "subscription"],
"description": "Retry preset. 'subscription' extends timeouts for Anthropic subscription rate limit windows (5h+)."
},
"max_concurrent_pipelines": {
"type": "string",
"pattern": "^[1-5]$",
"description": "Max concurrent vulnerability pipelines (1-5, default: 5)"
}
},
"additionalProperties": false
},
"rules": {
"type": "object",
"description": "Testing rules that define what to focus on or avoid during penetration testing",
"properties": {
"avoid": {
"type": "array",
"description": "Rules defining areas to avoid during testing",
"items": {
"$ref": "#/$defs/rule"
},
"maxItems": 50
},
"focus": {
"type": "array",
"description": "Rules defining areas to focus on during testing",
"items": {
"$ref": "#/$defs/rule"
},
"maxItems": 50
}
},
"additionalProperties": false
},
"login": {
"type": "object",
"description": "Deprecated: Use 'authentication' section instead",
"deprecated": true
}
},
"anyOf": [
{"required": ["authentication"]},
{"required": ["rules"]},
{"required": ["authentication", "rules"]}
],
"additionalProperties": false,
"$defs": {
"rule": {
"type": "object",
"description": "A single testing rule",
"properties": {
"description": {
"type": "string",
"minLength": 1,
"maxLength": 200,
"description": "Human-readable description of the rule"
},
"type": {
"type": "string",
"enum": ["path", "subdomain", "domain", "method", "header", "parameter"],
"description": "Type of rule (what aspect of requests to match against)"
},
"url_path": {
"type": "string",
"minLength": 1,
"maxLength": 1000,
"description": "URL path pattern or value to match"
}
},
"required": ["description", "type", "url_path"],
"additionalProperties": false
}
}
}
================================================
FILE: configs/example-config.yaml
================================================
# Example configuration file for pentest-agent
# Copy this file and modify it for your specific testing needs
authentication:
login_type: form # Options: 'form' or 'sso'
login_url: "https://example.com/login"
credentials:
username: "testuser"
password: "testpassword"
totp_secret: "JBSWY3DPEHPK3PXP" # Optional TOTP secret for 2FA
# Natural language instructions for login flow
login_flow:
- "Type $username into the email field"
- "Type $password into the password field"
- "Click the 'Sign In' button"
- "Enter $totp in the verification code field"
- "Click 'Verify'"
success_condition:
type: url_contains # Options: 'url_contains' or 'element_present'
value: "/dashboard"
rules:
avoid:
- description: "Do not test the marketing site subdomain"
type: subdomain
url_path: "www"
- description: "Skip logout functionality"
type: path
url_path: "/logout"
- description: "No DELETE operations on user API"
type: path
url_path: "/api/v1/users/*"
focus:
- description: "Prioritize beta admin panel subdomain"
type: subdomain
url_path: "beta-admin"
- description: "Focus on user profile updates"
type: path
url_path: "/api/v2/user-profile"
# Pipeline execution settings (optional)
# pipeline:
# retry_preset: subscription # 'default' or 'subscription' (6h max retry for rate limit recovery)
# max_concurrent_pipelines: 2 # 1-5, default: 5 (reduce to lower API usage spikes)
================================================
FILE: configs/router-config.json
================================================
{
"HOST": "0.0.0.0",
"APIKEY": "shannon-router-key",
"LOG": true,
"LOG_LEVEL": "info",
"NON_INTERACTIVE_MODE": true,
"API_TIMEOUT_MS": 600000,
"Providers": [
{
"name": "openai",
"api_base_url": "https://api.openai.com/v1/chat/completions",
"api_key": "$OPENAI_API_KEY",
"models": ["gpt-5.2", "gpt-5-mini"],
"transformer": {
"use": [["maxcompletiontokens", { "max_completion_tokens": 16384 }]]
}
},
{
"name": "openrouter",
"api_base_url": "https://openrouter.ai/api/v1/chat/completions",
"api_key": "$OPENROUTER_API_KEY",
"models": [
"google/gemini-3-flash-preview"
],
"transformer": {
"use": ["openrouter"]
}
}
],
"Router": {
"default": "$ROUTER_DEFAULT"
}
}
================================================
FILE: docker-compose.docker.yml
================================================
# Docker-specific overrides (not used with Podman)
# This file is automatically included by the shannon script when running Docker
services:
worker:
extra_hosts:
- "host.docker.internal:host-gateway"
================================================
FILE: docker-compose.yml
================================================
services:
temporal:
image: temporalio/temporal:latest
command: ["server", "start-dev", "--db-filename", "/home/temporal/temporal.db", "--ip", "0.0.0.0"]
ports:
- "127.0.0.1:7233:7233" # gRPC
- "127.0.0.1:8233:8233" # Web UI (built-in)
volumes:
- temporal-data:/home/temporal
healthcheck:
test: ["CMD", "temporal", "operator", "cluster", "health", "--address", "localhost:7233"]
interval: 10s
timeout: 5s
retries: 10
start_period: 30s
worker:
build: .
entrypoint: ["node", "dist/temporal/worker.js"]
environment:
- TEMPORAL_ADDRESS=temporal:7233
- ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}
- ANTHROPIC_BASE_URL=${ANTHROPIC_BASE_URL:-} # Optional: route through claude-code-router
- ANTHROPIC_AUTH_TOKEN=${ANTHROPIC_AUTH_TOKEN:-} # Auth token for router
- ROUTER_DEFAULT=${ROUTER_DEFAULT:-} # Model name when using router (e.g., "gemini,gemini-2.5-pro")
- CLAUDE_CODE_OAUTH_TOKEN=${CLAUDE_CODE_OAUTH_TOKEN:-}
- CLAUDE_CODE_USE_BEDROCK=${CLAUDE_CODE_USE_BEDROCK:-}
- AWS_REGION=${AWS_REGION:-}
- AWS_BEARER_TOKEN_BEDROCK=${AWS_BEARER_TOKEN_BEDROCK:-}
- CLAUDE_CODE_USE_VERTEX=${CLAUDE_CODE_USE_VERTEX:-}
- CLOUD_ML_REGION=${CLOUD_ML_REGION:-}
- ANTHROPIC_VERTEX_PROJECT_ID=${ANTHROPIC_VERTEX_PROJECT_ID:-}
- GOOGLE_APPLICATION_CREDENTIALS=${GOOGLE_APPLICATION_CREDENTIALS:-}
- ANTHROPIC_SMALL_MODEL=${ANTHROPIC_SMALL_MODEL:-}
- ANTHROPIC_MEDIUM_MODEL=${ANTHROPIC_MEDIUM_MODEL:-}
- ANTHROPIC_LARGE_MODEL=${ANTHROPIC_LARGE_MODEL:-}
- CLAUDE_CODE_MAX_OUTPUT_TOKENS=${CLAUDE_CODE_MAX_OUTPUT_TOKENS:-64000}
depends_on:
temporal:
condition: service_healthy
volumes:
- ./configs:/app/configs
- ./prompts:/app/prompts
- ./audit-logs:/app/audit-logs
- ${OUTPUT_DIR:-./audit-logs}:/app/output
- ./credentials:/app/credentials:ro
- ./repos:/repos
- ${BENCHMARKS_BASE:-.}:/benchmarks
shm_size: 2gb
security_opt:
- seccomp:unconfined
# Optional: claude-code-router for multi-model support
# Start with: ROUTER=true ./shannon start ...
router:
image: node:20-slim
profiles: ["router"] # Only starts when explicitly requested
command: >
sh -c "apt-get update && apt-get install -y gettext-base &&
npm install -g @musistudio/claude-code-router &&
mkdir -p /root/.claude-code-router &&
envsubst < /config/router-config.json > /root/.claude-code-router/config.json &&
ccr start"
ports:
- "127.0.0.1:3456:3456"
volumes:
- ./configs/router-config.json:/config/router-config.json:ro
environment:
- HOST=0.0.0.0
- ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}
- OPENAI_API_KEY=${OPENAI_API_KEY:-}
- OPENROUTER_API_KEY=${OPENROUTER_API_KEY:-}
- ROUTER_DEFAULT=${ROUTER_DEFAULT:-openai,gpt-4o}
healthcheck:
test: ["CMD", "node", "-e", "require('http').get('http://localhost:3456/health', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))"]
interval: 10s
timeout: 5s
retries: 5
start_period: 30s
volumes:
temporal-data:
================================================
FILE: mcp-server/package.json
================================================
{
"name": "@shannon/mcp-server",
"version": "1.0.0",
"type": "module",
"main": "./dist/index.js",
"scripts": {
"build": "tsc",
"clean": "rm -rf dist"
},
"dependencies": {
"@anthropic-ai/claude-agent-sdk": "^0.2.38",
"zod": "^4.3.6"
},
"devDependencies": {
"@types/node": "^25.0.3",
"typescript": "^5.9.3"
}
}
================================================
FILE: mcp-server/src/index.ts
================================================
// Copyright (C) 2025 Keygraph, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License version 3
// as published by the Free Software Foundation.
/**
* Shannon Helper MCP Server
*
* In-process MCP server providing save_deliverable and generate_totp tools
* for Shannon penetration testing agents.
*
* Replaces bash script invocations with native tool access.
*
* Uses factory pattern to create tools with targetDir captured in closure,
* ensuring thread-safety when multiple workflows run in parallel.
*/
import { createSdkMcpServer } from '@anthropic-ai/claude-agent-sdk';
import { createSaveDeliverableTool } from './tools/save-deliverable.js';
import { generateTotpTool } from './tools/generate-totp.js';
/**
* Create Shannon Helper MCP Server with target directory context
*
* Each workflow should create its own MCP server instance with its targetDir.
* The save_deliverable tool captures targetDir in a closure, preventing race
* conditions when multiple workflows run in parallel.
*/
export function createShannonHelperServer(targetDir: string): ReturnType<typeof createSdkMcpServer> {
// Create save_deliverable tool with targetDir in closure (no global variable)
const saveDeliverableTool = createSaveDeliverableTool(targetDir);
return createSdkMcpServer({
name: 'shannon-helper',
version: '1.0.0',
tools: [saveDeliverableTool, generateTotpTool],
});
}
// Export factory for direct usage if needed
export { createSaveDeliverableTool } from './tools/save-deliverable.js';
export { generateTotpTool } from './tools/generate-totp.js';
// Export types for external use
export * from './types/index.js';
================================================
FILE: mcp-server/src/tools/generate-totp.ts
================================================
// Copyright (C) 2025 Keygraph, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License version 3
// as published by the Free Software Foundation.
/**
* generate_totp MCP Tool
*
* Generates 6-digit TOTP codes for authentication.
* Replaces tools/generate-totp-standalone.mjs bash script.
* Based on RFC 6238 (TOTP) and RFC 4226 (HOTP).
*/
import { tool } from '@anthropic-ai/claude-agent-sdk';
import { createHmac } from 'crypto';
import { z } from 'zod';
import { createToolResult, type ToolResult, type GenerateTotpResponse } from '../types/tool-responses.js';
import { base32Decode, validateTotpSecret } from '../validation/totp-validator.js';
import { createCryptoError, createGenericError } from '../utils/error-formatter.js';
/**
* Input schema for generate_totp tool
*/
export const GenerateTotpInputSchema = z.object({
secret: z
.string()
.min(1)
.regex(/^[A-Z2-7]+$/i, 'Must be base32-encoded')
.describe('Base32-encoded TOTP secret'),
});
export type GenerateTotpInput = z.infer<typeof GenerateTotpInputSchema>;
/**
* Generate HOTP code (RFC 4226)
* Ported from generate-totp-standalone.mjs (lines 74-99)
*/
function generateHOTP(secret: string, counter: number, digits: number = 6): string {
const key = base32Decode(secret);
// Convert counter to 8-byte buffer (big-endian)
const counterBuffer = Buffer.alloc(8);
counterBuffer.writeBigUInt64BE(BigInt(counter));
// Generate HMAC-SHA1
const hmac = createHmac('sha1', key);
hmac.update(counterBuffer);
const hash = hmac.digest();
// Dynamic truncation
const offset = hash[hash.length - 1]! & 0x0f;
const code =
((hash[offset]! & 0x7f) << 24) |
((hash[offset + 1]! & 0xff) << 16) |
((hash[offset + 2]! & 0xff) << 8) |
(hash[offset + 3]! & 0xff);
// Generate digits
const otp = (code % Math.pow(10, digits)).toString().padStart(digits, '0');
return otp;
}
/**
* Generate TOTP code (RFC 6238)
* Ported from generate-totp-standalone.mjs (lines 101-106)
*/
function generateTOTP(secret: string, timeStep: number = 30, digits: number = 6): string {
const currentTime = Math.floor(Date.now() / 1000);
const counter = Math.floor(currentTime / timeStep);
return generateHOTP(secret, counter, digits);
}
/**
* Get seconds until TOTP code expires
*/
function getSecondsUntilExpiration(timeStep: number = 30): number {
const currentTime = Math.floor(Date.now() / 1000);
return timeStep - (currentTime % timeStep);
}
/**
* generate_totp tool implementation
*/
export async function generateTotp(args: GenerateTotpInput): Promise<ToolResult> {
try {
const { secret } = args;
// Validate secret (throws on error)
validateTotpSecret(secret);
// Generate TOTP code
const totpCode = generateTOTP(secret);
const expiresIn = getSecondsUntilExpiration();
const timestamp = new Date().toISOString();
// Success response
const successResponse: GenerateTotpResponse = {
status: 'success',
message: 'TOTP code generated successfully',
totpCode,
timestamp,
expiresIn,
};
return createToolResult(successResponse);
} catch (error) {
// Check if it's a validation/crypto error
if (error instanceof Error && (error.message.includes('base32') || error.message.includes('TOTP'))) {
const errorResponse = createCryptoError(error.message, false);
return createToolResult(errorResponse);
}
// Generic error
const errorResponse = createGenericError(error, false);
return createToolResult(errorResponse);
}
}
/**
* Tool definition for MCP server - created using SDK's tool() function
*/
export const generateTotpTool = tool(
'generate_totp',
'Generates 6-digit TOTP code for authentication. Secret must be base32-encoded.',
GenerateTotpInputSchema.shape,
generateTotp
);
================================================
FILE: mcp-server/src/tools/save-deliverable.ts
================================================
// Copyright (C) 2025 Keygraph, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License version 3
// as published by the Free Software Foundation.
/**
* save_deliverable MCP Tool
*
* Saves deliverable files with automatic validation.
* Replaces tools/save_deliverable.js bash script.
*
* Uses factory pattern to capture targetDir in closure, avoiding race conditions
* when multiple workflows run in parallel.
*/
import { tool } from '@anthropic-ai/claude-agent-sdk';
import { z } from 'zod';
import fs from 'node:fs';
import path from 'node:path';
import { DeliverableType, DELIVERABLE_FILENAMES, isQueueType } from '../types/deliverables.js';
import { createToolResult, type ToolResult, type SaveDeliverableResponse } from '../types/tool-responses.js';
import { validateQueueJson } from '../validation/queue-validator.js';
import { saveDeliverableFile } from '../utils/file-operations.js';
import { createValidationError, createGenericError } from '../utils/error-formatter.js';
/**
* Input schema for save_deliverable tool
*/
export const SaveDeliverableInputSchema = z.object({
deliverable_type: z.nativeEnum(DeliverableType).describe('Type of deliverable to save'),
content: z.string().min(1).optional().describe('File content (markdown for analysis/evidence, JSON for queues). Optional if file_path is provided.'),
file_path: z.string().optional().describe('Path to a file whose contents should be used as the deliverable content. Relative paths are resolved against the deliverables directory. Use this instead of content for large reports to avoid output token limits.'),
});
export type SaveDeliverableInput = z.infer<typeof SaveDeliverableInputSchema>;
/**
* Check if a path is contained within a base directory.
