npm - @pensar/apex - Versions diffs - 0.0.88-canary.2b93505f → 0.0.88 - Mend

@pensar/apex 0.0.88-canary.2b93505f → 0.0.88

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/build/index.js +402 -174
package/package.json +1 -1

package/build/index.js CHANGED Viewed

@@ -31971,7 +31971,7 @@ var package_default2;
 var init_package = __esm(() => {
   package_default2 = {
     name: "@pensar/apex",
-    version: "0.0.88-canary.2b93505f",
+    version: "0.0.88",
     description: "AI-powered penetration testing CLI tool with terminal UI",
     module: "src/tui/index.tsx",
     main: "build/index.js",
@@ -88478,6 +88478,7 @@ Summary: ${summary}
 Original task: Please respond based on this summary.` : `${opts.prompt}
 The previous agent has summarized the conversation to pass to you to continue the task. Here is the summary: ${summary}`;
+  opts.onSummarized?.(summary);
   const resumed = streamResponse({
     ...opts,
     prompt: enhancedPrompt,
@@ -89152,6 +89153,20 @@ function hasOperatorState(session) {
   const statePath = path5.join(session.rootPath, "messages.json");
   return existsSync3(statePath);
 }
+function getResumeMessages(messages, limit = MAX_RESUME_MESSAGES) {
+  if (messages.length <= limit)
+    return messages;
+  let cutIndex = messages.length - limit;
+  while (cutIndex < messages.length) {
+    if (messages[cutIndex].role === "user")
+      break;
+    cutIndex++;
+  }
+  if (cutIndex >= messages.length) {
+    cutIndex = messages.length - limit;
+  }
+  return messages.slice(cutIndex);
+}
 async function updateOperatorSettings(sessionId, settings) {
   return await update3(sessionId, (session) => {
     if (!session.config) {
@@ -89224,7 +89239,7 @@ var DEFAULT_OUTCOME_GUIDANCE, EXFIL_OUTCOME_GUIDANCE, DEFAULT_OFFENSIVE_HEADERS,
     input.messageId
   ]);
   return input.messageId;
-}, sessions;
+}, MAX_RESUME_MESSAGES = 200, sessions;
 var init_session = __esm(() => {
   init_zod();
   init_id();
@@ -89356,6 +89371,7 @@ var init_session = __esm(() => {
     removeMessage,
     loadOperatorState,
     hasOperatorState,
+    getResumeMessages,
     updateOperatorSettings,
     updateToolsetState,
     toggleTool: toggleTool2
@@ -106964,6 +106980,34 @@ var init_executeCommand = __esm(() => {
 });
 // src/core/agents/offSecAgent/tools/httpRequest.ts
+import { join as join10 } from "path";
+import { writeFileSync as writeFileSync6, mkdirSync as mkdirSync6, existsSync as existsSync14 } from "fs";
+function maybeSaveBody(body, ctx4) {
+  if (body.length <= MAX_INLINE_BODY)
+    return { text: body };
+  const outputDir = join10(ctx4.session.logsPath, "http-responses");
+  if (!existsSync14(outputDir)) {
+    mkdirSync6(outputDir, { recursive: true });
+  }
+  const ts = new Date().toISOString().replace(/[:.]/g, "-");
+  const filename = `response-${ts}.txt`;
+  const filePath = join10(outputDir, filename);
+  try {
+    writeFileSync6(filePath, body);
+  } catch {
+    return {
+      text: `${body.substring(0, MAX_INLINE_BODY)}...
+(truncated — failed to save full response to file)`
+    };
+  }
+  return {
+    text: `${body.substring(0, MAX_INLINE_BODY)}...
+(truncated — full response saved to ${filePath}). Use read_file or grep to analyze.`,
+    file: filePath
+  };
+}
 function parseHeaders(raw) {
   if (!raw)
     return {};
@@ -107052,14 +107096,13 @@ COMMON TESTING PATTERNS:
         } catch {
           responseBody = "(unable to read response body)";
         }
+        const { text: truncatedBody } = maybeSaveBody(responseBody, ctx4);
         return {
           success: true,
           status: response.status,
           statusText: response.statusText,
           headers: responseHeaders,
-          body: responseBody.length > 5000 ? `${responseBody.substring(0, 5000)}...
-(truncated) use execute_command with grep / tail to paginate the response` : responseBody,
+          body: truncatedBody,
           url: response.url,
           redirected: response.redirected
         };
@@ -107134,14 +107177,13 @@ async function executeSandboxHttpRequest(ctx4, opts) {
     const statusText = statusMatch ? statusMatch[2] : "Unknown";
     const responseBody = lines.slice(bodyStartIndex).join(`
 `);
+    const { text: truncatedBody } = maybeSaveBody(responseBody, ctx4);
     return {
       success: status >= 200 && status < 400,
       status,
       statusText,
       headers: responseHeaders,
-      body: responseBody.length > 5000 ? `${responseBody.substring(0, 5000)}...
-(truncated) use execute_command with grep / tail to paginate the response` : responseBody,
+      body: truncatedBody,
       url: url2,
       redirected: false
     };
@@ -107159,7 +107201,7 @@ async function executeSandboxHttpRequest(ctx4, opts) {
     };
   }
 }
-var httpRequestInputSchema;
+var MAX_INLINE_BODY = 5000, httpRequestInputSchema;
 var init_httpRequest = __esm(() => {
   init_dist5();
   init_zod();
@@ -108030,8 +108072,8 @@ var init_cvssScorer = __esm(() => {
 });
 // src/core/agents/offSecAgent/tools/documentFinding.ts
-import { join as join10 } from "path";
-import { writeFileSync as writeFileSync6, appendFileSync as appendFileSync2 } from "fs";
+import { join as join11 } from "path";
+import { writeFileSync as writeFileSync7, appendFileSync as appendFileSync2 } from "fs";
 function documentVulnerability(ctx4) {
   const { session } = ctx4;
   return tool({
@@ -108060,8 +108102,8 @@ FINDING STRUCTURE:
         if (input.evidence.length > EVIDENCE_FILE_THRESHOLD) {
           const safeSlug = input.title.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "").substring(0, 40);
           const evidenceFilename = `${timestamp.split("T")[0]}-${safeSlug}-evidence.txt`;
-          evidenceFilePath = join10(session.findingsPath, evidenceFilename);
-          writeFileSync6(evidenceFilePath, input.evidence);
+          evidenceFilePath = join11(session.findingsPath, evidenceFilename);
+          writeFileSync7(evidenceFilePath, input.evidence);
           evidenceForPrompt = input.evidence.substring(0, EVIDENCE_FILE_THRESHOLD) + `
