@trenchwork/erosolar 1.1.31 → 1.1.32

package/dist/cli/offsecInstall.js

@@ -0,0 +1,258 @@
+/**
+ * `erosolar offsec install` — operator-facing self-bootstrap.
+ *
+ * Reads the BinaryRequirement manifest, scans PATH for each entry,
+ * and installs every missing binary using the channel that's
+ * appropriate for the operator's platform (apt on Linux/Kali,
+ * Homebrew on macOS, winget on Windows, with pipx/pip/npm/cargo/go/
+ * gem as cross-platform fallbacks).
+ *
+ * Two key invariants:
+ *
+ *   1. **Idempotent.** Already-on-PATH binaries are skipped. Re-running
+ *      after a partial install is safe.
+ *
+ *   2. **Cross-platform graceful.** Binaries with no plausibly-native
+ *      install path on the operator's OS (e.g. afl-fuzz on Windows)
+ *      are skipped with a clear message pointing at WSL2 / Docker
+ *      instead of crashing the whole bootstrap.
+ *
+ * Two confirmation modes:
+ *
+ *   • Default (interactive TTY): each install command is shown and
+ *     the operator confirms with [y/N]. Defaults to skip — destructive
+ *     by default = safer.
+ *   • `--yes` / `-y`: auto-confirm every install. Used in CI / Docker
+ *     image builds where there's no TTY to prompt against.
+ *
+ * Filtering:
+ *
+ *   • `--capability <id>` (repeatable) — install only the bins for
+ *     these capabilities. Default = all.
+ *   • `--bin <name>` (repeatable) — install a specific binary.
+ *   • `--missing-only` — skip if already on PATH (this is the default;
+ *     flag exists so the inverse is explicit when scripting).
+ *   • `--dry-run` — list what would be installed, run nothing.
+ */
+import { spawn } from 'node:child_process';
+import { promisify } from 'node:util';
+import { execFile } from 'node:child_process';
+import * as readline from 'node:readline';
+import { BINARY_REQUIREMENTS, pickInstallCommand, isNativelyAvailable, platformNote, } from '../capabilities/_binaryRequirements.js';
+import { clearBinaryAvailabilityCache } from '../capabilities/_processRunner.js';
+const execFileP = promisify(execFile);
+function parseArgs(argv) {
+    const out = { capabilities: [], bins: [] };
+    for (let i = 0; i < argv.length; i++) {
+        const a = argv[i];
+        if (a === '--yes' || a === '-y')
+            out.yes = true;
+        else if (a === '--dry-run')
+            out.dryRun = true;
+        else if (a === '--missing-only') { /* default; flag accepted as noop */ }
+        else if (a === '--capability' || a === '-c') {
+            const v = argv[++i];
+            if (v)
+                out.capabilities.push(v);
+        }
+        else if (a?.startsWith('--capability=')) {
+            out.capabilities.push(a.slice('--capability='.length));
+        }
+        else if (a === '--bin' || a === '-b') {
+            const v = argv[++i];
+            if (v)
+                out.bins.push(v);
+        }
+        else if (a?.startsWith('--bin=')) {
+            out.bins.push(a.slice('--bin='.length));
+        }
+    }
+    return out;
+}
+async function whichBin(bin) {
+    const cmd = process.platform === 'win32' ? 'where' : 'which';
+    try {
+        await execFileP(cmd, [bin], { timeout: 3000 });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function askYesNo(prompt, defaultYes = false) {
+    // Non-TTY → fall back to default (safer to skip in CI without --yes).
