npm - @pensar/apex - Versions diffs - 1.7.0 → 1.8.0-canary.0d99fc6b - Mend

@pensar/apex 1.7.0 → 1.8.0-canary.0d99fc6b

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (62) hide show

package/build/agent-4r4v67zn.js +21 -0
package/build/agent-7e2fje70.js +23 -0
package/build/agent-w6269xc8.js +202 -0
package/build/apps-j0ttt7aq.js +455 -0
package/build/{auth-wvh553ea.js → auth-1z15wb4n.js} +29 -8
package/build/authentication-6jjg1t5a.js +21 -0
package/build/blackboxAgent-s8w6f6q3.js +21 -0
package/build/{blackboxPentest-rwyjy4kq.js → blackboxPentest-axb8q31y.js} +17 -16
package/build/{cli-zr7sg2m2.js → cli-1t4bfz5p.js} +6 -2
package/build/{cli-0ghkg3w6.js → cli-2sdqzmg5.js} +19345 -19056
package/build/{cli-5m0347h3.js → cli-2sv6r1yn.js} +105 -34
package/build/cli-319h88b8.js +20 -0
package/build/{cli-x3k26g1t.js → cli-3e5y21yf.js} +100727 -105760
package/build/{authentication-ec7trwb4.js → cli-5741e39a.js} +8 -17
package/build/cli-5x18s214.js +19 -0
package/build/cli-7pg2p4df.js +52 -0
package/build/{cli-nqx9y9ds.js → cli-8vt56350.js} +241 -248
package/build/cli-9fsre5pt.js +0 -0
package/build/{cli-rc7hyq7e.js → cli-c1dq3bjq.js} +35459 -33517
package/build/{cli-836bfgxg.js → cli-cjqzxgq1.js} +589 -33
package/build/cli-ekxab87x.js +7235 -0
package/build/{cli-06zt0g1a.js → cli-f5dydcws.js} +6 -4
package/build/cli-gjyeds7x.js +196 -0
package/build/{cli-tp1tqn3k.js → cli-mswm4k81.js} +1 -1
package/build/{cli-xtqm11qt.js → cli-peywcat1.js} +206 -65
package/build/cli-rayda5y4.js +499 -0
package/build/{cli-40ef01tb.js → cli-xgnxtfvg.js} +24 -7
package/build/cli.js +282 -268
package/build/{doctor-8tva8j99.js → doctor-2bkpddws.js} +1 -1
package/build/{fixes-1z283wdz.js → fixes-dzmqth18.js} +22 -4
package/build/{index-5a173a2k.js → index-1t8g503m.js} +17 -105
package/build/index-cnd29sn5.js +183 -0
package/build/{index-j3hw6d4w.js → index-mqda3zkc.js} +23034 -16643
package/build/{index-1p5bg26t.js → index-nhw65p67.js} +8 -11
package/build/index-nkbryzv4.js +45 -0
package/build/{index-py7gtxez.js → index-t6r2s52n.js} +4 -2
package/build/{index-dw1xbhfn.js → index-yvafffn2.js} +161 -26
package/build/{issues-trbzy8n0.js → issues-kxm9dnkf.js} +22 -4
package/build/{logs-c88md0h3.js → logs-ytae940p.js} +22 -4
package/build/{main-3d7dfdvs.js → main-3zneyg7p.js} +93 -17
package/build/{offesecAgent-ahcz5hcx.js → offesecAgent-kthqbs1e.js} +12 -10
package/build/pentest-27z433th.js +30 -0
package/build/{pentests-re8dzxt9.js → pentests-h0ykqd4f.js} +22 -4
package/build/{projects-dqp4m0ws.js → projects-b91c2yaq.js} +22 -4
package/build/{targetedPentest-de8a67va.js → targetedPentest-c2ndcc0w.js} +13 -11
package/build/threatModel-4svjbnwh.js +28 -0
package/build/{uninstall-0bwz7jdn.js → uninstall-vbg4v6q0.js} +6 -4
package/build/{utils-jf52rmrb.js → utils-h3p6pa7c.js} +11 -9
package/package.json +81 -84
package/build/agent-63cc9rpx.js +0 -19
package/build/agent-beywhvf3.js +0 -278
package/build/blackboxAgent-ng2t2p2x.js +0 -19
package/build/cli-03z6pswp.js +0 -1423
package/build/cli-09prdch1.js +0 -1207
package/build/cli-0fy9j5dw.js +0 -61
package/build/cli-gr3zncst.js +0 -645
package/build/cli-q2dty8g4.js +0 -110
package/build/cli-r879p2yz.js +0 -190
package/build/cli-vvyq7ace.js +0 -103
package/build/index-a4ydz3dd.js +0 -32
package/build/pentest-4932ke3a.js +0 -29
package/build/threatModel-waz866yk.js +0 -67

