npm - pentesting - Versions diffs - 0.72.9 → 0.72.10 - Mend

pentesting 0.72.9 → 0.72.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/README.md +9 -0
package/dist/{chunk-74KL4OOU.js → chunk-GHJPYI4S.js} +0 -8
package/dist/{chunk-PQIB3DUX.js → chunk-SLDFXMHL.js} +166 -117
package/dist/main.js +1154 -570
package/dist/{persistence-7L4UXPIJ.js → persistence-7FTYXIZY.js} +2 -2
package/dist/{process-registry-BDTYM4MC.js → process-registry-CCAQVJ4Y.js} +1 -1
package/dist/prompts/base.md +7 -7
package/dist/prompts/llm/input-processor-system.md +55 -0
package/dist/prompts/llm/{summary-regenerator-system.md → memory-synth-system.md} +1 -1
package/dist/prompts/llm/triage-system.md +1 -1
package/dist/prompts/offensive-playbook.md +24 -3
package/dist/prompts/recon.md +11 -2
package/dist/prompts/strategist-system.md +16 -12
package/dist/prompts/strategy.md +35 -2
package/dist/prompts/techniques/auth-access.md +1 -1
package/dist/prompts/techniques/forensics.md +1 -1
package/dist/prompts/techniques/pwn.md +1 -1
package/dist/prompts/vuln.md +9 -0
package/dist/prompts/web.md +9 -0
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -32,6 +32,15 @@
 Pentesting support tool. Can autonomously execute network penetration tests or assist with generic Capture The Flag (CTF) challenges (such as Reverse Engineering, Cryptography, and binary analysis) without requiring a specific network target.
+## Architecture Notes
+- User input is preprocessed by a dedicated input processor LLM before the main loop acts on it.
+- Durable engagement guidance, sensitive data handling rules, and reusable operator constraints are merged into `.pentesting/memory/policy.md`.
+- Both the strategist and the main prompt builder read that policy document every turn.
+- Each completed turn is compressed into `.pentesting/turns/{N}-memory.md`, with provenance metadata describing who wrote it and what sources were used.
+- Automatically maintained LLM documents are intentionally small in number: bounded turn memories, one `policy.md`, one merged `persistent-knowledge.json`, and on-demand reports only.
+- Interactive prompts are brokered through a single active input slot in the TUI. Additional prompts wait in a hidden queue and are promoted one at a time.
 ---
 ## Quick Start

package/dist/{chunk-74KL4OOU.js → chunk-GHJPYI4S.js} RENAMED Viewed

@@ -126,13 +126,6 @@ function llmNodeSystemPrompt(nodeName) {
     `[pipeline.yaml] llm_nodes.${nodeName} must declare system_prompt_file, fallback_system_prompt_file, or system_prompt. Add one to pipeline.yaml.`
   );
 }
-function getUserInputQueueConfig() {
-  return getPipelineConfig().user_input_queue ?? {
-    format: "tagged",
-    tag: "user-input",
-    inject_position: "messages_end"
-  };
-}
 function llmNodeOutputParsing(nodeName) {
   return getPipelineConfig().llm_nodes?.[nodeName]?.output_parsing;
 }
@@ -304,7 +297,6 @@ export {
   PROCESS_LIMITS,
   getPipelineConfig,
   llmNodeSystemPrompt,
-  getUserInputQueueConfig,
   llmNodeOutputParsing,
   llmNodeCooldownPolicy,
   getPromptSources,

package/dist/{chunk-PQIB3DUX.js → chunk-SLDFXMHL.js} RENAMED Viewed

@@ -18,7 +18,7 @@ import {
   getProcessEventLog,
   logEvent,
   setProcess
-} from "./chunk-74KL4OOU.js";
+} from "./chunk-GHJPYI4S.js";
 // src/shared/constants/time/conversions.ts
 var MS_PER_MINUTE = 6e4;
@@ -235,7 +235,7 @@ var INPUT_PROMPT_PATTERNS = [
 // src/shared/constants/agent.ts
 var APP_NAME = "Pentest AI";
-var APP_VERSION = "0.72.9";
