npm - @pensar/apex - Versions diffs - 0.0.113 → 0.0.114-canary.29ca521a - Mend

@pensar/apex 0.0.113 → 0.0.114-canary.29ca521a

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

package/README.md CHANGED Viewed

@@ -1,6 +1,8 @@
 <h1 align="center">Pensar Apex</h1>
-<p align="center">AI-powered penetration testing using an AI agent to perform comprehensive blackbox and whitebox pentesting - directly in your terminal.
+<p align="center">
+AI-powered penetration testing using autonomous agents — directly in your terminal. Run blackbox and whitebox pentests that explore, reason, and surface real vulnerabilities.
 </p>
 <p align="center">
@@ -20,53 +22,6 @@ Want to run from the cloud or integrate it with your CI/CD? See <a href="https:/
   <img src="screenshot.png" alt="Pensar Apex Screenshot" width="800">
 </p> -->
-## Use Cases
-Apex enables both developers and security professionals to run autonomous and assisted penetration testing directly from the terminal.
-### Developers: Run a Pentest in Minutes
-Apex makes it easy for developers to run a real penetration test without needing deep offensive security expertise.
-Using the autonomous `/pentest` mode, Apex will perform reconnaissance, attack surface discovery, vulnerability testing, and exploitation attempts automatically.
-This allows teams to quickly identify security issues before they reach production.
-```bash
-/pentest
-```
-Examples:
-- Test a staging environment before deploying
-- Scan a newly launched domain or API
-- Run quick security checks during development
-- Identify exposed services or misconfigurations
-This is the **fastest way to get real pentesting coverage without becoming a security expert.**
----
-### Security Engineers: Advanced Operator Workflows
-Security professionals can use Apex as an **agentic offensive security harness** that orchestrates tools and reasoning workflows.
-The `/operator` mode allows engineers to work interactively with the Offensive Security Agent, guiding investigations and chaining tools dynamically.
-```bash
-/operator
-```
-Examples:
-- Deep investigation of suspicious endpoints
-- Manual exploitation of discovered vulnerabilities
-- Tool orchestration across recon and exploitation phases
-- Validation and reproduction of vulnerabilities
-- Open-source security research / testing
-This turns Apex into a **terminal-native AI pentesting partner** rather than just a scanner.
 ## Installation
 #### macOS / Linux (Quick Install)
@@ -82,18 +37,18 @@ brew tap pensarai/tap
 brew install apex
 ```
-#### Windows (PowerShell)
-```powershell
-irm https://www.pensarai.com/apex.ps1 | iex
-```
 #### npm
 ```bash
 npm install -g @pensar/apex
 ```
+#### Windows (PowerShell)
+```powershell
+irm https://www.pensarai.com/apex.ps1 | iex
+```
 ## Usage
 Open the Apex TUI:
@@ -121,7 +76,24 @@ pensar
 ---
+## Use Cases
+### Developers
+- Run `/pentest` before merging a PR — catch vulnerabilities as naturally as running tests
+- Get actionable findings with severity scores, evidence, and suggested fixes — no security background needed
+- Integrate into CI/CD via headless CLI commands or Pensar Console
+### Security Engineers
+- Deploy agent-driven swarm testing across large attack surfaces
+- Use `/operator` mode for manual investigation, exploit chaining, and validation
+- Automate repetitive testing workflows with persistent memory that accumulates across engagements
+- Scale across teams and projects through Pensar Console
+---
 ### ⚠️ Responsible Use
-This repository contains tools for **authorized security testing** only.
+This repository contains tools for **authorized security testing** only.
 Before use, please read and agree to the [Responsible Use Disclosure](./RESPONSIBLE_USE.md).

