@pensar/apex 1.8.0 → 1.8.2-canary.fb75c486

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (70) hide show
  1. package/README.md +11 -0
  2. package/build/agent-6dj1qm50.js +221 -0
  3. package/build/agent-6xr8vpgm.js +28 -0
  4. package/build/agent-x1htbpe3.js +22 -0
  5. package/build/apps-t0gmwc7z.js +446 -0
  6. package/build/{auth-dxjgy41e.js → auth-p4r1m7xq.js} +50 -13
  7. package/build/authentication-je2b0c3w.js +22 -0
  8. package/build/blackboxAgent-a4jnt0y5.js +22 -0
  9. package/build/{blackboxPentest-8ps4yvbk.js → blackboxPentest-b5741n3h.js} +19 -17
  10. package/build/{cli-y61d9433.js → cli-0tnv1vkp.js} +138 -38
  11. package/build/{cli-jg7r7y5n.js → cli-4xb21y6g.js} +30 -2
  12. package/build/{cli-k0tckznm.js → cli-6p7d2k55.js} +39701 -31695
  13. package/build/cli-87zakjb2.js +17 -0
  14. package/build/{authentication-e30mfzbe.js → cli-8frjr68r.js} +11 -18
  15. package/build/cli-8xknm7d9.js +204 -0
  16. package/build/cli-9egg9azd.js +22 -0
  17. package/build/cli-9fsre5pt.js +0 -0
  18. package/build/cli-abbka8n3.js +501 -0
  19. package/build/{cli-3y0dgy56.js → cli-c8131c4q.js} +2 -2
  20. package/build/cli-e08r86zk.js +24 -0
  21. package/build/{cli-0ghkg3w6.js → cli-e6rgwtpb.js} +19950 -18556
  22. package/build/cli-g5h24ny8.js +197 -0
  23. package/build/{cli-nr1cjfr9.js → cli-gtcd5c3f.js} +26 -7
  24. package/build/cli-k0730f59.js +52 -0
  25. package/build/{cli-tp1tqn3k.js → cli-mswm4k81.js} +1 -1
  26. package/build/{cli-m788e4f3.js → cli-q8dfq25x.js} +584 -33
  27. package/build/cli-rhry8mat.js +7213 -0
  28. package/build/{cli-g8t710ew.js → cli-ryy39d77.js} +253 -250
  29. package/build/cli-s1nckt4k.js +20 -0
  30. package/build/{cli-k4hrygff.js → cli-v9ds4jb8.js} +9 -5
  31. package/build/{cli-dqt80sw3.js → cli-w5990vr6.js} +199 -68
  32. package/build/{cli-3w2syxpv.js → cli-wfmdch3r.js} +102695 -104816
  33. package/build/cli.js +351 -280
  34. package/build/config-3bvtf3j8.js +188 -0
  35. package/build/{doctor-8tva8j99.js → doctor-2bkpddws.js} +1 -1
  36. package/build/{fixes-q5bhgxhc.js → fixes-60k3ts71.js} +23 -4
  37. package/build/{index-pfee23kv.js → index-0gp3x2r8.js} +19306 -18954
  38. package/build/index-861hkebg.js +12 -0
  39. package/build/{index-y5xpp21a.js → index-acc00eq4.js} +77 -108
  40. package/build/index-acdgrqa0.js +36 -0
  41. package/build/{index-e898mdyh.js → index-cfberehw.js} +4 -2
  42. package/build/{index-wfeb2gcc.js → index-hxn4rk8f.js} +9 -11
  43. package/build/{index-dw1xbhfn.js → index-vc29b21w.js} +161 -26
  44. package/build/index-vwt27stc.js +184 -0
  45. package/build/{issues-qbmdneej.js → issues-1bynat5q.js} +33 -9
  46. package/build/{logs-xm5vbymy.js → logs-e78vx2dy.js} +23 -4
  47. package/build/{main-3d7dfdvs.js → main-3zneyg7p.js} +93 -17
  48. package/build/{offesecAgent-re6kt2ff.js → offesecAgent-w9m0svwk.js} +14 -11
  49. package/build/parse-15kqmy2v.js +207 -0
  50. package/build/pentest-gpvqpvmd.js +31 -0
  51. package/build/{pentests-e3rj5845.js → pentests-nq7wa8yb.js} +36 -17
  52. package/build/{targetedPentest-fs0v570s.js → targetedPentest-fjxqn089.js} +15 -12
  53. package/build/threatModel-9yqx7d7x.js +29 -0
  54. package/build/{uninstall-qb2xbh2t.js → uninstall-9zbf4cwc.js} +6 -4
  55. package/build/{utils-jf52rmrb.js → utils-dh1t2r1e.js} +13 -10
