@pensar/apex 0.0.114 → 0.0.115-canary.08a8d5c0

package/README.md

@@ -22,36 +22,6 @@ Want to run from the cloud or integrate it with your CI/CD? See <a href="https:/
   <img src="screenshot.png" alt="Pensar Apex Screenshot" width="800">
 </p> -->
 
-## What is Apex?
-
-Apex is an autonomous penetration testing agent that runs directly in your terminal.
-
-It doesn't wrap existing scanners or chain shell scripts. Apex deploys a **swarm of specialized AI agents** — each with domain expertise in reconnaissance, authentication analysis, exploitation, and code review — that coordinate a real penetration test against your application. Every finding comes with CVSS 4.0 scoring, CWE classification, evidence, and a validated proof-of-concept.
-
-The result is a pentest that runs like `npm test` — but thinks like a red team.
-
-## Why Apex?
-
-Traditional scanners execute signatures. Apex executes a methodology.
-
-- **Swarm architecture** - Specialized agents run in parallel across your attack surface, the same way a real red team divides and conquers. Up to 10 concurrent agents, each scoped to a specific objective.
-- **Structured, auditable output** - Every vulnerability is automatically scored (CVSS 4.0), classified (CWE), and documented with evidence and remediation steps. No raw tool dumps.
-- **Real exploitation, not guesswork** - Apex writes, runs, and validates proof-of-concept scripts. If the PoC doesn't succeed, it pivots to a different technique.
-- **Blackbox and whitebox** - Test a live target with no source access, or analyze your codebase to map endpoints and test them against a running instance.
-- **30+ built-in tools** - Browser automation, shell execution, HTTP requests, file analysis, web search for CVE lookups, authenticated crawling, and more. Optional Kali Linux container adds 25+ offensive security tools (nmap, sqlmap, hydra, hashcat, gobuster, and others).
-
-## Two Modes
-
-### `/pentest` — Autonomous
-
-Fire and forget. Apex runs a full engagement end-to-end: attack surface discovery, parallel swarm testing, and a structured report with findings in Markdown and JSON. No security expertise required.
-
-### `/operator` — Interactive
-
-Full control. Steer the agent step by step, approve each action, chain exploits manually, and dig deep into specific targets. Every tool is available. The approval gate holds until you say go.
-
-Start with `/pentest` to get coverage, then reopen the session in `/operator` to investigate specific findings — all context carries over.
-
 ## Use Cases
 
 ### Developers
@@ -69,30 +39,12 @@ Start with `/pentest` to get coverage, then reopen the session in `/operator` to
 
 ## Installation
 
-#### macOS / Linux (Quick Install)
-
-```bash
-curl -fsSL https://pensarai.com/install.sh | bash
-```
-
-#### Homebrew
-
-```bash
-brew tap pensarai/tap
-brew install apex
-```
-
-#### npm
-
-```bash
-npm install -g @pensar/apex
-```
-
-#### Windows (PowerShell)
-
-```powershell
-irm https://www.pensarai.com/apex.ps1 | iex
-```
+| Method                          | Command                                              |
+| ------------------------------- | ---------------------------------------------------- |
+| **Quick Install** (macOS/Linux) | `curl -fsSL https://pensarai.com/install.sh \| bash` |
+| **Homebrew**                    | `brew tap pensarai/tap && brew install apex`         |
+| **npm**                         | `npm install -g @pensar/apex`                        |
+| **Windows** (PowerShell)        | `irm https://www.pensarai.com/apex.ps1 \| iex`       |
 
 ## Usage
 
@@ -123,5 +75,5 @@ pensar
 
 ### ⚠️ Responsible Use
 
-This repository contains tools for **authorized security testing** only.  
+This repository contains tools for **authorized security testing** only.
 Before use, please read and agree to the [Responsible Use Disclosure](./RESPONSIBLE_USE.md).

