@pensar/apex 2.1.2 → 2.1.3-canary.082299eb

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (59) hide show
  1. package/build/{agent-737mxp3v.js → agent-25rra8mk.js} +9 -8
  2. package/build/agent-qa4kk7v1.js +27 -0
  3. package/build/agent-xpddb5yz.js +19 -0
  4. package/build/{apps-j0bwey0w.js → apps-c4rdprzp.js} +17 -16
  5. package/build/{auth-5stxpmga.js → auth-cm0s3an4.js} +17 -16
  6. package/build/authentication-k8303p1y.js +19 -0
  7. package/build/blackboxAgent-8mpqbggt.js +19 -0
  8. package/build/{blackboxPentest-2edr9rj3.js → blackboxPentest-b1dqrv93.js} +15 -14
  9. package/build/{cli-hj3t87r2.js → cli-0kg01x44.js} +1 -1
  10. package/build/{cli-6wwpk9d9.js → cli-35rkgbhd.js} +1 -1
  11. package/build/{cli-f7d23ded.js → cli-3k1x5rn3.js} +936 -1775
  12. package/build/{cli-9z6vwf30.js → cli-7bzzjw1f.js} +1 -1
  13. package/build/{cli-tw3fe8bj.js → cli-7g8n2kkk.js} +2 -2
  14. package/build/{cli-yjbkaqvy.js → cli-8256tzw9.js} +79 -23
  15. package/build/{cli-jd0c0b91.js → cli-bh3e0th8.js} +1 -1
  16. package/build/{cli-xnnkeg5p.js → cli-bp7f8nyk.js} +1 -1
  17. package/build/{cli-v1aqbv58.js → cli-d28z7z1b.js} +29267 -25585
  18. package/build/{cli-dqkdnd3c.js → cli-db434rd0.js} +88 -49
  19. package/build/{cli-ks60cc3h.js → cli-f5javz2k.js} +30 -30
  20. package/build/{cli-gbkj2has.js → cli-nfnfwfcn.js} +5 -3
  21. package/build/{cli-6vs0mtsb.js → cli-nn5rxhvz.js} +4 -2
  22. package/build/{cli-whtdyc0e.js → cli-qdvef4qc.js} +6 -4
  23. package/build/cli-sekg25pa.js +195 -0
  24. package/build/{cli-35czfv00.js → cli-w5vt3svr.js} +70869 -79383
  25. package/build/{cli-0gk2x2sc.js → cli-wdahap6k.js} +18 -18
  26. package/build/{cli-9vzc18m5.js → cli-y4csaqh2.js} +53 -204
  27. package/build/cli.js +120 -90
  28. package/build/{config-s5ryv5ez.js → config-6hkn23py.js} +3 -3
  29. package/build/{doctor-f08gegwc.js → doctor-0prby1f0.js} +7 -7
  30. package/build/fastStrike-qts85kag.js +156 -0
  31. package/build/{fixes-qf4s92z2.js → fixes-kza6ej38.js} +17 -16
  32. package/build/{index-x4xefngs.js → index-6r19ej49.js} +3 -3
  33. package/build/{index-exvkbve0.js → index-7y1pwazv.js} +4 -4
  34. package/build/{index-mgng15va.js → index-gq9h8j5j.js} +909 -456
  35. package/build/{index-c6qz0gve.js → index-h6rxj451.js} +7 -7
  36. package/build/{index-s8gw83d6.js → index-m9djasp6.js} +19 -11
  37. package/build/{index-gakk2t5q.js → index-vjh370rj.js} +23 -19
  38. package/build/{index-5h1hjhzw.js → index-vk0czqw7.js} +10 -10
  39. package/build/{index-sqjve2bm.js → index-xzb9yxtf.js} +2 -2
  40. package/build/{issues-5anqrh2j.js → issues-35784nvy.js} +17 -16
  41. package/build/{logs-q6ankt6m.js → logs-14xzc32f.js} +17 -16
  42. package/build/{main-3zneyg7p.js → main-3d7dfdvs.js} +17 -93
  43. package/build/{offesecAgent-hsej0pfc.js → offesecAgent-767xjskr.js} +9 -9
  44. package/build/pentest-hf3hejjq.js +29 -0
  45. package/build/{pentests-hyx3c3qa.js → pentests-7zy73b60.js} +17 -16
  46. package/build/targetedPentest-m3ypnmfk.js +44 -0
  47. package/build/{targets-9cqrshet.js → targets-nay3vmqy.js} +17 -16
  48. package/build/threatModel-p8khw8tr.js +27 -0
  49. package/build/{uninstall-1j469qj7.js → uninstall-acg2vcpm.js} +1 -1
  50. package/build/{upload-ymvhkyq5.js → upload-pjr2zgys.js} +7 -7
  51. package/build/{utils-d1ed6jzf.js → utils-v0mj3yrn.js} +6 -6
  52. package/package.json +30 -30
  53. package/build/agent-8w9h3tnw.js +0 -19
  54. package/build/agent-vdrtakz4.js +0 -25
  55. package/build/authentication-qswvctj4.js +0 -19
  56. package/build/blackboxAgent-vwm9t3h4.js +0 -19
  57. package/build/pentest-1e30q7rs.js +0 -28
  58. package/build/targetedPentest-ws0a7frk.js +0 -36
  59. package/build/threatModel-z9b213x8.js +0 -26
package/build/cli.js CHANGED
@@ -14,16 +14,16 @@ import {
14
14
  init_toolset,
15
15
