npm - @pensar/apex - Versions diffs - 0.0.27 → 0.0.28-canary.0 - Mend

@pensar/apex 0.0.27 → 0.0.28-canary.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/bin/pensar.js CHANGED Viewed

@@ -48,17 +48,29 @@ if (command === "benchmark") {
   // Import and run quicktest
   await import(quicktestPath);
-} else if (command === "--version" || command === "-v") {
+} else if (command === "pentest") {
+  // Run pentest CLI
+  const pentestPath = join(__dirname, "..", "build", "pentest.js");
+  // Remove "pentest" from args and pass the rest to pentest script
+  process.argv = [process.argv[0], pentestPath, ...args.slice(1)];
+  // Import and run pentest
+  await import(pentestPath);
+} else if (command === "version" || command === "--version" || command === "-v") {
   // Show version
   console.log(`v${version}`);
-} else if (command === "--help" || command === "-h") {
+} else if (command === "help" || command === "--help" || command === "-h") {
   // Show help
   console.log("Pensar - AI-Powered Penetration Testing CLI");
   console.log();
   console.log("Usage:");
   console.log("  pensar              Launch the TUI (Terminal User Interface)");
+  console.log("  pensar help         Show this help message");
+  console.log("  pensar version      Show version number");
   console.log("  pensar benchmark    Run the benchmark CLI");
   console.log("  pensar quicktest    Run a quick penetration test");
+  console.log("  pensar pentest      Run a comprehensive penetration test");
   console.log(
     "  pensar swarm        Run parallel pentests on multiple targets"
   );
@@ -80,7 +92,7 @@ if (command === "benchmark") {
   console.log();
   console.log("Quicktest Usage:");
   console.log(
-    "  pensar quicktest --target <target> --objective <objective> [--model <model>]"
+    "  pensar quicktest --target <target> --objective <objective> [options]"
   );
   console.log();
   console.log("Quicktest Options:");
@@ -93,9 +105,34 @@ if (command === "benchmark") {
   console.log(
     "  --model <model>          AI model to use (default: claude-sonnet-4-5)"
   );
+  console.log(
+    "  --headers <mode>         Header mode: none, default, custom (default: default)"
+  );
+  console.log(
+    "  --header <name:value>    Add custom header (requires --headers custom)"
+  );
+  console.log();
+  console.log("Pentest Usage:");
+  console.log(
+    "  pensar pentest --target <target> [options]"
+  );
+  console.log();
+  console.log("Pentest Options:");
+  console.log(
+    "  --target <target>        Target domain or organization (required)"
+  );
+  console.log(
+    "  --model <model>          AI model to use (default: claude-sonnet-4-5)"
+  );
+  console.log(
+    "  --headers <mode>         Header mode: none, default, custom (default: default)"
+  );
+  console.log(
+    "  --header <name:value>    Add custom header (requires --headers custom)"
+  );
   console.log();
   console.log("Swarm Usage:");
-  console.log("  pensar swarm <targets> [--model <model>]");
+  console.log("  pensar swarm <targets> [options]");
   console.log();
   console.log("Swarm Arguments:");
   console.log("  <targets>                JSON string or path to JSON file");
@@ -104,36 +141,43 @@ if (command === "benchmark") {
   console.log(
     "  --model <model>          AI model to use (default: claude-sonnet-4-5)"
   );
+  console.log(
+    "  --headers <mode>         Header mode: none, default, custom (default: default)"
+  );
+  console.log(
+    "  --header <name:value>    Add custom header (requires --headers custom)"
+  );
   console.log();
-  console.log("Targets format (JSON array):");
-  console.log("  [");
-  console.log("    {");
-  console.log('      "target": "api.example.com",');
-  console.log('      "objective": "Test API for injection vulnerabilities"');
-  console.log("    },");
-  console.log("    {");
-  console.log('      "target": "admin.example.com",');
-  console.log('      "objective": "Test admin panel for auth bypass"');
-  console.log("    }");
-  console.log("  ]");
+  console.log("Header Modes (for quicktest, pentest, swarm):");
+  console.log(
+    "  none                     No custom headers added to requests"
+  );
+  console.log(
+    "  default                  Add 'User-Agent: pensar-apex' to all offensive requests"
+  );
+  console.log(
