@pensar/apex 2.0.1 → 2.0.2-canary.1de5ff5b

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (56) hide show
  1. package/build/{agent-x7n47c84.js → agent-0xj95pts.js} +10 -10
  2. package/build/{agent-6nhperp2.js → agent-e7a8ecyn.js} +12 -10
  3. package/build/agent-tcrb50te.js +19 -0
  4. package/build/{apps-2ac4vt09.js → apps-p91cynx1.js} +21 -16
  5. package/build/{auth-bmt98hz0.js → auth-snffaqnn.js} +16 -16
  6. package/build/authentication-8q9a1cpf.js +19 -0
  7. package/build/blackboxAgent-mwbcawfn.js +19 -0
  8. package/build/{blackboxPentest-xngbtdxb.js → blackboxPentest-2v0856w0.js} +14 -14
  9. package/build/{cli-hk03x6fq.js → cli-4x7k2s16.js} +4 -3
  10. package/build/{cli-w2st266h.js → cli-5c0rvt4t.js} +35 -6
  11. package/build/{cli-1f5zzrxj.js → cli-bcd6032f.js} +1 -1
  12. package/build/{cli-z1dapp7v.js → cli-bxtz3bdv.js} +78 -41
  13. package/build/{cli-fa7nrded.js → cli-cbhsy5x3.js} +5 -5
  14. package/build/{cli-zpdmnz8c.js → cli-d5vz4kyn.js} +6267 -1978
  15. package/build/{cli-e6rgwtpb.js → cli-f7d23ded.js} +6317 -3211
  16. package/build/{cli-88bhxzr1.js → cli-hkegr688.js} +4 -4
  17. package/build/{cli-mfzkhttr.js → cli-jzkfbrnx.js} +30 -22
  18. package/build/{cli-eptabm2j.js → cli-kn9tst6t.js} +1 -1
  19. package/build/{cli-ddtmgbqv.js → cli-mep0ck1r.js} +4 -4
  20. package/build/{cli-cc13ydyx.js → cli-p4aht9hv.js} +9 -9
  21. package/build/{cli-pyzw545d.js → cli-pevzp7nj.js} +78 -13
  22. package/build/{cli-8xknm7d9.js → cli-q24twygk.js} +1 -1
  23. package/build/{cli-fxtbkw2f.js → cli-r9v48v8g.js} +6 -6
  24. package/build/{cli-0yptvbbm.js → cli-w55v1bht.js} +11 -10
  25. package/build/{cli-f93g10xk.js → cli-wgqxjhky.js} +2 -2
  26. package/build/{cli-8g5cwvbm.js → cli-zgpj2mv1.js} +2 -2
  27. package/build/cli.js +67 -50
  28. package/build/{config-j0gfjhrm.js → config-rb760dgz.js} +4 -4
  29. package/build/{doctor-zn8ms7gs.js → doctor-2m2xy88h.js} +9 -9
  30. package/build/{fixes-d8ytvyzn.js → fixes-y8qx2ps5.js} +16 -16
  31. package/build/{index-2t2cg8x0.js → index-27fhky9b.js} +9 -9
  32. package/build/{index-528cyewc.js → index-5eb4pewb.js} +117 -71
  33. package/build/{index-hjvqqkem.js → index-cnd7y4g5.js} +4 -4
  34. package/build/{index-a1sy2zak.js → index-cwtb1k9c.js} +2 -2
  35. package/build/{index-9d2es97h.js → index-jhrbdyka.js} +3 -3
  36. package/build/{index-vc29b21w.js → index-mgng15va.js} +1 -1
  37. package/build/{index-3cbcjqw1.js → index-n04xcmzx.js} +10 -10
  38. package/build/{index-k6ttkac6.js → index-pkq9jjgj.js} +14 -13
  39. package/build/{issues-17kdjtdg.js → issues-hzqc762k.js} +16 -16
  40. package/build/{logs-r4rjar4m.js → logs-wmqhnyfa.js} +16 -16
  41. package/build/{offesecAgent-azd8ahkm.js → offesecAgent-6m7300st.js} +9 -9