  56. package/package.json +86 -88
  57. package/build/agent-4d8j2jsw.js +0 -278
  58. package/build/agent-z2s6h7n2.js +0 -19
  59. package/build/blackboxAgent-j9pczwym.js +0 -19
  60. package/build/cli-03z6pswp.js +0 -1423
  61. package/build/cli-0fy9j5dw.js +0 -61
  62. package/build/cli-asyas1xb.js +0 -110
  63. package/build/cli-dj1dgw2n.js +0 -190
  64. package/build/cli-q7r2sth7.js +0 -103
  65. package/build/cli-vkwch0bc.js +0 -1207
  66. package/build/cli-wr7g9qcr.js +0 -645
  67. package/build/index-bz6f8jry.js +0 -32
  68. package/build/pentest-mfm4hake.js +0 -29
  69. package/build/projects-qk22qcbt.js +0 -35
  70. package/build/threatModel-xfvc6cch.js +0 -67
package/package.json CHANGED
@@ -1,111 +1,32 @@
1
1
  {
2
- "name": "@pensar/apex",
3
- "version": "1.8.0",
4
- "description": "AI-powered penetration testing CLI tool with terminal UI",
5
- "module": "src/tui/index.tsx",
6
- "main": "build/cli.js",
7
- "type": "module",
8
- "repository": {
9
- "type": "git",
10
- "url": "https://github.com/pensarai/apex.git"
11
- },
2
+ "author": "Pensar",
12
3
  "bin": {
13
4
  "pensar": "./bin/pensar.js"
14
5
  },
15
- "files": [
16
- "build",
17
- "bin",
18
- "assets",
19
- "pensar.svg",
20
- "LICENSE"
21
- ],
22
- "scripts": {
23
- "build": "bun build src/cli.ts --outdir build --target node --format esm --splitting --external @opentui/core --external @opentui/react --external @opentui/react/* --external react --external react/jsx-runtime --external react/jsx-dev-runtime --external react-reconciler --external weave",
24
- "generate:ascii": "bun run scripts/generate-ascii-art.ts",
25
- "generate:models": "bun run scripts/generate-models.ts",
26
- "build:binary": "bun run generate:ascii && bun build src/cli.ts --compile --outfile pensar",
27
- "build:binary:macos-arm64": "bun build src/cli.ts --compile --target=bun-darwin-arm64 --outfile dist/pensar-darwin-arm64",
28
- "build:binary:macos-x64": "bun build src/cli.ts --compile --target=bun-darwin-x64 --outfile dist/pensar-darwin-x64",
29
- "build:binary:linux-x64": "bun build src/cli.ts --compile --target=bun-linux-x64 --outfile dist/pensar-linux-x64",
30
- "build:binary:linux-arm64": "bun build src/cli.ts --compile --target=bun-linux-arm64 --outfile dist/pensar-linux-arm64",
31
- "build:binaries": "bun run generate:ascii && mkdir -p dist && bun run build:binary:macos-arm64 && bun run build:binary:macos-x64 && bun run build:binary:linux-x64 && bun run build:binary:linux-arm64",
32
- "dev": "bun run scripts/watch.ts",
33
- "dev:debug": "SHOW_CONSOLE=true bun run scripts/watch.ts",
34
- "start": "bun run src/tui/index.tsx",
35
- "pensar": "node bin/pensar.js",
36
- "tsc": "tsc --noEmit",
37
- "daytona-benchmark": "bun run scripts/daytona-benchmark.ts",
38
- "local-benchmark": "bun run scripts/local-benchmark.ts",
39
- "test": "vitest run",
40
- "test:watch": "vitest",
41
- "lint": "eslint src/",
42
- "format": "prettier --write .",
43
- "format:check": "prettier --check .",
44
- "prepublishOnly": "npm run build"
45
- },
46
- "keywords": [
47
- "penetration-testing",
48
- "security",
49
- "pentesting",
50
- "ai",
51
- "cli",
52
- "terminal",
53
- "tui"
54
- ],
55
- "author": "Pensar",
56
- "license": "MIT",
57
- "engines": {
58
- "node": ">=18.0.0",
