@pensar/apex 2.1.2 → 2.1.3-canary.15e34bf1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (55) hide show
  1. package/build/agent-3ktj43z9.js +19 -0
  2. package/build/{agent-vdrtakz4.js → agent-3s7c1qrd.js} +10 -10
  3. package/build/{agent-737mxp3v.js → agent-v3d0ssgy.js} +8 -8
  4. package/build/{apps-j0bwey0w.js → apps-rk071a9p.js} +16 -16
  5. package/build/{auth-5stxpmga.js → auth-cnc8b1tj.js} +16 -16
  6. package/build/authentication-hrwp9bw8.js +19 -0
  7. package/build/blackboxAgent-fzp5cyvr.js +19 -0
  8. package/build/{blackboxPentest-2edr9rj3.js → blackboxPentest-b6cpqtkh.js} +14 -14
  9. package/build/{cli-9vzc18m5.js → cli-1kgqgq0a.js} +30 -17
  10. package/build/{cli-f7d23ded.js → cli-29yqhrjq.js} +936 -1775
  11. package/build/{cli-0gk2x2sc.js → cli-2zbvtnrx.js} +16 -18
  12. package/build/{cli-gbkj2has.js → cli-49kwknjj.js} +3 -3
  13. package/build/{cli-35czfv00.js → cli-4xz6rqg5.js} +70821 -79369
  14. package/build/{cli-ks60cc3h.js → cli-7y6dwmn8.js} +30 -30
  15. package/build/{cli-whtdyc0e.js → cli-84pr5q33.js} +4 -4
  16. package/build/{cli-dqkdnd3c.js → cli-8vaa0frx.js} +88 -49
  17. package/build/{cli-jd0c0b91.js → cli-9m9d9vtm.js} +1 -1
  18. package/build/{cli-hj3t87r2.js → cli-dh7tfkre.js} +1 -1
  19. package/build/{cli-6vs0mtsb.js → cli-eh6nrt6s.js} +2 -2
  20. package/build/{cli-9z6vwf30.js → cli-h7w8nj1x.js} +1 -1
  21. package/build/{cli-v1aqbv58.js → cli-nm2jskqg.js} +25040 -26995
  22. package/build/{cli-6wwpk9d9.js → cli-r5n86ej6.js} +1 -1
  23. package/build/{cli-xnnkeg5p.js → cli-td2vwxvv.js} +1 -1
  24. package/build/{cli-yjbkaqvy.js → cli-xe08y0nv.js} +43 -13
  25. package/build/{cli-tw3fe8bj.js → cli-yqtxtvg8.js} +2 -2
  26. package/build/cli.js +109 -88
  27. package/build/{config-s5ryv5ez.js → config-nvgzsffk.js} +3 -3
  28. package/build/{doctor-f08gegwc.js → doctor-785qvedj.js} +7 -7
  29. package/build/{fixes-qf4s92z2.js → fixes-xhr8ghx7.js} +16 -16
  30. package/build/{index-s8gw83d6.js → index-2edcw64j.js} +17 -11
  31. package/build/{index-sqjve2bm.js → index-e9rxwzqv.js} +2 -2
  32. package/build/{index-gakk2t5q.js → index-kx3w10s2.js} +18 -18
  33. package/build/{index-mgng15va.js → index-n1yh9e86.js} +909 -456
  34. package/build/{index-exvkbve0.js → index-ng1a7q8g.js} +4 -4
  35. package/build/{index-x4xefngs.js → index-qcf9f2n7.js} +3 -3
  36. package/build/{index-5h1hjhzw.js → index-y5bdx5j1.js} +10 -10
  37. package/build/{index-c6qz0gve.js → index-z35ctxx8.js} +7 -7
  38. package/build/{issues-5anqrh2j.js → issues-jwfdctks.js} +16 -16
  39. package/build/{logs-q6ankt6m.js → logs-8h7pwx7s.js} +16 -16
  40. package/build/{main-3zneyg7p.js → main-3d7dfdvs.js} +17 -93
  41. package/build/{offesecAgent-hsej0pfc.js → offesecAgent-yxaxnxwk.js} +9 -9
  42. package/build/pentest-a87kxj2v.js +28 -0
  43. package/build/{pentests-hyx3c3qa.js → pentests-6nhr9rdv.js} +16 -16
  44. package/build/{targetedPentest-ws0a7frk.js → targetedPentest-jyzcm9cx.js} +18 -11
  45. package/build/{targets-9cqrshet.js → targets-wbxhcpb8.js} +16 -16
  46. package/build/threatModel-0qpzh1jb.js +26 -0
  47. package/build/{uninstall-1j469qj7.js → uninstall-57tdyecc.js} +1 -1
  48. package/build/{upload-ymvhkyq5.js → upload-tvad5wre.js} +7 -7
  49. package/build/{utils-d1ed6jzf.js → utils-e14mz7h9.js} +6 -6
  50. package/package.json +30 -30
  51. package/build/agent-8w9h3tnw.js +0 -19
  52. package/build/authentication-qswvctj4.js +0 -19
  53. package/build/blackboxAgent-vwm9t3h4.js +0 -19
  54. package/build/pentest-1e30q7rs.js +0 -28
  55. package/build/threatModel-z9b213x8.js +0 -26
@@ -1,9 +1,9 @@
1
1
  import {
2
2
  OffensiveSecurityAgent
3
- } from "./cli-35czfv00.js";
3
+ } from "./cli-4xz6rqg5.js";
4
4
  import {
5
5
  detectOSAndEnhancePrompt
6
- } from "./cli-6wwpk9d9.js";
6
+ } from "./cli-r5n86ej6.js";
7
7
  import {
8
8
  createLogger,
9
9
  hasToolCall,
@@ -11,7 +11,7 @@ import {
11
11
  init_lazyLogger,
12
12
  init_structured,
13
13
  scopedLogger
14
- } from "./cli-v1aqbv58.js";
14
+ } from "./cli-nm2jskqg.js";
15
15
 