 ... [truncated — full output saved to ${evidenceFilename}]`;
         }
@@ -108120,11 +108162,11 @@ FINDING STRUCTURE:
         const safeTitle = finding.title.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "").substring(0, 50);
         const findingId = `${timestamp.split("T")[0]}-${safeTitle}`;
         const jsonFilename = `${findingId}.json`;
-        const jsonPath = join10(session.findingsPath, jsonFilename);
+        const jsonPath = join11(session.findingsPath, jsonFilename);
         const mdFilename = `${findingId}.md`;
-        const mdPath = join10(session.findingsPath, mdFilename);
+        const mdPath = join11(session.findingsPath, mdFilename);
         try {
-          writeFileSync6(jsonPath, JSON.stringify(findingWithMeta, null, 2));
+          writeFileSync7(jsonPath, JSON.stringify(findingWithMeta, null, 2));
           const cvssSection = cvssWarning ? `## CVSS 4.0 Assessment
 **Warning:** ${cvssWarning}
@@ -108186,8 +108228,8 @@ ${finding.references}` : ""}
 *This finding was automatically documented by the Pensar penetration testing agent.*
 `;
-          writeFileSync6(mdPath, markdown);
-          const summaryPath = join10(session.rootPath, "findings-summary.md");
+          writeFileSync7(mdPath, markdown);
+          const summaryPath = join11(session.rootPath, "findings-summary.md");
           const summaryEntry = `- [${finding.severity}] (CVSS ${cvssResult.score}) ${finding.title} - \`findings/${mdFilename}\`
 `;
           try {
@@ -108201,7 +108243,7 @@ ${finding.references}` : ""}
 ## All Findings
 `;
-            writeFileSync6(summaryPath, header + summaryEntry);
+            writeFileSync7(summaryPath, header + summaryEntry);
           }
         } catch (writeError) {
           if (ctx4.findingsRegistry) {
@@ -108267,14 +108309,14 @@ var init_documentFinding = __esm(() => {
 });
 // src/core/agents/offSecAgent/tools/createPoc.ts
-import { join as join11 } from "path";
+import { join as join12 } from "path";
 import { spawn as spawn2 } from "child_process";
 import {
-  existsSync as existsSync14,
-  writeFileSync as writeFileSync7,
+  existsSync as existsSync15,
+  writeFileSync as writeFileSync8,
   chmodSync,
   unlinkSync,
-  mkdirSync as mkdirSync6
+  mkdirSync as mkdirSync7
 } from "fs";
 function sanitizeFilename(str) {
   return str.toLowerCase().replace(/[^a-z0-9_-]/g, "_").replace(/_+/g, "_").replace(/^_|_$/g, "").substring(0, 50);
@@ -108323,12 +108365,12 @@ Max ${MAX_POC_ATTEMPTS} attempts per approach before pivoting.`,
 async function executeLocalPoc(ctx4, poc, currentAttempts) {
   try {
     const pocsPath = ctx4.session.pocsPath;
-    if (!existsSync14(pocsPath)) {
-      mkdirSync6(pocsPath, { recursive: true });
+    if (!existsSync15(pocsPath)) {
+      mkdirSync7(pocsPath, { recursive: true });
     }
     const { filename, pocContent } = preparePoc(poc, currentAttempts);
-    const pocPath = join11(pocsPath, filename);
-    writeFileSync7(pocPath, pocContent);
+    const pocPath = join12(pocsPath, filename);
+    writeFileSync8(pocPath, pocContent);
     chmodSync(pocPath, 493);
     const runner = poc.pocType === "bash" ? "bash" : poc.pocType === "python" ? "python3" : "node";
     const { stdout, stderr, exitCode } = await runScript(runner, pocPath, 60000, ctx4.abortSignal);
@@ -108359,18 +108401,18 @@ async function executeSandboxPoc(ctx4, poc, currentAttempts) {
   try {
     const { filename, pocContent } = preparePoc(poc, currentAttempts);
     const localPocsPath = ctx4.session.pocsPath;
-    if (!existsSync14(localPocsPath)) {
-      mkdirSync6(localPocsPath, { recursive: true });
+    if (!existsSync15(localPocsPath)) {
+      mkdirSync7(localPocsPath, { recursive: true });
     }
-    const localPocPath = join11(localPocsPath, filename);
-    if (existsSync14(localPocPath)) {
+    const localPocPath = join12(localPocsPath, filename);
+    if (existsSync15(localPocPath)) {
       return {
         success: false,
         error: `POC already exists at: pocs/${filename}`,
         attemptsRemaining: MAX_POC_ATTEMPTS - currentAttempts
       };
     }
-    writeFileSync7(localPocPath, pocContent);
+    writeFileSync8(localPocPath, pocContent);
     const sandboxPocPath = `/tmp/pocs/${filename}`;
     await ctx4.sandbox.execute("mkdir -p /tmp/pocs");
     const base64Content = Buffer.from(pocContent).toString("base64");
@@ -108568,7 +108610,7 @@ var init_readFile = __esm(() => {
 // src/core/agents/offSecAgent/tools/listFiles.ts
 import { readdir as readdir2, stat } from "fs/promises";
-import { join as join12, relative, resolve as resolve7, isAbsolute as isAbsolute3 } from "path";
+import { join as join13, relative, resolve as resolve7, isAbsolute as isAbsolute3 } from "path";
 async function listRecursive(dir, maxEntries) {
   const results = [];
   let total = 0;
@@ -108581,7 +108623,7 @@ async function listRecursive(dir, maxEntries) {
     }
     for (const entry of entries2) {
       total++;
-      const fullPath = join12(current, entry.name);
+      const fullPath = join13(current, entry.name);
       if (entry.isDirectory()) {
         if (results.length < maxEntries)
           results.push(`${fullPath}/`);
@@ -108644,7 +108686,7 @@ Each directory entry is suffixed with "/" for easy identification.`,
         }
         const entries2 = await readdir2(dir, { withFileTypes: true });
         const fullPaths = entries2.map((e) => {
-          const name26 = join12(dir, e.name);
+          const name26 = join13(dir, e.name);
           return e.isDirectory() ? `${name26}/` : name26;
         });
         const capped = fullPaths.slice(0, MAX_NON_RECURSIVE);
@@ -108790,7 +108832,7 @@ var init_grep = __esm(() => {
 // src/core/agents/offSecAgent/tools/createFile.ts
 import { writeFile, mkdir } from "fs/promises";
 import { dirname as dirname4, resolve as resolve8, isAbsolute as isAbsolute4 } from "path";
-import { existsSync as existsSync15 } from "fs";
+import { existsSync as existsSync16 } from "fs";
 function createFile(ctx4) {
   return tool({
     description: `Create a new file with the given content.
