@pensar/apex 0.0.111 → 0.0.112

package/build/cli-f9shhcxf.js

@@ -0,0 +1,1498 @@
+import {
+  TargetedPentestAgent
+} from "./cli-e20q3hqz.js";
+import {
+  CodeAgent
+} from "./cli-w04ggbe4.js";
+import {
+  EndpointSchema
+} from "./cli-2ckm5es2.js";
+import {
+  BlackboxAttackSurfaceAgent
+} from "./cli-hmrzx8am.js";
+import {
+  CweEntrySchema,
+  FindingsRegistry
+} from "./cli-r8r90gka.js";
+import {
+  exports_external,
+  init_zod
+} from "./cli-kqtgcdzn.js";
+
+// src/core/workflows/pentest.ts
+import { existsSync as existsSync4, readdirSync as readdirSync2, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
+import { join as join4 } from "path";
+
+// src/core/report/schemas.ts
+init_zod();
+var PentestReportFindingSchema = exports_external.object({
+  title: exports_external.string(),
+  severity: exports_external.enum(["CRITICAL", "HIGH", "MEDIUM", "LOW"]),
+  description: exports_external.string(),
+  impact: exports_external.string(),
+  evidence: exports_external.string(),
+  endpoint: exports_external.string(),
+  pocPath: exports_external.string(),
+  remediation: exports_external.string(),
+  references: exports_external.string().optional(),
+  cwes: exports_external.array(CweEntrySchema).optional()
+});
+var PentestReportSchema = exports_external.object({
+  version: exports_external.string().regex(/^1\.\d+$/),
+  metadata: exports_external.object({
+    target: exports_external.string(),
+    model: exports_external.string(),
+    timestamp: exports_external.string(),
+    sessionId: exports_external.string(),
+    mode: exports_external.enum(["blackbox", "whitebox", "targeted"])
+  }),
+  summary: exports_external.object({
+    totalFindings: exports_external.number(),
+    bySeverity: exports_external.object({
+      CRITICAL: exports_external.number(),
+      HIGH: exports_external.number(),
+      MEDIUM: exports_external.number(),
+      LOW: exports_external.number()
+    })
+  }),
+  findings: exports_external.array(PentestReportFindingSchema)
+});
+var REPORT_VERSION = "1.0";
+// src/core/report/builder.ts
+var SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"];
+function buildPentestReport(findings, context) {
+  const sorted = [...findings].sort((a, b) => SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity));
+  const bySeverity = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
+  for (const f of findings) {
+    bySeverity[f.severity]++;
+  }
+  return {
+    version: REPORT_VERSION,
+    metadata: {
+      target: context.target,
+      model: context.model,
+      timestamp: new Date().toISOString(),
+      sessionId: context.sessionId,
+      mode: context.mode
+    },
+    summary: {
+      totalFindings: findings.length,
+      bySeverity
+    },
+    findings: sorted.map((f) => ({
+      title: f.title,
+      severity: f.severity,
+      description: f.description,
+      impact: f.impact,
+      evidence: f.evidence,
+      endpoint: f.endpoint,
+      pocPath: f.pocPath,
+      remediation: f.remediation,
+      references: f.references
+    }))
+  };
+}
+// src/core/report/renderers/markdown.ts
+function renderMarkdown(report) {
+  const { metadata, findings, summary } = report;
+  const header = [
+    `# Pentest Report — ${metadata.target}`,
+    "",
+    `**Date:** ${metadata.timestamp}  `,
+    `**Session:** ${metadata.sessionId}  `,
+    `**Model:** ${metadata.model}  `,
+    `**Mode:** ${metadata.mode}`,
+    "",
+    `**Findings:** ${summary.totalFindings}`,
+    ""
+  ];
+  if (findings.length === 0) {
+    return [
+      ...header,
+      "No findings were identified during this assessment.",
+      ""
+    ].join(`
+`);
+  }
+  const body = findings.map((finding) => renderFinding(finding, metadata)).join(`
+`);
+  return [...header, body].join(`
+`);
+}
+function renderFinding(finding, metadata) {
+  const lines = [
+    `# ${finding.title}`,
+    "",
+    `**Severity:** ${finding.severity}  `,
+    `**Target:** ${metadata.target}  `,
+    `**Endpoint:** ${finding.endpoint}  `,
+    `**Date:** ${metadata.timestamp}  `,
+    `**Session:** ${metadata.sessionId}`,
+    "",
+    "## Description",
+    "",
+    finding.description,
+    "",
+    "## Impact",
+    "",
+    finding.impact,
+    "",
+    "## Evidence",
+    "",
+    "```",
+    finding.evidence,
+    "```",
+    "",
+    ...finding.cwes?.length ? [
+      "## CWE Classification",
+      "",
+      ...finding.cwes.map((cwe) => `- **${cwe.id}** — ${cwe.reasoning}`),
+      ""
+    ] : [],
+    "## POC",
+    "",
+    `Path: \`${finding.pocPath}\``,
+    "",
+    "## Remediation",
+    "",
+    finding.remediation,
+    ...finding.references ? ["", `## References`, "", finding.references] : [],
+    "",
+    "---",
+    "",
+    "*This finding was automatically documented by the Pensar penetration testing agent.*",
+    ""
+  ];
+  return lines.join(`
+`);
+}
+// src/core/report/renderers/json.ts
+function renderJson(report) {
+  return JSON.stringify(report, null, 2);
+}
+
+// src/core/report/index.ts
+var REPORT_FILENAME_MD = "pentest-report.md";
+var REPORT_FILENAME_JSON = "pentest-report.json";
+
+// src/core/session/persistence.ts
+import {
+  existsSync,
+  mkdirSync,
+  writeFileSync,
+  readFileSync,
+  readdirSync
+} from "fs";
+import { join } from "path";
+var SUBAGENTS_DIR = "subagents";
+var MANIFEST_FILE = "agent-manifest.json";
+function loadSubagentMessages(session, agentName) {
+  const filePath = join(session.rootPath, SUBAGENTS_DIR, `${agentName}.json`);
+  if (!existsSync(filePath))
+    return [];
+  try {
+    const data = JSON.parse(readFileSync(filePath, "utf-8"));
+    return data.messages;
+  } catch {
+    return [];
+  }
+}
+function saveSubagentData(session, data) {
+  const subagentsDir = join(session.rootPath, SUBAGENTS_DIR);
+  mkdirSync(subagentsDir, { recursive: true });
+  let toolCallCount = 0;
+  let stepCount = 0;
+  for (const msg of data.messages) {
+    if (msg.role === "assistant") {
+      stepCount++;
+      if (Array.isArray(msg.content)) {
+        for (const part of msg.content) {
+          if (part.type === "tool-call")
+            toolCallCount++;
+        }
+      }
+    }
+  }
+  const savedData = {
+    agentName: data.agentName,
+    timestamp: new Date().toISOString(),
+    target: data.target,
+    objective: data.objective,
+    vulnerabilityClass: data.vulnerabilityClass,
+    toolCallCount,
+    stepCount,
+    findingsCount: data.findingsCount ?? 0,
+    status: data.status,
+    error: data.error,
+    messages: data.messages
+  };
+  writeFileSync(join(subagentsDir, `${data.agentName}.json`), JSON.stringify(savedData, null, 2));
+}
+function writeAgentManifest(session, entries) {
+  const manifestPath = join(session.rootPath, MANIFEST_FILE);
+  writeFileSync(manifestPath, JSON.stringify(entries, null, 2));
+}
+function readAgentManifest(session) {
+  const manifestPath = join(session.rootPath, MANIFEST_FILE);
+  if (!existsSync(manifestPath))
+    return [];
+  try {
+    return JSON.parse(readFileSync(manifestPath, "utf-8"));
+  } catch {
+    return [];
+  }
+}
+function buildManifestEntries(targets) {
+  return targets.map((t, i) => ({
