@pensar/apex 0.0.112 → 0.0.113-canary.8a0cb7bc

package/build/{cli-yj3dy0vg.js → cli-8q94bv77.js}

@@ -3,7 +3,7 @@ import { spawnSync } from "child_process";
 // package.json
 var package_default = {
   name: "@pensar/apex",
-  version: "0.0.112",
+  version: "0.0.113-canary.8a0cb7bc",
   description: "AI-powered penetration testing CLI tool with terminal UI",
   module: "src/tui/index.tsx",
   main: "build/cli.js",
@@ -83,7 +83,7 @@ var package_default = {
     "@ai-sdk/amazon-bedrock": "^4.0.69",
     "@ai-sdk/anthropic": "^3.0.50",
     "@ai-sdk/google": "^3.0.37",
-    "@ai-sdk/openai": "^3.0.37",
+    "@ai-sdk/openai": "3.0.46",
     "@ai-sdk/openai-compatible": "^2.0.35",
     "@daytonaio/sdk": "^0.112.1",
     "@googleapis/gmail": "^16.1.1",

package/build/{cli-jh38b6zv.js → cli-8sm33f4k.js}

@@ -3,7 +3,7 @@ import {
   generateObjectResponse,
   init_zod,
   zod_default
-} from "./cli-kqtgcdzn.js";
+} from "./cli-5ekr1ws4.js";
 import {
   __callDispose,
   __esm,

package/build/{cli-w04ggbe4.js → cli-8yze7t68.js}

@@ -1,9 +1,9 @@
 import {
   OffensiveSecurityAgent
-} from "./cli-r8r90gka.js";
+} from "./cli-khem6ept.js";
 import {
   stepCountIs
-} from "./cli-kqtgcdzn.js";
+} from "./cli-5ekr1ws4.js";
 
 // src/core/agents/specialized/codeAgent/prompts.ts
 var CODE_AGENT_SYSTEM_PROMPT = `You are an expert coding agent with direct filesystem access. You will be given a specific objective — focus exclusively on completing it.

package/build/{cli-j66pect7.js → cli-9tzcmrd4.js}

@@ -1,7 +1,9 @@
 import {
   config,
-  getPensarApiUrl
-} from "./cli-bp6d08sg.js";
+  ensureValidToken,
+  getPensarApiUrl,
+  getPensarGatewayUrl
+} from "./cli-16m30n7b.js";
 
 // src/core/auth/device-flow.ts
 function sleep(ms) {
@@ -199,4 +201,37 @@ ${bodyHash}`;
   const signature = createHmac("sha256", signingKey).update(payload).digest("base64");
   return { signature, timestamp, nonce };
 }
-export { signGatewayRequest, startDeviceFlow, pollWorkOSToken, pollLegacyToken, fetchWorkspaces, pollForWorkspaceCreation, selectWorkspace, isConnected, disconnect };
+// src/core/auth/gateway.ts
+async function validateGateway() {
+  const cfg = await config.get();
+  const tokenResult = await ensureValidToken({
+    accessToken: cfg.accessToken,
+    refreshToken: cfg.refreshToken,
+    pensarAPIKey: cfg.pensarAPIKey
+  });
+  if (!tokenResult)
+    return null;
+  const gatewayUrl = cfg.gatewayUrl || getPensarGatewayUrl();
+  const headers = {
+    Authorization: `Bearer ${tokenResult.token}`
+  };
+  if (cfg.workspaceId) {
+    headers["X-Workspace-Id"] = cfg.workspaceId;
+  }
+  const response = await fetch(`${gatewayUrl}/gateway/validate`, {
+    method: "GET",
+    headers
+  });
+  if (!response.ok) {
+    throw new Error(`Gateway validation failed (${response.status})`);
+  }
+  const result = await response.json();
+  if (result.signingKey || result.gatewayUrl) {
+    await config.update({
+      gatewaySigningKey: result.signingKey ?? undefined,
+      gatewayUrl: result.gatewayUrl ?? undefined
+    });
+  }
+  return result;
+}
+export { signGatewayRequest, startDeviceFlow, pollWorkOSToken, pollLegacyToken, fetchWorkspaces, pollForWorkspaceCreation, selectWorkspace, isConnected, disconnect, validateGateway };