59
- "bun": ">=1.0.0"
60
- },
61
- "optionalDependencies": {
62
- "weave": "^0.12.1"
63
- },
64
- "devDependencies": {
65
- "@eslint/js": "^10.0.1",
66
- "@types/bun": "^1.3.0",
67
- "@types/mailparser": "^3.4.6",
68
- "@types/mime-types": "^3.0.1",
69
- "@types/nodemailer": "^8.0.0",
70
- "@types/react": "^19.2.6",
71
- "@typescript-eslint/eslint-plugin": "^8.55.0",
72
- "@typescript-eslint/parser": "^8.55.0",
73
- "dotenv": "^17.2.3",
74
- "eslint": "^10.0.0",
75
- "eslint-config-prettier": "^10.1.8",
76
- "eslint-plugin-unused-imports": "^4.4.1",
77
- "prettier": "^3.8.1",
78
- "typescript-eslint": "^8.55.0",
79
- "vitest": "^2.1.8"
80
- },
81
- "peerDependencies": {
82
- "typescript": "^5.9.3"
83
- },
84
6
  "dependencies": {
85
- "@ai-sdk/amazon-bedrock": "^4.0.69",
86
- "@ai-sdk/anthropic": "^3.0.50",
7
+ "@ai-sdk/amazon-bedrock": "^4.0.113",
8
+ "@ai-sdk/anthropic": "^3.0.81",
87
9
  "@ai-sdk/google": "^3.0.37",
88
10
  "@ai-sdk/openai": "3.0.46",
89
11
  "@ai-sdk/openai-compatible": "^2.0.35",
12
+ "@ai-sdk/provider": "^3.0.8",
90
13
  "@daytonaio/sdk": "^0.112.1",
91
14
  "@googleapis/gmail": "^16.1.1",
92
15
  "@microsoft/microsoft-graph-client": "^3.0.7",
93
16
  "@modelcontextprotocol/sdk": "^1.0.0",
94
17
  "@openrouter/ai-sdk-provider": "^2.2.3",
95
- "@opentui/core": "^0.1.80",
96
- "@opentui/react": "^0.1.80",
18
+ "@opentelemetry/api": "^1.9.0",
19
+ "@opentui/core": "^0.1.107",
20
+ "@opentui/react": "^0.1.107",
21
+ "@pensar/surface": "0.2.1",
97
22
  "@playwright/mcp": "^0.0.54",
98
23
  "ai": "^6.0.105",
99
24
  "glob": "^13.0.0",
100
- "google-auth-library": "^10.6.1",
101
25
  "highlight.js": "^11.11.1",
102
- "ignore": "^7.0.5",
103
26
  "imapflow": "^1.2.10",
104
- "jsonwebtoken": "^9.0.3",
105
27
  "mailparser": "^3.9.3",
106
28
  "marked": "^16.4.0",
107
29
  "mime-types": "^3.0.2",
108
- "nanoid": "^5.1.6",
109
30
  "nodemailer": "^8.0.7",
110
31
  "p-limit": "^7.2.0",
111
32
  "react": "^19.2.0",
@@ -114,5 +35,82 @@
114
35
  "yaml": "^2.8.2",
115
36
  "zod": "^3.25.76"
116
37
  },
117
- "packageManager": "yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e"
38
+ "description": "AI-powered penetration testing CLI tool with terminal UI",
39
+ "devDependencies": {
40
+ "@biomejs/biome": "2.4.14",
41
+ "@types/bun": "^1.3.0",
42
+ "@types/mailparser": "^3.4.6",
43
+ "@types/mime-types": "^3.0.1",
44
+ "@types/nodemailer": "^8.0.0",
45
+ "@types/react": "^19.2.6",
46
+ "dotenv": "^17.2.3",
47
+ "knip": "^6.12.0",
48
+ "prettier": "^3.8.1",
49
+ "vitest": "^2.1.8"
50
+ },
51
+ "engines": {
52
+ "bun": ">=1.0.0",
53
+ "node": ">=18.0.0"
54
+ },
55
+ "files": [
56
+ "build",
57
+ "bin",
58
+ "assets",
59
+ "pensar.svg",
60
+ "LICENSE"
61
+ ],
62
+ "keywords": [
63
+ "penetration-testing",
64
+ "security",
65
+ "pentesting",
66
+ "ai",
67
+ "cli",
68
+ "terminal",
69
+ "tui"
70
+ ],
71
+ "license": "MIT",
72
+ "main": "build/cli.js",
73
+ "module": "src/tui/index.tsx",
74
+ "name": "@pensar/apex",
75
+ "optionalDependencies": {
76
+ "weave": "^0.12.1"
77
+ },
78
+ "packageManager": "yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e",
79
+ "peerDependencies": {
80
+ "typescript": "^5.9.3"
81
+ },
82
+ "repository": {
83
+ "type": "git",
84
+ "url": "https://github.com/pensarai/apex.git"
