@pensar/apex 2.0.1-canary.dbd5280d → 2.0.2-canary.9e4e15cf

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (52) hide show
  1. package/build/{agent-hkmr0qfx.js → agent-1jp62njk.js} +9 -9
  2. package/build/{agent-gcbmtsg9.js → agent-1zfxfgfr.js} +7 -7
  3. package/build/agent-ssm6x6qs.js +19 -0
  4. package/build/{apps-601zgmmv.js → apps-2qd57k2z.js} +15 -15
  5. package/build/{auth-qamrjg7b.js → auth-bwb51krx.js} +15 -15
  6. package/build/authentication-3p84dzrr.js +19 -0
  7. package/build/blackboxAgent-dn68r23n.js +19 -0
  8. package/build/{blackboxPentest-3xntxqze.js → blackboxPentest-txe2h6h0.js} +13 -13
  9. package/build/{cli-pza9qman.js → cli-0t1j4jh4.js} +8 -7
  10. package/build/{cli-6t3awh0r.js → cli-3n78e7hs.js} +3 -3
  11. package/build/{cli-as7ewckw.js → cli-8pw332mm.js} +1 -1
  12. package/build/{cli-q4n0b0zg.js → cli-dk63pna5.js} +4 -4
  13. package/build/{cli-12de9asy.js → cli-e450tvx3.js} +7 -7
  14. package/build/{cli-m7b8jyvv.js → cli-jd0bfde5.js} +2 -2
  15. package/build/{cli-14nwkt3h.js → cli-jh6k2m9z.js} +2 -2
  16. package/build/{cli-srghpenw.js → cli-kj5vjbnd.js} +1 -1
  17. package/build/{cli-36r75bvs.js → cli-kxpba6jy.js} +1 -1
  18. package/build/{cli-q1ttngwf.js → cli-nc2yvszh.js} +1 -1
  19. package/build/{cli-xjc8ep0h.js → cli-p904s2yj.js} +1 -1
  20. package/build/{cli-cnkxk6kf.js → cli-ppq4kh08.js} +3 -3
  21. package/build/{cli-bhmpwat8.js → cli-qdh225p7.js} +277 -214
  22. package/build/{cli-p34rdn2x.js → cli-w1nb1y6h.js} +1 -1
  23. package/build/{cli-yzztbwfa.js → cli-xcr4rax4.js} +4 -4
  24. package/build/{cli-mxcapapb.js → cli-za4t23gh.js} +2 -2
  25. package/build/cli.js +40 -39
  26. package/build/{config-qdm0m88x.js → config-6s6jsd2a.js} +3 -3
  27. package/build/{doctor-te0xfdq5.js → doctor-yh7zdmgt.js} +6 -6
  28. package/build/{fixes-zqtk4q1r.js → fixes-0xebnr67.js} +15 -15
  29. package/build/{index-5f7cdm8x.js → index-k3f1hxpe.js} +17 -17
  30. package/build/{index-dg9804xb.js → index-kjky8ack.js} +9 -9
  31. package/build/{index-nhdd1s9z.js → index-qfveae0v.js} +4 -4
  32. package/build/{index-p32qwcq9.js → index-ss31xhpj.js} +2 -2
  33. package/build/{index-hxax0a5k.js → index-t3rffyf8.js} +3 -3
  34. package/build/{index-3ygs5dqm.js → index-w81kvhhz.js} +8 -8
  35. package/build/{index-wb8v5f26.js → index-zgr0dv9e.js} +6 -6
  36. package/build/{issues-3m0ed3ze.js → issues-zjybm91e.js} +15 -15
  37. package/build/{logs-p1qnh0kn.js → logs-t0vtg96a.js} +15 -15
  38. package/build/{offesecAgent-ksqj0bte.js → offesecAgent-kfjetqzw.js} +8 -8
  39. package/build/pentest-043y2x03.js +28 -0
  40. package/build/{pentests-fhpdhh5x.js → pentests-h2mk21aq.js} +15 -15
  41. package/build/{targetedPentest-pf75bvhk.js → targetedPentest-m6k9nde8.js} +9 -9
  42. package/build/{targets-484ww2a3.js → targets-pknexde1.js} +15 -15
  43. package/build/threatModel-mb9340cz.js +26 -0
  44. package/build/{uninstall-n7mjsbc4.js → uninstall-bnamn9pn.js} +1 -1
  45. package/build/{upload-xc7ttqjq.js → upload-xrbxx4hz.js} +6 -6
  46. package/build/{utils-kjbrmka8.js → utils-6e1wgez0.js} +5 -5
  47. package/package.json +8 -7
  48. package/build/agent-vnhgzmm9.js +0 -19
  49. package/build/authentication-ee80ydxj.js +0 -19
  50. package/build/blackboxAgent-yyjvgxwd.js +0 -19
  51. package/build/pentest-9q2g54yy.js +0 -28
  52. package/build/threatModel-hmnjg3d6.js +0 -26
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  detectOSAndEnhancePrompt
3
- } from "./cli-p34rdn2x.js";
3
+ } from "./cli-w1nb1y6h.js";
4
4
  import {
5
5
  parseTargetUrl
6
6
  } from "./cli-c8131c4q.js";
@@ -26,14 +26,14 @@ import {
26
26
  scopedLogger,
27
27
  streamResponse,
28
28
  write
29
- } from "./cli-q4n0b0zg.js";
29
+ } from "./cli-dk63pna5.js";
30
30
  import {
31
31
  ensureValidToken,
32
32
  getPensarApiUrl,
33
33
  init_auth,
34
34
  init_constants,
35
35
  signGatewayRequest
36
- } from "./cli-xjc8ep0h.js";
36
+ } from "./cli-p904s2yj.js";
37
37
  import {
38
38
  _enum,
39
39
  _null,
@@ -64,7 +64,7 @@ import {
64
64
  import {
65
65
  config,
66
66
  init_config
67
- } from "./cli-36r75bvs.js";
67
+ } from "./cli-kxpba6jy.js";
68
68
  import {
69
69
  __commonJS,
70
70
  __require,
@@ -42486,8 +42486,8 @@ var require_core3 = __commonJS((exports) => {
42486
42486
  function many1(p) {
42487
42487
  return ab(p, many(p), (head, tail) => [head, ...tail]);
42488
42488
  }
42489
- function ab(pa, pb, join13) {
42490
- return (data, i) => mapOuter(pa(data, i), (ma) => mapInner(pb(data, ma.position), (vb, j) => join13(ma.value, vb, data, i, j)));
42489
+ function ab(pa, pb, join14) {
42490
+ return (data, i) => mapOuter(pa(data, i), (ma) => mapInner(pb(data, ma.position), (vb, j) => join14(ma.value, vb, data, i, j)));
42491
42491
  }
42492
42492
  function left(pa, pb) {
42493
42493
  return ab(pa, pb, (va) => va);
@@ -42495,8 +42495,8 @@ var require_core3 = __commonJS((exports) => {
42495
42495
  function right(pa, pb) {
42496
42496
  return ab(pa, pb, (va, vb) => vb);
42497
42497
  }
42498
- function abc(pa, pb, pc, join13) {
42499
- return (data, i) => mapOuter(pa(data, i), (ma) => mapOuter(pb(data, ma.position), (mb) => mapInner(pc(data, mb.position), (vc, j) => join13(ma.value, mb.value, vc, data, i, j))));
42498
+ function abc(pa, pb, pc, join14) {
42499
+ return (data, i) => mapOuter(pa(data, i), (ma) => mapOuter(pb(data, ma.position), (mb) => mapInner(pc(data, mb.position), (vc, j) => join14(ma.value, mb.value, vc, data, i, j))));
42500
42500
  }
42501
42501
  function middle(pa, pb, pc) {
42502
42502
  return abc(pa, pb, pc, (ra, rb) => rb);
@@ -71179,7 +71179,7 @@ var require_thread_stream = __commonJS((exports, module) => {
71179
71179
  var { version } = require_package5();
71180
71180
  var { EventEmitter: EventEmitter2 } = __require("events");
71181
71181
  var { Worker } = __require("worker_threads");
71182
- var { join: join13 } = __require("path");
71182
+ var { join: join14 } = __require("path");
71183
71183
  var { pathToFileURL } = __require("url");
71184
71184
  var { wait } = require_wait();
71185
71185
  var {
@@ -71215,7 +71215,7 @@ var require_thread_stream = __commonJS((exports, module) => {
71215
71215
  function createWorker(stream, opts) {
71216
71216
  const { filename, workerData } = opts;
71217
71217
  const bundlerOverrides = "__bundlerPathsOverrides" in globalThis ? globalThis.__bundlerPathsOverrides : {};
71218
- const toExecute = bundlerOverrides["thread-stream-worker"] || join13(__dirname, "lib", "worker.js");
71218
+ const toExecute = bundlerOverrides["thread-stream-worker"] || join14(__dirname, "lib", "worker.js");
71219
71219
  const worker = new Worker(toExecute, {
71220
71220
  ...opts.workerOpts,
71221
71221
  trackUnmanagedFds: false,
@@ -71601,10 +71601,10 @@ var require_thread_stream = __commonJS((exports, module) => {
71601
71601
  // node_modules/pino/lib/transport.js
71602
71602
  var require_transport = __commonJS((exports, module) => {
71603
71603
  var __dirname = "/home/runner/work/apex/apex/node_modules/pino/lib";
71604
- var { createRequire: createRequire2 } = __require("module");
71604
+ var { createRequire: createRequire3 } = __require("module");
71605
71605
  var { existsSync: existsSync9 } = __require("node:fs");
71606
71606
  var getCallers = require_caller();
71607
- var { join: join13, isAbsolute: isAbsolute2, sep } = __require("node:path");
71607
+ var { join: join14, isAbsolute: isAbsolute2, sep } = __require("node:path");
71608
71608
  var { fileURLToPath } = __require("node:url");
71609
71609
  var sleep = require_atomic_sleep();
71610
71610
  var onExit = require_on_exit_leak_free();
@@ -71757,7 +71757,7 @@ var require_transport = __commonJS((exports, module) => {
71757
71757
  throw new Error("only one of target or targets can be specified");
71758
71758
  }
71759
71759
  if (targets) {
71760
- target = bundlerOverrides["pino-worker"] || join13(__dirname, "worker.js");
71760
+ target = bundlerOverrides["pino-worker"] || join14(__dirname, "worker.js");
71761
71761
  options.targets = targets.filter((dest) => dest.target).map((dest) => {
71762
71762
  return {
71763
71763
  ...dest,
@@ -71774,7 +71774,7 @@ var require_transport = __commonJS((exports, module) => {
71774
71774
  });
71775
71775
  });
71776
71776
  } else if (pipeline2) {
71777
- target = bundlerOverrides["pino-worker"] || join13(__dirname, "worker.js");
71777
+ target = bundlerOverrides["pino-worker"] || join14(__dirname, "worker.js");
71778
71778
  options.pipelines = [pipeline2.map((dest) => {
71779
71779
  return {
71780
71780
  ...dest,
@@ -71797,13 +71797,13 @@ var require_transport = __commonJS((exports, module) => {
71797
71797
  return origin;
71798
71798
  }
71799
71799
  if (origin === "pino/file") {
71800
- return join13(__dirname, "..", "file.js");
71800
+ return join14(__dirname, "..", "file.js");
71801
71801
  }
71802
71802
  let fixTarget2;
71803
71803
  for (const filePath of callers) {
71804
71804
  try {
71805
71805
  const context = filePath === "node:repl" ? process.cwd() + sep : filePath;
71806
- fixTarget2 = createRequire2(context).resolve(origin);
71806
+ fixTarget2 = createRequire3(context).resolve(origin);
71807
71807
  break;
71808
71808
  } catch (err) {
71809
71809
  continue;
@@ -72726,7 +72726,7 @@ var require_safe_stable_stringify = __commonJS((exports, module) => {
72726
72726
  return circularValue;
72727
72727
  }
72728
72728
  let res = "";
72729
- let join13 = ",";
72729
+ let join14 = ",";
72730
72730
  const originalIndentation = indentation;
72731
72731
  if (Array.isArray(value)) {
72732
72732
  if (value.length === 0) {
@@ -72740,7 +72740,7 @@ var require_safe_stable_stringify = __commonJS((exports, module) => {
72740
72740
  indentation += spacer;
72741
72741
  res += `
72742
72742
  ${indentation}`;
72743
- join13 = `,
72743
+ join14 = `,
72744
72744
  ${indentation}`;
72745
72745
  }
72746
72746
  const maximumValuesToStringify = Math.min(value.length, maximumBreadth);
@@ -72748,13 +72748,13 @@ ${indentation}`;
72748
72748
  for (;i < maximumValuesToStringify - 1; i++) {
72749
72749
  const tmp2 = stringifyFnReplacer(String(i), value, stack, replacer, spacer, indentation);
72750
72750
  res += tmp2 !== undefined ? tmp2 : "null";
72751
- res += join13;
72751
+ res += join14;
72752
72752
  }
72753
72753
  const tmp = stringifyFnReplacer(String(i), value, stack, replacer, spacer, indentation);
