@pensar/apex 0.0.111 → 0.0.112

package/build/auth-jvq72ekc.js

@@ -0,0 +1,263 @@
+#!/usr/bin/env bun
+import {
+  disconnect,
+  fetchWorkspaces,
+  isConnected,
+  pollForWorkspaceCreation,
+  pollLegacyToken,
+  pollWorkOSToken,
+  selectWorkspace,
+  startDeviceFlow
+} from "./cli-j66pect7.js";
+import {
+  config,
+  getPensarApiUrl,
+  getPensarConsoleUrl
+} from "./cli-bp6d08sg.js";
+import"./cli-jb0gcnrs.js";
+import"./cli-yj3dy0vg.js";
+import {
+  __require
+} from "./cli-8rxa073f.js";
+
+// src/cli/auth.ts
+import * as readline from "readline";
+function openUrl(url) {
+  try {
+    const { spawn } = __require("child_process");
+    const platform = process.platform;
+    let cmd;
+    if (platform === "darwin") {
+      cmd = spawn("open", [url]);
+    } else if (platform === "win32") {
+      cmd = spawn("cmd", ["/c", "start", url]);
+    } else {
+      cmd = spawn("xdg-open", [url]);
+    }
+    cmd.on("error", () => {});
+  } catch {}
+}
+function prompt(question) {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+async function promptWorkspaceSelection(workspaces) {
+  console.log(`
+Select a workspace:
+`);
+  workspaces.forEach((ws, i) => {
+    console.log(`  ${i + 1}. ${ws.name} (${ws.slug}) — $${ws.balance.toFixed(2)}`);
+  });
+  const answer = await prompt(`
+Enter number (1-${workspaces.length}): `);
+  const index = parseInt(answer, 10) - 1;
+  if (isNaN(index) || index < 0 || index >= workspaces.length) {
+    console.error("Invalid selection.");
+    process.exit(1);
+  }
+  return workspaces[index];
+}
+async function login() {
+  const appConfig = await config.get();
+  if (isConnected(appConfig)) {
+    console.log("Already connected to Pensar Console.");
+    if (appConfig.workspaceSlug) {
+      console.log(`  Workspace: ${appConfig.workspaceSlug}`);
+    }
+    const answer = await prompt(`
+Reconnect? (y/N): `);
+    if (answer.toLowerCase() !== "y") {
+      return;
+    }
+  }
+  console.log(`
+Pensar Console — Managed Inference
+Connect for usage-based AI inference. No API keys needed.
+`);
+  const apiUrl = getPensarApiUrl();
+  const flowInfo = await startDeviceFlow(apiUrl);
+  if (flowInfo.mode === "workos") {
+    const { clientId, deviceInfo } = flowInfo;
+    openUrl(deviceInfo.verification_uri_complete);
+    console.log(`A browser window should have opened.
+If not, open this URL:
+  ${deviceInfo.verification_uri_complete}
+
+Your code: ${deviceInfo.user_code}
+
+Waiting for browser authorization...`);
+    const tokens = await pollWorkOSToken({
+      clientId,
+      deviceCode: deviceInfo.device_code,
+      interval: deviceInfo.interval,
+      expiresIn: deviceInfo.expires_in
+    });
+    await config.update({
+      accessToken: tokens.accessToken,
+      refreshToken: tokens.refreshToken
+    });
+    console.log(`
+Authenticated successfully. Fetching workspaces...`);
+    await handleWorkspaces(apiUrl, tokens.accessToken);
+  } else {
+    const { deviceInfo } = flowInfo;
+    openUrl(deviceInfo.verificationUriComplete);
+    console.log(`A browser window should have opened.
