@pensar/apex 2.0.1 → 2.0.2-canary.9e4e15cf
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/{agent-x7n47c84.js → agent-1jp62njk.js} +9 -9
- package/build/{agent-6nhperp2.js → agent-1zfxfgfr.js} +9 -7
- package/build/agent-ssm6x6qs.js +19 -0
- package/build/{apps-2ac4vt09.js → apps-2qd57k2z.js} +20 -15
- package/build/{auth-bmt98hz0.js → auth-bwb51krx.js} +15 -15
- package/build/authentication-3p84dzrr.js +19 -0
- package/build/blackboxAgent-dn68r23n.js +19 -0
- package/build/{blackboxPentest-xngbtdxb.js → blackboxPentest-txe2h6h0.js} +13 -13
- package/build/{cli-0yptvbbm.js → cli-0t1j4jh4.js} +9 -8
- package/build/{cli-fxtbkw2f.js → cli-3n78e7hs.js} +3 -3
- package/build/{cli-hk03x6fq.js → cli-8pw332mm.js} +2 -1
- package/build/{cli-z1dapp7v.js → cli-dk63pna5.js} +48 -11
- package/build/{cli-mfzkhttr.js → cli-e450tvx3.js} +11 -9
- package/build/{cli-f93g10xk.js → cli-jd0bfde5.js} +2 -2
- package/build/{cli-w2st266h.js → cli-jh6k2m9z.js} +31 -2
- package/build/{cli-88bhxzr1.js → cli-kj5vjbnd.js} +1 -1
- package/build/{cli-eptabm2j.js → cli-kxpba6jy.js} +1 -1
- package/build/{cli-1f5zzrxj.js → cli-nc2yvszh.js} +1 -1
- package/build/{cli-8g5cwvbm.js → cli-p904s2yj.js} +1 -1
- package/build/{cli-fa7nrded.js → cli-ppq4kh08.js} +3 -3
- package/build/{cli-zpdmnz8c.js → cli-qdh225p7.js} +353 -227
- package/build/{cli-cc13ydyx.js → cli-w1nb1y6h.js} +1 -1
- package/build/{cli-pyzw545d.js → cli-xcr4rax4.js} +23 -5
- package/build/{cli-ddtmgbqv.js → cli-za4t23gh.js} +2 -2
- package/build/cli.js +44 -39
- package/build/{config-j0gfjhrm.js → config-6s6jsd2a.js} +3 -3
- package/build/{doctor-zn8ms7gs.js → doctor-yh7zdmgt.js} +6 -6
- package/build/{fixes-d8ytvyzn.js → fixes-0xebnr67.js} +15 -15
- package/build/{index-528cyewc.js → index-k3f1hxpe.js} +17 -17
- package/build/{index-3cbcjqw1.js → index-kjky8ack.js} +9 -9
- package/build/{index-hjvqqkem.js → index-qfveae0v.js} +4 -4
- package/build/{index-a1sy2zak.js → index-ss31xhpj.js} +2 -2
- package/build/{index-9d2es97h.js → index-t3rffyf8.js} +3 -3
- package/build/{index-2t2cg8x0.js → index-w81kvhhz.js} +8 -8
- package/build/{index-k6ttkac6.js → index-zgr0dv9e.js} +6 -6
- package/build/{issues-17kdjtdg.js → issues-zjybm91e.js} +15 -15
- package/build/{logs-r4rjar4m.js → logs-t0vtg96a.js} +15 -15
- package/build/{offesecAgent-azd8ahkm.js → offesecAgent-kfjetqzw.js} +8 -8
- package/build/pentest-043y2x03.js +28 -0
- package/build/{pentests-npjb5q1h.js → pentests-h2mk21aq.js} +15 -15
- package/build/{targetedPentest-m24wvscc.js → targetedPentest-m6k9nde8.js} +9 -9
- package/build/targets-pknexde1.js +113 -0
- package/build/threatModel-mb9340cz.js +26 -0
- package/build/{uninstall-7pm6zcah.js → uninstall-bnamn9pn.js} +1 -1
- package/build/{upload-wg0vxmk0.js → upload-xrbxx4hz.js} +6 -6
- package/build/{utils-gd1y4t26.js → utils-6e1wgez0.js} +5 -5
- package/package.json +9 -8
- package/build/agent-4g69jwmq.js +0 -19
- package/build/authentication-c0aj9zaz.js +0 -19
- package/build/blackboxAgent-sgph70e4.js +0 -19
- package/build/pentest-2vsjf0j8.js +0 -28
- package/build/threatModel-7akmfzzm.js +0 -26
|
@@ -3,19 +3,19 @@ import {
|
|
|
3
3
|
buildPentestActiveTools,
|
|
4
4
|
buildPentestPrompt,
|
|
5
5
|
buildPentestSystemPrompt
|
|
6
|
-
} from "./cli-
|
|
6
|
+
} from "./cli-jh6k2m9z.js";
|
|
7
7
|
import"./cli-9fsre5pt.js";
|
|
8
|
-
import"./cli-
|
|
9
|
-
import"./cli-
|
|
10
|
-
import"./cli-
|
|
8
|
+
import"./cli-8pw332mm.js";
|
|
9
|
+
import"./cli-qdh225p7.js";
|
|
10
|
+
import"./cli-w1nb1y6h.js";
|
|
11
11
|
import"./cli-c8131c4q.js";
|
|
12
|
-
import"./cli-
|
|
13
|
-
import"./cli-
|
|
12
|
+
import"./cli-dk63pna5.js";
|
|
13
|
+
import"./cli-p904s2yj.js";
|
|
14
14
|
import"./cli-e6rgwtpb.js";
