@pensar/apex 0.0.27 → 0.0.28-canary.0

package/build/quicktest.js

@@ -41485,13 +41485,170 @@ Remember: You are a focused penetration testing agent assigned a specific target
 import { exec } from "child_process";
 import { promisify } from "util";
 import {
-  writeFileSync,
+  writeFileSync as writeFileSync2,
   appendFileSync,
-  readdirSync,
+  readdirSync as readdirSync2,
+  readFileSync as readFileSync2,
+  existsSync as existsSync2
+} from "fs";
+import { join as join2 } from "path";
+
+// src/core/agent/sessions/index.ts
+import {
+  mkdirSync,
+  existsSync,
+  writeFileSync,
   readFileSync,
-  existsSync
+  readdirSync,
+  statSync,
+  rmSync
 } from "fs";
 import { join } from "path";
+import { homedir } from "os";
+
+// src/core/services/rateLimiter/index.ts
+function sleep(ms) {
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
+}
+
+class RateLimiter {
+  tokens;
+  lastRefillTime;
+  rps;
+  bucketSize;
+  msPerToken;
+  queue;
+  constructor(config2) {
+    this.rps = config2?.requestsPerSecond;
+    this.bucketSize = this.rps ? 1 : 0;
+    this.tokens = this.bucketSize;
+    this.lastRefillTime = performance.now();
+    this.msPerToken = this.rps ? 1000 / this.rps : undefined;
+    this.queue = Promise.resolve();
+  }
+  async acquireSlot() {
+    if (!this.rps || !this.msPerToken)
+      return;
+    const previousPromise = this.queue;
+    let resolveCurrentRequest;
+    this.queue = new Promise((resolve2) => {
+      resolveCurrentRequest = resolve2;
+    });
+    await previousPromise;
+    try {
+      const now2 = performance.now();
+      this.refill(now2);
+      if (this.tokens < 1) {
+        const waitTime = (1 - this.tokens) * this.msPerToken;
+        await sleep(waitTime);
+        const nowAfterSleep = performance.now();
+        this.refill(nowAfterSleep);
+      }
+      this.tokens -= 1;
+    } finally {
+      resolveCurrentRequest();
+    }
+  }
+  refill(now2) {
+    if (this.tokens >= this.bucketSize) {
+      this.lastRefillTime = now2;
+      return;
+    }
+    const elapsed = now2 - this.lastRefillTime;
+    const tokensToAdd = elapsed / this.msPerToken;
+    this.tokens = Math.min(this.bucketSize, this.tokens + tokensToAdd);
+    this.lastRefillTime = now2;
+  }
+  isEnabled() {
+    return this.rps !== undefined;
+  }
+}
+
+// src/core/agent/sessions/index.ts
+var DEFAULT_OFFENSIVE_HEADERS = {
+  "User-Agent": "pensar-apex"
+};
+function generateSessionId(prefix) {
+  const timestamp = Date.now().toString(36);
+  return `${prefix ? `${prefix}-` : ""}${timestamp}`;
+}
+function getPensarDir() {
+  return join(homedir(), ".pensar");
+}
+function getExecutionsDir() {
+  return join(getPensarDir(), "executions");
+}
+function createSession(target, objective, prefix, config2) {
+  const sessionId = generateSessionId(prefix);
+  const rootPath = join(getExecutionsDir(), sessionId);
+  const findingsPath = join(rootPath, "findings");
+  const scratchpadPath = join(rootPath, "scratchpad");
+  const logsPath = join(rootPath, "logs");
+  ensureDirectoryExists(rootPath);
+  ensureDirectoryExists(findingsPath);
+  ensureDirectoryExists(scratchpadPath);
+  ensureDirectoryExists(logsPath);
+  const session = {
+    id: sessionId,
+    rootPath,
+    findingsPath,
+    scratchpadPath,
+    logsPath,
+    target,
+    objective: objective ?? "",
+    startTime: new Date().toISOString(),
+    config: config2
+  };
+  if (config2?.rateLimiter) {
+    session._rateLimiter = new RateLimiter(config2.rateLimiter);
+  }
+  const metadataPath = join(rootPath, "session.json");
+  writeFileSync(metadataPath, JSON.stringify(session, null, 2));
+  const readmePath = join(rootPath, "README.md");
+  const readme = `# Penetration Test Session
+
+**Session ID:** ${sessionId}
+**Target:** ${target}
+**Objective:** ${objective}
+**Started:** ${session.startTime}
+
+## Directory Structure
+
+- \`findings/\` - Security findings and vulnerabilities
+- \`scratchpad/\` - Notes and temporary data during testing
+- \`logs/\` - Execution logs and command outputs
+- \`session.json\` - Session metadata
+
+## Findings
+
+Security findings will be documented in the \`findings/\` directory as individual files.
+
+## Status
+
+Testing in progress...
+`;
+  writeFileSync(readmePath, readme);
+  return session;
+}
+function ensureDirectoryExists(path) {
+  if (!existsSync(path)) {
+    mkdirSync(path, { recursive: true });
+  }
+}
+function getOffensiveHeaders(session) {
+  const config2 = session.config?.offensiveHeaders;
+  if (!config2 || config2.mode === "none") {
+    return;
+  }
+  if (config2.mode === "default") {
+    return DEFAULT_OFFENSIVE_HEADERS;
+  }
+  if (config2.mode === "custom" && config2.headers) {
+    return config2.headers;
+  }
+  return;
+}
+// src/core/agent/tools.ts
 var execAsync = promisify(exec);
 var PayloadSchema = exports_external.object({
   payload: exports_external.string(),
@@ -42585,7 +42742,7 @@ FINDING STRUCTURE:
         const safeTitle = finding.title.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "").substring(0, 50);
         const findingId = `${timestamp.split("T")[0]}-${safeTitle}`;
         const filename = `${findingId}.md`;
-        const filepath = join(session.findingsPath, filename);
+        const filepath = join2(session.findingsPath, filename);
         const markdown = `# ${finding.title}
 
