@pensar/apex 2.1.2 → 2.1.3-canary.082299eb
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/{agent-737mxp3v.js → agent-25rra8mk.js} +9 -8
- package/build/agent-qa4kk7v1.js +27 -0
- package/build/agent-xpddb5yz.js +19 -0
- package/build/{apps-j0bwey0w.js → apps-c4rdprzp.js} +17 -16
- package/build/{auth-5stxpmga.js → auth-cm0s3an4.js} +17 -16
- package/build/authentication-k8303p1y.js +19 -0
- package/build/blackboxAgent-8mpqbggt.js +19 -0
- package/build/{blackboxPentest-2edr9rj3.js → blackboxPentest-b1dqrv93.js} +15 -14
- package/build/{cli-hj3t87r2.js → cli-0kg01x44.js} +1 -1
- package/build/{cli-6wwpk9d9.js → cli-35rkgbhd.js} +1 -1
- package/build/{cli-f7d23ded.js → cli-3k1x5rn3.js} +936 -1775
- package/build/{cli-9z6vwf30.js → cli-7bzzjw1f.js} +1 -1
- package/build/{cli-tw3fe8bj.js → cli-7g8n2kkk.js} +2 -2
- package/build/{cli-yjbkaqvy.js → cli-8256tzw9.js} +79 -23
- package/build/{cli-jd0c0b91.js → cli-bh3e0th8.js} +1 -1
- package/build/{cli-xnnkeg5p.js → cli-bp7f8nyk.js} +1 -1
- package/build/{cli-v1aqbv58.js → cli-d28z7z1b.js} +29267 -25585
- package/build/{cli-dqkdnd3c.js → cli-db434rd0.js} +88 -49
- package/build/{cli-ks60cc3h.js → cli-f5javz2k.js} +30 -30
- package/build/{cli-gbkj2has.js → cli-nfnfwfcn.js} +5 -3
- package/build/{cli-6vs0mtsb.js → cli-nn5rxhvz.js} +4 -2
- package/build/{cli-whtdyc0e.js → cli-qdvef4qc.js} +6 -4
- package/build/cli-sekg25pa.js +195 -0
- package/build/{cli-35czfv00.js → cli-w5vt3svr.js} +70869 -79383
- package/build/{cli-0gk2x2sc.js → cli-wdahap6k.js} +18 -18
- package/build/{cli-9vzc18m5.js → cli-y4csaqh2.js} +53 -204
- package/build/cli.js +120 -90
- package/build/{config-s5ryv5ez.js → config-6hkn23py.js} +3 -3
- package/build/{doctor-f08gegwc.js → doctor-0prby1f0.js} +7 -7
- package/build/fastStrike-qts85kag.js +156 -0
- package/build/{fixes-qf4s92z2.js → fixes-kza6ej38.js} +17 -16
- package/build/{index-x4xefngs.js → index-6r19ej49.js} +3 -3
- package/build/{index-exvkbve0.js → index-7y1pwazv.js} +4 -4
- package/build/{index-mgng15va.js → index-gq9h8j5j.js} +909 -456
- package/build/{index-c6qz0gve.js → index-h6rxj451.js} +7 -7
- package/build/{index-s8gw83d6.js → index-m9djasp6.js} +19 -11
- package/build/{index-gakk2t5q.js → index-vjh370rj.js} +23 -19
- package/build/{index-5h1hjhzw.js → index-vk0czqw7.js} +10 -10
- package/build/{index-sqjve2bm.js → index-xzb9yxtf.js} +2 -2
- package/build/{issues-5anqrh2j.js → issues-35784nvy.js} +17 -16
- package/build/{logs-q6ankt6m.js → logs-14xzc32f.js} +17 -16
- package/build/{main-3zneyg7p.js → main-3d7dfdvs.js} +17 -93
- package/build/{offesecAgent-hsej0pfc.js → offesecAgent-767xjskr.js} +9 -9
- package/build/pentest-hf3hejjq.js +29 -0
- package/build/{pentests-hyx3c3qa.js → pentests-7zy73b60.js} +17 -16
- package/build/targetedPentest-m3ypnmfk.js +44 -0
- package/build/{targets-9cqrshet.js → targets-nay3vmqy.js} +17 -16
- package/build/threatModel-p8khw8tr.js +27 -0
- package/build/{uninstall-1j469qj7.js → uninstall-acg2vcpm.js} +1 -1
- package/build/{upload-ymvhkyq5.js → upload-pjr2zgys.js} +7 -7
- package/build/{utils-d1ed6jzf.js → utils-v0mj3yrn.js} +6 -6
- package/package.json +30 -30
- package/build/agent-8w9h3tnw.js +0 -19
- package/build/agent-vdrtakz4.js +0 -25
- package/build/authentication-qswvctj4.js +0 -19
