@pensar/apex 1.8.0 → 1.8.2-canary.fb75c486
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -0
- package/build/agent-6dj1qm50.js +221 -0
- package/build/agent-6xr8vpgm.js +28 -0
- package/build/agent-x1htbpe3.js +22 -0
- package/build/apps-t0gmwc7z.js +446 -0
- package/build/{auth-dxjgy41e.js → auth-p4r1m7xq.js} +50 -13
- package/build/authentication-je2b0c3w.js +22 -0
- package/build/blackboxAgent-a4jnt0y5.js +22 -0
- package/build/{blackboxPentest-8ps4yvbk.js → blackboxPentest-b5741n3h.js} +19 -17
- package/build/{cli-y61d9433.js → cli-0tnv1vkp.js} +138 -38
- package/build/{cli-jg7r7y5n.js → cli-4xb21y6g.js} +30 -2
- package/build/{cli-k0tckznm.js → cli-6p7d2k55.js} +39701 -31695
- package/build/cli-87zakjb2.js +17 -0
- package/build/{authentication-e30mfzbe.js → cli-8frjr68r.js} +11 -18
- package/build/cli-8xknm7d9.js +204 -0
- package/build/cli-9egg9azd.js +22 -0
- package/build/cli-9fsre5pt.js +0 -0
- package/build/cli-abbka8n3.js +501 -0
- package/build/{cli-3y0dgy56.js → cli-c8131c4q.js} +2 -2
- package/build/cli-e08r86zk.js +24 -0
- package/build/{cli-0ghkg3w6.js → cli-e6rgwtpb.js} +19950 -18556
- package/build/cli-g5h24ny8.js +197 -0
- package/build/{cli-nr1cjfr9.js → cli-gtcd5c3f.js} +26 -7
- package/build/cli-k0730f59.js +52 -0
- package/build/{cli-tp1tqn3k.js → cli-mswm4k81.js} +1 -1
- package/build/{cli-m788e4f3.js → cli-q8dfq25x.js} +584 -33
- package/build/cli-rhry8mat.js +7213 -0
- package/build/{cli-g8t710ew.js → cli-ryy39d77.js} +253 -250
- package/build/cli-s1nckt4k.js +20 -0
- package/build/{cli-k4hrygff.js → cli-v9ds4jb8.js} +9 -5
- package/build/{cli-dqt80sw3.js → cli-w5990vr6.js} +199 -68
- package/build/{cli-3w2syxpv.js → cli-wfmdch3r.js} +102695 -104816
- package/build/cli.js +351 -280
- package/build/config-3bvtf3j8.js +188 -0
- package/build/{doctor-8tva8j99.js → doctor-2bkpddws.js} +1 -1
- package/build/{fixes-q5bhgxhc.js → fixes-60k3ts71.js} +23 -4
- package/build/{index-pfee23kv.js → index-0gp3x2r8.js} +19306 -18954
- package/build/index-861hkebg.js +12 -0
- package/build/{index-y5xpp21a.js → index-acc00eq4.js} +77 -108
- package/build/index-acdgrqa0.js +36 -0
- package/build/{index-e898mdyh.js → index-cfberehw.js} +4 -2
- package/build/{index-wfeb2gcc.js → index-hxn4rk8f.js} +9 -11
- package/build/{index-dw1xbhfn.js → index-vc29b21w.js} +161 -26
- package/build/index-vwt27stc.js +184 -0
- package/build/{issues-qbmdneej.js → issues-1bynat5q.js} +33 -9
- package/build/{logs-xm5vbymy.js → logs-e78vx2dy.js} +23 -4
- package/build/{main-3d7dfdvs.js → main-3zneyg7p.js} +93 -17
- package/build/{offesecAgent-re6kt2ff.js → offesecAgent-w9m0svwk.js} +14 -11
- package/build/parse-15kqmy2v.js +207 -0
- package/build/pentest-gpvqpvmd.js +31 -0
- package/build/{pentests-e3rj5845.js → pentests-nq7wa8yb.js} +36 -17
- package/build/{targetedPentest-fs0v570s.js → targetedPentest-fjxqn089.js} +15 -12
- package/build/threatModel-9yqx7d7x.js +29 -0
- package/build/{uninstall-qb2xbh2t.js → uninstall-9zbf4cwc.js} +6 -4
- package/build/{utils-jf52rmrb.js → utils-dh1t2r1e.js} +13 -10
- package/package.json +86 -88
- package/build/agent-4d8j2jsw.js +0 -278
- package/build/agent-z2s6h7n2.js +0 -19
- package/build/blackboxAgent-j9pczwym.js +0 -19
- package/build/cli-03z6pswp.js +0 -1423
- package/build/cli-0fy9j5dw.js +0 -61
- package/build/cli-asyas1xb.js +0 -110
- package/build/cli-dj1dgw2n.js +0 -190
- package/build/cli-q7r2sth7.js +0 -103
- package/build/cli-vkwch0bc.js +0 -1207
- package/build/cli-wr7g9qcr.js +0 -645
- package/build/index-bz6f8jry.js +0 -32
- package/build/pentest-mfm4hake.js +0 -29
- package/build/projects-qk22qcbt.js +0 -35
- package/build/threatModel-xfvc6cch.js +0 -67
package/package.json
CHANGED
|
@@ -1,111 +1,32 @@
|
|
|
1
1
|
{
|
|
2
|
-
"
|
|
3
|
-
