Package Exports
- pentesting
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (pentesting) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
Pentesting π
Pentesting is a local-first Rust coding agent CLI for authorized security work, with audited reverse-shell and PTY session control: catch callbacks, verify upgrades, pivot across sessions, and reclaim them cleanly.
The runtimeβnot the modelβowns routing, tool sandboxing, verification, completion adjudication, and PTY/session lifecycle management. PTYs are first-class runtime objects: upgrade state, resize authority, transcript capture, file-descriptor ownership, and close/revoke/gc reclamation are all tracked explicitly.
β Capabilities
Agent-loop essentials plus a security-focused runtime layer.
| Area | What it does |
|---|---|
| Model-driven loop | Streaming tool-use loop; the model decides when it's done |
| Tool guardrails | Read-before-edit enforcement, repeat-call guard, policy-gated file/shell/network |
| Permissions | Allow / Deny / Confirm, with once/always decisions persisted |
| Context compaction | Automatic micro-pruning + model-triggered summarization, pre/post hooks |
| Interrupt & steering | ESC to interrupt mid-turn, queue follow-ups while it works, and keep Enter submissions deterministic across PTY redraw/control-response noise |
| Reverse-shell control plane | Accept and track multiple authorized callbacks, tag/probe sessions, send/observe/run commands, verify PTY upgrades, and keep transcript/ledger/evidence records |
| PTY session control | Treat upgraded shells as managed PTY sessions with resize gating, transcript capture, FD accounting, and deterministic close/revoke/gc reclamation |
| Frontier-guided exploration | Persistent, deduplicated lead frontier: the runtime enforces pivots and caps, and recommends breadth-first enumeration vs depth-first exploitation while the model drives |
| Subagents | Broad-clone delegates with category focus overlays; independent deep-specialist leads (crypto/rev/pwn) run in the same parallel batch so the main line keeps moving |
| MCP & skills | Dynamic MCP tool discovery, layered markdown skills |
| Memory | Ebbinghaus-style decaying notes + hybrid lexical/semantic/graph retrieval |
π Quick Start
Install globally, or run once with a Node package runner:
npm install -g pentesting && pentesting # install
npx pentesting # or run once, no install
pnpm dlx pentesting
yarn dlx pentestingRequires Node.js 18.18+. Use npm/npx/pnpm/yarn; Bun and Deno runners are not supported.
π³ Run with Docker
No local Rust toolchain needed:
export OPENAI_API_KEY="sk-..." # provider API key or gateway token
export OPENAI_BASE_URL="https://api.openai.com/v1"
export OPENAI_MODEL="gpt-4o"
export OPENAI_MAX_TOKENS="4096"
docker run -it --rm \
-v "$(pwd):/workspace" \
-v pentesting-config:/root/.pentesting \
-w /workspace \
-e OPENAI_API_KEY \
-e OPENAI_BASE_URL \
-e OPENAI_MODEL \
-e OPENAI_MAX_TOKENS \
agnusdei1207/pentesting:latestProvider environment variables are optional for startup. If they are omitted,
the interactive TUI still launches and lets you configure/login inside the
persistent pentesting-config volume.
Or via Docker Compose:
PENTESTING_PROJECT_DIR=/path/to/project \
OPENAI_API_KEY=sk-... \
OPENAI_BASE_URL=https://api.openai.com/v1 \
OPENAI_MODEL=gpt-4o \
OPENAI_MAX_TOKENS=4096 \
docker compose run --rm pentestingCommon commands
pentesting # Interactive TUI
pentesting --prompt "Enumerate the target and summarize next actions."
pentesting shell-listener --bind 127.0.0.1 --port 4444 # Authorized reverse-shell listener
pentesting --versionUse shell-listener in authorized CTF/lab work to accept callbacks, tag sessions, run sentinel-tracked commands, verify PTY upgrades, and retain transcripts/evidence.
Short version: the agent can catch a dumb reverse shell, upgrade it to a verified PTY, pivot to a second callback, and reclaim both sessions cleanly with close / revoke / gc.
Inside a session, /help lists every command and /update pulls the latest release for supported native targets.
