Skip to content

[pull] main from JoasASantos:main#11

Open
pull[bot] wants to merge 37 commits into
whzsyx:mainfrom
JoasASantos:main
Open

[pull] main from JoasASantos:main#11
pull[bot] wants to merge 37 commits into
whzsyx:mainfrom
JoasASantos:main

Conversation

@pull

@pull pull Bot commented Jun 26, 2026

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

leebaird and others added 5 commits June 25, 2026 20:22
Updated methodology section for DNS reconnaissance.
Revise DNS reconnaissance methodology details.
`whitebox <arg>`, `greybox --repo <arg>`, `tui --repo`, and the REPL `/repo`
now accept a git URL (https://github.com/owner/repo[.git], git@…, ssh://, *.git)
or an `owner/repo` shorthand. A new resolve_source() shallow-clones it into
<base>/repos/<name> (cached, .gitignored) and reviews it; existing local paths
are used unchanged. Works identically with API-key (--model) and --subscription.

Verified: `neurosploit whitebox https://github.com/digininja/DVWA --offline`
clones DVWA and runs the 78 code agents over 120KB of source.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…mini

Resolves the only two open issues that still apply to the Rust build:
- #21 Azure OpenAI: new `azure` provider (OpenAI-compatible). Endpoint comes
  from AZURE_OPENAI_ENDPOINT, api-version from AZURE_OPENAI_API_VERSION
  (default 2024-10-21); the model name is the Azure deployment; auth uses the
  `api-key` header instead of Bearer. Use `--model azure:<deployment>`.
- #25 Gemini key confusion: GEMINI_API_KEY now also accepts GOOGLE_API_KEY
  (Google's standard env var) as an alias; local providers (ollama/litellm)
  require no key. .env.example documents both.

Kept under the v3.5.2 line (additive provider support).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…windows)

GitHub Actions workflow that, on a pushed v* tag (or manual dispatch), builds a
self-contained NeuroSploit (binary + agents_md/) for every OS/arch and uploads
the archives to the matching release. macOS builds are also attached manually.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@pull pull Bot locked and limited conversation to collaborators Jun 26, 2026
@pull pull Bot added the ⤵️ pull label Jun 26, 2026
JoasASantos and others added 23 commits June 27, 2026 01:56
New harness module `integrations` (+ app commands) wiring NeuroSploit into the
SDLC. Config persists per-project to .neurosploit/integrations.json; secrets are
NEVER stored — only the env-var name is saved, values read from the environment.

GitHub:
- private-repo clone (token injected into the clone URL for whitebox/greybox/tui)
- `neurosploit pr <owner/repo> <n>`: clone the PR head (refs/pull/N/head),
  white-box review, optional `--comment` (PR summary) and `--jira` (cards)
- `neurosploit watch <owner/repo> --branch --interval`: re-review on each new commit
GitLab:
- private-repo clone (oauth2 token) for whitebox/greybox (gitlab.com or self-hosted)
Jira:
- `--jira` on any engagement opens one card per finding (REST /issue, basic auth)

Control:
- `/integrations` (REPL): show · enable/disable · setup jira|gitlab|github
- `neurosploit integrations [show|enable|disable] [github|gitlab|jira]` (CLI)

Docs: README "Integrations" section + new TUTORIAL-INTEGRATION.md (per-tool setup,
scopes, recipes, troubleshooting). Version bumped 3.5.2 → 3.5.3.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…-13)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Credits: Joas A Santos & Red Team Leaders.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…fute pass)

- Robust verdict parsing (pool::parse_verdict): whitespace-insensitive, checks
  explicit rejection first, counts only explicit confirmations; ambiguous →
  Unclear (not confirmed). Replaces the fragile exact-JSON / loose "yes" match.
- Severity-aware quorum (pool::quorum_confirmed): High/Critical now need ≥2
  validators AND ≥2/3 agreement (a single vote can no longer confirm a
  Critical); lower severities need a strict majority (>half, was ≥half). Single-
  model panels fall back to majority so they aren't nuked.
- Adversarial refute pass (REFUTE_SYS): every confirmed High/Critical is
  re-examined by a skeptical panel that assumes false-positive; findings that
  can't withstand a majority of skeptics are dropped. Survives on infra failure.
- Strengthened VOTE_SYS with an explicit false-positive checklist (reflected-not-
  executed, version/banner guesses, self-XSS, error-as-injection, thin evidence,
  inflated severity); validator query now also includes impact.
- Unit tests for parse_verdict + quorum_confirmed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…loitation)

