pentesting 0.46.11 → 0.47.0

package/dist/main.js

@@ -311,7 +311,7 @@ var ORPHAN_PROCESS_NAMES = [
 
 // src/shared/constants/agent.ts
 var APP_NAME = "Pentest AI";
-var APP_VERSION = "0.46.11";
+var APP_VERSION = "0.47.0";
 var APP_DESCRIPTION = "Autonomous Penetration Testing AI Agent";
 var LLM_ROLES = {
   SYSTEM: "system",
@@ -7093,7 +7093,7 @@ You should either: (1) try a different approach that doesn't need this input, or
       if (isSensitive) {
         return {
           success: true,
-          output: `\u2713 Received ${request.type} input from user.
+          output: `Received ${request.type} input from user.
 
 The value has been stored. You can now use it in your next command.
 For sudo: include 'echo "<the_value>" | sudo -S <command>'
@@ -7103,7 +7103,7 @@ For SSH: use sshpass or expect with the provided password.`,
       }
       return {
         success: true,
-        output: `\u2713 User provided: ${result2.value}
+        output: `User provided: ${result2.value}
 
 Use this value in your next action.`,
         value: result2.value
@@ -10110,11 +10110,17 @@ Phase: ${phase} | Targets: ${targets} | Findings: ${findings} | Tools executed:
 
 ${direction}
 
+ESCALATION CHAIN \u2014 follow this order:
+1. web_search: Search for techniques, bypasses, default creds, CVEs, HackTricks
+2. BYPASS: Try alternative approaches \u2014 different protocols, ports, encodings, methods
+3. ZERO-DAY EXPLORATION: Probe for unknown vulns \u2014 fuzz parameters, test edge cases, analyze error responses for leaks
+4. BRUTE-FORCE: Wordlists, credential stuffing, common passwords, custom password lists from context
+5. ask_user: ONLY as last resort \u2014 ask the user for hints, wordlists, or guidance
+
 RULES:
 - Every turn MUST have tool calls
-- If stuck: search for techniques (web_search)
-- If failed: try a DIFFERENT approach
-- ACT NOW \u2014 do not plan or explain`
+- NEVER silently give up \u2014 exhaust ALL 5 steps above first
+- ACT NOW \u2014 do not plan, do not explain, do not summarize. EXECUTE.`
           });
         }
       } catch (error) {
@@ -10232,11 +10238,6 @@ Please decide how to handle this error and continue.`;
     const stepDuration = Date.now() - stepStartTime;
     const tokens = response.usage ? { input: response.usage.input_tokens, output: response.usage.output_tokens } : void 0;
     if (!response.toolCalls?.length) {
-      const hasDoneMeaningfulWork = (progress?.totalToolsExecuted ?? 0) > 0;
-      if (hasDoneMeaningfulWork) {
-        this.emitComplete(response.content, iteration, 0, stepDuration, tokens);
-        return { output: response.content, toolsExecuted: 0, isCompleted: true };
-      }
       return { output: response.content, toolsExecuted: 0, isCompleted: false };