 **Severity:** ${finding.severity}  
@@ -42619,8 +42776,8 @@ ${finding.references}` : ""}
 
 *This finding was automatically documented by the Pensar penetration testing agent.*
 `;
-        writeFileSync(filepath, markdown);
-        const summaryPath = join(session.rootPath, "findings-summary.md");
+        writeFileSync2(filepath, markdown);
+        const summaryPath = join2(session.rootPath, "findings-summary.md");
         const summaryEntry = `- [${finding.severity}] ${finding.title} - \`findings/${filename}\`
 `;
         try {
@@ -42634,7 +42791,7 @@ ${finding.references}` : ""}
 ## All Findings
 
 `;
-          writeFileSync(summaryPath, header + summaryEntry);
+          writeFileSync2(summaryPath, header + summaryEntry);
         }
         return {
           success: true,
@@ -42673,7 +42830,7 @@ The scratchpad is session-specific and helps maintain context during long assess
     execute: async ({ note, category }) => {
       try {
         const timestamp = new Date().toISOString();
-        const scratchpadFile = join(session.scratchpadPath, "notes.md");
+        const scratchpadFile = join2(session.scratchpadPath, "notes.md");
         const entry = `## ${category.toUpperCase()} - ${timestamp}
 
 ${note}
@@ -42692,7 +42849,7 @@ ${note}
 ---
 
 `;
-          writeFileSync(scratchpadFile, header + entry);
+          writeFileSync2(scratchpadFile, header + entry);
         }
         return {
           success: true,
@@ -42819,11 +42976,11 @@ The report will be saved as 'pentest-report.md' in the session root directory.`,
           MEDIUM: 0,
           LOW: 0
         };
-        if (existsSync(session.findingsPath)) {
-          const findingFiles = readdirSync(session.findingsPath).filter((f) => f.endsWith(".json"));
+        if (existsSync2(session.findingsPath)) {
+          const findingFiles = readdirSync2(session.findingsPath).filter((f) => f.endsWith(".json"));
           for (const file2 of findingFiles) {
-            const filePath = join(session.findingsPath, file2);
-            const content = readFileSync(filePath, "utf-8");
+            const filePath = join2(session.findingsPath, file2);
+            const content = readFileSync2(filePath, "utf-8");
             const severityMatch = content.match(/\*\*Severity:\*\*\s+(CRITICAL|HIGH|MEDIUM|LOW)/);
             const titleMatch = content.match(/^#\s+(.+)$/m);
             if (severityMatch && titleMatch) {
@@ -42848,14 +43005,14 @@ The report will be saved as 'pentest-report.md' in the session root directory.`,
         const totalFindings = findings.length;
         const criticalAndHigh = severityCounts.CRITICAL + severityCounts.HIGH;
         let scratchpadNotes = "";
-        const scratchpadFile = join(session.scratchpadPath, "notes.md");
-        if (existsSync(scratchpadFile)) {
-          scratchpadNotes = readFileSync(scratchpadFile, "utf-8");
+        const scratchpadFile = join2(session.scratchpadPath, "notes.md");
+        if (existsSync2(scratchpadFile)) {
+          scratchpadNotes = readFileSync2(scratchpadFile, "utf-8");
         }
         let testResultsSummary = "";
-        const testResultsFile = join(session.scratchpadPath, "test-results.jsonl");
-        if (existsSync(testResultsFile)) {
-          const testLines = readFileSync(testResultsFile, "utf-8").split(`
+        const testResultsFile = join2(session.scratchpadPath, "test-results.jsonl");
+        if (existsSync2(testResultsFile)) {
+          const testLines = readFileSync2(testResultsFile, "utf-8").split(`
 `).filter((l) => l.trim());
           const testResults = testLines.map((line) => {
             try {