16
16
  // src/core/agents/specialized/authenticationAgent/agent.ts
17
17
  init_dist();
@@ -37,9 +37,9 @@ Obtain valid credentials/sessions that other agents can use for authenticated te
37
37
  # Available Tools
38
38
 
39
39
  ## API Authentication
40
- - \`authenticate_session\` — Submit credentials via form POST, JSON POST, or HTTP Basic auth.
41
- Params: loginUrl, username, password, method (form_post|json_post|basic_auth), usernameField, passwordField, additionalFields.
42
- - \`execute_command\` — Run curl or other shell commands for custom/complex API auth flows.
40
+ - \`execute_command\` — Run curl (or other shell commands) to submit credentials via form POST,
41
+ JSON POST, or HTTP Basic auth, and to capture the Set-Cookie / token response. Use this for all
42
+ custom and complex API auth flows.
43
43
 
44
44
  ## Browser Authentication
45
45
  - \`browser_navigate\` — Navigate to login page
@@ -77,11 +77,11 @@ Look for:
77
77
  ## Step 2: Authenticate
78
78
 
79
79
  ### API path (use when target is an API or has a simple form):
80
- 1. Call \`authenticate_session\` with the correct method and credentials.
81
- - \`form_post\` for HTML forms
82
- - \`json_post\` for JSON APIs
83
- - \`basic_auth\` for HTTP Basic
84
- 2. Check the response — if authenticated is true, you have a session cookie.
80
+ 1. Use \`execute_command\` with curl to submit the credentials, matching the target's scheme:
81
+ - \`curl -i -d 'username=...&password=...' <loginUrl>\` for HTML form POST
82
+ - \`curl -i -H 'Content-Type: application/json' -d '{"username":"...","password":"..."}' <loginUrl>\` for JSON APIs
83
+ - \`curl -i -u '<user>:<pass>' <url>\` for HTTP Basic
84
+ 2. Inspect the response (\`-i\` shows headers) capture any \`Set-Cookie\` value or token to use as the session credential.
85
85
 