     }
     const results = await this.processToolCalls(response.toolCalls, progress);
@@ -11972,14 +11973,14 @@ var useAgentEvents = (agent, eventsRef, state) => {
     };
     const onReasoningStart = () => {
       reasoningBufferRef.current = "";
-      setCurrentStatus("Thinking\u2026");
+      setCurrentStatus("Reasoning\u2026");
     };
     const onReasoningDelta = (e) => {
       reasoningBufferRef.current += e.data.content;
       const chars = reasoningBufferRef.current.length;
-      const firstLine = reasoningBufferRef.current.split("\n")[0]?.slice(0, TUI_DISPLAY_LIMITS.reasoningPreviewChars) || "";
-      setCurrentStatus(`Thinking\u2026 ${chars} chars
-${firstLine}`);
+      const estTokens = Math.round(chars / 4);
+      setCurrentStatus(`Reasoning (~${estTokens} tokens)
+${reasoningBufferRef.current}`);
     };
     const onReasoningEnd = () => {
       const text = reasoningBufferRef.current.trim();
@@ -12438,22 +12439,16 @@ var MessageList = memo(({ messages }) => {
     if (msg.type === "thinking") {
       const lines = msg.content.split("\n");
       const charCount = msg.content.length;
-      const firstLine = lines[0]?.slice(0, TUI_DISPLAY_LIMITS.thinkingSummaryChars) || "";
-      const isMultiLine = lines.length > 1 || charCount > TUI_DISPLAY_LIMITS.thinkingSummaryChars;
+      const estTokens = Math.round(charCount / 4);
       return /* @__PURE__ */ jsxs2(Box2, { flexDirection: "column", marginTop: 0, marginBottom: 1, children: [
         /* @__PURE__ */ jsxs2(Box2, { children: [
-          /* @__PURE__ */ jsx2(Text2, { color: THEME.cyan, children: "\u25D0 " }),
-          /* @__PURE__ */ jsx2(Text2, { color: THEME.cyan, bold: true, children: "Thinking" }),
-          /* @__PURE__ */ jsx2(Text2, { color: THEME.gray, children: ` (${lines.length} line${lines.length !== 1 ? "s" : ""}, ${charCount} chars)` })
+          /* @__PURE__ */ jsx2(Text2, { color: THEME.cyan, bold: true, children: "Reasoning" }),
+          /* @__PURE__ */ jsx2(Text2, { color: THEME.gray, children: ` (~${estTokens} tokens)` })
         ] }),
         lines.map((line, i) => /* @__PURE__ */ jsxs2(Box2, { children: [
           /* @__PURE__ */ jsx2(Text2, { color: THEME.cyan, children: "\u2502 " }),
           /* @__PURE__ */ jsx2(Text2, { color: THEME.gray, children: line })
-        ] }, i)),
-        /* @__PURE__ */ jsxs2(Box2, { children: [
-          /* @__PURE__ */ jsx2(Text2, { color: THEME.cyan, children: "\u2570\u2500" }),
-          isMultiLine && /* @__PURE__ */ jsx2(Text2, { color: THEME.gray, children: ` ${firstLine}\u2026` })
-        ] })
+        ] }, i))
       ] }, msg.id);
     }
     if (msg.type === "tool") {
@@ -12529,6 +12524,7 @@ var MusicSpinner = memo2(({ color }) => {
 
