feat: pentest feature improvements — streaming, pause/resume, encryption, browser tool, reports, docs

- True SSE streaming via broadcast channels (DashMap per session) - Session pause/resume with watch channels + dashboard buttons - AES-256-GCM credential encryption at rest (PENTEST_ENCRYPTION_KEY) - Concurrency limiter (Semaphore, max 5 sessions, 429 on overflow) - Browser tool: headless Chrome CDP automation (navigate, click, fill, screenshot, evaluate) - Report code-level correlation: SAST findings, code graph, SBOM linked per DAST finding - Split html.rs (1919 LOC) into html/ module directory (8 files) - Wizard: target/repo dropdowns from existing data, SSH key display, close button on all steps - Auth: auto-register with optional registration URL (Playwright discovery), plus-addressing email, IMAP overrides - Attack chain: tool input/output in detail panel, running node pulse animation - Architecture docs with Mermaid diagrams + 8 screenshots Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-17 00:07:50 +01:00
parent 11e1c5f438
commit a912ec9ad9
45 changed files with 5927 additions and 2133 deletions
--- a/compliance-agent/src/pentest/prompt_builder.rs
+++ b/compliance-agent/src/pentest/prompt_builder.rs
@@ -5,6 +5,100 @@ use compliance_core::models::sbom::SbomEntry;

 use super::orchestrator::PentestOrchestrator;

+/// Attempt to decrypt a field; if decryption fails, return the original value
+/// (which may be plaintext from before encryption was enabled).
+fn decrypt_field(value: &str) -> String {
+    super::crypto::decrypt(value).unwrap_or_else(|| value.to_string())
+}
+
+/// Build additional prompt sections from PentestConfig when present.
+fn build_config_sections(config: &PentestConfig) -> String {
+    let mut sections = String::new();
+
+    // Authentication section
+    match config.auth.mode {
+        AuthMode::Manual => {
+            sections.push_str("\n## Authentication\n");
+            sections.push_str("- **Mode**: Manual credentials\n");
+            if let Some(ref u) = config.auth.username {
+                let decrypted = decrypt_field(u);
+                sections.push_str(&format!("- **Username**: {decrypted}\n"));
+            }
+            if let Some(ref p) = config.auth.password {
+                let decrypted = decrypt_field(p);
+                sections.push_str(&format!("- **Password**: {decrypted}\n"));
+            }
+            sections.push_str(
+                "Use these credentials to log in before testing authenticated endpoints.\n",
+            );
+        }
+        AuthMode::AutoRegister => {
+            sections.push_str("\n## Authentication\n");
+            sections.push_str("- **Mode**: Auto-register\n");
+            if let Some(ref url) = config.auth.registration_url {
+                sections.push_str(&format!("- **Registration URL**: {url}\n"));
+            } else {
+                sections.push_str(
+                    "- **Registration URL**: Not provided — use Playwright to discover the registration page.\n",
+                );
+            }
+            if let Some(ref email) = config.auth.verification_email {
+                sections.push_str(&format!(
+                    "- **Verification Email**: Use plus-addressing from `{email}` \
+                     (e.g. `{base}+{{session_id}}@{domain}`) for email verification. \
+                     The system will poll the IMAP mailbox for verification links.\n",
+                    base = email.split('@').next().unwrap_or(email),
+                    domain = email.split('@').nth(1).unwrap_or("example.com"),
+                ));
+            }
+            sections.push_str(
+                "Register a new test account using the registration page, then use it for testing.\n",
+            );
+        }
+        AuthMode::None => {}
+    }
+
+    // Custom headers
+    if !config.custom_headers.is_empty() {
+        sections.push_str("\n## Custom HTTP Headers\n");
+        sections.push_str("Include these headers in all HTTP requests:\n");
+        for (k, v) in &config.custom_headers {
+            sections.push_str(&format!("- `{k}: {v}`\n"));
+        }
+    }
+
+    // Scope exclusions
+    if !config.scope_exclusions.is_empty() {
+        sections.push_str("\n## Scope Exclusions\n");
+        sections.push_str("Do NOT test the following paths:\n");
+        for path in &config.scope_exclusions {
+            sections.push_str(&format!("- `{path}`\n"));
+        }
+    }
+
+    // Git context
+    if config.git_repo_url.is_some() || config.branch.is_some() || config.commit_hash.is_some() {
+        sections.push_str("\n## Git Context\n");
+        if let Some(ref url) = config.git_repo_url {
+            sections.push_str(&format!("- **Repository**: {url}\n"));
+        }
+        if let Some(ref branch) = config.branch {
+            sections.push_str(&format!("- **Branch**: {branch}\n"));
+        }
+        if let Some(ref commit) = config.commit_hash {
+            sections.push_str(&format!("- **Commit**: {commit}\n"));
+        }
+    }
+
+    // Environment
+    sections.push_str(&format!(
+        "\n## Environment\n- **Target environment**: {}\n",
+        config.environment
+    ));
+
+    sections
+}
+
 /// Return strategy guidance text for the given strategy.
 fn strategy_guidance(strategy: &PentestStrategy) -> &'static str {
    match strategy {
@@ -155,6 +249,11 @@ impl PentestOrchestrator {
        let sast_section = build_sast_section(sast_findings);
        let sbom_section = build_sbom_section(sbom_entries);
        let code_section = build_code_section(code_context);
+        let config_sections = session
+            .config
+            .as_ref()
+            .map(build_config_sections)
+            .unwrap_or_default();

        format!(
            r#"You are an expert penetration tester conducting an authorized security assessment.
@@ -178,7 +277,7 @@ impl PentestOrchestrator {

 ## Code Entry Points (Knowledge Graph)
 {code_section}
-
+{config_sections}
 ## Available Tools
 {tool_names}