@pensar/apex 2.1.2 → 2.1.3-canary.082299eb
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/{agent-737mxp3v.js → agent-25rra8mk.js} +9 -8
- package/build/agent-qa4kk7v1.js +27 -0
- package/build/agent-xpddb5yz.js +19 -0
- package/build/{apps-j0bwey0w.js → apps-c4rdprzp.js} +17 -16
- package/build/{auth-5stxpmga.js → auth-cm0s3an4.js} +17 -16
- package/build/authentication-k8303p1y.js +19 -0
- package/build/blackboxAgent-8mpqbggt.js +19 -0
- package/build/{blackboxPentest-2edr9rj3.js → blackboxPentest-b1dqrv93.js} +15 -14
- package/build/{cli-hj3t87r2.js → cli-0kg01x44.js} +1 -1
- package/build/{cli-6wwpk9d9.js → cli-35rkgbhd.js} +1 -1
- package/build/{cli-f7d23ded.js → cli-3k1x5rn3.js} +936 -1775
- package/build/{cli-9z6vwf30.js → cli-7bzzjw1f.js} +1 -1
- package/build/{cli-tw3fe8bj.js → cli-7g8n2kkk.js} +2 -2
- package/build/{cli-yjbkaqvy.js → cli-8256tzw9.js} +79 -23
- package/build/{cli-jd0c0b91.js → cli-bh3e0th8.js} +1 -1
- package/build/{cli-xnnkeg5p.js → cli-bp7f8nyk.js} +1 -1
- package/build/{cli-v1aqbv58.js → cli-d28z7z1b.js} +29267 -25585
- package/build/{cli-dqkdnd3c.js → cli-db434rd0.js} +88 -49
- package/build/{cli-ks60cc3h.js → cli-f5javz2k.js} +30 -30
- package/build/{cli-gbkj2has.js → cli-nfnfwfcn.js} +5 -3
- package/build/{cli-6vs0mtsb.js → cli-nn5rxhvz.js} +4 -2
- package/build/{cli-whtdyc0e.js → cli-qdvef4qc.js} +6 -4
- package/build/cli-sekg25pa.js +195 -0
- package/build/{cli-35czfv00.js → cli-w5vt3svr.js} +70869 -79383
- package/build/{cli-0gk2x2sc.js → cli-wdahap6k.js} +18 -18
- package/build/{cli-9vzc18m5.js → cli-y4csaqh2.js} +53 -204
- package/build/cli.js +120 -90
- package/build/{config-s5ryv5ez.js → config-6hkn23py.js} +3 -3
- package/build/{doctor-f08gegwc.js → doctor-0prby1f0.js} +7 -7
- package/build/fastStrike-qts85kag.js +156 -0
- package/build/{fixes-qf4s92z2.js → fixes-kza6ej38.js} +17 -16
- package/build/{index-x4xefngs.js → index-6r19ej49.js} +3 -3
- package/build/{index-exvkbve0.js → index-7y1pwazv.js} +4 -4
- package/build/{index-mgng15va.js → index-gq9h8j5j.js} +909 -456
- package/build/{index-c6qz0gve.js → index-h6rxj451.js} +7 -7
- package/build/{index-s8gw83d6.js → index-m9djasp6.js} +19 -11
- package/build/{index-gakk2t5q.js → index-vjh370rj.js} +23 -19
- package/build/{index-5h1hjhzw.js → index-vk0czqw7.js} +10 -10
- package/build/{index-sqjve2bm.js → index-xzb9yxtf.js} +2 -2
- package/build/{issues-5anqrh2j.js → issues-35784nvy.js} +17 -16
- package/build/{logs-q6ankt6m.js → logs-14xzc32f.js} +17 -16
- package/build/{main-3zneyg7p.js → main-3d7dfdvs.js} +17 -93
- package/build/{offesecAgent-hsej0pfc.js → offesecAgent-767xjskr.js} +9 -9
- package/build/pentest-hf3hejjq.js +29 -0
- package/build/{pentests-hyx3c3qa.js → pentests-7zy73b60.js} +17 -16
- package/build/targetedPentest-m3ypnmfk.js +44 -0
- package/build/{targets-9cqrshet.js → targets-nay3vmqy.js} +17 -16
- package/build/threatModel-p8khw8tr.js +27 -0
- package/build/{uninstall-1j469qj7.js → uninstall-acg2vcpm.js} +1 -1
- package/build/{upload-ymvhkyq5.js → upload-pjr2zgys.js} +7 -7
- package/build/{utils-d1ed6jzf.js → utils-v0mj3yrn.js} +6 -6
- package/package.json +30 -30
- package/build/agent-8w9h3tnw.js +0 -19
- package/build/agent-vdrtakz4.js +0 -25
- package/build/authentication-qswvctj4.js +0 -19
- package/build/blackboxAgent-vwm9t3h4.js +0 -19
- package/build/pentest-1e30q7rs.js +0 -28
- package/build/targetedPentest-ws0a7frk.js +0 -36
- package/build/threatModel-z9b213x8.js +0 -26
package/build/cli.js
CHANGED
|
@@ -14,16 +14,16 @@ import {
|
|
|
14
14
|
init_toolset,
|
|
15
15
|
init_utils,
|
|
16
16
|
logger
|
|
17
|
-
} from "./cli-
|
|
18
|
-
import"./cli-
|
|
19
|
-
import"./cli-
|
|
17
|
+
} from "./cli-d28z7z1b.js";
|
|
18
|
+
import"./cli-0kg01x44.js";
|
|
19
|
+
import"./cli-3k1x5rn3.js";
|
|
20
20
|
import"./cli-gpnb45ck.js";
|
|
21
|
-
import"./cli-
|
|
22
|
-
import"./cli-
|
|
21
|
+
import"./cli-7bzzjw1f.js";
|
|
22
|
+
import"./cli-bp7f8nyk.js";
|
|
23
23
|
import {
|
|
24
24
|
init_package,
|
|
25
25
|
package_default
|
|
26
|
-
} from "./cli-
|
|
26
|
+
} from "./cli-f5javz2k.js";
|
|
27
27
|
import {
|
|
28
28
|
__require,
|
|
29
29
|
__toESM
|
|
@@ -35,50 +35,50 @@ var package_default2 = {
|
|
|
35
35
|
pensar: "./bin/pensar.js"
|
|
36
36
|
},
|
|
37
37
|
dependencies: {
|
|
38
|
-
"@ai-sdk/amazon-bedrock": "^4.0.
