@kernel.chat/kbot 3.57.0 → 3.58.1

package/dist/tools/pentest.js

@@ -0,0 +1,2225 @@
+// kbot Pentest Tools — Penetration testing workflow
+// Self-contained using Node.js built-in modules: dns, https, http, tls, net.
+// No external tools or shell-outs required.
+// Findings stored in ~/.kbot/pentest/{session-id}/
+import { registerTool } from './index.js';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { existsSync, readFileSync, writeFileSync, mkdirSync, readdirSync, statSync } from 'node:fs';
+import * as dns from 'node:dns';
+import * as https from 'node:https';
+import * as http from 'node:http';
+import * as tls from 'node:tls';
+import * as net from 'node:net';
+import { URL } from 'node:url';
+import { randomUUID } from 'node:crypto';
+// ─────────────────────────────────────────────────────────────────────────────
+// Constants
+// ─────────────────────────────────────────────────────────────────────────────
+const PENTEST_DIR = join(homedir(), '.kbot', 'pentest');
+const COMMON_PATHS = [
+    '/', '/admin', '/administrator', '/login', '/signin', '/signup',
+    '/register', '/api', '/api/v1', '/api/v2', '/api/docs',
+    '/api/swagger', '/api/graphql', '/graphql',
+    '/.env', '/.git', '/.git/HEAD', '/.git/config',
+    '/.gitignore', '/.svn', '/.hg',
+    '/wp-admin', '/wp-login.php', '/wp-content', '/wp-includes',
+    '/xmlrpc.php', '/wp-json',
+    '/phpmyadmin', '/pma', '/adminer',
+    '/robots.txt', '/sitemap.xml', '/sitemap_index.xml',
+    '/favicon.ico', '/crossdomain.xml',
+    '/.well-known/security.txt', '/.well-known/openid-configuration',
+    '/server-status', '/server-info',
+    '/.htaccess', '/.htpasswd',
+    '/config', '/config.json', '/config.yml', '/config.xml',
+    '/backup', '/backups', '/dump', '/db', '/database',
+    '/debug', '/trace', '/status', '/health', '/healthz',
+    '/metrics', '/prometheus', '/grafana',
+    '/console', '/shell', '/terminal',
+    '/test', '/testing', '/staging',
+    '/temp', '/tmp', '/upload', '/uploads',
+    '/files', '/documents', '/media', '/assets',
+    '/node_modules', '/vendor', '/composer.json', '/package.json',
+    '/Dockerfile', '/docker-compose.yml',
+    '/.dockerenv', '/Procfile',
+    '/info.php', '/phpinfo.php', '/info',
+    '/actuator', '/actuator/health', '/actuator/env',
+    '/elmah.axd', '/trace.axd',
+    '/cgi-bin', '/cgi-bin/test-cgi',
+    '/manager/html', '/jmx-console',
+    '/solr', '/jenkins', '/hudson',
+    '/_debug_toolbar/', '/__debug__/',
+    '/telescope', '/horizon',
+    '/swagger-ui.html', '/swagger.json', '/openapi.json',
+    '/v2/api-docs', '/v3/api-docs',
+    '/.DS_Store', '/Thumbs.db',
+    '/crossdomain.xml', '/clientaccesspolicy.xml',
+    '/error', '/errors', '/404', '/500',
+    '/ckeditor', '/tinymce', '/editor',
+    '/filemanager', '/file-manager',
+    '/webmail', '/mail', '/email',
+    '/cpanel', '/whm', '/plesk',
+    '/awstats', '/webalizer',
+    '/phppgadmin', '/pgadmin',
+    '/mongodb', '/mongo-express',
+    '/redis', '/memcached',
+    '/elasticsearch', '/_cat/indices',
+    '/_cluster/health',
+];
+const COMMON_SUBDOMAINS = [
+    'www', 'mail', 'ftp', 'smtp', 'pop', 'imap',
+    'webmail', 'remote', 'vpn', 'gateway',
+    'admin', 'administrator', 'panel',
+    'api', 'api2', 'api3', 'rest',
+    'dev', 'development', 'staging', 'stage', 'test', 'testing',
+    'qa', 'uat', 'sandbox', 'demo', 'preview',
+    'beta', 'alpha', 'canary', 'next',
+    'app', 'application', 'portal', 'dashboard',
+    'cdn', 'static', 'assets', 'media', 'img', 'images',
+    'docs', 'doc', 'documentation', 'wiki', 'help', 'support',
+    'blog', 'news', 'press',
+    'shop', 'store', 'ecommerce', 'cart',
+    'db', 'database', 'sql', 'mysql', 'postgres', 'mongo',
+    'redis', 'cache', 'memcached',
+    'search', 'elastic', 'elasticsearch', 'solr',
+    'git', 'gitlab', 'github', 'bitbucket', 'svn',
+    'ci', 'cd', 'jenkins', 'drone', 'build',
+    'monitor', 'monitoring', 'grafana', 'prometheus', 'kibana',
+    'log', 'logs', 'logging', 'syslog', 'elk',
+    'backup', 'backups', 'bak',
+    'ns1', 'ns2', 'ns3', 'dns',
+    'mx', 'mx1', 'mx2',
+    'proxy', 'reverse-proxy', 'lb', 'loadbalancer',
+    'auth', 'sso', 'oauth', 'login', 'accounts', 'id',
+    'internal', 'intranet', 'extranet', 'private',
+    'secure', 'ssl', 'tls',
+    'status', 'health', 'uptime',
+    'metrics', 'analytics', 'stats',
+    'chat', 'im', 'messaging', 'slack', 'teams',
+    'crm', 'erp', 'hr',
+    'jira', 'confluence', 'trello',
+    'aws', 'gcp', 'azure', 'cloud',
+    's3', 'storage', 'bucket',
+    'queue', 'mq', 'rabbitmq', 'kafka',
+    'ws', 'websocket', 'socket', 'realtime',
+];
+const SECURITY_HEADERS = [
+    'content-security-policy',
+    'strict-transport-security',
+    'x-frame-options',
+    'x-content-type-options',
+    'referrer-policy',
+    'permissions-policy',
+    'x-xss-protection',
+    'cross-origin-opener-policy',
+    'cross-origin-embedder-policy',
+    'cross-origin-resource-policy',
+];
+const SEVERITY_ORDER = {
+    CRITICAL: 0,
+    HIGH: 1,
+    MEDIUM: 2,
+    LOW: 3,
+    INFO: 4,
+};
+const HTTP_METHODS = ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS', 'HEAD', 'TRACE'];
+// ─────────────────────────────────────────────────────────────────────────────
+// Helpers
+// ─────────────────────────────────────────────────────────────────────────────
+/** Ensure the pentest directory exists */
+function ensurePentestDir() {
+    if (!existsSync(PENTEST_DIR)) {
+        mkdirSync(PENTEST_DIR, { recursive: true });
+    }
+}
+/** Get session directory path */
+function sessionDir(sessionId) {
+    return join(PENTEST_DIR, sessionId);
+}
+/** Create a new session directory */
+function createSessionDir(sessionId) {
+    const dir = sessionDir(sessionId);
+    mkdirSync(dir, { recursive: true });
+    return dir;
+}
+/** Read session config */
+function readSession(sessionId) {
+    const configPath = join(sessionDir(sessionId), 'config.json');
+    if (!existsSync(configPath))
+        return null;
+    try {
+        return JSON.parse(readFileSync(configPath, 'utf8'));
+    }
+    catch {
+        return null;
+    }
+}
+/** Write session config */
+function writeSession(session) {
+    const configPath = join(sessionDir(session.id), 'config.json');
+    writeFileSync(configPath, JSON.stringify(session, null, 2));
+}
+/** Read recon data for a session */
+function readRecon(sessionId) {
+    const p = join(sessionDir(sessionId), 'recon.json');
+    if (!existsSync(p))
+        return null;
+    try {
+        return JSON.parse(readFileSync(p, 'utf8'));
+    }
+    catch {
+        return null;
+    }
+}
+/** Write recon data */
+function writeRecon(sessionId, data) {
+    writeFileSync(join(sessionDir(sessionId), 'recon.json'), JSON.stringify(data, null, 2));
+}
+/** Read vuln data for a session */
+function readVulns(sessionId) {
+    const p = join(sessionDir(sessionId), 'vulns.json');
+    if (!existsSync(p))
+        return null;
+    try {
+        return JSON.parse(readFileSync(p, 'utf8'));
+    }
+    catch {
+        return null;
+    }
+}
+/** Write vuln data */
+function writeVulns(sessionId, data) {
+    writeFileSync(join(sessionDir(sessionId), 'vulns.json'), JSON.stringify(data, null, 2));
+}
+/** Find the latest session ID */
+function findLatestSession() {
+    ensurePentestDir();
+    const dirs = readdirSync(PENTEST_DIR).filter(d => {
+        const fp = join(PENTEST_DIR, d);
+        return statSync(fp).isDirectory() && existsSync(join(fp, 'config.json'));
+    });
+    if (dirs.length === 0)
+        return null;
+    // Sort by session start time
+    const sorted = dirs
+        .map(d => {
+        const session = readSession(d);
+        return { id: d, time: session?.started_at ?? '' };
+    })
+        .sort((a, b) => b.time.localeCompare(a.time));
+    return sorted[0]?.id ?? null;
+}
+/** Find session for a target, returning the latest one */
+function findSessionForTarget(target) {
+    ensurePentestDir();
+    const dirs = readdirSync(PENTEST_DIR).filter(d => {
+        const fp = join(PENTEST_DIR, d);
+        return statSync(fp).isDirectory() && existsSync(join(fp, 'config.json'));
+    });
+    const matching = dirs
+        .map(d => readSession(d))
+        .filter((s) => s !== null && s.target === target)
+        .sort((a, b) => b.started_at.localeCompare(a.started_at));
+    return matching[0]?.id ?? null;
+}
+/** Create a finding object */
+function createFinding(severity, category, title, description, evidence, remediation) {
+    return {
+        id: randomUUID().slice(0, 8),
+        severity,
+        category,
+        title,
+        description,
+        evidence,
+        remediation,
+        timestamp: new Date().toISOString(),
+    };
+}
+/** Parse a target into a URL object, handling bare IPs/domains */
+function parseTarget(target) {
+    let urlStr = target.trim();
+    if (!urlStr.startsWith('http://') && !urlStr.startsWith('https://')) {
+        urlStr = `https://${urlStr}`;
+    }
+    return new URL(urlStr);
+}
+/** Promisified DNS resolve for a given record type */
+function dnsResolve(hostname, rrtype) {
+    return new Promise((resolve) => {
+        dns.resolve(hostname, rrtype, (err, addresses) => {
+            if (err)
+                resolve([]);
+            else
+                resolve(Array.isArray(addresses) ? addresses.map(a => typeof a === 'string' ? a : JSON.stringify(a)) : []);
+        });
+    });
+}
+/** DNS reverse lookup */
+function dnsReverse(ip) {
+    return new Promise((resolve) => {
+        dns.reverse(ip, (err, hostnames) => {
+            if (err)
+                resolve([]);
+            else
+                resolve(hostnames);
+        });
+    });
+}
+/** Make an HTTP(S) request and return response info */
+function httpRequest(urlStr, options = {}) {
+    return new Promise((resolve, reject) => {
+        const method = options.method ?? 'GET';
+        const timeout = options.timeout ?? 10_000;
+        const parsed = new URL(urlStr);
+        const isHttps = parsed.protocol === 'https:';
+        const reqOptions = {
+            method,
+            hostname: parsed.hostname,
+            port: parsed.port || (isHttps ? 443 : 80),
+            path: parsed.pathname + parsed.search,
+            timeout,
+            headers: {
+                'User-Agent': 'kbot-pentest/1.0 (security assessment tool)',
+                'Accept': '*/*',
+                ...options.headers,
+            },
+            rejectUnauthorized: options.rejectUnauthorized ?? false,
+        };
+        const mod = isHttps ? https : http;
+        const req = mod.request(reqOptions, (res) => {
+            let body = '';
+            const maxBody = 256_000; // 256KB max
+            res.setEncoding('utf8');
+            res.on('data', (chunk) => {
+                if (body.length < maxBody) {
+                    body += chunk;
+                }
+            });
+            res.on('end', () => {
+                const headers = {};
+                for (const [key, val] of Object.entries(res.headers)) {
+                    headers[key.toLowerCase()] = val;
+                }
+                resolve({
+                    statusCode: res.statusCode ?? 0,
+                    headers,
+                    body: body.slice(0, maxBody),
+                    url: urlStr,
+                    redirectUrl: res.headers.location,
+                });
+            });
+        });
+        req.on('error', (err) => reject(err));
+        req.on('timeout', () => {
+            req.destroy();
+            reject(new Error('Request timed out'));
+        });
+        req.end();
+    });
+}
+/** Make a request and catch errors, returning null on failure */
+async function safeRequest(urlStr, options = {}) {
+    try {
+        return await httpRequest(urlStr, options);
+    }
+    catch {
+        return null;
+    }
+}
+/** Check if a TCP port is open */
+function checkPort(host, port, timeout = 3000) {
+    return new Promise((resolve) => {
+        const socket = new net.Socket();
+        socket.setTimeout(timeout);
+        socket.on('connect', () => {
+            socket.destroy();
+            resolve(true);
+        });
+        socket.on('timeout', () => {
+            socket.destroy();
+            resolve(false);
+        });
+        socket.on('error', () => {
+            socket.destroy();
+            resolve(false);
+        });
+        socket.connect(port, host);
+    });
+}
+/** Get TLS certificate info */
+function getTlsCertificate(hostname, port = 443, timeout = 10_000) {
+    return new Promise((resolve) => {
+        const socket = tls.connect({
+            host: hostname,
+            port,
+            timeout,
+            rejectUnauthorized: false,
+            servername: hostname,
+        }, () => {
+            const cert = socket.getPeerCertificate(true);
+            const cipher = socket.getCipher();
+            const protocol = socket.getProtocol() ?? 'unknown';
+            if (!cert || !cert.subject) {
+                socket.destroy();
+                resolve(null);
+                return;
+            }
+            const validFrom = new Date(cert.valid_from);
+            const validTo = new Date(cert.valid_to);
+            const now = new Date();
+            const daysUntilExpiry = Math.floor((validTo.getTime() - now.getTime()) / (1000 * 60 * 60 * 24));
+            const expired = now > validTo || now < validFrom;
+            // Check if self-signed (issuer matches subject)
+            const selfSigned = cert.issuer &&
+                cert.subject &&
+                JSON.stringify(cert.issuer) === JSON.stringify(cert.subject);
+            // Parse Subject Alternative Names
+            const altNames = [];
+            if (cert.subjectaltname) {
+                const parts = cert.subjectaltname.split(',').map((s) => s.trim());
+                for (const part of parts) {
+                    if (part.startsWith('DNS:')) {
+                        altNames.push(part.slice(4));
+                    }
+                    else if (part.startsWith('IP Address:')) {
+                        altNames.push(part.slice(11));
+                    }
+                }
+            }
+            socket.destroy();
+            resolve({
+                valid: !expired && !selfSigned,
+                subject: cert.subject,
+                issuer: cert.issuer,
+                validFrom: cert.valid_from,
+                validTo: cert.valid_to,
+                serialNumber: cert.serialNumber ?? '',
+                fingerprint: cert.fingerprint ?? '',
+                fingerprint256: cert.fingerprint256 ?? '',
+                protocol,