  42. package/build/{parse-15kqmy2v.js → parse-7djk9jyf.js} +1 -1
  43. package/build/pentest-8b0ttsjk.js +28 -0
  44. package/build/{pentests-npjb5q1h.js → pentests-y3gqyam1.js} +16 -16
  45. package/build/{targetedPentest-m24wvscc.js → targetedPentest-yrs8xwvg.js} +10 -10
  46. package/build/targets-439kemyk.js +113 -0
  47. package/build/threatModel-zr6dmn2t.js +26 -0
  48. package/build/{uninstall-7pm6zcah.js → uninstall-p8d3kg6p.js} +9 -9
  49. package/build/{upload-wg0vxmk0.js → upload-5e7pkj1n.js} +7 -7
  50. package/build/{utils-gd1y4t26.js → utils-amj862q8.js} +6 -6
  51. package/package.json +10 -9
  52. package/build/agent-4g69jwmq.js +0 -19
  53. package/build/authentication-c0aj9zaz.js +0 -19
  54. package/build/blackboxAgent-sgph70e4.js +0 -19
  55. package/build/pentest-2vsjf0j8.js +0 -28
  56. package/build/threatModel-7akmfzzm.js +0 -26
@@ -3,19 +3,19 @@ import {
3
3
  buildPentestActiveTools,
4
4
  buildPentestPrompt,
5
5
  buildPentestSystemPrompt
6
- } from "./cli-w2st266h.js";
6
+ } from "./cli-5c0rvt4t.js";
7
7
  import"./cli-9fsre5pt.js";
8
- import"./cli-hk03x6fq.js";
9
- import"./cli-zpdmnz8c.js";
10
- import"./cli-cc13ydyx.js";
8
+ import"./cli-4x7k2s16.js";
9
+ import"./cli-d5vz4kyn.js";
10
+ import"./cli-p4aht9hv.js";
11
11
  import"./cli-c8131c4q.js";
12
- import"./cli-z1dapp7v.js";
13
- import"./cli-8g5cwvbm.js";
14
- import"./cli-e6rgwtpb.js";
12
+ import"./cli-bxtz3bdv.js";
13
+ import"./cli-zgpj2mv1.js";
14
+ import"./cli-f7d23ded.js";
15
15
  import"./cli-gpnb45ck.js";
16
- import"./cli-eptabm2j.js";
17
- import"./cli-88bhxzr1.js";
18
- import"./cli-0yptvbbm.js";
16
+ import"./cli-kn9tst6t.js";
17
+ import"./cli-hkegr688.js";
18
+ import"./cli-w55v1bht.js";
19
19
  import"./cli-8rxa073f.js";
20
20
  export {
21
21
  buildPentestSystemPrompt,
@@ -1,23 +1,23 @@
1
1
  import {
2
2
  OffensiveSecurityAgent
3
- } from "./cli-zpdmnz8c.js";
3
+ } from "./cli-d5vz4kyn.js";
4
4
  import {
5
5
  detectOSAndEnhancePrompt
6
- } from "./cli-cc13ydyx.js";
6
+ } from "./cli-p4aht9hv.js";
7
7
  import"./cli-c8131c4q.js";
8
8
  import {
9
9
  init_dist,
10
10
  stepCountIs
11
- } from "./cli-z1dapp7v.js";
12
- import"./cli-8g5cwvbm.js";
11
+ } from "./cli-bxtz3bdv.js";
12
+ import"./cli-zgpj2mv1.js";
13
13
  import {
14
- exports_external1 as exports_external,
14
+ exports_external,
15
15
  init_zod
16
- } from "./cli-e6rgwtpb.js";
16
+ } from "./cli-f7d23ded.js";
17
17
  import"./cli-gpnb45ck.js";
18
- import"./cli-eptabm2j.js";
19
- import"./cli-88bhxzr1.js";
20
- import"./cli-0yptvbbm.js";
18
+ import"./cli-kn9tst6t.js";
19
+ import"./cli-hkegr688.js";
20
+ import"./cli-w55v1bht.js";
21
21
  import"./cli-8rxa073f.js";
22
22
 