package/build/{cli-f9shhcxf.js → cli-ee7y516a.js}

@@ -1,23 +1,23 @@
 import {
   TargetedPentestAgent
-} from "./cli-e20q3hqz.js";
+} from "./cli-vzq3vcqa.js";
 import {
   CodeAgent
-} from "./cli-w04ggbe4.js";
+} from "./cli-8yze7t68.js";
 import {
   EndpointSchema
-} from "./cli-2ckm5es2.js";
+} from "./cli-renwxhw7.js";
 import {
   BlackboxAttackSurfaceAgent
-} from "./cli-hmrzx8am.js";
+} from "./cli-0atrar08.js";
 import {
   CweEntrySchema,
   FindingsRegistry
-} from "./cli-r8r90gka.js";
+} from "./cli-khem6ept.js";
 import {
   exports_external,
   init_zod
-} from "./cli-kqtgcdzn.js";
+} from "./cli-5ekr1ws4.js";
 
 // src/core/workflows/pentest.ts
 import { existsSync as existsSync4, readdirSync as readdirSync2, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";

package/build/{cli-r8r90gka.js → cli-khem6ept.js}

@@ -17,7 +17,7 @@ import {
   update,
   write,
   writeRaw
-} from "./cli-jh38b6zv.js";
+} from "./cli-8sm33f4k.js";
 import {
   _enum,
   _null,
@@ -46,18 +46,18 @@ import {
   union,
   unknown,
   zod_default
-} from "./cli-kqtgcdzn.js";
+} from "./cli-5ekr1ws4.js";
 import {
   signGatewayRequest
-} from "./cli-j66pect7.js";
+} from "./cli-9tzcmrd4.js";
 import {
   config,
   ensureValidToken,
   getPensarApiUrl
-} from "./cli-bp6d08sg.js";
+} from "./cli-16m30n7b.js";
 import {
   getCurrentVersion
-} from "./cli-yj3dy0vg.js";
+} from "./cli-8q94bv77.js";
 import {
   __commonJS,
   __require,
@@ -90321,6 +90321,7 @@ Each asset creates a JSON file in the assets directory for tracking and analysis
         return val;
       }, exports_external.enum(["LOW", "MEDIUM", "HIGH", "CRITICAL"])).describe("Risk level: LOW-CRITICAL (exposed/sensitive)"),
       notes: exports_external.string().optional().describe("Additional notes or observations about the asset"),
+      pentestObjectives: exports_external.array(exports_external.string()).describe("Specific pentest objectives for this asset — what a pentest agent should test (e.g., 'Test for IDOR in /api/orders/{id}')"),
       toolCallDescription: exports_external.string().describe("A concise, human-readable description of what this tool call is doing")
     }),
     execute: async (asset) => {
@@ -90665,7 +90666,7 @@ When to use delegate_to_auth_subagent vs authenticate_session:
         if (credentials) {
           ctx.session.credentialManager.addFromAuthCredentials(credentials);
         }
-        const { runAuthenticationAgent } = await import("./authentication-nya4td5k.js");
+        const { runAuthenticationAgent } = await import("./authentication-b5h01t7q.js");
         const subagentCallbacks = cbs ? {
           onTextDelta: (d) => cbs.onTextDelta?.({ ...d, subagentId }),
           onToolCall: (d) => cbs.onToolCall?.({ ...d, subagentId }),
@@ -91567,7 +91568,7 @@ should be passed directly to spawn_pentest_swarm for deep testing.`,
       });
       if (cwd) {
         try {
-          const { WhiteboxAttackSurfaceAgent } = await import("./agent-5qdmmchx.js");
+          const { WhiteboxAttackSurfaceAgent } = await import("./agent-bmamdgbm.js");
           const agent = new WhiteboxAttackSurfaceAgent({
             codebasePath: cwd,
             model: ctx.model,
@@ -91619,7 +91620,7 @@ should be passed directly to spawn_pentest_swarm for deep testing.`,
         }
       }
       try {
-        const { BlackboxAttackSurfaceAgent } = await import("./blackboxAgent-qa9ze2hn.js");
+        const { BlackboxAttackSurfaceAgent } = await import("./blackboxAgent-91vnvpa8.js");
         const agent = new BlackboxAttackSurfaceAgent({
           target,
           model: ctx.model,
@@ -91698,7 +91699,7 @@ Pass every target you want tested — the swarm handles concurrency automaticall
       toolCallDescription: exports_external.string().describe("A concise, human-readable description of what this tool call is doing")
     }),
     execute: async ({ targets }) => {
-      const { runPentestSwarm, DEFAULT_CONCURRENCY } = await import("./pentest-zzebnfa0.js");
+      const { runPentestSwarm, DEFAULT_CONCURRENCY } = await import("./pentest-5wc29t2w.js");
       if (!ctx.model) {
         return {
           success: false,
@@ -91825,7 +91826,7 @@ Returns an array of results with the text output from each agent.`,
   });
 }
 async function runSingleCodingAgent(ctx, codebasePath, objective, agentIndex, name) {
-  const { CodeAgent } = await import("./agent-s2z0dasf.js");
+  const { CodeAgent } = await import("./agent-5nnw5gdw.js");
   const subagentId = `coding-agent-${agentIndex}`;
   ctx.subagentCallbacks?.onSubagentSpawn?.({
     subagentId,