"version": "1.8.0",
|
|
4
|
-
"description": "AI-powered penetration testing CLI tool with terminal UI",
|
|
5
|
-
"module": "src/tui/index.tsx",
|
|
6
|
-
"main": "build/cli.js",
|
|
7
|
-
"type": "module",
|
|
8
|
-
"repository": {
|
|
9
|
-
"type": "git",
|
|
10
|
-
"url": "https://github.com/pensarai/apex.git"
|
|
11
|
-
},
|
|
2
|
+
"author": "Pensar",
|
|
12
3
|
"bin": {
|
|
13
4
|
"pensar": "./bin/pensar.js"
|
|
14
5
|
},
|
|
15
|
-
"files": [
|
|
16
|
-
"build",
|
|
17
|
-
"bin",
|
|
18
|
-
"assets",
|
|
19
|
-
"pensar.svg",
|
|
20
|
-
"LICENSE"
|
|
21
|
-
],
|
|
22
|
-
"scripts": {
|
|
23
|
-
"build": "bun build src/cli.ts --outdir build --target node --format esm --splitting --external @opentui/core --external @opentui/react --external @opentui/react/* --external react --external react/jsx-runtime --external react/jsx-dev-runtime --external react-reconciler --external weave",
|
|
24
|
-
"generate:ascii": "bun run scripts/generate-ascii-art.ts",
|
|
25
|
-
"generate:models": "bun run scripts/generate-models.ts",
|
|
26
|
-
"build:binary": "bun run generate:ascii && bun build src/cli.ts --compile --outfile pensar",
|
|
27
|
-
"build:binary:macos-arm64": "bun build src/cli.ts --compile --target=bun-darwin-arm64 --outfile dist/pensar-darwin-arm64",
|
|
28
|
-
"build:binary:macos-x64": "bun build src/cli.ts --compile --target=bun-darwin-x64 --outfile dist/pensar-darwin-x64",
|
|
29
|
-
"build:binary:linux-x64": "bun build src/cli.ts --compile --target=bun-linux-x64 --outfile dist/pensar-linux-x64",
|
|
30
|
-
"build:binary:linux-arm64": "bun build src/cli.ts --compile --target=bun-linux-arm64 --outfile dist/pensar-linux-arm64",
|
|
31
|
-
"build:binaries": "bun run generate:ascii && mkdir -p dist && bun run build:binary:macos-arm64 && bun run build:binary:macos-x64 && bun run build:binary:linux-x64 && bun run build:binary:linux-arm64",
|
|
32
|
-
"dev": "bun run scripts/watch.ts",
|
|
33
|
-
"dev:debug": "SHOW_CONSOLE=true bun run scripts/watch.ts",
|
|
34
|
-
"start": "bun run src/tui/index.tsx",
|
|
35
|
-
"pensar": "node bin/pensar.js",
|
|
36
|
-
"tsc": "tsc --noEmit",
|
|
37
|
-
"daytona-benchmark": "bun run scripts/daytona-benchmark.ts",
|
|
38
|
-
"local-benchmark": "bun run scripts/local-benchmark.ts",
|
|
39
|
-
"test": "vitest run",
|
|
40
|
-
"test:watch": "vitest",
|
|
41
|
-
"lint": "eslint src/",
|
|
42
|
-
"format": "prettier --write .",
|
|
43
|
-
"format:check": "prettier --check .",
|
|
44
|
-
"prepublishOnly": "npm run build"
|
|
45
|
-
},
|
|
46
|
-
"keywords": [
|
|
47
|
-
"penetration-testing",
|
|
48
|
-
"security",
|
|
49
|
-
"pentesting",
|
|
50
|
-
"ai",
|
|
51
|
-
"cli",
|
|
52
|
-
"terminal",
|
|
53
|
-
"tui"
|
|
54
|
-
],
|
|
55
|
-
"author": "Pensar",
|
|
56
|
-
"license": "MIT",
|
|
57
|
-
"engines": {
|
|
58
|
-
"node": ">=18.0.0",
|
|
59
|
-
"bun": ">=1.0.0"
|
|
60
|
-
},
|
|
61
|
-
"optionalDependencies": {
|
|
62
|
-
"weave": "^0.12.1"
|
|
63
|
-
},
|
|
64
|
-
"devDependencies": {
|
|
65
|
-
"@eslint/js": "^10.0.1",
|
|
66
|
-
"@types/bun": "^1.3.0",
|
|
67
|
-
"@types/mailparser": "^3.4.6",
|
|
68
|
-
"@types/mime-types": "^3.0.1",
|
|
69
|
-
"@types/nodemailer": "^8.0.0",
|
|
70
|
-
"@types/react": "^19.2.6",
|
|
71
|
-
"@typescript-eslint/eslint-plugin": "^8.55.0",
|
|
72
|
-
"@typescript-eslint/parser": "^8.55.0",
|
|
73
|
-
"dotenv": "^17.2.3",
|
|
74
|
-
"eslint": "^10.0.0",
|
|
75
|
-
"eslint-config-prettier": "^10.1.8",
|
|
76
|
-
"eslint-plugin-unused-imports": "^4.4.1",
|
|
77
|
-
"prettier": "^3.8.1",
|
|
78
|
-
"typescript-eslint": "^8.55.0",
|
|
79
|
-
"vitest": "^2.1.8"
|
|
80
|
-
},
|
|
81
|
-
"peerDependencies": {
|
|
82
|
-
"typescript": "^5.9.3"
|
|
83
|
-
},
|
|
84
6
|
"dependencies": {
|
|
85
|
-
"@ai-sdk/amazon-bedrock": "^4.0.
