@pentoshi/clai 0.6.0 → 0.7.1

package/dist/tools/http.js

@@ -1,48 +1,187 @@
+import net from "node:net";
+import { lookup } from "node:dns/promises";
+const DEFAULT_MAX_BYTES = 256 * 1024;
+const ALLOWED_METHODS = new Set([
+    "GET",
+    "HEAD",
+    "POST",
+    "PUT",
+    "PATCH",
+    "DELETE",
+    "OPTIONS",
+]);
+/**
+ * Block (or require explicit ownership confirmation for) requests that
+ * target loopback, private, link-local, or cloud-metadata addresses.
+ * This stops the agent from being tricked into SSRF against the host's
+ * intranet via a "fetch this URL" prompt.
+ */
+function isBlockedAddress(host) {
+    const lower = host.toLowerCase();
+    if (lower === "localhost" || lower === "localhost.localdomain")
+        return true;
+    if (lower === "ip6-localhost" || lower === "ip6-loopback")
+        return true;
+    if (net.isIPv4(host)) {
+        const parts = host.split(".").map((p) => Number(p));
+        const [a, b] = parts;
+        if (a === 127)
+            return true; // loopback
+        if (a === 10)
+            return true; // RFC1918
+        if (a === 172 && b !== undefined && b >= 16 && b <= 31)
+            return true; // RFC1918
+        if (a === 192 && b === 168)
+            return true; // RFC1918
+        if (a === 169 && b === 254)
+            return true; // link-local + cloud metadata
+        if (a === 0)
+            return true; // 0.0.0.0/8
+        if (a === 100 && b !== undefined && b >= 64 && b <= 127)
+            return true; // CGNAT
+        return false;
+    }
+    if (net.isIPv6(host)) {
+        if (lower === "::1")
+            return true;
+        if (lower.startsWith("fe80:"))
+            return true; // link-local
+        if (lower.startsWith("fc") || lower.startsWith("fd"))
+            return true; // ULA
+        if (lower.startsWith("::ffff:")) {
+            // IPv4-mapped IPv6 — re-check the embedded v4 address.
+            const v4 = lower.slice("::ffff:".length);
+            return isBlockedAddress(v4);
+        }
+        return false;
+    }
+    return false;
+}
+async function resolveHost(host) {
+    if (net.isIP(host))
+        return host;
+    try {
+        const result = await lookup(host);
+        return result.address;
+    }
+    catch {
+        return undefined;
+    }
+}
 export async function httpFetch(url, options = {}) {
-    const init = {
-        method: options.method ?? "GET",
-        body: options.body ?? null,
-    };
+    let target;
+    try {
+        target = new URL(url);
+    }
+    catch {
+        return { ok: false, output: `Invalid URL: ${url}`, exitCode: 1 };
+    }
+    if (target.protocol !== "http:" && target.protocol !== "https:") {
+        return {
+            ok: false,
+            output: `Refusing non-http(s) scheme: ${target.protocol}`,
+            exitCode: 1,
+        };
+    }
+    const method = (options.method ?? "GET").toUpperCase();
+    if (!ALLOWED_METHODS.has(method)) {
+        return {
+            ok: false,
+            output: `Unsupported HTTP method: ${method}`,
+            exitCode: 1,
+        };
+    }
+    // SSRF guard: refuse loopback/private/link-local/metadata destinations
+    // unless the caller explicitly attested ownership of the target.
+    const hostname = target.hostname.replace(/^\[|\]$/g, "");
+    const literalBlocked = isBlockedAddress(hostname);
+    let resolvedBlocked = false;
+    if (!literalBlocked) {
+        const resolved = await resolveHost(hostname);
+        resolvedBlocked = Boolean(resolved && isBlockedAddress(resolved));
+    }
+    if ((literalBlocked || resolvedBlocked) && !options.iOwnThis) {
+        return {
+            ok: false,
+            output: `Refusing to fetch private/loopback/metadata address ${hostname}. Pass iOwnThis=true to override.`,
+            exitCode: 1,
+        };
+    }
+    const init = { method };
+    if (options.body !== undefined && method !== "GET" && method !== "HEAD") {
+        init.body = options.body;
+    }
     if (options.headers) {
         init.headers = options.headers;
     }
-    const response = await fetch(url, { ...init, signal: options.signal ?? null });
-    const limit = options.maxBytes ?? 256_000;
-    const chunks = [];
+    let response;
+    try {
+        response = await fetch(url, init);
+    }
+    catch (error) {
+        return {
+            ok: false,
+            output: `Network error: ${error instanceof Error ? error.message : String(error)}`,
+            exitCode: 1,
+        };
+    }
+    const limit = options.maxBytes ?? DEFAULT_MAX_BYTES;
+    const decoder = new TextDecoder("utf-8", { fatal: false });
+    let collected = "";
     let bytesRead = 0;
     let truncated = false;
     const reader = response.body?.getReader();
     if (reader) {
-        while (bytesRead < limit) {
-            const { done, value } = await reader.read();
-            if (done)
-                break;
-            const remaining = limit - bytesRead;
-            if (value.byteLength > remaining) {
-                chunks.push(value.subarray(0, remaining));
-                bytesRead += remaining;
-                truncated = true;
-                await reader.cancel().catch(() => undefined);
-                break;
+        try {
+            while (bytesRead < limit) {
+                const { done, value } = await reader.read();
+                if (done)
+                    break;
+                if (!value)
+                    continue;
+                const remaining = limit - bytesRead;
+                if (value.byteLength > remaining) {
+                    collected += decoder.decode(value.subarray(0, remaining), { stream: true });
+                    bytesRead += remaining;
+                    truncated = true;
+                    try {
+                        await reader.cancel();
+                    }
+                    catch {
+                        // ignore — we're abandoning the body deliberately
+                    }
+                    break;
+                }
+                collected += decoder.decode(value, { stream: true });
+                bytesRead += value.byteLength;
             }
-            chunks.push(value);
-            bytesRead += value.byteLength;
+            collected += decoder.decode();
         }
-        if (bytesRead >= limit)
-            truncated = true;
-    }
-    const text = new TextDecoder().decode(Buffer.concat(chunks));
-    const headerPreview = [
-        `status=${response.status}`,
-        `content-type=${response.headers.get("content-type") ?? "unknown"}`,
-        `bytes=${bytesRead}${truncated ? "+" : ""}`,
-    ].join(" ");
+        finally {
+            try {
+                reader.releaseLock();
+            }
+            catch {
+                // already released
+            }
+        }
+    }
+    else {
+        // No streaming body (eg HEAD or empty 204). Fall through with empty text.
+        collected = "";
+    }
+    const headerLines = [];
+    response.headers.forEach((v, k) => headerLines.push(`${k}: ${v}`));
+    const headerBlock = headerLines.length > 0 ? `Headers:\n${headerLines.join("\n")}\n\n` : "";
+    const truncNote = truncated
+        ? `\n... (truncated at ${limit.toLocaleString()} bytes)`
+        : "";
+    const body = method === "HEAD" ? "" : collected;
     return {
         ok: response.ok,
-        output: `${headerPreview}\n${text}${truncated ? `\n... response truncated at ${limit} bytes ...` : ""}`,
+        output: `${response.status} ${response.statusText} ${response.url}\n${headerBlock}${body}${truncNote}`,
         exitCode: response.status,
         truncated,
-        stats: { bytesRead, bytesShown: bytesRead },
     };
 }
 //# sourceMappingURL=http.js.map