package/build/agent-2f4q4n26.js

@@ -0,0 +1,16 @@
+import {
+  CodeAgent
+} from "./cli-jycdef9r.js";
+import"./cli-m6xhh40a.js";
+import"./cli-8fxhbwz2.js";
+import"./cli-4cz845xw.js";
+import"./cli-9r9grmzr.js";
+import"./cli-6f5bs0zb.js";
+import"./cli-nbxjkzcb.js";
+import"./cli-mmm9mpgd.js";
+import"./cli-217my1rx.js";
+import"./cli-7ckctq7a.js";
+import"./cli-8rxa073f.js";
+export {
+  CodeAgent
+};

package/build/agent-rcm3mnb7.js

@@ -0,0 +1,227 @@
+import {
+  WhiteboxAttackSurfaceResultSchema
+} from "./cli-p2q3a22n.js";
+import {
+  OffensiveSecurityAgent
+} from "./cli-m6xhh40a.js";
+import"./cli-8fxhbwz2.js";
+import {
+  hasToolCall,
+  tool
+} from "./cli-4cz845xw.js";
+import"./cli-9r9grmzr.js";
+import"./cli-6f5bs0zb.js";
+import"./cli-nbxjkzcb.js";
+import"./cli-mmm9mpgd.js";
+import"./cli-217my1rx.js";
+import"./cli-7ckctq7a.js";
+import"./cli-8rxa073f.js";
+
+// src/core/agents/specialized/whiteboxAttackSurface/prompts.ts
+var WHITEBOX_ATTACK_SURFACE_SYSTEM_PROMPT = `You are an expert source-code analyst and orchestrator. Your mission is to comprehensively map the attack surface of a codebase by analyzing its source code directly.
+
+You operate completely autonomously. Do not ask for permission or wait for user input.
+
+# Your Goal
+
+Given a codebase path, you must:
+1. Identify the repository structure (monorepo vs single app, package manager, etc.)
+2. Discover every application/service defined in the repo
+3. For each app, enumerate ALL web pages and ALL API endpoints defined in the source code
+4. For each endpoint, generate specific pentest objectives
+
+# Tools at Your Disposal
+
+## list_files
+List directories to understand project structure. Start here.
+
+## read_file
+Read config files, entry points, route definitions, etc.
+
+## grep
+Your primary search tool. Use it to find route definitions, middleware, controllers, etc.
+
+## document_app
+**Use this to document each application/service you identify.** Each call persists a JSON record to the session's apps directory. Document:
+- Each application/service you identify (appType: "web_application" or "api")
+- Notable subdomains hosting distinct services (appType: "subdomain")
+- Cloud resources like S3 buckets, cloud storage, CDN origins (appType: "cloud_resource" or "storage")
+  - For S3 buckets: set \`domain\` to the **canonical virtual-hosted-style** endpoint (e.g. "https://bucket-name.s3.amazonaws.com") and use appType "storage". Do NOT use path-style URLs (e.g. "https://s3.amazonaws.com/bucket-name").
+  - For other cloud resources: set \`domain\` to the primary/canonical resource endpoint and use appType "cloud_resource"
+- If known domains are provided, set the \`domain\` field to associate the app with the correct domain
+
+## document_endpoint
+**This is your primary output tool for endpoints.** Each call persists a JSON record to the session's endpoints directory, organized by app. Document:
+- Individual API endpoints and web pages
+
+**CRITICAL — endpoint documentation rules:**
+- **ONE endpoint per unique route path.** Do NOT create separate entries for different HTTP methods on the same path. If \`/api/users\` supports GET, POST, and DELETE, that is ONE entry with \`method: ["GET", "POST", "DELETE"]\`.
+- **Use \`method: "PAGE"\`** for web pages and views.
+- **Always set \`appName\`** to group endpoints under the correct application.
+- **Always set \`routePath\`** to the HTTP route (e.g., \`/api/users\`). This is the URL path a client requests — NOT a source-file path.
+- **Always set \`file\`** to the source-code file (e.g., \`src/routes/users.ts\`). This is NOT the HTTP route.
+- **Always set \`handler\`** to the function name, and \`authRequired\` to indicate auth requirements.
+
+Call these tools throughout your analysis as you discover apps and endpoints — don't wait until the end.
+
+## spawn_coding_agent
+**This is your key tool for scaling out analysis.** Spawn coding sub-agents to analyze individual apps in parallel for higher fidelity. Each sub-agent has full filesystem access (read_file, list_files, grep, execute_command) and the document_app/document_endpoint tools.
+
+## submit_results
+Call this LAST with your complete structured results. This ends your run.
+
+# Methodology
+
+## Phase 1: REPO IDENTIFICATION (do this yourself — it's fast)
+1. List the root directory
+2. Read the top-level config files to determine:
+   - Package manager (package.json → npm/yarn/pnpm, requirements.txt → pip, Cargo.toml → cargo, go.mod → go, etc.)
+   - Repo structure (workspaces field in package.json → monorepo, multiple service dirs → multi-package, etc.)
+3. Identify all apps/services — look for:
+   - Monorepo workspace packages with their own entry points
+   - Separate service directories with their own configs
+   - A single app at the root
+4. Discover cloud resources and external infrastructure referenced in the code:
+   - S3 buckets, GCS buckets, Azure Blob Storage (search for bucket names, s3://, storage URLs)
+   - CDN distributions (CloudFront, Cloudflare)
+   - Infrastructure-as-code definitions (Terraform, CloudFormation, CDK, SST, Pulumi, serverless.yml)
+   - Document each as an app with appType "cloud_resource" or "storage" and set the \`domain\` to the **canonical** resource endpoint
+   - **S3 canonical URL:** Always use virtual-hosted-style "https://bucket-name.s3.amazonaws.com" (or with region: "https://bucket-name.s3.us-east-1.amazonaws.com"). Never use path-style "https://s3.amazonaws.com/bucket-name".
