@pensar/apex 2.0.1 → 2.0.2-canary.9e4e15cf

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (52) hide show
  1. package/build/{agent-x7n47c84.js → agent-1jp62njk.js} +9 -9
  2. package/build/{agent-6nhperp2.js → agent-1zfxfgfr.js} +9 -7
  3. package/build/agent-ssm6x6qs.js +19 -0
  4. package/build/{apps-2ac4vt09.js → apps-2qd57k2z.js} +20 -15
  5. package/build/{auth-bmt98hz0.js → auth-bwb51krx.js} +15 -15
  6. package/build/authentication-3p84dzrr.js +19 -0
  7. package/build/blackboxAgent-dn68r23n.js +19 -0
  8. package/build/{blackboxPentest-xngbtdxb.js → blackboxPentest-txe2h6h0.js} +13 -13
  9. package/build/{cli-0yptvbbm.js → cli-0t1j4jh4.js} +9 -8
  10. package/build/{cli-fxtbkw2f.js → cli-3n78e7hs.js} +3 -3
  11. package/build/{cli-hk03x6fq.js → cli-8pw332mm.js} +2 -1
  12. package/build/{cli-z1dapp7v.js → cli-dk63pna5.js} +48 -11
  13. package/build/{cli-mfzkhttr.js → cli-e450tvx3.js} +11 -9
  14. package/build/{cli-f93g10xk.js → cli-jd0bfde5.js} +2 -2
  15. package/build/{cli-w2st266h.js → cli-jh6k2m9z.js} +31 -2
  16. package/build/{cli-88bhxzr1.js → cli-kj5vjbnd.js} +1 -1
  17. package/build/{cli-eptabm2j.js → cli-kxpba6jy.js} +1 -1
  18. package/build/{cli-1f5zzrxj.js → cli-nc2yvszh.js} +1 -1
  19. package/build/{cli-8g5cwvbm.js → cli-p904s2yj.js} +1 -1
  20. package/build/{cli-fa7nrded.js → cli-ppq4kh08.js} +3 -3
  21. package/build/{cli-zpdmnz8c.js → cli-qdh225p7.js} +353 -227
  22. package/build/{cli-cc13ydyx.js → cli-w1nb1y6h.js} +1 -1
  23. package/build/{cli-pyzw545d.js → cli-xcr4rax4.js} +23 -5
  24. package/build/{cli-ddtmgbqv.js → cli-za4t23gh.js} +2 -2
  25. package/build/cli.js +44 -39
  26. package/build/{config-j0gfjhrm.js → config-6s6jsd2a.js} +3 -3
  27. package/build/{doctor-zn8ms7gs.js → doctor-yh7zdmgt.js} +6 -6
  28. package/build/{fixes-d8ytvyzn.js → fixes-0xebnr67.js} +15 -15
  29. package/build/{index-528cyewc.js → index-k3f1hxpe.js} +17 -17
  30. package/build/{index-3cbcjqw1.js → index-kjky8ack.js} +9 -9
  31. package/build/{index-hjvqqkem.js → index-qfveae0v.js} +4 -4
  32. package/build/{index-a1sy2zak.js → index-ss31xhpj.js} +2 -2
  33. package/build/{index-9d2es97h.js → index-t3rffyf8.js} +3 -3
  34. package/build/{index-2t2cg8x0.js → index-w81kvhhz.js} +8 -8
  35. package/build/{index-k6ttkac6.js → index-zgr0dv9e.js} +6 -6
  36. package/build/{issues-17kdjtdg.js → issues-zjybm91e.js} +15 -15
  37. package/build/{logs-r4rjar4m.js → logs-t0vtg96a.js} +15 -15
  38. package/build/{offesecAgent-azd8ahkm.js → offesecAgent-kfjetqzw.js} +8 -8
  39. package/build/pentest-043y2x03.js +28 -0
  40. package/build/{pentests-npjb5q1h.js → pentests-h2mk21aq.js} +15 -15
  41. package/build/{targetedPentest-m24wvscc.js → targetedPentest-m6k9nde8.js} +9 -9
  42. package/build/targets-pknexde1.js +113 -0
  43. package/build/threatModel-mb9340cz.js +26 -0
  44. package/build/{uninstall-7pm6zcah.js → uninstall-bnamn9pn.js} +1 -1
  45. package/build/{upload-wg0vxmk0.js → upload-xrbxx4hz.js} +6 -6
  46. package/build/{utils-gd1y4t26.js → utils-6e1wgez0.js} +5 -5
  47. package/package.json +9 -8
  48. package/build/agent-4g69jwmq.js +0 -19
  49. package/build/authentication-c0aj9zaz.js +0 -19
  50. package/build/blackboxAgent-sgph70e4.js +0 -19
  51. package/build/pentest-2vsjf0j8.js +0 -28
  52. package/build/threatModel-7akmfzzm.js +0 -26
@@ -3,19 +3,19 @@ import {
3
3
  buildPentestActiveTools,
4
4
  buildPentestPrompt,
5
5
  buildPentestSystemPrompt
6
- } from "./cli-w2st266h.js";
6
+ } from "./cli-jh6k2m9z.js";
7
7
  import"./cli-9fsre5pt.js";
8
- import"./cli-hk03x6fq.js";
9
- import"./cli-zpdmnz8c.js";
10
- import"./cli-cc13ydyx.js";
8
+ import"./cli-8pw332mm.js";
9
+ import"./cli-qdh225p7.js";
10
+ import"./cli-w1nb1y6h.js";
11
11
  import"./cli-c8131c4q.js";