* Prevents path traversal attacks (e.g., ../../../etc/passwd).
*/
function isPathContained(basePath: string, targetPath: string): boolean {
const resolvedBase = path.resolve(basePath);
const resolvedTarget = path.resolve(targetPath);
return resolvedTarget === resolvedBase || resolvedTarget.startsWith(resolvedBase + path.sep);
}
/**
* Resolve deliverable content from either inline content or a file path.
* Returns the content string on success, or a ToolResult error on failure.
*/
function resolveContent(
args: SaveDeliverableInput,
targetDir: string,
): string | ToolResult {
if (args.content) {
return args.content;
}
if (!args.file_path) {
return createToolResult(createValidationError(
'Either "content" or "file_path" must be provided',
true,
{ deliverableType: args.deliverable_type },
));
}
const resolvedPath = path.isAbsolute(args.file_path)
? args.file_path
: path.resolve(targetDir, args.file_path);
// Security: Prevent path traversal outside targetDir
if (!isPathContained(targetDir, resolvedPath)) {
return createToolResult(createValidationError(
`Path "${args.file_path}" resolves outside allowed directory`,
false,
{ deliverableType: args.deliverable_type, allowedBase: targetDir },
));
}
try {
return fs.readFileSync(resolvedPath, 'utf-8');
} catch (readError) {
return createToolResult(createValidationError(
`Failed to read file at ${resolvedPath}: ${readError instanceof Error ? readError.message : String(readError)}`,
true,
{ deliverableType: args.deliverable_type, filePath: resolvedPath },
));
}
}
/**
* Create save_deliverable handler with targetDir captured in closure.
*
* This factory pattern ensures each MCP server instance has its own targetDir,
* preventing race conditions when multiple workflows run in parallel.
*/
function createSaveDeliverableHandler(targetDir: string) {
return async function saveDeliverable(args: SaveDeliverableInput): Promise<ToolResult> {
try {
const { deliverable_type } = args;
const contentOrError = resolveContent(args, targetDir);
if (typeof contentOrError !== 'string') {
return contentOrError;
}
const content = contentOrError;
if (isQueueType(deliverable_type)) {
const queueValidation = validateQueueJson(content);
if (!queueValidation.valid) {
return createToolResult(createValidationError(
queueValidation.message ?? 'Invalid queue JSON',
true,
{ deliverableType: deliverable_type, expectedFormat: '{"vulnerabilities": [...]}' },
));
}
}
const filename = DELIVERABLE_FILENAMES[deliverable_type];
const filepath = saveDeliverableFile(targetDir, filename, content);
const successResponse: SaveDeliverableResponse = {
status: 'success',
message: `Deliverable saved successfully: ${filename}`,
filepath,
deliverableType: deliverable_type,
validated: isQueueType(deliverable_type),
};
return createToolResult(successResponse);
} catch (error) {
return createToolResult(createGenericError(
error,
false,
{ deliverableType: args.deliverable_type },
));
}
};
}
/**
* Factory function to create save_deliverable tool with targetDir in closure
*
* Each MCP server instance should call this with its own targetDir to ensure
* deliverables are saved to the correct workflow's directory.
*/
export function createSaveDeliverableTool(targetDir: string) {
return tool(
'save_deliverable',
'Saves deliverable files with automatic validation. Queue files must have {"vulnerabilities": [...]} structure. For large reports, write the file to disk first then pass file_path instead of inline content to avoid output token limits.',
SaveDeliverableInputSchema.shape,
createSaveDeliverableHandler(targetDir)
);
}
================================================
FILE: mcp-server/src/types/deliverables.ts
================================================
// Copyright (C) 2025 Keygraph, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License version 3
// as published by the Free Software Foundation.
/**
* Deliverable Type Definitions
*
* Maps deliverable types to their filenames and defines validation requirements.
* Must match the exact mappings from tools/save_deliverable.js.
*/
export enum DeliverableType {
// Pre-recon agent
CODE_ANALYSIS = 'CODE_ANALYSIS',
// Recon agent
RECON = 'RECON',
// Vulnerability analysis agents
INJECTION_ANALYSIS = 'INJECTION_ANALYSIS',
INJECTION_QUEUE = 'INJECTION_QUEUE',
XSS_ANALYSIS = 'XSS_ANALYSIS',
XSS_QUEUE = 'XSS_QUEUE',
AUTH_ANALYSIS = 'AUTH_ANALYSIS',
AUTH_QUEUE = 'AUTH_QUEUE',
AUTHZ_ANALYSIS = 'AUTHZ_ANALYSIS',
AUTHZ_QUEUE = 'AUTHZ_QUEUE',
SSRF_ANALYSIS = 'SSRF_ANALYSIS',
SSRF_QUEUE = 'SSRF_QUEUE',
// Exploitation agents
INJECTION_EVIDENCE = 'INJECTION_EVIDENCE',
XSS_EVIDENCE = 'XSS_EVIDENCE',
AUTH_EVIDENCE = 'AUTH_EVIDENCE',
AUTHZ_EVIDENCE = 'AUTHZ_EVIDENCE',
SSRF_EVIDENCE = 'SSRF_EVIDENCE',
}
/**
* Hard-coded filename mappings from agent prompts
* Must match tools/save_deliverable.js exactly
*/
export const DELIVERABLE_FILENAMES: Record<DeliverableType, string> = {
[DeliverableType.CODE_ANALYSIS]: 'code_analysis_deliverable.md',
[DeliverableType.RECON]: 'recon_deliverable.md',
[DeliverableType.INJECTION_ANALYSIS]: 'injection_analysis_deliverable.md',
[DeliverableType.INJECTION_QUEUE]: 'injection_exploitation_queue.json',
[DeliverableType.XSS_ANALYSIS]: 'xss_analysis_deliverable.md',
[DeliverableType.XSS_QUEUE]: 'xss_exploitation_queue.json',
[DeliverableType.AUTH_ANALYSIS]: 'auth_analysis_deliverable.md',
[DeliverableType.AUTH_QUEUE]: 'auth_exploitation_queue.json',
[DeliverableType.AUTHZ_ANALYSIS]: 'authz_analysis_deliverable.md',
[DeliverableType.AUTHZ_QUEUE]: 'authz_exploitation_queue.json',
[DeliverableType.SSRF_ANALYSIS]: 'ssrf_analysis_deliverable.md',
[DeliverableType.SSRF_QUEUE]: 'ssrf_exploitation_queue.json',
[DeliverableType.INJECTION_EVIDENCE]: 'injection_exploitation_evidence.md',
[DeliverableType.XSS_EVIDENCE]: 'xss_exploitation_evidence.md',
[DeliverableType.AUTH_EVIDENCE]: 'auth_exploitation_evidence.md',
[DeliverableType.AUTHZ_EVIDENCE]: 'authz_exploitation_evidence.md',
[DeliverableType.SSRF_EVIDENCE]: 'ssrf_exploitation_evidence.md',
};
/**
* Queue types that require JSON validation
*/
export const QUEUE_TYPES: DeliverableType[] = [
DeliverableType.INJECTION_QUEUE,
DeliverableType.XSS_QUEUE,
DeliverableType.AUTH_QUEUE,
DeliverableType.AUTHZ_QUEUE,
DeliverableType.SSRF_QUEUE,
];
/**
* Type guard to check if a deliverable type is a queue
*/
export function isQueueType(type: string): boolean {
return QUEUE_TYPES.includes(type as DeliverableType);
}
/**
* Vulnerability queue structure
*/
export interface VulnerabilityQueue {
vulnerabilities: VulnerabilityItem[];
}
export interface VulnerabilityItem {
[key: string]: unknown;
}
================================================
FILE: mcp-server/src/types/index.ts
================================================
// Copyright (C) 2025 Keygraph, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License version 3
// as published by the Free Software Foundation.
/**
* Type definitions barrel export
*/
export * from './deliverables.js';
export * from './tool-responses.js';
================================================
FILE: mcp-server/src/types/tool-responses.ts
================================================
// Copyright (C) 2025 Keygraph, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License version 3
// as published by the Free Software Foundation.
/**
* Tool Response Type Definitions
*
* Defines structured response formats for MCP tools to ensure
* consistent error handling and success reporting.
*/
export interface ErrorResponse {
status: 'error';
message: string;
errorType: string; // ValidationError, FileSystemError, CryptoError, etc.
retryable: boolean;
context?: Record<string, unknown>;
}
export interface SuccessResponse {
status: 'success';
message: string;
}
export interface SaveDeliverableResponse {
status: 'success';
message: string;
filepath: string;
deliverableType: string;
validated: boolean; // true if queue JSON was validated
}
export interface GenerateTotpResponse {
status: 'success';
message: string;
totpCode: string;
timestamp: string;
expiresIn: number; // seconds until expiration
}
export type ToolResponse =
| ErrorResponse
| SuccessResponse
| SaveDeliverableResponse
| GenerateTotpResponse;
export interface ToolResultContent {
type: string;
text: string;
}
export interface ToolResult {
content: ToolResultContent[];
isError: boolean;
}
/**
* Helper to create tool result from response
* MCP tools should return this format
*/
export function createToolResult(response: ToolResponse): ToolResult {
return {
content: [
{
type: 'text',
text: JSON.stringify(response, null, 2),
},
],
isError: response.status === 'error',
};
}
================================================
FILE: mcp-server/src/utils/error-formatter.ts
================================================
// Copyright (C) 2025 Keygraph, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License version 3
// as published by the Free Software Foundation.
/**
* Error Formatting Utilities
*
* Helper functions for creating structured error responses.
*/
import type { ErrorResponse } from '../types/tool-responses.js';
/**
* Create a validation error response
*/
export function createValidationError(
message: string,
retryable: boolean = true,
context?: Record<string, unknown>
): ErrorResponse {
return {
status: 'error',
message,
errorType: 'ValidationError',
retryable,
...(context !== undefined && { context }),
};
}
/**
* Create a crypto error response
*/
export function createCryptoError(
message: string,
retryable: boolean = false,
context?: Record<string, unknown>
): ErrorResponse {
return {
status: 'error',
message,
errorType: 'CryptoError',
retryable,
...(context !== undefined && { context }),
};
}
/**
* Create a generic error response
*/
export function createGenericError(
error: unknown,
retryable: boolean = false,
context?: Record<string, unknown>
): ErrorResponse {
const message = error instanceof Error ? error.message : String(error);
const errorType = error instanceof Error ? error.constructor.name : 'UnknownError';
return {
status: 'error',
message,
errorType,
retryable,
...(context !== undefined && { context }),
};
}
================================================
FILE: mcp-server/src/utils/file-operations.ts
================================================
// Copyright (C) 2025 Keygraph, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License version 3
// as published by the Free Software Foundation.
/**
* File Operations Utilities
*
* Handles file system operations for deliverable saving.
* Ported from tools/save_deliverable.js (lines 117-130).
*/
import { writeFileSync, mkdirSync } from 'fs';
import { join } from 'path';
/**
* Save deliverable file to deliverables/ directory
*
* @param targetDir - Target directory for deliverables (passed explicitly to avoid race conditions)
* @param filename - Name of the deliverable file
* @param content - File content to save
*/
export function saveDeliverableFile(targetDir: string, filename: string, content: string): string {
const deliverablesDir = join(targetDir, 'deliverables');
const filepath = join(deliverablesDir, filename);
// Ensure deliverables directory exists
try {
mkdirSync(deliverablesDir, { recursive: true });
} catch {
throw new Error(`Cannot create deliverables directory at ${deliverablesDir}`);
}
// Write file (atomic write - single operation)
writeFileSync(filepath, content, 'utf8');
return filepath;
}
================================================
FILE: mcp-server/src/validation/queue-validator.ts
================================================
// Copyright (C) 2025 Keygraph, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License version 3
// as published by the Free Software Foundation.
/**
* Queue Validator
*
* Validates JSON structure for vulnerability queue files.
* Ported from tools/save_deliverable.js (lines 56-75).
*/
import type { VulnerabilityQueue } from '../types/deliverables.js';
export interface ValidationResult {
valid: boolean;
message?: string;
data?: VulnerabilityQueue;
}
/**
* Validate JSON structure for queue files
* Queue files must have a 'vulnerabilities' array
*/
export function validateQueueJson(content: string): ValidationResult {
try {
const parsed = JSON.parse(content) as unknown;
// Type guard for the parsed result
if (typeof parsed !== 'object' || parsed === null) {
return {
valid: false,
message: `Invalid queue structure: Expected an object. Got: ${typeof parsed}`,
};
}
const obj = parsed as Record<string, unknown>;
// Queue files must have a 'vulnerabilities' array
if (!('vulnerabilities' in obj)) {
return {
valid: false,
message: `Invalid queue structure: Missing 'vulnerabilities' property. Expected: {"vulnerabilities": [...]}`,
};
}
if (!Array.isArray(obj.vulnerabilities)) {
return {
valid: false,
message: `Invalid queue structure: 'vulnerabilities' must be an array. Expected: {"vulnerabilities": [...]}`,
};
}
return {
valid: true,
data: parsed as VulnerabilityQueue,
};
} catch (error) {
return {
valid: false,
message: `Invalid JSON: ${error instanceof Error ? error.message : String(error)}`,
};
}
}
================================================
FILE: mcp-server/src/validation/totp-validator.ts
================================================
// Copyright (C) 2025 Keygraph, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License version 3
// as published by the Free Software Foundation.
/**
* TOTP Validator
*
* Validates TOTP secrets and provides base32 decoding.
* Ported from tools/generate-totp-standalone.mjs (lines 43-72).
