@pensar/apex 0.0.77 → 0.0.78-canary.224df24d

package/build/index.js

@@ -31716,6 +31716,55 @@ var init_openrouter = __esm(() => {
   ];
 });
 
+// src/core/ai/models/pensar.ts
+var PENSAR_MODELS;
+var init_pensar = __esm(() => {
+  PENSAR_MODELS = [
+    {
+      id: "pensar:anthropic.claude-sonnet-4-5-20250929-v1:0",
+      name: "Claude Sonnet 4.5 (Pensar)",
+      provider: "pensar",
+      contextLength: 200000
+    },
+    {
+      id: "pensar:anthropic.claude-opus-4-1-20250805-v1:0",
+      name: "Claude Opus 4.1 (Pensar)",
+      provider: "pensar",
+      contextLength: 200000
+    },
+    {
+      id: "pensar:anthropic.claude-haiku-4-5-20251001-v1:0",
+      name: "Claude Haiku 4.5 (Pensar)",
+      provider: "pensar",
+      contextLength: 200000
+    },
+    {
+      id: "pensar:anthropic.claude-sonnet-4-20250514-v1:0",
+      name: "Claude Sonnet 4 (Pensar)",
+      provider: "pensar",
+      contextLength: 200000
+    },
+    {
+      id: "pensar:anthropic.claude-opus-4-20250514-v1:0",
+      name: "Claude Opus 4 (Pensar)",
+      provider: "pensar",
+      contextLength: 200000
+    },
+    {
+      id: "pensar:anthropic.claude-3-7-sonnet-20250219-v1:0",
+      name: "Claude 3.7 Sonnet (Pensar)",
+      provider: "pensar",
+      contextLength: 200000
+    },
+    {
+      id: "pensar:anthropic.claude-3-5-haiku-20241022-v1:0",
+      name: "Claude 3.5 Haiku (Pensar)",
+      provider: "pensar",
+      contextLength: 200000
+    }
+  ];
+});
+
 // src/core/ai/models/index.ts
 function getModelInfo(model) {
   return AVAILABLE_MODELS.find((m2) => m2.id === model) ?? {
@@ -31730,14 +31779,231 @@ var init_models = __esm(() => {
   init_openai();
   init_bedrock();
   init_openrouter();
+  init_pensar();
   AVAILABLE_MODELS = [
     ...ANTHROPIC_MODELS,
     ...OPENAI_MODELS,
     ...BEDROCK_MODELS,
-    ...OPENROUTER_MODELS
+    ...OPENROUTER_MODELS,
+    ...PENSAR_MODELS
   ];
 });
 
+// package.json
+var package_default2;
+var init_package = __esm(() => {
+  package_default2 = {
+    name: "@pensar/apex",
+    version: "0.0.78-canary.224df24d",
+    description: "AI-powered penetration testing CLI tool with terminal UI",
+    module: "src/tui/index.tsx",
+    main: "build/index.js",
+    type: "module",
+    repository: {
+      type: "git",
+      url: "https://github.com/pensarai/apex.git"
+    },
+    bin: {
+      pensar: "./bin/pensar.js"
+    },
+    files: [
+      "build",
+      "bin",
+      "src/core/installation",
+      "pensar.svg",
+      "LICENSE"
+    ],
+    scripts: {
+      build: "bun build src/tui/index.tsx --outdir build --target node --format esm --external sharp",
+      "generate:ascii": "bun run scripts/generate-ascii-art.ts",
+      "generate:models": "bun run scripts/generate-models.ts",
+      "build:binary": "bun run generate:ascii && bun build src/cli.ts --compile --outfile pensar",
+      "build:binary:macos-arm64": "bun build src/cli.ts --compile --target=bun-darwin-arm64 --outfile dist/pensar-darwin-arm64",
+      "build:binary:macos-x64": "bun build src/cli.ts --compile --target=bun-darwin-x64 --outfile dist/pensar-darwin-x64",
+      "build:binary:linux-x64": "bun build src/cli.ts --compile --target=bun-linux-x64 --outfile dist/pensar-linux-x64",
+      "build:binary:linux-arm64": "bun build src/cli.ts --compile --target=bun-linux-arm64 --outfile dist/pensar-linux-arm64",
+      "build:binaries": "bun run generate:ascii && mkdir -p dist && bun run build:binary:macos-arm64 && bun run build:binary:macos-x64 && bun run build:binary:linux-x64 && bun run build:binary:linux-arm64",
+      dev: "bun run scripts/watch.ts",
+      "dev:debug": "SHOW_CONSOLE=true bun run scripts/watch.ts",
+      start: "bun run src/tui/index.tsx",
+      pensar: "node bin/pensar.js",
+      tsc: "tsc --noEmit",
+      "daytona-benchmark": "bun run scripts/daytona-benchmark.ts",
+      "local-benchmark": "bun run scripts/local-benchmark.ts",
+      test: "vitest run",
+      "test:watch": "vitest",
+      lint: "eslint src/",
+      format: "prettier --write .",
+      "format:check": "prettier --check .",
+      prepublishOnly: "npm run build"
+    },
+    keywords: [
+      "penetration-testing",
+      "security",
+      "pentesting",
+      "ai",
+      "cli",
+      "terminal",
+      "tui"
+    ],
+    author: "Pensar",
+    license: "MIT",
+    engines: {
+      node: ">=18.0.0",
+      bun: ">=1.0.0"
+    },
+    devDependencies: {
+      "@eslint/js": "^10.0.1",
+      "@playwright/mcp": "^0.0.54",
+      "@types/bun": "^1.3.0",
+      "@types/mailparser": "^3.4.6",
+      "@types/react": "^19.2.6",
+      "@typescript-eslint/eslint-plugin": "^8.55.0",
+      "@typescript-eslint/parser": "^8.55.0",
+      dotenv: "^17.2.3",
+      eslint: "^10.0.0",
+      "eslint-config-prettier": "^10.1.8",
+      "eslint-plugin-unused-imports": "^4.4.1",
+      prettier: "^3.8.1",
+      "typescript-eslint": "^8.55.0",
+      vitest: "^2.1.8"
+    },
+    peerDependencies: {
+      typescript: "^5.9.3"
+    },
+    dependencies: {
+      "@ai-sdk/amazon-bedrock": "^4.0.69",
+      "@ai-sdk/anthropic": "^3.0.50",
+      "@ai-sdk/openai": "^3.0.37",
+      "@daytonaio/sdk": "^0.112.1",
+      "@googleapis/gmail": "^16.1.1",
+      "@microsoft/microsoft-graph-client": "^3.0.7",
+      "@modelcontextprotocol/sdk": "^1.0.0",
+      "@openrouter/ai-sdk-provider": "^2.2.3",
+      "@opentui/core": "^0.1.80",
+      "@opentui/react": "^0.1.80",
+      ai: "^6.0.105",
+      glob: "^13.0.0",
+      "google-auth-library": "^10.6.1",
+      ignore: "^7.0.5",
+      imapflow: "^1.2.10",
+      mailparser: "^3.9.3",
+      marked: "^16.4.0",
+      nanoid: "^5.1.6",
+      "p-limit": "^7.2.0",
+      react: "^19.2.0",
+      sharp: "^0.34.4",
+      yaml: "^2.8.2",
+      zod: "^3.25.76"
+    },
+    packageManager: "yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e"
+  };
+});
+
+// src/core/installation/index.ts
+function getCurrentVersion() {
+  return package_default2.version;
+}
+function isNewerVersion(current, latest) {
+  const parse2 = (v2) => v2.split(".").map((n) => parseInt(n, 10) || 0);
+  const c = parse2(current);
+  const l = parse2(latest);
+  for (let i = 0;i < Math.max(c.length, l.length); i++) {
+    const cv = c[i] ?? 0;
+    const lv = l[i] ?? 0;
+    if (lv > cv)
+      return true;
+    if (lv < cv)
+      return false;
+  }
+  return false;
+}
+async function getLatestVersion() {
+  const res = await fetch("https://registry.npmjs.org/@pensar/apex/latest");
+  if (!res.ok)
+    throw new Error(`Failed to fetch latest version: ${res.statusText}`);
+  const data = await res.json();
+  return String(data.version);
+}
+async function checkForUpdate() {
+  const currentVersion = getCurrentVersion();
+  let latestVersion;
+  try {
+    latestVersion = await getLatestVersion();
+  } catch {
+    return {
+      updateAvailable: false,
+      currentVersion,
+      latestVersion: currentVersion
+    };
+  }
+  return {
+    updateAvailable: isNewerVersion(currentVersion, latestVersion),
+    currentVersion,
+    latestVersion
+  };
+}
+var init_installation = __esm(() => {
+  init_package();
+});
+
+// src/core/config/config.ts
+import os2 from "os";
+import path2 from "path";
+import fs2 from "fs/promises";
+async function init() {
+  const folder = path2.join(os2.homedir(), ".pensar");
+  const file = path2.join(folder, "config.json");
+  const dirExists = await fs2.access(folder).then(() => true).catch(() => false);
+  if (!dirExists) {
+    await fs2.mkdir(folder, { recursive: true });
+  }
+  const fileExists = await fs2.access(file).then(() => true).catch(() => false);
+  if (!fileExists) {
+    await fs2.writeFile(file, JSON.stringify(DEFAULT_CONFIG));
+  }
+  const version = getCurrentVersion();
+  return { ...DEFAULT_CONFIG, version };
+}
+async function get() {
+  const folder = path2.join(os2.homedir(), ".pensar");
+  const file = path2.join(folder, "config.json");
+  const exists = await fs2.access(file).then(() => true).catch(() => false);
+  if (!exists) {
+    return await init();
+  }
+  const config = await fs2.readFile(file, "utf8");
+  const parsedConfig = JSON.parse(config);
+  const version = getCurrentVersion();
+  return {
+    ...parsedConfig,
+    version,
+    openAiAPIKey: process.env.OPENAI_API_KEY ?? parsedConfig.openAiAPIKey,
+    anthropicAPIKey: process.env.ANTHROPIC_API_KEY ?? parsedConfig.anthropicAPIKey,
+    openRouterAPIKey: process.env.OPENROUTER_API_KEY ?? parsedConfig.openRouterAPIKey,
+    bedrockAPIKey: process.env.BEDROCK_API_KEY ?? parsedConfig.bedrockAPIKey,
+    pensarAPIKey: process.env.PENSAR_API_KEY ?? parsedConfig.pensarAPIKey,
+    pensarApiUrl: process.env.PENSAR_API_URL ?? parsedConfig.pensarApiUrl,
+    daytonaAPIKey: process.env.DAYTONA_API_KEY ?? parsedConfig.daytonaAPIKey,
+    daytonaOrgId: process.env.DAYTONA_ORG_ID ?? parsedConfig.daytonaOrgId,
+    runloopAPIKey: process.env.RUNLOOP_API_KEY ?? parsedConfig.runloopAPIKey
+  };
+}
+async function update(config) {
+  const currentConfig = await get();
+  const newConfig = { ...currentConfig, ...config };
+  const folder = path2.join(os2.homedir(), ".pensar");
+  const file = path2.join(folder, "config.json");
+  await fs2.writeFile(file, JSON.stringify(newConfig));
+}
+var DEFAULT_CONFIG;
+var init_config = __esm(() => {
+  init_installation();
+  DEFAULT_CONFIG = {
+    responsibleUseAccepted: false
+  };
+});
+
 // node_modules/zod/v3/helpers/util.js
 var util3, objectUtil, ZodParsedType, getParsedType = (data) => {
   const t2 = typeof data;
@@ -36239,6 +36505,119 @@ var init_toolset = __esm(() => {
   });
 });
 
+// src/core/config/index.ts
+var config;
+var init_config2 = __esm(() => {
+  init_config();
+  config = {
+    get,
+    init,
+    update
+  };
+});
+
+// src/core/api/constants.ts
+var exports_constants = {};
+__export(exports_constants, {
+  getPensarConsoleUrl: () => getPensarConsoleUrl,
+  getPensarApiUrl: () => getPensarApiUrl,
+  PENSAR_CONSOLE_BASE_URL: () => PENSAR_CONSOLE_BASE_URL,
+  PENSAR_API_BASE_URL: () => PENSAR_API_BASE_URL
+});
+function getPensarApiUrl(config2) {
+  return config2?.pensarApiUrl || process.env.PENSAR_API_URL || PENSAR_API_BASE_URL;
+}
+function getPensarConsoleUrl() {
+  return process.env.PENSAR_CONSOLE_URL || PENSAR_CONSOLE_BASE_URL;
+}
+var PENSAR_API_BASE_URL = "https://api.console.pensar.dev", PENSAR_CONSOLE_BASE_URL = "https://console.pensar.dev";
+
+// src/core/api/tokenRefresh.ts
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3)
+      return null;
+    const payload = Buffer.from(parts[1], "base64url").toString("utf-8");
+    return JSON.parse(payload);
+  } catch {
+    return null;
+  }
+}
+function isTokenExpired(token, bufferSeconds = 60) {
+  const payload = decodeJwtPayload(token);
+  if (!payload || typeof payload.exp !== "number")
+    return true;
+  const nowSeconds = Math.floor(Date.now() / 1000);
+  return payload.exp - nowSeconds < bufferSeconds;
+}
+async function refreshAccessToken(clientId, refreshToken) {
+  try {
+    const response = await fetch("https://api.workos.com/user_management/authenticate", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        client_id: clientId,
+        grant_type: "refresh_token",
+        refresh_token: refreshToken
+      })
+    });
+    if (!response.ok) {
+      console.error(`[pensar] Token refresh failed: ${response.status} ${response.statusText}`);
+      return null;
+    }
+    const data = await response.json();
+    await config.update({
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token
+    });
+    return data.access_token;
+  } catch (err) {
+    console.error("[pensar] Token refresh error:", err);
+    return null;
+  }
+}
+async function ensureValidToken(cfg) {
+  if (cfg.accessToken) {
+    if (!isTokenExpired(cfg.accessToken)) {
+      return { token: cfg.accessToken, type: "workos" };
+    }
+    if (cfg.refreshToken) {
+      const clientId = await fetchWorkOSClientId(cfg);
+      if (clientId) {
+        const newToken = await refreshAccessToken(clientId, cfg.refreshToken);
+        if (newToken) {
+          return { token: newToken, type: "workos" };
+        }
+      }
+    }
+  }
+  if (cfg.pensarAPIKey) {
+    return { token: cfg.pensarAPIKey, type: "legacy" };
+  }
+  return null;
+}
+async function fetchWorkOSClientId(cfg) {
+  if (cachedClientId)
+    return cachedClientId;
+  try {
+    const { getPensarApiUrl: getPensarApiUrl2 } = await Promise.resolve().then(() => exports_constants);
+    const apiUrl = getPensarApiUrl2(cfg);
+    const response = await fetch(`${apiUrl}/api/cli/config`);
+    if (!response.ok)
+      return null;
+    const data = await response.json();
+    cachedClientId = data.workosClientId;
+    return cachedClientId;
+  } catch {
+    return null;
+  }
+}
+var cachedClientId = null;
+var init_tokenRefresh = __esm(() => {
+  init_config2();
+});
+
 // node_modules/@ai-sdk/provider/dist/index.mjs
 function getErrorMessage(error) {
   if (error == null) {
@@ -60666,7 +61045,7 @@ Run shell commands for reconnaissance. Use for: dig, curl, nmap, whois, and all
 Record a discovered asset to the session's assets directory. Use extensively — every significant discovery should be documented.
 
 ## create_attack_surface_report
-Submit the final structured report. Call this ONCE at the very end with complete results.
+Submit the final structured report. Call this ONCE at the very end with complete results. This ends the run.
 
 ## Browser tools
 - \`browser_navigate\` — Load a URL in the browser
@@ -80023,7 +80402,345 @@ var init_dist9 = __esm(() => {
   anthropic = createAnthropic();
 });
 