package/dist/tools/http.js.map

@@ -1 +1 @@
-{"version":3,"file":"http.js","sourceRoot":"","sources":["../../src/tools/http.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,GAAW,EACX,UAMI,EAAE;IAEN,MAAM,IAAI,GAAgB;QACxB,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK;QAC/B,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,IAAI;KAC3B,CAAC;IACF,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IACjC,CAAC;IACD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;IAC/E,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC;IAC1C,MAAM,MAAM,GAAiB,EAAE,CAAC;IAChC,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC;IAC1C,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,SAAS,GAAG,KAAK,EAAE,CAAC;YACzB,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;YAC5C,IAAI,IAAI;gBAAE,MAAM;YAChB,MAAM,SAAS,GAAG,KAAK,GAAG,SAAS,CAAC;YACpC,IAAI,KAAK,CAAC,UAAU,GAAG,SAAS,EAAE,CAAC;gBACjC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC;gBAC1C,SAAS,IAAI,SAAS,CAAC;gBACvB,SAAS,GAAG,IAAI,CAAC;gBACjB,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;gBAC7C,MAAM;YACR,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACnB,SAAS,IAAI,KAAK,CAAC,UAAU,CAAC;QAChC,CAAC;QACD,IAAI,SAAS,IAAI,KAAK;YAAE,SAAS,GAAG,IAAI,CAAC;IAC3C,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;IAC7D,MAAM,aAAa,GAAG;QACpB,UAAU,QAAQ,CAAC,MAAM,EAAE;QAC3B,gBAAgB,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,SAAS,EAAE;QACnE,SAAS,SAAS,GAAG,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;KAC5C,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACZ,OAAO;QACL,EAAE,EAAE,QAAQ,CAAC,EAAE;QACf,MAAM,EAAE,GAAG,aAAa,KAAK,IAAI,GAAG,SAAS,CAAC,CAAC,CAAC,+BAA+B,KAAK,YAAY,CAAC,CAAC,CAAC,EAAE,EAAE;QACvG,QAAQ,EAAE,QAAQ,CAAC,MAAM;QACzB,SAAS;QACT,KAAK,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE;KAC5C,CAAC;AACJ,CAAC"}
+{"version":3,"file":"http.js","sourceRoot":"","sources":["../../src/tools/http.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,UAAU,CAAC;AAC3B,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAG3C,MAAM,iBAAiB,GAAG,GAAG,GAAG,IAAI,CAAC;AACrC,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC;IAC9B,KAAK;IACL,MAAM;IACN,MAAM;IACN,KAAK;IACL,OAAO;IACP,QAAQ;IACR,SAAS;CACV,CAAC,CAAC;AAEH;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,IAAY;IACpC,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,IAAI,KAAK,KAAK,WAAW,IAAI,KAAK,KAAK,uBAAuB;QAAE,OAAO,IAAI,CAAC;IAC5E,IAAI,KAAK,KAAK,eAAe,IAAI,KAAK,KAAK,cAAc;QAAE,OAAO,IAAI,CAAC;IACvE,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QACrB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QACpD,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC;QACrB,IAAI,CAAC,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC,CAAC,WAAW;QACvC,IAAI,CAAC,KAAK,EAAE;YAAE,OAAO,IAAI,CAAC,CAAC,UAAU;QACrC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;YAAE,OAAO,IAAI,CAAC,CAAC,UAAU;QAC/E,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC,CAAC,UAAU;QACnD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC,CAAC,8BAA8B;QACvE,IAAI,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC,CAAC,YAAY;QACtC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,GAAG;YAAE,OAAO,IAAI,CAAC,CAAC,QAAQ;QAC9E,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QACrB,IAAI,KAAK,KAAK,KAAK;YAAE,OAAO,IAAI,CAAC;QACjC,IAAI,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC,CAAC,aAAa;QACzD,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC,CAAC,MAAM;QACzE,IAAI,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAChC,uDAAuD;YACvD,MAAM,EAAE,GAAG,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YACzC,OAAO,gBAAgB,CAAC,EAAE,CAAC,CAAC;QAC9B,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