72754
72754
  res += tmp !== undefined ? tmp : "null";
72755
72755
  if (value.length - 1 > maximumBreadth) {
72756
72756
  const removedKeys = value.length - maximumBreadth - 1;
72757
- res += `${join13}"... ${getItemCount(removedKeys)} not stringified"`;
72757
+ res += `${join14}"... ${getItemCount(removedKeys)} not stringified"`;
72758
72758
  }
72759
72759
  if (spacer !== "") {
72760
72760
  res += `
@@ -72775,7 +72775,7 @@ ${originalIndentation}`;
72775
72775
  let separator = "";
72776
72776
  if (spacer !== "") {
72777
72777
  indentation += spacer;
72778
- join13 = `,
72778
+ join14 = `,
72779
72779
  ${indentation}`;
72780
72780
  whitespace = " ";
72781
72781
  }
@@ -72789,13 +72789,13 @@ ${indentation}`;
72789
72789
  const tmp = stringifyFnReplacer(key2, value, stack, replacer, spacer, indentation);
72790
72790
  if (tmp !== undefined) {
72791
72791
  res += `${separator}${strEscape(key2)}:${whitespace}${tmp}`;
72792
- separator = join13;
72792
+ separator = join14;
72793
72793
  }
72794
72794
  }
72795
72795
  if (keyLength > maximumBreadth) {
72796
72796
  const removedKeys = keyLength - maximumBreadth;
72797
72797
  res += `${separator}"...":${whitespace}"${getItemCount(removedKeys)} not stringified"`;
72798
- separator = join13;
72798
+ separator = join14;
72799
72799
  }
72800
72800
  if (spacer !== "" && separator.length > 1) {
72801
72801
  res = `
@@ -72835,7 +72835,7 @@ ${originalIndentation}`;
72835
72835
  }
72836
72836
  const originalIndentation = indentation;
72837
72837
  let res = "";
72838
- let join13 = ",";
72838
+ let join14 = ",";
72839
72839
  if (Array.isArray(value)) {
72840
72840
  if (value.length === 0) {
72841
72841
  return "[]";
@@ -72848,7 +72848,7 @@ ${originalIndentation}`;
72848
72848
  indentation += spacer;
72849
72849
  res += `
72850
72850
  ${indentation}`;
72851
- join13 = `,
72851
+ join14 = `,
72852
72852
  ${indentation}`;
72853
72853
  }
72854
72854
  const maximumValuesToStringify = Math.min(value.length, maximumBreadth);
@@ -72856,13 +72856,13 @@ ${indentation}`;
72856
72856
  for (;i < maximumValuesToStringify - 1; i++) {
72857
72857
  const tmp2 = stringifyArrayReplacer(String(i), value[i], stack, replacer, spacer, indentation);
72858
72858
  res += tmp2 !== undefined ? tmp2 : "null";
72859
- res += join13;
72859
+ res += join14;
72860
72860
  }
72861
72861
  const tmp = stringifyArrayReplacer(String(i), value[i], stack, replacer, spacer, indentation);
72862
72862
  res += tmp !== undefined ? tmp : "null";
72863
72863
  if (value.length - 1 > maximumBreadth) {
72864
72864
  const removedKeys = value.length - maximumBreadth - 1;
72865
- res += `${join13}"... ${getItemCount(removedKeys)} not stringified"`;
72865
+ res += `${join14}"... ${getItemCount(removedKeys)} not stringified"`;
72866
72866
  }
72867
72867
  if (spacer !== "") {
72868
72868
  res += `
@@ -72875,7 +72875,7 @@ ${originalIndentation}`;
72875
72875
  let whitespace = "";
72876
72876
  if (spacer !== "") {
72877
72877
  indentation += spacer;
72878
- join13 = `,
72878
+ join14 = `,
72879
72879
  ${indentation}`;
72880
72880
  whitespace = " ";
72881
72881
  }
@@ -72884,7 +72884,7 @@ ${indentation}`;
72884
72884
  const tmp = stringifyArrayReplacer(key2, value[key2], stack, replacer, spacer, indentation);
72885
72885
  if (tmp !== undefined) {
72886
72886
  res += `${separator}${strEscape(key2)}:${whitespace}${tmp}`;
72887
- separator = join13;
72887
+ separator = join14;
72888
72888
  }
72889
72889
  }
72890
72890
  if (spacer !== "" && separator.length > 1) {
@@ -72941,20 +72941,20 @@ ${originalIndentation}`;
72941
72941
  indentation += spacer;
72942
72942
  let res2 = `
72943
72943
  ${indentation}`;
72944
- const join14 = `,
72944
+ const join15 = `,
72945
72945
  ${indentation}`;
72946
72946
  const maximumValuesToStringify = Math.min(value.length, maximumBreadth);
72947
72947
  let i = 0;
72948
72948
  for (;i < maximumValuesToStringify - 1; i++) {
72949
72949
  const tmp2 = stringifyIndent(String(i), value[i], stack, spacer, indentation);
72950
72950
  res2 += tmp2 !== undefined ? tmp2 : "null";
72951
- res2 += join14;
72951
+ res2 += join15;
72952
72952
  }
72953
72953
  const tmp = stringifyIndent(String(i), value[i], stack, spacer, indentation);
72954
72954
  res2 += tmp !== undefined ? tmp : "null";
72955
72955
  if (value.length - 1 > maximumBreadth) {
72956
72956
  const removedKeys = value.length - maximumBreadth - 1;
72957
- res2 += `${join14}"... ${getItemCount(removedKeys)} not stringified"`;
72957
+ res2 += `${join15}"... ${getItemCount(removedKeys)} not stringified"`;
72958
72958
  }
72959
72959
  res2 += `
72960
72960
  ${originalIndentation}`;
@@ -72970,16 +72970,16 @@ ${originalIndentation}`;
72970
72970
  return '"[Object]"';
72971
72971
  }
72972
72972
  indentation += spacer;
72973
- const join13 = `,
72973
+ const join14 = `,
72974
72974
  ${indentation}`;
72975
72975
  let res = "";
72976
72976
  let separator = "";
72977
72977
  let maximumPropertiesToStringify = Math.min(keyLength, maximumBreadth);
72978
72978
  if (isTypedArrayWithEntries(value)) {
72979
- res += stringifyTypedArray(value, join13, maximumBreadth);
72979
+ res += stringifyTypedArray(value, join14, maximumBreadth);
72980
72980
  keys = keys.slice(value.length);
72981
72981
  maximumPropertiesToStringify -= value.length;
72982
- separator = join13;
72982
+ separator = join14;
72983
72983
  }
72984
72984
  if (deterministic) {
72985
72985
  keys = sort(keys, comparator);
@@ -72990,13 +72990,13 @@ ${indentation}`;
72990
72990
  const tmp = stringifyIndent(key2, value[key2], stack, spacer, indentation);
72991
72991
  if (tmp !== undefined) {
72992
72992
  res += `${separator}${strEscape(key2)}: ${tmp}`;
72993
- separator = join13;
72993
+ separator = join14;
72994
72994
  }
72995
72995
  }
72996
72996
  if (keyLength > maximumBreadth) {
72997
72997
  const removedKeys = keyLength - maximumBreadth;
72998
72998
  res += `${separator}"...": "${getItemCount(removedKeys)} not stringified"`;
72999
- separator = join13;
72999
+ separator = join14;
73000
73000
  }
73001
73001
  if (separator !== "") {
73002
73002
  res = `
@@ -109378,8 +109378,46 @@ function isElectron() {
109378
109378
  init_dist();
109379
109379
  init_zod();
109380
109380
  import { existsSync as existsSync2, mkdirSync, writeFileSync as writeFileSync2 } from "fs";
109381
- import { createRequire } from "module";
109382
- import { dirname, join as join3 } from "path";
109381
+ import { createRequire as createRequire2 } from "module";
109382
+ import { dirname as dirname2, join as join4 } from "path";
109383
+
109384
+ // src/core/agents/offSecAgent/tools/camoufox.ts
109385
+ import { execFile } from "node:child_process";
109386
+ import { createRequire } from "node:module";
109387
+ import { dirname, join as join3 } from "node:path";
109388
+ import { promisify } from "node:util";
109389
+ var execFileAsync = promisify(execFile);
109390
+ var CAMOUFOX_OPTIONS = {
109391
+ humanize: true,
109392
+ block_webrtc: true
109393
+ };
109394
+ async function resolveCamoufoxLaunchOptions(headless) {
109395
+ const { launchOptions: camoufoxLaunchOptions } = await import("camoufox-js");
109396
+ return await camoufoxLaunchOptions({
109397
+ ...CAMOUFOX_OPTIONS,
109398
+ headless
109399
+ });
109400
+ }
109401
+ var ensurePromise = null;
109402
+ function ensureCamoufox(log) {
109403
+ if (!ensurePromise) {
109404
+ ensurePromise = (async () => {
109405
+ log?.("Provisioning Camoufox browser (first run downloads ~150MB; cached after)…");
109406
+ const require_ = createRequire(import.meta.url);
109407
+ const pkgPath = require_.resolve("camoufox-js/package.json");
109408
+ const fetchBin = join3(dirname(pkgPath), "dist", "__main__.js");
109409
+ await execFileAsync("node", [fetchBin, "fetch"], {
109410
+ timeout: 300000
109411
+ });
109412
+ })().catch((err) => {
109413
+ ensurePromise = null;
109414
+ throw err;
109415
+ });
109416
+ }
109417
+ return ensurePromise;
109418
+ }
109419
+
109420
+ // src/core/agents/offSecAgent/tools/playwrightMcp.ts
109383
109421
  var BrowserNavigateInput = exports_external.object({
109384
109422
  url: exports_external.string().describe("Full URL to navigate to"),
109385
109423
  toolCallDescription: exports_external.string().describe("Why you are navigating to this URL")
@@ -109495,6 +109533,7 @@ class PlaywrightMcpSession {
109495
109533
  viewportSize;
109496
109534
  extraHttpHeaders;
109497
109535
  mcpConfigPath = null;
109536
+ cachedCamouOptions = null;
109498
109537
  constructor(options = {}) {
109499
109538
  const { headless, userAgent, viewportSize, extraHttpHeaders } = options;
109500
109539
  this.headless = headless ?? defaultHeadless;
@@ -109504,12 +109543,25 @@ class PlaywrightMcpSession {
109504
109543
  this.extraHttpHeaders = headerSource && Object.keys(headerSource).length > 0 ? { ...headerSource } : undefined;
109505
109544
  }
109506
109545
  resetState() {
109546
+ this.cleanupConfigFile();
109507
109547
  this.mcpClient = null;
109508
109548
  this.mcpTransport = null;
109509
109549
  this.mcpProcess = null;
109510
109550
  this.connectionPromise = null;
109511
109551
  this.disconnecting = false;
109512
109552
  }
109553
+ cleanupConfigFile() {
109554
+ const configPath = this.mcpConfigPath;
109555
+ if (!configPath)
109556
+ return;
109557
+ this.mcpConfigPath = null;
109558
+ (async () => {
109559
+ try {
109560
+ const fsp = await import("fs/promises");
109561
+ await fsp.unlink(configPath);
109562
+ } catch {}
109563
+ })();
109564
+ }
109513
109565
  forceKillProcess(proc = this.mcpProcess) {
109514
109566
  if (!proc || proc.exitCode !== null)
109515
109567
  return;
@@ -109538,41 +109590,40 @@ class PlaywrightMcpSession {
109538
109590
  }
109539
109591
  this.connectionPromise = (async () => {
109540
109592
  try {
109541
- const require_ = createRequire(import.meta.url);
109593
+ const require_ = createRequire2(import.meta.url);
109542
109594
  const mcpPkgJsonPath = require_.resolve("@playwright/mcp/package.json");
109543
- const cliPath = join3(dirname(mcpPkgJsonPath), "cli.js");
109595
+ const cliPath = join4(dirname2(mcpPkgJsonPath), "cli.js");
109544
109596
  const args = [cliPath, "--isolated"];
109545
- if (this.headless) {
109546
- args.push("--headless");
