@pensar/apex 2.1.2 → 2.1.3-canary.082299eb

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (59) hide show
  1. package/build/{agent-737mxp3v.js → agent-25rra8mk.js} +9 -8
  2. package/build/agent-qa4kk7v1.js +27 -0
  3. package/build/agent-xpddb5yz.js +19 -0
  4. package/build/{apps-j0bwey0w.js → apps-c4rdprzp.js} +17 -16
  5. package/build/{auth-5stxpmga.js → auth-cm0s3an4.js} +17 -16
  6. package/build/authentication-k8303p1y.js +19 -0
  7. package/build/blackboxAgent-8mpqbggt.js +19 -0
  8. package/build/{blackboxPentest-2edr9rj3.js → blackboxPentest-b1dqrv93.js} +15 -14
  9. package/build/{cli-hj3t87r2.js → cli-0kg01x44.js} +1 -1
  10. package/build/{cli-6wwpk9d9.js → cli-35rkgbhd.js} +1 -1
  11. package/build/{cli-f7d23ded.js → cli-3k1x5rn3.js} +936 -1775
  12. package/build/{cli-9z6vwf30.js → cli-7bzzjw1f.js} +1 -1
  13. package/build/{cli-tw3fe8bj.js → cli-7g8n2kkk.js} +2 -2
  14. package/build/{cli-yjbkaqvy.js → cli-8256tzw9.js} +79 -23
  15. package/build/{cli-jd0c0b91.js → cli-bh3e0th8.js} +1 -1
  16. package/build/{cli-xnnkeg5p.js → cli-bp7f8nyk.js} +1 -1
  17. package/build/{cli-v1aqbv58.js → cli-d28z7z1b.js} +29267 -25585
  18. package/build/{cli-dqkdnd3c.js → cli-db434rd0.js} +88 -49
  19. package/build/{cli-ks60cc3h.js → cli-f5javz2k.js} +30 -30
  20. package/build/{cli-gbkj2has.js → cli-nfnfwfcn.js} +5 -3
  21. package/build/{cli-6vs0mtsb.js → cli-nn5rxhvz.js} +4 -2
  22. package/build/{cli-whtdyc0e.js → cli-qdvef4qc.js} +6 -4
  23. package/build/cli-sekg25pa.js +195 -0
  24. package/build/{cli-35czfv00.js → cli-w5vt3svr.js} +70869 -79383
  25. package/build/{cli-0gk2x2sc.js → cli-wdahap6k.js} +18 -18
  26. package/build/{cli-9vzc18m5.js → cli-y4csaqh2.js} +53 -204
  27. package/build/cli.js +120 -90
  28. package/build/{config-s5ryv5ez.js → config-6hkn23py.js} +3 -3
  29. package/build/{doctor-f08gegwc.js → doctor-0prby1f0.js} +7 -7
  30. package/build/fastStrike-qts85kag.js +156 -0
  31. package/build/{fixes-qf4s92z2.js → fixes-kza6ej38.js} +17 -16
  32. package/build/{index-x4xefngs.js → index-6r19ej49.js} +3 -3
  33. package/build/{index-exvkbve0.js → index-7y1pwazv.js} +4 -4
  34. package/build/{index-mgng15va.js → index-gq9h8j5j.js} +909 -456
  35. package/build/{index-c6qz0gve.js → index-h6rxj451.js} +7 -7
  36. package/build/{index-s8gw83d6.js → index-m9djasp6.js} +19 -11
  37. package/build/{index-gakk2t5q.js → index-vjh370rj.js} +23 -19
  38. package/build/{index-5h1hjhzw.js → index-vk0czqw7.js} +10 -10
  39. package/build/{index-sqjve2bm.js → index-xzb9yxtf.js} +2 -2
  40. package/build/{issues-5anqrh2j.js → issues-35784nvy.js} +17 -16
  41. package/build/{logs-q6ankt6m.js → logs-14xzc32f.js} +17 -16
  42. package/build/{main-3zneyg7p.js → main-3d7dfdvs.js} +17 -93
  43. package/build/{offesecAgent-hsej0pfc.js → offesecAgent-767xjskr.js} +9 -9
  44. package/build/pentest-hf3hejjq.js +29 -0
  45. package/build/{pentests-hyx3c3qa.js → pentests-7zy73b60.js} +17 -16
  46. package/build/targetedPentest-m3ypnmfk.js +44 -0