,IAAY;IACrC,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAChC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;QAClC,OAAO,MAAM,CAAC,OAAO,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAUD,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,GAAW,EACX,UAAwB,EAAE;IAE1B,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,GAAG,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;IACnE,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAChE,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,gCAAgC,MAAM,CAAC,QAAQ,EAAE;YACzD,QAAQ,EAAE,CAAC;SACZ,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;IACvD,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QACjC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,4BAA4B,MAAM,EAAE;YAC5C,QAAQ,EAAE,CAAC;SACZ,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,iEAAiE;IACjE,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IACzD,MAAM,cAAc,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAClD,IAAI,eAAe,GAAG,KAAK,CAAC;IAC5B,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC,CAAC;QAC7C,eAAe,GAAG,OAAO,CAAC,QAAQ,IAAI,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;IACpE,CAAC;IACD,IAAI,CAAC,cAAc,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QAC7D,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,uDAAuD,QAAQ,mCAAmC;YAC1G,QAAQ,EAAE,CAAC;SACZ,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAgB,EAAE,MAAM,EAAE,CAAC;IACrC,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACxE,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAC3B,CAAC;IACD,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IACjC,CAAC;IAED,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACpC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,kBAAkB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;YAClF,QAAQ,EAAE,CAAC;SACZ,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,IAAI,iBAAiB,CAAC;IACpD,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IAC3D,IAAI,SAAS,GAAG,EAAE,CAAC;IACnB,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC;IAC1C,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC;YACH,OAAO,SAAS,GAAG,KAAK,EAAE,CAAC;gBACzB,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;gBAC5C,IAAI,IAAI;oBAAE,MAAM;gBAChB,IAAI,CAAC,KAAK;oBAAE,SAAS;gBACrB,MAAM,SAAS,GAAG,KAAK,GAAG,SAAS,CAAC;gBACpC,IAAI,KAAK,CAAC,UAAU,GAAG,SAAS,EAAE,CAAC;oBACjC,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,SAAS,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;oBAC5E,SAAS,IAAI,SAAS,CAAC;oBACvB,SAAS,GAAG,IAAI,CAAC;oBACjB,IAAI,CAAC;wBACH,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC;oBACxB,CAAC;oBAAC,MAAM,CAAC;wBACP,kDAAkD;oBACpD,CAAC;oBACD,MAAM;gBACR,CAAC;gBACD,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;gBACrD,SAAS,IAAI,KAAK,CAAC,UAAU,CAAC;YAChC,CAAC;YACD,SAAS,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QAChC,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC;gBACH,MAAM,CAAC,WAAW,EAAE,CAAC;YACvB,CAAC;YAAC,MAAM,CAAC;gBACP,mBAAmB;YACrB,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,0EAA0E;QAC1E,SAAS,GAAG,EAAE,CAAC;IACjB,CAAC;IAED,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;IACnE,MAAM,WAAW,GAAG,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,aAAa,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;IAC5F,MAAM,SAAS,GAAG,SAAS;QACzB,CAAC,CAAC,uBAAuB,KAAK,CAAC,cAAc,EAAE,SAAS;QACxD,CAAC,CAAC,EAAE,CAAC;IACP,MAAM,IAAI,GAAG,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAEhD,OAAO;QACL,EAAE,EAAE,QAAQ,CAAC,EAAE;QACf,MAAM,EAAE,GAAG,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,IAAI,QAAQ,CAAC,GAAG,KAAK,WAAW,GAAG,IAAI,GAAG,SAAS,EAAE;QACtG,QAAQ,EAAE,QAAQ,CAAC,MAAM;QACzB,SAAS;KACV,CAAC;AACJ,CAAC"}

