@pensar/apex 1.8.0 → 1.8.2-canary.fb75c486

package/build/{cli-m788e4f3.js → cli-q8dfq25x.js}

@@ -1,6 +1,29 @@
 import {
-  OffensiveSecurityAgent
-} from "./cli-3w2syxpv.js";
+  ALL_TOOL_NAMES,
+  ASK_USER_QUESTIONS_TOOL_NAME,
+  OffensiveSecurityAgent,
+  SKILL_TOOL_NAMES,
+  buildBaseSystemPrompt,
+  sessions
+} from "./cli-wfmdch3r.js";
+import {
+  init_dist,
+  stepCountIs
+} from "./cli-6p7d2k55.js";
+import {
+  ensureValidToken,
+  getPensarApiUrl,
+  init_auth,
+  init_constants
+} from "./cli-w5990vr6.js";
+import {
+  exports_external1 as exports_external,
+  init_zod
+} from "./cli-e6rgwtpb.js";
+import {
+  config,
+  init_config
+} from "./cli-9egg9azd.js";
 import {
   __commonJS,
   __require
@@ -1338,7 +1361,6 @@ var require_stringify = __commonJS((exports) => {
       nullStr: "null",
       simpleKeys: false,
       singleQuote: null,
-      trailingComma: false,
       trueStr: "true",
       verifyAliasOrder: true
     }, doc.schema.toStringOptions, options);
@@ -1847,20 +1869,13 @@ ${indent}${line}` : `
       if (comment)
         reqNewline = true;
       let str = stringify.stringify(item, itemCtx, () => comment = null);
-      reqNewline || (reqNewline = lines.length > linesAtValue || str.includes(`
-`));
-      if (i < items.length - 1) {
+      if (i < items.length - 1)
         str += ",";
-      } else if (ctx.options.trailingComma) {
-        if (ctx.options.lineWidth > 0) {
-          reqNewline || (reqNewline = lines.reduce((sum, line) => sum + line.length + 2, 2) + (str.length + 2) > ctx.options.lineWidth);
-        }
-        if (reqNewline) {
-          str += ",";
-        }
-      }
       if (comment)
         str += stringifyComment.lineComment(str, itemIndent, commentString(comment));
+      if (!reqNewline && (lines.length > linesAtValue || str.includes(`
+`)))
+        reqNewline = true;
       lines.push(str);
       linesAtValue = lines.length;
     }
@@ -4655,22 +4670,17 @@ var require_compose_node = __commonJS((exports) => {
       case "block-map":
       case "block-seq":
       case "flow-collection":
-        try {
-          node = composeCollection.composeCollection(CN, ctx, token, props, onError);
-          if (anchor)
-            node.anchor = anchor.source.substring(1);
-        } catch (error) {
-          const message = error instanceof Error ? error.message : String(error);
-          onError(token, "RESOURCE_EXHAUSTION", message);
-        }
+        node = composeCollection.composeCollection(CN, ctx, token, props, onError);
+        if (anchor)
+          node.anchor = anchor.source.substring(1);
         break;
       default: {
         const message = token.type === "error" ? token.message : `Unsupported token (type: ${token.type})`;
         onError(token, "UNEXPECTED_TOKEN", message);
+        node = composeEmptyNode(ctx, token.offset, undefined, null, props, onError);
         isSrcToken = false;
       }
     }
-    node ?? (node = composeEmptyNode(ctx, token.offset, undefined, null, props, onError));
     if (anchor && node.anchor === "")
       onError(anchor, "BAD_ALIAS", "Anchor cannot be an empty string");
     if (atKey && ctx.options.stringKeys && (!identity.isScalar(node) || typeof node.value !== "string" || node.tag && node.tag !== "tag:yaml.org,2002:str")) {
@@ -6920,6 +6930,329 @@ var require_public_api = __commonJS((exports) => {
   exports.parseDocument = parseDocument;
   exports.stringify = stringify;
 });
+
+// src/core/api/apiClient.ts
+init_auth();
+init_config();
+init_constants();
+async function getAuthHeaders() {
+  const cfg = await config.get();
+  const validToken = await ensureValidToken({
+    accessToken: cfg.accessToken,
+    refreshToken: cfg.refreshToken,
+    pensarAPIKey: cfg.pensarAPIKey
+  });
+  if (!validToken) {
+    throw new Error("Not authenticated. Run `pensar login` to connect to Pensar Console.");
+  }
+  const headers = {
+    "Content-Type": "application/json",
