uneven-ai 1.0.4 → 1.0.6

package/CHANGELOG.md

@@ -5,6 +5,34 @@ All notable changes to Uneven AI will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.6] - 2026-04-16
+
+### Fixed
+
+- **askf**: parser no longer creates spurious `output.*` files from unlabelled code blocks in LLM explanation sections (Pattern 3)
+- **askf**: `parseFilesWithId` now tolerates optional whitespace/blank line between filename and opening code fence — silent parse failures eliminated
+- **license**: `parseKey` no longer rejects all `UNVN-PRO-*` / `UNVN-TEAM-*` keys as malformed (wrong prefix `TMR` → `UNVN`)
+- **license**: gate message now shows correct command `uneven-ai license activate` (was missing `-ai`)
+- **analyze**: `--package-exe` flag now works in batch mode — packager was instantiated but never called
+- **packager**: replaced `execFile` + `stdio: inherit` (unsupported) with `spawn` for real-time pkg output streaming
+- **dashboard**: chart gridline colors corrected for light theme (`#1e293b` → `#e2e8f0`)
+- **engine**: `readExcelFile` row cap guard moved before `rows.push` (was accumulating rows past the 500-row limit)
+- **engine**: formula cells now resolved via `v.result` instead of rendering as `[object Object]`
+- **engine**: `.xls` (legacy BIFF format) now detected early with a clear warning instead of silently returning empty string
+
+### Added
+
+- **test**: unit tests for `isValidTarget` — IPv4, CIDR, hostname, wildcard, localhost, edge cases (12 tests)
+- **test**: unit tests for `parseFiles` and `parseFilesWithId` — all patterns including spurious-file regression (11 tests)
+
+## [1.0.5] - 2026-04-16
+
+### Fixed
+
+- **config**: `uneven.config.ts` changes now applied automatically on every command — no longer requires manual edit of `.uneven/config.json` or re-running `uneven init`
+- **init**: default Gemini model changed from `gemini-2.0-flash` to `gemini-2.5-flash`
+- **index-planner**: added `gemini-2.5-flash` pricing entry to cost estimation table
+
 ## [1.0.4] - 2026-04-16
 
 ### Fixed

package/dist/cli/commands/init.js

@@ -48,9 +48,9 @@ function defaultModelFor(provider) {
         ollama: 'llama3.2',
         claude: 'claude-sonnet-4-6',
         openai: 'gpt-4o-mini',
-        gemini: 'gemini-2.0-flash',
+        gemini: 'gemini-2.5-flash',
     };
-    return MAP[provider] ?? 'gemini-2.0-flash';
+    return MAP[provider] ?? 'gemini-2.5-flash';
 }
 function makeConfig(provider, threads, gpuLayers) {
     const model = defaultModelFor(provider);

package/dist/core/active-scanner.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Active Scanner — Phase 3
+ *
+ * Real network-based probes against authorized targets only.
+ * Uses only Node.js built-ins (net, tls, https, http) — zero extra deps.
+ *
+ * Checks:
+ *   1. Port scan          — TCP connect scan on common/dangerous ports
+ *   2. HTTP header audit  — missing security headers, server version disclosure
+ *   3. SSL/TLS audit      — expired cert, TLS 1.0/1.1, self-signed, weak cipher
+ *   4. CORS reflection    — tests if server reflects arbitrary Origin header
+ *   5. HTTP methods       — checks for dangerous methods (PUT, DELETE, TRACE)
+ *
+ * Every probe is guarded by PentestSecurityContext.checkTarget() before execution.
+ * All results are written to .uneven/pentest-audit.log.
