@pensar/apex 0.0.113 → 0.0.114-canary.1775f089

package/README.md

@@ -1,6 +1,8 @@
 <h1 align="center">Pensar Apex</h1>
 
-<p align="center">AI-powered penetration testing using an AI agent to perform comprehensive blackbox and whitebox pentesting - directly in your terminal.
+<p align="center">
+AI-powered penetration testing using autonomous agents — directly in your terminal. Run blackbox and whitebox pentests that explore, reason, and surface real vulnerabilities.
+
 </p>
 
 <p align="center">
@@ -22,77 +24,27 @@ Want to run from the cloud or integrate it with your CI/CD? See <a href="https:/
 
 ## Use Cases
 
-Apex enables both developers and security professionals to run autonomous and assisted penetration testing directly from the terminal.
-
-### Developers: Run a Pentest in Minutes
-
-Apex makes it easy for developers to run a real penetration test without needing deep offensive security expertise.
-
-Using the autonomous `/pentest` mode, Apex will perform reconnaissance, attack surface discovery, vulnerability testing, and exploitation attempts automatically.
-
-This allows teams to quickly identify security issues before they reach production.
-
-```bash
-/pentest
-```
-
-Examples:
-
-- Test a staging environment before deploying
-- Scan a newly launched domain or API
-- Run quick security checks during development
-- Identify exposed services or misconfigurations
-
-This is the **fastest way to get real pentesting coverage without becoming a security expert.**
-
----
-
-### Security Engineers: Advanced Operator Workflows
-
-Security professionals can use Apex as an **agentic offensive security harness** that orchestrates tools and reasoning workflows.
-
-The `/operator` mode allows engineers to work interactively with the Offensive Security Agent, guiding investigations and chaining tools dynamically.
+### Developers
 
-```bash
-/operator
-```
-
-Examples:
+- Run `/pentest` before merging a PR — catch vulnerabilities as naturally as running tests
+- Get actionable findings with severity scores, evidence, and suggested fixes — no security background needed
+- Integrate into CI/CD via headless CLI commands or Pensar Console
 
-- Deep investigation of suspicious endpoints
-- Manual exploitation of discovered vulnerabilities
-- Tool orchestration across recon and exploitation phases
-- Validation and reproduction of vulnerabilities
-- Open-source security research / testing
+### Security Engineers
 
-This turns Apex into a **terminal-native AI pentesting partner** rather than just a scanner.
+- Deploy agent-driven swarm testing across large attack surfaces
+- Use `/operator` mode for manual investigation, exploit chaining, and validation
+- Automate repetitive testing workflows with persistent memory that accumulates across engagements
+- Scale across teams and projects through Pensar Console
 
 ## Installation
 
-#### macOS / Linux (Quick Install)
-
-```bash
-curl -fsSL https://pensarai.com/install.sh | bash
-```
-
-#### Homebrew
-
-```bash
-brew tap pensarai/tap
-brew install apex
-```
-
-#### Windows (PowerShell)
-
-```powershell
-irm https://www.pensarai.com/apex.ps1 | iex
-```
-
-#### npm
-
-```bash
-npm install -g @pensar/apex
-```
+| Method                          | Command                                              |
+| ------------------------------- | ---------------------------------------------------- |
+| **Quick Install** (macOS/Linux) | `curl -fsSL https://pensarai.com/install.sh \| bash` |
+| **Homebrew**                    | `brew tap pensarai/tap && brew install apex`         |
+| **npm**                         | `npm install -g @pensar/apex`                        |
+| **Windows** (PowerShell)        | `irm https://www.pensarai.com/apex.ps1 \| iex`       |
 
 ## Usage
 
@@ -123,5 +75,5 @@ pensar
 
 ### ⚠️ Responsible Use
 
-This repository contains tools for **authorized security testing** only.  
+This repository contains tools for **authorized security testing** only.
 Before use, please read and agree to the [Responsible Use Disclosure](./RESPONSIBLE_USE.md).