+    id: `pentest-agent-${i + 1}`,
+    name: `Pentest Agent ${i + 1}`,
+    target: t.target,
+    vulnerabilityClass: t.objectives[0] || "general",
+    objective: t.objectives.join("; "),
+    status: "running",
+    spawnedAt: new Date().toISOString()
+  }));
+}
+function finalizeManifest(session, entries, results) {
+  const finalManifest = entries.map((entry, i) => {
+    if (entry.status === "completed")
+      return entry;
+    return {
+      ...entry,
+      status: results[i] != null ? "completed" : "failed",
+      completedAt: new Date().toISOString()
+    };
+  });
+  writeAgentManifest(session, finalManifest);
+}
+function updateManifestEntryStatus(session, agentId, status) {
+  const manifest = readAgentManifest(session);
+  const updated = manifest.map((e) => e.id === agentId ? { ...e, status, completedAt: new Date().toISOString() } : e);
+  writeAgentManifest(session, updated);
+}
+function getCompletedAgentIds(session) {
+  const manifest = readAgentManifest(session);
+  return new Set(manifest.filter((e) => e.id.startsWith("pentest-agent-") && e.status === "completed").map((e) => e.id));
+}
+function parseSubagentFilename(filename) {
+  if (filename.startsWith("attack-surface-agent")) {
+    return { agentType: "attack-surface", name: "Attack Surface Discovery" };
+  }
+  const pentestMatch = filename.match(/^pentest-agent-(\d+)/);
+  if (pentestMatch) {
+    return {
+      agentType: "pentest",
+      name: `Pentest Agent ${pentestMatch[1]}`
+    };
+  }
+  if (filename.startsWith("vuln-test-")) {
+    const parts = filename.replace("vuln-test-", "").split("-");
+    const vulnClass = parts[0] || "generic";
+    const vulnClassFormatted = vulnClass.replace(/-/g, " ").replace(/\b\w/g, (c) => c.toUpperCase());
+    return {
+      agentType: "pentest",
+      name: `${vulnClassFormatted} Test`
+    };
+  }
+  if (filename.startsWith("orchestrator-")) {
+    return { agentType: "pentest", name: "Orchestrator Summary" };
+  }
+  return { agentType: "pentest", name: filename.split("-")[0] || "Unknown" };
+}
+function convertMessagesToUI(messages, baseTime) {
+  const uiMessages = [];
+  let messageIndex = 0;
+  const toolResults = new Map;
+  for (const msg of messages) {
+    if (Array.isArray(msg.content)) {
+      for (const part of msg.content) {
+        if (part.type === "tool-result" && part.toolCallId) {
+          toolResults.set(part.toolCallId, part.output);
+        }
+      }
+    }
+  }
+  for (const msg of messages) {
+    const createdAt = new Date(baseTime.getTime() + messageIndex * 1000);
+    messageIndex++;
+    if (typeof msg.content === "string") {
+      uiMessages.push({
+        role: msg.role,
+        content: msg.content,
+        createdAt
+      });
+    } else if (Array.isArray(msg.content)) {
+      for (const part of msg.content) {
+        if (part.type === "text" && part.text) {
+          uiMessages.push({
+            role: "assistant",
+            content: part.text,
+            createdAt
+          });
+        } else if (part.type === "tool-call") {
+          const input = part.input;
+          const toolDescription = typeof input?.toolCallDescription === "string" ? input.toolCallDescription : part.toolName || "tool";
+          const result = part.toolCallId ? toolResults.get(part.toolCallId) : undefined;
+          const resultText = typeof result === "string" ? result : result != null && typeof result === "object" && ("value" in result) && typeof result.value === "string" ? result.value : undefined;
+          const cancelled = typeof resultText === "string" && resultText.toLowerCase().includes("cancelled");
+          uiMessages.push({
+            role: "tool",
+            content: toolDescription,
+            createdAt,
+            toolCallId: part.toolCallId,
+            toolName: part.toolName,
+            args: input,
+            result,
+            status: cancelled ? "error" : "completed"
+          });
+        }
+      }
+    }
+  }
+  return uiMessages;
+}
+function convertModelMessagesToUI(messages) {
+  return convertMessagesToUI(messages, new Date);
+}
+function loadSubagents(rootPath) {
+  const subagentsPath = join(rootPath, SUBAGENTS_DIR);
+  const subagents = [];
+  const agentNameIndex = new Map;
+  if (existsSync(subagentsPath)) {
+    const files = readdirSync(subagentsPath).filter((f) => f.endsWith(".json"));
+    files.sort();
+    for (const file of files) {
+      if (file.startsWith("orchestrator-"))
+        continue;
+      try {
+        const filePath = join(subagentsPath, file);
+        const data = JSON.parse(readFileSync(filePath, "utf-8"));
+        const { agentType, name } = parseSubagentFilename(file);
+        const timestamp = new Date(data.timestamp);
+        const messages = convertMessagesToUI(data.messages, timestamp);
+        let status = "completed";
+        switch (data.status) {
+          case "canceled":
+          case "failed":
+          case "completed":
+          case "pending":
+            status = data.status;
+            break;
+          default:
+            if (typeof data.findingsCount === "number" && data.findingsCount < 0) {
+              status = "failed";
+            }
+            break;
+        }
+        agentNameIndex.set(data.agentName, subagents.length);
+        subagents.push({
+          id: data.agentName,
+          name: data.agentName === "attack-surface-agent" ? "Attack Surface Discovery" : name,
+          type: agentType,
+          target: data.target || "Unknown",
+          messages,
+          createdAt: timestamp,
+          status
+        });
+      } catch (e) {
+        console.error(`Failed to load subagent file ${file}:`, e);
+      }
+    }
+  }
+  const manifestPath = join(rootPath, MANIFEST_FILE);
+  if (existsSync(manifestPath)) {
+    try {
+      const manifest = JSON.parse(readFileSync(manifestPath, "utf-8"));
+      for (const entry of manifest) {
+        if (entry.status !== "running")
+          continue;
+        const resumeInfo = {
+          target: entry.target,
+          objective: entry.objective,
+          vulnerabilityClass: entry.vulnerabilityClass,
+          authenticationInfo: entry.authInfo
+        };
+        const existingIndex = agentNameIndex.get(entry.id);
+        if (existingIndex !== undefined) {
+          subagents[existingIndex] = {
+            ...subagents[existingIndex],
+            status: "paused",
+            resumeInfo
+          };
+        } else {
+          subagents.push({
+            id: entry.id,
+            name: entry.name,
+            type: "pentest",
+            target: entry.target,
+            messages: [],
+            createdAt: new Date(entry.spawnedAt),
+            status: "paused",
+            resumeInfo
+          });
+        }
+      }
+    } catch (e) {
+      console.error("Failed to load agent manifest:", e);
+    }
+  }
+  return subagents;
+}
+
+// src/core/session/execution-metrics.ts
+import { existsSync as existsSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
+import { join as join2 } from "path";
+var EXECUTION_METRICS_FILENAME = "execution-metrics.json";
+function toNonNegativeInteger(value) {