|
|
86
|
-
"@ai-sdk/anthropic": "^3.0.
|
|
7
|
+
"@ai-sdk/amazon-bedrock": "^4.0.113",
|
|
8
|
+
"@ai-sdk/anthropic": "^3.0.81",
|
|
87
9
|
"@ai-sdk/google": "^3.0.37",
|
|
88
10
|
"@ai-sdk/openai": "3.0.46",
|
|
89
11
|
"@ai-sdk/openai-compatible": "^2.0.35",
|
|
12
|
+
"@ai-sdk/provider": "^3.0.8",
|
|
90
13
|
"@daytonaio/sdk": "^0.112.1",
|
|
91
14
|
"@googleapis/gmail": "^16.1.1",
|
|
92
15
|
"@microsoft/microsoft-graph-client": "^3.0.7",
|
|
93
16
|
"@modelcontextprotocol/sdk": "^1.0.0",
|
|
94
17
|
"@openrouter/ai-sdk-provider": "^2.2.3",
|
|
95
|
-
"@
|
|
96
|
-
"@opentui/
|
|
18
|
+
"@opentelemetry/api": "^1.9.0",
|
|
19
|
+
"@opentui/core": "^0.1.107",
|
|
20
|
+
"@opentui/react": "^0.1.107",
|
|
21
|
+
"@pensar/surface": "0.2.1",
|
|
97
22
|
"@playwright/mcp": "^0.0.54",
|
|
98
23
|
"ai": "^6.0.105",
|
|
99
24
|
"glob": "^13.0.0",
|
|
100
|
-
"google-auth-library": "^10.6.1",
|
|
101
25
|
"highlight.js": "^11.11.1",
|
|
102
|
-
"ignore": "^7.0.5",
|
|
103
26
|
"imapflow": "^1.2.10",
|
|
104
|
-
"jsonwebtoken": "^9.0.3",
|
|
105
27
|
"mailparser": "^3.9.3",
|
|
106
28
|
"marked": "^16.4.0",
|
|
107
29
|
"mime-types": "^3.0.2",
|
|
108
|
-
"nanoid": "^5.1.6",
|
|
109
30
|
"nodemailer": "^8.0.7",
|
|
110
31
|
"p-limit": "^7.2.0",
|
|
111
32
|
"react": "^19.2.0",
|
|
@@ -114,5 +35,82 @@
|
|
|
114
35
|
"yaml": "^2.8.2",
|
|
115
36
|
"zod": "^3.25.76"
|
|
116
37
|
},
|
|
117
|
-
"
|
|
38
|
+
"description": "AI-powered penetration testing CLI tool with terminal UI",
|
|
39
|
+
"devDependencies": {
|
|
40
|
+
"@biomejs/biome": "2.4.14",
|
|
41
|
+
"@types/bun": "^1.3.0",
|
|
42
|
+
"@types/mailparser": "^3.4.6",
|
|
43
|
+
"@types/mime-types": "^3.0.1",
|
|
44
|
+
"@types/nodemailer": "^8.0.0",
|
|
45
|
+
"@types/react": "^19.2.6",
|
|
46
|
+
"dotenv": "^17.2.3",
|
|
47
|
+
"knip": "^6.12.0",
|
|
48
|
+
"prettier": "^3.8.1",
|
|
49
|
+
"vitest": "^2.1.8"
|
|
50
|
+
},
|
|
51
|
+
"engines": {
|
|
52
|
+
"bun": ">=1.0.0",
|
|
53
|
+
"node": ">=18.0.0"
|
|
54
|
+
},
|
|
55
|
+
"files": [
|
|
56
|
+
"build",
|
|
57
|
+
"bin",
|
|
58
|
+
"assets",
|
|
59
|
+
"pensar.svg",
|
|
60
|
+
"LICENSE"
|
|
61
|
+
],
|
|
62
|
+
"keywords": [
|
|
63
|
+
"penetration-testing",
|
|
64
|
+
"security",
|
|
65
|
+
"pentesting",
|
|
66
|
+
"ai",
|
|
67
|
+
"cli",
|
|
68
|
+
"terminal",
|
|
69
|
+
"tui"
|
|
70
|
+
],
|
|
71
|
+
"license": "MIT",
|
|
72
|
+
"main": "build/cli.js",
|
|
73
|
+
"module": "src/tui/index.tsx",
|
|
74
|
+
"name": "@pensar/apex",
|
|
75
|
+
"optionalDependencies": {
|
|
76
|
+
"weave": "^0.12.1"
|
|
77
|
+
},
|
|
78
|
+
"packageManager": "yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e",
|
|
79
|
+
"peerDependencies": {
|
|
80
|
+
"typescript": "^5.9.3"
|
|
81
|
+
},
|
|
82
|
+
"repository": {
|
|
83
|
+
"type": "git",
|
|
84
|
+
"url": "https://github.com/pensarai/apex.git"
|
|
85
|
+
},
|
|
86
|
+
"scripts": {
|
|
87
|
+
"build": "bun build src/cli.ts --outdir build --target node --format esm --splitting --external @opentui/core --external @opentui/react --external @opentui/react/* --external react --external react/jsx-runtime --external react/jsx-dev-runtime --external react-reconciler --external weave",
|
|
88
|
+
"build:binaries": "bun run generate:ascii && mkdir -p dist && bun run build:binary:macos-arm64 && bun run build:binary:macos-x64 && bun run build:binary:linux-x64 && bun run build:binary:linux-arm64",
|
|
89
|
+
"build:binary": "bun run generate:ascii && bun build src/cli.ts --compile --outfile pensar",
|
|
90
|
+
"build:binary:linux-arm64": "bun build src/cli.ts --compile --target=bun-linux-arm64 --outfile dist/pensar-linux-arm64",