  47. package/build/{targets-9cqrshet.js → targets-nay3vmqy.js} +17 -16
  48. package/build/threatModel-p8khw8tr.js +27 -0
  49. package/build/{uninstall-1j469qj7.js → uninstall-acg2vcpm.js} +1 -1
  50. package/build/{upload-ymvhkyq5.js → upload-pjr2zgys.js} +7 -7
  51. package/build/{utils-d1ed6jzf.js → utils-v0mj3yrn.js} +6 -6
  52. package/package.json +30 -30
  53. package/build/agent-8w9h3tnw.js +0 -19
  54. package/build/agent-vdrtakz4.js +0 -25
  55. package/build/authentication-qswvctj4.js +0 -19
  56. package/build/blackboxAgent-vwm9t3h4.js +0 -19
  57. package/build/pentest-1e30q7rs.js +0 -28
  58. package/build/targetedPentest-ws0a7frk.js +0 -36
  59. package/build/threatModel-z9b213x8.js +0 -26
@@ -1,9 +1,9 @@
1
1
  import {
2
2
  OffensiveSecurityAgent
3
- } from "./cli-35czfv00.js";
3
+ } from "./cli-w5vt3svr.js";
4
4
  import {
5
5
  detectOSAndEnhancePrompt
6
- } from "./cli-6wwpk9d9.js";
6
+ } from "./cli-35rkgbhd.js";
7
7
  import {
8
8
  createLogger,
9
9
  hasToolCall,
@@ -11,7 +11,7 @@ import {
11
11
  init_lazyLogger,
12
12
  init_structured,
13
13
  scopedLogger
14
- } from "./cli-v1aqbv58.js";
14
+ } from "./cli-d28z7z1b.js";
15
15
 
16
16
  // src/core/agents/specialized/authenticationAgent/agent.ts
17
17
  init_dist();
@@ -37,9 +37,9 @@ Obtain valid credentials/sessions that other agents can use for authenticated te
37
37
  # Available Tools
38
38
 
39
39
  ## API Authentication
40
- - \`authenticate_session\` — Submit credentials via form POST, JSON POST, or HTTP Basic auth.
41
- Params: loginUrl, username, password, method (form_post|json_post|basic_auth), usernameField, passwordField, additionalFields.
42
- - \`execute_command\` — Run curl or other shell commands for custom/complex API auth flows.
40
+ - \`execute_command\` — Run curl (or other shell commands) to submit credentials via form POST,
41
+ JSON POST, or HTTP Basic auth, and to capture the Set-Cookie / token response. Use this for all
42
+ custom and complex API auth flows.
43
43
 
44
44
  ## Browser Authentication
45
45
  - \`browser_navigate\` — Navigate to login page
@@ -77,11 +77,11 @@ Look for:
77
77
  ## Step 2: Authenticate
78
78
 
79
79
  ### API path (use when target is an API or has a simple form):
80
- 1. Call \`authenticate_session\` with the correct method and credentials.
81
- - \`form_post\` for HTML forms
82
- - \`json_post\` for JSON APIs
83
- - \`basic_auth\` for HTTP Basic
84
- 2. Check the response — if authenticated is true, you have a session cookie.
80
+ 1. Use \`execute_command\` with curl to submit the credentials, matching the target's scheme:
81
+ - \`curl -i -d 'username=...&password=...' <loginUrl>\` for HTML form POST
82
+ - \`curl -i -H 'Content-Type: application/json' -d '{"username":"...","password":"..."}' <loginUrl>\` for JSON APIs
83
+ - \`curl -i -u '<user>:<pass>' <url>\` for HTTP Basic
84
+ 2. Inspect the response (\`-i\` shows headers) capture any \`Set-Cookie\` value or token to use as the session credential.
