npm - @phenixstar/talon - Versions diffs - 1.0.0 - Mend

@phenixstar/talon 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (112) hide show

package/.env.example +72 -0
package/Dockerfile +161 -0
package/Dockerfile.router +16 -0
package/LICENSE +661 -0
package/README.md +709 -0
package/bin/talon.js +96 -0
package/bin/talon.mjs +96 -0
package/configs/config-schema.json +160 -0
package/configs/example-config.yaml +50 -0
package/configs/mcp-allowlist.json +47 -0
package/configs/model-routing.yaml +39 -0
package/configs/router-config.json +73 -0
package/configs/talon-seccomp.json +89 -0
package/dist/cli/dependency-checker.d.ts +25 -0
package/dist/cli/dependency-checker.d.ts.map +1 -0
package/dist/cli/dependency-checker.js +165 -0
package/dist/cli/dependency-checker.js.map +1 -0
package/dist/cli/doctor.d.ts +2 -0
package/dist/cli/doctor.d.ts.map +1 -0
package/dist/cli/doctor.js +127 -0
package/dist/cli/doctor.js.map +1 -0
package/dist/cli/env-configurator.d.ts +27 -0
package/dist/cli/env-configurator.d.ts.map +1 -0
package/dist/cli/env-configurator.js +115 -0
package/dist/cli/env-configurator.js.map +1 -0
package/dist/cli/setup-renderer.d.ts +23 -0
package/dist/cli/setup-renderer.d.ts.map +1 -0
package/dist/cli/setup-renderer.js +71 -0
package/dist/cli/setup-renderer.js.map +1 -0
package/dist/cli/setup.d.ts +2 -0
package/dist/cli/setup.d.ts.map +1 -0
package/dist/cli/setup.js +302 -0
package/dist/cli/setup.js.map +1 -0
package/dist/types/activity-logger.d.ts +10 -0
package/dist/types/activity-logger.d.ts.map +1 -0
package/dist/types/activity-logger.js +7 -0
package/dist/types/activity-logger.js.map +1 -0
package/dist/types/agents.d.ts +39 -0
package/dist/types/agents.d.ts.map +1 -0
package/dist/types/agents.js +28 -0
package/dist/types/agents.js.map +1 -0
package/dist/types/audit.d.ts +28 -0
package/dist/types/audit.d.ts.map +1 -0
package/dist/types/audit.js +7 -0
package/dist/types/audit.js.map +1 -0
package/dist/types/backtesting.d.ts +45 -0
package/dist/types/backtesting.d.ts.map +1 -0
package/dist/types/backtesting.js +3 -0
package/dist/types/backtesting.js.map +1 -0
package/dist/types/config.d.ts +48 -0
package/dist/types/config.d.ts.map +1 -0
package/dist/types/config.js +7 -0
package/dist/types/config.js.map +1 -0
package/dist/types/errors.d.ts +55 -0
package/dist/types/errors.d.ts.map +1 -0
package/dist/types/errors.js +41 -0
package/dist/types/errors.js.map +1 -0
package/dist/types/evolution.d.ts +36 -0
package/dist/types/evolution.d.ts.map +1 -0
package/dist/types/evolution.js +14 -0
package/dist/types/evolution.js.map +1 -0
package/dist/types/index.d.ts +11 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/types/index.js +16 -0
package/dist/types/index.js.map +1 -0
package/dist/types/metrics.d.ts +13 -0
package/dist/types/metrics.d.ts.map +1 -0
package/dist/types/metrics.js +7 -0
package/dist/types/metrics.js.map +1 -0
package/dist/types/resilience.d.ts +30 -0
package/dist/types/resilience.d.ts.map +1 -0
package/dist/types/resilience.js +7 -0
package/dist/types/resilience.js.map +1 -0
package/dist/types/result.d.ts +42 -0
package/dist/types/result.d.ts.map +1 -0
package/dist/types/result.js +30 -0
package/dist/types/result.js.map +1 -0
package/docker-compose.yml +91 -0
package/package.json +75 -0
package/prompts/exploit-auth.txt +423 -0
package/prompts/exploit-authz.txt +425 -0
package/prompts/exploit-injection.txt +452 -0
package/prompts/exploit-ssrf.txt +502 -0
package/prompts/exploit-xss.txt +442 -0
package/prompts/pipeline-testing/exploit-auth.txt +31 -0
package/prompts/pipeline-testing/exploit-authz.txt +31 -0
package/prompts/pipeline-testing/exploit-injection.txt +31 -0
package/prompts/pipeline-testing/exploit-ssrf.txt +31 -0
package/prompts/pipeline-testing/exploit-xss.txt +31 -0
package/prompts/pipeline-testing/pre-recon-code.txt +1 -0
package/prompts/pipeline-testing/recon.txt +1 -0
package/prompts/pipeline-testing/report-executive.txt +1 -0
package/prompts/pipeline-testing/vuln-auth.txt +13 -0
package/prompts/pipeline-testing/vuln-authz.txt +13 -0
package/prompts/pipeline-testing/vuln-injection.txt +13 -0
package/prompts/pipeline-testing/vuln-ssrf.txt +13 -0
package/prompts/pipeline-testing/vuln-xss.txt +13 -0
package/prompts/pre-recon-code.txt +403 -0
package/prompts/recon.txt +382 -0
package/prompts/report-executive.txt +126 -0
package/prompts/shared/_exploit-scope.txt +14 -0
package/prompts/shared/_rules.txt +2 -0
package/prompts/shared/_target.txt +1 -0
package/prompts/shared/_vuln-scope.txt +1 -0
package/prompts/shared/login-instructions.txt +82 -0
package/prompts/vuln-auth.txt +268 -0
package/prompts/vuln-authz.txt +373 -0
package/prompts/vuln-injection.txt +380 -0
package/prompts/vuln-ssrf.txt +315 -0
package/prompts/vuln-xss.txt +304 -0
package/talon +459 -0
package/talon.ps1 +348 -0