+  const n = Number(value);
+  return Number.isFinite(n) && n > 0 ? Math.floor(n) : 0;
+}
+function normalizeTokenUsage(value) {
+  const inputTokens = toNonNegativeInteger(value?.inputTokens);
+  const outputTokens = toNonNegativeInteger(value?.outputTokens);
+  const derivedTotal = inputTokens + outputTokens;
+  const explicitTotal = toNonNegativeInteger(value?.totalTokens);
+  return {
+    inputTokens,
+    outputTokens,
+    totalTokens: explicitTotal > 0 ? explicitTotal : derivedTotal
+  };
+}
+function metricsPath(sessionRootPath) {
+  return join2(sessionRootPath, EXECUTION_METRICS_FILENAME);
+}
+function sessionJsonPath(sessionRootPath) {
+  return join2(sessionRootPath, "session.json");
+}
+function readExecutionMetrics(sessionRootPath) {
+  const path = metricsPath(sessionRootPath);
+  if (!existsSync2(path))
+    return null;
+  try {
+    const parsed = JSON.parse(readFileSync2(path, "utf-8"));
+    return {
+      tokenUsage: normalizeTokenUsage(parsed.tokenUsage),
+      runtime: typeof parsed.runtime === "string" ? parsed.runtime : undefined,
+      updatedAt: typeof parsed.updatedAt === "string" ? parsed.updatedAt : new Date().toISOString()
+    };
+  } catch {
+    return null;
+  }
+}
+function writeSessionJsonTokenTotals(sessionRootPath, tokenUsage) {
+  const path = sessionJsonPath(sessionRootPath);
+  if (!existsSync2(path))
+    return;
+  try {
+    const parsed = JSON.parse(readFileSync2(path, "utf-8"));
+    parsed.tokensIn = tokenUsage.inputTokens;
+    parsed.tokensOut = tokenUsage.outputTokens;
+    writeFileSync2(path, JSON.stringify(parsed, null, 2));
+  } catch {}
+}
+function writeExecutionMetrics(input) {
+  const existing = readExecutionMetrics(input.sessionRootPath);
+  const nextTokenUsage = input.tokenUsage ? normalizeTokenUsage(input.tokenUsage) : existing?.tokenUsage ?? {
+    inputTokens: 0,
+    outputTokens: 0,
+    totalTokens: 0
+  };
+  const next = {
+    tokenUsage: nextTokenUsage,
+    runtime: input.runtime ?? existing?.runtime,
+    updatedAt: new Date().toISOString()
+  };
+  writeFileSync2(metricsPath(input.sessionRootPath), JSON.stringify(next, null, 2), "utf-8");
+  writeSessionJsonTokenTotals(input.sessionRootPath, next.tokenUsage);
+  return next;
+}
+function formatDurationHmsFromMs(durationMs) {
+  const totalSeconds = Math.max(0, Math.floor(durationMs / 1000));
+  const hours = Math.floor(totalSeconds / 3600);
+  const minutes = Math.floor(totalSeconds % 3600 / 60);
+  const seconds = totalSeconds % 60;
+  return `${hours}h${minutes}m${seconds}s`;
+}
+
+// src/core/utils/concurrency.ts
+async function runWithBoundedConcurrency(items, concurrency, fn, abortSignal) {
+  const results = new Array(items.length).fill(null);
+  let nextIdx = 0;
+  let completed = 0;
+  await new Promise((resolve) => {
+    if (items.length === 0) {
+      resolve();
+      return;
+    }
+    let active = 0;
+    function next() {
+      if (completed >= nextIdx && (nextIdx === items.length || abortSignal?.aborted)) {
+        resolve();
+        return;
+      }
+      while (active < concurrency && nextIdx < items.length && !abortSignal?.aborted) {
+        const idx = nextIdx++;
+        active++;
+        fn(items[idx], idx).then((r) => {
+          results[idx] = r;
+        }).catch(() => {
+          results[idx] = null;
+        }).finally(() => {
+          active--;
+          completed++;
+          next();
+        });
+      }
+    }
+    next();
+  });
+  return results;
+}
+
+// src/core/session/loader.ts
+import { join as join3 } from "path";
+import { existsSync as existsSync3, readFileSync as readFileSync3 } from "fs";
+function loadAttackSurfaceResults(rootPath) {
+  const resultsPath = join3(rootPath, "attack-surface-results.json");
+  if (!existsSync3(resultsPath)) {
+    return null;
+  }
+  try {
+    return JSON.parse(readFileSync3(resultsPath, "utf-8"));
+  } catch (e) {
+    console.error("Failed to load attack surface results:", e);
+    return null;
+  }
+}
+function hasReport(rootPath) {
+  const reportPath = join3(rootPath, REPORT_FILENAME_MD);
+  return existsSync3(reportPath);
+}
+function createDiscoveryFromLogs(rootPath, session) {
+  const logPath = join3(rootPath, "logs", "streamlined-pentest.log");
+  if (!existsSync3(logPath)) {
+    return null;
+  }
+  try {
+    const logContent = readFileSync3(logPath, "utf-8");
+    const lines = logContent.split(`
+`).filter(Boolean);
+    const messages = [];
+    for (const line of lines) {
+      const match = line.match(/^(\d{4}-\d{2}-\d{2}T[\d:.]+Z) - \[(\w+)\] (.+)$/);
+      if (!match)
+        continue;
+      const [, timestamp, _level, content] = match;
+      const createdAt = new Date(timestamp);
+      if (content.startsWith("[Tool]")) {
+        const toolMatch = content.match(/\[Tool\] (\w+): (.+)/);
+        if (toolMatch) {
+          messages.push({
+            role: "tool",
+            content: `✓ ${toolMatch[2]}`,
+            createdAt,
+            toolName: toolMatch[1],
+            status: "completed"
+          });
+        }
+      } else if (content.startsWith("[Step")) {
+        const stepMatch = content.match(/\[Step \d+\] (.+)/);
+        if (stepMatch) {
+          messages.push({
+            role: "assistant",
+            content: stepMatch[1],
+            createdAt
+          });
+        }
+      }
+    }
+    if (messages.length === 0) {
+      return null;
+    }
+    return {
+      id: "discovery-from-logs",
+      name: "Attack Surface Discovery",
+      type: "attack-surface",
+      target: session.targets[0] || "Unknown",
+      messages,
+      createdAt: new Date(session.time.created),
+      status: "completed"
+    };
+  } catch (e) {
+    console.error("Failed to parse logs:", e);
+    return null;
+  }
+}
+async function loadSessionState(session) {
+  const rootPath = session.rootPath;
+  let subagents = loadSubagents(rootPath);
+  const hasAttackSurfaceAgent = subagents.some((s) => s.type === "attack-surface");
+  if (!hasAttackSurfaceAgent) {
+    const discoveryAgent = createDiscoveryFromLogs(rootPath, session);
+    if (discoveryAgent) {
+      subagents = [discoveryAgent, ...subagents];
+    }
+  }
+  const attackSurfaceResults = loadAttackSurfaceResults(rootPath);
+  const hasReportFile = hasReport(rootPath);
+  const hasDiscoverySubagent = subagents.some((s) => s.type === "attack-surface");
+  const interruptedDuringDiscovery = !attackSurfaceResults && !hasReportFile && hasDiscoverySubagent;
+  if (interruptedDuringDiscovery) {
+    for (let i = 0;i < subagents.length; i++) {
+      if (subagents[i].type === "attack-surface" && subagents[i].status === "completed") {
+        subagents[i] = { ...subagents[i], status: "paused" };
+      }
+    }
+  }
+  const isComplete = hasReportFile;
+  return {
+    session,
+    subagents,
+    attackSurfaceResults,
+    isComplete,
+    hasReport: hasReportFile,
+    interruptedDuringDiscovery
+  };
+}
+
+// src/core/workflows/whiteboxAttackSurface.ts
+init_zod();
+
+// src/core/workflows/riskScoring.ts
+init_zod();
+var DEFAULT_CONCURRENCY = 5;
+var RiskScoreResultSchema = exports_external.object({
