@pensar/apex 0.0.90 → 0.0.91-canary.5fbb4998

package/build/index.js

@@ -31971,7 +31971,7 @@ var package_default2;
 var init_package = __esm(() => {
   package_default2 = {
     name: "@pensar/apex",
-    version: "0.0.90",
+    version: "0.0.91-canary.5fbb4998",
     description: "AI-powered penetration testing CLI tool with terminal UI",
     module: "src/tui/index.tsx",
     main: "build/index.js",
@@ -89342,10 +89342,21 @@ var init_session = __esm(() => {
   };
 });
 
+// src/lib/cwe/types.ts
+var CweEntrySchema;
+var init_types2 = __esm(() => {
+  init_zod();
+  CweEntrySchema = exports_external.object({
+    id: exports_external.string().regex(/^CWE-\d+$/, "Must be CWE-<number> format"),
+    reasoning: exports_external.string().describe("Why this CWE applies to the observed vulnerability")
+  });
+});
+
 // src/core/report/schemas.ts
 var PentestReportFindingSchema, PentestReportSchema, REPORT_VERSION = "1.0";
 var init_schemas3 = __esm(() => {
   init_zod();
+  init_types2();
   PentestReportFindingSchema = exports_external.object({
     title: exports_external.string(),
     severity: exports_external.enum(["CRITICAL", "HIGH", "MEDIUM", "LOW"]),
@@ -89355,7 +89366,8 @@ var init_schemas3 = __esm(() => {
     endpoint: exports_external.string(),
     pocPath: exports_external.string(),
     remediation: exports_external.string(),
-    references: exports_external.string().optional()
+    references: exports_external.string().optional(),
+    cwes: exports_external.array(CweEntrySchema).optional()
   });
   PentestReportSchema = exports_external.object({
     version: exports_external.string().regex(/^1\.\d+$/),
@@ -89469,6 +89481,12 @@ function renderFinding(finding, metadata) {
     finding.evidence,
     "```",
     "",
+    ...finding.cwes?.length ? [
+      "## CWE Classification",
+      "",
+      ...finding.cwes.map((cwe) => `- **${cwe.id}** — ${cwe.reasoning}`),
+      ""
+    ] : [],
     "## POC",
     "",
     `Path: \`${finding.pocPath}\``,
@@ -90220,7 +90238,7 @@ function loadAttackSurfaceResults2(resultsPath) {
   const data = readFileSync6(resultsPath, "utf-8");
   return JSON.parse(data);
 }
-var init_types2 = () => {};
+var init_types3 = () => {};
 
 // src/core/ai/index.ts
 var init_ai2 = __esm(() => {
@@ -90333,7 +90351,7 @@ var init_zod_compat = __esm(() => {
 
