@pentoshi/clai 0.6.0 → 0.7.1

package/dist/tools/reducers/nmap.js

@@ -0,0 +1,82 @@
+const PORT_LINE_RE = /^\s*(\d+)\/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\s+(\S+)(?:\s+(.*))?$/i;
+const HOST_LINE_RE = /^Nmap scan report for\s+(.+)$/i;
+const STATUS_LINE_RE = /^Host is\s+(.+?)(?:\s+\(.*\))?\.?$/i;
+const OS_LINE_RE = /^(?:OS details|Running):\s+(.+)$/i;
+const SUMMARY_RE = /Nmap done:.+/i;
+/**
+ * Parse plain "nmap -sV" text output into structured findings. We avoid
+ * forcing -oX here so the agent can still pass any flags it wants — but if
+ * the output looks like XML we just include it verbatim.
+ */
+export const nmapReducer = (raw) => {
+    if (raw.trim().startsWith("<?xml")) {
+        return { summary: raw.slice(0, 8_000) };
+    }
+    const hosts = [];
+    let current;
+    let summaryLine = "";
+    for (const line of raw.split(/\r?\n/)) {
+        const hostMatch = HOST_LINE_RE.exec(line);
+        if (hostMatch) {
+            current = { host: hostMatch[1].trim(), ports: [] };
+            hosts.push(current);
+            continue;
+        }
+        if (!current)
+            continue;
+        const statusMatch = STATUS_LINE_RE.exec(line);
+        if (statusMatch) {
+            current.status = statusMatch[1];
+            continue;
+        }
+        const osMatch = OS_LINE_RE.exec(line);
+        if (osMatch) {
+            current.os = osMatch[1];
+            continue;
+        }
+        const portMatch = PORT_LINE_RE.exec(line);
+        if (portMatch) {
+            current.ports.push({
+                port: Number(portMatch[1]),
+                protocol: portMatch[2].toLowerCase(),
+                state: portMatch[3].toLowerCase(),
+                service: portMatch[4],
+                version: portMatch[5]?.trim() || undefined,
+            });
+            continue;
+        }
+        if (SUMMARY_RE.test(line)) {
+            summaryLine = line.trim();
+        }
+    }
+    const totalHosts = hosts.length;
+    const totalOpen = hosts.reduce((n, host) => n + host.ports.filter((p) => p.state === "open").length, 0);
+    const lines = [];
+    lines.push(`# nmap reduced summary — ${totalHosts} host(s), ${totalOpen} open port(s)`);
+    if (summaryLine)
+        lines.push(summaryLine);
+    for (const host of hosts) {
+        lines.push("");
+        lines.push(`## ${host.host}${host.status ? ` (${host.status})` : ""}`);
+        if (host.os)
+            lines.push(`OS: ${host.os}`);
+        if (host.ports.length === 0) {
+            lines.push("(no ports parsed)");
+            continue;
+        }
+        for (const port of host.ports) {
+            const parts = [
+                `${port.port}/${port.protocol}`,
+                port.state,
+                port.service ?? "",
+                port.version ?? "",
+            ];
+            lines.push(parts.filter(Boolean).join(" — "));
+        }
+    }
+    return {
+        summary: lines.join("\n"),
+        findings: { hosts, totalHosts, totalOpen },
+    };
+};
+//# sourceMappingURL=nmap.js.map