+// src/core/ai/providers/pensarFormatters.ts
+function convertToBedrockFormat(modelId, options) {
+  if (modelId.includes("anthropic.claude")) {
+    return convertToAnthropicFormat(options);
+  }
+  return convertToAnthropicFormat(options);
+}
+function convertToAnthropicFormat(options) {
+  const messages = [];
+  let systemPrompt;
+  if (options.prompt) {
+    for (const part of options.prompt) {
+      if (part.role === "system") {
+        systemPrompt = part.content;
+      } else if (part.role === "user") {
+        const content = part.content.map((c) => {
+          if (c.type === "text")
+            return c.text;
+          if (c.type === "file")
+            return "[file]";
+          return "";
+        }).join("");
+        messages.push({ role: "user", content });
+      } else if (part.role === "assistant") {
+        const assistantContent = part.content;
+        const hasToolCalls = assistantContent.some((c) => c.type === "tool-call");
+        if (hasToolCalls) {
+          const content = [];
+          for (const c of assistantContent) {
+            if (c.type === "text" && c.text) {
+              content.push({ type: "text", text: c.text });
+            } else if (c.type === "tool-call") {
+              const parsedInput = typeof c.input === "string" ? JSON.parse(c.input) : c.input;
+              content.push({
+                type: "tool_use",
+                id: c.toolCallId,
+                name: c.toolName,
+                input: parsedInput
+              });
+            }
+          }
+          messages.push({ role: "assistant", content });
+        } else {
+          const text2 = assistantContent.map((c) => c.type === "text" ? c.text : "").join("");
+          messages.push({ role: "assistant", content: text2 });
+        }
+      } else if (part.role === "tool") {
+        const toolResults = part.content.map((c) => {
+          let resultContent;
+          if (c.output.type === "text" || c.output.type === "error-text") {
+            resultContent = c.output.value;
+          } else {
+            resultContent = JSON.stringify(c.output.value);
+          }
+          return {
+            type: "tool_result",
+            tool_use_id: c.toolCallId,
+            content: resultContent
+          };
+        });
+        messages.push({ role: "user", content: toolResults });
+      }
+    }
+  }
+  if (options.responseFormat?.type === "json") {
+    const jsonInstruction = options.responseFormat.schema ? `
+
+You MUST respond with ONLY valid JSON matching this schema (no markdown, no explanation, no code fences):
+${JSON.stringify(options.responseFormat.schema)}` : `
+
+You MUST respond with ONLY valid JSON (no markdown, no explanation, no code fences).`;
+    systemPrompt = (systemPrompt || "") + jsonInstruction;
+  }
+  const body = {
+    anthropic_version: "bedrock-2023-05-31",
+    messages,
+    max_tokens: options.maxOutputTokens ?? 4096
+  };
+  if (systemPrompt) {
+    body.system = systemPrompt;
+  }
+  if (options.temperature != null) {
+    body.temperature = options.temperature;
+  }
+  if (options.topP != null) {
+    body.top_p = options.topP;
+  }
+  if (options.stopSequences && options.stopSequences.length > 0) {
+    body.stop_sequences = options.stopSequences;
+  }
+  if (options.tools && options.tools.length > 0) {
+    body.tools = options.tools.filter((tool2) => tool2.type === "function").map((tool2) => ({
+      name: tool2.name,
+      description: tool2.description,
+      input_schema: tool2.inputSchema
+    }));
+  }
+  if (options.toolChoice) {
+    if (options.toolChoice.type === "auto") {
+      body.tool_choice = { type: "auto" };
+    } else if (options.toolChoice.type === "required") {
+      body.tool_choice = { type: "any" };
+    } else if (options.toolChoice.type === "none") {
+      delete body.tools;
+    } else if (options.toolChoice.type === "tool") {
+      body.tool_choice = {
+        type: "tool",
+        name: options.toolChoice.toolName
+      };
+    }
+  }
+  return body;
+}
+function parseBedrockResponse(modelId, response, usage) {
+  if (modelId.includes("anthropic.claude")) {
+    return parseAnthropicResponse(response, usage);
+  }
+  return parseAnthropicResponse(response, usage);
+}
+function parseAnthropicResponse(response, usage) {
+  const rawContent = response.content;
+  const content = [];
+  if (rawContent) {
+    for (const block of rawContent) {
+      if (block.type === "text") {
+        content.push({
+          type: "text",
+          text: block.text
+        });
+      } else if (block.type === "tool_use") {
+        content.push({
+          type: "tool-call",
+          toolCallId: block.id,
+          toolName: block.name,
+          input: typeof block.input === "string" ? block.input : JSON.stringify(block.input)
+        });
+      }
+    }
+  }
+  const stopReason = response.stop_reason;
+  let finishReason = "unknown";
+  switch (stopReason) {
+    case "end_turn":
+      finishReason = "stop";
+      break;
+    case "tool_use":
+      finishReason = "tool-calls";
+      break;
+    case "max_tokens":
+      finishReason = "length";
+      break;
+    case "stop_sequence":
+      finishReason = "stop";
+      break;
+  }
+  const respUsage = response.usage;
+  const finalUsage = {
+    inputTokens: respUsage?.input_tokens ?? usage.inputTokens,
+    outputTokens: respUsage?.output_tokens ?? usage.outputTokens,
+    totalTokens: (respUsage?.input_tokens ?? usage.inputTokens) + (respUsage?.output_tokens ?? usage.outputTokens)
+  };
+  return { content, finishReason, usage: finalUsage };
+}
+
+// src/core/ai/providers/pensar.ts
+function log(...args) {
+  if (DEBUG)
+    console.log("[pensar]", ...args);
+}
+function logError(...args) {
+  console.error("[pensar]", ...args);
+}
+function createPensarModel(bedrockModelId, config3) {
+  const modelId = `pensar:${bedrockModelId}`;
+  async function buildHeaders() {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (config3.getToken) {
+      const result = await config3.getToken();
+      if (!result) {
+        throw new Error("Pensar authentication failed. Run /auth to reconnect.");
+      }
+      headers.Authorization = `Bearer ${result.token}`;
+      if (result.type === "workos" && config3.workspaceId) {
+        headers["X-Workspace-Id"] = config3.workspaceId;
+      }
+    } else {
+      headers.Authorization = `Bearer ${config3.apiKey}`;
+      if (config3.workspaceId && !config3.apiKey.startsWith("sk-")) {
+        headers["X-Workspace-Id"] = config3.workspaceId;
+      }
+    }
+    return headers;
+  }
+  const model = {
+    specificationVersion: "v2",
+    provider: "pensar",
+    modelId,
+    supportedUrls: {},
+    async doGenerate(options) {
+      const body = convertToBedrockFormat(bedrockModelId, options);
+      const url2 = `${config3.baseUrl}/bedrock/invoke`;
+      log(`doGenerate → ${bedrockModelId}`);
+      log(`  URL: ${url2}`);
+      log(`  messages: ${body.messages?.length ?? 0}, tools: ${body.tools?.length ?? 0}`);
+      const startTime = Date.now();
+      const headers = await buildHeaders();
+      const response = await fetch(url2, {
+        method: "POST",
+        headers,
+        signal: options.abortSignal,
+        body: JSON.stringify({
+          modelId: bedrockModelId,
+          body,
+          stream: false
+        })
+      });
+      log(`  response: ${response.status} (${Date.now() - startTime}ms)`);
+      if (!response.ok) {
+        const errorBody = await response.text();
+        let errorMessage;
+        try {
+          const parsed2 = JSON.parse(errorBody);
+          errorMessage = parsed2.error || parsed2.message || errorBody;
+        } catch {
+          errorMessage = errorBody;
+        }
+        logError(`  FAILED ${response.status}: ${errorMessage}`);
+        if (response.status === 402) {
+          throw new Error(`Insufficient Pensar credits: ${errorMessage}. ` + `Top up at https://console.pensar.dev`);
+        }
+        throw new Error(`Pensar API error (${response.status}): ${errorMessage}`);
+      }
+      const result = await response.json();
+      const usageFromProxy = result.usage ?? {
+        inputTokens: 0,
+        outputTokens: 0
+      };
+      const parsed = parseBedrockResponse(bedrockModelId, result.response, {
+        inputTokens: usageFromProxy.inputTokens,
+        outputTokens: usageFromProxy.outputTokens
+      });
+      log(`  finish: ${parsed.finishReason}, content: ${parsed.content.length} parts`);
+      log(`  usage: ${parsed.usage.inputTokens}in / ${parsed.usage.outputTokens}out`);
+      if (result.usage?.totalCost != null) {
+        log(`  cost: $${result.usage.totalCost.toFixed(6)}`);
+      }
+      return {
+        content: parsed.content,
+        finishReason: parsed.finishReason,
+        usage: parsed.usage,
+        request: {
+          body
+        },
+        response: {
+          body: result
+        },
+        warnings: []
+      };
+    },
+    async doStream(options) {
+      log(`doStream → wrapping doGenerate for ${bedrockModelId}`);
+      const generateResult = await model.doGenerate(options);
+      const parts = [];
+      parts.push({
+        type: "stream-start",
+        warnings: generateResult.warnings
+      });
+      for (const item of generateResult.content) {
+        if (item.type === "text") {
+          const id = `text-${Date.now()}`;
+          parts.push({ type: "text-start", id });
+          parts.push({ type: "text-delta", id, delta: item.text });
+          parts.push({ type: "text-end", id });
+        } else if (item.type === "tool-call") {
+          const id = item.toolCallId;
+          parts.push({
+            type: "tool-input-start",
+            id,
+            toolName: item.toolName
+          });
+          parts.push({
+            type: "tool-input-delta",
+            id,
+            delta: item.input
+          });
+          parts.push({ type: "tool-input-end", id });
+          parts.push({
+            type: "tool-call",
+            toolCallId: id,
+            toolName: item.toolName,
+            input: item.input
+          });
+        }
+      }
+      parts.push({
+        type: "finish",
+        finishReason: generateResult.finishReason,
+        usage: generateResult.usage
+      });
+      const stream2 = new ReadableStream({
+        start(controller) {
+          for (const part of parts) {
+            controller.enqueue(part);
+          }
+          controller.close();
+        }
+      });
+      return {
+        stream: stream2,
+        request: {
+          body: generateResult.request?.body
+        }
+      };
+    }
+  };
+  return model;
+}
+var DEBUG;
+var init_pensar2 = __esm(() => {
+  DEBUG = process.env.PENSAR_DEBUG === "1" || process.env.PENSAR_DEBUG === "true";
+});
+
 // src/core/ai/utils.ts
+function buildAuthConfig(cfg) {
+  return {
+    anthropicAPIKey: cfg.anthropicAPIKey ?? undefined,
+    openAiAPIKey: cfg.openAiAPIKey ?? undefined,
+    openRouterAPIKey: cfg.openRouterAPIKey ?? undefined,
+    pensarAPIKey: cfg.pensarAPIKey ?? undefined,
+    pensarApiUrl: cfg.pensarApiUrl ?? undefined,
+    accessToken: cfg.accessToken ?? undefined,
+    refreshToken: cfg.refreshToken ?? undefined,
+    workspaceId: cfg.workspaceId ?? undefined,
+    bedrock: cfg.bedrockAPIKey ? { apiKey: cfg.bedrockAPIKey } : undefined,
+    local: cfg.localModelUrl ? { baseURL: cfg.localModelUrl } : undefined
+  };
+}
 function getProviderModel(model, authConfig) {
   const { provider } = getModelInfo(model);
   const openAiAPIKey = authConfig?.openAiAPIKey || process.env.OPENAI_API_KEY;
@@ -80068,6 +80785,36 @@ function getProviderModel(model, authConfig) {
         apiKey: anthropicAPIKey
       }).chat(model);
       break;
+    case "pensar": {
+      const pensarApiKey = authConfig?.pensarAPIKey || process.env.PENSAR_API_KEY;
+      const hasWorkOSAuth = !!authConfig?.accessToken;
+      if (!pensarApiKey && !hasWorkOSAuth) {
+        throw new Error("Pensar not configured. Run /auth to connect to Pensar Console.");
+      }
+      const pensarApiUrl = authConfig?.pensarApiUrl || getPensarApiUrl();
+      const bedrockModelId = model.startsWith("pensar:") ? model.slice(7) : model;
+      if (process.env.PENSAR_DEBUG === "1" || process.env.PENSAR_DEBUG === "true") {
+        console.log(`[pensar] getProviderModel: ${model} → bedrock:${bedrockModelId} via ${pensarApiUrl}`);
+      }
+      const modelConfig = {
+        apiKey: pensarApiKey || authConfig?.accessToken || "",
+        baseUrl: pensarApiUrl,
+        workspaceId: authConfig?.workspaceId
+      };
+      if (hasWorkOSAuth) {
+        modelConfig.getToken = async () => {
+          const freshConfig = await config.get();
+          return ensureValidToken({
+            accessToken: freshConfig.accessToken,
+            refreshToken: freshConfig.refreshToken,
+            pensarAPIKey: freshConfig.pensarAPIKey,
+            pensarApiUrl: freshConfig.pensarApiUrl
+          });
+        };
+      }
+      providerModel = createPensarModel(bedrockModelId, modelConfig);
+      break;
+    }
     case "local":
       providerModel = createOpenAI({
         baseURL: localBaseURL,
@@ -80239,6 +80986,9 @@ var init_utils2 = __esm(() => {
   init_dist8();
   init_dist9();
   init_models();
+  init_pensar2();
+  init_tokenRefresh();
+  init_config2();
   init_dist5();
 });
 
@@ -86652,11 +87402,11 @@ var require_core = __commonJS((exports) => {
   Ajv.ValidationError = validation_error_1.default;
   Ajv.MissingRefError = ref_error_1.default;
   exports.default = Ajv;
-  function checkOptions(checkOpts, options, msg, log = "error") {
+  function checkOptions(checkOpts, options, msg, log2 = "error") {
     for (const key in checkOpts) {
       const opt = key;
       if (opt in options)
-        this.logger[log](`${msg}: option ${key}. ${checkOpts[opt]}`);
+        this.logger[log2](`${msg}: option ${key}. ${checkOpts[opt]}`);
     }
   }
   function getSchEnv(keyRef) {
@@ -92294,11 +93044,11 @@ var require_core3 = __commonJS((exports) => {
   Ajv.ValidationError = validation_error_1.default;
   Ajv.MissingRefError = ref_error_1.default;
   exports.default = Ajv;
-  function checkOptions(checkOpts, options, msg, log = "error") {
+  function checkOptions(checkOpts, options, msg, log2 = "error") {
     for (const key in checkOpts) {
       const opt = key;
       if (opt in options)
-        this.logger[log](`${msg}: option ${key}. ${checkOpts[opt]}`);
+        this.logger[log2](`${msg}: option ${key}. ${checkOpts[opt]}`);
     }
   }
   function getSchEnv(keyRef) {
@@ -95700,6 +96450,20 @@ var init_stdio2 = __esm(() => {
 import { createRequire as createRequire2 } from "module";
 import { writeFileSync as writeFileSync3, mkdirSync as mkdirSync2, existsSync as existsSync10 } from "fs";
 import { join as join3, dirname as dirname2 } from "path";
+function transformScriptToFunction(script) {
+  const trimmed = script.trim();
+  const iifeTrailing = /\(\s*\)\s*;?\s*$/.test(trimmed);
+  const iifeLeading = /^\s*\((?:async\s+)?(?:function|\()/.test(trimmed);
+  if (iifeLeading && iifeTrailing) {
+    let extracted = trimmed.replace(/\(\s*\)\s*;?\s*$/, "").trim();
+    if (extracted.startsWith("(") && extracted.endsWith(")")) {
+      extracted = extracted.slice(1, -1).trim();
+    }
+    return extracted;
+  }
+  const isFunction = /^\s*(async\s+)?\(/.test(script) || /^\s*(async\s+)?function\s*\(/.test(script);
+  return isFunction ? script : `() => (${script})`;
+}
 function withTimeout(promise3, ms, message) {
   let timer;
   const timeout = new Promise((_2, reject) => {
@@ -96041,8 +96805,7 @@ IMPORTANT: For reliable form filling, first call browser_snapshot to get element
       toolCallDescription
     }) => {
       try {
-        const isFunction = /^\s*(async\s+)?\(/.test(script) || /^\s*(async\s+)?function\s*\(/.test(script);
-        const fnScript = isFunction ? script : `() => (${script})`;
+        const fnScript = transformScriptToFunction(script);
         const result = await session.callTool("browser_evaluate", { function: fnScript }, abortSignal);
         return { success: true, script, result };
       } catch (error40) {
@@ -96795,6 +97558,852 @@ var init_httpRequest = __esm(() => {
   });
 });
 