  init_utils,
16
16
  logger
17
- } from "./cli-v1aqbv58.js";
18
- import"./cli-hj3t87r2.js";
19
- import"./cli-f7d23ded.js";
17
+ } from "./cli-d28z7z1b.js";
18
+ import"./cli-0kg01x44.js";
19
+ import"./cli-3k1x5rn3.js";
20
20
  import"./cli-gpnb45ck.js";
21
- import"./cli-9z6vwf30.js";
22
- import"./cli-xnnkeg5p.js";
21
+ import"./cli-7bzzjw1f.js";
22
+ import"./cli-bp7f8nyk.js";
23
23
  import {
24
24
  init_package,
25
25
  package_default
26
- } from "./cli-ks60cc3h.js";
26
+ } from "./cli-f5javz2k.js";
27
27
  import {
28
28
  __require,
29
29
  __toESM
@@ -35,50 +35,50 @@ var package_default2 = {
35
35
  pensar: "./bin/pensar.js"
36
36
  },
37
37
  dependencies: {
38
- "@ai-sdk/amazon-bedrock": "^4.0.113",
39
- "@ai-sdk/anthropic": "^3.0.81",
40
- "@ai-sdk/google": "^3.0.37",
38
+ "@ai-sdk/amazon-bedrock": "^4.0.119",
39
+ "@ai-sdk/anthropic": "^3.0.85",
40
+ "@ai-sdk/google": "^3.0.83",
41
41
  "@ai-sdk/openai": "3.0.46",
42
- "@ai-sdk/openai-compatible": "^2.0.35",
43
- "@ai-sdk/provider": "^3.0.8",
44
- "@daytonaio/sdk": "^0.112.1",
45
- "@googleapis/gmail": "^16.1.1",
42
+ "@ai-sdk/openai-compatible": "^2.0.51",
43
+ "@ai-sdk/provider": "^3.0.10",
44
+ "@daytonaio/sdk": "^0.112.3",
45
+ "@googleapis/gmail": "^16.1.2",
46
46
  "@microsoft/microsoft-graph-client": "^3.0.7",
47
- "@modelcontextprotocol/sdk": "^1.0.0",
48
- "@openrouter/ai-sdk-provider": "^2.2.3",
49
- "@opentelemetry/api": "^1.9.0",
47
+ "@modelcontextprotocol/sdk": "^1.29.0",
48
+ "@openrouter/ai-sdk-provider": "^2.9.1",
49
+ "@opentelemetry/api": "^1.9.1",
50
50
  "@opentui/core": "^0.1.107",
51
51
  "@opentui/react": "^0.1.107",
52
52
  "@pensar/surface": "0.2.2",
53
53
  "@playwright/mcp": "^0.0.54",
54
- ai: "^6.0.105",
54
+ ai: "^6.0.208",
55
55
  "camoufox-js": "^0.11.1",
56
- glob: "^13.0.0",
56
+ glob: "^13.0.6",
57
57
  "highlight.js": "^11.11.1",
58
- imapflow: "^1.2.10",
59
- mailparser: "^3.9.3",
60
- marked: "^16.4.0",
58
+ imapflow: "^1.4.2",
59
+ mailparser: "^3.9.11",
60
+ marked: "^16.4.2",
61
61
  "mime-types": "^3.0.2",
62
- nodemailer: "^8.0.7",
63
- "p-limit": "^7.2.0",
64
- react: "^19.2.0",
65
- sharp: "^0.34.4",
66
- tldts: "^7.0.28",
67
- yaml: "^2.8.2",
68
- zod: "^4.1.12"
62
+ nodemailer: "^8.0.11",
63
+ "p-limit": "^7.3.0",
64
+ react: "^19.2.7",
65
+ sharp: "^0.34.5",
66
+ tldts: "^7.4.3",
67
+ yaml: "^2.9.0",
68
+ zod: "^4.4.3"
69
69
  },
70
70
  description: "AI-powered penetration testing CLI tool with terminal UI",
71
71
  devDependencies: {
72
72
  "@biomejs/biome": "2.4.14",
73
- "@types/bun": "^1.3.0",
73
+ "@types/bun": "^1.3.14",
74
74
  "@types/mailparser": "^3.4.6",
75
75
  "@types/mime-types": "^3.0.1",
76
- "@types/nodemailer": "^8.0.0",
77
- "@types/react": "^19.2.6",
78
- dotenv: "^17.2.3",
79
- knip: "^6.12.0",
80
- prettier: "^3.8.1",
81
- vitest: "^2.1.8"
76
+ "@types/nodemailer": "^8.0.1",
77
+ "@types/react": "^19.2.17",
78
+ dotenv: "^17.4.2",
79
+ knip: "^6.17.1",
80
+ prettier: "^3.8.4",
81
+ vitest: "^2.1.9"
82
82
  },
83
83
  engines: {
84
84
  bun: ">=1.0.0",
@@ -144,7 +144,7 @@ var package_default2 = {
144
144
  tsc: "tsc --noEmit"
145
145
  },
146
146
  type: "module",
147
- version: "2.1.2"
147
+ version: "2.1.3-canary.082299eb"
148
148
  };
149
149
 
150
150
  // src/core/ai/index.ts
@@ -257,7 +257,7 @@ class AgentEventBus {
257
257
  }
258
258
  return this;
259
259
  }
260
- static attachChild(child, parent, subagentId) {
260
+ static attachChild(child, parent, childSessionId) {
261
261
  if (!parent)
262
262
  return;
263
263
  for (const key of CHILD_BUS_FORWARDED_EVENTS) {
@@ -266,28 +266,37 @@ class AgentEventBus {
266
266
  const p = payload;
267
267
  const isLifecycle = forwardKey === "subagent-spawn" || forwardKey === "subagent-complete";
268
268
  if (isLifecycle) {
269
- if (p.parentSubagentId) {
270