+    Authorization: `Bearer ${validToken.token}`
+  };
+  if (cfg.workspaceId) {
+    headers["X-Workspace-Id"] = cfg.workspaceId;
+  }
+  return headers;
+}
+async function apiRequest(method, path, body) {
+  const baseUrl = getPensarApiUrl();
+  const headers = await getAuthHeaders();
+  const url = `${baseUrl}${path}`;
+  const init = { method, headers };
+  if (body !== undefined) {
+    init.body = JSON.stringify(body);
+  }
+  const response = await fetch(url, init);
+  if (!response.ok) {
+    const text2 = await response.text();
+    let message;
+    try {
+      const err = JSON.parse(text2);
+      message = err.error ?? text2;
+    } catch {
+      message = text2;
+    }
+    throw new Error(`API error (${response.status}): ${message}`);
+  }
+  const text = await response.text();
+  if (!text)
+    return;
+  return JSON.parse(text);
+}
+
+// src/core/api/apps.ts
+async function listApps(opts) {
+  const params = new URLSearchParams;
+  if (opts?.limit !== undefined)
+    params.set("limit", String(opts.limit));
+  if (opts?.offset !== undefined)
+    params.set("offset", String(opts.offset));
+  const qs = params.toString();
+  return apiRequest("GET", `/apps${qs ? `?${qs}` : ""}`);
+}
+async function getApp(appId) {
+  return apiRequest("GET", `/apps/${appId}`);
+}
+async function createApp(data) {
+  return apiRequest("POST", "/apps", data);
+}
+async function updateApp(appId, data) {
+  return apiRequest("PATCH", `/apps/${appId}`, data);
+}
+async function deleteApp(appId) {
+  return apiRequest("DELETE", `/apps/${appId}`);
+}
+async function listEndpoints(appId, filters) {
+  const params = new URLSearchParams;
+  if (filters?.type)
+    params.set("type", filters.type);
+  if (filters?.minRiskScore !== undefined) {
+    params.set("minRiskScore", String(filters.minRiskScore));
+  }
+  if (filters?.limit !== undefined)
+    params.set("limit", String(filters.limit));
+  if (filters?.offset !== undefined) {
+    params.set("offset", String(filters.offset));
+  }
+  const qs = params.toString();
+  const path = `/apps/${appId}/endpoints${qs ? `?${qs}` : ""}`;
+  return apiRequest("GET", path);
+}
+async function getEndpoint(endpointId) {
+  return apiRequest("GET", `/endpoints/${endpointId}`);
+}
+async function createEndpoint(appId, data) {
+  return apiRequest("POST", `/apps/${appId}/endpoints`, data);
+}
+async function updateEndpoint(endpointId, data) {
+  return apiRequest("PATCH", `/endpoints/${endpointId}`, data);
+}
+async function deleteEndpoint(endpointId) {
+  return apiRequest("DELETE", `/endpoints/${endpointId}`);
+}
+async function searchApps(query, opts) {
+  const params = new URLSearchParams({ q: query });
+  if (opts?.type)
+    params.set("type", opts.type);
+  if (opts?.limit !== undefined)
+    params.set("limit", String(opts.limit));
+  if (opts?.offset !== undefined)
+    params.set("offset", String(opts.offset));
+  return apiRequest("GET", `/search/apps?${params.toString()}`);
+}
+async function searchEndpoints(query, opts) {
+  const params = new URLSearchParams({ q: query });
+  if (opts?.applicationId)
+    params.set("applicationId", opts.applicationId);
+  if (opts?.type)
+    params.set("type", opts.type);
+  if (opts?.minRiskScore !== undefined) {
+    params.set("minRiskScore", String(opts.minRiskScore));
+  }
+  if (opts?.authRequired !== undefined) {
+    params.set("authRequired", opts.authRequired ? "true" : "false");
+  }
+  if (opts?.limit !== undefined)
+    params.set("limit", String(opts.limit));
+  if (opts?.offset !== undefined)
+    params.set("offset", String(opts.offset));
+  return apiRequest("GET", `/search/endpoints?${params.toString()}`);
+}
+
+// src/core/api/issues.ts
+async function listScans() {
+  return apiRequest("GET", "/pentests");
+}
+async function getScan(scanId) {
+  return apiRequest("GET", `/pentests/${scanId}`);
+}
+async function dispatchPentest(opts) {
+  return apiRequest("POST", "/pentests", opts);
+}