|
|
39
|
-
"@ai-sdk/anthropic": "^3.0.
|
|
40
|
-
"@ai-sdk/google": "^3.0.
|
|
38
|
+
"@ai-sdk/amazon-bedrock": "^4.0.119",
|
|
39
|
+
"@ai-sdk/anthropic": "^3.0.85",
|
|
40
|
+
"@ai-sdk/google": "^3.0.83",
|
|
41
41
|
"@ai-sdk/openai": "3.0.46",
|
|
42
|
-
"@ai-sdk/openai-compatible": "^2.0.
|
|
43
|
-
"@ai-sdk/provider": "^3.0.
|
|
44
|
-
"@daytonaio/sdk": "^0.112.
|
|
45
|
-
"@googleapis/gmail": "^16.1.
|
|
42
|
+
"@ai-sdk/openai-compatible": "^2.0.51",
|
|
43
|
+
"@ai-sdk/provider": "^3.0.10",
|
|
44
|
+
"@daytonaio/sdk": "^0.112.3",
|
|
45
|
+
"@googleapis/gmail": "^16.1.2",
|
|
46
46
|
"@microsoft/microsoft-graph-client": "^3.0.7",
|
|
47
|
-
"@modelcontextprotocol/sdk": "^1.
|
|
48
|
-
"@openrouter/ai-sdk-provider": "^2.
|
|
49
|
-
"@opentelemetry/api": "^1.9.
|
|
47
|
+
"@modelcontextprotocol/sdk": "^1.29.0",
|
|
48
|
+
"@openrouter/ai-sdk-provider": "^2.9.1",
|
|
49
|
+
"@opentelemetry/api": "^1.9.1",
|
|
50
50
|
"@opentui/core": "^0.1.107",
|
|
51
51
|
"@opentui/react": "^0.1.107",
|
|
52
52
|
"@pensar/surface": "0.2.2",
|
|
53
53
|
"@playwright/mcp": "^0.0.54",
|
|
54
|
-
ai: "^6.0.
|
|
54
|
+
ai: "^6.0.208",
|
|
55
55
|
"camoufox-js": "^0.11.1",
|
|
56
|
-
glob: "^13.0.
|
|
56
|
+
glob: "^13.0.6",
|
|
57
57
|
"highlight.js": "^11.11.1",
|
|
58
|
-
imapflow: "^1.2
|
|
59
|
-
mailparser: "^3.9.
|
|
60
|
-
marked: "^16.4.
|
|
58
|
+
imapflow: "^1.4.2",
|
|
59
|
+
mailparser: "^3.9.11",
|
|
60
|
+
marked: "^16.4.2",
|
|
61
61
|
"mime-types": "^3.0.2",
|
|
62
|
-
nodemailer: "^8.0.
|
|
63
|
-
"p-limit": "^7.
|
|
64
|
-
react: "^19.2.
|
|
65
|
-
sharp: "^0.34.
|
|
66
|
-
tldts: "^7.
|
|
67
|
-
yaml: "^2.
|
|
68
|
-
zod: "^4.
|
|
62
|
+
nodemailer: "^8.0.11",
|
|
63
|
+
"p-limit": "^7.3.0",
|
|
64
|
+
react: "^19.2.7",
|
|
65
|
+
sharp: "^0.34.5",
|
|
66
|
+
tldts: "^7.4.3",
|
|
67
|
+
yaml: "^2.9.0",
|
|
68
|
+
zod: "^4.4.3"
|
|
69
69
|
},
|
|
70
70
|
description: "AI-powered penetration testing CLI tool with terminal UI",
|
|
71
71
|
devDependencies: {
|
|
72
72
|
"@biomejs/biome": "2.4.14",
|
|
73
|
-
"@types/bun": "^1.3.
|
|
73
|
+
"@types/bun": "^1.3.14",
|
|
74
74
|
"@types/mailparser": "^3.4.6",
|
|
75
75
|
"@types/mime-types": "^3.0.1",
|
|
76
|
-
"@types/nodemailer": "^8.0.
|
|
77
|
-
"@types/react": "^19.2.
|
|
78
|
-
dotenv: "^17.2
|
|
79
|
-
knip: "^6.
|
|
80
|
-
prettier: "^3.8.
|
|
81
|
-
vitest: "^2.1.
|
|
76
|
+
"@types/nodemailer": "^8.0.1",
|
|
77
|
+
"@types/react": "^19.2.17",
|
|
78
|
+
dotenv: "^17.4.2",
|
|
79
|
+
knip: "^6.17.1",
|
|
80
|
+
prettier: "^3.8.4",
|
|
81
|
+
vitest: "^2.1.9"
|
|
82
82
|
},
|
|
83
83
|
engines: {
|
|
84
84
|
bun: ">=1.0.0",
|
|
@@ -144,7 +144,7 @@ var package_default2 = {
|
|
|
144
144
|
tsc: "tsc --noEmit"
|
|
145
145
|
},
|
|
146
146
|
type: "module",
|
|
147
|
-
version: "2.1.
