style: apply Biome formatting to backported files

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-20 00:46:33 +00:00
committed by Hugh Commit [agent]
parent 8944f7b5c0
commit dcfcecfea7
3 changed files with 82 additions and 65 deletions
+78 -49
@@ -17,8 +17,7 @@ import type { AgentName } from '../types/agents.js';
// === Common Fields === // === Common Fields ===
const ANALYSIS_NOTES_DESCRIPTION = const ANALYSIS_NOTES_DESCRIPTION = 'Plain context for defenders (caveats, scope, what is at risk). Not attack steps.';
'Plain context for defenders (caveats, scope, what is at risk). Not attack steps.';
function notesField(exploit: boolean) { function notesField(exploit: boolean) {
const f = z.string().optional(); const f = z.string().optional();
@@ -114,53 +113,83 @@ function toOutputFormat(zodSchema: z.ZodType): JsonSchemaOutputFormat {
function buildOutputFormats(exploit: boolean): Partial<Record<AgentName, JsonSchemaOutputFormat>> { function buildOutputFormats(exploit: boolean): Partial<Record<AgentName, JsonSchemaOutputFormat>> {
const base = makeBase(exploit); const base = makeBase(exploit);
return { return {
'injection-vuln': toOutputFormat(z.object({ vulnerabilities: z.array(base.extend({ 'injection-vuln': toOutputFormat(
source: z.string().optional(), z.object({
combined_sources: z.string().optional(), vulnerabilities: z.array(
path: z.string().optional(), base.extend({
sink_call: z.string().optional(), source: z.string().optional(),
slot_type: z.string().optional(), combined_sources: z.string().optional(),
sanitization_observed: z.string().optional(), path: z.string().optional(),
concat_occurrences: z.string().optional(), sink_call: z.string().optional(),
verdict: z.string().optional(), slot_type: z.string().optional(),
mismatch_reason: z.string().optional(), sanitization_observed: z.string().optional(),
witness_payload: z.string().optional(), concat_occurrences: z.string().optional(),
})) })), verdict: z.string().optional(),
'xss-vuln': toOutputFormat(z.object({ vulnerabilities: z.array(base.extend({ mismatch_reason: z.string().optional(),
source: z.string().optional(), witness_payload: z.string().optional(),
source_detail: z.string().optional(), }),
path: z.string().optional(), ),
sink_function: z.string().optional(), }),
render_context: z.string().optional(), ),
encoding_observed: z.string().optional(), 'xss-vuln': toOutputFormat(
verdict: z.string().optional(), z.object({
mismatch_reason: z.string().optional(), vulnerabilities: z.array(
witness_payload: z.string().optional(), base.extend({
})) })), source: z.string().optional(),
'auth-vuln': toOutputFormat(z.object({ vulnerabilities: z.array(base.extend({ source_detail: z.string().optional(),
source_endpoint: z.string().optional(), path: z.string().optional(),
vulnerable_code_location: z.string().optional(), sink_function: z.string().optional(),
missing_defense: z.string().optional(), render_context: z.string().optional(),
exploitation_hypothesis: z.string().optional(), encoding_observed: z.string().optional(),
suggested_exploit_technique: z.string().optional(), verdict: z.string().optional(),
})) })), mismatch_reason: z.string().optional(),
'ssrf-vuln': toOutputFormat(z.object({ vulnerabilities: z.array(base.extend({ witness_payload: z.string().optional(),
source_endpoint: z.string().optional(), }),
vulnerable_parameter: z.string().optional(), ),
vulnerable_code_location: z.string().optional(), }),
missing_defense: z.string().optional(), ),
exploitation_hypothesis: z.string().optional(), 'auth-vuln': toOutputFormat(
suggested_exploit_technique: z.string().optional(), z.object({
})) })), vulnerabilities: z.array(
'authz-vuln': toOutputFormat(z.object({ vulnerabilities: z.array(base.extend({ base.extend({
endpoint: z.string().optional(), source_endpoint: z.string().optional(),
vulnerable_code_location: z.string().optional(), vulnerable_code_location: z.string().optional(),
role_context: z.string().optional(), missing_defense: z.string().optional(),