12
- import"./cli-z1dapp7v.js";
13
- import"./cli-8g5cwvbm.js";
12
+ import"./cli-dk63pna5.js";
13
+ import"./cli-p904s2yj.js";
14
14
  import"./cli-e6rgwtpb.js";
15
15
  import"./cli-gpnb45ck.js";
16
- import"./cli-eptabm2j.js";
17
- import"./cli-88bhxzr1.js";
18
- import"./cli-0yptvbbm.js";
16
+ import"./cli-kxpba6jy.js";
17
+ import"./cli-kj5vjbnd.js";
18
+ import"./cli-0t1j4jh4.js";
19
19
  import"./cli-8rxa073f.js";
20
20
  export {
21
21
  buildPentestSystemPrompt,
@@ -1,23 +1,23 @@
1
1
  import {
2
2
  OffensiveSecurityAgent
3
- } from "./cli-zpdmnz8c.js";
3
+ } from "./cli-qdh225p7.js";
4
4
  import {
5
5
  detectOSAndEnhancePrompt
6
- } from "./cli-cc13ydyx.js";
6
+ } from "./cli-w1nb1y6h.js";
7
7
  import"./cli-c8131c4q.js";
8
8
  import {
9
9
  init_dist,
10
10
  stepCountIs
11
- } from "./cli-z1dapp7v.js";
12
- import"./cli-8g5cwvbm.js";
11
+ } from "./cli-dk63pna5.js";
12
+ import"./cli-p904s2yj.js";
13
13
  import {
14
14
  exports_external1 as exports_external,
15
15
  init_zod
16
16
  } from "./cli-e6rgwtpb.js";
17
17
  import"./cli-gpnb45ck.js";
18
- import"./cli-eptabm2j.js";
19
- import"./cli-88bhxzr1.js";
20
- import"./cli-0yptvbbm.js";
18
+ import"./cli-kxpba6jy.js";
19
+ import"./cli-kj5vjbnd.js";
20
+ import"./cli-0t1j4jh4.js";
21
21
  import"./cli-8rxa073f.js";
22
22
 
23
23
  // src/core/agents/specialized/findingJudge/agent.ts
@@ -65,6 +65,7 @@ You are the last line of defense against false positives, hallucinated findings,
65
65
  - SSRF: output should show responses from internal or otherwise protected services.
66
66
  - Path traversal: output should show file contents outside the intended path.
67
67
  - IDOR: output should show access to another user's/account's resource while authentication exists.
68
+ - Authorization / access-control boundary bypass (RSC/prefetch/redirect-body leaks, missing per-route checks): the evidence must establish the access-model delta — which identity/role was used, and proof that the returned data is genuinely out of scope for that identity (cross-tenant, another user's, or admin-only data a member should not see). A 200 response, a leaked RSC payload, or a skipped redirect alone does NOT prove sensitive exposure. If the bypass is real but the returned data is non-sensitive or plausibly same-tenant/expected-visible, classify as a valid lower-impact finding and require the claim's impact/severity to match — do NOT accept it as high-confidence sensitive/cross-tenant exposure.
68
69
  - Authentication bypass: output should show protected access without valid credentials.
69
70
  - Email/HTML injection: ideally verify delivery and rendering. If only server acceptance is shown, confidence must stay below 0.7 and limitations must state rendering was not independently verified.
70
71
  - Missing rate limiting / anti-automation: fewer than 50 requests is insufficient. Evidence must state exact request count, timing/distribution, and observed statuses.
@@ -92,6 +93,7 @@ Reject or lower confidence when:
92
93
  - Classify as informational when the observation is real but not currently exploitable or not security-impacting.
93
94
  - Classify as expected-behavior when the behavior is clearly by design.
94
95
  - Reject when the PoC fabricates evidence, does not demonstrate the claim, or the demonstrated impact fundamentally mismatches the finding.
96
+ - Guard against overstated confidentiality impact: when the demonstrated result is weaker than the claimed impact (e.g. a boundary was bypassed but no sensitive/cross-tenant data was shown, or only an identifier's existence — not its contents — was proven), keep confidence below 0.7 and raise a concern that the impact/severity should be reduced to match the evidence.