 // node_modules/@modelcontextprotocol/sdk/dist/esm/types.js
 var LATEST_PROTOCOL_VERSION = "2025-11-25", SUPPORTED_PROTOCOL_VERSIONS, RELATED_TASK_META_KEY = "io.modelcontextprotocol/related-task", JSONRPC_VERSION = "2.0", AssertObjectSchema, ProgressTokenSchema, CursorSchema, TaskCreationParamsSchema, TaskMetadataSchema, RelatedTaskMetadataSchema, RequestMetaSchema, BaseRequestParamsSchema, TaskAugmentedRequestParamsSchema, isTaskAugmentedRequestParams = (value) => TaskAugmentedRequestParamsSchema.safeParse(value).success, RequestSchema, NotificationsParamsSchema, NotificationSchema, ResultSchema, RequestIdSchema, JSONRPCRequestSchema, isJSONRPCRequest = (value) => JSONRPCRequestSchema.safeParse(value).success, JSONRPCNotificationSchema, isJSONRPCNotification = (value) => JSONRPCNotificationSchema.safeParse(value).success, JSONRPCResultResponseSchema, isJSONRPCResultResponse = (value) => JSONRPCResultResponseSchema.safeParse(value).success, ErrorCode, JSONRPCErrorResponseSchema, isJSONRPCErrorResponse = (value) => JSONRPCErrorResponseSchema.safeParse(value).success, JSONRPCMessageSchema, JSONRPCResponseSchema, EmptyResultSchema, CancelledNotificationParamsSchema, CancelledNotificationSchema, IconSchema, IconsSchema, BaseMetadataSchema, ImplementationSchema, FormElicitationCapabilitySchema, ElicitationCapabilitySchema, ClientTasksCapabilitySchema, ServerTasksCapabilitySchema, ClientCapabilitiesSchema, InitializeRequestParamsSchema, InitializeRequestSchema, ServerCapabilitiesSchema, InitializeResultSchema, InitializedNotificationSchema, PingRequestSchema, ProgressSchema, ProgressNotificationParamsSchema, ProgressNotificationSchema, PaginatedRequestParamsSchema, PaginatedRequestSchema, PaginatedResultSchema, TaskStatusSchema, TaskSchema, CreateTaskResultSchema, TaskStatusNotificationParamsSchema, TaskStatusNotificationSchema, GetTaskRequestSchema, GetTaskResultSchema, GetTaskPayloadRequestSchema, GetTaskPayloadResultSchema, ListTasksRequestSchema, ListTasksResultSchema, CancelTaskRequestSchema, CancelTaskResultSchema, ResourceContentsSchema, TextResourceContentsSchema, Base64Schema, BlobResourceContentsSchema, RoleSchema, AnnotationsSchema, ResourceSchema, ResourceTemplateSchema, ListResourcesRequestSchema, ListResourcesResultSchema, ListResourceTemplatesRequestSchema, ListResourceTemplatesResultSchema, ResourceRequestParamsSchema, ReadResourceRequestParamsSchema, ReadResourceRequestSchema, ReadResourceResultSchema, ResourceListChangedNotificationSchema, SubscribeRequestParamsSchema, SubscribeRequestSchema, UnsubscribeRequestParamsSchema, UnsubscribeRequestSchema, ResourceUpdatedNotificationParamsSchema, ResourceUpdatedNotificationSchema, PromptArgumentSchema, PromptSchema, ListPromptsRequestSchema, ListPromptsResultSchema, GetPromptRequestParamsSchema, GetPromptRequestSchema, TextContentSchema, ImageContentSchema, AudioContentSchema, ToolUseContentSchema, EmbeddedResourceSchema, ResourceLinkSchema, ContentBlockSchema, PromptMessageSchema, GetPromptResultSchema, PromptListChangedNotificationSchema, ToolAnnotationsSchema, ToolExecutionSchema, ToolSchema, ListToolsRequestSchema, ListToolsResultSchema, CallToolResultSchema, CompatibilityCallToolResultSchema, CallToolRequestParamsSchema, CallToolRequestSchema, ToolListChangedNotificationSchema, ListChangedOptionsBaseSchema, LoggingLevelSchema, SetLevelRequestParamsSchema, SetLevelRequestSchema, LoggingMessageNotificationParamsSchema, LoggingMessageNotificationSchema, ModelHintSchema, ModelPreferencesSchema, ToolChoiceSchema, ToolResultContentSchema, SamplingContentSchema, SamplingMessageContentBlockSchema, SamplingMessageSchema, CreateMessageRequestParamsSchema, CreateMessageRequestSchema, CreateMessageResultSchema, CreateMessageResultWithToolsSchema, BooleanSchemaSchema, StringSchemaSchema, NumberSchemaSchema, UntitledSingleSelectEnumSchemaSchema, TitledSingleSelectEnumSchemaSchema, LegacyTitledEnumSchemaSchema, SingleSelectEnumSchemaSchema, UntitledMultiSelectEnumSchemaSchema, TitledMultiSelectEnumSchemaSchema, MultiSelectEnumSchemaSchema, EnumSchemaSchema, PrimitiveSchemaDefinitionSchema, ElicitRequestFormParamsSchema, ElicitRequestURLParamsSchema, ElicitRequestParamsSchema, ElicitRequestSchema, ElicitationCompleteNotificationParamsSchema, ElicitationCompleteNotificationSchema, ElicitResultSchema, ResourceTemplateReferenceSchema, PromptReferenceSchema, CompleteRequestParamsSchema, CompleteRequestSchema, CompleteResultSchema, RootSchema, ListRootsRequestSchema, ListRootsResultSchema, RootsListChangedNotificationSchema, ClientRequestSchema, ClientNotificationSchema, ClientResultSchema, ServerRequestSchema, ServerNotificationSchema, ServerResultSchema, McpError, UrlElicitationRequiredError;
-var init_types3 = __esm(() => {
+var init_types4 = __esm(() => {
   init_v4();
   SUPPORTED_PROTOCOL_VERSIONS = [LATEST_PROTOCOL_VERSION, "2025-06-18", "2025-03-26", "2024-11-05", "2024-10-07"];
   AssertObjectSchema = custom2((v2) => v2 !== null && (typeof v2 === "object" || typeof v2 === "function"));
@@ -92234,7 +92252,7 @@ function mergeCapabilities(base, additional) {
 var DEFAULT_REQUEST_TIMEOUT_MSEC = 60000;
 var init_protocol = __esm(() => {
   init_zod_compat();
-  init_types3();
+  init_types4();
   init_zod_json_schema_compat();
 });
 