- parent.emit(forwardKey, payload);
271
- } else {
272
- parent.emit(forwardKey, {
273
- ...p,
274
- parentSubagentId: subagentId
275
- });
276
- }
269
+ const next2 = { ...p };
270
+ if (!p.parentSubagentId)
271
+ next2.parentSubagentId = childSessionId;
272
+ if (!p.parentSessionId)
273
+ next2.parentSessionId = childSessionId;
274
+ parent.emit(forwardKey, next2);
277
275
  return;
278
276
  }
279
- if (!p.subagentId) {
280
- parent.emit(forwardKey, { ...p, subagentId });
281
- } else {
282
- parent.emit(forwardKey, payload);
283
- }
277
+ const next = { ...p };
278
+ if (!p.subagentId)
279
+ next.subagentId = childSessionId;
280
+ if (!p.sessionId)
281
+ next.sessionId = childSessionId;
282
+ parent.emit(forwardKey, next);
284
283
  });
285
284
  }
286
285
  }
287
- emitStreamPart(chunk, subagentId) {
286
+ emitStreamPart(chunk, ids) {
287
+ const ctx = typeof ids === "string" ? { subagentId: ids } : ids ?? {};
288
+ const subagentId = ctx.subagentId;
289
+ const sessionId = ctx.sessionId;
290
+ const messageId = ctx.messageId;
288
291
  switch (chunk.type) {
289
292
  case "text-delta":
290
- this.emit("text-delta", { text: chunk.text, subagentId });
293
+ this.emit("text-delta", {
294
+ text: chunk.text,
295
+ subagentId,
296
+ sessionId,
297
+ messageId,
298
+ partId: ctx.textPartId
299
+ });
291
300
  break;
292
301
  case "reasoning-start":
293
302
  this.emit("reasoning-start", { subagentId });
@@ -302,14 +311,20 @@ class AgentEventBus {
302
311
  this.emit("tool-call-start", {
303
312
  toolCallId: chunk.id,
304
313
  toolName: chunk.toolName,
305
- subagentId
314
+ subagentId,
315
+ sessionId,
316
+ messageId,
317
+ partId: ctx.toolPartId?.(chunk.id)
306
318
  });
307
319
  break;
308
320
  case "tool-input-delta":
309
321
  this.emit("tool-call-delta", {
310
322
  toolCallId: chunk.id,
311
323
  argsTextDelta: chunk.delta,
312
- subagentId
324
+ subagentId,
325
+ sessionId,
326
+ messageId,
327
+ partId: ctx.toolPartId?.(chunk.id)
313
328
  });
314
329
  break;
315
330
  case "tool-call": {
@@ -318,7 +333,10 @@ class AgentEventBus {
318
333
  toolCallId: tc.toolCallId,
319
334
  toolName: tc.toolName,
320
335
  args: tc.args ?? tc.input,
321
- subagentId
336
+ subagentId,
337
+ sessionId,
338
+ messageId,
339
+ partId: ctx.toolPartId?.(tc.toolCallId)
322
340
  });
323
341
  break;
324
342
  }
@@ -328,7 +346,10 @@ class AgentEventBus {
328
346
  toolCallId: tr.toolCallId,
329
347
  toolName: tr.toolName,
330
348
  result: tr.result ?? tr.output,
331
- subagentId
349
+ subagentId,
350
+ sessionId,
351
+ messageId,
352
+ partId: ctx.toolPartId?.(tr.toolCallId)
332
353
  });
333
354
  break;
334
355
  }
@@ -477,6 +498,7 @@ You can upgrade manually by running:
477
498
  // src/core/logger/index.ts
478
499
  init_session();
479
500
  init_structured();
501
+ init_structured();
480
502
  import os from "node:os";
481
503
  import path from "node:path";
482
504
  var ERROR_LOG_PATH = path.join(os.homedir(), ".pensar", "error.log");
@@ -565,7 +587,7 @@ function attachCliAgentStreamListeners(bus) {
565
587
  async function createInstrumentedBus(session) {
566
588
  const bus = new AgentEventBus;
567
589
  attachCliAgentStreamListeners(bus);
568
- const { attachWandbToEventBus } = await import("./upload-ymvhkyq5.js");
590
+ const { attachWandbToEventBus } = await import("./upload-pjr2zgys.js");
569
591
  const wandbCleanup = await attachWandbToEventBus(session, bus).catch((e) => {
570
592
  console.warn("[wandb] Tracing disabled:", e.message);
571
593
  return null;
@@ -582,7 +604,7 @@ async function resolveCliHeaders() {
582
604
  const { parseHeaderLine: parseHeaderLine2, parseHeadersFromFile, formatParseError: formatParseError2 } = await import("./parse-7djk9jyf.js");
583
605
  const merged = {};
584
606
  if (!noGlobal) {
585
