@pensar/apex 0.0.115-canary.60bf5fa4 → 0.0.115-canary.78d2d7dd

package/README.md

@@ -54,6 +54,49 @@ Open the Apex TUI:
 pensar
 ```
 
+### Headless CLI
+
+Run pentests without the TUI for scripting, CI, or evalgate integration:
+
+```bash
+# Basic pentest
+pensar pentest --target https://example.com
+
+# With extended thinking and task-driven mode
+pensar pentest --target https://example.com --extended-thinking --task-driven
+
+# Whitebox (with source code access)
+pensar pentest --target https://example.com --cwd ./my-app
+
+# Targeted pentest with specific objectives
+pensar targeted-pentest --target https://example.com --objective "Test authentication bypass"
+```
+
+| Flag                           | Command                   | Description                                    |
+| ------------------------------ | ------------------------- | ---------------------------------------------- |
+| `--target <url>`               | pentest, targeted-pentest | Target URL (required)                          |
+| `--cwd <path>`                 | pentest                   | Source code path for whitebox mode             |
+| `--mode <mode>`                | pentest                   | `exfil` for pivoting and flag extraction       |
+| `--model <model>`              | pentest, targeted-pentest | AI model (default: auto-selected)              |
+| `--extended-thinking`          | pentest                   | Enable extended thinking for supported models  |
+| `--task-driven`                | pentest                   | Enable task-driven architecture (experimental) |
+| `--prompt <text\|@file>`       | pentest                   | Custom guidance for the agent                  |
+| `--threat-model <text\|@file>` | pentest                   | Threat model to guide testing                  |
+| `--objective <text>`           | targeted-pentest          | Testing objective (repeatable)                 |
+
+### W&B Weave Tracing
+
+Stream step-level agent traces to Weights & Biases Weave for analysis and fine-tuning:
+
+```bash
+export WANDB_API_KEY=your-key
+export WANDB_ENTITY=your-entity
+# WANDB_PROJECT defaults to "apex-traces"
+pensar pentest --target https://example.com
+```
+
+Traces include reasoning steps, tool calls, token usage, and state checkpoints. When credentials are not set, tracing is silently disabled.
+
 ## Kali Linux Container (Optional)
 
 For **best performance**, run Apex in the included Kali Linux container with preconfigured pentest tools:

package/build/agent-bpxwmtxm.js

@@ -0,0 +1,17 @@
+import {
+  CodeAgent
+} from "./cli-ttar2ydd.js";
+import"./cli-km6s27mj.js";
+import"./cli-0wve372a.js";
+import"./cli-3y0dgy56.js";
+import"./cli-fvpmqcde.js";
+import"./cli-r8cerdwk.js";
+import"./cli-2jdpgtmk.js";
+import"./cli-hy4qmtqq.js";
+import"./cli-nw1pczc7.js";
+import"./cli-mg3bvqq9.js";
+import"./cli-gpnb45ck.js";
+import"./cli-8rxa073f.js";
+export {
+  CodeAgent
+};

package/build/{agent-b6q8zg3g.js → agent-nm6c5ns8.js}

@@ -1,20 +1,21 @@
 import {
   WhiteboxAttackSurfaceResultSchema
-} from "./cli-6dxcgqj7.js";
+} from "./cli-9j8k95v4.js";
 import {
   OffensiveSecurityAgent
-} from "./cli-fjv700j4.js";
-import"./cli-4y02kfw6.js";
+} from "./cli-km6s27mj.js";
+import"./cli-0wve372a.js";
+import"./cli-3y0dgy56.js";
 import {
   hasToolCall,
   tool
-} from "./cli-170kbfjp.js";
-import"./cli-yerz6636.js";
-import"./cli-zcyjrmz1.js";
-import"./cli-m4g13900.js";
-import"./cli-mb4vmv5r.js";
-import"./cli-z96s1mhh.js";
-import"./cli-7ckctq7a.js";
+} from "./cli-fvpmqcde.js";
+import"./cli-r8cerdwk.js";
+import"./cli-2jdpgtmk.js";
+import"./cli-hy4qmtqq.js";
+import"./cli-nw1pczc7.js";
+import"./cli-mg3bvqq9.js";
+import"./cli-gpnb45ck.js";
 import"./cli-8rxa073f.js";
 
 // src/core/agents/specialized/whiteboxAttackSurface/prompts.ts
@@ -29,6 +30,7 @@ Given a codebase path, you must:
 2. Discover every application/service defined in the repo
 3. For each app, enumerate ALL web pages and ALL API endpoints defined in the source code
 4. For each endpoint, generate specific pentest objectives
+5. **Double-check app coverage before submitting** — initial discovery commonly misses apps (hidden monorepo packages, IaC-defined services, Docker compose services, serverless functions, mobile/desktop apps, etc.). A dedicated verification pass is mandatory before you submit results.
