pwnkit-cli 0.1.5 → 0.1.7

package/dist/index.js

@@ -10402,10 +10402,11 @@ __export(process_exports, {
   ProcessRuntime: () => ProcessRuntime
 });
 import { spawn } from "node:child_process";
-var RUNTIME_COMMANDS, ProcessRuntime;
+var dim, RUNTIME_COMMANDS, ProcessRuntime;
 var init_process = __esm({
   "packages/core/dist/runtime/process.js"() {
     "use strict";
+    dim = (text2) => `\x1B[2m${text2}\x1B[0m`;
     RUNTIME_COMMANDS = {
       claude: "claude",
       codex: "codex",
@@ -10438,7 +10439,11 @@ var init_process = __esm({
             stdout += chunk.toString();
           });
           proc.stderr.on("data", (chunk) => {
-            stderr += chunk.toString();
+            const text2 = chunk.toString();
+            stderr += text2;
+            if (process.stderr.isTTY) {
+              process.stderr.write(dim(text2));
+            }
           });
           const timer = setTimeout(() => {
             timedOut = true;
@@ -11100,15 +11105,17 @@ async function runNativeAgentLoop(opts) {
       state.totalUsage.inputTokens += result.usage.inputTokens;
       state.totalUsage.outputTokens += result.usage.outputTokens;
     }
-    if (result.error) {
-      onEvent?.("agent_error", { turn: state.turnCount, error: result.error });
+    if (result.error || result.content.length === 0 && (!result.usage || result.usage.outputTokens === 0)) {
+      const errorMsg = result.error || "API returned empty response (0 tokens) \u2014 model may be rate-limited or unavailable";
+      onEvent?.("agent_error", { turn: state.turnCount, error: errorMsg });
+      state.summary = `Error: ${errorMsg}`;
       if (db) {
         db.logEvent({
           scanId: config.scanId,
           stage: config.role,
           eventType: "agent_error",
           agentRole: config.role,
-          payload: { turn: state.turnCount, error: result.error },
+          payload: { turn: state.turnCount, error: errorMsg },
           timestamp: Date.now()
         });
       }
@@ -14039,7 +14046,7 @@ var chalkStderr = createChalk({ level: stderrColor ? stderrColor.level : 0 });
 var source_default = chalk;
 
 // packages/shared/dist/constants.js
-var VERSION = "0.1.5";
+var VERSION = "0.1.7";
 var DEPTH_CONFIG = {
   quick: { maxTemplates: 5, maxPayloadsPerTemplate: 1, multiTurn: false },
   default: { maxTemplates: 20, maxPayloadsPerTemplate: 3, multiTurn: false },
@@ -17395,36 +17402,6 @@ var SEVERITY_COUNT_COLOR = {
   low: source_default.blue,
   info: source_default.gray
 };
-var BOX = {
-  topLeft: "\u256D",
-  topRight: "\u256E",
-  bottomLeft: "\u2570",
-  bottomRight: "\u256F",
-  horizontal: "\u2500",
-  vertical: "\u2502",
-  teeRight: "\u251C",
-  teeLeft: "\u2524"
-};
-function boxLine(width) {
-  return BOX.horizontal.repeat(width);
-}
-function boxTop(width) {
-  return `  ${source_default.gray(BOX.topLeft + boxLine(width) + BOX.topRight)}`;
-}
-function boxBottom(width) {
-  return `  ${source_default.gray(BOX.bottomLeft + boxLine(width) + BOX.bottomRight)}`;
-}
-function boxRow(content, width) {
-  const visible = stripAnsi2(content);
-  const pad = Math.max(0, width - visible.length);
-  return `  ${source_default.gray(BOX.vertical)} ${content}${" ".repeat(pad)}${source_default.gray(BOX.vertical)}`;
-}
-function boxDivider(width) {
-  return `  ${source_default.gray(BOX.teeRight + boxLine(width) + BOX.teeLeft)}`;
-}
-function stripAnsi2(s) {
-  return s.replace(/\x1b\[[0-9;]*m/g, "");
-}
 function formatTerminal(report) {
   const W3 = 60;
   const lines = [];
@@ -17459,20 +17436,18 @@ function formatTerminal(report) {
     }
   }
   lines.push("");
-  lines.push(boxTop(W3));