+                cipher: cipher?.name ?? 'unknown',
+                bits: cipher?.version ? parseInt(String(cipher.version), 10) || 0 : 0,
+                altNames,
+                expired,
+                daysUntilExpiry,
+                selfSigned: !!selfSigned,
+            });
+        });
+        socket.on('error', () => {
+            socket.destroy();
+            resolve(null);
+        });
+        socket.on('timeout', () => {
+            socket.destroy();
+            resolve(null);
+        });
+    });
+}
+/** Extract technologies from HTTP response headers and body */
+function fingerprintTechnologies(headers, body) {
+    const techs = [];
+    // Header-based detection
+    const serverHeader = String(headers['server'] ?? '');
+    if (serverHeader) {
+        techs.push(`Server: ${serverHeader}`);
+        if (/nginx/i.test(serverHeader))
+            techs.push('Nginx');
+        if (/apache/i.test(serverHeader))
+            techs.push('Apache');
+        if (/iis/i.test(serverHeader))
+            techs.push('IIS');
+        if (/cloudflare/i.test(serverHeader))
+            techs.push('Cloudflare');
+        if (/litespeed/i.test(serverHeader))
+            techs.push('LiteSpeed');
+        if (/openresty/i.test(serverHeader))
+            techs.push('OpenResty');
+        if (/caddy/i.test(serverHeader))
+            techs.push('Caddy');
+        if (/envoy/i.test(serverHeader))
+            techs.push('Envoy');
+        if (/gunicorn/i.test(serverHeader))
+            techs.push('Gunicorn');
+        if (/uvicorn/i.test(serverHeader))
+            techs.push('Uvicorn');
+    }
+    const poweredBy = String(headers['x-powered-by'] ?? '');
+    if (poweredBy) {
+        techs.push(`X-Powered-By: ${poweredBy}`);
+        if (/php/i.test(poweredBy))
+            techs.push('PHP');
+        if (/asp\.net/i.test(poweredBy))
+            techs.push('ASP.NET');
+        if (/express/i.test(poweredBy))
+            techs.push('Express.js');
+        if (/next\.js/i.test(poweredBy))
+            techs.push('Next.js');
+        if (/nuxt/i.test(poweredBy))
+            techs.push('Nuxt.js');
+    }
+    // Cookie-based detection
+    const setCookie = String(headers['set-cookie'] ?? '');
+    if (/PHPSESSID/i.test(setCookie))
+        techs.push('PHP (session cookie)');
+    if (/ASP\.NET_SessionId/i.test(setCookie))
+        techs.push('ASP.NET (session cookie)');
+    if (/JSESSIONID/i.test(setCookie))
+        techs.push('Java (session cookie)');
+    if (/laravel_session/i.test(setCookie))
+        techs.push('Laravel');
+    if (/rack\.session/i.test(setCookie))
+        techs.push('Ruby/Rack');
+    if (/connect\.sid/i.test(setCookie))
+        techs.push('Express.js (session cookie)');
+    if (/_rails/i.test(setCookie))
+        techs.push('Ruby on Rails');
+    if (/django/i.test(setCookie))
+        techs.push('Django');
+    if (/wordpress_/i.test(setCookie))
+        techs.push('WordPress');
+    // Header-based framework detection
+    if (headers['x-drupal-cache'])
+        techs.push('Drupal');
+    if (headers['x-generator'] && /drupal/i.test(String(headers['x-generator'])))
+        techs.push('Drupal');
+    if (headers['x-generator'] && /wordpress/i.test(String(headers['x-generator'])))
+        techs.push('WordPress');
+    if (headers['x-aspnet-version'])
+        techs.push(`ASP.NET ${headers['x-aspnet-version']}`);
+    if (headers['x-aspnetmvc-version'])
+        techs.push(`ASP.NET MVC ${headers['x-aspnetmvc-version']}`);
+    if (headers['x-runtime'])
+        techs.push('Ruby');
+    if (headers['x-request-id'] && headers['x-runtime'])
+        techs.push('Ruby on Rails');
+    if (headers['x-vercel-id'])
+        techs.push('Vercel');
+    if (headers['x-amz-request-id'] || headers['x-amz-id-2'])
+        techs.push('AWS');
+    if (headers['x-goog-generation'])
+        techs.push('Google Cloud');
+    if (headers['x-azure-ref'])
+        techs.push('Azure');
+    if (headers['cf-ray'])
+        techs.push('Cloudflare');
+    if (headers['fly-request-id'])
+        techs.push('Fly.io');
+    if (headers['x-render-origin-server'])
+        techs.push('Render');
+    if (headers['x-railway-request-id'])
+        techs.push('Railway');
+    if (headers['x-netlify-request-id'])
+        techs.push('Netlify');
+    // Body-based detection
+    if (/<meta[^>]+generator[^>]+wordpress/i.test(body))
+        techs.push('WordPress');
+    if (/<meta[^>]+generator[^>]+joomla/i.test(body))
+        techs.push('Joomla');
+    if (/<meta[^>]+generator[^>]+drupal/i.test(body))
+        techs.push('Drupal');
+    if (/<meta[^>]+generator[^>]+ghost/i.test(body))
+        techs.push('Ghost');
+    if (/<meta[^>]+generator[^>]+hugo/i.test(body))
+        techs.push('Hugo');
+    if (/<meta[^>]+generator[^>]+jekyll/i.test(body))
+        techs.push('Jekyll');
+    if (/<meta[^>]+generator[^>]+gatsby/i.test(body))
+        techs.push('Gatsby');
+    if (/<meta[^>]+generator[^>]+hexo/i.test(body))
+        techs.push('Hexo');
+    if (/<meta[^>]+generator[^>]+eleventy/i.test(body))
+        techs.push('Eleventy');
+    if (/wp-content|wp-includes/i.test(body))
+        techs.push('WordPress (paths)');
+    if (/__next/i.test(body) || /_next\/static/i.test(body))
+        techs.push('Next.js');
+    if (/__nuxt/i.test(body) || /_nuxt\//i.test(body))
+        techs.push('Nuxt.js');
+    if (/react/i.test(body) && /__REACT/i.test(body))
+        techs.push('React');
+    if (/ng-version/i.test(body) || /angular/i.test(body))
+        techs.push('Angular');
+    if (/vue/i.test(body) && /data-v-/i.test(body))
+        techs.push('Vue.js');
+    if (/svelte/i.test(body) || /svelte-/i.test(body))
+        techs.push('Svelte');
+    if (/ember/i.test(body) && /ember-cli/i.test(body))
+        techs.push('Ember.js');
+    if (/jquery/i.test(body))
+        techs.push('jQuery');
+    if (/bootstrap/i.test(body) && /bootstrap\.min/i.test(body))
+        techs.push('Bootstrap');
+    if (/tailwindcss/i.test(body) || /tailwind/i.test(body))
+        techs.push('Tailwind CSS');
+    if (/materialize/i.test(body))
+        techs.push('Materialize CSS');
+    if (/google-analytics|gtag|GA_TRACKING/i.test(body))
+        techs.push('Google Analytics');
+    if (/googletagmanager/i.test(body))
+        techs.push('Google Tag Manager');
+    if (/hotjar/i.test(body))
+        techs.push('Hotjar');
+    if (/segment\.com|analytics\.js/i.test(body))
+        techs.push('Segment');
+    if (/stripe/i.test(body) && /js\.stripe\.com/i.test(body))
+        techs.push('Stripe');
+    if (/recaptcha/i.test(body))
+        techs.push('Google reCAPTCHA');
+    if (/cloudflare/i.test(body) && /cdn-cgi/i.test(body))
+        techs.push('Cloudflare CDN');
+    if (/unpkg\.com|cdnjs\.cloudflare\.com|cdn\.jsdelivr\.net/i.test(body))
+        techs.push('CDN-served libraries');
+    // Deduplicate
+    return [...new Set(techs)];
+}
+/** Extract info resembling WHOIS from DNS and other sources (no external whois binary) */
+async function gatherWhoisInfo(hostname) {
+    const info = {};
+    info['hostname'] = hostname;
+    // Resolve IPs
+    const aRecords = await dnsResolve(hostname, 'A');
+    if (aRecords.length > 0) {
+        info['ip_addresses'] = aRecords.join(', ');
+        // Reverse DNS on first IP
+        const reverseNames = await dnsReverse(aRecords[0]);
+        if (reverseNames.length > 0) {
+            info['reverse_dns'] = reverseNames.join(', ');
+        }
+    }
+    const aaaaRecords = await dnsResolve(hostname, 'AAAA');
+    if (aaaaRecords.length > 0) {
+        info['ipv6_addresses'] = aaaaRecords.join(', ');
+    }
+    // Domain parts
+    const parts = hostname.split('.');
+    if (parts.length >= 2) {
+        info['tld'] = parts[parts.length - 1];
+        info['registered_domain'] = parts.slice(-2).join('.');
+        if (parts.length > 2) {
+            info['subdomain_prefix'] = parts.slice(0, -2).join('.');
+        }
+    }
+    return info;
+}
+/** Parse cookie attributes from a Set-Cookie header value */
+function parseCookieAttributes(setCookieValue) {
+    const parts = setCookieValue.split(';').map(p => p.trim());
+    const nameValue = parts[0] ?? '';
+    const name = nameValue.split('=')[0] ?? '';
+    let httpOnly = false;
+    let secure = false;
+    let sameSite = '';
+    let path = '';
+    let domain = '';
+    let expires = '';
+    let maxAge = '';
+    for (const part of parts.slice(1)) {
+        const lower = part.toLowerCase();
+        if (lower === 'httponly')
+            httpOnly = true;
+        else if (lower === 'secure')
+            secure = true;
+        else if (lower.startsWith('samesite='))
+            sameSite = part.split('=')[1] ?? '';
+        else if (lower.startsWith('path='))
+            path = part.split('=')[1] ?? '';
+        else if (lower.startsWith('domain='))
+            domain = part.split('=')[1] ?? '';
+        else if (lower.startsWith('expires='))
+            expires = part.slice(8);
+        else if (lower.startsWith('max-age='))
+            maxAge = part.split('=')[1] ?? '';
+    }
+    return { name, httpOnly, secure, sameSite, path, domain, expires, maxAge };
+}
+/** Aggregate all findings from recon and vuln phases */
+function getAllFindings(sessionId) {
+    const findings = [];
+    const vulns = readVulns(sessionId);
+    if (vulns)
+        findings.push(...vulns.findings);
+    return findings.sort((a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]);
+}
+/** Count findings by severity */
+function countBySeverity(findings) {
+    const counts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0, INFO: 0 };
+    for (const f of findings) {
+        counts[f.severity]++;
+    }
+    return counts;
+}
+/** Format a severity label with color-coding hints (for terminal markdown) */
+function severityBadge(sev) {
+    switch (sev) {
+        case 'CRITICAL': return '🔴 CRITICAL';
+        case 'HIGH': return '🟠 HIGH';
+        case 'MEDIUM': return '🟡 MEDIUM';
+        case 'LOW': return '🔵 LOW';
+        case 'INFO': return 'ℹ️  INFO';
+    }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Recon Engine
+// ─────────────────────────────────────────────────────────────────────────────
+async function performRecon(target, depth, passiveOnly) {
+    const parsed = parseTarget(target);
+    const hostname = parsed.hostname;
+    const baseUrl = `${parsed.protocol}//${parsed.host}`;
+    const findings = [];
+    // ── DNS Resolution ────────────────────────────────────────────────────
+    const dnsResults = {};
+    const recordTypes = ['A', 'AAAA', 'MX', 'NS', 'TXT', 'CNAME', 'SOA'];
+    for (const rtype of recordTypes) {
+        const records = await dnsResolve(hostname, rtype);
+        if (records.length > 0) {
+            dnsResults[rtype] = records;
+        }
+    }
+    // Check for DNS zone transfer potential (AXFR is not directly testable without a DNS library,
+    // but we can check for multiple NS records which indicate distributed DNS)
+    const nsRecords = dnsResults['NS'] ?? [];
+    if (nsRecords.length === 1) {
+        findings.push(createFinding('LOW', 'DNS', 'Single nameserver detected', `Only one NS record found: ${nsRecords[0]}. This is a single point of failure.`, `NS records: ${nsRecords.join(', ')}`, 'Configure at least two nameservers for redundancy.'));
+    }
+    // Check for SPF, DMARC, DKIM in TXT records
+    const txtRecords = dnsResults['TXT'] ?? [];
+    const hasSPF = txtRecords.some(r => r.includes('v=spf1'));
+    const hasDMARC = await dnsResolve(`_dmarc.${hostname}`, 'TXT');
+    const hasDKIM = await dnsResolve(`default._domainkey.${hostname}`, 'TXT');
+    if (!hasSPF) {
+        findings.push(createFinding('LOW', 'DNS', 'Missing SPF record', 'No SPF (Sender Policy Framework) record found. This allows email spoofing.', `TXT records: ${txtRecords.join('; ') || 'none'}`, 'Add an SPF record: v=spf1 include:_spf.google.com ~all (adjust for your email provider).'));
+    }
+    if (hasDMARC.length === 0) {
+        findings.push(createFinding('LOW', 'DNS', 'Missing DMARC record', 'No DMARC record found at _dmarc.' + hostname + '. Email from this domain can be easily spoofed.', 'No _dmarc TXT record present.', 'Add a DMARC record: _dmarc.' + hostname + ' IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@' + hostname + '".'));
+    }
+    dnsResults['SPF'] = hasSPF;
+    dnsResults['DMARC'] = hasDMARC.length > 0 ? hasDMARC : false;
+    dnsResults['DKIM'] = hasDKIM.length > 0 ? hasDKIM : false;
+    // ── WHOIS-style info ──────────────────────────────────────────────────
+    const whoisInfo = await gatherWhoisInfo(hostname);
+    // ── HTTP Response Analysis ────────────────────────────────────────────
+    const mainResponse = await safeRequest(baseUrl, { timeout: 15_000 });
+    const headersMap = {};
+    let bodyContent = '';
+    let technologies = [];
+    if (mainResponse) {
+        for (const [key, val] of Object.entries(mainResponse.headers)) {
+            headersMap[key] = Array.isArray(val) ? val.join(', ') : String(val ?? '');
+        }
+        bodyContent = mainResponse.body;
+        technologies = fingerprintTechnologies(mainResponse.headers, bodyContent);
+        // Check for server version disclosure
+        const serverVal = headersMap['server'] ?? '';
+        if (/\d+\.\d+/.test(serverVal)) {
+            findings.push(createFinding('LOW', 'Information Disclosure', 'Server version disclosed in headers', `The Server header reveals version information: ${serverVal}`, `Server: ${serverVal}`, 'Configure the web server to hide version information. For Nginx: server_tokens off; For Apache: ServerTokens Prod.'));
+        }
+        const poweredBy = headersMap['x-powered-by'] ?? '';
+        if (poweredBy) {
+            findings.push(createFinding('LOW', 'Information Disclosure', 'X-Powered-By header reveals technology stack', `The X-Powered-By header discloses: ${poweredBy}`, `X-Powered-By: ${poweredBy}`, 'Remove the X-Powered-By header. For Express.js: app.disable("x-powered-by"). For PHP: expose_php = Off in php.ini.'));
+        }
+        // Check for redirect to HTTPS
+        if (parsed.protocol === 'https:') {
+            const httpResponse = await safeRequest(`http://${parsed.host}`, { timeout: 10_000 });
+            if (httpResponse) {
+                if (httpResponse.statusCode >= 300 && httpResponse.statusCode < 400) {
+                    const redirectLoc = String(httpResponse.headers['location'] ?? '');
+                    if (!redirectLoc.startsWith('https://')) {
+                        findings.push(createFinding('MEDIUM', 'Transport Security', 'HTTP does not redirect to HTTPS', 'The HTTP version of the site redirects, but not to an HTTPS URL.', `HTTP redirect location: ${redirectLoc}`, 'Configure HTTP to redirect to the HTTPS version with a 301 redirect.'));
