@trenchwork/erosolar 1.1.31 → 1.1.32

package/dist/capabilities/_opsContext.js

@@ -0,0 +1,274 @@
+/**
+ * Operations-Center wiring for offsec capabilities.
+ *
+ * Every offsec tool wrapper (recon / web / llmRedteam / network / mobile)
+ * shares this single helper. It abstracts:
+ *
+ *   • Engagement-scope enforcement (defence-in-depth — the Lambda
+ *     re-checks server-side, but a CLI-side gate trips faster + emits
+ *     a clearer error before any process spawns).
+ *   • Long-running job lifecycle (start → append-log → progress →
+ *     complete) routed through the existing cliJob* Lambda surface,
+ *     which the portal's #jobsList rail listens to via Firestore.
+ *   • HITL approval prompts (cliQuestionCreate / cliQuestionPoll) for
+ *     destructive ops, so the operator can veto from the portal.
+ *   • Findings emission with a unified schema — every tool's output
+ *     normalised so the portal's #findingsList rail renders without
+ *     per-tool special-casing.
+ *
+ * Tools that own a long-running scan should:
+ *
+ *   const job = await opsCtx.startJob({ tool: 'garak', kind: 'llmRedteam',
+ *                                       targetId, cmd: ['garak', ...] });
+ *   for await (const line of job.lines()) {
+ *     await job.appendLog(line);
+ *     const finding = parse(line);
+ *     if (finding) await opsCtx.emitFinding(finding);
+ *   }
+ *   await job.complete('done', { probesRun: N, findingsEmitted: M });
+ *
+ * The `lines()` iterator is backed by the existing Monitor capability
+ * (background spawn + streaming reader). Multiple jobs run concurrently
+ * without blocking the agent loop.
+ */
+import { spawn } from 'node:child_process';
+import { callLambda } from '../utils/lambdaClient.js';
+import { logDebug } from '../utils/debugLogger.js';
+import { ensureBinary } from './_processRunner.js';
+// ── Implementation ────────────────────────────────────────────────
+const FINDING_SEVERITIES = new Set(['info', 'low', 'medium', 'high', 'critical']);
+const FINDING_SOURCES = new Set(['recon', 'web', 'llmRedteam', 'network', 'mobile', 'manual']);
+function validateFindingDraft(d) {
+    if (!FINDING_SOURCES.has(d.source))
+        throw new Error(`invalid finding.source: ${d.source}`);
+    if (!FINDING_SEVERITIES.has(d.severity))
+        throw new Error(`invalid finding.severity: ${d.severity}`);
+    if (typeof d.tool !== 'string' || !d.tool)
+        throw new Error('finding.tool required');
+    if (typeof d.title !== 'string' || !d.title)
+        throw new Error('finding.title required');
+    if (typeof d.replication !== 'string')
+        throw new Error('finding.replication required');
+}
+/**
+ * Engagement scope cache. Reused across many startJob/assertInScope calls
+ * within a single agent turn so we don't hammer Firestore for the same
+ * scope doc. Cleared whenever the engagementId changes.
+ */
+class ScopeCache {
+    cached = null;
+    async load(engagementId) {
+        if (this.cached && this.cached.engagementId === engagementId)
+            return this.cached.scope;
+        const r = await callLambda('cliEngagementGetScope', { engagementId });
+        if (!r.ok)
+            throw new Error(`scope fetch failed: ${r.error}`);
+        const scope = r.result?.scope || { hosts: [], cidrs: [], allowedTools: [] };
+        this.cached = { engagementId, scope };
+        return scope;
+    }
+    invalidate() { this.cached = null; }
+}
+function hostMatchesPattern(host, pattern) {
+    // Exact match.
+    if (host === pattern)
+        return true;
+    // Wildcard pattern like *.example.com.
+    if (pattern.startsWith('*.')) {
+        const suffix = pattern.slice(1); // ".example.com"
+        return host.endsWith(suffix) && host.length > suffix.length;
+    }
+    return false;
+}
+function isInScope(target, scope) {
+    const candidate = (target.host || (target.url && hostFromUrl(target.url)) ||
+        (target.endpoint && hostFromUrl(target.endpoint)) || '').toLowerCase();
+    if (!candidate)
+        return false;
+    if ((scope.deniedHosts || []).some((p) => hostMatchesPattern(candidate, p.toLowerCase())))
+        return false;
+    const hostHits = (scope.hosts || []).some((p) => hostMatchesPattern(candidate, p.toLowerCase()));
+    if (hostHits)
+        return true;
+    // CIDR check is best-effort — if the operator wrote one, we ask the
+    // Lambda to evaluate it (it has the IP-math lib loaded). Local check
+    // here would duplicate logic.
+    return false;
+}
+function hostFromUrl(value) {
+    try {
+        return new URL(value).hostname;
+    }
+    catch {
+        return null;
+    }
+}
+class NodeOpsContext {
+    engagementId;
+    uid;
+    scopeCache = new ScopeCache();
+    constructor(opts = {}) {
+        this.engagementId = opts.engagementId ?? null;
+        this.uid = opts.uid ?? null;
+    }
+    async assertInScope(target) {
+        if (!this.engagementId) {
+            // No engagement selected = no scope. Refuse — the operator must
+            // pick an engagement before any offsec tool fires. This also
+            // means the Lambda's defence-in-depth check has a non-null
+            // engagementId to evaluate against.
+            throw new Error('no engagement selected — pick one in the portal before running offsec tools');
+        }
+        const scope = await this.scopeCache.load(this.engagementId);
+        if (!isInScope(target, scope)) {
+            const t = target.host || target.url || target.endpoint || '<unknown>';
+            throw new Error(`target ${t} is OUT OF SCOPE for engagement ${this.engagementId}. ` +
+                `Edit the engagement scope in the portal before retrying.`);
+        }
+    }
+    async startJob(spec) {
+        // Cross-platform preflight (see _processRunner.ts comment): throws