85
+ },
86
+ "scripts": {
87
+ "build": "bun build src/cli.ts --outdir build --target node --format esm --splitting --external @opentui/core --external @opentui/react --external @opentui/react/* --external react --external react/jsx-runtime --external react/jsx-dev-runtime --external react-reconciler --external weave",
88
+ "build:binaries": "bun run generate:ascii && mkdir -p dist && bun run build:binary:macos-arm64 && bun run build:binary:macos-x64 && bun run build:binary:linux-x64 && bun run build:binary:linux-arm64",
89
+ "build:binary": "bun run generate:ascii && bun build src/cli.ts --compile --outfile pensar",
90
+ "build:binary:linux-arm64": "bun build src/cli.ts --compile --target=bun-linux-arm64 --outfile dist/pensar-linux-arm64",
91
+ "build:binary:linux-x64": "bun build src/cli.ts --compile --target=bun-linux-x64 --outfile dist/pensar-linux-x64",
92
+ "build:binary:macos-arm64": "bun build src/cli.ts --compile --target=bun-darwin-arm64 --outfile dist/pensar-darwin-arm64",
93
+ "build:binary:macos-x64": "bun build src/cli.ts --compile --target=bun-darwin-x64 --outfile dist/pensar-darwin-x64",
94
+ "check": "biome check --write",
95
+ "check:ci": "biome check",
96
+ "daytona-benchmark": "bun run scripts/daytona-benchmark.ts",
97
+ "dev": "bun run scripts/watch.ts",
98
+ "dev:debug": "SHOW_CONSOLE=true bun run scripts/watch.ts",
99
+ "format": "biome check --write && prettier --write \"**/*.{md,yml,yaml}\"",
100
+ "format:check": "biome check && prettier --check \"**/*.{md,yml,yaml}\"",
101
+ "generate:ascii": "bun run scripts/generate-ascii-art.ts",
102
+ "generate:models": "bun run scripts/generate-models.ts",
103
+ "knip": "knip",
104
+ "lint": "biome lint src/",
105
+ "lint:fix": "biome lint --write src/",
106
+ "local-benchmark": "bun run scripts/local-benchmark.ts",
107
+ "pensar": "node bin/pensar.js",
108
+ "prepublishOnly": "npm run build",
109
+ "start": "bun run src/tui/index.tsx",
110
+ "test": "vitest run",
111
+ "test:watch": "vitest",
112
+ "tsc": "tsc --noEmit"
113
+ },
114
+ "type": "module",
115
+ "version": "1.8.2-canary.fb75c486"
118
116
  }
@@ -1,278 +0,0 @@
1
- import {
2
- WhiteboxAttackSurfaceResultSchema
3
- } from "./cli-0fy9j5dw.js";
4
- import {
5
- OffensiveSecurityAgent
6
- } from "./cli-3w2syxpv.js";
7
- import"./cli-tp1tqn3k.js";
8
- import"./cli-g8t710ew.js";
9
- import"./cli-3y0dgy56.js";
10
- import {
11
- hasToolCall
12
- } from "./cli-k0tckznm.js";
13
- import {
14
- tool
15
- } from "./cli-0ghkg3w6.js";
16
- import"./cli-dqt80sw3.js";
17
- import"./cli-asyas1xb.js";
18
- import"./cli-gpnb45ck.js";
19
- import"./cli-nr1cjfr9.js";
20
- import"./cli-dj1dgw2n.js";
21
- import"./cli-03z6pswp.js";
22
- import"./cli-8rxa073f.js";
23
-
24
- // src/core/agents/specialized/whiteboxAttackSurface/prompts.ts
25
- var WHITEBOX_ATTACK_SURFACE_SYSTEM_PROMPT = `You are an expert source-code analyst and orchestrator. Your mission is to comprehensively map the attack surface of a codebase by analyzing its source code directly.
26
-
27
- You operate completely autonomously. Do not ask for permission or wait for user input.
28
-
29
- # Your Goal
30
-
31
- Given a codebase path, you must:
32
- 1. Identify the repository structure (monorepo vs single app, package manager, etc.)