|
|
15
15
|
import"./cli-gpnb45ck.js";
|
|
16
|
-
import"./cli-
|
|
17
|
-
import"./cli-
|
|
18
|
-
import"./cli-
|
|
16
|
+
import"./cli-kxpba6jy.js";
|
|
17
|
+
import"./cli-kj5vjbnd.js";
|
|
18
|
+
import"./cli-0t1j4jh4.js";
|
|
19
19
|
import"./cli-8rxa073f.js";
|
|
20
20
|
export {
|
|
21
21
|
buildPentestSystemPrompt,
|
|
@@ -1,23 +1,23 @@
|
|
|
1
1
|
import {
|
|
2
2
|
OffensiveSecurityAgent
|
|
3
|
-
} from "./cli-
|
|
3
|
+
} from "./cli-qdh225p7.js";
|
|
4
4
|
import {
|
|
5
5
|
detectOSAndEnhancePrompt
|
|
6
|
-
} from "./cli-
|
|
6
|
+
} from "./cli-w1nb1y6h.js";
|
|
7
7
|
import"./cli-c8131c4q.js";
|
|
8
8
|
import {
|
|
9
9
|
init_dist,
|
|
10
10
|
stepCountIs
|
|
11
|
-
} from "./cli-
|
|
12
|
-
import"./cli-
|
|
11
|
+
} from "./cli-dk63pna5.js";
|
|
12
|
+
import"./cli-p904s2yj.js";
|
|
13
13
|
import {
|
|
14
14
|
exports_external1 as exports_external,
|
|
15
15
|
init_zod
|
|
16
16
|
} from "./cli-e6rgwtpb.js";
|
|
17
17
|
import"./cli-gpnb45ck.js";
|
|
18
|
-
import"./cli-
|
|
19
|
-
import"./cli-
|
|
20
|
-
import"./cli-
|
|
18
|
+
import"./cli-kxpba6jy.js";
|
|
19
|
+
import"./cli-kj5vjbnd.js";
|
|
20
|
+
import"./cli-0t1j4jh4.js";
|
|
21
21
|
import"./cli-8rxa073f.js";
|
|
22
22
|
|
|
23
23
|
// src/core/agents/specialized/findingJudge/agent.ts
|
|
@@ -65,6 +65,7 @@ You are the last line of defense against false positives, hallucinated findings,
|
|
|
65
65
|
- SSRF: output should show responses from internal or otherwise protected services.
|
|
66
66
|
- Path traversal: output should show file contents outside the intended path.
|
|
67
67
|
- IDOR: output should show access to another user's/account's resource while authentication exists.
|
|
68
|
+
- Authorization / access-control boundary bypass (RSC/prefetch/redirect-body leaks, missing per-route checks): the evidence must establish the access-model delta — which identity/role was used, and proof that the returned data is genuinely out of scope for that identity (cross-tenant, another user's, or admin-only data a member should not see). A 200 response, a leaked RSC payload, or a skipped redirect alone does NOT prove sensitive exposure. If the bypass is real but the returned data is non-sensitive or plausibly same-tenant/expected-visible, classify as a valid lower-impact finding and require the claim's impact/severity to match — do NOT accept it as high-confidence sensitive/cross-tenant exposure.
|
|
68
69
|
- Authentication bypass: output should show protected access without valid credentials.
|
|
69
70
|
- Email/HTML injection: ideally verify delivery and rendering. If only server acceptance is shown, confidence must stay below 0.7 and limitations must state rendering was not independently verified.
|
|
70
71
|
- Missing rate limiting / anti-automation: fewer than 50 requests is insufficient. Evidence must state exact request count, timing/distribution, and observed statuses.
|
|
@@ -92,6 +93,7 @@ Reject or lower confidence when:
|
|
|
92
93
|
- Classify as informational when the observation is real but not currently exploitable or not security-impacting.
|
|
93
94
|
- Classify as expected-behavior when the behavior is clearly by design.
|
|
94
95
|
- Reject when the PoC fabricates evidence, does not demonstrate the claim, or the demonstrated impact fundamentally mismatches the finding.
|
|
96
|
+
- Guard against overstated confidentiality impact: when the demonstrated result is weaker than the claimed impact (e.g. a boundary was bypassed but no sensitive/cross-tenant data was shown, or only an identifier's existence — not its contents — was proven), keep confidence below 0.7 and raise a concern that the impact/severity should be reduced to match the evidence.
