@pensar/apex 0.0.26 → 0.0.28-canary.0

package/build/index.js

@@ -64634,7 +64634,7 @@ function getProviderModel(model, authConfig) {
   const bedrockAccessKeyId = authConfig?.bedrock?.accessKeyId || process.env.AWS_ACCESS_KEY_ID;
   const bedrockSecretAccessKey = authConfig?.bedrock?.secretAccessKey || process.env.AWS_SECRET_ACCESS_KEY;
   const bedrockRegion = authConfig?.bedrock?.region || process.env.AWS_REGION || "us-east-1";
-  const localBaseURL = authConfig?.local?.baseURL || process.env.LOCAL_MODEL_URL;
+  const localBaseURL = authConfig?.local?.baseURL || process.env.LOCAL_MODEL_URL || "http://127.0.0.1:1234/v1";
   let providerModel;
   switch (provider) {
     case "openai":
@@ -66454,13 +66454,200 @@ Remember: You are a focused penetration testing agent assigned a specific target
 import { exec } from "child_process";
 import { promisify } from "util";
 import {
-  writeFileSync,
+  writeFileSync as writeFileSync2,
   appendFileSync,
-  readdirSync,
+  readdirSync as readdirSync2,
+  readFileSync as readFileSync2,
+  existsSync as existsSync5
+} from "fs";
+import { join as join2 } from "path";
+
+// src/core/agent/sessions/index.ts
+import {
+  mkdirSync,
+  existsSync as existsSync3,
+  writeFileSync,
   readFileSync,
-  existsSync as existsSync3
+  readdirSync,
+  statSync,
+  rmSync
 } from "fs";
 import { join } from "path";
+import { homedir } from "os";
+
+// src/core/services/rateLimiter/index.ts
+function sleep(ms) {
+  return new Promise((resolve4) => setTimeout(resolve4, ms));
+}
+
+class RateLimiter {
+  tokens;
+  lastRefillTime;
+  rps;
+  bucketSize;
+  msPerToken;
+  queue;
+  constructor(config3) {
+    this.rps = config3?.requestsPerSecond;
+    this.bucketSize = this.rps ? 1 : 0;
+    this.tokens = this.bucketSize;
+    this.lastRefillTime = performance.now();
+    this.msPerToken = this.rps ? 1000 / this.rps : undefined;
+    this.queue = Promise.resolve();
+  }
+  async acquireSlot() {
+    if (!this.rps || !this.msPerToken)
+      return;
+    const previousPromise = this.queue;
+    let resolveCurrentRequest;
+    this.queue = new Promise((resolve4) => {
+      resolveCurrentRequest = resolve4;
+    });
+    await previousPromise;
+    try {
+      const now2 = performance.now();
+      this.refill(now2);
+      if (this.tokens < 1) {
+        const waitTime = (1 - this.tokens) * this.msPerToken;
+        await sleep(waitTime);
+        const nowAfterSleep = performance.now();
+        this.refill(nowAfterSleep);
+      }
+      this.tokens -= 1;
+    } finally {
+      resolveCurrentRequest();
+    }
+  }
+  refill(now2) {
+    if (this.tokens >= this.bucketSize) {
+      this.lastRefillTime = now2;
+      return;
+    }
+    const elapsed = now2 - this.lastRefillTime;
+    const tokensToAdd = elapsed / this.msPerToken;
+    this.tokens = Math.min(this.bucketSize, this.tokens + tokensToAdd);
+    this.lastRefillTime = now2;
+  }
+  isEnabled() {
+    return this.rps !== undefined;
+  }
+}
+
+// src/core/agent/sessions/index.ts
+var DEFAULT_OFFENSIVE_HEADERS = {
+  "User-Agent": "pensar-apex"
+};
+function generateSessionId(prefix) {
+  const timestamp = Date.now().toString(36);
+  return `${prefix ? `${prefix}-` : ""}${timestamp}`;
+}
+function getPensarDir() {
+  return join(homedir(), ".pensar");
+}
+function getExecutionsDir() {
+  return join(getPensarDir(), "executions");
+}
+function createSession(target, objective, prefix, config3) {
+  const sessionId = generateSessionId(prefix);
+  const rootPath = join(getExecutionsDir(), sessionId);
+  const findingsPath = join(rootPath, "findings");
+  const scratchpadPath = join(rootPath, "scratchpad");
+  const logsPath = join(rootPath, "logs");
+  ensureDirectoryExists(rootPath);
+  ensureDirectoryExists(findingsPath);
+  ensureDirectoryExists(scratchpadPath);
+  ensureDirectoryExists(logsPath);
+  const session = {
+    id: sessionId,
+    rootPath,
+    findingsPath,
+    scratchpadPath,
+    logsPath,
+    target,
+    objective: objective ?? "",
+    startTime: new Date().toISOString(),
+    config: config3
+  };
+  if (config3?.rateLimiter) {
+    session._rateLimiter = new RateLimiter(config3.rateLimiter);
+  }
+  const metadataPath = join(rootPath, "session.json");
+  writeFileSync(metadataPath, JSON.stringify(session, null, 2));
+  const readmePath = join(rootPath, "README.md");
+  const readme = `# Penetration Test Session
+
+**Session ID:** ${sessionId}
+**Target:** ${target}
+**Objective:** ${objective}
+**Started:** ${session.startTime}
+
+## Directory Structure
+
+- \`findings/\` - Security findings and vulnerabilities
+- \`scratchpad/\` - Notes and temporary data during testing
+- \`logs/\` - Execution logs and command outputs
+- \`session.json\` - Session metadata
+
+## Findings
+
+Security findings will be documented in the \`findings/\` directory as individual files.
+
+## Status
+
+Testing in progress...
