@pensar/apex 0.0.27 → 0.0.28-canary.0

package/build/swarm.js

@@ -41485,13 +41485,171 @@ Remember: You are a focused penetration testing agent assigned a specific target
 import { exec } from "child_process";
 import { promisify } from "util";
 import {
-  writeFileSync,
+  writeFileSync as writeFileSync2,
   appendFileSync,
-  readdirSync,
+  readdirSync as readdirSync2,
+  readFileSync as readFileSync2,
+  existsSync as existsSync2
+} from "fs";
+import { join as join2 } from "path";
+
+// src/core/agent/sessions/index.ts
+import {
+  mkdirSync,
+  existsSync,
+  writeFileSync,
   readFileSync,
-  existsSync
+  readdirSync,
+  statSync,
+  rmSync
 } from "fs";
 import { join } from "path";
+import { homedir } from "os";
+
+// src/core/services/rateLimiter/index.ts
+function sleep(ms) {
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
+}
+
+class RateLimiter {
+  tokens;
+  lastRefillTime;
+  rps;
+  bucketSize;
+  msPerToken;
+  queue;
+  constructor(config2) {
+    this.rps = config2?.requestsPerSecond;
+    this.bucketSize = this.rps ? 1 : 0;
+    this.tokens = this.bucketSize;
+    this.lastRefillTime = performance.now();
+    this.msPerToken = this.rps ? 1000 / this.rps : undefined;
+    this.queue = Promise.resolve();
+  }
+  async acquireSlot() {
+    if (!this.rps || !this.msPerToken)
+      return;
+    const previousPromise = this.queue;
+    let resolveCurrentRequest;
+    this.queue = new Promise((resolve2) => {
+      resolveCurrentRequest = resolve2;
+    });
+    await previousPromise;
+    try {
+      const now2 = performance.now();
+      this.refill(now2);
+      if (this.tokens < 1) {
+        const waitTime = (1 - this.tokens) * this.msPerToken;
+        await sleep(waitTime);
+        const nowAfterSleep = performance.now();
+        this.refill(nowAfterSleep);
+      }
+      this.tokens -= 1;
+    } finally {
+      resolveCurrentRequest();
+    }
+  }
+  refill(now2) {
+    if (this.tokens >= this.bucketSize) {
+      this.lastRefillTime = now2;
+      return;
+    }
+    const elapsed = now2 - this.lastRefillTime;
+    const tokensToAdd = elapsed / this.msPerToken;
+    this.tokens = Math.min(this.bucketSize, this.tokens + tokensToAdd);
+    this.lastRefillTime = now2;
+  }
+  isEnabled() {
+    return this.rps !== undefined;
+  }
+}
+
+// src/core/agent/sessions/index.ts
+var DEFAULT_OFFENSIVE_HEADERS = {
+  "User-Agent": "pensar-apex"
+};
+function generateSessionId(prefix) {
+  const timestamp = Date.now().toString(36);
+  return `${prefix ? `${prefix}-` : ""}${timestamp}`;
+}
+function getPensarDir() {
+  return join(homedir(), ".pensar");
+}
+function getExecutionsDir() {
+  return join(getPensarDir(), "executions");
+}
+function createSession(target, objective, prefix, config2) {
+  const sessionId = generateSessionId(prefix);
+  const rootPath = join(getExecutionsDir(), sessionId);
+  const findingsPath = join(rootPath, "findings");
+  const scratchpadPath = join(rootPath, "scratchpad");
+  const logsPath = join(rootPath, "logs");
+  ensureDirectoryExists(rootPath);
+  ensureDirectoryExists(findingsPath);
+  ensureDirectoryExists(scratchpadPath);
+  ensureDirectoryExists(logsPath);
+  const session = {
+    id: sessionId,
+    rootPath,
+    findingsPath,
+    scratchpadPath,
+    logsPath,
+    target,
+    objective: objective ?? "",
+    startTime: new Date().toISOString(),
+    config: config2
+  };
+  if (config2?.rateLimiter) {
+    session._rateLimiter = new RateLimiter(config2.rateLimiter);
+  }
+  const metadataPath = join(rootPath, "session.json");
+  writeFileSync(metadataPath, JSON.stringify(session, null, 2));
+  const readmePath = join(rootPath, "README.md");
+  const readme = `# Penetration Test Session
+
+**Session ID:** ${sessionId}
+**Target:** ${target}
+**Objective:** ${objective}
+**Started:** ${session.startTime}
+
+## Directory Structure
+
+- \`findings/\` - Security findings and vulnerabilities
+- \`scratchpad/\` - Notes and temporary data during testing
+- \`logs/\` - Execution logs and command outputs
+- \`session.json\` - Session metadata
+
+## Findings
+
+Security findings will be documented in the \`findings/\` directory as individual files.