|
|
95
97
|
|
|
96
98
|
## Response Requirements
|
|
97
99
|
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
import {
|
|
2
|
+
CodeAgent
|
|
3
|
+
} from "./cli-jd0bfde5.js";
|
|
4
|
+
import"./cli-9fsre5pt.js";
|
|
5
|
+
import"./cli-8pw332mm.js";
|
|
6
|
+
import"./cli-qdh225p7.js";
|
|
7
|
+
import"./cli-w1nb1y6h.js";
|
|
8
|
+
import"./cli-c8131c4q.js";
|
|
9
|
+
import"./cli-dk63pna5.js";
|
|
10
|
+
import"./cli-p904s2yj.js";
|
|
11
|
+
import"./cli-e6rgwtpb.js";
|
|
12
|
+
import"./cli-gpnb45ck.js";
|
|
13
|
+
import"./cli-kxpba6jy.js";
|
|
14
|
+
import"./cli-kj5vjbnd.js";
|
|
15
|
+
import"./cli-0t1j4jh4.js";
|
|
16
|
+
import"./cli-8rxa073f.js";
|
|
17
|
+
export {
|
|
18
|
+
CodeAgent
|
|
19
|
+
};
|
|
@@ -12,26 +12,26 @@ import {
|
|
|
12
12
|
searchEndpoints,
|
|
13
13
|
updateApp,
|
|
14
14
|
updateEndpoint
|
|
15
|
-
} from "./cli-
|
|
16
|
-
import"./cli-
|
|
17
|
-
import"./cli-
|
|
18
|
-
import"./cli-
|
|
19
|
-
import"./cli-
|
|
20
|
-
import"./cli-
|
|
21
|
-
import"./cli-
|
|
15
|
+
} from "./cli-xcr4rax4.js";
|
|
16
|
+
import"./cli-e450tvx3.js";
|
|
17
|
+
import"./cli-3n78e7hs.js";
|
|
18
|
+
import"./cli-jh6k2m9z.js";
|
|
19
|
+
import"./cli-ppq4kh08.js";
|
|
20
|
+
import"./cli-jd0bfde5.js";
|
|
21
|
+
import"./cli-za4t23gh.js";
|
|
22
22
|
import"./cli-9fsre5pt.js";
|
|
23
|
-
import"./cli-
|
|
24
|
-
import"./cli-
|
|
25
|
-
import"./cli-
|
|
23
|
+
import"./cli-8pw332mm.js";
|
|
24
|
+
import"./cli-qdh225p7.js";
|
|
25
|
+
import"./cli-w1nb1y6h.js";
|
|
26
26
|
import"./cli-fw5r7pfj.js";
|
|
27
27
|
import"./cli-c8131c4q.js";
|
|
28
|
-
import"./cli-
|
|
29
|
-
import"./cli-
|
|
28
|
+
import"./cli-dk63pna5.js";
|
|
29
|
+
import"./cli-p904s2yj.js";
|
|
30
30
|
import"./cli-e6rgwtpb.js";
|
|
31
31
|
import"./cli-gpnb45ck.js";
|
|
32
|
-
import"./cli-
|
|
33
|
-
import"./cli-
|
|
34
|
-
import"./cli-
|
|
32
|
+
import"./cli-kxpba6jy.js";
|
|
33
|
+
import"./cli-kj5vjbnd.js";
|
|
34
|
+
import"./cli-0t1j4jh4.js";
|
|
35
35
|
import"./cli-8rxa073f.js";
|
|
36
36
|
|
|
37
37
|
// src/cli/apps.ts
|
|
@@ -152,6 +152,8 @@ Search options (scoped to the workspace):
|
|
|
152
152
|
--offset <n> Page offset
|
|
153
153
|
|
|
154
154
|
Endpoint fields (create requires --endpoint and --description):
|
|
155
|
+
--app <id> endpoint-update only: move the endpoint to a
|
|
156
|
+
different application (UUID) in the workspace
|
|
155
157
|
--endpoint <text> Endpoint path / URL / route
|
|
156
158
|
--description <text> Endpoint description
|
|
157
159
|
--type <type> One of: ${ENDPOINT_TYPES.join(", ")}
|
|
@@ -254,6 +256,9 @@ function parseEndpointCreateOptions(argv) {
|
|
|
254
256
|
}
|
|
255
257
|
function parseEndpointUpdateOptions(argv) {
|
|
256
258
|
const update = {};
|
|
259
|
+
const applicationId = getFlag("--app", argv);
|
|
260
|
+
if (applicationId !== undefined)
|
|
261
|
+
update.applicationId = applicationId;
|
|
257
262
|
const endpoint = getFlag("--endpoint", argv);
|
|
258
263
|
if (endpoint !== undefined)
|
|
259
264
|
update.endpoint = endpoint;
|
|
@@ -1,18 +1,18 @@
|
|
|
1
1
|
#!/usr/bin/env bun
|
|
2
|
-
import"./cli-
|
|
3
|
-
import"./cli-
|
|
4
|
-
import"./cli-
|
|
5
|
-
import"./cli-
|
|
6
|
-
import"./cli-
|
|
7
|
-
import"./cli-
|
|
8
|
-
import"./cli-
|
|
2
|
+
import"./cli-xcr4rax4.js";
|
|
3
|
+
import"./cli-e450tvx3.js";
|
|
4
|
+
import"./cli-3n78e7hs.js";
|
|
5
|
+
import"./cli-jh6k2m9z.js";
|
|
6
|
+
import"./cli-ppq4kh08.js";
|
|
7
|
+
import"./cli-jd0bfde5.js";
|
|
8
|
+
import"./cli-za4t23gh.js";
|
|
9
9
|
import"./cli-9fsre5pt.js";
|
|
10
|
-
import"./cli-
|
|
11
|
-
import"./cli-
|
|
12
|
-
import"./cli-
|
|
10
|
+
import"./cli-8pw332mm.js";