-  lines.push(boxRow(source_default.bold.white(" SUMMARY"), W3));
-  lines.push(boxDivider(W3));
+  lines.push(`  ${source_default.gray("\u2500".repeat(50))}`);
+  lines.push("");
   const { summary } = report;
-  const severityCounts = buildSeverityLine(summary);
-  lines.push(boxRow(severityCounts, W3));
-  lines.push(boxRow("", W3));
-  const statsLine = [
-    `${source_default.white.bold(String(summary.totalFindings))} findings`,
-    `${source_default.white.bold(String(summary.totalAttacks))} probes`,
-    `${source_default.white.bold(formatDuration(report.durationMs))}`
-  ].join(source_default.gray("  \u2502  "));
-  lines.push(boxRow(` ${statsLine}`, W3));
-  lines.push(boxBottom(W3));
+  const sev = [
+    summary.critical > 0 ? source_default.red.bold(`${summary.critical} critical`) : source_default.gray(`${summary.critical} critical`),
+    summary.high > 0 ? source_default.hex("#f97316").bold(`${summary.high} high`) : source_default.gray(`${summary.high} high`),
+    summary.medium > 0 ? source_default.yellow.bold(`${summary.medium} medium`) : source_default.gray(`${summary.medium} medium`),
+    source_default.gray(`${summary.low} low`),
+    source_default.gray(`${summary.info} info`)
+  ].join(source_default.gray("  "));
+  lines.push(`  ${sev}`);
+  lines.push(`  ${source_default.white.bold(String(summary.totalFindings))} findings ${source_default.gray("in")} ${source_default.white(formatDuration(report.durationMs))}`);
   lines.push("");
   return lines.join("\n");
 }
@@ -17497,17 +17472,6 @@ function formatFinding(finding) {
   lines.push("");
   return lines.join("\n");
 }
-function buildSeverityLine(summary) {
-  const parts = [];
-  const severities = ["critical", "high", "medium", "low", "info"];
-  for (const sev of severities) {
-    const count = summary[sev];
-    const color = SEVERITY_COUNT_COLOR[sev];
-    const icon = SEVERITY_STYLE[sev].icon;
-    parts.push(` ${color(icon)} ${color(String(count))} ${source_default.gray(SEVERITY_STYLE[sev].label)}`);
-  }
-  return parts.join(source_default.gray("  "));
-}
 function formatCategory(cat) {
   return cat.split("-").map((w) => w.charAt(0).toUpperCase() + w.slice(1)).join(" ");
 }
@@ -17628,21 +17592,21 @@ function severityBadge(severity) {
 function sleep(ms) {
   return new Promise((resolve3) => setTimeout(resolve3, ms));
 }
-function stripAnsi3(s) {
+function stripAnsi2(s) {
   return s.replace(/\x1b\[[0-9;]*m/g, "");
 }
 var BOX_WIDTH = 55;
-function boxTop2(label) {
+function boxTop(label) {
   const inner = ` ${label} `;
   const remaining = BOX_WIDTH - inner.length - 1;
   return source_default.dim("\u250C\u2500 ") + source_default.bold.white(label) + source_default.dim(" " + "\u2500".repeat(Math.max(0, remaining)) + "\u2510");
 }
-function boxRow2(content) {
-  const visible = stripAnsi3(content);
+function boxRow(content) {
+  const visible = stripAnsi2(content);
   const pad = Math.max(0, BOX_WIDTH - visible.length - 2);
   return source_default.dim("\u2502") + " " + content + " ".repeat(pad) + source_default.dim("\u2502");
 }
-function boxBottom2(withArrow) {
+function boxBottom(withArrow) {
   if (withArrow) {
     const half = Math.floor((BOX_WIDTH - 1) / 2);
     const rest = BOX_WIDTH - half - 1;
@@ -17676,19 +17640,19 @@ function buildReplayLines(data) {
   const MED = 75;
   const SLOW = 100;
   const PAUSE = 200;
-  lines.push({ text: boxTop2("DISCOVER"), delay: PAUSE });
+  lines.push({ text: boxTop("DISCOVER"), delay: PAUSE });
   if (data.targetInfo) {
     const t2 = data.targetInfo;
     const truncUrl = t2.url.length > 30 ? t2.url.slice(0, 27) + "..." : t2.url;
     lines.push({
-      text: boxRow2(