+                    }
+                }
+                else if (httpResponse.statusCode === 200) {
+                    findings.push(createFinding('MEDIUM', 'Transport Security', 'HTTP version serves content without redirecting to HTTPS', 'The site is accessible over plain HTTP without redirecting to HTTPS. Credentials and data may be transmitted in clear text.', `HTTP ${httpResponse.statusCode} response received on http://${parsed.host}`, 'Add a redirect from HTTP to HTTPS. For Nginx: return 301 https://$host$request_uri;'));
+                }
+            }
+        }
+    }
+    // ── SSL/TLS Certificate Analysis ──────────────────────────────────────
+    let sslInfo = {};
+    if (parsed.protocol === 'https:') {
+        const cert = await getTlsCertificate(hostname, parsed.port ? parseInt(parsed.port) : 443);
+        if (cert) {
+            sslInfo = {
+                valid: cert.valid,
+                subject: cert.subject,
+                issuer: cert.issuer,
+                validFrom: cert.validFrom,
+                validTo: cert.validTo,
+                serialNumber: cert.serialNumber,
+                fingerprint256: cert.fingerprint256,
+                protocol: cert.protocol,
+                cipher: cert.cipher,
+                altNames: cert.altNames,
+                expired: cert.expired,
+                daysUntilExpiry: cert.daysUntilExpiry,
+                selfSigned: cert.selfSigned,
+            };
+            if (cert.expired) {
+                findings.push(createFinding('CRITICAL', 'SSL/TLS', 'SSL certificate is expired', `The SSL certificate expired on ${cert.validTo}. Browsers will show security warnings.`, `Valid to: ${cert.validTo}`, 'Renew the SSL certificate immediately. Consider using Let\'s Encrypt for automatic renewal.'));
+            }
+            else if (cert.daysUntilExpiry < 30) {
+                findings.push(createFinding('HIGH', 'SSL/TLS', 'SSL certificate expires within 30 days', `The SSL certificate expires in ${cert.daysUntilExpiry} days (${cert.validTo}).`, `Expires: ${cert.validTo} (${cert.daysUntilExpiry} days remaining)`, 'Renew the SSL certificate before it expires. Set up automated renewal with certbot or your certificate provider.'));
+            }
+            else if (cert.daysUntilExpiry < 90) {
+                findings.push(createFinding('MEDIUM', 'SSL/TLS', 'SSL certificate expires within 90 days', `The SSL certificate expires in ${cert.daysUntilExpiry} days (${cert.validTo}).`, `Expires: ${cert.validTo} (${cert.daysUntilExpiry} days remaining)`, 'Plan to renew the SSL certificate. Set up automated renewal if not already configured.'));
+            }
+            if (cert.selfSigned) {
+                findings.push(createFinding('HIGH', 'SSL/TLS', 'Self-signed SSL certificate', 'The SSL certificate is self-signed. Browsers will show security warnings and users cannot trust the certificate.', `Issuer: ${JSON.stringify(cert.issuer)}, Subject: ${JSON.stringify(cert.subject)}`, 'Obtain a certificate from a trusted Certificate Authority. Let\'s Encrypt provides free certificates.'));
+            }
+            // Check for weak protocol versions
+            const weakProtocols = ['SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'];
+            if (weakProtocols.includes(cert.protocol)) {
+                findings.push(createFinding('HIGH', 'SSL/TLS', `Weak TLS protocol version: ${cert.protocol}`, `The server negotiated ${cert.protocol}, which has known vulnerabilities.`, `Protocol: ${cert.protocol}`, 'Configure the server to only accept TLS 1.2 and TLS 1.3. Disable SSLv2, SSLv3, TLSv1, and TLSv1.1.'));
+            }
+            // Check for wildcard certificate over-usage
+            if (cert.altNames.some(n => n.startsWith('*.'))) {
+                findings.push(createFinding('INFO', 'SSL/TLS', 'Wildcard SSL certificate in use', 'A wildcard certificate is in use, which covers all subdomains. If the private key is compromised, all subdomains are affected.', `Alt names: ${cert.altNames.join(', ')}`, 'Consider using specific certificates for sensitive subdomains. Monitor for key compromise.'));
+            }
+        }
+        else {
+            findings.push(createFinding('HIGH', 'SSL/TLS', 'Unable to establish TLS connection', 'Could not connect via TLS to retrieve the certificate. The server may not support HTTPS, or the connection timed out.', `Target: ${hostname}:${parsed.port || 443}`, 'Ensure the server is configured to accept TLS connections. Check firewall rules and server configuration.'));
+        }
+    }
+    // ── robots.txt and sitemap.xml ────────────────────────────────────────
+    let robotsTxt = null;
+    let sitemapXml = null;
+    const robotsResp = await safeRequest(`${baseUrl}/robots.txt`, { timeout: 8_000 });
+    if (robotsResp && robotsResp.statusCode === 200 && robotsResp.body.length > 0) {
+        robotsTxt = robotsResp.body.slice(0, 10_000);
+        // Check for sensitive paths in robots.txt Disallow rules
+        const disallowLines = robotsTxt.split('\n')
+            .filter(line => /^Disallow:/i.test(line.trim()))
+            .map(line => line.replace(/^Disallow:\s*/i, '').trim());
+        const sensitiveDisallows = disallowLines.filter(path => /admin|login|dashboard|config|backup|secret|private|internal|api|\.env|\.git/i.test(path));
+        if (sensitiveDisallows.length > 0) {
+            findings.push(createFinding('INFO', 'Information Disclosure', 'robots.txt reveals sensitive paths', `The robots.txt file discloses potentially sensitive paths via Disallow rules.`, `Sensitive disallows:\n${sensitiveDisallows.map(p => `  - ${p}`).join('\n')}`, 'While robots.txt is meant for search engines, attackers use it for reconnaissance. Ensure disallowed paths are also properly secured with authentication.'));
+        }
+    }
+    const sitemapResp = await safeRequest(`${baseUrl}/sitemap.xml`, { timeout: 8_000 });
+    if (sitemapResp && sitemapResp.statusCode === 200 && sitemapResp.body.includes('<urlset')) {
+        sitemapXml = sitemapResp.body.slice(0, 20_000);
+    }
+    // ── Common Path Enumeration ───────────────────────────────────────────
+    const pathResults = [];
+    if (!passiveOnly) {
+        // Determine how many paths to check based on depth
+        let pathsToCheck;
+        switch (depth) {
+            case 'quick':
+                pathsToCheck = COMMON_PATHS.slice(0, 25);
+                break;
+            case 'standard':
+                pathsToCheck = COMMON_PATHS.slice(0, 70);
+                break;
+            case 'deep':
+                pathsToCheck = COMMON_PATHS;
+                break;
+        }
+        // Check paths in batches of 10 for speed
+        const batchSize = 10;
+        for (let i = 0; i < pathsToCheck.length; i += batchSize) {
+            const batch = pathsToCheck.slice(i, i + batchSize);
+            const results = await Promise.allSettled(batch.map(async (path) => {
+                const resp = await safeRequest(`${baseUrl}${path}`, { timeout: 5_000 });
+                if (resp && resp.statusCode !== 404 && resp.statusCode !== 0) {
+                    return { path, status: resp.statusCode, size: resp.body.length };
+                }
+                return null;
+            }));
+            for (const r of results) {
+                if (r.status === 'fulfilled' && r.value) {
+                    pathResults.push(r.value);
+                }
+            }
+        }
+        // Flag sensitive discovered paths
+        const sensitivePathPatterns = [
+            { pattern: /\.env/i, severity: 'CRITICAL', title: '.env file accessible' },
+            { pattern: /\.git\/config/i, severity: 'CRITICAL', title: '.git/config exposed' },
+            { pattern: /\.git\/HEAD/i, severity: 'CRITICAL', title: '.git/HEAD exposed (git repository)' },
+            { pattern: /\.git$/i, severity: 'HIGH', title: '.git directory accessible' },
+            { pattern: /\.htpasswd/i, severity: 'CRITICAL', title: '.htpasswd file exposed' },
+            { pattern: /\.htaccess/i, severity: 'HIGH', title: '.htaccess file exposed' },
+            { pattern: /phpmyadmin|adminer|pma/i, severity: 'HIGH', title: 'Database admin panel exposed' },
+            { pattern: /server-status|server-info/i, severity: 'MEDIUM', title: 'Apache status/info page exposed' },
+            { pattern: /phpinfo|info\.php/i, severity: 'HIGH', title: 'PHP info page exposed' },
+            { pattern: /actuator/i, severity: 'HIGH', title: 'Spring Boot Actuator endpoint exposed' },
+            { pattern: /swagger|openapi|api-docs/i, severity: 'MEDIUM', title: 'API documentation exposed' },
+            { pattern: /wp-admin|wp-login/i, severity: 'INFO', title: 'WordPress admin login found' },
+            { pattern: /console|shell|terminal/i, severity: 'CRITICAL', title: 'Web shell/console potentially exposed' },
+            { pattern: /backup|dump|\.sql|\.bak/i, severity: 'HIGH', title: 'Backup files potentially accessible' },
+            { pattern: /config\.json|config\.yml|config\.xml/i, severity: 'HIGH', title: 'Configuration file exposed' },
+            { pattern: /node_modules/i, severity: 'MEDIUM', title: 'node_modules directory exposed' },
+            { pattern: /vendor|composer\.json/i, severity: 'MEDIUM', title: 'Vendor/dependency directory exposed' },
+            { pattern: /package\.json/i, severity: 'LOW', title: 'package.json exposed' },
+            { pattern: /Dockerfile|docker-compose/i, severity: 'MEDIUM', title: 'Docker configuration file exposed' },
+            { pattern: /\.DS_Store/i, severity: 'LOW', title: '.DS_Store file exposed' },
+            { pattern: /Thumbs\.db/i, severity: 'LOW', title: 'Thumbs.db file exposed' },
+            { pattern: /elmah|trace\.axd/i, severity: 'HIGH', title: 'Error logging/tracing endpoint exposed' },
+            { pattern: /graphql/i, severity: 'INFO', title: 'GraphQL endpoint discovered' },
+            { pattern: /jenkins|hudson|jmx-console/i, severity: 'HIGH', title: 'CI/CD or management console exposed' },
+            { pattern: /telescope|horizon/i, severity: 'MEDIUM', title: 'Laravel debug panel exposed' },
+            { pattern: /debug|__debug__/i, severity: 'HIGH', title: 'Debug interface exposed' },
+            { pattern: /elasticsearch|_cat|_cluster/i, severity: 'CRITICAL', title: 'Elasticsearch endpoint exposed' },
+            { pattern: /xmlrpc\.php/i, severity: 'MEDIUM', title: 'WordPress XML-RPC endpoint accessible' },
+            { pattern: /\.svn/i, severity: 'HIGH', title: '.svn directory exposed' },
+            { pattern: /\.hg/i, severity: 'HIGH', title: '.hg directory exposed' },
+            { pattern: /crossdomain\.xml|clientaccesspolicy\.xml/i, severity: 'INFO', title: 'Cross-domain policy file found' },
+            { pattern: /ckeditor|tinymce|editor/i, severity: 'INFO', title: 'Rich text editor path discovered' },
+            { pattern: /metrics|prometheus|grafana/i, severity: 'MEDIUM', title: 'Monitoring endpoint exposed' },
+        ];
+        for (const result of pathResults) {
+            if (result.status >= 200 && result.status < 400) {
+                for (const sp of sensitivePathPatterns) {
+                    if (sp.pattern.test(result.path)) {
+                        findings.push(createFinding(sp.severity, 'Path Discovery', sp.title, `The path ${result.path} returned HTTP ${result.status} (${result.size ?? 0} bytes).`, `GET ${baseUrl}${result.path} → ${result.status}`, 'Restrict access to this path. Use authentication, IP allowlisting, or remove the resource if unnecessary.'));
+                        break;
+                    }
+                }
+            }
+            // Directory listing detection
+            if (result.status === 200 && result.size && result.size > 0) {
+                const dirResp = await safeRequest(`${baseUrl}${result.path}`, { timeout: 5_000 });
+                if (dirResp && /Index of|<title>.*listing/i.test(dirResp.body)) {
+                    findings.push(createFinding('MEDIUM', 'Path Discovery', `Directory listing enabled at ${result.path}`, 'Directory listing is enabled, allowing attackers to browse files.', `GET ${baseUrl}${result.path} → directory index page`, 'Disable directory listing. For Nginx: autoindex off; For Apache: Options -Indexes.'));
+                }
+            }
+        }
+    }
+    // ── Subdomain Enumeration ─────────────────────────────────────────────
+    const subdomainResults = [];
+    // Only enumerate subdomains for domain-like hostnames (not IPs)
+    const isIP = net.isIP(hostname);
+    if (!isIP) {
+        // Determine how many subdomains to check based on depth
+        let subdomainsToCheck;
+        switch (depth) {
+            case 'quick':
+                subdomainsToCheck = COMMON_SUBDOMAINS.slice(0, 15);
+                break;
+            case 'standard':
+                subdomainsToCheck = COMMON_SUBDOMAINS.slice(0, 50);
+                break;
+            case 'deep':
+                subdomainsToCheck = COMMON_SUBDOMAINS;
+                break;
+        }
+        // Get the base domain (registered domain, not the full hostname)
+        const baseDomain = hostname.split('.').slice(-2).join('.');
+        // Check subdomains in batches
+        const subBatchSize = 15;
+        for (let i = 0; i < subdomainsToCheck.length; i += subBatchSize) {
+            const batch = subdomainsToCheck.slice(i, i + subBatchSize);
+            const results = await Promise.allSettled(batch.map(async (sub) => {
+                const fqdn = `${sub}.${baseDomain}`;
+                // Skip if this is the same as the hostname
+                if (fqdn === hostname)
+                    return null;
+                const ips = await dnsResolve(fqdn, 'A');
+                if (ips.length > 0) {
+                    return { subdomain: fqdn, resolved: true, ip: ips[0] };
+                }
+                return { subdomain: fqdn, resolved: false };
+            }));
+            for (const r of results) {
+                if (r.status === 'fulfilled' && r.value) {
+                    subdomainResults.push(r.value);
+                }
+            }
+        }
+        const resolvedSubs = subdomainResults.filter(s => s.resolved);
+        if (resolvedSubs.length > 0) {
+            findings.push(createFinding('INFO', 'Subdomain Enumeration', `${resolvedSubs.length} subdomains resolved`, `Found ${resolvedSubs.length} active subdomains for ${baseDomain}.`, resolvedSubs.map(s => `  ${s.subdomain} → ${s.ip}`).join('\n'), 'Review all subdomains for unnecessary exposure. Decommission unused subdomains. Ensure each subdomain has appropriate security controls.'));
