diff --git a/README.md b/README.md index 86873bd..dc454b9 100755 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -
-
+
@@ -24,12 +24,14 @@
>
> ๐ **New here? Read the [full Tutorial & User Guide โ](TUTORIAL.md)** โ every mode, flag, config and example explained.
-> ๐ **New in v3.5.3 โ Integrations:** connect **GitHub / GitLab** (clone private
-> repos, review a **Pull Request's** code, **watch** a branch and re-review on
-> every commit) and **Jira** (open a vulnerability **card per finding**). Toggle
-> them with **`/integrations`** in the REPL or `neurosploit integrations`. Full
-> setup in **[TUTORIAL-INTEGRATION.md](TUTORIAL-INTEGRATION.md)**.
-> *(v3.5.2 added the DEPTH doctrine + report-hygiene pass โ see [RELEASE.md](RELEASE.md).)*
+> ๐ **New in v3.5.4 โ Robust attack chaining + fewer false positives:** a
+> multi-round, decision-driven **post-exploitation** engine takes each confirmed
+> foothold and expands new directions (cred reuse, privesc, lateral movement,
+> exfil, new surface), carrying **loot** forward across rounds (`--chain-depth`).
+> Validation is now **severity-aware** (High/Critical need โฅ2 validators & โฅ2/3
+> agreement) with an **adversarial refute pass** that drops findings that can't
+> withstand a skeptic.
+> *(v3.5.3 added GitHub/GitLab/Jira **[integrations](TUTORIAL-INTEGRATION.md)**; v3.5.2 the DEPTH doctrine + report-hygiene pass โ see [RELEASE.md](RELEASE.md).)*
---
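Review bot: the new blurb names `--chain-depth` but gives neither its default nor how to switch chaining off. RELEASE.md in this same change states the default is 2 and that `0` disables it, so the behaviour described here (credential reuse, lateral movement, exfil from each confirmed foothold) is on for every engagement command unless the operator opts out. Suggest adding that to the blurb, e.g. "on by default at depth 2; `--chain-depth 0` disables", so someone reading only the README knows what an upgraded run will do against an in-scope target.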
diff --git a/RELEASE.md b/RELEASE.md
index e7f37df..16730f9 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -1,3 +1,65 @@
+# NeuroSploit v3.5.4 โ Release Notes
+
+**Release Date:** July 2026
+**Codename:** Robust Attack Chaining & False-Positive Reduction
+**License:** MIT
+**Credits:** Joas A Santos & Red Team Leaders
+
+---
+
+## TL;DR
+
+v3.5.4 makes NeuroSploit both **deeper** and **more precise**: a real multi-round
+**post-exploitation attack-chaining** engine that expands each foothold in new
+directions, plus stronger **false-positive** controls so what it reports is
+trustworthy.
+
+## Attack chaining (robust, decision-driven)
+
+Replaces the old single-shot chainer with **`attack_chain()`** โ an iterative,
+per-foothold pivot engine:
+
+- **Per-foothold decisions.** Each round takes the newest confirmed footholds
+ (best-first, capped per round) and, for **each one**, an agent decides which
+ directions to expand and proves new impact: **post-exploitation** (loot
+ creds/keys/config/source), **credential reuse**, **privilege escalation**
+ (horizontal & vertical), **lateral movement** to adjacent services/hosts,
+ **data exfiltration**, and **new attack surface** the foothold exposes.
+- **Loot carried forward.** Credentials/tokens/hosts/endpoints discovered in one
+ round are passed to later rounds and reused (agent returns
+ `{"findings":[...],"loot":[...]}`), so the engine genuinely pivots in new
+ directions instead of re-testing the same spot.
+- **No pivoting off false positives.** Each round's new findings are validated
+ before they become the next round's footholds.
+- **Convergence.** Runs up to `chain_depth` rounds **or** stops when a round finds
+ nothing new (loop-until-dry).
+- **Control.** New `RunConfig.chain_depth` (default **2**) and a `--chain-depth`
+ flag on every engagement command (`0` disables).
+
+## False-positive reduction
+
+- **Robust verdict parsing** (`pool::parse_verdict`) โ whitespace-insensitive,
+ checks explicit rejection first, counts only explicit confirmations; ambiguous
+ replies are *not* counted as confirmed. Replaces the fragile exact-JSON /
+ loose-`yes` matching.
+- **Severity-aware quorum** (`pool::quorum_confirmed`) โ **High/Critical now need
+ โฅ2 validators AND โฅ2/3 agreement** (a single vote can no longer confirm a
+ Critical); lower severities need a strict majority. Single-model panels fall
+ back to majority so they aren't nuked.
+- **Adversarial refute pass** โ every confirmed High/Critical is re-examined by a
+ skeptical panel that assumes false-positive; findings that can't withstand a
+ majority of skeptics are dropped.
+- **Stronger validator prompt** with an explicit false-positive checklist
+ (reflected-not-executed, version/banner guesses, self-XSS, error-as-injection,
+ thin evidence, inflated severity).
+
+## Notes
+
+- Additive and back-compatible; defaults keep behavior sensible if you change
+ nothing. Unit tests cover verdict parsing, quorum, and report-hygiene logic.
+
+---
+
# NeuroSploit v3.5.3 โ Release Notes
**Release Date:** June 2026
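Review bot: the "Severity-aware quorum" bullet contradicts itself: it says "a single vote can no longer confirm a Critical" and then that "Single-model panels fall back to majority", and with one validator a majority is one vote. Suggest rewording the guarantee to apply only to panels of two or more models, and stating how a Critical confirmed by a single-model panel is marked in the report so readers can tell it did not pass the ≥2 validators / ≥2/3 rule. Also, the Notes line lists unit tests for verdict parsing, quorum and report hygiene only; the chaining claims above (validation before a finding becomes a foothold, stop when a round finds nothing new, `chain_depth` of `0` disabling) are not listed as tested, and they are the ones that bound what the engine does on a target. Finally, "defaults keep behavior sensible if you change nothing" sits beside a new default of `chain_depth` 2, which changes what an existing command line does after upgrade; that deserves an explicit upgrade note.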
diff --git a/TUTORIAL.md b/TUTORIAL.md
index e7ca7ee..ed7df65 100644
--- a/TUTORIAL.md
+++ b/TUTORIAL.md
@@ -1,4 +1,4 @@
-# NeuroSploit โ Tutorial & User Guide (v3.5.3)
+# NeuroSploit โ Tutorial & User Guide (v3.5.4)
A complete, hands-on guide to installing, configuring and running NeuroSploit โ
the autonomous, multi-model penetration-testing harness.
@@ -98,7 +98,7 @@ Agents **degrade gracefully**: if `rustscan` is absent they use `nmap`; if neith
### Verify
```bash
-neurosploit --version # neurosploit 3.5.3
+neurosploit --version # neurosploit 3.5.4
neurosploit agents # {"vulns":196,...,"chains":12,"total":329}
neurosploit models # all providers & models
```
diff --git a/install.ps1 b/install.ps1
index 984b340..dde8d2e 100644
--- a/install.ps1
+++ b/install.ps1
@@ -11,7 +11,7 @@ function Ok ($m) { Write-Host " + $m" -ForegroundColor Green }
function Warn($m){ Write-Host " ! $m" -ForegroundColor Yellow }
Write-Host ""
-Write-Host " NeuroSploit installer (Windows) โ v3.5.3" -ForegroundColor Cyan
+Write-Host " NeuroSploit installer (Windows) โ v3.5.4" -ForegroundColor Cyan
$arch = $env:PROCESSOR_ARCHITECTURE
Say "Platform: Windows / $arch"
diff --git a/neurosploit-rs/Cargo.lock b/neurosploit-rs/Cargo.lock
index 52c74de..581f826 100644
--- a/neurosploit-rs/Cargo.lock
+++ b/neurosploit-rs/Cargo.lock
@@ -871,7 +871,7 @@ dependencies = [
[[package]]
name = "neurosploit"
-version = "3.5.3"
+version = "3.5.4"
dependencies = [
"anyhow",
"clap",
@@ -888,7 +888,7 @@ dependencies = [
[[package]]
name = "neurosploit-harness"
-version = "3.5.3"
+version = "3.5.4"
dependencies = [
"anyhow",
"futures",
diff --git a/neurosploit-rs/Cargo.toml b/neurosploit-rs/Cargo.toml
index 13bb0ae..f94ca56 100644
--- a/neurosploit-rs/Cargo.toml
+++ b/neurosploit-rs/Cargo.toml
@@ -3,7 +3,7 @@ members = ["crates/harness", "app"]
resolver = "2"
[workspace.package]
-version = "3.5.3"
+version = "3.5.4"
edition = "2021"
license = "MIT"
repository = "https://github.com/JoasASantos/NeuroSploit"
diff --git a/neurosploit-rs/app/src/main.rs b/neurosploit-rs/app/src/main.rs
index 1ce102f..c23b2a4 100644
--- a/neurosploit-rs/app/src/main.rs
+++ b/neurosploit-rs/app/src/main.rs
@@ -1,4 +1,4 @@
-//! NeuroSploit v3.5.3 โ interactive harness + CLI (`run` / `whitebox` / `agents` / `models`).
+//! NeuroSploit v3.5.4 โ interactive harness + CLI (`run` / `whitebox` / `agents` / `models`).
mod repl;
mod tui;
@@ -11,8 +11,8 @@ use std::path::{Path, PathBuf};
#[command(
name = "neurosploit",
version,
- about = "NeuroSploit v3.5.3 โ multi-model autonomous pentest harness",
- long_about = "NeuroSploit v3.5.3 โ a Rust multi-model harness that drives a pool of LLMs \
+ about = "NeuroSploit v3.5.4 โ multi-model autonomous pentest harness",
+ long_about = "NeuroSploit v3.5.4 โ a Rust multi-model harness that drives a pool of LLMs \
(API key or local subscription: Claude/Codex/Gemini/Grok) to autonomously test a target. \
After recon it INTELLIGENTLY selects only the agents matching the discovered surface, runs \
them in parallel, then validates every finding by cross-model voting before reporting.\n\n\
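Review bot: `about` and `long_about` hard-code `v3.5.4` although the bare `version,` attribute two lines up already takes the version from the package metadata, so these strings have to be edited by hand on every release and can drift from what `--version` prints. Suggest building them from `env!("CARGO_PKG_VERSION")` (for example via `concat!`), and doing the same for the banner `println!` in `spawn_engagement` and the REPL banner, so a release only touches `Cargo.toml`.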
@@ -534,7 +534,7 @@ pub(crate) fn spawn_engagement(base: &Path, mut cfg: RunConfig, mcp: bool, mode:
cfg.rl_path = Some(base.join("data").join("rl_state_rs.json").display().to_string());
write_status(&workdir, "running", &format!("\"target\":{:?}", cfg.target));
- println!(" โโ NeuroSploit v3.5.3 ยท by Joas A Santos & Red Team Leaders");
+ println!(" โโ NeuroSploit v3.5.4 ยท by Joas A Santos & Red Team Leaders");
println!(" โ run id : {run_id}");
println!(" โ target : {}", cfg.target);
println!(" โ models : {}", cfg.models.join(", "));
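Review bot: the unchanged context line `write_status(&workdir, "running", &format!("\"target\":{:?}", cfg.target))` just above the edited banner appears to assemble a JSON fragment using Rust's `{:?}` Debug formatting, which is not JSON escaping (Debug can emit `\u{...}` sequences that JSON parsers reject). This is not introduced by the change, but `cfg.target` is operator-supplied, so a target string with unusual characters could leave the status output malformed for whatever consumes it. Suggest serialising the value with a JSON encoder instead of `{:?}` while this function is being touched.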
diff --git a/neurosploit-rs/app/src/repl.rs b/neurosploit-rs/app/src/repl.rs
index c5662a1..8db9e51 100644
--- a/neurosploit-rs/app/src/repl.rs
+++ b/neurosploit-rs/app/src/repl.rs
@@ -1,4 +1,4 @@
-//! NeuroSploit v3.5.3 โ interactive session (Claude-Code / Codex / Cursor-CLI style).
+//! NeuroSploit v3.5.4 โ interactive session (Claude-Code / Codex / Cursor-CLI style).
//!
//! Launched when `neurosploit` runs with no subcommand. A persistent REPL with
//! real line editing (arrow-key history recall, Ctrl-A/E/K, paste), model
@@ -299,7 +299,7 @@ pub async fn repl(base: &Path) -> anyhow::Result<()> {
let backends = harness::installed_cli_backends();
println!("\x1b[1m");
println!(" โโโโ โโโโโโโโโโโโโโ โโโโโโโโโโ โโโโโโโ");
- println!(" โโโโโ โโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโ NeuroSploit v3.5.3");
+ println!(" โโโโโ โโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโ NeuroSploit v3.5.4");
println!(" โโโโโโ โโโโโโโโโ โโโ โโโโโโโโโโโโโโ โโโ interactive harness");
println!(" โโโโโโโโโโโโโโโโ โโโ โโโโโโโโโโโโโโ โโโ by Joas A Santos");
println!(" โโโ โโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโ & Red Team Leaders");
diff --git a/neurosploit-rs/app/src/tui.rs b/neurosploit-rs/app/src/tui.rs
index 19828df..1b4b36d 100644
--- a/neurosploit-rs/app/src/tui.rs
+++ b/neurosploit-rs/app/src/tui.rs
@@ -1,4 +1,4 @@
-//! NeuroSploit v3.5.3 โ TUI "Mission Control" mode.
+//! NeuroSploit v3.5.4 โ TUI "Mission Control" mode.
//!
//! Concurrent panels that update live while the engagement runs in the
//! background, with a composer input that stays active during execution:
diff --git a/neurosploit-rs/crates/harness/src/belief.rs b/neurosploit-rs/crates/harness/src/belief.rs
index 4ed9b1f..1a4ef9b 100644
--- a/neurosploit-rs/crates/harness/src/belief.rs
+++ b/neurosploit-rs/crates/harness/src/belief.rs
@@ -1,4 +1,4 @@
-//! POMDP belief-state world model (v3.5.3).
+//! POMDP belief-state world model (v3.5.4).
//!
//! The target is only partially observable, so we don't track booleans โ we
//! track a **belief**: a property graph whose nodes (host / service / vuln /
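Review bot: the only edit to this file is the `(v3.5.4)` tag in the module doc comment, and the same one-token bump repeats in `grounding.rs`, `pomdp.rs`, `lib.rs`, `tui.rs` and `repl.rs`. Nothing in these hunks shows the belief, grounding or POMDP code changing in this release, so the tag now suggests a revision that did not happen and adds noise to `git blame` on security-relevant modules. Suggest dropping the version from module-level doc comments, or wording it as "introduced in" with the version where the module was actually added.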
diff --git a/neurosploit-rs/crates/harness/src/grounding.rs b/neurosploit-rs/crates/harness/src/grounding.rs
index 4a3bd32..6b679b3 100644
--- a/neurosploit-rs/crates/harness/src/grounding.rs
+++ b/neurosploit-rs/crates/harness/src/grounding.rs
@@ -1,4 +1,4 @@
-//! Verification / grounding engine (v3.5.3).
+//! Verification / grounding engine (v3.5.4).
//!
//! Hard rule: **no claim enters the world model without a tool receipt** โ raw
//! tool output, not the LLM's paraphrase. This is the empirical anti-hallucination
diff --git a/neurosploit-rs/crates/harness/src/lib.rs b/neurosploit-rs/crates/harness/src/lib.rs
index 01a3a7c..9734231 100644
--- a/neurosploit-rs/crates/harness/src/lib.rs
+++ b/neurosploit-rs/crates/harness/src/lib.rs
@@ -1,4 +1,4 @@
-//! NeuroSploit v3.5.3 harness โ a robust multi-model runtime for the
+//! NeuroSploit v3.5.4 harness โ a robust multi-model runtime for the
//! markdown-driven autonomous pentest engine.
//!
//! The harness loads the `agents_md/` library, drives a *pool* of LLM models
diff --git a/neurosploit-rs/crates/harness/src/pomdp.rs b/neurosploit-rs/crates/harness/src/pomdp.rs
index b94a78f..544f9a6 100644
--- a/neurosploit-rs/crates/harness/src/pomdp.rs
+++ b/neurosploit-rs/crates/harness/src/pomdp.rs
@@ -1,4 +1,4 @@
-//! POMDP decision layer (v3.5.3): value-of-information planning + the
+//! POMDP decision layer (v3.5.4): value-of-information planning + the
//! anti-hallucination gate.
//!
//! The choice "scan more vs exploit now" is **not** a heuristic here โ it falls
diff --git a/neurosploit-rs/crates/harness/src/report.rs b/neurosploit-rs/crates/harness/src/report.rs
index e9ea22e..b6e62b7 100644
--- a/neurosploit-rs/crates/harness/src/report.rs
+++ b/neurosploit-rs/crates/harness/src/report.rs
@@ -97,9 +97,9 @@ pub fn html(target: &str, findings: &[Finding]) -> String {
h4{{margin:12px 0 3px;font-size:12px;text-transform:uppercase;letter-spacing:.5px;color:#8b5cf6}}\
.b{{color:#8b5cf6;font-weight:800}}