wormclaude 1.0.194 → 1.0.195

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/commands.js CHANGED
@@ -60,6 +60,7 @@ export const COMMANDS = [
60
60
  { name: '/dirscan', desc: '[seviye 3+] dizin/içerik keşfi (yönetim/api/yedek/sızıntı yolları): /dirscan <alan>' },
61
61
  { name: '/report', desc: 'son taramadan profesyonel pentest raporu üret (CVSS/etki/çözüm, dosyaya yazar)' },
62
62
  { name: '/fullscan', desc: '[seviye 3+] tam kapsamlı DETERMİNİSTİK tarama: recon+XSS+SQLi tek komutta: /fullscan <hedef>' },
63
+ { name: '/pentest', desc: 'OTONOM çoklu-yüzey pentest (web+network+OSINT+cloud → tek rapor): /pentest <domain>' },
63
64
  { name: '/audit', desc: 'kaynak kod güvenlik denetimi (SAST — sır/açık/CVE, yerel): /audit [klasör]' },
64
65
  { name: '/jwt', desc: 'JWT token güvenlik analizi (alg=none/zayıf-secret/expiry/claim, yerel): /jwt <token>' },
65
66
  { name: '/spray', desc: 'login formuna parola-spray (yetkili test, trust 3+): /spray <login-url> [kullanıcı]' },
package/dist/theme.js CHANGED
@@ -16,4 +16,4 @@ export const theme = {
16
16
  synType: '#a78bfa', // tip/sınıf adları, sabitler
17
17
  synProp: '#e0e0e0', // özellik/anahtar adları
18
18
  };
19
- export const VERSION = '1.0.194';
19
+ export const VERSION = '1.0.195';
package/dist/tools.js CHANGED
@@ -230,7 +230,7 @@ export const toolSchemas = [
230
230
  parameters: {
231
231
  type: 'object',
232
232
  properties: {
233
- tool: { type: 'string', enum: ['full', 'recon', 'scan', 'xss', 'sqli', 'dirscan', 'idor', 'portscan', 'osint', 'cloudscan', 'spray', 'defaultcreds'], description: 'full → tam kapsamlı web taraması; recon/scan/dirscan/portscan/osint/cloudscan → domain/host/şirket; xss/sqli/idor → parameterized URL. portscan = TCP port/servis. osint = DNS + e-posta güvenliği (SPF/DMARC). cloudscan = açık bulut bucket keşfi (S3/GCP/Azure). spray = login formuna parola-spray (target = login URL, username param ile; "parola dene"/"spray"/"brute" denince, trust 3+). defaultcreds = login\'e varsayılan kimlikler (admin/admin vb.) dene (target = login URL, trust 3+)' },
233
+ tool: { type: 'string', enum: ['auto', 'full', 'recon', 'scan', 'xss', 'sqli', 'dirscan', 'idor', 'portscan', 'osint', 'cloudscan', 'spray', 'defaultcreds'], description: 'auto → OTONOM çoklu-yüzey pentest (web full + network portscan + OSINT + cloud bucket, hepsi tek raporda; "pentest yap"/"tam denetle"/"her şeyi tara"/"otonom" denince — domain/host); full → tam kapsamlı web taraması; recon/scan/dirscan/portscan/osint/cloudscan → domain/host/şirket; xss/sqli/idor → parameterized URL. portscan = TCP port/servis. osint = DNS + e-posta güvenliği (SPF/DMARC). cloudscan = açık bulut bucket keşfi (S3/GCP/Azure). spray = login formuna parola-spray (target = login URL, username param ile; "parola dene"/"spray"/"brute" denince, trust 3+). defaultcreds = login\'e varsayılan kimlikler (admin/admin vb.) dene (target = login URL, trust 3+)' },
234
234
  target: { type: 'string', description: 'Domain for recon/scan/dirscan (example.com) OR parameterized URL for xss/sqli (https://example.com/p?id=1)' },
235
235
