@pensar/apex 0.0.112 → 0.0.113-canary.8a0cb7bc

package/README.md

@@ -1,6 +1,8 @@
 <h1 align="center">Pensar Apex</h1>
 
-<p align="center">AI-powered penetration testing using an AI agent to perform comprehensive blackbox and whitebox pentesting - directly in your terminal.
+<p align="center">
+AI-powered penetration testing using autonomous agents — directly in your terminal. Run blackbox and whitebox pentests that explore, reason, and surface real vulnerabilities.
+
 </p>
 
 <p align="center">
@@ -19,53 +21,49 @@ Want to run from the cloud or integrate it with your CI/CD? See <a href="https:/
 <!-- <p align="center">
   <img src="screenshot.png" alt="Pensar Apex Screenshot" width="800">
 </p> -->
+## What is Apex?
 
-## Use Cases
+Apex is an autonomous penetration testing agent that runs directly in your terminal.
 
-Apex enables both developers and security professionals to run autonomous and assisted penetration testing directly from the terminal.
+It doesn't wrap existing scanners or chain shell scripts. Apex deploys a **swarm of specialized AI agents** — each with domain expertise in reconnaissance, authentication analysis, exploitation, and code review — that coordinate a real penetration test against your application. Each agent follows a structured methodology: plan, verify, prepare, test, exploit, and document. Every finding comes with CVSS 4.0 scoring, CWE classification, evidence, and a validated proof-of-concept.
 
-### Developers: Run a Pentest in Minutes
+The result is a pentest that runs like `npm test` — but thinks like a red team.
 
-Apex makes it easy for developers to run a real penetration test without needing deep offensive security expertise.
+## Why Apex?
 
-Using the autonomous `/pentest` mode, Apex will perform reconnaissance, attack surface discovery, vulnerability testing, and exploitation attempts automatically.
+Traditional scanners execute signatures. Apex executes a methodology.
 
-This allows teams to quickly identify security issues before they reach production.
+- **Swarm architecture** - Specialized agents run in parallel across your attack surface, the same way a real red team divides and conquers. Up to 10 concurrent agents, each scoped to a specific objective.
+- **Structured, auditable output** - Every vulnerability is automatically scored (CVSS 4.0), classified (CWE), and documented with evidence and remediation steps. No raw tool dumps.
+- **Real exploitation, not guesswork** - Apex writes, runs, and validates proof-of-concept scripts. If the PoC doesn't succeed, it pivots to a different technique.
+- **Blackbox and whitebox** - Test a live target with no source access, or analyze your codebase to map endpoints and test them against a running instance.
+- **30+ built-in tools** - Browser automation, shell execution, HTTP requests, file analysis, web search for CVE lookups, authenticated crawling, and more. Optional Kali Linux container adds 25+ offensive security tools (nmap, sqlmap, hydra, hashcat, gobuster, and others).
 
-```bash
-/pentest
-```
+## Two Modes
 
-Examples:
+### `/pentest` — Autonomous
 
-- Test a staging environment before deploying
-- Scan a newly launched domain or API
-- Run quick security checks during development
-- Identify exposed services or misconfigurations
+Fire and forget. Apex runs a full engagement end-to-end: attack surface discovery, parallel swarm testing, and a structured report with findings in Markdown and JSON. No security expertise required.
 
-This is the **fastest way to get real pentesting coverage without becoming a security expert.**
+### `/operator` — Interactive
 
----
+Full control. Steer the agent step by step, approve each action, chain exploits manually, and dig deep into specific targets. Every tool is available. The approval gate holds until you say go.
 
-### Security Engineers: Advanced Operator Workflows
+Start with `/pentest` to get coverage, then reopen the session in `/operator` to investigate specific findings — all context carries over.
 