+async function listIssues(filters) {
+  const params = new URLSearchParams;
+  if (filters?.scanId)
+    params.set("scanId", filters.scanId);
+  if (filters?.status)
+    params.set("status", filters.status);
+  if (filters?.severity)
+    params.set("severity", filters.severity);
+  if (filters?.branch)
+    params.set("branch", filters.branch);
+  const qs = params.toString();
+  const path = `/issues${qs ? `?${qs}` : ""}`;
+  return apiRequest("GET", path);
+}
+async function getIssue(issueId) {
+  return apiRequest("GET", `/issues/${issueId}`);
+}
+async function updateIssue(issueId, data) {
+  return apiRequest("PATCH", `/issues/${issueId}`, data);
+}
+async function listFixes(issueId) {
+  return apiRequest("GET", `/issues/${issueId}/fixes`);
+}
+async function getFix(fixId) {
+  return apiRequest("GET", `/fixes/${fixId}`);
+}
+async function listAgentLogs(issueId, opts) {
+  const params = new URLSearchParams;
+  if (opts?.level)
+    params.set("level", opts.level);
+  if (opts?.role)
+    params.set("role", opts.role);
+  if (opts?.limit)
+    params.set("limit", String(opts.limit));
+  const qs = params.toString();
+  const path = `/issues/${issueId}/logs${qs ? `?${qs}` : ""}`;
+  return apiRequest("GET", path);
+}
+async function searchAgentLogs(issueId, query, opts) {
+  return apiRequest("POST", `/issues/${issueId}/logs/search`, { query, ...opts });
+}
+
+// src/core/api/index.ts
+init_constants();
+
+// src/core/agents/specialized/environment/prompts.ts
+var PREAMBLE = `You are an expert DevOps agent responsible for setting up and validating development environments. Your goal is to ensure the application can run fully with all required services operational and healthy.`;
+var DOCKER_COMPOSE_STEP = `1. **Docker Compose Assessment**
+   - First, check if a docker-compose.yml or docker-compose.yaml file exists in the repository
+   - If present, thoroughly review its configuration:
+     * Verify all services are properly defined
+     * Check for proper networking configuration
+     * Validate volume mounts and environment variables
+     * Ensure health checks are configured where appropriate
+   - If not present, analyze the application to determine if Docker Compose is required:
+     * Check for databases (PostgreSQL, MySQL, MongoDB, Redis, etc.)
+     * Look for message queues (RabbitMQ, Kafka, etc.)
+     * Identify cache layers or other external dependencies
+     * Review application configuration files for service dependencies`;
+var DOCKER_COMPOSE_CREATION_STEP = `2. **Docker Compose Creation (if required but missing)**
+   - Analyze package.json, requirements.txt, go.mod, or other dependency files
+   - Identify database and service requirements from:
+     * Environment variable examples (.env.example, .env.sample)
+     * Configuration files
+     * Database connection strings in code
+     * Documentation (README.md, docs/)
+   - Create a comprehensive docker-compose.yml that includes:
+     * All required services (databases, caches, message queues, etc.)
+     * Proper service networking
+     * Volume mounts for data persistence
+     * Health checks for each service
+     * Appropriate environment variables
+     * Dependency ordering (depends_on with conditions)`;
+var STARTUP_STEP = `3. **Environment Startup & Validation**
+   - Use docker-compose to bring up all services
+   - Monitor startup logs for errors
+   - Wait for all health checks to pass
+   - Verify service accessibility:
+     * Check database connectivity
+     * Verify ports are properly exposed and accessible
+     * Test inter-service communication
+   - If the application itself needs to run, start it and ensure it connects to all services`;
+var TROUBLESHOOTING_STEP = `4. **Iteration & Troubleshooting**
+   - If any service fails to start or becomes unhealthy:
+     * Analyze logs to identify the root cause
+     * Fix configuration issues (ports, environment variables, volumes, etc.)