- const { config: appConfig } = await import("./index-sqjve2bm.js");
607
+ const { config: appConfig } = await import("./index-xzb9yxtf.js");
586
608
  const cfg = await appConfig.get();
587
609
  if (cfg.defaultHeaders) {
588
610
  Object.assign(merged, cfg.defaultHeaders);
@@ -616,8 +638,8 @@ async function resolveCliModel() {
616
638
  const explicit = getArg("--model");
617
639
  if (explicit)
618
640
  return explicit;
619
- const { config: appConfig } = await import("./index-sqjve2bm.js");
620
- const { getDefaultModelForConfig } = await import("./utils-d1ed6jzf.js");
641
+ const { config: appConfig } = await import("./index-xzb9yxtf.js");
642
+ const { getDefaultModelForConfig } = await import("./utils-v0mj3yrn.js");
621
643
  const pensarConfig = await appConfig.get();
622
644
  const defaultModel = getDefaultModelForConfig(pensarConfig);
623
645
  if (!defaultModel) {
@@ -671,6 +693,8 @@ pentest options:
671
693
  --model <model> AI model (default: auto-selected from configured provider)
672
694
  --extended-thinking Enable extended thinking for supported models
673
695
  --task-driven Enable task-driven architecture (experimental)
696
+ --fast-strike Single-operator fast strike: skip attack-surface/swarm
697
+ phases, one tight recon\u2192exploit loop against the target
674
698
  --prompt <text|@file> Guidance for the pentest agent (inline text or @filepath)
675
699
  --threat-model <text|@file> Threat model to guide the pentest (inline or @filepath)
676
700
  --header "Name: Value" Custom HTTP header (repeatable)
@@ -701,11 +725,11 @@ Global options:
701
725
  `);
702
726
  }
703
727
  async function runPentest() {
704
- const { config } = await import("./main-3zneyg7p.js").then((m)=>__toESM(m.default,1));
728
+ const { config } = await import("./main-3d7dfdvs.js").then((m)=>__toESM(m.default,1));
705
729
  config();
706
- const { runPentestAgent } = await import("./blackboxPentest-2edr9rj3.js");
707
- const { sessions: sessions2 } = await import("./index-c6qz0gve.js");
708
- const { config: appConfig } = await import("./index-sqjve2bm.js");
730
+ const { runPentestAgent } = await import("./blackboxPentest-b1dqrv93.js");
731
+ const { sessions: sessions2 } = await import("./index-h6rxj451.js");
732
+ const { config: appConfig } = await import("./index-xzb9yxtf.js");
709
733
  const target = getArgRequired("--target");
710
734
  const cwd = getArg("--cwd");
711
735
  const mode = getArg("--mode");
@@ -713,6 +737,7 @@ async function runPentest() {
713
737
  const threatModelRaw = getArg("--threat-model");
714
738
  const enableThinking = hasFlag("--extended-thinking");
715
739
  const taskDriven = hasFlag("--task-driven");
740
+ const fastStrike = hasFlag("--fast-strike");
716
741
  const resolvedTm = threatModelRaw ? resolveThreatModelPrompt(threatModelRaw) : undefined;
717
742
  const resolvedPrompt = promptRaw ? resolveFlagValue(promptRaw) : undefined;
718
743
  const prompt = combinePromptParts(resolvedTm, resolvedPrompt);
@@ -723,6 +748,9 @@ async function runPentest() {
723
748
  if (modeWarning) {
724
749
  console.warn(modeWarning);
725
750
  }
751
+ if (taskDriven && fastStrike) {
752
+ console.warn("Warning: --task-driven has no effect with --fast-strike (task tools are excluded).");
753
+ }
726
754
  const sep = "=".repeat(60);
727
755
  console.log(`${sep}
728
756
  PENTEST ORCHESTRATION
@@ -732,14 +760,15 @@ Cwd: ${cwd} (whitebox)` : ""}${exfilMode ? `
732
760
  Mode: exfil` : ""}
733
761
  Model: ${model}${enableThinking ? `
734
762
  Thinking: enabled` : ""}${taskDriven ? `
735
- Task-driven: enabled` : ""}${headers ? `
763
+ Task-driven: enabled` : ""}${fastStrike ? `
764
+ Fast strike: enabled` : ""}${headers ? `
736
765
  Headers: ${Object.keys(headers).length} configured` : ""}
737
766
  `);
738
767
  const session = await sessions2.create({