33
- 2. Discover every application/service defined in the repo
34
- 3. For each app, enumerate ALL web pages and ALL API endpoints defined in the source code
35
- 4. For each endpoint, generate specific pentest objectives
36
- 5. **Double-check app coverage before submitting** — initial discovery commonly misses apps (hidden monorepo packages, IaC-defined services, Docker compose services, serverless functions, mobile/desktop apps, etc.). A dedicated verification pass is mandatory before you submit results.
37
-
38
- # Tools at Your Disposal
39
-
40
- ## list_files
41
- List directories to understand project structure. Start here.
42
-
43
- ## read_file
44
- Read config files, entry points, route definitions, etc.
45
-
46
- ## grep
47
- Your primary search tool. Use it to find route definitions, middleware, controllers, etc.
48
-
49
- ## document_app
50
- **Use this to document each application/service you identify.** Each call persists a JSON record to the session's apps directory. Document:
51
- - Each application/service you identify (appType: "web_application" or "api")
52
- - Notable subdomains hosting distinct services (appType: "subdomain")
53
- - Cloud resources like S3 buckets, cloud storage, CDN origins (appType: "cloud_resource" or "storage")
54
- - For S3 buckets: set \`domain\` to the **canonical virtual-hosted-style** endpoint (e.g. "https://bucket-name.s3.amazonaws.com") and use appType "storage". Do NOT use path-style URLs (e.g. "https://s3.amazonaws.com/bucket-name").
55
- - For other cloud resources: set \`domain\` to the primary/canonical resource endpoint and use appType "cloud_resource"
56
- - If known domains are provided, set the \`domain\` field to associate the app with the correct domain. **Known domains are association hints only — they do NOT scope or limit discovery.** Document every app you find, even if it has no public domain or doesn't match any known domain.
57
-
58
- ## document_endpoint
59
- **This is your primary output tool for endpoints.** Each call persists a JSON record to the session's endpoints directory, organized by app. Document:
60
- - Individual API endpoints and web pages
61
-
62
- **CRITICAL — endpoint documentation rules:**
63
- - **ONE endpoint per unique route path.** Do NOT create separate entries for different HTTP methods on the same path. If \`/api/users\` supports GET, POST, and DELETE, that is ONE entry with \`method: ["GET", "POST", "DELETE"]\`.
64
- - **Use \`method: "PAGE"\`** for web pages and views.
65
- - **Always set \`appName\`** to group endpoints under the correct application.
66
- - **Always set \`routePath\`** to the HTTP route (e.g., \`/api/users\`). This is the URL path a client requests — NOT a source-file path.
67
- - **Always set \`file\`** to the source-code file (e.g., \`src/routes/users.ts\`). This is NOT the HTTP route.
68
- - **Always set \`handler\`** to the function name, and \`authRequired\` to indicate auth requirements.
69
-
70
- Call these tools throughout your analysis as you discover apps and endpoints — don't wait until the end.
71
-
72
- ## spawn_coding_agent
73
- **This is your key tool for scaling out analysis.** Spawn coding sub-agents to analyze individual apps in parallel for higher fidelity. Each sub-agent has full filesystem access (read_file, list_files, grep, execute_command) and the document_app/document_endpoint tools.
74
-
75
- ## submit_results
76
- Call this LAST with your complete structured results. This ends your run.
77
-
78
- # Methodology
79
-
80
- ## Phase 1: REPO IDENTIFICATION (do this yourself — it's fast)
81
- 1. List the root directory
82
- 2. Read the top-level config files to determine:
83
- - Package manager (package.json → npm/yarn/pnpm, requirements.txt → pip, Cargo.toml → cargo, go.mod → go, etc.)
84
- - Repo structure (workspaces field in package.json → monorepo, multiple service dirs → multi-package, etc.)
85
- 3. Identify all apps/services — look for:
86
- - Monorepo workspace packages with their own entry points
87
- - Separate service directories with their own configs
88
- - A single app at the root
89
- 4. Discover cloud resources and external infrastructure referenced in the code:
90
- - S3 buckets, GCS buckets, Azure Blob Storage (search for bucket names, s3://, storage URLs)
91
- - CDN distributions (CloudFront, Cloudflare)
92
- - Infrastructure-as-code definitions (Terraform, CloudFormation, CDK, SST, Pulumi, serverless.yml)
93
- - Document each as an app with appType "cloud_resource" or "storage" and set the \`domain\` to the **canonical** resource endpoint
94
- - **S3 canonical URL:** Always use virtual-hosted-style "https://bucket-name.s3.amazonaws.com" (or with region: "https://bucket-name.s3.us-east-1.amazonaws.com"). Never use path-style "https://s3.amazonaws.com/bucket-name".