*/
/**
* Base32 decode function
* Ported from generate-totp-standalone.mjs
*/
export function base32Decode(encoded: string): Buffer {
const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
const cleanInput = encoded.toUpperCase().replace(/[^A-Z2-7]/g, '');
if (cleanInput.length === 0) {
return Buffer.alloc(0);
}
const output: number[] = [];
let bits = 0;
let value = 0;
for (const char of cleanInput) {
const index = alphabet.indexOf(char);
if (index === -1) {
throw new Error(`Invalid base32 character: ${char}`);
}
value = (value << 5) | index;
bits += 5;
if (bits >= 8) {
output.push((value >>> (bits - 8)) & 255);
bits -= 8;
}
}
return Buffer.from(output);
}
/**
* Validate TOTP secret
* Must be base32-encoded string
*
* @returns true if valid, throws Error if invalid
*/
export function validateTotpSecret(secret: string): boolean {
if (!secret || secret.length === 0) {
throw new Error('TOTP secret cannot be empty');
}
// Check if it's valid base32 (only A-Z and 2-7, case-insensitive)
const base32Regex = /^[A-Z2-7]+$/i;
if (!base32Regex.test(secret.replace(/[^A-Z2-7]/gi, ''))) {
throw new Error('TOTP secret must be base32-encoded (characters A-Z and 2-7)');
}
// Try to decode to ensure it's valid
try {
base32Decode(secret);
} catch (error) {
throw new Error(`Invalid TOTP secret: ${error instanceof Error ? error.message : String(error)}`);
}
return true;
}
================================================
FILE: mcp-server/tsconfig.json
================================================
{
// Visit https://aka.ms/tsconfig to read more about this file
"compilerOptions": {
// File Layout
"rootDir": "./src",
"outDir": "./dist",
// Environment Settings
// See also https://aka.ms/tsconfig/module
"module": "nodenext",
"moduleResolution": "nodenext",
"target": "es2022",
"lib": ["es2022"],
"types": ["node"],
// For nodejs:
// "lib": ["esnext"],
// "types": ["node"],
// and npm install -D @types/node
"resolveJsonModule": true,
"forceConsistentCasingInFileNames": true,
"noEmitOnError": true,
// Other Outputs
"sourceMap": true,
"declaration": true,
"declarationMap": true,
// Stricter Typechecking Options
"noUncheckedIndexedAccess": true,
"exactOptionalPropertyTypes": true,
// Style Options
// "noImplicitReturns": true,
// "noImplicitOverride": true,
// "noUnusedLocals": true,
// "noUnusedParameters": true,
// "noFallthroughCasesInSwitch": true,
// "noPropertyAccessFromIndexSignature": true,
// Recommended Options
"strict": true,
"noUncheckedSideEffectImports": true,
"skipLibCheck": true,
},
"include": ["src/**/*"],
"exclude": ["node_modules", "dist"]
}
================================================
FILE: package.json
================================================
{
"name": "shannon",
"version": "1.0.0",
"type": "module",
"scripts": {
"build": "tsc",
"temporal:server": "docker compose -f docker/docker-compose.temporal.yml up temporal -d",
"temporal:server:stop": "docker compose -f docker/docker-compose.temporal.yml down",
"temporal:worker": "node dist/temporal/worker.js",
"temporal:start": "node dist/temporal/client.js"
},
"dependencies": {
"@anthropic-ai/claude-agent-sdk": "^0.2.38",
"@temporalio/activity": "^1.11.0",
"@temporalio/client": "^1.11.0",
"@temporalio/worker": "^1.11.0",
"@temporalio/workflow": "^1.11.0",
"ajv": "^8.12.0",
"ajv-formats": "^2.1.1",
"boxen": "^8.0.1",
"chalk": "^5.0.0",
"dotenv": "^16.4.5",
"figlet": "^1.9.3",
"gradient-string": "^3.0.0",
"js-yaml": "^4.1.0",
"zx": "^8.0.0"
},
"devDependencies": {
"@types/js-yaml": "^4.0.9",
"@types/node": "^25.0.3",
"typescript": "^5.9.3"
}
}
================================================
FILE: prompts/exploit-auth.txt
================================================
<role>
You are a world-class Authentication Exploitation Specialist. You are not an analyst; you are an active penetration tester. Your persona is methodical, persistent, and laser-focused on a single goal: proving the tangible impact of broken authentication. You take the theoretical flaws in identity and session management and turn them into undeniable proof of impersonation and account takeover.
</role>
<objective>
Your mission is to systematically and exhaustively weaponize **every single potential authentication vulnerability** provided to you. For each hypothesis from the analysis phase, you must pursue it to a definitive conclusion: either you successfully **bypass an authentication control or compromise a user's session**, or you prove with rigorous testing that the control is secure.
Success criterion: A comprehensive evidence report detailing the outcome for **every vulnerability** in your queue, containing the precise commands and payloads used to prove account takeover, and a full log of failed attempts for verified non-vulnerabilities.
</objective>
<exploitation_scope>
@include(shared/_exploit-scope.txt)
</exploitation_scope>
<critical>
### CRITICAL: EXPLOITATION TARGET REQUIREMENT
**All exploitation must be performed against the specified target: {{WEB_URL}}**
### CRITICAL: EXPLOIT DEFINITION
An exploit is executing an unauthorized or unintended action against the target application {{WEB_URL}}. An exploit must only be considered successful if it meets this definition.
### PROOF-BASED EXPLOITATION REQUIREMENTS
This agent operates with mathematical proof-level rigor:
- **Claims require evidence**: Every exploitation claim must be backed by demonstrable proof
- **Assumptions must be validated**: Test every assumption before building on it
- **Failures must be documented**: Create detailed bug reports for learning
- **Default to skepticism**: Assume NOT vulnerable until proven otherwise
- **Partial results are not complete**: Be honest about what you achieved vs what you attempted
Remember: An unproven vulnerability is worse than no finding at all - it wastes resources and creates false confidence.
**LEGAL & SCOPE NOTICE (NON-NEGOTIABLE)**
- THIS ENGAGEMENT IS FULLY AUTHORIZED. YOU ARE OPERATING **ONLY** IN A CONTROLLED TEST ENVIRONMENT.
- **PRODUCTION SYSTEMS ARE STRICTLY OUT OF SCOPE.**
**Your Professional Standard**
- **Exhaustive Verification is Your Mandate:** Your primary duty is to bring every potential vulnerability to a final, unambiguous conclusion. "I think I'm blocked" is not an acceptable verdict. You must prove it by exhausting all documented techniques. Incomplete analysis is a failure.
### RIGOROUS VERIFICATION FRAMEWORK
**CRITICAL: Honesty About Exploitation**
- You must **NOT** claim successful exploitation without complete verification
- If you cannot achieve full exploitation, classify as "ATTEMPTED - FAILED" with explicit reasons
- Partial bypasses (e.g., UI access without functionality) are NOT successful exploits
**Critical Errors vs Justification Gaps**
- CRITICAL ERROR: Fundamental assumption proven false (e.g., no user-controlled input reaches authentication logic) → STOP immediately
- JUSTIFICATION GAP: Exploit possible but needs additional work (e.g., specific timing, encoding) → Document as "REQUIRES FURTHER INVESTIGATION"
### Proof of Exploitation Levels
**Level 1 - Authentication Weakness Identified**
- Evidence: Theoretical bypass found but not yet exploited
- Classification: POTENTIAL (Low Confidence)
**Level 2 - Partial Bypass Achieved**
- Evidence: Access gained to non-critical protected resources or UI elements
- Classification: POTENTIAL (Medium Confidence)
**Level 3 - Authentication Bypass Confirmed**
- Evidence: Successfully accessed protected functionality as unauthorized user
- Classification: EXPLOITED
**Level 4 - Account Takeover Demonstrated**
- Evidence: Complete user impersonation with access to sensitive data/actions
- Classification: EXPLOITED (CRITICAL)
You MUST reach at least Level 3 with evidence to mark as "EXPLOITED"
### Classification Decision Framework
After exhaustive bypass attempts, determine:
**"Is this preventing factor a security implementation designed to stop this attack, or an external operational constraint?"**
**Key Principle**: Classification is only valid AFTER attempting systematic bypasses across multiple techniques and escalation levels.
- **Impact is Everything:** A finding is a theory until you prove its impact. Your entire purpose is to prove that you can become another user. Focus on what an attacker would do: hijack a session, bypass a login page, replay a token, or crack a weak password.
- **Focus on the Gate, Not the Rooms:** Your sole responsibility is to break the lock on the door (authentication). What lies in the rooms beyond (authorization/access control) is out of scope for you. If you bypass a login and land on a user's dashboard, your job is done.
- **Evidence is Your Deliverable:** Every successful action must be meticulously documented. Capture the payload, the tool you used, and the definitive proof of compromise.
</critical>
### CRITICAL: WHAT "EXPLOIT" MEANS
An exploit is an ACTIVE ATTACK that attempts to gain unauthorized access, not a confirmation that a vulnerability exists.
- "No rate limiting" → Attempt brute force/enumeration attacks with many requests
- "Weak password policy" → Create weak accounts AND attempt to access other accounts
- "User enumeration" → Build a list of valid users for subsequent attacks
- "Missing security headers" → Attempt to abuse the missing protection
Chain exploits together: Use enumerated users in password attacks. Use created weak passwords on other accounts.
If you only confirmed a vulnerability without attempting to weaponize it, you have not completed the exploitation task.
<target>
@include(shared/_target.txt)
</target>
<rules>
@include(shared/_rules.txt)
</rules>
<login_instructions>
{{LOGIN_INSTRUCTIONS}}
</login_instructions>
<starting_context>
- Your **actionable exploitation queue** is located at `deliverables/auth_exploitation_queue.json`. This is your to-do list, containing the precise targets identified by the analysis phase. You MUST process every vulnerability in this queue.
**INTELLIGENCE GATHERING PHASE (MANDATORY):**
Before beginning exploitation, read these strategic intelligence files in order:
1. `deliverables/pre_recon_deliverable.md` - Architecture overview, technology stack, and authentication code locations.
2. `deliverables/recon_deliverable.md` - Complete API inventory, user roles, and data flow maps.
3. `deliverables/auth_analysis_deliverable.md` - Strategic context from the Auth analysis specialist, including notes on session mechanisms, password policies, and flawed logic paths.
- You will manage your work using the **TodoWrite tool** to track your exploitation tasks and progress. The todo list is your private workbench for organizing and tracking all exploitation attempts.
</starting_context>
<system_architecture>
**PENTESTING WORKFLOW - YOUR POSITION:**
**Phase Sequence:** VULN ANALYSIS (Complete) → **AUTH EXPLOITATION (You)** → FINAL REPORT (next phase)
**Your Input:** `deliverables/auth_exploitation_queue.json` (primary exploitation queue)
**Your Output:** `deliverables/auth_exploitation_evidence.md` (exploitation evidence)
**Supporting Intelligence:**
- `deliverables/pre_recon_deliverable.md` (architecture & code context)
- `deliverables/recon_deliverable.md` (API inventory & user roles)
- `deliverables/auth_analysis_deliverable.md` (strategic intel)
**WHAT HAPPENED BEFORE YOU:**
- Reconnaissance agent mapped application architecture and attack surfaces
- Auth Analysis specialist identified high-probability vulnerabilities and documented them in your queue
**WHAT HAPPENS AFTER YOU:**
- Your evidence contributes to proving the highest-impact risks related to identity compromise
**YOUR CRITICAL ROLE:**
You are the **Identity Compromise Specialist** - proving tangible impact of broken authentication through successful account takeover and session hijacking.
</system_architecture>
<available_tools>
- **{{MCP_SERVER}} (Playwright):** Essential for interacting with multi-step authentication flows, injecting stolen session cookies, and verifying account takeover in a real browser context.
- **save_deliverable (MCP Tool):** Saves exploitation evidence files.
- **Parameters:**
- `deliverable_type`: "AUTH_EVIDENCE" (required)
- `
gitextract_vzznzar8/
├── .claude/
│ └── commands/
│ ├── debug.md
│ ├── pr.md
│ └── review.md
├── .dockerignore
├── .github/
│ ├── ISSUE_TEMPLATE/
│ │ ├── bug_report.yml
│ │ └── feature_request.yml
│ └── workflows/
│ ├── release-beta.yml
│ └── rollback-beta.yml
├── .gitignore
├── CLAUDE.md
├── COVERAGE.md
├── Dockerfile
├── LICENSE
├── README.md
├── SHANNON-PRO.md
├── configs/
│ ├── config-schema.json
│ ├── example-config.yaml
│ └── router-config.json
├── docker-compose.docker.yml
├── docker-compose.yml
├── mcp-server/
│ ├── package.json
│ ├── src/
│ │ ├── index.ts
│ │ ├── tools/
│ │ │ ├── generate-totp.ts
│ │ │ └── save-deliverable.ts
│ │ ├── types/
│ │ │ ├── deliverables.ts
│ │ │ ├── index.ts
│ │ │ └── tool-responses.ts
│ │ ├── utils/
│ │ │ ├── error-formatter.ts
│ │ │ └── file-operations.ts
│ │ └── validation/
│ │ ├── queue-validator.ts
│ │ └── totp-validator.ts
│ └── tsconfig.json
├── package.json
├── prompts/
│ ├── exploit-auth.txt
│ ├── exploit-authz.txt
│ ├── exploit-injection.txt
│ ├── exploit-ssrf.txt
│ ├── exploit-xss.txt
│ ├── pipeline-testing/
│ │ ├── exploit-auth.txt
│ │ ├── exploit-authz.txt
│ │ ├── exploit-injection.txt
│ │ ├── exploit-ssrf.txt
│ │ ├── exploit-xss.txt
│ │ ├── pre-recon-code.txt
│ │ ├── recon.txt
│ │ ├── report-executive.txt
│ │ ├── vuln-auth.txt
│ │ ├── vuln-authz.txt
│ │ ├── vuln-injection.txt
│ │ ├── vuln-ssrf.txt
│ │ └── vuln-xss.txt
│ ├── pre-recon-code.txt
│ ├── recon.txt
│ ├── report-executive.txt
│ ├── shared/
│ │ ├── _exploit-scope.txt
│ │ ├── _rules.txt
│ │ ├── _target.txt
│ │ ├── _vuln-scope.txt
│ │ └── login-instructions.txt
│ ├── vuln-auth.txt
│ ├── vuln-authz.txt
│ ├── vuln-injection.txt
│ ├── vuln-ssrf.txt
│ └── vuln-xss.txt
├── sample-reports/
│ ├── shannon-report-capital-api.md
│ ├── shannon-report-crapi.md
│ └── shannon-report-juice-shop.md
├── shannon
├── src/
│ ├── ai/
│ │ ├── audit-logger.ts
│ │ ├── claude-executor.ts
│ │ ├── message-handlers.ts
│ │ ├── models.ts
│ │ ├── output-formatters.ts
│ │ ├── progress-manager.ts
│ │ ├── router-utils.ts
│ │ └── types.ts
│ ├── audit/
│ │ ├── audit-session.ts
│ │ ├── index.ts
│ │ ├── log-stream.ts
│ │ ├── logger.ts
│ │ ├── metrics-tracker.ts
│ │ ├── utils.ts
│ │ └── workflow-logger.ts
│ ├── config-parser.ts
│ ├── progress-indicator.ts
│ ├── services/
│ │ ├── agent-execution.ts
│ │ ├── config-loader.ts
│ │ ├── container.ts
│ │ ├── error-handling.ts
│ │ ├── exploitation-checker.ts
│ │ ├── git-manager.ts
│ │ ├── index.ts
│ │ ├── preflight.ts
│ │ ├── prompt-manager.ts
│ │ ├── queue-validation.ts
│ │ └── reporting.ts
│ ├── session-manager.ts
│ ├── splash-screen.ts
│ ├── temporal/
│ │ ├── activities.ts
│ │ ├── activity-logger.ts
│ │ ├── client.ts
│ │ ├── shared.ts
│ │ ├── summary-mapper.ts
│ │ ├── worker.ts
│ │ ├── workflow-errors.ts
│ │ ├── workflows.ts
│ │ └── workspaces.ts
│ ├── types/
│ │ ├── activity-logger.ts
│ │ ├── agents.ts
│ │ ├── audit.ts
│ │ ├── config.ts
│ │ ├── errors.ts
│ │ ├── index.ts
│ │ ├── metrics.ts
│ │ └── result.ts
│ └── utils/
│ ├── billing-detection.ts
│ ├── concurrency.ts
│ ├── file-io.ts
│ ├── formatting.ts
│ ├── functional.ts
│ └── metrics.ts
├── tsconfig.json
└── xben-benchmark-results/
├── README.md
├── XBEN-001-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-002-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-003-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-004-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-005-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-006-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-007-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-008-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-009-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-010-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-011-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-012-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-013-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-014-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-015-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-016-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-017-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-018-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-019-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-020-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-021-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-022-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-023-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-024-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-025-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-026-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-027-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-028-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-029-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-030-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-031-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-032-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-033-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-034-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-035-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-036-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-037-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-038-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-039-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-040-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-041-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-042-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-043-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-044-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── authz_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-045-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-046-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-047-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-048-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-049-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-050-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-051-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-052-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-053-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-054-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-055-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-056-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-057-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_architecture_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── context_workflow_authorization_verification.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── vertical_privilege_escalation_verification.md
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-058-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-059-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-060-24/
│ └── deliverables/
│ ├── auth_exploitation_evidence.md
│ └── comprehensive_security_assessment_report.md
├── XBEN-061-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-062-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-063-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-064-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-065-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-066-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-067-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-068-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-069-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-070-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-071-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-072-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-073-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-074-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-075-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-076-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-077-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-078-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-079-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-080-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-081-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-082-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-083-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-084-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-085-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-086-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-087-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-088-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-089-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-090-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-091-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-092-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-093-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-094-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-095-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-096-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-097-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-098-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_evidence.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-099-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ ├── xss_exploitation_evidence.md
│ └── xss_exploitation_queue.json
├── XBEN-100-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_evidence.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-101-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-102-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
├── XBEN-103-24/
│ └── deliverables/
│ ├── auth_analysis_deliverable.md
│ ├── auth_exploitation_evidence.md
│ ├── auth_exploitation_queue.json
│ ├── authz_analysis_deliverable.md
│ ├── authz_exploitation_evidence.md
│ ├── authz_exploitation_queue.json
│ ├── code_analysis_deliverable.md
│ ├── comprehensive_security_assessment_report.md
│ ├── injection_analysis_deliverable.md
│ ├── injection_exploitation_queue.json
│ ├── pre_recon_deliverable.md
│ ├── recon_deliverable.md
│ ├── ssrf_analysis_deliverable.md
│ ├── ssrf_exploitation_queue.json
│ ├── xss_analysis_deliverable.md
│ └── xss_exploitation_queue.json
└── XBEN-104-24/
└── deliverables/
├── auth_analysis_deliverable.md
├── auth_exploitation_evidence.md
├── auth_exploitation_queue.json
├── authz_analysis_deliverable.md
├── authz_exploitation_evidence.md
├── authz_exploitation_queue.json
├── code_analysis_deliverable.md
├── comprehensive_security_assessment_report.md
├── injection_analysis_deliverable.md
├── injection_exploitation_queue.json
├── pre_recon_deliverable.md
├── recon_deliverable.md
├── ssrf_analysis_deliverable.md
├── ssrf_exploitation_queue.json
├── xss_analysis_deliverable.md
└── xss_exploitation_queue.json
SYMBOL INDEX (417 symbols across 58 files)
FILE: mcp-server/src/index.ts
function createShannonHelperServer (line 30) | function createShannonHelperServer(targetDir: string): ReturnType<typeof...
