@pensar/apex 1.0.0 → 1.1.0

package/build/{cli-mxj8tz9b.js → cli-nwcvgx5m.js}

@@ -14,33 +14,33 @@ import {
   updateManifestEntryStatus,
   writeAgentManifest,
   writeExecutionMetrics
-} from "./cli-abkgxjcc.js";
+} from "./cli-06q6sz4x.js";
 import {
   TargetedPentestAgent,
   buildPentestSystemPrompt
-} from "./cli-j4qm285k.js";
+} from "./cli-ch1yfrj1.js";
 import {
   BlackboxAttackSurfaceAgent
-} from "./cli-etrmgpa5.js";
+} from "./cli-gs7zy230.js";
 import {
   createThreatModelPrompt
 } from "./cli-fw5r7pfj.js";
 import {
   CodeAgent
-} from "./cli-awjwsbrz.js";
+} from "./cli-mazg4ajq.js";
 import {
   EndpointSchema
-} from "./cli-ey40xb9a.js";
+} from "./cli-1xdc0keq.js";
 import {
   FindingsRegistry,
   OffensiveSecurityAgent,
   PLAN_MODE_TOOL_NAMES
-} from "./cli-yz3dzpxd.js";
+} from "./cli-tyrzasca.js";
 import {
   exports_external,
   hasToolCall,
   init_zod
-} from "./cli-dfth2beg.js";
+} from "./cli-1tv4x6xh.js";
 
 // src/core/workflows/pentest.ts
 import { existsSync as existsSync3, readdirSync as readdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
@@ -150,6 +150,16 @@ Use this to document each application/service you identify. Persists a JSON reco
 ## document_endpoint
 **This is your primary output tool for endpoints.** Use it to document every endpoint you discover. Each call persists a JSON record to the session's endpoints directory, organized by app.
 
+**HARD RULE — call this tool DIRECTLY, one route at a time.** The moment you have enough information about a route to document it, your very next tool call must be \`document_endpoint\` for that route. Do not defer. Do not batch. Do not collect routes into a list to "process later."
+
+**You MUST NOT, under any circumstances:**
+- Build a manifest, JSON file, list, or array of routes to document later (e.g. \`cat > /tmp/pages.json << EOF [...] EOF\`).
+- Write a shell, Python, or any other script whose purpose is to generate \`document_endpoint\` tool calls.
+- Use a single message to "summarize all the routes I'll document" before documenting them.
+- Stop documentation early because you "have enough" or it's "getting repetitive." If you discovered N routes, you must produce N \`document_endpoint\` calls.
+
+These patterns silently truncate at output-token limits and routes get dropped. The only correct workflow is: discover a route → call \`document_endpoint\` for it → discover the next route → call \`document_endpoint\` for it → ... until every route is documented. Repetition is expected and required.
+
 **CRITICAL — endpoint documentation rules:**
 - **One entry per unique route path.** Do NOT create separate entries for different HTTP methods on the same path. If \`/api/users\` supports GET, POST, and DELETE, that is ONE entry with \`method: ["GET", "POST", "DELETE"]\`.
 - **Use \`method: "PAGE"\`** for web pages and views (non-API routes).
@@ -168,9 +178,9 @@ When your objective includes structured output, call \`response\` with your fina
 1. **Orient first** — list files and read key entry points to understand the structure.
 2. **Ignore submodules** — check for a \`.gitmodules\` file or run \`git submodule status\`. Any directories that are git submodules are external dependencies and must be **completely excluded** from your analysis.
 3. **Search, then read** — use grep to locate what you need, then read the relevant files.
-4. **Document as you go** — call document_app for apps and document_endpoint for every endpoint you discover. Don't batch them up.
+4. **Document each item the instant you discover it** — every \`document_app\` / \`document_endpoint\` call must be made directly, one item per call, immediately after you identify it. Never collect items into a manifest, JSON file, or batch script. If you find yourself thinking "let me list all of these and then document them," stop — that pattern silently drops items when output tokens run out.
 5. **Follow the trail** — trace through imports, function calls, and references to build full understanding.
-6. **Be thorough** — don't stop at the first match. Cover everything relevant to the objective.
+6. **Be thorough** — don't stop at the first match. Cover everything relevant to the objective. Repetitive \`document_endpoint\` calls are expected; do not summarize, deduplicate, or shortcut them.
 `;
 var AppInfoSchema = exports_external.object({
   name: exports_external.string().describe("Application or service name"),
@@ -608,8 +618,20 @@ For each page, call \`document_endpoint\` with:
 - **authRequired**: Whether the page requires authentication
 - **riskLevel**: CRITICAL for admin/auth pages, HIGH for user data, MEDIUM for general, LOW for static/public
 