package/build/{cli-2ckm5es2.js → cli-renwxhw7.js}

@@ -1,7 +1,7 @@
 import {
   exports_external,
   init_zod
-} from "./cli-kqtgcdzn.js";
+} from "./cli-5ekr1ws4.js";
 
 // src/core/agents/specialized/whiteboxAttackSurface/types.ts
 init_zod();

package/build/{cli-x1msjf55.js → cli-rjfkex2j.js}

@@ -2,7 +2,7 @@ import {
   config,
   ensureValidToken,
   getPensarApiUrl
-} from "./cli-bp6d08sg.js";
+} from "./cli-16m30n7b.js";
 
 // src/core/api/issues.ts
 async function getAuthHeaders() {
@@ -19,7 +19,7 @@ async function getAuthHeaders() {
     "Content-Type": "application/json",
     Authorization: `Bearer ${validToken.token}`
   };
-  if (validToken.type === "workos" && cfg.workspaceId) {
+  if (cfg.workspaceId) {
     headers["X-Workspace-Id"] = cfg.workspaceId;
   }
   return headers;

package/build/{cli-e20q3hqz.js → cli-vzq3vcqa.js}

@@ -1,10 +1,10 @@
 import {
   OffensiveSecurityAgent
-} from "./cli-r8r90gka.js";
+} from "./cli-khem6ept.js";
 import {
   exports_external,
   init_zod
-} from "./cli-kqtgcdzn.js";
+} from "./cli-5ekr1ws4.js";
 
 // src/core/agents/specialized/pentest/agent.ts
 init_zod();

