feat: add Z.AI GLM models as router provider #129
Closed
rizkydwicmt wants to merge 133 commits into KeygraphHQ:main from
fixes
Simplified
typo
italics
assets
Updated Discord invite links in README.md to use a permanent invite link that will not expire.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
chore: added logging
…he actual content
Simplified deliverable management by removing automatic copying to ~/Documents/pentest-deliverables/. All deliverables now remain only in <target-repo>/deliverables/, eliminating file duplication and improving UX.
Changes:
- Removed savePermanentDeliverables() function from src/setup/deliverables.js
- Removed function call and related console output from shannon.mjs
- Removed unused 'os' import from deliverables.js
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Remove unnecessary screenshot storage to reduce file I/O and disk usage:
- Removed screenshot directory creation
- Removed --output-dir flag from Playwright MCP setup
- Agents can still take screenshots, but they won't persist to disk
Screenshots were not being used by any part of Shannon for analysis or reporting, making their storage unnecessary overhead.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
…healing
## Unified Audit System (v3.0)
- Implemented crash-safe, append-only logging to audit-logs/{hostname}_{sessionId}/
- Added session.json with comprehensive metrics (timing, cost, attempts)
- Agent execution logs with turn-by-turn detail
- Prompt snapshots saved to audit-logs/.../prompts/{agent}.md
- SessionMutex prevents race conditions during parallel execution
- Self-healing reconciliation before every CLI command
## Session Metadata Standardization
- Fixed critical bug: standardized on 'id' field (not 'sessionId') throughout codebase
- Updated: shannon.mjs (recon, report), src/phases/pre-recon.js
- Added validation in AuditSession to fail fast on incorrect field usage
- JavaScript shorthand syntax was causing wrong field names
## Schema Improvements
- session.json: Added cost_usd per phase, removed redundant final_cost_usd
- Renamed 'percentage' -> 'duration_percentage' for clarity
- Simplified agent metrics to single total_cost_usd field
- Removed unused validation object from schema
## Legacy System Removal
- Removed savePromptSnapshot() - prompts now only saved by audit system
- Removed target repo pollution (prompt-snapshots/ no longer created)
- Single source of truth: audit-logs/{hostname}_{sessionId}/prompts/
## Export Script Simplification
- Removed JSON export mode (session.json already exists)
- CSV-only export with clean columns: agent, phase, status, attempts, duration_ms, cost_usd
- Tested on real session data
## Documentation
- Updated CLAUDE.md with audit system architecture
- Added .gitignore entry for audit-logs/
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Reasoning:
- Shannon is a local CLI tool with direct filesystem access
- Manual file editing (JSON, rm -rf) is simpler than reconciliation script
- Automatic reconciliation runs before every command (built-in)
- If auto-reconciliation has bugs, fix the code, don't create workarounds
- Over-engineered for a local development tool
For recovery: Just delete .shannon-store.json or edit JSON files directly
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Added comprehensive header comment explaining use case
- Documents data source (session.json from audit-logs)
- CSV output format and use cases clearly described
- Includes usage examples and note about raw data access
- Removes need for separate docs/ folder in repo
Docs were design artifacts, not needed in open source repo. All relevant documentation now lives in code comments.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Reasoning:
- Pollutes target repo with run-metadata.json
- Redundant with audit system (session.json has all metadata)
- Less useful than comprehensive audit logs
- Target repos should stay clean - only deliverables belong there
All debugging info now lives in audit-logs/{hostname}_{sessionId}/session.json
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
ROOT CAUSE:
- Exploitation phase checked session.validationResults to determine eligibility
- validationResults field was removed during audit system refactor
- Field never existed in session schema, so all exploits were skipped
THE FIX:
- Exploitation phase now validates queue files directly when checking eligibility
- Reads exploitation_queue.json and checks if vulnerabilities array is non-empty
- No need to store validation results - just re-validate on demand
CHANGES:
1. runParallelExploit() now calls safeValidateQueueAndDeliverable() directly
2. Removed validationResults parameter from markAgentCompleted()
3. Simplified calculateVulnerabilityAnalysisSummary() - no longer needs validation data
4. Simplified calculateExploitationSummary() - no longer needs validation data
IMPACT:
- Exploitation agents will now run when vulnerabilities are found
- Queue files are the single source of truth for eligibility
- Simpler architecture - no duplicate state storage
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
…c-ai/claude-agent-sdk
Anthropic rebranded the SDK in 2025 from "Claude Code SDK" to "Claude Agent SDK". Updated all references across package.json, Dockerfile, and documentation to use the current @anthropic-ai/claude-agent-sdk package.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Remove unused files and exports to improve codebase maintainability:
Phase 1 - Deleted files (5):
- login_resources/generate-totp-standalone.mjs (replaced by MCP tool)
- mcp-server/src/tools/index.js (unused barrel export)
- mcp-server/src/utils/index.js (unused barrel export)
- mcp-server/src/validation/index.js (unused barrel export)
- src/agent-status.js (deprecated 309-line status manager)
Phase 2 - Removed unused exports (3):
- mcp-server/src/index.js: shannonHelperServer constant
- mcp-server/src/utils/error-formatter.js: createFileSystemError function
- src/utils/git-manager.js: cleanWorkspace (now internal-only)
Phase 3 - Unexported internal functions (4):
- src/checkpoint-manager.js: runSingleAgent, runAgentRange, runParallelVuln, runParallelExploit (internal use only)
All Shannon CLI commands tested and verified working.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
…ssion-issue fix: create audit-logs directory before container startup
feat: add multi-model router support for OpenAI and OpenRouter
Update README.md
Update README.md
* feat: update splash screen screenshot with new branding
* docs: add Trendshift badge to README
…aphHQ#107)
* feat: use static repos/ folder mount instead of dynamic TARGET_REPO
Replace dynamic per-run TARGET_REPO bind mount with a static ./repos:/repos mount. Users place target repositories under ./repos/ and reference them by folder name. This fixes stale mounts when switching targets and enables running multiple scans concurrently against different repos.
* feat: mount configs directory into worker container
* docs: add instructions for repos and configs directory setup
…ution (KeygraphHQ#108)
* fix: extend heartbeat timeout to prevent stalls during sub-agent execution
* feat: add /pr command for creating pull requests with conventional commits
…graphHQ#116)
Pre-create the deliverables directory with proper permissions on the host before starting containers, and surface permission errors instead of silently swallowing them in save_deliverable.
…eygraphHQ#113)
* feat: upgrade claude-agent-sdk to 0.2.38 and adapt to new SDK types
- Bump @anthropic-ai/claude-agent-sdk from 0.1.x to 0.2.38 (both root and mcp-server)
- Bump zod from 3.x to 4.x (SDK peer dependency)
- Add allowDangerouslySkipPermissions to query options (required for bypassPermissions)
- Suppress new SDK message types (tool_progress, tool_use_summary, auth_status)
- Use structured error field on assistant messages instead of text-sniffing
- Add stop_reason to result message handling for diagnostics
- Add SDKAssistantMessageError type matching SDK's string literal union
* chore: remove CLAUDE_CODE_MAX_OUTPUT_TOKENS from all config and docs
KeygraphHQ#112)
Deliverables saved by agents were never committed to git because git identity was not configured in the Docker container. This left them as untracked files, which git clean -fd destroyed whenever another agent's retry triggered a workspace rollback.
Moves git config after ENV HOME=/tmp so the config is written to /tmp/.gitconfig where git actually looks at runtime.
…phHQ#117)
Podman doesn't support the `host-gateway` special value in extra_hosts, which causes container startup failures on macOS with Podman Desktop.
Changes:
- Add docker-compose.docker.yml with extra_hosts override for Docker
- Update shannon script to detect Podman via `command -v podman`
- Skip extra_hosts override when Podman is detected
This ensures:
- Docker users (Linux): Get host.docker.internal working automatically
- Podman users (macOS): Base config works without modification
Co-authored-by: ajmallesh <ajmallesh@gmail.com>
Replace markdown-based issue templates with YAML issue forms for structured input with dropdowns, checkboxes, and required fields.
…eygraphHQ#123)
* fix: add file_path parameter to save_deliverable for large reports
Large deliverable reports can exceed output token limits when passed as inline content. This change allows agents to write reports to disk first and pass a file_path instead.
Changes:
- Add file_path parameter to save_deliverable MCP tool with path traversal protection
- Pass CLAUDE_CODE_MAX_OUTPUT_TOKENS env var to SDK subprocesses
- Fix false positive error detection by extracting only text content (not tool_use JSON) when checking for API errors
- Update all prompts to instruct agents to use file_path for large reports and stop immediately after completion
* docs: simplify and condense CLAUDE.md
Reduce verbosity while preserving all essential information for AI assistance. Makes the documentation more scannable and focused.
* feat: add issue number detection to pr command
The /pr command now automatically detects issue numbers from:
1. Explicit arguments (e.g., /pr 123 or /pr 123,456)
2. Branch name patterns (e.g., fix/123-bug, issue-456-feature)
Adds "Closes #X" lines to PR body to auto-close issues on merge.
* chore: remove CLAUDE_CODE_MAX_OUTPUT_TOKENS env var handling
No longer needed with the new Claude Agent SDK version.
* fix: restore max_output_tokens error handling
- Replace single-call "Write to deliverables/" pattern with multi-step Write + Edit chunked writing across all 12 agent prompts
- Standardize section name to "CHUNKED WRITING (MANDATORY)" for vuln, exploit, pre-recon, and recon agents
- Prevents agents from hitting 32K output token limit when generating large analysis reports and exploitation evidence
Re-add the env var that was removed during SDK upgrade. Needed for controlling output token limits in SDK subprocesses.
…le-handling-v2 fix: improve large deliverable handling and audit trail
- Add Z.AI (zai) provider to router-config.json with glm-5, glm-4.7, glm-4.7-flash models
- Use coding-specific endpoint: api.z.ai/api/coding/paas/v4/chat/completions
- Forward ANTHROPIC_BASE_URL, ANTHROPIC_AUTH_TOKEN, ROUTER_DEFAULT env vars to SDK subprocess in claude-executor.ts (fixes router auth issue)
- Add ZAI_API_KEY to docker-compose.yml router service
- Add ZAI_API_KEY to shannon CLI provider key checks
- Update .env.example and README.md with Z.AI configuration docs
Pull request overview
This PR adds Z.AI (Zhipu AI) GLM models as a new router provider for Shannon's experimental multi-model support, alongside an important bug fix for router mode environment variable forwarding.
Changes:
- Added Z.AI provider configuration with GLM models (glm-5, glm-4.7, glm-4.7-flash) to the router
- Fixed SDK subprocess environment variable forwarding for ANTHROPIC_BASE_URL, ANTHROPIC_AUTH_TOKEN, and ROUTER_DEFAULT (critical for all router providers)
- Updated CLI validation, Docker configuration, and documentation to include Z.AI API key support
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| configs/router-config.json | Added Z.AI provider configuration with GLM models and maxcompletiontokens transformer; reformatted existing providers for consistency |
| src/ai/claude-executor.ts | Fixed router mode by forwarding required environment variables to SDK subprocess; corrected comment indentation |
| shannon | Added ZAI_API_KEY validation checks in router mode API key logic and error messages |
| docker-compose.yml | Added ZAI_API_KEY environment variable to router service |
| .env.example | Added Z.AI configuration section with example API key and model settings |
| README.md | Added Z.AI to experimental router mode documentation and models table |
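One way to implement the environment forwarding discussed in this PR as an allowlist, so the SDK subprocess receives the three router variables while provider keys such as ZAI_API_KEY stay with the router service. This is an added example, not code from the PR or from Shannon; `buildRouterSdkEnv`, `redactEnv`, the base and required variable lists, and all sample values are assumptions.

```typescript
// Added example: hypothetical helpers, not Shannon's claude-executor.ts.
type Env = Record<string, string | undefined>;

// The three variables the PR forwards to the SDK subprocess.
const ROUTER_VARS = ["ANTHROPIC_BASE_URL", "ANTHROPIC_AUTH_TOKEN", "ROUTER_DEFAULT"];
// Assumption: generic variables any child process needs to start.
const BASE_VARS = ["PATH", "HOME"];
// Assumption: without these two the SDK cannot authenticate to the router.
const REQUIRED = ["ANTHROPIC_BASE_URL", "ANTHROPIC_AUTH_TOKEN"];

// Build the child environment from an allowlist instead of copying the parent
// wholesale, so provider keys (e.g. ZAI_API_KEY) never reach the subprocess.
function buildRouterSdkEnv(parent: Env): Record<string, string> {
  const child: Record<string, string> = {};
  for (const name of BASE_VARS.concat(ROUTER_VARS)) {
    const value = parent[name];
    if (value !== undefined && value !== "") {
      child[name] = value;
    }
  }
  const missing = REQUIRED.filter((name) => !(name in child));
  if (missing.length > 0) {
    // Fail before spawning rather than surfacing later as an auth error.
    throw new Error("router mode: missing " + missing.join(", "));
  }
  return child;
}

// Copy of an environment that is safe to write to an audit log.
function redactEnv(env: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const name of Object.keys(env)) {
    const secret = /KEY|TOKEN|SECRET|PASSWORD/i.test(name);
    out[name] = secret ? "[redacted]" : String(env[name]);
  }
  return out;
}

// Constructed sample values, not real endpoints or credentials.
const SAMPLE_PARENT_ENV: Env = {
  PATH: "/usr/bin",
  HOME: "/tmp",
  ANTHROPIC_BASE_URL: "http://router.example:3456",
  ANTHROPIC_AUTH_TOKEN: "constructed-token",
  ROUTER_DEFAULT: "zai,glm-4.7",
  ZAI_API_KEY: "constructed-provider-key",
};
const SAMPLE_CHILD_ENV = buildRouterSdkEnv(SAMPLE_PARENT_ENV);
```
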
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Summary
Adds Z.AI (Zhipu AI) GLM models as a new provider option for Shannon's router mode, enabling pentesting with Chinese-developed large language models.
Changes
Router Configuration (`configs/router-config.json`)
- `zai` provider with endpoint `https://api.z.ai/api/coding/paas/v4/chat/completions`
- `glm-5`, `glm-4.7`, `glm-4.7-flash`
- `maxcompletiontokens` transformer pattern as OpenAI
SDK Environment Forwarding (`src/ai/claude-executor.ts`)
- `ANTHROPIC_BASE_URL`, `ANTHROPIC_AUTH_TOKEN`, and `ROUTER_DEFAULT` env vars to the SDK subprocess
- `AuthenticationError: Invalid API key`
Docker & CLI
- `ZAI_API_KEY` to `docker-compose.yml` router service environment
- `ZAI_API_KEY` to `shannon` CLI provider key validation checks
Documentation
- `.env.example` with Z.AI configuration section
- `README.md` with Z.AI in Quick Setup and Experimental Models table
Testing
- `glm-4.7` model via curl
- `glm-4.7`
Usage