π Reverse-shell & PTY sessions
Catch and manage authorized shell callbacks: one listener, many targets, audited cleanup.
pentesting shell-listener --port 4444 # 1. Catch callbacks (tracks many at once)
pentesting shell-session list # 2. See every live session + FD ownership
pentesting shell-session run -- id # 3. Run sentinel-bounded commands, capture output
pentesting shell-session pty-upgrade # 4. Inject the PTY helper; `upgrade` then verifies it
pentesting shell-session revoke --session 1 # 5. Hard-close: reclaim FDs + archive evidence- Track β each callback is accepted, numbered, and tagged;
list/info/fdstat/lifecycleshow live state, byte counts, and FD ownership. - Drive β
runwraps commands in a sentinel to capture exactly their output;send/raw/signal/resizegive interactive control. - Upgrade β
pty-upgradesends the built-in helper andupgradeverifies a real PTY before remote resize is allowed; the agent must pick the method with--technique(python3,python,python2,script,expectβ no default) after reconning what the target actually has, or send a fully custom command instead. - Record β per-session raw log, full-duplex transcript, command ledger, replay, and evidence manifest β with secret redaction for registered values.
- Reclaim β
close(graceful) andrevoke(hard) release file descriptors immediately and archive the session;gcprunes closed sessions. Reclamation is tracked end-to-end, so FDs never leak.
βοΈ Configuration
Pentesting uses local storage by default. For normal use, configure only the model endpoint:
Example .env / shell setup
# OpenAI-compatible provider or gateway
export OPENAI_API_KEY="sk-..."
export OPENAI_BASE_URL="https://api.openai.com/v1"
export OPENAI_MODEL="gpt-4o"
export OPENAI_MAX_TOKENS="4096"
# Runtime overrides (optional)
export PENTESTING_CONFIG="$HOME/.config/pentesting" # move the global config dir
export PENTESTING_SKIP_DOWNLOAD=1 # skip postinstall binary download (CI)The TUI pre-fills output max tokens from known model names/provider metadata. OPENAI_MAX_TOKENS and the TUI field are explicit overrides for custom/self-hosted models.
Frontier-guided CTF exploration
The global frontier engine default stays off, but CTF-shaped engagement config
auto-applies the CTF runtime profile: ctf-competition autonomy, runtime
exploration, autonomous continuation, and a completion gate that requires
verified flag_check evidence. A ready-to-copy profile lives at
docs/config/ctf.toml:
[engagement]
kind = "ctf"
flag_format = "flag\\{[^}]+\\}"
require_flag_evidence = true
[exploration]
enabled = true
max_frontier_nodes = 256
max_breadth = 4With the profile active, the runtime stores explore leads as
EvidenceKind::Lead events, carries prior-run frontier/findings/verified flags
forward, deduplicates leads, auto-pivots dead probes, enforces graph/cap limits,
and injects a breadth/depth recommendation into mission control. The model still
drives the work through explore and task; heavy independent leads such as
crypto/rev/pwn ride the same parallel delegation batch rather than a detached
background scheduler. Operators can inspect the current graph with /frontier,
and the status row shows compact frontier progress during dispatch.
Malformed tool-call output is fail-loud: unparsed tool-shaped markup is retried instead of accepted as a final answer, the TUI suppresses raw control markup, and large no-newline streams are bounded so rendering cannot hang behind usage-only progress ticks.
The shipped contract is covered by
cargo test -p builder_app orch_spec::exploration_e2e: it verifies the
flag-off regression path plus breadth enumeration, depth descent, sibling
breadth, dead-probe pivot, global reseed, seed digest, broad-clone overlay, and
child result promotion.
With Docker, mount both your project and the persistent runtime config volume, then pass the same variables through with -e:
docker run -it --rm \
-v "$(pwd):/workspace" \
-v pentesting-config:/root/.pentesting \
-w /workspace \
-e OPENAI_API_KEY \
-e OPENAI_BASE_URL \
-e OPENAI_MODEL \
-e OPENAI_MAX_TOKENS \
agnusdei1207/pentesting:latestThose variables only pre-fill provider settings. Leaving them unset must not block the container from launching the TUI; configure the provider interactively inside the container instead.
Note: The command you run is always
pentesting. The internal engine isbuilderβpentestingdownloads and runs it under the hood; the engine name never surfaces in normal use.
π Documentation
ARCHITECTURE.mdβ Runtime flow, agent team, memory model, crate map, tool surface, and supported targets.- Internal layout: service traits are split under
builder_app/src/services/*; OpenAI request conversion is isolated underdto/openai/request/*. - Public site β Landing page and public runtime entry surface.
compose.yamlβ Docker Compose facade for pentesting sessions.
πΉ From the Developer
"I believe playing the piano is also a form of orchestration."
The harmony of polyphony β multiple voices β and homophony β a single melodic line.
Each voice sings its most beautiful song from its own place, yet when combined, they create one grand, beautiful melody. I believe this structure is no different from AI agents.
β agnusdei1207