@pensar/apex 0.0.90-canary.97fbe7e3 → 0.0.90

package/build/index.js

@@ -31971,7 +31971,7 @@ var package_default2;
 var init_package = __esm(() => {
   package_default2 = {
     name: "@pensar/apex",
-    version: "0.0.90-canary.97fbe7e3",
+    version: "0.0.90",
     description: "AI-powered penetration testing CLI tool with terminal UI",
     module: "src/tui/index.tsx",
     main: "build/index.js",
@@ -89342,21 +89342,10 @@ var init_session = __esm(() => {
   };
 });
 
-// src/lib/cwe/types.ts
-var CweEntrySchema;
-var init_types2 = __esm(() => {
-  init_zod();
-  CweEntrySchema = exports_external.object({
-    id: exports_external.string().regex(/^CWE-\d+$/, "Must be CWE-<number> format"),
-    reasoning: exports_external.string().describe("Why this CWE applies to the observed vulnerability")
-  });
-});
-
 // src/core/report/schemas.ts
 var PentestReportFindingSchema, PentestReportSchema, REPORT_VERSION = "1.0";
 var init_schemas3 = __esm(() => {
   init_zod();
-  init_types2();
   PentestReportFindingSchema = exports_external.object({
     title: exports_external.string(),
     severity: exports_external.enum(["CRITICAL", "HIGH", "MEDIUM", "LOW"]),
@@ -89366,8 +89355,7 @@ var init_schemas3 = __esm(() => {
     endpoint: exports_external.string(),
     pocPath: exports_external.string(),
     remediation: exports_external.string(),
-    references: exports_external.string().optional(),
-    cwes: exports_external.array(CweEntrySchema).optional()
+    references: exports_external.string().optional()
   });
   PentestReportSchema = exports_external.object({
     version: exports_external.string().regex(/^1\.\d+$/),
@@ -89481,12 +89469,6 @@ function renderFinding(finding, metadata) {
     finding.evidence,
     "```",
     "",
-    ...finding.cwes?.length ? [
-      "## CWE Classification",
-      "",
-      ...finding.cwes.map((cwe) => `- **${cwe.id}** — ${cwe.reasoning}`),
-      ""
-    ] : [],
     "## POC",
     "",
     `Path: \`${finding.pocPath}\``,
@@ -90238,7 +90220,7 @@ function loadAttackSurfaceResults2(resultsPath) {
   const data = readFileSync6(resultsPath, "utf-8");
   return JSON.parse(data);
 }
-var init_types3 = () => {};
+var init_types2 = () => {};
 
 // src/core/ai/index.ts
 var init_ai2 = __esm(() => {
@@ -90351,7 +90333,7 @@ var init_zod_compat = __esm(() => {
 
