npm - aisec-cli - Versions diffs - 0.2.0 → 0.2.1 - Mend

aisec-cli 0.2.0 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -1,22 +1,22 @@
-# @aisec-foundation/cli
+# aisec-cli
-CLI for **aisec** — AI-powered web security scanner.
+CLI for [AISEC](https://aisec.tools) — AI-powered web application security scanner. Autonomous pentesting from your terminal.
 ## Quick Start
 ```bash
-npx @aisec-foundation/cli scan https://target.com --token YOUR_TOKEN
+npx aisec-cli scan https://target.com --token YOUR_TOKEN
 ```
 Or install globally:
 ```bash
-npm i -g @aisec-foundation/cli
+npm i -g aisec-cli
 ```
 ## Authentication
-Get your token at [app.aisec.tools/developer](https://app.aisec.tools/developer).
+Get your token at the [AISEC Dashboard](https://app.aisec.tools/developer).
 ```bash
 export AISEC_TOKEN=ask_...
@@ -49,6 +49,14 @@ aisec scans -l 20     # Last 20 scans
 aisec status          # Check connection & auth
 ```
+## Links
+- [AISEC Website](https://aisec.tools) — AI-powered penetration testing platform
+- [Dashboard](https://app.aisec.tools) — manage scans and findings
+- [How It Works](https://aisec.tools/how-it-works) — platform documentation
+- [Pricing](https://aisec.tools/pricing) — plans and credits
+- [Python CLI](https://github.com/aisec-foundation/cli-python) — alternative CLI
 ## License
 MIT

package/lib/api.mjs CHANGED Viewed

@@ -15,6 +15,26 @@ export async function request(apiUrl, path, token, opts = {}) {
       process.exit(1);
     }
     const body = await res.text();
+    if (res.status === 403) {
+      try {
+        const parsed = JSON.parse(body);
+        const err = parsed?.detail || parsed;
+        if (err?.error === "target_not_verified") {
+          const root = err.root_domain || "your target";
+          console.error(chalk.bold.red("\nTarget not verified"));
+          console.error(`To scan ${chalk.bold(root)}, publish a DNS TXT record:`);
+          console.error(`  ${chalk.cyan("Host")}:  _aisec-verify.${root}`);
+          console.error(`  ${chalk.cyan("Type")}:  TXT`);
+          console.error(`  ${chalk.cyan("Value")}: use the dashboard to get your per-user challenge token`);
+          // Prefer the backend-provided per-project verification path; fall
+          // back to /projects (verification is per-project — there is no
+          // account-wide /verifications route).
+          const vpath = err.verification_url || "/projects";
+          console.error(`\nDashboard: ${chalk.cyan(`https://app.aisec.tools${vpath}`)}`);
+          process.exit(3);
+        }
+      } catch {}
+    }
     throw new Error(`${res.status} ${res.statusText}: ${body}`);
   }