+
+## Status
+
+Testing in progress...
+`;
+  writeFileSync(readmePath, readme);
+  return session;
+}
+function ensureDirectoryExists(path) {
+  if (!existsSync(path)) {
+    mkdirSync(path, { recursive: true });
+  }
+}
+function getOffensiveHeaders(session) {
+  const config2 = session.config?.offensiveHeaders;
+  if (!config2 || config2.mode === "none") {
+    return;
+  }
+  if (config2.mode === "default") {
+    return DEFAULT_OFFENSIVE_HEADERS;
+  }
+  if (config2.mode === "custom" && config2.headers) {
+    return config2.headers;
+  }
+  return;
+}
+
+// src/core/agent/tools.ts
 var execAsync = promisify(exec);
 var PayloadSchema = exports_external.object({
   payload: exports_external.string(),
@@ -42585,7 +42743,7 @@ FINDING STRUCTURE:
         const safeTitle = finding.title.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "").substring(0, 50);
         const findingId = `${timestamp.split("T")[0]}-${safeTitle}`;
         const filename = `${findingId}.md`;
-        const filepath = join(session.findingsPath, filename);
+        const filepath = join2(session.findingsPath, filename);
         const markdown = `# ${finding.title}
 
 **Severity:** ${finding.severity}  
@@ -42619,8 +42777,8 @@ ${finding.references}` : ""}
 
 *This finding was automatically documented by the Pensar penetration testing agent.*
 `;
-        writeFileSync(filepath, markdown);
-        const summaryPath = join(session.rootPath, "findings-summary.md");
+        writeFileSync2(filepath, markdown);
+        const summaryPath = join2(session.rootPath, "findings-summary.md");
         const summaryEntry = `- [${finding.severity}] ${finding.title} - \`findings/${filename}\`
 `;
         try {
@@ -42634,7 +42792,7 @@ ${finding.references}` : ""}
 ## All Findings
 
 `;
-          writeFileSync(summaryPath, header + summaryEntry);
+          writeFileSync2(summaryPath, header + summaryEntry);
         }
         return {
           success: true,
@@ -42673,7 +42831,7 @@ The scratchpad is session-specific and helps maintain context during long assess
     execute: async ({ note, category }) => {
       try {
         const timestamp = new Date().toISOString();
-        const scratchpadFile = join(session.scratchpadPath, "notes.md");
+        const scratchpadFile = join2(session.scratchpadPath, "notes.md");
         const entry = `## ${category.toUpperCase()} - ${timestamp}
 
 ${note}
@@ -42692,7 +42850,7 @@ ${note}
 ---
 
 `;
-          writeFileSync(scratchpadFile, header + entry);
+          writeFileSync2(scratchpadFile, header + entry);
         }
         return {
           success: true,
@@ -42819,11 +42977,11 @@ The report will be saved as 'pentest-report.md' in the session root directory.`,
           MEDIUM: 0,
           LOW: 0
         };
-        if (existsSync(session.findingsPath)) {
-          const findingFiles = readdirSync(session.findingsPath).filter((f) => f.endsWith(".json"));
+        if (existsSync2(session.findingsPath)) {
+          const findingFiles = readdirSync2(session.findingsPath).filter((f) => f.endsWith(".json"));
           for (const file2 of findingFiles) {
-            const filePath = join(session.findingsPath, file2);
-            const content = readFileSync(filePath, "utf-8");
+            const filePath = join2(session.findingsPath, file2);
+            const content = readFileSync2(filePath, "utf-8");
             const severityMatch = content.match(/\*\*Severity:\*\*\s+(CRITICAL|HIGH|MEDIUM|LOW)/);
             const titleMatch = content.match(/^#\s+(.+)$/m);
             if (severityMatch && titleMatch) {
@@ -42848,14 +43006,14 @@ The report will be saved as 'pentest-report.md' in the session root directory.`,
         const totalFindings = findings.length;
         const criticalAndHigh = severityCounts.CRITICAL + severityCounts.HIGH;
         let scratchpadNotes = "";