@@ -43029,25 +43186,25 @@ This report should be treated as confidential and distributed only to authorized
 *Report generated by Pensar Penetration Testing Agent*  
 *Session: ${session.id}*
 `;
-        const reportPath = join(session.rootPath, "pentest-report.md");
-        writeFileSync(reportPath, report);
-        const readmePath = join(session.rootPath, "README.md");
-        if (existsSync(readmePath)) {
-          let readme = readFileSync(readmePath, "utf-8");
+        const reportPath = join2(session.rootPath, "pentest-report.md");
+        writeFileSync2(reportPath, report);
+        const readmePath = join2(session.rootPath, "README.md");
+        if (existsSync2(readmePath)) {
+          let readme = readFileSync2(readmePath, "utf-8");
           readme = readme.replace("Testing in progress...", `Testing completed on ${endDate.toLocaleString()}
 
 **Final Report:** \`pentest-report.md\``);
-          writeFileSync(readmePath, readme);
+          writeFileSync2(readmePath, readme);
         }
-        const metadataPath = join(session.rootPath, "session.json");
-        if (existsSync(metadataPath)) {
-          const metadata = JSON.parse(readFileSync(metadataPath, "utf-8"));
+        const metadataPath = join2(session.rootPath, "session.json");
+        if (existsSync2(metadataPath)) {
+          const metadata = JSON.parse(readFileSync2(metadataPath, "utf-8"));
           metadata.endTime = endTime;
           metadata.duration = duration3;
           metadata.status = "completed";
           metadata.totalFindings = totalFindings;
           metadata.severityCounts = severityCounts;
-          writeFileSync(metadataPath, JSON.stringify(metadata, null, 2));
+          writeFileSync2(metadataPath, JSON.stringify(metadata, null, 2));
         }
         return {
           success: true,
@@ -43088,7 +43245,7 @@ async function recordTestResultCore(session, params) {
       evidence: params.evidence || "",
       confidence: params.confidence || "high"
     };
-    const testResultsPath = join(session.scratchpadPath, "test-results.jsonl");
+    const testResultsPath = join2(session.scratchpadPath, "test-results.jsonl");
     const resultLine = JSON.stringify(testResult) + `
 `;
     appendFileSync(testResultsPath, resultLine);
@@ -43499,8 +43656,8 @@ Use this when:
     }),
     execute: async ({ objective }) => {
       try {
-        const testResultsPath = join(session.scratchpadPath, "test-results.jsonl");
-        if (!existsSync(testResultsPath)) {
+        const testResultsPath = join2(session.scratchpadPath, "test-results.jsonl");
+        if (!existsSync2(testResultsPath)) {
           return {
             success: true,
             totalTests: 0,
@@ -43509,7 +43666,7 @@ Use this when:
             suggestions: objective ? `Based on objective "${objective}", consider testing relevant parameters with test_parameter tool.` : "Use test_parameter to test parameters for vulnerabilities."
           };
         }
-        const fileContent = readFileSync(testResultsPath, "utf-8");
+        const fileContent = readFileSync2(testResultsPath, "utf-8");
         const testResults = fileContent.trim().split(`
 `).filter((line) => line.trim()).map((line) => JSON.parse(line));
         const parametersTested = new Set;
@@ -43766,7 +43923,7 @@ ${discovered.map((d) => `- ${d.endpoint} [${d.method}] → HTTP ${d.status}`).jo
 Not found: ${range.max - range.min + 1 - discovered.length} endpoints returned 404`;
       try {
         const timestamp = new Date().toISOString();
-        const scratchpadFile = join(session.scratchpadPath, "notes.md");
+        const scratchpadFile = join2(session.scratchpadPath, "notes.md");
         const entry = `## RESULT - ${timestamp}
 