-Be thorough — examine every route file, every page directory, every template **within \`${appInfo.location}\`**.
-When finished, call \`response\` with a summary of how many pages you documented.`;
+### Required workflow — NO MANIFESTS, NO BATCHING
+**You MUST call \`document_endpoint\` directly, one page at a time, the moment you identify a route.** It is a hard error to:
+- Build a JSON file, array, or list of pages-to-document and then "process" it (e.g. \`cat > /tmp/pages.json << EOF [...] EOF\`).
+- Write a Python or shell script that emits \`document_endpoint\` calls.
+- Defer documentation until "the end" or until "you have the full picture."
+- Stop early because the calls feel repetitive or because you've documented "the important ones."
+
+These patterns hit per-message output-token limits and silently drop pages — usually the alphabetically-later ones. The only correct loop is: identify route → call \`document_endpoint\` → identify next route → call \`document_endpoint\` → ...
+
+You may use \`list_files\`, \`grep\`, or \`execute_command\` (e.g. \`find ... -name page.tsx\`) to **enumerate** the routes that exist. That enumeration step is fine and encouraged. What is not allowed is using a script to **emit the documentation calls themselves** — those must come directly from you, one tool call per route.
+
+Be thorough — examine every route file, every page directory, every template **within \`${appInfo.location}\`**. Every page surfaced by your enumeration must result in its own \`document_endpoint\` call. Repetitive calls are expected; do not summarize, deduplicate to "interesting" routes, or skip any.
+
+When finished, call \`response\` with a summary of how many pages you documented. The reported count must equal the number of successful \`document_endpoint\` calls you made.`;
 }
 function buildApiEndpointsDiscoveryObjective(codebasePath, appInfo) {
   return `# Find All API Endpoints in ${appInfo.name}
@@ -657,8 +679,20 @@ For each **unique route path**, call \`document_endpoint\` with:
 
 **IMPORTANT — Method consolidation for document_endpoint:** When using the \`document_endpoint\` tool, do NOT create separate entries for different HTTP methods on the same route path. For example, if \`/api/users\` supports GET, POST, and DELETE, document it as ONE entry with \`method: ["GET", "POST", "DELETE"]\` and include pentest objectives covering all methods.
 
-Be thorough — trace through all route registrations, middleware chains, and controller files **within \`${appInfo.location}\`**.
-When finished, call \`response\` with a summary of how many endpoints you documented.`;
+### Required workflow — NO MANIFESTS, NO BATCHING
+**You MUST call \`document_endpoint\` directly, one route at a time, the moment you identify it.** It is a hard error to:
+- Build a JSON file, array, or list of endpoints-to-document and then "process" it (e.g. \`cat > /tmp/endpoints.json << EOF [...] EOF\`).
+- Write a Python or shell script that emits \`document_endpoint\` calls.
+- Defer documentation until you've "mapped everything out."
+- Stop early because the calls feel repetitive or because you've covered "the important ones."
+
+These patterns hit per-message output-token limits and silently drop endpoints — usually the alphabetically-later ones. The only correct loop is: identify route → call \`document_endpoint\` → identify next route → call \`document_endpoint\` → ...
+
+You may use \`list_files\`, \`grep\`, or \`execute_command\` to **enumerate** routes (e.g. extracting all route registrations into a list to read). That enumeration step is fine. What is not allowed is using a script to **emit the documentation calls themselves** — those must come directly from you, one tool call per unique route path.
+
+Be thorough — trace through all route registrations, middleware chains, and controller files **within \`${appInfo.location}\`**. Every unique route path your enumeration surfaces must result in its own \`document_endpoint\` call.
+
+When finished, call \`response\` with a summary of how many endpoints you documented. The reported count must equal the number of successful \`document_endpoint\` calls you made.`;
 }
 function buildCloudResourceEndpointsObjective(codebasePath, appInfo, environments) {
   const envNote = environments?.length ? `
@@ -717,7 +751,10 @@ For each entry point, call \`document_endpoint\` with:
 - **authRequired**: Whether external access requires authentication
 - **riskLevel**: CRITICAL for publicly accessible storage with write access or sensitive data, HIGH for resources with broad IAM permissions, MEDIUM for internal resources, LOW for read-only public assets
 