-        const scratchpadFile = join(session.scratchpadPath, "notes.md");
-        if (existsSync(scratchpadFile)) {
-          scratchpadNotes = readFileSync(scratchpadFile, "utf-8");
+        const scratchpadFile = join2(session.scratchpadPath, "notes.md");
+        if (existsSync2(scratchpadFile)) {
+          scratchpadNotes = readFileSync2(scratchpadFile, "utf-8");
         }
         let testResultsSummary = "";
-        const testResultsFile = join(session.scratchpadPath, "test-results.jsonl");
-        if (existsSync(testResultsFile)) {
-          const testLines = readFileSync(testResultsFile, "utf-8").split(`
+        const testResultsFile = join2(session.scratchpadPath, "test-results.jsonl");
+        if (existsSync2(testResultsFile)) {
+          const testLines = readFileSync2(testResultsFile, "utf-8").split(`
 `).filter((l) => l.trim());
           const testResults = testLines.map((line) => {
             try {
@@ -43029,25 +43187,25 @@ This report should be treated as confidential and distributed only to authorized
 *Report generated by Pensar Penetration Testing Agent*  
 *Session: ${session.id}*
 `;
-        const reportPath = join(session.rootPath, "pentest-report.md");
-        writeFileSync(reportPath, report);
-        const readmePath = join(session.rootPath, "README.md");
-        if (existsSync(readmePath)) {
-          let readme = readFileSync(readmePath, "utf-8");
+        const reportPath = join2(session.rootPath, "pentest-report.md");
+        writeFileSync2(reportPath, report);
+        const readmePath = join2(session.rootPath, "README.md");
+        if (existsSync2(readmePath)) {
+          let readme = readFileSync2(readmePath, "utf-8");
           readme = readme.replace("Testing in progress...", `Testing completed on ${endDate.toLocaleString()}
 
 **Final Report:** \`pentest-report.md\``);
-          writeFileSync(readmePath, readme);
+          writeFileSync2(readmePath, readme);
         }
-        const metadataPath = join(session.rootPath, "session.json");
-        if (existsSync(metadataPath)) {
-          const metadata = JSON.parse(readFileSync(metadataPath, "utf-8"));
+        const metadataPath = join2(session.rootPath, "session.json");
+        if (existsSync2(metadataPath)) {
+          const metadata = JSON.parse(readFileSync2(metadataPath, "utf-8"));
           metadata.endTime = endTime;
           metadata.duration = duration3;
           metadata.status = "completed";
           metadata.totalFindings = totalFindings;
           metadata.severityCounts = severityCounts;
-          writeFileSync(metadataPath, JSON.stringify(metadata, null, 2));
+          writeFileSync2(metadataPath, JSON.stringify(metadata, null, 2));
         }
         return {
           success: true,
@@ -43088,7 +43246,7 @@ async function recordTestResultCore(session, params) {
       evidence: params.evidence || "",
       confidence: params.confidence || "high"
     };
-    const testResultsPath = join(session.scratchpadPath, "test-results.jsonl");
+    const testResultsPath = join2(session.scratchpadPath, "test-results.jsonl");
     const resultLine = JSON.stringify(testResult) + `
 `;
     appendFileSync(testResultsPath, resultLine);
@@ -43499,8 +43657,8 @@ Use this when:
     }),
     execute: async ({ objective }) => {
       try {
-        const testResultsPath = join(session.scratchpadPath, "test-results.jsonl");
-        if (!existsSync(testResultsPath)) {
+        const testResultsPath = join2(session.scratchpadPath, "test-results.jsonl");
+        if (!existsSync2(testResultsPath)) {
           return {
             success: true,
             totalTests: 0,
@@ -43509,7 +43667,7 @@ Use this when:
             suggestions: objective ? `Based on objective "${objective}", consider testing relevant parameters with test_parameter tool.` : "Use test_parameter to test parameters for vulnerabilities."
