pwnkit-cli 0.2.1 → 0.3.0

package/LICENSE

@@ -1,21 +1,188 @@
-MIT License
-
-Copyright (c) 2026 Peak Twilight
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship made available under
+      the License, as indicated by a copyright notice that is included in
+      or attached to the work (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean, as submitted to the Licensor for inclusion
+      in the Work by the copyright owner or by an individual or Legal Entity
+      authorized to submit on behalf of the copyright owner. For the purposes
+      of this definition, "submitted" means any form of electronic, verbal,
+      or written communication sent to the Licensor or its representatives,
+      including but not limited to communication on electronic mailing lists,
+      source code control systems, and issue tracking systems that are managed
+      by, or on behalf of, the Licensor for the purpose of submitting and
+      discussing improvements to the Work, but excluding communication that is
+      conspicuously marked or designated in writing by the copyright owner as
+      "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any Legal Entity on behalf of
+      whom a Contribution has been received by the Licensor and included
+      within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by the combined Work (with their
+      Contribution(s)). If You institute patent litigation against any
+      entity (including a cross-claim or counterclaim in a lawsuit)
+      alleging that the Work or any Contribution embodied within the Work
+      constitutes a patent or copyright infringement, then any patent
+      licenses granted to You under this License for that Work shall
+      terminate as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or Derivative
+          Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, You must include a readable copy of the
+          attribution notices contained within such NOTICE file, in
+          at least one of the following places: within a NOTICE text
+          file distributed as part of the Derivative Works; within
+          the Source form or documentation, if provided along with the
+          Derivative Works; or, within a display generated by the
+          Derivative Works, if and wherever such third-party notices
+          normally appear. The contents of the NOTICE file are for
+          informational purposes only and do not modify the License.
+          You may add Your own attribution notices within Derivative
+          Works that You distribute, alongside or in addition to the
+          NOTICE text from the Work, provided that such additional
+          attribution notices cannot be construed as modifying the License.
+
+      You may add Your own license statement for Your modifications and
+      may provide additional grant of rights to use, copy, modify, merge,
+      publish, distribute, sublicense, and/or sell copies of the
+      Contribution.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or reproducing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or exemplary damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or all other
+      commercial damages or losses), even if such Contributor has been
+      advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may offer only
+      conditions consistent with this License.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the syntax of the file. We also recommend
+      that a file or directory "LICENSE" or "COPYING" be included with
+      your work.
+
+   Copyright 2026 Doruk Tan Ozturk (Peak Twilight)
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -5,13 +5,13 @@
 <h1 align="center">pwnkit</h1>
 
 <p align="center">
-  <strong>Security research automation for the AI era</strong><br/>
-  <em>Scan LLM endpoints. Audit npm packages. Review source code. Re-exploit to kill false positives.</em>
+  <strong>General-purpose autonomous pentesting framework</strong><br/>
+  <em>Scan LLM endpoints. Audit npm packages. Review source code. Pentest web apps. Re-exploit to kill false positives.</em>
 </p>
 
 <p align="center">
   <a href="https://www.npmjs.com/package/pwnkit-cli"><img src="https://img.shields.io/npm/v/pwnkit-cli?color=crimson&style=flat-square" alt="npm version" /></a>
-  <a href="https://github.com/peaktwilight/pwnkit/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue?style=flat-square" alt="license" /></a>
+  <a href="https://github.com/peaktwilight/pwnkit/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-Apache%202.0-blue?style=flat-square" alt="license" /></a>
   <a href="https://github.com/peaktwilight/pwnkit/actions"><img src="https://img.shields.io/github/actions/workflow/status/peaktwilight/pwnkit/ci.yml?style=flat-square" alt="CI" /></a>
   <a href="https://github.com/peaktwilight/pwnkit/stargazers"><img src="https://img.shields.io/github/stars/peaktwilight/pwnkit?style=flat-square&color=gold" alt="stars" /></a>
   <a href="https://pwnkit.com"><img src="https://pwnkit.com/badge/peaktwilight/pwnkit" alt="pwnkit verified" /></a>
@@ -33,7 +33,7 @@
 
 ---
 
-pwnkit is an open-source agentic security toolkit. Autonomous agents discover, attack, verify, and report vulnerabilities. Point it at an API, an npm package, or a Git repo — the agents read code, craft payloads, analyze responses, and **re-exploit each finding to kill false positives**. No templates, no static rules — multi-turn agentic reasoning that thinks like an attacker.
+pwnkit is an open-source agentic security toolkit. A research agent discovers, attacks, and writes proof-of-concept code for vulnerabilities across LLM endpoints, web applications, npm packages, and Git repositories. Then a blind verify agent — given ONLY the PoC and file path, not the reasoning — independently reproduces each finding to **kill false positives**. No templates, no static rules — multi-turn agentic reasoning that thinks like an attacker.
 