package/build/cli.js

@@ -1,13 +1,13 @@
 #!/usr/bin/env bun
 // @bun
-import"./cli-kqtgcdzn.js";
-import"./cli-j66pect7.js";
-import"./cli-bp6d08sg.js";
-import"./cli-jb0gcnrs.js";
+import"./cli-5ekr1ws4.js";
+import"./cli-9tzcmrd4.js";
+import"./cli-16m30n7b.js";
+import"./cli-3tntsb59.js";
 import {
   package_default
-} from "./cli-yj3dy0vg.js";
-import"./cli-15vxn9zj.js";
+} from "./cli-8q94bv77.js";
+import"./cli-0tpx8khk.js";
 import"./cli-7ckctq7a.js";
 import {
   __require,
@@ -16,7 +16,7 @@ import {
 // package.json
 var package_default2 = {
   name: "@pensar/apex",
-  version: "0.0.112",
+  version: "0.0.113-canary.8a0cb7bc",
   description: "AI-powered penetration testing CLI tool with terminal UI",
   module: "src/tui/index.tsx",
   main: "build/cli.js",
@@ -96,7 +96,7 @@ var package_default2 = {
     "@ai-sdk/amazon-bedrock": "^4.0.69",
     "@ai-sdk/anthropic": "^3.0.50",
     "@ai-sdk/google": "^3.0.37",
-    "@ai-sdk/openai": "^3.0.37",
+    "@ai-sdk/openai": "3.0.46",
     "@ai-sdk/openai-compatible": "^2.0.35",
     "@daytonaio/sdk": "^0.112.1",
     "@googleapis/gmail": "^16.1.1",
@@ -351,10 +351,10 @@ Global options:
 async function runPentest() {
   const { config: config2 } = await import("./main-2483qzbq.js").then((m)=>__toESM(m.default,1));
   config2();
-  const { runPentestAgent } = await import("./blackboxPentest-85hwznet.js");
-  const { sessions } = await import("./index-vwvh1rdw.js");
-  const { config: appConfig } = await import("./index-5ke2yd32.js");
-  const { getDefaultModelForConfig } = await import("./utils-jky0th19.js");
+  const { runPentestAgent } = await import("./blackboxPentest-xtevpnvk.js");
+  const { sessions } = await import("./index-7etzc7sn.js");
+  const { config: appConfig } = await import("./index-c6x1x3cq.js");
+  const { getDefaultModelForConfig } = await import("./utils-9fhmzzzh.js");
   const target = getArgRequired("--target");
   const cwd = getArg("--cwd");
   const mode = getArg("--mode");
@@ -408,10 +408,10 @@ Report:    ${reportPath}` : ""}`);
 async function runTargetedPentest() {
   const { config: config2 } = await import("./main-2483qzbq.js").then((m)=>__toESM(m.default,1));
   config2();
-  const { runTargetedPentestAgent } = await import("./targetedPentest-w2c85whf.js");
-  const { sessions } = await import("./index-vwvh1rdw.js");
-  const { config: appConfig } = await import("./index-5ke2yd32.js");
-  const { getDefaultModelForConfig } = await import("./utils-jky0th19.js");
+  const { runTargetedPentestAgent } = await import("./targetedPentest-5zyade2x.js");
+  const { sessions } = await import("./index-7etzc7sn.js");
+  const { config: appConfig } = await import("./index-c6x1x3cq.js");
+  const { getDefaultModelForConfig } = await import("./utils-9fhmzzzh.js");
   const target = getArgRequired("--target");
   const objectives = getAllArgs("--objective");
   const pensarConfig = await appConfig.get();
@@ -472,25 +472,25 @@ if (command === "version" || command === "--version" || command === "-v") {
   await runTargetedPentest();
 } else if (command === "auth") {
   process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
-  await import("./auth-jvq72ekc.js");
+  await import("./auth-ynsrm9bf.js");
 } else if (command === "uninstall") {
   process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
-  await import("./uninstall-2j0pymb0.js");
+  await import("./uninstall-s3r4kj3h.js");
 } else if (command === "projects") {
   process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
-  await import("./projects-tr719twv.js");
+  await import("./projects-hkmq4y05.js");
 } else if (command === "pentests") {
   process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
-  await import("./pentests-s9fwd71b.js");
+  await import("./pentests-8yxnj9kr.js");
 } else if (command === "issues") {
   process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
-  await import("./issues-kx721wja.js");
+  await import("./issues-6dvz3xwg.js");
 } else if (command === "fixes") {
   process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
-  await import("./fixes-1r6v7kh2.js");
+  await import("./fixes-8dt41pqr.js");
 } else if (command === "logs") {
   process.argv = [process.argv[0], process.argv[1], ...args.slice(1)];
-  await import("./logs-hav7d0nm.js");
+  await import("./logs-21t24e4n.js");
 } else if (command === "doctor") {
   const { runDoctor } = await import("./doctor-b7612pzw.js");
   await runDoctor();
@@ -500,7 +500,7 @@ if (command === "version" || command === "--version" || command === "-v") {
     console.error("All other commands work with Node \u2014 run 'pensar --help'.");
     process.exit(1);
   }
-  await import("./index-9ze42wn7.js");
+  await import("./index-42y4vj9f.js");
 } else {
   console.error(`Error: Unknown command '${command}'`);
   console.error();

package/build/{fixes-1r6v7kh2.js → fixes-8dt41pqr.js}

@@ -2,10 +2,10 @@
 import {
   getFix,
   listFixes
-} from "./cli-x1msjf55.js";
-import"./cli-bp6d08sg.js";
-import"./cli-jb0gcnrs.js";
-import"./cli-yj3dy0vg.js";
+} from "./cli-rjfkex2j.js";
+import"./cli-16m30n7b.js";
+import"./cli-3tntsb59.js";
+import"./cli-8q94bv77.js";
 import"./cli-8rxa073f.js";
 
