npm - sicario-red-team - Versions diffs - 0.4.0 → 0.4.2 - Mend

sicario-red-team 0.4.0 → 0.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/bin/sicario.js CHANGED Viewed

@@ -28,7 +28,7 @@ const program = new Command();
 program
   .name('sicario')
   .description('Autonomous Agentic Red-Teaming Swarm Protocol')
-  .version('0.4.0');
+  .version('0.4.2');
 // Use a more robust way to import the command logic relative to this file
 const hitCommandPath = pathToFileURL(path.join(__dirname, '../src-cli/commands/hit.js')).href;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "sicario-red-team",
-  "version": "0.4.0",
+  "version": "0.4.2",
   "description": "Autonomous Agentic Red-Teaming Swarm Protocol",
   "type": "module",
   "files": [

package/src-cli/commands/hit.js CHANGED Viewed

@@ -109,6 +109,7 @@ export async function hitCommand(target, options) {
             log.success(`[Breacher] : Analysis complete. ${breachReports.length} vulnerabilities isolated.`);
             if (client && missionId) await client.mutation('handler:logMessage', { missionId, type: 'Breacher', message: `Analysis complete. Found ${breachReports.length} vectors.` });
+            const verifiedBreachReports = [];
             for (const breachReport of breachReports) {
                 // 5.1 [Critic] Verification (Internal Affairs)
                 log.step(`[Critic] : Verifying ${breachReport.title}...`);
@@ -120,6 +121,8 @@ export async function hitCommand(target, options) {
                     continue; // Skip false positive
                 }
+                verifiedBreachReports.push(breachReport);
                 // 6. Sanitization Layer (The Anti-Crash Upgrade)
                 const sanitize = (raw) => ({
                     title: raw.title || "Unknown Logic Flaw",
@@ -191,7 +194,7 @@ export async function hitCommand(target, options) {
                 }
             }
-            if (breachReports.length === 0) {
+            if (verifiedBreachReports.length === 0) {
                 const forms = elements.filter(e => e.tag === 'form').length;
                 const inputs = elements.filter(e => e.tag === 'input' || e.tag === 'textarea').length;
                 const actions = elements.filter(e => e.tag === 'button' || e.tag === 'a').length;
@@ -208,8 +211,8 @@ export async function hitCommand(target, options) {
             // 6. Mission Dossier
             const summaryLines = [
                 `${theme.dim('Target')}           ${theme.bold(finalTarget)}`,
-                `${theme.dim('Nodes Recalled')}   ${theme.bold(options.swarm ? '7 (Scout, Ghost, Accountant, Admin, Chaos, Architect, Ghost)' : '3 (Scout, Ghost, Breacher)')}`,
-                `${theme.dim('Breaches Found')}    ${breachReports.length > 0 ? pc.red(pc.bold(breachReports.length)) : theme.bold('0')}`,
+                `${theme.dim('Nodes Recalled')}   ${theme.bold(options.swarm ? '6 (Scout, Ghost, Accountant, Admin, Chaos, Architect)' : '3 (Scout, Ghost, Breacher)')}`,
+                `${theme.dim('Breaches Found')}    ${verifiedBreachReports.length > 0 ? pc.red(pc.bold(verifiedBreachReports.length)) : theme.bold('0')}`,
                 `${theme.dim('Status')}           ${theme.success('MISSION SUCCESSFUL')}`
             ];
@@ -217,6 +220,12 @@ export async function hitCommand(target, options) {
             summaryLines.forEach(line => console.log(pc.green(`│  ${line.padEnd(54)} │`)));
             console.log(pc.green(`└  Mission complete. Trace extraction successful.          ╯`));
+            // 7. Security Signature (Certificate of Authenticity)
+            console.log(pc.dim('\nSYSTEM SIGNATURE:'));
+            console.log(pc.dim(`SHA-256: ${require('crypto').createHash('sha256').update(finalTarget + Date.now()).digest('hex').substring(0, 32)}`));
+            console.log(pc.dim(`AGENT ID: ${Math.random().toString(36).substring(7).toUpperCase()}`));
+            console.log(pc.dim(`TIMESTAMP: ${new Date().toISOString()}`));
         } catch (error) {
             log.error('[Breacher] : Analysis node failure.');
             log.error(error.message);

package/src-cli/nodes/breacher.js CHANGED Viewed

@@ -86,13 +86,14 @@ export async function runCritic(finding, elements) {
     });
     const systemPrompt = `
-You are the "Internal Affairs" auditor for the Sicario Swarm.
-Your goal is to debunk high-value findings from the Breacher nodes.
-SKEPTICAL AUDIT PROTOCOL:
-1. Is the vulnerability actually exploitable in a modern framework (NextJS, Nest, Rails)?
-2. Is the "Attack Vector" a hallucination or a real technical path?
-3. If you can't find a realistic path to exploitation, you MUST mark it as falsePositive.
+You are the "Internal Affairs" auditor for the Sicario Swarm.
+Your goal is to mercilessly debunk high-value findings from the Breacher nodes to ensure zero-false-positive reports.
+ADVERSARIAL AUDIT PROTOCOL:
+1. BUG vs. EXPLOIT: Is it just a "best practice" violation (e.g. missing label) or a real technical path to catastrophe? Debunk the former.
+2. FRAMEWORK GUARDS: Modern frameworks (React, Next.js, Django) auto-sanitize many vectors. Does this finding survive server-side auto-escaping?
+3. SKEPTICISM: Treat every finding as a hallucination until you can map a specific, realistic user-flow to exploitation.
+4. IDOR/STATE FOCUS: Prioritize Insecure Direct Object References and state-bypass. Be ruthless with generic "Input Validation" reports.
 RETURN VALID JSON:
 {