+     * Update the docker-compose.yml as needed
+     * Recreate and restart affected services
+   - Continue iterating until:
+     * All services are running and healthy
+     * The application can successfully connect to all dependencies
+     * No error logs indicate configuration issues`;
+var AUTH_STEP = `5. **Authentication Testing & Documentation**
+   - After the application is running, thoroughly investigate authentication:
+     * Check the codebase for authentication mechanisms (JWT, sessions, OAuth, etc.)
+     * Identify registration/signup endpoints and methods
+     * Identify login/authentication endpoints
+     * Look for initial admin user creation or seed data scripts
+     * Review documentation (README.md, API docs) for auth instructions
+   - Test the authentication flow:
+     * Attempt to register a new user (via API, CLI, or web interface)
+     * Try to login with the registered credentials
+     * Verify that authentication tokens/sessions are properly issued
+     * Test accessing a protected endpoint to confirm auth is working
+   - Document your findings:
+     * Step-by-step instructions for registering a new user
+     * Step-by-step instructions for authenticating/logging in
+     * Any default credentials that exist
+     * API endpoints for registration and login (including HTTP methods and payload format)
+     * Authentication method used (bearer tokens, cookies, etc.)
+     * Example curl commands or code snippets for registration and login
+     * Any prerequisites or special configuration needed for auth to work`;
+var COMPLETION_STEP = `6. **Completion**
+   - Once the environment is fully operational and authentication has been tested:
+     * Verify all services are accessible
+     * Note the URL where the application is running (if applicable)
+     * Use the response tool with:
+       - status: "ready" if successful
+       - status: "failed" if unable to establish a working environment after extensive attempts
+       - url: the URL where the application is accessible (or empty string if not applicable)
+       - authenticationDetails: comprehensive details on how to register and authenticate, including tested examples`;
+var TOOL_USAGE = `## Available Tools
+
+- **execute_command**: Run shell commands (docker-compose, curl, database clients, etc.)
+- **list_files**: List files in directories to explore the repository structure
+- **read_file**: Read file contents to understand configurations and dependencies
+- **grep**: Search for patterns across the codebase
+- **create_file**: Create new files (like docker-compose.yml)
+- **update_file**: Update existing files to fix configurations
+- **response**: Call this when the environment is ready or has failed after extensive attempts`;
+var BEST_PRACTICES = `## Best Practices
+
+- Always check for existing configuration before creating new files
+- Use health checks to properly wait for services to be ready
+- Check logs thoroughly when services fail
+- For databases, ensure proper initialization scripts are run
+- Consider startup order - databases should be healthy before apps connect
+- Test connectivity explicitly (ping, curl, database client connections)
+- Be thorough but efficient - don't repeat failed attempts without changes`;
+var IMPORTANT_NOTES = `## Important Notes
+
+- You have up to 1000 steps to complete this task
+- Always provide clear reasoning for your decisions
+- Document any assumptions you make about the application's requirements
+- If you cannot determine requirements from the codebase, make reasonable defaults
+- Prioritize getting a working environment over perfect configuration
+
+STOP when you have called the response tool with status "ready" or "failed"`;
+function buildEnvironmentSystemPrompt() {
+  return [
+    PREAMBLE,
+    "",
+    "## Core Responsibilities",
+    "",
+    DOCKER_COMPOSE_STEP,
+    "",
+    DOCKER_COMPOSE_CREATION_STEP,
+    "",
+    STARTUP_STEP,
+    "",
+    TROUBLESHOOTING_STEP,
+    "",
+    AUTH_STEP,
+    "",
+    COMPLETION_STEP,
+    "",
+    TOOL_USAGE,
+    "",
+    BEST_PRACTICES,
+    "",
+    IMPORTANT_NOTES
+  ].join(`
+`);
+}
+var ENVIRONMENT_SYSTEM_PROMPT = buildEnvironmentSystemPrompt();
+
+// src/core/agents/specialized/environment/types.ts
+init_zod();
+var EnvironmentResultSchema = exports_external.object({
+  url: exports_external.string().describe("The URL where the application is accessible"),
+  status: exports_external.enum(["ready", "failed"]).describe("The status of the development environment"),
+  stepsTaken: exports_external.string().describe("The steps taken to start the development environment"),
+  authenticationDetails: exports_external.string().describe("Details on how to register a user and authenticate within the development environment")
+});
 // src/core/api/offesecAgent.ts
 async function runOffensiveSecurityAgent(input) {
   const agent = input.session ? new OffensiveSecurityAgent(input) : await OffensiveSecurityAgent.create(input);
@@ -6927,6 +7260,190 @@ async function runOffensiveSecurityAgent(input) {
   await agent.consume();
   return { streamResult: agent.streamResult, session: agent.session };
 }
+// src/core/agents/specialized/patching/prompts.ts
+var PREAMBLE2 = `You are an expert security vulnerability patching agent. Your goal is to analyze security vulnerabilities, provide high-quality fixes, and verify the fixes don't break existing functionality.`;
+var ORIENT_STEP = `1. **Orient Yourself**:
+   - Review the AGENTS.md / project documentation provided in your prompt for build, lint, and test commands
+   - Use list_files to explore the repository structure
+   - Read package.json, Makefile, or equivalent to understand the project's toolchain
+   - Identify the lint command, test command, type-check command, and any other verification scripts`;
+var UNDERSTAND_STEP = `2. **Understand the Vulnerability**: 
+   - Carefully read the vulnerability description, CWE mappings, and any dataflow analysis provided
+   - Understand the root cause: What makes this code vulnerable?