 One command. Zero config. Every finding re-exploited or dropped.
 
@@ -48,12 +48,33 @@ npx pwnkit-cli audit lodash
 
 # Deep security review of a codebase
 npx pwnkit-cli review ./my-ai-app
+
+# Or just point pwnkit at a target — it auto-detects what to do
+npx pwnkit-cli express          # audits npm package
+npx pwnkit-cli ./my-repo        # reviews source code
+npx pwnkit-cli https://github.com/user/repo  # clones and reviews
+npx pwnkit-cli https://example.com           # scans web endpoint
 ```
 
 That's it. pwnkit discovers your attack surface, launches targeted attacks, verifies findings, and generates a report — all in under 5 minutes.
 
+### Auto-Detect
+
+`pwnkit <target>` figures out what you mean without explicit subcommands:
+
+| Input | What pwnkit does |
+|-------|-----------------|
+| `pwnkit express` | Treats it as an npm package name and runs `audit` |
+| `pwnkit ./my-repo` | Detects a local path and runs `review` |
+| `pwnkit https://github.com/user/repo` | Clones the repo and runs `review` |
+| `pwnkit https://example.com` | Detects an HTTP URL and runs `scan` |
+
+Explicit subcommands (`scan`, `audit`, `review`) still work — auto-detect is just a convenience layer on top.
+
 ## Commands
 
+All commands are available via `npx pwnkit-cli <command>`. Explicit subcommands are optional — thanks to auto-detect, `npx pwnkit-cli <target>` works for most use cases (see [Auto-Detect](#auto-detect) above).
+
 pwnkit ships five commands — from quick API probes to deep source-level audits:
 
 | Command | What It Does | Example |
@@ -66,27 +87,28 @@ pwnkit ships five commands — from quick API probes to deep source-level audits
 
 ## How It Works
 
-pwnkit runs autonomous AI agents in sequence. Each agent uses tools (`read_file`, `run_command`, `send_prompt`, `save_finding`) and makes multi-turn decisions — adapting its strategy based on what it learns:
+pwnkit runs autonomous AI agents in a research-then-verify pipeline. Each agent uses tools (`read_file`, `run_command`, `send_prompt`, `save_finding`) and makes multi-turn decisions — adapting its strategy based on what it learns:
 