package/dist/tools/reducers/nmap.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nmap.js","sourceRoot":"","sources":["../../../src/tools/reducers/nmap.ts"],"names":[],"mappings":"AAiBA,MAAM,YAAY,GAAG,oFAAoF,CAAC;AAC1G,MAAM,YAAY,GAAG,gCAAgC,CAAC;AACtD,MAAM,cAAc,GAAG,qCAAqC,CAAC;AAC7D,MAAM,UAAU,GAAG,mCAAmC,CAAC;AACvD,MAAM,UAAU,GAAG,eAAe,CAAC;AAEnC;;;;GAIG;AACH,MAAM,CAAC,MAAM,WAAW,GAAY,CAAC,GAAG,EAAiB,EAAE;IACzD,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACnC,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;IAC1C,CAAC;IACD,MAAM,KAAK,GAAe,EAAE,CAAC;IAC7B,IAAI,OAA6B,CAAC;IAClC,IAAI,WAAW,GAAG,EAAE,CAAC;IACrB,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QACtC,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,GAAG,EAAE,IAAI,EAAE,SAAS,CAAC,CAAC,CAAE,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;YACpD,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACpB,SAAS;QACX,CAAC;QACD,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9C,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YAChC,SAAS;QACX,CAAC;QACD,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,EAAE,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YACxB,SAAS;QACX,CAAC;QACD,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC;gBACjB,IAAI,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;gBAC1B,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAE,CAAC,WAAW,EAAE;gBACrC,KAAK,EAAE,SAAS,CAAC,CAAC,CAAE,CAAC,WAAW,EAAE;gBAClC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC;gBACrB,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS;aAC3C,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QACD,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,CAAC;IACH,CAAC;IACD,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC;IAChC,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAC5B,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,MAAM,CAAC,CAAC,MAAM,EACpE,CAAC,CACF,CAAC;IACF,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,4BAA4B,UAAU,aAAa,SAAS,eAAe,CAAC,CAAC;IACxF,IAAI,WAAW;QAAE,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACzC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACvE,IAAI,IAAI,CAAC,EAAE;YAAE,KAAK,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;QAC1C,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,KAAK,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;YAChC,SAAS;QACX,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,MAAM,KAAK,GAAG;gBACZ,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,QAAQ,EAAE;gBAC/B,IAAI,CAAC,KAAK;gBACV,IAAI,CAAC,OAAO,IAAI,EAAE;gBAClB,IAAI,CAAC,OAAO,IAAI,EAAE;aACnB,CAAC;YACF,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IACD,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;QACzB,QAAQ,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE;KAC3C,CAAC;AACJ,CAAC,CAAC"}

package/dist/tools/reducers/nuclei.d.ts

@@ -0,0 +1,2 @@
+import type { Reducer } from "./types.js";
+export declare const nucleiReducer: Reducer;

package/dist/tools/reducers/nuclei.js

@@ -0,0 +1,51 @@
+const SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "unknown"];
+export const nucleiReducer = (raw) => {
+    const hits = [];
+    for (const line of raw.split(/\r?\n/)) {
+        const trimmed = line.trim();
+        if (!trimmed.startsWith("{"))
+            continue;
+        try {
+            hits.push(JSON.parse(trimmed));
+        }
+        catch {
+            // skip malformed lines
+        }
+    }
+    if (hits.length === 0) {
+        return { summary: "# nuclei — no JSONL hits parsed (pass -jsonl to get structured output)" };
+    }
+    const bySeverity = new Map();
+    for (const hit of hits) {
+        const sev = hit.info?.severity?.toLowerCase() ?? "unknown";
+        const list = bySeverity.get(sev) ?? [];
+        list.push(hit);
+        bySeverity.set(sev, list);
+    }
+    const counts = SEVERITY_ORDER
+        .filter((sev) => bySeverity.has(sev))
+        .map((sev) => `${sev}=${bySeverity.get(sev).length}`);
+    const lines = [
+        `# nuclei reduced summary — ${hits.length} hit(s) ${counts.join(" ")}`,
+    ];
+    for (const sev of SEVERITY_ORDER) {
+        const list = bySeverity.get(sev);
+        if (!list)
+            continue;
+        lines.push("");
+        lines.push(`## ${sev.toUpperCase()} (${list.length})`);
+        for (const hit of list.slice(0, 15)) {
+            const id = hit["template-id"] ?? hit.template ?? "?";
+            const name = hit.info?.name ?? "";
+            const matched = hit["matched-at"] ?? hit.matched ?? hit.host ?? "?";
+            lines.push(`- ${id}${name ? ` [${name}]` : ""} — ${matched}`);
+        }
+        if (list.length > 15)
+            lines.push(`- ... ${list.length - 15} more`);
+    }
+    return {
+        summary: lines.join("\n"),
+        findings: { total: hits.length, bySeverity: Object.fromEntries([...bySeverity.entries()].map(([k, v]) => [k, v.length])) },
+    };
+};
+//# sourceMappingURL=nuclei.js.map