-Security professionals can use Apex as an **agentic offensive security harness** that orchestrates tools and reasoning workflows.
-
-The `/operator` mode allows engineers to work interactively with the Offensive Security Agent, guiding investigations and chaining tools dynamically.
-
-```bash
-/operator
-```
+## Use Cases
 
-Examples:
+### Developers
+- Run `/pentest` before merging a PR — catch vulnerabilities as naturally as running tests
+- Get actionable findings with severity scores, evidence, and suggested fixes — no security background needed
+- Integrate into CI/CD via headless CLI commands or Pensar Console
 
-- Deep investigation of suspicious endpoints
-- Manual exploitation of discovered vulnerabilities
-- Tool orchestration across recon and exploitation phases
-- Validation and reproduction of vulnerabilities
-- Open-source security research / testing
+### Security Engineers
+- Deploy agent-driven swarm testing across large attack surfaces
+- Use `/operator` mode for manual investigation, exploit chaining, and validation
+- Automate repetitive testing workflows with persistent memory that accumulates across engagements
+- Scale across teams and projects through Pensar Console
 
-This turns Apex into a **terminal-native AI pentesting partner** rather than just a scanner.
 
 ## Installation
 
@@ -82,17 +80,18 @@ brew tap pensarai/tap
 brew install apex
 ```
 
+#### npm
+
+```bash
+npm install -g @pensar/apex
+```
+
 #### Windows (PowerShell)
 