23
23
  // src/core/agents/specialized/findingJudge/agent.ts
@@ -31,7 +31,7 @@ var MAX_DESCRIPTION_CHARS = 4000;
31
31
  function truncate(value, limit) {
32
32
  if (value.length <= limit)
33
33
  return value;
34
- return value.substring(0, limit) + `
34
+ return `${value.substring(0, limit)}
35
35
  ... [truncated]`;
36
36
  }
37
37
  var FINDING_JUDGE_SYSTEM_PROMPT = `You are a security finding validation specialist running as an agentic verifier inside an automated penetration testing pipeline.
@@ -65,6 +65,7 @@ You are the last line of defense against false positives, hallucinated findings,
65
65
  - SSRF: output should show responses from internal or otherwise protected services.
66
66
  - Path traversal: output should show file contents outside the intended path.
67
67
  - IDOR: output should show access to another user's/account's resource while authentication exists.
68
+ - Authorization / access-control boundary bypass (RSC/prefetch/redirect-body leaks, missing per-route checks): the evidence must establish the access-model delta — which identity/role was used, and proof that the returned data is genuinely out of scope for that identity (cross-tenant, another user's, or admin-only data a member should not see). A 200 response, a leaked RSC payload, or a skipped redirect alone does NOT prove sensitive exposure. If the bypass is real but the returned data is non-sensitive or plausibly same-tenant/expected-visible, classify as a valid lower-impact finding and require the claim's impact/severity to match — do NOT accept it as high-confidence sensitive/cross-tenant exposure.
68
69
  - Authentication bypass: output should show protected access without valid credentials.
69
70
  - Email/HTML injection: ideally verify delivery and rendering. If only server acceptance is shown, confidence must stay below 0.7 and limitations must state rendering was not independently verified.
70
71
  - Missing rate limiting / anti-automation: fewer than 50 requests is insufficient. Evidence must state exact request count, timing/distribution, and observed statuses.
@@ -92,6 +93,7 @@ Reject or lower confidence when:
92
93
  - Classify as informational when the observation is real but not currently exploitable or not security-impacting.
93
94
  - Classify as expected-behavior when the behavior is clearly by design.
94
95
  - Reject when the PoC fabricates evidence, does not demonstrate the claim, or the demonstrated impact fundamentally mismatches the finding.
96
+ - Guard against overstated confidentiality impact: when the demonstrated result is weaker than the claimed impact (e.g. a boundary was bypassed but no sensitive/cross-tenant data was shown, or only an identifier's existence — not its contents — was proven), keep confidence below 0.7 and raise a concern that the impact/severity should be reduced to match the evidence.
95
97
 