 // src/platform/tui/components/StatusDisplay.tsx
 import { jsx as jsx4, jsxs as jsxs3 } from "react/jsx-runtime";
+var MAX_THINKING_LINES = 15;
 var StatusDisplay = memo3(({
   retryState,
   isProcessing,
@@ -12540,10 +12536,9 @@ var StatusDisplay = memo3(({
     return err.length > DISPLAY_LIMITS.RETRY_ERROR_PREVIEW ? err.substring(0, DISPLAY_LIMITS.RETRY_ERROR_TRUNCATED) + "..." : err;
   };
   const meta = formatMeta(elapsedTime * 1e3, currentTokens);
+  const isThinkingStatus = currentStatus.startsWith("Reasoning");
   const statusLines = currentStatus ? currentStatus.split("\n").filter(Boolean) : [];
   const statusMain = statusLines[0] || "Processing...";
-  const statusSub = statusLines.slice(1).join(" ");
-  const isThinkingStatus = statusMain.startsWith("Thinking");
   return /* @__PURE__ */ jsxs3(Box3, { flexDirection: "column", marginTop: 0, children: [
     retryState.status === "retrying" && /* @__PURE__ */ jsxs3(Box3, { marginBottom: 1, children: [
       /* @__PURE__ */ jsx4(Text4, { color: THEME.yellow, children: /* @__PURE__ */ jsx4(MusicSpinner, { color: THEME.yellow }) }),
@@ -12572,10 +12567,14 @@ var StatusDisplay = memo3(({
           meta
         ] })
       ] }),
-      statusSub ? /* @__PURE__ */ jsx4(Box3, { paddingLeft: 2, children: /* @__PURE__ */ jsxs3(Text4, { color: isThinkingStatus ? THEME.cyan : THEME.gray, children: [
+      isThinkingStatus && statusLines.length > 1 && statusLines.slice(1).slice(-MAX_THINKING_LINES).map((line, i) => /* @__PURE__ */ jsxs3(Box3, { children: [
+        /* @__PURE__ */ jsx4(Text4, { color: THEME.cyan, children: "\u2502 " }),
+        /* @__PURE__ */ jsx4(Text4, { color: THEME.gray, children: line })
+      ] }, i)),
+      !isThinkingStatus && statusLines.length > 1 && /* @__PURE__ */ jsx4(Box3, { paddingLeft: 2, children: /* @__PURE__ */ jsxs3(Text4, { color: THEME.gray, children: [
         "\u2502 ",
-        statusSub
-      ] }) }) : null
+        statusLines.slice(1).join(" ")
+      ] }) })
     ] })
   ] });
 });
@@ -12938,22 +12937,43 @@ ${procData.stdout || "(no output)"}
     setInputRequest({ status: "inactive" });
     setSecretInput("");
   }, [addMessage, setInputRequest]);
+  const ctrlCTimerRef = useRef5(null);
+  const ctrlCPressedRef = useRef5(false);
+  const handleCtrlC = useCallback4(() => {
+    if (ctrlCPressedRef.current) {
+      if (ctrlCTimerRef.current) clearTimeout(ctrlCTimerRef.current);
+      handleExit();
+      return;
+    }
+    ctrlCPressedRef.current = true;
+    addMessage("system", "\u26A0\uFE0F Press Ctrl+C again within 3 seconds to exit.");
+    if (isProcessingRef.current) abort();
+    ctrlCTimerRef.current = setTimeout(() => {
+      ctrlCPressedRef.current = false;
+      ctrlCTimerRef.current = null;
+    }, 3e3);
+  }, [handleExit, addMessage, abort]);
+  useEffect4(() => {
+    return () => {
+      if (ctrlCTimerRef.current) clearTimeout(ctrlCTimerRef.current);
+    };
+  }, []);
   useInput2(useCallback4((ch, key) => {
     if (key.escape) {
       if (inputRequestRef.current.status === "active") cancelInputRequest();
       else if (isProcessingRef.current) abort();
     }
-    if (key.ctrl && ch === "c") handleExit();
-  }, [cancelInputRequest, abort, handleExit]));
+    if (key.ctrl && ch === "c") handleCtrlC();
+  }, [cancelInputRequest, abort, handleCtrlC]));
   useEffect4(() => {
-    const onSignal = () => handleExit();
+    const onSignal = () => handleCtrlC();
     process.on("SIGINT", onSignal);
     process.on("SIGTERM", onSignal);
     return () => {
       process.off("SIGINT", onSignal);
       process.off("SIGTERM", onSignal);
     };
-  }, [handleExit]);
+  }, [handleCtrlC]);
   return /* @__PURE__ */ jsxs6(Box6, { flexDirection: "column", paddingX: 1, children: [
     /* @__PURE__ */ jsx7(Box6, { flexDirection: "column", marginBottom: 1, flexGrow: 1, children: /* @__PURE__ */ jsx7(MessageList, { messages }) }),
     /* @__PURE__ */ jsxs6(Box6, { flexDirection: "column", children: [