 // node_modules/@modelcontextprotocol/sdk/dist/esm/types.js
 var LATEST_PROTOCOL_VERSION = "2025-11-25", SUPPORTED_PROTOCOL_VERSIONS, RELATED_TASK_META_KEY = "io.modelcontextprotocol/related-task", JSONRPC_VERSION = "2.0", AssertObjectSchema, ProgressTokenSchema, CursorSchema, TaskCreationParamsSchema, TaskMetadataSchema, RelatedTaskMetadataSchema, RequestMetaSchema, BaseRequestParamsSchema, TaskAugmentedRequestParamsSchema, isTaskAugmentedRequestParams = (value) => TaskAugmentedRequestParamsSchema.safeParse(value).success, RequestSchema, NotificationsParamsSchema, NotificationSchema, ResultSchema, RequestIdSchema, JSONRPCRequestSchema, isJSONRPCRequest = (value) => JSONRPCRequestSchema.safeParse(value).success, JSONRPCNotificationSchema, isJSONRPCNotification = (value) => JSONRPCNotificationSchema.safeParse(value).success, JSONRPCResultResponseSchema, isJSONRPCResultResponse = (value) => JSONRPCResultResponseSchema.safeParse(value).success, ErrorCode, JSONRPCErrorResponseSchema, isJSONRPCErrorResponse = (value) => JSONRPCErrorResponseSchema.safeParse(value).success, JSONRPCMessageSchema, JSONRPCResponseSchema, EmptyResultSchema, CancelledNotificationParamsSchema, CancelledNotificationSchema, IconSchema, IconsSchema, BaseMetadataSchema, ImplementationSchema, FormElicitationCapabilitySchema, ElicitationCapabilitySchema, ClientTasksCapabilitySchema, ServerTasksCapabilitySchema, ClientCapabilitiesSchema, InitializeRequestParamsSchema, InitializeRequestSchema, ServerCapabilitiesSchema, InitializeResultSchema, InitializedNotificationSchema, PingRequestSchema, ProgressSchema, ProgressNotificationParamsSchema, ProgressNotificationSchema, PaginatedRequestParamsSchema, PaginatedRequestSchema, PaginatedResultSchema, TaskStatusSchema, TaskSchema, CreateTaskResultSchema, TaskStatusNotificationParamsSchema, TaskStatusNotificationSchema, GetTaskRequestSchema, GetTaskResultSchema, GetTaskPayloadRequestSchema, GetTaskPayloadResultSchema, ListTasksRequestSchema, ListTasksResultSchema, CancelTaskRequestSchema, CancelTaskResultSchema, ResourceContentsSchema, TextResourceContentsSchema, Base64Schema, BlobResourceContentsSchema, RoleSchema, AnnotationsSchema, ResourceSchema, ResourceTemplateSchema, ListResourcesRequestSchema, ListResourcesResultSchema, ListResourceTemplatesRequestSchema, ListResourceTemplatesResultSchema, ResourceRequestParamsSchema, ReadResourceRequestParamsSchema, ReadResourceRequestSchema, ReadResourceResultSchema, ResourceListChangedNotificationSchema, SubscribeRequestParamsSchema, SubscribeRequestSchema, UnsubscribeRequestParamsSchema, UnsubscribeRequestSchema, ResourceUpdatedNotificationParamsSchema, ResourceUpdatedNotificationSchema, PromptArgumentSchema, PromptSchema, ListPromptsRequestSchema, ListPromptsResultSchema, GetPromptRequestParamsSchema, GetPromptRequestSchema, TextContentSchema, ImageContentSchema, AudioContentSchema, ToolUseContentSchema, EmbeddedResourceSchema, ResourceLinkSchema, ContentBlockSchema, PromptMessageSchema, GetPromptResultSchema, PromptListChangedNotificationSchema, ToolAnnotationsSchema, ToolExecutionSchema, ToolSchema, ListToolsRequestSchema, ListToolsResultSchema, CallToolResultSchema, CompatibilityCallToolResultSchema, CallToolRequestParamsSchema, CallToolRequestSchema, ToolListChangedNotificationSchema, ListChangedOptionsBaseSchema, LoggingLevelSchema, SetLevelRequestParamsSchema, SetLevelRequestSchema, LoggingMessageNotificationParamsSchema, LoggingMessageNotificationSchema, ModelHintSchema, ModelPreferencesSchema, ToolChoiceSchema, ToolResultContentSchema, SamplingContentSchema, SamplingMessageContentBlockSchema, SamplingMessageSchema, CreateMessageRequestParamsSchema, CreateMessageRequestSchema, CreateMessageResultSchema, CreateMessageResultWithToolsSchema, BooleanSchemaSchema, StringSchemaSchema, NumberSchemaSchema, UntitledSingleSelectEnumSchemaSchema, TitledSingleSelectEnumSchemaSchema, LegacyTitledEnumSchemaSchema, SingleSelectEnumSchemaSchema, UntitledMultiSelectEnumSchemaSchema, TitledMultiSelectEnumSchemaSchema, MultiSelectEnumSchemaSchema, EnumSchemaSchema, PrimitiveSchemaDefinitionSchema, ElicitRequestFormParamsSchema, ElicitRequestURLParamsSchema, ElicitRequestParamsSchema, ElicitRequestSchema, ElicitationCompleteNotificationParamsSchema, ElicitationCompleteNotificationSchema, ElicitResultSchema, ResourceTemplateReferenceSchema, PromptReferenceSchema, CompleteRequestParamsSchema, CompleteRequestSchema, CompleteResultSchema, RootSchema, ListRootsRequestSchema, ListRootsResultSchema, RootsListChangedNotificationSchema, ClientRequestSchema, ClientNotificationSchema, ClientResultSchema, ServerRequestSchema, ServerNotificationSchema, ServerResultSchema, McpError, UrlElicitationRequiredError;
-var init_types4 = __esm(() => {
+var init_types3 = __esm(() => {
   init_v4();
   SUPPORTED_PROTOCOL_VERSIONS = [LATEST_PROTOCOL_VERSION, "2025-06-18", "2025-03-26", "2024-11-05", "2024-10-07"];
   AssertObjectSchema = custom2((v2) => v2 !== null && (typeof v2 === "object" || typeof v2 === "function"));
@@ -92252,7 +92234,7 @@ function mergeCapabilities(base, additional) {
 var DEFAULT_REQUEST_TIMEOUT_MSEC = 60000;
 var init_protocol = __esm(() => {
   init_zod_compat();
-  init_types4();
+  init_types3();
   init_zod_json_schema_compat();
 });
 