+    if (!process.stdin.isTTY)
+        return defaultYes;
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    try {
+        const suffix = defaultYes ? ' [Y/n] ' : ' [y/N] ';
+        const answer = await new Promise((resolve) => rl.question(prompt + suffix, resolve));
+        const a = answer.trim().toLowerCase();
+        if (!a)
+            return defaultYes;
+        return a === 'y' || a === 'yes';
+    }
+    finally {
+        rl.close();
+    }
+}
+/** Run an install command via `bash -lc` (POSIX) or `cmd /c` (Windows). */
+async function runInstallCommand(cmd) {
+    return new Promise((resolve) => {
+        const isWin = process.platform === 'win32';
+        const child = isWin
+            ? spawn('cmd.exe', ['/c', cmd], { stdio: 'inherit', shell: false })
+            : spawn('bash', ['-lc', cmd], { stdio: 'inherit', shell: false });
+        child.on('close', (code) => resolve({ ok: code === 0, code }));
+        child.on('error', () => resolve({ ok: false, code: null }));
+    });
+}
+function filterRequirements(opts) {
+    let reqs = [...BINARY_REQUIREMENTS];
+    if (opts.capabilities && opts.capabilities.length) {
+        const set = new Set(opts.capabilities);
+        reqs = reqs.filter((r) => set.has(r.capability));
+    }
+    if (opts.bins && opts.bins.length) {
+        const set = new Set(opts.bins);
+        reqs = reqs.filter((r) => set.has(r.bin));
+    }
+    return reqs;
+}
+export async function runOffsecInstall(rawArgs) {
+    if (rawArgs[0] === 'help' || rawArgs[0] === '-h' || rawArgs[0] === '--help') {
+        console.log(`Usage: erosolar offsec install [options]
+
+Installs the binaries the offsec capability surface needs (Kali / AFL++ /
+gdb / pwntools / binary-analysis / Ghidra / llmRedteam). Cross-platform —
+runs on Linux, macOS, and Windows. Tools without a native install path
+on the current OS are skipped with a pointer to WSL2 / Docker.
+
+Options:
+  --capability, -c <id>   Limit to one capability (repeatable). Ids:
+                          kali, aflpp, gdb, pwntools, binaryAnalysis,
+                          ghidra, llmRedteam.
+  --bin, -b <name>        Limit to a specific binary (repeatable).
+  --yes, -y               Auto-confirm every install (no prompt).
+  --dry-run               List what would be installed, run nothing.
+
+Examples:
+  erosolar offsec install --capability llmRedteam
+  erosolar offsec install -c kali -c llmRedteam --yes
+  erosolar offsec install --bin garak --bin promptfoo
+  erosolar offsec install --dry-run
+`);
+        return 0;
+    }
+    const opts = parseArgs(rawArgs);
+    const reqs = filterRequirements(opts);
+    if (reqs.length === 0) {
+        console.error('No matching binaries found in the manifest. Check --capability / --bin spellings.');
+        return 1;
+    }
+    console.log(`erosolar offsec install · platform=${process.platform} · candidates=${reqs.length}`);
+    const summary = {
+        installed: [], skippedAlreadyPresent: [], skippedNoNativeChannel: [], failed: [],
+    };
+    for (const req of reqs) {
+        process.stdout.write(`\n[${req.capability}] ${req.bin} — ${req.description}\n`);
+        if (await whichBin(req.bin)) {
+            console.log('  ✓ already on PATH — skipping');
+            summary.skippedAlreadyPresent.push(req.bin);
+            continue;
+        }
+        const native = isNativelyAvailable(req);
+        const note = platformNote(req);
+        const pick = pickInstallCommand(req);
+        if (!native || !pick) {
+            const optionalTag = req.optional ? ' (optional)' : '';
+            console.log(`  ⊘ no native install path on ${process.platform}${optionalTag}`);
+            if (note)
+                console.log(`    note: ${note}`);
+            summary.skippedNoNativeChannel.push(req.bin);
+            continue;
+        }
+        console.log(`  → ${pick.channel}: ${pick.cmd}`);
+        if (note)
+            console.log(`    note: ${note}`);
+        if (opts.dryRun) {
+            console.log('    (dry-run — not executed)');
+            continue;
+        }
+        const confirmed = opts.yes
+            ? true
+            : await askYesNo('  install?', false);
+        if (!confirmed) {
+            console.log('  skipped by operator');
+            continue;
+        }
+        const result = await runInstallCommand(pick.cmd);
+        if (result.ok) {
+            console.log('  ✓ installed');
+            summary.installed.push(req.bin);
+        }
+        else {
+            console.log(`  ✗ install failed (exit ${result.code})`);
+            summary.failed.push({ bin: req.bin, reason: `exit ${result.code}` });
+        }
+    }
+    // Reset the in-process availability cache so subsequent agent runs
+    // pick up the just-installed binaries.