+ */
+import { Logger } from './logger/index.js';
+import { PentestSecurityContext } from './pentest-security-context.js';
+import { type SecurityFinding } from './security-analyzer.js';
+export declare class ActiveScanner {
+    private logger;
+    private ctx;
+    private auditLog;
+    constructor(logger: Logger, ctx: PentestSecurityContext);
+    scanPorts(target: string): Promise<SecurityFinding[]>;
+    auditHeaders(target: string): Promise<SecurityFinding[]>;
+    auditTLS(target: string): Promise<SecurityFinding[]>;
+    testCORS(target: string): Promise<SecurityFinding[]>;
+    testDangerousMethods(target: string): Promise<SecurityFinding[]>;
+    runAgainstTarget(target: string): Promise<SecurityFinding[]>;
+    private audit;
+    private flushAuditLog;
+}
+//# sourceMappingURL=active-scanner.d.ts.map

package/dist/core/active-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"active-scanner.d.ts","sourceRoot":"","sources":["../../src/core/active-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAQH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAA;AAC1C,OAAO,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAA;AACtE,OAAO,EAAE,KAAK,eAAe,EAAE,MAAM,wBAAwB,CAAA;AAyI7D,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAQ;IACtB,OAAO,CAAC,GAAG,CAAwB;IACnC,OAAO,CAAC,QAAQ,CAAe;gBAEnB,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,sBAAsB;IAOjD,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC;IA8CrD,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC;IA8GxD,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC;IA4EpD,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC;IAoEpD,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC;IA0ChE,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC;IAwBlE,OAAO,CAAC,KAAK;YAKC,aAAa;CAQ5B"}

package/dist/core/active-scanner.js

@@ -0,0 +1,454 @@
+/**
+ * Active Scanner — Phase 3
+ *
+ * Real network-based probes against authorized targets only.
+ * Uses only Node.js built-ins (net, tls, https, http) — zero extra deps.
+ *
+ * Checks:
+ *   1. Port scan          — TCP connect scan on common/dangerous ports
+ *   2. HTTP header audit  — missing security headers, server version disclosure
+ *   3. SSL/TLS audit      — expired cert, TLS 1.0/1.1, self-signed, weak cipher
+ *   4. CORS reflection    — tests if server reflects arbitrary Origin header
+ *   5. HTTP methods       — checks for dangerous methods (PUT, DELETE, TRACE)
+ *
+ * Every probe is guarded by PentestSecurityContext.checkTarget() before execution.
+ * All results are written to .uneven/pentest-audit.log.
+ */
+import * as net from 'net';
+import * as tls from 'tls';
+import * as https from 'https';
+import * as http from 'http';
+import * as fs from 'fs/promises';
+import * as path from 'path';
+// ─── Timeouts ─────────────────────────────────────────────────────────────────
+const CONNECT_TIMEOUT_MS = 3000;
+const HTTP_TIMEOUT_MS = 8000;
+const PORTS = [
+    { port: 21, service: 'FTP', dangerous: true, severity: 'high', cvss: 7.5, message: 'FTP (port 21) is open — transmits credentials in plain text', recommendation: 'Disable FTP. Use SFTP (port 22) instead.' },
+    { port: 22, service: 'SSH', dangerous: false, severity: 'info', cvss: 0, message: 'SSH (port 22) open', recommendation: 'Ensure SSH uses key authentication and has fail2ban/rate limiting.' },
+    { port: 23, service: 'Telnet', dangerous: true, severity: 'critical', cvss: 9.8, message: 'Telnet (port 23) is open — unencrypted remote access', recommendation: 'Disable Telnet immediately. Use SSH.' },
+    { port: 25, service: 'SMTP', dangerous: false, severity: 'info', cvss: 0, message: 'SMTP (port 25) open', recommendation: 'Ensure SMTP relay is restricted. Enable STARTTLS.' },
+    { port: 80, service: 'HTTP', dangerous: false, severity: 'info', cvss: 0, message: 'HTTP (port 80) open', recommendation: 'Redirect all HTTP to HTTPS.' },
+    { port: 443, service: 'HTTPS', dangerous: false, severity: 'info', cvss: 0, message: 'HTTPS (port 443) open', recommendation: 'Verify TLS configuration.' },