+`;
+  writeFileSync(readmePath, readme);
+  return session;
+}
+function ensureDirectoryExists(path3) {
+  if (!existsSync3(path3)) {
+    mkdirSync(path3, { recursive: true });
+  }
+}
+function getSession(sessionId) {
+  const sessionPath = join(getExecutionsDir(), sessionId);
+  const metadataPath = join(sessionPath, "session.json");
+  if (!existsSync3(metadataPath)) {
+    return null;
+  }
+  const metadata = JSON.parse(readFileSync(metadataPath, "utf-8"));
+  return metadata;
+}
+function extractTimestamp(sessionId) {
+  const parts = sessionId.split("-");
+  const timestampBase36 = parts[parts.length - 1];
+  return parseInt(timestampBase36 || "", 36);
+}
+function listSessions() {
+  const executionsDir = getExecutionsDir();
+  if (!existsSync3(executionsDir)) {
+    return [];
+  }
+  const entries = readdirSync(executionsDir);
+  const directories = entries.filter((entry) => {
+    const fullPath = join(executionsDir, entry);
+    return statSync(fullPath).isDirectory();
+  });
+  return directories.sort((a, b) => {
+    const timestampA = extractTimestamp(a);
+    const timestampB = extractTimestamp(b);
+    return timestampB - timestampA;
+  });
+}
+function getOffensiveHeaders(session) {
+  const config3 = session.config?.offensiveHeaders;
+  if (!config3 || config3.mode === "none") {
+    return;
+  }
+  if (config3.mode === "default") {
+    return DEFAULT_OFFENSIVE_HEADERS;
+  }
+  if (config3.mode === "custom" && config3.headers) {
+    return config3.headers;
+  }
+  return;
+}
+// src/core/agent/tools.ts
 var execAsync = promisify(exec);
 var PayloadSchema = exports_external.object({
   payload: exports_external.string(),
@@ -67554,7 +67741,7 @@ FINDING STRUCTURE:
         const safeTitle = finding.title.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "").substring(0, 50);
         const findingId = `${timestamp.split("T")[0]}-${safeTitle}`;
         const filename = `${findingId}.md`;
-        const filepath = join(session.findingsPath, filename);
+        const filepath = join2(session.findingsPath, filename);
         const markdown = `# ${finding.title}
 
 **Severity:** ${finding.severity}  
@@ -67588,8 +67775,8 @@ ${finding.references}` : ""}
 
 *This finding was automatically documented by the Pensar penetration testing agent.*
 `;
-        writeFileSync(filepath, markdown);
-        const summaryPath = join(session.rootPath, "findings-summary.md");
+        writeFileSync2(filepath, markdown);
+        const summaryPath = join2(session.rootPath, "findings-summary.md");
         const summaryEntry = `- [${finding.severity}] ${finding.title} - \`findings/${filename}\`
 `;
         try {
@@ -67603,7 +67790,7 @@ ${finding.references}` : ""}
 ## All Findings
 
 `;
-          writeFileSync(summaryPath, header + summaryEntry);
+          writeFileSync2(summaryPath, header + summaryEntry);
         }
         return {
           success: true,
@@ -67642,7 +67829,7 @@ The scratchpad is session-specific and helps maintain context during long assess
     execute: async ({ note, category }) => {
       try {
         const timestamp = new Date().toISOString();
-        const scratchpadFile = join(session.scratchpadPath, "notes.md");
+        const scratchpadFile = join2(session.scratchpadPath, "notes.md");
         const entry = `## ${category.toUpperCase()} - ${timestamp}
 
 ${note}
@@ -67661,7 +67848,7 @@ ${note}
 ---
 
 `;
-          writeFileSync(scratchpadFile, header + entry);
+          writeFileSync2(scratchpadFile, header + entry);
         }
         return {
           success: true,
@@ -67788,11 +67975,11 @@ The report will be saved as 'pentest-report.md' in the session root directory.`,
           MEDIUM: 0,
           LOW: 0
         };
-        if (existsSync3(session.findingsPath)) {
-          const findingFiles = readdirSync(session.findingsPath).filter((f) => f.endsWith(".json"));
+        if (existsSync5(session.findingsPath)) {
+          const findingFiles = readdirSync2(session.findingsPath).filter((f) => f.endsWith(".json"));
           for (const file2 of findingFiles) {
-            const filePath = join(session.findingsPath, file2);
-            const content = readFileSync(filePath, "utf-8");
+            const filePath = join2(session.findingsPath, file2);
+            const content = readFileSync2(filePath, "utf-8");
             const severityMatch = content.match(/\*\*Severity:\*\*\s+(CRITICAL|HIGH|MEDIUM|LOW)/);
             const titleMatch = content.match(/^#\s+(.+)$/m);
             if (severityMatch && titleMatch) {
@@ -67817,14 +68004,14 @@ The report will be saved as 'pentest-report.md' in the session root directory.`,
         const totalFindings = findings.length;
         const criticalAndHigh = severityCounts.CRITICAL + severityCounts.HIGH;
         let scratchpadNotes = "";
-        const scratchpadFile = join(session.scratchpadPath, "notes.md");
-        if (existsSync3(scratchpadFile)) {
-          scratchpadNotes = readFileSync(scratchpadFile, "utf-8");
+        const scratchpadFile = join2(session.scratchpadPath, "notes.md");
+        if (existsSync5(scratchpadFile)) {
+          scratchpadNotes = readFileSync2(scratchpadFile, "utf-8");
         }
         let testResultsSummary = "";
-        const testResultsFile = join(session.scratchpadPath, "test-results.jsonl");
-        if (existsSync3(testResultsFile)) {
-          const testLines = readFileSync(testResultsFile, "utf-8").split(`
+        const testResultsFile = join2(session.scratchpadPath, "test-results.jsonl");
+        if (existsSync5(testResultsFile)) {
+          const testLines = readFileSync2(testResultsFile, "utf-8").split(`
 `).filter((l) => l.trim());
           const testResults = testLines.map((line) => {
             try {
@@ -67998,25 +68185,25 @@ This report should be treated as confidential and distributed only to authorized
 *Report generated by Pensar Penetration Testing Agent*  
 *Session: ${session.id}*
 `;
-        const reportPath = join(session.rootPath, "pentest-report.md");
-        writeFileSync(reportPath, report);
-        const readmePath = join(session.rootPath, "README.md");
-        if (existsSync3(readmePath)) {
-          let readme = readFileSync(readmePath, "utf-8");
+        const reportPath = join2(session.rootPath, "pentest-report.md");
+        writeFileSync2(reportPath, report);
+        const readmePath = join2(session.rootPath, "README.md");
+        if (existsSync5(readmePath)) {
+          let readme = readFileSync2(readmePath, "utf-8");
           readme = readme.replace("Testing in progress...", `Testing completed on ${endDate.toLocaleString()}
 
 **Final Report:** \`pentest-report.md\``);
-          writeFileSync(readmePath, readme);
+          writeFileSync2(readmePath, readme);
         }
-        const metadataPath = join(session.rootPath, "session.json");
-        if (existsSync3(metadataPath)) {
-          const metadata = JSON.parse(readFileSync(metadataPath, "utf-8"));
+        const metadataPath = join2(session.rootPath, "session.json");
+        if (existsSync5(metadataPath)) {
+          const metadata = JSON.parse(readFileSync2(metadataPath, "utf-8"));
           metadata.endTime = endTime;
           metadata.duration = duration3;
           metadata.status = "completed";
           metadata.totalFindings = totalFindings;
           metadata.severityCounts = severityCounts;
-          writeFileSync(metadataPath, JSON.stringify(metadata, null, 2));
+          writeFileSync2(metadataPath, JSON.stringify(metadata, null, 2));
         }
         return {
           success: true,
@@ -68057,7 +68244,7 @@ async function recordTestResultCore(session, params) {
       evidence: params.evidence || "",
       confidence: params.confidence || "high"
     };
-    const testResultsPath = join(session.scratchpadPath, "test-results.jsonl");
+    const testResultsPath = join2(session.scratchpadPath, "test-results.jsonl");
     const resultLine = JSON.stringify(testResult) + `
 `;
     appendFileSync(testResultsPath, resultLine);
@@ -68468,8 +68655,8 @@ Use this when:
     }),
     execute: async ({ objective }) => {
       try {
-        const testResultsPath = join(session.scratchpadPath, "test-results.jsonl");
-        if (!existsSync3(testResultsPath)) {
+        const testResultsPath = join2(session.scratchpadPath, "test-results.jsonl");
+        if (!existsSync5(testResultsPath)) {
           return {
             success: true,
             totalTests: 0,
@@ -68478,7 +68665,7 @@ Use this when:
             suggestions: objective ? `Based on objective "${objective}", consider testing relevant parameters with test_parameter tool.` : "Use test_parameter to test parameters for vulnerabilities."