|
|
11
|
+
import"./cli-qdh225p7.js";
|
|
12
|
+
import"./cli-w1nb1y6h.js";
|
|
13
13
|
import"./cli-fw5r7pfj.js";
|
|
14
14
|
import"./cli-c8131c4q.js";
|
|
15
|
-
import"./cli-
|
|
15
|
+
import"./cli-dk63pna5.js";
|
|
16
16
|
import {
|
|
17
17
|
disconnect,
|
|
18
18
|
fetchWorkspaces,
|
|
@@ -25,15 +25,15 @@ import {
|
|
|
25
25
|
pollWorkOSToken,
|
|
26
26
|
selectWorkspace,
|
|
27
27
|
startDeviceFlow
|
|
28
|
-
} from "./cli-
|
|
28
|
+
} from "./cli-p904s2yj.js";
|
|
29
29
|
import"./cli-e6rgwtpb.js";
|
|
30
30
|
import"./cli-gpnb45ck.js";
|
|
31
31
|
import {
|
|
32
32
|
config,
|
|
33
33
|
init_config
|
|
34
|
-
} from "./cli-
|
|
35
|
-
import"./cli-
|
|
36
|
-
import"./cli-
|
|
34
|
+
} from "./cli-kxpba6jy.js";
|
|
35
|
+
import"./cli-kj5vjbnd.js";
|
|
36
|
+
import"./cli-0t1j4jh4.js";
|
|
37
37
|
import {
|
|
38
38
|
__require
|
|
39
39
|
} from "./cli-8rxa073f.js";
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
import {
|
|
2
|
+
runAuthenticationAgent
|
|
3
|
+
} from "./cli-ppq4kh08.js";
|
|
4
|
+
import"./cli-9fsre5pt.js";
|
|
5
|
+
import"./cli-8pw332mm.js";
|
|
6
|
+
import"./cli-qdh225p7.js";
|
|
7
|
+
import"./cli-w1nb1y6h.js";
|
|
8
|
+
import"./cli-c8131c4q.js";
|
|
9
|
+
import"./cli-dk63pna5.js";
|
|
10
|
+
import"./cli-p904s2yj.js";
|
|
11
|
+
import"./cli-e6rgwtpb.js";
|
|
12
|
+
import"./cli-gpnb45ck.js";
|
|
13
|
+
import"./cli-kxpba6jy.js";
|
|
14
|
+
import"./cli-kj5vjbnd.js";
|
|
15
|
+
import"./cli-0t1j4jh4.js";
|
|
16
|
+
import"./cli-8rxa073f.js";
|
|
17
|
+
export {
|
|
18
|
+
runAuthenticationAgent
|
|
19
|
+
};
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
import {
|
|
2
|
+
BlackboxAttackSurfaceAgent
|
|
3
|
+
} from "./cli-3n78e7hs.js";
|
|
4
|
+
import"./cli-9fsre5pt.js";
|
|
5
|
+
import"./cli-8pw332mm.js";
|
|
6
|
+
import"./cli-qdh225p7.js";
|
|
7
|
+
import"./cli-w1nb1y6h.js";
|
|
8
|
+
import"./cli-c8131c4q.js";
|
|
9
|
+
import"./cli-dk63pna5.js";
|
|
10
|
+
import"./cli-p904s2yj.js";
|
|
11
|
+
import"./cli-e6rgwtpb.js";
|
|
12
|
+
import"./cli-gpnb45ck.js";
|
|
13
|
+
import"./cli-kxpba6jy.js";
|
|
14
|
+
import"./cli-kj5vjbnd.js";
|
|
15
|
+
import"./cli-0t1j4jh4.js";
|
|
16
|
+
import"./cli-8rxa073f.js";
|
|
17
|
+
export {
|
|
18
|
+
BlackboxAttackSurfaceAgent
|
|
19
|
+
};
|
|
@@ -1,23 +1,23 @@
|
|
|
1
1
|
import {
|
|
2
2
|
runPentestWorkflow
|
|
3
|
-
} from "./cli-
|
|
4
|
-
import"./cli-
|
|
5
|
-
import"./cli-
|
|
6
|
-
import"./cli-
|
|
7
|
-
import"./cli-
|
|
3
|
+
} from "./cli-e450tvx3.js";
|
|
4
|
+
import"./cli-3n78e7hs.js";
|
|
5
|
+
import"./cli-jh6k2m9z.js";
|
|
6
|
+
import"./cli-jd0bfde5.js";
|
|
7
|
+
import"./cli-za4t23gh.js";
|
|
8
8
|
import"./cli-9fsre5pt.js";
|
|
9
|
-
import"./cli-
|
|
10
|
-
import"./cli-
|
|
11
|
-
import"./cli-
|
|
9
|
+
import"./cli-8pw332mm.js";
|
|
10
|
+
import"./cli-qdh225p7.js";
|
|
11
|
+
import"./cli-w1nb1y6h.js";
|
|
12
12
|
import"./cli-fw5r7pfj.js";
|
|
13
13
|
import"./cli-c8131c4q.js";
|
|
14
|
-
import"./cli-
|
|
15
|
-
import"./cli-
|
|
14
|
+
import"./cli-dk63pna5.js";
|
|
15
|
+
import"./cli-p904s2yj.js";
|
|
16
16
|
import"./cli-e6rgwtpb.js";
|
|
17
17
|
import"./cli-gpnb45ck.js";
|
|
18
|
-
import"./cli-
|
|
19
|
-
import"./cli-
|
|
20
|
-
import"./cli-
|
|
18
|
+
import"./cli-kxpba6jy.js";
|
|
19
|
+
import"./cli-kj5vjbnd.js";
|
|
20
|
+
import"./cli-0t1j4jh4.js";
|
|
21
21
|
import"./cli-8rxa073f.js";
|
|
22
22
|
|
|
23
23
|
// src/core/api/blackboxPentest.ts
|
|
@@ -25,9 +25,10 @@ var init_package = __esm(() => {
|
|
|
25
25
|
"@opentelemetry/api": "^1.9.0",
|
|
26
26
|
"@opentui/core": "^0.1.107",
|
|
27
27
|
"@opentui/react": "^0.1.107",
|
|
28
|
-
"@pensar/surface": "0.2.