 
 # Tools at Your Disposal
 
@@ -46,9 +48,9 @@ Your primary search tool. Use it to find route definitions, middleware, controll
 - Each application/service you identify (appType: "web_application" or "api")
 - Notable subdomains hosting distinct services (appType: "subdomain")
 - Cloud resources like S3 buckets, cloud storage, CDN origins (appType: "cloud_resource" or "storage")
-  - For S3 buckets: set url to the bucket endpoint (e.g. "https://bucket-name.s3.amazonaws.com") and use appType "storage"
-  - For other cloud resources: set url to the resource endpoint and use appType "cloud_resource"
-- If known domains are provided, set the \`domain\` field to associate the app with the correct domain
+  - For S3 buckets: set \`domain\` to the **canonical virtual-hosted-style** endpoint (e.g. "https://bucket-name.s3.amazonaws.com") and use appType "storage". Do NOT use path-style URLs (e.g. "https://s3.amazonaws.com/bucket-name").
+  - For other cloud resources: set \`domain\` to the primary/canonical resource endpoint and use appType "cloud_resource"
+- If known domains are provided, set the \`domain\` field to associate the app with the correct domain. **Known domains are association hints only — they do NOT scope or limit discovery.** Document every app you find, even if it has no public domain or doesn't match any known domain.
 
 ## document_endpoint
 **This is your primary output tool for endpoints.** Each call persists a JSON record to the session's endpoints directory, organized by app. Document:
@@ -85,7 +87,9 @@ Call this LAST with your complete structured results. This ends your run.
    - S3 buckets, GCS buckets, Azure Blob Storage (search for bucket names, s3://, storage URLs)
    - CDN distributions (CloudFront, Cloudflare)
    - Infrastructure-as-code definitions (Terraform, CloudFormation, CDK, SST, Pulumi, serverless.yml)
-   - Document each as an app with appType "cloud_resource" or "storage" and set the url to the resource endpoint
+   - Document each as an app with appType "cloud_resource" or "storage" and set the \`domain\` to the **canonical** resource endpoint
+   - **S3 canonical URL:** Always use virtual-hosted-style "https://bucket-name.s3.amazonaws.com" (or with region: "https://bucket-name.s3.us-east-1.amazonaws.com"). Never use path-style "https://s3.amazonaws.com/bucket-name".
+   - **Do NOT document alternative URL formats** as separate endpoints — only document the canonical/primary URL and any distinct functional paths under it
 
 ## Phase 2: APP ANALYSIS (delegate to coding agents)
 For each app you identified, spawn a coding agent with a detailed objective. The objective should instruct the agent to:
@@ -101,11 +105,46 @@ For each app you identified, spawn a coding agent with a detailed objective. The
    - Source-code file in \`file\` (e.g., \`src/routes/users.ts\`) — this is NOT the route
    - Line number in \`line\`
    - Auth requirement in \`authRequired\`
-   - Specific pentest objectives in \`pentestObjectives\`
 
 **IMPORTANT:** Tell each coding agent to set \`appName\` on every \`document_endpoint\` call so endpoints are organized by application.
 
-## Phase 3: COLLECT AND SUBMIT (do this yourself)
+## Phase 3: COVERAGE DOUBLE-CHECK (do this yourself — DO NOT SKIP)
+
+**Initial app discovery almost always misses something.** Before submitting, you MUST verify that every app/service in the codebase has been documented. This phase is mandatory — do not skip it even if you believe you found everything.
+
+1. **Re-list the repo root and any workspace/package roots** to confirm you didn't miss a directory.