@@ -104284,7 +104302,7 @@ class ExperimentalClientTasks {
   }
 }
 var init_client = __esm(() => {
-  init_types3();
+  init_types4();
 });
 
 // node_modules/@modelcontextprotocol/sdk/dist/esm/experimental/tasks/helpers.js
@@ -104367,7 +104385,7 @@ function getSupportedElicitationModes(capabilities) {
 var Client;
 var init_client2 = __esm(() => {
   init_protocol();
-  init_types3();
+  init_types4();
   init_ajv_provider();
   init_zod_compat();
   init_client();
@@ -105282,7 +105300,7 @@ function serializeMessage(message) {
 `;
 }
 var init_stdio = __esm(() => {
-  init_types3();
+  init_types4();
 });
 
 // node_modules/@modelcontextprotocol/sdk/dist/esm/client/stdio.js
@@ -107192,7 +107210,7 @@ function getSeverityFromScore(score) {
     return "HIGH";
   return "CRITICAL";
 }
-var init_types4 = () => {};
+var init_types5 = () => {};
 
 // src/lib/cvss/macrovector-scores.ts
 var MACROVECTOR_LOOKUP, METRIC_LEVELS, MAX_SEVERITY, STEP = 0.1, EPSILON;
@@ -107766,7 +107784,7 @@ function getScoreType(metrics) {
 }
 var BASE_METRICS, THREAT_METRICS, ENVIRONMENTAL_METRICS, SUPPLEMENTAL_METRICS;
 var init_calculator = __esm(() => {
-  init_types4();
+  init_types5();
   init_macrovector_scores();
   BASE_METRICS = [
     "AV",
@@ -107803,7 +107821,7 @@ var init_calculator = __esm(() => {
 
 // src/lib/cvss/index.ts
 var init_cvss = __esm(() => {
-  init_types4();
+  init_types5();
   init_calculator();
   init_macrovector_scores();
 });
@@ -107828,7 +107846,8 @@ async function scoreFindingWithCVSS(input, model, authConfig, abortSignal) {
     vectorString: cvssResult.vectorString,
     metrics: cvssResult.metrics,
     scoreType: cvssResult.scoreType,
-    reasoning: assessment.reasoning
+    reasoning: assessment.reasoning,
+    cwes: assessment.cwes
   };
 }
 function truncateField(value, limit) {
@@ -108012,11 +108031,45 @@ var CVSSMetricsOutputSchema, CVSS_SCORER_SYSTEM_PROMPT = `You are a CVSS 4.0 sco
 6. Assess impact on both the vulnerable system AND potential subsequent systems
 7. Since a POC exists and confirmed the vulnerability, E should typically be 'A'
 