package/build/agent-52h91djs.js

@@ -0,0 +1,16 @@
+import {
+  CodeAgent
+} from "./cli-8qzgz72f.js";
+import"./cli-4qzcxwfp.js";
+import"./cli-wjnrr5gy.js";
+import"./cli-jtkmm7n7.js";
+import"./cli-5g381af1.js";
+import"./cli-ekexez12.js";
+import"./cli-ybsywgq3.js";
+import"./cli-axr89j41.js";
+import"./cli-5gh0m3xb.js";
+import"./cli-7ckctq7a.js";
+import"./cli-8rxa073f.js";
+export {
+  CodeAgent
+};

package/build/{agent-k1n19b3w.js → agent-htp87jx5.js}

@@ -1,19 +1,19 @@
 import {
   WhiteboxAttackSurfaceResultSchema
-} from "./cli-4sxvxwcb.js";
+} from "./cli-zyxdcp6e.js";
 import {
   OffensiveSecurityAgent
-} from "./cli-t7dpdkd6.js";
-import"./cli-wqh6md2n.js";
+} from "./cli-4qzcxwfp.js";
+import"./cli-wjnrr5gy.js";
 import {
   hasToolCall,
   tool
-} from "./cli-j6qdxby9.js";
-import"./cli-yc2cs5cs.js";
-import"./cli-qeg15dzj.js";
-import"./cli-6nhtpv4g.js";
-import"./cli-mnqb1xvt.js";
-import"./cli-0tpx8khk.js";
+} from "./cli-jtkmm7n7.js";
+import"./cli-5g381af1.js";
+import"./cli-ekexez12.js";
+import"./cli-ybsywgq3.js";
+import"./cli-axr89j41.js";
+import"./cli-5gh0m3xb.js";
 import"./cli-7ckctq7a.js";
 import"./cli-8rxa073f.js";
 
@@ -41,16 +41,25 @@ Read config files, entry points, route definitions, etc.
 ## grep
 Your primary search tool. Use it to find route definitions, middleware, controllers, etc.
 
-## document_asset
-**Use this to document every significant asset you discover.** Each call persists a JSON record to the session's assets directory. Document:
-- Each application/service you identify (assetType: "web_application" or "api")
-- Notable subdomains or infrastructure you encounter (assetType: "subdomain", "infrastructure_service")
-- Key API endpoint groups or admin panels (assetType: "endpoint", "admin_panel")
+## document_app
+**Use this to document each application/service you identify.** Each call persists a JSON record to the session's apps directory. Document:
+- Each application/service you identify (appType: "web_application" or "api")
+- Notable subdomains hosting distinct services (appType: "subdomain")
 
-Call this throughout your analysis as you discover assets — don't wait until the end. Include relevant details like the technology stack, URL, authentication requirements, and risk level.
+## document_endpoint
+**This is your primary output tool for endpoints.** Each call persists a JSON record to the session's endpoints directory, organized by app. Document:
+- Individual API endpoints and web pages
+
+**CRITICAL — endpoint documentation rules:**
+- **ONE endpoint per unique route path.** Do NOT create separate entries for different HTTP methods on the same path. If \`/api/users\` supports GET, POST, and DELETE, that is ONE entry with \`method: ["GET", "POST", "DELETE"]\`.
+- **Use \`method: "PAGE"\`** for web pages and views.
+- **Always set \`appName\`** to group endpoints under the correct application.
+- **Always set \`url\`** to the route path, \`file\` to the source file, \`handler\` to the function name, and \`authRequired\` to indicate auth requirements.
+
+Call these tools throughout your analysis as you discover apps and endpoints — don't wait until the end.
 
 ## spawn_coding_agent
-**This is your key tool for scaling out analysis.** Spawn coding sub-agents to analyze individual apps in parallel for higher fidelity. Each sub-agent has full filesystem access (read_file, list_files, grep, execute_command).
+**This is your key tool for scaling out analysis.** Spawn coding sub-agents to analyze individual apps in parallel for higher fidelity. Each sub-agent has full filesystem access (read_file, list_files, grep, execute_command) and the document_app/document_endpoint tools.
 