+If not, open this URL:
+  ${deviceInfo.verificationUriComplete}
+
+Your code: ${deviceInfo.userCode}
+
+Waiting for browser authorization...`);
+    const data = await pollLegacyToken({
+      apiUrl,
+      deviceCode: deviceInfo.deviceCode,
+      interval: deviceInfo.interval,
+      expiresIn: deviceInfo.expiresIn
+    });
+    await config.update({
+      pensarAPIKey: data.apiKey,
+      gatewaySigningKey: data.signingKey ?? null
+    });
+    if (data.workspace) {
+      await config.update({
+        workspaceId: data.workspace.id,
+        workspaceSlug: data.workspace.slug
+      });
+    }
+    console.log(`
+✓ Connected to Pensar Console`);
+    if (data.workspace) {
+      console.log(`  Workspace: ${data.workspace.name} (${data.workspace.slug})`);
+    }
+    if (data.credits) {
+      console.log(`  Credits: $${data.credits.balance.toFixed(2)}`);
+    }
+  }
+}
+async function handleWorkspaces(apiUrl, accessToken) {
+  const wsResult = await fetchWorkspaces(apiUrl, accessToken);
+  let workspaces = wsResult.workspaces;
+  const consoleUrl = wsResult.consoleUrl ?? getPensarConsoleUrl();
+  if (workspaces.length === 0) {
+    console.log(`
+No workspaces found. Opening browser to create one...
+If the browser didn't open, visit: ${consoleUrl}/create-workspace?redirect=/credits
+`);
+    openUrl(`${consoleUrl}/create-workspace?redirect=/credits`);
+    console.log("Waiting for workspace creation...");
+    workspaces = await pollForWorkspaceCreation(apiUrl, accessToken);
+  }
+  let workspace;
+  if (workspaces.length === 1) {
+    workspace = workspaces[0];
+  } else {
+    workspace = await promptWorkspaceSelection(workspaces);
+  }
+  const result = await selectWorkspace(apiUrl, accessToken, workspace.id);
+  await config.update({
+    workspaceId: workspace.id,
+    workspaceSlug: workspace.slug,
+    gatewaySigningKey: result.signingKey ?? null
+  });
+  console.log(`
+✓ Connected to Pensar Console
+  Workspace: ${workspace.name} (${workspace.slug})
+  Credits: $${result.billing.balance.toFixed(2)}`);
+  if (!result.confirmed && result.billingUrl) {
+    console.log(`
+⚠ Your workspace needs credits. Add them at:
+  ${result.billingUrl}`);
+  } else if (result.billing.balance < 1) {
+    const billingUrl = `${getPensarConsoleUrl()}/${workspace.slug}/settings/billing`;
+    console.log(`
+⚠ Low credit balance. We recommend at least $30 for uninterrupted pentests.
+  Add credits: ${billingUrl}`);
+  }
+  console.log("\nPensar models are now available. Run `pensar` to get started.");
+}
+async function logout() {
+  const appConfig = await config.get();
+  if (!isConnected(appConfig)) {
+    console.log("Not currently connected to Pensar Console.");
+    return;
+  }
+  await disconnect();
+  console.log("✓ Disconnected from Pensar Console.");
+}
+async function status() {
+  const appConfig = await config.get();
+  if (!isConnected(appConfig)) {
+    console.log("Not connected to Pensar Console.\n\nRun `pensar auth login` to connect.");
+    return;
+  }
+  if (!appConfig.accessToken && appConfig.pensarAPIKey && !appConfig.workspaceSlug) {
+    try {
+      const apiUrl = getPensarApiUrl();
+      const res = await fetch(`${apiUrl}/auth/validate`, {
+        headers: { Authorization: `Bearer ${appConfig.pensarAPIKey}` }
+      });
+      if (res.ok) {
+        const data = await res.json();
+        if (data.workspace) {
+          await config.update({
+            workspaceId: data.workspace.id,
+            workspaceSlug: data.workspace.slug
+          });
+          appConfig.workspaceId = data.workspace.id;
+          appConfig.workspaceSlug = data.workspace.slug;
+        }
+      }
+    } catch {}
+  }
+  const authMethod = appConfig.accessToken ? "WorkOS" : "API key";
+  console.log(`✓ Connected to Pensar Console
+  Workspace: ${appConfig.workspaceSlug ?? "not set"}
+  Auth: ${authMethod}`);
+}
+function showHelp() {
+  console.log(`Pensar Auth — Connect to Pensar Console
+
+Usage:
+  pensar auth              Login to Pensar Console (or show status if connected)
