wormclaude 1.0.194 → 1.0.196

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/commands.js CHANGED
@@ -60,6 +60,7 @@ export const COMMANDS = [
60
60
  { name: '/dirscan', desc: '[seviye 3+] dizin/içerik keşfi (yönetim/api/yedek/sızıntı yolları): /dirscan <alan>' },
61
61
  { name: '/report', desc: 'son taramadan profesyonel pentest raporu üret (CVSS/etki/çözüm, dosyaya yazar)' },
62
62
  { name: '/fullscan', desc: '[seviye 3+] tam kapsamlı DETERMİNİSTİK tarama: recon+XSS+SQLi tek komutta: /fullscan <hedef>' },
63
+ { name: '/pentest', desc: 'OTONOM çoklu-yüzey pentest (web+network+OSINT+cloud → tek rapor): /pentest <domain>' },
63
64
  { name: '/audit', desc: 'kaynak kod güvenlik denetimi (SAST — sır/açık/CVE, yerel): /audit [klasör]' },
64
65
  { name: '/jwt', desc: 'JWT token güvenlik analizi (alg=none/zayıf-secret/expiry/claim, yerel): /jwt <token>' },
65
66
  { name: '/spray', desc: 'login formuna parola-spray (yetkili test, trust 3+): /spray <login-url> [kullanıcı]' },
package/dist/theme.js CHANGED
@@ -16,4 +16,4 @@ export const theme = {
16
16
  synType: '#a78bfa', // tip/sınıf adları, sabitler
17
17
  synProp: '#e0e0e0', // özellik/anahtar adları
18
18
  };
19
- export const VERSION = '1.0.194';
19
+ export const VERSION = '1.0.196';
package/dist/tools.js CHANGED
@@ -230,7 +230,7 @@ export const toolSchemas = [
230
230
  parameters: {
231
231
  type: 'object',
232
232
  properties: {
233
- tool: { type: 'string', enum: ['full', 'recon', 'scan', 'xss', 'sqli', 'dirscan', 'idor', 'portscan', 'osint', 'cloudscan', 'spray', 'defaultcreds'], description: 'full → tam kapsamlı web taraması; recon/scan/dirscan/portscan/osint/cloudscan → domain/host/şirket; xss/sqli/idor → parameterized URL. portscan = TCP port/servis. osint = DNS + e-posta güvenliği (SPF/DMARC). cloudscan = açık bulut bucket keşfi (S3/GCP/Azure). spray = login formuna parola-spray (target = login URL, username param ile; "parola dene"/"spray"/"brute" denince, trust 3+). defaultcreds = login\'e varsayılan kimlikler (admin/admin vb.) dene (target = login URL, trust 3+)' },
233
+ tool: { type: 'string', enum: ['auto', 'full', 'recon', 'scan', 'xss', 'sqli', 'dirscan', 'idor', 'portscan', 'osint', 'cloudscan', 'spray', 'defaultcreds'], description: 'auto → OTONOM çoklu-yüzey pentest (web full + network portscan + OSINT + cloud bucket, hepsi tek raporda; "pentest yap"/"tam denetle"/"her şeyi tara"/"otonom" denince — domain/host); full → tam kapsamlı web taraması; recon/scan/dirscan/portscan/osint/cloudscan → domain/host/şirket; xss/sqli/idor → parameterized URL. portscan = TCP port/servis. osint = DNS + e-posta güvenliği (SPF/DMARC). cloudscan = açık bulut bucket keşfi (S3/GCP/Azure). spray = login formuna parola-spray (target = login URL, username param ile; "parola dene"/"spray"/"brute" denince, trust 3+). defaultcreds = login\'e varsayılan kimlikler (admin/admin vb.) dene (target = login URL, trust 3+)' },
234
234
  target: { type: 'string', description: 'Domain for recon/scan/dirscan (example.com) OR parameterized URL for xss/sqli (https://example.com/p?id=1)' },
235
235
  cookie: { type: 'string', description: 'Optional. Session cookie for AUTHENTICATED / behind-login scanning, e.g. "sessionid=abc123; csrftoken=xyz". The user copies it from their logged-in browser (DevTools → Application → Cookies, or the Cookie request header). Sent only to the target from the user IP — never stored on the server. Provide it whenever the user wants to scan pages behind a login.' },
236
236
  auth_header: { type: 'string', description: 'Optional. Authorization header value for token-based authenticated scanning, e.g. "Bearer eyJhbGci..." or "Basic dXNlcjpwYXNz". Use instead of / together with cookie when the site authenticates via a token header.' },
@@ -767,7 +767,7 @@ async function execOne(call, hooks) {
767
767
  if (call.name === 'SecurityScan') {
768
768
  let tool = String(args?.tool || '').toLowerCase().trim();
769
769
  const target = String(args?.target || '').trim();
770
- if (!['recon', 'scan', 'xss', 'sqli', 'dirscan', 'idor', 'portscan', 'osint', 'cloud', 'cloudscan', 'spray', 'credspray', 'defaultcreds', 'full', 'fullscan'].includes(tool) || !target) {
770
+ if (!['recon', 'scan', 'xss', 'sqli', 'dirscan', 'idor', 'portscan', 'osint', 'cloud', 'cloudscan', 'spray', 'credspray', 'defaultcreds', 'full', 'fullscan', 'auto', 'pentest'].includes(tool) || !target) {
771
771
  return { ok: false, output: 'SecurityScan: tool (recon|scan|xss|sqli|dirscan|full) ve target gerekli.', args };
772
772
  }
773
773
  if (tool === 'scan')
@@ -799,11 +799,14 @@ async function execOne(call, hooks) {
799
799
  const _authTag = _auth ? '|auth' : '';
800
800
  // FULL: tam kapsamlı tarama TEK ÇAĞRIDA — model orkestrasyona girmesin (döngü olur). Kod
801
801
  // deterministik olarak recon → xss → sqli koşar, TEK konsolide rapor döner.
