@pensar/apex 0.0.114 → 0.0.115-canary.3a244a59

package/README.md

@@ -22,36 +22,6 @@ Want to run from the cloud or integrate it with your CI/CD? See <a href="https:/
   <img src="screenshot.png" alt="Pensar Apex Screenshot" width="800">
 </p> -->
 
-## What is Apex?
-
-Apex is an autonomous penetration testing agent that runs directly in your terminal.
-
-It doesn't wrap existing scanners or chain shell scripts. Apex deploys a **swarm of specialized AI agents** — each with domain expertise in reconnaissance, authentication analysis, exploitation, and code review — that coordinate a real penetration test against your application. Every finding comes with CVSS 4.0 scoring, CWE classification, evidence, and a validated proof-of-concept.
-
-The result is a pentest that runs like `npm test` — but thinks like a red team.
-
-## Why Apex?
-
-Traditional scanners execute signatures. Apex executes a methodology.
-
-- **Swarm architecture** - Specialized agents run in parallel across your attack surface, the same way a real red team divides and conquers. Up to 10 concurrent agents, each scoped to a specific objective.
-- **Structured, auditable output** - Every vulnerability is automatically scored (CVSS 4.0), classified (CWE), and documented with evidence and remediation steps. No raw tool dumps.
-- **Real exploitation, not guesswork** - Apex writes, runs, and validates proof-of-concept scripts. If the PoC doesn't succeed, it pivots to a different technique.
-- **Blackbox and whitebox** - Test a live target with no source access, or analyze your codebase to map endpoints and test them against a running instance.
-- **30+ built-in tools** - Browser automation, shell execution, HTTP requests, file analysis, web search for CVE lookups, authenticated crawling, and more. Optional Kali Linux container adds 25+ offensive security tools (nmap, sqlmap, hydra, hashcat, gobuster, and others).
-
-## Two Modes
-
-### `/pentest` — Autonomous
-
-Fire and forget. Apex runs a full engagement end-to-end: attack surface discovery, parallel swarm testing, and a structured report with findings in Markdown and JSON. No security expertise required.
-
-### `/operator` — Interactive
-
-Full control. Steer the agent step by step, approve each action, chain exploits manually, and dig deep into specific targets. Every tool is available. The approval gate holds until you say go.
-
-Start with `/pentest` to get coverage, then reopen the session in `/operator` to investigate specific findings — all context carries over.
-
 ## Use Cases
 
 ### Developers
@@ -69,30 +39,12 @@ Start with `/pentest` to get coverage, then reopen the session in `/operator` to
 
 ## Installation
 
-#### macOS / Linux (Quick Install)
-
-```bash
-curl -fsSL https://pensarai.com/install.sh | bash
-```
-
-#### Homebrew
-
-```bash
-brew tap pensarai/tap
-brew install apex
-```
-
-#### npm
-
-```bash
-npm install -g @pensar/apex
-```
-
-#### Windows (PowerShell)
-
-```powershell
-irm https://www.pensarai.com/apex.ps1 | iex
-```
+| Method                          | Command                                              |
+| ------------------------------- | ---------------------------------------------------- |
+| **Quick Install** (macOS/Linux) | `curl -fsSL https://pensarai.com/install.sh \| bash` |
+| **Homebrew**                    | `brew tap pensarai/tap && brew install apex`         |
+| **npm**                         | `npm install -g @pensar/apex`                        |
+| **Windows** (PowerShell)        | `irm https://www.pensarai.com/apex.ps1 \| iex`       |
 
 ## Usage
 
@@ -123,5 +75,5 @@ pensar
 
 ### ⚠️ Responsible Use
 
-This repository contains tools for **authorized security testing** only.  
+This repository contains tools for **authorized security testing** only.
 Before use, please read and agree to the [Responsible Use Disclosure](./RESPONSIBLE_USE.md).