+  pensar auth login        Login to Pensar Console
+  pensar auth logout       Disconnect from Pensar Console
+  pensar auth status       Show connection status
+
+Options:
+  -h, --help               Show this help message`);
+}
+async function main() {
+  const args = process.argv.slice(2);
+  const subcommand = args[0];
+  if (subcommand === "help" || subcommand === "--help" || subcommand === "-h") {
+    showHelp();
+    return;
+  }
+  try {
+    if (!subcommand || subcommand === "login") {
+      await login();
+    } else if (subcommand === "logout") {
+      await logout();
+    } else if (subcommand === "status") {
+      await status();
+    } else {
+      console.error(`Unknown auth subcommand: ${subcommand}`);
+      console.error("Run 'pensar auth --help' for usage information");
+      process.exit(1);
+    }
+  } catch (err) {
+    console.error(`
+Error: ${err instanceof Error ? err.message : String(err)}`);
+    process.exit(1);
+  }
+}
+main();

package/build/authentication-nya4td5k.js

@@ -0,0 +1,310 @@
+import {
+  detectOSAndEnhancePrompt
+} from "./cli-6gtnyaqf.js";
+import {
+  OffensiveSecurityAgent
+} from "./cli-r8r90gka.js";
+import"./cli-jh38b6zv.js";
+import {
+  hasToolCall
+} from "./cli-kqtgcdzn.js";
+import"./cli-j66pect7.js";
+import"./cli-bp6d08sg.js";
+import"./cli-jb0gcnrs.js";
+import"./cli-yj3dy0vg.js";
+import"./cli-15vxn9zj.js";
+import"./cli-7ckctq7a.js";
+import"./cli-8rxa073f.js";
+
+// src/core/agents/specialized/authenticationAgent/agent.ts
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
+
+// src/core/agents/specialized/authenticationAgent/prompts.ts
+var AUTH_SUBAGENT_SYSTEM_PROMPT = `You are an authentication specialist for autonomous penetration testing.
+
+# Mission
+
+Authenticate against the target using browser or API methods — whichever is applicable.
+Obtain valid credentials/sessions that other agents can use for authenticated testing.
+
+# Operating Mode
+
+- Fully autonomous — no human intervention
+- If you encounter barriers (CAPTCHA, MFA), report failure with details
+- Call \`complete_authentication\` when done (success or failure)
+
+# Available Tools
+
+## API Authentication
+- \`authenticate_session\` — Submit credentials via form POST, JSON POST, or HTTP Basic auth.
+  Params: loginUrl, username, password, method (form_post|json_post|basic_auth), usernameField, passwordField, additionalFields.
+- \`execute_command\` — Run curl or other shell commands for custom/complex API auth flows.
+
+## Browser Authentication
+- \`browser_navigate\` — Navigate to login page
+- \`browser_snapshot\` — Get page accessibility tree with element refs (REQUIRED before click/fill)
+- \`browser_fill\` — Fill a form field using its ref from the snapshot
+- \`browser_click\` — Click a button/link using its ref from the snapshot
+- \`browser_screenshot\` — Capture page state for verification
+- \`browser_evaluate\` — Run JS to extract tokens from localStorage/sessionStorage
+- \`browser_console\` — Check console output for errors
+- \`browser_get_cookies\` — Extract session cookies (including httpOnly)
+
+## Completion (two-step — BOTH are required)
+- \`complete_authentication\` — Persist cookies/headers to disk for downstream agents. Call this FIRST.
+- \`response\` — Submit your final structured result and end the run. Call this AFTER complete_authentication.
+- \`delegate_to_auth_subagent\` — Fallback for complex auth flows (OAuth, SAML, CSRF chains).
+  Use only if direct API and browser approaches both fail.
+
+# Strategy
+
+## Step 1: Determine the auth method
+
+If credentials AND a loginUrl hint are provided, skip probing and go straight to Step 2.
+
+Otherwise, probe the target to detect the auth mechanism:
+\`\`\`
+execute_command: curl -i -s -o /dev/null -w "%{http_code}" <target>
+\`\`\`
+
+Look for:
+- **401/403 response** → API auth likely. Check WWW-Authenticate header for Basic/Bearer.
+- **302 redirect to login page** → Browser or form-based auth.
+- **HTML with login form** → Browser-based or form POST auth.