Replaces the single-shot chain_round with attack_chain(): an iterative,
per-foothold pivot engine.
- Each round takes the newest confirmed footholds (best-first, capped) and, for
  EACH one, an agent DECIDES which directions to expand — post-exploitation
  (loot creds/keys/config/source), credential reuse, horizontal+vertical
  privesc, lateral movement to adjacent services/hosts, data exfiltration, and
  new attack surface the foothold exposes — proving each step with a receipt.
- LOOT (creds/tokens/hosts/endpoints) discovered in one round is carried forward
  and reused by later rounds (parsed from a {"findings":[...],"loot":[...]} reply).
- New findings are validated each round (never pivot off a false positive) and
  become the next round's footholds. Loop-until-dry or chain_depth rounds.
- New RunConfig.chain_depth (default 2) + --chain-depth flag on all engagement
  commands (0 disables). CHAIN_SYS rewritten for decision/post-ex framing.
Bundles the multi-round post-exploitation attack-chaining engine (attack_chain:
per-foothold decisions, loot carried forward, validate-before-pivot, loop-until-
dry, --chain-depth) and the false-positive controls (robust verdict parsing,
severity-aware quorum, adversarial refute pass, stronger validator prompt).
Version bumped 3.5.3 -> 3.5.4; README/RELEASE updated.
Cloud testing:
- +17 cloud agents (agents_md/infra/) for AWS/GCP/Azure: IAM/RBAC privesc,
  storage exposure (S3/GCS/Blob), compute & network exposure + IMDS, secrets
  (Secrets Manager / Secret Manager / Key Vault), SA/SP key abuse, Entra ID
  enum, and a multi-cloud footprint/identity recon agent. Library 348 -> 365.
- creds.yaml gains aws:/gcp:/azure: blocks (Creds::cloud). The harness exports
  provider env vars (AWS_*, GOOGLE_APPLICATION_CREDENTIALS, AZURE_* SP) so
  aws/gcloud/az authenticate automatically, and injects a cloud directive. GCP
  inline JSON is written to a temp file. Best-practice auth per provider.

REPL polish:
- /chain <n> (attack-chain depth, wired to Session.chain_depth), /agents list
  (library category counts incl. infra/cloud); /show now shows chain-depth and
  enabled integrations. Tab-completion + help updated.

Docs: README badges (365 agents / 14 providers), new "Cloud credentials" section;
RELEASE notes. Version 3.5.4 -> 3.5.5.
The prompt passed to rustyline embedded ANSI escapes AND a newline (dim context
line + colored `neurosploit›`), so rustyline mis-measured the prompt width and
cursor position — typing/backspace/history/cursor got garbled in a real
terminal (fine when piped, which has no line editor).

Now: the dim context line is printed with println!() ABOVE the prompt, the
readline prompt is plain "neurosploit› " (correct width), and the magenta color
is applied via Highlighter::highlight_prompt (display-only, doesn't affect width).
…prompts

REPL (v3.5.5):
- /timeout <min>: idle guardrail — if no NEW finding lands within the window the
  run soft-stops and validates what was found (default 5 min; 0 disables).
- /target accepts a comma-separated list; /run tests them SEQUENTIALLY (a queue
  auto-advances to the next target when the current run finishes; one report each).
- /results (no arg, interactive): navigation browser — pick target/run → pick
  vulnerability → full detail; Esc steps back a level (vuln → target → session).
- /report (no arg, multiple runs): pick which report to open from a menu.
- /show now shows idle-stop; help updated.