+   - **Do NOT document alternative URL formats** as separate endpoints — only document the canonical/primary URL and any distinct functional paths under it
+
+## Phase 2: APP ANALYSIS (delegate to coding agents)
+For each app you identified, spawn a coding agent with a detailed objective. The objective should instruct the agent to:
+
+1. **Identify the framework** — read the app's config/entry point to determine the web framework
+2. **Document the application** — call \`document_app\` with the app name, type, and framework
+3. **Find ALL web pages** — search for page/view/route definitions and document each with \`document_endpoint\` using \`method: "PAGE"\`
+4. **Find ALL API endpoints** — search for route/endpoint definitions and document each unique path with \`document_endpoint\`, listing ALL HTTP methods in \`method\`
+5. **For each endpoint, include** in the document_endpoint call:
+   - HTTP route in \`routePath\` (e.g., \`/api/users\`) — this is the URL path, NOT a file path
+   - ALL HTTP methods in \`method\` (consolidated — one entry per path)
+   - Handler function in \`handler\`
+   - Source-code file in \`file\` (e.g., \`src/routes/users.ts\`) — this is NOT the route
+   - Line number in \`line\`
+   - Auth requirement in \`authRequired\`
+   - Specific pentest objectives in \`pentestObjectives\`
+
+**IMPORTANT:** Tell each coding agent to set \`appName\` on every \`document_endpoint\` call so endpoints are organized by application.
+
+## Phase 3: COLLECT AND SUBMIT (do this yourself)
+1. Parse the output from all coding agents
+2. Assemble the complete structured result
+3. Call \`submit_results\` with the full data
+
+# Guidelines
+- Be thorough — every endpoint matters. Don't skip files or directories.
+- Delegate aggressively — spawn coding agents for each app to get high-fidelity results.
+- Give coding agents VERY detailed objectives — they work best with specific instructions about what to search for and how to report it.
+- Don't duplicate work — let the coding agents do the deep file-by-file analysis.
+- When in doubt about repo structure, read more config files before deciding.
+`;
+
+// src/core/agents/specialized/whiteboxAttackSurface/agent.ts
+class WhiteboxAttackSurfaceAgent extends OffensiveSecurityAgent {
+  constructor(opts) {
+    const {
+      model,
+      codebasePath,
+      session,
+      authConfig,
+      onStepFinish,
+      abortSignal,
+      eventBus,
+      subagentId,
+      attackSurfaceRegistry,
+      domains,
+      enableThinking
+    } = opts;
+    let capturedResult = null;
+    const submitResultsTool = tool({
+      description: `Submit the final whitebox attack surface analysis results.
+
+Call this ONCE at the end with your complete structured findings.
+This ends the agent run — make sure all data is included.`,
+      inputSchema: WhiteboxAttackSurfaceResultSchema,
+      execute: async (results) => {
+        capturedResult = results;
+        return { success: true, message: "Results submitted." };
+      }
+    });
+    super({
+      system: WHITEBOX_ATTACK_SURFACE_SYSTEM_PROMPT,
+      prompt: buildPrompt(codebasePath, domains, session.config?.prompt),
+      model,
+      session,
+      authConfig,
+      onStepFinish,
+      abortSignal,
+      eventBus,
+      subagentId,
+      attackSurfaceRegistry,
+      enableThinking,
+      activeTools: [
+        "read_file",
+        "list_files",
+        "grep",
+        "document_app",
+        "document_endpoint",
+        "spawn_coding_agent",
+        "submit_results"
+      ],
+      extraTools: {
+        submit_results: submitResultsTool
+      },
+      stopWhen: hasToolCall("submit_results"),
+      resolveResult: () => {
+        if (capturedResult) {
+          return capturedResult;
+        }
+        return {
+          repoType: "unknown",
+          packageManager: "unknown",
+          apps: [],
+          summary: {
+            totalApps: 0,
+            totalPages: 0,
+            totalApiEndpoints: 0,
+            totalPentestObjectives: 0
+          }
+        };
+      }
+    });
+  }
+}
+function buildPrompt(codebasePath, domains, operatorPrompt) {
+  const domainSection = domains?.length ? `
+## Known Domains
+The following domains are associated with this project. When documenting apps, set the \`domain\` field on \`document_app\` if you can determine which domain serves the app:
+${domains.map((d) => `- ${d}`).join(`
+`)}
+` : "";
+  const operatorGuidanceBlock = operatorPrompt ? `
+## Operator Guidance
+${operatorPrompt}
+` : "";
+  return `# Whitebox Attack Surface Analysis
+
+## Codebase
+- **Path:** ${codebasePath}
+${domainSection}${operatorGuidanceBlock}
+## Task
+Analyze this codebase and produce a complete attack surface map:
+1. Identify the repo type and package manager
+2. Discover all apps/services
+3. Discover cloud resources and external infrastructure referenced in the code (S3 buckets, cloud storage, CDN origins, etc.) — document these as apps with the appropriate type
+4. For each app, find all web pages and API endpoints
+5. For each endpoint, generate pentest objectives
+
+Use \`spawn_coding_agent\` to delegate app-level analysis for higher fidelity.
+
+When finished, call \`submit_results\` with the complete structured output.
+
+Begin now.`;
+}
+export {
+  WhiteboxAttackSurfaceAgent
+};