+    "  custom                   Use custom headers defined with --header flag"
+  );
   console.log();
   console.log("Examples:");
   console.log("  pensar");
   console.log("  pensar benchmark /path/to/vulnerable-app");
   console.log("  pensar benchmark /path/to/app main develop");
   console.log("  pensar benchmark /path/to/app --all-branches --limit 3");
-  console.log("  pensar benchmark /path/to/app --model gpt-4o");
   console.log(
     "  pensar quicktest --target http://localhost:3000 --objective 'Find SQL injection'"
   );
   console.log(
-    "  pensar quicktest --target 192.168.1.100 --objective 'Test auth bypass' --model gpt-4o"
+    "  pensar quicktest --target api.example.com --objective 'API testing' --headers custom --header 'User-Agent: pensar_client123'"
+  );
+  console.log(
+    "  pensar pentest --target example.com"
   );
-  console.log("  pensar swarm targets.json");
-  console.log("  pensar swarm targets.json --model gpt-4o");
   console.log(
-    '  pensar swarm \'[{"target":"api.example.com","objective":"Test API"}]\''
+    "  pensar pentest --target example.com --headers custom --header 'User-Agent: pensar_client123'"
   );
+  console.log("  pensar swarm targets.json");
+  console.log("  pensar swarm targets.json --headers none");
 } else if (args.length === 0) {
   // No command specified, run the TUI
   const appPath = join(__dirname, "..", "build", "index.js");

package/build/benchmark.js CHANGED Viewed

@@ -62994,7 +62994,7 @@ var require_dist_cjs77 = __commonJS((exports) => {
 // node_modules/@smithy/util-waiter/dist-cjs/index.js
 var require_dist_cjs78 = __commonJS((exports) => {
-  var sleep = (seconds) => {
+  var sleep2 = (seconds) => {
     return new Promise((resolve3) => setTimeout(resolve3, seconds * 1000));
   };
   var waiterServiceDefaults = {
@@ -63061,7 +63061,7 @@ var require_dist_cjs78 = __commonJS((exports) => {
       if (Date.now() + delay2 * 1000 > waitUntil) {
         return { state: exports.WaiterState.TIMEOUT, observedResponses };
       }
-      await sleep(delay2);
+      await sleep2(delay2);
       const { state: state2, reason: reason2 } = await acceptorChecks(client, input);
       if (reason2) {
         const message = createMessageFromResponse(reason2);
@@ -121929,6 +121929,69 @@ import {
 } from "fs";
 import { join } from "path";
 import { homedir } from "os";
+// src/core/services/rateLimiter/index.ts
+function sleep(ms) {
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
+}
+class RateLimiter {
+  tokens;
+  lastRefillTime;
+  rps;
+  bucketSize;
+  msPerToken;
+  queue;
+  constructor(config2) {
+    this.rps = config2?.requestsPerSecond;
+    this.bucketSize = this.rps ? 1 : 0;
+    this.tokens = this.bucketSize;
+    this.lastRefillTime = performance.now();
+    this.msPerToken = this.rps ? 1000 / this.rps : undefined;
+    this.queue = Promise.resolve();
+  }
+  async acquireSlot() {
+    if (!this.rps || !this.msPerToken)
+      return;
+    const previousPromise = this.queue;
+    let resolveCurrentRequest;
+    this.queue = new Promise((resolve2) => {
+      resolveCurrentRequest = resolve2;
+    });
+    await previousPromise;
+    try {
+      const now2 = performance.now();
+      this.refill(now2);
+      if (this.tokens < 1) {
+        const waitTime = (1 - this.tokens) * this.msPerToken;
+        await sleep(waitTime);
+        const nowAfterSleep = performance.now();
+        this.refill(nowAfterSleep);
+      }
+      this.tokens -= 1;
+    } finally {
+      resolveCurrentRequest();
+    }
+  }
+  refill(now2) {
+    if (this.tokens >= this.bucketSize) {
+      this.lastRefillTime = now2;
+      return;
+    }
+    const elapsed = now2 - this.lastRefillTime;
+    const tokensToAdd = elapsed / this.msPerToken;
+    this.tokens = Math.min(this.bucketSize, this.tokens + tokensToAdd);
+    this.lastRefillTime = now2;
+  }
+  isEnabled() {
+    return this.rps !== undefined;
+  }
+}
+// src/core/agent/sessions/index.ts
+var DEFAULT_OFFENSIVE_HEADERS = {
+  "User-Agent": "pensar-apex"
+};
 function generateSessionId(prefix) {
   const timestamp = Date.now().toString(36);
   return `${prefix ? `${prefix}-` : ""}${timestamp}`;
@@ -121939,7 +122002,7 @@ function getPensarDir() {
 function getExecutionsDir() {
   return join(getPensarDir(), "executions");
 }
-function createSession(target, objective, prefix) {
