
Add coding agent session handoff docs #811

Open
KeremP wants to merge 3 commits into canary from coding-agent-session-handoff
Contributor

@KeremP KeremP commented May 28, 2026

Summary

  • print explicit Apex session handoff details from headless pentest commands
  • document the local ~/.pensar session artifact contract for coding agents
  • add Cursor, OpenCode, generic agent, and software factory setup examples

Verification

  • bun run test src/core/cli/sessionHandoff.test.ts
  • prettier --check examples/coding-agents/*.md fern/docs/integrations/coding-agents.mdx fern/docs/cli/pentest.mdx fern/docs/cli/targeted-pentest.mdx README.md fern/docs.yml

Notes

Full repo checks were attempted earlier but are currently blocked by existing environment issues: invalid/missing type resolution for mime-types and @pensar/surface under tsc, sandbox EPERM in skills scanner tests, network DNS failures for Anthropic-backed tests, and existing persistent shell timeout test failures.


Note

Low Risk
Changes are mostly documentation and formatted CLI stdout; no auth, pentest engine, or session storage logic changes beyond printing paths twice.

Overview
Headless pensar pentest and pensar targeted-pentest now emit a standardized SESSION HANDOFF block right after session creation and again in the final RESULTS summary, via new formatSessionHandoffSummary (Session, Session path, findings/POCs/report paths). That gives automation and coding agents a stable stdout contract even when a run fails after the session exists.

Documentation adds a Coding Agents integration (Fern nav + fern/docs/integrations/coding-agents.mdx), updates CLI docs and README for the ~/.pensar/sessions/<session-id>/ artifact handoff, and ships reusable templates under examples/coding-agents/ (generic, Cursor, OpenCode, software factory) covering when to run Apex, targeted vs broad pentest, and fix/verify loops.

Reviewed by Cursor Bugbot for commit 73afa12. Bugbot is set up for automated code reviews on this repo. Configure here.

Contributor Author

KeremP commented May 29, 2026

@cursoragent fix merge conflicts


cursor Bot commented May 29, 2026

Perfect! I've successfully resolved the merge conflicts on the coding-agent-session-handoff branch.

What was resolved:

The conflict was in src/core/agents/specialized/attackSurface/prompts.ts where this PR branch introduced a refactoring from a single document_asset approach to a two-step document_app + document_endpoint approach, but main had updates to the original document_asset approach.

Resolution strategy:

I kept the PR branch's two-step documentation approach (document_app and document_endpoint) since that's the architectural change this PR is introducing. The conflicts were in four locations:

  1. The documentation format explanation
  2. The asset types section
  3. The tool reference section
  4. The "document as you go" rule

Verification:

  • ✅ All tests pass (1031 passed, 15 skipped)
  • ✅ TypeScript compilation successful
  • ✅ No conflict markers remain in the file
  • ✅ Changes committed and pushed to remote

The PR is now up to date with main and ready for review.


Comment thread src/core/cli/sessionHandoff.ts Outdated
Contributor Author

KeremP commented May 29, 2026

@cursoragent I think actually we need to rebase our branch with the latest canary. Revert your last changes and rebase.


cursor Bot commented May 29, 2026

Perfect! I've successfully rebased the coding-agent-session-handoff branch onto the latest canary.

What was done:

  1. Reverted the previous merge commit that merged main into the branch
  2. Fetched latest canary (commit 6902073e - version 1.8.1)
  3. Rebased the branch onto canary, resolving conflicts in two documentation files

Conflicts resolved:

Both conflicts were in the CLI documentation where canary had added new HTTP header options (--header, --headers-from, --no-global-headers) that weren't in our original branch:

  • fern/docs/cli/pentest.mdx - Added header options to the options table
  • fern/docs/cli/targeted-pentest.mdx - Added header options to the options table

Verification:

  • ✅ All tests pass (1080 passed, 15 skipped)
  • ✅ No conflict markers remain
  • ✅ Clean rebase history (1 commit ahead of canary)
  • ✅ Force pushed with --force-with-lease to preserve safety

The branch now has a clean linear history rebased on the latest canary and is ready for review.


@cursor cursor Bot force-pushed the coding-agent-session-handoff branch from 149496c to efb2a3b Compare May 29, 2026 02:07
github-actions Bot commented May 29, 2026

@kylejryan kylejryan force-pushed the coding-agent-session-handoff branch from efb2a3b to 82688c3 Compare May 29, 2026 15:07
@kylejryan kylejryan self-requested a review May 29, 2026 16:11
Collaborator

@kylejryan kylejryan left a comment

Left a couple of non-blocking comments around the automation contract and opt-in behavior for agent-triggered Apex runs.

Comment thread src/cli.ts
Comment thread examples/coding-agents/cursor-background-agent.md Outdated

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issue.

Reviewed by Cursor Bugbot for commit 26f7049. Configure here.

Comment thread src/cli.ts
@kylejryan
Collaborator

@cursoragent Resolve the bug bot findings please


cursor Bot commented May 29, 2026

Perfect! I've resolved the bugbot finding about the duplicate "Findings:" label.

Changes made:

Fixed the ambiguous output format by renaming the label in formatSessionHandoffSummary:

  • Changed Findings: ${path} to Findings path: ${path}

This disambiguates the two lines in the CLI output:

Findings:  3                    (count)
Findings path: /path/.../findings  (directory path)

Files updated:

  1. src/core/cli/sessionHandoff.ts - Updated the formatter function
  2. src/core/cli/sessionHandoff.test.ts - Updated test expectations
  3. fern/docs/cli/pentest.mdx - Updated output example
  4. fern/docs/cli/targeted-pentest.mdx - Updated output example
  5. fern/docs/integrations/coding-agents.mdx - Updated output example

Verification:

  • ✅ All tests pass (including sessionHandoff unit tests)
  • ✅ Code formatting passes
  • ✅ Changes committed and pushed
  • ✅ Rebased with latest remote changes

The new label follows the pattern established by "Session path:" and makes the machine-parseable output unambiguous for coding agents and automation tools.


Rename 'Findings:' to 'Findings path:' in formatSessionHandoffSummary
to disambiguate from the findings count line. The CLI now outputs:

  Findings:  3              (count)
  Findings path: /path/...  (directory path)

This prevents ambiguous machine-parseable output for coding agents
and automation tools that rely on this handoff format.

Resolves bugbot finding about duplicate labels.

Co-authored-by: KeremP <kerem@pensarai.com>
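
The duplicate-label problem fixed above, seen from the consuming side, as an added example that is not part of this PR or the project's code: a strict parser that tolerates the handoff block being printed twice but refuses output where one label carries two different values. The sample output, session id and the check that the findings path sits under the session path are assumptions; only the labels named in this thread are used.

```typescript
// Added example, not project code. Only labels named in this thread are used.
interface Handoff {
  fields: Map<string, string>;
  conflicts: string[]; // labels seen with two different values
}

// Parse "Label: value" lines. The handoff block is printed twice per run, so
// an identical repeat is accepted; a repeat with a different value is flagged.
function parseHandoff(stdout: string): Handoff {
  const fields = new Map<string, string>();
  const conflicts: string[] = [];
  for (const raw of stdout.split("\n")) {
    const sep = raw.indexOf(":"); // first colon only, so values may contain ":"
    if (sep <= 0) continue;
    const label = raw.slice(0, sep).trim();
    const value = raw.slice(sep + 1).trim();
    if (label === "" || value === "") continue; // headings and blank lines
    const seen = fields.get(label);
    if (seen === undefined) fields.set(label, value);
    else if (seen !== value && conflicts.indexOf(label) === -1) conflicts.push(label);
  }
  return { fields, conflicts };
}

// Return the findings directory only if the output is unambiguous and the path
// stays inside the reported session directory (assumed layout, POSIX paths).
function findingsDir(stdout: string): string | null {
  const { fields, conflicts } = parseHandoff(stdout);
  if (conflicts.length > 0) return null;
  const session = fields.get("Session path");
  const findings = fields.get("Findings path");
  if (!session || !findings) return null;
  if (findings.split("/").indexOf("..") !== -1) return null; // no traversal
  return findings.indexOf(session + "/") === 0 ? findings : null;
}

// Constructed sample output; the session id and home directory are made up.
const SESSION_DIR = "/home/dev/.pensar/sessions/example-session";
const BEFORE_FIX = ["Session path: " + SESSION_DIR, "Findings:  3",
  "Findings: " + SESSION_DIR + "/findings"].join("\n");
const AFTER_FIX = ["Session path: " + SESSION_DIR, "Findings:  3",
  "Findings path: " + SESSION_DIR + "/findings"].join("\n");

console.log(parseHandoff(BEFORE_FIX).conflicts);        // duplicate label flagged
console.log(findingsDir(AFTER_FIX + "\n" + AFTER_FIX)); // repeated block accepted
```

A consumer that silently keeps the first or last value for a repeated label would hand an agent either the count or the path depending on line order, which is the ambiguity the rename removes.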

3 participants