guard_evidence: z.string().optional(), exploitation_hypothesis: z.string().optional(),
side_effect: z.string().optional(), suggested_exploit_technique: z.string().optional(),
reason: z.string().optional(), }),
minimal_witness: z.string().optional(), ),
})) })), }),
),
'ssrf-vuln': toOutputFormat(
z.object({
vulnerabilities: z.array(
base.extend({
source_endpoint: z.string().optional(),
vulnerable_parameter: z.string().optional(),
vulnerable_code_location: z.string().optional(),
missing_defense: z.string().optional(),
exploitation_hypothesis: z.string().optional(),
suggested_exploit_technique: z.string().optional(),
}),
),
}),
),
'authz-vuln': toOutputFormat(
z.object({
vulnerabilities: z.array(
base.extend({
endpoint: z.string().optional(),
vulnerable_code_location: z.string().optional(),
role_context: z.string().optional(),
guard_evidence: z.string().optional(),
side_effect: z.string().optional(),
reason: z.string().optional(),
minimal_witness: z.string().optional(),
}),
),
}),
),
}; };
} }
+3 -15
@@ -17,13 +17,7 @@
*/ */
import { fs, path } from 'zx'; import { fs, path } from 'zx';
import type { import type { AuthFinding, AuthzFinding, InjectionFinding, SsrfFinding, XssFinding } from '../ai/queue-schemas.js';
AuthFinding,
AuthzFinding,
InjectionFinding,
SsrfFinding,
XssFinding,
} from '../ai/queue-schemas.js';
import { deliverablesDir } from '../paths.js'; import { deliverablesDir } from '../paths.js';
import type { ActivityLogger } from '../types/activity-logger.js'; import type { ActivityLogger } from '../types/activity-logger.js';
import type { VulnClass } from '../types/config.js'; import type { VulnClass } from '../types/config.js';
@@ -125,10 +119,7 @@ function renderInjectionEntry(e: InjectionFinding): string {
return buildEntry( return buildEntry(
e.ID, e.ID,
e.vulnerability_type, e.vulnerability_type,
[ [summaryRow('Vulnerable location', location), summaryRow('Overview', e.mismatch_reason)],
summaryRow('Vulnerable location', location),
summaryRow('Overview', e.mismatch_reason),
],
e.notes, e.notes,
); );
} }
@@ -138,10 +129,7 @@ function renderXssEntry(e: XssFinding): string {
return buildEntry( return buildEntry(
e.ID, e.ID,
e.vulnerability_type, e.vulnerability_type,
[ [summaryRow('Vulnerable location', location), summaryRow('Overview', e.mismatch_reason)],
summaryRow('Vulnerable location', location),
summaryRow('Overview', e.mismatch_reason),
],
e.notes, e.notes,
); );
} }
+1 -1
@@ -28,10 +28,10 @@ import { DEFAULT_DELIVERABLES_SUBDIR, deliverablesDir } from '../paths.js';
import { getContainer, getOrCreateContainer, removeContainer } from '../services/container.js'; import { getContainer, getOrCreateContainer, removeContainer } from '../services/container.js';
import { classifyErrorForTemporal, PentestError } from '../services/error-handling.js'; import { classifyErrorForTemporal, PentestError } from '../services/error-handling.js';
import { ExploitationCheckerService } from '../services/exploitation-checker.js'; import { ExploitationCheckerService } from '../services/exploitation-checker.js';
import { renderFindingsFromQueues } from '../services/findings-renderer.js';
import { executeGitCommandWithRetry } from '../services/git-manager.js'; import { executeGitCommandWithRetry } from '../services/git-manager.js';
import { runPreflightChecks } from '../services/preflight.js'; import { runPreflightChecks } from '../services/preflight.js';
import type { ExploitationDecision, VulnType } from '../services/queue-validation.js'; import type { ExploitationDecision, VulnType } from '../services/queue-validation.js';
import { renderFindingsFromQueues } from '../services/findings-renderer.js';
import { assembleFinalReport, injectModelIntoReport } from '../services/reporting.js'; import { assembleFinalReport, injectModelIntoReport } from '../services/reporting.js';
import { AGENTS } from '../session-manager.js'; import { AGENTS } from '../session-manager.js';
import type { AgentName } from '../types/agents.js'; import type { AgentName } from '../types/agents.js';