+    clearBinaryAvailabilityCache();
+    console.log('\n── summary ────────────────────────────────────');
+    console.log(`installed:               ${summary.installed.length}`);
+    console.log(`already present:         ${summary.skippedAlreadyPresent.length}`);
+    console.log(`skipped (no native):     ${summary.skippedNoNativeChannel.length}`);
+    console.log(`failed:                  ${summary.failed.length}`);
+    if (summary.failed.length) {
+        for (const f of summary.failed)
+            console.log(`  · ${f.bin}: ${f.reason}`);
+        return 1;
+    }
+    return 0;
+}
+/**
+ * Top-level dispatch for `erosolar offsec <verb>`. Currently only
+ * `install` is implemented; reserve `status` / `update` for follow-ups.
+ */
+export async function runOffsecCommand(rawArgs) {
+    const verb = rawArgs[0] || 'install';
+    if (verb === 'help' || verb === '-h' || verb === '--help') {
+        console.log(`Usage: erosolar offsec <verb> [args]
+
+Verbs:
+  install [opts]   Install missing offsec binaries (cross-platform).
+  status           Show which offsec binaries are present / missing.
+  help             Show this message.
+
+Run \`erosolar offsec install --help\` for install-specific options.
+`);
+        return 0;
+    }
+    if (verb === 'install')
+        return runOffsecInstall(rawArgs.slice(1));
+    if (verb === 'status')
+        return runOffsecStatus(rawArgs.slice(1));
+    console.error(`Unknown offsec verb: ${verb}\nRun \`erosolar offsec help\` for usage.`);
+    return 1;
+}
+async function runOffsecStatus(_args) {
+    console.log(`erosolar offsec status · platform=${process.platform}`);
+    let present = 0, missingNative = 0, missingUnsupported = 0;
+    for (const req of BINARY_REQUIREMENTS) {
+        const onPath = await whichBin(req.bin);
+        const native = isNativelyAvailable(req);
+        const tag = onPath ? '✓' : (native ? '✗' : '⊘');
+        const status = onPath ? 'present' : (native ? 'missing — installable' : 'missing — no native channel');
+        console.log(`  [${tag}] [${req.capability}] ${req.bin.padEnd(20)} ${status}`);
+        if (onPath)
+            present += 1;
+        else if (native)
+            missingNative += 1;
+        else
+            missingUnsupported += 1;
+    }
+    console.log(`\npresent ${present} · missing ${missingNative} · unsupported-here ${missingUnsupported}`);
+    return 0;
+}
+//# sourceMappingURL=offsecInstall.js.map

package/dist/cli/offsecInstall.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"offsecInstall.js","sourceRoot":"","sources":["../../src/cli/offsecInstall.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,KAAK,QAAQ,MAAM,eAAe,CAAC;AAC1C,OAAO,EACL,mBAAmB,EAAE,kBAAkB,EAAE,mBAAmB,EAC5D,YAAY,GACb,MAAM,wCAAwC,CAAC;AAChD,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AAEjF,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAStC,SAAS,SAAS,CAAC,IAAc;IAC/B,MAAM,GAAG,GAAyB,EAAE,YAAY,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACjE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,IAAI,CAAC,KAAK,OAAO,IAAI,CAAC,KAAK,IAAI;YAAE,GAAG,CAAC,GAAG,GAAG,IAAI,CAAC;aAC3C,IAAI,CAAC,KAAK,WAAW;YAAE,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC;aACzC,IAAI,CAAC,KAAK,gBAAgB,EAAE,CAAC,CAAC,oCAAoC,CAAC,CAAC;aACpE,IAAI,CAAC,KAAK,cAAc,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;YAC5C,MAAM,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YACpB,IAAI,CAAC;gBAAE,GAAG,CAAC,YAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnC,CAAC;aAAM,IAAI,CAAC,EAAE,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;YAC1C,GAAG,CAAC,YAAa,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC;QAC1D,CAAC;aAAM,IAAI,CAAC,KAAK,OAAO,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;YACvC,MAAM,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YACpB,IAAI,CAAC;gBAAE,GAAG,CAAC,IAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;aAAM,IAAI,CAAC,EAAE,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnC,GAAG,CAAC,IAAK,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,KAAK,UAAU,QAAQ,CAAC,GAAW;IACjC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;IAC7D,IAAI,CAAC;QAAC,MAAM,SAAS,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAAC,OAAO,IAAI,CAAC;IAAC,CAAC;