package/.env.example ADDED Viewed

@@ -0,0 +1,72 @@
+# Talon Environment Configuration
+# Copy this file to .env and fill in your credentials
+# Recommended output token configuration for larger tool outputs
+CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000
+# =============================================================================
+# OPTION 1: Direct Anthropic (default, no router)
+# =============================================================================
+ANTHROPIC_API_KEY=your-api-key-here
+# OR use OAuth token instead
+# CLAUDE_CODE_OAUTH_TOKEN=your-oauth-token-here
+# =============================================================================
+# OPTION 2: Router Mode (use alternative providers)
+# =============================================================================
+# Enable router mode by running: ./talon start ... ROUTER=true
+# Then configure ONE of the providers below:
+# --- OpenAI ---
+# OPENAI_API_KEY=sk-your-openai-key
+# ROUTER_DEFAULT=openai,gpt-5.2
+# --- OpenRouter (access Gemini 3 models via single API) ---
+# OPENROUTER_API_KEY=sk-or-your-openrouter-key
+# ROUTER_DEFAULT=openrouter,google/gemini-3-flash-preview
+# =============================================================================
+# Model Tier Overrides (Anthropic API / OAuth / Bedrock)
+# =============================================================================
+# Override which model is used for each tier. Defaults are used if not set.
+# ANTHROPIC_SMALL_MODEL=...     # Small tier  (default: claude-haiku-4-5-20251001)
+# ANTHROPIC_MEDIUM_MODEL=...    # Medium tier (default: claude-sonnet-4-6)
+# ANTHROPIC_LARGE_MODEL=...     # Large tier  (default: claude-opus-4-6)
+# =============================================================================
+# OPTION 3: AWS Bedrock
+# =============================================================================
+# https://aws.amazon.com/blogs/machine-learning/accelerate-ai-development-with-amazon-bedrock-api-keys/
+# Requires the model tier overrides above to be set with Bedrock-specific model IDs.
+# Example Bedrock model IDs for us-east-1:
+#   ANTHROPIC_SMALL_MODEL=us.anthropic.claude-haiku-4-5-20251001-v1:0
+#   ANTHROPIC_MEDIUM_MODEL=us.anthropic.claude-sonnet-4-6
+#   ANTHROPIC_LARGE_MODEL=us.anthropic.claude-opus-4-6
+# CLAUDE_CODE_USE_BEDROCK=1
+# AWS_REGION=us-east-1
+# AWS_BEARER_TOKEN_BEDROCK=your-bearer-token
+# =============================================================================
+# OPTION 4: Google Vertex AI
+# =============================================================================
+# https://cloud.google.com/vertex-ai/generative-ai/docs/partner-models/use-partner-models
+# Requires a GCP service account with roles/aiplatform.user.
+# Download the SA key JSON from GCP Console (IAM > Service Accounts > Keys).
+# Requires the model tier overrides above to be set with Vertex AI model IDs.
+# Example Vertex AI model IDs:
+#   ANTHROPIC_SMALL_MODEL=claude-haiku-4-5@20251001
+#   ANTHROPIC_MEDIUM_MODEL=claude-sonnet-4-6
+#   ANTHROPIC_LARGE_MODEL=claude-opus-4-6
+# CLAUDE_CODE_USE_VERTEX=1
+# CLOUD_ML_REGION=us-east5
+# ANTHROPIC_VERTEX_PROJECT_ID=your-gcp-project-id
+# GOOGLE_APPLICATION_CREDENTIALS=./credentials/gcp-sa-key.json
+# =============================================================================
+# Available Models
+# =============================================================================
+# OpenAI:     gpt-5.2, gpt-5-mini
+# OpenRouter: google/gemini-3-flash-preview