|
|
28
|
+
"@pensar/surface": "0.2.2",
|
|
29
29
|
"@playwright/mcp": "^0.0.54",
|
|
30
30
|
ai: "^6.0.105",
|
|
31
|
+
"camoufox-js": "^0.11.1",
|
|
31
32
|
glob: "^13.0.0",
|
|
32
33
|
"highlight.js": "^11.11.1",
|
|
33
34
|
imapflow: "^1.2.10",
|
|
@@ -91,13 +92,13 @@ var init_package = __esm(() => {
|
|
|
91
92
|
url: "https://github.com/pensarai/apex.git"
|
|
92
93
|
},
|
|
93
94
|
scripts: {
|
|
94
|
-
build: "bun build src/cli.ts --outdir build --target node --format esm --splitting --external @opentui/core --external @opentui/react --external @opentui/react/* --external react --external react/jsx-runtime --external react/jsx-dev-runtime --external react-reconciler --external weave",
|
|
95
|
+
build: "bun build src/cli.ts --outdir build --target node --format esm --splitting --external @opentui/core --external @opentui/react --external @opentui/react/* --external react --external react/jsx-runtime --external react/jsx-dev-runtime --external react-reconciler --external weave --external electron --external chromium-bidi --external camoufox-js",
|
|
95
96
|
"build:binaries": "bun run generate:ascii && mkdir -p dist && bun run build:binary:macos-arm64 && bun run build:binary:macos-x64 && bun run build:binary:linux-x64 && bun run build:binary:linux-arm64",
|
|
96
|
-
"build:binary": "bun run generate:ascii && bun build src/cli.ts --compile --outfile pensar",
|
|
97
|
-
"build:binary:linux-arm64": "bun build src/cli.ts --compile --target=bun-linux-arm64 --outfile dist/pensar-linux-arm64",
|
|
98
|
-
"build:binary:linux-x64": "bun build src/cli.ts --compile --target=bun-linux-x64 --outfile dist/pensar-linux-x64",
|
|
99
|
-
"build:binary:macos-arm64": "bun build src/cli.ts --compile --target=bun-darwin-arm64 --outfile dist/pensar-darwin-arm64",
|
|
100
|
-
"build:binary:macos-x64": "bun build src/cli.ts --compile --target=bun-darwin-x64 --outfile dist/pensar-darwin-x64",
|
|
97
|
+
"build:binary": "bun run generate:ascii && bun build src/cli.ts --compile --external electron --external chromium-bidi --external camoufox-js --outfile pensar",
|
|
98
|
+
"build:binary:linux-arm64": "bun build src/cli.ts --compile --external electron --external chromium-bidi --external camoufox-js --target=bun-linux-arm64 --outfile dist/pensar-linux-arm64",
|
|
99
|
+
"build:binary:linux-x64": "bun build src/cli.ts --compile --external electron --external chromium-bidi --external camoufox-js --target=bun-linux-x64 --outfile dist/pensar-linux-x64",
|
|
100
|
+
"build:binary:macos-arm64": "bun build src/cli.ts --compile --external electron --external chromium-bidi --external camoufox-js --target=bun-darwin-arm64 --outfile dist/pensar-darwin-arm64",
|
|
101
|
+
"build:binary:macos-x64": "bun build src/cli.ts --compile --external electron --external chromium-bidi --external camoufox-js --target=bun-darwin-x64 --outfile dist/pensar-darwin-x64",
|
|
101
102
|
check: "biome check --write",
|
|
102
103
|
"check:ci": "biome check",
|
|
103
104
|
"daytona-benchmark": "bun run scripts/daytona-benchmark.ts",
|
|
@@ -119,7 +120,7 @@ var init_package = __esm(() => {
|
|
|
119
120
|
tsc: "tsc --noEmit"
|
|
120
121
|
},
|
|
121
122
|
type: "module",
|
|
122
|
-
version: "2.0.
|
|
123
|
+
version: "2.0.2-canary.9e4e15cf"
|
|
123
124
|
};
|
|
124
125
|
});
|
|
125
126
|
|
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
import {
|
|
2
2
|
OffensiveSecurityAgent
|
|
3
|
-
} from "./cli-
|
|
3
|
+
} from "./cli-qdh225p7.js";
|
|
4
4
|
import {
|
|
5
5
|
detectOSAndEnhancePrompt
|
|
6
|
-
} from "./cli-
|
|
6
|
+
} from "./cli-w1nb1y6h.js";
|
|
7
7
|
import {
|
|
8
8
|
hasToolCall,
|
|
9
9
|
init_dist,
|
|
10
10
|
stepCountIs
|
|
11
|
-
} from "./cli-
|
|
11
|
+
} from "./cli-dk63pna5.js";
|
|
12
12
|
|
|
13
13
|
// src/core/agents/specialized/attackSurface/blackboxAgent.ts
|
|
14
14
|
init_dist();
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import {
|
|
2
2
|
CweEntrySchema,
|
|
3
3
|
ValidatedCweEntrySchema
|
|
4
|
-
} from "./cli-
|
|
4
|
+
} from "./cli-qdh225p7.js";
|
|
5
5
|
import {
|
|
6
6
|
exports_external1 as exports_external,
|
|
7
7
|
init_zod
|
|
@@ -46,6 +46,7 @@ var ApexFindingObject = exports_external.object({
|
|
|
46
46
|
cwes: exports_external.array(ValidatedCweEntrySchema.or(CweEntrySchema)).optional(),
|
|
47
47
|
rootCauseGroup: exports_external.string().optional(),
|
|
48
48
|