           };
         }
-        const fileContent = readFileSync(testResultsPath, "utf-8");
+        const fileContent = readFileSync2(testResultsPath, "utf-8");
         const testResults = fileContent.trim().split(`
 `).filter((line) => line.trim()).map((line) => JSON.parse(line));
         const parametersTested = new Set;
@@ -68735,7 +68922,7 @@ ${discovered.map((d) => `- ${d.endpoint} [${d.method}] → HTTP ${d.status}`).jo
 Not found: ${range.max - range.min + 1 - discovered.length} endpoints returned 404`;
       try {
         const timestamp = new Date().toISOString();
-        const scratchpadFile = join(session.scratchpadPath, "notes.md");
+        const scratchpadFile = join2(session.scratchpadPath, "notes.md");
         const entry = `## RESULT - ${timestamp}
 
 ${note}
@@ -68754,7 +68941,7 @@ ${note}
 ---
 
 `;
-          writeFileSync(scratchpadFile, header + entry);
+          writeFileSync2(scratchpadFile, header + entry);
         }
       } catch (err) {
         console.error("Failed to record to scratchpad:", err);
@@ -68771,7 +68958,53 @@ ${note}
     }
   });
 }
+function wrapCommandWithHeaders(command, headers) {
+  const userAgent = headers["User-Agent"];
+  if (!userAgent)
+    return command;
+  let wrapped = command;
+  if (command.includes("curl") && !command.includes("User-Agent") && !command.includes("-A")) {
+    wrapped = wrapped.replace(/\bcurl(\s+)/g, `curl -A "${userAgent}" $1`);
+  }
+  if (command.includes("nikto") && !command.includes("-useragent")) {
+    wrapped = wrapped.replace(/\bnikto\s+/, `nikto -useragent "${userAgent}" `);
+  }
+  if (command.includes("nmap") && command.includes("--script") && /--script[= ](.*?http.*?)/.test(command) && !command.includes("http.useragent")) {
+    if (command.includes("--script-args")) {
+      wrapped = wrapped.replace(/--script-args\s+([^\s]+)/, `--script-args $1,http.useragent="${userAgent}"`);
+    } else {
+      wrapped = `${wrapped} --script-args http.useragent="${userAgent}"`;
+    }
+  }
+  if (command.includes("gobuster") && !command.includes("-a ") && !command.includes("--useragent")) {
+    wrapped = wrapped.replace(/\bgobuster\s+/, `gobuster -a "${userAgent}" `);
+  }
+  if (command.includes("ffuf") && !command.includes("User-Agent:")) {
+    wrapped = wrapped.replace(/\bffuf\s+/, `ffuf -H "User-Agent: ${userAgent}" `);
+  }
+  if (command.includes("sqlmap") && !command.includes("--user-agent")) {
+    wrapped = wrapped.replace(/\bsqlmap\s+/, `sqlmap --user-agent="${userAgent}" `);
+  }
+  if (command.includes("wfuzz") && !command.includes("-H") && !command.includes("User-Agent")) {
+    wrapped = wrapped.replace(/\bwfuzz\s+/, `wfuzz -H "User-Agent: ${userAgent}" `);
+  }
+  if (command.includes("dirb") && !command.includes("-a")) {
+    wrapped = wrapped.replace(/\bdirb\s+/, `dirb -a "${userAgent}" `);
+  }
+  if (command.includes("wpscan") && !command.includes("--user-agent")) {
+    wrapped = wrapped.replace(/\bwpscan\s+/, `wpscan --user-agent "${userAgent}" `);
+  }
+  if (command.includes("nuclei") && !command.includes("-H")) {
+    wrapped = wrapped.replace(/\bnuclei\s+/, `nuclei -H "User-Agent: ${userAgent}" `);
+  }
+  if (command.includes("httpx") && !command.includes("-H")) {
+    wrapped = wrapped.replace(/\bhttpx\s+/, `httpx -H "User-Agent: ${userAgent}" `);
+  }
+  return wrapped;
+}
 function createPentestTools(session, model, toolOverride) {
+  const offensiveHeaders = getOffensiveHeaders(session);
+  const rateLimiter = session._rateLimiter;
   const executeCommand = tool({
     name: "execute_command",
     description: `Execute a shell command for penetration testing activities.
@@ -68816,6 +69049,9 @@ IMPORTANT: Always analyze results and adjust your approach based on findings.`,
     inputSchema: ExecuteCommandInput,
     execute: async ({ command, timeout = 30000, toolCallDescription }) => {
       try {
+        if (rateLimiter) {
+          await rateLimiter.acquireSlot();
+        }
         if (toolOverride?.execute_command) {
           return toolOverride.execute_command({
             command,
@@ -68823,7 +69059,8 @@ IMPORTANT: Always analyze results and adjust your approach based on findings.`,
             toolCallDescription
           });
         }
-        const { stdout, stderr } = await execAsync(command, {
+        const finalCommand = offensiveHeaders ? wrapCommandWithHeaders(command, offensiveHeaders) : command;
+        const { stdout, stderr } = await execAsync(finalCommand, {
           timeout,
           maxBuffer: 10 * 1024 * 1024
         });
@@ -68833,7 +69070,7 @@ IMPORTANT: Always analyze results and adjust your approach based on findings.`,
 
  (truncated) call the command again with grep / tail to paginate the response` || "(no output)",
           stderr: stderr || "",
-          command,
+          command: finalCommand,
           error: ""
         };
       } catch (error46) {
@@ -68871,6 +69108,9 @@ COMMON TESTING PATTERNS:
     inputSchema: HttpRequestInput,
     execute: async ({ url: url2, method, headers, body, followRedirects, timeout, toolCallDescription }) => {
       try {
+        if (rateLimiter) {
+          await rateLimiter.acquireSlot();
+        }
         if (toolOverride?.http_request) {
           return toolOverride.http_request({
             url: url2,
@@ -68886,7 +69126,10 @@ COMMON TESTING PATTERNS:
         const timeoutId = setTimeout(() => controller.abort(), timeout);
         const response = await fetch(url2, {
           method,
-          headers: headers || {},
+          headers: {
+            ...offensiveHeaders || {},
+            ...headers || {}
+          },
           body: body || undefined,
           redirect: followRedirects ? "follow" : "manual",
           signal: controller.signal
@@ -68945,102 +69188,6 @@ COMMON TESTING PATTERNS:
   };
 }
 
-// src/core/agent/sessions/index.ts
-import {
-  mkdirSync,
-  existsSync as existsSync5,
-  writeFileSync as writeFileSync2,
-  readFileSync as readFileSync2,
-  readdirSync as readdirSync2,
-  statSync,
-  rmSync
-} from "fs";
-import { join as join2 } from "path";
-import { homedir } from "os";
-function generateSessionId(prefix) {
-  const timestamp = Date.now().toString(36);
-  return `${prefix ? `${prefix}-` : ""}${timestamp}`;
-}
-function getPensarDir() {
-  return join2(homedir(), ".pensar");
-}
-function getExecutionsDir() {
-  return join2(getPensarDir(), "executions");
-}
-function createSession(target, objective, prefix) {
-  const sessionId = generateSessionId(prefix);
-  const rootPath = join2(getExecutionsDir(), sessionId);
-  const findingsPath = join2(rootPath, "findings");
-  const scratchpadPath = join2(rootPath, "scratchpad");
-  const logsPath = join2(rootPath, "logs");
-  ensureDirectoryExists(rootPath);
-  ensureDirectoryExists(findingsPath);
-  ensureDirectoryExists(scratchpadPath);
-  ensureDirectoryExists(logsPath);
-  const session = {
-    id: sessionId,
-    rootPath,
-    findingsPath,
-    scratchpadPath,
-    logsPath,
-    target,
-    objective: objective ?? "",
-    startTime: new Date().toISOString()
-  };
-  const metadataPath = join2(rootPath, "session.json");
-  writeFileSync2(metadataPath, JSON.stringify(session, null, 2));
-  const readmePath = join2(rootPath, "README.md");
-  const readme = `# Penetration Test Session
-
-**Session ID:** ${sessionId}
-**Target:** ${target}
-**Objective:** ${objective}
-**Started:** ${session.startTime}
-
-## Directory Structure
-
-- \`findings/\` - Security findings and vulnerabilities
-- \`scratchpad/\` - Notes and temporary data during testing
-- \`logs/\` - Execution logs and command outputs
-- \`session.json\` - Session metadata
-
-## Findings
-
-Security findings will be documented in the \`findings/\` directory as individual files.