IACpE,MAAM,CAAC;QAAC,OAAO,KAAK,CAAC;IAAC,CAAC;AACzB,CAAC;AAED,KAAK,UAAU,QAAQ,CAAC,MAAc,EAAE,UAAU,GAAG,KAAK;IACxD,sEAAsE;IACtE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK;QAAE,OAAO,UAAU,CAAC;IAC5C,MAAM,EAAE,GAAG,QAAQ,CAAC,eAAe,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACtF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QAClD,MAAM,MAAM,GAAG,MAAM,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,EAAE,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,GAAG,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;QAC7F,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACtC,IAAI,CAAC,CAAC;YAAE,OAAO,UAAU,CAAC;QAC1B,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,KAAK,CAAC;IAClC,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC;AACH,CAAC;AAED,2EAA2E;AAC3E,KAAK,UAAU,iBAAiB,CAAC,GAAW;IAC1C,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC;QAC3C,MAAM,KAAK,GAAG,KAAK;YACjB,CAAC,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;YACnE,CAAC,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QACpE,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE,EAAE,IAAI,KAAK,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAC/D,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,kBAAkB,CAAC,IAA0B;IACpD,IAAI,IAAI,GAAG,CAAC,GAAG,mBAAmB,CAAC,CAAC;IACpC,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC;QAClD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACvC,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC;IACnD,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QAClC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/B,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AASD,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,OAAiB;IACtD,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;QAC5E,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;CAoBf,CAAC,CAAC;QACC,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;IAChC,MAAM,IAAI,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;IACtC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,CAAC,KAAK,CAAC,mFAAmF,CAAC,CAAC;QACnG,OAAO,CAAC,CAAC;IACX,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,sCAAsC,OAAO,CAAC,QAAQ,iBAAiB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAClG,MAAM,OAAO,GAAmB;QAC9B,SAAS,EAAE,EAAE,EAAE,qBAAqB,EAAE,EAAE,EAAE,sBAAsB,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE;KACjF,CAAC;IAEF,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,UAAU,KAAK,GAAG,CAAC,GAAG,MAAM,GAAG,CAAC,WAAW,IAAI,CAAC,CAAC;QAChF,IAAI,MAAM,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5B,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;YAC9C,OAAO,CAAC,qBAAqB,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC5C,SAAS;QACX,CAAC;QACD,MAAM,MAAM,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;QACxC,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;QAC/B,MAAM,IAAI,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;QAErC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YACrB,MAAM,WAAW,GAAG,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC;YACtD,OAAO,CAAC,GAAG,CAAC,iCAAiC,OAAO,CAAC,QAAQ,GAAG,WAAW,EAAE,CAAC,CAAC;YAC/E,IAAI,IAAI;gBAAE,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,EAAE,CAAC,CAAC;YAC3C,OAAO,CAAC,sBAAsB,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC7C,SAAS;QACX,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,CAAC,OAAO,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAChD,IAAI,IAAI;YAAE,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,EAAE,CAAC,CAAC;QAC3C,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;YAC5C,SAAS;QACX,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG;YACxB,CAAC,CAAC,IAAI;YACN,CAAC,CAAC,MAAM,QAAQ,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;YACrC,SAAS;QACX,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjD,IAAI,MAAM,CAAC,EAAE,EAAE,CAAC;YACd,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;YAC7B,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,4BAA4B,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC;YACxD,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACvE,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,uCAAuC;IACvC,4BAA4B,EAAE,CAAC;IAE/B,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;IACjE,OAAO,CAAC,GAAG,CAAC,