+// src/lib/cvss/types.ts
+function getSeverityFromScore(score) {
+  if (score === 0)
+    return "NONE";
+  if (score <= 3.9)
+    return "LOW";
+  if (score <= 6.9)
+    return "MEDIUM";
+  if (score <= 8.9)
+    return "HIGH";
+  return "CRITICAL";
+}
+var init_types4 = () => {};
+
+// src/lib/cvss/macrovector-scores.ts
+var MACROVECTOR_LOOKUP, METRIC_LEVELS, MAX_SEVERITY, STEP = 0.1, EPSILON;
+var init_macrovector_scores = __esm(() => {
+  MACROVECTOR_LOOKUP = {
+    "000000": 10,
+    "000001": 9.9,
+    "000010": 9.8,
+    "000011": 9.5,
+    "000020": 9.5,
+    "000021": 9.2,
+    "000100": 10,
+    "000101": 9.6,
+    "000110": 9.3,
+    "000111": 8.7,
+    "000120": 9.1,
+    "000121": 8.1,
+    "000200": 9.3,
+    "000201": 9,
+    "000210": 8.9,
+    "000211": 8,
+    "000220": 8.1,
+    "000221": 6.8,
+    "001000": 9.8,
+    "001001": 9.5,
+    "001010": 9.5,
+    "001011": 9.2,
+    "001020": 9,
+    "001021": 8.4,
+    "001100": 9.3,
+    "001101": 9.2,
+    "001110": 8.9,
+    "001111": 8.1,
+    "001120": 8.1,
+    "001121": 6.5,
+    "001200": 8.8,
+    "001201": 8,
+    "001210": 7.8,
+    "001211": 7,
+    "001220": 6.9,
+    "001221": 4.8,
+    "002001": 9.2,
+    "002011": 8.2,
+    "002021": 7.2,
+    "002101": 7.9,
+    "002111": 6.9,
+    "002121": 5,
+    "002201": 6.9,
+    "002211": 5.5,
+    "002221": 2.7,
+    "010000": 9.9,
+    "010001": 9.7,
+    "010010": 9.5,
+    "010011": 9.2,
+    "010020": 9.2,
+    "010021": 8.5,
+    "010100": 9.5,
+    "010101": 9.1,
+    "010110": 9,
+    "010111": 8.3,
+    "010120": 8.4,
+    "010121": 7.1,
+    "010200": 9.2,
+    "010201": 8.1,
+    "010210": 8.2,
+    "010211": 7.1,
+    "010220": 7.2,
+    "010221": 5.3,
+    "011000": 9.5,
+    "011001": 9.3,
+    "011010": 9.2,
+    "011011": 8.5,
+    "011020": 8.5,
+    "011021": 7.3,
+    "011100": 9.2,
+    "011101": 8.2,
+    "011110": 8,
+    "011111": 7.2,
+    "011120": 7,
+    "011121": 5.9,
+    "011200": 8.4,
+    "011201": 7,
+    "011210": 7.1,
+    "011211": 5.2,
+    "011220": 5,
+    "011221": 3,
+    "012001": 8.6,
+    "012011": 7.5,
+    "012021": 5.2,
+    "012101": 7.1,
+    "012111": 5.2,
+    "012121": 2.9,
+    "012201": 6.3,
+    "012211": 2.9,
+    "012221": 1.7,
+    "100000": 9.8,
+    "100001": 9.5,
+    "100010": 9.4,
+    "100011": 8.7,
+    "100020": 9.1,
+    "100021": 8.1,
+    "100100": 9.4,
+    "100101": 8.9,
+    "100110": 8.6,
+    "100111": 7.4,
+    "100120": 7.7,
+    "100121": 6.4,
+    "100200": 8.7,
+    "100201": 7.5,
+    "100210": 7.4,
+    "100211": 6.3,
+    "100220": 6.3,
+    "100221": 4.9,
+    "101000": 9.4,
+    "101001": 8.9,
+    "101010": 8.8,
+    "101011": 7.7,
+    "101020": 7.6,
+    "101021": 6.7,
+    "101100": 8.6,
+    "101101": 7.6,
+    "101110": 7.4,
+    "101111": 5.8,
+    "101120": 5.9,
+    "101121": 5,
+    "101200": 7.2,
+    "101201": 5.7,
+    "101210": 5.7,
+    "101211": 5.2,
+    "101220": 5.2,
+    "101221": 2.5,
+    "102001": 8.3,
+    "102011": 7,
+    "102021": 5.4,
+    "102101": 6.5,
+    "102111": 5.8,
+    "102121": 2.6,
+    "102201": 5.3,
+    "102211": 2.1,
+    "102221": 1.3,
+    "110000": 9.5,
+    "110001": 9,
+    "110010": 8.8,
+    "110011": 7.6,
+    "110020": 7.6,
+    "110021": 7,
+    "110100": 9,
+    "110101": 7.7,
+    "110110": 7.5,
+    "110111": 6.2,
+    "110120": 6.1,
+    "110121": 5.3,
+    "110200": 7.7,
+    "110201": 6.6,
+    "110210": 6.8,
+    "110211": 5.9,
+    "110220": 5.2,
+    "110221": 3,
+    "111000": 8.9,
+    "111001": 7.8,
+    "111010": 7.6,
+    "111011": 6.7,
+    "111020": 6.2,
+    "111021": 5.8,
+    "111100": 7.4,
+    "111101": 5.9,
+    "111110": 5.7,
+    "111111": 5.7,
+    "111120": 4.7,
+    "111121": 2.3,
+    "111200": 6.1,
+    "111201": 5.2,
+    "111210": 5.7,
+    "111211": 2.9,
+    "111220": 2.4,
+    "111221": 1.6,
+    "112001": 7.1,
+    "112011": 5.9,
+    "112021": 3,
+    "112101": 5.8,
+    "112111": 2.6,
+    "112121": 1.5,
+    "112201": 2.3,
+    "112211": 1.3,
+    "112221": 0.6,
+    "200000": 9.3,
+    "200001": 8.7,
+    "200010": 8.6,
+    "200011": 7.2,
+    "200020": 7.5,
+    "200021": 5.8,
+    "200100": 8.6,
+    "200101": 7.4,
+    "200110": 7.4,
+    "200111": 6.1,
+    "200120": 5.6,
+    "200121": 3.4,
+    "200200": 7,
+    "200201": 5.4,
+    "200210": 5.2,
+    "200211": 4,
+    "200220": 4,
+    "200221": 2.2,
+    "201000": 8.5,
+    "201001": 7.5,
+    "201010": 7.4,
+    "201011": 5.5,
+    "201020": 6.2,
+    "201021": 5.1,
+    "201100": 7.2,
+    "201101": 5.7,
+    "201110": 5.5,
+    "201111": 4.1,
+    "201120": 4.6,
+    "201121": 1.9,
+    "201200": 5.3,
+    "201201": 3.6,
+    "201210": 3.4,
+    "201211": 1.9,
+    "201220": 1.9,
+    "201221": 0.8,
+    "202001": 6.4,
+    "202011": 5.1,
+    "202021": 2,
+    "202101": 4.7,
+    "202111": 2.1,
+    "202121": 1.1,
+    "202201": 2.4,
+    "202211": 0.9,
+    "202221": 0.4,
+    "210000": 8.8,
+    "210001": 7.5,
+    "210010": 7.3,
+    "210011": 5.3,
+    "210020": 6,
+    "210021": 5,
+    "210100": 7.3,
+    "210101": 5.5,
+    "210110": 5.9,
+    "210111": 4,
+    "210120": 4.1,
+    "210121": 2,
+    "210200": 5.4,
+    "210201": 4.3,
+    "210210": 4.5,
+    "210211": 2.2,
+    "210220": 2,
+    "210221": 1.1,
+    "211000": 7.5,
+    "211001": 5.5,
+    "211010": 5.8,
+    "211011": 4.5,
+    "211020": 4,
+    "211021": 2.1,
+    "211100": 6.1,
+    "211101": 5.1,
+    "211110": 4.8,
+    "211111": 1.8,
+    "211120": 2,
+    "211121": 0.9,
+    "211200": 4.6,
+    "211201": 1.8,
+    "211210": 1.7,
+    "211211": 0.7,
+    "211220": 0.8,
+    "211221": 0.2,
+    "212001": 5.3,
+    "212011": 2.4,
+    "212021": 1.4,
+    "212101": 2.4,
+    "212111": 1.2,
+    "212121": 0.5,
+    "212201": 1,
+    "212211": 0.3,
+    "212221": 0.1
+  };
+  METRIC_LEVELS = {
+    AV: { N: 0, A: 0.1, L: 0.2, P: 0.3 },
+    PR: { N: 0, L: 0.1, H: 0.2 },
+    UI: { N: 0, P: 0.1, A: 0.2 },
+    AC: { L: 0, H: 0.1 },
+    AT: { N: 0, P: 0.1 },
+    VC: { H: 0, L: 0.1, N: 0.2 },
+    VI: { H: 0, L: 0.1, N: 0.2 },
+    VA: { H: 0, L: 0.1, N: 0.2 },
+    SC: { H: 0.1, L: 0.2, N: 0.3 },
+    SI: { S: 0, H: 0.1, L: 0.2, N: 0.3 },
+    SA: { S: 0, H: 0.1, L: 0.2, N: 0.3 },
+    CR: { H: 0, M: 0.1, L: 0.2 },
+    IR: { H: 0, M: 0.1, L: 0.2 },
+    AR: { H: 0, M: 0.1, L: 0.2 },
+    E: { A: 0, P: 0.1, U: 0.2 }
+  };
+  MAX_SEVERITY = {
+    eq1: { 0: 1, 1: 4, 2: 5 },
+    eq2: { 0: 1, 1: 2 },
+    eq3eq6: {
+      0: { 0: 7, 1: 6 },
+      1: { 0: 8, 1: 8 },
+      2: { 1: 10 }
+    },
+    eq4: { 0: 6, 1: 5, 2: 4 },
+    eq5: { 0: 1, 1: 1, 2: 1 }
+  };
+  EPSILON = Math.pow(10, -6);
+});
+
+// src/lib/cvss/calculator.ts
+function buildVectorString(metrics) {
+  const parts = ["CVSS:4.0"];
+  for (const metric of BASE_METRICS) {
+    const value = metrics[metric];
+    if (value !== undefined) {
+      parts.push(`${metric}:${value}`);
+    }
+  }
+  for (const metric of THREAT_METRICS) {
+    const value = metrics[metric];
+    if (value !== undefined && value !== "X") {
+      parts.push(`${metric}:${value}`);
+    }
+  }
+  for (const metric of ENVIRONMENTAL_METRICS) {
+    const value = metrics[metric];
+    if (value !== undefined && value !== "X") {
+      parts.push(`${metric}:${value}`);
+    }
+  }
+  for (const metric of SUPPLEMENTAL_METRICS) {
+    const value = metrics[metric];
+    if (value !== undefined && value !== "X") {
+      parts.push(`${metric}:${value}`);
+    }
+  }
+  return parts.join("/");
+}
+function getEffectiveValue(metrics, baseMetric, modifiedMetric) {
+  if (modifiedMetric) {
+    const modValue = metrics[modifiedMetric];
+    if (modValue && modValue !== "X") {
+      return modValue;
+    }
+  }
+  return metrics[baseMetric] ?? "";
+}
+function computeEQ1(metrics) {
+  const av = getEffectiveValue(metrics, "AV", "MAV");
+  const pr = getEffectiveValue(metrics, "PR", "MPR");
+  const ui = getEffectiveValue(metrics, "UI", "MUI");
+  if (av === "N" && pr === "N" && ui === "N") {
+    return 0;
+  }
+  if (!(av === "P" || pr === "H" || ui === "A")) {
+    return 1;
+  }
+  return 2;
+}
+function computeEQ2(metrics) {
+  const ac = getEffectiveValue(metrics, "AC", "MAC");
+  const at = getEffectiveValue(metrics, "AT", "MAT");
+  if (ac === "L" && at === "N") {
+    return 0;
+  }
+  return 1;
+}
+function computeEQ3(metrics) {
+  const vc = getEffectiveValue(metrics, "VC", "MVC");
+  const vi = getEffectiveValue(metrics, "VI", "MVI");
+  const va = getEffectiveValue(metrics, "VA", "MVA");
+  if (vc === "H" && vi === "H") {
+    return 0;
+  }
+  if (vc === "H" || vi === "H" || va === "H") {
+    return 1;
+  }
+  return 2;
+}
+function computeEQ4(metrics) {
+  const msi = metrics.MSI || "X";
+  const msa = metrics.MSA || "X";
+  const sc = getEffectiveValue(metrics, "SC", "MSC");
+  const si = msi !== "X" ? msi : metrics.SI;
+  const sa = msa !== "X" ? msa : metrics.SA;
+  if (msi === "S" || msa === "S") {
+    return 0;
+  }
+  if (sc === "H" || si === "H" || sa === "H") {
+    return 1;
+  }
+  return 2;
+}
+function computeEQ5(metrics) {
+  const e = metrics.E || "A";
+  if (e === "A" || e === "X") {
+    return 0;
+  }
+  if (e === "P") {
+    return 1;
+  }
+  return 2;
+}
+function computeEQ6(metrics) {
+  const cr = metrics.CR || "H";
+  const ir = metrics.IR || "H";
+  const ar = metrics.AR || "H";
+  const vc = getEffectiveValue(metrics, "VC", "MVC");
+  const vi = getEffectiveValue(metrics, "VI", "MVI");
+  const va = getEffectiveValue(metrics, "VA", "MVA");
+  if (cr === "H" && vc === "H" || ir === "H" && vi === "H" || ar === "H" && va === "H") {
+    return 0;
+  }
+  return 1;
+}
+function computeMacroVector(metrics) {
+  const eq1 = computeEQ1(metrics);
+  const eq2 = computeEQ2(metrics);
+  const eq3 = computeEQ3(metrics);
+  const eq4 = computeEQ4(metrics);
+  const eq5 = computeEQ5(metrics);
+  const eq6 = computeEQ6(metrics);
+  return `${eq1}${eq2}${eq3}${eq4}${eq5}${eq6}`;
+}
+function hasNoImpact(metrics) {
+  const vc = getEffectiveValue(metrics, "VC", "MVC");
+  const vi = getEffectiveValue(metrics, "VI", "MVI");
+  const va = getEffectiveValue(metrics, "VA", "MVA");
+  const sc = getEffectiveValue(metrics, "SC", "MSC");
+  const si = metrics.MSI !== "X" && metrics.MSI ? metrics.MSI : metrics.SI;
+  const sa = metrics.MSA !== "X" && metrics.MSA ? metrics.MSA : metrics.SA;
+  return vc === "N" && vi === "N" && va === "N" && sc === "N" && si === "N" && sa === "N";
+}
+function getMetricDistance(metrics, metric) {
+  const levels = METRIC_LEVELS[metric];
+  if (!levels)
+    return 0;
+  let value;
+  const modifiedMetric = "M" + metric;
+  const metricsRecord = metrics;
+  if (metricsRecord[modifiedMetric] && metricsRecord[modifiedMetric] !== "X") {
+    value = metricsRecord[modifiedMetric] ?? "";
+  } else {
+    value = metricsRecord[metric] ?? "";
+  }
+  if (metric === "E" && (!value || value === "X")) {
+    value = "A";
+  }
+  if ((metric === "CR" || metric === "IR" || metric === "AR") && (!value || value === "X")) {
+    value = "H";
+  }
+  return levels[value] || 0;
+}
+function getNextLowerScore(macroVector, position) {
+  const digits = macroVector.split("").map(Number);
+  digits[position]++;
+  const nextMacroVector = digits.join("");
+  return MACROVECTOR_LOOKUP[nextMacroVector] ?? null;
+}
+function interpolateScore(metrics, macroVector, baseScore) {
+  const eq1 = parseInt(macroVector[0]);
+  const eq2 = parseInt(macroVector[1]);
+  const eq3 = parseInt(macroVector[2]);
+  const eq4 = parseInt(macroVector[3]);
+  const eq5 = parseInt(macroVector[4]);
+  const eq6 = parseInt(macroVector[5]);
+  let meanDistance = 0;
+  let eqCount = 0;
+  const eq1NextLower = getNextLowerScore(macroVector, 0);
+  if (eq1NextLower !== null) {
+    const msd = baseScore - eq1NextLower;
+    const maxDepth = MAX_SEVERITY.eq1[eq1] || 1;
+    const avDist = getMetricDistance(metrics, "AV");
+    const prDist = getMetricDistance(metrics, "PR");
+    const uiDist = getMetricDistance(metrics, "UI");
+    const severityDist = avDist + prDist + uiDist;
+    const normalizedDist = severityDist / (maxDepth * STEP);
+    meanDistance += msd * normalizedDist;
+    eqCount++;
+  }
+  const eq2NextLower = getNextLowerScore(macroVector, 1);
+  if (eq2NextLower !== null) {
+    const msd = baseScore - eq2NextLower;
+    const maxDepth = MAX_SEVERITY.eq2[eq2] || 1;
+    const acDist = getMetricDistance(metrics, "AC");
+    const atDist = getMetricDistance(metrics, "AT");
+    const severityDist = acDist + atDist;
+    const normalizedDist = severityDist / (maxDepth * STEP);
+    meanDistance += msd * normalizedDist;
+    eqCount++;
+  }
+  const eq3eq6MaxSeverity = MAX_SEVERITY.eq3eq6;
+  if (eq3eq6MaxSeverity[eq3] && eq3eq6MaxSeverity[eq3][eq6] !== undefined) {
+    const eq3NextLower = getNextLowerScore(macroVector, 2);
+    if (eq3NextLower !== null) {
+      const msd = baseScore - eq3NextLower;
+      const maxDepth = eq3eq6MaxSeverity[eq3][eq6] || 1;
+      const vcDist = getMetricDistance(metrics, "VC");
+      const viDist = getMetricDistance(metrics, "VI");
+      const vaDist = getMetricDistance(metrics, "VA");
+      const crDist = getMetricDistance(metrics, "CR");
+      const irDist = getMetricDistance(metrics, "IR");
+      const arDist = getMetricDistance(metrics, "AR");
+      const severityDist = vcDist + viDist + vaDist + crDist + irDist + arDist;
+      const normalizedDist = severityDist / (maxDepth * STEP);
+      meanDistance += msd * normalizedDist;
+      eqCount++;
+    }
+  }
+  const eq4NextLower = getNextLowerScore(macroVector, 3);
+  if (eq4NextLower !== null) {
+    const msd = baseScore - eq4NextLower;
+    const maxDepth = MAX_SEVERITY.eq4[eq4] || 1;
+    const scDist = getMetricDistance(metrics, "SC");
+    const siDist = getMetricDistance(metrics, "SI");
+    const saDist = getMetricDistance(metrics, "SA");
+    const severityDist = scDist + siDist + saDist;
+    const normalizedDist = severityDist / (maxDepth * STEP);
+    meanDistance += msd * normalizedDist;
+    eqCount++;
+  }
+  const eq5NextLower = getNextLowerScore(macroVector, 4);
+  if (eq5NextLower !== null) {
+    const msd = baseScore - eq5NextLower;
+    const maxDepth = MAX_SEVERITY.eq5[eq5] || 1;
+    const eDist = getMetricDistance(metrics, "E");
+    const normalizedDist = eDist / (maxDepth * STEP);
+    meanDistance += msd * normalizedDist;
+    eqCount++;
+  }
+  const avgDistance = eqCount > 0 ? meanDistance / eqCount : 0;
+  let finalScore = baseScore - avgDistance;
+  finalScore = Math.max(0, Math.min(10, finalScore));
+  finalScore = Math.round(finalScore * 10) / 10;
+  return finalScore;
+}
+function calculateCVSS4Score(metrics) {
+  if (hasNoImpact(metrics)) {
+    return {
+      score: 0,
+      severity: "NONE",
+      vectorString: buildVectorString(metrics),
+      metrics,
+      scoreType: getScoreType(metrics)
+    };
+  }
+  const macroVector = computeMacroVector(metrics);
+  const baseScore = MACROVECTOR_LOOKUP[macroVector];
+  if (baseScore === undefined) {
+    throw new Error(`Invalid MacroVector: ${macroVector}`);
+  }
+  const score = interpolateScore(metrics, macroVector, baseScore);
+  const severity = getSeverityFromScore(score);
+  const scoreType = getScoreType(metrics);
+  return {
+    score,
+    severity,
+    vectorString: buildVectorString(metrics),
+    metrics,
+    scoreType
+  };
+}
+function getScoreType(metrics) {
+  const hasThreat = metrics.E !== undefined && metrics.E !== "X";
+  const hasEnvironmental = metrics.CR !== undefined && metrics.CR !== "X" || metrics.IR !== undefined && metrics.IR !== "X" || metrics.AR !== undefined && metrics.AR !== "X" || metrics.MAV !== undefined && metrics.MAV !== "X" || metrics.MAC !== undefined && metrics.MAC !== "X" || metrics.MAT !== undefined && metrics.MAT !== "X" || metrics.MPR !== undefined && metrics.MPR !== "X" || metrics.MUI !== undefined && metrics.MUI !== "X" || metrics.MVC !== undefined && metrics.MVC !== "X" || metrics.MVI !== undefined && metrics.MVI !== "X" || metrics.MVA !== undefined && metrics.MVA !== "X" || metrics.MSC !== undefined && metrics.MSC !== "X" || metrics.MSI !== undefined && metrics.MSI !== "X" || metrics.MSA !== undefined && metrics.MSA !== "X";
+  if (hasThreat && hasEnvironmental)
+    return "CVSS-BTE";
+  if (hasEnvironmental)
+    return "CVSS-BE";
+  if (hasThreat)
+    return "CVSS-BT";
+  return "CVSS-B";
+}
+var BASE_METRICS, THREAT_METRICS, ENVIRONMENTAL_METRICS, SUPPLEMENTAL_METRICS;
+var init_calculator = __esm(() => {
+  init_types4();
+  init_macrovector_scores();
+  BASE_METRICS = [
+    "AV",
+    "AC",
+    "AT",
+    "PR",
+    "UI",
+    "VC",
+    "VI",
+    "VA",
+    "SC",
+    "SI",
+    "SA"
+  ];
+  THREAT_METRICS = ["E"];
+  ENVIRONMENTAL_METRICS = [
+    "CR",
+    "IR",
+    "AR",
+    "MAV",
+    "MAC",
+    "MAT",
+    "MPR",
+    "MUI",
+    "MVC",
+    "MVI",
+    "MVA",
+    "MSC",
+    "MSI",
+    "MSA"
+  ];
+  SUPPLEMENTAL_METRICS = ["S", "AU", "R", "V", "RE", "U"];
+});
+
+// src/lib/cvss/index.ts
+var init_cvss = __esm(() => {
+  init_types4();
+  init_calculator();
+  init_macrovector_scores();
+});
+
+// src/core/agents/specialized/cvssScorer/index.ts
+async function scoreFindingWithCVSS(input, model, authConfig) {
+  const prompt = buildScoringPrompt(input);
+  const assessment = await generateObjectResponse({
+    model,
+    schema: CVSSMetricsOutputSchema,
+    prompt,
+    system: CVSS_SCORER_SYSTEM_PROMPT,
+    authConfig
+  });
+  const cvssResult = calculateCVSS4Score({
+    ...assessment.metrics
+  });
+  return {
+    score: cvssResult.score,
+    severity: cvssResult.severity,
+    vectorString: cvssResult.vectorString,
+    metrics: cvssResult.metrics,
+    scoreType: cvssResult.scoreType,
+    reasoning: assessment.reasoning
+  };
+}
+function buildScoringPrompt(input) {
+  const { finding, agentMessages } = input;
+  let prompt = `# Vulnerability Finding to Score
+
+## Finding Details
+
+**Title:** ${finding.title}
+**Vulnerability Class:** ${finding.vulnerabilityClass || "Unknown"}
+**Endpoint:** ${finding.endpoint}
+
+### Description
+${finding.description}
+
+### Impact Assessment
+${finding.impact}
+
+### Evidence (POC Output)
+\`\`\`
+${finding.evidence}
+\`\`\`
+
+`;
+  if (agentMessages && agentMessages.length > 0) {
+    prompt += `## Discovery Context
+
+The following is a summary of how this vulnerability was discovered (from the testing agent's conversation):
+
+`;
+    const contextSummary = extractContextSummary(agentMessages);
+    prompt += contextSummary;
+  }
+  prompt += `
+## Task
+
+Analyze this vulnerability finding and determine the appropriate CVSS 4.0 metrics.
+
+Consider:
+1. How the vulnerability is exploited (attack vector, complexity, requirements)
+2. What privileges/authentication were needed
+3. Whether user interaction is required
+4. The actual impact demonstrated in the evidence
+5. Potential for lateral movement or subsequent system compromise
+
+Provide your metrics assessment and brief reasoning.
+`;
+  return prompt;
+}
+function extractContextSummary(messages) {
+  const contextParts = [];
+  let foundToolCalls = 0;
+  const maxToolCalls = 5;
+  for (const message of messages) {
+    if (foundToolCalls >= maxToolCalls)
+      break;
+    if (message.role === "assistant" && typeof message.content === "string") {
+      const hypothesisMatch = message.content.match(/HYPOTHESIS:[\s\S]*?(?=VALIDATION:|$)/);
+      const validationMatch = message.content.match(/VALIDATION:[\s\S]*?(?=HYPOTHESIS:|$)/);
+      if (hypothesisMatch) {
+        contextParts.push(`- ${hypothesisMatch[0].substring(0, 300)}...`);
+      }
+      if (validationMatch) {
+        contextParts.push(`- ${validationMatch[0].substring(0, 300)}...`);
+      }
+    }
+    if (message.role === "assistant" && Array.isArray(message.content)) {
+      for (const rawPart of message.content) {
+        const part = rawPart;
+        if (part.type === "tool-call" && part.toolName) {
+          const input = part.input;
+          const desc = input?.toolCallDescription || `Used ${part.toolName}`;
+          contextParts.push(`- Tool: ${String(desc)}`);
+          foundToolCalls++;
+        }
+      }
+    }
+  }
+  if (contextParts.length === 0) {
+    return `No additional context available from testing conversation.
+`;
+  }
+  return contextParts.join(`
+`) + `
+`;
+}
+var CVSSMetricsOutputSchema, CVSS_SCORER_SYSTEM_PROMPT = `You are a CVSS 4.0 scoring specialist. Your task is to analyze vulnerability findings and determine the appropriate CVSS 4.0 Base metrics.
+
+## CVSS 4.0 Metrics Guide
+
+### Attack Vector (AV)
+- **N (Network)**: Remotely exploitable over the internet (web app vulns, network services)
+- **A (Adjacent)**: Requires shared physical or logical network (same WiFi, VLAN)
+- **L (Local)**: Requires local access or user interaction to deliver payload
+- **P (Physical)**: Requires physical hardware access
+
+### Attack Complexity (AC)
+- **L (Low)**: No special preparation needed, works reliably
+- **H (High)**: Requires race conditions, bypassing defenses, or specific configurations
+
+### Attack Requirements (AT)
+- **N (None)**: Works under normal conditions
+- **P (Present)**: Requires specific deployment conditions (race window, man-in-the-middle position)
+
+### Privileges Required (PR)
+- **N (None)**: Unauthenticated attack
+- **L (Low)**: Requires basic user-level privileges
+- **H (High)**: Requires administrative/root privileges
+
+### User Interaction (UI)
+- **N (None)**: No user action required
+- **P (Passive)**: User visits a page, opens a file, or is on a vulnerable session
+- **A (Active)**: User must click a link, dismiss warnings, or actively interact
+
+### Confidentiality Impact (VC - Vulnerable System, SC - Subsequent Systems)
+- **H (High)**: Complete loss of confidentiality (full data access, credential theft)
+- **L (Low)**: Limited data exposure (some info leak but not critical)
+- **N (None)**: No confidentiality impact
+
+### Integrity Impact (VI - Vulnerable System, SI - Subsequent Systems)
+- **H (High)**: Complete loss of integrity (arbitrary modification, code execution)
+- **L (Low)**: Limited modification capability
+- **N (None)**: No integrity impact
+
+### Availability Impact (VA - Vulnerable System, SA - Subsequent Systems)
+- **H (High)**: Complete denial of service
+- **L (Low)**: Reduced performance or intermittent availability
+- **N (None)**: No availability impact
+
+### Exploit Maturity (E)
+- **A (Attacked)**: Working exploit exists (POC confirmed vulnerability)
+- **P (POC)**: Proof-of-concept code exists but may not be weaponized
+- **U (Unreported)**: No known public exploit
+
+## Vulnerability Class Guidelines
+
+### SQL Injection (sqli)
+- Typically: AV:N, AC:L, AT:N, PR varies, UI:N
+- VC:H (data access), VI:H (data modification), VA:L-H (depending on impact)
+- SC/SI/SA: Usually N unless database is shared
+
+### Cross-Site Scripting (xss)
+- Reflected: AV:N, AC:L, AT:N, PR:N, UI:A (user must click)
+- Stored: AV:N, AC:L, AT:N, PR varies, UI:P (user visits page)
+- VC:L (session theft), VI:L (DOM modification), VA:N
+- SC/SI/SA: Usually N (client-side only)
+
+### Command Injection / RCE
+- Typically: AV:N, AC:L, AT:N, PR varies, UI:N
+- VC:H, VI:H, VA:H (complete system compromise)
+- SC/SI/SA: Potentially H if can pivot
+
+### IDOR / Access Control
+- Typically: AV:N, AC:L, AT:N, PR:L (needs some access), UI:N
+- Impact varies based on what data is accessed
+
+### SSRF
+- Typically: AV:N, AC:L, AT:N, PR varies, UI:N
+- VC on vulnerable: L-N, SC on subsequent: H (internal network access)
+
+### Path Traversal / LFI
+- Typically: AV:N, AC:L, AT:N, PR varies, UI:N
+- VC:H (file read), VI:N (unless write), VA:N
+
+## Analysis Instructions
+
+1. Read the finding description and evidence carefully
+2. Consider the attack vector based on how the vulnerability was exploited
+3. Assess complexity based on whether special conditions were needed
+4. Determine privileges based on authentication requirements
+5. Evaluate user interaction based on exploit mechanics
+6. Assess impact on both the vulnerable system AND potential subsequent systems
+7. Since a POC exists and confirmed the vulnerability, E should typically be 'A'
+
+Always provide brief reasoning explaining your key decisions.`;
+var init_cvssScorer = __esm(() => {
+  init_zod();
+  init_ai2();
+  init_cvss();
+  CVSSMetricsOutputSchema = exports_external.object({
+    metrics: exports_external.object({
+      AV: exports_external.enum(["N", "A", "L", "P"]).describe("Attack Vector: N=Network (remotely exploitable), A=Adjacent network, L=Local access required, P=Physical access required"),
+      AC: exports_external.enum(["L", "H"]).describe("Attack Complexity: L=Low (no special conditions), H=High (requires specific conditions/bypassing)"),
+      AT: exports_external.enum(["N", "P"]).describe("Attack Requirements: N=None (works in most configs), P=Present (requires race conditions/specific setup)"),
+      PR: exports_external.enum(["N", "L", "H"]).describe("Privileges Required: N=None (unauthenticated), L=Low (basic user), H=High (admin)"),
+      UI: exports_external.enum(["N", "P", "A"]).describe("User Interaction: N=None, P=Passive (user visits page), A=Active (user must click/interact)"),
+      VC: exports_external.enum(["H", "L", "N"]).describe("Confidentiality Impact on Vulnerable System: H=High (total loss), L=Low (partial), N=None"),
+      VI: exports_external.enum(["H", "L", "N"]).describe("Integrity Impact on Vulnerable System: H=High (total loss), L=Low (partial), N=None"),
+      VA: exports_external.enum(["H", "L", "N"]).describe("Availability Impact on Vulnerable System: H=High (total loss), L=Low (partial), N=None"),
+      SC: exports_external.enum(["H", "L", "N"]).describe("Confidentiality Impact on Subsequent Systems: H=High, L=Low, N=None (no pivoting)"),
+      SI: exports_external.enum(["H", "L", "N"]).describe("Integrity Impact on Subsequent Systems: H=High, L=Low, N=None"),
+      SA: exports_external.enum(["H", "L", "N"]).describe("Availability Impact on Subsequent Systems: H=High, L=Low, N=None"),
+      E: exports_external.enum(["A", "P", "U"]).describe("Exploit Maturity: A=Attacked (working exploit exists), P=POC available, U=Unreported")
+    }),
+    reasoning: exports_external.string().describe("Brief explanation (2-3 sentences) of the key factors that influenced the metric choices")
+  });
+});
+
 // src/core/agents/offSecAgent/tools/documentFinding.ts
 import { join as join5 } from "path";
 import { writeFileSync as writeFileSync4, appendFileSync as appendFileSync2 } from "fs";
@@ -96840,11 +98449,37 @@ FINDING STRUCTURE:
           }
         }
         const timestamp = new Date().toISOString();
+        let cvssResult;
+        try {
+          cvssResult = await scoreFindingWithCVSS({
+            finding: {
+              title: finding.title,
+              description: finding.description,
+              impact: finding.impact,
+              evidence: finding.evidence,
+              endpoint: finding.endpoint,
+              remediation: finding.remediation
+            },
+            agentMessages: []
+          }, ctx4.model, ctx4.authConfig);
+        } catch (err) {
+          console.warn("CVSS scoring failed, proceeding without score:", err instanceof Error ? err.message : err);
+        }
         const findingWithMeta = {
           ...finding,
           timestamp,
           sessionId: session.id,
-          target: session.targets[0]
+          target: session.targets[0],
+          ...cvssResult && {
+            cvss: {
+              score: cvssResult.score,
+              severity: cvssResult.severity,
+              vectorString: cvssResult.vectorString,
+              metrics: cvssResult.metrics,
+              scoreType: cvssResult.scoreType,
+              reasoning: cvssResult.reasoning
+            }
+          }
         };
         const safeTitle = finding.title.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "").substring(0, 50);
         const findingId = `${timestamp.split("T")[0]}-${safeTitle}`;
@@ -96854,9 +98489,21 @@ FINDING STRUCTURE:
         const mdPath = join5(session.findingsPath, mdFilename);
         try {
           writeFileSync4(jsonPath, JSON.stringify(findingWithMeta, null, 2));
+          const cvssLine = cvssResult ? `
+**CVSS 4.0 Score:** ${cvssResult.score} (${cvssResult.severity})  
+**Vector:** \`${cvssResult.vectorString}\`  ` : "";
+          const cvssSection = cvssResult ? `
+## CVSS 4.0 Assessment
+
+**Score:** ${cvssResult.score} / 10.0 (${cvssResult.severity})  
+**Vector:** \`${cvssResult.vectorString}\`  
+**Score Type:** ${cvssResult.scoreType}
+
+**Reasoning:** ${cvssResult.reasoning}
+` : "";
           const markdown = `# ${finding.title}
 