 // src/cli/fixes.ts

package/build/{index-9ze42wn7.js → index-42y4vj9f.js}

@@ -8,11 +8,11 @@ import {
   readExecutionMetrics,
   runPentestWorkflow,
   writeExecutionMetrics
-} from "./cli-f9shhcxf.js";
-import"./cli-e20q3hqz.js";
-import"./cli-w04ggbe4.js";
-import"./cli-2ckm5es2.js";
-import"./cli-hmrzx8am.js";
+} from "./cli-ee7y516a.js";
+import"./cli-vzq3vcqa.js";
+import"./cli-8yze7t68.js";
+import"./cli-renwxhw7.js";
+import"./cli-0atrar08.js";
 import"./cli-6gtnyaqf.js";
 import {
   ALL_TOOL_NAMES,
@@ -23,17 +23,17 @@ import {
   createInitialOperatorState,
   normalizeMessages,
   sessions
-} from "./cli-r8r90gka.js";
+} from "./cli-khem6ept.js";
 import {
   createToolsetState,
   init_toolset,
   read,
   write
-} from "./cli-jh38b6zv.js";
+} from "./cli-8sm33f4k.js";
 import {
   buildAuthConfig,
   stepCountIs
-} from "./cli-kqtgcdzn.js";
+} from "./cli-5ekr1ws4.js";
 import {
   disconnect,
   fetchWorkspaces,
@@ -42,23 +42,23 @@ import {
   pollLegacyToken,
   pollWorkOSToken,
   selectWorkspace,
-  startDeviceFlow
-} from "./cli-j66pect7.js";
+  startDeviceFlow,
+  validateGateway
+} from "./cli-9tzcmrd4.js";
 import {
   config,
-  ensureValidToken,
   getPensarApiUrl,
   getPensarConsoleUrl
-} from "./cli-bp6d08sg.js";
+} from "./cli-16m30n7b.js";
 import {
   update
-} from "./cli-jb0gcnrs.js";
+} from "./cli-3tntsb59.js";
 import {
   checkForUpdate
-} from "./cli-yj3dy0vg.js";
+} from "./cli-8q94bv77.js";
 import {
   AVAILABLE_MODELS
-} from "./cli-15vxn9zj.js";
+} from "./cli-0tpx8khk.js";
 import"./cli-7ckctq7a.js";
 import {
   __commonJS,
@@ -50346,6 +50346,7 @@ var commands = [
     name: "config",
     description: "Show config dialog",
     category: "General",
+    hidden: true,
     handler: async (args, ctx4) => {
       ctx4.navigate({
         type: "base",
@@ -55543,6 +55544,7 @@ function AuthFlow({ onClose }) {
   const [selectedIndex, setSelectedIndex] = useState24(0);
   const [billingUrl, setBillingUrl] = useState24(null);
   const [balance, setBalance] = useState24(null);
+  const [billingStatus, setBillingStatus] = useState24(null);
   const abortRef = useRef9(null);
   const connectedWorkspace = appConfig.data.workspaceSlug ? {
     name: appConfig.data.workspaceSlug,
@@ -55663,6 +55665,7 @@ function AuthFlow({ onClose }) {
         hasPaymentMethod: true
       } : null);
       setBalance(data.credits?.balance ?? null);
+      setBillingStatus(null);
       setStep("success");
     } catch (err) {
       if (ac.signal.aborted)
@@ -55735,6 +55738,11 @@ function AuthFlow({ onClose }) {
       });
       appConfig.reload();
       setBalance(data.billing.balance);
+      setBillingStatus({
+        confirmed: data.confirmed,
+        ready: data.billing.ready,
+        hasPaymentMethod: data.billing.hasPaymentMethod
+      });
       if (!data.confirmed && data.billingUrl) {
         setBillingUrl(data.billingUrl);
       }
@@ -55761,9 +55769,12 @@ function AuthFlow({ onClose }) {
     setSelectedWorkspace(null);
     setBalance(null);
     setBillingUrl(null);
+    setBillingStatus(null);
     setStep("start");
   };
   const hasLowBalance = balance !== null && balance < 1;
+  const needsBillingSetup = billingStatus !== null && !billingStatus.ready && (balance ?? 0) <= 0;
+  const showBillingWarning = hasLowBalance || needsBillingSetup;
   const effectiveBillingUrl = billingUrl || (selectedWorkspace?.slug ? `${consoleUrlRef.current}/${selectedWorkspace.slug}/settings/billing` : connectedWorkspace?.slug ? `${consoleUrlRef.current}/${connectedWorkspace.slug}/settings/billing` : `${consoleUrlRef.current}/credits`);