739
768
  name: cwd ? "Whitebox Pentest" : "Blackbox Pentest",
740
769
  targets: [target],
741
770
  config: {
742
- ...cwd ? { cwd } : {},
771
+ ...cwd ? { codebasePath: cwd } : {},
743
772
  ...exfilMode ? { exfilMode: true } : {},
744
773
  ...prompt ? { prompt } : {},
745
774
  ...taskDriven ? { taskDriven: true } : {},
@@ -755,6 +784,7 @@ Headers: ${Object.keys(headers).length} configured` : ""}
755
784
  session,
756
785
  model,
757
786
  enableThinking,
787
+ ...fastStrike ? { fastStrike: true } : {},
758
788
  surfaceIntegrationEnabled: pensarConfig.surfaceIntegrationEnabled,
759
789
  authConfig: buildAuthConfig(pensarConfig),
760
790
  eventBus: pentestBus
@@ -773,11 +803,11 @@ Report: ${reportPath}` : ""}`);
773
803
  process.exit(0);
774
804
  }
775
805
  async function runTargetedPentest() {
776
- const { config } = await import("./main-3zneyg7p.js").then((m)=>__toESM(m.default,1));
806
+ const { config } = await import("./main-3d7dfdvs.js").then((m)=>__toESM(m.default,1));
777
807
  config();
778
- const { runTargetedPentestAgent } = await import("./targetedPentest-ws0a7frk.js");
779
- const { sessions: sessions2 } = await import("./index-c6qz0gve.js");
780
- const { config: appConfig } = await import("./index-sqjve2bm.js");
808
+ const { runTargetedPentestAgent } = await import("./targetedPentest-m3ypnmfk.js");
809
+ const { sessions: sessions2 } = await import("./index-h6rxj451.js");
810
+ const { config: appConfig } = await import("./index-xzb9yxtf.js");
781
811
  const target = getArgRequired("--target");
782
812
  const objectives = getAllArgs("--objective");
783
813
  const pensarConfig = await appConfig.get();
@@ -827,10 +857,10 @@ POCs: ${pocsPath}`);
827
857
  process.exit(0);
828
858
  }
829
859
  async function runThreatModel() {
830
- const { config } = await import("./main-3zneyg7p.js").then((m)=>__toESM(m.default,1));
860
+ const { config } = await import("./main-3d7dfdvs.js").then((m)=>__toESM(m.default,1));
831
861
  config();
832
- const { runThreatModelWorkflow } = await import("./threatModel-z9b213x8.js");
833
- const { config: appConfig } = await import("./index-sqjve2bm.js");
862
+ const { runThreatModelWorkflow } = await import("./threatModel-p8khw8tr.js");
863
+ const { config: appConfig } = await import("./index-xzb9yxtf.js");
834
864
  const path2 = await import("path");
835
865
  const pensarConfig = await appConfig.get();
836
866
  const model = await resolveCliModel();
@@ -864,16 +894,16 @@ ${sep}
864
894
  Threat model written to: ${resolvedPath}`);
865
895
  }
866
896
  async function runOperator() {
867
- const { config } = await import("./main-3zneyg7p.js").then((m)=>__toESM(m.default,1));
897
+ const { config } = await import("./main-3d7dfdvs.js").then((m)=>__toESM(m.default,1));
868
898
  config();
869
- const { runOffensiveSecurityAgent } = await import("./offesecAgent-hsej0pfc.js");
870
- const { sessions: sessions2, normalizeMessages, getResumeMessages } = await import("./index-c6qz0gve.js");
871
- const { ALL_TOOL_NAMES, SKILL_TOOL_NAMES } = await import("./index-s8gw83d6.js");
872
- const { config: appConfig } = await import("./index-sqjve2bm.js");
899
+ const { runOffensiveSecurityAgent } = await import("./offesecAgent-767xjskr.js");
900
+ const { sessions: sessions2, normalizeMessages, getResumeMessages } = await import("./index-h6rxj451.js");
901
+ const { ALL_TOOL_NAMES, SKILL_TOOL_NAMES } = await import("./index-m9djasp6.js");
902
+ const { config: appConfig } = await import("./index-xzb9yxtf.js");
873
903
  const { createInterface } = await import("readline");
874
904
  const { readFileSync: readFileSync2, existsSync } = await import("fs");
875
905
  const path2 = await import("path");
876
- const { stepCountIs } = await import("./index-mgng15va.js");
906
