Description
I searched existing issues and PRs but didn't find a report for this.
Bug description
report-executive.txt uses {{GITHUB_URL}} (L24) and {{AUTH_CONTEXT}} (L29), but interpolateVariables() in src/services/prompt-manager.ts (L158-161) does not handle either variable. They appear to pass through as literal strings to the report agent. The unresolved placeholder check at L196-198 logs a warning but continues execution.
Steps to reproduce
- Run any pentest: `./shannon start URL=https://example.com REPO=my-repo`
- Wait for the report phase to complete
- Open `deliverables/comprehensive_security_assessment_report.md` (default output directory)
- Observe `Repository: {{GITHUB_URL}}` and `Authentication Context:\n{{AUTH_CONTEXT}}` as literal text in the report header
Impact
Every generated report contains unresolved placeholders in the header. This is the final deliverable users receive. Reproducible on every run (100%).
Root cause
interpolateVariables() handles 6 variables but {{GITHUB_URL}} and {{AUTH_CONTEXT}} are not among them:
| Variable | Handled | Used in |
|---|---|---|
| `{{WEB_URL}}` | Yes | multiple templates |
| `{{REPO_PATH}}` | Yes | multiple templates |
| `{{MCP_SERVER}}` | Yes | multiple templates |
| `{{RULES_AVOID}}` | Yes | shared/_rules.txt |
| `{{RULES_FOCUS}}` | Yes | recon.txt |
| `{{LOGIN_INSTRUCTIONS}}` | Yes | auth templates |
| `{{GITHUB_URL}}` | No | report-executive.txt L24 |
| `{{AUTH_CONTEXT}}` | No | report-executive.txt L29 |
Proposed fix
{{GITHUB_URL}} — Two options:
- Option A: Map to `repoPath` (local path, always available)
- Option B: Add a new field to `PromptVariables` for the remote Git URL (more accurate for the report context, but requires plumbing the URL from CLI args)
Which approach do you prefer?
{{AUTH_CONTEXT}} — This needs a summary of the authentication config (login_type, login_url, success_condition) without exposing credentials. This may warrant its own follow-up if the design needs discussion. Happy to take either approach.
Happy to submit a PR if this direction looks right.
Affected files
- `src/services/prompt-manager.ts` — add variable replacements in `interpolateVariables()`
- `prompts/report-executive.txt` — may need variable rename depending on chosen approach
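
One way the two points raised in this issue could be handled, as an added sketch that is not code from the Shannon repository or from the issue author: an allowlist-based auth summary that cannot leak credentials, and an interpolation step that fails on unresolved placeholders instead of only warning. The names `AuthConfig`, `summarizeAuth`, `stripUrlSecrets` and `interpolateStrict`, the config shape beyond the three fields named above, and all sample values are assumptions.

```typescript
// Added example: every name here is hypothetical, not Shannon's actual API.
interface AuthConfig {
  login_type?: string;
  login_url?: string;
  success_condition?: string;
  [key: string]: unknown; // credentials and other fields may also be present
}

// Allowlist: only the three fields named in the issue may reach the report.
const AUTH_SUMMARY_FIELDS = ["login_type", "login_url", "success_condition"] as const;

// Drop userinfo, query string and fragment, which can carry secrets.
function stripUrlSecrets(raw: string): string {
  return raw.replace(/[?#].*$/, "").replace(/^([a-z][a-z0-9+.-]*:\/\/)[^\/@]*@/i, "$1");
}

function summarizeAuth(auth?: AuthConfig): string {
  const lines: string[] = [];
  for (const field of AUTH_SUMMARY_FIELDS) {
    const value = auth ? auth[field] : undefined;
    if (typeof value !== "string" || value === "") continue;
    lines.push(`- ${field}: ${field === "login_url" ? stripUrlSecrets(value) : value}`);
  }
  return lines.length > 0 ? lines.join("\n") : "No authentication configured";
}

// Substitute {{NAME}} tokens and fail instead of warning when one has no value.
function interpolateStrict(template: string, vars: Record<string, string>): string {
  const missing: string[] = [];
  const out = template.replace(/\{\{([A-Z0-9_]+)\}\}/g, (match: string, name: string) => {
    const value: unknown = vars[name];
    if (typeof value === "string") return value;
    if (missing.indexOf(name) === -1) missing.push(name);
    return match;
  });
  if (missing.length > 0) {
    throw new Error(`Unresolved placeholders: ${missing.join(", ")}`);
  }
  return out;
}

// Constructed sample input; the password field must never appear in the output.
const SAMPLE_AUTH: AuthConfig = {
  login_type: "form",
  login_url: "https://user:pw@example.com/login?next=/admin#top",
  success_condition: "url_contains:/dashboard",
  password: "constructed-password",
};
const HEADER_TEMPLATE = "Repository: {{GITHUB_URL}}\nAuthentication Context:\n{{AUTH_CONTEXT}}";
```

Because the summary is built from an allowlist rather than by deleting known secret keys, a credential field added to the config later stays out of the report by default.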