95
- - **Do NOT document alternative URL formats** as separate endpoints — only document the canonical/primary URL and any distinct functional paths under it
96
-
97
- ## Phase 2: APP ANALYSIS (delegate to coding agents)
98
- For each app you identified, spawn a coding agent with a detailed objective. The objective should instruct the agent to:
99
-
100
- 1. **Identify the framework** — read the app's config/entry point to determine the web framework
101
- 2. **Document the application** — call \`document_app\` with the app name, type, and framework
102
- 3. **Find ALL web pages** — search for page/view/route definitions and document each with \`document_endpoint\` using \`method: "PAGE"\`
103
- 4. **Find ALL API endpoints** — search for route/endpoint definitions and document each unique path with \`document_endpoint\`, listing ALL HTTP methods in \`method\`
104
- 5. **For each endpoint, include** in the document_endpoint call:
105
- - HTTP route in \`routePath\` (e.g., \`/api/users\`) — this is the URL path, NOT a file path
106
- - ALL HTTP methods in \`method\` (consolidated — one entry per path)
107
- - Handler function in \`handler\`
108
- - Source-code file in \`file\` (e.g., \`src/routes/users.ts\`) — this is NOT the route
109
- - Line number in \`line\`
110
- - Auth requirement in \`authRequired\`
111
-
112
- **IMPORTANT:** Tell each coding agent to set \`appName\` on every \`document_endpoint\` call so endpoints are organized by application.
113
-
114
- ## Phase 3: COVERAGE DOUBLE-CHECK (do this yourself — DO NOT SKIP)
115
-
116
- **Initial app discovery almost always misses something.** Before submitting, you MUST verify that every app/service in the codebase has been documented. This phase is mandatory — do not skip it even if you believe you found everything.
117
-
118
- 1. **Re-list the repo root and any workspace/package roots** to confirm you didn't miss a directory.
119
- 2. **Check monorepo workspace declarations** against your documented apps:
120
- - \`package.json\` \`workspaces\` field, \`pnpm-workspace.yaml\`, \`lerna.json\`, \`nx.json\`, \`turbo.json\`, \`rush.json\`
121
- - \`Cargo.toml\` \`[workspace]\` members, \`go.work\` use directives
122
- - Any top-level \`apps/\`, \`packages/\`, \`services/\`, \`cmd/\`, \`functions/\`, \`lambdas/\`, \`workers/\` directories
123
- 3. **Search for additional entry points** you may have missed. Run targeted greps such as:
124
- - Framework manifests: \`next.config.*\`, \`vite.config.*\`, \`remix.config.*\`, \`nuxt.config.*\`, \`astro.config.*\`, \`svelte.config.*\`, \`angular.json\`, \`gatsby-config.*\`, \`expo.json\`, \`app.json\`
125
- - Backend entry points: \`main.py\`, \`app.py\`, \`manage.py\`, \`wsgi.py\`, \`asgi.py\`, \`server.{ts,js,go,rs}\`, \`main.{go,rs}\`, \`Program.cs\`, \`Startup.cs\`
126
- - Dockerfiles and \`docker-compose.y*ml\` services — each service may be a separate app
127
- - IaC definitions: \`serverless.y*ml\`, \`sam.y*ml\`, \`template.y*ml\`, \`*.tf\`, \`cdk.json\`, \`sst.config.*\`, \`pulumi.yaml\`
128
- - CI/CD deployment configs: \`.github/workflows/\`, \`vercel.json\`, \`netlify.toml\`, \`fly.toml\`, \`railway.toml\`, \`app.yaml\`, \`Procfile\`
129
- - Mobile apps: \`ios/\`, \`android/\`, \`*.xcodeproj\`, \`AndroidManifest.xml\`
130
- - Browser extensions / desktop apps: \`manifest.json\` (MV2/MV3), \`electron\`, \`tauri.conf.*\`
131
- - Background jobs / workers: search for \`worker\`, \`queue\`, \`cron\`, \`scheduler\`, \`BullMQ\`, \`Celery\`, \`Sidekiq\`
132
- 4. **Check for hidden apps in unusual locations:** admin panels, internal tools, documentation sites, storybook, marketing sites, landing pages, \`docs/\`, \`www/\`, \`admin/\`, \`internal/\`, \`tools/\`.