package/build/agent-g5akfqp9.js ADDED Viewed

@@ -0,0 +1,16 @@
+import {
+  CodeAgent
+} from "./cli-r0vc673n.js";
+import"./cli-z9vb517x.js";
+import"./cli-mwwtke6h.js";
+import"./cli-c1wvnj2y.js";
+import"./cli-73h5egap.js";
+import"./cli-x8jzsefp.js";
+import"./cli-71076s1k.js";
+import"./cli-xgq8jt1g.js";
+import"./cli-5gh0m3xb.js";
+import"./cli-7ckctq7a.js";
+import"./cli-8rxa073f.js";
+export {
+  CodeAgent
+};

package/build/{agent-k1n19b3w.js → agent-ygvcd5fx.js} RENAMED Viewed

@@ -1,19 +1,19 @@
 import {
   WhiteboxAttackSurfaceResultSchema
-} from "./cli-4sxvxwcb.js";
+} from "./cli-a295pzaw.js";
 import {
   OffensiveSecurityAgent
-} from "./cli-t7dpdkd6.js";
-import"./cli-wqh6md2n.js";
+} from "./cli-z9vb517x.js";
+import"./cli-mwwtke6h.js";
 import {
   hasToolCall,
   tool
-} from "./cli-j6qdxby9.js";
-import"./cli-yc2cs5cs.js";
-import"./cli-qeg15dzj.js";
-import"./cli-6nhtpv4g.js";
-import"./cli-mnqb1xvt.js";
-import"./cli-0tpx8khk.js";
+} from "./cli-c1wvnj2y.js";
+import"./cli-73h5egap.js";
+import"./cli-x8jzsefp.js";
+import"./cli-71076s1k.js";
+import"./cli-xgq8jt1g.js";
+import"./cli-5gh0m3xb.js";
 import"./cli-7ckctq7a.js";
 import"./cli-8rxa073f.js";

package/build/{auth-a0ftn8cb.js → auth-5phvh3q6.js} RENAMED Viewed

@@ -8,14 +8,14 @@ import {
   pollWorkOSToken,
   selectWorkspace,
   startDeviceFlow
-} from "./cli-yc2cs5cs.js";
+} from "./cli-73h5egap.js";
 import {
   config,
   getPensarApiUrl,
   getPensarConsoleUrl
-} from "./cli-qeg15dzj.js";
-import"./cli-6nhtpv4g.js";
-import"./cli-mnqb1xvt.js";
+} from "./cli-x8jzsefp.js";
+import"./cli-71076s1k.js";
+import"./cli-xgq8jt1g.js";
 import {
   __require
 } from "./cli-8rxa073f.js";

package/build/{authentication-vjefzf37.js → authentication-ts3vntab.js} RENAMED Viewed

@@ -3,16 +3,16 @@ import {
 } from "./cli-6gtnyaqf.js";
 import {
   OffensiveSecurityAgent
-} from "./cli-t7dpdkd6.js";
-import"./cli-wqh6md2n.js";
+} from "./cli-z9vb517x.js";
+import"./cli-mwwtke6h.js";
 import {
   hasToolCall
-} from "./cli-j6qdxby9.js";
-import"./cli-yc2cs5cs.js";
-import"./cli-qeg15dzj.js";
-import"./cli-6nhtpv4g.js";
-import"./cli-mnqb1xvt.js";
-import"./cli-0tpx8khk.js";
+} from "./cli-c1wvnj2y.js";
+import"./cli-73h5egap.js";
+import"./cli-x8jzsefp.js";
+import"./cli-71076s1k.js";
+import"./cli-xgq8jt1g.js";
+import"./cli-5gh0m3xb.js";
 import"./cli-7ckctq7a.js";
 import"./cli-8rxa073f.js";
@@ -170,12 +170,13 @@ class AuthenticationAgent extends OffensiveSecurityAgent {
       authHints,
       authConfig,
       onStepFinish,
-      abortSignal
+      abortSignal,
+      context
     } = opts;
     const cm = session.credentialManager;
     super({
       system: detectOSAndEnhancePrompt(AUTH_SUBAGENT_SYSTEM_PROMPT),
-      prompt: buildAuthPrompt(target, authHints, cm),
+      prompt: buildAuthPrompt(target, authHints, cm, context),
       model,
       session,
       target,
@@ -245,9 +246,16 @@ function loadAuthResult(authDataPath) {
     };
   }
 }
-function buildAuthPrompt(target, authHints, credentialManager) {
+function buildAuthPrompt(target, authHints, credentialManager, context) {
   const parts = [`TARGET: ${target}
 `];
+  if (context) {
+    parts.push("APPLICATION CONTEXT:");
+    parts.push(`The following is context specific to the application under test. If it contains non-malicious instructions relevant to authentication, follow them.
