pentest-ai

End-to-end testing surfaced 16 bugs across the CLI, MCP server, and agent layer. This release fixes all of them, plus adds 4 new specialist agents and exposes 8 previously-internal agents as MCP tools.

Highlights

• HTML and PDF reports work for everyone now. The pip wheel was missing agents/report/templates/report.html.j2, the LLM redteam corpus, the built-in playbooks, and the default config. Templates ship correctly in 0.10.3.
• No more hard exit when no LLM key is set. Customers using ptai through Claude Code MCP don't need their own API key (Claude Code provides the AI). The CLI now greets first-time users with a setup prompt: Anthropic key, OpenAI key, Ollama, or skip. Choice persists.
• Agents fall back to deterministic mode when the LLM is unreachable instead of returning silent zero-finding results.
• Recon results are bounded. A scan against example.com previously produced 27,680 cert-transparency-derived findings. Now capped at 200 per phase by default, configurable via PENTEST_AI_MAX_FINDINGS_* env vars.
• Stale 'running' engagements get reconciled to 'interrupted' the next time you run ptai start, so ptai list stops accumulating dead rows.
• 8 new MCP tools exposing agents that previously had no MCP surface: test_api_security, test_credentials, test_vulnerabilities, test_privesc, test_mobile, test_wireless, test_social_engineering, browser_inspect. Total MCP tools: 33 → 41.

Full bug list

See CHANGELOG.md for the complete list of 16 fixes shipped in this release.

Install

```bash
pip install ptai==0.10.3
```

Wire into Claude Code:

```bash
claude mcp add pentest-ai -- ptai mcp
```

Tests

655 unit + integration tests pass (was 651). Added 4 new integration tests against a real SQLite database to catch schema-drift regressions in the engagement reconciler.