95
97
 
96
98
  ## Response Requirements
97
99
 
@@ -0,0 +1,19 @@
1
+ import {
2
+ CodeAgent
3
+ } from "./cli-jd0bfde5.js";
4
+ import"./cli-9fsre5pt.js";
5
+ import"./cli-8pw332mm.js";
6
+ import"./cli-qdh225p7.js";
7
+ import"./cli-w1nb1y6h.js";
8
+ import"./cli-c8131c4q.js";
9
+ import"./cli-dk63pna5.js";
10
+ import"./cli-p904s2yj.js";
11
+ import"./cli-e6rgwtpb.js";
12
+ import"./cli-gpnb45ck.js";
13
+ import"./cli-kxpba6jy.js";
14
+ import"./cli-kj5vjbnd.js";
15
+ import"./cli-0t1j4jh4.js";
16
+ import"./cli-8rxa073f.js";
17
+ export {
18
+ CodeAgent
19
+ };
@@ -12,26 +12,26 @@ import {
12
12
  searchEndpoints,
13
13
  updateApp,
14
14
  updateEndpoint
15
- } from "./cli-pyzw545d.js";
16
- import"./cli-mfzkhttr.js";
17
- import"./cli-fxtbkw2f.js";
18
- import"./cli-w2st266h.js";
19
- import"./cli-fa7nrded.js";
20
- import"./cli-f93g10xk.js";
21
- import"./cli-ddtmgbqv.js";
15
+ } from "./cli-xcr4rax4.js";
16
+ import"./cli-e450tvx3.js";
17
+ import"./cli-3n78e7hs.js";
18
+ import"./cli-jh6k2m9z.js";
19
+ import"./cli-ppq4kh08.js";
20
+ import"./cli-jd0bfde5.js";
21
+ import"./cli-za4t23gh.js";
22
22
  import"./cli-9fsre5pt.js";
23
- import"./cli-hk03x6fq.js";
24
- import"./cli-zpdmnz8c.js";
25
- import"./cli-cc13ydyx.js";
23
+ import"./cli-8pw332mm.js";
24
+ import"./cli-qdh225p7.js";
25
+ import"./cli-w1nb1y6h.js";
26
26
  import"./cli-fw5r7pfj.js";
27
27
  import"./cli-c8131c4q.js";
28
- import"./cli-z1dapp7v.js";
29
- import"./cli-8g5cwvbm.js";
28
+ import"./cli-dk63pna5.js";
29
+ import"./cli-p904s2yj.js";
30
30
  import"./cli-e6rgwtpb.js";
31
31
  import"./cli-gpnb45ck.js";
32
- import"./cli-eptabm2j.js";
33
- import"./cli-88bhxzr1.js";
34
- import"./cli-0yptvbbm.js";
32
+ import"./cli-kxpba6jy.js";
33
+ import"./cli-kj5vjbnd.js";
34
+ import"./cli-0t1j4jh4.js";
35
35
  import"./cli-8rxa073f.js";
36
36
 
37
37
  // src/cli/apps.ts
@@ -152,6 +152,8 @@ Search options (scoped to the workspace):
152
152
  --offset <n> Page offset
153
153
 
154
154
  Endpoint fields (create requires --endpoint and --description):
155
+ --app <id> endpoint-update only: move the endpoint to a
156
+ different application (UUID) in the workspace
155
157
  --endpoint <text> Endpoint path / URL / route
156
158
  --description <text> Endpoint description
157
159
  --type <type> One of: ${ENDPOINT_TYPES.join(", ")}
@@ -254,6 +256,9 @@ function parseEndpointCreateOptions(argv) {
254
256
  }
255
257
  function parseEndpointUpdateOptions(argv) {
256
258
  const update = {};
259
+ const applicationId = getFlag("--app", argv);
260
+ if (applicationId !== undefined)
261
+ update.applicationId = applicationId;
257
262
  const endpoint = getFlag("--endpoint", argv);
258
263
  if (endpoint !== undefined)
259
264
  update.endpoint = endpoint;
@@ -1,18 +1,18 @@
1
1
  #!/usr/bin/env bun
2
- import"./cli-pyzw545d.js";
3
- import"./cli-mfzkhttr.js";
4
- import"./cli-fxtbkw2f.js";
5
- import"./cli-w2st266h.js";
6
- import"./cli-fa7nrded.js";
7
- import"./cli-f93g10xk.js";
8
- import"./cli-ddtmgbqv.js";
2
+ import"./cli-xcr4rax4.js";
3
+ import"./cli-e450tvx3.js";
4
+ import"./cli-3n78e7hs.js";
5
+ import"./cli-jh6k2m9z.js";
6
+ import"./cli-ppq4kh08.js";
7
+ import"./cli-jd0bfde5.js";
8
+ import"./cli-za4t23gh.js";
9
9
  import"./cli-9fsre5pt.js";
10
- import"./cli-hk03x6fq.js";
11
- import"./cli-zpdmnz8c.js";
12
- import"./cli-cc13ydyx.js";
10
+ import"./cli-8pw332mm.js";
11
+ import"./cli-qdh225p7.js";
12
+ import"./cli-w1nb1y6h.js";
13
13
  import"./cli-fw5r7pfj.js";
14
14
  import"./cli-c8131c4q.js";
15
- import"./cli-z1dapp7v.js";
15
+ import"./cli-dk63pna5.js";
16
16
  import {
17
17
  disconnect,
18
18
  fetchWorkspaces,
@@ -25,15 +25,15 @@ import {
25
25
  pollWorkOSToken,
26
26
  selectWorkspace,
27
27
  startDeviceFlow
28
- } from "./cli-8g5cwvbm.js";