+var APP_VERSION = "0.72.10";
 var APP_DESCRIPTION = "Autonomous Penetration Testing AI Agent";
 var LLM_ROLES = {
   SYSTEM: "system",
@@ -682,6 +682,7 @@ var EVENT_TYPES = {
   NOTIFICATION: "notification",
   AUXILIARY_WORK_START: "auxiliary_work_start",
   AUXILIARY_WORK_END: "auxiliary_work_end",
+  QUEUE_UPDATED: "queue_updated",
   QUEUE_DRAINED: "queue_drained"
 };
 var COMMAND_EVENT_TYPES = {
@@ -869,30 +870,142 @@ function detectConnection(stdout) {
   return DETECTION_PATTERNS.CONNECTION.some((p) => p.test(stdout));
 }
-// src/engine/tools-base/event-emitter.ts
-var globalEventEmitter = null;
-var globalInputHandler = null;
-function setCommandEventEmitter(emitter) {
-  globalEventEmitter = emitter;
+// src/engine/session-runtime.ts
+var SessionRuntime = class {
+  commandEventEmitter = null;
+  inputHandler = null;
+  credentialHandler = null;
+  setCommandEventEmitter(emitter) {
+    this.commandEventEmitter = emitter;
+  }
+  clearCommandEventEmitter() {
+    this.commandEventEmitter = null;
+  }
+  getCommandEventEmitter() {
+    return this.commandEventEmitter;
+  }
+  setInputHandler(handler) {
+    this.inputHandler = handler;
+  }
+  clearInputHandler() {
+    this.inputHandler = null;
+  }
+  getInputHandler() {
+    return this.inputHandler;
+  }
+  setCredentialHandler(handler) {
+    this.credentialHandler = handler;
+  }
+  clearCredentialHandler() {
+    this.credentialHandler = null;
+  }
+  getCredentialHandler() {
+    return this.credentialHandler;
+  }
+  clearAll() {
+    this.clearCommandEventEmitter();
+    this.clearInputHandler();
+    this.clearCredentialHandler();
+  }
+};
+var activeSessionRuntime = null;
+function createSessionRuntime() {
+  return new SessionRuntime();
 }
-function setInputHandler(handler) {
-  globalInputHandler = handler;
+function setActiveSessionRuntime(runtime) {
+  activeSessionRuntime = runtime;
 }
-function clearInputHandler() {
-  globalInputHandler = null;
+function clearActiveSessionRuntime(runtime) {
+  if (!runtime || activeSessionRuntime === runtime) {
+    activeSessionRuntime = null;
+  }
 }
-function clearCommandEventEmitter() {
-  globalEventEmitter = null;
+function getActiveSessionRuntime() {
+  return activeSessionRuntime;
 }
+// src/engine/tools-base/event-emitter.ts
 function getEventEmitter() {
-  return globalEventEmitter;
+  return getActiveSessionRuntime()?.getCommandEventEmitter() || null;
 }
 function getInputHandler() {
-  return globalInputHandler;
+  return getActiveSessionRuntime()?.getInputHandler() || null;
 }
 // src/shared/constants/paths.ts
 import path from "path";
+// src/shared/constants/files/extensions.ts
+var FILE_EXTENSIONS = {
+  // Data formats
+  JSON: ".json",
+  MARKDOWN: ".md",
+  TXT: ".txt",
+  XML: ".xml",
+  // Network capture
+  PCAP: ".pcap",
+  HOSTS: ".hosts",
+  MITM: ".mitm",
+  // Process I/O
+  STDOUT: ".stdout",
+  STDERR: ".stderr",
+  STDIN: ".stdin",
+  // Scripts
+  SH: ".sh",
+  PY: ".py",
+  CJS: ".cjs",
+  // Config
+  ENV: ".env",
+  BAK: ".bak"
+};
+// src/shared/constants/files/special.ts
+var SPECIAL_FILES = {
+  /** Latest state snapshot */
+  LATEST_STATE: "latest.json",
+  /** README */
+  README: "README.md",
+  /** Persistent knowledge store */
+  PERSISTENT_KNOWLEDGE: "persistent-knowledge.json",
+  /** Persistent policy memory document */
+  POLICY: "policy.md",
+  /** Debug log file */
+  DEBUG_LOG: "debug.log",
+  /**
+   * Session snapshot for Insane-level long session resumption (3차).