package/dist/tools/reducers/nuclei.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nuclei.js","sourceRoot":"","sources":["../../../src/tools/reducers/nuclei.ts"],"names":[],"mappings":"AAYA,MAAM,cAAc,GAAG,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,CAAU,CAAC;AAEzF,MAAM,CAAC,MAAM,aAAa,GAAY,CAAC,GAAG,EAAiB,EAAE;IAC3D,MAAM,IAAI,GAAgB,EAAE,CAAC;IAC7B,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QACvC,IAAI,CAAC;YACH,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAc,CAAC,CAAC;QAC9C,CAAC;QAAC,MAAM,CAAC;YACP,uBAAuB;QACzB,CAAC;IACH,CAAC;IACD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,EAAE,OAAO,EAAE,wEAAwE,EAAE,CAAC;IAC/F,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAuB,CAAC;IAClD,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,SAAS,CAAC;QAC3D,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QACvC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACf,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;IACD,MAAM,MAAM,GAAG,cAAc;SAC1B,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;SACpC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC,MAAM,EAAE,CAAC,CAAC;IACzD,MAAM,KAAK,GAAa;QACtB,8BAA8B,IAAI,CAAC,MAAM,WAAW,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;KACvE,CAAC;IACF,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;QACvD,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;YACpC,MAAM,EAAE,GAAG,GAAG,CAAC,aAAa,CAAC,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC;YACrD,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC;YAClC,MAAM,OAAO,GAAG,GAAG,CAAC,YAAY,CAAC,IAAI,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC;YACpE,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,GAAG,CAAC,CAAC,CAAC,EAAE,MAAM,OAAO,EAAE,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE;YAAE,KAAK,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,MAAM,GAAG,EAAE,OAAO,CAAC,CAAC;IACrE,CAAC;IACD,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;QACzB,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC,GAAG,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;KAC3H,CAAC;AACJ,CAAC,CAAC"}

package/dist/tools/reducers/sqlmap.d.ts

@@ -0,0 +1,2 @@
+import type { Reducer } from "./types.js";
+export declare const sqlmapReducer: Reducer;

package/dist/tools/reducers/sqlmap.js

@@ -0,0 +1,39 @@
+const INJECTABLE_RE = /Parameter:\s*([^\s(]+)\s*\(([^)]+)\)/g;
+const DBMS_RE = /back-end DBMS:\s*(.+)/i;
+const PAYLOAD_RE = /Payload:\s*(.+)/g;
+export const sqlmapReducer = (raw) => {
+    const injectables = [];
+    let dbms;
+    const payloads = [];
+    for (const match of raw.matchAll(INJECTABLE_RE)) {
+        injectables.push({ parameter: match[1], place: match[2] });
+    }
+    const dbmsMatch = DBMS_RE.exec(raw);
+    if (dbmsMatch)
+        dbms = dbmsMatch[1].trim();
+    for (const match of raw.matchAll(PAYLOAD_RE)) {
+        payloads.push(match[1].trim());
+        if (payloads.length >= 5)
+            break;
+    }
+    if (injectables.length === 0 && !dbms) {
+        return { summary: "# sqlmap — no injectable parameters or DBMS detected" };
+    }
+    const lines = [
+        `# sqlmap reduced summary — ${injectables.length} injectable parameter(s)${dbms ? `, DBMS=${dbms}` : ""}`,
+    ];
+    for (const inj of injectables) {
+        lines.push(`- ${inj.parameter} (${inj.place})`);
+    }
+    if (payloads.length > 0) {
+        lines.push("");
+        lines.push("## Sample payloads");
+        for (const payload of payloads)
+            lines.push(`- ${payload}`);
+    }
+    return {
+        summary: lines.join("\n"),
+        findings: { injectables, dbms, samplePayloads: payloads },
+    };
+};
+//# sourceMappingURL=sqlmap.js.map