-**Severity:** ${finding.severity}  
+**Severity:** ${finding.severity}  ${cvssLine}
 **Target:** ${session.targets[0]}  
 **Endpoint:** ${finding.endpoint}  
 **Date:** ${timestamp}  
@@ -96869,7 +98516,7 @@ ${finding.description}
 ## Impact
 
 ${finding.impact}
-
+${cvssSection}
 ## Evidence
 
 \`\`\`
@@ -96894,7 +98541,8 @@ ${finding.references}` : ""}
 `;
           writeFileSync4(mdPath, markdown);
           const summaryPath = join5(session.rootPath, "findings-summary.md");
-          const summaryEntry = `- [${finding.severity}] ${finding.title} - \`findings/${mdFilename}\`
+          const cvssTag = cvssResult ? ` (CVSS ${cvssResult.score})` : "";
+          const summaryEntry = `- [${finding.severity}]${cvssTag} ${finding.title} - \`findings/${mdFilename}\`
 `;
           try {
             appendFileSync2(summaryPath, summaryEntry);
@@ -96936,6 +98584,7 @@ var documentVulnerabilityInputSchema;
 var init_documentFinding = __esm(() => {
   init_dist5();
   init_zod();
+  init_cvssScorer();
   documentVulnerabilityInputSchema = exports_external.object({
     title: exports_external.string().describe("Finding title"),
     severity: exports_external.enum(["CRITICAL", "HIGH", "MEDIUM", "LOW"]),
@@ -99103,7 +100752,7 @@ For each app you identified, spawn a coding agent with a detailed objective. The
 
 // src/core/agents/specialized/whiteboxAttackSurface/types.ts
 var EndpointSchema, AppSchema, WhiteboxAttackSurfaceResultSchema;
-var init_types4 = __esm(() => {
+var init_types5 = __esm(() => {
   init_zod();
   EndpointSchema = exports_external.object({
     method: exports_external.string().describe("HTTP method (GET, POST, PUT, DELETE, etc.) or 'PAGE' for web pages"),
@@ -99165,7 +100814,7 @@ var init_agent2 = __esm(() => {
   init_dist5();
   init_dist5();
   init_offensiveSecurityAgent();
-  init_types4();
+  init_types5();
   WhiteboxAttackSurfaceAgent = class WhiteboxAttackSurfaceAgent extends OffensiveSecurityAgent {
     constructor(opts) {
       const {
@@ -99718,6 +101367,13 @@ var PentestResponseSchema, TargetedPentestAgent, PENTEST_SYSTEM_PROMPT = `You ar
 
 You are given a specific target and specific objectives. Do NOT perform broad reconnaissance or service/endpoint discovery — that has already been done for you. Your job is to deeply test the provided target against the provided objectives.
 
+CRITICAL — Source Code Prohibition:
+- You are performing a BLACKBOX penetration test. You must NEVER read, view, access, or analyze source code under any circumstances.
+- Do NOT use execute_command to read files on the local filesystem (no cat, less, more, head, tail, find, ls on source directories, strings, xxd, or any other file-reading command targeting application source code).
+- Do NOT attempt to download, fetch, or retrieve source code from the target server (e.g. via .git exposure, backup files, directory traversal to read source, or source map files) for the purpose of analyzing application logic. If you discover such an exposure, document it as a finding but do NOT read or analyze the contents.
+- Do NOT reference, assume, or reason about internal implementation details. Treat the target as a completely opaque black box — you can only observe its external behavior through HTTP responses, browser rendering, and error messages.
+- Your testing must rely exclusively on external interaction: sending requests, observing responses, and analyzing observable behavior.
+
 Your methodology:
 1. PLAN — Begin by stating the objectives you have been given and outlining your testing plan. For each objective, describe which attack techniques, payloads, and tools you intend to use. Output this plan as text before making any tool calls.
 2. VERIFY — Confirm the target endpoint exists and is reachable. Understand its basic behavior (response format, parameters, auth requirements).
@@ -138829,7 +140485,7 @@ var require_node3 = __commonJS((exports, module2) => {
   var tty = __require("tty");
   var util4 = __require("util");
   exports.init = init2;
-  exports.log = log;
+  exports.log = log2;
   exports.formatArgs = formatArgs;
   exports.save = save;
   exports.load = load;
@@ -138961,7 +140617,7 @@ var require_node3 = __commonJS((exports, module2) => {
     }
     return new Date().toISOString() + " ";
   }
-  function log(...args) {
+  function log2(...args) {
     return process.stderr.write(util4.formatWithOptions(exports.inspectOpts, ...args) + `
 `);
   }
@@ -147926,7 +149582,7 @@ var require_logging_utils = __commonJS((exports) => {
   exports.getDebugBackend = getDebugBackend;
   exports.getStructuredBackend = getStructuredBackend;
   exports.setBackend = setBackend;
-  exports.log = log;
+  exports.log = log2;
   var events_1 = __require("events");
   var process3 = __importStar(__require("process"));
   var util4 = __importStar(__require("util"));
@@ -147953,7 +149609,7 @@ var require_logging_utils = __commonJS((exports) => {
       this.func.info = (...args) => this.invokeSeverity(LogSeverity.INFO, ...args);
       this.func.warn = (...args) => this.invokeSeverity(LogSeverity.WARNING, ...args);
       this.func.error = (...args) => this.invokeSeverity(LogSeverity.ERROR, ...args);
-      this.func.sublog = (namespace2) => log(namespace2, this.func);
+      this.func.sublog = (namespace2) => log2(namespace2, this.func);
     }
     invoke(fields, ...args) {
       if (this.upstream) {
@@ -148114,7 +149770,7 @@ var require_logging_utils = __commonJS((exports) => {
     cachedBackend = backend;
     loggerCache.clear();
   }
-  function log(namespace, parent) {
+  function log2(namespace, parent) {
     if (!cachedBackend) {
       const enablesFlag = process3.env[exports.env.nodeEnables];
       if (!enablesFlag) {
@@ -148254,7 +149910,7 @@ var require_src6 = __commonJS((exports) => {
   exports.HEADER_NAME = "Metadata-Flavor";
   exports.HEADER_VALUE = "Google";
   exports.HEADERS = Object.freeze({ [exports.HEADER_NAME]: exports.HEADER_VALUE });
-  var log = logger.log("gcp-metadata");
+  var log2 = logger.log("gcp-metadata");
   exports.METADATA_SERVER_DETECTION = Object.freeze({
     "assume-present": "don't try to ping the metadata server, but assume it's present",
     none: "don't try to ping the metadata server, but don't try to use it either",
@@ -148317,9 +149973,9 @@ var require_src6 = __commonJS((exports) => {
       responseType: "text",
       timeout: requestTimeout()
     };
-    log.info("instance request %j", req);
+    log2.info("instance request %j", req);
     const res = await requestMethod(req);
-    log.info("instance metadata is %s", res.data);
+    log2.info("instance metadata is %s", res.data);
     const metadataFlavor = res.headers.get(exports.HEADER_NAME);
     if (metadataFlavor !== exports.HEADER_VALUE) {
       throw new RangeError(`Invalid response from metadata service: incorrect ${exports.HEADER_NAME} header. Expected '${exports.HEADER_VALUE}', got ${metadataFlavor ? `'${metadataFlavor}'` : "no header"}`);
@@ -156447,7 +158103,7 @@ var require_http2 = __commonJS((exports) => {
   var process3 = __require("process");
   var util_1 = require_util7();
   var { HTTP2_HEADER_CONTENT_ENCODING, HTTP2_HEADER_CONTENT_TYPE, HTTP2_HEADER_METHOD, HTTP2_HEADER_PATH, HTTP2_HEADER_STATUS } = http22.constants;
-  var DEBUG = !!process3.env.HTTP2_DEBUG;
+  var DEBUG2 = !!process3.env.HTTP2_DEBUG;
   exports.sessions = {};
   async function request(config3) {
     const opts = extend3(true, {}, config3);
@@ -156561,7 +158217,7 @@ var require_http2 = __commonJS((exports) => {
   }
   function _getClient(host) {
     if (!exports.sessions[host]) {
-      if (DEBUG) {
+      if (DEBUG2) {
         console.log(`Creating client for ${host}`);
       }
       const session = http22.connect(`https://${host}`);
@@ -156574,7 +158230,7 @@ var require_http2 = __commonJS((exports) => {
       });
       exports.sessions[host] = { session };
     } else {
-      if (DEBUG) {
+      if (DEBUG2) {
         console.log(`Used cached client for ${host}`);
       }
     }
@@ -156587,17 +158243,17 @@ var require_http2 = __commonJS((exports) => {
     }
     const { session } = sessionData;
     delete exports.sessions[url2.host];
-    if (DEBUG) {
+    if (DEBUG2) {
       console.error(`Closing ${url2.host}`);
     }
     session.close(() => {
-      if (DEBUG) {
+      if (DEBUG2) {
         console.error(`Closed ${url2.host}`);
       }
     });
     setTimeout(() => {
       if (session && !session.destroyed) {
-        if (DEBUG) {
+        if (DEBUG2) {
           console.log(`Forcing close ${url2.host}`);
         }
         if (session) {
@@ -166108,11 +167764,11 @@ var require_tools = __commonJS((exports, module2) => {
       }
     }
   }
-  function buildFormatters(level, bindings, log) {
+  function buildFormatters(level, bindings, log2) {
     return {
       level,
       bindings,
-      log
+      log: log2
     };
   }
   function normalizeDestFileDescriptor(destination) {
@@ -166457,8 +168113,8 @@ var require_proto = __commonJS((exports, module2) => {
     } else
       instance[serializersSym] = serializers;
     if (options.hasOwnProperty("formatters")) {
-      const { level, bindings: chindings, log } = options.formatters;
-      instance[formattersSym] = buildFormatters(level || formatters.level, chindings || resetChildingsFormatter, log || formatters.log);
+      const { level, bindings: chindings, log: log2 } = options.formatters;
+      instance[formattersSym] = buildFormatters(level || formatters.level, chindings || resetChildingsFormatter, log2 || formatters.log);
     } else {
       instance[formattersSym] = buildFormatters(formatters.level, resetChildingsFormatter, formatters.log);
     }
@@ -209469,219 +211125,16 @@ var useTerminalDimensions = () => {
 };
 
