@pensar/apex 2.1.3-canary.06f4c3eb → 2.1.3-canary.082299eb

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (58) hide show
  1. package/build/{agent-ts46he50.js → agent-25rra8mk.js} +9 -8
  2. package/build/agent-qa4kk7v1.js +27 -0
  3. package/build/agent-xpddb5yz.js +19 -0
  4. package/build/{apps-6egm0mw2.js → apps-c4rdprzp.js} +17 -16
  5. package/build/{auth-qd4f8hgn.js → auth-cm0s3an4.js} +17 -16
  6. package/build/authentication-k8303p1y.js +19 -0
  7. package/build/blackboxAgent-8mpqbggt.js +19 -0
  8. package/build/{blackboxPentest-fe56bfc1.js → blackboxPentest-b1dqrv93.js} +15 -14
  9. package/build/{cli-80sehbtt.js → cli-0kg01x44.js} +1 -1
  10. package/build/{cli-sganpfnr.js → cli-35rkgbhd.js} +1 -1
  11. package/build/{cli-29yqhrjq.js → cli-3k1x5rn3.js} +1 -1
  12. package/build/{cli-pgsqvjqw.js → cli-7bzzjw1f.js} +1 -1
  13. package/build/{cli-r2z98y59.js → cli-7g8n2kkk.js} +2 -2
  14. package/build/{cli-952bzt8m.js → cli-8256tzw9.js} +64 -18
  15. package/build/{cli-tt8k9pka.js → cli-bh3e0th8.js} +1 -1
  16. package/build/{cli-h28cfavt.js → cli-bp7f8nyk.js} +1 -1
  17. package/build/{cli-ja43jscc.js → cli-d28z7z1b.js} +6284 -516
  18. package/build/{cli-jn2sxf89.js → cli-db434rd0.js} +5 -5
  19. package/build/{cli-5vvb8cby.js → cli-f5javz2k.js} +1 -1
  20. package/build/{cli-adgyv55h.js → cli-nfnfwfcn.js} +5 -3
  21. package/build/{cli-mt0f9tte.js → cli-nn5rxhvz.js} +4 -2
  22. package/build/{cli-8p3trjtv.js → cli-qdvef4qc.js} +6 -4
  23. package/build/cli-sekg25pa.js +195 -0
  24. package/build/{cli-99a9aq3w.js → cli-w5vt3svr.js} +4545 -4108
  25. package/build/{cli-epra15kv.js → cli-wdahap6k.js} +18 -18
  26. package/build/{cli-gta3gsva.js → cli-y4csaqh2.js} +53 -204
  27. package/build/cli.js +87 -57
  28. package/build/{config-vw2z82v6.js → config-6hkn23py.js} +3 -3
  29. package/build/{doctor-7r8hgya4.js → doctor-0prby1f0.js} +7 -7
  30. package/build/fastStrike-qts85kag.js +156 -0
  31. package/build/{fixes-r8f01knx.js → fixes-kza6ej38.js} +17 -16
  32. package/build/{index-9njkp18t.js → index-6r19ej49.js} +3 -3
  33. package/build/{index-rf5j27d4.js → index-7y1pwazv.js} +4 -4
  34. package/build/{index-n1yh9e86.js → index-gq9h8j5j.js} +1 -1
  35. package/build/{index-syzey1rc.js → index-h6rxj451.js} +7 -7
  36. package/build/{index-0xxbqssd.js → index-m9djasp6.js} +19 -11
  37. package/build/{index-a2tc7bxh.js → index-vjh370rj.js} +23 -19
  38. package/build/{index-8571kb3t.js → index-vk0czqw7.js} +10 -10
  39. package/build/{index-mby0pdzs.js → index-xzb9yxtf.js} +2 -2
  40. package/build/{issues-9743wnvm.js → issues-35784nvy.js} +17 -16
  41. package/build/{logs-p3z7vg6z.js → logs-14xzc32f.js} +17 -16
  42. package/build/{offesecAgent-1rq9r9bd.js → offesecAgent-767xjskr.js} +9 -9
  43. package/build/pentest-hf3hejjq.js +29 -0
  44. package/build/{pentests-4hd2gzns.js → pentests-7zy73b60.js} +17 -16
  45. package/build/targetedPentest-m3ypnmfk.js +44 -0
  46. package/build/{targets-6ge81tt0.js → targets-nay3vmqy.js} +17 -16
  47. package/build/threatModel-p8khw8tr.js +27 -0
  48. package/build/{uninstall-gvb6d633.js → uninstall-acg2vcpm.js} +1 -1
  49. package/build/{upload-7t35h330.js → upload-pjr2zgys.js} +7 -7
  50. package/build/{utils-tss3j3eb.js → utils-v0mj3yrn.js} +6 -6
  51. package/package.json +1 -1
  52. package/build/agent-sn33s7wa.js +0 -25
  53. package/build/agent-y9a30306.js +0 -19
  54. package/build/authentication-jrgrm5xj.js +0 -19
  55. package/build/blackboxAgent-dtv2q4q1.js +0 -19
  56. package/build/pentest-48z4y1kj.js +0 -28
  57. package/build/targetedPentest-kdxkpwmh.js +0 -36
  58. package/build/threatModel-ydyxbxvk.js +0 -26
@@ -1,23 +1,23 @@
1
1
  import {
2
2
  OffensiveSecurityAgent
3
- } from "./cli-99a9aq3w.js";
3
+ } from "./cli-w5vt3svr.js";
4
4
  import {
5
5
  detectOSAndEnhancePrompt
6
- } from "./cli-sganpfnr.js";
6
+ } from "./cli-35rkgbhd.js";
7
7
  import"./cli-c8131c4q.js";
8
8
  import {
9
9
  init_dist,
10
10
  stepCountIs
11
- } from "./cli-ja43jscc.js";
12
- import"./cli-80sehbtt.js";
11
+ } from "./cli-d28z7z1b.js";
12
+ import"./cli-0kg01x44.js";
13
13
  import {
14
14
  exports_external,
15
15
  init_zod
16
- } from "./cli-29yqhrjq.js";
16
+ } from "./cli-3k1x5rn3.js";
17
17
  import"./cli-gpnb45ck.js";
18
- import"./cli-pgsqvjqw.js";
19
- import"./cli-h28cfavt.js";
20
- import"./cli-5vvb8cby.js";
18
+ import"./cli-7bzzjw1f.js";
19
+ import"./cli-bp7f8nyk.js";
20
+ import"./cli-f5javz2k.js";
21
21
  import"./cli-8rxa073f.js";
22
22
 