+ const { stepCountIs } = await import("./index-gq9h8j5j.js");
877
907
  const promptRaw = getArg("-p") ?? getArg("--prompt");
878
908
  if (!promptRaw) {
879
909
  console.error("Error: -p <prompt> is required");
@@ -983,35 +1013,35 @@ if (hasFlag("-p") || command === "--prompt") {
983
1013
  await runTargetedPentest();
984
1014
  } else if (command === "login" || command === "auth") {
985
1015
  process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
986
- await import("./auth-5stxpmga.js");
1016
+ await import("./auth-cm0s3an4.js");
987
1017
  } else if (command === "uninstall") {
988
1018
  process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
989
- await import("./uninstall-1j469qj7.js");
1019
+ await import("./uninstall-acg2vcpm.js");
990
1020
  } else if (command === "apps") {
991
1021
  process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
992
- await import("./apps-j0bwey0w.js");
1022
+ await import("./apps-c4rdprzp.js");
993
1023
  } else if (command === "pentests") {
994
1024
  process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
995
- await import("./pentests-hyx3c3qa.js");
1025
+ await import("./pentests-7zy73b60.js");
996
1026
  } else if (command === "targets") {
997
1027
  process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
998
- await import("./targets-9cqrshet.js");
1028
+ await import("./targets-nay3vmqy.js");
999
1029
  } else if (command === "issues") {
1000
1030
  process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
1001
- await import("./issues-5anqrh2j.js");
1031
+ await import("./issues-35784nvy.js");
1002
1032
  } else if (command === "fixes") {
1003
1033
  process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
1004
- await import("./fixes-qf4s92z2.js");
1034
+ await import("./fixes-kza6ej38.js");
1005
1035
  } else if (command === "logs") {
1006
1036
  process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
1007
- await import("./logs-q6ankt6m.js");
1037
+ await import("./logs-14xzc32f.js");
1008
1038
  } else if (command === "config") {
1009
1039
  process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
1010
- await import("./config-s5ryv5ez.js");
1040
+ await import("./config-6hkn23py.js");
1011
1041
  } else if (command === "threat-model") {
1012
1042
  await runThreatModel();
1013
1043
  } else if (command === "doctor") {
1014
- const { runDoctor } = await import("./doctor-f08gegwc.js");
1044
+ const { runDoctor } = await import("./doctor-0prby1f0.js");
1015
1045
  await runDoctor();
1016
1046
  } else if (args.length === 0) {
1017
1047
  if (process.env.PENSAR_NO_TUI === "1") {
@@ -1019,7 +1049,7 @@ if (hasFlag("-p") || command === "--prompt") {
1019
1049
  console.error("All other commands work with Node \u2014 run 'pensar --help'.");
1020
1050
  process.exit(1);
1021
1051
  }
1022
- await import("./index-gakk2t5q.js");
1052
+ await import("./index-vjh370rj.js");
1023
1053
  } else {
1024
1054
  console.error(`Error: Unknown command '${command}'`);
1025
1055
  console.error();
@@ -11,9 +11,9 @@ import {
11
11
  import {
12
12
  config,
13
13
  init_config
14
- } from "./cli-9z6vwf30.js";
15
- import"./cli-xnnkeg5p.js";
16
- import"./cli-ks60cc3h.js";
14
+ } from "./cli-7bzzjw1f.js";
15
+ import"./cli-bp7f8nyk.js";
16
+ import"./cli-f5javz2k.js";
17
17
  import"./cli-8rxa073f.js";
18
18
 
19
19
  // src/cli/config.ts
@@ -1,13 +1,13 @@
1
1
  import {
2
2
  toolExists
3
- } from "./cli-6wwpk9d9.js";
4
- import"./cli-v1aqbv58.js";
5
- import"./cli-hj3t87r2.js";
6
- import"./cli-f7d23ded.js";
3
+ } from "./cli-35rkgbhd.js";
4
+ import"./cli-d28z7z1b.js";
5
+ import"./cli-0kg01x44.js";
6
+ import"./cli-3k1x5rn3.js";
7
7
  import"./cli-gpnb45ck.js";
8
- import"./cli-9z6vwf30.js";
9
- import"./cli-xnnkeg5p.js";
10
- import"./cli-ks60cc3h.js";
8
+ import"./cli-7bzzjw1f.js";