|
|
91
|
+
"build:binary:linux-x64": "bun build src/cli.ts --compile --target=bun-linux-x64 --outfile dist/pensar-linux-x64",
|
|
92
|
+
"build:binary:macos-arm64": "bun build src/cli.ts --compile --target=bun-darwin-arm64 --outfile dist/pensar-darwin-arm64",
|
|
93
|
+
"build:binary:macos-x64": "bun build src/cli.ts --compile --target=bun-darwin-x64 --outfile dist/pensar-darwin-x64",
|
|
94
|
+
"check": "biome check --write",
|
|
95
|
+
"check:ci": "biome check",
|
|
96
|
+
"daytona-benchmark": "bun run scripts/daytona-benchmark.ts",
|
|
97
|
+
"dev": "bun run scripts/watch.ts",
|
|
98
|
+
"dev:debug": "SHOW_CONSOLE=true bun run scripts/watch.ts",
|
|
99
|
+
"format": "biome check --write && prettier --write \"**/*.{md,yml,yaml}\"",
|
|
100
|
+
"format:check": "biome check && prettier --check \"**/*.{md,yml,yaml}\"",
|
|
101
|
+
"generate:ascii": "bun run scripts/generate-ascii-art.ts",
|
|
102
|
+
"generate:models": "bun run scripts/generate-models.ts",
|
|
103
|
+
"knip": "knip",
|
|
104
|
+
"lint": "biome lint src/",
|
|
105
|
+
"lint:fix": "biome lint --write src/",
|
|
106
|
+
"local-benchmark": "bun run scripts/local-benchmark.ts",
|
|
107
|
+
"pensar": "node bin/pensar.js",
|
|
108
|
+
"prepublishOnly": "npm run build",
|
|
109
|
+
"start": "bun run src/tui/index.tsx",
|
|
110
|
+
"test": "vitest run",
|
|
111
|
+
"test:watch": "vitest",
|
|
112
|
+
"tsc": "tsc --noEmit"
|
|
113
|
+
},
|
|
114
|
+
"type": "module",
|
|
115
|
+
"version": "1.8.2-canary.fb75c486"
|
|
118
116
|
}
|
package/build/agent-4d8j2jsw.js
DELETED
|
@@ -1,278 +0,0 @@
|
|
|
1
|
-
import {
|
|
2
|
-
WhiteboxAttackSurfaceResultSchema
|
|
3
|
-
} from "./cli-0fy9j5dw.js";
|
|
4
|
-
import {
|
|
5
|
-
OffensiveSecurityAgent
|
|
6
|
-
} from "./cli-3w2syxpv.js";
|
|
7
|
-
import"./cli-tp1tqn3k.js";
|
|
8
|
-
import"./cli-g8t710ew.js";
|
|
9
|
-
import"./cli-3y0dgy56.js";
|
|
10
|
-
import {
|
|
11
|
-
hasToolCall
|
|
12
|
-
} from "./cli-k0tckznm.js";
|
|
13
|
-
import {
|
|
14
|
-
tool
|
|
15
|
-
} from "./cli-0ghkg3w6.js";
|
|
16
|
-
import"./cli-dqt80sw3.js";
|
|
17
|
-
import"./cli-asyas1xb.js";
|
|
18
|
-
import"./cli-gpnb45ck.js";
|
|
19
|
-
import"./cli-nr1cjfr9.js";
|
|
20
|
-
import"./cli-dj1dgw2n.js";
|
|
21
|
-
import"./cli-03z6pswp.js";
|
|
22
|
-
import"./cli-8rxa073f.js";
|
|
23
|
-
|
|
24
|
-
// src/core/agents/specialized/whiteboxAttackSurface/prompts.ts
|
|
25
|
-
var WHITEBOX_ATTACK_SURFACE_SYSTEM_PROMPT = `You are an expert source-code analyst and orchestrator. Your mission is to comprehensively map the attack surface of a codebase by analyzing its source code directly.
|
|
26
|
-
|
|
27
|
-
You operate completely autonomously. Do not ask for permission or wait for user input.
|
|
28
|
-
|
|
29
|
-
# Your Goal
|
|
30
|
-
|
|
31
|
-
Given a codebase path, you must:
|
|
32
|
-
1. Identify the repository structure (monorepo vs single app, package manager, etc.)
|
|
33
|
-
2. Discover every application/service defined in the repo
|
|
34
|
-
3. For each app, enumerate ALL web pages and ALL API endpoints defined in the source code
|
|
35
|
-
4. For each endpoint, generate specific pentest objectives
|
|
36
|
-
5. **Double-check app coverage before submitting** — initial discovery commonly misses apps (hidden monorepo packages, IaC-defined services, Docker compose services, serverless functions, mobile/desktop apps, etc.). A dedicated verification pass is mandatory before you submit results.
|
|
37
|
-
|
|
38
|
-
# Tools at Your Disposal
|
|
39
|
-
|
|
40
|
-
## list_files
|
|
41
|
-
List directories to understand project structure. Start here.