Agent prompts:
- RECON_SYS deepened: crawl + params/headers/cookies, DOWNLOAD & analyze linked
  JS (endpoints, hidden params, GraphQL, secrets, sourceMappingURL), fingerprint
  exact versions, response-differential analysis; richer JSON schema.
- tool_doctrine adds JS-analysis and request/response-analysis guidance
  (linkfinder/gau/katana, header/cookie/timing/length differentials).
…y, PoC dir

Agents (+10 → library 375): absurd-misconfig hunters (exposed .git/.env/backups,
debug/actuator, default creds, dir listing, ops dashboards, permissive CORS,
verbose errors), a CVE Hunter (fingerprint → correlate → safe PoC), a PoC
Developer (writes runnable scripts to the run's pocs/), and a Rate-Limit tester.

Doctrine (pipeline):
- SAFETY_DOCTRINE injected into every exploit/chain/host prompt: no modify/delete/
  exfiltrate/state-change without permission; on PII prove with a masked sample +
  count, never dump.
- tool_doctrine adds: smart targeted nuclei (fingerprint-first, -tags/-id, rate/
  timeouts), misconfig hunting, rate-limit control checks, authorized tool
  download (git clone PoC repos / fetch scanners), Burp/ZAP proxy routing, and a
  per-run PoC workspace.

Harness/CLI/REPL:
- RunConfig.proxy; spawn_engagement creates <workdir>/pocs and exports
  NEUROSPLOIT_POCS + NEUROSPLOIT_PROXY (proxy from cfg or the env var).
- REPL /proxy <url> and /burp (Session.proxy); /show shows proxy.

Docs: README highlights + Cloud/counts (375), RELEASE v3.5.5 sections.
The OPTIONS/RUN sections crammed a second command into the description column
(/clear, /quit, /offline, /chain, /theme appeared as loose text), which was
confusing. Every command now has its own aligned row; split /attach+/context and
/diff+/retest; added /results, /finding, /report, /offline, /theme rows; added
/finding and /expand to Tab-completion.
Attribution (anti-plagiarism), multiple layers:
- Identifying User-Agent on every request (default NeuroSploit/<ver> + an
  X-NeuroSploit-Scan header), overridable via /ua or NEUROSPLOIT_UA env; shown
  in the run banner. RunConfig.user_agent + Session.user_agent wired through.
- Every finding is stamped "Identified and validated by NeuroSploit …" (in
  finish() and the raw-report path) so provenance travels in the finding text,
  findings.json and the report.

Multi-role authentication for access-control testing (IDOR/BOLA/BFLA/privesc):
- creds.yaml gains named identity blocks (admin:/user:/victim:/…), each with
  jwt | header | cookie | apikey | login+username+password. With >=2 roles the
  harness injects a cross-role access-control directive (authorized-vs-unauthorized
  proof) and defaults the primary auth to the first role.

Also: /help now lists one command per line (fixes smushed OPTIONS/RUN columns);
/ua command + Session field; docs (README + RELEASE) updated.
…ust)

New harness::probe runs a real request/response analysis of the target BEFORE
the model recon and injects the observed facts into recon, so agent-selection
and exploitation decisions are grounded in evidence (robust even when model
recon is weak):
- status & redirect, Server/X-Powered-By/content-type, 6 security headers,
  cookie flags (HttpOnly/Secure/SameSite), CORS reflection test (arbitrary
  Origin + credentials), tech fingerprint, linked scripts, form count, a 404
  baseline for soft-404 differentials, and high-signal paths (/robots.txt,
  /.git/config, /.env, /sitemap.xml, /.well-known/security.txt).
- Best-effort (never fatal — degrades to a note on network failure), honors the
  identifying User-Agent and the Burp/ZAP proxy. Wired into black-box run() and
  greybox recon. A one-line probe summary streams to the live feed.
… codex wiring)