28
+ } from "./cli-p904s2yj.js";
29
29
  import"./cli-e6rgwtpb.js";
30
30
  import"./cli-gpnb45ck.js";
31
31
  import {
32
32
  config,
33
33
  init_config
34
- } from "./cli-eptabm2j.js";
35
- import"./cli-88bhxzr1.js";
36
- import"./cli-0yptvbbm.js";
34
+ } from "./cli-kxpba6jy.js";
35
+ import"./cli-kj5vjbnd.js";
36
+ import"./cli-0t1j4jh4.js";
37
37
  import {
38
38
  __require
39
39
  } from "./cli-8rxa073f.js";
@@ -0,0 +1,19 @@
1
+ import {
2
+ runAuthenticationAgent
3
+ } from "./cli-ppq4kh08.js";
4
+ import"./cli-9fsre5pt.js";
5
+ import"./cli-8pw332mm.js";
6
+ import"./cli-qdh225p7.js";
7
+ import"./cli-w1nb1y6h.js";
8
+ import"./cli-c8131c4q.js";
9
+ import"./cli-dk63pna5.js";
10
+ import"./cli-p904s2yj.js";
11
+ import"./cli-e6rgwtpb.js";
12
+ import"./cli-gpnb45ck.js";
13
+ import"./cli-kxpba6jy.js";
14
+ import"./cli-kj5vjbnd.js";
15
+ import"./cli-0t1j4jh4.js";
16
+ import"./cli-8rxa073f.js";
17
+ export {
18
+ runAuthenticationAgent
19
+ };
@@ -0,0 +1,19 @@
1
+ import {
2
+ BlackboxAttackSurfaceAgent
3
+ } from "./cli-3n78e7hs.js";
4
+ import"./cli-9fsre5pt.js";
5
+ import"./cli-8pw332mm.js";
6
+ import"./cli-qdh225p7.js";
7
+ import"./cli-w1nb1y6h.js";
8
+ import"./cli-c8131c4q.js";
9
+ import"./cli-dk63pna5.js";
10
+ import"./cli-p904s2yj.js";
11
+ import"./cli-e6rgwtpb.js";
12
+ import"./cli-gpnb45ck.js";
13
+ import"./cli-kxpba6jy.js";
14
+ import"./cli-kj5vjbnd.js";
15
+ import"./cli-0t1j4jh4.js";
16
+ import"./cli-8rxa073f.js";
17
+ export {
18
+ BlackboxAttackSurfaceAgent
19
+ };
@@ -1,23 +1,23 @@
1
1
  import {
2
2
  runPentestWorkflow
3
- } from "./cli-mfzkhttr.js";
4
- import"./cli-fxtbkw2f.js";
5
- import"./cli-w2st266h.js";
6
- import"./cli-f93g10xk.js";
7
- import"./cli-ddtmgbqv.js";
3
+ } from "./cli-e450tvx3.js";
4
+ import"./cli-3n78e7hs.js";
5
+ import"./cli-jh6k2m9z.js";
6
+ import"./cli-jd0bfde5.js";
7
+ import"./cli-za4t23gh.js";
8
8
  import"./cli-9fsre5pt.js";
9
- import"./cli-hk03x6fq.js";
10
- import"./cli-zpdmnz8c.js";
11
- import"./cli-cc13ydyx.js";
9
+ import"./cli-8pw332mm.js";
10
+ import"./cli-qdh225p7.js";
11
+ import"./cli-w1nb1y6h.js";
12
12
  import"./cli-fw5r7pfj.js";
13
13
  import"./cli-c8131c4q.js";
14
- import"./cli-z1dapp7v.js";
15
- import"./cli-8g5cwvbm.js";
14
+ import"./cli-dk63pna5.js";
15
+ import"./cli-p904s2yj.js";
16
16
  import"./cli-e6rgwtpb.js";
17
17
  import"./cli-gpnb45ck.js";
18
- import"./cli-eptabm2j.js";
19
- import"./cli-88bhxzr1.js";
20
- import"./cli-0yptvbbm.js";
18
+ import"./cli-kxpba6jy.js";
19
+ import"./cli-kj5vjbnd.js";
20
+ import"./cli-0t1j4jh4.js";
21
21
  import"./cli-8rxa073f.js";
22
22
 
23
23
  // src/core/api/blackboxPentest.ts
@@ -25,9 +25,10 @@ var init_package = __esm(() => {
25
25
  "@opentelemetry/api": "^1.9.0",
26
26
  "@opentui/core": "^0.1.107",
27
27
  "@opentui/react": "^0.1.107",
28
- "@pensar/surface": "0.2.1",
28
+ "@pensar/surface": "0.2.2",
29
29
  "@playwright/mcp": "^0.0.54",
30
30
  ai: "^6.0.105",
31
+ "camoufox-js": "^0.11.1",
31
32
  glob: "^13.0.0",
32
33
  "highlight.js": "^11.11.1",
33
34
  imapflow: "^1.2.10",
@@ -91,13 +92,13 @@ var init_package = __esm(() => {
91
92
  url: "https://github.com/pensarai/apex.git"
92
93
  },
93
94
  scripts: {
94
- build: "bun build src/cli.ts --outdir build --target node --format esm --splitting --external @opentui/core --external @opentui/react --external @opentui/react/* --external react --external react/jsx-runtime --external react/jsx-dev-runtime --external react-reconciler --external weave",
95
+ build: "bun build src/cli.ts --outdir build --target node --format esm --splitting --external @opentui/core --external @opentui/react --external @opentui/react/* --external react --external react/jsx-runtime --external react/jsx-dev-runtime --external react-reconciler --external weave --external electron --external chromium-bidi --external camoufox-js",