FILE: mcp-server/src/tools/generate-totp.ts
type GenerateTotpInput (line 33) | type GenerateTotpInput = z.infer<typeof GenerateTotpInputSchema>;
function generateHOTP (line 39) | function generateHOTP(secret: string, counter: number, digits: number = ...
function generateTOTP (line 68) | function generateTOTP(secret: string, timeStep: number = 30, digits: num...
function getSecondsUntilExpiration (line 77) | function getSecondsUntilExpiration(timeStep: number = 30): number {
function generateTotp (line 85) | async function generateTotp(args: GenerateTotpInput): Promise<ToolResult> {
FILE: mcp-server/src/tools/save-deliverable.ts
type SaveDeliverableInput (line 36) | type SaveDeliverableInput = z.infer<typeof SaveDeliverableInputSchema>;
function isPathContained (line 42) | function isPathContained(basePath: string, targetPath: string): boolean {
function resolveContent (line 52) | function resolveContent(
function createSaveDeliverableHandler (line 98) | function createSaveDeliverableHandler(targetDir: string) {
function createSaveDeliverableTool (line 148) | function createSaveDeliverableTool(targetDir: string) {
FILE: mcp-server/src/types/deliverables.ts
type DeliverableType (line 14) | enum DeliverableType {
constant DELIVERABLE_FILENAMES (line 49) | const DELIVERABLE_FILENAMES: Record<DeliverableType, string> = {
constant QUEUE_TYPES (line 72) | const QUEUE_TYPES: DeliverableType[] = [
function isQueueType (line 83) | function isQueueType(type: string): boolean {
type VulnerabilityQueue (line 90) | interface VulnerabilityQueue {
type VulnerabilityItem (line 94) | interface VulnerabilityItem {
FILE: mcp-server/src/types/tool-responses.ts
type ErrorResponse (line 14) | interface ErrorResponse {
type SuccessResponse (line 22) | interface SuccessResponse {
type SaveDeliverableResponse (line 27) | interface SaveDeliverableResponse {
type GenerateTotpResponse (line 35) | interface GenerateTotpResponse {
type ToolResponse (line 43) | type ToolResponse =
type ToolResultContent (line 49) | interface ToolResultContent {
type ToolResult (line 54) | interface ToolResult {
function createToolResult (line 63) | function createToolResult(response: ToolResponse): ToolResult {
FILE: mcp-server/src/utils/error-formatter.ts
function createValidationError (line 18) | function createValidationError(
function createCryptoError (line 35) | function createCryptoError(
function createGenericError (line 52) | function createGenericError(
FILE: mcp-server/src/utils/file-operations.ts
function saveDeliverableFile (line 24) | function saveDeliverableFile(targetDir: string, filename: string, conten...
FILE: mcp-server/src/validation/queue-validator.ts
type ValidationResult (line 16) | interface ValidationResult {
function validateQueueJson (line 26) | function validateQueueJson(content: string): ValidationResult {
FILE: mcp-server/src/validation/totp-validator.ts
function base32Decode (line 18) | function base32Decode(encoded: string): Buffer {
function validateTotpSecret (line 54) | function validateTotpSecret(secret: string): boolean {
FILE: src/ai/audit-logger.ts
type AuditLogger (line 12) | interface AuditLogger {
class RealAuditLogger (line 19) | class RealAuditLogger implements AuditLogger {
method constructor (line 22) | constructor(auditSession: AuditSession) {
method logLlmResponse (line 26) | async logLlmResponse(turn: number, content: string): Promise<void> {
method logToolStart (line 34) | async logToolStart(toolName: string, parameters: unknown): Promise<voi...
method logToolEnd (line 42) | async logToolEnd(result: unknown): Promise<void> {
method logError (line 49) | async logError(error: Error, duration: number, turns: number): Promise...
class NullAuditLogger (line 62) | class NullAuditLogger implements AuditLogger {
method logLlmResponse (line 63) | async logLlmResponse(_turn: number, _content: string): Promise<void> {}
method logToolStart (line 65) | async logToolStart(_toolName: string, _parameters: unknown): Promise<v...
method logToolEnd (line 67) | async logToolEnd(_result: unknown): Promise<void> {}
method logError (line 69) | async logError(_error: Error, _duration: number, _turns: number): Prom...
function createAuditLogger (line 73) | function createAuditLogger(auditSession: AuditSession | null): AuditLogg...
FILE: src/ai/claude-executor.ts
type ClaudePromptResult (line 34) | interface ClaudePromptResult {
type StdioMcpServer (line 49) | interface StdioMcpServer {
type McpServer (line 56) | type McpServer = ReturnType<typeof createShannonHelperServer> | StdioMcp...
function buildMcpServers (line 59) | function buildMcpServers(
function outputLines (line 132) | function outputLines(lines: string[]): void {
function writeErrorLog (line 138) | async function writeErrorLog(
function validateAgentOutput (line 169) | async function validateAgentOutput(
function runClaudePrompt (line 215) | async function runClaudePrompt(
type MessageLoopResult (line 360) | interface MessageLoopResult {
type MessageLoopDeps (line 368) | interface MessageLoopDeps {
function processMessageStream (line 376) | async function processMessageStream(
FILE: src/ai/message-handlers.ts
function extractMessageContent (line 39) | function extractMessageContent(message: AssistantMessage): string {
function extractTextOnlyContent (line 52) | function extractTextOnlyContent(message: AssistantMessage): string {
function detectApiError (line 65) | function detectApiError(content: string): ApiErrorDetection {
function handleStructuredError (line 107) | function handleStructuredError(
function handleAssistantMessage (line 176) | function handleAssistantMessage(
function handleResultMessage (line 214) | function handleResultMessage(message: ResultMessage): ResultData {
function handleToolUseMessage (line 238) | function handleToolUseMessage(message: ToolUseMessage): ToolUseData {
function handleToolResultMessage (line 247) | function handleToolResultMessage(message: ToolResultMessage): ToolResult...
function outputLines (line 264) | function outputLines(lines: string[]): void {
type MessageDispatchAction (line 270) | type MessageDispatchAction =
type MessageDispatchDeps (line 275) | interface MessageDispatchDeps {
function dispatchMessage (line 284) | async function dispatchMessage(
FILE: src/ai/models.ts
type ModelTier (line 19) | type ModelTier = 'small' | 'medium' | 'large';
constant DEFAULT_MODELS (line 21) | const DEFAULT_MODELS: Readonly<Record<ModelTier, string>> = {
function resolveModel (line 28) | function resolveModel(tier: ModelTier = 'medium'): string {
FILE: src/ai/output-formatters.ts
type ToolCallInput (line 11) | interface ToolCallInput {
type ToolCall (line 26) | interface ToolCall {
function getAgentPrefix (line 34) | function getAgentPrefix(description: string): string {
function extractDomain (line 70) | function extractDomain(url: string): string {
function summarizeTodoUpdate (line 82) | function summarizeTodoUpdate(input: ToolCallInput | undefined): string |...
function formatBrowserAction (line 109) | function formatBrowserAction(toolCall: ToolCall): string {
function filterJsonToolCalls (line 207) | function filterJsonToolCalls(content: string | null | undefined): string {
function detectExecutionContext (line 268) | function detectExecutionContext(description: string): ExecutionContext {
function formatAssistantOutput (line 286) | function formatAssistantOutput(
function formatResultOutput (line 311) | function formatResultOutput(data: ResultData, showFullResult: boolean): ...
function formatErrorOutput (line 338) | function formatErrorOutput(
function formatCompletionMessage (line 373) | function formatCompletionMessage(
function formatToolUseOutput (line 391) | function formatToolUseOutput(
function formatToolResultOutput (line 405) | function formatToolResultOutput(displayContent: string): string[] {
FILE: src/ai/progress-manager.ts
type ProgressContext (line 12) | interface ProgressContext {
type ProgressManager (line 17) | interface ProgressManager {
class RealProgressManager (line 24) | class RealProgressManager implements ProgressManager {
method constructor (line 28) | constructor(message: string) {
method start (line 32) | start(): void {
method stop (line 37) | stop(): void {
method finish (line 42) | finish(message: string): void {
method isActive (line 47) | isActive(): boolean {
class NullProgressManager (line 53) | class NullProgressManager implements ProgressManager {
method start (line 54) | start(): void {}
method stop (line 56) | stop(): void {}
method finish (line 58) | finish(_message: string): void {}
method isActive (line 60) | isActive(): boolean {
function createProgressManager (line 66) | function createProgressManager(
FILE: src/ai/router-utils.ts
function getActualModelName (line 12) | function getActualModelName(sdkReportedModel?: string): string | undefin...
FILE: src/ai/types.ts
type ExecutionContext (line 11) | interface ExecutionContext {
type AssistantResult (line 18) | interface AssistantResult {
type ResultData (line 30) | interface ResultData {
type ToolUseData (line 39) | interface ToolUseData {
type ToolResultData (line 45) | interface ToolResultData {
type ContentBlock (line 51) | interface ContentBlock {
type AssistantMessage (line 57) | interface AssistantMessage {
type ResultMessage (line 65) | interface ResultMessage {
type ToolUseMessage (line 75) | interface ToolUseMessage {
type ToolResultMessage (line 81) | interface ToolResultMessage {
type ApiErrorDetection (line 86) | interface ApiErrorDetection {
type SystemInitMessage (line 91) | interface SystemInitMessage {
type UserMessage (line 99) | interface UserMessage {
FILE: src/audit/audit-session.ts
class AuditSession (line 30) | class AuditSession {
method constructor (line 39) | constructor(sessionMetadata: SessionMetadata) {
method initialize (line 74) | async initialize(workflowId?: string): Promise<void> {
method ensureInitialized (line 94) | private async ensureInitialized(): Promise<void> {
method startAgent (line 103) | async startAgent(
method logEvent (line 136) | async logEvent(eventType: string, eventData: unknown): Promise<void> {
method endAgent (line 176) | async endAgent(agentName: string, result: AgentEndResult): Promise<voi...
method updateSessionStatus (line 217) | async updateSessionStatus(status: 'in-progress' | 'completed' | 'faile...
method getMetrics (line 232) | async getMetrics(): Promise<unknown> {
method logPhaseStart (line 240) | async logPhaseStart(phase: string): Promise<void> {
method logPhaseComplete (line 248) | async logPhaseComplete(phase: string): Promise<void> {
method logWorkflowComplete (line 256) | async logWorkflowComplete(summary: WorkflowSummary): Promise<void> {
method addResumeAttempt (line 269) | async addResumeAttempt(
method logResumeHeader (line 289) | async logResumeHeader(resumeInfo: {
FILE: src/audit/log-stream.ts
class LogStream (line 22) | class LogStream {
method constructor (line 27) | constructor(filePath: string) {
method open (line 34) | async open(): Promise<void> {
method write (line 61) | async write(text: string): Promise<void> {
method close (line 100) | async close(): Promise<void> {
method isOpen (line 117) | get isOpen(): boolean {
method path (line 124) | get path(): string {
FILE: src/audit/logger.ts
type LogEvent (line 23) | interface LogEvent {
class AgentLogger (line 32) | class AgentLogger {
method constructor (line 39) | constructor(sessionMetadata: SessionMetadata, agentName: string, attem...
method initialize (line 52) | async initialize(): Promise<void> {
method writeHeader (line 66) | private async writeHeader(): Promise<void> {
method logEvent (line 84) | async logEvent(eventType: string, eventData: unknown): Promise<void> {
method close (line 98) | async close(): Promise<void> {
method savePrompt (line 106) | static async savePrompt(
FILE: src/audit/metrics-tracker.ts
type AttemptData (line 25) | interface AttemptData {
type AgentAuditMetrics (line 35) | interface AgentAuditMetrics {
type PhaseMetrics (line 44) | interface PhaseMetrics {
type ResumeAttempt (line 51) | interface ResumeAttempt {
type SessionData (line 58) | interface SessionData {
type ActiveTimer (line 77) | interface ActiveTimer {
class MetricsTracker (line 85) | class MetricsTracker {
method constructor (line 91) | constructor(sessionMetadata: SessionMetadata) {
method initialize (line 101) | async initialize(workflowId?: string): Promise<void> {
method createInitialData (line 120) | private createInitialData(workflowId?: string): SessionData {
method startAgent (line 152) | startAgent(agentName: string, attemptNumber: number): void {
method endAgent (line 162) | async endAgent(agentName: string, result: AgentEndResult): Promise<voi...
method updateSessionStatus (line 238) | async updateSessionStatus(status: 'in-progress' | 'completed' | 'faile...
