briar-pentest 0.3.0__tar.gz

briar_pentest-0.3.0/LICENSE

@@ -0,0 +1,18 @@
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
+
+ Copyright (C) 2026 Stiimy (Keran JOBLON)
+ 
+ Briar — Autonomous AI Pentester
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published
+ by the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program.  If not, see <https://www.gnu.org/licenses/>.

briar_pentest-0.3.0/PKG-INFO

@@ -0,0 +1,178 @@
+Metadata-Version: 2.4
+Name: briar-pentest
+Version: 0.3.0
+Summary: Autonomous AI Pentester — find vulnerabilities before hackers do
+Home-page: https://github.com/Stiimy/briar
+Author: Stiimy
+Author-email: Stiimy <keran.joblon@outlook.fr>
+License: AGPL-3.0
+Project-URL: Homepage, https://github.com/Stiimy/briar
+Project-URL: Repository, https://github.com/Stiimy/briar
+Project-URL: Issues, https://github.com/Stiimy/briar/issues
+Keywords: security,pentest,vulnerability,owasp,ai,ollama
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Information Technology
+Classifier: License :: OSI Approved :: GNU Affero General Public License v3
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Topic :: Security
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: requests>=2.31
+Requires-Dist: click>=8.1
+Requires-Dist: rich>=13.7
+Requires-Dist: fastapi>=0.115
+Requires-Dist: uvicorn>=0.30
+Provides-Extra: full
+Requires-Dist: python-docx>=1.1; extra == "full"
+Requires-Dist: openpyxl>=3.1; extra == "full"
+Requires-Dist: python-pptx>=0.6; extra == "full"
+Requires-Dist: matplotlib>=3.8; extra == "full"
+Requires-Dist: plotly>=5.18; extra == "full"
+Requires-Dist: selenium>=4.15; extra == "full"
+Dynamic: author
+Dynamic: home-page
+Dynamic: license-file
+Dynamic: requires-python
+
+# 🥀 Briar — Autonomous AI Pentester
+
+> *Find vulnerabilities before hackers do. Free. Open Source. No Docker required.*
+
+[![Python](https://img.shields.io/badge/Python-3.10+-blue?logo=python)](https://python.org)
+[![License](https://img.shields.io/badge/License-AGPL--3.0-green)](LICENSE)
+[![Ollama](https://img.shields.io/badge/Ollama-Free-%23cba6f7)](https://ollama.ai)
+[![Version](https://img.shields.io/badge/version-0.3.0-purple)](https://github.com/Stiimy/briar/releases)
+
+Briar is an autonomous AI pentester. It scans web applications, injects real payloads, validates exploits, and generates professional security reports — powered by **11 AI providers** including a completely free local mode via Ollama.
+
+---
+
+## Quick Start
+
+```bash
+pip install briar
+briar setup              # Pick your AI provider (Ollama = free)
+briar scan -u https://target.com --quick
+briar serve              # Web dashboard → http://localhost:8233
+```
+
+---
+
+## Features
+
+| Category | Details |
+|----------|---------|
+| 🤖 **11 AI Providers** | Ollama (free, local), OpenAI, Claude, DeepSeek, Groq, Mistral, xAI/Grok, Google/Gemini, OpenRouter, Together, Custom |
+| 🛡️ **10 OWASP Agents** | Recon, Injection, XSS, SSRF, Auth, AuthZ, CSRF, Upload, Traversal, RCE, API, Secrets |