+        // BinaryMissingError with the install hint for this operator's OS
+        // BEFORE we register a Job doc, so a missing binary doesn't leave
+        // a phantom "running" row in the portal that never completes.
+        await ensureBinary(spec.cmd[0]);
+        if (this.engagementId && (spec.engagementId == null))
+            spec.engagementId = this.engagementId;
+        const r = await callLambda('cliJobStart', {
+            tool: spec.tool, kind: spec.kind,
+            engagementId: spec.engagementId ?? null, targetId: spec.targetId ?? null,
+            status: 'running',
+            cmd: spec.cmd.slice(0, 64), // truncate long argv
+        });
+        if (!r.ok || !r.result?.id)
+            throw new Error(`cliJobStart failed: ${r.error}`);
+        const jobId = r.result.id;
+        const child = spawn(spec.cmd[0], spec.cmd.slice(1), {
+            cwd: spec.cwd, env: { ...process.env, ...(spec.env || {}) },
+            stdio: ['ignore', 'pipe', 'pipe'],
+        });
+        const timeoutMs = spec.timeoutMs ?? 30 * 60 * 1000;
+        const killTimer = setTimeout(() => {
+            try {
+                child.kill('SIGTERM');
+            }
+            catch (_) { }
+            setTimeout(() => { try {
+                child.kill('SIGKILL');
+            }
+            catch (_) { } }, 1500);
+        }, timeoutMs);
+        const handle = {
+            id: jobId,
+            lines: () => readlines(child),
+            appendLog: (line) => callLambda('cliJobAppendLog', { jobId, line: String(line).slice(0, 8 * 1024) })
+                .then((res) => { if (!res.ok)
+                logDebug('[Ops] appendLog failed', res.error); }),
+            setProgress: (pct, lastLine) => callLambda('cliJobUpdate', {
+                id: jobId, pct: Math.max(0, Math.min(100, Math.round(pct))),
+                lastLine: lastLine ? String(lastLine).slice(0, 1024) : null,
+            }).then((res) => { if (!res.ok)
+                logDebug('[Ops] setProgress failed', res.error); }),
+            complete: async (status, summary = {}) => {
+                clearTimeout(killTimer);
+                await callLambda('cliJobComplete', { id: jobId, status, summary });
+            },
+            cancel: () => {
+                clearTimeout(killTimer);
+                try {
+                    child.kill('SIGTERM');
+                }
+                catch (_) { }
+            },
+        };
+        return handle;
+    }
+    async requestApproval(req) {
+        if (!Array.isArray(req.options) || req.options.length < 2) {
+            throw new Error('requestApproval needs ≥2 options');
+        }
+        const create = await callLambda('cliQuestionCreate', {
+            question: `[${req.severity.toUpperCase()}] ${req.question}`,
+            header: req.severity,
+            multiSelect: false,
+            options: req.options.map((o) => ({ label: o.label, description: o.description || '' })),
+        });
+        if (!create.ok || !create.result?.id)
+            throw new Error(`HITL create failed: ${create.error}`);
+        const id = create.result.id;
+        const timeoutSec = req.timeoutSec ?? 300;
+        const deadline = Date.now() + timeoutSec * 1000;
+        while (Date.now() < deadline) {
+            await new Promise((r) => setTimeout(r, 2000));
+            const poll = await callLambda('cliQuestionPoll', { id });
+            if (poll.ok && poll.result?.answered) {
+                const sel = poll.result.selected?.[0];
+                if (typeof sel === 'string')
+                    return sel;
+            }
+        }
+        if (req.defaultOnTimeout === 'proceed')
+            return req.options[0].label;
+        throw new Error(`HITL timed out after ${timeoutSec}s — operator did not answer in the portal`);
+    }
+    async emitFinding(draft) {
+        if (this.engagementId && draft.engagementId == null)
+            draft.engagementId = this.engagementId;
+        validateFindingDraft(draft);
+        const r = await callLambda('cliFindingEmit', draft);
+        if (!r.ok || !r.result?.id)
+            throw new Error(`emitFinding failed: ${r.error}`);
+        return r.result.id;
+    }
+}
+/**
+ * Async iterator over a child's stdout + stderr, yielding one line at a
+ * time. Both streams are merged so the order in `lines()` matches the
+ * order the process actually printed them.
+ */
+async function* readlines(child) {
+    const queue = [];
+    let resolveNext = null;
+    let done = false;
+    function pushChunk(buf) {
+        const text = buf.toString('utf8');
+        for (const line of text.split(/\r?\n/))
+            if (line.length)
+                queue.push(line);
+        if (resolveNext) {
+            const r = resolveNext;
+            resolveNext = null;
+            r();
+        }
+    }
+    child.stdout.on('data', pushChunk);
+    child.stderr.on('data', pushChunk);
+    child.on('close', () => { done = true; if (resolveNext) {
+        const r = resolveNext;
+        resolveNext = null;
+        r();
+    } });
+    child.on('error', () => { done = true; if (resolveNext) {
+        const r = resolveNext;
+        resolveNext = null;
+        r();
+    } });
+    while (true) {
+        if (queue.length) {
+            yield queue.shift();
+            continue;
+        }
+        if (done)
+            return;
+        await new Promise((r) => { resolveNext = r; });
+    }
+}
+/**
+ * Build an OpsContext for a CLI agent session. The engagementId can be
+ * threaded in from the active engagement (set via the portal or
+ * EngagementCapability tool calls).
+ */
+export function createOpsContext(opts = {}) {
+    return new NodeOpsContext(opts);
+}
+//# sourceMappingURL=_opsContext.js.map