- package/build/blackboxAgent-vwm9t3h4.js +0 -19
- package/build/pentest-1e30q7rs.js +0 -28
- package/build/targetedPentest-ws0a7frk.js +0 -36
- package/build/threatModel-z9b213x8.js +0 -26
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
import {
|
|
2
2
|
OffensiveSecurityAgent
|
|
3
|
-
} from "./cli-
|
|
3
|
+
} from "./cli-w5vt3svr.js";
|
|
4
4
|
import {
|
|
5
5
|
detectOSAndEnhancePrompt
|
|
6
|
-
} from "./cli-
|
|
6
|
+
} from "./cli-35rkgbhd.js";
|
|
7
7
|
import {
|
|
8
8
|
createLogger,
|
|
9
9
|
hasToolCall,
|
|
@@ -11,7 +11,7 @@ import {
|
|
|
11
11
|
init_lazyLogger,
|
|
12
12
|
init_structured,
|
|
13
13
|
scopedLogger
|
|
14
|
-
} from "./cli-
|
|
14
|
+
} from "./cli-d28z7z1b.js";
|
|
15
15
|
|
|
16
16
|
// src/core/agents/specialized/authenticationAgent/agent.ts
|
|
17
17
|
init_dist();
|
|
@@ -37,9 +37,9 @@ Obtain valid credentials/sessions that other agents can use for authenticated te
|
|
|
37
37
|
# Available Tools
|
|
38
38
|
|
|
39
39
|
## API Authentication
|
|
40
|
-
- \`
|
|
41
|
-
|
|
42
|
-
|
|
40
|
+
- \`execute_command\` — Run curl (or other shell commands) to submit credentials via form POST,
|
|
41
|
+
JSON POST, or HTTP Basic auth, and to capture the Set-Cookie / token response. Use this for all
|
|
42
|
+
custom and complex API auth flows.
|
|
43
43
|
|
|
44
44
|
## Browser Authentication
|
|
45
45
|
- \`browser_navigate\` — Navigate to login page
|
|
@@ -77,11 +77,11 @@ Look for:
|
|
|
77
77
|
## Step 2: Authenticate
|
|
78
78
|
|
|
79
79
|
### API path (use when target is an API or has a simple form):
|
|
80
|
-
1.
|
|
81
|
-
- \`
|
|
82
|
-
- \`
|
|
83
|
-
- \`
|
|
84
|
-
2.
|
|
80
|
+
1. Use \`execute_command\` with curl to submit the credentials, matching the target's scheme:
|
|
81
|
+
- \`curl -i -d 'username=...&password=...' <loginUrl>\` for HTML form POST
|
|
82
|
+
- \`curl -i -H 'Content-Type: application/json' -d '{"username":"...","password":"..."}' <loginUrl>\` for JSON APIs
|
|
83
|
+
- \`curl -i -u '<user>:<pass>' <url>\` for HTTP Basic
|
|
84
|
+
2. Inspect the response (\`-i\` shows headers) — capture any \`Set-Cookie\` value or token to use as the session credential.
|
|
85
85
|
|
|
86
86
|
### Browser path (use for SPAs, OAuth, JS-rendered forms):
|
|
87
87
|
1. \`browser_navigate\` to the login URL
|
|
@@ -113,7 +113,7 @@ If both API and browser approaches fail, use \`delegate_to_auth_subagent\` for c
|
|
|
113
113
|
**First**, call \`complete_authentication\` with:
|
|
114
114
|
- \`success\`: whether auth succeeded
|
|
115
115
|
- \`summary\`: what happened and what credentials/cookies were obtained
|
|
116
|
-
- \`exportedCookies\`: the cookie string for downstream HTTP requests (from browser_get_cookies cookieHeader or
|
|
116
|
+
- \`exportedCookies\`: the cookie string for downstream HTTP requests (from browser_get_cookies cookieHeader or the Set-Cookie header in the curl response)
|
|
117
117
|
- \`exportedHeaders\`: auth headers map, e.g. {"Authorization": "Bearer <token>"} (from browser_evaluate localStorage tokens or API response)
|
|
118
118
|
- \`strategy\`: method used ("browser", "form_post", "json_post", "basic_auth", "bearer")
|
|
119
119
|
- \`authBarrier\`: if a barrier was encountered (captcha, mfa, etc.)
