aisec-cli 0.1.0 → 0.2.1

package/README.md

@@ -1,22 +1,22 @@
-# @aisec-foundation/cli
+# aisec-cli
 
-CLI for **aisec** — AI-powered web security scanner.
+CLI for [AISEC](https://aisec.tools) — AI-powered web application security scanner. Autonomous pentesting from your terminal.
 
 ## Quick Start
 
 ```bash
-npx @aisec-foundation/cli scan https://target.com --token YOUR_TOKEN
+npx aisec-cli scan https://target.com --token YOUR_TOKEN
 ```
 
 Or install globally:
 
 ```bash
-npm i -g @aisec-foundation/cli
+npm i -g aisec-cli
 ```
 
 ## Authentication
 
-Get your token at [app.aisec.tools/developer](https://app.aisec.tools/developer).
+Get your token at the [AISEC Dashboard](https://app.aisec.tools/developer).
 
 ```bash
 export AISEC_TOKEN=ask_...
@@ -49,6 +49,14 @@ aisec scans -l 20     # Last 20 scans
 aisec status          # Check connection & auth
 ```
 
+## Links
+
+- [AISEC Website](https://aisec.tools) — AI-powered penetration testing platform
+- [Dashboard](https://app.aisec.tools) — manage scans and findings
+- [How It Works](https://aisec.tools/how-it-works) — platform documentation
+- [Pricing](https://aisec.tools/pricing) — plans and credits
+- [Python CLI](https://github.com/aisec-foundation/cli-python) — alternative CLI
+
 ## License
 
 MIT

package/bin/aisec.mjs

@@ -16,12 +16,16 @@ program
   .option("--stealth", "Stealth profile — slower, WAF evasion")
   .option("--aggressive", "Aggressive — full port scan, brute force, sqlmap")
   .option("--full", "Full — aggressive + subdomain scope + 50 iterations")
+  .option("--bounty", "Bug bounty — high-impact vulns, skip noise, PoC-ready output")
+  .option("--scan-type <type>", "Scan type: web, network, crypto", "web")
   .option("-e, --engine <engine>", "AI engine: claude or ollama", "claude")
   .option("-m, --model <model>", "Model name")
+  .option("--review-model <model>", "Review model (default: claude-sonnet-4-6)")
   .option("--temperature <temp>", "AI temperature 0.0-1.0", parseFloat)
   .option("-n, --max-iterations <n>", "Max AI iterations", parseInt)
   .option("--scope <scope>", "Scan scope: target, domain, subdomain")
   .option("-t, --timeout <minutes>", "Timeout in minutes, 0=unlimited", parseInt)
+  .option("--cost-cap <credits>", "Max credits to spend (0=no limit)", parseFloat)
   .option("--skip-recon", "Skip infrastructure recon")
   .option("--skip-browser", "Skip browser-based recon")
   .option("-u, --username <user>", "Username for auth scanning")
@@ -29,6 +33,14 @@ program
   .option("--cookies <json>", "Session cookies as JSON or @file")
   .option("--proxy <url>", "Proxy URL")
   .option("--headers <headers>", "Custom headers: 'Key:Val,Key2:Val2' or @file")
+  .option("--localstorage <json>", "Browser localStorage as JSON or @file")
+  .option("--custom-instructions <text>", "Free-text guidance for the AI agent (max 500 chars)")
+  .option("--disable-tools <tools>", "Comma-separated tools to disable (e.g. sqlmap,hydra,nikto)")
+  .option("--disable-enrichments <list>", "Comma-separated enrichments to disable (e.g. leak_check,shodan)")
+  .option("--out-of-scope <list>", "Comma-separated domains/paths to exclude")
+  .option("--wordlist <name>", "Wordlist: common, big, api-endpoints")
+  .option("--auto-compact", "Auto-compact context for long scans (saves credits)")
+  .option("--project-id <id>", "Assign scan to a project")
   .option("--fail-on <severity>", "Exit 1 if findings at this severity or above (critical, high, medium, low)")
   .option("--source <source>", "Scan source identifier (cli, ci, api)", "cli")
   .option("--token <token>", "API token (or AISEC_TOKEN env)")