-When finished, call \`response\` with a summary of how many entry points you documented.`;
+### Required workflow — NO MANIFESTS, NO BATCHING
+**You MUST call \`document_endpoint\` directly, one entry point at a time, the moment you identify it.** Do not build a JSON file or list of entry points to "process later," and do not write a script that emits \`document_endpoint\` calls. Those patterns hit per-message output-token limits and silently drop entries. The only correct loop is: identify entry point → call \`document_endpoint\` → identify next → call \`document_endpoint\` → ...
+
+When finished, call \`response\` with a summary of how many entry points you documented. The reported count must equal the number of successful \`document_endpoint\` calls you made.`;
 }
 
 // src/core/agents/specialized/pentest/planPrompt.ts

package/build/{cli-r4jzb7aj.js → cli-st6vsbzv.js}

@@ -3,7 +3,7 @@ import { spawnSync } from "child_process";
 // package.json
 var package_default = {
   name: "@pensar/apex",
-  version: "1.0.0",
+  version: "1.1.0",
   description: "AI-powered penetration testing CLI tool with terminal UI",
   module: "src/tui/index.tsx",
   main: "build/cli.js",
@@ -18,6 +18,7 @@ var package_default = {
   files: [
     "build",
     "bin",
+    "assets",
     "pensar.svg",
     "LICENSE"
   ],

package/build/{cli-qvq41y3z.js → cli-t1nkahx2.js}

@@ -3,7 +3,7 @@ import {
   ensureValidToken,
   getPensarApiUrl,
   getPensarGatewayUrl
-} from "./cli-qcsv2e9h.js";
+} from "./cli-5xfjvm8j.js";
 
 // src/core/auth/signing.ts
 import { createHmac, createHash, randomUUID } from "crypto";