method addResumeAttempt (line 257) | async addResumeAttempt(
method recalculateAggregations (line 304) | private recalculateAggregations(): void {
method calculatePhaseMetrics (line 332) | private calculatePhaseMetrics(
method getMetrics (line 375) | getMetrics(): SessionData {
method save (line 382) | private async save(): Promise<void> {
method reload (line 390) | async reload(): Promise<void> {
FILE: src/audit/utils.ts
constant SHANNON_ROOT (line 27) | const SHANNON_ROOT = path.resolve(__dirname, '..', '..');
constant AUDIT_LOGS_DIR (line 28) | const AUDIT_LOGS_DIR = path.join(SHANNON_ROOT, 'audit-logs');
function sanitizeHostname (line 33) | function sanitizeHostname(url: string): string {
function generateSessionIdentifier (line 41) | function generateSessionIdentifier(sessionMetadata: SessionMetadata): st...
function generateAuditPath (line 49) | function generateAuditPath(sessionMetadata: SessionMetadata): string {
function generateLogPath (line 58) | function generateLogPath(
function generatePromptPath (line 72) | function generatePromptPath(sessionMetadata: SessionMetadata, agentName:...
function generateSessionJsonPath (line 80) | function generateSessionJsonPath(sessionMetadata: SessionMetadata): stri...
function generateWorkflowLogPath (line 88) | function generateWorkflowLogPath(sessionMetadata: SessionMetadata): stri...
function initializeAuditStructure (line 97) | async function initializeAuditStructure(sessionMetadata: SessionMetadata...
function copyDeliverablesToAudit (line 113) | async function copyDeliverablesToAudit(
FILE: src/audit/workflow-logger.ts
type AgentLogDetails (line 19) | interface AgentLogDetails {
type AgentMetricsSummary (line 27) | interface AgentMetricsSummary {
type WorkflowSummary (line 32) | interface WorkflowSummary {
class WorkflowLogger (line 44) | class WorkflowLogger {
method constructor (line 48) | constructor(sessionMetadata: SessionMetadata) {
method initialize (line 57) | async initialize(): Promise<void> {
method writeHeader (line 74) | private async writeHeader(): Promise<void> {
method logResumeHeader (line 92) | async logResumeHeader(resumeInfo: {
method formatLogTime (line 120) | private formatLogTime(): string {
method logPhase (line 128) | async logPhase(phase: string, event: 'start' | 'complete'): Promise<vo...
method logAgent (line 145) | async logAgent(
method logEvent (line 188) | async logEvent(eventType: string, message: string): Promise<void> {
method logError (line 198) | async logError(error: Error, context?: string): Promise<void> {
method truncate (line 209) | private truncate(str: string, maxLen: number): string {
method formatToolParams (line 217) | private formatToolParams(toolName: string, params: unknown): string {
method logToolStart (line 293) | async logToolStart(agentName: string, toolName: string, parameters: un...
method logLlmResponse (line 305) | async logLlmResponse(agentName: string, turn: number, content: string)...
method formatErrorBlock (line 320) | private formatErrorBlock(errorString: string): string {
method logWorkflowComplete (line 335) | async logWorkflowComplete(summary: WorkflowSummary): Promise<void> {
method ensureInitialized (line 374) | private async ensureInitialized(): Promise<void> {
method close (line 383) | async close(): Promise<void> {
FILE: src/config-parser.ts
constant DANGEROUS_PATTERNS (line 46) | const DANGEROUS_PATTERNS: RegExp[] = [
function formatAjvError (line 58) | function formatAjvError(error: ErrorObject): string {
function formatAjvErrors (line 175) | function formatAjvErrors(errors: ErrorObject[]): string[] {
FILE: src/progress-indicator.ts
class ProgressIndicator (line 7) | class ProgressIndicator {
method constructor (line 14) | constructor(message: string = 'Working...') {
method start (line 18) | start(): void {
method stop (line 31) | stop(): void {
method finish (line 44) | finish(successMessage: string = 'Complete'): void {
FILE: src/services/agent-execution.ts
type AgentExecutionInput (line 51) | interface AgentExecutionInput {
type FailAgentOpts (line 59) | interface FailAgentOpts {
class AgentExecutionService (line 78) | class AgentExecutionService {
method constructor (line 81) | constructor(configLoader: ConfigLoaderService) {
method execute (line 93) | async execute(
method failAgent (line 223) | private async failAgent(
method executeOrThrow (line 266) | async executeOrThrow(
method toMetrics (line 282) | static toMetrics(endResult: AgentEndResult, result: ClaudePromptResult...
FILE: src/services/config-loader.ts
class ConfigLoaderService (line 26) | class ConfigLoaderService {
method load (line 33) | async load(configPath: string): Promise<Result<DistributedConfig, Pent...
method loadOptional (line 67) | async loadOptional(
FILE: src/services/container.ts
type ContainerDependencies (line 33) | interface ContainerDependencies {
class Container (line 46) | class Container {
method constructor (line 52) | constructor(deps: ContainerDependencies) {
function getOrCreateContainer (line 78) | function getOrCreateContainer(
function removeContainer (line 99) | function removeContainer(workflowId: string): void {
function getContainer (line 115) | function getContainer(workflowId: string): Container | undefined {
FILE: src/services/error-handling.ts
class PentestError (line 18) | class PentestError extends Error {
method constructor (line 27) | constructor(
function handlePromptError (line 45) | function handlePromptError(
constant RETRYABLE_PATTERNS (line 60) | const RETRYABLE_PATTERNS = [
constant NON_RETRYABLE_PATTERNS (line 90) | const NON_RETRYABLE_PATTERNS = [
function isRetryableError (line 100) | function isRetryableError(error: Error): boolean {
function classifyByErrorCode (line 114) | function classifyByErrorCode(
function classifyErrorForTemporal (line 179) | function classifyErrorForTemporal(error: unknown): { type: string; retry...
FILE: src/services/exploitation-checker.ts
class ExploitationCheckerService (line 30) | class ExploitationCheckerService {
method checkQueue (line 43) | async checkQueue(vulnType: VulnType, repoPath: string, logger: Activit...
FILE: src/services/git-manager.ts
function isGitRepository (line 16) | async function isGitRepository(dir: string): Promise<boolean> {
type GitOperationResult (line 25) | interface GitOperationResult {
function getChangedFiles (line 34) | async function getChangedFiles(
function logChangeSummary (line 52) | function logChangeSummary(
function toErrorResult (line 75) | function toErrorResult(error: unknown): GitOperationResult {
class GitSemaphore (line 84) | class GitSemaphore {
method acquire (line 88) | async acquire(): Promise<void> {
method release (line 95) | release(): void {
method process (line 100) | private process(): void {
constant GIT_LOCK_ERROR_PATTERNS (line 111) | const GIT_LOCK_ERROR_PATTERNS = [
function isGitLockError (line 119) | function isGitLockError(errorMessage: string): boolean {
function executeGitCommandWithRetry (line 124) | async function executeGitCommandWithRetry(
function rollbackGitWorkspace (line 168) | async function rollbackGitWorkspace(
function createGitCheckpoint (line 220) | async function createGitCheckpoint(
function commitGitSuccess (line 268) | async function commitGitSuccess(
function getGitCommitHash (line 312) | async function getGitCommitHash(sourceDir: string): Promise<string | nul...
FILE: src/services/preflight.ts
function validateRepo (line 32) | async function validateRepo(
function validateConfig (line 96) | async function validateConfig(
function classifySdkError (line 126) | function classifySdkError(
function validateCredentials (line 160) | async function validateCredentials(
function runPreflightChecks (line 316) | async function runPreflightChecks(
FILE: src/services/prompt-manager.ts
type PromptVariables (line 13) | interface PromptVariables {
type IncludeReplacement (line 19) | interface IncludeReplacement {
function buildLoginInstructions (line 25) | async function buildLoginInstructions(authentication: Authentication, lo...
function processIncludes (line 103) | async function processIncludes(content: string, baseDir: string): Promis...
function interpolateVariables (line 133) | async function interpolateVariables(
function loadPrompt (line 217) | async function loadPrompt(
FILE: src/services/queue-validation.ts
type VulnTypeConfigItem (line 16) | interface VulnTypeConfigItem {
type VulnTypeConfig (line 21) | type VulnTypeConfig = Record<VulnType, VulnTypeConfigItem>;
type ErrorMessageResolver (line 23) | type ErrorMessageResolver = string | ((existence: FileExistence) => stri...
type ValidationRule (line 25) | interface ValidationRule {
type FileExistence (line 31) | interface FileExistence {
type PathsBase (line 36) | interface PathsBase {
type PathsWithExistence (line 43) | interface PathsWithExistence extends PathsBase {
type PathsWithQueue (line 47) | interface PathsWithQueue extends PathsWithExistence {
type PathsWithError (line 51) | interface PathsWithError {
type QueueData (line 55) | interface QueueData {
type QueueValidationResult (line 60) | interface QueueValidationResult {
type SafeValidationResult (line 70) | type SafeValidationResult = Result<ExploitationDecision, PentestError>;
constant VULN_TYPE_CONFIG (line 73) | const VULN_TYPE_CONFIG: VulnTypeConfig = Object.freeze({
function createValidationRule (line 97) | function createValidationRule(
function getExistenceErrorMessage (line 114) | function getExistenceErrorMessage(existence: FileExistence): string {
function validateQueueAndDeliverable (line 298) | async function validateQueueAndDeliverable(
function validateQueueSafe (line 315) | async function validateQueueSafe(
FILE: src/services/reporting.ts
type DeliverableFile (line 12) | interface DeliverableFile {
function assembleFinalReport (line 19) | async function assembleFinalReport(sourceDir: string, logger: ActivityLo...
function injectModelIntoReport (line 84) | async function injectModelIntoReport(
FILE: src/session-manager.ts
constant AGENTS (line 14) | const AGENTS: Readonly<Record<AgentName, AgentDefinition>> = Object.free...
type PhaseName (line 111) | type PhaseName = 'pre-recon' | 'recon' | 'vulnerability-analysis' | 'exp...
constant AGENT_PHASE_MAP (line 114) | const AGENT_PHASE_MAP: Readonly<Record<AgentName, PhaseName>> = Object.f...
function createVulnValidator (line 131) | function createVulnValidator(vulnType: VulnType): AgentValidator {
function createExploitValidator (line 145) | function createExploitValidator(vulnType: VulnType): AgentValidator {
constant MCP_AGENT_MAPPING (line 154) | const MCP_AGENT_MAPPING: Record<string, PlaywrightAgent> = Object.freeze({
constant AGENT_VALIDATORS (line 184) | const AGENT_VALIDATORS: Record<AgentName, AgentValidator> = Object.freeze({
FILE: src/temporal/activities.ts
constant MAX_ERROR_MESSAGE_LENGTH (line 43) | const MAX_ERROR_MESSAGE_LENGTH = 2000;
constant MAX_STACK_TRACE_LENGTH (line 44) | const MAX_STACK_TRACE_LENGTH = 1000;
constant MAX_OUTPUT_VALIDATION_RETRIES (line 47) | const MAX_OUTPUT_VALIDATION_RETRIES = 3;
constant HEARTBEAT_INTERVAL_MS (line 49) | const HEARTBEAT_INTERVAL_MS = 2000;
type ActivityInput (line 54) | interface ActivityInput {
function truncateErrorMessage (line 67) | function truncateErrorMessage(message: string): string {
function truncateStackTrace (line 77) | function truncateStackTrace(failure: ApplicationFailure): void {
function buildSessionMetadata (line 86) | function buildSessionMetadata(input: ActivityInput): SessionMetadata {
function runAgentActivity (line 105) | async function runAgentActivity(
function runPreReconAgent (line 199) | async function runPreReconAgent(input: ActivityInput): Promise<AgentMetr...
function runReconAgent (line 203) | async function runReconAgent(input: ActivityInput): Promise<AgentMetrics> {
function runInjectionVulnAgent (line 207) | async function runInjectionVulnAgent(input: ActivityInput): Promise<Agen...
function runXssVulnAgent (line 211) | async function runXssVulnAgent(input: ActivityInput): Promise<AgentMetri...
function runAuthVulnAgent (line 215) | async function runAuthVulnAgent(input: ActivityInput): Promise<AgentMetr...
function runSsrfVulnAgent (line 219) | async function runSsrfVulnAgent(input: ActivityInput): Promise<AgentMetr...
function runAuthzVulnAgent (line 223) | async function runAuthzVulnAgent(input: ActivityInput): Promise<AgentMet...
function runInjectionExploitAgent (line 227) | async function runInjectionExploitAgent(input: ActivityInput): Promise<A...
function runXssExploitAgent (line 231) | async function runXssExploitAgent(input: ActivityInput): Promise<AgentMe...
function runAuthExploitAgent (line 235) | async function runAuthExploitAgent(input: ActivityInput): Promise<AgentM...
function runSsrfExploitAgent (line 239) | async function runSsrfExploitAgent(input: ActivityInput): Promise<AgentM...
function runAuthzExploitAgent (line 243) | async function runAuthzExploitAgent(input: ActivityInput): Promise<Agent...
function runReportAgent (line 247) | async function runReportAgent(input: ActivityInput): Promise<AgentMetric...
function runPreflightValidation (line 261) | async function runPreflightValidation(input: ActivityInput): Promise<voi...
function assembleReportActivity (line 320) | async function assembleReportActivity(input: ActivityInput): Promise<voi...
function injectReportMetadataActivity (line 335) | async function injectReportMetadataActivity(input: ActivityInput): Promi...
function checkExploitationQueue (line 355) | async function checkExploitationQueue(
type SessionJson (line 369) | interface SessionJson {
function loadResumeState (line 391) | async function loadResumeState(
function findLatestCommit (line 491) | async function findLatestCommit(repoPath: string, commitHashes: string[]...
function restoreGitCheckpoint (line 518) | async function restoreGitCheckpoint(
function recordResumeAttempt (line 557) | async function recordResumeAttempt(
function logPhaseTransition (line 583) | async function logPhaseTransition(
function logWorkflowComplete (line 603) | async function logWorkflowComplete(
FILE: src/temporal/activity-logger.ts
class TemporalActivityLogger (line 14) | class TemporalActivityLogger implements ActivityLogger {
method info (line 15) | info(message: string, attrs?: Record<string, unknown>): void {
method warn (line 19) | warn(message: string, attrs?: Record<string, unknown>): void {
method error (line 23) | error(message: string, attrs?: Record<string, unknown>): void {
function createActivityLogger (line 32) | function createActivityLogger(): ActivityLogger {
FILE: src/temporal/client.ts
type SessionJson (line 43) | interface SessionJson {
constant PROGRESS_QUERY (line 58) | const PROGRESS_QUERY = 'getProgress';
function terminateExistingWorkflows (line 64) | async function terminateExistingWorkflows(
function isValidWorkspaceName (line 117) | function isValidWorkspaceName(name: string): boolean {
function showUsage (line 121) | function showUsage(): void {
type CliArgs (line 146) | interface CliArgs {
function parseCliArgs (line 158) | function parseCliArgs(argv: string[]): CliArgs {
type WorkspaceResolution (line 237) | interface WorkspaceResolution {
function resolveWorkspace (line 244) | async function resolveWorkspace(
function loadPipelineConfig (line 311) | async function loadPipelineConfig(configPath: string | undefined): Promi...
function buildPipelineInput (line 333) | function buildPipelineInput(
function displayWorkflowInfo (line 352) | function displayWorkflowInfo(args: CliArgs, workspace: WorkspaceResoluti...
function displayMonitoringInfo (line 373) | function displayMonitoringInfo(args: CliArgs, workspace: WorkspaceResolu...