23
23
  // src/core/agents/specialized/findingJudge/agent.ts
@@ -207,6 +207,7 @@ class FindingJudgeAgent extends OffensiveSecurityAgent {
207
207
  eventBus: opts.eventBus,
208
208
  sandbox: opts.sandbox,
209
209
  enableThinking: opts.enableThinking,
210
+ thinkingEffort: opts.thinkingEffort,
210
211
  openAIReasoningEffort: opts.openAIReasoningEffort,
211
212
  subagentId: opts.subagentId ?? "finding-judge",
212
213
  activeTools: [...FINDING_JUDGE_ACTIVE_TOOLS],
@@ -0,0 +1,27 @@
1
+ import {
2
+ PentestResponseSchema,
3
+ TargetedPentestAgent,
4
+ buildPentestActiveTools,
5
+ buildPentestPrompt,
6
+ buildPentestSystemPrompt
7
+ } from "./cli-8256tzw9.js";
8
+ import"./cli-9fsre5pt.js";
9
+ import"./cli-7g8n2kkk.js";
10
+ import"./cli-w5vt3svr.js";
11
+ import"./cli-35rkgbhd.js";
12
+ import"./cli-c8131c4q.js";
13
+ import"./cli-d28z7z1b.js";
14
+ import"./cli-0kg01x44.js";
15
+ import"./cli-3k1x5rn3.js";
16
+ import"./cli-gpnb45ck.js";
17
+ import"./cli-7bzzjw1f.js";
18
+ import"./cli-bp7f8nyk.js";
19
+ import"./cli-f5javz2k.js";
20
+ import"./cli-8rxa073f.js";
21
+ export {
22
+ buildPentestSystemPrompt,
23
+ buildPentestPrompt,
24
+ buildPentestActiveTools,
25
+ TargetedPentestAgent,
26
+ PentestResponseSchema
27
+ };
@@ -0,0 +1,19 @@
1
+ import {
2
+ CodeAgent
3
+ } from "./cli-nn5rxhvz.js";
4
+ import"./cli-9fsre5pt.js";
5
+ import"./cli-7g8n2kkk.js";
6
+ import"./cli-w5vt3svr.js";
7
+ import"./cli-35rkgbhd.js";
8
+ import"./cli-c8131c4q.js";
9
+ import"./cli-d28z7z1b.js";
10
+ import"./cli-0kg01x44.js";
11
+ import"./cli-3k1x5rn3.js";
12
+ import"./cli-gpnb45ck.js";
13
+ import"./cli-7bzzjw1f.js";
14
+ import"./cli-bp7f8nyk.js";
15
+ import"./cli-f5javz2k.js";
16
+ import"./cli-8rxa073f.js";
17
+ export {
18
+ CodeAgent
19
+ };
@@ -12,26 +12,27 @@ import {
12
12
  searchEndpoints,
13
13
  updateApp,
14
14
  updateEndpoint
15
- } from "./cli-jn2sxf89.js";
16
- import"./cli-gta3gsva.js";
17
- import"./cli-8p3trjtv.js";
18
- import"./cli-952bzt8m.js";
19
- import"./cli-epra15kv.js";
20
- import"./cli-mt0f9tte.js";
21
- import"./cli-adgyv55h.js";
15
+ } from "./cli-db434rd0.js";
16
+ import"./cli-y4csaqh2.js";
17
+ import"./cli-qdvef4qc.js";
18
+ import"./cli-sekg25pa.js";
19
+ import"./cli-8256tzw9.js";
20
+ import"./cli-wdahap6k.js";
21
+ import"./cli-nn5rxhvz.js";
22
+ import"./cli-nfnfwfcn.js";
22
23
  import"./cli-9fsre5pt.js";
23
- import"./cli-r2z98y59.js";
24
- import"./cli-99a9aq3w.js";
25
- import"./cli-sganpfnr.js";
24
+ import"./cli-7g8n2kkk.js";
25
+ import"./cli-w5vt3svr.js";
26
+ import"./cli-35rkgbhd.js";
26
27
  import"./cli-fw5r7pfj.js";
27
28
  import"./cli-c8131c4q.js";
28
- import"./cli-ja43jscc.js";
29
- import"./cli-80sehbtt.js";
30
- import"./cli-29yqhrjq.js";
29
+ import"./cli-d28z7z1b.js";
30
+ import"./cli-0kg01x44.js";
31
+ import"./cli-3k1x5rn3.js";
31
32
  import"./cli-gpnb45ck.js";
32
- import"./cli-pgsqvjqw.js";
33
- import"./cli-h28cfavt.js";
34
- import"./cli-5vvb8cby.js";
33
+ import"./cli-7bzzjw1f.js";
34
+ import"./cli-bp7f8nyk.js";
35
+ import"./cli-f5javz2k.js";
35
36
  import"./cli-8rxa073f.js";
36
37
 