+  exposure: exports_external.number().min(0).max(3).describe("Exposure Level (0-3): 3=Public endpoint no auth, 2=Requires standard user login, 1=Requires privileged/admin access, 0=Private/internal-only"),
+  exposureReasoning: exports_external.string().describe("Brief explanation for the exposure score"),
+  dataSensitivity: exports_external.number().min(0).max(3).describe("Data Sensitivity (0-3): 3=PII/PHI/financial/passwords/tokens, 2=Business operations/configs, 1=Low-value user data, 0=No meaningful data"),
+  dataSensitivityReasoning: exports_external.string().describe("Brief explanation for the data sensitivity score"),
+  functionCriticality: exports_external.number().min(0).max(2).describe("Function Criticality (0-2): 2=Auth flows/password resets/payments/state-changing mutations, 1=Core product functionality, 0=Non-critical content"),
+  functionCriticalityReasoning: exports_external.string().describe("Brief explanation for the function criticality score"),
+  securityIndicators: exports_external.number().min(0).max(2).describe("Security Indicators (0-2): 2=Critical vulnerability patterns found (SQL injection, command injection, hardcoded secrets, path traversal), 1=Moderate security concerns (missing input validation, weak error handling), 0=No obvious security issues"),
+  securityIndicatorsReasoning: exports_external.string().describe("Brief explanation for the security indicators score, including specific vulnerability patterns observed if any"),
+  justification: exports_external.string().describe("Overall justification summarizing why this endpoint received this risk score")
+});
+var RISK_SCORE_SYSTEM_PROMPT = `You are an Endpoint Risk Scoring Agent. Your task is to evaluate an API or webpage endpoint and assign a Risk Score (0-10) that reflects how important it is to test this endpoint during a penetration test.
+
+Read the source code at the specified location, analyze it, and provide a structured risk assessment. Be thorough but efficient — read only the relevant code.`;
+async function scoreEndpoints(input) {
+  const {
+    codebasePath,
+    endpoints,
+    model,
+    session,
+    authConfig,
+    abortSignal,
+    callbacks,
+    concurrency = DEFAULT_CONCURRENCY
+  } = input;
+  const results = new Map;
+  const scored = await runWithBoundedConcurrency(endpoints, concurrency, async (ep) => {
+    const key = `${ep.method}:${ep.file}:${ep.path}`;
+    const subagentId = `risk-score-${ep.appName}-${ep.method}-${ep.path}`;
+    callbacks?.subagentCallbacks?.onSubagentSpawn?.({
+      subagentId,
+      input: { app: ep.appName, path: ep.path },
+      status: "pending"
+    });
+    try {
+      const score = await scoreEndpoint({
+        codebasePath,
+        endpoint: ep,
+        model,
+        session,
+        authConfig,
+        abortSignal,
+        callbacks
+      });
+      callbacks?.subagentCallbacks?.onSubagentComplete?.({
+        subagentId,
+        input: { app: ep.appName, path: ep.path },
+        status: "completed"
+      });
+      return { key, score };
+    } catch (error) {
+      console.error(`Risk scoring failed for ${ep.path}: ${error instanceof Error ? error.message : String(error)}`);
+      callbacks?.subagentCallbacks?.onSubagentComplete?.({
+        subagentId,
+        input: { app: ep.appName, path: ep.path },
+        status: "failed"
+      });
+      return null;
+    }
+  });
+  for (const r of scored) {
+    if (r)
+      results.set(r.key, r.score);
+  }
+  return results;
+}
+async function scoreEndpoint(opts) {
+  const {
+    codebasePath,
+    endpoint: ep,
+    model,
+    session,
+    authConfig,
+    abortSignal,
+    callbacks
+  } = opts;
+  const lineRange = ep.line ? `around line ${ep.line}` : "";
+  const authInfo = ep.authRequired ? "Authentication required" : "No authentication required";
+  const objective = `# Endpoint Risk Score Assessment
+
+## Endpoint
+- **Method**: ${ep.method}
+- **Path**: ${ep.path}
+- **File**: ${ep.file} ${lineRange}
+- **Handler**: ${ep.handler ?? "unknown"}
+- **Auth**: ${authInfo}
+- **Description**: ${ep.description ?? "N/A"}
+
+## Task
+1. Read the source file at \`${ep.file}\` ${lineRange ? `(${lineRange})` : ""} to understand the implementation
+2. Analyze authentication requirements, data handling, business logic, and security patterns
+3. Score each dimension and provide your assessment via the \`response\` tool
+
+## Scoring Model
+
+### 1. Exposure Level (0-3)
+| Score | Description |
+|-------|-------------|
+| 3 | Public endpoint, no authentication required |
+| 2 | Requires standard user login |
+| 1 | Requires privileged/admin access |
+| 0 | Private, IP-restricted, or internal-only |
+
+### 2. Data Sensitivity (0-3)
+| Score | Example Data |
+|-------|-------------|
+| 3 | PII, PHI, financial data, passwords, tokens, secrets |
+| 2 | Business operations data, configs, settings |
+| 1 | Low-value or non-sensitive user data |
+| 0 | No meaningful data (static content, health checks) |
+
+### 3. Function Criticality (0-2)
+| Score | Examples |
+|-------|---------|
+| 2 | Auth flows, password resets, payments, permission changes |
+| 1 | Core product functionality (CRUD on user data) |
+| 0 | Non-critical content or utility endpoints |
+
+### 4. Security Indicators (0-2)
+| Score | Indicators |
+|-------|-----------|
+| 2 | Critical vuln patterns: SQL injection, command injection, hardcoded secrets, path traversal, unsafe deserialization |
+| 1 | Moderate concerns: missing input validation, weak error handling, missing output encoding, overly permissive CORS |
+| 0 | No obvious security issues — code follows best practices |
+
+**Final Score = Exposure + DataSensitivity + FunctionCriticality + SecurityIndicators (0-10)**
+
+Begin by reading the source code, then call \`response\` with your assessment.`;
+  const agent = new CodeAgent({
+    codebasePath,
+    objective,
+    system: RISK_SCORE_SYSTEM_PROMPT,
+    model,
+    session,
+    authConfig,
+    abortSignal,
+    callbacks,
+    responseSchema: RiskScoreResultSchema
+  });
+  const result = await agent.consume({
+    onError: (e) => callbacks?.onError?.(e),
+    subagentCallbacks: callbacks?.subagentCallbacks
+  });
+  if (!result) {
+    return {
+      score: 0,
+      explanation: "Risk scoring agent did not return a result",
+      breakdown: {
+        exposure: 0,
+        dataSensitivity: 0,
+        functionCriticality: 0,
+        securityIndicators: 0
+      }
+    };
+  }
+  const totalScore = result.exposure + result.dataSensitivity + result.functionCriticality + result.securityIndicators;
+  return {
+    score: totalScore,
+    explanation: result.justification,
+    breakdown: {
+      exposure: result.exposure,
+      dataSensitivity: result.dataSensitivity,
+      functionCriticality: result.functionCriticality,
+      securityIndicators: result.securityIndicators
+    }
+  };
+}
+
+// src/core/workflows/whiteboxAttackSurface.ts
+var DEFAULT_CONCURRENCY2 = 5;
+var WHITEBOX_CODE_AGENT_SYSTEM_PROMPT = `You are an expert source-code analyst with direct filesystem access. You will be given a specific objective — focus exclusively on completing it.