109547
- }
109548
- if (this.userAgent) {
109549
- args.push("--user-agent", this.userAgent);
109550
- }
109551
- if (this.viewportSize) {
109552
- args.push(`--viewport-size=${this.viewportSize}`);
109553
- }
109554
- if (this.extraHttpHeaders) {
109555
- const os = await import("os");
109556
- const fsp = await import("fs/promises");
109557
- const cfg = {
109558
- browser: {
109559
- contextOptions: { extraHTTPHeaders: this.extraHttpHeaders }
109560
- }
109561
- };
109562
- this.mcpConfigPath = join3(os.tmpdir(), `pensar-mcp-${process.pid}-${Date.now()}.json`);
109563
- await fsp.writeFile(this.mcpConfigPath, JSON.stringify(cfg), {
109564
- encoding: "utf-8",
109565
- mode: 384
109566
- });
109567
- args.push("--config", this.mcpConfigPath);
109568
- }
109569
- if (process.getuid?.() === 0) {
109570
- args.push("--no-sandbox");
109571
- }
109597
+ await ensureCamoufox();
109598
+ if (!this.cachedCamouOptions) {
109599
+ this.cachedCamouOptions = await resolveCamoufoxLaunchOptions(this.headless);
109600
+ }
109601
+ const camou = this.cachedCamouOptions;
109602
+ const os = await import("os");
109603
+ const fsp = await import("fs/promises");
109604
+ const cfg = {
109605
+ browser: {
109606
+ browserName: "firefox",
109607
+ launchOptions: {
109608
+ executablePath: camou.executablePath,
109609
+ args: camou.args,
109610
+ firefoxUserPrefs: camou.firefoxUserPrefs,
109611
+ headless: camou.headless
109612
+ },
109613
+ ...this.extraHttpHeaders ? { contextOptions: { extraHTTPHeaders: this.extraHttpHeaders } } : {}
109614
+ }
109615
+ };
109616
+ this.mcpConfigPath = join4(os.tmpdir(), `pensar-mcp-${process.pid}-${Date.now()}.json`);
109617
+ await fsp.writeFile(this.mcpConfigPath, JSON.stringify(cfg), {
109618
+ encoding: "utf-8",
109619
+ mode: 384
109620
+ });
109621
+ args.push("--config", this.mcpConfigPath);
109572
109622
  const transport = new StdioClientTransport({
109573
109623
  command: "node",
109574
109624
  args,
109575
- stderr: "pipe"
109625
+ stderr: "pipe",
109626
+ env: Object.fromEntries(Object.entries(camou.env).map(([k, v]) => [k, String(v)]))
109576
109627
  });
109577
109628
  const client = new Client({
109578
109629
  name: "apex-browser-agent",
@@ -109627,16 +109678,7 @@ class PlaywrightMcpSession {
109627
109678
  ]);
109628
109679
  if (closeTimer)
109629
109680
  clearTimeout(closeTimer);
109630
- if (this.mcpConfigPath) {
109631
- const configPath = this.mcpConfigPath;
109632
- this.mcpConfigPath = null;
109633
- (async () => {
109634
- try {
109635
- const fsp = await import("fs/promises");
109636
- await fsp.unlink(configPath);
109637
- } catch {}
109638
- })();
109639
- }
109681
+ this.cleanupConfigFile();
109640
109682
  this.disconnecting = false;
109641
109683
  }
109642
109684
  isConnected() {
@@ -109960,8 +110002,8 @@ Target base URL: ${targetUrl}`,
109960
110002
  if (base64Data) {
109961
110003
  const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
109962
110004
  const screenshotFilename = `${filename}_${timestamp}.png`;
109963
- const screenshotPath = join3(evidenceDir, screenshotFilename);
109964
- const dir = dirname(screenshotPath);
110005
+ const screenshotPath = join4(evidenceDir, screenshotFilename);
110006
+ const dir = dirname2(screenshotPath);
109965
110007
  if (!existsSync2(dir)) {
109966
110008
  mkdirSync(dir, { recursive: true });
109967
110009
  }
@@ -110175,17 +110217,19 @@ The returned cookies can be formatted as a Cookie header for use with http_reque
110175
110217
  init_dist();
110176
110218
  init_zod();
110177
110219
  import { existsSync as existsSync3, mkdirSync as mkdirSync2, writeFileSync as writeFileSync3 } from "fs";
110178
- import { dirname as dirname2, join as join4 } from "path";
110220
+ import { dirname as dirname3, join as join5 } from "path";
110179
110221
  var SANDBOX_PW_DIR = "/opt/sandbox-playwright";
110180
110222
  var SANDBOX_EVIDENCE_DIR = "/tmp/evidence";
110181
110223
  var SANDBOX_REFS_FILE = "/tmp/pw-refs.json";
110182
110224
  var SANDBOX_URL_FILE = "/tmp/pw-current-url";
110183
110225
  var SANDBOX_CONSOLE_FILE = "/tmp/pw-console-log.json";
110226
+ var SANDBOX_CAMOU_CACHE = "/tmp/pw-camou-opts.json";
110184
110227
  var RESULT_START = "__PW_RESULT__";
110185
110228
  var RESULT_END = "__PW_END__";
110186
110229
  var installationCache = new WeakMap;
110230
+ var browserSetupCache = new WeakMap;
110187
110231
  async function checkSandboxPlaywright(sandbox) {
110188
- const script = `try{require("playwright");console.log("OK")}catch(e){process.exit(1)}`;
110232
+ const script = `(async()=>{try{const{launchPath}=await import("camoufox-js/dist/pkgman.js");require("playwright-core");if(!require("fs").existsSync(launchPath()))process.exit(1);console.log("OK")}catch(e){process.exit(1)}})()`;
110189
110233
  const b64 = Buffer.from(script).toString("base64");
110190
110234
  await sandbox.execute(`mkdir -p ${SANDBOX_PW_DIR} && echo "${b64}" | base64 -d > ${SANDBOX_PW_DIR}/pw_check.js`, { timeout: 10 });
110191
110235
  const result = await sandbox.execute(`node ${SANDBOX_PW_DIR}/pw_check.js`, {
@@ -110196,35 +110240,33 @@ async function checkSandboxPlaywright(sandbox) {
110196
110240
  async function installSandboxPlaywright(sandbox) {
110197
110241
  await sandbox.execute(`mkdir -p ${SANDBOX_PW_DIR}`, { timeout: 10 });
110198
110242
  const isAlpine = (await sandbox.execute("which apk", { timeout: 5 })).success;
110243
+ if (isAlpine) {
110244
+ throw new Error("Camoufox requires a glibc-based sandbox image (Debian/Ubuntu); Alpine/musl is unsupported.");
110245
+ }
110199
110246
  const initResult = await sandbox.execute(`cd ${SANDBOX_PW_DIR} && npm init -y --silent 2>/dev/null`, { timeout: 30 });
110200
110247
  if (!initResult.success) {
110201
110248
  throw new Error(`Failed to init npm project in sandbox: ${initResult.stderr || initResult.stdout}`);
110202
110249
  }
110203
- const npmInstallCmd = isAlpine ? `cd ${SANDBOX_PW_DIR} && PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1 npm install playwright 2>&1` : `cd ${SANDBOX_PW_DIR} && npm install playwright 2>&1`;
110204
- const installResult = await sandbox.execute(npmInstallCmd, { timeout: 300 });
110250
+ const installResult = await sandbox.execute(`cd ${SANDBOX_PW_DIR} && npm install camoufox-js@0.11.1 playwright-core@1.53.1 2>&1`, { timeout: 300 });
110205
110251
  if (!installResult.success) {
110206
- throw new Error(`Failed to install Playwright in sandbox: ${installResult.stderr || installResult.stdout}`);
110252
+ throw new Error(`Failed to install camoufox-js in sandbox: ${installResult.stderr || installResult.stdout}`);
110207
110253
  }
110208
- if (isAlpine) {
110209
- const apkResult = await sandbox.execute("apk add --no-cache chromium nss freetype harfbuzz ca-certificates ttf-freefont 2>&1", { timeout: 120 });
110210
- if (!apkResult.success) {
110211
- throw new Error(`Failed to install Chromium via apk: ${apkResult.stderr || apkResult.stdout}`);
110212
- }
110213
- } else {
110214
- await sandbox.execute(`(sudo rm -f /etc/apt/sources.list.d/yarn.list /etc/apt/sources.list.d/yarn.sources 2>/dev/null || rm -f /etc/apt/sources.list.d/yarn.list /etc/apt/sources.list.d/yarn.sources 2>/dev/null || true)`, { timeout: 10 });
110215
- let browserResult;
110216
- for (let attempt = 1;attempt <= 3; attempt++) {
110217
- browserResult = await sandbox.execute(`cd ${SANDBOX_PW_DIR} && npx playwright install chromium --with-deps 2>&1`, { timeout: 300 });
110218
- if (browserResult.success)
110219
- break;
110220
- if (attempt < 3) {
110221
- await new Promise((r) => setTimeout(r, 3000));
110222
- }
110223
- }
110224
- if (!browserResult.success) {
110225
- throw new Error(`Failed to install Chromium in sandbox: ${browserResult.stderr || browserResult.stdout}`);
110254
+ const depsResult = await sandbox.execute(`rm -f /etc/apt/sources.list.d/yarn.list /etc/apt/sources.list.d/yarn.sources 2>/dev/null; cd ${SANDBOX_PW_DIR} && npx playwright@1.53.1 install-deps firefox 2>&1`, { timeout: 300 });
110255
+ if (!depsResult.success) {
110256
+ throw new Error(`Failed to install Firefox system deps in sandbox: ${depsResult.stderr || depsResult.stdout}`);
110257
+ }
110258
+ let fetchResult;
110259
+ for (let attempt = 1;attempt <= 3; attempt++) {
110260
+ fetchResult = await sandbox.execute(`cd ${SANDBOX_PW_DIR} && node ./node_modules/camoufox-js/dist/__main__.js fetch 2>&1`, { timeout: 300 });
110261
+ if (fetchResult.success)
110262
+ break;
110263
+ if (attempt < 3) {
110264
+ await new Promise((r) => setTimeout(r, 3000));
110226
110265
  }
110227
110266
  }
110267
+ if (!fetchResult.success) {
110268
+ throw new Error(`Failed to fetch Camoufox in sandbox: ${fetchResult.stderr || fetchResult.stdout}`);
110269
+ }
110228
110270
  }
110229
110271
  async function ensureSandboxPlaywright(sandbox) {
110230
110272
  let cached = installationCache.get(sandbox);
@@ -110245,42 +110287,59 @@ async function ensureSandboxPlaywright(sandbox) {
110245
110287
  }
110246
110288
  }
110247
110289
  async function ensureSandboxBrowser(sandbox) {
110248
- await sandbox.execute(`mkdir -p ${SANDBOX_EVIDENCE_DIR} /tmp/pw-user-data`, {
110249
- timeout: 5
110250
- });
110290
+ await sandbox.execute(`rm -rf /tmp/pw-user-data ${SANDBOX_CAMOU_CACHE}; mkdir -p ${SANDBOX_EVIDENCE_DIR} /tmp/pw-user-data`, { timeout: 5 });
110251
110291
  }
110252
110292
  async function ensureSandboxReady(sandbox) {
110253
110293
  await ensureSandboxPlaywright(sandbox);
110254
- await ensureSandboxBrowser(sandbox);
110294
+ let cached = browserSetupCache.get(sandbox);
110295
+ if (!cached) {
110296
+ cached = ensureSandboxBrowser(sandbox);
110297
+ browserSetupCache.set(sandbox, cached);
110298
+ try {
110299
+ await cached;
110300
+ } catch (error) {
110301
+ browserSetupCache.delete(sandbox);
110302
+ throw error;
110303
+ }
110304
+ } else {
110305
+ await cached;
110306
+ }
110255
110307
  }
110256
110308
  async function runPlaywrightScript(sandbox, body, timeout = 60, extraHttpHeaders) {
110257
110309
  const headersJson = extraHttpHeaders && Object.keys(extraHttpHeaders).length > 0 ? JSON.stringify(extraHttpHeaders) : "null";
110258
110310
  const script = `
110259
- const { chromium } = require('playwright');
110311
+ const { firefox } = require('playwright-core');
110260
110312
  const fs = require('fs');
110261
110313
 