@@ -104302,7 +104284,7 @@ class ExperimentalClientTasks {
   }
 }
 var init_client = __esm(() => {
-  init_types4();
+  init_types3();
 });
 
 // node_modules/@modelcontextprotocol/sdk/dist/esm/experimental/tasks/helpers.js
@@ -104385,7 +104367,7 @@ function getSupportedElicitationModes(capabilities) {
 var Client;
 var init_client2 = __esm(() => {
   init_protocol();
-  init_types4();
+  init_types3();
   init_ajv_provider();
   init_zod_compat();
   init_client();
@@ -105300,7 +105282,7 @@ function serializeMessage(message) {
 `;
 }
 var init_stdio = __esm(() => {
-  init_types4();
+  init_types3();
 });
 
 // node_modules/@modelcontextprotocol/sdk/dist/esm/client/stdio.js
@@ -107210,7 +107192,7 @@ function getSeverityFromScore(score) {
     return "HIGH";
   return "CRITICAL";
 }
-var init_types5 = () => {};
+var init_types4 = () => {};
 
 // src/lib/cvss/macrovector-scores.ts
 var MACROVECTOR_LOOKUP, METRIC_LEVELS, MAX_SEVERITY, STEP = 0.1, EPSILON;
@@ -107784,7 +107766,7 @@ function getScoreType(metrics) {
 }
 var BASE_METRICS, THREAT_METRICS, ENVIRONMENTAL_METRICS, SUPPLEMENTAL_METRICS;
 var init_calculator = __esm(() => {
-  init_types5();
+  init_types4();
   init_macrovector_scores();
   BASE_METRICS = [
     "AV",
@@ -107821,7 +107803,7 @@ var init_calculator = __esm(() => {
 
 // src/lib/cvss/index.ts
 var init_cvss = __esm(() => {
-  init_types5();
+  init_types4();
   init_calculator();
   init_macrovector_scores();
 });
@@ -107846,8 +107828,7 @@ async function scoreFindingWithCVSS(input, model, authConfig, abortSignal) {
     vectorString: cvssResult.vectorString,
     metrics: cvssResult.metrics,
     scoreType: cvssResult.scoreType,
-    reasoning: assessment.reasoning,
-    cwes: assessment.cwes
+    reasoning: assessment.reasoning
   };
 }
 function truncateField(value, limit) {
@@ -108031,45 +108012,11 @@ var CVSSMetricsOutputSchema, CVSS_SCORER_SYSTEM_PROMPT = `You are a CVSS 4.0 sco
 6. Assess impact on both the vulnerable system AND potential subsequent systems
 7. Since a POC exists and confirmed the vulnerability, E should typically be 'A'
 