37
38
  // src/cli/apps.ts
@@ -1,18 +1,19 @@
1
1
  #!/usr/bin/env bun
2
- import"./cli-jn2sxf89.js";
3
- import"./cli-gta3gsva.js";
4
- import"./cli-8p3trjtv.js";
5
- import"./cli-952bzt8m.js";
6
- import"./cli-epra15kv.js";
7
- import"./cli-mt0f9tte.js";
8
- import"./cli-adgyv55h.js";
2
+ import"./cli-db434rd0.js";
3
+ import"./cli-y4csaqh2.js";
4
+ import"./cli-qdvef4qc.js";
5
+ import"./cli-sekg25pa.js";
6
+ import"./cli-8256tzw9.js";
7
+ import"./cli-wdahap6k.js";
8
+ import"./cli-nn5rxhvz.js";
9
+ import"./cli-nfnfwfcn.js";
9
10
  import"./cli-9fsre5pt.js";
10
- import"./cli-r2z98y59.js";
11
- import"./cli-99a9aq3w.js";
12
- import"./cli-sganpfnr.js";
11
+ import"./cli-7g8n2kkk.js";
12
+ import"./cli-w5vt3svr.js";
13
+ import"./cli-35rkgbhd.js";
13
14
  import"./cli-fw5r7pfj.js";
14
15
  import"./cli-c8131c4q.js";
15
- import"./cli-ja43jscc.js";
16
+ import"./cli-d28z7z1b.js";
16
17
  import {
17
18
  disconnect,
18
19
  fetchWorkspaces,
@@ -25,15 +26,15 @@ import {
25
26
  pollWorkOSToken,
26
27
  selectWorkspace,
27
28
  startDeviceFlow
28
- } from "./cli-80sehbtt.js";
29
- import"./cli-29yqhrjq.js";
29
+ } from "./cli-0kg01x44.js";
30
+ import"./cli-3k1x5rn3.js";
30
31
  import"./cli-gpnb45ck.js";
31
32
  import {
32
33
  config,
33
34
  init_config
34
- } from "./cli-pgsqvjqw.js";
35
- import"./cli-h28cfavt.js";
36
- import"./cli-5vvb8cby.js";
35
+ } from "./cli-7bzzjw1f.js";
36
+ import"./cli-bp7f8nyk.js";
37
+ import"./cli-f5javz2k.js";
37
38
  import {
38
39
  __require
39
40
  } from "./cli-8rxa073f.js";
@@ -0,0 +1,19 @@
1
+ import {
2
+ runAuthenticationAgent
3
+ } from "./cli-wdahap6k.js";
4
+ import"./cli-9fsre5pt.js";
5
+ import"./cli-7g8n2kkk.js";
6
+ import"./cli-w5vt3svr.js";
7
+ import"./cli-35rkgbhd.js";
8
+ import"./cli-c8131c4q.js";
9
+ import"./cli-d28z7z1b.js";
10
+ import"./cli-0kg01x44.js";
11
+ import"./cli-3k1x5rn3.js";
12
+ import"./cli-gpnb45ck.js";
13
+ import"./cli-7bzzjw1f.js";
14
+ import"./cli-bp7f8nyk.js";
15
+ import"./cli-f5javz2k.js";
16
+ import"./cli-8rxa073f.js";
17
+ export {
18
+ runAuthenticationAgent
19
+ };
@@ -0,0 +1,19 @@
1
+ import {
2
+ BlackboxAttackSurfaceAgent
3
+ } from "./cli-qdvef4qc.js";
4
+ import"./cli-9fsre5pt.js";
5
+ import"./cli-7g8n2kkk.js";
6
+ import"./cli-w5vt3svr.js";
7
+ import"./cli-35rkgbhd.js";
8
+ import"./cli-c8131c4q.js";
9
+ import"./cli-d28z7z1b.js";
10
+ import"./cli-0kg01x44.js";
11
+ import"./cli-3k1x5rn3.js";
12
+ import"./cli-gpnb45ck.js";
13
+ import"./cli-7bzzjw1f.js";
14
+ import"./cli-bp7f8nyk.js";
15
+ import"./cli-f5javz2k.js";
16
+ import"./cli-8rxa073f.js";
17
+ export {
18
+ BlackboxAttackSurfaceAgent
19
+ };
@@ -1,23 +1,24 @@
1
1
  import {
2
2
  runPentestWorkflow
3
- } from "./cli-gta3gsva.js";
4
- import"./cli-8p3trjtv.js";
5
- import"./cli-952bzt8m.js";
6
- import"./cli-mt0f9tte.js";
7
- import"./cli-adgyv55h.js";
3
+ } from "./cli-y4csaqh2.js";
4
+ import"./cli-qdvef4qc.js";
5
+ import"./cli-sekg25pa.js";
6
+ import"./cli-8256tzw9.js";
7
+ import"./cli-nn5rxhvz.js";
8
+ import"./cli-nfnfwfcn.js";
8
9
  import"./cli-9fsre5pt.js";
9
- import"./cli-r2z98y59.js";
10
- import"./cli-99a9aq3w.js";
11
- import"./cli-sganpfnr.js";
10
+ import"./cli-7g8n2kkk.js";
11
+ import"./cli-w5vt3svr.js";
12
+ import"./cli-35rkgbhd.js";
12
13
  import"./cli-fw5r7pfj.js";
13
14
  import"./cli-c8131c4q.js";
14
- import"./cli-ja43jscc.js";
15
- import"./cli-80sehbtt.js";
16
- import"./cli-29yqhrjq.js";
15
+ import"./cli-d28z7z1b.js";
16
+ import"./cli-0kg01x44.js";
17
+ import"./cli-3k1x5rn3.js";
17
18
  import"./cli-gpnb45ck.js";
18
- import"./cli-pgsqvjqw.js";
19
- import"./cli-h28cfavt.js";
20
- import"./cli-5vvb8cby.js";
19
+ import"./cli-7bzzjw1f.js";
20
+ import"./cli-bp7f8nyk.js";
21
+ import"./cli-f5javz2k.js";
21
22
  import"./cli-8rxa073f.js";
22
23
 