package/lib/api.mjs

@@ -15,6 +15,26 @@ export async function request(apiUrl, path, token, opts = {}) {
       process.exit(1);
     }
     const body = await res.text();
+    if (res.status === 403) {
+      try {
+        const parsed = JSON.parse(body);
+        const err = parsed?.detail || parsed;
+        if (err?.error === "target_not_verified") {
+          const root = err.root_domain || "your target";
+          console.error(chalk.bold.red("\nTarget not verified"));
+          console.error(`To scan ${chalk.bold(root)}, publish a DNS TXT record:`);
+          console.error(`  ${chalk.cyan("Host")}:  _aisec-verify.${root}`);
+          console.error(`  ${chalk.cyan("Type")}:  TXT`);
+          console.error(`  ${chalk.cyan("Value")}: use the dashboard to get your per-user challenge token`);
+          // Prefer the backend-provided per-project verification path; fall
+          // back to /projects (verification is per-project — there is no
+          // account-wide /verifications route).
+          const vpath = err.verification_url || "/projects";
+          console.error(`\nDashboard: ${chalk.cyan(`https://app.aisec.tools${vpath}`)}`);
+          process.exit(3);
+        }
+      } catch {}
+    }
     throw new Error(`${res.status} ${res.statusText}: ${body}`);
   }
 

package/lib/scan.mjs

@@ -4,8 +4,22 @@ import { readFileSync } from "fs";
 import { resolveAuth, resolveApi, wsUrl } from "./config.mjs";
 import { request, healthCheck } from "./api.mjs";
 
+// Map a known API host to its dashboard host. Returns null for unknown
+// hosts (staging/local/other tenant) so we never print a production URL
+// for a scan that didn't run on production.
+function dashboardUrl(apiUrl, scanId) {
+  try {
+    const host = new URL(apiUrl).hostname;
+    if (host === "api.aisec.tools") return `https://app.aisec.tools/scans/${scanId}`;
+    return null;
+  } catch {
+    return null;
+  }
+}
+
 function resolveProfile(opts) {
   if (opts.full) return "full";
+  if (opts.bounty) return "bounty";
   if (opts.aggressive) return "aggressive";
   if (opts.stealth) return "stealth";
   return undefined;
@@ -32,6 +46,19 @@ function parseCookies(raw) {
   return raw;
 }
 
+function parseFileOrString(raw) {
+  if (!raw) return undefined;
+  if (raw.startsWith("@")) {
+    return readFileSync(raw.slice(1), "utf-8").trim();
+  }
+  return raw;
+}
+
+function parseCommaSeparated(raw) {
+  if (!raw) return undefined;
+  return raw.split(",").map(s => s.trim()).filter(Boolean);
+}
+
 function buildBody(target, opts) {
   const body = { target, source: opts.source || "cli" };
   const profile = resolveProfile(opts);
@@ -47,10 +74,25 @@ function buildBody(target, opts) {
   if (opts.username) body.username = opts.username;
   if (opts.password) body.password = opts.password;
   if (opts.proxy) body.proxy = opts.proxy;
+  if (opts.costCap != null) body.cost_cap = opts.costCap;
+  if (opts.reviewModel) body.review_model = opts.reviewModel;
+  if (opts.scanType && opts.scanType !== "web") body.scan_type = opts.scanType;
   const cookies = parseCookies(opts.cookies);
   if (cookies) body.cookies_json = cookies;
   const headers = parseHeaders(opts.headers);
   if (headers) body.custom_headers = headers;
+  const ls = parseFileOrString(opts.localstorage);
+  if (ls) body.localstorage_json = ls;
+  if (opts.customInstructions) body.custom_instructions = opts.customInstructions;
+  const disabledTools = parseCommaSeparated(opts.disableTools);
+  if (disabledTools) body.disabled_tools = disabledTools;
+  const disabledEnrichments = parseCommaSeparated(opts.disableEnrichments);
+  if (disabledEnrichments) body.disabled_enrichments = disabledEnrichments;
+  const outOfScope = parseCommaSeparated(opts.outOfScope);
+  if (outOfScope) body.out_of_scope = outOfScope;
+  if (opts.wordlist) body.wordlist = opts.wordlist;
+  if (opts.autoCompact) body.auto_compact = true;
+  if (opts.projectId) body.project_id = opts.projectId;
   return body;
 }
 