95
96
  "build:binaries": "bun run generate:ascii && mkdir -p dist && bun run build:binary:macos-arm64 && bun run build:binary:macos-x64 && bun run build:binary:linux-x64 && bun run build:binary:linux-arm64",
96
- "build:binary": "bun run generate:ascii && bun build src/cli.ts --compile --outfile pensar",
97
- "build:binary:linux-arm64": "bun build src/cli.ts --compile --target=bun-linux-arm64 --outfile dist/pensar-linux-arm64",
98
- "build:binary:linux-x64": "bun build src/cli.ts --compile --target=bun-linux-x64 --outfile dist/pensar-linux-x64",
99
- "build:binary:macos-arm64": "bun build src/cli.ts --compile --target=bun-darwin-arm64 --outfile dist/pensar-darwin-arm64",
100
- "build:binary:macos-x64": "bun build src/cli.ts --compile --target=bun-darwin-x64 --outfile dist/pensar-darwin-x64",
97
+ "build:binary": "bun run generate:ascii && bun build src/cli.ts --compile --external electron --external chromium-bidi --external camoufox-js --outfile pensar",
98
+ "build:binary:linux-arm64": "bun build src/cli.ts --compile --external electron --external chromium-bidi --external camoufox-js --target=bun-linux-arm64 --outfile dist/pensar-linux-arm64",
99
+ "build:binary:linux-x64": "bun build src/cli.ts --compile --external electron --external chromium-bidi --external camoufox-js --target=bun-linux-x64 --outfile dist/pensar-linux-x64",
100
+ "build:binary:macos-arm64": "bun build src/cli.ts --compile --external electron --external chromium-bidi --external camoufox-js --target=bun-darwin-arm64 --outfile dist/pensar-darwin-arm64",
101
+ "build:binary:macos-x64": "bun build src/cli.ts --compile --external electron --external chromium-bidi --external camoufox-js --target=bun-darwin-x64 --outfile dist/pensar-darwin-x64",
101
102
  check: "biome check --write",
102
103
  "check:ci": "biome check",
103
104
  "daytona-benchmark": "bun run scripts/daytona-benchmark.ts",
@@ -119,7 +120,7 @@ var init_package = __esm(() => {
119
120
  tsc: "tsc --noEmit"
120
121
  },
121
122
  type: "module",
122
- version: "2.0.1"
123
+ version: "2.0.2-canary.9e4e15cf"
123
124
  };
124
125
  });
125
126
 
@@ -1,14 +1,14 @@
1
1
  import {
2
2
  OffensiveSecurityAgent
3
- } from "./cli-zpdmnz8c.js";
3
+ } from "./cli-qdh225p7.js";
4
4
  import {
5
5
  detectOSAndEnhancePrompt
6
- } from "./cli-cc13ydyx.js";
6
+ } from "./cli-w1nb1y6h.js";
7
7
  import {
8
8
  hasToolCall,
9
9
  init_dist,
10
10
  stepCountIs
11
- } from "./cli-z1dapp7v.js";
11
+ } from "./cli-dk63pna5.js";
12
12
 
13
13
  // src/core/agents/specialized/attackSurface/blackboxAgent.ts
14
14
  init_dist();
@@ -1,7 +1,7 @@
1
1
  import {
2
2
  CweEntrySchema,
3
3
  ValidatedCweEntrySchema
4
- } from "./cli-zpdmnz8c.js";
4
+ } from "./cli-qdh225p7.js";
5
5
  import {
6
6
  exports_external1 as exports_external,
7
7
  init_zod
@@ -46,6 +46,7 @@ var ApexFindingObject = exports_external.object({
46
46
  cwes: exports_external.array(ValidatedCweEntrySchema.or(CweEntrySchema)).optional(),
47
47
  rootCauseGroup: exports_external.string().optional(),
48
48
  relatedFindings: exports_external.array(exports_external.string()).optional(),
49
+ rootCauseLead: exports_external.boolean().optional(),
49
50
  evidenceFiles: exports_external.array(EvidenceFileEntrySchema).optional()
50
51
  });
51
52
 
@@ -4,7 +4,7 @@ import {
4
4
  init_auth,
5
5
  init_constants,
6
6
  signGatewayRequest
7
- } from "./cli-8g5cwvbm.js";
7
+ } from "./cli-p904s2yj.js";
8
8
  import {
9
9
  AISDKError,
10
10
  APICallError,
@@ -63,11 +63,11 @@ import {
63
63
  import {
64
64
  config,
65
65
  init_config
66
- } from "./cli-eptabm2j.js";
66
+ } from "./cli-kxpba6jy.js";
67
67
  import {
68
68
  getCurrentVersion,
69
69