           };
         }
-        const fileContent = readFileSync(testResultsPath, "utf-8");
+        const fileContent = readFileSync2(testResultsPath, "utf-8");
         const testResults = fileContent.trim().split(`
 `).filter((line) => line.trim()).map((line) => JSON.parse(line));
         const parametersTested = new Set;
@@ -43766,7 +43924,7 @@ ${discovered.map((d) => `- ${d.endpoint} [${d.method}] → HTTP ${d.status}`).jo
 Not found: ${range.max - range.min + 1 - discovered.length} endpoints returned 404`;
       try {
         const timestamp = new Date().toISOString();
-        const scratchpadFile = join(session.scratchpadPath, "notes.md");
+        const scratchpadFile = join2(session.scratchpadPath, "notes.md");
         const entry = `## RESULT - ${timestamp}
 
 ${note}
@@ -43785,7 +43943,7 @@ ${note}
 ---
 
 `;
-          writeFileSync(scratchpadFile, header + entry);
+          writeFileSync2(scratchpadFile, header + entry);
         }
       } catch (err) {
         console.error("Failed to record to scratchpad:", err);
@@ -43802,7 +43960,53 @@ ${note}
     }
   });
 }
+function wrapCommandWithHeaders(command, headers) {
+  const userAgent = headers["User-Agent"];
+  if (!userAgent)
+    return command;
+  let wrapped = command;
+  if (command.includes("curl") && !command.includes("User-Agent") && !command.includes("-A")) {
+    wrapped = wrapped.replace(/\bcurl(\s+)/g, `curl -A "${userAgent}" $1`);
+  }
+  if (command.includes("nikto") && !command.includes("-useragent")) {
+    wrapped = wrapped.replace(/\bnikto\s+/, `nikto -useragent "${userAgent}" `);
+  }
+  if (command.includes("nmap") && command.includes("--script") && /--script[= ](.*?http.*?)/.test(command) && !command.includes("http.useragent")) {
+    if (command.includes("--script-args")) {
+      wrapped = wrapped.replace(/--script-args\s+([^\s]+)/, `--script-args $1,http.useragent="${userAgent}"`);
+    } else {
+      wrapped = `${wrapped} --script-args http.useragent="${userAgent}"`;
+    }
+  }
+  if (command.includes("gobuster") && !command.includes("-a ") && !command.includes("--useragent")) {
+    wrapped = wrapped.replace(/\bgobuster\s+/, `gobuster -a "${userAgent}" `);
+  }
+  if (command.includes("ffuf") && !command.includes("User-Agent:")) {
+    wrapped = wrapped.replace(/\bffuf\s+/, `ffuf -H "User-Agent: ${userAgent}" `);
+  }
+  if (command.includes("sqlmap") && !command.includes("--user-agent")) {
+    wrapped = wrapped.replace(/\bsqlmap\s+/, `sqlmap --user-agent="${userAgent}" `);
+  }
+  if (command.includes("wfuzz") && !command.includes("-H") && !command.includes("User-Agent")) {
+    wrapped = wrapped.replace(/\bwfuzz\s+/, `wfuzz -H "User-Agent: ${userAgent}" `);
+  }
+  if (command.includes("dirb") && !command.includes("-a")) {
+    wrapped = wrapped.replace(/\bdirb\s+/, `dirb -a "${userAgent}" `);
+  }
+  if (command.includes("wpscan") && !command.includes("--user-agent")) {
+    wrapped = wrapped.replace(/\bwpscan\s+/, `wpscan --user-agent "${userAgent}" `);
+  }
+  if (command.includes("nuclei") && !command.includes("-H")) {
+    wrapped = wrapped.replace(/\bnuclei\s+/, `nuclei -H "User-Agent: ${userAgent}" `);
+  }
+  if (command.includes("httpx") && !command.includes("-H")) {
+    wrapped = wrapped.replace(/\bhttpx\s+/, `httpx -H "User-Agent: ${userAgent}" `);
+  }
+  return wrapped;
+}
 function createPentestTools(session, model, toolOverride) {
+  const offensiveHeaders = getOffensiveHeaders(session);
+  const rateLimiter = session._rateLimiter;
   const executeCommand = tool({
     name: "execute_command",
     description: `Execute a shell command for penetration testing activities.