   const openBillingPage = () => {
     openUrl(effectiveBillingUrl);
@@ -55808,7 +55819,7 @@ function AuthFlow({ onClose }) {
     }
     if (step === "success") {
       if (key.name === "return") {
-        if (hasLowBalance || billingUrl) {
+        if (showBillingWarning) {
           openBillingPage();
         } else {
           goHome();
@@ -56106,15 +56117,15 @@ function AuthFlow({ onClose }) {
                 }, undefined, true, undefined, this)
               ]
             }, undefined, true, undefined, this),
-            (hasLowBalance || billingUrl) && /* @__PURE__ */ jsxDEV29("box", {
+            showBillingWarning && /* @__PURE__ */ jsxDEV29("box", {
               marginTop: 1,
               children: /* @__PURE__ */ jsxDEV29("text", {
                 fg: colors2.warning,
                 children: [
-                  billingUrl ? "Your workspace needs credits to use Apex CLI." : "Your credit balance is very low. We recommend at least $30 to run",
+                  needsBillingSetup ? "Your workspace billing setup is not ready yet." : "Your credit balance is very low. We recommend at least $30 to run",
                   `
 `,
-                  billingUrl ? "Press ENTER to open billing and add credits." : "pentests without interruptions. Press ENTER to open billing."
+                  needsBillingSetup ? "Press ENTER to open billing and finish setup." : "pentests without interruptions. Press ENTER to open billing."
                 ]
               }, undefined, true, undefined, this)
             }, undefined, false, undefined, this),
@@ -56141,7 +56152,7 @@ function AuthFlow({ onClose }) {
                     children: "[ENTER]"
                   }, undefined, false, undefined, this),
                   " ",
-                  hasLowBalance || billingUrl ? "Open billing" : "Done",
+                  showBillingWarning ? "Open billing" : "Done",
                   " ·",
                   " ",
                   /* @__PURE__ */ jsxDEV29("span", {
@@ -56777,9 +56788,10 @@ function HelpDialog() {
   const [selectedIndex, setSelectedIndex] = useState26(0);
   const [showDetail, setShowDetail] = useState26(false);
   const scrollboxRef = useRef10(null);
+  const visibleCommands = useMemo14(() => commands2.filter((cmd) => !cmd.hidden), [commands2]);
   const commandsByCategory = useMemo14(() => {
     const grouped = {};
-    for (const cmd of commands2) {
+    for (const cmd of visibleCommands) {
       const category = cmd.category || "Other";
       if (!grouped[category]) {
         grouped[category] = [];
@@ -56787,10 +56799,10 @@ function HelpDialog() {
       grouped[category].push(cmd);
     }
     return grouped;
-  }, [commands2]);
+  }, [visibleCommands]);
   const flatCommands = useMemo14(() => {
-    return commands2;
-  }, [commands2]);
+    return visibleCommands;
+  }, [visibleCommands]);
   useEffect16(() => {
     if (selectedIndex >= flatCommands.length) {
       setSelectedIndex(Math.max(0, flatCommands.length - 1));
@@ -57267,7 +57279,6 @@ import { useKeyboard as useKeyboard18 } from "@opentui/react";
 import { jsxDEV as jsxDEV37, Fragment as Fragment7 } from "@opentui/react/jsx-dev-runtime";
 function CreditsFlow({ onOpenAuthDialog }) {
   const route = useRoute();
-  const appConfig = useConfig();
   const [step, setStep] = useState27("loading");