+| 🎯 **No Exploit, No Report** | Every High/Critical finding is replayed and confirmed before reporting |
+| 🔌 **Blackbox + Whitebox** | Works with just a URL. Add `-r /path/to/source` for code-aware analysis |
+| 📡 **Port Scanning** | 24 common ports scanned during recon phase |
+| 📄 **Reports** | Markdown, Word (.docx), Excel (.xlsx), Obsidian vault + canvas mindmap |
+| 🎨 **Slides** | PowerPoint (.pptx) + HTML presentation |
+| 📊 **Charts** | Severity pie chart, agent bar chart |
+| 🌐 **Dashboard** | Web UI on port 8233 (FastAPI) with scan launcher |
+| 💾 **Workspaces** | Resume interrupted scans, checkpoint after every agent |
+| ⚙️ **YAML Config** | Authenticated scanning, login flows, custom rules (avoid/focus paths) |
+| 🐳 **No Docker Required** | Native Python. pip install and go. Docker optional for server mode. |
+
+---
+
+## Usage
+
+```bash
+# Quick scan (4 agents)
+briar scan -u https://target.com --quick
+
+# Standard scan (8 agents)  
+briar scan -u https://target.com
+
+# Deep scan (all 12 agents + browser exploits)
+briar scan -u https://target.com --deep
+
+# With source code (whitebox mode)
+briar scan -u https://target.com -r /path/to/repo
+
+# With DeepSeek provider (set env var first)
+export DEEPSEEK_API_KEY=sk-xxx
+briar scan -u https://target.com -p deepseek
+
+# With config file (authenticated scanning)
+briar scan -c juice-shop.yaml
+
+# Resume an interrupted scan
+briar scan --resume workspace-name
+
+# List saved workspaces
+briar workspaces
+```
+
+---
+
+## Config File (YAML)
+
+```yaml
+# juice-shop.yaml — example for OWASP Juice Shop
+target:
+  url: http://localhost:3000
+
+provider: deepseek
+mode: deep
+output: ./reports/juice-shop
+
+authentication:
+  login_url: /rest/user/login
+  method: json
+  credentials:
+    email: test@test.com
+    password: test123
+  success_condition: "status=200"
+
+rules:
+  avoid:
+    - path: /logout
+    - path: /score-board
+  focus:
+    - path: /api
+    - path: /rest
+```
+
+---
+
+## Architecture
+
+```
+briar/
+├── agents/          12 security agents (recon, injection, xss, ssrf,
+│                    auth, authz, csrf, upload, traversal, rce, api, secrets)
+├── providers/       11 AI backends (Ollama, OpenAI, Claude, DeepSeek, ...)
+├── core/            HTTP client, exploit validator, workspace manager
+├── exploits/        Selenium browser exploits + CLI payload injector
+├── reports/         Markdown, Word, Excel, Obsidian generators
+├── charts/          Pie chart + bar chart (matplotlib)
+├── slides/          PowerPoint + HTML slide decks
+├── cli.py           Main CLI (click + rich)
+├── web.py           FastAPI dashboard (port 8233)
+├── worker.py        Background job queue worker
+└── config.py        YAML config loader
+```
+
+---
+
+## Install from Source
+
+```bash
+git clone https://github.com/Stiimy/briar
+cd briar
+pip install -e .
+briar setup
+```
+
+---
+
+> *"No exploit, no report."* — Briar validates every High/Critical finding before you see it.
+
+**License:** AGPL-3.0 — Free. Forever.

