@pensar/apex 2.0.0 → 2.0.1

package/build/{cli-h825qzmd.js → cli-z1dapp7v.js}

@@ -4,7 +4,7 @@ import {
   init_auth,
   init_constants,
   signGatewayRequest
-} from "./cli-948dk60p.js";
+} from "./cli-8g5cwvbm.js";
 import {
   AISDKError,
   APICallError,
@@ -32,6 +32,7 @@ import {
   delay,
   executeTool,
   exports_external,
+  exports_external1 as exports_external2,
   gateway,
   getErrorMessage,
   getErrorMessage1 as getErrorMessage2,
@@ -42,6 +43,7 @@ import {
   init_stream,
   init_v3,
   init_v4,
+  init_zod,
   isAbortError,
   isUrlSupported,
   lazySchema,
@@ -55,17 +57,24 @@ import {
   validateDownloadUrl,
   validateTypes,
   withUserAgentSuffix,
-  zodSchema
+  zodSchema,
+  zod_default
 } from "./cli-e6rgwtpb.js";
 import {
   config,
   init_config
-} from "./cli-h6nw89zf.js";
+} from "./cli-eptabm2j.js";
 import {
+  getCurrentVersion,
+  init_installation
+} from "./cli-0yptvbbm.js";
+import {
+  __callDispose,
   __commonJS,
   __esm,
   __require,
-  __toESM
+  __toESM,
+  __using
 } from "./cli-8rxa073f.js";
 
 // node_modules/ai/dist/index.mjs
@@ -8776,6 +8785,20 @@ var init_models = __esm(() => {
   ];
 });
 
+// src/core/util/lazyLogger.ts
+function scopedLogger(factory) {
+  let instance;
+  const get = () => instance ??= factory();
+  return new Proxy({}, {
+    get(_target, prop) {
+      const inst = get();
+      const value = inst[prop];
+      return typeof value === "function" ? value.bind(inst) : value;
+    }
+  });
+}
+var init_lazyLogger = () => {};
+
 // node_modules/@ai-sdk/provider-utils/dist/index.mjs
 function combineHeaders(...headers) {
   return headers.reduce((combinedHeaders, currentHeaders) => ({
@@ -42434,7 +42457,7 @@ function wrapStreamWithErrorHandler(originalStream, messagesContainer, opts, mod
               if (!isCtxError && isStreamIdleTimeoutError(error) && idleResumeCount < MAX_IDLE_RESUME_RETRIES && messagesContainer.current.length > 0) {
                 const nextIdleCount = idleResumeCount + 1;
                 if (!silent) {
-                  console.warn(`Stream stalled (attempt ${nextIdleCount}/${MAX_IDLE_RESUME_RETRIES}), resuming with ${messagesContainer.current.length} messages: ${errorMessage}`);
+                  log.warn(`Stream stalled (attempt ${nextIdleCount}/${MAX_IDLE_RESUME_RETRIES}), resuming with ${messagesContainer.current.length} messages: ${errorMessage}`);
                 }
                 const retriedStream = streamResponse({
                   ...opts,
@@ -42450,7 +42473,7 @@ function wrapStreamWithErrorHandler(originalStream, messagesContainer, opts, mod
                 const nextRetryCount = rateLimitRetryCount + 1;
                 const delayMs = Math.min(1000 * nextRetryCount, 30000);
                 if (!silent) {
-                  console.warn(`Rate limit error (attempt ${nextRetryCount}/${MAX_RATE_LIMIT_RETRIES}), waiting ${delayMs}ms: ${errorMessage}`);
+                  log.warn(`Rate limit error (attempt ${nextRetryCount}/${MAX_RATE_LIMIT_RETRIES}), waiting ${delayMs}ms: ${errorMessage}`);
                 }
                 await new Promise((resolve4) => setTimeout(resolve4, delayMs));
                 const retriedStream = streamResponse({
@@ -42482,7 +42505,7 @@ function wrapStreamWithErrorHandler(originalStream, messagesContainer, opts, mod
                 let postReactiveDepth = opts._restartDepth ?? 0;
                 if (fitted.fitsBudget && fitted.modified) {
                   if (!silent) {
-                    console.warn(`Context length error — Layer 1+2 reduced to ~${fitted.estimatedInputTokens} tokens, retrying`);
+                    log.warn(`Context length error — Layer 1+2 reduced to ~${fitted.estimatedInputTokens} tokens, retrying`);
                   }
                   try {
                     const retried = streamResponse({
@@ -42504,7 +42527,7 @@ function wrapStreamWithErrorHandler(originalStream, messagesContainer, opts, mod
                 }
                 const messagesForSummary = messagesContainer.current;
                 if (!silent) {
-                  console.warn(`Context length error — summarizing ${messagesForSummary.length} messages`);
+                  log.warn(`Context length error — summarizing ${messagesForSummary.length} messages`);
                 }
                 try {
                   const summarizationStream = createSummarizationStream(messagesForSummary, { ...opts, _restartDepth: postReactiveDepth }, model);
@@ -42517,7 +42540,7 @@ function wrapStreamWithErrorHandler(originalStream, messagesContainer, opts, mod
                   }
                   if (!silent) {
                     const sumMsg = summarizeError instanceof Error ? summarizeError.message : String(summarizeError);
-                    console.error(`Layer 3 summarization failed (${sumMsg}). Falling back to minimal-context restart.`);
+                    log.warn(`Layer 3 summarization failed (${sumMsg}). Falling back to minimal-context restart.`);
                   }
                   opts.onSummarized?.("");
                   const minimalPrompt = typeof opts.prompt === "string" && opts.prompt.length > 0 ? opts.prompt.slice(0, 4000) : MINIMAL_RESTART_PROMPT;
@@ -42533,7 +42556,9 @@ function wrapStreamWithErrorHandler(originalStream, messagesContainer, opts, mod
                 }
               } else {
                 if (!silent) {
-                  console.error("Non-recoverable stream error, re-throwing:", errorMessage);
+                  log.error("Non-recoverable stream error, re-throwing", {
+                    error: errorMessage
+                  });
                 }
                 throw error;
               }
@@ -42620,13 +42645,13 @@ function streamResponse(opts) {
     fittedMessages = fitted.messages;
     proactiveFitFailed = !fitted.fitsBudget;
     if (fitted.modified && !silent) {
-      console.warn(`Proactive context fit: compacted messages to ~${fitted.estimatedInputTokens} tokens (fits=${fitted.fitsBudget})`);
+      log.warn(`Proactive context fit: compacted messages to ~${fitted.estimatedInputTokens} tokens (fits=${fitted.fitsBudget})`);
     }
   }
   const messagesContainer = { current: fittedMessages || [] };
   if (proactiveFitFailed && fittedMessages) {
     if (!silent) {
-      console.warn(`Proactive context fit returned fitsBudget=false on ${fittedMessages.length} messages — escalating to summarization before send`);
+      log.warn(`Proactive context fit returned fitsBudget=false on ${fittedMessages.length} messages — escalating to summarization before send`);
     }
     return wrapStreamWithErrorHandler(createSummarizationStream(fittedMessages, opts, providerModel), messagesContainer, opts, providerModel, silent);
   }
@@ -42719,16 +42744,17 @@ function streamResponse(opts) {
       }) => {
         try {
           if (!silent) {
-            console.log(`\uD83D\uDD27 Repairing tool call: ${toolCall.toolName}`);
-            console.log(`   Error: ${error.message || error}`);
+            log.debug(`Repairing tool call: ${toolCall.toolName}`, {
+              error: error.message || String(error)
+            });
             if (error.message && (error.message.includes("severity") || error.message.includes("riskLevel"))) {
-              console.log(`   Note: This appears to be an enum validation error. Tool call repair will normalize the value.`);
+              log.debug("Enum validation error — tool call repair will normalize the value");
             }
           }
           const tool6 = tools2[toolCall.toolName];
           if (!tool6 || !tool6.inputSchema) {
             if (!silent) {
-              console.error(`Cannot repair tool call: ${toolCall.toolName} not found or has no schema`);
+              log.warn(`Cannot repair tool call: ${toolCall.toolName} not found or has no schema`);
             }
             return null;
           }
@@ -42792,14 +42818,16 @@ function streamResponse(opts) {
           }
           if (repairedArgs === undefined || repairedArgs === null) {
             if (!silent) {
-              console.error(`Tool call repair for "${toolCall.toolName}" produced no valid output`);
