pentesting 0.7.49 → 0.8.2

package/README.md

@@ -12,337 +12,71 @@
 **Autonomous AI Penetration Testing Agent**
 
 [![npm version](https://badge.fury.io/js/pentesting.svg)](https://www.npmjs.com/package/pentesting)
-[![Docker](https://img.shields.io/badge/Docker-pentesting--tools-blue)](https://hub.docker.com/r/agnusdei1207/pentesting-tools)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
 </div>
 
 ---
 
-## 🚀 Quick Start
+## Quick Start
 
 ```bash
-# Install
 npm install -g pentesting
 
-# Configure
-export PENTEST_API_KEY=your_api_key
-export PENTEST_BASE_URL=https://your-api-endpoint.com/v1
-export PENTEST_MODEL=your-model-name
+# GLM example
+export PENTEST_API_KEY="your_api_key"
+export PENTEST_BASE_URL="https://api.z.ai/api/anthropic"   
+export PENTEST_MODEL="glm-4.7"                       
 
-# Run
 pentesting
 ```
 
 ---
 
-## 🧠 Philosophy: Think Like a Hacker
+## Environment Variables
 
-**Pentesting is not a brute-force tool.** It's an intelligent agent that thinks strategically.
-
-### Strategic Decision Framework
-
-Every action is evaluated using:
-
-```
-Value = (Probability × CVSS Impact) / Time Cost
-```
-
-The agent only executes actions with **confidence >50%**. Below that, it finds a better approach.
-
-### Self-Reflection Before Every Action
-
-Before running any tool, the agent asks:
-- "What exactly am I trying to learn?"
-- "Is this the FASTEST way to get that information?"
-- "Have I already tried this? What happened?"
-- "Is there a simpler approach?"
-
-### Mandatory Fallback Strategy
-
-When a tool fails, the agent immediately tries alternatives:
-
-| Task | Primary | Fallback 1 | Fallback 2 |
-|------|---------|------------|------------|
-| Subdomain | subfinder | ffuf | amass |
-| Directory | gobuster | ffuf | dirsearch |
-| Port Scan | rustscan | nmap | masscan |
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| `PENTEST_API_KEY` | ✅ | - | API key (`ANTHROPIC_API_KEY` also works) |
+| `PENTEST_BASE_URL` | | - | Custom API endpoint URL |
+| `PENTEST_MODEL` | | `claude-sonnet-4-20250514` | LLM model name |
+| `PENTEST_MAX_TOKENS` | | `16384` | Max response tokens |
 
 ---
 
-## 🔥 Why Pentesting?
-
-| Feature | Traditional Tools | Pentesting Agent |
-|---------|-------------------|------------------|
-| Decision Making | Manual | AI-driven with confidence scoring |
-| Tool Selection | You choose | Auto-selects based on context |
-| Failure Handling | You retry | Auto-fallback to alternatives |
-| Attack Planning | Manual prioritization | CVSS-based priority matrix |
-| Context Awareness | None | Remembers all findings |
-| Reporting | Manual | Auto-generated findings |
-
----
-
-## ✨ Core Capabilities
-
-- **10-Phase Attack Workflow**: Recon → Scan → Enum → Vuln Analysis → Exploitation → PrivEsc → Pivot → Persist → Exfil → Report
-- **Auto Docker Management**: Pulls and starts tool container automatically
-- **Multi-Target Attack**: Attack multiple targets sequentially
-- **Real-time Feedback**: See thinking process, tool calls, results live
-- **Session Persistence**: Save/resume attack sessions
-- **Context Compaction**: Automatic history summarization
-
----
-
-## 📖 CLI Commands
-
-### Target Management
-```bash
-/target <domain|ip>     Set primary target
-/target add <t>         Add target to list
-/target list            Show all targets (★ = primary)
-/target rm <t>          Remove target from list
-/target set <t>         Set as primary target
-/target clear           Remove ALL targets
-```
-
-### Attack Execution
-```bash
-/start [objective]      Start pentest on primary target
-/start all              Attack ALL registered targets sequentially
-/stop                   Stop current operation
-/status                 Show status report
-```
-
-### Session Management
-```bash
-/checkpoint [desc]      Create checkpoint with optional description
-/checkpoints            List all checkpoints
-/undo                   Undo to last checkpoint
-/revert <id>            Revert to specific checkpoint
-/compact                Compact context (keep last 3 messages)
-/sessions               List saved sessions
-/resume [id]            Resume a session
-/replay                 Show session recordings
-```
+## Features
 