+- **JSON error (e.g. "unauthorized")** → JSON API auth.
+
+## Step 2: Authenticate
+
+### API path (use when target is an API or has a simple form):
+1. Call \`authenticate_session\` with the correct method and credentials.
+   - \`form_post\` for HTML forms
+   - \`json_post\` for JSON APIs
+   - \`basic_auth\` for HTTP Basic
+2. Check the response — if authenticated is true, you have a session cookie.
+
+### Browser path (use for SPAs, OAuth, JS-rendered forms):
+1. \`browser_navigate\` to the login URL
+2. \`browser_snapshot\` to find form fields and their refs
+3. \`browser_fill\` the username/email field (use ref from snapshot)
+4. \`browser_snapshot\` again (page may update after input)
+5. \`browser_fill\` the password field
+6. \`browser_click\` the submit/login button
+7. \`browser_snapshot\` or \`browser_screenshot\` to verify the result
+8. \`browser_get_cookies\` to extract session cookies
+9. Optionally \`browser_evaluate\` to extract tokens from localStorage/sessionStorage:
+   \`\`\`javascript
+   (() => {
+     const tokens = {};
+     ['token', 'access_token', 'accessToken', 'auth_token', 'jwt', 'id_token'].forEach(key => {
+       const val = localStorage.getItem(key) || sessionStorage.getItem(key);
+       if (val) tokens[key] = val;
+     });
+     return JSON.stringify(tokens);
+   })()
+   \`\`\`
+
+### Fallback:
+If both API and browser approaches fail, use \`delegate_to_auth_subagent\` for complex flows.
+
+## Step 3: Complete (two-step)
+
+**First**, call \`complete_authentication\` with:
+- \`success\`: whether auth succeeded
+- \`summary\`: what happened and what credentials/cookies were obtained
+- \`exportedCookies\`: the cookie string for downstream HTTP requests (from browser_get_cookies cookieHeader or authenticate_session response)
+- \`exportedHeaders\`: auth headers map, e.g. {"Authorization": "Bearer <token>"} (from browser_evaluate localStorage tokens or API response)
+- \`strategy\`: method used ("browser", "form_post", "json_post", "basic_auth", "bearer")
+- \`authBarrier\`: if a barrier was encountered (captcha, mfa, etc.)
+
+CRITICAL: You MUST include exportedCookies and exportedHeaders when authentication succeeds.
+These are the ONLY way downstream agents receive the session credentials.
+- After browser auth: get cookies from \`browser_get_cookies\` (use the cookieHeader field) and tokens from \`browser_evaluate\`
+- After API auth: use the session cookie and any auth headers from the response
+
+**Then**, call the \`response\` tool with your final summary to end the run. This is required — complete_authentication persists the data, response terminates the agent.
+
+# Error Recovery
+
+If authentication fails:
+1. Try alternative field names (email vs username, passwd vs password)
+2. Check for CSRF token requirements (look in page source or hidden form fields)
+3. Verify the endpoint URL is correct
+4. Try a different method (form_post vs json_post)
+5. If all else fails, call \`complete_authentication\` with success=false
+
+## Rate Limiting
+
+If you encounter rate-limiting errors (e.g. "Rate limit exceeded", HTTP 429, "too many requests"):
+1. Do NOT give up or report failure immediately — rate limits are temporary
+2. Use \`execute_command\` to sleep and wait for the rate limit to reset: \`sleep 120\`
+3. After sleeping, retry the authentication attempt
+4. If rate-limited again, sleep for another 120 seconds and retry
+5. Continue this retry loop — be persistent. Only report failure after 5+ consecutive rate-limited retries
+6. NEVER treat rate-limiting as a finding or vulnerability — it is an operational obstacle to work through
+
+# Key Rules
+
+1. **Be direct** — if credentials are provided, authenticate immediately. Don't over-analyze.
+2. **Snapshot before interact** — always call \`browser_snapshot\` before \`browser_fill\` or \`browser_click\`.
+3. **Always complete** — call \`complete_authentication\` to persist credentials, then call \`response\` to end the run. Both are required.
+4. **No human intervention** — return failure instead of requesting input.
+5. **Don't log passwords** — never output actual password values in summaries.
