Clone and adapt pentagi

[DevOpsMadDog]

Clones and adapts Pentagi into an enterprise micro pen testing service to provide rapid, focused security testing for microservices.

---

 

---

Summary by cubic

Integrated Pentagi into FixOps with an enterprise micro pen testing service and an upgraded pentest pipeline. Adds new APIs, exploit capabilities, continuous validation, and a Risk Graph action.

• New Features

  • MicroPenTestService with quick/standard/deep profiles; REST API at /api/v1/micro-pentest; batch runs with concurrency and structured logging.
  • Enhanced Pentagi router at /api/v1/pentagi with request/batch/results, exploit generation, and continuous validation engines.
  • Risk Graph: multi-select CVEs and “Run Micro Pen Tests” action with progress UI.
  • Evidence signing/verification and KEV waiver policy endpoints; new crypto utilities.

• Migration

  • Routers auto-registered; pentagi router upgraded.
  • All endpoints require Bearer token.
  • No database setup required (in-memory defaults).

^{Written for commit 2f1aaf1. Summary will update automatically on new commits.}

[cursor]

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
_{Learn more about Cursor Agents}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Frontend calls non-existent micro-pentest run/status APIs

The new microPentest helpers issue requests to /micro-pentest/run, /micro-pentest/status/{id}, and /micro-pentest/batch, but the backend router only defines /micro-pentest/requests, /requests/{id}/execute, and /batches (see fixops-enterprise/src/api/v1/micro_pentest.py around lines 53–143). Any attempt to launch a micro penetration test from the UI will therefore 404 and never start, leaving the new Risk Graph “Run Micro Pen Tests” action non-functional.

Useful? React with 👍 / 👎.

[cubic-dev-ai]

38 issues found across 166 files

Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.

Prompt for AI agents (all 38 issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="cli/fixops_sbom.py">

<violation number="1" location="cli/fixops_sbom.py:116">
P2: Misleading error message: After the explicit `path.exists()` check, a `FileNotFoundError` would likely come from writing output files, not from `normalized_path`. Consider removing this handler (since it&#39;s unreachable for the input file) or updating the message to reflect output file issues.</violation>
</file>

<file name="fixops-enterprise/src/db/session.py">

<violation number="1" location="fixops-enterprise/src/db/session.py:39">
P1: Missing `yield` statement in `@asynccontextmanager` decorated function. The `@asynccontextmanager` decorator requires an async generator function, but this function raises without yielding. This will cause a `TypeError` at runtime when attempting to use it as a context manager. Add an unreachable `yield` after the `raise` to make this a valid async generator.</violation>
</file>

<file name="core/continuous_validation.py">

<violation number="1" location="core/continuous_validation.py:120">
P1: Background tasks created with `asyncio.create_task()` should be stored to prevent garbage collection. Without keeping references, tasks may silently disappear mid-execution.</violation>

<violation number="2" location="core/continuous_validation.py:420">
P0: Missing `import json` - this will cause a `NameError` at runtime when `json.loads(response)` is called.</violation>
</file>

<file name="PENTAGI_INTEGRATION_COMPLETE.md">

<violation number="1" location="PENTAGI_INTEGRATION_COMPLETE.md:15">
P2: Incorrect year in completion date. The document says &#39;December 8, 2024&#39; but the current date is December 9, 2025. Should be &#39;2025&#39; to reflect the actual completion time.</violation>
</file>

<file name="agents/AGENT_SYSTEM_ARCHITECTURE.md">

<violation number="1" location="agents/AGENT_SYSTEM_ARCHITECTURE.md:381">
P2: Documentation inconsistency: This line claims production agents exist for JavaScript, Java, and Go, but the IMPLEMENTATION STATUS section in this same document lists these as &#39;⚠️ TO BUILD&#39;. Either update the implementation status or correct this claim to avoid misleading readers.</violation>