|
|
147
|
+
version: "2.1.3-canary.082299eb"
|
|
148
148
|
};
|
|
149
149
|
|
|
150
150
|
// src/core/ai/index.ts
|
|
@@ -257,7 +257,7 @@ class AgentEventBus {
|
|
|
257
257
|
}
|
|
258
258
|
return this;
|
|
259
259
|
}
|
|
260
|
-
static attachChild(child, parent,
|
|
260
|
+
static attachChild(child, parent, childSessionId) {
|
|
261
261
|
if (!parent)
|
|
262
262
|
return;
|
|
263
263
|
for (const key of CHILD_BUS_FORWARDED_EVENTS) {
|
|
@@ -266,28 +266,37 @@ class AgentEventBus {
|
|
|
266
266
|
const p = payload;
|
|
267
267
|
const isLifecycle = forwardKey === "subagent-spawn" || forwardKey === "subagent-complete";
|
|
268
268
|
if (isLifecycle) {
|
|
269
|
-
|
|
270
|
-
|
|
271
|
-
|
|
272
|
-
|
|
273
|
-
|
|
274
|
-
|
|
275
|
-
});
|
|
276
|
-
}
|
|
269
|
+
const next2 = { ...p };
|
|
270
|
+
if (!p.parentSubagentId)
|
|
271
|
+
next2.parentSubagentId = childSessionId;
|
|
272
|
+
if (!p.parentSessionId)
|
|
273
|
+
next2.parentSessionId = childSessionId;
|
|
274
|
+
parent.emit(forwardKey, next2);
|
|
277
275
|
return;
|
|
278
276
|
}
|
|
279
|
-
|
|
280
|
-
|
|
281
|
-
|
|
282
|
-
|
|
283
|
-
|
|
277
|
+
const next = { ...p };
|
|
278
|
+
if (!p.subagentId)
|
|
279
|
+
next.subagentId = childSessionId;
|
|
280
|
+
if (!p.sessionId)
|
|
281
|
+
next.sessionId = childSessionId;
|
|
282
|
+
parent.emit(forwardKey, next);
|
|
284
283
|
});
|
|
285
284
|
}
|
|
286
285
|
}
|
|
287
|
-
emitStreamPart(chunk,
|
|
286
|
+
emitStreamPart(chunk, ids) {
|
|
287
|
+
const ctx = typeof ids === "string" ? { subagentId: ids } : ids ?? {};
|
|
288
|
+
const subagentId = ctx.subagentId;
|
|
289
|
+
const sessionId = ctx.sessionId;
|
|
290
|
+
const messageId = ctx.messageId;
|
|
288
291
|
switch (chunk.type) {
|
|
289
292
|
case "text-delta":
|
|
290
|
-
this.emit("text-delta", {
|
|
293
|
+
this.emit("text-delta", {
|
|
294
|
+
text: chunk.text,
|
|
295
|
+
subagentId,
|
|
296
|
+
sessionId,
|
|
297
|
+
messageId,
|
|
298
|
+
partId: ctx.textPartId
|
|
299
|
+
});
|
|
291
300
|
break;
|
|
292
301
|
case "reasoning-start":
|
|
293
302
|
this.emit("reasoning-start", { subagentId });
|
|
@@ -302,14 +311,20 @@ class AgentEventBus {
|
|
|
302
311
|
this.emit("tool-call-start", {
|
|
303
312
|
toolCallId: chunk.id,
|
|
304
313
|
toolName: chunk.toolName,
|
|
305
|
-
subagentId
|
|
314
|
+
subagentId,
|
|
315
|
+
sessionId,
|
|
316
|
+
messageId,
|
|
317
|
+
partId: ctx.toolPartId?.(chunk.id)
|
|
306
318
|
});
|
|
307
319
|
break;
|
|
308
320
|
case "tool-input-delta":
|
|
309
321
|
this.emit("tool-call-delta", {
|
|
310
322
|
toolCallId: chunk.id,
|
|
311
323
|
argsTextDelta: chunk.delta,
|
|
312
|
-
subagentId
|
|
324
|
+
subagentId,
|
|
325
|
+
sessionId,
|
|
326
|
+
messageId,
|
|
327
|
+
partId: ctx.toolPartId?.(chunk.id)
|
|
313
328
|
});
|
|
314
329
|
break;
|
|
315
330
|
case "tool-call": {
|
|
@@ -318,7 +333,10 @@ class AgentEventBus {
|
|
|
318
333
|
toolCallId: tc.toolCallId,
|
|
319
334
|
toolName: tc.toolName,
|
|
320
335
|
args: tc.args ?? tc.input,
|
|
321
|
-
subagentId
|
|
336
|
+
subagentId,
|
|
337
|
+
sessionId,
|
|
338
|
+
messageId,
|
|
339
|
+
partId: ctx.toolPartId?.(tc.toolCallId)
|
|
322
340
|
});
|
|
323
341
|
break;
|
|
324
342
|
}
|
|
@@ -328,7 +346,10 @@ class AgentEventBus {
|
|
|
328
346
|
toolCallId: tr.toolCallId,
|
|
329
347
|
toolName: tr.toolName,
|
|
330
348
|
result: tr.result ?? tr.output,
|
|
331
|
-
subagentId
|
|
349
|
+
subagentId,
|
|
350
|
+
sessionId,
|
|
351
|
+
messageId,
|
|
352
|
+
partId: ctx.toolPartId?.(tr.toolCallId)
|
|
332
353
|
});
|
|
333
354
|
break;
|
|
334
355
|
}
|
|
@@ -477,6 +498,7 @@ You can upgrade manually by running:
|
|
|
477
498
|
// src/core/logger/index.ts
|
|
478
499
|
init_session();
|
|
479
500
|
init_structured();
|
|
501
|
+
init_structured();
|
|
480
502
|
import os from "node:os";
|
|
481
503
|
import path from "node:path";
|
|
482
504
|
var ERROR_LOG_PATH = path.join(os.homedir(), ".pensar", "error.log");
|
|
@@ -565,7 +587,7 @@ function attachCliAgentStreamListeners(bus) {
|
|
|
565
587
|
async function createInstrumentedBus(session) {
|
|
566
588
|
const bus = new AgentEventBus;
|
|
567
589
|
attachCliAgentStreamListeners(bus);
|
|
568
|
-
const { attachWandbToEventBus } = await import("./upload-
|
|
590
|
+
const { attachWandbToEventBus } = await import("./upload-pjr2zgys.js");
|
|
569
591
|
const wandbCleanup = await attachWandbToEventBus(session, bus).catch((e) => {
|
|
570
592
|
console.warn("[wandb] Tracing disabled:", e.message);
|
|
571
593
|
return null;
|
|
@@ -582,7 +604,7 @@ async function resolveCliHeaders() {
|
|
|
582
604
|