package/dist/tools/reducers/sqlmap.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sqlmap.js","sourceRoot":"","sources":["../../../src/tools/reducers/sqlmap.ts"],"names":[],"mappings":"AAEA,MAAM,aAAa,GAAG,uCAAuC,CAAC;AAC9D,MAAM,OAAO,GAAG,wBAAwB,CAAC;AACzC,MAAM,UAAU,GAAG,kBAAkB,CAAC;AAEtC,MAAM,CAAC,MAAM,aAAa,GAAY,CAAC,GAAG,EAAiB,EAAE;IAC3D,MAAM,WAAW,GAAgD,EAAE,CAAC;IACpE,IAAI,IAAwB,CAAC;IAC7B,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QAChD,WAAW,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,CAAE,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAE,EAAE,CAAC,CAAC;IAC/D,CAAC;IACD,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,SAAS;QAAE,IAAI,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC,IAAI,EAAE,CAAC;IAC3C,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QAC7C,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,IAAI,EAAE,CAAC,CAAC;QAChC,IAAI,QAAQ,CAAC,MAAM,IAAI,CAAC;YAAE,MAAM;IAClC,CAAC;IACD,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACtC,OAAO,EAAE,OAAO,EAAE,sDAAsD,EAAE,CAAC;IAC7E,CAAC;IACD,MAAM,KAAK,GAAa;QACtB,8BAA8B,WAAW,CAAC,MAAM,2BAA2B,IAAI,CAAC,CAAC,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE;KAC1G,CAAC;IACF,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG,CAAC,SAAS,KAAK,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC;IAClD,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACjC,KAAK,MAAM,OAAO,IAAI,QAAQ;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,OAAO,EAAE,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;QACzB,QAAQ,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE;KAC1D,CAAC;AACJ,CAAC,CAAC"}

package/dist/tools/reducers/subdomains.d.ts

@@ -0,0 +1,6 @@
+import type { Reducer } from "./types.js";
+/**
+ * Reducer for subfinder / amass / sublist3r output. Dedup, normalize,
+ * sort. The user can still pull the raw list from the artifact.
+ */
+export declare const subdomainsReducer: Reducer;

package/dist/tools/reducers/subdomains.js

@@ -0,0 +1,31 @@
+const DOMAIN_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$/i;
+/**
+ * Reducer for subfinder / amass / sublist3r output. Dedup, normalize,
+ * sort. The user can still pull the raw list from the artifact.
+ */
+export const subdomainsReducer = (raw) => {
+    const set = new Set();
+    for (const line of raw.split(/\r?\n/)) {
+        const token = line.trim();
+        if (DOMAIN_RE.test(token)) {
+            set.add(token.toLowerCase());
+        }
+    }
+    if (set.size === 0) {
+        return { summary: "# subdomains — none parsed from output" };
+    }
+    const sorted = [...set].sort();
+    const preview = sorted.slice(0, 200);
+    const lines = [
+        `# subdomain enumeration — ${sorted.length} unique domain(s)`,
+        ...preview,
+    ];
+    if (sorted.length > preview.length) {
+        lines.push(`... ${sorted.length - preview.length} more in artifact`);
+    }
+    return {
+        summary: lines.join("\n"),
+        findings: { count: sorted.length, sample: preview },
+    };
+};
+//# sourceMappingURL=subdomains.js.map

package/dist/tools/reducers/subdomains.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"subdomains.js","sourceRoot":"","sources":["../../../src/tools/reducers/subdomains.ts"],"names":[],"mappings":"AAEA,MAAM,SAAS,GAAG,oFAAoF,CAAC;AAEvG;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAY,CAAC,GAAG,EAAiB,EAAE;IAC/D,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QACtC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC1B,IAAI,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;QACnB,OAAO,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;IAC/D,CAAC;IACD,MAAM,MAAM,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IAC/B,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACrC,MAAM,KAAK,GAAa;QACtB,6BAA6B,MAAM,CAAC,MAAM,mBAAmB;QAC7D,GAAG,OAAO;KACX,CAAC;IACF,IAAI,MAAM,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACnC,KAAK,CAAC,IAAI,CAAC,OAAO,MAAM,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,mBAAmB,CAAC,CAAC;IACvE,CAAC;IACD,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;QACzB,QAAQ,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE;KACpD,CAAC;AACJ,CAAC,CAAC"}