+    { port: 3306, service: 'MySQL', dangerous: true, severity: 'critical', cvss: 9.8, message: 'MySQL (port 3306) exposed to network — database should not be publicly accessible', recommendation: 'Bind MySQL to 127.0.0.1. Use a firewall to block external access.' },
+    { port: 5432, service: 'PostgreSQL', dangerous: true, severity: 'critical', cvss: 9.8, message: 'PostgreSQL (port 5432) exposed to network', recommendation: 'Bind PostgreSQL to 127.0.0.1. Use a firewall.' },
+    { port: 6379, service: 'Redis', dangerous: true, severity: 'critical', cvss: 10.0, message: 'Redis (port 6379) exposed — often has no authentication by default', recommendation: 'Bind to 127.0.0.1, enable requirepass, use TLS.' },
+    { port: 27017, service: 'MongoDB', dangerous: true, severity: 'critical', cvss: 10.0, message: 'MongoDB (port 27017) exposed — may allow unauthenticated access', recommendation: 'Enable authentication, bind to localhost, restrict with firewall.' },
+    { port: 5984, service: 'CouchDB', dangerous: true, severity: 'critical', cvss: 9.8, message: 'CouchDB (port 5984) exposed — web-accessible database', recommendation: 'Restrict CouchDB to localhost. Enable authentication.' },
+    { port: 9200, service: 'Elasticsearch', dangerous: true, severity: 'critical', cvss: 10.0, message: 'Elasticsearch (port 9200) exposed — no authentication by default in older versions', recommendation: 'Enable X-Pack security, restrict access with firewall.' },
+    { port: 8080, service: 'HTTP-alt', dangerous: false, severity: 'low', cvss: 3.1, message: 'Alternate HTTP port 8080 open — may expose admin panels or dev servers', recommendation: 'Verify what service is running. Restrict if not needed publicly.' },
+    { port: 8443, service: 'HTTPS-alt', dangerous: false, severity: 'info', cvss: 0, message: 'Alternate HTTPS port 8443 open', recommendation: 'Verify what service is running.' },
+    { port: 4444, service: 'Metasploit', dangerous: true, severity: 'critical', cvss: 10.0, message: 'Port 4444 open — common Metasploit handler / backdoor port', recommendation: 'Investigate immediately. Close if unauthorized.' },
+    { port: 1433, service: 'MSSQL', dangerous: true, severity: 'critical', cvss: 9.8, message: 'MSSQL (port 1433) exposed to network', recommendation: 'Restrict MSSQL to internal network only. Enable Windows Authentication.' },
+    { port: 2375, service: 'Docker', dangerous: true, severity: 'critical', cvss: 10.0, message: 'Docker API (port 2375) exposed without TLS — full container control possible', recommendation: 'Never expose Docker API without TLS. Use unix socket instead.' },
+    { port: 9000, service: 'Portainer/PHP-FPM', dangerous: true, severity: 'high', cvss: 8.6, message: 'Port 9000 open — Portainer admin or PHP-FPM may be exposed', recommendation: 'Restrict to internal network. Enable authentication.' },
+];
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+function tcpConnect(host, port, timeoutMs) {
+    return new Promise(resolve => {
+        const sock = net.createConnection({ host, port });
+        const timer = setTimeout(() => { sock.destroy(); resolve(false); }, timeoutMs);
+        sock.on('connect', () => { clearTimeout(timer); sock.destroy(); resolve(true); });
+        sock.on('error', () => { clearTimeout(timer); resolve(false); });
+    });
+}
+function httpRequest(options, useHttps) {
+    return new Promise((resolve, reject) => {
+        const mod = useHttps ? https : http;
+        const req = mod.request({ ...options, rejectUnauthorized: false }, res => {
+            let body = '';
+            res.on('data', (chunk) => { body += chunk.toString('utf-8'); });
+            res.on('end', () => resolve({
+                statusCode: res.statusCode ?? 0,
+                headers: res.headers,
+                body: body.slice(0, 4096),
+            }));
+        });
+        req.setTimeout(HTTP_TIMEOUT_MS, () => { req.destroy(); reject(new Error('timeout')); });
+        req.on('error', reject);
+        req.end();
+    });
+}
+function parseTlsInfo(host, port) {
+    return new Promise(resolve => {