85
85
 
86
86
  ### Browser path (use for SPAs, OAuth, JS-rendered forms):
87
87
  1. \`browser_navigate\` to the login URL
@@ -113,7 +113,7 @@ If both API and browser approaches fail, use \`delegate_to_auth_subagent\` for c
113
113
  **First**, call \`complete_authentication\` with:
114
114
  - \`success\`: whether auth succeeded
115
115
  - \`summary\`: what happened and what credentials/cookies were obtained
116
- - \`exportedCookies\`: the cookie string for downstream HTTP requests (from browser_get_cookies cookieHeader or authenticate_session response)
116
+ - \`exportedCookies\`: the cookie string for downstream HTTP requests (from browser_get_cookies cookieHeader or the Set-Cookie header in the curl response)
117
117
  - \`exportedHeaders\`: auth headers map, e.g. {"Authorization": "Bearer <token>"} (from browser_evaluate localStorage tokens or API response)
118
118
  - \`strategy\`: method used ("browser", "form_post", "json_post", "basic_auth", "bearer")
119
119
  - \`authBarrier\`: if a barrier was encountered (captcha, mfa, etc.)
@@ -179,6 +179,7 @@ class AuthenticationAgent extends OffensiveSecurityAgent {
179
179
  context,
180
180
  environmentVariables,
181
181
  enableThinking,
182
+ thinkingEffort,
182
183
  openAIReasoningEffort
183
184
  } = opts;
184
185
  const cm = session.credentialManager;
@@ -195,11 +196,11 @@ class AuthenticationAgent extends OffensiveSecurityAgent {
195
196
  subagentId,
196
197
  environmentVariables,
197
198
  enableThinking,
199
+ thinkingEffort,
198
200
  openAIReasoningEffort,
199
201
  toolChoice: "auto",
200
202
  activeTools: [
201
203
  "execute_command",
202
- "authenticate_session",
203
204
  "complete_authentication",
204
205
  "browser_navigate",
205
206
  "browser_snapshot",
@@ -294,17 +295,16 @@ function buildAuthPrompt(target, authHints, credentialManager, context) {
294
295
  if (credBlock) {
295
296
  parts.push(`INSTRUCTIONS:
296
297
  You have credentials available via credential IDs — authenticate immediately.
297
- 1. Try authenticate_session first (pass the credentialId secrets are resolved automatically)
298
- 2. If authenticate_session fails, use browser tools. For browser_fill on password/secret fields,
298
+ 1. For API/form logins, use execute_command (curl) to submit credentials and capture the Set-Cookie / token response
299
+ 2. For browser-based logins, use the browser tools. For browser_fill on password/secret fields,
299
300
  pass credentialId + credentialField (e.g. credentialField="password") instead of the raw value —
300
301
  the secret is resolved securely at execution time. NEVER type a password directly.