Why runs came back empty / "MCP didn't execute":
- Not logged in: a subscription CLI that isn't authenticated returns empty
  instantly (the Juice Shop symptom — every agent 0 candidates, no tool activity).
  Added models::cli_login_status + subscription_preflight(): before a run we check
  the primary provider's CLI is installed AND logged in and warn clearly if not
  (CLI run_mode + REPL start_background).
- Missing browser: ensure_playwright_mcp now also runs `npx playwright install
  chromium` (best-effort; NEUROSPLOIT_SKIP_BROWSER_INSTALL=1 to skip) so the first
  browser action doesn't fail/hang.
- Codex MCP was mis-wired (`--config mcp_config_file=` is not a codex key). Now
  injects our .mcp.json servers via `-c mcp_servers.<name>.command/.args` TOML
  overrides — MCP works on Codex, not only Claude. gemini/grok remain built-in-tools
  only (no MCP flag).
- REPL diagnostic: subscription+MCP run with zero tool/browser events warns the
  CLI likely isn't logged in / MCP didn't start.
- tool_doctrine: agents now actively DRIVE the browser on JS/SPA targets — use
  the Playwright MCP (render, read live DOM, click client-side routes, watch the
  network to find the real API, screenshot proof); when no MCP, use the Playwright
  CLI (write+run a small script / npx playwright screenshot) to render and capture
  XHR/fetch traffic — complementing curl (which only sees the empty shell).
- probe: detect SPAs (<app-root>, ng-version, near-empty body + linked scripts →
  Angular/React/Vue/SPA) and note in recon that the browser is required, so the
  SPA agents get selected.
- +8 SPA/API agents (library 383): spa_api_discovery, spa_hidden_admin,
  login_sqli_bypass, dom_xss_spa, api_bola_numeric_ids,
  register_privilege_mass_assign, jwt_forgery_spa, spa_business_logic.
- Docs: README/RELEASE/TUTORIAL counts + notes.
…; Ctrl-C confirm

- /results (interactive, no arg) now ALWAYS opens the run/test picker (target →
  vuln → detail, Esc back) instead of jumping straight to the current run's vulns.
  The live run (if any) appears at the top, past runs newest-first — so you can
  browse every test, not only the active one.
- /validate [n]: re-run false-positive validation (N-model voting + adversarial
  refute) on a recovered/past run's findings WITHOUT re-testing the target, then
  rewrite that run's findings + report. Backed by new harness::pipeline::revalidate.
  Use this after a crash/quit recovered raw findings into /runs.
- Ctrl-C at the prompt now CONFIRMS instead of silently cancelling: with a live
  run it offers [s]top&validate / [q]uit(keep findings) / keep-running; otherwise
  asks "exit? [y/N]" — so a stray Ctrl-C can't lose a running test.
…run from anywhere

- setup.sh: downloads the prebuilt release asset for the detected OS/arch (no Rust
  needed; latest release auto-resolved), installs binary + agents_md to
  ~/.neurosploit-app, symlinks into ~/.local/bin, and PERSISTS PATH +
  NEUROSPLOIT_BASE into the shell rc (bash/zsh/fish). Falls back to a source build
  (NEUROSPLOIT_BUILD=1 to force). Idempotent.
- install.ps1: same for Windows — downloads windows-x64 zip, installs to
  %LOCALAPPDATA%\NeuroSploit, sets User PATH + NEUROSPLOIT_BASE (setx), source-build
  fallback (incl. arm64).
- find_base(): auto-discovers agents_md/ NEXT TO THE EXECUTABLE (resolves the PATH
  symlink via current_exe) and at common install dirs — so `neurosploit` runs from
  ANY folder even without the env var. Env override still takes precedence.
  Verified: symlinked binary run from /tmp with no env finds all 383 agents.
…h, +6 agents