+        const sock = tls.connect({ host, port, rejectUnauthorized: false, timeout: CONNECT_TIMEOUT_MS }, () => {
+            const cert = sock.getPeerCertificate();
+            const protocol = sock.getProtocol() ?? 'unknown';
+            if (!cert || !cert.valid_to) {
+                sock.destroy();
+                resolve(null);
+                return;
+            }
+            const expiry = new Date(cert.valid_to);
+            const now = new Date();
+            const daysToExpiry = Math.floor((expiry.getTime() - now.getTime()) / 86400000);
+            const selfSigned = cert.issuer?.CN === cert.subject?.CN;
+            resolve({
+                valid: sock.authorized,
+                expired: daysToExpiry < 0,
+                selfSigned,
+                daysToExpiry,
+                protocol,
+                subject: String(cert.subject?.CN ?? ''),
+                issuer: String(cert.issuer?.CN ?? ''),
+            });
+            sock.destroy();
+        });
+        sock.setTimeout(CONNECT_TIMEOUT_MS, () => { sock.destroy(); resolve(null); });
+        sock.on('error', () => resolve(null));
+    });
+}
+function resolveHostPort(target) {
+    // Handles: example.com, 192.168.1.1, https://example.com, example.com:8443
+    let raw = target;
+    let useHttps = true;
+    let defaultPort = 443;
+    if (raw.startsWith('http://')) {
+        raw = raw.slice(7);
+        useHttps = false;
+        defaultPort = 80;
+    }
+    else if (raw.startsWith('https://')) {
+        raw = raw.slice(8);
+    }
+    const [host, portStr] = raw.split(':');
+    const port = portStr ? parseInt(portStr, 10) : defaultPort;
+    return { host: host ?? raw, port, https: useHttps };
+}
+// ─── Main class ───────────────────────────────────────────────────────────────
+export class ActiveScanner {
+    logger;
+    ctx;
+    auditLog = [];
+    constructor(logger, ctx) {
+        this.logger = logger;
+        this.ctx = ctx;
+    }
+    // ── 1. Port scan ─────────────────────────────────────────────────────────────
+    async scanPorts(target) {
+        const { host } = resolveHostPort(target);
+        await this.logger.info(`ActiveScan: port scan → ${host}`);
+        const findings = [];
+        const openPorts = [];
+        await Promise.all(PORTS.map(async (def) => {
+            const check = await this.ctx.checkTarget(`${host}:${def.port}`);
+            if (check.blocked) {
+                this.audit(`BLOCKED port scan ${host}:${def.port} — ${check.reason}`);
+                return;
+            }
+            const open = await tcpConnect(host, def.port, CONNECT_TIMEOUT_MS);
+            this.audit(`port ${host}:${def.port} (${def.service}) — ${open ? 'OPEN' : 'closed'}`);
+            if (!open)
+                return;
+            openPorts.push(def.port);
+            if (def.dangerous) {
+                findings.push({
+                    severity: def.severity,
+                    type: `ActiveScan: Exposed Port (${def.service})`,
+                    message: def.message,
+                    recommendation: def.recommendation,
+                    cvss: def.cvss,
+                    match: `${host}:${def.port}`,
+                });
+            }
+            else if (def.severity !== 'info') {
+                findings.push({
+                    severity: def.severity,
+                    type: `ActiveScan: Open Port (${def.service})`,
+                    message: def.message,
+                    recommendation: def.recommendation,
+                    cvss: def.cvss,
+                    match: `${host}:${def.port}`,
+                });
+            }
+        }));
+        await this.logger.info(`ActiveScan: ${openPorts.length} open ports on ${host}`);
+        return findings;
+    }
+    // ── 2. HTTP header audit ─────────────────────────────────────────────────────
+    async auditHeaders(target) {
+        const { host, port, https: useHttps } = resolveHostPort(target);
+        await this.logger.info(`ActiveScan: HTTP header audit → ${host}:${port}`);