+function createSession(target, objective, prefix, config2) {
   const sessionId = generateSessionId(prefix);
   const rootPath = join(getExecutionsDir(), sessionId);
   const findingsPath = join(rootPath, "findings");
@@ -121957,8 +122020,12 @@ function createSession(target, objective, prefix) {
     logsPath,
     target,
     objective: objective ?? "",
-    startTime: new Date().toISOString()
+    startTime: new Date().toISOString(),
+    config: config2
   };
+  if (config2?.rateLimiter) {
+    session._rateLimiter = new RateLimiter(config2.rateLimiter);
+  }
   const metadataPath = join(rootPath, "session.json");
   writeFileSync(metadataPath, JSON.stringify(session, null, 2));
   const readmePath = join(rootPath, "README.md");
@@ -121992,6 +122059,19 @@ function ensureDirectoryExists(path) {
     mkdirSync(path, { recursive: true });
   }
 }
+function getOffensiveHeaders(session) {
+  const config2 = session.config?.offensiveHeaders;
+  if (!config2 || config2.mode === "none") {
+    return;
+  }
+  if (config2.mode === "default") {
+    return DEFAULT_OFFENSIVE_HEADERS;
+  }
+  if (config2.mode === "custom" && config2.headers) {
+    return config2.headers;
+  }
+  return;
+}
 // src/core/agent/benchmark/tools.ts
 import { writeFileSync as writeFileSync9 } from "fs";
@@ -126153,9 +126233,10 @@ function runAgent(opts) {
     silent,
     authConfig,
     toolOverride,
-    messages
+    messages,
+    sessionConfig
   } = opts;
-  const session = opts.session || createSession(target, objective);
+  const session = opts.session || createSession(target, objective, undefined, sessionConfig);
   const pocsPath = join3(session.rootPath, "pocs");
   if (!existsSync5(pocsPath)) {
     mkdirSync4(pocsPath, { recursive: true });
@@ -128627,7 +128708,53 @@ ${note}
     }
   });
 }
+function wrapCommandWithHeaders(command, headers) {
+  const userAgent = headers["User-Agent"];
+  if (!userAgent)
+    return command;
+  let wrapped = command;
+  if (command.includes("curl") && !command.includes("User-Agent") && !command.includes("-A")) {
+    wrapped = wrapped.replace(/\bcurl(\s+)/g, `curl -A "${userAgent}" $1`);
+  }
+  if (command.includes("nikto") && !command.includes("-useragent")) {
+    wrapped = wrapped.replace(/\bnikto\s+/, `nikto -useragent "${userAgent}" `);
+  }
+  if (command.includes("nmap") && command.includes("--script") && /--script[= ](.*?http.*?)/.test(command) && !command.includes("http.useragent")) {
+    if (command.includes("--script-args")) {
+      wrapped = wrapped.replace(/--script-args\s+([^\s]+)/, `--script-args $1,http.useragent="${userAgent}"`);
+    } else {
+      wrapped = `${wrapped} --script-args http.useragent="${userAgent}"`;
+    }
+  }
+  if (command.includes("gobuster") && !command.includes("-a ") && !command.includes("--useragent")) {
+    wrapped = wrapped.replace(/\bgobuster\s+/, `gobuster -a "${userAgent}" `);
+  }
+  if (command.includes("ffuf") && !command.includes("User-Agent:")) {
+    wrapped = wrapped.replace(/\bffuf\s+/, `ffuf -H "User-Agent: ${userAgent}" `);
+  }
+  if (command.includes("sqlmap") && !command.includes("--user-agent")) {
+    wrapped = wrapped.replace(/\bsqlmap\s+/, `sqlmap --user-agent="${userAgent}" `);
+  }
+  if (command.includes("wfuzz") && !command.includes("-H") && !command.includes("User-Agent")) {
+    wrapped = wrapped.replace(/\bwfuzz\s+/, `wfuzz -H "User-Agent: ${userAgent}" `);
+  }
+  if (command.includes("dirb") && !command.includes("-a")) {
+    wrapped = wrapped.replace(/\bdirb\s+/, `dirb -a "${userAgent}" `);
+  }
+  if (command.includes("wpscan") && !command.includes("--user-agent")) {
+    wrapped = wrapped.replace(/\bwpscan\s+/, `wpscan --user-agent "${userAgent}" `);
+  }
+  if (command.includes("nuclei") && !command.includes("-H")) {
+    wrapped = wrapped.replace(/\bnuclei\s+/, `nuclei -H "User-Agent: ${userAgent}" `);
+  }
+  if (command.includes("httpx") && !command.includes("-H")) {
+    wrapped = wrapped.replace(/\bhttpx\s+/, `httpx -H "User-Agent: ${userAgent}" `);
+  }
+  return wrapped;
+}
 function createPentestTools(session, model, toolOverride) {
+  const offensiveHeaders = getOffensiveHeaders(session);
+  const rateLimiter = session._rateLimiter;
   const executeCommand = tool({
     name: "execute_command",
     description: `Execute a shell command for penetration testing activities.