briar_pentest-0.3.0/README.md

@@ -0,0 +1,138 @@
+# 🥀 Briar — Autonomous AI Pentester
+
+> *Find vulnerabilities before hackers do. Free. Open Source. No Docker required.*
+
+[![Python](https://img.shields.io/badge/Python-3.10+-blue?logo=python)](https://python.org)
+[![License](https://img.shields.io/badge/License-AGPL--3.0-green)](LICENSE)
+[![Ollama](https://img.shields.io/badge/Ollama-Free-%23cba6f7)](https://ollama.ai)
+[![Version](https://img.shields.io/badge/version-0.3.0-purple)](https://github.com/Stiimy/briar/releases)
+
+Briar is an autonomous AI pentester. It scans web applications, injects real payloads, validates exploits, and generates professional security reports — powered by **11 AI providers** including a completely free local mode via Ollama.
+
+---
+
+## Quick Start
+
+```bash
+pip install briar
+briar setup              # Pick your AI provider (Ollama = free)
+briar scan -u https://target.com --quick
+briar serve              # Web dashboard → http://localhost:8233
+```
+
+---
+
+## Features
+
+| Category | Details |
+|----------|---------|
+| 🤖 **11 AI Providers** | Ollama (free, local), OpenAI, Claude, DeepSeek, Groq, Mistral, xAI/Grok, Google/Gemini, OpenRouter, Together, Custom |
+| 🛡️ **10 OWASP Agents** | Recon, Injection, XSS, SSRF, Auth, AuthZ, CSRF, Upload, Traversal, RCE, API, Secrets |
+| 🎯 **No Exploit, No Report** | Every High/Critical finding is replayed and confirmed before reporting |
+| 🔌 **Blackbox + Whitebox** | Works with just a URL. Add `-r /path/to/source` for code-aware analysis |
+| 📡 **Port Scanning** | 24 common ports scanned during recon phase |
+| 📄 **Reports** | Markdown, Word (.docx), Excel (.xlsx), Obsidian vault + canvas mindmap |
+| 🎨 **Slides** | PowerPoint (.pptx) + HTML presentation |
+| 📊 **Charts** | Severity pie chart, agent bar chart |
+| 🌐 **Dashboard** | Web UI on port 8233 (FastAPI) with scan launcher |
+| 💾 **Workspaces** | Resume interrupted scans, checkpoint after every agent |
+| ⚙️ **YAML Config** | Authenticated scanning, login flows, custom rules (avoid/focus paths) |
+| 🐳 **No Docker Required** | Native Python. pip install and go. Docker optional for server mode. |
+
+---
+
+## Usage
+
+```bash
+# Quick scan (4 agents)
+briar scan -u https://target.com --quick
+
+# Standard scan (8 agents)  
+briar scan -u https://target.com
+
+# Deep scan (all 12 agents + browser exploits)
+briar scan -u https://target.com --deep
+
+# With source code (whitebox mode)
+briar scan -u https://target.com -r /path/to/repo
+
+# With DeepSeek provider (set env var first)
+export DEEPSEEK_API_KEY=sk-xxx
+briar scan -u https://target.com -p deepseek
+
+# With config file (authenticated scanning)
+briar scan -c juice-shop.yaml
+
+# Resume an interrupted scan
+briar scan --resume workspace-name
+
+# List saved workspaces
+briar workspaces
+```
+
+---
+
+## Config File (YAML)
+
+```yaml
+# juice-shop.yaml — example for OWASP Juice Shop
+target:
+  url: http://localhost:3000
+
+provider: deepseek
+mode: deep
+output: ./reports/juice-shop
+
+authentication:
+  login_url: /rest/user/login
+  method: json
+  credentials:
+    email: test@test.com
+    password: test123
+  success_condition: "status=200"
+
+rules:
+  avoid:
+    - path: /logout
+    - path: /score-board
+  focus:
+    - path: /api
+    - path: /rest
+```
+
+---
+
+## Architecture
+
+```
+briar/
+├── agents/          12 security agents (recon, injection, xss, ssrf,
+│                    auth, authz, csrf, upload, traversal, rce, api, secrets)
+├── providers/       11 AI backends (Ollama, OpenAI, Claude, DeepSeek, ...)
+├── core/            HTTP client, exploit validator, workspace manager
+├── exploits/        Selenium browser exploits + CLI payload injector
+├── reports/         Markdown, Word, Excel, Obsidian generators
+├── charts/          Pie chart + bar chart (matplotlib)
+├── slides/          PowerPoint + HTML slide decks
+├── cli.py           Main CLI (click + rich)
+├── web.py           FastAPI dashboard (port 8233)
+├── worker.py        Background job queue worker
+└── config.py        YAML config loader
+```
+
+---
+
+## Install from Source
+
+```bash
+git clone https://github.com/Stiimy/briar
+cd briar
+pip install -e .
+briar setup
+```
+
+---
+
+> *"No exploit, no report."* — Briar validates every High/Critical finding before you see it.
+
+**License:** AGPL-3.0 — Free. Forever.

briar_pentest-0.3.0/briar/__init__.py

@@ -0,0 +1,2 @@
+"""Briar — Autonomous AI Pentester 🥀"""
+__version__ = "0.1.0"

briar_pentest-0.3.0/briar/__main__.py

@@ -0,0 +1,3 @@
+"""Allow running as: python -m briar"""
+from briar.cli import cli
+cli()

briar_pentest-0.3.0/briar/agents/__init__.py

@@ -0,0 +1,25 @@
+from .analyzer import SecurityAnalyzer
+from .recon import ReconAgent
+from .injection import InjectionAgent
+from .xss import XSSAgent
+from .ssrf import SSRFAgent
+from .auth import AuthAgent
+from .authz import AuthZAgent
+from .csrf import CSRFAgent
+from .upload import UploadAgent
+from .traversal import TraversalAgent
+from .rce import RCEAgent
+from .api import APIAgent
+from .secrets import SecretsAgent
+
+AGENTS = {
+    "recon": ReconAgent, "injection": InjectionAgent, "xss": XSSAgent, "ssrf": SSRFAgent,
+    "auth": AuthAgent, "authz": AuthZAgent, "csrf": CSRFAgent,
+    "upload": UploadAgent, "traversal": TraversalAgent,
+    "rce": RCEAgent, "api": APIAgent, "secrets": SecretsAgent,
+}
+
+def run_agent(name, provider="ollama", **kwargs):
+    if name not in AGENTS:
+        return {"error": f"Agent '{name}' not found. Available: {list(AGENTS.keys())}"}
+    return AGENTS[name](provider).scan(**kwargs)