|
|
42
|
-
|
|
43
|
-
## read_file
|
|
44
|
-
Read config files, entry points, route definitions, etc.
|
|
45
|
-
|
|
46
|
-
## grep
|
|
47
|
-
Your primary search tool. Use it to find route definitions, middleware, controllers, etc.
|
|
48
|
-
|
|
49
|
-
## document_app
|
|
50
|
-
**Use this to document each application/service you identify.** Each call persists a JSON record to the session's apps directory. Document:
|
|
51
|
-
- Each application/service you identify (appType: "web_application" or "api")
|
|
52
|
-
- Notable subdomains hosting distinct services (appType: "subdomain")
|
|
53
|
-
- Cloud resources like S3 buckets, cloud storage, CDN origins (appType: "cloud_resource" or "storage")
|
|
54
|
-
- For S3 buckets: set \`domain\` to the **canonical virtual-hosted-style** endpoint (e.g. "https://bucket-name.s3.amazonaws.com") and use appType "storage". Do NOT use path-style URLs (e.g. "https://s3.amazonaws.com/bucket-name").
|
|
55
|
-
- For other cloud resources: set \`domain\` to the primary/canonical resource endpoint and use appType "cloud_resource"
|
|
56
|
-
- If known domains are provided, set the \`domain\` field to associate the app with the correct domain. **Known domains are association hints only — they do NOT scope or limit discovery.** Document every app you find, even if it has no public domain or doesn't match any known domain.
|
|
57
|
-
|
|
58
|
-
## document_endpoint
|
|
59
|
-
**This is your primary output tool for endpoints.** Each call persists a JSON record to the session's endpoints directory, organized by app. Document:
|
|
60
|
-
- Individual API endpoints and web pages
|
|
61
|
-
|
|
62
|
-
**CRITICAL — endpoint documentation rules:**
|
|
63
|
-
- **ONE endpoint per unique route path.** Do NOT create separate entries for different HTTP methods on the same path. If \`/api/users\` supports GET, POST, and DELETE, that is ONE entry with \`method: ["GET", "POST", "DELETE"]\`.
|
|
64
|
-
- **Use \`method: "PAGE"\`** for web pages and views.
|
|
65
|
-
- **Always set \`appName\`** to group endpoints under the correct application.
|
|
66
|
-
- **Always set \`routePath\`** to the HTTP route (e.g., \`/api/users\`). This is the URL path a client requests — NOT a source-file path.
|
|
67
|
-
- **Always set \`file\`** to the source-code file (e.g., \`src/routes/users.ts\`). This is NOT the HTTP route.
|
|
68
|
-
- **Always set \`handler\`** to the function name, and \`authRequired\` to indicate auth requirements.
|
|
69
|
-
|
|
70
|
-
Call these tools throughout your analysis as you discover apps and endpoints — don't wait until the end.
|
|
71
|
-
|
|
72
|
-
## spawn_coding_agent
|
|
73
|
-
**This is your key tool for scaling out analysis.** Spawn coding sub-agents to analyze individual apps in parallel for higher fidelity. Each sub-agent has full filesystem access (read_file, list_files, grep, execute_command) and the document_app/document_endpoint tools.
|
|
74
|
-
|
|
75
|
-
## submit_results
|
|
76
|
-
Call this LAST with your complete structured results. This ends your run.
|
|
77
|
-
|
|
78
|
-
# Methodology
|
|
79
|
-
|
|
80
|
-
## Phase 1: REPO IDENTIFICATION (do this yourself — it's fast)
|
|
81
|
-
1. List the root directory
|
|
82
|
-
2. Read the top-level config files to determine:
|
|
83
|
-
- Package manager (package.json → npm/yarn/pnpm, requirements.txt → pip, Cargo.toml → cargo, go.mod → go, etc.)
|
|
84
|
-
- Repo structure (workspaces field in package.json → monorepo, multiple service dirs → multi-package, etc.)
|
|
85
|
-
3. Identify all apps/services — look for:
|
|
86
|
-
- Monorepo workspace packages with their own entry points
|
|
87
|
-
- Separate service directories with their own configs
|
|
88
|
-
- A single app at the root
|
|
89
|
-
4. Discover cloud resources and external infrastructure referenced in the code:
|
|
90
|
-
- S3 buckets, GCS buckets, Azure Blob Storage (search for bucket names, s3://, storage URLs)
|
|
91
|
-
- CDN distributions (CloudFront, Cloudflare)
|
|
92
|
-
- Infrastructure-as-code definitions (Terraform, CloudFormation, CDK, SST, Pulumi, serverless.yml)
|
|
93
|
-
- Document each as an app with appType "cloud_resource" or "storage" and set the \`domain\` to the **canonical** resource endpoint
|
|
94
|
-
- **S3 canonical URL:** Always use virtual-hosted-style "https://bucket-name.s3.amazonaws.com" (or with region: "https://bucket-name.s3.us-east-1.amazonaws.com"). Never use path-style "https://s3.amazonaws.com/bucket-name".