 // src/tui/index.tsx
-var import_react83 = __toESM(require_react(), 1);
+var import_react87 = __toESM(require_react(), 1);
 
 // src/tui/components/footer.tsx
 import os5 from "os";
 
 // src/tui/context/agent.tsx
 init_models();
+init_config();
 var import_react11 = __toESM(require_react(), 1);
 
-// src/core/config/config.ts
-import os2 from "os";
-import path2 from "path";
-import fs2 from "fs/promises";
-// package.json
-var package_default2 = {
-  name: "@pensar/apex",
-  version: "0.0.77",
-  description: "AI-powered penetration testing CLI tool with terminal UI",
-  module: "src/tui/index.tsx",
-  main: "build/index.js",
-  type: "module",
-  repository: {
-    type: "git",
-    url: "https://github.com/pensarai/apex.git"
-  },
-  bin: {
-    pensar: "./bin/pensar.js"
-  },
-  files: [
-    "build",
-    "bin",
-    "src/core/installation",
-    "pensar.svg",
-    "LICENSE"
-  ],
-  scripts: {
-    build: "bun build src/tui/index.tsx --outdir build --target node --format esm --external sharp",
-    "generate:ascii": "bun run scripts/generate-ascii-art.ts",
-    "generate:models": "bun run scripts/generate-models.ts",
-    "build:binary": "bun run generate:ascii && bun build src/cli.ts --compile --outfile pensar",
-    "build:binary:macos-arm64": "bun build src/cli.ts --compile --target=bun-darwin-arm64 --outfile dist/pensar-darwin-arm64",
-    "build:binary:macos-x64": "bun build src/cli.ts --compile --target=bun-darwin-x64 --outfile dist/pensar-darwin-x64",
-    "build:binary:linux-x64": "bun build src/cli.ts --compile --target=bun-linux-x64 --outfile dist/pensar-linux-x64",
-    "build:binary:linux-arm64": "bun build src/cli.ts --compile --target=bun-linux-arm64 --outfile dist/pensar-linux-arm64",
-    "build:binaries": "bun run generate:ascii && mkdir -p dist && bun run build:binary:macos-arm64 && bun run build:binary:macos-x64 && bun run build:binary:linux-x64 && bun run build:binary:linux-arm64",
-    dev: "bun run scripts/watch.ts",
-    "dev:debug": "SHOW_CONSOLE=true bun run scripts/watch.ts",
-    start: "bun run src/tui/index.tsx",
-    pensar: "node bin/pensar.js",
-    tsc: "tsc --noEmit",
-    "daytona-benchmark": "bun run scripts/daytona-benchmark.ts",
-    "local-benchmark": "bun run scripts/local-benchmark.ts",
-    test: "vitest run",
-    "test:watch": "vitest",
-    lint: "eslint src/",
-    format: "prettier --write .",
-    "format:check": "prettier --check .",
-    prepublishOnly: "npm run build"
-  },
-  keywords: [
-    "penetration-testing",
-    "security",
-    "pentesting",
-    "ai",
-    "cli",
-    "terminal",
-    "tui"
-  ],
-  author: "Pensar",
-  license: "MIT",
-  engines: {
-    node: ">=18.0.0",
-    bun: ">=1.0.0"
-  },
-  devDependencies: {
-    "@eslint/js": "^10.0.1",
-    "@playwright/mcp": "^0.0.54",
-    "@types/bun": "^1.3.0",
-    "@types/mailparser": "^3.4.6",
-    "@types/react": "^19.2.6",
-    "@typescript-eslint/eslint-plugin": "^8.55.0",
-    "@typescript-eslint/parser": "^8.55.0",
-    dotenv: "^17.2.3",
-    eslint: "^10.0.0",
-    "eslint-config-prettier": "^10.1.8",
-    "eslint-plugin-unused-imports": "^4.4.1",
-    prettier: "^3.8.1",
-    "typescript-eslint": "^8.55.0",
-    vitest: "^2.1.8"
-  },
-  peerDependencies: {
-    typescript: "^5.9.3"
-  },
-  dependencies: {
-    "@ai-sdk/amazon-bedrock": "^4.0.69",
-    "@ai-sdk/anthropic": "^3.0.50",
-    "@ai-sdk/openai": "^3.0.37",
-    "@daytonaio/sdk": "^0.112.1",
-    "@googleapis/gmail": "^16.1.1",
-    "@microsoft/microsoft-graph-client": "^3.0.7",
-    "@modelcontextprotocol/sdk": "^1.0.0",
-    "@openrouter/ai-sdk-provider": "^2.2.3",
-    "@opentui/core": "^0.1.80",
-    "@opentui/react": "^0.1.80",
-    ai: "^6.0.105",
-    glob: "^13.0.0",
-    "google-auth-library": "^10.6.1",
-    ignore: "^7.0.5",
-    imapflow: "^1.2.10",
-    mailparser: "^3.9.3",
-    marked: "^16.4.0",
-    nanoid: "^5.1.6",
-    "p-limit": "^7.2.0",
-    react: "^19.2.0",
-    sharp: "^0.34.4",
-    yaml: "^2.8.2",
-    zod: "^3.25.76"
-  },
-  packageManager: "yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e"
-};
-
-// src/core/installation/index.ts
-function getCurrentVersion() {
-  return package_default2.version;
-}
-function isNewerVersion(current, latest) {
-  const parse2 = (v2) => v2.split(".").map((n) => parseInt(n, 10) || 0);
-  const c = parse2(current);
-  const l = parse2(latest);
-  for (let i = 0;i < Math.max(c.length, l.length); i++) {
-    const cv = c[i] ?? 0;
-    const lv = l[i] ?? 0;
-    if (lv > cv)
-      return true;
-    if (lv < cv)
-      return false;
-  }
-  return false;
-}
-async function getLatestVersion() {
-  const res = await fetch("https://registry.npmjs.org/@pensar/apex/latest");
-  if (!res.ok)
-    throw new Error(`Failed to fetch latest version: ${res.statusText}`);
-  const data = await res.json();
-  return String(data.version);
-}
-async function checkForUpdate() {
-  const currentVersion = getCurrentVersion();
-  let latestVersion;
-  try {
-    latestVersion = await getLatestVersion();
-  } catch {
-    return {
-      updateAvailable: false,
-      currentVersion,
-      latestVersion: currentVersion
-    };
-  }
-  return {
-    updateAvailable: isNewerVersion(currentVersion, latestVersion),
-    currentVersion,
-    latestVersion
-  };
-}
-
-// src/core/config/config.ts
-var DEFAULT_CONFIG = {
-  responsibleUseAccepted: false
-};
-async function init() {
-  const folder = path2.join(os2.homedir(), ".pensar");
-  const file = path2.join(folder, "config.json");
-  const dirExists = await fs2.access(folder).then(() => true).catch(() => false);
-  if (!dirExists) {
-    await fs2.mkdir(folder, { recursive: true });
-  }
-  const fileExists = await fs2.access(file).then(() => true).catch(() => false);
-  if (!fileExists) {
-    await fs2.writeFile(file, JSON.stringify(DEFAULT_CONFIG));
-  }
-  const version = getCurrentVersion();
-  return { ...DEFAULT_CONFIG, version };
-}
-async function get() {
-  const folder = path2.join(os2.homedir(), ".pensar");
-  const file = path2.join(folder, "config.json");
-  const exists = await fs2.access(file).then(() => true).catch(() => false);
-  if (!exists) {
-    return await init();
-  }
-  const config = await fs2.readFile(file, "utf8");
-  const parsedConfig = JSON.parse(config);
-  const version = getCurrentVersion();
-  return {
-    ...parsedConfig,
-    version,
-    openAiAPIKey: process.env.OPENAI_API_KEY ?? parsedConfig.openAiAPIKey,
-    anthropicAPIKey: process.env.ANTHROPIC_API_KEY ?? parsedConfig.anthropicAPIKey,
-    openRouterAPIKey: process.env.OPENROUTER_API_KEY ?? parsedConfig.openRouterAPIKey,
-    bedrockAPIKey: process.env.BEDROCK_API_KEY ?? parsedConfig.bedrockAPIKey,
-    daytonaAPIKey: process.env.DAYTONA_API_KEY ?? parsedConfig.daytonaAPIKey,
-    daytonaOrgId: process.env.DAYTONA_ORG_ID ?? parsedConfig.daytonaOrgId,
-    runloopAPIKey: process.env.RUNLOOP_API_KEY ?? parsedConfig.runloopAPIKey
-  };
-}
-async function update(config) {
-  const currentConfig = await get();
-  const newConfig = { ...currentConfig, ...config };
-  const folder = path2.join(os2.homedir(), ".pensar");
-  const file = path2.join(folder, "config.json");
-  await fs2.writeFile(file, JSON.stringify(newConfig));
-}
-
 // src/core/providers/utils.ts
 init_models();
 
@@ -209716,6 +211169,12 @@ var AVAILABLE_PROVIDERS = [
     name: "Local LLM",
     description: "OpenAI-compatible local model (vLLM, LM Studio, Ollama)",
     requiresAPIKey: false
+  },
+  {
+    id: "pensar",
+    name: "Pensar",
+    description: "Managed inference via Pensar Console (usage-based billing)",
+    requiresAPIKey: true
   }
 ];
 
@@ -209742,12 +211201,14 @@ function isProviderConfigured(providerId, config) {
       return !!config.bedrockAPIKey;
     case "local":
       return !!(config.localModelUrl || config.localModelName || process.env.LOCAL_MODEL_URL);
+    case "pensar":
+      return !!(config.pensarAPIKey || config.accessToken);
     default:
       return false;
   }
 }
 function hasAnyProviderConfigured(config) {
-  return !!config.anthropicAPIKey || !!config.openAiAPIKey || !!config.openRouterAPIKey || !!config.bedrockAPIKey || !!config.localModelUrl || !!config.localModelName || !!process.env.LOCAL_MODEL_URL;
+  return !!config.anthropicAPIKey || !!config.openAiAPIKey || !!config.openRouterAPIKey || !!config.bedrockAPIKey || !!config.localModelUrl || !!config.localModelName || !!process.env.LOCAL_MODEL_URL || !!config.pensarAPIKey || !!config.accessToken;
 }
 function getAvailableModels(config) {
   const models = AVAILABLE_MODELS.filter((model) => {
@@ -209768,10 +211229,17 @@ var import_jsx_dev_runtime2 = __toESM(require_jsx_dev_runtime(), 1);
 
 // src/tui/context/agent.tsx
 var PREFERRED_DEFAULTS = {
+  pensar: "pensar:anthropic.claude-haiku-4-5-20251001-v1:0",
   anthropic: "claude-haiku-4-5",
   openai: "gpt-4o-mini"
 };
-var PROVIDER_PREFERENCE = ["anthropic", "openai", "openrouter", "bedrock"];
+var PROVIDER_PREFERENCE = [
+  "pensar",
+  "anthropic",
+  "openai",
+  "openrouter",
+  "bedrock"
+];
 var AgentContext = import_react11.createContext(null);
 function useAgent() {
   const context = import_react11.useContext(AgentContext);
@@ -210091,6 +211559,9 @@ function create(prefix, descending2, timestamp) {
   return prefixes[prefix] + "_" + timeBytes.toString("hex") + randomBase62(LENGTH - 12);
 }
 
+// src/core/session/index.ts
+init_installation();
+
 // src/core/storage/index.ts
 init_zod();
 import os3 from "os";
@@ -210509,8 +211980,6 @@ var SessionConfigObject = zod_default.object({
   authenticationInstructions: zod_default.string().optional(),
   requestsPerSecond: zod_default.number().optional(),
   operatorSettings: OperatorSettingsObject.optional(),
-  enableCvssScoring: zod_default.boolean().optional(),
-  cvssModel: zod_default.string().optional(),
   toolsetState: ToolsetStateSchema.optional(),
   enumerateSubdomains: zod_default.boolean().optional(),
   cwd: zod_default.string().optional(),
@@ -211356,14 +212825,8 @@ async function createSwarmSessionFromFlags(flags) {
   return session;
 }
 
-// src/core/config/index.ts
-var config = {
-  get,
-  init,
-  update
-};
-
 // src/tui/command-registry.ts
+init_config2();
 var commands = [
   {
     name: "pentest",
@@ -211648,6 +213111,29 @@ var commands = [
     handler: async () => {
       process.kill(process.pid, "SIGINT");
     }
+  },
+  {
+    name: "auth",
+    description: "Connect to Pensar Console for managed inference",
+    category: "General",
+    handler: async (args, ctx3) => {
+      ctx3.navigate({
+        type: "base",
+        path: "auth"
+      });
+    }
+  },
+  {
+    name: "credits",
+    aliases: ["buy"],
+    description: "Buy credits / check balance",
+    category: "General",
+    handler: async (args, ctx3) => {
+      ctx3.navigate({
+        type: "base",
+        path: "credits"
+      });
+    }
   }
 ];
 var commandRegistry = commands.map((config2) => (ctx3) => ({
@@ -212325,6 +213811,7 @@ function AlertDialog({
 }
 
 // src/tui/components/commands/config-dialog.tsx
+init_config2();
 function ConfigDialog() {
   const route = useRoute();
   const [open, setOpen] = import_react25.useState(false);
@@ -212408,6 +213895,7 @@ function ConfigForm({ appConfig }) {
 var import_react37 = __toESM(require_react(), 1);
 
 // src/tui/context/config.tsx
+init_config2();
 var import_react26 = __toESM(require_react(), 1);
 var ctx3 = import_react26.createContext(null);
 function ConfigProvider({ children, config: config2 }) {
@@ -213006,9 +214494,17 @@ var providerNames = {
   openai: "OpenAI",
   openrouter: "OpenRouter",
   bedrock: "Bedrock",
+  pensar: "Pensar",
   local: "Local LLM"
 };
-var providerOrder = ["anthropic", "openai", "openrouter", "bedrock", "local"];
+var providerOrder = [
+  "pensar",
+  "anthropic",
+  "openai",
+  "openrouter",
+  "bedrock",
+  "local"
+];
 function ModelPicker({
   config: config2,
   selectedModel,
@@ -216338,6 +217834,7 @@ function SessionsBrowser() {
 
 // src/tui/components/commands/provider-manager.tsx
 var import_react50 = __toESM(require_react(), 1);
+init_config2();
 // src/tui/components/commands/provider-selection.tsx
 var import_react47 = __toESM(require_react(), 1);
 function ProviderSelection({
@@ -216525,6 +218022,8 @@ function APIKeyInput({
         return "Get your API key from openrouter.ai/keys";
       case "bedrock":
         return "Enter your AWS Access Key ID (configure region separately) or AWS Bedrock API Key";
+      case "pensar":
+        return "Get your API key from console.pensar.dev/connect (or run /auth)";
       default:
         return "Enter your API key";
     }
@@ -216678,6 +218177,9 @@ function ProviderManager() {
   }, undefined, true, undefined, this);
 }
 
+// src/tui/index.tsx
+init_config2();
+
 // src/tui/components/switch.tsx
 var import_react51 = __toESM(require_react(), 1);
 var CaseSymbol = Symbol("Switch.Case");
@@ -217015,6 +218517,9 @@ function ErrorBoundary2({ children }) {
   return import_react55.default.createElement(ErrorBoundaryInner, { onError: handleError }, children);
 }
 
+// src/tui/index.tsx
+init_installation();
+
 // src/tui/keybindings-registry.ts
 var keybindings = [
   {
@@ -217582,11 +219087,946 @@ function ModelsDisplay() {
   }, undefined, true, undefined, this);
 }
 
