The security-industrial complex peddles spreadsheets of vibes. Severity badges. Ritual scans. Then, at the moment of truth, it refuses the simple, adult question: can you actually pwn it?
Shannon said yes. It did the unfashionable thing: try the exploit, ship receipts, or shut up. No exploit, no report. That single sentence wipes out half the ceremony and all of the superstition.
Shannon Uncontained is the fork for people who don’t need a container to run Node, don’t always have source, and don’t swear fealty to a single LLM vendor. It runs natively. It speaks Claude and GPT-4.1, supports connecting via GitHub Models, and talks to the locals (Ollama/llama.cpp/LM Studio).
And when all you’ve got is a URL and permission, it crawls, fingerprints, and assembles pseudo‑source—a structured model of routes, inputs, and flows—then hands that to the same exploit-first pipeline. Less incense, more impact.
This is a pentester that behaves like it means it:
If it can’t make the vuln sing—shell, XSS pop, auth bypass, SSRF reach—it doesn’t log it as gospel. It maps your mess to OWASP Top 10, spits SARIF for auditors, JSON/HTML for humans, and keeps an audit trail that’s actually evidence, not a confession.
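As an added example (not Shannon’s code; the finding shape, field names and the sample findings are assumed), here is the “no exploit, no report” rule applied before emitting SARIF: only findings with recorded evidence become results, each keyed to its OWASP Top 10 category, with the evidence carried along so an auditor can replay it.

```python
import json

# Constructed sample findings (assumed shape, not Shannon's real output).
# A finding is reportable only when it carries a recorded request and an observed effect.
FINDINGS = [
    {"id": "xss-1", "title": "Reflected XSS in search", "owasp": "A03:2021",
     "url": "https://app.example/search", "param": "q",
     "evidence": {"request": "req-0042",
                  "observed": "input reflected unencoded; script executed in headless browser"}},
    {"id": "ssrf-1", "title": "Possible SSRF in webhook URL", "owasp": "A10:2021",
     "url": "https://app.example/webhooks", "param": "target",
     "evidence": None},  # suspicion only: no reach demonstrated, so it never ships
]

# Assumed severity mapping per OWASP category (SARIF levels: error/warning/note).
OWASP_LEVEL = {"A01:2021": "error", "A03:2021": "error", "A10:2021": "warning"}


def proven(findings):
    """Keep only findings whose evidence records both a request and an observed effect."""
    return [f for f in findings
            if f.get("evidence") and f["evidence"].get("request") and f["evidence"].get("observed")]


def to_sarif(findings, tool="shannon-uncontained-example"):
    """Build a SARIF 2.1.0 log: one rule per OWASP category, one result per proven finding."""
    rules, results = {}, []
    for f in proven(findings):
        rules.setdefault(f["owasp"], {"id": f["owasp"], "name": f["owasp"],
                                      "shortDescription": {"text": "OWASP Top 10 " + f["owasp"]}})
        results.append({
            "ruleId": f["owasp"],
            "level": OWASP_LEVEL.get(f["owasp"], "warning"),
            "message": {"text": f"{f['title']} (parameter {f['param']} at {f['url']})"},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": f["url"]}}}],
            # Property bag: the audit trail travels with the result, not in a side channel.
            "properties": {"findingId": f["id"], "evidence": f["evidence"]},
        })
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json", "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool, "rules": list(rules.values())}},
                      "results": results}]}


if __name__ == "__main__":
    print(json.dumps(to_sarif(FINDINGS), indent=2))
```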
It slots into CI/CD without container cosplay, because “portable” shouldn’t mean “pretend Linux wrapped around JavaScript.”
Yes, the tone is combative. That’s because the default is complacency. “We ran the scanner” is a lullaby. If your app can be owned, your pipeline should find out before someone less poetic does.
If the idea of pseudo‑source offends you, excellent—show me where it fails. If you think it’s useful, tell me the guardrails you want in CI (timeouts, scope fences, auth flows). Either way, the premise stands: suspicion without a proof-of-concept is astrology with YAML.
BTW: “Black box” doesn’t mean blind thrashing. It means disciplined recon: endpoints, forms, tokens, flows—enough to build a working model and push for exploit.
To clarify the LLM provider mix: the practical wins and losses across Claude, GPT, GitHub Models and local models, on code reasoning versus web exploitation.