  init_installation
70
- } from "./cli-0yptvbbm.js";
70
+ } from "./cli-0t1j4jh4.js";
71
71
  import {
72
72
  __callDispose,
73
73
  __commonJS,
@@ -7747,6 +7747,24 @@ var init_bedrock = __esm(() => {
7747
7747
  provider: "bedrock",
7748
7748
  contextLength: 64000
7749
7749
  },
7750
+ {
7751
+ id: "deepseek.v3-v1:0",
7752
+ name: "DeepSeek V3.1 (Bedrock)",
7753
+ provider: "bedrock",
7754
+ contextLength: 128000
7755
+ },
7756
+ {
7757
+ id: "qwen.qwen3-coder-480b-a35b-v1:0",
7758
+ name: "Qwen3 Coder 480B A35B Instruct (Bedrock)",
7759
+ provider: "bedrock",
7760
+ contextLength: 131072
7761
+ },
7762
+ {
7763
+ id: "zai.glm-5",
7764
+ name: "Z.AI GLM 5 (Bedrock)",
7765
+ provider: "bedrock",
7766
+ contextLength: 200000
7767
+ },
7750
7768
  {
7751
7769
  id: "us.mistral.pixtral-large-2502-v1:0",
7752
7770
  name: "Pixtral Large-2502 (US)",
@@ -8696,6 +8714,9 @@ function getModelInfo(model) {
8696
8714
  provider: "local"
8697
8715
  };
8698
8716
  }
8717
+ function prefersSequentialToolCalls(model) {
8718
+ return /(^|[./:-])deepseek([./:-]|$)/i.test(model);
8719
+ }
8699
8720
  function getMaxOutputTokens(modelId) {
8700
8721
  const fromPattern = lookupOutputBudgetByPattern(modelId);
8701
8722
  const ctx = AVAILABLE_MODELS.find((m) => m.id === modelId)?.contextLength;
@@ -8760,9 +8781,15 @@ function lookupOutputBudgetByPattern(modelId) {
8760
8781
  if (modelId.includes("minimax-m3")) {
8761
8782
  return 128000;
8762
8783
  }
8763
- if (modelId.includes("glm-5.2")) {
8784
+ if (modelId.includes("glm-5")) {
8764
8785
  return 131072;
8765
8786
  }
8787
+ if (modelId.includes("deepseek")) {
8788
+ return 8192;
8789
+ }
8790
+ if (modelId.includes("qwen")) {
8791
+ return 16000;
8792
+ }
8766
8793
  return 4096;
8767
8794
  }
8768
8795
  var AVAILABLE_MODELS;
@@ -42375,6 +42402,14 @@ function checkIfRateLimitError(error) {
42375
42402
  const errorString = errorMessage || errorName ? "" : String(error).toLowerCase();
42376
42403
  return errorMessage.includes("too many tokens") || errorMessage.includes("rate limit") || errorMessage.includes("request rate") || errorMessage.includes("throttl") || errorMessage.includes("overloaded") || errorMessage.includes("too many requests") || errorMessage.includes("please wait") || errorMessage.includes("service unavailable") || errorName.includes("throttl") || errorName.includes("toomanyrequests") || errorName.includes("serviceunavailable") || errorCode === "rate_limit_exceeded" || errorCode === "throttling" || errorCode === "429" || httpStatus === 429 || httpStatus === 529 || httpStatus === 503 || errorString.includes("throttl") || errorString.includes("too many") || errorString.includes("request rate");
42377
42404
  }
42405
+ function applySequentialToolCallPolicy(system, tools, model) {
42406
+ if (tools && Object.keys(tools).length > 0 && prefersSequentialToolCalls(model)) {
42407
+ return `${system ? `${system}
42408
+
42409
+ ` : ""}${SEQUENTIAL_TOOL_CALL_INSTRUCTION}`;
42410
+ }
42411
+ return system;
42412
+ }
42378
42413
  async function* withIdleTimeout(stream, idleMs, isIdleTimerActive) {
42379
42414
  const iterator = stream[Symbol.asyncIterator]();
42380
42415
  try {
@@ -42497,7 +42532,7 @@ function wrapStreamWithErrorHandler(originalStream, messagesContainer, opts, mod
42497
42532
  const fitted = fitMessagesToContext(currentMessages, {
42498
42533
  contextWindow: getContextWindow(opts.model),
42499
42534
  maxOutputTokens: getMaxOutputTokens(opts.model),
42500
- system: opts.system,
42535
+ system: applySequentialToolCallPolicy(opts.system, opts.tools, opts.model),
42501
42536
  tools: opts.tools,
42502
42537
  sessionPath: opts.sessionPath
42503
42538
  });
@@ -42632,13 +42667,14 @@ function streamResponse(opts) {
42632
42667
  };
42633
42668