+              log.warn(`Tool call repair for "${toolCall.toolName}" produced no valid output`);
             }
             return null;
           }
           return { ...toolCall, input: JSON.stringify(repairedArgs) };
         } catch (repairError) {
           if (!silent) {
-            console.error("Error repairing tool call:", repairError instanceof Error ? repairError.message : String(repairError));
+            log.warn("Error repairing tool call", {
+              error: String(repairError)
+            });
           }
           return null;
         }
@@ -42812,12 +42840,14 @@ function streamResponse(opts) {
     const outerErrorMessage = error instanceof Error ? error.message : String(error);
     if (isContextLengthError) {
       if (!silent) {
-        console.warn(`Context length error, summarizing ${messagesContainer.current.length} messages: `, outerErrorMessage);
+        log.warn(`Context length error, summarizing ${messagesContainer.current.length} messages`, { error: outerErrorMessage });
       }
       return wrapStreamWithErrorHandler(createSummarizationStream(messagesContainer.current, opts, providerModel), messagesContainer, opts, providerModel, silent);
     }
     if (!silent) {
-      console.error("Non-context length error, re-throwing", outerErrorMessage);
+      log.error("Non-context length error, re-throwing", {
+        error: outerErrorMessage
+      });
     }
     throw error;
   }
@@ -42890,14 +42920,17 @@ async function generateObjectResponse(opts) {
   }
   throw lastError;
 }
-var DEFAULT_OPENAI_REASONING_EFFORT = "medium", OPENAI_REASONING_MODEL_IDS, _usageCallback = null, MAX_RATE_LIMIT_RETRIES = 20, MAX_IDLE_RESUME_RETRIES = 3, STREAM_IDLE_TIMEOUT_MS, StreamIdleTimeoutError, MAX_OBJECT_RATE_LIMIT_RETRIES = 8, ContextLengthError, ContextLengthExhaustedError, MAX_RESTART_DEPTH = 3, MAX_TOOL_INPUT_CHARS = 8000, MAX_SCHEMA_CHARS = 6000, MINIMAL_RESTART_PROMPT = "Continue the previous task. Earlier context was discarded due to repeated context-length errors.";
+var log, DEFAULT_OPENAI_REASONING_EFFORT = "medium", OPENAI_REASONING_MODEL_IDS, _usageCallback = null, MAX_RATE_LIMIT_RETRIES = 20, MAX_IDLE_RESUME_RETRIES = 3, STREAM_IDLE_TIMEOUT_MS, StreamIdleTimeoutError, MAX_OBJECT_RATE_LIMIT_RETRIES = 8, ContextLengthError, ContextLengthExhaustedError, MAX_RESTART_DEPTH = 3, MAX_TOOL_INPUT_CHARS = 8000, MAX_SCHEMA_CHARS = 6000, MINIMAL_RESTART_PROMPT = "Continue the previous task. Earlier context was discarded due to repeated context-length errors.";
 var init_ai = __esm(() => {
   init_dist4();
+  init_structured();
   init_observability();
+  init_lazyLogger();
   init_caching();
   init_contextManagement();
   init_models();
   init_utils();
+  log = scopedLogger(() => createLogger("ai"));
   OPENAI_REASONING_MODEL_IDS = new Set([
     "gpt-5",
     "gpt-5-2025-08-07",
@@ -42937,6 +42970,1407 @@ var init_ai = __esm(() => {
   };
 });
 
+// src/core/ai/index.ts
+var init_ai2 = __esm(() => {
+  init_ai();
+  init_models();
+  init_utils();
+});
+
+// src/util/name.ts
+function generateRandomName() {
+  const adj = adjectives[Math.floor(Math.random() * adjectives.length)] ?? "swift";
+  const noun = nouns[Math.floor(Math.random() * nouns.length)] ?? "falcon";
+  return `${adj}-${noun}`;
+}
+async function generateSessionName(opts) {
+  const { targets, userMessage, model, authConfig, abortSignal } = opts;
+  const contextParts = [];
+  if (targets.length > 0) {
+    contextParts.push(`Target(s): ${targets.join(", ")}`);
+  }
+  if (userMessage) {
+    contextParts.push(`User objective: ${userMessage}`);
+  }
+  if (contextParts.length === 0)
+    return null;
+  const prompt = [
+    "Generate a short, descriptive name for a penetration testing session.",
+    "The name should be 2-4 lowercase words separated by hyphens.",
+    "It should capture the key aspect of the target or task — e.g. 'acme-api-pentest', 'login-auth-bypass', 'ecommerce-checkout-test'.",
+    "",
+    ...contextParts
+  ].join(`
+`);
+  try {
+    const result = await generateObjectResponse({
+      model,
+      schema: sessionNameSchema,
+      prompt,
+      maxTokens: 50,
+      temperature: 0.7,
+      authConfig,
+      abortSignal
+    });
+    if (!result?.name)
+      return null;
+    const name29 = result.name.toLowerCase().replace(/[^a-z0-9-]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "").slice(0, 50);
+    return name29 || null;
+  } catch {
+    return null;
+  }
+}
+var adjectives, nouns, sessionNameSchema;
+var init_name = __esm(() => {
+  init_zod();
+  init_ai2();
+  adjectives = [
+    "swift",
+    "bright",
+    "calm",
+    "bold",
+    "keen",
+    "noble",
+    "quick",
+    "sharp",
+    "vivid",
+    "warm",
+    "agile",
+    "brave",
+    "clever",
+    "daring",
+    "eager",
+    "fierce",
+    "gentle",
+    "humble",
+    "jolly",
+    "lively",
+    "merry",
+    "nimble",
+    "proud",
+    "quiet",
+    "rapid",
+    "serene",
+    "sturdy",
+    "tender",
+    "valiant",
+    "witty",
+    "zealous"
+  ];
+  nouns = [
+    "falcon",
+    "wolf",
+    "hawk",
+    "bear",
+    "lion",
+    "tiger",
+    "eagle",
+    "raven",
+    "phoenix",
+    "dragon",
+    "panther",
+    "cobra",
+    "viper",
+    "shark",
+    "orca",
+    "mantis",
+    "spider",
+    "scorpion",
+    "hydra",
+    "griffin",
+    "sphinx",
+    "kraken",
+    "cipher",
+    "nexus",
+    "prism",
+    "vector",
+    "matrix",
+    "pulse",
+    "surge",
+    "flux"
+  ];
+  sessionNameSchema = exports_external2.object({
+    name: exports_external2.string().describe("A short, descriptive session name (2-4 words, lowercase, hyphenated)")
+  });
+});
+
+// src/core/credentials/manager.ts
+import { randomBytes } from "crypto";
+function generateCredentialId() {
+  return `cred_${randomBytes(8).toString("hex")}`;
+}
+function inferType(cred) {
+  const hasPwd = !!cred.password;
+  const hasApiKey = !!cred.apiKey;
+  const hasBearer = !!cred.tokens?.bearerToken;
+  const hasHeaders = !!cred.tokens?.customHeaders && Object.keys(cred.tokens.customHeaders).length > 0;
+  const hasCookies = !!cred.tokens?.cookies;
+  const count = (hasPwd ? 1 : 0) + (hasApiKey ? 1 : 0) + (hasBearer ? 1 : 0) + (hasHeaders ? 1 : 0) + (hasCookies ? 1 : 0);
+  if (count > 1)
+    return "composite";
+  if (hasPwd)
+    return "username-password";
+  if (hasApiKey)
+    return "api-key";
+  if (hasBearer)
+    return "bearer-token";
+  if (hasHeaders)
+    return "custom-headers";
+  if (hasCookies)
+    return "cookies";
+  return "username-password";
+}
+function toReference(stored) {
+  const ref = {
+    id: stored.id,
+    type: stored.type
+  };
+  if (stored.label)
+    ref.label = stored.label;
+  if (stored.role)
+    ref.role = stored.role;
+  if (stored.username)
+    ref.username = stored.username;
+  if (stored.loginUrl)
+    ref.loginUrl = stored.loginUrl;
+  if (stored.tokens?.customHeaders) {
+    ref.customHeaderKeys = Object.keys(stored.tokens.customHeaders);
+  }
+  const ctx = stored.metadata?.context;
+  if (typeof ctx === "string" && ctx)
+    ref.context = ctx;
+  return ref;
+}
+
+class CredentialManager {
+  store = new Map;
+  findDuplicate(candidate) {
+    for (const [id, existing] of this.store) {
+      if (existing.username === candidate.username && existing.password === candidate.password && existing.apiKey === candidate.apiKey && existing.loginUrl === candidate.loginUrl && existing.tokens?.bearerToken === candidate.tokens?.bearerToken && existing.tokens?.cookies === candidate.tokens?.cookies && existing.tokens?.sessionToken === candidate.tokens?.sessionToken && JSON.stringify(existing.tokens?.customHeaders) === JSON.stringify(candidate.tokens?.customHeaders)) {
+        return id;
+      }
+    }
+    return;
+  }
+  add(input) {
+    const id = input.id ?? generateCredentialId();
+    const type = input.type ?? inferType(input);
+    const stored = { ...input, id, type };
+    this.store.set(id, stored);
+    return id;
+  }
+  addFromAuthCredentials(creds, extra) {
+    const candidate = {
+      username: creds.username,
+      password: creds.password,
+      apiKey: creds.apiKey,