+
+Your focus is on **deployed applications and services** — APIs, web apps, microservices — that listen on a port and serve traffic. Ignore libraries, shared packages, SDKs, CLI tools, build scripts, and test suites unless they are part of a deployable service.
+
+# Tool Usage Guide
+
+## read_file
+Read the contents of any file. You can read the whole file or a specific line range.
+- When a file is large, read it in chunks using startLine / endLine to stay focused.
+- Follow imports and references — when you see an interesting function call, read its source.
+
+## list_files
+List files and directories. Use this to orient yourself in the codebase.
+- Start by listing the project root or relevant subdirectory to understand the structure.
+- Use recursive=true sparingly on targeted subdirectories to avoid flooding context.
+
+## grep
+Search file contents by pattern. This is your most powerful navigation tool.
+- Use it to find route definitions, middleware, controllers, endpoint registrations, etc.
+- Use -i for case-insensitive searches.
+- Use --include="*.ext" to narrow to relevant file types.
+- Use -C 3 or -C 5 to get context around matches.
+- Use -rn (default for directories) for recursive search with line numbers.
+- Use -l to get just file paths when you need a broad overview of where something appears.
+
+## execute_command
+Run shell commands when needed.
+- Use for build tools, git operations, package managers, linters, etc.
+
+## document_asset
+**Use this to document every significant asset you discover.** Each call persists a JSON record to the session's assets directory. Document assets as you discover them — don't wait until the end.
+
+Document these types of assets:
+- **web_application**: Each application/service you identify (include framework and technology stack in details)
+- **api**: API services or microservices (include base URL and authentication type in details)
+- **admin_panel**: Admin interfaces, dashboards, management UIs
+- **endpoint**: Notable endpoint groups — auth endpoints, file upload handlers, payment flows, admin routes
+- **development_asset**: Dev/staging environments, CI/CD pipelines, internal tools
+
+For each asset, include:
+- **assetName**: A unique descriptive name (e.g., "user-api", "admin-dashboard", "payment-service")
+- **assetType**: One of the types above
+- **description**: What it is, what it does, why it matters for security
+- **details**: Include \`technology\` (stack), \`endpoints\` (key routes), \`authentication\` (auth type), and \`url\` if known
+- **riskLevel**: CRITICAL for auth/payment/admin, HIGH for user data, MEDIUM for general functionality, LOW for static/public
+
+## response
+When your objective includes structured output, call \`response\` with your final results once you are done. This ends your run — make sure all data is included.
+
+# Working Approach
+1. **Orient first** — list files and read key entry points to understand the structure.
+2. **Ignore submodules** — check for a \`.gitmodules\` file or run \`git submodule status\`. Any directories that are git submodules are external dependencies and must be **completely excluded** from your analysis.
+3. **Search, then read** — use grep to locate what you need, then read the relevant files.
+4. **Document as you go** — call document_asset for every significant asset you discover. Don't batch them up.
+5. **Follow the trail** — trace through imports, function calls, and references to build full understanding.
+6. **Be thorough** — don't stop at the first match. Cover everything relevant to the objective.
+`;
+var AppInfoSchema = exports_external.object({
+  name: exports_external.string().describe("Application or service name"),
+  framework: exports_external.string().describe("Framework in use (e.g. Express, Next.js, Django, FastAPI, Rails)"),
+  description: exports_external.string().describe("Brief description of what this app does"),
+  location: exports_external.string().describe("Path to the app root relative to the repository root")
+});
+var AppsDiscoveryResultSchema = exports_external.object({
+  repoType: exports_external.string().describe("e.g. monorepo, single-app, multi-package"),
+  packageManager: exports_external.string().describe("e.g. npm, yarn, pnpm, pip, cargo, go modules"),
+  apps: exports_external.array(AppInfoSchema).describe("All applications/services discovered in the repository")
+});
+var EndpointsDiscoveryResultSchema = exports_external.object({
+  endpoints: exports_external.array(EndpointSchema).describe("All discovered endpoints")
+});
+async function runWhiteboxAttackSurfaceWorkflow(input) {
+  const {
+    codebasePath,
+    model,
+    session,
+    authConfig,
+    abortSignal,
+    callbacks,
+    attackSurfaceRegistry,
+    onStepFinish
+  } = input;
+  const appsAgent = new CodeAgent({
+    codebasePath,
+    objective: buildAppsDiscoveryObjective(codebasePath),
+    system: WHITEBOX_CODE_AGENT_SYSTEM_PROMPT,
+    model,
+    session,
+    authConfig,
+    abortSignal,
+    attackSurfaceRegistry,
+    callbacks,
+    onStepFinish: (event) => onStepFinish?.(event),
+    responseSchema: AppsDiscoveryResultSchema
+  });
+  const appsResult = await appsAgent.consume({
+    onTextDelta: (d) => callbacks?.onTextDelta?.(d),
+    onToolCallStreaming: (d) => callbacks?.onToolCallStreaming?.(d),
+    onToolCallDelta: (d) => callbacks?.onToolCallDelta?.(d),
+    onToolCall: (d) => callbacks?.onToolCall?.(d),
+    onToolResult: (d) => callbacks?.onToolResult?.(d),
+    onError: (e) => callbacks?.onError?.(e),
+    subagentCallbacks: callbacks?.subagentCallbacks
+  });
+  if (!appsResult || appsResult.apps.length === 0) {
+    return {
+      repoType: appsResult?.repoType ?? "unknown",
+      packageManager: appsResult?.packageManager ?? "unknown",
+      apps: [],
+      summary: {
+        totalApps: 0,
+        totalPages: 0,
+        totalApiEndpoints: 0,
+        totalPentestObjectives: 0
+      }
+    };
+  }
+  const tasks = appsResult.apps.flatMap((app) => [
+    { appInfo: app, type: "pages" },
+    { appInfo: app, type: "apiEndpoints" }
+  ]);
+  const taskResults = await runWithBoundedConcurrency(tasks, DEFAULT_CONCURRENCY2, async (task, _index) => {
+    const subagentId = `${task.type}-${task.appInfo.name}`;
+    callbacks?.subagentCallbacks?.onSubagentSpawn?.({
+      subagentId,
+      input: { app: task.appInfo.name, type: task.type },
+      status: "pending"
+    });
+    const objective = task.type === "pages" ? buildPagesDiscoveryObjective(codebasePath, task.appInfo) : buildApiEndpointsDiscoveryObjective(codebasePath, task.appInfo);