   const [credits, setCredits] = useState27(null);
   const [error, setError] = useState27(null);
@@ -57290,38 +57301,13 @@ function CreditsFlow({ onOpenAuthDialog }) {
     setStep("browser-opened");
   };
   const fetchBalance = async () => {
-    const tokenResult = await ensureValidToken({
-      accessToken: appConfig.data.accessToken,
-      refreshToken: appConfig.data.refreshToken,
-      pensarAPIKey: appConfig.data.pensarAPIKey
-    });
-    if (!tokenResult) {
-      setStep("no-auth");
-      return;
-    }
     setStep("loading");
     setError(null);
     try {
-      const apiUrl = getPensarApiUrl();
-      const headers = {
-        Authorization: `Bearer ${tokenResult.token}`
-      };
-      if (tokenResult.type === "workos" && appConfig.data.workspaceId) {
-        headers["X-Workspace-Id"] = appConfig.data.workspaceId;
-      }
-      const response = await fetch(`${apiUrl}/gateway/validate`, {
-        method: "GET",
-        headers
-      });
-      if (!response.ok) {
-        throw new Error("Failed to fetch balance");
-      }
-      const result = await response.json();
-      if (result.signingKey || result.gatewayUrl) {
-        await config.update({
-          gatewaySigningKey: result.signingKey ?? undefined,
-          gatewayUrl: result.gatewayUrl ?? undefined
-        });
+      const result = await validateGateway();
+      if (!result) {
+        setStep("no-auth");
+        return;
       }
       setCredits({
         balance: result.credits.balance,
@@ -61826,7 +61812,6 @@ function Pentest({
             onTextDelta: (d2) => {
               if (!d2.subagentId)
                 return;
-              setThinking(false);
               if (d2.subagentId === "attack-surface-agent") {
                 appendPanelText(d2.subagentId, d2.text);
               } else {
@@ -61836,7 +61821,6 @@ function Pentest({
             onToolCallStreaming: (d2) => {
               if (!d2.subagentId)
                 return;
-              setThinking(false);
               if (d2.subagentId === "attack-surface-agent") {
                 addPanelStreamingToolCall(d2.toolCallId, d2.toolName);
               } else {
@@ -61855,7 +61839,6 @@ function Pentest({
             onToolCall: (d2) => {
               if (!d2.subagentId)
                 return;
-              setThinking(false);
               if (d2.subagentId === "attack-surface-agent") {
                 addPanelToolCall(d2.toolCallId, d2.toolName, d2.input);
               } else {
@@ -61865,7 +61848,6 @@ function Pentest({
             onToolResult: (d2) => {
               if (!d2.subagentId)
                 return;
-              setThinking(true);
               if (d2.subagentId === "attack-surface-agent") {
                 updatePanelToolResult(d2.toolCallId, d2.toolName, d2.output);
               } else {

package/build/{index-vwvh1rdw.js → index-7etzc7sn.js}

@@ -17,18 +17,18 @@ import {
   update,
   write,
   writeRaw
-} from "./cli-jh38b6zv.js";
+} from "./cli-8sm33f4k.js";
 import {
   init_zod,
   zod_default
-} from "./cli-kqtgcdzn.js";
-import"./cli-j66pect7.js";
-import"./cli-bp6d08sg.js";
-import"./cli-jb0gcnrs.js";
+} from "./cli-5ekr1ws4.js";
+import"./cli-9tzcmrd4.js";
+import"./cli-16m30n7b.js";
+import"./cli-3tntsb59.js";
 import {
   getCurrentVersion
-} from "./cli-yj3dy0vg.js";
-import"./cli-15vxn9zj.js";
+} from "./cli-8q94bv77.js";
+import"./cli-0tpx8khk.js";
 import"./cli-7ckctq7a.js";
 import {
   __require,