301
302
  3. Call complete_authentication with exported cookies/headers to persist credentials and end the run`);
302
303
  } else {
303
304
  parts.push(`INSTRUCTIONS:
304
305
  1. Probe the target with execute_command (curl) to determine the auth mechanism
305
- 2. Attempt authentication with authenticate_session or the browser tools
306
- 3. If that fails, try delegate_to_auth_subagent as a fallback
307
- 4. Call complete_authentication with exported cookies/headers to persist credentials and end the run`);
306
+ 2. Attempt authentication with execute_command (curl) or the browser tools
307
+ 3. Call complete_authentication with exported cookies/headers to persist credentials and end the run`);
308
308
  }
309
309
  return parts.join(`
310
310
  `);
@@ -1,13 +1,20 @@
1
1
  import {
2
2
  BlackboxAttackSurfaceAgent
3
- } from "./cli-whtdyc0e.js";
3
+ } from "./cli-qdvef4qc.js";
4
+ import {
5
+ REPORT_FILENAME_JSON,
6
+ REPORT_FILENAME_MD,
7
+ buildPentestReport,
8
+ renderJson,
9
+ renderMarkdown
10
+ } from "./cli-sekg25pa.js";
4
11
  import {
5
12
  TargetedPentestAgent,
6
13
  buildPentestSystemPrompt
7
- } from "./cli-yjbkaqvy.js";
14
+ } from "./cli-8256tzw9.js";
8
15
  import {
9
16
  CodeAgent
10
- } from "./cli-6vs0mtsb.js";
17
+ } from "./cli-nn5rxhvz.js";
11
18
  import {
12
19
  AppsDiscoveryResultSchema,
13
20
  DiscoverySummarySchema,
@@ -15,19 +22,14 @@ import {
15
22
  WHITEBOX_APPS_DISCOVERY_SYSTEM_PROMPT,
16
23
  WHITEBOX_DISCOVERY_SYSTEM_PROMPT,
17
24
  WHITEBOX_ENDPOINT_DOCUMENTATION_SYSTEM_PROMPT
18
- } from "./cli-gbkj2has.js";
19
- import {
20
- EvidenceFileEntrySchema
21
- } from "./cli-tw3fe8bj.js";
25
+ } from "./cli-nfnfwfcn.js";
22
26
  import {
23
- CweEntrySchema,
24
27
  FindingsRegistry,
25
28
  OffensiveSecurityAgent,
26
29
  PLAN_MODE_TOOL_NAMES,
27
- ValidatedCweEntrySchema,
28
- hasCanonicalName,
30
+ pLimit,
29
31
  runWithBoundedConcurrency
30
- } from "./cli-35czfv00.js";
32
+ } from "./cli-w5vt3svr.js";
31
33
  import {
32
34
  createThreatModelPrompt
33
35
  } from "./cli-fw5r7pfj.js";
@@ -36,13 +38,13 @@ import {
36
38
  hasToolCall,
37
39
  init_dist,
38
40
  init_lazyLogger,
41
+ init_session,
39
42
  init_structured,
40
43
  scopedLogger
41
- } from "./cli-v1aqbv58.js";
44
+ } from "./cli-d28z7z1b.js";
42
45
  import {
43
- exports_external,
44
- init_zod
45
- } from "./cli-f7d23ded.js";
46
+ __require
47
+ } from "./cli-8rxa073f.js";
46
48
 
47
49
  // src/core/workflows/pentest.ts
48
50
  init_dist();
@@ -95,185 +97,6 @@ ${objectiveList}
95
97
  // src/core/workflows/pentest.ts
96
98
  init_structured();
97
99
 
98
- // src/core/report/schemas.ts
99
- init_zod();
100
- var PentestReportFindingSchema = exports_external.object({
101
- title: exports_external.string(),
102
- severity: exports_external.enum(["CRITICAL", "HIGH", "MEDIUM", "LOW"]),
103
- description: exports_external.string(),
104
- impact: exports_external.string(),
105
- evidence: exports_external.string(),
106
- endpoint: exports_external.string(),
107
- pocPath: exports_external.string(),
108
- remediation: exports_external.string(),
109
- references: exports_external.string().optional(),
110
- cwes: exports_external.array(ValidatedCweEntrySchema.or(CweEntrySchema)).optional(),
111
- rootCauseGroup: exports_external.string().optional(),