+
+# Screenshot Evidence
+
+- Use \`browser_screenshot\` to capture the page state at key moments during authentication
+- **Always screenshot after login attempt** to document success (dashboard/welcome page) or failure (error message)
+- Screenshot any error pages, CAPTCHA challenges, MFA prompts, or unexpected barriers
+- Use descriptive filenames: "login-form", "auth-success", "auth-error", "mfa-prompt", "captcha-detected"
+- Screenshots are automatically stored and displayed in the console logs for debugging
+`;
+
+// src/core/agents/specialized/authenticationAgent/agent.ts
+class AuthenticationAgent extends OffensiveSecurityAgent {
+  constructor(opts) {
+    const {
+      model,
+      target,
+      session,
+      authHints,
+      authConfig,
+      onStepFinish,
+      abortSignal
+    } = opts;
+    const cm = session.credentialManager;
+    super({
+      system: detectOSAndEnhancePrompt(AUTH_SUBAGENT_SYSTEM_PROMPT),
+      prompt: buildAuthPrompt(target, authHints, cm),
+      model,
+      session,
+      target,
+      authConfig,
+      onStepFinish,
+      abortSignal,
+      toolChoice: "auto",
+      activeTools: [
+        "execute_command",
+        "authenticate_session",
+        "complete_authentication",
+        "browser_navigate",
+        "browser_snapshot",
+        "browser_screenshot",
+        "browser_click",
+        "browser_fill",
+        "browser_evaluate",
+        "browser_console",
+        "browser_get_cookies",
+        "email_list_inboxes",
+        "email_list_messages",
+        "email_search_messages",
+        "email_get_message",
+        "web_search",
+        "get_page"
+      ],
+      stopWhen: hasToolCall("complete_authentication"),
+      resolveResult: () => {
+        const authDataPath = join(session.rootPath, "auth", "auth-data.json");
+        return loadAuthResult(authDataPath);
+      }
+    });
+  }
+}
+function loadAuthResult(authDataPath) {
+  if (!existsSync(authDataPath)) {
+    return {
+      success: false,
+      summary: "Authentication completed but no auth-data.json was written.",
+      exportedCookies: "",
+      exportedHeaders: {},
+      strategy: "unknown",
+      authBarrier: undefined,
+      authDataPath: ""
+    };
+  }
+  try {
+    const raw = JSON.parse(readFileSync(authDataPath, "utf-8"));
+    return {
+      success: raw.authenticated ?? false,
+      summary: raw.summary ?? "Authentication process completed.",
+      exportedCookies: raw.cookies ?? "",
+      exportedHeaders: raw.headers ?? {},
+      strategy: raw.strategy ?? "unknown",
+      authBarrier: raw.authBarrier,
+      authDataPath
+    };
+  } catch {
+    return {
+      success: false,
+      summary: "Failed to parse auth-data.json.",
+      exportedCookies: "",
+      exportedHeaders: {},
+      strategy: "unknown",
+      authBarrier: undefined,
+      authDataPath
+    };
+  }
+}
+function buildAuthPrompt(target, authHints, credentialManager) {
+  const parts = [`TARGET: ${target}
+`];
+  const credBlock = credentialManager?.formatForPrompt();
+  if (credBlock) {
+    parts.push(credBlock);
+    parts.push("");
+  } else {
+    parts.push(`No credentials provided. Probe the target to discover auth requirements.
+`);
+  }
+  if (authHints) {
+    parts.push("AUTH HINTS:");
+    if (authHints.authScheme)
+      parts.push(`- Auth scheme: ${authHints.authScheme}`);
+    if (authHints.csrfRequired)
+      parts.push("- CSRF protection detected");
+    if (authHints.browserRequired)
+      parts.push("- Browser automation may be needed");
+    if (authHints.protectedEndpoints?.length) {
+      parts.push(`- Protected endpoints: ${authHints.protectedEndpoints.join(", ")}`);
+    }
+    parts.push("");
+  }
+  if (credBlock) {
+    parts.push(`INSTRUCTIONS:
+You have credentials available via credential IDs — authenticate immediately.