package/Dockerfile ADDED Viewed

@@ -0,0 +1,161 @@
+#
+# Multi-stage Dockerfile for Pentest Agent
+# Uses Chainguard Wolfi for minimal attack surface and supply chain security
+# Builder stage - Install tools and dependencies
+FROM cgr.dev/chainguard/wolfi-base:latest AS builder
+# Install system dependencies available in Wolfi
+RUN apk update && apk add --no-cache \
+    # Core build tools
+    build-base \
+    git \
+    curl \
+    wget \
+    ca-certificates \
+    # Network libraries for Go tools
+    libpcap-dev \
+    linux-headers \
+    # Language runtimes
+    go \
+    nodejs-22 \
+    npm \
+    python3 \
+    py3-pip \
+    ruby \
+    ruby-dev \
+    # Security tools available in Wolfi
+    nmap \
+    # Additional utilities
+    bash
+# Set environment variables for Go
+ENV GOPATH=/go
+ENV PATH=$GOPATH/bin:/usr/local/go/bin:$PATH
+ENV CGO_ENABLED=1
+# Create directories
+RUN mkdir -p $GOPATH/bin
+# Install Go-based security tools
+RUN go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
+# Install WhatWeb from GitHub (Ruby-based tool)
+RUN git clone --depth 1 https://github.com/urbanadventurer/WhatWeb.git /opt/whatweb && \
+    chmod +x /opt/whatweb/whatweb && \
+    gem install addressable && \
+    echo '#!/bin/bash' > /usr/local/bin/whatweb && \
+    echo 'cd /opt/whatweb && exec ./whatweb "$@"' >> /usr/local/bin/whatweb && \
+    chmod +x /usr/local/bin/whatweb
+# Install Python-based tools
+RUN pip3 install --no-cache-dir schemathesis
+# Runtime stage - Minimal production image
+FROM cgr.dev/chainguard/wolfi-base:latest AS runtime
+# Install only runtime dependencies
+USER root
+RUN apk update && apk add --no-cache \
+    # Core utilities
+    git \
+    bash \
+    curl \
+    ca-certificates \
+    # Network libraries (runtime)
+    libpcap \
+    # Security tools
+    nmap \
+    # Language runtimes (minimal)
+    nodejs-22 \
+    npm \
+    python3 \
+    ruby \
+    # Chromium browser and dependencies for Playwright
+    chromium \
+    # Additional libraries Chromium needs
+    nss \
+    freetype \
+    harfbuzz \
+    # X11 libraries for headless browser
+    libx11 \
+    libxcomposite \
+    libxdamage \
+    libxext \
+    libxfixes \
+    libxrandr \
+    mesa-gbm \
+    # Font rendering
+    fontconfig
+# Copy Go binaries from builder
+COPY --from=builder /go/bin/subfinder /usr/local/bin/
+# Copy WhatWeb from builder
+COPY --from=builder /opt/whatweb /opt/whatweb
+COPY --from=builder /usr/local/bin/whatweb /usr/local/bin/whatweb
+# Install WhatWeb Ruby dependencies in runtime stage
+RUN gem install addressable
+# Copy Python packages from builder