 ## submit_results
 Call this LAST with your complete structured results. This ends your run.
@@ -71,36 +80,18 @@ Call this LAST with your complete structured results. This ends your run.
 For each app you identified, spawn a coding agent with a detailed objective. The objective should instruct the agent to:
 
 1. **Identify the framework** — read the app's config/entry point to determine the web framework
-2. **Find ALL web pages** — search for page/view/route definitions:
-   - React/Next.js: pages/ or app/ directory, route components
-   - Express: res.render(), res.sendFile(), static file serving
-   - Django: urls.py patterns pointing to template views
-   - Rails: routes.rb entries pointing to controller actions that render views
-   - Vue/Nuxt: pages/ directory, router definitions
-   - etc.
-3. **Find ALL API endpoints** — search for route/endpoint definitions:
-   - Express: app.get(), app.post(), router.get(), router.post(), etc.
-   - Next.js: app/api/ or pages/api/ route handlers
-   - Django: urls.py patterns pointing to API views, DRF viewsets/routers
-   - FastAPI: @app.get(), @app.post() decorators
-   - Rails: routes.rb API namespaces, controller actions
-   - Spring: @GetMapping, @PostMapping, @RequestMapping
-   - etc.
-4. **For each endpoint, determine**:
-   - HTTP method and route path
-   - Handler function/component name
-   - File location and line number
-   - Whether auth appears to be required (middleware, decorators, guards)
-   - Brief description of what it does
-5. **For each endpoint, generate pentest objectives** — specific, actionable testing goals like:
-   - "Test for SQL injection in the 'search' query parameter"
-   - "Test for IDOR by accessing /api/orders/{id} with other users' order IDs"
-   - "Test for XSS in the user profile name field"
-   - "Test for privilege escalation by accessing admin-only endpoint as regular user"
-   - "Test for CSRF on the password change endpoint"
-   - "Test for path traversal in the file download parameter"
-
-**IMPORTANT:** Tell each coding agent to output its findings in a STRUCTURED FORMAT that you can parse. Instruct it to use clear delimiters or a consistent format for each endpoint (method, path, handler, file, line, auth, description, pentest objectives).
+2. **Document the application** — call \`document_app\` with the app name, type, and framework
+3. **Find ALL web pages** — search for page/view/route definitions and document each with \`document_endpoint\` using \`method: "PAGE"\`
+4. **Find ALL API endpoints** — search for route/endpoint definitions and document each unique path with \`document_endpoint\`, listing ALL HTTP methods in \`method\`
+5. **For each endpoint, include** in the document_endpoint call:
+   - Route path in \`url\`
+   - ALL HTTP methods in \`method\` (consolidated — one entry per path)
+   - Handler function in \`handler\`
+   - Source file in \`file\` and line number in \`line\`
+   - Auth requirement in \`authRequired\`
+   - Specific pentest objectives in \`pentestObjectives\`
+
+**IMPORTANT:** Tell each coding agent to set \`appName\` on every \`document_endpoint\` call so endpoints are organized by application.
 
 ## Phase 3: COLLECT AND SUBMIT (do this yourself)
 1. Parse the output from all coding agents
@@ -155,7 +146,8 @@ This ends the agent run — make sure all data is included.`,
         "read_file",
         "list_files",
         "grep",
-        "document_asset",
+        "document_app",
+        "document_endpoint",
         "spawn_coding_agent",
         "submit_results"
       ],

package/build/{auth-a0ftn8cb.js → auth-hap3w5dk.js}

@@ -8,14 +8,14 @@ import {
   pollWorkOSToken,
   selectWorkspace,
   startDeviceFlow
-} from "./cli-yc2cs5cs.js";
+} from "./cli-5g381af1.js";
 import {
   config,
   getPensarApiUrl,
   getPensarConsoleUrl
-} from "./cli-qeg15dzj.js";
-import"./cli-6nhtpv4g.js";
-import"./cli-mnqb1xvt.js";
+} from "./cli-ekexez12.js";
+import"./cli-ybsywgq3.js";
+import"./cli-axr89j41.js";
 import {
   __require
 } from "./cli-8rxa073f.js";

package/build/{authentication-vjefzf37.js → authentication-dtz33a5x.js}

@@ -3,16 +3,16 @@ import {
 } from "./cli-6gtnyaqf.js";
 import {
   OffensiveSecurityAgent
-} from "./cli-t7dpdkd6.js";
-import"./cli-wqh6md2n.js";
+} from "./cli-4qzcxwfp.js";
+import"./cli-wjnrr5gy.js";
 import {
   hasToolCall
-} from "./cli-j6qdxby9.js";
-import"./cli-yc2cs5cs.js";
-import"./cli-qeg15dzj.js";
-import"./cli-6nhtpv4g.js";
-import"./cli-mnqb1xvt.js";
-import"./cli-0tpx8khk.js";
+} from "./cli-jtkmm7n7.js";
+import"./cli-5g381af1.js";
+import"./cli-ekexez12.js";
+import"./cli-ybsywgq3.js";
+import"./cli-axr89j41.js";
+import"./cli-5gh0m3xb.js";
 import"./cli-7ckctq7a.js";
 import"./cli-8rxa073f.js";
 