+        const findings = [];
+        const check = await this.ctx.checkTarget(target);
+        if (check.blocked) {
+            this.audit(`BLOCKED header audit ${target} — ${check.reason}`);
+            return [];
+        }
+        let res;
+        try {
+            res = await httpRequest({ host, port, path: '/', method: 'GET' }, useHttps);
+        }
+        catch {
+            return [];
+        }
+        this.audit(`HTTP header audit ${host}:${port} — ${res.statusCode}`);
+        const h = res.headers;
+        const REQUIRED = [
+            {
+                header: 'Strict-Transport-Security', key: 'strict-transport-security',
+                severity: 'high', cvss: 6.5,
+                message: `Missing Strict-Transport-Security (HSTS) on ${host} — users can be downgraded to HTTP`,
+                recommendation: "Add: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload",
+            },
+            {
+                header: 'Content-Security-Policy', key: 'content-security-policy',
+                severity: 'high', cvss: 6.1,
+                message: `Missing Content-Security-Policy on ${host} — XSS has no browser-level mitigation`,
+                recommendation: "Define a CSP. Minimum: Content-Security-Policy: default-src 'self'",
+            },
+            {
+                header: 'X-Content-Type-Options', key: 'x-content-type-options',
+                severity: 'medium', cvss: 4.3,
+                message: `Missing X-Content-Type-Options: nosniff on ${host}`,
+                recommendation: "Add: X-Content-Type-Options: nosniff",
+            },
+            {
+                header: 'X-Frame-Options', key: 'x-frame-options',
+                severity: 'medium', cvss: 4.3,
+                message: `Missing X-Frame-Options on ${host} — clickjacking possible`,
+                recommendation: "Add: X-Frame-Options: SAMEORIGIN",
+            },
+            {
+                header: 'Referrer-Policy', key: 'referrer-policy',
+                severity: 'low', cvss: 3.1,
+                message: `Missing Referrer-Policy on ${host} — referrer URL may leak sensitive paths`,
+                recommendation: "Add: Referrer-Policy: strict-origin-when-cross-origin",
+            },
+            {
+                header: 'Permissions-Policy', key: 'permissions-policy',
+                severity: 'low', cvss: 2.6,
+                message: `Missing Permissions-Policy on ${host} — browser features not explicitly restricted`,
+                recommendation: "Add: Permissions-Policy: camera=(), microphone=(), geolocation=()",
+            },
+        ];
+        for (const rule of REQUIRED) {
+            if (!h[rule.key]) {
+                findings.push({
+                    severity: rule.severity,
+                    type: `ActiveScan: Missing ${rule.header}`,
+                    message: rule.message,
+                    recommendation: rule.recommendation,
+                    cvss: rule.cvss,
+                    match: host,
+                });
+            }
+        }
+        // Server version disclosure
+        const server = h['server'];
+        if (server && /[\d.]+/.test(server)) {
+            findings.push({
+                severity: 'low', cvss: 3.7,
+                type: 'ActiveScan: Server Version Disclosure',
+                message: `Server header reveals version: "${server}" — aids fingerprinting attacks`,
+                recommendation: 'Remove version from Server header. Use a generic value or remove it entirely.',
+                match: server,
+            });
+        }
+        // X-Powered-By disclosure
+        const powered = h['x-powered-by'];
+        if (powered) {
+            findings.push({
+                severity: 'low', cvss: 3.1,
+                type: 'ActiveScan: X-Powered-By Disclosure',
+                message: `X-Powered-By header reveals technology: "${powered}"`,
+                recommendation: "Remove X-Powered-By header: app.disable('x-powered-by') or use helmet().",
+                match: powered,
+            });