+    const agent = new CodeAgent({
+      codebasePath,
+      objective,
+      system: WHITEBOX_CODE_AGENT_SYSTEM_PROMPT,
+      model,
+      session,
+      authConfig,
+      abortSignal,
+      attackSurfaceRegistry,
+      callbacks,
+      onStepFinish: (event) => onStepFinish?.(event),
+      responseSchema: EndpointsDiscoveryResultSchema
+    });
+    try {
+      const result = await agent.consume({
+        onError: (e) => callbacks?.onError?.(e),
+        subagentCallbacks: callbacks?.subagentCallbacks ? {
+          onTextDelta: (d) => callbacks.subagentCallbacks.onTextDelta?.({
+            ...d,
+            subagentId
+          }),
+          onToolCallStreaming: (d) => callbacks.subagentCallbacks.onToolCallStreaming?.({
+            ...d,
+            subagentId
+          }),
+          onToolCallDelta: (d) => callbacks.subagentCallbacks.onToolCallDelta?.({
+            ...d,
+            subagentId
+          }),
+          onToolCall: (d) => callbacks.subagentCallbacks.onToolCall?.({
+            ...d,
+            subagentId
+          }),
+          onToolResult: (d) => callbacks.subagentCallbacks.onToolResult?.({
+            ...d,
+            subagentId
+          }),
+          onError: (e) => callbacks.subagentCallbacks.onError?.(e)
+        } : undefined
+      });
+      callbacks?.subagentCallbacks?.onSubagentComplete?.({
+        subagentId,
+        input: { app: task.appInfo.name, type: task.type },
+        status: "completed"
+      });
+      return {
+        appName: task.appInfo.name,
+        type: task.type,
+        endpoints: result?.endpoints ?? []
+      };
+    } catch (error) {
+      callbacks?.subagentCallbacks?.onSubagentComplete?.({
+        subagentId,
+        input: { app: task.appInfo.name, type: task.type },
+        status: "failed"
+      });
+      return { appName: task.appInfo.name, type: task.type, endpoints: [] };
+    }
+  });
+  const pagesByApp = new Map;
+  const apiEndpointsByApp = new Map;
+  for (const r of taskResults) {
+    if (!r)
+      continue;
+    const map = r.type === "pages" ? pagesByApp : apiEndpointsByApp;
+    map.set(r.appName, r.endpoints);
+  }
+  const allEndpointsForScoring = appsResult.apps.flatMap((appInfo) => {
+    const pages = pagesByApp.get(appInfo.name) ?? [];
+    const apiEps = apiEndpointsByApp.get(appInfo.name) ?? [];
+    return [...pages, ...apiEps].map((ep) => ({
+      ...ep,
+      appName: appInfo.name
+    }));
+  });
+  let riskScores = new Map;
+  if (allEndpointsForScoring.length > 0) {
+    try {
+      riskScores = await scoreEndpoints({
+        codebasePath,
+        endpoints: allEndpointsForScoring,
+        model,
+        session,
+        authConfig,
+        abortSignal,
+        callbacks
+      });
+      console.log(`Risk scoring complete: ${riskScores.size}/${allEndpointsForScoring.length} endpoints scored`);
+    } catch (error) {
+      console.error("Risk scoring phase failed, continuing without scores:", error);
+    }
+  }
+  function attachRiskScore(ep) {
+    const key = `${ep.method}:${ep.file}:${ep.path}`;
+    const score = riskScores.get(key);
+    return score ? { ...ep, riskScore: score } : ep;
+  }
+  const apps = appsResult.apps.map((appInfo) => ({
+    name: appInfo.name,
+    framework: appInfo.framework,
+    description: appInfo.description,
+    location: appInfo.location,
+    pages: (pagesByApp.get(appInfo.name) ?? []).map(attachRiskScore),
+    apiEndpoints: (apiEndpointsByApp.get(appInfo.name) ?? []).map(attachRiskScore)
+  }));
+  const totalPages = apps.reduce((sum, a) => sum + a.pages.length, 0);
+  const totalApiEndpoints = apps.reduce((sum, a) => sum + a.apiEndpoints.length, 0);
+  const totalPentestObjectives = apps.reduce((sum, a) => sum + [...a.pages, ...a.apiEndpoints].reduce((s, ep) => s + ep.pentestObjectives.length, 0), 0);
+  return {
+    repoType: appsResult.repoType,
+    packageManager: appsResult.packageManager,
+    apps,
+    summary: {
+      totalApps: apps.length,
+      totalPages,
+      totalApiEndpoints,
+      totalPentestObjectives
+    }
+  };
+}
+function buildAppsDiscoveryObjective(codebasePath) {
+  return `# Identify All Applications in the Repository
+
+## Codebase
+- **Path:** ${codebasePath}
+
+## Task
+Analyze the repository structure and identify every **deployed application or service** (APIs, web apps, microservices) defined within it.
+
+**IMPORTANT: Only include deployable apps and services.** Exclude:
+- Libraries, SDKs, and shared packages that are consumed by other code but not deployed on their own
+- Git submodules (external dependencies)
+- Build tools, scripts, CLI utilities, and dev tooling
+- Test suites, fixtures, and test helpers
+- Documentation packages
+
+An app/service qualifies if it **listens on a port, serves HTTP traffic, or runs as a deployed process** (e.g. an Express server, a Next.js app, a Django project, a FastAPI service, a background worker with an API).
+
+### Steps
+1. List the root directory and read top-level config files (package.json, requirements.txt, Cargo.toml, go.mod, etc.)
+2. **Check for git submodules** — run \`git submodule status\` or check for a \`.gitmodules\` file. Exclude all submodule directories.
+3. Determine the **repo type**: monorepo (workspaces), single-app, multi-package, etc.
+4. Determine the **package manager**: npm, yarn, pnpm, pip, cargo, go modules, etc.
+5. Identify all **deployable** applications/services (ignoring submodules, libraries, and shared packages):
+   - For monorepos: look at workspace packages that have their own server entry point, Dockerfile, or deploy config — skip packages that are libraries/utilities consumed by other packages
+   - For multi-service repos: look at separate service directories with their own server startup
+   - For single apps: the root is the app
+6. For each app, determine:
+   - **name**: the application or service name
+   - **framework**: the web framework (Express, Next.js, Django, FastAPI, Rails, Spring, etc.)
+   - **description**: brief summary of what it does
+   - **location**: path relative to the repository root
+
+When finished, call the \`response\` tool with your structured findings.`;
+}
+function buildPagesDiscoveryObjective(codebasePath, appInfo) {
+  return `# Find All Web Pages in ${appInfo.name}
+
+## Codebase
+- **Repository root:** ${codebasePath}
+- **App location:** ${appInfo.location}
+- **Framework:** ${appInfo.framework}
+
+## Task
+Find ALL web pages, views, and routes that render HTML or serve client-side UI in this application.