 ```powershell
 irm https://www.pensarai.com/apex.ps1 | iex
 ```
 
-#### npm
-
-```bash
-npm install -g @pensar/apex
-```
 
 ## Usage
 

package/build/agent-5nnw5gdw.js

@@ -0,0 +1,16 @@
+import {
+  CodeAgent
+} from "./cli-8yze7t68.js";
+import"./cli-khem6ept.js";
+import"./cli-8sm33f4k.js";
+import"./cli-5ekr1ws4.js";
+import"./cli-9tzcmrd4.js";
+import"./cli-16m30n7b.js";
+import"./cli-3tntsb59.js";
+import"./cli-8q94bv77.js";
+import"./cli-0tpx8khk.js";
+import"./cli-7ckctq7a.js";
+import"./cli-8rxa073f.js";
+export {
+  CodeAgent
+};

package/build/{agent-5qdmmchx.js → agent-bmamdgbm.js}

@@ -1,19 +1,19 @@
 import {
   WhiteboxAttackSurfaceResultSchema
-} from "./cli-2ckm5es2.js";
+} from "./cli-renwxhw7.js";
 import {
   OffensiveSecurityAgent
-} from "./cli-r8r90gka.js";
-import"./cli-jh38b6zv.js";
+} from "./cli-khem6ept.js";
+import"./cli-8sm33f4k.js";
 import {
   hasToolCall,
   tool
-} from "./cli-kqtgcdzn.js";
-import"./cli-j66pect7.js";
-import"./cli-bp6d08sg.js";
-import"./cli-jb0gcnrs.js";
-import"./cli-yj3dy0vg.js";
-import"./cli-15vxn9zj.js";
+} from "./cli-5ekr1ws4.js";
+import"./cli-9tzcmrd4.js";
+import"./cli-16m30n7b.js";
+import"./cli-3tntsb59.js";
+import"./cli-8q94bv77.js";
+import"./cli-0tpx8khk.js";
 import"./cli-7ckctq7a.js";
 import"./cli-8rxa073f.js";
 

package/build/{auth-jvq72ekc.js → auth-ynsrm9bf.js}

@@ -8,14 +8,14 @@ import {
   pollWorkOSToken,
   selectWorkspace,
   startDeviceFlow
-} from "./cli-j66pect7.js";
+} from "./cli-9tzcmrd4.js";
 import {
   config,
   getPensarApiUrl,
   getPensarConsoleUrl
-} from "./cli-bp6d08sg.js";
-import"./cli-jb0gcnrs.js";
-import"./cli-yj3dy0vg.js";
+} from "./cli-16m30n7b.js";
+import"./cli-3tntsb59.js";
+import"./cli-8q94bv77.js";
 import {
   __require
 } from "./cli-8rxa073f.js";
@@ -172,9 +172,10 @@ If the browser didn't open, visit: ${consoleUrl}/create-workspace?redirect=/cred
 ✓ Connected to Pensar Console
   Workspace: ${workspace.name} (${workspace.slug})
   Credits: $${result.billing.balance.toFixed(2)}`);
-  if (!result.confirmed && result.billingUrl) {
+  const needsBillingSetup = !result.billing.ready && result.billing.balance <= 0 && !!result.billingUrl;
+  if (needsBillingSetup && result.billingUrl) {
     console.log(`
-⚠ Your workspace needs credits. Add them at:
+⚠ Your workspace billing setup is not ready yet. Finish setup at:
   ${result.billingUrl}`);
   } else if (result.billing.balance < 1) {
     const billingUrl = `${getPensarConsoleUrl()}/${workspace.slug}/settings/billing`;

package/build/{authentication-nya4td5k.js → authentication-b5h01t7q.js}

@@ -3,16 +3,16 @@ import {
 } from "./cli-6gtnyaqf.js";
 import {
   OffensiveSecurityAgent
-} from "./cli-r8r90gka.js";
-import"./cli-jh38b6zv.js";
+} from "./cli-khem6ept.js";
+import"./cli-8sm33f4k.js";
 import {
   hasToolCall
-} from "./cli-kqtgcdzn.js";
-import"./cli-j66pect7.js";
-import"./cli-bp6d08sg.js";
-import"./cli-jb0gcnrs.js";
-import"./cli-yj3dy0vg.js";
-import"./cli-15vxn9zj.js";
+} from "./cli-5ekr1ws4.js";
+import"./cli-9tzcmrd4.js";
+import"./cli-16m30n7b.js";
+import"./cli-3tntsb59.js";
+import"./cli-8q94bv77.js";
+import"./cli-0tpx8khk.js";
 import"./cli-7ckctq7a.js";
 import"./cli-8rxa073f.js";
 

package/build/blackboxAgent-91vnvpa8.js

@@ -0,0 +1,17 @@
+import {
+  BlackboxAttackSurfaceAgent
+} from "./cli-0atrar08.js";
+import"./cli-6gtnyaqf.js";
+import"./cli-khem6ept.js";
+import"./cli-8sm33f4k.js";
+import"./cli-5ekr1ws4.js";
+import"./cli-9tzcmrd4.js";
+import"./cli-16m30n7b.js";
+import"./cli-3tntsb59.js";
+import"./cli-8q94bv77.js";
+import"./cli-0tpx8khk.js";
+import"./cli-7ckctq7a.js";
+import"./cli-8rxa073f.js";
+export {
+  BlackboxAttackSurfaceAgent
+};

package/build/{blackboxPentest-85hwznet.js → blackboxPentest-xtevpnvk.js}

@@ -1,19 +1,19 @@
 import {
   runPentestWorkflow
-} from "./cli-f9shhcxf.js";
-import"./cli-e20q3hqz.js";
-import"./cli-w04ggbe4.js";
-import"./cli-2ckm5es2.js";
-import"./cli-hmrzx8am.js";
+} from "./cli-ee7y516a.js";
+import"./cli-vzq3vcqa.js";
+import"./cli-8yze7t68.js";
+import"./cli-renwxhw7.js";
+import"./cli-0atrar08.js";
 import"./cli-6gtnyaqf.js";
-import"./cli-r8r90gka.js";
-import"./cli-jh38b6zv.js";
-import"./cli-kqtgcdzn.js";
-import"./cli-j66pect7.js";
-import"./cli-bp6d08sg.js";
-import"./cli-jb0gcnrs.js";
-import"./cli-yj3dy0vg.js";