23
24
  // src/core/api/blackboxPentest.ts
@@ -1,7 +1,7 @@
1
1
  import {
2
2
  config,
3
3
  init_config
4
- } from "./cli-pgsqvjqw.js";
4
+ } from "./cli-7bzzjw1f.js";
5
5
  import {
6
6
  __esm
7
7
  } from "./cli-8rxa073f.js";
@@ -3,7 +3,7 @@ import {
3
3
  init_lazyLogger,
4
4
  init_structured,
5
5
  scopedLogger
6
- } from "./cli-ja43jscc.js";
6
+ } from "./cli-d28z7z1b.js";
7
7
 
8
8
  // src/core/agents/specialized/utils.ts
9
9
  import { execSync } from "node:child_process";
@@ -24438,4 +24438,4 @@ var require_src = __commonJS((exports) => {
24438
24438
  };
24439
24439
  });
24440
24440
 
24441
- export { AISDKError, APICallError, EmptyResponseBodyError, getErrorMessage, InvalidArgumentError, InvalidPromptError, InvalidResponseDataError, JSONParseError, LoadAPIKeyError, LoadSettingError, NoContentGeneratedError, NoSuchModelError, TooManyEmbeddingValuesForCallError, TypeValidationError, UnsupportedFunctionalityError, isJSONArray, isJSONObject, init_dist, safeParse, toJSONSchema, init_core2 as init_core, exports_iso, safeParseAsync2 as safeParseAsync, string2 as string, number2 as number, boolean2 as boolean, _null3 as _null, unknown, array, object, looseObject, union, discriminatedUnion, intersection, record, _enum2 as _enum, literal, optional, custom, preprocess, exports_external, init_v4, ZodFirstPartyTypeKind2 as ZodFirstPartyTypeKind, init_v3, EventSourceParserStream, init_stream, combineHeaders, createToolNameMapping, delay, DelayedPromise, extractResponseHeaders, convertBase64ToUint8Array, convertUint8ArrayToBase64, convertToBase64, convertToFormData, cancelResponseBody, DownloadError, fetchWithValidatedRedirects, DEFAULT_MAX_DOWNLOAD_SIZE, readResponseWithSizeLimit, downloadBlob, createIdGenerator, generateId, getErrorMessage2 as getErrorMessage1, isAbortError, getRuntimeEnvironmentUserAgent, normalizeHeaders, withUserAgentSuffix, getFromApi, isNonNullable, isSameOrigin, isUrlSupported, loadApiKey, loadOptionalSetting, loadSetting, lazySchema, jsonSchema, asSchema, zodSchema, validateTypes, safeValidateTypes, safeParseJSON, isParsableJson, parseJsonEventStream, parseProviderOptions, postJsonToApi, postFormDataToApi, tool, dynamicTool, createProviderToolFactory, createProviderToolFactoryWithOutputSchema, resolve, createJsonErrorResponseHandler, createEventSourceResponseHandler, createJsonResponseHandler, stripFileExtension, withoutTrailingSlash, executeTool, init_dist3 as init_dist1, zod_default, init_zod, GatewayError, GatewayAuthenticationError, createGatewayProvider, gateway, init_dist4 as init_dist2, require_src };
24441
+ export { AISDKError, APICallError, EmptyResponseBodyError, getErrorMessage, InvalidArgumentError, InvalidPromptError, InvalidResponseDataError, JSONParseError, LoadAPIKeyError, LoadSettingError, NoContentGeneratedError, NoSuchModelError, TooManyEmbeddingValuesForCallError, TypeValidationError, UnsupportedFunctionalityError, isJSONArray, isJSONObject, init_dist, safeParse, toJSONSchema, init_core2 as init_core, exports_iso, safeParseAsync2 as safeParseAsync, string2 as string, number2 as number, boolean2 as boolean, _null3 as _null, unknown, array, object, looseObject, union, discriminatedUnion, intersection, record, _enum2 as _enum, literal, optional, custom, preprocess, exports_external, init_v4, ZodFirstPartyTypeKind2 as ZodFirstPartyTypeKind, init_v3, EventSourceParserStream, init_stream, combineHeaders, createToolNameMapping, delay, DelayedPromise, extractResponseHeaders, convertBase64ToUint8Array, convertUint8ArrayToBase64, convertToBase64, convertToFormData, cancelResponseBody, DownloadError, fetchWithValidatedRedirects, DEFAULT_MAX_DOWNLOAD_SIZE, readResponseWithSizeLimit, downloadBlob, createIdGenerator, generateId, getErrorMessage2 as getErrorMessage1, isAbortError, getRuntimeEnvironmentUserAgent, normalizeHeaders, withUserAgentSuffix, getFromApi, isNonNullable, isSameOrigin, isUrlSupported, loadApiKey, loadOptionalSetting, loadSetting, lazySchema, jsonSchema, asSchema, zodSchema, validateTypes, safeValidateTypes, parseJSON, safeParseJSON, isParsableJson, parseJsonEventStream, parseProviderOptions, postJsonToApi, postFormDataToApi, tool, dynamicTool, createProviderToolFactory, createProviderToolFactoryWithOutputSchema, resolve, createJsonErrorResponseHandler, createEventSourceResponseHandler, createJsonResponseHandler, stripFileExtension, withoutTrailingSlash, executeTool, init_dist3 as init_dist1, zod_default, init_zod, GatewayError, GatewayAuthenticationError, createGatewayProvider, gateway, init_dist4 as init_dist2, require_src };
@@ -3,7 +3,7 @@ import {
3
3
  init,
4
4
  init_config,
5
5
  update
6
- } from "./cli-h28cfavt.js";
6
+ } from "./cli-bp7f8nyk.js";
7
7
  import {
8
8
  __esm
9
9
  } from "./cli-8rxa073f.js";
@@ -1,11 +1,11 @@
1
1
  import {
2
2
  CweEntrySchema,
3
3
  ValidatedCweEntrySchema
4
- } from "./cli-99a9aq3w.js";
4
+ } from "./cli-w5vt3svr.js";
5
5
  import {
6
6
  exports_external,
7
7
  init_zod
8
- } from "./cli-29yqhrjq.js";
8
+ } from "./cli-3k1x5rn3.js";
9
9
 