|
|
@@ -179,6 +179,7 @@ class AuthenticationAgent extends OffensiveSecurityAgent {
|
|
|
179
179
|
context,
|
|
180
180
|
environmentVariables,
|
|
181
181
|
enableThinking,
|
|
182
|
+
thinkingEffort,
|
|
182
183
|
openAIReasoningEffort
|
|
183
184
|
} = opts;
|
|
184
185
|
const cm = session.credentialManager;
|
|
@@ -195,11 +196,11 @@ class AuthenticationAgent extends OffensiveSecurityAgent {
|
|
|
195
196
|
subagentId,
|
|
196
197
|
environmentVariables,
|
|
197
198
|
enableThinking,
|
|
199
|
+
thinkingEffort,
|
|
198
200
|
openAIReasoningEffort,
|
|
199
201
|
toolChoice: "auto",
|
|
200
202
|
activeTools: [
|
|
201
203
|
"execute_command",
|
|
202
|
-
"authenticate_session",
|
|
203
204
|
"complete_authentication",
|
|
204
205
|
"browser_navigate",
|
|
205
206
|
"browser_snapshot",
|
|
@@ -294,17 +295,16 @@ function buildAuthPrompt(target, authHints, credentialManager, context) {
|
|
|
294
295
|
if (credBlock) {
|
|
295
296
|
parts.push(`INSTRUCTIONS:
|
|
296
297
|
You have credentials available via credential IDs — authenticate immediately.
|
|
297
|
-
1.
|
|
298
|
-
2.
|
|
298
|
+
1. For API/form logins, use execute_command (curl) to submit credentials and capture the Set-Cookie / token response
|
|
299
|
+
2. For browser-based logins, use the browser tools. For browser_fill on password/secret fields,
|
|
299
300
|
pass credentialId + credentialField (e.g. credentialField="password") instead of the raw value —
|
|
300
301
|
the secret is resolved securely at execution time. NEVER type a password directly.
|
|
301
302
|
3. Call complete_authentication with exported cookies/headers to persist credentials and end the run`);
|
|
302
303
|
} else {
|
|
303
304
|
parts.push(`INSTRUCTIONS:
|
|
304
305
|
1. Probe the target with execute_command (curl) to determine the auth mechanism
|
|
305
|
-
2. Attempt authentication with
|
|
306
|
-
3.
|
|
307
|
-
4. Call complete_authentication with exported cookies/headers to persist credentials and end the run`);
|
|
306
|
+
2. Attempt authentication with execute_command (curl) or the browser tools
|
|
307
|
+
3. Call complete_authentication with exported cookies/headers to persist credentials and end the run`);
|
|
308
308
|
}
|
|
309
309
|
return parts.join(`
|
|
310
310
|
`);
|
|
@@ -1,13 +1,20 @@
|
|
|
1
1
|
import {
|
|
2
2
|
BlackboxAttackSurfaceAgent
|
|
3
|
-
} from "./cli-
|
|
3
|
+
} from "./cli-qdvef4qc.js";
|
|
4
|
+
import {
|
|
5
|
+
REPORT_FILENAME_JSON,
|
|
6
|
+
REPORT_FILENAME_MD,
|
|
7
|
+
buildPentestReport,
|
|
8
|
+
renderJson,
|
|
9
|
+
renderMarkdown
|
|
10
|
+
} from "./cli-sekg25pa.js";
|
|
4
11
|
import {
|
|
5
12
|
TargetedPentestAgent,
|
|
6
13
|
buildPentestSystemPrompt
|
|
7
|
-
} from "./cli-
|
|
14
|
+
} from "./cli-8256tzw9.js";
|
|
8
15
|
import {
|
|
9
16
|
CodeAgent
|
|
10
|
-
} from "./cli-
|
|
17
|
+
} from "./cli-nn5rxhvz.js";
|
|
11
18
|
import {
|
|
12
19
|
AppsDiscoveryResultSchema,
|
|
13
20
|
DiscoverySummarySchema,
|
|
@@ -15,19 +22,14 @@ import {
|
|
|
15
22
|
WHITEBOX_APPS_DISCOVERY_SYSTEM_PROMPT,
|
|
16
23
|
WHITEBOX_DISCOVERY_SYSTEM_PROMPT,
|
|
17
24
|
WHITEBOX_ENDPOINT_DOCUMENTATION_SYSTEM_PROMPT
|
|
18
|
-
} from "./cli-
|
|
19
|
-
import {
|
|
20
|
-
EvidenceFileEntrySchema
|
|
21
|
-
} from "./cli-tw3fe8bj.js";
|
|
25
|
+
} from "./cli-nfnfwfcn.js";
|
|
22
26
|
import {