+      loginUrl: creds.loginUrl,
+      additionalFields: creds.additionalFields,
+      tokens: creds.tokens,
+      label: extra?.label,
+      role: extra?.role ?? creds.role,
+      metadata: creds.context ? { context: creds.context } : undefined
+    };
+    const existingId = this.findDuplicate(candidate);
+    if (existingId)
+      return existingId;
+    return this.add(candidate);
+  }
+  resolve(credentialId) {
+    return this.store.get(credentialId);
+  }
+  getReference(credentialId) {
+    const stored = this.store.get(credentialId);
+    if (!stored)
+      return;
+    return toReference(stored);
+  }
+  listReferences() {
+    return Array.from(this.store.values()).map(toReference);
+  }
+  listCredentialsWithHeaders() {
+    const out = [];
+    for (const stored of this.store.values()) {
+      const headers = stored.tokens?.customHeaders;
+      if (headers && Object.keys(headers).length > 0) {
+        out.push({ tokens: { customHeaders: { ...headers } } });
+      }
+    }
+    return out;
+  }
+  remove(credentialId) {
+    return this.store.delete(credentialId);
+  }
+  get size() {
+    return this.store.size;
+  }
+  clear() {
+    this.store.clear();
+  }
+  toAuthCredentials(credentialId) {
+    const stored = this.resolve(credentialId);
+    if (!stored)
+      return;
+    const result = {};
+    if (stored.username)
+      result.username = stored.username;
+    if (stored.password)
+      result.password = stored.password;
+    if (stored.apiKey)
+      result.apiKey = stored.apiKey;
+    if (stored.loginUrl)
+      result.loginUrl = stored.loginUrl;
+    if (stored.additionalFields)
+      result.additionalFields = stored.additionalFields;
+    if (stored.tokens)
+      result.tokens = { ...stored.tokens };
+    return result;
+  }
+  formatForPrompt() {
+    const refs = this.listReferences();
+    if (refs.length === 0)
+      return "";
+    const lines = refs.map((ref) => {
+      const parts = [`- Credential ID: ${ref.id}`];
+      if (ref.label)
+        parts.push(`  Label: ${ref.label}`);
+      parts.push(`  Type: ${ref.type}`);
+      if (ref.role)
+        parts.push(`  Role: ${ref.role}`);
+      if (ref.username)
+        parts.push(`  Username: ${ref.username}`);
+      if (ref.loginUrl)
+        parts.push(`  Login URL: ${ref.loginUrl}`);
+      if (ref.customHeaderKeys?.length) {
+        parts.push(`  Header keys: ${ref.customHeaderKeys.join(", ")}`);
+      }
+      if (ref.context)
+        parts.push(`  Context: ${ref.context}`);
+      return parts.join(`
+`);
+    });
+    return `<available_credentials>
+The following credentials are available. To use a credential, pass its ID to the appropriate tool.
+Do NOT ask the user for passwords or secrets — they are resolved automatically from the credential ID.
+
+${lines.join(`
+
+`)}
+</available_credentials>`;
+  }
+}
+var init_manager = () => {};
+
+// src/core/credentials/index.ts
+var init_credentials = __esm(() => {
+  init_manager();
+});
+
+// src/core/id/id.ts
+import { randomBytes as randomBytes2 } from "crypto";
+function schema(prefix) {
+  return zod_default.string().startsWith(prefixes[prefix]);
+}
+function descending(prefix, given) {
+  return generateID(prefix, true, given);
+}
+function generateID(prefix, descending2, given) {
+  if (!given) {
+    return create(prefix, descending2);
+  }
+  if (!given.startsWith(prefixes[prefix])) {
+    throw new Error(`ID ${given} does not start with ${prefixes[prefix]}`);
+  }
+  return given;
+}
+function randomBase62(length) {
+  const chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+  let result = "";
+  const bytes = randomBytes2(length);
+  for (let i = 0;i < length; i++) {
+    result += chars[bytes[i] % 62];
+  }
+  return result;
+}
+function create(prefix, descending2, timestamp) {
+  const currentTimestamp = timestamp ?? Date.now();
+  if (currentTimestamp !== lastTimestamp) {
+    lastTimestamp = currentTimestamp;
+    counter = 0;
+  }
+  counter++;
+  let now2 = BigInt(currentTimestamp) * BigInt(4096) + BigInt(counter);
+  now2 = descending2 ? ~now2 : now2;
+  const timeBytes = Buffer.alloc(6);
+  for (let i = 0;i < 6; i++) {
+    timeBytes[i] = Number(now2 >> BigInt(40 - 8 * i) & BigInt(255));
+  }
+  return prefixes[prefix] + "_" + timeBytes.toString("hex") + randomBase62(LENGTH - 12);
+}
+var prefixes, LENGTH = 26, lastTimestamp = 0, counter = 0;
+var init_id = __esm(() => {
+  init_zod();
+  prefixes = {
+    session: "ses",
+    message: "msg",
+    permission: "per",
+    user: "usr",
+    part: "prt"
+  };
+});
+
+// src/core/services/rateLimiter/index.ts
+function sleep(ms) {
+  return new Promise((resolve4) => setTimeout(resolve4, ms));
+}
+
+class RateLimiter {
+  tokens;
+  lastRefillTime;
+  rps;
+  bucketSize;
+  msPerToken;
+  queue;
+  constructor(config2) {
+    this.rps = config2?.requestsPerSecond;
+    this.bucketSize = this.rps ? 1 : 0;
+    this.tokens = this.bucketSize;
+    this.lastRefillTime = performance.now();
+    this.msPerToken = this.rps ? 1000 / this.rps : undefined;
+    this.queue = Promise.resolve();
+  }
+  async acquireSlot() {
+    if (!this.rps || !this.msPerToken)
+      return;
+    const previousPromise = this.queue;
+    let resolveCurrentRequest;
+    this.queue = new Promise((resolve4) => {
+      resolveCurrentRequest = resolve4;
+    });
+    await previousPromise;
+    try {
+      const now2 = performance.now();
+      this.refill(now2);
+      if (this.tokens < 1) {
+        const waitTime = (1 - this.tokens) * this.msPerToken;
+        await sleep(waitTime);
+        const nowAfterSleep = performance.now();
+        this.refill(nowAfterSleep);
+      }
+      this.tokens -= 1;
+    } finally {
+      resolveCurrentRequest();
+    }
+  }
+  refill(now2) {
+    if (this.tokens >= this.bucketSize) {
+      this.lastRefillTime = now2;
+      return;
+    }
+    const elapsed = now2 - this.lastRefillTime;
+    const tokensToAdd = elapsed / this.msPerToken;
+    this.tokens = Math.min(this.bucketSize, this.tokens + tokensToAdd);
+    this.lastRefillTime = now2;
+  }
+  isEnabled() {
+    return this.rps !== undefined;
+  }
+}
+var init_rateLimiter = () => {};
+
+// src/util/errors.ts
+var NamedError;
+var init_errors = __esm(() => {
+  init_zod();
+  NamedError = class NamedError extends Error {
+    static create(name29, data) {
+      const schema2 = zod_default.object({
+        name: zod_default.literal(name29),
+        data
+      });
+      const result = class extends NamedError {
+        data;
+        static Schema = schema2;
+        name = name29;
+        constructor(data2, options) {
+          super(name29, options);
+          this.data = data2;
+          this.name = name29;
+        }
+        static isInstance(input) {
+          return typeof input === "object" && input !== null && "name" in input && input.name === name29;
+        }
+        schema() {
+          return schema2;
+        }
+        toObject() {
+          return {
+            name: name29,
+            data: this.data
+          };
+        }
+      };
+      Object.defineProperty(result, "name", { value: name29 });
+      return result;
+    }
+    static Unknown = NamedError.create("UnknownError", zod_default.object({
+      message: zod_default.string()
+    }));
+  };
+});
+
+// src/util/lock.ts
+function getLock(key) {
+  let lock = locks.get(key);
+  if (!lock) {
+    lock = {
+      readers: 0,
+      writer: false,
+      waitingReaders: [],
+      waitingWriters: []
+    };
+    locks.set(key, lock);
+  }
+  return lock;
+}
+function processQueue(key) {
+  const lock = locks.get(key);
+  if (!lock || lock.writer || lock.readers > 0)
+    return;
+  if (lock.waitingWriters.length > 0) {
+    const nextWriter = lock.waitingWriters.shift();
+    nextWriter?.();
+    return;
+  }
+  while (lock.waitingReaders.length > 0) {
+    const nextReader = lock.waitingReaders.shift();
+    nextReader?.();
+  }
+  if (lock.readers === 0 && !lock.writer && lock.waitingReaders.length === 0 && lock.waitingWriters.length === 0) {
+    locks.delete(key);
+  }
+}
+async function read(key) {
+  const lock = getLock(key);