+        }
+        return findings;
+    }
+    // ── 3. SSL/TLS audit ─────────────────────────────────────────────────────────
+    async auditTLS(target) {
+        const { host, port } = resolveHostPort(target);
+        await this.logger.info(`ActiveScan: TLS audit → ${host}:${port}`);
+        const findings = [];
+        const check = await this.ctx.checkTarget(target);
+        if (check.blocked) {
+            this.audit(`BLOCKED TLS audit ${target} — ${check.reason}`);
+            return [];
+        }
+        const info = await parseTlsInfo(host, port);
+        if (!info) {
+            this.audit(`TLS audit ${host}:${port} — no TLS or unreachable`);
+            return [];
+        }
+        this.audit(`TLS ${host}:${port} — protocol=${info.protocol} expired=${info.expired} selfSigned=${info.selfSigned} daysLeft=${info.daysToExpiry}`);
+        // Expired certificate
+        if (info.expired) {
+            findings.push({
+                severity: 'critical', cvss: 9.8,
+                type: 'ActiveScan: Expired TLS Certificate',
+                message: `TLS certificate on ${host}:${port} expired ${Math.abs(info.daysToExpiry)} day(s) ago — browsers will block the site`,
+                recommendation: 'Renew the certificate immediately. Use Let\'s Encrypt for automatic renewal.',
+                match: `${host}:${port}`,
+            });
+        }
+        else if (info.daysToExpiry < 30) {
+            findings.push({
+                severity: 'high', cvss: 7.5,
+                type: 'ActiveScan: TLS Certificate Expiring Soon',
+                message: `TLS certificate on ${host}:${port} expires in ${info.daysToExpiry} day(s)`,
+                recommendation: 'Renew the certificate before it expires. Set up auto-renewal with certbot.',
+                match: `${host}:${port}`,
+            });
+        }
+        // Self-signed certificate
+        if (info.selfSigned) {
+            findings.push({
+                severity: 'high', cvss: 7.4,
+                type: 'ActiveScan: Self-Signed Certificate',
+                message: `${host}:${port} uses a self-signed certificate — not trusted by browsers, vulnerable to MITM`,
+                recommendation: 'Replace with a certificate from a trusted CA. Let\'s Encrypt provides free certificates.',
+                match: info.subject,
+            });
+        }
+        // Deprecated TLS version
+        if (info.protocol === 'TLSv1' || info.protocol === 'TLSv1.1') {
+            findings.push({
+                severity: 'high', cvss: 7.4,
+                type: `ActiveScan: Deprecated TLS (${info.protocol})`,
+                message: `${host}:${port} negotiated ${info.protocol} — deprecated and vulnerable to POODLE/BEAST attacks`,
+                recommendation: 'Disable TLS 1.0 and 1.1. Require TLS 1.2 minimum, prefer TLS 1.3.',
+                match: info.protocol,
+            });
+        }
+        // No TLS 1.3
+        if (info.protocol !== 'TLSv1.3' && !info.expired) {
+            findings.push({
+                severity: 'info', cvss: 0,
+                type: 'ActiveScan: TLS 1.3 Not Negotiated',
+                message: `${host}:${port} did not negotiate TLS 1.3 (got ${info.protocol}) — modern clients prefer TLS 1.3`,
+                recommendation: 'Enable TLS 1.3 support on the server for better security and performance.',
+                match: info.protocol,
+            });
+        }
+        return findings;
+    }
+    // ── 4. CORS reflection test ───────────────────────────────────────────────────
+    async testCORS(target) {
+        const { host, port, https: useHttps } = resolveHostPort(target);
+        await this.logger.info(`ActiveScan: CORS test → ${host}:${port}`);
+        const findings = [];
+        const check = await this.ctx.checkTarget(target);
+        if (check.blocked) {
+            this.audit(`BLOCKED CORS test ${target} — ${check.reason}`);
+            return [];
+        }
+        const EVIL_ORIGIN = 'https://evil.attacker-example.com';
+        let res;
+        try {