110262
110314
  (async () => {
110315
+ const { launchOptions } = await import('camoufox-js');
110263
110316
  function resolve(value) {
110264
110317
  process.stdout.write('${RESULT_START}' + JSON.stringify(value) + '${RESULT_END}');
110265
110318
  }
110266
110319
 
110267
- // Prefer system Chromium (Alpine apk install) over Playwright's bundled binary.
110268
- let executablePath;
110269
- for (const p of ['/usr/bin/chromium-browser', '/usr/bin/chromium']) {
110270
- try { fs.accessSync(p, fs.constants.X_OK); executablePath = p; break; } catch {}
110271
- }
110272
-
110273
110320
  // Resolved per script invocation so /headers mutations take effect
110274
110321
  // on the next browser tool call.
110275
110322
  const __extraHeaders = ${headersJson};
110276
110323
 
110324
+ // Use the sandbox's virtual display if one is present — Camoufox is far less
110325
+ // detectable headful. Falls back to plain headless, which is still fully
110326
+ // fingerprint-spoofed (just a weaker stealth posture, never vanilla Chromium).
110327
+ const __headless = process.env.DISPLAY ? false : true;
110328
+ // Resolve Camoufox options once per sandbox session and cache to disk so
110329
+ // every tool call presents the same fingerprint on the shared profile dir.
110330
+ let __camou;
110331
+ try {
110332
+ __camou = JSON.parse(fs.readFileSync('${SANDBOX_CAMOU_CACHE}', 'utf-8'));
110333
+ } catch {
110334
+ __camou = await launchOptions({ ...${JSON.stringify(CAMOUFOX_OPTIONS)}, headless: __headless });
110335
+ fs.writeFileSync('${SANDBOX_CAMOU_CACHE}', JSON.stringify(__camou));
110336
+ }
110337
+
110277
110338
  let context;
110278
110339
  const __consoleMessages = [];
110279
110340
  try {
110280
- context = await chromium.launchPersistentContext('/tmp/pw-user-data', {
110281
- headless: true,
110282
- ...(executablePath ? { executablePath } : {}),
110283
- args: ['--no-sandbox', '--disable-setuid-sandbox', '--disable-dev-shm-usage', '--disable-gpu'],
110341
+ context = await firefox.launchPersistentContext('/tmp/pw-user-data', {
110342
+ ...__camou,
110284
110343
  ...(__extraHeaders ? { extraHTTPHeaders: __extraHeaders } : {}),
110285
110344
  });
110286
110345
  const pages = context.pages();
@@ -110370,7 +110429,7 @@ var BrowserGetCookiesInput2 = exports_external.object({
110370
110429
  });
110371
110430
  function createSandboxBrowserTools(ctx) {
110372
110431
  const sandbox = ctx.sandbox;
110373
- const evidenceDir = join4(ctx.session.rootPath, "evidence");
110432
+ const evidenceDir = join5(ctx.session.rootPath, "evidence");
110374
110433
  const targetUrl = ctx.target ?? "";
110375
110434
  if (!existsSync3(evidenceDir)) {
110376
110435
  mkdirSync2(evidenceDir, { recursive: true });
@@ -110382,9 +110441,13 @@ function createSandboxBrowserTools(ctx) {
110382
110441
  }
110383
110442
  return setupPromise;
110384
110443
  }
110444
+ let scriptQueue = Promise.resolve();
110385
110445
  function runScript(body, timeout = 60) {
110386
110446
  const resolved = targetUrl ? resolveEffectiveHeaders(resolverSessionFromCtx(ctx), targetUrl) : ctx.session.config?.headers;
110387
- return runPlaywrightScript(sandbox, body, timeout, stripBrowserManagedHeaders(resolved));
110447
+ const headers = stripBrowserManagedHeaders(resolved);
110448
+ const next = scriptQueue.then(() => runPlaywrightScript(sandbox, body, timeout, headers));
110449
+ scriptQueue = next.then(() => {}, () => {});
110450
+ return next;
110388
110451
  }
110389
110452
  const browser_navigate = tool({
110390
110453
  description: `Navigate the browser to a URL to load and render a page.
@@ -110435,8 +110498,8 @@ Use this to document:
110435
110498
  resolve({ success: true, data: b64, sandboxPath: ${JSON.stringify(sandboxPath)} });
110436
110499
  `, 30);
110437
110500
  if (result.success && result.data) {
110438
- const localPath = join4(evidenceDir, screenshotFilename);
110439
- const dir = dirname2(localPath);
110501
+ const localPath = join5(evidenceDir, screenshotFilename);
110502
+ const dir = dirname3(localPath);
110440
110503
  if (!existsSync3(dir)) {
110441
110504
  mkdirSync2(dir, { recursive: true });
110442
110505
  }
@@ -110813,7 +110876,7 @@ The returned cookies can be formatted as a Cookie header for use with http_reque
110813
110876
  // src/core/agents/offSecAgent/tools/browserTools.ts
110814
110877
  init_dist();
110815
110878
  init_zod();
110816
- import { join as join5 } from "path";
110879
+ import { join as join6 } from "path";
110817
110880
  var BROWSER_TOOL_NAMES = [
110818
110881
  "browser_navigate",
110819
110882
  "browser_snapshot",
@@ -110825,7 +110888,7 @@ var BROWSER_TOOL_NAMES = [
110825
110888
  "browser_get_cookies"
110826
110889
  ];
110827
110890
  function createBrowserToolset(ctx) {
110828
- const tools = ctx.sandbox ? createSandboxBrowserTools(ctx) : createBrowserTools(ctx.target ?? "", join5(ctx.session.rootPath, "evidence"), "operator", undefined, ctx.abortSignal, undefined, undefined, undefined, ctx.browserSession);
110891
+ const tools = ctx.sandbox ? createSandboxBrowserTools(ctx) : createBrowserTools(ctx.target ?? "", join6(ctx.session.rootPath, "evidence"), "operator", undefined, ctx.abortSignal, undefined, undefined, undefined, ctx.browserSession);
110829
110892
  if (!ctx.credentialManager) {
110830
110893
  return tools;
110831
110894
  }
@@ -110951,7 +111014,7 @@ init_zod();
110951
111014
  init_structured();
110952
111015
  init_lazyLogger();
110953
111016
  import { existsSync as existsSync4, mkdirSync as mkdirSync3, writeFileSync as writeFileSync4 } from "fs";
110954
- import { join as join6 } from "path";
111017
+ import { join as join7 } from "path";
110955
111018
  var log = scopedLogger(() => createLogger("complete_authentication"));
110956
111019
  var AUTH_DIR = "auth";
110957
111020
  var AUTH_DATA_FILENAME = "auth-data.json";
@@ -110995,11 +111058,11 @@ This tool marks the end of the authentication flow.`,
110995
111058
  log.info(`Authentication complete: ${result.success ? "SUCCESS" : "FAILED"}`);
110996
111059
  let authDataPath;
110997
111060
  try {
110998
- const authDir = join6(ctx.session.rootPath, AUTH_DIR);
111061
+ const authDir = join7(ctx.session.rootPath, AUTH_DIR);
110999
111062
  if (!existsSync4(authDir)) {
111000
111063
  mkdirSync3(authDir, { recursive: true });
111001
111064
  }
111002
- authDataPath = join6(authDir, AUTH_DATA_FILENAME);
111065
+ authDataPath = join7(authDir, AUTH_DATA_FILENAME);
111003
111066
  const authData = {
111004
111067
  authenticated: result.success,
111005
111068
  strategy: result.strategy || "unknown",
@@ -111216,7 +111279,7 @@ function crawlAuthenticated(ctx) {
111216
111279
  init_dist();
111217
111280
  init_zod();
111218
111281
  import { writeFileSync as writeFileSync5 } from "fs";
111219
- import { join as join7 } from "path";
111282
+ import { join as join8 } from "path";
111220
111283
  function createAttackSurfaceReport(ctx) {
111221
111284
  return tool({
111222
111285
  description: `Provide attack surface analysis results to the orchestrator agent.
@@ -111242,7 +111305,7 @@ Call this at the END of your analysis with:
111242
111305
  toolCallDescription: exports_external.string().describe("A concise, human-readable description of what this tool call is doing")
111243
111306
  }),
111244
111307
  execute: async (results) => {
111245
- const resultsPath = join7(ctx.session.rootPath, "attack-surface-results.json");
111308
+ const resultsPath = join8(ctx.session.rootPath, "attack-surface-results.json");
111246
111309
  writeFileSync5(resultsPath, JSON.stringify(results, null, 2));
111247
111310
  return {
111248
111311
  success: true,
@@ -111261,7 +111324,7 @@ init_structured();
111261
111324
  init_lazyLogger();
111262
111325
  import { existsSync as existsSync5 } from "fs";
111263
111326
  import { mkdir, writeFile } from "fs/promises";
111264
- import { dirname as dirname3, isAbsolute, resolve } from "path";
111327
+ import { dirname as dirname4, isAbsolute, resolve } from "path";
111265
111328
  var log3 = scopedLogger(() => createLogger("create_file"));
111266
111329
  var createFileInputSchema = exports_external.object({
111267
111330
  path: exports_external.string().describe("Absolute or relative path for the new file"),
@@ -111305,7 +111368,7 @@ async function executeLocalCreate(filePath, content, overwrite) {
111305
111368
  path: filePath
111306
111369
  };
111307
111370
  }
111308
- const dir = dirname3(filePath);
111371
+ const dir = dirname4(filePath);
111309
111372
  log3.debug(`local: mkdir ${dir}`);
111310
111373
  await mkdir(dir, { recursive: true });
111311
111374
  log3.debug(`local: mkdir done, writing ${content.length} bytes`);
@@ -111339,7 +111402,7 @@ async function executeSandboxCreate(ctx, filePath, content, overwrite) {
111339
111402
  };
111340
111403
  }
111341
111404
  }
111342
- const dirPath = dirname3(filePath);
111405
+ const dirPath = dirname4(filePath);
111343
111406
  await ctx.sandbox.execute(`mkdir -p "${dirPath}"`);
111344
111407
  const base64Content = Buffer.from(content).toString("base64");
111345
111408
  const writeResult = await ctx.sandbox.execute(`echo "${base64Content}" | base64 -d > "${filePath}"`);
@@ -111370,16 +111433,16 @@ init_zod();
111370
111433
 