+2. **Check monorepo workspace declarations** against your documented apps:
+   - \`package.json\` \`workspaces\` field, \`pnpm-workspace.yaml\`, \`lerna.json\`, \`nx.json\`, \`turbo.json\`, \`rush.json\`
+   - \`Cargo.toml\` \`[workspace]\` members, \`go.work\` use directives
+   - Any top-level \`apps/\`, \`packages/\`, \`services/\`, \`cmd/\`, \`functions/\`, \`lambdas/\`, \`workers/\` directories
+3. **Search for additional entry points** you may have missed. Run targeted greps such as:
+   - Framework manifests: \`next.config.*\`, \`vite.config.*\`, \`remix.config.*\`, \`nuxt.config.*\`, \`astro.config.*\`, \`svelte.config.*\`, \`angular.json\`, \`gatsby-config.*\`, \`expo.json\`, \`app.json\`
+   - Backend entry points: \`main.py\`, \`app.py\`, \`manage.py\`, \`wsgi.py\`, \`asgi.py\`, \`server.{ts,js,go,rs}\`, \`main.{go,rs}\`, \`Program.cs\`, \`Startup.cs\`
+   - Dockerfiles and \`docker-compose.y*ml\` services — each service may be a separate app
+   - IaC definitions: \`serverless.y*ml\`, \`sam.y*ml\`, \`template.y*ml\`, \`*.tf\`, \`cdk.json\`, \`sst.config.*\`, \`pulumi.yaml\`
+   - CI/CD deployment configs: \`.github/workflows/\`, \`vercel.json\`, \`netlify.toml\`, \`fly.toml\`, \`railway.toml\`, \`app.yaml\`, \`Procfile\`
+   - Mobile apps: \`ios/\`, \`android/\`, \`*.xcodeproj\`, \`AndroidManifest.xml\`
+   - Browser extensions / desktop apps: \`manifest.json\` (MV2/MV3), \`electron\`, \`tauri.conf.*\`
+   - Background jobs / workers: search for \`worker\`, \`queue\`, \`cron\`, \`scheduler\`, \`BullMQ\`, \`Celery\`, \`Sidekiq\`
+4. **Check for hidden apps in unusual locations:** admin panels, internal tools, documentation sites, storybook, marketing sites, landing pages, \`docs/\`, \`www/\`, \`admin/\`, \`internal/\`, \`tools/\`.
+5. **Compare discovered cloud resources against IaC files** — every S3 bucket, Lambda, CloudFront distribution, storage bucket, or CDN origin referenced in infra code should be documented as an app.
+
+For every candidate you identify in this phase:
+- If it's **already documented** — good, move on.
+- If it's **NOT documented** — spawn another coding agent to analyze it, or document it yourself with \`document_app\` / \`document_endpoint\`. Do not simply note it in the final summary; it must be in the apps list.
+
+Only proceed to Phase 4 once you have explicitly walked through the checks above and confirmed coverage is complete.
+
+## Phase 4: COLLECT AND SUBMIT (do this yourself)
+
+Before calling \`submit_results\`, verify the final coverage checklist:
+- [ ] Every workspace package / service directory is represented by a documented app
+- [ ] Every framework entry point discovered in Phase 3 maps to a documented app
+- [ ] Every Dockerfile / compose service / IaC resource maps to a documented app or cloud resource
+- [ ] Every known domain (if provided) that maps to an app in the repo has been associated via the \`domain\` field — but apps that don't map to a known domain are still documented (known domains are hints, not a scope filter)
+- [ ] Each documented app has its endpoints/pages enumerated (or an explicit note in \`pentestObjectives\` if it is a non-HTTP service)
+
+Then:
 1. Parse the output from all coding agents
 2. Assemble the complete structured result
 3. Call \`submit_results\` with the full data
@@ -116,6 +155,8 @@ For each app you identified, spawn a coding agent with a detailed objective. The
 - Give coding agents VERY detailed objectives — they work best with specific instructions about what to search for and how to report it.
 - Don't duplicate work — let the coding agents do the deep file-by-file analysis.
 - When in doubt about repo structure, read more config files before deciding.
+- **Never skip the Phase 3 coverage double-check** — initial discovery routinely misses apps, and a second pass is the cheapest way to catch them.
+- **Known domains are association hints, not a scope filter.** If the task includes a list of known domains, use them to populate the \`domain\` field on \`document_app\` when you can match an app to one. Do NOT use them to decide which apps, packages, services, endpoints, or cloud resources are worth documenting — document everything found in the codebase.
 `;
 
 // src/core/agents/specialized/whiteboxAttackSurface/agent.ts
@@ -148,7 +189,7 @@ This ends the agent run — make sure all data is included.`,
     });
     super({
       system: WHITEBOX_ATTACK_SURFACE_SYSTEM_PROMPT,
-      prompt: buildPrompt(codebasePath, domains),
+      prompt: buildPrompt(codebasePath, domains, session.config?.prompt),
       model,
       session,
       authConfig,
@@ -190,18 +231,30 @@ This ends the agent run — make sure all data is included.`,
     });
   }
 }
-function buildPrompt(codebasePath, domains) {
+function buildPrompt(codebasePath, domains, operatorPrompt) {
   const domainSection = domains?.length ? `
 ## Known Domains
-The following domains are associated with this project. When documenting apps, set the \`domain\` field on \`document_app\` if you can determine which domain serves the app:
+The following domains are **hints for association only** — they are known to be operated by the target and should be set on the \`domain\` field of \`document_app\` when you can determine which domain serves a given app.