package/dist/capabilities/_opsContext.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"_opsContext.js","sourceRoot":"","sources":["../../src/capabilities/_opsContext.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,KAAK,EAAuC,MAAM,oBAAoB,CAAC;AAChF,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAC;AACtD,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AA4FnD,qEAAqE;AAErE,MAAM,kBAAkB,GACtB,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;AACzD,MAAM,eAAe,GACnB,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;AAEzE,SAAS,oBAAoB,CAAC,CAAe;IAC3C,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3F,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;IACpG,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IACpF,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ,IAAI,CAAC,CAAC,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IACvF,IAAI,OAAO,CAAC,CAAC,WAAW,KAAK,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;AACzF,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU;IACN,MAAM,GAA4D,IAAI,CAAC;IAE/E,KAAK,CAAC,IAAI,CAAC,YAAoB;QAC7B,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,KAAK,YAAY;YAAE,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;QACvF,MAAM,CAAC,GAAG,MAAM,UAAU,CAA8B,uBAAuB,EAAE,EAAE,YAAY,EAAE,CAAC,CAAC;QACnG,IAAI,CAAC,CAAC,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;QAC7D,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,EAAE,KAAK,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;QAC5E,IAAI,CAAC,MAAM,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;QACtC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,UAAU,KAAK,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC;CACrC;AAUD,SAAS,kBAAkB,CAAC,IAAY,EAAE,OAAe;IACvD,eAAe;IACf,IAAI,IAAI,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IAClC,uCAAuC;IACvC,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,iBAAiB;QAClD,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;IAC9D,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,SAAS,CAAC,MAAmB,EAAE,KAAsB;IAC5D,MAAM,SAAS,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACtD,CAAC,MAAM,CAAC,QAAQ,IAAI,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC1F,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAC7B,IAAI,CAAC,KAAK,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,SAAS,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACxG,MAAM,QAAQ,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,SAAS,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IACjG,IAAI,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC1B,oEAAoE;IACpE,qEAAqE;IACrE,8BAA8B;IAC9B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,WAAW,CAAC,KAAa;IAChC,IAAI,CAAC;QAAC,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,IAAI,CAAC;IAAC,CAAC;AAChE,CAAC;AAOD,MAAM,cAAc;IACT,YAAY,CAAgB;IAC5B,GAAG,CAAgB;IACpB,UAAU,GAAG,IAAI,UAAU,EAAE,CAAC;IAEtC,YAAY,OAA8B,EAAE;QAC1C,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC;QAC9C,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,MAAmB;QACrC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,gEAAgE;YAChE,6DAA6D;YAC7D,2DAA2D;YAC3D,oCAAoC;YACpC,MAAM,IAAI,KAAK,CAAC,6EAA6E,CAAC,CAAC;QACjG,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC5D,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,CAAC;YAC9B,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,QAAQ,IAAI,WAAW,CAAC;YACtE,MAAM,IAAI,KAAK,CACb,UAAU,CAAC,mCAAmC,IAAI,CAAC,YAAY,IAAI;gBACnE,0DAA0D,CAC3D,CAAC;QACJ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,IAAa;QAC1B,mEAAmE;QACnE,kEAAkE;QAClE,kEAAkE;QAClE,8DAA8D;QAC9D,MAAM,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAChC,IAAI,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC;YAAE,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC;QAC5F,MAAM,CAAC,GAAG,MAAM,UAAU,CAAiB,aAAa,EAAE;YACxD,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI;YAChC,YAAY,EAAE,IAAI,CAAC,YAAY,IAAI,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,IAAI;YACxE,MAAM,EAAE,SAAS;YACjB,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,qBAAqB;SAClD,CAAC,CAAC;QACH,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;QAC9E,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;QAE1B,MAAM,KAAK,GAAmC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE;YAClF,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC,EAAE;YAC3D,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAmC,CAAC;QAErC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACnD,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE;YAChC,IAAI,CAAC;gBAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAAC,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC,CAAA,CAAC;YAC3C,UAAU,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;gBAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAAC,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC,CAAA,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;QAC1E,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,MAAM,MAAM,GAAc;YACxB,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,GAAG,EAAE,CAAC,SAAS,CAAC,KAAK,CAAC;YAC7B,SAAS,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,UAAU,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC;iBACjG,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,QAAQ,CAAC,wBAAwB,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACjF,WAAW,EAAE,CAAC,GAAG,EAAE,QAAQ,EAAE,EAAE,CAAC,UAAU,CAAC,cAAc,EAAE;gBACzD,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC3D,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI;aAC5D,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,QAAQ,CAAC,0BAA0B,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACnF,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,GAAG,EAAE,EAAE,EAAE;gBACvC,YAAY,CAAC,SAAS,CAAC,CAAC;gBACxB,MAAM,UAAU,CAAC,gBAAgB,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;YACrE,CAAC;YACD,MAAM,EAAE,GAAG,EAAE;gBACX,YAAY,CAAC,SAAS,CAAC,CAAC;gBACxB,IAAI,CAAC;oBAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBAAC,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC,CAAA,CAAC;YAC7C,CAAC;SACF,CAAC;QACF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,GAAoB;QACxC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1D,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,UAAU,CAAiB,mBAAmB,EAAE;YACnE,QAAQ,EAAE,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,GAAG,CAAC,QAAQ,EAAE;YAC3D,MAAM,EAAE,GAAG,CAAC,QAAQ;YACpB,WAAW,EAAE,KAAK;YAClB,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC,CAAC;SACxF,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;QAC7F,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;QAC5B,MAAM,UAAU,GAAG,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC;QACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,GAAG,IAAI,CAAC;QAChD,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;YAC7B,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;YAC9C,MAAM,IAAI,GAAG,MAAM,UAAU,CAA4C,iBAAiB,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;YACpG,IAAI,IAAI,CAAC,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,CAAC;gBACrC,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC;gBACtC,IAAI,OAAO,GAAG,KAAK,QAAQ;oBAAE,OAAO,GAAG,CAAC;YAC1C,CAAC;QACH,CAAC;QACD,IAAI,GAAG,CAAC,gBAAgB,KAAK,SAAS;YAAE,OAAO,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;QACpE,MAAM,IAAI,KAAK,CAAC,wBAAwB,UAAU,2CAA2C,CAAC,CAAC;IACjG,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAmB;QACnC,IAAI,IAAI,CAAC,YAAY,IAAI,KAAK,CAAC,YAAY,IAAI,IAAI;YAAE,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC;QAC5F,oBAAoB,CAAC,KAAK,CAAC,CAAC;QAC5B,MAAM,CAAC,GAAG,MAAM,UAAU,CAAiB,gBAAgB,EAAE,KAA2C,CAAC,CAAC;QAC1G,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;QAC9E,OAAO,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;IACrB,CAAC;CACF;AAED;;;;GAIG;AACH,KAAK,SAAS,CAAC,CAAC,SAAS,CAAC,KAAqC;IAC7D,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,WAAW,GAAwB,IAAI,CAAC;IAC5C,IAAI,IAAI,GAAG,KAAK,CAAC;IAEjB,SAAS,SAAS,CAAC,GAAW;QAC5B,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAClC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;YAAE,IAAI,IAAI,CAAC,MAAM;gBAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1E,IAAI,WAAW,EAAE,CAAC;YAAC,MAAM,CAAC,GAAG,WAAW,CAAC;YAAC,WAAW,GAAG,IAAI,CAAC;YAAC,CAAC,EAAE,CAAC;QAAC,CAAC;IACtE,CAAC;IACD,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACnC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACnC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC;QAAC,MAAM,CAAC,GAAG,WAAW,CAAC;QAAC,WAAW,GAAG,IAAI,CAAC;QAAC,CAAC,EAAE,CAAC;IAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/G,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC;QAAC,MAAM,CAAC,GAAG,WAAW,CAAC;QAAC,WAAW,GAAG,IAAI,CAAC;QAAC,CAAC,EAAE,CAAC;IAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAE/G,OAAO,IAAI,EAAE,CAAC;QACZ,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YAAC,MAAM,KAAK,CAAC,KAAK,EAAG,CAAC;YAAC,SAAS;QAAC,CAAC;QACrD,IAAI,IAAI;YAAE,OAAO;QACjB,MAAM,IAAI,OAAO,CAAO,CAAC,CAAC,EAAE,EAAE,GAAG,WAAW,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACvD,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAA8B,EAAE;IAC/D,OAAO,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC;AAClC,CAAC"}