const { parseHeaderLine: parseHeaderLine2, parseHeadersFromFile, formatParseError: formatParseError2 } = await import("./parse-7djk9jyf.js");
|
|
583
605
|
const merged = {};
|
|
584
606
|
if (!noGlobal) {
|
|
585
|
-
const { config: appConfig } = await import("./index-
|
|
607
|
+
const { config: appConfig } = await import("./index-xzb9yxtf.js");
|
|
586
608
|
const cfg = await appConfig.get();
|
|
587
609
|
if (cfg.defaultHeaders) {
|
|
588
610
|
Object.assign(merged, cfg.defaultHeaders);
|
|
@@ -616,8 +638,8 @@ async function resolveCliModel() {
|
|
|
616
638
|
const explicit = getArg("--model");
|
|
617
639
|
if (explicit)
|
|
618
640
|
return explicit;
|
|
619
|
-
const { config: appConfig } = await import("./index-
|
|
620
|
-
const { getDefaultModelForConfig } = await import("./utils-
|
|
641
|
+
const { config: appConfig } = await import("./index-xzb9yxtf.js");
|
|
642
|
+
const { getDefaultModelForConfig } = await import("./utils-v0mj3yrn.js");
|
|
621
643
|
const pensarConfig = await appConfig.get();
|
|
622
644
|
const defaultModel = getDefaultModelForConfig(pensarConfig);
|
|
623
645
|
if (!defaultModel) {
|
|
@@ -671,6 +693,8 @@ pentest options:
|
|
|
671
693
|
--model <model> AI model (default: auto-selected from configured provider)
|
|
672
694
|
--extended-thinking Enable extended thinking for supported models
|
|
673
695
|
--task-driven Enable task-driven architecture (experimental)
|
|
696
|
+
--fast-strike Single-operator fast strike: skip attack-surface/swarm
|
|
697
|
+
phases, one tight recon\u2192exploit loop against the target
|
|
674
698
|
--prompt <text|@file> Guidance for the pentest agent (inline text or @filepath)
|
|
675
699
|
--threat-model <text|@file> Threat model to guide the pentest (inline or @filepath)
|
|
676
700
|
--header "Name: Value" Custom HTTP header (repeatable)
|
|
@@ -701,11 +725,11 @@ Global options:
|
|
|
701
725
|
`);
|
|
702
726
|
}
|
|
703
727
|
async function runPentest() {
|
|
704
|
-
const { config } = await import("./main-
|
|
728
|
+
const { config } = await import("./main-3d7dfdvs.js").then((m)=>__toESM(m.default,1));
|
|
705
729
|
config();
|
|
706
|
-
const { runPentestAgent } = await import("./blackboxPentest-
|
|
707
|
-
const { sessions: sessions2 } = await import("./index-
|
|
708
|
-
const { config: appConfig } = await import("./index-
|
|
730
|
+
const { runPentestAgent } = await import("./blackboxPentest-b1dqrv93.js");
|
|
731
|
+
const { sessions: sessions2 } = await import("./index-h6rxj451.js");
|
|
732
|
+
const { config: appConfig } = await import("./index-xzb9yxtf.js");
|
|
709
733
|
const target = getArgRequired("--target");
|
|
710
734
|
const cwd = getArg("--cwd");
|
|
711
735
|
const mode = getArg("--mode");
|
|
@@ -713,6 +737,7 @@ async function runPentest() {
|
|
|
713
737
|
const threatModelRaw = getArg("--threat-model");
|
|
714
738
|
const enableThinking = hasFlag("--extended-thinking");
|
|
715
739
|
const taskDriven = hasFlag("--task-driven");
|
|
740
|
+
const fastStrike = hasFlag("--fast-strike");
|
|
716
741
|
const resolvedTm = threatModelRaw ? resolveThreatModelPrompt(threatModelRaw) : undefined;
|
|
717
742
|
const resolvedPrompt = promptRaw ? resolveFlagValue(promptRaw) : undefined;
|
|
718
743
|
const prompt = combinePromptParts(resolvedTm, resolvedPrompt);
|
|
@@ -723,6 +748,9 @@ async function runPentest() {
|
|
|
723
748
|
if (modeWarning) {
|
|
724
749
|
console.warn(modeWarning);
|
|
725
750
|
}
|
|
751
|
+
if (taskDriven && fastStrike) {
|
|
752
|
+
console.warn("Warning: --task-driven has no effect with --fast-strike (task tools are excluded).");
|
|
753
|
+
}
|
|
726
754
|
const sep = "=".repeat(60);
|
|
727
755
|
console.log(`${sep}
|
|
728
756
|
PENTEST ORCHESTRATION
|
|
@@ -732,14 +760,15 @@ Cwd: ${cwd} (whitebox)` : ""}${exfilMode ? `
|
|
|
732
760
|
Mode: exfil` : ""}
|
|
733
761
|
Model: ${model}${enableThinking ? `
|
|
734
762
|
Thinking: enabled` : ""}${taskDriven ? `
|
|
735
|
-
Task-driven: enabled` : ""}${
|
|
763
|
+
Task-driven: enabled` : ""}${fastStrike ? `
|
|
764
|
+
Fast strike: enabled` : ""}${headers ? `
|
|
736
765
|
Headers: ${Object.keys(headers).length} configured` : ""}
|
|
737
766
|
`);
|
|
738
767
|
const session = await sessions2.create({
|
|
739
768
|
name: cwd ? "Whitebox Pentest" : "Blackbox Pentest",
|
|
740
769
|
targets: [target],
|
|
741
770
|
config: {
|
|
742
|
-
...cwd ? { cwd } : {},
|
|
771
|
+
...cwd ? { codebasePath: cwd } : {},
|
|
743
772
|
...exfilMode ? { exfilMode: true } : {},
|
|
744
773
|
...prompt ? { prompt } : {},
|
|
745
774
|
...taskDriven ? { taskDriven: true } : {},
|