-### Skills & Extras
-```bash
-/skills                 List available skills
-/update                 Check for updates
-/update now             Install update
-```
-
-### Findings & Reports
-```bash
-/findings               Show discovered findings
-/report                 Generate pentest report
-```
-
-### Utility
-```bash
-/paste                  Paste from clipboard (text or image)
-/yolo                   Toggle auto-approve mode
-/clear                  Clear screen
-/exit                   Exit
-/y /n /ya               Approve/Deny/Always approve (for pending tools)
-```
+- **Soul Architecture** - ReAct pattern: Think → Act → Observe → Reflect
+- **9 Specialized Agents** - Recon, Exploit, PrivEsc, Web, Crypto...
+- **80%+ Confidence Filter** - Only high-confidence findings
+- **D-Mail Time Travel** - Auto-recovery from dead ends
+- **50+ Security Tools** - nmap, sqlmap, gobuster, hydra...
 
 ---
 
-## Multi-Target Workflow
+## Commands
 
-```bash
-# Start pentesting CLI
-pentesting
-
-# Register multiple targets
-/target add example1.com
-/target add example2.com
-/target add 192.168.1.1
-/target add internal.corp
-
-# View registered targets
-/target list
-Targets (4):
-  1. * example1.com (primary)
-  2.   example2.com
-  3.   192.168.1.1
-  4.   internal.corp
-
-# Attack all targets sequentially
-/start all
-
-Starting multi-target attack on 4 targets
-
---- [1/4] example1.com ---
-Session: session-1707325423
-... reconnaissance & exploitation ...
-
---- [2/4] example2.com ---
-...
-
-# Press ESC to stop between targets
-Stopped at target 2/4
-
-Complete
-```
+| Command | Description |
+|---------|-------------|
+| `/target <ip>` | Set target |
+| `/start [objective]` | Start autonomous pentest |
+| `/findings` | Show findings |
+| `/status` | Status |
+| `/yolo` | Toggle auto-approve |
+| `/help` | Help |
 
 ---
 
-## 🤖 AI Agents
-
-Pentesting automatically switches between specialized AI agents based on the current attack phase:
-
-| Phase | Agent | What it does |
-|-------|-------|--------------|
-| Reconnaissance | **Recon Agent** | Discovers hosts, ports, services, subdomains |
-| Web Scanning | **Web Agent** | Tests for OWASP Top 10, SQLi, XSS, SSRF |
-| Exploitation | **Exploit Agent** | Researches CVEs, selects and runs exploits |
-| Privilege Escalation | **PrivEsc Agent** | Finds SUID, sudo misconfigs, kernel exploits |
-| Data Extraction | **Crypto Agent** | Cracks hashes, analyzes encryption |
-
-### How it works
-
-1. **You set a target** → Agent starts in Recon mode
-2. **Finds web services** → Automatically switches to Web Agent
-3. **Discovers vulnerability** → Switches to Exploit Agent
-4. **Gets shell access** → Switches to PrivEsc Agent
-5. **Finds password hashes** → Crypto Agent takes over
-
-> No manual agent switching needed. The system automatically picks the best agent for each situation.
-
----
-
-## ⚙️ Configuration
-
-### Environment Variables
-
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `PENTEST_API_KEY` | LLM API key | Required |
-| `PENTEST_BASE_URL` | API endpoint URL | - |
-| `PENTEST_MODEL` | Model name | claude-sonnet-4-20250514 |
-| `PENTEST_MAX_TOKENS` | Max response tokens | 16384 |
-| `PENTESTING_DOCKER` | Force Docker execution | 0 |
-| `PENTESTING_CONTAINER` | Docker container name | pentesting-tools |
-
-> **Note**: `ANTHROPIC_API_KEY` is also accepted as fallback for `PENTEST_API_KEY`.
-
-
----
-
-## 💻 For Developers
-
-Pentesting can be used as a library in your own projects. See [Architecture Docs](./docs/architecture.md) for:
-- API Reference
-- Event System
-- Custom Agent Integration
-
----
-
-## 🐳 Docker Toolkit (Auto-Managed)
-
-Pentesting automatically manages a Docker container with 50+ pre-installed tools.
-
-### Automatic Setup
-
-**No manual Docker setup required!** When you run a command that needs tools like `nmap` or `rustscan`:
-
-1. Pentesting checks if tool exists locally
-2. If not, it automatically pulls `agnusdei1207/pentesting-tools:latest`
-3. Starts container `pentesting-tools` with host network
-4. Executes command via `docker exec`
-
-### Manual Docker Control
-
-```bash
-# Force all commands through Docker
-export PENTESTING_DOCKER=1
-
-# Use custom container name
-export PENTESTING_CONTAINER=my-pentest-container
-
-# Manual pull (optional - auto-pulled on first use)
-docker pull agnusdei1207/pentesting-tools:latest
-```
-
-### Included Tools (50+)
-
-| Category | Tools |
-|----------|-------|
-| **Network** | nmap, rustscan, masscan, netcat, tcpdump |
-| **Web** | ffuf, nikto, sqlmap, httpx, whatweb |
-| **Discovery** | subfinder, amass, nuclei, dnsrecon |
-| **Bruteforce** | hydra, hashcat, john |
-| **AD/Windows** | impacket, crackmapexec, smbclient |
-| **Database** | mysql-client, postgresql-client, redis-tools |
-| **Utilities** | curl, wget, jq, python3, go |
-
----
-
-## 🔌 MCP Integration
-
-Pentesting supports MCP (Model Context Protocol) for extending capabilities with additional tools and servers. See [Architecture Docs](./docs/architecture.md) for integration details.
-
----
-
-## 🏗️ How It Works
-
-```
-┌──────────────────────────────────────────────┐
-│              Your Terminal                    │
-│  ┌────────────────────────────────────────┐  │
-│  │  pentesting CLI (Interactive TUI)      │  │
-│  │  - Target management                   │  │
-│  │  - Session recording                   │  │
-│  │  - Real-time output                   │  │
-│  └────────────────────────────────────────┘  │
-└─────────────────────┬────────────────────────┘
-                      ▼
-┌──────────────────────────────────────────────┐
-│              AI Agent Core                    │
-│  ┌────────────────────────────────────────┐  │
-│  │  5 Specialized Agents (auto-switching) │  │
-│  │  Recon → Web → Exploit → PrivEsc → Crypto│
-│  └────────────────────────────────────────┘  │
-└─────────────────────┬────────────────────────┘
-                      ▼
-┌──────────────────────────────────────────────┐
-│              Tool Execution                   │
-│  ┌──────────┐  ┌──────────┐  ┌──────────┐   │
-│  │  Docker  │  │  Local   │  │   MCP    │   │
-│  │  (50+    │  │  Tools   │  │  Servers │   │
-│  │  tools)  │  │          │  │          │   │
-│  └──────────┘  └──────────┘  └──────────┘   │
-└──────────────────────────────────────────────┘
-```
-
----
-
-## 🛠️ Development
-
-```bash
-# Clone
-git clone https://github.com/agnusdei1207/pentesting.git
-cd pentesting
-
-# Install
-npm install
-
-# Build
-npm run build
-
-# Dev mode
-npm run dev
-```
-
 ## Documentation
 