package/dist/capabilities/_processRunner.d.ts

@@ -1,3 +1,35 @@
+export interface BinaryMissingErrorInfo {
+    bin: string;
+    message: string;
+    installCommand: string | null;
+    installChannel: string | null;
+    platformNote: string | null;
+    capability: string | null;
+    /** True when the bin has no plausibly-native install path on this platform. */
+    unsupportedOnPlatform: boolean;
+}
+export declare class BinaryMissingError extends Error {
+    readonly code = "binary-missing";
+    readonly info: BinaryMissingErrorInfo;
+    constructor(info: BinaryMissingErrorInfo);
+}
+/**
+ * Throws `BinaryMissingError` if the binary isn't on PATH. Every
+ * offsec capability tool handler should call this first.
+ *
+ * Tool handlers should NOT catch the error themselves — let it
+ * propagate so the agent loop's tool-error formatter wraps it
+ * uniformly.
+ */
+export declare function ensureBinary(bin: string): Promise<void>;
+/**
+ * Non-throwing variant — returns true/false. Use when the caller
+ * wants to render a "(unavailable)" badge in the tool inventory
+ * rather than fail the call.
+ */
+export declare function isBinaryAvailable(bin: string): Promise<boolean>;
+/** Reset the availability cache. Tests + the post-`offsec install` flow use this. */
+export declare function clearBinaryAvailabilityCache(): void;
 export interface RunResult {
     stdout: string;
     stderr: string;

package/dist/capabilities/_processRunner.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"_processRunner.d.ts","sourceRoot":"","sources":["../../src/capabilities/_processRunner.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC;IAC9B,SAAS,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAKD,wBAAsB,SAAS,CAC7B,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EAAE,EACd,OAAO,GAAE,UAAe,GACvB,OAAO,CAAC,SAAS,CAAC,CA4DpB;AAED,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,SAAS,GAAG,MAAM,CAQvF"}
+{"version":3,"file":"_processRunner.d.ts","sourceRoot":"","sources":["../../src/capabilities/_processRunner.ts"],"names":[],"mappings":"AAkCA,MAAM,WAAW,sBAAsB;IACrC,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,+EAA+E;IAC/E,qBAAqB,EAAE,OAAO,CAAC;CAChC;AAED,qBAAa,kBAAmB,SAAQ,KAAK;IAC3C,QAAQ,CAAC,IAAI,oBAAoB;IACjC,QAAQ,CAAC,IAAI,EAAE,sBAAsB,CAAC;gBAC1B,IAAI,EAAE,sBAAsB;CAKzC;AAmBD;;;;;;;GAOG;AACH,wBAAsB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAQ7D;AAED;;;;GAIG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAMrE;AAED,qFAAqF;AACrF,wBAAgB,4BAA4B,IAAI,IAAI,CAEnD;AAuDD,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC;IAC9B,SAAS,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAKD,wBAAsB,SAAS,CAC7B,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EAAE,EACd,OAAO,GAAE,UAAe,GACvB,OAAO,CAAC,SAAS,CAAC,CAkEpB;AAED,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,SAAS,GAAG,MAAM,CAQvF"}

package/dist/capabilities/_processRunner.js

@@ -1,7 +1,133 @@
 import { spawn } from 'node:child_process';
+import { promisify } from 'node:util';
+import { execFile } from 'node:child_process';
+import { findRequirement, pickInstallCommand, isNativelyAvailable, platformNote, } from './_binaryRequirements.js';
+const execFileP = promisify(execFile);
+export class BinaryMissingError extends Error {
+    code = 'binary-missing';
+    info;
+    constructor(info) {
+        super(info.message);
+        this.info = info;
+        this.name = 'BinaryMissingError';
+    }
+}
+const BINARY_AVAILABILITY_CACHE = new Map();
+async function checkPathBinary(bin) {
+    // `which` (POSIX) / `where` (Windows) — both exit 0 when the
+    // executable is found on PATH. We use the OS lookup rather than
+    // probing `bin --version` because some offsec tools (afl-fuzz,
+    // ghidra) take seconds to print --version, which would gate the
+    // agent loop on cold-start runtime cost.
+    const cmd = process.platform === 'win32' ? 'where' : 'which';
+    try {
+        await execFileP(cmd, [bin], { timeout: 3000 });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Throws `BinaryMissingError` if the binary isn't on PATH. Every
+ * offsec capability tool handler should call this first.
+ *
+ * Tool handlers should NOT catch the error themselves — let it
+ * propagate so the agent loop's tool-error formatter wraps it
+ * uniformly.
+ */
+export async function ensureBinary(bin) {
+    const cached = BINARY_AVAILABILITY_CACHE.get(bin);
+    if (cached === true)
+        return;
+    if (cached === false)
+        throw makeMissingError(bin);
+    const present = await checkPathBinary(bin);
+    BINARY_AVAILABILITY_CACHE.set(bin, present);
+    if (!present)
+        throw makeMissingError(bin);
+}
+/**
+ * Non-throwing variant — returns true/false. Use when the caller
+ * wants to render a "(unavailable)" badge in the tool inventory
+ * rather than fail the call.
+ */
+export async function isBinaryAvailable(bin) {
+    const cached = BINARY_AVAILABILITY_CACHE.get(bin);
+    if (cached !== undefined)
+        return cached;
+    const present = await checkPathBinary(bin);
+    BINARY_AVAILABILITY_CACHE.set(bin, present);
+    return present;
+}
+/** Reset the availability cache. Tests + the post-`offsec install` flow use this. */
+export function clearBinaryAvailabilityCache() {
+    BINARY_AVAILABILITY_CACHE.clear();
+}
+function makeMissingError(bin) {
+    const req = findRequirement(bin);
+    if (!req) {
+        // Bin we don't track — agent capability is calling something
+        // outside the manifest. Surface that explicitly so the operator
+        // can add it to _binaryRequirements.ts.
+        return new BinaryMissingError({
+            bin,
+            message: `Binary "${bin}" not found on PATH and not in the offsec requirements manifest. Add it to src/capabilities/_binaryRequirements.ts.`,
+            installCommand: null,
+            installChannel: null,
+            platformNote: null,
+            capability: null,
+            unsupportedOnPlatform: false,
+        });
+    }
+    const native = isNativelyAvailable(req);
+    const note = platformNote(req);
+    const pick = pickInstallCommand(req);
+    // Build the message body. Three branches matching the table above.
+    let message;
+    if (native && pick) {
+        message =
+            `Binary "${bin}" required by capability "${req.capability}" but not on PATH.\n\n` +
+                `${req.description}\n\n` +
+                `Install (${pick.channel}):\n` +
+                `  ${pick.cmd}\n\n` +
+                `Or run: erosolar offsec install --capability ${req.capability}`;
+    }
+    else if (note) {
+        message =
+            `Binary "${bin}" required by capability "${req.capability}" is not natively packaged for ${process.platform}.\n\n` +
+                `${req.description}\n\n` +
+                `${note}`;
+    }
+    else if (pick) {
+        message =
+            `Binary "${bin}" required by capability "${req.capability}" but not on PATH.\n` +
+                `Install (${pick.channel}):  ${pick.cmd}`;
+    }
+    else {
+        message =
+            `Binary "${bin}" required by capability "${req.capability}" but no install path is registered for ${process.platform}. ` +
+                `Use WSL2 (Windows) or a Docker container.`;
+    }
+    return new BinaryMissingError({
+        bin,
+        message,
+        installCommand: pick?.cmd ?? null,
+        installChannel: pick?.channel ?? null,
+        platformNote: note,
+        capability: req.capability,
+        unsupportedOnPlatform: !native,
+    });
+}
 const DEFAULT_TIMEOUT_MS = 5 * 60 * 1000;
 const DEFAULT_MAX_OUTPUT = 1 * 1024 * 1024;
 export async function runBinary(command, args, options = {}) {
+    // Cross-platform preflight: refuse with a clean BinaryMissingError
+    // (carrying the install hint for the operator's OS, or the
+    // 'use WSL2' note when no native channel exists) instead of letting
+    // ENOENT bubble. Bins not in the manifest fall through with a
+    // descriptive error pointing at _binaryRequirements.ts.
+    await ensureBinary(command);
     return new Promise((resolve, reject) => {
         const maxBytes = options.maxOutputBytes ?? DEFAULT_MAX_OUTPUT;
         const spawnOpts = {