+  return new Promise((resolve4) => {
+    if (!lock.writer && lock.waitingWriters.length === 0) {
+      lock.readers++;
+      resolve4({
+        [Symbol.dispose]: () => {
+          lock.readers--;
+          processQueue(key);
+        }
+      });
+    } else {
+      lock.waitingReaders.push(() => {
+        lock.readers++;
+        resolve4({
+          [Symbol.dispose]: () => {
+            lock.readers--;
+            processQueue(key);
+          }
+        });
+      });
+    }
+  });
+}
+async function write(key) {
+  const lock = getLock(key);
+  return new Promise((resolve4) => {
+    if (!lock.writer && lock.readers === 0) {
+      lock.writer = true;
+      resolve4({
+        [Symbol.dispose]: () => {
+          lock.writer = false;
+          processQueue(key);
+        }
+      });
+    } else {
+      lock.waitingWriters.push(() => {
+        lock.writer = true;
+        resolve4({
+          [Symbol.dispose]: () => {
+            lock.writer = false;
+            processQueue(key);
+          }
+        });
+      });
+    }
+  });
+}
+var locks;
+var init_lock = __esm(() => {
+  locks = new Map;
+});
+
+// src/core/storage/index.ts
+import fs, { readdir } from "fs/promises";
+import os from "os";
+import path from "path";
+function getBaseDir() {
+  return process.env.PENSAR_DATA_DIR ?? path.join(os.homedir(), ".pensar");
+}
+async function write2(key, content, ext) {
+  const dir = getBaseDir();
+  const target = path.join(dir, ...key) + (ext ? ext : ".json");
+  return withErrorHandling(async () => {
+    let __stack = [];
+    try {
+      const _ = __using(__stack, await write(target), 0);
+      await fs.mkdir(path.dirname(target), { recursive: true });
+      await fs.writeFile(target, JSON.stringify(content, null, 2), "utf-8");
+    } catch (_catch) {
+      var _err = _catch, _hasErr = 1;
+    } finally {
+      __callDispose(__stack, _err, _hasErr);
+    }
+  });
+}
+async function createDir(key) {
+  const dir = getBaseDir();
+  const target = path.join(dir, ...key);
+  return withErrorHandling(async () => {
+    let __stack = [];
+    try {
+      const _ = __using(__stack, await write(target), 0);
+      await fs.mkdir(target, { recursive: true });
+    } catch (_catch) {
+      var _err = _catch, _hasErr = 1;
+    } finally {
+      __callDispose(__stack, _err, _hasErr);
+    }
+  });
+}
+async function writeRaw(key, content) {
+  const dir = getBaseDir();
+  const target = path.join(dir, ...key);
+  return withErrorHandling(async () => {
+    let __stack = [];
+    try {
+      const _ = __using(__stack, await write(target), 0);
+      const parentDir = path.dirname(target);
+      await fs.mkdir(parentDir, { recursive: true });
+      await fs.writeFile(target, content, "utf-8");
+    } catch (_catch) {
+      var _err = _catch, _hasErr = 1;
+    } finally {
+      __callDispose(__stack, _err, _hasErr);
+    }
+  });
+}
+async function read2(key, ext) {
+  const dir = getBaseDir();
+  const target = path.join(dir, ...key) + (ext ? ext : ".json");
+  return withErrorHandling(async () => {
+    let __stack = [];
+    try {
+      const _ = __using(__stack, await read(target), 0);
+      const text2 = await fs.readFile(target, "utf-8");
+      const result = ext ? text2 : JSON.parse(text2);
+      return result;
+    } catch (_catch) {
+      var _err = _catch, _hasErr = 1;
+    } finally {
+      __callDispose(__stack, _err, _hasErr);
+    }
+  });
+}
+async function update(key, fn, ext) {
+  const dir = getBaseDir();
+  const target = path.join(dir, ...key) + (ext ? ext : ".json");
+  return withErrorHandling(async () => {
+    let __stack = [];
+    try {
+      const _ = __using(__stack, await write(target), 0);
+      const text2 = await fs.readFile(target, "utf-8");
+      const content = ext ? text2 : JSON.parse(text2);
+      fn(content);
+      await fs.writeFile(target, JSON.stringify(content, null, 2), "utf-8");
+      return content;
+    } catch (_catch) {
+      var _err = _catch, _hasErr = 1;
+    } finally {
+      __callDispose(__stack, _err, _hasErr);
+    }
+  });
+}
+async function withErrorHandling(body) {
+  return body().catch((e) => {
+    if (!(e instanceof Error))
+      throw e;
+    const errnoExcpetion = e;
+    if (errnoExcpetion.code === "ENOENT") {
+      throw new NotFoundError({
+        message: `Resource not found: ${errnoExcpetion.path}`
+      });
+    }
+    throw e;
+  });
+}
+async function listFilesRecursively(dir) {
+  const entries = await readdir(dir, { withFileTypes: true });
+  const files = [];
+  for (const entry of entries) {
+    const fullPath = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      files.push(...await listFilesRecursively(fullPath));
+    } else {
+      files.push(fullPath);
+    }
+  }
+  return files;
+}
+async function list(prefix) {
+  const dir = getBaseDir();
+  const targetDir = path.join(dir, ...prefix);
+  try {
+    const files = await listFilesRecursively(targetDir);
+    const result = files.map((filePath) => {
+      const relativePath = path.relative(targetDir, filePath);
+      return [...prefix, ...relativePath.slice(0, -5).split(path.sep)];
+    });
+    result.sort();
+    return result;
+  } catch {
+    return [];
+  }
+}
+var NotFoundError;
+var init_storage = __esm(() => {
+  init_zod();
+  init_errors();
+  init_lock();
+  NotFoundError = NamedError.create("NotFoundError", zod_default.object({
+    message: zod_default.string()
+  }));
+});
+
+// src/core/toolset/index.ts
+var ToolsetStateSchema;
+var init_toolset = __esm(() => {
+  init_zod();
+  ToolsetStateSchema = exports_external2.object({
+    baseToolsetId: exports_external2.string(),
+    enabledTools: exports_external2.record(exports_external2.string(), exports_external2.boolean()),
+    lastModified: exports_external2.number()
+  });
+});
+
+// src/core/session/index.ts
+import { existsSync, readFileSync } from "fs";
+import os2 from "os";
+import path2 from "path";
+function resolveSmtpConfig(explicit) {
+  if (explicit)
+    return explicit;
+  const fromAddress = process.env.OUTBOUND_EMAIL;
+  const resendKey = process.env.RESEND_API_KEY;
+  if (resendKey) {
+    return {
+      host: "smtp.resend.com",
+      port: 465,
+      username: "resend",
+      password: resendKey,
+      tls: true,
+      fromAddress
+    };
+  }
+  const host = process.env.SMTP_HOST;
+  const port = process.env.SMTP_PORT;
+  const username = process.env.SMTP_USERNAME;
+  const password = process.env.SMTP_PASSWORD;
+  if (host && port && username && password) {
+    return {
+      host,
+      port: parseInt(port, 10),
+      username,
+      password,
+      tls: process.env.SMTP_TLS !== "false",
+      fromAddress
+    };
+  }
+  return;
+}
+function getPensarDir() {
+  return path2.join(os2.homedir(), ".pensar");
+}
+function getSessionsDir() {
+  return path2.join(getPensarDir(), "sessions");
+}
+function getSessionRoot(id) {
+  return path2.join(getSessionsDir(), id);
+}
+async function createSessionDirs(input) {
+  const { session } = input;
+  await createDir(["sessions", session.id]);
+  await createDir(["sessions", session.id, "findings"]);
+  await createDir(["sessions", session.id, "scratchpad"]);
+  await createDir(["sessions", session.id, "logs"]);
+  await createDir(["sessions", session.id, "pocs"]);
+  const startTime = new Date().toISOString();
+  const readme = generateSessionReadme(session);
+  await writeRaw(["sessions", session.id, "README.md"], readme);
+  console.info("created session", session.id);
+}
+function generateSessionReadme(session) {
+  return `# Penetration Test Session
+
+**Session ID:** ${session.id}
+**Target:** ${session.targets}
+**Objective:** ${session.config?.outcomeGuidance}
+**Started:** ${session.time.created}
+
+## Directory Structure
+
+- \`findings/\` - Security findings and vulnerabilities
+- \`scratchpad/\` - Notes and temporary data during testing
+- \`logs/\` - Execution logs and command outputs
+- \`pocs/\` - Proof-of-concept exploit scripts
+- \`session.json\` - Session metadata
+
+## Findings
+
+Security findings will be documented in the \`findings/\` directory as individual files.