-
-## Status
-
-Testing in progress...
-`;
-  writeFileSync2(readmePath, readme);
-  return session;
-}
-function ensureDirectoryExists(path3) {
-  if (!existsSync5(path3)) {
-    mkdirSync(path3, { recursive: true });
-  }
-}
-function getSession(sessionId) {
-  const sessionPath = join2(getExecutionsDir(), sessionId);
-  const metadataPath = join2(sessionPath, "session.json");
-  if (!existsSync5(metadataPath)) {
-    return null;
-  }
-  const metadata = JSON.parse(readFileSync2(metadataPath, "utf-8"));
-  return metadata;
-}
-function listSessions() {
-  const executionsDir = getExecutionsDir();
-  if (!existsSync5(executionsDir)) {
-    return [];
-  }
-  const entries = readdirSync2(executionsDir);
-  return entries.filter((entry) => {
-    const fullPath = join2(executionsDir, entry);
-    return statSync(fullPath).isDirectory();
-  });
-}
-
 // src/core/agent/utils.ts
 import { readFileSync as readFileSync3, existsSync as existsSync6 } from "fs";
 import { execSync } from "child_process";
@@ -69855,9 +70002,10 @@ function runAgent(opts) {
     silent,
     authConfig,
     toolOverride,
-    messages
+    messages,
+    sessionConfig
   } = opts;
-  const session = opts.session || createSession(target, objective);
+  const session = opts.session || createSession(target, objective, undefined, sessionConfig);
   const pocsPath = join4(session.rootPath, "pocs");
   if (!existsSync9(pocsPath)) {
     mkdirSync4(pocsPath, { recursive: true });
@@ -71613,9 +71761,128 @@ import fs5 from "fs";
 
 // src/core/messages/index.ts
 import fs4 from "fs";
+
+// src/core/messages/types.ts
+var ToolMessageObject = exports_external.object({
+  role: exports_external.literal("tool"),
+  status: exports_external.enum(["pending", "completed"]),
+  toolCallId: exports_external.string(),
+  content: exports_external.string(),
+  args: exports_external.record(exports_external.string(), exports_external.any()),
+  toolName: exports_external.string(),
+  createdAt: exports_external.coerce.date()
+});
+var SystemModelMessageObject = exports_external.object({
+  role: exports_external.literal("system"),
+  content: exports_external.string(),
+  createdAt: exports_external.coerce.date(),
+  providerOptions: exports_external.record(exports_external.string(), exports_external.any()).optional()
+});
+var TextPartObject = exports_external.object({
+  type: exports_external.literal("text"),
+  text: exports_external.string(),
+  providerOptions: exports_external.record(exports_external.string(), exports_external.any()).optional()
+});
+var FilePartObject = exports_external.object({
+  type: exports_external.literal("file"),
+  data: exports_external.union([
+    exports_external.string(),
+    exports_external.instanceof(Uint8Array),
+    exports_external.instanceof(ArrayBuffer),
+    exports_external.instanceof(Buffer),
+    exports_external.url()
+  ]),
+  filename: exports_external.string().optional(),
+  mediaType: exports_external.string(),
+  providerOptions: exports_external.record(exports_external.string(), exports_external.any()).optional()
+});
+var ReasoningPartObject = exports_external.object({
+  type: exports_external.literal("reasoning"),
+  text: exports_external.string(),
+  providerOptions: exports_external.record(exports_external.string(), exports_external.any()).optional()
+});
+var ToolCallPartObject = exports_external.object({
+  type: exports_external.literal("tool-call"),
+  toolCallId: exports_external.string(),
+  toolName: exports_external.string(),
+  input: exports_external.unknown(),
+  providerOptions: exports_external.record(exports_external.string(), exports_external.any()).optional(),
+  providerExecuted: exports_external.boolean().optional()
+});
+var ToolResultOutputObject = exports_external.discriminatedUnion("type", [
+  exports_external.object({
+    type: exports_external.literal("text"),
+    value: exports_external.string()
+  }),
+  exports_external.object({
+    type: exports_external.literal("json"),
+    value: exports_external.any()
+  }),
+  exports_external.object({
+    type: exports_external.literal("error-text"),
+    value: exports_external.string()
+  }),
+  exports_external.object({
+    type: exports_external.literal("error-json"),
+    value: exports_external.any()
+  }),
+  exports_external.object({
+    type: exports_external.literal("content"),
+    value: exports_external.array(exports_external.discriminatedUnion("type", [
+      exports_external.object({
+        type: exports_external.literal("text"),
+        text: exports_external.string()
+      }),
+      exports_external.object({
+        type: exports_external.literal("media"),
+        data: exports_external.string(),
+        mediaType: exports_external.string()
+      })
+    ]))
+  })
+]);
+var ToolResultPartObject = exports_external.object({
+  type: exports_external.literal("tool-result"),
+  toolCallId: exports_external.string(),
+  toolName: exports_external.string(),
+  output: ToolResultOutputObject,
+  providerOptions: exports_external.record(exports_external.string(), exports_external.any()).optional()
+});
+var AssistantModelMessageObject = exports_external.object({
+  role: exports_external.literal("assistant"),
+  content: exports_external.union([
+    exports_external.string(),
+    exports_external.array(exports_external.discriminatedUnion("type", [
+      TextPartObject,
+      FilePartObject,
+      ReasoningPartObject,
+      ToolCallPartObject,
+      ToolResultPartObject
+    ]))
+  ]),
+  createdAt: exports_external.coerce.date(),
+  providerOptions: exports_external.record(exports_external.string(), exports_external.any()).optional()
+});
+var UserModelMessageObject = exports_external.object({
+  role: exports_external.literal("user"),
+  content: exports_external.union([
+    exports_external.string(),
+    exports_external.array(exports_external.discriminatedUnion("type", [TextPartObject, FilePartObject]))
+  ]),
+  createdAt: exports_external.coerce.date(),
+  providerOptions: exports_external.record(exports_external.string(), exports_external.any()).optional()
+});
+var ModelMessageObject = exports_external.discriminatedUnion("role", [
+  SystemModelMessageObject,
+  UserModelMessageObject,
+  AssistantModelMessageObject,
+  ToolMessageObject
+]);
+
+// src/core/messages/index.ts
 function getMessages(session) {
   const messages = fs4.readFileSync(session.rootPath + "/messages.json", "utf8");
-  return JSON.parse(messages);
+  return ModelMessageObject.array().parse(JSON.parse(messages));
 }
 function saveMessages(session, messages) {
   fs4.writeFileSync(session.rootPath + "/messages.json", JSON.stringify(messages, null, 2));
@@ -71643,6 +71910,15 @@ function PentestAgentDisplay() {
   const [isCompleted, setIsCompleted] = import_react20.useState(false);
   const [sessionPath, setSessionPath] = import_react20.useState("");
   const [abortController, setAbortController] = import_react20.useState(null);
+  const [rps, setRps] = import_react20.useState("");
+  const [headerMode, setHeaderMode] = import_react20.useState("default");
+  const [customHeaders, setCustomHeaders] = import_react20.useState({});
+  const [headerInputName, setHeaderInputName] = import_react20.useState("");
+  const [headerInputValue, setHeaderInputValue] = import_react20.useState("");