package/dist/tools/reducers/types.d.ts

@@ -0,0 +1,14 @@
+/**
+ * A reducer takes raw tool output and returns a compact, finding-aware
+ * summary that the model sees instead of the raw blob. The full raw output
+ * still lives in the artifact file for the user to inspect.
+ */
+export interface ReducerOutput {
+    summary: string;
+    findings?: unknown;
+    warnings?: string[];
+}
+export type Reducer = (raw: string, context: {
+    command: string;
+    argv?: string[] | undefined;
+}) => ReducerOutput;

package/dist/tools/reducers/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/tools/reducers/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/tools/reducers/types.ts"],"names":[],"mappings":""}

package/dist/tools/registry.d.ts

@@ -1,4 +1,4 @@
-import type { ToolCall, ToolResult } from '../types.js';
+import type { ToolCall, ToolResult } from "../types.js";
 export interface ToolRunOptions {
     signal?: AbortSignal | undefined;
     onOutput?: ((chunk: string, stream: "stdout" | "stderr") => void) | undefined;

package/dist/tools/registry.js

@@ -1,124 +1,146 @@
-import { detectSystem } from '../os/detect.js';
-import { detectPackageManager } from '../os/pkgmgr.js';
-import { fsList, fsRead, fsSearch, fsWrite } from './fs.js';
-import { httpFetch } from './http.js';
-import { shellExec } from './shell.js';
+import { detectSystem } from "../os/detect.js";
+import { detectPackageManager, assertSafePackageName } from "../os/pkgmgr.js";
+import { fsList, fsRead, fsSearch, fsWrite } from "./fs.js";
+import { httpFetch } from "./http.js";
+import { shellExec, spawnArgv } from "./shell.js";
+import { classifyToolCall } from "../safety/classifier.js";
+import { loadScope } from "../store/scope.js";
+import { parseHost, parsePortSpec, parseLegacyFlags, profileToNmapArgs, } from "./validate.js";
 function requireString(args, key) {
     const value = args[key];
-    if (typeof value !== 'string' || value.length === 0) {
+    if (typeof value !== "string" || value.length === 0) {
         throw new Error(`Tool argument "${key}" must be a non-empty string`);
     }
     return value;
 }
 function optionalString(args, key) {
     const value = args[key];
-    return typeof value === 'string' && value.length > 0 ? value : undefined;
+    return typeof value === "string" && value.length > 0 ? value : undefined;
 }
 function optionalNumber(args, key) {
     const value = args[key];
-    return typeof value === 'number' ? value : undefined;
-}
-function safeToolName(value) {
-    if (!/^[A-Za-z0-9_.+-]+$/.test(value)) {
-        throw new Error(`Unsafe package/tool name: ${value}`);
-    }
-    return value;
-}
-function safeTarget(value) {
-    if (!/^[A-Za-z0-9_.:-]+(?:\/\d{1,3})?$/.test(value)) {
-        throw new Error(`Unsafe target syntax: ${value}`);
-    }
-    return value;
-}
-function safePorts(value) {
-    if (!/^[A-Za-z0-9,:-]+$/.test(value)) {
-        throw new Error(`Unsafe port syntax: ${value}`);
-    }
-    return value;
-}
-function safeFlagTokens(value) {
-    if (!value.trim())
-        return [];
-    return value.trim().split(/\s+/).map((token) => {
-        if (!/^-{1,2}[A-Za-z0-9][A-Za-z0-9_.:=,+/-]*$/.test(token)) {
-            throw new Error(`Unsafe flag syntax: ${token}`);
-        }
-        return token;
-    });
-}
-function commandLabel(command, argv) {
-    return [command, ...argv].join(' ');
+    return typeof value === "number" ? value : undefined;
 }
 export const toolRegistry = {
-    async 'shell.exec'(args, options) {
-        return shellExec({ command: requireString(args, 'command'), cwd: optionalString(args, 'cwd'), timeoutMs: optionalNumber(args, 'timeoutMs'), signal: options?.signal, onOutput: options?.onOutput });
+    async "shell.exec"(args, options) {
+        return shellExec({
+            command: requireString(args, "command"),
+            cwd: optionalString(args, "cwd"),
+            timeoutMs: optionalNumber(args, "timeoutMs"),