briar_pentest-0.3.0/briar/agents/analyzer.py

@@ -0,0 +1,81 @@
+"""Briar AI Analysis Engine — the brain of the pentest 🧠"""
+from typing import Optional
+from briar.providers import get_provider
+
+SECURITY_ANALYST_PROMPT = """You are an elite security researcher performing a penetration test.
+Analyze the target and identify vulnerabilities. For each finding, provide:
+
+1. VULNERABILITY TYPE (OWASP category)
+2. SEVERITY (Critical/High/Medium/Low)
+3. CVSS SCORE (0.0-10.0)
+4. ENDPOINT / LOCATION
+5. DESCRIPTION (what the vuln is)
+6. EXPLOIT STEPS (how to reproduce)
+7. IMPACT (what an attacker can do)
+8. REMEDIATION (how to fix)
+
+Be specific. Include exact URLs, parameters, payloads. Think like an attacker."""
+
+class SecurityAnalyzer:
+    """Core AI security analysis engine"""
+    
+    def __init__(self, provider: str = "ollama", model: Optional[str] = None):
+        self.provider = get_provider(provider, model=model) if model else get_provider(provider)
+    
+    def analyze_endpoint(self, url: str, method: str = "GET", source_hint: str = "") -> dict:
+        """Analyze a single endpoint for vulnerabilities"""
+        prompt = f"""Analyze this endpoint for security vulnerabilities:
+
+URL: {url}
+Method: {method}
+{f'Source code context: {source_hint}' if source_hint else ''}
+
+List ALL potential vulnerabilities you find. For each one, provide the full details as specified."""
+        
+        messages = [{"role": "user", "content": prompt}]
+        response = self.provider.chat(messages, system=SECURITY_ANALYST_PROMPT, max_tokens=4096)
+        return {"url": url, "analysis": response, "raw": response}
+    
+    def analyze_code(self, code: str, filepath: str = "") -> dict:
+        """Analyze source code for vulnerabilities"""
+        prompt = f"""Analyze this source code for security vulnerabilities:
+
+File: {filepath}
+
+``` 
+{code[:8000]} 
+```
+
+Find: SQL injection, XSS, SSRF, command injection, path traversal, auth bypass, 
+deserialization, hardcoded secrets, unsafe eval, etc.
+
+For each finding, specify the exact line and how to exploit it."""
+        
+        messages = [{"role": "user", "content": prompt}]
+        response = self.provider.chat(messages, system=SECURITY_ANALYST_PROMPT, max_tokens=4096)
+        return {"file": filepath, "analysis": response}
+    
+    def generate_report(self, findings: list, target: str) -> str:
+        """Generate a comprehensive security report"""
+        findings_text = "\n\n---\n\n".join([
+            f"## Finding {i+1}\n{f.get('analysis', f.get('raw',''))}"
+            for i, f in enumerate(findings)
+        ])
+        
+        prompt = f"""Generate a PROFESSIONAL penetration test report for {target}.
+
+Findings:
+{findings_text[:6000]}
+
+Create a structured report with:
+1. Executive Summary
+2. Methodology
+3. Findings (detailed per vulnerability)
+4. Risk Matrix
+5. Recommendations
+6. Conclusion
+
+Format in Markdown. Be professional and precise."""
+        
+        messages = [{"role": "user", "content": prompt}]
+        return self.provider.chat(messages, system="You are a senior security consultant writing a pentest report.", max_tokens=8192)