+1. Try authenticate_session first (pass the credentialId — secrets are resolved automatically)
+2. If authenticate_session fails, use browser tools. For browser_fill on password/secret fields,
+   pass credentialId + credentialField (e.g. credentialField="password") instead of the raw value —
+   the secret is resolved securely at execution time. NEVER type a password directly.
+3. Call complete_authentication with exported cookies/headers to persist credentials and end the run`);
+  } else {
+    parts.push(`INSTRUCTIONS:
+1. Probe the target with execute_command (curl) to determine the auth mechanism
+2. Attempt authentication with authenticate_session or the browser tools
+3. If that fails, try delegate_to_auth_subagent as a fallback
+4. Call complete_authentication with exported cookies/headers to persist credentials and end the run`);
+  }
+  return parts.join(`
+`);
+}
+async function runAuthenticationAgent(input) {
+  const agent = new AuthenticationAgent(input);
+  const result = await agent.consume({
+    onTextDelta: (d) => input.callbacks?.onTextDelta?.(d),
+    onToolCallStreaming: (d) => input.callbacks?.onToolCallStreaming?.(d),
+    onToolCallDelta: (d) => input.callbacks?.onToolCallDelta?.(d),
+    onToolCall: (d) => input.callbacks?.onToolCall?.(d),
+    onToolResult: (d) => input.callbacks?.onToolResult?.(d),
+    onError: (e) => input.callbacks?.onError?.(e),
+    subagentCallbacks: input.callbacks?.subagentCallbacks
+  });
+  console.log(`
+Authentication ${result.success ? "succeeded" : "failed"}: ${result.summary}`);
+  return result;
+}
+
+// src/core/api/authentication.ts
+var runAuthenticationAgent2 = runAuthenticationAgent;
+export {
+  runAuthenticationAgent2 as runAuthenticationAgent
+};

package/build/blackboxAgent-qa9ze2hn.js

@@ -0,0 +1,17 @@
+import {
+  BlackboxAttackSurfaceAgent
+} from "./cli-hmrzx8am.js";
+import"./cli-6gtnyaqf.js";
+import"./cli-r8r90gka.js";
+import"./cli-jh38b6zv.js";
+import"./cli-kqtgcdzn.js";
+import"./cli-j66pect7.js";
+import"./cli-bp6d08sg.js";
+import"./cli-jb0gcnrs.js";
+import"./cli-yj3dy0vg.js";
+import"./cli-15vxn9zj.js";
+import"./cli-7ckctq7a.js";
+import"./cli-8rxa073f.js";
+export {
+  BlackboxAttackSurfaceAgent
+};

package/build/blackboxPentest-85hwznet.js

@@ -0,0 +1,41 @@
+import {
+  runPentestWorkflow
+} from "./cli-f9shhcxf.js";
+import"./cli-e20q3hqz.js";
+import"./cli-w04ggbe4.js";
+import"./cli-2ckm5es2.js";
+import"./cli-hmrzx8am.js";
+import"./cli-6gtnyaqf.js";
+import"./cli-r8r90gka.js";
+import"./cli-jh38b6zv.js";
+import"./cli-kqtgcdzn.js";
+import"./cli-j66pect7.js";
+import"./cli-bp6d08sg.js";
+import"./cli-jb0gcnrs.js";
+import"./cli-yj3dy0vg.js";
+import"./cli-15vxn9zj.js";
+import"./cli-7ckctq7a.js";
+import"./cli-8rxa073f.js";
+
+// src/core/api/blackboxPentest.ts
+async function runPentestAgent(input) {
+  const { findings, findingsPath, pocsPath, reportPath } = await runPentestWorkflow({
+    target: input.target,
+    cwd: input.cwd,
+    model: input.model,
+    session: input.session,
+    authConfig: input.authConfig,
+    abortSignal: input.abortSignal,
+    callbacks: input.callbacks
+  });
+  console.log(`
+Found ${findings.length} vulnerabilities`);
+  console.log(`Findings: ${findingsPath}`);
+  console.log(`POCs: ${pocsPath}`);
+  if (reportPath)
+    console.log(`Report: ${reportPath}`);
+  return { findings, findingsPath, pocsPath, reportPath };
+}
+export {
+  runPentestAgent
+};