@pensar/apex 1.7.0 → 1.8.0-canary.12d8c6ce

Files changed (46) hide show
  1. package/build/agent-296395pk.js +138 -0
  2. package/build/agent-d7ykbm5k.js +19 -0
  3. package/build/{auth-wvh553ea.js → auth-7jbyp815.js} +4 -4
  4. package/build/{authentication-ec7trwb4.js → authentication-ye7mrmzt.js} +8 -8
  5. package/build/blackboxAgent-d5skf3w1.js +19 -0
  6. package/build/{blackboxPentest-rwyjy4kq.js → blackboxPentest-e5xyh6mv.js} +14 -14
  7. package/build/{cli-zr7sg2m2.js → cli-12z0rn8s.js} +2 -2
  8. package/build/{cli-06zt0g1a.js → cli-4h5g3581.js} +2 -2
  9. package/build/{cli-vvyq7ace.js → cli-5gppgkrv.js} +1 -1
  10. package/build/{cli-xtqm11qt.js → cli-7b1zxzm1.js} +1 -1
  11. package/build/{cli-q2dty8g4.js → cli-7ftzn306.js} +1 -1
  12. package/build/{cli-5m0347h3.js → cli-c9qmk6g9.js} +1 -1
  13. package/build/{cli-r879p2yz.js → cli-d9865q9t.js} +2 -1
  14. package/build/{cli-x3k26g1t.js → cli-g82bk3cj.js} +299 -182
  15. package/build/{cli-03z6pswp.js → cli-hjc1pbs8.js} +64 -1
  16. package/build/{cli-nqx9y9ds.js → cli-k9mz32aa.js} +1 -1
  17. package/build/{cli-40ef01tb.js → cli-kjhfp9qw.js} +10 -1
  18. package/build/cli-mk4mytk7.js +6559 -0
  19. package/build/cli-rs7t70an.js +377 -0
  20. package/build/{cli-rc7hyq7e.js → cli-tkqzmbr6.js} +383 -67
  21. package/build/{cli-gr3zncst.js → cli-xf0wpcaa.js} +1 -1
  22. package/build/{cli-836bfgxg.js → cli-z310fkzd.js} +1 -1
  23. package/build/cli.js +54 -43
  24. package/build/{fixes-1z283wdz.js → fixes-67dkcyvw.js} +4 -4
  25. package/build/{index-j3hw6d4w.js → index-aw21pvv6.js} +135 -107
  26. package/build/{index-py7gtxez.js → index-ay4qrkda.js} +2 -2
  27. package/build/{index-5a173a2k.js → index-c7tsfq3c.js} +7 -7
  28. package/build/{index-1p5bg26t.js → index-t4zc82cr.js} +4 -4
  29. package/build/{index-a4ydz3dd.js → index-z1g9fdnn.js} +8 -8
  30. package/build/{issues-trbzy8n0.js → issues-7rr0e8ep.js} +4 -4
  31. package/build/{logs-c88md0h3.js → logs-vmyf1202.js} +4 -4
  32. package/build/{offesecAgent-ahcz5hcx.js → offesecAgent-x8dgamy8.js} +8 -8
  33. package/build/pentest-cgyq3thw.js +29 -0
  34. package/build/{pentests-re8dzxt9.js → pentests-rv941srb.js} +4 -4
  35. package/build/{projects-dqp4m0ws.js → projects-9n0k2dja.js} +4 -4
  36. package/build/{targetedPentest-de8a67va.js → targetedPentest-zhgdgkf6.js} +9 -9
  37. package/build/{threatModel-waz866yk.js → threatModel-wsa8mvvj.js} +9 -9
  38. package/build/{uninstall-0bwz7jdn.js → uninstall-25tshq5q.js} +1 -1
  39. package/build/{utils-jf52rmrb.js → utils-418twev8.js} +1 -1
  40. package/package.json +2 -1
  41. package/build/agent-63cc9rpx.js +0 -19
  42. package/build/agent-beywhvf3.js +0 -278
  43. package/build/blackboxAgent-ng2t2p2x.js +0 -19
  44. package/build/cli-09prdch1.js +0 -1207
  45. package/build/cli-0fy9j5dw.js +0 -61
  46. package/build/pentest-4932ke3a.js +0 -29
@@ -0,0 +1,138 @@
1
+ import {
2
+ WHITEBOX_ATTACK_SURFACE_SYSTEM_PROMPT,
3
+ WhiteboxAttackSurfaceResultSchema
4
+ } from "./cli-rs7t70an.js";
5
+ import {
6
+ OffensiveSecurityAgent
7
+ } from "./cli-g82bk3cj.js";
8
+ import"./cli-tp1tqn3k.js";
9
+ import"./cli-k9mz32aa.js";
10
+ import"./cli-3y0dgy56.js";
11
+ import {
12
+ hasToolCall
13
+ } from "./cli-tkqzmbr6.js";
14
+ import {
15
+ tool
16
+ } from "./cli-0ghkg3w6.js";
17
+ import"./cli-7b1zxzm1.js";
18
+ import"./cli-7ftzn306.js";
19
+ import"./cli-gpnb45ck.js";
20
+ import"./cli-kjhfp9qw.js";
21
+ import"./cli-d9865q9t.js";
22
+ import"./cli-hjc1pbs8.js";
23
+ import"./cli-8rxa073f.js";
24
+
25
+ // src/core/agents/specialized/whiteboxAttackSurface/agent.ts
26
+ class WhiteboxAttackSurfaceAgent extends OffensiveSecurityAgent {
27
+ constructor(opts) {
28
+ const {
29
+ model,
30
+ codebasePath,
31
+ session,
32
+ authConfig,
33
+ onStepFinish,
34
+ abortSignal,
35
+ eventBus,
36
+ subagentId,
37
+ attackSurfaceRegistry,
38
+ domains,
39
+ enableThinking
40
+ } = opts;
41
+ let capturedResult = null;
42
+ const submitResultsTool = tool({
43
+ description: `Submit the final whitebox attack surface analysis results.
44
+
45
+ Call this ONCE at the end with your complete structured findings.
46
+ This ends the agent run — make sure all data is included.`,
47
+ inputSchema: WhiteboxAttackSurfaceResultSchema,
48
+ execute: async (results) => {
49
+ capturedResult = results;
50
+ return { success: true, message: "Results submitted." };
51
+ }
52
+ });
53
+ super({
54
+ system: WHITEBOX_ATTACK_SURFACE_SYSTEM_PROMPT,
55
+ prompt: buildPrompt(codebasePath, domains, session.config?.prompt),
56
+ model,
57
+ session,
58
+ authConfig,
59
+ onStepFinish,
60
+ abortSignal,
61
+ eventBus,
62
+ subagentId,
63
+ attackSurfaceRegistry,
64
+ enableThinking,
65
+ activeTools: [
66
+ "read_file",
67
+ "list_files",
68
+ "grep",
69
+ "document_app",
70
+ "document_endpoint",
71
+ "spawn_coding_agent",
72
+ "submit_results"
73
+ ],
74
+ extraTools: {
75
+ submit_results: submitResultsTool
76
+ },
77
+ stopWhen: hasToolCall("submit_results"),
78
+ resolveResult: () => {
79
+ if (capturedResult) {
80
+ return capturedResult;
81
+ }
82
+ return {
83
+ repoType: "unknown",
84
+ packageManager: "unknown",
85
+ apps: [],
86
+ summary: {
87
+ totalApps: 0,
88
+ totalPages: 0,
89
+ totalApiEndpoints: 0,
90
+ totalPentestObjectives: 0
91
+ }
92
+ };
93
+ }
94
+ });
95
+ }
96
+ }
97
+ function buildPrompt(codebasePath, domains, operatorPrompt) {
98
+ const domainSection = domains?.length ? `
99
+ ## Known Domains
100
+ The following domains are **hints for association only** — they are known to be operated by the target and should be set on the \`domain\` field of \`document_app\` when you can determine which domain serves a given app.
101
+
102
+ **IMPORTANT — these domains DO NOT define the scope of discovery:**
103
+ - Discover and document **every** app/service/cloud resource defined in the codebase, regardless of whether it maps to one of these domains.
104
+ - Apps with no known public domain (internal services, background workers, staging-only apps, functions, admin tools, etc.) MUST still be documented. Leave \`domain\` unset or use the canonical resource URL for cloud resources.
105
+ - Do NOT filter out apps, endpoints, subdomains, or cloud resources because they don't appear to belong to one of these domains.
106
+ - Do NOT skip directories, packages, or services because they "look unrelated" to the listed domains.
107
+
108
+ Known domains:
109
+ ${domains.map((d) => `- ${d}`).join(`
110
+ `)}
111
+ ` : "";
112
+ const operatorGuidanceBlock = operatorPrompt ? `
113
+ ## Operator Guidance
114
+ ${operatorPrompt}
115
+ ` : "";
116
+ return `# Whitebox Attack Surface Analysis
117
+
118
+ ## Codebase
119
+ - **Path:** ${codebasePath}
120
+ ${domainSection}${operatorGuidanceBlock}
121
+ ## Task
122
+ Analyze this codebase and produce a complete attack surface map:
123
+ 1. Identify the repo type and package manager
124
+ 2. Discover all apps/services
125
+ 3. Discover cloud resources and external infrastructure referenced in the code (S3 buckets, cloud storage, CDN origins, etc.) — document these as apps with the appropriate type
126
+ 4. For each app, find all web pages and API endpoints
127
+ 5. For each endpoint, generate pentest objectives
128
+ 6. **Before submitting**, perform the Phase 3 coverage double-check from the system prompt — re-scan workspace roots, framework configs, Dockerfiles, IaC, and CI/deploy configs for apps you may have missed on the first pass, and document any that were missed.
129
+
130
+ Use \`spawn_coding_agent\` to delegate app-level analysis for higher fidelity.
131
+
132
+ When finished, call \`submit_results\` with the complete structured output. Do NOT call \`submit_results\` until you have explicitly completed the coverage double-check.
133
+
134
+ Begin now.`;
135
+ }
136
+ export {
137
+ WhiteboxAttackSurfaceAgent
138
+ };
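Review bot: The `resolveResult` fallback returns a zeroed map (`repoType: "unknown"`, `apps: []`, every total 0) whenever no `submit_results` call was captured, so a run that ended early (presumably via the `abortSignal` passed to `super`, or a failure) looks the same as a codebase with no attack surface. In a security tool that is a silent false negative, so the fallback should be visible to the caller, for example by logging or raising before the placeholder is returned, and should at least carry a comment such as `// placeholder: submit_results was never called; not a "no findings" result`. Whether the schema allows an explicit "incomplete" marker cannot be told from this file, because `WhiteboxAttackSurfaceResultSchema` is imported from `./cli-rs7t70an.js`. Separately, `buildPrompt` interpolates each `domains` entry and `operatorPrompt` verbatim into the markdown prompt, so if either can come from anything other than the operator, a value containing newlines or headings would be read as prompt structure. Validating the domain strings before the `domains.map(...)` call would prevent that.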
@@ -0,0 +1,19 @@
1
+ import {
2
+ CodeAgent
3
+ } from "./cli-12z0rn8s.js";
4
+ import"./cli-g82bk3cj.js";
5
+ import"./cli-tp1tqn3k.js";
6
+ import"./cli-k9mz32aa.js";
7
+ import"./cli-3y0dgy56.js";
8
+ import"./cli-tkqzmbr6.js";
9
+ import"./cli-0ghkg3w6.js";
10
+ import"./cli-7b1zxzm1.js";
11
+ import"./cli-7ftzn306.js";
12
+ import"./cli-gpnb45ck.js";
13
+ import"./cli-kjhfp9qw.js";
14
+ import"./cli-d9865q9t.js";
15
+ import"./cli-hjc1pbs8.js";
16
+ import"./cli-8rxa073f.js";
17
+ export {
18
+ CodeAgent
19
+ };
@@ -8,14 +8,14 @@ import {
8
8
  pollWorkOSToken,
9
9
  selectWorkspace,
10
10
  startDeviceFlow
11
- } from "./cli-xtqm11qt.js";
11
+ } from "./cli-7b1zxzm1.js";
12
12
  import {
13
13
  config,
14
14
  getPensarApiUrl,
15
15
  getPensarConsoleUrl
16
- } from "./cli-q2dty8g4.js";
17
- import"./cli-40ef01tb.js";
18
- import"./cli-r879p2yz.js";
16
+ } from "./cli-7ftzn306.js";
17
+ import"./cli-kjhfp9qw.js";
18
+ import"./cli-d9865q9t.js";
19
19
  import {
20
20
  __require
21
21
  } from "./cli-8rxa073f.js";
@@ -1,21 +1,21 @@
1
1
  import {
2
2
  OffensiveSecurityAgent
3
- } from "./cli-x3k26g1t.js";
3
+ } from "./cli-g82bk3cj.js";
4
4
  import {
5
5
  detectOSAndEnhancePrompt
6
6
  } from "./cli-tp1tqn3k.js";
7
- import"./cli-nqx9y9ds.js";
7
+ import"./cli-k9mz32aa.js";
8
8
  import"./cli-3y0dgy56.js";
9
9
  import {
10
10
  hasToolCall
11
- } from "./cli-rc7hyq7e.js";
11
+ } from "./cli-tkqzmbr6.js";
12
12
  import"./cli-0ghkg3w6.js";
13
- import"./cli-xtqm11qt.js";
14
- import"./cli-q2dty8g4.js";
13
+ import"./cli-7b1zxzm1.js";
14
+ import"./cli-7ftzn306.js";
15
15
  import"./cli-gpnb45ck.js";
16
- import"./cli-40ef01tb.js";
17
- import"./cli-r879p2yz.js";
18
- import"./cli-03z6pswp.js";
16
+ import"./cli-kjhfp9qw.js";
17
+ import"./cli-d9865q9t.js";
18
+ import"./cli-hjc1pbs8.js";
19
19
  import"./cli-8rxa073f.js";
20
20
 
21
21
  // src/core/agents/specialized/authenticationAgent/agent.ts
@@ -0,0 +1,19 @@
1
+ import {
2
+ BlackboxAttackSurfaceAgent
3
+ } from "./cli-4h5g3581.js";
4
+ import"./cli-g82bk3cj.js";
5
+ import"./cli-tp1tqn3k.js";
6
+ import"./cli-k9mz32aa.js";
7
+ import"./cli-3y0dgy56.js";
8
+ import"./cli-tkqzmbr6.js";
9
+ import"./cli-0ghkg3w6.js";
10
+ import"./cli-7b1zxzm1.js";
11
+ import"./cli-7ftzn306.js";
12
+ import"./cli-gpnb45ck.js";
13
+ import"./cli-kjhfp9qw.js";
14
+ import"./cli-d9865q9t.js";
15
+ import"./cli-hjc1pbs8.js";
16
+ import"./cli-8rxa073f.js";
17
+ export {
18
+ BlackboxAttackSurfaceAgent
19
+ };
@@ -1,24 +1,24 @@
1
1
  import {
2
2
  runPentestWorkflow
3
- } from "./cli-09prdch1.js";
4
- import"./cli-gr3zncst.js";
5
- import"./cli-5m0347h3.js";
6
- import"./cli-0fy9j5dw.js";
7
- import"./cli-06zt0g1a.js";
3
+ } from "./cli-mk4mytk7.js";
4
+ import"./cli-xf0wpcaa.js";
5
+ import"./cli-c9qmk6g9.js";
6
+ import"./cli-rs7t70an.js";
7
+ import"./cli-4h5g3581.js";
8
8
  import"./cli-fw5r7pfj.js";
9
- import"./cli-zr7sg2m2.js";
10
- import"./cli-x3k26g1t.js";
9
+ import"./cli-12z0rn8s.js";
10
+ import"./cli-g82bk3cj.js";
11
11
  import"./cli-tp1tqn3k.js";
12
- import"./cli-nqx9y9ds.js";
12
+ import"./cli-k9mz32aa.js";
13
13
  import"./cli-3y0dgy56.js";
14
- import"./cli-rc7hyq7e.js";
14
+ import"./cli-tkqzmbr6.js";
15
15
  import"./cli-0ghkg3w6.js";
16
- import"./cli-xtqm11qt.js";
17
- import"./cli-q2dty8g4.js";
16
+ import"./cli-7b1zxzm1.js";
17
+ import"./cli-7ftzn306.js";
18
18
  import"./cli-gpnb45ck.js";
19
- import"./cli-40ef01tb.js";
20
- import"./cli-r879p2yz.js";
21
- import"./cli-03z6pswp.js";
19
+ import"./cli-kjhfp9qw.js";
20
+ import"./cli-d9865q9t.js";
21
+ import"./cli-hjc1pbs8.js";
22
22
  import"./cli-8rxa073f.js";
23
23
 
24
24
  // src/core/api/blackboxPentest.ts
@@ -1,9 +1,9 @@
1
1
  import {
2
2
  OffensiveSecurityAgent
3
- } from "./cli-x3k26g1t.js";
3
+ } from "./cli-g82bk3cj.js";
4
4
  import {
5
5
  stepCountIs
6
- } from "./cli-rc7hyq7e.js";
6
+ } from "./cli-tkqzmbr6.js";
7
7
 
8
8
  // src/core/agents/specialized/codeAgent/prompts.ts
9
9
  var CODE_AGENT_SYSTEM_PROMPT = `You are an expert coding agent with direct filesystem access. You will be given a specific objective — focus exclusively on completing it.
@@ -1,13 +1,13 @@
1
1
  import {
2
2
  OffensiveSecurityAgent
3
- } from "./cli-x3k26g1t.js";
3
+ } from "./cli-g82bk3cj.js";
4
4
  import {
5
5
  detectOSAndEnhancePrompt
6
6
  } from "./cli-tp1tqn3k.js";
7
7
  import {
8
8
  hasToolCall,
9
9
  stepCountIs
10
- } from "./cli-rc7hyq7e.js";
10
+ } from "./cli-tkqzmbr6.js";
11
11
 
12
12
  // src/core/agents/specialized/attackSurface/blackboxAgent.ts
13
13
  import { join } from "path";
@@ -2,7 +2,7 @@ import {
2
2
  config,
3
3
  ensureValidToken,
4
4
  getPensarApiUrl
5
- } from "./cli-q2dty8g4.js";
5
+ } from "./cli-7ftzn306.js";
6
6
 
7
7
  // src/core/api/issues.ts
8
8
  async function getAuthHeaders() {
@@ -3,7 +3,7 @@ import {
3
3
  ensureValidToken,
4
4
  getPensarApiUrl,
5
5
  getPensarGatewayUrl
6
- } from "./cli-q2dty8g4.js";
6
+ } from "./cli-7ftzn306.js";
7
7
 
8
8
  // src/core/auth/signing.ts
9
9
  import { createHmac, createHash, randomUUID } from "crypto";
@@ -2,7 +2,7 @@ import {
2
2
  get,
3
3
  init,
4
4
  update
5
- } from "./cli-40ef01tb.js";
5
+ } from "./cli-kjhfp9qw.js";
6
6
 
7
7
  // src/core/api/constants.ts
8
8
  var PENSAR_API_BASE_URL = "https://api.pensar.dev";
@@ -1,7 +1,7 @@
1
1
  import {
2
2
  OffensiveSecurityAgent,
3
3
  readPlan
4
- } from "./cli-x3k26g1t.js";
4
+ } from "./cli-g82bk3cj.js";
5
5
  import {
6
6
  exports_external1 as exports_external,
7
7
  init_zod
@@ -3,7 +3,7 @@ import { spawnSync } from "child_process";
3
3
  // package.json
4
4
  var package_default = {
5
5
  name: "@pensar/apex",
6
- version: "1.7.0",
6
+ version: "1.8.0-canary.12d8c6ce",
7
7
  description: "AI-powered penetration testing CLI tool with terminal UI",
8
8
  module: "src/tui/index.tsx",
9
9
  main: "build/cli.js",
@@ -97,6 +97,7 @@ var package_default = {
97
97
  "@openrouter/ai-sdk-provider": "^2.2.3",
98
98
  "@opentui/core": "^0.1.80",
99
99
  "@opentui/react": "^0.1.80",
100
+ "@pensar/surface": "0.2.1",
100
101
  "@playwright/mcp": "^0.0.54",
101
102
  ai: "^6.0.105",
102
103
  glob: "^13.0.0",