@@ -173,10 +215,15 @@ export async function cmdScan(target, opts) {
 
   // WebSocket streaming
   const wsBase = wsUrl(apiUrl);
-  const wsUrlFull = `${wsBase}/ws/scans/${scanId}?token=${token}`;
+  const wsUrlFull = `${wsBase}/ws/scans/${scanId}`;
 
-  const ws = new WebSocket(wsUrlFull);
+  // The API authenticates the socket via the `aisec-token` subprotocol
+  // (same as the dashboard + Python CLI). It does NOT read ?token= from the
+  // URL — passing it there both fails auth and risks leaking the token into
+  // logs. The ws lib sends the second protocol entry as the token value.
+  const ws = new WebSocket(wsUrlFull, ["aisec-token", token]);
   let cancelled = false;
+  let completed = false;      // set true on scan_complete
   const foundFindings = [];   // track severities for --fail-on
   let exitCode = 0;
 
@@ -235,12 +282,13 @@ export async function cmdScan(target, opts) {
         }
         break;
 
-      case "credits_update":
       case "cost_update":
         {
-          const cr = msg.data?.credits_used ?? msg.data?.cost;
-          if (cr != null) {
-            process.stdout.write(chalk.dim(`  [${cr.toFixed(1)} credits]\r`));
+          // Backend emits token counts now (cost/credits were removed).
+          const ti = msg.data?.tokens_in;
+          const to = msg.data?.tokens_out;
+          if (ti != null || to != null) {
+            process.stdout.write(chalk.dim(`  [tokens ${ti ?? 0} in · ${to ?? 0} out]\r`));
           }
         }
         break;
@@ -252,25 +300,19 @@ export async function cmdScan(target, opts) {
 
       case "scan_complete": {
         spinner.stop();
+        completed = true;
         const d = msg.data || {};
-        const duration = d.duration ? formatDuration(d.duration) : "?";
-        const creditsUsed = (d.credits_used ?? d.cost ?? 0).toFixed(1);
-
-        // Fetch remaining credits
-        let remaining = "?";
-        try {
-          const me = await request(apiUrl, "/api/v1/auth/me", token);
-          remaining = parseFloat(me.credits_balance || 0).toFixed(1);
-        } catch {}
-
-        const reportUrl = `https://app.aisec.tools/scans/${scanId}`;
+        const tokensIn = d.tokens_in ?? 0;
+        const tokensOut = d.tokens_out ?? 0;
+        const reportUrl = dashboardUrl(apiUrl, scanId);
         console.log(
           "\n" + chalk.green("━".repeat(50)) + "\n" +
           chalk.bold.green(" Scan complete\n") +
           chalk.dim(` Findings: `) + chalk.white(d.findings ?? 0) + "\n" +
-          chalk.dim(` Credits:  `) + chalk.white(creditsUsed) + chalk.dim(" used · ") + chalk.yellow.bold(remaining) + chalk.dim(" remaining") + "\n" +
-          chalk.dim(` Duration: `) + chalk.white(duration) + "\n" +
-          chalk.dim(` Report:   `) + chalk.underline.cyan(reportUrl) + "\n" +
+          chalk.dim(` Tokens:   `) + chalk.white(`${tokensIn} in · ${tokensOut} out`) + "\n" +
+          (reportUrl
+            ? chalk.dim(` Report:   `) + chalk.underline.cyan(reportUrl)
+            : chalk.dim(` Scan ID:  `) + chalk.white(scanId)) + "\n" +
           chalk.green("━".repeat(50))
         );
 