package/build/agent-4r4v67zn.js ADDED Viewed

@@ -0,0 +1,21 @@
+import {
+  CodeAgent
+} from "./cli-1t4bfz5p.js";
+import"./cli-9fsre5pt.js";
+import"./cli-7pg2p4df.js";
+import"./cli-3e5y21yf.js";
+import"./cli-mswm4k81.js";
+import"./cli-8vt56350.js";
+import"./cli-3y0dgy56.js";
+import"./cli-319h88b8.js";
+import"./cli-5x18s214.js";
+import"./cli-c1dq3bjq.js";
+import"./cli-peywcat1.js";
+import"./cli-2sdqzmg5.js";
+import"./cli-gpnb45ck.js";
+import"./cli-xgnxtfvg.js";
+import"./cli-gjyeds7x.js";
+import"./cli-8rxa073f.js";
+export {
+  CodeAgent
+};

package/build/agent-7e2fje70.js ADDED Viewed

@@ -0,0 +1,23 @@
+import {
+  TargetedPentestAgent,
+  buildPentestSystemPrompt
+} from "./cli-2sv6r1yn.js";
+import"./cli-9fsre5pt.js";
+import"./cli-7pg2p4df.js";
+import"./cli-3e5y21yf.js";
+import"./cli-mswm4k81.js";
+import"./cli-8vt56350.js";
+import"./cli-3y0dgy56.js";
+import"./cli-319h88b8.js";
+import"./cli-5x18s214.js";
+import"./cli-c1dq3bjq.js";
+import"./cli-peywcat1.js";
+import"./cli-2sdqzmg5.js";
+import"./cli-gpnb45ck.js";
+import"./cli-xgnxtfvg.js";
+import"./cli-gjyeds7x.js";
+import"./cli-8rxa073f.js";
+export {
+  buildPentestSystemPrompt,
+  TargetedPentestAgent
+};