112
- relatedFindings: exports_external.array(exports_external.string()).optional(),
113
- rootCauseLead: exports_external.boolean().optional(),
114
- evidenceFiles: exports_external.array(EvidenceFileEntrySchema).optional()
115
- });
116
- var PentestReportSchema = exports_external.object({
117
- version: exports_external.string().regex(/^1\.\d+$/),
118
- metadata: exports_external.object({
119
- target: exports_external.string(),
120
- model: exports_external.string(),
121
- timestamp: exports_external.string(),
122
- sessionId: exports_external.string(),
123
- mode: exports_external.enum(["blackbox", "whitebox", "targeted"])
124
- }),
125
- summary: exports_external.object({
126
- totalFindings: exports_external.number(),
127
- bySeverity: exports_external.object({
128
- CRITICAL: exports_external.number(),
129
- HIGH: exports_external.number(),
130
- MEDIUM: exports_external.number(),
131
- LOW: exports_external.number()
132
- })
133
- }),
134
- findings: exports_external.array(PentestReportFindingSchema)
135
- });
136
- var REPORT_VERSION = "1.0";
137
-
138
- // src/core/report/builder.ts
139
- var SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"];
140
- function buildPentestReport(findings, context) {
141
- const sorted = [...findings].sort((a, b) => SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity));
142
- const bySeverity = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
143
- for (const f of findings) {
144
- bySeverity[f.severity]++;
145
- }
146
- return {
147
- version: REPORT_VERSION,
148
- metadata: {
149
- target: context.target,
150
- model: context.model,
151
- timestamp: new Date().toISOString(),
152
- sessionId: context.sessionId,
153
- mode: context.mode
154
- },
155
- summary: {
156
- totalFindings: findings.length,
157
- bySeverity
158
- },
159
- findings: sorted.map((f) => ({
160
- title: f.title,
161
- severity: f.severity,
162
- description: f.description,
163
- impact: f.impact,
164
- evidence: f.evidence,
165
- endpoint: f.endpoint,
166
- pocPath: f.pocPath,
167
- remediation: f.remediation,
168
- references: f.references,
169
- cwes: f.cwes,
170
- rootCauseGroup: f.rootCauseGroup,
171
- relatedFindings: f.relatedFindings,
172
- rootCauseLead: f.rootCauseLead,
173
- evidenceFiles: f.evidenceFiles
174
- }))
175
- };
176
- }
177
- // src/core/report/renderers/json.ts
178
- function renderJson(report) {
179
- return JSON.stringify(report, null, 2);
180
- }
181
- // src/core/report/renderers/markdown.ts
182
- function renderMarkdown(report) {
183
- const { metadata, findings, summary } = report;
184
- const header = [
185
- `# Pentest Report — ${metadata.target}`,
186
- "",
187
- `**Date:** ${metadata.timestamp} `,
188
- `**Session:** ${metadata.sessionId} `,
189
- `**Model:** ${metadata.model} `,
190
- `**Mode:** ${metadata.mode}`,
191
- "",
192
- `**Findings:** ${summary.totalFindings}`,
193
- ""
194
- ];
195
- if (findings.length === 0) {
196
- return [
197
- ...header,
198
- "No findings were identified during this assessment.",
199
- ""
200
- ].join(`
201
- `);
202
- }
203
- const body = findings.map((finding) => renderFinding(finding, metadata)).join(`
204
- `);
205
- return [...header, body].join(`
206
- `);
207
- }
208
- function renderFinding(finding, metadata) {