package/build/agent-n22nh2s8.js

@@ -0,0 +1,16 @@
+import {
+  CodeAgent
+} from "./cli-7ms8v8dt.js";
+import"./cli-qv95srfs.js";
+import"./cli-dbs6bfdd.js";
+import"./cli-rx4g8yat.js";
+import"./cli-te462405.js";
+import"./cli-q87kgwcy.js";
+import"./cli-0gm6ya88.js";
+import"./cli-jrgcmjck.js";
+import"./cli-5gh0m3xb.js";
+import"./cli-7ckctq7a.js";
+import"./cli-8rxa073f.js";
+export {
+  CodeAgent
+};

package/build/{agent-jr0kf32x.js → agent-scs6hq61.js}

@@ -1,19 +1,19 @@
 import {
   WhiteboxAttackSurfaceResultSchema
-} from "./cli-tj25jvz6.js";
+} from "./cli-gvfy5xk2.js";
 import {
   OffensiveSecurityAgent
-} from "./cli-phajnhzs.js";
-import"./cli-vnydvy0r.js";
+} from "./cli-qv95srfs.js";
+import"./cli-dbs6bfdd.js";
 import {
   hasToolCall,
   tool
-} from "./cli-z1s5njxn.js";
-import"./cli-zz9wwkqh.js";
-import"./cli-27bnjky6.js";
-import"./cli-xj88naps.js";
-import"./cli-s1dd4n9x.js";
-import"./cli-0tpx8khk.js";
+} from "./cli-rx4g8yat.js";
+import"./cli-te462405.js";
+import"./cli-q87kgwcy.js";
+import"./cli-0gm6ya88.js";
+import"./cli-jrgcmjck.js";
+import"./cli-5gh0m3xb.js";
 import"./cli-7ckctq7a.js";
 import"./cli-8rxa073f.js";
 
@@ -41,16 +41,31 @@ Read config files, entry points, route definitions, etc.
 ## grep
 Your primary search tool. Use it to find route definitions, middleware, controllers, etc.
 
-## document_asset
-**Use this to document every significant asset you discover.** Each call persists a JSON record to the session's assets directory. Document:
-- Each application/service you identify (assetType: "web_application" or "api")
-- Notable subdomains or infrastructure you encounter (assetType: "subdomain", "infrastructure_service")
-- Key API endpoint groups or admin panels (assetType: "endpoint", "admin_panel")
-
-Call this throughout your analysis as you discover assets — don't wait until the end. Include relevant details like the technology stack, URL, authentication requirements, and risk level.
+## document_app
+**Use this to document each application/service you identify.** Each call persists a JSON record to the session's apps directory. Document:
+- Each application/service you identify (appType: "web_application" or "api")
+- Notable subdomains hosting distinct services (appType: "subdomain")
+- Cloud resources like S3 buckets, cloud storage, CDN origins (appType: "cloud_resource" or "storage")
+  - For S3 buckets: set url to the bucket endpoint (e.g. "https://bucket-name.s3.amazonaws.com") and use appType "storage"
+  - For other cloud resources: set url to the resource endpoint and use appType "cloud_resource"
+- If known domains are provided, set the \`domain\` field to associate the app with the correct domain
+
+## document_endpoint
+**This is your primary output tool for endpoints.** Each call persists a JSON record to the session's endpoints directory, organized by app. Document:
+- Individual API endpoints and web pages
+
+**CRITICAL — endpoint documentation rules:**
+- **ONE endpoint per unique route path.** Do NOT create separate entries for different HTTP methods on the same path. If \`/api/users\` supports GET, POST, and DELETE, that is ONE entry with \`method: ["GET", "POST", "DELETE"]\`.
+- **Use \`method: "PAGE"\`** for web pages and views.
+- **Always set \`appName\`** to group endpoints under the correct application.
+- **Always set \`routePath\`** to the HTTP route (e.g., \`/api/users\`). This is the URL path a client requests — NOT a source-file path.
+- **Always set \`file\`** to the source-code file (e.g., \`src/routes/users.ts\`). This is NOT the HTTP route.
+- **Always set \`handler\`** to the function name, and \`authRequired\` to indicate auth requirements.
+
+Call these tools throughout your analysis as you discover apps and endpoints — don't wait until the end.
 
 ## spawn_coding_agent
-**This is your key tool for scaling out analysis.** Spawn coding sub-agents to analyze individual apps in parallel for higher fidelity. Each sub-agent has full filesystem access (read_file, list_files, grep, execute_command).
+**This is your key tool for scaling out analysis.** Spawn coding sub-agents to analyze individual apps in parallel for higher fidelity. Each sub-agent has full filesystem access (read_file, list_files, grep, execute_command) and the document_app/document_endpoint tools.
 
