pentesting 0.4.1 → 0.4.2

package/README.md

@@ -1,3 +1,5 @@
+# PENTEST
+
 ```
 ╔═══════════════════════════════════════════════════════════════╗
 ║                                                               ║
@@ -9,6 +11,7 @@
 ║   ╚═╝     ╚══════╝╚═╝  ╚═══╝   ╚═╝   ╚══════╝╚══════╝   ╚═╝   ║
 ║                                                               ║
 ║        🎯 DEF CON-level Autonomous Pentesting Agent           ║
+║        ⚡ Powered by Claude + MCP + Ralph Loop                ║
 ║                                                               ║
 ╚═══════════════════════════════════════════════════════════════╝
 ```
@@ -29,11 +32,6 @@ export PENTEST_API_KEY=your_api_key
 export PENTEST_BASE_URL=https://your-api-endpoint.com/v1
 export PENTEST_MODEL=your-model-name
 
-export PENTEST_API_KEY="key"
-export PENTEST_BASE_URL="https://api.z.ai/api/anthropic"
-export PENTEST_MODEL="glm-4.7"
-
-
 # Run
 pentesting
 ```
@@ -42,46 +40,70 @@ pentesting
 
 ## ✨ Features
 
+### Core Capabilities
 - **10-Phase Attack Workflow**: Recon → Scan → Enum → Vuln Analysis → Exploitation → PrivEsc → Pivot → Persist → Exfil → Report
-- **9 Specialized Agents**: Built-in experts for each security domain
+- **9 Specialized Agents**: Built-in domain experts for security testing
 - **Ralph Loop**: Autonomous iteration until objective is achieved
-- **Streaming Responses**: Real-time LLM output
+- **Streaming Responses**: Real-time LLM output display
 - **Session Persistence**: Save/resume pentesting sessions
 - **Tool Approval**: Manual confirmation for dangerous commands
 - **MCP Integration**: Extend with Model Context Protocol tools
 - **Docker Toolkit**: 50+ pre-installed pentesting tools
 - **Provider Agnostic**: Works with any OpenAI-compatible API
 
+### v0.4+ New Features (kimi-cli inspired)
+- **Context Checkpoints**: Save/restore conversation states with `/checkpoint`, `/undo`, `/revert`
+- **Flow Skills**: Mermaid/D2 diagram-based workflow automation
+- **Session Replay**: Review past sessions from wire recordings
+- **Auto-Update**: Background version checking with update notifications
+- **Vision Analysis**: Analyze images from clipboard with `/paste`
+- **Wire Logging**: Detailed session recording in JSONL format
+- **Rich TUI**: Premium ASCII banner, organized help, status reports
+
 ---
 
 ## 📖 CLI Commands
 
+### Core
 ```bash
-# Target & Session
-/target <ip>        Set target
+/target <ip>        Set target IP/hostname
 /start [objective]  Start autonomous pentest
+/stop               Stop current operation
+/status             Show status report
+```
+
+### Session Management
+```bash
+/checkpoint [desc]  Create checkpoint with optional description
+/checkpoints        List all checkpoints
+/undo               Undo to last checkpoint
+/revert <id>        Revert to specific checkpoint
+/compact            Compact context (keep last 3 messages)
 /sessions           List saved sessions
 /resume [id]        Resume a session
+/replay             Show session recordings
+```
 
-# Scanning & Enumeration
-/scan <target>      Quick enumeration
-/web <url>          Web application testing
-
-# Exploitation
-/exploit <service>  Search for exploits
-/privesc [os]       Check privilege escalation vectors
-/attack <objective> Execute attack chain
-/hash <hash>        Identify and crack hashes
+### Skills & Extras
+```bash
+/skills             List available skills
+/update             Check for updates
+/update now         Install update
+```
 
-# Reporting
+### Findings & Reports
+```bash
+/findings           Show discovered findings
 /report             Generate pentest report
-/findings           Show findings
+```
 
-# Control
+### Utility
+```bash
+/paste              Paste from clipboard (text or image)
 /yolo               Toggle auto-approve mode
-/approve /deny      Approve/deny tool execution
 /clear              Clear screen
 /exit               Exit
+/y /n /ya           Approve/Deny/Always approve (for pending tools)
 ```
 
 ---
@@ -195,33 +217,62 @@ await agent.addMCPServer('security-tools', 'docker', [
 ## 🏗️ Architecture
 