  cookie: { type: 'string', description: 'Optional. Session cookie for AUTHENTICATED / behind-login scanning, e.g. "sessionid=abc123; csrftoken=xyz". The user copies it from their logged-in browser (DevTools → Application → Cookies, or the Cookie request header). Sent only to the target from the user IP — never stored on the server. Provide it whenever the user wants to scan pages behind a login.' },
236
236
  auth_header: { type: 'string', description: 'Optional. Authorization header value for token-based authenticated scanning, e.g. "Bearer eyJhbGci..." or "Basic dXNlcjpwYXNz". Use instead of / together with cookie when the site authenticates via a token header.' },
@@ -767,7 +767,7 @@ async function execOne(call, hooks) {
767
767
  if (call.name === 'SecurityScan') {
768
768
  let tool = String(args?.tool || '').toLowerCase().trim();
769
769
  const target = String(args?.target || '').trim();
770
- if (!['recon', 'scan', 'xss', 'sqli', 'dirscan', 'idor', 'portscan', 'osint', 'cloud', 'cloudscan', 'spray', 'credspray', 'defaultcreds', 'full', 'fullscan'].includes(tool) || !target) {
770
+ if (!['recon', 'scan', 'xss', 'sqli', 'dirscan', 'idor', 'portscan', 'osint', 'cloud', 'cloudscan', 'spray', 'credspray', 'defaultcreds', 'full', 'fullscan', 'auto', 'pentest'].includes(tool) || !target) {
771
771
  return { ok: false, output: 'SecurityScan: tool (recon|scan|xss|sqli|dirscan|full) ve target gerekli.', args };
772
772
  }
773
773
  if (tool === 'scan')
@@ -799,11 +799,14 @@ async function execOne(call, hooks) {
799
799
  const _authTag = _auth ? '|auth' : '';
800
800
  // FULL: tam kapsamlı tarama TEK ÇAĞRIDA — model orkestrasyona girmesin (döngü olur). Kod
801
801
  // deterministik olarak recon → xss → sqli koşar, TEK konsolide rapor döner.
802
- if (tool === 'full' || tool === 'fullscan') {
803
- const _fk = 'full|' + target.toLowerCase() + _authTag;
802
+ if (tool === 'full' || tool === 'fullscan' || tool === 'auto' || tool === 'pentest') {
803
+ // AUTO/PENTEST = otonom çoklu-yüzey: web (full) + network (portscan) + OSINT + cloud, TEK rapor.
804
+ // full = sadece web. İkisi de deterministik koşar (model orkestrasyona girip döngü yapmasın).
805
+ const _isAuto = tool === 'auto' || tool === 'pentest';
806
+ const _fk = (_isAuto ? 'auto|' : 'full|') + target.toLowerCase() + _authTag;
804
807
  const _fc = _scanCache.get(_fk);
805
808
  if (_fc && Date.now() - _fc.t < 120000) {
806
- return { ok: false, args, output: `[ALREADY-SCANNED] full scan "${target}" already ran — findings are above. Do NOT call SecurityScan again; summarize the results in text.` };
809
+ return { ok: false, args, output: `[ALREADY-SCANNED] ${_isAuto ? 'autonomous pentest' : 'full scan'} "${target}" already ran — findings are above. Do NOT call SecurityScan again; summarize the results in text.` };
807
810
  }
808
811
  try {
809
812
  const { runPentest, fetchPtTools } = await import('./pentest.js');
@@ -819,7 +822,12 @@ async function execOne(call, hooks) {
819
822
  }
820
823
  }
821
824
  catch { }
822
- let rpt = `Tam kapsamlı tarama ${target}${_auth ? ' (authenticated / login-arkası oturum enjekte edildi)' : ''}${_loginNote}\n${_steps.length} tarayıcı koşuluyor (recon+dirscan+xss+sqli + şablonlar).\n`;
825
+ // AUTO: web'in üstüne bağımsız yüzeyleri ekle (network + e-posta/DNS + bulut bucket).