-Always provide brief reasoning explaining your key decisions.`, MAX_EVIDENCE_CHARS = 1e4, MAX_DESCRIPTION_CHARS = 3000, MAX_IMPACT_CHARS = 2000;
+Always provide brief reasoning explaining your key decisions.
+
+## CWE Assignment Guidelines
+
+In addition to CVSS metrics, assign one or more CWE identifiers to the finding. For each CWE, provide a brief reasoning explaining why it applies.
+
+### Common CWE Mappings
+
+| Vulnerability Class | Primary CWE | Related CWEs |
+|---------------------|------------|--------------|
+| SQL Injection | CWE-89 | CWE-564 (Hibernate), CWE-943 (NoSQL) |
+| Cross-Site Scripting (XSS) | CWE-79 | CWE-80 (Basic XSS), CWE-87 (Alt XSS) |
+| Command/OS Injection | CWE-78 | CWE-77 (Command Injection) |
+| Code Injection / RCE | CWE-94 | CWE-95 (Eval Injection), CWE-96 (Static Code Injection) |
+| IDOR / Access Control | CWE-639 | CWE-284 (Improper Access Control), CWE-862 (Missing AuthZ) |
+| SSRF | CWE-918 | — |
+| Path Traversal / LFI | CWE-22 | CWE-23 (Relative Path), CWE-36 (Absolute Path) |
+| XXE | CWE-611 | CWE-776 (Recursive Entity) |
+| SSTI | CWE-1336 | CWE-94 (Code Injection) |
+| CSRF | CWE-352 | — |
+| Deserialization | CWE-502 | — |
+| Open Redirect | CWE-601 | — |
+| Information Disclosure | CWE-200 | CWE-209 (Error Messages), CWE-532 (Log Files) |
+| Authentication Bypass | CWE-287 | CWE-306 (Missing Auth) |
+| Cryptographic Issues | CWE-327 | CWE-328 (Weak Hash), CWE-330 (Insufficient Randomness) |
+
+### CWE Assignment Rules
+
+1. Assign the **most specific applicable CWE(s)** — prefer CWE-89 (SQL Injection) over CWE-74 (generic Injection).
+2. Use the standard \`CWE-<number>\` format (e.g., CWE-89, not "CWE 89" or "89").
+3. Assign **1-3 CWEs** per finding. Multiple CWEs are appropriate when the vulnerability spans categories (e.g., an IDOR that also leaks PII: CWE-639 + CWE-200).
+4. Order CWEs by relevance — the primary weakness first.
+5. When the vulnerability class is provided, use it as a strong hint but verify against the evidence.
+6. For each CWE, provide a specific reasoning explaining why it applies to *this* finding — not a generic definition of the CWE.`, MAX_EVIDENCE_CHARS = 1e4, MAX_DESCRIPTION_CHARS = 3000, MAX_IMPACT_CHARS = 2000;
 var init_cvssScorer = __esm(() => {
   init_zod();
   init_ai2();
   init_cvss();
+  init_types2();
   CVSSMetricsOutputSchema = exports_external.object({
     metrics: exports_external.object({
       AV: exports_external.enum(["N", "A", "L", "P"]).describe("Attack Vector: N=Network (remotely exploitable), A=Adjacent network, L=Local access required, P=Physical access required"),
@@ -108032,7 +108085,8 @@ var init_cvssScorer = __esm(() => {
       SA: exports_external.enum(["H", "L", "N"]).describe("Availability Impact on Subsequent Systems: H=High, L=Low, N=None"),
       E: exports_external.enum(["A", "P", "U"]).describe("Exploit Maturity: A=Attacked (working exploit exists), P=POC available, U=Unreported")
     }),
-    reasoning: exports_external.string().describe("Brief explanation (2-3 sentences) of the key factors that influenced the metric choices")
+    reasoning: exports_external.string().describe("Brief explanation (2-3 sentences) of the key factors that influenced the metric choices"),
+    cwes: exports_external.array(CweEntrySchema).describe("CWE classifications for this vulnerability, most specific first")
   });
 });
 
@@ -108057,7 +108111,8 @@ FINDING STRUCTURE:
 - Impact: Business and technical consequences if exploited
 - Evidence: Commands run, responses received, proof of exploitation
 - Remediation: Specific, actionable steps to fix
-- References: CVE, CWE, OWASP, or security advisories`,
+- References: CVE, CWE, OWASP, or security advisories
+- Vulnerability Class: The class of vulnerability (e.g., sqli, xss, command-injection) — improves CWE accuracy`,
     inputSchema: documentVulnerabilityInputSchema,
     execute: async (input) => {
       try {
@@ -108082,7 +108137,8 @@ FINDING STRUCTURE:
               impact: input.impact,
               evidence: evidenceForPrompt,
               endpoint: input.endpoint,
-              remediation: input.remediation
+              remediation: input.remediation,
+              vulnerabilityClass: input.vulnerabilityClass
             },
             agentMessages: []
           }, ctx4.model, ctx4.authConfig, ctx4.abortSignal);
@@ -108115,6 +108171,7 @@ FINDING STRUCTURE:
           sessionId: session.id,
           target: session.targets[0],
           ...evidenceFilePath && { evidenceFile: evidenceFilePath },
+          cwes: cvssResult.cwes,
           cvss: {
             score: cvssResult.score,
             severity: cvssResult.severity,
@@ -108144,6 +108201,10 @@ FINDING STRUCTURE:
 **Score Type:** ${cvssResult.scoreType}
 
 **Reasoning:** ${cvssResult.reasoning}`;
+          const cweSection = cvssResult.cwes?.length ? `## CWE Classification
+
+${cvssResult.cwes.map((cwe) => `- **${cwe.id}** — ${cwe.reasoning}`).join(`
+`)}` : "";
           const evidenceSection = evidenceFilePath ? `## Evidence
 