|
|
23
|
-
CweEntrySchema,
|
|
24
27
|
FindingsRegistry,
|
|
25
28
|
OffensiveSecurityAgent,
|
|
26
29
|
PLAN_MODE_TOOL_NAMES,
|
|
27
|
-
|
|
28
|
-
hasCanonicalName,
|
|
30
|
+
pLimit,
|
|
29
31
|
runWithBoundedConcurrency
|
|
30
|
-
} from "./cli-
|
|
32
|
+
} from "./cli-w5vt3svr.js";
|
|
31
33
|
import {
|
|
32
34
|
createThreatModelPrompt
|
|
33
35
|
} from "./cli-fw5r7pfj.js";
|
|
@@ -36,13 +38,13 @@ import {
|
|
|
36
38
|
hasToolCall,
|
|
37
39
|
init_dist,
|
|
38
40
|
init_lazyLogger,
|
|
41
|
+
init_session,
|
|
39
42
|
init_structured,
|
|
40
43
|
scopedLogger
|
|
41
|
-
} from "./cli-
|
|
44
|
+
} from "./cli-d28z7z1b.js";
|
|
42
45
|
import {
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
} from "./cli-f7d23ded.js";
|
|
46
|
+
__require
|
|
47
|
+
} from "./cli-8rxa073f.js";
|
|
46
48
|
|
|
47
49
|
// src/core/workflows/pentest.ts
|
|
48
50
|
init_dist();
|
|
@@ -95,185 +97,6 @@ ${objectiveList}
|
|
|
95
97
|
// src/core/workflows/pentest.ts
|
|
96
98
|
init_structured();
|
|
97
99
|
|
|
98
|
-
// src/core/report/schemas.ts
|
|
99
|
-
init_zod();
|
|
100
|
-
var PentestReportFindingSchema = exports_external.object({
|
|
101
|
-
title: exports_external.string(),
|
|
102
|
-
severity: exports_external.enum(["CRITICAL", "HIGH", "MEDIUM", "LOW"]),
|
|
103
|
-
description: exports_external.string(),
|
|
104
|
-
impact: exports_external.string(),
|
|
105
|
-
evidence: exports_external.string(),
|
|
106
|
-
endpoint: exports_external.string(),
|
|
107
|
-
pocPath: exports_external.string(),
|
|
108
|
-
remediation: exports_external.string(),
|
|
109
|
-
references: exports_external.string().optional(),
|
|
110
|
-
cwes: exports_external.array(ValidatedCweEntrySchema.or(CweEntrySchema)).optional(),
|
|
111
|
-
rootCauseGroup: exports_external.string().optional(),
|
|
112
|
-
relatedFindings: exports_external.array(exports_external.string()).optional(),
|
|
113
|
-
rootCauseLead: exports_external.boolean().optional(),
|
|
114
|
-
evidenceFiles: exports_external.array(EvidenceFileEntrySchema).optional()
|
|
115
|
-
});
|
|
116
|
-
var PentestReportSchema = exports_external.object({
|
|
117
|
-
version: exports_external.string().regex(/^1\.\d+$/),
|
|
118
|
-
metadata: exports_external.object({
|
|
119
|
-
target: exports_external.string(),
|
|
120
|
-
model: exports_external.string(),
|
|
121
|
-
timestamp: exports_external.string(),
|
|
122
|
-
sessionId: exports_external.string(),
|
|
123
|
-
mode: exports_external.enum(["blackbox", "whitebox", "targeted"])
|
|
124
|
-
}),
|
|
125
|
-
summary: exports_external.object({
|
|
126
|
-
totalFindings: exports_external.number(),
|
|
127
|
-
bySeverity: exports_external.object({
|
|
128
|
-
CRITICAL: exports_external.number(),
|
|
129
|
-
HIGH: exports_external.number(),
|
|
130
|
-
MEDIUM: exports_external.number(),
|
|
131
|
-
LOW: exports_external.number()
|
|
132
|
-
})
|
|
133
|
-
}),
|
|
134
|
-
findings: exports_external.array(PentestReportFindingSchema)
|
|
135
|
-
});
|
|
136
|
-
var REPORT_VERSION = "1.0";
|
|
137
|
-
|
|
138
|
-
// src/core/report/builder.ts
|
|
139
|
-
var SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"];
|
|
140
|
-
function buildPentestReport(findings, context) {
|
|
141
|
-
const sorted = [...findings].sort((a, b) => SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity));