|
|
95
|
-
- **Do NOT document alternative URL formats** as separate endpoints — only document the canonical/primary URL and any distinct functional paths under it
|
|
96
|
-
|
|
97
|
-
## Phase 2: APP ANALYSIS (delegate to coding agents)
|
|
98
|
-
For each app you identified, spawn a coding agent with a detailed objective. The objective should instruct the agent to:
|
|
99
|
-
|
|
100
|
-
1. **Identify the framework** — read the app's config/entry point to determine the web framework
|
|
101
|
-
2. **Document the application** — call \`document_app\` with the app name, type, and framework
|
|
102
|
-
3. **Find ALL web pages** — search for page/view/route definitions and document each with \`document_endpoint\` using \`method: "PAGE"\`
|
|
103
|
-
4. **Find ALL API endpoints** — search for route/endpoint definitions and document each unique path with \`document_endpoint\`, listing ALL HTTP methods in \`method\`
|
|
104
|
-
5. **For each endpoint, include** in the document_endpoint call:
|
|
105
|
-
- HTTP route in \`routePath\` (e.g., \`/api/users\`) — this is the URL path, NOT a file path
|
|
106
|
-
- ALL HTTP methods in \`method\` (consolidated — one entry per path)
|
|
107
|
-
- Handler function in \`handler\`
|
|
108
|
-
- Source-code file in \`file\` (e.g., \`src/routes/users.ts\`) — this is NOT the route
|
|
109
|
-
- Line number in \`line\`
|
|
110
|
-
- Auth requirement in \`authRequired\`
|
|
111
|
-
|
|
112
|
-
**IMPORTANT:** Tell each coding agent to set \`appName\` on every \`document_endpoint\` call so endpoints are organized by application.
|
|
113
|
-
|
|
114
|
-
## Phase 3: COVERAGE DOUBLE-CHECK (do this yourself — DO NOT SKIP)
|
|
115
|
-
|
|
116
|
-
**Initial app discovery almost always misses something.** Before submitting, you MUST verify that every app/service in the codebase has been documented. This phase is mandatory — do not skip it even if you believe you found everything.
|
|
117
|
-
|
|
118
|
-
1. **Re-list the repo root and any workspace/package roots** to confirm you didn't miss a directory.
|
|
119
|
-
2. **Check monorepo workspace declarations** against your documented apps:
|
|
120
|
-
- \`package.json\` \`workspaces\` field, \`pnpm-workspace.yaml\`, \`lerna.json\`, \`nx.json\`, \`turbo.json\`, \`rush.json\`
|
|
121
|
-
- \`Cargo.toml\` \`[workspace]\` members, \`go.work\` use directives
|
|
122
|
-
- Any top-level \`apps/\`, \`packages/\`, \`services/\`, \`cmd/\`, \`functions/\`, \`lambdas/\`, \`workers/\` directories
|
|
123
|
-
3. **Search for additional entry points** you may have missed. Run targeted greps such as:
|
|
124
|
-
- Framework manifests: \`next.config.*\`, \`vite.config.*\`, \`remix.config.*\`, \`nuxt.config.*\`, \`astro.config.*\`, \`svelte.config.*\`, \`angular.json\`, \`gatsby-config.*\`, \`expo.json\`, \`app.json\`
|
|
125
|
-
- Backend entry points: \`main.py\`, \`app.py\`, \`manage.py\`, \`wsgi.py\`, \`asgi.py\`, \`server.{ts,js,go,rs}\`, \`main.{go,rs}\`, \`Program.cs\`, \`Startup.cs\`
|
|
126
|
-
- Dockerfiles and \`docker-compose.y*ml\` services — each service may be a separate app
|
|
127
|
-
- IaC definitions: \`serverless.y*ml\`, \`sam.y*ml\`, \`template.y*ml\`, \`*.tf\`, \`cdk.json\`, \`sst.config.*\`, \`pulumi.yaml\`
|
|
128
|
-
- CI/CD deployment configs: \`.github/workflows/\`, \`vercel.json\`, \`netlify.toml\`, \`fly.toml\`, \`railway.toml\`, \`app.yaml\`, \`Procfile\`
|
|
129
|
-
- Mobile apps: \`ios/\`, \`android/\`, \`*.xcodeproj\`, \`AndroidManifest.xml\`
|
|
130
|
-
- Browser extensions / desktop apps: \`manifest.json\` (MV2/MV3), \`electron\`, \`tauri.conf.*\`
|
|
131
|
-
- Background jobs / workers: search for \`worker\`, \`queue\`, \`cron\`, \`scheduler\`, \`BullMQ\`, \`Celery\`, \`Sidekiq\`
|
|
132
|
-
4. **Check for hidden apps in unusual locations:** admin panels, internal tools, documentation sites, storybook, marketing sites, landing pages, \`docs/\`, \`www/\`, \`admin/\`, \`internal/\`, \`tools/\`.
|
|
133
|
-
5. **Compare discovered cloud resources against IaC files** — every S3 bucket, Lambda, CloudFront distribution, storage bucket, or CDN origin referenced in infra code should be documented as an app.
|
|
134
|
-
|
|
135
|
-
For every candidate you identify in this phase:
|
|
136
|
-
- If it's **already documented** — good, move on.
|
|
137
|
-
- If it's **NOT documented** — spawn another coding agent to analyze it, or document it yourself with \`document_app\` / \`document_endpoint\`. Do not simply note it in the final summary; it must be in the apps list.
|
|
138
|
-
|
|
139
|
-
Only proceed to Phase 4 once you have explicitly walked through the checks above and confirmed coverage is complete.