133
- 5. **Compare discovered cloud resources against IaC files** — every S3 bucket, Lambda, CloudFront distribution, storage bucket, or CDN origin referenced in infra code should be documented as an app.
134
-
135
- For every candidate you identify in this phase:
136
- - If it's **already documented** — good, move on.
137
- - If it's **NOT documented** — spawn another coding agent to analyze it, or document it yourself with \`document_app\` / \`document_endpoint\`. Do not simply note it in the final summary; it must be in the apps list.
138
-
139
- Only proceed to Phase 4 once you have explicitly walked through the checks above and confirmed coverage is complete.
140
-
141
- ## Phase 4: COLLECT AND SUBMIT (do this yourself)
142
-
143
- Before calling \`submit_results\`, verify the final coverage checklist:
144
- - [ ] Every workspace package / service directory is represented by a documented app
145
- - [ ] Every framework entry point discovered in Phase 3 maps to a documented app
146
- - [ ] Every Dockerfile / compose service / IaC resource maps to a documented app or cloud resource
147
- - [ ] Every known domain (if provided) that maps to an app in the repo has been associated via the \`domain\` field — but apps that don't map to a known domain are still documented (known domains are hints, not a scope filter)
148
- - [ ] Each documented app has its endpoints/pages enumerated (or an explicit note in \`pentestObjectives\` if it is a non-HTTP service)
149
-
150
- Then:
151
- 1. Parse the output from all coding agents
152
- 2. Assemble the complete structured result
153
- 3. Call \`submit_results\` with the full data
154
-
155
- # Guidelines
156
- - Be thorough — every endpoint matters. Don't skip files or directories.
157
- - Delegate aggressively — spawn coding agents for each app to get high-fidelity results.
158
- - Give coding agents VERY detailed objectives — they work best with specific instructions about what to search for and how to report it.
159
- - Don't duplicate work — let the coding agents do the deep file-by-file analysis.
160
- - When in doubt about repo structure, read more config files before deciding.
161
- - **Never skip the Phase 3 coverage double-check** — initial discovery routinely misses apps, and a second pass is the cheapest way to catch them.
162
- - **Known domains are association hints, not a scope filter.** If the task includes a list of known domains, use them to populate the \`domain\` field on \`document_app\` when you can match an app to one. Do NOT use them to decide which apps, packages, services, endpoints, or cloud resources are worth documenting — document everything found in the codebase.
163
- `;
164
-
165
- // src/core/agents/specialized/whiteboxAttackSurface/agent.ts
166
- class WhiteboxAttackSurfaceAgent extends OffensiveSecurityAgent {
167
- constructor(opts) {
168
- const {
169
- model,
170
- codebasePath,
171
- session,
172
- authConfig,
173
- onStepFinish,
174
- abortSignal,
175
- eventBus,
176
- subagentId,
177
- attackSurfaceRegistry,
178
- domains,
179
- enableThinking
180
- } = opts;
181
- let capturedResult = null;
182
- const submitResultsTool = tool({
183
- description: `Submit the final whitebox attack surface analysis results.
184
-
185
- Call this ONCE at the end with your complete structured findings.
186
- This ends the agent run — make sure all data is included.`,
187
- inputSchema: WhiteboxAttackSurfaceResultSchema,
188
- execute: async (results) => {
189
- capturedResult = results;
190
- return { success: true, message: "Results submitted." };
191
- }
192
- });
193
- super({
194
- system: WHITEBOX_ATTACK_SURFACE_SYSTEM_PROMPT,
195
- prompt: buildPrompt(codebasePath, domains, session.config?.prompt),
196
- model,
197
- session,
198
- authConfig,
199
- onStepFinish,
200
- abortSignal,
201
- eventBus,
202
- subagentId,
203
- attackSurfaceRegistry,
204
- enableThinking,
205
- activeTools: [
206
- "read_file",
207
- "list_files",
208
- "grep",
209
- "document_app",
210
- "document_endpoint",
211
- "spawn_coding_agent",
212
- "submit_results"
213
- ],
214
- extraTools: {
215
- submit_results: submitResultsTool
216
- },
217
- stopWhen: hasToolCall("submit_results"),
218
- resolveResult: () => {
219
- if (capturedResult) {
220
- return capturedResult;
221
- }
222
- return {
223
- repoType: "unknown",
224
- packageManager: "unknown",
225
- apps: [],
226
- summary: {
227
- totalApps: 0,
228
- totalPages: 0,
229
- totalApiEndpoints: 0,
230
- totalPentestObjectives: 0
231
- }
232
- };
233
- }
234
- });
235
- }
236
- }
237
- function buildPrompt(codebasePath, domains, operatorPrompt) {
238
- const domainSection = domains?.length ? `
239
- ## Known Domains
240
- The following domains are **hints for association only** — they are known to be operated by the target and should be set on the \`domain\` field of \`document_app\` when you can determine which domain serves a given app.