+  const [selectedHeaderIndex, setSelectedHeaderIndex] = import_react20.useState(0);
+  const [headerEditMode, setHeaderEditMode] = import_react20.useState("list");
+  const [inputError, setInputError] = import_react20.useState("");
+  const [editingHeaderKey, setEditingHeaderKey] = import_react20.useState(null);
   const { closePentest } = useCommand();
   const {
     model,
@@ -71652,7 +71928,8 @@ function PentestAgentDisplay() {
     isExecuting,
     setIsExecuting
   } = useAgent();
-  const inputs = ["target", "objective"];
+  const inputs = headerMode === "custom" && headerEditMode === "input" ? ["target", "objective", "rps", "headerMode", "headerInputName", "headerInputValue"] : ["target", "objective", "rps", "headerMode"];
+  const headerEntries = Object.entries(customHeaders);
   useKeyboard((key) => {
     if (key.name === "escape") {
       closePentest();
@@ -71671,6 +71948,105 @@ function PentestAgentDisplay() {
     if (hasStarted) {
       return;
     }
+    if (focusedIndex === 3 && key.name === "up") {
+      if (headerMode === "custom" && headerEditMode === "list") {
+        if (headerEntries.length > 0) {
+          setSelectedHeaderIndex((prev) => (prev - 1 + headerEntries.length) % headerEntries.length);
+        }
+      } else {
+        const modes = ["none", "default", "custom"];
+        const currentIndex = modes.indexOf(headerMode);
+        const newMode = modes[(currentIndex - 1 + 3) % 3];
+        if (newMode)
+          setHeaderMode(newMode);
+      }
+      return;
+    }
+    if (focusedIndex === 3 && key.name === "down") {
+      if (headerMode === "custom" && headerEditMode === "list") {
+        if (headerEntries.length > 0) {
+          setSelectedHeaderIndex((prev) => (prev + 1) % headerEntries.length);
+        }
+      } else {
+        const modes = ["none", "default", "custom"];
+        const currentIndex = modes.indexOf(headerMode);
+        const newMode = modes[(currentIndex + 1) % 3];
+        if (newMode)
+          setHeaderMode(newMode);
+      }
+      return;
+    }
+    if (headerMode === "custom" && focusedIndex === 3) {
+      if (key.name === "a" && headerEditMode === "list") {
+        setHeaderEditMode("input");
+        setHeaderInputName("");
+        setHeaderInputValue("");
+        setInputError("");
+        setEditingHeaderKey(null);
+        setFocusedIndex(3);
+        return;
+      }
+      if (key.name === "e" && headerEditMode === "list" && headerEntries.length > 0) {
+        const entry = headerEntries[selectedHeaderIndex];
+        if (entry) {
+          const [key2, value] = entry;
+          setHeaderInputName(key2);
+          setHeaderInputValue(value);
+          setEditingHeaderKey(key2);
+          setHeaderEditMode("input");
+          setInputError("");
+          setFocusedIndex(3);
+        }
+        return;
+      }
+      if (key.name === "d" && headerEditMode === "list" && headerEntries.length > 0) {
+        const entry = headerEntries[selectedHeaderIndex];
+        if (entry) {
+          const [keyToDelete] = entry;
+          const newHeaders = { ...customHeaders };
+          delete newHeaders[keyToDelete];
+          setCustomHeaders(newHeaders);
+          setSelectedHeaderIndex(Math.max(0, selectedHeaderIndex - 1));
+        }
+        return;
+      }
+      if (key.name === "escape" && headerEditMode === "input") {
+        setHeaderEditMode("list");
+        setHeaderInputName("");
+        setHeaderInputValue("");
+        setInputError("");
+        setEditingHeaderKey(null);
+        setFocusedIndex(2);
+        return;
+      }
+    }
+    if (headerMode === "custom" && focusedIndex === 4 && key.name === "return") {
+      const headerName = headerInputName.trim();
+      const headerValue = headerInputValue.trim();
+      if (!headerName) {
+        setInputError("Header name cannot be empty");
+        return;
+      }
+      if (!/^[A-Za-z][A-Za-z0-9-]*$/.test(headerName)) {
+        setInputError("Invalid header name - Use only letters, numbers, and hyphens");
+        return;
+      }
+      if (editingHeaderKey && editingHeaderKey !== headerName) {
+        const newHeaders = { ...customHeaders };
+        delete newHeaders[editingHeaderKey];
+        newHeaders[headerName] = headerValue;
+        setCustomHeaders(newHeaders);
+      } else {
+        setCustomHeaders({ ...customHeaders, [headerName]: headerValue });
+      }
+      setHeaderEditMode("list");
+      setHeaderInputName("");
+      setHeaderInputValue("");
+      setInputError("");
+      setEditingHeaderKey(null);
+      setFocusedIndex(2);
+      return;
+    }
     if (key.name === "tab" && !key.shift) {
       setFocusedIndex((prev) => (prev + 1) % inputs.length);
       return;
@@ -71679,9 +72055,21 @@ function PentestAgentDisplay() {
       setFocusedIndex((prev) => (prev - 1 + inputs.length) % inputs.length);
       return;
     }
-    if (key.name === "return") {
+    if (key.name === "return" && focusedIndex < 4) {
       if (target && objective) {
-        beginExecution();
+        const parsedRps = rps ? parseInt(rps, 10) : undefined;
+        const sessionConfig = {
+          offensiveHeaders: {
+            mode: headerMode,
+            headers: headerMode === "custom" ? customHeaders : undefined
+          },
+          ...parsedRps && !isNaN(parsedRps) && parsedRps > 0 && {
+            rateLimiter: {
+              requestsPerSecond: parsedRps
+            }
+          }
+        };
+        beginExecution(sessionConfig);
       }
     }
   });
@@ -71695,7 +72083,7 @@ function PentestAgentDisplay() {
       });
     }
   }
-  async function beginExecution() {
+  async function beginExecution(sessionConfig) {
     if (target && objective && !hasStarted) {
       setHasStarted(true);
       setThinking(true);
@@ -71708,6 +72096,7 @@ function PentestAgentDisplay() {
           objective,
           model: model.id,
           abortSignal: controller.signal,
+          sessionConfig,
           onStepFinish: ({ usage }) => {
             const stepTokens = (usage.inputTokens ?? 0) + (usage.outputTokens ?? 0);
             setTokenCount(stepTokens);
@@ -71901,6 +72290,244 @@ Path: ${result.session.rootPath}`,
             onInput: setObjective,
             focused: focusedIndex === 1
           }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV(Input, {
+            label: "Rate Limit (RPS)",
+            description: "Max requests/sec (leave empty for unlimited)",
+            placeholder: "15 (recommended)",
+            value: rps,
+            onInput: setRps,
+            focused: focusedIndex === 2
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            border: true,
+            width: "100%",
+            borderStyle: "heavy",
+            backgroundColor: "black",
+            borderColor: focusedIndex === 3 ? "green" : "gray",
+            flexDirection: "column",
+            padding: 1,
+            children: [
+              /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                fg: "green",
+                children: "Offensive Request Headers"
+              }, undefined, false, undefined, this),
+              /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                fg: "gray",
+                children: "Configure headers for HTTP tools (curl, nmap, nikto, etc.)"