+            signal: options?.signal,
+            onOutput: options?.onOutput,
+        });
     },
-    async 'fs.read'(args) {
-        return fsRead(requireString(args, 'path'));
+    async "fs.read"(args) {
+        return fsRead(requireString(args, "path"), {
+            maxBytes: optionalNumber(args, "maxBytes"),
+        });
     },
-    async 'fs.write'(args) {
-        return fsWrite(requireString(args, 'path'), requireString(args, 'content'));
+    async "fs.write"(args) {
+        return fsWrite(requireString(args, "path"), requireString(args, "content"));
     },
-    async 'fs.list'(args) {
-        return fsList(optionalString(args, 'path') ?? process.cwd());
+    async "fs.list"(args) {
+        return fsList(optionalString(args, "path") ?? process.cwd(), {
+            maxEntries: optionalNumber(args, "maxEntries"),
+        });
     },
-    async 'fs.search'(args) {
-        return fsSearch(requireString(args, 'pattern'), optionalString(args, 'path'));
+    async "fs.search"(args) {
+        return fsSearch(requireString(args, "pattern"), optionalString(args, "path"));
     },
-    async 'pkg.install'(args, options) {
-        const tool = safeToolName(requireString(args, 'tool'));
+    async "pkg.install"(args, options) {
+        const tool = assertSafePackageName(requireString(args, "tool"));
         const pkgmgr = await detectPackageManager();
-        return shellExec({ command: pkgmgr.installCommand(tool), signal: options?.signal, onOutput: options?.onOutput });
+        const spec = pkgmgr.installArgv(tool);
+        if (!spec) {
+            // Unknown manager: fall back to an instructional message instead of
+            // executing a malformed shell string.
+            return { ok: false, output: pkgmgr.installCommand(tool), exitCode: 1 };
+        }
+        return spawnArgv({
+            command: spec.command,
+            argv: spec.argv,
+            timeoutMs: 600_000,
+            signal: options?.signal,
+            onOutput: options?.onOutput,
+        });
     },
-    async 'net.scan'(args, options) {
-        const target = safeTarget(requireString(args, 'target'));
-        const ports = optionalString(args, 'ports');
-        const flags = safeFlagTokens(optionalString(args, 'flags') ?? '');
-        const argv = ports
-            ? ['-p', safePorts(ports), ...flags, target]
-            : [...flags, target];
-        return shellExec({ command: 'nmap', argv, shell: false, timeoutMs: 300_000, signal: options?.signal, onOutput: options?.onOutput });
+    async "net.scan"(args, options) {
+        const host = parseHost(requireString(args, "target"));
+        const portsRaw = optionalString(args, "ports");
+        const ports = portsRaw ? parsePortSpec(portsRaw) : undefined;
+        const profile = args.profile &&
+            typeof args.profile === "object" &&
+            !Array.isArray(args.profile)
+            ? args.profile
+            : undefined;
+        const legacyFlags = optionalString(args, "flags");
+        const profileArgs = profileToNmapArgs(profile);
+        const legacyArgs = legacyFlags ? parseLegacyFlags(legacyFlags) : [];
+        const argv = [];
+        if (ports)
+            argv.push("-p", ports);
+        argv.push(...profileArgs, ...legacyArgs, host.value);
+        return spawnArgv({
+            command: "nmap",
+            argv,
+            timeoutMs: 300_000,
+            signal: options?.signal,
+            onOutput: options?.onOutput,
+        });
     },
-    async 'http.fetch'(args, options) {
-        const headers = args.headers && typeof args.headers === 'object' && !Array.isArray(args.headers)
+    async "http.fetch"(args) {
+        const headers = args.headers &&
+            typeof args.headers === "object" &&
+            !Array.isArray(args.headers)
             ? args.headers
             : undefined;
-        return httpFetch(requireString(args, 'url'), {