package/build/{auth-g7qfrmqn.js → auth-pvhyt24c.js}

@@ -8,14 +8,14 @@ import {
   pollWorkOSToken,
   selectWorkspace,
   startDeviceFlow
-} from "./cli-zz9wwkqh.js";
+} from "./cli-9r9grmzr.js";
 import {
   config,
   getPensarApiUrl,
   getPensarConsoleUrl
-} from "./cli-27bnjky6.js";
-import"./cli-xj88naps.js";
-import"./cli-s1dd4n9x.js";
+} from "./cli-6f5bs0zb.js";
+import"./cli-nbxjkzcb.js";
+import"./cli-mmm9mpgd.js";
 import {
   __require
 } from "./cli-8rxa073f.js";

package/build/{authentication-h92927qz.js → authentication-ak9yfwcr.js}

@@ -3,16 +3,16 @@ import {
 } from "./cli-6gtnyaqf.js";
 import {
   OffensiveSecurityAgent
-} from "./cli-phajnhzs.js";
-import"./cli-vnydvy0r.js";
+} from "./cli-m6xhh40a.js";
+import"./cli-8fxhbwz2.js";
 import {
   hasToolCall
-} from "./cli-z1s5njxn.js";
-import"./cli-zz9wwkqh.js";
-import"./cli-27bnjky6.js";
-import"./cli-xj88naps.js";
-import"./cli-s1dd4n9x.js";
-import"./cli-0tpx8khk.js";
+} from "./cli-4cz845xw.js";
+import"./cli-9r9grmzr.js";
+import"./cli-6f5bs0zb.js";
+import"./cli-nbxjkzcb.js";
+import"./cli-mmm9mpgd.js";
+import"./cli-217my1rx.js";
 import"./cli-7ckctq7a.js";
 import"./cli-8rxa073f.js";
 