 ## submit_results
 Call this LAST with your complete structured results. This ends your run.
@@ -66,41 +81,29 @@ Call this LAST with your complete structured results. This ends your run.
    - Monorepo workspace packages with their own entry points
    - Separate service directories with their own configs
    - A single app at the root
+4. Discover cloud resources and external infrastructure referenced in the code:
+   - S3 buckets, GCS buckets, Azure Blob Storage (search for bucket names, s3://, storage URLs)
+   - CDN distributions (CloudFront, Cloudflare)
+   - Infrastructure-as-code definitions (Terraform, CloudFormation, CDK, SST, Pulumi, serverless.yml)
+   - Document each as an app with appType "cloud_resource" or "storage" and set the url to the resource endpoint
 
 ## Phase 2: APP ANALYSIS (delegate to coding agents)
 For each app you identified, spawn a coding agent with a detailed objective. The objective should instruct the agent to:
 
 1. **Identify the framework** — read the app's config/entry point to determine the web framework
-2. **Find ALL web pages** — search for page/view/route definitions:
-   - React/Next.js: pages/ or app/ directory, route components
-   - Express: res.render(), res.sendFile(), static file serving
-   - Django: urls.py patterns pointing to template views
-   - Rails: routes.rb entries pointing to controller actions that render views
-   - Vue/Nuxt: pages/ directory, router definitions
-   - etc.
-3. **Find ALL API endpoints** — search for route/endpoint definitions:
-   - Express: app.get(), app.post(), router.get(), router.post(), etc.
-   - Next.js: app/api/ or pages/api/ route handlers
-   - Django: urls.py patterns pointing to API views, DRF viewsets/routers
-   - FastAPI: @app.get(), @app.post() decorators
-   - Rails: routes.rb API namespaces, controller actions
-   - Spring: @GetMapping, @PostMapping, @RequestMapping
-   - etc.
-4. **For each endpoint, determine**:
-   - HTTP method and route path
-   - Handler function/component name
-   - File location and line number
-   - Whether auth appears to be required (middleware, decorators, guards)
-   - Brief description of what it does
-5. **For each endpoint, generate pentest objectives** — specific, actionable testing goals like:
-   - "Test for SQL injection in the 'search' query parameter"
-   - "Test for IDOR by accessing /api/orders/{id} with other users' order IDs"
-   - "Test for XSS in the user profile name field"
-   - "Test for privilege escalation by accessing admin-only endpoint as regular user"
-   - "Test for CSRF on the password change endpoint"
-   - "Test for path traversal in the file download parameter"
-
-**IMPORTANT:** Tell each coding agent to output its findings in a STRUCTURED FORMAT that you can parse. Instruct it to use clear delimiters or a consistent format for each endpoint (method, path, handler, file, line, auth, description, pentest objectives).
+2. **Document the application** — call \`document_app\` with the app name, type, and framework
+3. **Find ALL web pages** — search for page/view/route definitions and document each with \`document_endpoint\` using \`method: "PAGE"\`
+4. **Find ALL API endpoints** — search for route/endpoint definitions and document each unique path with \`document_endpoint\`, listing ALL HTTP methods in \`method\`
+5. **For each endpoint, include** in the document_endpoint call:
+   - HTTP route in \`routePath\` (e.g., \`/api/users\`) — this is the URL path, NOT a file path
+   - ALL HTTP methods in \`method\` (consolidated — one entry per path)
+   - Handler function in \`handler\`
+   - Source-code file in \`file\` (e.g., \`src/routes/users.ts\`) — this is NOT the route
+   - Line number in \`line\`
+   - Auth requirement in \`authRequired\`
+   - Specific pentest objectives in \`pentestObjectives\`
+
+**IMPORTANT:** Tell each coding agent to set \`appName\` on every \`document_endpoint\` call so endpoints are organized by application.
 