-Always provide brief reasoning explaining your key decisions.
-
-## CWE Assignment Guidelines
-
-In addition to CVSS metrics, assign one or more CWE identifiers to the finding. For each CWE, provide a brief reasoning explaining why it applies.
-
-### Common CWE Mappings
-
-| Vulnerability Class | Primary CWE | Related CWEs |
-|---------------------|------------|--------------|
-| SQL Injection | CWE-89 | CWE-564 (Hibernate), CWE-943 (NoSQL) |
-| Cross-Site Scripting (XSS) | CWE-79 | CWE-80 (Basic XSS), CWE-87 (Alt XSS) |
-| Command/OS Injection | CWE-78 | CWE-77 (Command Injection) |
-| Code Injection / RCE | CWE-94 | CWE-95 (Eval Injection), CWE-96 (Static Code Injection) |
-| IDOR / Access Control | CWE-639 | CWE-284 (Improper Access Control), CWE-862 (Missing AuthZ) |
-| SSRF | CWE-918 | — |
-| Path Traversal / LFI | CWE-22 | CWE-23 (Relative Path), CWE-36 (Absolute Path) |
-| XXE | CWE-611 | CWE-776 (Recursive Entity) |
-| SSTI | CWE-1336 | CWE-94 (Code Injection) |
-| CSRF | CWE-352 | — |
-| Deserialization | CWE-502 | — |
-| Open Redirect | CWE-601 | — |
-| Information Disclosure | CWE-200 | CWE-209 (Error Messages), CWE-532 (Log Files) |
-| Authentication Bypass | CWE-287 | CWE-306 (Missing Auth) |
-| Cryptographic Issues | CWE-327 | CWE-328 (Weak Hash), CWE-330 (Insufficient Randomness) |
-
-### CWE Assignment Rules
-
-1. Assign the **most specific applicable CWE(s)** — prefer CWE-89 (SQL Injection) over CWE-74 (generic Injection).
-2. Use the standard \`CWE-<number>\` format (e.g., CWE-89, not "CWE 89" or "89").
-3. Assign **1-3 CWEs** per finding. Multiple CWEs are appropriate when the vulnerability spans categories (e.g., an IDOR that also leaks PII: CWE-639 + CWE-200).
-4. Order CWEs by relevance — the primary weakness first.
-5. When the vulnerability class is provided, use it as a strong hint but verify against the evidence.
-6. For each CWE, provide a specific reasoning explaining why it applies to *this* finding — not a generic definition of the CWE.`, MAX_EVIDENCE_CHARS = 1e4, MAX_DESCRIPTION_CHARS = 3000, MAX_IMPACT_CHARS = 2000;
+Always provide brief reasoning explaining your key decisions.`, MAX_EVIDENCE_CHARS = 1e4, MAX_DESCRIPTION_CHARS = 3000, MAX_IMPACT_CHARS = 2000;
 var init_cvssScorer = __esm(() => {
   init_zod();
   init_ai2();
   init_cvss();
-  init_types2();
   CVSSMetricsOutputSchema = exports_external.object({
     metrics: exports_external.object({
       AV: exports_external.enum(["N", "A", "L", "P"]).describe("Attack Vector: N=Network (remotely exploitable), A=Adjacent network, L=Local access required, P=Physical access required"),
@@ -108085,8 +108032,7 @@ var init_cvssScorer = __esm(() => {
       SA: exports_external.enum(["H", "L", "N"]).describe("Availability Impact on Subsequent Systems: H=High, L=Low, N=None"),
       E: exports_external.enum(["A", "P", "U"]).describe("Exploit Maturity: A=Attacked (working exploit exists), P=POC available, U=Unreported")
     }),
-    reasoning: exports_external.string().describe("Brief explanation (2-3 sentences) of the key factors that influenced the metric choices"),
-    cwes: exports_external.array(CweEntrySchema).describe("CWE classifications for this vulnerability, most specific first")
+    reasoning: exports_external.string().describe("Brief explanation (2-3 sentences) of the key factors that influenced the metric choices")
   });
 });
 
@@ -108111,8 +108057,7 @@ FINDING STRUCTURE:
 - Impact: Business and technical consequences if exploited
 - Evidence: Commands run, responses received, proof of exploitation
 - Remediation: Specific, actionable steps to fix
-- References: CVE, CWE, OWASP, or security advisories
-- Vulnerability Class: The class of vulnerability (e.g., sqli, xss, command-injection) — improves CWE accuracy`,
+- References: CVE, CWE, OWASP, or security advisories`,
     inputSchema: documentVulnerabilityInputSchema,
     execute: async (input) => {
       try {
@@ -108137,8 +108082,7 @@ FINDING STRUCTURE:
               impact: input.impact,
               evidence: evidenceForPrompt,
               endpoint: input.endpoint,
-              remediation: input.remediation,
-              vulnerabilityClass: input.vulnerabilityClass
+              remediation: input.remediation
             },
             agentMessages: []
           }, ctx4.model, ctx4.authConfig, ctx4.abortSignal);
@@ -108171,7 +108115,6 @@ FINDING STRUCTURE:
           sessionId: session.id,
           target: session.targets[0],
           ...evidenceFilePath && { evidenceFile: evidenceFilePath },
-          cwes: cvssResult.cwes,
           cvss: {
             score: cvssResult.score,
             severity: cvssResult.severity,
@@ -108201,10 +108144,6 @@ FINDING STRUCTURE:
 **Score Type:** ${cvssResult.scoreType}
 
 **Reasoning:** ${cvssResult.reasoning}`;
-          const cweSection = cvssResult.cwes?.length ? `## CWE Classification
-
-${cvssResult.cwes.map((cwe) => `- **${cwe.id}** — ${cwe.reasoning}`).join(`
-`)}` : "";
           const evidenceSection = evidenceFilePath ? `## Evidence
 