|
|
142
|
-
const bySeverity = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
|
|
143
|
-
for (const f of findings) {
|
|
144
|
-
bySeverity[f.severity]++;
|
|
145
|
-
}
|
|
146
|
-
return {
|
|
147
|
-
version: REPORT_VERSION,
|
|
148
|
-
metadata: {
|
|
149
|
-
target: context.target,
|
|
150
|
-
model: context.model,
|
|
151
|
-
timestamp: new Date().toISOString(),
|
|
152
|
-
sessionId: context.sessionId,
|
|
153
|
-
mode: context.mode
|
|
154
|
-
},
|
|
155
|
-
summary: {
|
|
156
|
-
totalFindings: findings.length,
|
|
157
|
-
bySeverity
|
|
158
|
-
},
|
|
159
|
-
findings: sorted.map((f) => ({
|
|
160
|
-
title: f.title,
|
|
161
|
-
severity: f.severity,
|
|
162
|
-
description: f.description,
|
|
163
|
-
impact: f.impact,
|
|
164
|
-
evidence: f.evidence,
|
|
165
|
-
endpoint: f.endpoint,
|
|
166
|
-
pocPath: f.pocPath,
|
|
167
|
-
remediation: f.remediation,
|
|
168
|
-
references: f.references,
|
|
169
|
-
cwes: f.cwes,
|
|
170
|
-
rootCauseGroup: f.rootCauseGroup,
|
|
171
|
-
relatedFindings: f.relatedFindings,
|
|
172
|
-
rootCauseLead: f.rootCauseLead,
|
|
173
|
-
evidenceFiles: f.evidenceFiles
|
|
174
|
-
}))
|
|
175
|
-
};
|
|
176
|
-
}
|
|
177
|
-
// src/core/report/renderers/json.ts
|
|
178
|
-
function renderJson(report) {
|
|
179
|
-
return JSON.stringify(report, null, 2);
|
|
180
|
-
}
|
|
181
|
-
// src/core/report/renderers/markdown.ts
|
|
182
|
-
function renderMarkdown(report) {
|
|
183
|
-
const { metadata, findings, summary } = report;
|
|
184
|
-
const header = [
|
|
185
|
-
`# Pentest Report — ${metadata.target}`,
|
|
186
|
-
"",
|
|
187
|
-
`**Date:** ${metadata.timestamp} `,
|
|
188
|
-
`**Session:** ${metadata.sessionId} `,
|
|
189
|
-
`**Model:** ${metadata.model} `,
|
|
190
|
-
`**Mode:** ${metadata.mode}`,
|
|
191
|
-
"",
|
|
192
|
-
`**Findings:** ${summary.totalFindings}`,
|
|
193
|
-
""
|
|
194
|
-
];
|
|
195
|
-
if (findings.length === 0) {
|
|
196
|
-
return [
|
|
197
|
-
...header,
|
|
198
|
-
"No findings were identified during this assessment.",
|
|
199
|
-
""
|
|
200
|
-
].join(`
|
|
201
|
-
`);
|
|
202
|
-
}
|
|
203
|
-
const body = findings.map((finding) => renderFinding(finding, metadata)).join(`
|
|
204
|
-
`);
|
|
205
|
-
return [...header, body].join(`
|
|
206
|
-
`);
|
|
207
|
-
}
|
|
208
|
-
function renderFinding(finding, metadata) {
|
|
209
|
-
const lines = [
|
|
210
|
-
`# ${finding.title}`,
|
|
211
|
-
"",
|
|
212
|
-
`**Severity:** ${finding.severity} `,
|
|
213
|
-
`**Target:** ${metadata.target} `,
|
|
214
|
-
`**Endpoint:** ${finding.endpoint} `,
|
|
215
|
-
`**Date:** ${metadata.timestamp} `,
|
|
216
|
-
`**Session:** ${metadata.sessionId}`,
|
|
217
|
-
"",
|
|
218
|
-
"## Description",
|
|
219
|
-
"",
|
|
220
|
-
finding.description,
|
|
221
|
-
"",
|
|
222
|
-
"## Impact",
|
|
223
|
-
"",
|
|
224
|
-
finding.impact,
|
|
225
|
-
"",
|
|
226
|
-
"## Evidence",
|
|
227
|
-
"",
|
|
228
|
-
"```",
|
|
229
|
-
finding.evidence,
|
|
230
|
-
"```",
|
|
231
|
-
"",
|
|
232
|
-
...finding.evidenceFiles?.length ? [
|
|
233
|
-
"## Evidence Files",
|
|
234
|
-
"",
|
|
235
|
-
...finding.evidenceFiles.map((ef) => `- **[${ef.type}]** \`${ef.path}\` — ${ef.description}`),
|
|
236
|
-
""
|
|
237
|
-
] : [],
|
|
238
|
-
...finding.cwes?.length ? [
|
|
239
|
-
"## CWE Classification",
|
|
240
|
-
"",
|