-- [Architecture](./docs/ARCHITECTURE.md) - System design and components
-- [Docker Image](https://hub.docker.com/r/agnusdei1207/pentesting-tools) - Pre-built security tools
+- [Architecture](docs/architecture.md)
+- [API Reference](docs/api-reference.md)
+- [Troubleshooting](docs/troubleshooting.md)
 
 ---
 
-## 📄 License
+## License
 
 MIT
+
+⚠️ **For authorized security testing only.**

package/dist/{auto-update-FWXZGK5Z.js → auto-update-NUVK35LG.js}

@@ -8,8 +8,8 @@ import {
   readVersionCache,
   semverTuple,
   writeVersionCache
-} from "./chunk-AIBIXGJI.js";
-import "./chunk-5QWIIPHH.js";
+} from "./chunk-N27ISRFF.js";
+import "./chunk-IYELGZKK.js";
 import "./chunk-3RG5ZIWI.js";
 export {
   checkForUpdate,

package/dist/{chunk-5QWIIPHH.js → chunk-IYELGZKK.js}

@@ -186,7 +186,7 @@ var SENSITIVE_TOOLS = [
 
 // src/config/constants.ts
 import { createRequire } from "module";
-var pkgVersion = "0.7.48";
+var pkgVersion = "0.8.0";
 try {
   const require2 = createRequire(import.meta.url);
   const pkg = require2("../../package.json");
@@ -200,6 +200,14 @@ var LLM_API_KEY = process.env.PENTEST_API_KEY || process.env.ANTHROPIC_API_KEY |
 var LLM_BASE_URL = process.env.PENTEST_BASE_URL || void 0;
 var LLM_MODEL = process.env.PENTEST_MODEL || "claude-sonnet-4-20250514";
 var LLM_MAX_TOKENS = parseInt(process.env.PENTEST_MAX_TOKENS || "16384", 10);
+var CONTEXT_WINDOW = {
+  maxTokens: 2e5,
+  // Claude's context window size
+  compactionThreshold: 15e4,
+  // Trigger compaction at 75% usage
+  reservedTokens: 4e3
+  // Reserved for system prompt
+};
 var AGENT_CONFIG = {
   maxIterations: 200,
   maxToolCallsPerIteration: 10,
@@ -240,5 +248,6 @@ export {
   LLM_BASE_URL,
   LLM_MODEL,
   LLM_MAX_TOKENS,
+  CONTEXT_WINDOW,
   AGENT_CONFIG
 };

package/dist/{chunk-AIBIXGJI.js → chunk-N27ISRFF.js}

@@ -1,7 +1,7 @@
 import {
   APP_NAME,
   APP_VERSION
-} from "./chunk-5QWIIPHH.js";
+} from "./chunk-IYELGZKK.js";
 