<violation number="2" location="agents/AGENT_SYSTEM_ARCHITECTURE.md:402">
P2: Documentation inconsistency: Same issue as the benefits section - claims Python, JavaScript, Java, and Go support but only Python is marked as completed in the IMPLEMENTATION STATUS section.</violation>
</file>

<file name="compliance/templates/soc2.py">

<violation number="1" location="compliance/templates/soc2.py:3">
P1: Missing imports for type hints. `List`, `Dict`, and `Any` from `typing` module are used in method signatures but not imported, causing `NameError` at runtime.</violation>
</file>

<file name="fixops-enterprise/src/api/v1/pentagi.py">

<violation number="1" location="fixops-enterprise/src/api/v1/pentagi.py:7">
P3: Unused import `Query` from fastapi. This import is not used anywhere in the file and should be removed.</violation>
</file>

<file name="PENTAGI_IMPROVEMENTS_SUMMARY.md">

<violation number="1" location="PENTAGI_IMPROVEMENTS_SUMMARY.md:100">
P2: Risk scoring formula has operator precedence issue. Due to multiplication precedence, only `business_impact * 0.2` is multiplied by 10, not the entire sum. This will mislead developers understanding or implementing the algorithm. Consider adding parentheses: `((exploitability * 0.4) + (impact * 0.4) + (business_impact * 0.2)) * 10`</violation>
</file>

<file name="fixops-enterprise/src/models/waivers.py">

<violation number="1" location="fixops-enterprise/src/models/waivers.py:31">
P2: `updated_at` field has `default` but missing `onupdate` parameter. The timestamp won&#39;t automatically update when the record is modified. Consider adding `onupdate=lambda: datetime.now(timezone.utc)` for proper audit tracking.</violation>

<violation number="2" location="fixops-enterprise/src/models/waivers.py:31">
P2: Timezone mismatch: `DateTime(timezone=False)` expects naive datetimes, but `datetime.now(timezone.utc)` returns timezone-aware datetimes. Use `datetime.utcnow()` for naive UTC or change to `DateTime(timezone=True)` for timezone-aware storage.</violation>
</file>

<file name="fixops-enterprise/src/models/security_sqlite.py">

<violation number="1" location="fixops-enterprise/src/models/security_sqlite.py:14">
P1: Model uses legacy `Column()` syntax but inherits from a `MappedAsDataclass` base. This is incompatible and will cause runtime errors. Use `mapped_column()` with `Mapped` type annotations instead.

Example fix:
```python
from sqlalchemy.orm import Mapped, mapped_column

class SecurityEvent(Base):
    __tablename__ = &quot;security_events&quot;
    id: Mapped[int] = mapped_column(primary_key=True, init=False)
    service_name: Mapped[str | None] = mapped_column(String(255), default=None)
    ...
```</violation>
</file>

<file name="core/automated_remediation.py">

<violation number="1" location="core/automated_remediation.py:4">
P0: Missing `import json` at module level. The code uses `json.dumps()` and `json.loads()` in several methods but `json` is only imported locally inside `_call_llm`. This will cause a `NameError` at runtime when `_get_architect_remediation` or similar methods are called.</violation>
</file>

<file name=".devin/wiki.json">

<violation number="1" location=".devin/wiki.json:9">
P2: Parent reference mismatch: child pages reference `&quot;parent&quot;: &quot;Overview&quot;` but the actual page title is `&quot;Overview:&quot;` (with colon). This inconsistency may break the wiki hierarchy if the system uses exact string matching.</violation>
</file>

<file name="fixops-enterprise/src/api/v1/__init__.py">

<violation number="1" location="fixops-enterprise/src/api/v1/__init__.py:14">
P2: Inconsistent router prefix pattern: `micro_pentest.router` is included without a `prefix` argument while all other routers in this file have their prefix specified here. The micro_pentest module defines its prefix internally, which breaks the pattern used by the other routers and makes the API route structure harder to understand from this file. Consider either:
1. Adding `prefix=&quot;/micro-pentest&quot;` here and removing it from micro_pentest.py, or
2. Documenting this intentional deviation with a comment.</violation>
</file>