4BAA4B,OAAO,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;IACpE,OAAO,CAAC,GAAG,CAAC,4BAA4B,OAAO,CAAC,qBAAqB,CAAC,MAAM,EAAE,CAAC,CAAC;IAChF,OAAO,CAAC,GAAG,CAAC,4BAA4B,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,CAAC,CAAC;IACjF,OAAO,CAAC,GAAG,CAAC,4BAA4B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IACjE,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC1B,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,MAAM;YAAE,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACzE,OAAO,CAAC,CAAC;IACX,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,OAAiB;IACtD,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC;IACrC,IAAI,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC;;;;;;;;CAQf,CAAC,CAAC;QACC,OAAO,CAAC,CAAC;IACX,CAAC;IACD,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,gBAAgB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAClE,IAAI,IAAI,KAAK,QAAQ;QAAE,OAAO,eAAe,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAChE,OAAO,CAAC,KAAK,CAAC,wBAAwB,IAAI,2CAA2C,CAAC,CAAC;IACvF,OAAO,CAAC,CAAC;AACX,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,KAAe;IAC5C,OAAO,CAAC,GAAG,CAAC,qCAAqC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IACrE,IAAI,OAAO,GAAG,CAAC,EAAE,aAAa,GAAG,CAAC,EAAE,kBAAkB,GAAG,CAAC,CAAC;IAC3D,KAAK,MAAM,GAAG,IAAI,mBAAmB,EAAE,CAAC;QACtC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACvC,MAAM,MAAM,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;QACxC,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAChD,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,6BAA6B,CAAC,CAAC;QACvG,OAAO,CAAC,GAAG,CAAC,MAAM,GAAG,MAAM,GAAG,CAAC,UAAU,KAAK,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,MAAM,EAAE,CAAC,CAAC;QAC9E,IAAI,MAAM;YAAE,OAAO,IAAI,CAAC,CAAC;aACpB,IAAI,MAAM;YAAE,aAAa,IAAI,CAAC,CAAC;;YAC/B,kBAAkB,IAAI,CAAC,CAAC;IAC/B,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,aAAa,OAAO,cAAc,aAAa,uBAAuB,kBAAkB,EAAE,CAAC,CAAC;IACxG,OAAO,CAAC,CAAC;AACX,CAAC"}

package/dist/headless/interactiveShell.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"interactiveShell.d.ts","sourceRoot":"","sources":["../../src/headless/interactiveShell.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAuJH,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB;AAMD;;GAEG;AACH,wBAAsB,mBAAmB,CAAC,OAAO,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC,CAoDzF"}
+{"version":3,"file":"interactiveShell.d.ts","sourceRoot":"","sources":["../../src/headless/interactiveShell.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAuJH,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB;AAMD;;GAEG;AACH,wBAAsB,mBAAmB,CAAC,OAAO,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC,CA+EzF"}

package/dist/headless/interactiveShell.js

@@ -180,6 +180,31 @@ export async function runInteractiveShell(options) {
     if (parsed.initialPrompt) {
         shell.queuePrompt(parsed.initialPrompt);
     }
+    // Portal kickoff — when the operator launched this engagement from
+    // the portal, the engagement carries a one-shot prompt explaining
+    // what to do. Claim it (atomic consume on the Lambda side) and pre-
+    // queue it as the first user prompt so the agent starts hunting
+    // immediately instead of dropping the operator at an empty shell.
+    // Best-effort: if the network or auth fails, the shell still boots
+    // normally, and the operator can type their own prompt.
+    try {
+        const { isOffsecProfile } = await import('../runtime/profileGates.js');
+        if (isOffsecProfile(profile)) {
+            const { getEngagementSelection, consumeKickoffPrompt } = await import('../tools/engagementTools.js');
+            const sel = getEngagementSelection();
+            if (sel.engagementId) {
+                const kickoff = await consumeKickoffPrompt(sel.engagementId);
+                if (kickoff?.prompt) {
+                    process.stderr.write(`[engagement] Kickoff loaded — first prompt seeded ` +
+                        `(${kickoff.prompt.length} chars).\n`);
+                    shell.queuePrompt(kickoff.prompt);
+                }
+            }
+        }
+    }
+    catch {
+        // Best-effort. Shell boots normally on any failure.
+    }
     await shell.run();
 }
 class InteractiveShell {