|
241
|
-
...finding.cwes.map((cwe) => `- **${cwe.id}**${hasCanonicalName(cwe) ? `: ${cwe.name}` : ""} — ${cwe.reasoning}`),
|
|
242
|
-
""
|
|
243
|
-
] : [],
|
|
244
|
-
...finding.rootCauseGroup ? [
|
|
245
|
-
"## Root Cause Group",
|
|
246
|
-
"",
|
|
247
|
-
`**Group:** \`${finding.rootCauseGroup}\``,
|
|
248
|
-
...finding.relatedFindings?.length ? [
|
|
249
|
-
"",
|
|
250
|
-
"**Related Findings:**",
|
|
251
|
-
...finding.relatedFindings.map((rf) => `- ${rf}`)
|
|
252
|
-
] : [],
|
|
253
|
-
""
|
|
254
|
-
] : [],
|
|
255
|
-
"## POC",
|
|
256
|
-
"",
|
|
257
|
-
`Path: \`${finding.pocPath}\``,
|
|
258
|
-
"",
|
|
259
|
-
"## Remediation",
|
|
260
|
-
"",
|
|
261
|
-
finding.remediation,
|
|
262
|
-
...finding.references ? ["", `## References`, "", finding.references] : [],
|
|
263
|
-
"",
|
|
264
|
-
"---",
|
|
265
|
-
"",
|
|
266
|
-
"*This finding was automatically documented by the Pensar penetration testing agent.*",
|
|
267
|
-
""
|
|
268
|
-
];
|
|
269
|
-
return lines.join(`
|
|
270
|
-
`);
|
|
271
|
-
}
|
|
272
|
-
|
|
273
|
-
// src/core/report/index.ts
|
|
274
|
-
var REPORT_FILENAME_MD = "pentest-report.md";
|
|
275
|
-
var REPORT_FILENAME_JSON = "pentest-report.json";
|
|
276
|
-
|
|
277
100
|
// src/core/session/execution-metrics.ts
|
|
278
101
|
import { existsSync, readFileSync, writeFileSync } from "node:fs";
|
|
279
102
|
import { join } from "node:path";
|
|
@@ -360,11 +183,13 @@ init_lazyLogger();
|
|
|
360
183
|
// src/core/session/persistence.ts
|
|
361
184
|
init_structured();
|
|
362
185
|
init_lazyLogger();
|
|
186
|
+
init_session();
|
|
363
187
|
import {
|
|
364
188
|
existsSync as existsSync2,
|
|
365
189
|
mkdirSync,
|
|
366
190
|
readdirSync,
|
|
367
191
|
readFileSync as readFileSync2,
|
|
192
|
+
renameSync,
|
|
368
193
|
statSync,
|
|
369
194
|
writeFileSync as writeFileSync2
|
|
370
195
|
} from "node:fs";
|
|
@@ -372,14 +197,14 @@ import { join as join2 } from "node:path";
|
|
|
372
197
|
var log = scopedLogger(() => createLogger("session:persistence"));
|
|
373
198
|
var SUBAGENTS_DIR = "subagents";
|
|
374
199
|
var MANIFEST_FILE = "agent-manifest.json";
|
|
375
|
-
function loadSubagentMessages(session,
|
|
376
|
-
const stepPath = join2(session.rootPath, SUBAGENTS_DIR,
|
|
200
|
+
function loadSubagentMessages(session, key) {
|
|
201
|
+
const stepPath = join2(session.rootPath, SUBAGENTS_DIR, key, "messages.json");
|
|
377
202
|
if (existsSync2(stepPath)) {
|
|
378
203
|
try {
|
|
379
204
|
return JSON.parse(readFileSync2(stepPath, "utf-8"));
|
|
380
205
|
} catch {}
|
|
381
206
|
}
|
|
382
|
-
const snapshotPath = join2(session.rootPath, SUBAGENTS_DIR, `${
|
|
207
|
+
const snapshotPath = join2(session.rootPath, SUBAGENTS_DIR, `${key}.json`);
|
|
383
208
|
if (!existsSync2(snapshotPath))
|
|
384
209
|
return [];
|
|
385
210
|
try {
|
|
@@ -523,6 +348,9 @@ function parseSubagentFilename(filename) {
|
|
|
523
348
|
if (filename.startsWith("orchestrator-")) {
|
|
524
349
|
return { agentType: "pentest", name: "Orchestrator Summary" };
|
|
525
350
|
}
|
|
351
|
+
if (filename.startsWith("ses_")) {
|
|
352
|
+
return { agentType: "pentest", name: "Pentest Worker" };
|
|
353
|
+
}
|
|
526
354
|
return { agentType: "pentest", name: filename.split("-")[0] || "Unknown" };
|
|
527
355
|
}
|
|
528
356
|