@@ -108815,7 +108857,7 @@ Parent directories are created automatically if they don't exist.`,
 }
 async function executeLocalCreate(filePath, content, overwrite) {
   try {
-    if (!overwrite && existsSync15(filePath)) {
+    if (!overwrite && existsSync16(filePath)) {
       return {
         success: false,
         error: `File already exists: ${filePath}. Set overwrite=true to replace it.`,
@@ -109025,11 +109067,173 @@ var init_updateFile = __esm(() => {
   });
 });
+// src/core/agents/specialized/attackSurface/blackboxRiskScoring.ts
+function computeBlackboxRiskScore(riskLevel, assetType, details, notes) {
+  const exposure = computeExposure(riskLevel, details);
+  const dataSensitivity = computeDataSensitivity(riskLevel, assetType, details);
+  const functionCriticality = computeFunctionCriticality(riskLevel, assetType, details, notes);
+  const securityIndicators = computeSecurityIndicators(riskLevel, details, notes);
+  const rawSum = exposure + dataSensitivity + functionCriticality + securityIndicators;
+  const score = Math.min(10, Math.max(0, rawSum));
+  const baseScore = RISK_LEVEL_BASE_SCORE[riskLevel] ?? 0;
+  const explanation = buildExplanation(riskLevel, assetType, baseScore, score, {
+    exposure,
+    dataSensitivity,
+    functionCriticality,
+    securityIndicators
+  });
+  return {
+    score,
+    explanation,
+    breakdown: {
+      exposure,
+      dataSensitivity,
+      functionCriticality,
+      securityIndicators
+    }
+  };
+}
+function computeExposure(riskLevel, details) {
+  let base = EXPOSURE_BY_RISK[riskLevel] ?? 1;
+  if (details?.authentication) {
+    const authLower = details.authentication.toLowerCase();
+    if (authLower.includes("none") || authLower.includes("no auth") || authLower.includes("public")) {
+      base = Math.max(base, 3);
+    } else if (authLower.includes("admin") || authLower.includes("privileged")) {
+      base = Math.min(base, 1);
+    }
+  }
+  return Math.min(3, Math.max(0, base));
+}
+function computeDataSensitivity(riskLevel, assetType, details) {
+  if (riskLevel === "CRITICAL")
+    return 3;
+  let score = riskLevel === "HIGH" ? 2 : riskLevel === "MEDIUM" ? 1 : 0;
+  if (assetType === "admin_panel")
+    score = Math.max(score, 2);
+  const techStr = (details?.technology ?? []).join(" ").toLowerCase();
+  if (techStr.includes("database") || techStr.includes("postgres") || techStr.includes("mysql") || techStr.includes("mongo") || techStr.includes("redis")) {
+    score = Math.max(score, 2);
+  }
+  return Math.min(3, score);
+}
+function computeFunctionCriticality(riskLevel, assetType, details, notes) {
+  if (assetType === "admin_panel")
+    return 2;
+  if (riskLevel === "CRITICAL")
+    return 2;
+  const searchText = [
+    ...details?.services ?? [],
+    ...details?.technology ?? [],
+    details?.authentication ?? "",
+    notes ?? ""
+  ].join(" ").toLowerCase();
+  const criticalPatterns = [
+    "auth",
+    "login",
+    "payment",
+    "checkout",
+    "password",
+    "oauth",
+    "sso",
+    "saml",
+    "admin",
+    "transfer",
+    "billing"
+  ];
+  if (criticalPatterns.some((p) => searchText.includes(p)))
+    return 2;
+  if (riskLevel === "HIGH")
+    return 1;
+  if (assetType === "api" || assetType === "web_application")
+    return 1;
+  return 0;
+}
+function computeSecurityIndicators(riskLevel, details, notes) {
+  if (riskLevel === "CRITICAL")
+    return 2;
+  const searchText = [
+    ...details?.services ?? [],
+    ...details?.technology ?? [],
+    notes ?? "",
+    String(details?.status ?? "")
+  ].join(" ").toLowerCase();
+  const criticalIndicators = [
+    "injection",
+    "sqli",
+    "xss",
+    "rce",
+    "traversal",
+    "deserialization",
+    "hardcoded",
+    "default credentials",
+    "vulnerable",
+    "cve-",
+    "exploit"
+  ];
+  if (criticalIndicators.some((p) => searchText.includes(p)))
+    return 2;
+  const moderateIndicators = [
+    "outdated",
+    "deprecated",
+    "insecure",
+    "http:",
+    "self-signed",
+    "debug",
+    "verbose error",
+    "stack trace",
+    "cors",
+    "misconfigur"
+  ];
+  if (moderateIndicators.some((p) => searchText.includes(p)))
+    return 1;
+  if (riskLevel === "HIGH")
+    return 1;
+  return 0;
+}
+function buildExplanation(riskLevel, assetType, _baseScore, totalScore, breakdown) {
+  const parts = [
+    `${riskLevel} risk ${assetType.replace(/_/g, " ")} (score ${totalScore}/10).`
+  ];
+  if (breakdown.exposure >= 3)
+    parts.push("Publicly exposed.");
+  else if (breakdown.exposure >= 2)
+    parts.push("Externally accessible.");
+  if (breakdown.dataSensitivity >= 3)
+    parts.push("Likely handles sensitive data.");
+  else if (breakdown.dataSensitivity >= 2)
+    parts.push("May handle business-critical data.");
+  if (breakdown.functionCriticality >= 2)
+    parts.push("Critical function.");
+  else if (breakdown.functionCriticality >= 1)
+    parts.push("Core function.");
+  if (breakdown.securityIndicators >= 2)
+    parts.push("Security concerns observed.");
+  else if (breakdown.securityIndicators >= 1)
+    parts.push("Moderate security concerns.");
+  return parts.join(" ");
+}
+var RISK_LEVEL_BASE_SCORE, EXPOSURE_BY_RISK;
+var init_blackboxRiskScoring = __esm(() => {
+  RISK_LEVEL_BASE_SCORE = {
+    CRITICAL: 10,
+    HIGH: 8,
+    MEDIUM: 5,
+    LOW: 2
+  };
+  EXPOSURE_BY_RISK = {
+    CRITICAL: 3,
+    HIGH: 3,
+    MEDIUM: 2,
+    LOW: 1
+  };
+});
 // src/core/agents/offSecAgent/tools/documentAsset.ts
-import { join as join13 } from "path";
-import { writeFileSync as writeFileSync8, mkdirSync as mkdirSync7, existsSync as existsSync16 } from "fs";
+import { join as join14 } from "path";
+import { writeFileSync as writeFileSync9, mkdirSync as mkdirSync8, existsSync as existsSync17 } from "fs";
 function documentAsset(ctx4) {
-  const assetsPath = join13(ctx4.session.rootPath, "assets");
+  const assetsPath = join14(ctx4.session.rootPath, "assets");
   return tool({
     description: `Document a discovered asset during attack surface analysis.
@@ -109107,21 +109311,23 @@ Each asset creates a JSON file in the assets directory for tracking and analysis
           };
         }
       }
-      if (!existsSync16(assetsPath)) {
-        mkdirSync7(assetsPath, { recursive: true });
+      if (!existsSync17(assetsPath)) {
+        mkdirSync8(assetsPath, { recursive: true });
       }
       const sanitizedName = asset.assetName.toLowerCase().replace(/[^a-z0-9-_.]/g, "_");
       const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
       const filename = `asset_${sanitizedName}_${timestamp}.json`;
-      const filepath = join13(assetsPath, filename);
+      const filepath = join14(assetsPath, filename);
+      const riskScore = computeBlackboxRiskScore(asset.riskLevel, asset.assetType, asset.details, asset.notes);
       const assetRecord = {
         ...asset,
         discoveredAt: new Date().toISOString(),
         sessionId: ctx4.session.id,
-        target: ctx4.session.targets[0]
+        target: ctx4.session.targets[0],
+        riskScore
       };
       try {
-        writeFileSync8(filepath, JSON.stringify(assetRecord, null, 2));
+        writeFileSync9(filepath, JSON.stringify(assetRecord, null, 2));
       } catch (writeError) {
         if (ctx4.attackSurfaceRegistry) {
           await ctx4.attackSurfaceRegistry.unregister(asset);
@@ -109142,11 +109348,12 @@ Each asset creates a JSON file in the assets directory for tracking and analysis
 var init_documentAsset = __esm(() => {
   init_dist5();
   init_zod();
+  init_blackboxRiskScoring();
 });
 // src/core/agents/offSecAgent/tools/authenticateSession.ts
-import { join as join14 } from "path";
-import { writeFileSync as writeFileSync9 } from "fs";
+import { join as join15 } from "path";
+import { writeFileSync as writeFileSync10 } from "fs";
 function authenticateSession(ctx4) {
   return tool({
     description: `Authenticate with credentials and obtain a session cookie for subsequent authenticated requests.