 ```
-  +-----------+     +-----------+     +-----------+     +-----------+
-  | DISCOVER  | --> |  ATTACK   | --> |  VERIFY   | --> |  REPORT   |
-  |  (Recon)  |     | (Offense) |     | (Confirm) |     | (Output)  |
-  +-----------+     +-----------+     +-----------+     +-----------+
-   Maps endpoints    Agents craft      Re-exploits       Generates SARIF,
-   Model detection   payloads in       each finding       Markdown, and JSON
-   System prompt     multi-turn        to kill false      with severity +
-   extraction        conversations     positives          remediation
+  +-----------+     +------------------+     +-----------+
+  | RESEARCH  | --> |  BLIND VERIFY    | --> |  REPORT   |
+  | (Discover |     | (PoC + path only |     | (Output)  |
+  |  + Attack |     |  no reasoning)   |     |           |
+  |  + PoC)   |     +------------------+     +-----------+
+  +-----------+      Runs in parallel         Only confirmed
+   Single agent      per finding —            findings in SARIF,
+   session: recon,   independently            Markdown, and JSON
+   payloads, and     reproduces or            with severity +
+   proof-of-concept  kills finding            remediation
 ```
 
 | Agent | Role | What It Does |
 |-------|------|-------------|
-| **Discover** | Recon | Maps endpoints, detects models, extracts system prompts, enumerates MCP tool schemas |
-| **Attack** | Offense | Agentic multi-turn attacks: prompt injection, jailbreaks, tool poisoning, data exfiltration, encoding bypasses — agent reads responses and adapts |
-| **Verify** | Validation | Re-exploits each finding independently. If it can't reproduce it, it's killed as a false positive |
-| **Report** | Output | SARIF for GitHub Security tab, Markdown for humans, JSON for pipelines — with severity scores and remediation |
+| **Research** | Discover + Attack + PoC | Maps endpoints, detects models, extracts system prompts, crafts multi-turn attacks (prompt injection, jailbreaks, tool poisoning, data exfiltration), and writes proof-of-concept code — all in one agent session |
+| **Verify** | Blind validation | Gets ONLY the PoC code and file path — not the research agent's reasoning. Independently traces data flow and reproduces each finding. Can't reproduce? Killed as false positive |
+| **Report** | Output | SARIF for GitHub Security tab, Markdown for humans, JSON for pipelines — only confirmed findings with severity scores and remediation |
 
-The **verification step is the differentiator.** No more triaging 200 "possible prompt injections" that turn out to be nothing.
+The **blind verification is the differentiator.** The verify agent can't be biased by the research agent's reasoning — same principle as double-blind peer review. No more triaging 200 "possible prompt injections" that turn out to be nothing.
 
 ## What pwnkit Scans
 
@@ -95,6 +117,7 @@ The **verification step is the differentiator.** No more triaging 200 "possible
 | **LLM Endpoints** — ChatGPT, Claude, Llama APIs, custom chatbots | `scan --target <url>` | HTTP probing + multi-turn agent attacks |
 | **MCP Servers** — Tool schemas, input validation, authorization | `scan --target <url> --mode mcp` | Connects to server, enumerates tools, tests each |
 | **Web Apps & APIs** — AI-powered copilots, agents, RAG pipelines | `scan --target <url> --mode deep --repo ./src` | API probing + source code analysis |
+| **Web Pentesting** — SQLi, XSS, SSRF, auth bypass, IDOR | `scan --target <url> --mode web` | Full autonomous web pentest, agents adapt per finding |
 | **npm Packages** — Dependency supply chain, malicious code | `audit <package>` | Installs in sandbox, runs semgrep + AI code review |
 | **Git Repositories** — Source-level security review | `review <path-or-url>` | Deep analysis with Claude Code, Codex, or Gemini CLI |
 
@@ -112,15 +135,15 @@ For a verbose view with the animated attack replay:
 npx pwnkit-cli scan --target https://your-app.com/api/chat --verbose
 ```
 
-## Scan Depth & Cost
+## Scan Depth
 
-| Depth | Test Cases | Time | Estimated Cost |
-|-------|-----------|------|----------------|
-| `quick` | ~15 | ~1 min | $0.05–$0.15 |
-| `default` | ~50 | ~3 min | $0.15–$0.50 |
-| `deep` | ~150 | ~10 min | $0.50–$1.00 |
+| Depth | Test Cases | Time |
+|-------|-----------|------|
+| `quick` | ~15 | ~1 min |
+| `default` | ~50 | ~3 min |
+| `deep` | ~150 | ~10 min |
 
-Default model is `anthropic/claude-sonnet-4.6` via [OpenRouter](https://openrouter.ai). Free tier available with `--model free`. You can also use OpenAI, Anthropic direct, or local models via Ollama.
+pwnkit is an agentic harness — bring your own AI. Use your API key (OpenRouter, Anthropic, OpenAI, Ollama), or use the Claude Code CLI or Codex CLI with your existing subscription via `--runtime claude` or `--runtime codex`.
 
 ```bash
 # Quick scan for CI
@@ -135,6 +158,9 @@ npx pwnkit-cli scan --target https://api.example.com/chat --runtime claude --mod
 # MCP server audit
 npx pwnkit-cli scan --target https://mcp-server.example.com --mode mcp --runtime claude
 
+# Full web pentest (SQLi, XSS, SSRF, auth bypass, IDOR)
+npx pwnkit-cli scan --target https://example.com --mode web --runtime claude
+
 # Audit an npm package
 npx pwnkit-cli audit react --depth deep --runtime claude
 
@@ -162,24 +188,26 @@ Combined with scan modes:
 | `probe` | `--mode probe` | Send payloads to API, check responses (default) |
 | `deep` | `--mode deep` | API probing + source code audit (requires `--repo`) |
 | `mcp` | `--mode mcp` | Connect to MCP server, enumerate tools, test each for security issues |
+| `web` | `--mode web` | Full web pentesting — SQLi, XSS, SSRF, auth bypass, IDOR |
 
-> `deep` and `mcp` modes require a process runtime (`claude`, `codex`, `gemini`, `opencode`, or `auto`).
+> `deep`, `mcp`, and `web` modes require a process runtime (`claude`, `codex`, `gemini`, `opencode`, or `auto`).
 
 ## How It Compares
 
 | Feature | pwnkit | promptfoo | garak | semgrep | nuclei |
 |---------|--------|-----------|-------|---------|--------|
-| **Agentic multi-turn pipeline** | Yes — Autonomous agents with tool use | No Single runner | No Single runner | No Rule-based | No Template runner |
+| **Agentic multi-turn pipeline** | Yes — Autonomous agents with tool use | No — Single runner | No — Single runner | No — Rule-based | No — Template runner |
 | **Verification (no false positives)** | Yes — Re-exploits to confirm | No | No | No | No |
 | **LLM endpoint scanning** | Yes — Prompt injection, jailbreaks, exfil | Yes — Red-teaming | Yes — Probes | No | No |
+| **Web pentesting (SQLi, XSS, SSRF, IDOR)** | Yes — `--mode web` | No | No | No | Partial — Templates only |
 | **MCP server security** | Yes — Tool poisoning, schema abuse | No | No | No | No |
 | **npm package audit** | Yes — Semgrep + AI review | No | No | Yes — Rules only | No |
 | **Source code review** | Yes — AI-powered deep analysis | No | No | Yes — Rules only | No |
 | **OWASP LLM Top 10** | Yes — 8/10 covered | Partial | Partial | N/A | N/A |
-| **SARIF + GitHub Security tab** | Yes — | Yes — | No | Yes — | Yes — |
+| **SARIF + GitHub Security tab** | Yes | Yes | No | Yes | Yes |
 | **One command, zero config** | Yes — `npx pwnkit-cli scan` | Needs YAML config | Needs Python setup | Needs rules config | Needs templates |
-| **Open source** | Yes — MIT | Yes — (acquired by OpenAI) | Yes — | Yes — | Yes — |
-| **Cost per scan** | $0.05–$1.00 | Varies | Free (local) | Free (OSS) / Paid (Pro) | Free |
+| **Open source** | Yes — Apache-2.0 | Yes — (acquired by OpenAI) | Yes — MIT | Yes — LGPL / Paid Pro | Yes — MIT |
+| **Pricing** | Free + bring your own AI | Varies | Free (local) | Free (OSS) / Paid (Pro) | Free |
 
 pwnkit isn't replacing semgrep or nuclei — it covers the AI-specific attack surface they can't see. Use them together.
 
@@ -257,7 +285,7 @@ Finding lifecycle: `discovered → verified → confirmed → scored → reporte
 
 ## Roadmap
 
-- [x] Core 4-agent pipeline (discover, attack, verify, report)
+- [x] Core autonomous agent pipeline (research, blind verify, report)
 - [x] OWASP LLM Top 10 coverage (8/10)
 - [x] SARIF output + GitHub Action
 - [x] MCP server scanning
@@ -265,6 +293,7 @@ Finding lifecycle: `discovered → verified → confirmed → scored → reporte
 - [x] Source code review (local + GitHub)
 - [x] Multi-runtime support (Claude, Codex, Gemini, OpenCode)
 - [x] Multi-turn agentic attacks (agents adapt payloads based on responses)
+- [x] Web pentesting mode (SQLi, XSS, SSRF, auth bypass, IDOR)
 - [ ] RAG pipeline security (poisoning, extraction)
 - [ ] Agentic workflow testing (multi-tool chains)
 - [ ] VS Code extension
@@ -275,7 +304,9 @@ Finding lifecycle: `discovered → verified → confirmed → scored → reporte
 
 Created by a security researcher with [7 published CVEs](https://doruk.ch/blog) across node-forge, mysql2, uptime-kuma, liquidjs, picomatch, and jspdf.
 
-pwnkit exists because traditional security tools can't see AI attack surfaces. You can't `nmap` a language model. You can't write a static rule for a jailbreak that hasn't been invented yet. You need agents that think like attackers — and then re-exploit what they find to prove it's real.
+pwnkit is a general-purpose autonomous pentesting framework. It exists because modern attack surfaces — LLM endpoints, MCP servers, AI-powered web apps — require agents that adapt, not static rules that don't. You can't `nmap` a language model. You can't write a rule for a jailbreak that hasn't been invented yet. And traditional web scanners don't understand context — they miss IDOR in paginated APIs and SSRF buried in AI pipeline callbacks.
+
+pwnkit uses autonomous agents that think like attackers, adapt their strategy mid-scan, and re-exploit every finding before reporting it. The result: real vulnerabilities, zero noise.
 
 ## Contributing
 
@@ -290,4 +321,4 @@ pnpm test
 
 ## License
 
-[MIT](LICENSE) — use it, fork it, ship it.
+[Apache 2.0](LICENSE) — use it, fork it, ship it.