+
+## Status
+
+Testing in progress...
+`;
+}
+function normalizeDeprecatedHeaders(config2) {
+  if (!config2)
+    return config2;
+  if (config2.offensiveHeaders == null) {
+    const { offensiveHeaders: _drop, ...rest2 } = config2;
+    return rest2;
+  }
+  const { offensiveHeaders, ...rest } = config2;
+  const restWithHeaders = rest;
+  if (restWithHeaders.headers !== undefined) {
+    return restWithHeaders;
+  }
+  const oh = offensiveHeaders;
+  if (oh.mode === "none") {
+    return { ...restWithHeaders, headers: {} };
+  }
+  let headers = {};
+  if (oh.mode === "default")
+    headers = { ...DEFAULT_HEADER_RECORD };
+  if (oh.headers)
+    headers = { ...headers, ...oh.headers };
+  return { ...restWithHeaders, headers };
+}
+function migrateLegacySessionData(input) {
+  if (!input || typeof input !== "object")
+    return input;
+  const root = input;
+  const config2 = root.config;
+  if (!config2 || typeof config2 !== "object")
+    return input;
+  const cfg = config2;
+  if (!("offensiveHeaders" in cfg))
+    return input;
+  return { ...root, config: normalizeDeprecatedHeaders(cfg) };
+}
+async function create2(input) {
+  const name29 = input.name ?? generateRandomName();
+  const normalizedConfig = normalizeDeprecatedHeaders(input.config);
+  const id = `${input.prefix ? input.prefix : ""}` + descending("session", input.id);
+  const rootPath = getSessionRoot(id);
+  const findingsPath = path2.join(rootPath, "findings");
+  const scratchpadPath = path2.join(rootPath, "scratchpad");
+  const logsPath = path2.join(rootPath, "logs");
+  const pocsPath = path2.join(rootPath, "pocs");
+  const rateLimiter = new RateLimiter({
+    requestsPerSecond: normalizedConfig?.requestsPerSecond
+  });
+  let credentialManager;
+  if (normalizedConfig?.authCredentials) {
+    credentialManager = new CredentialManager;
+    const creds = Array.isArray(normalizedConfig.authCredentials) ? normalizedConfig.authCredentials : [normalizedConfig.authCredentials];
+    for (const cred of creds) {
+      credentialManager.addFromAuthCredentials(cred);
+    }
+  }
+  const smtpConfig = resolveSmtpConfig(normalizedConfig?.smtpConfig);
+  let snapshotHeaders;
+  if (normalizedConfig?.headers !== undefined) {
+    snapshotHeaders = { ...normalizedConfig.headers };
+  } else {
+    const { config: appConfig } = await import("./index-9d2es97h.js");
+    const cfg = await appConfig.get();
+    snapshotHeaders = cfg.defaultHeaders ? { ...cfg.defaultHeaders } : { ...DEFAULT_HEADER_RECORD };
+  }
+  const result = {
+    id,
+    version: getCurrentVersion(),
+    targets: input.targets,
+    name: name29,
+    time: {
+      created: Date.now(),
+      updated: Date.now()
+    },
+    config: {
+      ...normalizedConfig,
+      mode: normalizedConfig?.mode || "auto",
+      headers: snapshotHeaders,
+      outcomeGuidance: normalizedConfig?.outcomeGuidance || (normalizedConfig?.exfilMode ? EXFIL_OUTCOME_GUIDANCE : DEFAULT_OUTCOME_GUIDANCE),
+      smtpConfig
+    },
+    _rateLimiter: rateLimiter,
+    credentialManager,
+    rootPath,
+    logsPath,
+    pocsPath,
+    scratchpadPath,
+    findingsPath
+  };
+  const { _rateLimiter, credentialManager: _cm, ...sessionData } = result;
+  await createSessionDirs({ session: result });
+  await write2(["sessions", result.id, "session"], sessionData);
+  if (!input.name && input.model) {
+    generateSessionName({
+      targets: input.targets,
+      userMessage: input.userMessage,
+      model: input.model,
+      authConfig: input.authConfig
+    }).then((aiName) => {
+      if (aiName) {
+        result.name = aiName;
+        update2(result.id, (s) => {
+          s.name = aiName;
+        }).catch(() => {});
+        input.onNameGenerated?.(aiName);
+      }
+    });
+  }
+  return result;
+}
+async function update2(id, editor) {
+  const result = await update(["sessions", id, "session"], (draft) => {
+    editor(draft);
+    draft.time.updated = Date.now();
+  });
+  return result;
+}
+async function* list2() {
+  const sessionsDir = getSessionsDir();
+  let entries;
+  try {
+    entries = await import("fs/promises").then((fsp) => fsp.readdir(sessionsDir, { withFileTypes: true }));
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    if (!entry.isDirectory())
+      continue;
+    try {
+      yield await read2([
+        "sessions",
+        entry.name,
+        "session"
+      ]);
+    } catch {}
+  }
+}
+async function loadOperatorState(sessionId) {
+  try {
+    const session = await get(sessionId);
+    const statePath = path2.join(session.rootPath, "messages.json");
+    if (!existsSync(statePath))
+      return null;
+    const data = readFileSync(statePath, "utf-8");
+    const parsed = JSON.parse(data);
+    if (Array.isArray(parsed)) {
+      return {
+        mode: session.config?.operatorSettings?.initialMode ?? "manual",
+        requireApproval: session.config?.operatorSettings?.requireApproval ?? true,
+        currentStage: "recon",
+        messages: parsed,
+        attackSurface: [],
+        credentials: [],
+        verifiedVulns: [],
+        targetState: null,
+        hypotheses: [],
+        evidence: [],
+        actionHistory: [],
+        pausedAt: new Date().toISOString(),
+        lastRunId: ""
+      };
+    }
+    return parsed;
+  } catch (error) {
+    console.error("Error loading operator state:", error);
+    return null;
+  }
+}
+function hasOperatorState(session) {
+  const statePath = path2.join(session.rootPath, "messages.json");
+  return existsSync(statePath);
+}
+function getResumeMessages(messages, limit = MAX_RESUME_MESSAGES) {
+  if (messages.length <= limit)
+    return messages;
+  let cutIndex = messages.length - limit;
+  while (cutIndex < messages.length) {
+    if (messages[cutIndex].role === "user")
+      break;
+    cutIndex++;
+  }
+  if (cutIndex >= messages.length) {
+    cutIndex = messages.length - limit;
+  }
+  return messages.slice(cutIndex);
+}
+function normalizeMessages(messages) {
+  if (messages.length <= 1)
+    return fixToolOutputs(messages);
+  const result = [];
+  for (const msg of messages) {
+    const prev = result[result.length - 1];
+    if (prev && prev.role === "user" && msg.role === "user" && typeof prev.content === "string" && typeof msg.content === "string") {
+      result[result.length - 1] = {
+        ...prev,
+        content: `${prev.content}
+
+${msg.content}`
+      };
+    } else if (prev && prev.role === "user" && msg.role === "user") {
+      result[result.length - 1] = msg;
+    } else {
+      result.push(msg);
+    }
+  }
+  return fixToolOutputs(result);
+}
+function fixToolOutputs(messages) {
+  let changed = false;
+  const fixed = messages.map((msg) => {
+    if (msg.role !== "tool" || !Array.isArray(msg.content))
+      return msg;
+    let partChanged = false;
+    const fixedContent = msg.content.map((part) => {
+      if (part.type === "tool-result" && typeof part.output === "string") {
+        partChanged = true;
+        return { ...part, output: { type: "text", value: part.output } };
+      }
+      return part;
+    });
+    if (partChanged) {
+      changed = true;
+      return { ...msg, content: fixedContent };
+    }
+    return msg;
+  });
+  return changed ? fixed : messages;
+}
+async function updateOperatorSettings(sessionId, settings) {
+  return await update2(sessionId, (session) => {
+    if (!session.config) {
+      session.config = {};
+    }
+    if (!session.config.operatorSettings) {
+      session.config.operatorSettings = {