<file name="apps/api/pentagi_router_enhanced.py">

<violation number="1" location="apps/api/pentagi_router_enhanced.py:30">
P2: Global `_pentagi_service` is modified without thread safety. In concurrent environments, this could cause race conditions where one request resets the service while another is using it. Consider using a lock or a proper dependency injection pattern.</violation>

<violation number="2" location="apps/api/pentagi_router_enhanced.py:517">
P2: Loading up to 20,000 records into memory for statistics computation is inefficient. Consider using database-level aggregation queries (COUNT with GROUP BY) instead of fetching all records and processing in Python.</violation>
</file>

<file name="fixops-enterprise/src/api/v1/cicd.py">

<violation number="1" location="fixops-enterprise/src/api/v1/cicd.py:61">
P1: Missing authentication dependency. Unlike all other endpoints in this file that use `Depends(authenticated_payload)`, this endpoint allows unauthenticated access. Add the authentication dependency to maintain consistent security.</violation>
</file>

<file name="apps/pentagi_integration.py">

<violation number="1" location="apps/pentagi_integration.py:10">
P1: Unused import `User` from `core.auth_models`. The PR description states &#39;All endpoints require Bearer token&#39; but no authentication is implemented on any endpoint. All routes are publicly accessible. Add authentication dependency to protect sensitive penetration testing operations.</violation>

<violation number="2" location="apps/pentagi_integration.py:348">
P1: The `generator.generated_exploits` cache lookup will always fail because `get_exploit_generator()` creates a new `IntelligentExploitGenerator` instance per request. The cache is instance-scoped and doesn&#39;t persist between requests. Consider using a singleton pattern or external storage.</violation>

<violation number="3" location="apps/pentagi_integration.py:402">
P1: Same stateless dependency issue: `get_validation_engine()` creates a new instance per request, so `engine.active_jobs` and `engine.completed_jobs` are always empty. Jobs created via `/validation/trigger` cannot be retrieved via `/validation/job/{job_id}`. Consider using a singleton pattern or persisting jobs to a database.</violation>

<violation number="4" location="apps/pentagi_integration.py:512">
P2: Raw exception message is exposed in API response. This could leak sensitive internal information (file paths, configuration details, etc.). Return a generic error message instead and keep detailed errors in server logs only.</violation>
</file>

<file name="agents/language/python_agent.py">

<violation number="1" location="agents/language/python_agent.py:113">
P2: Bandit&#39;s `issue_severity` values (&quot;LOW&quot;, &quot;MEDIUM&quot;, &quot;HIGH&quot;) are not valid SARIF levels. SARIF 2.1.0 requires `level` to be one of: &quot;none&quot;, &quot;note&quot;, &quot;warning&quot;, or &quot;error&quot;. Consider mapping Bandit severities to valid SARIF levels (e.g., LOW→&quot;note&quot;, MEDIUM→&quot;warning&quot;, HIGH→&quot;error&quot;).</violation>
</file>

<file name="core/pentagi_advanced.py">

<violation number="1" location="core/pentagi_advanced.py:6">
P3: Unused import `time`. The module is imported but never used in this file.</violation>

<violation number="2" location="core/pentagi_advanced.py:13">
P3: Unused import `requests`. The module is imported but never used - the code uses `aiohttp` for HTTP requests instead.</violation>
</file>

<file name="fixops-enterprise/src/api/v1/policy.py">

<violation number="1" location="fixops-enterprise/src/api/v1/policy.py:15">
P2: The `policy` router is defined but not registered in the API. The module is not imported in `__init__.py` and its router is not included via `router.include_router()`. The endpoints `create_waiver` and `evaluate_gate` won&#39;t be accessible via HTTP.</violation>