209
- const lines = [
210
- `# ${finding.title}`,
211
- "",
212
- `**Severity:** ${finding.severity} `,
213
- `**Target:** ${metadata.target} `,
214
- `**Endpoint:** ${finding.endpoint} `,
215
- `**Date:** ${metadata.timestamp} `,
216
- `**Session:** ${metadata.sessionId}`,
217
- "",
218
- "## Description",
219
- "",
220
- finding.description,
221
- "",
222
- "## Impact",
223
- "",
224
- finding.impact,
225
- "",
226
- "## Evidence",
227
- "",
228
- "```",
229
- finding.evidence,
230
- "```",
231
- "",
232
- ...finding.evidenceFiles?.length ? [
233
- "## Evidence Files",
234
- "",
235
- ...finding.evidenceFiles.map((ef) => `- **[${ef.type}]** \`${ef.path}\` — ${ef.description}`),
236
- ""
237
- ] : [],
238
- ...finding.cwes?.length ? [
239
- "## CWE Classification",
240
- "",
241
- ...finding.cwes.map((cwe) => `- **${cwe.id}**${hasCanonicalName(cwe) ? `: ${cwe.name}` : ""} — ${cwe.reasoning}`),
242
- ""
243
- ] : [],
244
- ...finding.rootCauseGroup ? [
245
- "## Root Cause Group",
246
- "",
247
- `**Group:** \`${finding.rootCauseGroup}\``,
248
- ...finding.relatedFindings?.length ? [
249
- "",
250
- "**Related Findings:**",
251
- ...finding.relatedFindings.map((rf) => `- ${rf}`)
252
- ] : [],
253
- ""
254
- ] : [],
255
- "## POC",
256
- "",
257
- `Path: \`${finding.pocPath}\``,
258
- "",
259
- "## Remediation",
260
- "",
261
- finding.remediation,
262
- ...finding.references ? ["", `## References`, "", finding.references] : [],
263
- "",
264
- "---",
265
- "",
266
- "*This finding was automatically documented by the Pensar penetration testing agent.*",
267
- ""
268
- ];
269
- return lines.join(`
270
- `);
271
- }
272
-
273
- // src/core/report/index.ts
274
- var REPORT_FILENAME_MD = "pentest-report.md";
275
- var REPORT_FILENAME_JSON = "pentest-report.json";
276
-
277
100
  // src/core/session/execution-metrics.ts
278
101
  import { existsSync, readFileSync, writeFileSync } from "node:fs";
279
102
  import { join } from "node:path";
@@ -360,11 +183,13 @@ init_lazyLogger();
360
183
  // src/core/session/persistence.ts
361
184
  init_structured();
362
185
  init_lazyLogger();
186
+ init_session();
363
187
  import {
364
188
  existsSync as existsSync2,
365
189
  mkdirSync,
366
190
  readdirSync,
367
191
  readFileSync as readFileSync2,
192
+ renameSync,
368
193
  statSync,
369
194
  writeFileSync as writeFileSync2
370
195
  } from "node:fs";
@@ -372,14 +197,14 @@ import { join as join2 } from "node:path";
372
197
  var log = scopedLogger(() => createLogger("session:persistence"));
373
198
  var SUBAGENTS_DIR = "subagents";
374
199
  var MANIFEST_FILE = "agent-manifest.json";
375
- function loadSubagentMessages(session, agentName) {
376
- const stepPath = join2(session.rootPath, SUBAGENTS_DIR, agentName, "messages.json");
200
+ function loadSubagentMessages(session, key) {
201
+ const stepPath = join2(session.rootPath, SUBAGENTS_DIR, key, "messages.json");
377
202
  if (existsSync2(stepPath)) {
378
203
  try {
379
204
  return JSON.parse(readFileSync2(stepPath, "utf-8"));
380
205
  } catch {}
381
206
  }
382
- const snapshotPath = join2(session.rootPath, SUBAGENTS_DIR, `${agentName}.json`);
207
+ const snapshotPath = join2(session.rootPath, SUBAGENTS_DIR, `${key}.json`);
383
208
  if (!existsSync2(snapshotPath))
384
209
  return [];