 ```
-┌─────────────────────────────────────────────────────────────┐
-│                        TUI (app.tsx)                         │
-│  - Streaming text display                                    │
-│  - Tool approval prompts                                     │
-│  - Session management                                        │
-└──────────────────────────┬──────────────────────────────────┘
-                          │ Wire Protocol
-┌──────────────────────────▼──────────────────────────────────┐
-│                 PentestingAgent (Unified)                    │
-│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐       │
-│  │ RalphLoop    │  │ Streaming    │  │ Session      │       │
-│  │ (Auto-iter)  │  │ Handler      │  │ Manager      │       │
-│  └──────────────┘  └──────────────┘  └──────────────┘       │
-│                                                              │
-│  ┌──────────────────────────────────────────────────┐       │
-│  │         AutonomousHackingAgent (Core)             │       │
-│  │  ┌──────────────────────────────────────────┐    │       │
-│  │  │ 9 Built-in Specialized Agents            │    │       │
-│  │  └──────────────────────────────────────────┘    │       │
-│  └──────────────────────────────────────────────────┘       │
-└──────────────────────────┬──────────────────────────────────┘
-                          │
-         ┌────────────────┼────────────────┐
-    ┌────▼────┐     ┌────▼────┐     ┌────▼────┐
-    │ Tool    │     │  Bash   │     │   MCP   │
-    │Executor │     │ Commands│     │ Servers │
-    └─────────┘     └─────────┘     └─────────┘
+┌─────────────────────────────────────────────────────────────────┐
+│                         TUI (app.tsx)                            │
+│  ┌──────────────┐ ┌──────────────┐ ┌──────────────────────────┐ │
+│  │ WireLogger   │ │ContextMgr   │ │ SlashCommandRegistry     │ │
+│  │ (Recording)  │ │(Checkpoints)│ │ (Command Handling)       │ │
+│  └──────────────┘ └──────────────┘ └──────────────────────────┘ │
+└────────────────────────────┬────────────────────────────────────┘
+                             │ Events
+┌────────────────────────────▼────────────────────────────────────┐
+│              AutonomousHackingAgent (Core Engine)                │
+│  ┌──────────────┐ ┌──────────────┐ ┌──────────────┐             │
+│  │ HookExecutor │ │ MCPManager   │ │ApprovalMgr   │             │
+│  │ (Lifecycle)  │ │ (Extensions) │ │(Tool Safety) │             │
+│  └──────────────┘ └──────────────┘ └──────────────┘             │
+│                                                                  │
+│  ┌────────────────────────────────────────────────────────────┐ │
+│  │            9 Built-in Specialized Agents                   │ │
+│  │  target-explorer • exploit-researcher • privesc-master     │ │
+│  │  web-hacker • crypto-solver • forensics-analyst            │ │
+│  │  reverse-engineer • attack-architect • finding-reviewer    │ │
+│  └────────────────────────────────────────────────────────────┘ │
+└────────────────────────────┬────────────────────────────────────┘
+                             │
+          ┌──────────────────┼──────────────────┐
+     ┌────▼────┐       ┌────▼────┐       ┌────▼────┐
+     │  Tool   │       │  Bash   │       │   MCP   │
+     │Executor │       │Commands │       │ Servers │
+     └─────────┘       └─────────┘       └─────────┘
+```
+
+### Module Connectivity
+
+```
+Core Modules (src/core/):
+├── agent/           AutonomousHackingAgent, PentestingAgent, AgentOrchestrator
+├── approval/        ApprovalManager - tool execution safety
+├── commands/        SlashCommandRegistry - command handling
+├── context/         ContextManager (checkpoints) + Compaction (tokens)
+├── display/         DisplayBlocks - rich output formatting
+├── hooks/           HookExecutor - lifecycle events
+├── loop/            RalphLoop - autonomous iteration
+├── prompts/         System prompts for agents
+├── replay/          SessionReplay - wire file parsing
+├── session/         SessionManager - persistence