@@ -109234,7 +109441,7 @@ or provide username/password directly.`,
         const sessionCookies = Array.isArray(setCookieHeader) ? setCookieHeader : [setCookieHeader];
         const cookieString = sessionCookies.join("; ");
         const authenticated = result.status >= 200 && result.status < 400 && cookieString.length > 0;
-        const sessionInfoPath = join14(ctx4.session.rootPath, "session-info.json");
+        const sessionInfoPath = join15(ctx4.session.rootPath, "session-info.json");
         const sessionInfo = {
           authenticated,
           username,
@@ -109242,7 +109449,7 @@ or provide username/password directly.`,
           loginUrl,
           timestamp: new Date().toISOString()
         };
-        writeFileSync9(sessionInfoPath, JSON.stringify(sessionInfo, null, 2));
+        writeFileSync10(sessionInfoPath, JSON.stringify(sessionInfo, null, 2));
         return {
           success: authenticated,
           authenticated,
@@ -109407,10 +109614,10 @@ If you encounter rate-limiting errors (e.g. "Rate limit exceeded", HTTP 429, "to
 `;
 // src/core/agents/specialized/authenticationAgent/agent.ts
-import { existsSync as existsSync17, readFileSync as readFileSync7 } from "fs";
-import { join as join15 } from "path";
+import { existsSync as existsSync18, readFileSync as readFileSync7 } from "fs";
+import { join as join16 } from "path";
 function loadAuthResult(authDataPath) {
-  if (!existsSync17(authDataPath)) {
+  if (!existsSync18(authDataPath)) {
     return {
       success: false,
       summary: "Authentication completed but no auth-data.json was written.",
@@ -109547,7 +109754,7 @@ var init_agent = __esm(() => {
         ],
         stopWhen: hasToolCall("complete_authentication"),
         resolveResult: () => {
-          const authDataPath = join15(session.rootPath, "auth", "auth-data.json");
+          const authDataPath = join16(session.rootPath, "auth", "auth-data.json");
           return loadAuthResult(authDataPath);
         }
       });
@@ -109567,8 +109774,8 @@ var init_authentication = __esm(() => {
 });
 // src/core/agents/offSecAgent/tools/delegateAuth.ts
-import { join as join16 } from "path";
-import { writeFileSync as writeFileSync10 } from "fs";
+import { join as join17 } from "path";
+import { writeFileSync as writeFileSync11 } from "fs";
 function mergeAuthCredentials(sessionCreds, explicit) {
   const hasExplicit = explicit.username || explicit.password || explicit.apiKey || explicit.tokens;
   const hasSession = sessionCreds && (sessionCreds.username || sessionCreds.password || sessionCreds.apiKey || sessionCreds.tokens);
@@ -109766,7 +109973,7 @@ When to use delegate_to_auth_subagent vs authenticate_session:
           status: result.success ? "completed" : "failed"
         });
         if (result.success) {
-          const sessionInfoPath = join16(ctx4.session.rootPath, "session-info.json");
+          const sessionInfoPath = join17(ctx4.session.rootPath, "session-info.json");
           const sessionInfo = {
             authenticated: true,
             username: username || "via_subagent",
@@ -109776,7 +109983,7 @@ When to use delegate_to_auth_subagent vs authenticate_session:
             timestamp: new Date().toISOString(),
             delegatedToSubagent: true
           };
-          writeFileSync10(sessionInfoPath, JSON.stringify(sessionInfo, null, 2));
+          writeFileSync11(sessionInfoPath, JSON.stringify(sessionInfo, null, 2));
         }
         const hasHeaders = result.exportedHeaders && Object.keys(result.exportedHeaders).length > 0;
         const hasCookies = result.exportedCookies && result.exportedCookies.length > 0;
@@ -110186,8 +110393,8 @@ var init_validateDiscovery = __esm(() => {
 });
 // src/core/agents/offSecAgent/tools/createAttackSurfaceReport.ts
-import { join as join17 } from "path";
-import { writeFileSync as writeFileSync11 } from "fs";
+import { join as join18 } from "path";
+import { writeFileSync as writeFileSync12 } from "fs";
 function createAttackSurfaceReport(ctx4) {
   return tool({
     description: `Provide attack surface analysis results to the orchestrator agent.
@@ -110213,8 +110420,8 @@ Call this at the END of your analysis with:
       toolCallDescription: exports_external.string().describe("A concise, human-readable description of what this tool call is doing")
     }),
     execute: async (results) => {
-      const resultsPath = join17(ctx4.session.rootPath, "attack-surface-results.json");
-      writeFileSync11(resultsPath, JSON.stringify(results, null, 2));
+      const resultsPath = join18(ctx4.session.rootPath, "attack-surface-results.json");
+      writeFileSync12(resultsPath, JSON.stringify(results, null, 2));
       return {
         success: true,
         resultsPath,
@@ -110230,8 +110437,8 @@ var init_createAttackSurfaceReport = __esm(() => {
 });
 // src/core/agents/offSecAgent/tools/completeAuthentication.ts
-import { join as join18 } from "path";
-import { existsSync as existsSync18, mkdirSync as mkdirSync8, writeFileSync as writeFileSync12 } from "fs";
+import { join as join19 } from "path";
+import { existsSync as existsSync19, mkdirSync as mkdirSync9, writeFileSync as writeFileSync13 } from "fs";
 function completeAuthentication(ctx4) {
   return tool({
     description: `Signal that the authentication process is complete.
@@ -110273,11 +110480,11 @@ This tool marks the end of the authentication flow.`,
       let authDataPath;
       if (result.success && (result.exportedCookies || result.exportedHeaders)) {
         try {
-          const authDir = join18(ctx4.session.rootPath, AUTH_DIR);
-          if (!existsSync18(authDir)) {
-            mkdirSync8(authDir, { recursive: true });
+          const authDir = join19(ctx4.session.rootPath, AUTH_DIR);
+          if (!existsSync19(authDir)) {
+            mkdirSync9(authDir, { recursive: true });
           }
-          authDataPath = join18(authDir, AUTH_DATA_FILENAME);
+          authDataPath = join19(authDir, AUTH_DATA_FILENAME);
           const authData = {
             authenticated: true,
             strategy: result.strategy || "unknown",
@@ -110287,7 +110494,7 @@ This tool marks the end of the authentication flow.`,
             target: ctx4.target || "",
             timestamp: new Date().toISOString()
           };
-          writeFileSync12(authDataPath, JSON.stringify(authData, null, 2));
+          writeFileSync13(authDataPath, JSON.stringify(authData, null, 2));
           console.log(`Auth data persisted to ${authDataPath}`);
         } catch (err) {
           console.error(`Failed to persist auth data: ${err}`);
@@ -111035,8 +111242,8 @@ var init_runAttackSurface = __esm(() => {
 });
 // src/core/findings/registry.ts
-import { existsSync as existsSync19, readdirSync as readdirSync3, readFileSync as readFileSync8 } from "fs";
-import { join as join19 } from "path";
+import { existsSync as existsSync20, readdirSync as readdirSync3, readFileSync as readFileSync8 } from "fs";
+import { join as join20 } from "path";
 function extractVulnClass(title) {
   const t2 = title.trim();
   for (const [pattern, cls] of VULN_CLASS_PATTERNS) {
@@ -111108,12 +111315,12 @@ class FindingsRegistry {
   }
   static fromDirectory(findingsPath, opts) {
     const registry2 = new FindingsRegistry(opts);
-    if (!existsSync19(findingsPath))
+    if (!existsSync20(findingsPath))
       return registry2;
     const files = readdirSync3(findingsPath).filter((f) => f.endsWith(".json"));
     for (const file2 of files) {
       try {
-        const raw = readFileSync8(join19(findingsPath, file2), "utf-8");
+        const raw = readFileSync8(join20(findingsPath, file2), "utf-8");
         const finding = JSON.parse(raw);
         if (finding && typeof finding.title === "string" && typeof finding.endpoint === "string") {
           registry2.indexFinding(finding);
@@ -111599,8 +111806,8 @@ var init_spawnCodingAgent = __esm(() => {
 });
 // src/core/agents/offSecAgent/tools/provideComparisonResults.ts
-import { join as join20 } from "path";
-import { writeFileSync as writeFileSync13 } from "fs";
+import { join as join21 } from "path";
+import { writeFileSync as writeFileSync14 } from "fs";
 function provideComparisonResults(ctx4) {
   return tool({
     description: `Provide the final comparison results with matched, missed, and extra findings.