package/dist/tools/policies/output-policy.d.ts

@@ -0,0 +1,13 @@
+import type { Reducer, ReducerOutput } from "../reducers/types.js";
+interface PolicyContext {
+    toolName: string;
+    command?: string | undefined;
+    argv?: string[] | undefined;
+}
+/**
+ * Pick a reducer based on (a) the tool name and (b) what binary is being
+ * invoked. Falls back to the generic line-ranking reducer.
+ */
+export declare function pickReducer(context: PolicyContext): Reducer;
+export declare function reduceToolOutput(raw: string, context: PolicyContext): ReducerOutput;
+export {};

package/dist/tools/policies/output-policy.js

@@ -0,0 +1,56 @@
+import { ffufReducer } from "../reducers/ffuf.js";
+import { genericReducer } from "../reducers/generic.js";
+import { gobusterReducer } from "../reducers/gobuster.js";
+import { httpxReducer } from "../reducers/httpx.js";
+import { nmapReducer } from "../reducers/nmap.js";
+import { nucleiReducer } from "../reducers/nuclei.js";
+import { sqlmapReducer } from "../reducers/sqlmap.js";
+import { subdomainsReducer } from "../reducers/subdomains.js";
+function commandHead(command) {
+    return command.trim().split(/\s+/)[0]?.replace(/^.*\//, "") ?? "";
+}
+/**
+ * Pick a reducer based on (a) the tool name and (b) what binary is being
+ * invoked. Falls back to the generic line-ranking reducer.
+ */
+export function pickReducer(context) {
+    if (context.toolName === "net.scan" || context.toolName === "pentest.recon") {
+        // Both produce nmap-style text; for recon we still want nmap-shaped parsing
+        // for the nmap sub-step.
+        return nmapReducer;
+    }
+    const head = context.command ? commandHead(context.command) : "";
+    switch (head) {
+        case "nmap":
+            return nmapReducer;
+        case "ffuf":
+            return ffufReducer;
+        case "gobuster":
+        case "feroxbuster":
+        case "dirb":
+        case "dirsearch":
+            return gobusterReducer;
+        case "subfinder":
+        case "amass":
+        case "sublist3r":
+        case "assetfinder":
+            return subdomainsReducer;
+        case "httpx":
+        case "httprobe":
+            return httpxReducer;
+        case "nuclei":
+            return nucleiReducer;
+        case "sqlmap":
+            return sqlmapReducer;
+        default:
+            return genericReducer;
+    }
+}
+export function reduceToolOutput(raw, context) {
+    const reducer = pickReducer(context);
+    return reducer(raw, {
+        command: context.command ?? context.toolName,
+        argv: context.argv,
+    });
+}
+//# sourceMappingURL=output-policy.js.map

package/dist/tools/policies/output-policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"output-policy.js","sourceRoot":"","sources":["../../../src/tools/policies/output-policy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAS9D,SAAS,WAAW,CAAC,OAAe;IAClC,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC;AACpE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,OAAsB;IAChD,IAAI,OAAO,CAAC,QAAQ,KAAK,UAAU,IAAI,OAAO,CAAC,QAAQ,KAAK,eAAe,EAAE,CAAC;QAC5E,4EAA4E;QAC5E,yBAAyB;QACzB,OAAO,WAAW,CAAC;IACrB,CAAC;IACD,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACjE,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,MAAM;YACT,OAAO,WAAW,CAAC;QACrB,KAAK,MAAM;YACT,OAAO,WAAW,CAAC;QACrB,KAAK,UAAU,CAAC;QAChB,KAAK,aAAa,CAAC;QACnB,KAAK,MAAM,CAAC;QACZ,KAAK,WAAW;YACd,OAAO,eAAe,CAAC;QACzB,KAAK,WAAW,CAAC;QACjB,KAAK,OAAO,CAAC;QACb,KAAK,WAAW,CAAC;QACjB,KAAK,aAAa;YAChB,OAAO,iBAAiB,CAAC;QAC3B,KAAK,OAAO,CAAC;QACb,KAAK,UAAU;YACb,OAAO,YAAY,CAAC;QACtB,KAAK,QAAQ;YACX,OAAO,aAAa,CAAC;QACvB,KAAK,QAAQ;YACX,OAAO,aAAa,CAAC;QACvB;YACE,OAAO,cAAc,CAAC;IAC1B,CAAC;AACH,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,GAAW,EACX,OAAsB;IAEtB,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IACrC,OAAO,OAAO,CAAC,GAAG,EAAE;QAClB,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,QAAQ;QAC5C,IAAI,EAAE,OAAO,CAAC,IAAI;KACnB,CAAC,CAAC;AACL,CAAC"}