+// src/tui/components/commands/auth-flow.tsx
+var import_react60 = __toESM(require_react(), 1);
+init_config2();
+function AuthFlow() {
+  const route = useRoute();
+  const appConfig = useConfig();
+  const isConnected = !!(appConfig.data.accessToken || appConfig.data.pensarAPIKey);
+  const [step, setStep] = import_react60.useState(isConnected ? "success" : "start");
+  const [error, setError] = import_react60.useState(null);
+  const [authMode, setAuthMode] = import_react60.useState(null);
+  const [deviceInfo, setDeviceInfo] = import_react60.useState(null);
+  const [legacyDeviceInfo, setLegacyDeviceInfo] = import_react60.useState(null);
+  const [workspaces, setWorkspaces] = import_react60.useState([]);
+  const [selectedWorkspace, setSelectedWorkspace] = import_react60.useState(null);
+  const [selectedIndex, setSelectedIndex] = import_react60.useState(0);
+  const [billingUrl, setBillingUrl] = import_react60.useState(null);
+  const [balance, setBalance] = import_react60.useState(null);
+  const pollingRef = import_react60.useRef(null);
+  const cancelledRef = import_react60.useRef(false);
+  const connectedWorkspace = appConfig.data.workspaceSlug ? { name: appConfig.data.workspaceSlug, slug: appConfig.data.workspaceSlug } : null;
+  const goHome = () => {
+    route.navigate({ type: "base", path: "home" });
+  };
+  const cleanup = () => {
+    cancelledRef.current = true;
+    if (pollingRef.current) {
+      clearTimeout(pollingRef.current);
+      pollingRef.current = null;
+    }
+  };
+  import_react60.useEffect(() => {
+    return cleanup;
+  }, []);
+  const openUrl = (url) => {
+    try {
+      const platform = process.platform;
+      if (platform === "darwin") {
+        Bun.spawn(["open", url]);
+      } else if (platform === "win32") {
+        Bun.spawn(["cmd", "/c", "start", url]);
+      } else {
+        Bun.spawn(["xdg-open", url]);
+      }
+    } catch {}
+  };
+  const startDeviceFlow = async () => {
+    setStep("requesting");
+    setError(null);
+    cancelledRef.current = false;
+    const apiUrl = getPensarApiUrl(appConfig.data);
+    try {
+      const configResponse = await fetch(`${apiUrl}/api/cli/config`);
+      if (configResponse.ok) {
+        const cliConfig = await configResponse.json();
+        const response = await fetch("https://api.workos.com/user_management/authorize/device", {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ client_id: cliConfig.workosClientId })
+        });
+        if (response.ok) {
+          const data = await response.json();
+          setAuthMode("workos");
+          setDeviceInfo(data);
+          openUrl(data.verification_uri_complete);
+          setStep("polling");
+          pollForToken(apiUrl, cliConfig.workosClientId, data.device_code, data.interval, data.expires_in);
+          return;
+        }
+      }
+    } catch {}
+    try {
+      const response = await fetch(`${apiUrl}/auth/device/code`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" }
+      });
+      if (!response.ok) {
+        throw new Error("Failed to start device authorization");
+      }
+      const data = await response.json();
+      setAuthMode("legacy");
+      setLegacyDeviceInfo(data);
+      openUrl(data.verificationUriComplete);
+      setStep("polling");
+      pollForLegacyToken(apiUrl, data.deviceCode, data.interval, data.expiresIn);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to start authorization");
+      setStep("error");
+    }
+  };
+  const pollForToken = (apiUrl, clientId, deviceCode, interval, expiresIn) => {
+    const deadline = Date.now() + expiresIn * 1000;
+    const poll = async () => {
+      if (cancelledRef.current)
+        return;
+      if (Date.now() > deadline) {
+        setError("Authorization timed out. Please try again.");
+        setStep("error");
+        return;
+      }
+      try {
+        const response = await fetch("https://api.workos.com/user_management/authenticate", {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({
+            client_id: clientId,
+            grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+            device_code: deviceCode
+          })
+        });
+        if (cancelledRef.current)
+          return;
+        if (response.status === 400) {
+          pollingRef.current = setTimeout(poll, interval * 1000);
+          return;
+        }
+        if (!response.ok) {
+          throw new Error("Authentication failed");
+        }
+        const data = await response.json();
+        await config.update({
+          accessToken: data.access_token,
+          refreshToken: data.refresh_token
+        });
+        await appConfig.reload();
+        await fetchWorkspaces(apiUrl, data.access_token);
+      } catch (err) {
+        if (cancelledRef.current)
+          return;
+        pollingRef.current = setTimeout(poll, interval * 1000);
+      }
+    };
+    pollingRef.current = setTimeout(poll, interval * 1000);
+  };
+  const pollForLegacyToken = (apiUrl, deviceCode, interval, expiresIn) => {
+    const deadline = Date.now() + expiresIn * 1000;
+    const poll = async () => {
+      if (cancelledRef.current)
+        return;
+      if (Date.now() > deadline) {
+        setError("Authorization timed out. Please try again.");
+        setStep("error");
+        return;
+      }
+      try {
+        const response = await fetch(`${apiUrl}/auth/device/token`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ deviceCode })
+        });
+        if (!response.ok) {
+          throw new Error("Failed to check authorization status");
+        }
+        const data = await response.json();
+        if (cancelledRef.current)
+          return;
+        if (data.status === "complete" && data.apiKey) {
+          await config.update({ pensarAPIKey: data.apiKey });
+          if (data.workspace) {
+            await config.update({
+              workspaceId: data.workspace.id,
+              workspaceSlug: data.workspace.slug
+            });
+          }
+          appConfig.reload();
+          setSelectedWorkspace(data.workspace ? {
+            ...data.workspace,
+            balance: data.credits?.balance ?? 0,
+            hasPaymentMethod: true
+          } : null);
+          setBalance(data.credits?.balance ?? null);
+          setStep("success");
+          return;
+        }
+        if (data.status === "expired") {
+          setError("Authorization expired. Please try again.");
+          setStep("error");
+          return;
+        }
+        if (data.status === "not_found") {
+          setError("Invalid authorization session. Please try again.");
+          setStep("error");
+          return;
+        }
+        pollingRef.current = setTimeout(poll, interval * 1000);
+      } catch (err) {
+        if (cancelledRef.current)
+          return;
+        pollingRef.current = setTimeout(poll, interval * 1000);
+      }
+    };
+    pollingRef.current = setTimeout(poll, interval * 1000);
+  };
+  const fetchWorkspaces = async (apiUrl, accessToken) => {
+    try {
+      const response = await fetch(`${apiUrl}/api/cli/workspaces`, {
+        headers: { Authorization: `Bearer ${accessToken}` }
+      });
+      if (!response.ok) {
+        throw new Error("Failed to fetch workspaces");
+      }
+      const data = await response.json();
+      if (data.workspaces.length === 0) {
+        setError("No workspaces found. Create one at console.pensar.dev");
+        setStep("error");
+        return;
+      }
+      if (data.workspaces.length === 1) {
+        await selectWorkspace(apiUrl, accessToken, data.workspaces[0]);
+        return;
+      }
+      setWorkspaces(data.workspaces);
+      setSelectedIndex(0);
+      setStep("select-workspace");
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to fetch workspaces");
+      setStep("error");
+    }
+  };
+  const selectWorkspace = async (apiUrl, accessToken, workspace) => {
+    setSelectedWorkspace(workspace);
+    setStep("checking-billing");
+    try {
+      const response = await fetch(`${apiUrl}/api/cli/select-workspace`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${accessToken}`
+        },
+        body: JSON.stringify({ workspaceId: workspace.id })
+      });
+      if (!response.ok) {
+        throw new Error("Failed to select workspace");
+      }
+      const data = await response.json();
+      await config.update({
+        workspaceId: workspace.id,
+        workspaceSlug: workspace.slug
+      });
+      appConfig.reload();
+      setBalance(data.billing.balance);
+      if (!data.confirmed && data.billingUrl) {
+        setBillingUrl(data.billingUrl);
+      }
+      setStep("success");
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to select workspace");
+      setStep("error");
+    }
+  };
+  const handleDisconnect = async () => {
+    await config.update({
+      pensarAPIKey: null,
+      accessToken: null,
+      refreshToken: null,
+      workspaceId: null,
+      workspaceSlug: null
+    });
+    appConfig.reload();
+    setAuthMode(null);
+    setSelectedWorkspace(null);
+    setBalance(null);
+    setBillingUrl(null);
+    setDeviceInfo(null);
+    setLegacyDeviceInfo(null);
+    setStep("start");
+  };
+  const hasLowBalance = balance !== null && balance < 1;
+  const effectiveBillingUrl = billingUrl || (selectedWorkspace?.slug ? `${getPensarConsoleUrl()}/${selectedWorkspace.slug}/settings/billing` : connectedWorkspace?.slug ? `${getPensarConsoleUrl()}/${connectedWorkspace.slug}/settings/billing` : `${getPensarConsoleUrl()}/credits`);
+  const openBillingPage = () => {
+    openUrl(effectiveBillingUrl);
+    goHome();
+  };
+  useKeyboard((key) => {
+    if (key.name === "escape") {
+      cleanup();
+      goHome();
+      return;
+    }
+    if (step === "start") {
+      if (key.name === "return") {
+        startDeviceFlow();
+      }
+    }
+    if (step === "select-workspace") {
+      if (key.name === "up" && selectedIndex > 0) {
+        setSelectedIndex((i) => i - 1);
+      }
+      if (key.name === "down" && selectedIndex < workspaces.length - 1) {
+        setSelectedIndex((i) => i + 1);
+      }
+      if (key.name === "return" && workspaces[selectedIndex]) {
+        const currentConfig = appConfig.data;
+        const apiUrl = getPensarApiUrl(currentConfig);
+        const accessToken = currentConfig.accessToken;
+        selectWorkspace(apiUrl, accessToken, workspaces[selectedIndex]);
+      }
+    }
+    if (step === "error") {
+      if (key.name === "return") {
+        startDeviceFlow();
+      }
+    }
+    if (step === "success") {
+      if (key.name === "return") {
+        if (hasLowBalance || billingUrl) {
+          openBillingPage();
+        } else {
+          goHome();
+        }
+      }
+      if (key.raw === "d" || key.raw === "D") {
+        handleDisconnect();
+      }
+    }
+  });
+  return /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+    flexDirection: "column",
+    width: "100%",
+    maxWidth: 80,
+    alignItems: "flex-start",
+    padding: 1,
+    children: [
+      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+        marginBottom: 1,
+        children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+          fg: "green",
+          children: "Pensar Console — Managed Inference"
+        }, undefined, false, undefined, this)
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+        marginBottom: 1,
+        children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+          fg: "gray",
+          children: [
+            "Connect to Pensar Console for usage-based AI inference.",
+            `
+`,
+            "No API keys needed — just a Pensar account with credits."
+          ]
+        }, undefined, true, undefined, this)
+      }, undefined, false, undefined, this),
+      step === "start" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+        flexDirection: "column",
+        gap: 1,
+        children: [
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "white",
+              children: [
+                "Press ",
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[ENTER]"
+                }, undefined, false, undefined, this),
+                " to authorize via your browser."
+              ]
+            }, undefined, true, undefined, this)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            marginTop: 1,
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "gray",
+              children: [
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[ENTER]"
+                }, undefined, false, undefined, this),
+                " Connect ·",
+                " ",
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[ESC]"
+                }, undefined, false, undefined, this),
+                " Cancel"
+              ]
+            }, undefined, true, undefined, this)
+          }, undefined, false, undefined, this)
+        ]
+      }, undefined, true, undefined, this),
+      step === "requesting" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+        children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+          fg: "yellow",
+          children: "Starting authorization..."
+        }, undefined, false, undefined, this)
+      }, undefined, false, undefined, this),
+      step === "polling" && (deviceInfo || legacyDeviceInfo) && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+        flexDirection: "column",
+        gap: 1,
+        children: [
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "yellow",
+              children: "Waiting for browser authorization..."
+            }, undefined, false, undefined, this)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            marginTop: 1,
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "white",
+              children: [
+                "Your code:",
+                " ",
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: deviceInfo?.user_code || legacyDeviceInfo?.userCode
+                }, undefined, false, undefined, this)
+              ]
+            }, undefined, true, undefined, this)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            marginTop: 1,
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "gray",
+              children: [
+                "If the browser didn't open, visit:",
+                `
+`,
+                deviceInfo?.verification_uri_complete || legacyDeviceInfo?.verificationUriComplete
+              ]
+            }, undefined, true, undefined, this)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            marginTop: 1,
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "gray",
+              children: [
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[ESC]"
+                }, undefined, false, undefined, this),
+                " Cancel"
+              ]
+            }, undefined, true, undefined, this)
+          }, undefined, false, undefined, this)
+        ]
+      }, undefined, true, undefined, this),
+      step === "select-workspace" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+        flexDirection: "column",
+        gap: 1,
+        children: [
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "white",
+              children: "Select a workspace:"
+            }, undefined, false, undefined, this)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            flexDirection: "column",
+            marginTop: 1,
+            children: workspaces.map((ws, i) => /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+              children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                fg: i === selectedIndex ? "green" : "gray",
+                children: [
+                  i === selectedIndex ? "▸ " : "  ",
+                  ws.name,
+                  " ",
+                  /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                    fg: "gray",
+                    children: [
+                      "(",
+                      ws.slug,
+                      ") — $",
+                      ws.balance.toFixed(2)
+                    ]
+                  }, undefined, true, undefined, this)
+                ]
+              }, undefined, true, undefined, this)
+            }, ws.id, false, undefined, this))
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            marginTop: 1,
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "gray",
+              children: [
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[↑/↓]"
+                }, undefined, false, undefined, this),
+                " Navigate ·",
+                " ",
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[ENTER]"
+                }, undefined, false, undefined, this),
+                " Select ·",
+                " ",
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[ESC]"
+                }, undefined, false, undefined, this),
+                " Cancel"
+              ]
+            }, undefined, true, undefined, this)
+          }, undefined, false, undefined, this)
+        ]
+      }, undefined, true, undefined, this),
+      step === "checking-billing" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+        children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+          fg: "yellow",
+          children: [
+            "Checking billing for ",
+            selectedWorkspace?.name,
+            "..."
+          ]
+        }, undefined, true, undefined, this)
+      }, undefined, false, undefined, this),
+      step === "success" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+        flexDirection: "column",
+        gap: 1,
+        children: [
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "green",
+              children: "Connected to Pensar Console"
+            }, undefined, false, undefined, this)
+          }, undefined, false, undefined, this),
+          (selectedWorkspace || connectedWorkspace) && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            flexDirection: "column",
+            children: [
+              /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                fg: "white",
+                children: [
+                  "Workspace: ",
+                  selectedWorkspace?.name || connectedWorkspace?.name
+                ]
+              }, undefined, true, undefined, this),
+              balance !== null && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                fg: "white",
+                children: [
+                  "Credits:",
+                  " ",
+                  /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                    fg: hasLowBalance ? "yellow" : "white",
+                    children: [
+                      "$",
+                      balance.toFixed(2)
+                    ]
+                  }, undefined, true, undefined, this)
+                ]
+              }, undefined, true, undefined, this)
+            ]
+          }, undefined, true, undefined, this),
+          (hasLowBalance || billingUrl) && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            marginTop: 1,
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "yellow",
+              children: [
+                billingUrl ? "Your workspace needs credits to use Apex CLI." : "Your credit balance is very low. We recommend at least $30 to run",
+                `
+`,
+                billingUrl ? "Press ENTER to open billing and add credits." : "pentests without interruptions. Press ENTER to open billing."
+              ]
+            }, undefined, true, undefined, this)
+          }, undefined, false, undefined, this),
+          !selectedWorkspace && !connectedWorkspace && appConfig.data.pensarAPIKey && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "gray",
+              children: "Already connected (legacy key saved in config)"
+            }, undefined, false, undefined, this)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            marginTop: 1,
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "gray",
+              children: "Pensar models are now available in the model selector."
+            }, undefined, false, undefined, this)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            marginTop: 1,
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "gray",
+              children: [
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[ENTER]"
+                }, undefined, false, undefined, this),
+                " ",
+                hasLowBalance || billingUrl ? "Open billing" : "Done",
+                " ·",
+                " ",
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "red",
+                  children: "[D]"
+                }, undefined, false, undefined, this),
+                " Disconnect ·",
+                " ",
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[ESC]"
+                }, undefined, false, undefined, this),
+                " Back"
+              ]
+            }, undefined, true, undefined, this)
+          }, undefined, false, undefined, this)
+        ]
+      }, undefined, true, undefined, this),
+      step === "error" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+        flexDirection: "column",
+        gap: 1,
+        children: [
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "red",
+              children: error
+            }, undefined, false, undefined, this)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            marginTop: 1,
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "gray",
+              children: [
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[ENTER]"
+                }, undefined, false, undefined, this),
+                " Try again ·",
+                " ",
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[ESC]"
+                }, undefined, false, undefined, this),
+                " Cancel"
+              ]
+            }, undefined, true, undefined, this)
+          }, undefined, false, undefined, this)
+        ]
+      }, undefined, true, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+
+// src/tui/components/commands/credits-flow.tsx
+var import_react62 = __toESM(require_react(), 1);
+init_tokenRefresh();
+function CreditsFlow() {
+  const route = useRoute();
+  const appConfig = useConfig();
+  const [step, setStep] = import_react62.useState("loading");
+  const [credits, setCredits] = import_react62.useState(null);
+  const [error, setError] = import_react62.useState(null);
+  const creditsUrl = `${getPensarConsoleUrl()}/credits`;
+  const goHome = () => {
+    route.navigate({ type: "base", path: "home" });
+  };
+  const openBrowser = () => {
+    const url = creditsUrl;
+    try {
+      const platform = process.platform;
+      if (platform === "darwin") {
+        Bun.spawn(["open", url]);
+      } else if (platform === "win32") {
+        Bun.spawn(["cmd", "/c", "start", url]);
+      } else {
+        Bun.spawn(["xdg-open", url]);
+      }
+    } catch {}
+    setStep("browser-opened");
+  };
+  const fetchBalance = async () => {
+    const tokenResult = await ensureValidToken({
+      accessToken: appConfig.data.accessToken,
+      refreshToken: appConfig.data.refreshToken,
+      pensarAPIKey: appConfig.data.pensarAPIKey,
+      pensarApiUrl: appConfig.data.pensarApiUrl
+    });
+    if (!tokenResult) {
+      setStep("no-auth");
+      return;
+    }
+    setStep("loading");
+    setError(null);
+    try {
+      const apiUrl = getPensarApiUrl(appConfig.data);
+      const headers = {
+        Authorization: `Bearer ${tokenResult.token}`
+      };
+      if (tokenResult.type === "workos" && appConfig.data.workspaceId) {
+        headers["X-Workspace-Id"] = appConfig.data.workspaceId;
+      }
+      const response = await fetch(`${apiUrl}/bedrock/validate`, {
+        method: "GET",
+        headers
+      });
+      if (!response.ok) {
+        throw new Error("Failed to fetch balance");
+      }
+      const result = await response.json();
+      setCredits({
+        balance: result.credits.balance,
+        workspace: result.workspace.name
+      });
+      setStep("display");
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to fetch balance");
+      setStep("display");
+    }
+  };
+  import_react62.useEffect(() => {
+    fetchBalance();
+  }, []);
+  useKeyboard((key) => {
+    if (key.name === "escape") {
+      goHome();
+      return;
+    }
+    if (step === "no-auth") {
+      if (key.name === "return") {
+        route.navigate({ type: "base", path: "auth" });
+      }
+    }
+    if (step === "display") {
+      if (key.name === "return") {
+        openBrowser();
+      }
+      if (key.raw === "r" || key.raw === "R") {
+        fetchBalance();
+      }
+    }
+    if (step === "browser-opened") {
+      if (key.name === "return") {
+        fetchBalance();
+      }
+    }
+  });
+  return /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+    flexDirection: "column",
+    width: "100%",
+    maxWidth: 80,
+    alignItems: "flex-start",
+    padding: 1,
+    children: [
+      /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+        marginBottom: 1,
+        children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+          fg: "green",
+          children: "Credits"
+        }, undefined, false, undefined, this)
+      }, undefined, false, undefined, this),
+      step === "loading" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+        children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+          fg: "yellow",
+          children: "Fetching balance..."
+        }, undefined, false, undefined, this)
+      }, undefined, false, undefined, this),
+      step === "no-auth" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+        flexDirection: "column",
+        gap: 1,
+        children: [
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "yellow",
+              children: "Not connected to Pensar Console."
+            }, undefined, false, undefined, this)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "gray",
+              children: [
+                "Run ",
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "/auth"
+                }, undefined, false, undefined, this),
+                " first to connect your account."
+              ]
+            }, undefined, true, undefined, this)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            marginTop: 1,
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "gray",
+              children: [
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[ENTER]"
+                }, undefined, false, undefined, this),
+                " Run /auth ·",
+                " ",
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[ESC]"
+                }, undefined, false, undefined, this),
+                " Back"
+              ]
+            }, undefined, true, undefined, this)
+          }, undefined, false, undefined, this)
+        ]
+      }, undefined, true, undefined, this),
+      step === "display" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+        flexDirection: "column",
+        gap: 1,
+        children: [
+          error ? /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "red",
+              children: [
+                "Error: ",
+                error
+              ]
+            }, undefined, true, undefined, this)
+          }, undefined, false, undefined, this) : credits ? /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV(import_jsx_dev_runtime2.Fragment, {
+            children: [
+              /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                  fg: "white",
+                  children: [
+                    "Workspace: ",
+                    credits.workspace
+                  ]
+                }, undefined, true, undefined, this)
+              }, undefined, false, undefined, this),
+              /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                  fg: "white",
+                  children: [
+                    "Balance:",
+                    " ",
+                    /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                      fg: credits.balance < 5 ? "yellow" : "green",
+                      children: [
+                        "$",
+                        credits.balance.toFixed(2)
+                      ]
+                    }, undefined, true, undefined, this)
+                  ]
+                }, undefined, true, undefined, this)
+              }, undefined, false, undefined, this),
+              credits.balance < 5 && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+                marginTop: 1,
+                children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                  fg: "yellow",
+                  children: "Low balance. We recommend at least $30 for uninterrupted pentest runs."
+                }, undefined, false, undefined, this)
+              }, undefined, false, undefined, this)
+            ]
+          }, undefined, true, undefined, this) : null,
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            marginTop: 1,
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "gray",
+              children: [
+                "Press ",
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[ENTER]"
+                }, undefined, false, undefined, this),
+                " to buy credits in your browser."
+              ]
+            }, undefined, true, undefined, this)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "gray",
+              children: [
+                "Or visit: ",
+                creditsUrl
+              ]
+            }, undefined, true, undefined, this)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            marginTop: 1,
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "gray",
+              children: [
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[ENTER]"
+                }, undefined, false, undefined, this),
+                " Open browser ·",
+                " ",
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[R]"
+                }, undefined, false, undefined, this),
+                " Refresh ·",
+                " ",
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[ESC]"
+                }, undefined, false, undefined, this),
+                " Back"
+              ]
+            }, undefined, true, undefined, this)
+          }, undefined, false, undefined, this)
+        ]
+      }, undefined, true, undefined, this),
+      step === "browser-opened" && /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+        flexDirection: "column",
+        gap: 1,
+        children: [
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "green",
+              children: "Browser opened. Purchase credits on the Pensar Console."
+            }, undefined, false, undefined, this)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            marginTop: 1,
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "gray",
+              children: [
+                "Press ",
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[ENTER]"
+                }, undefined, false, undefined, this),
+                " to refresh your balance after purchasing."
+              ]
+            }, undefined, true, undefined, this)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
+            marginTop: 1,
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+              fg: "gray",
+              children: [
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[ENTER]"
+                }, undefined, false, undefined, this),
+                " Refresh balance ·",
+                " ",
+                /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("span", {
+                  fg: "green",
+                  children: "[ESC]"
+                }, undefined, false, undefined, this),
+                " Back"
+              ]
+            }, undefined, true, undefined, this)
+          }, undefined, false, undefined, this)
+        ]
+      }, undefined, true, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+
 // src/tui/context/keybinding.tsx
-var import_react64 = __toESM(require_react(), 1);
+var import_react68 = __toESM(require_react(), 1);
 