@@ -111646,8 +111853,8 @@ Results will be saved to: comparison-results.json in the session directory.`,
         recall,
         precision
       };
-      const resultsPath = join20(ctx4.session.rootPath, "comparison-results.json");
-      writeFileSync13(resultsPath, JSON.stringify(result, null, 2));
+      const resultsPath = join21(ctx4.session.rootPath, "comparison-results.json");
+      writeFileSync14(resultsPath, JSON.stringify(result, null, 2));
       return {
         success: true,
         resultsPath,
@@ -140946,8 +141153,8 @@ var require_core5 = __commonJS((exports) => {
   function many1(p) {
     return ab(p, many(p), (head, tail) => [head, ...tail]);
   }
-  function ab(pa, pb, join21) {
-    return (data, i) => mapOuter(pa(data, i), (ma) => mapInner(pb(data, ma.position), (vb, j2) => join21(ma.value, vb, data, i, j2)));
+  function ab(pa, pb, join22) {
+    return (data, i) => mapOuter(pa(data, i), (ma) => mapInner(pb(data, ma.position), (vb, j2) => join22(ma.value, vb, data, i, j2)));
   }
   function left(pa, pb) {
     return ab(pa, pb, (va) => va);
@@ -140955,8 +141162,8 @@ var require_core5 = __commonJS((exports) => {
   function right(pa, pb) {
     return ab(pa, pb, (va, vb) => vb);
   }
-  function abc(pa, pb, pc, join21) {
-    return (data, i) => mapOuter(pa(data, i), (ma) => mapOuter(pb(data, ma.position), (mb) => mapInner(pc(data, mb.position), (vc, j2) => join21(ma.value, mb.value, vc, data, i, j2))));
+  function abc(pa, pb, pc, join22) {
+    return (data, i) => mapOuter(pa(data, i), (ma) => mapOuter(pb(data, ma.position), (mb) => mapInner(pc(data, mb.position), (vc, j2) => join22(ma.value, mb.value, vc, data, i, j2))));
   }
   function middle(pa, pb, pc) {
     return abc(pa, pb, pc, (ra, rb) => rb);
@@ -176793,7 +177000,7 @@ var require_thread_stream = __commonJS((exports, module2) => {
   var { version: version2 } = require_package5();
   var { EventEmitter: EventEmitter11 } = __require("events");
   var { Worker: Worker2 } = __require("worker_threads");
-  var { join: join21 } = __require("path");
+  var { join: join22 } = __require("path");
   var { pathToFileURL } = __require("url");
   var { wait } = require_wait();
   var {
@@ -176829,7 +177036,7 @@ var require_thread_stream = __commonJS((exports, module2) => {
   function createWorker(stream, opts) {
     const { filename, workerData } = opts;
     const bundlerOverrides = "__bundlerPathsOverrides" in globalThis ? globalThis.__bundlerPathsOverrides : {};
-    const toExecute = bundlerOverrides["thread-stream-worker"] || join21(__dirname, "lib", "worker.js");
+    const toExecute = bundlerOverrides["thread-stream-worker"] || join22(__dirname, "lib", "worker.js");
     const worker = new Worker2(toExecute, {
       ...opts.workerOpts,
       trackUnmanagedFds: false,
@@ -177218,7 +177425,7 @@ var require_transport = __commonJS((exports, module2) => {
   var { createRequire: createRequire3 } = __require("module");
   var { existsSync: existsSync4 } = __require("node:fs");
   var getCallers = require_caller();
-  var { join: join21, isAbsolute: isAbsolute6, sep } = __require("node:path");
+  var { join: join22, isAbsolute: isAbsolute6, sep } = __require("node:path");
   var { fileURLToPath: fileURLToPath2 } = __require("node:url");
   var sleep2 = require_atomic_sleep();
   var onExit = require_on_exit_leak_free();
@@ -177371,7 +177578,7 @@ var require_transport = __commonJS((exports, module2) => {
       throw new Error("only one of target or targets can be specified");
     }
     if (targets) {
-      target = bundlerOverrides["pino-worker"] || join21(__dirname, "worker.js");
+      target = bundlerOverrides["pino-worker"] || join22(__dirname, "worker.js");
       options.targets = targets.filter((dest) => dest.target).map((dest) => {
         return {
           ...dest,
@@ -177388,7 +177595,7 @@ var require_transport = __commonJS((exports, module2) => {
         });
       });
     } else if (pipeline3) {
-      target = bundlerOverrides["pino-worker"] || join21(__dirname, "worker.js");
+      target = bundlerOverrides["pino-worker"] || join22(__dirname, "worker.js");
       options.pipelines = [pipeline3.map((dest) => {
         return {
           ...dest,
@@ -177411,7 +177618,7 @@ var require_transport = __commonJS((exports, module2) => {
         return origin;
       }
       if (origin === "pino/file") {
-        return join21(__dirname, "..", "file.js");
+        return join22(__dirname, "..", "file.js");
       }
       let fixTarget2;
       for (const filePath of callers) {
@@ -178340,7 +178547,7 @@ var require_safe_stable_stringify = __commonJS((exports, module2) => {
             return circularValue;
           }
           let res = "";
-          let join21 = ",";
+          let join22 = ",";
           const originalIndentation = indentation;
           if (Array.isArray(value)) {
             if (value.length === 0) {
@@ -178354,7 +178561,7 @@ var require_safe_stable_stringify = __commonJS((exports, module2) => {
               indentation += spacer;
               res += `
 ${indentation}`;
-              join21 = `,
+              join22 = `,
 ${indentation}`;
             }
             const maximumValuesToStringify = Math.min(value.length, maximumBreadth);
@@ -178362,13 +178569,13 @@ ${indentation}`;
             for (;i2 < maximumValuesToStringify - 1; i2++) {
               const tmp2 = stringifyFnReplacer(String(i2), value, stack, replacer, spacer, indentation);
               res += tmp2 !== undefined ? tmp2 : "null";
-              res += join21;
+              res += join22;
             }
             const tmp = stringifyFnReplacer(String(i2), value, stack, replacer, spacer, indentation);
             res += tmp !== undefined ? tmp : "null";
             if (value.length - 1 > maximumBreadth) {
               const removedKeys = value.length - maximumBreadth - 1;
-              res += `${join21}"... ${getItemCount(removedKeys)} not stringified"`;
+              res += `${join22}"... ${getItemCount(removedKeys)} not stringified"`;
             }
             if (spacer !== "") {
               res += `
@@ -178389,7 +178596,7 @@ ${originalIndentation}`;
           let separator = "";
           if (spacer !== "") {
             indentation += spacer;
-            join21 = `,
+            join22 = `,
 ${indentation}`;
             whitespace = " ";
           }
@@ -178403,13 +178610,13 @@ ${indentation}`;
             const tmp = stringifyFnReplacer(key2, value, stack, replacer, spacer, indentation);
             if (tmp !== undefined) {
               res += `${separator}${strEscape(key2)}:${whitespace}${tmp}`;
-              separator = join21;
+              separator = join22;
             }
           }
           if (keyLength > maximumBreadth) {
             const removedKeys = keyLength - maximumBreadth;
             res += `${separator}"...":${whitespace}"${getItemCount(removedKeys)} not stringified"`;
-            separator = join21;