@@ -43847,6 +44051,9 @@ IMPORTANT: Always analyze results and adjust your approach based on findings.`,
     inputSchema: ExecuteCommandInput,
     execute: async ({ command, timeout = 30000, toolCallDescription }) => {
       try {
+        if (rateLimiter) {
+          await rateLimiter.acquireSlot();
+        }
         if (toolOverride?.execute_command) {
           return toolOverride.execute_command({
             command,
@@ -43854,7 +44061,8 @@ IMPORTANT: Always analyze results and adjust your approach based on findings.`,
             toolCallDescription
           });
         }
-        const { stdout, stderr } = await execAsync(command, {
+        const finalCommand = offensiveHeaders ? wrapCommandWithHeaders(command, offensiveHeaders) : command;
+        const { stdout, stderr } = await execAsync(finalCommand, {
           timeout,
           maxBuffer: 10 * 1024 * 1024
         });
@@ -43864,7 +44072,7 @@ IMPORTANT: Always analyze results and adjust your approach based on findings.`,
 
  (truncated) call the command again with grep / tail to paginate the response` || "(no output)",
           stderr: stderr || "",
-          command,
+          command: finalCommand,
           error: ""
         };
       } catch (error46) {
@@ -43902,6 +44110,9 @@ COMMON TESTING PATTERNS:
     inputSchema: HttpRequestInput,
     execute: async ({ url: url2, method, headers, body, followRedirects, timeout, toolCallDescription }) => {
       try {
+        if (rateLimiter) {
+          await rateLimiter.acquireSlot();
+        }
         if (toolOverride?.http_request) {
           return toolOverride.http_request({
             url: url2,
@@ -43917,7 +44128,10 @@ COMMON TESTING PATTERNS:
         const timeoutId = setTimeout(() => controller.abort(), timeout);
         const response = await fetch(url2, {
           method,
-          headers: headers || {},
+          headers: {
+            ...offensiveHeaders || {},
+            ...headers || {}
+          },
           body: body || undefined,
           redirect: followRedirects ? "follow" : "manual",
           signal: controller.signal
@@ -43976,82 +44190,6 @@ COMMON TESTING PATTERNS:
   };
 }
 
-// src/core/agent/sessions/index.ts
-import {
-  mkdirSync,
-  existsSync as existsSync2,
-  writeFileSync as writeFileSync2,
-  readFileSync as readFileSync2,
-  readdirSync as readdirSync2,
-  statSync,
-  rmSync
-} from "fs";
-import { join as join2 } from "path";
-import { homedir } from "os";
-function generateSessionId(prefix) {
-  const timestamp = Date.now().toString(36);
-  return `${prefix ? `${prefix}-` : ""}${timestamp}`;
-}
-function getPensarDir() {
-  return join2(homedir(), ".pensar");
-}
-function getExecutionsDir() {
-  return join2(getPensarDir(), "executions");
-}
-function createSession(target, objective, prefix) {
-  const sessionId = generateSessionId(prefix);
-  const rootPath = join2(getExecutionsDir(), sessionId);
-  const findingsPath = join2(rootPath, "findings");
-  const scratchpadPath = join2(rootPath, "scratchpad");
-  const logsPath = join2(rootPath, "logs");
-  ensureDirectoryExists(rootPath);
-  ensureDirectoryExists(findingsPath);
-  ensureDirectoryExists(scratchpadPath);
-  ensureDirectoryExists(logsPath);
-  const session = {
-    id: sessionId,
-    rootPath,
-    findingsPath,
-    scratchpadPath,
-    logsPath,
-    target,
-    objective: objective ?? "",
-    startTime: new Date().toISOString()
-  };
-  const metadataPath = join2(rootPath, "session.json");
-  writeFileSync2(metadataPath, JSON.stringify(session, null, 2));
-  const readmePath = join2(rootPath, "README.md");
-  const readme = `# Penetration Test Session
-
-**Session ID:** ${sessionId}
-**Target:** ${target}
-**Objective:** ${objective}
-**Started:** ${session.startTime}
-
-## Directory Structure
-
-- \`findings/\` - Security findings and vulnerabilities
-- \`scratchpad/\` - Notes and temporary data during testing
-- \`logs/\` - Execution logs and command outputs
-- \`session.json\` - Session metadata
-
-## Findings
-
-Security findings will be documented in the \`findings/\` directory as individual files.