package/lib/scan.mjs CHANGED Viewed

@@ -4,6 +4,19 @@ import { readFileSync } from "fs";
 import { resolveAuth, resolveApi, wsUrl } from "./config.mjs";
 import { request, healthCheck } from "./api.mjs";
+// Map a known API host to its dashboard host. Returns null for unknown
+// hosts (staging/local/other tenant) so we never print a production URL
+// for a scan that didn't run on production.
+function dashboardUrl(apiUrl, scanId) {
+  try {
+    const host = new URL(apiUrl).hostname;
+    if (host === "api.aisec.tools") return `https://app.aisec.tools/scans/${scanId}`;
+    return null;
+  } catch {
+    return null;
+  }
+}
 function resolveProfile(opts) {
   if (opts.full) return "full";
   if (opts.bounty) return "bounty";
@@ -202,10 +215,15 @@ export async function cmdScan(target, opts) {
   // WebSocket streaming
   const wsBase = wsUrl(apiUrl);
-  const wsUrlFull = `${wsBase}/ws/scans/${scanId}?token=${token}`;
+  const wsUrlFull = `${wsBase}/ws/scans/${scanId}`;
-  const ws = new WebSocket(wsUrlFull);
+  // The API authenticates the socket via the `aisec-token` subprotocol
+  // (same as the dashboard + Python CLI). It does NOT read ?token= from the
+  // URL — passing it there both fails auth and risks leaking the token into
+  // logs. The ws lib sends the second protocol entry as the token value.
+  const ws = new WebSocket(wsUrlFull, ["aisec-token", token]);
   let cancelled = false;
+  let completed = false;      // set true on scan_complete
   const foundFindings = [];   // track severities for --fail-on
   let exitCode = 0;
@@ -264,12 +282,13 @@ export async function cmdScan(target, opts) {
         }
         break;
-      case "credits_update":
       case "cost_update":
         {
-          const cr = msg.data?.credits_used ?? msg.data?.cost;
-          if (cr != null) {
-            process.stdout.write(chalk.dim(`  [${cr.toFixed(1)} credits]\r`));
+          // Backend emits token counts now (cost/credits were removed).
+          const ti = msg.data?.tokens_in;
+          const to = msg.data?.tokens_out;
+          if (ti != null || to != null) {
+            process.stdout.write(chalk.dim(`  [tokens ${ti ?? 0} in · ${to ?? 0} out]\r`));
           }
         }
         break;
@@ -281,25 +300,19 @@ export async function cmdScan(target, opts) {
       case "scan_complete": {
         spinner.stop();
+        completed = true;
         const d = msg.data || {};
-        const duration = d.duration ? formatDuration(d.duration) : "?";
-        const creditsUsed = (d.credits_used ?? d.cost ?? 0).toFixed(1);
-        // Fetch remaining credits
-        let remaining = "?";
-        try {
-          const me = await request(apiUrl, "/api/v1/auth/me", token);
-          remaining = parseFloat(me.credits_balance || 0).toFixed(1);
-        } catch {}
-        const reportUrl = `https://app.aisec.tools/scans/${scanId}`;
+        const tokensIn = d.tokens_in ?? 0;
+        const tokensOut = d.tokens_out ?? 0;
+        const reportUrl = dashboardUrl(apiUrl, scanId);
         console.log(
           "\n" + chalk.green("━".repeat(50)) + "\n" +
           chalk.bold.green(" Scan complete\n") +
           chalk.dim(` Findings: `) + chalk.white(d.findings ?? 0) + "\n" +
-          chalk.dim(` Credits:  `) + chalk.white(creditsUsed) + chalk.dim(" used · ") + chalk.yellow.bold(remaining) + chalk.dim(" remaining") + "\n" +
-          chalk.dim(` Duration: `) + chalk.white(duration) + "\n" +
-          chalk.dim(` Report:   `) + chalk.underline.cyan(reportUrl) + "\n" +
+          chalk.dim(` Tokens:   `) + chalk.white(`${tokensIn} in · ${tokensOut} out`) + "\n" +
+          (reportUrl
+            ? chalk.dim(` Report:   `) + chalk.underline.cyan(reportUrl)
+            : chalk.dim(` Scan ID:  `) + chalk.white(scanId)) + "\n" +
           chalk.green("━".repeat(50))
         );
@@ -307,7 +320,7 @@ export async function cmdScan(target, opts) {
         if (process.env.GITHUB_OUTPUT) {
           const { appendFileSync } = await import("fs");
           appendFileSync(process.env.GITHUB_OUTPUT, `findings=${d.findings ?? 0}\n`);
-          appendFileSync(process.env.GITHUB_OUTPUT, `report-url=${reportUrl}\n`);
+          if (reportUrl) appendFileSync(process.env.GITHUB_OUTPUT, `report-url=${reportUrl}\n`);
         }
         // --fail-on check
@@ -335,8 +348,19 @@ export async function cmdScan(target, opts) {
     console.error(chalk.red(`WebSocket error: ${err.message}`));
   });
-  ws.on("close", () => {
+  ws.on("close", (code) => {
     spinner.stop();
-    if (!cancelled) process.exit(exitCode);
+    if (cancelled) return;
+    // Closing before scan_complete means we never saw the result (auth
+    // failure, network drop, server restart). Don't let CI read that as a
+    // pass — exit non-zero so the pipeline surfaces it.
+    if (!completed && exitCode === 0) {
+      console.error(
+        chalk.red(`\n✗ Stream closed before the scan completed (ws code ${code ?? "?"}). `) +
+        chalk.dim("Check the dashboard for status; the scan may still be running.")
+      );
+      exitCode = 1;
+    }
+    process.exit(exitCode);
   });
 }

package/lib/scans.mjs CHANGED Viewed

@@ -35,18 +35,15 @@ export async function cmdScans(opts) {
     chalk.dim("Status".padEnd(12)) +
     chalk.dim("Domain".padEnd(30)) +
     chalk.dim("Finds".padStart(6)) +
-    chalk.dim("Cost".padStart(9)) +
     chalk.dim("Date".padStart(13)) +
     chalk.dim("ID".padStart(11))
   );
-  console.log(chalk.dim("─".repeat(81)));
+  console.log(chalk.dim("─".repeat(72)));
   for (const s of scans) {
     const color = STATUS_COLORS[s.status] || chalk.white;
     const domain = (s.target || "").replace(/^https?:\/\//, "").slice(0, 28);
     const findings = String(s.findings_count ?? s.total_findings ?? 0);
-    const cr = s.credits_used ?? s.total_cost;
-    const cost = cr != null ? `${cr.toFixed(1)}` : "-";
     const date = s.created_at ? s.created_at.slice(0, 10) : "-";
     const id = (s.id || "").slice(0, 8);
@@ -54,7 +51,6 @@ export async function cmdScans(opts) {
       color(s.status.padEnd(12)) +
       chalk.white(domain.padEnd(30)) +
       chalk.white(findings.padStart(6)) +
-      chalk.white(cost.padStart(9)) +
       chalk.dim(date.padStart(13)) +
       chalk.dim(id.padStart(11))
     );

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "aisec-cli",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "CLI for aisec — AI-powered web security scanner",
   "type": "module",
   "bin": {
@@ -10,6 +10,9 @@
     "bin/",
     "lib/"
   ],
+  "scripts": {
+    "test": "node test/unit.mjs"
+  },
   "engines": {
     "node": ">=18"
   },