+      text: boxRow(
         source_default.dim("\u25B8") + " " + source_default.white(`GET ${truncUrl}`) + source_default.dim(" \u2192 ") + source_default.white(`200`) + source_default.gray(` (${t2.type} endpoint detected)`)
       ),
       delay: MED
     });
     if (t2.systemPrompt) {
       lines.push({
-        text: boxRow2(
+        text: boxRow(
           source_default.dim("\u25B8") + " " + source_default.white(`System prompt extracted`) + source_default.gray(` (${t2.systemPrompt.length} chars)`)
         ),
         delay: MED
@@ -17696,7 +17660,7 @@ function buildReplayLines(data) {
     }
     if (t2.detectedFeatures && t2.detectedFeatures.length > 0) {
       lines.push({
-        text: boxRow2(
+        text: boxRow(
           source_default.dim("\u25B8") + " " + source_default.white(`${t2.detectedFeatures.length} features detected: `) + source_default.gray(t2.detectedFeatures.slice(0, 3).join(", "))
         ),
         delay: MED
@@ -17704,7 +17668,7 @@ function buildReplayLines(data) {
     }
     if (t2.endpoints && t2.endpoints.length > 0) {
       lines.push({
-        text: boxRow2(
+        text: boxRow(
           source_default.dim("\u25B8") + " " + source_default.white(`${t2.endpoints.length} endpoints found`)
         ),
         delay: MED
@@ -17713,15 +17677,15 @@ function buildReplayLines(data) {
   } else {
     const truncTarget = data.target.length > 30 ? data.target.slice(0, 27) + "..." : data.target;
     lines.push({
-      text: boxRow2(
+      text: boxRow(
         source_default.dim("\u25B8") + " " + source_default.white(`GET ${truncTarget}`) + source_default.dim(" \u2192 ") + source_default.white("200") + source_default.gray(" (LLM endpoint detected)")
       ),
       delay: MED
     });
   }
-  lines.push({ text: boxBottom2(true), delay: FAST });
+  lines.push({ text: boxBottom(true), delay: FAST });
   lines.push({ text: connector(), delay: PAUSE });
-  lines.push({ text: boxTop2("ATTACK"), delay: PAUSE });
+  lines.push({ text: boxTop("ATTACK"), delay: PAUSE });
   const vulnerableFindings = data.findings.filter(
     (f) => f.status !== "false-positive"
   );
@@ -17733,7 +17697,7 @@ function buildReplayLines(data) {
       if (cat === "system-prompt-extraction") outcome = "LEAKED";
       if (cat === "jailbreak") outcome = "BYPASSED";
       lines.push({
-        text: boxRow2(
+        text: boxRow(
           source_default.dim("\u25B8") + " " + source_default.white(truncTitle) + source_default.dim(" \u2192 ") + "  " + outcomeLabel(outcome.toLowerCase())
         ),
         delay: MED
@@ -17741,7 +17705,7 @@ function buildReplayLines(data) {
     }
     if (vulnerableFindings.length > 8) {
       lines.push({
-        text: boxRow2(
+        text: boxRow(
           source_default.gray(
             `  ... and ${vulnerableFindings.length - 8} more attacks`
           )
@@ -17751,15 +17715,15 @@ function buildReplayLines(data) {
     }
   } else {
     lines.push({
-      text: boxRow2(
+      text: boxRow(
         source_default.dim("\u25B8") + " " + source_default.white(`${data.summary.totalAttacks} probes executed`) + source_default.dim(" \u2192 ") + source_default.green("ALL SAFE")
       ),
       delay: MED
     });
   }
-  lines.push({ text: boxBottom2(true), delay: FAST });
+  lines.push({ text: boxBottom(true), delay: FAST });
   lines.push({ text: connector(), delay: PAUSE });
-  lines.push({ text: boxTop2("VERIFY"), delay: PAUSE });
+  lines.push({ text: boxTop("VERIFY"), delay: PAUSE });
   const confirmed = data.findings.filter(
     (f) => f.status === "confirmed" || f.status === "verified" || f.status === "scored" || f.status === "reported"