+            separator = join22;
           }
           if (spacer !== "" && separator.length > 1) {
             res = `
@@ -178449,7 +178656,7 @@ ${originalIndentation}`;
           }
           const originalIndentation = indentation;
           let res = "";
-          let join21 = ",";
+          let join22 = ",";
           if (Array.isArray(value)) {
             if (value.length === 0) {
               return "[]";
@@ -178462,7 +178669,7 @@ ${originalIndentation}`;
               indentation += spacer;
               res += `
 ${indentation}`;
-              join21 = `,
+              join22 = `,
 ${indentation}`;
             }
             const maximumValuesToStringify = Math.min(value.length, maximumBreadth);
@@ -178470,13 +178677,13 @@ ${indentation}`;
             for (;i2 < maximumValuesToStringify - 1; i2++) {
               const tmp2 = stringifyArrayReplacer(String(i2), value[i2], stack, replacer, spacer, indentation);
               res += tmp2 !== undefined ? tmp2 : "null";
-              res += join21;
+              res += join22;
             }
             const tmp = stringifyArrayReplacer(String(i2), value[i2], stack, replacer, spacer, indentation);
             res += tmp !== undefined ? tmp : "null";
             if (value.length - 1 > maximumBreadth) {
               const removedKeys = value.length - maximumBreadth - 1;
-              res += `${join21}"... ${getItemCount(removedKeys)} not stringified"`;
+              res += `${join22}"... ${getItemCount(removedKeys)} not stringified"`;
             }
             if (spacer !== "") {
               res += `
@@ -178489,7 +178696,7 @@ ${originalIndentation}`;
           let whitespace = "";
           if (spacer !== "") {
             indentation += spacer;
-            join21 = `,
+            join22 = `,
 ${indentation}`;
             whitespace = " ";
           }
@@ -178498,7 +178705,7 @@ ${indentation}`;
             const tmp = stringifyArrayReplacer(key2, value[key2], stack, replacer, spacer, indentation);
             if (tmp !== undefined) {
               res += `${separator}${strEscape(key2)}:${whitespace}${tmp}`;
-              separator = join21;
+              separator = join22;
             }
           }
           if (spacer !== "" && separator.length > 1) {
@@ -178555,20 +178762,20 @@ ${originalIndentation}`;
             indentation += spacer;
             let res2 = `
 ${indentation}`;
-            const join22 = `,
+            const join23 = `,
 ${indentation}`;
             const maximumValuesToStringify = Math.min(value.length, maximumBreadth);
             let i2 = 0;
             for (;i2 < maximumValuesToStringify - 1; i2++) {
               const tmp2 = stringifyIndent(String(i2), value[i2], stack, spacer, indentation);
               res2 += tmp2 !== undefined ? tmp2 : "null";
-              res2 += join22;
+              res2 += join23;
             }
             const tmp = stringifyIndent(String(i2), value[i2], stack, spacer, indentation);
             res2 += tmp !== undefined ? tmp : "null";
             if (value.length - 1 > maximumBreadth) {
               const removedKeys = value.length - maximumBreadth - 1;
-              res2 += `${join22}"... ${getItemCount(removedKeys)} not stringified"`;
+              res2 += `${join23}"... ${getItemCount(removedKeys)} not stringified"`;
             }
             res2 += `
 ${originalIndentation}`;
@@ -178584,16 +178791,16 @@ ${originalIndentation}`;
             return '"[Object]"';
           }
           indentation += spacer;
-          const join21 = `,
+          const join22 = `,
 ${indentation}`;
           let res = "";
           let separator = "";
           let maximumPropertiesToStringify = Math.min(keyLength, maximumBreadth);
           if (isTypedArrayWithEntries(value)) {
-            res += stringifyTypedArray(value, join21, maximumBreadth);
+            res += stringifyTypedArray(value, join22, maximumBreadth);
             keys = keys.slice(value.length);
             maximumPropertiesToStringify -= value.length;
-            separator = join21;
+            separator = join22;
           }
           if (deterministic) {
             keys = sort(keys, comparator);
@@ -178604,13 +178811,13 @@ ${indentation}`;
             const tmp = stringifyIndent(key2, value[key2], stack, spacer, indentation);
             if (tmp !== undefined) {
               res += `${separator}${strEscape(key2)}: ${tmp}`;
-              separator = join21;
+              separator = join22;
             }
           }
           if (keyLength > maximumBreadth) {
             const removedKeys = keyLength - maximumBreadth;
             res += `${separator}"...": "${getItemCount(removedKeys)} not stringified"`;
-            separator = join21;
+            separator = join22;
           }
           if (separator !== "") {
             res = `
@@ -193871,8 +194078,8 @@ var init_operator = __esm(() => {
 });
 // src/core/agents/offSecAgent/offensiveSecurityAgent.ts
-import { join as join21 } from "path";
-import { writeFileSync as writeFileSync14, mkdirSync as mkdirSync9, existsSync as existsSync20 } from "fs";
+import { join as join22 } from "path";
+import { writeFileSync as writeFileSync15, mkdirSync as mkdirSync10, existsSync as existsSync21 } from "fs";
 function wrapToolsWithApprovalGate(tools, gate) {
   const wrapped = {};
   for (const [name26, coreTool] of Object.entries(tools)) {
@@ -193998,16 +194205,18 @@ var init_offensiveSecurityAgent = __esm(() => {
       const emailToolSet = new Set(EMAIL_TOOL_NAMES);
       const activeTools = hasEmail ? input.activeTools : input.activeTools.filter((t3) => !emailToolSet.has(t3));
       const messagesDir = input.messagesDir ?? input.session.rootPath;
-      if (!existsSync20(messagesDir)) {
-        mkdirSync9(messagesDir, { recursive: true });
+      if (!existsSync21(messagesDir)) {
+        mkdirSync10(messagesDir, { recursive: true });
       }
-      const messagesPath = join21(messagesDir, "messages.json");
-      const initialMessages = input.messages ? [...input.messages] : [
-        {
-          role: "user",
-          content: [{ type: "text", text: input.prompt }]
-        }
-      ];
+      const messagesPath = join22(messagesDir, "messages.json");
+      const initialMessagesRef = {
+        current: input.messages ? [...input.messages] : [
+          {
+            role: "user",
+            content: [{ type: "text", text: input.prompt }]
+          }
+        ]
+      };
       this.streamResult = streamResponse({
         prompt: input.prompt,
         system: (input.system ?? BASE_SYSTEM_PROMPT) + buildSessionWorkspaceSection(input.session),
@@ -194019,11 +194228,17 @@ var init_offensiveSecurityAgent = __esm(() => {
         toolChoice: "auto",
         onStepFinish: (event) => {
           try {
-            const allMessages = [...initialMessages, ...event.response.messages];
-            writeFileSync14(messagesPath, JSON.stringify(allMessages, null, 2));