 ${note}
@@ -43785,7 +43942,7 @@ ${note}
 ---
 
 `;
-          writeFileSync(scratchpadFile, header + entry);
+          writeFileSync2(scratchpadFile, header + entry);
         }
       } catch (err) {
         console.error("Failed to record to scratchpad:", err);
@@ -43802,7 +43959,53 @@ ${note}
     }
   });
 }
+function wrapCommandWithHeaders(command, headers) {
+  const userAgent = headers["User-Agent"];
+  if (!userAgent)
+    return command;
+  let wrapped = command;
+  if (command.includes("curl") && !command.includes("User-Agent") && !command.includes("-A")) {
+    wrapped = wrapped.replace(/\bcurl(\s+)/g, `curl -A "${userAgent}" $1`);
+  }
+  if (command.includes("nikto") && !command.includes("-useragent")) {
+    wrapped = wrapped.replace(/\bnikto\s+/, `nikto -useragent "${userAgent}" `);
+  }
+  if (command.includes("nmap") && command.includes("--script") && /--script[= ](.*?http.*?)/.test(command) && !command.includes("http.useragent")) {
+    if (command.includes("--script-args")) {
+      wrapped = wrapped.replace(/--script-args\s+([^\s]+)/, `--script-args $1,http.useragent="${userAgent}"`);
+    } else {
+      wrapped = `${wrapped} --script-args http.useragent="${userAgent}"`;
+    }
+  }
+  if (command.includes("gobuster") && !command.includes("-a ") && !command.includes("--useragent")) {
+    wrapped = wrapped.replace(/\bgobuster\s+/, `gobuster -a "${userAgent}" `);
+  }
+  if (command.includes("ffuf") && !command.includes("User-Agent:")) {
+    wrapped = wrapped.replace(/\bffuf\s+/, `ffuf -H "User-Agent: ${userAgent}" `);
+  }
+  if (command.includes("sqlmap") && !command.includes("--user-agent")) {
+    wrapped = wrapped.replace(/\bsqlmap\s+/, `sqlmap --user-agent="${userAgent}" `);
+  }
+  if (command.includes("wfuzz") && !command.includes("-H") && !command.includes("User-Agent")) {
+    wrapped = wrapped.replace(/\bwfuzz\s+/, `wfuzz -H "User-Agent: ${userAgent}" `);
+  }
+  if (command.includes("dirb") && !command.includes("-a")) {
+    wrapped = wrapped.replace(/\bdirb\s+/, `dirb -a "${userAgent}" `);
+  }
+  if (command.includes("wpscan") && !command.includes("--user-agent")) {
+    wrapped = wrapped.replace(/\bwpscan\s+/, `wpscan --user-agent "${userAgent}" `);
+  }
+  if (command.includes("nuclei") && !command.includes("-H")) {
+    wrapped = wrapped.replace(/\bnuclei\s+/, `nuclei -H "User-Agent: ${userAgent}" `);
+  }
+  if (command.includes("httpx") && !command.includes("-H")) {
+    wrapped = wrapped.replace(/\bhttpx\s+/, `httpx -H "User-Agent: ${userAgent}" `);
+  }
+  return wrapped;
+}
 function createPentestTools(session, model, toolOverride) {
+  const offensiveHeaders = getOffensiveHeaders(session);
+  const rateLimiter = session._rateLimiter;
   const executeCommand = tool({
     name: "execute_command",
     description: `Execute a shell command for penetration testing activities.
@@ -43847,6 +44050,9 @@ IMPORTANT: Always analyze results and adjust your approach based on findings.`,
     inputSchema: ExecuteCommandInput,
     execute: async ({ command, timeout = 30000, toolCallDescription }) => {
       try {
+        if (rateLimiter) {
+          await rateLimiter.acquireSlot();
+        }
         if (toolOverride?.execute_command) {
           return toolOverride.execute_command({
             command,
@@ -43854,7 +44060,8 @@ IMPORTANT: Always analyze results and adjust your approach based on findings.`,
             toolCallDescription
           });
         }
-        const { stdout, stderr } = await execAsync(command, {
+        const finalCommand = offensiveHeaders ? wrapCommandWithHeaders(command, offensiveHeaders) : command;
+        const { stdout, stderr } = await execAsync(finalCommand, {
           timeout,
           maxBuffer: 10 * 1024 * 1024
         });
@@ -43864,7 +44071,7 @@ IMPORTANT: Always analyze results and adjust your approach based on findings.`,
 