relatedFindings: exports_external.array(exports_external.string()).optional(),
|
|
49
|
+
rootCauseLead: exports_external.boolean().optional(),
|
|
49
50
|
evidenceFiles: exports_external.array(EvidenceFileEntrySchema).optional()
|
|
50
51
|
});
|
|
51
52
|
|
|
@@ -4,7 +4,7 @@ import {
|
|
|
4
4
|
init_auth,
|
|
5
5
|
init_constants,
|
|
6
6
|
signGatewayRequest
|
|
7
|
-
} from "./cli-
|
|
7
|
+
} from "./cli-p904s2yj.js";
|
|
8
8
|
import {
|
|
9
9
|
AISDKError,
|
|
10
10
|
APICallError,
|
|
@@ -63,11 +63,11 @@ import {
|
|
|
63
63
|
import {
|
|
64
64
|
config,
|
|
65
65
|
init_config
|
|
66
|
-
} from "./cli-
|
|
66
|
+
} from "./cli-kxpba6jy.js";
|
|
67
67
|
import {
|
|
68
68
|
getCurrentVersion,
|
|
69
69
|
init_installation
|
|
70
|
-
} from "./cli-
|
|
70
|
+
} from "./cli-0t1j4jh4.js";
|
|
71
71
|
import {
|
|
72
72
|
__callDispose,
|
|
73
73
|
__commonJS,
|
|
@@ -7747,6 +7747,24 @@ var init_bedrock = __esm(() => {
|
|
|
7747
7747
|
provider: "bedrock",
|
|
7748
7748
|
contextLength: 64000
|
|
7749
7749
|
},
|
|
7750
|
+
{
|
|
7751
|
+
id: "deepseek.v3-v1:0",
|
|
7752
|
+
name: "DeepSeek V3.1 (Bedrock)",
|
|
7753
|
+
provider: "bedrock",
|
|
7754
|
+
contextLength: 128000
|
|
7755
|
+
},
|
|
7756
|
+
{
|
|
7757
|
+
id: "qwen.qwen3-coder-480b-a35b-v1:0",
|
|
7758
|
+
name: "Qwen3 Coder 480B A35B Instruct (Bedrock)",
|
|
7759
|
+
provider: "bedrock",
|
|
7760
|
+
contextLength: 131072
|
|
7761
|
+
},
|
|
7762
|
+
{
|
|
7763
|
+
id: "zai.glm-5",
|
|
7764
|
+
name: "Z.AI GLM 5 (Bedrock)",
|
|
7765
|
+
provider: "bedrock",
|
|
7766
|
+
contextLength: 200000
|
|
7767
|
+
},
|
|
7750
7768
|
{
|
|
7751
7769
|
id: "us.mistral.pixtral-large-2502-v1:0",
|
|
7752
7770
|
name: "Pixtral Large-2502 (US)",
|
|
@@ -8696,6 +8714,9 @@ function getModelInfo(model) {
|
|
|
8696
8714
|
provider: "local"
|
|
8697
8715
|
};
|
|
8698
8716
|
}
|
|
8717
|
+
function prefersSequentialToolCalls(model) {
|
|
8718
|
+
return /(^|[./:-])deepseek([./:-]|$)/i.test(model);
|
|
8719
|
+
}
|
|
8699
8720
|
function getMaxOutputTokens(modelId) {
|
|
8700
8721
|
const fromPattern = lookupOutputBudgetByPattern(modelId);
|
|
8701
8722
|
const ctx = AVAILABLE_MODELS.find((m) => m.id === modelId)?.contextLength;
|
|
@@ -8760,9 +8781,15 @@ function lookupOutputBudgetByPattern(modelId) {
|
|
|
8760
8781
|
if (modelId.includes("minimax-m3")) {
|
|
8761
8782
|
return 128000;
|
|
8762
8783
|
}
|
|
8763
|
-
if (modelId.includes("glm-5
|
|
8784
|
+
if (modelId.includes("glm-5")) {
|
|
8764
8785
|
return 131072;
|
|
8765
8786
|
}
|
|
8787
|
+
if (modelId.includes("deepseek")) {
|
|
8788
|
+
return 8192;
|
|
8789
|
+
}
|
|
8790
|
+
if (modelId.includes("qwen")) {
|
|
8791
|
+
return 16000;
|
|
8792
|
+
}
|
|
8766
8793
|
return 4096;
|
|
8767
8794
|
}
|
|
8768
8795
|
var AVAILABLE_MODELS;
|
|
@@ -42375,6 +42402,14 @@ function checkIfRateLimitError(error) {
|
|
|
42375
42402
|
const errorString = errorMessage || errorName ? "" : String(error).toLowerCase();
|
|
42376
42403
|
return errorMessage.includes("too many tokens") || errorMessage.includes("rate limit") || errorMessage.includes("request rate") || errorMessage.includes("throttl") || errorMessage.includes("overloaded") || errorMessage.includes("too many requests") || errorMessage.includes("please wait") || errorMessage.includes("service unavailable") || errorName.includes("throttl") || errorName.includes("toomanyrequests") || errorName.includes("serviceunavailable") || errorCode === "rate_limit_exceeded" || errorCode === "throttling" || errorCode === "429" || httpStatus === 429 || httpStatus === 529 || httpStatus === 503 || errorString.includes("throttl") || errorString.includes("too many") || errorString.includes("request rate");
|
|
42377
42404
|
}
|
|
42405
|
+
function applySequentialToolCallPolicy(system, tools, model) {
|
|
42406
|
+
if (tools && Object.keys(tools).length > 0 && prefersSequentialToolCalls(model)) {
|
|
42407
|
+
return `${system ? `${system}
|
|
42408
|
+
|
|
42409
|
+
` : ""}${SEQUENTIAL_TOOL_CALL_INSTRUCTION}`;
|
|
42410
|
+
}
|
|
42411
|
+
return system;
|
|
42412
|
+
}
|
|
42378
42413
|
async function* withIdleTimeout(stream, idleMs, isIdleTimerActive) {
|
|
42379
42414
|
const iterator = stream[Symbol.asyncIterator]();
|
|
42380
42415
|
try {
|
|
@@ -42497,7 +42532,7 @@ function wrapStreamWithErrorHandler(originalStream, messagesContainer, opts, mod