+   - Identify the attack vector: How would an attacker exploit this?
+   - Consider the context: What is the application trying to do?`;
+var REVIEW_STEP = `3. **Review the Code**:
+   - Use read_file to read the vulnerable file(s) mentioned in the issue
+   - Use grep to search for related code patterns, similar vulnerabilities, or existing security controls
+   - Review related files: imports, dependencies, configuration files
+   - Understand the data flow: Where does user input come from? Where does it go?`;
+var PLAN_STEP = `4. **Plan Your Fix**:
+   - Identify the exact code that needs to change
+   - Determine the appropriate security control (input validation, parameterized queries, access control, etc.)
+   - Consider side effects: Will this break existing functionality?
+   - Think about edge cases: What other inputs or scenarios need to be handled?
+   - Look for framework-specific or language-specific best practices
+   - State your complete plan clearly before making changes`;
+var APPLY_STEP = `5. **Apply the Patch**:
+   - Use update_file to modify existing files with your security fixes
+   - Use create_file if you need to add new security utilities or middleware
+   - Make minimal, targeted changes — don't refactor unrelated code
+   - Follow the existing code style and conventions
+   - Ensure your changes integrate cleanly with the existing codebase`;
+var RESTART_STEP = `6. **Restart Dev Environment** (if applicable):
+   - Use execute_command to restart any dev servers or services so your changes are loaded
+   - Wait for the services to become healthy`;
+var VERIFY_STEP = `7. **Verify the Patch**:
+   - Use execute_command to run the project's lint command (e.g. \`npm run lint\`, \`ruff check\`, \`cargo clippy\`)
+   - Use execute_command to run the project's type-check command if applicable (e.g. \`npx tsc --noEmit\`, \`mypy\`)
+   - Use execute_command to run the project's test suite (e.g. \`npm test\`, \`pytest\`, \`cargo test\`)
+   - If a Proof of Concept (POC) is provided, run it to verify the vulnerability is fixed — the POC should FAIL (non-zero exit code) after a successful patch
+   - If any check fails, read the error output carefully, fix the issues, and re-run until all checks pass
+   - If the project has no clear lint/test commands, at minimum verify the changed files parse correctly (e.g. \`node -c file.js\`, \`python -m py_compile file.py\`)`;
+var FINALIZE_STEP = `8. **Finalize**:
+   - Use the response tool to complete the patching process
+   - Provide a clear, detailed summary of:
+     * Each file you changed and why
+     * The security principles applied
+     * How your fix addresses the vulnerability
+     * Verification results (lint, type-check, test outcomes, POC result if applicable)
+     * Any assumptions or limitations of the fix
+   - Write a professional PR title and description that explains the security fix`;
+var SECURITY_BEST_PRACTICES = `# Security Best Practices by Vulnerability Type
+
+**SQL Injection / NoSQL Injection**:
+- Use parameterized queries or prepared statements ALWAYS
+- Use ORM query builders with parameterization
+- Never concatenate user input into queries
+- Validate and sanitize input as a defense-in-depth measure
+
+**Cross-Site Scripting (XSS)**:
+- Use framework-provided output encoding (React JSX, template engines with auto-escaping)
+- Apply context-appropriate encoding (HTML, JavaScript, URL, CSS)
+- Use Content Security Policy headers
+- Sanitize rich text input with allowlist-based libraries
+
+**Path Traversal / Directory Traversal**:
+- Validate file paths against an allowlist
+- Use path normalization and canonicalization
+- Check that resolved paths stay within intended directories
+- Never trust user input for file paths
+
+**Authentication / Authorization Issues**:
+- Verify user identity before sensitive operations
+- Check permissions at the application layer, not just UI
+- Use framework authentication middleware
+- Implement proper session management
+- Follow principle of least privilege
+
+**Command Injection**:
+- Avoid executing shell commands with user input
+- Use language-specific APIs instead of shell commands
+- If shell execution is necessary, use safe APIs with argument arrays
+- Validate input against strict allowlists
+
+**Insecure Deserialization**:
+- Avoid deserializing untrusted data
+- Use safe data formats (JSON instead of pickle/Java serialization)
+- Implement integrity checks (HMAC signatures)
+- Validate deserialized objects strictly
+
+**Server-Side Request Forgery (SSRF)**:
+- Validate and sanitize URLs
+- Use allowlists for allowed domains/IPs
+- Disable URL redirects or validate redirect targets
+- Block access to internal/private IP ranges
+
+**Cryptographic Issues**:
+- Use strong, modern algorithms (AES-256, RSA-2048+, SHA-256+)
+- Never implement custom cryptography
+- Use cryptographically secure random number generators
+- Properly handle keys (don't hardcode, use key management)
+
+**Sensitive Data Exposure**:
+- Don't log sensitive data (passwords, tokens, PII)
+- Use proper error handling that doesn't leak implementation details
+- Encrypt sensitive data at rest and in transit
+- Remove sensitive data from client-side code`;
+var TOOL_USAGE2 = `# Tool Usage
+
+- **list_files**: Explore directory structure and find relevant files
+- **read_file**: Read file contents to understand code
+- **grep**: Search for patterns across the codebase
+- **update_file**: Modify existing files with security fixes
+- **create_file**: Create new files if needed (utilities, middleware, etc.)
+- **execute_command**: Run shell commands — use for linting, type-checking, running tests, restarting services, running POCs, installing dependencies, and verifying your changes
+- **response**: Complete the process with the structured patch result`;
+var REQUIREMENTS = `# Critical Requirements
+
+1. **Be Thorough**: Your analysis must be comprehensive — read related code, not just the vulnerable file
+2. **Be Conservative**: When in doubt, prefer defense-in-depth approaches
+3. **Be Specific**: Provide exact code changes, not vague suggestions
+4. **Be Contextual**: Respect the existing codebase, frameworks, and patterns
+5. **Verify Your Work**: Always run lint, type-check, and tests after applying the patch. Fix any failures before finalizing.
+6. **Test the Fix**: If a POC is provided, run it after patching. The POC should FAIL (non-zero exit code) once the vulnerability is fixed.
+7. **Be Persistent**: It may take multiple iterations to get the fix right — iterate until the POC fails and tests pass.