- DECISION_DOCTRINE injected into exploit/grey/chain prompts: analyse responses to
  pick the technique; map & connect routes (endpoint output → next endpoint input);
  hunt sensitive flows; mine parameters (incl. hidden from JS/source maps) and test
  per-param; mock realistic (non-PII) data to reach deeper logic; exploit the
  authenticated surface after login and compare roles; build PoCs when a proof
  needs an artifact; bypass 401/403/redirect controls.
- REPL /auth now supports multiple named identities (/auth admin <hdr>, /auth user
  <hdr>; bare token → Bearer). With >=2 roles the run gets the access-control
  directive (IDOR/BOLA/BFLA/privesc, authorized-vs-unauthorized) and tests both.
- +6 decision agents (library 389): param_miner, endpoint_flow_linker,
  authenticated_surface_exploit, clickjacking_poc (HTML PoC), csrf_poc (HTML PoC),
  access_control_bypass.
- Docs: counts 383->389, RELEASE + /auth help updated.
Detect components past their vendor end-of-life/end-of-support window and exploit
the accumulated, unpatched CVEs (pin exact version → check endoflife.date + CVE
feeds → safe PoC):
- vulns: eol_stack_detection, eol_runtime_exploitation, eol_framework_exploitation,
  eol_cms_exploitation, eol_client_library
- infra: eol_webserver_exploitation, eol_os_service, eol_tls_protocol
Docs: counts 389->397, RELEASE note.
…n tricks

- New meta/bugbounty_methodology.md (library 398): distilled high-signal techniques
  from public writeups (HackerOne Hacktivity, KingOfBugBounty, Awesome-Bugbounty-
  Writeups, bug-bounty-reference, top hunters) — hunter mindset + per-class tricks
  (IDOR/BOLA, 403 bypass, account takeover, SSRF->cloud, business logic/race, cache
  poisoning, subdomain takeover, GraphQL), chaining and reporting.
- RECON_SYS gains KingOfBugBounty-style recon: subdomain enum (crt.sh/subfinder/
  amass->httpx), historical URLs (gau/waybackurls/katana), gf patterns, param mining
  (arjun+JS/wayback), content discovery (ffuf/feroxbuster), classic exposure checks
  (.git/.env/swagger/actuator, dangling CNAMEs). Degrades to installed tools.
- Docs: counts 397->398, RELEASE note.
…adge

- Fetched & analysed real public writeup corpora (Awesome-Bugbounty-Writeups,
  bug-bounty-reference); the technique distribution (XSS/RCE/CSRF/SSRF/2FA/…)
  validates the methodology agent's priorities. Added explicit 2FA/MFA bypass and
  SAML/SSO sections to bugbounty_methodology.
- New agent twofa_bypass_techniques (library 399): full 2FA-bypass playbook
  (rate-limit brute, reuse, response manipulation, step skip, null/default,
  backup/remember-me, race, disable-2FA IDOR, SSO side door).
- README: Trendshift badge.
- Version bumped 3.5.5 -> 3.5.6 across crates/app/installers/docs; RELEASE section.
- New `ai` agent category (agents_md/ai/, +18): OWASP LLM Top 10 (2025) — prompt
  injection (direct+indirect), jailbreak, system-prompt leak, sensitive-info
  disclosure, improper output handling, excessive agency, RAG/embedding, unbounded
  consumption, supply chain, misinformation — plus MCP risks (tool poisoning,
  excessive permissions/confused-deputy, unsafe tool execution) and Skills/plugin
  + n8n workflow audits (incl. an AI/LLM-node audit). Library 417.
- Pipeline: run_ai (live AI/LLM/MCP red-team) + run_skills_audit (white-box .md/
  .json/folder for skills & exported n8n flows), AI_DOCTRINE + AI_RECON_SYS. Mode
  enum gains Ai/Skills; wired in CLI + TUI.
- CLI: `aitest <url>` and `skills <path>` subcommands. `agents` JSON now reports ai.
- REPL onboarding wizard (/onboard, auto on first launch): pick scope — web /
  infra / cloud / ai / skills — then guided setup; Session.scope drives dispatch;
  shown in /show.
- Models: +claude-sonnet-5, +grok-4.5.
- Version 3.5.6 -> 3.6.0; docs/counts (417) + RELEASE section.
…nstall