  (truncated) call the command again with grep / tail to paginate the response` || "(no output)",
           stderr: stderr || "",
-          command,
+          command: finalCommand,
           error: ""
         };
       } catch (error46) {
@@ -43902,6 +44109,9 @@ COMMON TESTING PATTERNS:
     inputSchema: HttpRequestInput,
     execute: async ({ url: url2, method, headers, body, followRedirects, timeout, toolCallDescription }) => {
       try {
+        if (rateLimiter) {
+          await rateLimiter.acquireSlot();
+        }
         if (toolOverride?.http_request) {
           return toolOverride.http_request({
             url: url2,
@@ -43917,7 +44127,10 @@ COMMON TESTING PATTERNS:
         const timeoutId = setTimeout(() => controller.abort(), timeout);
         const response = await fetch(url2, {
           method,
-          headers: headers || {},
+          headers: {
+            ...offensiveHeaders || {},
+            ...headers || {}
+          },
           body: body || undefined,
           redirect: followRedirects ? "follow" : "manual",
           signal: controller.signal
@@ -43976,82 +44189,6 @@ COMMON TESTING PATTERNS:
   };
 }
 
-// src/core/agent/sessions/index.ts
-import {
-  mkdirSync,
-  existsSync as existsSync2,
-  writeFileSync as writeFileSync2,
-  readFileSync as readFileSync2,
-  readdirSync as readdirSync2,
-  statSync,
-  rmSync
-} from "fs";
-import { join as join2 } from "path";
-import { homedir } from "os";
-function generateSessionId(prefix) {
-  const timestamp = Date.now().toString(36);
-  return `${prefix ? `${prefix}-` : ""}${timestamp}`;
-}
-function getPensarDir() {
-  return join2(homedir(), ".pensar");
-}
-function getExecutionsDir() {
-  return join2(getPensarDir(), "executions");
-}
-function createSession(target, objective, prefix) {
-  const sessionId = generateSessionId(prefix);
-  const rootPath = join2(getExecutionsDir(), sessionId);
-  const findingsPath = join2(rootPath, "findings");
-  const scratchpadPath = join2(rootPath, "scratchpad");
-  const logsPath = join2(rootPath, "logs");
-  ensureDirectoryExists(rootPath);
-  ensureDirectoryExists(findingsPath);
-  ensureDirectoryExists(scratchpadPath);
-  ensureDirectoryExists(logsPath);
-  const session = {
-    id: sessionId,
-    rootPath,
-    findingsPath,
-    scratchpadPath,
-    logsPath,
-    target,
-    objective: objective ?? "",
-    startTime: new Date().toISOString()
-  };
-  const metadataPath = join2(rootPath, "session.json");
-  writeFileSync2(metadataPath, JSON.stringify(session, null, 2));
-  const readmePath = join2(rootPath, "README.md");
-  const readme = `# Penetration Test Session
-
-**Session ID:** ${sessionId}
-**Target:** ${target}
-**Objective:** ${objective}
-**Started:** ${session.startTime}
-
-## Directory Structure
-
-- \`findings/\` - Security findings and vulnerabilities
-- \`scratchpad/\` - Notes and temporary data during testing
-- \`logs/\` - Execution logs and command outputs
-- \`session.json\` - Session metadata
-
-## Findings
-
-Security findings will be documented in the \`findings/\` directory as individual files.
-
-## Status
-
-Testing in progress...
-`;
-  writeFileSync2(readmePath, readme);
-  return session;
-}
-function ensureDirectoryExists(path) {
-  if (!existsSync2(path)) {
-    mkdirSync(path, { recursive: true });
-  }
-}
-
 // src/core/agent/utils.ts
 import { readFileSync as readFileSync3, existsSync as existsSync3 } from "fs";
 import { execSync } from "child_process";
@@ -44866,9 +45003,10 @@ function runAgent(opts) {
     silent,
     authConfig,
     toolOverride,
-    messages
+    messages,
+    sessionConfig
   } = opts;
-  const session = opts.session || createSession(target, objective);
+  const session = opts.session || createSession(target, objective, undefined, sessionConfig);
   const pocsPath = join4(session.rootPath, "pocs");
   if (!existsSync6(pocsPath)) {
     mkdirSync4(pocsPath, { recursive: true });
@@ -45032,19 +45170,45 @@ You are only authorized to perform testing against the specific target endpoint
 
