feat: pentest onboarding — streaming, browser automation, reports, user cleanup #16

Merged

sharang merged 5 commits from feat/pentest-onboarding into main 2026-03-17 20:32:21 +00:00

Conversation 0 Commits 5 Files Changed 57 +8844 -2423

sharang commented 2026-03-17 18:56:24 +00:00

Owner

Copy Link

Complete pentest feature overhaul: SSE streaming, session-persistent browser tool (CDP), AES-256 credential encryption, auto-screenshots in reports, code-level remediation correlation, SAST triage chunking, context window optimization, test user cleanup (Keycloak/Auth0/Okta), wizard dropdowns, attack chain improvements, architecture docs with Mermaid diagrams.

Complete pentest feature overhaul: SSE streaming, session-persistent browser tool (CDP), AES-256 credential encryption, auto-screenshots in reports, code-level remediation correlation, SAST triage chunking, context window optimization, test user cleanup (Keycloak/Auth0/Okta), wizard dropdowns, attack chain improvements, architecture docs with Mermaid diagrams.

sharang added 3 commits 2026-03-17 18:56:24 +00:00

feat: pentest feature improvements — streaming, pause/resume, encryption, browser tool, reports, docs ... a912ec9ad9

- True SSE streaming via broadcast channels (DashMap per session)
- Session pause/resume with watch channels + dashboard buttons
- AES-256-GCM credential encryption at rest (PENTEST_ENCRYPTION_KEY)
- Concurrency limiter (Semaphore, max 5 sessions, 429 on overflow)
- Browser tool: headless Chrome CDP automation (navigate, click, fill, screenshot, evaluate)
- Report code-level correlation: SAST findings, code graph, SBOM linked per DAST finding
- Split html.rs (1919 LOC) into html/ module directory (8 files)
- Wizard: target/repo dropdowns from existing data, SSH key display, close button on all steps
- Auth: auto-register with optional registration URL (Playwright discovery), plus-addressing email, IMAP overrides
- Attack chain: tool input/output in detail panel, running node pulse animation
- Architecture docs with Mermaid diagrams + 8 screenshots

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

fix: add pentest architecture to sidebar, fix image paths, enable mermaid ... a737c36bc9

- Add vitepress-plugin-mermaid for diagram rendering
- Add Pentest Architecture page to sidebar nav
- Fix image paths (../public/ → / for VitePress public serving)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat: browser session persistence, auto-screenshots, context optimization, user cleanup ... 37690ce734

Browser tool:
- Session-persistent Chrome tab (same tab reused across all calls in a pentest)
- Auto-screenshot on every navigate and click (stored in attack chain for report)
- Fill uses CDP Input.insertText (fixes WebSocket corruption on special chars)
- Switched from browserless/chromium to chromedp/headless-shell (stable WS)

Context window optimization:
- Strip screenshot_base64 from LLM conversation (kept in DB for report)
- Truncate HTML to 2KB, page text to 1.5KB in LLM messages
- Cap element/link arrays at 15 items
- SAST triage: batch 30 findings per LLM call instead of all at once

Report improvements:
- Auto-embed screenshots in attack chain timeline (navigate + click nodes)
- Cover page shows best app screenshot
- Attack chain phases capped at 8 (no more 20x "Final")

User cleanup:
- TestUserRecord model tracks created test users per session
- cleanup.rs: Keycloak (Admin REST API), Auth0 (Management API), Okta (Users API)
- Auto-cleanup on session completion when cleanup_test_user is enabled
- Env vars: KEYCLOAK_ADMIN_USERNAME, KEYCLOAK_ADMIN_PASSWORD

System prompt:
- Explicit browser usage instructions (navigate → get_content → click → fill)
- SPA auth bypass guidance (check page content, not HTTP status)
- Screenshot instructions for evidence collection

Other:
- Pin mongo:7 in docker-compose (mongo:latest/8 segfaults on kernel 6.19)
- Add deploy/docker-compose.mailserver.yml for Postfix + Dovecot

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

sharang added 1 commit 2026-03-17 20:13:22 +00:00

test: add 29 new tests for cleanup, orchestrator, findings, tool registry, models ... 0236cad536

- cleanup.rs: 8 tests — routing logic, skip conditions, missing config errors
- orchestrator.rs: 7 tests — summarize_tool_output (screenshot strip, truncation, recursion)
- findings.rs: 6 tests — empty state, severity grouping, SAST correlation, evidence table
- tools/mod.rs: 4 tests — registry completeness, schema validation, browser action enum
- models.rs: 4 tests — TestUserRecord serde, IdentityProvider variants, BSON roundtrip

Total: 326 tests (was 297)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

sharang added 1 commit 2026-03-17 20:21:07 +00:00

fix: update lz4_flex 0.11.5 → 0.11.6 (RUSTSEC-2026-0041) ... 681201ff45

Fixes high-severity advisory: decompressing invalid data can leak
uninitialized memory. Transitive dep via tantivy → compliance-graph.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

sharang merged commit c461faa2fb into main 2026-03-17 20:32:21 +00:00

sharang referenced this issue from a commit 2026-03-17 20:32:22 +00:00

feat: pentest onboarding — streaming, browser automation, reports, user cleanup (#16)

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

bug

critical

enhancement

high

infrastructure

performance

security

v0.3.0

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

sharang

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: sharang/compliance-scanner-agent#16