+8. **Be Complete**: Address the root cause, not just symptoms
+
+# Important Notes
+
+- You are creating production code that will be deployed
+- Your fixes must not break existing functionality — verify this by running the project's tests
+- If a POC is provided, the POC should FAIL after patching (meaning the exploit no longer works)
+- Consider backward compatibility and edge cases
+- Follow language and framework conventions
+- When multiple approaches exist, choose the most secure and idiomatic
+- If a fix requires configuration changes or environment variables, note this clearly
+- If AGENTS.md or project docs specify particular lint/test/build commands, use those exact commands`;
+function buildSystemPrompt() {
+  return [
+    PREAMBLE2,
+    "",
+    "# Process",
+    "",
+    "You MUST follow this prescriptive process:",
+    "",
+    ORIENT_STEP,
+    "",
+    UNDERSTAND_STEP,
+    "",
+    REVIEW_STEP,
+    "",
+    PLAN_STEP,
+    "",
+    APPLY_STEP,
+    "",
+    RESTART_STEP,
+    "",
+    VERIFY_STEP,
+    "",
+    FINALIZE_STEP,
+    "",
+    SECURITY_BEST_PRACTICES,
+    "",
+    TOOL_USAGE2,
+    "",
+    REQUIREMENTS
+  ].join(`
+`);
+}
+var PATCHING_SYSTEM_PROMPT = buildSystemPrompt();
+
+// src/core/agents/specialized/patching/types.ts
+init_zod();
+var PatchResultSchema = exports_external.object({
+  filesChanged: exports_external.array(exports_external.object({
+    filePath: exports_external.string().describe("Path to the file that was changed"),
+    changesDescription: exports_external.string().describe("Detailed description of the changes made to the file")
+  })),
+  prTitle: exports_external.string().describe("Title for the pull request"),
+  prDescription: exports_external.string().describe("Description for the pull request")
+});
+// src/core/workflows/threatModel.ts
+init_dist();
+
+// src/core/skills/registry.ts
+import fs2 from "fs/promises";
 
 // src/core/skills/builtins/pentest.ts
 function buildPentestPrompt(opts) {
@@ -7380,12 +7897,8 @@ IMPORTANT: When writing the output, use the \`create_file\` tool with the EXACT
 `
 };
 
-// src/core/skills/registry.ts
-import fs2 from "fs/promises";
-
-// src/core/skills/scanner.ts
-import path2 from "path";
-import fs from "fs/promises";
+// src/core/skills/builtins/index.ts
+var BUILTIN_SKILLS = [pentestSkill, threatModelSkill];
 
 // node_modules/yaml/dist/index.js
 var composer = require_composer();
@@ -7501,6 +8014,10 @@ function parseSkillMd(raw) {
   return { manifest, instructions: parts.body };
 }
 
+// src/core/skills/scanner.ts
+import fs from "fs/promises";
+import path2 from "path";
+
 // src/core/skills/utils.ts
 import os from "os";
 import path from "path";
@@ -7575,9 +8092,6 @@ async function discoverScripts(skillDir) {
   return scripts;
 }
 
-// src/core/skills/builtins/index.ts
-var BUILTIN_SKILLS = [pentestSkill, threatModelSkill];
-
 // src/core/skills/registry.ts
 class SkillsRegistry {
   skills = new Map;
@@ -7647,4 +8161,41 @@ function createSkillsRegistry() {
   return new SkillsRegistry;
 }
 
-export { runOffensiveSecurityAgent, buildPentestPrompt, buildThreatModelPrompt, createSkillsRegistry };
+// src/core/workflows/threatModel.ts
+var HEADLESS_TOOL_NAMES = ALL_TOOL_NAMES.filter((name) => name !== ASK_USER_QUESTIONS_TOOL_NAME);
+async function runThreatModelWorkflow(input) {
+  const model = input.model ?? "claude-sonnet-4-5";
+  const registry = createSkillsRegistry();
+  await registry.load({ projectRoot: input.codebasePath });
+  const { content } = await registry.readSkillContent("threat-model");
+  const prompt = buildThreatModelPrompt({
+    outputPath: input.outputPath,
+    codebasePath: input.codebasePath,
+    skillContent: content
+  });
+  const session = input.session ?? await sessions.create({
+    name: "Threat Model",
+    targets: [input.codebasePath],
+    config: { mode: "operator", agentCwd: input.codebasePath }
+  });
+  const system = `${buildBaseSystemPrompt({ sandboxMode: false })}
+
+# Threat Model Mode
+
+You are generating an application-centric threat model from source code analysis.
+Working directory: ${input.codebasePath}`;
+  await runOffensiveSecurityAgent({
+    system,
+    prompt,
+    model,
+    session,
+    activeTools: [...HEADLESS_TOOL_NAMES, ...SKILL_TOOL_NAMES],
+    authConfig: input.authConfig,
+    abortSignal: input.abortSignal,
+    skillsRegistry: registry,
+    eventBus: input.eventBus,
+    stopWhen: stepCountIs(1e4)
+  });
+  return { session, outputPath: input.outputPath };
+}
+export { listApps, getApp, createApp, updateApp, deleteApp, listEndpoints, getEndpoint, createEndpoint, updateEndpoint, deleteEndpoint, searchApps, searchEndpoints, listScans, getScan, dispatchPentest, listIssues, getIssue, updateIssue, listFixes, getFix, listAgentLogs, searchAgentLogs, runOffensiveSecurityAgent, buildPentestPrompt, buildThreatModelPrompt, createSkillsRegistry, runThreatModelWorkflow };