385
210
  try {
@@ -523,6 +348,9 @@ function parseSubagentFilename(filename) {
523
348
  if (filename.startsWith("orchestrator-")) {
524
349
  return { agentType: "pentest", name: "Orchestrator Summary" };
525
350
  }
351
+ if (filename.startsWith("ses_")) {
352
+ return { agentType: "pentest", name: "Pentest Worker" };
353
+ }
526
354
  return { agentType: "pentest", name: filename.split("-")[0] || "Unknown" };
527
355
  }
528
356
  function unwrapAiSdkToolOutput(output) {
@@ -833,8 +661,10 @@ async function runEndpointDocumentationAgent(opts) {
833
661
  onCacheMetrics,
834
662
  openAIReasoningEffort,
835
663
  enableThinking,
664
+ thinkingEffort,
836
665
  projectThreatModel,
837
- parentSubagentId
666
+ parentSubagentId,
667
+ agentLimiter
838
668
  } = opts;
839
669
  const subagentId = `endpoint-doc-${slug(app.name)}-${slug(endpoint.path)}`;
840
670
  const displayMethod = getDocumentMethod(endpoint);
@@ -871,12 +701,13 @@ async function runEndpointDocumentationAgent(opts) {
871
701
  onCacheMetrics,
872
702
  openAIReasoningEffort,
873
703
  enableThinking,
704
+ thinkingEffort,
874
705
  responseSchema: DiscoverySummarySchema,
875
706
  excludeTools: ["document_app", "list_files", "grep"],
876
707
  projectThreatModel
877
708
  });
878
709
  try {
879
- await agent.consume();
710
+ await (agentLimiter ? agentLimiter(() => agent.consume()) : agent.consume());
880
711
  eventBus?.emit("subagent-complete", {
881
712
  subagentId,
882
713
  status: "completed",
@@ -6195,6 +6026,7 @@ init_structured();
6195
6026
  init_lazyLogger();
6196
6027
  var log4 = scopedLogger(() => createLogger("whitebox-workflow"));
6197
6028
  var DEFAULT_CONCURRENCY = 5;
6029
+ var MAX_CONCURRENT_AGENTS = 12;
6198
6030
  var TASK_TYPE_LABELS = {
6199
6031
  pages: "Pages",
6200
6032
  apiEndpoints: "API Endpoints",
@@ -6225,11 +6057,15 @@ async function runWhiteboxAttackSurfaceWorkflow(input) {
6225
6057
  onCacheMetrics,
6226
6058
  openAIReasoningEffort,
6227
6059
  enableThinking,
6060
+ thinkingEffort,
6228
6061
  domains,
6229
6062
  projectThreatModel,
6230
6063
  environments,
6231
- surfaceIntegrationEnabled = true
6064
+ surfaceIntegrationEnabled = true,
6065
+ maxConcurrentAgents = MAX_CONCURRENT_AGENTS
6232
6066
  } = input;
6067
+ const agentSlots = pLimit(Math.max(1, maxConcurrentAgents));
6068
+ const agentLimiter = (fn) => agentSlots(fn);
6233
6069
  const appsAgent = new CodeAgent({
6234
6070
  codebasePath,
6235
6071
  objective: buildAppsDiscoveryObjective(codebasePath, domains, environments),
@@ -6245,6 +6081,7 @@ async function runWhiteboxAttackSurfaceWorkflow(input) {
6245
6081
  onCacheMetrics,
6246
6082
  openAIReasoningEffort,
6247
6083
  enableThinking,
6084
+ thinkingEffort,
6248
6085
  responseSchema: AppsDiscoveryResultSchema,
6249
6086
  projectThreatModel,
6250
6087
  excludeTools: ["document_endpoint"]
@@ -6256,7 +6093,7 @@ async function runWhiteboxAttackSurfaceWorkflow(input) {
6256
6093
  name: "Whitebox Apps Discovery",
6257
6094
  input: { codebasePath }
6258
6095
  });
6259
- const appsResult = await appsAgent.consume();
6096
+ const appsResult = await agentLimiter(() => appsAgent.consume());
6260
6097
  log4.info(`Phase 1 complete: ${appsResult?.apps.length ?? 0} apps discovered` + (appsResult ? ` (repoType=${appsResult.repoType}, packageManager=${appsResult.packageManager})` : " (no result returned)"));