+        }
+    }
+    const reconData = {
+        dns: dnsResults,
+        whois: whoisInfo,
+        headers: headersMap,
+        technologies,
+        ssl: sslInfo,
+        paths: pathResults,
+        subdomains: subdomainResults,
+        robots_txt: robotsTxt,
+        sitemap_xml: sitemapXml,
+        timestamp: new Date().toISOString(),
+    };
+    return { recon: reconData, findings };
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Vulnerability Scanner Engine
+// ─────────────────────────────────────────────────────────────────────────────
+async function checkSecurityHeaders(target) {
+    const findings = [];
+    const parsed = parseTarget(target);
+    const baseUrl = `${parsed.protocol}//${parsed.host}`;
+    const resp = await safeRequest(baseUrl, { timeout: 10_000 });
+    if (!resp) {
+        findings.push(createFinding('INFO', 'Security Headers', 'Could not connect to target for header analysis', `Unable to connect to ${baseUrl} to analyze security headers.`, 'Connection failed or timed out.', 'Ensure the target is accessible and try again.'));
+        return findings;
+    }
+    const headers = resp.headers;
+    // Content-Security-Policy
+    const csp = headers['content-security-policy'];
+    if (!csp) {
+        findings.push(createFinding('MEDIUM', 'Security Headers', 'Missing Content-Security-Policy header', 'No Content-Security-Policy (CSP) header is set. This makes the site more vulnerable to XSS attacks.', 'Content-Security-Policy header not present in response.', 'Implement a Content-Security-Policy header. Start with: Content-Security-Policy: default-src \'self\'; script-src \'self\'; style-src \'self\' \'unsafe-inline\'.'));
+    }
+    else {
+        const cspStr = String(csp);
+        // Check for overly permissive CSP
+        if (cspStr.includes('unsafe-inline') && cspStr.includes('unsafe-eval')) {
+            findings.push(createFinding('MEDIUM', 'Security Headers', 'CSP allows unsafe-inline and unsafe-eval', 'The Content-Security-Policy allows both unsafe-inline and unsafe-eval, significantly reducing XSS protection.', `CSP: ${cspStr.slice(0, 200)}`, 'Remove unsafe-inline and unsafe-eval from the CSP. Use nonces or hashes for inline scripts.'));
+        }
+        else if (cspStr.includes('unsafe-inline')) {
+            findings.push(createFinding('LOW', 'Security Headers', 'CSP allows unsafe-inline', 'The Content-Security-Policy allows unsafe-inline, reducing XSS protection for inline scripts/styles.', `CSP: ${cspStr.slice(0, 200)}`, 'Consider using nonces or hashes instead of unsafe-inline for better XSS protection.'));
+        }
+        if (cspStr.includes('*') && /default-src[^;]*\*|script-src[^;]*\*/.test(cspStr)) {
+            findings.push(createFinding('HIGH', 'Security Headers', 'CSP uses wildcard source', 'The Content-Security-Policy uses a wildcard (*) in default-src or script-src, making it ineffective.', `CSP: ${cspStr.slice(0, 200)}`, 'Replace wildcard sources with specific domains. A wildcard CSP provides almost no protection.'));
+        }
+    }
+    // Strict-Transport-Security
+    const hsts = headers['strict-transport-security'];
+    if (!hsts && parsed.protocol === 'https:') {
+        findings.push(createFinding('MEDIUM', 'Security Headers', 'Missing Strict-Transport-Security (HSTS) header', 'No HSTS header is set. The site is vulnerable to SSL stripping attacks on first visit.', 'Strict-Transport-Security header not present in response.', 'Add: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload'));
+    }
+    else if (hsts) {
+        const hstsStr = String(hsts);
+        const maxAgeMatch = hstsStr.match(/max-age=(\d+)/);
+        if (maxAgeMatch) {
+            const maxAge = parseInt(maxAgeMatch[1], 10);
+            if (maxAge < 15_768_000) { // Less than 6 months
+                findings.push(createFinding('LOW', 'Security Headers', 'HSTS max-age is less than 6 months', `HSTS max-age is ${maxAge} seconds (${Math.floor(maxAge / 86400)} days). Recommended minimum is 6 months.`, `Strict-Transport-Security: ${hstsStr}`, 'Increase max-age to at least 31536000 (1 year). Add includeSubDomains and preload directives.'));
+            }
+        }
+        if (!hstsStr.includes('includeSubDomains')) {
+            findings.push(createFinding('LOW', 'Security Headers', 'HSTS does not include subdomains', 'HSTS is set but does not include the includeSubDomains directive. Subdomains are not protected.', `Strict-Transport-Security: ${hstsStr}`, 'Add includeSubDomains directive: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload'));
+        }
+    }
+    // X-Frame-Options
+    const xfo = headers['x-frame-options'];
+    if (!xfo) {
+        // Check if CSP has frame-ancestors
+        const cspVal = String(csp ?? '');
+        if (!cspVal.includes('frame-ancestors')) {
+            findings.push(createFinding('MEDIUM', 'Security Headers', 'Missing X-Frame-Options / CSP frame-ancestors', 'Neither X-Frame-Options nor CSP frame-ancestors is set. The site may be vulnerable to clickjacking.', 'No X-Frame-Options header and no frame-ancestors in CSP.', 'Add: X-Frame-Options: DENY or Content-Security-Policy: frame-ancestors \'none\''));
+        }
+    }
+    // X-Content-Type-Options
+    const xcto = headers['x-content-type-options'];
+    if (!xcto) {
+        findings.push(createFinding('LOW', 'Security Headers', 'Missing X-Content-Type-Options header', 'No X-Content-Type-Options header. Browsers may MIME-sniff responses, leading to XSS via content type confusion.', 'X-Content-Type-Options header not present.', 'Add: X-Content-Type-Options: nosniff'));
+    }
+    // Referrer-Policy
+    const refPol = headers['referrer-policy'];
+    if (!refPol) {
+        findings.push(createFinding('LOW', 'Security Headers', 'Missing Referrer-Policy header', 'No Referrer-Policy header. The browser may send full URLs in the Referer header, leaking sensitive paths and parameters.', 'Referrer-Policy header not present.', 'Add: Referrer-Policy: strict-origin-when-cross-origin (or no-referrer for maximum privacy).'));
+    }
+    // Permissions-Policy
+    const permPol = headers['permissions-policy'];
+    if (!permPol) {
+        findings.push(createFinding('LOW', 'Security Headers', 'Missing Permissions-Policy header', 'No Permissions-Policy header. Browser features like camera, microphone, and geolocation are not explicitly restricted.', 'Permissions-Policy header not present.', 'Add: Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()'));
+    }
+    // Cross-Origin headers
+    const coop = headers['cross-origin-opener-policy'];
+    const coep = headers['cross-origin-embedder-policy'];
+    const corp = headers['cross-origin-resource-policy'];
+    if (!coop && !coep && !corp) {
+        findings.push(createFinding('INFO', 'Security Headers', 'No cross-origin isolation headers', 'None of COOP, COEP, or CORP headers are set. The site is not cross-origin isolated.', 'No Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, or Cross-Origin-Resource-Policy headers found.', 'Consider adding cross-origin isolation headers for enhanced security. Start with: Cross-Origin-Opener-Policy: same-origin.'));
+    }
+    // X-XSS-Protection (legacy but still useful)
+    const xss = headers['x-xss-protection'];
+    if (xss && String(xss).includes('0')) {
+        findings.push(createFinding('LOW', 'Security Headers', 'X-XSS-Protection explicitly disabled', 'The X-XSS-Protection header is set to 0, disabling the browser\'s built-in XSS filter. While this header is largely obsolete (superseded by CSP), explicitly disabling it with no CSP in place reduces protection.', `X-XSS-Protection: ${String(xss)}`, 'If no CSP is in place, set X-XSS-Protection: 1; mode=block. Prefer implementing a proper CSP instead.'));
+    }
+    return findings;
+}
+async function checkSSL(target) {
+    const findings = [];
+    const parsed = parseTarget(target);
+    const hostname = parsed.hostname;
+    const port = parsed.port ? parseInt(parsed.port) : 443;
+    if (parsed.protocol !== 'https:') {
+        findings.push(createFinding('HIGH', 'SSL/TLS', 'Target is not using HTTPS', 'The target URL uses plain HTTP. All data is transmitted unencrypted.', `Protocol: ${parsed.protocol}`, 'Configure HTTPS with a valid TLS certificate. Use Let\'s Encrypt for free certificates.'));
+        return findings;
+    }
+    const cert = await getTlsCertificate(hostname, port);
+    if (!cert) {
+        findings.push(createFinding('HIGH', 'SSL/TLS', 'Cannot establish TLS connection', `Failed to connect via TLS to ${hostname}:${port}.`, `TLS connection to ${hostname}:${port} failed`, 'Check that the server supports TLS and the port is correct.'));
+        return findings;
+    }
+    // Certificate expiry (already checked in recon, but standalone vuln scan needs it too)
+    if (cert.expired) {
+        findings.push(createFinding('CRITICAL', 'SSL/TLS', 'SSL certificate expired', `Certificate expired on ${cert.validTo}.`, `Valid to: ${cert.validTo}`, 'Renew the certificate immediately.'));
+    }
+    else if (cert.daysUntilExpiry < 14) {
+        findings.push(createFinding('HIGH', 'SSL/TLS', 'SSL certificate expires within 14 days', `Certificate expires in ${cert.daysUntilExpiry} days.`, `Expires: ${cert.validTo}`, 'Renew the certificate immediately.'));
+    }
+    if (cert.selfSigned) {
+        findings.push(createFinding('HIGH', 'SSL/TLS', 'Self-signed certificate', 'The certificate is self-signed and will not be trusted by browsers.', `Issuer matches subject: ${JSON.stringify(cert.issuer)}`, 'Obtain a certificate from a trusted CA.'));
+    }
+    // Protocol version check
+    const weakProtocols = ['SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'];
+    if (weakProtocols.includes(cert.protocol)) {
+        findings.push(createFinding('HIGH', 'SSL/TLS', `Weak protocol: ${cert.protocol}`, `Server negotiated ${cert.protocol} which is deprecated and has known vulnerabilities.`, `Negotiated protocol: ${cert.protocol}`, 'Configure the server to only support TLS 1.2 and TLS 1.3.'));
+    }
+    // Check common weak cipher suites (by name pattern)
+    const weakCipherPatterns = [
+        { pattern: /RC4/i, name: 'RC4', severity: 'HIGH' },
+        { pattern: /DES(?!3)/i, name: 'DES', severity: 'HIGH' },
+        { pattern: /3DES|DES-CBC3/i, name: '3DES', severity: 'MEDIUM' },
+        { pattern: /NULL/i, name: 'NULL cipher', severity: 'CRITICAL' },
+        { pattern: /EXPORT/i, name: 'Export-grade', severity: 'CRITICAL' },
+        { pattern: /MD5/i, name: 'MD5-based', severity: 'MEDIUM' },
+        { pattern: /anon/i, name: 'Anonymous', severity: 'CRITICAL' },
+    ];
+    for (const wc of weakCipherPatterns) {
+        if (wc.pattern.test(cert.cipher)) {
+            findings.push(createFinding(wc.severity, 'SSL/TLS', `Weak cipher suite: ${wc.name} (${cert.cipher})`, `The server negotiated a ${wc.name} cipher suite which is considered weak.`, `Cipher: ${cert.cipher}`, 'Configure the server to use strong cipher suites only: ECDHE+AESGCM:ECDHE+CHACHA20POLY1305.'));
+        }
+    }
+    // Check certificate key size via the cipher info
+    if (cert.cipher && /RSA/i.test(cert.cipher)) {
+        // Note: We can't directly get key size from tls module cipher info,
+        // but we can flag if RSA is used (recommend ECDHE)
+        findings.push(createFinding('INFO', 'SSL/TLS', 'RSA key exchange in use', 'The negotiated cipher uses RSA key exchange instead of ECDHE. RSA key exchange does not provide forward secrecy.', `Cipher: ${cert.cipher}`, 'Prefer ECDHE key exchange for forward secrecy. Configure cipher order: ECDHE+AESGCM before RSA.'));
+    }
+    // Check if the cert covers the hostname
+    const hostMatches = cert.altNames.some(name => {
+        if (name.startsWith('*.')) {
+            const wildcardBase = name.slice(2);
+            return hostname.endsWith(wildcardBase) && hostname.split('.').length === name.split('.').length;
+        }
+        return name === hostname;
+    });
+    if (!hostMatches && cert.altNames.length > 0) {
+        findings.push(createFinding('HIGH', 'SSL/TLS', 'Certificate hostname mismatch', `The certificate does not cover ${hostname}. Browsers will show warnings.`, `Certificate covers: ${cert.altNames.join(', ')}\nRequested hostname: ${hostname}`, 'Obtain a certificate that includes the correct hostname in the Subject Alternative Names.'));
+    }
+    return findings;
+}
+async function checkInjection(target) {
+    const findings = [];
+    const parsed = parseTarget(target);
+    const baseUrl = `${parsed.protocol}//${parsed.host}`;
+    // Test for reflected input in error pages (potential XSS)
+    const xssPayloads = [
+        { path: '/<script>alert(1)</script>', name: 'script tag in URL path' },
+        { path: '/?q=<img+src=x+onerror=alert(1)>', name: 'img tag in query parameter' },
+        { path: '/?search=%22onmouseover%3Dalert(1)%22', name: 'event handler in query parameter' },
+        { path: '/?id=1%27+OR+1%3D1--', name: 'SQL injection in query parameter' },
+        { path: '/?file=../../../etc/passwd', name: 'path traversal in query parameter' },
+        { path: '/?url=http://evil.com', name: 'open redirect in query parameter' },
+        { path: '/?redirect=http://evil.com', name: 'open redirect via redirect param' },
+        { path: '/?next=http://evil.com', name: 'open redirect via next param' },
+        { path: '/?return=http://evil.com', name: 'open redirect via return param' },
+        { path: '/?callback=http://evil.com', name: 'open redirect via callback param' },
+    ];
+    for (const payload of xssPayloads) {
+        const resp = await safeRequest(`${baseUrl}${payload.path}`, { timeout: 5_000 });
+        if (!resp)
+            continue;
+        // Check for reflected XSS (the payload appears in the response body unescaped)
+        if (payload.name.includes('script') && resp.body.includes('<script>alert(1)</script>')) {
+            findings.push(createFinding('HIGH', 'Injection', 'Potential reflected XSS', `The server reflects the script tag back in the response body without encoding: ${payload.name}`, `URL: ${baseUrl}${payload.path}\nResponse contains unescaped script tag.`, 'Implement input validation and output encoding. Use a Content-Security-Policy to prevent inline script execution.'));
+        }
+        if (payload.name.includes('img') && resp.body.includes('onerror=alert(1)')) {