package/dist/tools/reducers/ffuf.d.ts

@@ -0,0 +1,6 @@
+import type { Reducer } from "./types.js";
+/**
+ * ffuf supports JSON output (`-of json`) but the default is plain text. We
+ * parse both, group by status, and surface the most interesting clusters.
+ */
+export declare const ffufReducer: Reducer;

package/dist/tools/reducers/ffuf.js

@@ -0,0 +1,74 @@
+const LINE_RE = /^([^\s]+)\s+\[Status:\s*(\d+),\s*Size:\s*(\d+),\s*Words:\s*(\d+),\s*Lines:\s*(\d+).*\]/;
+/**
+ * ffuf supports JSON output (`-of json`) but the default is plain text. We
+ * parse both, group by status, and surface the most interesting clusters.
+ */
+export const ffufReducer = (raw) => {
+    const results = [];
+    // Try JSON first (works when the agent already used `-of json`).
+    const jsonStart = raw.indexOf("{");
+    if (jsonStart >= 0) {
+        try {
+            const parsed = JSON.parse(raw.slice(jsonStart));
+            if (parsed.results) {
+                for (const r of parsed.results)
+                    results.push(r);
+            }
+        }
+        catch {
+            // fall through to text parsing
+        }
+    }
+    if (results.length === 0) {
+        for (const line of raw.split(/\r?\n/)) {
+            const match = LINE_RE.exec(line);
+            if (!match)
+                continue;
+            results.push({
+                url: match[1],
+                status: Number(match[2]),
+                length: Number(match[3]),
+                words: Number(match[4]),
+                lines: Number(match[5]),
+            });
+        }
+    }
+    if (results.length === 0) {
+        return { summary: "# ffuf — no results parsed" };
+    }
+    // Cluster by (status, length) so likely-templated wildcard responses fold up.
+    const clusters = new Map();
+    for (const r of results) {
+        const key = `${r.status ?? "?"}:${r.length ?? "?"}`;
+        const c = clusters.get(key) ??
+            { status: r.status, length: r.length, samples: [] };
+        c.samples.push(r);
+        clusters.set(key, c);
+    }
+    const sorted = [...clusters.values()].sort((a, b) => b.samples.length - a.samples.length);
+    const lines = [
+        `# ffuf reduced summary — ${results.length} result(s), ${clusters.size} (status,length) cluster(s)`,
+    ];
+    for (const c of sorted.slice(0, 25)) {
+        lines.push("");
+        lines.push(`## status=${c.status ?? "?"} length=${c.length ?? "?"} — ${c.samples.length} hit(s)`);
+        for (const sample of c.samples.slice(0, 5)) {
+            lines.push(`- ${sample.url ?? JSON.stringify(sample.input)}`);
+        }
+        if (c.samples.length > 5) {
+            lines.push(`- ... ${c.samples.length - 5} more`);
+        }
+    }
+    return {
+        summary: lines.join("\n"),
+        findings: {
+            total: results.length,
+            clusters: sorted.map((c) => ({
+                status: c.status,
+                length: c.length,
+                count: c.samples.length,
+            })),
+        },
+    };
+};
+//# sourceMappingURL=ffuf.js.map