@@ -128672,6 +128799,9 @@ IMPORTANT: Always analyze results and adjust your approach based on findings.`,
     inputSchema: ExecuteCommandInput,
     execute: async ({ command, timeout = 30000, toolCallDescription }) => {
       try {
+        if (rateLimiter) {
+          await rateLimiter.acquireSlot();
+        }
         if (toolOverride?.execute_command) {
           return toolOverride.execute_command({
             command,
@@ -128679,7 +128809,8 @@ IMPORTANT: Always analyze results and adjust your approach based on findings.`,
             toolCallDescription
           });
         }
-        const { stdout, stderr } = await execAsync3(command, {
+        const finalCommand = offensiveHeaders ? wrapCommandWithHeaders(command, offensiveHeaders) : command;
+        const { stdout, stderr } = await execAsync3(finalCommand, {
           timeout,
           maxBuffer: 10 * 1024 * 1024
         });
@@ -128689,7 +128820,7 @@ IMPORTANT: Always analyze results and adjust your approach based on findings.`,
  (truncated) call the command again with grep / tail to paginate the response` || "(no output)",
           stderr: stderr || "",
-          command,
+          command: finalCommand,
           error: ""
         };
       } catch (error46) {
@@ -128727,6 +128858,9 @@ COMMON TESTING PATTERNS:
     inputSchema: HttpRequestInput,
     execute: async ({ url: url2, method, headers, body, followRedirects, timeout, toolCallDescription }) => {
       try {
+        if (rateLimiter) {
+          await rateLimiter.acquireSlot();
+        }
         if (toolOverride?.http_request) {
           return toolOverride.http_request({
             url: url2,
@@ -128742,7 +128876,10 @@ COMMON TESTING PATTERNS:
         const timeoutId = setTimeout(() => controller.abort(), timeout);
         const response = await fetch(url2, {
           method,
-          headers: headers || {},
+          headers: {
+            ...offensiveHeaders || {},
+            ...headers || {}
+          },
           body: body || undefined,
           redirect: followRedirects ? "follow" : "manual",
           signal: controller.signal
@@ -128961,6 +129098,125 @@ You MUST provide the details final report using create_attack_surface_report too
 // src/core/messages/index.ts
 import fs from "fs";
+// src/core/messages/types.ts
+var ToolMessageObject = exports_external.object({
+  role: exports_external.literal("tool"),
+  status: exports_external.enum(["pending", "completed"]),
+  toolCallId: exports_external.string(),
+  content: exports_external.string(),
+  args: exports_external.record(exports_external.string(), exports_external.any()),
+  toolName: exports_external.string(),
+  createdAt: exports_external.coerce.date()
+});
+var SystemModelMessageObject = exports_external.object({
+  role: exports_external.literal("system"),
+  content: exports_external.string(),
+  createdAt: exports_external.coerce.date(),
+  providerOptions: exports_external.record(exports_external.string(), exports_external.any()).optional()
+});
+var TextPartObject = exports_external.object({
+  type: exports_external.literal("text"),
+  text: exports_external.string(),
+  providerOptions: exports_external.record(exports_external.string(), exports_external.any()).optional()
+});
+var FilePartObject = exports_external.object({
+  type: exports_external.literal("file"),
+  data: exports_external.union([
+    exports_external.string(),
+    exports_external.instanceof(Uint8Array),
+    exports_external.instanceof(ArrayBuffer),
+    exports_external.instanceof(Buffer),
+    exports_external.url()
+  ]),
+  filename: exports_external.string().optional(),
+  mediaType: exports_external.string(),
+  providerOptions: exports_external.record(exports_external.string(), exports_external.any()).optional()
+});
+var ReasoningPartObject = exports_external.object({
+  type: exports_external.literal("reasoning"),