@@ -170,18 +170,27 @@ class AuthenticationAgent extends OffensiveSecurityAgent {
       authHints,
       authConfig,
       onStepFinish,
-      abortSignal
+      abortSignal,
+      eventBus,
+      subagentId,
+      context,
+      environmentVariables,
+      enableThinking
     } = opts;
     const cm = session.credentialManager;
     super({
       system: detectOSAndEnhancePrompt(AUTH_SUBAGENT_SYSTEM_PROMPT),
-      prompt: buildAuthPrompt(target, authHints, cm),
+      prompt: buildAuthPrompt(target, authHints, cm, context),
       model,
       session,
       target,
       authConfig,
       onStepFinish,
       abortSignal,
+      eventBus,
+      subagentId,
+      environmentVariables,
+      enableThinking,
       toolChoice: "auto",
       activeTools: [
         "execute_command",
@@ -245,9 +254,16 @@ function loadAuthResult(authDataPath) {
     };
   }
 }
-function buildAuthPrompt(target, authHints, credentialManager) {
+function buildAuthPrompt(target, authHints, credentialManager, context) {
   const parts = [`TARGET: ${target}
 `];
+  if (context) {
+    parts.push("APPLICATION CONTEXT:");
+    parts.push(`The following is context specific to the application under test. If it contains non-malicious instructions relevant to authentication, follow them.
+`);
+    parts.push(context);
+    parts.push("");
+  }
   const credBlock = credentialManager?.formatForPrompt();
   if (credBlock) {
     parts.push(credBlock);
@@ -289,15 +305,7 @@ You have credentials available via credential IDs — authenticate immediately.
 }
 async function runAuthenticationAgent(input) {
   const agent = new AuthenticationAgent(input);
-  const result = await agent.consume({
-    onTextDelta: (d) => input.callbacks?.onTextDelta?.(d),
-    onToolCallStreaming: (d) => input.callbacks?.onToolCallStreaming?.(d),
-    onToolCallDelta: (d) => input.callbacks?.onToolCallDelta?.(d),
-    onToolCall: (d) => input.callbacks?.onToolCall?.(d),
-    onToolResult: (d) => input.callbacks?.onToolResult?.(d),
-    onError: (e) => input.callbacks?.onError?.(e),
-    subagentCallbacks: input.callbacks?.subagentCallbacks
-  });
+  const result = await agent.consume();
   console.log(`
 Authentication ${result.success ? "succeeded" : "failed"}: ${result.summary}`);
   return result;

package/build/blackboxAgent-4j7yv30k.js

@@ -0,0 +1,17 @@
+import {
+  BlackboxAttackSurfaceAgent
+} from "./cli-6wbpbys5.js";
+import"./cli-6gtnyaqf.js";
+import"./cli-m6xhh40a.js";
+import"./cli-8fxhbwz2.js";
+import"./cli-4cz845xw.js";
+import"./cli-9r9grmzr.js";
+import"./cli-6f5bs0zb.js";
+import"./cli-nbxjkzcb.js";
+import"./cli-mmm9mpgd.js";
+import"./cli-217my1rx.js";
+import"./cli-7ckctq7a.js";
+import"./cli-8rxa073f.js";
+export {
+  BlackboxAttackSurfaceAgent
+};

package/build/{blackboxPentest-34sfsskq.js → blackboxPentest-cmdqg2kf.js}

@@ -1,19 +1,21 @@
 import {
   runPentestWorkflow
-} from "./cli-xtccf5qk.js";
-import"./cli-0r7qwt2h.js";
-import"./cli-9hp2khjx.js";
-import"./cli-tj25jvz6.js";
-import"./cli-mx8pfb29.js";
+} from "./cli-pwawj18c.js";
+import"./cli-2rfx3548.js";
+import"./cli-kt5y3cap.js";
+import"./cli-jycdef9r.js";
+import"./cli-fw5r7pfj.js";
+import"./cli-p2q3a22n.js";
+import"./cli-6wbpbys5.js";
 import"./cli-6gtnyaqf.js";
-import"./cli-phajnhzs.js";
-import"./cli-vnydvy0r.js";
-import"./cli-z1s5njxn.js";
-import"./cli-zz9wwkqh.js";
-import"./cli-27bnjky6.js";
-import"./cli-xj88naps.js";
-import"./cli-s1dd4n9x.js";
-import"./cli-0tpx8khk.js";
+import"./cli-m6xhh40a.js";
+import"./cli-8fxhbwz2.js";
+import"./cli-4cz845xw.js";
+import"./cli-9r9grmzr.js";
+import"./cli-6f5bs0zb.js";
+import"./cli-nbxjkzcb.js";
+import"./cli-mmm9mpgd.js";
+import"./cli-217my1rx.js";
 import"./cli-7ckctq7a.js";
 import"./cli-8rxa073f.js";
 
@@ -26,7 +28,9 @@ async function runPentestAgent(input) {
     session: input.session,
     authConfig: input.authConfig,
     abortSignal: input.abortSignal,
-    callbacks: input.callbacks
+    eventBus: input.eventBus,
+    prompt: input.prompt,
+    threatModel: input.threatModel
   });
   console.log(`
 Found ${findings.length} vulnerabilities`);