+            const allMessages = [
+              ...initialMessagesRef.current,
+              ...event.response.messages
+            ];
+            writeFileSync15(messagesPath, JSON.stringify(allMessages, null, 2));
           } catch {}
           input.onStepFinish?.(event);
         },
+        onSummarized: () => {
+          initialMessagesRef.current = [];
+        },
         onFinish: input.onFinish,
         abortSignal: input.abortSignal,
         authConfig: input.authConfig,
@@ -194106,8 +194321,8 @@ var exports_blackboxAgent = {};
 __export(exports_blackboxAgent, {
   BlackboxAttackSurfaceAgent: () => BlackboxAttackSurfaceAgent
 });
-import { join as join22 } from "path";
-import { existsSync as existsSync21 } from "fs";
+import { join as join23 } from "path";
+import { existsSync as existsSync22 } from "fs";
 function buildPrompt3(target, session) {
   const scopeConstraints = session.config?.scopeConstraints;
   const authenticationInstructions = session.config?.authenticationInstructions;
@@ -194158,7 +194373,7 @@ Note any login pages you find as assets and flag them for pentest agents.`;
   return `TARGET: ${target}
 Session: ${session.id}
-Assets directory: ${join22(session.rootPath, "assets")}
+Assets directory: ${join23(session.rootPath, "assets")}
 ${authBlock}
@@ -194186,8 +194401,8 @@ var init_blackboxAgent = __esm(() => {
         attackSurfaceRegistry
       } = opts;
       const target = opts.target ?? opts.cwd;
-      const resultsPath = join22(session.rootPath, "attack-surface-results.json");
-      const assetsPath = join22(session.rootPath, "assets");
+      const resultsPath = join23(session.rootPath, "attack-surface-results.json");
+      const assetsPath = join23(session.rootPath, "assets");
       super({
         system: detectOSAndEnhancePrompt(SYSTEM),
         prompt: buildPrompt3(target, session),
@@ -194223,7 +194438,7 @@ var init_blackboxAgent = __esm(() => {
         resolveResult: () => {
           let results = null;
           let targets = [];
-          if (existsSync21(resultsPath)) {
+          if (existsSync22(resultsPath)) {
             try {
               results = loadAttackSurfaceResults2(resultsPath);
               targets = results.targets || [];
@@ -194237,8 +194452,8 @@ var init_blackboxAgent = __esm(() => {
 });
 // src/core/agents/specialized/pentest/agent.ts
-import { existsSync as existsSync22, readdirSync as readdirSync4, readFileSync as readFileSync9 } from "fs";
-import { join as join23 } from "path";
+import { existsSync as existsSync23, readdirSync as readdirSync4, readFileSync as readFileSync9 } from "fs";
+import { join as join24 } from "path";
 function buildSystemPrompt(session) {
   return session.config?.exfilMode ? PENTEST_SYSTEM_PROMPT_EXFIL : PENTEST_SYSTEM_PROMPT_BASE;
 }
@@ -194249,8 +194464,8 @@ function buildPrompt4(target, objectives, session, findingsRegistry) {
   const objectiveList = objectives.map((o, i2) => `${i2 + 1}. ${o}`).join(`
 `);
   let authSection = "";
-  const authDataPath = join23(sessionRootPath, "auth", "auth-data.json");
-  if (existsSync22(authDataPath)) {
+  const authDataPath = join24(sessionRootPath, "auth", "auth-data.json");
+  if (existsSync23(authDataPath)) {
     try {
       const raw = readFileSync9(authDataPath, "utf-8");
       const authData = JSON.parse(raw);
@@ -194327,12 +194542,12 @@ ${outcomeSection}
 ${instructions}`;
 }
 function loadFindings(findingsPath) {
-  if (!existsSync22(findingsPath)) {
+  if (!existsSync23(findingsPath)) {
     return [];
   }
   return readdirSync4(findingsPath).filter((f3) => f3.endsWith(".json")).map((f3) => {
     try {
-      const content = readFileSync9(join23(findingsPath, f3), "utf-8");
+      const content = readFileSync9(join24(findingsPath, f3), "utf-8");
       return JSON.parse(content);
     } catch {
       return null;
@@ -194487,8 +194702,8 @@ var init_agent4 = __esm(() => {
 });
 // src/core/session/execution-metrics.ts
-import { existsSync as existsSync23, readFileSync as readFileSync10, writeFileSync as writeFileSync15 } from "fs";
-import { join as join24 } from "path";
+import { existsSync as existsSync24, readFileSync as readFileSync10, writeFileSync as writeFileSync16 } from "fs";
+import { join as join25 } from "path";
 function toNonNegativeInteger(value) {
   const n = Number(value);
   return Number.isFinite(n) && n > 0 ? Math.floor(n) : 0;
@@ -194505,14 +194720,14 @@ function normalizeTokenUsage(value) {
   };
 }
 function metricsPath(sessionRootPath) {
-  return join24(sessionRootPath, EXECUTION_METRICS_FILENAME);
+  return join25(sessionRootPath, EXECUTION_METRICS_FILENAME);
 }
 function sessionJsonPath(sessionRootPath) {
-  return join24(sessionRootPath, "session.json");
+  return join25(sessionRootPath, "session.json");
 }
 function readExecutionMetrics(sessionRootPath) {
   const path6 = metricsPath(sessionRootPath);
-  if (!existsSync23(path6))
+  if (!existsSync24(path6))
     return null;
   try {
     const parsed = JSON.parse(readFileSync10(path6, "utf-8"));
@@ -194527,13 +194742,13 @@ function readExecutionMetrics(sessionRootPath) {
 }
 function writeSessionJsonTokenTotals(sessionRootPath, tokenUsage) {
   const path6 = sessionJsonPath(sessionRootPath);
-  if (!existsSync23(path6))
+  if (!existsSync24(path6))
     return;
   try {
     const parsed = JSON.parse(readFileSync10(path6, "utf-8"));
     parsed.tokensIn = tokenUsage.inputTokens;
     parsed.tokensOut = tokenUsage.outputTokens;
-    writeFileSync15(path6, JSON.stringify(parsed, null, 2));
+    writeFileSync16(path6, JSON.stringify(parsed, null, 2));
   } catch {}
 }
 function writeExecutionMetrics(input) {
@@ -194548,7 +194763,7 @@ function writeExecutionMetrics(input) {
     runtime: input.runtime ?? existing?.runtime,
     updatedAt: new Date().toISOString()
   };
-  writeFileSync15(metricsPath(input.sessionRootPath), JSON.stringify(next, null, 2), "utf-8");
+  writeFileSync16(metricsPath(input.sessionRootPath), JSON.stringify(next, null, 2), "utf-8");
   writeSessionJsonTokenTotals(input.sessionRootPath, next.tokenUsage);
   return next;
 }
@@ -194611,8 +194826,8 @@ async function scoreEndpoints(input) {
   } = input;
   const results = new Map;
   const scored = await runWithBoundedConcurrency(endpoints, concurrency, async (ep) => {
-    const key = `${ep.file}:${ep.path}`;
-    const subagentId = `risk-score-${ep.appName}-${ep.path}`;
+    const key = `${ep.method}:${ep.file}:${ep.path}`;
+    const subagentId = `risk-score-${ep.appName}-${ep.method}-${ep.path}`;
     callbacks?.subagentCallbacks?.onSubagentSpawn?.({
       subagentId,
       input: { app: ep.appName, path: ep.path },
@@ -194922,7 +195137,7 @@ async function runWhiteboxAttackSurfaceWorkflow(input) {
     }
   }
   function attachRiskScore(ep) {
-    const key = `${ep.file}:${ep.path}`;
+    const key = `${ep.method}:${ep.file}:${ep.path}`;
     const score = riskScores.get(key);
     return score ? { ...ep, riskScore: score } : ep;