111371
111434
  // src/core/tasks/index.ts
111372
111435
  import { mkdirSync as mkdirSync4, readdirSync as readdirSync2, readFileSync, writeFileSync as writeFileSync6 } from "fs";
111373
- import { join as join8 } from "path";
111436
+ import { join as join9 } from "path";
111374
111437
  var HWM_FILENAME = "_hwm.json";
111375
111438
  function ensureDir(dir) {
111376
111439
  mkdirSync4(dir, { recursive: true });
111377
111440
  }
111378
111441
  function taskPath(tasksDir, id) {
111379
- return join8(tasksDir, `${id}.json`);
111442
+ return join9(tasksDir, `${id}.json`);
111380
111443
  }
111381
111444
  function hwmPath(tasksDir) {
111382
- return join8(tasksDir, HWM_FILENAME);
111445
+ return join9(tasksDir, HWM_FILENAME);
111383
111446
  }
111384
111447
  function readHighWaterMark(tasksDir) {
111385
111448
  try {
@@ -111452,7 +111515,7 @@ function listTasks(tasksDir, filter) {
111452
111515
  if (!file.endsWith(".json") || file === HWM_FILENAME)
111453
111516
  continue;
111454
111517
  try {
111455
- const raw = readFileSync(join8(tasksDir, file), "utf-8");
111518
+ const raw = readFileSync(join9(tasksDir, file), "utf-8");
111456
111519
  const task = JSON.parse(raw);
111457
111520
  if (filter?.status && task.status !== filter.status)
111458
111521
  continue;
@@ -111550,7 +111613,7 @@ init_dist();
111550
111613
  init_zod();
111551
111614
  init_credentials();
111552
111615
  import { writeFileSync as writeFileSync7 } from "fs";
111553
- import { join as join9 } from "path";
111616
+ import { join as join10 } from "path";
111554
111617
  init_structured();
111555
111618
  init_lazyLogger();
111556
111619
  var log4 = scopedLogger(() => createLogger("delegate_auth"));
@@ -111716,7 +111779,7 @@ When to use delegate_to_auth_subagent vs authenticate_session:
111716
111779
  if (credentials) {
111717
111780
  ctx.session.credentialManager.addFromAuthCredentials(credentials);
111718
111781
  }
111719
- const { runAuthenticationAgent } = await import("./authentication-ee80ydxj.js");
111782
+ const { runAuthenticationAgent } = await import("./authentication-3p84dzrr.js");
111720
111783
  const localBus = new AgentEventBus;
111721
111784
  AgentEventBus.attachChild(localBus, ctx.eventBus, subagentId);
111722
111785
  const result = await runAuthenticationAgent({
@@ -111735,7 +111798,7 @@ When to use delegate_to_auth_subagent vs authenticate_session:
111735
111798
  parentSubagentId: ctx.subagentId
111736
111799
  });
111737
111800
  if (result.success) {
111738
- const sessionInfoPath = join9(ctx.session.rootPath, "session-info.json");
111801
+ const sessionInfoPath = join10(ctx.session.rootPath, "session-info.json");
111739
111802
  const sessionInfo = {
111740
111803
  authenticated: true,
111741
111804
  username: username || "via_subagent",
@@ -111930,7 +111993,7 @@ function detectBarrier(bodyLower, statusCode) {
111930
111993
  init_dist();
111931
111994
  init_zod();
111932
111995
  import { existsSync as existsSync6, mkdirSync as mkdirSync5, writeFileSync as writeFileSync8 } from "fs";
111933
- import { join as join10 } from "path";
111996
+ import { join as join11 } from "path";
111934
111997
  function sanitizeName(name) {
111935
111998
  return name.toLowerCase().replace(/[^a-z0-9-_.]/g, "_");
111936
111999
  }
@@ -111969,7 +112032,7 @@ function validateDomainUrl(value) {
111969
112032
  }
111970
112033
  }
111971
112034
  function documentApp(ctx) {
111972
- const baseAppsPath = join10(ctx.session.rootPath, "apps");
112035
+ const baseAppsPath = join11(ctx.session.rootPath, "apps");
111973
112036
  return tool({
111974
112037
  description: `Document a discovered application during attack surface analysis.
111975
112038
 
@@ -112022,7 +112085,7 @@ Each application creates a JSON file in the apps directory for tracking and anal
112022
112085
  const sanitizedName = sanitizeName(input.appName);
112023
112086
  const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
112024
112087
  const filename = `app_${sanitizedName}_${timestamp}.json`;
112025
- const filepath = join10(baseAppsPath, filename);
112088
+ const filepath = join11(baseAppsPath, filename);
112026
112089
  const appRecord = {
112027
112090
  ...input,
112028
112091
  discoveredAt: new Date().toISOString(),
@@ -112046,7 +112109,7 @@ Each application creates a JSON file in the apps directory for tracking and anal
112046
112109
  init_dist();
112047
112110
  init_zod();
112048
112111
  import { existsSync as existsSync7, mkdirSync as mkdirSync6, writeFileSync as writeFileSync9 } from "fs";
112049
- import { join as join11 } from "path";
112112
+ import { join as join12 } from "path";
112050
112113
 
112051
112114
  // src/core/agents/specialized/attackSurface/blackboxRiskScoring.ts
112052
112115
  var RISK_LEVEL_BASE_SCORE = {
@@ -112396,7 +112459,7 @@ async function generateThreatModelForEndpoint(ctx, input) {
112396
112459
  return threatModelLimiter(async () => {
112397
112460
  if (ctx.abortSignal?.aborted)
112398
112461
  return null;
112399
- const { CodeAgent } = await import("./agent-vnhgzmm9.js");
112462
+ const { CodeAgent } = await import("./agent-ssm6x6qs.js");
112400
112463
  const subagentId = `threat-model-${sanitize(input.appName)}-${sanitize(input.routePath)}`;
112401
112464
  ctx.eventBus?.emit("subagent-spawn", {
112402
112465
  subagentId,
@@ -112704,7 +112767,7 @@ var documentEndpointInputSchema = exports_external.object({
112704
112767
  toolCallDescription: exports_external.string().describe("A concise, human-readable description of what this tool call is doing")
112705
112768
  });
112706
112769
  function documentEndpoint(ctx) {
112707
- const baseAssetsPath = join11(ctx.session.rootPath, "assets");
112770
+ const baseAssetsPath = join12(ctx.session.rootPath, "assets");
112708
112771
  return tool({
112709
112772
  description: `Document a discovered endpoint during attack surface analysis.
112710
112773
 
@@ -112750,14 +112813,14 @@ Each endpoint creates a JSON file in the assets directory for tracking and analy
112750
112813
  message: `routePath "${input.routePath}" is a full URL. The domain is already stored on the parent application. ` + `Use a path or access pattern instead (e.g. "/api/users", "/{objectKey}?X-Amz-Signature={sig}", "arn:aws:s3:::bucket-name").`
112751
112814
  };
112752
112815
  }
112753
- const targetDir = join11(baseAssetsPath, sanitizeName2(input.appName));
112816
+ const targetDir = join12(baseAssetsPath, sanitizeName2(input.appName));
112754
112817
  if (!existsSync7(targetDir)) {
112755
112818
  mkdirSync6(targetDir, { recursive: true });
112756
112819
  }
112757
112820
  const sanitizedPath = sanitizeName2(input.routePath);
112758
112821
  const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
112759
112822
  const filename = `asset_${sanitizedPath}_${timestamp}.json`;
112760
- const filepath = join11(targetDir, filename);
112823
+ const filepath = join12(targetDir, filename);
112761
112824
  const heuristicRiskScore = computeBlackboxRiskScore(input.riskLevel, "endpoint", {
112762
112825
  url: input.routePath,
112763
112826
  method: input.method,
@@ -112835,7 +112898,7 @@ import {
112835
112898
  unlinkSync,
112836
112899
  writeFileSync as writeFileSync10
112837
112900
  } from "fs";
112838
- import { join as join12 } from "path";
112901
+ import { join as join13 } from "path";
112839
112902
 