<violation number="2" location="fixops-enterprise/src/api/v1/policy.py:94">
P3: Redundant operation: when `value.tzinfo is None`, calling `value.replace(tzinfo=None)` is a no-op. Should simply `return value`.</violation>
</file>

<file name="core/exploit_generator.py">

<violation number="1" location="core/exploit_generator.py:58">
P2: `datetime.utcnow()` is deprecated since Python 3.12. Use `datetime.now(timezone.utc)` instead for forward compatibility. This requires importing `timezone` from `datetime`.</violation>

<violation number="2" location="core/exploit_generator.py:277">
P1: Potential `IndexError` if `vulnerabilities` list is empty. When iterating through stages, the fallback `vulnerabilities[0]` will fail for an empty list. Add a guard clause at the beginning of the method.</violation>
</file>

<file name="MICRO_PENTEST_INTEGRATION.md">

<violation number="1" location="MICRO_PENTEST_INTEGRATION.md:152">
P2: Using `example.com` as a default target URL for penetration tests is problematic. If no target URLs are provided, the system should reject the request with an error rather than defaulting to any external URL. Running security tests against unspecified targets could lead to unauthorized testing.</violation>
</file>

<file name="fixops-enterprise/src/api/v1/micro_pentest.py">

<violation number="1" location="fixops-enterprise/src/api/v1/micro_pentest.py:70">
P2: Invalid `status` query parameter values will cause an unhandled `ValueError` resulting in a 500 error. Wrap the enum conversion in a try/except to return a proper 400 validation error.</violation>

<violation number="2" location="fixops-enterprise/src/api/v1/micro_pentest.py:170">
P2: Exposing raw exception messages to API consumers could leak internal implementation details. Return a generic error message and log the full exception details server-side.</violation>

<violation number="3" location="fixops-enterprise/src/api/v1/micro_pentest.py:225">
P2: Exposing raw exception messages to API consumers could leak internal implementation details. Return a generic error message and log the full exception details server-side.</violation>

<violation number="4" location="fixops-enterprise/src/api/v1/micro_pentest.py:246">
P2: Invalid `severity` query parameter values will cause an unhandled `ValueError` resulting in a 500 error. Wrap the enum conversion in a try/except to return a proper 400 validation error.</violation>
</file>

<file name="docs/PENTAGI_INTEGRATION_GUIDE.md">

<violation number="1" location="docs/PENTAGI_INTEGRATION_GUIDE.md:66">
P2: API endpoint path is incorrect. The actual API uses `/api/v1/pentagi/configs` (with `/api/v1` prefix and plural `configs`), not `/pentagi/config`. This will cause users following the documentation to get 404 errors.</violation>

<violation number="2" location="docs/PENTAGI_INTEGRATION_GUIDE.md:482">
P2: API endpoint `/pentagi/pentest` doesn&#39;t exist. The actual endpoint for creating a pentest request is `POST /api/v1/pentagi/requests`. This will mislead users.</violation>
</file>

<file name="core/configuration.py">

<violation number="1" location="core/configuration.py:1366">
P1: Configuration fields are added to `base` dictionary but not passed to `OverlayConfig` constructor. The new fields (`analysis_engines`, `oss_tools_config_path`, `fallback`, `decision_tree`) will always use default values because they&#39;re never passed when instantiating `OverlayConfig`. Add these fields to the constructor call around line 1475.</violation>
</file>

_{Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR}

[cubic-dev-ai]

P2: Misleading error message: After the explicit path.exists() check, a FileNotFoundError would likely come from writing output files, not from normalized_path. Consider removing this handler (since it's unreachable for the input file) or updating the message to reflect output file issues.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At cli/fixops_sbom.py, line 116:

<comment>Misleading error message: After the explicit `path.exists()` check, a `FileNotFoundError` would likely come from writing output files, not from `normalized_path`. Consider removing this handler (since it&#39;s unreachable for the input file) or updating the message to reflect output file issues.</comment>