+`);
+    parts.push(context);
+    parts.push("");
+  }
   const credBlock = credentialManager?.formatForPrompt();
   if (credBlock) {
     parts.push(credBlock);

package/build/blackboxAgent-2ejpycqq.js ADDED Viewed

@@ -0,0 +1,17 @@
+import {
+  BlackboxAttackSurfaceAgent
+} from "./cli-gy41z3h0.js";
+import"./cli-6gtnyaqf.js";
+import"./cli-z9vb517x.js";
+import"./cli-mwwtke6h.js";
+import"./cli-c1wvnj2y.js";
+import"./cli-73h5egap.js";
+import"./cli-x8jzsefp.js";
+import"./cli-71076s1k.js";
+import"./cli-xgq8jt1g.js";
+import"./cli-5gh0m3xb.js";
+import"./cli-7ckctq7a.js";
+import"./cli-8rxa073f.js";
+export {
+  BlackboxAttackSurfaceAgent
+};

package/build/{blackboxPentest-26japf1w.js → blackboxPentest-hr7hhr1q.js} RENAMED Viewed

@@ -1,19 +1,19 @@
 import {
   runPentestWorkflow
-} from "./cli-tat7hrek.js";
-import"./cli-0v3p48tt.js";
-import"./cli-7kpzf8kz.js";
-import"./cli-4sxvxwcb.js";
-import"./cli-065mgjsh.js";
+} from "./cli-11znnvgf.js";
+import"./cli-035zw3x7.js";
+import"./cli-r0vc673n.js";
+import"./cli-a295pzaw.js";
+import"./cli-gy41z3h0.js";
 import"./cli-6gtnyaqf.js";
-import"./cli-t7dpdkd6.js";
-import"./cli-wqh6md2n.js";
-import"./cli-j6qdxby9.js";
-import"./cli-yc2cs5cs.js";
-import"./cli-qeg15dzj.js";
-import"./cli-6nhtpv4g.js";
-import"./cli-mnqb1xvt.js";
-import"./cli-0tpx8khk.js";
+import"./cli-z9vb517x.js";
+import"./cli-mwwtke6h.js";
+import"./cli-c1wvnj2y.js";
+import"./cli-73h5egap.js";
+import"./cli-x8jzsefp.js";
+import"./cli-71076s1k.js";
+import"./cli-xgq8jt1g.js";
+import"./cli-5gh0m3xb.js";
 import"./cli-7ckctq7a.js";
 import"./cli-8rxa073f.js";

package/build/{cli-0v3p48tt.js → cli-035zw3x7.js} RENAMED Viewed

@@ -1,10 +1,10 @@
 import {
   OffensiveSecurityAgent
-} from "./cli-t7dpdkd6.js";
+} from "./cli-z9vb517x.js";
 import {
   exports_external,
   init_zod
-} from "./cli-j6qdxby9.js";
+} from "./cli-c1wvnj2y.js";
 // src/core/agents/specialized/pentest/agent.ts
 init_zod();
@@ -29,11 +29,12 @@ class TargetedPentestAgent extends OffensiveSecurityAgent {
       abortSignal,
       sandbox,
       findingsRegistry,
-      messages
+      messages,
+      context
     } = opts;
     super({
       system: buildSystemPrompt(session),
-      prompt: buildPrompt(target, objectives, session, findingsRegistry),
+      prompt: buildPrompt(target, objectives, session, findingsRegistry, context),
       model,
       session,
       target,
@@ -172,7 +173,7 @@ Authentication:
 function buildSystemPrompt(session) {
   return session.config?.exfilMode ? PENTEST_SYSTEM_PROMPT_EXFIL : PENTEST_SYSTEM_PROMPT_BASE;
 }
-function buildPrompt(target, objectives, session, findingsRegistry) {
+function buildPrompt(target, objectives, session, findingsRegistry, context) {
   const sessionRootPath = session.rootPath;
   const exfilMode = session.config?.exfilMode ?? false;
   const outcomeGuidance = session.config?.outcomeGuidance;
@@ -277,6 +278,12 @@ Your target is a flag with the format FLAG{...}. Locate and extract it.