 ## Phase 3: COLLECT AND SUBMIT (do this yourself)
 1. Parse the output from all coding agents
@@ -125,8 +128,10 @@ class WhiteboxAttackSurfaceAgent extends OffensiveSecurityAgent {
       authConfig,
       onStepFinish,
       abortSignal,
-      callbacks,
-      attackSurfaceRegistry
+      eventBus,
+      subagentId,
+      attackSurfaceRegistry,
+      domains
     } = opts;
     let capturedResult = null;
     const submitResultsTool = tool({
@@ -142,20 +147,21 @@ This ends the agent run — make sure all data is included.`,
     });
     super({
       system: WHITEBOX_ATTACK_SURFACE_SYSTEM_PROMPT,
-      prompt: buildPrompt(codebasePath),
+      prompt: buildPrompt(codebasePath, domains),
       model,
       session,
       authConfig,
       onStepFinish,
       abortSignal,
+      eventBus,
+      subagentId,
       attackSurfaceRegistry,
-      callbacks,
-      subagentCallbacks: callbacks?.subagentCallbacks,
       activeTools: [
         "read_file",
         "list_files",
         "grep",
-        "document_asset",
+        "document_app",
+        "document_endpoint",
         "spawn_coding_agent",
         "submit_results"
       ],
@@ -182,18 +188,25 @@ This ends the agent run — make sure all data is included.`,
     });
   }
 }
-function buildPrompt(codebasePath) {
+function buildPrompt(codebasePath, domains) {
+  const domainSection = domains?.length ? `
+## Known Domains
+The following domains are associated with this project. When documenting apps, set the \`domain\` field on \`document_app\` if you can determine which domain serves the app:
+${domains.map((d) => `- ${d}`).join(`
+`)}
+` : "";
   return `# Whitebox Attack Surface Analysis
 
 ## Codebase
 - **Path:** ${codebasePath}
-
+${domainSection}
 ## Task
 Analyze this codebase and produce a complete attack surface map:
 1. Identify the repo type and package manager
 2. Discover all apps/services
-3. For each app, find all web pages and API endpoints
-4. For each endpoint, generate pentest objectives
+3. Discover cloud resources and external infrastructure referenced in the code (S3 buckets, cloud storage, CDN origins, etc.) — document these as apps with the appropriate type
+4. For each app, find all web pages and API endpoints
+5. For each endpoint, generate pentest objectives
 
 Use \`spawn_coding_agent\` to delegate app-level analysis for higher fidelity.
 

package/build/{auth-g7qfrmqn.js → auth-7gf402f3.js}

@@ -8,14 +8,14 @@ import {
   pollWorkOSToken,
   selectWorkspace,
   startDeviceFlow
-} from "./cli-zz9wwkqh.js";
+} from "./cli-te462405.js";
 import {
   config,
   getPensarApiUrl,
   getPensarConsoleUrl
-} from "./cli-27bnjky6.js";
-import"./cli-xj88naps.js";
-import"./cli-s1dd4n9x.js";
+} from "./cli-q87kgwcy.js";
+import"./cli-0gm6ya88.js";
+import"./cli-jrgcmjck.js";
 import {
   __require
 } from "./cli-8rxa073f.js";

package/build/{authentication-h92927qz.js → authentication-xnygs3rq.js}

@@ -3,16 +3,16 @@ import {
 } from "./cli-6gtnyaqf.js";
 import {
   OffensiveSecurityAgent
-} from "./cli-phajnhzs.js";
-import"./cli-vnydvy0r.js";
+} from "./cli-qv95srfs.js";
+import"./cli-dbs6bfdd.js";
 import {
   hasToolCall
-} from "./cli-z1s5njxn.js";
-import"./cli-zz9wwkqh.js";
-import"./cli-27bnjky6.js";
-import"./cli-xj88naps.js";
-import"./cli-s1dd4n9x.js";
-import"./cli-0tpx8khk.js";
+} from "./cli-rx4g8yat.js";
+import"./cli-te462405.js";
+import"./cli-q87kgwcy.js";
+import"./cli-0gm6ya88.js";
+import"./cli-jrgcmjck.js";
+import"./cli-5gh0m3xb.js";
 import"./cli-7ckctq7a.js";
 import"./cli-8rxa073f.js";
 