 \`\`\`
@@ -108175,7 +108236,9 @@ ${finding.impact}
 
 ${cvssSection}
 
-${evidenceSection}
+${cweSection ? `${cweSection}
+
+` : ""}${evidenceSection}
 
 ## POC
 
@@ -108195,7 +108258,8 @@ ${finding.references}` : ""}
 `;
           writeFileSync7(mdPath, markdown);
           const summaryPath = join11(session.rootPath, "findings-summary.md");
-          const summaryEntry = `- [${finding.severity}] (CVSS ${cvssResult.score}) ${finding.title} - \`findings/${mdFilename}\`
+          const cweTag = cvssResult.cwes?.length ? ` (${cvssResult.cwes.map((c) => c.id).join(", ")})` : "";
+          const summaryEntry = `- [${finding.severity}] (CVSS ${cvssResult.score})${cweTag} ${finding.title} - \`findings/${mdFilename}\`
 `;
           try {
             appendFileSync2(summaryPath, summaryEntry);
@@ -108248,6 +108312,7 @@ var init_documentFinding = __esm(() => {
     pocPath: exports_external.string().describe("Relative path to the POC script (e.g., pocs/poc_sqli.sh)"),
     remediation: exports_external.string().describe("Steps to fix the issue"),
     references: exports_external.string().optional().describe("CVE, CWE, or related references"),
+    vulnerabilityClass: exports_external.string().optional().describe("The class of vulnerability (e.g., sqli, xss, command-injection, idor, ssrf, path-traversal, crypto, cve)"),
     toolCallDescription: exports_external.string().describe("A concise, human-readable description of what this tool call is doing (e.g., 'Documenting SQL injection finding')")
   });
   FALLBACK_CVSS = {
@@ -108269,7 +108334,8 @@ var init_documentFinding = __esm(() => {
       E: "A"
     },
     scoreType: "CVSS-BT",
-    reasoning: "CVSS scoring unavailable — using conservative MEDIUM default."
+    reasoning: "CVSS scoring unavailable — using conservative MEDIUM default.",
+    cwes: []
   };
 });
 
@@ -110904,7 +110970,7 @@ For each app you identified, spawn a coding agent with a detailed objective. The
 
 // src/core/agents/specialized/whiteboxAttackSurface/types.ts
 var RiskScoreBreakdownSchema, RiskScoreSchema, EndpointSchema, AppSchema, WhiteboxAttackSurfaceResultSchema;
-var init_types5 = __esm(() => {
+var init_types6 = __esm(() => {
   init_zod();
   RiskScoreBreakdownSchema = exports_external.object({
     exposure: exports_external.number().min(0).max(3).describe("Exposure Level (0-3): 3=Public no auth, 2=Standard user login, 1=Privileged/admin access, 0=Private/internal-only"),
@@ -110978,7 +111044,7 @@ var init_agent2 = __esm(() => {
   init_dist5();
   init_dist5();
   init_offensiveSecurityAgent();
-  init_types5();
+  init_types6();
   WhiteboxAttackSurfaceAgent = class WhiteboxAttackSurfaceAgent extends OffensiveSecurityAgent {
     constructor(opts) {
       const {
@@ -193873,7 +193939,7 @@ function createInitialOperatorState(initialMode = "manual", requireApproval = tr
   };
 }
 var OPERATOR_STAGES, OperatorSettingsObject2;
-var init_types6 = __esm(() => {
+var init_types7 = __esm(() => {
   init_zod();
   OPERATOR_STAGES = {
     setup: {
@@ -194071,11 +194137,11 @@ var init_approvalGate = __esm(() => {
 
 // src/core/operator/stageManager.ts
 var init_stageManager = __esm(() => {
-  init_types6();
+  init_types7();
 });
 // src/core/operator/index.ts
 var init_operator = __esm(() => {
-  init_types6();
+  init_types7();
   init_toolClassifier();
   init_approvalGate();
   init_stageManager();
@@ -194392,7 +194458,7 @@ var BlackboxAttackSurfaceAgent;
 var init_blackboxAgent = __esm(() => {
   init_dist5();
   init_utils2();
-  init_types2();
+  init_types3();
   init_offensiveSecurityAgent();
   BlackboxAttackSurfaceAgent = class BlackboxAttackSurfaceAgent extends OffensiveSecurityAgent {
     constructor(opts) {
@@ -195369,7 +195435,7 @@ When your objective includes structured output, call \`response\` with your fina
 var init_whiteboxAttackSurface = __esm(() => {
   init_zod();
   init_agent3();
-  init_types5();
+  init_types6();
   init_riskScoring();
   AppInfoSchema = exports_external.object({
     name: exports_external.string().describe("Application or service name"),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pensar/apex",
-  "version": "0.0.90",
+  "version": "0.0.91-canary.5fbb4998",
   "description": "AI-powered penetration testing CLI tool with terminal UI",
   "module": "src/tui/index.tsx",
   "main": "build/index.js",