   );
@@ -17769,7 +17733,7 @@ function buildReplayLines(data) {
   if (confirmed.length > 0 || data.findings.length > 0) {
     const reproduced = confirmed.length > 0 ? confirmed.length : data.findings.length;
     lines.push({
-      text: boxRow2(
+      text: boxRow(
         source_default.green("\u2713") + " " + source_default.white(`Reproduced ${reproduced}/${reproduced} findings`)
       ),
       delay: MED
@@ -17777,7 +17741,7 @@ function buildReplayLines(data) {
   }
   if (falsePositives.length > 0) {
     lines.push({
-      text: boxRow2(
+      text: boxRow(
         source_default.red("\u2717") + " " + source_default.white(`Eliminated ${falsePositives.length} false positives`)
       ),
       delay: MED
@@ -17785,13 +17749,13 @@ function buildReplayLines(data) {
   }
   if (confirmed.length === 0 && falsePositives.length === 0 && data.findings.length === 0) {
     lines.push({
-      text: boxRow2(source_default.green("\u2713") + " " + source_default.white("No findings to verify")),
+      text: boxRow(source_default.green("\u2713") + " " + source_default.white("No findings to verify")),
       delay: MED
     });
   }
-  lines.push({ text: boxBottom2(true), delay: FAST });
+  lines.push({ text: boxBottom(true), delay: FAST });
   lines.push({ text: connector(), delay: PAUSE });
-  lines.push({ text: boxTop2("REPORT"), delay: PAUSE });
+  lines.push({ text: boxTop("REPORT"), delay: PAUSE });
   const totalFindings = data.summary.totalFindings;
   if (totalFindings > 0) {
     const parts = [];
@@ -17801,25 +17765,25 @@ function buildReplayLines(data) {
     if (data.summary.low > 0) parts.push(source_default.blue(`${data.summary.low} LOW`));
     if (data.summary.info > 0) parts.push(source_default.gray(`${data.summary.info} INFO`));
     lines.push({
-      text: boxRow2(
+      text: boxRow(
         source_default.white(`${totalFindings} verified findings: `) + parts.join(source_default.dim(", "))
       ),
       delay: MED
     });
   } else {
     lines.push({
-      text: boxRow2(source_default.green.bold("0 findings") + source_default.white(" - target appears secure")),
+      text: boxRow(source_default.green.bold("0 findings") + source_default.white(" - target appears secure")),
       delay: MED
     });
   }
   const duration = data.durationMs < 1e3 ? `${data.durationMs}ms` : `${(data.durationMs / 1e3).toFixed(1)}s`;
   lines.push({
-    text: boxRow2(
+    text: boxRow(
       source_default.white(`Completed in ${duration}`) + source_default.dim(" \u2192 ") + source_default.gray("./pwnkit-report.json")
     ),
     delay: MED
   });
-  lines.push({ text: boxBottom2(false), delay: FAST });
+  lines.push({ text: boxBottom(false), delay: FAST });
   return lines;
 }
 async function renderReplay(data) {
@@ -18197,7 +18161,7 @@ program2.command("scan").description("Run security scan against an LLM endpoint"
     if (format !== "terminal") return;
     switch (event.type) {
       case "stage:start":
-        if (verbose) {
+        {
           const msg = event.message;
           if (msg.startsWith("Reading ")) {
             spinner?.stop();
@@ -18209,16 +18173,8 @@ program2.command("scan").description("Run security scan against an LLM endpoint"
             spinner?.start();
           } else {
             spinner?.update(msg);
+            spinner?.start();
           }
-        } else if (event.stage === "attack") {
-          const match = event.message.match(/(\d+)/);
-          if (match) attackTotal = parseInt(match[1], 10);
-          attacksDone = 0;
-          spinner?.update(`Running attacks ${renderProgressBar(0, attackTotal || 1)}`);