package/dist/capabilities/_processRunner.js.map

@@ -1 +1 @@
-{"version":3,"file":"_processRunner.js","sourceRoot":"","sources":["../../src/capabilities/_processRunner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAqB,MAAM,oBAAoB,CAAC;AAkB9D,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AACzC,MAAM,kBAAkB,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;AAE3C,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,OAAe,EACf,IAAc,EACd,UAAsB,EAAE;IAExB,OAAO,IAAI,OAAO,CAAY,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAChD,MAAM,QAAQ,GAAG,OAAO,CAAC,cAAc,IAAI,kBAAkB,CAAC;QAC9D,MAAM,SAAS,GAAiB;YAC9B,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,KAAK,EAAE,CAAC,OAAO,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SACzE,CAAC;QACF,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;YAChB,SAAS,CAAC,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QACrD,CAAC;QACD,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE,SAAS,CAAC,CAAC;QAE9C,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,IAAI,SAAS,GAAG,KAAK,CAAC;QACtB,MAAM,YAAY,GAAa,EAAE,CAAC;QAClC,MAAM,YAAY,GAAa,EAAE,CAAC;QAElC,MAAM,MAAM,GAAG,CAAC,MAAgB,EAAE,GAAW,EAAE,QAAiB,EAAE,EAAE;YAClE,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC;YAClD,MAAM,IAAI,GAAG,QAAQ,GAAG,IAAI,CAAC;YAC7B,IAAI,IAAI,IAAI,CAAC,EAAE,CAAC;gBACd,SAAS,GAAG,IAAI,CAAC;gBACjB,OAAO;YACT,CAAC;YACD,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YAC9D,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC9B,IAAI,QAAQ;gBAAE,WAAW,IAAI,KAAK,CAAC,MAAM,CAAC;;gBACrC,WAAW,IAAI,KAAK,CAAC,MAAM,CAAC;YACjC,IAAI,GAAG,CAAC,MAAM,GAAG,IAAI;gBAAE,SAAS,GAAG,IAAI,CAAC;QAC1C,CAAC,CAAC;QAEF,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;QACvE,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;QAExE,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAC/C,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YACjC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;QACpB,CAAC;QAED,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE;YAC9B,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACtB,UAAU,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,CAAC;QAChD,CAAC,EAAE,OAAO,CAAC,SAAS,IAAI,kBAAkB,CAAC,CAAC;QAE5C,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,YAAY,CAAC,OAAO,CAAC,CAAC;YACtB,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;YACjC,YAAY,CAAC,OAAO,CAAC,CAAC;YACtB,OAAO,CAAC;gBACN,MAAM,EAAE,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,MAAM,EAAE,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,QAAQ,EAAE,IAAI;gBACd,MAAM;gBACN,SAAS;aACV,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,OAAe,EAAE,IAAc,EAAE,MAAiB;IAC7E,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,KAAK,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC7C,KAAK,CAAC,IAAI,CAAC,QAAQ,MAAM,CAAC,QAAQ,IAAI,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACpG,IAAI,MAAM,CAAC,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACvD,IAAI,MAAM,CAAC,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IACzE,IAAI,MAAM,CAAC,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IACzE,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}
+{"version":3,"file":"_processRunner.js","sourceRoot":"","sources":["../../src/capabilities/_processRunner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAqB,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EACL,eAAe,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,YAAY,GACvE,MAAM,0BAA0B,CAAC;AAElC,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAsCtC,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAClC,IAAI,GAAG,gBAAgB,CAAC;IACxB,IAAI,CAAyB;IACtC,YAAY,IAA4B;QACtC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED,MAAM,yBAAyB,GAAG,IAAI,GAAG,EAAmB,CAAC;AAE7D,KAAK,UAAU,eAAe,CAAC,GAAW;IACxC,6DAA6D;IAC7D,gEAAgE;IAChE,+DAA+D;IAC/D,gEAAgE;IAChE,yCAAyC;IACzC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;IAC7D,IAAI,CAAC;QACH,MAAM,SAAS,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAW;IAC5C,MAAM,MAAM,GAAG,yBAAyB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAClD,IAAI,MAAM,KAAK,IAAI;QAAE,OAAO;IAC5B,IAAI,MAAM,KAAK,KAAK;QAAE,MAAM,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAElD,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,GAAG,CAAC,CAAC;IAC3C,yBAAyB,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAC5C,IAAI,CAAC,OAAO;QAAE,MAAM,gBAAgB,CAAC,GAAG,CAAC,CAAC;AAC5C,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,GAAW;IACjD,MAAM,MAAM,GAAG,yBAAyB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAClD,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,MAAM,CAAC;IACxC,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,GAAG,CAAC,CAAC;IAC3C,yBAAyB,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAC5C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,qFAAqF;AACrF,MAAM,UAAU,4BAA4B;IAC1C,yBAAyB,CAAC,KAAK,EAAE,CAAC;AACpC,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAW;IACnC,MAAM,GAAG,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,6DAA6D;QAC7D,gEAAgE;QAChE,wCAAwC;QACxC,OAAO,IAAI,kBAAkB,CAAC;YAC5B,GAAG;YACH,OAAO,EAAE,WAAW,GAAG,qHAAqH;YAC5I,cAAc,EAAE,IAAI;YACpB,cAAc