|
|
|
42497
42532
|
const fitted = fitMessagesToContext(currentMessages, {
|
|
42498
42533
|
contextWindow: getContextWindow(opts.model),
|
|
42499
42534
|
maxOutputTokens: getMaxOutputTokens(opts.model),
|
|
42500
|
-
system: opts.system,
|
|
42535
|
+
system: applySequentialToolCallPolicy(opts.system, opts.tools, opts.model),
|
|
42501
42536
|
tools: opts.tools,
|
|
42502
42537
|
sessionPath: opts.sessionPath
|
|
42503
42538
|
});
|
|
@@ -42632,13 +42667,14 @@ function streamResponse(opts) {
|
|
|
42632
42667
|
};
|
|
42633
42668
|
const providerModel = getProviderModel(model, authConfig);
|
|
42634
42669
|
const useAnthropicCaching = isAnthropicProvider(model);
|
|
42670
|
+
const systemWithToolPolicy = applySequentialToolCallPolicy(system, tools, model);
|
|
42635
42671
|
let fittedMessages = messages;
|
|
42636
42672
|
let proactiveFitFailed = false;
|
|
42637
42673
|
if (messages && messages.length > 0) {
|
|
42638
42674
|
const fitted = fitMessagesToContext(messages, {
|
|
42639
42675
|
contextWindow: getContextWindow(model),
|
|
42640
42676
|
maxOutputTokens: getMaxOutputTokens(model),
|
|
42641
|
-
system,
|
|
42677
|
+
system: systemWithToolPolicy,
|
|
42642
42678
|
tools,
|
|
42643
42679
|
sessionPath: opts.sessionPath
|
|
42644
42680
|
});
|
|
@@ -42655,13 +42691,13 @@ function streamResponse(opts) {
|
|
|
42655
42691
|
}
|
|
42656
42692
|
return wrapStreamWithErrorHandler(createSummarizationStream(fittedMessages, opts, providerModel), messagesContainer, opts, providerModel, silent);
|
|
42657
42693
|
}
|
|
42658
|
-
let effectiveSystem =
|
|
42694
|
+
let effectiveSystem = systemWithToolPolicy;
|
|
42659
42695
|
let effectiveMessages = fittedMessages;
|
|
42660
|
-
if (useAnthropicCaching &&
|
|
42696
|
+
if (useAnthropicCaching && systemWithToolPolicy) {
|
|
42661
42697
|
const baseMessages = fittedMessages ?? [
|
|
42662
42698
|
{ role: "user", content: prompt }
|
|
42663
42699
|
];
|
|
42664
|
-
effectiveMessages = withCachedSystemPrompt(
|
|
42700
|
+
effectiveMessages = withCachedSystemPrompt(systemWithToolPolicy, baseMessages);
|
|
42665
42701
|
effectiveSystem = undefined;
|
|
42666
42702
|
}
|
|
42667
42703
|
const useThinking = enableThinking && isAnthropicProvider(model) && modelSupportsThinking(model);
|
|
@@ -42920,7 +42956,7 @@ async function generateObjectResponse(opts) {
|
|
|
42920
42956
|
}
|
|
42921
42957
|
throw lastError;
|
|
42922
42958
|
}
|
|
42923
|
-
var log, DEFAULT_OPENAI_REASONING_EFFORT = "medium", OPENAI_REASONING_MODEL_IDS, _usageCallback = null, MAX_RATE_LIMIT_RETRIES = 20, MAX_IDLE_RESUME_RETRIES = 3, STREAM_IDLE_TIMEOUT_MS, StreamIdleTimeoutError, MAX_OBJECT_RATE_LIMIT_RETRIES = 8, ContextLengthError, ContextLengthExhaustedError, MAX_RESTART_DEPTH = 3, MAX_TOOL_INPUT_CHARS = 8000, MAX_SCHEMA_CHARS = 6000, MINIMAL_RESTART_PROMPT = "Continue the previous task. Earlier context was discarded due to repeated context-length errors.";
|
|
42959
|
+
var log, DEFAULT_OPENAI_REASONING_EFFORT = "medium", OPENAI_REASONING_MODEL_IDS, _usageCallback = null, SEQUENTIAL_TOOL_CALL_INSTRUCTION, MAX_RATE_LIMIT_RETRIES = 20, MAX_IDLE_RESUME_RETRIES = 3, STREAM_IDLE_TIMEOUT_MS, StreamIdleTimeoutError, MAX_OBJECT_RATE_LIMIT_RETRIES = 8, ContextLengthError, ContextLengthExhaustedError, MAX_RESTART_DEPTH = 3, MAX_TOOL_INPUT_CHARS = 8000, MAX_SCHEMA_CHARS = 6000, MINIMAL_RESTART_PROMPT = "Continue the previous task. Earlier context was discarded due to repeated context-length errors.";
|
|
42924
42960
|
var init_ai = __esm(() => {
|
|
42925
42961
|
init_dist4();
|
|
42926
42962
|
init_structured();
|
|
@@ -42947,6 +42983,7 @@ var init_ai = __esm(() => {
|
|
|
42947
42983
|
"gpt-5.5",
|
|
42948
42984
|
"gpt-5.5-2026-04-23"
|
|
42949
42985
|
]);
|
|
42986
|
+
SEQUENTIAL_TOOL_CALL_INSTRUCTION = "CRITICAL TOOL-CALLING RULE: Emit EXACTLY ONE tool call per response. " + "Never emit more than one tool call in a single turn. After each tool call, " + "wait for its result before making the next one. Emitting multiple tool " + "calls in one turn corrupts their arguments.";
|
|
42950
42987
|
STREAM_IDLE_TIMEOUT_MS = 5 * 60 * 1000;
|
|
42951
42988
|
StreamIdleTimeoutError = class StreamIdleTimeoutError extends Error {
|
|
42952
42989
|
constructor(idleMs) {
|
|
@@ -43797,7 +43834,7 @@ async function create2(input) {
|
|
|
43797
43834
|
if (normalizedConfig?.headers !== undefined) {