 // scripts/quicktest.ts
 async function runQuicktest(options) {
-  const { target, objective, model = "claude-sonnet-4-5" } = options;
+  const {
+    target,
+    objective,
+    model = "claude-sonnet-4-5",
+    headerMode = "default",
+    customHeaders,
+    rps
+  } = options;
   console.log("=".repeat(80));
   console.log("PENSAR QUICK PENTEST");
   console.log("=".repeat(80));
   console.log(`Target: ${target}`);
   console.log(`Objective: ${objective}`);
   console.log(`Model: ${model}`);
+  console.log(`Rate Limit: ${rps ? `${rps} req/s` : "Unlimited"}`);
+  console.log(`Headers: ${headerMode === "none" ? "None" : headerMode === "default" ? "Default (pensar-apex)" : "Custom"}`);
+  if (headerMode === "custom" && customHeaders) {
+    for (const [key, value] of Object.entries(customHeaders)) {
+      console.log(`  ${key}: ${value}`);
+    }
+  }
   console.log();
   try {
+    const sessionConfig = {
+      offensiveHeaders: {
+        mode: headerMode,
+        headers: headerMode === "custom" ? customHeaders : undefined
+      },
+      ...rps && {
+        rateLimiter: {
+          requestsPerSecond: rps
+        }
+      }
+    };
     const { streamResult, session } = runAgent({
       target,
       objective,
-      model
+      model,
+      sessionConfig
     });
     console.log(`Session ID: ${session.id}`);
     console.log(`Session Path: ${session.rootPath}`);
@@ -45085,17 +45249,28 @@ async function runQuicktest(options) {
 async function main() {
   const args = process.argv.slice(2);
   if (args.length === 0) {
-    console.error("Usage: pensar quicktest --target <target> --objective <objective> [--model <model>]");
+    console.error("Usage: pensar quicktest --target <target> --objective <objective> [options]");
+    console.error();
+    console.error("Required:");
+    console.error("  --target <target>        Target URL or IP address to test");
+    console.error("  --objective <objective>  Objective or goal of the pentest");
     console.error();
     console.error("Options:");
-    console.error("  --target <target>        Target URL or IP address to test (required)");
-    console.error("  --objective <objective>  Objective or goal of the pentest (required)");
     console.error("  --model <model>          AI model to use (default: claude-sonnet-4-5)");
+    console.error("  --rps <number>           Rate limit: requests per second (default: unlimited)");
+    console.error("  --headers <mode>         Header mode: none, default, or custom (default: default)");
+    console.error("  --header <name:value>    Add custom header (requires --headers custom, can be repeated)");
+    console.error();
+    console.error("Header Modes:");
+    console.error("  none                     No custom headers added to requests");
+    console.error("  default                  Add 'User-Agent: pensar-apex' to all offensive requests");
+    console.error("  custom                   Use custom headers defined with --header flag");
     console.error();
     console.error("Examples:");
-    console.error("  pensar quicktest --target http://localhost:3000 --objective 'Find SQL injection vulnerabilities'");