10
10
  // src/core/agents/offSecAgent/types.ts
11
11
  init_zod();
@@ -1,20 +1,26 @@
1
1
  import {
2
2
  OffensiveSecurityAgent,
3
+ PentestReportedError,
4
+ REPORT_ERROR_TOOL_NAME,
5
+ createReportErrorTool,
3
6
  isMemoryEnabled,
4
7
  readPlan
5
- } from "./cli-99a9aq3w.js";
8
+ } from "./cli-w5vt3svr.js";
6
9
  import {
7
10
  createLogger,
11
+ hasToolCall,
12
+ init_dist,
8
13
  init_lazyLogger,
9
14
  init_structured,
10
15
  scopedLogger
11
- } from "./cli-ja43jscc.js";
16
+ } from "./cli-d28z7z1b.js";
12
17
  import {
13
18
  exports_external,
14
19
  init_zod
15
- } from "./cli-29yqhrjq.js";
20
+ } from "./cli-3k1x5rn3.js";
16
21
 
17
22
  // src/core/agents/specialized/pentest/agent.ts
23
+ init_dist();
18
24
  init_zod();
19
25
  init_structured();
20
26
  import { existsSync, readdirSync, readFileSync } from "node:fs";
@@ -31,6 +37,7 @@ var PentestResponseSchema = exports_external.object({
31
37
  findingsDocumented: exports_external.number().describe("Number of vulnerabilities documented via document_vulnerability"),
32
38
  objectivesCovered: exports_external.array(exports_external.string()).describe("Which objectives were tested"),
33
39
  objectiveResults: exports_external.array(ObjectiveResultSchema).describe("Status of each objective: mark as completed if thoroughly tested (vulnerability confirmed and documented, OR conclusively not vulnerable), or incomplete if further testing is warranted. Include new objectives discovered during testing that should be added for future runs."),
40
+ newObjectives: exports_external.array(exports_external.string()).optional().describe("Objectives for the NEXT run of this endpoint. Populate this directly from everything you observed: worker outcomes, what was confirmed or conclusively ruled out, recon anomalies nobody investigated, and the technology you fingerprinted. Each entry must be a focused, self-contained objective the next run can act on directly — name a concrete attack class against a concrete parameter, header, or flow. Do NOT restate anything tested this run or already marked completed in your assignment context; find the coverage gaps. Emit a small, high-signal set (typically 2-6), preferring breadth across distinct untested attack classes over payload variants. Empty/omitted when the endpoint is genuinely exhausted."),
34
41
  noFindingsReason: exports_external.string().optional().describe("If no findings were documented, explain why (e.g., target not vulnerable, endpoint unreachable)")
35
42
  });
36
43
 