|
|
140
|
-
|
|
141
|
-
## Phase 4: COLLECT AND SUBMIT (do this yourself)
|
|
142
|
-
|
|
143
|
-
Before calling \`submit_results\`, verify the final coverage checklist:
|
|
144
|
-
- [ ] Every workspace package / service directory is represented by a documented app
|
|
145
|
-
- [ ] Every framework entry point discovered in Phase 3 maps to a documented app
|
|
146
|
-
- [ ] Every Dockerfile / compose service / IaC resource maps to a documented app or cloud resource
|
|
147
|
-
- [ ] Every known domain (if provided) that maps to an app in the repo has been associated via the \`domain\` field — but apps that don't map to a known domain are still documented (known domains are hints, not a scope filter)
|
|
148
|
-
- [ ] Each documented app has its endpoints/pages enumerated (or an explicit note in \`pentestObjectives\` if it is a non-HTTP service)
|
|
149
|
-
|
|
150
|
-
Then:
|
|
151
|
-
1. Parse the output from all coding agents
|
|
152
|
-
2. Assemble the complete structured result
|
|
153
|
-
3. Call \`submit_results\` with the full data
|
|
154
|
-
|
|
155
|
-
# Guidelines
|
|
156
|
-
- Be thorough — every endpoint matters. Don't skip files or directories.
|
|
157
|
-
- Delegate aggressively — spawn coding agents for each app to get high-fidelity results.
|
|
158
|
-
- Give coding agents VERY detailed objectives — they work best with specific instructions about what to search for and how to report it.
|
|
159
|
-
- Don't duplicate work — let the coding agents do the deep file-by-file analysis.
|
|
160
|
-
- When in doubt about repo structure, read more config files before deciding.
|
|
161
|
-
- **Never skip the Phase 3 coverage double-check** — initial discovery routinely misses apps, and a second pass is the cheapest way to catch them.
|
|
162
|
-
- **Known domains are association hints, not a scope filter.** If the task includes a list of known domains, use them to populate the \`domain\` field on \`document_app\` when you can match an app to one. Do NOT use them to decide which apps, packages, services, endpoints, or cloud resources are worth documenting — document everything found in the codebase.
|
|
163
|
-
`;
|
|
164
|
-
|
|
165
|
-
// src/core/agents/specialized/whiteboxAttackSurface/agent.ts
|
|
166
|
-
class WhiteboxAttackSurfaceAgent extends OffensiveSecurityAgent {
|
|
167
|
-
constructor(opts) {
|
|
168
|
-
const {
|
|
169
|
-
model,
|
|
170
|
-
codebasePath,
|
|
171
|
-
session,
|
|
172
|
-
authConfig,
|
|
173
|
-
onStepFinish,
|
|
174
|
-
abortSignal,
|
|
175
|
-
eventBus,
|
|
176
|
-
subagentId,
|
|
177
|
-
attackSurfaceRegistry,
|
|
178
|
-
domains,
|
|
179
|
-
enableThinking
|
|
180
|
-
} = opts;
|
|
181
|
-
let capturedResult = null;
|
|
182
|
-
const submitResultsTool = tool({
|
|
183
|
-
description: `Submit the final whitebox attack surface analysis results.
|
|
184
|
-
|
|
185
|
-
Call this ONCE at the end with your complete structured findings.
|
|
186
|
-
This ends the agent run — make sure all data is included.`,
|
|
187
|
-
inputSchema: WhiteboxAttackSurfaceResultSchema,
|
|
188
|
-
execute: async (results) => {
|
|
189
|
-
capturedResult = results;
|
|
190
|
-
return { success: true, message: "Results submitted." };
|
|
191
|
-
}
|
|
192
|
-
});
|
|
193
|
-
super({
|
|
194
|
-
system: WHITEBOX_ATTACK_SURFACE_SYSTEM_PROMPT,
|
|
195
|
-
prompt: buildPrompt(codebasePath, domains, session.config?.prompt),
|
|
196
|
-
model,
|
|
197
|
-
session,
|
|
198
|
-
authConfig,
|
|
199
|
-
onStepFinish,
|
|
200
|
-
abortSignal,
|
|
201
|
-
eventBus,
|
|
202
|
-
subagentId,
|
|
203
|
-
attackSurfaceRegistry,
|
|
204
|
-
enableThinking,
|
|
205
|
-
activeTools: [
|
|
206
|
-
"read_file",
|
|
207
|
-
"list_files",
|
|
208
|
-
"grep",
|
|
209
|
-
"document_app",
|
|
210
|
-
"document_endpoint",
|
|
211
|
-
"spawn_coding_agent",
|
|
212
|
-
"submit_results"
|
|
213
|
-
],
|
|
214
|
-
extraTools: {
|
|
215
|
-
submit_results: submitResultsTool
|
|
216
|
-
},
|
|
217
|
-
stopWhen: hasToolCall("submit_results"),
|
|
218
|
-
resolveResult: () => {
|
|
219
|
-
if (capturedResult) {
|
|
220
|
-
return capturedResult;
|
|
221
|
-
}
|
|
222
|
-
return {
|
|
223
|
-
repoType: "unknown",
|
|
224
|
-
packageManager: "unknown",
|
|
225
|
-
apps: [],
|
|
226
|
-
summary: {
|
|
227
|
-
totalApps: 0,
|
|
228
|
-
totalPages: 0,
|
|
229
|
-
totalApiEndpoints: 0,
|
|
230
|
-
totalPentestObjectives: 0
|
|
231
|
-
}
|
|
232
|
-
};
|
|
233
|
-
}
|
|
234
|
-
});
|
|
235
|
-
}
|
|
236
|
-
}
|
|
237
|
-
function buildPrompt(codebasePath, domains, operatorPrompt) {
|
|
238
|
-
const domainSection = domains?.length ? `
|
|
239
|
-
## Known Domains
|
|
240
|
-
The following domains are **hints for association only** — they are known to be operated by the target and should be set on the \`domain\` field of \`document_app\` when you can determine which domain serves a given app.