package/dist/tools/reducers/ffuf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ffuf.js","sourceRoot":"","sources":["../../../src/tools/reducers/ffuf.ts"],"names":[],"mappings":"AAiBA,MAAM,OAAO,GACX,wFAAwF,CAAC;AAE3F;;;GAGG;AACH,MAAM,CAAC,MAAM,WAAW,GAAY,CAAC,GAAG,EAAiB,EAAE;IACzD,MAAM,OAAO,GAAiB,EAAE,CAAC;IACjC,iEAAiE;IACjE,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAa,CAAC;YAC5D,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO;oBAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,+BAA+B;QACjC,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;YACtC,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,CAAC,KAAK;gBAAE,SAAS;YACrB,OAAO,CAAC,IAAI,CAAC;gBACX,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;gBACb,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBACxB,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBACxB,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBACvB,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;aACxB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,OAAO,EAAE,4BAA4B,EAAE,CAAC;IACnD,CAAC;IAED,8EAA8E;IAC9E,MAAM,QAAQ,GAAG,IAAI,GAAG,EAGrB,CAAC;IACJ,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;QACpD,MAAM,CAAC,GACL,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;YAChB,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,EAIhD,CAAC;QACL,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IACvB,CAAC;IACD,MAAM,MAAM,GAAG,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CACxC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,CAC9C,CAAC;IACF,MAAM,KAAK,GAAa;QACtB,4BAA4B,OAAO,CAAC,MAAM,eAAe,QAAQ,CAAC,IAAI,6BAA6B;KACpG,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;QACpC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CACR,aAAa,CAAC,CAAC,MAAM,IAAI,GAAG,WAAW,CAAC,CAAC,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,OAAO,CAAC,MAAM,SAAS,CACtF,CAAC;QACF,KAAK,MAAM,MAAM,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;YAC3C,KAAK,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,CAAC,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IACD,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;QACzB,QAAQ,EAAE;YACR,KAAK,EAAE,OAAO,CAAC,MAAM;YACrB,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC3B,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM;aACxB,CAAC,CAAC;SACJ;KACF,CAAC;AACJ,CAAC,CAAC"}

package/dist/tools/reducers/generic.d.ts

@@ -0,0 +1,2 @@
+import type { Reducer } from "./types.js";
+export declare const genericReducer: Reducer;

package/dist/tools/reducers/generic.js

@@ -0,0 +1,60 @@
+/**
+ * Catch-all reducer that ranks lines by signal so important findings survive
+ * truncation. Used when no command-specific reducer matches.
+ */
+const SIGNAL_PATTERNS = [
+    { tag: "credential", re: /\b(?:password|passwd|secret|token|api[_-]?key|bearer)\b/i, weight: 5 },
+    { tag: "vulnerable", re: /\b(?:vulnerable|exploitable|exploit|cve-\d{4}-\d+)/i, weight: 5 },
+    { tag: "error", re: /\b(?:error|failed|denied|forbidden|refused|fatal)\b/i, weight: 4 },
+    { tag: "success", re: /\b(?:found|success|matched|positive|admin)\b/i, weight: 3 },
+    { tag: "open-port", re: /\b\d+\/(?:tcp|udp)\s+open\b/i, weight: 3 },
+    { tag: "http-2xx", re: /\s2\d{2}\b/, weight: 2 },
+    { tag: "http-403", re: /\s403\b/, weight: 2 },
+    { tag: "warning", re: /\bwarning\b/i, weight: 1 },
+];
+function scoreLine(line) {
+    let score = 0;
+    const tags = [];
+    for (const pattern of SIGNAL_PATTERNS) {
+        if (pattern.re.test(line)) {
+            score += pattern.weight;
+            tags.push(pattern.tag);
+        }
+    }
+    return { score, tags };
+}
+export const genericReducer = (raw, _ctx) => {
+    const lines = raw.split(/\r?\n/);
+    const scored = lines.map((line, index) => ({
+        line,
+        index,
+        ...scoreLine(line),
+    }));
+    const interesting = scored.filter((x) => x.score > 0);
+    const totalLines = lines.length;
+    if (interesting.length === 0) {
+        // Fall back to head + tail when nothing matched.
+        const head = lines.slice(0, 20).join("\n");
+        const tail = lines.slice(-10).join("\n");
+        return {
+            summary: head + (lines.length > 30 ? `\n... (${lines.length} lines total)\n` : "\n") + tail,
+        };
+    }
+    const topRanked = interesting
+        .sort((a, b) => b.score - a.score || a.index - b.index)
+        .slice(0, 40);
+    const lineSet = new Set(topRanked.map((x) => x.index));
+    // Always include the very last 5 lines so trailing summaries (e.g. "X hosts
+    // up", "scan complete") are not dropped.
+    for (let i = Math.max(0, lines.length - 5); i < lines.length; i++) {
+        lineSet.add(i);
+    }
+    const ordered = [...lineSet].sort((a, b) => a - b);
+    const summaryLines = ordered.map((i) => lines[i]).filter((l) => l !== undefined);
+    const dropped = totalLines - ordered.length;
+    const header = `# Reduced output (${ordered.length} of ${totalLines} lines, ${dropped} omitted)`;
+    return {
+        summary: [header, ...summaryLines].join("\n"),
+    };
+};
+//# sourceMappingURL=generic.js.map