|
@@ -755,6 +784,7 @@ Headers: ${Object.keys(headers).length} configured` : ""}
|
|
|
755
784
|
session,
|
|
756
785
|
model,
|
|
757
786
|
enableThinking,
|
|
787
|
+
...fastStrike ? { fastStrike: true } : {},
|
|
758
788
|
surfaceIntegrationEnabled: pensarConfig.surfaceIntegrationEnabled,
|
|
759
789
|
authConfig: buildAuthConfig(pensarConfig),
|
|
760
790
|
eventBus: pentestBus
|
|
@@ -773,11 +803,11 @@ Report: ${reportPath}` : ""}`);
|
|
|
773
803
|
process.exit(0);
|
|
774
804
|
}
|
|
775
805
|
async function runTargetedPentest() {
|
|
776
|
-
const { config } = await import("./main-
|
|
806
|
+
const { config } = await import("./main-3d7dfdvs.js").then((m)=>__toESM(m.default,1));
|
|
777
807
|
config();
|
|
778
|
-
const { runTargetedPentestAgent } = await import("./targetedPentest-
|
|
779
|
-
const { sessions: sessions2 } = await import("./index-
|
|
780
|
-
const { config: appConfig } = await import("./index-
|
|
808
|
+
const { runTargetedPentestAgent } = await import("./targetedPentest-m3ypnmfk.js");
|
|
809
|
+
const { sessions: sessions2 } = await import("./index-h6rxj451.js");
|
|
810
|
+
const { config: appConfig } = await import("./index-xzb9yxtf.js");
|
|
781
811
|
const target = getArgRequired("--target");
|
|
782
812
|
const objectives = getAllArgs("--objective");
|
|
783
813
|
const pensarConfig = await appConfig.get();
|
|
@@ -827,10 +857,10 @@ POCs: ${pocsPath}`);
|
|
|
827
857
|
process.exit(0);
|
|
828
858
|
}
|
|
829
859
|
async function runThreatModel() {
|
|
830
|
-
const { config } = await import("./main-
|
|
860
|
+
const { config } = await import("./main-3d7dfdvs.js").then((m)=>__toESM(m.default,1));
|
|
831
861
|
config();
|
|
832
|
-
const { runThreatModelWorkflow } = await import("./threatModel-
|
|
833
|
-
const { config: appConfig } = await import("./index-
|
|
862
|
+
const { runThreatModelWorkflow } = await import("./threatModel-p8khw8tr.js");
|
|
863
|
+
const { config: appConfig } = await import("./index-xzb9yxtf.js");
|
|
834
864
|
const path2 = await import("path");
|
|
835
865
|
const pensarConfig = await appConfig.get();
|
|
836
866
|
const model = await resolveCliModel();
|
|
@@ -864,16 +894,16 @@ ${sep}
|
|
|
864
894
|
Threat model written to: ${resolvedPath}`);
|
|
865
895
|
}
|
|
866
896
|
async function runOperator() {
|
|
867
|
-
const { config } = await import("./main-
|
|
897
|
+
const { config } = await import("./main-3d7dfdvs.js").then((m)=>__toESM(m.default,1));
|
|
868
898
|
config();
|
|
869
|
-
const { runOffensiveSecurityAgent } = await import("./offesecAgent-
|
|
870
|
-
const { sessions: sessions2, normalizeMessages, getResumeMessages } = await import("./index-
|
|
871
|
-
const { ALL_TOOL_NAMES, SKILL_TOOL_NAMES } = await import("./index-
|
|
872
|
-
const { config: appConfig } = await import("./index-
|
|
899
|
+
const { runOffensiveSecurityAgent } = await import("./offesecAgent-767xjskr.js");
|
|
900
|
+
const { sessions: sessions2, normalizeMessages, getResumeMessages } = await import("./index-h6rxj451.js");
|
|
901
|
+
const { ALL_TOOL_NAMES, SKILL_TOOL_NAMES } = await import("./index-m9djasp6.js");
|
|
902
|
+
const { config: appConfig } = await import("./index-xzb9yxtf.js");
|
|
873
903
|
const { createInterface } = await import("readline");
|
|
874
904
|
const { readFileSync: readFileSync2, existsSync } = await import("fs");
|
|
875
905
|
const path2 = await import("path");
|
|
876
|
-
const { stepCountIs } = await import("./index-
|
|
906
|
+
const { stepCountIs } = await import("./index-gq9h8j5j.js");
|
|
877
907
|
const promptRaw = getArg("-p") ?? getArg("--prompt");
|
|
878
908
|
if (!promptRaw) {
|
|
879
909
|
console.error("Error: -p <prompt> is required");
|
|
@@ -983,35 +1013,35 @@ if (hasFlag("-p") || command === "--prompt") {
|
|
|
983
1013
|
await runTargetedPentest();
|
|
984
1014
|
} else if (command === "login" || command === "auth") {
|
|
985
1015
|
process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
|
|
986
|
-
await import("./auth-
|
|
1016
|
+
await import("./auth-cm0s3an4.js");
|
|
987
1017
|
} else if (command === "uninstall") {
|
|
988
1018
|
process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
|
|
989
|
-
await import("./uninstall-
|
|
1019
|
+
await import("./uninstall-acg2vcpm.js");
|
|
990
1020
|
} else if (command === "apps") {
|
|
991
1021
|
process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
|
|
992
|
-
await import("./apps-
|
|
1022
|
+
await import("./apps-c4rdprzp.js");
|
|
993
1023
|
} else if (command === "pentests") {
|
|
994
1024
|
process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