+
+**IMPORTANT — these domains DO NOT define the scope of discovery:**
+- Discover and document **every** app/service/cloud resource defined in the codebase, regardless of whether it maps to one of these domains.
+- Apps with no known public domain (internal services, background workers, staging-only apps, functions, admin tools, etc.) MUST still be documented. Leave \`domain\` unset or use the canonical resource URL for cloud resources.
+- Do NOT filter out apps, endpoints, subdomains, or cloud resources because they don't appear to belong to one of these domains.
+- Do NOT skip directories, packages, or services because they "look unrelated" to the listed domains.
+
+Known domains:
 ${domains.map((d) => `- ${d}`).join(`
 `)}
+` : "";
+  const operatorGuidanceBlock = operatorPrompt ? `
+## Operator Guidance
+${operatorPrompt}
 ` : "";
   return `# Whitebox Attack Surface Analysis
 
 ## Codebase
 - **Path:** ${codebasePath}
-${domainSection}
+${domainSection}${operatorGuidanceBlock}
 ## Task
 Analyze this codebase and produce a complete attack surface map:
 1. Identify the repo type and package manager
@@ -209,10 +262,11 @@ Analyze this codebase and produce a complete attack surface map:
 3. Discover cloud resources and external infrastructure referenced in the code (S3 buckets, cloud storage, CDN origins, etc.) — document these as apps with the appropriate type
 4. For each app, find all web pages and API endpoints
 5. For each endpoint, generate pentest objectives
+6. **Before submitting**, perform the Phase 3 coverage double-check from the system prompt — re-scan workspace roots, framework configs, Dockerfiles, IaC, and CI/deploy configs for apps you may have missed on the first pass, and document any that were missed.
 
 Use \`spawn_coding_agent\` to delegate app-level analysis for higher fidelity.
 
-When finished, call \`submit_results\` with the complete structured output.
+When finished, call \`submit_results\` with the complete structured output. Do NOT call \`submit_results\` until you have explicitly completed the coverage double-check.
 
 Begin now.`;
 }

package/build/{auth-xavy7vhv.js → auth-skr2man1.js}

@@ -8,14 +8,14 @@ import {
   pollWorkOSToken,
   selectWorkspace,
   startDeviceFlow
-} from "./cli-yerz6636.js";
+} from "./cli-2jdpgtmk.js";
 import {
   config,
   getPensarApiUrl,
   getPensarConsoleUrl
-} from "./cli-zcyjrmz1.js";
-import"./cli-m4g13900.js";
-import"./cli-mb4vmv5r.js";
+} from "./cli-hy4qmtqq.js";
+import"./cli-nw1pczc7.js";
+import"./cli-mg3bvqq9.js";
 import {
   __require
 } from "./cli-8rxa073f.js";

package/build/{authentication-6eh9a3zy.js → authentication-s0vvhxpa.js}

@@ -3,17 +3,18 @@ import {
 } from "./cli-6gtnyaqf.js";
 import {
   OffensiveSecurityAgent
-} from "./cli-fjv700j4.js";
-import"./cli-4y02kfw6.js";
+} from "./cli-km6s27mj.js";
+import"./cli-0wve372a.js";
+import"./cli-3y0dgy56.js";
 import {
   hasToolCall
-} from "./cli-170kbfjp.js";
-import"./cli-yerz6636.js";
-import"./cli-zcyjrmz1.js";
-import"./cli-m4g13900.js";
-import"./cli-mb4vmv5r.js";
-import"./cli-z96s1mhh.js";
-import"./cli-7ckctq7a.js";
+} from "./cli-fvpmqcde.js";
+import"./cli-r8cerdwk.js";
+import"./cli-2jdpgtmk.js";
+import"./cli-hy4qmtqq.js";
+import"./cli-nw1pczc7.js";
+import"./cli-mg3bvqq9.js";
+import"./cli-gpnb45ck.js";
 import"./cli-8rxa073f.js";
 
 // src/core/agents/specialized/authenticationAgent/agent.ts
@@ -86,13 +87,14 @@ Look for:
 ### Browser path (use for SPAs, OAuth, JS-rendered forms):
 1. \`browser_navigate\` to the login URL
 2. \`browser_snapshot\` to find form fields and their refs
-3. \`browser_fill\` the username/email field (use ref from snapshot)
-4. \`browser_snapshot\` again (page may update after input)
-5. \`browser_fill\` the password field
-6. \`browser_click\` the submit/login button
-7. \`browser_snapshot\` or \`browser_screenshot\` to verify the result
-8. \`browser_get_cookies\` to extract session cookies