briar_pentest-0.3.0/briar/agents/api.py

@@ -0,0 +1,94 @@
+"""API Security Agent — GraphQL, REST, OpenAPI detection 📡"""
+from briar.agents.analyzer import SecurityAnalyzer
+from briar.core.http import HTTPClient
+
+class APIAgent:
+    """Detects API endpoints and tests for common misconfigurations"""
+
+    API_PATHS = [
+        ("/graphql", "GraphQL endpoint"),
+        ("/graphiql", "GraphQL IDE"),
+        ("/api", "REST API"),
+        ("/api/v1", "REST API v1"),
+        ("/api/v2", "REST API v2"),
+        ("/swagger.json", "Swagger/OpenAPI spec"),
+        ("/openapi.json", "OpenAPI 3.0 spec"),
+        ("/api-docs", "API docs"),
+        ("/docs", "API docs"),
+        ("/.well-known/openid-configuration", "OIDC config"),
+        ("/wp-json/", "WordPress REST API"),
+        ("/v1/", "API v1 prefix"),
+    ]
+
+    GRAPHQL_INTROSPECTION = {
+        "query": "{ __schema { types { name fields { name } } } }"
+    }
+
+    def __init__(self, provider="ollama"):
+        self.analyzer = SecurityAnalyzer(provider)
+        self.http = HTTPClient(timeout=10)
+        self.name = "API"
+
+    def scan(self, url: str, **kwargs) -> dict:
+        """Detect API endpoints and test security"""
+        findings = []
+        discovered = []
+
+        # Check common API paths
+        for path, desc in self.API_PATHS:
+            try:
+                full_url = url.rstrip("/") + path
+                resp = self.http.get(full_url)
+                if resp.status_code in [200, 301, 302, 401, 403]:
+                    discovered.append({"path": path, "desc": desc, "status": resp.status_code, "length": len(resp.text)})
+
+                # GraphQL introspection test
+                if "graphql" in path.lower() and resp.status_code == 200:
+                    try:
+                        intro_resp = self.http.post(full_url, json=self.GRAPHQL_INTROSPECTION)
+                        if "__schema" in intro_resp.text or "types" in intro_resp.text:
+                            findings.append({
+                                "type": "GraphQL Introspection Enabled",
+                                "severity": "Medium",
+                                "endpoint": full_url,
+                                "detail": "Schema fully exposed via introspection query",
+                            })
+                    except:
+                        pass
+
+                # Rate limiting check
+                if "api" in path.lower() and resp.status_code == 200:
+                    for _ in range(5):
+                        try:
+                            r = self.http.get(full_url)
+                            if r.status_code == 429:
+                                findings.append({
+                                    "type": "Rate Limiting Active",
+                                    "severity": "Info",
+                                    "endpoint": full_url,
+                                })
+                                break
+                        except:
+                            pass
+
+            except:
+                pass
+
+        analysis = f"API scan complete for {url}\n\n"
+        analysis += f"Endpoints discovered: {len(discovered)}\n\n"
+        for d in discovered:
+            analysis += f"- `{d['path']}` — {d['desc']} (HTTP {d['status']})\n"
+
+        if findings:
+            analysis += f"\n**{len(findings)} API security issues found:**\n\n"
+            for f in findings:
+                analysis += f"- **{f['type']}**: {f.get('endpoint','?')} — {f.get('detail','')}\n"
+            analysis += "\n---\n\nLLM analysis of real API findings:\n"
+
+        result = self.analyzer.analyze_endpoint(url, "GET", analysis)
+        result["real_findings"] = findings
+        result["discovered_endpoints"] = [d["path"] for d in discovered]
+        result["agent"] = self.name
+        result["type"] = "API Security"
+        result["severity"] = "Medium" if findings else "Info"
+        return result