112840
112903
  // src/lib/cwe/types.ts
112841
112904
  init_zod();
@@ -114272,7 +114335,7 @@ init_lazyLogger();
114272
114335
  var log6 = scopedLogger(() => createLogger("FindingJudge"));
114273
114336
  async function judgeFinding(input, ctx) {
114274
114337
  try {
114275
- const { FindingJudgeAgent } = await import("./agent-gcbmtsg9.js");
114338
+ const { FindingJudgeAgent } = await import("./agent-1zfxfgfr.js");
114276
114339
  const agent = new FindingJudgeAgent({
114277
114340
  finding: input,
114278
114341
  model: ctx.model,
@@ -114562,14 +114625,14 @@ CRITICAL RULES — READ BEFORE CALLING:
114562
114625
  description: `POC execution output for ${filename}`
114563
114626
  });
114564
114627
  const timestamp = new Date().toISOString();
114565
- const outputDir = isVulnerability ? session.findingsPath : join12(session.rootPath, "informational");
114628
+ const outputDir = isVulnerability ? session.findingsPath : join13(session.rootPath, "informational");
114566
114629
  if (!isVulnerability) {
114567
114630
  mkdirSync7(outputDir, { recursive: true });
114568
114631
  }
114569
114632
  let evidenceForPrompt = materializedEvidence;
114570
114633
  if (materializedEvidence.length > EVIDENCE_FILE_THRESHOLD) {
114571
114634
  const evidenceFilename = `${timestamp.split("T")[0]}-${slugify2(input.title, 40)}-evidence.txt`;
114572
- const evidenceFilePath = join12(outputDir, evidenceFilename);
114635
+ const evidenceFilePath = join13(outputDir, evidenceFilename);
114573
114636
  writeFileSync10(evidenceFilePath, materializedEvidence);
114574
114637
  evidenceForPrompt = materializedEvidence.substring(0, EVIDENCE_FILE_THRESHOLD) + `
114575
114638
  ... [truncated — full output saved to ${evidenceFilename}]`;
@@ -114711,8 +114774,8 @@ CRITICAL RULES — READ BEFORE CALLING:
114711
114774
  const findingId = `${timestamp.split("T")[0]}-${slugify2(finding.title, 50)}`;
114712
114775
  const jsonFilename = `${findingId}.json`;
114713
114776
  const mdFilename = `${findingId}.md`;
114714
- const jsonPath = join12(outputDir, jsonFilename);
114715
- const mdPath = join12(outputDir, mdFilename);
114777
+ const jsonPath = join13(outputDir, jsonFilename);
114778
+ const mdPath = join13(outputDir, mdFilename);
114716
114779
  try {
114717
114780
  writeFileSync10(jsonPath, JSON.stringify(findingWithMeta, null, 2));
114718
114781
  const cvssSection = cvssWarning ? `## CVSS 4.0 Assessment
@@ -114795,7 +114858,7 @@ ${finding.references}` : ""}
114795
114858
  `;
114796
114859
  writeFileSync10(mdPath, markdown);
114797
114860
  if (isVulnerability) {
114798
- const summaryPath = join12(session.rootPath, "findings-summary.md");
114861
+ const summaryPath = join13(session.rootPath, "findings-summary.md");
114799
114862
  const cweTag = cvssResult.cwes?.length ? ` (${cvssResult.cwes.map((c) => c.id).join(", ")})` : "";
114800
114863
  const cvssTag = cvssWarning ? "(estimated)" : `(CVSS ${cvssResult.score})`;
114801
114864
  const summaryEntry = `- [${finding.severity}] ${cvssTag}${cweTag} ${finding.title} - \`findings/${mdFilename}\`
@@ -114853,7 +114916,7 @@ async function executeLocalPoc(ctx, input) {
114853
114916
  mkdirSync7(pocsPath, { recursive: true });
114854
114917
  }
114855
114918
  const { filename, pocContent } = preparePoc(input);
114856
- const pocPath = join12(pocsPath, filename);
114919
+ const pocPath = join13(pocsPath, filename);
114857
114920
  writeFileSync10(pocPath, pocContent);
114858
114921
  chmodSync(pocPath, 493);
114859
114922
  const { stdout, stderr, exitCode } = await runScript(POC_RUNNERS[input.pocType], pocPath, 60000, ctx.abortSignal);
@@ -114871,7 +114934,7 @@ async function executeSandboxPoc(ctx, input) {
114871
114934
  if (!existsSync8(localPocsPath)) {
114872
114935
  mkdirSync7(localPocsPath, { recursive: true });
114873
114936
  }
114874
- const localPocPath = join12(localPocsPath, filename);
114937
+ const localPocPath = join13(localPocsPath, filename);
114875
114938
  writeFileSync10(localPocPath, pocContent);
114876
114939
  const sandboxPocPath = `/tmp/pocs/${filename}`;
114877
114940
  const base64Content = Buffer.from(pocContent).toString("base64");
@@ -114904,10 +114967,10 @@ POC file has been deleted.`,
114904
114967
  }
114905
114968
  function cleanupPocFiles(ctx, filename) {
114906
114969
  try {
114907
- unlinkSync(join12(ctx.session.pocsPath, filename));
114970
+ unlinkSync(join13(ctx.session.pocsPath, filename));
114908
114971
  } catch {}
114909
114972
  try {
114910
- unlinkSync(join12(ctx.session.pocsPath, `${filename}.output.json`));
114973
+ unlinkSync(join13(ctx.session.pocsPath, `${filename}.output.json`));
114911
114974
  } catch {}
114912
114975
  }
114913
114976
  function sanitizeFilename(str) {
@@ -114968,7 +115031,7 @@ ${commentChar} Created: ${new Date().toISOString()}
114968
115031
  }
114969
115032
  function writePocOutputSidecar(pocsPath, filename, stdout, stderr, exitCode, description) {
114970
115033
  try {
114971
- const outputPath = join12(pocsPath, `${filename}.output.json`);
115034
+ const outputPath = join13(pocsPath, `${filename}.output.json`);
114972
115035
  writeFileSync10(outputPath, JSON.stringify({
114973
115036
  stdout,
114974
115037
  stderr,
@@ -118283,7 +118346,7 @@ var SEND_EMAIL_TOOL_NAME = "send_email";
118283
118346
  init_dist();
118284
118347
  init_zod();
118285
118348
  import { existsSync as existsSync9, mkdirSync as mkdirSync8, writeFileSync as writeFileSync11 } from "fs";
118286
- import { join as join13 } from "path";
118349
+ import { join as join14 } from "path";
118287
118350
  var MAX_INLINE = 50000;
118288
118351
  var MS_TIMEOUT_THRESHOLD = 1e4;
118289
118352
  var executeCommandInputSchema = exports_external.object({
@@ -118305,13 +118368,13 @@ function maybeSaveFullOutput(raw, ctx) {
118305
118368
  if (raw.length <= MAX_INLINE) {
118306
118369
  return { text: raw || "(no output)" };
118307
118370
  }
118308
- const outputDir = join13(ctx.session.logsPath, "cmd-output");
118371
+ const outputDir = join14(ctx.session.logsPath, "cmd-output");
118309
118372
  if (!existsSync9(outputDir)) {
118310
118373
  mkdirSync8(outputDir, { recursive: true });
118311
118374
  }
118312
118375
  const ts = new Date().toISOString().replace(/[:.]/g, "-");
118313
118376
  const filename = `output-${ts}.txt`;
118314
- const filePath = join13(outputDir, filename);
118377
+ const filePath = join14(outputDir, filename);
118315
118378
  try {
118316
118379
  writeFileSync11(filePath, raw);
118317
118380
  } catch {
@@ -118798,7 +118861,7 @@ search with flags or a more specific directory if results are truncated.`,
118798
118861
  init_dist();
118799
118862
  init_zod();
118800
118863
  import { existsSync as existsSync10, mkdirSync as mkdirSync9, writeFileSync as writeFileSync12 } from "fs";
118801
- import { join as join14 } from "path";
118864
+ import { join as join15 } from "path";
118802
118865
  var MAX_INLINE_BODY = 5000;
118803
118866
  var httpRequestInputSchema = exports_external.object({
118804
118867
  url: exports_external.string().describe("The URL to request"),
@@ -118812,13 +118875,13 @@ var httpRequestInputSchema = exports_external.object({
118812
118875
  function maybeSaveBody(body, ctx) {
118813
118876
  if (body.length <= MAX_INLINE_BODY)
118814
118877
  return { text: body };
118815
- const outputDir = join14(ctx.session.logsPath, "http-responses");
118878
+ const outputDir = join15(ctx.session.logsPath, "http-responses");
118816
118879
  if (!existsSync10(outputDir)) {
118817
118880
  mkdirSync9(outputDir, { recursive: true });
118818
118881
  }
118819
118882
  const ts = new Date().toISOString().replace(/[:.]/g, "-");
118820
118883
  const filename = `response-${ts}.txt`;
118821
- const filePath = join14(outputDir, filename);
118884
+ const filePath = join15(outputDir, filename);
118822
118885
  try {
118823
118886
  writeFileSync12(filePath, body);
118824
118887
  } catch {
@@ -119057,7 +119120,7 @@ async function executeSandboxHttpRequest(ctx, opts) {
119057
119120
  init_dist();
119058
119121
  init_zod();
119059
119122
  import { readdir, stat } from "fs/promises";
119060
- import { isAbsolute as isAbsolute2, join as join15, relative, resolve as resolve2 } from "path";
119123
+ import { isAbsolute as isAbsolute2, join as join16, relative, resolve as resolve2 } from "path";
119061
119124
  var listFilesInputSchema = exports_external.object({
119062
119125
  directory: exports_external.string().optional().describe("Absolute or relative path to the directory to list (defaults to current working directory)"),
119063
119126
  recursive: exports_external.boolean().optional().describe("If true, list files recursively (default: false)"),
@@ -119077,7 +119140,7 @@ async function listRecursive(dir, maxEntries) {
119077
119140
  }
119078
119141
  for (const entry of entries) {
119079
119142
  total++;
119080
- const fullPath = join15(current, entry.name);
119143
+ const fullPath = join16(current, entry.name);
119081
119144
  if (entry.isDirectory()) {
119082
119145
  if (results.length < maxEntries)
119083
119146
  results.push(`${fullPath}/`);
@@ -119140,7 +119203,7 @@ Each directory entry is suffixed with "/" for easy identification.`,
119140
119203
  }
119141
119204
  const entries = await readdir(dir, { withFileTypes: true });
119142
119205
  const fullPaths = entries.map((e) => {
119143
- const name = join15(dir, e.name);
119206
+ const name = join16(dir, e.name);
119144
119207
  return e.isDirectory() ? `${name}/` : name;
119145
119208
  });
119146
119209
  const capped = fullPaths.slice(0, MAX_NON_RECURSIVE);
@@ -119282,9 +119345,9 @@ import {
119282
119345
  unlinkSync as unlinkSync2
119283
119346
  } from "fs";
119284
119347
  import { tmpdir } from "os";
119285
- import { join as join16 } from "path";
119348
+ import { join as join17 } from "path";
119286
119349
  var MAX_BUFFER = 5000000;
119287
- var APEX_TMP_ROOT = join16(tmpdir(), `apex-shell-${process.pid}`);
119350
+ var APEX_TMP_ROOT = join17(tmpdir(), `apex-shell-${process.pid}`);
119288
119351
  try {
119289
119352
  mkdirSync10(APEX_TMP_ROOT, { recursive: true });
119290
119353
  } catch {}
@@ -119536,8 +119599,8 @@ class PersistentShell {
119536
119599
  const marker = `__APEX_${nonceHex}__`;
119537
119600
  const exitMarkerPrefix = `${marker}_EXIT_`;
119538
119601
  const cutoverMarker = `${marker}_CUTOVER`;
119539
- const outPath = join16(APEX_TMP_ROOT, `${nonceHex}.out`);
119540
- const errPath = join16(APEX_TMP_ROOT, `${nonceHex}.err`);
119602
+ const outPath = join17(APEX_TMP_ROOT, `${nonceHex}.out`);
119603
+ const errPath = join17(APEX_TMP_ROOT, `${nonceHex}.err`);
119541
119604
  const pending = {
119542
119605
  streamedStdout: "",
119543
119606
  authoritativeStdout: "",
@@ -119956,7 +120019,7 @@ Returns discovered endpoints and recommended login approach.`,
119956
120019
  init_dist();
119957
120020
  init_zod();
119958
120021
  import { writeFileSync as writeFileSync13 } from "fs";
119959
- import { join as join17 } from "path";
120022
+ import { join as join18 } from "path";
119960
120023
  function provideComparisonResults(ctx) {
119961
120024
  return tool({
119962
120025
  description: `Provide the final comparison results with matched, missed, and extra findings.
@@ -120002,7 +120065,7 @@ Results will be saved to: comparison-results.json in the session directory.`,
120002
120065
  recall,
120003
120066
  precision
120004
120067
  };
120005
- const resultsPath = join17(ctx.session.rootPath, "comparison-results.json");
120068
+ const resultsPath = join18(ctx.session.rootPath, "comparison-results.json");
120006
120069
  writeFileSync13(resultsPath, JSON.stringify(result, null, 2));
120007
120070
  return {
120008
120071
  success: true,
@@ -120156,7 +120219,7 @@ should be passed directly to spawn_pentest_swarm for deep testing.`,
120156
120219
  });
120157
120220
  if (cwd) {
120158
120221
  try {
120159
- const { WhiteboxAttackSurfaceAgent } = await import("./index-dg9804xb.js");
120222
+ const { WhiteboxAttackSurfaceAgent } = await import("./index-kjky8ack.js");
120160
120223
  const localBus = new AgentEventBus;
120161
120224
  AgentEventBus.attachChild(localBus, ctx.eventBus, subagentId);
120162
120225
  const agent = new WhiteboxAttackSurfaceAgent({
@@ -120206,7 +120269,7 @@ should be passed directly to spawn_pentest_swarm for deep testing.`,
120206
120269
  }
120207
120270
  }
120208
120271
  try {
120209
- const { BlackboxAttackSurfaceAgent } = await import("./blackboxAgent-yyjvgxwd.js");
120272
+ const { BlackboxAttackSurfaceAgent } = await import("./blackboxAgent-dn68r23n.js");
120210
120273
  const localBus = new AgentEventBus;
120211
120274
  AgentEventBus.attachChild(localBus, ctx.eventBus, subagentId);
120212
120275
  const agent = new BlackboxAttackSurfaceAgent({
@@ -120284,7 +120347,7 @@ Omit \`cwd\` for blackbox mode (live target probing only).`,
120284
120347
  toolCallDescription: exports_external.string().describe("A concise, human-readable description of what this tool call is doing")
120285
120348
  }),
120286
120349
  execute: async ({ target, cwd }) => {
120287
- const { runPentestWorkflow: workflow } = await import("./pentest-9q2g54yy.js");
120350
+ const { runPentestWorkflow: workflow } = await import("./pentest-043y2x03.js");
120288
120351
  if (!ctx.model) {
120289
120352
  return {
120290
120353
  success: false,
@@ -120389,11 +120452,11 @@ init_zod();
120389
120452
 