+            findings.push(createFinding('HIGH', 'Injection', 'Potential reflected XSS via event handler', `The server reflects an event handler in the response body: ${payload.name}`, `URL: ${baseUrl}${payload.path}\nResponse contains onerror=alert(1).`, 'Implement strict output encoding for all user-controlled content in HTML responses.'));
+        }
+        // Check for SQL error disclosure
+        if (payload.name.includes('SQL')) {
+            const sqlErrors = [
+                /SQL syntax/i, /mysql_/i, /pg_query/i, /ORA-\d{5}/i,
+                /Microsoft OLE DB/i, /ODBC SQL Server/i, /unclosed quotation/i,
+                /quoted string not properly terminated/i, /SQLite3::/i,
+                /Warning.*mysql/i, /valid MySQL result/i,
+                /PostgreSQL.*ERROR/i, /ERROR.*syntax error at/i,
+                /com\.mysql/i, /java\.sql\.SQLException/i,
+                /DB2 SQL error/i, /SQLSTATE/i,
+            ];
+            for (const pattern of sqlErrors) {
+                if (pattern.test(resp.body)) {
+                    findings.push(createFinding('HIGH', 'Injection', 'SQL error message disclosed', 'The server returns SQL error messages that reveal database type and query structure.', `URL: ${baseUrl}${payload.path}\nMatched pattern: ${pattern.source}`, 'Never expose database error messages to users. Use generic error pages and log detailed errors server-side.'));
+                    break;
+                }
+            }
+        }
+        // Check for path traversal success
+        if (payload.name.includes('path traversal')) {
+            if (/root:|\/bin\/bash|\/bin\/sh|nobody:|daemon:/i.test(resp.body)) {
+                findings.push(createFinding('CRITICAL', 'Injection', 'Path traversal vulnerability (LFI)', 'The server appears to be vulnerable to local file inclusion. /etc/passwd content was returned.', `URL: ${baseUrl}${payload.path}\nResponse contains system file content.`, 'Never use user input directly in file paths. Use allowlists for permitted files and sanitize all path components.'));
+            }
+        }
+        // Check for open redirect
+        if (payload.name.includes('redirect')) {
+            if (resp.statusCode >= 300 && resp.statusCode < 400) {
+                const location = String(resp.headers['location'] ?? '');
+                if (location.includes('evil.com')) {
+                    findings.push(createFinding('MEDIUM', 'Injection', `Open redirect via ${payload.name.split('via ')[1] ?? 'parameter'}`, 'The server redirects to an arbitrary external URL based on user input. This can be used for phishing attacks.', `URL: ${baseUrl}${payload.path}\nRedirects to: ${location}`, 'Validate redirect URLs against an allowlist of permitted domains. Never redirect to user-controlled URLs.'));
+                }
+            }
+        }
+    }
+    // Check for error page information disclosure
+    const errorPaths = [
+        '/this-page-should-not-exist-404',
+        '/api/this-endpoint-should-not-exist',
+        '/%00',
+        '/..%00',
+    ];
+    for (const errorPath of errorPaths) {
+        const resp = await safeRequest(`${baseUrl}${errorPath}`, { timeout: 5_000 });
+        if (!resp)
+            continue;
+        // Check for stack trace disclosure
+        const stackTracePatterns = [
+            /at\s+\S+\s+\([^)]+:\d+:\d+\)/, // JS stack trace
+            /File ".*?", line \d+/, // Python traceback
+            /\.java:\d+\)/, // Java stack trace
+            /#\d+\s+\S+\s+\S+\.php/, // PHP stack trace
+            /in\s+\S+\.rb:\d+/, // Ruby stack trace
+            /^\s+at\s+\S+\.\S+\(/m, // .NET stack trace
+            /Traceback \(most recent call last\)/, // Python traceback header
+            /goroutine \d+ \[/, // Go panic
+            /Exception in thread/, // Java exception
+            /System\.(?:NullReferenceException|ArgumentException|InvalidOperationException)/, // .NET
+        ];
+        for (const pattern of stackTracePatterns) {
+            if (pattern.test(resp.body)) {
+                findings.push(createFinding('MEDIUM', 'Information Disclosure', 'Stack trace disclosed in error response', 'Error responses contain stack traces revealing internal code structure, file paths, and potentially sensitive information.', `URL: ${baseUrl}${errorPath}\nMatched: ${pattern.source}`, 'Configure the application to show generic error pages in production. Log detailed errors server-side only.'));
+                break;
+            }
+        }
+        // Check for debug mode indicators
+        const debugPatterns = [
+            /DEBUG\s*=\s*True/i,
+            /DJANGO_SETTINGS_MODULE/i,
+            /X-Debug-Token/i,
+            /Whoops!/i, // Laravel debug page
+            /Laravel.*Exception/i,
+            /DebugBar/i,
+            /symfony.*profiler/i,
+        ];
+        for (const pattern of debugPatterns) {
+            if (pattern.test(resp.body)) {
+                findings.push(createFinding('HIGH', 'Configuration', 'Debug mode appears to be enabled in production', 'The error response indicates the application is running in debug mode, exposing sensitive internal details.', `URL: ${baseUrl}${errorPath}\nMatched: ${pattern.source}`, 'Disable debug mode in production. Set DEBUG=False (Django), APP_DEBUG=false (Laravel), NODE_ENV=production (Node.js).'));
+                break;
+            }
+        }
+    }
+    return findings;
+}
+async function checkAuth(target) {
+    const findings = [];
+    const parsed = parseTarget(target);
+    const baseUrl = `${parsed.protocol}//${parsed.host}`;
+    // Check for default credentials on common admin paths
+    const defaultCredPaths = [
+        { path: '/admin', title: 'Admin panel' },
+        { path: '/administrator', title: 'Administrator panel' },
+        { path: '/login', title: 'Login page' },
+        { path: '/wp-login.php', title: 'WordPress login' },
+        { path: '/phpmyadmin', title: 'phpMyAdmin' },
+        { path: '/adminer', title: 'Adminer' },
+        { path: '/manager/html', title: 'Tomcat Manager' },
+        { path: '/jenkins', title: 'Jenkins' },
+    ];
+    for (const cred of defaultCredPaths) {
+        const resp = await safeRequest(`${baseUrl}${cred.path}`, { timeout: 5_000 });
+        if (!resp)
+            continue;
+        // Check if login page is accessible without authentication
+        if (resp.statusCode === 200) {
+            const hasLoginForm = /<form[^>]*>[\s\S]*?(?:password|login|signin)/i.test(resp.body);
+            const hasBasicAuth = resp.statusCode === 401;
+            if (hasLoginForm) {
+                findings.push(createFinding('INFO', 'Authentication', `${cred.title} login page found at ${cred.path}`, `A login form is accessible at ${cred.path}. This is informational — verify brute-force protections are in place.`, `GET ${baseUrl}${cred.path} → 200 with login form`, 'Ensure rate limiting, account lockout, and CAPTCHA are configured on login forms. Use strong password policies.'));
+            }
+            // Check for no authentication required (direct access to admin)
+            if (/dashboard|admin.*panel|control.*panel|management/i.test(resp.body) && !hasLoginForm) {
+                findings.push(createFinding('CRITICAL', 'Authentication', `${cred.title} accessible without authentication`, `The admin interface at ${cred.path} appears accessible without requiring login credentials.`, `GET ${baseUrl}${cred.path} → 200 with admin content, no login form present.`, 'Implement authentication for all administrative interfaces. Use strong passwords and multi-factor authentication.'));
+            }
+        }
+    }
+    // Check for cookie security
+    const mainResp = await safeRequest(baseUrl, { timeout: 10_000 });
+    if (mainResp) {
+        const setCookieHeaders = mainResp.headers['set-cookie'];
+        const cookieValues = Array.isArray(setCookieHeaders)
+            ? setCookieHeaders
+            : setCookieHeaders
+                ? [String(setCookieHeaders)]
+                : [];
+        for (const cookieStr of cookieValues) {
+            const cookie = parseCookieAttributes(cookieStr);
+            const isSessionCookie = /sess|token|auth|jwt|sid|login|user/i.test(cookie.name);
+            if (isSessionCookie) {
+                if (!cookie.httpOnly) {
+                    findings.push(createFinding('MEDIUM', 'Authentication', `Session cookie "${cookie.name}" missing HttpOnly flag`, 'The session cookie is accessible via JavaScript (document.cookie), making it vulnerable to XSS-based session theft.', `Set-Cookie: ${cookieStr.slice(0, 150)}...`, 'Add the HttpOnly flag to all session cookies to prevent JavaScript access.'));
+                }
+                if (!cookie.secure && parsed.protocol === 'https:') {
+                    findings.push(createFinding('MEDIUM', 'Authentication', `Session cookie "${cookie.name}" missing Secure flag`, 'The session cookie can be sent over unencrypted HTTP connections, enabling session hijacking via MITM.', `Set-Cookie: ${cookieStr.slice(0, 150)}...`, 'Add the Secure flag to all session cookies when using HTTPS.'));
+                }
+                if (!cookie.sameSite || cookie.sameSite.toLowerCase() === 'none') {
+                    findings.push(createFinding('LOW', 'Authentication', `Session cookie "${cookie.name}" has weak SameSite policy`, `The session cookie has SameSite=${cookie.sameSite || 'not set'}, which may allow CSRF attacks.`, `Set-Cookie: ${cookieStr.slice(0, 150)}...`, 'Set SameSite=Lax or SameSite=Strict on session cookies for CSRF protection.'));
+                }
+            }
+        }
+    }
+    // Check for CORS misconfiguration
+    const corsResp = await safeRequest(baseUrl, {
+        timeout: 5_000,
+        headers: { 'Origin': 'https://evil-attacker.com' },
+    });
+    if (corsResp) {
+        const acao = String(corsResp.headers['access-control-allow-origin'] ?? '');
+        const acac = String(corsResp.headers['access-control-allow-credentials'] ?? '');
+        if (acao === '*') {
+            if (acac.toLowerCase() === 'true') {
+                findings.push(createFinding('CRITICAL', 'Authentication', 'CORS allows all origins with credentials', 'Access-Control-Allow-Origin is set to * with Access-Control-Allow-Credentials: true. Any website can make authenticated requests.', `Access-Control-Allow-Origin: *\nAccess-Control-Allow-Credentials: true`, 'Never use * with credentials. Implement an allowlist of trusted origins.'));
+            }
+            else {
+                findings.push(createFinding('MEDIUM', 'Authentication', 'CORS allows all origins', 'Access-Control-Allow-Origin is set to *, allowing any website to read responses. Evaluate if this is intended.', `Access-Control-Allow-Origin: *`, 'Restrict CORS to specific trusted origins unless the API is truly public.'));
+            }
+        }
+        else if (acao === 'https://evil-attacker.com') {
+            findings.push(createFinding('CRITICAL', 'Authentication', 'CORS reflects arbitrary origin', 'The server reflects the Origin header value in Access-Control-Allow-Origin, allowing any website to read responses.', `Origin: https://evil-attacker.com\nAccess-Control-Allow-Origin: ${acao}`, 'Do not reflect the Origin header. Implement a strict allowlist of permitted origins.'));
+        }
+    }
+    return findings;
+}
+async function checkConfig(target) {
+    const findings = [];
+    const parsed = parseTarget(target);
+    const baseUrl = `${parsed.protocol}//${parsed.host}`;
+    // Check for rate limiting
+    const rateLimitResults = [];
+    for (let i = 0; i < 5; i++) {
+        const resp = await safeRequest(baseUrl, { timeout: 5_000 });
+        if (resp) {
+            rateLimitResults.push(resp.statusCode);
+        }
+    }
+    const has429 = rateLimitResults.includes(429);
+    const mainResp = await safeRequest(baseUrl, { timeout: 5_000 });
+    const hasRateLimitHeaders = mainResp && (mainResp.headers['x-ratelimit-limit'] ||
+        mainResp.headers['x-rate-limit-limit'] ||
+        mainResp.headers['ratelimit-limit'] ||
+        mainResp.headers['retry-after']);
+    if (!has429 && !hasRateLimitHeaders) {
+        findings.push(createFinding('LOW', 'Configuration', 'No rate limiting detected', 'No rate limiting headers or 429 responses were observed after multiple rapid requests. The application may be vulnerable to brute-force attacks.', `5 rapid requests all returned: ${rateLimitResults.join(', ')}\nNo rate limit headers detected.`, 'Implement rate limiting on all endpoints, especially authentication endpoints. Use headers like X-RateLimit-Limit and X-RateLimit-Remaining.'));
+    }
+    // Check HTTP methods
+    const optionsResp = await safeRequest(baseUrl, { method: 'OPTIONS', timeout: 5_000 });
+    const allowedMethods = [];
+    if (optionsResp) {
+        const allow = String(optionsResp.headers['allow'] ?? '');
+        if (allow) {
+            allowedMethods.push(...allow.split(',').map(m => m.trim()));
+        }
+        const corsAllow = String(optionsResp.headers['access-control-allow-methods'] ?? '');
+        if (corsAllow) {
+            allowedMethods.push(...corsAllow.split(',').map(m => m.trim()));
+        }
+    }
+    // Test individual methods
+    const dangerousMethods = ['TRACE', 'PUT', 'DELETE'];
+    for (const method of dangerousMethods) {
+        const resp = await safeRequest(baseUrl, { method, timeout: 5_000 });
+        if (resp && resp.statusCode !== 405 && resp.statusCode !== 501 && resp.statusCode !== 404) {
+            if (method === 'TRACE' && resp.statusCode === 200) {
+                findings.push(createFinding('MEDIUM', 'Configuration', 'TRACE method enabled', 'The TRACE HTTP method is enabled. This can be exploited for Cross-Site Tracing (XST) attacks to steal credentials.', `TRACE ${baseUrl} → ${resp.statusCode}`, 'Disable the TRACE method on the web server. For Nginx: if ($request_method = TRACE) { return 405; }'));
+            }
+            else if (method === 'PUT') {
+                findings.push(createFinding('MEDIUM', 'Configuration', 'PUT method may be enabled', `The PUT method returned ${resp.statusCode} instead of 405. This could allow file upload or modification.`, `PUT ${baseUrl} → ${resp.statusCode}`, 'Disable PUT method if not needed. Ensure proper authorization checks on PUT endpoints.'));
+            }
+            else if (method === 'DELETE') {
+                findings.push(createFinding('MEDIUM', 'Configuration', 'DELETE method may be enabled', `The DELETE method returned ${resp.statusCode} instead of 405. This could allow resource deletion.`, `DELETE ${baseUrl} → ${resp.statusCode}`, 'Disable DELETE method if not needed. Ensure proper authorization checks on DELETE endpoints.'));
+            }
+        }
+    }