|
|
995
|
-
await import("./pentests-
|
|
1025
|
+
await import("./pentests-7zy73b60.js");
|
|
996
1026
|
} else if (command === "targets") {
|
|
997
1027
|
process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
|
|
998
|
-
await import("./targets-
|
|
1028
|
+
await import("./targets-nay3vmqy.js");
|
|
999
1029
|
} else if (command === "issues") {
|
|
1000
1030
|
process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
|
|
1001
|
-
await import("./issues-
|
|
1031
|
+
await import("./issues-35784nvy.js");
|
|
1002
1032
|
} else if (command === "fixes") {
|
|
1003
1033
|
process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
|
|
1004
|
-
await import("./fixes-
|
|
1034
|
+
await import("./fixes-kza6ej38.js");
|
|
1005
1035
|
} else if (command === "logs") {
|
|
1006
1036
|
process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
|
|
1007
|
-
await import("./logs-
|
|
1037
|
+
await import("./logs-14xzc32f.js");
|
|
1008
1038
|
} else if (command === "config") {
|
|
1009
1039
|
process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
|
|
1010
|
-
await import("./config-
|
|
1040
|
+
await import("./config-6hkn23py.js");
|
|
1011
1041
|
} else if (command === "threat-model") {
|
|
1012
1042
|
await runThreatModel();
|
|
1013
1043
|
} else if (command === "doctor") {
|
|
1014
|
-
const { runDoctor } = await import("./doctor-
|
|
1044
|
+
const { runDoctor } = await import("./doctor-0prby1f0.js");
|
|
1015
1045
|
await runDoctor();
|
|
1016
1046
|
} else if (args.length === 0) {
|
|
1017
1047
|
if (process.env.PENSAR_NO_TUI === "1") {
|
|
@@ -1019,7 +1049,7 @@ if (hasFlag("-p") || command === "--prompt") {
|
|
|
1019
1049
|
console.error("All other commands work with Node \u2014 run 'pensar --help'.");
|
|
1020
1050
|
process.exit(1);
|
|
1021
1051
|
}
|
|
1022
|
-
await import("./index-
|
|
1052
|
+
await import("./index-vjh370rj.js");
|
|
1023
1053
|
} else {
|
|
1024
1054
|
console.error(`Error: Unknown command '${command}'`);
|
|
1025
1055
|
console.error();
|
|
@@ -11,9 +11,9 @@ import {
|
|
|
11
11
|
import {
|
|
12
12
|
config,
|
|
13
13
|
init_config
|
|
14
|
-
} from "./cli-
|
|
15
|
-
import"./cli-
|
|
16
|
-
import"./cli-
|
|
14
|
+
} from "./cli-7bzzjw1f.js";
|
|
15
|
+
import"./cli-bp7f8nyk.js";
|
|
16
|
+
import"./cli-f5javz2k.js";
|
|
17
17
|
import"./cli-8rxa073f.js";
|
|
18
18
|
|
|
19
19
|
// src/cli/config.ts
|
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
import {
|
|
2
2
|
toolExists
|
|
3
|
-
} from "./cli-
|
|
4
|
-
import"./cli-
|
|
5
|
-
import"./cli-
|
|
6
|
-
import"./cli-
|
|
3
|
+
} from "./cli-35rkgbhd.js";
|
|
4
|
+
import"./cli-d28z7z1b.js";
|
|
5
|
+
import"./cli-0kg01x44.js";
|
|
6
|
+
import"./cli-3k1x5rn3.js";
|
|
7
7
|
import"./cli-gpnb45ck.js";
|
|
8
|
-
import"./cli-
|
|
9
|
-
import"./cli-
|
|
10
|
-
import"./cli-
|
|
8
|
+
import"./cli-7bzzjw1f.js";
|
|
9
|
+
import"./cli-bp7f8nyk.js";
|
|
10
|
+
import"./cli-f5javz2k.js";
|
|
11
11
|
import"./cli-8rxa073f.js";
|
|
12
12
|
|
|
13
13
|
// src/core/doctor.ts
|
|
@@ -0,0 +1,156 @@
|
|
|
1
|
+
import {
|
|
2
|
+
REPORT_FILENAME_JSON,
|
|
3
|
+
REPORT_FILENAME_MD,
|
|
4
|
+
buildPentestReport,
|
|
5
|
+
renderJson,
|
|
6
|
+
renderMarkdown
|
|
7
|
+
} from "./cli-sekg25pa.js";
|
|
8
|
+
import"./cli-9fsre5pt.js";
|
|
9
|
+
import"./cli-7g8n2kkk.js";
|
|
10
|
+
import {
|
|
11
|
+
FindingsRegistry,
|
|
12
|
+
OffensiveSecurityAgent
|
|
13
|
+
} from "./cli-w5vt3svr.js";
|
|
14
|
+
import"./cli-35rkgbhd.js";
|
|
15
|
+
import {
|
|
16
|
+
createThreatModelPrompt
|
|
17
|
+
} from "./cli-fw5r7pfj.js";
|
|
18
|
+
import"./cli-c8131c4q.js";
|
|
19
|
+
import"./cli-d28z7z1b.js";
|
|
20
|
+
import"./cli-0kg01x44.js";
|
|
21
|
+
import {
|
|
22
|
+
exports_external,
|
|
23
|
+
init_zod
|
|
24
|
+
} from "./cli-3k1x5rn3.js";
|
|
25
|
+
import"./cli-gpnb45ck.js";
|
|
26
|
+
import"./cli-7bzzjw1f.js";
|
|
27
|
+
import"./cli-bp7f8nyk.js";
|
|
28
|
+
import"./cli-f5javz2k.js";
|
|
29
|
+
import"./cli-8rxa073f.js";
|
|
30
|
+
|
|
31
|
+
// src/core/workflows/fastStrike.ts
|
|
32
|
+
init_zod();
|
|
33
|
+
import { writeFileSync } from "node:fs";
|
|
34
|
+
import { join } from "node:path";
|
|
35
|
+
var FastStrikeResult = exports_external.object({
|
|
36
|
+
solved: exports_external.boolean().describe("True if the objective was achieved — a vulnerability was confirmed and, where applicable, the flag or sensitive data was extracted."),
|
|
37
|
+
summary: exports_external.string().describe("Concise account of the vulnerability exploited, the exact steps that worked, and any flag or sensitive data recovered.")