826
+ const _extraSurfaces = _isAuto ? ['portscan', 'osint', 'cloudscan'] : [];
827
+ for (const s of _extraSurfaces)
828
+ if (!_steps.includes(s))
829
+ _steps.push(s);
830
+ let rpt = `${_isAuto ? 'Otonom pentest (web+network+OSINT+cloud)' : 'Tam kapsamlı tarama'} — ${target}${_auth ? ' (authenticated / login-arkası — oturum enjekte edildi)' : ''}${_loginNote}\n${_steps.length} tarayıcı koşuluyor${_isAuto ? ' (web full + portscan + osint + cloudscan)' : ' (recon+dirscan+xss+sqli + şablonlar)'}.\n`;
823
831
  let _wafSeen = false;
824
832
  for (const _t of _steps) {
825
833
  if (hooks?.signal?.aborted) {
@@ -901,7 +909,9 @@ async function execOne(call, hooks) {
901
909
  rpt += `\n\nToplam ${all.length} bulgu (${_steps.length} tarayıcı${_subs && _subs.length ? ' + ' + _subs.length + ' alt-alan' : ''}).`;
902
910
  if (all.length)
903
911
  rpt += '\n' + all.slice(0, 80).map((x) => ' ' + JSON.stringify(x)).join('\n');
904
- rpt += `\n[full-done] comprehensive scan (${_steps.length} scanners${_subs && _subs.length ? ' + ' + _subs.length + ' subdomains' : ''}) ran. Each finding has a "cvss" base score. Do NOT call SecurityScan again — report to the user in text: severity-ordered summary, include the CVSS score per finding, note subdomain findings, prioritized fixes, in their language.`;
912
+ rpt += _isAuto
913
+ ? `\n[auto-done] AUTONOMOUS multi-surface pentest ran (web full + network portscan + OSINT dns/email + cloud buckets, ${_steps.length} scanners${_subs && _subs.length ? ' + ' + _subs.length + ' subdomains' : ''}). Each finding has a "cvss" base score. Do NOT call SecurityScan again — write a PENTEST REPORT in the user's language: (1) executive summary (overall risk posture, count by severity), (2) findings grouped by SURFACE (web / network / email-DNS / cloud), severity-ordered, with CVSS, (3) prioritized remediation roadmap. Be concrete.`
914
+ : `\n[full-done] comprehensive scan (${_steps.length} scanners${_subs && _subs.length ? ' + ' + _subs.length + ' subdomains' : ''}) ran. Each finding has a "cvss" base score. Do NOT call SecurityScan again — report to the user in text: severity-ordered summary, include the CVSS score per finding, note subdomain findings, prioritized fixes, in their language.`;
905
915
  const _now = Date.now();
906
916
  _scanCache.set(_fk, { out: rpt, t: _now });
907
917
  for (const _t of ['recon', 'xss', 'sqli', 'dirscan'])
package/dist/tui.js CHANGED
@@ -836,6 +836,16 @@ export async function runTui() {
836
836
  quit();
837
837
  return;
838
838
  }
839
+ // /pentest — OTONOM çoklu-yüzey pentest (web+network+OSINT+cloud); SecurityScan tool=auto
840
+ if (tok === '/pentest') {
841
+ const a = v.slice(tok.length).trim();
842
+ if (!a) {
843
+ printItem({ kind: 'note', text: 'Kullanım: /pentest <domain>' });
844
+ return;
845
+ }
846
+ runTurn(`SecurityScan aracıyla tool=auto, target=${a} çalıştır (otonom çoklu-yüzey pentest: web+network+OSINT+cloud). Sonra yüzey-bazlı yönetici pentest raporu yaz.`, v);
847
+ return;
848
+ }
839
849
  // /audit — kaynak kod güvenlik denetimi (SAST, yerel); modele CodeAudit çağırt
840
850
  if (tok === '/audit') {
841
851
  const a = v.slice(tok.length).trim() || '.';
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "wormclaude",
3
- "version": "1.0.194",
3
+ "version": "1.0.195",
4
4
  "description": "WormClaude CLI - uncensored security+code assistant (ink TUI, Claude-style)",
5
5
  "type": "module",
6
6
  "bin": {