-    console.error("  pensar quicktest --target 192.168.1.100 --objective 'Test for authentication bypass' --model gpt-4o");
-    console.error("  pensar quicktest --target https://example.com --objective 'Find XSS vulnerabilities' --model claude-opus-4-1");
+    console.error("  pensar quicktest --target http://localhost:3000 --objective 'Find SQL injection'");
+    console.error("  pensar quicktest --target 192.168.1.100 --objective 'Test auth bypass' --headers none");
+    console.error("  pensar quicktest --target api.example.com --objective 'API testing' --rps 5 \\");
+    console.error("    --headers custom --header 'User-Agent: pensar_client123' --header 'X-Bug-Bounty: researcher'");
     console.error();
     process.exit(1);
   }
@@ -45129,11 +45304,69 @@ async function main() {
     }
     model = modelArg;
   }
+  const rpsIndex = args.indexOf("--rps");
+  let rps;
+  if (rpsIndex !== -1) {
+    const rpsArg = args[rpsIndex + 1];
+    if (!rpsArg) {
+      console.error("Error: --rps must be followed by a number");
+      process.exit(1);
+    }
+    const parsedRps = parseInt(rpsArg, 10);
+    if (isNaN(parsedRps) || parsedRps <= 0) {
+      console.error("Error: --rps must be a positive number");
+      process.exit(1);
+    }
+    rps = parsedRps;
+  }
+  const headersIndex = args.indexOf("--headers");
+  let headerMode = "default";
+  if (headersIndex !== -1) {
+    const headersArg = args[headersIndex + 1];
+    if (!headersArg || !["none", "default", "custom"].includes(headersArg)) {
+      console.error("Error: --headers must be 'none', 'default', or 'custom'");
+      process.exit(1);
+    }
+    headerMode = headersArg;
+  }
+  const customHeaders = {};
+  for (let i = 0;i < args.length; i++) {
+    if (args[i] === "--header") {
+      const headerArg = args[i + 1];
+      if (!headerArg) {
+        console.error("Error: --header must be followed by 'Name: Value'");
+        process.exit(1);
+      }
+      const colonIndex = headerArg.indexOf(":");
+      if (colonIndex === -1) {
+        console.error("Error: --header must be in format 'Name: Value'");
+        process.exit(1);
+      }
+      const name18 = headerArg.substring(0, colonIndex).trim();
+      const value = headerArg.substring(colonIndex + 1).trim();
+      if (!name18) {
+        console.error("Error: Header name cannot be empty");
+        process.exit(1);
+      }
+      customHeaders[name18] = value;
+    }
+  }
+  if (headerMode !== "custom" && Object.keys(customHeaders).length > 0) {
+    console.error("Error: --header flag requires --headers custom");
+    process.exit(1);
+  }
+  if (headerMode === "custom" && Object.keys(customHeaders).length === 0) {
+    console.error("Error: --headers custom requires at least one --header flag");
+    process.exit(1);
+  }
   try {
     await runQuicktest({
       target,
       objective,
-      ...model && { model }
+      ...model && { model },
+      headerMode,
+      ...headerMode === "custom" && { customHeaders },
+      ...rps && { rps }
     });
   } catch (error46) {
     console.error("Fatal error:", error46.message);