-
-## Status
-
-Testing in progress...
-`;
-  writeFileSync2(readmePath, readme);
-  return session;
-}
-function ensureDirectoryExists(path) {
-  if (!existsSync2(path)) {
-    mkdirSync(path, { recursive: true });
-  }
-}
-
 // src/core/agent/utils.ts
 import { readFileSync as readFileSync3, existsSync as existsSync3 } from "fs";
 import { execSync } from "child_process";
@@ -44866,9 +45004,10 @@ function runAgent(opts) {
     silent,
     authConfig,
     toolOverride,
-    messages
+    messages,
+    sessionConfig
   } = opts;
-  const session = opts.session || createSession(target, objective);
+  const session = opts.session || createSession(target, objective, undefined, sessionConfig);
   const pocsPath = join4(session.rootPath, "pocs");
   if (!existsSync6(pocsPath)) {
     mkdirSync4(pocsPath, { recursive: true });
@@ -45175,7 +45314,7 @@ var TargetSchema = exports_external.array(exports_external.object({
   objective: exports_external.string().describe("The objective of the pentest")
 }));
 async function swarm(options) {
-  const { targets, model, silent } = options;
+  const { targets, model, silent, headerMode = "default", customHeaders } = options;
   let targetsArray = [];
   if (typeof targets === "string") {
     const result = TargetSchema.safeParse(JSON.parse(targets));
@@ -45222,12 +45361,19 @@ async function swarm(options) {
       console.log();
     }
     try {
+      const sessionConfig = {
+        offensiveHeaders: {
+          mode: headerMode,
+          headers: headerMode === "custom" ? customHeaders : undefined
+        }
+      };
       const { streamResult } = runAgent({
         session,
         target: target.target,
         objective: target.objective,
         model,
-        silent
+        silent,
+        sessionConfig
       });
       for await (const delta of streamResult.fullStream) {
         if (delta.type === "text-delta") {} else if (delta.type === "tool-call") {} else if (delta.type === "tool-result") {}
@@ -45284,11 +45430,18 @@ async function main() {
     console.error("Usage: pensar swarm <targets> [options]");
     console.error();
     console.error("Arguments:");
-    console.error("  <targets>            JSON string or path to JSON file");
+    console.error("  <targets>                JSON string or path to JSON file");
     console.error();
     console.error("Options:");
-    console.error("  --model <model>      Specify the AI model to use (default: claude-sonnet-4-5)");
-    console.error("  --silent             Suppress all output");
+    console.error("  --model <model>          AI model to use (default: claude-sonnet-4-5)");
+    console.error("  --silent                 Suppress all output");
+    console.error("  --headers <mode>         Header mode: none, default, or custom (default: default)");
+    console.error("  --header <name:value>    Add custom header (requires --headers custom, can be repeated)");
+    console.error();
+    console.error("Header Modes:");
+    console.error("  none                     No custom headers added to requests");
+    console.error("  default                  Add 'User-Agent: pensar-apex' to all offensive requests");
+    console.error("  custom                   Use custom headers defined with --header flag");
     console.error();
     console.error("Targets format (JSON array):");
     console.error("  [");
@@ -45305,9 +45458,9 @@ async function main() {
     console.error("Examples:");
     console.error("  pensar swarm targets.json");
     console.error("  pensar swarm targets.json --model gpt-4o");
-    console.error("  pensar swarm targets.json --silent");
+    console.error("  pensar swarm targets.json --headers none");
+    console.error("  pensar swarm targets.json --headers custom --header 'User-Agent: pensar_client123'");