@@ -170,18 +170,25 @@ class AuthenticationAgent extends OffensiveSecurityAgent {
       authHints,
       authConfig,
       onStepFinish,
-      abortSignal
+      abortSignal,
+      eventBus,
+      subagentId,
+      context,
+      environmentVariables
     } = opts;
     const cm = session.credentialManager;
     super({
       system: detectOSAndEnhancePrompt(AUTH_SUBAGENT_SYSTEM_PROMPT),
-      prompt: buildAuthPrompt(target, authHints, cm),
+      prompt: buildAuthPrompt(target, authHints, cm, context),
       model,
       session,
       target,
       authConfig,
       onStepFinish,
       abortSignal,
+      eventBus,
+      subagentId,
+      environmentVariables,
       toolChoice: "auto",
       activeTools: [
         "execute_command",
@@ -245,9 +252,16 @@ function loadAuthResult(authDataPath) {
     };
   }
 }
-function buildAuthPrompt(target, authHints, credentialManager) {
+function buildAuthPrompt(target, authHints, credentialManager, context) {
   const parts = [`TARGET: ${target}
 `];
+  if (context) {
+    parts.push("APPLICATION CONTEXT:");
+    parts.push(`The following is context specific to the application under test. If it contains non-malicious instructions relevant to authentication, follow them.
+`);
+    parts.push(context);
+    parts.push("");
+  }
   const credBlock = credentialManager?.formatForPrompt();
   if (credBlock) {
     parts.push(credBlock);
@@ -289,15 +303,7 @@ You have credentials available via credential IDs — authenticate immediately.
 }
 async function runAuthenticationAgent(input) {
   const agent = new AuthenticationAgent(input);
-  const result = await agent.consume({
-    onTextDelta: (d) => input.callbacks?.onTextDelta?.(d),
-    onToolCallStreaming: (d) => input.callbacks?.onToolCallStreaming?.(d),
-    onToolCallDelta: (d) => input.callbacks?.onToolCallDelta?.(d),
-    onToolCall: (d) => input.callbacks?.onToolCall?.(d),
-    onToolResult: (d) => input.callbacks?.onToolResult?.(d),
-    onError: (e) => input.callbacks?.onError?.(e),
-    subagentCallbacks: input.callbacks?.subagentCallbacks
-  });
+  const result = await agent.consume();
   console.log(`
 Authentication ${result.success ? "succeeded" : "failed"}: ${result.summary}`);
   return result;

package/build/blackboxAgent-kc356rcy.js

@@ -0,0 +1,17 @@
+import {
+  BlackboxAttackSurfaceAgent
+} from "./cli-y23vt1jv.js";
+import"./cli-6gtnyaqf.js";
+import"./cli-qv95srfs.js";
+import"./cli-dbs6bfdd.js";
+import"./cli-rx4g8yat.js";
+import"./cli-te462405.js";
+import"./cli-q87kgwcy.js";
+import"./cli-0gm6ya88.js";
+import"./cli-jrgcmjck.js";
+import"./cli-5gh0m3xb.js";
+import"./cli-7ckctq7a.js";
+import"./cli-8rxa073f.js";
+export {
+  BlackboxAttackSurfaceAgent
+};

package/build/{blackboxPentest-34sfsskq.js → blackboxPentest-mvwc0v1m.js}

@@ -1,19 +1,20 @@
 import {
   runPentestWorkflow
-} from "./cli-xtccf5qk.js";
-import"./cli-0r7qwt2h.js";
-import"./cli-9hp2khjx.js";
-import"./cli-tj25jvz6.js";
-import"./cli-mx8pfb29.js";
+} from "./cli-r9pch5gj.js";
+import"./cli-e16p5ctw.js";
+import"./cli-wctrm0ye.js";
+import"./cli-7ms8v8dt.js";
+import"./cli-gvfy5xk2.js";
+import"./cli-y23vt1jv.js";
 import"./cli-6gtnyaqf.js";
-import"./cli-phajnhzs.js";
-import"./cli-vnydvy0r.js";
-import"./cli-z1s5njxn.js";
-import"./cli-zz9wwkqh.js";
-import"./cli-27bnjky6.js";
-import"./cli-xj88naps.js";
-import"./cli-s1dd4n9x.js";
-import"./cli-0tpx8khk.js";
+import"./cli-qv95srfs.js";
+import"./cli-dbs6bfdd.js";
+import"./cli-rx4g8yat.js";
+import"./cli-te462405.js";
+import"./cli-q87kgwcy.js";
+import"./cli-0gm6ya88.js";
+import"./cli-jrgcmjck.js";
+import"./cli-5gh0m3xb.js";
 import"./cli-7ckctq7a.js";
 import"./cli-8rxa073f.js";
 
@@ -26,7 +27,7 @@ async function runPentestAgent(input) {
     session: input.session,
     authConfig: input.authConfig,
     abortSignal: input.abortSignal,
-    callbacks: input.callbacks
+    eventBus: input.eventBus
   });
   console.log(`
 Found ${findings.length} vulnerabilities`);

package/build/{cli-xj88naps.js → cli-0gm6ya88.js}

@@ -1,6 +1,6 @@
 import {
   getCurrentVersion
-} from "./cli-s1dd4n9x.js";
+} from "./cli-jrgcmjck.js";
 
 // src/core/config/config.ts
 import os from "os";