Recon was a single quick model pass — now it's deep and iterative:
- deep_recon(): an initial deep enumeration pass then follow-up EXPANSION rounds
  that chase discovered subdomains/hosts/endpoints/params, converging when a
  round finds nothing new. Rounds scale with intensity.
- recon_intensity_directive(): tells the agent HOW hard to recon and to INSTALL
  the tools it needs (apt/pip/go/npm/cargo) — subfinder/amass/httpx/gau/katana/
  gf/arjun/ffuf/nuclei/nmap/dnsx/linkfinder/whatweb/nikto/testssl — chained
  (subfinder->httpx->katana/gau->gf->ffuf); covers subdomains, crawl+wayback, JS,
  content/param discovery, ports, versions, API, exposures, TLS/headers.
- RunConfig.recon_intensity (default 3) + REPL /recon <1-4> + CLI --recon <1-4>
  (1 quick .. 4 exhaustive); shown in /show.
Added the OpenAI GPT-5.6 line to the provider pool: gpt-5.6-sol (frontier/default),
gpt-5.6-terra (balanced), gpt-5.6-luna (fast/affordable). Version 3.6.0 -> 3.6.1.
…sult

`codex exec` in --dangerously-bypass-approvals-and-sandbox mode exits non-zero
when a tool/command it ran internally (curl/nmap/etc.) returned non-zero — even
though it produced a valid final answer. chat_cli treated any non-zero exit as a
hard failure and dropped the output ("recon round 1 failed ... exit 1"). Now, on
non-zero exit WITH usable stdout and no auth/rate/quota keyword, we use the
output; only genuine auth/rate/quota errors (or empty output) fail hard.
…ill recon

Symptom: with a non-streaming subscription CLI (codex), a long/intense recon
showed nothing in the feed ("phase starting") and the 5-min idle guardrail killed
the run before any agent ran.
- render_compact now SHOWS recon/probe/ai-recon/skills-audit/loaded/running lines
  (were dropped) so a long recon no longer looks frozen.
- Idle guardrail reworked: resets on ANY streamed activity (not only new
  findings) and only ARMS after exploitation starts (agent launch / vote) — recon
  can never trip it. Message: "no activity in N min".
- RunLive.ingest sets phase=recon on recon/probe lines (was stuck at "starting").
- /status now shows progress in EVERY phase: a real bar once agents are selected,
  otherwise the current pre-exploit phase + counters (cmds, activity lines), plus
  a "last:" sign-of-life line (the latest activity) and the actual full findings.
  Before, the bar only appeared after agent selection, so a long recon looked
  frozen. Findings count now uses the full list.
- New /logs [n] — dump the recent activity feed (recon/tools/findings) of the
  running test; useful with non-streaming CLIs (codex) or after scrolling. Backed
  by a capped feed ring buffer + last/lines counters in RunLive.
… /status

- Drive `codex exec --json` and parse its JSONL event stream into the same
  categorized live feed as Claude Code (exec/edit/tool/net/tokens), so recon and
  exploitation are visible as each command runs instead of a silent black box.
- Fix the activity feed to keep per-agent tool events (commands, network, files,
  findings) and only filter model reasoning + token telemetry, so /logs shows the
  real command trail and /status 'last:' is a true sign-of-life.
- Surface failed internal commands as 'exec: (exit N)'; keep Codex auth/rate
  detection from stderr.
…download

A missing or un-downloadable recon tool must never block the run. Both the recon
intensity directive and the general tool doctrine now instruct agents to:
- wrap every install in `timeout 90 <install> || echo skip` and run non-interactively
- try each tool install at most once; on failure/no-package/no-network/hang, skip
  immediately and fall back to an installed alternative or curl/nc/dig/python3
- never wait on, retry, or block the whole recon for a single tool download
- /continue (and /resume) now relaunch a recovered interrupted run on the same
  target, carrying its findings forward and steering agents to widen coverage /
  chain from them instead of re-reporting. Offer shown at launch; a fresh /run
  supersedes it. Findings merge (dedup by title+endpoint) across both runs.
- Opening /results, /finding or /report while a run streams no longer corrupts
  the terminal: live background output is paused for the picker (still captured
  in /logs) and restored on exit, so Ctrl-C in a picker can't take the process
  down mid-run.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants