swarmhack-cli 2.0.0 → 2.3.0

package/README.md

@@ -2,22 +2,21 @@
 
 Neural swarm-based penetration testing framework.
 
-## What's New in v2.0.0
-
-**v2.0.0 -- Major Release**
-
-- **Confidence Calibration System** -- Evidence-based confidence scoring (0.60-1.0) replacing fixed 1.0. Each finding's confidence reflects actual proof quality: heuristic detection (0.60), response pattern match (0.90), marker-based confirmation (0.99), synthesized from confirmed data (1.0).
-- **Full Kill Chain Automation** -- Single command executes: external web scan -> credential extraction -> SSH lateral movement -> privilege escalation -> SSH tunnel -> internal target scanning. Zero human intervention.
-- **Credential Correlation** -- 12 regex patterns extract credentials from HTML response bodies (SSH creds in admin pages, connection strings, API keys, Bearer tokens). Extracted creds automatically propagated via Intelligence Bus to SSH/auth agents.
-- **Privilege Escalation Chain Synthesis (ADR-009)** -- Post-processing creates standalone "www-data -> root" findings from CMDI post-exploitation data (sudo NOPASSWD, SUID binaries, Docker socket).
-- **.env File Deep Extraction** -- CMDI agent reads .env files via command injection, parses SSH/DB/API credentials with category classification (ssh_credential, database_credential, api_key, network_topology).
-- **Internal Tunnel Scanning (ADR-010)** -- After SSH pivot discovers dual-homed hosts, automatically opens SSH tunnel via portable-pty and spawns new kill chain against internal targets.
-- **SSRF CVE Correlation** -- 10-CVE payload map (CVE-2021-44224, ProxyLogon, Log4Shell, etc.). SSRF agent reads vulnerable_components findings and generates CVE-specific exploitation payloads.
-- **SQLi Time-Based Confirmation** -- 3-step verification: retry payload, send SLEEP(0) control, confirm only if retry delayed AND control fast. Eliminates jitter false positives.
-- **XXE Confidence Grading** -- Tiered confidence: heuristic-only (0.60), marker match (0.90), with deep exploitation output (1.0). OOB callback infrastructure ready (callback_url config).
-- **SONA Self-Learning (Phase 1)** -- Optional `--features self-learning` wires ruvector-sona for payload trajectory recording and adaptive recommendations.
-- **32 Exploit Agents** -- Added session_fixation, dangerous_methods, pivot, plus enhanced all ADR-003 agents with memory deduplication and Intelligence Bus integration.
-- **Smart Pivot Optimization** -- Port-scanned reachable hosts tried first, failed hosts skipped after timeout, SSH ConnectTimeout reduced to 3s for fast iteration.
+## What's New in v2.1.0
+
+**v2.1.0 -- Quality, OCSF Compliance & Service-Driven Discovery Foundation**
+
+- **Agent Plugin Registry (ADR-011)** -- Scalable plugin system: adding a new agent is one file + one registry line. 26 plugins registered (23 legacy web agents + nmap scanner + FTP probe + SSH probe). Foundation for 100+ agents.
+- **Nmap-First Port Discovery** -- Every mission starts with nmap port/service discovery (canonical entry point). Discovered services route to the correct agents automatically via ServiceRouter. Falls back to URL-based inference when nmap is unavailable.
+- **FTP & SSH Probe Agents** -- New non-HTTP agents: FTP anonymous login + default credential testing, SSH banner analysis + weak version CVE detection. First protocol-aware agents beyond HTTP.
+- **OCSF 1.1.0 Full Compliance** -- `type_uid` corrected to 600105, `severity_id` added at finding level, crown jewel deduplication by (category, value), findings sorted by generation ascending + risk_score descending.
+- **Crown Jewel Sanitization** -- 5-rule system: short values always full, api_key never truncated, credential summaries up to 200 chars, session tokens format-preserving (`PHPSESSID=abcd...wxyz`), fallback 500-char cap.
+- **False Positive Elimination** -- LFI agent filters PHP payloads on ASP.NET/IIS targets, IDOR agent no longer fabricates synthetic parameters, Default Credentials uses discovered form field names, CVE-2021-31166 version rule narrowed.
+- **Risk Score Calibration** -- Info=1.0, Low=3.0, Medium=5.0, High=7.5, Critical=10.0 base scores. robots.txt now scores ~0.2 (was 0.9), SQLi auth bypass scores ~9.0 (was 5.63).
+- **Security Fixes** -- Shell injection in askpass helper patched, TLS verification restored in file_upload/xxe agents, PII redaction in OCSF reports.
+- **CI Pipeline** -- `cargo test` + `cargo clippy` now run on every push/PR (was build-only).
+- **Version Banner** -- Uses `CARGO_PKG_VERSION` (no more hardcoded v1.0.0).
+- **83 new regression tests** -- 46 for v2.1.0 quality fixes + 37 for ADR-011 Phase 1.
 
 ## Installation
 
@@ -161,7 +160,7 @@ If npm installation fails, use Docker:
 docker run --rm \
   -v /var/run/docker.sock:/var/run/docker.sock \
   -v $(pwd)/reports:/app/reports \
-  prancer/swarmhack:2.0.0 \
+  prancer/swarmhack:2.1.0 \
   spawn --agents sqli --target "http://example.com" \
   --customer "your-customer" --token "your-token"
 ```
@@ -221,7 +220,7 @@ swarmhack spawn \
 - The `--header` flag is repeatable -- add as many custom headers as needed
 - All agents (SQLi, XSS, CSRF, etc.) automatically include your custom headers in every request
 
-## Available Agents (32)
+## Available Agents (35)
 
 | Agent | CWE | Description |
 |-------|-----|-------------|
@@ -250,6 +249,9 @@ swarmhack spawn \
 | `vulnerable_components` | CWE-1035 | Version fingerprinting + CVE lookup (30 CVEs) |
 | `pivot` | — | SSH lateral movement, tunnel scanning, credential reuse |
 | `idor` (enhanced) | CWE-639 | Object reference enumeration with credential correlation |
+| `nmap_scanner` | — | Port discovery, service detection, NSE vulnerability scanning |
+| `ftp_probe` | CWE-287 | FTP anonymous login, default credentials, banner analysis |
+| `ssh_probe` | CWE-327 | SSH banner analysis, weak version CVE detection |
 
 ## OCSF Reports
 
@@ -291,6 +293,20 @@ Get your token from [Prancer Portal](https://portal.prancer.io) → Settings →
 
 ## Changelog
 
+### v2.1.0
+- Agent plugin registry (ADR-011): scalable plugin system for 100+ agents (one file + one registry line per agent)
+- Nmap-first port discovery: canonical entry point, automatic service-to-agent routing
+- FTP probe agent: anonymous login, default credential testing, banner analysis
+- SSH probe agent: banner analysis, weak version CVE detection
+- OCSF 1.1.0 compliance: type_uid=600105, severity_id at finding level, crown jewel dedup, finding sort order
+- Crown jewel sanitization: 5-rule system (api_key never truncated, format-preserving session tokens)
+- False positive elimination: LFI tech-stack filter, IDOR no synthetic params, default creds uses discovered form fields, CVE-2021-31166 narrowed
+- Risk score calibration: Info=1.0, Low=3.0, Medium=5.0, High=7.5, Critical=10.0
+- Security fixes: shell injection in askpass, TLS verification restored, PII redaction in reports
+- CI pipeline: cargo test + cargo clippy (was build-only)
+- 83 new regression tests (46 quality fixes + 37 ADR-011 Phase 1)
+- 35 exploit agents (was 32): added nmap_scanner, ftp_probe, ssh_probe
+
 ### v2.0.0
 - Confidence calibration system: evidence-based scoring (0.60-1.0) replacing fixed 1.0
 - Full kill chain automation: web scan -> credential extraction -> SSH pivot -> privilege escalation -> internal scanning

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "swarmhack-cli",
-  "version": "2.0.0",
+  "version": "2.3.0",
   "description": "SwarmHack - Neural swarm-based penetration testing framework",
   "author": "Prancer <support@prancer.io>",
   "license": "MIT",