+              }, undefined, false, undefined, this),
+              /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                fg: "gray",
+                children: "─────────────────────────────────────────────────"
+              }, undefined, false, undefined, this),
+              /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                flexDirection: "column",
+                children: [
+                  /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                    fg: headerMode === "none" ? "green" : "gray",
+                    children: [
+                      headerMode === "none" ? "●" : "○",
+                      " None ",
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "gray",
+                        children: "(no custom headers)"
+                      }, undefined, false, undefined, this)
+                    ]
+                  }, undefined, true, undefined, this),
+                  /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                    fg: headerMode === "default" ? "green" : "gray",
+                    children: [
+                      headerMode === "default" ? "●" : "○",
+                      " Default ",
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "gray",
+                        children: "(User-Agent: pensar-apex)"
+                      }, undefined, false, undefined, this)
+                    ]
+                  }, undefined, true, undefined, this),
+                  /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                    fg: headerMode === "custom" ? "green" : "gray",
+                    children: [
+                      headerMode === "custom" ? "●" : "○",
+                      " Custom ",
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "gray",
+                        children: "(define headers below)"
+                      }, undefined, false, undefined, this)
+                    ]
+                  }, undefined, true, undefined, this)
+                ]
+              }, undefined, true, undefined, this),
+              headerMode === "custom" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                flexDirection: "column",
+                children: [
+                  /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                    fg: "gray",
+                    children: "─────────────────────────────────────────────────"
+                  }, undefined, false, undefined, this),
+                  headerEditMode === "list" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                    flexDirection: "column",
+                    children: headerEntries.length > 0 ? /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV(import_jsx_dev_runtime2.Fragment, {
+                      children: [
+                        /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                          fg: "green",
+                          children: "Configured Headers:"
+                        }, undefined, false, undefined, this),
+                        headerEntries.map(([key, value], index) => /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                          fg: index === selectedHeaderIndex ? "green" : "gray",
+                          children: [
+                            index === selectedHeaderIndex ? "▸" : " ",
+                            " • ",
+                            key,
+                            ": ",
+                            value
+                          ]
+                        }, key, true, undefined, this))
+                      ]
+                    }, undefined, true, undefined, this) : /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                      fg: "gray",
+                      children: "No headers configured. Press [A] to add."
+                    }, undefined, false, undefined, this)
+                  }, undefined, false, undefined, this),
+                  headerEditMode === "input" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                    flexDirection: "column",
+                    children: [
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                        fg: "green",
+                        children: editingHeaderKey ? "Edit Header" : "Add Header"
+                      }, undefined, false, undefined, this),
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                        flexDirection: "row",
+                        children: [
+                          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                            fg: "gray",
+                            children: "Name:  "
+                          }, undefined, false, undefined, this),
+                          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("input", {
+                            value: headerInputName,
+                            onInput: setHeaderInputName,
+                            placeholder: "User-Agent",
+                            focused: focusedIndex === 3,
+                            width: 40,
+                            backgroundColor: "black"
+                          }, undefined, false, undefined, this)
+                        ]
+                      }, undefined, true, undefined, this),
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                        flexDirection: "row",
+                        children: [
+                          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                            fg: "gray",
+                            children: "Value: "
+                          }, undefined, false, undefined, this),
+                          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("input", {
+                            value: headerInputValue,
+                            onInput: setHeaderInputValue,
+                            placeholder: "pensar-apex_client123",
+                            focused: focusedIndex === 4,
+                            width: 40,
+                            backgroundColor: "black"
+                          }, undefined, false, undefined, this)
+                        ]
+                      }, undefined, true, undefined, this),
+                      inputError && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                        fg: "red",
+                        children: inputError
+                      }, undefined, false, undefined, this)
+                    ]
+                  }, undefined, true, undefined, this),
+                  headerEntries.length > 0 && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                    flexDirection: "column",
+                    children: [
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                        fg: "gray",
+                        children: "─────────────────────────────────────────────────"
+                      }, undefined, false, undefined, this),
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                        fg: "green",
+                        children: "Preview:"
+                      }, undefined, false, undefined, this),
+                      headerEntries.map(([key, value]) => /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                        fg: "gray",
+                        children: [
+                          key,
+                          ": ",
+                          value
+                        ]
+                      }, key, true, undefined, this))
+                    ]
+                  }, undefined, true, undefined, this),
+                  /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                    fg: "gray",
+                    children: "─────────────────────────────────────────────────"
+                  }, undefined, false, undefined, this),
+                  headerEditMode === "list" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                    fg: "gray",
+                    children: [
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "green",
+                        children: "[A]"
+                      }, undefined, false, undefined, this),
+                      " Add  ",
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "green",
+                        children: "[E]"
+                      }, undefined, false, undefined, this),
+                      " Edit  ",
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "green",
+                        children: "[D]"
+                      }, undefined, false, undefined, this),
+                      " Delete  ",
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "green",
+                        children: "[↑↓]"
+                      }, undefined, false, undefined, this),
+                      " Navigate"
+                    ]
+                  }, undefined, true, undefined, this),
+                  headerEditMode === "input" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                    fg: "gray",
+                    children: [
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "green",
+                        children: "[TAB]"
+                      }, undefined, false, undefined, this),
+                      " Next Field  ",
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "green",
+                        children: "[ENTER]"
+                      }, undefined, false, undefined, this),
+                      " Save  ",
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "green",
+                        children: "[ESC]"
+                      }, undefined, false, undefined, this),
+                      " Cancel"
+                    ]
+                  }, undefined, true, undefined, this)