6261
6098
  if (appsResult?.apps.length) {
6262
6099
  for (const app of appsResult.apps) {
@@ -6335,12 +6172,13 @@ async function runWhiteboxAttackSurfaceWorkflow(input) {
6335
6172
  onCacheMetrics,
6336
6173
  openAIReasoningEffort,
6337
6174
  enableThinking,
6175
+ thinkingEffort,
6338
6176
  responseSchema: DiscoverySummarySchema,
6339
6177
  excludeTools: ["document_app"],
6340
6178
  projectThreatModel
6341
6179
  });
6342
6180
  try {
6343
- await agent.consume();
6181
+ await agentLimiter(() => agent.consume());
6344
6182
  log4.debug(`Phase 2: agent "${subagentId}" completed`);
6345
6183
  eventBus?.emit("subagent-complete", {
6346
6184
  subagentId,
@@ -6390,8 +6228,10 @@ async function runWhiteboxAttackSurfaceWorkflow(input) {
6390
6228
  onCacheMetrics,
6391
6229
  openAIReasoningEffort,
6392
6230
  enableThinking,
6231
+ thinkingEffort,
6393
6232
  projectThreatModel,
6394
- parentSubagentId: appNodeId
6233
+ parentSubagentId: appNodeId,
6234
+ agentLimiter
6395
6235
  });
6396
6236
  } else {
6397
6237
  log4.debug(`${app.name}: fallback (${surfaceResult.reason})`);
@@ -6852,6 +6692,7 @@ async function runPentestSwarm(input) {
6852
6692
  concurrency = DEFAULT_CONCURRENCY2,
6853
6693
  onStepFinish,
6854
6694
  enableThinking,
6695
+ thinkingEffort,
6855
6696
  openAIReasoningEffort,
6856
6697
  display
6857
6698
  } = input;
@@ -6902,6 +6743,7 @@ async function runPentestSwarm(input) {
6902
6743
  planSubagentId: subagentId,
6903
6744
  eventBus,
6904
6745
  enableThinking,
6746
+ thinkingEffort,
6905
6747
  openAIReasoningEffort,
6906
6748
  display
6907
6749
  });
@@ -6926,6 +6768,7 @@ async function runPentestSwarm(input) {
6926
6768
  eventBus,
6927
6769
  subagentId,
6928
6770
  enableThinking,
6771
+ thinkingEffort,
6929
6772
  openAIReasoningEffort,
6930
6773
  display
6931
6774
  });
@@ -6971,6 +6814,10 @@ async function runPentestSwarm(input) {
6971
6814
  return results;
6972
6815
  }
6973
6816
  async function runPentestWorkflow(input) {
6817
+ if (input.fastStrike) {
6818
+ const { runFastStrike } = await import("./fastStrike-qts85kag.js");
6819
+ return runFastStrike(input);
6820
+ }
6974
6821
  const {
6975
6822
  target,
6976
6823
  cwd,
@@ -6982,6 +6829,7 @@ async function runPentestWorkflow(input) {
6982
6829
  onStepFinish,
6983
6830
  onCacheMetrics,
6984
6831
  enableThinking,
6832
+ thinkingEffort,
6985
6833
  openAIReasoningEffort,
6986
6834
  prompt,
6987
6835
  threatModel,
@@ -7119,6 +6967,7 @@ ${combined}` : combined;
7119
6967
  eventBus,
7120
6968
  onStepFinish: wrappedOnStepFinish,
7121
6969
  enableThinking,
6970
+ thinkingEffort,
7122
6971
  openAIReasoningEffort
7123
6972
  });
7124
6973
  }
@@ -7244,4 +7093,4 @@ async function runBlackboxPhase(opts) {
7244
7093
  throw e;
7245
7094
  }
7246
7095
  }
7247
- export { REPORT_FILENAME_MD, readExecutionMetrics, writeExecutionMetrics, convertModelMessagesToUI, loadSubagents, DEFAULT_CONCURRENCY2 as DEFAULT_CONCURRENCY, runPentestSwarm, runPentestWorkflow };
7096
+ export { readExecutionMetrics, writeExecutionMetrics, convertModelMessagesToUI, loadSubagents, DEFAULT_CONCURRENCY2 as DEFAULT_CONCURRENCY, runPentestSwarm, runPentestWorkflow };