802
- if (tool === 'full' || tool === 'fullscan') {
803
- const _fk = 'full|' + target.toLowerCase() + _authTag;
802
+ if (tool === 'full' || tool === 'fullscan' || tool === 'auto' || tool === 'pentest') {
803
+ // AUTO/PENTEST = otonom çoklu-yüzey: web (full) + network (portscan) + OSINT + cloud, TEK rapor.
804
+ // full = sadece web. İkisi de deterministik koşar (model orkestrasyona girip döngü yapmasın).
805
+ const _isAuto = tool === 'auto' || tool === 'pentest';
806
+ const _fk = (_isAuto ? 'auto|' : 'full|') + target.toLowerCase() + _authTag;
804
807
  const _fc = _scanCache.get(_fk);
805
808
  if (_fc && Date.now() - _fc.t < 120000) {
806
- return { ok: false, args, output: `[ALREADY-SCANNED] full scan "${target}" already ran — findings are above. Do NOT call SecurityScan again; summarize the results in text.` };
809
+ return { ok: false, args, output: `[ALREADY-SCANNED] ${_isAuto ? 'autonomous pentest' : 'full scan'} "${target}" already ran — findings are above. Do NOT call SecurityScan again; summarize the results in text.` };
807
810
  }
808
811
  try {
809
812
  const { runPentest, fetchPtTools } = await import('./pentest.js');
@@ -819,7 +822,12 @@ async function execOne(call, hooks) {
819
822
  }
820
823
  }
821
824
  catch { }
822
- let rpt = `Tam kapsamlı tarama ${target}${_auth ? ' (authenticated / login-arkası oturum enjekte edildi)' : ''}${_loginNote}\n${_steps.length} tarayıcı koşuluyor (recon+dirscan+xss+sqli + şablonlar).\n`;
825
+ // AUTO: web'in üstüne bağımsız yüzeyleri ekle (network + e-posta/DNS + bulut bucket).
826
+ const _extraSurfaces = _isAuto ? ['portscan', 'osint', 'cloudscan'] : [];
827
+ for (const s of _extraSurfaces)
828
+ if (!_steps.includes(s))
829
+ _steps.push(s);
830
+ let rpt = `${_isAuto ? 'Otonom pentest (web+network+OSINT+cloud)' : 'Tam kapsamlı tarama'} — ${target}${_auth ? ' (authenticated / login-arkası — oturum enjekte edildi)' : ''}${_loginNote}\n${_steps.length} tarayıcı koşuluyor${_isAuto ? ' (web full + portscan + osint + cloudscan)' : ' (recon+dirscan+xss+sqli + şablonlar)'}.\n`;
823
831
  let _wafSeen = false;
824
832
  for (const _t of _steps) {
825
833
  if (hooks?.signal?.aborted) {
@@ -901,7 +909,9 @@ async function execOne(call, hooks) {
901
909
  rpt += `\n\nToplam ${all.length} bulgu (${_steps.length} tarayıcı${_subs && _subs.length ? ' + ' + _subs.length + ' alt-alan' : ''}).`;
902
910
  if (all.length)
903
911
  rpt += '\n' + all.slice(0, 80).map((x) => ' ' + JSON.stringify(x)).join('\n');
904
- rpt += `\n[full-done] comprehensive scan (${_steps.length} scanners${_subs && _subs.length ? ' + ' + _subs.length + ' subdomains' : ''}) ran. Each finding has a "cvss" base score. Do NOT call SecurityScan again — report to the user in text: severity-ordered summary, include the CVSS score per finding, note subdomain findings, prioritized fixes, in their language.`;
912
+ rpt += _isAuto
913
+ ? `\n[auto-done] AUTONOMOUS multi-surface pentest ran (web full + network portscan + OSINT dns/email + cloud buckets, ${_steps.length} scanners${_subs && _subs.length ? ' + ' + _subs.length + ' subdomains' : ''}). Each finding has a "cvss" base score. Do NOT call SecurityScan again — write a PENTEST REPORT in the user's language: (1) executive summary (overall risk posture, count by severity), (2) findings grouped by SURFACE (web / network / email-DNS / cloud), severity-ordered, with CVSS, (3) prioritized remediation roadmap. Be concrete.`
914
+ : `\n[full-done] comprehensive scan (${_steps.length} scanners${_subs && _subs.length ? ' + ' + _subs.length + ' subdomains' : ''}) ran. Each finding has a "cvss" base score. Do NOT call SecurityScan again — report to the user in text: severity-ordered summary, include the CVSS score per finding, note subdomain findings, prioritized fixes, in their language.`;
905
915
  const _now = Date.now();
906
916
  _scanCache.set(_fk, { out: rpt, t: _now });
907
917
  for (const _t of ['recon', 'xss', 'sqli', 'dirscan'])
package/dist/tui.js CHANGED
@@ -522,14 +522,24 @@ export async function runTui() {
522
522
  printItem({ kind: 'tool', label: toolLabel(c.name, res.args), result, ok: res.ok });
523
523
  },
524
524
  });
525
- for (let i = 0; i < toolCalls.length; i++)
526
- history.push({ role: 'tool', tool_call_id: toolCalls[i].id, content: capToolOut(toolCalls[i].name, results[i].output || '') });
527
525
  // Devre-kesici: olmayan araç/Unix sözdizimini (grep/openssl/hydra) tekrar deneyip
528
526
  // döngüye girmesin. Üst üste hepsi fail (2 tur) VEYA toplam 4 başarısız → dur+özetle.