+├── skill/           SkillManager + FlowExecutor - workflow automation
+├── streaming/       StreamingAgent - real-time output
+├── tools/           Tool definitions, executor, registry
+└── update/          AutoUpdate - version management
+
+Support Modules:
+├── wire/            WireLogger (JSONL recording) + Wire Protocol
+├── mcp/             MCPManager, MCPClient - extensions
+├── utils/           Clipboard, Retry utilities
+├── agents/          9 built-in specialized agents
+├── commands/        Built-in slash commands
+└── config/          Constants, Theme, Agent configuration
 ```
 
 ---
@@ -231,21 +282,29 @@ await agent.addMCPServer('security-tools', 'docker', [
 ```
 src/
 ├── index.tsx              # CLI entry point
-├── cli/app.tsx            # TUI with streaming, approval, sessions
+├── cli/
+│   ├── app.tsx            # TUI with streaming, approval, sessions
+│   └── components/        # Rich display components
 ├── core/
 │   ├── agent/             # Agent implementations
 │   ├── approval/          # Tool approval system
-│   ├── context/           # Conversation compaction
+│   ├── commands/          # Slash command registry
+│   ├── context/           # Checkpoint + compaction
+│   ├── display/           # Rich output blocks
 │   ├── hooks/             # Event hooks
 │   ├── loop/              # Ralph autonomous loop
+│   ├── replay/            # Session replay
 │   ├── session/           # Session persistence
+│   ├── skill/             # Flow skills (Mermaid/D2)
 │   ├── streaming/         # Real-time streaming
+│   ├── update/            # Auto-update system
 │   ├── prompts/           # System prompts
 │   └── tools/             # Tool definitions & executor
-├── agents/index.ts        # 9 built-in specialized agents
-├── commands/index.ts      # Built-in slash commands
-├── wire/                  # Agent-UI communication
+├── agents/                # 9 built-in specialized agents
+├── commands/              # Built-in slash commands
+├── wire/                  # JSONL logging + Wire protocol
 ├── mcp/                   # MCP client integration
+├── utils/                 # Clipboard, retry utilities
 └── config/                # Constants, theme
 ```
 

package/dist/{auto-update-ZU3T3VSG.js → auto-update-B2Z37JG3.js}

@@ -8,8 +8,8 @@ import {
   readVersionCache,
   semverTuple,
   writeVersionCache
-} from "./chunk-TABUHG2A.js";
-import "./chunk-JUHBSTKO.js";
+} from "./chunk-5RFHBFIH.js";
+import "./chunk-JOYCWIE7.js";
 import "./chunk-3RG5ZIWI.js";
 export {
   checkForUpdate,

package/dist/{chunk-TABUHG2A.js → chunk-5RFHBFIH.js}

@@ -1,7 +1,7 @@
 import {
   APP_NAME,
   APP_VERSION
-} from "./chunk-JUHBSTKO.js";
+} from "./chunk-JOYCWIE7.js";
 
 // src/core/update/auto-update.ts
 import { execSync } from "child_process";

package/dist/{chunk-JUHBSTKO.js → chunk-JOYCWIE7.js}

@@ -132,7 +132,7 @@ var SENSITIVE_TOOLS = [
 
 // src/config/constants.ts
 var APP_NAME = "pentesting";
-var APP_VERSION = "0.4.1";
+var APP_VERSION = "0.4.2";
 var APP_DESCRIPTION = "Autonomous Penetration Testing AI Agent";
 var LLM_API_KEY = process.env.PENTEST_API_KEY || process.env.ANTHROPIC_API_KEY || "";
 var LLM_BASE_URL = process.env.PENTEST_BASE_URL || void 0;

package/dist/index.js

@@ -15,7 +15,7 @@ import {
   PHASE_STATUS,
   THOUGHT_TYPE,
   TOOL_NAME
-} from "./chunk-JUHBSTKO.js";
+} from "./chunk-JOYCWIE7.js";
 import {
   __require
 } from "./chunk-3RG5ZIWI.js";
@@ -4922,7 +4922,7 @@ var App = ({ autoApprove = false, target }) => {
         setCheckpointCount(contextManagerRef.current?.getCheckpoints().length || 0);
       }
     });
-    import("./auto-update-ZU3T3VSG.js").then(({ checkForUpdateAsync, formatUpdateNotification }) => {
+    import("./auto-update-B2Z37JG3.js").then(({ checkForUpdateAsync, formatUpdateNotification }) => {
       checkForUpdateAsync().then((result) => {
         if (result.hasUpdate) {
           const notification = formatUpdateNotification(result);
@@ -4965,13 +4965,39 @@ var App = ({ autoApprove = false, target }) => {