120390
120453
  // src/core/whitebox/adapters.ts
120391
120454
  import { existsSync as existsSync12 } from "node:fs";
120392
- import { join as join19 } from "node:path";
120455
+ import { join as join20 } from "node:path";
120393
120456
 
120394
120457
  // src/core/whitebox/artifacts.ts
120395
120458
  import { mkdir as mkdir2, readFile as readFile3, writeFile as writeFile2 } from "node:fs/promises";
120396
- import { basename as basename2, join as join18 } from "node:path";
120459
+ import { basename as basename2, join as join19 } from "node:path";
120397
120460
 
120398
120461
  // src/core/whitebox/paths.ts
120399
120462
  import { existsSync as existsSync11, realpathSync } from "node:fs";
@@ -120454,10 +120517,10 @@ function safeName(value) {
120454
120517
  return value.toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/\.{2,}/g, ".").replace(/^-+|-+$/g, "").slice(0, 80);
120455
120518
  }
120456
120519
  function getWhiteboxLogsDir(session) {
120457
- return join18(session.logsPath, "whitebox");
120520
+ return join19(session.logsPath, "whitebox");
120458
120521
  }
120459
120522
  function getWhiteboxScratchDir(session) {
120460
- return join18(session.scratchpadPath, "whitebox");
120523
+ return join19(session.scratchpadPath, "whitebox");
120461
120524
  }
120462
120525
  async function ensureWhiteboxDirs(session) {
120463
120526
  await Promise.all([
@@ -120470,7 +120533,7 @@ async function writeWhiteboxArtifact(input) {
120470
120533
  const baseDir = input.area === "scratchpad" ? getWhiteboxScratchDir(input.session) : getWhiteboxLogsDir(input.session);
120471
120534
  const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
120472
120535
  const filename = `${timestamp}-${safeName(input.name)}${input.extension ?? ".txt"}`;
120473
- const absolutePath = join18(baseDir, filename);
120536
+ const absolutePath = join19(baseDir, filename);
120474
120537
  await writeFile2(absolutePath, input.content, "utf-8");
120475
120538
  const relativeRoot = input.area === "scratchpad" ? "scratchpad/whitebox" : "logs/whitebox";
120476
120539
  return {
@@ -120712,7 +120775,7 @@ var WHITEBOX_SCAN_ADAPTERS = [
120712
120775
  id: "npm-audit",
120713
120776
  kind: "dependencies",
120714
120777
  tool: "npm",
120715
- detect: (profile) => hasTool(profile, "npm") && (profile.packageManagers.includes("npm") || existsSync12(join19(profile.rootPath, "package-lock.json"))),
120778
+ detect: (profile) => hasTool(profile, "npm") && (profile.packageManagers.includes("npm") || existsSync12(join20(profile.rootPath, "package-lock.json"))),
120716
120779
  buildCommand: () => ["npm", "audit", "--json"],
120717
120780
  parseSummary: (raw) => simpleLineFindings("npm audit", raw)
120718
120781
  },
@@ -120821,7 +120884,7 @@ ${raw.stderr}` : "");
120821
120884
  // src/core/whitebox/candidates.ts
120822
120885
  import { existsSync as existsSync13 } from "node:fs";
120823
120886
  import { mkdir as mkdir3, readFile as readFile4, writeFile as writeFile3 } from "node:fs/promises";
120824
- import { join as join20 } from "node:path";
120887
+ import { join as join21 } from "node:path";
120825
120888
  var CANDIDATES_FILE = "candidates.json";
120826
120889
  var writeLocks = new Map;
120827
120890
  function withCandidateLock(session, fn) {
@@ -120848,10 +120911,10 @@ var ALLOWED_TRANSITIONS = {
120848
120911
  deferred: ["hypothesis", "investigating"]
120849
120912
  };
120850
120913
  function candidatesDir(session) {
120851
- return join20(session.scratchpadPath, "whitebox");
120914
+ return join21(session.scratchpadPath, "whitebox");
120852
120915
  }
120853
120916
  function candidatesPath(session) {
120854
- return join20(candidatesDir(session), CANDIDATES_FILE);
120917
+ return join21(candidatesDir(session), CANDIDATES_FILE);
120855
120918
  }
120856
120919
  function makeId2(title) {
120857
120920
  const slug = title.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "").slice(0, 48);
@@ -121321,7 +121384,7 @@ import {
121321
121384
  readSync as readSync2,
121322
121385
  statSync as statSync3
121323
121386
  } from "node:fs";
121324
- import { join as join21 } from "node:path";
121387
+ import { join as join22 } from "node:path";
121325
121388
  var MAX_JOB_LOG_INLINE = 40000;
121326
121389
  var MAX_JOB_LOG_BYTES = 10 * 1024 * 1024;
121327
121390
  var PRUNE_AFTER_MS = 60000;
@@ -121396,7 +121459,7 @@ function startWhiteboxJob(input) {
121396
121459
  const logsDir = getWhiteboxLogsDir(input.session);
121397
121460
  mkdirSync11(logsDir, { recursive: true });
121398
121461
  const safeName2 = (input.name ?? "job").replace(/[^a-z0-9._-]+/gi, "-").replace(/\.{2,}/g, ".");
121399
- const logPath = join21(logsDir, `${id}-${safeName2}.log`);
121462
+ const logPath = join22(logsDir, `${id}-${safeName2}.log`);
121400
121463
  const now = new Date().toISOString();
121401
121464
  writeLog(logPath, `$ ${input.command}
121402
121465
 