+                ]
+              }, undefined, true, undefined, this),
+              headerMode !== "custom" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                flexDirection: "column",
+                children: [
+                  /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                    fg: "gray",
+                    children: "─────────────────────────────────────────────────"
+                  }, undefined, false, undefined, this),
+                  /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                    fg: "gray",
+                    children: [
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "green",
+                        children: "[↑↓]"
+                      }, undefined, false, undefined, this),
+                      " Select mode"
+                    ]
+                  }, undefined, true, undefined, this)
+                ]
+              }, undefined, true, undefined, this)
+            ]
+          }, undefined, true, undefined, this),
           /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
             flexDirection: "row",
             width: "100%",
@@ -74073,12 +74700,13 @@ function runAgent3(opts) {
     model,
     onStepFinish,
     abortSignal,
+    sessionConfig,
     onSubagentSpawn,
     onSubagentMessage,
     onSubagentComplete,
     session: sessionProp
   } = opts;
-  const session = sessionProp || createSession(target);
+  const session = sessionProp || createSession(target, undefined, undefined, sessionConfig);
   const logger = new Logger(session);
   logger.log(`Created thorough pentest session: ${session.id}`);
   logger.log(`Session path: ${session.rootPath}`);
@@ -74673,7 +75301,7 @@ function useThoroughPentestAgent() {
       }
     }
   }
-  async function beginExecution() {
+  async function beginExecution(sessionConfig) {
     if (target && !hasStarted) {
       setHasStarted(true);
       setThinking(true);
@@ -74685,6 +75313,7 @@ function useThoroughPentestAgent() {
           target,
           model: model.id,
           abortSignal: controller.signal,
+          sessionConfig,
           onStepFinish: ({ usage }) => {
             const stepTokens = (usage.inputTokens ?? 0) + (usage.outputTokens ?? 0);
             setTokenCount(stepTokens);
@@ -74892,6 +75521,16 @@ Mode: Pentest (Orchestrator)`,
 function ThoroughPentestAgentDisplay() {
   const [focusedIndex, setFocusedIndex] = import_react23.useState(0);
   const { closeThoroughPentest } = useCommand();
+  const [rps, setRps] = import_react23.useState("");
+  const [headerMode, setHeaderMode] = import_react23.useState("default");
+  const [customHeaders, setCustomHeaders] = import_react23.useState({});
+  const [headerInputName, setHeaderInputName] = import_react23.useState("");
+  const [headerInputValue, setHeaderInputValue] = import_react23.useState("");
+  const [selectedHeaderIndex, setSelectedHeaderIndex] = import_react23.useState(0);
+  const [headerEditMode, setHeaderEditMode] = import_react23.useState("list");
+  const [inputError, setInputError] = import_react23.useState("");
+  const [editingHeaderKey, setEditingHeaderKey] = import_react23.useState(null);
+  const [inputFocusField, setInputFocusField] = import_react23.useState("name");
   const {
     target,
     setTarget,
@@ -74905,7 +75544,8 @@ function ThoroughPentestAgentDisplay() {
     beginExecution,
     openReport
   } = useThoroughPentestAgent();
-  const inputs = ["target", "objective"];
+  const inputs = headerMode === "custom" && headerEditMode === "input" ? ["target", "rps", "headerMode", "headerInputName", "headerInputValue"] : ["target", "rps", "headerMode"];
+  const headerEntries = Object.entries(customHeaders);
   useKeyboard((key) => {
     if (key.name === "escape") {
       closeThoroughPentest();
@@ -74924,6 +75564,107 @@ function ThoroughPentestAgentDisplay() {
     if (hasStarted) {
       return;
     }
+    if (focusedIndex === 2 && key.name === "up") {
+      if (headerMode === "custom" && headerEditMode === "list") {
+        if (headerEntries.length > 0) {
+          setSelectedHeaderIndex((prev) => (prev - 1 + headerEntries.length) % headerEntries.length);
+        }
+      } else {
+        const modes = ["none", "default", "custom"];
+        const currentIndex = modes.indexOf(headerMode);
+        const newMode = modes[(currentIndex - 1 + 3) % 3];
+        if (newMode)
+          setHeaderMode(newMode);
+      }
+      return;
+    }
+    if (focusedIndex === 2 && key.name === "down") {
+      if (headerMode === "custom" && headerEditMode === "list") {
+        if (headerEntries.length > 0) {
+          setSelectedHeaderIndex((prev) => (prev + 1) % headerEntries.length);
+        }
+      } else {
+        const modes = ["none", "default", "custom"];
+        const currentIndex = modes.indexOf(headerMode);
+        const newMode = modes[(currentIndex + 1) % 3];
+        if (newMode)
+          setHeaderMode(newMode);
+      }
+      return;
+    }
+    if (headerMode === "custom" && focusedIndex === 2) {
+      if (key.name === "a" && headerEditMode === "list") {
+        setHeaderEditMode("input");
+        setHeaderInputName("");
+        setHeaderInputValue("");
+        setInputError("");
+        setEditingHeaderKey(null);
+        setInputFocusField("name");
+        setFocusedIndex(2);
+        return;
+      }
+      if (key.name === "e" && headerEditMode === "list" && headerEntries.length > 0) {
+        const entry = headerEntries[selectedHeaderIndex];
+        if (entry) {
+          const [key2, value] = entry;
+          setHeaderInputName(key2);
+          setHeaderInputValue(value);
+          setEditingHeaderKey(key2);
+          setHeaderEditMode("input");
+          setInputError("");
+          setInputFocusField("name");
+          setFocusedIndex(2);
+        }
+        return;
+      }
+      if (key.name === "d" && headerEditMode === "list" && headerEntries.length > 0) {
+        const entry = headerEntries[selectedHeaderIndex];
+        if (entry) {
+          const [keyToDelete] = entry;
+          const newHeaders = { ...customHeaders };
+          delete newHeaders[keyToDelete];
+          setCustomHeaders(newHeaders);
+          setSelectedHeaderIndex(Math.max(0, selectedHeaderIndex - 1));
+        }
+        return;
+      }
+      if (key.name === "escape" && headerEditMode === "input") {
+        setHeaderEditMode("list");
+        setHeaderInputName("");
+        setHeaderInputValue("");
+        setInputError("");
+        setEditingHeaderKey(null);
+        setFocusedIndex(1);
+        return;
+      }
+    }
+    if (headerMode === "custom" && focusedIndex === 3 && key.name === "return") {
+      const headerName = headerInputName.trim();
+      const headerValue = headerInputValue.trim();
+      if (!headerName) {
+        setInputError("Header name cannot be empty");
+        return;
+      }
+      if (!/^[A-Za-z][A-Za-z0-9-]*$/.test(headerName)) {
+        setInputError("Invalid header name - Use only letters, numbers, and hyphens");
+        return;
+      }
+      if (editingHeaderKey && editingHeaderKey !== headerName) {
+        const newHeaders = { ...customHeaders };
+        delete newHeaders[editingHeaderKey];
+        newHeaders[headerName] = headerValue;
+        setCustomHeaders(newHeaders);
+      } else {
+        setCustomHeaders({ ...customHeaders, [headerName]: headerValue });
+      }
+      setHeaderEditMode("list");
+      setHeaderInputName("");
+      setHeaderInputValue("");
+      setInputError("");
+      setEditingHeaderKey(null);
+      setFocusedIndex(1);
+      return;
+    }
     if (key.name === "tab" && !key.shift) {
       setFocusedIndex((prev) => (prev + 1) % inputs.length);
       return;
@@ -74932,9 +75673,21 @@ function ThoroughPentestAgentDisplay() {
       setFocusedIndex((prev) => (prev - 1 + inputs.length) % inputs.length);
       return;
     }
-    if (key.name === "return") {
+    if (key.name === "return" && focusedIndex < 3) {
       if (target) {
-        beginExecution();
+        const parsedRps = rps ? parseInt(rps, 10) : undefined;
+        const sessionConfig = {
+          offensiveHeaders: {
+            mode: headerMode,
+            headers: headerMode === "custom" ? customHeaders : undefined
+          },
+          ...parsedRps && !isNaN(parsedRps) && parsedRps > 0 && {
+            rateLimiter: {
+              requestsPerSecond: parsedRps
+            }
+          }
+        };
+        beginExecution(sessionConfig);
       }
     }
   });
@@ -75050,6 +75803,244 @@ function ThoroughPentestAgentDisplay() {
             onInput: setTarget,
             focused: focusedIndex === 0
           }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV(Input, {
+            label: "Rate Limit (RPS)",
+            description: "Max requests/sec (leave empty for unlimited)",
+            placeholder: "15 (recommended)",
+            value: rps,
+            onInput: setRps,
+            focused: focusedIndex === 1
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            border: true,
+            width: "100%",
+            borderStyle: "heavy",
+            backgroundColor: "black",
+            borderColor: focusedIndex === 2 ? "green" : "gray",
+            flexDirection: "column",
+            padding: 1,
+            children: [
+              /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                fg: "green",
+                children: "Offensive Request Headers"
+              }, undefined, false, undefined, this),
+              /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                fg: "gray",
+                children: "Configure headers for HTTP tools (curl, nmap, nikto, etc.)"