+    // Check for directory listing on common directories
+    const dirPaths = ['/images/', '/img/', '/uploads/', '/files/', '/css/', '/js/', '/assets/', '/static/', '/media/'];
+    for (const dirPath of dirPaths) {
+        const resp = await safeRequest(`${baseUrl}${dirPath}`, { timeout: 5_000 });
+        if (resp && resp.statusCode === 200) {
+            if (/Index of|<title>.*listing|Parent Directory|\[DIR\]|<pre>.*<a href/i.test(resp.body)) {
+                findings.push(createFinding('MEDIUM', 'Configuration', `Directory listing enabled at ${dirPath}`, 'Directory listing allows attackers to browse and enumerate all files in the directory.', `GET ${baseUrl}${dirPath} → 200 with directory listing content.`, 'Disable directory listing. Nginx: autoindex off; Apache: Options -Indexes.'));
+            }
+        }
+    }
+    // Check for information in HTTP response
+    if (mainResp) {
+        // Check for ASP.NET version header
+        const aspnetVersion = mainResp.headers['x-aspnet-version'] || mainResp.headers['x-aspnetmvc-version'];
+        if (aspnetVersion) {
+            findings.push(createFinding('LOW', 'Configuration', 'ASP.NET version disclosed', `The X-AspNet-Version or X-AspNetMvc-Version header reveals the framework version: ${aspnetVersion}`, `Header value: ${aspnetVersion}`, 'Remove version headers. In web.config: <httpRuntime enableVersionHeader="false" />'));
+        }
+        // Check for X-Debug-Token (Symfony)
+        if (mainResp.headers['x-debug-token']) {
+            findings.push(createFinding('HIGH', 'Configuration', 'Debug token header present (Symfony Profiler)', 'The X-Debug-Token header is present, indicating the Symfony Profiler is enabled in production.', `X-Debug-Token: ${mainResp.headers['x-debug-token']}`, 'Disable the Symfony Profiler in production by removing the web_profiler configuration.'));
+        }
+        // Check for ETag-based information leakage (Apache inode disclosure)
+        const etag = String(mainResp.headers['etag'] ?? '');
+        if (etag && /^"[0-9a-f]+-[0-9a-f]+-[0-9a-f]+"$/i.test(etag)) {
+            findings.push(createFinding('LOW', 'Configuration', 'ETag reveals server inode information', 'The ETag header contains inode, size, and mtime information (Apache default), which can aid fingerprinting.', `ETag: ${etag}`, 'Configure Apache to not include inodes: FileETag MTime Size'));
+        }
+    }
+    // Check for common security.txt
+    const secTxtResp = await safeRequest(`${baseUrl}/.well-known/security.txt`, { timeout: 5_000 });
+    if (!secTxtResp || secTxtResp.statusCode !== 200) {
+        findings.push(createFinding('INFO', 'Configuration', 'No security.txt file found', 'No /.well-known/security.txt file was found. This file helps security researchers report vulnerabilities responsibly.', `GET ${baseUrl}/.well-known/security.txt → ${secTxtResp?.statusCode ?? 'connection failed'}`, 'Create a security.txt file at /.well-known/security.txt with contact information for security reports. See https://securitytxt.org/'));
+    }
+    // Check for X-Robots-Tag
+    if (mainResp && !mainResp.headers['x-robots-tag']) {
+        // This is just informational
+        findings.push(createFinding('INFO', 'Configuration', 'No X-Robots-Tag header', 'The X-Robots-Tag header is not set. Consider using it to control indexing of sensitive pages.', 'X-Robots-Tag header not present.', 'Use X-Robots-Tag: noindex for pages that should not be indexed by search engines.'));
+    }
+    return findings;
+}
+async function performVulnScan(target, checks) {
+    const allFindings = [];
+    const checksRun = [];
+    const runAll = checks === 'all';
+    if (runAll || checks === 'headers') {
+        checksRun.push('headers');
+        const headerFindings = await checkSecurityHeaders(target);
+        allFindings.push(...headerFindings);
+    }
+    if (runAll || checks === 'ssl') {
+        checksRun.push('ssl');
+        const sslFindings = await checkSSL(target);
+        allFindings.push(...sslFindings);
+    }
+    if (runAll || checks === 'injection') {
+        checksRun.push('injection');
+        const injectionFindings = await checkInjection(target);
+        allFindings.push(...injectionFindings);
+    }
+    if (runAll || checks === 'auth') {
+        checksRun.push('auth');
+        const authFindings = await checkAuth(target);
+        allFindings.push(...authFindings);
+    }
+    if (runAll || checks === 'config') {
+        checksRun.push('config');
+        const configFindings = await checkConfig(target);
+        allFindings.push(...configFindings);
+    }
+    // Sort by severity
+    allFindings.sort((a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]);
+    return {
+        findings: allFindings,
+        checks_run: checksRun,
+        timestamp: new Date().toISOString(),
+    };
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Report Generator
+// ─────────────────────────────────────────────────────────────────────────────
+function generateMarkdownReport(session, findings, recon) {
+    const counts = countBySeverity(findings);
+    const now = new Date().toISOString();
+    let report = `# Penetration Test Report\n\n`;
+    report += `**Target:** ${session.target}\n`;
+    report += `**Scope:** ${session.scope}\n`;
+    report += `**Mode:** ${session.passive_only ? 'Passive only' : 'Active + Passive'}\n`;
+    report += `**Started:** ${session.started_at}\n`;
+    report += `**Generated:** ${now}\n\n`;
+    // Executive Summary
+    report += `## Executive Summary\n\n`;
+    const totalFindings = findings.length;
+    const criticalAndHigh = counts.CRITICAL + counts.HIGH;
+    if (criticalAndHigh === 0 && totalFindings === 0) {
+        report += `No security findings were identified during this assessment. The target appears to have a strong security posture based on the checks performed.\n\n`;
+    }
+    else if (criticalAndHigh === 0) {
+        report += `${totalFindings} finding(s) were identified, none of which are critical or high severity. The target has a reasonable security posture with room for improvement in lower-priority areas.\n\n`;
+    }
+    else if (counts.CRITICAL > 0) {
+        report += `**${counts.CRITICAL} critical** and **${counts.HIGH} high** severity finding(s) require immediate attention. A total of ${totalFindings} finding(s) were identified. The target has significant security weaknesses that should be addressed urgently.\n\n`;
+    }
+    else {
+        report += `**${counts.HIGH} high** severity finding(s) should be addressed promptly. A total of ${totalFindings} finding(s) were identified across all severity levels.\n\n`;
+    }
+    // Risk Matrix
+    report += `## Risk Matrix\n\n`;
+    report += `| Severity | Count |\n`;
+    report += `|----------|-------|\n`;
+    report += `| ${severityBadge('CRITICAL')} | ${counts.CRITICAL} |\n`;
+    report += `| ${severityBadge('HIGH')} | ${counts.HIGH} |\n`;
+    report += `| ${severityBadge('MEDIUM')} | ${counts.MEDIUM} |\n`;
+    report += `| ${severityBadge('LOW')} | ${counts.LOW} |\n`;
+    report += `| ${severityBadge('INFO')} | ${counts.INFO} |\n\n`;
+    // Scope and Methodology
+    report += `## Scope & Methodology\n\n`;
+    report += `### Scope\n`;
+    report += `- **Target:** ${session.target}\n`;
+    report += `- **Type:** ${session.scope}\n`;
+    report += `- **Passive only:** ${session.passive_only ? 'Yes' : 'No'}\n\n`;
+    report += `### Methodology\n`;
+    report += `The assessment was conducted using automated tools performing:\n`;
+    report += `- DNS enumeration and analysis\n`;
+    report += `- HTTP response header analysis\n`;
+    report += `- SSL/TLS certificate and configuration analysis\n`;
+    report += `- Common path and sensitive file discovery\n`;
+    report += `- Subdomain enumeration\n`;
+    report += `- Security header evaluation\n`;
+    report += `- Injection vector testing (reflected XSS, SQLi, LFI, open redirect)\n`;
+    report += `- Authentication and session management review\n`;
+    report += `- Configuration and information disclosure checks\n\n`;
+    // Recon Summary
+    if (recon) {
+        report += `## Reconnaissance Summary\n\n`;
+        if (Object.keys(recon.dns).length > 0) {
+            report += `### DNS Records\n`;
+            for (const [rtype, records] of Object.entries(recon.dns)) {
+                if (Array.isArray(records) && records.length > 0) {
+                    report += `- **${rtype}:** ${records.join(', ')}\n`;
+                }
+                else if (typeof records === 'boolean') {
+                    report += `- **${rtype}:** ${records ? 'Present' : 'Not found'}\n`;
+                }
+            }
+            report += `\n`;
+        }
+        if (recon.technologies.length > 0) {
+            report += `### Technologies Detected\n`;
+            for (const tech of recon.technologies) {
+                report += `- ${tech}\n`;
+            }
+            report += `\n`;
+        }
+        if (Object.keys(recon.ssl).length > 0) {
+            report += `### SSL/TLS Certificate\n`;
+            const ssl = recon.ssl;
+            if (ssl.valid !== undefined)
+                report += `- **Valid:** ${ssl.valid}\n`;
+            if (ssl.protocol)
+                report += `- **Protocol:** ${ssl.protocol}\n`;
+            if (ssl.cipher)
+                report += `- **Cipher:** ${ssl.cipher}\n`;
+            if (ssl.validTo)
+                report += `- **Expires:** ${ssl.validTo}\n`;
+            if (ssl.daysUntilExpiry !== undefined)
+                report += `- **Days until expiry:** ${ssl.daysUntilExpiry}\n`;
+            if (ssl.selfSigned !== undefined)
+                report += `- **Self-signed:** ${ssl.selfSigned}\n`;
+            if (Array.isArray(ssl.altNames) && ssl.altNames.length > 0) {
+                report += `- **Alt Names:** ${ssl.altNames.join(', ')}\n`;
+            }
+            report += `\n`;
+        }
+        const resolvedPaths = recon.paths.filter(p => p.status >= 200 && p.status < 400);
+        if (resolvedPaths.length > 0) {
+            report += `### Discovered Paths (${resolvedPaths.length})\n`;
+            report += `| Path | Status | Size |\n`;
+            report += `|------|--------|------|\n`;
+            for (const p of resolvedPaths.slice(0, 50)) {
+                report += `| ${p.path} | ${p.status} | ${p.size ?? '-'} |\n`;
+            }
+            if (resolvedPaths.length > 50) {
+                report += `| ... | +${resolvedPaths.length - 50} more | |\n`;
+            }
+            report += `\n`;
+        }
+        const resolvedSubs = recon.subdomains.filter(s => s.resolved);
+        if (resolvedSubs.length > 0) {
+            report += `### Resolved Subdomains (${resolvedSubs.length})\n`;
+            for (const s of resolvedSubs) {
+                report += `- ${s.subdomain} → ${s.ip}\n`;
+            }
+            report += `\n`;
+        }
+    }
+    // Findings
+    report += `## Findings\n\n`;
+    if (findings.length === 0) {
+        report += `No findings to report.\n\n`;
+    }
+    else {
+        // Findings table
+        report += `| # | Severity | Category | Title |\n`;
+        report += `|---|----------|----------|-------|\n`;
+        findings.forEach((f, i) => {
+            report += `| ${i + 1} | ${severityBadge(f.severity)} | ${f.category} | ${f.title} |\n`;
+        });
+        report += `\n`;
+        // Detailed findings
+        report += `### Detailed Findings\n\n`;
+        findings.forEach((f, i) => {
+            report += `#### ${i + 1}. ${f.title}\n\n`;
+            report += `- **Severity:** ${severityBadge(f.severity)}\n`;
+            report += `- **Category:** ${f.category}\n`;
+            report += `- **Finding ID:** ${f.id}\n\n`;
+            report += `**Description:**\n${f.description}\n\n`;
+            report += `**Evidence:**\n\`\`\`\n${f.evidence}\n\`\`\`\n\n`;
+            report += `**Remediation:**\n${f.remediation}\n\n`;
+            report += `---\n\n`;
+        });
+    }
+    // Remediation Priorities
+    report += `## Remediation Priorities\n\n`;
+    const criticalFindings = findings.filter(f => f.severity === 'CRITICAL');
+    const highFindings = findings.filter(f => f.severity === 'HIGH');
+    const mediumFindings = findings.filter(f => f.severity === 'MEDIUM');
+    if (criticalFindings.length > 0) {
+        report += `### Immediate (Critical)\n`;
+        for (const f of criticalFindings) {
+            report += `1. **${f.title}** — ${f.remediation}\n`;
+        }
+        report += `\n`;
+    }
+    if (highFindings.length > 0) {
+        report += `### Short-term (High)\n`;
+        for (const f of highFindings) {
+            report += `1. **${f.title}** — ${f.remediation}\n`;
+        }
+        report += `\n`;
+    }
+    if (mediumFindings.length > 0) {
+        report += `### Medium-term (Medium)\n`;
+        for (const f of mediumFindings) {
+            report += `1. **${f.title}** — ${f.remediation}\n`;
+        }
+        report += `\n`;
+    }
+    report += `---\n\n`;
+    report += `*Report generated by kbot pentest tools. This is an automated assessment and may not cover all vulnerabilities. A manual review is recommended for comprehensive security evaluation.*\n`;
+    return report;
+}
+function generateJsonReport(session, findings, recon) {
+    return JSON.stringify({
+        report: {
+            target: session.target,
+            scope: session.scope,
+            passive_only: session.passive_only,
+            started_at: session.started_at,
+            generated_at: new Date().toISOString(),
+        },
+        summary: {
+            total_findings: findings.length,
+            severity_counts: countBySeverity(findings),
+        },
+        recon: recon ?? {},
+        findings,
+    }, null, 2);
+}
+function generateHtmlReport(session, findings, recon) {
+    const counts = countBySeverity(findings);
+    const now = new Date().toISOString();
+    const severityColor = (sev) => {
+        switch (sev) {
+            case 'CRITICAL': return '#dc2626';
+            case 'HIGH': return '#ea580c';
+            case 'MEDIUM': return '#ca8a04';
+            case 'LOW': return '#2563eb';
+            case 'INFO': return '#6b7280';
+        }
+    };
+    let html = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Pentest Report — ${session.target}</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #1f2937; max-width: 960px; margin: 0 auto; padding: 2rem; }
+    h1 { font-size: 1.75rem; margin-bottom: 0.5rem; }
+    h2 { font-size: 1.35rem; margin-top: 2rem; margin-bottom: 0.75rem; border-bottom: 2px solid #e5e7eb; padding-bottom: 0.25rem; }