package/dist/tools/reducers/generic.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"generic.js","sourceRoot":"","sources":["../../../src/tools/reducers/generic.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,MAAM,eAAe,GAAuD;IAC1E,EAAE,GAAG,EAAE,YAAY,EAAE,EAAE,EAAE,0DAA0D,EAAE,MAAM,EAAE,CAAC,EAAE;IAChG,EAAE,GAAG,EAAE,YAAY,EAAE,EAAE,EAAE,qDAAqD,EAAE,MAAM,EAAE,CAAC,EAAE;IAC3F,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,sDAAsD,EAAE,MAAM,EAAE,CAAC,EAAE;IACvF,EAAE,GAAG,EAAE,SAAS,EAAE,EAAE,EAAE,+CAA+C,EAAE,MAAM,EAAE,CAAC,EAAE;IAClF,EAAE,GAAG,EAAE,WAAW,EAAE,EAAE,EAAE,8BAA8B,EAAE,MAAM,EAAE,CAAC,EAAE;IACnE,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC,EAAE;IAChD,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,EAAE;IAC7C,EAAE,GAAG,EAAE,SAAS,EAAE,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE,CAAC,EAAE;CAClD,CAAC;AAEF,SAAS,SAAS,CAAC,IAAY;IAC7B,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;QACtC,IAAI,OAAO,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC;YACxB,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACzB,CAAC;AAED,MAAM,CAAC,MAAM,cAAc,GAAY,CAAC,GAAG,EAAE,IAAI,EAAiB,EAAE;IAClE,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACjC,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC;QACzC,IAAI;QACJ,KAAK;QACL,GAAG,SAAS,CAAC,IAAI,CAAC;KACnB,CAAC,CAAC,CAAC;IACJ,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;IACtD,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC;IAChC,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,iDAAiD;QACjD,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3C,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzC,OAAO;YACL,OAAO,EAAE,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,CAAC,MAAM,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,IAAI;SAC5F,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,WAAW;SAC1B,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;SACtD,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAChB,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IACvD,4EAA4E;IAC5E,yCAAyC;IACzC,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACjB,CAAC;IACD,MAAM,OAAO,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACnD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC;IAC9F,MAAM,OAAO,GAAG,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC;IAC5C,MAAM,MAAM,GAAG,qBAAqB,OAAO,CAAC,MAAM,OAAO,UAAU,WAAW,OAAO,WAAW,CAAC;IACjG,OAAO;QACL,OAAO,EAAE,CAAC,MAAM,EAAE,GAAG,YAAY,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;KAC9C,CAAC;AACJ,CAAC,CAAC"}

package/dist/tools/reducers/gobuster.d.ts

@@ -0,0 +1,2 @@
+import type { Reducer } from "./types.js";
+export declare const gobusterReducer: Reducer;

package/dist/tools/reducers/gobuster.js

@@ -0,0 +1,36 @@
+const LINE_RE = /^(?<path>\S+)\s+\(Status:\s*(?<status>\d+)\)\s+\[Size:\s*(?<size>\d+)\]/;
+export const gobusterReducer = (raw) => {
+    const groups = new Map();
+    for (const line of raw.split(/\r?\n/)) {
+        const match = LINE_RE.exec(line);
+        if (!match || !match.groups)
+            continue;
+        const status = Number(match.groups.status);
+        const path = match.groups.path;
+        const size = Number(match.groups.size);
+        const list = groups.get(status) ?? [];
+        list.push({ path, size });
+        groups.set(status, list);
+    }
+    if (groups.size === 0) {
+        return { summary: "# gobuster — no paths discovered" };
+    }
+    const sortedStatuses = [...groups.keys()].sort((a, b) => a - b);
+    const lines = [`# gobuster reduced summary — ${sortedStatuses.length} status code(s)`];
+    for (const status of sortedStatuses) {
+        const entries = groups.get(status);
+        lines.push("");
+        lines.push(`## Status ${status} — ${entries.length} path(s)`);
+        for (const entry of entries.slice(0, 25)) {
+            lines.push(`- ${entry.path} (size=${entry.size})`);
+        }
+        if (entries.length > 25) {
+            lines.push(`- ... ${entries.length - 25} more`);
+        }
+    }
+    return {
+        summary: lines.join("\n"),
+        findings: { byStatus: Object.fromEntries(groups) },
+    };
+};
+//# sourceMappingURL=gobuster.js.map