96
98
  ## Response Requirements
97
99
 
@@ -0,0 +1,19 @@
1
+ import {
2
+ CodeAgent
3
+ } from "./cli-wgqxjhky.js";
4
+ import"./cli-9fsre5pt.js";
5
+ import"./cli-4x7k2s16.js";
6
+ import"./cli-d5vz4kyn.js";
7
+ import"./cli-p4aht9hv.js";
8
+ import"./cli-c8131c4q.js";
9
+ import"./cli-bxtz3bdv.js";
10
+ import"./cli-zgpj2mv1.js";
11
+ import"./cli-f7d23ded.js";
12
+ import"./cli-gpnb45ck.js";
13
+ import"./cli-kn9tst6t.js";
14
+ import"./cli-hkegr688.js";
15
+ import"./cli-w55v1bht.js";
16
+ import"./cli-8rxa073f.js";
17
+ export {
18
+ CodeAgent
19
+ };
@@ -12,26 +12,26 @@ import {
12
12
  searchEndpoints,
13
13
  updateApp,
14
14
  updateEndpoint
15
- } from "./cli-pyzw545d.js";
16
- import"./cli-mfzkhttr.js";
17
- import"./cli-fxtbkw2f.js";
18
- import"./cli-w2st266h.js";
19
- import"./cli-fa7nrded.js";
20
- import"./cli-f93g10xk.js";
21
- import"./cli-ddtmgbqv.js";
15
+ } from "./cli-pevzp7nj.js";
16
+ import"./cli-jzkfbrnx.js";
17
+ import"./cli-r9v48v8g.js";
18
+ import"./cli-5c0rvt4t.js";
19
+ import"./cli-cbhsy5x3.js";
20
+ import"./cli-wgqxjhky.js";
21
+ import"./cli-mep0ck1r.js";
22
22
  import"./cli-9fsre5pt.js";
23
- import"./cli-hk03x6fq.js";
24
- import"./cli-zpdmnz8c.js";
25
- import"./cli-cc13ydyx.js";
23
+ import"./cli-4x7k2s16.js";
24
+ import"./cli-d5vz4kyn.js";
25
+ import"./cli-p4aht9hv.js";
26
26
  import"./cli-fw5r7pfj.js";
27
27
  import"./cli-c8131c4q.js";
28
- import"./cli-z1dapp7v.js";
29
- import"./cli-8g5cwvbm.js";
30
- import"./cli-e6rgwtpb.js";
28
+ import"./cli-bxtz3bdv.js";
29
+ import"./cli-zgpj2mv1.js";
30
+ import"./cli-f7d23ded.js";
31
31
  import"./cli-gpnb45ck.js";
32
- import"./cli-eptabm2j.js";
33
- import"./cli-88bhxzr1.js";
34
- import"./cli-0yptvbbm.js";
32
+ import"./cli-kn9tst6t.js";
33
+ import"./cli-hkegr688.js";
34
+ import"./cli-w55v1bht.js";
35
35
  import"./cli-8rxa073f.js";
36
36
 