+    h3 { font-size: 1.1rem; margin-top: 1.25rem; margin-bottom: 0.5rem; }
+    table { width: 100%; border-collapse: collapse; margin: 1rem 0; }
+    th, td { padding: 0.5rem 0.75rem; border: 1px solid #d1d5db; text-align: left; font-size: 0.9rem; }
+    th { background: #f3f4f6; font-weight: 600; }
+    .badge { display: inline-block; padding: 0.15rem 0.5rem; border-radius: 4px; color: #fff; font-size: 0.75rem; font-weight: 600; }
+    .meta { color: #6b7280; font-size: 0.9rem; margin-bottom: 1.5rem; }
+    .finding { margin: 1.25rem 0; padding: 1rem; border: 1px solid #e5e7eb; border-radius: 8px; border-left: 4px solid; }
+    .finding pre { background: #f9fafb; padding: 0.75rem; border-radius: 4px; overflow-x: auto; font-size: 0.8rem; margin: 0.5rem 0; }
+    .summary-grid { display: grid; grid-template-columns: repeat(5, 1fr); gap: 0.75rem; margin: 1rem 0; }
+    .summary-card { text-align: center; padding: 0.75rem; border-radius: 8px; border: 1px solid #e5e7eb; }
+    .summary-card .count { font-size: 1.5rem; font-weight: 700; }
+    .summary-card .label { font-size: 0.75rem; text-transform: uppercase; }
+  </style>
+</head>
+<body>
+  <h1>Penetration Test Report</h1>
+  <div class="meta">
+    <p><strong>Target:</strong> ${session.target} | <strong>Scope:</strong> ${session.scope} | <strong>Mode:</strong> ${session.passive_only ? 'Passive' : 'Active'}</p>
+    <p><strong>Started:</strong> ${session.started_at} | <strong>Generated:</strong> ${now}</p>
+  </div>
+
+  <h2>Summary</h2>
+  <div class="summary-grid">
+    <div class="summary-card" style="border-color: ${severityColor('CRITICAL')}">
+      <div class="count" style="color: ${severityColor('CRITICAL')}">${counts.CRITICAL}</div>
+      <div class="label">Critical</div>
+    </div>
+    <div class="summary-card" style="border-color: ${severityColor('HIGH')}">
+      <div class="count" style="color: ${severityColor('HIGH')}">${counts.HIGH}</div>
+      <div class="label">High</div>
+    </div>
+    <div class="summary-card" style="border-color: ${severityColor('MEDIUM')}">
+      <div class="count" style="color: ${severityColor('MEDIUM')}">${counts.MEDIUM}</div>
+      <div class="label">Medium</div>
+    </div>
+    <div class="summary-card" style="border-color: ${severityColor('LOW')}">
+      <div class="count" style="color: ${severityColor('LOW')}">${counts.LOW}</div>
+      <div class="label">Low</div>
+    </div>
+    <div class="summary-card" style="border-color: ${severityColor('INFO')}">
+      <div class="count" style="color: ${severityColor('INFO')}">${counts.INFO}</div>
+      <div class="label">Info</div>
+    </div>
+  </div>
+`;
+    if (findings.length > 0) {
+        html += `  <h2>Findings</h2>
+  <table>
+    <thead><tr><th>#</th><th>Severity</th><th>Category</th><th>Title</th></tr></thead>
+    <tbody>
+`;
+        findings.forEach((f, i) => {
+            html += `      <tr><td>${i + 1}</td><td><span class="badge" style="background:${severityColor(f.severity)}">${f.severity}</span></td><td>${f.category}</td><td>${f.title}</td></tr>\n`;
+        });
+        html += `    </tbody>
+  </table>
+
+  <h2>Detailed Findings</h2>
+`;
+        findings.forEach((f, i) => {
+            html += `  <div class="finding" style="border-left-color: ${severityColor(f.severity)}">
+    <h3>${i + 1}. ${f.title}</h3>
+    <p><span class="badge" style="background:${severityColor(f.severity)}">${f.severity}</span> <strong>${f.category}</strong> (ID: ${f.id})</p>
+    <p><strong>Description:</strong> ${f.description}</p>
+    <pre>${f.evidence}</pre>
+    <p><strong>Remediation:</strong> ${f.remediation}</p>
+  </div>
+`;
+        });
+    }
+    else {
+        html += `  <h2>Findings</h2>\n  <p>No findings to report.</p>\n`;
+    }
+    html += `  <hr style="margin-top:2rem">
+  <p style="color:#9ca3af;font-size:0.8rem;margin-top:1rem"><em>Report generated by kbot pentest tools. Automated assessment — manual review recommended.</em></p>
+</body>
+</html>`;
+    return html;
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Tool Registration
+// ─────────────────────────────────────────────────────────────────────────────
+export function registerPentestTools() {
+    // ─── pentest_start ──────────────────────────────────────────────────────
+    registerTool({
+        name: 'pentest_start',
+        description: 'Start a new penetration testing session against a target. Creates a session with findings storage in ~/.kbot/pentest/. Returns the session ID.',
+        parameters: {
+            target: { type: 'string', description: 'URL or IP address to test (e.g., "https://example.com" or "192.168.1.1")', required: true },
+            scope: { type: 'string', description: 'Assessment scope: "full", "web", "network", or "api" (default: "web")' },
+            passive_only: { type: 'boolean', description: 'Only perform passive reconnaissance — no active probing (default: false)' },
+        },
+        tier: 'free',
+        timeout: 30_000,
+        async execute(args) {
+            const target = String(args.target ?? '').trim();
+            if (!target) {
+                return 'Error: target is required. Provide a URL or IP address.';
+            }
+            const validScopes = ['full', 'web', 'network', 'api'];
+            const scope = validScopes.includes(String(args.scope ?? '')) ? String(args.scope) : 'web';
+            const passiveOnly = args.passive_only === true;
+            // Validate target
+            try {
+                parseTarget(target);
+            }
+            catch {
+                return `Error: Invalid target "${target}". Provide a valid URL or IP address.`;
+            }
+            ensurePentestDir();
+            const sessionId = `pentest-${Date.now()}-${randomUUID().slice(0, 6)}`;
+            createSessionDir(sessionId);
+            const session = {
+                id: sessionId,
+                target,
+                scope,
+                passive_only: passiveOnly,
+                started_at: new Date().toISOString(),
+                phases: {
+                    recon: 'pending',
+                    vuln_scan: 'pending',
+                    report: 'pending',
+                },
+                findings_count: 0,
+            };
+            writeSession(session);
+            const lines = [
+                `Pentest session started.`,
+                ``,
+                `  Session ID:    ${sessionId}`,
+                `  Target:        ${target}`,
+                `  Scope:         ${scope}`,
+                `  Passive only:  ${passiveOnly}`,
+                `  Storage:       ~/.kbot/pentest/${sessionId}/`,
+                ``,
+                `Next steps:`,
+                `  1. Run pentest_recon for reconnaissance`,
+                `  2. Run pentest_vuln_scan for vulnerability assessment`,
+                `  3. Run pentest_report to generate the report`,
+                ``,
+                `Or use pentest_status to check progress.`,
+            ];
+            return lines.join('\n');
+        },
+    });
+    // ─── pentest_recon ──────────────────────────────────────────────────────
+    registerTool({
+        name: 'pentest_recon',
+        description: 'Perform reconnaissance on a target: DNS enumeration (A, AAAA, MX, NS, TXT, CNAME, SOA, SPF, DMARC), WHOIS-style info, HTTP header analysis, technology fingerprinting, SSL/TLS certificate analysis, robots.txt and sitemap.xml discovery, common path enumeration, and subdomain brute-forcing.',
+        parameters: {
+            target: { type: 'string', description: 'URL or IP address to scan (required)', required: true },
+            depth: { type: 'string', description: 'Scan depth: "quick" (fast, fewer checks), "standard" (balanced), or "deep" (thorough, slow). Default: "standard"' },
+        },
+        tier: 'free',
+        timeout: 300_000,
+        async execute(args) {
+            const target = String(args.target ?? '').trim();
+            if (!target) {
+                return 'Error: target is required.';
+            }
+            const validDepths = ['quick', 'standard', 'deep'];
+            const depth = (validDepths.includes(String(args.depth ?? '')) ? String(args.depth) : 'standard');
+            // Find or create a session for this target
+            let sessionId = findSessionForTarget(target);
+            if (!sessionId) {
+                // Auto-create a session
+                ensurePentestDir();
+                sessionId = `pentest-${Date.now()}-${randomUUID().slice(0, 6)}`;
+                createSessionDir(sessionId);
+                const session = {
+                    id: sessionId,
+                    target,
+                    scope: 'web',
+                    passive_only: false,
+                    started_at: new Date().toISOString(),
+                    phases: { recon: 'pending', vuln_scan: 'pending', report: 'pending' },
+                    findings_count: 0,
+                };
+                writeSession(session);
+            }
+            const session = readSession(sessionId);
+            if (!session) {
+                return 'Error: Could not read session configuration.';
+            }
+            // Update phase status
+            session.phases.recon = 'running';
+            writeSession(session);
+            try {
+                const { recon, findings } = await performRecon(target, depth, session.passive_only);
+                // Save recon data
+                writeRecon(sessionId, recon);
+                // Merge findings with existing vulns
+                const existingVulns = readVulns(sessionId);
+                const allFindings = [
+                    ...(existingVulns?.findings ?? []),
+                    ...findings,
+                ];
+                writeVulns(sessionId, {
+                    findings: allFindings,
+                    checks_run: [...(existingVulns?.checks_run ?? []), 'recon'],
+                    timestamp: new Date().toISOString(),
+                });
+                // Update session
+                session.phases.recon = 'complete';
+                session.findings_count = allFindings.length;
+                writeSession(session);
+                // Format output
+                const lines = [
+                    `Reconnaissance complete for ${target} (depth: ${depth})`,
+                    ``,
+                ];
+                // DNS summary
+                const dnsEntries = Object.entries(recon.dns).filter(([, v]) => {
+                    if (Array.isArray(v))
+                        return v.length > 0;
+                    return v !== false;
+                });
+                if (dnsEntries.length > 0) {
+                    lines.push(`DNS Records:`);
+                    for (const [rtype, records] of dnsEntries) {
+                        if (Array.isArray(records)) {
+                            lines.push(`  ${rtype}: ${records.slice(0, 5).join(', ')}${records.length > 5 ? ` (+${records.length - 5} more)` : ''}`);
+                        }
+                        else if (typeof records === 'boolean') {
+                            lines.push(`  ${rtype}: ${records ? 'present' : 'not found'}`);
+                        }
+                    }
+                    lines.push(``);
+                }
+                // Technologies
+                if (recon.technologies.length > 0) {
+                    lines.push(`Technologies detected (${recon.technologies.length}):`);
+                    for (const tech of recon.technologies.slice(0, 15)) {
+                        lines.push(`  - ${tech}`);
+                    }
+                    if (recon.technologies.length > 15) {
+                        lines.push(`  ... +${recon.technologies.length - 15} more`);
+                    }
+                    lines.push(``);
+                }
+                // SSL
+                if (Object.keys(recon.ssl).length > 0) {
+                    const ssl = recon.ssl;
+                    lines.push(`SSL/TLS:`);
+                    lines.push(`  Valid: ${ssl.valid}, Protocol: ${ssl.protocol}, Cipher: ${ssl.cipher}`);
+                    lines.push(`  Expires: ${ssl.validTo} (${ssl.daysUntilExpiry} days)`);
+                    lines.push(``);
+                }
+                // Paths
+                const activePaths = recon.paths.filter(p => p.status >= 200 && p.status < 400);
+                if (activePaths.length > 0) {
+                    lines.push(`Discovered paths (${activePaths.length} accessible):`);
+                    for (const p of activePaths.slice(0, 20)) {
+                        lines.push(`  [${p.status}] ${p.path} (${p.size ?? 0} bytes)`);
+                    }
+                    if (activePaths.length > 20) {
+                        lines.push(`  ... +${activePaths.length - 20} more`);
+                    }
+                    lines.push(``);
+                }
+                // Subdomains
+                const resolvedSubs = recon.subdomains.filter(s => s.resolved);
+                if (resolvedSubs.length > 0) {
+                    lines.push(`Resolved subdomains (${resolvedSubs.length}):`);
+                    for (const s of resolvedSubs.slice(0, 15)) {
+                        lines.push(`  ${s.subdomain} -> ${s.ip}`);
+                    }
+                    if (resolvedSubs.length > 15) {
+                        lines.push(`  ... +${resolvedSubs.length - 15} more`);
+                    }
+                    lines.push(``);
+                }
+                // Findings summary
+                if (findings.length > 0) {
+                    const counts = countBySeverity(findings);
+                    lines.push(`Recon findings (${findings.length}):`);
+                    if (counts.CRITICAL > 0)
+                        lines.push(`  CRITICAL: ${counts.CRITICAL}`);
+                    if (counts.HIGH > 0)
+                        lines.push(`  HIGH:     ${counts.HIGH}`);
+                    if (counts.MEDIUM > 0)
+                        lines.push(`  MEDIUM:   ${counts.MEDIUM}`);
+                    if (counts.LOW > 0)
+                        lines.push(`  LOW:      ${counts.LOW}`);
+                    if (counts.INFO > 0)
+                        lines.push(`  INFO:     ${counts.INFO}`);
+                    lines.push(``);
+                    for (const f of findings.slice(0, 10)) {
+                        lines.push(`  [${f.severity}] ${f.title}`);
+                    }
+                    if (findings.length > 10) {
+                        lines.push(`  ... +${findings.length - 10} more findings`);
+                    }
+                }
+                else {