<file context>
@@ -72,20 +73,57 @@ def build_parser() -&gt; argparse.ArgumentParser:
+        build_and_write_quality_outputs(normalized, json_path, html_path)
+        print(f&quot;Wrote quality report to {json_path} and HTML to {html_path}&quot;)
+        return 0
+    except FileNotFoundError:
+        print(f&quot;Error: File not found: {normalized_path}&quot;, file=sys.stderr)
+        return 1
</file context>

[cubic-dev-ai]

P1: Missing yield statement in @asynccontextmanager decorated function. The @asynccontextmanager decorator requires an async generator function, but this function raises without yielding. This will cause a TypeError at runtime when attempting to use it as a context manager. Add an unreachable yield after the raise to make this a valid async generator.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At fixops-enterprise/src/db/session.py, line 39:

<comment>Missing `yield` statement in `@asynccontextmanager` decorated function. The `@asynccontextmanager` decorator requires an async generator function, but this function raises without yielding. This will cause a `TypeError` at runtime when attempting to use it as a context manager. Add an unreachable `yield` after the `raise` to make this a valid async generator.</comment>

<file context>
@@ -0,0 +1,50 @@
+    async def get_session_context(cls) -&gt; AsyncGenerator[AsyncSession, None]:
+        &quot;&quot;&quot;Provide an async session context; raises unless user overrides.&quot;&quot;&quot;
+
+        raise RuntimeError(
+            &quot;Database access is not configured in this profile. &quot;
+            &quot;Override DatabaseManager.get_session_context during tests or &quot;
</file context>

[cubic-dev-ai]

P1: Background tasks created with asyncio.create_task() should be stored to prevent garbage collection. Without keeping references, tasks may silently disappear mid-execution.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At core/continuous_validation.py, line 120:

<comment>Background tasks created with `asyncio.create_task()` should be stored to prevent garbage collection. Without keeping references, tasks may silently disappear mid-execution.</comment>

<file context>
@@ -0,0 +1,472 @@
+        self.running = True
+
+        # Start background tasks
+        asyncio.create_task(self._process_validation_queue())
+        asyncio.create_task(self._scheduled_validation_loop())
+        asyncio.create_task(self._posture_assessment_loop())
</file context>

[cubic-dev-ai]

P0: Missing import json - this will cause a NameError at runtime when json.loads(response) is called.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At core/continuous_validation.py, line 420:

<comment>Missing `import json` - this will cause a `NameError` at runtime when `json.loads(response)` is called.</comment>

<file context>
@@ -0,0 +1,472 @@
+        try:
+            # Use Gemini (architect role) for strategic recommendations
+            response = await self.orchestrator._call_llm(&quot;gemini&quot;, prompt)
+            recommendations = json.loads(response)
+            return recommendations if isinstance(recommendations, list) else []
+        except Exception as e:
</file context>

[cubic-dev-ai]

P2: Incorrect year in completion date. The document says 'December 8, 2024' but the current date is December 9, 2025. Should be '2025' to reflect the actual completion time.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At PENTAGI_INTEGRATION_COMPLETE.md, line 15:

<comment>Incorrect year in completion date. The document says &#39;December 8, 2024&#39; but the current date is December 9, 2025. Should be &#39;2025&#39; to reflect the actual completion time.</comment>

<file context>
@@ -0,0 +1,496 @@
+
+**Status**: ✅ **COMPLETE &amp; PRODUCTION READY**
+
+**Completion Date**: December 8, 2024
+
+---
</file context>

[cubic-dev-ai]

P2: Invalid severity query parameter values will cause an unhandled ValueError resulting in a 500 error. Wrap the enum conversion in a try/except to return a proper 400 validation error.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At fixops-enterprise/src/api/v1/micro_pentest.py, line 246:

<comment>Invalid `severity` query parameter values will cause an unhandled `ValueError` resulting in a 500 error. Wrap the enum conversion in a try/except to return a proper 400 validation error.</comment>