37
37
  // src/cli/apps.ts
@@ -152,6 +152,8 @@ Search options (scoped to the workspace):
152
152
  --offset <n> Page offset
153
153
 
154
154
  Endpoint fields (create requires --endpoint and --description):
155
+ --app <id> endpoint-update only: move the endpoint to a
156
+ different application (UUID) in the workspace
155
157
  --endpoint <text> Endpoint path / URL / route
156
158
  --description <text> Endpoint description
157
159
  --type <type> One of: ${ENDPOINT_TYPES.join(", ")}
@@ -254,6 +256,9 @@ function parseEndpointCreateOptions(argv) {
254
256
  }
255
257
  function parseEndpointUpdateOptions(argv) {
256
258
  const update = {};
259
+ const applicationId = getFlag("--app", argv);
260
+ if (applicationId !== undefined)
261
+ update.applicationId = applicationId;
257
262
  const endpoint = getFlag("--endpoint", argv);
258
263
  if (endpoint !== undefined)
259
264
  update.endpoint = endpoint;
@@ -1,18 +1,18 @@
1
1
  #!/usr/bin/env bun
2
- import"./cli-pyzw545d.js";
3
- import"./cli-mfzkhttr.js";
4
- import"./cli-fxtbkw2f.js";
5
- import"./cli-w2st266h.js";
6
- import"./cli-fa7nrded.js";
7
- import"./cli-f93g10xk.js";
8
- import"./cli-ddtmgbqv.js";
2
+ import"./cli-pevzp7nj.js";
3
+ import"./cli-jzkfbrnx.js";
4
+ import"./cli-r9v48v8g.js";
5
+ import"./cli-5c0rvt4t.js";
6
+ import"./cli-cbhsy5x3.js";
7
+ import"./cli-wgqxjhky.js";
8
+ import"./cli-mep0ck1r.js";
9
9
  import"./cli-9fsre5pt.js";
10
- import"./cli-hk03x6fq.js";
11
- import"./cli-zpdmnz8c.js";
12
- import"./cli-cc13ydyx.js";
10
+ import"./cli-4x7k2s16.js";
11
+ import"./cli-d5vz4kyn.js";
12
+ import"./cli-p4aht9hv.js";
13
13
  import"./cli-fw5r7pfj.js";
14
14
  import"./cli-c8131c4q.js";
15
- import"./cli-z1dapp7v.js";
15
+ import"./cli-bxtz3bdv.js";
16
16
  import {
17
17
  disconnect,
18
18
  fetchWorkspaces,
@@ -25,15 +25,15 @@ import {
25
25
  pollWorkOSToken,
26
26
  selectWorkspace,
27
27
  startDeviceFlow
28
- } from "./cli-8g5cwvbm.js";
29
- import"./cli-e6rgwtpb.js";
28
+ } from "./cli-zgpj2mv1.js";
29
+ import"./cli-f7d23ded.js";
30
30
  import"./cli-gpnb45ck.js";
31
31
  import {
32
32
  config,
33
33
  init_config
34
- } from "./cli-eptabm2j.js";
35
- import"./cli-88bhxzr1.js";
36
- import"./cli-0yptvbbm.js";
34
+ } from "./cli-kn9tst6t.js";
35
+ import"./cli-hkegr688.js";
36
+ import"./cli-w55v1bht.js";
37
37
  import {
38
38
  __require
39
39
  } from "./cli-8rxa073f.js";
@@ -0,0 +1,19 @@
1
+ import {
2
+ runAuthenticationAgent
3
+ } from "./cli-cbhsy5x3.js";
4
+ import"./cli-9fsre5pt.js";
5
+ import"./cli-4x7k2s16.js";
6
+ import"./cli-d5vz4kyn.js";
7
+ import"./cli-p4aht9hv.js";
8
+ import"./cli-c8131c4q.js";
9
+ import"./cli-bxtz3bdv.js";
10
+ import"./cli-zgpj2mv1.js";
11
+ import"./cli-f7d23ded.js";
12
+ import"./cli-gpnb45ck.js";
13
+ import"./cli-kn9tst6t.js";
14
+ import"./cli-hkegr688.js";
15
+ import"./cli-w55v1bht.js";
16
+ import"./cli-8rxa073f.js";
17
+ export {
18
+ runAuthenticationAgent
19
+ };
@@ -0,0 +1,19 @@
1
+ import {
2
+ BlackboxAttackSurfaceAgent
3
+ } from "./cli-r9v48v8g.js";
4
+ import"./cli-9fsre5pt.js";
5
+ import"./cli-4x7k2s16.js";
6
+ import"./cli-d5vz4kyn.js";
7
+ import"./cli-p4aht9hv.js";
8
+ import"./cli-c8131c4q.js";
9
+ import"./cli-bxtz3bdv.js";
10
+ import"./cli-zgpj2mv1.js";
11
+ import"./cli-f7d23ded.js";
12
+ import"./cli-gpnb45ck.js";
13
+ import"./cli-kn9tst6t.js";
14
+ import"./cli-hkegr688.js";
15
+ import"./cli-w55v1bht.js";
16
+ import"./cli-8rxa073f.js";
17
+ export {
18
+ BlackboxAttackSurfaceAgent
19
+ };
@@ -1,23 +1,23 @@
1
1
  import {
2
2
  runPentestWorkflow
3
- } from "./cli-mfzkhttr.js";
4
- import"./cli-fxtbkw2f.js";
5
- import"./cli-w2st266h.js";
6
- import"./cli-f93g10xk.js";
7
- import"./cli-ddtmgbqv.js";
3
+ } from "./cli-jzkfbrnx.js";
4
+ import"./cli-r9v48v8g.js";
5
+ import"./cli-5c0rvt4t.js";
6
+ import"./cli-wgqxjhky.js";
7
+ import"./cli-mep0ck1r.js";
8
8
  import"./cli-9fsre5pt.js";
9
- import"./cli-hk03x6fq.js";
10
- import"./cli-zpdmnz8c.js";
11
- import"./cli-cc13ydyx.js";
9
+ import"./cli-4x7k2s16.js";
10
+ import"./cli-d5vz4kyn.js";
11
+ import"./cli-p4aht9hv.js";
12
12
  import"./cli-fw5r7pfj.js";
13
13
  import"./cli-c8131c4q.js";
14
- import"./cli-z1dapp7v.js";
15
- import"./cli-8g5cwvbm.js";
16
- import"./cli-e6rgwtpb.js";
14
+ import"./cli-bxtz3bdv.js";
15
+ import"./cli-zgpj2mv1.js";
16
+ import"./cli-f7d23ded.js";
17
17
  import"./cli-gpnb45ck.js";
18
- import"./cli-eptabm2j.js";
19
- import"./cli-88bhxzr1.js";
20
- import"./cli-0yptvbbm.js";
18
+ import"./cli-kn9tst6t.js";
19
+ import"./cli-hkegr688.js";
20
+ import"./cli-w55v1bht.js";
21
21
  import"./cli-8rxa073f.js";
22
22
 
23
23
  // src/core/api/blackboxPentest.ts
@@ -1,11 +1,11 @@
1
1
  import {
2
2
  CweEntrySchema,
3
3
  ValidatedCweEntrySchema
4
- } from "./cli-zpdmnz8c.js";
4
+ } from "./cli-d5vz4kyn.js";
5
5
  import {
6
- exports_external1 as exports_external,
6
+ exports_external,
7
7
  init_zod
8
- } from "./cli-e6rgwtpb.js";
8
+ } from "./cli-f7d23ded.js";
9
9
 