|
|
43798
43835
|
snapshotHeaders = { ...normalizedConfig.headers };
|
|
43799
43836
|
} else {
|
|
43800
|
-
const { config: appConfig } = await import("./index-
|
|
43837
|
+
const { config: appConfig } = await import("./index-t3rffyf8.js");
|
|
43801
43838
|
const cfg = await appConfig.get();
|
|
43802
43839
|
snapshotHeaders = cfg.defaultHeaders ? { ...cfg.defaultHeaders } : { ...DEFAULT_HEADER_RECORD };
|
|
43803
43840
|
}
|
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
import {
|
|
2
2
|
BlackboxAttackSurfaceAgent
|
|
3
|
-
} from "./cli-
|
|
3
|
+
} from "./cli-3n78e7hs.js";
|
|
4
4
|
import {
|
|
5
5
|
TargetedPentestAgent,
|
|
6
6
|
buildPentestSystemPrompt
|
|
7
|
-
} from "./cli-
|
|
7
|
+
} from "./cli-jh6k2m9z.js";
|
|
8
8
|
import {
|
|
9
9
|
CodeAgent
|
|
10
|
-
} from "./cli-
|
|
10
|
+
} from "./cli-jd0bfde5.js";
|
|
11
11
|
import {
|
|
12
12
|
AppsDiscoveryResultSchema,
|
|
13
13
|
DiscoverySummarySchema,
|
|
@@ -15,10 +15,10 @@ import {
|
|
|
15
15
|
WHITEBOX_APPS_DISCOVERY_SYSTEM_PROMPT,
|
|
16
16
|
WHITEBOX_DISCOVERY_SYSTEM_PROMPT,
|
|
17
17
|
WHITEBOX_ENDPOINT_DOCUMENTATION_SYSTEM_PROMPT
|
|
18
|
-
} from "./cli-
|
|
18
|
+
} from "./cli-za4t23gh.js";
|
|
19
19
|
import {
|
|
20
20
|
EvidenceFileEntrySchema
|
|
21
|
-
} from "./cli-
|
|
21
|
+
} from "./cli-8pw332mm.js";
|
|
22
22
|
import {
|
|
23
23
|
CweEntrySchema,
|
|
24
24
|
FindingsRegistry,
|
|
@@ -27,7 +27,7 @@ import {
|
|
|
27
27
|
ValidatedCweEntrySchema,
|
|
28
28
|
hasCanonicalName,
|
|
29
29
|
runWithBoundedConcurrency
|
|
30
|
-
} from "./cli-
|
|
30
|
+
} from "./cli-qdh225p7.js";
|
|
31
31
|
import {
|
|
32
32
|
createThreatModelPrompt
|
|
33
33
|
} from "./cli-fw5r7pfj.js";
|
|
@@ -38,7 +38,7 @@ import {
|
|
|
38
38
|
init_lazyLogger,
|
|
39
39
|
init_structured,
|
|
40
40
|
scopedLogger
|
|
41
|
-
} from "./cli-
|
|
41
|
+
} from "./cli-dk63pna5.js";
|
|
42
42
|
import {
|
|
43
43
|
exports_external1 as exports_external,
|
|
44
44
|
init_zod
|
|
@@ -110,6 +110,7 @@ var PentestReportFindingSchema = exports_external.object({
|
|
|
110
110
|
cwes: exports_external.array(ValidatedCweEntrySchema.or(CweEntrySchema)).optional(),
|
|
111
111
|
rootCauseGroup: exports_external.string().optional(),
|
|
112
112
|
relatedFindings: exports_external.array(exports_external.string()).optional(),
|
|
113
|
+
rootCauseLead: exports_external.boolean().optional(),
|
|
113
114
|
evidenceFiles: exports_external.array(EvidenceFileEntrySchema).optional()
|
|
114
115
|
});
|
|
115
116
|
var PentestReportSchema = exports_external.object({
|
|
@@ -168,6 +169,7 @@ function buildPentestReport(findings, context) {
|
|
|
168
169
|
cwes: f.cwes,
|
|
169
170
|
rootCauseGroup: f.rootCauseGroup,
|
|
170
171
|
relatedFindings: f.relatedFindings,
|
|
172
|
+
rootCauseLead: f.rootCauseLead,
|
|
171
173
|
evidenceFiles: f.evidenceFiles
|
|
172
174
|
}))
|
|
173
175
|
};
|
|
@@ -4128,7 +4130,7 @@ var django = {
|
|
|
4128
4130
|
return name === "urls.py" || name === "routes.py";
|
|
4129
4131
|
});
|
|
4130
4132
|
const includePrefixes = {};
|
|
4131
|
-
const pathIncludeRe = /path\s*\(\s*['"]([^'"]*)['"]\s*,\s*include\s*\(\s*['"]([^'"]+)['"]/g;
|
|
4133
|
+
const pathIncludeRe = /(?:path|re_path)\s*\(\s*[rRbBuUfF]*['"]([^'"]*)['"]\s*,\s*include\s*\(\s*[rRbBuUfF]*['"]([^'"]+)['"]/g;
|
|
4132
4134
|
for (const f of urlFiles) {
|
|
4133
4135
|
const content = ctx.readFile(f);
|
|
4134
4136
|
if (!content)
|
|
@@ -4137,7 +4139,7 @@ var django = {
|
|
|
4137
4139
|
includePrefixes[m[2]] = m[1];
|
|
4138
4140
|
}
|
|
4139
4141
|
}
|
|
4140
|
-
const directPathRe = /path\s*\(\s*['"]([^'"]*)['"]\s*,\s*(?!include)(\w[\w.]*)/g;
|
|
4142
|
+
const directPathRe = /(?:path|re_path)\s*\(\s*[rRbBuUfF]*['"]([^'"]*)['"]\s*,\s*(?!include)(\w[\w.]*)/g;
|
|
4141
4143
|
const apiViewRe = /@api_view\s*\(\s*\[([^\]]*)\]\s*\)(.*?)def\s+(\w+)\s*\(/gs;
|
|
4142
4144
|
for (const f of urlFiles) {
|
|
4143
4145
|
const content = ctx.readFile(f);
|
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
import {
|
|
2
2
|
OffensiveSecurityAgent
|
|
3
|
-
} from "./cli-
|
|
3
|
+
} from "./cli-qdh225p7.js";
|
|
4
4
|
import {
|
|
5
5
|
init_dist,
|
|
6
6
|
stepCountIs
|
|
7
|
-
} from "./cli-
|
|
7
|
+
} from "./cli-dk63pna5.js";
|
|
8
8
|
|
|
9
9
|
// src/core/agents/specialized/codeAgent/agent.ts
|
|
10
10
|
init_dist();
|