function waitForWorkflowResult (line 388) | async function waitForWorkflowResult(
function startPipeline (line 438) | async function startPipeline(): Promise<void> {
FILE: src/temporal/shared.ts
type PipelineInput (line 7) | interface PipelineInput {
type ResumeState (line 20) | interface ResumeState {
type PipelineSummary (line 28) | interface PipelineSummary {
type PipelineState (line 35) | interface PipelineState {
type PipelineProgress (line 48) | interface PipelineProgress extends PipelineState {
type VulnExploitPipelineResult (line 54) | interface VulnExploitPipelineResult {
FILE: src/temporal/summary-mapper.ts
function toWorkflowSummary (line 22) | function toWorkflowSummary(
FILE: src/temporal/worker.ts
function runWorker (line 33) | async function runWorker(): Promise<void> {
FILE: src/temporal/workflow-errors.ts
constant REMEDIATION_HINTS (line 13) | const REMEDIATION_HINTS: Record<string, string> = {
function unwrapActivityError (line 31) | function unwrapActivityError(error: unknown): {
function formatWorkflowError (line 62) | function formatWorkflowError(
FILE: src/temporal/workflows.ts
constant PRODUCTION_RETRY (line 50) | const PRODUCTION_RETRY = {
constant TESTING_RETRY (line 67) | const TESTING_RETRY = {
constant SUBSCRIPTION_RETRY (line 90) | const SUBSCRIPTION_RETRY = {
constant PREFLIGHT_RETRY (line 106) | const PREFLIGHT_RETRY = {
function computeSummary (line 125) | function computeSummary(state: PipelineState): PipelineSummary {
function pentestPipelineWorkflow (line 135) | async function pentestPipelineWorkflow(
FILE: src/temporal/workspaces.ts
type SessionJson (line 24) | interface SessionJson {
type WorkspaceInfo (line 37) | interface WorkspaceInfo {
function formatDuration (line 46) | function formatDuration(ms: number): string {
function getStatusDisplay (line 60) | function getStatusDisplay(status: string): string {
function truncate (line 64) | function truncate(str: string, maxLen: number): string {
function listWorkspaces (line 69) | async function listWorkspaces(): Promise<void> {
FILE: src/types/activity-logger.ts
type ActivityLogger (line 11) | interface ActivityLogger {
FILE: src/types/agents.ts
constant ALL_AGENTS (line 15) | const ALL_AGENTS = [
type AgentName (line 35) | type AgentName = typeof ALL_AGENTS[number];
type PlaywrightAgent (line 37) | type PlaywrightAgent =
type AgentValidator (line 46) | type AgentValidator = (sourceDir: string, logger: ActivityLogger) => Pro...
type AgentStatus (line 48) | type AgentStatus =
type AgentDefinition (line 55) | interface AgentDefinition {
type VulnType (line 67) | type VulnType = 'injection' | 'xss' | 'auth' | 'ssrf' | 'authz';
type ExploitationDecision (line 72) | interface ExploitationDecision {
FILE: src/types/audit.ts
type SessionMetadata (line 14) | interface SessionMetadata {
type AgentEndResult (line 26) | interface AgentEndResult {
FILE: src/types/config.ts
type RuleType (line 11) | type RuleType =
type Rule (line 19) | interface Rule {
type Rules (line 25) | interface Rules {
type LoginType (line 30) | type LoginType = 'form' | 'sso' | 'api' | 'basic';
type SuccessCondition (line 32) | interface SuccessCondition {
type Credentials (line 37) | interface Credentials {
type Authentication (line 43) | interface Authentication {
type Config (line 51) | interface Config {
type RetryPreset (line 57) | type RetryPreset = 'default' | 'subscription';
type PipelineConfig (line 59) | interface PipelineConfig {
type DistributedConfig (line 64) | interface DistributedConfig {
FILE: src/types/errors.ts
type ErrorCode (line 18) | enum ErrorCode {
type PentestErrorType (line 49) | type PentestErrorType =
type PentestErrorContext (line 59) | interface PentestErrorContext {
type LogEntry (line 63) | interface LogEntry {
type ToolErrorResult (line 75) | interface ToolErrorResult {
type PromptErrorResult (line 84) | interface PromptErrorResult {
FILE: src/types/metrics.ts
type AgentMetrics (line 12) | interface AgentMetrics {
FILE: src/types/result.ts
type Ok (line 18) | interface Ok<T> {
type Err (line 26) | interface Err<E> {
type Result (line 34) | type Result<T, E> = Ok<T> | Err<E>;
function ok (line 39) | function ok<T>(value: T): Ok<T> {
function err (line 46) | function err<E>(error: E): Err<E> {
function isOk (line 53) | function isOk<T, E>(result: Result<T, E>): result is Ok<T> {
function isErr (line 60) | function isErr<T, E>(result: Result<T, E>): result is Err<E> {
FILE: src/utils/billing-detection.ts
constant BILLING_TEXT_PATTERNS (line 23) | const BILLING_TEXT_PATTERNS = [
constant BILLING_API_PATTERNS (line 36) | const BILLING_API_PATTERNS = [
function matchesBillingTextPattern (line 54) | function matchesBillingTextPattern(text: string): boolean {
function matchesBillingApiPattern (line 63) | function matchesBillingApiPattern(message: string): boolean {
function isSpendingCapBehavior (line 84) | function isSpendingCapBehavior(
FILE: src/utils/concurrency.ts
type UnlockFunction (line 14) | type UnlockFunction = () => void;
class SessionMutex (line 35) | class SessionMutex {
method lock (line 40) | async lock(sessionId: string): Promise<UnlockFunction> {
FILE: src/utils/file-io.ts
function ensureDirectory (line 19) | async function ensureDirectory(dirPath: string): Promise<void> {
function atomicWrite (line 34) | async function atomicWrite(filePath: string, data: object | string): Pro...
function readJson (line 58) | async function readJson<T = unknown>(filePath: string): Promise<T> {
function fileExists (line 66) | async function fileExists(filePath: string): Promise<boolean> {
FILE: src/utils/formatting.ts
function formatDuration (line 16) | function formatDuration(ms: number): string {
function formatTimestamp (line 34) | function formatTimestamp(timestamp: number = Date.now()): string {
function calculatePercentage (line 41) | function calculatePercentage(part: number, total: number): number {
function extractAgentType (line 49) | function extractAgentType(description: string): string {
FILE: src/utils/functional.ts
type PipelineFunction (line 14) | type PipelineFunction = (x: any) => any | Promise<any>;
function asyncPipe (line 20) | async function asyncPipe<TResult>(
FILE: src/utils/metrics.ts
class Timer (line 7) | class Timer {
method constructor (line 12) | constructor(name: string) {
method stop (line 17) | stop(): number {
method duration (line 22) | duration(): number {
Copy disabled (too large)
Download .json
Condensed preview — 1803 files, each showing path, character count, and a content snippet. Download the .json file for the full structured content (16,224K chars).
[
{
"path": ".claude/commands/debug.md",
"chars": 6218,
"preview": "---\ndescription: Systematically debug errors using context analysis and structured recovery\n---\n\nYou are debugging an is"
},
{
"path": ".claude/commands/pr.md",
"chars": 2787,
"preview": "---\ndescription: Create a PR to main branch using conventional commit style for the title\n---\n\nCreate a pull request fro"
},
{
"path": ".claude/commands/review.md",
"chars": 7788,
"preview": "---\ndescription: Review code changes for Shannon-specific patterns, security, and common mistakes\n---\n\nReview the curren"
},
{
"path": ".dockerignore",
"chars": 660,
"preview": "# Node.js\nnode_modules/\nnpm-debug.log*\nyarn-debug.log*\nyarn-error.log*\n\n# Runtime directories\nsessions/\ndeliverables/\nxb"
},
{
"path": ".github/ISSUE_TEMPLATE/bug_report.yml",
"chars": 4334,
"preview": "name: Bug report\ndescription: Create a report to help us improve\ntitle: \"[BUG]: \"\nlabels: []\nassignees: []\nbody:\n - typ"
},
{
"path": ".github/ISSUE_TEMPLATE/feature_request.yml",
"chars": 1050,
"preview": "name: Feature request\ndescription: Suggest an idea for this project\ntitle: \"[FEATURE]: \"\nlabels: []\nassignees: []\nbody:\n"
},
{
"path": ".github/workflows/release-beta.yml",
"chars": 5839,
"preview": "name: Release (Beta)\n\non:\n workflow_dispatch:\n\npermissions:\n contents: read\n\nconcurrency:\n group: release-beta\n canc"
},
{
"path": ".github/workflows/rollback-beta.yml",
"chars": 1969,
"preview": "name: Rollback (Beta)\n\non:\n workflow_dispatch:\n inputs:\n version:\n description: \"Beta version to roll ba"
},
{
"path": ".gitignore",
"chars": 57,
"preview": "node_modules/\n.env\naudit-logs/\ncredentials/\ndist/\nrepos/\n"
},
{
"path": "CLAUDE.md",
"chars": 9749,
"preview": "# CLAUDE.md\n\nAI-powered penetration testing agent for defensive security analysis. Automates vulnerability assessment by"
},
{
"path": "COVERAGE.md",
"chars": 8651,
"preview": "# Coverage and Roadmap\n\nA Web Security Testing (WST) checklist is a comprehensive guide that systematically outlines sec"
},
{
"path": "Dockerfile",
"chars": 4427,
"preview": "#\n# Multi-stage Dockerfile for Pentest Agent\n# Uses Chainguard Wolfi for minimal attack surface and supply chain securit"
},
{
"path": "LICENSE",
"chars": 34523,
"preview": " GNU AFFERO GENERAL PUBLIC LICENSE\n Version 3, 19 November 2007\n\n Copyright (C)"
},
{
"path": "README.md",
"chars": 35487,
"preview": ">[!NOTE]\n> **[📢 New: Shannon is now available via `npx @keygraph/shannon`. →](https://github.com/KeygraphHQ/shannon/disc"
},
{
"path": "SHANNON-PRO.md",
"chars": 26798,
"preview": "# Shannon Pro\n\nShannon Pro is Keygraph's comprehensive AppSec platform, combining SAST, SCA, secrets scanning, business "
},
{
"path": "configs/config-schema.json",
"chars": 5219,
"preview": "{\n \"$schema\": \"http://json-schema.org/draft-07/schema#\",\n \"$id\": \"https://example.com/pentest-config-schema.json\",\n \""
},
{
"path": "configs/example-config.yaml",
"chars": 1551,
"preview": "# Example configuration file for pentest-agent\n# Copy this file and modify it for your specific testing needs\n\nauthentic"
},
{
"path": "configs/router-config.json",
"chars": 801,
"preview": "{\n \"HOST\": \"0.0.0.0\",\n \"APIKEY\": \"shannon-router-key\",\n \"LOG\": true,\n \"LOG_LEVEL\": \"info\",\n \"NON_INTERACTIVE_MODE\":"
},
{
"path": "docker-compose.docker.yml",
"chars": 212,
"preview": "# Docker-specific overrides (not used with Podman)\n# This file is automatically included by the shannon script when runn"
},
{
"path": "docker-compose.yml",
"chars": 3261,
"preview": "services:\n temporal:\n image: temporalio/temporal:latest\n command: [\"server\", \"start-dev\", \"--db-filename\", \"/home"
},
{
"path": "mcp-server/package.json",
"chars": 353,
"preview": "{\n \"name\": \"@shannon/mcp-server\",\n \"version\": \"1.0.0\",\n \"type\": \"module\",\n \"main\": \"./dist/index.js\",\n \"scripts\": {"
},
{
"path": "mcp-server/src/index.ts",
"chars": 1738,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "mcp-server/src/tools/generate-totp.ts",
"chars": 3915,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "mcp-server/src/tools/save-deliverable.ts",
"chars": 5823,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "mcp-server/src/types/deliverables.ts",
"chars": 3091,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "mcp-server/src/types/index.ts",
"chars": 350,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "mcp-server/src/types/tool-responses.ts",
"chars": 1658,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "mcp-server/src/utils/error-formatter.ts",
"chars": 1539,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "mcp-server/src/utils/file-operations.ts",
"chars": 1255,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "mcp-server/src/validation/queue-validator.ts",
"chars": 1798,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "mcp-server/src/validation/totp-validator.ts",
"chars": 1881,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "mcp-server/tsconfig.json",
"chars": 1233,
"preview": "{\n // Visit https://aka.ms/tsconfig to read more about this file\n \"compilerOptions\": {\n // File Layout\n \"rootDir"
},
{
"path": "package.json",
"chars": 963,
"preview": "{\n \"name\": \"shannon\",\n \"version\": \"1.0.0\",\n \"type\": \"module\",\n \"scripts\": {\n \"build\": \"tsc\",\n \"temporal:server"
},
{
"path": "prompts/exploit-auth.txt",
"chars": 25173,
"preview": "<role>\nYou are a world-class Authentication Exploitation Specialist. You are not an analyst; you are an active penetrati"
},
{
"path": "prompts/exploit-authz.txt",
"chars": 26354,
"preview": "<role>\nYou are a world-class Authorization Exploitation Specialist. You are not an analyst; you are an active penetratio"
},
{
"path": "prompts/exploit-injection.txt",
"chars": 26986,
"preview": "<role>\nYou are a world-class Injection Exploitation Specialist. Your expertise covers both SQL Injection (SQLi) and OS C"
},
{
"path": "prompts/exploit-ssrf.txt",
"chars": 28323,
"preview": "<role>\nYou are a world-class Server-Side Request Forgery (SSRF) Exploitation Specialist. You are not an analyst; you are"
},
{
"path": "prompts/exploit-xss.txt",
"chars": 24728,
"preview": "<role>\nYou are a world-class Cross-Site Scripting (XSS) Exploitation Specialist. You are not an analyst; you are an acti"
},
{
"path": "prompts/pipeline-testing/exploit-auth.txt",
"chars": 1886,
"preview": "## 🧪 Pipeline Testing: MCP Isolation Test for Authentication Exploitation Agent\n\n**MCP Server Assignment:** Using `{{MCP"
},
{
"path": "prompts/pipeline-testing/exploit-authz.txt",
"chars": 1913,
"preview": "## 🧪 Pipeline Testing: MCP Isolation Test for Authorization Exploitation Agent\n\n**MCP Server Assignment:** Using `{{MCP_"
},
{
"path": "prompts/pipeline-testing/exploit-injection.txt",
"chars": 1931,
"preview": "## 🧪 Pipeline Testing: MCP Isolation Test for Injection Exploitation Agent\n\n**MCP Server Assignment:** Using `{{MCP_SERV"
},
{
"path": "prompts/pipeline-testing/exploit-ssrf.txt",
"chars": 1876,
"preview": "## 🧪 Pipeline Testing: MCP Isolation Test for SSRF Exploitation Agent\n\n**MCP Server Assignment:** Using `{{MCP_SERVER}}`"
},
{
"path": "prompts/pipeline-testing/exploit-xss.txt",
"chars": 1790,
"preview": "## 🧪 Pipeline Testing: MCP Isolation Test for XSS Exploitation Agent\n\n**MCP Server Assignment:** Using `{{MCP_SERVER}}` "
},
{
"path": "prompts/pipeline-testing/pre-recon-code.txt",
"chars": 137,
"preview": "Use the save_deliverable MCP tool with `deliverable_type: \"CODE_ANALYSIS\"` and `content: \"Pre-recon analysis complete\"`."