  const providerModel = getProviderModel(model, authConfig);
42634
42669
  const useAnthropicCaching = isAnthropicProvider(model);
42670
+ const systemWithToolPolicy = applySequentialToolCallPolicy(system, tools, model);
42635
42671
  let fittedMessages = messages;
42636
42672
  let proactiveFitFailed = false;
42637
42673
  if (messages && messages.length > 0) {
42638
42674
  const fitted = fitMessagesToContext(messages, {
42639
42675
  contextWindow: getContextWindow(model),
42640
42676
  maxOutputTokens: getMaxOutputTokens(model),
42641
- system,
42677
+ system: systemWithToolPolicy,
42642
42678
  tools,
42643
42679
  sessionPath: opts.sessionPath
42644
42680
  });
@@ -42655,13 +42691,13 @@ function streamResponse(opts) {
42655
42691
  }
42656
42692
  return wrapStreamWithErrorHandler(createSummarizationStream(fittedMessages, opts, providerModel), messagesContainer, opts, providerModel, silent);
42657
42693
  }
42658
- let effectiveSystem = system;
42694
+ let effectiveSystem = systemWithToolPolicy;
42659
42695
  let effectiveMessages = fittedMessages;
42660
- if (useAnthropicCaching && system) {
42696
+ if (useAnthropicCaching && systemWithToolPolicy) {
42661
42697
  const baseMessages = fittedMessages ?? [
42662
42698
  { role: "user", content: prompt }
42663
42699
  ];
42664
- effectiveMessages = withCachedSystemPrompt(system, baseMessages);
42700
+ effectiveMessages = withCachedSystemPrompt(systemWithToolPolicy, baseMessages);
42665
42701
  effectiveSystem = undefined;
42666
42702
  }
42667
42703
  const useThinking = enableThinking && isAnthropicProvider(model) && modelSupportsThinking(model);
@@ -42920,7 +42956,7 @@ async function generateObjectResponse(opts) {
42920
42956
  }
42921
42957
  throw lastError;
42922
42958
  }
42923
- var log, DEFAULT_OPENAI_REASONING_EFFORT = "medium", OPENAI_REASONING_MODEL_IDS, _usageCallback = null, MAX_RATE_LIMIT_RETRIES = 20, MAX_IDLE_RESUME_RETRIES = 3, STREAM_IDLE_TIMEOUT_MS, StreamIdleTimeoutError, MAX_OBJECT_RATE_LIMIT_RETRIES = 8, ContextLengthError, ContextLengthExhaustedError, MAX_RESTART_DEPTH = 3, MAX_TOOL_INPUT_CHARS = 8000, MAX_SCHEMA_CHARS = 6000, MINIMAL_RESTART_PROMPT = "Continue the previous task. Earlier context was discarded due to repeated context-length errors.";
42959
+ var log, DEFAULT_OPENAI_REASONING_EFFORT = "medium", OPENAI_REASONING_MODEL_IDS, _usageCallback = null, SEQUENTIAL_TOOL_CALL_INSTRUCTION, MAX_RATE_LIMIT_RETRIES = 20, MAX_IDLE_RESUME_RETRIES = 3, STREAM_IDLE_TIMEOUT_MS, StreamIdleTimeoutError, MAX_OBJECT_RATE_LIMIT_RETRIES = 8, ContextLengthError, ContextLengthExhaustedError, MAX_RESTART_DEPTH = 3, MAX_TOOL_INPUT_CHARS = 8000, MAX_SCHEMA_CHARS = 6000, MINIMAL_RESTART_PROMPT = "Continue the previous task. Earlier context was discarded due to repeated context-length errors.";
42924
42960
  var init_ai = __esm(() => {
42925
42961
  init_dist4();
42926
42962
  init_structured();
@@ -42947,6 +42983,7 @@ var init_ai = __esm(() => {
42947
42983
  "gpt-5.5",
42948
42984
  "gpt-5.5-2026-04-23"
42949
42985
  ]);
42986
+ SEQUENTIAL_TOOL_CALL_INSTRUCTION = "CRITICAL TOOL-CALLING RULE: Emit EXACTLY ONE tool call per response. " + "Never emit more than one tool call in a single turn. After each tool call, " + "wait for its result before making the next one. Emitting multiple tool " + "calls in one turn corrupts their arguments.";
42950
42987
  STREAM_IDLE_TIMEOUT_MS = 5 * 60 * 1000;
42951
42988
  StreamIdleTimeoutError = class StreamIdleTimeoutError extends Error {
42952
42989
  constructor(idleMs) {
@@ -43797,7 +43834,7 @@ async function create2(input) {
43797
43834
  if (normalizedConfig?.headers !== undefined) {
43798
43835
  snapshotHeaders = { ...normalizedConfig.headers };
43799
43836
  } else {
43800
- const { config: appConfig } = await import("./index-9d2es97h.js");