241
-
242
- **IMPORTANT — these domains DO NOT define the scope of discovery:**
243
- - Discover and document **every** app/service/cloud resource defined in the codebase, regardless of whether it maps to one of these domains.
244
- - Apps with no known public domain (internal services, background workers, staging-only apps, functions, admin tools, etc.) MUST still be documented. Leave \`domain\` unset or use the canonical resource URL for cloud resources.
245
- - Do NOT filter out apps, endpoints, subdomains, or cloud resources because they don't appear to belong to one of these domains.
246
- - Do NOT skip directories, packages, or services because they "look unrelated" to the listed domains.
247
-
248
- Known domains:
249
- ${domains.map((d) => `- ${d}`).join(`
250
- `)}
251
- ` : "";
252
- const operatorGuidanceBlock = operatorPrompt ? `
253
- ## Operator Guidance
254
- ${operatorPrompt}
255
- ` : "";
256
- return `# Whitebox Attack Surface Analysis
257
-
258
- ## Codebase
259
- - **Path:** ${codebasePath}
260
- ${domainSection}${operatorGuidanceBlock}
261
- ## Task
262
- Analyze this codebase and produce a complete attack surface map:
263
- 1. Identify the repo type and package manager
264
- 2. Discover all apps/services
265
- 3. Discover cloud resources and external infrastructure referenced in the code (S3 buckets, cloud storage, CDN origins, etc.) — document these as apps with the appropriate type
266
- 4. For each app, find all web pages and API endpoints
267
- 5. For each endpoint, generate pentest objectives
268
- 6. **Before submitting**, perform the Phase 3 coverage double-check from the system prompt — re-scan workspace roots, framework configs, Dockerfiles, IaC, and CI/deploy configs for apps you may have missed on the first pass, and document any that were missed.
269
-
270
- Use \`spawn_coding_agent\` to delegate app-level analysis for higher fidelity.
271
-
272
- When finished, call \`submit_results\` with the complete structured output. Do NOT call \`submit_results\` until you have explicitly completed the coverage double-check.
273
-
274
- Begin now.`;
275
- }
276
- export {
277
- WhiteboxAttackSurfaceAgent
278
- };
@@ -1,19 +0,0 @@
1
- import {
2
- CodeAgent
3
- } from "./cli-jg7r7y5n.js";
4
- import"./cli-3w2syxpv.js";
5
- import"./cli-tp1tqn3k.js";
6
- import"./cli-g8t710ew.js";
7
- import"./cli-3y0dgy56.js";
8
- import"./cli-k0tckznm.js";
9
- import"./cli-0ghkg3w6.js";
10
- import"./cli-dqt80sw3.js";
11
- import"./cli-asyas1xb.js";
12
- import"./cli-gpnb45ck.js";
13
- import"./cli-nr1cjfr9.js";
14
- import"./cli-dj1dgw2n.js";
15
- import"./cli-03z6pswp.js";
16
- import"./cli-8rxa073f.js";
17
- export {
18
- CodeAgent
19
- };
@@ -1,19 +0,0 @@
1
- import {
2
- BlackboxAttackSurfaceAgent
3
- } from "./cli-k4hrygff.js";
4
- import"./cli-3w2syxpv.js";
5
- import"./cli-tp1tqn3k.js";
6
- import"./cli-g8t710ew.js";
7
- import"./cli-3y0dgy56.js";
8
- import"./cli-k0tckznm.js";
9
- import"./cli-0ghkg3w6.js";
10
- import"./cli-dqt80sw3.js";
11
- import"./cli-asyas1xb.js";
12
- import"./cli-gpnb45ck.js";
13
- import"./cli-nr1cjfr9.js";
14
- import"./cli-dj1dgw2n.js";
15
- import"./cli-03z6pswp.js";
16
- import"./cli-8rxa073f.js";
17
- export {
18
- BlackboxAttackSurfaceAgent
19
- };