 \`\`\`
@@ -108236,9 +108175,7 @@ ${finding.impact}
 
 ${cvssSection}
 
-${cweSection ? `${cweSection}
-
-` : ""}${evidenceSection}
+${evidenceSection}
 
 ## POC
 
@@ -108258,8 +108195,7 @@ ${finding.references}` : ""}
 `;
           writeFileSync7(mdPath, markdown);
           const summaryPath = join11(session.rootPath, "findings-summary.md");
-          const cweTag = cvssResult.cwes?.length ? ` (${cvssResult.cwes.map((c) => c.id).join(", ")})` : "";
-          const summaryEntry = `- [${finding.severity}] (CVSS ${cvssResult.score})${cweTag} ${finding.title} - \`findings/${mdFilename}\`
+          const summaryEntry = `- [${finding.severity}] (CVSS ${cvssResult.score}) ${finding.title} - \`findings/${mdFilename}\`
 `;
           try {
             appendFileSync2(summaryPath, summaryEntry);
@@ -108312,7 +108248,6 @@ var init_documentFinding = __esm(() => {
     pocPath: exports_external.string().describe("Relative path to the POC script (e.g., pocs/poc_sqli.sh)"),
     remediation: exports_external.string().describe("Steps to fix the issue"),
     references: exports_external.string().optional().describe("CVE, CWE, or related references"),
-    vulnerabilityClass: exports_external.string().optional().describe("The class of vulnerability (e.g., sqli, xss, command-injection, idor, ssrf, path-traversal, crypto, cve)"),
     toolCallDescription: exports_external.string().describe("A concise, human-readable description of what this tool call is doing (e.g., 'Documenting SQL injection finding')")
   });
   FALLBACK_CVSS = {
@@ -108334,8 +108269,7 @@ var init_documentFinding = __esm(() => {
       E: "A"
     },
     scoreType: "CVSS-BT",
-    reasoning: "CVSS scoring unavailable — using conservative MEDIUM default.",
-    cwes: []
+    reasoning: "CVSS scoring unavailable — using conservative MEDIUM default."
   };
 });
 
@@ -110970,7 +110904,7 @@ For each app you identified, spawn a coding agent with a detailed objective. The
 
 // src/core/agents/specialized/whiteboxAttackSurface/types.ts
 var RiskScoreBreakdownSchema, RiskScoreSchema, EndpointSchema, AppSchema, WhiteboxAttackSurfaceResultSchema;
-var init_types6 = __esm(() => {
+var init_types5 = __esm(() => {
   init_zod();
   RiskScoreBreakdownSchema = exports_external.object({
     exposure: exports_external.number().min(0).max(3).describe("Exposure Level (0-3): 3=Public no auth, 2=Standard user login, 1=Privileged/admin access, 0=Private/internal-only"),
@@ -111044,7 +110978,7 @@ var init_agent2 = __esm(() => {
   init_dist5();
   init_dist5();
   init_offensiveSecurityAgent();
-  init_types6();
+  init_types5();
   WhiteboxAttackSurfaceAgent = class WhiteboxAttackSurfaceAgent extends OffensiveSecurityAgent {
     constructor(opts) {
       const {
@@ -193939,7 +193873,7 @@ function createInitialOperatorState(initialMode = "manual", requireApproval = tr
   };
 }
 var OPERATOR_STAGES, OperatorSettingsObject2;
-var init_types7 = __esm(() => {
+var init_types6 = __esm(() => {
   init_zod();
   OPERATOR_STAGES = {
     setup: {
@@ -194137,11 +194071,11 @@ var init_approvalGate = __esm(() => {
 
 // src/core/operator/stageManager.ts
 var init_stageManager = __esm(() => {
-  init_types7();
+  init_types6();
 });
 // src/core/operator/index.ts
 var init_operator = __esm(() => {
-  init_types7();
+  init_types6();
   init_toolClassifier();
   init_approvalGate();
   init_stageManager();
@@ -194458,7 +194392,7 @@ var BlackboxAttackSurfaceAgent;
 var init_blackboxAgent = __esm(() => {
   init_dist5();
   init_utils2();
-  init_types3();
+  init_types2();
   init_offensiveSecurityAgent();
   BlackboxAttackSurfaceAgent = class BlackboxAttackSurfaceAgent extends OffensiveSecurityAgent {
     constructor(opts) {
@@ -195435,7 +195369,7 @@ When your objective includes structured output, call \`response\` with your fina
 var init_whiteboxAttackSurface = __esm(() => {
   init_zod();
   init_agent3();
-  init_types6();
+  init_types5();
   init_riskScoring();
   AppInfoSchema = exports_external.object({
     name: exports_external.string().describe("Application or service name"),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pensar/apex",
-  "version": "0.0.90-canary.97fbe7e3",
+  "version": "0.0.90",
   "description": "AI-powered penetration testing CLI tool with terminal UI",
   "module": "src/tui/index.tsx",
   "main": "build/index.js",