-import"./cli-15vxn9zj.js";
+import"./cli-khem6ept.js";
+import"./cli-8sm33f4k.js";
+import"./cli-5ekr1ws4.js";
+import"./cli-9tzcmrd4.js";
+import"./cli-16m30n7b.js";
+import"./cli-3tntsb59.js";
+import"./cli-8q94bv77.js";
+import"./cli-0tpx8khk.js";
 import"./cli-7ckctq7a.js";
 import"./cli-8rxa073f.js";
 

package/build/{cli-hmrzx8am.js → cli-0atrar08.js}

@@ -3,11 +3,11 @@ import {
 } from "./cli-6gtnyaqf.js";
 import {
   OffensiveSecurityAgent
-} from "./cli-r8r90gka.js";
+} from "./cli-khem6ept.js";
 import {
   hasToolCall,
   stepCountIs
-} from "./cli-kqtgcdzn.js";
+} from "./cli-5ekr1ws4.js";
 
 // src/core/agents/specialized/attackSurface/blackboxAgent.ts
 import { join } from "path";
@@ -279,10 +279,13 @@ For each asset, include:
 - Technology stack (only what you have evidence for)
 - Authentication requirements
 - Risk level (LOW / MEDIUM / HIGH / CRITICAL)
+- \`pentestObjectives\` — specific pentest objectives (see 5b below)
 
-## 5b. Identify pentest objectives
+## 5b. Include pentest objectives with every asset
 
-For each asset, determine what a pentest agent should test. Map asset types to specific vulnerability classes:
+**Every \`document_asset\` call MUST include a \`pentestObjectives\` array.** These objectives are passed directly to pentest agents downstream — they define exactly what each agent will test. An asset without objectives will not be pentested.
+
+Map asset types to specific vulnerability classes:
 
 | Asset Type | Test For |
 |---|---|
@@ -297,8 +300,8 @@ For each asset, determine what a pentest agent should test. Map asset types to s
 | Encrypted session tokens | Cipher mode attacks, padding oracle, session forgery |
 
 Write objectives that are **specific**, not vague:
-- Good: "Test for IDOR in /api/orders/{id} — verify whether user A can access user B's orders by manipulating the order ID"
-- Bad: "Test for vulnerabilities"
+- Good: \`pentestObjectives: ["Test for IDOR in /api/orders/{id} — verify whether user A can access user B's orders by manipulating the order ID"]\`
+- Bad: \`pentestObjectives: ["Test for vulnerabilities"]\`
 
 ## 5c. Include authentication info with every target
 

package/build/{cli-15vxn9zj.js → cli-0tpx8khk.js}

@@ -238,30 +238,6 @@ var OPENAI_MODELS = [
     provider: "openai",
     contextLength: 128000
   },
-  {
-    id: "gpt-4-turbo",
-    name: "GPT-4-turbo",
-    provider: "openai",
-    contextLength: 128000
-  },
-  {
-    id: "gpt-4-turbo-2024-04-09",
-    name: "GPT-4-turbo-2024-04-09",
-    provider: "openai",
-    contextLength: 128000
-  },
-  {
-    id: "gpt-4",
-    name: "GPT-4",
-    provider: "openai",
-    contextLength: 8192
-  },
-  {
-    id: "gpt-4-0613",
-    name: "GPT-4-0613",
-    provider: "openai",
-    contextLength: 8192
-  },
   {
     id: "gpt-3.5-turbo-0125",
     name: "GPT-3.5-turbo-0125",
@@ -286,12 +262,6 @@ var OPENAI_MODELS = [
     provider: "openai",
     contextLength: 16385
   },
-  {
-    id: "chatgpt-4o-latest",
-    name: "ChatGPT-4o (Latest)",
-    provider: "openai",
-    contextLength: 128000
-  },
   {
     id: "gpt-5",
     name: "GPT-5",
@@ -381,6 +351,36 @@ var OPENAI_MODELS = [
     name: "GPT-5.2-pro-2025-12-11",
     provider: "openai",
     contextLength: 200000
+  },
+  {
+    id: "gpt-5.3-chat-latest",
+    name: "GPT-5.3-chat (Latest)",
+    provider: "openai",
+    contextLength: 200000
+  },
+  {
+    id: "gpt-5.4",
+    name: "GPT-5.4",
+    provider: "openai",
+    contextLength: 200000
+  },
+  {
+    id: "gpt-5.4-2026-03-05",
+    name: "GPT-5.4-2026-03-05",
+    provider: "openai",
+    contextLength: 200000
+  },
+  {
+    id: "gpt-5.4-pro",
+    name: "GPT-5.4-pro",
+    provider: "openai",
+    contextLength: 200000
+  },
+  {
+    id: "gpt-5.4-pro-2026-03-05",
+    name: "GPT-5.4-pro-2026-03-05",
+    provider: "openai",
+    contextLength: 200000
   }
 ];
 

package/build/{cli-bp6d08sg.js → cli-16m30n7b.js}

@@ -2,7 +2,7 @@ import {
   get,
   init,
   update
-} from "./cli-jb0gcnrs.js";
+} from "./cli-3tntsb59.js";
 
 // src/core/api/constants.ts
 var PENSAR_API_BASE_URL = "https://api.pensar.dev";

package/build/{cli-jb0gcnrs.js → cli-3tntsb59.js}

@@ -1,6 +1,6 @@
 import {
   getCurrentVersion
-} from "./cli-yj3dy0vg.js";
+} from "./cli-8q94bv77.js";
 
 // src/core/config/config.ts
 import os from "os";