package/dist/tools/reducers/gobuster.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gobuster.js","sourceRoot":"","sources":["../../../src/tools/reducers/gobuster.ts"],"names":[],"mappings":"AAEA,MAAM,OAAO,GAAG,yEAAyE,CAAC;AAE1F,MAAM,CAAC,MAAM,eAAe,GAAY,CAAC,GAAG,EAAiB,EAAE;IAC7D,MAAM,MAAM,GAAG,IAAI,GAAG,EAAiD,CAAC;IACxE,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QACtC,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,MAAM;YAAE,SAAS;QACtC,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC3C,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,CAAC,IAAK,CAAC;QAChC,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QACtC,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1B,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAC3B,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC;IACzD,CAAC;IACD,MAAM,cAAc,GAAG,CAAC,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAChE,MAAM,KAAK,GAAa,CAAC,gCAAgC,cAAc,CAAC,MAAM,iBAAiB,CAAC,CAAC;IACjG,KAAK,MAAM,MAAM,IAAI,cAAc,EAAE,CAAC;QACpC,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAE,CAAC;QACpC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,aAAa,MAAM,MAAM,OAAO,CAAC,MAAM,UAAU,CAAC,CAAC;QAC9D,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;YACzC,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,IAAI,UAAU,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC;QACrD,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YACxB,KAAK,CAAC,IAAI,CAAC,SAAS,OAAO,CAAC,MAAM,GAAG,EAAE,OAAO,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IACD,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;QACzB,QAAQ,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE;KACnD,CAAC;AACJ,CAAC,CAAC"}

package/dist/tools/reducers/httpx.d.ts

@@ -0,0 +1,2 @@
+import type { Reducer } from "./types.js";
+export declare const httpxReducer: Reducer;

package/dist/tools/reducers/httpx.js

@@ -0,0 +1,38 @@
+export const httpxReducer = (raw) => {
+    const rows = [];
+    for (const line of raw.split(/\r?\n/)) {
+        const trimmed = line.trim();
+        if (!trimmed.startsWith("{"))
+            continue;
+        try {
+            rows.push(JSON.parse(trimmed));
+        }
+        catch {
+            // skip malformed lines
+        }
+    }
+    if (rows.length === 0) {
+        return { summary: "# httpx — no JSONL rows parsed (pass -json to get structured output)" };
+    }
+    const lines = [
+        `# httpx reduced summary — ${rows.length} URL(s)`,
+    ];
+    for (const row of rows.slice(0, 50)) {
+        const url = row.final_url ?? row.url ?? row.input ?? row.host ?? "?";
+        const status = row.status_code ?? row.status ?? "?";
+        const tech = (row.tech ?? row.technologies ?? []).join(", ");
+        const title = row.title ? ` title=${JSON.stringify(row.title)}` : "";
+        const cdn = row.cdn_name ?? row.cdn;
+        const cdnNote = cdn ? ` cdn=${cdn}` : "";
+        const len = row.content_length !== undefined ? ` len=${row.content_length}` : "";
+        lines.push(`- ${url} [${status}]${title}${len}${tech ? ` tech=[${tech}]` : ""}${cdnNote}`);
+    }
+    if (rows.length > 50) {
+        lines.push(`- ... ${rows.length - 50} more in artifact`);
+    }
+    return {
+        summary: lines.join("\n"),
+        findings: { count: rows.length },
+    };
+};
+//# sourceMappingURL=httpx.js.map

package/dist/tools/reducers/httpx.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"httpx.js","sourceRoot":"","sources":["../../../src/tools/reducers/httpx.ts"],"names":[],"mappings":"AAkBA,MAAM,CAAC,MAAM,YAAY,GAAY,CAAC,GAAG,EAAiB,EAAE;IAC1D,MAAM,IAAI,GAAe,EAAE,CAAC;IAC5B,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QACvC,IAAI,CAAC;YACH,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAa,CAAC,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,uBAAuB;QACzB,CAAC;IACH,CAAC;IACD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,EAAE,OAAO,EAAE,sEAAsE,EAAE,CAAC;IAC7F,CAAC;IACD,MAAM,KAAK,GAAa;QACtB,6BAA6B,IAAI,CAAC,MAAM,SAAS;KAClD,CAAC;IACF,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;QACpC,MAAM,GAAG,GAAG,GAAG,CAAC,SAAS,IAAI,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC;QACrE,MAAM,MAAM,GAAG,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC;QACpD,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7D,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACrE,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,GAAG,CAAC;QACpC,MAAM,OAAO,GAAG,GAAG,CAAC,CAAC,CAAC,QAAQ,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACzC,MAAM,GAAG,GAAG,GAAG,CAAC,cAAc,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACjF,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG,KAAK,MAAM,IAAI,KAAK,GAAG,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,EAAE,CAAC,CAAC;IAC7F,CAAC;IACD,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACrB,KAAK,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,MAAM,GAAG,EAAE,mBAAmB,CAAC,CAAC;IAC3D,CAAC;IACD,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;QACzB,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE;KACjC,CAAC;AACJ,CAAC,CAAC"}

package/dist/tools/reducers/nmap.d.ts

@@ -0,0 +1,7 @@
+import type { Reducer } from "./types.js";
+/**
+ * Parse plain "nmap -sV" text output into structured findings. We avoid
+ * forcing -oX here so the agent can still pass any flags it wants — but if
+ * the output looks like XML we just include it verbatim.
+ */
+export declare const nmapReducer: Reducer;