package/build/cli-tp1tqn3k.js

@@ -0,0 +1,184 @@
+// src/core/agents/specialized/utils.ts
+import { readFileSync as readFileSync2, existsSync as existsSync2 } from "fs";
+import { execSync } from "child_process";
+
+// src/core/assets/wordlists.ts
+import { existsSync, readFileSync, statSync } from "fs";
+import { dirname, join, resolve } from "path";
+import { fileURLToPath } from "url";
+var RELATIVE = {
+  tiny: "assets/wordlists/tiny.txt",
+  common: "assets/wordlists/common.txt",
+  large: "assets/wordlists/large.txt"
+};
+var cached;
+function findPackageRoot(start) {
+  let dir = start;
+  while (true) {
+    const pkgPath = join(dir, "package.json");
+    if (existsSync(pkgPath)) {
+      try {
+        const pkg = JSON.parse(readFileSync(pkgPath, "utf8"));
+        if (pkg.name === "@pensar/apex" && existsSync(join(dir, "assets", "wordlists"))) {
+          return dir;
+        }
+      } catch {}
+    }
+    const parent = dirname(dir);
+    if (parent === dir)
+      return null;
+    dir = parent;
+  }
+}
+function getBundledWordlists() {
+  if (cached !== undefined)
+    return cached;
+  const here = dirname(fileURLToPath(import.meta.url));
+  const root = findPackageRoot(here);
+  if (root === null) {
+    cached = null;
+    return cached;
+  }
+  const paths = {
+    tiny: resolve(root, RELATIVE.tiny),
+    common: resolve(root, RELATIVE.common),
+    large: resolve(root, RELATIVE.large)
+  };
+  for (const p of Object.values(paths)) {
+    if (!existsSync(p) || statSync(p).size === 0) {
+      cached = null;
+      return cached;
+    }
+  }
+  cached = paths;
+  return cached;
+}
+
+// src/core/agents/specialized/utils.ts
+function readOsRelease() {
+  try {
+    const content = readFileSync2("/etc/os-release", "utf8");
+    const lines = content.split(/\r?\n/);
+    const map = {};
+    for (const line of lines) {
+      const idx = line.indexOf("=");
+      if (idx === -1)
+        continue;
+      const key = line.slice(0, idx);
+      let value = line.slice(idx + 1);
+      if (value.startsWith('"') && value.endsWith('"')) {
+        value = value.slice(1, -1);
+      }
+      map[key] = value;
+    }
+    return map;
+  } catch {
+    return {};
+  }
+}
+function detectDocker() {
+  try {
+    if (existsSync2("/.dockerenv"))
+      return true;
+  } catch {}
+  try {
+    const cgroup = readFileSync2("/proc/1/cgroup", "utf8");
+    if (/docker|containerd|kubepods/i.test(cgroup))
+      return true;
+  } catch {}
+  return false;
+}
+function toolExists(commandName) {
+  try {
+    execSync(`command -v ${commandName} >/dev/null 2>&1`, {
+      stdio: "ignore",
+      shell: "/bin/bash"
+    });
+    return true;
+  } catch {
+    try {
+      execSync(`which ${commandName} >/dev/null 2>&1`, {
+        stdio: "ignore",
+        shell: "/bin/bash"
+      });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+}
+function detectEnvironment() {
+  const osRelease = readOsRelease();
+  const prettyName = osRelease["PRETTY_NAME"];
+  const id = osRelease["ID"]?.toLowerCase();
+  const idLike = osRelease["ID_LIKE"];
+  const isKali = Boolean(id && /kali/.test(id) || prettyName && /kali/i.test(prettyName));
+  const isDocker = detectDocker();
+  const toolsToCheck = [
+    "nmap",
+    "gobuster",
+    "sqlmap",
+    "nikto",
+    "hydra",
+    "john",
+    "hashcat",
+    "tcpdump",
+    "tshark",
+    "nc",
+    "socat",
+    "curl",
+    "wget",
+    "git"
+  ];
+  const availableTools = [];
+  const missingTools = [];
+  for (const tool of toolsToCheck) {
+    (toolExists(tool) ? availableTools : missingTools).push(tool);
+  }
+  return { isDocker, isKali, prettyName, idLike, availableTools, missingTools };
+}
+function buildBundledAssetsBlock() {
+  const wordlists = getBundledWordlists();
+  if (wordlists === null)
+    return null;
+  return `[BUNDLED ASSETS]
+This block is your authoritative inventory of wordlist assets shipped with the CLI. When the user asks what wordlists / assets / capabilities you have, answer directly from the entries below — do NOT probe the filesystem (\`ls /usr/share/wordlists\`, \`which gobuster\`, \`find / -name wordlists\`, etc.). Those paths are not where these live; the inventory is here.
+
+TINY_WORDLIST=${wordlists.tiny} (~200 entries — smoke checks / time-pressured runs)
+DEFAULT_WORDLIST=${wordlists.common} (~4.7k entries — normal recon, the default)
+LARGE_WORDLIST=${wordlists.large} (~30k entries — escalation only)
+
+These paths can be passed as \`-w\` arguments to gobuster/ffuf/dirb/wfuzz/dirsearch, OR iterated line-by-line in shell loops and \`http_request\` scripts. Their presence is NOT a reason to run a wordlist-based tool; choose techniques based on the task.
+
+If you do invoke a wordlist-based tool: default to DEFAULT_WORDLIST. Use TINY only under explicit time pressure or for a first-pass smoke probe. Use LARGE only after DEFAULT finishes and the target still looks under-mapped, or when the user explicitly asked for a deeper scan. Do NOT chain tiers automatically. Do NOT assume /usr/share/wordlists/* exists — it is missing on macOS, Alpine, most Docker images, and CI.
+[/BUNDLED ASSETS]`;
+}
+function detectOSAndEnhancePrompt(prompt) {
+  try {
+    const env = detectEnvironment();
+    const lines = [];
+    lines.push("[ENV CONTEXT]");
+    lines.push(`OS: ${env.prettyName ?? process.platform} | InDocker: ${env.isDocker ? "yes" : "no"} | Kali: ${env.isKali ? "yes" : "no"}`);
+    if (env.availableTools.length > 0) {
+      lines.push(`Tools available: ${env.availableTools.sort().join(", ")}`);
+    }
+    if (env.missingTools.length > 0) {
+      lines.push(`Tools missing: ${env.missingTools.sort().join(", ")}`);
+    }
+    lines.push("[/ENV CONTEXT]");
+    const bundledAssetsBlock = buildBundledAssetsBlock();
+    if (bundledAssetsBlock !== null) {
+      lines.push("");
+      lines.push(bundledAssetsBlock);
+    }
+    lines.push("");
+    return `${lines.join(`
+`)}
+${prompt}`;
+  } catch (error) {
+    console.error("Error detecting environment:", error);
+    return prompt;
+  }
+}
+
+export { toolExists, detectOSAndEnhancePrompt };