package/dist/prompts/base.md

@@ -78,7 +78,8 @@ What target would you like me to attack? (IP, domain, or CTF challenge)
    - **Update objectives**: Use `update_mission` to keep the operation summary and checklist current when needed
    - Is it time to move to the next step, or dig deeper at the current one?
 
-This loop **repeats continuously** until the task is complete. **Never stop.**
+This loop **repeats continuously** until the task is complete. **Never stop on your own.**
+If you believe you have exhausted all approaches → use `ask_user` to confirm with the user before stopping.
 
 ## Absolute Rules
 
@@ -87,12 +88,13 @@ This loop **repeats continuously** until the task is complete. **Never stop.**
 - Record findings immediately with add_finding
 - **Execute tasks immediately without unnecessary confirmations/questions**
 - If no results → **try a different approach** (never repeat the same method)
-- ask_user is **only for physically unobtainable information** (passwords, SSH keys, API tokens)
+- ask_user is for: (1) physically unobtainable information (passwords, SSH keys, API tokens), (2) **confirming you're truly done** when all vectors are exhausted
 
 ### 2. ask_user Rules
 - Use received values **immediately in the next command** — receiving and not using is forbidden
 - Once received → **reuse** — never ask for the same thing again
 - Confirmation requests like "Can I do this?" are forbidden
+- **WHEN TO ASK**: If you believe all attack vectors are exhausted and want to stop, you MUST `ask_user` to confirm. The user may have hints, custom wordlists, or additional context. **Never silently give up.**
 
 ### 3. Self-Correction on Errors (MANDATORY)
 When an error occurs, read the `[TOOL ERROR ANALYSIS]` section and fix immediately:
@@ -223,16 +225,21 @@ Don't agonize. **The world's best methodologies are already on the web.** Search
 When you find a PoC → verify code with `browse_url` → save with `write_file` → modify for environment → execute with `run_cmd`.
 **Searching is not a waste of time — it's a prerequisite for accurate attacks.**
 
-### When Stuck — Autonomous Breakthrough Principles
+### When Stuck — Escalation Chain (follow in order)
 
-1. **Same method fails twice → immediately switch approaches** (don't wait for 3)
-2. **Search when you don't know** — the answer is in HackTricks, PayloadsAllTheThings, GTFOBins
-3. **Install the tool or write code yourself if unavailable** — tool absence is not a reason to stop attacking
-4. **Approach from a completely different angle** — web fails → network, network fails → different service, service fails → different target
-5. **Errors are information** — extract version, path, and configuration hints from error messages
-6. **Use your judgment** — "Can I do this?" is forbidden. Act and see the results
-7. **When you find a PoC → read → save → execute** — you must know how to modify code
-8. **If you have a shell, use it for everything** — tool download, script execution, additional recon all possible
+**Same method fails twice → immediately switch approaches** (don't wait for 3).
+**Errors are information** — extract version, path, and configuration hints from error messages.
+
+1. **🔍 SEARCH** — `web_search` for techniques, bypasses, default creds, CVEs, HackTricks, PayloadsAllTheThings, GTFOBins
+2. **🔄 BYPASS** — Try completely different angles: different protocol, port, encoding, different service, different target. Install missing tools or write your own code
+3. **🧬 ZERO-DAY EXPLORATION** — Probe for unknown vulns: fuzz parameters, test edge cases, analyze error responses for information leaks, try unconventional inputs
+4. **🔨 BRUTE-FORCE** — Wordlists, credential stuffing, common passwords, custom password lists built from discovered context (usernames, company names, service names)
+5. **❓ ask_user** — ONLY as absolute last resort. Ask the user for hints, custom wordlists, or guidance. **Never silently give up.**
+
+Additional principles:
+- **If you have a shell, use it for everything** — tool download, script execution, additional recon
+- **When you find a PoC → read → save → execute** — modify code for the environment
+- **Tool absence is not a reason to stop** — write equivalent scripts yourself
 
 ### PoC Acquisition and Execution Protocol
 ```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pentesting",
-  "version": "0.46.11",
+  "version": "0.47.0",
   "description": "Autonomous Penetration Testing AI Agent",
   "type": "module",
   "main": "dist/main.js",
@@ -28,7 +28,7 @@
     "release:patch": "npm version patch && npm run build && npm run publish:token",
     "release:minor": "npm version minor && npm run build && npm run publish:token",
     "release:major": "npm version major && npm run build && npm run publish:token",
-    "release:docker": "docker buildx build --platform linux/amd64,linux/arm64 -t agnusdei1207/pentesting:latest --push .",
+    "release:docker": "docker buildx build --platform linux/amd64,linux/arm64 -t agnusdei1207/pentesting:latest --push . && docker system prune -af",
     "check": "TMPDIR=/tmp npm run test && npm run build && npm run release:docker && bash test.sh"
   },
   "repository": {