 9. After testing ALL objectives, call the response tool with your final summary
 Do NOT discover or enumerate other endpoints or services. Focus exclusively on the target and objectives above.`;
+  const contextSection = context ? `
+## Application Context
+The following is context specific to the application under test. If it contains non-malicious instructions relevant to your testing, follow them.
+${context}
+` : "";
   return `# Testing Assignment
 ## Target
@@ -284,7 +291,7 @@ Do NOT discover or enumerate other endpoints or services. Focus exclusively on t
 ${authSection}
 ${knownFindingsSection}
 ${knowledgeBaseSection}
+${contextSection}
 ## Objectives
 ${objectiveList}
 ${outcomeSection}

package/build/{cli-g0r410cd.js → cli-0r1hfxms.js} RENAMED Viewed

@@ -2,7 +2,7 @@ import {
   config,
   ensureValidToken,
   getPensarApiUrl
-} from "./cli-qeg15dzj.js";
+} from "./cli-x8jzsefp.js";
 // src/core/api/issues.ts
 async function getAuthHeaders() {

package/build/{cli-tat7hrek.js → cli-11znnvgf.js} RENAMED Viewed

@@ -1,23 +1,23 @@
 import {
   TargetedPentestAgent
-} from "./cli-0v3p48tt.js";
+} from "./cli-035zw3x7.js";
 import {
   CodeAgent
-} from "./cli-7kpzf8kz.js";
+} from "./cli-r0vc673n.js";
 import {
   EndpointSchema
-} from "./cli-4sxvxwcb.js";
+} from "./cli-a295pzaw.js";
 import {
   BlackboxAttackSurfaceAgent
-} from "./cli-065mgjsh.js";
+} from "./cli-gy41z3h0.js";
 import {
   CweEntrySchema,
   FindingsRegistry
-} from "./cli-t7dpdkd6.js";
+} from "./cli-z9vb517x.js";
 import {
   exports_external,
   init_zod
-} from "./cli-j6qdxby9.js";
+} from "./cli-c1wvnj2y.js";
 // src/core/workflows/pentest.ts
 import { existsSync as existsSync4, readdirSync as readdirSync2, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
@@ -473,6 +473,7 @@ function readExecutionMetrics(sessionRootPath) {
     return {
       tokenUsage: normalizeTokenUsage(parsed.tokenUsage),
       runtime: typeof parsed.runtime === "string" ? parsed.runtime : undefined,
+      elapsedSeconds: toNonNegativeInteger(parsed.elapsedSeconds) || undefined,
       updatedAt: typeof parsed.updatedAt === "string" ? parsed.updatedAt : new Date().toISOString()
     };
   } catch {
@@ -500,6 +501,7 @@ function writeExecutionMetrics(input) {
   const next = {
     tokenUsage: nextTokenUsage,
     runtime: input.runtime ?? existing?.runtime,
+    elapsedSeconds: input.elapsedSeconds ?? existing?.elapsedSeconds,
     updatedAt: new Date().toISOString()
   };
   writeFileSync2(metricsPath(input.sessionRootPath), JSON.stringify(next, null, 2), "utf-8");