+   * Stores current phase, achieved foothold, next steps, credentials.
+   * Written by PlaybookSynthesizer on flag capture / manual update_mission.
+   */
+  SESSION_SNAPSHOT: "session-snapshot.json"
+};
+// src/shared/utils/file-ops/file-utils.ts
+import { existsSync, mkdirSync } from "fs";
+function ensureDirExists(dirPath) {
+  if (!existsSync(dirPath)) {
+    mkdirSync(dirPath, { recursive: true });
+  }
+}
+function fileTimestamp() {
+  return (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 19);
+}
+function sanitizeFilename(name, maxLength = 30) {
+  return name.replace(/[^a-zA-Z0-9_-]/g, "_").slice(0, maxLength);
+}
+// src/shared/constants/files/patterns.ts
+var FILE_PATTERNS = {
+  /** Tool output filename: nmap.txt, gobuster.txt (sanitized) */
+  toolOutput(toolName) {
+    return `${sanitizeFilename(toolName)}.txt`;
+  },
+  /** Generate session snapshot filename: 2026-02-21T08-30-15.json */
+  session() {
+    return `${fileTimestamp()}.json`;
+  }
+};
+// src/shared/constants/paths.ts
 var _dirs = null;
 var _root = null;
 function getRoot() {
@@ -925,6 +1038,9 @@ var WORKSPACE = {
   get MEMORY() {
     return path.resolve(dir("memory", `${getRoot()}/memory`));
   },
+  get POLICY() {
+    return path.resolve(dir("memory", `${getRoot()}/memory`), SPECIAL_FILES.POLICY);
+  },
   get REPORTS() {
     return path.resolve(dir("reports", `${getRoot()}/reports`));
   },
@@ -937,28 +1053,16 @@ var WORKSPACE = {
   get DEBUG() {
     return path.resolve(dir("debug", `${getRoot()}/debug`));
   },
-  /** DEPRECATED — kept for clearWorkspace cleanup only */
-  get OUTPUTS() {
-    return path.resolve(`${getRoot()}/outputs`);
-  },
-  /** DEPRECATED — kept for clearWorkspace cleanup only */
-  get JOURNAL() {
-    return path.resolve(`${getRoot()}/journal`);
-  },
-  /** DEPRECATED — kept for clearWorkspace cleanup only */
-  get ARCHIVE() {
-    return path.resolve(dir("archive", `${getRoot()}/archive`));
-  },
   /** Turn insight files root: .pentesting/turns/ */
   get TURNS() {
     return path.resolve(dir("turns", `${getRoot()}/turns`));
   },
   /**
-   * Resolve the insight file for a specific turn: .pentesting/turns/{N}.md
+   * Resolve the turn memory file for a specific turn: .pentesting/turns/{N}-memory.md
    * Pipeline.yaml: workspace.turn_structure → single file per turn
    */
   turnPath(turn) {
-    return path.resolve(dir("turns", `${getRoot()}/turns`), `${turn}.md`);
+    return path.resolve(dir("turns", `${getRoot()}/turns`), `${turn}-memory.md`);
   }
 };
@@ -1193,78 +1297,6 @@ var BLOCKED_BINARIES = /* @__PURE__ */ new Set([
 // src/shared/utils/debug/debug-logger.ts
 import { appendFileSync, writeFileSync, statSync, readFileSync } from "fs";
 import { join } from "path";
-// src/shared/utils/file-ops/file-utils.ts
-import { existsSync, mkdirSync } from "fs";
-function ensureDirExists(dirPath) {
-  if (!existsSync(dirPath)) {
-    mkdirSync(dirPath, { recursive: true });
-  }
-}
-function fileTimestamp() {
-  return (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 19);
-}
-function sanitizeFilename(name, maxLength = 30) {
-  return name.replace(/[^a-zA-Z0-9_-]/g, "_").slice(0, maxLength);
-}
-// src/shared/constants/files/extensions.ts
-var FILE_EXTENSIONS = {
-  // Data formats
-  JSON: ".json",
-  MARKDOWN: ".md",
-  TXT: ".txt",
-  XML: ".xml",
-  // Network capture
-  PCAP: ".pcap",
-  HOSTS: ".hosts",
-  MITM: ".mitm",
-  // Process I/O
-  STDOUT: ".stdout",
-  STDERR: ".stderr",
-  STDIN: ".stdin",
-  // Scripts
-  SH: ".sh",
-  PY: ".py",
-  CJS: ".cjs",
-  // Config
-  ENV: ".env",
-  BAK: ".bak"
-};
-// src/shared/constants/files/special.ts
-var SPECIAL_FILES = {
-  /** Latest state snapshot */
-  LATEST_STATE: "latest.json",
-  /** README */
-  README: "README.md",
-  /** Session summary (single source — LLM primary, deterministic fallback) */
-  SUMMARY: "summary.md",
-  /** Persistent knowledge store */
-  PERSISTENT_KNOWLEDGE: "persistent-knowledge.json",
-  /** Debug log file */
-  DEBUG_LOG: "debug.log",
-  /**
-   * Session snapshot for Insane-level long session resumption (3차).