+
+### What to look for (by framework)
+- **React/Next.js**: pages/ or app/ directory, route components, layout files
+- **Express**: res.render(), res.sendFile(), static file serving, template routes
+- **Django**: urls.py patterns pointing to template views, class-based views with template_name
+- **Rails**: routes.rb entries pointing to controller actions that render views
+- **Vue/Nuxt**: pages/ directory, router definitions
+- **FastAPI**: routes returning HTMLResponse, Jinja2 template responses
+- **Spring**: @Controller methods returning view names, Thymeleaf templates
+
+### For each page, provide
+- **method**: "PAGE" or "GET"
+- **path**: the route path (e.g. /dashboard, /settings)
+- **handler**: the handler function or component name (if identifiable)
+- **file**: the file where this page is defined
+- **line**: line number (if determinable)
+- **authRequired**: whether the page requires authentication (look for middleware, guards, decorators)
+- **description**: brief description of what this page shows
+- **pentestObjectives**: specific testing goals, e.g.:
+  - "Test for XSS in user-editable fields on the profile page"
+  - "Test for authorization bypass — access admin dashboard as regular user"
+  - "Test for CSRF on the settings update form"
+
+Be thorough — examine every route file, every page directory, every template.
+When finished, call the \`response\` tool with your structured findings.`;
+}
+function buildApiEndpointsDiscoveryObjective(codebasePath, appInfo) {
+  return `# Find All API Endpoints in ${appInfo.name}
+
+## Codebase
+- **Repository root:** ${codebasePath}
+- **App location:** ${appInfo.location}
+- **Framework:** ${appInfo.framework}
+
+## Task
+Find ALL API endpoints defined in this application.
+
+### What to look for (by framework)
+- **Express**: app.get(), app.post(), router.get(), router.post(), router.put(), router.delete(), etc.
+- **Next.js**: app/api/ or pages/api/ route handlers (GET, POST, PUT, DELETE exports)
+- **Django**: urls.py patterns pointing to API views, DRF viewsets, routers, @api_view decorators
+- **FastAPI**: @app.get(), @app.post(), @app.put(), @app.delete() decorators
+- **Rails**: routes.rb API namespaces, resources, controller actions
+- **Spring**: @GetMapping, @PostMapping, @PutMapping, @DeleteMapping, @RequestMapping
+- **Go**: http.HandleFunc, mux.Handle, gin router methods
+
+### For each endpoint, provide
+- **method**: HTTP method (GET, POST, PUT, DELETE, PATCH, etc.)
+- **path**: the route path (e.g. /api/users/:id, /api/orders)
+- **handler**: the handler function name (if identifiable)
+- **file**: the file where this endpoint is defined
+- **line**: line number (if determinable)
+- **authRequired**: whether the endpoint requires authentication (look for auth middleware, decorators, guards)
+- **description**: brief description of what this endpoint does
+- **pentestObjectives**: specific testing goals, e.g.:
+  - "Test for SQL injection in the 'search' query parameter"
+  - "Test for IDOR by accessing /api/orders/{id} with other users' order IDs"
+  - "Test for privilege escalation by calling admin-only endpoint as regular user"
+  - "Test for mass assignment by sending extra fields in the POST body"
+  - "Test for rate limiting on the login endpoint"
+
+Be thorough — trace through all route registrations, middleware chains, and controller files.
+When finished, call the \`response\` tool with your structured findings.`;
+}
+
+// src/core/workflows/pentest.ts
+var DEFAULT_CONCURRENCY3 = 10;
+function addUsageTotals(totals, usage) {
+  if (!usage)
+    return;
+  const inputTokens = usage.inputTokens ?? 0;
+  const outputTokens = usage.outputTokens ?? 0;
+  const totalTokens = usage.totalTokens ?? inputTokens + outputTokens;
+  totals.inputTokens += inputTokens;
+  totals.outputTokens += outputTokens;
+  totals.totalTokens += totalTokens;
+}
+async function runPentestSwarm(input) {
+  const {
+    targets,
+    model,
+    session,
+    authConfig,
+    abortSignal,
+    findingsRegistry,
+    subagentCallbacks,
+    onError,
+    concurrency = DEFAULT_CONCURRENCY3,
+    onStepFinish
+  } = input;
+  const completedIds = getCompletedAgentIds(session);
+  const existingManifest = readAgentManifest(session);
+  const freshEntries = buildManifestEntries(targets);
+  const manifestEntries = freshEntries.map((fresh) => {
+    const existing = existingManifest.find((e) => e.id === fresh.id);
+    if (existing && existing.status === "completed")
+      return existing;
+    return fresh;
+  });
+  writeAgentManifest(session, manifestEntries);
+  const results = await runWithBoundedConcurrency(targets, concurrency, async (target, index) => {
+    const subagentId = `pentest-agent-${index + 1}`;
+    if (completedIds.has(subagentId))
+      return null;
+    const previousMessages = loadSubagentMessages(session, subagentId);
+    let lastMessages = [];
+    const handleStepFinish = (e) => {
+      if (e.response.messages) {
+        lastMessages = e.response.messages;
+      }
+      onStepFinish?.(e);
+    };
+    const wrappedCallbacks = subagentCallbacks ? {
+      onTextDelta: (d) => subagentCallbacks.onTextDelta?.({ ...d, subagentId }),
+      onToolCallStreaming: (d) => subagentCallbacks.onToolCallStreaming?.({
+        ...d,
+        subagentId
+      }),
+      onToolCallDelta: (d) => subagentCallbacks.onToolCallDelta?.({ ...d, subagentId }),
+      onToolCall: (d) => subagentCallbacks.onToolCall?.({ ...d, subagentId }),
+      onToolResult: (d) => subagentCallbacks.onToolResult?.({ ...d, subagentId }),
+      onError: (e) => subagentCallbacks.onError?.(e)
+    } : undefined;
+    subagentCallbacks?.onSubagentSpawn?.({
+      subagentId,
+      name: target.name,
+      input: { target: target.target, objectives: target.objectives },
+      status: "pending"
+    });
+    try {
+      const agent = new TargetedPentestAgent({
+        target: target.target,
+        objectives: target.objectives,
+        model,
+        session,
+        authConfig,
+        abortSignal,
+        findingsRegistry,
+        onStepFinish: handleStepFinish,
+        messages: previousMessages.length > 0 ? previousMessages : undefined
+      });
+      const result = await agent.consume({
+        onError: (e) => onError?.(e),
+        subagentCallbacks: wrappedCallbacks
+      });
+      saveSubagentData(session, {
+        agentName: subagentId,
+        target: target.target,
+        objective: target.objectives.join("; "),
+        status: "completed",
+        findingsCount: result.findings.length,
+        messages: [...previousMessages, ...lastMessages]
+      });
+      updateManifestEntryStatus(session, subagentId, "completed");
+      subagentCallbacks?.onSubagentComplete?.({
+        subagentId,
+        input: { target: target.target, objectives: target.objectives },
+        status: "completed"