function unwrapAiSdkToolOutput(output) {
|
|
@@ -833,8 +661,10 @@ async function runEndpointDocumentationAgent(opts) {
|
|
|
833
661
|
onCacheMetrics,
|
|
834
662
|
openAIReasoningEffort,
|
|
835
663
|
enableThinking,
|
|
664
|
+
thinkingEffort,
|
|
836
665
|
projectThreatModel,
|
|
837
|
-
parentSubagentId
|
|
666
|
+
parentSubagentId,
|
|
667
|
+
agentLimiter
|
|
838
668
|
} = opts;
|
|
839
669
|
const subagentId = `endpoint-doc-${slug(app.name)}-${slug(endpoint.path)}`;
|
|
840
670
|
const displayMethod = getDocumentMethod(endpoint);
|
|
@@ -871,12 +701,13 @@ async function runEndpointDocumentationAgent(opts) {
|
|
|
871
701
|
onCacheMetrics,
|
|
872
702
|
openAIReasoningEffort,
|
|
873
703
|
enableThinking,
|
|
704
|
+
thinkingEffort,
|
|
874
705
|
responseSchema: DiscoverySummarySchema,
|
|
875
706
|
excludeTools: ["document_app", "list_files", "grep"],
|
|
876
707
|
projectThreatModel
|
|
877
708
|
});
|
|
878
709
|
try {
|
|
879
|
-
await agent.consume();
|
|
710
|
+
await (agentLimiter ? agentLimiter(() => agent.consume()) : agent.consume());
|
|
880
711
|
eventBus?.emit("subagent-complete", {
|
|
881
712
|
subagentId,
|
|
882
713
|
status: "completed",
|
|
@@ -6195,6 +6026,7 @@ init_structured();
|
|
|
6195
6026
|
init_lazyLogger();
|
|
6196
6027
|
var log4 = scopedLogger(() => createLogger("whitebox-workflow"));
|
|
6197
6028
|
var DEFAULT_CONCURRENCY = 5;
|
|
6029
|
+
var MAX_CONCURRENT_AGENTS = 12;
|
|
6198
6030
|
var TASK_TYPE_LABELS = {
|
|
6199
6031
|
pages: "Pages",
|
|
6200
6032
|
apiEndpoints: "API Endpoints",
|
|
@@ -6225,11 +6057,15 @@ async function runWhiteboxAttackSurfaceWorkflow(input) {
|
|
|
6225
6057
|
onCacheMetrics,
|
|
6226
6058
|
openAIReasoningEffort,
|
|
6227
6059
|
enableThinking,
|
|
6060
|
+
thinkingEffort,
|
|
6228
6061
|
domains,
|
|
6229
6062
|
projectThreatModel,
|
|
6230
6063
|
environments,
|
|
6231
|
-
surfaceIntegrationEnabled = true
|
|
6064
|
+
surfaceIntegrationEnabled = true,
|
|
6065
|
+
maxConcurrentAgents = MAX_CONCURRENT_AGENTS
|
|
6232
6066
|
} = input;
|
|
6067
|
+
const agentSlots = pLimit(Math.max(1, maxConcurrentAgents));
|
|
6068
|
+
const agentLimiter = (fn) => agentSlots(fn);
|
|
6233
6069
|
const appsAgent = new CodeAgent({
|
|
6234
6070
|
codebasePath,
|
|
6235
6071
|
objective: buildAppsDiscoveryObjective(codebasePath, domains, environments),
|
|
@@ -6245,6 +6081,7 @@ async function runWhiteboxAttackSurfaceWorkflow(input) {
|
|
|
6245
6081
|
onCacheMetrics,
|
|
6246
6082
|
openAIReasoningEffort,
|
|
6247
6083
|
enableThinking,
|
|
6084
|
+
thinkingEffort,
|
|
6248
6085
|
responseSchema: AppsDiscoveryResultSchema,
|
|
6249
6086
|
projectThreatModel,
|
|
6250
6087
|
excludeTools: ["document_endpoint"]
|
|
@@ -6256,7 +6093,7 @@ async function runWhiteboxAttackSurfaceWorkflow(input) {
|
|
|
6256
6093
|
name: "Whitebox Apps Discovery",
|
|
6257
6094
|
input: { codebasePath }
|
|
6258
6095
|
});
|
|
6259
|
-
const appsResult = await appsAgent.consume();
|
|
6096
|
+
const appsResult = await agentLimiter(() => appsAgent.consume());
|
|
6260
6097
|
log4.info(`Phase 1 complete: ${appsResult?.apps.length ?? 0} apps discovered` + (appsResult ? ` (repoType=${appsResult.repoType}, packageManager=${appsResult.packageManager})` : " (no result returned)"));
|
|
6261
6098
|
if (appsResult?.apps.length) {
|
|
6262
6099
|