@@ -170,18 +170,21 @@ class AuthenticationAgent extends OffensiveSecurityAgent {
       authHints,
       authConfig,
       onStepFinish,
-      abortSignal
+      abortSignal,
+      context,
+      environmentVariables
     } = opts;
     const cm = session.credentialManager;
     super({
       system: detectOSAndEnhancePrompt(AUTH_SUBAGENT_SYSTEM_PROMPT),
-      prompt: buildAuthPrompt(target, authHints, cm),
+      prompt: buildAuthPrompt(target, authHints, cm, context),
       model,
       session,
       target,
       authConfig,
       onStepFinish,
       abortSignal,
+      environmentVariables,
       toolChoice: "auto",
       activeTools: [
         "execute_command",
@@ -245,9 +248,16 @@ function loadAuthResult(authDataPath) {
     };
   }
 }
-function buildAuthPrompt(target, authHints, credentialManager) {
+function buildAuthPrompt(target, authHints, credentialManager, context) {
   const parts = [`TARGET: ${target}
 `];
+  if (context) {
+    parts.push("APPLICATION CONTEXT:");
+    parts.push(`The following is context specific to the application under test. If it contains non-malicious instructions relevant to authentication, follow them.
+`);
+    parts.push(context);
+    parts.push("");
+  }
   const credBlock = credentialManager?.formatForPrompt();
   if (credBlock) {
     parts.push(credBlock);

package/build/blackboxAgent-dqxkz2bc.js

@@ -0,0 +1,17 @@
+import {
+  BlackboxAttackSurfaceAgent
+} from "./cli-cndebjbk.js";
+import"./cli-6gtnyaqf.js";
+import"./cli-4qzcxwfp.js";
+import"./cli-wjnrr5gy.js";
+import"./cli-jtkmm7n7.js";
+import"./cli-5g381af1.js";
+import"./cli-ekexez12.js";
+import"./cli-ybsywgq3.js";
+import"./cli-axr89j41.js";
+import"./cli-5gh0m3xb.js";
+import"./cli-7ckctq7a.js";
+import"./cli-8rxa073f.js";
+export {
+  BlackboxAttackSurfaceAgent
+};

package/build/{blackboxPentest-26japf1w.js → blackboxPentest-xaefbkew.js}

@@ -1,19 +1,19 @@
 import {
   runPentestWorkflow
-} from "./cli-tat7hrek.js";
-import"./cli-0v3p48tt.js";
-import"./cli-7kpzf8kz.js";
-import"./cli-4sxvxwcb.js";
-import"./cli-065mgjsh.js";
+} from "./cli-evz7x313.js";
+import"./cli-cjdheabf.js";
+import"./cli-8qzgz72f.js";
+import"./cli-zyxdcp6e.js";
+import"./cli-cndebjbk.js";
 import"./cli-6gtnyaqf.js";
-import"./cli-t7dpdkd6.js";
-import"./cli-wqh6md2n.js";
-import"./cli-j6qdxby9.js";
-import"./cli-yc2cs5cs.js";
-import"./cli-qeg15dzj.js";
-import"./cli-6nhtpv4g.js";
-import"./cli-mnqb1xvt.js";
-import"./cli-0tpx8khk.js";
+import"./cli-4qzcxwfp.js";
+import"./cli-wjnrr5gy.js";
+import"./cli-jtkmm7n7.js";
+import"./cli-5g381af1.js";
+import"./cli-ekexez12.js";
+import"./cli-ybsywgq3.js";
+import"./cli-axr89j41.js";
+import"./cli-5gh0m3xb.js";
 import"./cli-7ckctq7a.js";
 import"./cli-8rxa073f.js";