,EAAE,IAAI;YACpB,YAAY,EAAE,IAAI;YAClB,UAAU,EAAE,IAAI;YAChB,qBAAqB,EAAE,KAAK;SAC7B,CAAC,CAAC;IACL,CAAC;IACD,MAAM,MAAM,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAC/B,MAAM,IAAI,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;IACrC,mEAAmE;IACnE,IAAI,OAAe,CAAC;IACpB,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;QACnB,OAAO;YACL,WAAW,GAAG,6BAA6B,GAAG,CAAC,UAAU,wBAAwB;gBACjF,GAAG,GAAG,CAAC,WAAW,MAAM;gBACxB,YAAY,IAAI,CAAC,OAAO,MAAM;gBAC9B,KAAK,IAAI,CAAC,GAAG,MAAM;gBACnB,gDAAgD,GAAG,CAAC,UAAU,EAAE,CAAC;IACrE,CAAC;SAAM,IAAI,IAAI,EAAE,CAAC;QAChB,OAAO;YACL,WAAW,GAAG,6BAA6B,GAAG,CAAC,UAAU,kCAAkC,OAAO,CAAC,QAAQ,OAAO;gBAClH,GAAG,GAAG,CAAC,WAAW,MAAM;gBACxB,GAAG,IAAI,EAAE,CAAC;IACd,CAAC;SAAM,IAAI,IAAI,EAAE,CAAC;QAChB,OAAO;YACL,WAAW,GAAG,6BAA6B,GAAG,CAAC,UAAU,sBAAsB;gBAC/E,YAAY,IAAI,CAAC,OAAO,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC;IAC9C,CAAC;SAAM,CAAC;QACN,OAAO;YACL,WAAW,GAAG,6BAA6B,GAAG,CAAC,UAAU,2CAA2C,OAAO,CAAC,QAAQ,IAAI;gBACxH,2CAA2C,CAAC;IAChD,CAAC;IACD,OAAO,IAAI,kBAAkB,CAAC;QAC5B,GAAG;QACH,OAAO;QACP,cAAc,EAAE,IAAI,EAAE,GAAG,IAAI,IAAI;QACjC,cAAc,EAAE,IAAI,EAAE,OAAO,IAAI,IAAI;QACrC,YAAY,EAAE,IAAI;QAClB,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,qBAAqB,EAAE,CAAC,MAAM;KAC/B,CAAC,CAAC;AACL,CAAC;AAkBD,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AACzC,MAAM,kBAAkB,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;AAE3C,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,OAAe,EACf,IAAc,EACd,UAAsB,EAAE;IAExB,mEAAmE;IACnE,2DAA2D;IAC3D,oEAAoE;IACpE,8DAA8D;IAC9D,wDAAwD;IACxD,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;IAC5B,OAAO,IAAI,OAAO,CAAY,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAChD,MAAM,QAAQ,GAAG,OAAO,CAAC,cAAc,IAAI,kBAAkB,CAAC;QAC9D,MAAM,SAAS,GAAiB;YAC9B,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,KAAK,EAAE,CAAC,OAAO,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SACzE,CAAC;QACF,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;YAChB,SAAS,CAAC,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QACrD,CAAC;QACD,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE,SAAS,CAAC,CAAC;QAE9C,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,IAAI,SAAS,GAAG,KAAK,CAAC;QACtB,MAAM,YAAY,GAAa,EAAE,CAAC;QAClC,MAAM,YAAY,GAAa,EAAE,CAAC;QAElC,MAAM,MAAM,GAAG,CAAC,MAAgB,EAAE,GAAW,EAAE,QAAiB,EAAE,EAAE;YAClE,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC;YAClD,MAAM,IAAI,GAAG,QAAQ,GAAG,IAAI,CAAC;YAC7B,IAAI,IAAI,IAAI,CAAC,EAAE,CAAC;gBACd,SAAS,GAAG,IAAI,CAAC;gBACjB,OAAO;YACT,CAAC;YACD,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YAC9D,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC9B,IAAI,QAAQ;gBAAE,WAAW,IAAI,KAAK,CAAC,MAAM,CAAC;;gBACrC,WAAW,IAAI,KAAK,CAAC,MAAM,CAAC;YACjC,IAAI,GAAG,CAAC,MAAM,GAAG,IAAI;gBAAE,SAAS,GAAG,IAAI,CAAC;QAC1C,CAAC,CAAC;QAEF,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;QACvE,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;QAExE,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAC/C,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YACjC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;QACpB,CAAC;QAED,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE;YAC9B,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACtB,UAAU,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,CAAC;QAChD,CAAC,EAAE,OAAO,CAAC,SAAS,IAAI,kBAAkB,CAAC,CAAC;QAE5C,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,YAAY,CAAC,OAAO,CAAC,CAAC;YACtB,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;YACjC,YAAY,CAAC,OAAO,CAAC,CAAC;YACtB,OAAO,CAAC;gBACN,MAAM,EAAE,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,MAAM,EAAE,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,QAAQ,EAAE,IAAI;gBACd,MAAM;gBACN,SAAS;aACV,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,OAAe,EAAE,IAAc,EAAE,MAAiB;IAC7E,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,KAAK,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC7C,KAAK,CAAC,IAAI,CAAC,QAAQ,MAAM,CAAC,QAAQ,IAAI,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACpG,IAAI,MAAM,CAAC,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACvD,IAAI,MAAM,CAAC,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IACzE,IAAI,MAAM,CAAC,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IACzE,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/capabilities/engagementCapability.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"engagementCapability.d.ts","sourceRoot":"","sources":["../../src/capabilities/engagementCapability.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,sBAAsB,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAG3G,qBAAa,0BAA2B,YAAW,gBAAgB;IACjE,QAAQ,CAAC,EAAE,2BAA2B;IAEhC,MAAM,CAAC,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAAC,sBAAsB,CAAC;CAgB3E"}
+{"version":3,"file":"engagementCapability.d.ts","sourceRoot":"","sources":["../../src/capabilities/engagementCapability.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,sBAAsB,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAG3G,qBAAa,0BAA2B,YAAW,gBAAgB;IACjE,QAAQ,CAAC,EAAE,2BAA2B;IAEhC,MAAM,CAAC,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAAC,sBAAsB,CAAC;CA6B3E"}