for (const app of appsResult.apps) {
|
|
@@ -6335,12 +6172,13 @@ async function runWhiteboxAttackSurfaceWorkflow(input) {
|
|
|
6335
6172
|
onCacheMetrics,
|
|
6336
6173
|
openAIReasoningEffort,
|
|
6337
6174
|
enableThinking,
|
|
6175
|
+
thinkingEffort,
|
|
6338
6176
|
responseSchema: DiscoverySummarySchema,
|
|
6339
6177
|
excludeTools: ["document_app"],
|
|
6340
6178
|
projectThreatModel
|
|
6341
6179
|
});
|
|
6342
6180
|
try {
|
|
6343
|
-
await agent.consume();
|
|
6181
|
+
await agentLimiter(() => agent.consume());
|
|
6344
6182
|
log4.debug(`Phase 2: agent "${subagentId}" completed`);
|
|
6345
6183
|
eventBus?.emit("subagent-complete", {
|
|
6346
6184
|
subagentId,
|
|
@@ -6390,8 +6228,10 @@ async function runWhiteboxAttackSurfaceWorkflow(input) {
|
|
|
6390
6228
|
onCacheMetrics,
|
|
6391
6229
|
openAIReasoningEffort,
|
|
6392
6230
|
enableThinking,
|
|
6231
|
+
thinkingEffort,
|
|
6393
6232
|
projectThreatModel,
|
|
6394
|
-
parentSubagentId: appNodeId
|
|
6233
|
+
parentSubagentId: appNodeId,
|
|
6234
|
+
agentLimiter
|
|
6395
6235
|
});
|
|
6396
6236
|
} else {
|
|
6397
6237
|
log4.debug(`${app.name}: fallback (${surfaceResult.reason})`);
|
|
@@ -6852,6 +6692,7 @@ async function runPentestSwarm(input) {
|
|
|
6852
6692
|
concurrency = DEFAULT_CONCURRENCY2,
|
|
6853
6693
|
onStepFinish,
|
|
6854
6694
|
enableThinking,
|
|
6695
|
+
thinkingEffort,
|
|
6855
6696
|
openAIReasoningEffort,
|
|
6856
6697
|
display
|
|
6857
6698
|
} = input;
|
|
@@ -6902,6 +6743,7 @@ async function runPentestSwarm(input) {
|
|
|
6902
6743
|
planSubagentId: subagentId,
|
|
6903
6744
|
eventBus,
|
|
6904
6745
|
enableThinking,
|
|
6746
|
+
thinkingEffort,
|
|
6905
6747
|
openAIReasoningEffort,
|
|
6906
6748
|
display
|
|
6907
6749
|
});
|
|
@@ -6926,6 +6768,7 @@ async function runPentestSwarm(input) {
|
|
|
6926
6768
|
eventBus,
|
|
6927
6769
|
subagentId,
|
|
6928
6770
|
enableThinking,
|
|
6771
|
+
thinkingEffort,
|
|
6929
6772
|
openAIReasoningEffort,
|
|
6930
6773
|
display
|
|
6931
6774
|
});
|
|
@@ -6971,6 +6814,10 @@ async function runPentestSwarm(input) {
|
|
|
6971
6814
|
return results;
|
|
6972
6815
|
}
|
|
6973
6816
|
async function runPentestWorkflow(input) {
|
|
6817
|
+
if (input.fastStrike) {
|
|
6818
|
+
const { runFastStrike } = await import("./fastStrike-qts85kag.js");
|
|
6819
|
+
return runFastStrike(input);
|
|
6820
|
+
}
|
|
6974
6821
|
const {
|
|
6975
6822
|
target,
|
|
6976
6823
|
cwd,
|
|
@@ -6982,6 +6829,7 @@ async function runPentestWorkflow(input) {
|
|
|
6982
6829
|
onStepFinish,
|
|
6983
6830
|
onCacheMetrics,
|
|
6984
6831
|
enableThinking,
|
|
6832
|
+
thinkingEffort,
|
|
6985
6833
|
openAIReasoningEffort,
|
|
6986
6834
|
prompt,
|
|
6987
6835
|
threatModel,
|
|
@@ -7119,6 +6967,7 @@ ${combined}` : combined;
|
|
|
7119
6967
|
eventBus,
|
|
7120
6968
|
onStepFinish: wrappedOnStepFinish,
|
|
7121
6969
|
enableThinking,
|
|
6970
|
+
thinkingEffort,
|
|
7122
6971
|
openAIReasoningEffort
|
|
7123
6972
|
});
|
|
7124
6973
|
}
|
|
@@ -7244,4 +7093,4 @@ async function runBlackboxPhase(opts) {
|
|
|
7244
7093
|
throw e;
|
|
7245
7094
|
}
|
|
7246
7095
|
}
|
|
7247
|
-
export {
|
|
7096
|
+
export { readExecutionMetrics, writeExecutionMetrics, convertModelMessagesToUI, loadSubagents, DEFAULT_CONCURRENCY2 as DEFAULT_CONCURRENCY, runPentestSwarm, runPentestWorkflow };
|