-          spinner?.start();
-        } else {
-          spinner?.update(event.message);
-          spinner?.start();
         }
         break;
       case "attack:end":
@@ -18241,11 +18197,11 @@ program2.command("scan").description("Run security scan against an LLM endpoint"
         }
         break;
       case "finding":
-        if (verbose) {
-          console.log(
-            `    ${source_default.yellow("\u26A1")} ${source_default.yellow(event.message)}`
-          );
-        }
+        spinner?.stop();
+        console.log(
+          `    ${source_default.yellow("\u26A1")} ${source_default.yellow(event.message)}`
+        );
+        spinner?.start();
         break;
       case "error":
         spinner?.fail(event.message);
@@ -18496,11 +18452,11 @@ program2.command("review").description("Deep source code security review of a re
     switch (event.type) {
       case "stage:start": {
         const msg = event.message;
-        if (verbose && msg.startsWith("Reading ")) {
+        if (msg.startsWith("Reading ")) {
           spinner?.stop();
           console.log(`    ${source_default.cyan("\u2192")} ${source_default.cyan("read")} ${source_default.gray(msg.replace("Reading ", ""))}`);
           spinner?.start();
-        } else if (verbose && msg.startsWith("Running: ")) {
+        } else if (msg.startsWith("Running: ")) {
           spinner?.stop();
           console.log(`    ${source_default.magenta("\u2192")} ${source_default.magenta("exec")} ${source_default.gray(msg.replace("Running: ", ""))}`);
           spinner?.start();
@@ -18514,10 +18470,12 @@ program2.command("review").description("Deep source code security review of a re
         spinner?.succeed(event.message);
         break;
       case "finding":
-        if (verbose) {
+        {
+          spinner?.stop();
           console.log(
             `    ${source_default.yellow("\u26A1")} ${source_default.yellow(event.message)}`
           );
+          spinner?.start();
         }
         break;
       case "error":
@@ -18612,11 +18570,11 @@ program2.command("audit").description("Audit an npm package for security vulnera
     switch (event.type) {
       case "stage:start": {
         const msg = event.message;
-        if (verbose && msg.startsWith("Reading ")) {
+        if (msg.startsWith("Reading ")) {
           spinner?.stop();
           console.log(`    ${source_default.cyan("\u2192")} ${source_default.cyan("read")} ${source_default.gray(msg.replace("Reading ", ""))}`);
           spinner?.start();
-        } else if (verbose && msg.startsWith("Running: ")) {
+        } else if (msg.startsWith("Running: ")) {
           spinner?.stop();
           console.log(`    ${source_default.magenta("\u2192")} ${source_default.magenta("exec")} ${source_default.gray(msg.replace("Running: ", ""))}`);
           spinner?.start();
@@ -18630,10 +18588,12 @@ program2.command("audit").description("Audit an npm package for security vulnera
         spinner?.succeed(event.message);
         break;
       case "finding":
-        if (verbose) {
+        {
+          spinner?.stop();
           console.log(
             `    ${source_default.yellow("\u26A1")} ${source_default.yellow(event.message)}`
           );
+          spinner?.start();
         }
         break;
       case "error":

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "pwnkit-cli",
   "type": "module",
-  "version": "0.1.5",
+  "version": "0.1.7",
   "description": "AI-powered agentic security scanner. Scan endpoints, audit packages, review source code. Autonomous agents discover, attack, verify, and report.",
   "bin": {
     "pwnkit": "dist/index.js"