package/build/agent-w6269xc8.js ADDED Viewed

@@ -0,0 +1,202 @@
+import {
+  OffensiveSecurityAgent
+} from "./cli-3e5y21yf.js";
+import {
+  detectOSAndEnhancePrompt
+} from "./cli-mswm4k81.js";
+import"./cli-8vt56350.js";
+import"./cli-3y0dgy56.js";
+import"./cli-319h88b8.js";
+import"./cli-5x18s214.js";
+import {
+  init_dist,
+  stepCountIs
+} from "./cli-c1dq3bjq.js";
+import"./cli-peywcat1.js";
+import {
+  exports_external1 as exports_external,
+  init_zod
+} from "./cli-2sdqzmg5.js";
+import"./cli-gpnb45ck.js";
+import"./cli-xgnxtfvg.js";
+import"./cli-gjyeds7x.js";
+import"./cli-8rxa073f.js";
+// src/core/agents/specialized/findingJudge/agent.ts
+init_dist();
+// src/core/agents/specialized/findingJudge/prompts.ts
+var MAX_POC_SCRIPT_CHARS = 12000;
+var MAX_OUTPUT_CHARS = 16000;
+var MAX_EVIDENCE_CHARS = 8000;
+var MAX_DESCRIPTION_CHARS = 4000;
+function truncate(value, limit) {
+  if (value.length <= limit)
+    return value;
+  return value.substring(0, limit) + `
+... [truncated]`;
+}
+var FINDING_JUDGE_SYSTEM_PROMPT = `You are a security finding validation specialist running as an agentic verifier inside an automated penetration testing pipeline.
+You are the last line of defense against false positives, hallucinated findings, fabricated evidence, and overstated impact. Your job is to independently verify whether a submitted proof-of-concept and its output support the claimed finding.
+## Operating Rules
+- Use tools before accepting a finding. At minimum, rerun or inspect the PoC with execute_command, compare behavior with http_request, read saved artifacts, or research the relevant technology with web_search/get_page.
+- Stay in scope. Only interact with the target endpoint/host and artifacts from this session.
+- Do not create, edit, delete, or document findings. You only validate and call the response tool.
+- Do not run destructive payloads or broaden exploitation. Verification should be enough to confirm or refute the claim.
+- Distinguish "the PoC exited 0" from "the vulnerability is proven." A successful exit code is only supporting evidence.
+- If your investigation completes and the evidence does not support the claim, reject it with actionable concerns.
+- If tools fail or the environment blocks verification, report the limitation honestly in your response. Infrastructure failure fallback is handled by the caller, not by you.
+- Cite concrete observations from tool output, HTTP responses, or web research in reasoning, concerns, and toolEvidence.
+## Evaluation Criteria
+### Correctness
+- SQL injection: output should show inaccessible data, query errors, or behavioral differences indicating injection success.
+- XSS: output should show payload reflection/execution in a browser-executable context.
+- Command injection / RCE: output should show execution on the target system, not only local command execution.
+- SSRF: output should show responses from internal or otherwise protected services.
+- Path traversal: output should show file contents outside the intended path.
+- IDOR: output should show access to another user's/account's resource while authentication exists.
+- Authentication bypass: output should show protected access without valid credentials.
+- Email/HTML injection: ideally verify delivery and rendering. If only server acceptance is shown, confidence must stay below 0.7 and limitations must state rendering was not independently verified.
+- Missing rate limiting / anti-automation: fewer than 50 requests is insufficient. Evidence must state exact request count, timing/distribution, and observed statuses.
+### Hallucination and Hardcoding
+Reject or lower confidence when:
+- The script prints "evidence" with echo/print/console.log that was never received from the target.
+- The script constructs fake HTTP responses or error messages.
+- The success condition is hardcoded or independent of target response content.
+- The script always exits 0.
+- Evidence text does not match live responses or the claimed endpoint.
+### Severity and Classification
+- Accept as vulnerability when real target interaction demonstrates unintended, exploitable behavior.
+- Accept as informational when the observation is real but low-risk, common default behavior, or plausibly intentional.
+- Accept as expected-behavior when the behavior is clearly by design.
+- Reject when the PoC fabricates evidence, does not demonstrate the claim, or the demonstrated impact fundamentally mismatches the finding.
+## Response Requirements
+Call the response tool exactly once. Include:
+- valid: true only when the finding should be persisted.
+- findingType: vulnerability, informational, or expected-behavior.