@@ -121522,12 +121585,12 @@ function readWhiteboxJobLog(id, sessionId) {
121522
121585
  };
121523
121586
  }
121524
121587
  // src/core/whitebox/repoProfile.ts
121525
- import { execFile } from "node:child_process";
121588
+ import { execFile as execFile2 } from "node:child_process";
121526
121589
  import { existsSync as existsSync15, realpathSync as realpathSync2 } from "node:fs";
121527
121590
  import { readdir as readdir2, readFile as readFile5, stat as stat2 } from "node:fs/promises";
121528
- import { basename as basename3, extname as extname2, join as join22, relative as relative3, resolve as resolve5 } from "node:path";
121529
- import { promisify } from "node:util";
121530
- var execFileAsync = promisify(execFile);
121591
+ import { basename as basename3, extname as extname2, join as join23, relative as relative3, resolve as resolve5 } from "node:path";
121592
+ import { promisify as promisify2 } from "node:util";
121593
+ var execFileAsync2 = promisify2(execFile2);
121531
121594
  var MAX_PROFILE_FILES = 5000;
121532
121595
  var LANGUAGE_BY_EXTENSION = {
121533
121596
  ".ts": "typescript",
@@ -121634,7 +121697,7 @@ async function walkFiles(rootPath) {
121634
121697
  for (const entry of entries) {
121635
121698
  if (files.length >= MAX_PROFILE_FILES)
121636
121699
  return;
121637
- const fullPath = join22(current, entry.name);
121700
+ const fullPath = join23(current, entry.name);
121638
121701
  if (entry.isDirectory()) {
121639
121702
  if (shouldSkipDir(entry.name))
121640
121703
  continue;
@@ -121696,7 +121759,7 @@ function detectEntryHints(files) {
121696
121759
  return hints.slice(0, 100);
121697
121760
  }
121698
121761
  async function readPackageScripts(rootPath) {
121699
- const packageJsonPath = join22(rootPath, "package.json");
121762
+ const packageJsonPath = join23(rootPath, "package.json");
121700
121763
  if (!existsSync15(packageJsonPath)) {
121701
121764
  return { buildCommands: [], testCommands: [], runCommands: [] };
121702
121765
  }
@@ -121715,7 +121778,7 @@ async function readPackageScripts(rootPath) {
121715
121778
  }
121716
121779
  async function runGit(rootPath, args) {
121717
121780
  try {
121718
- const { stdout } = await execFileAsync("git", args, {
121781
+ const { stdout } = await execFileAsync2("git", args, {
121719
121782
  cwd: rootPath,
121720
121783
  timeout: 5000,
121721
121784
  maxBuffer: 1024 * 1024
@@ -121728,7 +121791,7 @@ async function runGit(rootPath, args) {
121728
121791
  async function detectTool(name) {
121729
121792
  const cmd = process.platform === "win32" ? "where" : "which";
121730
121793
  try {
121731
- const { stdout } = await execFileAsync(cmd, [name], {
121794
+ const { stdout } = await execFileAsync2(cmd, [name], {
121732
121795
  timeout: 2000,
121733
121796
  maxBuffer: 1024 * 64
121734
121797
  });
@@ -121860,7 +121923,7 @@ Returns an array of results with the text output from each agent.`,
121860
121923
  });
121861
121924
  }
121862
121925
  async function runSingleCodingAgent(ctx, codebasePath, objective, agentIndex, name) {
121863
- const { CodeAgent } = await import("./agent-vnhgzmm9.js");
121926
+ const { CodeAgent } = await import("./agent-ssm6x6qs.js");
121864
121927
  const subagentId = `coding-agent-${agentIndex}`;
121865
121928
  ctx.eventBus?.emit("subagent-spawn", {
121866
121929
  subagentId,
@@ -121910,7 +121973,7 @@ init_ai();
121910
121973
  init_structured();
121911
121974
  init_lazyLogger();
121912
121975
  import { existsSync as existsSync16, readdirSync as readdirSync3, readFileSync as readFileSync4 } from "fs";
121913
- import { join as join23 } from "path";
121976
+ import { join as join24 } from "path";
121914
121977
  var log9 = scopedLogger(() => createLogger("findings:registry"));
121915
121978
  var VULN_CLASS_PATTERNS = [
121916
121979
  [/sql\s*injection/i, "sql-injection"],
@@ -122102,7 +122165,7 @@ class FindingsRegistry {
122102
122165
  log9.debug(`fromDirectory: path=${findingsPath}, jsonFiles=${files.length}`);
122103
122166
  for (const file of files) {
122104
122167
  try {
122105
- const raw = readFileSync4(join23(findingsPath, file), "utf-8");
122168
+ const raw = readFileSync4(join24(findingsPath, file), "utf-8");
122106
122169
  const finding = JSON.parse(raw);
122107
122170
  if (finding && typeof finding.title === "string" && typeof finding.endpoint === "string") {
122108
122171
  registry.indexFinding(finding);
@@ -122307,13 +122370,13 @@ class FindingsRegistry {
122307
122370
 
122308
122371
  // src/core/plan/index.ts
122309
122372
  import { existsSync as existsSync17, readFileSync as readFileSync5 } from "fs";
122310
- import { join as join24 } from "path";
122373
+ import { join as join25 } from "path";
122311
122374
  var PLAN_FILENAME = "plan.md";
122312
122375
  function planFilePath(sessionRootPath, subagentId) {
122313
122376
  if (subagentId) {
122314
- return join24(sessionRootPath, "subagents", `${subagentId}-plan.md`);
122377
+ return join25(sessionRootPath, "subagents", `${subagentId}-plan.md`);
122315
122378
  }
122316
- return join24(sessionRootPath, PLAN_FILENAME);
122379
+ return join25(sessionRootPath, PLAN_FILENAME);
122317
122380
  }
122318
122381
  function readPlan(sessionRootPath, subagentId) {
122319
122382
  const path = planFilePath(sessionRootPath, subagentId);
@@ -122366,7 +122429,7 @@ Returns the worker's summary, objective results, and finding count — but NOT t
122366
122429
  message: "spawn_pentest_agent requires a model in the tool context."
122367
122430
  };
122368
122431
  }
122369
- const { TargetedPentestAgent } = await import("./agent-hkmr0qfx.js");
122432
+ const { TargetedPentestAgent } = await import("./agent-1jp62njk.js");
122370
122433
  const findingsRegistry = ctx.findingsRegistry ?? FindingsRegistry.fromDirectory(ctx.session.findingsPath, {
122371
122434
  model: ctx.model,
122372
122435
  authConfig: ctx.authConfig,
@@ -122520,7 +122583,7 @@ Pass every target you want tested — the swarm handles concurrency automaticall
122520
122583
  toolCallDescription: exports_external.string().describe("A concise, human-readable description of what this tool call is doing")
122521
122584
  }),
122522
122585
  execute: async ({ targets }) => {
122523
- const { runPentestSwarm, DEFAULT_CONCURRENCY: DEFAULT_CONCURRENCY2 } = await import("./pentest-9q2g54yy.js");
122586
+ const { runPentestSwarm, DEFAULT_CONCURRENCY: DEFAULT_CONCURRENCY2 } = await import("./pentest-043y2x03.js");
122524
122587
  if (!ctx.model) {
122525
122588
  return {
122526
122589
  success: false,
@@ -123157,7 +123220,7 @@ init_zod();
123157
123220
  init_structured();
123158
123221
  import { mkdirSync as mkdirSync12 } from "fs";
123159
123222
  import { writeFile as writeFile5 } from "fs/promises";
123160
- import { dirname as dirname4 } from "path";
123223
+ import { dirname as dirname5 } from "path";
123161
123224
  init_lazyLogger();
123162
123225
  var log12 = scopedLogger(() => createLogger("write_plan"));
123163
123226
  var writePlanInputSchema = exports_external.object({
@@ -123183,7 +123246,7 @@ Required plan sections:
123183
123246
  execute: async ({ content }) => {
123184
123247
  const scopeId = ctx.planSubagentId ?? ctx.subagentId;
123185
123248
  const planPath = planFilePath(ctx.session.rootPath, scopeId);
123186
- mkdirSync12(dirname4(planPath), { recursive: true });
123249
+ mkdirSync12(dirname5(planPath), { recursive: true });
123187
123250
  log12.debug(`enter: contentLen=${content.length}, path=${planPath}`);
123188
123251
  try {
123189
123252
  await writeFile5(planPath, content, "utf-8");
@@ -124212,7 +124275,7 @@ var SKILL_TOOL_NAMES = ["read_skill"];
124212
124275
  // src/core/agents/offSecAgent/trace.ts
124213
124276
  import { createHash } from "crypto";
124214
124277
  import { appendFileSync as appendFileSync3, mkdirSync as mkdirSync13 } from "fs";
124215
- import { dirname as dirname5 } from "path";
124278
+ import { dirname as dirname6 } from "path";
124216
124279
  var OUTPUT_PREVIEW_LIMIT = 2000;
124217
124280
  var INPUT_PREVIEW_LIMIT = 1000;
124218
124281
  var SYSTEM_PROMPT_HASH_PREFIX_LENGTH = 12;
@@ -124273,7 +124336,7 @@ class StepTraceWriter {
124273
124336
  const now = Date.now();
124274
124337
  this.agentStartTime = now;
124275
124338
  this.lastStepTime = now;
124276
- mkdirSync13(dirname5(this.tracePath), { recursive: true });
124339
+ mkdirSync13(dirname6(this.tracePath), { recursive: true });
124277
124340
  }
124278
124341
  writeInit(data) {
124279
124342
  const { systemPrompt, ...rest } = data;
@@ -124414,7 +124477,7 @@ init_dist();
124414
124477
  init_ai();
124415
124478
  import { existsSync as existsSync18, mkdirSync as mkdirSync14 } from "fs";
124416
124479
  import { writeFile as writeFile6 } from "fs/promises";
124417
- import { join as join25 } from "path";
124480
+ import { join as join26 } from "path";
124418
124481
  init_structured();
124419
124482
  init_observability();
124420
124483
 
@@ -124751,15 +124814,15 @@ class OffensiveSecurityAgent {
124751
124814
  } else {
124752
124815
  this.ownsBrowserSession = false;
124753
124816
  }
124754
- const messagesDir = input.messagesDir ?? (input.subagentId ? join25(input.session.rootPath, "subagents", input.subagentId) : input.session.rootPath);
124755
- const tracePath = input.subagentId ? join25(input.session.rootPath, "subagents", `${input.subagentId}.trace.jsonl`) : join25(messagesDir, "trace.jsonl");
124817
+ const messagesDir = input.messagesDir ?? (input.subagentId ? join26(input.session.rootPath, "subagents", input.subagentId) : input.session.rootPath);
124818
+ const tracePath = input.subagentId ? join26(input.session.rootPath, "subagents", `${input.subagentId}.trace.jsonl`) : join26(messagesDir, "trace.jsonl");
124756
124819
  const traceWriter = new StepTraceWriter({
124757
124820
  tracePath,
124758
124821
  agentId: input.subagentId ?? null,
124759
124822
  eventBus: this.eventBus
124760
124823
  });
124761
124824
  const taskDriven = input.session.config?.taskDriven ?? false;
124762
- const tasksDir = input.tasksDir ?? (taskDriven ? input.subagentId ? join25(input.session.rootPath, "subagents", `${input.subagentId}-tasks`) : join25(input.session.rootPath, "tasks") : undefined);
124825
+ const tasksDir = input.tasksDir ?? (taskDriven ? input.subagentId ? join26(input.session.rootPath, "subagents", `${input.subagentId}-tasks`) : join26(input.session.rootPath, "tasks") : undefined);
124763
124826
  const credentialManager = input.credentialManager ?? input.session.credentialManager;
124764
124827
  const builtinTools = createAllTools({
124765
124828
  session: input.session,
@@ -124835,7 +124898,7 @@ class OffensiveSecurityAgent {
124835
124898
  if (!existsSync18(messagesDir)) {
124836
124899
  mkdirSync14(messagesDir, { recursive: true });
124837
124900
  }
124838
- const messagesPath = join25(messagesDir, "messages.json");
124901
+ const messagesPath = join26(messagesDir, "messages.json");
124839
124902
  const initialMessagesRef = {
124840
124903
  current: input.messages ? [...input.messages] : [
124841
124904
  {