     return duration;
   }, []);
   useEffect(() => {
-    addMessage(MESSAGE_TYPE.SYSTEM, "Pentesting Agent initialized. Type /help for commands.");
+    const versionPadded = `v${APP_VERSION}`.padEnd(8);
+    const banner = `
+\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
+\u2551                                                               \u2551
+\u2551   \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2557   \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2551
+\u2551   \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u255A\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255D\u2551
+\u2551   \u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557   \u2588\u2588\u2551   \u2551
+\u2551   \u2588\u2588\u2554\u2550\u2550\u2550\u255D \u2588\u2588\u2554\u2550\u2550\u255D  \u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2554\u2550\u2550\u255D  \u255A\u2550\u2550\u2550\u2550\u2588\u2588\u2551   \u2588\u2588\u2551   \u2551
+\u2551   \u2588\u2588\u2551     \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551   \u2588\u2588\u2551   \u2551
+\u2551   \u255A\u2550\u255D     \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D   \u255A\u2550\u255D   \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D   \u255A\u2550\u255D   \u2551
+\u2551                                                               \u2551
+\u2551   \u{1F3AF} DEF CON-level Autonomous Pentesting Agent    ${versionPadded}\u2551
+\u2551   \u26A1 Powered by Claude + MCP + Ralph Loop                     \u2551
+\u2551                                                               \u2551
+\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D`;
+    addMessage(MESSAGE_TYPE.SYSTEM, banner);
+    addMessage(MESSAGE_TYPE.SYSTEM, `
+\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
+\u2502  \u{1F680} Quick Start                                          \u2502
+\u2502  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 \u2502
+\u2502  /target <ip>     Set target IP/hostname                 \u2502
+\u2502  /start [goal]    Start autonomous pentesting            \u2502
+\u2502  /help            Show all commands                      \u2502
+\u2502                                                          \u2502
+\u2502  \u{1F527} Features: 10 Attack Phases \u2022 9 Specialized Agents   \u2502
+\u2502  \u{1F4E1} Session Recording \u2022 Checkpoints \u2022 Auto-Update       \u2502
+\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518`);
     if (autoApprove) {
-      addMessage(MESSAGE_TYPE.SYSTEM, "\u26A0\uFE0F  YOLO mode: Auto-approving all tools");
+      addMessage(MESSAGE_TYPE.SYSTEM, "\u26A0\uFE0F  YOLO Mode: Auto-approving all tool executions");
     }
     if (target) {
       agent.setTarget(target);
-      addMessage(MESSAGE_TYPE.SYSTEM, `Target: ${target}`);
+      addMessage(MESSAGE_TYPE.SYSTEM, `\u{1F3AF} Target: ${target}`);
     }
     agent.on(AGENT_EVENT.THOUGHT, (thought) => {
       setCurrentStatus(thought.content.slice(0, 60));
@@ -5384,7 +5410,7 @@ var App = ({ autoApprove = false, target }) => {
           return;
         case "update":
           try {
-            const { checkForUpdate, formatUpdateNotification, doUpdate } = await import("./update-4H3DBFBE.js");
+            const { checkForUpdate, formatUpdateNotification, doUpdate } = await import("./update-NZKK32L2.js");
             const result = checkForUpdate(true);
             if (result.hasUpdate) {
               const notification = formatUpdateNotification(result);

package/dist/{update-4H3DBFBE.js → update-NZKK32L2.js}

@@ -8,8 +8,8 @@ import {
   readVersionCache,
   semverTuple,
   writeVersionCache
-} from "./chunk-TABUHG2A.js";
-import "./chunk-JUHBSTKO.js";
+} from "./chunk-5RFHBFIH.js";
+import "./chunk-JOYCWIE7.js";
 import "./chunk-3RG5ZIWI.js";
 export {
   checkForUpdate,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pentesting",
-  "version": "0.4.1",
+  "version": "0.4.2",
   "description": "Autonomous Penetration Testing AI Agent",
   "type": "module",
   "main": "dist/index.js",