briar_pentest-0.3.0/briar/agents/auth.py

@@ -0,0 +1,141 @@
+"""Authentication Attack Agent — JWT, brute force, token analysis 🔐"""
+import re
+from briar.agents.analyzer import SecurityAnalyzer
+from briar.core.http import HTTPClient
+
+class AuthAgent:
+    """Discovers authentication vulnerabilities"""
+
+    WEAK_CREDS = [
+        ("admin", "admin"), ("admin", "password"), ("admin", "123456"),
+        ("test", "test"), ("guest", "guest"), ("user", "user"),
+        ("root", "root"), ("admin", ""), ("administrator", "administrator"),
+    ]
+
+    def __init__(self, provider="ollama"):
+        self.analyzer = SecurityAnalyzer(provider)
+        self.http = HTTPClient(timeout=10)
+        self.name = "Authentication"
+
+    def _detect_login_form(self, html: str) -> list:
+        """Find login forms by looking for password inputs"""
+        login_forms = []
+        forms = self.http.extract_forms(html)
+        for form in forms:
+            if any("pass" in i.lower() for i in form["inputs"]):
+                login_forms.append(form)
+        return login_forms
+
+    def _test_jwt(self, jwt_str: str) -> list:
+        """Test JWT for common vulnerabilities"""
+        import base64, json
+        findings = []
+        try:
+            parts = jwt_str.split(".")
+            if len(parts) != 3:
+                return findings
+
+            # Decode without verification
+            for i, part in enumerate(parts[:2]):
+                # Add padding
+                padded = part + "=" * (4 - len(part) % 4)
+                try:
+                    decoded = base64.urlsafe_b64decode(padded)
+                    findings.append({
+                        "type": "JWT decoded without verification",
+                        "severity": "Low",
+                        "part": "header" if i == 0 else "payload",
+                        "content": decoded.decode("utf-8", errors="replace")[:200],
+                    })
+                except:
+                    pass
+
+            # Check alg:none
+            header = parts[0]
+            padded = header + "=" * (4 - len(header) % 4)
+            decoded_header = base64.urlsafe_b64decode(padded).decode("utf-8", errors="replace")
+            if '"none"' in decoded_header.lower() or '"None"' in decoded_header:
+                findings.append({
+                    "type": "JWT alg:none accepted",
+                    "severity": "Critical",
+                    "detail": "Algorithm allows 'none' — signature bypass possible",
+                })
+
+        except:
+            pass
+        return findings
+
+    def scan(self, url: str, auth_type: str = "unknown", **kwargs) -> dict:
+        """Scan for authentication vulnerabilities"""
+        findings = []
+
+        try:
+            resp = self.http.get(url)
+            html = resp.text
+
+            # Check for JWT in cookies/headers
+            jwt_pattern = r'[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'
+            for header_val in resp.headers.values():
+                for match in re.finditer(jwt_pattern, header_val):
+                    jwt_findings = self._test_jwt(match.group(0))
+                    findings.extend(jwt_findings)
+            for match in re.finditer(jwt_pattern, resp.text[:2000]):
+                jwt_findings = self._test_jwt(match.group(0))
+                findings.extend(jwt_findings)
+
+            # Find login forms and test weak creds
+            login_forms = self._detect_login_form(html)
+            for form in login_forms:
+                form_url = form["action"] or url
+                for username, password in self.WEAK_CREDS[:5]:
+                    try:
+                        data = {}
+                        for inp in form["inputs"]:
+                            if "user" in inp.lower() or "email" in inp.lower() or "login" in inp.lower():
+                                data[inp] = username
+                            elif "pass" in inp.lower():
+                                data[inp] = password
+                            else:
+                                data[inp] = username
+
+                        login_resp = self.http.post(form_url, data=data, allow_redirects=False)
+                        if login_resp.status_code in [302, 200]:
+                            # Check if login succeeded (no error message, redirect to dashboard)
+                            text_lower = login_resp.text.lower()
+                            if not any(e in text_lower for e in ["invalid", "incorrect", "wrong", "error", "failed"]):
+                                findings.append({
+                                    "type": "Weak credentials",
+                                    "severity": "Critical",
+                                    "endpoint": form_url,
+                                    "credentials": f"{username}:{password}",
+                                    "response_status": login_resp.status_code,
+                                })
+                                break
+                    except:
+                        pass
+
+                if findings:
+                    break  # Found vuln, stop brute force
+
+            if not login_forms:
+                findings.append({"type": "No login form found", "severity": "Info"})
+
+        except Exception as e:
+            findings.append({"type": "Auth scan error", "error": str(e)})
+
+        analysis = f"Authentication scan complete for {url}\n\n"
+        if findings:
+            analysis += f"**{len(findings)} authentication issues found:**\n\n"
+            for f in findings:
+                if "credential" in str(f.get("type", "")).lower():
+                    analysis += f"- **Weak credentials**: `{f.get('credentials','?')}` → {f.get('endpoint','?')}\n"
+                elif "jwt" in str(f.get("type", "")).lower():
+                    analysis += f"- **{f['type']}**: {f.get('detail', f.get('content',''))}\n"
+            analysis += "\n---\n\nLLM analysis of auth findings:\n"
+
+        result = self.analyzer.analyze_endpoint(url, "GET/POST", analysis)
+        result["real_findings"] = findings
+        result["agent"] = self.name
+        result["type"] = "Authentication"
+        result["severity"] = "Critical" if any(f["severity"] == "Critical" for f in findings) else ("High" if findings else "Info")
+        return result