|
|
38
|
+
});
|
|
39
|
+
var FAST_STRIKE_SYSTEM_PROMPT = `You are an elite offensive security operator running a fast strike against a single target. You work ALONE and finish the job yourself — there is no team to hand off to, no swarm to spawn, no plan to file. Your edge is discipline and observation, not volume.
|
|
40
|
+
|
|
41
|
+
Run this loop, tightly:
|
|
42
|
+
|
|
43
|
+
1. OBSERVE — Read every response for signal before you act. Note the stack, headers, cookies, tokens, form fields, error messages, redirects, disabled controls, ID patterns. State what you just learned in one line before the next move.
|
|
44
|
+
2. HYPOTHESIZE — From that signal and your deep knowledge of web/app vulnerability classes, name the single most likely vulnerability and why the evidence points to it. Rank leads by signal strength and go for the strongest first. A disabled form field, an ID in a URL or JWT, advertised demo creds, an exposed schema — these are tells; read them.
|
|
45
|
+
3. ACT — Test that one hypothesis with the minimum number of commands. Every tool call should exist to confirm or kill a specific hypothesis.
|
|
46
|
+
4. PRUNE — If the evidence disproves a lead, drop it and move to the next-strongest. Do NOT re-run a disproven approach or grind a dead end. Do NOT enumerate, brute-force, or run wordlists unless a specific signal demands it — choose techniques from evidence, not from a checklist.
|
|
47
|
+
5. EXPLOIT — When a vulnerability is confirmed, exploit it: capture the flag, extract the sensitive data, and pivot through it if the objective requires more. Multi-step objectives are yours to finish end to end — foothold, then privesc, then the goal.
|
|
48
|
+
6. DOCUMENT & FINISH — Record each confirmed vulnerability with the document_vulnerability tool as you go. When the objective is met (or every credible lead is exhausted), call the response tool with your result.
|
|
49
|
+
|
|
50
|
+
Rules:
|
|
51
|
+
- You are one operator. Plan in your head and in short text notes — never via planning tools, task lists, or sub-agents.
|
|
52
|
+
- Recon and exploitation are the same loop. Do just enough recon to form the first hypothesis, then start testing. Do not map the entire surface before acting.
|
|
53
|
+
- Bias toward the shortest path that proves impact. Speed comes from picking the right lead, not from skipping verification — always confirm a finding before you claim it.
|
|
54
|
+
- Stay in scope. Only touch the target you were given and hosts it legitimately depends on.`;
|
|
55
|
+
async function runFastStrike(input) {
|
|
56
|
+
const {
|
|
57
|
+
target,
|
|
58
|
+
cwd,
|
|
59
|
+
model,
|
|
60
|
+
session,
|
|
61
|
+
authConfig,
|
|
62
|
+
abortSignal,
|
|
63
|
+
eventBus,
|
|
64
|
+
onStepFinish,
|
|
65
|
+
enableThinking,
|
|
66
|
+
openAIReasoningEffort,
|
|
67
|
+
prompt,
|
|
68
|
+
threatModel
|
|
69
|
+
} = input;
|
|
70
|
+
if (cwd) {
|
|
71
|
+
if (!session.config) {
|
|
72
|
+
session.config = {};
|
|
73
|
+
}
|
|
74
|
+
session.config.codebasePath ??= cwd;
|
|
75
|
+
}
|
|
76
|
+
if (prompt || threatModel) {
|
|
77
|
+
const parts = [];
|
|
78
|
+
if (threatModel)
|
|
79
|
+
parts.push(createThreatModelPrompt(threatModel));
|
|
80
|
+
if (prompt)
|
|
81
|
+
parts.push(prompt);
|
|
82
|
+
const combined = parts.join(`
|
|
83
|
+
|
|
84
|
+
`);
|
|
85
|
+
if (!session.config) {
|
|
86
|
+
session.config = {};
|
|
87
|
+
}
|
|
88
|
+
session.config.prompt = session.config?.prompt ? `${session.config?.prompt}
|
|
89
|
+
|
|
90
|
+
${combined}` : combined;
|
|
91
|
+
}
|
|
92
|
+
const operatorGuidance = session.config?.prompt;
|
|
93
|
+
const mode = cwd ? "whitebox" : "blackbox";
|
|
94
|
+
eventBus?.emit("workflow-phase-start", {
|