-9. Optionally \`browser_evaluate\` to extract tokens from localStorage/sessionStorage:
+3. \`browser_screenshot\` to capture the login page before filling credentials
+4. \`browser_fill\` the username/email field (use ref from snapshot)
+5. \`browser_snapshot\` again (page may update after input)
+6. \`browser_fill\` the password field
+7. \`browser_click\` the submit/login button
+8. \`browser_snapshot\` AND \`browser_screenshot\` to verify and document the post-submit state
+9. \`browser_get_cookies\` to extract session cookies
+10. Optionally \`browser_evaluate\` to extract tokens from localStorage/sessionStorage:
    \`\`\`javascript
    (() => {
      const tokens = {};
@@ -153,11 +155,11 @@ If you encounter rate-limiting errors (e.g. "Rate limit exceeded", HTTP 429, "to
 
 # Screenshot Evidence
 
-- Use \`browser_screenshot\` to capture the page state at key moments during authentication
-- **Always screenshot after login attempt** to document success (dashboard/welcome page) or failure (error message)
-- Screenshot any error pages, CAPTCHA challenges, MFA prompts, or unexpected barriers
-- Use descriptive filenames: "login-form", "auth-success", "auth-error", "mfa-prompt", "captcha-detected"
-- Screenshots are automatically stored and displayed in the console logs for debugging
+- **Screenshot liberally.** A human reviews your run after it completes and relies on screenshots to follow along with what the browser actually did. Every time you navigate to a new page, fill a form field, click a button, or observe a state change, call \`browser_screenshot\` so the reviewer can see exactly what you saw. Aim for at least one screenshot per distinct page or state change — screenshots are cheap, missing visual context is not.
+- **Always screenshot after login attempt** to document success (dashboard/welcome page) or failure (error message).
+- Screenshot any error pages, CAPTCHA challenges, MFA prompts, or unexpected barriers.
+- Use descriptive filenames: "login-form", "username-filled", "password-filled", "auth-success", "auth-error", "mfa-prompt", "captcha-detected".
+- Screenshots are automatically stored and displayed in the console logs for debugging and human review.
 `;
 
 // src/core/agents/specialized/authenticationAgent/agent.ts

package/build/blackboxAgent-dvhet08t.js

@@ -0,0 +1,18 @@
+import {
+  BlackboxAttackSurfaceAgent
+} from "./cli-bksgzyyn.js";
+import"./cli-6gtnyaqf.js";
+import"./cli-km6s27mj.js";
+import"./cli-0wve372a.js";
+import"./cli-3y0dgy56.js";
+import"./cli-fvpmqcde.js";
+import"./cli-r8cerdwk.js";
+import"./cli-2jdpgtmk.js";
+import"./cli-hy4qmtqq.js";
+import"./cli-nw1pczc7.js";
+import"./cli-mg3bvqq9.js";
+import"./cli-gpnb45ck.js";
+import"./cli-8rxa073f.js";
+export {
+  BlackboxAttackSurfaceAgent
+};

package/build/blackboxPentest-r67jj0j1.js

@@ -0,0 +1,36 @@
+import {
+  runPentestWorkflow
+} from "./cli-hdb9d7r0.js";
+import"./cli-zmgzw8jk.js";
+import"./cli-867kbj0c.js";
+import"./cli-bksgzyyn.js";
+import"./cli-fw5r7pfj.js";
+import"./cli-ttar2ydd.js";
+import"./cli-6gtnyaqf.js";
+import"./cli-9j8k95v4.js";
+import"./cli-km6s27mj.js";
+import"./cli-0wve372a.js";
+import"./cli-3y0dgy56.js";
+import"./cli-fvpmqcde.js";
+import"./cli-r8cerdwk.js";
+import"./cli-2jdpgtmk.js";
+import"./cli-hy4qmtqq.js";
+import"./cli-nw1pczc7.js";
+import"./cli-mg3bvqq9.js";
+import"./cli-gpnb45ck.js";
+import"./cli-8rxa073f.js";
+
+// src/core/api/blackboxPentest.ts
+async function runPentestAgent(input) {
+  const { findings, findingsPath, pocsPath, reportPath } = await runPentestWorkflow(input);
+  console.log(`
+Found ${findings.length} vulnerabilities`);
+  console.log(`Findings: ${findingsPath}`);
+  console.log(`POCs: ${pocsPath}`);
+  if (reportPath)
+    console.log(`Report: ${reportPath}`);
+  return { findings, findingsPath, pocsPath, reportPath };
+}
+export {
+  runPentestAgent
+};