+        initialMode: "manual",
+        requireApproval: true,
+        enableSuggestions: true
+      };
+    }
+    if (settings.initialMode !== undefined) {
+      session.config.operatorSettings.initialMode = settings.initialMode;
+    }
+    if (settings.requireApproval !== undefined) {
+      session.config.operatorSettings.requireApproval = settings.requireApproval;
+    }
+    if (settings.enableSuggestions !== undefined) {
+      session.config.operatorSettings.enableSuggestions = settings.enableSuggestions;
+    }
+  });
+}
+async function updateSessionHeaders(sessionId, headers) {
+  return await update2(sessionId, (session) => {
+    if (!session.config) {
+      session.config = {};
+    }
+    session.config.headers = { ...headers };
+  });
+}
+var DEFAULT_OUTCOME_GUIDANCE, EXFIL_OUTCOME_GUIDANCE, DEFAULT_HEADER_RECORD, AuthCredentialsObject, ScopeConstraintsObject, SessionHeadersRecord, OffensiveHeadersConfigObject, OperatorSettingsObject, EmailInboxConfigObject, EmailIntegrationConfigObject, SmtpConfigObject, SessionConfigObject, SessionInfoObject, get = async (id) => {
+  const raw = await read2(["sessions", id, "session"]);
+  const read3 = migrateLegacySessionData(raw);
+  if (read3.config?.requestsPerSecond) {
+    read3._rateLimiter = new RateLimiter({
+      requestsPerSecond: read3.config.requestsPerSecond
+    });
+  } else {
+    delete read3._rateLimiter;
+  }
+  return read3;
+}, RemoveInput, remove2 = async (input) => {
+  try {
+    const sessionDir = getSessionRoot(input.sessionId);
+    const fsp = await import("fs/promises");
+    await fsp.rm(sessionDir, { recursive: true, force: true });
+  } catch (e) {
+    console.error(e);
+  }
+}, RemoveMsgInput, MAX_RESUME_MESSAGES = 200, sessions;
+var init_session = __esm(() => {
+  init_zod();
+  init_name();
+  init_credentials();
+  init_id();
+  init_installation();
+  init_rateLimiter();
+  init_storage();
+  init_toolset();
+  DEFAULT_OUTCOME_GUIDANCE = "Prove the exploit can be run but do not exfiltrate data or cause any harm to the system. " + "Create proof-of-concept exploits that demonstrate the vulnerability exists without causing damage.";
+  EXFIL_OUTCOME_GUIDANCE = "Exfiltrate data to extract the flag value. " + "Create proof-of-concept exploits that successfully extract the flag from the target system.";
+  DEFAULT_HEADER_RECORD = {
+    "User-Agent": "pensar-apex"
+  };
+  AuthCredentialsObject = zod_default.object({
+    username: zod_default.string().optional(),
+    password: zod_default.string().optional(),
+    loginUrl: zod_default.string().optional(),
+    additionalFields: zod_default.record(zod_default.string(), zod_default.string()).optional(),
+    apiKey: zod_default.string().optional(),
+    role: zod_default.string().optional(),
+    context: zod_default.string().optional(),
+    tokens: zod_default.object({
+      bearerToken: zod_default.string().optional(),
+      cookies: zod_default.string().optional(),
+      sessionToken: zod_default.string().optional(),
+      customHeaders: zod_default.record(zod_default.string(), zod_default.string()).optional()
+    }).optional()
+  });
+  ScopeConstraintsObject = zod_default.object({
+    allowedHosts: zod_default.string().array().optional(),
+    allowedPorts: zod_default.number().array().optional(),
+    strictScope: zod_default.boolean().optional()
+  });
+  SessionHeadersRecord = zod_default.record(zod_default.string(), zod_default.string());
+  OffensiveHeadersConfigObject = zod_default.object({
+    mode: zod_default.enum(["none", "default", "custom"]).optional(),
+    headers: SessionHeadersRecord.optional()
+  });
+  OperatorSettingsObject = zod_default.object({
+    initialMode: zod_default.enum(["plan", "manual", "auto"]).default("manual"),
+    requireApproval: zod_default.boolean().default(true),
+    enableSuggestions: zod_default.boolean().default(true)
+  });
+  EmailInboxConfigObject = zod_default.discriminatedUnion("provider", [
+    zod_default.object({
+      provider: zod_default.literal("gmail"),
+      id: zod_default.string(),
+      name: zod_default.string(),
+      emailAddress: zod_default.string(),
+      accessToken: zod_default.string(),
+      refreshToken: zod_default.string(),
+      clientId: zod_default.string().optional(),
+      clientSecret: zod_default.string().optional(),
+      tokenExpiry: zod_default.number().optional()
+    }),
+    zod_default.object({
+      provider: zod_default.literal("outlook"),
+      id: zod_default.string(),
+      name: zod_default.string(),
+      emailAddress: zod_default.string(),
+      accessToken: zod_default.string(),
+      refreshToken: zod_default.string(),
+      clientId: zod_default.string().optional(),
+      clientSecret: zod_default.string().optional(),
+      tokenExpiry: zod_default.number().optional()
+    }),
+    zod_default.object({
+      provider: zod_default.literal("imap"),
+      id: zod_default.string(),
+      name: zod_default.string(),
+      emailAddress: zod_default.string(),
+      imapHost: zod_default.string(),
+      imapPort: zod_default.number(),
+      username: zod_default.string(),
+      password: zod_default.string(),
+      tls: zod_default.boolean()
+    })
+  ]);
+  EmailIntegrationConfigObject = zod_default.object({
+    inboxes: zod_default.array(EmailInboxConfigObject)
+  });
+  SmtpConfigObject = zod_default.object({
+    host: zod_default.string(),
+    port: zod_default.number(),
+    username: zod_default.string(),
+    password: zod_default.string(),
+    tls: zod_default.boolean().default(true),
+    fromAddress: zod_default.string().optional()
+  });
+  SessionConfigObject = zod_default.object({
+    headers: SessionHeadersRecord.optional(),
+    offensiveHeaders: OffensiveHeadersConfigObject.optional(),
+    sessionType: zod_default.enum(["web-app"]).optional(),
+    mode: zod_default.enum(["auto", "driver", "operator"]).optional(),
+    outcomeGuidance: zod_default.string().optional(),
+    scopeConstraints: ScopeConstraintsObject.optional(),
+    authCredentials: zod_default.union([AuthCredentialsObject, zod_default.array(AuthCredentialsObject)]).optional(),
+    authenticationInstructions: zod_default.string().optional(),
+    requestsPerSecond: zod_default.number().optional(),
+    operatorSettings: OperatorSettingsObject.optional(),
+    toolsetState: ToolsetStateSchema.optional(),
+    enumerateSubdomains: zod_default.boolean().optional(),
+    codebasePath: zod_default.string().optional(),
+    emailIntegration: EmailIntegrationConfigObject.optional(),
+    smtpConfig: SmtpConfigObject.optional(),
+    exfilMode: zod_default.boolean().optional(),
+    agentCwd: zod_default.string().optional(),
+    prompt: zod_default.string().optional(),
+    taskDriven: zod_default.boolean().optional(),
+    requirePlan: zod_default.boolean().optional()
+  });
+  SessionInfoObject = zod_default.object({
+    id: schema("session"),
+    name: zod_default.string().optional(),
+    version: zod_default.string(),
+    targets: zod_default.array(zod_default.string()),
+    config: SessionConfigObject.optional(),
+    time: zod_default.object({
+      created: zod_default.number(),
+      updated: zod_default.number()
+    }),
+    rootPath: zod_default.string(),
+    logsPath: zod_default.string(),
+    findingsPath: zod_default.string(),
+    scratchpadPath: zod_default.string(),
+    pocsPath: zod_default.string()
+  });
+  RemoveInput = zod_default.object({
+    sessionId: schema("session")
+  });