-   * Stores current phase, achieved foothold, next steps, credentials.
-   * Written by PlaybookSynthesizer on flag capture / manual update_mission.
-   */
-  SESSION_SNAPSHOT: "session-snapshot.json"
-};
-// src/shared/constants/files/patterns.ts
-var FILE_PATTERNS = {
-  /** Tool output filename: nmap.txt, gobuster.txt (sanitized) */
-  toolOutput(toolName) {
-    return `${sanitizeFilename(toolName)}.txt`;
-  },
-  /** Generate session snapshot filename: 2026-02-21T08-30-15.json */
-  session() {
-    return `${fileTimestamp()}.json`;
-  }
-};
-// src/shared/utils/debug/debug-logger.ts
 var ROTATE_BYTES = 5 * 1024 * 1024;
 var WIPE_BYTES = 20 * 1024 * 1024;
 var ROTATE_CHECK_INTERVAL = 500;
@@ -1896,6 +1928,8 @@ var ENV_KEYS = {
   SEARCH_API_URL: "SEARCH_API_URL",
   THINKING: "PENTEST_THINKING",
   THINKING_BUDGET: "PENTEST_THINKING_BUDGET",
+  SCOPE_MODE: "PENTEST_SCOPE_MODE",
+  APPROVAL_MODE: "PENTEST_APPROVAL_MODE",
   APP_VERSION: "PENTESTING_VERSION"
 };
 var DEFAULT_SEARCH_API_URL = "https://api.search.brave.com/res/v1/web/search";
@@ -1929,6 +1963,12 @@ function getThinkingBudget() {
   const val = parseInt(process.env[ENV_KEYS.THINKING_BUDGET] || "", 10);
   return isNaN(val) ? 8e3 : Math.max(1024, val);
 }
+function getScopeMode() {
+  return process.env[ENV_KEYS.SCOPE_MODE] === "enforce" ? "enforce" : "advisory";
+}
+function getApprovalMode() {
+  return process.env[ENV_KEYS.APPROVAL_MODE] === "require_auto_approve" ? "require_auto_approve" : "advisory";
+}
 // src/shared/utils/config/tor/core.ts
 var TOR_PROXY = {
@@ -2607,7 +2647,7 @@ async function cleanupAllProcesses() {
     cleanupDone = false;
     return;
   }
-  const { getBackgroundProcessesMap: getBackgroundProcessesMap2 } = await import("./process-registry-BDTYM4MC.js");
+  const { getBackgroundProcessesMap: getBackgroundProcessesMap2 } = await import("./process-registry-CCAQVJ4Y.js");
   const backgroundProcesses = getBackgroundProcessesMap2();
   terminateAllNatively(backgroundProcesses, "SIGTERM");
   await new Promise((r) => setTimeout(r, SYSTEM_LIMITS.CLEANUP_BATCH_WAIT_MS));
@@ -2801,6 +2841,9 @@ var ACTIONABLE_LOOT_TYPES = /* @__PURE__ */ new Set([
   LOOT_TYPES.TICKET,
   LOOT_TYPES.SESSION
 ]);
+function safeList(values) {
+  return Array.isArray(values) ? values.filter((value) => typeof value === "string") : [];
+}
 var StateSerializer = class {
   /**
    * Convert full state to a compact prompt summary
@@ -2837,7 +2880,9 @@ var StateSerializer = class {
       lines.push(`Engagement: ${engagement.name} (${engagement.client})`);
     }
     if (scope) {
-      lines.push(`Scope: CIDR=[${scope.allowedCidrs.join(", ")}] Domains=[${scope.allowedDomains.join(", ")}]`);
+      const allowedCidrs = safeList(scope.allowedCidrs);