 // src/tui/keybindings/keybind.tsx
-var import_react60 = __toESM(require_react(), 1);
+var import_react64 = __toESM(require_react(), 1);
 
 // src/tui/keybindings/actions.ts
 var movementActions = [
@@ -217838,7 +220278,7 @@ var allActions = [
 var actionsByKey = new Map(allActions.map((action) => [action.key, action]));
 var actionsById = new Map(allActions.map((action) => [action.id, action]));
 // src/tui/keybindings/keybind.tsx
-var LeaderKeyContext = import_react60.createContext(null);
+var LeaderKeyContext = import_react64.createContext(null);
 // src/tui/keybindings/registry.ts
 function createKeybindings(deps) {
   const {
@@ -218016,7 +220456,7 @@ function matchesKeybind(pressed, combo) {
 }
 
 // src/tui/context/keybinding.tsx
-var KeybindingContext = import_react64.createContext(undefined);
+var KeybindingContext = import_react68.createContext(undefined);
 function KeybindingProvider({
   children,
   deps
@@ -218055,7 +220495,7 @@ function KeybindingProvider({
 }
 
 // src/tui/components/pentest/pentest.tsx
-var import_react73 = __toESM(require_react(), 1);
+var import_react77 = __toESM(require_react(), 1);
 import { existsSync as existsSync19, readdirSync as readdirSync5, readFileSync as readFileSync9 } from "fs";
 import { join as join19 } from "path";
 import { exec as exec3 } from "child_process";
@@ -218070,7 +220510,7 @@ import { join as join18 } from "path";
 // src/core/workflows/whiteboxAttackSurface.ts
 init_zod();
 init_agent4();
-init_types4();
+init_types5();
 var DEFAULT_CONCURRENCY3 = 5;
 var WHITEBOX_CODE_AGENT_SYSTEM_PROMPT = `You are an expert source-code analyst with direct filesystem access. You will be given a specific objective — focus exclusively on completing it.
 
@@ -218608,8 +221048,11 @@ Found ${findings.length} vulnerabilities`);
   return { findings, findingsPath, pocsPath, reportPath };
 }
 
+// src/tui/components/pentest/pentest.tsx
+init_utils2();
+
 // src/tui/components/agent-display.tsx
-var import_react71 = __toESM(require_react(), 1);
+var import_react75 = __toESM(require_react(), 1);
 
 // node_modules/marked/lib/marked.esm.js
 function L2() {
@@ -220375,14 +222818,14 @@ function getResultSummary(result, toolName) {
   return null;
 }
 // src/tui/components/shared/ascii-spinner.tsx
-var import_react65 = __toESM(require_react(), 1);
+var import_react69 = __toESM(require_react(), 1);
 var SPINNER_FRAMES = ["/", "-", "\\", "|"];
 var SPINNER_INTERVAL = 100;
 function AsciiSpinner({ label, fg: fg2 }) {
   const { colors: colors2 } = useTheme();
   const spinnerColor = fg2 ?? colors2.info;
-  const [frame, setFrame] = import_react65.useState(0);
-  import_react65.useEffect(() => {
+  const [frame, setFrame] = import_react69.useState(0);
+  import_react69.useEffect(() => {
     const interval = setInterval(() => {
       setFrame((f3) => (f3 + 1) % SPINNER_FRAMES.length);
     }, SPINNER_INTERVAL);
@@ -220394,14 +222837,14 @@ function AsciiSpinner({ label, fg: fg2 }) {
   }, undefined, false, undefined, this);
 }
 // src/tui/components/shared/tool-renderer.tsx
-var import_react66 = __toESM(require_react(), 1);
-var ToolRenderer = import_react66.memo(function ToolRenderer2({
+var import_react70 = __toESM(require_react(), 1);
+var ToolRenderer = import_react70.memo(function ToolRenderer2({
   message,
   verbose = false,
   expandedLogs = false
 }) {
   const { colors: colors2 } = useTheme();
-  const [showOutput, setShowOutput] = import_react66.useState(false);
+  const [showOutput, setShowOutput] = import_react70.useState(false);
   if (!isToolMessage(message)) {
     return null;
   }
@@ -220498,8 +222941,8 @@ var ToolRenderer = import_react66.memo(function ToolRenderer2({
   }, undefined, true, undefined, this);
 });
 // src/tui/components/shared/message-renderer.tsx
-var import_react67 = __toESM(require_react(), 1);
-var MessageRenderer = import_react67.memo(function MessageRenderer2({
+var import_react71 = __toESM(require_react(), 1);
+var MessageRenderer = import_react71.memo(function MessageRenderer2({
   message,
   isStreaming = false,
   verbose = false,
@@ -220509,7 +222952,7 @@ var MessageRenderer = import_react67.memo(function MessageRenderer2({
 }) {
   const { colors: colors2 } = useTheme();
   const content = typeof message.content === "string" ? message.content : JSON.stringify(message.content);
-  const displayContent = import_react67.useMemo(() => message.role === "assistant" ? markdownToStyledText(content, colors2) : content, [content, message.role, colors2]);
+  const displayContent = import_react71.useMemo(() => message.role === "assistant" ? markdownToStyledText(content, colors2) : content, [content, message.role, colors2]);
   if (isToolMessage(message)) {
     return /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV(ToolRenderer, {
       message,
@@ -220621,9 +223064,9 @@ var MessageRenderer = import_react67.memo(function MessageRenderer2({
   }, undefined, false, undefined, this);
 });
 // src/tui/components/shared/approval-prompt.tsx
-var import_react68 = __toESM(require_react(), 1);
+var import_react72 = __toESM(require_react(), 1);
 // src/tui/components/shared/message-reducer.ts
-var import_react70 = __toESM(require_react(), 1);
+var import_react74 = __toESM(require_react(), 1);
 // src/tui/components/agent-display.tsx
 function getStableKey(item, contextId = "root") {
   if ("messages" in item) {
@@ -220699,11 +223142,11 @@ function AgentDisplay({
     ]
   }, undefined, true, undefined, this);
 }
-var SubAgentDisplay = import_react71.memo(function SubAgentDisplay2({
+var SubAgentDisplay = import_react75.memo(function SubAgentDisplay2({
   subagent
 }) {
   const { colors: colors2 } = useTheme();
-  const [open, setOpen] = import_react71.useState(false);
+  const [open, setOpen] = import_react75.useState(false);
   return /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
     height: open ? 40 : "auto",
     onMouseDown: () => setOpen(!open),
@@ -220758,7 +223201,7 @@ var SubAgentDisplay = import_react71.memo(function SubAgentDisplay2({
     ]
   }, undefined, true, undefined, this);
 });
-var AgentMessage = import_react71.memo(function AgentMessage2({
+var AgentMessage = import_react75.memo(function AgentMessage2({
   message
 }) {
   const { colors: colors2 } = useTheme();
@@ -220822,9 +223265,9 @@ var AgentMessage = import_react71.memo(function AgentMessage2({
                   flexDirection: "column",
                   marginTop: 0,
                   paddingLeft: 2,
-                  children: streamingLogs.slice(-3).map((log, idx) => /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
+                  children: streamingLogs.slice(-3).map((log2, idx) => /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("text", {
                     fg: colors2.textMuted,
-                    content: log.length > 100 ? log.slice(0, 100) + "…" : log
+                    content: log2.length > 100 ? log2.slice(0, 100) + "…" : log2
                   }, idx, false, undefined, this))
                 }, undefined, false, undefined, this)
               ]
@@ -220871,8 +223314,8 @@ var AgentMessage = import_react71.memo(function AgentMessage2({
 });
 function ToolDetails({ message }) {
   const { colors: colors2 } = useTheme();
-  const [showArgs, setShowArgs] = import_react71.useState(false);
-  const [showResult, setShowResult] = import_react71.useState(false);
+  const [showArgs, setShowArgs] = import_react75.useState(false);
+  const [showResult, setShowResult] = import_react75.useState(false);
   if (message.role !== "tool") {
     return null;
   }
@@ -220950,24 +223393,24 @@ function Pentest({ sessionId }) {
   const config3 = useConfig();
   const { model, setThinking, setIsExecuting, isExecuting } = useAgent();
   const { stack, externalDialogOpen } = useDialog();
-  const [session, setSession] = import_react73.useState(null);
-  const [error40, setError] = import_react73.useState(null);
-  const [phase, setPhase] = import_react73.useState("loading");
-  const [abortController, setAbortController] = import_react73.useState(null);
-  const [panelMessages, setPanelMessages] = import_react73.useState([]);
-  const panelTextRef = import_react73.useRef("");
-  const panelSourceRef = import_react73.useRef(null);
-  const [pentestAgents, setPentestAgents] = import_react73.useState({});
-  const pentestTextRefs = import_react73.useRef({});
-  const [assets, setAssets] = import_react73.useState([]);
-  const [viewMode, setViewMode] = import_react73.useState("overview");
-  const [selectedAgentId, setSelectedAgentId] = import_react73.useState(null);
-  const [focusedIndex, setFocusedIndex] = import_react73.useState(0);
-  const [showOrchestratorPanel, setShowOrchestratorPanel] = import_react73.useState(false);
-  const [startTime, setStartTime] = import_react73.useState(null);
-  const pentestAgentList = import_react73.useMemo(() => Object.values(pentestAgents).sort((a, b3) => a.createdAt.getTime() - b3.createdAt.getTime()), [pentestAgents]);
-  const selectedAgent = import_react73.useMemo(() => selectedAgentId ? pentestAgents[selectedAgentId] ?? null : null, [pentestAgents, selectedAgentId]);
-  import_react73.useEffect(() => {
+  const [session, setSession] = import_react77.useState(null);
+  const [error40, setError] = import_react77.useState(null);
+  const [phase, setPhase] = import_react77.useState("loading");
+  const [abortController, setAbortController] = import_react77.useState(null);
+  const [panelMessages, setPanelMessages] = import_react77.useState([]);
+  const panelTextRef = import_react77.useRef("");
+  const panelSourceRef = import_react77.useRef(null);
+  const [pentestAgents, setPentestAgents] = import_react77.useState({});
+  const pentestTextRefs = import_react77.useRef({});
+  const [assets, setAssets] = import_react77.useState([]);
+  const [viewMode, setViewMode] = import_react77.useState("overview");
+  const [selectedAgentId, setSelectedAgentId] = import_react77.useState(null);
+  const [focusedIndex, setFocusedIndex] = import_react77.useState(0);
+  const [showOrchestratorPanel, setShowOrchestratorPanel] = import_react77.useState(false);
+  const [startTime, setStartTime] = import_react77.useState(null);
+  const pentestAgentList = import_react77.useMemo(() => Object.values(pentestAgents).sort((a, b3) => a.createdAt.getTime() - b3.createdAt.getTime()), [pentestAgents]);
+  const selectedAgent = import_react77.useMemo(() => selectedAgentId ? pentestAgents[selectedAgentId] ?? null : null, [pentestAgents, selectedAgentId]);
+  import_react77.useEffect(() => {
     async function load() {
       try {
         const s2 = await sessions.get(sessionId);
@@ -220984,7 +223427,7 @@ function Pentest({ sessionId }) {
     }
     load();
   }, [sessionId]);
-  import_react73.useEffect(() => {
+  import_react77.useEffect(() => {
     if (!session)
       return;
     const assetsPath = join19(session.rootPath, "assets");
@@ -221007,12 +223450,12 @@ function Pentest({ sessionId }) {
     const interval = setInterval(readAssets, 2000);
     return () => clearInterval(interval);
   }, [session]);
-  import_react73.useEffect(() => {
+  import_react77.useEffect(() => {
     return () => {
       abortController?.abort();
     };
   }, [abortController]);
-  const ensurePentestAgent = import_react73.useCallback((subagentId) => {
+  const ensurePentestAgent = import_react77.useCallback((subagentId) => {
     setPentestAgents((prev) => {
       if (prev[subagentId])
         return prev;
@@ -221029,7 +223472,7 @@ function Pentest({ sessionId }) {
       };
     });
   }, []);
-  const handleSubagentSpawn = import_react73.useCallback(({
+  const handleSubagentSpawn = import_react77.useCallback(({
     subagentId,
     input
   }) => {
@@ -221049,7 +223492,7 @@ function Pentest({ sessionId }) {
       }
     }));
   }, []);
-  const handleSubagentComplete = import_react73.useCallback(({ subagentId, status }) => {
+  const handleSubagentComplete = import_react77.useCallback(({ subagentId, status }) => {
     if (!subagentId.startsWith("pentest-agent-"))
       return;
     setPentestAgents((prev) => {
@@ -221062,7 +223505,7 @@ function Pentest({ sessionId }) {
       };
     });
   }, []);
-  const appendPanelText = import_react73.useCallback((source, text2) => {
+  const appendPanelText = import_react77.useCallback((source, text2) => {
     if (panelSourceRef.current !== source) {
       panelTextRef.current = "";
       panelSourceRef.current = source;
@@ -221087,7 +223530,7 @@ function Pentest({ sessionId }) {
       ];
     });
   }, []);
-  const appendPentestText = import_react73.useCallback((subagentId, text2) => {
+  const appendPentestText = import_react77.useCallback((subagentId, text2) => {
     ensurePentestAgent(subagentId);
     if (!pentestTextRefs.current[subagentId]) {
       pentestTextRefs.current[subagentId] = "";
@@ -221120,7 +223563,7 @@ function Pentest({ sessionId }) {
       };
     });
   }, [ensurePentestAgent]);
-  const addPanelToolCall = import_react73.useCallback((toolCallId, toolName, args) => {
+  const addPanelToolCall = import_react77.useCallback((toolCallId, toolName, args) => {
     panelTextRef.current = "";
     panelSourceRef.current = null;
     const description = typeof args?.toolCallDescription === "string" ? args.toolCallDescription : toolName;
@@ -221139,7 +223582,7 @@ function Pentest({ sessionId }) {
       return [...prev, msg];
     });
   }, []);
-  const addPentestToolCall = import_react73.useCallback((subagentId, toolCallId, toolName, args) => {
+  const addPentestToolCall = import_react77.useCallback((subagentId, toolCallId, toolName, args) => {
     pentestTextRefs.current[subagentId] = "";
     ensurePentestAgent(subagentId);
     const description = typeof args?.toolCallDescription === "string" ? args.toolCallDescription : toolName;
@@ -221184,12 +223627,12 @@ function Pentest({ sessionId }) {
       }
     ];
   };
-  const updatePanelToolResult = import_react73.useCallback((toolCallId, toolName, result) => {
+  const updatePanelToolResult = import_react77.useCallback((toolCallId, toolName, result) => {
     panelTextRef.current = "";
     panelSourceRef.current = null;
     setPanelMessages((prev) => toolResultUpdater(prev, toolCallId, toolName, result));
   }, []);
-  const updatePentestToolResult = import_react73.useCallback((subagentId, toolCallId, toolName, result) => {
+  const updatePentestToolResult = import_react77.useCallback((subagentId, toolCallId, toolName, result) => {
     pentestTextRefs.current[subagentId] = "";
     setPentestAgents((prev) => {
       const agent = prev[subagentId];
@@ -221204,7 +223647,7 @@ function Pentest({ sessionId }) {
       };
     });
   }, []);
-  const startPentest = import_react73.useCallback(async (s2) => {
+  const startPentest = import_react77.useCallback(async (s2) => {
     setPhase("discovery");
     setStartTime(new Date);
     setIsExecuting(true);
@@ -221218,12 +223661,7 @@ function Pentest({ sessionId }) {
         session: s2,
         model: model.id,
         abortSignal: controller.signal,
-        authConfig: {
-          anthropicAPIKey: config3.data.anthropicAPIKey ?? undefined,
-          openAiAPIKey: config3.data.openAiAPIKey ?? undefined,
-          openRouterAPIKey: config3.data.openRouterAPIKey ?? undefined,
-          local: config3.data.localModelUrl ? { baseURL: config3.data.localModelUrl } : undefined
-        },
+        authConfig: buildAuthConfig(config3.data),
         callbacks: {
           onTextDelta: (d3) => {
             setThinking(false);
@@ -221306,7 +223744,7 @@ function Pentest({ sessionId }) {
     handleSubagentSpawn,
     handleSubagentComplete
   ]);
-  import_react73.useEffect(() => {
+  import_react77.useEffect(() => {
     if (session && phase === "loading") {
       startPentest(session);
     }
@@ -221368,7 +223806,7 @@ function Pentest({ sessionId }) {
       }
     }
   });
-  const openReport = import_react73.useCallback(() => {
+  const openReport = import_react77.useCallback(() => {
     if (!session)
       return;
     const reportPath = join19(session.rootPath, "pentest-report.md");
@@ -221560,7 +223998,7 @@ function OrchestratorPanel({
 }) {
   const { colors: colors2 } = useTheme();
   const isRunning = phase !== "loading" && phase !== "completed" && phase !== "error";
-  const assetSummary = import_react73.useMemo(() => {
+  const assetSummary = import_react77.useMemo(() => {
     const byType = {};
     for (const a of assets) {
       const key = a.assetType;
@@ -221809,7 +224247,7 @@ function AgentCardGrid({
   onSelectAgent
 }) {
   const { colors: colors2 } = useTheme();
-  const rows = import_react73.useMemo(() => {
+  const rows = import_react77.useMemo(() => {
     const result = [];
     for (let i2 = 0;i2 < agents.length; i2 += 2) {
       result.push(agents.slice(i2, i2 + 2));
@@ -221857,14 +224295,14 @@ function AgentCard({
     completed: colors2.primary,
     failed: colors2.error
   }[agent.status];
-  const lastActivity = import_react73.useMemo(() => {
+  const lastActivity = import_react77.useMemo(() => {
     const last = agent.messages[agent.messages.length - 1];
     if (!last)
       return "Starting...";
     const text2 = typeof last.content === "string" ? last.content.replace(/\n/g, " ").trim() : "Working...";
     return text2.length > 50 ? text2.substring(0, 47) + "..." : text2;
   }, [agent.messages]);
-  const toolCalls = import_react73.useMemo(() => agent.messages.filter((m4) => m4.role === "tool").length, [agent.messages]);
+  const toolCalls = import_react77.useMemo(() => agent.messages.filter((m4) => m4.role === "tool").length, [agent.messages]);
   return /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV("box", {
     flexGrow: 1,
     flexBasis: 0,
@@ -222051,8 +224489,8 @@ function MetricsBar({
   isExecuting
 }) {
   const { colors: colors2 } = useTheme();
-  const [now2, setNow] = import_react73.useState(Date.now());
-  import_react73.useEffect(() => {
+  const [now2, setNow] = import_react77.useState(Date.now());
+  import_react77.useEffect(() => {
     if (!isExecuting)
       return;
     const interval = setInterval(() => setNow(Date.now()), 1000);
@@ -222195,7 +224633,7 @@ function MetricsBar({
 }
 