   }
@@ -195143,8 +195358,8 @@ __export(exports_pentest, {
   runPentestSwarm: () => runPentestSwarm,
   DEFAULT_CONCURRENCY: () => DEFAULT_CONCURRENCY4
 });
-import { existsSync as existsSync24, readdirSync as readdirSync5, readFileSync as readFileSync11, writeFileSync as writeFileSync16 } from "fs";
-import { join as join25 } from "path";
+import { existsSync as existsSync25, readdirSync as readdirSync5, readFileSync as readFileSync11, writeFileSync as writeFileSync17 } from "fs";
+import { join as join26 } from "path";
 function addUsageTotals(totals, usage) {
   if (!usage)
     return;
@@ -195288,10 +195503,10 @@ async function runPentestWorkflow(input) {
         sessionId: session.id,
         mode
       });
-      const mdPath2 = join25(session.rootPath, REPORT_FILENAME_MD);
-      const jsonPath2 = join25(session.rootPath, REPORT_FILENAME_JSON);
-      writeFileSync16(mdPath2, renderMarkdown(report2));
-      writeFileSync16(jsonPath2, renderJson(report2));
+      const mdPath2 = join26(session.rootPath, REPORT_FILENAME_MD);
+      const jsonPath2 = join26(session.rootPath, REPORT_FILENAME_JSON);
+      writeFileSync17(mdPath2, renderMarkdown(report2));
+      writeFileSync17(jsonPath2, renderJson(report2));
       return {
         findings: [],
         findingsPath: session.findingsPath,
@@ -195321,10 +195536,10 @@ async function runPentestWorkflow(input) {
       sessionId: session.id,
       mode
     });
-    const mdPath = join25(session.rootPath, REPORT_FILENAME_MD);
-    const jsonPath = join25(session.rootPath, REPORT_FILENAME_JSON);
-    writeFileSync16(mdPath, renderMarkdown(report));
-    writeFileSync16(jsonPath, renderJson(report));
+    const mdPath = join26(session.rootPath, REPORT_FILENAME_MD);
+    const jsonPath = join26(session.rootPath, REPORT_FILENAME_JSON);
+    writeFileSync17(mdPath, renderMarkdown(report));
+    writeFileSync17(jsonPath, renderJson(report));
     return {
       findings,
       findingsPath: session.findingsPath,
@@ -195405,12 +195620,12 @@ async function runBlackboxPhase(opts) {
   }
 }
 function loadFindings2(findingsPath) {
-  if (!existsSync24(findingsPath)) {
+  if (!existsSync25(findingsPath)) {
     return [];
   }
   return readdirSync5(findingsPath).filter((f3) => f3.endsWith(".json")).map((f3) => {
     try {
-      const content = readFileSync11(join25(findingsPath, f3), "utf-8");
+      const content = readFileSync11(join26(findingsPath, f3), "utf-8");
       return JSON.parse(content);
     } catch {
       return null;
@@ -279864,8 +280079,8 @@ function KeybindingProvider({
 // src/tui/components/pentest/pentest.tsx
 var import_react74 = __toESM(require_react(), 1);
 init_report();
-import { existsSync as existsSync25, readdirSync as readdirSync6, readFileSync as readFileSync12 } from "fs";
-import { join as join26 } from "path";
+import { existsSync as existsSync26, readdirSync as readdirSync6, readFileSync as readFileSync12 } from "fs";
+import { join as join27 } from "path";
 init_session();
 // src/core/session/loader.ts
@@ -283127,16 +283342,16 @@ function Pentest({
   import_react74.useEffect(() => {
     if (!session)
       return;
-    const assetsPath = join26(session.rootPath, "assets");
+    const assetsPath = join27(session.rootPath, "assets");
     function readAssets() {
-      if (!existsSync25(assetsPath))
+      if (!existsSync26(assetsPath))
         return;
       try {
         const files = readdirSync6(assetsPath).filter((f3) => f3.endsWith(".json"));
         const loaded = [];
         for (const file2 of files) {
           try {
-            const content = readFileSync12(join26(assetsPath, file2), "utf-8");
+            const content = readFileSync12(join27(assetsPath, file2), "utf-8");
             loaded.push(JSON.parse(content));
           } catch {}
         }
@@ -285350,8 +285565,8 @@ function navigateDown(selectedIndex, queueLength) {
 }
 // src/tui/components/operator-dashboard/index.tsx
-import { existsSync as existsSync26, readFileSync as readFileSync13 } from "fs";
-import { join as join27 } from "path";
+import { existsSync as existsSync27, readFileSync as readFileSync13 } from "fs";
+import { join as join28 } from "path";
 function OperatorDashboard({
   sessionId,
   initialMessage,
@@ -285468,7 +285683,7 @@ function OperatorDashboard({
               });
               if (Array.isArray(savedState.messages) && savedState.messages.length > 0) {
                 const modelMsgs = savedState.messages;
-                conversationRef.current = modelMsgs;
+                conversationRef.current = sessions.getResumeMessages(modelMsgs);
                 const uiMsgs = convertModelMessagesToUI(modelMsgs);
                 setMessages(uiMsgs.map((m4) => ({
                   role: m4.role,
@@ -285904,15 +286119,28 @@ function OperatorDashboard({
         setSession(created);
         setSessionCwd(created.rootPath);
       }
-      try {
-        const response = await agentResult.streamResult.response;
-        if (gen === generationRef.current && response.messages) {
-          conversationRef.current = [
-            ...nextMessages,
-            ...response.messages
-          ];
+      if (gen === generationRef.current) {
+        try {
+          const rootPath = agentResult.session.rootPath;
+          const mp = join28(rootPath, "messages.json");
+          if (existsSync27(mp)) {
+            const raw = JSON.parse(readFileSync13(mp, "utf-8"));
+            if (Array.isArray(raw) && raw.length > 0) {
+              conversationRef.current = sessions.getResumeMessages(raw);
+            }
+          }
+        } catch {
+          try {
+            const response = await agentResult.streamResult.response;
+            if (response.messages) {
+              conversationRef.current = [
+                ...nextMessages,
+                ...response.messages
+              ];
+            }
+          } catch {}
         }
-      } catch {}
+      }
     } catch (e2) {
       if (gen !== generationRef.current)
         return;
@@ -286103,11 +286331,11 @@ function OperatorDashboard({
     approvalGateRef.current.denyAll();
     if (session) {
       try {
-        const messagesPath = join27(session.rootPath, "messages.json");
-        if (existsSync26(messagesPath)) {
+        const messagesPath = join28(session.rootPath, "messages.json");
+        if (existsSync27(messagesPath)) {
           const raw = JSON.parse(readFileSync13(messagesPath, "utf-8"));
           if (Array.isArray(raw) && raw.length > 0) {
-            conversationRef.current = raw;
+            conversationRef.current = sessions.getResumeMessages(raw);
           }
         }
       } catch {}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@pensar/apex",
-  "version": "0.0.88-canary.2b93505f",
+  "version": "0.0.88",
   "description": "AI-powered penetration testing CLI tool with terminal UI",
   "module": "src/tui/index.tsx",
   "main": "build/index.js",