@@ -53,14 +60,16 @@ class TargetedPentestAgent extends OffensiveSecurityAgent {
53
60
  context,
54
61
  environmentVariables,
55
62
  enableThinking,
63
+ thinkingEffort,
56
64
  openAIReasoningEffort,
57
65
  role = "orchestrator",
58
66
  browserSession,
59
67
  display
60
68
  } = opts;
69
+ let reportedError = null;
61
70
  super({
62
71
  system: buildPentestSystemPrompt(session, role),
63
- prompt: buildPentestPrompt(target, objectives, session, findingsRegistry, context, environmentVariables ? Object.keys(environmentVariables) : undefined, subagentId, role),
72
+ prompt: buildPentestPrompt(target, objectives, session, findingsRegistry, context, environmentVariables ? Object.keys(environmentVariables) : undefined, subagentId, role, session.credentialManager?.formatForPrompt()),
64
73
  model,
65
74
  session,
66
75
  target,
@@ -75,13 +84,24 @@ class TargetedPentestAgent extends OffensiveSecurityAgent {
75
84
  messages,
76
85
  environmentVariables,
77
86
  enableThinking,
87
+ thinkingEffort,
78
88
  openAIReasoningEffort,
79
89
  browserSession,
80
90
  display,
81
91
  activeTools: buildPentestActiveTools(role, session),
82
92
  responseSchema: PentestResponseSchema,
93
+ extraTools: {
94
+ [REPORT_ERROR_TOOL_NAME]: createReportErrorTool((err) => {
95
+ reportedError = err;
96
+ })
97
+ },
98
+ stopWhen: hasToolCall(REPORT_ERROR_TOOL_NAME),
83
99
  resolveResult: async (streamResult) => {
100
+ if (reportedError) {
101
+ throw new PentestReportedError(reportedError);
102
+ }
84
103
  let objectiveResults;
104
+ let newObjectives;
85
105
  try {
86
106
  const response = await streamResult.response;
87
107
  for (const msg of response.messages ?? []) {
@@ -90,8 +110,11 @@ class TargetedPentestAgent extends OffensiveSecurityAgent {
90
110
  for (const part of msg.content) {
91
111
  if (part.type === "tool-call" && part.toolName === "response" && part.input) {
92
112
  const input = part.input;
93
- if (input.response?.objectiveResults) {
94
- objectiveResults = input.response.objectiveResults;
113
+ if (input.result?.objectiveResults) {
114
+ objectiveResults = input.result.objectiveResults;
115
+ }
116
+ if (input.result?.newObjectives) {
117
+ newObjectives = input.result.newObjectives;
95
118
  }
96
119
  }
97
120
  }
@@ -102,7 +125,8 @@ class TargetedPentestAgent extends OffensiveSecurityAgent {
102
125
  findings,
103
126
  findingsPath: session.findingsPath,
104
127
  pocsPath: session.pocsPath,
105
- objectiveResults
128
+ objectiveResults,
129
+ newObjectives
106
130
  };
107
131
  }
108
132
  });
@@ -148,6 +172,7 @@ var SECTION_POC_PORTABILITY = `POC Script Portability Requirements:
148
172
  - Prefer built-in shell features over external commands when possible
149
173
  - If a PoC requires a specific non-standard tool, check for it at the start and exit with a clear error message if missing`;
150
174
  var SECTION_BROWSER_INTERACTION = `Browser Interaction:
175
+ - Lean on the browser for testing wherever it applies. For anything interactive, stateful, client-side, or auth-gated — login flows, multi-step forms, SPA/JavaScript-driven behavior, DOM-based XSS, CSRF, and any page that only behaves correctly with a rendered, logged-in session — drive the test through the browser (browser_navigate / browser_click / browser_fill / browser_snapshot) rather than raw requests. The browser preserves your authenticated session and executes client-side logic that http_request / curl cannot see. Fall back to http_request / execute_command (curl) for stateless API-level checks, header inspection, and high-volume payload fuzzing.
151
176
  - Use browser_navigate to load pages, browser_snapshot to inspect the DOM, and browser_screenshot for visual evidence
152
177
  - Use browser_click and browser_fill to interact with forms, buttons, and input fields — essential for testing login flows, search fields, and other interactive elements
153
178
  - Screenshot liberally so the user can follow along. Whenever you are driving a browser, treat screenshots as the primary way the user watches your work. Err heavily on the side of more screenshots rather than fewer.
@@ -159,10 +184,14 @@ var SECTION_BROWSER_INTERACTION = `Browser Interaction:
159
184
  - Screenshots are cheap — prefer taking one and not needing it over skipping one and losing visibility. Do NOT attempt to conserve tokens by skipping screenshots during browser-driven testing.
160
185
  - Screenshots are automatically stored and displayed alongside your tool call logs, so each one directly improves the user's ability to follow the test in real time.`;
161
186
  var SECTION_AUTHENTICATION = `Authentication:
162
- - If the prompt includes an "Existing Authentication Session" section, USE those cookies/headers on every request. Do NOT attempt to re-authenticate.
163
- - For http_request: include the provided Cookie and Authorization headers in every call.
164
- - For execute_command (curl): include -H "Cookie: ..." and/or -H "Authorization: ..." flags.
165
- - If a request returns 401/403, the session may have expired note it in your findings but do not try to log in again.`;
187
+ - If the prompt includes an "Existing Authentication Session" section, USE those cookies/headers on every request and do NOT re-authenticate up front. If such a request returns 401/403, that provided session has expired — note it in your findings (and call report_error if it blocks all further testing). Only log in yourself (following any "Available Credentials" instructions) if that provided session expires mid-run.
188
+ - Otherwise, if the target requires authentication, log in yourself. When an "Available Credentials" section is present, follow the authentication instructions in each credential's Context exactly — use the method it describes (for example, a token/API exchange driven with execute_command or http_request) instead of defaulting to a browser login. Only fall back to driving the login flow in the browser with browser_navigate + browser_fill when the Context does not specify how to authenticate. Prefer credentialId + credentialField so secrets are resolved securely; injected credential environment variables are also available inside execute_command.
189
+ - After a successful login, capture the resulting session credentials and reuse them for raw requests. For a browser login, call browser_get_cookies to extract the session cookies (including httpOnly ones) pass them as the Cookie header to http_request, or as -H "Cookie: ..." / -b flags to execute_command (curl). Any worker you spawn automatically inherits a snapshot of your authenticated browser session.
190
+ - For http_request: include the captured Cookie and any Authorization headers on every call. For execute_command (curl): include -H "Cookie: ..." and/or -H "Authorization: ..." flags.
191
+ - If a request returns 401/403 after you logged in yourself, your captured session may have expired — re-authenticate the same way you did originally and refresh your session cookies/tokens.
192