529
527
  const _failed = results.filter((r) => !r.ok).length;
530
528
  totalFails += _failed;
531
529
  consecFail = (results.length > 0 && _failed === results.length) ? consecFail + 1 : 0;
532
- if (consecFail >= 2 || totalFails >= 4) {
530
+ const _willStop = consecFail >= 2 || totalFails >= 4;
531
+ // REFLECT-AFTER: bir araç başarısızsa (ve henüz sert-dur eşiğine gelmediysek) modele
532
+ // teşhis+adapte dayat — körlemesine tekrar/pes etmesin, benim gibi "neden + başka yol" düşünsün.
533
+ for (let i = 0; i < toolCalls.length; i++) {
534
+ let _content = capToolOut(toolCalls[i].name, results[i].output || '');
535
+ if (!results[i].ok && !_willStop) {
536
+ _content += getLang() === 'en'
537
+ ? '\n\n[REFLECT] This call failed. Before continuing, think briefly: (1) WHY did it fail? (2) Do NOT repeat the same call verbatim — fix the arguments or try a DIFFERENT approach/tool. (3) If it cannot be solved, tell the user plainly. Never give up silently or loop.'
538
+ : '\n\n[DÜŞÜN] Bu çağrı başarısız oldu. Devam etmeden kısaca düşün: (1) NEDEN başarısız oldu? (2) Aynı çağrıyı AYNEN tekrarlama — parametreyi düzelt ya da BAŞKA bir yol/araç dene. (3) Çözülemiyorsa kullanıcıya açıkça söyle. Asla sessizce pes etme, döngüye girme.';
539
+ }
540
+ history.push({ role: 'tool', tool_call_id: toolCalls[i].id, content: _content });
541
+ }
542
+ if (_willStop) {
533
543
  history.push({ role: 'user', content: getLang() === 'en'
534
544
  ? 'Several commands failed — required tools/syntax are not available here (e.g. grep/openssl/hydra on Windows). STOP running commands now and give a SHORT summary of what you found so far. Do NOT call more tools, do NOT use grep/sed/awk.'
535
545
  : 'Komutlar başarısız oldu — bu ortamda gerekli araç/sözdizim yok (Windows\'ta grep/openssl/hydra gibi). Komut çalıştırmayı ŞİMDİ BIRAK, şu ana kadarki bulguları KISA özetle. Başka araç çağırma, grep/sed/awk kullanma.' });
@@ -836,6 +846,16 @@ export async function runTui() {
836
846
  quit();
837
847
  return;
838
848
  }
849
+ // /pentest — OTONOM çoklu-yüzey pentest (web+network+OSINT+cloud); SecurityScan tool=auto
850
+ if (tok === '/pentest') {
851
+ const a = v.slice(tok.length).trim();
852
+ if (!a) {
853
+ printItem({ kind: 'note', text: 'Kullanım: /pentest <domain>' });
854
+ return;
855
+ }
856
+ runTurn(`SecurityScan aracıyla tool=auto, target=${a} çalıştır (otonom çoklu-yüzey pentest: web+network+OSINT+cloud). Sonra yüzey-bazlı yönetici pentest raporu yaz.`, v);
857
+ return;
858
+ }
839
859
  // /audit — kaynak kod güvenlik denetimi (SAST, yerel); modele CodeAudit çağırt
840
860
  if (tok === '/audit') {
841
861
  const a = v.slice(tok.length).trim() || '.';
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "wormclaude",
3
- "version": "1.0.194",
3
+ "version": "1.0.196",
4
4
  "description": "WormClaude CLI - uncensored security+code assistant (ink TUI, Claude-style)",
5
5
  "type": "module",
6
6
  "bin": {