+  text: exports_external.string(),
+  providerOptions: exports_external.record(exports_external.string(), exports_external.any()).optional()
+});
+var ToolCallPartObject = exports_external.object({
+  type: exports_external.literal("tool-call"),
+  toolCallId: exports_external.string(),
+  toolName: exports_external.string(),
+  input: exports_external.unknown(),
+  providerOptions: exports_external.record(exports_external.string(), exports_external.any()).optional(),
+  providerExecuted: exports_external.boolean().optional()
+});
+var ToolResultOutputObject = exports_external.discriminatedUnion("type", [
+  exports_external.object({
+    type: exports_external.literal("text"),
+    value: exports_external.string()
+  }),
+  exports_external.object({
+    type: exports_external.literal("json"),
+    value: exports_external.any()
+  }),
+  exports_external.object({
+    type: exports_external.literal("error-text"),
+    value: exports_external.string()
+  }),
+  exports_external.object({
+    type: exports_external.literal("error-json"),
+    value: exports_external.any()
+  }),
+  exports_external.object({
+    type: exports_external.literal("content"),
+    value: exports_external.array(exports_external.discriminatedUnion("type", [
+      exports_external.object({
+        type: exports_external.literal("text"),
+        text: exports_external.string()
+      }),
+      exports_external.object({
+        type: exports_external.literal("media"),
+        data: exports_external.string(),
+        mediaType: exports_external.string()
+      })
+    ]))
+  })
+]);
+var ToolResultPartObject = exports_external.object({
+  type: exports_external.literal("tool-result"),
+  toolCallId: exports_external.string(),
+  toolName: exports_external.string(),
+  output: ToolResultOutputObject,
+  providerOptions: exports_external.record(exports_external.string(), exports_external.any()).optional()
+});
+var AssistantModelMessageObject = exports_external.object({
+  role: exports_external.literal("assistant"),
+  content: exports_external.union([
+    exports_external.string(),
+    exports_external.array(exports_external.discriminatedUnion("type", [
+      TextPartObject,
+      FilePartObject,
+      ReasoningPartObject,
+      ToolCallPartObject,
+      ToolResultPartObject
+    ]))
+  ]),
+  createdAt: exports_external.coerce.date(),
+  providerOptions: exports_external.record(exports_external.string(), exports_external.any()).optional()
+});
+var UserModelMessageObject = exports_external.object({
+  role: exports_external.literal("user"),
+  content: exports_external.union([
+    exports_external.string(),
+    exports_external.array(exports_external.discriminatedUnion("type", [TextPartObject, FilePartObject]))
+  ]),
+  createdAt: exports_external.coerce.date(),
+  providerOptions: exports_external.record(exports_external.string(), exports_external.any()).optional()
+});
+var ModelMessageObject = exports_external.discriminatedUnion("role", [
+  SystemModelMessageObject,
+  UserModelMessageObject,
+  AssistantModelMessageObject,
+  ToolMessageObject
+]);
+// src/core/messages/index.ts
 function saveSubagentMessages(orchestratorSession, subagentId, messages) {
   const subagentDir = `${orchestratorSession.rootPath}/subagents/${subagentId}`;
   if (!fs.existsSync(`${orchestratorSession.rootPath}/subagents`)) {
@@ -128982,12 +129238,13 @@ function runAgent3(opts) {
     model,
     onStepFinish,
     abortSignal,
+    sessionConfig,
     onSubagentSpawn,
     onSubagentMessage,
     onSubagentComplete,
     session: sessionProp
   } = opts;
-  const session = sessionProp || createSession(target);
+  const session = sessionProp || createSession(target, undefined, undefined, sessionConfig);
   const logger = new Logger(session);
   logger.log(`Created thorough pentest session: ${session.id}`);
   logger.log(`Session path: ${session.rootPath}`);