pentest-ai

v0.16.1 Bugfix

This release fixes issues for SREs watching stability and regressions.

✓ No known CVEs patched

Topics

ai-security bug-bounty claude ctf security exploit
exploit-chaining hacking-tools mcp model-context-protocol nmap offensive-security osint penetration-testing pentest-ai pentesting python vulnerability-scanning

Affected surfaces

auth

Summary

AI summary

CLI agent-mode now honors PENTEST_AI_LLM_PROVIDER, fixing silent exit when using non-Anthropic providers.

Changes in this release

Bugfix Medium

CLI agent-mode now honors PENTEST_AI_LLM_PROVIDER configuration.

Source: llm_adapter@2026-05-26

Confidence: low

Bugfix Medium

Fixed silent-exit bug when LLM provider initialization failed in agent-mode.

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Full changelog

Patch release closing the silent-exit bug in CLI agent-mode that issue #12 reporters kept hitting. The 0.16.0 release had an earlier attempt at this fix (read the canonical OLLAMA_HOST env var instead of OLLAMA_BASE_URL); that change was correct but solved an adjacent bug, not the one users were experiencing.

Fixed

  • CLI agent-mode now actually honors PENTEST_AI_LLM_PROVIDER (cli/main.py, engine/agents/anthropic_agent.py, engine/llm/factory.py). The previous ptai start flow hardcoded AsyncAnthropic() regardless of which provider the user configured. Users who set OPENAI_API_KEY or OLLAMA_HOST (or both) saw agent_mode: NNN action handlers registered, then a spinner, then a silent exit — because the first Anthropic call failed under the spinner and the agent's exception handler returned a clean finish action. The CLI now constructs the LLM client via engine.llm.factory.create_llm_client(), which routes correctly through every supported provider:

    # OpenAI
    export OPENAI_API_KEY=sk-...
    ptai start http://target
    
    # Local Ollama (configurable via OLLAMA_HOST)
    export PENTEST_AI_LLM_PROVIDER=ollama
    ptai start http://target
    
    # No LLM, deterministic tools only
    ptai start http://target --no-llm
    

    Three sub-changes:

    • cli/main.py replaces AsyncAnthropic() with create_llm_client().
    • engine/agents/anthropic_agent.py duck-types the client. If it exposes .complete() (the unified LLMClient from the factory), use that; otherwise fall back to the legacy client.messages.create() path so existing test fixtures keep working.
    • engine/llm/factory.py auto-detects provider from whichever API key is set when PENTEST_AI_LLM_PROVIDER isn't explicit. ANTHROPIC_API_KEY set → anthropic, OPENAI_API_KEY set → openai, neither set → openai default. Closes the "I set OPENAI_API_KEY in good faith, why is it routing to Anthropic" foot-gun.

    Verified end-to-end against a live local Ollama running qwen2.5-coder:7b: factory routes to OllamaProvider, the unified LLMClient.complete() round-trips successfully, AnthropicAgent.decide_next_action returns a real Action instead of the silent finish-on-failure. Closes the silent-exit class for the issue #12 reporters.
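A minimal sketch of the provider resolution order and the duck-typed client dispatch described above. This is an added example, not pentest-ai's own code: the function and class names, the call signatures of `.complete()` and `.messages.create()`, the precedence when both API keys are set, and the `error` field on the finish action are all assumptions.

```python
import asyncio

def resolve_provider(env):
    """Pick a provider name from an environment mapping (hypothetical helper)."""
    explicit = (env.get("PENTEST_AI_LLM_PROVIDER") or "").strip().lower()
    if explicit:
        return explicit          # an explicit setting always wins
    if env.get("ANTHROPIC_API_KEY"):
        return "anthropic"       # assumption: checked first when both keys exist
    return "openai"              # OPENAI_API_KEY set, or neither set (default)

class UnifiedStub:
    """Constructed stand-in for a unified client exposing .complete()."""
    async def complete(self, prompt):
        return f"unified:{prompt}"

class LegacyStub:
    """Constructed stand-in for a legacy client exposing .messages.create()."""
    class _Messages:
        async def create(self, prompt):
            return f"legacy:{prompt}"
    def __init__(self):
        self.messages = self._Messages()

async def ask(client, prompt):
    """Duck-typed dispatch: prefer .complete(), else fall back to .messages.create()."""
    if callable(getattr(client, "complete", None)):
        return await client.complete(prompt)
    return await client.messages.create(prompt)

async def decide(client, prompt):
    """Return an action dict; a provider failure is reported, not hidden as a clean finish."""
    try:
        return {"action": "continue", "text": await ask(client, prompt)}
    except Exception as exc:
        # Carry the cause so the CLI can print it once the spinner stops.
        return {"action": "finish", "error": f"{type(exc).__name__}: {exc}"}

def run(client, prompt):
    """Synchronous wrapper so the sketch can be driven from a plain script."""
    return asyncio.run(decide(client, prompt))

if __name__ == "__main__":
    print(resolve_provider({"OPENAI_API_KEY": "sk-constructed"}))
    print(run(UnifiedStub(), "ping"))
```

Attaching the exception text to the finish action is what lets a misrouted provider show up as an error message rather than a silent exit.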


About pentest-ai

Offensive-security MCP server with 205 wrapped tools, 17 specialist agents, and 60 SPA-aware probes for OWASP Top 10. CLI + MCP, BYO LLM. No API key needed on MCP path.