+ - Do NOT spin your wheels on authentication. If you have followed the credential Context instructions and still cannot authenticate, do NOT try to work around it — do NOT register a new account, self-sign-up, or fabricate credentials. Those are not the credentials under test and only pollute results. Make at most a couple of genuine attempts, then call report_error with reason "authentication_failed" and a specific message describing exactly what you tried and how it failed.
193
+ - If you cannot authenticate with the available credentials, or another runtime condition blocks all testing, call report_error with a clear, specific message instead of giving up silently or documenting a non-finding.
194
+ - Do NOT complete destructive or state-changing account actions. When testing a password-reset, account-recovery, email-change, or account-deletion flow, demonstrate the flaw (e.g. a predictable/guessable reset token, a reset that can be triggered for another user, or a flow missing authorization) WITHOUT actually finishing the action on the real account under test — never set a new password, consume a real reset token, change the account email, or delete the account. Doing so can lock you or the operator out and invalidate the credentials. Stop at the point that proves impact and document that instead.`;
166
195
  var SECTION_CREDENTIAL_DISCOVERY = `Credential & Secret Discovery:
167
196
  - When you find exposed configuration in client-side code (JS bundles, HTML source, config files), distinguish between:
168
197
  - SENSITIVE SECRETS (API keys granting backend access, database credentials, JWT signing keys, private keys, service account tokens) — document as a HIGH/CRITICAL finding
@@ -432,14 +461,20 @@ ${SECTION_SOURCE_CODE_PROHIBITION}
432
461
  Your methodology:
433
462
  1. ORIENT — Call list_memories to review any existing knowledge from previous engagements (target-specific notes, successful techniques, false positive patterns, technology context). Use what you find to shape your plan.
434
463
  2. PLAN — State the objectives you have been given and outline your high-level orchestration plan in plain text BEFORE any tool calls. For each objective, briefly state what attack class the worker should focus on (e.g. "Objective 1 → SQL injection, focus on /api/users id parameter"). Output this plan as a text message — not as a tool call.
435
- 3. RECON — Perform LIGHT initial reconnaissance to confirm the target is reachable and understand baseline behavior. Use http_request for a handful of probes, browser_navigate + browser_snapshot to see the surface, and execute_command sparingly. Do NOT begin exploitation here — that is the workers' job. Note any anomalies (unusual error responses, exposed headers, framework fingerprints, surprising endpoint behavior) for the final exploratory worker.
464
+ 3. RECON & AUTHENTICATE — Perform LIGHT initial reconnaissance to confirm the target is reachable and understand baseline behavior. Use http_request for a handful of probes, browser_navigate + browser_snapshot to see the surface, and execute_command sparingly. Do NOT begin exploitation here — that is the workers' job. Note any anomalies (unusual error responses, exposed headers, framework fingerprints, surprising endpoint behavior) for the final exploratory worker.
465
+ - If authentication is required (an "Existing Authentication Session" section is absent and the target / objectives need a logged-in session), you MUST authenticate NOW, in YOUR browser, BEFORE any fan-out. Follow the "Available Credentials" instructions exactly — use the method each credential's Context describes (e.g. a token/API exchange via execute_command or http_request) rather than defaulting to a browser login; only drive the browser login flow (browser_navigate + browser_fill with credentialId/credentialField) when the Context does not specify how.
466
+ - VERIFY the session before fanning out: request a protected resource and confirm it does NOT return 401/403. Use browser_get_cookies to capture the session cookies for reuse in raw http_request / curl calls.
467
+ - Authenticating HERE (not in the workers) is critical: each worker you spawn inherits a snapshot of YOUR browser's authenticated cookies + localStorage at spawn time, so ONE successful login up front propagates to every worker. Do NOT instruct workers to re-authenticate.
468
+ - If you cannot authenticate and the objectives require it, call report_error with reason "authentication_failed" and a specific message BEFORE spawning any workers — do not fan out unauthenticated workers that will all fail, and do not report non-findings.
436
469
  4. FAN OUT — For EACH objective, call spawn_pentest_agent EXACTLY ONCE. Each spawn dispatches a focused worker that will perform the full PLAN → VERIFY → PREPARE → TEST → EXPLOIT → DOCUMENT loop on its objective. Workers write findings to the shared findings registry — you do NOT need to forward findings between them.
437
470
  5. CHAIN & EXPLORE — After all per-objective workers complete, call spawn_pentest_agent ONE FINAL TIME with a synthesized objective that:
438
471
  a. Summarizes what earlier workers confirmed or ruled out (so the exploratory worker doesn't re-do their work).
439
472
  b. Calls out any anomalies you noticed during recon that nobody investigated.
440
473
  c. Directs the worker to chain confirmed findings into higher-impact attack chains AND probe for additional vulnerabilities outside the original objective list (e.g. business logic flaws, race conditions, secondary injection points).
441
474
  6. LEARN — Use add_memory to persist reusable learnings from this engagement (target behaviors, effective techniques, false positive patterns, technology fingerprints).
442
- 7. FINISH — Call the response tool with your final summary. Compile objectiveResults from what each worker reported: mark each objective as completed (vulnerability confirmed and documented by a worker, OR conclusively ruled out by a worker), or incomplete (worker failed or could not finish). Include any new objectives discovered by the exploratory worker.
475
+ 7. FINISH — Call the response tool with your final summary. Compile objectiveResults from what each worker reported: mark each objective as completed (vulnerability confirmed and documented by a worker, OR conclusively ruled out by a worker), or incomplete (worker failed or could not finish). Also populate newObjectives directly: using the coverage you just orchestrated (worker outcomes, what was confirmed or ruled out, recon anomalies nobody investigated, technology fingerprints), propose a small focused set of objectives for the NEXT run that are not already tested this run or marked completed in your context — so subsequent runs stay productive instead of re-testing finished work. Return an empty newObjectives array only when the endpoint is genuinely exhausted.
476
+
477
+ Empty open-objective assignments: if your assignment lists ZERO open objectives to test (every objective in your context is already marked completed), skip the per-objective fan-out and the chain & explore worker, do LIGHT recon only, then go to FINISH and still populate newObjectives so the run produces fresh objectives for next time rather than wasting the run.
443
478
 