-            method: optionalString(args, 'method'),
-            body: optionalString(args, 'body'),
+        return httpFetch(requireString(args, "url"), {
+            method: optionalString(args, "method"),
+            body: optionalString(args, "body"),
             headers,
-            maxBytes: optionalNumber(args, 'maxBytes'),
-            signal: options?.signal,
+            maxBytes: optionalNumber(args, "maxBytes"),
+            iOwnThis: args.iOwnThis === true || args.own === true,
         });
     },
     async sysinfo() {
         return { ok: true, output: JSON.stringify(detectSystem(), null, 2) };
     },
-    async 'pentest.recon'(args, options) {
-        const target = safeTarget(requireString(args, 'target'));
-        const commands = [
-            { command: 'whois', argv: [target] },
-            { command: 'dig', argv: [target, 'ANY', '+noall', '+answer'] },
-            { command: 'nmap', argv: ['-sV', '--top-ports', '100', target] },
+    async "pentest.recon"(args, options) {
+        const host = parseHost(requireString(args, "target"));
+        const steps = [
+            { command: "whois", argv: [host.value] },
+            { command: "dig", argv: [host.value, "ANY", "+noall", "+answer"] },
+            { command: "nmap", argv: ["-sV", "--top-ports", "100", host.value] },
         ];
         const outputs = [];
-        for (const { command, argv } of commands) {
+        for (const step of steps) {
             if (options?.signal?.aborted)
                 break;
+            const display = `${step.command} ${step.argv.join(" ")}`;
             // Announce each sub-step so users see progress through long recons.
-            const label = commandLabel(command, argv);
-            options?.onOutput?.(`\n$ ${label}\n`, "stdout");
-            const result = await shellExec({ command, argv, shell: false, timeoutMs: 180_000, signal: options?.signal, onOutput: options?.onOutput });
-            outputs.push(`$ ${label}\n${result.output}`);
+            options?.onOutput?.(`\n$ ${display}\n`, "stdout");
+            const result = await spawnArgv({
+                command: step.command,
+                argv: step.argv,
+                timeoutMs: 180_000,
+                signal: options?.signal,
+                onOutput: options?.onOutput,
+            });
+            outputs.push(result.output);
             if (options?.signal?.aborted)
                 break;
         }
         return {
             ok: !options?.signal?.aborted,
-            output: options?.signal?.aborted ? `${outputs.join('\n\n')}\n\nCommand aborted.`.trim() : outputs.join('\n\n'),
+            output: options?.signal?.aborted
+                ? `${outputs.join("\n\n")}\n\nCommand aborted.`.trim()
+                : outputs.join("\n\n"),
             exitCode: options?.signal?.aborted ? 130 : 0,
         };
     },
+    async "tool.batch"(args, options) {
+        return runToolBatch(args, options);
+    },
 };
 export function availableToolNames() {
     return Object.keys(toolRegistry);
@@ -130,4 +152,126 @@ export async function runToolCall(call, options = {}) {
     }
     return handler(call.args, options);
 }
+/**
+ * Tools that `tool.batch` is allowed to invoke. Limited to read-only
+ * operations so the batch runner cannot escalate into shell execution
+ * or mutating HTTP methods. http.fetch is allowed but downstream
+ * GET/HEAD enforcement still happens in the classifier when individual
+ * calls are routed.
+ */
+const BATCH_SAFE_TOOLS = new Set([
+    "fs.read",
+    "fs.list",
+    "fs.search",
+    "http.fetch",
+    "sysinfo",
+]);
+const BATCH_MAX_CALLS = 8;
+const BATCH_DEFAULT_CONCURRENCY = 3;
+const BATCH_MAX_CONCURRENCY = 4;
+function parseBatchCalls(value) {
+    if (!Array.isArray(value)) {
+        throw new Error("tool.batch expects { calls: [{name, args}, ...] }");
+    }
+    if (value.length === 0) {
+        throw new Error("tool.batch requires at least one call");