+  RemoveMsgInput = zod_default.object({
+    sessionId: schema("session"),
+    messageId: schema("message")
+  });
+  sessions = {
+    getSessionRoot,
+    EXFIL_OUTCOME_GUIDANCE,
+    create: create2,
+    get,
+    remove: remove2,
+    loadOperatorState,
+    hasOperatorState,
+    getResumeMessages,
+    updateOperatorSettings,
+    updateSessionHeaders
+  };
+});
+
+// src/core/logger/index.ts
+import {
+  appendFileSync,
+  existsSync as existsSync2,
+  mkdirSync as mkdirSync2,
+  readFileSync as readFileSync2,
+  writeFileSync as writeFileSync2
+} from "fs";
+import os3 from "os";
+import path3 from "path";
+function pruneErrorLog() {
+  if (hasPruned)
+    return;
+  hasPruned = true;
+  try {
+    if (!existsSync2(ERROR_LOG_PATH))
+      return;
+    const cutoff = Date.now() - RETENTION_DAYS * 86400000;
+    const raw = readFileSync2(ERROR_LOG_PATH, "utf8");
+    const lines = raw.split(`
+`);
+    const kept = [];
+    let keeping = true;
+    for (const line of lines) {
+      const match = TIMESTAMP_RE.exec(line);
+      if (match) {
+        keeping = new Date(match[1]).getTime() >= cutoff;
+      }
+      if (keeping) {
+        kept.push(line);
+      }
+    }
+    writeFileSync2(ERROR_LOG_PATH, kept.join(`
+`), "utf8");
+  } catch {}
+}
+function writeErrorLog(error, source, fields) {
+  try {
+    pruneErrorLog();
+    const dir = path3.dirname(ERROR_LOG_PATH);
+    if (!existsSync2(dir)) {
+      mkdirSync2(dir, { recursive: true });
+    }
+    const timestamp = new Date().toISOString();
+    const tag = source ? `[${source}] ` : "";
+    const message = error instanceof Error ? `${error.message}
+${error.stack ?? ""}` : String(error);
+    let fieldsStr = "";
+    if (fields && Object.keys(fields).length > 0) {
+      try {
+        fieldsStr = ` ${JSON.stringify(fields)}`;
+      } catch {}
+    }
+    const entry = `${timestamp} - [ERROR] ${tag}${message}${fieldsStr}
+`;
+    appendFileSync(ERROR_LOG_PATH, entry, "utf8");
+  } catch {}
+}
+var ERROR_LOG_PATH, RETENTION_DAYS = 7, TIMESTAMP_RE, hasPruned = false;
+var init_logger = __esm(() => {
+  init_session();
+  init_structured();
+  ERROR_LOG_PATH = path3.join(os3.homedir(), ".pensar", "error.log");
+  TIMESTAMP_RE = /^(\d{4}-\d{2}-\d{2}T[\d:.]+Z) - /;
+});
+
+// src/core/logger/structured.ts
+function isLevel(v) {
+  return typeof v === "string" && VALID_LEVELS.has(v);
+}
+function resolveInitialLevel(env) {
+  const explicit = env.PENSAR_LOG_LEVEL?.trim().toUpperCase();
+  if (isLevel(explicit))
+    return explicit;
+  const debug = env.PENSAR_DEBUG?.toLowerCase();
+  if (debug === "1" || debug === "true")
+    return "DEBUG";
+  return "INFO";
+}
+function resolveFormat(env) {
+  const forced = env.PENSAR_LOG_FORMAT?.toLowerCase();
+  if (forced === "json" || forced === "pretty")
+    return forced;
+  return process.stderr.isTTY ? "pretty" : "json";
+}
+
+class Logger {
+  level;
+  explicit = false;
+  scope;
+  constructor(scope, level) {
+    this.scope = scope;
+    this.level = level ?? resolveInitialLevel(process.env);
+  }
+  setLevel(level) {
+    this.level = level;
+    this.explicit = true;
+  }
+  getLevel() {
+    return this.level;
+  }
+  child(scope) {
+    const next = this.scope ? `${this.scope}:${scope}` : scope;
+    const child = new Logger(next, this.level);
+    if (this.explicit)
+      child.setLevel(this.level);
+    return child;
+  }
+  debug(msg, fields) {
+    this.emit("DEBUG", msg, fields);
+  }
+  info(msg, fields) {
+    this.emit("INFO", msg, fields);
+  }
+  warn(msg, fields) {
+    this.emit("WARN", msg, fields);
+  }
+  error(msg, errOrFields, fields) {
+    let err;
+    let extra;
+    if (errOrFields instanceof Error) {
+      err = errOrFields;
+      extra = fields;
+    } else if (errOrFields && typeof errOrFields === "object") {
+      extra = errOrFields;
+    }
+    const merged = { ...extra };
+    if (err) {
+      merged.error = err.message;
+      if (err.stack)
+        merged.stack = err.stack;
+    }
+    this.emit("ERROR", msg, merged);
+    if (this.level !== "SILENT") {
+      writeErrorLog(err ?? msg, this.scope, extra);
+    }
+  }
+  emit(level, msg, fields) {
+    if (SEVERITY[level] < SEVERITY[this.level])
+      return;
+    const ts = new Date().toISOString();
+    const format = resolveFormat(process.env);
+    const line = format === "json" ? this.formatJson(ts, level, msg, fields) : this.formatPretty(ts, level, msg, fields);
+    process.stderr.write(`${line}
+`);
+  }
+  formatJson(ts, level, msg, fields) {
+    const record = { ts, level, msg };
+    if (this.scope)
+      record.scope = this.scope;
+    if (fields) {
+      for (const [k, v] of Object.entries(fields)) {
+        if (k !== "ts" && k !== "level" && k !== "msg" && k !== "scope") {
+          record[k] = v;
+        }
+      }
+    }
+    return safeStringify(record);
+  }
+  formatPretty(ts, level, msg, fields) {
+    const color = COLORS[level];
+    const tag = `${color}${level.padEnd(5)}${RESET}`;
+    const scope = this.scope ? ` ${DIM}[${this.scope}]${RESET}` : "";
+    let rest = "";
+    if (fields && Object.keys(fields).length > 0) {
+      rest = ` ${DIM}${safeStringify(fields)}${RESET}`;
+    }
+    return `${DIM}${ts}${RESET} ${tag}${scope} ${msg}${rest}`;
+  }
+}
+function safeStringify(value) {
+  try {
+    return JSON.stringify(value);
+  } catch {
+    return JSON.stringify({ msg: "[unserializable log payload]" });
+  }
+}
+function createLogger(scope) {
+  return new Logger(scope);
+}
+var SEVERITY, VALID_LEVELS, COLORS, RESET = "\x1B[0m", DIM = "\x1B[2m", logger;
+var init_structured = __esm(() => {
+  init_logger();
+  SEVERITY = {
+    DEBUG: 10,
+    INFO: 20,
+    WARN: 30,
+    ERROR: 40,
+    SILENT: 50
+  };
+  VALID_LEVELS = new Set([
+    "DEBUG",
+    "INFO",
+    "WARN",
+    "ERROR",
+    "SILENT"
+  ]);
+  COLORS = {
+    DEBUG: "\x1B[90m",
+    INFO: "\x1B[36m",
+    WARN: "\x1B[33m",
+    ERROR: "\x1B[31m",
+    SILENT: ""
+  };
+  logger = new Logger;
+});
+
 // src/core/ai/providers/pensarFormatters.ts
 function convertToBedrockFormat(modelId, options) {
   if (modelId.includes("anthropic.claude")) {
@@ -43139,11 +44573,9 @@ async function* parseSSE(stream, options = {}) {
           clearTimeout(timeoutId);
       }
       if (result.done) {
-        if (DEBUG) {
-          console.error(`[parseSSE] stream done: ${chunkCount} chunks, ${totalBytes} bytes, ${eventCount} events yielded, remaining buffer=${buffer.length} chars`);
-          if (buffer.length > 0) {
-            console.error(`[parseSSE] remaining buffer: ${buffer.slice(0, 500)}`);
-          }
+        log2.debug(`stream done: ${chunkCount} chunks, ${totalBytes} bytes, ${eventCount} events yielded, remaining buffer=${buffer.length} chars`);
+        if (buffer.length > 0) {
+          log2.debug(`remaining buffer: ${buffer.slice(0, 500)}`);
         }
         break;
       }
@@ -43151,8 +44583,8 @@ async function* parseSSE(stream, options = {}) {
       chunkCount++;
       totalBytes += value.byteLength;
       const decoded = decoder.decode(value, { stream: true });
-      if (DEBUG && chunkCount <= 3) {
-        console.error(`[parseSSE] chunk #${chunkCount}: ${value.byteLength} bytes, preview: ${decoded.slice(0, 200)}`);
+      if (chunkCount <= 3) {
+        log2.debug(`chunk #${chunkCount}: ${value.byteLength} bytes, preview: ${decoded.slice(0, 200)}`);
       }
       buffer += decoded;
       const lines = buffer.split(`
@@ -43177,34 +44609,38 @@ async function* parseSSE(stream, options = {}) {