package/dist/capabilities/engagementCapability.js

@@ -7,17 +7,28 @@
  * (erosolar-code) cannot see these tools — see CLAUDE.md "Capability
  * separation" + the v1.5 hardening test.
  */
-import { createEngagementTools } from '../tools/engagementTools.js';
+import { createEngagementTools, loadSelectionFromPortal } from '../tools/engagementTools.js';
 export class EngagementCapabilityModule {
     id = 'capability.engagement';
     async create(_context) {
         void _context;
+        // Resume whatever selection the portal (or another CLI session)
+        // last wrote to users/<uid>/cli_state/selection. Best-effort —
+        // if auth is missing or the network is offline, the session
+        // still boots normally with no active selection.
+        const resumed = await loadSelectionFromPortal();
+        if (resumed?.engagementId) {
+            const trail = [resumed.engagementId, resumed.targetId, resumed.findingId]
+                .filter(Boolean).join(' › ');
+            process.stderr.write(`[engagement] Resumed from portal: ${trail}\n`);
+        }
         return {
             id: 'engagement.tools',
             description: 'Engagement → Target → Finding pipeline. Manages contracts / task-orders / ' +
                 'bug-bounty programs and the variant-research lifecycle. Writes to ' +
-                'users/<uid>/engagements/<id>/targets/<tid>/findings/<fid> via Lambda; ' +
-                'the portal renders the rail + phase-tabbed detail pane.',
+                'users/<uid>/engagements/<id>/targets/<tid>/findings/<fid> via Lambda. ' +
+                'Selection is auto-resumed from users/<uid>/cli_state/selection on boot, ' +
+                'so a portal-launched hunt lands directly in this session.',
             toolSuite: {
                 id: 'engagement',
                 description: 'Engagement / target / finding tools',

package/dist/capabilities/engagementCapability.js.map

@@ -1 +1 @@
-{"version":3,"file":"engagementCapability.js","sourceRoot":"","sources":["../../src/capabilities/engagementCapability.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AAEpE,MAAM,OAAO,0BAA0B;IAC5B,EAAE,GAAG,uBAAuB,CAAC;IAEtC,KAAK,CAAC,MAAM,CAAC,QAA2B;QACtC,KAAK,QAAQ,CAAC;QACd,OAAO;YACL,EAAE,EAAE,kBAAkB;YACtB,WAAW,EACT,4EAA4E;gBAC5E,oEAAoE;gBACpE,wEAAwE;gBACxE,yDAAyD;YAC3D,SAAS,EAAE;gBACT,EAAE,EAAE,YAAY;gBAChB,WAAW,EAAE,qCAAqC;gBAClD,KAAK,EAAE,qBAAqB,EAAE;aAC/B;SACF,CAAC;IACJ,CAAC;CACF"}
+{"version":3,"file":"engagementCapability.js","sourceRoot":"","sources":["../../src/capabilities/engagementCapability.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,qBAAqB,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAC;AAE7F,MAAM,OAAO,0BAA0B;IAC5B,EAAE,GAAG,uBAAuB,CAAC;IAEtC,KAAK,CAAC,MAAM,CAAC,QAA2B;QACtC,KAAK,QAAQ,CAAC;QAEd,gEAAgE;QAChE,+DAA+D;QAC/D,4DAA4D;QAC5D,iDAAiD;QACjD,MAAM,OAAO,GAAG,MAAM,uBAAuB,EAAE,CAAC;QAChD,IAAI,OAAO,EAAE,YAAY,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,CAAC,OAAO,CAAC,YAAY,EAAE,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,SAAS,CAAC;iBACtE,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC/B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,qCAAqC,KAAK,IAAI,CAAC,CAAC;QACvE,CAAC;QAED,OAAO;YACL,EAAE,EAAE,kBAAkB;YACtB,WAAW,EACT,4EAA4E;gBAC5E,oEAAoE;gBACpE,wEAAwE;gBACxE,0EAA0E;gBAC1E,2DAA2D;YAC7D,SAAS,EAAE;gBACT,EAAE,EAAE,YAAY;gBAChB,WAAW,EAAE,qCAAqC;gBAClD,KAAK,EAAE,qBAAqB,EAAE;aAC/B;SACF,CAAC;IACJ,CAAC;CACF"}

package/dist/capabilities/index.d.ts

@@ -14,6 +14,7 @@ export { GdbCapabilityModule } from './gdbCapability.js';
 export { BinaryAnalysisCapabilityModule } from './binaryAnalysisCapability.js';
 export { PwntoolsCapabilityModule } from './pwntoolsCapability.js';
 export { GhidraHeadlessCapabilityModule } from './ghidraHeadlessCapability.js';
+export { LlmRedteamCapabilityModule } from './llmRedteamCapability.js';
 export { WorktreeCapabilityModule } from './worktreeCapability.js';
 export { PlanModeCapabilityModule } from './planModeCapability.js';
 export { MonitorCapabilityModule } from './monitorCapability.js';

package/dist/capabilities/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/capabilities/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,6BAA6B,EAAE,6BAA6B,EAAE,KAAK,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AAGvI,OAAO,EAAE,0BAA0B,EAAE,KAAK,2BAA2B,EAAE,MAAM,2BAA2B,CAAC;AACzG,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAAE,KAAK,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AACvF,OAAO,EAAE,sBAAsB,EAAE,KAAK,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,KAAK,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACpF,OAAO,EAAE,2BAA2B,EAAE,MAAM,4BAA4B,CAAC;AACzE,OAAO,EAAE,0BAA0B,EAAE,MAAM,2BAA2B,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,KAAK,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AACvF,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,8BAA8B,EAAE,MAAM,+BAA+B,CAAC;AAC/E,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,8BAA8B,EAAE,MAAM,+BAA+B,CAAC;AAC/E,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACjE,OAAO,EAAE,2BAA2B,EAAE,MAAM,4BAA4B,CAAC;AACzE,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACjE,OAAO,EAAE,0BAA0B,EAAE,MAAM,2BAA2B,CAAC;AAIvE,OAAO,EAAE,oBAAoB,EAAE,KAAK,qBAAqB,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/capabilities/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,6BAA6B,EAAE,6BAA6B,EAAE,KAAK,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AAGvI,OAAO,EAAE,0BAA0B,EAAE,KAAK,2BAA2B,EAAE,MAAM,2BAA2B,CAAC;AACzG,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAAE,KAAK,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AACvF,OAAO,EAAE,sBAAsB,EAAE,KAAK,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,KAAK,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACpF,OAAO,EAAE,2BAA2B,EAAE,MAAM,4BAA4B,CAAC;AACzE,OAAO,EAAE,0BAA0B,EAAE,MAAM,2BAA2B,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,KAAK,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AACvF,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,8BAA8B,EAAE,MAAM,+BAA+B,CAAC;AAC/E,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,8BAA8B,EAAE,MAAM,+BAA+B,CAAC;AAC/E,OAAO,EAAE,0BAA0B,EAAE,MAAM,2BAA2B,CAAC;AACvE,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACjE,OAAO,EAAE,2BAA2B,EAAE,MAAM,4BAA4B,CAAC;AACzE,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACjE,OAAO,EAAE,0BAA0B,EAAE,MAAM,2BAA2B,CAAC;AAIvE,OAAO,EAAE,oBAAoB,EAAE,KAAK,qBAAqB,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/capabilities/index.js