+COPY --from=builder /usr/lib/python3.*/site-packages /usr/lib/python3.12/site-packages
+COPY --from=builder /usr/bin/schemathesis /usr/bin/
+# Create non-root user for security
+RUN addgroup -g 1001 pentest && \
+    adduser -u 1001 -G pentest -s /bin/bash -D pentest
+# Set working directory
+WORKDIR /app
+# Copy package files first for better caching
+COPY package*.json ./
+COPY mcp-server/package*.json ./mcp-server/
+# Install Node.js dependencies (including devDependencies for TypeScript build)
+RUN npm ci && \
+    cd mcp-server && npm ci && cd .. && \
+    npm cache clean --force
+# Copy application source code
+COPY . .
+# Build TypeScript (mcp-server first, then main project)
+RUN cd mcp-server && npm run build && cd .. && npm run build
+# Remove devDependencies after build to reduce image size
+RUN npm prune --production && \
+    cd mcp-server && npm prune --production
+RUN npm install -g @anthropic-ai/claude-code
+# Create directories for session data and ensure proper permissions
+RUN mkdir -p /app/sessions /app/deliverables /app/repos /app/configs /app/audit-logs && \
+    mkdir -p /tmp/.cache /tmp/.config /tmp/.npm && \
+    chown -R pentest:pentest /app && \
+    chmod 755 /app && \
+    chmod 770 /app/sessions /app/deliverables /app/repos /app/audit-logs && \
+    chmod 777 /tmp/.cache /tmp/.config /tmp/.npm
+# Switch to non-root user
+USER pentest
+# Set environment variables
+ENV NODE_ENV=production
+ENV PATH="/usr/local/bin:$PATH"
+ENV TALON_DOCKER=true
+ENV PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1
+ENV PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium-browser
+ENV npm_config_cache=/tmp/.npm
+ENV HOME=/tmp
+ENV XDG_CACHE_HOME=/tmp/.cache
+ENV XDG_CONFIG_HOME=/tmp/.config
+# Configure Git identity and trust only known directories (not '*' — CVE-2022-24765)
+RUN git config --global user.email "agent@localhost" && \
+    git config --global user.name "Pentest Agent" && \
+    git config --global --add safe.directory /repos && \
+    git config --global --add safe.directory /app
+# Set entrypoint
+ENTRYPOINT ["node", "dist/talon.js"]

package/Dockerfile.router ADDED Viewed

@@ -0,0 +1,16 @@
+FROM node:20-slim
+RUN apt-get update && apt-get install -y --no-install-recommends gettext-base \
+    && rm -rf /var/lib/apt/lists/* \
+    && npm install -g @musistudio/claude-code-router \
+    && npm cache clean --force
+RUN groupadd -r router && useradd -r -g router -m router
+RUN mkdir -p /home/router/.claude-code-router && chown router:router /home/router/.claude-code-router
+USER router
+WORKDIR /home/router
+COPY --chown=router:router entrypoint-router.sh /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]