|
|
241
|
-
|
|
242
|
-
**IMPORTANT — these domains DO NOT define the scope of discovery:**
|
|
243
|
-
- Discover and document **every** app/service/cloud resource defined in the codebase, regardless of whether it maps to one of these domains.
|
|
244
|
-
- Apps with no known public domain (internal services, background workers, staging-only apps, functions, admin tools, etc.) MUST still be documented. Leave \`domain\` unset or use the canonical resource URL for cloud resources.
|
|
245
|
-
- Do NOT filter out apps, endpoints, subdomains, or cloud resources because they don't appear to belong to one of these domains.
|
|
246
|
-
- Do NOT skip directories, packages, or services because they "look unrelated" to the listed domains.
|
|
247
|
-
|
|
248
|
-
Known domains:
|
|
249
|
-
${domains.map((d) => `- ${d}`).join(`
|
|
250
|
-
`)}
|
|
251
|
-
` : "";
|
|
252
|
-
const operatorGuidanceBlock = operatorPrompt ? `
|
|
253
|
-
## Operator Guidance
|
|
254
|
-
${operatorPrompt}
|
|
255
|
-
` : "";
|
|
256
|
-
return `# Whitebox Attack Surface Analysis
|
|
257
|
-
|
|
258
|
-
## Codebase
|
|
259
|
-
- **Path:** ${codebasePath}
|
|
260
|
-
${domainSection}${operatorGuidanceBlock}
|
|
261
|
-
## Task
|
|
262
|
-
Analyze this codebase and produce a complete attack surface map:
|
|
263
|
-
1. Identify the repo type and package manager
|
|
264
|
-
2. Discover all apps/services
|
|
265
|
-
3. Discover cloud resources and external infrastructure referenced in the code (S3 buckets, cloud storage, CDN origins, etc.) — document these as apps with the appropriate type
|
|
266
|
-
4. For each app, find all web pages and API endpoints
|
|
267
|
-
5. For each endpoint, generate pentest objectives
|
|
268
|
-
6. **Before submitting**, perform the Phase 3 coverage double-check from the system prompt — re-scan workspace roots, framework configs, Dockerfiles, IaC, and CI/deploy configs for apps you may have missed on the first pass, and document any that were missed.
|
|
269
|
-
|
|
270
|
-
Use \`spawn_coding_agent\` to delegate app-level analysis for higher fidelity.
|
|
271
|
-
|
|
272
|
-
When finished, call \`submit_results\` with the complete structured output. Do NOT call \`submit_results\` until you have explicitly completed the coverage double-check.
|
|
273
|
-
|
|
274
|
-
Begin now.`;
|
|
275
|
-
}
|
|
276
|
-
export {
|
|
277
|
-
WhiteboxAttackSurfaceAgent
|
|
278
|
-
};
|
package/build/agent-z2s6h7n2.js
DELETED
|
@@ -1,19 +0,0 @@
|
|
|
1
|
-
import {
|
|
2
|
-
CodeAgent
|
|
3
|
-
} from "./cli-jg7r7y5n.js";
|
|
4
|
-
import"./cli-3w2syxpv.js";
|
|
5
|
-
import"./cli-tp1tqn3k.js";
|
|
6
|
-
import"./cli-g8t710ew.js";
|
|
7
|
-
import"./cli-3y0dgy56.js";
|
|
8
|
-
import"./cli-k0tckznm.js";
|
|
9
|
-
import"./cli-0ghkg3w6.js";
|
|
10
|
-
import"./cli-dqt80sw3.js";
|
|
11
|
-
import"./cli-asyas1xb.js";
|
|
12
|
-
import"./cli-gpnb45ck.js";
|
|
13
|
-
import"./cli-nr1cjfr9.js";
|
|
14
|
-
import"./cli-dj1dgw2n.js";
|
|
15
|
-
import"./cli-03z6pswp.js";
|
|
16
|
-
import"./cli-8rxa073f.js";
|
|
17
|
-
export {
|
|
18
|
-
CodeAgent
|
|
19
|
-
};
|
|
@@ -1,19 +0,0 @@
|
|
|
1
|
-
import {
|
|
2
|
-
BlackboxAttackSurfaceAgent
|
|
3
|
-
} from "./cli-k4hrygff.js";
|
|
4
|
-
import"./cli-3w2syxpv.js";
|
|
5
|
-
import"./cli-tp1tqn3k.js";
|
|
6
|
-
import"./cli-g8t710ew.js";
|
|
7
|
-
import"./cli-3y0dgy56.js";
|
|
8
|
-
import"./cli-k0tckznm.js";
|
|
9
|
-
import"./cli-0ghkg3w6.js";
|
|
10
|
-
import"./cli-dqt80sw3.js";
|
|
11
|
-
import"./cli-asyas1xb.js";
|
|
12
|
-
import"./cli-gpnb45ck.js";
|
|
13
|
-
import"./cli-nr1cjfr9.js";
|
|
14
|
-
import"./cli-dj1dgw2n.js";
|
|
15
|
-
import"./cli-03z6pswp.js";
|
|
16
|
-
import"./cli-8rxa073f.js";
|
|
17
|
-
export {
|
|
18
|
-
BlackboxAttackSurfaceAgent
|
|
19
|
-
};
|