+    }
+    if (value.length > BATCH_MAX_CALLS) {
+        throw new Error(`tool.batch accepts at most ${BATCH_MAX_CALLS} calls per invocation`);
+    }
+    return value.map((entry, index) => {
+        if (!entry ||
+            typeof entry !== "object" ||
+            Array.isArray(entry) ||
+            typeof entry.name !== "string" ||
+            typeof entry.args !== "object" ||
+            entry.args === null) {
+            throw new Error(`tool.batch call #${index} must be { name: string, args: object }`);
+        }
+        const { name, args } = entry;
+        if (!BATCH_SAFE_TOOLS.has(name)) {
+            throw new Error(`tool.batch refuses to run "${name}" — only read-only tools are allowed (${[...BATCH_SAFE_TOOLS].join(", ")})`);
+        }
+        return { name, args };
+    });
+}
+async function runWithLimit(items, limit, worker) {
+    const queue = items.map((item, index) => ({ item, index }));
+    const runners = [];
+    for (let n = 0; n < Math.min(limit, queue.length); n += 1) {
+        runners.push((async () => {
+            while (queue.length > 0) {
+                const next = queue.shift();
+                if (!next)
+                    break;
+                await worker(next.item, next.index);
+            }
+        })());
+    }
+    await Promise.all(runners);
+}
+async function runToolBatch(args, options) {
+    const calls = parseBatchCalls(args.calls);
+    // Re-classify each child call so confirm/block tools (eg http.fetch POST,
+    // public scans without scope) cannot ride in on tool.batch's safe label.
+    const scope = await loadScope().catch(() => undefined);
+    for (const spec of calls) {
+        const decision = classifyToolCall({ name: spec.name, args: spec.args }, { scope });
+        if (decision.level !== "safe") {
+            throw new Error(`tool.batch refuses ${spec.name}: ${decision.reason} (only safe-classified calls are allowed inside a batch)`);
+        }
+    }
+    const concurrency = Math.max(1, Math.min(typeof args.concurrency === "number"
+        ? Math.floor(args.concurrency)
+        : BATCH_DEFAULT_CONCURRENCY, BATCH_MAX_CONCURRENCY));
+    const outcomes = new Array(calls.length);
+    await runWithLimit(calls, concurrency, async (spec, index) => {
+        if (options?.signal?.aborted) {
+            outcomes[index] = {
+                index,
+                name: spec.name,
+                ok: false,
+                output: "Aborted before execution.",
+                exitCode: 130,
+            };
+            return;
+        }
+        try {
+            const result = await runToolCall({ name: spec.name, args: spec.args }, 
+            // Skip onOutput streaming: batch results are summarized after all
+            // members complete to keep the live preview readable.
+            { signal: options?.signal });
+            outcomes[index] = {
+                index,
+                name: spec.name,
+                ok: result.ok,
+                output: result.output,
+                exitCode: result.exitCode,
+            };
+        }
+        catch (error) {
+            outcomes[index] = {
+                index,
+                name: spec.name,
+                ok: false,
+                output: "",
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    });
+    const allOk = outcomes.every((outcome) => outcome.ok);
+    const sections = outcomes.map((outcome) => {
+        const status = outcome.ok ? "ok" : "fail";
+        const head = `── #${outcome.index + 1} ${outcome.name} [${status}${outcome.exitCode !== undefined ? ` exit=${outcome.exitCode}` : ""}]`;
+        const body = outcome.error
+            ? `error: ${outcome.error}`
+            : outcome.output.trim();
+        return `${head}\n${body}`;
+    });
+    return {
+        ok: allOk,
+        output: sections.join("\n\n"),
+        exitCode: allOk ? 0 : 1,
+    };
+}
 //# sourceMappingURL=registry.js.map