+      });
+      return result;
+    } catch (error) {
+      saveSubagentData(session, {
+        agentName: subagentId,
+        target: target.target,
+        objective: target.objectives.join("; "),
+        status: "failed",
+        error: error instanceof Error ? error.message : String(error),
+        messages: [...previousMessages, ...lastMessages]
+      });
+      updateManifestEntryStatus(session, subagentId, "failed");
+      subagentCallbacks?.onSubagentComplete?.({
+        subagentId,
+        input: { target: target.target, objectives: target.objectives },
+        status: "failed"
+      });
+      throw error;
+    }
+  }, abortSignal);
+  finalizeManifest(session, manifestEntries, results);
+  return results;
+}
+async function runPentestWorkflow(input) {
+  const { target, cwd, model, session, authConfig, abortSignal, callbacks } = input;
+  const startedAt = Date.now();
+  const tokenUsageTotals = {
+    inputTokens: 0,
+    outputTokens: 0,
+    totalTokens: 0
+  };
+  const onStepFinish = (event) => {
+    addUsageTotals(tokenUsageTotals, event.usage);
+  };
+  try {
+    const mode = cwd ? "whitebox" : "blackbox";
+    let swarmTargets;
+    const existingResults = loadAttackSurfaceResults(session.rootPath);
+    if (existingResults?.targets && existingResults.targets.length > 0) {
+      swarmTargets = existingResults.targets.map((t) => ({
+        target: t.target,
+        objectives: [t.objective]
+      }));
+    } else if (mode === "whitebox") {
+      swarmTargets = await runWhiteboxPhase({
+        codebasePath: cwd,
+        baseTarget: target,
+        model,
+        session,
+        authConfig,
+        abortSignal,
+        callbacks,
+        onStepFinish
+      });
+    } else {
+      swarmTargets = await runBlackboxPhase({
+        target,
+        model,
+        session,
+        authConfig,
+        abortSignal,
+        callbacks,
+        onStepFinish
+      });
+    }
+    if (abortSignal?.aborted) {
+      throw new DOMException("Pentest aborted by user", "AbortError");
+    }
+    if (swarmTargets.length === 0) {
+      const report2 = buildPentestReport([], {
+        target,
+        model,
+        sessionId: session.id,
+        mode
+      });
+      const mdPath2 = join4(session.rootPath, REPORT_FILENAME_MD);
+      const jsonPath2 = join4(session.rootPath, REPORT_FILENAME_JSON);
+      writeFileSync3(mdPath2, renderMarkdown(report2));
+      writeFileSync3(jsonPath2, renderJson(report2));
+      return {
+        findings: [],
+        findingsPath: session.findingsPath,
+        pocsPath: session.pocsPath,
+        reportPath: mdPath2
+      };
+    }
+    const findingsRegistry = FindingsRegistry.fromDirectory(session.findingsPath, {
+      model,
+      authConfig,
+      abortSignal
+    });
+    const completedCount = getCompletedAgentIds(session).size;
+    if (completedCount < swarmTargets.length) {
+      await runPentestSwarm({
+        targets: swarmTargets,
+        model,
+        session,
+        authConfig,
+        abortSignal,
+        findingsRegistry,
+        subagentCallbacks: callbacks?.subagentCallbacks,
+        onError: (e) => callbacks?.onError?.(e),
+        onStepFinish
+      });
+    }
+    if (abortSignal?.aborted) {
+      throw new DOMException("Pentest aborted by user", "AbortError");
+    }
+    const findings = loadFindings(session.findingsPath);
+    const report = buildPentestReport(findings, {
+      target,
+      model,
+      sessionId: session.id,
+      mode
+    });
+    const mdPath = join4(session.rootPath, REPORT_FILENAME_MD);
+    const jsonPath = join4(session.rootPath, REPORT_FILENAME_JSON);
+    writeFileSync3(mdPath, renderMarkdown(report));
+    writeFileSync3(jsonPath, renderJson(report));
+    return {
+      findings,
+      findingsPath: session.findingsPath,
+      pocsPath: session.pocsPath,
+      reportPath: mdPath
+    };
+  } finally {
+    const runtime = formatDurationHmsFromMs(Date.now() - startedAt);
+    writeExecutionMetrics({
+      sessionRootPath: session.rootPath,
+      tokenUsage: tokenUsageTotals,
+      runtime
+    });
+  }
+}
+async function runWhiteboxPhase(opts) {
+  const workflowInput = {
+    codebasePath: opts.codebasePath,
+    model: opts.model,
+    session: opts.session,
+    authConfig: opts.authConfig,
+    abortSignal: opts.abortSignal,
+    callbacks: opts.callbacks,
+    onStepFinish: opts.onStepFinish
+  };
+  const result = await runWhiteboxAttackSurfaceWorkflow(workflowInput);
+  return result.apps.flatMap((app) => [...app.pages, ...app.apiEndpoints].map((ep) => ({
+    target: ep.path.startsWith("http") ? ep.path : `${opts.baseTarget}${ep.path}`,
+    objectives: ep.pentestObjectives
+  })));
+}
+async function runBlackboxPhase(opts) {
+  let lastMessages = [];
+  const agentInput = {
+    target: opts.target,
+    model: opts.model,
+    session: opts.session,
+    authConfig: opts.authConfig,
+    abortSignal: opts.abortSignal,
+    callbacks: opts.callbacks,
+    onStepFinish: (e) => {
+      if (e.response.messages) {
+        lastMessages = e.response.messages;
+      }
+      opts.onStepFinish?.(e);
+    }
+  };
+  const agent = new BlackboxAttackSurfaceAgent(agentInput);
+  try {
+    const result = await agent.consume({
+      onTextDelta: (d) => opts.callbacks?.onTextDelta?.(d),
+      onToolCallStreaming: (d) => opts.callbacks?.onToolCallStreaming?.(d),
+      onToolCallDelta: (d) => opts.callbacks?.onToolCallDelta?.(d),
+      onToolCall: (d) => opts.callbacks?.onToolCall?.(d),
+      onToolResult: (d) => opts.callbacks?.onToolResult?.(d),
+      onError: (e) => opts.callbacks?.onError?.(e),
+      subagentCallbacks: opts.callbacks?.subagentCallbacks
+    });
+    saveSubagentData(opts.session, {
+      agentName: "attack-surface-agent",
+      target: opts.target,
+      status: "completed",
+      messages: lastMessages
+    });
+    return result.targets.map((t) => ({
+      target: t.target,
+      objectives: [t.objective]
+    }));
+  } catch (e) {
+    saveSubagentData(opts.session, {
+      agentName: "attack-surface-agent",
+      target: opts.target,
+      status: "failed",
+      error: e instanceof Error ? e.message : String(e),
+      messages: lastMessages
+    });
+    throw e;
+  }
+}
+function loadFindings(findingsPath) {
+  if (!existsSync4(findingsPath)) {
+    return [];
+  }
+  return readdirSync2(findingsPath).filter((f) => f.endsWith(".json")).map((f) => {
+    try {
+      const content = readFileSync4(join4(findingsPath, f), "utf-8");
+      return JSON.parse(content);
+    } catch {
+      return null;
+    }
+  }).filter((f) => f !== null);
+}
+
+export { REPORT_FILENAME_MD, convertModelMessagesToUI, readExecutionMetrics, writeExecutionMetrics, loadSessionState, DEFAULT_CONCURRENCY3 as DEFAULT_CONCURRENCY, runPentestSwarm, runPentestWorkflow };