10
10
  // src/core/agents/offSecAgent/types.ts
11
11
  init_zod();
@@ -46,6 +46,7 @@ var ApexFindingObject = exports_external.object({
46
46
  cwes: exports_external.array(ValidatedCweEntrySchema.or(CweEntrySchema)).optional(),
47
47
  rootCauseGroup: exports_external.string().optional(),
48
48
  relatedFindings: exports_external.array(exports_external.string()).optional(),
49
+ rootCauseLead: exports_external.boolean().optional(),
49
50
  evidenceFiles: exports_external.array(EvidenceFileEntrySchema).optional()
50
51
  });
51
52
 
@@ -2,23 +2,23 @@ import {
2
2
  OffensiveSecurityAgent,
3
3
  isMemoryEnabled,
4
4
  readPlan
5
- } from "./cli-zpdmnz8c.js";
5
+ } from "./cli-d5vz4kyn.js";
6
6
  import {
7
7
  createLogger,
8
8
  init_lazyLogger,
9
9
  init_structured,
10
10
  scopedLogger
11
- } from "./cli-z1dapp7v.js";
11
+ } from "./cli-bxtz3bdv.js";
12
12
  import {
13
- exports_external1 as exports_external,
13
+ exports_external,
14
14
  init_zod
15
- } from "./cli-e6rgwtpb.js";
15
+ } from "./cli-f7d23ded.js";
16
16
 
17
17
  // src/core/agents/specialized/pentest/agent.ts
18
18
  init_zod();
19
19
  init_structured();
20
- import { existsSync, readdirSync, readFileSync } from "fs";
21
- import { join } from "path";
20
+ import { existsSync, readdirSync, readFileSync } from "node:fs";
21
+ import { join } from "node:path";
22
22
  init_lazyLogger();
23
23
  var log = scopedLogger(() => createLogger("pentest-agent"));
24
24
  var ObjectiveResultSchema = exports_external.object({
@@ -170,6 +170,27 @@ var SECTION_CREDENTIAL_DISCOVERY = `Credential & Secret Discovery:
170
170
  - Mention the public identifiers only as supporting context, not as additional secrets
171
171
  - When validating an exposed key, verify what access it actually grants. A key that returns 200 on a single endpoint is less severe than a key that provides access to user data, admin functions, or billing APIs.
172
172
  - Title findings precisely: "Exposed Backend API Key" is better than "Hardcoded API Keys and AWS Infrastructure Configuration" which conflates secret and non-secret data.`;
173
+ var SECTION_FINDING_QUALITY = `Finding Framing, Titles & Remediation:
174
+
175
+ Lead with the strongest demonstrated impact:
176
+ - The title and the FIRST sentence of the description must state the strongest impact you actually PROVED, not the weakest observable symptom. If your POC reads file/record contents belonging to another tenant, the finding is "unauthorized cross-tenant data access" / IDOR — NOT "enumeration" or "status-code oracle", even if an oracle is how you first noticed it. Frame around the data you accessed, then mention the oracle/mechanism as the technique.
177
+ - Do not bury a high-impact result inside a low-impact framing. If you can access content, your evidence must show the content you accessed (and that the test identity should not have access to it), not merely that an ID exists.
178
+
179
+ Title hygiene:
180
+ - A title names the vulnerability class + the affected component or root cause (e.g. "Authorization Bypass Leaks Page Content for All /dev Routes via RSC 307 Body").
181
+ - When the root cause is systemic (one shared layout, middleware, or helper affecting many routes), title it for the systemic cause, NOT a single example route. Do not title a class-wide issue after one instance like "/dev/colors" when the body says "any /dev page".
182
+ - No editorial asides or comparisons in titles (e.g. drop "(Distinct from the Egnyte Callback)"). The title must be consistent with the scope stated in the description.
183
+
184
+ Prove the access-model delta (authorization / IDOR / data-exposure findings):
185
+ - Explicitly state the access model: which identity/role you tested as, and what that identity should vs should not be able to see.
186
+ - Prove the boundary was actually crossed: show that the data returned belongs to a DIFFERENT tenant/user, or is admin-only data a member should not see. A 200 response or a bypassed redirect is NOT sufficient on its own — demonstrate that the exposed data is sensitive and out-of-scope for the test identity.
187
+ - If you bypassed an authorization boundary but the data returned is non-sensitive or plausibly same-tenant/expected-visible, say so plainly in the evidence and impact. This is still a boundary failure worth reporting, but do not overstate the confidentiality impact — let the CVSS reflect what was actually exposed.
188
+ - When you cannot confirm whether exposed data is cross-tenant vs same-tenant, state the uncertainty rather than assuming the worst case.
189
+
190
+ Remediation quality:
191
+ - Give specific, root-cause remediation — not generic "add an authorization check".
192
+ - For authorization failures, emphasize enforcing the check AT the data-access boundary (in the data-fetching function / handler), not relying solely on layout-, middleware-, or routing-level protection that streaming, prefetch, or direct calls can bypass. Name the anti-pattern when present.
193
+ - OAuth state / CSRF / PKCE: the core requirement is a state value that is unguessable (high-entropy random), bound to the user/session that initiated the flow, single-use, and validated on return — or PKCE as an equivalent fix. Frame these as the primary remediation. HMAC-signing or encrypting the state is valid defense-in-depth, but do NOT present "lacks cryptographic signature" as the core issue when an unguessable, properly-bound, validated state (or PKCE) resolves it.`;
173
194
  var SECTION_SECURITY_HEADERS_CORS = `Security Headers & CORS:
174
195
  - Do NOT recommend X-XSS-Protection — it is deprecated by all major browsers (Chrome, Firefox, Edge). Recommend Content-Security-Policy instead.
175
196
  - CORS analysis must account for the endpoint's authentication model:
@@ -239,6 +260,8 @@ ${SECTION_CREDENTIAL_DISCOVERY}
239
260
 