@@ -16,6 +16,7 @@ export { GdbCapabilityModule } from './gdbCapability.js';
 export { BinaryAnalysisCapabilityModule } from './binaryAnalysisCapability.js';
 export { PwntoolsCapabilityModule } from './pwntoolsCapability.js';
 export { GhidraHeadlessCapabilityModule } from './ghidraHeadlessCapability.js';
+export { LlmRedteamCapabilityModule } from './llmRedteamCapability.js';
 export { WorktreeCapabilityModule } from './worktreeCapability.js';
 export { PlanModeCapabilityModule } from './planModeCapability.js';
 export { MonitorCapabilityModule } from './monitorCapability.js';

package/dist/capabilities/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/capabilities/index.ts"],"names":[],"mappings":"AAAA,2CAA2C;AAC3C,OAAO,EAAE,6BAA6B,EAAE,6BAA6B,EAA6B,MAAM,8BAA8B,CAAC;AAEvI,4BAA4B;AAC5B,OAAO,EAAE,0BAA0B,EAAoC,MAAM,2BAA2B,CAAC;AACzG,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAA8B,MAAM,qBAAqB,CAAC;AACvF,OAAO,EAAE,sBAAsB,EAAgC,MAAM,uBAAuB,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAA6B,MAAM,oBAAoB,CAAC;AACpF,OAAO,EAAE,2BAA2B,EAAE,MAAM,4BAA4B,CAAC;AACzE,OAAO,EAAE,0BAA0B,EAAE,MAAM,2BAA2B,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAA8B,MAAM,qBAAqB,CAAC;AACvF,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,8BAA8B,EAAE,MAAM,+BAA+B,CAAC;AAC/E,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,8BAA8B,EAAE,MAAM,+BAA+B,CAAC;AAC/E,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACjE,OAAO,EAAE,2BAA2B,EAAE,MAAM,4BAA4B,CAAC;AACzE,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACjE,OAAO,EAAE,0BAA0B,EAAE,MAAM,2BAA2B,CAAC;AACvE,uEAAuE;AACvE,oEAAoE;AACpE,yCAAyC;AACzC,OAAO,EAAE,oBAAoB,EAA8B,gBAAgB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/capabilities/index.ts"],"names":[],"mappings":"AAAA,2CAA2C;AAC3C,OAAO,EAAE,6BAA6B,EAAE,6BAA6B,EAA6B,MAAM,8BAA8B,CAAC;AAEvI,4BAA4B;AAC5B,OAAO,EAAE,0BAA0B,EAAoC,MAAM,2BAA2B,CAAC;AACzG,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAA8B,MAAM,qBAAqB,CAAC;AACvF,OAAO,EAAE,sBAAsB,EAAgC,MAAM,uBAAuB,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAA6B,MAAM,oBAAoB,CAAC;AACpF,OAAO,EAAE,2BAA2B,EAAE,MAAM,4BAA4B,CAAC;AACzE,OAAO,EAAE,0BAA0B,EAAE,MAAM,2BAA2B,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAA8B,MAAM,qBAAqB,CAAC;AACvF,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,8BAA8B,EAAE,MAAM,+BAA+B,CAAC;AAC/E,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,8BAA8B,EAAE,MAAM,+BAA+B,CAAC;AAC/E,OAAO,EAAE,0BAA0B,EAAE,MAAM,2BAA2B,CAAC;AACvE,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACjE,OAAO,EAAE,2BAA2B,EAAE,MAAM,4BAA4B,CAAC;AACzE,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACjE,OAAO,EAAE,0BAA0B,EAAE,MAAM,2BAA2B,CAAC;AACvE,uEAAuE;AACvE,oEAAoE;AACpE,yCAAyC;AACzC,OAAO,EAAE,oBAAoB,EAA8B,gBAAgB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/capabilities/llmRedteamCapability.d.ts

@@ -0,0 +1,38 @@
+/**
+ * llmRedteam — phishing-resistant LLM probing for variant-research +
+ * engagement-delivery profiles.
+ *
+ * Wraps the canonical open-source LLM red-team toolchain:
+ *
+ *   • garak       — NVIDIA / Leon Derczynski's vulnerability scanner
+ *                   for LLMs. Probes for prompt injection, jailbreak
+ *                   (DAN family), encoding tricks, training-data
+ *                   leakage, toxicity. Single Python binary; OpenAI
+ *                   and HTTP-REST model types built in.
+ *   • promptfoo   — Eval framework with a `redteam` subcommand that
+ *                   auto-generates jailbreak / harmful-content / PII-
+ *                   extraction probes against a configured target.
+ *
+ * Tools route every spawn through OpsContext, so:
+ *   • Targets are scope-checked against the active engagement BEFORE
+ *     the process starts (cheap fail-fast; Lambda re-checks server-
+ *     side as defence-in-depth).
+ *   • Each run is a Job in users/{uid}/jobs — visible in the portal's
+ *     #jobsList rail with live log streaming.
+ *   • Hits parsed from tool stdout become Findings under
+ *     users/{uid}/findings — the portal's #findingsList rail renders
+ *     them as they land.
+ *   • Risky operations gate on operator HITL via the portal's
+ *     pending-questions strip — no probe fires until approved.
+ *
+ * Profile gating: only registered for `variant-research` and
+ * `engagement-delivery`. The default coding profile sees zero of these
+ * tools (CLAUDE.md "Capability separation").
+ */
+import type { CapabilityContext, CapabilityContribution, CapabilityModule } from '../runtime/agentHost.js';
+export declare class LlmRedteamCapabilityModule implements CapabilityModule {
+    readonly id = "capability.llmRedteam";
+    readonly description: string;
+    create(context: CapabilityContext): Promise<CapabilityContribution>;
+}
+//# sourceMappingURL=llmRedteamCapability.d.ts.map

package/dist/capabilities/llmRedteamCapability.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"llmRedteamCapability.d.ts","sourceRoot":"","sources":["../../src/capabilities/llmRedteamCapability.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAGH,OAAO,KAAK,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAmV3G,qBAAa,0BAA2B,YAAW,gBAAgB;IACjE,QAAQ,CAAC,EAAE,2BAA2B;IACtC,QAAQ,CAAC,WAAW,SAEgF;IAE9F,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,sBAAsB,CAAC;CAiB1E"}