 // src/tui/components/operator-dashboard/index.tsx
-var import_react78 = __toESM(require_react(), 1);
+var import_react82 = __toESM(require_react(), 1);
 
 // src/core/api/offesecAgent.ts
 init_offensiveSecurityAgent();
@@ -222210,6 +224648,9 @@ async function runOffensiveSecurityAgent(input) {
   });
 }
 
+// src/tui/components/operator-dashboard/index.tsx
+init_utils2();
+
 // src/core/agents/offSecAgent/index.ts
 init_offensiveSecurityAgent();
 init_tools();
@@ -222292,7 +224733,7 @@ function InlineApprovalPrompt2({ approval }) {
 }
 
 // src/tui/components/chat/loading-indicator.tsx
-var import_react75 = __toESM(require_react(), 1);
+var import_react79 = __toESM(require_react(), 1);
 var SPINNER_FRAMES2 = ["⠋", "⠙", "⠹", "⠸", "⠼", "⠴", "⠦", "⠧", "⠇", "⠏"];
 var SPINNER_INTERVAL2 = 80;
 var DOTS_FRAMES = ["", ".", "..", "..."];
@@ -222303,15 +224744,15 @@ function LoadingIndicator({
   toolName
 }) {
   const { colors: colors2 } = useTheme();
-  const [spinnerFrame, setSpinnerFrame] = import_react75.useState(0);
-  const [dotsFrame, setDotsFrame] = import_react75.useState(0);
-  import_react75.useEffect(() => {
+  const [spinnerFrame, setSpinnerFrame] = import_react79.useState(0);
+  const [dotsFrame, setDotsFrame] = import_react79.useState(0);
+  import_react79.useEffect(() => {
     const interval = setInterval(() => {
       setSpinnerFrame((f3) => (f3 + 1) % SPINNER_FRAMES2.length);
     }, SPINNER_INTERVAL2);
     return () => clearInterval(interval);
   }, []);
-  import_react75.useEffect(() => {
+  import_react79.useEffect(() => {
     const interval = setInterval(() => {
       setDotsFrame((f3) => (f3 + 1) % DOTS_FRAMES.length);
     }, DOTS_INTERVAL);
@@ -222581,7 +225022,7 @@ function MessageList({
 }
 
 // src/tui/components/chat/input-area.tsx
-var import_react76 = __toESM(require_react(), 1);
+var import_react80 = __toESM(require_react(), 1);
 function NormalInputAreaInner({
   value,
   onChange,
@@ -222596,17 +225037,17 @@ function NormalInputAreaInner({
 }) {
   const { colors: colors2 } = useTheme();
   const { inputValue, setInputValue } = useInput();
-  const promptRef = import_react76.useRef(null);
-  const isExternalUpdate = import_react76.useRef(false);
+  const promptRef = import_react80.useRef(null);
+  const isExternalUpdate = import_react80.useRef(false);
   const isDisabled = status === "running";
-  import_react76.useEffect(() => {
+  import_react80.useEffect(() => {
     if (value !== inputValue) {
       isExternalUpdate.current = true;
       setInputValue(value);
       promptRef.current?.setValue(value);
     }
   }, [value]);
-  import_react76.useEffect(() => {
+  import_react80.useEffect(() => {
     if (isExternalUpdate.current) {
       isExternalUpdate.current = false;
       return;
@@ -222756,7 +225197,7 @@ function ApprovalInputArea2({
   lastDeclineNote
 }) {
   const { colors: colors2 } = useTheme();
-  const [focusedElement, setFocusedElement] = import_react76.useState(0);
+  const [focusedElement, setFocusedElement] = import_react80.useState(0);
   const tierColor = getTierColor(colors2, approval.tier);
   useKeyboard((key) => {
     if (key.name === "up") {
@@ -222878,20 +225319,20 @@ function OperatorDashboard({
   const route = useRoute();
   const config3 = useConfig();
   const { model, setThinking, setIsExecuting } = useAgent();
-  const [session, setSession] = import_react78.useState(null);
-  const [loading, setLoading] = import_react78.useState(true);
-  const [error40, setError] = import_react78.useState(null);
-  const [status, setStatus] = import_react78.useState("idle");
-  const abortControllerRef = import_react78.useRef(null);
-  const [messages, setMessages] = import_react78.useState([]);
-  const textRef = import_react78.useRef("");
-  const [inputValue, setInputValue] = import_react78.useState("");
-  const [operatorState, setOperatorState] = import_react78.useState(() => createInitialOperatorState("manual", 2));
-  const [pendingApprovals] = import_react78.useState([]);
-  const [lastApprovedAction] = import_react78.useState(null);
-  const [verboseMode, setVerboseMode] = import_react78.useState(false);
-  const [expandedLogs, setExpandedLogs] = import_react78.useState(false);
-  import_react78.useEffect(() => {
+  const [session, setSession] = import_react82.useState(null);
+  const [loading, setLoading] = import_react82.useState(true);
+  const [error40, setError] = import_react82.useState(null);
+  const [status, setStatus] = import_react82.useState("idle");
+  const abortControllerRef = import_react82.useRef(null);
+  const [messages, setMessages] = import_react82.useState([]);
+  const textRef = import_react82.useRef("");
+  const [inputValue, setInputValue] = import_react82.useState("");
+  const [operatorState, setOperatorState] = import_react82.useState(() => createInitialOperatorState("manual", 2));
+  const [pendingApprovals] = import_react82.useState([]);
+  const [lastApprovedAction] = import_react82.useState(null);
+  const [verboseMode, setVerboseMode] = import_react82.useState(false);
+  const [expandedLogs, setExpandedLogs] = import_react82.useState(false);
+  import_react82.useEffect(() => {
     async function loadSession() {
       try {
         const s2 = await sessions.get(sessionId);
@@ -222923,7 +225364,7 @@ function OperatorDashboard({
     }
     loadSession();
   }, [sessionId, isResume]);
-  const appendText = import_react78.useCallback((text2) => {
+  const appendText = import_react82.useCallback((text2) => {
     textRef.current += text2;
     const accumulated = textRef.current;
     setMessages((prev) => {
@@ -222939,7 +225380,7 @@ function OperatorDashboard({
       ];
     });
   }, []);
-  const addToolCall = import_react78.useCallback((toolCallId, toolName, args) => {
+  const addToolCall = import_react82.useCallback((toolCallId, toolName, args) => {
     textRef.current = "";
     setMessages((prev) => [
       ...prev,
@@ -222954,7 +225395,7 @@ function OperatorDashboard({
       }
     ]);
   }, []);
-  const updateToolResult = import_react78.useCallback((toolCallId, _toolName, result) => {
+  const updateToolResult = import_react82.useCallback((toolCallId, _toolName, result) => {
     textRef.current = "";
     setMessages((prev) => {
       const idx = prev.findIndex((m4) => isToolMessage(m4) && m4.toolCallId === toolCallId);
@@ -222965,7 +225406,7 @@ function OperatorDashboard({
       return updated;
     });
   }, []);
-  const runAgent = import_react78.useCallback(async (prompt) => {
+  const runAgent = import_react82.useCallback(async (prompt) => {
     if (!session)
       return;
     setStatus("running");
@@ -222989,12 +225430,7 @@ function OperatorDashboard({
         target: session.targets[0],
         activeTools: [...ALL_TOOL_NAMES],
         abortSignal: controller.signal,
-        authConfig: {
-          anthropicAPIKey: config3.data.anthropicAPIKey ?? undefined,
-          openAiAPIKey: config3.data.openAiAPIKey ?? undefined,
-          openRouterAPIKey: config3.data.openRouterAPIKey ?? undefined,
-          local: config3.data.localModelUrl ? { baseURL: config3.data.localModelUrl } : undefined
-        },
+        authConfig: buildAuthConfig(config3.data),
         callbacks: {
           onTextDelta: (d3) => {
             setThinking(false);
@@ -223044,13 +225480,13 @@ function OperatorDashboard({
     setThinking,
     setIsExecuting
   ]);
-  const handleSubmit = import_react78.useCallback((value) => {
+  const handleSubmit = import_react82.useCallback((value) => {
     if (!value.trim() || status === "running")
       return;
     setInputValue("");
     runAgent(value.trim());
   }, [status, runAgent]);
-  const handleAbort = import_react78.useCallback(() => {
+  const handleAbort = import_react82.useCallback(() => {
     if (abortControllerRef.current) {
       abortControllerRef.current.abort();
       abortControllerRef.current = null;
@@ -223261,7 +225697,8 @@ Session paths:
 }
 
 // src/tui/components/commands/theme-picker.tsx
-var import_react80 = __toESM(require_react(), 1);
+var import_react84 = __toESM(require_react(), 1);
+init_config2();
 function ThemePicker() {
   const dimensions = useTerminalDimensions();
   const route = useRoute();
@@ -223274,15 +225711,15 @@ function ThemePicker() {
     toggleMode,
     setMode
   } = useTheme();
-  const [selectedIndex, setSelectedIndex] = import_react80.useState(() => Math.max(0, availableThemes.indexOf(theme.name)));
-  const originalThemeRef = import_react80.useRef(theme.name);
-  const originalModeRef = import_react80.useRef(mode);
-  const handleClose = import_react80.useCallback(() => {
+  const [selectedIndex, setSelectedIndex] = import_react84.useState(() => Math.max(0, availableThemes.indexOf(theme.name)));
+  const originalThemeRef = import_react84.useRef(theme.name);
+  const originalModeRef = import_react84.useRef(mode);
+  const handleClose = import_react84.useCallback(() => {
     setTheme(originalThemeRef.current);
     setMode(originalModeRef.current);
     route.navigate({ type: "base", path: "home" });
   }, [setTheme, setMode, route]);
-  const handleConfirm = import_react80.useCallback(async () => {
+  const handleConfirm = import_react84.useCallback(async () => {
     const currentThemeName = availableThemes[selectedIndex];
     if (currentThemeName) {
       await config.update({ theme: currentThemeName });
@@ -225810,13 +228247,13 @@ async function detectTerminalMode(timeoutMs = 1000) {
 
 // src/tui/index.tsx
 function App({ appConfig }) {
-  const [focusIndex, setFocusIndex] = import_react83.useState(0);
-  const [cwd, setCwd] = import_react83.useState(process.cwd());
-  const [ctrlCPressTime, setCtrlCPressTime] = import_react83.useState(null);
-  const [showExitWarning, setShowExitWarning] = import_react83.useState(false);
-  const [inputKey, setInputKey] = import_react83.useState(0);
-  const [showSessionsDialog, setShowSessionsDialog] = import_react83.useState(false);
-  const [showShortcutsDialog, setShowShortcutsDialog] = import_react83.useState(false);
+  const [focusIndex, setFocusIndex] = import_react87.useState(0);
+  const [cwd, setCwd] = import_react87.useState(process.cwd());
+  const [ctrlCPressTime, setCtrlCPressTime] = import_react87.useState(null);
+  const [showExitWarning, setShowExitWarning] = import_react87.useState(false);
+  const [inputKey, setInputKey] = import_react87.useState(0);
+  const [showSessionsDialog, setShowSessionsDialog] = import_react87.useState(false);
+  const [showShortcutsDialog, setShowShortcutsDialog] = import_react87.useState(false);
   const navigableItems = ["command-input"];
   return /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV(ConfigProvider, {
     config: appConfig,
@@ -225880,14 +228317,14 @@ function AppContent({
   const { toast } = useToast();
   const { refocusPrompt } = useFocus();
   const { setExternalDialogOpen } = useDialog();
-  import_react83.useEffect(() => {
+  import_react87.useEffect(() => {
     checkForUpdate().then(({ updateAvailable, currentVersion, latestVersion }) => {
       if (!updateAvailable)
         return;
       toast(`Update available: v${currentVersion} → v${latestVersion}. Run: pensar upgrade`, "warn", 8000);
     });
   }, []);
-  import_react83.useEffect(() => {
+  import_react87.useEffect(() => {
     if (route.data.type !== "base")
       return;
     if (!config3.data.responsibleUseAccepted && route.data.path !== "disclosure") {
@@ -225896,7 +228333,7 @@ function AppContent({
       route.navigate({ type: "base", path: "providers" });
     }
   }, [config3.data.responsibleUseAccepted, route.data]);
-  import_react83.useEffect(() => {
+  import_react87.useEffect(() => {
     if (showExitWarning) {
       const timer = setTimeout(() => {
         setShowExitWarning(false);
@@ -226042,6 +228479,14 @@ function CommandDisplay({
           /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV(RouteSwitch.Case, {
             when: "models",
             children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV(ModelsDisplay, {}, undefined, false, undefined, this)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV(RouteSwitch.Case, {
+            when: "auth",
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV(AuthFlow, {}, undefined, false, undefined, this)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV(RouteSwitch.Case, {
+            when: "credits",
+            children: /* @__PURE__ */ import_jsx_dev_runtime2.jsxDEV(CreditsFlow, {}, undefined, false, undefined, this)
           }, undefined, false, undefined, this)
         ]
       }, undefined, true, undefined, this)