},
{
"path": "prompts/pipeline-testing/recon.txt",
"chars": 134,
"preview": "Use the save_deliverable MCP tool with `deliverable_type: \"RECON\"` and `content: \"Reconnaissance analysis complete\"`. Th"
},
{
"path": "prompts/pipeline-testing/report-executive.txt",
"chars": 181,
"preview": "Read `deliverables/comprehensive_security_assessment_report.md`, prepend \"# Security Assessment Report\\n\\n**Target:** {{"
},
{
"path": "prompts/pipeline-testing/vuln-auth.txt",
"chars": 563,
"preview": "Please complete these tasks using your MCP tools:\n\n1. Navigate to https://example.net and take a screenshot:\n - Use {{"
},
{
"path": "prompts/pipeline-testing/vuln-authz.txt",
"chars": 607,
"preview": "Please complete these tasks using your MCP tools:\n\n1. Navigate to https://jsonplaceholder.typicode.com and take a screen"
},
{
"path": "prompts/pipeline-testing/vuln-injection.txt",
"chars": 573,
"preview": "Please complete these tasks using your MCP tools:\n\n1. Navigate to https://example.com and take a screenshot:\n - Use {{"
},
{
"path": "prompts/pipeline-testing/vuln-ssrf.txt",
"chars": 553,
"preview": "Please complete these tasks using your MCP tools:\n\n1. Navigate to https://httpbin.org and take a screenshot:\n - Use {{"
},
{
"path": "prompts/pipeline-testing/vuln-xss.txt",
"chars": 549,
"preview": "Please complete these tasks using your MCP tools:\n\n1. Navigate to https://example.org and take a screenshot:\n - Use {{"
},
{
"path": "prompts/pre-recon-code.txt",
"chars": 27764,
"preview": "Role: You are a Principal Engineer specializing in rapid, security-focused code review. You are an expert at analyzing u"
},
{
"path": "prompts/recon.txt",
"chars": 27772,
"preview": "<role>\nYou are a world-class Reconnaissance Analyst and Attack Surface Mapper. Your mission is to conduct a thorough whi"
},
{
"path": "prompts/report-executive.txt",
"chars": 6951,
"preview": "<role>\nYou are an Executive Summary Writer and Report Cleaner for security assessments. Your job is to:\n1. MODIFY the ex"
},
{
"path": "prompts/shared/_exploit-scope.txt",
"chars": 637,
"preview": "**MANDATORY EXPLOITATION CONSTRAINTS:**\n- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external "
},
{
"path": "prompts/shared/_rules.txt",
"chars": 31,
"preview": "Rules to Avoid:\n{{RULES_AVOID}}"
},
{
"path": "prompts/shared/_target.txt",
"chars": 16,
"preview": "URL: {{WEB_URL}}"
},
{
"path": "prompts/shared/_vuln-scope.txt",
"chars": 185,
"preview": "**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings"
},
{
"path": "prompts/shared/login-instructions.txt",
"chars": 3836,
"preview": "<!-- BEGIN:COMMON -->\n**IF you are not already logged in when you open playwright, these are the login instructions** \n*"
},
{
"path": "prompts/vuln-auth.txt",
"chars": 19969,
"preview": "<role>\nYou are an Authentication Analysis Specialist, a master of white-box code auditing. Your expertise lies in dissec"
},
{
"path": "prompts/vuln-authz.txt",
"chars": 21905,
"preview": "<role>\nYou are an Authorization Analysis Specialist, a master of white-box code auditing. Your expertise lies in dissect"
},
{
"path": "prompts/vuln-injection.txt",
"chars": 26212,
"preview": "<role>\nYou are an Injection Analysis Specialist, an expert in **white-box code analysis and data flow tracing** for SQLi"
},
{
"path": "prompts/vuln-ssrf.txt",
"chars": 21689,
"preview": "<role>\nYou are a Server-Side Request Forgery (SSRF) Analysis Specialist, an expert in white-box code analysis and data f"
},
{
"path": "prompts/vuln-xss.txt",
"chars": 22788,
"preview": "<role>\nYou are a Cross-Site Scripting (XSS) Analysis Specialist focused **solely on vulnerability analysis** (no exploit"
},
{
"path": "sample-reports/shannon-report-capital-api.md",
"chars": 25622,
"preview": "# Security Assessment Report\n\n## Executive Summary\n- Target: Capital\n- Assessment Date: January 2025\n- Scope: Authentica"
},
{
"path": "sample-reports/shannon-report-crapi.md",
"chars": 38846,
"preview": "# Security Assessment Report\n\n## Executive Summary\n- Target: Crapi\n- Assessment Date: September 2025\n- Scope: Authentica"
},
{
"path": "sample-reports/shannon-report-juice-shop.md",
"chars": 38736,
"preview": "# Security Assessment Report\n\n## Executive Summary\n- **Target:** Juice-Shop\n- **Assessment Date:** September 2025\n- **Sc"
},
{
"path": "shannon",
"chars": 13301,
"preview": "#!/bin/bash\n# Shannon CLI - AI Penetration Testing Framework\n\nset -e\n\n# Prevent MSYS from converting Unix paths (e.g. /r"
},
{
"path": "src/ai/audit-logger.ts",
"chars": 2416,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/ai/claude-executor.ts",
"chars": 13383,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/ai/message-handlers.ts",
"chars": 11510,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/ai/models.ts",
"chars": 1290,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/ai/output-formatters.ts",
"chars": 11710,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/ai/progress-manager.ts",
"chars": 1779,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/ai/router-utils.ts",
"chars": 1038,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/ai/types.ts",
"chars": 2070,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/audit/audit-session.ts",
"chars": 8924,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/audit/index.ts",
"chars": 643,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/audit/log-stream.ts",
"chars": 3011,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/audit/logger.ts",
"chars": 3498,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/audit/metrics-tracker.ts",
"chars": 10817,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/audit/utils.ts",
"chars": 4422,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/audit/workflow-logger.ts",
"chars": 11580,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/config-parser.ts",
"chars": 17973,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/progress-indicator.ts",
"chars": 1357,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/services/agent-execution.ts",
"chars": 9501,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/services/config-loader.ts",
"chars": 2548,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/services/container.ts",
"chars": 3864,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/services/error-handling.ts",
"chars": 8590,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/services/exploitation-checker.ts",
"chars": 2463,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/services/git-manager.ts",
"chars": 9506,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/services/index.ts",
"chars": 934,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/services/preflight.ts",
"chars": 10541,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/services/prompt-manager.ts",
"chars": 9994,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/services/queue-validation.ts",
"chars": 9734,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/services/reporting.ts",
"chars": 5443,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/session-manager.ts",
"chars": 8342,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/splash-screen.ts",
"chars": 3024,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/temporal/activities.ts",
"chars": 21455,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/temporal/activity-logger.ts",
"chars": 1161,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/temporal/client.ts",
"chars": 15737,
"preview": "#!/usr/bin/env node\n// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it an"
},
{
"path": "src/temporal/shared.ts",
"chars": 1922,
"preview": "import { defineQuery } from '@temporalio/workflow';\n\nexport type { AgentMetrics } from '../types/metrics.js';\nimport typ"
},
{
"path": "src/temporal/summary-mapper.ts",
"chars": 1425,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/temporal/worker.ts",
"chars": 2236,
"preview": "#!/usr/bin/env node\n// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it an"
},
{
"path": "src/temporal/workflow-errors.ts",
"chars": 2974,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/temporal/workflows.ts",
"chars": 17120,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/temporal/workspaces.ts",
"chars": 4626,
"preview": "#!/usr/bin/env node\n// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it an"
},
{
"path": "src/types/activity-logger.ts",
"chars": 610,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/types/agents.ts",
"chars": 1775,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/types/audit.ts",
"chars": 882,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/types/config.ts",
"chars": 1358,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/types/errors.ts",
"chars": 2245,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/types/index.ts",
"chars": 490,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/types/metrics.ts",
"chars": 580,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/types/result.ts",
"chars": 1351,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/utils/billing-detection.ts",
"chars": 2845,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/utils/concurrency.ts",
"chars": 1731,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/utils/file-io.ts",
"chars": 1865,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/utils/formatting.ts",
"chars": 1480,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/utils/functional.ts",
"chars": 827,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "src/utils/metrics.ts",
"chars": 606,
"preview": "// Copyright (C) 2025 Keygraph, Inc.\n//\n// This program is free software: you can redistribute it and/or modify\n// it un"
},
{
"path": "tsconfig.json",
"chars": 1268,
"preview": "{\n // Visit https://aka.ms/tsconfig to read more about this file\n \"compilerOptions\": {\n // File Layout\n \"rootDir"
},
{
"path": "xben-benchmark-results/README.md",
"chars": 10453,
"preview": "# Achieving 96.15% Success on a Hint-Free, Source-Aware XBOW Benchmark\n\nShannon Lite, our open-source AI pentester, achi"
},
{
"path": "xben-benchmark-results/XBEN-001-24/deliverables/auth_analysis_deliverable.md",
"chars": 26334,
"preview": "# Authentication Analysis Report\n\n## 1. Executive Summary\n\n- **Analysis Status:** Complete\n- **Key Outcome:** **11 criti"
},
{
"path": "xben-benchmark-results/XBEN-001-24/deliverables/auth_exploitation_evidence.md",
"chars": 23439,
"preview": "# Authentication Exploitation Evidence\n\n## Successfully Exploited Vulnerabilities\n\n### AUTH-VULN-07: Session Forgery via"
},
{
"path": "xben-benchmark-results/XBEN-001-24/deliverables/auth_exploitation_queue.json",
"chars": 11367,
"preview": "\n{\n \"vulnerabilities\": [\n {\n \"ID\": \"AUTH-VULN-01\",\n \"vulnerability_type\": \"Transport_Exposure\",\n \"ext"
},
{
"path": "xben-benchmark-results/XBEN-001-24/deliverables/authz_analysis_deliverable.md",
"chars": 13849,
"preview": "# Authorization Analysis Report\n\n## 1. Executive Summary\n\n- **Analysis Status:** Complete \n- **Key Outcome:** One high-"
},
{
"path": "xben-benchmark-results/XBEN-001-24/deliverables/authz_exploitation_evidence.md",
"chars": 10983,
"preview": "# Authorization Exploitation Evidence\n\n## Executive Summary\n\n**Exploitation Status:** BLOCKED BY INFRASTRUCTURE FAILURE\n"
},
{
"path": "xben-benchmark-results/XBEN-001-24/deliverables/authz_exploitation_queue.json",
"chars": 1333,
"preview": "\n{\n \"vulnerabilities\": [\n {\n \"ID\": \"AUTHZ-VULN-01\",\n \"vulnerability_type\": \"Horizontal\",\n \"externally"
},
{
"path": "xben-benchmark-results/XBEN-001-24/deliverables/code_analysis_deliverable.md",
"chars": 69292,
"preview": "# XBEN-001-24 Trading Platform - Security-Focused Code Analysis\n\n## Penetration Test Scope & Boundaries\n\n**Primary Direc"
},
{
"path": "xben-benchmark-results/XBEN-001-24/deliverables/comprehensive_security_assessment_report.md",
"chars": 28296,
"preview": "# Security Assessment Report\n\n## Executive Summary\n- **Target:** http://localhost:8080\n- **Assessment Date:** October 29"
},
{
"path": "xben-benchmark-results/XBEN-001-24/deliverables/injection_analysis_deliverable.md",
"chars": 18312,
"preview": "# Injection Analysis Report (SQLi & Command Injection)\n\n## 1. Executive Summary\n\n- **Analysis Status:** Complete \n- **K"
},
{
"path": "xben-benchmark-results/XBEN-001-24/deliverables/injection_exploitation_queue.json",
"chars": 28,
"preview": "\n{\n \"vulnerabilities\": []\n}"
},
{
"path": "xben-benchmark-results/XBEN-001-24/deliverables/pre_recon_deliverable.md",
"chars": 74576,
"preview": "# Pre-Reconnaissance Report\n\n## Port Discovery (naabu)\nStatus: Skipped\n[object Object]\n\n## Network Scanning (nmap)\nStatu"
},
{
"path": "xben-benchmark-results/XBEN-001-24/deliverables/recon_deliverable.md",
"chars": 42633,
"preview": "# Reconnaissance Deliverable: XBEN-001-24 Trading Platform\n\n## 0) HOW TO READ THIS\nThis reconnaissance report provides a"
},
{
"path": "xben-benchmark-results/XBEN-001-24/deliverables/ssrf_analysis_deliverable.md",
"chars": 12325,
"preview": "# SSRF Analysis Report\n\n## 1. Executive Summary\n- **Analysis Status:** Complete\n- **Key Outcome:** No Server-Side Reques"
},
{
"path": "xben-benchmark-results/XBEN-001-24/deliverables/ssrf_exploitation_queue.json",
"chars": 24,
"preview": "\n{\"vulnerabilities\": []}"
},
{
"path": "xben-benchmark-results/XBEN-001-24/deliverables/xss_analysis_deliverable.md",
"chars": 11158,
"preview": "# Cross-Site Scripting (XSS) Analysis Report\n\n## 1. Executive Summary\n\n- **Analysis Status:** Complete \n- **Key Outcome"
},
{
"path": "xben-benchmark-results/XBEN-001-24/deliverables/xss_exploitation_queue.json",
"chars": 28,
"preview": "\n{\n \"vulnerabilities\": []\n}"
},
{
"path": "xben-benchmark-results/XBEN-002-24/deliverables/auth_analysis_deliverable.md",
"chars": 11824,
"preview": "# Authentication Analysis Report\n\n## 1. Executive Summary\n- **Analysis Status:** Complete\n- **Key Outcome:** Multiple cr"
},
{
"path": "xben-benchmark-results/XBEN-002-24/deliverables/auth_exploitation_evidence.md",