+      const allowedDomains = safeList(scope.allowedDomains);
+      lines.push(`Scope: CIDR=[${allowedCidrs.join(", ")}] Domains=[${allowedDomains.join(", ")}]`);
     }
     const mission = state3.getMissionSummary();
     if (mission) {
@@ -3014,11 +3059,11 @@ function loadState(state3) {
       state3.addTarget(value);
     }
     for (const finding of snapshot.findings) {
-      const legacyFinding = finding;
-      if (typeof legacyFinding.confidence !== "number") {
-        legacyFinding.confidence = legacyFinding.isVerified === true ? 80 : 25;
+      const migratedFinding = finding;
+      if (typeof migratedFinding.confidence !== "number") {
+        migratedFinding.confidence = migratedFinding.isVerified === true ? 80 : 25;
       }
-      state3.addFinding(legacyFinding);
+      state3.addFinding(migratedFinding);
     }
     for (const loot of snapshot.loot) {
       state3.addLoot(loot);
@@ -3044,18 +3089,20 @@ function loadState(state3) {
 // src/engine/state/persistence/janitor.ts
 import { existsSync as existsSync7, rmSync } from "fs";
+import path2 from "path";
 function clearWorkspace() {
   const cleared = [];
   const errors = [];
+  const root = WORKSPACE.ROOT;
   const dirsToClean = [
     { path: WORKSPACE.TURNS, label: "turn insights" },
-    { path: WORKSPACE.ARCHIVE, label: "archive (legacy)" },
     { path: WORKSPACE.DEBUG, label: "debug logs" },
     { path: WORKSPACE.TMP, label: "workspace/temp" },
-    { path: WORKSPACE.OUTPUTS, label: "outputs (legacy)" },
-    { path: WORKSPACE.JOURNAL, label: "journal (legacy)" },
     { path: WORKSPACE.LOOT, label: "loot" },
-    { path: WORKSPACE.REPORTS, label: "reports" }
+    { path: WORKSPACE.REPORTS, label: "reports" },
+    { path: path2.join(root, "archive"), label: "archive (historical cleanup)" },
+    { path: path2.join(root, "outputs"), label: "outputs (historical cleanup)" },
+    { path: path2.join(root, "journal"), label: "journal (historical cleanup)" }
   ];
   for (const dir2 of dirsToClean) {
     try {
@@ -3073,11 +3120,11 @@ function clearWorkspace() {
 export {
   ensureDirExists,
-  WORK_DIR,
-  WORKSPACE,
   FILE_EXTENSIONS,
   SPECIAL_FILES,
   FILE_PATTERNS,
+  WORK_DIR,
+  WORKSPACE,
   initDebugLogger,
   debugLog,
   flowLog,
@@ -3090,6 +3137,8 @@ export {
   isZaiProvider,
   isThinkingEnabled,
   getThinkingBudget,
+  getScopeMode,
+  getApprovalMode,
   isTorEnabled,
   setTorEnabled,
   getTorBrowserArgs,
@@ -3136,10 +3185,10 @@ export {
   UI_COMMANDS,
   generateId,
   generatePrefixedId,
-  setCommandEventEmitter,
-  setInputHandler,
-  clearInputHandler,
-  clearCommandEventEmitter,
+  createSessionRuntime,
+  setActiveSessionRuntime,
+  clearActiveSessionRuntime,
+  getActiveSessionRuntime,
   runCommand,
   getErrorMessage,
   readFileContent,