<file context>
@@ -0,0 +1,317 @@
+    )
+
+    service = get_micro_pentest_service()
+    severity_enum = MicroPenTestSeverity(severity) if severity else None
+
+    results = await service.list_results(
</file context>

[cubic-dev-ai]

P2: Invalid status query parameter values will cause an unhandled ValueError resulting in a 500 error. Wrap the enum conversion in a try/except to return a proper 400 validation error.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At fixops-enterprise/src/api/v1/micro_pentest.py, line 70:

<comment>Invalid `status` query parameter values will cause an unhandled `ValueError` resulting in a 500 error. Wrap the enum conversion in a try/except to return a proper 400 validation error.</comment>

<file context>
@@ -0,0 +1,317 @@
+    )
+
+    service = get_micro_pentest_service()
+    status_enum = MicroPenTestStatus(status) if status else None
+
+    requests = await service.list_requests(
</file context>

[cubic-dev-ai]

P2: API endpoint /pentagi/pentest doesn't exist. The actual endpoint for creating a pentest request is POST /api/v1/pentagi/requests. This will mislead users.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At docs/PENTAGI_INTEGRATION_GUIDE.md, line 482:

<comment>API endpoint `/pentagi/pentest` doesn&#39;t exist. The actual endpoint for creating a pentest request is `POST /api/v1/pentagi/requests`. This will mislead users.</comment>

<file context>
@@ -0,0 +1,895 @@
+Execute a standard penetration test.
+
+```bash
+curl -X POST http://localhost:8000/pentagi/pentest \
+  -H &quot;X-API-Key: $FIXOPS_API_TOKEN&quot; \
+  -d &#39;{
</file context>

[cubic-dev-ai]

P2: API endpoint path is incorrect. The actual API uses /api/v1/pentagi/configs (with /api/v1 prefix and plural configs), not /pentagi/config. This will cause users following the documentation to get 404 errors.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At docs/PENTAGI_INTEGRATION_GUIDE.md, line 66:

<comment>API endpoint path is incorrect. The actual API uses `/api/v1/pentagi/configs` (with `/api/v1` prefix and plural `configs`), not `/pentagi/config`. This will cause users following the documentation to get 404 errors.</comment>

<file context>
@@ -0,0 +1,895 @@
+3. Create a PentAGI configuration:
+
+```bash
+curl -X POST http://localhost:8000/pentagi/config \
+  -H &quot;X-API-Key: $FIXOPS_API_TOKEN&quot; \
+  -H &quot;Content-Type: application/json&quot; \
</file context>

[cubic-dev-ai]

P1: Configuration fields are added to base dictionary but not passed to OverlayConfig constructor. The new fields (analysis_engines, oss_tools_config_path, fallback, decision_tree) will always use default values because they're never passed when instantiating OverlayConfig. Add these fields to the constructor call around line 1475.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At core/configuration.py, line 1366:

<comment>Configuration fields are added to `base` dictionary but not passed to `OverlayConfig` constructor. The new fields (`analysis_engines`, `oss_tools_config_path`, `fallback`, `decision_tree`) will always use default values because they&#39;re never passed when instantiating `OverlayConfig`. Add these fields to the constructor call around line 1475.</comment>

<file context>
@@ -1353,6 +1363,9 @@ def load_overlay(
         &quot;enhanced_decision&quot;: document.enhanced_decision or {},
         &quot;decision_tree&quot;: document.decision_tree or {},
         &quot;telemetry_bridge&quot;: document.telemetry_bridge or {},
+        &quot;analysis_engines&quot;: document.analysis_engines or {},
+        &quot;oss_tools_config_path&quot;: document.oss_tools_config_path,
+        &quot;fallback&quot;: document.fallback or {},
</file context>

[devin-ai-integration]

Closing as part of PR consolidation. Useful changes have been cherry-picked into PR #240.