9
+ import"./cli-bp7f8nyk.js";
10
+ import"./cli-f5javz2k.js";
11
11
  import"./cli-8rxa073f.js";
12
12
 
13
13
  // src/core/doctor.ts
@@ -0,0 +1,156 @@
1
+ import {
2
+ REPORT_FILENAME_JSON,
3
+ REPORT_FILENAME_MD,
4
+ buildPentestReport,
5
+ renderJson,
6
+ renderMarkdown
7
+ } from "./cli-sekg25pa.js";
8
+ import"./cli-9fsre5pt.js";
9
+ import"./cli-7g8n2kkk.js";
10
+ import {
11
+ FindingsRegistry,
12
+ OffensiveSecurityAgent
13
+ } from "./cli-w5vt3svr.js";
14
+ import"./cli-35rkgbhd.js";
15
+ import {
16
+ createThreatModelPrompt
17
+ } from "./cli-fw5r7pfj.js";
18
+ import"./cli-c8131c4q.js";
19
+ import"./cli-d28z7z1b.js";
20
+ import"./cli-0kg01x44.js";
21
+ import {
22
+ exports_external,
23
+ init_zod
24
+ } from "./cli-3k1x5rn3.js";
25
+ import"./cli-gpnb45ck.js";
26
+ import"./cli-7bzzjw1f.js";
27
+ import"./cli-bp7f8nyk.js";
28
+ import"./cli-f5javz2k.js";
29
+ import"./cli-8rxa073f.js";
30
+
31
+ // src/core/workflows/fastStrike.ts
32
+ init_zod();
33
+ import { writeFileSync } from "node:fs";
34
+ import { join } from "node:path";
35
+ var FastStrikeResult = exports_external.object({
36
+ solved: exports_external.boolean().describe("True if the objective was achieved — a vulnerability was confirmed and, where applicable, the flag or sensitive data was extracted."),
37
+ summary: exports_external.string().describe("Concise account of the vulnerability exploited, the exact steps that worked, and any flag or sensitive data recovered.")
38
+ });
39
+ var FAST_STRIKE_SYSTEM_PROMPT = `You are an elite offensive security operator running a fast strike against a single target. You work ALONE and finish the job yourself — there is no team to hand off to, no swarm to spawn, no plan to file. Your edge is discipline and observation, not volume.
40
+
41
+ Run this loop, tightly:
42
+
43
+ 1. OBSERVE — Read every response for signal before you act. Note the stack, headers, cookies, tokens, form fields, error messages, redirects, disabled controls, ID patterns. State what you just learned in one line before the next move.
44
+ 2. HYPOTHESIZE — From that signal and your deep knowledge of web/app vulnerability classes, name the single most likely vulnerability and why the evidence points to it. Rank leads by signal strength and go for the strongest first. A disabled form field, an ID in a URL or JWT, advertised demo creds, an exposed schema — these are tells; read them.
45
+ 3. ACT — Test that one hypothesis with the minimum number of commands. Every tool call should exist to confirm or kill a specific hypothesis.
46
+ 4. PRUNE — If the evidence disproves a lead, drop it and move to the next-strongest. Do NOT re-run a disproven approach or grind a dead end. Do NOT enumerate, brute-force, or run wordlists unless a specific signal demands it — choose techniques from evidence, not from a checklist.
47
+ 5. EXPLOIT — When a vulnerability is confirmed, exploit it: capture the flag, extract the sensitive data, and pivot through it if the objective requires more. Multi-step objectives are yours to finish end to end — foothold, then privesc, then the goal.
48
+ 6. DOCUMENT & FINISH — Record each confirmed vulnerability with the document_vulnerability tool as you go. When the objective is met (or every credible lead is exhausted), call the response tool with your result.
49
+
50
+ Rules:
51
+ - You are one operator. Plan in your head and in short text notes — never via planning tools, task lists, or sub-agents.
52
+ - Recon and exploitation are the same loop. Do just enough recon to form the first hypothesis, then start testing. Do not map the entire surface before acting.
53
+ - Bias toward the shortest path that proves impact. Speed comes from picking the right lead, not from skipping verification — always confirm a finding before you claim it.