     }
     if (currentData.length > 0) {
       eventCount++;
-      if (DEBUG)
-        console.error(`[parseSSE] flushing final event: ${currentEvent}`);
+      log2.debug(`flushing final event: ${currentEvent}`);
       yield { event: currentEvent, data: currentData.join(`
 `) };
     }
     if (eventCount === 0) {
-      console.error(`[parseSSE] WARNING: stream ended with 0 events! totalBytes=${totalBytes}, chunks=${chunkCount}`);
+      log2.warn(`stream ended with 0 events! totalBytes=${totalBytes}, chunks=${chunkCount}`);
     }
   } finally {
     reader.releaseLock();
   }
 }
-var DEBUG;
+var log2;
 var init_pensarSSE = __esm(() => {
-  DEBUG = process.env.PENSAR_DEBUG === "1" || process.env.PENSAR_DEBUG === "true";
+  init_structured();
+  init_lazyLogger();
+  log2 = scopedLogger(() => createLogger("pensarSSE"));
 });
 
 // src/core/ai/providers/pensar.ts
-function log(...args) {
-  if (DEBUG2)
-    console.error("[pensar:debug]", ...args);
+function fmtArgs(args) {
+  return args.map((a) => typeof a === "string" ? a : JSON.stringify(a)).join(" ");
+}
+function log3(...args) {
+  structuredLog.debug(fmtArgs(args));
 }
 function logInfo(...args) {
-  if (DEBUG2)
-    console.error("[pensar]", ...args);
+  structuredLog.debug(fmtArgs(args));
 }
 function logError(...args) {
-  console.error("[pensar:error]", ...args);
+  const err = args.find((a) => a instanceof Error);
+  const msg = fmtArgs(args.filter((a) => !(a instanceof Error)));
+  structuredLog.error(msg, err);
 }
 function createPensarModel(bedrockModelId, config2) {
   const modelId = `pensar:${bedrockModelId}`;
@@ -43220,14 +44656,14 @@ function createPensarModel(bedrockModelId, config2) {
         throw new Error("Pensar authentication failed. Run /login to reconnect.");
       }
       headers.Authorization = `Bearer ${result.token.slice(0, 12)}…`;
-      log(`  auth: ${result.type} token (${result.token.length} chars)`);
+      log3(`  auth: ${result.type} token (${result.token.length} chars)`);
       if (config2.workspaceId) {
         headers["X-Workspace-Id"] = config2.workspaceId;
       }
       headers.Authorization = `Bearer ${result.token}`;
     } else {
       headers.Authorization = `Bearer ${config2.apiKey}`;
-      log(`  auth: apiKey (${config2.apiKey.length} chars)`);
+      log3(`  auth: apiKey (${config2.apiKey.length} chars)`);
       if (config2.workspaceId && !config2.apiKey.startsWith("sk-")) {
         headers["X-Workspace-Id"] = config2.workspaceId;
       }
@@ -43336,7 +44772,7 @@ function createPensarModel(bedrockModelId, config2) {
       const body = convertToBedrockFormat(bedrockModelId, options);
       const url = `${config2.baseUrl}/gateway/invoke`;
       logInfo(`doStream → ${bedrockModelId} (${url})`);
-      log(`  messages: ${body.messages?.length ?? 0}, tools: ${body.tools?.length ?? 0}`);
+      log3(`  messages: ${body.messages?.length ?? 0}, tools: ${body.tools?.length ?? 0}`);
       const startTime = Date.now();
       const serializedBody = JSON.stringify({
         modelId: bedrockModelId,
@@ -43349,7 +44785,7 @@ function createPensarModel(bedrockModelId, config2) {
         headers["X-Pensar-Timestamp"] = sig.timestamp;
         headers["X-Pensar-Nonce"] = sig.nonce;
       }
-      log(`  headers: ${Object.keys(headers).join(", ")}`);
+      log3(`  headers: ${Object.keys(headers).join(", ")}`);
       const fetchSignal = buildStreamingFetchSignal(options.abortSignal);
       let response;
       try {
@@ -43426,10 +44862,10 @@ function createPensarModel(bedrockModelId, config2) {
               try {
                 parsed = JSON.parse(sse.data);
               } catch {
-                log(`  SSE event #${eventCount}: unparseable data, skipping`);
+                log3(`  SSE event #${eventCount}: unparseable data, skipping`);
                 continue;
               }
-              log(`  SSE event #${eventCount}: ${sse.event} (type=${parsed.type})`);
+              log3(`  SSE event #${eventCount}: ${sse.event} (type=${parsed.type})`);
               if (sse.event === "error") {
                 const msg = parsed.error ?? "Unknown streaming error";
                 logError(`  SSE error event: ${msg}`);
@@ -43438,7 +44874,7 @@ function createPensarModel(bedrockModelId, config2) {
               }
               if (sse.event === "pensar:usage") {
                 if (parsed.totalCost != null) {
-                  log(`  cost: $${Number(parsed.totalCost).toFixed(6)}`);
+                  log3(`  cost: $${Number(parsed.totalCost).toFixed(6)}`);
                 }
                 continue;
               }
@@ -43625,13 +45061,15 @@ function mapStopReason(reason) {
       return "other";
   }
 }
-var DEBUG2;
+var structuredLog;
 var init_pensar2 = __esm(() => {
+  init_structured();
+  init_lazyLogger();
   init_utils();
   init_pensarFormatters();
   init_pensarSigning();
   init_pensarSSE();
-  DEBUG2 = process.env.PENSAR_DEBUG === "1" || process.env.PENSAR_DEBUG === "true";
+  structuredLog = scopedLogger(() => createLogger("pensar"));
 });
 
 // src/core/ai/utils.ts
@@ -43735,9 +45173,7 @@ function getProviderModel(model, authConfig) {
       }
       const gatewayUrl = authConfig?.gatewayUrl || getPensarGatewayUrl();
       const bedrockModelId = model.startsWith("pensar:") ? model.slice(7) : model;
-      if (process.env.PENSAR_DEBUG === "1" || process.env.PENSAR_DEBUG === "true") {
-        console.log(`[pensar] getProviderModel: ${model} → bedrock:${bedrockModelId} via ${gatewayUrl}`);
-      }
+      log4.debug(`getProviderModel: ${model} → bedrock:${bedrockModelId} via ${gatewayUrl}`);
       const modelConfig = {
         apiKey: pensarApiKey || authConfig?.accessToken || "",
         baseUrl: gatewayUrl,
@@ -43954,7 +45390,7 @@ function createSummarizationStream(messages, opts, model) {
     }
   };
 }
-var STREAMING_FETCH_TIMEOUT_MS;
+var log4, STREAMING_FETCH_TIMEOUT_MS;
 var init_utils = __esm(() => {
   init_dist6();
   init_dist7();
@@ -43966,11 +45402,14 @@ var init_utils = __esm(() => {
   init_constants();
   init_auth();
   init_config();
+  init_structured();
+  init_lazyLogger();
   init_ai();
   init_contextManagement();
   init_models();
   init_pensar2();
+  log4 = scopedLogger(() => createLogger("ai:utils"));
   STREAMING_FETCH_TIMEOUT_MS = 15 * 60 * 1000;
 });
 
-export { stepCountIs, hasToolCall, init_dist4 as init_dist, getApexTracer, init_observability, AVAILABLE_MODELS, init_models, require_tslib, buildAuthConfig, init_utils, DEFAULT_OPENAI_REASONING_EFFORT, modelSupportsThinking, modelSupportsOpenAIReasoning, getOpenAIReasoningEfforts, streamResponse, generateObjectResponse, init_ai };
+export { stepCountIs, hasToolCall, init_dist4 as init_dist, AVAILABLE_MODELS, init_models, require_tslib, scopedLogger, init_lazyLogger, buildAuthConfig, init_utils, init_ai2 as init_ai, generateRandomName, generateSessionName, init_name, CredentialManager, init_credentials, schema, descending, init_id, RateLimiter, init_rateLimiter, NotFoundError, write2 as write, createDir, writeRaw, read2 as read, update, list, init_storage, ToolsetStateSchema, init_toolset, create2 as create, list2 as list1, normalizeMessages, sessions, init_session, writeErrorLog, init_logger, createLogger, logger, init_structured, getApexTracer, init_observability, DEFAULT_OPENAI_REASONING_EFFORT, modelSupportsThinking, modelSupportsOpenAIReasoning, getOpenAIReasoningEfforts, streamResponse, generateObjectResponse, init_ai as init_ai1 };