+            res = await httpRequest({
+                host, port,
+                path: '/',
+                method: 'GET',
+                headers: { Origin: EVIL_ORIGIN },
+            }, useHttps);
+        }
+        catch {
+            return [];
+        }
+        this.audit(`CORS test ${host}:${port} — ACAO=${res.headers['access-control-allow-origin']}`);
+        const acao = res.headers['access-control-allow-origin'];
+        const acac = res.headers['access-control-allow-credentials'];
+        // Server reflects arbitrary origin
+        if (acao === EVIL_ORIGIN) {
+            findings.push({
+                severity: 'high', cvss: 8.1,
+                type: 'ActiveScan: CORS Origin Reflection',
+                message: `${host} reflects any Origin header in Access-Control-Allow-Origin — any website can make credentialed cross-origin requests`,
+                recommendation: 'Replace origin reflection with an explicit allowlist. Never echo Origin without validation.',
+                match: acao,
+            });
+        }
+        // Null origin allowed
+        if (acao === 'null') {
+            findings.push({
+                severity: 'high', cvss: 7.4,
+                type: 'ActiveScan: CORS Null Origin Allowed',
+                message: `${host} allows Origin: null — can be exploited from sandboxed iframes and local files`,
+                recommendation: 'Remove null from the CORS origin allowlist.',
+                match: 'null',
+            });
+        }
+        // Wildcard with credentials
+        if (acao === '*' && acac === 'true') {
+            findings.push({
+                severity: 'critical', cvss: 9.8,
+                type: 'ActiveScan: CORS Wildcard + Credentials',
+                message: `${host} sends Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true — browsers reject this, but it indicates a server misconfiguration`,
+                recommendation: "Replace '*' with an explicit origin. You cannot use wildcard with credentials: true.",
+                match: `${acao} + credentials`,
+            });
+        }
+        return findings;
+    }
+    // ── 5. HTTP dangerous methods ─────────────────────────────────────────────────
+    async testDangerousMethods(target) {
+        const { host, port, https: useHttps } = resolveHostPort(target);
+        await this.logger.info(`ActiveScan: HTTP methods → ${host}:${port}`);
+        const findings = [];
+        const check = await this.ctx.checkTarget(target);
+        if (check.blocked) {
+            this.audit(`BLOCKED method test ${target} — ${check.reason}`);
+            return [];
+        }
+        const DANGEROUS = [
+            { method: 'TRACE', severity: 'medium', cvss: 4.8, reason: 'Cross-Site Tracing (XST) — can steal cookies/headers via JavaScript' },
+            { method: 'PUT', severity: 'high', cvss: 7.5, reason: 'PUT method allowed — may permit arbitrary file upload' },
+            { method: 'DELETE', severity: 'high', cvss: 7.5, reason: 'DELETE method allowed — may permit resource deletion' },
+            { method: 'CONNECT', severity: 'medium', cvss: 5.8, reason: 'CONNECT method allowed — server may be used as HTTP proxy' },
+        ];
+        await Promise.all(DANGEROUS.map(async ({ method, severity, cvss, reason }) => {
+            try {
+                const res = await httpRequest({ host, port, path: '/', method }, useHttps);
+                this.audit(`${method} ${host}:${port} — ${res.statusCode}`);
+                // 200/204 = method accepted; 405 = properly blocked
+                if (res.statusCode !== 405 && res.statusCode !== 501 && res.statusCode !== 0) {
+                    findings.push({
+                        severity,
+                        type: `ActiveScan: HTTP ${method} Method Allowed`,
+                        message: `${host} accepts HTTP ${method} requests (${res.statusCode}) — ${reason}`,
+                        recommendation: `Disable the ${method} method in your web server / API framework unless explicitly required.`,