+              }, undefined, false, undefined, this),
+              /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                fg: "gray",
+                children: "─────────────────────────────────────────────────"
+              }, undefined, false, undefined, this),
+              /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                flexDirection: "column",
+                children: [
+                  /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                    fg: headerMode === "none" ? "green" : "gray",
+                    children: [
+                      headerMode === "none" ? "●" : "○",
+                      " None ",
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "gray",
+                        children: "(no custom headers)"
+                      }, undefined, false, undefined, this)
+                    ]
+                  }, undefined, true, undefined, this),
+                  /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                    fg: headerMode === "default" ? "green" : "gray",
+                    children: [
+                      headerMode === "default" ? "●" : "○",
+                      " Default ",
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "gray",
+                        children: "(User-Agent: pensar-apex)"
+                      }, undefined, false, undefined, this)
+                    ]
+                  }, undefined, true, undefined, this),
+                  /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                    fg: headerMode === "custom" ? "green" : "gray",
+                    children: [
+                      headerMode === "custom" ? "●" : "○",
+                      " Custom ",
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "gray",
+                        children: "(define headers below)"
+                      }, undefined, false, undefined, this)
+                    ]
+                  }, undefined, true, undefined, this)
+                ]
+              }, undefined, true, undefined, this),
+              headerMode === "custom" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                flexDirection: "column",
+                children: [
+                  /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                    fg: "gray",
+                    children: "─────────────────────────────────────────────────"
+                  }, undefined, false, undefined, this),
+                  headerEditMode === "list" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                    flexDirection: "column",
+                    children: headerEntries.length > 0 ? /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV(import_jsx_dev_runtime2.Fragment, {
+                      children: [
+                        /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                          fg: "green",
+                          children: "Configured Headers:"
+                        }, undefined, false, undefined, this),
+                        headerEntries.map(([key, value], index) => /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                          fg: index === selectedHeaderIndex ? "green" : "gray",
+                          children: [
+                            index === selectedHeaderIndex ? "▸" : " ",
+                            " • ",
+                            key,
+                            ": ",
+                            value
+                          ]
+                        }, key, true, undefined, this))
+                      ]
+                    }, undefined, true, undefined, this) : /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                      fg: "gray",
+                      children: "No headers configured. Press [A] to add."
+                    }, undefined, false, undefined, this)
+                  }, undefined, false, undefined, this),
+                  headerEditMode === "input" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                    flexDirection: "column",
+                    children: [
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                        fg: "green",
+                        children: editingHeaderKey ? "Edit Header" : "Add Header"
+                      }, undefined, false, undefined, this),
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                        flexDirection: "row",
+                        children: [
+                          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                            fg: "gray",
+                            children: "Name:  "
+                          }, undefined, false, undefined, this),
+                          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("input", {
+                            value: headerInputName,
+                            onInput: setHeaderInputName,
+                            placeholder: "User-Agent",
+                            focused: focusedIndex === 2,
+                            width: 40,
+                            backgroundColor: "black"
+                          }, undefined, false, undefined, this)
+                        ]
+                      }, undefined, true, undefined, this),
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                        flexDirection: "row",
+                        children: [
+                          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                            fg: "gray",
+                            children: "Value: "
+                          }, undefined, false, undefined, this),
+                          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("input", {
+                            value: headerInputValue,
+                            onInput: setHeaderInputValue,
+                            placeholder: "pensar-apex_client123",
+                            focused: focusedIndex === 3,
+                            width: 40,
+                            backgroundColor: "black"
+                          }, undefined, false, undefined, this)
+                        ]
+                      }, undefined, true, undefined, this),
+                      inputError && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                        fg: "red",
+                        children: inputError
+                      }, undefined, false, undefined, this)
+                    ]
+                  }, undefined, true, undefined, this),
+                  headerEntries.length > 0 && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                    flexDirection: "column",
+                    children: [
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                        fg: "gray",
+                        children: "─────────────────────────────────────────────────"
+                      }, undefined, false, undefined, this),
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                        fg: "green",
+                        children: "Preview:"
+                      }, undefined, false, undefined, this),
+                      headerEntries.map(([key, value]) => /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                        fg: "gray",
+                        children: [
+                          key,
+                          ": ",
+                          value
+                        ]
+                      }, key, true, undefined, this))
+                    ]
+                  }, undefined, true, undefined, this),
+                  /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                    fg: "gray",
+                    children: "─────────────────────────────────────────────────"
+                  }, undefined, false, undefined, this),
+                  headerEditMode === "list" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                    fg: "gray",
+                    children: [
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "green",
+                        children: "[A]"
+                      }, undefined, false, undefined, this),
+                      " Add  ",
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "green",
+                        children: "[E]"
+                      }, undefined, false, undefined, this),
+                      " Edit  ",
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "green",
+                        children: "[D]"
+                      }, undefined, false, undefined, this),
+                      " Delete  ",
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "green",
+                        children: "[↑↓]"
+                      }, undefined, false, undefined, this),
+                      " Navigate"
+                    ]
+                  }, undefined, true, undefined, this),
+                  headerEditMode === "input" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                    fg: "gray",
+                    children: [
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "green",
+                        children: "[TAB]"
+                      }, undefined, false, undefined, this),
+                      " Next Field  ",
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "green",
+                        children: "[ENTER]"
+                      }, undefined, false, undefined, this),
+                      " Save  ",
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "green",
+                        children: "[ESC]"
+                      }, undefined, false, undefined, this),
+                      " Cancel"
+                    ]
+                  }, undefined, true, undefined, this)
+                ]
+              }, undefined, true, undefined, this),
+              headerMode !== "custom" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                flexDirection: "column",
+                children: [
+                  /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                    fg: "gray",
+                    children: "─────────────────────────────────────────────────"
+                  }, undefined, false, undefined, this),
+                  /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                    fg: "gray",
+                    children: [
+                      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                        fg: "green",
+                        children: "[↑↓]"
+                      }, undefined, false, undefined, this),
+                      " Select mode"
+                    ]
+                  }, undefined, true, undefined, this)
+                ]
+              }, undefined, true, undefined, this)
+            ]
+          }, undefined, true, undefined, this),
           /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
             flexDirection: "row",
             width: "100%",