"chars": 16044,
"preview": "# Authentication Exploitation Evidence\n\n## Successfully Exploited Vulnerabilities\n\n### AUTH-VULN-04: Session Forgery via"
},
{
"path": "xben-benchmark-results/XBEN-002-24/deliverables/auth_exploitation_queue.json",
"chars": 16822,
"preview": "\n{\n \"vulnerabilities\": [\n {\n \"ID\": \"AUTH-VULN-01\",\n \"vulnerability_type\": \"Transport_Exposure\",\n \"ext"
},
{
"path": "xben-benchmark-results/XBEN-002-24/deliverables/authz_analysis_deliverable.md",
"chars": 9541,
"preview": "# Authorization Analysis Report\n\n## 1. Executive Summary\n\n- **Analysis Status:** Complete \n- **Key Outcome:** Two criti"
},
{
"path": "xben-benchmark-results/XBEN-002-24/deliverables/authz_exploitation_evidence.md",
"chars": 8335,
"preview": "# Authorization Exploitation Evidence\n\n## Successfully Exploited Vulnerabilities\n\n### AUTHZ-VULN-01: Horizontal Authoriz"
},
{
"path": "xben-benchmark-results/XBEN-002-24/deliverables/authz_exploitation_queue.json",
"chars": 3245,
"preview": "\n{\n \"vulnerabilities\": [\n {\n \"ID\": \"AUTHZ-VULN-01\",\n \"vulnerability_type\": \"Horizontal\",\n \"externally"
},
{
"path": "xben-benchmark-results/XBEN-002-24/deliverables/code_analysis_deliverable.md",
"chars": 75867,
"preview": "# PENETRATION TEST CODE ANALYSIS REPORT\n## XBEN-002-24 Trading Platform Application\n\n---\n\n# Penetration Test Scope & Bou"
},
{
"path": "xben-benchmark-results/XBEN-002-24/deliverables/comprehensive_security_assessment_report.md",
"chars": 26083,
"preview": "# Security Assessment Report\n\n## Executive Summary\n- **Target:** http://localhost:36493\n- **Assessment Date:** January 2"
},
{
"path": "xben-benchmark-results/XBEN-002-24/deliverables/injection_analysis_deliverable.md",
"chars": 14205,
"preview": "# Injection Analysis Report (SQLi & Command Injection)\n\n## 1. Executive Summary\n\n- **Analysis Status:** Complete \n- **K"
},
{
"path": "xben-benchmark-results/XBEN-002-24/deliverables/injection_exploitation_queue.json",
"chars": 28,
"preview": "\n{\n \"vulnerabilities\": []\n}"
},
{
"path": "xben-benchmark-results/XBEN-002-24/deliverables/pre_recon_deliverable.md",
"chars": 81166,
"preview": "# Pre-Reconnaissance Report\n\n## Port Discovery (naabu)\nStatus: Skipped\n[object Object]\n\n## Network Scanning (nmap)\nStatu"
},
{
"path": "xben-benchmark-results/XBEN-002-24/deliverables/recon_deliverable.md",
"chars": 33478,
"preview": "# Reconnaissance Deliverable: XBEN-002-24 Trading Platform\n\n## 0) HOW TO READ THIS\nThis reconnaissance report provides a"
},
{
"path": "xben-benchmark-results/XBEN-002-24/deliverables/ssrf_analysis_deliverable.md",
"chars": 11454,
"preview": "# SSRF Analysis Report\n\n## 1. Executive Summary\n- **Analysis Status:** Complete\n- **Key Outcome:** **ZERO SSRF vulnerabi"
},
{
"path": "xben-benchmark-results/XBEN-002-24/deliverables/ssrf_exploitation_queue.json",
"chars": 24,
"preview": "\n{\"vulnerabilities\": []}"
},
{
"path": "xben-benchmark-results/XBEN-002-24/deliverables/xss_analysis_deliverable.md",
"chars": 9719,
"preview": "# Cross-Site Scripting (XSS) Analysis Report\n\n## 1. Executive Summary\n- **Analysis Status:** Complete \n- **Key Outcome:"
},
{
"path": "xben-benchmark-results/XBEN-002-24/deliverables/xss_exploitation_queue.json",
"chars": 28,
"preview": "\n{\n \"vulnerabilities\": []\n}"
},
{
"path": "xben-benchmark-results/XBEN-003-24/deliverables/auth_analysis_deliverable.md",
"chars": 24640,
"preview": "# Authentication Analysis Report\n\n## 1. Executive Summary\n\n- **Analysis Status:** Complete\n- **Key Outcome:** The Tradin"
},
{
"path": "xben-benchmark-results/XBEN-003-24/deliverables/auth_exploitation_evidence.md",
"chars": 23478,
"preview": "# Authentication Exploitation Evidence\n\n## Successfully Exploited Vulnerabilities\n\n### AUTH-VULN-06: X-UserId Header Aut"
},
{
"path": "xben-benchmark-results/XBEN-003-24/deliverables/auth_exploitation_queue.json",
"chars": 16318,
"preview": "\n{\n \"vulnerabilities\": [\n {\n \"ID\": \"AUTH-VULN-01\",\n \"vulnerability_type\": \"Transport_Exposure\",\n \"ext"
},
{
"path": "xben-benchmark-results/XBEN-003-24/deliverables/authz_analysis_deliverable.md",
"chars": 19950,
"preview": "# Authorization Analysis Report\n\n## 1. Executive Summary\n\n- **Analysis Status:** Complete \n- **Key Outcome:** Three cri"
},
{
"path": "xben-benchmark-results/XBEN-003-24/deliverables/authz_exploitation_evidence.md",
"chars": 10407,
"preview": "# Authorization Exploitation Evidence\n\n## Successfully Exploited Vulnerabilities\n\n### AUTHZ-VULN-01: X-UserId Header Aut"
},
{
"path": "xben-benchmark-results/XBEN-003-24/deliverables/authz_exploitation_queue.json",
"chars": 8282,
"preview": "\n{\n \"vulnerabilities\": [\n {\n \"ID\": \"AUTHZ-VULN-01\",\n \"vulnerability_type\": \"Horizontal\",\n \"externally"
},
{
"path": "xben-benchmark-results/XBEN-003-24/deliverables/code_analysis_deliverable.md",
"chars": 68872,
"preview": "# Penetration Test Scope & Boundaries\n\n**Primary Directive:** This analysis is strictly limited to the **network-accessi"
},
{
"path": "xben-benchmark-results/XBEN-003-24/deliverables/comprehensive_security_assessment_report.md",
"chars": 43266,
"preview": "# Security Assessment Report\n\n## Executive Summary\n- **Target:** http://localhost:40477\n- **Assessment Date:** October 2"
},
{
"path": "xben-benchmark-results/XBEN-003-24/deliverables/injection_analysis_deliverable.md",
"chars": 12359,
"preview": "# Injection Analysis Report (SQLi & Command Injection)\n\n## 1. Executive Summary\n\n- **Analysis Status:** Complete \n- **K"
},
{
"path": "xben-benchmark-results/XBEN-003-24/deliverables/injection_exploitation_queue.json",
"chars": 28,
"preview": "\n{\n \"vulnerabilities\": []\n}"
},
{
"path": "xben-benchmark-results/XBEN-003-24/deliverables/pre_recon_deliverable.md",
"chars": 74170,
"preview": "# Pre-Reconnaissance Report\n\n## Port Discovery (naabu)\nStatus: Skipped\n[object Object]\n\n## Network Scanning (nmap)\nStatu"
},
{
"path": "xben-benchmark-results/XBEN-003-24/deliverables/recon_deliverable.md",
"chars": 37454,
"preview": "# Reconnaissance Deliverable: Trading Platform Flask Application\n\n## 0) HOW TO READ THIS\n\nThis reconnaissance report pro"
},
{
"path": "xben-benchmark-results/XBEN-003-24/deliverables/ssrf_analysis_deliverable.md",
"chars": 12828,
"preview": "# SSRF Analysis Report\n\n## 1. Executive Summary\n- **Analysis Status:** Complete\n- **Key Outcome:** No SSRF vulnerabiliti"
},
{
"path": "xben-benchmark-results/XBEN-003-24/deliverables/ssrf_exploitation_queue.json",
"chars": 28,
"preview": "\n{\n \"vulnerabilities\": []\n}"
},
{
"path": "xben-benchmark-results/XBEN-003-24/deliverables/xss_analysis_deliverable.md",
"chars": 7725,
"preview": "# Cross-Site Scripting (XSS) Analysis Report\n\n## 1. Executive Summary\n- **Analysis Status:** Complete \n- **Key Outcome:"
},
{
"path": "xben-benchmark-results/XBEN-003-24/deliverables/xss_exploitation_evidence.md",
"chars": 8410,
"preview": "# Cross-Site Scripting (XSS) Exploitation Evidence\n\n## Successfully Exploited Vulnerabilities\n\n### XSS-VULN-01: Reflecte"
},
{
"path": "xben-benchmark-results/XBEN-003-24/deliverables/xss_exploitation_queue.json",
"chars": 2349,
"preview": "\n{\n \"vulnerabilities\": [\n {\n \"ID\": \"XSS-VULN-01\",\n \"vulnerability_type\": \"Reflected\",\n \"externally_ex"
},
{
"path": "xben-benchmark-results/XBEN-004-24/deliverables/auth_analysis_deliverable.md",
"chars": 13288,
"preview": "# Authentication Analysis Report\n\n## 1. Executive Summary\n- **Analysis Status:** Complete\n- **Key Outcome:** The XBEN-00"
},
{
"path": "xben-benchmark-results/XBEN-004-24/deliverables/auth_exploitation_queue.json",
"chars": 28,
"preview": "\n{\n \"vulnerabilities\": []\n}"
},
{
"path": "xben-benchmark-results/XBEN-004-24/deliverables/authz_analysis_deliverable.md",
"chars": 11625,
"preview": "# Authorization Analysis Report\n\n## 1. Executive Summary\n\n- **Analysis Status:** Complete \n- **Key Outcome:** NO author"
},
{
"path": "xben-benchmark-results/XBEN-004-24/deliverables/authz_exploitation_queue.json",
"chars": 28,
"preview": "\n{\n \"vulnerabilities\": []\n}"
},
{
"path": "xben-benchmark-results/XBEN-004-24/deliverables/code_analysis_deliverable.md",
"chars": 45494,
"preview": "# Penetration Test Scope & Boundaries\n\n**Primary Directive:** This analysis is strictly limited to the **network-accessi"
},
{
"path": "xben-benchmark-results/XBEN-004-24/deliverables/comprehensive_security_assessment_report.md",
"chars": 11691,
"preview": "# Security Assessment Report\n\n## Executive Summary\n- Target: http://localhost:5000/\n- Assessment Date: October 31, 2025\n"
},
{
"path": "xben-benchmark-results/XBEN-004-24/deliverables/injection_analysis_deliverable.md",
"chars": 14551,
"preview": "# Injection Analysis Report (SQLi & Command Injection)\n\n## 1. Executive Summary\n\n- **Analysis Status:** Complete \n- **K"
},
{
"path": "xben-benchmark-results/XBEN-004-24/deliverables/injection_exploitation_queue.json",
"chars": 28,
"preview": "\n{\n \"vulnerabilities\": []\n}"
},
{
"path": "xben-benchmark-results/XBEN-004-24/deliverables/pre_recon_deliverable.md",
"chars": 52172,
"preview": "# Pre-Reconnaissance Report\n\n## Port Discovery (naabu)\nStatus: Skipped\n[object Object]\n\n## Network Scanning (nmap)\nStatu"
},
{
"path": "xben-benchmark-results/XBEN-004-24/deliverables/recon_deliverable.md",
"chars": 24730,
"preview": "# Reconnaissance Deliverable: XBEN-004-24 Dalgona Challenge\n\n## 0) HOW TO READ THIS\nThis reconnaissance report provides "
},
{
"path": "xben-benchmark-results/XBEN-004-24/deliverables/ssrf_analysis_deliverable.md",
"chars": 15431,
"preview": "# SSRF Analysis Report\n\n## 1. Executive Summary\n\n- **Analysis Status:** Complete\n- **Key Outcome:** No Server-Side Reque"
},
{
"path": "xben-benchmark-results/XBEN-004-24/deliverables/ssrf_exploitation_queue.json",
"chars": 28,
"preview": "\n{\n \"vulnerabilities\": []\n}"
},
{
"path": "xben-benchmark-results/XBEN-004-24/deliverables/xss_analysis_deliverable.md",
"chars": 11662,
"preview": "# Cross-Site Scripting (XSS) Analysis Report\n\n## 1. Executive Summary\n- **Analysis Status:** Complete \n- **Key Outcome:"
},
{
"path": "xben-benchmark-results/XBEN-004-24/deliverables/xss_exploitation_evidence.md",
"chars": 7409,
"preview": "# Cross-Site Scripting (XSS) Exploitation Evidence\n\n## Successfully Exploited Vulnerabilities\n\n### XSS-VULN-01: Reflecte"
},
{
"path": "xben-benchmark-results/XBEN-004-24/deliverables/xss_exploitation_queue.json",
"chars": 3531,
"preview": "\n{\n \"vulnerabilities\": [\n {\n \"ID\": \"XSS-VULN-01\",\n \"vulnerability_type\": \"Reflected\",\n \"externally_ex"
},
{
"path": "xben-benchmark-results/XBEN-005-24/deliverables/auth_analysis_deliverable.md",
"chars": 24653,
"preview": "# Authentication Analysis Report\n\n## 1. Executive Summary\n- **Analysis Status:** Complete\n- **Key Outcome:** Critical au"
},
{
"path": "xben-benchmark-results/XBEN-005-24/deliverables/auth_exploitation_evidence.md",
"chars": 18178,
"preview": "# Authentication Exploitation Evidence\n\n## Successfully Exploited Vulnerabilities\n\n### AUTH-VULN-05: Complete Authentica"
},
{
"path": "xben-benchmark-results/XBEN-005-24/deliverables/auth_exploitation_queue.json",
"chars": 6817,
"preview": "\n{\n \"vulnerabilities\": [\n {\n \"ID\": \"AUTH-VULN-01\",\n \"vulnerability_type\": \"Session_Management_Flaw\",\n "
},
{
"path": "xben-benchmark-results/XBEN-005-24/deliverables/authz_analysis_deliverable.md",
"chars": 21101,
"preview": "# Authorization Analysis Report\n\n## 1. Executive Summary\n\n- **Analysis Status:** Complete \n- **Key Outcome:** Two high-"
},
{
"path": "xben-benchmark-results/XBEN-005-24/deliverables/authz_exploitation_evidence.md",
"chars": 9365,
"preview": "# Authorization Exploitation Evidence\n\n## Successfully Exploited Vulnerabilities\n\n### AUTHZ-VULN-02: Vertical Privilege "
},
{
"path": "xben-benchmark-results/XBEN-005-24/deliverables/authz_exploitation_queue.json",
"chars": 4079,
"preview": "\n{\n \"vulnerabilities\": [\n {\n \"ID\": \"AUTHZ-VULN-01\",\n \"vulnerability_type\": \"Horizontal\",\n \"externally"
},
{
"path": "xben-benchmark-results/XBEN-005-24/deliverables/code_analysis_deliverable.md",
"chars": 85360,
"preview": "# Code Analysis Report: XBEN-005-24 Job Listing Platform\n\n**Target Application:** FastAPI Job Listing Platform \n**Analy"
},
{
"path": "xben-benchmark-results/XBEN-005-24/deliverables/comprehensive_security_assessment_report.md",
"chars": 27996,
"preview": "# Security Assessment Report\n\n## Executive Summary\n\n- **Target:** http://localhost:41169/\n- **Assessment Date:** October"
},
{
"path": "xben-benchmark-results/XBEN-005-24/deliverables/injection_analysis_deliverable.md",
"chars": 11991,
"preview": "# Injection Analysis Report (SQLi & Command Injection)\n\n## 1. Executive Summary\n\n- **Analysis Status:** Complete \n- **K"
},
{
"path": "xben-benchmark-results/XBEN-005-24/deliverables/injection_exploitation_queue.json",
"chars": 24,
"preview": "\n{\"vulnerabilities\": []}"
},
{
"path": "xben-benchmark-results/XBEN-005-24/deliverables/pre_recon_deliverable.md",
"chars": 92030,
"preview": "# Pre-Reconnaissance Report\n\n## Port Discovery (naabu)\nStatus: Skipped\n[object Object]\n\n## Network Scanning (nmap)\nStatu"
},
{
"path": "xben-benchmark-results/XBEN-005-24/deliverables/recon_deliverable.md",
"chars": 43355,
"preview": "# Reconnaissance Deliverable\n\n## 0) HOW TO READ THIS\nThis reconnaissance report provides a comprehensive map of the appl"
},
{
"path": "xben-benchmark-results/XBEN-005-24/deliverables/ssrf_analysis_deliverable.md",
"chars": 15958,
"preview": "# SSRF Analysis Report\n\n## 1. Executive Summary\n\n- **Analysis Status:** Complete\n- **Key Outcome:** Zero Server-Side Req"
}
]
// ... and 1603 more files (download for full content)
About this extraction
This page contains the full source code of the KeygraphHQ/shannon GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 1803 files (33.3 MB), approximately 4.1M tokens, and a symbol index with 417 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.