86
86
  ### Browser path (use for SPAs, OAuth, JS-rendered forms):
87
87
  1. \`browser_navigate\` to the login URL
@@ -113,7 +113,7 @@ If both API and browser approaches fail, use \`delegate_to_auth_subagent\` for c
113
113
  **First**, call \`complete_authentication\` with:
114
114
  - \`success\`: whether auth succeeded
115
115
  - \`summary\`: what happened and what credentials/cookies were obtained
116
- - \`exportedCookies\`: the cookie string for downstream HTTP requests (from browser_get_cookies cookieHeader or authenticate_session response)
116
+ - \`exportedCookies\`: the cookie string for downstream HTTP requests (from browser_get_cookies cookieHeader or the Set-Cookie header in the curl response)
117
117
  - \`exportedHeaders\`: auth headers map, e.g. {"Authorization": "Bearer <token>"} (from browser_evaluate localStorage tokens or API response)
118
118
  - \`strategy\`: method used ("browser", "form_post", "json_post", "basic_auth", "bearer")
119
119
  - \`authBarrier\`: if a barrier was encountered (captcha, mfa, etc.)
@@ -199,7 +199,6 @@ class AuthenticationAgent extends OffensiveSecurityAgent {
199
199
  toolChoice: "auto",
200
200
  activeTools: [
201
201
  "execute_command",
202
- "authenticate_session",
203
202
  "complete_authentication",
204
203
  "browser_navigate",
205
204
  "browser_snapshot",
@@ -294,17 +293,16 @@ function buildAuthPrompt(target, authHints, credentialManager, context) {
294
293
  if (credBlock) {
295
294
  parts.push(`INSTRUCTIONS:
296
295
  You have credentials available via credential IDs — authenticate immediately.
297
- 1. Try authenticate_session first (pass the credentialId secrets are resolved automatically)
298
- 2. If authenticate_session fails, use browser tools. For browser_fill on password/secret fields,
296
+ 1. For API/form logins, use execute_command (curl) to submit credentials and capture the Set-Cookie / token response
297
+ 2. For browser-based logins, use the browser tools. For browser_fill on password/secret fields,
299
298
  pass credentialId + credentialField (e.g. credentialField="password") instead of the raw value —
300
299
  the secret is resolved securely at execution time. NEVER type a password directly.
301
300
  3. Call complete_authentication with exported cookies/headers to persist credentials and end the run`);
302
301
  } else {
303
302
  parts.push(`INSTRUCTIONS:
304
303
  1. Probe the target with execute_command (curl) to determine the auth mechanism
305
- 2. Attempt authentication with authenticate_session or the browser tools
306
- 3. If that fails, try delegate_to_auth_subagent as a fallback
307
- 4. Call complete_authentication with exported cookies/headers to persist credentials and end the run`);
304
+ 2. Attempt authentication with execute_command (curl) or the browser tools
305
+ 3. Call complete_authentication with exported cookies/headers to persist credentials and end the run`);
308
306
  }
309
307
  return parts.join(`
310
308
  `);
@@ -1,15 +1,15 @@
1
1
  import {
2
2
  OffensiveSecurityAgent
3
- } from "./cli-35czfv00.js";
3
+ } from "./cli-4xz6rqg5.js";
4
4
  import {
5
5
  hasToolCall,
6
6
  init_dist
7
- } from "./cli-v1aqbv58.js";
7
+ } from "./cli-nm2jskqg.js";
8
8
  import {
9
9
  exports_external,
10
10
  init_zod,
11
11
  tool
12
- } from "./cli-f7d23ded.js";
12
+ } from "./cli-29yqhrjq.js";
13
13
 
14
14
  // src/core/agents/specialized/whiteboxAttackSurface/agent.ts
15
15
  init_dist();