Metadata-Version: 2.4
Name: riciplay-cli
Version: 1.7.31
Summary: Riciplay Security Platform — Autonomous AI-driven bug-bounty CLI
Author: Zaidux
License: MIT
Project-URL: Homepage, https://riciplay.xyz
Project-URL: Documentation, https://riciplay.xyz/docs
Project-URL: Repository, https://github.com/Zaidux/Riciplay
Project-URL: Issues, https://github.com/Zaidux/Riciplay/issues
Keywords: security,bug-bounty,dast,sast,pentest,vulnerability-scanner,ai-security,cli
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Testing
Requires-Python: >=3.10
Description-Content-Type: text/markdown
Requires-Dist: typer[all]>=0.9.0
Requires-Dist: httpx>=0.27.0
Requires-Dist: rich>=13.0
Requires-Dist: keyring>=25.0
Requires-Dist: tiktoken>=0.7.0
Requires-Dist: packaging>=23.0

# riciplay-cli

**Riciplay Security Platform — Command-line Interface**

An autonomous AI-driven bug bounty hunting agent for web applications and
codebases. Runs local investigations with an LLM-in-a-loop leader that
orchestrates specialists, probes endpoints, verifies findings, and chains
vulnerabilities.

## Features

- **Autonomous DAST (Dynamic Application Security Testing)** — Web app
  vulnerability scanning with automatic attack-surface enumeration, multi-class
  injection probing (XSS / SQLi / IDOR / open-redirect / SSRF), and
  interception-driven recon through miniproxy + headless browser.

- **Autonomous SAST (Static Application Security Testing)** — Code audit with
  semgrep, code search, and AI-guided data-flow tracing. Finds injection sinks,
  hardcoded secrets, weak crypto, and path traversal.

- **Manual-analysis mode** — Human-pentester-style workflow: observe through
  browser, take notebook notes, register accounts, test cross-account, reason
  and iterate.

- **Specialist orchestration** — Parallel execution of domain specialists
  (Recon, Web, API, Auth, Cloud, Business Logic) with shared findings,
  cross-specialist corroboration, and compound attack chaining.

- **Coverage gates** — Deterministic finish-time enforcement ensures every
  discovered endpoint×parameter×attack-class combination is attempted before
  the investigation concludes.

- **Two-identity IDOR testing** — Automatic account registration/login and
  cross-account replay for authorization bypass detection.

- **Phase-separated investigation** — DISCOVER (breadth-first surface mapping
  and probing) followed by REPORT (impact verification, chaining, and quality
  gating).

## Installation

```bash
pip install riciplay-cli
```

Requires Python 3.10+, `mitmdump` (for proxy capture), and optionally Chromium
(via Playwright) for browser-based discoveries.

## Quick Start

```bash
# Authenticate against the Riciplay backend
riciplay auth set-key <your-api-key>

# Run a DAST investigation against a target
riciplay scan investigate https://example.com --budget 12

# Run a SAST code audit
riciplay scan investigate ./my-project --mode sast --budget 8

# Manual-analysis mode
riciplay scan investigate https://example.com --mode manual --budget 15
```

## Configuration

- `riciplay auth status` — Check authentication and tier
- `riciplay auth whoami` — Show current account info
- `riciplay review <path>` — Code review with markdown output
- `riciplay --help` — Full command reference