444
479
  ${SECTION_ORCHESTRATOR_DELEGATION}
445
480
 
@@ -450,7 +485,7 @@ ${SECTION_MATERIALITY_GUIDANCE}
450
485
  ${SECTION_BROWSER_INTERACTION}
451
486
 
452
487
  ${SECTION_STATE_CHECKPOINTING}`;
453
- function buildPentestPrompt(target, objectives, session, findingsRegistry, context, envVarNames, subagentId, role = "orchestrator") {
488
+ function buildPentestPrompt(target, objectives, session, findingsRegistry, context, envVarNames, subagentId, role = "orchestrator", credentialContext) {
454
489
  const sessionRootPath = session.rootPath;
455
490
  const exfilMode = session.config?.exfilMode ?? false;
456
491
  const taskDriven = role === "orchestrator" ? false : session.config?.taskDriven ?? false;
@@ -569,13 +604,16 @@ Do NOT discover or enumerate other endpoints or services. Focus exclusively on t
569
604
  1. Call list_memories to review any prior knowledge relevant to this target or engagement.
570
605
  2. State the objectives and outline your orchestration plan in plain text BEFORE any tool calls — one bullet per objective, briefly naming the attack class each worker should focus on.
571
606
  3. Perform LIGHT initial recon (a handful of http_request probes, browser_navigate + browser_snapshot to see the surface). Do NOT begin exploitation here — that is the workers' job. Note any anomalies you observe for the final exploratory worker.
607
+ - AUTHENTICATE FIRST if the target/objectives need a logged-in session and no "Existing Authentication Session" is provided: log in ONCE in YOUR browser during this recon step, following the "Available Credentials" instructions exactly (prefer the credential Context's method; use credentialId/credentialField so secrets resolve securely). Verify the session with a protected request (expect NOT 401/403) and capture cookies via browser_get_cookies. Every worker inherits your authenticated browser snapshot, so do this BEFORE fan-out and do NOT have workers re-authenticate. If you cannot authenticate and the objectives require it, call report_error with reason "authentication_failed" instead of fanning out.
572
608
  4. Call spawn_pentest_agent EXACTLY ONCE PER OBJECTIVE. For every spawn:
573
609
  - Set \`target\` to the FULL URL from the assignment above (domain + endpoint path) — pass it through verbatim. Do not strip the path or rewrite the host. Workers do not perform endpoint discovery; they deeply test the path you hand them.
574
610
  - Pass the matching objective in the \`objectives\` array (a single-element array).
575
611
  - Use the \`context\` field to forward any recon insights specific to that objective. If your earlier browser actions left state the worker should know about (already logged in as X, certain modal already dismissed), call that out in \`context\` — each worker is seeded with a snapshot of YOUR browser's cookies and localStorage at the moment of the spawn call.
576
612
  5. After all per-objective workers complete, call spawn_pentest_agent ONE FINAL TIME with a synthesized "chain & explore" objective: summarize what earlier workers confirmed/ruled out, call out unaddressed anomalies, and direct the worker to chain confirmed findings AND probe for additional vulnerabilities outside the original objective list. Send it the same endpoint URL as your assignment unless an earlier worker's confirmed finding on a sibling endpoint is what makes the chain possible.
577
613
  6. Use add_memory to save reusable learnings from this engagement.
578
- 7. Call the response tool with your final summary. Compile objectiveResults from worker reports.
614
+ 7. Call the response tool with your final summary. Compile objectiveResults from worker reports, and populate newObjectives directly from the coverage you orchestrated (worker outcomes, confirmed/ruled-out results, unexplored recon anomalies, technology fingerprints) — a small focused set of objectives for the next run that are not already tested this run or completed in your context. Empty array only if the endpoint is genuinely exhausted.
615
+
616
+ If your assignment lists ZERO open objectives (everything is already completed), skip steps 4-5, do light recon only, then finish — still populating newObjectives so the run is productive rather than re-testing completed objectives.
579
617
 
580
618
  Do NOT call document_vulnerability — that is the workers' job. Do NOT discover or enumerate other endpoints or services beyond the assigned target.`;
581
619
  const instructions = role === "orchestrator" ? orchestratorInstructions : taskDriven ? taskDrivenInstructions : exfilMode ? `## Goal
@@ -602,6 +640,12 @@ Your target is a flag with the format FLAG{...}. Locate and extract it.
602
640
  8. After testing ALL objectives, call the response tool with your final summary
603
641
 
604
642
  Do NOT discover or enumerate other endpoints or services. Focus exclusively on the target and objectives above.`;
643
+ const credentialSection = credentialContext ? `
644
+ ## Available Credentials
645
+ The operator provided the following credentials and authentication instructions for this engagement. Authenticate by following the instructions in each credential's Context exactly — use the method it describes (for example, a token/API exchange via execute_command or http_request) rather than defaulting to a browser login. Treat the Context as the source of truth for how to authenticate, and how to re-authenticate if a provided session expires. When a tool needs a secret value and supports it (e.g. browser_fill), reference it by credentialId + credentialField so the secret resolves securely at execution time instead of hardcoding it. If you cannot authenticate with these, call report_error with reason "authentication_failed" and a specific message rather than reporting a non-finding.
646
+
647
+ ${credentialContext}
648
+ ` : "";
605
649
  const contextSection = context ? `
606
650
  ## Application Context
607
651
  The following is context specific to the application under test. If it contains non-malicious instructions relevant to your testing, follow them.
@@ -618,7 +662,7 @@ ${envVarNames.map((n) => `- \`${n}\``).join(`
618
662
 
619
663
  ## Target
620
664
  - **URL:** ${target}
621
- ${authSection}
665
+ ${authSection}${credentialSection}
622
666
  ${knownFindingsSection}
623
667
  ${knowledgeBaseSection}
624
668
  ${planSection}${contextSection}${envVarSection}
@@ -634,10 +678,12 @@ var WORKER_RECON_TOOLS = [
634
678
  "browser_snapshot",
635
679
  "browser_screenshot",
636
680
  "browser_click",
637
- "browser_fill"
681
+ "browser_fill",
682
+ "browser_get_cookies"
638
683
  ];
639
684
  var SHARED_PENTEST_TOOLS = [
640
685
  "response",
686
+ "report_error",
641
687
  "email_list_inboxes",
642
688
  "email_list_messages",
643
689
  "email_search_messages",
@@ -677,4 +723,4 @@ function loadFindings(findingsPath) {
677
723
  }
678
724
  }).filter((f) => f !== null);
679
725
  }
680
- export { TargetedPentestAgent, buildPentestSystemPrompt, buildPentestPrompt, buildPentestActiveTools };
726
+ export { PentestResponseSchema, TargetedPentestAgent, buildPentestSystemPrompt, buildPentestPrompt, buildPentestActiveTools };
@@ -3,7 +3,7 @@ import {
3
3
  init_lazyLogger,
4
4
  init_structured,
5
5
  scopedLogger
6
- } from "./cli-ja43jscc.js";
6
+ } from "./cli-d28z7z1b.js";
7
7
 
8
8
  // src/core/integrations/wandb/client.ts
9
9
  init_structured();
@@ -1,7 +1,7 @@
1
1
  import {
2
2
  getCurrentVersion,
3
3
  init_installation
4
- } from "./cli-5vvb8cby.js";
4
+ } from "./cli-f5javz2k.js";
5
5
  import {
6
6
  __esm
7
7
  } from "./cli-8rxa073f.js";