     console.error(`  pensar swarm '[{"target":"api.example.com","objective":"Test API"}]'`);
-    console.error(`  pensar swarm '[{"target":"api.example.com","objective":"Test API"}]' --model gpt-4o`);
     process.exit(1);
   }
   const targetsInput = args[0];
@@ -45322,6 +45475,46 @@ async function main() {
     model = modelArg;
   }
   const silent = args.includes("--silent");
+  const headersIndex = args.indexOf("--headers");
+  let headerMode = "default";
+  if (headersIndex !== -1) {
+    const headersArg = args[headersIndex + 1];
+    if (!headersArg || !["none", "default", "custom"].includes(headersArg)) {
+      console.error("Error: --headers must be 'none', 'default', or 'custom'");
+      process.exit(1);
+    }
+    headerMode = headersArg;
+  }
+  const customHeaders = {};
+  for (let i = 0;i < args.length; i++) {
+    if (args[i] === "--header") {
+      const headerArg = args[i + 1];
+      if (!headerArg) {
+        console.error("Error: --header must be followed by 'Name: Value'");
+        process.exit(1);
+      }
+      const colonIndex = headerArg.indexOf(":");
+      if (colonIndex === -1) {
+        console.error("Error: --header must be in format 'Name: Value'");
+        process.exit(1);
+      }
+      const name18 = headerArg.substring(0, colonIndex).trim();
+      const value = headerArg.substring(colonIndex + 1).trim();
+      if (!name18) {
+        console.error("Error: Header name cannot be empty");
+        process.exit(1);
+      }
+      customHeaders[name18] = value;
+    }
+  }
+  if (headerMode !== "custom" && Object.keys(customHeaders).length > 0) {
+    console.error("Error: --header flag requires --headers custom");
+    process.exit(1);
+  }
+  if (headerMode === "custom" && Object.keys(customHeaders).length === 0) {
+    console.error("Error: --headers custom requires at least one --header flag");
+    process.exit(1);
+  }
   let targetsJson;
   if (targetsInput.startsWith("[") || targetsInput.startsWith("{")) {
     targetsJson = targetsInput;
@@ -45337,7 +45530,9 @@ async function main() {
     const session = await swarm({
       targets: targetsJson,
       model,
-      silent
+      silent,
+      headerMode,
+      ...headerMode === "custom" && { customHeaders }
     });
     if (!session) {
       if (!silent) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pensar/apex",
-  "version": "0.0.27",
+  "version": "0.0.28-canary.0",
   "description": "AI-powered penetration testing CLI tool with terminal UI",
   "module": "src/tui/index.tsx",
   "main": "build/index.js",
@@ -19,13 +19,14 @@
     "LICENSE"
   ],
   "scripts": {
-    "build": "bun build src/tui/index.tsx --outdir build --target node --format esm --external sharp && bun build scripts/benchmark.ts --outdir build --target node --format esm --external sharp && bun build scripts/quicktest.ts --outdir build --target node --format esm --external sharp && bun build scripts/swarm.ts --outdir build --target node --format esm --external sharp",
+    "build": "bun build src/tui/index.tsx --outdir build --target node --format esm --external sharp && bun build scripts/benchmark.ts --outdir build --target node --format esm --external sharp && bun build scripts/quicktest.ts --outdir build --target node --format esm --external sharp && bun build scripts/pentest.ts --outdir build --target node --format esm --external sharp && bun build scripts/swarm.ts --outdir build --target node --format esm --external sharp",
     "dev": "bun run scripts/watch.ts",
     "dev:debug": "SHOW_CONSOLE=true bun run scripts/watch.ts",
     "start": "bun run src/tui/index.tsx",
     "pensar": "node bin/pensar.js",
     "benchmark": "bun run scripts/benchmark.ts",
     "quicktest": "bun run scripts/quicktest.ts",
+    "pentest": "bun run scripts/pentest.ts",
     "swarm": "bun run scripts/swarm.ts",
     "test": "vitest run",
     "test:watch": "vitest",