|
95
|
+
phase: "pentesting",
|
|
96
|
+
label: "Fast Strike",
|
|
97
|
+
metadata: { target }
|
|
98
|
+
});
|
|
99
|
+
const findingsRegistry = FindingsRegistry.fromDirectory(session.findingsPath, { model, authConfig, abortSignal });
|
|
100
|
+
const promptParts = [`Target: ${target}`];
|
|
101
|
+
if (operatorGuidance)
|
|
102
|
+
promptParts.push(operatorGuidance);
|
|
103
|
+
promptParts.push("Run the fast strike: find and exploit the vulnerability, complete the objective, and report what worked.");
|
|
104
|
+
const agent = new OffensiveSecurityAgent({
|
|
105
|
+
system: FAST_STRIKE_SYSTEM_PROMPT,
|
|
106
|
+
prompt: promptParts.join(`
|
|
107
|
+
|
|
108
|
+
`),
|
|
109
|
+
model,
|
|
110
|
+
session,
|
|
111
|
+
target,
|
|
112
|
+
mode: "fast-strike",
|
|
113
|
+
activeTools: [],
|
|
114
|
+
responseSchema: FastStrikeResult,
|
|
115
|
+
findingsRegistry,
|
|
116
|
+
subagentId: "fast-strike",
|
|
117
|
+
authConfig,
|
|
118
|
+
abortSignal,
|
|
119
|
+
eventBus,
|
|
120
|
+
onStepFinish,
|
|
121
|
+
enableThinking,
|
|
122
|
+
openAIReasoningEffort
|
|
123
|
+
});
|
|
124
|
+
const strikeResult = await agent.consume();
|
|
125
|
+
if (abortSignal?.aborted) {
|
|
126
|
+
throw new DOMException("Pentest aborted by user", "AbortError");
|
|
127
|
+
}
|
|
128
|
+
await findingsRegistry.groupByRootCause();
|
|
129
|
+
const findings = [...findingsRegistry.getFindings()];
|
|
130
|
+
const report = buildPentestReport(findings, {
|
|
131
|
+
target,
|
|
132
|
+
model,
|
|
133
|
+
sessionId: session.id,
|
|
134
|
+
mode
|
|
135
|
+
});
|
|
136
|
+
const mdPath = join(session.rootPath, REPORT_FILENAME_MD);
|
|
137
|
+
const jsonPath = join(session.rootPath, REPORT_FILENAME_JSON);
|
|
138
|
+
writeFileSync(mdPath, renderMarkdown(report));
|
|
139
|
+
writeFileSync(jsonPath, renderJson(report));
|
|
140
|
+
eventBus?.emit("workflow-phase-complete", {
|
|
141
|
+
phase: "pentesting",
|
|
142
|
+
summary: {
|
|
143
|
+
findingsCount: findings.length,
|
|
144
|
+
...strikeResult ? { solved: strikeResult.solved, operatorSummary: strikeResult.summary } : {}
|
|
145
|
+
}
|
|
146
|
+
});
|
|
147
|
+
return {
|
|
148
|
+
findings,
|
|
149
|
+
findingsPath: session.findingsPath,
|
|
150
|
+
pocsPath: session.pocsPath,
|
|
151
|
+
reportPath: mdPath
|
|
152
|
+
};
|
|
153
|
+
}
|
|
154
|
+
export {
|
|
155
|
+
runFastStrike
|
|
156
|
+
};
|
|
@@ -2,26 +2,27 @@
|
|
|
2
2
|
import {
|
|
3
3
|
getFix,
|
|
4
4
|
listFixes
|
|
5
|
-
} from "./cli-
|
|
6
|
-
import"./cli-
|
|
7
|
-
import"./cli-
|
|
8
|
-
import"./cli-
|
|
9
|
-
import"./cli-
|
|
10
|
-
import"./cli-
|
|
11
|
-
import"./cli-
|
|
5
|
+
} from "./cli-db434rd0.js";
|
|
6
|
+
import"./cli-y4csaqh2.js";
|
|
7
|
+
import"./cli-qdvef4qc.js";
|
|
8
|
+
import"./cli-sekg25pa.js";
|
|
9
|
+
import"./cli-8256tzw9.js";
|
|
10
|
+
import"./cli-wdahap6k.js";
|
|
11
|
+
import"./cli-nn5rxhvz.js";
|
|
12
|
+
import"./cli-nfnfwfcn.js";
|
|
12
13
|
import"./cli-9fsre5pt.js";
|
|
13
|
-
import"./cli-
|
|
14
|
-
import"./cli-
|
|
15
|
-
import"./cli-
|
|
14
|
+
import"./cli-7g8n2kkk.js";
|
|
15
|
+
import"./cli-w5vt3svr.js";
|
|
16
|
+
import"./cli-35rkgbhd.js";
|
|
16
17
|
import"./cli-fw5r7pfj.js";
|
|
17
18
|
import"./cli-c8131c4q.js";
|
|
18
|
-
import"./cli-
|
|
19
|
-
import"./cli-
|
|
20
|
-
import"./cli-
|
|
19
|
+
import"./cli-d28z7z1b.js";
|
|
20
|
+
import"./cli-0kg01x44.js";
|
|
21
|
+
import"./cli-3k1x5rn3.js";
|
|
21
22
|
import"./cli-gpnb45ck.js";
|
|
22
|
-
import"./cli-
|
|
23
|
-
import"./cli-
|
|
24
|
-
import"./cli-
|
|
23
|
+
import"./cli-7bzzjw1f.js";
|
|
24
|
+
import"./cli-bp7f8nyk.js";
|
|
25
|
+
import"./cli-f5javz2k.js";
|
|
25
26
|
import"./cli-8rxa073f.js";
|
|
26
27
|
|
|
27
28
|
// src/cli/fixes.ts
|