@@ -278,7 +320,7 @@ export async function cmdScan(target, opts) {
         if (process.env.GITHUB_OUTPUT) {
           const { appendFileSync } = await import("fs");
           appendFileSync(process.env.GITHUB_OUTPUT, `findings=${d.findings ?? 0}\n`);
-          appendFileSync(process.env.GITHUB_OUTPUT, `report-url=${reportUrl}\n`);
+          if (reportUrl) appendFileSync(process.env.GITHUB_OUTPUT, `report-url=${reportUrl}\n`);
         }
 
         // --fail-on check
@@ -306,8 +348,19 @@ export async function cmdScan(target, opts) {
     console.error(chalk.red(`WebSocket error: ${err.message}`));
   });
 
-  ws.on("close", () => {
+  ws.on("close", (code) => {
     spinner.stop();
-    if (!cancelled) process.exit(exitCode);
+    if (cancelled) return;
+    // Closing before scan_complete means we never saw the result (auth
+    // failure, network drop, server restart). Don't let CI read that as a
+    // pass — exit non-zero so the pipeline surfaces it.
+    if (!completed && exitCode === 0) {
+      console.error(
+        chalk.red(`\n✗ Stream closed before the scan completed (ws code ${code ?? "?"}). `) +
+        chalk.dim("Check the dashboard for status; the scan may still be running.")
+      );
+      exitCode = 1;
+    }
+    process.exit(exitCode);
   });
 }

package/lib/scans.mjs

@@ -35,18 +35,15 @@ export async function cmdScans(opts) {
     chalk.dim("Status".padEnd(12)) +
     chalk.dim("Domain".padEnd(30)) +
     chalk.dim("Finds".padStart(6)) +
-    chalk.dim("Cost".padStart(9)) +
     chalk.dim("Date".padStart(13)) +
     chalk.dim("ID".padStart(11))
   );
-  console.log(chalk.dim("─".repeat(81)));
+  console.log(chalk.dim("─".repeat(72)));
 
   for (const s of scans) {
     const color = STATUS_COLORS[s.status] || chalk.white;
     const domain = (s.target || "").replace(/^https?:\/\//, "").slice(0, 28);
     const findings = String(s.findings_count ?? s.total_findings ?? 0);
-    const cr = s.credits_used ?? s.total_cost;
-    const cost = cr != null ? `${cr.toFixed(1)}` : "-";
     const date = s.created_at ? s.created_at.slice(0, 10) : "-";
     const id = (s.id || "").slice(0, 8);
 
@@ -54,7 +51,6 @@ export async function cmdScans(opts) {
       color(s.status.padEnd(12)) +
       chalk.white(domain.padEnd(30)) +
       chalk.white(findings.padStart(6)) +
-      chalk.white(cost.padStart(9)) +
       chalk.dim(date.padStart(13)) +
       chalk.dim(id.padStart(11))
     );

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aisec-cli",
-  "version": "0.1.0",
+  "version": "0.2.1",
   "description": "CLI for aisec — AI-powered web security scanner",
   "type": "module",
   "bin": {
@@ -10,6 +10,9 @@
     "bin/",
     "lib/"
   ],
+  "scripts": {
+    "test": "node test/unit.mjs"
+  },
   "engines": {
     "node": ">=18"
   },
@@ -26,8 +29,8 @@
     "url": "https://github.com/aisec-foundation/cli-node.git"
   },
   "dependencies": {
-    "commander": "^12.1.0",
     "chalk": "^5.3.0",
+    "commander": "^12.1.0",
     "ws": "^8.18.0"
   }
 }