+- confidence: calibrated 0.0 to 1.0. Below 0.7 requires concerns.
+- reasoning: concise explanation grounded in concrete observations.
+- concerns: actionable concerns; empty only for valid high-confidence results.
+- verificationSteps: actions you performed.
+- toolEvidence: concrete observations from provided artifacts or tool outputs.
+- reproducedPoc: whether you reran or independently reproduced the PoC.
+- webResearchUsed: whether web research materially informed the judgment.
+- limitations: remaining gaps.`;
+function buildFindingJudgePrompt(input) {
+  const { pocScript, pocType, pocOutput, claim } = input;
+  return `# Finding Validation Request
+## Target
+**Target:** ${input.target || "Unknown"}
+**Claimed Endpoint:** ${claim.endpoint}
+**POC Path:** ${input.pocPath || "Not provided"}
+## Claimed Vulnerability
+**Title:** ${claim.title}
+**Vulnerability Class:** ${claim.vulnerabilityClass || "Unknown"}
+### Description
+${truncate(claim.description, MAX_DESCRIPTION_CHARS)}
+### Claimed Impact
+${truncate(claim.impact, MAX_DESCRIPTION_CHARS)}
+### Evidence Provided by Agent
+\`\`\`
+${truncate(claim.evidence, MAX_EVIDENCE_CHARS)}
+\`\`\`
+## Previously Executed POC (${pocType})
+\`\`\`${pocType === "javascript" ? "js" : pocType === "python" ? "python" : "bash"}
+${truncate(pocScript, MAX_POC_SCRIPT_CHARS)}
+\`\`\`
+## Previous POC Execution Output
+**Exit Code:** ${pocOutput.exitCode}
+### stdout
+\`\`\`
+${truncate(pocOutput.stdout || "(empty)", MAX_OUTPUT_CHARS)}
+\`\`\`
+### stderr
+\`\`\`
+${truncate(pocOutput.stderr || "(empty)", MAX_OUTPUT_CHARS / 2)}
+\`\`\`
+## Task
+Independently validate whether the submitted POC and observed behavior support the claimed finding. Use the available minimal tools to rerun or inspect the POC, compare live target behavior, read saved artifacts, or research public documentation/CVEs as needed.
+Do not document or mutate anything. When done, call response with your structured judgment.`;
+}
+// src/core/agents/specialized/findingJudge/types.ts
+init_zod();
+var FINDING_TYPES = [
+  "vulnerability",
+  "informational",
+  "expected-behavior"
+];
+var FindingJudgeOutputSchema = exports_external.object({
+  valid: exports_external.boolean().describe("Whether the POC legitimately demonstrates the claimed vulnerability"),
+  findingType: exports_external.enum(FINDING_TYPES).describe("Classification: 'vulnerability' for genuine security issues, 'informational' for low-risk observations worth noting, 'expected-behavior' for findings that describe intentional design decisions"),
+  confidence: exports_external.number().min(0).max(1).describe("Confidence in the judgment, a decimal between 0.0 (no confidence) and 1.0 (certain)"),
+  reasoning: exports_external.string().describe("Brief explanation of the key tool observations and analysis that led to this judgment"),
+  concerns: exports_external.array(exports_external.string()).describe("Specific concerns identified. Empty array only when the finding is valid and high-confidence."),
+  verificationSteps: exports_external.array(exports_external.string()).describe("Concrete verification actions performed before deciding."),
+  toolEvidence: exports_external.array(exports_external.string()).describe("Specific observations from tool output or provided artifacts."),
+  reproducedPoc: exports_external.boolean().describe("Whether the judge reran or independently reproduced the POC."),
+  webResearchUsed: exports_external.boolean().describe("Whether web_search/get_page materially informed the judgment."),
+  limitations: exports_external.array(exports_external.string()).describe("Remaining verification gaps or environmental limitations.")
+});
+// src/core/agents/specialized/findingJudge/agent.ts
+var FINDING_JUDGE_ACTIVE_TOOLS = [
+  "execute_command",
+  "http_request",
+  "read_file",
+  "list_files",
+  "grep",
+  "web_search",
+  "get_page",
+  "response"
+];
+class FindingJudgeAgent extends OffensiveSecurityAgent {
+  constructor(opts) {
+    const target = opts.finding.target ?? opts.target ?? opts.session.targets[0];
+    super({
+      system: detectOSAndEnhancePrompt(FINDING_JUDGE_SYSTEM_PROMPT),
+      prompt: buildFindingJudgePrompt({ ...opts.finding, target }),
+      model: opts.model,
+      session: opts.session,
+      target,
+      authConfig: opts.authConfig,
+      abortSignal: opts.abortSignal,
+      eventBus: opts.eventBus,
+      sandbox: opts.sandbox,
+      enableThinking: opts.enableThinking,
+      subagentId: "finding-judge",
+      activeTools: [...FINDING_JUDGE_ACTIVE_TOOLS],
+      responseSchema: FindingJudgeOutputSchema,
+      stopWhen: stepCountIs(60)
+    });
+  }
+}
+export {
+  FindingJudgeAgent
+};