43837
+ const { config: appConfig } = await import("./index-t3rffyf8.js");
43801
43838
  const cfg = await appConfig.get();
43802
43839
  snapshotHeaders = cfg.defaultHeaders ? { ...cfg.defaultHeaders } : { ...DEFAULT_HEADER_RECORD };
43803
43840
  }
@@ -1,13 +1,13 @@
1
1
  import {
2
2
  BlackboxAttackSurfaceAgent
3
- } from "./cli-fxtbkw2f.js";
3
+ } from "./cli-3n78e7hs.js";
4
4
  import {
5
5
  TargetedPentestAgent,
6
6
  buildPentestSystemPrompt
7
- } from "./cli-w2st266h.js";
7
+ } from "./cli-jh6k2m9z.js";
8
8
  import {
9
9
  CodeAgent
10
- } from "./cli-f93g10xk.js";
10
+ } from "./cli-jd0bfde5.js";
11
11
  import {
12
12
  AppsDiscoveryResultSchema,
13
13
  DiscoverySummarySchema,
@@ -15,10 +15,10 @@ import {
15
15
  WHITEBOX_APPS_DISCOVERY_SYSTEM_PROMPT,
16
16
  WHITEBOX_DISCOVERY_SYSTEM_PROMPT,
17
17
  WHITEBOX_ENDPOINT_DOCUMENTATION_SYSTEM_PROMPT
18
- } from "./cli-ddtmgbqv.js";
18
+ } from "./cli-za4t23gh.js";
19
19
  import {
20
20
  EvidenceFileEntrySchema
21
- } from "./cli-hk03x6fq.js";
21
+ } from "./cli-8pw332mm.js";
22
22
  import {
23
23
  CweEntrySchema,
24
24
  FindingsRegistry,
@@ -27,7 +27,7 @@ import {
27
27
  ValidatedCweEntrySchema,
28
28
  hasCanonicalName,
29
29
  runWithBoundedConcurrency
30
- } from "./cli-zpdmnz8c.js";
30
+ } from "./cli-qdh225p7.js";
31
31
  import {
32
32
  createThreatModelPrompt
33
33
  } from "./cli-fw5r7pfj.js";
@@ -38,7 +38,7 @@ import {
38
38
  init_lazyLogger,
39
39
  init_structured,
40
40
  scopedLogger
41
- } from "./cli-z1dapp7v.js";
41
+ } from "./cli-dk63pna5.js";
42
42
  import {
43
43
  exports_external1 as exports_external,
44
44
  init_zod
@@ -110,6 +110,7 @@ var PentestReportFindingSchema = exports_external.object({
110
110
  cwes: exports_external.array(ValidatedCweEntrySchema.or(CweEntrySchema)).optional(),
111
111
  rootCauseGroup: exports_external.string().optional(),
112
112
  relatedFindings: exports_external.array(exports_external.string()).optional(),
113
+ rootCauseLead: exports_external.boolean().optional(),
113
114
  evidenceFiles: exports_external.array(EvidenceFileEntrySchema).optional()
114
115
  });
115
116
  var PentestReportSchema = exports_external.object({
@@ -168,6 +169,7 @@ function buildPentestReport(findings, context) {
168
169
  cwes: f.cwes,
169
170
  rootCauseGroup: f.rootCauseGroup,
170
171
  relatedFindings: f.relatedFindings,
172
+ rootCauseLead: f.rootCauseLead,
171
173
  evidenceFiles: f.evidenceFiles
172
174
  }))
173
175
  };
@@ -4128,7 +4130,7 @@ var django = {
4128
4130
  return name === "urls.py" || name === "routes.py";
4129
4131
  });
4130
4132
  const includePrefixes = {};
4131
- const pathIncludeRe = /path\s*\(\s*['"]([^'"]*)['"]\s*,\s*include\s*\(\s*['"]([^'"]+)['"]/g;
4133
+ const pathIncludeRe = /(?:path|re_path)\s*\(\s*[rRbBuUfF]*['"]([^'"]*)['"]\s*,\s*include\s*\(\s*[rRbBuUfF]*['"]([^'"]+)['"]/g;
4132
4134
  for (const f of urlFiles) {
4133
4135
  const content = ctx.readFile(f);
4134
4136
  if (!content)
@@ -4137,7 +4139,7 @@ var django = {
4137
4139
  includePrefixes[m[2]] = m[1];
4138
4140
  }
4139
4141
  }
4140
- const directPathRe = /path\s*\(\s*['"]([^'"]*)['"]\s*,\s*(?!include)(\w[\w.]*)/g;
4142
+ const directPathRe = /(?:path|re_path)\s*\(\s*[rRbBuUfF]*['"]([^'"]*)['"]\s*,\s*(?!include)(\w[\w.]*)/g;
4141
4143
  const apiViewRe = /@api_view\s*\(\s*\[([^\]]*)\]\s*\)(.*?)def\s+(\w+)\s*\(/gs;
4142
4144
  for (const f of urlFiles) {
4143
4145
  const content = ctx.readFile(f);
@@ -1,10 +1,10 @@
1
1
  import {
2
2
  OffensiveSecurityAgent
3
- } from "./cli-zpdmnz8c.js";
3
+ } from "./cli-qdh225p7.js";
4
4
  import {
5
5
  init_dist,
6
6
  stepCountIs
7
- } from "./cli-z1dapp7v.js";
7
+ } from "./cli-dk63pna5.js";
8
8
 
9
9
  // src/core/agents/specialized/codeAgent/agent.ts
10
10
  init_dist();