 // src/core/update/auto-update.ts
 import { execSync } from "child_process";

package/dist/index.js

@@ -6,6 +6,7 @@ import {
   APP_DESCRIPTION,
   APP_VERSION,
   CLI_COMMAND,
+  CONTEXT_WINDOW,
   LLM_API_KEY,
   LLM_BASE_URL,
   LLM_MAX_TOKENS,
@@ -15,7 +16,7 @@ import {
   PHASE_STATUS,
   THOUGHT_TYPE,
   TOOL_NAME
-} from "./chunk-5QWIIPHH.js";
+} from "./chunk-IYELGZKK.js";
 import {
   __require
 } from "./chunk-3RG5ZIWI.js";
@@ -3162,7 +3163,7 @@ function getHistoryTokens(messages) {
     return total + estimateTokens(content);
   }, 0);
 }
-function needsCompaction(messages, maxTokens = 15e4, minMessages = 10) {
+function needsCompaction(messages, maxTokens = CONTEXT_WINDOW.compactionThreshold, minMessages = 10) {
   if (messages.length < minMessages) return false;
   return getHistoryTokens(messages) > maxTokens;
 }
@@ -3218,7 +3219,7 @@ var ContextManager = class {
   client;
   constructor(client, options) {
     this.client = client;
-    this.maxTokens = options?.maxTokens ?? 15e4;
+    this.maxTokens = options?.maxTokens ?? CONTEXT_WINDOW.compactionThreshold;
     this.warningThreshold = options?.warningThreshold ?? 12e4;
   }
   /**
@@ -6983,7 +6984,7 @@ var App = ({ autoApprove = false, target }) => {
         setCheckpointCount(contextManagerRef.current?.getCheckpoints().length || 0);
       }
     });
-    import("./auto-update-FWXZGK5Z.js").then(({ checkForUpdateAsync, formatUpdateNotification }) => {
+    import("./auto-update-NUVK35LG.js").then(({ checkForUpdateAsync, formatUpdateNotification }) => {
       checkForUpdateAsync().then((result) => {
         if (result.hasUpdate) {
           const notification = formatUpdateNotification(result);
@@ -7686,7 +7687,7 @@ ${list}`);
           return;
         case "update":
           try {
-            const { checkForUpdate, formatUpdateNotification, doUpdate } = await import("./update-OD3N757W.js");
+            const { checkForUpdate, formatUpdateNotification, doUpdate } = await import("./update-VGGUNUWQ.js");
             const result = checkForUpdate(true);
             if (result.hasUpdate) {
               const notification = formatUpdateNotification(result);

package/dist/{update-OD3N757W.js → update-VGGUNUWQ.js}

@@ -8,8 +8,8 @@ import {
   readVersionCache,
   semverTuple,
   writeVersionCache
-} from "./chunk-AIBIXGJI.js";
-import "./chunk-5QWIIPHH.js";
+} from "./chunk-N27ISRFF.js";
+import "./chunk-IYELGZKK.js";
 import "./chunk-3RG5ZIWI.js";
 export {
   checkForUpdate,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pentesting",
-  "version": "0.7.49",
+  "version": "0.8.2",
   "description": "Autonomous Penetration Testing AI Agent",
   "type": "module",
   "main": "dist/index.js",
@@ -18,6 +18,8 @@
     "dev": "tsx src/index.tsx",
     "build": "tsup src/index.tsx --format esm --dts --clean",
     "start": "node dist/index.js",
+    "test": "vitest run",
+    "test:watch": "vitest",
     "lint": "tsc --noEmit",
     "prepublishOnly": "npm run build",
     "release:patch": "npm version patch && npm run build && npm publish",
@@ -78,6 +80,7 @@
     "@types/react": "^18.3.18",
     "tsup": "^8.3.6",
     "tsx": "^4.19.2",
-    "typescript": "^5.7.3"
+    "typescript": "^5.7.3",
+    "vitest": "^4.0.18"
   }
 }