54
+ - Stay in scope. Only touch the target you were given and hosts it legitimately depends on.`;
55
+ async function runFastStrike(input) {
56
+ const {
57
+ target,
58
+ cwd,
59
+ model,
60
+ session,
61
+ authConfig,
62
+ abortSignal,
63
+ eventBus,
64
+ onStepFinish,
65
+ enableThinking,
66
+ openAIReasoningEffort,
67
+ prompt,
68
+ threatModel
69
+ } = input;
70
+ if (cwd) {
71
+ if (!session.config) {
72
+ session.config = {};
73
+ }
74
+ session.config.codebasePath ??= cwd;
75
+ }
76
+ if (prompt || threatModel) {
77
+ const parts = [];
78
+ if (threatModel)
79
+ parts.push(createThreatModelPrompt(threatModel));
80
+ if (prompt)
81
+ parts.push(prompt);
82
+ const combined = parts.join(`
83
+
84
+ `);
85
+ if (!session.config) {
86
+ session.config = {};
87
+ }
88
+ session.config.prompt = session.config?.prompt ? `${session.config?.prompt}
89
+
90
+ ${combined}` : combined;
91
+ }
92
+ const operatorGuidance = session.config?.prompt;
93
+ const mode = cwd ? "whitebox" : "blackbox";
94
+ eventBus?.emit("workflow-phase-start", {
95
+ phase: "pentesting",
96
+ label: "Fast Strike",
97
+ metadata: { target }
98
+ });
99
+ const findingsRegistry = FindingsRegistry.fromDirectory(session.findingsPath, { model, authConfig, abortSignal });
100
+ const promptParts = [`Target: ${target}`];
101
+ if (operatorGuidance)
102
+ promptParts.push(operatorGuidance);
103
+ promptParts.push("Run the fast strike: find and exploit the vulnerability, complete the objective, and report what worked.");
104
+ const agent = new OffensiveSecurityAgent({
105
+ system: FAST_STRIKE_SYSTEM_PROMPT,
106
+ prompt: promptParts.join(`
107
+
108
+ `),
109
+ model,
110
+ session,
111
+ target,
112
+ mode: "fast-strike",
113
+ activeTools: [],
114
+ responseSchema: FastStrikeResult,
115
+ findingsRegistry,
116
+ subagentId: "fast-strike",
117
+ authConfig,
118
+ abortSignal,
119
+ eventBus,
120
+ onStepFinish,
121
+ enableThinking,
122
+ openAIReasoningEffort
123
+ });
124
+ const strikeResult = await agent.consume();
125
+ if (abortSignal?.aborted) {
126
+ throw new DOMException("Pentest aborted by user", "AbortError");
127
+ }
128
+ await findingsRegistry.groupByRootCause();
129
+ const findings = [...findingsRegistry.getFindings()];
130
+ const report = buildPentestReport(findings, {
131
+ target,
132
+ model,
133
+ sessionId: session.id,
134
+ mode
135
+ });
136
+ const mdPath = join(session.rootPath, REPORT_FILENAME_MD);
137
+ const jsonPath = join(session.rootPath, REPORT_FILENAME_JSON);
138
+ writeFileSync(mdPath, renderMarkdown(report));
139
+ writeFileSync(jsonPath, renderJson(report));
140
+ eventBus?.emit("workflow-phase-complete", {
141
+ phase: "pentesting",
142
+ summary: {
143
+ findingsCount: findings.length,
144
+ ...strikeResult ? { solved: strikeResult.solved, operatorSummary: strikeResult.summary } : {}
145
+ }
146
+ });
147
+ return {
148
+ findings,
149
+ findingsPath: session.findingsPath,
150
+ pocsPath: session.pocsPath,
151
+ reportPath: mdPath
152
+ };
153
+ }
154
+ export {
155
+ runFastStrike
156
+ };
@@ -2,26 +2,27 @@
2
2
  import {
3
3
  getFix,
4
4
  listFixes
5
- } from "./cli-dqkdnd3c.js";
6
- import"./cli-9vzc18m5.js";
7
- import"./cli-whtdyc0e.js";
8
- import"./cli-yjbkaqvy.js";
9
- import"./cli-0gk2x2sc.js";
10
- import"./cli-6vs0mtsb.js";
11
- import"./cli-gbkj2has.js";
5
+ } from "./cli-db434rd0.js";
6
+ import"./cli-y4csaqh2.js";
7
+ import"./cli-qdvef4qc.js";
8
+ import"./cli-sekg25pa.js";
9
+ import"./cli-8256tzw9.js";
10
+ import"./cli-wdahap6k.js";
11
+ import"./cli-nn5rxhvz.js";
12
+ import"./cli-nfnfwfcn.js";
12
13
  import"./cli-9fsre5pt.js";
13
- import"./cli-tw3fe8bj.js";
14
- import"./cli-35czfv00.js";
15
- import"./cli-6wwpk9d9.js";
14
+ import"./cli-7g8n2kkk.js";
15
+ import"./cli-w5vt3svr.js";
16
+ import"./cli-35rkgbhd.js";
16
17
  import"./cli-fw5r7pfj.js";
17
18
  import"./cli-c8131c4q.js";
18
- import"./cli-v1aqbv58.js";
19
- import"./cli-hj3t87r2.js";
20
- import"./cli-f7d23ded.js";
19
+ import"./cli-d28z7z1b.js";
20
+ import"./cli-0kg01x44.js";
21
+ import"./cli-3k1x5rn3.js";
21
22
  import"./cli-gpnb45ck.js";
22
- import"./cli-9z6vwf30.js";
23
- import"./cli-xnnkeg5p.js";
24
- import"./cli-ks60cc3h.js";
23
+ import"./cli-7bzzjw1f.js";
24
+ import"./cli-bp7f8nyk.js";
25
+ import"./cli-f5javz2k.js";
25
26
  import"./cli-8rxa073f.js";
26
27
 
27
28
  // src/cli/fixes.ts