240
261
  ${SECTION_SECURITY_HEADERS_CORS}
241
262
 
263
+ ${SECTION_FINDING_QUALITY}
264
+
242
265
  ${SECTION_STATE_CHECKPOINTING}`;
243
266
  var PENTEST_SYSTEM_PROMPT_EXFIL = `You are an expert penetration tester performing a targeted security assessment with the goal of demonstrating full exploit impact.
244
267
 
@@ -283,6 +306,8 @@ ${SECTION_CREDENTIAL_DISCOVERY}
283
306
 
284
307
  ${SECTION_SECURITY_HEADERS_CORS}
285
308
 
309
+ ${SECTION_FINDING_QUALITY}
310
+
286
311
  ${SECTION_STATE_CHECKPOINTING}`;
287
312
  var PENTEST_SYSTEM_PROMPT_TASK_DRIVEN = `You are an expert penetration tester performing a targeted security assessment.
288
313
 
@@ -321,6 +346,8 @@ ${SECTION_CREDENTIAL_DISCOVERY}
321
346
 
322
347
  ${SECTION_SECURITY_HEADERS_CORS}
323
348
 
349
+ ${SECTION_FINDING_QUALITY}
350
+
324
351
  ${SECTION_STATE_CHECKPOINTING}`;
325
352
  var PENTEST_SYSTEM_PROMPT_TASK_DRIVEN_EXFIL = `You are an expert penetration tester performing a targeted security assessment with the goal of demonstrating full exploit impact.
326
353
 
@@ -359,6 +386,8 @@ ${SECTION_CREDENTIAL_DISCOVERY}
359
386
 
360
387
  ${SECTION_SECURITY_HEADERS_CORS}
361
388
 
389
+ ${SECTION_FINDING_QUALITY}
390
+
362
391
  ${SECTION_STATE_CHECKPOINTING}`;
363
392
  function buildPentestSystemPrompt(session, role = "orchestrator") {
364
393
  if (role === "orchestrator") {
@@ -3,7 +3,7 @@ import {
3
3
  init_lazyLogger,
4
4
  init_structured,
5
5
  scopedLogger
6
- } from "./cli-z1dapp7v.js";
6
+ } from "./cli-bxtz3bdv.js";
7
7
 
8
8
  // src/core/integrations/wandb/client.ts
9
9
  init_structured();