+                    lines.push(`No findings from reconnaissance phase.`);
+                }
+                lines.push(``);
+                lines.push(`Session: ${sessionId}`);
+                lines.push(`Data saved to: ~/.kbot/pentest/${sessionId}/recon.json`);
+                return lines.join('\n');
+            }
+            catch (err) {
+                session.phases.recon = 'error';
+                writeSession(session);
+                return `Error during reconnaissance: ${err instanceof Error ? err.message : String(err)}`;
+            }
+        },
+    });
+    // ─── pentest_vuln_scan ──────────────────────────────────────────────────
+    registerTool({
+        name: 'pentest_vuln_scan',
+        description: 'Perform a vulnerability assessment on a target. Checks: security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), SSL/TLS issues (expired cert, weak cipher, protocol), injection vectors (reflected XSS, SQL injection, path traversal, open redirect), authentication issues (CORS misconfiguration, cookie security, default credentials), and configuration problems (rate limiting, HTTP methods, directory listing, information disclosure).',
+        parameters: {
+            target: { type: 'string', description: 'URL to scan (required)', required: true },
+            checks: { type: 'string', description: 'Checks to run: "headers", "ssl", "injection", "auth", "config", or "all" (default: "all")' },
+        },
+        tier: 'free',
+        timeout: 300_000,
+        async execute(args) {
+            const target = String(args.target ?? '').trim();
+            if (!target) {
+                return 'Error: target is required.';
+            }
+            const validChecks = ['headers', 'ssl', 'injection', 'auth', 'config', 'all'];
+            const checks = validChecks.includes(String(args.checks ?? '')) ? String(args.checks) : 'all';
+            // Find or create a session for this target
+            let sessionId = findSessionForTarget(target);
+            if (!sessionId) {
+                ensurePentestDir();
+                sessionId = `pentest-${Date.now()}-${randomUUID().slice(0, 6)}`;
+                createSessionDir(sessionId);
+                const session = {
+                    id: sessionId,
+                    target,
+                    scope: 'web',
+                    passive_only: false,
+                    started_at: new Date().toISOString(),
+                    phases: { recon: 'pending', vuln_scan: 'pending', report: 'pending' },
+                    findings_count: 0,
+                };
+                writeSession(session);
+            }
+            const session = readSession(sessionId);
+            if (!session) {
+                return 'Error: Could not read session configuration.';
+            }
+            session.phases.vuln_scan = 'running';
+            writeSession(session);
+            try {
+                const vulnData = await performVulnScan(target, checks);
+                // Merge with existing findings (avoid duplicates from recon)
+                const existingVulns = readVulns(sessionId);
+                const existingIds = new Set((existingVulns?.findings ?? []).map(f => f.id));
+                const newFindings = vulnData.findings.filter(f => !existingIds.has(f.id));
+                const allFindings = [
+                    ...(existingVulns?.findings ?? []),
+                    ...newFindings,
+                ];
+                const allChecks = [...new Set([
+                        ...(existingVulns?.checks_run ?? []),
+                        ...vulnData.checks_run,
+                    ])];
+                writeVulns(sessionId, {
+                    findings: allFindings,
+                    checks_run: allChecks,
+                    timestamp: new Date().toISOString(),
+                });
+                session.phases.vuln_scan = 'complete';
+                session.findings_count = allFindings.length;
+                writeSession(session);
+                // Format output
+                const lines = [
+                    `Vulnerability scan complete for ${target}`,
+                    `Checks run: ${vulnData.checks_run.join(', ')}`,
+                    ``,
+                ];
+                if (vulnData.findings.length > 0) {
+                    const counts = countBySeverity(vulnData.findings);
+                    lines.push(`New findings (${vulnData.findings.length}):`);
+                    lines.push(`  CRITICAL: ${counts.CRITICAL} | HIGH: ${counts.HIGH} | MEDIUM: ${counts.MEDIUM} | LOW: ${counts.LOW} | INFO: ${counts.INFO}`);
+                    lines.push(``);
+                    // Group by category
+                    const byCategory = new Map();
+                    for (const f of vulnData.findings) {
+                        const cat = byCategory.get(f.category) ?? [];
+                        cat.push(f);
+                        byCategory.set(f.category, cat);
+                    }
+                    for (const [category, catFindings] of byCategory) {
+                        lines.push(`  ${category}:`);
+                        for (const f of catFindings) {
+                            lines.push(`    [${f.severity}] ${f.title}`);
+                        }
+                        lines.push(``);
+                    }
+                }
+                else {
+                    lines.push(`No vulnerabilities found in the "${checks}" checks.`);
+                    lines.push(``);
+                }
+                lines.push(`Total findings in session: ${allFindings.length}`);
+                lines.push(`Session: ${sessionId}`);
+                lines.push(`Data saved to: ~/.kbot/pentest/${sessionId}/vulns.json`);
+                return lines.join('\n');
+            }
+            catch (err) {
+                session.phases.vuln_scan = 'error';
+                writeSession(session);
+                return `Error during vulnerability scan: ${err instanceof Error ? err.message : String(err)}`;
+            }
+        },
+    });
+    // ─── pentest_report ─────────────────────────────────────────────────────
+    registerTool({
+        name: 'pentest_report',
+        description: 'Generate a structured penetration test report with executive summary, scope, methodology, findings table, risk matrix, and remediation priorities. Supports markdown, JSON, and HTML output formats.',
+        parameters: {
+            format: { type: 'string', description: 'Report format: "markdown", "json", or "html" (default: "markdown")' },
+            session: { type: 'string', description: 'Session ID. Defaults to the latest session.' },
+        },
+        tier: 'free',
+        timeout: 60_000,
+        async execute(args) {
+            const validFormats = ['markdown', 'json', 'html'];
+            const format = validFormats.includes(String(args.format ?? '')) ? String(args.format) : 'markdown';
+            // Find session
+            let sessionId = String(args.session ?? '').trim();
+            if (!sessionId) {
+                const latest = findLatestSession();
+                if (!latest) {
+                    return 'Error: No pentest sessions found. Run pentest_start first.';
+                }
+                sessionId = latest;
+            }
+            const session = readSession(sessionId);
+            if (!session) {
+                return `Error: Session "${sessionId}" not found.`;
+            }
+            const recon = readRecon(sessionId);
+            const findings = getAllFindings(sessionId);
+            // Update session
+            session.phases.report = 'complete';
+            writeSession(session);
+            let report;
+            let extension;
+            switch (format) {
+                case 'json':
+                    report = generateJsonReport(session, findings, recon);
+                    extension = 'json';
+                    break;
+                case 'html':
+                    report = generateHtmlReport(session, findings, recon);
+                    extension = 'html';
+                    break;
+                default:
+                    report = generateMarkdownReport(session, findings, recon);
+                    extension = 'md';
+                    break;
+            }
+            // Save report to session directory
+            const reportPath = join(sessionDir(sessionId), `report.${extension}`);
+            writeFileSync(reportPath, report);
+            // Also save as report.md for the default case
+            if (extension !== 'md') {
+                const mdReport = generateMarkdownReport(session, findings, recon);
+                writeFileSync(join(sessionDir(sessionId), 'report.md'), mdReport);
+            }
+            const counts = countBySeverity(findings);
+            const summary = [
+                `Report generated (${format}).`,
+                ``,
+                `  Session:   ${sessionId}`,
+                `  Target:    ${session.target}`,
+                `  Findings:  ${findings.length} total`,
+                `    CRITICAL: ${counts.CRITICAL}`,
+                `    HIGH:     ${counts.HIGH}`,
+                `    MEDIUM:   ${counts.MEDIUM}`,
+                `    LOW:      ${counts.LOW}`,
+                `    INFO:     ${counts.INFO}`,
+                ``,
+                `  Saved to:  ~/.kbot/pentest/${sessionId}/report.${extension}`,
+                ``,
+            ];
+            // For markdown and short reports, include the full report inline
+            if (format === 'markdown' && report.length < 40_000) {
+                summary.push(`--- Full Report ---\n`);
+                summary.push(report);
+            }
+            else if (format === 'json' && report.length < 40_000) {
+                summary.push(`--- Full Report ---\n`);
+                summary.push(report);
+            }
+            else {
+                summary.push(`Report is ${report.length} characters. View at: ~/.kbot/pentest/${sessionId}/report.${extension}`);
+            }
+            return summary.join('\n');
+        },
+    });
+    // ─── pentest_status ─────────────────────────────────────────────────────
+    registerTool({
+        name: 'pentest_status',
+        description: 'Check the status of the current or a specific penetration test session. Shows which phases are complete, total findings count, and severity breakdown.',
+        parameters: {
+            session: { type: 'string', description: 'Session ID. Defaults to the latest session.' },
+        },
+        tier: 'free',
+        timeout: 10_000,
+        async execute(args) {
+            let sessionId = String(args.session ?? '').trim();
+            if (!sessionId) {
+                const latest = findLatestSession();
+                if (!latest) {
+                    // List all sessions
+                    ensurePentestDir();
+                    const allDirs = readdirSync(PENTEST_DIR).filter(d => {
+                        const fp = join(PENTEST_DIR, d);
+                        return statSync(fp).isDirectory() && existsSync(join(fp, 'config.json'));
+                    });
+                    if (allDirs.length === 0) {
+                        return 'No pentest sessions found. Run pentest_start to begin a new assessment.';
+                    }
+                    const lines = [`Found ${allDirs.length} session(s):\n`];
+                    for (const d of allDirs) {
+                        const s = readSession(d);
+                        if (s) {
+                            lines.push(`  ${s.id} — ${s.target} (${s.started_at})`);
+                        }
+                    }
+                    return lines.join('\n');
+                }
+                sessionId = latest;
+            }
+            const session = readSession(sessionId);
+            if (!session) {
+                return `Error: Session "${sessionId}" not found.`;
+            }
+            const findings = getAllFindings(sessionId);
+            const counts = countBySeverity(findings);
+            const recon = readRecon(sessionId);
+            const phaseIcon = (status) => {
+                switch (status) {
+                    case 'complete': return '[done]';
+                    case 'running': return '[running]';
+                    case 'error': return '[error]';
+                    default: return '[pending]';
+                }
+            };
+            const lines = [
+                `Pentest Session Status`,
+                ``,
+                `  Session:       ${session.id}`,
+                `  Target:        ${session.target}`,
+                `  Scope:         ${session.scope}`,
+                `  Passive only:  ${session.passive_only}`,
+                `  Started:       ${session.started_at}`,
+                ``,
+                `Phases:`,
+                `  ${phaseIcon(session.phases.recon)}      Reconnaissance`,
+                `  ${phaseIcon(session.phases.vuln_scan)}      Vulnerability Scan`,
+                `  ${phaseIcon(session.phases.report)}      Report Generation`,
+                ``,
+                `Findings (${findings.length} total):`,
+                `  CRITICAL: ${counts.CRITICAL}`,
+                `  HIGH:     ${counts.HIGH}`,
+                `  MEDIUM:   ${counts.MEDIUM}`,
+                `  LOW:      ${counts.LOW}`,
+                `  INFO:     ${counts.INFO}`,
+                ``,
+            ];
+            // Show recent top findings
+            if (findings.length > 0) {
+                lines.push(`Top findings:`);
+                for (const f of findings.slice(0, 8)) {
+                    lines.push(`  [${f.severity}] ${f.title}`);
+                }
+                if (findings.length > 8) {
+                    lines.push(`  ... +${findings.length - 8} more`);
+                }
+                lines.push(``);
+            }
+            // Show recon data summary if available
+            if (recon) {
+                const techCount = recon.technologies.length;
+                const pathCount = recon.paths.filter(p => p.status >= 200 && p.status < 400).length;
+                const subCount = recon.subdomains.filter(s => s.resolved).length;
+                lines.push(`Recon data:`);
+                lines.push(`  Technologies:   ${techCount} detected`);
+                lines.push(`  Paths found:    ${pathCount} accessible`);
+                lines.push(`  Subdomains:     ${subCount} resolved`);
+            }
+            lines.push(``);
+            lines.push(`Storage: ~/.kbot/pentest/${sessionId}/`);
+            return lines.join('\n');
+        },
+    });
+}
+//# sourceMappingURL=pentest.js.map