+                        cvss,
+                        match: `${method} ${res.statusCode}`,
+                    });
+                }
+            }
+            catch { /* host down or timeout */ }
+        }));
+        return findings;
+    }
+    // ── Run all active checks against a target ────────────────────────────────────
+    async runAgainstTarget(target) {
+        await this.logger.info(`ActiveScan: full active scan → ${target}`);
+        this.audit(`BEGIN active scan: ${target}`);
+        const [ports, headers, tls_, cors, methods] = await Promise.all([
+            this.scanPorts(target),
+            this.auditHeaders(target),
+            this.auditTLS(target),
+            this.testCORS(target),
+            this.testDangerousMethods(target),
+        ]);
+        const all = [...ports, ...headers, ...tls_, ...cors, ...methods];
+        const order = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+        all.sort((a, b) => order[a.severity] - order[b.severity]);
+        this.audit(`END active scan: ${target} — ${all.length} findings`);
+        await this.flushAuditLog();
+        return all;
+    }
+    // ── Audit log ─────────────────────────────────────────────────────────────────
+    audit(msg) {
+        const ts = new Date().toISOString();
+        this.auditLog.push(`[${ts}] ${msg}`);
+    }
+    async flushAuditLog() {
+        try {
+            const logPath = path.join(process.cwd(), '.uneven', 'pentest-audit.log');
+            await fs.mkdir(path.dirname(logPath), { recursive: true });
+            await fs.appendFile(logPath, this.auditLog.join('\n') + '\n', 'utf-8');
+            this.auditLog = [];
+        }
+        catch { /* non-fatal */ }
+    }
+}

package/dist/core/analyst-job-manager.d.ts

@@ -0,0 +1,47 @@
+import { Logger } from './logger/index.js';
+export interface AnalystTask {
+    id: string;
+    tableName: string;
+    status: 'pending' | 'processing' | 'completed' | 'failed';
+    resultPath?: string;
+    error?: string;
+    attempts: number;
+}
+export interface AnalystJob {
+    id: string;
+    startTime: number;
+    goal: string;
+    dbUrl: string;
+    tasks: AnalystTask[];
+}
+export declare class AnalystJobManager {
+    private cacheDir;
+    private logger;
+    constructor(logger: Logger, baseDir?: string);
+    /**
+     * Initialize a new job with a set of tables
+     */
+    createJob(id: string, dbUrl: string, tables: string[], goal: string): Promise<AnalystJob>;
+    /**
+     * Save result of a specific task to disk
+     */
+    saveTaskResult(jobId: string, tableName: string, result: any): Promise<string>;
+    /**
+     * Load job state from disk
+     */
+    loadJobState(jobId: string): Promise<AnalystJob | null>;
+    /**
+     * Update job state on disk
+     */
+    saveJobState(job: AnalystJob): Promise<void>;
+    /**
+     * List all pending or failed jobs in cache
+     */
+    findIncompleteJobs(): Promise<string[]>;
+    /**
+     * Clear all analyst cache files
+     */
+    clearCache(): Promise<number>;
+    private ensureCacheDir;
+}
+//# sourceMappingURL=analyst-job-manager.d.ts.map

package/dist/core/analyst-job-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyst-job-manager.d.ts","sourceRoot":"","sources":["../../src/core/analyst-job-manager.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAE3C,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,SAAS,GAAG,YAAY,GAAG,WAAW,GAAG,QAAQ,CAAC;IAC1D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,WAAW,EAAE,CAAC;CACtB;AAED,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,MAAM,CAAS;gBAEX,MAAM,EAAE,MAAM,EAAE,OAAO,GAAE,MAAsB;IAK3D;;OAEG;IACG,SAAS,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAqB/F;;OAEG;IACG,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;IAQpF;;OAEG;IACG,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAU7D;;OAEG;IACG,YAAY,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;IAKlD;;OAEG;IACG,kBAAkB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAY7C;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC;YAerB,cAAc;CAG7B"}